Enable Remote Desktop group policy SBS 2011

NEEDED FIXES FOR SBS 2011 STANDARD (with Exchange)

Adjust the supported client operating systems:

As noted in //windowsserveressentials.com/2015/08/17/small-business-server-2011-standardwindows-10/ you need to adjust the list of client operating systems that the client deployment (Connect) wizard will accept.

Add Windows 10 to the supported client operating system list

As an administrator, find the XML file on the server at C:\Program Files\Windows Small Business Server\Bin\WebApp\ClientDeployment\packageFiles\supportedOS.xml and open it in Notepad. Add the following two lines, one per architecture (the x86 entry is shown here; the second line is the matching x64 entry):

<OS id="10" Name="Windows 10, x86" Major="10" Minor="0" Build="10240" SPMajor="" SPMinor="" ExcludedSuite="512" RequiredSuite="" RequiredProductType="1" Architecture="0"/>

Adjust the Group Policy WMI filter to fix the issue where folder redirection does not apply to Windows 10:

The WMI filter included with the server compares the operating system version as a string. Windows 10 reports Version 10.0.x, and as a string "10.0" sorts before "6.1", so Windows 10 clients never match the filter and the folder redirection policy is skipped. Adjust the filter as follows:

Instead of: select * from Win32_OperatingSystem where (Version >= "6.1%") and ProductType = "1"

Change it to: select * from Win32_OperatingSystem where Version like "10.%" or Version >= "6.1"

Note that the adjusted filter drops the ProductType = "1" test, so it also matches server operating systems (ProductType 2 is a domain controller, 3 a member server). If the linked GPO must stay workstation-only, keep the product type test and put the two version tests together in parentheses.

Click Start, click All Programs, click Accessories, and then click Run. Type gpmc.msc in the text box, and then click OK or press ENTER. In the Group Policy Management console, scroll to the bottom of the domain tree to the WMI Filters node, right-click the filter and click Edit, select the query, click Edit again and adjust it as noted.

Alternatively, if you want a WMI filter that matches only Windows 10, use: select * from Win32_OperatingSystem where Version like "10.%"

Note that you may have to retype the quotes, as cutting and pasting from this document may not preserve straight double quotes, and WQL requires straight ones.
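To see which of these filters a given machine satisfies before linking a GPO to it, the following PowerShell script (added here as an illustration; it is not from the original post) runs each query through Get-CimInstance, which evaluates the same WQL the Group Policy client uses, and also shows the string ordering that makes the original filter fail on Windows 10. It assumes PowerShell 3 or later on the client. The fourth query, which keeps the ProductType test, is my own variant and not one of the post's filters.

```powershell
# Added example (not from the original post): evaluate the WQL filters from this section
# on the local computer. The Group Policy client treats a WMI filter as "true" when the
# query returns at least one instance, which is exactly what Get-CimInstance -Query shows.
# Runs as a standard user; nothing on the machine is changed.

$filters = @(
    @{ Name = 'Original (Win7+ workstations)'; Query = 'select * from Win32_OperatingSystem where (Version >= "6.1%") and ProductType = "1"' }
    @{ Name = 'Adjusted (from the post)';      Query = 'select * from Win32_OperatingSystem where Version like "10.%" or Version >= "6.1"' }
    @{ Name = 'Windows 10 only';               Query = 'select * from Win32_OperatingSystem where Version like "10.%"' }
    # Assumed variant, not in the post: keeps the workstation-only test the adjusted filter drops.
    @{ Name = 'Win10/Win7+ workstations only'; Query = 'select * from Win32_OperatingSystem where (Version like "10.%" or Version >= "6.1") and ProductType = "1"' }
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
'Local OS: {0}  Version={1}  ProductType={2} (1=workstation, 2=domain controller, 3=server)' -f $os.Caption, $os.Version, $os.ProductType

# WQL compares Version as a string, so "10.0.x" sorts before "6.1" and fails the >= test.
# PowerShell's own string comparison shows the same ordering:
"'10.0.19045' -ge '6.1' is {0}; '6.1.7601' -ge '6.1' is {1}" -f ('10.0.19045' -ge '6.1'), ('6.1.7601' -ge '6.1')

foreach ($f in $filters) {
    # A filter "matches" when the query returns at least one Win32_OperatingSystem instance.
    $hits    = @(Get-CimInstance -Query $f.Query -ErrorAction Stop)
    $verdict = if ($hits.Count -gt 0) { 'MATCH    (GPO would apply)' } else { 'no match (GPO skipped)' }
    '{0,-32} {1}' -f $f.Name, $verdict
}
```

Run it on a Windows 10 client and on the server itself: the "Adjusted" filter matches both, which is the point of the ProductType caveat above.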

Stop Windows 10 from changing the default printer.

Starting with Windows 10 version 1511, each time you print to a different printer Windows makes that printer the default. To turn this off, perform the following:

  1. Click the Windows icon (lower left), then click Settings

2. From the Settings window, click Devices

3. From the Devices window, click Printers & scanners

4. From the Printers & scanners window, scroll down and locate the section Let Windows manage my default printer

5. You can click on the toggle button to turn the option on or off, as desired.

See here for more details: //kwsupport.com/2015/12/windows-10-new-feature-changes-your-default-printer-to-the-last-printer-used/

Remote Web Access (RWA) functionality:

No issues reported with RWA. You can use the Edge browser to sign in to Remote Web Access.

Adjust Group Policy to allow RDP access to Windows 10 machines

As noted in //windowsserveressentials.com/2015/08/06/sbs-2011-essentials-windows-10/ SBS 2011 Essentials (and Standard) need an adjustment to allow Remote Desktop, and therefore RWA, into Windows 10 workstations. To add this ability, create a new policy and give it a WMI filter so that it applies only to Windows 10. In GPMC go to the WMI Filters node, right-click it and click New. Name the filter Windows 10. Under Queries click Add and use: select * from Win32_OperatingSystem where Version like "10.%"

Click Save to store the filter.

Now build a new policy. Go up to the OU that holds the client computers, right-click it and click Create a GPO in this domain, and Link it here. Name your policy, for example Windows 10 computers (or something equally descriptive).

The policy setting is found at:

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections >

'Allow users to connect remotely using Remote Desktop Services'

Set it to Enabled. Also set

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security >

'Set client connection encryption level'

to Enabled with the encryption level set to High Level.

Because this GPO turns on an inbound listener on every machine it hits, it is worth also enabling 'Require user authentication for remote connections by using Network Level Authentication' in the same Security node, so a client must authenticate before a session is created, and keeping the local Remote Desktop Users group limited to the accounts that actually need it.

As the final step, on the GPO's Scope tab change the WMI filter to the Windows 10 filter you set up before.
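The same GPO can be built from the server's PowerShell prompt with the GroupPolicy module, which writes the registry-backed values those Administrative Template settings map to. This is an added example, not the post's own procedure: the GPO name, the OU distinguished name (based on the default SBS "MyBusiness" layout) and the domain are placeholders, and the WMI filter is still attached on the Scope tab in GPMC as described above, since the GroupPolicy module has no cmdlet for that.

```powershell
# Added example (not from the original post): create the "Windows 10 computers" GPO and
# set the Remote Desktop policies through their registry-backed policy values.
# Run from an elevated PowerShell on the SBS server as a Domain Admin.
Import-Module GroupPolicy

$gpoName = 'Windows 10 computers'
$target  = 'OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=domain,DC=local'   # assumed OU; adjust
$tsKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Remote Desktop settings for Windows 10 clients' }

# Connections > "Allow users to connect remotely using Remote Desktop Services" = Enabled
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null
# Security > "Set client connection encryption level" = Enabled, High Level (3)
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'MinEncryptionLevel' -Type DWord -Value 3 | Out-Null
# Security > "Require user authentication for remote connections by using NLA" = Enabled
# (not one of the post's steps, but you want it whenever RDP is opened on a fleet)
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'UserAuthentication' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU once (idempotent; works on PowerShell 2 as well).
$existing = @((Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName })
if ($existing.Count -eq 0) { New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null }

# Show what the GPO now carries before the clients pick it up at the next refresh.
Get-GPRegistryValue -Name $gpoName -Key $tsKey | Select-Object ValueName, Type, Value
```

On a client, after gpupdate /force, the three values appear under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; if they do not, the WMI filter or the link is the usual culprit, and gpresult /r shows which of the two.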

Changes needed to the WSUS server

The final change is an evaluation of how patching of Windows 10 will be controlled in a network where WSUS 3.2 will not get the fix needed to manage branch (feature) upgrades for Windows 10. WSUS 3.2 can still handle the normal security releases, but it will not receive the hotfix that lets it deploy the branch upgrades.

If you have the ability to install the WSUS role on a Server 2012 or 2012 R2 member server inside the SBS 2011 Standard or SBS 2008 domain, you may wish to do so. Alternatively you can disable the WSUS services and use a third-party patch management tool to deploy updates throughout the network. I would recommend leaving WSUS installed and merely disabling the WSUS services: the WSUS installation changes IIS compression settings, and removing SQL Server from a domain controller can be hazardous to the server, which is why I recommend leaving it installed with the services disabled.

Another option you can apply firm-wide is to change Group Policy so that the network no longer uses WSUS and all workstations get their updates automatically from Microsoft Update.

Finally you can make a setting that only affects the Windows 10 machines in your domain.

For those of you on older (unsupported) WSUS, you have several options:

Option one: Change the settings so that no workstation in the network uses WSUS.

To use this option, change these settings in Group Policy:

Edit the Update Services Common Settings Policy and go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.

Review each of the enabled policies there to decide which ones you still want to keep and which need to be adjusted.

Specifically, set "Specify intranet Microsoft update service location" to Not configured. With that setting cleared, clients fall back to Microsoft Update.

For servers we do not want the patches to install automatically.

You are aiming to set the workstations to go directly to Microsoft Update and install critical and important updates every day at 3:00 AM, rebooting as necessary, except for the server, which should download and notify only.

The advantage is that you no longer have the overhead of WSUS on the server, as you can shut down its services. The disadvantage is that you are at the mercy of Patch Tuesday, with no approval step before updates install.
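The Option one changes, done with the GroupPolicy module instead of by clicking through each setting, as an added example that is not from the original post. It assumes the three GPO names are the SBS 2011 defaults (Update Services Common Settings Policy, Update Services Client Computers Policy, Update Services Server Computers Policy); if yours differ, change the names. Clearing the intranet update location is done by removing its registry values, which is what "Not configured" means on the registry side.

```powershell
# Added example (not from the original post): point workstations at Microsoft Update,
# install every day at 03:00 with reboots, and leave servers on download-and-notify.
# Run elevated on the SBS server as a Domain Admin; GPO names are assumed defaults.
Import-Module GroupPolicy

$common = 'Update Services Common Settings Policy'
$client = 'Update Services Client Computers Policy'
$server = 'Update Services Server Computers Policy'
$wuKey  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey  = "$wuKey\AU"

# 1. "Specify intranet Microsoft update service location" -> Not configured.
Remove-GPRegistryValue -Name $common -Key $wuKey -ValueName 'WUServer', 'WUStatusServer' -ErrorAction SilentlyContinue | Out-Null
Remove-GPRegistryValue -Name $common -Key $auKey -ValueName 'UseWUServer' -ErrorAction SilentlyContinue | Out-Null

# 2. Workstations: auto download and scheduled install (AUOptions 4), every day (0) at 03:00.
Set-GPRegistryValue -Name $client -Key $auKey -ValueName 'NoAutoUpdate'                 -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $client -Key $auKey -ValueName 'AUOptions'                    -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $client -Key $auKey -ValueName 'ScheduledInstallDay'          -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $client -Key $auKey -ValueName 'ScheduledInstallTime'         -Type DWord -Value 3 | Out-Null
Set-GPRegistryValue -Name $client -Key $auKey -ValueName 'NoAutoRebootWithLoggedOnUsers' -Type DWord -Value 0 | Out-Null   # reboot as necessary

# 3. Servers: download and notify only (AUOptions 3), so nothing installs unattended.
Set-GPRegistryValue -Name $server -Key $auKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $server -Key $auKey -ValueName 'AUOptions'    -Type DWord -Value 3 | Out-Null

# 4. Review: WUServer/WUStatusServer/UseWUServer must no longer appear in the common policy.
foreach ($g in $common, $client, $server) {
    "--- $g ---"
    Get-GPRegistryValue -Name $g -Key $wuKey -ErrorAction SilentlyContinue | Select-Object ValueName, Value
    Get-GPRegistryValue -Name $g -Key $auKey -ErrorAction SilentlyContinue | Select-Object ValueName, Value
}
```

For the "Windows 10 only" variant mentioned above, put the step 1 removal and step 2 values into the Windows 10 GPO (with its WMI filter) and leave the common policy alone, so Windows 7 clients stay on WSUS.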

Option two:

Keep using WSUS for security and normal patching, and manually update Windows 10 Professional or Enterprise SKUs to the branch releases. Any Windows 10 workstation on a domain behind WSUS can be pointed at Microsoft Update manually by going to Settings > Update & security and forcing the workstation to check with Microsoft Update. The branch upgrade will be offered and you can install it manually. After the install the workstation is once again fully patchable by WSUS.

Make Windows 10 clients not show as Windows Vista on the WSUS 3.2 server

As noted in //windowsserveressentials.com/2015/07/22/windows-10-on-wsus-shows-as-windows-vista/ you will need to run a SQL query against the SUSDB database to fix this. This issue is fixed in WSUS on Server 2012 and 2012 R2; it only affects WSUS 3.2. After each new Windows 10 build is released and installed on the clients you will have to run the script again. Back up SUSDB before running it.

UPDATE [SUSDB].[dbo].[tbComputerTargetDetail]
SET [OSDescription] = 'Windows 10'
WHERE [OSMajorVersion] = '10'
  AND [OSMinorVersion] = '0'
  AND [OldProductType] = '1'
  AND ([OSDescription] <> 'Windows 10' OR [OSDescription] IS NULL)
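Since this has to be rerun after every build, here is the query wrapped in a PowerShell script that first counts the rows it would touch and then applies the fix through sqlcmd.exe. This is an added example, not from the original post. It assumes WSUS 3.2 on the SBS 2011 server uses the Windows Internal Database reached over the named pipe shown, and that sqlcmd.exe from the SQL Server command-line tools is on the path; if SUSDB lives on a full SQL Server instance, set $instance to that server\instance name instead.

```powershell
# Added example (not from the original post): count, then fix, the WSUS 3.2 rows that
# describe Windows 10 clients as Windows Vista. Run from an elevated prompt on the WSUS
# server. $instance assumes the Windows Internal Database; change it for a full SQL Server.
$instance = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'

$table = '[SUSDB].[dbo].[tbComputerTargetDetail]'
$where = "WHERE [OSMajorVersion] = '10' AND [OSMinorVersion] = '0' AND [OldProductType] = '1' " +
         "AND ([OSDescription] <> 'Windows 10' OR [OSDescription] IS NULL)"

$count  = "SELECT COUNT(*) AS NeedsFix FROM $table $where"
$update = "UPDATE $table SET [OSDescription] = 'Windows 10' $where"

'Rows still carrying the wrong OS description:'
& sqlcmd.exe -S $instance -E -Q $count
if ($LASTEXITCODE -ne 0) { throw 'sqlcmd failed: check the instance name and that the prompt is elevated' }

# Apply the fix (same statement as above); the WSUS console shows the change after a refresh.
& sqlcmd.exe -S $instance -E -Q $update
if ($LASTEXITCODE -ne 0) { throw 'UPDATE failed; SUSDB was not changed' }
```

The WHERE clause is shared between the count and the update on purpose, so the number you see first is exactly the number of rows the update will change.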

Assume a situation where you have just set up a remote site and now find yourself with users or support servers you cannot physically get to. Walking to the desk is not an option. So how do you go about accessing the data and information you need?

To get it right, you need to figure out how to enable Remote Desktop via Group Policy so that it gets applied to all devices at your site. Configuring Remote Desktop forms the basis of our guide today. Let's get started.

What is Remote Desktop Group Policy

Almost all users interested in building secure connections between computers over the internet will have heard of RDP or VPN. RDP stands for Remote Desktop Protocol. It is a network communications protocol developed by Microsoft that allows a user to connect to another computer over a network.

With RDP you can connect to any computer that runs Windows and has Remote Desktop enabled, view the same display and interact with it as if you were working on that machine locally. By default the remote computer listens on TCP port 3389.

Some instances where you may need to use RDP include:

  • When traveling or on vacation and you need to access your work computer
  • When you cannot get to your office for some reason and still need to complete your daily tasks
  • When you are a system administrator and need to perform administrative tasks on a user's PC such as troubleshooting, tune-up, identity protection settings, printer setup, software installation, email setup, and virus and spyware removal
  • When you need to give a demo and must access data on a private device
  • When you want to personalize the remote desktop experience: resolution, connection settings, screen settings, toolbar, Start menu, icons and so on

How to Enable Remote Desktop on Windows 10 from the GUI

The easiest way to enable Remote Desktop on the Windows operating system family is to use the graphical user interface (GUI). To do this:

Open the System control panel, click Remote settings, and in the Remote Desktop section enable the "Allow remote connections to this computer" option.

However, this requires local access to the computer on which you want to enable Remote Desktop.

By default, Remote Desktop is disabled on both the desktop versions of Windows and on Windows Server.

How to Enable Remote Desktop Remotely Using PowerShell

Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/2019. This relies on PowerShell Remoting (WinRM), which is enabled by default on these server versions. Here is the procedure:

  1. On your computer, open the PowerShell console and run the following command to connect to the remote server: Enter-PSSession -ComputerName server.domain.local -Credential domain\administrator
  2. You now have a remote session with the computer and can execute PowerShell commands on it. To enable Remote Desktop, change the registry value fDenyTSConnections from 1 to 0 on the remote machine: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
  3. When RDP is enabled this way (as opposed to the GUI method), the Windows Firewall rule that allows inbound RDP connections is not enabled automatically.
  4. To allow incoming RDP connections in Windows Firewall, run: Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
  5. If for some reason the built-in rule has been deleted, you can create one manually: netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow (note that this rule accepts any source address; add remoteip=<your management subnet> if only that subnet should reach RDP)
  6. To require secure RDP authentication (NLA, Network Level Authentication), run: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
  7. Now, from your computer, check whether TCP port 3389 on the remote host has become available: Test-NetConnection 192.168.1.11 -CommonTCPPort RDP
  8. If successful, the output ends with TcpTestSucceeded : True.

This means RDP on the remote host is enabled and you can establish a remote desktop connection using the mstsc client.
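The eight steps above as one function, added here as an illustration (it is not code from the original article). It runs the registry and firewall changes inside a single Invoke-Command, turns NLA on at the same time rather than leaving it optional, and then probes port 3389 from the machine you are sitting at. It assumes WinRM is reachable on the target and that the credential is an administrator there; the host name and account in the usage lines are placeholders.

```powershell
# Added example (not from the original article): enable RDP with NLA on a remote server
# over PowerShell Remoting and report whether the port is actually reachable afterwards.
function Enable-RemoteDesktop {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $state = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        # 1. Allow RDP connections (fDenyTSConnections 1 -> 0).
        Set-ItemProperty -Path $ts -Name 'fDenyTSConnections' -Value 0 -Type DWord
        # 2. Require Network Level Authentication so an unauthenticated client never gets a session.
        Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1 -Type DWord
        # 3. The built-in firewall rules are not enabled automatically when RDP is switched on via the registry.
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        # Report what the machine now has.
        [pscustomobject]@{
            fDenyTSConnections = (Get-ItemProperty -Path $ts).fDenyTSConnections
            NLA                = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication
            FirewallRulesOn    = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' }).Count
        }
    }

    # 4. From the management workstation, confirm the port answers (the ping warning is irrelevant here).
    $probe = Test-NetConnection -ComputerName $ComputerName -CommonTCPPort RDP -WarningAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $ComputerName
        RdpAllowed        = ($state.fDenyTSConnections -eq 0)
        NlaRequired       = ($state.NLA -eq 1)
        FirewallRulesOn   = $state.FirewallRulesOn
        Port3389Reachable = $probe.TcpTestSucceeded
    }
}

# Usage (placeholder host and account):
# $cred = Get-Credential 'DOMAIN\administrator'
# Enable-RemoteDesktop -ComputerName 'server.domain.local' -Credential $cred
```

If RdpAllowed and NlaRequired are both True but Port3389Reachable is False, the block is somewhere between you and the host (a network firewall or a third-party host firewall), not in the Windows configuration.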

How to Enable/Disable Remote Desktop Using Group Policy

You can enable or disable Remote Desktop using Group Policy. The steps below use the Local Group Policy Editor on one machine; for a domain, edit a GPO in the Group Policy Management console instead, where the same setting sits under Computer Configuration > Policies.

  1. Search for gpedit.msc in the Start menu and click it in the program list.
  2. After the Local Group Policy Editor opens, expand Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections.
  3. In the right-hand panel, double-click Allow users to connect remotely using Remote Desktop Services.
  4. Select Enabled and click Apply to enable Remote Desktop, or select Disabled and click Apply to disable it.

You have now enabled or disabled Remote Desktop using Group Policy. Note that this policy only sets fDenyTSConnections; the firewall rule still has to be allowed separately, either on the machine or through the "Windows Firewall: Allow inbound Remote Desktop exceptions" policy.

Network Level Authentication (NLA) on the remote RDP server

Network Level Authentication is a method used to enhance RD Session Host server security by requiring that a user be authenticated to the RD Session Host server before a session is created.

If you want to restrict who can access your PC, you can choose to allow access only with Network Level Authentication (NLA). NLA is an authentication feature of the RDP server. When a user tries to connect to an NLA-enabled device, the client delegates the user's credentials through the client-side Security Support Provider (CredSSP) to the server for authentication before any session is created.

The advantages of Network Level Authentication are:

  • It requires fewer resources on the remote computer up front, because no logon session and logon screen are created for a client that has not yet authenticated.
  • It provides better security by reducing the risk of denial of service attacks and by keeping unauthenticated clients away from the session host's logon stack.

To configure Network Level Authentication for a connection, follow the steps below.

    1. On the RD Session Host server, open Remote Desktop Session Host Configuration: click Start >> Administrative Tools >> Remote Desktop Services >> Remote Desktop Session Host Configuration.
    2. Under Connections, right-click the name of the connection and then click Properties.
    3. On the General tab, select the Allow connections only from computers running Remote Desktop with Network Level Authentication checkbox.
    4. Click OK.

Note for step 3: if that checkbox is greyed out, the "Require user authentication for remote connections by using Network Level Authentication" Group Policy setting has been enabled and applied to the RD Session Host server, and the setting is then controlled by that policy rather than by this dialog.
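As an added example (not from the original article), the following PowerShell reports how NLA is set on an RD Session Host and whether Group Policy is what controls it, which is the situation the note above describes. It reads the Win32_TSGeneralSetting class in the TerminalServices WMI namespace, which exposes the same per-connection settings as the dialog, and offers a function that sets the NLA requirement the way the checkbox does. Run it elevated on the host; the connection name defaults to RDP-Tcp.

```powershell
# Added example (not from the original article): inspect and set the NLA requirement on an
# RD Session Host connection, and tell whether a GPO value overrides the local setting.
function Get-NlaStatus {
    param([string] $ConnectionName = 'RDP-Tcp')

    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='$ConnectionName'"
    # The policy value exists only when "Require user authentication ... NLA" is applied by a GPO.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
                               -Name 'UserAuthentication' -ErrorAction SilentlyContinue

    $layer = switch ($ts.SecurityLayer) { 0 { 'RDP' } 1 { 'Negotiate' } 2 { 'TLS' } default { $ts.SecurityLayer } }
    $gpoValue = $null
    if ($policy) { $gpoValue = $policy.UserAuthentication }

    [pscustomobject]@{
        Connection         = $ts.TerminalName
        NlaRequired        = ($ts.UserAuthenticationRequired -eq 1)
        SecurityLayer      = $layer
        MinEncryptionLevel = $ts.MinEncryptionLevel    # 3 = High, 4 = FIPS
        ControlledByGpo    = ($null -ne $policy)        # True means the dialog checkbox is greyed out
        GpoValue           = $gpoValue
    }
}

function Set-NlaRequired {
    param([string] $ConnectionName = 'RDP-Tcp')

    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='$ConnectionName'"
    # Same operation as ticking the checkbox in step 3; a GPO value, if present, wins at the next refresh.
    $r = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                          -Arguments @{ UserAuthenticationRequired = [uint32]1 }
    if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed with return code $($r.ReturnValue)" }
    Get-NlaStatus -ConnectionName $ConnectionName
}

Get-NlaStatus
```

A host that shows NlaRequired False with ControlledByGpo True and GpoValue 0 is the case to watch for: the policy is explicitly disabling NLA, and ticking the checkbox locally will be undone at the next policy refresh.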
