Archive for Group Policy

Security Patch MS16-072 Breaks GPO on SBS 2008, SBS 2011, and Windows Server 2008/2008R2

Microsoft recently released security hotfix MS16-072 last week. This patch attempts to improve GPO security. But as my fellow MVP’s Susan Bradley and Wayne Small have discovered, this new security update can actually break certain GPO based processes, such as WSUS.

Note: Microsoft has not released a fix to this, nor are we expecting them to do so. But the blog posts below offer instructions for manually fixing this issue.

Here are the two blog posts that Wayne Small posted on his site, identifying the problem and suggested work arounds:

Susan Bradley forwarded the following post from Group Policy Central which includes a PowerShell script and further instructions from Microsoft to manually fix this problem.

Active Hours in Windows 10

Active Hours is a new feature recently released within the Insider (beta) version of Windows 10, and will be part of the upcoming anniversary release of Windows 10.

Think of Active hours as your business work hours, or the time frame that you most use your computer. By setting Active Hours, you can make sure that your computer will NOT automatically restart after updates are installed during those times.

By default, Active Hours is defined as 8am to 5pm (relative to your time zone).image

To change your Active Hours,

  • Click Windows+I to go to the Settings app
  • Click Update & security
  • Click Change active hours


Unfortunately, the valid range for active hours is 10 hours. And, keep in mind – you are defining your busiest work hours so as to avoid automatic reboots. Personally, I would have preferred if this would have been the  time frame when we would want reboots to occur.

And for those Group Policy people, yes, Active Hours can be set and changed within the Group Policy Editor.

Go to:  Local Computer Policy –> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates and locate the “Turn off auto-restart for updates during active hours” policy.

Cannot RDP into Windows 10 Computer

Working with a customer that has SBS 2008 and upgraded a local computer to Windows 10. We discovered that we could not RDP into that workstation either locally using “mstsc” nor remotely using Remote Web Workplace (RWW).

Turns out the fix is very easy.

By default, Windows 10 has Remote Desktop turned off in the firewall settings for the local workstation.

Here’s how to fix it:

  • Open up Control Panel and go to System & Security –> Windows Firewall
  • Click on “Allow an app or feature through Windows Firewall” option located in the left frame
  • Click on the Change settings button
  • If you do not have administrator access to this workstation, you will be prompted to enter an administrator username and password
  • Scroll down and locate Remote Desktop. Click on the box to select it, and then click on the appropriate boxes under the Domain and Private columns.
  • Click OK.
  • I suggest you then run gpupdate /force from a command prompt, first on the server, and then from the workstation. For the workstation, you may be prompted to logout to apply the update.

CryptoLocker Round 3?

I first blogged about the Cryptolocker ransomware a little over a month ago. Since then workstations and servers worldwide have been attacked and compromised, even with the best levels of software and hardware protection in place. And this “cyber nemesis” is still on the move, per a new advisory from US-CERT.

In early October I began a review of the computer systems that I manage on a daily basis to ensure that all systems were clean. Later in the month, I began implementing new security policies on those systems to block the attack and spread of the ransomware. These policies were based on documentation provided by Third Tier, a group of my fellow MVP’ers.

But, the party is not over.

Most often, the CryptoLocker gets loaded via a fake email from companies, such as PayPal or FedEx. However, I was just alerted from an I.T. friend of a version of the CryptoLocker that showed up as a voice mail attachment!

If I do not manage your systems on a regular basis, and you would like me to review your computer, and implement security policies to minimize the Cryptolocker attackes, please contact me at

Creating the SBS MyBusiness OU

The SBS products (SBS 2003/2008/2011) all included a pre-installed set of Group Policy OU’s called MyBusiness. Organizational Units (OU’s) are used to organize users and computers (workstations and servers) in order to manage and apply specific rules and policies.

However, the Essentials products (SBS 2011 Essentials, Windows 2012 Essentials) do not include the MyBusiness OU. So, if you wish to keep consistency between the SBS and Essentials platforms, you will need to create this on your own. One reason for doing this would be to implement the Group Policies related to blocking the CryptoLocker ransomware.

Fortunately, Microsoft did identify the basic steps for creating the MyBusiness OU in KB 2578426 and scroll down to Issue 3 / Rule 3 in the KB article for the required steps.

To (re)create the MyBusiness OU manually. To do this, follow these steps:

  1. Open Active Directory Users and Computers.
  2. Right-click the domain name object. In the shortcut menu, point to New…, and then click Organizational Unit. Type MyBusiness to name the new object.
    Note Type MyBusiness as one word.
  3. In the MyBusiness OU that you created in step 2, create the following OUs:
    • Computers
    • Distribution Groups
    • Security Groups
    • Users
  4. In the Computers OU that you created in step 3, create the following OUs:
    • SBSComputers
    • SBSServers
  5. In the Users OU that you created in step 3, create the following OU:
    • SBSUsers

After you have finished these steps, your Group policy structure should look like this: