Windows 10 Roll-out: WSUS, Group Policy and Installation

As a software development company we need to be a little ahead of the curve when it comes to our adoption of new releases of Windows Server and Desktop environments, as we need to ensure that our software will continue to function when our clients decide to upgrade to the latest technologies. However, until recently, because our customers were large enterprises, which are traditionally slow to adopt new technology, we didn't need to jump in immediately when a new OS was released. That has changed since we started to gain clients in emerging markets, Kenya and Nigeria specifically, who appear to be quicker to adopt the latest OS as they are experiencing rapid expansion and growth of their infrastructure.

So just over two months since the release of Windows 10 I undertook a pilot program to roll it out to a limited number of developers and create a small number of virtual machines for testing.

Edit: Since first writing this up the number of people that I have rolled Windows 10 out to now encompasses almost a third of the company.

But prior to the actual roll-out there are a couple of tasks that need to be done to ensure that the infrastructure for managing Windows 10 is in place, namely WSUS (Windows Server Update Services) and Group Policy.

WSUS was pretty simple as the product list it uses is updated automatically with new entries so it is just a matter of ticking the boxes to receive updates for those products. Open up the WSUS console, click on Options and then Products and Classifications. Tick all the relevant boxes to receive the Windows 10 updates.

Installing the Group Policy Administrative Templates (ADMX files) was more involved but again was pretty straightforward. I downloaded the ADMX files (Microsoft Administrative Templates for Windows 10). I also downloaded the ones for Windows 8.1 and Windows Server 2012 R2 as I'd realized that I'd somehow overlooked these previously.

Logged into one of the Domain Controllers and found the path to the SYSVOL folder's location in the Central Store. Please note that if you're following these instructions and do not have a Central Store in your domain, then the SYSVOL location will have a different path.

Then opened the MSI installer to start the installation of the Administrative Templates. At the Select Installation Folder window I changed the folder from the default to the SYSVOL folder in the Central Store that I found previously.

If you have a Central Store for ADMX files, the location should be the same as or similar to the path below; just replace domain.com with your domain name.

C:\Windows\SYSVOL\sysvol\domain.com\Policies\PolicyDefinitions

Installed both sets of templates and then took a quick look at the Group Policy Settings reference spreadsheet to see what new settings have been added; the total number of settings is now over 3700!

The actual installs of Windows 10 have all gone very smoothly so far. As well as the relatively new developer PCs (1-2 years old) I have carried out Windows 10 upgrades on a variety of different older systems including a 5 year old desktop PC and a 4 year old laptop.



Cannot RDP to a Windows Server 2008 R2 virtual machine

A quite mystifying issue with one of the Citrix test machines was escalated to me this morning. The member of staff whose role it is to configure new test environments on the Citrix servers Skyped me to say that he couldn't RDP to the machine but could access it via the vSphere client, and could I please take a look at it and see if I could work out what was going on.

It was in a hell of a state and I suspect that he'd had a good go at fixing things himself but had made matters much worse. The Remote Desktop Services role had been uninstalled for a start! Not that that would have actually made much of a difference, as RDP for Administration would still be available without that role installed.

From the command line I ran the following two commands.

netstat -a -o | findstr 3389
and
qwinsta

The first was to display all the active TCP and UDP ports on which the computer was listening and then find the string 3389, which is the default RDP port number; the second command displays information about Remote Desktop sessions on a server. Neither returned any result.

I then restarted the Remote Desktop Services service.

Checked Remote Desktop Session Host and then at that point realised that RDS was no longer there. Reinstalled RDS and configured it to point at the license server again. A redundant step in terms of resolving the issue, but an important one in restoring the server back to full functionality.

Disabled the Windows Firewall completely.

From an elevated command prompt I ran the following two commands.
sfc /scannow
regsvr32 remotepg.dll

I thought about checking Group Policy to ensure that nothing silly had been configured that would have denied RDP connections.

To do so would involve opening up the Group Policy Editor locally and then expanding the following.
Computer Configuration – Administrative Templates – Windows Components – Remote Desktop Services – Remote Desktop Session Host – Connections.
Allow users to connect remotely using Remote Desktop Services (enable or disable)

But the issue was more fundamental than that as I could see that the port itself wasn’t open.

Then decided to check whether the correct port number was assigned to the Remote Desktop Services and, using information from this knowledge base article http://support.microsoft.com/kb/2477176, I checked the port number associated with RDP in the registry.

  • Ran regedit and opened the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Desktop server\WinStations
  • Located the PortNumber registry entry.
  • Saw that the port number 3390 had been assigned.
  • Changed the port back from 3390 to 3389.
  • Saved the change, and then closed Registry Editor.

Tested RDP from my laptop and it worked.

Job done.

This strikes me as being a deliberate change. There is security advice out there that suggests changing the default port to something else, but I don't believe that it offers a great deal of security and in this case was a massive pain. Also I can't think who would have made this change.
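
An added example, not part of the original post: a PowerShell check that reads the port the RDP listener is configured for and confirms that Remote Desktop Services is actually listening on it, instead of searching netstat output for 3389. It reads PortNumber from the Terminal Server\WinStations\RDP-Tcp key, uses only cmdlets available in PowerShell 2.0 on Server 2008 R2, and assumes English netstat output; the function name is made up for the example.

```powershell
# Added example (not from the original post). Compatible with PowerShell 2.0.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
$fwKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-RdpListenerState {   # hypothetical helper name
    # Port the RDP-Tcp listener is configured to use, and the "deny connections" switch.
    $port   = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
    $denied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

    # Remote Desktop Services (TermService): state and the PID of its svchost.exe.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='TermService'"

    # PIDs listening on exactly the configured TCP port. Matching ":<port>" in the
    # local-address column avoids the false hits a bare "findstr 3389" gets from
    # PIDs and remote ports, and still finds a listener on a non-default port.
    # "LISTENING" is the English state label (assumption: English-language netstat).
    $pattern = '^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING\s+(\d+)\s*$' -f $port
    $listenerPids = @(netstat -ano |
        ForEach-Object { if ($_ -match $pattern) { [int]$Matches[1] } } |
        Sort-Object -Unique)

    # Locally configured firewall profiles that are switched off (EnableFirewall = 0),
    # for example left disabled after troubleshooting. GPO-managed settings are not read.
    $fwOff = @('DomainProfile', 'StandardProfile', 'PublicProfile' | Where-Object {
        (Get-ItemProperty -Path (Join-Path $fwKey $_) -Name EnableFirewall).EnableFirewall -eq 0
    })

    New-Object PSObject -Property @{
        ConfiguredPort      = $port
        IsDefaultPort       = ($port -eq 3389)
        ConnectionsDenied   = ($denied -ne 0)
        ServiceState        = $svc.State
        ListeningOnPort     = ($listenerPids.Count -gt 0)
        OwnedByTermService  = ($listenerPids -contains [int]$svc.ProcessId)
        FirewallProfilesOff = ($fwOff -join ', ')
    }
}

Get-RdpListenerState | Format-List
```

A ConfiguredPort other than 3389 explains a failed connection from a client using the default port even when ListeningOnPort is True. A non-empty FirewallProfilesOff is worth correcting once the listener is confirmed.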