Windows 10 Anniversary Update Issues


(Craig Mashburn) #1

So, I loaded the update on my machine to test. Several little annoying things so far, but nothing major.

I did notice that all my mapped drives that come from Group Policy, do not honor the “Label as” tag from Group Policy. This will be a huge issue when I roll this out to users.

Anyone know of a fix?


(Aaron Harvey) #2

I have not seen this issue. I have one of my drives mapped with the Label As feature, and it is working correctly on my Anniversary Ed. computers. I’m using the Group Policy Preferences to map user drives. I’m not sure if this would affect it at all, but are you using the 1607 administrative template (https://www.microsoft.com/en-us/download/details.aspx?id=53430)?

This most annoying part of 1607 for me has been the Windows Update changes they have made since 1511 in GPO, and how some of it has been implemented. Like if you turn on “Defer Feature Updates”, the clients will completely ignore your WSUS and go download updates from MS, even if you haven’t approved them in WSUS.


(Will Polley) #3

I wonder if @smithje3 knows. Troll face.


(Optimus Prime) #4

What is your domain’s functional level? It’s possible that this is something that’s addressed in higher functional levels or with more modern GP. I think @aharvey may be on to something with the administrative templates too.


(Jonathan Smith) #5

I’ve not experienced this issue either. I agree that you may need to update your templates. Those change a lot. At least that part is easy and if that is the issue updating your templates should automatically fix the problem.

In general if you are using Pro or lower then you are losing more and more control over updates as Microsoft wants the updates installed to help “keep us all safe” as most folks don’t install the updates. If you need granular control make sure you run Enterprise.

Smiling Troll face.


(Derek Schwab) #6

If you’re using WSUS, there’s no reason to check he defer upgrades box. One you specify a WSUS server, the upgrades are controlled by WSUS.
This applies to Pro as well. There’s no need to run enterprise to control upgrades.


(Aaron Harvey) #7

Agreed, but it would be nice to be able to defer feature upgrades all the time, whether they check online for updates, or check for updates from WSUS. I’m not blocking system from being able to check online for updates from Microsoft for a couple reasons, but I’d still like those systems to defer feature updates when doing so, but also follow WSUS rules when they are not explicitly checking online for updates. I guess I want my update cake and eat it too.


(Craig Mashburn) #8

Had no idea there were new templates. I will give that a whirl. Thanks!


(Craig Mashburn) #9

Okay, I got them installed but am having a problem with GP that I do not understand. Keep in mind I am able to fumble my way through GP, but not anywhere near knowledgeable!

So I have policy to map a drive. It uses the User Configuration/Preferences/Windows Setting/Drive Maps setting to map a drive K: (with action update). This policy is set to go to a usergroup Staff which I am in.

When I do a gpresults /r on my Win10Pro machine, the policy does not show in results.
If I go back to Group Policy Management and apply it to my COMPUTER instead of my user, then it shows up in my results.

So why is a USER CONFIGURATION not applying when assigned to a user? I have run into this on some other settings I tried to add and I am baffled.


(Aaron Harvey) #10

Are you using Security Filtering on the GPO to apply the policy? Or are you just applying the mapping using Item-level targeting for the specific mapped drive?

I ask because this summer Microsoft released an update that inherently changed how GPOs are read and applied. They now are read by the computers only, even if they are User configuration GPs. Here is a link to a MS blog on the topic. https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/ Basically, it boils down to making sure either Authenticated Users, or at least Domain Computers has read access to the GPO.

For my drive mapping GPO, the security filtering on the GPO itself is set to include “Authenticated Users” (which is the default). This allows all computers/users to be able to read the GPO.

Then within the GPO, for the specific drive mapping, I’m using Item-level targeting to apply the drive mapping to a specific user group.


You’ll notice that my mapping GPO is applied to both church staff, and computers in the domain. So mine isn’t an accurate test of the problem you are experiencing since you are only applying the GPO to users when it fails.

If all this looks good in your environment, let me know and I’ll try to do some more digging. Let me know if you have any questions.

Aaron


(Craig Mashburn) #11

Thanks for the info. Sorry it took so long to reply. Been swamped.

I think I understand how you are doing it. One question…

I have a mapping policy that is only for two users. I used the item level targeting as you did and changed the security filtering to Authenticated Users.

When I run gpresults /r on my machine, it lists that policy as being applied even though I was not one of the targeted users. It does not seem to be mapping the drive, but still shows it as applied which can be very confusing in the future trying to figure things out.

Any ideas?


(Aaron Harvey) #12

That sounds like you are getting the correct behavior. The policy itself is going to apply to everyone in the OU(s) that you have it linked with. But it will only map drives for the people you have targeted in the Item-Level targeting.

Item-level targeting does add another layer you will have to deal with. Your GPResult will indicate that it is applied, but if for some reason drives aren’t mapped, you’ll have to realize it is a Preference setting, and as such may be subject to targeting rules which may need modified/updated.

If you run gpresult /h, the html file will give you a little more insight in that it will show it as a Preference, and also show which, if any, drive mappings are applicable to the user.

So if you log in as one of the users you have the targeting assigned to with your policy, is it mapping the drive properly?


(Craig Mashburn) #13

Well, that sure makes things confusing! So there is no way anymore to just apply a GP only to those who need it? You have to apply to everyone and then select the ones that actually honor it.

Yes, it seems to be working as you described.


(Craig Mashburn) #14

Here is another GP issue. I have a GP to redirect a users MUSIC folder to the server. Using User Config/Policies/Windows Settings/Folder Redirection/Music.

When I try to assign it to a user, does not work. Assign it to a computer, it works. As far as I can tell this does not have the same Item-level targeting that the mappings have.


(Aaron Harvey) #15

You can still apply a GP to individual users if you so choose. So for your drive mappings GP, you could only have it assigned to specific users at the GP level, and totally ignore the Item-Level Targeting. That is an option. I went the other route to have it assigned to everyone, and then since I use a single GPO to map multiple drives, I use Item-Level Targeting to determine who gets which drive mapped. (K: is mapped for all domain users, L: is mapped if you are in the Worship group, M: if you are Ministry staff, etc.) That way I don’t have to have separate GPOs for each drive mapping and mess with security at the GPO level.

For your second item, I believe it goes back to the security changes made by Microsoft this summer and the article I linked in a message above. You can apply a GPO to a user, BUT the computer the user is logging into has to have read access to the GPO. So if you are changing the Security Filtering scope to only apply to specific users, you then need to add permissions for the computer to be able to read the GPO. You can do this on the delegation tab. The article recommends that you use the delegation tab to grant Authenticated Users just the Read right. Remember, it won’t Apply the GPO to all authenticated users, since that is a separate right, it just allows them to be able to read it. Other options are to grant Domain Computers read rights, or even specific computers, but if the user logs into a different computer, or gets a new one, the GPO will not be read, and thus not applied. The article goes into more details and probably a better explanation than I could give.


(Craig Mashburn) #16

So how do you “assign to specific users at the GP level”?

I have always just put the users in the “Security Filtering” field, but that seems to no longer work.

The second part makes perfect sense. No way Microsoft could explain it better! Thanks!


(Aaron Harvey) #17

Yep, that is how. Use the Security Filtering field.

Just remember to update the delegation tab so computers somehow have read access to the GPO anytime you remove Authenticated Users from the Security Filtering scope.


(Craig Mashburn) #18

Gotcha. Thanks! :slight_smile:


(Craig Mashburn) #19

While I have you on this topic, I am playing with a test GPO. It is to redirect the Music folder to a user folder on the server. gpresults shows me it is getting applied to my test Windows 10 Pro machine, but it will not redirect the folder.

I have made sure the test machine has access/rights to the folder. Any ideas on how to track down the problem?


(Craig Mashburn) #20

When doing a gpupdate I get “The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.”

So I reboot and still nothing.