Think I figured something out. Nevermind! And thanks again.
Okay, got another question…
Is there really any difference in putting the users computer in on the delegation tab and putting it in the Security Filtering tab?
Seems if I put it in the Security Filtering tab, it adds it to the Delegations tab.
If you put things in the Security Filtering area, the object gets both Read and Apply rights to the GPO. Whereas if you put the computer in the delegation tab, you can manually assign it only Read rights and leave off Apply.
You’d have to decide if it’s ok to have the GPO apply to the computer. If the GPO only has User configurations, it won’t make a difference if it applies to a computer.
Thanks. You have really cleared something up for me! Makes much more sense now.
Okay, another issue I was hoping to get help with.
Got a brand new Windows 10 Pro laptop in. Updated it to the anniversary edition. It is capable of using Windows Hello, however it is disabled once I joined it to our local domain.
I created a GPO and enabled the following under computer config…
Turn on convenience Pin sign-in
Allow users to log on using biometrics
Use a hardware security device
Use Windows Hello for Business
All settings (PIN and Hello) are still greyed out. I have applied it to Authenticated users and the computer shows it applied in results.
One more thing, for some reason there is a down arrow on the Use Biometrics setting even though it is enabled. Never seen that before.
I am going to start a new post about this since it looks to be a bit different than the discussion we were having.
I saw that down arrow too, and don’t know what it means. See my other post for details on getting Hello to work.
Okay, so I have a GP that makes it where a user cannot change their Windows 10 Lock screen image. The GP applies to the computers, but is not listed in the gpresults. Why would that be?
It also seems that Windows 10 honors the “Force a specific default lock screen and logon image” but the Anniversary edition does not. That really stinks as now there is no way for me to use a custom screen from GP.
So then I decide, I will manually set the lock screen then use a GP to “Prevent changing lock screen and logon image”. Nope. Anniversary edition does prevent changing, but it does not use the last selected image, it defaults to the beach picture.
So, control of the lock screen, desktop, etc has been moved into Windows 10 Enterprise.
Essentially, and I could probably teach a class on this by this point, moving forward MS sees Win 10 Pro as essentially Windows 10 Home + Domain Join for use in small businesses. It will be inexpensive, and the people who utilize it will receive a mostly standardized Windows experience without much interference from whatever form of IT Administration they may have.
Any organizations which want to exert control over the desktop experience will need to pay for that privilege by blanket licensing Windows 10 Enterprise. They can do that either perpetually via a Volume Licensing or Enterprise agreement, by stand-alone subscription with Windows 10 Enterprise E3 or E5, or via bundled subscription as part of Secure Productive Enterprise E3 or E5.
Don’t mistake this communication as either for or against Microsofts actions. I both understand their position as well as the position that Microsoft has put effected parties into. The best thing I can say is that with the proliferation of web-based or cloud services, there has never been a better time to deeply consider whether you want to commit to being a Microsoft client over the next 10 years.
If yes, you should embrace their new subscription model and begin to migrate onto the “next-gen” microsoft platform. If no, you should begin to prepare a move to macOS, Chrome, or maybe even Linux on the Desktop. (if you are brave )
- Karl P
Okay, so I thought, I will just change out that dumb beach picture with my image. It still shows the beach picture! How is that even possible? Unless it is pulling it from somewhere else whenever I lock changing the lock screen image.
iamkarlp, can I just go to Techsoup and buy the Enterprise edition upgrade from them for $15 and upgrade my Win10Pro?
You can absolutely “upgrade” from Win 10 Pro → Enterprise, but it does require a full upgrade to do it (you can’t just do a windows anytime upgrade). That said, I believe you can do an in-place upgrade to do this (leaving all user settings, apps, and data intact).
Someone else might have more experience with that process than I.
From what I have read, upgrading to Enterprise consists only of putting in a new product key.
I can confirm, all I had to do is enter our MAC Key and tell it to upgrade:
Now I feel all special, I guess.
Just found a TechNet artical that supports: https://blogs.technet.microsoft.com/askcore/2015/11/23/how-to-convert-windows-10-pro-to-windows-10-enterprise-using-icd/
Hey, Great to hear! Glad I learned something new!
I apologize for misleading you. Up to and including Windows 8.1 the Pro → Enterprise path was via full “reinstall” with the “old” windows being moved to windows.old.
Glad to hear this has been imposed - this is great news!
I am still trying to figure out the GP issues. I have upgraded my PC to Enterprise and I can now set the Lockscreen image successfully. HOWEVER, I created a policy to do only that. Specify the lockscreen image and set it so the user cannot change it (both are under Computer Config). It applies just fine, but does not show up on the list of applied policies doing a gpresult.
If I add some little setting under User Config, then gpresult shows it under the applied policies.
Why is that? Why will it not show when it is only a Computer Config?
Are you running in an elevated session (Run As Administrator)? I believe it will only show User results if you run gpresult in a normal user session, but should show both if elevated.
Tried both ways. Does not list it either way.