
Wednesday, February 27, 2013

Merge button missing in Security Compliance Manager (SCM)

When trying to merge two baselines in Microsoft Security Compliance Manager (SCM) you might see that the Merge button is missing.


Baselines must be associated with the same product before they can be merged.


After the baseline has been associated you are able to merge.


Tuesday, February 26, 2013

Updates missing when scheduling updates of Windows 2012

When trying to schedule updates for a Windows 2012 Server image in System Center Configuration Manager 2012 SP1, no updates are shown even though updates are available.


Microsoft has released an update to fix this issue:


After updating SCCM 2012 SP1 the updates are shown as expected, nice.


Monday, February 25, 2013

Remove Citrix XenApp Graphics from Web Interface

In some situations you might want to remove the Citrix XenApp graphics shown on the Web Interface.


Start a command prompt as administrator.


Create a copy of the existing file c:\inetpub\wwwroot\Citrix\XenApp\app_data\include\


Then edit the file c:\inetpub\wwwroot\Citrix\XenApp\app_data\include\


Find the entry #horizonTop img { and insert the text Display: none; as shown here:


The graphics are now gone:


Friday, February 22, 2013

Skip You have been logged off on Web Interface

In some situations you would prefer not to see the message You have been logged off. See you again soon. Instead of pressing Return to Log On, you would like to go directly to the logon page after logoff.


Start a Command Prompt as administrator.


Copy the existing file c:\inetpub\wwwroot\Citrix\XenApp\auth\loggedout.aspx in order to have a backup of the original file.


Edit the file c:\inetpub\wwwroot\Citrix\XenApp\auth\loggedout.aspx


Find the entry // A new Session will have been created for this page request as it has already been and insert the text Response.Redirect("login.aspx?CTX_FromLoggedoutPage=1"); just before the %> as shown here:


You will now jump directly to the logon page when you log off.

Wednesday, February 20, 2013

Slow Citrix Web Interface

This is a typical problem with newly installed Citrix Web servers.

You may see a very long response time for the users to get to the welcome screen.

This often happens when you have restarted IIS or the web site has not been used lately.

To fix this, start a command prompt as administrator.


Edit c:\Windows\Microsoft.NET\Framework\v2.0.50727\Aspnet.config


Insert the text <generatePublisherEvidence enabled="false"/> as shown here:


Do the same for the 64 bit version in c:\Windows\Microsoft.NET\Framework64\v2.0.50727\Aspnet.config
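
The element belongs inside the <runtime> section of Aspnet.config. The following PowerShell is an added example, not part of the original post: it backs up each of the two files named above and adds the element under <runtime> if it is not already set. The .bak file name is an assumption of this example.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
$configs = @(
    "$env:windir\Microsoft.NET\Framework\v2.0.50727\Aspnet.config",
    "$env:windir\Microsoft.NET\Framework64\v2.0.50727\Aspnet.config"
)

foreach ($path in $configs) {
    if (-not (Test-Path $path)) { Write-Warning "Not found: $path"; continue }

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's existing layout
    $xml.Load($path)

    # The setting lives under <configuration><runtime>.
    $runtime = $xml.SelectSingleNode('/configuration/runtime')
    if ($null -eq $runtime) {
        $runtime = $xml.CreateElement('runtime')
        [void]$xml.DocumentElement.AppendChild($runtime)
    }

    $node = $runtime.SelectSingleNode('generatePublisherEvidence')
    if ($null -ne $node -and $node.GetAttribute('enabled') -eq 'false') {
        Write-Host "Already set: $path"
        continue
    }

    # Keep the first backup only; the .bak name is an assumption of this example.
    if (-not (Test-Path "$path.bak")) { Copy-Item $path "$path.bak" }

    if ($null -eq $node) {
        $node = $xml.CreateElement('generatePublisherEvidence')
        [void]$runtime.AppendChild($node)
    }
    $node.SetAttribute('enabled', 'false')
    $xml.Save($path)
    Write-Host "Updated: $path"
}
```

The worker process reads Aspnet.config when it starts, so recycle the application pool or restart IIS afterwards.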


More information can be found here

Another tip that seems to have a good performance impact on Application Enumeration is to disable NetBIOS over TCP/IP:


Thursday, February 14, 2013

ADMX files available

In this post I will list the ADMX/ADML files I am aware of.

Some of them I have used in my daily work. There are probably many more, so let me know if you know of other ADMX files and I will update the list.

Product Download Link/Information Link
Office 2007 SP2
Office 2010
Office 2013
Office 2016 (Added October 2015)
Internet Explorer 8 Install Internet Explorer 8 on a computer and copy the updated inetres.admx and inetres.adml from C:\Windows\PolicyDefinitions or use IE 11 download link
Internet Explorer 9 Install Internet Explorer 9 on a computer and copy the updated inetres.admx and inetres.adml from C:\Windows\PolicyDefinitions or use IE 11 download link
Internet Explorer 10 Install Internet Explorer 10 on a computer and copy the updated inetres.admx and inetres.adml from C:\Windows\PolicyDefinitions or use IE 11 download link
Internet Explorer 11 Install Internet Explorer 11 on a computer and copy the updated inetres.admx and inetres.adml from C:\Windows\PolicyDefinitions or use
OneDrive for Business Next Generation Sync Client (Added June 2016)
MDOP (UE-V, APP-V and MBAM) (changed March 2017)
Adobe Reader XI
Direct Access Connectivity Assistant
Citrix Profile management Find it in your XenDesktop/XenApp ISO in x64\ProfileManagement\ADM_Templates (changed March 2017)
Citrix Receiver part of installation in "C:\Program Files (x86)\Citrix\ICA Client\Configuration" (changed March 2017)
Citrix Sharefile (ShareFile Drive Mapper Policy Definitions) changed March 2017
Windows Server 2016 TP5 Windows Server 2016 Technical Preview 5 (added April 2016)
Windows 10 (RTM and 1511) (added August 2015)
Windows 10 (1607) and server 2016 (added August 2016)
Windows 10 (1703) (added April 2017)
Windows 8.1 and 2012 R2 with Update1 (KB2919355) (added July 2014)
Windows 8.1 and 2012 R2 (added December 2013)
Windows 8 and 2012 (RTM)
Windows 7 and 2008 R2 (RTM)
Windows 2008
Windows Vista
Forefront Identity Manager 2010
GPO Logging Custom ADMX
3rd party software like Adobe Reader, 7-ZIP, Java, Skype and more
HP Universal Printer Driver HP Printer Administrator Resource Kit (added January 2014)
Forefront Endpoint Protection 2010 (fep2010grouppolicytools-en-us.exe)
Enhanced Mitigation Experience Toolkit Install EMET and you will find the admx file in the installation folder under EMET\Deployment\Group Policy Files (e.g. C:\Program Files (x86)\EMETxx\Deployment\Group Policy Files) (added March 2014)
VMware Horizon 6 ADMX files available inside the file (added July 2015)

Please also take a look at the article

Tuesday, February 12, 2013

Encountered an error while parsing in GPMC

After updating the ADMX files in your central store, you might see this error in GPMC:

Encountered an error while parsing.

Expected one of the following possible element(s)

This error is for example seen if you try to open the administrative template node from a Windows 2008 server but your central store is updated to Windows 2008 R2 or Windows 7 ADMX files.

From now on you should only use Windows 2008 R2, Windows 7 or newer to edit your group policy objects.


Friday, February 8, 2013

Create a central Store for GPO administrative templates

Update 18-11-2015

It looks like the ADMX files for the 1511 update have almost the same problem as last time:

If you have previously copied ADMX files for Windows 8.1 you might see this error:

Namespace 'Microsoft.Policies.WindowsStore' is already defined as the target namespace for another file in the store.


For now, just delete the old files winstoreui.adml and winstoreui.admx; they are replaced by WindowsStore.admx and WindowsStore.adml.

Update 05-08-2015

In order to support Windows 10 clients you can after updating your central store with Windows 2012 R2 and Windows 8.1 ADMX files also update with Windows 10 ADMX files.

Download the Windows 10 ADMX files from here Administrative Templates (.admx) for Windows 10. Install the downloaded MSI and then copy all ADMX files and the language folders you need (ADML files) from "C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions" to \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions


Accept to copy and Replace all files and folders:



After copying you need to do this:

Delete the LocationProviderADM.admx and LocationProviderADM.adml files from the central store.

Rename Microsoft-Windows-Geolocation-WLPAdm.admx to LocationProviderADM.admx

Rename Microsoft-Windows-Geolocation-WLPAdm.adml to LocationProviderADM.adml

"'Microsoft.Policies.Sensors.WindowsLocationProvider' is already defined" error when you edit a policy in Windows
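
Both "already defined" errors above appear when two ADMX files in the store declare the same target namespace. The following PowerShell is an added example, not part of the original post: it reads a PolicyDefinitions folder, lists files that share a namespace, and lists ADMX files that have no ADML in the chosen language folder. The parameter names and the default path are assumptions of this example, and the script only reads the store.

```powershell
# Added example (not from the original post). Read-only check of a PolicyDefinitions folder.
param(
    # Defaults to the local folder; pass \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions
    # (with your own domain name) to check the central store.
    [string]$StorePath = "$env:windir\PolicyDefinitions",
    [string]$Language  = 'en-US'
)

$admx = foreach ($file in Get-ChildItem -Path $StorePath -Filter *.admx) {
    $xml = New-Object System.Xml.XmlDocument
    try { $xml.Load($file.FullName) }
    catch { Write-Warning "Cannot parse $($file.Name): $($_.Exception.Message)"; continue }

    # Each ADMX declares its own namespace in <policyNamespaces><target namespace="...">.
    $target = $xml.DocumentElement.policyNamespaces.target
    if ($null -eq $target) { Write-Warning "No target namespace in $($file.Name)"; continue }

    [pscustomobject]@{
        File      = $file.Name
        Namespace = $target.GetAttribute('namespace')
        HasAdml   = Test-Path (Join-Path $StorePath "$Language\$($file.BaseName).adml")
    }
}

# Files sharing one target namespace: the cause of the "already defined" error.
Write-Host "Duplicate target namespaces:"
$admx | Group-Object -Property Namespace | Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{ Namespace = $_.Name; Files = ($_.Group.File -join ', ') }
    } | Format-Table -AutoSize

# ADMX files with no matching ADML in the chosen language folder.
Write-Host "ADMX files without a $Language ADML:"
$admx | Where-Object { -not $_.HasAdml } | Select-Object File, Namespace |
    Format-Table -AutoSize
```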

Update 05-01-2014

Now that we are typically dealing with Windows 2012 R2 and Windows 8.1, it's time for a short update.

The procedure explained in this article is still valid, but at the moment the easiest way is to download the ADMX files from here and copy all ADMX files after installing the downloaded file from "C:\Program Files (x86)\Microsoft Group Policy\Windows 8.1-Windows Server 2012 R2\PolicyDefinitions" to \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions

Then copy all the language folders (with ADML files) for the languages you need, ending up with something like this, where only en-US language files are used.


By using the downloaded files instead of the files in c:\Windows\PolicyDefinitions you will see a bit more files than in the local PolicyDefinitions folder, in my example the ADMX files added were these:


But this will depend on the Roles and features installed on your Windows 2012 R2 server. By doing this you are ready to support Windows 2012 R2 and Windows 8.1 clients.

Original post

In order to take full advantage of the ADMX/ADML template files we create a central store for the files.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location: \\FQDN\SYSVOL\FQDN\policies as shown here


Copy all files and subfolders from the PolicyDefinitions folder on a Windows 7 client computer to the PolicyDefinitions folder on the domain controller.

After that copy all files and subfolders from the PolicyDefinitions folder on a Windows 2008 R2 server to the same location overwriting any existing files.

The same has to be done if your source is Windows 8 and Windows 2012 instead.


You can find the PolicyDefinitions folder in your windows folder (C:\Windows\PolicyDefinitions).

The reason for copying from both Windows 7 and Windows 2008 R2 is that some ADMX/ADML files only exist on one of the platforms.

To make this a bit more complicated some ADMX/ADML files will first show up in the local PolicyDefinitions folder when the corresponding server role has been installed.

You should always edit your policies from an OS platform equal to or higher than the OS platform the ADMX/ADML files are taken from. So if your files are taken from Windows 7 and Windows 2008 R2, don't use Windows Vista or Windows 2008 to edit GPOs.

ADMX files for other products can also be copied to the central store, more on this later.

When the central store is in use you will see the information Policy definitions (ADMX files) retrieved from the central store when looking at the administrative templates in the Group Policy management Editor (GPMC).


Please also see my list of available ADMX files that you could add to your Central Store when needed:

Remember to use the latest version of the Group policy Editor or you could end up with errors like this:

Thursday, February 7, 2013

Drive Mappings in Group Policy Preferences not working

Drive mappings in group policy preferences are not always working as I would like them to. There are however ways to change the default behavior.

Drive mappings are not done at every login or gpupdate, so in order to change this you can change the policy

Computer Configuration – Administrative Templates – System – Group Policy – Drive Maps preference extension policy processing (on Windows 8/2012 the title is Configure Drive Maps preference extension policy processing)

If this setting is missing you might have to update your ADMX files in your central store.


This will trigger the drive mapping CSE at every login.

When deleting a drive mapping and running GPUPDATE the drive is not coming back.

This can be fixed by changing this registry value to 0: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}\NoBackgroundPolicy


If your Windows 7 users have local administrative rights you might also need to take a closer look at this link and then create the EnableLinkedConnections registry entry. For Windows 8 this hotfix might be your answer


Another issue seen more than once is that your non-persistent drive mappings are shown as disconnected when you start your computer offline. Microsoft has a hotfix available for this problem:

A mapped drive that has the non-persistent flag set is displayed as a disconnected drive in Windows 7 or in Windows Server 2008 R2

Wednesday, February 6, 2013

Users able to eject NIC on RDS and XenApp servers

When building virtual XenApp or RDS servers it might not be a good thing that users are able to eject the network card.


One way to disable this is to change the configuration of the virtual machine.

Go to the Options tab, select General and then click on Configuration Parameters.


Now Add a Row named devices.hotplug and set it to False, this will remove the eject option from Windows.


Friday, February 1, 2013


When demoting a DC I ran into this error:

The operation failed because: Active Directory Domain Services could not configure the computer account <hostname>$ to the remote Active Directory Domain Controller account <fully qualified name of helper DC>. “Access is denied”

I found a possible explanation dealing with missing security rights as described here kb2002413, but it was quickly clear that this was not the case.

It turned out to be a very simple solution, the computer had the protect object from accidental deletion checked, when this was unchecked, I was able to remove the DC.