Use a Local Administrator Account for Remote Administration

Local administrator accounts are commonly configured with the same password across all devices in corporate environments, making it easy for attackers to own every device if the password is compromised. Microsoft’s security baseline templates block remote use of local accounts because until Local Administrator Password Solution (LAPS) was released in 2015, there was no mechanism for securely managing local administrator accounts. LAPS is a free tool from Microsoft that randomizes local admin passwords every 30 days and stores them securely in Active Directory for each computer account.

The risk posed by local administrator accounts can be managed by manually setting a random password on each device and then recording it in a spreadsheet. But that doesn’t address the issue of changing passwords periodically and requires you to make sure the spreadsheet isn’t accessed by malicious or unauthorized users. LAPS solves these problems, ensuring that local administrator accounts remain secure and can’t be used by hackers to laterally move around your network.

For more information on using LAPS, see Secure Local Administrator Accounts with the Local Administrator Password Solution (LAPS) Tool on Petri. Microsoft’s security baseline templates for Windows and Windows Server are available as part of the Security Compliance Toolkit.

Despite the convenience LAPS provides for managing local admin accounts, IT helpdesk staff often use a domain account that is granted administrator rights on each workstation in the domain. While this account doesn’t need to be a privileged domain account, i.e. not a member of Domain Admins or other privileged AD group, the account could still be used to compromise every workstation in the domain.

Local Accounts for Remote Administration

In a blog post by Aaron Margosis, Microsoft recommends that organizations consider unblocking remote use of local administrator accounts if LAPS or another password management solution is in place and you want to use local accounts for remote administration. Otherwise, you should continue to block remote use of local accounts.

Margosis says that if a helpdesk user wants to remotely access a workstation, it is more secure to retrieve the local administrator password from AD than to use a domain account. If the local admin password is compromised, any damage is limited to that device. Some remote access tools expose credentials when logging in to remote systems, so IT helpdesk account credentials could be compromised.

If you decide to unblock remote use of local accounts, there are three Group Policy settings that need to be changed:

  • Deny access to this computer from the network
  • Deny log on through Remote Desktop Services
  • Apply UAC restrictions to local accounts on network logon

The first two settings can be found under Windows Settings\Security Settings\Local Policies\User Rights Assignment and should be set to empty. The third is a custom setting that’s part of the baseline templates (SecGuide.admx). It can be found under Administrative Templates\MS Security Guide and should be set to Disabled.

As you can see, there are some definite advantages to using LAPS-managed local administrator accounts for remote access. The only drawbacks that I can see are that it requires some administrative effort for helpdesk staff to retrieve local admin passwords from AD every time they need to log in, as opposed to getting quick access with a domain account. Secondly, using an unnamed account to log in means we don’t have a record of who accessed the device with administrative privileges. You can work around this by enabling auditing of access to LAPS passwords in AD and resetting passwords after each use. Both these tasks can be accomplished using the PowerShell Set-AdmPwdAuditing and Reset-AdmPwdPassword cmdlets respectively.
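The audit-and-reset workaround described above, as an added example that is not part of the original article. It assumes the legacy LAPS management tools (the AdmPwd.PS module) are installed; the OU, group, and computer names are placeholders, and Get-LapsPasswordForSession is a hypothetical helper name.

```powershell
# Added example, not from the original article.
# Assumes the AdmPwd.PS module that ships with the LAPS management tools.
Import-Module AdmPwd.PS

# One-time setup per OU: audit reads of the stored password by the listed
# principals. Reads then appear in the domain controllers' Security log
# (event ID 4662) when directory service access auditing is enabled.
# The OU and group below are placeholders.
Set-AdmPwdAuditing -OrgUnit 'OU=Workstations,DC=example,DC=com' `
                   -AuditedPrincipals 'EXAMPLE\Helpdesk'

function Get-LapsPasswordForSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName,

        # How long the retrieved password should stay valid
        [ValidateRange(1, 24)]
        [int]$ValidHours = 4
    )

    # Read the current password from the computer object in AD
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if ([string]::IsNullOrEmpty($entry.Password)) {
        throw "No LAPS password is readable for '$ComputerName'. Check read permissions and that LAPS is applied to the device."
    }

    # Move the expiration forward so the client rotates the password at its
    # first Group Policy refresh after the session window closes
    $expiry = (Get-Date).AddHours($ValidHours)
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective $expiry | Out-Null

    [pscustomobject]@{
        ComputerName = $entry.ComputerName
        Password     = $entry.Password
        RotatesAfter = $expiry
        RetrievedBy  = "$env:USERDOMAIN\$env:USERNAME"
    }
}

# Placeholder computer name
Get-LapsPasswordForSession -ComputerName 'WKS-0001' -ValidHours 2
```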

 

Source
https://www.petri.com/use-a-local-administrator-account-for-remote-administration

How to disable SMBv1 Windows

How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

Applies to: Windows 7 Enterprise, Windows 7 Home Basic, Windows 7 Home Premium

Summary


This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.

In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:

  • Request compounding - allows for sending multiple SMB 2 requests as a single network request
  • Larger reads and writes - better use of faster networks
  • Caching of folder and file properties - clients keep local copies of folders and files
  • Durable handles - allow for connection to transparently reconnect to the server if there is a temporary disconnection
  • Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
  • Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
  • Support for symbolic links
  • Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
  • Large MTU support - for full use of 10-gigabyte (GB) Ethernet
  • Improved energy efficiency - clients that have open files to a server can sleep

In Windows 8, Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality that's described in the previous list):

  • Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
  • Scale Out – concurrent access to shared data on all file cluster nodes
  • Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
  • SMB Direct – adds RDMA networking support for very high performance, with low latency and low CPU utilization
  • Encryption – Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
  • Directory Leasing - Improves application response times in branch offices through caching
  • Performance Optimizations - optimizations for small random read/write I/O

More Information


The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008.

The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

For more information about the capabilities of SMBv2 and SMBv3, go to the following Microsoft TechNet websites:

How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016


Windows Server 2012 R2 & 2016: PowerShell methods

SMB v1
Detect: Get-WindowsFeature FS-SMB1
Disable: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Enable: Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

SMB v2/v3
Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

Windows Server 2012 R2 and Windows Server 2016: Server Manager method for disabling SMB

SMB v1

 

Windows 8.1 and Windows 10: PowerShell method

SMB v1 Protocol

Windows 8.1 and Windows 10: Add or Remove Programs method

How to detect status, enable, and disable SMB protocols on the SMB Server


For Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

SMB v1 on SMB Server
Detect: Get-SmbServerConfiguration | Select EnableSMB1Protocol
Disable: Set-SmbServerConfiguration -EnableSMB1Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB1Protocol $true

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server
Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

PowerShell methods

SMB v1 on SMB Server

Detect:

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Default configuration = Enabled (No registry key is created), so no SMB1 value will be returned

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

Note You must restart the computer after you make these changes.

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server

Detect:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

Note You must restart the computer after you make these changes.

Registry Editor

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To enable or disable SMBv1 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

To enable or disable SMBv2 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Note You must restart the computer after you make these changes.

How to detect status, enable, and disable SMB protocols on the SMB Client


For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

Note When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

SMB v1 on SMB Client
Detect: sc.exe qc lanmanworkstation
Disable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Client
Detect: sc.exe qc lanmanworkstation
Disable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
Enable:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto

Notes

  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.

Disable SMBv1 Server with Group Policy


This procedure configures the following new item in the registry:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1 REG_DWORD: 0 = Disabled

To configure this by using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.

In the New Registry Properties dialog box, select the following:

  • Action: Create
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  • Value name: SMB1
  • Value type: REG_DWORD
  • Value data: 0

This disables the SMBv1 Server components. This Group Policy must be applied to all necessary workstations, servers, and domain controllers in the domain.

Note WMI filters can also be set to exclude unsupported operating systems or selected exclusions, such as Windows XP.

Disable SMBv1 Client with Group Policy


To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

This will update and replace the default values in the following 2 items in the registry:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Registry entry: Start REG_DWORD: 4 = Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Registry entry: DependOnService REG_MULTI_SZ: "Bowser","MRxSmb20","NSI"

Note The default value included MRxSMB10, which is now removed as a dependency.

To configure this by using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.

In the New Registry Properties dialog box, select the following:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
  • Value name: Start
  • Value type: REG_DWORD
  • Value data: 4

Then remove the dependency on MRxSMB10, which was just disabled.

In the New Registry Properties dialog box, select the following:

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
  • Value name: DependOnService
  • Value type: REG_MULTI_SZ
  • Value data:
    • Bowser
    • MRxSmb20
    • NSI

Note These three strings will not have bullets (see the following screen shot).

The default value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanServer and going from four default values down to just these three values above.

Note When you use Group Policy Management Console, you don't have to use quotation marks or commas. Just type each entry on its own line.

Restart required

After the policy has applied and the registry settings are in place, the targeted systems must be restarted before SMB v1 is disabled.

Summary

If all the settings are in the same Group Policy Object (GPO), Group Policy Management displays the following settings.

Testing and validation

After these are configured, allow the policy to replicate and update. As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. Make sure SMB v2 and SMB v3 are functioning for all other systems in the environment.
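One way to review a target computer, as an added example that is not part of the original article: the function below reads the three registry values configured in the Group Policy sections above and treats a missing SMB1 value as enabled, matching the documented default. Get-Smb1State is a hypothetical helper name, and reporting a missing mrxsmb10 key as "NotPresent" is an assumption of this example.

```powershell
# Added example, not from the original article.
# Reports the configured SMBv1 state from the registry values this page sets.
# It reflects configuration only; a restart is still needed for changes to apply.
function Get-Smb1State {
    [CmdletBinding()]
    param()

    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Return a single registry value, or $null when the key or value is absent
    function Read-Value([string]$Key, [string]$Name) {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    # Server side: SMB1 = 0 disables; a missing value means the default (enabled)
    $smb1Value     = Read-Value "$services\LanmanServer\Parameters" 'SMB1'
    $serverEnabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)

    # Client side: Start = 4 means the MRxSMB10 driver is disabled.
    # Assumption: no mrxsmb10 key at all means the driver is not present.
    $startValue   = Read-Value "$services\mrxsmb10" 'Start'
    $clientDriver = if ($null -eq $startValue) { 'NotPresent' }
                    elseif ($startValue -eq 4)  { 'Disabled' }
                    else                        { 'Enabled' }

    # LanmanWorkstation must no longer list MRxSMB10 as a dependency
    # (-contains compares case-insensitively)
    $dependencies  = @(Read-Value "$services\LanmanWorkstation" 'DependOnService')
    $dependsOnSmb1 = $dependencies -contains 'MRxSmb10'

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        ServerSmb1Value          = if ($null -eq $smb1Value) { '(not set, default enabled)' } else { $smb1Value }
        ServerSmb1Enabled        = $serverEnabled
        ClientDriverStart        = $clientDriver
        WorkstationDependsOnSmb1 = $dependsOnSmb1
        Smb1Disabled             = (-not $serverEnabled) -and
                                   ($clientDriver -ne 'Enabled') -and
                                   (-not $dependsOnSmb1)
    }
}

Get-Smb1State | Format-List
```

A result with ClientDriverStart set to Disabled while WorkstationDependsOnSmb1 is still True means only one of the two client registry items has been applied.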

Windows Start Run commands

Accessibility Options		utilman
				or
				control access.cpl

Add Hardware Wizard		hdwwiz
Programs and Features		appwiz.cpl
(Add New Programs)		control appwiz.cpl,,1
(Add Remove Windows Components)	control appwiz.cpl,,2
(Set Program Access & Defaults) control appwiz.cpl,,3


Administrative Tools	        control admintools
Advanced User Accounts 
Control Panel	                netplwiz
Authorization Manager	        azman.msc
Automatic Update control        wuaucpl.cpl
Backup and Restore Utility	sdclt
Bluetooth Transfer Wizard	fsquirt
Calculator	                calc
Certificate Manager	        certmgr.msc
Character Map	                charmap

Check Disk Utility	        chkdsk
Clear Type (tune or turn off)	cttune
Color Management	        colorcpl.exe
Command Prompt	                cmd
Component Services	        dcomcnfg
	                        or
	                        comexp.msc
Computer Management	        CompMgmtLauncher.exe
	                        or 
	                        compmgmt.msc
Control Panel	                control

Credential (passwords) Backup
and Restore Wizard	        credwiz
Data Execution Prevention	SystemPropertiesDataExecutionPrevention
Date and Time Properties	timedate.cpl
Device Manager	                hdwwiz
	                        or
	                       devmgmt.msc
Device Pairing Wizard	       DevicePairingWizard
Digitizer Calibration Tool
(Tablets/Touch screens)	       tabcal
Direct X Control Panel
(if installed)	              directx.cpl
Direct X Troubleshooter	      dxdiag
Disk Cleanup Utility	      cleanmgr
Disk Defragmenter	      dfrgui
	                      defrag
Disk Management	              diskmgmt.msc
Disk Partition Manager	      diskpart
Display Color Calibration     dccw
Display DPI / Text size	      dpiscaling
Display Properties (Themes,
Desktop, Screensaver)	      control desktop
Display Properties
(Resolution, Orientation)     desk.cpl
Display Properties
(Color & Appearance)	      control color
Documents (open
'My Documents' folder)	      documents
Downloads (open
'Downloads' folder)	     downloads
Driver Verifier Utility	     verifier
DVD Player	             dvdplay

Edit Environment Variables   rundll32.exe sysdm.cpl,EditEnvironmentVariables
Encrypting File
System Wizard (EFS)	     rekeywiz
Event Viewer	             eventvwr.msc
File Signature Verification
Tool (Device drivers)	     sigverif
Files and Settings
Transfer Tool	            %systemroot%\system32\migwiz\migwiz.exe
Firewall Control Panel	    firewall.cpl
Folders Properties	    control folders
Fonts list	            control fonts
Font preview	            fontview arial.ttf
Game Controllers	    joy.cpl
Local Group Policy Editor   gpedit.msc
Internet Properties	    inetcpl.cpl
IP Configuration	    ipconfig
iSCSI Initiator
configuration	            iscsicpl
Keyboard Properties	    control keyboard
Language Pack Installer	    lpksetup
Local Security Policy	    secpol.msc
Local Users and Groups	    lusrmgr.msc
Log out	                    logoff
Microsoft Malicious
Software Removal Tool	    mrt
Microsoft Management
Console	                   mmc
Access (Microsoft Office)  msaccess
Excel (Microsoft Office)   Excel
Powerpoint
(Microsoft Office)         powerpnt
Word (Microsoft Office)	   winword
Microsoft Paint            mspaint

Microsoft Support
Diagnostic Tool	          msdt
Mouse Properties	  control mouse
	                  or 
	                  main.cpl
Network Connections	  control netconnections
	                  or 
	                  ncpa.cpl
Projector:	          netproj
Connect to Network
Projector Switch
projector display	  displayswitch
Notepad	                  notepad
ODBC Data Source Admin	
Default ODBC driver:	  C:\windows\system32\odbcad32.exe
32-bit ODBC driver
under 64-bit platform:	  C:\windows\sysWOW64\odbcad32.exe
ODBC configuration
Install/configure MDAC
drivers	                 odbcconf
On Screen Keyboard	 osk
OOB Getting Started	 gettingstarted
Password - Create a
Windows Password Reset
Disk (USB)	        "C:\Windows\system32\rundll32.exe" keymgr.dll,PRShowSaveWizardExW


Pen and Touch
(Tablet/Pen input
configuration)	        tabletpc.cpl
Performance Monitor	perfmon.msc
Phone and Modem Options	telephon.cpl
Phone Dialer	        dialer
Power Configuration	powercfg.cpl and powercfg.exe
Presentation Settings	PresentationSettings
Problem Steps Recorder	psr
Program Access and
Computer Defaults 
browser / email / media	computerdefaults
Printers and Faxes	control printers
Print Management (.msc)	PrintManagement
Printer Migration
(backup/restore)	printbrmui and printbrm.exe
Printer user interface
(List all printui.dll
options)	        printui
Private Character
Editor	                eudcedit
Regional Settings
Language, Date/Time
format, keyboard	intl.cpl
Registry Editor	        regedit
Remote Assistance	msra

Remote Desktop	        mstsc
Resource Monitor	resmon
Resultant Set of Policy	rsop.msc
Settings (Windows 10)	ms-settings:
Scheduled Tasks	control schedtasks
Screenshot
Snipping Tool	        snippingtool
Security Center	        wscui.cpl
Services	        services.msc
Shared Folder Wizard	shrpubw
Shared Folders	        fsmgmt.msc
Shut Down Windows	shutdown
Software Licensing
Activation	        slui
Sounds and Audio	mmsys.cpl
Sound Recorder	        soundrecorder
Sound Volume	        sndvol
Synchronization Tool
(Offline files)	        mobsync
System Configuration
Utility	                msconfig
System File Checker
Utility (Scan/Purge)	sfc
System Information	msinfo32
System Properties	sysdm.cpl SystemProperties
	                or
	                sysdm.cpl DisplaySYSDMCPL

System Properties
Performance	        SystemPropertiesPerformance
System Properties
Hardware	        SystemPropertiesHardware
System Properties
Advanced	        SystemPropertiesAdvanced
System Repair
Create a System
Repair Disc	       recdisc
System Restore	       rstrui
Task Manager	       taskmgr
Task Scheduler	       taskschd.msc
Telnet Client	       telnet
Trusted Platform
Module Initialization
Wizard	               tpmInit
User Accounts
(Autologon)	       control userpasswords2
User Account
Control (UAC) Settings UserAccountControlSettings
User Profiles
Edit/Change type       C:\Windows\System32\rundll32.exe sysdm.cpl,EditUserProfiles
Windows Disc Image
Burning Tool	       isoburn C:\movies\madmax.iso
Windows Explorer       explorer
Windows Features       optionalfeatures
Windows Firewall       firewall.cpl
Windows Firewall with
Advanced Security      wf.msc
Windows Image
Acquisition (scanner)  wiaacmgr
Windows Magnifier      magnify
Windows Management
Infrastructure         wmimgmt.msc
Windows Memory
Diagnostic Scheduler   mdsched
Windows Mobility
Center (for notebook)  mblctr
Windows PowerShell     powershell
Windows PowerShell ISE powershell_ise
Windows Security
Action Center	       wscui.cpl
Windows Script Host
(VBScript)	       wscript NAME_OF_SCRIPT.VBS
Windows System
Security Tool
Encrypt the SAM database
(boot password)        syskey
Windows Update         wuapp
Windows Update
Standalone Installer   wusa
Windows Version
(About Windows)	      winver
WordPad	              write




Unless indicated otherwise, all the commands above work in all versions of Windows from Vista upwards.	
Most of these utilities can be found in %systemroot%\System32\	

Source

https://ss64.com/nt/run.html

Microsoft Office Customization Tool

The Office Customization Tool creates the configuration files that are used to deploy Office in large organizations. These configuration files give you more control over an Office installation: you can define which applications and languages are installed, how those applications should be updated, and application preferences. After creating the configuration files, you can use them with the Office Deployment Tool to deploy a customized version of Office.

 Note

The Office Customization Tool is part of the deployment process for installing Office on hundreds or thousands of computers. To follow this process end-to-end, we recommend completing the assessment and planning phases for your Office deployment. If you're not an enterprise administrator and are looking to install Office 365 in your home or business, see Install Office with Office 365.

Get started

To work with the service, go to Office Customization Tool and choose the products, languages, and application settings you want to configure. For example, you can create a configuration file that downloads the 64-bit English version of Office 365 ProPlus, or you can create a file that installs the 64-bit English and German version of Office without Access and Publisher and with the EULA automatically accepted. When you're done, you export the configuration file, which you can then use with the Office Deployment Tool or another software distribution solution to deploy Office in your organization.

 Note

If you use System Center Configuration Manager (Current Branch) to deploy Office, we recommend using the Office 365 Installer wizard in the Configuration Manager console. That wizard includes a customized version of the Office Customization Tool. For more details, see Deploy Office 365 ProPlus with System Center Configuration Manager (Current Branch).

Create a configuration file

Follow these steps to create a configuration file that can be used by the Office Deployment Tool or another software distribution solution to install Office. Note that a product and language must be selected before you can export the configuration file.

  1. Go to Office Customization Tool.
  2. In the General section, type your organization name and a description for this particular configuration. For example, you might want to use this file to install the 64-bit version of Office for your finance department.
  3. In the Product and releases section, choose the architecture you want to deploy. Each configuration file can only deploy one architecture. For details on which architecture to choose, see Choose the 32-bit or 64-bit version of Office.
  4. Choose the products and applications you want to deploy, and then click Add. Note that you can create a package that includes Office, Visio, and Project by selecting each and adding them separately.
  5. Choose the update channel you want to deploy. The update channel determines how frequently your client devices are updated with new features. For best practice recommendations, see Step 3 - Choose your update channels.
  6. Choose which version you want to deploy. Unless you require a particular version, we recommend choosing the latest. For details on previous versions, see Update history for Office 365 ProPlus.
  7. In the Language section, choose which languages to include. You can include multiple languages and you can select Match operating system to automatically install the same languages that are in use on the client device. For more details, see Overview of deploying languages in Office 365 ProPlus.
  8. In the Installation section, choose whether to install the Office files directly from the cloud or from a local source on your network. For more details, see Choose how to deploy.
  9. Choose whether to display the installation to your end users and whether to pin the Office icons to the taskbar. For more details on these options, see Display element and PinIconsToTaskBar property.
  10. In the Update and upgrade section, choose whether to install updates directly from the cloud, from a local source on your network, or with Configuration Manager. If you want to update your client devices automatically, choose CDN and Automatically check for updates. For best practice recommendations, see Choose your update channels.
  11. Choose whether to automatically upgrade from 2013 versions of Click-to-Run versions of Office, whether to automatically remove all MSI-versions of Office, and whether to automatically install the same language as the removed MSI-version of Office. For more details, see Install the same languages from a previous MSI installation.
  12. If you are deploying a volume-licensed version of Office, Visio, or Project, specify the appropriate license key in Licensing and activation settings. Note that Office 365 ProPlus is not volume licensed and does not require a KMS or MAK activation. For more details, see Overview of volume activation of Office.
  13. Choose whether to automatically accept the EULA.
  14. In the Application preferences section, choose what settings to apply when deploying Office. You can search for a setting, filter the settings by Office app, and learn more about each setting by clicking it and reviewing the detailed description.
  15. Click Finish, review the configured settings in the righthand pane, and then click Export.
  16. Accept the terms in the license agreement, name the configuration file, and then click Export.
  17. You can now use the configuration file in your deployment workflow with the Office Deployment Tool or another software distribution solution.

Edit an existing configuration file

Follow these steps to import and edit an existing configuration file.

  1. Go to Office Customization Tool.
  2. Click Import, and then select the configuration file you want to edit.
  3. Change the settings you want, and then export the updated file.

Define application preferences

As part of the Office Customization Tool, you can define application preferences for Office 365 ProPlus, including VBA macro notifications, default file locations, and default file formats. When you define these preferences, you can apply them as part of deploying Office or you can apply them to an existing installation of Office without changing any other deployment settings. For more details, see Apply application preferences and Apply application preferences to an existing installation of Office.

Notes

When creating a configuration file, the Office Customization Tool includes two attributes for the Configuration element: The ID attribute, which identifies the deployment method, and the Host attribute, which identifies the deployment options that have been selected. These attributes don't contain any personally identifiable information (PII), but Click-to-Run sends the attribute values to Microsoft so that we can better understand what configurations customers use and make customization even easier. Because of these insights, we recommend keeping the attributes. They are optional, however, and can be removed without affecting your deployment.

 

source
https://docs.microsoft.com/en-us/DeployOffice/overview-of-the-office-customization-tool-for-click-to-run

Microsoft Office default installation folders for Windows

Installation Paths

All the applications provided by the Office suite (Word, Excel, Outlook, Access, PowerPoint), if installed, can be found within the given folder(s). The executable files have kept the same names since Office XP, which are the following:

  • Word:
  • Excel:
  • PowerPoint:
  • Access:
  • Outlook:
  • Visio:
  • Project:

Office XP

  • Windows 64-bit:
  • Windows 32-bit:

Office 2003

  • Windows 64-bit:
  • Windows 32-bit:

Office 2007

  • Windows 64-bit:
  • Windows 32-bit:

Office 2010

  • Windows 64-bit:
  • Windows 32-bit:

Click-To-Run

  • Windows 64-bit:
  • Windows 32-bit:

Office 2013

  • Windows 64-bit:
  • Windows 32-bit:

Click-To-Run

  • Windows 64-bit:
  • Windows 32-bit:

Office 2016

  • Windows 64-bit:
  • Windows 32-bit:

Click-To-Run

  • Windows 64-bit:
  • Windows 32-bit:

If you never heard of Click-To-Run installation mode, read here.

GUID

In case you also need the installation GUIDs, for example to retrieve some Office-related installation data from Windows Installer and/or Registry Editor, I’m also enumerating those (source: https://support.microsoft.com/en-us/kb/234788):

Office XP

  • Word: {8E46FEFA-D973-6294-B305-E968CEDFFCB9}
  • Excel: {5572D282-F5E5-11D3-A8E8-0060083FD8D3}
  • PowerPoint: {FC780C4C-F066-40E0-B720-DA0F779B81A9}
  • Access: {CC29E967-7BC2-11D1-A921-00A0C91E2AA3}
  • Office: {20280409-6000-11D3-8CFE-0050048383C9}

Office 2003

  • Word: {1EBDE4BC-9A51-4630-B541-2561FA45CCC5}
  • Excel: {A2B280D4-20FB-4720-99F7-40C09FBCE10A}
  • PowerPoint: {C86C0B92-63C0-4E35-8605-281275C21F97}
  • Access: {F2D782F8-6B14-4FA4-8FBA-565CDDB9B2A8}
  • Office: {90110409-6000-11D3-8CFE-0150048383C9}

Office 2007

  • Word: {0638C49D-BB8B-4CD1-B191-051E8F325736}
  • Excel: {0638C49D-BB8B-4CD1-B191-052E8F325736}
  • PowerPoint: {0638C49D-BB8B-4CD1-B191-053E8F325736}
  • Access: {0638C49D-BB8B-4CD1-B191-054E8F325736}
  • Office: {0638C49D-BB8B-4CD1-B191-050E8F325736}

Office 2010

32-bit

  • Word: {019C826E-445A-4649-A5B0-0BF08FCC4EEE}
  • Excel: {538F6C89-2AD5-4006-8154-C6670774E980}
  • PowerPoint: {E72E0D20-0D63-438B-BC71-92AB9F9E8B54}
  • Access: {AE393348-E564-4894-B8C5-EBBC5E72EFC6}
  • Office: {398E906A-826B-48DD-9791-549C649CACE5}

64-bit

  • Word: {C0AC079D-A84B-4CBD-8DBA-F1BB44146899}
  • Excel: {8B1BF0B4-A1CA-4656-AA46-D11C50BC55A4}
  • PowerPoint: {EE8D8E0A-D905-401D-9BC3-0D20156D5E30}
  • Access: {02F5CBEC-E7B5-4FC1-BD72-6043152BD1D4}
  • Office: {E6AC97ED-6651-4C00-A8FE-790DB0485859}

source https://www.ryadel.com/en/microsoft-office-default-installation-folders-versions/

How to increase the maximum size of Outlook PST and OST files

In Outlook 2003 and 2007, the maximum recommended size of a Unicode PST file and OST file is limited to 20 GB.

In Outlook 2010, 2013 and 2016, the maximum recommended limit is set to 50 GB.

You can increase the limit with either Group Policy or the registry.

Registry
Outlook 2003
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\PST
Outlook 2007
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\PST
Outlook 2010
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\PST
Outlook 2013
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\PST
Outlook 2016
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\PST

Create a new DWORD value named MaxLargeFileSize.
Don't set it higher than 4294967295 (decimal) or ffffffff (hexadecimal).
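The registry change above as a script, added here as an example and not taken from the original page. The function name Set-OutlookPstLimit and the sample size are assumptions; the key paths and the value name are the ones listed above.

```powershell
# Added example. Set-OutlookPstLimit is a hypothetical helper name.
function Set-OutlookPstLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('2003', '2007', '2010', '2013', '2016')]
        [string]$OutlookVersion,

        # [uint32] rejects anything above 4294967295 (ffffffff), the DWORD ceiling.
        [Parameter(Mandatory)]
        [uint32]$MaxLargeFileSize
    )

    # Outlook release -> Office version number used in the registry path.
    $versionMap = @{
        '2003' = '11.0'; '2007' = '12.0'; '2010' = '14.0'
        '2013' = '15.0'; '2016' = '16.0'
    }
    $key = 'HKCU:\Software\Microsoft\Office\{0}\Outlook\PST' -f $versionMap[$OutlookVersion]

    # The .NET registry API takes DWORD data as a signed Int32, so pass the
    # same 32 bits reinterpreted; values above 2147483647 would otherwise fail.
    $bytes = [BitConverter]::GetBytes($MaxLargeFileSize)
    $dword = [BitConverter]::ToInt32($bytes, 0)

    if ($PSCmdlet.ShouldProcess($key, "Set MaxLargeFileSize to $MaxLargeFileSize")) {
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'MaxLargeFileSize' `
            -PropertyType DWord -Value $dword -Force | Out-Null
    }
}

# Constructed sample value; Microsoft documents this setting in megabytes.
# -WhatIf shows the target key without writing to the registry.
Set-OutlookPstLimit -OutlookVersion 2016 -MaxLargeFileSize 102400 -WhatIf
```

The key is under HKEY_CURRENT_USER, so the script has to run in the session of the user whose Outlook profile should get the new limit.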

Group Policies
User Configuration-> Administrative Templates-> Microsoft Outlook <version>-> Miscellaneous-> PST Settings

Disk Part for Windows 7 and 10

The diskpart utility is a command-line utility (available in Windows 2000, XP, Vista, 7, 8, 8.1 and 10) that can be used to create or delete partitions on your PC.
Open a command prompt with administrative privileges: click Start, type CMD, right-click the result and choose "Run as administrator". At the command prompt, type diskpart. When the utility is open, type list disk to list all available disks. Type select disk "number", where "number" is the hard disk you want to use (for example, select disk 2), and press Enter. After that, type the command clean to delete any partitions on the selected hard disk.

 

How to Remove Windows 10 Built-in Apps with PowerShell

With PowerShell, we can easily uninstall applications installed on Windows 10.

Click the Start button or the Cortana search bar and type PowerShell.
Right-click the PowerShell icon and select "Run as Administrator".

Some built-in apps, like Contacts, are integrated into the Microsoft Windows 10 operating system and cannot be removed.

Copy and paste the commands below into PowerShell.

3D Builder
Get-AppxPackage *3dbuilder* | Remove-AppxPackage

Alarms and Clock
Get-AppxPackage *windowsalarms* | Remove-AppxPackage

Calculator
Get-AppxPackage *windowscalculator* | Remove-AppxPackage

Calendar and Mail
Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage

Camera
Get-AppxPackage *windowscamera* | Remove-AppxPackage

Get Office
Get-AppxPackage *officehub* | Remove-AppxPackage

Get Skype
Get-AppxPackage *skypeapp* | Remove-AppxPackage

Get Started
Get-AppxPackage *getstarted* | Remove-AppxPackage

Groove Music
Get-AppxPackage *zunemusic* | Remove-AppxPackage

Maps
Get-AppxPackage *windowsmaps* | Remove-AppxPackage

Microsoft Solitaire Collection
Get-AppxPackage *solitairecollection* | Remove-AppxPackage

Money
Get-AppxPackage *bingfinance* | Remove-AppxPackage

Movies & TV
Get-AppxPackage *zunevideo* | Remove-AppxPackage

News
Get-AppxPackage *bingnews* | Remove-AppxPackage

OneNote
Get-AppxPackage *onenote* | Remove-AppxPackage

People
Get-AppxPackage *people* | Remove-AppxPackage

Phone Companion
Get-AppxPackage *windowsphone* | Remove-AppxPackage

Photos
Get-AppxPackage *photos* | Remove-AppxPackage

Store
Get-AppxPackage *windowsstore* | Remove-AppxPackage

Sports
Get-AppxPackage *bingsports* | Remove-AppxPackage

Voice Recorder
Get-AppxPackage *soundrecorder* | Remove-AppxPackage

Weather
Get-AppxPackage *bingweather* | Remove-AppxPackage

Xbox
Get-AppxPackage *xboxapp* | Remove-AppxPackage

-------------------------------------------------------------------------

Remove all applications but keep Calculator:
Get-AppxPackage -AllUsers | Where-Object {$_.Name -notlike "*windowscalculator*"} | Remove-AppxPackage

Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -notlike "*windowscalculator*"} | Remove-AppxProvisionedPackage -Online

Source
https://community.spiceworks.com/topic/1408834-removing-windows-10-apps-gpo

Matty_C
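The "remove everything except Calculator" filter above matches every other package, including the Store and framework packages. The following added example (not part of the Spiceworks post or the original page) builds a reviewable plan from a keep-list first; the function name Get-AppxRemovalPlan and the default keep-list are assumptions.

```powershell
# Added example: preview a keep-list before removing anything.
# Get-AppxRemovalPlan and its default keep-list are hypothetical, not from the page.
function Get-AppxRemovalPlan {
    [CmdletBinding()]
    param(
        # Wildcard patterns in the same style as the commands above.
        [string[]]$Keep = @('*windowscalculator*', '*windowsstore*'),

        # Packages to classify; defaults to the current user's installed packages.
        [object[]]$Package = (Get-AppxPackage)
    )

    foreach ($p in $Package) {
        $matchesKeep = $false
        foreach ($pattern in $Keep) {
            if ($p.Name -like $pattern) { $matchesKeep = $true; break }
        }

        # Frameworks are shared dependencies; 'System' marks apps shipped with the OS.
        if ($matchesKeep) { $action = 'Keep (keep-list)' }
        elseif ($p.IsFramework) { $action = 'Keep (framework)' }
        elseif ($p.SignatureKind -eq 'System') { $action = 'Keep (system app)' }
        else { $action = 'Remove' }

        [pscustomobject]@{
            Name            = $p.Name
            Action          = $action
            PackageFullName = $p.PackageFullName
        }
    }
}

# 1. Review the plan.
$plan = Get-AppxRemovalPlan
$plan | Sort-Object Action, Name | Format-Table Name, Action -AutoSize

# 2. Dry run: -WhatIf prints what Remove-AppxPackage would do without doing it.
$plan | Where-Object { $_.Action -eq 'Remove' } | ForEach-Object {
    Remove-AppxPackage -Package $_.PackageFullName -WhatIf
}
```

Drop -WhatIf from the last command only after the plan lists exactly the packages you intend to remove.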

 

Upgrade to Windows 10 from Windows 7

Today you can once again upgrade your operating system from Windows 7 Pro or Windows 8.1 Pro to Windows 10 Pro, free of charge.

You only need to download the Media Creation Tool directly from the Microsoft website, run the tool and select "update Windows 10" instead of "Using the tool to create installation media (USB flash drive, DVD, or ISO file) to install Windows 10 on a different PC".

Instructions from Microsoft website:
1. Select Download tool, and select Run. You need to be an administrator to run this tool.
2. On the License terms page, if you accept the license terms, select Accept.
3. On the What do you want to do? page, select Upgrade this PC now, and then select Next.
4. After downloading and installing, the tool will walk you through how to set up Windows 10 on your PC. All Windows 10 editions are available when you select Windows 10, except for Enterprise edition. For more information on Enterprise edition, go to the Volume Licensing Service Center.

Requirements:
A regular, activated copy of Microsoft Windows 7 Professional or Windows 8 Professional.

At the end of the process, you will find the Windows 10 Professional license activated.

How to create a virtual machine in Hyper-V

From Microsoft Website:

Create a virtual machine by using Hyper-V Manager

  1. Open Hyper-V Manager.
  2. From the Action pane, click New, and then click Virtual Machine.
  3. From the New Virtual Machine Wizard, click Next.
  4. Make the appropriate choices for your virtual machine on each of the pages. For more information, see New virtual machine options and defaults in Hyper-V Manager later in this topic.
  5. After verifying your choices in the Summary page, click Finish.
  6. In Hyper-V Manager, right-click the virtual machine and select connect.
  7. In the Virtual Machine Connection window, select Action > Start.

Create a virtual machine by using Windows PowerShell

  1. On the Windows desktop, click the Start button and type any part of the name Windows PowerShell.
  2. Right-click Windows PowerShell and select Run as administrator.
  3. Get the name of the virtual switch that you want the virtual machine to use by using Get-VMSwitch. For example,
    Get-VMSwitch  * | Format-Table Name  
    
  4. Use the New-VM cmdlet to create the virtual machine. See the following examples.

     Note

    If you may move this virtual machine to a Hyper-V host that runs Windows Server 2012 R2, use the -Version parameter with New-VM to set the virtual machine configuration version to 5. The default virtual machine configuration version for Windows Server 2016 isn't supported by Windows Server 2012 R2 or earlier versions. You can't change the virtual machine configuration version after the virtual machine is created. For more information, see Supported virtual machine configuration versions.

    • Existing virtual hard disk - To create a virtual machine with an existing virtual hard disk, you can use the following command where,
      • -Name is the name that you provide for the virtual machine that you're creating.
      • -MemoryStartupBytes is the amount of memory that is available to the virtual machine at start up.
      • -BootDevice is the device that the virtual machine boots to when it starts like the network adapter (NetworkAdapter) or virtual hard disk (VHD).
      • -VHDPath is the path to the virtual machine disk that you want to use.
      • -Path is the path to store the virtual machine configuration files.
      • -Generation is the virtual machine generation. Use generation 1 for VHD and generation 2 for VHDX. See Should I create a generation 1 or 2 virtual machine in Hyper-V?.
      • -Switch is the name of the virtual switch that you want the virtual machine to use to connect to other virtual machines or the network. See Create a virtual switch for Hyper-V virtual machines.
        New-VM -Name <Name> -MemoryStartupBytes <Memory> -BootDevice <BootDevice> -VHDPath <VHDPath> -Path <Path> -Generation <Generation> -Switch <SwitchName>  
        

        For example:

        New-VM -Name Win10VM -MemoryStartupBytes 4GB -BootDevice VHD -VHDPath .\VMs\Win10.vhdx -Path .\VMData -Generation 2 -Switch ExternalSwitch  
        

        This creates a generation 2 virtual machine named Win10VM with 4GB of memory. It boots from the folder VMs\Win10.vhdx in the current directory and uses the virtual switch named ExternalSwitch. The virtual machine configuration files are stored in the folder VMData.

    • New virtual hard disk - To create a virtual machine with a new virtual hard disk, replace the -VHDPath parameter from the example above with -NewVHDPath and add the -NewVHDSizeBytes parameter. For example,
      New-VM -Name Win10VM -MemoryStartupBytes 4GB -BootDevice VHD -NewVHDPath .\VMs\Win10.vhdx -Path .\VMData -NewVHDSizeBytes 20GB -Generation 2 -Switch ExternalSwitch  
      
    • New virtual hard disk that boots to operating system image - To create a virtual machine with a new virtual disk that boots to an operating system image, see the PowerShell example in Create virtual machine walkthrough for Hyper-V on Windows 10.
  5. Start the virtual machine by using the Start-VM cmdlet. Run the following cmdlet where Name is the name of the virtual machine you created.
    Start-VM -Name <Name>  
    

    For example:

    Start-VM -Name Win10VM  
    
  6. Connect to the virtual machine by using Virtual Machine Connection (VMConnect).
    VMConnect.exe  
    

Options in Hyper-V Manager New Virtual Machine Wizard

The following table lists the options you can pick when you create a virtual machine in Hyper-V Manager and the defaults for each.

Each page of the wizard is listed with its default for Windows Server 2016 and Windows 10, followed by the other options.

Specify Name and Location
  • Default: Name: New Virtual Machine. Location: C:\ProgramData\Microsoft\Windows\Hyper-V\.
  • Other options: You can also enter your own name and choose another location for the virtual machine. This is where the virtual machine configuration files will be stored.

Specify Generation
  • Default: Generation 1
  • Other options: You can also choose to create a Generation 2 virtual machine. For more information, see Should I create a generation 1 or 2 virtual machine in Hyper-V?.

Assign Memory
  • Default: Startup memory: 1024 MB. Dynamic memory: not selected.
  • Other options: You can set the startup memory from 32MB to 5902MB. You can also choose to use Dynamic Memory. For more information, see Hyper-V Dynamic Memory Overview.

Configure Networking
  • Default: Not connected
  • Other options: You can select a network connection for the virtual machine to use from a list of existing virtual switches. See Create a virtual switch for Hyper-V virtual machines.

Connect Virtual Hard Disk
  • Default: Create a virtual hard disk. Name: <vmname>.vhdx. Location: C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\. Size: 127GB.
  • Other options: You can also choose to use an existing virtual hard disk or wait and attach a virtual hard disk later.

Installation Options
  • Default: Install an operating system later
  • Other options: These options change the boot order of the virtual machine so that you can install from an .iso file, bootable floppy disk or a network installation service, like Windows Deployment Services (WDS).

Summary
  • Default: Displays the options that you have chosen, so that you can verify they are correct: Name, Generation, Memory, Network, Hard Disk, Operating System.
  • Other options: Tip: You can copy the summary from the page and paste it into e-mail or somewhere else to help you keep track of your virtual machines.