WSUS synchronization fails with SoapException


Applies to: WSUS - All versions, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Symptoms


Windows Server Update Services (WSUS) synchronization fails, and you receive the following error message:

Additionally, an error message that resembles the following is logged in the WSUS log file (%ProgramFiles%\Update Services\LogFiles\SoftwareDistribution.log) on the WSUS server:

Cause


This issue occurs if the WSUS servers are configured to use the old synchronization endpoint, https://fe2.update.microsoft.com/v6. This endpoint was fully decommissioned and is no longer reachable after July 8, 2019.

Resolution


To fix the issue, change the synchronization endpoint in WSUS configuration to https://sws.update.microsoft.com.

To do this, follow these steps on the topmost WSUS server that connects directly to Microsoft Update, such as the root WSUS server in a WSUS hierarchy:

  1. Close all WSUS consoles.
  2. At an elevated PowerShell command prompt, run the following PowerShell scripts.

    Note Don't run the scripts on a WSUS server that’s not the topmost server. If the server isn’t connected to the Internet, synchronization may fail.

    For WSUS version 3.x:

    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $server.GetConfiguration()
    # Check current settings before you change them
    $config.MUUrl
    $config.RedirectorChangeNumber
    # Update the settings if MUUrl is https://fe2.update.microsoft.com/v6
    $config.MUUrl = "https://sws.update.microsoft.com"
    $config.RedirectorChangeNumber = 4002
    $config.Save();
    iisreset
    Restart-Service *Wsus* -v

    Note WSUS servers that are running Windows Server 2008 (without the latest update) or earlier versions may be using the https://update.microsoft.com/v6 or https://www.update.microsoft.com synchronization endpoints. Because these versions of Windows don’t support SHA256 certificate authentication, use the following settings in the PowerShell scripts:

    $config.MUUrl = "https://sws1.update.microsoft.com"
    $config.RedirectorChangeNumber = 3011

    For WSUS on Windows Server 2012 and later versions:

    $server = Get-WsusServer
    $config = $server.GetConfiguration()
    # Check current settings before you change them
    $config.MUUrl
    $config.RedirectorChangeNumber
    # Update the settings if MUUrl is https://fe2.update.microsoft.com/v6
    $config.MUUrl = "https://sws.update.microsoft.com"
    $config.RedirectorChangeNumber = 4002
    $config.Save()
    iisreset
    Restart-Service *Wsus* -v

  3. Verify that WSUS synchronization succeeds.
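
A guarded variant of the Windows Server 2012 script, added here as an example (it is not Microsoft's script): it refuses to run on a downstream server, changes the endpoint only if the configuration still points at the retired URL, and reads back the last synchronization result for step 3. The function names are hypothetical; the URLs and change number are the ones given above.

```powershell
# Added example: guarded version of the endpoint change for WSUS on
# Windows Server 2012 and later. Run elevated, on the topmost WSUS server.
function Update-WsusSyncEndpoint {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Defaults are the values given in this article.
        [string]$RetiredUrl = 'https://fe2.update.microsoft.com/v6',
        [string]$NewUrl = 'https://sws.update.microsoft.com',
        [int]$NewRedirectorChangeNumber = 4002
    )

    $server = Get-WsusServer
    $config = $server.GetConfiguration()

    # Record the current settings before anything is changed.
    $before = [pscustomobject]@{
        MUUrl                  = $config.MUUrl
        RedirectorChangeNumber = $config.RedirectorChangeNumber
    }

    # The article warns against running the change on a server that is not
    # the topmost one; a downstream server syncs from another WSUS server.
    if (-not $config.SyncFromMicrosoftUpdate) {
        Write-Warning "This server syncs from '$($config.UpstreamWsusServerName)'; run the change on the topmost server instead."
        return $before
    }

    # Only touch the configuration when it still points at the retired endpoint.
    $current = ([string]$config.MUUrl).Trim().TrimEnd('/')
    if ($current -ne $RetiredUrl.TrimEnd('/')) {
        Write-Verbose "MUUrl is '$current'; nothing to change."
        return $before
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set MUUrl to $NewUrl")) {
        $config.MUUrl = $NewUrl
        $config.RedirectorChangeNumber = $NewRedirectorChangeNumber
        $config.Save()

        # Same restart sequence as the article's script.
        iisreset
        Restart-Service *Wsus* -Verbose
    }

    # Re-read the stored configuration so the caller sees what is saved now.
    $after = (Get-WsusServer).GetConfiguration()
    [pscustomobject]@{
        PreviousMUUrl          = $before.MUUrl
        MUUrl                  = $after.MUUrl
        RedirectorChangeNumber = $after.RedirectorChangeNumber
    }
}

# Step 3 of the procedure: inspect the result of the most recent synchronization.
function Get-WsusLastSyncResult {    # hypothetical helper name
    (Get-WsusServer).GetSubscription().GetLastSynchronizationInfo() |
        Select-Object StartTime, EndTime, Result, Error, ErrorText
}
```

Run `Update-WsusSyncEndpoint -WhatIf -Verbose` first to see what would change without saving anything.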

More Information


Offline install of .NET Framework 3.5 in Windows 10 using DISM

You can use the Deployment Image Servicing and Management (DISM) command-line tool to create a modified image to deploy .NET Framework 3.5.

 Important

For images that will support more than one language, you must add .NET Framework 3.5 binaries before adding any language packs. This order ensures that .NET Framework 3.5 language resources are installed correctly in the reference image and available to users and applications.

Using DISM with Internet connectivity

Requirements

For an online reference image that can access Windows Update

  1. Open a command prompt with administrator user rights (Run as Administrator) in Windows 8 or Windows Server 2012.
  2. To install .NET Framework 3.5 feature files from Windows Update, use the following command:
    DISM /Online /Enable-Feature /FeatureName:NetFx3 /All 
    

    Use /All to enable all parent features of the specified feature. For more information on DISM arguments, see Enable or Disable Windows Features Using DISM.

  3. On Windows 8 PCs, after installation .NET Framework 3.5 is displayed as enabled in Turn Windows features on or off in Control Panel. For Windows Server 2012 systems, feature installation state can be viewed in Server Manager.

For an offline reference image

  1. Run the following DISM command (image mounted to the c:\test\offline folder and the installation media in the D:\ drive) to install .NET 3.5:
    DISM /Image:C:\test\offline /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:D:\sources\sxs
    

    Use /All to enable all parent features of the specified feature.

    Use /LimitAccess to prevent DISM from contacting Windows Update/WSUS.

    Use /Source to specify the location of the files that are needed to restore the feature.

    To use DISM from an installation of the Windows ADK, locate the Windows ADK servicing folder and navigate to this directory. By default, DISM is installed at C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools\. You can install DISM and other deployment and imaging tools, such as Windows System Image Manager (Windows SIM), on another supported operating system from the Windows ADK. For information about DISM-supported platforms, see DISM Supported Platforms.

  2. Run the following command to look up the status of .NET Framework 3.5 (offline image mounted to c:\test\offline):
    DISM /Image:c:\test\offline /Get-Features /Format:Table
    

    A status of Enable Pending indicates that the image must be brought online to complete the installation.

Using DISM with no Internet connectivity

You can use DISM to add .NET Framework 3.5 and provide access to the \sources\SxS folder on the installation media to an installation of Windows that is not connected to the Internet.

 Warning

If you're not relying on Windows Update as the source for installing the .NET Framework 3.5, make sure to use sources from the same corresponding Windows operating system version. Using a source path that doesn't correspond to the same version of Windows won't prevent a mismatched version of .NET Framework 3.5 from being installed. This can cause the system to be in an unsupported and unserviceable state.

Requirements

  • Windows 8, Windows Server 2012, or the Windows ADK tools.
  • Installation media
  • Administrator user rights. The current user must be a member of the local Administrators group to add or remove Windows features.

Steps

  1. Open a command prompt with administrator user rights (Run as Administrator).
  2. To install .NET Framework 3.5 from installation media located on the D: drive, use the following command:
    DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:d:\sources\sxs
    

    Use /All to enable all parent features of the specified feature.

    Use /LimitAccess to prevent DISM from contacting Windows Update/WSUS.

    Use /Source to specify the location of the files that are needed to restore the feature.

    For more information on DISM arguments, see Enable or Disable Windows Features Using DISM.

On Windows 8 PCs, after installation, .NET Framework 3.5 is displayed as enabled in Turn Windows features on or off in Control Panel.

 

Source:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deploy-net-framework-35-by-using-deployment-image-servicing-and-management--dism

Full Download Offline installer:

Direct link to the .Net-3.5-Full-Setup

http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe

Direct link to the .Net-3.5-SP1-Full-Setup

http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988e-fdaa79a8ac3d/dotnetfx35.exe

Windows Server 2008 End of Support: Are you Prepared?

On July 14th, 2015, Microsoft’s widely deployed Windows Server 2003 reached end of life after nearly 12 years of support. For millions of enterprise servers, this meant the end of security updates, leaving the door open to serious security risks. Now, we are fast approaching the end of life of another server operating system – Windows Server 2008 and Server 2008 R2, which will soon reach end of support on January 14, 2020.

Nevertheless, many enterprises still rely on Windows Server 2008 for core business functions such as Directory Server, File Server, DNS Server, and Email Server. Organizations depend on these workloads for critical business applications and to support their internal services like Active Directory, File Sharing, and hosting internal websites.

What does this mean for you?

End of support for an operating system like Windows Server 2008 introduces major challenges for organizations who are running their workloads on the platform. While a small number may be ready to fully migrate to a new system or to the cloud, the reality is that most organizations aren’t able to migrate this quickly due to time, budgetary, or technical constraints. Looking back at Windows Server 2003, even nine months after the official EOS, 42% of organizations indicated they would still be using Windows Server 2003 for 6 months or more, while the remaining 58% were still in the process of migrating off of Windows Server 2003 (Osterman Research, April 2016). The same is likely to occur with the Server 2008 EOS, meaning many critical applications will continue to reside on Windows Server 2008 for the next few years, despite the greatly increased security risks.

What are the risks?

The end of support means organizations must prepare to deal with missing security updates, compliance issues, defending against malware, as well as other non-security bugs. You will no longer receive patches for security issues, or notifications of new vulnerabilities affecting your systems. With constant discovery of new vulnerabilities and exploits – 1,450 0days disclosed by the ZDI in 2018 alone – it’s all but guaranteed that we will see additions to the 1300+ vulnerabilities faced by Windows Server 2008. The lack of notifications to help monitor and measure the risk associated with new vulnerabilities can leave a large security gap.

This was the case for many organizations in the wake of the 2017 global WannaCry ransomware attack, which affected over 230,000 systems worldwide, specifically leveraging the EternalBlue exploit present in older Windows operating systems. While Microsoft did provide a patch for this, many weren’t able to apply the patches in time due to the difficulty involved in patching older systems.

What can security and IT teams do?

The most obvious solution is to migrate to a newer platform, whether that’s on-premise or using a cloud infrastructure-as-a-service offering such as AWS, Azure, or Google Cloud.

However, we know many organizations will either delay migration or leave a portion of their workloads running in a Windows Server 2008 environment for the foreseeable future. Hackers are aware of this behavior, and often view out-of-support servers as an easy target for attacks. Security teams need to assess the risk involved with leaving company data on those servers, and whether or not the data is secure by itself. If not, you need to ensure you have the right protection in place to detect and stop attacks and meet compliance on your Windows Server 2008 environment.

How can Trend Micro help?

Trend Micro Deep Security delivers powerful, automated protection that can be used to secure applications and workloads across new and end of support systems. Deep Security’s capabilities include host-based intrusion prevention, which will automatically shield workloads from new vulnerabilities, applying an immediate ‘virtual patch’ to secure the system until an official patch is rolled out – or in the case of EOS systems – for the foreseeable future.

Deep Security also helps monitor for system changes with real-time integrity monitoring and application control, and will secure your workloads with anti-malware, powered by the Trend Micro Smart Protection Network’s global threat intelligence. Deep Security’s broad platform and infrastructure support allows you to seamlessly deploy security across your physical, virtualized, cloud, and containerized workloads, protecting your end-of-life systems throughout and beyond your migration.

Learn how easy it is to deploy virtual patching to secure your enterprise and address patching issues.

 

Source
https://blog.trendmicro.com/windows-server-2008-end-of-support-are-you-prepared/

Dropbox Uninstall via Batch Script

Dropbox Removal via Batch Script (works for SCCM or other management systems)

I recently ran into a security issue at work where we had a number of users installing and using Dropbox on their machines. Well, this is an issue because they can take company files and upload them. So I was assigned the task of removing Dropbox and blocking it. Blocking it was simple enough, but removing it not so much. My first thought was that I would use SCCM. However, when I went to look for a way to uninstall off multiple machines at once, I found this was not supported. So I created a batch file that will perform the removal. Now I will say it is a little sloppy, as it leaves behind the icon and shortcuts, and I am still currently looking for a way to remove those too, but for now the concern is taken care of, as this removes and prevents users from using Dropbox. Feel free to comment any ways I can improve on this. I would love to hear it, and anything we come up with together will also be submitted to the Dropbox community.

You should download the Offline Installer.exe from Dropbox and create an application out of it but set the uninstall program field to reference the "UninstallDropbox.bat"

Then when you deploy set it to Action:Uninstall Purpose:Required

 

Removal:

I have attached the script

 

Detection Method:

File

C:\Program Files (x86)\Dropbox\

Client

The File System Setting Must Exist on the Target System to Indicate Presence of the Application

 

OR

 

Registry

HKLM

SOFTWARE\Classes\Dropbox.Gdoc

<Check> Use (Default) Registry key value for detection

This registry setting must exist on the target system to indicate presence of the application

 

Platform verified

Windows 10 Yes
Windows Server 2012 No
Windows Server 2012 R2 No
Windows Server 2008 R2 No
Windows Server 2008 No
Windows Server 2003 No
Windows Server 2016 No
Windows 8 Yes
Windows 7 No
Windows Vista No
Windows XP No
Windows 2000 No

Source:
https://gallery.technet.microsoft.com/Dropbox-Removal-via-SCCM-063fdd08#content

Use a Local Administrator Account for Remote Administration

Local administrator accounts are commonly configured with the same password across all devices in corporate environments, making it easy for attackers to own every device if the password is compromised. Microsoft’s security baseline templates block remote use of local accounts because until Local Administrator Password Solution (LAPS) was released in 2015, there was no mechanism for securely managing local administrator accounts. LAPS is a free tool from Microsoft that randomizes local admin passwords every 30 days and stores them securely in Active Directory for each computer account.

The risk posed by local administrator accounts can be managed by manually setting a random password on each device and then recording it in a spreadsheet. But that doesn’t address the issue of changing passwords periodically and requires you to make sure the spreadsheet isn’t accessed by malicious or unauthorized users. LAPS solves these problems, ensuring that local administrator accounts remain secure and can’t be used by hackers to laterally move around your network.

For more information on using LAPS, see Secure Local Administrator Accounts with the Local Administrator Password Solution (LAPS) Tool on Petri. Microsoft’s security baseline templates for Windows and Windows Server are available as part of the Security Compliance Toolkit.

Despite the convenience LAPS provides for managing local admin accounts, IT helpdesk staff often use a domain account that is granted administrator rights on each workstation in the domain. While this account doesn’t need to be a privileged domain account, i.e. not a member of Domain Admins or other privileged AD group, the account could still be used to compromise every workstation in the domain.

Local Accounts for Remote Administration

In a blog post by Aaron Margosis, Microsoft recommends that organizations consider unblocking remote use of local administrator accounts if LAPS or another password management solution is in place, and if you want to use local accounts for remote administration. Otherwise you should continue to block remote use of local accounts.

Margosis says that if a helpdesk user wants to remotely access a workstation, it is more secure to retrieve the local administrator password from AD than to use a domain account. If the local admin password is compromised, any damage is limited to that device. Some remote access tools expose credentials when logging in to remote systems, so IT helpdesk account credentials could be compromised.

If you decide to unblock remote use of local accounts, there are three Group Policy settings that need to be changed:

  • Deny access to this computer from the network
  • Deny log on through Remote Desktop Services
  • Apply UAC restrictions to local accounts on network logon

The first two settings can be found under Windows Settings\Security Settings\Local Policies\User Rights Assignment and should be set to empty. The third is a custom setting that’s part of the baseline templates (SecGuide.admx). It can be found under Administrative Templates\MS Security Guide and should be set to Disabled.

As you can see, there are some definite advantages to using LAPS-managed local administrator accounts for remote access. The only drawbacks that I can see are that it requires some administrative effort for helpdesk staff to retrieve local admin passwords from AD every time they need to log in, as opposed to getting quick access with a domain account. Secondly, using an unnamed account to log in means we don’t have a record of who accessed the device with administrative privileges. You can work around this by enabling auditing of access to LAPS passwords in AD and resetting passwords after each use. Both these tasks can be accomplished using the PowerShell Set-AdmPwdAuditing and Reset-AdmPwdPassword cmdlets respectively.
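
The audit-and-reset workaround described above, sketched as an added example (not code from the Petri article): auditing is enabled once per OU, each password retrieval is tied to a named operator in a local log, and the password is expired when the session ends. It assumes the AdmPwd.PS module from the LAPS management tools; the OU, group, log path and function names are hypothetical.

```powershell
# Added example. Requires the AdmPwd.PS module that ships with the LAPS
# management tools, and rights to read and reset passwords in the target OU.
Import-Module AdmPwd.PS

# Hypothetical values: replace with your own OU, helpdesk group and log path.
$WorkstationOu = 'OU=Workstations,DC=example,DC=com'
$HelpdeskGroup = 'EXAMPLE\Helpdesk'
$CheckoutLog   = 'C:\LapsAudit\checkout.csv'

# One-time setup: audit reads of the LAPS password by the helpdesk group, then
# list who currently holds the right to read passwords in the OU.
# Audited reads are recorded in the Security log on domain controllers (event 4662).
function Enable-LapsReadAuditing {
    Set-AdmPwdAuditing -OrgUnit $WorkstationOu -AuditedPrincipals $HelpdeskGroup
    Find-AdmPwdExtendedRights -Identity $WorkstationOu
}

# Start of a support session: retrieve the password and record who asked and why,
# so use of the unnamed local account can be tied back to a person.
function Get-LapsPasswordForSession {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Ticket
    )

    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if ([string]::IsNullOrEmpty($entry.Password)) {
        throw "No LAPS password readable for $ComputerName (not managed, or no read permission)."
    }

    [pscustomobject]@{
        TimeUtc      = (Get-Date).ToUniversalTime().ToString('s')
        Operator     = "$env:USERDOMAIN\$env:USERNAME"
        ComputerName = $ComputerName
        Ticket       = $Ticket
        ExpiresAt    = $entry.ExpirationTimestamp
    } | Export-Csv -Path $CheckoutLog -Append -NoTypeInformation

    $entry.Password
}

# End of the session: expire the password now. The client generates the new
# password at its next Group Policy refresh, not at the moment this returns.
function Complete-LapsSession {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
}
```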

 

Source
https://www.petri.com/use-a-local-administrator-account-for-remote-administration

How to disable SMBv1 Windows

How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

Applies to: Windows 7 Enterprise, Windows 7 Home Basic, Windows 7 Home Premium

Summary


This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.

In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:

  • Request compounding - allows for sending multiple SMB 2 requests as a single network request
  • Larger reads and writes - better use of faster networks
  • Caching of folder and file properties - clients keep local copies of folders and files
  • Durable handles - allow for connection to transparently reconnect to the server if there is a temporary disconnection
  • Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
  • Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
  • Support for symbolic links
  • Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
  • Large MTU support - for full use of 10-gigabyte (GB) Ethernet
  • Improved energy efficiency - clients that have open files to a server can sleep

In Windows 8, Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality that's described in the previous list):

  • Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
  • Scale Out – concurrent access to shared data on all file cluster nodes
  • Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
  • SMB Direct – adds RDMA networking support for very high performance, with low latency and low CPU utilization
  • Encryption – Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
  • Directory Leasing - Improves application response times in branch offices through caching
  • Performance Optimizations - optimizations for small random read/write I/O

More Information


The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008.

The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

For more information about the capabilities of SMBv2 and SMBv3, go to the following Microsoft TechNet websites:

How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016


Windows Server 2012 R2 & 2016: PowerShell methods

SMB v1
Detect: Get-WindowsFeature FS-SMB1
Disable: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Enable: Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
SMB v2/v3
Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

Windows Server 2012 R2 and Windows Server 2016: Server Manager method for disabling SMB

SMB v1
Server Manager - Dashboard method

 

Windows 8.1 and Windows 10: PowerShell method

SMB v1 Protocol

Windows 8.1 and Windows 10: Add or Remove Programs method

Add-Remove Programs client method

How to detect status, enable, and disable SMB protocols on the SMB Server


For Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

SMB v1 on SMB Server
Detect: Get-SmbServerConfiguration | Select EnableSMB1Protocol
Disable: Set-SmbServerConfiguration -EnableSMB1Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB1Protocol $true

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server
Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

PowerShell methods

SMB v1 on SMB Server

Detect:

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Default configuration = Enabled (No registry key is created), so no SMB1 value will be returned

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

Note You must restart the computer after you make these changes.

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server

Detect:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}

Disable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

Enable:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

Note You must restart the computer after you make these changes.

Registry Editor

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To enable or disable SMBv1 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

To enable or disable SMBv2 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Note You must restart the computer after you make these changes.

How to detect status, enable, and disable SMB protocols on the SMB Client


For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

Note When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

SMB v1 on SMB Client
Detect: sc.exe qc lanmanworkstation
Disable: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable: sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto

For more information, see Server storage at Microsoft

SMB v2/v3 on SMB Client
Detect: sc.exe qc lanmanworkstation
Disable: sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
Enable: sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto

Notes

  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.

Disable SMBv1 Server with Group Policy


This procedure configures the following new item in the registry:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1 REG_DWORD: 0 = Disabled

To configure this by using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.
    Registry - New - Registry Item

In the New Registry Properties dialog box, select the following:

  • Action: Create
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  • Value name: SMB1
  • Value type: REG_DWORD
  • Value data: 0
New Registry Properties - General

This disables the SMBv1 Server components. This Group Policy must be applied to all necessary workstations, servers, and domain controllers in the domain.

Note WMI filters can also be set to exclude unsupported operating systems or selected exclusions, such as Windows XP.

Disable SMBv1 Client with Group Policy


To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

This will update and replace the default values in the following 2 items in the registry:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Registry entry: Start REG_DWORD: 4 = Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation

Registry entry: DependOnService REG_MULTI_SZ: "Bowser","MRxSmb20","NSI"

Note The default included MRxSMB10 which is now removed as dependency

To configure this by using Group Policy:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
  3. Right-click the Registry node, point to New, and select Registry Item.
Registry - New - Registry Item

In the New Registry Properties dialog box, select the following:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\services\mrxsmb10
  • Value name: Start
  • Value type: REG_DWORD
  • Value data: 4
Start Properties - General

Then remove the dependency on the MRxSMB10 that was just disabled

In the New Registry Properties dialog box, select the following:

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation
  • Value name: DependOnService
  • Value type REG_MULTI_SZ
  • Value data:
    • Bowser
    • MRxSmb20
    • NSI

Note These three strings will not have bullets (see the following screen shot).

DependOnService Properties

The default value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanServer and going from four default values down to just these three values above.

Note When you use Group Policy Management Console, you don't have to use quotation marks or commas. Just type each entry on an individual line.

Restart required

After the policy has applied and the registry settings are in place, the targeted systems must be restarted before SMB v1 is disabled.

Summary

If all the settings are in the same Group Policy Object (GPO), Group Policy Management displays the following settings.

Group Policy Management Editor - Registry

Testing and validation

After these are configured, allow the policy to replicate and update. As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. Make sure SMB v2 and SMB v3 are functioning for all other systems in the environment.
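
A validation check for the review step above, added as an example rather than Microsoft's own tooling: it reads the three registry items that the two Group Policy procedures configure and treats a missing SMB1 value as the default (enabled). The function name and output property names are hypothetical.

```powershell
# Added example: report whether the SMBv1 registry settings from the Group
# Policy sections are in place on the local computer. Run elevated.
function Get-Smb1PolicyState {       # hypothetical helper name
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Server side: a missing SMB1 value means the default, which is Enabled.
    $smb1 = (Get-ItemProperty -Path "$services\LanmanServer\Parameters" `
                -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $smb1) {
        $serverState = 'Enabled (default, no SMB1 value)'
    } elseif ($smb1 -eq 0) {
        $serverState = 'Disabled'
    } else {
        $serverState = 'Enabled'
    }

    # Client side, part 1: the MRxSMB10 driver must have Start = 4.
    # If the key or value is absent, there is no SMBv1 client driver to start.
    $mrx = Get-ItemProperty -Path "$services\mrxsmb10" -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $mrx) {
        $driverState = 'Not present'
        $driverOk = $true
    } elseif ($mrx.Start -eq 4) {
        $driverState = 'Disabled'
        $driverOk = $true
    } else {
        $driverState = "Enabled (Start=$($mrx.Start))"
        $driverOk = $false
    }

    # Client side, part 2: LanmanWorkstation must no longer depend on MRxSMB10,
    # otherwise the Workstation service cannot start once the driver is disabled.
    $depends = @((Get-ItemProperty -Path "$services\LanmanWorkstation" `
                    -Name DependOnService -ErrorAction SilentlyContinue).DependOnService)
    $dependsOnSmb1 = $depends -contains 'MRxSmb10'   # -contains is case-insensitive

    # Where the cmdlet exists (Windows 8 / Server 2012 and later), also report
    # what the running SMB server has in effect.
    $runtime = 'n/a'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $runtime = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Smb1Server             = $serverState
        Smb1ClientDriver       = $driverState
        WorkstationDependsOn   = ($depends -join ',')
        DependsOnMRxSmb10      = $dependsOnSmb1
        RuntimeEnableSMB1      = $runtime
        RegistryMatchesPolicy  = ($smb1 -eq 0) -and $driverOk -and (-not $dependsOnSmb1)
    }
}

Get-Smb1PolicyState | Format-List
```

`RegistryMatchesPolicy` reflects the configured registry state only; as noted under "Restart required", SMB v1 is not actually disabled until the computer has been restarted.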

Windows Start Run commands

Accessibility Options                               utilman
                                                    or
                                                    control access.cpl
Add Hardware Wizard                                 hdwwiz
Programs and Features                               appwiz.cpl
(Add New Programs)                                  control appwiz.cpl,,1
(Add Remove Windows Components)                     control appwiz.cpl,,2
(Set Program Access & Defaults)                     control appwiz.cpl,,3
Administrative Tools                                control admintools
Advanced User Accounts Control Panel                netplwiz
Authorization Manager                               azman.msc
Automatic Update control                            wuaucpl.cpl
Backup and Restore Utility                          sdclt
Bluetooth Transfer Wizard                           fsquirt
Calculator                                          calc
Certificate Manager                                 certmgr.msc
Character Map                                       charmap
Check Disk Utility                                  chkdsk
Clear Type (tune or turn off)                       cttune
Color Management                                    colorcpl.exe
Command Prompt                                      cmd
Component Services                                  dcomcnfg
                                                    or
                                                    comexp.msc
Computer Management                                 CompMgmtLauncher.exe
                                                    or
                                                    compmgmt.msc
Control Panel                                       control
Credential (passwords) Backup and Restore Wizard    credwiz
Data Execution Prevention                           SystemPropertiesDataExecutionPrevention
Date and Time Properties                            timedate.cpl
Device Manager                                      hdwwiz
                                                    or
                                                    devmgmt.msc
Device Pairing Wizard                               DevicePairingWizard
Digitizer Calibration Tool (Tablets/Touch screens)  tabcal
Direct X Control Panel (if installed)               directx.cpl
Direct X Troubleshooter                             dxdiag
Disk Cleanup Utility                                cleanmgr
Disk Defragmenter                                   dfrgui
                                                    defrag
Disk Management                                     diskmgmt.msc
Disk Partition Manager                              diskpart
Display Color Calibration                           dccw
Display DPI / Text size                             dpiscaling
Display Properties (Themes, Desktop, Screensaver)   control desktop
Display Properties (Resolution, Orientation)        desk.cpl
Display Properties (Color & Appearance)             control color
Documents (open 'My Documents' folder)              documents
Downloads (open 'Downloads' folder)                 downloads
Driver Verifier Utility                             verifier
DVD Player                                          dvdplay
Edit Environment Variables                          rundll32.exe sysdm.cpl,EditEnvironmentVariables
Encrypting File System Wizard (EFS)                 rekeywiz
Event Viewer                                        eventvwr.msc
File Signature Verification Tool (Device drivers)   sigverif
Files and Settings Transfer Tool                    %systemroot%\system32\migwiz\migwiz.exe
Firewall Control Panel                              firewall.cpl
Folders Properties                                  control folders
Fonts list                                          control fonts
Font preview                                        fontview arial.ttf
Game Controllers                                    joy.cpl
Local Group Policy Editor                           gpedit.msc
Internet Properties                                 inetcpl.cpl
IP Configuration                                    ipconfig
iSCSI Initiator configuration                       iscsicpl
Keyboard Properties                                 control keyboard
Language Pack Installer                             lpksetup
Local Security Policy                               secpol.msc
Local Users and Groups                              lusrmgr.msc
Log out                                             logoff
Microsoft Malicious Software Removal Tool           mrt
Microsoft Management Console                        mmc
Access (Microsoft Office)                           msaccess
Excel (Microsoft Office)                            Excel
Powerpoint (Microsoft Office)                       powerpnt
Word (Microsoft Office)                             winword
Microsoft Paint                                     mspaint
Microsoft Support Diagnostic Tool                   msdt
Mouse Properties                                    control mouse
	                  or 
	                  main.cpl
Network Connections	  control netconnections
	                  or 
	                  ncpa.cpl
Projector:	          netproj
Connect to Network
Projector Switch
projector display	  displayswitch
Notepad	                  notepad
ODBC Data Source Admin	
Default ODBC driver:	  C:\windows\system32\odbcad32.exe
32-bit ODBC driver
under 64-bit platform:	  C:\windows\sysWOW64\odbcad32.exe
ODBC configuration
Install/configure MDAC
drivers	                 odbcconf
On Screen Keyboard	 osk
OOB Getting Started	 gettingstarted
Password - Create a
Windows Password Reset
Disk (USB)	        "C:\Windows\system32\rundll32.exe" keymgr.dll,PRShowSaveWizardExW


Pen and Touch
(Tablet/Pen input
configuration)	        tabletpc.cpl
Performance Monitor	perfmon.msc
Phone and Modem Options	telephon.cpl
Phone Dialer	        dialer
Power Configuration	powercfg.cpl and powercfg.exe
Presentation Settings	PresentationSettings
Problem Steps Recorder	psr
Program Access and
Computer Defaults 
browser / email / media	computerdefaults
Printers and Faxes	control printers
Print Management (.msc)	PrintManagement
Printer Migration
(backup/restore)	printbrmui and printbrm.exe
Printer user interface
(List all printui.dll
options)	        printui
Private Character
Editor	                eudcedit
Regional Settings
Language, Date/Time
format, keyboard	intl.cpl
Registry Editor	        regedit
Remote Assistance	msra

Remote Desktop	        mstsc
Resource Monitor	resmon
Resultant Set of Policy	rsop.msc
Settings (Windows 10)	ms-settings:
Scheduled Tasks	control schedtasks
Screenshot
Snipping Tool	        snippingtool
Security Center	        wscui.cpl
Services	        services.msc
Shared Folder Wizard	shrpubw
Shared Folders	        fsmgmt.msc
Shut Down Windows	shutdown
Software Licensing
Activation	        slui
Sounds and Audio	mmsys.cpl
Sound Recorder	        soundrecorder
Sound Volume	        sndvol
Synchronization Tool
(Offline files)	        mobsync
System Configuration
Utility	                msconfig
System File Checker
Utility (Scan/Purge)	sfc
System Information	msinfo32
System Properties	sysdm.cpl SystemProperties
	                or
	                sysdm.cpl DisplaySYSDMCPL

System Properties
Performance	        SystemPropertiesPerformance
System Properties
Hardware	        SystemPropertiesHardware
System Properties
Advanced	        SystemPropertiesAdvanced
System Repair
Create a System
Repair Disc	       recdisc
System Restore	       rstrui
Task Manager	       taskmgr
Task Scheduler	       taskschd.msc
Telnet Client	       telnet
Trusted Platform
Module Initialization
Wizard	               tpmInit
User Accounts
(Autologon)	       control userpasswords2
User Account
Control (UAC) Settings UserAccountControlSettings
User Profiles
Edit/Change type       C:\Windows\System32\rundll32.exe sysdm.cpl,EditUserProfiles
Windows Disc Image
Burning Tool	       isoburn C:\movies\madmax.iso
Windows Explorer       explorer
Windows Features       optionalfeatures
Windows Firewall       firewall.cpl
Windows Firewall with
Advanced Security      wf.msc
Windows Image
Acquisition (scanner)  wiaacmgr
Windows Magnifier      magnify
Windows Management
Infrastructure         wmimgmt.msc
Windows Memory
Diagnostic Scheduler   mdsched
Windows Mobility
Center (for notebook)  mblctr
Windows PowerShell     powershell
Windows PowerShell ISE powershell_ise
Windows Security
Action Center	       wscui.cpl
Windows Script Host
(VBScript)	       wscript NAME_OF_SCRIPT.VBS
Windows System
Security Tool
Encrypt the SAM database
(boot password)	       syskey
Windows Update         wuapp
Windows Update
Standalone Installer   wusa
Windows Version
(About Windows)	      winver
WordPad	              write




Unless indicated otherwise, all the commands above work in all versions of Windows from Vista upwards.	
Most of these utilities can be found in %systemroot%\System32\	

source

https://ss64.com/nt/run.html

Microsoft Office Customization Tool

The Office Customization Tool creates the configuration files that are used to deploy Office in large organizations. These configuration files give you more control over an Office installation: you can define which applications and languages are installed, how those applications should be updated, and application preferences. After creating the configuration files, you can use them with the Office Deployment Tool to deploy a customized version of Office.

 Note

The Office Customization Tool is part of the deployment process for installing Office on hundreds or thousands of computers. To follow this process end-to-end, we recommend completing the assessment and planning phases for your Office deployment. If you're not an enterprise administrator and are looking to install Office 365 in your home or business, see Install Office with Office 365.

Get started

To work with the service, go to Office Customization Tool and choose the products, languages, and application settings you want to configure. For example, you can create a configuration file that downloads the 64-bit English version of Office 365 ProPlus, or you can create a file that installs the 64-bit English and German version of Office without Access and Publisher and with the EULA automatically accepted. When you're done, you export the configuration file, which you can then use with the Office Deployment Tool or another software distribution solution to deploy Office in your organization.

 Note

If you use System Center Configuration Manager (Current Branch) to deploy Office, we recommend using the Office 365 Installer wizard in the Configuration Manager console. That wizard includes a customized version of the Office Customization Tool. For more details, see Deploy Office 365 ProPlus with System Center Configuration Manager (Current Branch).

Create a configuration file

Follow these steps to create a configuration file that can be used by the Office Deployment Tool or another software distribution solution to install Office. Note that a product and language must be selected before you can export the configuration file.

  1. Go to Office Customization Tool.
  2. In the General section, type your organization name and a description for this particular configuration. For example, you might want to use this file to install the 64-bit version of Office for your finance department.
  3. In the Product and releases section, choose the architecture you want to deploy. Each configuration file can only deploy one architecture. For details on which architecture to choose, see Choose the 32-bit or 64-bit version of Office.
  4. Choose the products and applications you want to deploy, and then click Add. Note that you can create a package that includes Office, Visio, and Project by selecting each and adding them separately.
  5. Choose the update channel you want to deploy. The update channel determines how frequently your client devices are updated with new features. For best practice recommendations, see Step 3 - Choose your update channels.
  6. Choose which version you want to deploy. Unless you require a particular version, we recommend choosing the latest. For details on previous versions, see Update history for Office 365 ProPlus.
  7. In the Language section, choose which languages to include. You can include multiple languages and you can select Match operating system to automatically install the same languages that are in use on the client device. For more details, see Overview of deploying languages in Office 365 ProPlus.
  8. In the Installation section, choose whether to install the Office files directly from the cloud or from a local source on your network. For more details, see Choose how to deploy.
  9. Choose whether to display the installation to your end users and whether to pin the Office icons to the taskbar. For more details on these options, see Display element and PinIconsToTaskBar property.
  10. In the Update and upgrade section, choose whether to install updates directly from the cloud, from a local source on your network, or with Configuration Manager. If you want to update your client devices automatically, choose CDN and Automatically check for updates. For best practice recommendations, see Choose your update channels.
  11. Choose whether to automatically upgrade from 2013 versions of Click-to-Run versions of Office, whether to automatically remove all MSI-versions of Office, and whether to automatically install the same language as the removed MSI-version of Office. For more details, see Install the same languages from a previous MSI installation.
  12. If you are deploying a volume-licensed version of Office, Visio, or Project, specify the appropriate license key in Licensing and activation settings. Note that Office 365 ProPlus is not volume licensed and does not require a KMS or MAK activation. For more details, see Overview of volume activation of Office.
  13. Choose whether to automatically accept the EULA.
  14. In the Application preferences section, choose what settings to apply when deploying Office. You can search for a setting, filter the settings by Office app, and learn more about each setting by clicking it and reviewing the detailed description.
  15. Click Finish, review the configured settings in the right-hand pane, and then click Export.
  16. Accept the terms in the license agreement, name the configuration file, and then click Export.
  17. You can now use the configuration file in your deployment workflow with the Office Deployment Tool or another software distribution solution.

Edit an existing configuration file

Follow these steps to import and edit an existing configuration file.

  1. Go to Office Customization Tool.
  2. Click Import, and then select the configuration file you want to edit.
  3. Change the settings you want, and then export the updated file.

Define application preferences

As part of the Office Customization Tool, you can define application preferences for Office 365 ProPlus, including VBA macro notifications, default file locations, and default file formats. When you define these preferences, you can apply them as part of deploying Office or you can apply them to an existing installation of Office without changing any other deployment settings. For more details, see Apply application preferences and Apply application preferences to an existing installation of Office.

Notes

When creating a configuration file, the Office Customization Tool includes two attributes for the Configuration element: The ID attribute, which identifies the deployment method, and the Host attribute, which identifies the deployment options that have been selected. These attributes don't contain any personally identifiable information (PII), but Click-to-Run sends the attribute values to Microsoft so that we can better understand what configurations customers use and make customization even easier. Because of these insights, we recommend keeping the attributes. They are optional, however, and can be removed without affecting your deployment.

 

source
https://docs.microsoft.com/en-us/DeployOffice/overview-of-the-office-customization-tool-for-click-to-run

Microsoft Office default installation folders for Windows

Installation Paths

All the applications provided by the Office suite (Word, Excel, Outlook, Access, PowerPoint), if installed, can be found within the given folder(s). The executable files have kept the same names since Office XP, which are the following:

  • Word:
  • Excel:
  • PowerPoint:
  • Access:
  • Outlook:
  • Visio:
  • Project:

Office XP

  • Windows 64-bit:
  • Windows 32-bit:

Office 2003

  • Windows 64-bit:
  • Windows 32-bit:

Office 2007

  • Windows 64-bit:
  • Windows 32-bit:

Office 2010

  • Windows 64-bit:
  • Windows 32-bit:

Click-To-Run

  • Windows 64-bit:
  • Windows 32-bit:

Office 2013

  • Windows 64-bit:
  • Windows 32-bit:

Click-To-Run

  • Windows 64-bit:
  • Windows 32-bit:

Office 2016

  • Windows 64-bit:
  • Windows 32-bit:

Click-To-Run

  • Windows 64-bit:
  • Windows 32-bit:

If you never heard of Click-To-Run installation mode, read here.

GUID

In case you also need the installation GUIDs, for example to retrieve some Office-related installation data from Windows Installer and/or Registry Editor, I’m also enumerating those (source: https://support.microsoft.com/en-us/kb/234788):

Office XP

  • Word: {8E46FEFA-D973-6294-B305-E968CEDFFCB9}
  • Excel: {5572D282-F5E5-11D3-A8E8-0060083FD8D3}
  • PowerPoint: {FC780C4C-F066-40E0-B720-DA0F779B81A9}
  • Access: {CC29E967-7BC2-11D1-A921-00A0C91E2AA3}
  • Office: {20280409-6000-11D3-8CFE-0050048383C9}

Office 2003

  • Word: {1EBDE4BC-9A51-4630-B541-2561FA45CCC5}
  • Excel: {A2B280D4-20FB-4720-99F7-40C09FBCE10A}
  • PowerPoint: {C86C0B92-63C0-4E35-8605-281275C21F97}
  • Access: {F2D782F8-6B14-4FA4-8FBA-565CDDB9B2A8}
  • Office: {90110409-6000-11D3-8CFE-0150048383C9}

Office 2007

  • Word: {0638C49D-BB8B-4CD1-B191-051E8F325736}
  • Excel: {0638C49D-BB8B-4CD1-B191-052E8F325736}
  • PowerPoint: {0638C49D-BB8B-4CD1-B191-053E8F325736}
  • Access: {0638C49D-BB8B-4CD1-B191-054E8F325736}
  • Office: {0638C49D-BB8B-4CD1-B191-050E8F325736}

Office 2010

32-bit

  • Word: {019C826E-445A-4649-A5B0-0BF08FCC4EEE}
  • Excel: {538F6C89-2AD5-4006-8154-C6670774E980}
  • PowerPoint: {E72E0D20-0D63-438B-BC71-92AB9F9E8B54}
  • Access: {AE393348-E564-4894-B8C5-EBBC5E72EFC6}
  • Office: {398E906A-826B-48DD-9791-549C649CACE5}

64-bit

  • Word: {C0AC079D-A84B-4CBD-8DBA-F1BB44146899}
  • Excel: {8B1BF0B4-A1CA-4656-AA46-D11C50BC55A4}
  • PowerPoint: {EE8D8E0A-D905-401D-9BC3-0D20156D5E30}
  • Access: {02F5CBEC-E7B5-4FC1-BD72-6043152BD1D4}
  • Office: {E6AC97ED-6651-4C00-A8FE-790DB0485859}

source https://www.ryadel.com/en/microsoft-office-default-installation-folders-versions/

How to increase maximum size Microsoft Outlook pst files and ost files

In Outlook 2003 and 2007, the maximum recommended size of a Unicode .pst or .ost file is limited to 20 GB.

In Outlook 2010, 2013 and 2016, the maximum recommended limit is set to 50 GB.

You can increase the limit through Group Policy or the registry.

Registry
Outlook 2003
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\PST
Outlook 2007
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\PST
Outlook 2010
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\PST
Outlook 2013
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\PST
Outlook 2016
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\PST

Create a new DWORD value named MaxLargeFileSize.
Don’t set this higher than 4294967295 (decimal) or ffffffff (hexadecimal).

Group Policies
User Configuration-> Administrative Templates-> Microsoft Outlook <version>-> Miscellaneous-> PST Settings