Migrate from Windows Hello to Windows Hello For Business (WHFB)

Description:

You have deployed Windows Hello in the past to several machines in the organizations. Recently you got direction from Management to deploy Windows Hello For Business (WHFB) for your organization. 
You have enable the Hybrid Cloud Kerberos trust and the configured required group policy. However, on the test machine, no WHFB got the prompt for provision. You have try to restart and make sure the WFHB group policy apply correctly.

Resolution:

Since you previously deployed Windows Hello, you need to make sure the "old" policy is being disabled.
Go to "Computer Configuration\Administrative Templates\System\Logon\Turn on convenience PIN sign-in". Make sure it is Disabled.

Error 1297 when starting AD FS Service

Description:

When you try to start ADFS Service for the first time after finishing the configuration, you may encounter 1297 error.

Resolution:

You need to make sure that the service account that you use to run the ADFS Service has the following rights on the ADFS Server:

• Logon As Service
• Generate Security Audits

BitLocker Deployment with Active Directory - How to Start Automatic Encryption

Description:

You deployed BitLocker using Active Directory only. You have setup the necessary Group Policy, run manual BitLocker Encryption and can see the recovery password is being store at Active Directory.

Now you are wondering how it could start auto encryption without user interaction.

Resolution:

From https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html we can see that we can create a task scheduler on the machine and run it with System credential.

Detail:

Task name: BL (name it as you want, but please don’t forget to change the name in the last script line)

Triggers: at logon of any user

Executing account: system

Action: powershell.exe with the argument \\server\share\BL.ps1

The script:

$pin=(Get-Random -Minimum 0 -Maximum 999999).ToString('000000')
echo "$pin" | out-file \\server\pins\$env:computername.txt -Append
$SecureString = ConvertTo-SecureString "$pin" -AsPlainText -Force
Add-BitlockerKeyProtector -MountPoint "C:" -Pin $SecureString -TPMandPinProtector
manage-bde -on c: -s -used -rp
msg * /time:0 Your hard drive is being encrypted. To start your PC, you need your Bitlocker-PIN, which is $pin
schtasks /delete /tn BL /f

How to Add NT Service\All Services group to Active Directory User Rights Assignment

Description:

You want to use a group Managed Service Account (gMSA) on multiple domain in your forest. You also have Group Policy that managed the User Rights Assignment setting on Active Directory. You need to add NT Service\All Services to those User Rights Assignment policy.

Resolution:

1. Open up Group Policy Manager, and edit the Group Policy. Example is the “Default Domain Controller Policy” if you want to modify the user Rights Assignment at Domain Controllers.
2. Navigate down to “Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment”
3. Edit the “Log on as a service” properties and ensure the box next to “Define these policy settings:” is ticked. Click “Add User or Group” and manually type “NT SERVICE\ALL SERVICES” (Do Not Click Browse)
4. Click OK twice
5. Close the Group Policy Manager

Group Policy are not applying properly - event id 1054

Description:

You have a group policy setting that you want to deploy during computer startup. However it seems that the policy is not applying properly. Running gpresult command from the client machine shows no error. Running gpresult wizard from GPMC for the problematic machine shows GPO Core processing error preventing some policies from applying successfully. Running gpupdate /force will correct the situation and the settings will be applied successfully. 
At event viewer of the problematic computer, you found event id 1054, “Windows cannot obtain the domain controller name for the computer network. (The specified domain either does not exist or exist or could not be contacted). Group Policy processing aborted.”

Resolutions:

Please follow Microsoft's Knowledge Base Article KB840669 http://support.microsoft.com/kb/840669

As Per KB 840669, create a new DWord value on registry on:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: GpNetworkStartTimeoutPolicyValue
Value: 120

Restart the client computer. Settings can be applied successfully.

Windows PowerShell Syntax

> To list all the PowerShell commands available for group policy module:

Get-Command -module GroupPolicy

or

Get-Command *-GP*
 

> To list all the PowerShell commands available for active directory module:

Get-Command -module activedirectory

or

Get-Command *-AD*

 

> For more detail information about certain PowerShell commands:
 

Get-Help (commandname) -detailed

Get-Help (commandname) - examples

Get-Help (commandname) -full

or

Get-help (commandname) -online

 

How to lock Internet Explorer setting through GPO

To lock changes in Proxy settings using GPO check the following GPO option:
User configuration->Administrative Templates->Windows Components->Internet Explorer->"Disable changing proxy settings"

Set the option ->"Disable changing proxy settings" to enable.

Group Policy for safe sender lists in Outlook 2007 does not work

Description:
You have set Outlook 2007 safe sender list through GPO however it isn’t applying to users. You’ve check that the GPO was applied successfully.

Resolution:
Change the safe sender list path to \\servername\sharefolder\filename. It cannot use the %logonserver%\sharefolder syntax.

Proxy Exception at Internet Explorer does not work

Description:
You have set proxy exception for IE through Group Policy (GPO). For some reason the setting won’t apply to user’s computer. You verified that the GPO has the right setting and has no conflict with other GPO. You also confirmed that the GPO was applied to user’s computer, but the computer registry contains different data.

Resolution:
Please check the exception list content. Make sure there’s no invalid character or value. If the http address in Proxy Exception list contains more than two “/” characters, the IE Branding extension would accept this setting. You should remove the rest of the “/” from the http address in proxy exception list.