Tuesday, June 20, 2017

Windows 10 Creates 4 New Folders

Scenario: On the root of the C drive you right-click and select New "Folder".  Windows will then create 4 new folders, i.e. New Folder, New Folder (2), New Folder (3), New Folder (4).  To delete or open these folders you need to elevate permissions on each one.

We have seen this issue only occur on Windows 10 systems applying Group Policy.

Cause: In our environment a specific Group policy was filtered to Windows 10 only.  Within this policy the following security setting was set to modify C: drive file permissions:

Computer> Policies> Windows Settings>File System

The policy specifically was allowing Administrators Full Control and Users Read and Execute permissions to "This Folder" only.  This had the effect of preventing sub-folders from inheriting Administrator / Users permissions.

If this policy does not exist or is set to "This folder, Sub-folders, and files" then the additional Folders are not created.

I believe this issue is a bug in the way Windows attempts to create the folder and inherit permissions; by default the folder will inherit from above but with this policy in place it fails to inherit and tries 4 times before timing out.  Each attempt results in a restricted folder.
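A way to confirm the condition described in this post on an affected machine, as an added example that is not part of the original post: the function lists the explicit access entries on a folder that apply to "This folder only", which is what the File System policy setting produced on C:\. The function name and the identity filter are assumptions made for this illustration.

```powershell
# Added example. Get-ThisFolderOnlyAce is a hypothetical helper name.
function Get-ThisFolderOnlyAce {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\'   # assumption: the drive root targeted by the policy
    )

    $acl = Get-Acl -LiteralPath $Path

    foreach ($ace in $acl.Access) {
        # Only explicit entries are of interest; inherited ones were not set on this folder.
        if ($ace.IsInherited) { continue }

        # InheritanceFlags 'None' is how "This folder only" is stored:
        # neither sub-folders (ContainerInherit) nor files (ObjectInherit) receive the entry.
        if ($ace.InheritanceFlags -eq [System.Security.AccessControl.InheritanceFlags]::None) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                AppliesTo = 'This folder only'
            }
        }
    }
}

# A default Windows install already has a "This folder only" entry for
# Authenticated Users on C:\, so filter to the two groups named in the post.
# The match assumes English group names (BUILTIN\Administrators, BUILTIN\Users).
Get-ThisFolderOnlyAce -Path 'C:\' |
    Where-Object { $_.Identity -match '\\(Administrators|Users)$' } |
    Format-Table -AutoSize
```

Any row returned for Administrators or Users means new sub-folders of C:\ will not inherit that entry, which matches the policy state described above.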

Friday, June 9, 2017

SCCM Unknown computer not able to see Task Sequences after installing Current Branch 1702

Soon after installing SCCM CB 1702 we were unable to see Task Sequences deployed to the unknown collection.

This issue was identified as a random system taking the GUID of the 'x64 Unknown Computer (x64 Unknown Computer)' record. As a result it was now a known GUID; as we were only deploying Task Sequences to the Unknown collection none were made available.

'x64 Unknown Computer (x64 Unknown Computer)' record
'x86 Unknown Computer (x86 Unknown Computer)' record

To get the GUID of your unknown systems open SQL management studio and run the following command:

--Sql Command to list the name and GUID for UnknownSystems record data
select ItemKey, Name0,SMS_Unique_Identifier0 from UnknownSystem_DISC

Using the returned GUID (SMS_Unique_Identifier0) we can find the hostname that has been assigned the 'x64 Unknown Computer (x64 Unknown Computer)' GUID by running the query below.

--x64 Unknown Computers
select Name0,SMS_Unique_Identifier0,Decommissioned0 from System_DISC where System_DISC.SMS_Unique_Identifier0 = '##Enter-GUID-Here##'

The query returned the hostname, the GUID and whether it is present within the SCCM database.  A '1' implies the record is deleted and will be purged from the database. We saw a '0' imply the opposite.

Deleting the 'x64 Unknown Computer (x64 Unknown Computer)' record and recreating the record through the steps below had limited success.  The issue was resolved until the new GUID created for 'x64 Unknown Computer (x64 Unknown Computer)' was used again.

delete from UnknownSystem_DISC where ItemKey in (##ItemKey##)

CreatedUnknownDDR: change the entry to 0

Restart SMS Executive: this then recreates the Default x86 and x64 unknown collections

Microsoft has since released an Update Rollup, KB4019926, which other sources were hailing as the fix.

After applying the Rollup we were still receiving reports of the Unknown GUID being assigned to systems.  It was identified that when a build used the "Previous" button within WinPE (after a dependency failure or simply to refresh task sequence policy) the task sequence would take the Unknown GUID still.

What was not highlighted in the documentation for the Rollup was the requirement to either recreate or update distribution points with the current Boot Image and then if you use USB boot media recreate this.

Friday, March 24, 2017

Office 365 Update Restarts my Apps in SCCM

Pushing Office 365 C2R updates through SCCM 1610 causes Office applications to close unexpectedly on client PCs

This is a known bug since the release of ConfigMgr CB 1610 and was resolved with Hotfix KB4010155.

  • After you start installation of Office updates from Software Center, users do not receive a notification message to exit all open Office 365 applications. This behavior occurs even with the forceappshutdown=False switch in the Configuration.xml file for Office 365.
Install all hotfixes

Wednesday, March 22, 2017

Dell E5450 Bricked after applying CCTK.exe command

Dell E5450 with i3 Processors a CCTK.exe warning

We recently had our E5450 Latitude failing to POST following a standard SCCM Windows Task Sequence.  It was collected for diagnosis and motherboard swap out.  While no diagnosis was performed (pointless sending away) it was returned within a few days with a new motherboard.

Upon receiving it I cautiously rebuilt it with success with a cut down version of the task sequence; I have simply installed the Windows Image (WIM) and driver package.  Upon introducing additional steps to the SCCM task sequence I see a complete failure of the BIOS as previously experienced.

The failed post was the result of CCTK.EXE modifying BIOS settings.

We are using the latest version of CCTK 3.2 with the following commands:

cctk --secureboot=enable --valsetuppwd=PASSWORD
cctk --wakeonlan=enable --valsetuppwd=PASSWORD
cctk --uefinwstack=enable --valsetuppwd=PASSWORD
cctk --embsataraid=ahci --valsetuppwd=PASSWORD
cctk --tpm=on --valsetuppwd=PASSWORD
cctk --tpmactivation=activate --valsetuppwd=PASSWORD
cctk --virtualization=enable --valsetuppwd=PASSWORD
cctk --vtfordirectio=on --valsetuppwd=PASSWORD
cctk --trustexecution=on --valsetuppwd=PASSWORD
cctk --autoon=disable --valsetuppwd=PASSWORD 

After analysis and discussion with Dell product groups they found that CCTK is forcefully arming TrustExecution in a way that conflicts with the chain of trust. The reason is that the i3 CPUs within that unit model do not fully support Trust Execution, which has been causing the NO POST via the CPU failure.

When this happens it is driving the first measurement of the CPU to validate the signed module, which isn't supported (PCR 0, which holds the Core Root of Trust Measurement (CRTM)). The issue was not replicated on any i5 or i7 systems we have in our lab.

Moving forward, Dell recommend that any units in a failed state have the motherboard replaced and that you remove the TrustExecution command from your CCTK.ini.
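One way to keep the TrustExecution setting away from the affected hardware inside a task sequence, as an added example that is not part of the original post or Dell's guidance: the settings list is the one shown above, and the command is dropped when the model is an E5450 with an i3 CPU. The function names, the cctk.exe location and the CPU name pattern are assumptions.

```powershell
# Added example. Function names are hypothetical.
function Get-CctkSettingList {
    param(
        [Parameter(Mandatory)][string]$Model,
        [Parameter(Mandatory)][string]$CpuName
    )

    # Settings taken from the command list in the post.
    $settings = @(
        '--secureboot=enable', '--wakeonlan=enable', '--uefinwstack=enable',
        '--embsataraid=ahci', '--tpm=on', '--tpmactivation=activate',
        '--virtualization=enable', '--vtfordirectio=on', '--trustexecution=on',
        '--autoon=disable'
    )

    # Per the finding above, the i3 CPUs in the E5450 do not fully support
    # Trust Execution, so the setting is never sent to that combination.
    # Assumption: the CPU name reported by WMI contains "i3-" (e.g. "Core(TM) i3-xxxx").
    if ($Model -match 'E5450' -and $CpuName -match '\bi3-') {
        $settings = $settings | Where-Object { $_ -notlike '--trustexecution=*' }
    }
    return $settings
}

function Invoke-CctkSettings {
    param(
        [Parameter(Mandatory)][string]$SetupPassword,
        [string]$CctkPath = 'cctk.exe'   # assumption: cctk.exe is on the PATH
    )

    $model = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
    $cpu   = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Name

    foreach ($setting in Get-CctkSettingList -Model $model -CpuName $cpu) {
        & $CctkPath $setting "--valsetuppwd=$SetupPassword"
        if ($LASTEXITCODE -ne 0) {
            # Stop at the first failure so a partly configured BIOS does not go unnoticed.
            throw "cctk $setting failed with exit code $LASTEXITCODE"
        }
    }
}
```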

Monday, March 20, 2017

Sharepoint documents will not open in Word/Excel

Today I have been dealing with a very interesting Office 365 / SharePoint issue. It was reported that the Edit in Application button within SharePoint i.e. “Edit in Excel” “Edit in Word” is not working correctly and results in an empty Spreadsheet or empty Word document.

Viewing and Editing within the browser is fully functional and the behaviour varies depending on computers within specific OU in active directory.  It is worth noting at this point the estate consisted of Office 2013 ProPlus installations running on Windows 8.1.

The fact that identical systems with identical software versions, patched to the same level, resulted in different behaviour could only mean Group Policy was different between them.

I was quickly able to find the offending policy: "Block signing into Office: Enabled". The screenshot above details a system's policy with the issue.

With the Standard Workstation GPO's the policy "Block signing into Office: Enabled" is not configured and Office applications can see the Sign-In option and can login to Office 365. 

Upon logging into a domain joined system Microsoft Office will login by default with the same account used to login to the computer.  If the account used to login to the computer (i.e. SA_U1234567) is different from the account used to login to Office 365 (i.e. U1234567) the application Excel will fail to authenticate.  The application will attempt to open the SharePoint URL intended for U1234567 and authenticate to the site/file; it will attempt to authenticate as the locally logged-on user (i.e. SA_U1234567), who does not have permission, and fail.

For example, SA_U1234567 will need to have permissions to the resource U1234567 has selected within the Office 365 portal to "Edit in Excel". If the account SA_U1234567 does not have rights, Excel will present the user with the following Information message: "Sorry, we couldn't open HTTPS://...SharePoint.com/Sites/…../Document.XLS"

It will follow up with a Warning message explaining:
Microsoft Excel cannot access the file 'HTTPS://...SharePoint.com/Sites/…../Document.XLS".  There are several possible reasons:

The message clearly explains that Excel cannot access the file. Without an authenticated account the file will not be accessible; the first of the “possible reasons”, “The File name or path does not exist”, is true from the perspective that Excel cannot find the file requested.

If the account used to login to the computer is U1234567 and Office 365 /SharePoint is authenticated with the account U1234567 then the “Edit in Excel” will pass the MS-Excel Protocol a site URL that can be authenticated; resulting in success.

The Workstation that was unable to “Edit in Excel” was applying the policy "Block signing into Office: Enabled". This configuration blocks the ability for the Microsoft application to sign in; Excel was not even able to attempt to authenticate against Office 365.

Within Office 365/SharePoint when the button is clicked to "Edit in Excel" essentially the user is  initiating a hyperlink calling the protocol MS-Excel with the full URL to the resource.


In the case of the Workstation that was unable to “Edit in Excel” the protocol for ms-excel opens Excel (set through File Association) and the URL is ignored. As Sign-In is blocked, Excel does not even attempt to find the SharePoint site and the user simply sees a blank Excel spreadsheet.  It is unfortunate that the user does not get a dialogue box explaining that Sign-In is blocked and is left to believe the operation failed.

It is worth noting that if you are seeing the Information and Warning dialogue boxes your issue will most likely relate to Authentication and access to the resource.  If you are presented with an empty Excel or Word document then Policy is a root of investigation.
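A check for the policy state that separates the two symptoms described above, as an added example that is not part of the original post: it reads the SignInOptions value that the "Block signing into Office" policy writes for the current user. The registry location and the meaning of the values come from Microsoft's documentation of that setting rather than from the post; the function name is hypothetical and Office 16.0 is included as a generalisation beyond the Office 2013 estate described.

```powershell
# Added example. Get-OfficeSignInPolicy is a hypothetical helper name.
function Get-OfficeSignInPolicy {
    param(
        # 15.0 is Office 2013 (the estate in the post); 16.0 is added as a generalisation.
        [string[]]$OfficeVersion = @('15.0', '16.0')
    )

    # Meaning of SignInOptions as documented by Microsoft.
    $meaning = @{
        0 = 'Microsoft account or organisational ID allowed'
        1 = 'Microsoft account only'
        2 = 'Organisational ID only'
        3 = 'None allowed (sign-in blocked)'
    }

    foreach ($version in $OfficeVersion) {
        # The policy hive is written by the GPO; the second key holds the per-user setting.
        $candidates = @(
            "HKCU:\Software\Policies\Microsoft\Office\$version\Common\SignIn",
            "HKCU:\Software\Microsoft\Office\$version\Common\SignIn"
        )

        foreach ($key in $candidates) {
            $item = Get-ItemProperty -Path $key -Name SignInOptions -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # key or value not present

            $value  = [int]$item.SignInOptions
            $source = if ($key -like '*\Policies\*') { 'Group Policy' } else { 'User setting' }

            # Map the value to the symptom described in the post.
            $symptom = if ($value -eq 3) {
                'Edit in Excel/Word opens an empty document with no error'
            } else {
                'If opening fails, expect the Information and Warning dialogs (authentication or permissions)'
            }

            [pscustomobject]@{
                OfficeVersion   = $version
                Source          = $source
                SignInOptions   = $value
                Meaning         = $meaning[$value]
                ExpectedSymptom = $symptom
            }
        }
    }
}

# Run in the affected user's session; no output means the value is not set.
Get-OfficeSignInPolicy | Format-List
```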

Thursday, January 19, 2017

Office 365 Management with System Center Configuration Manager – Current Branch 1606

This section describes the Office 365 application implemented.

1.1       Observations

The current estate contains a range of Office suite and standalone products (Standard, ProPlus, Outlook, Lync, Visio, and Project) as well as a range/mix of versions on each system; from 2007- 2016.

1.2       Application Deployment

An Office 365 application has been created in English.  Each application source directory is about 1.2GB in size and has been distributed to all corresponding DPs.  Note: it is possible to install multiple languages of Office 365 on a single system; however, the first installation will take ownership of the UI Shell, i.e. menus, drop-downs etc.

1.3       Office 2016 Deployment Tool for Click-to-Run

The source files for Office 365 can be downloaded via the Click-To-Run URL here. This will download and extract two files (setup.exe and Configuration.xml). A download.xml and install.xml can be derived from the accompanying configuration.xml; see below.
“The Office 2016 Deployment Tool allows the administrator to customize and manage Office 2016 Click-to-Run deployments. This tool will help administrators to manage installations sources, product/language combinations, and deployment configuration options for Office Click-to-Run.” http://www.microsoft.com/en-us/download/details.aspx?id=36778
Product IDs that are supported by the Office Deployment Tool for Click-to-Run https://support.microsoft.com/en-us/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click-to-run 

1.4       Download.xml

The download.xml within the source files is kept as reference but is no longer required as part of the application deployment. A custom download.xml was created for the initial download. The Language tags (language IDs), and LCIDs available in Office 2016 can be found here
The command line to download content is: setup.exe /download download.xml
<Configuration>
  <Add SourcePath="" OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail"><Language ID="en-us" /></Product>
  </Add>
</Configuration>

1.5       Example.xml

The install.xml file within the source files controls the installation behaviour during the SCCM deployment i.e. language, product, logging etc. The Language tags (language IDs), and LCIDs available in Office 2016 can be found here
Microsoft 365 ProPlus 
The command line to install is: setup.exe /configure Installation.xml
<Configuration>
  <Add OfficeClientEdition="32" Channel="Current" OfficeMgmtCOM="True">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Path="%Windir%\Temp\" />
  <Property Name="AUTOACTIVATE" Value="1" />
</Configuration>

i.e. <Updates Enabled="TRUE" UpdatePath="\\ServerName\Share$\" />

Microsoft Office Deployment Tool volume licensed editions of Visio 2016 and Project 2016 
The command line to install is: setup.exe /configure Installation_ProjectProXVolume.xml
<Configuration>
  <Add OfficeClientEdition="32" Channel="Current" OfficeMgmtCOM="True">
    <Product ID="ProjectProXVolume">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <Display Level="none" AcceptEULA="TRUE" />
  <Logging Path="%Windir%\Temp\" />
  <Property Name="AUTOACTIVATE" Value="1" />
</Configuration>

The command line to install is: setup.exe /configure Installation_VisioProXVolume.xml
<Configuration>
  <Add OfficeClientEdition="32" Channel="Current" OfficeMgmtCOM="True">
    <Product ID="VisioProXVolume">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <Display Level="none" AcceptEULA="TRUE" />
  <Logging Path="%Windir%\Temp\" />
  <Property Name="AUTOACTIVATE" Value="1" />
</Configuration>

SourcePath indicates the installation source path from which to install Office when you run the Office Deployment Tool in configure mode. If you do not specify SourcePath in configure mode, Setup will look in the current folder for the Office source files. If the Office source files are not found in the current folder, Setup will look on Office 365 for them. SourcePath indicates the location to save the Click-to-Run installation source when you run the Office Deployment Tool in download mode.
OfficeClientEdition specifies the edition of Click-to-Run for Office 365 product to use.
Product ID specifies the products to install. (Check here for a complete list of Product IDs that is supported by the Office Deployment Tool for Click-to-Run)
Language ID specifies which product languages to install. (Check here for a complete list of available Language IDs)
Updates Enabled=”TRUE” specifies that the Click-to-Run update system will check for updates.
UpdatePath specifies the path where Click-to-Run installations obtain updates. Optional. If UpdatePath is not set, Click-to-Run installations obtain updates from the Microsoft Click-to-Run source (Content Delivery Network or CDN). This is by default. If UpdatePath is set to empty (""), updates are obtained from the Microsoft Click-to-Run source, CDN.
UpdatePath can specify a network, local, or HTTP path of a Click-to-Run source. Environment variables can be used for network or local paths. If you use Group Policy with the Office 2016 or Office 2016 Administrative Template files (ADMX/ADML), you can set UpdatePath by using the Update Path policy setting. You can find this policy setting under Computer Configuration\Administrative Templates\Microsoft Office 2016 (Machine)\Updates.
OfficeMgmtCOM specifies that the client is managed and Updates are controlled from a central system; SCCM. This option effectively makes the UpdatePath option redundant.
Display Level=”None” specifies that the user sees no UI. No progress UI, completion screen, error dialog boxes, or first run automatic start UI are displayed.
AcceptEULA=”TRUE” specifies that user does not see a Microsoft Software License Terms dialog Box.
Logging Path specifies the path of the folder that is used for the log file. (Name is no longer a supported attribute to use for setting the name of the log file)

1.6       previous versions of Office

Office 365 installation files will not automatically remove or upgrade previous versions; it is recommended to remove previous versions prior to deploying Office 365. Microsoft have provided uninstallation VBS scripts to remove all or selective Office products i.e. Standard, ProPlus, Outlook, Visio, Project, ALL etc.
The VBS scripts have been extracted from the MSIs; the process is to run the MSI, accept the EULA and, once the FixIt tool is ready and asking you to click Next (see the screen below), open Windows Explorer and navigate to: C:\Users\%USERNAME%\AppData\Local\Temp\Fixit

Click on the hyperlinks below to direct you to the site in which you can download the MSI.

These scripts have been incorporated into the source files for Office 365 and can be called as follows:
cscript //B %~dp0Offscrub07.vbs ProPlus,Standard,Outlook /quiet /nocancel
cscript //B %~dp0Offscrub10.vbs ProPlus,Standard,Outlook /quiet /nocancel
cscript //B %~dp0OffScrub_O15msi.vbs All /quiet /nocancel
cscript //B %~dp0OffScrub_O16msi.vbs All /quiet /nocancel

1.7       Install.cmd

The Install CMD command calls a PowerShell script to provide the user with feedback during installation.
powershell -ExecutionPolicy Bypass .\AppDeploy.ps1
The AppDeploy.ps1 script is based on the “PowerShell App Deployment Toolkit” http://psappdeploytoolkit.com/
The extract below highlights some of the key sections:
1.       Check to see if any of the applications are running and allow the User to defer the installation 3 times.
2.       Check and record whether the device has Visio and/or Project installed
3.       Remove all Previous versions of Office 2003-2016
4.       Install Office 365 ProPlus and Volume Licensed Click to Run versions of Visio and/or Project if previously installed.
# Note: $dirOffice is assumed to be set earlier in AppDeploy.ps1 (not shown in this extract).
If ($deploymentType -ne "uninstall") {
    $installPhase = "Pre-Installation"

    # Show Welcome Message, close Internet Explorer if required, allow up to 3 deferrals, and verify there is enough disk space to complete the install
    Show-InstallationWelcome -CloseApps "iexplore,PWConsole,excel,groove,onenote,infopath,outlook,mspub,powerpnt,winword,communicator,lync" -BlockExecution -AllowDefer -CloseAppsCountdown 600 -DeferTimes 3 -CheckDiskSpace

    # Check whether anything might prevent us from running the cleanup
    If ($isServerOS -eq $true) {
        Write-Log "Installation of components has been skipped as one of the following options are enabled. isServerOS: $isServerOS"
    }
    Else {
        # Display Pre-Install cleanup status
        Show-InstallationProgress "Performing Pre-Install cleanup. This may take some time. Please wait..."

        $officeExecutables = @("excel.exe", "groove.exe", "onenote.exe", "infopath.exe", "outlook.exe", "mspub.exe", "powerpnt.exe", "winword.exe", "winproj.exe", "Visio.exe")

        # Record whether Visio and/or Project are installed so they can be reinstalled afterwards
        If (Test-Path (Join-Path $dirOffice "Office12\Visio.exe")) { $InstallVisio = $true; Write-Log "Office12\Visio.exe was detected. To be updated." }
        If (Test-Path (Join-Path $dirOffice "Office12\winproj.exe")) { $InstallProject = $true; Write-Log "Office12\winproj.exe was detected. To be updated." }
        If (Test-Path (Join-Path $dirOffice "Office14\Visio.exe")) { $InstallVisio = $true; Write-Log "Office14\Visio.exe was detected. To be updated." }
        If (Test-Path (Join-Path $dirOffice "Office14\winproj.exe")) { $InstallProject = $true; Write-Log "Office14\winproj.exe was detected. To be updated." }
        If (Test-Path (Join-Path $dirOffice "Office15\Visio.exe")) { $InstallVisio = $true; Write-Log "Office15\Visio.exe was detected. To be updated." }
        If (Test-Path (Join-Path $dirOffice "Office15\winproj.exe")) { $InstallProject = $true; Write-Log "Office15\winproj.exe was detected. To be updated." }
        If (Test-Path (Join-Path $dirOffice "Office16\Visio.exe")) { $InstallVisio = $true; Write-Log "Office16\Visio.exe was detected. To be updated." }
        If (Test-Path (Join-Path $dirOffice "Office16\winproj.exe")) { $InstallProject = $true; Write-Log "Office16\winproj.exe was detected. To be updated." }

        # Remove any previous version of Office (if required).
        # Each loop stops at the first executable found: one scrub run removes the whole suite.
        ForEach ($officeExecutable in $officeExecutables) {
            If (Test-Path (Join-Path $dirOffice "Office12\$officeExecutable")) {
                Write-Log "Microsoft Office 2007 was detected. Will be uninstalled."
                Execute-Process -FilePath "CScript.Exe" -Arguments "`"$dirSupportFiles\OffScrub07.vbs`" ALL /S /Q /NoCancel" -WindowStyle Hidden -IgnoreExitCodes "1,2,3"
                Break
            }
        }
        ForEach ($officeExecutable in $officeExecutables) {
            If (Test-Path (Join-Path $dirOffice "Office14\$officeExecutable")) {
                Write-Log "Microsoft Office 2010 was detected. Will be uninstalled."
                Execute-Process -FilePath "CScript.Exe" -Arguments "`"$dirSupportFiles\OffScrub10.vbs`" ALL /S /Q /NoCancel" -WindowStyle Hidden -IgnoreExitCodes "1,2,3"
                Break
            }
        }
        ForEach ($officeExecutable in $officeExecutables) {
            If (Test-Path (Join-Path $dirOffice "Office15\$officeExecutable")) {
                Write-Log "Microsoft Office 2013 was detected. Will be uninstalled."
                Execute-Process -FilePath "CScript.Exe" -Arguments "`"$dirSupportFiles\OffScrub_O15msi.vbs`" ALL /S /Q /NoCancel" -WindowStyle Hidden -IgnoreExitCodes "1,2,3"
                Break
            }
        }
        ForEach ($officeExecutable in $officeExecutables) {
            If (Test-Path (Join-Path $dirOffice "Office16\$officeExecutable")) {
                Write-Log "Microsoft Office 2016 was detected. Will be uninstalled."
                Execute-Process -FilePath "CScript.Exe" -Arguments "`"$dirSupportFiles\OffScrub_O16msi.vbs`" ALL /S /Q /NoCancel" -WindowStyle Hidden -IgnoreExitCodes "1,2,3"
                Break
            }
        }
    }

    $installPhase = "Installation"

    # Installing Office 365 Pro Plus
    Show-InstallationProgress "Installing Office 365 Pro Plus. This may take some time. Please wait..."
    Execute-Process -FilePath "$dirFiles\Office365ProPlus\setup.exe" -Arguments " /configure `"$dirFiles\Office365ProPlus\Installation.xml`"" -WindowStyle Hidden -IgnoreExitCodes "3010"

    # Installing Office 365 volume licensed edition of Visio 2016
    If ($InstallVisio -eq $true) {
        Show-InstallationProgress "Installing Office 365 volume licensed edition of Visio 2016. This may take some time. Please wait..."
        Execute-Process -FilePath "$dirFiles\Office365ProPlus\setup.exe" -Arguments " /configure `"$dirFiles\Office365ProPlus\Installation_VisioProXVolume.xml`"" -WindowStyle Hidden -IgnoreExitCodes "3010"
    }

    # Installing Office 365 volume licensed edition of Project 2016
    If ($InstallProject -eq $true) {
        Show-InstallationProgress "Installing Office 365 volume licensed edition of Project 2016. This may take some time. Please wait..."
        Execute-Process -FilePath "$dirFiles\Office365ProPlus\setup.exe" -Arguments " /configure `"$dirFiles\Office365ProPlus\Installation_ProjectProXVolume.xml`"" -WindowStyle Hidden -IgnoreExitCodes "3010"
    }
}

2          updates for Office 365

Automatic updates is a servicing model built into Office 365 ProPlus, and provides the ability to be always up to date, or “evergreen”, with security and functionality enhancements. 
A default install of Office 365 ProPlus is configured to update automatically from the cloud.  Separately, each month a new build of Office 365 ProPlus is released in the cloud.  When a computer with Office 365 ProPlus detects that a new build is available, the difference – or delta – between the new build and the existing one is streamed down in the background.  Updates are then installed when Office apps/processes aren’t running. So, with the default configuration Office 365 ProPlus, you will always be up-to-date.
Some environments may prefer to use their existing software distribution tool to manage updates for Office 365 ProPlus, and this can be facilitated using the Office Deployment Tool.  IT Pros can customize the configuration by controlling if updates are managed. For example you can pass full management over to SCCM via the initial install.xml, via GPO or SCCM client policy. Office 365 ProPlus updates are provided by Windows Update and incorporated into SCCM Software updates Groups. 

The way that the users in your organization receive the updates for Office depends on where you've configured Office 365 ProPlus to get updates.
  • From the Internet: If you've configured your users to get updates directly from the Office Content Delivery Network (CDN) on the Internet.
      • If you don’t want these users to be updated automatically you can configure this either by using the Office Deployment Tool or by using Group Policy and the Update Path policy setting.
  • From SCCM / WSUS: This will be the obvious choice for Enterprises as patching integrates into current processes.

Office 365 Management with System Center Configuration Manager – Current Branch 1602
Assumptions: SCCM CB 1606 has been installed with the SUP site system role installed successfully.

The default behaviour of the client will check for updates every time an Office 365 application is run.  Previously the administrator was unable to manage which branch the client would have installed using WSUS.  Thankfully this has been addressed; in the 1602 onwards current branch of Configuration Manager it is now possible to manage Office 365 updates natively without the clients going to either the Internet or a network share as described above. 
Within System Center Configuration Manager enabling this is very simple.  Select the Classification “Updates” and the Product “Office 365 Client”.  The next time Software Updates synchronize, the current branch will be available to download and deploy as a normal Windows Update.

wsyncmgr.log extract: the log will detail the selections made when it attempts to synchronize.

Requested categories: Product=Office 365 Client, UpdateClassification=Updates

Office 365 Client Management
When Office 365 is initially installed it is possible to instruct the agent to use SCCM for updates.  The install XML can be set as below with the line (OfficeMgmtCOM="True") instructing the management of the client. 

<Configuration>
  <Add OfficeClientEdition="32" Channel="Current" OfficeMgmtCOM="True">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="True" />
</Configuration>

Updating Existing Clients:

To change the management and update mechanism there are two options available. The necessary settings (OfficeMgmtCOM) can be changed by modifying the registry, GPO, or via Client Policy.  The Office COM interface (OfficeMgmtCOM) will leverage the BITS service to download updates from the local distribution point.


The ADMX/ADML for Office 2016 Administrative Template files include the ability to enable the “Office 365 Client Management”. Once enabled, System Center Configuration Manager can manage the Office 365 client. 

The ADMX/ADML files can be downloaded here https://www.microsoft.com/en-us/download/details.aspx?id=49030  and should be copied to your central store to be accessible from any GPO editor: %logonserver%\sysvol\%Domain.local%\Policies\PolicyDefinitions