RAP as a Service for Windows Desktop
Key Findings Report

Prepared for NC State University
5-May-2023
Version 1.0
Prepared by Brian Monroe

Key Findings Report, Confidential – NC State University
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.
© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Microsoft Proprietary and Confidential Information Page
Table of Contents

Executive Summary ..... 5
  Health Assessment Result ..... 5
  Risk Assessment Result ..... 5
Risk & Health Scorecard ..... 6
Issue Level Summary ..... 7
Issue Details ..... 13
  Issue Severity Legend ..... 13
  Applications ..... 14
    Increasing Reliability ..... 14
    Enhancing Security ..... 14
    Improving Performance ..... 15
    Advancing Usability ..... 15
    Removing Legacy Components ..... 15
  Defragmentation ..... 29
  Migration - Compatibility ..... 30
    Recommended application testing process ..... 30
    Master Image Techniques ..... 31
  Device Drivers ..... 41
  Group Policy ..... 56
    Overview of Group Policy ..... 56
  Hardware Information ..... 97
  Networking ..... 108
    TCP/IP (with IPv4) ..... 109
    TCP/IP (with IPv6) ..... 109
  Operational Excellence ..... 124
    Strategy ..... 124
    Design ..... 124
    Security ..... 124
    Transition ..... 125
    Operate ..... 125
    Monitoring ..... 125
  Operating System Information ..... 145
    Baseline Configuration ..... 145
    Defining Desktop Solutions ..... 145
    Develop an Applications List ..... 146
    Security Settings ..... 146
  Security ..... 168
  Solid State Drive ..... 184
  Virtualization ..... 186
    User State Virtualization ..... 186
    Application Virtualization ..... 187
    Operating System Virtualization ..... 187
  Windows System Performance ..... 222
    Performance Monitor ..... 222
  Windows System Shutdown ..... 223
  Windows System Startup ..... 224
  Windows System Assessment Tool (WinSAT) ..... 235
  Windows Performance Toolkit ..... 241
Executive Summary

Microsoft has completed a Microsoft RAP as a Service for Windows Desktop through interviews with the staff and by running a suite of tools to collect data from target clients and their dependent systems. The assessment provides findings and guidance based on analysis by the Microsoft Advanced Services Delivery (ASD) team and the accredited Premier Field Engineer (PFE) that performed the engagement.

The assessment provides results grouped into two areas: health issues and risk issues. Risk issues cover areas such as change control, monitoring, design, service level agreements and other items that, if left unresolved, increase the chances of problems in the environment. Health issues cover configuration items and the proper function of the major components that make up client systems, such as network infrastructure, physical hardware, Group Policy, Domain Name System and so on.

The overall assessment gives you a high-level understanding of the health and risk items together. You will see a summary for each of the two areas, health and risk, giving an introductory view into the findings of the environment.

The severity calculation is as follows: whenever a critical issue is found, the overall health or risk assessment result is critical. When no critical issue is found, the average of all issues is calculated.
Health Assessment Result

Rating: Critical
* Hidden Virtual Network Adapter
* Bad Block Detected on Drive
* Network Start Timeout is Configured
* Image Not Up to Date on Security Updates
* Memory Dump Found
* Applications Configured to AutoStart

Risk Assessment Result

Rating: Critical
* Antivirus/Antispyware not installed on all clients
* 7-10-year BIOS on Systems
* Security Center Alerts Found
* UAC is Disabled
* Builtin Local Admin is Not Disabled
* Users are Local Admins by Default
Risk & Health Scorecard

This scorecard shows the overall health and risk severity levels for each major and minor category. This is determined by the highest severity issue found per category, per health and risk.

Consolidated Scorecard

Category                                  | Risk Severity | Health Severity
Applications                              | Medium        | Critical
Defragmentation                           | No Issues     | No Issues
Deployment and Migration                  | High          | High
Device Drivers                            | High          | No Issues
Group Policy                              | High          | High
Hardware Information                      | Critical      | Critical
Networking                                | Medium        | Medium
Operating System Information              | Critical      | High
Security                                  | Critical      | Medium
Solid State Drive                         | No Issues     | No Issues
Operational Survey                        | High          | No Issues
Virtualization                            | No Issues     | Medium
Windows System Performance                | High          | No Issues
Windows System Shutdown                   | No Issues     | No Issues
Windows System Startup                    | No Issues     | Medium
Windows System Assessment Tool (WinSAT)   | Medium        | Medium
Windows Performance Toolkit               | No Issues     | Low
Issue Level Summary

The following are details about the issues discovered in your environment. Where applicable the status has been updated to the current state at the time of this report.

Issue | Severity | Type | Status

Applications
Hidden Virtual Network Adapter Found | Critical | Health | Failed
Installed Applications Have Not Been Tested For Windows Compatibility | Medium | Health | Failed
Use Microsoft Application Compatibility Toolkit (ACT) And the Internet Explorer Guide For Developers To Test And Design Your Web Sites | Medium | Risk | Failed
Applications Are Configured In The Registry To Automatically Start After System Boot | Medium | Health | Failed
Applications Are Configured In The Registry To Automatically Start After User Logon | Medium | Health | Failed
Microsoft Office Shell Data Caching Not Enforced | Medium | Risk | Failed
Microsoft Word Template Search Timeout Not Defined | Medium | Risk | Failed

Defragmentation
(no issues)

Deployment and Migration
Non-administrator Can Interrupt Installation Process | High | Risk | Failed
Latest Updates Are Not In The Foundation Deployment Source | High | Health | Failed
On supported Operating Systems UEFI based hardware is strongly recommended | Medium | Both | Failed
Usage of Advanced Group Policy Management (AGPM) should be evaluated | Medium | Risk | Failed
Usage of Application Virtualization (App-V) should be evaluated | Medium | Risk | Failed
Usage of User Experience Virtualization (UE-V) should be evaluated | Medium | Risk | Failed
Your version of User Experience Virtualization (UE-V) is not compatible with Windows 10 | Medium | Both | Failed
ASF Partition Sector Not Aligned | Medium | Health | Failed
Unattend XML Not Deleted After System Installation | Medium | Risk | Failed

Device Drivers
Source: Microsoft-Windows-CodeIntegrity / Event ID: 3001 / Error: Unsigned Kernel Module Is Loaded | High | Risk | Failed
Source: Microsoft-Windows-CodeIntegrity / Event ID: 3002 / Error: Unable To Verify Image Integrity | High | Risk | Failed
Device Driver Release Date Older Than 12 Months | Medium | Risk | Failed

Group Policy
Setting GpNetworkStartTimeoutPolicyValue Is Configured | High | Health | Failed
Source: Microsoft-Windows-GroupPolicy / Event ID: 7017 / Error: LDAP Call Failed | High | Risk | Failed
Source: Microsoft-Windows-GroupPolicy / Event ID: 7326 / Error: Failed To Discover Domain Controller | High | Risk | Failed
Source: Microsoft-Windows-GroupPolicy / Event ID: 5018 / Error: Start, Logon, Logoff Or Shutdown Script Detected With Runtime Over 1 Minute | Medium | Health | Failed
Non-Default Group Policy Extensions Found | Medium | Risk | Failed
Run Logon Scripts Synchronously Is Enabled | Medium | Health | Failed
Scripts For System Shutdown Found | Medium | Risk | Failed
Scripts For System Startup Found | Medium | Risk | Failed
Group Policy Slow Link Detection Is Disabled | Low | Health | Failed
Loopback Processing Mode Enabled | Low | Risk | Failed
PowerShell Scripts For Computer GP Processing Found | Low | Risk | Failed
WMI Filters Are Enabled On Group Policy Objects | Low | Risk | Failed

Hardware Information
BIOS Release Date Is Between 7 And 10 Years Old | Critical | Risk | Failed
Source: Disk / Event ID: 7 / Error: Bad Block Detected | Critical | Health | Failed
No Standardized PC Hardware | High | Risk | Failed
BIOS Release Date Is Between 5 And 7 Years Old | High | Risk | Failed
No Fixed Hardware Lifecycle | Medium | Risk | Failed
No Computer Management Software To Manage Hardware Settings | Medium | Risk | Failed
BIOS Release Date Is Between 3 And 5 Years Old | Medium | Risk | Failed
Device Not Working Properly Is Detected | Medium | Risk | Failed

Networking
HOSTS Or LMHOSTS Configuration File Contains Entries | Medium | Health | Failed
IPv6 Configuration Is Modified | Medium | Risk | Failed
Source: NETLOGON / Event ID: 5719 / Error: No Domain Controller Is Available For Domain | Medium | Risk | Failed
Standard Order For Built In Network Provider Is Changed | Medium | Health | Failed
Kerberos Access Token Size Lower Than Recommended | Low | Risk | Failed
Legacy Kerberos Registry Value Configured (MaxPacketSize) | Low | Risk | Failed

Operating System Information
User Account Control Is Disabled | Critical | Risk | Failed
Enterprise Hotfix Rollup For Windows 7 SP1 Not Installed | High | Risk | Failed
Memory Dump Found | High | Health | Failed
User Account Control Secure Desktop Is Disabled | High | Risk | Failed
The Organization Has Not Implemented A Power Management Plan | Medium | Risk | Failed
Power Plan Is Set To High Performance | Medium | Risk | Failed
Path Environment Variable Contains Too Many Entries | Low | Risk | Failed
Path Environment Variable Contains Non Existing Entries | Low | Risk | Failed
Recommended HotFixes for Windows 7 Not Installed | Low | Risk | Failed
Users Are Able To Index Any Path | Low | Risk | Failed
Verbose Status Messages Enabled | Low | Risk | Failed

Security
Antivirus Software Is Not Installed On All Clients | Critical | Risk | Failed
Antispyware Software Is Not Installed On All Clients | Critical | Risk | Failed
Security Center Alerts Detected | Critical | Risk | Failed
Full Hard Disk Encryption Is Not Enabled On All Devices | High | Risk | Failed
The Organization Does Not Apply Hardware Security Updates Proactively | High | Risk | Failed
The Organization Does Not Apply Security Updates For Both Software And Hardware Proactively | High | Risk | Failed
Users Are Local Administrators By Default | High | Risk | Failed
No Procedures And Tools In Place For Checking Missing Security Updates And Service Packs | High | Risk | Failed
Built-In Local Administrator Account Is Not Disabled | High | Risk | Failed
The Organization Does Not Use A Tool To Regularly Scan The Environment For Security Issues | Medium | Risk | Failed
Network Access Protection Is Not Used To Ensure Computer Identity And Compliance | Medium | Risk | Failed
Antivirus Exclusion List Should Be Reviewed | Medium | Health | Failed
BIOS Settings Are Not Protected Through System BIOS Password | Medium | Risk | Failed
EnableLinkedConnections Is Not Default | Medium | Risk | Failed
Data Confidentiality Is Not Ensured For Data Stored Inside Or Outside The Corporate Network | Low | Risk | Failed
No Measure Of The Progress And Success Level Of Security Updates Deployment | Low | Risk | Failed
No Test Environment Available For Security Update Management | Low | Risk | Failed

Solid State Drive
(no issues)

Operational Survey
The Organization Does Not Measure Satisfaction With Their Applications And Services | High | Risk | Failed
No Formal Security Risk Management Process Is Implemented | High | Risk | Failed
The Organization Does Not Have Documented Service Level Agreements (SLAs) For PCs And Windows Devices | High | Risk | Failed
The Organization Does Not Have A Change Management Process | High | Risk | Failed
The Organization Does Not Have A Formal Release Management Process | High | Risk | Failed
The Organization Does Not Have Up-to-date Asset Information For The Environment | High | Risk | Failed
The Organization Is Not Formally Measured On Improving The Quality Of The Service | High | Risk | Failed
The Organization Does Not Have A Formal Incident Management Process For The Windows Client Environment | High | Risk | Failed
No Client Testing Environment That Mirrors End-user Installation Base | High | Risk | Failed
The Organization Does Not Review Performance Against Their Existing Support Agreements | Medium | Risk | Failed
The Organization Has Not Developed Training Plans Based On The Roadmaps Of Their Key Vendors | Medium | Risk | Failed
The Organization Does Not Maintain Documented Standards And Policies For The Design And Implementation Of Services | Medium | Risk | Failed
The Organization Does Not Have Defined Operating Level Agreements (OLAs) Between Dependent IT Units | Medium | Risk | Failed
The Organization Has Not Implemented Management Packs Or Guides To Monitor PCs And Other Windows Devices | Low | Risk | Failed
Base Level IT Certification Is Not Required | Low | Risk | Failed
No Rollback Plans Defined As Part Of Security Update Management Process | Low | Risk | Failed

Virtualization
Disable Autoupdate Drivers | Medium | Health | Failed
Disable Background Defragmentation | Medium | Health | Failed
Disable Hibernation | Medium | Health | Failed
Disable Service Microsoft Software Shadow Copy Provider | Medium | Health | Failed
Force Offscreen Composition For Internet Explorer Should Be Configured | Medium | Health | Failed
Increase The Disk Timeout Value | Medium | Health | Failed
Disable Boot Animation | Low | Health | Failed
Disable Desktop Cleanup | Low | Health | Failed
Disable Scheduled Task Microsoft Windows DiskDiagnosticDataCollector | Low | Health | Failed
Disable Scheduled Task AnalyzeSystem | Low | Health | Failed
Disable Scheduled Task BfeOnServiceStartTypeChange | Low | Health | Failed
Disable Scheduled Task Consolidator | Low | Health | Failed
Disable Scheduled Task KernelCeipTask | Low | Health | Failed
Disable Scheduled Task MobilityManager | Low | Health | Failed
Disable Scheduled Task ProgramDataUpdater | Low | Health | Failed
Disable Scheduled Task Proxy | Low | Health | Failed
Disable Scheduled Task Registry Idle Backup | Low | Health | Failed
Disable Scheduled Task ResolutionHost | Low | Health | Failed
Disable Scheduled Task Scheduled | Low | Health | Failed
Disable Scheduled Task ScheduledDefrag | Low | Health | Failed
Disable Scheduled Task System Restore | Low | Health | Failed
Disable Scheduled Task UpdateLibrary | Low | Health | Failed
Disable Scheduled Task UsbCeip | Low | Health | Failed
Disable Scheduled Task WinSAT | Low | Health | Failed
Disable Windows Sideshow Feature | Low | Health | Failed
Modify The Network Location Dialog | Low | Health | Failed

Windows System Performance
No Client Performance Testing During Client Lifetime | High | Risk | Failed

Windows System Shutdown
(no issues)

Windows System Startup
High Amount Of Locally Cached Profiles | Medium | Health | Failed
ReadyBoot Has Low Cache Hit Percentage | Medium | Health | Failed
High Startup Time Detected For Complete Computer System | Medium | Health | Failed
High Startup Time Detected For Explorer Init | Medium | Health | Failed
High Startup Time Detected For Machine Profile Processing | Medium | Health | Failed
High Startup Time Detected For Service | Medium | Health | Failed
High Startup Time Detected For User Profile Processing | Medium | Health | Failed

Windows System Assessment Tool (WinSAT)
WinSAT Base Score Rating 3.0 - 4.9 | Medium | Risk | Failed
WinSAT Should Be Executed After System Installation | Medium | Health | Failed
WinSAT Base Score Rating 5.0 - 6.9 | Low | Risk | Failed

Windows Performance Toolkit
Period SessionInit Phase Between 10 And 25 Sec Without SSD | Low | Health | Failed
Issue Details

The following are details about the issues discovered in your environment. This includes descriptions, best practice guidance, recommended reading, recommended resolutions and custom comments.

Issue Severity Legend

Severity      | Description
Critical      | Immediate fix needed
High          | Fix as soon as possible
Medium        | Fix within next 3 months
Low           | Fix within the next 6 months
Informational | Needs to be reviewed

Status       | Description
Failed       | Issue was found
Inconclusive | Data collection had issues, new collection needed
Passed       | No issue found
Applications

Applications in general are programs designed to assist in the performance of a specific task, such as word processing, accounting, inventory management, and more. Applications are used to fulfill open tasks faster and more efficiently. Thus, it is important that these applications are correctly configured.

Application compatibility bugs occur in applications for many different reasons. Sometimes a feature on which an application has relied is simply retired from Windows. In Windows Vista, several applications exhibited bugs simply because developers had hard-coded the Windows version that the applications were compatible with, and the application failed when the version changed. Any time operating system behavior is changed, there is a possibility that an application has taken a dependency on the previously implemented behavior.

Increasing Reliability

With the introduction of the User Account Control feature in Windows Vista, Microsoft demonstrated its commitment to enabling organizations to configure their users with standard user accounts, thus offering the industry a desktop configuration with greater security and reduced total cost of operation (TCO). Windows Vista includes features, such as the ability for standard users to change the time zone when traveling, that dramatically improve the user experience for standard user accounts. Windows 7 makes the user experience even better. When running with standard user accounts, organizations will also realize improved resiliency against malicious software, better control over what users install on their computer, and a higher degree of management over what users can configure on their computers (including security settings).

Prior to Windows Vista, many developers had been developing software that positioned users as members of the Administrators group, and the software inadvertently required administrator privileges. When administrator privileges were removed for standard users in Windows Vista, the application compatibility impact was significant. User Account Control does offer a variety of features to improve application compatibility, such as File and Registry Virtualization and Installer Detection. Also, as the industry continues to move toward standard user desktops, many of these application compatibility bugs are being addressed by independent software vendors (ISVs) and fixed in their most recent products.

User Account Control is one of many features designed to increase the reliability of Windows. Another feature is Windows Resource Protection (WRP), which increases system stability, predictability, and reliability. WRP safeguards Windows read-only resources, specifically operating system files, folders, and registry keys that are non-configurable by design. WRP enforces this safeguard through Windows security by placing special security descriptors on the resource. Any process, including those running as administrator or SYSTEM, that does not have rights to make changes to WRP resources can only read and execute the resources. Full access to WRP resources is restricted to the Windows Modules Installer service.

Enhancing Security

When new features are added to enhance the security of the operating system, the features generally affect application compatibility. In many cases this occurs because the feature is designed to limit the behavior of malware by changing behavior in the operating system or in an application platform technology, such as Internet Explorer. As previously mentioned, applications are built to use a wide variety of platform functionality, and any change has the potential for application compatibility issues.

Improving Performance

Improving operating system performance is a key focus during the development cycle of Windows. This focus has resulted in overall operating system improvements and the further development of features that originated with Windows Vista.

Advancing Usability

While many of the features previously mentioned are focused on the underpinnings that enable applications to work better, there are also features that change the actual user experience of Windows. Because these features change how users and applications interact with Windows, there is the possibility of associated application compatibility issues.

Removing Legacy Components

Given the continual focus on progressing and modernizing the Windows operating system, over time features will be retired from the Windows operating system. In certain cases, there are successors that better satisfy the needs of developers and users. In other cases, the technology has simply reached end of life and is deprecated.
Hidden Virtual Network Adapter Found

Status: Failed

Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
When a virtual network adapter is hidden, modern apps on Windows 8 won't be able to connect to the internet, whereas all non-modern apps work fine.

Additional Information

Importance: To ensure that modern apps are able to connect to the internet, the virtual network device needs to be visible.

Recommended Reading: INetCfgComponent::GetCharacteristics method
http://msdn.microsoft.com/en-us/windows/hardware/ff547832(v=vs.85).aspx

Recommended Resolution: To enable modern apps to connect to the internet, the setting should be configured to the value shown in the properties of the target machine.
Rule Algorithm

Source:
Registry_Path_1  HKLM\SYSTEM\CurrentControlSet\Control\Class\*
Registry_Value_1 {Registry_Path_1}\DeviceInstanceID @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Characteristics @ REG_DWORD

Detection Logic
Applies to: Windows 8 or later
The following must be true:
* Registry_Value_1 starts with "ROOT\NET"
* 8th bit of Registry_Value_2 is greater than 0

Annotation: Looks like a Cisco AnyConnect adapter

Affected Nodes: OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
LocalMachine\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0003
Characteristics: 1
ComponentID: VPNVA
ProviderName: Cisco Systems
DriverDesc: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
To unhide the adapter configure the following value for Characteristics: 0
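One way to run this rule's detection logic on a client and review the remediation before applying it, as an added PowerShell example that is not code from the report or from Microsoft's RAP collector. It scans only the network-adapter class key shown for the affected node rather than all of Class\*, assumes the rule's "8th bit" means the bit with value 0x8 (NCF_HIDDEN in the INetCfgComponent characteristics flags), and, unlike the report's suggested value of 0, clears only that bit so the adapter's other characteristics are preserved.

```powershell
# Added example; not Microsoft's RAP collector code.
# Assumption: the rule's "8th bit" is the bit with value 0x8 (NCF_HIDDEN).
$NCF_HIDDEN  = 0x8
# Assumption: only the network adapter class GUID from the affected node is scanned.
$NetClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}'

function Test-HiddenVirtualAdapter {
    # Mirrors the rule: DeviceInstanceID starts with ROOT\NET and NCF_HIDDEN is set.
    param([string]$DeviceInstanceID, [int]$Characteristics)
    return ($DeviceInstanceID -like 'ROOT\NET*') -and (($Characteristics -band $NCF_HIDDEN) -ne 0)
}

function Get-HiddenVirtualAdapter {
    param([string]$ClassKey = $NetClassKey)
    Get-ChildItem -Path $ClassKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |      # instance subkeys 0000, 0001, ...
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if (-not $p) { return }                              # skip unreadable keys
            $instanceId = [string]$p.DeviceInstanceID
            $chars      = [int]$p.Characteristics                # REG_DWORD; missing value -> 0
            if (Test-HiddenVirtualAdapter -DeviceInstanceID $instanceId -Characteristics $chars) {
                [pscustomobject]@{
                    Instance        = $_.PSChildName
                    DriverDesc      = $p.DriverDesc
                    ProviderName    = $p.ProviderName
                    Characteristics = ('0x{0:X}' -f $chars)
                    RegistryPath    = ($_.PSPath -replace '^.*::', '')   # HKEY_LOCAL_MACHINE\...
                }
            }
        }
}

function Clear-HiddenAdapterFlag {
    # Remediation: make the adapter visible by clearing NCF_HIDDEN only.
    # -WhatIf shows the old and new Characteristics value without writing it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$RegistryPath)
    $key   = 'Registry::' + $RegistryPath
    $chars = [int](Get-ItemProperty -Path $key -Name Characteristics).Characteristics
    $new   = $chars -band (-bnot $NCF_HIDDEN)
    $msg   = 'Characteristics 0x{0:X} -> 0x{1:X}' -f $chars, $new
    if ($PSCmdlet.ShouldProcess($RegistryPath, $msg)) {
        Set-ItemProperty -Path $key -Name Characteristics -Value $new -Type DWord
    }
}

# Report-only run: list any hidden virtual adapters on this machine.
$hidden = @(Get-HiddenVirtualAdapter)
if ($hidden.Count) { $hidden | Format-Table -AutoSize } else { 'No hidden virtual adapters found.' }
# To remediate one finding after review (requires an elevated session):
# Clear-HiddenAdapterFlag -RegistryPath $hidden[0].RegistryPath -WhatIf
```

Run the detection first and confirm the driver description matches the expected vendor adapter, since a VPN client may rewrite the Characteristics value on its next upgrade.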
Installed Applications Have Not Been Tested For Windows Compatibility

Question: Do all of your business critical applications have a "Compatible to Windows Logo"?
Selected Answer: No
Status: Failed

Description: Some of the business critical applications that are installed on your devices have not been approved for Windows compatibility. Some applications that were designed for an older operating system may not be compatible with newer operating systems.

Additional Information

Testing Application Compatibility: Microsoft has released the Application Compatibility Toolkit (ACT), which contains the necessary tools and documentation to evaluate and mitigate application compatibility issues.

It is highly recommended to use ACT or a similar tool before deploying new applications or a new version of Windows or Internet Explorer.

ACT is a lifecycle management tool that assists in identifying and managing your overall application portfolio, reducing the cost and time involved in resolving application compatibility issues, and helping you quickly deploy Windows and Windows updates.
With the ACT, you can:
· Analyze your portfolio of applications, websites, and computers
· Evaluate operating system deployments, the impact of operating system updates, and your compatibility with websites
· Centrally manage compatibility evaluators and configuration settings
· Rationalize and organize applications, websites, and computers
· Prioritize application compatibility efforts with filtered reporting
· Add and manage issues and solutions for your enterprise-computing environment
· Deploy automated mitigations to known compatibility issues
· Send and receive compatibility information from the Microsoft Compatibility Exchange
http://technet.microsoft.com/en-us/windows/application-compatibility.aspx
Use Microsoft Application Compatibility Toolkit (ACT) And the Internet Explorer Guide For Developers To Test And Design Your Web Sites
Question: Have you tested your internal websites and web applications for Internet Explorer compatibility?
Selected Answer: No
Additional Comments: Testing happens as people are using it. There have been times where we have found things that do not work with IE or Edge, so users are told to use an alternative browser since most desktops have Chrome and Firefox also installed.
Status: Failed
Description: Because of an initial lack of formal standards and subsequent adherence to that non-standard behavior, many Web sites have been designed and built to serve multiple client browsers. It is common to see name-specific and version-specific checks hard-coded into HTML to provide the best shared Web browsing experience to diverse audiences and to meet their requirements.
Many corporations are still relying on Internet Explorer 6 based web applications that have been built and customized over the past decade. Organizations planning to deploy Windows 7 need to have a comprehensive strategy and an execution plan in place to migrate legacy web applications to Internet Explorer 8.
Browser targeting, cross-compatibility, and development of multiple Web sites in parallel have been painstaking endeavors for Web developers. With Microsoft Internet Explorer 8.0, the goal has been to reduce the amount of time and effort required by these tasks, as well as to improve the support for true cross-platform standards compliance and browser compatibility.
Additional Information
Solving Internet Explorer compatibility problems
Microsoft recommends thoroughly testing a sample of the most commonly used web applications and add-ons in your organization to help identify any compatibility issues before rolling out a new version of Internet Explorer.
The best way to determine whether applications will experience compatibility issues when deploying the current version of Internet Explorer is to create an inventory of the critical applications and add-ons used in the organization.
The Microsoft Application Compatibility Toolkit (ACT) includes the Internet Explorer Compatibility Test Tool (IECTT) which can be used to automatically uncover web page issues.
http://technet.microsoft.com/en-us/library/cc749257(WS.10).aspx
When testing and designing for the latest version of Internet Explorer, it is also highly recommended to follow the Internet Explorer guide for developers.
Internet Explorer guide for developers
Applications Are Configured In The Registry To Automatically Start After System Boot
Status: Failed
Description: 37 node(s) out of 37 node(s) were affected by this issue (100%).
There are applications configured in the registry to automatically start after system boot. This takes place before users log on and can decrease system performance.
Additional Information
Importance: Applications that are configured to automatically start after the system boot procedure has been completed may delay the ability to log on users and may also result in poor user experience overall.
Recommended Reading:
Run, RunOnce, RunServices, RunServicesOnce and Startup:
http://support.microsoft.com/kb/179365
Recommended Resolution: We recommend that you verify the need for the listed applications against the line-of-business applications and requirements. If it is not necessary to start the listed applications automatically after the system boot procedure, they should be removed to avoid delays in the system boot and user logon procedure.
Autoruns for Windows:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Detection Logic
Applies to: All operating systems
The following must be true:
* Count of subkeys in Registry_Path_1 is greater than 0
Affected Nodes
315BPT01.CALS.NCSU.EDU
There are 2 application(s) configured in the machine registry run key.
"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe"
kass.exe
admpc280.CVM.NCSU.EDU
There are 14 application(s) configured in the machine registry run key.
"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe"
"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
"C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Acrotray.exe"
"C:\Program Files (x86)\HP\HP UT LEDM\bin\hppusg.exe" "C:\Program Files (x86)\HP\HP UT LEDM\"
"C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
"C:\Program Files (x86)\CEZEO software\BackUpTime\BackUp.exe"
"C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
"C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
"C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
"C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"C:\Program Files\CrashPlan\electron\CrashPlanDesktop.exe" --menubar --desktop=false
"C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe
ALUMINUM.CNR.NCSU.EDU
There are 10 application(s) configured in the machine registry run key.
"C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
"C:\Program Files (x86)\PaperCut MF Client\pc-client.exe" /silent
"C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe"
C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
"C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
"C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /MAXX4
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe /s
BILT-3032A-01.CNR.NCSU.EDU
There are 9 application(s) configured in the machine registry run key.
"C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Acrotray.exe"
"C:\Program Files (x86)\PaperCut MF Client\pc-client.exe" /silent
"C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
"C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
"C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe" "C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
"C:\Program Files\Windows Defender\MSASCui.exe" -hide -runkey
"C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
"C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /MAXX4
"C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" /s
BUSTA.ECE.NCSU.EDU
There are 8 application(s) configured in the machine registry run key.
"C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Acrotray.exe"
"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe"
"C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
"C:\Program Files\CrashPlan\electron\CrashPlanDesktop.exe" --menubar --desktop=false
C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe
C:\Windows\system32\igfxpers.exe
C:\Windows\system32\hkcmd.exe
C:\Windows\system32\igfxtray.exe
CHASSIT-TEST.CHASS.NCSU.EDU
There are 3 application(s) configured in the machine registry run key.
C:\Windows\kass.exe
kass.exe
"C:\Program Files\Windows Defender\MSASCui.exe" -hide -runkey
CLH-9F8NXR1.COM.NCSU.EDU
There are 4 application(s) configured in the machine registry run key.
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe"
"C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
"C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
COLLAB-TEST-HD.EOS.NCSU.EDU
There are 10 application(s) configured in the machine registry run key.
"C:\Program Files (x86)\National Instruments\NI Device Monitor\DeviceMonitor.exe" --startup
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"C:\Program Files (x86)\PaperCut MF Client\pc-client.exe" /silent
"C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"C:\Program Files\AMD\CNext\CNext\cnext.exe" atlogon
"C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe"
"C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /MAXX6 /WAVES_SUBTYPE_FOR_LYNC
"C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" /s
"C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
crpc11.CVM.NCSU.EDU
There are 13 application(s) configured in the machine registry run key.
"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe"
"C:\Program Files (x86)\CEZEO software\BackUpTime\BackUp.exe"
"C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Acrotray.exe"
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
"C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
"C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
"C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
"C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
"C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
C:\Windows\system32\igfxpers.exe
C:\Windows\system32\hkcmd.exe
C:\Windows\system32\igfxtray.exe
DELTA-DT-SP03.DELTA.NCSU.EDU
There are 5 application(s) configured in the machine registry run key.
"C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\Acrotray.exe"
"C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
"C:\Program Files\Windows Defender\MSASCui.exe" -hide -runkey
"C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /MAXX4
"C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" /s
Applications Are Configured In The Registry To Automatically Start After User Logon
Status: Failed
Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
Applications that are configured to automatically start after user logon may delay the user logon procedure and result in poor user experience overall.
Additional Information
Importance: It is important that the number of startup applications is kept to a minimum to reduce the startup time.
Recommended Reading:
Run, RunOnce, RunServices, RunServicesOnce and Startup:
http://support.microsoft.com/kb/179365
Recommended Resolution: We recommend that you verify the need for the listed applications against the line-of-business applications and requirements. If it is not necessary to start the listed applications automatically after user logon, they should be removed to avoid delays in the user logon procedure.
Autoruns for Windows:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Rule Algorithm
Source
Registry_Path_1 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Detection Logic
Applies to: All operating systems
The following must be true:
* Count of subkeys in Registry_Path_1 is greater than 0
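The two run-key rules above (machine Run key and user Run key), as an added PowerShell example that is not part of the RAP report: it enumerates the entries, prints the same per-key count the report prints, and flags entries whose executable is missing or unsigned. It also reads the WOW6432Node Run key, which the report's rule does not, and counts the key's values rather than subkeys, since the values are what the affected-node lists below show.

```powershell
# Added example, not from the RAP report: inventory the Run keys behind the two
# findings above. The rule text says "subkeys", but what the report lists are the
# key's values (one per autostart command), so values are what is enumerated.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',             # system boot (machine)
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run', # 32-bit apps on x64 (not in the report's rule)
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'              # user logon (current user only)
)

function Get-ExecutableFromCommand {
    # Pulls the program path out of a Run value, handling the three shapes seen in
    # the report: "quoted path" args, unquoted path with spaces, and a bare file name.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')                           { return $Matches[1] }
    if ($Command -match '^\s*([^"]+?\.(exe|dll|cmd|bat))(\s|,|$)') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')                               { return $Matches[1] }
    return $null
}

function Get-RunKeyEntries {
    param([string[]]$Keys = $RunKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }                    # skip the (Default) value
            $cmd    = [string]$item.GetValue($name)           # REG_EXPAND_SZ is expanded here
            $exe    = Get-ExecutableFromCommand $cmd
            # A bare file name is resolved through the search path at boot; it is
            # reported as not found here rather than guessed at.
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status.ToString() } else { 'n/a' }
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Executable = $exe
                Exists     = $exists
                Signature  = $sig
            }
        }
    }
}

$entries = @(Get-RunKeyEntries)

# Same summary line the report prints, per key.
$entries | Group-Object Key | ForEach-Object {
    "There are $($_.Count) application(s) configured in $($_.Name)"
}

# Triage view: stale entries (binary gone) and unsigned or altered binaries are the
# ones to verify against line-of-business requirements first.
$entries |
    Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-Table Key, Name, Executable, Exists, Signature -AutoSize -Wrap
```

The HKCU key reflects only the account running the script; to cover other profiles, load their hives or run the script in each user's session.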
Affected Nodes
DELTA-DT-SP05.DELTA.NCSU.EDU
There are 1 application(s) configured in the user's registry run key.
"C:\Users\delta.user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Microsoft Office Shell Data Caching Not Enforced
Status: Failed
Description: 35 node(s) out of 37 node(s) were affected by this issue (94.59%).
When you try to open a file from a network location, the Office program may run very slowly or may appear to stop responding (hang). This situation may occur after you click Open in the Open dialog box (on the File menu, click Open) to open a file from a network location (for example, a network server). During the process of opening the file, you lose your network connection or the network location that contains the file that you are trying to open goes down. During the process of opening the file, your Office program tries to add the file name and the path information of the file that you are trying to open to the Windows recent file list. Because the network location (path) does not now exist, the Office program may run slowly and may appear to stop responding (hang). Note: This situation may also occur if your connection to your network is slow because your Office program has to make multiple queries to the network to obtain the correct file information.
Additional Information
Importance: When you try to open a file from a network location, the Office program may run very slowly or may appear to stop responding (hang).
This situation may occur after you click Open in the Open dialog box (on the File menu, click Open) to open a file from a network location (for example, a network server). During the process of opening the file, you lose your network connection or the network location that contains the file that you are trying to open goes down. During the process of opening the file, your Office program tries to add the file name and the path information of the file that you are trying to open to the Windows recent file list. Because the network location (path) does not now exist, the Office program may run slowly and may appear to stop responding (hang).
Note: This situation may also occur if your connection to your network is slow because your Office program has to make multiple queries to the network to obtain the correct file information.
Recommended Reading:
An Office program is slow or may appear to stop responding (hang) when you open a file from a network location
http://support.microsoft.com/kb/833041/en-us
Recommended Resolution: It is recommended to verify the registry setting named EnableShellDataCaching documented in KB833041, which is still valid for Microsoft Office 2010 and 2013.
Rule Algorithm
Source
Registry_Value_1 HKCU\Software\Microsoft\Office\*\Common\Open Find\EnableShellDataCaching @ REG_DWORD
Registry_Value_2 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayName @ REG_SZ
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_2 contains "Microsoft Office" or "Microsoft Word"
* Registry_Value_1 does not exist or is not 0x00000001
Affected Nodes
315BPT01.CALS.NCSU.EDU
Setting not configured.
admpc280.CVM.NCSU.EDU
Setting not configured.
ALUMINUM.CNR.NCSU.EDU
Setting not configured.
BILT-3032A-01.CNR.NCSU.EDU
Setting not configured.
BUSTA.ECE.NCSU.EDU
Setting not configured.
CLH-9F8NXR1.COM.NCSU.EDU
Setting not configured.
COLLAB-TEST-HD.EOS.NCSU.EDU
Setting not configured.
crpc11.CVM.NCSU.EDU
Setting not configured.
DELTA-DT-SP03.DELTA.NCSU.EDU
Setting not configured.
DELTA-DT-SP05.DELTA.NCSU.EDU
Setting not configured.
Microsoft Word Template Search Timeout Not Defined
Status: Failed
Description: 35 node(s) out of 37 node(s) were affected by this issue (94.59%).
In Microsoft Office Word, when you try to create a new document from a template that is located on a network share, you may experience slow performance. For example, you may experience one of the following symptoms:
• If Word 2007 connects to the network share over a wide area network (WAN) link, it takes four minutes to load the template.
• If the network share does not exist, a time-out occurs after 30 to 60 seconds.
Additionally, if you want to cancel the template load process during the slow performance, you have to press the ESC key.
Additional Information
Importance: In Microsoft Office Word, when you try to create a new document from a template that is located on a network share, you may experience slow performance. For example, you may experience one of the following symptoms:
• If Word connects to the network share over a wide area network (WAN) link, it takes four minutes to load the template.
• If the network share does not exist, a time-out occurs after 30 to 60 seconds.
Additionally, if you want to cancel the template load process during the slow performance, you have to press the ESC key.
Recommended Reading:
In Word 2007, when you try to create a new document from a template that is located on a network share, you may experience slow performance
http://support.microsoft.com/kb/970270
Recommended Resolution: It is recommended to reduce the template search timeout by using the registry value UseTimeoutForAttachedTemplateLoad. Sample time-out periods are documented in
http://support.microsoft.com/kb/970270
Rule Algorithm
Source
Registry_Value_1 HKCU\Software\Microsoft\Office\*\Word\Options\UseTimeoutForAttachedTemplateLoad @ REG_DWORD
Registry_Value_2 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayName @ REG_SZ
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_2 contains "Microsoft Office" or "Microsoft Word"
* Registry_Value_1 does not exist
Affected Nodes
315BPT01.CALS.NCSU.EDU
Setting not configured.
admpc280.CVM.NCSU.EDU
Setting not configured.
ALUMINUM.CNR.NCSU.EDU
Setting not configured.
BILT-3032A-01.CNR.NCSU.EDU
Setting not configured.
BUSTA.ECE.NCSU.EDU
Setting not configured.
CLH-9F8NXR1.COM.NCSU.EDU
Setting not configured.
COLLAB-TEST-HD.EOS.NCSU.EDU
Setting not configured.
crpc11.CVM.NCSU.EDU
Setting not configured.
DELTA-DT-SP03.DELTA.NCSU.EDU
Setting not configured.
DELTA-DT-SP05.DELTA.NCSU.EDU
Setting not configured.
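The two Office rules above (EnableShellDataCaching and UseTimeoutForAttachedTemplateLoad) as an added PowerShell audit that is not part of the RAP report: it checks every Office version key under HKCU the way the rules' wildcard does, and can apply the KB833041 value on request. It assumes the rules' Uninstall\DisplayName source means the DisplayName value of each product subkey under the Uninstall key, in both the 64-bit and 32-bit views.

```powershell
# Added example, not from the RAP report: audit the two per-user Office settings
# checked above for every Office version key present under HKCU.
# Assumption: the rule's Uninstall\DisplayName source is read as the DisplayName
# value of each product subkey under Uninstall (64-bit and 32-bit views).

function Test-OfficeInstalled {
    # Registry_Value_2 of both rules: a product named Microsoft Office or Microsoft Word.
    $products = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $names = Get-ItemProperty -Path $products -Name DisplayName -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty DisplayName
    return [bool]($names | Where-Object { $_ -like '*Microsoft Office*' -or $_ -like '*Microsoft Word*' })
}

function Get-OfficeSettingStatus {
    # One object per version key (14.0, 15.0, 16.0, ...), mirroring the rules'
    # HKCU\Software\Microsoft\Office\*\... wildcard.
    $versions = Get-ChildItem -Path 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
    foreach ($v in $versions) {
        $base    = "HKCU:\Software\Microsoft\Office\$($v.PSChildName)"
        $caching = (Get-ItemProperty -Path "$base\Common\Open Find" -Name EnableShellDataCaching `
                       -ErrorAction SilentlyContinue).EnableShellDataCaching
        $timeout = (Get-ItemProperty -Path "$base\Word\Options" -Name UseTimeoutForAttachedTemplateLoad `
                       -ErrorAction SilentlyContinue).UseTimeoutForAttachedTemplateLoad
        [pscustomobject]@{
            OfficeVersion          = $v.PSChildName
            EnableShellDataCaching = $caching
            ShellDataCachingOk     = ($caching -eq 1)      # rule: must exist and be 0x00000001
            TemplateLoadTimeout    = $timeout
            TemplateTimeoutDefined = ($null -ne $timeout)  # rule: value must exist (any value)
        }
    }
}

function Set-ShellDataCaching {
    # Remediation for the first finding: create the key if needed and set the
    # REG_DWORD value 1 documented in KB833041.
    param([Parameter(Mandatory)][string]$OfficeVersion)
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Common\Open Find"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableShellDataCaching -PropertyType DWord -Value 1 -Force | Out-Null
}

if (-not (Test-OfficeInstalled)) {
    'Rule does not apply: no product named Microsoft Office or Microsoft Word is installed.'
    return
}

$status = @(Get-OfficeSettingStatus)
$status | Format-Table -AutoSize

foreach ($s in $status | Where-Object { -not $_.ShellDataCachingOk }) {
    "Office $($s.OfficeVersion): EnableShellDataCaching is not 1 (KB833041)."
    # Set-ShellDataCaching -OfficeVersion $s.OfficeVersion   # uncomment to remediate
}
foreach ($s in $status | Where-Object { -not $_.TemplateTimeoutDefined }) {
    # The report gives no value for this one; choose the time-out period from KB970270.
    "Office $($s.OfficeVersion): UseTimeoutForAttachedTemplateLoad is not defined (KB970270)."
}
```

Because both values live under HKCU, the audit covers only the account running it; to enforce them for all users, deliver them through Group Policy Preferences or a logon script instead.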
Custom Task Scheduler Entries Are Defined
Status: Failed
Description: 35 node(s) out of 37 node(s) were affected by this issue (94.59%).
The Task Scheduler service allows you to perform automated tasks on a chosen computer. With this service, you can schedule any program to run at a convenient time for you or when a specific event occurs. The Task Scheduler monitors the time or event criteria that you choose and then executes the task when those criteria are met.
The Task Scheduler can be used to execute tasks such as starting an application, sending an email message, or showing a message box. Tasks can be scheduled to execute:
- When a specific system event occurs.
- At a specific time.
- At a specific time on a daily schedule.
- At a specific time on a weekly schedule.
- At a specific time on a monthly schedule.
- At a specific time on a monthly day-of-week schedule.
- When the computer enters an idle state.
- When the task is registered.
- When the system is booted.
- When a user logs on.
- When a Terminal Server session changes state.
Additional Information
Importance: Customized Task Scheduler entries may interact with the user's desktop or may allocate system resources that prevent the user from working efficiently.
Recommended Resolution: Delete or disable unnecessary scheduled tasks.
Autoruns for Windows:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Triggers @ REG_BINARY
Registry_Value_2 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_3 {Registry_Path_1}\Author @ REG_SZ
Detection Logic
Applies to: All operating systems
The following must be true:
* Byte 127 of Registry_Value_1 is "C" or "4"
* Registry_Value_2 does not contain "Optimize Start Menu Cache Files", "User_Feed_Synchronization", "\Microsoft", "\OfficeSoftwareProtection" or "\WPD\"
* Registry_Value_3 does not contain "System", "BrowserChoice", "Microsoft" or "$(@"
Affected Nodes
315BPT01.CALS.NCSU.EDU
Scheduled Tasks entries found:
Author: Adobe Systems Incorporated Task Name: \Adobe Acrobat Update Task
Author: WOLFTECH\adbuckne.admin Task Name: \Nightly Reboot
admpc280.CVM.NCSU.EDU
Scheduled Tasks entries found:
Author: Task Name: \Amazon Music Helper
Author: Task Name: \{8E612338-7F43-45DE-AD82-BBE76B5A8F96}
Author: Task Name: \Adobe Acrobat Update Task
Author: Task Name: \hpUrlLauncher.exe_{71668AB6-B78D-41A1-818D-5E88B063480A}
ALUMINUM.CNR.NCSU.EDU
Scheduled Tasks entries found:
Author: Task Name: \restart for anti virus
Author: Task Name: \CNR Backup
Author: Task Name: \restart for Anti Virus but not logged in
Author: Task Name: \Disable Defrag
BILT-3032A-01.CNR.NCSU.EDU
Scheduled Tasks entries found:
Author: Adobe Systems Incorporated Task Name: \Adobe Acrobat Update Task
Author: WOLFTECH\cdgoodw2.admin Task Name: \Printer Settings
Author: WOLFTECH\rdnorris.admin Task Name: \CNR Backup IT
BUSTA.ECE.NCSU.EDU
Scheduled Tasks entries found:
Author: Task Name: \Adobe Acrobat Update Task
CHASSIT-TEST.CHASS.NCSU.EDU
Scheduled Tasks entries found:
Author: Adobe Systems Incorporated Task Name: \Adobe Acrobat Update Task
Author: WOLFTECH\daniel.admin Task Name: \CHASS Group Recorder
CLH-9F8NXR1.COM.NCSU.EDU
Scheduled Tasks entries found:
Author: Task Name: \OpenAFS Service Stop
COLLAB-TEST-HD.EOS.NCSU.EDU
Scheduled Tasks entries found:
Author: WOLFTECH\jibrown.admin Task Name: \Weekly Reboot
Author: WOLFTECH\jibrown.admin Task Name: \Remove-Printers
Author: Realtek Task Name: \RtHDVBg_PushButton
Author: Task Name: \NIUpdateServiceStartupTask
crpc11.CVM.NCSU.EDU
Scheduled Tasks entries found:
Author: Task Name: \Adobe Acrobat Update Task
DELTA-DT-SP03.DELTA.NCSU.EDU
Scheduled Tasks entries found:
Author: WOLFTECH\robert.admin Task Name: \Restart_Daily
Author: Adobe Systems Incorporated Task Name: \Adobe Acrobat Update Task
Author: WOLFTECH\robert.admin Task Name: \Restart_Pre-Updates
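The "Custom Task Scheduler Entries" rule above, evaluated directly from the TaskCache registry as an added PowerShell example that is not part of the RAP report, with the same Path and Author exclusions the rule lists. It assumes "Byte 127" of the Triggers blob is a 0-based offset compared to the characters 'C' and '4' exactly as the rule states, and it needs an elevated session because TaskCache is not readable by standard users.

```powershell
# Added example, not from the RAP report: apply the rule's TaskCache detection
# logic and print the entries the way the affected-node lists above do.
# Assumption: "Byte 127" of Triggers is read as a 0-based offset and compared to
# the characters 'C' and '4' as the rule states. Run in an elevated session.

$TaskCache        = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$PathExclusions   = @('Optimize Start Menu Cache Files', 'User_Feed_Synchronization',
                      '\Microsoft', '\OfficeSoftwareProtection', '\WPD\')
$AuthorExclusions = @('System', 'BrowserChoice', 'Microsoft', '$(@')

function Test-ContainsAny {
    # Case-insensitive substring test against a list (the rule's "does not contain").
    param([string]$Text, [string[]]$Needles)
    if (-not $Text) { return $false }
    foreach ($n in $Needles) {
        if ($Text.IndexOf($n, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function Get-CustomScheduledTasks {
    foreach ($task in Get-ChildItem -LiteralPath $TaskCache -ErrorAction SilentlyContinue) {
        $p        = Get-ItemProperty -LiteralPath $task.PSPath
        $triggers = [byte[]]$p.Triggers
        $flag     = if ($triggers -and $triggers.Length -gt 127) { [string][char]$triggers[127] } else { '' }
        $selected = ($flag -ceq 'C' -or $flag -ceq '4') -and
                    -not (Test-ContainsAny -Text $p.Path   -Needles $PathExclusions) -and
                    -not (Test-ContainsAny -Text $p.Author -Needles $AuthorExclusions)
        if ($selected) {
            [pscustomobject]@{
                Id          = $task.PSChildName   # {GUID} of the TaskCache entry
                Author      = $p.Author
                Path        = $p.Path             # the "Task Name" shown in the report
                TriggerByte = $flag
            }
        }
    }
}

$found = @(Get-CustomScheduledTasks)
"Scheduled Tasks entries found: $($found.Count)"
$found | Sort-Object Path | Format-Table Author, Path -AutoSize
```

An empty Author (as several entries above show) passes the Author filter, so such tasks should be traced back to whoever registered them before being deleted or disabled.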
Defragmentation
The file system of an operating system is the overall structure in which files are named, stored, and organized. A file system consists of files, directories, or folders, and the information needed to locate and access these items.
Microsoft Windows NT File System (NTFS) is a robust and secure disk file system that has been optimized for size and performance. To keep NTFS in an optimal performing state it is important to schedule defragmentation jobs on a regular basis.
Disk fragmentation slows the overall performance of your system. When files are fragmented, the computer must search the hard disk as a file is opened (to piece it back together). The response time can be significantly longer.
Disk Defragmenter is a Windows utility that consolidates fragmented files and folders on your computer's hard disk so that each occupies a single space on the disk. With your files stored neatly end to end, without fragmentation, reading and writing to the disk speeds up.
No Issues Found.
Migration - Compatibility
Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues.
Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store.
For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10.
Recommended application testing process
Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflect the higher levels of compatibility that are expected. At a high level:
Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release.
For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines.
No Issues Found.
Deployment and Migration
Rapid deployment of Windows across large enterprise environments is often an important topic for IT professionals. There is not only the question of how to deploy, using one of the following methods:
▪ Deploy from Media
▪ Deploy from a Network
▪ Deploy from a Server
Often it is a question of which deployment scenarios must be supported:
▪ New Computer
▪ Upgrade Computer
▪ Refresh Computer
▪ Replace Computer
Besides these questions, it is possible to deploy the original, unmodified image from Microsoft sources or to customize a master image (often called a golden image). This may reduce the necessary installation time. Additionally, all available security and recommended updates can be integrated into this master image, which can significantly increase stability, compatibility and security from the beginning of the installation procedure. By adding frameworks, runtimes, line-of-business applications and software components, installation times can be further reduced.
The master image creation process should be fully automated (e.g. by scripts) without having manual steps. The master image rebuild process should be performed on a regular basis (e.g. 2-3 times a year). This will result in a constant, secure and a reliable master image.
It is common recommended practice to create such a master image on a virtual system (e.g. a Hyper-V reference system) without including any additional drivers. The drivers required for each hardware platform should be integrated later, during the deployment process. Please refer to the manual of the deployment solution you use for information on how this can be accomplished. Please check with third-party software manufacturers whether their products support the Sysprep process or whether additional steps need to be taken before or after creating the golden image.
Master Image Techniques
There are three primary strategies possible for creating a master image, and all are valid depending on the use case:
▪ Thick Image - This is an approach to install and image everything that could be necessary and useful for the end user. A reference machine is prepared and all possible applications are installed on it. After that is done, software updates are applied for the operating system and all the applications, then Sysprep is run on the computer to capture the image. After the master image is captured with a proper tool such as dism.exe, the deployment and the image quality must be verified.
▪ Thin Image - This approach takes things to the other extreme. A minimum, or nothing at all, is installed on the reference computer and Sysprep is used to capture that image. IT pros sometimes just use the image as shipped on the Windows 7 retail DVD or ISO with zero customization. This strategy assumes that customization of the installation with applications and other required data is performed dynamically during the deploy phase. This also means that all of the required applications are packaged for unattended installation or pre-staged for users to install when they want.
▪ Hybrid Image - The hybrid image is the middle ground between thick and thin imaging, where applications that everyone uses or needs are captured in the master image (perhaps VPN software, antivirus software, Microsoft Office, the App-V client). Aside from those core applications, additional applications are layered on at deploy phase based on user needs.
All of these strategies can be justified. The thick image approach is useful in situations where the company has a homogeneous environment, uses a single language, and all users use and need exactly the same set of applications. When using thick images in larger organizations, the trade-offs are that you pay for several applications that may not be necessary for all users, images are larger and multiple applications can affect performance, plus the image is more difficult to maintain, and flexibility is greatly reduced.
Thin images are the most flexible and easiest to maintain, but customizations need to happen during the deployment or later, which means that applications must be packaged for silent installation. Installation speed can be slower compared to thick images because each application needs to install itself one by one at deploy time, and more automation is required.
Hybrid images include many of the components of thick images, without necessarily wasting licensing costs, required disk space, and often the performance hit of multiple unused applications.
Non-administrator Can Interrupt Installation Process
Question: Can a non-administrator interrupt the client installation procedure and access the system?
Selected Answer: Yes
Status: Failed
Description: Security has to be implemented by design. This means that security begins when planning the deployment strategy and continues during the deployment itself.
Additional Information
Non-administrator can interrupt installation
It is recommended that you ensure no user has physical access (by keyboard, mouse, CD-R, or other media) to the computer to interrupt the installation process. Some deployment solutions, such as System Center Configuration Manager, offer security options of this type.
In most cases, it is also useful to specify an adequate boot device order in the BIOS settings.
Latest Updates Are Not In The Foundation Deployment Source
Question: Do you integrate approved updates into the foundation deployment source?
Selected Answer: No
Status: Failed
Description: Including updates and slipstreaming service packs into the deployment image considerably reduces the number of items to install and the overall time needed for computer deployment.
Additional Information
Including updates in the image
All the latest approved updates should be included in the master images before capturing and deploying to other machines.
On supported Operating Systems UEFI based hardware is strongly recommended
Question: Do you use BIOS or UEFI based hardware?
Selected Answer: BIOS
Additional Comments: Recently we've started pushing groups to use UEFI due to things like Device Guard. Up until this point we did not have an easy way to image machines using UEFI. Due to networking issues where we have multiple operating systems on the same subnet that needed to PXE to different servers, we cannot use IP helpers, so we are using DHCP options. We cannot rely on all IT staff being able to determine if things are BIOS or UEFI, so we default to BIOS, but as new machines come in we are pushing UEFI.
Status: Failed
Description: When the PC starts, the firmware interface controls the booting process of the PC, and then passes control to Windows or another operating system.
UEFI is a replacement for the older BIOS firmware interface and the Extensible Firmware Interface (EFI) 1.10 specifications.
More than 140 leading technology companies participate in the Unified EFI Forum, including AMD, AMI, Apple, Dell, HP, IBM, Insyde, Intel, Lenovo, Microsoft, and Phoenix Technologies.
Additional Information
Importance: Firmware that meets the UEFI 2.3.1 specifications provides the following benefits:
Faster boot and resume times.
Ability to use security features such as Secure Boot and factory encrypted drives that help prevent untrusted code from running before the operating system is loaded.
Microsoft Proprietary and Confidential Information Page
Key Findings ReportConfidential – NC State University
Ability to more easily support large hard drives (more than 2 terabytes) and drives with more than four partitions.
Support for multicast deployment, which allows PC manufacturers to broadcast a PC image that can be received by multiple PCs without overwhelming the network or image server.
Support for UEFI firmware drivers, applications, and option ROMs.
Recommended Reading: UEFI Firmware
https://technet.microsoft.com/en-us/library/hh824898.aspx
Installing Windows to an EFI-Based Computer
https://technet.microsoft.com/en-us/library/cc749064(v=ws.10).aspx
Recommended Resolution: Newly purchased hardware should always meet Microsoft's recommendation regarding enterprise readiness.
Usage of Advanced Group Policy Management (AGPM) should be evaluated
Question: Do you use Advanced Group Policy Management (AGPM) within your environment?
Selected Answer: No
Additional Comments: We want to use AGPM, but with our decentralized IT environment there is no way to programmatically assign delegated permissions to groups. We have 5882 GPOs managed by upwards of 90 different groups, and we need a way to create approvers, editors, and readers, as well as set up email notifications for all of those different groups.
Status: Failed
Description: Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of the Group Policy Management Console (GPMC) to provide comprehensive change control and improved management for Group Policy Objects (GPOs).
Additional Information
Importance: Imagine a tool that can help you take control of Group Policy. What would this tool do? It would help you better delegate who can review, edit, and deploy Group Policy objects (GPOs). It would help you prevent widespread failures that result from editing GPOs in production. You could use it to track each version of each GPO. Any tool that provided these capabilities, cost little, and was easy to deploy would certainly be worth a closer look.
Such a tool indeed exists, and it’s an integral part of the Microsoft® Desktop Optimization Pack (MDOP) for Software Assurance. MDOP helps organizations reduce the cost of deploying applications, deliver applications as services, and better manage desktop configurations.
Recommended Reading: Advanced Group Policy Management
https://technet.microsoft.com/en-us/library/dd420466.aspx
MDOP Information Experience
https://technet.microsoft.com/en-us/library/hh563900.aspx
Usage of Application Virtualization (App-V) should be evaluated
Question: Do you use Application Virtualization (App-V) within your environment?
Selected Answer: No
Additional Comments: We have looked at it in the past, and in some very extreme corner cases it was useful, but in a more wide-scale deployment it wasn't. We're looking into something like RDS to accomplish those goals.
Status: Failed
Description: Microsoft Application Virtualization (App-V) 5.1 enables administrators to deploy, update, and support applications as services in real time, on an as-needed basis. Individual applications are transformed from locally installed products into centrally managed services and are available wherever you need, without the need to preconfigure computers or to change operating system settings.
Additional Information
Importance:
Recommended Reading: Application Virtualization
https://technet.microsoft.com/en-us/library/jj680850.aspx
MDOP Information Experience
https://technet.microsoft.com/en-us/library/hh563900.aspx
Usage of User Experience Virtualization (UE-V) should be evaluated
Question: Do you use User Experience Virtualization (UE-V) within your environment?
Selected Answer: No
Status: Failed
Description: Microsoft User Experience Virtualization (UE-V) provides an enterprise-scalable user state virtualization solution that delivers a personal Windows experience, is easy for you to deploy, and integrates into your existing infrastructure.
Additional Information
Importance:
Recommended Reading: User Experience Virtualization
https://technet.microsoft.com/en-us/library/dn458947.aspx
MDOP Information Experience
https://technet.microsoft.com/en-us/library/hh563900.aspx
Your version of User Experience Virtualization (UE-V) is not compatible with Windows 10
Question: Is at least UE-V version 2.1 with Service Pack 1 in use?
Selected Answer: No
Status: Failed
Description: Windows 10 is not supported on your installed version of Microsoft User Experience Virtualization (UE-V).
Additional Information
Importance: If you have Microsoft User Experience Virtualization in your environment, you will most likely want to use it together with Windows 10.
Recommended Reading: Windows 10 infrastructure requirements
https://technet.microsoft.com/en-us/library/mt574262(v=vs.85).aspx
User Experience Virtualization
https://technet.microsoft.com/en-us/library/dn458947.aspx
Microsoft User Experience Virtualization (UE-V) 2.x
https://technet.microsoft.com/en-us/library/dn458926.aspx
Recommended Resolution: You should upgrade your Microsoft User Experience Virtualization environment to at least version 2.1 with Service Pack 1.
ASF Partition Sector Not Aligned
Status: Failed
Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
Hard disk drives are commonly based on 512-byte sectors, and all access to the physical media is addressed based on this unit.
Additional Information
Importance: Hard disk vendors now manufacture Advanced Format disks that have a sector size of 4096 bytes (4 KB). These disks can perform physical media updates only at the granularity of the 4 KB physical sector. Therefore, on a partition that is not 4K-aligned (e.g. one starting at sector 63), a 4096-byte read or write directed to the disk can span two physical sectors and requires additional work to complete. This additional work affects performance and reliability, depending on the workload and hardware implementation.
Recommended Reading: Advanced format (4K) disk compatibility update
http://msdn.microsoft.com/en-us/library/windows/desktop/hh848035(v=vs.85).aspx
Recommended Resolution: To avoid this additional overhead, align partitions to the 4K sector size. We recommend using the default offset of 1024 KB.
Rule Algorithm Source
WMI_1 Root\CIMv2:WMI_Win32_DiskPartition.StartingOffset
Detection Logic
Applies to: all Operating Systems
The following must be true:
* WMI_1 is not divisible by 4096
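The same WMI_1 check, as an added example that is not part of the RAP report: it reads Win32_DiskPartition.StartingOffset on the local machine and prints misaligned partitions in the wording the Affected Nodes entries use. It assumes Windows PowerShell 5.1 or later; Get-Disk (Storage module, Windows 8 / Server 2012 and later) is optional and only used to report the physical sector size of the disk.

```powershell
# Added example, not part of the RAP report: evaluates the partition alignment rule locally.
function Test-PartitionAlignment {
    [CmdletBinding()]
    param(
        # Physical sector size of an Advanced Format disk; the rule divides StartingOffset by 4096.
        [int64]$AlignmentBytes = 4096
    )
    # WMI_1: Root\CIMv2 Win32_DiskPartition.StartingOffset (bytes from the start of the disk).
    $partitions = Get-CimInstance -Namespace 'Root\CIMv2' -ClassName Win32_DiskPartition
    foreach ($p in $partitions) {
        $offset = [int64]$p.StartingOffset
        # Optional: physical sector size tells you whether the misalignment actually costs anything.
        $disk = Get-Disk -Number $p.DiskIndex -ErrorAction SilentlyContinue
        [pscustomobject]@{
            # DeviceID already carries the report's wording, e.g. "Disk #0, Partition #0".
            Partition          = $p.DeviceID
            StartingOffset     = $offset
            # Legacy LBA-63 layouts start at 32256 bytes; the 1024 KB default starts at 1048576.
            Aligned            = (($offset % $AlignmentBytes) -eq 0)
            # 512 = legacy disk (no penalty); 4096 = 4K-native or 512e Advanced Format disk.
            PhysicalSectorSize = if ($disk) { $disk.PhysicalSectorSize } else { 'unknown' }
        }
    }
}

# Emit one line per misaligned partition, in the form the Affected Nodes entries use.
Test-PartitionAlignment |
    Where-Object { -not $_.Aligned } |
    ForEach-Object { "$($_.Partition) is NOT 4k/512e sector aligned (StartingOffset $($_.StartingOffset))." }
```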
Affected Nodes: EI-SPARE-LT1.DELTA.NCSU.EDU
Disk #0, Partition #0 is NOT 4k/512e sector aligned.
Unattend XML Not Deleted After System Installation
Status: Failed
Description: 31 node(s) out of 37 node(s) were affected by this issue (83.78%).
The Unattend.XML deployment files are not removed after system deployment has been completed. This may be a security risk because confidential setup details may be included.
Additional Information
Importance: For security reasons it is not recommended to leave the unattend.xml on the system after setup. The unattend.xml may contain environment- or user-specific information which can be used to compromise the environment.
Recommended Reading: Methods for Running Windows Setup
http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx
Recommended Resolution: Delete the unattend.xml file after deployment has successfully finished.
Rule Algorithm Source
File_1 %WINDIR%\Panther\Unattend.xml
File_2 %WINDIR%\System32\Sysprep\Unattend.xml
File_3 %WINDIR%\System32\Sysprep\Panther\Unattend.xml
Detection Logic
Applies to: all Operating Systems
At least one of the following must be true:
* FILE_1 exists
* FILE_2 exists
* FILE_3 exists
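The FILE_1 to FILE_3 check and the recommended resolution together, as an added example that is not part of the RAP report: it tests the three paths from the rule's source table on the local machine, reports which credential-bearing elements of the unattend schema the file still contains (the element names Password, AutoLogon, LocalAccount, Credentials and ProductKey are taken from the Windows unattend schema), and removes the file only when -Remove is given. It assumes Windows PowerShell 5.1 or later, run elevated.

```powershell
# Added example, not part of the RAP report: audit and optionally remove leftover Unattend.xml files.
#Requires -RunAsAdministrator
function Get-LeftoverUnattendFile {
    [CmdletBinding()]
    param(
        # Without -Remove the function only audits, matching the detection rule.
        [switch]$Remove
    )
    # FILE_1 .. FILE_3 from the rule's source table, expanded from %WINDIR%.
    $candidates = @(
        (Join-Path $env:WINDIR 'Panther\Unattend.xml'),
        (Join-Path $env:WINDIR 'System32\Sysprep\Unattend.xml'),
        (Join-Path $env:WINDIR 'System32\Sysprep\Panther\Unattend.xml')
    )
    # Unattend schema elements that carry secrets or identities (schema element names, not report text).
    $sensitive = 'Password', 'AutoLogon', 'LocalAccount', 'Credentials', 'ProductKey'

    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $found = @()
        try {
            [xml]$doc = Get-Content -LiteralPath $path -Raw
            # Walk every element and keep the sensitive names that occur (by local name, any namespace).
            $found = @($doc.SelectNodes('//*') |
                Where-Object { $sensitive -contains $_.LocalName } |
                Select-Object -ExpandProperty LocalName -Unique)
        } catch {
            # Setup sometimes leaves a truncated or non-XML file behind; it still counts as a hit.
            $found = @('(unparseable file)')
        }
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
        [pscustomobject]@{
            Path              = $path
            SensitiveElements = if ($found.Count) { $found -join ', ' } else { 'none found' }
            Removed           = [bool]$Remove
        }
    }
}

Get-LeftoverUnattendFile             # audit only; no output means FILE_1..FILE_3 are absent
# Get-LeftoverUnattendFile -Remove   # remediation, once deployment has finished
```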
Affected Nodes: 315BPT01.CALS.NCSU.EDU
Found: \\315BPT01.CALS.NCSU.EDU\ADMIN$\Panther\Unattend.xml
ALUMINUM.CNR.NCSU.EDU
Found: \\ALUMINUM.CNR.NCSU.EDU\ADMIN$\Panther\Unattend.xml
BILT-3032A-01.CNR.NCSU.EDU
Found: \\BILT-3032A-01.CNR.NCSU.EDU\ADMIN$\Panther\Unattend.xml
BUSTA.ECE.NCSU.EDU
Found: \\BUSTA.ECE.NCSU.EDU\ADMIN$\Panther\Unattend.xml
CHASSIT-TEST.CHASS.NCSU.EDU
Found: \\CHASSIT-TEST.CHASS.NCSU.EDU\ADMIN$\Panther\Unattend.xml
CLH-9F8NXR1.COM.NCSU.EDU
Found: \\CLH-9F8NXR1.COM.NCSU.EDU\ADMIN$\Panther\Unattend.xml
COLLAB-TEST-HD.EOS.NCSU.EDU
Found: \\COLLAB-TEST-HD.EOS.NCSU.EDU\ADMIN$\Panther\Unattend.xml
DELTA-DT-SP03.DELTA.NCSU.EDU
Found: \\DELTA-DT-SP03.DELTA.NCSU.EDU\ADMIN$\Panther\Unattend.xml
DELTA-DT-SP05.DELTA.NCSU.EDU
Found: \\DELTA-DT-SP05.DELTA.NCSU.EDU\ADMIN$\Panther\Unattend.xml
EB2-2214-LOAN01.CSC.NCSU.EDU
Found: \\EB2-2214-LOAN01.CSC.NCSU.EDU\ADMIN$\Panther\Unattend.xml
The recommended deployment method for existing devices is traditional wipe-and-load
Question: What statements are true for feature upgrades on existing devices?
Selected Answer:
Status: Resolved
Description: New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the Windows Assessment and Deployment Kit, Windows Deployment Services, the Microsoft Deployment Toolkit, and System Center Configuration Manager.
Additional Information
Importance: To successfully deploy a Windows operating system in your organization, it is important to understand the different ways that it can be deployed. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.
Recommended Reading: Windows 10 deployment scenarios
https://technet.microsoft.com/en-us/library/mt282208(v=vs.85).aspx
Device Drivers
Microsoft Windows supports thousands of hardware accessories, generally referred to as devices, including printers, digital cameras, and network adapters. These extend what your computer can do. To provide this level of flexibility, Windows uses software called a device driver to communicate with the hardware. Every hardware device you connect to your computer has its own device driver. Over time, the manufacturer may update the driver for your device to improve its performance, to improve security, or to correct a problem.
Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware and automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the computer.
Plug and Play hardware, combined with a Plug and Play-compatible operating system, allows a user to plug in the hardware; Windows then searches for an appropriate device driver package and configures it automatically so that it works without interfering with other devices.
Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted.
Source: Microsoft-Windows-CodeIntegrity / Event ID: 3001 / Error: Unsigned Kernel Module Is Loaded
Status: Failed
Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
Code integrity checks each kernel-mode driver for a digital signature when an attempt is made to load the driver into memory. Depending on the architecture and configuration of the system, the operating system might not load unsigned kernel-mode drivers. This error message indicates that an unsigned kernel module is currently loaded into the system. Check with the publisher to see if a signed version is available.
Additional Information
Importance: The Microsoft digital signature affirms that software has been tested with Windows and that the software has not been altered since it was tested.
Rule Algorithm Source
Event_1 EventLog ("Microsoft-Windows-CodeIntegrity\Operational") @ 3001
Detection Logic
Applies to: All operating systems
The following must be true:
* Event_1 is listed in the past 7 days
Affected Nodes: UNO.IE.NCSU.EDU
Amount of Events logged within 7 days : 4
First Event logged : 2016-10-03T22:09:40.9158467+00:00
Last Event logged : 2016-09-29T18:54:49.6968846+00:00
ID : 3001
Provider : Microsoft-Windows-CodeIntegrity
Message : Code Integrity determined an unsigned kernel module \Device\HarddiskVolume2\Windows\System32\drivers\cvintdrv.sys is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available.
Source: Microsoft-Windows-CodeIntegrity / Event ID: 3002 / Error: Unable To Verify Image Integrity
Status: Failed
Description: 10 node(s) out of 37 node(s) were affected by this issue (27.03%).
Code integrity checks each kernel-mode driver for a digital signature when an attempt is made to load the driver into memory. Depending on the architecture and configuration of the system, the operating system might not load unsigned kernel-mode drivers.
The behavior across different architectures is as follows:
* For x64-based computers, all kernel-mode drivers must be digitally signed.
* For x86-based or Itanium-based computers, the following kernel-mode drivers require a digital signature: bootvid.dll, ci.dll, clfs.sys, hal.dll, kdcom.dll, ksecdd.sys, ntoskrnl.exe, pshed.dll, spldr.sys, tpm.sys, and winload.exe.
Note that if a kernel debugger is attached to the system, Code Integrity will still check for a digital signature on every kernel-mode driver, but the operating system will still load the drivers regardless.
This error message relates to Code Integrity being unable to verify a file because a signature is not present on the system. The image has been allowed, however, because a kernel-mode debugger is attached.
Additional Information
Importance: The Microsoft digital signature affirms that software has been tested with Windows and that the software has not been altered since it was tested.
Rule Algorithm Source
Event_1 EventLog ("Microsoft-Windows-CodeIntegrity\Operational") @ 3002
Detection Logic
Applies to: All operating systems
The following must be true:
* Event_1 is listed in the past 7 days
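The Event_1 query of this rule and of the 3001 rule above, as an added example that is not part of the RAP report: it reads Microsoft-Windows-CodeIntegrity/Operational for the past 7 days and summarises events per module in the shape of the Affected Nodes entries (count, first, last, message). It assumes Windows PowerShell 5.1 or later and, for a remote node, that remote event log access is permitted on the target.

```powershell
# Added example, not part of the RAP report: summarise Code Integrity events 3001/3002 per module.
function Get-CodeIntegrityFinding {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7,
        [int[]]$EventId = @(3001, 3002)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no finding".
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return }

    $events |
        ForEach-Object {
            # Both messages name the image by its NT device path, e.g. \Device\HarddiskVolume2\...\x.sys.
            $module = if ($_.Message -match '\\Device\\HarddiskVolume\d+\\\S+') { $Matches[0] } else { '(unparsed)' }
            [pscustomobject]@{ Id = $_.Id; Time = $_.TimeCreated; Module = $module; Message = $_.Message }
        } |
        Group-Object Id, Module |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                Computer = $ComputerName
                ID       = $sorted[0].Id
                Count    = $_.Count
                First    = $sorted[0].Time
                Last     = $sorted[-1].Time
                Module   = $sorted[0].Module
                # 3001: an unsigned kernel module is loaded. 3002: per-page hashes are missing and
                # the image was allowed only because a kernel debugger is attached (rule text above).
                Finding  = if ($sorted[0].Id -eq 3001) { 'unsigned kernel module loaded' }
                           else { 'image unverifiable; allowed under kernel debugger' }
                Message  = $sorted[-1].Message
            }
        }
}

Get-CodeIntegrityFinding | Format-Table Computer, ID, Count, First, Last, Module, Finding -AutoSize
```

On a node reporting 3002, also confirm that kernel debugging was not left enabled on a production PC (bcdedit /enum {current} shows a debug entry when it is).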
Affected Nodes: CHASSIT-TEST.CHASS.NCSU.EDU
Amount of Events logged within 7 days : 7
First Event logged : 2016-10-05T06:40:01.692216+00:00
Last Event logged : 2016-09-30T15:28:17.4188242+00:00
ID : 3002
Provider : Microsoft-Windows-CodeIntegrity
Message : Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
DELTA-DT-SP03.DELTA.NCSU.EDU
Amount of Events logged within 7 days : 11
First Event logged : 2016-09-30T15:20:52.084943+00:00
Last Event logged : 2016-09-28T19:49:04.9744096+00:00
ID : 3002
Provider : Microsoft-Windows-CodeIntegrity
Message : Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
DELTA-DT-SP05.DELTA.NCSU.EDU
Amount of Events logged within 7 days : 4
First Event logged : 2016-09-29T17:51:59.0407564+00:00
Last Event logged : 2016-09-29T06:57:37.9120003+00:00
ID : 3002
Provider : Microsoft-Windows-CodeIntegrity
Message : Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
Amount of Events logged within 7 days : 16
First Event logged : 2016-10-04T21:21:59.8801476+00:00
Last Event logged : 2016-09-28T19:39:12.4485748+00:00
ID : 3002
Provider : Microsoft-Windows-CodeIntegrity
Message : Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
Amount of Events logged within 7 days : 11
First Event logged : 2016-10-02T06:44:57.0021556+00:00
Last Event logged : 2016-09-28T19:29:00.2531126+00:00
ID : 3002
Provider : Microsoft-Windows-CodeIntegrity
Message : Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
PT315B-01.CALS.NCSU.EDU
Amount of Events logged within 7 days : 6
First Event logged : 2016-10-04T14:46:25.9747389+00:00
Last Event logged : 2016-09-30T18:47:31.7114167+00:00
ID : 3002
Provider : Microsoft-Windows-CodeIntegrity
Message : Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
PT315B-02.CALS.NCSU.EDU
Amount of Events logged within 7 days : 1
First Event logged : 2016-10-03T22:08:58.6561264+00:00
Last Event logged : 2016-10-03T22:08:58.6561264+00:00
ID : 3002
Provider : Microsoft-Windows-CodeIntegrity
Message : Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
T-131B-2.CHASS.NCSU.EDU
Amount of Events logged within 7 days : 18
First Event logged : 2016-10-05T03:13:51.8968213+00:00
Last Event logged : 2016-09-29T19:45:09.0855993+00:00
ID : 3002
Provider : Microsoft-Windows-CodeIntegrity
Message : Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
VTHLOANERPC.CVM.NCSU.EDU
Amount of Events logged within 7 days : 6
First Event logged : 2016-09-29T20:51:00.8965406+00:00
Last Event logged : 2016-09-28T20:48:54.996406+00:00
ID : 3002
Provider : Microsoft-Windows-CodeIntegrity
Message : Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
WN-133-01.CHASS.NCSU.EDU
Amount of Events logged within 7 days : 2
First Event logged : 2016-10-05T02:04:42.2920655+00:00
Last Event logged : 2016-10-04T02:04:11.5861873+00:00
ID : 3002
Provider : Microsoft-Windows-CodeIntegrity
Message : Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
Device Driver Release Date Older Than 12 Months
Status: Failed
Description: 36 node(s) out of 37 node(s) were affected by this issue (97.3%).
A device driver is code that an operating system uses to control disk devices, display adapters, input devices such as a mouse or trackball, as well as modems, fax machines, printers, and other hardware. The latest release often includes bug fixes and resolutions for performance and stability issues.
Additional Information
Importance: A driver is software that Windows uses to communicate with hardware devices. Without drivers, hardware that is connected to the computer does not work correctly. For example, if a video card or a printer does not have the correct driver installed, that device may not work correctly.
Recommended Reading: Description of Device Drivers:
http://support.microsoft.com/kb/253671
Recommended Resolution: It is strongly recommended that you regularly verify whether new device drivers are available and that you update them at a regular interval. Make sure to test the new driver packages against line-of-business applications.
Rule Algorithm Source
WMI_1 Root\CIMv2:Win32_PnPSignedDriver
Detection Logic
Applies to: All operating systems
The following must be true:
* WMI_1.DriverDate is older than 12 months and WMI_1.DriverProviderName does not contain "Microsoft"
Annotation: look to see if there are updated drivers for these devices
Affected Nodes: 315BPT01.CALS.NCSU.EDU
Device driver older than 12 months found: None
Intel | 7/25/2013 | oem5.inf:Intel(R) ICH10 Family SMBus Controller - 3A60
Intel Corporation | 5/2/2014 | oem4.inf:Intel(R) Desktop/Workstation/Server Express Chipset SATA RAID Controller
Intel Corporation | 3/11/2013 | oem8.inf:Intel(R) Q45/Q43 Express Chipset (Microsoft Corporation - WDDM 1.1); Intel(R) Q45/Q43 Express Chipset (Microsoft Corporation - WDDM 1.1)
Dell Inc. | 5/11/2009 | oem7.inf:Dell E190S
AMD | 2/12/2015 | oem6.inf:Pci Bus
admpc280.CVM.NCSU.EDU
Device driver older than 12 months found: None
Oracle Corporation | 4/12/2013 | oem56.inf:VirtualBox Bridged Networking Driver Miniport; VirtualBox Bridged Networking Driver Miniport
Cisco Systems | 2/26/2014 | oem60.inf:Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Oracle Corporation | 4/12/2013 | vboxnetadp.inf:VirtualBox Host-Only Ethernet Adapter
Intel | 9/15/2006 | oem13.inf:Intel(R) 82801 PCI Bridge - 244E; High Precision Event Timer
Synaptics | 9/7/2012 | oem33.inf:Synaptics SMBus Driver
Intel | 11/29/2011 | oem24.inf:Intel(R) 5 Series/3400 Series SATA AHCI Controller
Intel | 10/28/2009 | oem8.inf:Intel(R) 5 Series/3400 Series Chipset Family PCI Express Root Port 1 - 3B42; Intel(R) 5 Series/3400 Series Chipset Family PCI Express Root Port 5 - 3B4A; Intel(R) Q57 Express Chipset LPC Interface Controller - 3B0A
Intel | 8/20/2009 | oem3.inf:Intel(R) 5 Series/3400 Series Chipset Family USB Enhanced Host Controller - 3B3C; Intel(R) 5 Series/3400 Series Chipset Family USB Enhanced Host Controller - 3B34
Realtek Semiconductor Corp. | 9/14/2010 | oem26.inf:Realtek High Definition Audio
Intel | 4/12/2010 | oem34.inf:Intel(R) 82578DM Gigabit Network Connection
Intel | 10/28/2009 | oem5.inf:Intel(R) processor DMI - D131; Intel(R) processor PCI Express Root Port 1 - D138; Intel(R) processor System Management Registers - D155; Intel(R) processor Semaphore and Scratchpad Registers - D156; Intel(R) processor System Control and Status Registers - D157; Intel(R) QuickPath Interconnect - D150; Intel(R) QuickPath Interconnect - D151
Advanced Micro Devices, Inc. | 12/6/2011 | oem14.inf:ATI Radeon HD 3450 - Dell Optiplex
ALUMINUM.CNR.NCSU.EDU
Device driver older than 12 months found: None
Synaptics | 2/25/2014 | oem49.inf:Synaptics SMBus Driver
Intel Corporation | 10/18/2013 | oem38.inf:Intel(R) 8 Series/C220 Chipset Family SATA AHCI Controller
Intel | 9/15/2006 | oem30.inf:High Precision Event Timer
Intel | 7/25/2013 | oem31.inf:Intel(R) Q87 LPC Controller - 8C4E
Intel | 7/31/2013 | oem6.inf:Intel(R) 8 Series/C220 Series USB EHCI #2 - 8C2D; Intel(R) 8 Series/C220 Series USB EHCI #1 - 8C26
Realtek Semiconductor Corp. | 3/31/2014 | oem26.inf:Realtek High Definition Audio
Intel | 3/13/2014 | oem24.inf:Intel(R) Ethernet Connection I217-LM
Intel | 1/23/2014 | oem35.inf:Intel(R) Active Management Technology - SOL
Intel | 3/13/2014 | oem2.inf:Intel(R) Management Engine Interface
Intel(R) Corporation | 11/18/2013 | oem22.inf:Intel(R) USB 3.0 Root Hub
Intel(R) Corporation | 11/18/2013 | oem86.inf:Intel(R) USB 3.0 eXtensible Host Controller
Intel(R) Corporation | 3/31/2015 | oem85.inf:Intel(R) Display Audio
Intel | 7/25/2013 | oem39.inf:Intel(R) 4th Gen Core processor DRAM Controller - 0C00
Intel | 11/18/2013 | oem33.inf:PCI bus
BILT-3032A-01.CNR.NCSU.EDU
Device driver older than 12 months found: None
Realtek Semiconductor Corp. | 9/22/2015 | oem12.inf:Realtek High Definition Audio
Intel | 8/4/2015 | oem11.inf:Intel(R) Ethernet Connection I217-LM
Intel | 5/8/2015 | oem9.inf:Intel(R) Active Management Technology - SOL
Intel | 8/31/2015 | oem4.inf:Intel(R) Management Engine Interface
Dell Inc. | 8/2/2013 | oem13.inf:Dell P2314H (DVI)
BUSTA.ECE.NCSU.EDU
Device driver older than 12 months found: None
Synaptics | 11/18/2014 | oem63.inf:Synaptics SMBus Driver
Intel Corporation | 11/15/2013 | oem12.inf:Intel(R) Desktop/Workstation/Server Express Chipset SATA AHCI Controller
Intel | 9/15/2006 | oem76.inf:Intel(R) 82801 PCI Bridge - 244E; High Precision Event Timer
Intel | 7/25/2013 | oem19.inf:Intel(R) 6 Series/C200 Series Chipset Family PCI Express Root Port 1 - 1C10; Intel(R) 6 Series/C200 Series Chipset Family PCI Express Root Port 3 - 1C14; Intel(R) Q65 Express Chipset Family LPC Interface Controller - 1C4C
INTEL | 7/14/2015 | oem41.inf:Intel(R) 6 Series/C200 Series Chipset Family USB Enhanced Host Controller - 1C2D; Intel(R) 6 Series/C200 Series Chipset Family USB Enhanced Host Controller - 1C26
Intel(R) Corporation | 2/21/2014 | oem16.inf:Intel(R) Display Audio
Realtek Semiconductor Corp. | 9/14/2010 | oem91.inf:Realtek High Definition Audio
Intel | 7/19/2011 | oem61.inf:Intel(R) 6 Series/C200 Series Chipset Family High Definition Audio - 1C20
Intel | 5/2/2014 | oem59.inf:Intel(R) 82579LM Gigabit Network Connection
Intel | 8/31/2015 | oem60.inf:Intel(R) Management Engine Interface
Intel Corporation | 2/22/2013 | oem30.inf:Intel(R) HD Graphics
Intel | 7/25/2013 | oem8.inf:2nd Generation Intel(R) Core(TM) Processor Family DRAM Controller - 0100
AMD | 7/24/2013 | oem6.inf:Pci Bus
CHASSIT-TEST.CHASS.NCSU.EDU
Device driver older than 12 months found: None
NVIDIA Corporation | 9/23/2013 | nvraid.inf:NVIDIA nForce Serial ATA Controller; NVIDIA nForce Serial ATA Controller
NVIDIA | 1/30/2015 | oem11.inf:NVIDIA GeForce 6150 LE
AMD | 2/12/2015 | oem2.inf:Pci Bus
CLH-9F8NXR1.COM.NCSU.EDU
Device driver older than 12 months found: None
Intel | 9/10/2010 | oem6.inf:Intel(R) 6 Series/C200 Series Chipset Family 4 port Serial ATA Storage Controller - 1C00; Intel(R) 6 Series/C200 Series Chipset Family 2 port Serial ATA Storage Controller - 1C08
Intel | 9/10/2010 | oem7.inf:Intel(R) 6 Series/C200 Series Chipset Family SMBus Controller - 1C22
Intel | 11/20/2010 | oem5.inf:Intel(R) 6 Series/C200 Series Chipset Family PCI Express Root Port 1 - 1C10; Intel(R) 6 Series/C200 Series Chipset Family PCI Express Root Port 3 - 1C14; Intel(R) Q67 Express Chipset Family LPC Interface Controller - 1C4E
Intel | 9/16/2010 | oem8.inf:Intel(R) 6 Series/C200 Series Chipset Family USB Enhanced Host Controller - 1C2D; Intel(R) 6 Series/C200 Series Chipset Family USB Enhanced Host Controller - 1C26
Intel | 7/20/2011 | oem13.inf:Intel(R) 82579LM Gigabit Network Connection
ATI Technologies Inc. | 4/19/2011 | oem3.inf:ATI Radeon HD 5450
Intel | 9/10/2010 | oem9.inf:2nd generation Intel(R) Core(TM) processor family DRAM Controller - 0100; 2nd generation Intel(R) Core(TM) processor family PCI Express Controller - 0101
COLLAB-TEST-HD.EOS.NCSU.EDU
Device driver older than 12 months found: None
National Instruments | 6/15/2010 | oem20.inf:NI Ethernet Device Enumerator
Intel | 8/4/2015 | oem7.inf:Intel(R) Ethernet Connection (2) I219-LM
INTEL | 8/17/2015 | oem76.inf:Intel(R) 100 Series/C230 Series Chipset Family Thermal subsystem - A131; Intel(R) 100 Series/C230 Series Chipset Family PMC - A121; Intel(R) 100 Series/C230 Series Chipset Family SMBus - A123
Realtek Semiconductor Corp. | 7/10/2015 | oem72.inf:Realtek High Definition Audio
Intel Corporation | 7/22/2015 | oem6.inf:Intel(R) 100 Series/C230 Chipset Family SATA AHCI Controller
Intel | 5/8/2015 | oem5.inf:Intel(R) Active Management Technology - SOL
Intel | 7/28/2015 | oem60.inf:Intel(R) Management Engine Interface
Dell Inc. | 8/2/2013 | oem78.inf:Dell P2314H (DVI)
INTEL | 7/14/2015 | oem70.inf:Intel(R) Xeon(R) E3 - 1200/1500 v5/6th Gen Intel(R) Core(TM) PCIe Controller (x16) - 1901
AMD | 8/10/2015 | oem69.inf:Pci Bus
crpc11.CVM.NCSU.EDU
Device driver older than 12 months found: None
Intel | 9/15/2006 | oem7.inf:Intel(R) 82801 PCI Bridge - 244E; High Precision Event Timer
Intel | 7/25/2013 | oem92.inf:Intel(R) ICH10 Family 4 port Serial ATA Storage Controller 1 - 3A00; Intel(R) ICH10 Family 2 port Serial ATA Storage Controller 2 - 3A06
Intel | 7/25/2013 | oem121.inf:Intel(R) ICH10 Family SMBus Controller - 3A60
Intel | 7/25/2013 | oem123.inf:Intel(R) ICH10 Family PCI Express Root Port 1 - 3A70; Intel(R) ICH10 Family PCI Express Root Port 2 - 3A72; Intel(R) ICH10D LPC Interface Controller - 3A1A
Intel | 7/31/2013 | oem96.inf:Intel(R) ICH10 Family USB Universal Host Controller - 3A67; Intel(R) ICH10 Family USB Universal Host Controller - 3A68; Intel(R) ICH10 Family USB Universal Host Controller - 3A69; Intel(R) ICH10 Family USB Enhanced Host Controller - 3A6C; Intel(R) ICH10 Family USB Universal Host Controller - 3A64; Intel(R) ICH10 Family USB Universal Host Controller - 3A65; Intel(R) ICH10 Family USB Universal Host Controller - 3A66; Intel(R) ICH10 Family USB Enhanced Host Controller - 3A6A
AnalogDevices | 6/19/2008 | oem115.inf:SoundMAX Integrated Digital High Definition Audio
Intel | 4/12/2010 | oem82.inf:Intel(R) 82567LM-3 Gigabit Network Connection
Intel | 7/6/2009 | oem114.inf:Intel(R) Active Management Technology - SOL
NVIDIA | 11/11/2013 | oem127.inf:NVIDIA GeForce 9300 GE
Intel | 7/25/2013 | oem106.inf:Intel(R) 4 Series Chipset Processor to I/O Controller - 2E10; Intel(R) 4 Series Chipset PCI Express Root Port - 2E11
AMD | 7/24/2013 | oem79.inf:Pci Bus
DELTA-DT-SP03.DELTA.NCSU.EDU
Device driver older than 12 months found: None
INTEL | 7/14/2015 | oem10.inf:Intel(R) 8 Series/C220 Series PCI Express Root Port #1 - 8C10; Intel(R) 8 Series/C220 Series PCI Express Root Port #5 - 8C18; Intel(R) Q87 LPC Controller - 8C4E; Intel(R) 8 Series/C220 Series SMBus Controller - 8C22
Intel Corporation | 7/22/2015 | oem1.inf:Intel(R) 8 Series/C220 Chipset Family SATA AHCI Controller
Advanced Micro Devices | 5/13/2015 | oem12.inf:AMD High Definition Audio Device; AMD High Definition Audio Device
Advanced Micro Devices, Inc. | 7/6/2015 | oem4.inf:AMD Radeon HD 8490; AMD Radeon HD 8490
Realtek Semiconductor Corp. | 9/22/2015 | oem15.inf:Realtek High Definition Audio
Intel | 8/4/2015 | oem17.inf:Intel(R) Ethernet Connection I217-LM
Intel | 5/8/2015 | oem16.inf:Intel(R) Active Management Technology - SOL
Intel | 7/7/2015 | oem11.inf:Intel(R) Management Engine Interface
INTEL | 7/14/2015 | oem0.inf:Intel(R) Xeon(R) processor E3 - 1200 v3/4th Gen Core processor PCI Express x16 Controller - 0C01
AMD | 2/12/2015 | oem6.inf:Pci Bus
Device Driver Signature Not Found Or Invalid
Status: Failed
Description: 7 node(s) out of 37 node(s) were affected by this issue (18.92%).
Because device driver software runs as a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers are permitted.
The 64-bit versions of Windows Vista, Windows 7 and Windows 8 require that all kernel mode device drivers be signed with a Software Publishing Certificate issued by a certification authority. If you use a 64-bit version of Windows, then you need a driver package that is already signed or have access to a Software Publishing Certificate with which you can sign the driver package. If you sign a 64-bit kernel mode device driver incorrectly, it will not load or run successfully. If the device driver is required to start the computer, your computer might fail to start. Ensure that you test your packages thoroughly on each type of computer on which you will deploy them.
Additional Information
Importance: Because device drivers run with system-level privileges and can access anything on your computer, it is essential that you trust the device drivers that you install. Trust, in this context, includes two main principles:
- Authenticity - This is a guarantee that the package came from its claimed source. It cannot be malicious code masquerading as something legitimate.
- Integrity - This is an assurance that the package is 100 percent intact and has not been modified by anyone after it was released.
Windows uses digital certificates and digital signatures to provide support for these principles.
Recommended Reading
Device Management and Installation Step-by-Step Guide: Signing and Staging Device Drivers in Windows 7 and Windows Server 2008 R2:
http://technet.microsoft.com/en-us/library/dd919230(WS.10).aspx
Device Management and Installation Step-by-Step Guide: Signing and Staging Device Drivers in Windows Vista and Windows Server 2008:
http://technet.microsoft.com/en-us/library/cc754052.aspx
Recommended Resolution
It is recommended to only use WHQL signed driver packages.
Contact your hardware manufacturer to verify if there are newer packages available.
Rule Algorithm
Source
WMI_1 Root\CIMv2:Win32_PnPSignedDriver
Detection Logic
Applies to: All operating systems
The following must be true:
* WMI_1.IsSigned is "False" and WMI_1.DriverProviderName does not contain "Microsoft"
Affected Nodes
admpc280.CVM.NCSU.EDU
Device driver without valid signature found: None
Oracle Corporation | Signed: False | oem56.inf | VirtualBox Bridged Networking Driver Miniport
Oracle Corporation | Signed: False | vboxnetadp.inf | VirtualBox Host-Only Ethernet Adapter
WolfVision | Signed: False | oem72.inf | WolfVision Video Capture II
WolfVision | Signed: False | oem71.inf | vSolution Link Streaming Capture
WolfVision GmbH | Signed: False | oem73.inf | WolfVision WIA-compatible device
BILT-3032A-01.CNR.NCSU.EDU
Device driver without valid signature found: None
Intel | Signed: False | oem4.inf | Intel(R) Management Engine Interface
COLLAB-TEST-HD.EOS.NCSU.EDU
Device driver without valid signature found: None
National Instruments | Signed: False | oem20.inf | NI Ethernet Device Enumerator
HLB106PC.CLASSTECH.NCSU.EDU
Device driver without valid signature found: None
WolfVision | Signed: False | oem18.inf | WolfVision Video Capture II
WolfVision | Signed: False | oem17.inf | vSolution Link Streaming Capture
WolfVision GmbH | Signed: False | oem19.inf | WolfVision WIA-compatible device
MOBILELAB4.IE.NCSU.EDU
Device driver without valid signature found: None
Rockwell Automation | Signed: False | oem29.inf | A-B Virtual Backplane
TEX-OXYGEN.TX.NCSU.EDU
Device driver without valid signature found: None
National Instruments | Signed: False | oem123.inf | NI Ethernet Device Enumerator
UNO.IE.NCSU.EDU
Device driver without valid signature found: None
National Instruments | Signed: False | oem41.inf | NI Ethernet Device Enumerator
Filter Drivers Detected
Status: Failed
Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
Filter drivers are used to add functionality to devices (or existing drivers) or to modify I/O requests and responses from other drivers. Filter drivers are optional and can exist in any number. They can be placed above or below a function driver and above a bus driver.
Additional Information
Importance
When you are troubleshooting application issues you have to do more than just stop or disable the services that are associated with the software. Even if you disable the software component, the filter driver is still loaded when you restart the computer. You may be forced to remove a software component to find the cause of an issue. As an alternative to removing the software component, you can stop the relevant services and disable the corresponding filter drivers in the registry. For example, if you prevent antivirus software from scanning or filtering files on your computer, you must also disable the corresponding filter drivers.
Recommended Reading
File System Filter Drivers:
http://www.microsoft.com/whdc/driver/filterdrv/default.mspx
Recommended Resolution
Too many filter drivers may negatively impact system performance and stability, or produce other problems due to overlapping functionality. In the future, carefully test the impact of filter drivers on the client system performance.
Especially in scenarios where optimized system settings are not solving performance related problems, we recommend that you contact your third party manufacturer for a filter driver update. Keeping the total number of installed filter drivers to a minimum will help reduce the risk of failures and system performance issues.
Rule Algorithm
Source
Registry_Path_1 HKLM\SYSTEM\CurrentControlSet\Services\*
Registry_Value_1 {Registry_Path_1}\Owners @ REG_EXPAND_SZ
Registry_Value_2 HKLM\SYSTEM\CurrentControlSet\Control\Class\*\LowerFilters @ REG_MULTI_SZ
Registry_Value_3 HKLM\SYSTEM\CurrentControlSet\Control\Class\*\UpperFilters @ REG_MULTI_SZ
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Path_1 exists and Registry_Value_1 contains "OEM" and Registry_Value_2 or Registry_Value_3 contains ServiceName (right value of the Path) from Registry_Path_1
Affected Nodes
MOBILELAB4.IE.NCSU.EDU
Upper filter driver:
mouclass | C:\Windows\system32\drivers\mouclass.sys
Group Policy
You can use Windows Server Group Policy to manage configurations for groups of computers and users, including options for registry-based policy settings, security settings, software deployment, scripts, folder redirection, and preferences. Group Policy preferences, new in Windows Server 2008, expand the range of configurable policy settings within a Group Policy object (GPO). In contrast to Group Policy settings, preferences are not enforced. Users can change preferences after initial deployment.
Using Group Policy, you can significantly reduce an organization’s total cost of ownership. Various factors, such as the large number of policy settings available, the interaction between multiple policies, and inheritance options, can make Group Policy design complex. By carefully planning, designing, testing, and deploying a solution based on your organization’s business requirements, you can provide the standardized functionality, security, and management control that your organization needs.
Overview of Group Policy
Group Policy enables Active Directory–based change and configuration management of user and computer settings on computers running Windows 8, Windows 7, Windows Vista and Windows XP. In addition to using Group Policy to define configurations for groups of users and computers, you can also use Group Policy to help manage server computers, by configuring many server-specific operational and security settings.
The Group Policy settings you create are contained in a GPO. To create and edit a GPO, use the Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory sites, domains, and organizational units (OUs), you apply the policy settings in the GPO to the users and computers in those Active Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
To guide your Group Policy design decisions, you need a clear understanding of your organization’s business needs, service level agreements, and requirements for security, network, and IT. By analyzing your current environment and users’ requirements, defining the business objectives you want to meet by using Group Policy, and following these guidelines for designing a Group Policy infrastructure, you can establish the approach that best supports your organization’s needs.
Setting GpNetworkStartTimeoutPolicyValue Is Configured
Status: Failed
Description: 4 node(s) out of 37 node(s) were affected by this issue (10.81%).
Group Policy application will fail if the Group Policy engine or Active Directory time out while they wait for the network to start.
A race condition may occur between the TCP/IP protocol and the network adaptor driver when they try to register with the Microsoft Network Driver Interface Specification (NDIS). If the TCP/IP protocol registers with NDIS before the network adaptor driver, there is a short window of time where connectivity for higher user mode networking components is not available. During this short time, the Group Policy startup script cannot be downloaded.
Additional Information
Importance
Group Policy application fails because the Group Policy engine or Active Directory times out while it waits for the network to start. A race condition may occur between the TCP/IP protocol and the network adaptor driver when they try to register with the Microsoft Network Driver Interface Specification (NDIS). If the TCP/IP protocol registers with NDIS before the network adaptor driver, higher user mode networking components are told for a short time that network connectivity is not available. During this short time, the Group Policy startup script cannot be downloaded.
When set, this setting causes a computer that is started without network connectivity to wait for network connectivity. Please ensure that this setting is really needed and intentional.
Recommended Reading
Windows 7 Clients intermittently fail to apply group policy at startup
http://support.microsoft.com/kb/2421599
Recommended Resolution
The GpNetworkStartTimeoutPolicyValue policy timeout can be specified in the registry in two locations:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
You can do this by adding a DWORD value of GpNetworkStartTimeoutPolicyValue with a number of seconds between 30 and 600.
Windows reads the Winlogon subkey first. Then, Windows reads the Policies subkey. The value in the Policies subkey supersedes any value in the Winlogon subkey. There is no user interface that you can use to set this Group Policy object (GPO). Therefore, you have to deploy a custom ADM file in order to set the GPO.
The value specified should be of sufficient duration to make sure that the connection is made. During the timeout period, Windows examines the connection status every two seconds and continues with system startup as soon as the connection is confirmed. Therefore, setting the value larger than the minimum value of 30 is recommended. However, be advised that if the system is legitimately disconnected, Windows will stall for the whole timeout period.
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GpNetworkStartTimeoutPolicyValue @ REG_DWORD
Registry_Value_2 HKLM\SOFTWARE\Policies\Microsoft\Windows\System\GpNetworkStartTimeoutPolicyValue @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 or Registry_Value_2 exists
Affected Nodes
HLB106PC.CLASSTECH.NCSU.EDU
GPNetworkStartTimeoutPolicy (Policy) : 20
GPNetworkStartTimeoutPolicy (Registry) : n/a
MOBILELAB4.IE.NCSU.EDU
GPNetworkStartTimeoutPolicy (Policy) : 30
GPNetworkStartTimeoutPolicy (Registry) : n/a
TEX-OXYGEN.TX.NCSU.EDU
GPNetworkStartTimeoutPolicy (Policy) : 60
GPNetworkStartTimeoutPolicy (Registry) : n/a
UNO.IE.NCSU.EDU
GPNetworkStartTimeoutPolicy (Policy) : 3
GPNetworkStartTimeoutPolicy (Registry) : n/a
Source: Microsoft-Windows-GroupPolicy / Event ID: 7017 / Error: LDAP Call Failed
Status: Failed
Description: 7 node(s) out of 37 node(s) were affected by this issue (18.92%).
The LDAP call to connect and bind to Active Directory completed. The call failed after x milliseconds.
Additional Information
Importance
This event ID indicates that Windows failed to perform an LDAP query against a domain controller. Look for other event entries to determine whether discovery later succeeded. If the call later succeeds, this could indicate a delay in the Windows system startup process. If the call continues to fail, then certain aspects of the system will be unable to function, such as Group Policy processing.
When Windows is unable to connect to a domain controller, group policy processing will not occur. Access to other network resources could also be affected depending on the nature of the problem.
Recommended Resolution
Check that the machine has appropriate connectivity to the domain controller and is able to connect via LDAP. To check LDAP connectivity, use a port query tool or an LDAP browser to connect directly to a discovered domain controller.
This error can be presented during system boot when network interfaces are not yet ready. Some reasons for this might include a delay in obtaining DHCP leases (no valid IP address yet), or network services still starting as part of the system boot procedure. You can perform boot tracing to learn more about the startup order of services and availability of the network during boot. This error can also indicate a delay in performing 802.1x network authentication during boot if that is configured.
Rule Algorithm
Source
Event_1 EventLog ("MicrosoftWindowsGroupPolicy\Operational") @ EventID 7017
XML Attributes: TimeGenerated, Message
Detection Logic
Applies to: all Operating Systems
The following must be true:
* Event_1 is listed in the past 7 days
Affected Nodes
ALUMINUM.CNR.NCSU.EDU
Amount of Events logged within 7 days : 1
First Event logged : 2016-10-04T20:07:47.4640074+00:00
Last Event logged : 2016-10-04T20:07:47.4640074+00:00
ID : 7017
Provider : Microsoft-Windows-GroupPolicy
Message : The system call to get account information completed. The call failed after 265 milliseconds.
BUSTA.ECE.NCSU.EDU
Amount of Events logged within 7 days : 1
First Event logged : 2016-10-04T22:00:28.5835511+00:00
Last Event logged : 2016-10-04T22:00:28.5835511+00:00
ID : 7017
Provider : Microsoft-Windows-GroupPolicy
Message : The LDAP call to connect and bind to Active Directory completed. romana.wolftech.ad.ncsu.edu The call failed after 21029 milliseconds.
crpc11.CVM.NCSU.EDU
Amount of Events logged within 7 days : 1
First Event logged : 2016-10-04T15:50:06.1984652+00:00
Last Event logged : 2016-10-04T15:50:06.1984652+00:00
ID : 7017
Provider : Microsoft-Windows-GroupPolicy
Message : The system call to get account information completed. The call failed after 2216 milliseconds.
EI-SPARE-LT1.DELTA.NCSU.EDU
Amount of Events logged within 7 days : 7
First Event logged : 2016-10-04T11:22:23.4285959+00:00
Last Event logged : 2016-10-04T04:06:35.8580343+00:00
ID : 7017
Provider : Microsoft-Windows-GroupPolicy
Message : The system call to get account information completed. The call failed after 795 milliseconds.
ITECS-DT-34.EOS.NCSU.EDU
Amount of Events logged within 7 days : 1
First Event logged : 2016-10-03T21:59:07.5212262+00:00
Last Event logged : 2016-10-03T21:59:07.5212262+00:00
ID : 7017
Provider : Microsoft-Windows-GroupPolicy
Message : The system call to get account information completed. The call failed after 0 milliseconds.
LAU-214-29.CHASS.NCSU.EDU
Amount of Events logged within 7 days : 3
First Event logged : 2016-10-05T05:04:38.9614+00:00
Last Event logged : 2016-10-04T02:01:56.49+00:00
ID : 7017
Provider : Microsoft-Windows-GroupPolicy
Message : The system call to get account information completed. The call failed after 873 milliseconds.
T-131B-2.CHASS.NCSU.EDU
Amount of Events logged within 7 days : 3
First Event logged : 2016-10-04T17:03:44.713341+00:00
Last Event logged : 2016-10-04T13:53:41.7308422+00:00
ID : 7017
Provider : Microsoft-Windows-GroupPolicy
Message : The system calls to access specified file completed. \\wolftech.ad.ncsu.edu\SysVol\wolftech.ad.ncsu.edu\Policies\{CD934700-21B3-4991-8719-51FC30A7693C}\gpt.ini The call failed after 0 milliseconds.
Source: Microsoft-Windows-GroupPolicy / Event ID: 7326 / Error: Failed To Discover Domain Controller
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
Group Policy failed to discover the Domain Controller details in x milliseconds.
Additional Information
Importance
This event ID indicates that Windows failed to discover a domain controller. Look for other event entries to determine whether discovery later succeeded.
When Windows is unable to discover a domain controller, group policy processing will not occur. In addition, authentication failures may occur during logon especially if the user is unable to logon with cached credentials. Access to other network resources could also be affected.
Recommended Resolution
Determine the cause of the error message by examining the event log. Verify that name resolution is configured correctly.
Ensure that the network configuration on the clients is correct and valid DNS servers are provided. Check that domain controllers have properly registered their DNS records and the DNS infrastructure is working properly. From the client, you can run "nltest /dsgetdc:domain name" to invoke the call made to discover a domain controller.
This error can be presented during system boot when network interfaces are not yet ready. Some reasons for this might include a delay in obtaining DHCP leases (no valid IP address yet), or network services still starting as part of the system boot procedure. You can perform boot tracing to learn more about the startup order of services and availability of the network during boot. This error can also indicate a delay in performing 802.1x network authentication during boot if that is configured.
Rule Algorithm
Source
Event_1 EventLog ("MicrosoftWindowsGroupPolicy\Operational") @ EventID 7326
XML Attributes: TimeGenerated, Message
Detection Logic
Applies to: all Operating Systems
The following must be true:
* Event_1 is listed in the past 7 days
Affected Nodes
COLLAB-TEST-HD.EOS.NCSU.EDU
Amount of Events logged within 7 days : 5
First Event logged : 2016-10-05T11:01:15.5331808+00:00
Last Event logged : 2016-10-04T22:22:37.7058127+00:00
ID : 7326
Provider : Microsoft-Windows-GroupPolicy
Message : Group Policy failed to discover the Domain Controller details in 1204 milliseconds.
EI-SPARE-LT1.DELTA.NCSU.EDU
Amount of Events logged within 7 days : 23
First Event logged : 2016-10-05T18:22:54.462733+00:00
Last Event logged : 2016-10-04T07:39:46.330383+00:00
ID : 7326
Provider : Microsoft-Windows-GroupPolicy
Message : Group Policy failed to discover the Domain Controller details in 24633 milliseconds.
Source: Microsoft-Windows-GroupPolicy / Event ID: 5018 / Error: Start, Logon, Logoff Or Shutdown Script Detected With Runtime Over 1 Minute
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The Group Policy service logs this event when Group Policy scripts processing completes successfully. In this case script processing for a specific script took more than 1 minute.
Additional Information
Importance
This event is significant because it indicates that a script took a very long time to complete, or may not have completed properly at all depending on the nature of the script.
In a scenario where synchronous script processing is enabled, this could also cause a major impact to the boot or logon time for this machine or user and if the script was unable to complete successfully (such as the script hanging) then the user's environment may not be configured as desired.
Recommended Resolution
Review the specific events and other events in the Group Policy Operational event log to determine more information about the error. Consider performing testing and boot tracing to determine the specific cause of the script taking a long time to complete.
Also review all scripts against business needs to determine any scripts that can be removed or have their functionality provided by Group Policy Preferences (GPP). This will provide optimal performance and reliability.
Rule Algorithm
Source
Event_1 EventLog ("MicrosoftWindowsGroupPolicy\Operational") @ EventID 5018
XML Attributes: TimeGenerated, Message
Detection Logic
Applies to: all Operating Systems
The following must be true:
* Event_1 is listed in the past 7 days
* Event_1.Message Threshold is between 61 and 119 seconds
Affected Nodes
admpc280.CVM.NCSU.EDU
Specific events logged in last 7 days:
TimeCreated: 2016-10-03T22:09:58.3617064+00:00
ProviderName: Microsoft-Windows-GroupPolicy
Id: 5018
Message: Completed Startup script for WOLFTECH\ADMPC280$ in 62 seconds.
ITECS-DT-34.EOS.NCSU.EDU
Specific events logged in last 7 days:
TimeCreated: 2016-10-03T22:01:01.0982168+00:00
ProviderName: Microsoft-Windows-GroupPolicy
Id: 5018
Message: Completed Startup script for WOLFTECH\ITECS-DT-34$ in 113 seconds.
Non-Default Group Policy Extensions Found
Status: Failed
Description: 37 node(s) out of 37 node(s) were affected by this issue (100%).
Group Policy architecture includes both server and client-side components. The server component includes the user interface that an administrator can use to configure a unique policy. When Group Policy is applied to a user or computer, the client component interprets the policy and makes the appropriate changes to the environment. These are known as Group Policy client-side extensions. A Globally Unique Identifier (GUID), a 128-bit number identifying a given object, identifies the extension to the operating system. As Group Policy is processed, the Winlogon process passes the list of Group Policy Objects (GPOs) that must be processed to each Group Policy client-side extension. The extension uses the list to process the appropriate policy when applicable.
Additional Information
Importance
Non-default Group Policy client-side extensions can slow down client startup and user logon.
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*\DLLName @ REG_EXPAND_SZ
Detection Logic
Applies to: Windows Vista and later
The following must be true:
* Registry_Value_1 is not equal to "gpprefcl.dll", "wlgpclnt.dll", "auditcse.dll", "fdeploy.dll", "frconfigwmigpcse.dll", "dskquota.dll", "gptext.dll", "gpscript.dll", "tsusbredirectiongrouppolicyextension.dll", "iedkcs32.dll", "tsworkspace.dll", "srchadmin.dll", "scecli.dll", "gpprnext.dll", "dot3gpclnt.dll", "pwlauncher.dll", "cscobj.dll", "appmgmts.dll", "polstore.dll", "ccmusrcse.dll", "wlnotify.dll", "rdpgrouppolicyextension.dll", "Workfoldersgpext.dll"
Affected Nodes
315BPT01.CALS.NCSU.EDU
One or more non-default Group Policy Extensions DLL's are found:
admpwd.dll
dggpext.dll
dggpext.dll
admpc280.CVM.NCSU.EDU
One or more non-default Group Policy Extensions DLL's are found:
admpwd.dll
ALUMINUM.CNR.NCSU.EDU
One or more non-default Group Policy Extensions DLL's are found:
admpwd.dll
BILT-3032A-01.CNR.NCSU.EDU
One or more non-default Group Policy Extensions DLL's are found:
admpwd.dll
dggpext.dll
dggpext.dll
BUSTA.ECE.NCSU.EDU
One or more non-default Group Policy Extensions DLL's are found:
admpwd.dll
CHASSIT-TEST.CHASS.NCSU.EDU
One or more non-default Group Policy Extensions DLL's are found:
admpwd.dll
dggpext.dll
dggpext.dll
CLH-9F8NXR1.COM.NCSU.EDU
One or more non-default Group Policy Extensions DLL's are found:
admpwd.dll
COLLAB-TEST-HD.EOS.NCSU.EDU
One or more non-default Group Policy Extensions DLL's are found:
admpwd.dll
dggpext.dll
dggpext.dll
crpc11.CVM.NCSU.EDU
One or more non-default Group Policy Extensions DLL's are found:
admpwd.dll
DELTA-DT-SP03.DELTA.NCSU.EDU
One or more non-default Group Policy Extensions DLL's are found:
admpwd.dll
dggpext.dll
dggpext.dll
Run Logon Scripts Synchronously Is Enabled
Status: Failed
Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
The Run logon scripts synchronously option directs the system to wait for logon scripts to finish running before it starts the Windows Explorer interface program and before it creates the desktop.
Additional Information
Importance
If you enable this setting, each script listed runs one after another. If you run logon scripts synchronously, it is important to limit the number of scripts. As an alternative, you could write a controller script that runs all scripts asynchronously and waits until the last one has finished.
Recommended Reading
Run logon scripts synchronously
http://msdn.microsoft.com/en-us/library/ms811586.aspx
Scripts Extension Tools and Settings
http://technet.microsoft.com/en-us/library/cc738773.aspx
Recommended Resolution
To improve the logon time, scripts can be run in the background and the shell (explorer.exe) can be loaded asynchronously.
To run scripts asynchronously, complete the following steps:
1. Select Computer Configuration, select Administrative Templates, select System, and then select Logon.
2. Select the option, Run startup scripts asynchronously.
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\RunLogonScriptSync @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 is equal to 0x00000001
Affected Nodes
315BPT01.CALS.NCSU.EDU
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\RunLogonScriptSync = 1
Scripts For System Shutdown Found
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
During logoff and shutdown, WinLogon creates a Userinit process to run the relevant scripts. The Userinit process uses the ShellExecute command to run each script.
Additional Information
Importance
During logoff and shutdown, WinLogon creates a Userinit process to run the relevant scripts. The Userinit process uses the ShellExecute command to run each script.
These scripts can significantly influence the time that is needed to shutdown the system especially on slow network connections.
Recommended Resolution
Scripts are attached to the user/computer object. This can increase the system startup and shutdown time. To eliminate tasks that must be performed and checked in each attached script, you should keep the configuration and scripts as simple as possible.
By using only one script, you could avoid multiple issues:
· Multiple script files do not have to be loaded, which avoids consuming system resources.
· Other script files can be run asynchronously.
· There is no need to host multiple files, build registry access, or run other simultaneous tasks.
· It is also useful to implement logging capabilities to verify runtime, failures, and elements which may cause errors and failures in the script.
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\*\Script @ REG_SZ
Registry_Value_2 HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\*\Script @ REG_SZ
Detection Logic
Applies to: All operating systems
The following must be true:
* at least one Registry_Value_1 exists
* at least one Registry_Value_2 exists
Affected Nodes
EB2-2214-LOAN01.CSC.NCSU.EDU
SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Shutdown
CSC-Users-Logon Script
GPO-ID: cn={AF489786-E67A-445C-A524-7277A939DF71},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=edu
Script: \\wolftech.ad.ncsu.edu\engr\csc\prod\useraccess\logon\logon_mysql.ps1
Parameters: S csc_shutdown_script.log
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown
EB2-2214-LOAN02.CSC.NCSU.EDU
SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Shutdown
CSC-Users-Logon Script
GPO-ID: cn={AF489786-E67A-445C-A524-7277A939DF71},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=edu
Script: \\wolftech.ad.ncsu.edu\engr\csc\prod\useraccess\logon\logon_mysql.ps1
Parameters: S csc_shutdown_script.log
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown
Scripts For System Startup Found
Status: Failed
Description: 37 node(s) out of 37 node(s) were affected by this issue (100%).
When Group Policy is finished processing, the WinLogon process retrieves the registry information and then creates a Userinit process that actually runs the scripts.
Additional Information
Importance
When Group Policy is finished processing, the WinLogon process retrieves the registry information and then creates a Userinit process that actually runs the scripts.
These scripts can significantly influence the time that is needed to startup the system especially on slow network connections.
Recommended Resolution
Scripts are attached to the user/computer object. This can increase the system startup and shutdown time. To eliminate tasks that must be performed and checked in each attached script, you should keep the configuration and scripts as simple as possible.
By using only one script, you could avoid multiple issues:
· Multiple script files do not have to be loaded, which avoids consuming system resources.
· Other script files can be run asynchronously.
· There is no need to host multiple files, build registry access, or run other simultaneous tasks.
· It is also useful to implement logging capabilities to verify runtime, failures, and elements which may cause errors and failures in the script.
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\*\Script @ REG_SZ
Registry_Value_2 HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\*\Script @ REG_SZ
Detection Logic
Applies to: All operating systems
The following must be true:
* at least one Registry_Value_1 exists
* at least one Registry_Value_2 exists
Affected Nodes
315BPT01.CALS.NCSU.EDU
SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
WolfTech-Default Domain Policy - Desktop OS
GPO-ID: cn={7EE2A5E6-E185-4D51-9D39-93FAEA913D9C},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=edu
Script: \\wolftech.ad.ncsu.edu\SYSVOL\wolftech.ad.ncsu.edu\scripts\RemoveDefaultUsers.vbs
Parameters:
CALSADM-Facilities-SW-Apple-QuickTime-uninstaller for 7.7
GPO-ID: cn={E4A381F3-0833-44A2-903C-F95570A1201B},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=edu
Script: Quicktime_uninstaller.bat
Parameters:
OITLAB-Unity-Lock Desktop
GPO-ID: cn={2B8FC163-E070-443E-B129-CF06BF551354},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=edu
Script: \\dist00.oit.ncsu.edu\distro\Tools\Scripts\create-redirected-desktop-folder.cmd
Parameters:
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
admpc280.CVM.NCSU.EDU
SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
WolfTech-Default Domain Policy - Desktop OS
GPO-ID: cn={7EE2A5E6-E185-4D51-9D39-93FAEA913D9C},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=edu
Script: \\wolftech.ad.ncsu.edu\SYSVOL\wolftech.ad.ncsu.edu\scripts\RemoveDefaultUsers.vbs
Parameters:
CVM-IE Settings
GPO-ID: cn={03D56FC8-B0E6-4E6E-850F-6ACCCB434B68},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=edu
Script: \\wolftech.ad.ncsu.edu\cvm\Deploy\gpo\scripts\Amicas_RIS\IntraLaunch\installintralaunch.bat
Parameters:
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
ALUMINUM.CNR.NCSU.EDU
SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
WolfTech-Default Domain Policy - Desktop OSGPO-ID: cn={7EE2A5E6-E185-4D51-9D39-
93FAEA913D9C},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\SYSVOL\wolftech.ad.ncsu.edu\
scripts\RemoveDefaultUsers.vbsParameters:
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
BILT-3032A-01.CNR.NCSU.EDU
SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
WolfTech-Default Domain Policy - Desktop OSGPO-ID: cn={7EE2A5E6-E185-4D51-9D39-
93FAEA913D9C},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\SYSVOL\wolftech.ad.ncsu.edu\
scripts\RemoveDefaultUsers.vbsParameters:
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
BUSTA.ECE.NCSU.EDU SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
WolfTech-Default Domain Policy - Desktop OSGPO-ID: cn={7EE2A5E6-E185-4D51-9D39-
93FAEA913D9C},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\SYSVOL\wolftech.ad.ncsu.edu\
scripts\RemoveDefaultUsers.vbsParameters:
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
CHASSIT-TEST.CHASS.NCSU.EDU
SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
WolfTech-Default Domain Policy - Desktop OSGPO-ID: cn={7EE2A5E6-E185-4D51-9D39-
93FAEA913D9C},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\SYSVOL\wolftech.ad.ncsu.edu\
scripts\RemoveDefaultUsers.vbsParameters:
Microsoft Proprietary and Confidential Information Page
Key Findings ReportConfidential – NC State University
CHASS-Enable Remote AssistanceGPO-ID: cn={CD3C6467-13E5-4F5F-ADAF-
D5A6FCA9B64F},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\SysVol\wolftech.ad.ncsu.edu\scripts\
Add Domain Entity to Local Group.batParameters: Users HelpAssistant
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
CLH-9F8NXR1.COM.NCSU.EDU
SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
WolfTech-Default Domain Policy - Desktop OSGPO-ID: cn={7EE2A5E6-E185-4D51-9D39-
93FAEA913D9C},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\SYSVOL\wolftech.ad.ncsu.edu\
scripts\RemoveDefaultUsers.vbsParameters:
COM-SW-Cyberlink Corp-PowerDVD-9.5.1.4822GPO-ID: cn={B48DAE07-E0B4-4759-A3F6-
01A0768A62C4},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\com\Apps\CyberLink_Corp-
PowerDVD-9.5.1.4822\Install-PowerDVD-W7.cmdParameters: \\wolftech.ad.ncsu.edu\com\Apps\CyberLink_Corp-
PowerDVD-9.5.1.4822
COM-Labs-Reboot Logging PolicyGPO-ID: cn={5E4DA1AA-D208-4CBA-9CDE-
7D1ABFD02B21},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\com\scripts\active\
LabRebootLog.cmdParameters:
OITLAB-Unity-Lock DesktopGPO-ID: cn={2B8FC163-E070-443E-B129-
CF06BF551354},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\dist00.oit.ncsu.edu\distro\Tools\Scripts\create-redirected-
desktop-folder.cmdParameters:
COM-SW-Cyberlink Corp-PowerDVD-9.5.1.4822GPO-ID: cn={B48DAE07-E0B4-4759-A3F6-
01A0768A62C4},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\com\Apps\CyberLink_Corp-
PowerDVD-9.5.1.4822\Install-PowerDVD-W7.cmdParameters: \\wolftech.ad.ncsu.edu\com\Apps\CyberLink_Corp-
PowerDVD-9.5.1.4822
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
COLLAB-TEST-HD.EOS.NCSU.EDU
SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
WolfTech-Default Domain Policy - Desktop OSGPO-ID: cn={7EE2A5E6-E185-4D51-9D39-
93FAEA913D9C},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\SYSVOL\wolftech.ad.ncsu.edu\
scripts\RemoveDefaultUsers.vbsParameters:
COEDEAN-Set Magic Packet
Microsoft Proprietary and Confidential Information Page
Key Findings ReportConfidential – NC State University
GPO-ID: cn={F51E589A-4FFC-43B6-9A3E-DFE8F4C04B06},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=edu
Script: \\wolftech.ad.ncsu.edu\engr\scripts\set_MP.ps1Parameters:
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
crpc11.CVM.NCSU.EDU SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
WolfTech-Default Domain Policy - Desktop OSGPO-ID: cn={7EE2A5E6-E185-4D51-9D39-
93FAEA913D9C},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\SYSVOL\wolftech.ad.ncsu.edu\
scripts\RemoveDefaultUsers.vbsParameters:
CVM-IE SettingsGPO-ID: cn={03D56FC8-B0E6-4E6E-850F-
6ACCCB434B68},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\cvm\Deploy\gpo\scripts\Amicas_RIS\
IntraLaunch\installintralaunch.batParameters:
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
DELTA-DT-SP03.DELTA.NCSU.EDU
SOFTWARE\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
WolfTech-Default Domain Policy - Desktop OSGPO-ID: cn={7EE2A5E6-E185-4D51-9D39-
93FAEA913D9C},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\SYSVOL\wolftech.ad.ncsu.edu\
scripts\RemoveDefaultUsers.vbsParameters:
DELTA-Enable Remote AssistanceGPO-ID: cn={57CA6770-44A1-42CA-BF7B-
36B0DA690784},cn=policies,cn=system,DC=wolftech,DC=ad,DC=ncsu,DC=eduScript: \\wolftech.ad.ncsu.edu\SysVol\wolftech.ad.ncsu.edu\scripts\
Add Domain Entity to Local Group.batParameters: Users HelpAssistant
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
Group Policy Slow Link Detection Is Disabled
Status: Failed
Description
1 node(s) out of 37 node(s) were affected by this issue (2.7%).
If a policy update from the domain controller to the computer is applied at a rate slower than the value specified in this entry, the system defines the connection as slow. The time a process takes to complete often varies with network speed and latency.
Additional Information
Importance
If a policy update travels from the domain controller to the computer at a rate slower than the value specified in this entry, the system defines the connection as slow. The time a process takes to complete often varies with network speed and latency.
Recommended Reading
GroupPolicyMinTransferRate
http://technet.microsoft.com/en-us/library/cc758687.aspx
Group Policy does not apply when connecting remotely over a slow link
http://technet.microsoft.com/en-us/library/cc759191(v=WS.10).aspx
How to troubleshoot Group Policy object processing failures that occur across multiple forests
http://support.microsoft.com/kb/910206
Recommended Resolution
To avoid heavy network traffic on slow or limited network connections, the Slow Network Detection routine should be defined. With this setting in place, specific tasks for user profiles, Client Side Caching, and Group Policy may or may not run on the client side. These tasks can be modified and configured as needed.
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Policies\Microsoft\Windows\System\GroupPolicyMinTransferRate @ REG_DWORD
Registry_Value_2 HKCU\SOFTWARE\Policies\Microsoft\Windows\System\GroupPolicyMinTransferRate @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 or Registry_Value_2 is equal to 0x00000000
Affected Nodes
LAU-214-29.CHASS.NCSU.EDU
HKLM GroupPolicyMinTransferRate: 0
HKCU GroupPolicyMinTransferRate: n/a
Loopback Processing Mode Enabled
Status: Failed
Description
37 node(s) out of 37 node(s) were affected by this issue (100%).
Group Policy is applied to the user or computer based on where the user or computer object is located in Active Directory. However, in some cases users might need policy applied to them based on the location of the computer object rather than the location of the user object. The Group Policy loopback feature gives you the ability to apply User Group Policy based on the computer that the user is logging on to.
Additional Information
Importance
Loopback processing takes more time to process, depending on the configuration. When Group Policy fails, troubleshooting is also more difficult with loopback policies enabled.
Recommended Reading
Deployment considerations for Group Policy
http://technet.microsoft.com/en-us/library/cc738810.aspx
UserPolicyMode
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91630.mspx?mfr=true
Recommended Resolution
To avoid additional resource allocation and delays during Group Policy processing on the client side, loopback processing should only be used in exceptional cases.
Carefully plan loopback policy processing and test its impact on your Windows client performance.
Rule Algorithm
Source
WMI_1 Root\RSOP\Computer:RSOP_RegistryPolicySetting.Name("UserPolicyMode"),RSOP_RegistryPolicySetting.GPOID
WMI_2 Root\RSOP\Computer:RSOP_GPO.GPOID(WMI_1.GPOID).Name
Registry_Value_1 HKLM\SOFTWARE\Policies\Microsoft\Windows\System\UserPolicyMode @REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* WMI_1 results exist or Registry_Value_1 is greater than 0
Affected Nodes
315BPT01.CALS.NCSU.EDU
Loopback processing is enabled in the following policy: NCSU-OU Policy
admpc280.CVM.NCSU.EDU
Loopback processing is enabled in the following policies: NCSU-OU Policy, CVM-OU Policy
ALUMINUM.CNR.NCSU.EDU
Loopback processing is enabled in the following policy: NCSU-OU Policy
BILT-3032A-01.CNR.NCSU.EDU
Loopback processing is enabled in the following policies: NCSU-OU Policy, CNR-Teaching Labs-Default Policy
BUSTA.ECE.NCSU.EDU
Loopback processing is enabled in the following policy: NCSU-OU Policy
CHASSIT-TEST.CHASS.NCSU.EDU
Loopback processing is enabled in the following policies: CHASS-OU Policy, NCSU-OU Policy
CLH-9F8NXR1.COM.NCSU.EDU
Loopback processing is enabled in the following policy: NCSU-OU Policy
COLLAB-TEST-HD.EOS.NCSU.EDU
Loopback processing is enabled in the following policies: NCSU-OU Policy, COEDEAN-Public Labs Policy
crpc11.CVM.NCSU.EDU
Loopback processing is enabled in the following policies: NCSU-OU Policy, CVM-OU Policy
DELTA-DT-SP03.DELTA.NCSU.EDU
Loopback processing is enabled in the following policy: NCSU-OU Policy
PowerShell Scripts For Computer GP Processing Found
Status: Failed
Description
8 node(s) out of 37 node(s) were affected by this issue (21.62%).
Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.
Built-in Windows PowerShell commands, called cmdlets, let you manage the computers in your enterprise from the command line. Windows PowerShell providers let you access data stores, such as the registry and certificate store, as easily as you access the file system. In addition, Windows PowerShell has a rich expression parser and a fully developed scripting language.
Additional Information
Best Practice Guidance
It is recommended to verify whether other Group Policy mechanisms are available to perform the actions you are trying to perform in the PowerShell scripts.
Importance
Powershell.exe consumes significant resources to load .NET assemblies and other components. Even a "hello world" sample script may result in delays.
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\*\Script @ REG_SZ
Detection Logic
Applies to: All operating systems
The following must be true:
* at least one Registry_Value_1 exists and ends with "ps1"
Affected Nodes
COLLAB-TEST-HD.EOS.NCSU.EDU
PowerShell scripts found:
\\wolftech.ad.ncsu.edu\engr\scripts\set_MP.ps1
EB2-2214-LOAN01.CSC.NCSU.EDU
PowerShell scripts found:
\\wolftech.ad.ncsu.edu\engr\csc\prod\useraccess\logon\logon_mysql.ps1
\\wolftech.ad.ncsu.edu\engr\csc\prod\scripts_and_setups\scripts\cron\apply_hotfixes.ps1
\\wolftech.ad.ncsu.edu\engr\csc\prod\scripts_and_setups\scripts\cron\apply_hotfixes.ps1
\\wolftech.ad.ncsu.edu\engr\csc\prod\scripts_and_setups\scripts\server_core\smremote.ps1
\\wolftech.ad.ncsu.edu\engr\csc\prod\scripts_and_setups\scripts\cron\skype_removal.ps1
\\wolftech.ad.ncsu.edu\engr\csc\prod\useraccess\logon\logon_mysql.ps1
EB2-2214-LOAN02.CSC.NCSU.EDU
PowerShell scripts found:
\\wolftech.ad.ncsu.edu\engr\csc\prod\useraccess\logon\logon_mysql.ps1
\\wolftech.ad.ncsu.edu\engr\csc\prod\scripts_and_setups\scripts\cron\apply_hotfixes.ps1
\\wolftech.ad.ncsu.edu\engr\csc\prod\scripts_and_setups\scripts\cron\apply_hotfixes.ps1
\\wolftech.ad.ncsu.edu\engr\csc\prod\scripts_and_setups\scripts\server_core\smremote.ps1
\\wolftech.ad.ncsu.edu\engr\csc\prod\scripts_and_setups\scripts\cron\skype_removal.ps1
\\wolftech.ad.ncsu.edu\engr\csc\prod\useraccess\logon\logon_mysql.ps1
ITECS-DT-19.EOS.NCSU.EDU
PowerShell scripts found:
\\wolftech.ad.ncsu.edu\engr\ccee\apps\scripts\ccee-loginRestrictions-gradStudents.ps1
ITECS-DT-34.EOS.NCSU.EDU
PowerShell scripts found:
\\wolftech.ad.ncsu.edu\engr\scripts\set_MP.ps1
ITECS-DT-55.EOS.NCSU.EDU
PowerShell scripts found:
\\wolftech.ad.ncsu.edu\engr\scripts\remotedesktop-coe.ps1
\\wolftech.ad.ncsu.edu\engr\scripts\set_MP.ps1
\\wolftech.ad.ncsu.edu\engr\scripts\Firefox_Autoupdate.ps1
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
PowerShell scripts found:
\\wolftech.ad.ncsu.edu\oit\Apps\Scripts\Set_Wake_Windows.ps1
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
PowerShell scripts found:
\\wolftech.ad.ncsu.edu\oit\Apps\Scripts\Set_Wake_Windows.ps1
WMI Filters Are Enabled On Group Policy Objects
Status: Failed
Description
37 node(s) out of 37 node(s) were affected by this issue (100%).
Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.
When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. When the WMI filter evaluates to false, the GPO is not applied; when it evaluates to true, the GPO is applied.
Depending on the defined WMI filter and processing time, the filter might have an impact on computer and user group policy processing.
A WMI filter consists of one or more queries against WMI data. If all queries are true, the GPO linked to the filter will be applied. The queries are written in the WMI Query Language (WQL), a SQL-like language. Queries can be combined with the AND and OR logical operators to achieve whatever effect the administrator wants. Each query is executed against a particular WMI namespace. When you create a query, you must specify the namespace. The default is root\CIMv2, which is appropriate for most WMI queries.
The WMI filter is a separate object from the GPO in the directory. To apply a WMI filter to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one WMI filter. However, the same WMI filter can be linked to multiple GPOs.
WMI filters, like GPOs, are stored on a per-domain basis. A WMI filter and the GPO it is linked to must be in the same domain.
Additional Information
Importance
Complex WMI filters can have an impact, especially during the Windows client boot process and user logon phase.
Recommended Reading
Deployment considerations for Group Policy
http://technet.microsoft.com/en-us/library/cc738810.aspx
Recommended Resolution
Carefully test the impact of WMI filters on Windows client system performance.
The WMI service has to be started before WMI filters can be evaluated on the client. This step, as well as the resulting WMI calls, can be time-consuming. To avoid delays, it is recommended that you use security filtering instead of WMI filters.
Rule Algorithm
Source
WMI_1 Root\RSOP\Computer:RSOP_SOM.FilterID, RSOP_SOM.ID
Detection Logic
Applies to: All operating systems
The following must be true:
* WMI_1 results exist
Affected Nodes315BPT01.CALS.NCSU.EDU
Number of Group Policies found with WMI filters : 26Number of WMI filters found: 12
MSFT_SomFilter.ID="{B520B9CB-FC3E-446F-AAFF-F8DE5BF6E9F7}",Domain="wolftech.ad.ncsu.edu"
Win7 EC Desktop PolicyCALSADM-UAC policyWolfTech-Default Domain Policy - Win7OIT-Unity-Win7-FixRegSizeLimit
MSFT_SomFilter.ID="{7C739E36-BBDD-493E-8F72-5FF2D1BB1261}",Domain="wolftech.ad.ncsu.edu"
VSG EC Desktop PolicyWolfTech-Default Domain Policy - Vista
MSFT_SomFilter.ID="{C6210AFD-EA41-4BF0-A580-3FABCD996872}",Domain="wolftech.ad.ncsu.edu"
WS08R2-EC-Member-ServerWolfTech-Default Domain Policy - WS08R2
MSFT_SomFilter.ID="{E26922BA-F080-432E-A3F1-BF087D9AFA71}",Domain="wolftech.ad.ncsu.edu"
CALSADM-Win10-BasePolicyWindows 10 Computer (SCM, v1511)WolfTech-Default Domain Policy - Win 10.0
MSFT_SomFilter.ID="{3A493044-F4E3-47BB-8570-4D3B58BD6843}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Win8.1Win8.1 Computer Policy
MSFT_SomFilter.ID="{5CA2491B-3D7B-48F4-818E-EBF94E0AD72B}",Domain="wolftech.ad.ncsu.edu"
WS03 EC Member Server Baseline PolicyWolfTech-Default Domain Policy - Win2003
MSFT_SomFilter.ID="{BA0DD3BD-3726-482E-A165-1534E3F52650}",Domain="wolftech.ad.ncsu.edu"
Win8 EC Desktop Policy (beta)WolfTech-Default Domain Policy - Win8 (beta)
MSFT_SomFilter.ID="{54EB8571-0718-42C3-A1C1-E91515564477}",Domain="wolftech.ad.ncsu.edu"
XP EC Desktop PolicyWolfTech-Default Domain Policy - WinXP
MSFT_SomFilter.ID="{CA73870A-FC28-49F2-B418-404B761AFFDC}",Domain="wolftech.ad.ncsu.edu"
WS2012 R2 Member ServerWolfTech-Default Domain Policy - WS2012 R2
MSFT_SomFilter.ID="{5347B94D-AEAD-4511-BF5C-907F140E64B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - WS08
Microsoft Proprietary and Confidential Information Page
Key Findings ReportConfidential – NC State University
WS08 EC Member Server Baseline Policy
MSFT_SomFilter.ID="{097C6471-7E67-4E0B-A1E4-5A378D852048}",Domain="wolftech.ad.ncsu.edu"
WS12-EC-Member-Server (beta)WolfTech-Default Domain Policy - WS12 (beta)
MSFT_SomFilter.ID="{2115E492-B943-42B3-82A0-F7B2AC1FC3B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Desktop OS
admpc280.CVM.NCSU.EDU
Number of Group Policies found with WMI filters : 34Number of WMI filters found: 14
MSFT_SomFilter.ID="{B520B9CB-FC3E-446F-AAFF-F8DE5BF6E9F7}",Domain="wolftech.ad.ncsu.edu"
Win7 EC Desktop PolicyCVM-Special Remote Assistance UAC WolfTech-Default Domain Policy - Win7
MSFT_SomFilter.ID="{07A66FF6-4555-4BAE-8535-6E89F342EEEA}",Domain="wolftech.ad.ncsu.edu"
CVM-Win7 x64 Desktop Settings
MSFT_SomFilter.ID="{7C739E36-BBDD-493E-8F72-5FF2D1BB1261}",Domain="wolftech.ad.ncsu.edu"
VSG EC Desktop PolicyWolfTech-Default Domain Policy - Vista
MSFT_SomFilter.ID="{C6210AFD-EA41-4BF0-A580-3FABCD996872}",Domain="wolftech.ad.ncsu.edu"
WS08R2-EC-Member-ServerWolfTech-Default Domain Policy - WS08R2
MSFT_SomFilter.ID="{3A493044-F4E3-47BB-8570-4D3B58BD6843}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Win8.1Win8.1 Computer Policy
MSFT_SomFilter.ID="{E26922BA-F080-432E-A3F1-BF087D9AFA71}",Domain="wolftech.ad.ncsu.edu"
Windows 10 Computer (SCM, v1511)WolfTech-Default Domain Policy - Win 10.0CVM-Win10 x64 Desktop Settings
MSFT_SomFilter.ID="{2115E492-B943-42B3-82A0-F7B2AC1FC3B0}",Domain="wolftech.ad.ncsu.edu"
CVM-Uvis FilesCVM-Google Chrome SettingsCVM-Fax Server IconCVM-BackupTime startup policyCVM-VH Apps FolderCVM-Allow Removable Media Driver InstallCVM-Uvis and VetView Tester IconsWolfTech-Default Domain Policy - Desktop OS
MSFT_SomFilter.ID="{5CA2491B-3D7B-48F4-818E-EBF94E0AD72B}",Domain="wolftech.ad.ncsu.edu"
WS03 EC Member Server Baseline PolicyWolfTech-Default Domain Policy - Win2003
MSFT_SomFilter.ID="{BA0DD3BD-3726-482E-A165-1534E3F52650}",Domain="wolftech.ad.ncsu.edu"
Microsoft Proprietary and Confidential Information Page
Key Findings ReportConfidential – NC State University
Win8 EC Desktop Policy (beta)WolfTech-Default Domain Policy - Win8 (beta)
MSFT_SomFilter.ID="{54EB8571-0718-42C3-A1C1-E91515564477}",Domain="wolftech.ad.ncsu.edu"
XP EC Desktop PolicyWolfTech-Default Domain Policy - WinXP
MSFT_SomFilter.ID="{CA73870A-FC28-49F2-B418-404B761AFFDC}",Domain="wolftech.ad.ncsu.edu"
WS2012 R2 Member ServerWolfTech-Default Domain Policy - WS2012 R2
MSFT_SomFilter.ID="{5347B94D-AEAD-4511-BF5C-907F140E64B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - WS08WS08 EC Member Server Baseline Policy
MSFT_SomFilter.ID="{A23E95A0-A8F6-4125-B8A5-6291E603CC21}",Domain="wolftech.ad.ncsu.edu"
CVM-Win7 x86 Desktop Settings
MSFT_SomFilter.ID="{097C6471-7E67-4E0B-A1E4-5A378D852048}",Domain="wolftech.ad.ncsu.edu"
WS12-EC-Member-Server (beta)WolfTech-Default Domain Policy - WS12 (beta)
ALUMINUM.CNR.NCSU.EDU
Number of Group Policies found with WMI filters : 28Number of WMI filters found: 14
MSFT_SomFilter.ID="{B520B9CB-FC3E-446F-AAFF-F8DE5BF6E9F7}",Domain="wolftech.ad.ncsu.edu"
Win7 EC Desktop PolicyCNR-Fix No Network Access Policy - Win 7WolfTech-Default Domain Policy - Win7
MSFT_SomFilter.ID="{E26922BA-F080-432E-A3F1-BF087D9AFA71}",Domain="wolftech.ad.ncsu.edu"
CNR-Windows 10 Default PolicyWindows 10 Computer (SCM, v1511)WolfTech-Default Domain Policy - Win 10.0
MSFT_SomFilter.ID="{7C739E36-BBDD-493E-8F72-5FF2D1BB1261}",Domain="wolftech.ad.ncsu.edu"
VSG EC Desktop PolicyWolfTech-Default Domain Policy - Vista
MSFT_SomFilter.ID="{C6210AFD-EA41-4BF0-A580-3FABCD996872}",Domain="wolftech.ad.ncsu.edu"
WS08R2-EC-Member-ServerWolfTech-Default Domain Policy - WS08R2
MSFT_SomFilter.ID="{3A493044-F4E3-47BB-8570-4D3B58BD6843}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Win8.1Win8.1 Computer Policy
MSFT_SomFilter.ID="{5CA2491B-3D7B-48F4-818E-EBF94E0AD72B}",Domain="wolftech.ad.ncsu.edu"
WS03 EC Member Server Baseline PolicyWolfTech-Default Domain Policy - Win2003
MSFT_SomFilter.ID="{BA0DD3BD-3726-482E-A165-
Microsoft Proprietary and Confidential Information Page
Key Findings ReportConfidential – NC State University
1534E3F52650}",Domain="wolftech.ad.ncsu.edu"Win8 EC Desktop Policy (beta)WolfTech-Default Domain Policy - Win8 (beta)
MSFT_SomFilter.ID="{95F7F159-E2CF-40C9-980A-1F36BA6F9DFC}",Domain="wolftech.ad.ncsu.edu"
CNR-Remote Shutdown Icon PolicyCNR-Backup Report Policy-64
MSFT_SomFilter.ID="{54EB8571-0718-42C3-A1C1-E91515564477}",Domain="wolftech.ad.ncsu.edu"
XP EC Desktop PolicyWolfTech-Default Domain Policy - WinXP
MSFT_SomFilter.ID="{CA73870A-FC28-49F2-B418-404B761AFFDC}",Domain="wolftech.ad.ncsu.edu"
WS2012 R2 Member ServerWolfTech-Default Domain Policy - WS2012 R2
MSFT_SomFilter.ID="{5347B94D-AEAD-4511-BF5C-907F140E64B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - WS08WS08 EC Member Server Baseline Policy
MSFT_SomFilter.ID="{097C6471-7E67-4E0B-A1E4-5A378D852048}",Domain="wolftech.ad.ncsu.edu"
WS12-EC-Member-Server (beta)WolfTech-Default Domain Policy - WS12 (beta)
MSFT_SomFilter.ID="{C5953DC6-FAAA-42F7-A0C9-111D41BF10B4}",Domain="wolftech.ad.ncsu.edu"
CNR-Backup Report Policy-32
MSFT_SomFilter.ID="{2115E492-B943-42B3-82A0-F7B2AC1FC3B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Desktop OS
BILT-3032A-01.CNR.NCSU.EDU
Number of Group Policies found with WMI filters : 25Number of WMI filters found: 12
MSFT_SomFilter.ID="{B520B9CB-FC3E-446F-AAFF-F8DE5BF6E9F7}",Domain="wolftech.ad.ncsu.edu"
Win7 EC Desktop PolicyCNR-Fix No Network Access Policy - Win 7WolfTech-Default Domain Policy - Win7
MSFT_SomFilter.ID="{E26922BA-F080-432E-A3F1-BF087D9AFA71}",Domain="wolftech.ad.ncsu.edu"
CNR-Windows 10 Default PolicyWindows 10 Computer (SCM, v1511)WolfTech-Default Domain Policy - Win 10.0
MSFT_SomFilter.ID="{7C739E36-BBDD-493E-8F72-5FF2D1BB1261}",Domain="wolftech.ad.ncsu.edu"
VSG EC Desktop PolicyWolfTech-Default Domain Policy - Vista
MSFT_SomFilter.ID="{C6210AFD-EA41-4BF0-A580-3FABCD996872}",Domain="wolftech.ad.ncsu.edu"
WS08R2-EC-Member-ServerWolfTech-Default Domain Policy - WS08R2
MSFT_SomFilter.ID="{3A493044-F4E3-47BB-8570-
Microsoft Proprietary and Confidential Information Page
Key Findings ReportConfidential – NC State University
4D3B58BD6843}",Domain="wolftech.ad.ncsu.edu"WolfTech-Default Domain Policy - Win8.1Win8.1 Computer Policy
MSFT_SomFilter.ID="{5CA2491B-3D7B-48F4-818E-EBF94E0AD72B}",Domain="wolftech.ad.ncsu.edu"
WS03 EC Member Server Baseline PolicyWolfTech-Default Domain Policy - Win2003
MSFT_SomFilter.ID="{BA0DD3BD-3726-482E-A165-1534E3F52650}",Domain="wolftech.ad.ncsu.edu"
Win8 EC Desktop Policy (beta)WolfTech-Default Domain Policy - Win8 (beta)
MSFT_SomFilter.ID="{54EB8571-0718-42C3-A1C1-E91515564477}",Domain="wolftech.ad.ncsu.edu"
XP EC Desktop PolicyWolfTech-Default Domain Policy - WinXP
MSFT_SomFilter.ID="{CA73870A-FC28-49F2-B418-404B761AFFDC}",Domain="wolftech.ad.ncsu.edu"
WS2012 R2 Member ServerWolfTech-Default Domain Policy - WS2012 R2
MSFT_SomFilter.ID="{5347B94D-AEAD-4511-BF5C-907F140E64B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - WS08WS08 EC Member Server Baseline Policy
MSFT_SomFilter.ID="{097C6471-7E67-4E0B-A1E4-5A378D852048}",Domain="wolftech.ad.ncsu.edu"
WS12-EC-Member-Server (beta)WolfTech-Default Domain Policy - WS12 (beta)
MSFT_SomFilter.ID="{2115E492-B943-42B3-82A0-F7B2AC1FC3B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Desktop OS
BUSTA.ECE.NCSU.EDU Number of Group Policies found with WMI filters : 35Number of WMI filters found: 16
MSFT_SomFilter.ID="{B520B9CB-FC3E-446F-AAFF-F8DE5BF6E9F7}",Domain="wolftech.ad.ncsu.edu"
Win7 EC Desktop PolicyECE-Windows7-v2ECE-Enable Remote Assistance-Win7WolfTech-Default Domain Policy - Win7
MSFT_SomFilter.ID="{2115E492-B943-42B3-82A0-F7B2AC1FC3B0}",Domain="wolftech.ad.ncsu.edu"
ECE-Enable Remote Desktop-Win7ECE-Config-Keyboard ShortcutsECE-Config-Desktop Power SettingsCOE-Power StatsWolfTech-Default Domain Policy - Desktop OS
MSFT_SomFilter.ID="{7C739E36-BBDD-493E-8F72-5FF2D1BB1261}",Domain="wolftech.ad.ncsu.edu"
VSG EC Desktop PolicyWolfTech-Default Domain Policy - Vista
MSFT_SomFilter.ID="{C6210AFD-EA41-4BF0-A580-3FABCD996872}",Domain="wolftech.ad.ncsu.edu"
Microsoft Proprietary and Confidential Information Page
Key Findings ReportConfidential – NC State University
WS08R2-EC-Member-ServerWolfTech-Default Domain Policy - WS08R2
MSFT_SomFilter.ID="{3A493044-F4E3-47BB-8570-4D3B58BD6843}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Win8.1ECE-Windows8.1Win8.1 Computer Policy
MSFT_SomFilter.ID="{E26922BA-F080-432E-A3F1-BF087D9AFA71}",Domain="wolftech.ad.ncsu.edu"
Windows 10 Computer (SCM, v1511)WolfTech-Default Domain Policy - Win 10.0ECE-Windows10
MSFT_SomFilter.ID="{5CA2491B-3D7B-48F4-818E-EBF94E0AD72B}",Domain="wolftech.ad.ncsu.edu"
WS03 EC Member Server Baseline PolicyWolfTech-Default Domain Policy - Win2003
MSFT_SomFilter.ID="{BA0DD3BD-3726-482E-A165-1534E3F52650}",Domain="wolftech.ad.ncsu.edu"
Win8 EC Desktop Policy (beta)WolfTech-Default Domain Policy - Win8 (beta)
MSFT_SomFilter.ID="{4462489B-E831-4FC7-AC05-E60EEF49E30E}",Domain="wolftech.ad.ncsu.edu"
ECE-Windows8
MSFT_SomFilter.ID="{54EB8571-0718-42C3-A1C1-E91515564477}",Domain="wolftech.ad.ncsu.edu"
XP EC Desktop PolicyWolfTech-Default Domain Policy - WinXP
MSFT_SomFilter.ID="{CA73870A-FC28-49F2-B418-404B761AFFDC}",Domain="wolftech.ad.ncsu.edu"
WS2012 R2 Member ServerWolfTech-Default Domain Policy - WS2012 R2
MSFT_SomFilter.ID="{95F7F159-E2CF-40C9-980A-1F36BA6F9DFC}",Domain="wolftech.ad.ncsu.edu"
ECE-Config-64bit Env Variables
MSFT_SomFilter.ID="{5347B94D-AEAD-4511-BF5C-907F140E64B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - WS08WS08 EC Member Server Baseline Policy
MSFT_SomFilter.ID="{BC238903-7712-4CE7-89CC-D0F378256E9B}",Domain="wolftech.ad.ncsu.edu"
ECE-Enable Remote Desktop
MSFT_SomFilter.ID="{097C6471-7E67-4E0B-A1E4-5A378D852048}",Domain="wolftech.ad.ncsu.edu"
WS12-EC-Member-Server (beta)WolfTech-Default Domain Policy - WS12 (beta)
MSFT_SomFilter.ID="{C5953DC6-FAAA-42F7-A0C9-111D41BF10B4}",Domain="wolftech.ad.ncsu.edu"
ECE-Config-32bit Env Variables
CHASSIT-TEST.CHASS.NCSU.EDU
Number of Group Policies found with WMI filters : 27Number of WMI filters found: 15
Microsoft Proprietary and Confidential Information Page
Key Findings ReportConfidential – NC State University
MSFT_SomFilter.ID="{B520B9CB-FC3E-446F-AAFF-F8DE5BF6E9F7}",Domain="wolftech.ad.ncsu.edu"
Win7 EC Desktop PolicyWolfTech-Default Domain Policy - Win7
MSFT_SomFilter.ID="{7C739E36-BBDD-493E-8F72-5FF2D1BB1261}",Domain="wolftech.ad.ncsu.edu"
VSG EC Desktop PolicyWolfTech-Default Domain Policy - Vista
MSFT_SomFilter.ID="{C6210AFD-EA41-4BF0-A580-3FABCD996872}",Domain="wolftech.ad.ncsu.edu"
WS08R2-EC-Member-ServerWolfTech-Default Domain Policy - WS08R2
MSFT_SomFilter.ID="{3A493044-F4E3-47BB-8570-4D3B58BD6843}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Win8.1Win8.1 Computer Policy
MSFT_SomFilter.ID="{E26922BA-F080-432E-A3F1-BF087D9AFA71}",Domain="wolftech.ad.ncsu.edu"
Windows 10 Computer (SCM, v1511)WolfTech-Default Domain Policy - Win 10.0CHASS-Configure Windows 10 Default Policies
MSFT_SomFilter.ID="{5CA2491B-3D7B-48F4-818E-EBF94E0AD72B}",Domain="wolftech.ad.ncsu.edu"
WS03 EC Member Server Baseline PolicyWolfTech-Default Domain Policy - Win2003
MSFT_SomFilter.ID="{BA0DD3BD-3726-482E-A165-1534E3F52650}",Domain="wolftech.ad.ncsu.edu"
Win8 EC Desktop Policy (beta)WolfTech-Default Domain Policy - Win8 (beta)
MSFT_SomFilter.ID="{54EB8571-0718-42C3-A1C1-E91515564477}",Domain="wolftech.ad.ncsu.edu"
XP EC Desktop PolicyWolfTech-Default Domain Policy - WinXP
MSFT_SomFilter.ID="{CA73870A-FC28-49F2-B418-404B761AFFDC}",Domain="wolftech.ad.ncsu.edu"
WS2012 R2 Member ServerWolfTech-Default Domain Policy - WS2012 R2
MSFT_SomFilter.ID="{4462489B-E831-4FC7-AC05-E60EEF49E30E}",Domain="wolftech.ad.ncsu.edu"
CHASS-Configure Windows 8 Default Policies
MSFT_SomFilter.ID="{5347B94D-AEAD-4511-BF5C-907F140E64B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - WS08WS08 EC Member Server Baseline Policy
MSFT_SomFilter.ID="{097C6471-7E67-4E0B-A1E4-5A378D852048}",Domain="wolftech.ad.ncsu.edu"
WS12-EC-Member-Server (beta)WolfTech-Default Domain Policy - WS12 (beta)
MSFT_SomFilter.ID="{95F7F159-E2CF-40C9-980A-1F36BA6F9DFC}",Domain="wolftech.ad.ncsu.edu"
Microsoft Proprietary and Confidential Information Page
Key Findings ReportConfidential – NC State University
CHASS-App Settings-GMail Default Email Client (x64)
MSFT_SomFilter.ID="{2115E492-B943-42B3-82A0-F7B2AC1FC3B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Desktop OS
MSFT_SomFilter.ID="{C5953DC6-FAAA-42F7-A0C9-111D41BF10B4}",Domain="wolftech.ad.ncsu.edu"
CHASS-App Settings-GMail Default Email Client (x86)
CLH-9F8NXR1.COM.NCSU.EDU
Number of Group Policies found with WMI filters: 26
Number of WMI filters found: 14
MSFT_SomFilter.ID="{B520B9CB-FC3E-446F-AAFF-F8DE5BF6E9F7}",Domain="wolftech.ad.ncsu.edu"
Win7 EC Desktop Policy; COM-Labs-Custom Firewall and System Settings; WolfTech-Default Domain Policy - Win7
MSFT_SomFilter.ID="{7C739E36-BBDD-493E-8F72-5FF2D1BB1261}",Domain="wolftech.ad.ncsu.edu"
VSG EC Desktop Policy; WolfTech-Default Domain Policy - Vista
MSFT_SomFilter.ID="{C6210AFD-EA41-4BF0-A580-3FABCD996872}",Domain="wolftech.ad.ncsu.edu"
WS08R2-EC-Member-Server; WolfTech-Default Domain Policy - WS08R2
MSFT_SomFilter.ID="{3A493044-F4E3-47BB-8570-4D3B58BD6843}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Win8.1; Win8.1 Computer Policy
MSFT_SomFilter.ID="{E26922BA-F080-432E-A3F1-BF087D9AFA71}",Domain="wolftech.ad.ncsu.edu"
Windows 10 Computer (SCM, v1511); WolfTech-Default Domain Policy - Win 10.0
MSFT_SomFilter.ID="{5CA2491B-3D7B-48F4-818E-EBF94E0AD72B}",Domain="wolftech.ad.ncsu.edu"
WS03 EC Member Server Baseline Policy; WolfTech-Default Domain Policy - Win2003
MSFT_SomFilter.ID="{BA0DD3BD-3726-482E-A165-1534E3F52650}",Domain="wolftech.ad.ncsu.edu"
Win8 EC Desktop Policy (beta); WolfTech-Default Domain Policy - Win8 (beta)
MSFT_SomFilter.ID="{54EB8571-0718-42C3-A1C1-E91515564477}",Domain="wolftech.ad.ncsu.edu"
XP EC Desktop Policy; WolfTech-Default Domain Policy - WinXP
MSFT_SomFilter.ID="{CA73870A-FC28-49F2-B418-404B761AFFDC}",Domain="wolftech.ad.ncsu.edu"
WS2012 R2 Member Server; WolfTech-Default Domain Policy - WS2012 R2
MSFT_SomFilter.ID="{5347B94D-AEAD-4511-BF5C-907F140E64B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - WS08; WS08 EC Member Server Baseline Policy
MSFT_SomFilter.ID="{097C6471-7E67-4E0B-A1E4-5A378D852048}",Domain="wolftech.ad.ncsu.edu"
WS12-EC-Member-Server (beta); WolfTech-Default Domain Policy - WS12 (beta)
MSFT_SomFilter.ID="{95F7F159-E2CF-40C9-980A-1F36BA6F9DFC}",Domain="wolftech.ad.ncsu.edu"
NCSU-FW-OpenAFS-OpenAFS-1.7.26-x64
MSFT_SomFilter.ID="{2115E492-B943-42B3-82A0-F7B2AC1FC3B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Desktop OS
MSFT_SomFilter.ID="{C5953DC6-FAAA-42F7-A0C9-111D41BF10B4}",Domain="wolftech.ad.ncsu.edu"
NCSU-FW-OpenAFS-OpenAFS-1.7.26-x86
COLLAB-TEST-HD.EOS.NCSU.EDU
Number of Group Policies found with WMI filters: 24
Number of WMI filters found: 13
MSFT_SomFilter.ID="{B520B9CB-FC3E-446F-AAFF-F8DE5BF6E9F7}",Domain="wolftech.ad.ncsu.edu"
Win7 EC Desktop Policy; WolfTech-Default Domain Policy - Win7
MSFT_SomFilter.ID="{7C739E36-BBDD-493E-8F72-5FF2D1BB1261}",Domain="wolftech.ad.ncsu.edu"
VSG EC Desktop Policy; WolfTech-Default Domain Policy - Vista
MSFT_SomFilter.ID="{C6210AFD-EA41-4BF0-A580-3FABCD996872}",Domain="wolftech.ad.ncsu.edu"
WS08R2-EC-Member-Server; WolfTech-Default Domain Policy - WS08R2
MSFT_SomFilter.ID="{3A493044-F4E3-47BB-8570-4D3B58BD6843}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Win8.1; Win8.1 Computer Policy
MSFT_SomFilter.ID="{E26922BA-F080-432E-A3F1-BF087D9AFA71}",Domain="wolftech.ad.ncsu.edu"
Windows 10 Computer (SCM, v1511); WolfTech-Default Domain Policy - Win 10.0
MSFT_SomFilter.ID="{5CA2491B-3D7B-48F4-818E-EBF94E0AD72B}",Domain="wolftech.ad.ncsu.edu"
WS03 EC Member Server Baseline Policy; WolfTech-Default Domain Policy - Win2003
MSFT_SomFilter.ID="{BA0DD3BD-3726-482E-A165-1534E3F52650}",Domain="wolftech.ad.ncsu.edu"
Win8 EC Desktop Policy (beta); WolfTech-Default Domain Policy - Win8 (beta)
MSFT_SomFilter.ID="{54EB8571-0718-42C3-A1C1-E91515564477}",Domain="wolftech.ad.ncsu.edu"
XP EC Desktop Policy; WolfTech-Default Domain Policy - WinXP
MSFT_SomFilter.ID="{CA73870A-FC28-49F2-B418-404B761AFFDC}",Domain="wolftech.ad.ncsu.edu"
WS2012 R2 Member Server; WolfTech-Default Domain Policy - WS2012 R2
MSFT_SomFilter.ID="{C5953DC6-FAAA-42F7-A0C9-111D41BF10B4}",Domain="wolftech.ad.ncsu.edu"
COEDEAN-Public Labs-Reg and File Cleanup
MSFT_SomFilter.ID="{5347B94D-AEAD-4511-BF5C-907F140E64B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - WS08; WS08 EC Member Server Baseline Policy
MSFT_SomFilter.ID="{097C6471-7E67-4E0B-A1E4-5A378D852048}",Domain="wolftech.ad.ncsu.edu"
WS12-EC-Member-Server (beta); WolfTech-Default Domain Policy - WS12 (beta)
MSFT_SomFilter.ID="{2115E492-B943-42B3-82A0-F7B2AC1FC3B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Desktop OS
crpc11.CVM.NCSU.EDU
Number of Group Policies found with WMI filters: 36
Number of WMI filters found: 14
MSFT_SomFilter.ID="{B520B9CB-FC3E-446F-AAFF-F8DE5BF6E9F7}",Domain="wolftech.ad.ncsu.edu"
Win7 EC Desktop Policy; CVM-Remote Assistance UAC Settings; CVM-Special Remote Assistance UAC; WolfTech-Default Domain Policy - Win7
MSFT_SomFilter.ID="{07A66FF6-4555-4BAE-8535-6E89F342EEEA}",Domain="wolftech.ad.ncsu.edu"
CVM-Win7 x64 Desktop Settings
MSFT_SomFilter.ID="{7C739E36-BBDD-493E-8F72-5FF2D1BB1261}",Domain="wolftech.ad.ncsu.edu"
VSG EC Desktop Policy; WolfTech-Default Domain Policy - Vista
MSFT_SomFilter.ID="{C6210AFD-EA41-4BF0-A580-3FABCD996872}",Domain="wolftech.ad.ncsu.edu"
WS08R2-EC-Member-Server; WolfTech-Default Domain Policy - WS08R2
MSFT_SomFilter.ID="{3A493044-F4E3-47BB-8570-4D3B58BD6843}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Win8.1; Win8.1 Computer Policy
MSFT_SomFilter.ID="{E26922BA-F080-432E-A3F1-BF087D9AFA71}",Domain="wolftech.ad.ncsu.edu"
Windows 10 Computer (SCM, v1511); WolfTech-Default Domain Policy - Win 10.0; CVM-Win10 x64 Desktop Settings
MSFT_SomFilter.ID="{2115E492-B943-42B3-82A0-F7B2AC1FC3B0}",Domain="wolftech.ad.ncsu.edu"
CVM-Uvis Files; CVM-Google Chrome Settings; CVM-Fax Server Icon; CVM-BackupTime startup policy; CVM-VH Apps Folder; CVM-MS Office 2016 Folder; CVM-Allow Removable Media Driver Install; CVM-Uvis and VetView Tester Icons; WolfTech-Default Domain Policy - Desktop OS
MSFT_SomFilter.ID="{5CA2491B-3D7B-48F4-818E-EBF94E0AD72B}",Domain="wolftech.ad.ncsu.edu"
WS03 EC Member Server Baseline Policy; WolfTech-Default Domain Policy - Win2003
MSFT_SomFilter.ID="{BA0DD3BD-3726-482E-A165-1534E3F52650}",Domain="wolftech.ad.ncsu.edu"
Win8 EC Desktop Policy (beta); WolfTech-Default Domain Policy - Win8 (beta)
MSFT_SomFilter.ID="{54EB8571-0718-42C3-A1C1-E91515564477}",Domain="wolftech.ad.ncsu.edu"
XP EC Desktop Policy; WolfTech-Default Domain Policy - WinXP
MSFT_SomFilter.ID="{CA73870A-FC28-49F2-B418-404B761AFFDC}",Domain="wolftech.ad.ncsu.edu"
WS2012 R2 Member Server; WolfTech-Default Domain Policy - WS2012 R2
MSFT_SomFilter.ID="{5347B94D-AEAD-4511-BF5C-907F140E64B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - WS08; WS08 EC Member Server Baseline Policy
MSFT_SomFilter.ID="{A23E95A0-A8F6-4125-B8A5-6291E603CC21}",Domain="wolftech.ad.ncsu.edu"
CVM-Win7 x86 Desktop Settings
MSFT_SomFilter.ID="{097C6471-7E67-4E0B-A1E4-5A378D852048}",Domain="wolftech.ad.ncsu.edu"
WS12-EC-Member-Server (beta); WolfTech-Default Domain Policy - WS12 (beta)
DELTA-DT-SP03.DELTA.NCSU.EDU
Number of Group Policies found with WMI filters: 23
Number of WMI filters found: 12
MSFT_SomFilter.ID="{B520B9CB-FC3E-446F-AAFF-F8DE5BF6E9F7}",Domain="wolftech.ad.ncsu.edu"
Win7 EC Desktop Policy; WolfTech-Default Domain Policy - Win7
MSFT_SomFilter.ID="{7C739E36-BBDD-493E-8F72-5FF2D1BB1261}",Domain="wolftech.ad.ncsu.edu"
VSG EC Desktop Policy; WolfTech-Default Domain Policy - Vista
MSFT_SomFilter.ID="{C6210AFD-EA41-4BF0-A580-3FABCD996872}",Domain="wolftech.ad.ncsu.edu"
WS08R2-EC-Member-Server; WolfTech-Default Domain Policy - WS08R2
MSFT_SomFilter.ID="{3A493044-F4E3-47BB-8570-4D3B58BD6843}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Win8.1; Win8.1 Computer Policy
MSFT_SomFilter.ID="{E26922BA-F080-432E-A3F1-BF087D9AFA71}",Domain="wolftech.ad.ncsu.edu"
Windows 10 Computer (SCM, v1511); WolfTech-Default Domain Policy - Win 10.0
MSFT_SomFilter.ID="{5CA2491B-3D7B-48F4-818E-EBF94E0AD72B}",Domain="wolftech.ad.ncsu.edu"
WS03 EC Member Server Baseline Policy; WolfTech-Default Domain Policy - Win2003
MSFT_SomFilter.ID="{BA0DD3BD-3726-482E-A165-1534E3F52650}",Domain="wolftech.ad.ncsu.edu"
Win8 EC Desktop Policy (beta); WolfTech-Default Domain Policy - Win8 (beta)
MSFT_SomFilter.ID="{54EB8571-0718-42C3-A1C1-E91515564477}",Domain="wolftech.ad.ncsu.edu"
XP EC Desktop Policy; WolfTech-Default Domain Policy - WinXP
MSFT_SomFilter.ID="{CA73870A-FC28-49F2-B418-404B761AFFDC}",Domain="wolftech.ad.ncsu.edu"
WS2012 R2 Member Server; WolfTech-Default Domain Policy - WS2012 R2
MSFT_SomFilter.ID="{5347B94D-AEAD-4511-BF5C-907F140E64B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - WS08; WS08 EC Member Server Baseline Policy
MSFT_SomFilter.ID="{097C6471-7E67-4E0B-A1E4-5A378D852048}",Domain="wolftech.ad.ncsu.edu"
WS12-EC-Member-Server (beta); WolfTech-Default Domain Policy - WS12 (beta)
MSFT_SomFilter.ID="{2115E492-B943-42B3-82A0-F7B2AC1FC3B0}",Domain="wolftech.ad.ncsu.edu"
WolfTech-Default Domain Policy - Desktop OS
Always Wait For Network Configuration
Status: Failed
Description
37 node(s) out of 37 node(s) were affected by this issue (100%).
During startup and logon there are key moments where Windows can either get the user to the desktop as quickly as possible, or wait for operations like network initialization, policy, and scripts to complete before allowing the user to interact with the desktop.
In general these modes can be thought of as synchronous logon (wait for each task to complete) or asynchronous logon (get the user to the desktop and complete tasks in the background).
The two modes exist to let Windows meet the goals of different organizations and environments.
Additional Information
Importance
In environments where top-down management and consistency are of the utmost importance (for example, environments with exacting security requirements deployed via Group Policy and startup scripts, or administratively modified user experiences such as auto-mapped drives, folder redirection and roaming profiles), synchronous logon is generally preferred. This comes at a potential cost to startup/logon time and user productivity, as the user cannot interact with the desktop until all tasks have finished, and any task that is slow to complete delays the user visibly. In synchronous mode every startup/logon task added by administrators (and by applications) must be thoroughly tested under different conditions (on the network, off the network, and so on) to ensure that users are not unduly delayed.
In environments where fast user access to the desktop upon startup/logon is paramount, and where it is acceptable to have configuration (Group Policy, scripts, etc.) applied in the background shortly after the user already has access to the desktop, asynchronous logon is generally preferred. Asynchronous logon has been the default on a clean install of Windows (client SKUs) since Windows XP.
Windows 7 goes further: many tasks that used to run at boot are deferred by default until seconds or minutes after the user logs on.
While asynchronous logon is ideal in pure logon-speed terms, it comes with several caveats that make it non-trivial to use in an enterprise environment.
Several Windows features only work in synchronous mode and enable it automatically. These include (but may not be limited to):
Roaming profiles
Home drives (mapped on user account in AD)
User logon script (mapped on user account in AD [not group policy based])
Folder Redirection
GPP Mapped Drives
Logon scripts configured to run synchronously
If you are using any of these features (and the benefit of doing so is such that you will continue using them), you should enable "Always wait for the network at computer startup and logon" via Group Policy (Computer Configuration\Administrative Templates\System\Logon) for the sake of consistency. Relying on these features to request a synchronous logon automatically produces inconsistent results, for example settings that only apply every other logon, or that do not apply until a second logon.
In scenarios where fast logon is more important than top-down user experience modifications, consider not using the above features (all of which not only create synchronous logons but add complex processing and potential delays during logon) and also disabling "Always wait for the network..." through Group Policy.
The right choice depends on the environment in question. The pattern that emerges is that systems with heavily managed user experiences (kiosks, locked-down workstations, roaming profiles, etc.) are generally better off with synchronous logon (at the risk of a delayed user logon). Other systems may be better off avoiding the features that are tied to the startup/logon experience and using asynchronous mode, at the risk that configuration, including security settings delivered by startup scripts or by extensions that need foreground processing, is not applied until after the user logs on or until a subsequent logon.
Note that there are additional sync vs. async control points which impact different phases of startup and logon along similar lines. These include:
Run Startup Scripts Asynchronously (can be enabled/disabled)
Run Logon Scripts Synchronously (can be enabled/disabled)
GPNetworkStartTimeout
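The first three features in the list above (a roaming profile path, a home drive mapped on the account, and a logon script set on the AD user object) can be enumerated directly from Active Directory, which is the quickest way to find out which user populations will request a synchronous logon on their own. The PowerShell below is an added example for this report, not something the RAP collector runs; it assumes the RSAT ActiveDirectory module on a domain-joined machine with read access to the user objects, and the search base is a placeholder.

```powershell
# Added example for this report (not part of the RAP collector): list the AD
# user accounts whose account-level settings force a synchronous logon on the
# client, i.e. the first three items in the list above: a roaming profile path,
# a home drive mapped on the account, and a logon script set on the account
# (not delivered by Group Policy). Needs the RSAT ActiveDirectory module and a
# domain-joined session with read access to the user objects.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'   # placeholder; point it at the OU to audit

# ProfilePath = roaming profile, HomeDirectory/HomeDrive = home drive on the
# account, ScriptPath = account-based logon script.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
                    -Properties ProfilePath, HomeDirectory, HomeDrive, ScriptPath

$forcingSync = foreach ($u in $users) {
    $reasons = @()
    if ($u.ProfilePath)   { $reasons += 'RoamingProfile' }
    if ($u.HomeDirectory) { $reasons += 'HomeDrive' }
    if ($u.ScriptPath)    { $reasons += 'AccountLogonScript' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            ProfilePath    = $u.ProfilePath
            HomeDrive      = if ($u.HomeDrive) { '{0} -> {1}' -f $u.HomeDrive, $u.HomeDirectory } else { $u.HomeDirectory }
            ScriptPath     = $u.ScriptPath
            ForcesSyncVia  = $reasons -join ','
        }
    }
}

# Headline number, then a breakdown by reason, then the full list for follow-up.
'{0} of {1} enabled users carry account settings that force a synchronous logon' -f `
    @($forcingSync).Count, @($users).Count
$forcingSync | Group-Object ForcesSyncVia | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$forcingSync | Sort-Object SamAccountName | Format-Table -AutoSize
```

Every account in the list will request synchronous foreground processing by itself, so for the OUs those users log on to, either enable "Always wait for the network at computer startup and logon" explicitly, as the report advises, or clear the attribute and deliver the setting another way. Folder Redirection and GPP drive maps are GPO-based and do not show up in this query; check the GPO reports for those.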
Recommended Reading
Description of the Windows XP Professional Fast Logon Optimization feature:
http://support.microsoft.com/kb/305293
Scripts May Not Run Before Windows Explorer Starts Even Though the "Run Logon Scripts Synchronously" Setting is Enabled:
http://support.microsoft.com/kb/304970
Troubleshooting Group Policy Problems:
http://technet.microsoft.com/en-us/library/cc787386.aspx
Best Practices for User Profiles:
http://technet.microsoft.com/en-us/library/cc784484(v=WS.10).aspx
Users are not automatically logged on to the domain when you apply a startup script to automate the logon process on computers that are running Windows Fundamentals for Legacy PCs:
http://support.microsoft.com/kb/920319
Recommended Resolution
This finding is included to highlight current settings and raise discussion around the best setting for the environment.
Desktop architects or engineers in charge of designing and optimizing the desktop experience should consider their various user populations and whether sync or async mode is more appropriate for each.
Also when using or planning the use of features or technologies that modify startup/logon experience, including those that invoke synchronous logon, architects should (as with any feature) weigh the cost of its use against the benefit provided.
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 is equal to 0x00000001
Affected Nodes
315BPT01.CALS.NCSU.EDU
Always Wait For Network Configuration: Not configured.
admpc280.CVM.NCSU.EDU
Always Wait For Network Configuration: Not configured.
ALUMINUM.CNR.NCSU.EDU
Always Wait For Network Configuration: Not configured.
BILT-3032A-01.CNR.NCSU.EDU
Always Wait For Network Configuration: Not configured.
BUSTA.ECE.NCSU.EDU
Always Wait For Network Configuration: Not configured.
CHASSIT-TEST.CHASS.NCSU.EDU
Always Wait For Network Configuration: Not configured.
CLH-9F8NXR1.COM.NCSU.EDU
Always Wait For Network Configuration: 1
COLLAB-TEST-HD.EOS.NCSU.EDU
Always Wait For Network Configuration: 1
crpc11.CVM.NCSU.EDU
Always Wait For Network Configuration: Not configured.
DELTA-DT-SP03.DELTA.NCSU.EDU
Always Wait For Network Configuration: Not configured.
Scripts Maximum Wait Time Is Too Low
Status: Failed
Description
2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The MaxGPOScriptWait setting determines how long the system waits for scripts applied by Group Policy to run. The value of this entry limits the combined time for all logon, startup, and shutdown scripts applied by Group Policy to finish running.
This interval is particularly important when other system tasks must wait while the scripts finish. By default, each startup script must finish before the next one runs. An excessively long interval can delay the system and inconvenience users. However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely.
Additional Information
Importance
The Group Policy setting "Maximum wait time for Group Policy scripts" is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next script runs. A script that the timeout terminates has done only part of its work; when startup scripts carry security configuration, a wait time that is too short leaves the computer partly configured, and nothing on the desktop shows it.
Recommended Reading
Maximum wait time for Group Policy scripts:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/gp/14.mspx?mfr=true
MaxGPOScriptWait
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91596.mspx?mfr=true
Recommended Resolution
Configure a maximum wait time that is long enough for the scripts you deploy to finish but short enough that a hung script does not stall the computer. If a script stops responding and it was called synchronously, the client startup, logon, logoff, or shutdown process is held up for the whole wait time; once the timeout is exceeded the script is terminated, and whatever it had not yet done stays undone.
Because scripts vary, the optimal value must be evaluated in a test environment. Recommended values are between 1 and 3 minutes (60 to 180 seconds).
The default interval is 600 seconds (10 minutes), and valid intervals range from 0 to 32000 seconds.
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MaxGPOScriptWait @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 is less than decimal 30 (hex: 0x0000001E)
Affected Nodes
ALUMINUM.CNR.NCSU.EDU
If value is below 30 seconds scripts might always fail.
MaxGPOScriptWait (GPO): 12
MaxGPOScriptWait: n/a
BILT-3032A-01.CNR.NCSU.EDU
If value is below 30 seconds scripts might always fail.
MaxGPOScriptWait (GPO): 12
MaxGPOScriptWait: n/a
Slow Link Detection Threshold Is Not Defined
Status: Failed
Description
36 node(s) out of 37 node(s) were affected by this issue (97.3%).
The slow link detection threshold is used to determine at which point the link between the domain controller and the client is considered 'slow' for the purposes of Group Policy application.
When Group Policy detects a slow link that is below the defined threshold, it sets a flag to indicate to client-side extensions (CSEs) that a policy is being applied over a slow link.
Individual CSEs can have their own settings to determine whether they will process over a slow link. For example, Security Settings and Administrative Templates will always process over a slow link (this cannot be turned off) and Software Installation, Scripts and Folder Redirection will not process by default but can be configured to do so.
The default slow link threshold is 500 Kbps.
As part of configuring Group Policy, set the slow link threshold to match the organization's networks. For example, if clients regularly connect over links just below the default threshold (500 Kbps) and you want full policy processing on those links, lower the threshold; conversely, raise it above 500 Kbps where links must be faster than that to be considered usable.
Additional Information
Importance
If a policy update travels from the domain controller to the computer at a rate slower than the value of this entry, the system treats the connection as slow. The default threshold is 500 Kbps (kilobits per second). On Windows Vista and later the rate is measured by Network Location Awareness (NLA) bandwidth estimation rather than by the ICMP ping used by Windows XP and Windows 2000, but the same threshold and registry value apply. Because Scripts and Software Installation skip slow links by default, configuration delivered that way, including any security hardening it carries, silently fails to reach clients on links below the threshold; Security Settings and Administrative Templates are still applied.
Recommended Reading
Group Policy does not apply when connecting remotely over a slow link:
http://technet.microsoft.com/en-us/library/cc759191(v=WS.10).aspx
How to troubleshoot Group Policy object processing failures that occur across multiple forests:
http://support.microsoft.com/kb/910206/en-us
Recommended Resolution
To avoid heavy traffic on slow or limited network connections, define the slow link detection threshold explicitly rather than relying on the default. The setting decides whether specific tasks for user profiles, Client Side Caching, and Group Policy client-side extensions run on the client over a slow link; which extensions process over a slow link can be configured individually.
Choose a link speed that fits the LAN and WAN topology in use, and verify the user experience over the slow links your users actually have (modem, ISDN, DSL and slow LAN connections in the original guidance; VPN and cellular links are the usual cases today).
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Policies\Microsoft\Windows\System\GroupPolicyMinTransferRate @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 does not exist
Affected Nodes
315BPT01.CALS.NCSU.EDU
GroupPolicyMinTransferRate: n/a
admpc280.CVM.NCSU.EDU
GroupPolicyMinTransferRate: n/a
ALUMINUM.CNR.NCSU.EDU
GroupPolicyMinTransferRate: n/a
BILT-3032A-01.CNR.NCSU.EDU
GroupPolicyMinTransferRate: n/a
BUSTA.ECE.NCSU.EDU
GroupPolicyMinTransferRate: n/a
CHASSIT-TEST.CHASS.NCSU.EDU
GroupPolicyMinTransferRate: n/a
CLH-9F8NXR1.COM.NCSU.EDU
GroupPolicyMinTransferRate: n/a
COLLAB-TEST-HD.EOS.NCSU.EDU
GroupPolicyMinTransferRate: n/a
crpc11.CVM.NCSU.EDU
GroupPolicyMinTransferRate: n/a
DELTA-DT-SP03.DELTA.NCSU.EDU
GroupPolicyMinTransferRate: n/a
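The three registry-backed findings above (Always Wait For Network Configuration, Scripts Maximum Wait Time Is Too Low, and Slow Link Detection Threshold Is Not Defined) each read one REG_DWORD from the paths given in their Rule Algorithm sections. The PowerShell below is an added example, not the RAP collector; it reads the same three values from one or more computers and applies the same thresholds, so the numbers can be re-checked after a GPO change. It needs WinRM enabled on remote targets and administrative rights there, and the computer names in the usage line are placeholders.

```powershell
# Added example for this report (not the RAP collector): re-run the three
# Group Policy registry checks with the report's own thresholds, locally or
# over PowerShell Remoting. Remote targets need WinRM enabled and the caller
# needs administrative rights on them.
function Get-GpLogonSettings {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $check = {
        # REG_DWORD under a policy key, or $null when the value/key is absent
        # (shown by the report as "Not configured" / "n/a").
        function Read-PolicyDword([string]$Path, [string]$Name) {
            $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { return $null }
            return [uint32]$item.$Name
        }

        $sync = Read-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' 'SyncForegroundPolicy'
        $wait = Read-PolicyDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'    'MaxGPOScriptWait'
        $rate = Read-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'                 'GroupPolicyMinTransferRate'

        [pscustomobject]@{
            Computer                 = $env:COMPUTERNAME
            SyncForegroundPolicy     = if ($null -eq $sync) { 'Not configured' } else { $sync }
            SyncLogonEnabled         = ($sync -eq 1)                       # report rule: value == 1
            MaxGPOScriptWaitSeconds  = if ($null -eq $wait) { 'n/a (default 600)' } else { $wait }
            ScriptWaitTooLow         = ($null -ne $wait -and $wait -lt 30) # report rule: below 30 s
            SlowLinkThresholdKbps    = if ($null -eq $rate) { 'n/a (default 500)' } else { $rate }
            SlowLinkThresholdDefined = ($null -ne $rate)                   # report rule: value must exist
        }
    }

    if ($ComputerName.Count -eq 1 -and $ComputerName[0] -ieq $env:COMPUTERNAME) {
        & $check
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check |
            Select-Object Computer, SyncForegroundPolicy, SyncLogonEnabled, MaxGPOScriptWaitSeconds,
                          ScriptWaitTooLow, SlowLinkThresholdKbps, SlowLinkThresholdDefined
    }
}

# Usage (placeholder names): rows with a too-low script timeout first.
Get-GpLogonSettings -ComputerName 'PC-01', 'PC-02', 'PC-03' |
    Sort-Object ScriptWaitTooLow -Descending |
    Format-Table -AutoSize
```

A value missing from the policy key means the built-in default applies (asynchronous logon, 600 seconds, 500 Kbps). The corresponding Group Policy settings, all under Computer Configuration\Administrative Templates\System, are "Always wait for the network at computer startup and logon" (Logon), "Specify maximum wait time for Group Policy scripts" (Scripts) and "Configure Group Policy slow link detection" (Group Policy).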
Hardware Information
Computer hardware can include the following parts:
▪ Motherboard: sometimes referred to as the mainboard or system board. It holds the CPU, memory, and slots for expansion cards.
▪ Power Supply
▪ Storage Controller: Integrated Drive Electronics (IDE), Small Computer System Interface (SCSI), Serial Advanced Technology Attachment (SATA), Fibre Channel (FC)
▪ Hard Drive
▪ Floppy, CD-ROM, Hard Drive, Solid State Drive (SSD), Display Adapter, Graphics Card and Monitor
▪ Interface Controller: Parallel, Serial, Universal Serial Bus (USB), FireWire
▪ Input devices such as the mouse and keyboard
BIOS Release Date Is Between 7 And 10 Years Old
Status: Failed
Description
4 node(s) out of 37 node(s) were affected by this issue (10.81%).
Microsoft recommends installing the newest BIOS version to avoid possible incompatibilities with the Windows operating system and to prepare for future Windows installations. Power management and other operations that rely on ACPI, such as startup and shutdown, also depend on having the newest BIOS installed. When manufacturers release a new motherboard, the BIOS on the board is already flashed, but new products are released constantly. Flashing the BIOS to the latest release enhances the system's capabilities, helps it detect newer devices and components (bigger hard drives, newer processors, and so forth), and improves stability, and manufacturers usually include a series of bug fixes in each release. Those fixes increasingly include security fixes (CPU microcode, SMM and Secure Boot components), so a BIOS that is many years old is a security exposure as well as a compatibility risk.
Additional Information
Importance
Microsoft recommends reviewing new BIOS versions at least every half year and evaluating the need to deploy the newer version. The newest BIOS version avoids possible incompatibilities with the Windows® operating system.
Recommended Resolution
It is recommended that you regularly check for new BIOS releases and install the update after verifying the package. Every newer BIOS release comes with a change log that should be read first; it helps you decide whether flashing that specific version is worth it.
Update the BIOS when there is a reason to (a compatibility problem, or a security fix listed in the change log, such as a microcode or firmware vulnerability fix). It can be a complicated process, and if an error occurs the computer can be rendered inoperable, so follow the manufacturer's instructions exactly.
Rule Algorithm
Source
WMI_1 Root\CIMv2:Win32_OperatingSystem.LocalDateTime
WMI_2 Root\CIMv2:Win32_BIOS.ReleaseDate
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is not virtualized
The following must be true:
* WMI_2 is compared to WMI_1 between 2558 and 3652 days old
Annotation: Look to see if there is an update available for this.
Affected Nodes
crpc11.CVM.NCSU.EDU
Bios Release Date: 8/17/2009 12:00:00 AM
EB2-2214-LOAN01.CSC.NCSU.EDU
Bios Release Date: 1/31/2008 12:00:00 AM
EB2-2214-LOAN02.CSC.NCSU.EDU
Bios Release Date: 8/14/2008 12:00:00 AM
UNO.IE.NCSU.EDU
Bios Release Date: 11/30/2006 12:00:00 AM
Source: Disk / Event ID: 7 / Error: Bad Block Detected
Status: Failed
Description
1 node(s) out of 37 node(s) were affected by this issue (2.7%).
This issue relates to an event in the System event log indicating that a bad block has been detected on a disk: the disk driver (source "disk", Event ID 7) reported an I/O error on a sector that the drive could not read or write. Review the affected nodes and verify that the hard disk is working properly by using disk checking utilities such as chkdsk.
Additional Information
Importance
Once a bad block has been detected, the block cannot be used any more; the file system marks the cluster as bad so it is not reused (NTFS records it in the $BadClus metadata file). A handful of events may be one remapped sector, but a count that keeps rising over days, as on the node below, usually means the drive is running out of spare sectors and is about to fail.
Recommended Resolution
Back up the data first, then run chkdsk /r to scan the volume for bad sectors and mark them so they are not reused. If the events continue after the scan, replace the hard drive.
Rule Algorithm
Source
Event_1 EventLog ("System") @ "EventSource:Disk;EventID:7"
Detection Logic
Applies to: All operating systems
The following must be true:
* Event_1 is listed in the past 7 days
Annotation: Look at the drive on this system to see if it is only a bad sector or pointing to something larger.
Affected Nodes
UNO.IE.NCSU.EDU
Amount of Events logged within 7 days: 63
First Event logged: 2016-09-29T14:14:38.608435
Last Event logged: 2016-10-05T07:04:56.71298
ID: 7
Provider: Disk
Message: The device, \Device\Harddisk0\DR0, has a bad block.
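The rule above only counts events; deciding between "one remapped sector" and "replace the drive" needs the per-device trend and the drive's own error counters. The PowerShell below is an added example, not the RAP collector: it repeats the 7-day Event ID 7 query, summarises it per device the way the report does, and reads the SMART-derived reliability counters for each disk involved. Get-StorageReliabilityCounter needs the Storage module (Windows 8 / Server 2012 and later) and an elevated session; on older systems only the event part runs. It assumes that the DeviceId reported by Get-PhysicalDisk matches the Harddisk<N> number in the event, which holds for a standalone PC.

```powershell
# Added example for this report (not the RAP collector): repeat the Event ID 7
# check for the last 7 days, summarise per device as the report does, and pull
# the drive's reliability counters so a single remapped sector can be told
# apart from a failing disk. Get-StorageReliabilityCounter needs the Storage
# module (Windows 8 / Server 2012 and later) and an elevated session; on older
# systems only the event part runs. Assumes the DeviceId of Get-PhysicalDisk
# matches the Harddisk<N> number in the event, which holds for a standalone PC.
$since = (Get-Date).AddDays(-7)

# Same source the report's rule reads: System log, provider "disk", ID 7.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'disk'; Id = 7; StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No disk Event ID 7 (bad block) events since $since"
} else {
    $summary = $events |
        Group-Object { if ($_.Message -match '\\Device\\Harddisk\d+\\DR\d+') { $Matches[0] } else { 'unknown' } } |
        ForEach-Object {
            $times = @($_.Group | Sort-Object TimeCreated)
            [pscustomobject]@{
                Device     = $_.Name
                Count      = $_.Count
                FirstEvent = $times[0].TimeCreated
                LastEvent  = $times[-1].TimeCreated
                DiskNumber = if ($_.Name -match 'Harddisk(\d+)') { [int]$Matches[1] } else { $null }
            }
        }
    $summary | Format-Table -AutoSize

    # SMART-derived counters for each disk that logged bad blocks. Uncorrected
    # read/write errors that keep climbing across days mean the drive is dying;
    # chkdsk only postpones the problem, so back up and replace it.
    foreach ($row in ($summary | Where-Object { $null -ne $_.DiskNumber })) {
        $pd = Get-PhysicalDisk -ErrorAction SilentlyContinue |
              Where-Object { $_.DeviceId -eq "$($row.DiskNumber)" }
        if ($pd) {
            $pd | Get-StorageReliabilityCounter |
                Select-Object @{ n = 'Device'; e = { $row.Device } }, ReadErrorsTotal, ReadErrorsUncorrected,
                              WriteErrorsTotal, WriteErrorsUncorrected, Temperature, Wear, PowerOnHours
        }
    }
}
```

Run it on the affected node over a few days and compare: a stable count with zero uncorrected errors after chkdsk is a sector that has been remapped; a count that grows between runs, as the 63 events over six days above suggest, is a drive to retire.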
No Standardized PC Hardware
Question: Do you have standardized client PC hardware?
Selected Answer: No
Additional Comments: We have a recommendation of about 30-40 machines people can choose from and we strive to support those as best as possible, but at the end of the day departments can still buy whatever they want and we are expected to support it.
Status: Failed
Description
Implementing many different computer hardware models from one or several hardware manufacturers introduces considerable complexity in administration and maintenance.
Standardized client PC hardware greatly improves troubleshooting as well as the predictability of how clients react to software updates and hotfixes.
Standardizing the hardware can greatly reduce support cost and troubleshooting effort and creates a base for a predictable service.
Additional Information
Standardizing PC Hardware
Reduce the number of client hardware models and hardware manufacturers you support to the necessary minimum.
BIOS Release Date Is Between 5 And 7 Years Old
Status: Failed
Description
5 node(s) out of 37 node(s) were affected by this issue (13.51%).
Microsoft recommends installing the newest BIOS version to avoid possible incompatibilities with the Windows operating system and to prepare for future Windows installations. Power management and other operations that rely on ACPI, such as startup and shutdown, also depend on having the newest BIOS installed. When manufacturers release a new motherboard, the BIOS on the board is already flashed, but new products are released constantly. Flashing the BIOS to the latest release enhances the system's capabilities, helps it detect newer devices and components (bigger hard drives, newer processors, and so forth), and improves stability, and manufacturers usually include a series of bug fixes in each release.
Additional Information
Importance
Microsoft recommends reviewing new BIOS versions at least every half year and evaluating the need to deploy the newer version. The newest BIOS version avoids possible incompatibilities with the Windows® operating system.
Recommended Resolution
It is recommended that you regularly check for new BIOS releases and install the update after verifying the package. Every newer BIOS release comes with a change log that should be read first; it helps you decide whether flashing that specific version is worth it.
Updating BIOS should only be done if necessary (for example, to solve a compatibility problem). It can be a complicated process, and if an error occurs, your computer could be rendered inoperable. Be sure to follow the manufacturer's instructions exactly.
Rule Algorithm
Source
WMI_1 Root\CIMv2:Win32_OperatingSystem.LocalDateTime
WMI_2 Root\CIMv2:Win32_BIOS.ReleaseDate
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is not virtualized
The following must be true:
* WMI_2 is compared to WMI_1 between 1827 and 2557 days old
Affected Nodes
admpc280.CVM.NCSU.EDU
Bios Release Date: 11/3/2010 12:00:00 AM
CHASSIT-TEST.CHASS.NCSU.EDU
Bios Release Date: 8/3/2011 12:00:00 AM
LAU-214-29.CHASS.NCSU.EDU
Bios Release Date: 8/3/2011 12:00:00 AM
T-131B-2.CHASS.NCSU.EDU
Bios Release Date: 9/10/2011 12:00:00 AM
VTHLOANERPC.CVM.NCSU.EDU
Bios Release Date: 11/3/2010 12:00:00 AM
No Fixed Hardware Lifecycle
Question: Do you have a fixed refresh cycle for your PCs and devices?
Selected Answer: No
Status: Failed
Description
Older hardware may have a negative influence on growing IT needs and on the scalability of applications.
Older hardware may also hurt the performance of newer software releases and increase overall power consumption. Hardware that has left the manufacturer's support window also stops receiving BIOS and firmware fixes.
Additional Information
Hardware Refresh Cycle
Hardware should be renewed according to growing IT needs and performance requirements.
Renewing PCs at regular, short intervals ensures performance improvements and access to newer power management features.
No Computer Management Software To Manage Hardware Settings
Question: Does your organization use any configuration tool to control the hardware settings of your clients?
Selected Answer: No
Status: Failed
Description
No computer management software exists to manage the hardware settings of the client computers in the organization.
Keeping track of the hardware settings and BIOS versions of the client computers is essential to keep the hardware secure and compatible with the newest operating systems and driver updates.
Additional Information
Computer Management Strategy
Being able to change hardware settings and update BIOS versions from a centralized management platform is essential to getting the newest BIOS versions deployed when they become available.
BIOS Release Date Is Between 3 And 5 Years Old
Status: Failed
Description
10 node(s) out of 37 node(s) were affected by this issue (27.03%).
Microsoft recommends installing the newest BIOS version to avoid possible incompatibilities with the Windows operating system and to prepare for future Windows installations. Power management and other operations that rely on ACPI, such as startup and shutdown, also depend on having the newest BIOS installed. When manufacturers release a new motherboard, the BIOS on the board is already flashed, but new products are released constantly. Flashing the BIOS to the latest release enhances the system's capabilities, helps it detect newer devices and components (bigger hard drives, newer processors, and so forth), and improves stability, and manufacturers usually include a series of bug fixes in each release.
Additional Information
Importance
Microsoft recommends reviewing new BIOS versions at least every half year and evaluating the need to deploy the newer version. The newest BIOS version avoids possible incompatibilities with the Windows operating system.
Recommended Resolution
It is recommended that you regularly check for new BIOS releases and install the update after verifying the package. Every newer BIOS release comes with a change log that should be read first; it helps you decide whether flashing that specific version is worth it.
Updating BIOS should only be done if necessary (for example, to solve a compatibility problem). It can be a complicated process, and if an error occurs, your computer could be rendered inoperable. Be sure to follow the manufacturer's instructions exactly.
Rule Algorithm
Source:
WMI_1 Root\CIMv2:Win32_OperatingSystem.LocalDateTime
WMI_2 Root\CIMv2:Win32_BIOS.ReleaseDate
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is not virtualized
The following must be true:
* WMI_2 (the BIOS release date) is between 1096 and 1826 days (3 to 5 years) before WMI_1 (the local date and time at collection)
Affected Nodes:
315BPT01.CALS.NCSU.EDU  Bios Release Date: 8/6/2013 12:00:00 AM
BUSTA.ECE.NCSU.EDU  Bios Release Date: 9/24/2013 12:00:00 AM
EI-SPARE-LT1.DELTA.NCSU.EDU  Bios Release Date: 10/18/2011 12:00:00 AM
ITECS-DT-55.EOS.NCSU.EDU  Bios Release Date: 3/14/2013 12:00:00 AM
MCHAMMER.ECE.NCSU.EDU  Bios Release Date: 9/24/2013 12:00:00 AM
TEX-KETONE.TX.NCSU.EDU  Bios Release Date: 3/27/2013 12:00:00 AM
TEX-OXYGEN.TX.NCSU.EDU  Bios Release Date: 9/19/2012 12:00:00 AM
TEX-TUNGSTEN.TX.NCSU.EDU  Bios Release Date: 9/19/2012 12:00:00 AM
VANILLAICE.ECE.NCSU.EDU  Bios Release Date: 9/24/2013 12:00:00 AM
WN-133-01.CHASS.NCSU.EDU  Bios Release Date: 9/24/2013 12:00:00 AM
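The rule above can be reproduced locally without the RAP collector. The following PowerShell is an added example and is not part of the RAP report or its tooling: it re-implements the 3-to-5-year check on constructed sample records copied from the affected-node list, then runs the same check against the local machine. One caveat worth noticing: the rule compares the BIOS date with WMI_1, the local date and time at collection, not with the report date. The collection date is not stated in the report; the example assumes 5 October 2016, the date of the last NETLOGON event quoted later in this section, and with that date the three sample nodes fall inside the 1096-to-1826-day window exactly as the report lists them, whereas measured from the report's 2023 date they would all be more than five years old.

```powershell
# Added example: re-implementation of the "BIOS Release Date Is Between 3 And 5 Years Old"
# rule. Not part of the RAP report or its collector.

function Get-BiosAgeBucket {
    param(
        [Parameter(Mandatory)][datetime]$ReleaseDate,   # Win32_BIOS.ReleaseDate (WMI_2)
        [datetime]$Now = (Get-Date)                      # Win32_OperatingSystem.LocalDateTime (WMI_1)
    )
    $days = [int][math]::Floor(($Now - $ReleaseDate).TotalDays)
    $bucket = if ($days -lt 1096)     { 'Under3Years' }
              elseif ($days -le 1826) { 'Between3And5Years' }   # the rule's failing window
              else                    { 'Over5Years' }
    [pscustomobject]@{ AgeDays = $days; Bucket = $bucket }
}

# Constructed sample: release dates copied from the report's affected-node list.
$sampleNodes = @(
    [pscustomobject]@{ Name = '315BPT01.CALS.NCSU.EDU';      ReleaseDate = [datetime]'2013-08-06' }
    [pscustomobject]@{ Name = 'EI-SPARE-LT1.DELTA.NCSU.EDU'; ReleaseDate = [datetime]'2011-10-18' }
    [pscustomobject]@{ Name = 'TEX-OXYGEN.TX.NCSU.EDU';      ReleaseDate = [datetime]'2012-09-19' }
)
# Assumed collection date (the report does not state it); see the lead-in.
$collectionDate = [datetime]'2016-10-05'

$sampleNodes | ForEach-Object {
    $age = Get-BiosAgeBucket -ReleaseDate $_.ReleaseDate -Now $collectionDate
    [pscustomobject]@{
        Node        = $_.Name
        ReleaseDate = $_.ReleaseDate.ToString('yyyy-MM-dd')
        AgeDays     = $age.AgeDays      # 1156, 1814 and 1477 respectively
        Bucket      = $age.Bucket       # all Between3And5Years
    }
} | Format-Table -AutoSize

# Live check. Get-CimInstance converts the DMTF timestamp in ReleaseDate to [datetime];
# the older Get-WmiObject returns the raw "yyyyMMddHHmmss.ffffff+zzz" string, which
# needs [Management.ManagementDateTimeConverter]::ToDateTime() first.
$bios = Get-CimInstance -ClassName Win32_BIOS
$sys  = Get-CimInstance -ClassName Win32_ComputerSystem
if ($sys.Model -match 'Virtual|VMware|HVM') {
    # The rule only applies to physical hardware (hardware condition: not virtualized).
    Write-Host "Virtualized platform ($($sys.Model)); rule does not apply."
} else {
    $live = Get-BiosAgeBucket -ReleaseDate $bios.ReleaseDate
    Write-Host ("{0} {1} released {2:yyyy-MM-dd}: {3} days old ({4})" -f `
        $bios.Manufacturer, $bios.SMBIOSBIOSVersion, $bios.ReleaseDate, $live.AgeDays, $live.Bucket)
}
```

The virtualization test on `Win32_ComputerSystem.Model` is a simple heuristic chosen for the example; the collector's own "target device is not virtualized" condition is not documented on this page.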
Device Not Working Properly Is Detected
Status: Failed
Description: 11 node(s) out of 37 node(s) were affected by this issue (29.73%).
Problem devices were found. Review the affected nodes and ensure that all devices are functioning properly.
Devices that are not functioning properly also contribute to reliability and system performance issues.
Additional Information
Importance: Devices with reported issues can cause an unstable and poorly performing working experience. Several of the entries below are side effects of other findings rather than hardware faults: the Teredo and IP-HTTPS transition adapters report an error state when IPv6 has been disabled through DisabledComponents (EI-SPARE-LT1 and PT315B-03 also appear in the "IPv6 Configuration Is Modified" finding), the AnyConnect virtual adapter is in that state whenever no VPN session is active, and ROOT\LEGACY_* entries are legacy service device nodes rather than physical devices. Resolve those through the related finding or by removing the software that created them. The remaining entries, such as the SM Bus Controller on GRAD076 and the USB 3.0 root hubs (IUSB3\ROOT_HUB30) reporting no caption, are driver problems.
Recommended Resolution: Check the hardware manufacturer's Web site for any missing drivers and updates.
Rule Algorithm
Source:
WMI_1 Root\CIMv2:Win32_PnPEntity.ConfigManagerErrorCode
WMI_2 Root\CIMv2:Win32_PnPEntity.Caption
WMI_3 Root\CIMv2:Win32_PnPEntity.Status
Detection Logic
Applies to: All operating systems
The following must be true:
* WMI_3 equals "Error", WMI_1 is not equal to "0", and WMI_2 does not contain "PS/" or "VPN"
Affected Nodes:
315BPT01.CALS.NCSU.EDU
  Caption: HP Scanjet scanner  PNPDeviceID: USB\VID_03F0&PID_4605\CN7B9A63H505  Status: Error
  Caption: USB 2861 Device  PNPDeviceID: USB\VID_1B80&PID_E302&MI_00\6&13A1AD1F&0&0000  Status: Error
admpc280.CVM.NCSU.EDU
  Caption: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64  PNPDeviceID: ROOT\NET\0001  Status: Error
BILT-3032A-01.CNR.NCSU.EDU
  Caption: No Caption  PNPDeviceID: ROOT\LEGACY_MSISERVER\0000  Status: Error
  Caption: Sentinel  PNPDeviceID: ROOT\LEGACY_SENTINEL\0000  Status: Error
EI-SPARE-LT1.DELTA.NCSU.EDU
  Caption: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64  PNPDeviceID: ROOT\NET\0000  Status: Error
  Caption: Microsoft Teredo Tunneling Adapter  PNPDeviceID: ROOT\NET\0001  Status: Error
  Caption: iphttpsinterface  PNPDeviceID: ROOT\*IPHTTPS\0000  Status: Error
GRAD076.NE.NCSU.EDU
  Caption: SM Bus Controller  PNPDeviceID: PCI\VEN_8086&DEV_8C22&SUBSYS_05A41028&REV_04\3&11583659&1&FB  Status: Error
ITECS-DT-34.EOS.NCSU.EDU
  Caption: No Caption  PNPDeviceID: IUSB3\ROOT_HUB30\4&36E5125B&0  Status: Error
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
  Caption: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64  PNPDeviceID: ROOT\NET\0000  Status: Error
PT315B-03.CALS.NCSU.EDU
  Caption: Microsoft Teredo Tunneling Adapter  PNPDeviceID: ROOT\*TEREDO\0000  Status: Error
  Caption: No Caption  PNPDeviceID: IUSB3\ROOT_HUB30\4&2EFDC18D&0  Status: Error
PT315B-04.CALS.NCSU.EDU
  Caption: No Caption  PNPDeviceID: IUSB3\ROOT_HUB30\4&2EFDC18D&0  Status: Error
TEX-OXYGEN.TX.NCSU.EDU
  Caption: No Caption  PNPDeviceID: IUSB3\ROOT_HUB30\4&92A43F&0  Status: Error
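The rule's output only says "Status: Error"; what a technician needs is the Device Manager error code behind it. The following PowerShell is an added example, not part of the RAP report: it applies the rule's filter (Status "Error", non-zero ConfigManagerErrorCode, PS/ and VPN captions excluded) to a constructed set of Win32_PnPEntity-like records whose IDs echo the affected-node list, decodes the code, and adds two triage flags (legacy service node, IPv6 transition adapter) that are an assumption of this example rather than part of the rule. The error codes given to the sample devices are assumed; the report does not list them.

```powershell
# Added example: the "Device Not Working Properly" rule as a reusable check, with the
# ConfigManagerErrorCode decoded so each hit is actionable. Not from the RAP report.

function Get-ProblemDevice {
    param([Parameter(Mandatory)][object[]]$Device)   # Win32_PnPEntity-like objects

    # Subset of ConfigManagerErrorCode meanings (Device Manager "Code NN").
    $meaning = @{
        1  = 'not configured correctly';        3  = 'driver corrupted or low memory'
        10 = 'cannot start';                    12 = 'not enough free resources'
        14 = 'needs a restart';                 18 = 'reinstall the drivers'
        19 = 'registry information corrupted';  22 = 'disabled'
        24 = 'not present or drivers missing';  28 = 'drivers not installed'
        31 = 'cannot load the drivers';         43 = 'stopped after reporting problems'
        45 = 'not connected'
    }

    $Device |
        Where-Object {
            $_.Status -eq 'Error' -and
            [int]$_.ConfigManagerErrorCode -ne 0 -and
            $_.Caption -notmatch 'PS/|VPN'          # the rule's exclusions
        } |
        ForEach-Object {
            $code = [int]$_.ConfigManagerErrorCode
            [pscustomobject]@{
                Caption  = if ($_.Caption) { $_.Caption } else { 'No Caption' }
                DeviceID = $_.PNPDeviceID
                Code     = $code
                Meaning  = if ($meaning.ContainsKey($code)) { $meaning[$code] } else { 'see Win32_PnPEntity docs' }
                # Triage hints (assumption of this example, not part of the RAP rule):
                # legacy service nodes and IPv6 transition adapters are rarely hardware faults.
                LegacyService  = $_.PNPDeviceID -like 'ROOT\LEGACY_*'
                IPv6Transition = $_.PNPDeviceID -match '^ROOT\\\*(TEREDO|IPHTTPS|6TO4|ISATAP)'
            }
        }
}

# Constructed sample devices; IDs echo the report, the error codes are assumed.
$sample = @(
    [pscustomobject]@{ Caption='HP Scanjet scanner'; PNPDeviceID='USB\VID_03F0&PID_4605\CN7B9A63H505'; Status='Error'; ConfigManagerErrorCode=28 }
    [pscustomobject]@{ Caption='Microsoft Teredo Tunneling Adapter'; PNPDeviceID='ROOT\*TEREDO\0000'; Status='Error'; ConfigManagerErrorCode=10 }
    [pscustomobject]@{ Caption=$null; PNPDeviceID='ROOT\LEGACY_MSISERVER\0000'; Status='Error'; ConfigManagerErrorCode=24 }
    [pscustomobject]@{ Caption='Standard PS/2 Keyboard'; PNPDeviceID='ACPI\PNP0303\4&ABCD&0'; Status='Error'; ConfigManagerErrorCode=24 }   # excluded by the rule
    [pscustomobject]@{ Caption='Intel(R) Ethernet Connection'; PNPDeviceID='PCI\VEN_8086&DEV_153A\3&11583659&0&C8'; Status='OK'; ConfigManagerErrorCode=0 }
)
Get-ProblemDevice -Device $sample | Format-Table -AutoSize   # 3 rows; the PS/2 and OK devices are dropped

# Live run against the local machine (no elevation needed):
Get-ProblemDevice -Device (Get-CimInstance -ClassName Win32_PnPEntity) | Format-Table -AutoSize
```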
Total Physical Memory Is Less Than 4GB
Status: Failed
Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
If a computer running Windows 7 seems too slow, it is usually because the PC does not have enough RAM. The best way to speed it up is to add more.
Additional Information
Importance: Low physical memory results in paging operations and produces delays in working with applications and the operating system.
Recommended Reading
The system memory that is reported in the System Information dialog box in Windows Vista is less than you expect if 4 GB of RAM is installed
http://support.microsoft.com/kb/929605
System requirements for Windows Vista
http://support.microsoft.com/kb/919183
Windows 7 System Requirements
http://windows.microsoft.com/systemrequirements
Rule Algorithm
Source:
Registry_Path_1 HKLM\System\CurrentControlSet\Services\dmvsc\Enum
WMI_1 Root\CIMv2:Win32_ComputerSystem.TotalPhysicalMemory
Detection Logic
Applies to: All operating systems
The following must be true:
* The number of keys under Registry_Path_1 is less than or equal to 1 (dmvsc is the Hyper-V Data Exchange driver, so this condition screens out Hyper-V guests)
* WMI_1 is less than 3,489,660,928 bytes (3.25 GiB) and greater than or equal to 2,000,000,000 bytes
Affected Nodes:
UNO.IE.NCSU.EDU  Total Physical Memory: 2,045.66 MB
Networking
Networking is one of the primary functions of Windows and much of the operating system is designed around its networking architecture. It enables communication between applications on different computers on a network and allows access to shared resources, such as directories and network printers on computers in the network. When you install the operating system, the Windows setup program can detect the network interface adapter, if there is one in the computer, and install a basic network software configuration consisting of a network interface adapter driver, the Client for Microsoft Networks, the File and Printer Sharing for Microsoft Networks service, and the Internet Protocol (TCP/IP) protocol module. These components make up the default configuration that provides basic local area network (LAN) connectivity in Windows.
In Microsoft Windows, core networking tasks are accomplished by using TCP/IP. TCP/IP consists of a suite of protocols, of which TCP and IP are two. This suite of protocols was originally designed to solve a communications problem among the branches of the United States military. In the 1960s, each of the military branches obtained bids from different vendors to provide computer systems for their branch. The Army chose Digital Equipment Corporation (DEC), the Air Force chose International Business Machines (IBM), and the Navy chose Unisys. Soon after, the military branches discovered that they needed their computer systems to communicate with each other to facilitate coordination between the military branches. The Department of Defense (DoD) launched a research project in 1969 to connect the systems of various vendors together to form a network of networks. The DoD developed TCP/IP with IP version 4 (IPv4) to connect this network of networks - the collection of networks now known as the Internet. TCP/IP is still used to connect business networks across the world.
IPv4 proved to be robust, easily implemented and interoperable. It has also stood the test of scalability from an internetwork to today’s global Internet. However, the initial design did not fully allow for the following:
▪ The exponential growth of the Internet and the impending depletion of the IPv4 address space.
▪ The requirement for security at the IP level. Private communication over a public medium, such as the Internet, requires encryption services that protect the data being sent from being viewed or modified in transit. Although a standard now exists for providing security for IPv4 packets, known as Internet Protocol Security (IPsec), it is optional.
▪ The growth of the Internet and the ability of Internet backbone routers to maintain large routing tables.
▪ The need for better support for real-time delivery of data, or Quality of Service (QoS).
To address these and other concerns, the Internet Engineering Task Force (IETF) developed IP version 6 (IPv6). IPv6, previously called IP next generation, incorporates the concepts of many proposed methods for updating the IPv4 protocol. The design of IPv6 is intentionally targeted for minimal impact on upper and lower layer protocols by avoiding the random addition of new features.
TCP/IP (with IPv4)
TCP/IP in Windows enables enterprise networking and connectivity with the following features:
▪ A standard, routable enterprise networking protocol that is the most complete and accepted protocol available. All modern, network operating systems offer TCP/IP support, and most large networks rely on TCP/IP for much of their network traffic.
▪ A technology for connecting dissimilar systems. Many standard connectivity tools are available to access and transfer data between dissimilar systems, including File Transfer Protocol (FTP) and Telnet, a terminal emulation protocol. Several of these standard tools are included with Windows Server.
▪ A robust, scalable, cross-platform client/server framework. TCP/IP in Windows Server offers the Windows Sockets (Winsock) interface, which is ideal for developing client/server applications that can run on Winsock-compliant TCP/IP protocol implementations from other vendors.
▪ A method of gaining access to the Internet. The Internet consists of thousands of networks worldwide, connecting research facilities, universities, libraries, and private companies.
TCP/IP (with IPv6)
The following features of the IPv6 protocol overcome the limitations of IPv4:
▪ New header format
▪ Large address space
▪ Efficient and hierarchical addressing and routing infrastructure
▪ Stateless and stateful address configuration
▪ Built-in security measures
▪ Better support for QoS
▪ New protocol for neighboring node interaction
▪ Extensibility
IPv6 includes new capabilities such as scoped addresses and stateless autoconfiguration, which lower the complexity and management burden, and IPsec support, which was a mandatory part of the original IPv6 specification (RFC 6434 later relaxed it to a recommendation) and permits end-to-end data authentication, data integrity and privacy of connections. In addition, IPv6 restores end-to-end communications, making networking applications simpler as the network again becomes transparent.
HOSTS Or LMHOSTS Configuration File Contains Entries
Status: Failed
Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
Microsoft TCP/IP can be configured to search the local HOSTS file for mappings of host names to IP addresses, and the local LMHOSTS file for mappings of NetBIOS names to IP addresses. Static entries in these files can cause unexpected name resolution results; name-to-IP resolution should be done by the Domain Name System (DNS).
Additional Information
Importance: Entries in HOSTS or LMHOSTS create additional complexity when troubleshooting name resolution problems.
Each HOSTS or LMHOSTS file is stored locally and is unlikely to be centrally managed or reported on, creating an element of risk in the overall name resolution process. As the configuration is specific to each computer, it can also cause issues when migrating or installing applications on new computers that do not have that specific configuration. The same file is a common tampering target: malware adds HOSTS entries to redirect or block update, security-vendor and banking domains, so an unexpected entry should be treated as a possible integrity issue and not only as a management inconvenience.
Recommended Reading
Providing Single-Label Name Resolution
http://technet.microsoft.com/en-us/library/cc816610(v=WS.10).aspx
Recommended Resolution: Review the entries in the HOSTS or LMHOSTS files and ensure they are necessary. Other options include registering the record in DNS, or implementing a GlobalNames Zone if the entry is being used to support single-label name resolution.
Rule Algorithm
Source:
FILE_1 %systemroot%\system32\Drivers\etc\HOSTS
FILE_2 %systemroot%\system32\Drivers\etc\LMHOSTS
Detection Logic
Applies to: All operating systems
The following must be true:
* FILE_1 exists and contains at least one entry other than the self-referencing ones (127.0.0.1, localhost)
* content in FILE_2 found
Affected Nodes:
UNO.IE.NCSU.EDU
  Hosts Content: 10.254.254.253 AFS
  LMHosts Content: 10.254.254.253 AFS #PRE
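The rule only asks whether the files contain anything beyond the self-referencing entries. The following PowerShell is an added example, not part of the RAP report: it parses HOSTS and LMHOSTS the way the rule does (comments stripped, 127.0.0.1/localhost ignored, with the LMHOSTS keywords #PRE and #DOM: kept as flags rather than treated as comments) and then applies a small watch list to spot the entries malware typically plants. The sample file content and the watch-list pattern are constructed for the example; only the AFS line comes from the report.

```powershell
# Added example: parse HOSTS/LMHOSTS as the rule does and flag entries a defender
# would want to look at. Not part of the RAP report.

function Get-HostsEntry {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Content,   # file lines
        [switch]$Lmhosts      # LMHOSTS keeps "#PRE"/"#DOM:" as keywords, not comments
    )
    foreach ($line in $Content) {
        $tokens = $line.Trim() -split '\s+'
        if ($tokens[0] -eq '' -or $tokens[0].StartsWith('#')) { continue }
        $names = @(); $flags = @()
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            $t = $tokens[$i]
            if ($t.StartsWith('#')) {
                if ($Lmhosts -and $t -match '^#(PRE|DOM:)') { $flags += $t; continue }
                break                                     # ordinary comment: stop here
            }
            $names += $t
        }
        if ($names.Count -eq 0) { continue }
        $addr = $null
        [pscustomobject]@{
            Address    = $tokens[0]
            Names      = $names
            Flags      = $flags
            ValidIP    = [System.Net.IPAddress]::TryParse($tokens[0], [ref]$addr)
            # The rule ignores self-referencing entries.
            SelfHosted = ($tokens[0] -in '127.0.0.1', '::1') -or ('localhost' -in $names)
        }
    }
}

# Constructed watch list of classic hijack targets; adjust to the environment.
$watch = 'windowsupdate|microsoft\.com|symantec|mcafee|sophos|kaspersky|bank'

function Test-HostsFile {
    param([string[]]$Content, [switch]$Lmhosts)
    Get-HostsEntry -Content $Content -Lmhosts:$Lmhosts |
        Where-Object { -not $_.SelfHosted } |
        ForEach-Object {
            # Sinkholing a watched name to 0.0.0.0/127.0.0.1 is the typical malware pattern.
            $suspicious = (($_.Names -join ',') -match $watch) -or ($_.Address -in '0.0.0.0', '127.0.0.1')
            $_ | Add-Member -NotePropertyName Suspicious -NotePropertyValue $suspicious -PassThru
        }
}

# Constructed sample HOSTS content: the report's AFS entry plus lines of the kind
# malware leaves behind.
$hosts = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.'
    '127.0.0.1       localhost'
    '::1             localhost'
    '10.254.254.253  AFS'
    '0.0.0.0         download.windowsupdate.com   # blocks updates'
)
Test-HostsFile -Content $hosts | Format-Table Address, Names, Suspicious -AutoSize
# -> AFS (Suspicious False) and download.windowsupdate.com (Suspicious True)

Test-HostsFile -Content @('10.254.254.253 AFS #PRE') -Lmhosts | Format-Table Address, Names, Flags -AutoSize

# Live files on this machine:
$etc = "$env:SystemRoot\System32\drivers\etc"
Test-HostsFile -Content (Get-Content "$etc\hosts")
if (Test-Path "$etc\lmhosts") { Test-HostsFile -Content (Get-Content "$etc\lmhosts") -Lmhosts }
```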
IPv6 Configuration Is Modified
Status: Failed
Description: 8 node(s) out of 37 node(s) were affected by this issue (21.62%).
Windows Vista and newer operating systems are configured with a dual stack (both IPv4 and IPv6), and IPv6 is enabled by default. As this is the standard configuration, Microsoft does not test with different IPv6 configurations. In addition, certain features and components (such as DirectAccess, Remote Assistance and HomeGroup) depend on IPv6 and will not work if it is disabled.
Additional Information
Importance: With IPv6 enabled, Windows clients register only globally routable addresses in DNS, so there will typically be no AAAA records in DNS until one of the following occurs:
• The client is attached to a network segment where an IPv6 prefix is advertised by the router (and therefore gets a native IPv6 address)
• You enable an ISATAP router in your environment and the client is pointed to it, either by an isatap.yourdomain.com DNS entry, a Group Policy setting for the ISATAP router, or the netsh interface isatap set router command
• You use a public IPv4 address range on your intranet, in which case the client derives a 6to4 IPv6 address and registers that in DNS
Until one of the above is true, the client might have a link-local IPv6 address or possibly a Teredo address, but neither of these registers an AAAA record in DNS, so other clients performing name resolution will not see the client as reachable over IPv6.
Be aware that clearing the "Internet Protocol Version 6 (TCP/IPv6)" check box in the network connection's properties (ncpa.cpl) merely unbinds IPv6 from that adapter and does not fully disable it. Although discouraged, the supported method of disabling IPv6 is the DisabledComponents registry value described in knowledge base article http://support.microsoft.com/kb/929852.
In summary, it is strongly recommended that IPv6 remain enabled, even in environments where IPv6 has not yet been deployed.
Recommended Reading
Disabling IPv6 Doesn't Help
http://blogs.technet.com/b/ipv6/archive/2007/11/08/disabling-ipv6-doesn-t-help.aspx
Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
How to disable IP version 6 or its specific components in Windows
http://support.microsoft.com/kb/929852
Startup delay occurs after you disable IPv6 in Windows 7 SP1 or Windows Server 2008 R2 SP1
http://support.microsoft.com/kb/3014406
A 5 Second Boot Optimization If You’ve Disabled IPv6 on Windows Client and Server by setting DisabledComponents to 0xFFFFFFFF
http://blogs.technet.com/b/askpfeplat/archive/2014/09/15/a-5-second-boot-optimization-if-you-ve-disabled-ipv6-on-windows-client-and-server-by-setting-disabledcomponents-to-0xffffffff.aspx
Recommended Resolution: If IPv6 is suspected of causing issues in the environment, open a support case with Microsoft to investigate and establish whether IPv6 is indeed the root cause, rather than disabling it as a workaround.
By default, the 6to4 tunneling protocol is enabled in Windows 8/8.1, Windows 7, Windows Vista, Windows Server 2008 R2 and Windows Server 2008 when an interface is assigned a public IPv4 address (that is, an address outside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). 6to4 automatically assigns an IPv6 address to the 6to4 tunneling interface for each such address and dynamically registers these IPv6 addresses with the assigned DNS server. If this behavior is not desired, disable the IPv6 tunnel interfaces on the affected hosts rather than IPv6 as a whole:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
REG_DWORD: DisabledComponents
Documented values:
0x0  Enable all IPv6 components (Windows default).
0x01  Disable IPv6 on all tunnel interfaces: Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4 and Teredo.
0x10  Disable IPv6 on all nontunnel interfaces (both LAN and Point-to-Point Protocol [PPP] interfaces).
0x11  Disable all IPv6 interfaces except the IPv6 loopback interface.
0x20  Prefer IPv4 over IPv6 by changing entries in the prefix policy table.
0xFF  Disable all IPv6 components except the IPv6 loopback interface. This value also configures Windows to prefer IPv4 over IPv6 by changing entries in the prefix policy table.
Note that 0xFFFFFFFF (decimal 4294967295), which five of the affected nodes use, is not one of the documented values: it sets undocumented bits and is the configuration that produces the five-second startup delay described in the Recommended Reading above. Where IPv6 genuinely has to be disabled, use 0xFF; where the goal is only to keep IPv6 from being used on the intranet, 0x20 is the least disruptive setting.
Rule Algorithm
Source:
Registry_Value_1 HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 is greater than or equal to 0x00000001
Affected Nodes:
COLLAB-TEST-HD.EOS.NCSU.EDU  DisabledComponents: 4294967295 (0xFFFFFFFF)
EI-SPARE-LT1.DELTA.NCSU.EDU  DisabledComponents: 4294967295 (0xFFFFFFFF)
GRAD073.NE.NCSU.EDU  DisabledComponents: 4294967295 (0xFFFFFFFF)
GRAD076.NE.NCSU.EDU  DisabledComponents: 4294967295 (0xFFFFFFFF)
PT315B-01.CALS.NCSU.EDU  DisabledComponents: 255 (0xFF)
PT315B-03.CALS.NCSU.EDU  DisabledComponents: 255 (0xFF)
UNO.IE.NCSU.EDU  DisabledComponents: 4294967295 (0xFFFFFFFF)
WN-133-01.CHASS.NCSU.EDU  DisabledComponents: 142 (0x8E)
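The rule fires on any non-zero value, so it cannot tell a supported setting (0x20, 0xFF) from the unsupported 0xFFFFFFFF or from an odd bit pattern such as 142. The following PowerShell is an added example, not part of the RAP report: it decodes a DisabledComponents value against the bits documented on this page (0x01, 0x10, 0x20), reports any other bits separately, and gives a verdict. The three sample values are the distinct values from the affected-node list; the live read at the end also shows the Int32 sign pitfall that turns 0xFFFFFFFF into -1 when read with Get-ItemProperty.

```powershell
# Added example: decode a DisabledComponents value into the documented bits and say
# whether it is a supported setting. Not part of the RAP report.

function ConvertFrom-DisabledComponents {
    param([Parameter(Mandatory)][uint32]$Value)

    # Bits documented in KB929852 (the values listed in this finding).
    $bits = [ordered]@{
        0x01 = 'IPv6 disabled on all tunnel interfaces (ISATAP, 6to4, Teredo)'
        0x10 = 'IPv6 disabled on all non-tunnel interfaces (LAN and PPP)'
        0x20 = 'IPv4 preferred over IPv6 (prefix policy table)'
    }
    $effects = @(foreach ($b in $bits.Keys) { if ($Value -band $b) { $bits[$b] } })
    # Anything outside those three bits is undocumented.
    $other = [uint32]($Value -band (-bnot [int64]0x31))

    $verdict = if ($Value -eq 0)                      { 'Default: all IPv6 components enabled' }
               elseif ($Value -eq [uint32]::MaxValue) { 'Unsupported 0xFFFFFFFF: disables everything and adds a 5-second boot delay (KB3014406); use 0xFF if IPv6 really must be off' }
               elseif ($Value -eq 0xFF)               { 'Documented: all IPv6 components disabled except loopback' }
               elseif ($Value -eq 0x20)               { 'Documented and least disruptive: IPv6 stays on, IPv4 preferred' }
               elseif ($other -ne 0)                  { 'Undocumented bit combination; find out how it was set' }
               else                                   { 'Documented partial setting' }

    [pscustomobject]@{
        Decimal   = $Value
        Hex       = '0x{0:X8}' -f $Value
        Effects   = $effects -join '; '
        OtherBits = '0x{0:X8}' -f $other
        Verdict   = $verdict
    }
}

# Constructed sample: the three distinct values from the report's affected nodes.
4294967295, 255, 142 | ForEach-Object { ConvertFrom-DisabledComponents -Value $_ } | Format-List
# 4294967295 -> all three effects, OtherBits 0xFFFFFFCE, unsupported
# 255        -> all three effects, OtherBits 0x000000CE, documented 0xFF
# 142 (0x8E) -> no documented effect, OtherBits 0x0000008E, undocumented combination

# Live value. Get-ItemProperty returns a REG_DWORD as a signed Int32, so 0xFFFFFFFF
# comes back as -1; mask it back to an unsigned value before decoding.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$raw = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $raw) {
    Write-Host 'DisabledComponents not set (default, IPv6 fully enabled)'
} else {
    ConvertFrom-DisabledComponents -Value ([uint32]($raw -band [int64]4294967295))
}
```

The 142 case illustrates why the decode matters: none of the documented bits is set, so the machine may behave almost as if IPv6 were enabled while still being flagged, and the value most likely came from a script or image rather than from following KB929852.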
Source: NETLOGON / Event ID: 5719 / Error: No Domain Controller Is Available For Domain
Status: Failed
Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
This event indicates that the computer was unable to connect to a domain controller. There are a number of possible reasons; the time at which the event was logged helps determine the root cause. The event may be expected depending on the current network state or configuration of the computer.
Additional Information
Importance: Depending on the nature of the issue this could be significant and affect user logon. If the issue is persistent and the client continues to be unable to contact a domain controller, the user may not be able to log on, or will log on with cached credentials and no Group Policy applied, which means that any security settings delivered by policy are not enforced for that session.
However, if the issue is transient and only occurs briefly during computer startup, it may still indicate a network configuration issue. While user authentication and subsequent access to the computer and wider environment would not be affected in this scenario, it is worthwhile investigating why this client is unable to contact a domain controller at that time.
Review KB938449 in the Recommended Reading section for a known scenario involving the spanning tree PortFast configuration option on the switch port.
Recommended Reading
A "Netlogon event ID 5719" event message is logged when you start a Windows based computer
http://support.microsoft.com/kb/938449
Rule AlgorithmSource
Event_1 EventLog ("System") @ "EventSource:NetLogon;EventID:5719"
Detection Logic
Applies to: All operating systems
The following must be true:
* Event_1 is listed in the past 7 days
Affected Nodes:
EI-SPARE-LT1.DELTA.NCSU.EDU
  Amount of Events logged within 7 days: 15
  First Event logged: 2016-09-28T16:59:23
  Last Event logged: 2016-10-05T12:40:26
  ID: 5719
  Provider: NETLOGON
  Message: This computer was not able to set up a secure session with a domain controller in domain WOLFTECH due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
  ADDITIONAL INFO: If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
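The report's count and first/last timestamps do not by themselves separate the harmless startup-only pattern (KB938449) from a persistent inability to reach a domain controller. The following PowerShell is an added example, not part of the RAP report: it summarises 5719 events for the rule's seven-day window and correlates each one with the preceding boot, using Event ID 6005 (event log service started) as the boot marker and a 120-second window as the definition of "at startup"; both of those are assumptions of this example. The sample timestamps are constructed; the live query at the end uses the same filter the rule describes.

```powershell
# Added example: pull NETLOGON 5719 events for the rule's 7-day window and tell the
# startup-only pattern (KB938449) apart from a persistent one. Not part of the RAP report.

function Get-Netlogon5719Summary {
    param(
        [datetime[]]$EventTime = @(),      # 5719 timestamps
        [datetime[]]$BootTime = @(),       # EventLog 6005 timestamps (service start = boot)
        [int]$StartupWindowSeconds = 120   # assumption: 5719 within 2 min of boot = transient
    )
    $EventTime = @($EventTime | Where-Object { $_ })
    $atStartup = @($EventTime | Where-Object {
        $t = $_
        ($BootTime | Where-Object { $t -ge $_ -and ($t - $_).TotalSeconds -le $StartupWindowSeconds }).Count -gt 0
    })
    $sorted = @($EventTime | Sort-Object)
    [pscustomobject]@{
        Count      = $EventTime.Count
        First      = if ($sorted) { $sorted[0] } else { $null }
        Last       = if ($sorted) { $sorted[-1] } else { $null }
        AtStartup  = $atStartup.Count
        Persistent = $EventTime.Count - $atStartup.Count
        Assessment = if ($EventTime.Count -eq 0) { 'no events' }
                     elseif ($atStartup.Count -eq $EventTime.Count) { 'startup-only: check switch port (PortFast) and NIC link-up timing' }
                     else { 'persistent: check DNS SRV records, network path, firewall and domain membership' }
    }
}

# Constructed sample: two boots, three 5719 events, one of them well after any boot.
$boots  = [datetime]'2016-10-03 08:00:00', [datetime]'2016-10-05 12:39:30'
$events = [datetime]'2016-10-03 08:00:41', [datetime]'2016-10-05 12:40:26', [datetime]'2016-10-04 15:12:07'
Get-Netlogon5719Summary -EventTime $events -BootTime $boots
# -> Count 3, AtStartup 2, Persistent 1, Assessment "persistent: ..."

# Live query for the last 7 days (System log). Get-WinEvent raises an error when no
# event matches, hence -ErrorAction SilentlyContinue.
$since = (Get-Date).AddDays(-7)
$live5719 = @(Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='NETLOGON'; Id=5719; StartTime=$since } -ErrorAction SilentlyContinue)
$liveBoot = @(Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='EventLog'; Id=6005; StartTime=$since } -ErrorAction SilentlyContinue)
Get-Netlogon5719Summary -EventTime @($live5719 | ForEach-Object TimeCreated) -BootTime @($liveBoot | ForEach-Object TimeCreated)
```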
Standard Order For Built In Network Provider Is Changed
Status: Failed
Description: 11 node(s) out of 37 node(s) were affected by this issue (29.73%).
A network provider is a DLL that supports a specific network protocol and implements the Network Provider API. This lets it receive standard network requests from the Windows operating system, such as connection or disconnection requests, and handle them by calling the network-specific API of the protocol it supports. In other words, the network provider wraps network-specific functionality in a DLL that exposes a standard interface to Windows.
Using network providers, Windows can support many different types of network protocol without knowing the network-specific details of each. This matters because new network protocols are developed all the time; supporting a new protocol only requires creating and installing a new network provider.
Network performance can be seriously degraded if the bindings or provider order are rearranged in a way that is inappropriate for your network. List the connections and protocols you use most to reach your resources first, and less frequently used ones after them. For example, on a LAN that uses primarily IPv4, the LAN adapter should be the first connection listed and IPv4 the first protocol listed for that connection.
Additional Information
Importance: The network provider order tells Windows in which sequence to try the installed providers when it resolves a network path or connection. Some providers are more efficient than others, so the order in which Windows consults them affects how fast the computer processes network requests.
Recommended Reading
Modify the Network Provider Order
http://technet.microsoft.com/en-us/library/cc771440(WS.10).aspx
ProviderOrder
http://technet.microsoft.com/en-us/library/cc786521.aspx
Recommended Resolution: You can change the network provider order so that a specific redirector is picked first. These redirectors include server message block (SMB), Web Distributed Authoring and Versioning (WebDAV), and the Novell NetWare Client for Windows.
The following registry subkeys (under HKLM\SYSTEM\CurrentControlSet\Services) correspond to the redirectors:
* RDPNP (Remote Desktop device redirection)
* LanmanWorkstation (SMB)
* WebClient (WebDAV)
* NetwareRedirector/NetwareWorkstation (NetWare)
You can change the network provider order in the Control Panel (Network Connections, Advanced Settings, Provider Order) or by editing the registry:
Hive: HKEY_LOCAL_MACHINE
Path: SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
Value: ProviderOrder (REG_SZ)
Default for Windows XP: RDPNP,LanmanWorkstation,webclient
Default for Windows Vista: LanmanWorkstation,RDPNP,webclient
Default for Windows 7/8: RDPNP,LanmanWorkstation,webclient
Rule Algorithm
Source:
Registry_Value_1 HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder @ REG_SZ
Detection Logic
Applies to: Windows XP
The following must be true:
* Registry_Value_1 is not equal to "rdpnp,lanmanworkstation,webclient"
Applies to: Windows Vista
The following must be true:
* Registry_Value_1 is not equal to "lanmanworkstation,rdpnp,webclient"
Applies to: Windows 7 and later
The following must be true:
* Registry_Value_1 is not equal to "rdpnp,lanmanworkstation,webclient"
Affected Nodes:
315BPT01.CALS.NCSU.EDU  ProviderOrder: RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
BILT-3032A-01.CNR.NCSU.EDU  ProviderOrder: RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
CLH-9F8NXR1.COM.NCSU.EDU  ProviderOrder: RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
COLLAB-TEST-HD.EOS.NCSU.EDU  ProviderOrder: RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
EB2-2214-LOAN01.CSC.NCSU.EDU  ProviderOrder: RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
EB2-2214-LOAN02.CSC.NCSU.EDU  ProviderOrder: RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
HLB106PC.CLASSTECH.NCSU.EDU  ProviderOrder: RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
ITECS-DT-34.EOS.NCSU.EDU  ProviderOrder: RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
MOBILELAB4.IE.NCSU.EDU  ProviderOrder: RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
UNO.IE.NCSU.EDU  ProviderOrder: RDPNP,AFSRedirector,LanmanWorkstation,webclient,MIT Kerberos,TransarcAFSDaemon
Kerberos Access Token Size Lower Than Recommended
Status: Failed
Description: 37 node(s) out of 37 node(s) were affected by this issue (100%).
The buffer Windows uses to receive a Kerberos ticket is limited by the MaxTokenSize setting. If a user is a member of a group, either directly or through membership in another group, the security identifier (SID) for that group is added to the user's token, and every SID must fit in the Kerberos ticket that carries the token to the client. Users with many group memberships (or a long SID history) can exceed the configured size, at which point authentication and Group Policy processing can fail.
Additional Information
Importance: The maximum verified size of the Kerberos access token is 65,535 bytes; this limit should not be exceeded.
To avoid issues, the recommended size is 48,000 bytes.
Recommended Reading
If the registry setting is larger than 64 kilobytes (KB), the following issues could occur:
FIX: Error Message: "Timeout expired" Occurs When You Connect to SQL Server Over TCP/IP and the Kerberos MaxTokenSize is Greater Than 0xFFFF
http://support.microsoft.com/kb/313661
Error message when an Outlook Web Access user tries to access a mailbox in Exchange Server 2003: HTTP 400 Bad Request (Request header too long)
http://support.microsoft.com/kb/920862
How Access Tokens Work
http://technet.microsoft.com/en-us/library/cc783557(WS.10).aspx
How to use Group Policy to add the MaxTokenSize registry entry to multiple computers
http://support.microsoft.com/kb/938118
The recommended MaxTokenSize is 48000 which is documented in the following article:
Problems with Kerberos authentication when a user belongs to many groups
http://support.microsoft.com/kb/327825
Recommended Resolution: Determine why MaxTokenSize has been set below 48000 and whether any users have access tokens that are likely to be larger than the configured value.
Set MaxTokenSize to 48000, which is the recommended practice (and the built-in default from Windows 8 and Windows Server 2012 onward).
Rule Algorithm
Source:
Registry_Value_1 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 is less than decimal 48000 (hex: 0x0000BB80)
Annotation: They should look to set this to 48K
Affected Nodes:
315BPT01.CALS.NCSU.EDU  Configured token size: 24576
admpc280.CVM.NCSU.EDU  Configured token size: 24576
ALUMINUM.CNR.NCSU.EDU  Configured token size: 24576
BILT-3032A-01.CNR.NCSU.EDU  Configured token size: 24576
BUSTA.ECE.NCSU.EDU  Configured token size: 24576
CHASSIT-TEST.CHASS.NCSU.EDU  Configured token size: 24576
CLH-9F8NXR1.COM.NCSU.EDU  Configured token size: 24576
COLLAB-TEST-HD.EOS.NCSU.EDU  Configured token size: 24576
crpc11.CVM.NCSU.EDU  Configured token size: 24576
DELTA-DT-SP03.DELTA.NCSU.EDU  Configured token size: 24576
Legacy Kerberos Registry Value Configured (MaxPacketSize)
Status: Failed
Description: 3 node(s) out of 37 node(s) were affected by this issue (8.11%).
The Kerberos registry value 'MaxPacketSize' is not present by default, but it was detected in this environment. It may have been configured in a Group Policy Preference (GPP) item, a script, or as part of the image deployment process. This may indicate an outdated configuration, so the setting should be reviewed to determine the most appropriate action.
Additional Information
Importance: Kerberos originally used connectionless UDP datagrams by default. Depending on a variety of factors, including security identifier (SID) history and group membership, some accounts have larger Kerberos authentication packets, and depending on the network hardware configuration these larger packets have to be fragmented. Because UDP is connectionless, fragmented UDP packets are dropped if they arrive at the destination out of order.
Since Windows Vista, Kerberos uses TCP by default, and this registry value does not exist by default on these platforms.
Recommended Reading
How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000 (also applies to Windows 7 and higher)
http://support.microsoft.com/kb/244474
Recommended Resolution: Remove the following registry value, as it is no longer needed:
Hive: HKLM
Path: System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value: MaxPacketSize
Rule Algorithm
Source:
Registry_Value_1 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize @ REG_DWORD
Detection Logic
Applies to: Windows Vista and later
The following must be true:
* Registry_Value_1 is equal to 0x00000001
AnnotationLook to set this to 48 k
Affected Nodes:
admpc280.CVM.NCSU.EDU  MaxPacketSize is configured to 1.
EI-SPARE-LT1.DELTA.NCSU.EDU  MaxPacketSize is configured to 1.
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU  MaxPacketSize is configured to 1.
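Both Kerberos findings above (MaxTokenSize below 48000 and the legacy MaxPacketSize value) read the same registry key. The following PowerShell is an added example, not part of the RAP report: it evaluates both values against the report's thresholds, takes the operating-system default into account when the value is absent, and uses the token-size estimate from KB327825 (1200 + 40d + 8s) to show how much group membership a given MaxTokenSize actually accommodates. The group counts in the sample are constructed; the 24576 and MaxPacketSize=1 values come from the affected-node lists.

```powershell
# Added example for the MaxTokenSize and MaxPacketSize findings: read both values from
# their documented location, evaluate them against the report's thresholds and estimate
# whether a user's group membership fits the configured token. Not part of the RAP report.

function Test-KerberosTokenSettings {
    param(
        [AllowNull()][nullable[int]]$MaxTokenSize,    # $null = value absent
        [AllowNull()][nullable[int]]$MaxPacketSize,
        [version]$OsVersion = [Environment]::OSVersion.Version
    )
    # Built-in default: 12000 bytes up to Windows 7/2008 R2, 48000 from Windows 8/2012 (6.2).
    $builtInDefault = if ($OsVersion -ge [version]'6.2') { 48000 } else { 12000 }
    $effective = if ($null -ne $MaxTokenSize) { $MaxTokenSize } else { $builtInDefault }

    $findings = @()
    if ($effective -lt 48000) { $findings += "MaxTokenSize $effective is below the recommended 48000" }
    if ($effective -gt 65535) { $findings += "MaxTokenSize $effective exceeds the 65535 maximum; HTTP and SQL front ends can reject the token" }
    if ($null -ne $MaxPacketSize -and $OsVersion -ge [version]'6.0') {
        $findings += "MaxPacketSize=$MaxPacketSize is a legacy setting; Kerberos already uses TCP on Vista and later, remove the value"
    }
    [pscustomobject]@{
        EffectiveMaxTokenSize = $effective
        Explicit              = $null -ne $MaxTokenSize
        Findings              = $findings
        Compliant             = $findings.Count -eq 0
    }
}

# Token size estimate from KB327825: 1200 + 40*d + 8*s, where d counts domain-local groups
# plus universal groups from other domains, and s counts global groups and universal groups
# from the user's own domain plus SID-history entries.
function Get-EstimatedTokenSize {
    param([int]$DomainLocalAndForeignUniversal, [int]$GlobalAndLocalUniversal, [int]$SidHistory = 0)
    1200 + 40 * $DomainLocalAndForeignUniversal + 8 * ($GlobalAndLocalUniversal + $SidHistory)
}

# Constructed sample: the report's configuration (24576) on a Windows 7 client, plus a
# node that still carries MaxPacketSize=1.
Test-KerberosTokenSettings -MaxTokenSize 24576 -MaxPacketSize $null -OsVersion '6.1' | Format-List
Test-KerberosTokenSettings -MaxTokenSize 24576 -MaxPacketSize 1     -OsVersion '6.1' | Format-List

# How many groups fit? A user in 400 domain-local and 200 global groups needs:
$need = Get-EstimatedTokenSize -DomainLocalAndForeignUniversal 400 -GlobalAndLocalUniversal 200   # 18800
"Estimated token {0} bytes; fits in 24576: {1}; fits in 48000: {2}" -f $need, ($need -le 24576), ($need -le 48000)
# Worst case at 24576 bytes: (24576 - 1200) / 40 = 584 domain-local groups before logon breaks.

# Live values (both live under Lsa\Kerberos\Parameters, not directly under Lsa):
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -ErrorAction SilentlyContinue
Test-KerberosTokenSettings -MaxTokenSize $p.MaxTokenSize -MaxPacketSize $p.MaxPacketSize | Format-List
```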
Custom Network Provider Configured
Status: Failed
Description: 17 node(s) out of 37 node(s) were affected by this issue (45.95%).
Network providers allow different protocols to be used when communicating with remote computers over a network. Windows supports the installation of custom network providers so that third parties can add networking support.
While custom network providers add functionality, a third-party network provider has performance and security implications. Every registered provider DLL is loaded into processes that perform network path and logon operations, and a provider that implements the logon notification interface (NPLogonNotify) is handed the user's credentials, including the clear-text password, at every interactive logon. A rogue or trojanized provider DLL is therefore a documented credential-theft and persistence technique, and each entry in this list should be tied to a known, signed software component.
Only install and configure network providers that are absolutely necessary, as each network provider is tried in sequence when establishing a new connection. The sequence is determined by the network provider order.
Additional Information
Importance: The network provider order can affect network request speed and should be reviewed. Security components such as VPN clients or antivirus software often register custom providers.
Recommended Resolution: Review the list of network providers and ensure that each one relates to a required software component. In some cases software installs a network provider even though the corresponding feature is not used; if the software vendor supports it, the provider can be removed.
Once unnecessary providers have been removed, ensure the network provider order is appropriate for optimal network performance.
Rule AlgorithmSource
Registry_Value_1 HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder @ REG_SZ
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 split by comma contains a value that is not "LanmanWorkstation", "WebClient" or "RDPNP"
Affected Nodes
315BPT01.CALS.NCSU.EDU
Custom Provider:
RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
admpc280.CVM.NCSU.EDU
Custom Provider:
AdobeDriveCS4_NP,RDPNP,LanmanWorkstation,webclient
BILT-3032A-01.CNR.NCSU.EDU
Custom Provider:
RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
CLH-9F8NXR1.COM.NCSU.EDU
Custom Provider:
RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
COLLAB-TEST-HD.EOS.NCSU.EDU
Custom Provider:
RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
EB2-2214-LOAN01.CSC.NCSU.EDU
Custom Provider:
RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
EB2-2214-LOAN02.CSC.NCSU.EDU
Custom Provider:
RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
HLB106PC.CLASSTECH.NCSU.EDU
Custom Provider:
RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
ITECS-DT-34.EOS.NCSU.EDU
Custom Provider:
RDPNP,AFSRedirector,LanmanWorkstation,webclient,TransarcAFSDaemon
LAU-214-29.CHASS.NCSU.EDU
Custom Provider:
WDNP32,RDPNP,LanmanWorkstation,webclient
Slow Network Performance Due To Suppression Policy Configuration
Status: Failed
Description
2 node(s) out of 37 node(s) were affected by this issue (5.41%).
When you use Windows Explorer to connect to a shared folder on a remote computer on your network, and you double-click a file in that shared folder to open it, it may take a longer time than expected to open the file. For example, you may experience this issue when you open a Microsoft Office document over a slow connection, such as a 64-kilobits-per-second (kbps) Integrated Services Digital Network (ISDN) connection on a wide area network (WAN).
Additional Information
Importance
This issue occurs because Windows Explorer tries to obtain detailed information about the remote share and about the file that you are opening. This operation may take a long time over a slow connection.
Recommended Reading
Slow network performance when you open a file that is located in a shared folder on a remote network computer
http://support.microsoft.com/kb/829700
Recommended Resolution
When a user connects to a network folder, some information will be obtained by the Windows operating system. You should suppress this to avoid the unnecessary network traffic and delays. To do so, you should configure the following registry settings:
Hive: HKEY_CLASSES_ROOT
Path: *\Shellex\PropertySheetHandlers\CryptoSignMenu
Entry: SuppressionPolicy
Type: REG_DWORD
Value: 100000 (hexadecimal)
Hive: HKEY_CLASSES_ROOT
Path: *\Shellex\PropertySheetHandlers\{3EA48300-8CF6-101B-84FB-666CCB9BCD32}
Entry: SuppressionPolicy
Type: REG_DWORD
Value: 100000 (hexadecimal)
Hive: HKEY_CLASSES_ROOT
Path: *\Shellex\PropertySheetHandlers\{883373C3-BF89-11D1-BE35-080036B11A03}
Entry: SuppressionPolicy
Type: REG_DWORD
Value: 100000 (hexadecimal)
Hive: HKEY_LOCAL_MACHINE
Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SCAPI
Entry: Flags
Type: REG_DWORD
Value: 00100c02 (hexadecimal)
Besides the direct registry modifications, you can also resolve this issue by using a Group Policy. Administrators can control which shell extensions can run by using the Approved key and the EnforceShellExtensionSecurity policy. The SuppressionPolicy value is tied to the EnforceShellExtensionSecurity policy. You can add this policy to enable the modified shell behavior.
To do this, follow these steps:
1. Click Start, click Run, type Gpedit.msc and then click OK.
2. Under User Configuration in the left pane, expand Administrative Templates, expand Windows Components, and then click Windows Explorer.
3. In the right pane, double-click Allow only per user or approved shell extensions, click Enabled, and then click OK.
Rule Algorithm
Source
Registry_Value_1 HKCR\*\Shellex\PropertySheetHandlers\CryptoSignMenu\SuppressionPolicy @ REG_DWORD
Registry_Value_2 HKCR\*\Shellex\PropertySheetHandlers\{3EA48300-8CF6-101B-84FB-666CCB9BCD32}\SuppressionPolicy @ REG_DWORD
Registry_Value_3 HKCR\*\Shellex\PropertySheetHandlers\{883373C3-BF89-11D1-BE35-080036B11A03}\SuppressionPolicy @ REG_DWORD
Registry_Value_4 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SCAPI\Flags @ REG_DWORD
Registry_Value_5 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\EnforceShellExtensionSecurity @ REG_DWORD
Registry_Value_6 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\EnforceShellExtensionSecurity @ REG_DWORD
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is Laptop/Notebook
The following must be true:
* Registry_Value_1, Registry_Value_2 or Registry_Value_3 is not equal to decimal 1048576 (hex: 0x00100000) or Registry_Value_4 is not equal to decimal 1051650 (hex: 0x00100C02)
* Registry_Value_5 or Registry_Value_6 is not equal to 0x00000001
Affected Nodes
EI-SPARE-LT1.DELTA.NCSU.EDU
SuppressionPolicy registry settings are not configured as recommended
MOBILELAB4.IE.NCSU.EDU
SuppressionPolicy registry settings are not configured as recommended
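The three registry findings above (Kerberos MaxPacketSize, Custom Network Provider Configured, Suppression Policy Configuration) can be re-checked on a node after remediation with the following PowerShell audit, an added example that is not part of the RAP report or of Microsoft's tooling. It re-implements each finding's Detection Logic as written; it assumes Windows PowerShell 5.1 or later running elevated, and it reads the rule's "Registry_Value_5 or Registry_Value_6 is not equal to 1" as "neither hive sets the policy", which is an assumption.

```powershell
# Added example, not code from the RAP report or from Microsoft. Re-implements the
# Detection Logic of three findings so a node can be re-checked after remediation.
# Assumes Windows PowerShell 5.1+ running elevated (HKLM, HKCR and HKCU readable).

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # -LiteralPath is essential: the "*" in the HKCR paths is a real key name,
    # and Get-ItemProperty -Path would treat it as a wildcard.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Finding: Kerberos MaxPacketSize. The rule fires when the value it reads is 1.
function Test-KerberosMaxPacketSizeFinding {
    $value = Get-RegistryValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'MaxPacketSize'
    return ($value -eq 1)
}

# Finding: Custom Network Provider Configured. Anything outside this set is custom.
$BuiltInProviders = @('LanmanWorkstation', 'WebClient', 'RDPNP')

function Get-CustomNetworkProvider {
    param(
        # Comma-separated ProviderOrder; defaults to the node's live value.
        [string]$ProviderOrder = (Get-RegistryValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order' -Name 'ProviderOrder')
    )
    # -notcontains compares case-insensitively, so the lower-case "webclient" seen
    # on the affected nodes matches the built-in WebClient and is not reported.
    $ProviderOrder -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ($BuiltInProviders -notcontains $_) }
}

# Finding: Suppression Policy Configuration. Values the resolution sets and the
# value the rule expects for each.
$SuppressionValues = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\*\Shellex\PropertySheetHandlers\CryptoSignMenu'; Name = 'SuppressionPolicy'; Expected = 0x00100000 },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\*\Shellex\PropertySheetHandlers\{3EA48300-8CF6-101B-84FB-666CCB9BCD32}'; Name = 'SuppressionPolicy'; Expected = 0x00100000 },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\*\Shellex\PropertySheetHandlers\{883373C3-BF89-11D1-BE35-080036B11A03}'; Name = 'SuppressionPolicy'; Expected = 0x00100000 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SCAPI'; Name = 'Flags'; Expected = 0x00100C02 }
)
# EnforceShellExtensionSecurity = 1 is looked for in either policy hive.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Test-PortableChassis {
    # Hardware condition of the rule: it applies to laptops/notebooks only.
    # Chassis types 8, 9, 10 and 14 are Portable, Laptop, Notebook and Sub Notebook.
    $types = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    foreach ($t in $types) { if ($t -in 8, 9, 10, 14) { return $true } }
    return $false
}

function Test-SuppressionPolicyFinding {
    # Mirrors the rule's two bullets: a node is reported only when at least one
    # value deviates AND the policy is not set to 1 in either hive (assumption:
    # setting it in one hive is enough to satisfy the rule).
    $valueDeviates = $false
    foreach ($v in $SuppressionValues) {
        if ((Get-RegistryValue -Path $v.Path -Name $v.Name) -ne $v.Expected) { $valueDeviates = $true }
    }
    $policySet = $false
    foreach ($p in $PolicyPaths) {
        if ((Get-RegistryValue -Path $p -Name 'EnforceShellExtensionSecurity') -eq 1) { $policySet = $true }
    }
    return ($valueDeviates -and -not $policySet)
}

# Summary for this node, in the shape of the report's "Affected Nodes" entries.
"Node: $env:COMPUTERNAME"
if (Test-KerberosMaxPacketSizeFinding) { 'MaxPacketSize is configured to 1.' }
$custom = @(Get-CustomNetworkProvider)
if ($custom.Count -gt 0) { 'Custom Provider: ' + ($custom -join ',') }
if ((Test-PortableChassis) -and (Test-SuppressionPolicyFinding)) {
    'SuppressionPolicy registry settings are not configured as recommended'
}
```

Running the script as a Configuration Manager compliance script or remotely with Invoke-Command gives a per-node result comparable with the Affected Nodes lists above.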
Operational Excellence
The Microsoft Operations Framework (MOF) provides operational guidance that enables organizations to achieve the mission-critical system reliability, availability, supportability, and manageability of Microsoft products. With this guidance, you can assess your current IT service management maturity, prioritize your most important processes, and apply proven principles and best practices to optimize the management of your client platform.
Strategy
Services provided by IT should align with the company Business Strategy. It is vital for the IT platform to be clear on what it is able to provide today and what it needs to be able to provide in the future. IT may also be able to influence Business Strategy by what it could provide using new technology.
This phase provides guidance on how to continually plan for and optimize the IT service strategy. It helps to deliver services that are:
▪ Valuable and compelling for the overall business.
▪ Predictable and reliable.
▪ Compliant with your policies.
▪ Cost-effective.
▪ Adaptable to the changing needs of the business.
Design
Effective design contributes towards the delivery of quality Services that meet or exceed Customer Expectations. This phase gives IT professionals the tools to more effectively deliver IT services, infrastructure projects, or packaged product deployments, and helps to ensure that those services are envisioned, planned, built, stabilized, and deployed in line with business requirements and the customer’s specifications.
Security
Security is an important part of system infrastructure. Any information system with a weak security foundation can eventually experience a security breach. In addition, depending on the information system and the severity of the breach, these breaches can range from data disclosure and loss of system availability to data corruption and even complete data loss.
Security can be separated into six categories, all of which are equally important in helping ensure the confidentiality, integrity, and availability of data. The categories include:
▪ Identification - Identification deals with user names and how users identify themselves to a computer system.
▪ Authentication - Authentication deals with passwords, smart cards, biometrics, and so forth. Specifically, authentication is how users demonstrate to the system that they are who they say they are.
▪ Access Control (also called authorization) - Access control deals with the access and privileges granted to users so they can perform certain functions on a computer system.
▪ Confidentiality - Confidentiality deals with encryption. Specifically, confidentiality mechanisms ensure that only authorized individuals are able to see data stored on or traversing the network.
▪ Integrity - Integrity deals with checksums and digital signatures. Specifically, integrity mechanisms ensure that data is not garbled, lost, or changed when traveling across the network.
▪ Non-repudiation - Non-repudiation is a means for providing proof of data transmission or receipt so that the occurrence of a transaction cannot be denied.
Another very important aspect of security is auditing. Audit logs might be the only indication that a security breach has occurred. Or, if the breach is discovered in some other way, correct audit settings can generate an audit log that helps administrators pinpoint the location and the perpetrator of the breach.
Transition
Successfully bringing a well-designed service into the production environment takes efficient transition planning and execution. It is necessary to deliver new or changed services with the appropriate balance of speed, reliability and safety while ensuring minimum disruption to operations.
This area helps IT Professionals coordinate processes described in the lifecycle phase SMFs, and provides guidance about:
▪ Establishing decision-making processes.
▪ Employing risk management and controls as part of all processes.
▪ Promoting change and configuration processes that are appropriately controlled.
▪ Dividing work so that accountabilities for results are clear and do not conflict.
Operate
Once Services have been successfully delivered into the production environment, they need to be managed effectively on a day-to-day basis. It is here that the service users' experience and your performance as a service provider are measured. This phase helps IT professionals efficiently operate, monitor, and support deployed services in line with existing service level agreement (SLA) targets.
Monitoring
Monitoring a client environment is critical to successful operations. Ineffective or absent monitoring can lead to a significant impact on performance, availability, and security. It can also lead to a degraded client experience going unnoticed by those responsible for timely response and resolution.
Thus, it is critical to design and deploy an effective monitoring system. Effective monitoring can drive improvements in performance, availability, and security of a client environment.
Consequently, it is essential that service levels are taken into consideration in the design and deployment of a client monitoring solution.
The Organization Does Not Measure Satisfaction With Their Applications And Services
Question: Does your organization measure user, customer, and business unit satisfaction with the Applications and Services?
Selected Answer: No
Status: Failed
Description
Customer satisfaction, a business term, is a measure of how products and services supplied by a company meet or surpass customer expectation. It is seen as a key performance indicator within business.
Additional Information
Measuring User Satisfaction
Conduct a survey of all or a sample of the business.
This can sometimes highlight issues in the perception of service, even if the SLA is not breached; for example, issues with the way service desk technicians respond to calls.
Consider making the Service Desk responsible for the survey.
Customer satisfaction is an ambiguous and abstract concept, and the actual manifestation of the state of satisfaction will vary from person to person and from product/service to product/service. The state of satisfaction depends on a number of both psychological and physical variables which correlate with satisfaction behaviors such as return and recommend rate. The level of satisfaction can also vary depending on other options the customer may have and other products against which the customer can compare the organization's products.
No Formal Security Risk Management Process Is Implemented
Question: Do you have a formal security risk management process in place?
Selected Answer: No
Status: Failed
Description
The Microsoft approach to security risk management involves a proactive approach. This approach can assist organizations of all sizes in their response to the requirements presented by environmental and legal challenges. A formal security risk management process enables enterprises to operate in the most cost-efficient manner with a known and acceptable level of business risk. It also gives organizations a consistent, clear path to organize and prioritize limited resources in order to manage risk. You will realize the benefits of using security risk management when you implement cost-effective controls that lower risk to an acceptable level. The definition of acceptable risk, and the approach to manage risk, is different for every organization. There is no right or wrong answer, and there are many risk management models currently in use. Each model has tradeoffs that balance accuracy, resources, time, complexity, and subjectivity. Investing in a risk management process, with a solid framework and clearly defined roles and responsibilities, prepares the organization to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business. Additionally, an effective risk management program will help the company to make significant progress toward meeting new legislative requirements. It is essential to understand the concept and processes in order to help plan, deploy, and implement a solution strategy for malware, viruses, or other attack risk.
Additional Information
Implement a Risk Management Process
The following Microsoft guide provides information about how Microsoft deals with security and risk management:
The Security Risk Management Guide
http://www.microsoft.com/en-us/download/details.aspx?id=6232
The Organization Does Not Have Documented Service Level Agreements (SLAs) For PCs And Windows Devices
Question: Does your organization have documented Service Level Agreements (SLAs) for PCs and Windows devices?
Selected Answer: No
Status: Failed
Description
Service Level Management aligns business needs with the delivery of IT services. It provides the interface with the business that allows the other SMFs to deliver IT solutions that are in line with the requirements of the business and at an acceptable cost. The goal of Service Level Management is to successfully deliver, maintain, and improve IT services. Service Level Management aims to align and manage IT services through a process of definition, agreement, operation measurement, and review. The scope of Service Level Management includes defining the IT services for the organization and establishing service level agreements (SLAs) for them. Fulfilling SLAs is assured by using underpinning contracts (UCs) and operating level agreements (OLAs) for internal or external delivery of the services. Introducing Service Level Management into a business will not give an immediate improvement in the levels of service delivered. It is a long-term commitment. Initially, the service is likely to change very little; but over time, it will improve as targets are met and then exceeded. SLAs are an essential, beneficial, and often the most visible part of the Service Level Management SMF. The SLAs are a mutually agreed-on and negotiated offering for both the IT department and the business. They are formal, typically signed, agreements between IT and the organization to document the expectations and requirements of a service delivered to the organization from the IT service provider. There are many different types of SLAs:
· Internal SLAs
· External SLAs
· Nominal expectations SLAs
· Fully documented and legally binding SLAs
· SLAs for one part of the business area and one service within that area
· SLAs for one business area and all the services within that area
· SLAs for one service for all areas.
Additional Information
Defining SLAs
When considering how to build the SLA structure, it is useful to consider the services in question and the business areas that they pertain to, the practicality of the reporting and monitoring functions, the involvement and manageability of the review meetings, and any informal communication. All of these factors can contribute to the structure that is put into place. For example, if an organization uses a service across several departments, but the culture within that organization treats different areas as separate functions, it may be worth creating an SLA that delivers the minimum requirements of the service across the entire business. This can be considered as a generic SLA, but departments may indicate that they want individually specified response times, resolution times, or review meetings specifically for their own areas. These are exceptions to the generic service availability. Because such specific SLA objectives may be added to a department's agreements, the organization-wide SLA becomes measurable, and the specifics can be reported when required.
Common measures in SLAs include:
- Service Hours; Days and hours that the service is available
- Availability; % figure of Service Hours that the Service needs to be available
- Responsiveness and performance; Speed and volume of a service, data transfer etc.
- Integrity and accuracy; Is the data in the Service doing what it is meant to?
- Security; security of the service.
The measures for the service level objectives should be carefully considered using the following criteria:
· Do they support the business objectives?
· Are they specific?
· Can they be measured?
· Are they attainable, even if this requires significant effort on the part of IT?
· Are they realistic in relation to the benefit they will bring to the business?
When the requirements of the SLA have been defined, determine if they can be delivered at a reasonable cost to the business and to the IT department. All parties agreeing on the service level (business and IT) will then need to negotiate and agree on these requirements. As long as the IT department knows what it can provide, including monitoring and reporting capabilities, and the business can justify the cost of exceptions to these capabilities, then the negotiation should be straightforward.
Once the negotiation is complete, the SLA should be documented in a simple, easy-to-understand format (a 3 to 4 page document), designed so that all interested parties can easily view the SLA and become familiar with the requirements specified in it.
The SLA should include:
· Agreeing parties. For the SLA: IT and the business / for the OLA: IT and IT.
· Terms. The period the SLA will last, for example, one or two years. This is obviously subject to update and review in line with business requirements. For example, if the business runs on a project basis and no project runs for more than one year, then one year is a reasonable term for the SLA.
· Scope. The services and the line of business area covered.
· Limitations. Consider the services being delivered. There may be limitations, for example, the number of online users or the reasonable hours of usage, that may affect the SLA. These limitations should be noted so that the expectation of the service is practical.
· Service level objectives. These objectives should be simple and relatively few in number in order to focus on the most important objectives.
· Indicators. What determines success or failure of the objective? Be sure to use business language for this even if technology is involved; for example, "packets sent" means nothing to the financial manager.
· Exclusions. What is not included; for example, a high-speed printing service might be included in the SLA but not a check-printing facility.
· Reporting. What reports will be run to support the SLA, when, by whom, how will the reports be distributed, and what indicators will be measured?
· Reviews. Define the review period and the process for any informal changes and reviews; for example, who must agree in order for a change to be made to the SLA.
Changes to the SLA may arise from other changes in the change management process or because of reviews or informal communications. Changes must be agreed on by both parties whether they are made in the internal review process or between reviews. Specify in the SLA the agreement process for making changes to a specific SLA. For example, a department manager and the IT representative may both need to sign off on any changes made to the SLA; but if it is a corporate service, this sign off may need to be made at a higher management level and involve more consultation with IT and the business.
The SLA should be reviewed at regular intervals and after major changes.
NOTE While it is important to remember that the long-term aim of Service Level Management is improved service, there may be times during its initial stages in which the service does not meet the expectations and agreed-upon constraints. This is not necessarily a failure, but it can mean that the marker has been set too high and must be adjusted while the service gradually improves.
The Organization Does Not Have A Change Management Process
Question: Does your organization have a Change Management process?
Selected Answer: No
Additional Comments: For campus wide Windows services there are two committees that must approve changes.
Status: Failed
Description
The objective of Change Management is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to controlled IT infrastructure, in order to minimize the number and impact of any related incidents upon service.
Change Management can ensure standardized methods, processes and procedures are used for all changes, facilitate efficient and prompt handling of all changes, and maintain the proper balance between the need for change and the potential detrimental impact of changes.
Additional Information
Implement a Change Management Process
Implement a Release Management process that follows good practice of ITIL or MOF.
When implementing any process the following should be considered:
· Do not be over ambitious
· Consider what elements already exist, are in use and effective
· Identify what can be re-used or needs to be developed
· Adapt the guidelines to meet your requirements
The costs of implementing a process will include the following and should be budgeted for appropriately:
· SET UP vs. ONGOING vs. ENHANCEMENT
· Consider cost of NOT taking action
· TRANSFER - staff from other areas of IT to assist
· HARDWARE - PCs, Printers, servers to run tools etc.
· EXTERNAL - consultants, contractors
· SOFTWARE - ITSM toolset, alert tools, MS-Office, etc.
· PEOPLE - salaries, training, benefits etc.
· ACCOMMODATION - office space, computer equipment room space, utilities etc.
The following issues are common when implementing new processes:
· Lack of commitment (IT, Customer, Management)
· Resistance to change
· Knowing where to start
· Over expectation/Over commitment
· Lack of Tools, Training, Resources
· Culture/Geography of organization
· Bypassing procedures
· Cost justification
To assist in overcoming such problems there must be clear guidelines in place regarding roles & responsibilities. Define early on:
· Who is the process owner
· What are the roles within the process
· What skills are required to perform the roles
· Relationships with other IT Service Management disciplines
· Relationship with rest of IT
KPIs to assist the measurement of the process and its ongoing success should also be defined, but ensure that the KPIs:
· Are measurable
· Are reported in terms which make sense to recipient
· Prove efficiency and effectiveness of process
· Are reported as a "number of" or "percentage of"
Many Organizations attempt to implement new processes through the purchase of a tool. The selection of any Service Management tool must be carefully made and the following factors have to be considered:
· Process MUST come first
· Meet all mandatory requirements
· Out of the box should fit at least 80% of operational requirements
· Little product customization
· ITIL conformance (Consider verification products such as PinkVerify)
· Sound data structure and handling (can get data out - reporting)
· Service management driven - not technology driven
· Admin and maintenance costs within budget
The Organization Does Not Have A Formal Release Management Process
Question: Does your organization have a release management process?
Selected Answer: No
Status: Failed
Description
The goals and objectives of Release Management are to:
· Plan releases in line with requirements resulting from approved changes.
· Build effective release packages for the deployment of one or many changes into production.
· Test release mechanisms to ensure minimum disruption to the production environment.
· Review preparation for the release to ensure maximum successful deployments.
· Deploy the release in line with structured implementation guidelines.
Additional Information
Release Management
Implement a Release Management process that follows good practice of ITIL or MOF.
When implementing any process the following should be considered:
· Do not be over ambitious
· Consider what elements already exist, are in use and effective
· Identify what can be re-used or needs to be developed
· Adapt the guidelines to meet your requirements
The costs of implementing a process will include the following and should be budgeted for appropriately:
· SET UP vs. ONGOING vs. ENHANCEMENT
· Consider cost of NOT taking action
· TRANSFER - staff from other areas of IT to assist
· HARDWARE - PCs, Printers, servers to run tools etc.
· EXTERNAL - consultants, contractors
· SOFTWARE - ITSM toolset, alert tools, MS-Office, etc.
· PEOPLE - salaries, training, benefits etc.
· ACCOMMODATION - office space, computer equipment room space, utilities etc.
The following issues are common when implementing new processes:
· Lack of commitment (IT, Customer, Management)
· Resistance to change
· Knowing where to start
· Over expectation/Over commitment
· Lack of Tools, Training, Resources
· Culture/Geography of organization
· Bypassing procedures
· Cost justification
To assist in overcoming such problems there must be clear guidelines in place regarding roles & responsibilities. Define early on:
· Who is the process owner
· What are the roles within the process
· What skills are required to perform the roles
· Relationships with other IT Service Management disciplines
· Relationship with rest of IT
KPIs to assist the measurement of the process and its ongoing success should also be defined, but ensure that the KPIs:
· Are measurable
· Are reported in terms which make sense to recipient
· Prove efficiency and effectiveness of process
· Are reported as a "number of" or "percentage of"
Many Organizations attempt to implement new processes through the purchase of a tool. The selection of any Service Management tool must be carefully made and the following factors have to be considered:
· Process MUST come first
· Meet all mandatory requirements
· Out of the box should fit at least 80% of operational requirements
· Little product customization
· ITIL conformance (Consider verification products such as PinkVerify)
· Sound data structure and handling (can get data out - reporting)
· Service management driven - not technology driven
· Admin and maintenance costs within budget
The Organization Does Not Have Up-to-date Asset Information For The Environment
Question: Does your organization have an up-to-date asset (hardware/software) inventory of your PCs and Windows devices?
Selected Answer: No
Additional Comments: We use SCCM for all of our hardware/software inventory. And while we collect a lot of data, we have no way of using that data to make informed decisions or even get an overview of the health of our environment. For devices not in AD we have no way of getting inventory from those machines.
Status: Failed
Description
If you are not aware that a particular machine has non-standard software installed, it is impossible for you to be compliant with your licensing contracts.
Also, if you don't know who the owner of each device is and what its hardware characteristics are, it becomes impossible to remotely support it.
Additional Information
Asset Inventory
Up-to-date and complete asset information for IT servers is required in order to successfully manage an IT environment. Managing asset information alone is not sufficient. Configuration management information is also required.
MOF and ITIL define the best practices for configuration management that should be adapted and applied to the IT infrastructure. The IT team should know what and where the servers are, how they are configured, and the relationships among the servers.
You can use System Center Configuration Manager or a similar tool to collect information about your machines. Desired Configuration Manager (DCM) will help you monitor and/or enforce compliance.
The Organization Is Not Formally Measured On Improving The Quality Of The Service
Question: Does your organization formally get measured on improving quality of the service?
Selected Answer: No
Status: Failed
Description
To stay competitive in an aggressive business environment, the Service Management strategy should be based on the concept of an iterative life cycle that supports both the ability to incorporate change quickly and to continuously assess and improve the overall operations environment.
Additional Information
Continuous Improvement
Consider defining some basic activities which can be carried out based upon regular reviews and metrics which are trended over time to define where potential improvements can be made to Service Management processes and activities.
Think of the IT service lifecycle as a continuum: it begins with the efforts of IT to understand the services that the business needs and ends with those services operating in a production environment.
Cost, quality and resource utilization are excellent measures for how well a Service Improvement Program (SIP) has been run. These are also important factors in the Return On Investment (ROI) generated from the SIP. If these are higher than expected, the ROI will be lowered.
The Organization Does Not Have A Formal Incident Management Process For The Windows Client Environment

Question: Does your organization have an Incident Management Process for the Windows client environment?
Selected Answer: No
Status: Failed
Description: All organizations experience incidents that either impact or threaten to impact the normal running of the business. As businesses have become increasingly dependent upon their IT services, the need to react quickly and effectively to any incidents that adversely affect IT services or infrastructure has become paramount.
Incident management is a critical process that allows organizations to first detect an incident and then target the correct support resources in order to resolve the incident as quickly as possible. The process also provides management with accurate information about the incident so they can identify the required support resources and plan for their provision. By using the incident management process, organizations can ensure that their support resources are focusing on the issues with the greatest urgency and, potentially, the greatest impact on the business. Without the control and management information provided by this process, organizations cannot be assured that their often substantial investment in IT support is truly meeting its objectives. Key benefits of incident management include the following:
· Timely incident resolution, thus resulting in minimized business impact
· Improved utilization of support resources
· Better understanding of the impact of incidents on SLA targets, thus allowing improved prioritization
· Accurate information on the incidents that are occurring
· Elimination of lost incidents and service requests
· Increased availability of management information

Additional Information

Implement an Incident Management Process

Implement an Incident Management process that follows good practice of ITIL or MOF.
When implementing any process the following should be considered:
· Do not be over ambitious
· Consider what elements already exist, are in use and effective
· Identify what can be re-used or needs to be developed
· Adapt the guidelines to meet your requirements
The costs of implementing a process will include the following and should be budgeted for appropriately:
· SET UP vs. ONGOING vs. ENHANCEMENT
· Consider cost of NOT taking action
· TRANSFER - staff from other areas of IT to assist
· HARDWARE - PCs, Printers, servers to run tools etc.
· EXTERNAL - consultants, contractors
· SOFTWARE - ITSM toolset, alert tools, MS-Office, etc.
· PEOPLE - salaries, training, benefits etc.
· ACCOMMODATION - office space, computer equipment room space, utilities etc.
The following issues are common when implementing new processes:
· Lack of commitment (IT, Customer, Management)
· Resistance to change
· Knowing where to start
· Over expectation/Over commitment
· Lack of Tools, Training, Resources
· Culture/Geography of organization
· Bypassing procedures
· Cost justification
To assist in overcoming such problems there must be clear guidelines in place regarding roles & responsibilities. Define early on:
· Who is the process owner
· What are the roles within the process
· What skills are required to perform the roles
· Relationships with other IT Service Management disciplines
· Relationship with rest of IT
KPIs to assist the measurement of the process and its ongoing success should also be defined, but ensure that the KPIs:
· Are measurable
· Are reported in terms which make sense to recipient
· Prove efficiency and effectiveness of process
· Are reported as a "number of" or "percentage of"
Many organizations attempt to implement new processes through the purchase of a tool. The selection of any Service Management tool must be made carefully, and the following factors have to be considered:
· Process MUST come first
· Meet all mandatory requirements
· Out of the box should fit at least 80% of operational requirements
· Little product customization
· ITIL conformance (Consider verification products such as PinkVerify)
· Sound data structure and handling (can get data out - reporting)
· Service management driven - not technology driven
· Admin and maintenance costs within budget
No Client Testing Environment That Mirrors End-user Installation Base

Question: Do you have a lab that contains the same application servers and Active Directory structure you run in the production environment?
Selected Answer: No
Status: Failed
Description: Thorough testing and development can only be safely conducted in an isolated test environment.
The lack of such an environment typically means that these activities either do not occur or they occur on production servers.
Failure to perform adequate testing is a common cause of production outages.
In addition, testing in production is very risky and can cause as many problems as it was intended to prevent.

Additional Information

Create Test Environment
Implement an adequate test environment that reflects components of the production environment. This test environment will ensure stability and predictability for all components being rolled out to the production environment.
The Organization Does Not Review Performance Against Their Existing Support Agreements

Question: Does your organization proactively review performance of support agreements against plans / expectations and agree to changes that facilitate better alignment with requirements?
Selected Answer: No
Status: Failed
Description: While a service improvement program is of value to an organization, it has to be measured so as to provide tangible benefits.

Additional Information

Managing Support Agreements

Cost, quality and resource utilization are excellent measures for how well a Service Improvement Program (SIP) has been run. They are also important factors in the Return On Investment (ROI) generated from the SIP; if cost or resource utilization is higher than expected, the ROI will be lowered.
The Organization Has Not Developed Training Plans Based On The Roadmaps Of Their Key Vendors

Question: Has your organization developed training plans that follow the product roadmap of your key vendors?
Selected Answer: No
Status: Failed
Description: An understanding of a vendor's applications and services can be leveraged as a vital part of an organization's planning for the future of its IT environment.

Additional Information

Align with Vendor Roadmaps

Speak to vendors and ensure they provide roadmaps for their future products. Many vendors, Microsoft among them, can arrange an Executive Briefing, carried out over several days, to discuss the roadmap and the organizational challenges of the customer. This should occur at least annually.
The Organization Does Not Maintain Documented Standards And Policies For The Design And Implementation Of Services

Question: Does your organization maintain documented standards and policies for service design and implementation?
Selected Answer: No
Status: Failed
Description: Complex solutions require consistent methods and policies when deployed. The lack of consistency can lead to configuration errors and potential service outages.

Additional Information

Create Service Standards

Implement and document clear standards and policies around the design of your infrastructure and how items are implemented into the operational environment. This should include the builds to use, hardware standards, testing standards, etc.
The Organization Does Not Have Defined Operating Level Agreements (OLAs) Between Dependent IT Units

Question: Does your organization have defined Operating Level Agreements (OLAs) between dependent IT Units?
Selected Answer: No
Additional Comments: The past couple of years ITIL has become more important, but a long way from having OLAs.
Status: Failed
Description: Risks to availability may be caused by technology, processes and procedures, and human error. Countermeasures, such as carefully designed testing and release procedures and appropriate staff training plans, can be employed to help mitigate these risks. Risks to availability exist throughout the whole IT infrastructure and within every management process. Although not directly responsible for each of these processes, availability management is responsible for making sure that all areas of risk to availability are taken into account and that the overall IT infrastructure and the maturity of management processes supporting a given IT service are sufficient.
Availability management and service continuity management are closely related in this respect as both processes strive to eliminate risks to the availability of IT services. The prime focus of availability management is handling the routine risks to availability that can be reasonably expected to occur on a day-to-day basis. Rare, expensive, or unanticipated risks are handled by service continuity management.
Defining Operating Level Agreements (OLAs) between dependent IT units is paramount to maintaining well-defined accountabilities.

Additional Information

Defining Operating Level Agreements

When considering how to build the OLA structure, it is useful to consider the services in question and the business areas that they pertain to, the practicality of the reporting and monitoring functions, the involvement and manageability of the review meetings, and any informal communication. All of these factors can contribute to the structure that is put into place. For example, if an organization uses a service across several departments, but the culture within that organization treats different areas as separate functions, it may be worth creating an OLA that delivers the minimum requirements of the service across the entire business. This can be considered as a generic OLA, but departments may indicate that they want individually specified response times, resolution times, or review meetings specifically for their own areas. These are exceptions to the generic service availability. Because such specific OLA objectives may be added to a department's agreements, the organization-wide OLA becomes measurable, and the specifics can be reported when required.
Common measures in OLAs include:
- Service Hours: days and hours that the service is available
- Availability: percentage of Service Hours during which the service needs to be available
- Responsiveness and performance: speed and volume of a service, data transfer rates, etc.
- Integrity and accuracy: is the data in the service doing what it is meant to?
- Security: the security controls the service commits to
The measures for the service level objectives should be carefully considered using the following criteria:
· Do they support the business objectives?
· Are they specific?
· Can they be measured?
· Are they attainable, even if this requires significant effort on the part of IT?
· Are they realistic in relation to the benefit they will bring to the business?
When the requirements of the OLA have been defined, determine if they can be delivered at a reasonable cost to the business and to the IT department. All parties agreeing on the Service level (business and IT) then will need to negotiate and agree these requirements. As long as the IT department knows what it can provide, including monitoring and reporting capabilities, and the business can justify the cost of exceptions to these capabilities, then the negotiation should be straightforward.
Once the negotiation is complete, the OLA should be documented in a simple, easy-to-understand format (a 3 to 4 page document), designed so that all interested parties can easily view the OLA and become familiar with the requirements specified in it.
The OLA should include:
· Agreeing parties. For the SLA: IT and the business / for the OLA: IT and IT.
· Terms. The period the OLA will last, for example one or two years. This is obviously subject to update and review in line with business requirements. For example, if the business runs on a project basis and no project runs for more than one year, then one year is a reasonable term for the OLA.
· Scope. The services and the line of business area covered.
· Limitations. Consider the services being delivered. There may be limitations, for example the number of online users or the reasonable hours of usage, that may affect the OLA. These limitations should be noted so that the expectation of the service is practical.
· Service level objectives. These objectives should be simple and relatively few in number in order to focus on the most important objectives.
· Indicators. What determines success or failure of the objective? Be sure to use business language for this even if technology is involved; for example, "packets sent" means nothing to the financial manager.
· Exclusions. What is not included; for example, a high-speed printing service might be included in the OLA but not a check-printing facility.
· Reporting. What reports will be run to support the OLA, when, by whom, how will the reports be distributed, and what indicators will be measured?
· Reviews. Define the review period and the process for any informal changes and reviews; for example, who must agree in order for a change to be made to the OLA.
The Organization Has Not Implemented Management Packs Or Guides To Monitor PCs And Other Windows Devices

Question: Does your organization implement system monitoring practices by utilizing vendor management guides or management packs on Windows client machines?
Selected Answer: No
Status: Failed
Description: It is essential to apply an engineering focus to the design and deployment of a service in an enterprise environment. It is just as important to apply a similar focus to the design and deployment of an effective monitoring system.
Effective monitoring can drive improvements in performance, availability, and the security of a service deployment. Therefore, make sure that service levels are considered in the design and deployment of a service monitoring solution.

Additional Information

Using Management Packs

The following two considerations are very important:
Time Required for Alerts to Reach the Console
The time that is required for a generated alert to reach the operator's console will directly affect the ability of the operator to respond in a timely manner. In Microsoft IT, this metric is measured against a service level agreement (SLA) of 90 percent of alerts reaching the operator's console within one minute.
Alert-to-Ticket Ratio
Although there are many ways to measure the effectiveness of a monitoring solution, the alert-to-ticket (service request) ratio is an indispensable metric. For example, if the operator is presented with too many alerts that do not require action, there is a risk that the operator may ignore some of the information being presented by the monitoring solution. The perfect state would be one in which every alert presented to the operator requires action. However, to ensure effective monitoring, even this state would require measuring the number of actions that were required without an associated alert.
Base Level IT Certification Is Not Required
QuestionDo you require a base level certification for your operations staff?
Selected Answer: No
Status: Failed
Description: The Windows client staff does not have a base IT certification requirement.
A base IT certification ensures a high quality of IT staff and should greatly enhance support as well as reduce support cost, because staff are able to react adequately to the organization's IT needs.

Additional Information

Certifications

Understanding the fundamentals about Windows client components and how they relate to each other is important for running an efficient, secure, and stable environment. Established industry certification is a method to help reach this level of knowledge.
Microsoft provides certifications to fulfill this need: http://www.microsoft.com/learning/en/us/certification/cert-overview.aspx
No Rollback Plans Defined As Part Of Security Update Management Process

Question: Which of the following items apply to your security updates management process?
Selected Answer:
· Critical security updates are applied within a month after being released.
· An emergency process exists for deploying urgent software updates.
Status: Failed
Description: Understanding the requirements for returning computers to their original state in the event that a deployment adversely affects your environment is an important aspect of release management. Despite following proper planning and testing procedures, problems can arise. Even if a particular software update cannot be uninstalled, a rollback approach should have been identified during release management, in case the security release cannot be fixed through other means.

Additional Information

Best Practice Guidance
If serious problems are encountered during deployment, problem management may be needed to help identify and diagnose the root cause of the problem. If a suitable fix or workaround can be found, this should be documented and a request for change created to deploy it into the production environment. If not, it may be appropriate to recover to a known state after a failed Change or Release.
Rollback considerations include:
- Can the release be uninstalled?
- Are necessary provisions in place in the event that a computer stops responding after an update is deployed?
- Are the data backup and restore procedures taking place properly?
The following are the main steps for the rollback and redeployment of security updates:
- Stop the current deployment. Identify any steps necessary for deactivating release mechanisms used in your environment.
- Identify and resolve any update deployment issues. Determine what is causing a security update deployment to fail. The order in which updates are applied, the release mechanism used, and flaws in the update itself are all possible causes for a failed deployment.
- Uninstall security updates if necessary. Updates that introduce instabilities into your production environment should be removed, if possible.
- Reactivate release mechanisms. After resolving update issues, reactivate the appropriate release mechanism to redeploy updates.

Recommended Resolution

Ideally, when designing the solution, the same tools and technologies used to deploy the release into production will also be able to uninstall it, returning the production environment to its previous state. The back-out plan should be tested thoroughly and documented so that any Operations resource is able to back out the release. Where a back-out plan is not possible, remediation activities may include a fall-forward plan, where a failed change is overcome through the implementation of other changes, for example upgrading applications or systems.
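The "uninstall security updates if necessary" step and the verification after it, as an added PowerShell example that is not part of this report. It assumes WinRM is enabled on the targets, that the operator is a local administrator on each of them, that the admin workstation runs Windows PowerShell 3.0 or later, and that the computer names and KB number are placeholders. Stopping the deployment itself (declining a WSUS approval, disabling a Configuration Manager deployment) depends on the release mechanism and is not shown.

```powershell
# Added example, not from the RAP report. Rolls back one security update (by KB number)
# on a list of computers: confirm it is present, uninstall it with wusa.exe, then re-check.
# Assumptions: WinRM enabled and the caller is a local administrator on every target;
# computer names and the KB number are placeholders.
function Invoke-UpdateRollback {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string[]] $ComputerName,
        [Parameter(Mandatory = $true)] [ValidatePattern('^\d+$')] [string] $KbNumber   # digits only, e.g. 2775511
    )

    foreach ($computer in $ComputerName) {
        # Get-HotFix queries Win32_QuickFixEngineering over DCOM/RPC, not WinRM.
        $present = Get-HotFix -ComputerName $computer -Id "KB$KbNumber" -ErrorAction SilentlyContinue
        if (-not $present) {
            [pscustomobject]@{ Computer = $computer; Result = "KB$KbNumber not installed; nothing to roll back" }
            continue
        }

        # -WhatIf comes from SupportsShouldProcess, so the run can be rehearsed first.
        if (-not $PSCmdlet.ShouldProcess($computer, "Uninstall KB$KbNumber")) { continue }

        $exit = Invoke-Command -ComputerName $computer -ArgumentList $KbNumber -ScriptBlock {
            param($kb)
            # /quiet suppresses the UI; /norestart keeps the reboot under change control.
            # wusa.exe exit codes: 0 = success, 3010 = success but a restart is required.
            $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait -PassThru
            $proc.ExitCode
        }

        # Re-check; the package can remain listed until the pending restart completes.
        $still = Get-HotFix -ComputerName $computer -Id "KB$KbNumber" -ErrorAction SilentlyContinue
        $status = if ($exit -eq 0) { "KB$KbNumber removed" }
        elseif ($exit -eq 3010) { "KB$KbNumber removed, restart required" }
        else { "wusa.exe failed with exit code $exit" }
        if ($still -and $exit -ne 0 -and $exit -ne 3010) { $status += ' (update still listed)' }

        [pscustomobject]@{ Computer = $computer; Result = $status }
    }
}

# Rehearse first, then run for real.
Invoke-UpdateRollback -ComputerName 'PC01', 'PC02' -KbNumber '2775511' -WhatIf
Invoke-UpdateRollback -ComputerName 'PC01', 'PC02' -KbNumber '2775511' | Format-Table -AutoSize
```

The function deliberately returns one object per computer rather than writing to the console, so the output can be attached to the change record. If wusa.exe refuses to run inside a remote session on a given OS build, schedule the same command line through the deployment tool or a one-off scheduled task on the target instead; the presence check and the re-check stay the same.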
Operating System Information

Baseline Configuration

A baseline configuration defines the lowest common denominator of what is needed for all the systems in your organization, meaning what applications, updates, settings, and so on must be in place for every user. The baseline must be extremely easy to deploy with a rapid installation method so that both users and administrators will use it without complaint.
Exceptions for special applications and settings required by particular sub-groups are a separate issue and should not confuse the efforts to achieve the baseline. These special applications and settings must be dealt with in separate follow-up routines.
A properly deployed baseline configuration lets you control what’s normal - the baseline - on your systems, making it easier to detect what’s not normal. The baseline setup can help you, for example, track down where an additional account came from, determine if constant slowdowns are due to a denial-of-service attack, or find out whether a new security update really works in your enterprise.
It’s also important that an established baseline configuration not be written in stone. To stay current and valid, you should regularly evaluate and refresh your baseline standard, adding new software, revisions, and updates as necessary. This includes addressing any emerging security technologies or threats that may require across-the-board revisions to the security settings. This reevaluation of the baseline configuration is often done on a monthly or quarterly basis. In short, the baseline is not just an image; it is also the set of specifications that define that image, the scripts that build that image, and the upgrade paths that bring existing systems into line with the current image.
Classic deployments center on a complete image, sometimes referred to as a "wipe and load" solution because it completely replaces all preexisting information on the system. The image is often provided to the computer manufacturer and installed on all new machines at the factory. It is then used in the field for disaster recovery situations when the system has to be completely rebuilt. But this image is just one necessary component of the deployment.
As a new baseline image is issued, the builders must issue an upgrade pack along with it so that organizations with previous versions can bring their baseline up to the new, current standard. After all, they will also need all the updates and security enhancements, as well.
Defining Desktop SolutionsThe best solution is to have both operations and security personnel in your organization work together, taking a more holistic look at the desktop-build process as it relates to security. People shy away from this approach, thinking it will complicate the process. But, in fact, the opposite is true. By dealing with these details up front, you eliminate the last-minute redesigns, the painful arguments, and the stops and starts so common in many deployments.
For starters, collaborate. Get representatives of both the operations and security teams in the same room and have them collaborate to define the desktop configuration end-to-end. Recognize that each party brings something essential to the table, and use their natural opposition and conflicts as a way to drive more balanced decisions.
A testing period will be necessary. Establish regular cycles of security decision reviews so operations personnel have a chance to present and address any unexpected impacts of past security decisions. Security evolves, and so should the baseline. Recognizing this is very important to promoting adoption and ensuring people are comfortable with their choices.
A side benefit to this holistic approach is that the very act of establishing a standard desktop forces much closer collaboration between security policy makers, the domain administrators responsible for Active Directory, and system builders. These groups don’t traditionally communicate very well, largely contributing to the difficulties in achieving better desktop security.
Develop an Applications List

You need to create a list of applications that everyone in your enterprise requires. This is a baseline and should include only the applications that every single computer absolutely needs. Do not include applications that only a subset of users will need; you should use the software delivery system to augment the baseline image with those applications later on. Specify the version, publisher, and any updates that are required for a basic installation. Don’t forget to include such things as crucial add-ins and plug-ins. For instance, it’s a good idea to identify frequently used sites in your enterprise, so you can include any necessary ActiveX controls and plug-ins. Log on with User permissions and surf those sites. See which controls and plug-ins can be loaded by users with limited privileges and which are blocked by the system. The latter will need to be preloaded in your baseline image.
A typical baseline set of applications includes Microsoft Office, antivirus software, plug-ins for Internet Explorer, and any necessary internal line-of-business applications. Getting your organization to standardize on a single application and version for things like word processors, spreadsheets, antivirus, and so on is critical to achieving a useful baseline configuration. And the usual rules apply when it comes to keeping an eye on security: starting with the latest versions and updates for each product is likely to help keep your desktops more secure.
Security Settings

Your security team should have already performed a security threat analysis and be ready to propose settings in a checklist format. Operations technicians can then evaluate those theoretical security decisions in the context of real-world user expectations and requirements. Between these two points of view, your team should be able to reach a compromise that makes the organization hardened to attack yet still productive for users.
User Account Control Is Disabled

Status: Failed
Description: 3 node(s) out of 37 node(s) were affected by this issue (8.11%).
User Account Control (UAC) is a security component that enables users to perform common tasks as non-administrators (called standard users), and as administrators without having to switch users, log off, or use Run As. User accounts that are members of the local Administrators group run most applications as a standard user. By separating user and administrator functions, UAC helps users move toward using standard user rights by default.
When an administrator logs on to a computer that is running Windows Vista, Windows 7 or Windows 8, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by the Windows operating system to control what resources and tasks the user can access. The access control model in earlier Windows operating systems did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users' computers without notifying the users. (This is sometimes referred to as a "silent" installation.)
Even more damaging, because the user is an administrator, the malicious software could use the administrator's access control data to infect core operating system files, and in some instances, become nearly impossible to remove.The primary difference between a standard user and an administrator is the level of access that the user has over core, protected areas of the computer. Administrators can change the system state, turn off the firewall, configure security policies, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks, and they can only install per-user software.
Unlike earlier versions of Windows, when an administrator logs on to a computer running Windows Vista, Windows 7 or Windows 8, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user.
After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task. When a standard user logs on, only a standard user access token is created. This standard user access token is then used to start the desktop.

Additional Information

Best Practice Guidance

Please follow the guidance on:
http://technet.microsoft.com/en-us/library/ee679793(v=ws.10).aspx
Disabling User Account Control (UAC) on Windows Server
http://support.microsoft.com/kb/2526083

Importance

It is strongly recommended not to disable User Account Control (UAC) on any client version of Windows. Aside from the security benefits that are lost, disabling UAC also has a potential impact on application compatibility, as File and Registry Virtualization (FARV) is deactivated too. FARV allows legacy applications that would typically fail when run under Windows 7 to succeed, by redirecting (virtualizing) their writes to user-specific locations that are accessible by the current user. FARV is enabled by default, and is only applicable to 32-bit processes.
It is not recommended to turn off UAC prompting in Group Policy settings or by changing the slider setting.
Although the elevation prompt is the most visible part of UAC, UAC also provides the underlying components that allow for increased security with a minimal amount of disruption, especially for standard users. Two of these benefits include:
- Protected Mode in Internet Explorer
- File and registry virtualization
With UAC disabled, Protected Mode is lost: instead of being restricted to writing to a few selected folders under the user's profile, Internet Explorer can write to many other locations that would usually be off limits, which gives malware, phishing and similar attacks more to work with. Lastly, users who are local administrators cannot benefit from 'token filtering', where their standard (non-privileged) user token is used for the majority of operations; instead their accounts are not protected and they are using their full administrative token all of the time. This is effectively the same as having local administrative rights under Windows XP.
If UAC is disabled to avoid the elevation prompt, all UAC functionality is disabled. Instead, consider configuring UAC to elevate without prompting. In this case, applications that have been marked as administrator applications, as well as setup applications, will automatically run with the full administrator access token. All other applications will automatically run with the standard user token. The additional functionality of UAC is maintained.
In summary, disabling UAC is strongly discouraged as it has implications for both security and application compatibility.
Recommended ReadingInside Windows 7 User Account Control - Mark Russinovich
http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx
Rule Algorithm

Source:
Registry_Value_1 = HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA @ REG_DWORD

Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 is equal to 0x00000000

Affected Nodes
A value of 1 means "UAC is enabled"; a value of 0 means "UAC is disabled".
- admpc280.CVM.NCSU.EDU: the registry value EnableLUA is 0
- CLH-9F8NXR1.COM.NCSU.EDU: the registry value EnableLUA is 0
- VTHLOANERPC.CVM.NCSU.EDU: the registry value EnableLUA is 0
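The detection logic above, and the "elevate without prompting" alternative the Importance section recommends over disabling UAC, as an added PowerShell example that is not part of this report. It reads EnableLUA together with ConsentPromptBehaviorAdmin and PromptOnSecureDesktop from the same policy key, so a node with UAC switched off can be told apart from one that merely auto-elevates administrators. It assumes WinRM is enabled and the operator is a local administrator on each target, Windows PowerShell 3.0 or later on the admin workstation, and placeholder computer names.

```powershell
# Added example, not from the RAP report. Evaluates the EnableLUA rule across computers,
# classifies each node, and remediates the failed ones. Assumptions: WinRM enabled and the
# caller is a local administrator on each target; computer names are placeholders.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    param([Parameter(Mandatory = $true)] [string[]] $ComputerName)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $PolicyKey -ScriptBlock {
        param($key)
        $p = Get-ItemProperty -Path $key
        # A missing value means the OS default applies: EnableLUA 1 (on),
        # ConsentPromptBehaviorAdmin 5 (prompt for non-Windows binaries), PromptOnSecureDesktop 1.
        $enableLua = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }
        $consent   = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
        $secure    = if ($null -eq $p.PromptOnSecureDesktop) { 1 } else { [int]$p.PromptOnSecureDesktop }

        $state = if ($enableLua -eq 0) {
            'FAIL: UAC disabled (no token filtering, no IE Protected Mode, no FARV)'
        } elseif ($consent -eq 0) {
            'PASS: UAC on, administrators elevate without prompting'
        } elseif ($secure -eq 0) {
            'PASS: UAC on, prompting, but not on the secure desktop'
        } else {
            'PASS: UAC on, prompting on the secure desktop'
        }

        [pscustomobject]@{
            Computer                   = $env:COMPUTERNAME
            EnableLUA                  = $enableLua
            ConsentPromptBehaviorAdmin = $consent
            PromptOnSecureDesktop      = $secure
            State                      = $state
        }
    } | Select-Object Computer, EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, State
}

function Enable-Uac {
    # Remediation for failed nodes: set EnableLUA back to 1. It takes effect after a restart,
    # because the administrator token is split at logon. If the value is Group Policy managed,
    # fix the GPO (Security Options, "User Account Control: Run all administrators in Admin
    # Approval Mode") instead, or the next policy refresh will reapply the old setting.
    param([Parameter(Mandatory = $true)] [string[]] $ComputerName)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $PolicyKey -ScriptBlock {
        param($key)
        Set-ItemProperty -Path $key -Name EnableLUA -Value 1 -Type DWord
        "$env:COMPUTERNAME : EnableLUA set to 1, restart required"
    }
}

$report = Get-UacState -ComputerName 'PC01', 'PC02', 'PC03'
$report | Format-Table -AutoSize
$failed = $report | Where-Object { $_.EnableLUA -eq 0 } | Select-Object -ExpandProperty Computer
if ($failed) { Enable-Uac -ComputerName $failed }
```

ConsentPromptBehaviorAdmin = 0 keeps token filtering, Protected Mode and FARV while removing the consent step, which is why the report treats it as acceptable where prompting breaks an application; it still lets any process started by an administrator elevate silently, so prefer the prompting configurations wherever compatibility allows.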
Enterprise Hotfix Rollup For Windows 7 SP1 Not Installed
Status: Failed
Description: 16 node(s) out of 37 node(s) were affected by this issue (43.24%).
The enterprise hotfix rollup for Windows 7 SP1 (KB2775511) is not installed. This rollup contains 90 slow boot and slow logon fixes.
Additional Information
Best Practice Guidance: To take full advantage of this improvement for Windows 7 clients that log on to Windows Server 2008 R2 servers, install this rollup update on the Windows 7 clients. Additionally, install it on the Windows Server 2008 R2 servers from which clients authenticate and retrieve user profiles, policies and script data during the startup and logon process. You can update your environment by installing this hotfix rollup on both clients and servers in no particular order; the network improvements can be installed on either the client or the server. You may not notice any change in performance until the update is installed on both client and server computers.
Importance: An enterprise hotfix rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1 has been released which contains 90 hotfixes released after Service Pack 1. These hotfixes improve the overall performance and system reliability of Windows 7 SP1-based and Windows Server 2008 R2 SP1-based computers. We recommend that customers apply this hotfix rollup as part of their regular maintenance routine and build processes for Windows 7 and Windows Server 2008 R2 computers.
This hotfix rollup includes the following improvements:
· Improves the Windows Client Remote File System components.
· Improves the SMB Service and TCP protocol components.
· Improves the processing of Group Policies and Group Policy preferences.
· Improves the Windows Management Instrumentation (WMI) components to reduce the CPU usage and to improve the repository verification performance.
Recommended Reading: An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1
http://support.microsoft.com/kb/2775511
Recommended Resolution: Consider installing and testing this performance update.
After this update is installed, you must install update 2732673 to fix a regression issue in the Rdbss.sys file. To do this, install update 2732673 from the following Microsoft Knowledge Base article: "Delayed write failed" error message when .pst files are stored on a network file server that is running Windows Server 2008 R2
After this update is installed, you must install update 2728738 to fix a regression issue in the Profsvc.dll file. To do this, install update 2728738 from the following Microsoft Knowledge Base article: You experience a long logon time when you try to log on to a Windows 7-based or a Windows Server 2008 R2-based client computer that uses roaming profiles
Rule Algorithm
Source:
WMI_1 Root\CIMv2:Win32_QuickFixEngineering.HotFixID
Detection Logic
Applies to: Windows 7 Service Pack 1
The following must be true:
* WMI_1 equal to "KB2775511" does not exist
Annotation: Look to install this on the affected machines
Affected Nodes:
admpc280.CVM.NCSU.EDU
KB2775511 is not installed
ALUMINUM.CNR.NCSU.EDU
KB2775511 is not installed
BUSTA.ECE.NCSU.EDU
KB2775511 is not installed
crpc11.CVM.NCSU.EDU
KB2775511 is not installed
EI-SPARE-LT1.DELTA.NCSU.EDU
KB2775511 is not installed
GRAD073.NE.NCSU.EDU
KB2775511 is not installed
GRAD076.NE.NCSU.EDU
KB2775511 is not installed
ITECS-DT-34.EOS.NCSU.EDU
KB2775511 is not installed
ITECS-DT-55.EOS.NCSU.EDU
KB2775511 is not installed
LAU-214-29.CHASS.NCSU.EDU
KB2775511 is not installed
Memory Dump Found
Status: Failed
Description: 3 node(s) out of 37 node(s) were affected by this issue (8.11%).
You can configure Windows operating systems to write debugging information. The debugging information can be written to different file formats (also known as memory dump files) when your computer stops unexpectedly because of a Stop error (also known as a "blue screen," system crash, or bug check). You can also configure Windows not to write debugging information to a memory dump file.
Windows can generate any one of the following memory dump file types:
- Complete memory dump
- Kernel memory dump
- Small memory dump (64 KB)
A complete memory dump records all the contents of system memory when your computer stops unexpectedly. A complete memory dump may contain data from processes that were running when the memory dump was collected. If you select the Complete memory dump option, you must have a paging file on the boot volume that is sufficient to hold all the physical RAM plus 1 megabyte (MB). If a second problem occurs and another complete memory dump (or kernel memory dump) file is created, the previous file is overwritten.
A kernel memory dump records only the kernel memory. This speeds up the process of recording information in a log when your computer stops unexpectedly. You must have a pagefile large enough to accommodate your kernel memory. For 32-bit systems, kernel memory is usually between 150 MB and 2 GB. Additionally, on Windows 2003 and Windows XP, the page file must be on the boot volume. Otherwise, a memory dump cannot be created. This dump file does not include unallocated memory or any memory that is allocated to User-mode programs. It includes only memory that is allocated to the kernel and hardware abstraction layer (HAL) in Windows 2000 and later, and memory allocated to Kernel-mode drivers and other Kernel-mode programs. For most purposes, this dump file is the most useful. It is significantly smaller than the complete memory dump file, but it omits only those parts of memory that are unlikely to have been involved in the problem. If a second problem occurs and another kernel memory dump file (or a complete memory dump file) is created, the previous file is overwritten when the 'Overwrite any existing file' setting is checked.
A small memory dump records the smallest set of useful information that may help identify why your computer stopped unexpectedly. This option requires a paging file of at least 2 MB on the boot volume and specifies that Windows 2000 and later create a new file every time your computer stops unexpectedly. A history of these files is stored in a folder. This dump file type includes the following information:
- The Stop message and its parameters and other data
- A list of loaded drivers
- The processor context (PRCB) for the processor that stopped
- The process information and kernel context (EPROCESS) for the process that stopped
- The process information and kernel context (ETHREAD) for the thread that stopped
- The Kernel-mode call stack for the thread that stopped
This kind of dump file can be useful when space is limited. However, because of the limited information included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file. If a second problem occurs and a second small memory dump file is created, the previous file is preserved. Each additional file is given a distinct name. The date is encoded in the file name. For example, Mini022900-01.dmp is the first memory dump generated on February 29, 2000. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder.
Additional Information
Importance: Windows can be configured to write debugging information to disk when the computer stops unexpectedly as a result of a Stop error. This file can be analyzed later to determine the root cause.
Recommended Resolution: Dump files were found on the target system. It is recommended that you analyze the files to determine the root cause and solve the issue globally in your client infrastructure environment.
Rule Algorithm
Source:
Registry_Value_1 HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DumpFile @ REG_SZ
Registry_Value_2 HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\MinidumpDir @ REG_SZ
WMI_1 Root\CIMv2:Win32_OperatingSystem.LocalDateTime
FILE_1 Registry_Value_1
PATH_1 Registry_Value_2
Detection Logic
Applies to: All operating systems
The following must be true:
* FILE_1 exists and its CreateTime attribute is not older than 6 months compared to WMI_1
* File count of PATH_1 is greater than 0 and the CreateTime attribute of the files is not older than 6 months compared to WMI_1
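The rule above can be reproduced on a single host with the following PowerShell. This is an added example, not part of the RAP report or its tooling: it reads the same two CrashControl values, expands them, and applies the same six-month window. The function name and the fall-back to the Windows default locations (%SystemRoot%\MEMORY.DMP and %SystemRoot%\Minidump) when a value is absent are the editor's own choices.

```powershell
# Added example, not part of the RAP report. Reproduces the "Memory Dump Found"
# rule: a kernel dump at CrashControl\DumpFile, or minidumps under
# CrashControl\MinidumpDir, created within the last six months.
function Get-CrashDumpFinding {
    [CmdletBinding()]
    param([int]$MaxAgeMonths = 6)

    $crash = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    # The values are REG_SZ and normally contain %SystemRoot%; expand them the way
    # the kernel would. If a value is absent, fall back to the Windows defaults
    # (editor's assumption, not something the rule itself does).
    $dumpFile    = [Environment]::ExpandEnvironmentVariables([string]$crash.DumpFile)
    $minidumpDir = [Environment]::ExpandEnvironmentVariables([string]$crash.MinidumpDir)
    if (-not $dumpFile)    { $dumpFile    = Join-Path $env:SystemRoot 'MEMORY.DMP' }
    if (-not $minidumpDir) { $minidumpDir = Join-Path $env:SystemRoot 'Minidump' }

    # WMI_1 in the rule is the node's own local time; Get-Date gives the same clock.
    $cutoff = (Get-Date).AddMonths(-$MaxAgeMonths)

    $kernelDump    = $null
    $kernelCreated = $null
    if (Test-Path -LiteralPath $dumpFile -PathType Leaf) {
        $kernelDump    = Get-Item -LiteralPath $dumpFile
        $kernelCreated = $kernelDump.CreationTime
    }

    $miniDumps = @()
    if (Test-Path -LiteralPath $minidumpDir -PathType Container) {
        $miniDumps = @(Get-ChildItem -LiteralPath $minidumpDir -Filter '*.dmp' -File |
                       Where-Object { $_.CreationTime -gt $cutoff } |
                       Sort-Object CreationTime)
    }

    $recentKernelDump = ($null -ne $kernelDump -and $kernelCreated -gt $cutoff)
    $lastMini = $null
    if ($miniDumps.Count -gt 0) { $lastMini = $miniDumps[-1].CreationTime }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        KernelDumpPath      = $dumpFile
        KernelDumpFound     = $recentKernelDump
        KernelDumpCreated   = $kernelCreated
        MiniDumpCount       = $miniDumps.Count
        LastMiniDumpCreated = $lastMini
        # The rule fails when either condition holds.
        RuleFailed          = ($recentKernelDump -or $miniDumps.Count -gt 0)
    }
}

Get-CrashDumpFinding | Format-List
```

Because a kernel or complete dump contains kernel memory and, as the report notes, possibly data from processes that were running, copy it off the endpoint over an authenticated channel for analysis (WinDbg's `!analyze -v` is the usual first step) and delete the local copy once the root cause is recorded.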
Affected Nodes:
315BPT01.CALS.NCSU.EDU
Kernel Dump found: True
Date created: 9/28/2016 9:32:43 AM
Amount of Mini Dumps found: 1
Date created last entry: 9/28/2016 9:32:59 AM
DELTA-DT-SP05.DELTA.NCSU.EDU
Kernel Dump found: True
Date created: 9/29/2016 3:15:33 PM
Amount of Mini Dumps found: 1
Date created last entry: 9/29/2016 3:15:36 PM
MOBILELAB4.IE.NCSU.EDU
Kernel Dump found: True
Date created: 7/27/2016 2:09:15 PM
Amount of Mini Dumps found: 2
Date created last entry: 7/27/2016 2:09:36 PM
User Account Control Secure Desktop Is Disabled
Status: Failed
Description: 4 node(s) out of 37 node(s) were affected by this issue (10.81%).
One method by which malicious applications might attempt to collect sensitive information from the user is by emulating a standard application or window. This is particularly true of the UAC elevation prompt. Users might be prompted for credentials by an unauthorized application that appears to be a standard Windows dialog box. The program collects user names and passwords and then might use this information to compromise security.
To prevent this problem, Windows displays elevation prompts using a secure desktop. The secure desktop automatically dims the desktop background and prevents all applications from launching any new prompts or windows until the user makes a decision related to the UAC elevation prompt. In this way, the user can be assured that the UAC prompt is coming from the Windows Vista operating system itself.
Additional Information
Best Practice Guidance: Please follow the guidance on:
http://technet.microsoft.com/en-us/library/ee679793(v=ws.10).aspx
Importance: It is recommended that UAC prompting not be turned off in Group Policy settings or by changing the slider setting.
Although the elevation prompt is the most visible part of UAC, UAC also provides the underlying components that allow for increased security with a minimal amount of disruption, especially for standard users. Two of these benefits include:
- Protected Mode in Internet Explorer
- File and registry virtualization
If UAC is disabled to avoid the elevation prompt, all UAC functionality is disabled. Instead, consider configuring UAC to elevate without prompting. In this case, applications that have been marked as administrator applications, as well as setup applications, will automatically run with the full administrator access token. All other applications will automatically run with the standard user token. The additional functionality of UAC is maintained.
Rule Algorithm
Source:
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA @ REG_DWORD
Registry_Value_2 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 is not equal to 0x00000000 and Registry_Value_2 is equal to 0x00000000
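The two UAC rules in this report (the EnableLUA check under "User Account Control Is Disabled" and the PromptOnSecureDesktop check above) read the same policy key, so one script can evaluate both. The following PowerShell is an added example, not part of the RAP report or its tooling; the function names are the editor's own, and a value that is absent from the registry is left as $null so that it matches neither rule's "is equal to 0x00000000" test.

```powershell
# Added example, not part of the RAP report. Reads the two registry values the
# report's UAC rules inspect and evaluates them with the same logic.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacFinding {
    [CmdletBinding()]
    param([string]$Key = $UacPolicyKey)

    $props = Get-ItemProperty -Path $Key -ErrorAction Stop

    # Both values are REG_DWORD; they come back as Int32. An absent value stays
    # $null, which compares as "not equal to 0" (editor's choice, see lead-in).
    $enableLua     = $props.EnableLUA
    $secureDesktop = $props.PromptOnSecureDesktop

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        EnableLUA             = $enableLua
        PromptOnSecureDesktop = $secureDesktop
        # "User Account Control Is Disabled": Registry_Value_1 is equal to 0x00000000
        UacDisabled           = ($enableLua -eq 0)
        # "User Account Control Secure Desktop Is Disabled":
        # Registry_Value_1 is not equal to 0x00000000 and Registry_Value_2 is equal to 0x00000000
        SecureDesktopDisabled = ($enableLua -ne 0 -and $secureDesktop -eq 0)
    }
}

# Remediation for a host that is not managed by Group Policy. Needs an elevated
# session; a change to EnableLUA only takes effect after a restart.
function Enable-UacSecureDesktop {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Key = $UacPolicyKey)

    foreach ($name in 'EnableLUA', 'PromptOnSecureDesktop') {
        if ($PSCmdlet.ShouldProcess("$Key\$name", 'Set REG_DWORD to 1')) {
            Set-ItemProperty -Path $Key -Name $name -Value 1 -Type DWord
        }
    }
}

Get-UacFinding | Format-List
# Preview the remediation without applying it; drop -WhatIf to apply:
# Enable-UacSecureDesktop -WhatIf
```

On domain-joined machines prefer the Group Policy equivalents under Security Options, "User Account Control: Run all administrators in Admin Approval Mode" (EnableLUA) and "User Account Control: Switch to the secure desktop when prompting for elevation" (PromptOnSecureDesktop), so that a local change cannot silently drift back.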
Affected Nodes:
315BPT01.CALS.NCSU.EDU
PromptOnSecureDesktop value is: 0
A value of 1 means "Secure Desktop Prompt is enabled"; a value of 0 means "Secure Desktop Prompt is disabled"
crpc11.CVM.NCSU.EDU
PromptOnSecureDesktop value is: 0
A value of 1 means "Secure Desktop Prompt is enabled"; a value of 0 means "Secure Desktop Prompt is disabled"
PT315B-01.CALS.NCSU.EDU
PromptOnSecureDesktop value is: 0
A value of 1 means "Secure Desktop Prompt is enabled"; a value of 0 means "Secure Desktop Prompt is disabled"
PT315B-02.CALS.NCSU.EDU
PromptOnSecureDesktop value is: 0
A value of 1 means "Secure Desktop Prompt is enabled"; a value of 0 means "Secure Desktop Prompt is disabled"
The Organization Has Not Implemented A Power Management Plan
Question: Have you implemented an energy and cost-efficient power management plan for your PCs and Windows devices?
Selected Answer: No
Additional Comments: Some groups have started using power settings either in GPO or in SCCM with maintenance windows.
Status: Failed
Description: Implement adequate power management plans in order to reduce power cost, carbon footprint, and material wear-and-tear in your environment. It is strongly recommended that you implement a green IT strategy in order to save cost and contribute to the environment.
Additional Information
Creating a Power Management Plan
Creating a Power Scheme on Windows 7:
http://windows.microsoft.com/en-US/windows7/Change-create-or-delete-a-power-plan-scheme
Power Plan Is Set To High Performance
Status: Failed
Description: 35 node(s) out of 37 node(s) were affected by this issue (94.59%).
Each power plan targets different uses, and you can easily switch between different power plans to provide tradeoffs between performance and power consumption. By default, the Balanced power plan is recommended, because it configures Windows to dynamically scale the level of delivered performance, depending on current workload requirements. The Power saver power plan is designed for maximizing energy savings and is good for mobile PC usage and for maximizing battery life. (A mobile PC is a notebook, laptop, or other portable computer that runs Windows Vista or a later version of Windows.) The High performance power plan disables dynamic scaling of performance to match the workload and instead delivers constant high performance levels at the cost of increased power consumption. This power plan is useful in certain scenarios that are highly performance or latency sensitive or in scenarios in which power consumption is not an issue.
Power plans can be customized. You can use each plan as a template to configure your own unique power plan that meets your needs. If battery life is your key concern but you want a bright display, you should create a power plan based on the Power saver power plan. After you create a power plan, you can use the Change Advanced Power Settings feature to better adjust the plan to meet your needs. For example, you can now change the display brightness to a comfortable level. Be aware that changing the default setting will affect power consumption and performance, depending on the setting. Increasing the display brightness will result in increased power consumption.
Additional Information
Importance: If a sleep idle timeout is enabled in power policy, Windows Vista and Windows 7 automatically place the computer in the Sleep state after a period of inactivity. The idle detection threshold determines the amount of required processor idleness for the system to automatically enter the Sleep state.
Recommended Reading:
Optimizing Windows Vista Platforms for Energy Efficiency
http://download.microsoft.com/download/0/0/b/00bba048-35e6-4e5b-a3dc-36da83cbb0d1/Optimize_Power.doc
Windows Driver Kit: Driver Development Tools (Index of Windows Driver Kit Tools)
http://msdn.microsoft.com/en-us/library/windows/hardware/gg487428.aspx
Application Power Management Best Practices for Windows Vista
http://www.microsoft.com/whdc/system/pnppwr/powermgmt/PM_apps.mspx
Power Management in Windows 7 Overview
http://technet.microsoft.com/en-us/library/dd744300(v=WS.10).aspx
Recommended Resolution: The Windows Power Manager tracks the following inputs to determine if a system is idle and should automatically enter the Sleep state:
* User input, including mouse and keyboard input
* Application requests, such as a PVR application requesting that the system remain awake to record a television program even though the user is not present at the system
* Processor idleness, or the amount of processor idle time on the system
The idle detection threshold configures the minimum amount of processor idle time (the percentage) that is required for Windows to accrue time toward the Sleep idle timeout. By default, the idle detection threshold is configured to 80 percent, indicating that the processor must be 80-percent idle for the Power Manager to automatically place the system into the Sleep state.
The Windows Power Manager reviews current system idleness every 15 seconds. During each review period, the Power Manager determines the time since the last user input, any application requests for the system to remain in wake, and the amount of processor idle time over the last 15-second period. If the processor idle time is greater or equal to 80 percent and all other conditions are met, the Power Manager considers the system to be idle for the last 15-second period and increments the accrued idle time by 15 seconds. The processor idle time is correctly adjusted for processor performance states where processor frequency may be adaptively changed, based on workload.
System manufacturers and IT professionals can adjust the idle detection threshold to a lower value. This allows the Power Manager to be more aggressive in transitioning the system to the Sleep state automatically, thus helping to reduce energy consumption and extend mobile PC battery life. Setting the idle detection threshold to 0 percent is the most aggressive value for power savings and indicates to the Power Manager that processor activity should be ignored in determining if the system is idle enough to automatically transition to the Sleep state.
By using powercfg, the setting can be specified in the following way:
Friendly name: Idle detection threshold
Description: Required processor idleness to sleep
GUID: 81cd32e0-7833-44f3-8737-7081f38d1f70
Rule Algorithm
Source:
WMI_1 ROOT\CIMv2\Power:Win32_PowerPlan\{8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c}.IsActive
Detection Logic
Applies to: Windows 7 and later
The following must be true:
* WMI_1 is "true"
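The rule above can be checked and remediated on a host with the following PowerShell, an added example that is not part of the RAP report or its tooling. It queries the same WMI class (root\cimv2\power:Win32_PowerPlan) and compares the active plan's InstanceID with the High performance GUID given in the rule; the function names and the decision to switch to the Balanced plan (the report's recommended default) are the editor's own.

```powershell
# Added example, not part of the RAP report. Uses the same WMI class as the rule
# to report the active plan and, if it is High performance, switch to Balanced.
$HighPerformancePlanGuid = '{8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c}'   # GUID from the report's rule source

function Get-ActivePowerPlan {
    # InstanceID has the form "Microsoft:PowerPlan\{<guid>}"; ElementName is the display name.
    Get-CimInstance -Namespace 'root\cimv2\power' -ClassName Win32_PowerPlan -Filter 'IsActive = TRUE' |
        Select-Object ElementName, InstanceID
}

function Test-HighPerformancePlanActive {
    $active = Get-ActivePowerPlan
    return [bool]($active -and $active.InstanceID -like "*$HighPerformancePlanGuid")
}

function Set-BalancedPowerPlan {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('active power plan', 'Switch to Balanced (SCHEME_BALANCED)')) {
        # SCHEME_BALANCED is a built-in powercfg alias for the Balanced plan.
        powercfg.exe /setactive SCHEME_BALANCED
    }
}

$plan = Get-ActivePowerPlan
"{0}: active plan is '{1}'" -f $env:COMPUTERNAME, $plan.ElementName
if (Test-HighPerformancePlanActive) {
    Set-BalancedPowerPlan -WhatIf   # drop -WhatIf to apply
}
```

The idle detection threshold described in the Recommended Resolution (GUID 81cd32e0-7833-44f3-8737-7081f38d1f70) is set with `powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP 81cd32e0-7833-44f3-8737-7081f38d1f70 <percent>` followed by `powercfg /setactive SCHEME_CURRENT`; that the setting lives in the SUB_SLEEP subgroup is the editor's assumption, so confirm it with `powercfg /query SCHEME_CURRENT` before scripting it across a fleet.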
Affected Nodes:
315BPT01.CALS.NCSU.EDU
Current active power plan: High performance
admpc280.CVM.NCSU.EDU
Current active power plan: High performance
ALUMINUM.CNR.NCSU.EDU
Current active power plan: High performance
BILT-3032A-01.CNR.NCSU.EDU
Current active power plan: High performance
BUSTA.ECE.NCSU.EDU
Current active power plan: High performance
CHASSIT-TEST.CHASS.NCSU.EDU
Current active power plan: High performance
CLH-9F8NXR1.COM.NCSU.EDU
Current active power plan: High performance
COLLAB-TEST-HD.EOS.NCSU.EDU
Current active power plan: High performance
crpc11.CVM.NCSU.EDU
Current active power plan: High performance
DELTA-DT-SP05.DELTA.NCSU.EDU
Current active power plan: High performance
Path Environment Variable Contains Too Many Entries
Status: Failed
Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
The system finds the executable files necessary to execute the commands you type, or the files requested by an application, by searching the directories listed in the PATH environment variable. The list of directories contained within the PATH environment variable is separated by semicolons.
Too many entries cause delays while each directory listed in the PATH environment variable is searched.
Additional Information
Importance: A large number of entries may increase the startup time of applications and slow DLL searches.
Recommended Resolution: Use only path entries that are necessary for line-of-business applications and the operating system itself.
Rule Algorithm
Source:
WMI_1 Root\CIMv2:Win32_Environment.Caption
Detection Logic
Applies to: All operating systems
The following must be true:
* WMI_1 contains more than 30 entries
Annotation: Look to reduce these
Affected Nodes:
COLLAB-TEST-HD.EOS.NCSU.EDU
More than 30 paths are defined.
Path Environment Variable: C:\Program Files\Tecplot\Tecplot 360 EX 2016 R2\bin;C:\Program Files\Microsoft MPI\Bin\;%CPLEX_STUDIO_BINARIES1261%;C:\Program Files (x86)\Rockwell Software\RSCommon;C:\ProgramData\Oracle\Java\javapath;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\IBM\SPSS\Statistics\24\JRE\bin;C:\Program Files (x86)\OpenAFS\Common;C:\Windows\SysWOW64\;C:\Windows\SysWOW64\Wbem;C:\Windows\SysWOW64\WindowsPowerShell\v1.0;C:\c\Program Files\Anaconda2\;C:\c\Program Files\Anaconda2\Scripts;C:\c\Program Files\Anaconda2\Library\bin;C:\LINGO13\;C:\Program Files\SASHome\Secure\ccme4;C:\Program Files\SASHome\x86\Secure\ccme4;C:\Program Files\MATLAB\R2016a\runtime\win64;C:\Program Files\MATLAB\R2016a\bin;C:\Program Files (x86)\NAG\EFBuilder 6.0\bin;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.0\;C:\Program Files\Microsoft SQL Server\120\Tools\Binn\;C:\Program Files (x86)\National Instruments\Motion Assistant\bin\mxwplugins;C:\Program Files (x86)\IVI Foundation\VISA\WinNT\Bin\;C:\Program Files\IVI Foundation\VISA\Win64\Bin\;C:\Program Files (x86)\IVI Foundation\VISA\WinNT\Bin;C:\Program Files\OpenAFS\Client\Program;C:\Program Files (x86)\OpenAFS\Client\Program;C:\Program Files\Heimdal\bin\;C:\Program Files (x86)\NAG\EFBuilder 6.1\bin;C:\gcc295\bin
Path Environment Variable Contains Non Existing Entries
Status: Failed
Description: 9 node(s) out of 37 node(s) were affected by this issue (24.32%).
The system finds the executable files necessary to execute the commands you type, or the files requested by an application, by searching the directories listed in the PATH environment variable. The list of directories contained within the PATH environment variable is separated by semicolons.
Non-existent entries cause delays while each directory listed in the PATH environment variable is searched.
Additional Information
Importance: The PATH environment variable should contain only existing paths. Applications may fault or be delayed at startup if the resulting exceptions are not handled in the application.
Recommended Resolution: Use only existing path entries in the environment variable named PATH.
Rule Algorithm
Source:
WMI_1 Root\CIMv2:Win32_Environment.Caption
PATH_1 WMI_1
Detection Logic
Applies to: All operating systems
The following must be true:
* PATH_1 does not exist
Annotation: Look to remove these
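Both PATH rules (the entry count under "Path Environment Variable Contains Too Many Entries" and the existence test above) can be evaluated from the same machine-wide PATH value, so the following PowerShell does both and adds a guarded clean-up. This is an added example, not part of the RAP report or its tooling. It reads the Session Manager registry value that backs the Win32_Environment "<SYSTEM>\Path" instance the rules use; the threshold of 30 comes from the rule, while the function names and the rule of keeping an entry if any directory it expands to exists are the editor's own.

```powershell
# Added example, not part of the RAP report. Evaluates both PATH rules ("too many
# entries" and "non existing entries") against the machine-wide PATH, and offers
# a guarded clean-up.
$EnvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Get-RawMachinePath {
    # Win32_Environment (Caption "<SYSTEM>\Path"), which the rule reads, is backed by
    # this registry value. DoNotExpandEnvironmentNames keeps %SystemRoot% and similar
    # references unexpanded, matching what the report prints.
    (Get-Item -Path $EnvKey).GetValue('Path', '', 'DoNotExpandEnvironmentNames')
}

function Split-PathEntries([string]$Value) {
    @($Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-PathFinding {
    [CmdletBinding()]
    param([int]$MaxEntries = 30)

    $raw     = Get-RawMachinePath
    $entries = Split-PathEntries $raw

    # Expand each entry before testing it. A variable such as %CPLEX_STUDIO_BINARIES1261%
    # may itself expand to several directories, so split again after expanding. A
    # reference to an undefined variable stays literal and therefore fails the test.
    $missing = foreach ($entry in $entries) {
        foreach ($dir in (Split-PathEntries ([Environment]::ExpandEnvironmentVariables($entry)))) {
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { $dir }
        }
    }
    $missing = @($missing)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EntryCount         = $entries.Count
        TooManyEntries     = ($entries.Count -gt $MaxEntries)   # first rule
        MissingCount       = $missing.Count
        MissingDirectories = $missing                           # second rule
    }
}

function Remove-MissingPathEntry {
    # Drops entries none of whose expanded directories exist. Needs an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $raw  = Get-RawMachinePath
    $keep = foreach ($entry in (Split-PathEntries $raw)) {
        $dirs = Split-PathEntries ([Environment]::ExpandEnvironmentVariables($entry))
        if (@($dirs | Where-Object { Test-Path -LiteralPath $_ -PathType Container }).Count -gt 0) { $entry }
    }
    $new = (@($keep) -join ';')

    # Write back as REG_EXPAND_SZ. [Environment]::SetEnvironmentVariable(..., 'Machine')
    # would store REG_SZ and break %SystemRoot%-style entries.
    if ($new -ne $raw -and $PSCmdlet.ShouldProcess("$EnvKey\Path", "Rewrite with $(@($keep).Count) entries")) {
        Set-ItemProperty -Path $EnvKey -Name Path -Value $new -Type ExpandString
    }
}

Get-PathFinding | Format-List
# Remove-MissingPathEntry -WhatIf   # preview; drop -WhatIf to apply, then sign out and back in
```

The report frames these findings as performance issues. When reviewing the same list from the security side, also confirm that every directory that remains on the machine PATH is writable only by administrators, since the search order is exactly what an unprivileged user would otherwise be able to influence; a stale entry under a user-writable parent folder is worth removing for that reason alone.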
Affected Nodes:
CLH-9F8NXR1.COM.NCSU.EDU
Contents Of Path Variable:
C:\ProgramData\Oracle\Java\javapath;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\DLLShared\;C:\Program Files (x86)\Heimdal\bin\;C:\Program Files\Heimdal\bin\;C:\Program Files\OpenAFS\Common;C:\Program Files\OpenAFS\Client\Program;C:\Program Files (x86)\OpenAFS\Common;C:\Program Files (x86)\OpenAFS\Client\Program
Amount Of Non-Existing Directories Found: 1
Directories Found To Be Missing:
C:\Program Files (x86)\Common Files\Roxio Shared\10.0\DLLShared\
COLLAB-TEST-HD.EOS.NCSU.EDU
Contents Of Path Variable:
C:\Program Files\Tecplot\Tecplot 360 EX 2016 R2\bin;C:\Program Files\Microsoft MPI\Bin\;%CPLEX_STUDIO_BINARIES1261%;C:\Program Files (x86)\Rockwell Software\RSCommon;C:\ProgramData\Oracle\Java\javapath;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\IBM\SPSS\Statistics\24\JRE\bin;C:\Program Files (x86)\OpenAFS\Common;C:\Windows\SysWOW64\;C:\Windows\SysWOW64\Wbem;C:\Windows\SysWOW64\WindowsPowerShell\v1.0;C:\c\Program Files\Anaconda2\;C:\c\Program Files\Anaconda2\Scripts;C:\c\Program Files\Anaconda2\Library\bin;C:\LINGO13\;C:\Program Files\SASHome\Secure\ccme4;C:\Program Files\SASHome\x86\Secure\ccme4;C:\Program Files\MATLAB\R2016a\runtime\win64;C:\Program Files\MATLAB\R2016a\bin;C:\Program Files (x86)\NAG\EFBuilder 6.0\bin;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.0\;C:\Program Files\Microsoft SQL Server\120\Tools\Binn\;C:\Program Files (x86)\National Instruments\Motion Assistant\bin\mxwplugins;C:\Program Files (x86)\IVI Foundation\VISA\WinNT\Bin\;C:\Program Files\IVI Foundation\VISA\Win64\Bin\;C:\Program Files (x86)\IVI Foundation\VISA\WinNT\Bin;C:\Program Files\OpenAFS\Client\Program;C:\Program Files (x86)\OpenAFS\Client\Program;C:\Program Files\Heimdal\bin\;C:\Program Files (x86)\NAG\EFBuilder 6.1\bin;C:\gcc295\bin
Amount Of Non-Existing Directories Found: 3
Directories Found To Be Missing:
C:\Program Files\IBM\ILOG\CPLEX_Studio1261\opl\bin\x64_win64;C:\Program Files\IBM\ILOG\CPLEX_Studio1261\opl\oplide\;C:\Program Files\IBM\ILOG\CPLEX_Studio1261\cplex\bin\x64_win64;C:\Program Files\IBM\ILOG\CPLEX_Studio1261\cpoptimizer\bin\x64_win64
C:\Program Files (x86)\NAG\EFBuilder 6.0\bin
C:\gcc295\bin
EB2-2214-LOAN01.CSC.NCSU.EDU
Contents Of Path Variable:
%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Java\jdk1.7.0_25\bin;C:\Program Files (x86)\Heimdal\bin\;C:\Program Files\Heimdal\bin\;C:\Program Files\OpenAFS\Common;C:\Program Files\OpenAFS\Client\Program;C:\Program Files (x86)\OpenAFS\Common;C:\Program Files (x86)\OpenAFS\Client\Program
Amount Of Non-Existing Directories Found: 1
Directories Found To Be Missing:
C:\Program Files\Java\jdk1.7.0_25\bin
EB2-2214-LOAN02.CSC.NCSU.EDU
Contents Of Path Variable:
%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Java\jdk1.7.0_25\bin;C:\Program Files (x86)\Heimdal\bin\;C:\Program Files\Heimdal\bin\;C:\Program Files\OpenAFS\Common;C:\Program Files\OpenAFS\Client\Program;C:\Program Files (x86)\OpenAFS\Common;C:\Program Files (x86)\OpenAFS\Client\Program
Amount Of Non-Existing Directories Found: 1
Directories Found To Be Missing:
C:\Program Files\Java\jdk1.7.0_25\bin
GRAD073.NE.NCSU.EDU
Contents Of Path Variable:
C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE;C:\Program Files\Microsoft Visual Studio 10.0\VC\bin;C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files\Dell\Dell Data Protection\Drivers\TSS\bin\;C:\Program Files (x86)\NAG\FL21\fldll214al\batch;C:\Program Files (x86)\NAG\FL21\fldll214al\bin;C:\Program Files (x86)\NAG\FL21\fldll214al\MKL_ia32_8.0\bin;C:\Program Files (x86)\NAG\EFBuilderPro 5.2\nagfor\bin;C:\Windows\SysWOW64\;%SystemRoot%;C:\Windows\SysWOW64\Wbem;C:\Windows\SysWOW64\WindowsPowerShell\v1.0
Amount Of Non-Existing Directories Found: 4
Directories Found To Be Missing:
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE
C:\Program Files\Microsoft Visual Studio 10.0\VC\bin
C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE
C:\Program Files\Dell\Dell Data Protection\Drivers\TSS\bin\
GRAD076.NE.NCSU.EDU
Contents Of Path Variable:
C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE;C:\Program Files\Microsoft Visual Studio 10.0\VC\bin;C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE;C:\Program Files (x86)\NAG\FL21\fldll214al\batch;C:\Program Files (x86)\NAG\FL21\fldll214al\bin;C:\Program Files (x86)\NAG\FL21\fldll214al\MKL_ia32_8.0\bin;C:\Program Files (x86)\NAG\EFBuilderPro 5.2\nagfor\bin;C:\Windows\SysWOW64\;C:\Windows\SysWOW64\Wbem;C:\Windows\SysWOW64\WindowsPowerShell\v1.0;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files\Dell\Dell Data Protection\Drivers\TSS\bin\
Amount Of Non-Existing Directories Found: 4
Directories Found To Be Missing:
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE
C:\Program Files\Microsoft Visual Studio 10.0\VC\bin
C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE
C:\Program Files\Dell\Dell Data Protection\Drivers\TSS\bin\
ITECS-DT-19.EOS.NCSU.EDU
Contents Of Path Variable:
%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\MATLAB\R2015a\runtime\win64;C:\Program Files\MATLAB\R2015a\bin;C:\Program Files\SASHome\Secure\ccme4;C:\Program Files\SASHome\x86\Secure\ccme4
Amount Of Non-Existing Directories Found: 8
Directories Found To Be Missing:
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Program Files\MATLAB\R2015a\runtime\win64
C:\Program Files\MATLAB\R2015a\bin
C:\Program Files\SASHome\Secure\ccme4
C:\Program Files\SASHome\x86\Secure\ccme4
UNO.IE.NCSU.EDU
Contents Of Path Variable:
C:\Program Files\NVIDIA Corporation\PhysX\Common;%COSMOSM%;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\MiKTeX 2.9\miktex\bin;C:\Program Files\MATLAB\R2015a\runtime\win32;C:\Program Files\MATLAB\R2015a\bin;C:\Program Files\MATLAB\R2014b\runtime\win32;C:\Program Files\MATLAB\R2014b\bin;C:\Program Files\MATLAB\R2014a\runtime\win32;C:\Program Files\MATLAB\R2014a\bin;C:\Program Files\MATLAB\R2013a\runtime\win32;C:\Program Files\MATLAB\R2013a\bin;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\MIT\Kerberos\bin;C:\Program Files\OpenAFS\Common;C:\Program Files\OpenAFS\Client\Program
Amount Of Non-Existing Directories Found: 1
Directories Found To Be Missing:
C:\Windows\TEMP\{892DDB53-CF72-436F-AA6A-276B5F833421}\program files\COSMOS Applications
VTHLOANERPC.CVM.NCSU.EDU
Contents Of Path Variable:
C:\ProgramData\Oracle\Java\javapath;C:\orant\bin;C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT;C:\orant\jdk\bin;C:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\DLLShared\;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\DLLShared\;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\DLLShared\;C:\Program Files (x86)\Roxio\OEM\AudioCore\;%systemroot%\System32\WindowsPowerShell\v1.0\;%systemroot%\System32\WindowsPowerShell\v1.0\
Amount Of Non-Existing Directories Found: 3
Directories Found To Be Missing:
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static
C:\Program Files (x86)\Common Files\Roxio Shared\OEM\DLLShared\
C:\Program Files (x86)\Common Files\Roxio Shared\OEM\DLLShared\
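The listings above are the output of a check that walks the machine PATH and tests whether each entry still exists. The following PowerShell is an added example, not code from the RAP report or its tooling; it assumes Windows PowerShell 3.0 or later, reads the machine-scope PATH from the registry, and the function name Get-MissingPathDirectories is this example's own.

```powershell
# Added example, not part of the RAP report: reproduce the "Contents Of Path
# Variable" check by testing every PATH entry for a directory that no longer
# exists. Runs without elevation in Windows PowerShell 3.0 or later.

function Get-MissingPathDirectories {
    param(
        # Raw PATH string to audit. Defaults to the machine-scope value, which is
        # the one the report inspects; pass $env:Path to include user-scope entries.
        [string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    )
    foreach ($entry in ($PathValue -split ';')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }   # skip empty fields left by a trailing ';'
        # Expand %SystemRoot%-style references. An undefined variable such as
        # %COSMOSM% stays as literal text and is therefore reported as missing,
        # which is the outcome an auditor wants to see.
        $expanded = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not (Test-Path -LiteralPath $expanded -PathType Container)) {
            [pscustomobject]@{ Entry = $entry; Expanded = $expanded }
        }
    }
}

# Print in the same shape as the report output.
$missing = @(Get-MissingPathDirectories)
"Amount Of Non-Existing Directories Found: $($missing.Count)"
if ($missing.Count -gt 0) {
    'Directories Found To Be Missing:'
    $missing | ForEach-Object { $_.Expanded }
}
```

Run it unelevated on the nodes listed above to reproduce their counts. Treat stale entries as something to remove rather than ignore: an entry that points nowhere still takes part in executable search, so if its parent directory is writable by standard users the entry should be deleted before anything can be created there, and every remaining entry should be writable only by administrators.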
Recommended HotFixes for Windows 7 Not Installed
Status: Failed
Description: 17 node(s) out of 37 node(s) were affected by this issue (45.95%).
Please consider installing the hotfix if it is likely to apply to your environment.
Additional Information
Importance: A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
Recommended Reading
"Delayed write failed" error message when .pst files are stored on a network file server that is running Windows Server 2008 R2
http://support.microsoft.com/kb/2732673
You experience a long logon time when you try to log on to a Windows 7-based or a Windows Server 2008 R2-based client computer that uses roaming profiles
http://support.microsoft.com/kb/2728738
Long startup or logon time on a Windows 7-based or Windows Server 2008 R2-based client computer when you apply a Group Policy preference that has OU filtering
http://support.microsoft.com/kb/2693010
Rule Algorithm
Source:
WMI_1 Root\CIMv2:Win32_QuickFixEngineering.HotFixID
Detection Logic
Applies to: Windows 7
Either one of the following must be true:
* WMI_1 equal to "KB2732673" does not exist
* WMI_1 equal to "KB2728738" does not exist
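The Detection Logic above is a membership test over Win32_QuickFixEngineering.HotFixID. The following PowerShell is an added example, not the RAP tooling; it assumes Windows PowerShell 3.0 or later for Get-CimInstance (on the PowerShell 2.0 that Windows 7 ships with, Get-WmiObject -Class with the same class names works the same way). The function names Test-IsWindows7 and Get-MissingHotfixes and the variable $RecommendedHotfixes are this example's own; the KB numbers are the ones the report names, and the example checks all three that the Affected Nodes text lists rather than only the two in the bullets.

```powershell
# Added example, not part of the RAP report: evaluate the "Recommended HotFixes
# for Windows 7 Not Installed" rule. WMI_1 in the report's Rule Algorithm is
# Win32_QuickFixEngineering.HotFixID, queried here through CIM.

# The KB identifiers the report names; the rule fails when any is absent.
$RecommendedHotfixes = 'KB2732673', 'KB2728738', 'KB2693010'

function Test-IsWindows7 {
    # The rule applies to Windows 7 only: NT version 6.1 on a workstation SKU
    # (Win32_OperatingSystem.ProductType 1). Server 2008 R2 is 6.1 with type 3.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    ($os.Version -like '6.1.*') -and ($os.ProductType -eq 1)
}

function Get-MissingHotfixes {
    param([string[]]$Required = $RecommendedHotfixes)
    # Win32_QuickFixEngineering lists updates applied through the servicing
    # stack; HotFixID carries the "KBnnnnnnn" string the rule compares against.
    $installed = Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Select-Object -ExpandProperty HotFixID
    $Required | Where-Object { $installed -notcontains $_ }
}

if (Test-IsWindows7) {
    $missing = @(Get-MissingHotfixes)
    if ($missing.Count -gt 0) {
        "The following hotfixes are not installed: $($missing -join ', ')"
    } else {
        'All recommended hotfixes are installed.'
    }
} else {
    'Rule does not apply: this is not a Windows 7 client.'
}
```

For a fleet-wide sweep, the built-in Get-HotFix cmdlet wraps the same class and accepts -ComputerName, so the membership test can be run against each node in the list without copying the script there. Keep in mind that Win32_QuickFixEngineering only records updates installed through the Windows servicing stack; an update delivered as an MSI does not appear, so a "not installed" result for such a package needs confirming against Programs and Features.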
Affected Nodes
admpc280.CVM.NCSU.EDU
The following hotfixes are not installed: KB2732673, KB2728738, KB2693010
ALUMINUM.CNR.NCSU.EDU
The following hotfixes are not installed: KB2732673, KB2728738, KB2693010
BUSTA.ECE.NCSU.EDU
The following hotfixes are not installed: KB2732673, KB2728738, KB2693010
CLH-9F8NXR1.COM.NCSU.EDU
The following hotfixes are not installed: KB2732673, KB2728738, KB2693010
crpc11.CVM.NCSU.EDU
The following hotfixes are not installed: KB2732673, KB2728738, KB2693010
EI-SPARE-LT1.DELTA.NCSU.EDU
The following hotfixes are not installed: KB2732673, KB2728738, KB2693010
GRAD073.NE.NCSU.EDU
The following hotfixes are not installed: KB2732673, KB2728738, KB2693010
GRAD076.NE.NCSU.EDU
The following hotfixes are not installed: KB2732673, KB2728738, KB2693010
ITECS-DT-34.EOS.NCSU.EDU
The following hotfixes are not installed: KB2732673, KB2728738, KB2693010
ITECS-DT-55.EOS.NCSU.EDU
The following hotfixes are not installed: KB2732673, KB2728738, KB2693010
Users Are Able To Index Any Path
Status: Failed
Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
Microsoft Indexing Service makes it easier for users to search for data on client computers and servers. Indexing Service scans files on Windows 2000 servers and client computers and builds content and property indexes that dramatically improve search capability and performance. When the service is running, users can search for words and phrases in thousands of files in just a few seconds.
Indexing Service has the following features:
- Searches by content (for example, searches all files containing "revenue projections").
- Searches by document properties (for example, searches all files where AUTHOR contains "Sarah").
- Searches with Boolean operators (for example, AND, OR, NOT).
- Uses a free-text search, which allows users to enter any combination of words without having to learn a particular search syntax.
- Can index volumes on the local computer and also network shares, including NetWare and UNIX servers.
- Provides secure query results. Returns only the documents that users are allowed to read. Uses standard Windows access control lists (ACLs).
- Integrates with NTFS for better performance and reliability.
- Integrates with Internet Information Services (IIS) to provide a search capability for Internet and intranet Web sites.
- Can create customized search forms and user interfaces by using OLE-DB or Microsoft® ActiveX® Data Objects (ADO) scripting.
- Indexes a variety of file formats.
- Integrates with Windows user interface and Windows Explorer.
When Indexing Service is running on a system, it monitors the system for file modification. When files are modified, they are opened and their contents indexed. Opening files is done by a low priority background process so that general server performance is minimally impacted. In addition, when running on NTFS, Indexing Service uses a number of NTFS advanced features to minimize overall system overhead.
When you first run the service, it must build its indexes from scratch. This involves scanning all the files on the volume. Initial index construction accesses the disk heavily until the indexes have been built. After the indexes have been generated, only incremental updates are needed as files are modified, so further updates are virtually unnoticeable. In all cases, index update is a low priority task and will pause if server resources are needed for other operations.
Adding too many locations to the list of indexed locations can degrade the performance of both indexing and search.
Additional Information
Importance: If this setting is not configured, users can add any file location.
Recommended Reading
Windows Desktop Search Group Policy
http://technet.microsoft.com/en-us/library/cc732768.aspx
Group Policy for Windows Search
http://technet.microsoft.com/en-us/library/cc732491.aspx
Recommended Resolution
Windows Search does not index the paths you specify. The user cannot enter any path that starts with one of the paths you specified. Please add paths as follows:
Protocol://site/path/file
An example of a local machine path is file:///C:\*
An example of a network share is otfs://{*}/server/path/*
An example of a mapped network drive includes both: file:///X:\* and otfs://{*}/X/*
Rule Algorithm
Source:
Registry_Value_1 HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsSearch\PreventModifyingIndexedLocations @ REG_DWORD
Registry_Value_2 HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsSearch\FavoriteLocations @ REG_DWORD
Registry_Value_3 HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventModifyingIndexedLocations @ REG_DWORD
Registry_Value_4 HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search\FavoriteLocations @ REG_DWORD
Registry_Value_5 HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingCertainPaths @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 is not equal to "1" and Registry_Value_2 is not equal to "1" and Registry_Value_3 is not equal to "1" and Registry_Value_4 is not equal to "1" and Registry_Value_5 is greater than 1
Affected Nodes
HLB106PC.CLASSTECH.NCSU.EDU
Users are able to index any path; no restrictions are in place.
Verbose Status Messages Enabled
Status: Failed
Description: 37 node(s) out of 37 node(s) were affected by this issue (100%).
Verbose startup messages provide additional detail during the startup process. Rather than displaying the standard startup messages such as "Applying computer settings", you will be presented with verbose messages such as "RPCSS is starting". While this provides an administrator some additional detail regarding the startup process, such information is unnecessary detail for users. In addition, using verbose status messages can increase system startup time, delaying the user logon process unnecessarily.
While it may seem beneficial to have this enabled across the environment so that administrators can better see the current startup step being executed, far more detail is available in the system event logs and by performing system boot tracing. These should be the preferred mechanisms for administrators to troubleshoot startup/logon issues.
Additional Information
Importance: Having verbose status messages displayed negatively affects boot and logon performance.
Recommended Reading
How to enable verbose startup, shutdown, logon, and logoff status messages in the Windows Server 2003 family
http://support.microsoft.com/kb/325376
Recommended Resolution
Determine the mechanism that currently enables verbose status messages (e.g., Group Policy, registry change, script, etc.) and disable verbose status messages. For guidance on where the various configuration options for this setting are located, review the KB article (325376) listed in the Recommended Reading section.
Turn on verbose status messages in the future only when required for troubleshooting purposes.
Rule Algorithm
Source:
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\VerboseStatus @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 is equal to 0x00000001
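Both registry-backed rules in this part of the report, "Users Are Able To Index Any Path" above and "Verbose Status Messages Enabled" here, reduce to reading a few REG_DWORD values and applying the stated Detection Logic. The following PowerShell is an added example, not the RAP tooling; it assumes Windows PowerShell 3.0 or later, and it assumes that Registry_Value_1 and Registry_Value_2, which the report prints under WindowsSearch without a space, live under the same "Windows Search" key as Registry_Value_3 to Registry_Value_5. The function names are this example's own.

```powershell
# Added example, not part of the RAP report: evaluate the two registry rules
# "Users Are Able To Index Any Path" and "Verbose Status Messages Enabled"
# from the values listed in their Rule Algorithm sections.

function Get-RegistryDword {
    # Returns the REG_DWORD at $Path\$Name, or $null when the key or value is
    # absent; both rules treat an absent value as "not configured".
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-UsersCanIndexAnyPath {
    # Assumption: all five values sit under the "Windows Search" policy key that
    # Registry_Value_3..5 name; the report prints _1 and _2 without the space.
    $hklm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
    $hkcu = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
    $v1 = Get-RegistryDword $hklm 'PreventModifyingIndexedLocations'
    $v2 = Get-RegistryDword $hklm 'FavoriteLocations'
    $v3 = Get-RegistryDword $hkcu 'PreventModifyingIndexedLocations'
    $v4 = Get-RegistryDword $hkcu 'FavoriteLocations'
    $v5 = [int](Get-RegistryDword $hklm 'PreventIndexingCertainPaths')  # $null -> 0
    # Detection Logic as the report states it: no lock-down value is 1, and
    # Registry_Value_5 is greater than 1. $null -ne 1 evaluates to $true, so an
    # unconfigured machine satisfies the first four terms.
    ($v1 -ne 1) -and ($v2 -ne 1) -and ($v3 -ne 1) -and ($v4 -ne 1) -and ($v5 -gt 1)
}

function Test-VerboseStatusEnabled {
    # Registry_Value_1 of the verbose-status rule: fails when the value is 1.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    (Get-RegistryDword $path 'VerboseStatus') -eq 1
}

# Report each rule in the report's own Status vocabulary.
$results = [ordered]@{
    'Users Are Able To Index Any Path' = Test-UsersCanIndexAnyPath
    'Verbose Status Messages Enabled'  = Test-VerboseStatusEnabled
}
foreach ($rule in $results.Keys) {
    '{0}: {1}' -f $rule, $(if ($results[$rule]) { 'Failed' } else { 'Passed' })
}
```

The comparison for Registry_Value_5 is written exactly as the report states it ("greater than 1"), so the indexing rule only fails when every lock-down value is absent or not 1 and PreventIndexingCertainPaths is set above 1. For the verbose-status rule, the VerboseStatus value the report names is the one written by the Group Policy setting "Display highly detailed status messages" under Computer Configuration\Administrative Templates\System; clearing it there, or wherever the Recommended Resolution finds it was set, makes the rule pass on the next scan.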
Affected Nodes
315BPT01.CALS.NCSU.EDU
VerboseStatus value: 1
admpc280.CVM.NCSU.EDU
VerboseStatus value: 1
ALUMINUM.CNR.NCSU.EDU
VerboseStatus value: 1
BILT-3032A-01.CNR.NCSU.EDU
VerboseStatus value: 1
BUSTA.ECE.NCSU.EDU
VerboseStatus value: 1
CHASSIT-TEST.CHASS.NCSU.EDU
VerboseStatus value: 1
CLH-9F8NXR1.COM.NCSU.EDU
VerboseStatus value: 1
COLLAB-TEST-HD.EOS.NCSU.EDU
VerboseStatus value: 1
crpc11.CVM.NCSU.EDU
VerboseStatus value: 1
DELTA-DT-SP03.DELTA.NCSU.EDU
VerboseStatus value: 1
Security
Security is not binary, and it is not a switch or even a series of switches. In addition, it cannot be expressed in absolute terms, because security is relative: there is only more secure and less secure. Furthermore, security is dynamic in that people, process, and technology all change. In other words, security is simply risk management.
Security consists mainly of three elements, formerly known as CIA:
▪ Confidentiality – Confidentiality refers to limiting information access and disclosure to authorized users.
▪ Integrity – Integrity refers to the trustworthiness of information resources.
▪ Availability – Availability refers, not surprisingly, to the availability of information resources.
Security and functionality must be carefully balanced in order to achieve the highest possible productivity level for the end user. However, at the same time data confidentiality must be achieved, in order to keep personal data protected from manipulation or theft.
There are some key points which you should keep in mind while working on a security management plan:
▪ Security is not black and white.
One of the key tenets of security management is that you are in the business of risk management. There is no surefire firewall. There is no impermeable solution. Your plans must consist of a cross-technology, cross-specialty, multitier approach. From your network to your desktops, from security software to security features built into the operating system, you need a stack of solutions (a strategy referred to as "defense in depth"). You must understand how each component protects your infrastructure and how each might be vulnerable. You need to know how best to protect your end users, and how to protect your infrastructure from those end users.
Most importantly, remember that security management is a strategy and must be dealt with persistently. There is no "complete" solution and the work is never finished. There is no gauge to tell you that your network or systems are now secure or not secure. And it doesn’t always get easier by simply adding more solutions to the stack.
Your environment is never totally secure. There is never a point when you can say the infrastructure is secure and walk away. This is a fundamental concept that needs to be understood. There are too many variables and too many dependencies. A false sense of security can truly be your worst enemy.
▪ The road to least privilege is a long one.
Least privilege means different things to different people. You might think of it as follows: users should be allowed only the privileges and rights on their local system and the network absolutely required for them to complete their day-to-day tasks.
▪ Don’t sacrifice security for compatibility.
Some organizations create significant security risks by easing file system and registry access control lists (ACLs) to a point where the system’s security footprint could no longer be assessed adequately. The security policy and permission lines that were drawn between the Administrators and Users groups were not drawn arbitrarily by the Windows team.
Every step you take to open security restrictions in order to make an application work is a potential security loophole. Choose wisely and understand the risks of each decision before making such changes. An application that is updated - or manipulated - to behave within the constraints of Windows security is preferable to an application that makes Windows more porous in order to accommodate the software’s needs.
▪ Your enterprise is only as secure as your most- and least-technical users.
This point may seem obvious, but it can be easy to overlook. A key component of your infrastructure is your users. Your security strategy impacts your end users and affects their actions. If your security policy is too oppressive, more technical users are likely to seek ways to set themselves free. Sure, you can put organizational policy into play, but you need to take a step back and examine the underlying reasons your end users don’t want what your organization has prescribed. Do they have good reasons for wanting more power? Is there a happy medium you can achieve?
Local Administrators can completely defeat Group Policy. Users who have the local Administrator password can do the same, so that should be a guarded secret. And technically savvy users can often thwart security just as readily by bypassing the primary operating system using software such as Windows PE. If an attacker has unrestricted physical access to your computer, it’s not your computer anymore.
On the other end of the spectrum you have to worry about your less-technical users and your ability to control their risky behavior. In a world of phishing, spam, and other forms of malicious trickery, it’s not enough to simply update and lock down systems. You must also educate users. If they run in the Administrators group, this is critical. If they run in the Power Users group, it is equally important. If they run in the Users group, it isn’t as critical - at least to the security of their local system - but should still be a part of your defense strategy. Malware that replicates through e-mail or an instant messaging client can still execute under an account in the Users group. It can then propagate to other users who may be susceptible to further damage if they are running with elevated privileges.
▪ "Not knowing" is often your biggest exposure point.
The first step in securing the infrastructure is actually understanding the infrastructure. How many different versions of Windows are you using? What management software are you running? How do you handle Windows and Office patch management? What antivirus, antispyware, and third-party firewall software do you use? How many versions of each product are you using? How secure are your systems - in terms of both network/Internet accessibility and physical accessibility? Are your signature files current? Do your users use IM or e-mail clients you don’t know about?
How about your end users? Are they running as Administrators or Users? Do they have strong passwords, and do they change passwords regularly? Do you audit your systems to identify unmanaged software? (Software you don’t manage centrally can pose both security and licensing risks.)
Is your network wireless? If so, it is probably a good idea for you to use Wi-Fi Protected Access (WPA). Wired Equivalent Privacy (WEP) should not be used on a business wireless network since it does not provide adequate security.
It’s important that you perform regular audits of your infrastructure. This will help you to know your hardware, your software, and your overall network. Commit this information to documentation in a location known to your entire team and upper management. Work to define a strategy to reduce or mitigate every attack vector you find.
▪ If you trust a single piece of security technology to do everything, you’re making a big mistake.
Remember that no single vendor in the security space has "the solution to your security needs." Your strategy should be to build a defense-in-depth - a thorough arsenal of firewalls, antivirus, antimalware, antispyware, application lockdown software, and so on. You need to select the pieces that will define your security strategy, but don’t expect that one piece of the puzzle can obviate many others.
In today’s world you must layer your solutions: good systems management software, good security management software, and a reliable patch management strategy. Seek out the best solutions in each category, basing your decision on capability, not on price. The best solutions may or may not be the most expensive solutions. Likewise, they may or may not be the cheapest. They also might not be the best-known or most popular name in the space.
To sum up, stack your defense forces aggressively - because the larger your enterprise, the more forces there are being aggressively stacked against you.
▪ Any vendor who claims "100% security" is probably lying to you.
You should closely examine any security vendor who makes overly strong claims like "bulletproof," "unbreakable," or "impervious." This is marketing speak and nothing more. This probably isn’t news to you. But make sure those you work with maintain a discerning eye and don’t take such claims too seriously. Always remember that no solution is 100 percent secure.
▪ Not deploying updates is expensive.
Although much more common in the past, some organizations have held off on deploying a patch until it had run through a suite of compatibility tests. This process could take a considerable amount of time, depending on the suite of applications in use, and is only viable as long as the system you’re waiting to update is not on a network connected in any way to the Internet. It may appear you can defer updating for a brief period, but as we’ve seen with zero-day exploits, that period is shrinking. And don’t discount this advice just because you have an isolated network. If a system that has been on the Internet (such as a laptop) can connect to your network, it can potentially infect the rest of the network.
You should aggressively analyze the threat posed by not applying any patch or update. Unless the threat is effectively benign or the systems being deferred are on a completely isolated network, apply updates as broadly and as soon as possible. Part of your risk management strategy should include being prepared to rapidly recover systems should they, or the applications running on them, prove more harmed by the patch than threatened by the vulnerability. Remember, patch early and patch often.
▪ The next big thing probably won’t do it all.
The security space has been greatly evolving over recent years. The most important thing to remember is that there are hundreds of security technologies out there - and none of them is the magic bullet. Applications will require rewriting to behave optimally, installers will still require administrative rights, and you won’t necessarily have the ideal solution to break enterprise users from the administrative logon habit.
Any new security offering should be evaluated, tested, and compared. Do not expect to find one that solves 100 percent of your security headaches, or provides a 100 percent solution to any one problem. Just keep in mind that while future products will offer improved technologies, it will still be just as unlikely that any product will offer a complete solution in a single package. Understand the risks and benefits of any solution, and what additional components you may need to put in place. And realize that as new threats arise, new additional solutions may be required.

Antivirus Software Is Not Installed On All Clients
Question: Are antivirus and antispyware software installed on all clients?
Selected Answer: No
Additional Comments: There is a University policy saying all machines must use an antivirus product but there is no enforcement done. It only comes into play after an incident has taken place.
Status: Failed
Description: Antivirus software is a mandatory software component for all clients. It helps to identify and remove known malicious software and increases overall security.
Nevertheless, a risk management plan must be in place.
Additional Information
Install Antivirus: To reach a higher level in risk management for corporate security, it is highly recommended that you use both antivirus and antispyware software. Although they do not provide 100 percent security, they can limit the effect of known spyware, malware, and other kinds of malicious code.
Antispyware Software Is Not Installed On All Clients
Question: Are antivirus and antispyware software installed on all clients?
Selected Answer: No
Additional Comments: There is a University policy saying all machines must use an antivirus product but there is no enforcement done. It only comes into play after an incident has taken place.
Status: Failed
Description: Malware uses many different methods to try replicating among computers. Thus, an antispyware software component is required for all clients.
Nevertheless, a risk management plan must also be in place.
Additional Information
Install Antispyware: To reach a higher level in risk management for corporate security, it is highly recommended that you use both antivirus and antispyware software. Although these do not provide 100 percent security, they can limit the effect of known spyware, malware, and other kinds of malicious code.
Security Center Alerts Detected
Status: Failed
Description: 19 node(s) out of 37 node(s) were affected by this issue (51.35%).
Until the arrival of the Security Center in Windows XP Service Pack 2 (SP2), dealing with all of the Windows security settings was difficult. Now, Security Center is all you need to manage important Windows security settings in one place, and it's even more useful since Windows Vista.
With Windows Security Center, you can see which application is acting as your computer's firewall or anti-spyware and antivirus solution. You can also check the status of firewall, automatic update, and user account control settings. Windows Security Center is unique in that it monitors the status of third-party applications in addition to built-in Windows technologies. It checks for the following items:
- Whether a firewall is installed and whether it is turned on.
- Whether an antivirus program is installed and if the definitions are up to date and real-time scanning is enabled.
- Whether an anti-spyware program is installed and if the definitions are up to date and real-time scanning is enabled.
Windows Security Center uses two approaches to detect third-party antivirus and firewall applications. In manual mode, Windows Security Center searches for registry keys and files that let it detect the status of the software. It also queries Windows Management Instrumentation (WMI) providers made available by participating vendors that return the status of features. This means you can use non-Microsoft solutions for antivirus, anti-spyware, or firewall issues and still use Windows Security Center to monitor and protect your computer.
Windows Security Center can be controlled by Group Policy. By default, it is disabled in domain environments. To turn on Windows Security Center, access the Computer Configuration\Administrative Templates\Windows Components\Security Center node. The name of the policy to turn it on is Turn on Security Center (Domain PCs only).
Windows Security Center also monitors the status of User Account Control settings and Internet security settings. User Account Control lets you use your computer as a standard user rather than as an administrator, which is much safer. As a standard user, any changes you make can't affect the entire system and any software you install can only do so much damage.
Additional Information
Importance: By default, Security Center is disabled in domain environments. If enabled, Security Center alerts show common issues.
The issues detected may be of a serious nature such as antivirus not being installed or up-to-date. Review the security center alerts to determine the impact.
Recommended Resolution
Review the list of security center alerts on the affected nodes. Ensure that any security center alerts are investigated.
It is possible that the security center reports incorrect information; in that case, check with the vendor of the security software the alert refers to, to determine whether that software is compatible with the Windows Security Center.
Rule Algorithm
Source:
Registry_Value_1 HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Security Center\SecurityCenterInDomain @ REG_DWORD
WMI_1 Root\SecurityCenter2:Win32_AntivirusProduct.DisplayName, Win32_AntivirusProduct.ProductState
CUSTOM_1 WMI_1.ProductState must be converted from hexadecimal to decimal
Detection Logic
Applies to: Windows Vista and later
Hardware condition:
* Target device is domain joined
The following must be true:
* Registry_Value_1 is 0x00000001
* 5th bit of CUSTOM_1 is greater than 0 (AntiVirus is out of date) or no entries with 13th bit of CUSTOM_1 greater than 0 available (OnAccessScanner)
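The rule above hinges on two bits of Win32_AntivirusProduct.ProductState, which the report numbers from 1. The following PowerShell is an added example, not the RAP tooling; it assumes Windows PowerShell 3.0 or later and that the report's "5th bit" is the 0x10 bit (signatures out of date) and its "13th bit" is the 0x1000 bit (on-access scanner running), which is how the 1-based count in the bullets reads. The function names are this example's own, and the output line is formatted to match the per-node Summary entries that follow.

```powershell
# Added example, not part of the RAP report: read Win32_AntivirusProduct from
# root\SecurityCenter2 and decode ProductState the way the "Security Center
# Alerts Detected" rule does. Bit positions below follow the report's 1-based
# numbering: "5th bit" = 0x10, "13th bit" = 0x1000 (assumption stated above).

function ConvertFrom-ProductState {
    param([uint32]$ProductState)
    [pscustomobject]@{
        Hex      = '0x{0:X6}' -f $ProductState
        Enabled  = [bool]($ProductState -band 0x1000)    # 13th bit: on-access scanner
        UpToDate = -not [bool]($ProductState -band 0x10) # 5th bit set means out of date
    }
}

function Get-SecurityCenterAvStatus {
    # root\SecurityCenter2 exists on Windows Vista and later client SKUs only;
    # on a server SKU the query returns nothing rather than throwing.
    $products = @(Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName Win32_AntivirusProduct -ErrorAction SilentlyContinue)
    foreach ($p in $products) {
        $s = ConvertFrom-ProductState -ProductState $p.productState
        [pscustomobject]@{
            DisplayName  = $p.displayName
            Enabled      = $s.Enabled
            UpToDate     = $s.UpToDate
            ProductState = $s.Hex
        }
    }
}

function Test-SecurityCenterAlert {
    # Precondition from the rule (Registry_Value_1): Security Center has been
    # turned on for domain PCs. Without it the rule is not evaluated at all.
    $policy = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center' -Name SecurityCenterInDomain -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.SecurityCenterInDomain -ne 1) { return $false }
    $status    = @(Get-SecurityCenterAvStatus)
    $outOfDate = @($status | Where-Object { -not $_.UpToDate })
    $enabled   = @($status | Where-Object { $_.Enabled })
    # Fail when any product is out of date, or when no product has an active
    # on-access scanner (which is what the nodes below report for Defender).
    ($outOfDate.Count -gt 0) -or ($enabled.Count -eq 0)
}

Get-SecurityCenterAvStatus | ForEach-Object {
    '{0} (Enabled = {1}; Up To Date = {2})' -f $_.DisplayName, $_.Enabled, $_.UpToDate
}
'Security Center Alerts Detected: ' + $(if (Test-SecurityCenterAlert) { 'Failed' } else { 'Passed' })
```

The summaries below show why the example is worth keeping alongside the rule: a product can be fully up to date and still leave the machine unprotected because its on-access scanner is off, and it is the 0x1000 bit, not the definition age, that the second half of the rule keys on. Where a third-party product is installed, its own WMI provider populates the same class, so the decode applies unchanged; if the result contradicts the product's console, that is the vendor-compatibility question the Recommended Resolution points to.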
Annotation
Affected Nodes
315BPT01.CALS.NCSU.EDU
Summary:
Windows Defender (Enabled = False; Up To Date = True)
BILT-3032A-01.CNR.NCSU.EDU
Summary:
Windows Defender (Enabled = False; Up To Date = True)
CHASSIT-TEST.CHASS.NCSU.EDU
Summary:
Windows Defender (Enabled = False; Up To Date = True)
COLLAB-TEST-HD.EOS.NCSU.EDU
Summary:
Windows Defender (Enabled = False; Up To Date = True)
DELTA-DT-SP03.DELTA.NCSU.EDU
Summary:
Windows Defender (Enabled = False; Up To Date = True)
DELTA-DT-SP05.DELTA.NCSU.EDU
Summary:
Windows Defender (Enabled = False; Up To Date = True)
EI-SPARE-LT1.DELTA.NCSU.EDU
Summary:
HLB106PC.CLASSTECH.NCSU.EDU
Summary:
Windows Defender (Enabled = False; Up To Date = True)
ITECS-DT-19.EOS.NCSU.EDU
Summary:
Windows Defender (Enabled = False; Up To Date = True)
MOBILELAB4.IE.NCSU.EDU
Summary:
Windows Defender (Enabled = False; Up To Date = True)
Full Hard Disk Encryption Is Not Enabled On All Devices
Question: Is full hard disk encryption activated on your Windows PCs and devices?
Selected Answer: No
Additional Comments: We do use MBAM and BitLocker but it is an opt-in process.
Status: Failed
Description: Protecting data and sensitive business information is critical for companies.
If a security breach occurs, the risks are considerable: negative impact on brand equity, the cost of notifying affected customers, possible exposure of intellectual property, and failure to comply with government regulations.
These outcomes can also have significant financial consequences for a company.
Additional Information
Encrypting Windows Devices: Full disk encryption does not replace file or directory encryption in all situations. Disk encryption can sometimes be used together with file system-level encryption, resulting in a more secure implementation at a cost in performance. Because disk encryption uses the same key for encrypting the whole volume, all data can be decrypted while the system is running.
If an attacker gains access to the computer at run-time, that person has access to all files. Instead, conventional file and folder encryption allows different keys for different parts of the disk (for example, a directory can be encrypted for User A, and another directory for User B with a different certificate). If the attacker does not have the user account information, that person cannot extract information from still-encrypted files and folders.
If full disk encryption is not possible in your corporate environment, use at least SecureBoot with value 0x2 or 0x3 and the Encrypting File System (EFS) on your data directories.
The Organization Does Not Apply Hardware Security Updates Proactively
Question: Which components of your infrastructure do you proactively apply updates for?
Selected Answer: Windows; Applications
Additional Comments: Applications are only Microsoft updates that come through WSUS.
Status: Failed
Description: Microsoft releases periodic service packs for Microsoft Windows and for applications, while hardware vendors release updated firmware and drivers. Many customers, however, do not proactively schedule and apply these updates. Yet these service packs, firmware, and driver updates are released in order to help customers proactively avoid known issues. Thus, they should be routinely scheduled, tested, and deployed.
Additional Information
Applying Hardware Security Updates: Microsoft recommends a 6-month cycle with the following steps:
· Quantify all streams for the services and the applications that they support (for example, hardware models, applications, and service settings)
· Manage a release cycle for each stream
· Use an automated toolset, such as Desired Configuration Manager (DCM), to ensure that the infrastructure remains in compliance with the releases
The Organization Does Not Apply Security Updates For Both Software And Hardware Proactively
Question: Which of the following items apply to your security updates management process?
Selected Answer: Critical security updates are applied within a month after being released. An emergency process exists for deploying urgent software updates.
Status: Failed
Description: Security updates are very important safeguards for an organization. Thus, it is essential that each security update is reviewed and applied when it is applicable to your environment.
Additional Information
Best Practice Guideline: Release Management and staying current consists of much more than just security updates. For example, Microsoft releases periodic service packs for Microsoft Windows and for applications, while hardware vendors release updated firmware and drivers. However, many customers do not proactively schedule and apply these updates.
These service packs, firmware, and driver updates are released in order to help customers proactively avoid known issues. Therefore, they should be routinely scheduled, tested, and deployed.
Recommended Reading
The Importance of Proactive Update Management:
http://technet.microsoft.com/en-us/library/cc700845.aspx#XSLTsection129121120120
Microsoft TechNet: Service Management Functions - Change Management
http://www.microsoft.com/technet/solutionaccelerators/cits/mo/smf/smfchgmg.mspx
Microsoft TechNet: Service Management Functions - Release Management
http://www.microsoft.com/technet/solutionaccelerators/cits/mo/smf/smfrelmg.mspx
Recommended Resolution
Quantify all streams for the services and the applications that they support (for example, hardware models, applications, and service settings)
Manage a release cycle for each stream
Use an automated toolset, such as Desired Configuration Management (DCM), to ensure that the infrastructure remains in compliance with the releases.
Users Are Local Administrators By Default
Question: How many users are local administrators of their machines?
Selected Answer: Most Users
Additional Comments: This varies by department, but the majority of departments allow their end users to be administrator because it is just easier, or it's a political problem.
Status: Failed
Description: If the company's employees have local administrative rights, the client environment is no longer under your control. To avoid spreading risky malicious code and software, it is recommended that you use only limited privilege accounts.
No Procedures And Tools In Place For Checking Missing Security Updates And Service Packs
Question: Do you have procedures and tools in place to periodically check that the latest service pack, Microsoft security updates, and third-party security updates are applied to the environment?
Selected Answer: No
Status: Failed
Description: Security is an ongoing, always changing concern. An experienced Security team and a well-developed process are required to ensure that ongoing changes are propagated to the applications.
Additional Information
Best Practice Guideline: Design and configuration changes made to a server have the potential to introduce risk to the environment. To reduce the effect of this risk, all new designs and core changes should undergo a formal security review. In addition, to support this strategy, an organization should define a security process with an understanding of the business requirements and the process for its implementation.
Recommended Resolution
Automatic verification of the installation of the latest service pack and security updates on Domain Controllers (as well as all other machines) is strongly recommended. Microsoft Baseline Security Analyzer and/or System Center Configuration Manager features can be used to verify any missing Microsoft update.
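Where MBSA or Configuration Manager is not yet in place, the Windows Update Agent COM API gives a quick, scriptable way to list the security updates a machine is still missing. The following PowerShell is an added example and is not code from the RAP report, MBSA, or Configuration Manager; the function name, output fields, and severity filter are my own, and it assumes the host can reach its WSUS server or Microsoft Update.

```powershell
# Added example (not from the RAP report): enumerate applicable-but-missing
# software updates via the Windows Update Agent COM API and keep those at or
# above a chosen MSRC severity. Function name and output shape are assumptions.
function Get-MissingSecurityUpdate {
    [CmdletBinding()]
    param(
        # Lowest MSRC severity to report. Updates with no severity (for example
        # definition updates) are always listed so that they are not overlooked.
        [ValidateSet('Low', 'Moderate', 'Important', 'Critical')]
        [string]$MinimumSeverity = 'Important'
    )

    $rank = @{ Low = 1; Moderate = 2; Important = 3; Critical = 4 }

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Search criteria follow the Windows Update Agent API syntax:
    # not installed, not hidden by an administrator, software (not driver) updates.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        $severity = $update.MsrcSeverity
        if ($severity -and $rank[$severity] -lt $rank[$MinimumSeverity]) { continue }

        [pscustomobject]@{
            Title        = $update.Title
            KB           = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity     = if ($severity) { $severity } else { 'n/a' }
            Categories   = ($update.Categories | ForEach-Object { $_.Name }) -join '; '
            # RebootBehavior 0 = never requires a reboot; 1 = always; 2 = may request one.
            RebootNeeded = $update.InstallationBehavior.RebootBehavior -ne 0
        }
    }
}

# Usage: report Critical and Important updates that are still outstanding on this host.
Get-MissingSecurityUpdate -MinimumSeverity Important |
    Sort-Object Severity -Descending |
    Format-Table KB, Severity, RebootNeeded, Title -AutoSize
```

Run from an elevated session so the agent can perform an online scan; collecting the output from every host into a central share turns this into the periodic check the finding asks for, and a non-empty Critical list older than the one-month window in the selected answer is the condition to alert on.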
Built-In Local Administrator Account Is Not Disabled
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The Administrator account has full control of the machine.
A security identifier (SID) is a unique value of variable length that is used to identify a security principal or security group in Windows operating systems. Well-known SIDs are a group of SIDs that identify generic users or generic groups. Their values remain constant across all operating systems.
For this reason, it is essential to protect this well-known, high-privileged account.
Additional Information
Importance: If built-in local accounts are not disabled by a network administrator, they can be used by a malicious user, application, or service to illegally log on to a machine using the Administrator account or Guest account.
Recommended Reading
Well-known security identifiers in Windows operating systems:
http://support.microsoft.com/kb/243330
Recommended Resolution
A good security practice for protecting built-in local accounts is to rename or disable them.
Because a built-in local account retains its SID, it also retains all of its other properties, such as its description, password, group memberships, user profile, account information, and any assigned permissions and user rights. For this reason, built-in local accounts should be disabled.
How to Enable and Disable the Built-in Administrator Account:
http://technet.microsoft.com/en-us/library/hh825104.aspx
Rule Algorithm
Source
WMI_1 Root\CIMv2:Win32_UserAccount.SID("*500")
WMI_2 Root\CIMv2:Win32_UserAccount.Status
Detection Logic
Applies to: All operating systems
The following must be true:
* WMI_1 exists
* WMI_2 is "OK"
Annotation: Look to disable this for all machines
Affected Nodes
EB2-2214-LOAN01.CSC.NCSU.EDU
Built-in local Administrator account is not disabled.
EB2-2214-LOAN02.CSC.NCSU.EDU
Built-in local Administrator account is not disabled.
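The rule above keys on the account's SID (WMI_1) and its Status (WMI_2) rather than on the name "Administrator", because the relative ID 500 survives a rename. The PowerShell below reproduces that check with CIM so the affected nodes can be re-verified after remediation. It is an added example, not the RAP tool's own code; the function name, the output fields, and the use of WinRM for remote hosts are assumptions.

```powershell
# Added example (not from the RAP report): locate the built-in Administrator
# (RID 500) on a host and report whether it is disabled, mirroring the rule's
# Win32_UserAccount SID/Status check. Function name and fields are assumptions.
function Get-BuiltInAdminStatus {
    [CmdletBinding()]
    param(
        # Remote host to query over WinRM; leave empty for the local machine.
        [string]$ComputerName = ''
    )

    # LocalAccount=TRUE keeps the query from enumerating domain accounts.
    $cimArgs = @{ ClassName = 'Win32_UserAccount'; Filter = 'LocalAccount = TRUE' }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }
    $accounts = Get-CimInstance @cimArgs

    # Match on the SID suffix, as the rule does: the account may have been renamed.
    $admin = $accounts | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    $hostLabel = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    if (-not $admin) {
        return [pscustomobject]@{
            ComputerName = $hostLabel
            Name         = $null
            SID          = $null
            Disabled     = $null
            Status       = 'NotFound'
            Finding      = 'Unable to locate the RID 500 account'
        }
    }

    # Status is "OK" for an enabled account and "Degraded" once it is disabled;
    # Disabled is the boolean form of the same fact and is what the verdict uses.
    [pscustomobject]@{
        ComputerName = $hostLabel
        Name         = $admin.Name
        SID          = $admin.SID
        Disabled     = $admin.Disabled
        Status       = $admin.Status
        Finding      = if ($admin.Disabled) { 'Pass' } else { 'Fail: built-in Administrator is enabled' }
    }
}

# Usage: re-check the two affected nodes from the report and keep only failures.
$nodes = 'EB2-2214-LOAN01.CSC.NCSU.EDU', 'EB2-2214-LOAN02.CSC.NCSU.EDU'
$nodes | ForEach-Object { Get-BuiltInAdminStatus -ComputerName $_ } |
    Where-Object { $_.Finding -like 'Fail*' } |
    Format-Table ComputerName, Name, Status, Finding -AutoSize
```

Because the check is SID-based, a renamed Administrator account still shows up, which is the point the Recommended Resolution makes: renaming alone does not change the account's identity or rights, so the verdict is driven by the Disabled flag.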
The Organization Does Not Use A Tool To Regularly Scan The Environment For Security Issues
Question: Do you use a tool to regularly check your environment for security issues?
Selected Answer: No
Status: Failed
Description: Security is an ongoing, always changing concern. An experienced Security team and a well-developed process are required to ensure that ongoing changes are propagated to the applications.
Design and configuration changes made to PCs have the potential to introduce risk to the environment. To reduce the effect of this risk, all new designs and core changes should undergo a formal security review. In addition, to support this strategy, an organization should define a security process with an understanding of the business requirements and the process for its implementation.
Additional Information
Check for Security Issues: The Microsoft Baseline Security Analyzer (MBSA) or a similar tool can be used to regularly scan your environment for security issues.
Network Access Protection Is Not Used To Ensure Computer Identity And Compliance
Question: Is Network Access Protection (NAP) or an equivalent feature in use to secure the network perimeter?
Selected Answer: No
Status: Failed
Description: Network Access Protection (NAP) is a platform and solution that controls access to network resources based on a client computer's identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who the client is, the groups that the client belongs to, and the degree to which that client is compliant with corporate governance policy.
If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.
Additional Information
Using Network Access Protection: Network Access Protection (NAP) can be used to ensure a computer's identity and its compliance.
This will increase the level of network protection.
http://technet.microsoft.com/en-us/network/bb545879.aspx
Antivirus Exclusion List Should Be Reviewed
Question: Do you have antivirus exclusions?
Selected Answer: Yes, according to other guidance
Additional Comments: We use a third-party antivirus that was set up and deployed by them, so if there were any default exclusions put into place, it was by them.
Status: Failed
Description: The virus scanning recommendations for computers must be implemented to avoid stability and performance issues.
Additional Information
Recommended Antivirus Exclusions: It is highly recommended that you update the exclusion lists for virus scanning software and implement the exclusions recommended in the following articles:
http://support.microsoft.com/kb/822158
BIOS Settings Are Not Protected Through System BIOS Password
Question: Are changes to BIOS settings prevented by using administrative system passwords?
Selected Answer: No
Additional Comments: This is done on a department-by-department basis. More groups do not have a BIOS password.
Status: Failed
Description: Password protection for the BIOS can prevent unauthorized users who have physical access to your systems from booting from removable media.
Users may change BIOS settings as well as the boot order of devices. They can start preinstallation environments or mini-OS images from optical disk to reconfigure the corporate client build.
The security measures you should take to protect your environment against such attacks depend on the sensitivity of the information that the workstation contains and the location of the computer.
Additional Information
Implement BIOS password: It is strongly recommended that you secure the BIOS settings with passwords.
EnableLinkedConnections Is Not Default
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
Configuring this setting may expose the system to a higher security risk.
Additional Information
Best Practice Guidance: It is strongly recommended not to enable this registry value on any version of Windows Vista, Windows 7, Server 2008, or Server 2008 R2. This registry change is not recommended and is meant as a temporary workaround (not a solution) until applications that have issues with drive mapping differences under UAC are fixed or replaced. This workaround may make your system unsafe. You use this workaround at your own risk.
Importance: The workaround (registry setting EnableLinkedConnections) from article http://support.microsoft.com/kb/937624 may make your system unsafe.
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections @ REG_DWORD
Detection Logic
Applies to: All operating systems
The following must be true:
* Registry_Value_1 is equal to 0x00000001
Annotation: Look to set this to the defaults
Affected Nodes
admpc280.CVM.NCSU.EDU
EnableLinkedConnections setting is: 1
crpc11.CVM.NCSU.EDU
EnableLinkedConnections setting is: 1
Data Confidentiality Is Not Ensured For Data Stored Inside Or Outside The Corporate Network
Question: Do you use a directory-based solution to allow users to protect content from being copied, printed, or distributed without proper rights and permissions?
Selected Answer: No
Status: Failed
Description: Protecting data and sensitive business information is as important as ever for companies.
If a security breach occurs, the risks are considerable: negative impact on brand equity, the burdensome costs of notifying affected customers, possible exposure of intellectual property, and failure to comply with government regulations. These outcomes can have significant financial consequences for a company.
Additional Information
Protecting Confidential Information: It is recommended that you use additional services or software components to ensure data confidentiality.
By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information - such as financial reports, product specifications, customer data, and confidential e-mail messages - from intentionally or accidentally getting into the wrong hands.
http://technet.microsoft.com/en-us/library/cc771627.aspx
No Measure Of The Progress And Success Level Of Security Updates Deployment
Question: Which of the following items apply to your security updates management process?
Selected Answer: Critical security updates are applied within a month after being released. An emergency process exists for deploying urgent software updates.
Status: Failed
Description: After your security update management process is established and running, you will want to ensure effectiveness, monitor performance, and improve results over time. Even with proper planning, there may be improvements to the process that you can identify through monitoring and assessment. The primary areas of importance within security update management that you may want to measure and improve upon are:
• Improving security releases
• Improving security policy enforcement
• Improving emergency security response.
No Test Environment Available For Security Update Management
Question: Which of the following items apply to your security updates management process?
Selected Answer: Critical security updates are applied within a month after being released. An emergency process exists for deploying urgent software updates.
Status: Failed
Description: Thorough testing and development of security updates can only be safely conducted in an isolated test environment. The lack of an environment normally means that these activities either do not occur or they occur on production servers. Failure to perform adequate testing is a common cause of production outages. Testing in production is very risky, and can cause as many problems as it was intended to prevent.
Additional Information
Recommended Reading
Deployment in a Lab Environment:
http://technet.microsoft.com/en-us/library/cc755445(v=WS.10).aspx
Setting up a Test Environment:
http://technet.microsoft.com/en-us/library/cc750093.aspx
Solid State Drive
SSD stands for Solid State Disk or Solid State Drive. It refers to a still relatively young memory technology that, thanks to falling hardware prices, has become a suitable alternative to traditional hard drives. SSD drives are offered in different versions, for example as pure Flash drives or as hybrid drives, which combine a traditional hard drive with solid state memory. In many cases, SSD drives offer distinct advantages compared to "old" hard drives with a read/write head, such as:
▪ SSD drives offer better speeds when accessing data, especially at system startup.
▪ SSD drives are quieter than ordinary hard drives.
▪ SSD drives require no cooling during operation.
▪ SSD drives have no mechanical parts such as a write head and are therefore more robust.
▪ SSD drives consume less power during operation.
Currently, you can buy SSD drives as internal drives for desktop PCs and notebooks or as external USB disks.
While desktops usually have a free slot with a SATA port available, in notebooks the existing drive often has to be replaced with an SSD. In that case, you must transfer your operating system and your data to the new drive or reinstall. As an alternative, SSD USB sticks are available for data protection.
No matter which solution you choose, remember that the time savings are greatest when reading data: when you start programs or when loading large image or video files. When writing data, SSDs are so far still not superior to conventional hard disks.
SSD Drive Detected
Status: Failed
Description: 10 node(s) out of 37 node(s) were affected by this issue (27.03%).
Additional Information
Importance: Many of today’s Solid State Drives (SSDs) offer the promise of improved performance, more consistent responsiveness, increased battery life, superior ruggedness, quicker startup times, and noise and vibration reductions. On traditional clients the HDD is a common bottleneck.
Recommended Reading
http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx
Rule Algorithm
Source
Detection Logic
Applies to: All operating systems
Hardware condition:
* System Disk is SSD
The following must be true:
* no additional verifications
Affected Nodes
ALUMINUM.CNR.NCSU.EDU
SSD drive detection: SSD detected
BILT-3032A-01.CNR.NCSU.EDU
SSD drive detection: SSD detected
BUSTA.ECE.NCSU.EDU
SSD drive detection: SSD detected
CHASSIT-TEST.CHASS.NCSU.EDU
SSD drive detection: SSD detected
DELTA-DT-SP05.DELTA.NCSU.EDU
SSD drive detection: SSD detected
LAU-214-29.CHASS.NCSU.EDU
SSD drive detection: SSD detected
MCHAMMER.ECE.NCSU.EDU
SSD drive detection: SSD detected
MOBILELAB4.IE.NCSU.EDU
SSD drive detection: SSD detected
VANILLAICE.ECE.NCSU.EDU
SSD drive detection: SSD detected
WN-133-01.CHASS.NCSU.EDU
SSD drive detection: SSD detected
Virtualization
The consumerization of information technology (IT) is impacting how organizations manage their desktop environment. Users expect seamless, reliable, and secure on-demand access to applications and desktops from any location and from a wide range of devices, including Windows desktops, laptops, slates, and non-Windows based devices.
The challenge for IT is to provide users with a consistent experience that works across locations and devices while avoiding business disruptions and securing confidential corporate data. Because modern workers expect access to new capabilities in days or weeks instead of months, IT must provision users with those corporate resources quickly. IT also needs to streamline Windows 7 deployment while maintaining users’ access to their critical business applications.
Microsoft Desktop Virtualization is a comprehensive suite of solutions that helps organizations give their employees the flexibility to work everywhere on a range of devices. It offers a consistent, secure, and personalized experience across locations and devices while helping to improve compliance through centralized control and secure access to confidential data.
Microsoft Desktop Virtualization solutions empower IT to simplify management by unifying IT operations onto a single and centralized infrastructure. It enables instant provisioning of corporate applications and desktops, which gets users up and running sooner, and it equips IT to provide access to legacy applications during the migration to Windows 7. Microsoft Desktop Virtualization integrates fully with Microsoft System Center to help manage both physical and virtual environments with the same management infrastructure, and automatically detect device configurations and network conditions to deliver the most appropriate services to each user.
User State Virtualization
With user state virtualization, user data and settings are centralized in the data center, thus eliminating the constraints of local storage and giving users the ability to access their data and settings from any PC. It makes backing up, securing, and managing the availability of users’ data and settings easier for IT. In Windows 7, three technologies support user state virtualization:
▪ Roaming user profiles give IT the ability to store user profiles (that is, files stored in C:\Users\Username, including the registry) in a network share, and then synchronize them with users’ computers whenever they log on using their domain credentials.
▪ Folder Redirection centralizes user folders (for example, Documents, Pictures, and Videos) in the data center, making these folders accessible to users from any PC they log on to by using their login ID. The important distinction between roaming user profiles and Folder Redirection is that IT uses roaming user profiles primarily for settings and Folder Redirection for documents.
▪ Offline Files makes files and folders located on a server accessible to users even when they are disconnected from the network. To do so, Offline Files caches copies of the files and folders locally, then synchronizes changes the next time a connection is available.
Application Virtualization
Microsoft Application Virtualization (App-V), part of the Microsoft Desktop Optimization Pack (MDOP), enables enterprises to meet user and IT needs by empowering anywhere productivity and accelerated application deployment. It provides users access to applications that are dynamically available anywhere on any authorized PC without installs or reboots.
With App-V, virtual applications run in their own self-contained virtual environments on users’ PCs. This eliminates application conflicts and allows enterprises to reduce application-compatibility testing time, resulting in faster application deployment and updates. Virtual applications and user settings are preserved whether users are online or offline. Combined with user state virtualization, App-V provides a consistent experience and reliable access to applications and business data, regardless of users’ locations.
Organizations can deploy virtual application packages by using App-V servers, which stream the virtual applications on demand to users’ PCs and cache them locally so they can be used offline. Another option is to use System Center Configuration Manager to deploy, upgrade, and track usage of both physical and virtual applications in a single management experience. As a result, IT can use existing processes, workflow, and infrastructure to deliver virtual applications to users.
Another way to virtualize and deliver centrally hosted applications is RemoteApp, a Windows Server 2008 R2 feature that is based on session virtualization. It enables IT to make applications available remotely through Remote Desktop Services (RDS). RemoteApp programs run in their own resizable windows, can be dragged between multiple monitors, and have their own icons on the Start menu or the taskbar.
Operating System Virtualization
The Microsoft Desktop Virtualization stack includes:
▪ Microsoft Virtual Desktop Infrastructure (VDI). VDI is an alternative desktop delivery model that gives users secure access to centrally managed desktops running in the data center. VDI virtualizes an entire desktop environment within Windows Server 2008 R2 Hyper-V. This provides users a rich and personalized desktop experience with an option to have full administrative control. With VDI, users can access their desktops from any connected device, improving their ability to be productive even in the case of disaster. VDI presents the user interface (UI) to users’ devices by using the Remote Desktop Protocol (RDP) with RemoteFX to provide a rich desktop experience. VDI offers enterprises a superior value by providing a high-performance virtual desktop platform while reducing the cost of deploying server hosted desktops. Innovations such as Dynamic Memory in Windows Server 2008 R2 with SP1 Hyper-V and application virtualization help reduce the amount of hardware required to deploy VDI. Additionally, VDI empowers enterprises with unified management of centralized desktops and corporate data through System Center technology. IT can extend existing management tools and processes to the virtual desktop environment as well, reducing management overhead while still enabling rapid deployment and patching by managing images centrally. Partner technology, such as Citrix XenDesktop, adds value to VDI by offering additional scale and flexibility to enterprises. With Citrix technologies, users can access their Windows environment even from non-Windows devices.
Using App-V in a VDI environment gives organizations the ability to make VDI images generic. With App-V, users can connect to any available VDI session and have access to the applications they need to be productive. Another advantage to App-V in a VDI environment is the App-V read-only shared cache. Without App-V, organizations install applications directly into each virtual machine (VM) image—a scenario that increases the amount of storage required on the Storage Area Network (SAN). With the App-V read-only shared cache, organizations can point many VMs to a single copy of an application on disk, thereby reducing storage requirements on the SAN significantly by eliminating redundant application binaries. Also, user state virtualization maintains users’ data and settings across physical and virtual sessions.
▪ Remote Desktop Services (RDS) Session Virtualization. RDS Session Virtualization is a desktop and application delivery model that provides users access to applications, data, and shared desktops centralized in the data center. RDS gives employees the flexibility to access Windows from the location and device of their choice, giving users access to centrally hosted applications and desktops from a web page, through a SharePoint portal, on a local desktop, or over the Internet. RDS is a server role in Windows Server 2008 R2 that enables users to access Windows-based programs installed on a Remote Desktop Session Host (RD Session Host) server or to access the full Windows desktop. RDS Session Virtualization simplifies business and regulatory compliance through centralized control of desktops and applications. It allows IT to efficiently deploy and maintain software from a central location in an enterprise environment.
▪ Microsoft Enterprise Desktop Virtualization (MED-V). Part of MDOP, MED-V can remove barriers to Windows 7 upgrades by resolving application incompatibility. MED-V enables large-scale deployment of VMs running Windows XP with SP3 to PCs running Windows 7. It does this in a way that is completely seamless for the user. Applications appear and function as though they are installed locally. Legacy applications running in a VM share seamless access to users’ documents, network printers, and USB devices such as flash drives and smart card readers.
Disable Autoupdate Drivers
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
In a virtual environment, hardware should be well-known, with drivers being provided by Administrators. Therefore, it is recommended to configure Windows not to search Windows Update when searching for drivers.
Additional Information
Recommended Resolution: Configure the driver search order to not search Windows Update. The best practice to achieve this is via the following Group Policy setting:
Computer Configuration\Administrative Templates\System\Device Installation, policy "Specify search order for device driver source locations"
Alternatively, this setting can be configured using the following registry key:
HKLM\Software\Policies\Microsoft\Windows\DriverSearching\searchorderConfig
A decimal value of 0 will cause driver searches to not include Windows Update.
Rule Algorithm
Source
Registry_Value_1 HKLM\Software\Policies\Microsoft\Windows\DriverSearching\SearchOrderConfig @ REG_DWORD
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is not equal to 0x00000000 or does not exist
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
Configuration : n/a
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
Configuration : n/a
Disable Background Defragmentation
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
In a virtual environment, boot defragmentation and optimal layout creation should be disabled. While these features offer significant performance improvements on physical computers in terms of boot time, this is not something that virtual environments will regularly take advantage of. Consider that the situations in which the machine must boot are few, and that the overhead associated with performing the layout creation and boot optimizations can be taxing on valuable virtual resources such as the disk and processor.
In addition, the files may be optimally located and defragmented on the virtual drive (such as a VHD), but may still be stored fragmented and sub-optimally on the underlying host (physical) drive.
Therefore, the recommended approach is to disable both the background defragmentation and the auto layout features to ensure maximum performance in a virtual environment.
Additional Information
Recommended Reading
Disabling Disk Defragmentation
http://msdn.microsoft.com/en-us/library/ms932871(v=winembedded.5).aspx
Recommended Resolution
The following two registry keys control the boot optimization and optimal layout functions respectively:
HKLM\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\Enable
REG_SZ: should be set to "N" to disable the boot optimization.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout\EnableAutoLayout
REG_DWORD: should be set to 0 to disable automatic optimal layout.
Rule Algorithm
Source
Registry_Value_1 HKLM\System\CurrentControlSet\Services\defragsvc\Start @ REG_DWORD
Registry_Value_2 HKLM\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\Enable @ REG_SZ
Registry_Value_3 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout\EnableAutoLayout @ REG_DWORD
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is not equal to 0x00000004
* Registry_Value_2 is not equal to "N" and Registry_Value_3 is not equal to 0x00000000
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
DefragService (StartType) : 3
Defragmentation : Does Not Exist (Default: Y)
Optimal Layout : Does Not Exist (Default: 1)
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
DefragService (StartType) : 3
Defragmentation : Does Not Exist (Default: Y)
Optimal Layout : Does Not Exist (Default: 1)
Disable Hibernation
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
Hibernation is a feature that saves the state of a computer and allows it to power off to conserve power. This feature is not designed for a virtualized desktop environment and should be disabled.
When hibernate is enabled, additional disk space and other resources are consumed by having a hibernation file exist on disk. It also creates an element of risk associated with enabling features and services that are not required. It is a best practice to disable these features for optimal supportability and reliability.
Additional Information
Best Practice Guidance: By default, a hibernation file called "hiberfil.sys" is automatically created on the local disk. The file will be the size of the RAM. Therefore, it will use unnecessary space, as a virtual machine will never go into hibernation.
Best practice for virtualization is to disable features such as hibernation for maximum performance and stability. This can be configured within each computer’s power options, centrally via Group Policy, or a system management tool.
Rule Algorithm
Source
Registry_Value_1 HKLM\SYSTEM\CurrentControlSet\Control\Power\HibernateEnabled @ REG_DWORD
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is not equal to 0x00000000
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
Hibernation enabled : 1
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
Hibernation enabled : 1
Disable Service Microsoft Software Shadow Copy Provider
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The Microsoft Software Shadow Copy Provider Service should be disabled in a virtual environment as it is unlikely to be used and poses potential risks around security and stability.
Disabling unused services is important to ensure reliability, security and performance are maintained.Additional InformationRecommended ResolutionTo disable the Microsoft Software Shadow Copy Provider Service (swprv), stop the service and set the startup type to Disabled.
Startup types and configuration for services can also be configured via group policy to ensure consistency across a number of machines.
Rule Algorithm
Source
WMI_1 Root\CIMv2:Win32_Service.Name("swprv")
WMI_2 Root\CIMv2:Win32_Service.Started
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* WMI_1 exists
* WMI_2 is "Started"
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
Service : swprv
Started : True
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
Service : swprv
Started : True
Force Offscreen Composition For Internet Explorer Should Be Configured
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
In order to ensure maximum performance and reliability while running Internet Explorer remotely (such as over Remote Desktop), it is recommended that Internet Explorer is configured to compose page elements, even when they are not onscreen.
This setting, called Force Offscreen Composition, should be configured on all virtualized desktop environments to prevent composition issues (such as flicker) when viewing web pages.
Additional Information
Recommended Reading
Screen may flicker when you view a Web page that contains animated content over a Terminal Services client session with Internet Explorer
http://support.microsoft.com/kb/271246
Recommended Resolution
To enable Force Offscreen Composition, configure the following registry setting:
Hive: HKCU
Key: Software\Microsoft\Internet Explorer\Main
Value: Force Offscreen Composition
Type: DWORD
Set the value of the DWORD to 1 to enable Force Offscreen Composition. Because the value lives under HKCU, it must exist in each user's profile; Group Policy Preferences or a logon script are the usual ways to deploy it consistently.
Rule Algorithm
Source
Registry_Value_1 HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Force Offscreen Composition @ REG_DWORD
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is not equal to 0x00000001 or does not exist
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
Offscreen Configuration : n/a
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
Offscreen Configuration : n/a
Increase The Disk Timeout Value
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The Disk Timeout value (TimeOutValue) should be increased in a virtualized environment with non-SSD based disks, especially when a number of VMs or other services share the same physical disk(s). TimeOutValue is the number of seconds the disk class driver waits for an I/O request before treating it as failed; raising it lets the guest tolerate bursts of storage latency instead of logging disk errors.
Additional Information
Importance
This is especially important during peak periods, when burst I/O from other sources (such as other VMs or services) may push response times beyond the disk timeout. While this scenario should be avoided, a higher timeout prevents disk errors should it happen.
Rule Algorithm
Source
Registry_Value_1 HKLM\SYSTEM\CurrentControlSet\Services\Disk\TimeOutValue @ REG_DWORD
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is less than decimal 200 (Hex: 0x000000c8)
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
Disk Timeout : n/a
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
Disk Timeout : n/a
Disable Boot Animation
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The boot animation can be disabled to improve boot times in virtualized client environments, where it does not contribute to the user experience.
Additional Information
Importance
You should disable the boot animation to speed up startup of the virtual machine.
Recommended Resolution
Disable the boot animation using bcdedit. The detection rule below is satisfied by either BCD element: DisableBootDisplay (the quietboot option shown here) or BootUxPolicy set to disabled (the bootux option). bcdedit accepts true/false, yes/no and on/off for boolean elements.
For example:
bcdedit /set {current} quietboot true
Rule Algorithm
Source
WMI_1 Root\WMI:BcdObject.Id("{9dea862c-5cdd-4e70-acc1-f32b344d4795}").Property(BcdOSLoaderInteger_BootUxPolicy)
WMI_2 Root\WMI:BcdObject.Id("{9dea862c-5cdd-4e70-acc1-f32b344d4795}").Property(BcdOSLoaderBoolean_DisableBootDisplay)
Detection Logic
Applies to: Windows 7 and later
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* WMI_1 is not equal to 0
* WMI_2 is not equal to "TRUE"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
Both BootUXPolicy and DisableBootDisplay are not configured.
BootUXPolicy :
DisableBootDisplay :
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
Both BootUXPolicy and DisableBootDisplay are not configured.
BootUXPolicy :
DisableBootDisplay :
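The five rules above (hibernation, the swprv service, Force Offscreen Composition, the disk TimeOutValue and the boot animation) each read a single registry value, WMI property or BCD element. The following PowerShell script is added here as a worked example and is not part of the RAP report or its tooling: it re-runs those same checks on a local VM and lists the usual remediation command next to each result. The registry paths, WMI class and thresholds are copied from each rule's Detection Logic; the virtual-machine test (the report does not publish how it decides a target is VIRTUAL), the output shape, and treating an absent value as non-compliant are this script's own assumptions.

```powershell
#Requires -Version 3.0
# Added example, not part of the RAP report: re-run the report's VM tuning rules locally.
# Registry paths, WMI class and thresholds are copied from each rule's Detection Logic.
# The VM test, the output shape and treating an absent value as non-compliant are this
# script's own assumptions. Run elevated so that bcdedit can read the BCD store.

function Test-IsVirtual {
    # The report gates these rules on "Target device is VIRTUAL" without saying how it
    # decides; matching the system vendor/model string is an assumption of this script.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    "$($cs.Manufacturer) $($cs.Model)" -match 'Virtual|VMware|Xen|KVM|QEMU|Hyper-V|VirtualBox'
}

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing; the report shows such cases as "n/a".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding([string]$Rule, $Value, [bool]$Compliant, [string]$Fix) {
    [pscustomobject]@{ Rule = $Rule; Value = $Value; Compliant = $Compliant; Fix = $Fix }
}

function Get-RapVmFindings {
    # Disable Hibernation: HibernateEnabled must be 0x00000000.
    $hib = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' 'HibernateEnabled'
    New-Finding 'Disable Hibernation' $hib ($hib -eq 0) 'powercfg.exe /hibernate off'

    # Disable Service swprv: the rule fails while the service is started.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='swprv'"
    $started = if ($svc) { [bool]$svc.Started } else { $false }
    New-Finding 'Disable Service swprv' $started (-not $started) 'Stop-Service swprv; Set-Service swprv -StartupType Disabled'

    # Force Offscreen Composition: HKCU value must be exactly 1; a missing value fails.
    $foc = Get-RegDword 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main' 'Force Offscreen Composition'
    New-Finding 'Force Offscreen Composition' $foc ($foc -eq 1) "Set-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main' 'Force Offscreen Composition' 1 -Type DWord"

    # Increase The Disk Timeout Value: TimeOutValue must not be below decimal 200 (0xC8).
    $to = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\Disk' 'TimeOutValue'
    New-Finding 'Disk TimeOutValue >= 200' $to ($null -ne $to -and $to -ge 200) 'Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\Disk TimeOutValue 200 -Type DWord'

    # Disable Boot Animation: passes if BootUxPolicy (bootux) is disabled or
    # DisableBootDisplay (quietboot) is on. bcdedit text output is parsed instead of the
    # Root\WMI BcdObject class the report reads, because it needs far less plumbing.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    if (-not $bcd) {
        New-Finding 'Disable Boot Animation' 'bcdedit unavailable (run elevated)' $false 'bcdedit /set {current} quietboot on'
        return
    }
    $bootux = $bcd | Select-String '^\s*bootux\s+(\S+)'    | ForEach-Object { $_.Matches[0].Groups[1].Value }
    $quiet  = $bcd | Select-String '^\s*quietboot\s+(\S+)' | ForEach-Object { $_.Matches[0].Groups[1].Value }
    $ok = ($bootux -eq 'Disabled') -or ($quiet -in 'Yes', 'On', 'True')
    New-Finding 'Disable Boot Animation' "bootux=$bootux quietboot=$quiet" $ok 'bcdedit /set {current} quietboot on'
}

if (-not (Test-IsVirtual)) {
    Write-Warning 'Not a virtual machine: the report applies these rules to VMs only.'
}
Get-RapVmFindings | Format-Table Rule, Value, Compliant, Fix -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt on one of the affected VMs; a Compliant value of False next to an empty Value column is the same condition the report prints as "n/a". The Fix column is informational only, so the script makes no changes; apply the listed commands through Group Policy or your management tool once the swprv caveat above has been checked.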
Disable Desktop Cleanup
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The Desktop Cleanup feature is not designed for use in virtualized client environments.
Additional Information
Importance
Operations conducted by Desktop Cleanup could be detrimental to virtualized environments and may have a negative performance impact on other users.
Recommended Reading
Desktop shortcuts disappear in Windows 7
http://support.microsoft.com/kb/978980
Recommended Resolution
On Windows 7 and Windows Server 2008 R2 the shortcut clean-up described in the article above is driven by Scheduled Maintenance, which is controlled by a policy that must be set via GPMC.
The setting can be found here:
Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scheduled Maintenance\
Note that the detection rule below checks a different setting: the NoDesktopCleanUpWizard policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, which must be 1 for the rule to pass.
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktopCleanUpWizard @ REG_DWORD
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is not equal to 0x00000001
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
Configuration : 0
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
Configuration : 0
Disable Scheduled Task Microsoft Windows DiskDiagnosticDataCollector
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The DiskDiagnosticDataCollector ("diskdiagnosticdata") task collects and sends general disk and system information to Microsoft for users participating in the Customer Experience Improvement Program.
This task is generally not appropriate or required in a virtualized environment and should be disabled.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "Microsoft-Windows-DiskDiagnosticDataCollector" (in the "\Microsoft\Windows\DiskDiagnostic" path) on virtual machines.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
Status : Ready
Disable Scheduled Task AnalyzeSystem
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The "AnalyzeSystem" scheduled task in the "\Microsoft\Windows\Power Efficiency Diagnostics" task scheduler path is designed for physical machines with high power efficiency and battery life requirements such as laptops.
This task is generally not appropriate or required in a virtualized environment and should be disabled.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "AnalyzeSystem" on VMs.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
Status : Ready
Disable Scheduled Task BfeOnServiceStartTypeChange
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The BfeOnServiceStartTypeChange task in the "\Microsoft\Windows\Windows Filtering Platform" task scheduler path adjusts the start type of firewall-triggered services when the start type of the Base Filtering Engine (BFE) service is changed to disabled.
As the Base Filtering Engine service should remain enabled, this task is not required in a virtualized environment.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "BfeOnServiceStartTypeChange" on virtual machines.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange
Status : Ready
Disable Scheduled Task Consolidator
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
This task provides functionality to the Customer Experience Improvement Program if opted-in and should be disabled in a virtualized environment. The scheduled task is called "consolidator" in the "\Microsoft\Windows\Customer Experience Improvement Program" path.
Disabling this is important because the task may start on many VMs at once and degrade the performance of other users and services unnecessarily.
Where practical, disabling tasks such as this can increase reliability and reduce the risk of performance issues.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "Consolidator" on virtual machines.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
Status : Ready
Disable Scheduled Task KernelCeipTask
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
This task provides functionality to the Customer Experience Improvement Program if opted in and should be disabled in a virtualized environment. The scheduled task is called "KernelCeipTask" in the "\Microsoft\Windows\Customer Experience Improvement Program" path.
Disabling this is important because the task may start on many VMs at once and degrade the performance of other users and services unnecessarily.
Where practical, disabling tasks such as this can increase reliability and reduce the risk of performance issues.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "KernelCeipTask" on virtual machines.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask
Status : Ready
Disable Scheduled Task MobilityManager
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The task MobilityManager in the "\Microsoft\Windows\RAS" task scheduler path is used to provide support for the switching of mobility enabled VPN connections if their underlying interface goes down.
As this targets a scenario not used in a virtualized environment, it is recommended that this task is disabled.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "MobilityManager" on virtual machines.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Ras\MobilityManager" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Ras\MobilityManager"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Ras\MobilityManager
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Ras\MobilityManager
Status : Ready
Disable Scheduled Task ProgramDataUpdater
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
This task aggregates and uploads Application Telemetry information if opted in to the Microsoft Customer Experience Improvement Program. The scheduled task is called "ProgramDataUpdater" in the "\Microsoft\Windows\Application Experience" path.
This task should be disabled to ensure maximum reliability and performance in a virtual environment.
Disabling this is important because the task may start on many VMs at once and degrade the performance of other users and services unnecessarily.
Where practical, disabling tasks such as this can increase reliability and reduce the risk of performance issues.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "ProgramDataUpdater" on virtual machines.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Application Experience\ProgramDataUpdater
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Application Experience\ProgramDataUpdater
Status : Ready
Disable Scheduled Task Proxy
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
This task provides functionality to the Customer Experience Improvement Program if opted in and should be disabled in a virtualized environment. The scheduled task is called "Proxy" in the "\Microsoft\Windows\Autochk" path.
Disabling this is important because the task may start on many VMs at once and degrade the performance of other users and services unnecessarily.
Where practical, disabling tasks such as this can increase reliability and reduce the risk of performance issues.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "Proxy" on virtual machines.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Autochk\Proxy"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Autochk\Proxy
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Autochk\Proxy
Status : Ready
Disable Scheduled Task Registry Idle Backup
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The Registry Idle Backup scheduled task backs up the registry hives while the machine is idle.
The task that provides this functionality should be disabled in a virtualized environment. The scheduled task is called "RegIdleBackup" in the "\Microsoft\Windows\Registry" path.
Disabling this is important because the task may start on many VMs at once and degrade the performance of other users and services unnecessarily.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "RegIdleBackup" on virtual machines.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Registry\RegIdleBackup" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Registry\RegIdleBackup"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Registry\RegIdleBackup
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Registry\RegIdleBackup
Status : Ready
Disable Scheduled Task ResolutionHost
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The Windows Diagnostic Infrastructure Resolution host enables interactive resolutions for system problems that are detected by the Diagnostic Policy Service. This scheduled task starts the Windows Disk Diagnostic User Resolver Wizard (Dfdwiz.exe) when a problem with a hard disk is detected.
The task that provides this functionality should be disabled in a virtualized environment. The scheduled task is called "ResolutionHost" in the "\Microsoft\Windows\WDI" path.
Disabling this is important because the task may start on many VMs at once and degrade the performance of other users and services unnecessarily.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "ResolutionHost" on virtual machines.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\WDI\ResolutionHost" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\WDI\ResolutionHost"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\WDI\ResolutionHost
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\WDI\ResolutionHost
Status : Ready
Disable Scheduled Task Scheduled
Status: Failed
Description:
2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The "scheduled" task located in the "\Microsoft\Windows\Diagnosis" task scheduler path performs periodic maintenance of the computer system by fixing problems automatically or reporting them through the Action Center.
This task is generally not appropriate or required in a virtualized environment and should be disabled.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "Scheduled" on virtual machines.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Diagnosis\Scheduled" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Diagnosis\Scheduled"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Diagnosis\Scheduled
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Diagnosis\Scheduled
Status : Ready
Disable Scheduled Task ScheduledDefrag
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The disk defragmenter scheduled task runs regularly when the machine is idle to defragment the contents of the hard disk. This functionality is designed to run on physical hardware, where the temporary performance degradation resulting from the defragmentation is greatly outweighed by the performance gain when the machine is in use.
In a virtualized environment, the task that provides this functionality should be disabled. The scheduled task is called "ScheduledDefrag" in the "\Microsoft\Windows\Defrag" path.
Disabling this is important because the task may start on many VMs at once (for example on 'idle' VMs) and degrade the performance of other users and services unnecessarily.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in specific environments.
We recommend turning off this task because it may improve performance. However, it must be tested against all line-of-business applications to ensure that it does not cause issues.
Recommended Resolution
Disable the scheduled task "ScheduledDefrag" on virtual machines.
To disable a scheduled task, navigate to it in the Task Scheduler MMC snap-in, select it, and choose Disable from the Action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Defrag\ScheduledDefrag" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Defrag\ScheduledDefrag"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation
Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
DefragService (StartType) : 3
TaskPath : \Microsoft\Windows\Defrag\ScheduledDefrag
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
DefragService (StartType) : 3
TaskPath : \Microsoft\Windows\Defrag\ScheduledDefrag
Status : Ready
Disable Scheduled Task System Restore
Status: Failed
Description: 2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The System Restore scheduled task creates regular System Restore points that can be used in conjunction with the System Restore utility to restore the system to a previous point in time.
The System Restore feature is targeted primarily at consumers and should be disabled in an enterprise environment unless it is an IT supported recovery mechanism and the risks and benefits are understood.
In addition, the task that provides this functionality should be disabled in a virtualized environment. The scheduled task is called "SR".
Disabling this is important because the task may start at the same time in a number of VMs and needlessly degrade performance for other users and services.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in a given environment.
We recommend turning off this setting, as it might improve performance, but it is also necessary to test it against all line-of-business applications to confirm that it causes no issues.
Recommended Resolution
Disable the scheduled task "SR" on virtual machines.
To disable a scheduled task, navigate to and select the task in the Task Scheduler MMC snap-in and choose Disable from the action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\SystemRestore\SR" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\SystemRestore\SR"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\SystemRestore\SR
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\SystemRestore\SR
Status : Ready
Disable Scheduled Task UpdateLibrary
Status: Failed
Description
The "UpdateLibrary" task in the "\Microsoft\Windows\Windows Media Sharing" task scheduler path updates the cached list of folders and the security permissions on any new files in a user’s shared media library.
As media sharing is not recommended and is unlikely to be used in a virtual environment, this task should be disabled.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in a given environment.
We recommend turning off this setting, as it might improve performance, but it is also necessary to test it against all line-of-business applications to confirm that it causes no issues.
Recommended Resolution
Disable the scheduled task "UpdateLibrary" on virtual machines.
To disable a scheduled task, navigate to and select the task in the Task Scheduler MMC snap-in and choose Disable from the action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Windows Media Sharing\UpdateLibrary" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Windows Media Sharing\UpdateLibrary"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Windows Media Sharing\UpdateLibrary
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Windows Media Sharing\UpdateLibrary
Status : Ready
Disable Scheduled Task UsbCeip
Status: Failed
Description
2 node(s) out of 37 node(s) were affected by this issue (5.41%).
This task supports the Customer Experience Improvement Program (if opted in) and should be disabled in a virtualized environment. The scheduled task is called "UsbCeip" and lives in the "\Microsoft\Windows\Customer Experience Improvement Program" path.
Disabling this is important because the task may start at the same time in a number of VMs and needlessly degrade performance for other users and services.
Where practical, disabling tasks such as this can increase reliability and reduce the risk of performance issues.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in a given environment.
We recommend turning off this setting, as it might improve performance, but it is also necessary to test it against all line-of-business applications to confirm that it causes no issues.
Recommended Resolution
Disable the scheduled task "UsbCeip" on virtual machines.
To disable a scheduled task, navigate to and select the task in the Task Scheduler MMC snap-in and choose Disable from the action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Microsoft Proprietary and Confidential Information Page 208
Key Findings ReportConfidential – NC State University
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
Status : Ready
Disable Scheduled Task WinSAT
Status: Failed
Description
2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The WinSAT feature provides relative performance metrics of the underlying hardware and drivers, giving an indication of the performance capability of the machine.
In a virtualized environment, the task that provides this functionality should be disabled. The scheduled task is called "WinSAT".
Disabling this is important because the task may start at the same time in a number of VMs and needlessly degrade performance for other users and services.
Additional Information
Importance
From a performance perspective, it is best to turn off tasks or settings that are not needed in a given environment.
We recommend turning off this setting, as it might improve performance, but it is also necessary to test it against all line-of-business applications to confirm that it causes no issues.
Recommended Resolution
Disable the scheduled task "WinSAT" on virtual machines.
To disable a scheduled task, navigate to and select the task in the Task Scheduler MMC snap-in and choose Disable from the action pane.
Alternatively, you can use the schtasks command line utility to perform this operation. For example:
schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
Rule Algorithm
Source
Registry_Path_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*
Registry_Value_1 {Registry_Path_1}\Path @ REG_SZ
Registry_Value_2 {Registry_Path_1}\Trigger @ REG_BINARY
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is "\Microsoft\Windows\Maintenance\WinSAT"
* Byte 127 of Registry_Value_2 is "C" or "4"
Annotation Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Maintenance\WinSAT
Status : Ready
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
TaskPath : \Microsoft\Windows\Maintenance\WinSAT
Status : Ready
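The five scheduled-task findings above (Defrag, SR, UpdateLibrary, UsbCeip and WinSAT) share one remediation: on a virtual machine, disable the named task. The script below is an added example and is not part of the RAP report or of any Microsoft tool. It uses the ScheduledTasks PowerShell module (Windows 8 / Windows Server 2012 and later) and the exact task paths the findings list. The report does not document how its VIRTUAL hardware condition is evaluated, so the Test-VirtualHardware check here is an assumed heuristic based on the SMBIOS manufacturer and model strings; adjust it for your hypervisor. Run it with -WhatIf first to see what would change.

```powershell
# Added example (not from the RAP report): on virtual hardware, disable the
# scheduled tasks that the findings above recommend turning off.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Task paths exactly as given in the findings' detection logic.
$TasksToDisable = @(
    '\Microsoft\Windows\Defrag\ScheduledDefrag',
    '\Microsoft\Windows\SystemRestore\SR',
    '\Microsoft\Windows\Windows Media Sharing\UpdateLibrary',
    '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip',
    '\Microsoft\Windows\Maintenance\WinSAT'
)

function Test-VirtualHardware {
    # Assumption (heuristic, not the RAP rule's own check): common hypervisors
    # identify themselves in the SMBIOS manufacturer/model strings.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $probe = "$($cs.Manufacturer) $($cs.Model)"
    return ($probe -match 'Virtual|VMware|VirtualBox|KVM|Xen|QEMU|HVM')
}

function Split-TaskPath {
    param([string]$FullPath)
    # '\A\B\Name' -> TaskPath '\A\B\' and TaskName 'Name', the form the
    # ScheduledTasks cmdlets expect.
    $idx = $FullPath.LastIndexOf('\')
    [pscustomobject]@{
        TaskPath = $FullPath.Substring(0, $idx + 1)
        TaskName = $FullPath.Substring($idx + 1)
    }
}

if (-not (Test-VirtualHardware)) {
    Write-Host 'Physical hardware detected; leaving the tasks enabled.'
    return
}

foreach ($full in $TasksToDisable) {
    $t = Split-TaskPath $full
    $task = Get-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -ErrorAction SilentlyContinue
    if (-not $task) {
        Write-Host "Not present: $full"
        continue
    }
    if ($task.State -eq 'Disabled') {
        Write-Host "Already disabled: $full"
        continue
    }
    # -WhatIf / -Confirm are honoured here via SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($full, 'Disable scheduled task')) {
        $task | Disable-ScheduledTask | Out-Null
        Write-Host "Disabled: $full (was $($task.State))"
    }
}
```

Save it as a .ps1 file and run it from an elevated PowerShell session; the report's own caveat applies, so test the change against line-of-business applications before rolling it out across a VM fleet.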
Disable Windows SideShow Feature
Status: Failed
Description
2 node(s) out of 37 node(s) were affected by this issue (5.41%).
The Windows SideShow feature is designed for physical hardware, specifically SideShow-compatible devices.
SideShow support will not be required in a virtual environment, and this feature should be disabled.
Additional Information
Recommended Resolution
To disable the Windows SideShow feature, set the following registry value to 1:
Hive: HKLM
Key: Software\Policies\Microsoft\Windows\Sideshow
Value: Disabled
Type: Dword
Rule Algorithm
Source
Registry_Value_1 HKLM\SOFTWARE\Policies\Microsoft\Windows\Sideshow\Disabled @ REG_DWORD
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is not equal to 0x00000001 or does not exist
Annotation Look to disable to boost performance
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
Configuration : n/a
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
Configuration : n/a
Modify The Network Location Dialog
Status: Failed
Description
2 node(s) out of 37 node(s) were affected by this issue (5.41%).
To ensure optimal stability and reliability in a virtualized environment, modify the Network Location Dialog so that it does not prompt when new networks are detected. When a new network is detected, Windows prompts the user to select the type of network in order to apply the appropriate network profile. This feature is only relevant to machines that roam between different networks, such as laptop computers.
In a virtualized environment, this is not required and should be disabled so that users are not prompted when the network administrator intentionally changes the network configuration.
Additional Information
Recommended Reading
Turn off the Network Location Wizard
http://technet.microsoft.com/en-us/library/gg252535(v=ws.10).aspx
Recommended Resolution
To modify the Network Location Dialog so that it does not prompt the user when new networks are detected, create the following registry value and set it to 1 (the value the detection logic below checks for):
Hive: HKLM
Key: SYSTEM\CurrentControlSet\Control\Network
Value: NewNetworkWindowOff
Type: Dword
Rule Algorithm
Source
Registry_Value_1 HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff @ REG_DWORD
Detection Logic
Applies to: All operating systems
Hardware condition:
* Target device is VIRTUAL
The following must be true:
* Registry_Value_1 is not 0x00000001 or does not exist
Affected Nodes
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
Configuration : n/a
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
Configuration : n/a
Windows System Performance
Windows system performance can be affected by processor scheduling, memory management, the size of the event log, and also by the Windows Search configuration.
Processor Scheduling and Memory Management
Processor scheduling specifies the strategy used for optimizing processor time on the system. Memory management optimization can be divided into four parts:
▪ System Cache – System cache mode controls the partitioning between the memory that Windows allocates to file caching and the memory that Windows allocates to applications.
▪ Kernel Mode Driver and Kernel Mode System Code – When not in use, kernel mode drivers and kernel mode system code can be paged to disk by default.
▪ Unloading DLL Files on Application Close – Windows does not unload DLL files used by programs that have been closed in order to speed up possible restarts of that application.
▪ Pagefile Settings – Fixed pagefile settings of the minimum and maximum values decrease the chance of pagefile file fragmentation on the file system.
Performance Monitor
The units of measurement used to monitor hardware and software resources through Performance Monitor are called counters. These counters are further grouped into categories called objects. In some cases, counters also have instances. For example, when monitoring the processor activity of a Web server, you monitor the % Processor Time counter, which is found under the Processor object. If more than one processor exists in the server, you can choose to monitor the total activity of all the processors or instances for each individual processor.
No Client Performance Testing During Client Lifetime
Question
After deploying a client installation, do you regularly check the current client performance to identify any problems on the platform?
Selected Answer: No
Status: Failed
Description
Windows client performance is one of the most important factors for end-user satisfaction. Therefore, it is important to verify Windows client performance regularly, not only in the design phase. A good practice is to measure Windows client performance throughout the client's lifetime.
Additional Information
Monitoring Performance
It is recommended that you define a Windows client performance metric for your environment and verify that your clients meet all the thresholds defined.
You can use an active client monitoring technology such as System Center Operations Manager, or use a tool like the Windows Performance Toolkit for regular performance tests. Those tests should also be performed with any major release update.
Windows System Shutdown
System shutdown brings the system to a condition in which it is safe to turn off the computer. All file-system buffers are flushed to the disk and a message box is displayed informing the user that the computer can be turned off. There is a reboot option that restarts the computer rather than displaying this system shutdown message box.
Windows stores a number of registry values that determine how long the shutdown process waits before terminating open applications and services after the shutdown command has been given. Actions such as clearing the pagefile on shutdown can delay the shutdown process.
Applications with open handles into the user profile can also significantly delay a system shutdown.
No Issues Found.
Windows System Startup
The Windows system startup process affects the user experience most, especially when it is slow. To understand what causes the system startup to be slow, you first have to understand how system startup in Windows works.
The Windows system startup process can be separated into six phases in Windows Vista, Windows 7 and Windows 8.
Windows Vista/Win 7/Win 8 32/64 Bit
1. Power-on self test (POST) phase
2. Initial startup phase
3. Windows Boot Manager phase
4. Windows Boot Loader phase
5. Kernel loading phase
6. Logon phase
In order to analyze the boot process, you need a solid understanding of these phases. A detailed graphic of the Windows Vista, Windows 7 and Windows 8 System Startup Process is as follows.
To identify possible problems, all of the previously mentioned phases are analyzed in detail and against best practices. Existing issues during the startup phase can also affect overall performance.
High Amount Of Locally Cached Profiles
Status: Failed
Description
4 node(s) out of 37 node(s) were affected by this issue (10.81%).
The PC has more than 10 locally cached profiles, and/or 5 of them have not been used in over 30 days. Besides using a lot of disk space, startup performance can be affected by having too many cached profiles.
Additional Information
Importance
Too many locally cached user profiles may delay the Windows logon experience and will use extra disk space.
Recommended Reading
More information about a policy to delete user profiles older than a specified number of days:
http://gps.cloudapp.net/#2583
Recommended Resolution
If the Windows client is used by more than one user, consider deleting user profiles older than a specified number of days on system restart.
This can be done using a policy:
Policy: "Delete user profiles older than a specified number of days on system restart"
Path: Computer Configuration\Administrative Templates\System\User Profiles\
Rule Algorithm
Source
Registry_Key_1 HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
Registry_Value_1 HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\*\SID @ REG_BINARY
Detection Logic
Applies to: Windows 7 and above
The following must be true:
* Registry_Key_1 contains more than 10 subkeys where Registry_Value_1 exists
Annotation Look to clean this up via GPO setting
Affected Nodes
BILT-3032A-01.CNR.NCSU.EDU
Profiles found: 20
UNO.IE.NCSU.EDU
Profiles found: 23
VTHLOANERPC.CVM.NCSU.EDU
Profiles found: 50
WN-133-01.CHASS.NCSU.EDU
Profiles found: 21
ReadyBoot Has Low Cache Hit Percentage
Status: Failed
Description
21 node(s) out of 37 node(s) were affected by this issue (56.76%).
ReadyBoot decreases system boot time by preloading the files and startup programs that are needed to boot the machine. After every boot, the ReadyBoot service uses idle CPU time to analyze file trace information from the five previous boots and identifies which files were accessed and where they are located on disk. ReadyBoot uses this information to determine which files to prefetch during the next boot. It prefetches the files into an in-RAM cache, eliminating the time that it would take for the boot process to retrieve the files from disk. If available random access memory (RAM) is less than 1.7 GB, ReadyBoot compresses the files in the cache.
ReadyBoot is supported on Windows 7 client systems. ReadyBoot is enabled by default and is part of the SysMain service. If you disable the SysMain service, you disable ReadyBoot. If SuperFetch detects that the system drive is a fast solid-state drive (SSD), as measured by the Windows Experience Index disk score, then SuperFetch turns off ReadyBoot.
Additional Information
Importance
During startup, Windows needs to read a significant amount of data from the disk in order to load services and other components. Prefetching significantly improves the performance of this read-intensive process by optimizing disk access patterns, taking locality and storage performance characteristics into account.
If ReadyBoot is not configured properly, boot performance will be significantly impacted.
Recommended Reading
Quick Start: Capturing ReadyBoot Information:
http://msdn.microsoft.com/en-us/library/windows/desktop/ff190976(v=vs.85).aspx
Quick Start: ReadyBoot Graphs:
http://msdn.microsoft.com/en-us/library/windows/desktop/ff190978(v=vs.85).aspx
Recommended Resolution
Normally you should not touch the cache, but occasionally the cache is corrupt and never gets updated, and then a rebuild is needed. Deleting the cache also results in a rebuild, but not a system-triggered one, so we do not recommend deleting the cache as a maintenance task. Instead, use the xbootmgr.exe tool from the Microsoft Performance Toolkit, which is part of the Windows ADK, to rebuild the cache.
Consult the following URL on how to rebuild the ReadyBoot cache with xbootmgr.exe:
http://msdn.microsoft.com/en-us/library/windows/desktop/ff190998.aspx
Rule Algorithm
Source
Event_1 EventLog (Microsoft-Windows-ReadyBoost\Operational) @ 100
XML Attributes: RB_CacheHitPercentage
Detection Logic
Applies to: Windows 7 and higher
Hardware condition:
* Target device is not VIRTUAL
* System Disk is not SSD
The following must be true:
* Event_1 is listed in the past 7 days
* Event_1 @ Attribute "RB_CacheHitPercentage" is less than 80 %
Affected Nodes
315BPT01.CALS.NCSU.EDU
ReadyBoot cache hit percentage: 45%
admpc280.CVM.NCSU.EDU
ReadyBoot cache hit percentage: 0%
crpc11.CVM.NCSU.EDU
ReadyBoot cache hit percentage: 61%
DELTA-DT-SP03.DELTA.NCSU.EDU
ReadyBoot cache hit percentage: 15%
EB2-2214-LOAN02.CSC.NCSU.EDU
ReadyBoot cache hit percentage: 72%
EI-SPARE-LT1.DELTA.NCSU.EDU
ReadyBoot cache hit percentage: 48%
GRAD073.NE.NCSU.EDU
ReadyBoot cache hit percentage: 40%
GRAD076.NE.NCSU.EDU
ReadyBoot cache hit percentage: 26%
HLB106PC.CLASSTECH.NCSU.EDU
ReadyBoot cache hit percentage: 64%
ITECS-DT-19.EOS.NCSU.EDU
ReadyBoot cache hit percentage: 37%
High Startup Time Detected For Complete Computer System
Status: Failed
Description
4 node(s) out of 37 node(s) were affected by this issue (10.81%).
This issue indicates that the system is taking longer than usual to start up. While occasional degradation is normal due to software or hardware device driver updates, if you observe continued boot time degradation, chances are that there is a problem. Check with your hardware or software provider to obtain updated device drivers or software.
You may also need to trace the boot process to determine specifically what is causing the performance issues.
Additional Information
Importance
Customer research has shown that one of the most frequently requested features that users want from their PCs is fast system startup, whether from cold boot or when resuming from standby or hibernation. The Windows development team at Microsoft has taken bold steps in making quickly available PCs a reality.
Recommended Reading
WPR How-to Topics:
http://msdn.microsoft.com/en-us/library/windows/desktop/hh448128.aspx
Recommended Resolution
The biggest influencers in achieving a fast boot time are having enough RAM, a fast disk drive and a limited number of startup applications. Using the Windows Performance Toolkit (Xperf or WPR), it is possible to identify the cause of a slow-booting PC.
Rule Algorithm
Source
Event_1 EventLog (Microsoft-Windows-Diagnostics-Performance\Operational) @ 100
XML Attributes: MainPathBootTime
Detection Logic
Applies to: all Operating Systems
The following must be true:
* Event_1 is listed in the past 7 days
* Event_1 @ Attribute "MainPathBootTime" is greater than or equal to 70 seconds
Troubleshooting
WPR Quick Start Guide:
http://msdn.microsoft.com/en-us/library/windows/desktop/hh448138.aspx
Annotation Look further into what is causing the slowdowns
Affected Nodes
CHASSIT-TEST.CHASS.NCSU.EDU
System startup(s) in the last 7 days: 1
Average system startup time: 187s
HLB106PC.CLASSTECH.NCSU.EDU
System startup(s) in the last 7 days: 1
Average system startup time: 142s
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
System startup(s) in the last 7 days: 1
Average system startup time: 225s
T-131B-2.CHASS.NCSU.EDU
System startup(s) in the last 7 days: 1
Average system startup time: 289s
High Startup Time Detected For Explorer Init
Status: Failed
Description
4 node(s) out of 37 node(s) were affected by this issue (10.81%).
This issue indicates that the Explorer init phase is taking longer than usual. The ExplorerInit subphase begins when Explorer.exe starts. During ExplorerInit, the system creates the Desktop Window Manager (DWM) process, which initializes the desktop and displays it for the first time. This phase is CPU intensive. The initialization of DWM and the desktop occurs in the foreground, while in the background the service control manager (SCM) starts services and the memory manager prefetches code and data. On most systems ExplorerInit is CPU bound, and timing issues are likely the result of a simple resource bottleneck.
You may also need to trace the boot process to determine specifically what is causing the performance issues.
Additional Information
Importance
The Explorer initialization phase is when the user shell is started and the desktop starts to appear. If this takes a very long time, it could be that:
a) Disk/CPU resources are fully saturated, which causes explorer.exe to load slowly.
b) A large number of add-ons/plugins are loaded.
Recommended Reading
WPR How-to Topics:
http://msdn.microsoft.com/en-us/library/windows/desktop/hh448128.aspx
Recommended Resolution
Limit the number of startup applications and shell add-ons. Make sure the disk is fast enough to cope with the requested I/O.
Using the Windows Performance Recorder (WPR), it is possible to get more detailed information on why this phase takes a long time.
Rule Algorithm
Source
Microsoft Proprietary and Confidential Information Page 220
Key Findings ReportConfidential – NC State University
Event_1 EventLog (Microsoft-Windows-Diagnostics-Performance\Operational) @ 100
XML Attributes: BootExplorerInitTime
Detection Logic
Applies to: all Operating Systems
The following must be true:
* Event_1 is listed in the past 7 days
* Event_1 @ Attribute "BootExplorerInitTime" is greater than or equal to 5 seconds
Annotation Look further into what is causing the slowdowns
Affected Nodes
CHASSIT-TEST.CHASS.NCSU.EDU
System startup(s) in the last 7 days: 1
Average Explorer init time: 56s
EI-SPARE-LT1.DELTA.NCSU.EDU
System startup(s) in the last 7 days: 2
Average Explorer init time: 12s
GRAD073.NE.NCSU.EDU
System startup(s) in the last 7 days: 1
Average Explorer init time: 8s
HLB106PC.CLASSTECH.NCSU.EDU
System startup(s) in the last 7 days: 1
Average Explorer init time: 56s
High Startup Time Detected For Machine Profile Processing
Status: Failed
Description
5 node(s) out of 37 node(s) were affected by this issue (13.51%).
This issue indicates that machine profile processing is taking longer than usual during startup. Introduced in Windows 2000 Server, Group Policy provides directory-based desktop configuration management. With Group Policy, you can specify settings for registry-based policies, security, software installation, scripts, folder redirection, Remote Installation Services, and Internet Explorer maintenance. The Windows Server 2003 family of operating systems extends Group Policy in a number of ways, through GPMC, which includes scripting interfaces, Group Policy Results, Group Policy Modeling, and more.
You may also need to trace the boot process to determine specifically what is causing the performance issues.
Additional Information
Importance
BootMachineProfileProcessingTime is the time spent processing system (machine) Group Policy or hardware.
Recommended Resolution
Use the Windows Performance Recorder to trace a system startup and identify why profile processing is slow. Update all device drivers to their latest supported version and check any machine policies/scripts.
Rule Algorithm
Source
Event_1 EventLog (Microsoft-Windows-Diagnostics-Performance\Operational) @ 100
XML Attributes: BootMachineProfileProcessingTime
Detection Logic
Applies to: all Operating Systems
The following must be true:
* Event_1 is listed in the past 7 days
* Event_1 @ Attribute "BootMachineProfileProcessingTime" is greater than or equal to 30 seconds
Troubleshooting
WPR How-to Topics:
http://msdn.microsoft.com/en-us/library/windows/desktop/hh448128.aspx
Annotation Look further into what is causing the slowdowns
Affected Nodes
CHASSIT-TEST.CHASS.NCSU.EDU
System startup(s) in the last 7 days: 1
Average machine profile processing time: 41s
HLB106PC.CLASSTECH.NCSU.EDU
System startup(s) in the last 7 days: 1
Average machine profile processing time: 52s
ITECS-DT-34.EOS.NCSU.EDU
System startup(s) in the last 7 days: 1
Average machine profile processing time: 42s
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
System startup(s) in the last 7 days: 1
Average machine profile processing time: 79s
T-131B-2.CHASS.NCSU.EDU
System startup(s) in the last 7 days: 1
Average machine profile processing time: 55s
High Startup Time Detected For Service
Status: Failed
Description
1 node(s) out of 37 node(s) were affected by this issue (2.7%).
This issue indicates that a system service is taking longer than usual to start, resulting in boot time degradation during the system startup process. While occasional degradation is normal due to software or hardware device driver updates, if you observe continued boot time degradation, chances are that there is a problem. Check with your hardware or software provider to obtain updated device drivers or software.
You may also need to trace the boot process to determine specifically what is causing the performance issues.
Additional Information
Importance
One misbehaving service can slow down the overall boot process. A service should typically start within 300 milliseconds (some exceptions apply, and this assumes that no hardware resource shortage is causing the delay).
Recommended Reading
WPR How-to Topics:
http://msdn.microsoft.com/en-us/library/windows/desktop/hh448128.aspx
Recommended Resolution
Make sure no other bottlenecks are causing the service to start slowly (e.g. a fully saturated disk). If this is not the case, check whether a new version/hotfix of the program/service is available, or contact the vendor.
Rule Algorithm
Source
Event_1 EventLog (Microsoft-Windows-Diagnostics-Performance\Operational) @ 103
XML Attributes: FriendlyName, TotalTime, CompanyName, Path
Detection Logic
Applies to: all Operating Systems
The following must be true:
* Event_1 is listed in the past 7 days
* Event_1 @ Attribute "TotalTime" is greater than 10 seconds
Annotation Look further into what is causing the slowdowns
Affected Nodes
GRAD076.NE.NCSU.EDU
Service(s) with high startup time:
Company: Microsoft Corporation
Product: Service Module
Path: C:\Program Files\Windows Defender\mpsvc.dll
Startup time: 15s
High Startup Time Detected For User Profile Processing
Status: Failed
Description
2 node(s) out of 37 node(s) were affected by this issue (5.41%).
This issue indicates that user profile processing is taking longer than usual during startup. Introduced in Windows 2000 Server, Group Policy provides directory-based desktop configuration management. With Group Policy, you can specify settings for registry-based policies, security, software installation, scripts, folder redirection, Remote Installation Services, and Internet Explorer maintenance. The Windows Server 2003 family of operating systems extends Group Policy in a number of ways, through GPMC, which includes scripting interfaces, Group Policy Results, Group Policy Modeling, and more.
You may also need to trace the boot process to determine specifically what is causing the performance issues.
Additional Information
Importance
In this phase, the user profile and policies are applied. The end user has to wait until this is complete.
Recommended Resolution
Check which user Group Policies are applied and reduce or optimize any scripts in use. In addition, make sure that there is low latency towards the server hosting the roaming profiles (if used).
Use the Windows Performance Recorder (WPR) to take a boot trace and investigate why this phase takes more time than expected.
Rule Algorithm
Source
Event_1 EventLog (Microsoft-Windows-Diagnostics-Performance\Operational) @ 100
XML Attributes: BootUserProfileProcessingTime
Detection Logic
Applies to: all Operating Systems
The following must be true:
* Event_1 is listed in the past 7 days
* Event_1 @ Attribute "BootUserProfileProcessingTime" is greater than or equal to 20 seconds
Troubleshooting
WPR How-to Topics:
http://msdn.microsoft.com/en-us/library/windows/desktop/hh448128.aspx
Annotation: Look further into what is causing the slowdowns
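The two Diagnostics-Performance rules above (event 103 for services with high startup time, event 100 for user profile processing) can be re-run locally with Get-WinEvent. The following is an added example, not part of the RAP report or of its rule engine: it reads the same event attributes the report lists (TotalTime, FriendlyName, CompanyName, Path; BootUserProfileProcessingTime), applies the same thresholds and 7-day window, and prints a summary in the shape of the report's "Affected Nodes" entries. The one assumption is that both timing fields are stored in milliseconds, which is why they are divided by 1000 before comparison.

```powershell
# Added example (not part of the RAP report): local re-implementation of the
# event 100 / event 103 rules from the Diagnostics-Performance operational log.
# Assumption: BootUserProfileProcessingTime and TotalTime are milliseconds.

$LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'
$Since   = (Get-Date).AddDays(-7)   # rule window: "listed in the past 7 days"

function Get-EventDataMap {
    # Flatten one event's <EventData><Data Name="..."> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml = [xml] $Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Get-RecentEvents([int] $Id) {
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $Since } `
        -ErrorAction SilentlyContinue
}

# Rule "High Startup Time Detected For User Profile Processing":
# event 100 with BootUserProfileProcessingTime >= 20 s on any boot in the window.
$boots = @(Get-RecentEvents -Id 100 | ForEach-Object {
    $d = Get-EventDataMap $_
    [pscustomobject]@{
        Time       = $_.TimeCreated
        ProfileSec = [math]::Round([double] $d['BootUserProfileProcessingTime'] / 1000, 1)
    }
})
$slowProfile = @($boots | Where-Object { $_.ProfileSec -ge 20 })

# Event 103 rule: a service whose TotalTime is greater than 10 s.
$slowServices = @(Get-RecentEvents -Id 103 | ForEach-Object {
    $d = Get-EventDataMap $_
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Service    = $d['FriendlyName']
        Company    = $d['CompanyName']
        Path       = $d['Path']
        StartupSec = [math]::Round([double] $d['TotalTime'] / 1000, 1)
    }
} | Where-Object { $_.StartupSec -gt 10 })

# Summary in the same shape as the report's "Affected Nodes" entries.
$avg = if ($boots.Count) {
    [math]::Round(($boots | Measure-Object -Property ProfileSec -Average).Average, 0)
} else { 0 }
"System startup(s) in the last 7 days: $($boots.Count)"
"Average user profile processing time: ${avg}s"
"Status: " + $(if ($slowProfile.Count -or $slowServices.Count) { 'Failed' } else { 'Passed' })
$slowServices | Format-Table Time, Service, Company, Path, StartupSec -AutoSize
```

Run it in a normal (non-elevated) PowerShell session; reading the operational log does not require administrator rights on a default install. Wrapping each pipeline in @() keeps .Count meaningful when zero or one event is returned.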
Affected Nodes
CHASSIT-TEST.CHASS.NCSU.EDU
System startup(s) in the last 7 days: 1
Average user profile processing time: 85s
OITTSS-MSRAP02.OITCLIENTS.NCSU.EDU
System startup(s) in the last 7 days: 1
Average user profile processing time: 38s
Windows System Assessment Tool (WinSAT)
The Windows System Assessment Tests (WinSAT) are used to analyze the performance of several system components, including CPU, memory, disk, and graphics. Data generated by these tests is used by the following:
▪ Windows components such as the Desktop Window Manager (DWM), and high-definition video playback, to scale functionality.
▪ Logo programs, including SYSFUND_46 (Aero), to assess system quality.
▪ Velocity tests to help you make decisions about system-component quality.
▪ The WinSAT results are summarized in the Performance Information and Tools Control Panel item as Windows Experience Index (WEI) scores. These scores show consumers the performance characteristics of their systems.
Windows 7 has a strong focus on reducing the duration of Setup for end users, so that they can begin using their computers as soon as possible. To speed up the experience, the majority of WinSAT assessments can be run either before or after the Windows 7 out-of-box setup. The only WinSAT assessment that must be prepopulated or run during out-of-box setup is the DWM/Aero test. This test is used to determine whether the DWM can enable the Aero user interface, desktop composition, and related features. This test is fast; it takes 15-35 seconds, and the average time seen in testing is under 20 seconds. If you prepopulate the DWM test, the initial Out-of-Box Experience (OOBE) will be even faster.
Because the remaining assessments are not run during the OOBE, the WinSAT and WEI scores are no longer generated at this point. Instead, the scores can be generated at three other times, using other mechanisms besides running WinSAT during first boot:
▪ End users can explicitly request an assessment by using the Re-run the assessment option in the Performance Information and Tools Control Panel item.
▪ When the system is idle, subsequent to the first boot, the remaining WinSAT assessments will run if they were not prepopulated.
WinSAT Base Score Rating 3.0 - 4.9
Status: Failed
Description: 4 node(s) out of 37 node(s) were affected by this issue (10.81%).
Windows is a scalable operating system that turns features on/off based on the performance ability of the hardware to perform scenarios well. Therefore, it is designed to take full advantage of the latest high-end equipment, while at the same time is able to run well on less capable hardware.
Because performance is important to delivering the advanced scenarios and applications being developed today, Windows also includes a new system designed to help average users simplify those performance considerations as part of the PC, hardware upgrade and software purchasing process called the Windows Experience Index (formerly named Windows System Performance Rating or WinSPR). The Windows Experience Index provides the user or administrator with a high-level assessment of a given machine's performance capabilities expressed as a number. This number is an easy-to-use metric that indicates what scenarios and applications a user can expect to perform well on a given machine based on its performance characteristics. Windows Experience Index will help users and administrators assess the performance capabilities of a given system, ultimately making it easier to buy or upgrade PCs and software that match their needs.
The backbone for the Windows Experience Index scores comes from the same new technology built into Windows that enables it to scale, called Windows System Assessment Tools (WinSAT). These tools run tests that discover and assess the performance characteristics and capabilities of a PC. Based on this data, Windows "scales" itself, thereby optimizing the user experience and feature level it delivers for a given computer. The WinSAT data is also available via an API in order to enable software vendors and internal developers to take advantage of WinSAT data for developing software, which determines the optimal application settings based on that system's performance capabilities and scales itself.
Additional Information
Importance: The Windows System Assessment Tool (WinSAT) measures the various performance characteristics and capabilities of the hardware and reports them as a Windows Experience Index score. PCs with a base score of 3.0 to 4.9 are at the minimum specification needed to run Windows Vista or Windows 7 Premium features, including the new Aero user interface.
Recommended Reading
Using WinSAT
http://msdn.microsoft.com/en-us/library/bb530740(VS.85).aspx
WinSPRLevel (IProvideWinSATResultsInfo::SystemRating)
http://msdn.microsoft.com/en-us/library/aa969193(VS.85).aspx
The System Assessment Tool
http://msdn.microsoft.com/en-us/library/cc948912(VS.85).aspx
What is the Windows Experience Index?
http://windows.microsoft.com/en-us/windows-8/what-windows-experience-index
Recommended Resolution: A base score of 4.0 represents the mainstream Windows Vista or Windows 7 upgrade target system. This level of PC may run the Windows Aero feature, but users may see noticeable performance issues from time to time, especially on PCs with base scores of less than 2.5 or 64 megabytes (MB) of graphics memory. Performance issues may also be noticeable when opening many application windows at the same time or when using very large monitors.
It is recommended that you use hardware components that reach at least a WinSAT score rating of 5.x.
Rule Algorithm
Source:
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT\LastExitCode @ REG_DWORD
Registry_Value_2 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT\LastExitCodeCantMsg @ REG_DWORD
WMI_1 Root\CIMv2:Win32_Winsat.WinSPRLevel
Detection Logic
Applies to: Windows Vista, Windows 7
Hardware condition:
* Target device is not VIRTUAL
The following must be true:
* WMI_1 is between 3.0 and 4.9
Affected Nodes
admpc280.CVM.NCSU.EDU
WinSAT Base Score Rating: 3.9
crpc11.CVM.NCSU.EDU
WinSAT Base Score Rating: 4.6
EI-SPARE-LT1.DELTA.NCSU.EDU
WinSAT Base Score Rating: 4.6
VTHLOANERPC.CVM.NCSU.EDU
WinSAT Base Score Rating: 4.5
WinSAT Should Be Executed After System Installation
Status: Failed
Description: 10 node(s) out of 37 node(s) were affected by this issue (27.03%).
Windows is a scalable operating system that turns features on/off based on the performance ability of the hardware to perform scenarios well. Therefore, it is designed to take full advantage of the latest high-end equipment, while at the same time is able to run well on less capable hardware.
Because performance is important to delivering the advanced scenarios and applications being developed today, Windows also includes a new system designed to help average users simplify those performance considerations as part of the PC, hardware upgrade and software purchasing process called the Windows Experience Index (formerly named Windows System Performance Rating or WinSPR). The Windows Experience Index provides the user or administrator with a high-level assessment of a given machine's performance capabilities expressed as a number. This number is an easy-to-use metric that indicates what scenarios and applications a user can expect to perform well on a given machine based on its performance characteristics. Windows Experience Index will help users and administrators assess the performance capabilities of a given system, ultimately making it easier to buy or upgrade PCs and software that match their needs.
The backbone for the Windows Experience Index scores comes from the same new technology built into Windows that enables it to scale, called Windows System Assessment Tools (WinSAT). These tools run tests that discover and assess the performance characteristics and capabilities of a PC. Based on this data, Windows "scales" itself, thereby optimizing the user experience and feature level it delivers for a given computer. The WinSAT data is also available via an API in order to enable software vendors and internal developers to take advantage of WinSAT data for developing software, which determines the optimal application settings based on that system's performance capabilities and scales itself.
Additional Information
Best Practice Guidance: Consult this link to learn about using WinSAT:
http://msdn.microsoft.com/en-us/library/bb530740(v=vs.85).aspx
Importance: WinSAT assesses the performance capabilities of the system and generates the Windows Experience Index. The index includes subscores for the system's processor, memory, graphics, and hard disk. Windows uses the Windows Experience Index to determine which default theme to use and whether to enable SuperFetch. If WinSAT has never been executed after system deployment, several built-in Windows optimizations may be limited.
Recommended Reading
http://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/Win7Perf.docx
Recommended Resolution: To solve this on a single PC, open an elevated command prompt and issue the following command: "Winsat formal"
Consider adjusting the deployment scenario to run this command after client deployment.
Rule Algorithm
Source:
WMI_1 Root\CIMv2:Win32_Winsat.WinSATAssessmentState
Detection Logic
Applies to: Windows Vista, Windows 7, Windows 8, Windows 8.1
Hardware condition:
* Target device is not VIRTUAL
The following must be true:
* WMI_1 is not equal to 1 (uint32)
Affected Nodes
BUSTA.ECE.NCSU.EDU
WinSAT execution state: No Assessment Available
GRAD073.NE.NCSU.EDU
WinSAT execution state: No Assessment Available
GRAD076.NE.NCSU.EDU
WinSAT execution state: No Assessment Available
ITECS-DT-55.EOS.NCSU.EDU
WinSAT execution state: No Assessment Available
LAU-214-29.CHASS.NCSU.EDU
WinSAT execution state: No Assessment Available
MCHAMMER.ECE.NCSU.EDU
WinSAT execution state: No Assessment Available
PT315B-03.CALS.NCSU.EDU
WinSAT execution state: No Assessment Available
PT315B-04.CALS.NCSU.EDU
WinSAT execution state: No Assessment Available
TEX-OXYGEN.TX.NCSU.EDU
WinSAT execution state: No Assessment Available
UNO.IE.NCSU.EDU
WinSAT execution state: No Assessment Available
WinSAT Base Score Rating 5.0 - 6.9
Status: Failed
Description: 3 node(s) out of 37 node(s) were affected by this issue (8.11%).
Windows is a scalable operating system that turns features on/off based on the performance ability of the hardware to perform scenarios well. Therefore, it is designed to take full advantage of the latest high-end equipment, while at the same time is able to run well on less capable hardware.
Because performance is important to delivering the advanced scenarios and applications being developed today, Windows also includes a new system designed to help average users simplify those performance considerations as part of the PC, hardware upgrade and software purchasing process called the Windows Experience Index (formerly named Windows System Performance Rating or WinSPR). The Windows Experience Index provides the user or administrator with a high-level assessment of a given machine's performance capabilities expressed as a number. This number is an easy-to-use metric that indicates what scenarios and applications a user can expect to perform well on a given machine based on its performance characteristics. Windows Experience Index will help users and administrators assess the performance capabilities of a given system, ultimately making it easier to buy or upgrade PCs and software that match their needs.
The backbone for the Windows Experience Index scores comes from the same new technology built into Windows that enables it to scale, called Windows System Assessment Tools (WinSAT). These tools run tests that discover and assess the performance characteristics and capabilities of a PC. Based on this data, Windows "scales" itself, thereby optimizing the user experience and feature level it delivers for a given computer. The WinSAT data is also available via an API in order to enable software vendors and internal developers to take advantage of WinSAT data for developing software, which determines the optimal application settings based on that system's performance capabilities and scales itself.
Additional Information
Importance: The Windows System Assessment Tool (WinSAT) measures the various performance characteristics and capabilities of the hardware and reports them as a Windows Experience Index score.
Recommended Reading
Using WinSAT
http://msdn.microsoft.com/en-us/library/bb530740(VS.85).aspx
WinSPRLevel (IProvideWinSATResultsInfo::SystemRating)
http://msdn.microsoft.com/en-us/library/aa969193(VS.85).aspx
The System Assessment Tool
http://msdn.microsoft.com/en-us/library/cc948912(VS.85).aspx
What is the Windows Experience Index?
http://windows.microsoft.com/en-us/windows-8/what-windows-experience-index
Rule Algorithm
Source:
Registry_Value_1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT\LastExitCode @ REG_DWORD
Registry_Value_2 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT\LastExitCodeCantMsg @ REG_DWORD
WMI_1 Root\CIMv2:Win32_Winsat.WinSPRLevel
Detection Logic
Applies to: Windows Vista, Windows 7
Hardware condition:
* Target device is not VIRTUAL
The following must be true:
* WMI_1 is between 5.0 and 6.9
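The three WinSAT rules in this section (assessment never run, base score 3.0 - 4.9, base score 5.0 - 6.9) all read the same two sources, Win32_WinSAT over WMI and the LastExitCode values under the WinSAT registry key, and all skip virtual machines. The following is an added example, not the RAP tool's own code: it pulls those sources on the local machine and reports which of the three rules would fire. How it recognises a "VIRTUAL" device (matching Win32_ComputerSystem model and manufacturer strings) is this example's own assumption; the report does not state how its hardware condition is evaluated.

```powershell
# Added example (not part of the RAP report): evaluate the three WinSAT rules
# locally. Sources are the ones the report lists: Win32_WinSAT.WinSATAssessmentState,
# Win32_WinSAT.WinSPRLevel and the LastExitCode / LastExitCodeCantMsg registry values.
# Assumption: the virtual-machine check below is this script's own heuristic.

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$isVirtual = ($cs.Model -match 'Virtual') -or ($cs.Manufacturer -match 'VMware|QEMU|Xen|innotek')

$winsat = Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_WinSAT
$reg    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT' `
              -ErrorAction SilentlyContinue

# WINSAT_ASSESSMENT_STATE values; the rule treats anything other than 1 as a failure.
$stateNames = @{ 0 = 'State Unknown'; 1 = 'Valid'; 2 = 'Incoherent With Hardware';
                 3 = 'No Assessment Available'; 4 = 'Invalid' }
$state = [int]    $winsat.WinSATAssessmentState
$level = [double] $winsat.WinSPRLevel

$findings = New-Object System.Collections.Generic.List[string]
if (-not $isVirtual) {
    # Rule: WinSAT Should Be Executed After System Installation (WMI_1 <> 1)
    if ($state -ne 1) {
        $findings.Add("WinSAT Should Be Executed After System Installation " +
                      "(WinSAT execution state: $($stateNames[$state]))")
    }
    # Rules: WinSPRLevel between 3.0 and 4.9, or between 5.0 and 6.9
    if ($level -ge 3.0 -and $level -le 4.9) {
        $findings.Add("WinSAT Base Score Rating 3.0 - 4.9 (WinSAT Base Score Rating: $level)")
    }
    elseif ($level -ge 5.0 -and $level -le 6.9) {
        $findings.Add("WinSAT Base Score Rating 5.0 - 6.9 (WinSAT Base Score Rating: $level)")
    }
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    Virtual             = $isVirtual
    AssessmentState     = $stateNames[$state]
    BaseScore           = $level
    LastExitCode        = $reg.LastExitCode
    LastExitCodeCantMsg = $reg.LastExitCodeCantMsg
    Status              = $(if ($findings.Count) { 'Failed' } else { 'Passed' })
    Findings            = ($findings -join '; ')
} | Format-List

# Remediation stated in the report: from an elevated prompt run  winsat formal
```

The script only reads WMI and the registry, so it can be run without elevation and pushed to many desktops through a remote session; the winsat formal remediation itself still needs an elevated prompt, as the report says.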
Affected Nodes
ALUMINUM.CNR.NCSU.EDU
WinSAT Base Score Rating: 6.7
CLH-9F8NXR1.COM.NCSU.EDU
WinSAT Base Score Rating: 5.1
ITECS-DT-34.EOS.NCSU.EDU
WinSAT Base Score Rating: 5.3
Windows Performance Toolkit
The Windows Performance Toolkit (WPT) is built on top of the Event Tracing for Windows (ETW) infrastructure. ETW enables Windows and applications to efficiently generate events, which can be enabled and disabled at any time without requiring system or process restarts. ETW collects requested kernel events and saves them to one or more files referred to as trace files or traces. These kernel events provide extensive details about the operation of the system. Some of the most important and useful kernel events available for capture and analysis are context switches, interrupts, deferred procedure calls, process and thread creation and destruction, disk I/Os, hard faults, processor P-State transitions, and registry operations, though there are many others.
One of the great features of ETW, supported in WPT, is the support of symbol decoding, sample profiling, and capture of call stacks on kernel events. These features provide very rich and detailed views into the system operation. WPT also supports automated performance testing.
The WPT is installed as part of the Windows ADK or Windows SDK and it contains the following tools:
▪ Windows Performance Recorder (WPR): Captures detailed system and application behavior and resource usage either from the command line or a graphical user interface.
▪ Windows Performance Analyzer (WPA): Used to review aspects of performance on Windows. WPA opens event trace log files and displays performance data in graphs and tables so that you can easily know where to investigate potential issues.
Period SessionInit Phase Between 10 And 25 Sec Without SSD
Status: Failed
Description: 4 node(s) out of 37 node(s) were affected by this issue (10.81%).
The SessionInit (SMSSInit) phase begins when the kernel passes control to the session manager process (SMSS.exe). During this subphase, the system initializes the registry, loads and starts the devices and drivers that are not marked BOOT_START, and starts the subsystem processes. SMSSInit ends when control is passed to Winlogon.exe. There are no explicit visual cues for the start of SMSSInit, but the blank screen that appears between the splash screen and the logon screen is part of the SMSSInit phase. It ends before the logon screen appears.
Additional Information
Importance: The SessionInit (SMSSInit) phase is slow when the system partition is located on a non-SSD drive. This may result in slow boot and/or logon issues.
Recommended Resolution: The SessionInit (SMSSInit) phase appears to be delayed and/or slow. It is recommended that you verify the following:
* Correct HAL has been installed
* Processor, BUS, and controller device drivers are current
* Phantom devices are not present
* Signatures and files of boot drivers and service entries exist
* Prefetch / Superfetch is configured correctly
* Files, directories and the pagefile are not fragmented
Rule Algorithm
Source:
File_1 %systemroot%\system32\LogFiles\BootCKCL.etl
Detection Logic
Applies to: Windows Vista and later
Hardware condition:
* System Drive is not an SSD
The following must be true:
* Period "SMSSInit" takes between 10 and 25 seconds
Affected Nodes
EB2-2214-LOAN01.CSC.NCSU.EDU
Period Runtime: 10.066127 sec
HLB106PC.CLASSTECH.NCSU.EDU
Period Runtime: 12.594784 sec
OITTSS-MSRAP01.OITCLIENTS.NCSU.EDU
Period Runtime: 10.783658 sec
VTHLOANERPC.CVM.NCSU.EDU
Period Runtime: 12.731921 sec
Period PreSMS Phase Between 5 And 10 Sec Without SSD
Status: Failed
Description: 1 node(s) out of 37 node(s) were affected by this issue (2.7%).
The PreSMS phase begins when the kernel is invoked (winload.exe passes control to the kernel). During this subphase, the kernel initializes data structures and components. It also starts the PnP manager, which initializes the BOOT_START drivers that were loaded during the OSLoader phase. PreSMSS begins approximately when the "Loading Windows" splash screen appears. There are no explicit visual cues for the end of PreSMSS.
Additional Information
Importance: The PreSMS phase is slow when the system partition is located on a non-SSD drive. This may result in slow boot and/or logon issues.
Recommended Resolution: The PreSMS phase appears to be delayed. It is recommended that you verify the following:
* Correct HAL has been installed
* Processor, BUS, and controller device drivers are current
* Phantom devices are not present
* Signatures and files of boot drivers and service entries exist
* Disk is not fragmented
* Master File Table (MFT) is not fragmented
* Registry and pagefile are not fragmented
* Prefetch / Superfetch is configured correctly
Rule Algorithm
Source:
File_1 %systemroot%\system32\LogFiles\BootCKCL.etl
Detection Logic
Applies to: Windows Vista and later
Hardware condition:
* System Drive is not an SSD
The following must be true:
* Period "PreSMS" takes between 5 and 10 seconds
Affected Nodes
EB2-2214-LOAN01.CSC.NCSU.EDU
Period Runtime: 5.8986 sec