Bart's Weblog

Just a blog…

Archive for the ‘Tech Stuff’ Category

Technical Stuff

Quick post: Windows 10 1511 will no longer receive security updates

Posted by bartvdw on 1111/1010/2017

Update 27/11/2017: Microsoft will be providing updates to address critical and important security issues until April 2018 for Windows 10 1511 builds, but only for Enterprise and Educational SKU’s. See:


Well that was known well advance, but now it’s really there (10/10/2017): Windows 10 1511 will no longer receive security updates…

MS link:


That means, if you haven’t done so yet, it’s advised to check your environment. Normally you already invested time to upgrade these build versions, but I like to double check things now and then.

  1. Your deployment solution (if you haven’t got one… ;-))
  2. Active Directory


For the first it’s difficult to collect all possibilities as I mainly work with Symantec Altiris (ITMS), but for AD it’s really straight forward.


PowerShell query for all Windows 10 builds before 1607:

Get-ADComputer -Filter {OperatingSystemVersion -like "10.0 (10*"} -Property * | FT Name,OperatingSystem,OperatingSystemVersion -Wrap –Auto


Query for all Windows 10 build 1511 specific:

Get-ADComputer -Filter {OperatingSystemVersion -eq "10.0 (10586)"} -Property * | FT Name,OperatingSystem,OperatingSystemVersion -Wrap –Auto


Build version translations:

  • 1511 = 10586
  • 1607 = 14393
  • 1703 = 1506



Inventorying Computers with AD PowerShell –



Posted in Active Directory, PowerShell, Windows 10 | Leave a Comment »

Quick post: GPO WMI filtering and performance

Posted by bartvdw on 2222/0909/2017

Got triggered recently about WMI filtering on GPO’s and performance impact. It is clear that the filter(s) needs to be processed, and that you shouldn’t use it by default, but killing the logon on a machine? That would mean “DO NOT USE” scenario… So here a summary about WMI filtering, but also a quick overview about the different controls you have to filter GPO’s. Extensive reading material is included at the bottom (references).


Quick recap which controls are available:

  • Organizational units (OUs)
    • Group user/computer objects in OUs
    • Link GPOs to OUs
  • Security
    • Change GPO security so that the GPO applies to specific groups
    • Required permissions: read + apply group policy
    • Works not only for users, but also for computer accounts
  • WMI filters
    • Specify a WMI query
    • The GPO is applied only if the query returns true
    • Applies to entire GPOs
  • Item-level targeting (ILT)
    • Specify targeting criteria
    • A setting is applied only if the criteria match
    • Applies to individual settings (in case of registry settings: can also apply to a collection of settings)
    • Available for Group Policy Preferences (GPPs) only, not for Policies


For WMI filtering there are some good tips:

  • Use when required (obviously)
  • Do NOT use Select *, but target your filter
  • Test performance with Measure-Command, and loop 1000x for more accurate results
  • Use SDM / GPOGuy WMIFTest utility to validate your filters against systems


Test method performance (my preferred option):

$q = ‘Select Version From Win32_OperatingSystem Where Version LIKE “10.0.%”‘

$a = for ($i = 1; $i -le 100; $i++) {

Measure-Command -Expression {

Get-WmiObject -Query $q



$a | Measure-Object TotalMilliseconds -Sum -Average -Maximum –Minimum


(Replace the query with your actual filter and test with targeted and Select *)


I ran the test on some machines using the Version attribute specific for the OS (so 10.%, and 6.3%).


Windows 10 on Surface Pro 4 results:


Test results on 2012 R2 server physical


Test results on 2012 R2 virtual


So results vary, but the difference between targeted filter versus * is clear. This also allows you to show the actual performance hit.


So WMI filtering isn’t all that bad, just use it wisely and when required; see if Item Level Targeting (ILT) is possible for example, or security filtering.


Comments welcome, as always!


How Group Policy Impacts Logon Performance #3: WMI Filters & ILT –

WMI filter queries and thoughts on performance –

Showdown – WMI Filter vs Item Level Targeting –

Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences –

Group Policy and Logon Impact –

WMI Filter Friday –

Digging Into Group Policy WMI Filters and Managing them through PowerShell –

Group Policy WMI filters for Windows 7/8/8.1/10 –

Using Group Policy WMI filters? Computers booting slow? –

Creating WMI Filters and GPOs with PowerShell –

Fun with WMI Filters in Group Policy –

GPO Migration with PowerShell – Now including WMI filters –

WMI Filter Validation Utility

Posted in Active Directory, Group Policy, Windows, Windows Server 2012 | Leave a Comment »

Schemus Active Directory synchronisation tool

Posted by bartvdw on 2121/0505/2015

Recently had some questions in regards to the Schemus tool, which is a tool used to synchronize Active Directory information to cloud services, such as Symantec, Websense, etc. and I wanted to share that specific information.

Before you begin, it’s interesting to know:
& = AND
| = OR
! = NOT

If you use if to synchronize email addresses, you have the option to define the OU’s where to look for users if your AD is segmented accordingly, but the problem can be if both users and mail-enabled user reside in the same OU. To overcome that problem (as in: let’s exclude mail-enabled users), add this to the search filter: (!(msExchRecipientTypeDetails=128))

Full example: (|(&(objectCategory=person)(objectClass=user)(!(msExchRecipientTypeDetails=128)))(objectCategory=group))

(add objectCategory definitions if required, such as distribution groups, public folders, …)

Another thing that can cause troubles is that by default the tool uses %mail% variable to look up the primary email address, however that attribute is not maintained by Exchange, it’s an AD attribute and therefor it can have any value, even empty. That means that if the person who creates users must fill in that attribute correctly or you will have issues. To overcome that, change the Primary Mail attribute to following value: %proxyAddresses{s/(SMTP:|.*:.*)(.*)/$2/}%

By defining ‘SMTP’ (uppercase), we indicate we want the primary email address, the line Mail Aliases defines the same string, but with ‘smtp’ lowercase.

For Websense it can be difficult to synchronize users that have no mailbox or email address (ex. web filtering service, for authentication), in that case change the Primary Mail string to %userPrincipleName% as that should exist and filled in correctly.

msExchRecipientTypeDetails AD values:

Posted in Active Directory, Schemus, Symantec, Websense | Leave a Comment »

VMware: Current known issues vCenter Server 5.5

Posted by bartvdw on 1414/1010/2013

These few issues I’ve encountered myself with VMware vCenter Server 5.5, and I think there are good to know/remember…

Active Directory authentication fails when vCenter Single Sign-On 5.5 runs on Windows Server 2012 and the AD Domain Controller is also on Windows Server 2012 (2060901)

vCenter Single Sign-On 5.5 Not Recognizing Nested Active Directory Groups

vCenter Server not listed in the inventory after installing or upgrading to vSphere 5.5 (2059528)

vCenter Server 5.5 displays a yellow warning in the Summary tab of hosts and reports the error: Quick stats on hostname is not up-to-date (2061008)

Posted in vCenter, vCenter 5.5, VMware, vSphere | Leave a Comment »

Symantec: General availability Backup Exec 2012 SP2 & Backup Exec 2010 SP3

Posted by bartvdw on 2626/0707/2013

Backup Exec 2010 R3 revision 5204 Service Pack 3 Release Notes

Backup Exec 2010 R3 revision 5204 Service Pack 3

Backup Exec 2012 revision 1798 Service Pack 2 Release Notes

Backup Exec 2012 revision 1798 Service Pack 2

Posted in Backup Exec 2010, Backup Exec 2012, Symantec | Leave a Comment »

IBM DS Storage and Windows MPIO

Posted by bartvdw on 2626/0707/2013

Don’t forget to install DSM !

Windows MPIO with IBM storage

Posted in IBM Storage, Windows | Leave a Comment »

Best practices for DNS settings on DC and domain members

Posted by bartvdw on 1717/0707/2013

Very good and to the point summary!

Posted in Active Directory, DNS, Microsoft, Windows | Leave a Comment »

VMware: 101 Free Tools

Posted by bartvdw on 1010/0707/2013


Posted in ESX(i), VMware, vSphere | 1 Comment »

Symantec BE 2012 & VMware: Snapshot problems (unable to quiesce an application)

Posted by bartvdw on 1010/0707/2013

Backup Exec 2012 – An attempt to take a snapshot of a virtual machine failed because it was unable to quiesce an application

Posted in Backup Exec, ESX(i), Tech Stuff, VMware, vSphere | Leave a Comment »

VMware: Cool Tool – VisualEsxtop

Posted by bartvdw on 1010/0707/2013

Cool Tool: VisualEsxtop

Posted in ESX(i), VMware, vSphere | Leave a Comment »