-
Does the above Note mean the article is irrelevant to those of us who don’t have it?
No, it only means that if the key is missing, the default value of “0” (zero) is assumed by the OS.
For Vista, Win 7, Win 8.x and Win 10 this key is valid. Works for Home, Pro and Enterprise editions. Also valid for Server 2008, 2008 R2, SBS 2011, Server 2012, 2012 R2 and Server 2016.
If it does not exist, and you want to change the behavior as described in CH100’s excellent overview, you can add the key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
Create a new DWORD at that location. Name it precisely DisabledComponents . . . caps matter in the registry!
Assign the value you want to force TCPIPv6 behavior as described.
Cheers!
Edited: because spelling . . .
~ Group "Weekend" ~
-
Some of my clients are very small: 5 to 10 users/workstations and a single server running everything network. These are the SMB’s that have relied for years on the ‘Pro” edition to meet their needs. I’m researching how to best support Windows 10 Pro for them. There are – as you and others here have helped identify . . . some odd issues. They are also the companies that have the hardest time justifying budget for a recurring cost subscription. (Recurring costs are the bane of variable – and often slim – budgets for most SMB’s.)
Some are . . . larger. For them running Enterprise is not a problem, and the support/management tools I need to do justice for them work nicely in Win10ENT.
And a shout-out to both of you: knowingly or not this discussion has produced some positive results. Thanks! 🙂
~ Group "Weekend" ~
-
-
I wish all the major affected sites would prominently post this disclosure – positive or negative – on their landing pages.
Thank you!
~ Group "Weekend" ~
1 user thanked author for this post.
-
Yep, I tend to be a bit cautious on these types of reports – even when (and sometimes especially when) they agree with a stance I take with my clients. Self serving reports only damage the perception of what for some companies is legitimate advice.
I do think – strongly – that end users in a corporate environment should not run as admin on their workstations. I also provide a special domain account that’s granted admin on all workstations – but not on the domain – for them to use when they need to update something legitimately.
At the same time, a well trained end user with a clear understanding of what risky behavior to avoid and with good technical mitigations in place can be perfectly fine running as admin.
And training . . . much training . . .
~ Group "Weekend" ~
2 users thanked author for this post.
-
-
-
-
-
I would be very interested in this program if . . . IF . . . they give us a private fast track channel for SMB and small enterprise relevant feedback that would rise above the noise in the normal Feedback Hub. (Note that large enterprises have a fast track reporting and resolution system already – so this program is either being expanded from that, or it’s not for them.)
Case in point: It took Microsoft months to notice a nasty bug being reported by IT professionals about a search related crash in client-side File Explorer when creating folders on server side shares. Once they noticed, they took months longer to raise the priority on the bug because they felt it was a one-off case (it wasn’t – in fact it turned out to be universal for the specific combination of Win 10 1607 combined with Server 2012 R2 on a domain.)
~ Group "Weekend" ~
1 user thanked author for this post.
-
Never – ever – grant your MSA local admin permissions on your workstation.
Why?
I should have clarified more, since part of my original topic was about malware prevention using standard versus admin level user accounts.
My advice about not granting a MSA account local admin permissions (with some exceptions if you are a Microsoft ring tester) is based on the fact that as admin – MSA allows anyone that might compromise your online account total access to your machine – including the right to remotely access things. I’ve personally seen this happen exactly once, but still – it burned. That episode happened when someone enabled the remote file access feature through One Drive, and their MSA was a local admin account, and their MSA was hacked. The ID thief logged onto that machine and extracted saved banking passwords from the victims browser using Nirsoft tools. They were also able to add a system startup malware entry because as admin, they had access to parts of the C: drive that a standard user would not.
There were so many other mistakes made that led to this, but you hopefully get the reasoning behind my advice.
~ Group "Weekend" ~
1 user thanked author for this post.
-
Another approach is to create a separate User Account which is always a MS Account login, but only use that Account when using Cloud-centric apps or other activities which require the use of the MS Account.
I forgot I do this too . . . for precisely the same reasons you outlined. Good catch!
~ Group "Weekend" ~
1 user thanked author for this post.
-
For home / small office workstations I take this a few steps further.
1) On new setup: Create a local Admin account. Finish setup and install your base applications and AV, etc.
2) Now create your user account as a LOCAL account, with Standard user permissions (NOT admin!)
3) Repeat step 2 as needed for adult family members that need their own accounts.
4) If you must, convert your account to a MSA. I leave that decision to the reader but I largely agree with the advice given by Woody and Paul T.
5) If you have children, and want to use Microsoft Family Safety, then you need to convert the child’s local account to a MSA. No way around this, and the benefits for this specific use case may be worth it to you as parent.
Never – ever – grant your MSA local admin permissions on your workstation.
Edit: The exception to the above warning: if you must be on a preview/slow/fast ring on a test machine. You are committed to giving the MSA admin privileges. I would not advise that on a production machine.
The primary reason to start with a local Admin account (and create your real user accounts as a Standard User) is this is one of the very best ways to mitigate potential drive by malware drops.
Some rules: don’t surf the net nor open email from the Admin account you create. Think twice if you are ever prompted for that admin accounts password when you do not expect it. If you are browsing the net, reading email, opening an attachment or a document and you see that password request . . . you know it’s time to close all applications and run a virus scan.
And if your standard user account profile gets a non-admin level infection it’s really easy to clean that up from the Admin account. Unless you fall for the prompt that asked for an admin password the infection won’t get root access.
~ Group "Weekend" ~
4 users thanked author for this post.
-
-
Just my personal opinion/speculation:
1) Roll-ups cannot be separated anymore, not even by the QA teams at Microsoft. They must be tested as one monolithic patch, and thus it all fails or all succeeds before sign-off.
2) If just one patch fails, but with low system repercussions, they would likely pass the roll-up for that month.
3) But if a patch fails in a way that spectacularly causes major grief for (enterprise systems) or (servers) or (large subsets of current hardware builds) then the entire roll-up is held back.
4) We anticipate (hopefully) one specific upcoming patch that is at the very heart of file transfers on a LAN. The SMB vulnerability. The SMB component has been a major pain in the past; changing it has broken file sharing from devices (scanning printers for example) and older clients. It’s also been a source of file lock contention grief in mixed environments (newer plus older clients and servers).
Getting that wrong in any way could be disastrous for file / data integrity for even very small networks.
~ Group "Weekend" ~
1 user thanked author for this post.
Author
