Difference between revisions of "Windows 10 Support"
m (formatting) |
Bunkobugsy (talk | contribs) m |
||
(11 intermediate revisions by 5 users not shown) | |||
Line 5: | Line 5: | ||
==Background== | ==Background== | ||
− | Windows 10 was released in July 2015. Due to changes in the way that trust relationships are established with domain controllers, some modifications to the windows registry | + | Windows 10 was released in July 2015. |
+ | |||
+ | {{Warning box|Due to changes in the way that trust relationships are established with domain controllers, some modifications to the windows registry need to take place}} | ||
+ | |||
+ | (Note: Windows 11 is due soon. This will be revised in the light of experience for Windows 11). | ||
Microsoft [https://support.microsoft.com/en-sg/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and How To detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows] | Microsoft [https://support.microsoft.com/en-sg/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and How To detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows] | ||
− | ==Join a Window 10 client to SME Server | + | ==Join a Window 10 client to SME Server 10== |
− | Previously you needed to edit your Win10 registry to facilitate the joining of a SME Server Domain, however this can more easily be achieved by importing win10samba.reg fix by using | + | Previously you needed to edit your Win10 registry to facilitate the joining of a SME Server Domain, however this can more easily be achieved by importing win10samba.reg fix either by using a usb key or by the network with http.To proceed: |
*Save the Win10 registry patch (win10samba.reg) from https://your-server-ip/server-resources/regedit/ with your favourite web browser | *Save the Win10 registry patch (win10samba.reg) from https://your-server-ip/server-resources/regedit/ with your favourite web browser | ||
Line 19: | Line 23: | ||
'''Using PowerShell'''<br> | '''Using PowerShell'''<br> | ||
− | As seen on https://forums.contribs.org/index.php/topic,54125.0.html there | + | As seen on https://forums.contribs.org/index.php/topic,54125.0.html there is another way (maybe both changes are needed - needs '''verification'''): |
Start Powershell: | Start Powershell: | ||
Line 53: | Line 57: | ||
</gallery> | </gallery> | ||
− | =====MS Windows | + | =====MS Windows Workgroup configuration===== |
Go to the "start menu", right click on computer, select "System", select the link "System Info", then click on "Change settings" Tab. In the field for "Computer name, domain and workgroup settings", type your "workgroup".<br /> | Go to the "start menu", right click on computer, select "System", select the link "System Info", then click on "Change settings" Tab. In the field for "Computer name, domain and workgroup settings", type your "workgroup".<br /> | ||
Line 60: | Line 64: | ||
If you want to be automatically signed into Microsoft's Cloud services (like you would when you login to Windows 10 with a Microsoft Account) you can add your Microsoft Account to your Domain account: | If you want to be automatically signed into Microsoft's Cloud services (like you would when you login to Windows 10 with a Microsoft Account) you can add your Microsoft Account to your Domain account: | ||
− | * Go to: <tt>Start > Settings > Accounts > Your account</tt> | + | |
− | * Scroll down to the section: '<tt>Other accounts you use</tt>' | + | *Go to: <tt>Start > Settings > Accounts > Your account</tt> |
− | * Click on the '<tt>Add a Microsoft account</tt>' link and supply your credentials | + | *Scroll down to the section: '<tt>Other accounts you use</tt>' |
+ | *Click on the '<tt>Add a Microsoft account</tt>' link and supply your credentials | ||
===Setting up network drives=== | ===Setting up network drives=== | ||
If you are using SME Server as a domain controller and the workstations have joined the domain | If you are using SME Server as a domain controller and the workstations have joined the domain | ||
− | you can automate drive mapping and | + | you can automate drive mapping and synchronise the PC time with the netlogon.bat file |
− | Note: [[:SME_Server:Documentation:Administration_Manual:Chapter13#Workgroup |Chapter 13]] has a method for admin to edit the netlogon.bat file without using the command line. You can consider also the [[SME_Server:Documentation:Administration_Manual:Chapter7|chapter 7]] on Configuring the Computers on Your Network | + | Note: [[:SME_Server:Documentation:Administration_Manual:Chapter13#Workgroup |Chapter 13]] has a method for the admin to edit the netlogon.bat file without using the command line. You can consider also the [[SME_Server:Documentation:Administration_Manual:Chapter7|chapter 7]] on Configuring the Computers on Your Network |
nano -w /home/e-smith/files/samba/netlogon/netlogon.bat | nano -w /home/e-smith/files/samba/netlogon/netlogon.bat | ||
Line 82: | Line 87: | ||
and reset file to dos format | and reset file to dos format | ||
− | unix2dos /home/e-smith/files/samba/netlogon/netlogon.bat | + | unix2dos /home/e-smith/files/samba/netlogon/netlogon.bat<br /> |
+ | ===Outlook 2016 on Win10=== | ||
+ | reference: [[Bugzilla:10106]] and SME10 [[Bugzilla:10169]] | ||
− | + | A registry modification has been added to the default win10samba.reg. While setting up an email account on a Windows 10 computer joined to a domain (with roaming profiles) you would get an error code: 0x8004011c without this modification. | |
− | |||
− | |||
− | (with roaming profiles) you would get an error code: 0x8004011c without this. | ||
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb] | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb] | ||
"ProtectionPolicy"=dword:00000001 | "ProtectionPolicy"=dword:00000001 | ||
− | == | + | ==Notes concerning Windows 10 and SME Server 10== |
− | As reported in [[Bugzilla:9555]], with default configuration while samba 4.4.4-12 should be able to use SMB3_11 protocol and Windows 10 should ask for it, it could | + | As reported in [[Bugzilla:9555]], with a default configuration, while samba 4.4.4-12 should be able to use the SMB3_11 protocol and Windows 10 should ask for it, it could occur that the negotiation fails, if so, please report. However, there seem to be two ways to work around this. First, by editing the server config: |
config setprop smb ServerMaxProtocol NT1 | config setprop smb ServerMaxProtocol NT1 | ||
Line 99: | Line 103: | ||
service smb restart | service smb restart | ||
− | + | config setprop smb ServerMinProtocol NT1 | |
+ | expand-template /etc/smb.conf | ||
+ | service smb restart | ||
+ | |||
+ | Second, an alternative would be to patch the registry of every windows 10 client with the following: | ||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry] | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry] | ||
Line 105: | Line 113: | ||
"SMB2"=dword:00000000 | "SMB2"=dword:00000000 | ||
− | + | ==Reverting win10samba.reg changes== | |
− | == | + | If you need to revert the win10samba.reg changes, this is a batch file to do it:<br> |
− | If you need to revert | ||
@echo off | @echo off | ||
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v "DNSNameResolutionRequired" /f | reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v "DNSNameResolutionRequired" /f | ||
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v "DomainCompatibilityMode" /f | reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v "DomainCompatibilityMode" /f | ||
+ | reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters /v "UseProfilePathExtensionVersion" /f | ||
+ | |||
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\\\*\\netlogon" /f | reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\\\*\\netlogon" /f | ||
− | + | ||
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "SlowLinkDetectEnabled" /f | reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "SlowLinkDetectEnabled" /f | ||
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "DeleteRoamingCache" /f | reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "DeleteRoamingCache" /f | ||
Line 121: | Line 130: | ||
See [[Bugzilla:9205]] and forum post https://forums.contribs.org/index.php/topic,53813.0.html | See [[Bugzilla:9205]] and forum post https://forums.contribs.org/index.php/topic,53813.0.html | ||
− | Re issues when ESET products are installed on Windows 10 | + | Re issues when ESET products are installed on Windows 10. |
− | + | ||
− | + | ==Windows 10 and Windows 11 issues joining domains== | |
− | + | Following reports of issues here: | |
− | + | https://forums.koozali.org/index.php/topic,54919.0.html | |
+ | |||
+ | See here: | ||
+ | https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8 | ||
+ | |||
+ | Possible reg fix: | ||
+ | |||
+ | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] | ||
+ | "NetJoinLegacyAccountReuse"=dword:00000001 | ||
+ | |||
+ | Following reports of issues here: | ||
+ | [Https://forums.koozali.org/index.php/topic%2C55217.0.html https://forums.koozali.org/index.php/topic%2C55217.0.html] it seems that this registry key is ignored since August 13, 2024. | ||
+ | |||
+ | See here: | ||
+ | https://support.microsoft.com/en-gb/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8 | ||
+ | |||
+ | Possible fix: | ||
+ | |||
+ | pdbedit -x pc$ | ||
+ | |||
+ | Please check the bugs for any potential issues. | ||
+ | |||
+ | [[Category:Howto]] | ||
+ | [[Category:Administration]] |
Latest revision as of 06:50, 25 September 2024
Author
Flep based on windows_7_support of David Harper
Background
Windows 10 was released in July 2015.
(Note: Windows 11 is due soon. This will be revised in the light of experience for Windows 11).
Microsoft How To detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows
Join a Window 10 client to SME Server 10
Previously you needed to edit your Win10 registry to facilitate the joining of a SME Server Domain, however this can more easily be achieved by importing win10samba.reg fix either by using a usb key or by the network with http.To proceed:
- Save the Win10 registry patch (win10samba.reg) from https://your-server-ip/server-resources/regedit/ with your favourite web browser
- On your windows desktop, start "regedit" from the start menu and import the win10samba.reg
- Set your domain instead of your workgroup. Add the client machine to the domain as normal.
- When asked on your Windows PC use the 'admin' username and your SME Server admins password.
- You have to reboot your computer to reach the domain
Using PowerShell
As seen on https://forums.contribs.org/index.php/topic,54125.0.html there is another way (maybe both changes are needed - needs verification):
Start Powershell:
Powershell
Run as superuser:
start-process powershell –verb runAs
Check Client settings:
Get-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol"
Enable SMB1:
Enable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol" -All
If you want to disable it:
Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol"
Source: https://winaero.com/blog/enable-smb1-sharig-protocol-windows-10/
(*) Admin or any user in the 'Domain Admins' group can join the domain.
MS Windows Workgroup configuration
Go to the "start menu", right click on computer, select "System", select the link "System Info", then click on "Change settings" Tab. In the field for "Computer name, domain and workgroup settings", type your "workgroup".
Adding a Microsoft account to your domain account
If you want to be automatically signed into Microsoft's Cloud services (like you would when you login to Windows 10 with a Microsoft Account) you can add your Microsoft Account to your Domain account:
- Go to: Start > Settings > Accounts > Your account
- Scroll down to the section: 'Other accounts you use'
- Click on the 'Add a Microsoft account' link and supply your credentials
Setting up network drives
If you are using SME Server as a domain controller and the workstations have joined the domain you can automate drive mapping and synchronise the PC time with the netlogon.bat file
Note: Chapter 13 has a method for the admin to edit the netlogon.bat file without using the command line. You can consider also the chapter 7 on Configuring the Computers on Your Network
nano -w /home/e-smith/files/samba/netlogon/netlogon.bat
REM To set the time when clients logon to the domain: net time \\servername /set /yes REM To map a home directory to drive h: net use h: /home /persistent:no net use j: \\servername\ibay1 /persistent:no net use p: \\servername\ibay2 /persistent:no if exist Z: net use Z: /del /yes
and reset file to dos format
unix2dos /home/e-smith/files/samba/netlogon/netlogon.bat
Outlook 2016 on Win10
reference: Bugzilla:10106 and SME10 Bugzilla:10169
A registry modification has been added to the default win10samba.reg. While setting up an email account on a Windows 10 computer joined to a domain (with roaming profiles) you would get an error code: 0x8004011c without this modification.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb] "ProtectionPolicy"=dword:00000001
Notes concerning Windows 10 and SME Server 10
As reported in Bugzilla:9555, with a default configuration, while samba 4.4.4-12 should be able to use the SMB3_11 protocol and Windows 10 should ask for it, it could occur that the negotiation fails, if so, please report. However, there seem to be two ways to work around this. First, by editing the server config:
config setprop smb ServerMaxProtocol NT1 expand-template /etc/smb.conf service smb restart
config setprop smb ServerMinProtocol NT1 expand-template /etc/smb.conf service smb restart
Second, an alternative would be to patch the registry of every windows 10 client with the following:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry] "SMB1"=dword:00000001 "SMB2"=dword:00000000
Reverting win10samba.reg changes
If you need to revert the win10samba.reg changes, this is a batch file to do it:
@echo off reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v "DNSNameResolutionRequired" /f reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v "DomainCompatibilityMode" /f reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters /v "UseProfilePathExtensionVersion" /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\\\*\\netlogon" /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "SlowLinkDetectEnabled" /f reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "DeleteRoamingCache" /f reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "WaitForNetwork" /f reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "CompatibleRUPSecurity" /f
Windows 10 update error when using ESET products and can't access SME SERVER : SSL_ERROR_BAD_CERT_ALERT
See Bugzilla:9205 and forum post https://forums.contribs.org/index.php/topic,53813.0.html
Re issues when ESET products are installed on Windows 10.
Windows 10 and Windows 11 issues joining domains
Following reports of issues here: https://forums.koozali.org/index.php/topic,54919.0.html
Possible reg fix:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "NetJoinLegacyAccountReuse"=dword:00000001
Following reports of issues here: https://forums.koozali.org/index.php/topic%2C55217.0.html it seems that this registry key is ignored since August 13, 2024.
Possible fix:
pdbedit -x pc$
Please check the bugs for any potential issues.