Introducing Windows 10 into your SBS 2011 Standard Network 20

Susan Bradley has created a series of how to’s for adding Windows 10 into your small business environments. Here’s the one for SBS 2011. Look for other specific operating systems elsewhere in our blog.

If you need some help implementing these changes, open a ticket with us. Helping you is what we do!

Getting newer OS’s and newer applications to run properly is only going to get more difficult, so when it’s time to migrate, we can help you with that too.


Adjust the supported client operating systems:

As noted in you need to adjust the client supported operating systems.

Add the following lines to your client operating system

Admin needs to add the following two lines to the XML file on the server located at –
C:\Program Files\Windows Small Business Server\Bin\WebApp\ClientDeployment\packageFiles\supportedOS.xml Find the file and open in notepad. Add the following two lines:

<OS id=”9″ Name=”Windows 10, AMD64″ Major=”10″ Minor=”0″ Build=”10240″ SPMajor=”” SPMinor=”” ExcludedSuite=”512″ RequiredSuite=”” RequiredProductType=”1″  Architecture=”9″/>
< OS id=”10″ Name=”Windows 10, x86″ Major=”10″ Minor=”0″ Build=”10240″ SPMajor=”” SPMinor=”” ExcludedSuite=”512″ RequiredSuite=”” RequiredProductType=”1″  Architecture=”0″/>

Adjust the group policy wmi filter to fix the issue where folder redirection does not work:

Instead of the WMI filter included in Essentials R2, please adjust it as follows:

Instead of select * from Win32_OperatingSystem where (Version >= “6.1%”) and ProductType= “1”

Change it to select * from Win32_OperatingSystem where Version like “10.%” or Version >=”6.1″

Click Start, click All Programs, click Accessories, and then click Run. Type gpmc.msc in the text box, and then click OK or press ENTER Once you launch the group policy editor, scroll to the bottom where the wmi filters reside. Right mouse click and click edit, and bring up the filter. Now click on edit and adjust it as noted.


Alternatively remember that if you want to set up a unique wmi filter just for Windows 10 you can use to select * from Win32_OperatingSystem where Version like “10.%”

Note that you may have to edit the quotes and retype them as cut and pasting from this document may not copy over the right formatting.

Change Windows 10’s default printer changes.

Due to a change in Windows 10 build 1511, each time you select a new printer it will make that the default printer. To adjust this perform the following:

1. Click on Windows icon (lower left) then click Settings

2. From the Settings window, click Devices

3. From the Devices window, click Printers & scanners

4. From the Printers & scanners window, scroll down and locate the section Let Windows manage my default printer

5. You can click on the toggle button to turn the option on or off, as desired.

See here for more details:

RWA functionality:

No issues reported with RWA. You can use the Edge browser to connect to the remote web access.

Adjust the group policy to allow RDP access to Windows 10 machines

As noted in SBS 2011 Essentials (and standard) need an adjustment to allow for remote desktop and also RWA into these workstations. To add this ability a new policy and ensure it has a wmi filter so that it applies to Windows 10. Go into the WMI section, right mouse click on new. Add a new WMI filter. Call it Windows 10, For the filter value click add and merely use select * from Win32_OperatingSystem where Version like “10.%”

Click to save the filter.


Now build a new policy. Go up to the policy settings and add a new policy. Right mouse click and click on create a GPO in this domain and link it here. Name your policy. Windows 10 computers (or something equality descriptive).

The policy setting is found at :

Computer Configuration > Policies> Administrative Templates > Windows components> Remote Desktop Services> Remote Desktop Session Host > Connections >

‘Allow users to connect remotely using Remote Desktop Services’


Also set

Computer Configuration > Policies> Administrative Templates > Windows components> Remote Desktop Services> Remote Desktop Session Host > Security >

‘Set Client Encryption Level’

To Enabled and High.


As the final step, change the wmi filter to be the Windows 10 filter you set up before

Changes needed to WSUS server

Our final changes required a needed evaluation of the needs of and control of patching of Windows 10 in a network where WSUS 3.2 will not get the needed fixes in order to manage branch patching for Windows 10. While WSUS 3.2 can handle normal security releases, it will not be getting the hotfix needed to support WSUS deployment of branch updates.

If you have the ability to install the WSUS role on a Server 2012 or 2012 R2 member server inside the SBS 2011 standard or SBS 2008 domain, you may wish to do so. Alternatively you can disable the WSUS services and decide to use a third party patchmanagement tool to deploy updates throughout the network. I would recommend leaving WSUS installed and merely disabling the WSUS services. The installation of WSUS changes IIS compression settings and removing SQL server from a domain controller can be hazardous to the server, thus why I recommend to leave the services installed and merely disable them.

Another option you can do firm wide is to change the group policy to no longer use WSUS in the network and to move all workstations to get their updates automatically from Microsoft update.

Finally you can make a setting to just impact the Windows 10 in your domains.


For those of you on older (non supported) WSUS, you have several options:

Option one: Change the settings to that every workstation in the network doesn’t use WSUS.

To use this option, change these settings in group policy:

In the update services common settings policy>Computer configuration>policies>administrative templates>Windows components>Windows update

Notice all of the enabled policies:


Review each to see which ones you still want to keep, and ones that need to be adjusted.

Specifically you need to change to “Not configured” the Setting for “Specify intranet Microsoft update service location”


Make sure it’s adjusted to not configured:


When you are done it should look like this:




For servers we do not want the patches to auto install


You are aiming to set the workstations to go directly to MU and install critical and important updates every day at 3:00am and reboot as necessary, except the server which will download and notify.

The advantage to this is you no longer have the overhead of WSUS on the server as you can shut down the services. The disadvantage is that you are at the mercy of patch Tuesday.

Option two:

Keep using WSUS for security and normal patching, manually update Windows 10 professional or Enterprise skus to the branch updates. Any Windows 10 workstation on a domain behind WSUS can manually go to Microsoft update merely by going to the Settings, Update and security section and manually force the workstation to check in with Microsoft update. The branch update will be offered up and you can then manually install it. After the install the workstation will once again be fully patchable by WSUS.

Make WSUS 10 not say Vista on the WSUS 3.2 server

As noted in you will need to do a SQL query to fix this. Note this issue is fixed in WSUS on 2012 and 2012 R2, this is only an issue for WSUS 3.2 After each build is released and installed you will have to run this script again.

UPDATE [SUSDB].[dbo].[tbComputerTargetDetail]

SET [OSDescription] = ‘Windows 10’

WHERE [OSMajorVersion] = ’10’

AND [OSMinorVersion] = ‘0’

AND [OldProductType] = ‘1’

AND ([OSDescription] <> ‘Windows 10’ or [OSDescription] IS NULL)


Not a Third Tier customer yet? Let me introduce:  We provide advanced Third Tier support for IT Professionals and IT consulting firms. Stuck? Need Expertise? Just open a ticket.

Follow our social media locations. Attend our next chat or webinar:

Third Tier Get Support BlogFeed Blog Twitter Twitter Facebook Facebook LinkedIn LinkedIN

Leave a comment

Your email address will not be published. Required fields are marked *

20 thoughts on “Introducing Windows 10 into your SBS 2011 Standard Network

  • Jon

    In the first part of the blog post when you mention editing the supportedOS.xml file, will that code still work if the Win 10 systems are on the newer November 2015 Windows 10 build 10586, instead of the initial July 2015 release 10240 build?

      • Eric

        Will the new lines referencing build 10240 still work with build 1511, or should the build number be set in the XML to Build=”1511″ ?

        • Third Tier Post author

          Susan is going to be updating this article since the build numbers will have to change with each release as currently written.

          • Eric

            I followed the steps but changed to Build=1511. Before I was able to test joining a Win 10 box I had to join another Win 7 Pro box and was unable to do so. Removing the last two lines from the .xml fixed the issue and I was able to join W7 to the domain once again.

            It appears to me that adding these two lines breaks the ability to join Win 7 Pro to the domain.

  • Jim

    Thanks for this Susan. For the WMI filter changes, which filter do you propose we change? We have entries for

    Windows SBS Client
    Windows SBS Client – Windows 7 and Windows Vista
    Windows SBS Client – Windows 8
    Windows SBS Client – Windows XP

    I’m pretty sure no-one added these manually.

    • Third Tier Post author

      I would copy the Windows 8 policy, name is Windows 10 and apply the WMI filter to it. You’ll also want to review your other policies.

  • Al Williams

    WRT to editing the GPO WMI filter you aren’t clear which one to edit in SBS2011 Standard (not Essentials). From what I’ve found, you need to edit the WMI filter named “Windows SBS Client – Windows 7 and Windows Vista” and make it like this:
    select * from Win32_OperatingSystem Where Version like “10.%” or version>=’6.0.6002′
    This will configure the Win10’s PC’s firewall to allow the console to pick up the WMI OS version, etc. You can also rename the filter to “Vista and above” because that’s what it’s for.
    You may also have to edit any Windows 8 WMI filters to add the like “10.%”.

  • Andrew

    after the group policy edit you Wrote”As the final step, change the wmi filter to be the Windows 10 filter you set up before” but don’t explain how to do that.

  • Aaron

    I’m having an ongoing issue after performing an in-place upgrade of a Win7 client to Win10. This client is connected to a SBS 2011 domain. SBS 2011 and the SBS Win10 client are Hyper-V virtual machines on a Windows Server 2012 R2 Host.

    Even though the host is 2012 R2, my belief is that the client is still picking up all it’s settings from SBS. I’ve followed the above post to add a Win10 WMI filter, create a new group policy object and apply the RDP settings. After following these steps (and confirming multiple times), I’m still getting the following error dozens of times a day in my Win10 SBS client:

    The server’s security layer setting allows it to use native RDP encryption, which is no longer recommended. Consider changing the server security layer to require SSL. You can change this setting in Group Policy.

    The RDP session will become unresponsive and sometimes even display the disconnect message (1 of 20), before suddenly reconnecting.

    Does anyone know how to fix this annoying behavior?

  • Aaron

    I followed the advise about adding a WMI filter for Win10 and then applying the GPO for the RDP settings. After creating the entry on SBS 2011 Standard, I’m getting a dozen or so errors a day about RDP connection:

    The server’s security layer setting allows it to use native RDP encryption, which is no longer recommended. Consider changing the server security layer to require SSL. You can change this setting in Group Policy.

    Does anyone know how to get the Win10 client to grab the SSL settings?

    SBS 2011 Standard and the Win10 SBS client are both Hyper-V virtual machines on a Server 2012 R2 host. Even though 2012 R2 is the Hyper-V host, I’ve assumed the RDP settings for the SBS client are coming from SBS and not 2012 R2.

  • Emmmj

    Great Article, i have updated the WMI Filter for windows 7 and Vista (i dont have windows 8 listed) to say:
    select * from Win32_OperatingSystem Where Version like “10.%” or version>=’6.0.6002′.

    Following this on all of the windows 10 machines if i do a gpupdate /force i see a message: [0x7FF8828770E3] ANOMALY: use of REX.w is meaningless (default operand size is 64)
    Updating policy…
    Even after it updates the policy and systems are logged off/on there are no drive mappings or firewall rules applied to any of the windows 10 pro machines.

  • Mark Berry

    So I assume this means that supportedOS.xml must be updated every six months when Windows 10 is upgraded. I hope these lines are right for 1511, 1607, 1703, and 1709:

  • Richard

    I’m having a bit of trouble following the section “Adjust the group policy to allow RDP access to Windows 10 machines”. The instructions don’t seem to be very specific and are, perhaps, assuming a level of knowledge greater than that possessed by a small company trying to look after its own IT with no training other than “on the job”. What msc is used at the various steps? The only msc mentioned in the text is “gpmc” but later, the instructions appear to be for an msc with a different tree structure. Any clarification would be appreciated.