Ask a question

Shawn Lemay

Firewall policy changes in 2016?

In the past year, we've done several SBS upgrades to 2016 Essentials or 2016 Full w/Essentials Role installed (all of these moved Exchange to 365).

Something I can't explain and can't find any documentation on, however, is that when we bring online NEW Windows 10 workstations into the domain, we cannot PING them or see file-sharing services. Yet... all the migrated Windows 10 computers are fine (ping/file sharing). I can't find anything on this anywhere and am wondering if the policies between 2008/2011 changed and are the rules no longer being added? If so - does anyone have a list of what the rules "should" be to allow servers to fully communicate with workstations (this includes pushing software out - which I also discovered today that the remote registry service is now disabled by default - just set a GPO to change that to manual so at least we can push out software again).

Any advice/pointers would be appreciated. Thank you.


  • Windows Firewall
  • Group Policy
  • Windows 10
  • Windows Server Essentials 2016
  • Essentials Experience Role
asked11/29/2018 19:29
9 views
Add Comment
Mariette Knap

Yes, this behavior is caused by the Client Side Extensions from the SBS. Those are installed when a client is joined to the SBS 2008/2011 and sets a heap of settings in the registry. That does not happen if the SBS 2008/2011 has been migrated and the Client Side Extensions have been removed.

Shawn Lemay

That's good info to start with - thank you Mariette - so in Essential Roles (either Server Essential or Server w/Essential Role added) this policy no longer gets pushed out. Do you know what this policy was or what the specific rules were that we're being set? I'd like to review it and see what makes sense to adhere to moving forward with clients vs. just opening up various ports I "THINK" need to be opened. Thanks again.


replied 12/05/2018 14:58
Mariette Knap

Well, it is not just a Group Policy. If you look in the Netlogon folder you will see that several CSE is installed. Those are part of the SBS suite and you are not allowed to use those anymore after the SBS has been demoted.

I have started creating a Group Policy that does offer similar functionality and I apply that already to my own migrated SBS servers but this is part of my personal toolbox and not yet available for the public.

Installing the Connector software from an Essentials software does already a great deal of the SBS CSE did.


replied 12/05/2018 15:04
Last Activity 12/05/2018 15:04

No answers found

Add an Answer