Hi, did you try the download link from Hans Brender's page, just execute the downloaded file, without any parameters/arguments/options ?

(on his pages, he doesn't mention any need for such parameters/arguments/options :)

translate:Is there a setting for the policy to remove 01 user from the organization while holding a meeting?

for Windows?
for Teams?

am assuming that the newer timestamp are newer versions and should replace the older versions, correct?

Yes, correct :)

Once I am done backing up the old .admx/.adml files, should I change the Owner back to TrustedInstaller or leave as User?

I've never had the need to change ownership back.
the Windows templates are these days serviced in each monthly CU for Windows10 anyway, so the local copy is as current as your Windows version is :)

there are a number of suggestions here, may be useful?

https://groups.google.com/g/patchmanagement/c/e_DIsRk4V8U

sorry James, I am struggling with this webtool today :(

the 'ability to shop' setting, only affects who in your org can purchase on behalf of your org, and then only if you have also granted them the Purchaser role.

regardless of the 'ability to shop' setting, AAD users (work or school accts), can by default, acquire and install free apps.

for Google Chrome, the behaviour is determined by Google not by Microsoft.
But anyway, it seems to be an equivalent feature (despite a minor name change)

http://www.chromium.org/administrators/policy-list-3#ManagedBookmarks

according to that client log, it needs to download the payload for KB5000853 (39MB) but got error 0x80190194 (file not found)

this suggests your WSUS doesn't have the file

try running: wsusutil reset

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720466(v=ws.10)?redirectedfrom=MSDN#summary-of-commands-you-can-use-with-wsusutil

I will try to create more OUs so that every admin user just could affect a subset of clients/users in the first place.

this actually is the best practice! :)

the setting is not app-specific, it is a single setting which applies to all apps (hence, 'general'):

HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\common\general

please refer to the linked documentation :)

https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_Workgrouptemplatespath

copy \\servername\sharename\accessfilename.mdb c:\appfolder\accessfilename.mdb /y
c:\appfolder\accessfilename.mdb

Hi @82253083 yes it's safe, I use it all the time.

I use GPMC to create GPO exports/backups, to files/folders, and then I import those exports/backups into PolicyAnalyzer.

nope, your above example shows

<Remove>
<Product ID="SkypeforBusinessRetail">
</Product>
</Remove>

but for your scenario you have to use

<Product ID="O365ProPlusRetail" >
<Language ID="en-us" />
<ExcludeApp ID="Lync" />
</Product>

(this example is not a complete config.xml)

https://docs.microsoft.com/en-us/deployoffice/office-deployment-tool-configuration-options#id-attribute-part-of-excludeapp-element

@jennylee-7288
as per https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

for WS2012R2 the update is:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4571703 (monthly rollup)
or
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4571723 (security only)
(edit: apparently the catalog service was down yesterday but it's back online now :)

these are appearing fine for me in MS catalog.
note that these updates introduce the new behaviour (block non-compliant Windows machines)
so you should check all the involved DCs in all relevant domains/forests for the trust.
check event logs on all DCs involved and look for events 5828 etc

you said that you did add the server "ALPHA" as a member of the security group "Computers", but, the gpresult does not reflect this.
Did you restart the server "ALPHA" after adding the group?
Computers don't recheck their group memberships until a reboot...
Users don't recheck their group memberships until a logoff/logon...