Thanks Ants posted:
I'm getting into a bit of a rabbit hole with Windows Hello for Business in a hybrid deployment (Azure AD joined clients managed with Intune, on-prem resources joined to AD), and the whole "have a PKI infrastructure" step is not just a simple task on the route to implementing this.

One of the hurdles I faced was that even in Server 2019 the CA was issuing SHA-1 certs by default, so you will probably want to change that otherwise.

i am a moron posted:
Hah, interesting. I didn't know this required PKI. For what it's worth, getting the certs onto devices via the connector with Intune isn't too bad.

Don't do most of these things, but do extend your CRL expiration and your root CA.
Nov 24, 2020 20:26

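The two PKI fixes mentioned above (move the CA off SHA-1, lengthen the CRL lifetime) as an added PowerShell example; this is not code from the thread. The registry value names are certutil's own; the CRL periods chosen are assumptions, and an offline root published by hand needs a much longer period than an online issuing CA.

```powershell
# Added example, not from the thread: check which hash an AD CS CA signs with,
# move it to SHA-256, and lengthen the CRL validity. Run elevated on the CA.
# The registry value names are certutil's; the CRL periods are assumptions.

# What the CA signs issued certs and CRLs with today (expect SHA1 on a default install)
certutil -getreg CA\CSP\CNGHashAlgorithm

# Switch to SHA-256. Only affects certs and CRLs signed from now on; the CA's own
# certificate keeps the hash it was issued with (renew it with SHA-256 separately).
certutil -setreg CA\CSP\CNGHashAlgorithm SHA256

# CRL lifetime. For an online issuing CA, a weekly base CRL with a couple of days
# of overlap (assumption); for an offline root that is published by hand, use months
# or a year, otherwise revocation checking breaks when the CRL expires before the
# next manual publish.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Days"

Restart-Service certsvc
certutil -CRL        # publish a fresh CRL with the new settings

# Verify the published CRL now carries a sha256RSA signature
$crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" | Select-Object -First 1
certutil -dump $crl.FullName | Select-String -Pattern 'sha\d+RSA'

# Verify on a client after the next autoenrollment: the signature algorithm of
# certs issued from now on should read sha256RSA, older ones will still show sha1RSA
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotBefore, @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }
```

Changing CNGHashAlgorithm does not reissue anything: every certificate already in the database keeps its SHA-1 signature until it is renewed, so plan on reissuing templates that matter (the WHfB and SCCM certs) rather than waiting for natural expiry.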
In my galaxy brain, since I delete the offline root forever I've also protected myself from anyone taking my single-use client/server certificates for SCCM to use HTTPS and using it for anything else and then blaming me. So it isn't setting up a PKI as much as it is satisfying a requirement to get something I loathe to work.
Nov 24, 2020 20:42

I'm going to spam everybody that mentions Azure in their profile on Twitter until we get a managed PKI infrastructure that can run there. But in the meantime I'll have a look through those documents and take it slowly.
Nov 24, 2020 21:42

Question about reverse lookup DNS records. If you have a server that has a static IP with no DHCP scope, since the whole subnet is static servers, should doing ipconfig /registerdns register the reverse DNS record? The option on the NIC is enabled to register the DNS and the forward lookup is registered, but I don't see the reverse record.
Nov 25, 2020 06:40

Do you have a zone for the subnet?
Nov 25, 2020 14:44

A reverse lookup zone yes
Nov 25, 2020 23:14

Thanks Ants posted:
I'm getting into a bit of a rabbit hole with Windows Hello for Business in a hybrid deployment (Azure AD joined clients managed with Intune, on-prem resources joined to AD), and the whole "have a PKI infrastructure" step is not just a simple task on the route to implementing this.

I've only implemented it once and it was in a lab environment, but this video got me most of the way there: https://www.youtube.com/watch?v=GfYOyFMc8vA

One thing I noticed, at least for non-Azure AD, is that if your AD UPN doesn't match your O365 UPN then Hello for Business won't work. I normally use the mail attribute for the O365 UPN. It took me way too long to figure that out.
Nov 27, 2020 04:06

snackcakes posted:
One thing I noticed, at least for non-Azure AD, is that if your AD UPN doesn't match your O365 UPN then Hello for Business won't work. I normally use the mail attribute for the O365 UPN. It took me way too long to figure that out.

This is a really, really, really old limitation and is supported now. That sounds like something more to do with ADFS claims rules?
Nov 27, 2020 04:18

Thanks, I'll look at that video. I added our email domain as a UPN suffix a while ago, everybody has been logging in locally with their email address for a long time now.
Nov 27, 2020 11:32

I have a fun Windows / SharePoint 2013 (LOL) question. We ran Windows Updates on one of our test front-ends and an indexer last night to start getting things up to snuff. Getting this error on the main app on the front end we were updating: SQL Server is still "unpatched" from this point of view. The front-end is erroring out I *think* on the DB connection:

WFE (does not work): Server 2012 R2 - Most recent updates applied - .NET version 4.8.03761
WFE (didn't update, does work): Server 2012 R2 - Patches have been a while - .NET version 4.6.01055
Index (updated, works): Server 2012 R2 - Most recent updates applied - .NET version 4.8.03761
SQL (works): Server 2012 R2 - Patches have been a while - .NET version 4.6.01055

I'm trying to figure out what exactly might be the issue here. I can tell it's something with the SQL conversation but can't quite nail down what the exact issue is.

Things I have tried:
- Editing the configuration string to connect with TrustedConnection=Yes
- Editing the configuration string to connect with TransparentNetworkIPResolution=False - https://docs.microsoft.com/en-us/ar...orkipresolution
- Checked all the protocols in the registry
- Both front ends are the same, nothing changed there. TLS is still enabled, SSLv3 and below disabled.

Questions:
1. Any ideas of things I should try? Rabbit holes to go down?
2. Is there a process to get the SharePoint Foundation app to try and connect to the DBs again without rebooting the server? I want to try doing some packet captures and compare with the working server, and this is the bare metal install (I know).
3. Should I just restore my latest backup to VMware and slow patch this POS?
Dec 15, 2020 20:06

Can you connect to the SQL server using SQL Management Studio? Somewhere along the line you have some TLS/SSL option wrong.
Dec 15, 2020 20:18

Bob Morales posted:
Can you connect to the SQL server using SQL Management Studio?

Yep, I can connect no problem, and the other servers can too. An update could have blown up the registry protocols. I'll take a look.
Dec 15, 2020 20:28

ptier posted:
Yep, I can connect no problem, and the other servers can too. An update could have blown up the registry protocols. I'll take a look.

I looked. Registry says they have the same settings; lowest is TLS 1.0. So no SSLv3 shenanigans. Probably just going to restore to VM and play with it, because really they need to go to VM anyways.
Dec 15, 2020 21:04

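The comparison the posters above were doing by hand, as an added PowerShell example that is not from the thread: pull the Schannel protocol switches and the .NET 4.x TLS switches from the working and broken front ends and diff them. The thread never pins down the cause, so this only surfaces the differences; the host names are assumptions. The .NET keys matter because a 4.8 update changes which TLS versions SqlClient will offer, while the Schannel keys are what was already checked.

```powershell
# Added example, not from the thread: diff Schannel and .NET TLS settings between
# the front end that broke after patching and one that still works. Hostnames are
# assumptions. Requires PowerShell remoting to the targets.
$hosts = 'wfe01-broken', 'wfe02-works', 'sql01'

$collect = {
    $out  = [ordered]@{ Host = $env:COMPUTERNAME }
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path (Join-Path $base "$proto\$side") -ErrorAction SilentlyContinue
            # Absent = the OS default for that Windows build; 0/1 = explicitly disabled/enabled
            $out["$proto $side"] = if ($p) { "Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)" } else { '(default)' }
        }
    }
    # .NET 4.x: SchUseStrongCrypto / SystemDefaultTlsVersions decide whether managed
    # clients such as SqlClient negotiate TLS 1.2 or stay on the legacy SSL3/TLS1.0 set
    foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p   = Get-ItemProperty -Path $net -ErrorAction SilentlyContinue
        $bit = if ($net -match 'Wow6432Node') { '32-bit' } else { '64-bit' }
        $out["NET4 $bit"] = "SchUseStrongCrypto=$($p.SchUseStrongCrypto) SystemDefaultTlsVersions=$($p.SystemDefaultTlsVersions)"
    }
    # Installed .NET 4.x build (Release 528040 and above is 4.8)
    $out['NetRelease'] = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full').Release
    [pscustomobject]$out
}

$results = Invoke-Command -ComputerName $hosts -ScriptBlock $collect
$results | Format-List

# Property-by-property diff of the broken box against the working one
$broken = $results | Where-Object Host -eq 'WFE01-BROKEN'
$works  = $results | Where-Object Host -eq 'WFE02-WORKS'
$skip   = 'PSComputerName', 'RunspaceId', 'PSShowComputerName', 'Host'
foreach ($prop in $broken.PSObject.Properties.Name | Where-Object { $_ -notin $skip }) {
    if ($broken.$prop -ne $works.$prop) {
        '{0,-20} broken={1}  works={2}' -f $prop, $broken.$prop, $works.$prop
    }
}
```

If the only differences are NetRelease and the .NET strong-crypto values, the SQL side is the next place to look: a SQL Server 2012-era instance that has not had its TLS 1.2 update cannot complete a handshake with a client that now refuses to offer TLS 1.0, which matches the "SQL server is still unpatched" observation in the post.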
Exchange Online environment. Question about the Outlook junk filter. Is this controlled separately from Exchange Online? Does putting a whitelist on Exchange Online bypass the local junk filter on Outlook? Basically items are being put into the junk folder which aren't actually junk (email alerts). I know you could whitelist it on the client, but it's going into a lot of people's junk folders. I assume this is a separate client-side feature not controlled from the Exchange Online portal.
Jan 6, 2021 08:12

lol internet. posted:
Exchange Online environment. Question about the Outlook junk filter. Is this controlled separately from Exchange Online? Does putting a whitelist on Exchange Online bypass the local junk filter on Outlook? Basically items are being put into the junk folder which aren't actually junk (email alerts). I know you could whitelist it on the client, but it's going into a lot of people's junk folders. I assume this is a separate client-side feature not controlled from the Exchange Online portal.

They are separate, but in the rules for Exchange Online you can set the from address or other identifying info to set the spam level to bypass. That should cause local Outlook to not cover it as junk. One of the things the local junk filter looks at is the SCL (spam confidence level). If Exchange Online says it's clean, usually that's enough. We recently migrated to O365 and had a number of emails like that from local systems that had to bypass the filter.
Jan 6, 2021 12:51

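The mail flow rule described in the reply above, as an added example in Exchange Online PowerShell (not from the thread). Setting SCL to -1 tells EOP to skip spam filtering, and Outlook's client-side junk filter honours the stamped SCL header, which is why one rule fixes every mailbox. The sender address, IP range and rule name are assumptions; the cmdlets and parameters are from the ExchangeOnlineManagement module.

```powershell
# Added example, not from the thread: bypass spam filtering for a monitoring
# system's alert mail, scoped to both the sender address and the relay's IP range.
# Addresses, the IP range and the rule name are assumptions.
Connect-ExchangeOnline

# Keying the bypass on the From address alone would let anyone who spoofs
# alerts@ skip the spam filter for every mailbox in the tenant, so require the
# message to also arrive from the relay's address range.
New-TransportRule -Name 'Bypass spam filter - monitoring alerts' `
    -From 'alerts@monitoring.example.com' `
    -SenderIpRanges '203.0.113.0/24' `
    -SetSCL -1 `
    -Comments 'Internal monitoring relay; SPF and DKIM are enforced separately'

# Confirm the rule, its position in the evaluation order, and that it is enabled
Get-TransportRule | Where-Object Name -like 'Bypass spam filter*' |
    Format-List Name, Priority, State, From, SenderIpRanges, SetSCL

# After sending a test alert, trace it; the delivered copy should carry
# X-MS-Exchange-Organization-SCL: -1 in its headers
Get-MessageTrace -SenderAddress 'alerts@monitoring.example.com' -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Select-Object Received, RecipientAddress, Status
```

If the alerting system sends from a cloud service rather than a fixed range, swap `-SenderIpRanges` for a header match (`-HeaderContainsMessageHeader` / `-HeaderContainsWords`) on a header only that system adds, and keep SPF/DKIM/DMARC enforced for the sending domain so the bypass cannot be borrowed.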
Is there a program that can visually show a file tree of a drive? Looking to get a visualization of our file server to see the sprawl that’s been introduced and how we can wrangle it in.
Jan 8, 2021 04:27

George H.W. oval office posted:
Is there a program that can visually show a file tree of a drive? Looking to get a visualization of our file server to see the sprawl that's been introduced and how we can wrangle it in.
Jan 8, 2021 04:57

Can Azure Monitor still take SNMP data from agents? The only MS documentation I can find is ancient (https://docs.microsoft.com/en-gb/archive/blogs/msoms/collecting-snmp-data-with-operations-management-suite) and still calls it OMS, so I'm not that hopeful.
Jan 8, 2021 17:05

George H.W. oval office posted:
Is there a program that can visually show a file tree of a drive? Looking to get a visualization of our file server to see the sprawl that's been introduced and how we can wrangle it in.

I like SpaceSniffer. WinDirStat is also solid.
Jan 17, 2021 18:21

What are people who are still using WSUS doing for computers that aren't going to be back in the building any time soon? Buddy emailed me and his company turned WSUS off... because they didn't want 100 people pulling updates from home. And for some reason they didn't put their servers in their own group, so their servers also haven't updated since... early last summer? He just got hired and one of his duties is managing updates.
Jan 19, 2021 18:49

Windows Update for Business https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb
Jan 19, 2021 18:55

Internet Explorer posted:
Windows Update for Business

It's this. Also, use this as an opportunity to get used to ring-based deployments, because I don't think that concept is going anywhere anytime soon.
Jan 19, 2021 19:02

phased deployment, but we put a ring on it
Jan 19, 2021 19:14

am I missing a core philosophical concept when I think of ring deployment as phased deployment with different words?
Jan 19, 2021 19:15

We switched to using WUfB company-wide some time ago. Ditched the pile that was WSUS. I use PDQ Inventory to keep an eye on things (i.e. make sure updates are being installed, feature updates are being applied when I allow them, etc.).

We also have Delivery Optimization configured to operate P2P on the local subnet only. It works really well actually. 1-2 machines in a given location will download the updates, and then all the machines on that subnet will pull their updates from those machines. Keeps them all from pulling giant updates directly from MS at once. WFH machines will still pull their updates directly from MS, based on the WUfB deferral settings.
Jan 19, 2021 19:16

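The settings behind the post above (a WUfB deployment ring plus LAN-only Delivery Optimization) as an added PowerShell example, not from the thread. It writes the policy registry values locally so the effect can be checked on one test machine before the same values go out through Intune or GPO; the ring's deferral periods are assumptions, the value names are the documented WindowsUpdate and DeliveryOptimization policy values.

```powershell
# Added example, not from the thread: one WUfB ring and LAN-only peering, set
# locally for testing. Deferral days are assumptions; value names are the
# documented policy registry values. Run elevated.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$do = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
New-Item -Path $wu, "$wu\AU", $do -Force | Out-Null

# "Broad" ring (assumption): quality updates 7 days after release, feature updates 30 days
$ring = @{
    DeferQualityUpdates             = 1
    DeferQualityUpdatesPeriodInDays = 7
    DeferFeatureUpdates             = 1
    DeferFeatureUpdatesPeriodInDays = 30
    BranchReadinessLevel            = 16     # Semi-Annual Channel
}
foreach ($name in $ring.Keys) { Set-ItemProperty -Path $wu -Name $name -Value $ring[$name] -Type DWord }

# DODownloadMode 1 = peer only with devices behind the same NAT / on the LAN,
# 2 = peer within a configured group, 0 = HTTP only, 99 = no peering at all
Set-ItemProperty -Path $do -Name DODownloadMode -Value 1 -Type DWord

# Leftover WSUS pointers make clients scan against a server that may now be off
# and cause WUfB deferrals to be ignored, so strip them as part of the switch
foreach ($v in 'WUServer', 'WUStatusServer') {
    if (Get-ItemProperty -Path $wu -Name $v -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $wu -Name $v
        "removed $v"
    }
}
Set-ItemProperty -Path "$wu\AU" -Name UseWUServer -Value 0 -Type DWord

# Check what the device resolved to, and whether recent downloads actually came from peers
Get-ItemProperty -Path $wu | Select-Object Defer*, BranchReadinessLevel
Get-DeliveryOptimizationStatus | Select-Object FileId, BytesFromPeers, BytesFromHttp, DownloadMode
```

BytesFromPeers staying at zero across a whole subnet usually means the firewall is blocking TCP 7680 between clients, not that the policy failed to apply.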
WUfB with Azure Compliance so far. With thousands upon thousands upon thousands of machines, the Windows Update Compliance solution and adjacent Log Analytics workspace in Azure haven't cost me a red cent. Right now, I am taking the Microsoft-built Update Compliance enrollment script and turning it into a bunch of CIs with remediation in SCCM.
Jan 19, 2021 19:20

We switched from SCCM to Intune (MEM) and WSUS to WUfB over the past 6 months. It's been good. Was quite an involved process and there have been some learning moments, but it's really nice to be on something modern. Still sucks we are stuck with Azure AD Hybrid, but that's not going anywhere anytime soon.

I'm glad our engineering team got together and decided to do it, because management surprised us with a large laptop rollout and we're able to do it with Autopilot instead of SCCM imaging. Lets us do neat things like just put a label on a laptop box and ship it, instead of spending hours getting each one ready.

We also switched to split-tunnel VPN, Defender web filtering, TeamViewer for remote support, from Skype for Business to Teams, and a bunch of other modernizations. I'm hoping we switch to Teams PBX here shortly. The work from home transition has been good to us, as stressful as it has been at times. Hell, we're even using Planner for our engineering team and doing daily standups. It's not perfect but our poo poo was awful and non-existent before.
Jan 19, 2021 19:21

Dumb question, I haven't done much with managing workstations in years. In 2020, is there anything built into Windows that prevents users exfiltrating data with Bluetooth, or do I have to completely disable the service? Or how is everyone else handling this issue, or do I have to spend $$$ for some fancy utility? Life without Bluetooth is insane.
Jan 20, 2021 16:34

O365 DLP for Endpoints is getting rolled out, and I'm phone posting, but pretty sure it can do that. You need M365 licenses and the machine has to be on 20H2, AND it's still in preview.
Jan 20, 2021 16:53

Yeah, I'd treat it more like a DLP problem and less like a Bluetooth problem.
Jan 20, 2021 17:24

Right now, our solution has been to completely disable Bluetooth across the company. What's awesome is that our new work-from-home policy basically states that if you need a different keyboard, mouse or headset, just buy whatever model you like that's less than $100 and expense it. The problem is that nearly everything sold in stores is Bluetooth and doesn't include a dongle.
Jan 20, 2021 19:26

If you want to lock endpoints down and have approved USB device classes that can be connected to PCs, then you are by extension signing up to provide the keyboards / mice to people from a list of models that you've approved. At least do that until you have managed to deploy a DLP solution.
Jan 20, 2021 19:36

Is there a way to enforce specific devices to only allow Bluetooth?
Jan 20, 2021 19:42

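A middle ground between "disable Bluetooth entirely" and "buy everyone approved dongles", as an added PowerShell example that is not from the thread: restrict which Bluetooth profiles Windows will pair (the MDM policy Bluetooth/ServicesAllowedList, OMA-URI ./Device/Vendor/MSFT/Policy/Config/Bluetooth/ServicesAllowedList) so keyboards, mice and headsets work but the file-transfer profiles do not, and block storage-class USB devices with Device Installation Restrictions. The profile numbers are the Bluetooth SIG assignments and the class GUIDs are Windows' standard setup classes; which ones to allow or deny is an assumption. This is a guard, not DLP: HID and audio profiles still carry data, which is why the thread's "treat it as a DLP problem" advice stands.

```powershell
# Added example, not from the thread. Part 1 builds the ServicesAllowedList
# value for Intune; part 2 denies storage device classes locally via the
# Device Installation Restrictions policy keys. Choice of profiles/classes is
# an assumption. Run elevated for part 2.

# --- Part 1: Bluetooth profiles to allow ------------------------------------
# A 16-bit profile id slots into the first 32 bits of the Bluetooth base UUID
$base = '0000{0:x4}-0000-1000-8000-00805f9b34fb'
$allowedProfiles = [ordered]@{
    HID          = 0x1124   # keyboards, mice
    Headset      = 0x1108
    HandsFree    = 0x111E
    A2DP_Sink    = 0x110B   # audio out to headphones
    AVRCP_Target = 0x110C   # play/pause buttons
}
$servicesAllowedList = ($allowedProfiles.Values | ForEach-Object { '{' + ($base -f $_) + '}' }) -join ';'
"Bluetooth/ServicesAllowedList = $servicesAllowedList"
# Everything not listed (OBEX object push, serial port, PAN ...) is refused,
# and those are the profiles file transfer and tethering run over.

# --- Part 2: deny storage-class USB devices ---------------------------------
$di = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path "$di\DenyDeviceClasses" -Force | Out-Null
$denyClasses = @(
    '{4d36e967-e325-11ce-bfc1-08002be10318}'   # DiskDrive: USB sticks, external disks
    '{eec5ad98-8080-4dd2-a8b2-26d05d6a6d7f}'   # WPD: phones and cameras in MTP/PTP mode
    '{6bdd1fc6-810f-11d0-bec7-08002be2092f}'   # Image: scanners and still-image cameras
)
$i = 1
foreach ($class in $denyClasses) {
    Set-ItemProperty -Path "$di\DenyDeviceClasses" -Name ([string]$i) -Value $class
    $i++
}
Set-ItemProperty -Path $di -Name DenyDeviceClasses            -Value 1 -Type DWord
Set-ItemProperty -Path $di -Name DenyDeviceClassesRetroactive -Value 1 -Type DWord   # also stop matching devices already installed

# Keyboard, mouse, HID and audio classes are untouched, so dongles and wired
# peripherals keep working. Show what storage is attached right now for a before/after
Get-PnpDevice -Class DiskDrive, WPD -PresentOnly -ErrorAction SilentlyContinue |
    Select-Object Class, FriendlyName, Status
```

Deny-listing the few classes that move files is far less painful than allow-listing, because "prevent installation of devices not described by other policy settings" also blocks system devices, monitors and docking hardware unless every one of their classes is enumerated.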
Is there a good way to rotate wallpapers on domain computers? Basically there's a couple wallpapers we rotate through to communicate with the minions: "Look out for covid! Remember to wash your hands!", "Don't click on scary emails! Phishing is bad!", "Don't take any orders over the phone, verbal orders are not allowed!", etc.

Right now we have some clunky VBScript that changes it based on what's on some file server. Then it's linked into BGInfo or something. Anyway, it's dumb and they're probably going to want to keep BGInfo in it, and it's not like Microsoft added it as some new feature, so nevermind.

Edit: What we use now....

ForceWallpaper.VBS

    Dim WinScriptHost
    Set WinScriptHost = CreateObject("WScript.Shell")
    WinScriptHost.Run Chr(34) & "\\fs02\data\_GPO_Data\Wallpapers\bginfo.cmd" & Chr(34), 0
    Set WinScriptHost = Nothing

bginfo.cmd

    \\fs02\data\_GPO_Data\Wallpapers\bginfo.exe \\fs02\data\_GPO_Data\Wallpapers\bginfo.bgi /Timer:0 /NoLicPrompt
Feb 3, 2021 20:55

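A PowerShell replacement for the ForceWallpaper.vbs / bginfo.cmd pair above, added here and not from the thread. Beyond rotating through the images it checks who can write to the share, because a logon script that launches bginfo.exe from \\fs02\data\_GPO_Data\Wallpapers turns write access on that folder into code execution on every domain machine. The share path is the one in the post; the per-user state file and the ACL check are assumptions.

```powershell
# Added example, not from the thread: rotate wallpapers from the share at logon
# and flag principals who can modify the share. Paths from the post; state file
# location and the ACL check are assumptions. Runs as the logging-on user.
$share = '\\fs02\data\_GPO_Data\Wallpapers'
$state = Join-Path $env:LOCALAPPDATA 'wallpaper-index.txt'

$images = Get-ChildItem -Path $share -Filter *.jpg -File | Sort-Object Name
if (-not $images) { return }

# Anyone who can write here can replace bginfo.exe or bginfo.cmd and have it run
# on every workstation at next logon; only admin/system principals should show up.
$writers = (Get-Acl -Path $share).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object -ExpandProperty IdentityReference -Unique
"Principals with write access to ${share}: $($writers -join ', ')"

# Pick the next image in sequence for this user and remember where we are
$idx = 0
if (Test-Path $state) { [int]::TryParse((Get-Content -Path $state -Raw).Trim(), [ref]$idx) | Out-Null }
$next = $images[$idx % $images.Count]
Set-Content -Path $state -Value (($idx + 1) % $images.Count)

# SystemParametersInfo(SPI_SETDESKWALLPAPER) applies the change immediately and
# writes it to the user profile, so it survives logoff without a VBS shim.
Add-Type -TypeDefinition @"
using System.Runtime.InteropServices;
public static class Wallpaper {
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, string pvParam, uint fWinIni);
}
"@
$SPI_SETDESKWALLPAPER = 0x0014
$SPIF_UPDATEINIFILE   = 0x01
$SPIF_SENDCHANGE      = 0x02
$ok = [Wallpaper]::SystemParametersInfo($SPI_SETDESKWALLPAPER, 0, $next.FullName, $SPIF_UPDATEINIFILE -bor $SPIF_SENDCHANGE)
"Set wallpaper to $($next.Name): $ok"
```

If a Group Policy "Desktop Wallpaper" setting is also in force it wins over this call at the next policy refresh, which is the behaviour the BGInfo reply below describes; rotate by script or enforce by policy, not both.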
Deploy a theme with a slideshow folder
Feb 3, 2021 20:56

Bob Morales posted:
Is there a good way to rotate wallpapers on domain computers?

I don't have a solution for you, but since you're using BGInfo: do you notice an issue where it jacks up the display when people dock/undock? Also, for me at least, I noticed if I had a group policy that forced the wallpaper, BGInfo didn't work, so I removed that policy and used the BGInfo template to set the wallpaper. Are you doing something different?

And, to why I really came to post: I had a question about GPO troubleshooting. I am seeing this weird issue for machines that have the 20H2 build. Basically, for the most part, 80% of the time gpupdate does not work. It just hangs on applying computer policy. I've checked for permissions on the policies (they all are fine). I've enabled the logging that requires you to modify the registry, and from what I can see it's actually completing all of the computer policies and then I see some 'dirty bits' for the CSEs, but then it never begins the user policies. I'm a bit at a loss here. I'd be grateful for any suggestions, but I really don't think it's a SYSVOL\Share issue.
Feb 21, 2021 09:38

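One way to find which client-side extension a hung gpupdate is sitting in, as an added PowerShell example that is not from the thread. The Group Policy operational log records event 4016 when a CSE starts and 5016 (or 7016 on error) when it finishes, correlated by ActivityId, so a 4016 with no matching completion is the extension still running when the computer pass stalls. The two-hour window is an assumption; the event IDs and message shapes are those of the Microsoft-Windows-GroupPolicy/Operational log.

```powershell
# Added example, not from the thread: pair CSE start/finish events from the
# Group Policy operational log to show the slowest extensions and any that never
# completed. Run elevated on the affected machine. Lookback window is an assumption.
$log   = 'Microsoft-Windows-GroupPolicy/Operational'
$since = (Get-Date).AddHours(-2)

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$open = @{}                                                       # "activityId|CSE" -> start event
$done = New-Object 'System.Collections.Generic.List[object]'

foreach ($e in $events) {
    switch ($e.Id) {
        4016 {   # "Starting <CSE> Extension Processing. ..."
            if ($e.Message -match 'Starting (.+?) Extension Processing') {
                $open["$($e.ActivityId)|$($Matches[1])"] = $e
            }
        }
        5016 {   # "Completed <CSE> Extension Processing in <n> milliseconds."
            if ($e.Message -match 'Completed (.+?) Extension Processing in (\d+) milliseconds') {
                $open.Remove("$($e.ActivityId)|$($Matches[1])")
                $done.Add([pscustomobject]@{ Time = $e.TimeCreated; CSE = $Matches[1]; Ms = [int]$Matches[2]; Result = 'ok' })
            }
        }
        7016 {   # CSE finished with an error; first line of the message names it and the error code
            $open.Keys | Where-Object { $_ -like "$($e.ActivityId)|*" } | ForEach-Object { $open.Remove($_) }
            $done.Add([pscustomobject]@{ Time = $e.TimeCreated; CSE = ($e.Message -split "`r?`n")[0]; Ms = -1; Result = 'error' })
        }
    }
}

'Slowest or failed CSE runs:'
$done | Sort-Object Ms -Descending | Select-Object -First 8 | Format-Table Time, CSE, Ms, Result -AutoSize

'CSEs that started and never reported completion (still running, or the session was abandoned):'
$open.Values | Select-Object TimeCreated, ActivityId,
    @{ n = 'CSE'; e = { $_.Message -replace '(?s)^Starting (.+?) Extension Processing.*', '$1' } }
```

An extension that starts and never finishes points at what it waits on, typically a script or preference CSE stuck on a network share or a printer connection, rather than at SYSVOL permissions; those fail fast with a 7016 and an access-denied code instead of hanging.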
I saw something like that on a 20H2 system I set up the other day, but didn't have time to look at the cause. Did you make sure your ADMX/ADML files are updated for 20H2?
Feb 24, 2021 00:51

Outdated GPOs would merely create registry values that are written correctly but that the system doesn't necessarily use anymore. Something else is going on.
Feb 24, 2021 04:20

So we are migrating about 1k assets from one domain to another, much larger domain, and we need to keep the first domain running till the migration is complete. Our networking team created new VLANs and we set up some DNS pointing to the new domain. We joined a freshly imaged machine to the new domain. The machines from one domain can ping the machines from the other domain while they are in our network, so we figured we'd try to switch the domain on an established test asset. Well, after switching the DNS on the old asset, creating the object on the new domain and using our new admin credentials, the machine did successfully join the domain. Or so we thought; after the restart they fail to get an IP. Even after adding the machines to the MAB to bypass the RADIUS they will not get an IP. We know it's authentication related, but why wouldn't adding them to the MAB work in this case?
Feb 27, 2021 01:05

Probably dumb question: a quick Google search says MAB operates at layer 2, and seems to affect layers 2-3/4 in some capacity (depending on what they mean by port). If it's an authentication issue, wouldn't that be a completely separate issue at the application level?
Feb 27, 2021 01:17