The Fool
Oct 16, 2003


Thanks Ants posted:

I'm getting into a bit of a rabbit hole with Windows Hello for Business in a hybrid deployment (Azure AD joined clients managed with Intune, on-prem resources joined to AD), and the whole "have a PKI infrastructure" step is not just a simple task on the route to implementing this.

The most recent MS documentation that covers this is from 2016 (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786436(v=ws.11)). It at least mentions Server 2016 but I'd be interested in anything more up-to-date if that exists. Or a good third-party post that covers it if there's nothing from MS on the topic - a lot of the stuff I can find says "this is a lab so we'll just pick these settings" but I'd like to understand what those settings are.

From what I can tell, the offline CA seems to be the way to go, and our AD environment lives in Azure so having a 2019 box powered down isn't really a problem, but if there's any way to shift those responsibilities into an Azure service then I'd be up for that.

One of the hurdles I faced was that even in Server 2019 the CA was issuing SHA-1 certs by default, so you will probably want to change that.

otherwise

i am a moron posted:

Hah, interesting. I didn't know this required PKI. For what it's worth, getting the certs onto devices via the connector with InTune isn't too bad.


There is no service that will replace what the AD Cert servers will do at this point (that I know of). It would be nice if there was.

You can power the Offline CA down, I usually just delete the entire thing. I'm never around long enough to need it again.

I've done this 3-4 times in the past couple of years. In my experience, every article written about deploying this stuff is wrong to some degree. This one is at the top of my google results and looks generally correct:

https://stealthpuppy.com/deploy-enterprise-subordinate-certificate-authority/

edit: I also disable CRL checking and issue the root cert for, like, 20 years. When you do this it would not be advisable to actually use the CA you set up for anything unless you are pretty sure it's for something stupid, like getting SCCM to work with HTTPS because you deployed a CMG on some unsuspecting assholes using HTTP in TYOOL 2020.

Don't do most of these things, but do extend your CRL expiration and your root CA.
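A PowerShell audit, added here and not from either post, of the three things called out above: the SHA-1 signing default, the CRL lifetime, and the root/issued certificate validity period. It reads the standard CertSvc registry configuration on the CA server (the default registry layout is assumed; no CA name is hard-coded) and prints the certutil remediation rather than running it, keeping revocation checking enabled.

```powershell
# Added example (not from the thread): audit an AD CS CA for the SHA-1 signing
# default and for short CRL / certificate validity periods. Run elevated on the
# CA server. Assumes the standard CertSvc registry layout; the CA name is read
# from the 'Active' value rather than hard-coded.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey     = Join-Path $configKey $caName
$ca        = Get-ItemProperty -Path $caKey
$csp       = Get-ItemProperty -Path (Join-Path $caKey 'CSP')

# A KSP-backed CA (the 2016/2019 default) names its hash in CNGHashAlgorithm;
# a legacy CSP CA stores an ALG_ID in HashAlgorithm, where 0x8004 is CALG_SHA1.
$hash = if ($csp.PSObject.Properties['CNGHashAlgorithm']) {
    $csp.CNGHashAlgorithm
} else {
    '0x{0:X}' -f $csp.HashAlgorithm
}

# Normalise a CA period (Hours/Days/Weeks/Months/Years plus a count) to days.
function ConvertTo-Days([string]$Unit, [int]$Count) {
    switch ($Unit) {
        'Hours'  { [math]::Round($Count / 24, 2) }
        'Days'   { $Count }
        'Weeks'  { $Count * 7 }
        'Months' { $Count * 30 }
        'Years'  { $Count * 365 }
        default  { $Count }
    }
}
$crlDays   = ConvertTo-Days $ca.CRLPeriod      $ca.CRLPeriodUnits
$validDays = ConvertTo-Days $ca.ValidityPeriod $ca.ValidityPeriodUnits

[pscustomobject]@{
    CA                    = $caName
    SigningHash           = $hash
    CRLLifetime           = "$($ca.CRLPeriodUnits) $($ca.CRLPeriod) (~$crlDays days)"
    MaxIssuedCertValidity = "$($ca.ValidityPeriodUnits) $($ca.ValidityPeriod) (~$validDays days)"
} | Format-List

# Threshold is an assumption for an offline root that is powered down most of
# the time: a CRL that expires weekly forces a boot every week just to re-sign
# it. Extending the CRL lifetime keeps revocation checking working, unlike
# switching it off.
$minCrlDays = 180
$fixes = @()
if ($hash -eq 'SHA1' -or $hash -eq '0x8004') {
    $fixes += 'certutil -setreg ca\csp\CNGHashAlgorithm SHA256'
}
if ($crlDays -lt $minCrlDays) {
    $fixes += 'certutil -setreg ca\CRLPeriod "Months"'
    $fixes += 'certutil -setreg ca\CRLPeriodUnits 6'
    $fixes += 'certutil -crl'   # publish a fresh CRL with the new lifetime
}
if ($fixes.Count -gt 0) {
    Write-Warning "Suggested changes for CA '$caName' (CertSvc restart required):"
    ($fixes + 'net stop certsvc', 'net start certsvc') | ForEach-Object { "  $_" }
}
```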


i am a moron
Nov 12, 2020

"I think if there’s one thing we can all agree on it’s that Penn State and Michigan both suck and are garbage and it’s hilarious Michigan fans are freaking out thinking this is their natty window when they can’t even beat a B12 team in the playoffs lmao"
In my galaxy brain, since I delete the offline root forever I've also protected myself from anyone taking my single-use client/server certificates for SCCM to use HTTPS and using it for anything else and then blaming me. So it isn't setting up a PKI as much as it is satisfying a requirement to get something I loathe to work.

Thanks Ants
May 21, 2004

#essereFerrari


I'm going to spam everybody that mentions Azure in their profile on Twitter until we get a managed PKI infrastructure that can run there. But in the meantime I'll have a look through those documents and take it slowly.

lol internet.
Sep 4, 2007
the internet makes you stupid
Question about reverse lookup dns records.

If you have a server that has a static IP with no DHCP scope, since the whole subnet is static servers, should doing ipconfig /registerdns register the reverse DNS record?

The option on the nic is enabled to register the dns and the forward lookup is registered but I don't see the reverse record.

Thanks Ants
May 21, 2004

#essereFerrari


Do you have a zone for the subnet?

lol internet.
Sep 4, 2007
the internet makes you stupid
A reverse lookup zone yes

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

Thanks Ants posted:

I'm getting into a bit of a rabbit hole with Windows Hello for Business in a hybrid deployment (Azure AD joined clients managed with Intune, on-prem resources joined to AD), and the whole "have a PKI infrastructure" step is not just a simple task on the route to implementing this.

The most recent MS documentation that covers this is from 2016 (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786436(v=ws.11)). It at least mentions Server 2016 but I'd be interested in anything more up-to-date if that exists. Or a good third-party post that covers it if there's nothing from MS on the topic - a lot of the stuff I can find says "this is a lab so we'll just pick these settings" but I'd like to understand what those settings are.

From what I can tell, the offline CA seems to be the way to go, and our AD environment lives in Azure so having a 2019 box powered down isn't really a problem, but if there's any way to shift those responsibilities into an Azure service then I'd be up for that.

I've only implemented it once and it was in a lab environment, but this video got me most of the way there https://www.youtube.com/watch?v=GfYOyFMc8vA

One thing I noticed, at least for non-Azure AD, is that if your AD UPN doesn't match your O365 UPN then Hello for Business won't work. I normally use the mail attribute for the O365 UPN. It took me way too long to figure that out.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


snackcakes posted:

One thing I noticed, at least for non-Azure AD, is that if your AD UPN doesn't match your O365 UPN then Hello for Business won't work. I normally use the mail attribute for the O365 UPN. It took me way too long to figure that out.

This is a really, really, really old limitation, and it is supported now. That sounds like something more to do with ADFS claims rules?

Thanks Ants
May 21, 2004

#essereFerrari


Thanks, I'll look at that video.

I added our email domain as a UPN suffix a while ago, everybody has been logging in locally with their email address for a long time now.

ptier
Jul 2, 2007

Back off man, I'm a scientist.
Pillbug
I have a fun Windows / Sharepoint 2013 (LOL) question.

We ran Windows Updates on one of our test front-ends and an indexer last night to start getting things up to snuff. Getting this error on the main app on the front end we were updating:



SQL server is still "unpatched" from this point of view. The front-end is erroring out I *think* on the DB connection:






WFE (does not work):
- Server 2012 R2
- Most recent updates applied
- .Net Version 4.8.03761

WFE (didn't update, does work):
- Server 2012 R2
- Patches have been a while
- .Net Version 4.6.01055

Index (updated, works):
- Server 2012 R2
- Most recent updates applied
- .Net Version 4.8.03761

SQL (works):
- Server 2012 R2
- Patches have been a while
- .Net Version 4.6.01055


I'm trying to figure out what exactly might be the issue here. I can tell it's something with the SQL conversation but can't quite nail down what the exact issue is.

Things I have tried:

- Editing the configuration string to connect with TrustedConnection=Yes
- Editing the configuration string to connect with TransparentNetworkIPResolution=False
- https://docs.microsoft.com/en-us/ar...orkipresolution
- Checked all the protocols in the registry
- Both front ends are the same, nothing changed there; TLS is still enabled, SSLv3 and below disabled.

Questions:
1. Any ideas of things I should try? Rabbit holes to go down?
2. Is there a process to get the Sharepoint Foundation app to try and connect to the DBs again without rebooting the server? I want to try doing some packet captures and compare with the working server and this is the bare metal install (I know).
3. Should I just restore my latest backup to VMWare and slow patch this POS?

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Can you connect to the SQL server using SQL Management Studio?

Somewhere along the lines you have some TLS/SSL option wrong.

ptier
Jul 2, 2007

Back off man, I'm a scientist.
Pillbug

Bob Morales posted:

Can you connect to the SQL server using SQL Management Studio?

Somewhere along the lines you have some TLS/SSL option wrong.

Yep, I can connect no problem, and the other servers can too. An update could have blown up the registry protocols. I'll take a look.

ptier fucked around with this message at 21:03 on Dec 15, 2020

ptier
Jul 2, 2007

Back off man, I'm a scientist.
Pillbug

ptier posted:

Yep, I can connect no problem, and the other servers can too. An update could have blown up the registry protocols. I'll take a look.

I looked; the registry says they have the same settings, lowest is TLS 1.0. So no SSLv3 shenanigans. Probably just going to restore to VM and play with it, because really they need to go to VM anyway.

lol internet.
Sep 4, 2007
the internet makes you stupid
Exchange Online environment. Question about the Outlook junk filter. Is this controlled separately from Exchange Online? Does putting a whitelist on Exchange Online bypass the local junk filter in Outlook? Basically, items are being put into the junk folder which aren't actually junk (email alerts). I know you could whitelist it on the client, but it's going into a lot of people's junk folders. I assume this is a separate client-side feature not controlled from the Exchange Online portal.

ptier
Jul 2, 2007

Back off man, I'm a scientist.
Pillbug

lol internet. posted:

Exchange Online environment. Question about the Outlook junk filter. Is this controlled separately from Exchange Online? Does putting a whitelist on Exchange Online bypass the local junk filter in Outlook? Basically, items are being put into the junk folder which aren't actually junk (email alerts). I know you could whitelist it on the client, but it's going into a lot of people's junk folders. I assume this is a separate client-side feature not controlled from the Exchange Online portal.

They are separate, but in the rules for Exchange Online you can set the from address or other identifying info to set the spam level to bypass. That should cause local Outlook to not cover it as junk. One of the things the local junk filter looks at is the SCL (spam confidence level). If Exchange Online says it's clean, usually that's enough. We recently migrated to O365 and had a number of emails like that from local systems that had to bypass the filter.

ptier fucked around with this message at 12:54 on Jan 6, 2021
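As an added example, not from the post, the mail flow rule described above written out with the ExchangeOnlineManagement cmdlets. The sender domain and source IP are constructed placeholders, and Connect-ExchangeOnline must have been run first.

```powershell
# Added example: an Exchange Online mail flow (transport) rule that marks mail
# from an internal alerting system as not spam (SCL -1), so it reaches the
# Inbox instead of Junk. Domain and IP below are placeholders, not real values.
$ruleName    = 'Bypass spam filtering for internal alerts'
$alertDomain = 'alerts.example.com'   # placeholder sender domain
$alertSource = '203.0.113.10'         # placeholder source IP (RFC 5737 test range)

# SCL -1 skips spam filtering entirely, so scope the rule on BOTH the sender
# domain and the sending IP: a domain-only match would also exempt anything
# that merely claims to be from that domain.
New-TransportRule -Name $ruleName `
    -SenderDomainIs $alertDomain `
    -SenderIpRanges $alertSource `
    -SetSCL -1 `
    -Comments 'Internal alert mail was landing in Junk; scoped by source IP'

# Confirm the rule is enabled and scoped as intended. A message that matched
# will carry the header X-MS-Exchange-Organization-SCL: -1.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, SenderDomainIs, SenderIpRanges, SetSCL
```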

George H.W. Cunt
Oct 6, 2010





Is there a program that can visually show a file tree of a drive? Looking to get a visualization of our file server to see the sprawl that’s been introduced and how we can wrangle it in.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

George H.W. oval office posted:

Is there a program that can visually show a file tree of a drive? Looking to get a visualization of our file server to see the sprawl that’s been introduced and how we can wrangle it in.

Quite a few; I like TreeSize Free.

Thanks Ants
May 21, 2004

#essereFerrari


Can Azure Monitor still take SNMP data from agents? The only MS documentation I can find is ancient (https://docs.microsoft.com/en-gb/archive/blogs/msoms/collecting-snmp-data-with-operations-management-suite) and still calls it OMS, so I'm not that hopeful.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

George H.W. oval office posted:

Is there a program that can visually show a file tree of a drive? Looking to get a visualization of our file server to see the sprawl that’s been introduced and how we can wrangle it in.

I like SpaceSniffer. WinDirStat is also solid.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

What are people who are still using WSUS doing for computers that aren't going to be back in the building any time soon?

Buddy emailed me and his company turned WSUS off...because they didn't want 100 people pulling updates from home. And for some reason they didn't put their servers in their own group, so their servers also haven't updated since...early last summer? He just got hired and one of his duties is managing updates.

Internet Explorer
Jun 1, 2005





Windows Update for Business

https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb

The Fool
Oct 16, 2003



It’s this.

Also, use this as an opportunity to get used to ring based deployments, because I don’t think that concept is going anywhere anytime soon.

Potato Salad
Oct 23, 2014

nobody cares


phased deployment, but we put a ring on it

Potato Salad
Oct 23, 2014

nobody cares


am I missing a core philosophical concept when I think of ring deployment as phased deployment with different words?

stevewm
May 10, 2005
We switched to using WUfB company-wide some time ago. Ditched the pile that was WSUS. I use PDQ Inventory to keep an eye on things (i.e. make sure updates are being installed, feature updates are being applied when I allow them, etc.).

We also have Delivery Optimization configured to operate P2P on the local subnet only. It works really well, actually. 1-2 machines in a given location will download the updates, and then all the machines on that subnet will pull their updates from those machines. Keeps them all from pulling giant updates directly from MS at once.

WFH machines will still pull their updates directly from MS, based on the WUfB deferral settings.
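An added check, not the poster's, for the setup described above: confirm the Delivery Optimization policy on a client is LAN-only peering (mode 1) and see how much of its downloads actually came from peers rather than straight from Microsoft. It uses the built-in DeliveryOptimization cmdlets and the standard policy registry key; the "expected mode" warning assumes the subnet-only P2P configuration described.

```powershell
# Added example: verify Delivery Optimization LAN peering on a client.
# Uses the built-in DeliveryOptimization module (Windows 10 1709+) and the
# standard GPO/Intune policy key. Mode names are from the DODownloadMode policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$modeNames = @{ 0 = 'HTTP only'; 1 = 'LAN peers only'; 2 = 'Group';
                3 = 'Internet peers'; 99 = 'Simple (no peering)'; 100 = 'Bypass' }

$policy = Get-ItemProperty -Path $policyKey -Name DODownloadMode -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Warning 'No DODownloadMode policy set; the client is using the default.'
} else {
    $mode = [int]$policy.DODownloadMode
    "Policy download mode: $mode ($($modeNames[$mode]))"
    if ($mode -ne 1) {
        Write-Warning 'Expected mode 1 (LAN peers only) for subnet-scoped P2P.'
    }
}

# Per-file status: comparing BytesFromPeers with BytesFromHttp shows whether
# peering is really happening or everything is still coming from Microsoft.
$files = Get-DeliveryOptimizationStatus
if (-not $files) {
    'No Delivery Optimization downloads recorded on this client yet.'
    return
}
$peers = ($files | Measure-Object -Property BytesFromPeers -Sum).Sum
$http  = ($files | Measure-Object -Property BytesFromHttp  -Sum).Sum
$total = $peers + $http
[pscustomobject]@{
    Files          = @($files).Count
    BytesFromPeers = $peers
    BytesFromHttp  = $http
    PeerPercent    = if ($total) { [math]::Round(100 * $peers / $total, 1) } else { 0 }
} | Format-List
```

A site where only the first one or two machines show a high BytesFromHttp share and the rest show mostly BytesFromPeers is behaving as the post describes.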

Potato Salad
Oct 23, 2014

nobody cares


WU4B with Azure Compliance

so far, with thousands upon thousands upon thousands of machines, the windows update compliance solution and adjacent log workspace in Azure haven't cost me a red cent

Right now, I am taking the Microsoft-built update compliance enrollment script and turning it into a bunch of CIs with remediation in SCCM

Internet Explorer
Jun 1, 2005





We switched from SCCM to Intune (MEM) and WSUS to WuFB over the past 6 months. It's been good. Was quite an involved process and there have been some learning moments, but it's really nice to be on something modern. Still sucks we are stuck with Azure AD Hybrid, but that's not going anywhere anytime soon. I'm glad our engineering team got together and decided to do it, because management surprised us with a large laptop rollout and we're able to do it with Autopilot instead of SCCM imaging. Lets us do neat things like just put a label on a laptop box and ship it, instead of spending hours getting each one ready.

We also switched to split-tunnel VPN, Defender web filtering, TeamViewer for remote support, from Skype for Business to Teams, and a bunch of other modernizations. I'm hoping we switch to Teams PBX here shortly. The work from home transition has been good to us, as stressful as it has been at times. Hell, we're even using Planner for our engineering team and doing daily standups. It's not perfect but our poo poo was awful and non-existent before.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Dumb question,

I haven't done much with managing workstations in years. In 2020 is there anything built into Windows that prevents users from exfiltrating data with Bluetooth, or do I have to completely disable the service?

Or how is everyone else handling this issue or do I have to spend $$$ for some fancy utility? Life without bluetooth is insane.

i am a moron
Nov 12, 2020

"I think if there’s one thing we can all agree on it’s that Penn State and Michigan both suck and are garbage and it’s hilarious Michigan fans are freaking out thinking this is their natty window when they can’t even beat a B12 team in the playoffs lmao"
O365 DLP for Endpoints is getting rolled out and I’m phone posting but pretty sure it can do that. You need M365 licenses and the machine has to be on 20H2 AND it’s still in preview.

Internet Explorer
Jun 1, 2005





Yeah, I'd treat it more like a DLP problem and less like a Bluetooth problem.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Right now, our solution has been to completely disable bluetooth across the company. What's awesome is that our new work from home policy basically states that if you need a different keyboard, mouse or headset just buy whatever model you like that's less than $100 and expense it.

The problem is that nearly everything sold in stores is bluetooth and doesn't include a dongle.

Thanks Ants
May 21, 2004

#essereFerrari


If you want to lock endpoints down and have approved USB device classes that can be connected to PCs then you are by extension signing up to provide the keyboards / mice to people from a list of models that you've approved.

At least do that until you have managed to deploy a DLP solution.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Is there a way to enforce specific devices to only allow Bluetooth?

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Is there a good way to rotate wallpapers on domain computers?

Basically there's a couple wallpapers we rotate through to communicate with the minions

"Look out for covid! Remember to wash your hands!"

"Don't click on scary emails! Phishing is bad!"

"Don't take any orders of the phone, verbal orders are not allowed!"

etc

Right now we have some clunky VBscript that changes it based on what's on some file server

Then it's linked into bginfo or something

anyway it's dumb and they're probably going to want to keep bginfo in it and it's not like microsoft added it as some new feature so nevermind

Edit: What we use now....

ForceWallpaper.VBS

' Launch the BGInfo batch file hidden (window style 0) so users see no console flash
Dim WinScriptHost
Set WinScriptHost = CreateObject("WScript.Shell")
' Chr(34) wraps the UNC path in double quotes; 0 = hidden window, don't wait for exit
WinScriptHost.Run Chr(34) & "\\fs02\data\_GPO_Data\Wallpapers\bginfo.cmd" & Chr(34), 0
Set WinScriptHost = Nothing

BGINFO.CMD

REM Apply the .bgi template to the wallpaper immediately (/Timer:0) and skip the EULA prompt
\\fs02\data\_GPO_Data\Wallpapers\bginfo.exe \\fs02\data\_GPO_Data\Wallpapers\bginfo.bgi /Timer:0 /NoLicPrompt

Bob Morales fucked around with this message at 21:01 on Feb 3, 2021

The Fool
Oct 16, 2003


Deploy a theme with a slideshow folder

lol internet.
Sep 4, 2007
the internet makes you stupid

Bob Morales posted:

Is there a good way to rotate wallpapers on domain computers?

Basically there's a couple wallpapers we rotate through to communicate with the minions

"Look out for covid! Remember to wash your hands!"

"Don't click on scary emails! Phishing is bad!"

"Don't take any orders of the phone, verbal orders are not allowed!"

etc

Right now we have some clunky VBscript that changes it based on what's on some file server

Then it's linked into bginfo or something

anyway it's dumb and they're probably going to want to keep bginfo in it and it's not like microsoft added it as some new feature so nevermind

Edit: What we use now....

ForceWallpaper.VBS

' Launch the BGInfo batch file hidden (window style 0) so users see no console flash
Dim WinScriptHost
Set WinScriptHost = CreateObject("WScript.Shell")
' Chr(34) wraps the UNC path in double quotes; 0 = hidden window, don't wait for exit
WinScriptHost.Run Chr(34) & "\\fs02\data\_GPO_Data\Wallpapers\bginfo.cmd" & Chr(34), 0
Set WinScriptHost = Nothing

BGINFO.CMD

REM Apply the .bgi template to the wallpaper immediately (/Timer:0) and skip the EULA prompt
\\fs02\data\_GPO_Data\Wallpapers\bginfo.exe \\fs02\data\_GPO_Data\Wallpapers\bginfo.bgi /Timer:0 /NoLicPrompt

I don't have a solution for you, but since you're using BGInfo: do you notice an issue where it jacks up the display when people dock/undock? Also, for me at least, I noticed that if I had a group policy that forced the wallpaper, BGInfo didn't work, so I removed that policy and used the BGInfo template to set the wallpaper. Are you doing something different?



And, to why I really came to post: I had a question about GPO troubleshooting.

I am seeing this weird issue for machines that have the 20H2 build. Basically, for the most part, 80% of the time gpupdate does not work. It just hangs on applying computer policy. I've checked the permissions on the policies (they are all fine). I've enabled the logging that requires you to modify the registry, and from what I can see it's actually completing all of the computer policies and then I see some 'dirty bits' for the CSEs, but then it never begins the user policies.

I'm a bit at a loss here. I'd be grateful for any suggestions, but I really don't think it's a SYSVOL\Share issue.

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!
I saw something like that on a 20H2 system I set up the other day, but didn't have time to look at the cause. Did you make sure your ADMX/ADML files are updated for 20H2?

Potato Salad
Oct 23, 2014

nobody cares


outdated gpos would merely create registry values that are written correctly but that the system doesn't necessarily use anymore

something else is going on

Cao Ni Ma
May 25, 2010



So we are migrating about 1k assets from one domain to another, much larger domain and we need to keep the first domain running till the migration is complete. Our networking team created new vlans and we set up some dns pointing to the new domain. We joined a freshly imaged machine to the new domain.

The machines from one domain can ping the machines from the other domain while they are in our network, so we figured we'd try to switch the domain on an established test asset. Well, after switching the DNS on the old asset, creating the object on the new domain and using our new admin credentials, the machine did successfully join the domain. Or so we thought: after the restart they fail to get an IP. Even after adding the machines to the MAB to bypass the RADIUS they will not get an IP. We know it's authentication related, but why wouldn't adding them to the MAB work in this case?


klosterdev
Oct 10, 2006

Na na na na na na na na Batman!
Probably dumb question: a quick Google search says MAB operates at layer 2, and seems to affect layers 2-3/4 in some capacity (depending on what they mean by port). If it's an authentication issue, wouldn't that be a completely separate issue at the application level?
