BaseballPCHiker
Jan 16, 2006



iajanus posted:

Hey, I'm not sure if this is the right place to post this but I'm not sure what to do. I've been thrown in the deep end with a small client who has an HP Windows Server 2012 box that he needs to be able to login to remotely. Every guide is confusing the gently caress out of me but I'm effectively being sent at gunpoint to do this so I'm hoping to find any advice what to do. It's a very basic operation so whatever the simplest solution is should be fine. Thanks heaps in advance for any help or advice where would be best to ask this.

The dumb, but easy, and just a bit safer option, is to allow RDP from the internet (lol) and use something like RDPGuard on the server.

Trust me, I did this for so many dumb cheap stupid podunk operations in my MSP days. Despite us trying to pitch a RD gateway server, in many cases adding a firewall or reverse proxy server, and 2-factor, no one at that scale ever wanted to grow and pay the money it'd require. But they would pay the $50 for RDPGuard software.

It's basically Fail2Ban for RDP servers. Have fun unblocking idiot sales people after they fat finger their passwords too many times trying to RDP in.
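What RDPGuard does can be approximated in a few lines, which also makes its limits easier to see. The following is an added example, not code from the thread or from RDPGuard: it counts failed RDP logons per source address over a short window and drops the offenders into a Windows Firewall block rule. It assumes it runs elevated on the server (say, as a scheduled task every few minutes), that failure auditing for logon events is enabled, and that the threshold, window and rule name are illustrative values you would tune.

```powershell
# Added example, not from the thread: a minimal Fail2Ban-style blocker for an
# internet-facing RDP listener, to show what RDPGuard is doing under the hood.
# Assumptions: run elevated as a scheduled task; 'Audit Logon' failure auditing
# is on; threshold / window / rule name are illustrative values.
$Threshold  = 5
$WindowMins = 10
$RuleName   = 'RDP brute-force auto-block'
$since      = (Get-Date).AddMinutes(-$WindowMins)

function Get-EventFields {
    # Flatten the EventData of an event record into a hashtable of Name => Value.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

$ips = @()

# Source 1: Security 4625 (failed logon). Logon type 10 = RemoteInteractive (classic
# RDP), type 3 = Network, which is how NLA pre-authentication failures are recorded.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.LogonType -in '3','10' -and $f.IpAddress -and $f.IpAddress -ne '-') { $ips += $f.IpAddress }
    }

# Source 2: RdpCoreTS event 140 ("connection from <IP> failed because the user name
# or password is not correct"). With NLA on, 4625 often carries '-' as the address
# and this log is where the real client IP shows up.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id=140; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { $f = Get-EventFields $_; if ($f.IPString) { $ips += $f.IPString } }

$offenders = $ips | Group-Object | Where-Object Count -ge $Threshold | ForEach-Object Name

# Merge with the addresses already in the block rule, then (re)write the rule.
$rule     = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
$existing = if ($rule) { ($rule | Get-NetFirewallAddressFilter).RemoteAddress | Where-Object { $_ -ne 'Any' } }
$blocked  = @(@($existing) + @($offenders) | Where-Object { $_ } | Sort-Object -Unique)

if ($blocked.Count -gt 0) {
    if ($rule) {
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $blocked
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort 3389 -RemoteAddress $blocked | Out-Null
    }
}
"Blocked addresses: $($blocked -join ', ')"
```

Run it a few times against a server whose RDP port is exposed and the rule fills up quickly. Two caveats a practitioner will hit: with NLA enabled the 4625 event often records the source as '-', which is why the RdpCoreTS 140 event is read as well; and the script only ever blocks, so expect to clear your own address out of the rule after someone fat-fingers a password, exactly the support burden the post describes.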


wolrah
May 8, 2006
what?


BaseballPCHiker posted:

The dumb, but easy, and just a bit safer option, is to allow RDP from the internet (lol) and use something like RDPGuard on the server.

Trust me, I did this for so many dumb cheap stupid podunk operations in my MSP days. Despite us trying to pitch a RD gateway server, in many cases adding a firewall or reverse proxy server, and 2-factor, no one at that scale ever wanted to grow and pay the money it'd require. But they would pay the $50 for RDPGuard software.

It's basically Fail2Ban for RDP servers. Have fun unblocking idiot sales people after they fat finger their passwords too many times trying to RDP in.
The problem with anything like RDPguard, Fail2Ban, etc is that while it's great against brute force attacks it doesn't do anything about any other kinds of attacks.

https://www.microsoft.com/security/blog/2019/11/07/the-new-cve-2019-0708-rdp-exploit-attacks-explained/ just to pick a recent example, it's far from the only one. Any exploits that work before authentication still work the same way.

That's not of course to say these things aren't good to use anyways, but I still would never expose a service to the open internet that doesn't absolutely need to be accessible to randoms.

I'd use basically any VPN, remote access tool, or something like Apache Guacamole before exposing RDP outside of trusted networks, and if I did end up having to do that I'd only open it up to the smallest number of IPs that I could get away with while still supporting the business needs.
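Two concrete steps that go with the point above, as an added example rather than anything from the thread: require Network Level Authentication so the server demands credentials before a session is created (Microsoft listed NLA as a mitigation for the CVE-2019-0708 path cited above, because the bug is reached before authentication), and scope the built-in Remote Desktop firewall rules to the handful of source addresses that actually need access. Assumptions: it runs elevated on the Server 2012 host, the 'Remote Desktop' firewall rule group exists with its default names, and 203.0.113.10 is a documentation-range placeholder for the client's real static IP or VPN egress address.

```powershell
# Added example, not from the thread. Assumptions: run elevated on the Server 2012
# box; the 'Remote Desktop' rule group is the default one; 203.0.113.10 is a
# placeholder (TEST-NET-3) for the client's real static IP / VPN egress address.
$AllowedSources = @('203.0.113.10')

# 1. Require Network Level Authentication. The client must authenticate (CredSSP)
#    before a session is created, so unauthenticated pre-auth attacks against the
#    session setup code never reach it. This is the UserAuthentication value that
#    the "Allow connections only from computers running Remote Desktop with NLA"
#    checkbox toggles.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# 2. Scope the built-in Remote Desktop rules to the allowlisted sources only, on all
#    profiles, so a profile mis-detection does not reopen the port to the world.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Enabled True -Profile Any -RemoteAddress $AllowedSources

# 3. Verify both settings.
$nla = (Get-ItemProperty -Path $rdpKey).UserAuthentication
"NLA required: $($nla -eq 1)"
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object @{n='Rule'; e={$_.InstanceID}}, RemoteAddress
```

NLA does not patch anything: the vulnerable code still exists, it is just no longer reachable by an unauthenticated client, so the update still needs applying. And if the remote user sits behind a dynamic IP, the allowlist breaks the moment it changes, which is the point at which a VPN or gateway stops being optional.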

BaseballPCHiker
Jan 16, 2006



wolrah posted:

The problem with anything like RDPguard, Fail2Ban, etc is that while it's great against brute force attacks it doesn't do anything about any other kinds of attacks.

https://www.microsoft.com/security/blog/2019/11/07/the-new-cve-2019-0708-rdp-exploit-attacks-explained/ just to pick a recent example, it's far from the only one. Any exploits that work before authentication still work the same way.

That's not of course to say these things aren't good to use anyways, but I still would never expose a service to the open internet that doesn't absolutely need to be accessible to randoms.

I'd use basically any VPN, remote access tool, or something like Apache Guacamole before exposing RDP outside of trusted networks, and if I did end up having to do that I'd only open it up to the smallest number of IPs that I could get away with while still supporting the business needs.

You aren't wrong. The lovely businesses running Server 2008 that are vulnerable to BlueKeep are the same ones who most desperately need to upgrade and make improvements, and the same ones that will be too cheap to do so.

I know for a fact that there were some clients I had in my crappy MSP days that are running their Small Business Server 08 still. Don't worry though, they installed Sophos AV on it after our idiot sales/owner figured out he could make a ton reselling that.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Azure AD Application Proxy is free and can be combined with Remote Desktop Gateway, it's where I'd start

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-integrate-with-remote-desktop-services

iajanus
Aug 17, 2004

#GOAT


Thanks for all the ideas, ended up muddling my way through and the customer's paid the invoice so all's well and I can get appropriately drunk for a Friday evening !

Potato Salad
Oct 23, 2014

Nobody Cares




iajanus posted:

Hey, I'm not sure if this is the right place to post this but I'm not sure what to do. I've been thrown in the deep end with a small client who has an HP Windows Server 2012 box that he needs to be able to login to remotely. Every guide is confusing the gently caress out of me but I'm effectively being sent at gunpoint to do this so I'm hoping to find any advice what to do. It's a very basic operation so whatever the simplest solution is should be fine. Thanks heaps in advance for any help or advice where would be best to ask this.

Yo, the simplest and fastest way to get this done is to use TeamViewer

for the love of God, make sure that every account that is used has a very strong password

Thanks Ants
May 21, 2004

Bless You Ants, Blants



We run a small AD deployment with Azure AD Connect to provision Azure AD accounts, all domain controllers are Server 2019 and the functional level (domain and forest) is 2016. We have maybe 10 desktop computers for admin staff to use that are managed through GPO, some VMs that are AD-joined and managed in the same way, but the bulk of our staff all have laptops that are Azure AD joined and managed with Intune or whatever it's called this week.

There aren't many on-prem services left, but there are enough that we can't go cloud only. For the few file shares that people still need to access, I would like them to be able to access them from their Azure AD devices without having to mess around. It seems like the best way to go is to follow this document

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base

I don't want to do any sort of hybrid domain join as I want our momentum to be away from any links to on-prem services, and every time it's come up previously in this forum people have said that hybrid join should be avoided where possible. I've not been keeping up with (Azure) AD developments but is it still worth following the linked guide, or is there better stuff coming shortly that takes a lot of pain out of the deployment? Assuming that going through with this setup is the right way to go, how are people handling the HTTP distribution point for the CRL? Our infrastructure is already in Azure so I was hoping I could just add a service endpoint for the web app service and have the app read straight out of the CRL file share or something, but I've not looked at it too closely.

lol internet.
Sep 4, 2007
the internet makes you stupid

kiwid posted:

Can someone recommend me a remote support/control software that isn't TeamViewer or ConnectWise?


We use Goverlan. As dumb as the name sounds, it's pretty good. You can search domain user, right click set focus, find what PC it's logged into. If you get the enterprise edition you can do scope actions which is mass actions. Remote installs blah blah.


BaseballPCHiker posted:

I am soon going to have even more thrown on my plate I think, by getting tasked to help move our org to Exchange Online. Right now we have nothing in the cloud, or any Azure uses besides an old install of ADSync on our DC.

I am primarily a networking person. I do have my AWS SA cert, so I am comfortable with cloud concepts as a whole. My point to my company is that I am not the person for this job. We should hire an outside firm to get us to Exchange Online and set up ADFS and then our normal/useless Exchange admin can run the day to day operations at that point. However with budget cuts I don't think that's going to happen.

So with all that said, how screwed am I?

My plan right now is to first sit down with management and all the other department heads and try to scope out what exactly they think this move is going to accomplish and what their end goal is. From there I can determine if ADFS, or Azure AD, or password hash sync is the way to go. Once that is set up we can discuss our Exchange plan. We have roughly 2000 users so it won't be done in a day, making me think that a hybrid deployment is the way to go.

This is going to be very frustrating but I am hoping I learn a lot from the process and can use my new found experience to make a jump for more money somewhere else down the line.

2000 mailboxes ain't bad; as soon as you have the connection and mail flow set up it's pretty straightforward: send a batch email telling users they're moving, blah blah. Go Azure AD with pass-through/modern authentication unless you need to go ADFS. I finally recently moved all our AD FS applications to Azure AD. Whoever you get externally will probably go that route anyways unless again you have a specific reason you need ADFS.

lol internet. fucked around with this message at 06:18 on Nov 11, 2020

iajanus
Aug 17, 2004

#GOAT


Potato Salad posted:

Yo, the simplest and fastest way to get this done is to use TeamViewer

for the love of God, make sure that every account that is used has a very strong password

They refused to pay for it :'(

Thanks Ants
May 21, 2004

Bless You Ants, Blants



lmao it's like £30/month, don't waste your time with those clowns

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



AnyDesk works in a pinch or if you just want to buy one license cheap

Potato Salad
Oct 23, 2014

Nobody Cares




iajanus posted:

They refused to pay for it :'(

small business owners are absolute fffffffff

Internet Explorer
Jun 1, 2005


Thanks Ants posted:

lmao it's like £30/month, don't waste your time with those clowns

This is something that a lot of MSPs need to learn the lesson of.

Bob Morales
Aug 18, 2006





Is there a way to disable ALL applications from preventing screen lock?

We have a GPO that locks the screen after 7 minutes on all computers. We also have a security station PC where they watch cameras....that disables the screen locking (just like any media player does).

The application for the security cameras doesn't have a 'disable screensaver' checkbox that I can uncheck, like a sane media player would.

Any ideas?

Dirt Road Junglist
Oct 8, 2010

There's a ghost in me
Who wants to say I'm sorry
Doesn't mean I'm sorry






Potato Salad posted:

small business owners are absolute fffffffff

"Why do I need a router and a server? I just put everything in a shared folder on one computer and they're connected with a dumb switch."
"Because you're making medical equipment and HIPAA regulations exist."
"Oh, we've never been hacked! I'm sure we'll be fine."

If you're an amputee, you may want to PM me about the security of your medical information.

BaseballPCHiker
Jan 16, 2006



Bob Morales posted:

Is there a way to disable ALL applications from preventing screen lock?

We have a GPO that locks the screen after 7 minutes on all computers. We also have a security station PC where they watch cameras....that disables the screen locking (just like any media player does).

The application for the security cameras doesn't have a 'disable screensaver' checkbox that I can uncheck, like a sane media player would.

Any ideas?

This is going to sound very dumb because it is. I had a similar scenario, a computer mounted in a fire truck. It HAD to get the GPO that set screen lockout times for us to pass an audit, despite it being in a fire truck that's parked in a fire station or out on a call at all times. But then the fire fighters would get pissed because one guy would have to sign in so that they could use their dispatch software to see where the hell they needed to go and what they were getting into.

The solution was a simple app called MoveMouse. It moved the mouse every 30 seconds or so. I'm not sure if it's still around or being developed anymore but it worked on older Win10 builds.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

BaseballPCHiker posted:

This is going to sound very dumb because it is. I had a similar scenario, a computer mounted in a fire truck. It HAD to get the GPO that set screen lockout times for us to pass an audit, despite it being in a fire truck that's parked in a fire station or out on a call at all times. But then the fire fighters would get pissed because one guy would have to sign in so that they could use their dispatch software to see where the hell they needed to go and what they were getting into.

The solution was a simple app called MoveMouse. It moved the mouse every 30 seconds or so. I'm not sure if it's still around or being developed anymore but it worked on older Win10 builds.

This?

https://www.microsoft.com/en-us/p/move-mouse/9nq4ql59xlbf?activetab=pivot:overviewtab

Sirotan
Oct 17, 2006

Sirotan is a seal.




Bob Morales posted:

Is there a way to disable ALL applications from preventing screen lock?

We have a GPO that locks the screen after 7 minutes on all computers. We also have a security station PC where they watch cameras....that disables the screen locking (just like any media player does).

The application for the security cameras doesn't have a 'disable screensaver' checkbox that I can uncheck, like a sane media player would.

Any ideas?

https://www.zhornsoftware.co.uk/caffeine/

Internet Explorer
Jun 1, 2005


I think you all may have been misreading. It sounds like there's an app that's stopping the screen from locking. Even the security station PC. Which is kind of odd, I don't know if I'd want to lock something that's solely used to watch cameras if there's no user interaction, but hey.

I'm not aware of what that could be. Applications themselves probably shouldn't be able to prevent screen lock unless they're emulating user interaction, like the apps listed above, but I can't say I've put much thought into it.

Bob Morales - have you tried contacting the vendor? I wouldn't be surprised if they had something hard coded because it cuts down on calls of "my computer went to sleep!"

Bob Morales
Aug 18, 2006





Internet Explorer posted:

I think you all may have been misreading. It sounds like there's an app that's stopping the screen from locking. Even the security station PC. Which is kind of odd, I don't know if I'd want to lock something that's solely used to watch cameras if there's no user interaction, but hey.

I'm not aware of what that could be. Applications themselves probably shouldn't be able to prevent screen lock unless they're emulating user interaction, like the apps listed above, but I can't say I've put much thought into it.

Bob Morales - have you tried contacting the vendor? I wouldn't be surprised if they had something hard coded because it cuts down on calls of "my computer went to sleep!"

Right, I want the opposite if what people have suggested.

I'm hoping they have a registry entry or something I can edit. It's Avigilon by the way.

This is basically a "window is always on top" problem
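Bob's problem is the reverse of the MoveMouse/Caffeine suggestions: an application is keeping the display awake, almost certainly by calling SetThreadExecutionState with ES_DISPLAY_REQUIRED, which is what media players do and what also suppresses the screen saver and the GPO lock that rides on it. Windows exposes both the diagnosis and the override through powercfg. The commands below are an added example, not from the thread or from Avigilon; the process name is a placeholder, so take the real one from the /requests output first.

```powershell
# Added example, not from the thread. Run elevated on the security station.
# 'AvigilonControlCenter.exe' is a placeholder: use the process name exactly as
# powercfg /requests prints it.
$App = 'AvigilonControlCenter.exe'

# 1. Who is holding the display awake? Processes that block the screen saver / lock
#    show up under the DISPLAY heading with the executable that made the request.
powercfg /requests

# 2. Tell the power manager to ignore that process's DISPLAY (and SYSTEM) requests.
#    The override is stored in the registry and persists across reboots.
powercfg /requestsoverride PROCESS $App DISPLAY SYSTEM

# 3. Confirm the override is registered and the request no longer appears, then
#    leave the station idle for the GPO timeout and check that it actually locks.
powercfg /requestsoverride
powercfg /requests

# To undo: powercfg /requestsoverride PROCESS $App
```

Whether the lock then fires depends on the application only using a power request; if it also synthesises input or the vendor has done something odder, powercfg /requests after the override will show nothing for the process and the vendor call Internet Explorer suggests is the next step.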

lol internet.
Sep 4, 2007
the internet makes you stupid

Question about LAPS. I assume the answer is yes but wanted to verify without testing on my own.

When you set permissions for the computer objects to update the password in the attribute field. Do those permissions trickle down in the OU? (ie. OU1 has a OU named OU2 in it. If I apply the permission to allow the PC to update the password attribute field on OU1, will OU2 get the inheritance?)

I ask this just because it's not actually in the guide, it just says apply the permission to whatever OU you stick computers in. I essentially want to just apply it to main root OUs ie. Departments which will have OUs underneath it both User and PC OUs instead of individually applying it to each OU.

iajanus
Aug 17, 2004

#GOAT


Thanks Ants posted:

lmao it's like £30/month, don't waste your time with those clowns

They're more than happy to pay me ~500 a month to come out a few times and do trivial stuff, while refusing to pay on a plan. They're loving morons but quite profitable.

devmd01
Mar 7, 2006

Elektronik
Supersonik


lol internet. posted:

When you set permissions for the computer objects to update the password in the attribute field. Do those permissions trickle down in the OU?

Yes. Since it's just setting AD permissions, inheritance follows to the child OUs automatically unless you have it disabled on an OU for some reason.
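To make the inheritance visible rather than assumed, here is an added example, not from the thread or from the LAPS documentation, that grants the self-write permission once at a top-level OU and then walks every child OU checking for the resulting access control entry. It assumes the LAPS AdmPwd.PS module and the RSAT ActiveDirectory module are installed, the schema has already been extended, and the OU distinguished name is a placeholder.

```powershell
# Added example, not from the thread. Assumptions: AdmPwd.PS (LAPS) and RSAT AD
# modules installed, schema already extended, $TopOU is a placeholder DN.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$TopOU = 'OU=Departments,DC=corp,DC=example'

# Grant computers (SELF) write on ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime at the
# top OU only. The ACE is written with inheritance to descendant computer objects,
# so child OUs pick it up without being touched individually.
Set-AdmPwdComputerSelfPermission -OrgUnit $TopOU | Out-Null

# Verify: the schema GUID of the password attribute identifies the ACE we expect.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pwdAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$pwdGuid  = [guid]$pwdAttr.schemaIDGUID

# Walk the top OU and every OU beneath it; an OU with inheritance blocked is the
# one case devmd01 mentions where the permission does not arrive.
Get-ADOrganizationalUnit -SearchBase $TopOU -SearchScope Subtree -Filter * | ForEach-Object {
    $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
        $_.ObjectType -eq $pwdGuid -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
    }
    [pscustomobject]@{
        OU                 = $_.DistinguishedName
        SelfCanWritePwd    = [bool]$ace
        Inherited          = [bool]($ace | Where-Object IsInherited)
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
} | Format-Table -AutoSize
```

Any row with SelfCanWritePwd false is a computer OU that will never write its password back, which in practice means the local administrator password there is still whatever it was before LAPS. InheritanceBlocked true on such a row tells you why.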

Toast Museum
Dec 3, 2005

30% Iron Chef


I've got a couple questions about Centralized Deployment for Office add-ins that seem pretty basic, but I don't have admin rights to go check for myself:

  1. Are all deployment methods available for all add-ins, or can an add-in developer restrict which methods can be used for a particular add-in? e.g. allowing fixed deployment but disallowing "available" or "optional."
  2. Is it possible to change the deployment method after an add-in has been deployed? e.g. switching from "fixed" to "optional." If so, how?

i am a moron
Nov 12, 2020

Gettin' woke about vaccines

Toast Museum posted:

I've got a couple questions about Centralized Deployment for Office add-ins that seem pretty basic, but I don't have admin rights to go check for myself:

  1. Are all deployment methods available for all add-ins, or can an add-in developer restrict which methods can be used for a particular add-in? e.g. allowing fixed deployment but disallowing "available" or "optional."

Yes. I have no idea what the mechanics are if you're developing your own, but certain add-ins do not allow you to select the deployment method at all. I haven't seen one that's, like, 2 out of 3.

Toast Museum posted:

  2. Is it possible to change the deployment method after an add-in has been deployed? e.g. switching from "fixed" to "optional." If so, how?

You press a radio button and switch from one to the other. Then hit save. That's the whole deal.


    Since I answered a question, I'm going to ask one. Does anyone have any experience with Microsoft Endpoint DLP. I'm trying to POC it and it's absolutely driving me crazy. I'll probably just open a support ticket and slowly die inside while I explain the issues to Microsoft over and over again, but if I'm missing something it is not documented. I can see in Defender where it identifies labeled files on the endpoint I'm trying to POC, but the EndPoint DLP stuff in Compliance is flat-out not doing anything. Blocking, auditing, etc..

    kiwid
    Sep 30, 2013



    We have this lovely ERM system where you can't get data in or out of it programmatically. I'm now investigating using a BI tool like Tableau to access the data. I'm not too familiar with BI tools so how would this typically work, does it just connect directly to the SQL database? If so, is there any issues with multiple applications reading data from a single database? I'm worried it might interfere with the ERP software in some way. This would be read-only if it matters.

    The Fool
    Oct 16, 2003



    kiwid posted:

    We have this lovely ERM system where you can't get data in or out of it programmatically. I'm now investigating using a BI tool like Tableau to access the data. I'm not too familiar with BI tools so how would this typically work, does it just connect directly to the SQL database? If so, is there any issues with multiple applications reading data from a single database? I'm worried it might interfere with the ERP software in some way. This would be read-only if it matters.

    Most BI tools can read directly from SQL, but it's usually not recommended. At least not your raw ERM database.

    You want to at least* copy your production database into a read-only reporting db and point your BI tool at that.


    * I want to stress that this is literally the bare minimum.

    nexxai
    Jul 17, 2002

    quack quack bjork

    Fun Shoe

    The Fool posted:

    You want to at least* copy your production database into a read-only reporting db and point your BI tool at that.
    To give some color to this: it's because BI tools typically do crazy amounts of queries and so running them on the live production DB can kill the performance if it's not sized/spec'd correctly.

    Weaponized Autism
    Mar 26, 2006

    All aboard the Gravy train!

    Hair Elf

    One of my company's domains has DNS entries set up in a really weird way. I want to clean it up but I want to make sure it makes sense. This is Windows Server 2012 R2.

    What I've always seen in DNS is forward lookup zones will be configured with the top-level domain. So for example, contoso.com would be a zone. And then underneath that zone you can have subdomains and records to your heart's content. However, my company has configured this domain with zones created for SUBDOMAINS.

    So for example, instead of having a zone just called contoso.com and an A record for subdomain.contoso.com within this zone, they have a ZONE called subdomain.contoso.com and in it a single A record (same as parent folder). And of course the typical NS and SOA DNS entries you see for any zone. It doesn't make sense to me to create zones for subdomains, and what I want to do is just create a zone for the top level domain and move the DNS records from the subdomain zones to this zone. Does that make sense?

    The Fool
    Oct 16, 2003



    Weaponized Autism posted:

    One of my company's domains has DNS entries set up in a really weird way. I want to clean it up but I want to make sure it makes sense. This is Windows Server 2012 R2.

    What I've always seen in DNS is forward lookup zones will be configured with the top-level domain. So for example, contoso.com would be a zone. And then underneath that zone you can have subdomains and records to your heart's content. However, my company has configured this domain with zones created for SUBDOMAINS.

    So for example, instead of having a zone just called contoso.com and an A record for subdomain.contoso.com within this zone, they have a ZONE called subdomain.contoso.com and in it a single A record (same as parent folder). And of course the typical NS and SOA DNS entries you see for any zone. It doesn't make sense to me to create zones for subdomains, and what I want to do is just create a zone for the top level domain and move the DNS records from the subdomain zones to this zone. Does that make sense?

    So yeah, that makes sense.

    subdomain.contoso.com will resolve to the A record on your DNS, but subdomain2.contoso.com (that does not exist in your DNS server) will resolve using your dns forwarder.

    We do the same thing because we have a sister organization that has some subdomains that need to resolve using the internal DNS, and some that need to resolve with the public DNS, and for dumb reasons neither split-brain nor a stub zone would work.

    Weaponized Autism
    Mar 26, 2006

    All aboard the Gravy train!

    Hair Elf

    The Fool posted:

    So yeah, that makes sense.

    subdomain.contoso.com will resolve to the A record on your DNS, but subdomain2.contoso.com (that does not exist in your DNS server) will resolve using your dns forwarder.

    We do the same thing because we have a sister organization that has some subdomains that need to resolve using the internal DNS, and some that need to resolve with the public DNS, and for dumb reasons neither split-brain nor a stub zone would work.

    Of course. Upon closer inspection it does seem like there's a need for internal DNS for some of these entries, so that makes sense. Thanks.

    i am a moron
    Nov 12, 2020

    Gettin' woke about vaccines

    Either one of those methods will work. However, The Fool's suggestion is superior because you should always ask: do I really need to create this zone? I've usually seen people host those zones inside their network to resolve https://www.mycompanysshittylampsite.com to 10.0.0.5 instead of 192.45.66.12 or whatever. Creating a bunch of zones for that purpose is asking for an administrative headache for no reason in my opinion. Let the DNS forwarding do its job.

    The real hotness is to go <subdomain>.whatevercompany.com for your AD domain (internal.contoso.com or something), and then never ever use Windows DNS for anything else ever again. Is the "official" MS guidance these days too. Got a chance to stand up a new domain once that way, was very nice. Still very clean last I checked, no comparing on-premises DNS zones to public DNS records like a DNS record anthropologist only to find out that everything inside was resolving to the wrong version of some dumb website for 10 years. Or, my favorite, not understanding www vs how Windows handles @ and only being able to go to https://www.mycompanysshittylampsite.com.

    Thanks Ants
    May 21, 2004

    Bless You Ants, Blants



    Yes, don't host company.com in your internal DNS, make everything a subdomain (or a totally different domain that you also own) and if you have to have something like vpn.company.com resolve internally then add a zone just for it.

    There's nothing worse than having to replicate a bunch of poo poo internally to make things like your website work, especially if you're using AWS, Azure etc. and the DNS records are aliases anyway or load balanced and you have to hard-code A records and then manually change them all the time.
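The arrangement the last two posts describe (a zone per overridden host name, with everything else under the public domain resolving through the forwarder) is often called a pinpoint zone. The following is an added example, not from the thread, that creates one and then audits every such zone under the parent domain by comparing the internal apex record with the public answer, which is the stale-override problem i am a moron mentions. It assumes a Windows DNS server with the DnsServer and DnsClient modules; contoso.com, the vpn host, 10.0.0.5 and the external resolver are placeholders.

```powershell
# Added example, not from the thread. Run on a Windows DNS server (DnsServer and
# DnsClient modules). contoso.com, vpn, 10.0.0.5 and 1.1.1.1 are placeholders.
Import-Module DnsServer
$Parent   = 'contoso.com'
$External = '1.1.1.1'      # a resolver outside your network, to see the public answer

# 1. Create a single-host ("pinpoint") zone so only vpn.contoso.com is overridden
#    internally; every other *.contoso.com name still goes out via the forwarder.
$Zone = "vpn.$Parent"
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address '10.0.0.5'
}

# 2. Audit: for every pinpoint zone under $Parent, compare the internal apex A
#    record with what public DNS returns, so stale overrides stand out.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone -and
                   $_.ZoneName -like "*.$Parent" } |
    ForEach-Object {
        $name     = $_.ZoneName
        $internal = Get-DnsServerResourceRecord -ZoneName $name -RRType A -Name '@' -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
        $public   = Resolve-DnsName -Name $name -Type A -Server $External -ErrorAction SilentlyContinue |
                    Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
        [pscustomobject]@{
            Zone     = $name
            Internal = (@($internal) -join ',')
            Public   = (@($public)   -join ',')
            Differs  = (@($internal | Sort-Object) -join ',') -ne (@($public | Sort-Object) -join ',')
        }
    } | Format-Table -AutoSize

# 3. Sanity check: a sibling name with no zone of its own must still resolve through
#    the forwarder, i.e. the server answers with the public address.
Resolve-DnsName -Name "www.$Parent" -Type A -Server 127.0.0.1 | Select-Object Name, IPAddress
```

Differs true is expected for the names you override on purpose (a VPN concentrator with a private address) and a red flag for anything else, typically a record someone copied in years ago that nobody updated when the public side moved. The final lookup confirms that a sibling name with no zone of its own still takes the forwarder path.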

    kiwid
    Sep 30, 2013



    In Office 365, what's the best way to give a consultant an internal email address that forwards to their gmail account without using a license or mailbox? There seems to be a few different ways like using a shared mailbox or a distribution group. Should I even be doing this in the first place? Should I just use a license/mailbox?

    GreenNight
    Feb 19, 2006
    Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

    kiwid posted:

    In Office 365, what's the best way to give a consultant an internal email address that forwards to their gmail account without using a license or mailbox? There seems to be a few different ways like using a shared mailbox or a distribution group. Should I even be doing this in the first place? Should I just use a license/mailbox?

    Shared mailbox then you can set auto forwarding in the exchange control panel. No license needed.

    kiwid
    Sep 30, 2013



    GreenNight posted:

    Shared mailbox then you can set auto forwarding in the exchange control panel. No license needed.

    Thanks.

    Thanks Ants
    May 21, 2004

    Bless You Ants, Blants



    Or a distribution list with the only member being a mail contact with their Gmail address in
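Both options above in Exchange Online PowerShell, as an added example rather than anything from the thread. It assumes the ExchangeOnlineManagement module, an admin connection, and placeholder names and addresses; pick one of the two recipient types, since both want the same internal address. The last part matters for a tenant as of late 2020: the default outbound spam policy blocks automatic forwarding to external addresses, so either variant silently drops mail until that is switched on.

```powershell
# Added example, not from the thread. Assumptions: ExchangeOnlineManagement module,
# an admin session, and placeholder names/addresses. Use option A or B, not both.
Connect-ExchangeOnline

$Alias    = 'consultant'
$Internal = "$Alias@contoso.com"
$External = 'consultant@gmail.com'

# Option A (GreenNight): unlicensed shared mailbox that forwards and keeps no copy.
New-Mailbox -Shared -Name 'Consultant (external)' -Alias $Alias -PrimarySmtpAddress $Internal | Out-Null
Set-Mailbox -Identity $Internal -ForwardingSmtpAddress $External -DeliverToMailboxAndForward $false

# Option B (Thanks Ants): distribution group whose only member is a mail contact.
# Nothing is stored in the tenant and there is no mailbox that could ever be signed into.
# New-MailContact -Name 'Consultant' -ExternalEmailAddress $External | Out-Null
# New-DistributionGroup -Name 'Consultant (external)' -PrimarySmtpAddress $Internal -Members 'Consultant' | Out-Null

# Either way: external auto-forwarding is blocked by the default outbound spam policy
# unless switched on. This enables it tenant-wide; a dedicated policy scoped to the
# one recipient is the tighter option.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode On

# Check the result for option A: shared (unlicensed) type and the forwarding target.
Get-Mailbox -Identity $Internal |
    Select-Object RecipientTypeDetails, ForwardingSmtpAddress, DeliverToMailboxAndForward
```

The distribution-group form keeps nothing in the tenant and creates no object that can be signed into, which makes it the safer of the two. Either way you are copying company mail to a consumer mailbox you do not control, which is the substance of kiwid's "should I even be doing this"; a licensed mailbox the consultant logs into with MFA, and that you can revoke, is the answer if that matters.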

    chocolateTHUNDER
    Jul 19, 2008

    GIVE ME ALL YOUR FREE AGENTS

    ALL OF THEM


    So, what's the trick to getting 20H2 to show up in wsus? I'd like to start testing it in my environment since I'll be needing to move on from 1809 by spring next year.

    E: I figured this out. Apparently you have to change the view on WSUS to "1903 and above" to get it to show. I had just "Windows 10" checked off which...should have been fine? Whatever.

    chocolateTHUNDER fucked around with this message at 21:49 on Nov 23, 2020

    Thanks Ants
    May 21, 2004

    Bless You Ants, Blants



    I'm getting into a bit of a rabbit hole with Windows Hello for Business in a hybrid deployment (Azure AD joined clients managed with Intune, on-prem resources joined to AD), and the whole "have a PKI infrastructure" step is not just a simple task on the route to implementing this.

    The most recent MS documentation that covers this is from 2016 (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786436(v=ws.11)). It at least mentions Server 2016 but I'd be interested in anything more up-to-date if that exists. Or a good third-party post that covers it if there's nothing from MS on the topic - a lot of the stuff I can find says "this is a lab so we'll just pick these settings" but I'd like to understand what those settings are.

    From what I can tell, the offline CA seems to be the way to go, and our AD environment lives in Azure so having a 2019 box powered down isn't really a problem, but if there's any way to shift those responsibilities into an Azure service then I'd be up for that.


    i am a moron
    Nov 12, 2020

    Gettin' woke about vaccines

    Thanks Ants posted:

    I'm getting into a bit of a rabbit hole with Windows Hello for Business in a hybrid deployment (Azure AD joined clients managed with Intune, on-prem resources joined to AD), and the whole "have a PKI infrastructure" step is not just a simple task on the route to implementing this.

    Hah, interesting. I didn't know this required PKI. For what it's worth, getting the certs onto devices via the connector with Intune isn't too bad.

    quote:

    The most recent MS documentation that covers this is from 2016 (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786436(v=ws.11)). It at least mentions Server 2016 but I'd be interested in anything more up-to-date if that exists. Or a good third-party post that covers it if there's nothing from MS on the topic - a lot of the stuff I can find says "this is a lab so we'll just pick these settings" but I'd like to understand what those settings are.

    From what I can tell, the offline CA seems to be the way to go, and our AD environment lives in Azure so having a 2019 box powered down isn't really a problem, but if there's any way to shift those responsibilities into an Azure service then I'd be up for that.

    There is no service that will replace what the AD Cert servers will do at this point (that I know of). It would be nice if there was.

    You can power the Offline CA down, I usually just delete the entire thing. I'm never around long enough to need it again.

    I've done this 3-4 times in the past couple of years. In my experience, every article written about deploying this stuff is wrong to some degree. This one is at the top of my google results and looks generally correct:

    https://stealthpuppy.com/deploy-enterprise-subordinate-certificate-authority/

    edit: I also disable CRL checking and issue the root cert for, like, 20 years. When you do this it would not be advisable to actually use the CA you set up for anything unless you are pretty sure it's for something stupid, like getting SCCM to work with HTTPS because you deployed a CMG on some unsuspecting assholes using HTTP in TYOOL 2020.

    i am a moron fucked around with this message at 14:12 on Nov 24, 2020
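The CRL question comes up twice on this page: Thanks Ants asks how to serve the HTTP distribution point for Azure AD joined clients, and the post above sidesteps it by turning CRL checking off. The alternative is to publish a small CRL over plain HTTP from the issuing CA and verify that checking actually works, because for a PKINIT (smart card / Hello certificate) logon a CRL the client cannot fetch fails the logon rather than being ignored. The script below is an added example, not from the thread or the linked guide: it rewrites the CDP and AIA lists so issued certificates carry only an HTTP URL (an LDAP URL is useless to a device that is not domain-joined), sets a weekly CRL with overlap, republishes, and then runs certutil's URL fetch against the CA's own certificate. Assumptions: it runs elevated on the enterprise subordinate CA with the ADCSAdministration module, pki.contoso.com is a placeholder for a web host reachable from wherever the laptops are, and its /crl and /aia paths map to the CA's CertEnroll folder.

```powershell
# Added example, not from the thread or the linked guide. Assumptions: run elevated
# on the enterprise subordinate (issuing) CA; pki.contoso.com is a placeholder web
# host whose /crl and /aia paths serve the CA's CertEnroll folder.
Import-Module ADCSAdministration
$CdpHost = 'pki.contoso.com'

# Keep only the local file publish location, then add one HTTP CDP that goes into
# issued certificates. %3 = CA name, %8 = CRL name suffix, %9 = delta suffix.
Get-CACrlDistributionPoint | Where-Object { $_.Uri -notmatch '^[A-Za-z]:\\' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Add-CACrlDistributionPoint -Uri "http://$CdpHost/crl/%3%8%9.crl" -AddToCertificateCdp -Force

# Same for AIA: clients that are off-network must be able to fetch the issuer cert.
Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -notmatch '^[A-Za-z]:\\' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri "http://$CdpHost/aia/%3%4.crt" -AddToCertificateAia -Force

# CRL lifetime: one week, with a two-day overlap so a missed publish does not take
# every certificate logon down at once. No delta CRLs: one file to host.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod 'Days'
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service certsvc
certutil -crl     # publish a fresh CRL now

# Check: pull the CA's own certificate and let certutil follow the URLs in it.
# Anything other than a passing revocation check means the CDP is not reachable.
certutil -ca.cert "$env:TEMP\issuing.cer" | Out-Null
certutil -verify -urlfetch "$env:TEMP\issuing.cer" | Select-String 'Revocation|CRL|http'
```

If the last command shows the revocation check failing, the fix is to make the URL reachable, not to set the ignore-offline flag. Mind what %3 expands to: the CA name lands in the file name, so a CA name with spaces gives a URL with spaces, one more reason to keep it short. And if you ever do enable delta CRLs, the web server needs double escaping allowed because the delta file name contains a '+'.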
