The icon for Microsoft Edge is now placed by default in every user profile.
It is not placed in Public Desktop, but created for each user at logon (DOH!)
Thank god there is way to stop this behavior.
You can simple add the following registry key:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
Value: DisableEdgeDesktopShortcutCreation
Data: 1
Type: REG_DWORD
If your using MDT (Microsoft Deployment Toolkit) or ConfigMgr (System Center Configuration Manager)
You can add the following oneliner task sequence step, to stop the creation of the Microsoft Edge icon.
Commandline: reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer /v DisableEdgeDesktopShortcutCreation /t REG_DWORD /d 1
In case your wondering what i have in the steps to disable Cortana, let me share them:
Registry tweaks for Build and Capture or Windows 10 Deployment task sequences
Disable Cortana Voice:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v DisableVoice /t REG_DWORD /d 1
Disable Cortana Search:
reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search” /v “AllowCortana” /t REG_DWORD /d 0 /f
Disable Cortana Search Box:
reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search” /v “SearchboxTaskbarMode” /t REG_DWORD /d 0 /f
The topic is almost self explaining.
You need to monitor specific user-based certificates, to avoid a situation where they have already expired.
You can add this to your daily security compliance checklist.
Prerequisites for running CIs can be found here: Compliance Baseline prerequisites
Go to Assets and Compliance, Compliance settings Configuration Items, right click and select Create a new configuration item:
Provide the name CI – Script – USER CERT Expiration check, leave the configuration item type as Windows and press Next:
Optionally you can provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console.
Select the OS where this configuration item assumes to be applied and click Next
To create Configuration Item, click New:
Type in the name CI – Script, from drop down of settings type select Script and data type as String.
There are two options to specify where a script would reside
– Discovery Script
– Remediation Script
Remediation is not handled in this post.
To place discovery script since to evaluate compliance, click on Add Script.
Please note that this script needs to be runin the logged-on user context, therefore please check “Run scripts by using the logged on user credentials”
Select script language as Windows PowerShell and type in the script (see attached USER_CERT_Expiration _Discovery.ps1) in the Script field:
#
$Compliance = ‘Compliant’
$Check = get-childitem -path cert:\currentuser -recurse | where-object {$_.thumbprint -eq ‘245c97df7514e7cf2df8be72ae957b9e04741e85’}| where { $_.notafter -le (get-date).AddDays(30)}
If ($Check) {$Compliance = ‘NonCompliant’}
$Compliance
#
Script download: [download id=”787″]
and click OK
Click Next
After the script is in place, you can click the “Compliance Rules” tab. Now compliance rule needs to be created. This rule will determine how the compliance is reported once the script runs on a computer (based on how the compliance a machine could be either Compliant or NonCompliant).
Click on New
Type in the com
pliance rule name and click on Browse:
Select the name of the configuration setting that just created (if not already selected and then click on Select):
In the Rule Type select Value and then select if the value returned is Equals to Compliant.
Click OK
Click Next
Next screen presents the summary of the settings, if any changes are needed then you can go back and make changes here. Click Next.
Configuration Item is ready now.
Next step is to create Configuration Baseline.
Right click Configuration baseline and create configuration baseline.
Type the name of configuration baseline CB – Script – USER CERT Expiration check. Click on add and select configuration item from drop down menu.
Please make sure that Purpose set to Required!
Select the configuration item just created and click OK. This would finish creating configuration baseline.
Now it is time to deploy this base line to relevant Users Collection(-s).
Go to configuration baseline and right click and select Deploy.
Select the configuration baseline CB – Script – USER CERT Expiration check.
Browse and point it to targeted Users collection (its recommended to run it for some limited collection for testing before deployment to production)
Change the evaluation schedule as per as your requirements (taking in consideration that in case of it seems to be critical for your environment, in production running this CB probably once a day is recommended)
Again, the key thing here is to be sure that you deploy this CB to users and not to your systems!
Click OK
Note: When the configuration baseline is deployed, please allow that it can be evaluated for compliance within about two hours of the start time that you schedule.
To check it on a Windows PC client (general recommendation to do it for all targeted OS client types)
On a Device, go to Control Panel, System and Security and open the Configuration Manager applet. In the Configurations tab you’ll see what Configuration Baselines the client will evaluate at its specific schedule. Click on configurations and click on “Evaluate”, “Refresh” and then “View Report”.
As shown in the pictures below, Configuration Baseline was evaluated to be Compliant or Not
PREREQUISITES
This setting is located in the Administration workspace under Overview ⇒ Client Settings ⇒ Default Client Agent Settings. Then right-click and select Properties. This will open the properties window for the client settings. By setting the “Enable compliance evaluation on clients” option to “Yes”, you enable this option in the default settings. The default schedule for evaluation is every 7 days.
You can adjust this schedule as necessary for your environment, including using a custom schedule that will allow you more control over when it runs.
The default schedule will typically be adequate for most environments.
You can also modify the default client settings, create new custom client settings, or modify existing custom client settings. You can create or modify custom client settings when you want to apply a group of client settings to specific collections.
1. is to sign the script with your company trusted certificate
2. is to set the PowerShell execution policy to “Bypass”.
If you are not about to sign your scripts, please go to Administration->Client Settings, select the default (or create a new) Client Settings and set the PowerShell execution policy to “Bypass” in the “Computer Agent” section of the client settings. This action allows unsigned PowerShell scripts to run properly when they executed by the Computer Agent. If you don’t use the default client settings, you need to make sure the custom client settings you created are also deployed to the collection you will be checking compliance on.
Should be installed in your environment for reporting.
Assuming this role is already installed as reporting is a core requirement in the majority of SCCM functions.
All the joys of Windows 10….. now on 1709
Last week after upgrading Windows 10, I came a cross this nice new integration for Smart Cards. (tokens)
Windows 10 new has support for eTokens (SafeNet Tokens)
I was very pleased with this update, it will save me yet another application to install.
I’ve been using the SafeNet Application from Gemalto and it has served me well for several years. So time for a changes, the integrated Smart Card application in Windows 10 works perfect for me.
I am using the following it with:
and my tokens? I ALWAYS use digicert for codesigning certificates:)
ps. A new version of Access Director Enterprise is on its way, signed and released to web.
Stay tuned!
A new ransomware has seen the light.
Bad Rabbit ransomware is currently roaming Eastern European countries.
Bad Rabbit is mainly delivered using a fake Flash Update.
This means we a looking a regular drive-by-attack and fake updates/malicious software from websites to get it started.
Secure you clients now!
1. Blacklist the hashes
2. Block the files
3. Lock the registry entries.
4. Remove your local administrative privileges, if you can’t? Limit them and monitor using: Access Director Enterprise
Bad Rabbit IOCs:
install_flash_player.exe: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
infpub.dat: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
cscc.dat (dcrypt.sys): 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
dispci.exe: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
C:\Windows\infpub.dat
C:\Windows\System32\Tasks\drogon
C:\Windows\System32\Tasks\rhaegal
C:\Windows\cscc.dat
C:\Windows\dispci.exeHKLM\SYSTEM\CurrentControlSet\services\cscc
HKLM\SYSTEM\CurrentControlSet\services\cscc\Type 1
HKLM\SYSTEM\CurrentControlSet\services\cscc\Start 0
HKLM\SYSTEM\CurrentControlSet\services\cscc\ErrorControl 3
HKLM\SYSTEM\CurrentControlSet\services\cscc\ImagePath cscc.dat
HKLM\SYSTEM\CurrentControlSet\services\cscc\DisplayName Windows Client Side Caching DDriver
HKLM\SYSTEM\CurrentControlSet\services\cscc\Group Filter
HKLM\SYSTEM\CurrentControlSet\services\cscc\DependOnService FltMgr
HKLM\SYSTEM\CurrentControlSet\services\cscc\WOW64 1
Local & Remote SMB Traffic on ports 137, 139, 445
caforssztxqzf2nm.onion.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
Submitting Nominations: If you know someone who is deserving of this Award, please send an email to [email protected] and please cover the following criteria in your message:
About the Award:
The Enrique Lima Award is designed to recognize and celebrate the outstanding work of Microsoft Certified Trainers in the MCT Community, being awarded to only those who show knowledge, passion, and commitment to the Microsoft community as a whole, and specifically to the MCT program. This Award was established in memory of Enrique Lima; a husband, a father of two, a Microsoft Certified Trainer (MCT) and Regional Lead, Microsoft Valued Professional (MVP), Krewe member , SharePoint Community leader, and member of the Learn on Demand Systems (LODS) team. Enrique always went above and beyond what was expected, building up both local, regional and international communities and everyday showed us all what the spirit of the MCT community was all about
I would prefer to have access from my local vlan and wireless vlan to the servers.
But didn’t want to all dns traffic into the VM’s (and depend on a testing environment)
Basically I want host resolution, and being able to utilizing the domain services in the testing environment, without interruption of my other services.
This is the solution in went for was using Conditional Forwarders
First the Hyper-V host:
I Installed the DNS Server role within Windows Server 2016.
Setup forwarders to google dns:
After that i will add the Conditional Forwards for my testing domain
I in my previous post I created 2 Domain controllers, both hosting DNS.
I will then add my Hyper-V hosts IP to the DNS server of my router/dhcp on the needed vlans.
When clients send requests for the testing domain, they will get forwarded to the Hyper-V guests (DCs) and all other requests will go to the Google DNS (8.8.8.8, 8.8.4.4) – more info: Getting started with Google Public DNS
I did want a backup as well, so I installed Synology DNS on my Synology DS1511+
Synology DNS supports forwarding zones, with up to 2 forwarders per zone.
That’s perfect for my setup, added the 2 Hyper-V guest DC’s.
The Synology DNS would of course also need Resolution services enabled, so we can forward requests to the Google DNS (8.8.8.8, 8.8.4.4)
Then I will go ahead an update the DNS servers handed out by my DHCP on my normal client network and wireless clients.
This configuration offers failover/backup, because both the Hyper-V hosts and the Synology will be able to handle DNS requests and forwarding.
Now to the good stuff
Usually when working with Hyper-V I use reference disks, mainly to save space on rather expensive disks. But is there much to gain when using deduplication? I was on sure, so asked in Tech Konnect
The response from Tech Konnect confirmed, when using deduplication, it out wages the other issues with reference disks, rather than saving disk space.
Since it’s not possible to create folders or groups within the Hyper-V Management Console, I will be using a naming standard: <Group> – <Generation> – <OS> – <hostname>
The first Virtual Machine will be a Domain Controller, what better way to start?
Virtual Machine Configuration:
Generation: 2
Startup memory: 4096
Dynamic Memory: Enabled
Network Connection: External
Disk size: 60 GB
Boot from the ISO File – Windows Server 2016 Standard (Desktop Experience)
The quick wins for a Generation 2 Virtual Machine
Note: IDE drives and legacy network adapter support has been removed.
For more info: Generation 2 Virtual Machine Overview and Hyper-V feature compatibility by Generation and Guest
The memory assigned might be a bit overkill, but for now it will be OK.
When configuring the second DC i will only assign: 2048.
The complete installation time to logon was 3 minutes and 9 seconds
Both DCs can actually live with 2048 mb ram, so it can always be cut down, but keep in mind we are using Dynamic Memory allocation.
I will of course be setting up MDT and ConfigMgr at a later point, to streamline and gain a bit of speed.
