As businesses increasingly operate in hybrid environments spanning both on-premises and cloud infrastructure, the need for seamless authentication across multiple environments becomes paramount. To address this challenge, organizations are turning to automated processes for implementing and managing Cloud Kerberos Trust. This automated approach streamlines the integration of Kerberos-based authentication in diverse environments, ensuring efficient and secure access to cloud resources.
To get a deeper understanding and a great story, you should also read the following article series by Ben Whitemore and Michael Mardahl, who inspired the script.
1. Install Azure AD Kerberos PowerShell module
2. Prompt the user for domain admin credentials (if it detects it is not running as domain admin)
3. Create a Kerberos Server object
4. Verify a Kerberos Server object has been created successfully
5. Create "CKT-Policy" Intune configuration profile
6. Create OMA-URI for Cloud Kerberos Trust enablement
7. Assign the configuration profile
1. Azure Active Directory global administrator.
2. Active Directory domain administrator.
3. Grant admin consent for the following Microsoft Graph permissions on the application used by the script in Azure AD apps:
CloudPC.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, Directory.Read.All
-Domain: Specifies the on-premises Active Directory domain. A new Azure AD Kerberos Server object will be created in this Active Directory domain.
-UserName: Specifies the UPN of an Azure Active Directory global administrator.
-TenantID: Specifies the Azure AD tenant ID for the new Intune configuration policy.
-Group: Specifies the device group to assign the new Intune configuration policy to.
-LogPath: Specifies the path to save script output to.
.\Enable-CloudKerberosTrust.ps1 -Domain xyz.com -UserName firstname.lastname@example.org -TenantID 0570e92c-8fb4-4775-9eb8-61f20dd2ce72 -Group Group1 -LogPath .\
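The seven steps and parameters above, worked through as an added example (this is not the Enable-CloudKerberosTrust.ps1 script from the post). It assumes the Microsoft Graph PowerShell SDK is installed, that the Graph permissions listed earlier have been consented, and that the Cloud Kerberos Trust OMA-URI under PassportForWork is used; the log file name is a constructed example.

```powershell
# Added example, not the post's script. Enables Cloud Kerberos Trust end to end:
# Kerberos Server object on-premises, then a custom Intune profile assigned to a group.
param(
    [Parameter(Mandatory)][string]$Domain,     # e.g. xyz.com
    [Parameter(Mandatory)][string]$UserName,   # UPN of an Azure AD global administrator
    [Parameter(Mandatory)][string]$TenantID,
    [Parameter(Mandatory)][string]$Group,      # display name of the Azure AD device group
    [string]$LogPath = '.\'
)
Start-Transcript -Path (Join-Path $LogPath 'Enable-CloudKerberosTrust.log')   # constructed file name

# Step 1: the Azure AD Kerberos cmdlets live in the AzureADHybridAuthenticationManagement module.
if (-not (Get-Module -ListAvailable -Name AzureADHybridAuthenticationManagement)) {
    Install-Module -Name AzureADHybridAuthenticationManagement -Scope AllUsers -AllowClobber -Force
}
Import-Module AzureADHybridAuthenticationManagement

# Step 2: only prompt for domain admin credentials if this session is not already a Domain Admin.
$cloudCred = Get-Credential -UserName $UserName -Message 'Azure AD global administrator'
$isDomainAdmin = [bool]((whoami.exe /groups) -match '\\Domain Admins\s')
$kerbParams = @{ Domain = $Domain; CloudCredential = $cloudCred }
if (-not $isDomainAdmin) {
    $kerbParams.DomainCredential = Get-Credential -Message "Domain Admin credentials for $Domain"
}

# Step 3: create the Azure AD Kerberos Server object (AzureADKerberos computer account + cloud copy).
Set-AzureADKerberosServer @kerbParams

# Step 4: verify both the on-premises object and its cloud counterpart exist before touching Intune.
$server = Get-AzureADKerberosServer @kerbParams
if (-not $server -or -not $server.KeyVersion -or -not $server.CloudKeyVersion) {
    throw "Azure AD Kerberos Server object for $Domain was not created or not synced to Azure AD"
}
Write-Host "Kerberos Server object OK: KeyVersion=$($server.KeyVersion) CloudKeyVersion=$($server.CloudKeyVersion)"

# Step 5 + 6: custom Windows 10 profile 'CKT-Policy' carrying the Cloud Kerberos Trust OMA-URI.
Connect-MgGraph -TenantId $TenantID -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Directory.Read.All'
$graph = 'https://graph.microsoft.com/v1.0'
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'CKT-Policy'
    description   = 'Windows Hello for Business: use Cloud Kerberos Trust for on-premises auth'
    omaSettings   = @(@{
        '@odata.type' = '#microsoft.graph.omaSettingBoolean'
        displayName   = 'UseCloudTrustForOnPremAuth'
        omaUri        = "./Device/Vendor/MSFT/PassportForWork/$TenantID/Policies/UseCloudTrustForOnPremAuth"
        value         = $true
    })
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations" `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Host "Created configuration profile $($created.displayName) with id $($created.id)"

# Step 7: resolve the device group by display name and assign the profile to it.
$filter = [uri]::EscapeDataString("displayName eq '$Group'")
$grp = (Invoke-MgGraphRequest -Method GET -Uri "$graph/groups?`$filter=$filter").value | Select-Object -First 1
if (-not $grp) { throw "Azure AD group '$Group' not found" }
$assignBody = @{
    assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $grp.id } })
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Host "Assigned CKT-Policy to group $($grp.displayName) ($($grp.id))"
Stop-Transcript
```

Only hybrid Azure AD joined or Azure AD joined devices that receive this profile will use Cloud Kerberos Trust; check the Kerberos Server object's KeyVersion values again after the scheduled key rollover to confirm the on-premises and cloud copies stay in step.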
Can Microsoft’s Delivery Optimization and Configuration Manager help solve enterprise network efficiency problems supercharged by the coronavirus pandemic?
The COVID-19 pandemic has forced numerous companies to adopt hybrid working models. This has seen demand for bandwidth capacity increase considerably.
Couple bandwidth-busting traffic connecting from all over with spiraling data costs and network administrators have something to worry about. With no end in sight of this global pandemic, enterprises are now looking for solutions to counter these issues.
As a result, the question that’s now at the fore for many network administrators is how to improve network efficiency as cost-effectively as possible in the New Year.
COVID-19 and Network Efficiency
Pre-COVID, 17% of the American workforce worked remotely at least 5 days per week. Since the onset of the pandemic, this number has increased to 44%.
With nearly 6% of the population (i.e. 21 million people) having no high-speed connection, enterprises have begun to ask questions such as how best they can keep all their employees connected to their networks.
A range of solutions has been proposed in order to modernize the existing mainframes including the adoption of key technologies such as Microsoft’s Delivery Optimization, Connected Cache, and Configuration Manager.
Let’s examine each of these in greater detail.
What is Delivery Optimization
Delivery Optimization is an inbuilt Windows component. It is a distributed cache technology, meaning software designed to act as an intermediary between an enterprise's primary storage solutions and remote employees' computers.
The benefits that Delivery Optimization provides include optimizing cloud download efficiency, minimizing internet bandwidth, and lowering the latency in data access.
This is excellent because you want to keep your internet bandwidth high. It translates to a faster and better experience for employees, particularly those working remotely.
What is Microsoft Connected Cache?
Microsoft Connected Cache is an application installed on Windows Server 2012 or later. It is a high-speed data storage function that works hand-in-hand with Delivery Optimization to reduce latency and improve efficiency.
Connected Cache acts as a dedicated cache on your enterprise network. This server-based solution caches the managed downloads that Delivery Optimization extracts from the Cloud.
It’s ideal for companies because it serves as a local cache on your on-premise network.
What is Microsoft Endpoint Configuration Manager
Microsoft Endpoint Configuration Manager, formerly known as System Center Configuration Manager (SCCM) or Systems Management Server (SMS), is full-featured systems management software. It sets out to manage computers at a larger and more streamlined scale.
Configuration Manager works by providing patch management, remote control, operating system deployment, software inventory, software distribution, and network access protection capabilities.
Now that we’re up to speed about what each of these features are and what they do, let’s look at the advantages and disadvantages of Delivery Optimization.
Delivery Optimization Pros
No Upfront Costs
For enterprises already encumbered by high remote operating costs, this is a welcome reprieve. There are no upfront costs because Delivery Optimization exists as part of Windows 10. Therefore, it’s a feature that’s paid for through your regular Windows 10 license.
Leverages Peer-to-Peer Efficiency
Delivery Optimization enables PCs connected to your network to download updates in a more streamlined manner from other peers within the network that have already downloaded the content. In this way, there is an overall reduction in bandwidth, and update-related traffic is mitigated.
Same Time Send/Reception of Update Files
Gone are the old days of having to wait long periods of time while update files were sent and received in succession. Today, Delivery Optimization facilitates simultaneous sending and receiving of update files. This allows updates to take place easily and seamlessly.
Can Resume Interrupted Downloads
Do you remember the times when downloads would interrupt because of a network glitch and had to restart? This meant updating PCs across company networks took longer and sometimes pushed up data costs for enterprises. Thankfully, one of the perks of Delivery Optimization is the ability to resume downloads should they experience an interruption.
Load Balancing Capabilities
Network administrators can use all the help they can get to distribute workloads in a uniform manner across enterprise servers and employee PCs.
Load balancing is an incredibly important process as it promotes more efficient processing. It provides balance, so there are no uneven overloads on individual computer nodes. Delivery Optimization presents itself as a tool that expedites this distribution of network traffic.
Windows Native and Cumulative Updates Enabled
As a Windows 10 native feature, Delivery Optimization is Cumulative Updates enabled. This means that on all the PCs equipped with the DO feature, updates, both old and new, can be bundled together into a single update package.
But it’s not all fun and games with Delivery Optimization. Here are a couple of disadvantages network administrators have to also contend with.
Delivery Optimization Cons
No Analytics and or Reporting
In Deloitte’s The Analytics Advantage report, analytics are highlighted as important because they enable companies to drive business strategy and make data-driven decisions. Thus, it comes as a big disappointment that Delivery Optimization provides no such insights, neither in the form of analytics nor reports.
No Content Control
Being able to control both the content that’s being downloaded and transmitted across networks is imperative for network safety. The fact that Delivery Optimization doesn’t give network administrators such control is frustrating.
No Support for Windows 7/10 Migration
Are you thinking of migrating from Windows 7 to Windows 10? Well, unfortunately, you’ll have no help from Delivery Optimization. It’s not clear as to why the developers over at Microsoft thought it was a good idea to complicate migration in this way.
No Support Packages and App Deployment
That’s not all: Delivery Optimization also offers no support for Packages and Applications with Configuration Manager stand-alone deployments. This greatly hampers the standardization and streamlining of installing software on employees’ work devices.
No Smart Agent
Delivery Optimization is a tool full of potential. However, it is baffling trying to understand why this supposed network optimizing resource has no smart agent to facilitate Optimal Source Selection.
No SCCM Support
Microsoft’s System Center Configuration Manager (SCCM) is integral in the management, deployment, and security of connected enterprise devices as well as apps within the network. However, this Windows product doesn’t receive any support which is a major disadvantage.
Needs Manual Boundary Definition
Boundaries, according to Microsoft, are network-specific locations on enterprise intranets that can contain your PCs or other devices making them easier to manage. When using Delivery Optimization, boundaries aren’t automatic, you have to take time to manually define each boundary you want to be created.
Needs Substantial Boundary Configuration
It’s not enough to manually define the boundaries required either, you also need to make sure that each boundary is properly configured. This additional work can be automated so it’s a wonder why Delivery Optimization doesn’t come with boundary configuration pre-set.
5 Steps to Improving Network Efficiency with Delivery Optimization
Faced with hybrid work models and more employees working remotely, enterprises must be smart about network management. Here are the top 5 ways to improve network efficiency using Delivery Optimization, Configuration Manager, and Microsoft Connected Cache in 2022.
When it comes to network efficiency, congestion in the network is one of the major network problems that most enterprises face. There are many causes of bottlenecks in your network which you will need to remove in order to improve network efficiency. These range from:
a) Network Overload
Network overload happens when you have numerous hosts within your broadcast domain. Delivery Optimization can aid in this particular case by allowing optimized cloud-managed downloads which reduce network pressure.
b) Broadcast Storms
Broadcast storms occur when you receive more requests on the network than it can handle.
c) Low Bandwidth
This occurs when there are too many people connected to the network at once. Delivery Optimization and Connected Cache are peer-to-peer cache technology and significantly help to lower the latency and minimize internet bandwidth.
d) Not Enough Retransmitting Hubs
Failure to have sufficient retransmitting hubs slows down your network. Retransmitting hubs are necessary in order to make data transmission across the network easier.
e) Multicasting
While created to help ease congestion, multicasting can in fact cause bottlenecks when two packets transferred simultaneously collide, leading to congestion.
f) Old Hardware
Technology is changing so fast that hardware components need to be routinely upgraded; otherwise servers, routers, and switches can inadvertently lead to network congestion.
g) Poor Configuration Management
When scripts are one-off or repetitive, they can introduce bugs that cause congestion. Thankfully Delivery Optimization and Configuration Manager can help to get rid of this issue.
h) Foreign Adapter Broadcasts
When rogue adapters connect to your network, this can increase the network load leading to bottlenecks. A rogue adapter is any device that connects oftentimes illegally onto your network and exists like a parasite until it’s removed. These foreign devices also pose a security threat.
Fortunately, network monitoring tools like Configuration Manager make it possible to handle the life cycle of all the devices and configurations within your network. Such visibility can assist in identifying slow traffic and congestion so you can eliminate it.
It doesn’t matter if it’s an installation of cumulative updates or new hardware, every element joining the company network must be properly configured. Failure to do so can lead to poor network efficiency.
When devices are incorrectly configured, they can’t communicate with their peers effectively. This will lead to routing problems and or increase latency.
Network administrators must ensure that each time a device is configured or reconfigured the network is tested to check network performance. Configuration Manager can be used to see whether the new configuration/reconfiguration is affecting the network negatively.
Improve Network Efficiency Step #3: Educate Employees on Correct Network Usage
Now with more employees working remotely, it can be difficult to control what people do on the company network. However, it is pivotal to educate them on avoiding applications that are bandwidth-heavy and engaging in activities that consume a lot of data such as downloading movies, music videos, and other large files.
The more bandwidth employees are using in non-work-related activities, the less will be available for work slowing down the entire network. Configuration Manager can be used to curb non-work-related activities if necessary by blocking certain devices.
Improve Network Efficiency Step #4: Consider Creating a Guest Network
Have you ever thought of creating a separate guest network for people visiting your company?
You don’t want strangers and outsiders to be able to connect to your enterprise network. This is a major security threat. By creating a disparate guest network they will have their own distinct network to connect to.
In this way, guests’ activities don’t interfere with enterprise bandwidth and security threats are reduced.
Improve Network Efficiency Step #5: Compress Network Traffic and Data
Every day, colossal amounts of data are transmitted across enterprise networks. More so now, in a world where virtual meetings are the order of the day. These data-heavy online activities necessitate data compression and compression of network traffic.
By compressing enterprise data, companies get more out of their internet packages. And with Windows components like Delivery Optimization, you get to stretch your data out more.
You see, Delivery Optimization extracts content from the cloud, stores it in a temporary cache, where peer PCs/devices can easily access said files in smaller, minute data-friendly sizes without having to download all the large files for each connected device.
2020 and 2021 have disrupted the way business is done. With more companies eager to try out hybrid work models that allow employees to work remotely with some days in the office, network administrators have their work cut out for them in making sure networks are efficient and running optimally round the clock.
And with so much uncertainty about when things will return to normal, enterprises need to get comfortable with the idea of remote work. Resources such as Delivery Optimization and Configuration Manager will prove to be more and more important in 2022 and beyond.
Relying on such Windows features, organizations can rest easy knowing that there are tools to help with improving network efficiency in a cost-effective manner.
With Windows Autopilot, Microsoft gives clients a collection of technologies designed to eliminate the challenges that come with building, maintaining, and applying custom images.
It’s a platform that IT professionals can utilize to set new desktops to join pre-existing configuration groups and apply profiles to the desktops. All of this is so that new users can access fully functional desktops from their first logon.
By using Windows Autopilot, you can simplify the entire lifecycle of Windows devices: it covers devices from the initial deployment through to the eventual end of the life cycle. The question, however, is should you allow self-service?
Changing landscape with Windows Autopilot
Over the last few years, we have certainly witnessed a rapid evolution in the remote work landscape. And this evolution has become even more pronounced with the prevailing global pandemic. This has made the need for technology like Windows Autopilot even greater.
Self-service technology has plenty to offer any business. Benefits can include improved end-user experience, effortless coordination for a remote or blended workforce, less complicated management, and significant increases in productivity.
Windows Autopilot’s self-service setup makes workplace devices configured and ready out of the box through its self-deploying mode.
This means that when the employee receives the device they only need to turn it on to start working. Self-deploying mode automatically joins a new device into your company’s Azure Active Directory (Azure AD).
The device is then enrolled into Intune for mobile device management (MDM). Also, you don’t need to worry about apps, certificates, policies, and networking profiles provisioned on the device as they will be dealt with as well.
What this means is that everyone has a lot to gain from using Windows Autopilot, whether you’re IT or the end-user. IT people have their processes simplified and no longer have to deal with the time-consuming, outdated, and overly complex IT processes they had before.
And as for the end-user, all one needs to do is unbox the device, turn it on, connect to the internet, and then verify their credentials.
Self-deploying mode of Windows Autopilot
This feature plays a key role in making Windows Autopilot the platform that it is. Using it will allow you to deploy a device with little to no user interaction. If you have an Ethernet connection then no user interaction will be needed. But, end-users whose devices are connected via Wi-Fi will need to choose the language, locale, and keyboard. And then, they need to make a network connection.
By using self-deploying mode, you can deploy a Windows 10 device as a kiosk, digital signage device, or a shared device. Moreover, it’s also possible to completely automate device configuration by combining self-deploying mode with MDM policies. To deploy in self-deploying mode, you need to follow the steps below:
The first step involves creating an Autopilot profile for self-deploying mode that has the settings you want.
Next, you need to create a device group in Azure AD and assign the Autopilot profile to that group. Before you try to deploy the device, you should check that the profile has been assigned to the device.
Finally, you need to boot the device and connect it to Wi-Fi (if necessary). And then wait for the provisioning process to complete.
Gaining value from technology
As already mentioned earlier, the technological landscape is evolving and so businesses can take advantage of these changes to add value to their operations. The ability to seamlessly deploy devices without IT involvement has huge implications in an increasingly remote-working world.
With countless employees not being on-premises, companies cannot afford to have delays between delivery and deployment. Leveraging Windows Autopilot means that you can eliminate OS image re-engineering and customize the out-of-the-box-experience (OOBE).
By doing this, your processes become easier and faster. And this is going to enhance productivity and potentially increase profitability.
Windows Autopilot provides support for a growing list of different scenarios, designed to support the varying needs that most businesses will have. These needs often differ depending on the type of business as well as where you are with moving to Windows 10 and transitioning to modern management. Below are some of the common scenarios:
Deployment of devices that will be set up by an employee of the company and configured for that person.
Deployment of devices that will be automatically configured for shared use, as a kiosk, or as digital signage.
Re-deploying a device in a business-ready state.
Pre-provisioning a device with up-to-date apps, policies, and settings.
Provisioning of Windows 365 devices.
User-empowered modern workplace
Windows Autopilot is one of the key components in the Microsoft ecosystem that are helping to create a more user-centric workplace. An environment where users are empowered by IT rather than restricted as they were with legacy IT.
Users will immediately see this from the very beginning as they unbox new devices and have no time-wasting setup involved. Combined with the streamlined benefits of other solutions in the Microsoft ecosystem, this creates a modern, all-digital workplace.
Leveraging digital transformation with Windows Autopilot
So much technological innovation has come to the fore in the last few decades. However, many outdated facets of legacy IT persist including device setup and configuration. But it certainly doesn’t have to be the case for your organization.
Making use of tools like Windows Autopilot has massive potential benefits for your business. Self-service deployments not only make life simpler, but they can help you to operate faster and with fewer complications.
Not to mention how you can create more productive time. The extensive range of capabilities that you get here gives you more automated and user-friendly processes that can enhance your organization’s performance.
Most organizations could probably gain some benefits from deploying application control policies. This is something that your IT guys could use to make their work easier and improve the overall management of employee devices. AppLocker is a platform that will give admins control over which apps and files users can run including packaged app installers, scripts, executable files, Windows Installer files, DLLs, and packaged apps. Because of its features, AppLocker will help organizations to reduce their admin overhead and the cost of managing computer resources. With that said, let’s go over how AppLocker helps you to control user app access.
Users that are running the enterprise-level editions of Windows will find that AppLocker is already included. Microsoft allows you to author rules for a single computer or a group of computers. For single computers, you’ll need to use the Local Security Policy Editor (secpol.msc). And for a group of computers, you can use the Group Policy Management Console to author the rules within a Group Policy Object (GPO). However, it’s important to note that you can only configure AppLocker policies on computers running the supported versions and editions of the Windows operating system.
Features of AppLocker
AppLocker offers several features to help you manage access control. It allows you to define rules based on file attributes that persist across app updates, such as publisher name, file name, file version, and product name. You can also assign rules to individual users or security groups, and create exceptions to rules.
In order to understand the impact of a policy before enforcing it, AppLocker allows you to deploy the policy in audit-only mode first. Another feature enables the creation of rules on a staging server that you can test before exporting them to your production environment and importing them into a Group Policy Object (GPO). And by using the Windows PowerShell cmdlets for AppLocker, you’ll have an easier time creating and managing rules.
AppLocker works well at addressing the following security scenarios:
Application inventory: AppLocker policies can be enforced in an audit-only mode where all application access activity is registered in event logs.
Protection against unwanted software: you can exclude from the list of allowed apps any app that you don’t want to run and AppLocker will prevent it from running.
Licensing conformance: AppLocker enables you to create rules blocking the running of unlicensed software while limiting licensed software to authorized users.
Software standardization: to have a more uniform application deployment, you can set up policies that will only allow supported or approved apps to run on PCs within a business group.
Manageability improvement: AppLocker has improved a lot of things from its predecessor Software Restrictions Policies. Among those improvements are audit-only mode deployment, automatic generation of rules from multiple files, and importing and exporting policies.
Apps to control
Each organization determines which apps they want to control based on their specific needs. If you want to control all apps, you’ll note that AppLocker has policies for controlling apps by creating allowed lists of apps by file type. When you want to control specific apps, a list of allowed apps will be created when you create AppLocker rules. Apart from the apps on the exception list, all the apps on that list will be able to run. For controlling apps by business group and user, AppLocker policies can be applied through a GPO to computer objects within an organizational unit.
Allow and deny actions
Because each AppLocker rule collection operates as an allowed list of files, the only files that are allowed to run are the ones that are listed in this collection. This is something that differs from Software Restriction Policies. Also, since AppLocker operates by default as an allowed list, if there is no explicit rule allowing or denying a file from running, AppLocker’s default deny action will block that file. Deny actions are typically less secure because a malicious user can modify a file thereby invalidating the rule. One important thing to remember is that when using the deny action on rules, you need to first create rules allowing the Windows system files to run. Otherwise, a single rule in a rule collection meant to block a malicious file from running will also deny all other files on the computer from running.
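The audit-only staging workflow and the "allow the system files first" caveat above, as an added example (not code from the original post). It uses the AppLocker module cmdlets on an enterprise edition of Windows in an elevated session; the output path and the test file path are constructed placeholders.

```powershell
# Added example: generate allow rules from what is actually installed, stage them in
# audit-only mode, test a file against the policy, apply it locally, then read the audit log.
Import-Module AppLocker

$policyFile = 'C:\Temp\AppLocker-CKT-Audit.xml'        # constructed path
New-Item -ItemType Directory -Path (Split-Path $policyFile) -Force | Out-Null

# Allow rules for the Windows and Program Files trees. These are the "allow the Windows
# system files" rules the text warns about: with the default-deny behaviour of AppLocker,
# a collection that contains only a deny rule would block everything else on the machine.
$systemDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$policyXml = $systemDirs |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script } |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# Stage every rule collection in AuditOnly so nothing is blocked yet; events are still logged.
$xml = [xml]$policyXml
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyFile)

# Dry run: would a file outside the allowed trees run under this policy?
$sample = 'C:\Users\Public\Downloads\unknown-tool.exe'   # constructed path
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sample -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
}

# Apply to the local machine (replace the local policy; add -Merge to keep existing rules).
# The Application Identity service must be running for AppLocker to evaluate anything.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile

# Read what audit mode flagged. Event 8003 = would have been blocked if enforced,
# 8004 = blocked (enforce mode). The file path lives in the event's UserData block.
function Get-AppLockerAuditEvent {
    param([int[]]$EventId = @(8003, 8004), [int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = $EventId } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                User     = $data.TargetUser
                FilePath = $data.FilePath
                Rule     = $data.RuleName
            }
        }
}
Get-AppLockerAuditEvent | Sort-Object FilePath -Unique | Format-Table -AutoSize
```

Review the 8003 events for a few weeks and turn them into explicit allow or deny rules before switching EnforcementMode to Enabled; the local policy created here is merged with any domain GPO rules on domain-joined machines.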
The last thing most organizations would want is any standard user or worse a malicious one modifying their policies. Therefore, AppLocker only allows administrators to modify AppLocker rules to access or add an application. For PCs that are joined to a domain, the administrator can create AppLocker rules that can potentially be merged with domain-level rules as stated in the domain GPO.
Is AppLocker for you?
If you see the need to improve app or data access for your organization then AppLocker is something you should be considering. Also, if your organization has a known and manageable number of applications then you have an additional reason. Ask the question, does your organization have the resources to test policies against the organization’s requirements? Or the resources to involve Help Desk or to build a self-help process for end-user application access issues? If yes to the above, then AppLocker would be a great addition to your organization’s application control policies.
Software that enhances the way an organization controls access to its applications and data can play a significant role in boosting efficiency. AppLocker is one such platform. With all the great features available, it can easily become a fantastic tool for your IT team. Not only does it simplify access control management, but its various actions will also result in greater security. Without a doubt, AppLocker can be a valuable addition to your application control policies.
The icon for Microsoft Edge is now placed by default in every user profile.
It is not placed in Public Desktop, but created for each user at logon (DOH!)
Thank god there is a way to stop this behavior.
You can simply add the following registry key:
If you're using MDT (Microsoft Deployment Toolkit) or ConfigMgr (System Center Configuration Manager),
You can add the following oneliner task sequence step, to stop the creation of the Microsoft Edge icon.
Commandline: reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer /v DisableEdgeDesktopShortcutCreation /t REG_DWORD /d 1
In case you're wondering what I have in the steps to disable Cortana, let me share them:
Registry tweaks for Build and Capture or Windows 10 Deployment task sequences
The malware requires administrator rights to the local computer. Standard users should not have this permission. Consider restricting who has local admin rights to prevent execution of exploit code within organisations. Home users should also consider using a Standard User Account for day-to-day operations.
Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know.
Ensure you have the latest updates installed for your anti-virus software.
Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share.
Prevent users from writing data outside of designated areas on the local hard disk to prevent data loss if attack occurs.
Operate a least privileged access model with employees. Restrict who has local administration access.
Petya does not encrypt files. It encrypts the Master File Table, which is the index of where all the files are stored on a hard disk drive.
“Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That’s why patched systems can get hit.”
Mikko Hypponen, Chief Research Officer at F-Secure, confirms.
PT Security, a UK-based cyber security company, and Amit Serper from Cybereason have discovered a kill switch for Petya ransomware. According to a tweet, the company has advised users to create a file, i.e. “C:\Windows\perfc”, to prevent ransomware infection.