
Monday, November 20, 2017

GPO debug logging

Sometimes you need to search deeper to check why GPOs don't get applied.



To do so, you can enable the debug logging of the Group Policy client service (gpsvc).
Please DO NOT FORGET TO DISABLE IT AFTERWARDS!!!

To enable logging to the Gpsvc.log file, follow this step-by-step guide:

  1. Click Start, click Run, type regedit, and then click OK.

  2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion

  3. On the Edit menu, point to New, and then click Key.

  4. Type Diagnostics, and then press ENTER.

  5. Right-click the Diagnostics subkey, point to New, and then click DWORD Value.

  6. Type GPSvcDebugLevel, and then press ENTER.

  7. Right-click GPSvcDebugLevel, and then click Modify.

  8. In the Value data box, type 0x30002, and then click OK.

  9. Exit Registry Editor.

  10. At a command prompt, type the following command, and then press ENTER:

  gpupdate /force

  11. View the Gpsvc.log file in the following folder:

  %windir%\debug\usermode

Note - if the usermode folder does not exist under %WINDIR%\debug\ the gpsvc.log file will not be created. If the usermode folder does not exist, create it under %windir%\debug.
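The same round trip as a script, as an added example (not from the original post): enable the logging, run gpupdate, pull the interesting lines out of gpsvc.log and switch the logging off again. The registry path, value name and the value 0x30002 are the ones from the steps above; the folder check mirrors the note about %windir%\debug\usermode. The Select-String pattern is only a starting point for reading the log. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): gpsvc debug logging via PowerShell.
# Run elevated.

$diagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$logDir  = Join-Path $env:windir 'debug\usermode'
$logFile = Join-Path $logDir 'gpsvc.log'

function Enable-GpsvcDebugLog {
    # Create the Diagnostics subkey if it does not exist yet
    if (-not (Test-Path $diagKey)) { New-Item -Path $diagKey -Force | Out-Null }
    # DWORD 0x30002 = verbose logging of the Group Policy client service
    New-ItemProperty -Path $diagKey -Name 'GPSvcDebugLevel' -PropertyType DWord `
        -Value 0x30002 -Force | Out-Null
    # Without this folder the log file is silently not created (see the note above)
    if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory | Out-Null }
    Write-Host "gpsvc debug logging enabled; log will be written to $logFile"
}

function Disable-GpsvcDebugLog {
    # Remove the value again once troubleshooting is done (the post's big warning)
    Remove-ItemProperty -Path $diagKey -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
    Write-Host 'gpsvc debug logging disabled'
}

# Typical troubleshooting round trip
Enable-GpsvcDebugLog
gpupdate /force | Out-Null

# Show the lines that usually matter: errors and the per-phase GPO processing results
# (pattern is a starting point, not a complete list of useful markers)
Select-String -Path $logFile -Pattern 'error|failed|ProcessGPOs' | Select-Object -Last 40

Disable-GpsvcDebugLog
```

The disable step is part of the script on purpose: the log is verbose and keeps growing, so it should only be on for the duration of the test.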


Thanks to CSS for the hint ;-)


Also check this out: https://technet.microsoft.com/en-us/library/cc749336


If you want to go REALLY DEEP, then you find more guidance here:
https://mva.microsoft.com/en-US/training-courses/windows-performance-jump-start-8830
You will then need the Windows Performance Recorder, which traces EVERYTHING on your system. Be aware that this is searching for a needle in a haystack, as it produces gigabytes of binary logs!!!

Thursday, October 26, 2017

Serious vulnerability: RSA-Keys generated by Infineon TPMs are Insecure

Normally I do not write about single security vulnerabilities, except when they are really serious, a little bit odd and outside the normal security scope (like patching vulnerable Windows services, which is done automatically on patch days). Here manual interaction is necessary!

Today we talk about a serious one in Infineon TPMs. It is a bug in the firmware implementation which unfortunately affects many different models from many different vendors. It is CVE-2017-15361, also referred to as "Return of Coppersmith's Attack" (ROCA).

ATTENTION! Applying the firmware update is not enough! You will need additional steps depending on which Microsoft services and functions you used with the TPM before, e.g. BitLocker, Active Directory etc.!!!




Affected are INFINEON TPM chips, which are used widely.

Here is the MS Security Advisory (on first access you need to accept the EULA; afterwards you may need to click this link again!!!):
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012

Here is the Infineon Statement
https://www.infineon.com/TPM-update


List of affected models by vendor
(list not complete, just major vendors included, but it may already include the right firmware update packages by model!)


ACER
https://us.answers.acer.com/app/answers/detail/a_id/51137

Dell (hardly affected)
http://www.dell.com/support/article/SLN307820

HP (Consumer)
https://support.hp.com/us-en/document/c05792935

HP (Enterprise Support)
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03789en_us

Lenovo
https://support.lenovo.com/us/en/product_security/LEN-15552

Fujitsu
http://www.fujitsu.com/global/support/products/software/security/products-f/ifsa-201701e.html

Toshiba
http://go.toshiba.com/tpmsecuritynotice


Known affected vendors (by 10/24/2017)
(for newer information check the CVE above again!)
  • Atos SE
  • Dell
  • Fujitsu
  • Gemalto AV
  • Google
  • Hewlett Packard Enterprise
  • Infineon Technologies AG
  • Lenovo
  • Microsoft Corporation
  • Rubrik
  • WinMagic
  • Yubico

Microsoft Devices affected:

If your hardware is a Surface device, firmware updates are not yet available as of October 10, 2017. Microsoft is working to make firmware updates available for the following affected devices and will provide links to the updates when they become available.

  • Surface Book
  • Surface Pro 3
  • Surface Pro 4
  • Surface Studio
  • Surface Hub
Note that the Surface 3, Surface Laptop, and the Surface Pro released in June 2017 are NOT affected by this vulnerability.

To check your own machine:
  1. Apply the latest MS October 2017 cumulative patch!
  2. Open "TPM.msc"
  3. Check the Status entry
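For checking many machines, TPM.msc does not scale. The following is an added example (not from the original post and not Microsoft's own tooling) that collects the same information with PowerShell: the TPM manufacturer and firmware version from Get-Tpm, plus the recent TPM-WMI entries from the System log. 'IFX' is the vendor string Get-Tpm reports for Infineon. Assumption: after the October 2017 cumulative update, Windows records a TPM-WMI event for affected firmware; the script lists those events for review rather than hard-coding an event ID, so compare the output with the advisory.

```powershell
# Added example (not from the original post or from Microsoft): local TPM inventory
# to decide whether a machine is in scope for the Infineon firmware update and the
# follow-up actions from ADV170012. Run elevated (Get-Tpm requires it).

function Get-TpmRocaReport {
    $tpm = Get-Tpm
    $manufacturer = ($tpm.ManufacturerIdTxt).Trim()

    $report = [ordered]@{
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        Manufacturer    = $manufacturer
        FirmwareVersion = $tpm.ManufacturerVersion
        # 'IFX' is the TCG vendor string for Infineon
        IsInfineon      = ($manufacturer -eq 'IFX')
    }

    # Recent TPM-WMI events; a firmware warning here means the machine needs the
    # update AND the extra steps from the advisory (assumption: see lead-in)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'
    } -MaxEvents 20 -ErrorAction SilentlyContinue
    $report['TpmWmiEvents'] = @($events | Select-Object TimeCreated, Id, Message)

    [pscustomobject]$report
}

$r = Get-TpmRocaReport
$r | Format-List

if ($r.IsInfineon) {
    Write-Warning ('Infineon TPM detected (firmware {0}): compare with the vendor list, ' +
                   'apply the update, then follow the "Recommended Actions" in ADV170012.' -f $r.FirmwareVersion)
}
```

The firmware version string is what you compare against the vendor pages listed above; the event list tells you whether Windows itself already flagged the chip after the October patch.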



Additional steps are needed!
Therefore check out the section "Recommended Actions" in the Microsoft Advisory:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012


Special thanks to Andreas Erber, who brought this to my attention!

Friday, September 15, 2017

Bitlocker recovery without MBAM and AD

Some of you may miss BitLocker Active Directory recovery. This feature was skipped in 1607 (!).
Reference: https://docs.microsoft.com/en-us/windows/device-security/tpm/backup-tpm-recovery-information-to-ad-ds

So you need MBAM instead, which is in general a good idea.

But for MBAM you generally need MDOP under SA, and there is a constellation where you cannot get MBAM the normal way when buying Windows under CSP.

There is, as always, a solution: the recovery key out of the Azure AD box :-)



Pieter Wiegleven has documented the full solution here:
https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2017/06/07/hardware-independent-automatic-bitlocker-encryption-using-aadmdm/

Have fun!

Solution for blurry screen when docking notebook

I got my new Surface Book and docking station and thought this would boost my 2x27 inch screens. After docking my notebook I got a very blurry experience. After some research I found a solution. The reason is wrong settings, which you can easily fix. This solution is not limited to Surface Books. ;-)

Before:


After:

Solution:
You need to make the external monitor the "main display".
Also you need to sign off and on again while you are connected.
After this your screen should be crisp and clear.

Monday, September 4, 2017

Windows Defender Application Guard (updated)

With the new release of Windows 10 1709 there is a great new feature out called "Windows Defender Application Guard".

The idea is to limit access to the system by isolating the browser experience and locking in attackers who potentially use the browser to enter the system.

This feature lets your Edge browser run in a VM for unknown websites. You will not experience a VM startup. It just feels like a "different private mode" in your browser.

A good explanation of how it works behind the scenes can be found in this video:

 
End-users know the difference by a visual representation.




You can manage it through GPOs, telling which trusted websites (e.g. organizational websites) should be opened in Edge normally, also using the full set of Win32 APIs.

All other websites are opened in the sandboxed version of Edge. The sandboxing is realized by Hyper-V virtualization. It includes a kernel with a limited set of Win32 APIs to make it even harder to break in. But even if it is possible to break in, the attacker is locked in the virtualization layer. When you close the browser the threat is also gone, as this is a non-persistent environment.

Additionally this is tied into Windows Defender Advanced Threat Protection, so you even get notified if someone tried to compromise your environment.



To get more information on this, check out this site:
https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge


And to get the FULL CURRENT (1709) holistic Microsoft security view, please check out this recent video, which covers more than just Application Guard, which is one brick in a bigger wall.


 
Enabling it is relatively simple (depending on HW requirements).

But you need to fulfill the requirements:

  • Windows 10 Enterprise SKU only
  • PC must support Hyper-V (some older PCs may not support Hyper-V or have this feature disabled in BIOS)
  • Windows Defender Application Guard is off by default; it must be enabled manually or by policy
  • Hardware limits:
    • Min. 4 (!) logical processors (e.g. dual core + hyperthreading etc.)
    • Min. 8 GB RAM
    • Min. 5 GB HDD disk
    • When you stay within these limits and enable GuestVirtualization in Hyper-V (only possible via PowerShell), then it also works in a VM.
Otherwise the feature is greyed out!

Currently WDAG reacts a bit tricky to updates. It worked in 16299.19 in the English-US version of Windows. Update KB4043961 broke the feature, so you need to dismiss this update. Also other languages may not work right away. But from build 17035 onwards it also starts working in German again.
 
1. You need to enable Windows Defender Application Guard in the "Windows Features"

WDAG Turn on and off features.png

2. You need to set up the policies for WDAG (very important!)
  • Network Isolation Policies (defining what is the enterprise network)
    Computer Configuration\Administrative Templates\Network\Network Isolation
  • Application Guard Policies (defining WDAG behaviour)
    Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard
You find more about the policies here:
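The requirement checks and the "Windows Features" step above can be scripted, which is useful before a rollout to find the machines where the feature would stay greyed out. This is an added example (not from the original post and not Microsoft's own script). The optional feature name Windows-Defender-ApplicationGuard and the Set-VMProcessor -ExposeVirtualizationExtensions switch (the PowerShell-only "works in a VM" case from the list) are real; the thresholds are the post's numbers. Assumption: the Win32_Processor VirtualizationFirmwareEnabled flag is used as the "BIOS supports Hyper-V" indicator, which may read false on a host where a hypervisor is already running.

```powershell
# Added example (not from the original post or from Microsoft): WDAG prerequisite
# check and feature enablement. Run elevated.

function Test-WdagRequirements {
    $cs  = Get-CimInstance Win32_ComputerSystem
    $os  = Get-CimInstance Win32_OperatingSystem
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $sys = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')

    [pscustomobject]@{
        LogicalProcessors   = $cs.NumberOfLogicalProcessors                    # post: min. 4
        MemoryGB            = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)  # post: min. 8
        FreeDiskGB          = [math]::Round($sys.Free / 1GB, 1)               # post: min. 5
        EnterpriseSku       = ($os.Caption -like '*Enterprise*')
        # assumption: VT-x/AMD-V enabled in firmware (false if a hypervisor already runs)
        VtEnabledInFirmware = $cpu.VirtualizationFirmwareEnabled
        HypervisorPresent   = $cs.HypervisorPresent
    }
}

function Enable-Wdag {
    $check = Test-WdagRequirements
    $ok = $check.LogicalProcessors -ge 4 -and $check.MemoryGB -ge 8 -and
          $check.FreeDiskGB -ge 5 -and $check.EnterpriseSku
    if (-not $ok) {
        $check | Format-List | Out-String | Write-Warning
        throw 'WDAG requirements not met; the feature would stay greyed out.'
    }
    # Same as ticking "Windows Defender Application Guard" in Windows Features
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
}

# Only for testing WDAG inside a Hyper-V VM: run this on the HOST with the VM
# powered off, so the guest gets virtualization extensions (nested virtualization)
function Enable-NestedVirtualization {
    param([Parameter(Mandatory)][string]$VmName)
    Set-VMProcessor -VMName $VmName -ExposeVirtualizationExtensions $true
}

Test-WdagRequirements
# Enable-Wdag    # uncomment on the target machine; a reboot is required afterwards
```

Test-WdagRequirements on its own is read-only, so it is safe to run in an inventory script; Enable-Wdag is the actual change and still needs the GPO policies from step 2 before the feature does anything useful.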

Tuesday, August 22, 2017

Corporate settings - custom default background

One of my customers recently asked me how to preset the default backgrounds to more corporate-like backgrounds. After some investigation I found out how to change this.

Check out the registry key and folders here:
The first of the five pictures is the CURRENT background, which is stored in a different folder than the HISTORICAL ones.




You need to modify the pictures in these folders:

C:\Windows\Web\Wallpaper\Windows -> This is the current img0.jpg (the blue Windows logo)
C:\Windows\Web\Wallpaper\Theme1 -> here you find the history of last used pictures. This will change during usage. 

The responsible Registry key is: 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers

Keep in mind that this CURRENT USER registry key would need to be modified via the default profile.

But I would recommend keeping the registry key as it is and simply replacing the corresponding file img0.jpg in the Wallpaper\Windows folder and the files img1.jpg, img2.jpg, img3.jpg, img4.jpg in the Wallpaper\Theme1 folder. Please keep in mind that the Theme1 folder is hidden!
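The file replacement recommended above, as an added example (not from the original post): it backs up the five originals and copies corporate images over them, without touching the registry key. C:\corp\wallpaper is an assumed source folder containing img0.jpg to img4.jpg. The takeown/icacls step is my addition: the files under C:\Windows\Web are owned by TrustedInstaller and cannot simply be overwritten, even by an administrator. Run elevated.

```powershell
# Added example (not from the original post): replace the current and historical
# wallpaper files with corporate images, keeping backups. Run elevated.

$source  = 'C:\corp\wallpaper'                       # assumption: img0.jpg .. img4.jpg prepared here
$current = "$env:windir\Web\Wallpaper\Windows"        # img0.jpg, the current background
$history = "$env:windir\Web\Wallpaper\Theme1"         # img1..img4.jpg, hidden folder per the post
$backup  = "$env:windir\Web\Wallpaper\backup-$(Get-Date -Format yyyyMMdd)"

# Map each file name to the folder it lives in
$targets = @{ 'img0.jpg' = $current }
'img1.jpg', 'img2.jpg', 'img3.jpg', 'img4.jpg' | ForEach-Object { $targets[$_] = $history }

New-Item -Path $backup -ItemType Directory -Force | Out-Null

foreach ($name in $targets.Keys) {
    $dest = Join-Path $targets[$name] $name
    $src  = Join-Path $source $name

    if (-not (Test-Path $src)) { Write-Warning "missing $src, skipping"; continue }

    if (Test-Path $dest) {
        Copy-Item $dest (Join-Path $backup $name) -Force
        # The originals belong to TrustedInstaller: take ownership and grant the
        # built-in Administrators group (SID, so it works on localized Windows) full control
        takeown.exe /F $dest | Out-Null
        icacls.exe $dest /grant '*S-1-5-32-544:F' | Out-Null
    }

    Copy-Item $src $dest -Force
    Write-Host "replaced $dest (backup in $backup)"
}
```

Because the script never touches HKEY_CURRENT_USER, it works the same for every user on the machine and survives profile creation, which is exactly why the file route is preferable to the registry route.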

Windows 10 password self-service solution - nearly - built-in

Recently a customer asked me how to add a browser window to the lock screen before login, so they could add their "old" password self-service solution to the user experience again.

Microsoft added the password self-service solution of Azure AD Premium also for local clients, without the need for a website. You can reset your password directly on the logon screen by clicking on "Problems Logging In?"


Sorry, the picture shows it on Windows 8; for Windows 10 I did not find a picture. Microsoft neither. But it looks nearly the same in the UI.

To verify yourself you will receive a phone call on a pre-registered phone. It may also include additional security questions when you add them during the verification process.



You therefore need either Microsoft Identity Manager (MIM) or Azure Active Directory Premium, which includes the on-premises license for the full MIM for server and client. That's why I say "nearly" built-in. You need a "little extra MS".

If you have Enterprise Mobility & Security then you already have it :-)

Here you find more info and screenshots about it:
https://docs.microsoft.com/en-us/microsoft-identity-manager/working-with-self-service-password-reset

Monday, August 21, 2017

Windows cumulative updates cause WSUS to fail

Recently Microsoft released an interesting article about WSUS failing to deliver updates to Windows clients. Currently affected are versions before 1703, but due to the nature of the updates and the issue this will soon be the case for the current version as well.



Short story:
High CPU and memory consumption in the WSUS process (w3wp.exe IIS worker process) due to the high volume of metadata caused by later and therefore larger cumulative updates for Windows 10.
 
The symptoms include:
  • High CPU on your WSUS server – 70-100% CPU in w3wp.exe hosting WsusPool
  • High memory in the w3wp.exe process hosting the WsusPool – customers have reported memory usage approach 24GB
  • Constant recycling of the W3wp.exe hosting the WsusPool (identifiable by the PID changing)
  • Clients failing to scan with 8024401c (timeout) errors in the WindowsUpdate.log
  • Mostly 500 errors for the /ClientWebService/Client.asmx requests in the IIS logs
The solution is:
  • Configure IIS to stop recycling the IIS pool
  • Limit the number of inbound connections to IIS
  • Increase the ASP.net timeout
  • Monitor the processes
Long Story with solution details:
https://blogs.technet.microsoft.com/configurationmgr/2017/08/18/high-cpuhigh-memory-in-wsus-following-update-tuesdays/
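The four solution bullets above, as an added example in PowerShell (not from the original post and not Microsoft's script): it uses the WebAdministration module on the WSUS server. The pool name WsusPool and the IIS property names are real; the numeric limits (queue length, timeout) are placeholders that you should replace with the values from the linked article, and the ClientWebService web.config path is assumed to be the default WSUS installation path. Run elevated on the WSUS server.

```powershell
# Added example (not from the original post or Microsoft's article): WSUS pool tuning.
# Run elevated on the WSUS server.

Import-Module WebAdministration
$pool = 'IIS:\AppPools\WsusPool'

# 1. Stop the pool from recycling under load: 0 removes the private memory limit
#    that otherwise triggers a recycle when the metadata processing gets large
Set-ItemProperty $pool -Name recycling.periodicRestart.privateMemory -Value 0

# 2. Limit inbound connections: requests beyond the queue length get rejected
#    instead of piling up (placeholder value, take the real one from the article)
Set-ItemProperty $pool -Name queueLength -Value 2000
# Reject at TCP level while overloaded instead of returning HTTP 503 pages
Set-ItemProperty $pool -Name failure.loadBalancerCapabilities -Value 'TcpLevel'

# 3. Raise the ASP.NET execution timeout of the client web service (seconds, placeholder).
#    Path assumption: default WSUS installation folder.
$webConfig = 'C:\Program Files\Update Services\WebServices\ClientWebService\Web.config'
[xml]$xml = Get-Content $webConfig
$sysWeb = $xml.configuration.'system.web'
$rt = $sysWeb.httpRuntime
if (-not $rt) { $rt = $xml.CreateElement('httpRuntime'); $sysWeb.AppendChild($rt) | Out-Null }
$rt.SetAttribute('executionTimeout', '7200')
$xml.Save($webConfig)

Restart-WebAppPool -Name WsusPool

# 4. Monitor: list the worker process(es) of the pool; run it repeatedly,
#    a changing PID means the pool is still recycling
function Get-WsusPoolWorker {
    Get-ChildItem "$pool\WorkerProcesses" | ForEach-Object {
        $p = Get-Process -Id $_.processId
        [pscustomobject]@{
            PID          = $p.Id
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB)
            CpuSeconds   = [math]::Round($p.CPU, 1)
        }
    }
}
Get-WsusPoolWorker
```

Keep the monitoring function around after the change: the symptoms list above (PID changes, memory growth, 500 errors for Client.asmx) is what you compare its output against to confirm the tuning actually helped.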

Thursday, August 17, 2017

Updated Office 365 release cycle and new deployment method

Microsoft just released new information regarding the new Office 365 release cycle and improved update management.

Good news first:
  • it is aligned with Windows 10
  • it will be managed like Windows 10 with SCCM (at least SCCM 1610)

Checkout this 9 minute video:
https://www.youtube.com/watch?v=d1xHdHsTspY

Thursday, August 10, 2017

How to get to the cool Windows Icons in your text and PowerPoint presentations

Did you ever try to pimp your PowerPoints with some of the cool built-in icons of Windows?

Initially you have two ways.

Way No 1 (Office 365):

If you are lucky and have Office 365, then make use of "Icons" in PowerPoint or in Word. Go to the "Insert" tab first.
This will open this simple-to-use UI:
Simply select the category and icon and click on Insert in the lower right corner.

Way No 2 (older Office versions AND Office 365):

In case you do not have Office 365 and are still stuck with older versions of Office, you may still have "Symbol", which you find in the same ribbon but further to the right! The Symbol icon is greyed out as long as you have no cursor in a text box. Keep in mind that in this case it is a character; in the first case it is a real graphic.

This will open this UI, where you need to select the font "Segoe MDL2 Assets".
If you have both, it is worth checking both places, as the icons may differ from each other.

Best hidden secret: free snapshot and screen recorder in Windows 10

Recently I had to create a video for a project in my company. I did some research on my possibilities on Windows 10, reviewing store apps and doing some testing with Skype for Business recording.



(UPDATED 08/17/2017)


I have some fast-acting animations in my video, and it turns out that even Skype screen recording is not fast enough in sampling the frames.

Finally I found the best built-in and free screen recorder ever available for Windows 10.


Initially, to get it running I had to make sure to get the Xbox app back, which my company had removed from my machine. (Thanks to the Store you can install it again on your machine.)

How does it work?

1. Open the application you want to record, on the window you want to record.
2. Open the Game bar by pressing WIN+G.

3. Click "Yes, this is a game" (assuming it is a game :-)).

4. You will now see the recording panel.
There you have the ability to:
- Start the recording with the "Red Button"
- Take a screenshot with the "Camera Button"
- Start a background recording with the "Arrow backward recording"


5. After pressing record, the UI changes to this:
It also lets you stop the recording there. You will not see the box in your game, and you could even minimize it. ALT+G brings it back if hidden.

6. If you click on the gear you get the built-in settings, but there is even more!
These are the level 1 settings you can set. But there is even more when clicking on "Edit more preferences in Windows Settings".

7. In the Settings app you can configure the keyboard shortcuts etc.
8. Don't miss the "Game DVR" settings, where you can set up the real stuff like storage location, FPS sampling, video quality, audio settings etc.

UPDATE 08/17/2017

Sorry, but I also missed mentioning the great video cutting capabilities of the Xbox app. You can open your created video in the Xbox app and simply cut the start and the end as you need.

Therefore open the video in Xbox Game DVR and select "Trim".

Thursday, July 6, 2017

Virtual Touchpad: a great solution for strange websites on Windows touch devices

Did you ever try to use a website on a Windows touch device and think: with a mouse it works great, but not with touch?

Whenever you have used Google Spreadsheets on a Windows tablet, you know what I mean!

Thanks to the Windows devs there is now a solution available: the new "virtual touchpad".

Simply enable it in the taskbar options with "Show touchpad button".
NOTE: You see this option ONLY on touch-enabled devices!



This gives you the virtual touchpad, which also allows gestures when you enable them.

Friday, June 9, 2017

LEGAL is NO EXCUSE anymore against CLOUD

This blog entry is specifically for German customers still excusing themselves with "we are not allowed to go to the cloud because of laws and regulations". It is a standard excuse without knowing the facts.

I had many discussions about this and NEVER was a customer able to show me the laws applicable to him. If you are honest and willing to "discuss" this, then check out this very valuable German legal cloud event. It was held by Microsoft in Germany in January 2017.


View the virtual event recording here:
(Sorry, it is in GERMAN, as it focuses on the local legal situation!)


https://info.microsoft.com/DE-EMS-WBNR-FY17-01Jan-26-Microsoft-Cloud-Event-Classic-269217_02OnDemandRegistration-ForminBody.html

Recommendation if you have just a little time and want to know about the past and current situation, as the professor for IT law explains it very well (and is also funny): Prof. Dr. Peter Bräutigam starts at 167:13.

Monday, April 10, 2017

Insider program is open for business customers

The Insider Program is now open for business customers. This gives MS much more business-relevant feedback for the further development of Windows.

Please use this important program. It gives higher precedence to solving current or potential issues in the development phase, making sure that your business processes work right away and you do not need to wait until the CBB release to make sure it is working.



The Windows Insider Program for Business was designed to better support the IT Professionals and business users in our Insider community.
You now have the option to download Windows 10 Insider Preview builds using your corporate credentials. This option will also increase the visibility of feedback submitted by you and others in your organization – especially on features that support your productivity and business needs. We’ll also help you deepen your connections with the IT Pro community, collect feedback within your organization, and resolve blocking or critical issues to better support your organization’s needs sooner.
Incorporating Insider Preview Builds into your deployment plans enables you to prepare your organization for the next update of Windows 10, to deploy new services and tools more quickly, to help secure your applications, and to increase productivity and confidence in the stability of your environment.
 
Register HERE
 
 

Monday, February 13, 2017

Windows Update Optimization

Recently I discussed the Windows Update peer-to-peer functionality with one of my customers. MS has also added some GPOs to control this better.


In Windows Update -> Advanced Options -> Choose how updates are delivered
you will find the plain simple setting for this. But you can do much more.


 

 


What it is for:

Windows Update Delivery Optimization enables you to download Windows updates and Windows Store apps from sources other than Microsoft. This can help you get updates and apps more quickly if you have a limited or unreliable Internet connection. If you own more than one PC, Delivery Optimization can reduce the amount of Internet bandwidth that is required to keep all your PCs up-to-date. Delivery Optimization also sends updates and apps from your PC to other PCs on your local network or on the Internet.






You can use Group Policy to configure Windows Update Delivery Optimization. To do this, follow these steps:
  1. Download the Administrative Templates (.admx) file for Windows 10 from the following Microsoft Download Center website:

    • Download Administrative Templates (.admx) for Windows 10 Version 1607 and Windows Server 2016
    • Download Administrative Templates (.admx) for Windows 10 and Windows 10 Version 1511
  2. Copy the following files to the SYSVOL central store:
    • DeliveryOptimization.admx from C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions
    • DeliveryOptimization.adml from C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions\en-US
  3. Start the Gpeditor tool.
  4. Browse to the following location:
    Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization
  5. Make the following Windows Update Delivery Optimization settings, as appropriate.
Source
https://support.microsoft.com/en-us/help/3088114/how-to-use-group-policy-to-configure-windows-update-delivery-optimization-in-windows-10
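Steps 2 and 5 of the procedure above in PowerShell, as an added example (not from the original post or the KB article): the first function copies the Delivery Optimization ADMX/ADML pair from the installed template package into the SYSVOL central store (paths are the ones from step 2, the domain name comes from the environment); the second shows on a client which Delivery Optimization policy values are currently applied. Assumption: policy settings made in the GPO path from step 4 land under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization, with DODownloadMode as the policy equivalent of the "Choose how updates are delivered" setting.

```powershell
# Added example (not from the original post or Microsoft): ADMX copy to the central
# store and a read-out of the applied Delivery Optimization policy.

$src   = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions'
$store = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"

function Copy-DeliveryOptimizationAdmx {
    # Run as a domain admin on a machine with the template package installed
    New-Item -Path (Join-Path $store 'en-US') -ItemType Directory -Force | Out-Null
    Copy-Item (Join-Path $src 'DeliveryOptimization.admx') $store -Force
    Copy-Item (Join-Path $src 'en-US\DeliveryOptimization.adml') (Join-Path $store 'en-US') -Force
    # Show what is now in the store, so a stale copy is easy to spot by date
    Get-ChildItem $store -Filter 'DeliveryOptimization.*' -Recurse |
        Select-Object FullName, LastWriteTime
}

function Get-DeliveryOptimizationPolicy {
    # Run on a client after gpupdate; assumption: this is where the GPO values land.
    # DODownloadMode values as documented for the policy: 0 = HTTP only, 1 = LAN peers,
    # 2 = group, 3 = internet peers, 99 = simple, 100 = bypass
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    if (Test-Path $key) {
        Get-ItemProperty $key | Select-Object * -ExcludeProperty PS*
    } else {
        'no Delivery Optimization policy applied on this client'
    }
}

Copy-DeliveryOptimizationAdmx
Get-DeliveryOptimizationPolicy
```

The read-out function is the quick way to verify that a GPO change really arrived on a client, which otherwise only shows indirectly through bandwidth behaviour.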


What's new in 1607:



There are also additional GPO settings available in 1607 which add more control over this (the support article refers to an obsolete article at the end!). This is the new replacement blog entry from Michael Niehaus:
https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/

Friday, January 27, 2017

Delete an Azure AD tenant - mostly with PowerShell

From time to time I need to clean up my Azure tenant of old unused Azure ADs. When you are an MS partner using https://demos.micrsoft.com you get more and more MODxxxxxx tenants in your Azure portal. Cleaning them up is a bit annoying.


This will help you:
https://blogs.msdn.microsoft.com/ericgolpe/2015/04/30/walkthrough-of-deleting-an-azure-ad-tenant/

If you still have an EMS subscription connected with it, then you need to open a ticket with billing support to release them. This is something you cannot do on your own!

Open the ticket from the Azure portal!

Reveal stored WLAN passwords in Windows 10


Recently a colleague asked me for the WLAN password I used for our guest network in one of our locations. A while ago I had asked for it and then saved it for reuse.

Then I needed it again and thought: "Where is this stored and can I reveal it?"
Yes you can!


1. Simply open an admin CMD.
2. Type in: netsh wlan show profile  (This shows all stored WLAN networks on your system!)



3. Type in: netsh wlan show profile "WLAN NAME" key=clear






The "Key Content" reveals the super-secret password.
For security reasons this only works with an administrative command prompt.


Enjoy your new passwords ;-)





Wednesday, January 25, 2017

Miracast - What is it and how to check for it?

Miracast is an open standard to connect your screen wirelessly to Miracast-capable TVs or Miracast dongles. These dongles typically need external power and provide an HDMI connector for your screen or projector.






As it is an open standard, it also works with Android devices. Chromecast is nothing else than Google's name for Miracast. ;-) The only exception, as always, is Apple. Apple only works with Apple and nothing else, meaning when you want to use such a function on Apple devices you specifically need Apple's AirPlay feature.


Miracast is a further development of Intel's original WiDi (Wireless Display), and it has been supported since Windows 8.1.


To make sure your device supports it, please validate that you have the latest wireless NIC and video card drivers.


It uses a standard called Wi-Fi Direct. This is a second, direct wireless connection between your Miracast adapter and your device. This ensures that you can surf the internet while streaming your video to the Miracast-capable device.


Wireless Network Interface Card (WLAN NIC)
NDIS version minimum supported: 6.30
PowerShell command to check:
Get-NetAdapter | Select Name, NdisVersion




Video Driver Support
To check the video driver support you need at least a WDDM 1.3 driver version!
Therefore simply start the diagnostic program "DXDIAG" on your system.
Open the tool, click on the "Display" tab and check the driver model.
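Both checks above in one script, as an added example (not from the original post): the NDIS version comes from Get-NetAdapter as in the post, and the WDDM driver model is read from a dxdiag text export (dxdiag /t writes the same information shown on the Display tab to a file). The minimum versions are the post's: NDIS 6.30 and WDDM 1.3. Assumption: wireless adapters are identified by their physical media type or a "Wi-Fi/Wireless" description, which covers the usual driver naming.

```powershell
# Added example (not from the original post): Miracast prerequisite check.

function Test-MiracastPrerequisites {
    # Wireless adapters only; NdisVersion is a string like "6.50"
    $wlan = Get-NetAdapter -Physical | Where-Object {
        $_.PhysicalMediaType -like '*802.11*' -or $_.InterfaceDescription -match 'Wi-?Fi|Wireless'
    }
    $ndisOk = $false
    foreach ($a in $wlan) {
        if ([version]$a.NdisVersion -ge [version]'6.30') { $ndisOk = $true }
    }

    # Export dxdiag to a temp file and pull the "Driver Model: WDDM x.y" line(s);
    # a machine with several GPUs gets one line per display device
    $tmp = Join-Path $env:TEMP 'dxdiag-miracast.txt'
    Start-Process dxdiag.exe -ArgumentList "/t `"$tmp`"" -Wait -NoNewWindow
    $wddm = Select-String -Path $tmp -Pattern 'Driver Model:\s*WDDM\s*([\d.]+)' |
            ForEach-Object { [version]$_.Matches[0].Groups[1].Value }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $wddmOk = @($wddm | Where-Object { $_ -ge [version]'1.3' }).Count -gt 0

    [pscustomobject]@{
        WlanAdapters     = @($wlan | Select-Object Name, NdisVersion)
        NdisOk           = $ndisOk
        WddmVersions     = @($wddm)
        WddmOk           = $wddmOk
        MiracastPossible = ($ndisOk -and $wddmOk)
    }
}

Test-MiracastPrerequisites | Format-List
```

If MiracastPossible is false, the output tells you which side (NIC or video driver) to update first, which is the driver refresh the post recommends before trying to connect.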




Troubleshooting tips:
If you encounter issues then this support article may help you:
https://support.microsoft.com/en-us/help/15053/windows-8-project-wireless-screen-miracast