Friday, September 15, 2017

Bitlocker recovery without MBAM and AD

Some of you may miss Bitlocker Active Directory Recovery. This feature was skipped in 1607 (!).

So you need MBAM instead, which is in general a good idea.

But for MBAM you generally need MDOP under Software Assurance (SA), and there is a constellation where you can't get MBAM normally when buying Windows under CSP.

There is, as always, a solution: the recovery key comes out of the Azure AD box :-)

Pieter Wiegleven has documented the full solution here:

Have fun!

Solution for blurry screen when docking notebook

I got my new Surface Book and docking station and thought this would drive my two 27-inch screens nicely. After docking the notebook I got a very blurry picture. After some research I found a solution: the cause is wrong display settings, which you can easily fix. This solution is not limited to Surface Books. ;-)

You need to make the external monitor the "main display".
You also need to sign off and on again while the docking station is connected.
After this your screen should be crisp and clear.

Monday, September 4, 2017

Windows Defender Application Guard (updated)

With the new release of Windows 10 (1709) there is a great new feature called "Windows Defender Application Guard".

The idea is to limit access to the system by isolating the browsing experience, locking in attackers who would potentially use the browser as their way into the system.
This feature lets your Edge browser run in a VM for unknown websites. You will not experience a VM startup; it just feels like a "different private mode" in your browser.

A good overview of how it works behind the scenes can be found in this video:

End-users can tell the difference by a visual indicator in the browser.

You can manage it through GPOs, defining which trusted websites (e.g. organizational websites) should be opened in Edge normally, i.e. with the full set of Win32 APIs available.

All other websites are opened in the sandboxed version of Edge. The sandboxing is realized by Hyper-V virtualization. The container includes a kernel with a limited set of Win32 APIs, which makes it even harder to break in. And even if a break-in is possible, the attacker is locked inside the virtualization layer. When you close the browser the threat is gone too, as this is a non-persistent environment.

Additionally this is tied into Windows Defender Advanced Threat Protection, so you even get notified if someone tried to compromise your environment.

To get more information on this, check out this site.

And to get the FULL CURRENT (1709) holistic Microsoft security view, please check out this recent video, which covers more than just Application Guard; Application Guard is one brick in a bigger wall.

Enabling it is relatively simple (depending on the HW requirements),
but you need to fulfil the following requirements:
  • Windows 10 Enterprise SKU only
  • PC must support Hyper-V (some older PCs may not support Hyper-V or have this feature disabled in BIOS)
  • Windows Defender Application Guard is Off by default, it must be enabled manually or by policy
  • Hardware Limits:
    • Min. 4 (!) logical processors (e.g. dual core + Hyperthreading)
    • Min. 8 GB RAM
    • Min. 5 GB HDD disk space
    • When you fulfil these limits and enable GuestVirtualization in Hyper-V (only possible via PowerShell), then it also works in a VM.
Otherwise the feature is greyed out!
Currently WDAG is a bit tricky with updates. It worked in 16299.19 in the English-US version of Windows, but update KB4043961 broke the feature, so you need to dismiss this update. Other languages may also not work right away, but from build 17035 onwards it starts working in German again.
1. You need to enable Windows Defender Application Guard in the "Windows Features"
(Screenshot: WDAG Turn on and off features.png)
2. You need to set up the policies for WDAG (very important!)
  • Network Isolation Policies (defining what is the enterprise network)
    Computer Configuration\Administrative Templates\Network\Network Isolation
  • Application Guard Policies (defining WDAG behaviour)
    Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard
More about the policies can be found here:
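As an added example (not from the original post), here is a PowerShell script that checks the hardware and SKU requirements listed above, enables the optional feature from step 1, and exposes virtualization extensions to a lab VM for the GuestVirtualization case. The cmdlets, the feature name Windows-Defender-ApplicationGuard and the Get-ComputerInfo properties are real; the three function names are my own.

```powershell
# Added example, not the post's own code. Run from an elevated PowerShell
# on the Windows 10 client; Enable-NestedVirtualizationForVm runs on the host.
function Test-WdagPrerequisites {
    $cs = Get-CimInstance Win32_ComputerSystem
    $os = Get-CimInstance Win32_OperatingSystem
    $ci = Get-ComputerInfo
    # Installed RAM (exact module capacity) and free space on the system drive, in GB.
    $ramGB  = (Get-CimInstance Win32_PhysicalMemory | Measure-Object Capacity -Sum).Sum / 1GB
    $freeGB = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'").FreeSpace / 1GB
    # Hyper-V: either the hypervisor already runs (then the HyperVRequirement*
    # values are empty) or firmware/CPU support for it must be present.
    $hv = $ci.HyperVisorPresent -or (
        $ci.HyperVRequirementVirtualizationFirmwareEnabled -and
        $ci.HyperVRequirementSecondLevelAddressTranslation -and
        $ci.HyperVRequirementVMMonitorModeExtensions -and
        $ci.HyperVRequirementDataExecutionPreventionAvailable)
    [pscustomobject]@{ Check = 'Windows 10 Enterprise SKU'; Ok = ($os.Caption -like '*Enterprise*'); Value = $os.Caption }
    [pscustomobject]@{ Check = 'Min. 4 logical processors'; Ok = ($cs.NumberOfLogicalProcessors -ge 4); Value = $cs.NumberOfLogicalProcessors }
    [pscustomobject]@{ Check = 'Min. 8 GB RAM';             Ok = ($ramGB -ge 8);  Value = ('{0:N1} GB' -f $ramGB) }
    [pscustomobject]@{ Check = 'Min. 5 GB free disk';       Ok = ($freeGB -ge 5); Value = ('{0:N1} GB' -f $freeGB) }
    [pscustomobject]@{ Check = 'Hyper-V capable';           Ok = [bool]$hv;       Value = [bool]$ci.HyperVisorPresent }
}

function Enable-Wdag {
    $results = Test-WdagPrerequisites
    $results | Format-Table -AutoSize
    if ($results.Ok -contains $false) {
        Write-Warning 'Prerequisites not met; the feature would stay greyed out.'
        return
    }
    # Same as ticking "Windows Defender Application Guard" in Windows Features.
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
}

# Lab only: run on the Hyper-V HOST while the VM is powered off, so the guest
# can itself start the WDAG container (the GuestVirtualization step above).
function Enable-NestedVirtualizationForVm {
    param([Parameter(Mandatory)][string]$VMName)
    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
}

Enable-Wdag
```

A reboot is still required after the feature is enabled, and the Network Isolation and Application Guard policies from step 2 must be set separately.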