In March 2020, Microsoft is going to release a update which will essentially disable the use of unsigned LDAP which will be the default. This means that you can no longer use bindings or services which binds to domain controllers over unsigned ldap on port 389. You can either use LDAPS over port 636 or using StartTLS on port 389 but it still requires that you addd a certificate to your domain controllers. This hardening can be done manually until the release of the security update that will enable these settings by default.
How to add signed LDAPS to your domain controllers
You can read more about the specific change here –> https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows you can also read more here –> https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-update-now/ba-p/921536
After the change the following features will be supported against Active Directory.
How will this affect my enviroment?
Clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or on LDAP simple binds over a non-SSL/TLS connection stop working after you make this configuration change. This also applies for 3.party solutions which rely on LDAP such as Citrix NetScaler/ADC or other Network appliances, Vault and or authentication mechanisms also rely on LDAP. If you haven’t fixed this it will stop working. This update will apply for all versions.
Windows Server 2008 SP2,
Windows 7 SP1,
Windows Server 2008 R2 SP1,
Windows Server 2012,
Windows Server 2012 R2,
Windows 10 1507,
Windows Server 2016,
Windows 10 1607,
Windows 10 1703,
Windows 10 1709,
Windows 10 1803,
Windows 10 1809,
Windows Server 2019,
Windows 10 1903,
Windows 10 1909
How to check if something is using unsigned LDAP?
If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server will log a summary under eventid 2888 one time every 24 hours when such bind attempts occur. Microsoft advises administrators to enable LDAP channel binding and LDAP signing as soon as possible before March 2020 to find and fix any operating systems, applications or intermediate device compatibility issues in their environment.
You can also use this article to troubleshoot https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs
The Microsoft Deployment Toolkit (MDT), build 8450, is now available on the Microsoft Download Center. This update supports the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1709, available on the Microsoft Hardware Dev Center(adksetup.exe file version 10.1.16299.15).
Here is a summary of the significant changes in this build of MDT:
- Supported configuration updates
- Windows ADK for Windows 10, version 1709
- Windows 10, version 1709
- Configuration Manager, version 1710
- Quality updates (titles of bug fixes)
- Win10 Sideloaded App dependencies and license not installed
- CaptureOnly task sequence doesn’t allow capturing an image
- Error received when starting an MDT task sequence: Invalid DeploymentType value “” specified. The deployment will not proceed
- ZTIMoveStateStore looks for the state store folder in the wrong location causing it to fail to move it
- xml contains a simple typo that caused undesirable behavior
- Install Roles & Features doesn’t work for Windows Server 2016 IIS Management Console feature
- Browsing for OS images in the upgrade task sequence does not work when using folders
- MDT tool improperly provisions the TPM into a Reduced Functionality State (see KB 4018657 for more information)
- Updates to ZTIGather chassis type detection logic
- Upgrade OS step leaves behind SetupComplete.cmd, breaking future deployments
- Includes updated Configuration Manager task sequence binaries
See the following post on How to get help with MDT.
1. Install the Powershell Get Module
Installing items from the Gallery requires the latest version of the PowerShellGet module, which is available in Windows 10, in Windows Management Framework (WMF) 5.0, or in the MSI-based installer (for PowerShell 3 and 4).
With the latest PowerShellGet module, you can:
Supported Operating Systems
The PowerShellGet module requires PowerShell 3.0 or newer.
Therefore, PowerShellGet requires one of the following operating systems:
- Windows 10
- Windows 8.1 Pro
- Windows 8.1 Enterprise
- Windows 7 SP1
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1
PowerShellGet also requires .NET Framework 4.5 or above. You can install .NET Framework 4.5 or above from here.
2. Find-Module -Name VMware.PowerCLI
3. Install-Module -Name VMware.PowerCLI -Scope CurrentUser
4. When you start Powershell VMware.Powershell is automatically loaded
You might not be able to send email with an Outlook.com, Office 365, or Exchange account until you update to iOS 11.0.1.
If your email account is hosted by Microsoft on Outlook.com or Office 365, or an Exchange Server 2016 running on Windows Server 2016, you might see this error message when you try to send an email with iOS 11: “Cannot Send Mail. The message was rejected by the server.”
To fix the issue, update to iOS 11.0.1 or later.
Learn about the new paths for IT pros:
- PowerShell: Beginner. Step up your IT pro game with foundational knowledge of PowerShell. Learn to use the command line to solve an issue, automate your infrastructure, and more.
- PowerShell: Advanced. Go beyond the basics with scripting, reusable tools, and cmdlets—all taught by the architect and inventor of PowerShell, Jeffrey Snover.
- Security for IT Pros. Beef up your security know-how with practical tips and tricks from the Microsoft security team.
- DevOps for IT Pros. Your devs need you! Learn more about application performance and support monitoring with Microsoft Azure.
- Introduction to Windows Server 2012 R2. Command this leading-edge server with tutorials on installation, roles, Microsoft Active Directory, storage, performance management, and maintenance.
- Windows Server 2012 R2 Security and Identity. Build upon your security knowledge with Windows Server 2016 fundamentals, like Active Directory, basic PKI, and BYOD concepts.
- Windows Server 2012 R2 Compute. Discover everything you need to know about virtualization and storage with courses on IP address management, server networking, Microsoft Hyper-V, and more.
Microsoft have released both Windows 10 version 1703 and ADK 1703 last week, one is on MSDN the other on Microsoft’s download site.
Download the media
Two Know Issues:
OSD – App-V tools are missing in ADK 1703 when being installed on Windows Server 2016 (sometimes)
OS Deployment – Installing ADK 1703 on Windows Server 2016 could fail
Exchange Team announcing an update to our support policy for Windows Server 2016 and Exchange Server 2016. At this time we do not recommend customers install the Exchange Edge role on Windows Server 2016. We also do not recommend customers enable antispam agents on the Exchange Mailbox role on Windows Server 2016 as outlined in Enable antispam functionality on Mailbox servers.
Why are we making this change?
In our post Deprecating support for SmartScreen in Outlook and Exchange, Microsoft announced we will no longer publish content filter updates for Exchange Server. We believe that Exchange customers will receive a better experience using Exchange Online Protection (EOP) for content filtering. We are also making this recommendation due to a conflict with the SmartScreen Filters shipped for Windows, Microsoft Edge and Internet Explorer browsers. Customers running Exchange Server 2016 on Windows Server 2016 without KB4013429 installed will encounter an Exchange uninstall failure when decommissioning a server. The failure is caused by a collision between the content filters shipped by Exchange and Windows which have conflicting configuration information in the Windows registry. This collision also impacts customers who install KB4013429 on a functional Exchange Server. After the KB is applied, the Exchange Transport Service will crash on startup if the content filter agent is enabled on the Exchange Server. The Edge role enables the filter by default and does not have a supported method to permanently remove the content filter agent. The new behavior introduced by KB4013429, combined with our product direction to discontinue filter updates, is causing us to deprecate this functionality in Exchange Server 2016 more quickly if Windows Server 2016 is in use.
What about other operating systems supported by Exchange Server 2016?
Due to the discontinuance of SmartScreen Filter updates for Exchange server, we encourage all customers to stop relying upon this capability on all supported operating systems. Installing the Exchange Edge role on supported operating systems other than Windows Server 2016 is not changed by today’s announcement. The Edge role will continue to be supported on non-Windows Server 2016 operating systems subject to the operating system lifecycle outlined at https://support.microsoft.com/lifecycle.
Help! My services are already crashing or I want to proactively avoid this
If you used the Install-AntiSpamAgents.ps1 to install content filtering on the Mailbox role:
- Find a suitable replacement for your email hygiene needs such as EOP or other 3rd party solution
- Run the Uninstall-AntiSpamAgents.ps1 from the \Scripts folder created by Setup during Exchange installation
If you are running the Edge role on Windows Server 2016:
- Delay deploying KB4013429 to your Edge role or uninstall the update if required to restore service
- Deploy the Edge role on Windows Server 2012 or Windows Servers 2012R2 (Preferred)
Support services is available for customers who may need further assistance