MS15-122 Security Update for Kerberos to Address Security Feature Bypass (Bitlocker)

This security update resolves a security feature bypass in Microsoft Windows. An attacker could bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker. The bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key, the computer is domain-joined, and the attacker has physical access to the computer.

This security update is rated Important for all supported editions of Windows. For more information, see the Affected Software section.

The update addresses the bypass by adding an additional authentication check that runs prior to a password change. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3105256.

Windows 8.1 with Hyper-V external switch – 802.1x will not work

I have Windows 8.1 with Hyper-V installed and virtual machines connected via a Hyper-V External switch. 802.1x wired authentication is not working on the host or in the guest machine (the computer is not responding to switch requests).
If I change the switch mode to Internal/Private it starts working.

Windows 8.1 with a Hyper-V external switch with 802.1x will not work!!!

From https://social.technet.microsoft.com/forums/windows/en-US/341cbe70-3fa7-4991-a7e4-4f1af63df4d0/windows-8-hyperv-8021x-eapol-request-missing I read that the “official” statement from Microsoft is that 802.1x with Hyper-V on Windows 8.1 is not working by design. #Fail Microsoft.

Administrative Templates (.admx) for Windows 10

Microsoft has released the Windows 10 Group Policy (.ADMX) templates. These .ADMX templates are released as a separate download package so you can manage group policy for Windows 10 clients more easily.

This new package includes additional (.ADMX) templates which are not included in the RTM version of Windows 10.

  1. DeliveryOptimization.admx
  2. fileservervssagent.admx
  3. gamedvr.admx
  4. grouppolicypreferences.admx
  5. grouppolicy-server.admx
  6. mmcsnapins2.admx
  7. terminalserver-server.admx
  8. textinput.admx
  9. userdatabackup.admx
  10. windowsserver.admx

To download the Windows 10 Group Policy (.ADMX) templates, please visit http://www.microsoft.com/en-us/download/details.aspx?id=48257

To review which settings are new in Windows 10, review the Windows 10 ADMX spreadsheet here: http://www.microsoft.com/en-us/download/details.aspx?id=25250

Windows 10 build 10240 has released to the Fast Ring… Release To Manufacturing (RTM) build???

Windows 10 build 10240 has been released to the Fast Ring. That’s what I’m running on my laptop now. There were heavy rumors yesterday that this is the Release To Manufacturing (RTM) build and the one to be publicly available on July 29th, but there is no hard confirmation of this by Microsoft yet. See: Build 10240 now available for Windows Insiders in Fast and Slow rings.

“Over the past few days we’ve been preparing our release pipelines and processes, and this build is one step closer to what customers will start to receive on 7/29 …

On Monday we announced that builds from here on will only be available through Windows Update, so to get this one you can either wait and it will be installed automatically.”

Here’s how you prepare to roll it out in your company.

In a previous blog post I wrote about the update you needed for your KMS server to be able to activate Windows 10 clients. Read about that in KB3058168: Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows

Meanwhile Microsoft has also published the Windows 10 client KMS activation keys, which can be found in Appendix A: KMS Client Setup Keys.

Windows 10

Operating system edition            KMS Client Setup Key
Windows 10 Professional             W269N-WFGWX-YVC9B-4J6C9-T83GX
Windows 10 Professional N           MH37W-N47XK-V7XM9-C7227-GCQG9
Windows 10 Enterprise               NPPR9-FWDCX-D2C8J-H872K-2YT43
Windows 10 Enterprise N             DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4
Windows 10 Education                NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
Windows 10 Education N              2WH4N-8QGBV-H22JP-CT43Q-MDWW
Windows 10 Enterprise 2015 LTSB     WNMTR-4C88C-JK8YV-HQ7T2-76DF9
Windows 10 Enterprise 2015 LTSB N   2F77B-TNFGY-69QQF-B8YKP-D69TJ

Do note that this is the key you use when you activate the Windows 10 client against a KMS server. It is not the KMS host (license server) key; that one you need to obtain from your valid Microsoft licenses.

Update that enables Windows 8.1, Windows Server 2012 R2, Windows 8, and Windows Server 2012 Key Management Service (KMS) hosts to activate a later version of Windows.

Windows 10 will be available on July 29th 2015. Microsoft has prepared for this by already releasing an update (KB3058168) that enables Windows 8.1, Windows Server 2012 R2, Windows 8, and Windows Server 2012 Key Management Service (KMS) hosts to activate a “later version of Windows”. That must mean Windows 10. I do not know whether this also covers Windows Server 2016, but it might. Windows 10 will be activated by a KMS host running this update.

Select the version you need for the KMS server or servers you use and install it.

Deploy Windows 10 with MDT 2013 Update 1 “Preview”

Deploying Windows 10 with MDT 2013 Update 1 Preview

Next you need the MDT 2013 Update 1 Preview. To get the preview, you need to first join the MDT Group on Microsoft Connect, if you’re not a member already. Then, prior to downloading the actual preview bits, you’ll need to grab the Windows ADK for Windows 10 Technical Preview, which is a prerequisite for running MDT.

The best build to use is the Windows 10 Technical Preview, build 9926.

So I installed some apps automatically.

Doing some bug checks and feature checks. I will keep you posted.

Fixing User Home Folder rights with Powershell

When I visit companies I often see that the home folder directory does not have the right permissions. Fixing that by hand is a lot of work, so it is time to write about it. I wrote a PowerShell script to fix it and save me and you a lot of time.

Three steps:

1.  Set Share Permissions for the Everyone group to Full Control.

2.  Use the following settings for NTFS Permissions (http://support.microsoft.com/kb/274443):

  • CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only)
  • System – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Everyone – Create Folder/Append Data (Apply onto: This Folder Only)
  • Everyone – List Folder/Read Data (Apply onto: This Folder Only)
  • Everyone – Read Attributes (Apply onto: This Folder Only)
  • Everyone – Traverse Folder/Execute File (Apply onto: This Folder Only)

Pay attention when configuring the home directory or folder redirection policies. If you enable the setting to give the user exclusive access to the folder, you will override the inherited permissions and need to reset the ACL.

3.  Run the following script: Repair-HomeFolderPermissions.ps1

________________________________________________________________________

#########################################################################
# Script: Repair-HomeFolderPermissions.ps1
# Author: Ward Vissers    http://www.wardvissers.nl
# Date: 20/11/2014
# Keywords:
# Comments:
# Pre-Requisites: Full Control over destination folder.
#
# +------------+-----+---------------------------------------------------------+
# |       Date | Usr | Description                                             |
# +------------+-----+---------------------------------------------------------+
# | 20/11/2014 | WV  | Initial Script                                          |
# |            |     |                                                         |
# +------------+-----+---------------------------------------------------------+
#
#   1. http://support.microsoft.com/kb/274443
#
#   2. Set Share Permissions for the Everyone group to Full Control.
#
#   3. Use the following settings for NTFS Permissions:
#
#   CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
#   System - Full Control (Apply onto: This Folder, Subfolders and Files)
#   Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
#   Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
#   Everyone - List Folder/Read Data (Apply onto: This Folder Only)
#   Everyone - Read Attributes (Apply onto: This Folder Only)
#   Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)
#
#
# DISCLAIMER
# ==========
# THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
# RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
#############################################################################

# root folder that holds one subfolder per user (subfolder name = account name)
$dirpath = "D:\Data\user"

# get list of all child directories in the home folder root
$directories = Get-ChildItem -Path $dirpath | Where-Object { $_.PSIsContainer }

# iterate over the directories
foreach ($dir in $directories)
{
    # echo out what the full directory is that we're working on now
    Write-Host "Working on $($dir.FullName) using $($dir.Name)"

    # setup the inheritance and propagation as we want it:
    # the rule applies to this folder, its subfolders and its files
    $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]"None"
    $allowdeny   = [System.Security.AccessControl.AccessControlType]::Allow

    # add our user (with the same name as the directory) to have Full Control
    $aclrule = New-Object System.Security.AccessControl.FileSystemAccessRule($dir.Name, "FullControl", $inheritance, $propagation, $allowdeny)

    # check if the given user is valid: Translate() throws when no such account exists,
    # so skip folders that do not belong to an existing account instead of aborting the run
    try {
        $sid = $aclrule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch {
        Write-Warning "No account found for '$($dir.Name)', skipping $($dir.FullName)"
        continue
    }

    # get the existing ACL for the directory
    $acl = Get-Acl -Path $dir.FullName

    # add our rule to the ACL
    $acl.AddAccessRule($aclrule)

    # write the ACL back to the directory
    Set-Acl -AclObject $acl -Path $dir.FullName
}

__________________________________________________________________________
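The script above only fixes the per-user subfolders; steps 1 and 2 (the share permission and the KB 274443 permissions on the home folder root) are still done by hand. As an added example that is not part of the original post or script, this applies those two steps with PowerShell. The root path, the share name and the "Domain Admins" account name are assumptions to adapt; New-SmbShare needs Windows Server 2012 / Windows 8 or later.

```powershell
# Added example (not from the original post): steps 1 and 2 for the home folder root.
# Assumptions: $Root, $ShareName and the Domain Admins account name (see usage below).

function Set-HomeRootShare {
    param([string]$Root, [string]$ShareName = 'Users$')
    # Step 1: share permission Everyone = Full Control; the NTFS ACL does the real restricting.
    New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Everyone' | Out-Null
}

function Set-HomeRootAcl {
    param([string]$Root, [string]$DomainAdmins = "$env:USERDOMAIN\Domain Admins")
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    # "This Folder, Subfolders and Files"
    $all   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none  = [System.Security.AccessControl.PropagationFlags]::None
    # "Subfolders and Files Only": inherited by children, not applied to the root itself
    $childOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    # "This Folder Only"
    $thisOnly  = [System.Security.AccessControl.InheritanceFlags]::None
    # Create Folder/Append Data, List Folder/Read Data, Read Attributes, Traverse Folder/Execute File
    $everyone = [System.Security.AccessControl.FileSystemRights]'CreateDirectories, ListDirectory, ReadAttributes, Traverse'

    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER',       $full,     $all,      $childOnly, $allow)
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', $full,     $all,      $none,      $allow)
        New-Object System.Security.AccessControl.FileSystemAccessRule($DomainAdmins,         $full,     $all,      $none,      $allow)
        New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone',            $everyone, $thisOnly, $none,      $allow)
    )

    $acl = Get-Acl -Path $Root
    # Stop inheriting from the parent (dropping inherited entries) and remove the explicit
    # entries, so that only the KB 274443 set remains on the root.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($old)
    }
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Root -AclObject $acl

    # Return the resulting entries so they can be reviewed before users are pointed at the share
    (Get-Acl -Path $Root).Access | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

# Usage (the path is a placeholder for your home folder root):
# Set-HomeRootShare -Root 'D:\Data\user'
# Set-HomeRootAcl   -Root 'D:\Data\user'
```

Run Set-HomeRootAcl before Repair-HomeFolderPermissions.ps1, so the per-user Full Control entries are added on top of a clean root ACL.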

Deploy Windows 10 and Windows Server vNext Technical Preview Using MDT 2013

1. Mount boot.wim file
Dism /Mount-Image /ImageFile:"D:\DeploymentShare\Operating Systems\Windows Server Technical Preview\sources\boot.wim" /index:1 /MountDir:D:\offline

2. Copy the dism.exe and DISM folder from the Windows 10 Technical Preview boot.wim file to your deployment share, in my case D:\DeploymentShare\Tools\x64.

The dism.exe file and DISM folder are found in the X:\Windows\System32 on your boot image (once booted), or D:\Offline\Windows\System32 if you just mounted the boot.wim.

3. Unmount the image
Dism /Unmount-Image /MountDir:"D:\Offline" /Discard

4. Edit the Task Sequence

After copying the files, add two Run Command Line actions to your Windows 10 Technical Preview and Server vNext Preview task sequence, after Preinstall – Enable Bitlocker (Offline):

Copy WTP dism.exe
cmd /c copy %deployroot%\tools\%architecture%\dism.exe x:\windows\system32\ /y

Copy WTP DISM subsystem
cmd /c copy %deployroot%\tools\%architecture%\dism\*  x:\windows\system32\dism /y

5. Deploy Machines
Installing Windows 10 & Server vNext Technical Preview via PXE on Gen 2 VM

If you try to PXE boot a Windows 10 or Server vNext Technical Preview VM running on Hyper-V in Windows Server 2012 R2, you are greeted by a nice error message: Boot Failed. EFI Network. Failed Secure Boot Verification.

The simple fix

Until an update is available, turn off Secure Boot for the Gen 2 VM.