Recently, I read an excellent blog post in which a security firm outlined how they could extract the BitLocker keys from a TPM 1.2 or TPM 2.0 device. This attack, carried out as a penetration test, was possible because the BitLocker OS drive did not have a startup PIN enabled; it was simply a TPM-protected BitLocker encrypted volume. Denis Andzakovic with Pulse Security (based in New Zealand) detailed how he was able to use open source tools and a logic analyzer to extract the VMK (Volume Master Key) and ultimately decrypt the drive.
Full post: Require Startup TPM+PIN for Bitlocker Encryption | Enterprise Security
This Windows Server 2019 Active Directory installation beginners guide provides step-by-step illustrated instructions to create a NEW AD forest along with DNS and DHCP services. In addition, I reference the security recommendations from Microsoft and StigViewer for new Domain Controllers that can be used for server security hardening. Sure, you can use a Hydration Kit or other tools to automatically create a domain, DNS, DHCP, and SCCM ConfigMgr server. However, learning from the ground up helps to reinforce Microsoft concepts and is a great way to learn and troubleshoot in a separate environment. Building a development AD environment is also useful for testing Windows 10 group policy settings, newer Windows 10 releases, SCCM OSD, Azure cloud services and more.
This blog post can also be used for Server 2016, since the Forest and Domain Functional levels are the same.
Full post: Windows Server 2019 – Active Directory Installation Beginners Guide
This blog post outlines how to create an Azure AD Dynamic Group for different device model types such as Dell, HP, Hyper-V Virtual Machines and VMware Virtual Machines. I hope this blog post can provide assistance and serve as a helpful quick guide. To deploy specific applications, BIOS updates or settings to a particular hardware model in Intune, manually adding devices to Azure AD groups is not practical. This is especially true for companies that have thousands of devices and many hardware models. In addition, installing VMware Tools or applying configurations to Hyper-V VMs is a common need for IT admins.
The first task is to run the wmic command to gather the exact model name as it is listed in WMI, because the dynamic membership rule must match that value. We can gather this information from a command prompt using the WMIC syntax shown in the full post.
Full post: Create Azure AD Dynamic Group for Model Type | Helpful Quick Guide
Microsoft has released a new feature in Intune called “Intune Connector for Active Directory”, which is currently a preview release feature. This feature is used to join devices to the on-premises Active Directory domain (using ODJ – Offline Domain Join) and to the Azure AD tenant within Intune during Autopilot device enrollment. This creates a Hybrid domain joined scenario in which client devices process local group policy and are managed by Intune. This is particularly useful because many customers have on-premises services such as group policy, mapped network drives and printers that must authenticate against the local AD domain controllers. While testing this feature in my lab and working with a customer, I have seen “Server Error Code 80180005” or “Error code 80070774” on client devices. In my experience, this error occurred because the computer name prefix was incorrectly configured.
Full post: Intune Hybrid Domain Join Error 80180005
IT professionals using SCCM or MDT for Windows 10 / Server OS deployment may experience failures during the domain join step of the task sequence. Typically, the computer account fails to join the OU because the OU(s) do not have the correct permissions granted to the join account. Often, when working with customers, I see that their Active Directory domain join service account permissions are incorrectly configured. In some cases, customers are using a DOMAIN ADMIN account for the join, which is a poor security practice: the join account only needs delegated rights to create and manage computer objects in the target OU.
Full post: Correct Domain Join Account Permissions – SCCM / MDT OS Deployment
Most people are already familiar with the well-known website list of Microsoft Azure management URLs. Microsoft also has additional standalone Azure management websites for items such as “Preview” and “Intune Only”.
So, I thought it would be good to share these additional, newly discovered website URLs. The list of Microsoft Azure Management URLs comes in handy when you want to view a subset of information without other clutter. This should make life easier when you want to look at Azure cloud management services and avoid building a custom Dashboard in the Azure Portal.
Full post: List of Microsoft Azure Management URLs