Addressing Critical ZeroLogon Vulnerability CVE-2020-1472

Chiyo Odika | AZURE, Security

ZeroLogon is an elevation of privilege vulnerability that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a Windows Server domain controller. It allows a Netlogon authentication bypass which, put simply, lets an attacker obtain domain admin access, take over the organization's domain, and disrupt the organization's operations by, for instance, deploying a ransomware payload. The vulnerability was discovered by the security firm Secura, and Microsoft has recently confirmed that it is being actively exploited in the wild. Secura has released PoC code on their GitHub that exploits this vulnerability, and its use and deployment is quite intuitive. If the increasing discoveries of …
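Before enforcing the fix, a practitioner wants to know which domain controllers are still accepting vulnerable Netlogon connections and who the callers are. The following is an added example (my own code, not from the original post and not Secura's PoC) that audits every domain controller for its ZeroLogon posture using the registry value and Netlogon event IDs Microsoft introduced with the August 2020 update (KB4557222). It assumes you run it as a domain admin with the ActiveDirectory module, WinRM open to the DCs and remote event-log access; the regex used to pull the caller's SamAccountName out of the event message is an assumption about the English message layout.

```powershell
# Added example, not code from the original post or from Secura/Microsoft.
# Audits every domain controller for its CVE-2020-1472 (ZeroLogon) posture:
#   1. whether Netlogon enforcement is switched on via FullSecureChannelProtection = 1 under
#      HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters (added by the August 2020 update);
#   2. which callers still negotiate vulnerable Netlogon secure channels (Event ID 5829),
#      i.e. what will break once enforcement is on;
#   3. how many vulnerable connections were denied (5827/5828) or allowed through the
#      "Domain controller: Allow vulnerable Netlogon secure channel connections" policy (5830/5831).
# Assumptions: domain admin, ActiveDirectory module, WinRM and remote event-log access to the DCs.
# The SamAccountName regex is an assumption about the event message text; adjust for other languages.

Import-Module ActiveDirectory

function Get-ZeroLogonPosture {
    param(
        [string[]] $DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int] $Days = 7
    )

    foreach ($dc in $DomainController) {
        # Enforcement switch; $null means the value has never been set on this DC.
        $enforce = Invoke-Command -ComputerName $dc -ScriptBlock {
            $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                                  -Name 'FullSecureChannelProtection' -ErrorAction SilentlyContinue
            if ($p) { $p.FullSecureChannelProtection } else { $null }
        }

        # Netlogon events added by the August 2020 update; none at all usually means the update is missing.
        $events = @(Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = 5827, 5828, 5829, 5830, 5831
            StartTime    = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue)

        $allowed = @($events | Where-Object Id -eq 5829)
        $callers = $allowed | ForEach-Object {
            if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] }   # assumed message layout
        } | Sort-Object -Unique

        [pscustomobject]@{
            DomainController            = $dc
            FullSecureChannelProtection = $enforce          # 1 = enforcing; 0 or $null = not set
            VulnerableAllowed           = $allowed.Count    # 5829 count: drive this to 0 before enforcing
            VulnerableDenied            = @($events | Where-Object { $_.Id -in 5827, 5828 }).Count
            PolicyExceptions            = @($events | Where-Object { $_.Id -in 5830, 5831 }).Count
            AllowedCallers              = ($callers -join ', ')
        }
    }
}

# Usage: list DCs that still allow vulnerable connections or are not explicitly enforcing.
Get-ZeroLogonPosture |
    Where-Object { $_.VulnerableAllowed -gt 0 -or $_.FullSecureChannelProtection -ne 1 } |
    Format-Table -AutoSize
```

Read the output with two caveats. A DC with no Netlogon events in the window and no registry value is most likely still unpatched (confirm with Get-HotFix for the August 2020 or later cumulative update), not clean. And once a DC is on the February 2021 or later updates, Microsoft's enforcement phase turns enforcement on by default, so a missing value there no longer means vulnerable connections are accepted; the 5829 count is the reliable signal either way.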


Hybrid Cloud Print Known Issues and Workarounds

Chiyo Odika | AZURE, Azure Active Directory, WINDOWS SERVER

In a previous post I outlined the steps for deploying Hybrid Cloud Print. Here are some noteworthy issues and errors you may encounter when deploying or testing this solution through either of the supported pre-authentication methods, and some ways to remediate them. Publishing permissions: this error indicates that you do not have print server management permissions or permissions to modify the Mopria database file. Address this by following steps #2 and #8 of the referenced post above. Read and sign-in authorization for native client or web apps: this error indicates that required permissions are missing on the native client or web apps; it further indicates that you have not delegated permissions to the app for the required APIs, as outlined in steps #10 …


Hybrid Cloud Print with Passthrough Authentication – Detailed steps

Chiyo Odika | AZURE, Azure Active Directory, WINDOWS SERVER

In a previous post, I gave an overview of the Windows Server Hybrid Cloud Print solution. This is a solution that enables organizations to support print functionality for MDM-managed BYOD and Azure AD joined devices. Organizations will find this solution useful if they plan to:
- leverage existing global printing investments to support BYOD and non-domain-joined devices
- deploy Azure AD joined devices into an existing AD and global print environment
- support MDM-managed BYOD
- support printing while away from the corpnet
The solution supports single sign-on user authentication and allows you to leverage your existing authorization processes. I briefly covered this in the previous post. In this article, I will go over the steps for configuring Hybrid Cloud Print using …


Overview of Hybrid Cloud Print Solution

Chiyo Odika | AZURE, Azure Active Directory, WINDOWS SERVER

Hybrid Cloud Print is a relatively new feature built on the Windows Print Server role in Windows Server 2016. It enables users to discover and securely print to on-premises printers from their Azure AD joined and MDM-managed devices, from wherever they have internet access. The solution is built on a Windows print service endpoint and a discovery service endpoint, both running on IIS and supporting the Internet Printing Protocol and the Mopria Alliance printer discovery standard, respectively. For the server-side configuration, you will need to:
- install the Print Server Windows Server feature
- install Hybrid Cloud Print, for instance through the PowerShell modules
- configure the IIS endpoints to support SSL
- install and configure the SQLite package …


Reinstate Missing BitLocker recovery tab in ADUC

Chiyo Odika | WINDOWS SERVER

Quick fix for reinstating the BitLocker Recovery tab, used for locating and viewing BitLocker Drive Encryption (BDE) recovery passwords stored in Active Directory Domain Services (AD DS). The tab is provided by the BitLocker Recovery Password Viewer, an optional feature within the BitLocker Drive Encryption Administration Utilities component of the Remote Server Administration Tools (RSAT). You can enable this feature manually through Server Manager or via PowerShell:
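As an added example (my own code, not the original post's commands), the following installs the RSAT feature behind the ADUC tab, optionally the command-line tools as well, and then reads the recovery passwords directly from AD DS, both per computer and domain-wide by the Password ID the client shows on its recovery screen. It assumes it runs elevated on a Windows Server with the ServerManager and ActiveDirectory modules, that clients back up recovery information to AD DS as msFVE-RecoveryInformation objects, and that Get-ADObject returns the msFVE-RecoveryGuid attribute as a byte array; the function names are mine.

```powershell
# Added example, not code from the original post. Installs the RSAT features that provide the
# ADUC "BitLocker Recovery" tab (and, optionally, manage-bde/repair-bde), then reads the recovery
# passwords that clients back up to AD DS as msFVE-RecoveryInformation child objects.
# Assumptions: elevated session on Windows Server; ServerManager and ActiveDirectory modules present;
# BitLocker recovery information is being backed up to AD DS.

Import-Module ServerManager
Import-Module ActiveDirectory

function Install-BitLockerRecoveryViewer {
    param([switch] $IncludeCommandLineTools)   # also install manage-bde / repair-bde
    $features = @('RSAT-Feature-Tools-BitLocker-BdeAducExt')        # BitLocker Recovery Password Viewer
    if ($IncludeCommandLineTools) {
        $features += 'RSAT-Feature-Tools-BitLocker-RemoteAdminTool'  # BitLocker Drive Encryption Tools
    }
    $result = Install-WindowsFeature -Name $features
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is needed before the tab appears.' }
    Get-WindowsFeature -Name 'RSAT-Feature-Tools-BitLocker*' | Select-Object Name, InstallState
}

# msFVE-RecoveryGuid is stored as an octet string; turn the bytes back into a Guid.
function ConvertTo-RecoveryGuid([byte[]] $Bytes) { [guid]::new($Bytes) }

# Recovery passwords hang off the computer object as child objects; newest first.
function Get-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)] [string] $ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                 -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
        Sort-Object whenCreated -Descending |
        Select-Object @{ n = 'Computer';         e = { $ComputerName } },
                      @{ n = 'Created';          e = { $_.whenCreated } },
                      @{ n = 'PasswordId';       e = { (ConvertTo-RecoveryGuid $_.'msFVE-RecoveryGuid').ToString().Substring(0, 8).ToUpper() } },
                      @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
}

# Domain-wide lookup by the 8-character Password ID shown on the client's recovery screen;
# this is what the "Find BitLocker Recovery Password" dialog in ADUC does.
function Find-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)] [ValidatePattern('^[0-9A-Fa-f]{8}$')] [string] $PasswordId)
    Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                 -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid' |
        Where-Object { (ConvertTo-RecoveryGuid $_.'msFVE-RecoveryGuid').ToString().StartsWith($PasswordId.ToLower()) } |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = (($_.DistinguishedName -split ',')[1] -replace '^CN=')   # parent computer RDN
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

# Usage:
#   Install-BitLockerRecoveryViewer -IncludeCommandLineTools
#   Get-BitLockerRecoveryPassword -ComputerName 'PC01' | Format-Table -AutoSize
#   Find-BitLockerRecoveryPassword -PasswordId 'A1B2C3D4'
```

Reading msFVE-RecoveryPassword requires the same delegated right the ADUC tab needs; by default only Domain Admins can see it, so scope any helpdesk delegation to that attribute rather than granting broader read access on computer objects.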

If you’d also like to install the manage-bde and repair-bde command line tools for BitLocker Drive Encryption, you can install the BDE Administration utilities.

Once the feature is enabled, you can view recovery passwords for computer objects and search for recovery passwords across your domain(s).


Migrate Clients to a ConfigMgr HTTPS Site

Chiyo Odika | ConfigMgr, SCCM

Happy Holidays, friends! I've been rather busy with several riveting initiatives recently, and thought I'd share one of them: some ideas on migrating clients to a ConfigMgr destination hierarchy that is configured for HTTPS, meaning that all client-to-server communication happens over HTTPS. This article will expressly cover ideas on said migration. It will not cover the steps for configuring HTTPS communication in ConfigMgr; refer to the links below for some guidance on HTTPS configuration for ConfigMgr.
https://blogs.technet.microsoft.com/configmgrdogs/2015/01/21/configmgr-2012-r2-certificate-requirements-and-https-configuration/
https://docs.microsoft.com/en-us/sccm/core/plan-design/network/pki-certificate-requirements
I strongly recommend that you acquaint yourself with the concepts and material covered in both articles and elsewhere before continuing with this article. Additionally, I recommend reading the fairly detailed conceptual guidelines on …


DPM Modify Protection Group Error 31224

Chiyo Odika | DPM, SQL, SYSTEM CENTER

Here's a scenario: I protected some SQL data sources in DPM to ensure that transaction logs got backed up, and I configured my DPM protection group synchronization frequency accordingly, but wasn't seeing my data getting backed up as frequently as expected. To remediate this, I modified my protection group by unprotecting said data and re-protecting it with the desired settings in another protection group. At this point my data was protected and had several recovery points, but not with the desired frequency. I then unprotected it to test with different settings, and upon attempting to protect the data again, I encountered the following error: Modify protection group: [group name] failed: Error 31224: [data path] has recently been migrated. …


Migrating from Mixed Mode AD FS to a Full Windows Server 2016 AD FS Farm

Chiyo Odika | ADFS, WINDOWS SERVER

I recently designed a solution to provide AD FS high availability for a client, using Azure IaaS and PaaS. This necessitated deploying Windows Server 2016 AD FS servers into a Windows Server 2012 R2 farm in order to align with the desired DR testing plan and accommodate downtime schedules. This article will review the specific steps for making the cutover from a mixed-mode AD FS environment to a full Windows Server 2016 AD FS farm. It will not go into detail about installing the AD FS roles. At the time of writing this article, adding Windows Server 2016 AD FS servers to a Windows Server 2012 R2 farm in a so-called "mixed-mode" scenario is fully supported, and you can subsequently …


Configure OMS Connection to ConfigMgr — Step by Step

Chiyo Odika | AZURE, ConfigMgr, Microsoft Operations Management Suite, OMS

The 1606 release of System Center Configuration Manager (ConfigMgr) comes with a whole slew of new features, including a pre-release Microsoft Operations Management Suite (OMS) Connector feature. Learn about ConfigMgr 1606 here. The OMS connector enables you to sync data such as your collections from ConfigMgr to OMS. Once the collection information is synced to OMS, you can subject any OMS agent-managed endpoint to some action, such as patching, by virtue of its membership in a collection. When you combine this capability with the system update and other update information that already exists in OMS, the practical applications are rather evident. Note that because this is a pre-release feature it is meant for early pre-production testing, and …


ESD Decryption Update KB3159706 Breaks WSUS on Server 2012 R2

Chiyo Odika | ConfigMgr, SCCM

Microsoft recently released update KB3159706, which enables WSUS on Windows Server 2012/R2 to natively decrypt certain feature updates that are staged in encrypted packages. This is great, especially because this update supposedly fixes an issue with a previous update, KB3148812. This update has, however, been found to break WSUS on Server 2012 R2. I was able to replicate this behavior in my lab environment, which features a simple WSUS installation integrated with a ConfigMgr Software Update Point (SUP). As seen below, after the update is installed the WSUS service crashes and fails to restart, and this adversely affects the SUP role in ConfigMgr. I also determined that uninstalling the update addressed the issue, but a …
