Forum Widgets
Latest Discussions
Add Passkey support to Active Directory
Everyone, Please go to the feedback hub and upvote my suggestion to add passkey support to Active Directory Domain Services: https://aka.ms/AAw8z54 The reason I am recommending this is because there needs to be a standard way to use passkeys in an AD environment.
Windows Server OSConfig and DSCv3
Introduction I wanted to formalize putting a post out here to get some discussion going on the attempts at modernization of Windows configuration, and importantly, infrastructure-as-code. Hopefully this is a healthy discussion that others can engage in. Much of what I'm going to try and post about is stuff we already are aware of, but I want to highlight how this is an ongoing concern with the Windows Server platform that makes it difficult to encourage people to even consider Windows in their environment other than for extremely legacy purposes. I want Windows Server to be the best it can be, and I encourage others to join in on the conversation! Problem Statement Windows Server needs a modernized configuration-as-code system. Must be capable of orchestrating without cloud tools (offline orchestration) Must provide for regular validation and attestation Ideally should be easily available to 3rd party configuration tools. Since Microsoft appears to have little interest in building their own modernized system that isn't Azure-based, this means that this MUST be orchestrated easily and securely by 3rd party tools. Should be as robust as GPO at maintaining and enforcing state. Security configurations in Windows are a right pain to manage with any 3rd party tooling, with the closest coming to it being the SecurityDSC module which wraps secedit.exe and security policy INFs. Why is OSConfig not the answer? OSConfig doesn't provide for me, as an engineer, to clearly define what the state of my machines are based on my company's business requirements. While the built-in Microsoft policy recommendations are great, there are reasons to deviate from these policies in a predictable and idempotent manner. Applying an OSConfig Baseline -> Then changing settings as-needed with special PowerShell commands This is not the answer. This is a bunch of imperative code that serves nobody. And it makes implementing this feature extremely challenging in today's modern world of Kubernetes, Docker, etc. I encourage the Windows Server team to engage with the PowerShell team on DSC 3.0. I think that team has it right, but they are a small group of people and do not have the resources to implement everything that would make DSC 3.0 a first-class configuration as code platform on Windows. And this is where the Windows team should come in. Steve Lee and crew have done a bangup job working on DSC 3.0, including taking feedback from folks to leverage Azure Bicep language for configuration. Security Policy Challenge The way to access security policies need to change. Even if I were to take DSC 3.0 I'd end up having to create a similar security policy INF file to import into Windows. It just seems so silly to me to have to write all of that out when Windows really should just provide an interface for doing this. In fact, security policy remains to be one of the largest problems to getting a good platform stood up. Windows Firewall Policy and GPO - The reason why host-based firewalling is painful to manage at scale in a Windows environment. GPO is definitely not the right place to be managing Windows firewall policy at scale. Particularly when you often have a core set of management rules you want to implement and application-specific needs. Making robust changes becomes a challenge since each policy is separate, preventing you from doing things like inheriting rules for higher level policies. While this is an inherent limitation of Group Policy, it highlights the need to get off of GPO as the core policy configuration tool for Windows. My recommendations I'd like for the Windows team to implement DSC 3.0-compatible resources for managing all core functionality of Windows. If you can do it in a GPO, you should be able to do it with Configuration as Code. Please stop relying on the community to make this work. All of this should be first party to the platform itself. Furthermore, I'd like to recommend that Microsoft either work with 3rd party configuration systems (Chef, Ansible, Puppet, Octopus, etc.) OR to also provide a way to hit the ground running. Perhaps something that integrates visually into Windows Admin Center would be nice. Conclusion This is a huge problem in the Windows world and continues to seem to fall on some deaf ears somewhere in the organization. While I no doubt am confident that the engineers on all of these teams very well know these issues and maybe even have discussed fixing them, clearly there's a breakdown somewhere.
Remote Desktop Services Licensing Oddness
Hi all, hoping someone might have some insight on this. I configured a new remote desktop services setup on Windows Server 2025. Everything appears to be working just as it did in our previous RDS environment which was on 2016, and it seems like the licensing is/should be working properly, but I keep getting a warning when logging in on the broker/license server that a license will expire soon, etc. The license diagnoser seems to show the same or a similar warning. I want to ensure that we won't have any disruption in service. I believe I have everything configured properly, but maybe I've missed something? Or is this some sort of red herring message due to the built in temporary license? In RD licensing diagnoser I see this message: In the licensing manager everything appears like it should be good to go, though: Even shows the licenses being assigned to active connections: The license server is set within the RDS config as such: Thanks in advance for any help or advice. I've tried looking at everything I could find off general searching.
Configuring session timeout for Remote Desktop Services web client (HTML5)
Is anyone aware of a way to customize the session timeout in the remote desktop services web client (HTML5)? An issue our users have been experiencing is if they are in a long running remote desktop session and they experience a disconnect, clicking the "reconnect" button on the pop up they receive doesn't do anything. They also can't navigate back to the main menu to select their session collection to reconnect. The fix is they need to click refresh and log in again, it appears that the cause is that the users' login session to the remote desktop web client has timed out. Ideally, we'd like to customize the session timeout to be a long value so they could get through a whole work shift without their existing authentication session being timed out.
VPN on Windows Server 2016 not working
I followed the stand procedure to set up VPN on Windows Server 2016. Let me jump to where I am now. The event viewer has the following two entries when a client connects to the VPN server: A connection between the VPN server and the VPN client 72.74.70.135 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). CoId={23FC7BC4-0885-5E63-715B-8EFAD37B9E15}: The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: <Unauthenticated User>. Negotiation timed out I am not familiar with GRE, so add rules for both inbound and outbound GRE on both the Windows Server 2016 and the client machine (Windows 11 Pro). Could anyone offer a direction to guide me in diagnosing this?
Reduce Window Server CAL licenses
Hi, I am building a new production environtment, where client uses Microsoft Dynamics Navision 2016 and I have few question regarding the user/device CALs. I have installed new VM where Windows Server 2022 Datacenter is installed and I installed SQL Server 2019 Standard and applied per core (2x2 vCore) license to it. I know that for SQL Server no CALs are required, since it is Per Core licensed. I installed another VM where Windows Server 2022 Standard is installed and where NAV2016 server is installed. Windows Server is lincesed, but I am not sure, if I need to purchase also user and device CALs? I believe I need user and device CALs, too, and therefore I'd like to reduce the cost of CALs by: 1. creating an AD Security Group X and add all the users who are connecting to the NAV service tier as members into that AD Security Group (20x employees and 5x service accounts for 3rd party apps). Can I purchase exactly 1 user CAL license, or do I need to purchase 25 user CALs? 2. creating an AD Security Group Z and add all the devices that are connecting to the NAV service tier via WS calls (3x barcode scanners). Can I purchase exactly 1 device CAL license, or do I need to purchase 3 user CALs? Thanks Damjan
How to disable the Cocreator feature in the Microsoft Paint app
How can I disable the Cocreator feature in the Microsoft Paint app using the Active Directory Group Policy Management Console (GPMC)? If it is not possible to disable only the feature, please tell me how to disable the Microsoft Paint app itsel.Certificate Authority Revocation issues: CRL db lost in migration
We currently have a CA which was migrated from a retired server no longer available - over 6 months now but they didn't complete the migration, and the revocation database is missing. We're now experiencing issues with certs issued but the former server that it cannot issue renew certs. What is the best approach to this? I can create another CA server but what about the root certificate of the current one? How do you point renew requests to the new server if there is no revocation DB for the already issued certs? What about the current certs issued by the current server if I migrate the current one to a new CA? I do have copies of the system32\certsrv folder and CA backup from the retired server, but this backup was used to migrate the current one which resulted in its current state. Can the revocation db just be imported? Any help would be appreciated! Thanks.
