User Profile
martinj
Brass Contributor
Joined Apr 09, 2019
User Widgets
Recent Discussions
What is the roadmap for FIDO2 passthrough from Hyper-V host to VM?
Using FIDO2 devices physically attached to the Hyper-V host in a virtual machine is greatly needed, for instance for PAWs, where the user on his not-locked-down desktop/production-apps VM needs to do FIDO2 logins. And now that https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/ , one would expect it to be a priority. MS employees have https://www.reddit.com/r/sysadmin/comments/l3mlif/comment/gki75pj/?utm_source=share&utm_medium=web2x&context=3 a year ago, that it was on the roadmap. But when can we expect to see it coming?Re: PrintNightmare for administrators: Trying to sum up the current knowledge for decision-making:
Hello Leon braedachau , Ha ha, yes isn't it great to be mad Yes, I'm actually about to update my blog post about the most recent discoveries. However, I think you might have confused two things here. KB5005010 describes how you can further enhance your security posture after applying the patch. But it is not the one, that determines, whether the machine is still susceptible to Remote Code Execution attacks after the patch. This is what KB5005010 is about: Before the July patch, if you were in for example Print Operators group but not a local administrator, you could install unsigned drivers on a print server. After the July patch, a Print Operator can only install signed drivers. If you set the RestrictDriverInstallationToAdministrators reg value, Print Operators cannot even install signed drivers, only Administrators can. What makes the machine still vulnerable to Remote Code Execution attacks even after installing the July patch is if the "NoWarningNoElevationOnInstall" value is set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key Which maps to this (vulnerable) GP configuration: Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions is enabled and has the setting: Security Prompts: When installing drivers for a new connection = Do NOT show warning and elevation prompt https://twitter.com/wdormann/status/1412813044279910416?s=20Windows 11 pin to Taskbar using Start Layout modifications file
Hello, Using a Start Layout modifications file for the new Start Menu in the new format, how do add info to the file about items to be pinned to the taskbar? I cannot seem to find any other options than "pinnedlist", which seems to be strictly for the Start Menu, not the taskbar.Remove logoff option from Settings Pages
On kiosk-like machines for shared-user purposes, we have provided an automatically logged on user, that is highly specialized for the needed purposes. Among other things, we have removed the logoff option using GPO to ensure, that users are always using the kiosk-like PCs with the autologon-user: User Configuration\Administrative Templates\System\CTRL-ALT-DEL options\Remove Logoff Administrative Templates\Start Menu and Taskbar Remove\Logoff on the Start Menu However, because users need to be able to adjust the screen scaling, we have allowed access to that Settings Page. But when they change the scaling options, the settings page recommends to log off and re-logon. And here it provides a log off option. Example here from WinAero: The users of course uses this option, as it is what Windows recommends them to do. This leads them to the Windows logon prompt, where they by mistake log on using their personal account, instead of the autologon-user (for which they obviously don't know any credentials for). Now, the PC is logged on using a personal account, which is being shared between the users of the PC. There does not seem to be any GPO or registry setting, that can remove the log off option from the Settings Pages. Or am I mistaken? If not, please provide a setting, that can remove the log off option from the Settings Pages.Enable the use of S/MIME for Outlook Web App in MS Edge
S/MIME option is missing in MS Edge (as it does in Google Chrome) Please, enable use of S/MIME from OWA. Currently, a customer of mine is forced to use both IE and Chrome. With IE they use S/MIME for email signing and copy/paste of screenshots into emails. (But when they use S/MIME, they are unable to see the files, they attach to emails) With Chrome they can view which files, they have attached, but cannot use S/MIME. Wouldn't it be awesome, if Edge could be the best of both? PS: I know the OWA version is old, but that part is out of my hands, as I guess it is in many organizations.
