User Profile
MichaelC
Brass Contributor
Joined Apr 13, 2017
Recent Discussions
Re: Windows Server OSConfig and DSCv3
Sorry to pile on the replies here, but my thought process is this:

1. Many teams want cloud-agnostic tooling.
2. Azure is not the primary cloud of a lot of bleeding-edge, software-dev-first environments.
3. The one space Azure has a really solid lock on is US Government, because the Azure US Gov team goes to great lengths to get all of the necessary certifications for the cloud stack.

Just by the nature of how bullet point 3 works above, it means that there's a good chance that Azure-first systems (the orchestration behind something like DSCv3) will have quite a bit of delay. Therefore, with all those constraints, I feel like some of the teams at MS (whichever team it is, Windows probably?) need a different strategy than "Azure first"--just like the PowerShell and .NET teams moved away from the "Windows first/Windows only" mindset.

A lightweight orchestration system included with the OS, enough to do some get/set/test of Config as Code with module and configuration distribution, would be nice. Integrate portions of it (reporting/visibility) into Windows Admin Center. This allows these features to be rolled out almost immediately across every scenario, including compliance scenarios (like ITAR, CUI environments, disconnected environments). Meanwhile, if the Azure team wants to separately build their own system (such as Azure Machine Configuration), they can do so. Maybe theirs is more robust, I dunno. Maybe they build in some wider automatic integrations.

I think it's a win/win all around, to be fair. It brings DSCv3 to the forefront, it encourages resource migration from PowerShell DSC to DSCv3 resources, it could integrate across a variety of environments (disconnected ones, compliant environments, multiple clouds), and the Azure and/or Windows teams can work independently of each other. I think what Steve and team did with DSCv3 is great, and I think helming that knowing they have a small team and little adoption takes a lot of... personal might.
I also like how they listen to end users/customers (such as Bicep language support). Just need to get the rest of the Windows org to do the same.

Re: Windows Server OSConfig and DSCv3
I actually have a very practical reason for bringing it up, though. For $DayJob I work out of Azure Government and M365 GCC High, and pretty much anything Azure in that environment lags behind the commercial environment. Hot patch for Azure Arc servers, for example, doesn't yet exist in the Azure US Government environment. This environment can sometimes lag the commercial Microsoft cloud services by quite a bit. As an example, I'm still missing some Intune functionality, and it's been 6 years since I started working in that stack.

Thankfully, it DOES look like Azure Machine Configuration does exist in USGov (I just looked), which is nice. But it looks like on Windows that's still using PowerShell v2 and not v3. It seems it's using v3 for Linux, however. So I worry the switch from v2 to v3 in USGov could be at least 12 months out on Windows, if not longer. It'll take however long for them to roll it out as a preview, then it has to hit GA, and then there's a multi-month lag time for it to hit the Azure Government environment. So even using Microsoft tooling I'm stuck between a rock and a hard place.

Re: Windows Server OSConfig and DSCv3
Unfortunately I'm specifically looking for functionality that depends on neither Azure Arc nor Azure Machine Configuration. A hallmark of modern deployment and configuration is to be cloud agnostic. It's a pretty hard selling point if the CIO of an organization has decided they're going all in on GCP and you have to ditch Azure integrations because nobody listens to "the Windows folks" anymore. So whatever comes up should not have any dependency on a particular cloud stack.

Re: Add Passkey support to Active Directory
My personal recommendation is to use Windows Hello, TAP, and external security keys attached to Entra ID accounts, and then use https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises in order to obtain Kerberos tickets to on-premises Active Directory. Likewise, you should enable Credential Guard on all endpoints to guard those issued TGTs. Furthermore, for alternate accounts and such, you can leverage X.509 smart card certificates to do things like RDP sign-in as a different account.
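The endpoint-side checks for the recommendation above, as an added PowerShell example that is not part of the original reply: it confirms that Credential Guard is actually running (with a helper that turns it on through the documented registry switches), and that a user who signed in with a security key or Windows Hello holds a Kerberos TGT for the on-premises realm, not just the cloud TGT from Entra ID. The realm name CORP.EXAMPLE.COM and the function names are assumptions; the WMI class, registry values and klist output format are the documented Windows ones.

```powershell
# Added example (not from the original reply). Checks the two endpoint-side conditions
# the recommendation relies on: Credential Guard protecting the ticket cache, and an
# on-prem Kerberos TGT obtained via Entra ID Kerberos trust after a passkey sign-in.
# Realm 'CORP.EXAMPLE.COM' and the function names below are assumed for illustration.

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

function Enable-CredentialGuardWithUefiLock {
    # Documented registry switches; needs an elevated prompt, VBS-capable hardware
    # (UEFI, Secure Boot, virtualization extensions) and a reboot to take effect.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -PropertyType DWord -Value 1 -Force | Out-Null
    # LsaCfgFlags: 0 = off, 1 = on with UEFI lock (cannot be disabled remotely), 2 = on without lock
    New-ItemProperty -Path $lsaKey -Name LsaCfgFlags -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-KerberosTgt {
    param(
        [Parameter(Mandatory)][string]$Realm   # e.g. 'CORP.EXAMPLE.COM' (assumed)
    )
    # klist prints one block per cached ticket; a TGT shows as "Server: krbtgt/REALM @ REALM".
    # With Entra Kerberos trust the first TGT is for KERBEROS.MICROSOFTONLINE.COM; the on-prem
    # TGT appears once the partial cloud TGT has been exchanged with a domain controller.
    $pattern = 'Server:\s+krbtgt/' + [regex]::Escape($Realm) + '\s*@'
    return @(klist.exe 2>$null | Where-Object { $_ -match $pattern })
}

function Test-PasskeyKerberosReadiness {
    param([Parameter(Mandatory)][string]$OnPremRealm)
    $result = [ordered]@{
        CredentialGuardRunning = Test-CredentialGuardRunning
        CloudTgtPresent        = (Get-KerberosTgt -Realm 'KERBEROS.MICROSOFTONLINE.COM').Count -gt 0
        OnPremTgtPresent       = (Get-KerberosTgt -Realm $OnPremRealm).Count -gt 0
    }
    return [pscustomobject]$result
}

# Usage (after signing in with a security key or Windows Hello):
#   Test-PasskeyKerberosReadiness -OnPremRealm 'CORP.EXAMPLE.COM'
# If OnPremTgtPresent is False, touch an AD resource or run
#   klist get krbtgt/CORP.EXAMPLE.COM
# and re-run the check. If CredentialGuardRunning is False, run
# Enable-CredentialGuardWithUefiLock from an elevated prompt and reboot.
```

The UEFI-lock variant (LsaCfgFlags = 1) is the one worth deploying to laptops that leave the building: once locked, Credential Guard cannot be switched off by a remote registry change alone, which is exactly the class of attack an exposed TGT invites.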
Re: Add Passkey support to Active Directory
The request here is pretty loaded, to be honest. But I might put up a blog post on it myself as to why this could be a bit more challenging than you'd think :) Not the least of which would require modifications to PKINIT to support passkeys directly.

Windows Server OSConfig and DSCv3
Introduction

I wanted to formalize putting a post out here to get some discussion going on the attempts at modernization of Windows configuration, and importantly, infrastructure-as-code. Hopefully this is a healthy discussion that others can engage in. Much of what I'm going to try and post about is stuff we already are aware of, but I want to highlight how this is an ongoing concern with the Windows Server platform that makes it difficult to encourage people to even consider Windows in their environment other than for extremely legacy purposes. I want Windows Server to be the best it can be, and I encourage others to join in on the conversation!

Problem Statement

Windows Server needs a modernized configuration-as-code system.

- Must be capable of orchestrating without cloud tools (offline orchestration).
- Must provide for regular validation and attestation.
- Ideally should be easily available to 3rd-party configuration tools. Since Microsoft appears to have little interest in building their own modernized system that isn't Azure-based, this means that this MUST be orchestrated easily and securely by 3rd-party tools.
- Should be as robust as GPO at maintaining and enforcing state. Security configurations in Windows are a right pain to manage with any 3rd-party tooling, with the closest coming to it being the SecurityDSC module, which wraps secedit.exe and security policy INFs.

Why is OSConfig not the answer?

OSConfig doesn't provide for me, as an engineer, to clearly define what the state of my machines is based on my company's business requirements. While the built-in Microsoft policy recommendations are great, there are reasons to deviate from these policies in a predictable and idempotent manner.

Applying an OSConfig Baseline -> Then changing settings as needed with special PowerShell commands

This is not the answer. This is a bunch of imperative code that serves nobody.
And it makes implementing this feature extremely challenging in today's modern world of Kubernetes, Docker, etc. I encourage the Windows Server team to engage with the PowerShell team on DSC 3.0. I think that team has it right, but they are a small group of people and do not have the resources to implement everything that would make DSC 3.0 a first-class configuration-as-code platform on Windows. And this is where the Windows team should come in. Steve Lee and crew have done a bang-up job working on DSC 3.0, including taking feedback from folks to leverage the Azure Bicep language for configuration.

Security Policy Challenge

The way to access security policies needs to change. Even if I were to take DSC 3.0, I'd end up having to create a similar security policy INF file to import into Windows. It just seems so silly to me to have to write all of that out when Windows really should just provide an interface for doing this. In fact, security policy remains one of the largest problems to getting a good platform stood up.

Windows Firewall Policy and GPO - The reason why host-based firewalling is painful to manage at scale in a Windows environment

GPO is definitely not the right place to be managing Windows firewall policy at scale, particularly when you often have a core set of management rules you want to implement and application-specific needs. Making robust changes becomes a challenge since each policy is separate, preventing you from doing things like inheriting rules from higher-level policies. While this is an inherent limitation of Group Policy, it highlights the need to get off of GPO as the core policy configuration tool for Windows.

My recommendations

I'd like for the Windows team to implement DSC 3.0-compatible resources for managing all core functionality of Windows. If you can do it in a GPO, you should be able to do it with Configuration as Code. Please stop relying on the community to make this work.
All of this should be first-party to the platform itself. Furthermore, I'd like to recommend that Microsoft either work with 3rd-party configuration systems (Chef, Ansible, Puppet, Octopus, etc.) OR also provide a way to hit the ground running. Perhaps something that integrates visually into Windows Admin Center would be nice.

Conclusion

This is a huge problem in the Windows world and continues to seem to fall on some deaf ears somewhere in the organization. While I no doubt am confident that the engineers on all of these teams very well know these issues and maybe even have discussed fixing them, clearly there's a breakdown somewhere.

Official tooling to supersede PSWindowsUpdate?
Will there ever be a release of official tools to supersede having to use PSWindowsUpdate to manage updates? Something that isn't Azure-based, backported to Server 2016? The ability to selectively install updates, on demand, and remotely automatable, when SCCM isn't quite doable in some scenarios (i.e. Microsoft Tier 0 from the legacy tiered model)? Something that right now doesn't require a combination of GPOs, security groups/GPO security filtering, and WSUS approvals/deadlines? So I can selectively be like "invoke-update -computername COMPUTER" and it just does it?

Autopilot Bitlocker PIN + Autopilot GCC High?
Are both of these still on the radar at some point? BitLocker PINs are critical to preventing key leakage from RAM when protecting assets. Typically, entire laptops are stolen--not just the drives. So it's imperative that the data be protected even when someone has the entire device. And Autopilot in GCC High would be super nice to have 🙂

YouTube.com does not render properly and appears extremely magnified
I went through the feedback thread and found that this had been addressed previously, but it looks like this bug has reared its ugly head again. Version 85.0.558.0 (Official build) canary (64-bit). Occurs when maximizing some videos.