User Profile
AlexR91
Brass Contributor
Joined 9 years ago
Recent Discussions
Re: Missing DragnDrop of attachments from new Outlook to browsers (SharePoint) – Please bring it back!
This is a huge issue for our users. Funny enough, it used to work in new Outlook and Microsoft removed it because "security". If there is a security/DLP concern here, how about you disclose exactly what that is and let me, as the admin, decide if this policy should be enforced? This is the number one reason our users can't move to the new Outlook. Microsoft needs to do something about it ASAP.
Re: After Removing GPO, Intune Policies Not Applying

Interestingly, Config Refresh did resolve this issue: once I ran the Config Refresh scheduled task, all the policies applied like they are supposed to. The problem here is that Config Refresh requires Windows 11. It should come as no surprise that most of the Hybrid joined computers this impacts run Windows 10 (if we upgrade to Windows 11, we reset and Entra join).
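The reply above says running the Config Refresh scheduled task made the policies apply. The script below is an added example, not code from the thread or from Microsoft: it locates the Intune enrollment's task folder on the endpoint, lists the tasks the enrollment client registered so the real names are visible, and starts the one matching a name pattern. The pattern `*refresh*`, and the Windows 11 build check, are assumptions; adjust the pattern to the task name as it appears on your build.

```powershell
# Added example (not from the original thread): locate the MDM enrollment's
# scheduled-task folder and kick off a task by name. Run elevated on the
# affected endpoint. ASSUMPTION: the task-name pattern below is a placeholder;
# set it to the Config Refresh task name as listed by this script on your build.
param(
    [string]$TaskNamePattern = '*refresh*'
)

# Per the reply, Config Refresh needs Windows 11 (build 22000 or later).
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt 22000) {
    Write-Warning "Build $build is Windows 10 or older; Config Refresh is not available here."
}

# Each MDM enrollment has a GUID key under HKLM\SOFTWARE\Microsoft\Enrollments.
# The Intune enrollment uses ProviderID 'MS DM Server'.
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction Stop |
    Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' }

if (-not $enrollments) { throw 'No Intune (MS DM Server) enrollment found on this device.' }

foreach ($e in $enrollments) {
    $id = Split-Path $e.Name -Leaf
    $taskPath = "\Microsoft\Windows\EnterpriseMgmt\$id\"
    Write-Host "Enrollment $id - scheduled tasks under $taskPath"

    # Show everything the enrollment client registered, so the admin can see the real task names.
    $tasks = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue
    $tasks | Select-Object TaskName, State | Format-Table -AutoSize

    # Start the matching task(s) and report the last result (0 = success).
    foreach ($t in ($tasks | Where-Object TaskName -like $TaskNamePattern)) {
        Start-ScheduledTask -InputObject $t
        Start-Sleep -Seconds 15
        Get-ScheduledTaskInfo -InputObject $t |
            Select-Object TaskName, LastRunTime, LastTaskResult
    }
}
```

Run it once with a deliberately non-matching pattern to get the task list, then again with the pattern narrowed to the Config Refresh task; a non-zero LastTaskResult means the task itself failed, which is a different problem from the policies not landing.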
Re: After Removing GPO, Intune Policies Not Applying

I believe policies should have been refreshing every 8 hours by default, and these endpoints were allowed to be in this state for 48+ hours without this issue resolving itself. That said, this may be a useful tool in troubleshooting this further. Thanks for sharing!
Re: After Removing GPO, Intune Policies Not Applying

I agree that targeting the devices with both Intune and GPO enforcing the same policy is a bad idea. The purpose of removing the GPO baselines was to make it so we're no longer doing this. I am 100% sure the policies are not applying. They do not appear in the registry and do not show up in gpresult. Most importantly, when using the device, I can tell the settings are not applying based on the behavior of the computer (no UAC prompts when there should be, settings enabled and working that should not be, etc.).
Re: After Removing GPO, Intune Policies Not Applying

I first noticed when our device secure score within the Microsoft Defender portal dropped dramatically. When I went and looked why, it showed policies that were once applied by the baseline were no longer applied. I was able to verify this by looking at some of these settings on the impacted endpoints. For example, I can see if the policy to disable unsolicited remote assistance is working because the setting is visible to the end user within Windows. There are several other settings I was able to verify like this on the endpoint.
After Removing GPO, Intune Policies Not Applying

Part of our fleet remains Entra Hybrid Joined (as computers are refreshed, they are Entra Joined instead). We apply Windows Security Baselines through both Group Policy and Intune. Recently, we evaluated the differences between the two baselines and determined they are nearly identical. Accordingly, we decided to disable GPO-based security baselines for Entra Hybrid Joined devices and let Intune push security settings for the baseline instead.

Here's the expected behavior: Security baseline settings are set by both Intune and GPO. By default, GPO wins, so the Intune setting is not applied. When the GPO settings are removed, at some point in the next 24 hours (I believe it happens every 8 hours) all Intune policies are reapplied whether or not they have changed. With the GPOs gone, MDM policies that were once blocked by Group Policy are applied. The end result: all security policies are applied, but most of them are coming from Intune (MDM) instead of from GPOs.

However, this is not what is happening. While Intune claims the security baseline has applied, the settings that were once overridden by GPOs never apply and the computer effectively has no security baseline.

Here's what I've done to try to fix this:

1. Make a copy of the existing baseline with a new name, assign it to the computers, and unassign the original baseline. This does not work. The policies claim to have applied, but never apply on the endpoint.

2. Change a single setting in the baseline, hoping the change triggers the whole configuration reapplying. The endpoint only applies the changed setting; other settings in the baseline do not get applied.

3. Unassign the baseline entirely, wait for the computer to sync, and reassign the baseline. This works, but is not a viable solution for a large fleet of computers. This would be fine if all of our computers were receiving GPO updates regularly, but they're not (they are remote). This only works if the computer syncs one time while no settings are applied and again after the configurations are reassigned. We can't negotiate the timing on this for our whole fleet of computers.

4. Apply the policy that makes MDM policies take precedence over GPOs. This did not work.

Here's what we're not willing to try (I'm preempting some of Microsoft's usual boilerplate responses): We will not reset the computers; there are too many for this to be a scalable solution. We will not unjoin and rejoin the computers from MDM; there are too many for this to be a scalable solution.

While I'm tempted to open a support case with Microsoft, this has only ever been a time-consuming and frivolous process. I expect they would pass the ticket around and eventually apologize to me when they decide this is a support case I should actually pay for.

Why would MDM policies not apply even after the group policies that once conflicted with them have been removed? This is impacting all Entra Hybrid Joined computers, the vast majority of which are running the latest build of Windows 11 23H2. Some of these computers have sat for 48 hours in this state, so I don't think this is something that will be resolved with time. Any advice would be greatly appreciated!
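The thread distinguishes between Intune reporting a setting as applied and the setting actually being in effect on the endpoint (no UAC prompt, Remote Assistance still allowed). The script below is an added example, not code from the thread or from Microsoft, that makes that distinction visible on one endpoint: it reads the MDMWinsOverGP flag, then for each baseline setting compares the value Intune wrote into the PolicyManager CSP store with the effective policy registry value that the Windows component actually reads. The three settings and their expected values are placeholders chosen from the symptoms in the thread; the mapping table is an assumption to extend for your own baseline.

```powershell
# Added example (not from the original thread): compare what Intune delivered
# (PolicyManager CSP store) with what is in effect (the policy keys Windows reads).
# ASSUMPTIONS: the $checks rows are placeholders taken from the symptoms in the
# thread (UAC prompts, unsolicited Remote Assistance); extend them to match your
# baseline and expected values. Run elevated on an affected endpoint.

$pmDevice = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# MDMWinsOverGP (ControlPolicyConflict CSP) is the "MDM takes precedence over GP" policy.
$conflict = Get-ItemProperty "$pmDevice\ControlPolicyConflict" -ErrorAction SilentlyContinue
'MDMWinsOverGP = {0}' -f $(if ($null -eq $conflict) { 'not set' } else { $conflict.MDMWinsOverGP })

# Each row: Policy CSP Area\Name as stored under PolicyManager, the effective
# registry location the OS reads, and the value the baseline should enforce.
$checks = @(
    @{ Csp = 'LocalPoliciesSecurityOptions\UserAccountControl_BehaviorOfTheElevationPromptForAdministrators'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'ConsentPromptBehaviorAdmin'; Expected = 2 },
    @{ Csp = 'LocalPoliciesSecurityOptions\UserAccountControl_RunAllAdministratorsInAdminApprovalMode'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'EnableLUA'; Expected = 1 },
    @{ Csp = 'RemoteAssistance\UnsolicitedRemoteAssistance'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Value = 'fAllowUnsolicited'; Expected = 0 }
)

function Get-RegValue([string]$Key, [string]$Name) {
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name
}

foreach ($c in $checks) {
    $cspPath   = Join-Path $pmDevice $c.Csp
    $mdmValue  = Get-RegValue (Split-Path $cspPath -Parent) (Split-Path $cspPath -Leaf)  # what Intune delivered
    $effective = Get-RegValue $c.Key $c.Value                                             # what the OS honours

    $status = if ($effective -eq $c.Expected)  { 'OK' }
              elseif ($null -eq $mdmValue)     { 'MDM value never delivered' }
              else                             { 'MDM delivered but not in effect' }

    [pscustomobject]@{
        Setting      = $c.Csp
        MdmDelivered = $(if ($null -eq $mdmValue)  { '<absent>' } else { $mdmValue })
        Effective    = $(if ($null -eq $effective) { '<absent>' } else { $effective })
        Expected     = $c.Expected
        Status       = $status
    }
}
```

A row reading "MDM delivered but not in effect" is the state the original post describes: the CSP store has the value (so Intune reports success) while the effective policy key is empty or still carries the old GPO value. ADMX-backed rows such as RemoteAssistance store an XML string rather than a DWORD in the CSP store, so read that column as presence, not as a number.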
Re: Secure access client when PC is On-prem

We've been having similar issues, though I believe this may be by design. The Global Secure Access Client appears to not care whether you're on the LAN with the target or not; it always proxies the connection unless you pause the client. I was testing the client with RDP, and it worked great remotely. However, when I was on prem with the server I was RDPing in to with the client active, my round trip time was >100ms; with the client paused, it was <1ms. I appreciate that this allows us to layer on modern auth and conditional access regardless of where the client is in relation to the target resource, but this needs to be a behavior that I as an administrator have control over because, in most cases, we'd rather the client not proxy at all if they don't need to, especially considering the performance implications we've witnessed.
Re: Session - Sign-in frequency best practice

johos I'm wondering the same thing as you. Microsoft gives some vague guidance and explains how it works, but doesn't prescribe best-practice policies for those of us using Conditional Access. Should I have a policy specifying sign-in frequency? If so, how often should I require users to sign in?
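The post asks whether to have a sign-in frequency policy at all; the page does not answer the "how often" question and neither does this. The block below is an added example, not from the thread, showing how such a Conditional Access policy is expressed through Microsoft Graph PowerShell and deployed in report-only mode first, so the sign-in logs show who would be re-prompted before anyone is. The 12-hour interval, the policy name and the break-glass group ID are placeholders, not a recommendation.

```powershell
# Added example (not from the thread): a Conditional Access policy with a
# sign-in frequency session control, created in report-only mode.
# ASSUMPTIONS: the 12-hour value, policy name and break-glass group ID are
# placeholders; decide the interval yourself. Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder

$policy = @{
    displayName = 'Session - sign-in frequency (report-only pilot)'
    # enabledForReportingButNotEnforced logs what would happen without enforcing it.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            type               = 'hours'       # or 'days'
            value              = 12            # placeholder interval
            frequencyInterval  = 'timeBased'   # 'everyTime' re-prompts on every sign-in instead
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Excluding a break-glass group is the part worth keeping whatever interval you settle on: a sign-in frequency policy scoped to all users and all apps will also re-prompt the emergency-access accounts.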
Re: Windows Server 2022 - devices not booting when Secure Boot enabled (KB5022842)

Alban1998 I read your comment on "RGE" as "sounds like whatever you're doing should get you fired". I apologize for my response if that wasn't your intention. I find it difficult to read your remark any other way. I also realize that it may have been rather hypocritical for me to call you arrogant when my reply itself may have come off as arrogant. I apologize for that as well.

I don't think that all IT consultants lack morals or ethics (I do think this of Microsoft as a whole); I've dealt with some excellent consultants and some terrible ones. I do think that they preach the gospel of the vendors they represent all too often, and trusting their judgement has gotten our company into trouble in the past. This is not a criticism of you personally. It would be unfair of me to pass judgement on you without knowing you.

The one interesting difference I'm noticing is that you appear to conflate security and reliability. I do agree that having a supported hardware/software combination is an important component when it comes to reliability. In the case of how we choose to operate, we attempt to mitigate that risk by carefully testing updates and by having a robust failover and disaster recovery strategy. I respect why you would tell a client to buy new hardware to mitigate this risk. However, I'm more dubious of the assumption that using a supported software/hardware combination is as paramount to security as it is to reliability. New hardware certainly introduces new security features that I may not have access to, but the savings associated with pursuing this route mean we have capital to invest in other security software/projects/consultants. Dollar for dollar, I think we get more out of those investments than we would if we were to spend that money on new servers. I know this might not be the case for everyone.

I imagine it is tough being a consultant in this case. I can make that choice for my company because I understand the environment well enough to do it with confidence. As a consultant, you have to put a lot of faith in your clients and have to make choices based on the fact that they are probably only going to call when something goes wrong. I don't envy the position I imagine you often find yourself in when this happens. I still disagree with your hard line on "it's not a supported configuration, therefore it's your fault." But because of this conversation I do at least respect your opinion. I'm ashamed to admit that I was so jaded by this situation that I did not before. Have a wonderful day.
Re: Windows Server 2022 - devices not booting when Secure Boot enabled (KB5022842)

DavidYorkshire It's good to know that Dell is aware of this issue and at least discussing possibly resolving it. I'll reach out to our Dell rep and make them aware of how important this is to us.

"I've just retired an R710 which was nearly 12 years old and was still working OK (running Hyper-V Server 2016 as a host for some undemanding test machines)"

What an interesting coincidence! In November, we retired our fleet of R710s also running Hyper-V 2016 for about 10 years and replaced them with R730s. The servers were working great even when we replaced them. We ended up replacing them because of the licensing benefits of running our cluster in a more dense configuration. We also continue to run a Dell PowerVault MD3200 in production whose storage controllers were manufactured in 2002. The quality of enterprise class hardware really is astonishing.
Re: Windows Server 2022 - devices not booting when Secure Boot enabled (KB5022842)

Alban1998 I do agree this is getting a little off topic. I also apologize if anything I say comes off as personally disrespectful to you. My intention is not to criticize you in a way that is unfair or uninvited.

"Well if your customers are fine with losing money because of unsupported stuff, I guess that's OK."

My "customer" is the company I work for, which experienced zero downtime as a result of this issue. No downtime means no money lost. If someone is losing money over unsupported hardware, that is a failure of the people and processes that set it up, not the hardware/software combination itself. Buying used servers costs about a tenth of what buying new servers costs; who says anyone is losing money? You know who would love for people to believe this is true? Microsoft and its hardware partners. You know who it doesn't benefit? The companies whose IT staff are naïve enough to believe this and end up paying for new servers they should have never bought in the first place. Needlessly wasting your company's money to replace servers because Microsoft says you should, now that sounds like a "resume generating event".

"Defeats the purpose of minimizing costs in the first place tough. Which itself contradicts buying brand new WS2022 licenses and CAL, when you can continue using WS2019, and using physical hardware for servers when you can use VM instead, and so on."

We have SA on all of our Microsoft licensing, so we don't pay for upgrades. No additional costs related to CALs here. All of these servers are Hyper-V hosts. It's unclear to me why you thought otherwise. Needlessly wasting your company's money to buy license upgrades that should have been covered under SA, now that sounds like a "resume generating event".

"And the next post kinda prove [sic] my point":

The only thing this proves is that Dell is hearing from their customers and is discussing if or how they will resolve the issue. This doesn't imply it's Dell's issue to solve. Not understanding the typical behavior of (what is likely) one of your largest vendors and making bad assumptions as a result of that naïveté, now that sounds like a "resume generating event".

"Or if you are really unable to cope with regular on-premise hardware upgrade, go Azure/AWS/Google."

Hosting the same workloads we host on-premises today in Azure would be far more expensive than hosting them the way we do. It would also be more expensive than buying new hardware. The only time it might make financial sense to host in Azure is if you have a highly variable workload that benefits from the scalability of Azure. Many companies are moving from Azure/AWS/Google back into their own data centers specifically because the promised cost savings simply don't exist. Do you think a company like Microsoft would be pushing so hard to get people into Azure if it wasn't financially beneficial to them? Needlessly wasting your company's money putting workloads in expensive public clouds, now that sounds like a "resume generating event".

"As for disabling Secure Boot to bypass your issue, and claiming VBS/CG are fine without it...yeah, good luck with that."

This is working without issue on every server this has affected. Luck is not needed here. The servers I manage have had nearly zero unscheduled downtime over the past decade. Because of the way we manage hardware lifecycles ("unsupported stuff"), I have saved my company tens (if not hundreds) of thousands of dollars over that time period. I wasn't aware that "Resume Generating Event" was an acronym before you brought it up in your post. You know why that might be? Because it's not something I've ever had to worry about.

There's an important lesson here that you seem to not understand: Microsoft, Dell, and IT consultants are for-profit entities that operate in their own financial best interest. Everything they do (including the guidance they provide) is in service of that goal. Be careful not to let your arrogance prevent you from understanding the implications of this lesson. That could end up being a "Resume Generating Event" for you.
Re: Windows Server 2022 - devices not booting when Secure Boot enabled (KB5022842)

Alban1998 It is absolutely normal to run more recent OSes on older hardware in a combination that is technically not supported by the hardware vendor. The only parties arguing against this are those who financially benefit from customers constantly having to upgrade their hardware. Many companies cannot afford to spend tens of thousands of dollars on brand new hardware because a consultant or vendor tells them that it's too risky not to. Most companies can't afford to drink that Kool-Aid. There are effective ways to mitigate the risk associated with unsupported hardware/software combinations (failover clusters come to mind), but these mitigations don't enrich Microsoft and its hardware partners the same way trying to force people to constantly upgrade their hardware does.

"otherwise, Microsoft would have provided a fix". This implies Microsoft actually tests their updates or cares about their customers. They care about making money and will fix issues that cost them money. This is a pretty recent issue, so it is yet to be determined if Microsoft will fix it or not. I'm still hopeful they will, but I don't think it will be out of the kindness of their heart.

We experienced this issue on a Dell PowerEdge R730XD and an R430. In the case of the R730XD, this was a clean install of Windows Server 2022. After several clean installs, we were able to narrow down the issue to this particular update. We went so far as to back up the Secure Boot database, perform the update that breaks Secure Boot, and restore the database to what it was before that, and Secure Boot still didn't work. The only thing that changed was Microsoft's update. They can blame whoever they want for this issue, but it happened as a result of their update. Thankfully, virtualization based security (including HVCI and Credential Guard) work just fine without Secure Boot. This is despite Microsoft's claim that these features require Secure Boot to function.
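The post above describes backing up the Secure Boot database before the update and checking that VBS, HVCI and Credential Guard still run with Secure Boot off. The script below is an added example, not the poster's procedure or Microsoft's: it snapshots the PK, KEK, db and dbx variables to files with hashes (so a post-update copy can be diffed against them), reports the Secure Boot state, and decodes the DeviceGuard WMI class to show which VBS services are actually running and which platform properties, Secure Boot among them, are available. The backup directory is a placeholder.

```powershell
# Added example (not from the thread): snapshot the Secure Boot variables and
# report VBS/HVCI/Credential Guard state. Run elevated on the server itself.
# ASSUMPTION: the backup directory is a placeholder.
$backupDir = "C:\SecureBootBackup\$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# PK, KEK, db and dbx are the UEFI authenticated variables that make up the Secure Boot database.
foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    try {
        $var  = Get-SecureBootUEFI -Name $name
        $file = Join-Path $backupDir "$name.bin"
        [System.IO.File]::WriteAllBytes($file, $var.Bytes)
        '{0,-4} {1,7} bytes  SHA256 {2}' -f $name, $var.Bytes.Length, (Get-FileHash $file -Algorithm SHA256).Hash
    } catch {
        Write-Warning "$name : $($_.Exception.Message)"
    }
}

# Secure Boot state. Confirm-SecureBootUEFI throws on non-UEFI (legacy BIOS) systems.
try { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" } catch { "Secure Boot: $($_.Exception.Message)" }

# VBS / HVCI / Credential Guard status from the DeviceGuard WMI class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsState = @{ 0 = 'disabled'; 1 = 'enabled, not running'; 2 = 'running' }
$services = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$props    = @{ 1 = 'Base VBS'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure memory overwrite'; 5 = 'NX'; 6 = 'SMM mitigations'; 7 = 'MBEC' }

"VBS: $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"
'Security services running: ' + (($dg.SecurityServicesRunning   | ForEach-Object { $services[[int]$_] }) -join ', ')
'Platform properties available: ' + (($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] }) -join ', ')
```

Run it before and after the update and diff the .bin hashes; an unchanged db/dbx alongside a changed Secure Boot result points at something other than the variable contents, which is what the poster reports. The snapshots are for comparison only: writing a variable back with Set-SecureBootUEFI requires a properly signed authenticated-variable update, so this script does not attempt a restore.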
Re: How to leverage sharepoint column data in sync'd folder?

DeclanHalpin I think what you're trying to do just isn't possible. I'm sure Microsoft's thought here is that you should just be viewing the files in SharePoint directly. I imagine it would be difficult to implement all of the metadata related features into OneDrive and File Explorer, but it certainly would be nice to be able to sync files in a specific view, and I imagine that wouldn't be too hard to implement. I can see a future File Explorer behaving more like a web browser and integrating with SharePoint accordingly, but that seems like something we won't see for some time, if at all.
Re: How to exclude emails from future ZapPhish auto investigations (AIR)

Dimitry Izotov For us, the false positives are from phishing simulation test emails sent by a partner we work with (KnowBe4). In this case, they have a list of domains they use for these tests; they've asked Microsoft (and Microsoft almost certainly knows) that these domains are not malicious, yet Microsoft continues to classify them as such and provides no straightforward workarounds. I think with Microsoft now offering its own "Attack Simulator", we're going to see them become increasingly hostile and inhospitable towards companies like KnowBe4 who, despite offering a far superior and more mature product than what Microsoft is offering, are being treated as a competitive threat. We were planning on upgrading all of our users to Office 365 ATP Plan 2, but because we can't resolve this issue, new features like AIR that make this upgrade worth it are virtually useless. It's really quite sad that Microsoft can't play nicely with others.
Re: How to exclude emails from future ZapPhish auto investigations (AIR)

Dimitry Izotov We've been looking into this and, sadly, I think the answer is no, there is no way to bypass this. We've tried everything to get certain domains excluded and no matter what we do, they continue to trigger AIR investigations. This causes our Investigations list to be cluttered with false positive investigations, making it less likely that we'll be able to identify and act on real threats in a timely manner.
Re: Office 365 ATP in conjunction with a Third Party spam filter

bdelamotte83 So I don't know if you're still looking for an answer to this, but it certainly is possible and it works well. Microsoft has even built functionality into Office 365 to allow for this; they just don't recommend it because (of course) they prefer you use their product as opposed to someone else's. I'm writing this assuming you route your email through a third-party email security gateway, which then passes email along to Office 365.

The feature you are looking for is called Enhanced Filtering for Connectors (https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors): "Enhanced Filtering for Connectors (also known as "skip listing") allows you to filter email based on the actual source of messages that arrive over the inbound connector." In fact, this feature is designed just for the scenario you're describing: "Enhanced Filtering for Connectors is meant to show the value of Exchange Online Protection (EOP) and Advanced Threat Protection (ATP) ... Although it is possible to keep Enhanced Filtering enabled as a permanent solution..."

We use Proofpoint's email security gateway and wondered the same thing as you: can we layer on Exchange EOP protection in order to increase email security for our end users? The answer is yes, and we've just rolled this out to our entire organization. Using this feature also allows you to see what sort of emails EOP would have blocked without actually blocking them. EOP still analyzes the emails, but if you have a rule bypassing this filtering, it won't actively block them until this rule is in place. I'm happy to give you more details on how exactly this works and how you can perform phased testing for some users; let me know if you're interested.

There is not a lot of documentation on the mechanics of enhanced filtering, but I can attest to the fact that it works well, blocking a lot of additional phishing, BEC, and junk email that Proofpoint doesn't catch.
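The reply above describes Enhanced Filtering for Connectors with a phased rollout to some users first and an SCL -1 rule that keeps EOP from acting while you watch its verdicts. The block below is an added example, not the poster's configuration, of how that phasing is expressed in Exchange Online PowerShell: the gateway's IPs are skipped on the inbound connector (EFSkipIPs), the effect is limited to pilot recipients (EFUsers), the bypass rule exempts those pilot recipients so they get real enforcement, and the second phase widens both. The connector name, gateway IPs (RFC 5737 test addresses), pilot mailboxes and rule name are placeholders.

```powershell
# Added example (not from the thread): phased Enhanced Filtering for Connectors.
# ASSUMPTIONS: connector name, gateway IPs, pilot mailboxes and rule name are
# placeholders. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$connectorName = 'Proofpoint Inbound'                              # placeholder
$gatewayIps    = @('203.0.113.10', '203.0.113.11')                 # placeholder gateway egress IPs
$pilotUsers    = @('pilot1@contoso.com', 'pilot2@contoso.com')     # placeholder
$bypassRule    = 'Bypass EOP filtering for gateway'                # placeholder

# Phase 1: skip the gateway's hops when EOP works out the true source, for pilot recipients only.
# EFSkipIPs lists the gateway addresses to ignore; EFUsers restricts the effect to those recipients.
Set-InboundConnector -Identity $connectorName -EFSkipIPs $gatewayIps -EFUsers $pilotUsers

# The SCL -1 rule stops EOP acting on gateway traffic for everyone except the pilot recipients,
# so verdicts stay visible (message trace, Explorer) while only the pilots see enforcement.
New-TransportRule -Name $bypassRule -SenderIpRanges $gatewayIps -ExceptIfSentTo $pilotUsers -SetSCL -1

# Phase 2: widen to every recipient (clear EFUsers) and stop bypassing EOP.
Set-InboundConnector -Identity $connectorName -EFUsers $null
Disable-TransportRule -Identity $bypassRule -Confirm:$false

# Verify the connector state.
Get-InboundConnector -Identity $connectorName |
    Select-Object Name, ConnectorType, EFSkipLastIP, EFSkipIPs, EFUsers
```

If the gateway sits as the single last hop in front of Exchange Online, EFSkipLastIP $true can replace the explicit IP list; listing the IPs is the safer choice when the gateway has several egress addresses or other relays are in the path. Leaving the SCL -1 rule in place after phase 2 is the state the reply warns about: EOP scores the mail but never acts on it.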
Re: No way of running OneDrive on Windows Server 2019?

I really just don't understand Microsoft here. We have legacy applications running on a Windows Server 2016 RDSH server. We were waiting for Windows Server 2019 so that we could use OneDrive and Files On-Demand for our file shares, and now OneDrive is not supported at all? I know Microsoft's goal here is to get people to use VDI instead, but this is just not something we're going to do. Unfortunately, it looks like we won't be able to roll out OneDrive for Business across our organization so long as Microsoft chooses to not support it on its server products. Companies like us still need RDS! Very frustrating.
Re: AAD Connect - Password Hash Sync - Seamless SSO - Office 2013/2016

We're having the same issue. My understanding of this is that the app automatically signs in using AD DS on first launch. The users aren't being logged in using ADAL at all; it just so happens that the on-prem UPN is the same as the user's Azure AD login name (https://technet.microsoft.com/en-us/library/jj715259.aspx). You can verify this by opening or saving a document in Word (which generates the user's "recent" list). Then navigate to HKCU\Software\Microsoft\Office\15.0\Word\User MRU. A user properly logged in to Azure AD will have a hive beginning with "ADAL_" in this directory, whereas one where the domain user is being logged in will begin with "AD_".

We have Azure AD Connect with seamless SSO set up properly and can verify it works properly in the browser. We also have modern authentication enabled like you do. When we sign out of the local user, then sign in again using the user's email/UPN, seamless SSO works perfectly and the user connects using their ADAL account.

The page linked above includes the following paragraph, entitled "Single sign-on, Active Directory, and federated sign-in", that states: "When a user signs in to Office 2013, Office automatically tries to use the Active Directory Domain Services (AD DS) account with which the user logged into the operating system. If that Active Directory account is federated with Office 365, the customer automatically receives all the benefits of signing into Office 365 without having to perform any additional steps."

I get the feeling that, in this article, when they say "Federated", they are referring specifically and exclusively to AD FS. Microsoft needs to clarify this.
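The reply above gives a manual check: look under the Office User MRU key and see whether the subkey is prefixed "ADAL_" (Azure AD sign-in) or "AD_" (automatic AD DS sign-in). The function below is an added example, not from the thread, that runs that check across several Office apps for the current user and prints the Windows UPN alongside, since the reply's point is that the on-prem UPN merely happens to match the Azure AD login name. The Office version 15.0 is the one named in the post; 16.0 is the assumption for Office 2016 and later.

```powershell
# Added example (not from the thread): classify each identity Office used for its
# MRU list by key prefix, as described in the reply. ASSUMPTION: version 15.0
# (Office 2013) as in the post; pass -OfficeVersion '16.0' for Office 2016+.
function Get-OfficeMruIdentity {
    param(
        [string]$OfficeVersion = '15.0',
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\User MRU"
        if (-not (Test-Path $key)) { continue }    # app never opened a document, no MRU yet
        foreach ($sub in Get-ChildItem $key) {
            $leaf = Split-Path $sub.Name -Leaf
            [pscustomobject]@{
                App      = $app
                Identity = $leaf
                SignIn   = $(switch -Wildcard ($leaf) {
                    'ADAL_*' { 'Azure AD (modern auth)' }
                    'AD_*'   { 'On-prem AD DS (automatic sign-in)' }
                    default  { 'Other' }
                })
            }
        }
    }
}

Get-OfficeMruIdentity | Format-Table -AutoSize

# Seamless SSO depends on the Windows account's UPN matching the Azure AD sign-in name;
# whoami /upn fails for local (non-domain) accounts, hence the redirect.
$upn = (whoami /upn 2>$null)
"Windows UPN: $upn"
```

An "AD_" row for a user who appears signed in is the situation the reply describes: Office never went through ADAL, and the sign-in only looks right because the UPNs coincide.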