User Profile
dretzer
Iron Contributor
Joined 7 years ago
Recent Discussions
Re: Windows 11 assigned access - setting kiosk mode over powershell and WMI
To use the WMI Bridge Provider (which is what you are doing here), you have to run it as local SYSTEM. Administrator is not enough. You can read more about the WMI Bridge Provider and how to use it with PowerShell here: https://learn.microsoft.com/en-us/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider

Re: Long adding users to the group in Windows Server 2022
Group Membership is only evaluated on logon. So, if you change the membership of a user (or a group the user belongs to), you must tell the user to log off and log on again. Afterwards he should immediately have his new permissions.

Re: Robocopy did something weird and now my iSCSI volume shows it's at 100% capacity
If you use "robocopy.exe /MIR" from one Volume-Root to another Volume-Root, you have to specifically exclude "System Volume Information". If you did not do that, you effectively mirrored the sysvolinfo folder from the source filesystem to the destination filesystem, which may explain a lot of your problems. There could be other reasons for your problems as well, but that would be the first that came to my mind.

If you want to copy whole volumes with robocopy you have to make sure not to include "System Volume Information" in your copy job. This is a hidden directory inside any NTFS, exFAT or ReFS Volume which contains (sometimes vital) additional volume information for the filesystem. Additionally, if there are any reparse points or symlinks in your source, you should only copy the links, not the contents. The correct way to mirror a volume with robocopy.exe would be something like this:

    robocopy.exe X:\ Y:\ /MIR /XJ /XD "System Volume Information"

Add to that all additional switches you want. This would give you a full copy of the volume contents, without destroying the target sysvolinfo directory and without recursive copy of symlinks and reparse points.

Re: Store for Business - Multiple Users in One Machine
This is not correct for Store-Apps. All UWP and many non-UWP Apps from the store can be installed without administrative permissions. That was one of the big ideas for modern Windows Apps, to enable users to install/uninstall their own apps, without security implications or administrative problems. As there are now non-UWP Apps in the store as well, there are some exceptions which actually need administrative permissions to install. But the majority of them are sandboxed user-mode applications only.

Re: Store for Business - Multiple Users in One Machine
Yes, they both need to install the app separately. No, they do not get installed twice. Store-Apps get installed into "%PROGRAMFILES%\WindowsApps\" and get linked into "%LOCALAPPDATA%\Microsoft\WindowsApps\". So the first user that installs an App from the store actually downloads the binaries and puts them into the program files directory. After that, the files get linked into the user profile and only user-specific data is saved into the user's profile. The next user that installs the same app just has to wait for a binary check (if the app inside program files is the correct version available online) and, if it checks out ok, just gets the corresponding links inside his user profile.

EDIT: The above assumes an up-to-date Windows 10 or Windows 11 version!

Re: How to add a new DC in an existing domain when there is no Windows DNS Server?
No, you don't need to use Microsoft DNS for ADDS (though I would highly recommend it). You can use BIND or another third-party DNS-Service for ADDS, as long as it supports the needed entry types (SRV for example). You can read more about it here: https://www.techopedia.com/2/31981/networking/networking-hardware/dismissing-the-myth-that-active-directory-requires-microsoft-dns

This should put you on the right track. Personally, if you really want to do this, I would first check that the current BIND-Zone for ADDS really contains all needed entries (and they are correct), and then try to configure dynamic DNS-Updates for your BIND-Servers. If you can't configure dynamic DNS-Updates for your BIND, you have to create all needed DNS-entries manually. That said, you will still have problems integrating other software which relies heavily on ADDS (for example Exchange Server), and should migrate to a Microsoft DNS solution as soon as you can.
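The zone check that the reply above recommends as a first step, as an added example that is not part of dretzer's post: it resolves the SRV records a domain-joined Windows client uses to locate domain controllers (the same records whether the zone lives on Microsoft DNS or BIND) and reports which are missing or point at hosts that do not resolve. The domain name is a placeholder; run it on a domain member that uses the BIND servers for resolution.

```powershell
# Added example (not from the thread): verify that the AD DNS zone carries the
# SRV records domain clients depend on. $domain is a placeholder value.
$domain = 'corp.example'        # placeholder, replace with your AD DNS domain name
$forest = $domain               # forest root zone; adjust for a child domain

# Locator records a client queries when looking for a DC, Kerberos KDC, PDC or GC.
$records = @(
    "_ldap._tcp.$domain",
    "_kerberos._tcp.$domain",
    "_kpasswd._tcp.$domain",
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.pdc._msdcs.$domain",
    "_gc._tcp.$forest"
)

function Test-AdSrvRecord([string]$name) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            return [pscustomobject]@{ Record = $name; Status = 'MISSING'; Targets = '' }
        }
        # An SRV record whose target has no A record still breaks DC location,
        # so each NameTarget is resolved as well.
        $unresolved = $srv.NameTarget | Where-Object {
            -not (Resolve-DnsName -Name $_ -Type A -DnsOnly -ErrorAction SilentlyContinue)
        }
        $status = if ($unresolved) { 'TARGET-UNRESOLVED' } else { 'OK' }
        [pscustomobject]@{ Record = $name; Status = $status; Targets = ($srv.NameTarget -join ', ') }
    } catch {
        # Resolve-DnsName throws when the name does not exist in the zone.
        [pscustomobject]@{ Record = $name; Status = 'MISSING'; Targets = '' }
    }
}

$results = $records | ForEach-Object { Test-AdSrvRecord $_ }
$results | Format-Table -AutoSize

if ($results.Status -contains 'MISSING' -or $results.Status -contains 'TARGET-UNRESOLVED') {
    Write-Warning 'Zone is incomplete: create the missing records or enable dynamic updates.'
}
```

Running this before and after enabling dynamic updates on the BIND servers shows whether the domain controllers were able to register their own records, which is the condition the reply says must hold before other ADDS-dependent software will work.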
Re: Windows Server 2019 Datacenter host and Windows Server 2019 Standard Virtual Machine / Activation
If your Virtualization Host runs a correctly licensed version of Windows Server 2019 Datacenter, it can use AVMA to activate any WS2019, WS2016 and WS2012R2 VM (Datacenter and Standard). Just provide the correct AVMA-Key for the VM and it will activate automatically via the host. You can get a list of all needed AVMA-Keys here: https://docs.microsoft.com/en-us/windows-server/get-started-19/vm-activation-19

Re: Which versions to upgrade to - confused
No, you have to do a fresh install. The reason being, that in the LTSC version components from the SAC version are missing. For example Microsoft Store Apps. An Upgrade would have to migrate from SAC with more software components to LTSC with less software components. As there is no safe way to do this without possible data loss, it is not supported at all. You have to do a clean install with an LTSC version.

Re: Map drive group policy Preferences not applying consistently
As you are using Item-Level-Targeting, a common problem can be that the evaluation of group membership cannot be done before applying the GPO. 2 possible reasons you could check for:
1. Network connection to a domain controller with global catalog is not possible before user-login (user-vpn, network-level filtering, WLAN, ...)
2. The user is member in a group across your domain-boundary (you mentioned a two-way-trust to an old domain) and the evaluation of universal group membership takes too long or has errors for some users.

Re: Locking down the Microsoft Store
You can either disable the Microsoft Store completely, or use the Windows Store for Business only. If you want to do the latter, first make sure you configured the Business Store to your liking and then disable the public store either with GPO or Intune:

GPO: Computer Configuration > Administrative Templates > Windows Components > Store > Only Display The Private Store within the Microsoft Store

Intune: https://docs.microsoft.com/de-de/archive/blogs/beanexpert/block-windows-10-public-store-using-microsoft-intune-but-still-allow-the-business-store

Re: Kernel DMA Protection in dell inspiron 14 5405
You can read about the limitations of credential guard here: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-protection-limits

So, no. If you use only local accounts you don't need credential guard.

Regarding WDAC: It depends if you want to use it. WDAC is a very strong security feature which can protect you from many attack vectors, but it also needs a lot of knowledge to implement correctly. Also it does not work automatically, meaning you have to constantly refine it and alter it to your needs. Without a central management of some sort this will be hard to do. The recommendation for combining it with Applocker (Enterprise feature only) comes from the limitation of WDAC to only work on a system level. With Applocker you can make user-based exceptions for whitelisting/blacklisting. Combining both is the best way for large enterprises.

Re: Kernel DMA Protection in dell inspiron 14 5405
    SecurityServicesRunning : {1, 2}

This means that credential guard (1) and HVCI (2) are running too. So you already have VBS, Credential Guard and HVCI running correctly. Be aware that credential guard only protects domain credentials! It does not protect any other credentials, like for example, local accounts. So if you want to use CG, make sure that you use only domain accounts and block any creation or usage of local accounts.

Mehdi_Sellami

Re: Kernel DMA Protection in dell inspiron 14 5405
If you want to check if VBS is running use the following command in an administrative PowerShell console:

    $dgstatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $dgstatus.VirtualizationBasedSecurityStatus

This will return a number from 0 to 2.
0 = VBS not available
1 = VBS available but not running
2 = VBS available and running

You can also type $dgstatus to see all information about device guard. You can find a description of all the values on this site: https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity

Mehdi_Sellami

Re: Kernel DMA Protection in dell inspiron 14 5405
You don't need Kernel DMA Protection for Device Guard. What you need is:
64-bit CPU
SLAT
IOMMU (Intel VT-d or AMD-Vi)
TPM 2.0
SMM Protection (Firmware)
UEFI Memory Reporting
MOR2
HVCI compatible drivers

That said, I'm not sure if your AMD CPU even supports Device Guard. It should support virtualization, and I'm not firm with AMD CPUs for enterprise usage. According to AMD they support all Secure-Core-PC features (among those Device Guard) with their AMD Pro series of processors: https://www.amd.com/en/technologies/pro-security

Also Credential Guard needs Windows 10 Enterprise. You cannot use it with Windows 10 Pro. You can still use Device Guard (though you may have to do some pre-configuration on a different Windows 10 Enterprise installation) and you can use VBS with or without HVCI.

To answer your other questions more directly: kernel DMA protection is an additional hardware feature and protects especially from DMA-device security issues (PCIe, Thunderbolt, ...). It needs support from your hardware (CPU, Mainboard, Firmware) to work and is not tied to device guard or credential guard. It needs VBS to work correctly, but it is not needed for VBS.

coreinfo gives you wrong information because when you run a hypervisor some queries are not returned correctly from the CPU. Make sure you run coreinfo in an administrative prompt, but even then, all the virtualization information is not reliable when virtualization is running.

I'm not sure if you really want device guard (a collection of features that prevents code from running on your machine) or if you just want VBS.

Mehdi_Sellami
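The three Kernel DMA Protection replies above read the Win32_DeviceGuard fields by hand. As an added example that is not part of dretzer's posts, the script below pulls the same CIM instance once and decodes the status, the configured and running services (1 = Credential Guard and 2 = HVCI are the values discussed in the thread; 3 and 4 are further documented values), and the platform properties VBS requires versus those the hardware reports, which maps onto the hardware list in the last reply (IOMMU, MOR2, SMM protection). Value meanings follow the Microsoft DeviceGuard WMI documentation the replies link to. Run from an elevated PowerShell console.

```powershell
# Added example (not from the thread): decode Win32_DeviceGuard and flag services
# that are configured but not running, or platform properties that are required
# but not available. Value tables follow the Microsoft DeviceGuard WMI docs.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

$vbsStatus = @{
    0 = 'VBS not available'
    1 = 'VBS available but not running'
    2 = 'VBS available and running'
}

# SecurityServicesConfigured / SecurityServicesRunning values.
$services = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

# RequiredSecurityProperties / AvailableSecurityProperties values; these are the
# hardware prerequisites from the reply above as Windows reports them.
$properties = @{
    1 = 'Base virtualization support'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure Memory Overwrite (MOR)'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control'
}

function Decode([int[]]$values, [hashtable]$table) {
    if (-not $values -or $values.Count -eq 0) { return '(none)' }
    ($values | ForEach-Object {
        if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "unknown ($_)" }
    }) -join ', '
}

'VBS status           : {0}' -f $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
'Services configured  : {0}' -f (Decode $dg.SecurityServicesConfigured $services)
'Services running     : {0}' -f (Decode $dg.SecurityServicesRunning $services)
'Required properties  : {0}' -f (Decode $dg.RequiredSecurityProperties $properties)
'Available properties : {0}' -f (Decode $dg.AvailableSecurityProperties $properties)

# A service enabled by policy that never starts usually means a platform
# property is missing; surface both conditions explicitly.
$notRunning = $dg.SecurityServicesConfigured | Where-Object { $_ -notin $dg.SecurityServicesRunning }
if ($notRunning) {
    Write-Warning ('Configured but not running: ' + (Decode $notRunning $services))
}
$missing = $dg.RequiredSecurityProperties | Where-Object { $_ -notin $dg.AvailableSecurityProperties }
if ($missing) {
    Write-Warning ('Required platform property not available: ' + (Decode $missing $properties))
}
```

On the machine from the thread (VirtualizationBasedSecurityStatus 2, SecurityServicesRunning {1, 2}) the first three lines would report VBS running with Credential Guard and HVCI, and neither warning would fire.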
Re: Factory Reset Windows 10 without user intervention
The "OEM stuff" is found in C:\Recovery\*. If you remove all contents in this folder before you initiate the device reset, it should restore a clean windows installation without any "OEM stuff". Keep in mind though, that certain driver packages will be migrated to the new installation. Sometimes these can contain additional software packages included in the device driver package (for example audio control panels from the audio driver).

divadiow220

Re: Factory Reset Windows 10 without user intervention
Hi. You are trying to run the script with not enough privileges. The needed WMI methods can only be invoked with SYSTEM privileges. Membership in "Administrators" is not enough.

To execute a PowerShell script manually with SYSTEM privileges, you can, for example, use psexec.exe from Microsoft Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

Place the .exe file and the .ps1 file in the same directory and execute psexec.exe with administrative privileges the following way (replace the paths as necessary):

    C:\Scripts\psexec.exe -accepteula -S powershell.exe -command C:\Scripts\wipe.ps1

Another way, which you can do remotely and without psexec (group policy for example), would be to create a scheduled task running as SYSTEM and executing the script. You can then execute the task on demand or with a time/date schedule.

DJK46320
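The scheduled-task alternative the reply above mentions, as an added example that is not part of dretzer's post (it equally applies to the WMI Bridge Provider reply at the top of this list, which has the same SYSTEM requirement): register a task whose principal is the local SYSTEM account, start it on demand, wait for it, and read back the result code. The script path and task name are placeholders; the task is removed afterwards so it cannot be re-run unintentionally. Run from an elevated PowerShell console.

```powershell
# Added example (not from the thread): run a PowerShell script as SYSTEM through
# the Task Scheduler instead of psexec. $scriptPath and $taskName are placeholders.
$scriptPath = 'C:\Scripts\your-script.ps1'   # placeholder, replace with the script to run
$taskName   = 'Run-Script-AsSystem'           # placeholder task name

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""

# SYSTEM is a service account: no stored password, runs with highest privileges.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# No trigger is attached; the task is started on demand below. Add a
# New-ScheduledTaskTrigger to -Trigger for a time/date schedule instead.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal `
    -Settings $settings -Force | Out-Null

Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 2

# Poll until the task leaves the Running state, then report the script's exit code
# (0 means the script finished successfully).
while ((Get-ScheduledTask -TaskName $taskName).State -eq 'Running') {
    Start-Sleep -Seconds 2
}
$result = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
"Task '$taskName' finished with result code $result"

# Remove the one-shot task so a SYSTEM-level task is not left behind.
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
```

Deployed through group policy, the same Register-ScheduledTask call can be placed in a startup script, which is the remote variant the reply describes.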
Re: Can server 2016/2019 manage domain computers through GPO for Linux(Ubuntu) and MAC
bappaditya The short answer is no.

The long answer: Group policies are settings (mostly registry, logon-scripts, security-policies, and so on) which are available on a file-share (SYSVOL) for all domain clients to consume. A Windows client has to apply these policies itself using a client agent (Group Policy Client which you find in Windows services). So the actual GPO-Engine is inside the client, not the domain-controller. The DC just makes sure the client can consume the policies and it also manages which policies the client should consume.

Theoretically a Linux or Mac could consume the contents of SYSVOL if it is domain-joined and wants to, but neither operating system has a built-in functionality for this. Furthermore as everything found inside the SYSVOL is very Windows-specific, even if a Mac would try to consume it, it wouldn't know what to do with a registry setting for example.

You can use third party solutions for this. There are solutions which let a Linux-Domain-Client consume shell-scripts from a SYSVOL share on logon, which would allow you to implement something similar to group policies. In the end, group policies are a Windows operating system feature and the other platforms do not have anything comparable to that (shell-scripts and config-files alone cannot get you the full featureset of GPOs).

If you want to manage settings on macOS and Linux, try using Intune instead. Microsoft Intune can manage Linux and Mac Clients. You can combine it with MS Defender ATP and get configuration and compliance monitoring this way.

Re: Regarding Windows 10 file system access and privacy
Ysera_Dreamer The main switch for the setting enables the functionality. So setting this to OFF disables it entirely. Having this setting ON just means that Windows will support the functionality, but apps still need to ask for this permission on a per-app basis. If you turn it OFF an app can't even ask for it as the basic functionality to even get file-system-access is disabled.

Regarding your games on Steam: as they are not using UWP it's the Steam client's responsibility to make sure your system is safe. Sadly history showed that Valve is very bad at this. There are sad stories with how they treated security researchers in the past regarding bugs in the Steam client. If security is your concern, I recommend looking for your games on the Microsoft Store before you buy them on Steam. Only get games on Steam if the game is not available on the Microsoft Store. Also make sure your Windows account does not have administrative permissions but instead use a standard user account to use Steam and Steam games. Remember that non-UWP software always has the same permissions as you (and UAC for admin-accounts is not a security boundary).