Active Directory, Azure

Five steps to securing your identity infrastructure in Azure Active Directory

This link to the Microsoft document will help you get a more secure posture using the capabilities of Azure Active Directory by using a five-step checklist to inoculate your organization against cyber-attacks.

This checklist will help you quickly deploy critical recommended actions to protect your organization immediately by explaining how to:

  • Strengthen your credentials.
  • Reduce your attack surface area.
  • Automate threat response.
  • Increase your awareness of auditing and monitoring.
  • Enable more predictable and complete end-user security with self-help.

https://docs.microsoft.com/en-us/azure/security/azure-ad-secure-steps

Active Directory, DISM, Group Policy Objects, Group Policy Preferences, Uncategorized, Windows 10

Setting Acrobat Reader DC as the default PDF viewer on Windows 10 with a GPO

  1. Create an AdobeReaderAssociations.xml file as described in the Adobe Enterprise Administration Guide, or create your own using DISM
  2. Copy that file to a shared location. Using Group Policy Preferences, copy the XML file to the local device
  3. Apply the XML file by opening the Group Policy and navigating to Computer Configuration\Administrative Templates\Windows Components\File Explorer\Set a default associations configuration file
  4. Select Enabled, specify the path to the XML file and click Apply
  5. The corresponding registry entry is HKLM\Software\Policies\Microsoft\Windows\System\DefaultAssociationsConfiguration
Thanks to the GuruPackager
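The steps above in script form, as an added example that is not part of the original post or of Adobe's guide: it exports the current associations with DISM (so you can confirm the ProgId Reader DC registered), writes a minimal associations file, and checks the registry value the policy sets. The share path, the local file location and the ProgId `AcroExch.Document.DC` are assumptions; verify the ProgId against the DISM export on your own reference machine.

```powershell
# Added example (not from the original post or Adobe's guide). Run elevated.
# Assumptions: $Share and $LocalCopy are constructed paths; the ProgId below is the
# one Reader DC registers on a typical install (confirm it in the DISM export).
$Share     = '\\fileserver\Deploy\AdobeReaderAssociations.xml'
$LocalCopy = 'C:\ProgramData\Policies\AdobeReaderAssociations.xml'
$Export    = Join-Path $env:TEMP 'CurrentAssoc.xml'

# 1. Export this machine's associations and show the entry that .pdf currently maps to.
Dism.exe /Online "/Export-DefaultAppAssociations:$Export"
Select-String -Path $Export -Pattern 'Identifier="\.pdf"' | ForEach-Object { $_.Line }

# 2. Build the file the GPO will point at. Only .pdf is listed; other defaults are untouched.
$Xml = @'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".pdf" ProgId="AcroExch.Document.DC" ApplicationName="Adobe Acrobat Reader DC" />
</DefaultAssociations>
'@
New-Item -ItemType Directory -Path (Split-Path $LocalCopy) -Force | Out-Null
Set-Content -Path $LocalCopy -Value $Xml -Encoding UTF8
Copy-Item -Path $LocalCopy -Destination $Share -Force   # staging copy that GPP will distribute

# 3. After the policy applies, confirm the registry value exists and points at a real file.
$Key    = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$Policy = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
if ($Policy.DefaultAssociationsConfiguration -and (Test-Path $Policy.DefaultAssociationsConfiguration)) {
    "DefaultAssociationsConfiguration = $($Policy.DefaultAssociationsConfiguration)"
} else {
    'DefaultAssociationsConfiguration is not set, or the file it names is missing on this device'
}
```

The policy only takes effect for users whose profile is created after the file is in place, so test with a fresh user account rather than an existing profile.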
Active Directory, Administration, Azure, Configuration Manager 2012, Configuration Manager 2016, Deployment, EMS, Intune, Microsoft, Office 365, Security, Training & Workshop, Uncategorized, Windows 10

Microsoft Ignite – Configuration Manager What’s Next?

System Center Configuration Manager Overview and Roadmap

Learn about the latest developments in System Center Configuration Manager (ConfigMgr), watch demos, and understand what is coming next.

Windows has evolved. Simplify Windows 10 management and lower the Total Cost of Ownership (TCO) with the Microsoft Cloud. See how Enterprise Mobility + Security (EMS) and Windows 10 can be used together to ease procurement, simplify provisioning and lower TCO through modern management & security, and deliver cloud-based updates without the need for an on-premises infrastructure.


Active Directory, Azure, BitLocker, Windows 10

Enable BitLocker on Azure AD Joined Windows 10 Device

Windows 10 devices will automatically encrypt the local drive when joined to Azure Active Directory (AAD). The device must be InstantGo capable.

InstantGo (formerly known as Connected Standby) is a very low power state that some devices support. It is much like your mobile phone: it is almost switched off but can still receive text messages and e-mails, and it switches to a different power state when a phone call comes in.

How do you check this?

Open a command prompt and type powercfg /a

Devices that have InstantGo support will return “Network Connected”:


Where do I find the recovery key?

Users can retrieve their recovery key by going to http://myapps.microsoft.com, selecting Devices and then selecting the device for which they want the recovery key.

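An added example, not from the original post, that checks the two prerequisites the post names (InstantGo support via powercfg /a and the Azure AD join state) and then makes sure the OS drive's recovery password is escrowed to Azure AD, which is what makes it appear under Devices in myapps.microsoft.com. It assumes the BitLocker PowerShell module is present (it ships with Windows 10) and is run elevated.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the device.

# 1. InstantGo: powercfg /a lists "Network Connected" under S0 Low Power Idle on capable hardware.
$InstantGo = [bool](powercfg.exe /a | Select-String -SimpleMatch 'Network Connected')
"InstantGo capable: $InstantGo"

# 2. Azure AD join state: dsregcmd /status prints 'AzureAdJoined : YES' on a joined device.
$AadJoined = [bool](dsregcmd.exe /status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
"Azure AD joined: $AadJoined"

# 3. BitLocker state of the OS drive, and whether a recovery password protector exists.
$Drive = $env:SystemDrive
$Vol   = Get-BitLockerVolume -MountPoint $Drive
"Protection: $($Vol.ProtectionStatus), status: $($Vol.VolumeStatus) ($($Vol.EncryptionPercentage)%)"

$Recovery = $Vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $Recovery) {
    # A TPM-only drive has nothing a user could recover with; add a numerical recovery password.
    $Recovery = (Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 4. Escrow every recovery password to Azure AD (safe to repeat; the cmdlet is silent on success).
foreach ($Kp in $Recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $Kp.KeyProtectorId
    "Escrowed recovery protector $($Kp.KeyProtectorId) for $Drive to Azure AD"
}
```

Step 4 is the part worth automating: a drive that was encrypted before the device joined Azure AD can have a recovery password that was never escrowed, and the user will then find nothing under Devices when they need it.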

Active Directory, Administration, Deployment, MDT, PowerShell, Script, Windows 10, Windows Preinstallation Environment

PowerShell – Configure Active Directory Permissions to Join Computer to the Domain

In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.

These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample Set-OUPermissions.ps1 script and copied it to C:\Setup\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.

  1. On DC01, using Active Directory Users and Computers, browse to contoso.com / Contoso / Service Accounts.
  2. Select the Service Accounts organizational unit (OU) and create the MDT_JD account using the following settings:
    1. Name: MDT_JD
    2. User logon name: MDT_JD
    3. Password: P@ssw0rd
    4. User must change password at next logon: Clear
    5. User cannot change password: Select
    6. Password never expires: Select
  3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press Enter after each command:
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
    Set-Location C:\Setup\Scripts
    .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
  4. The Set-OUPermissions.ps1 script grants the MDT_JD user account the permissions needed to manage computer accounts in the Contoso / Computers OU. The permissions being granted are:
    1. Scope: This object and all descendant objects
      1. Create Computer objects
      2. Delete Computer objects
    2. Scope: Descendant Computer objects
      1. Read All Properties
      2. Write All Properties
      3. Read Permissions
      4. Modify Permissions
      5. Change Password
      6. Reset Password
      7. Validated write to DNS host name
      8. Validated write to service principal name
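The permission list above, implemented as an added example: this is not the Set-OUPermissions.ps1 script from the MDT documentation, but a script of my own that grants exactly the ACEs the post lists (and nothing else) with the ActiveDirectory module, then prints what the account ended up with so the delegation can be checked. It assumes RSAT is installed, that it runs as a domain admin, that the account and OU names are the sample ones from the post, and that the schema and extended-right GUIDs are the well-known values from the Active Directory schema.

```powershell
# Added example (not the MDT Set-OUPermissions.ps1). Assumptions: ActiveDirectory module,
# domain-admin rights, sample account/OU names from the post, well-known schema GUIDs.
param(
    [string]$Account  = 'MDT_JD',
    [string]$TargetOU = 'OU=Workstations,OU=Computers,OU=Contoso'
)
Import-Module ActiveDirectory

$ComputerClass  = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schema class: Computer
$ResetPassword  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right: Reset Password
$ChangePassword = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # extended right: Change Password
$ValidatedDns   = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # validated write: DNS host name
$ValidatedSpn   = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # validated write: service principal name
$AllProperties  = [Guid]::Empty                                    # empty GUID = all properties

$OuDn = "$TargetOU,$((Get-ADDomain).DistinguishedName)"
$Sid  = (Get-ADUser -Identity $Account).SID
$Acl  = Get-Acl -Path "AD:\$OuDn"

# Helper: one Allow ACE for $Sid. $InheritedType restricts the ACE to a single object class.
function New-MdtAce {
    param([string]$Rights, [Guid]$ObjectType, [string]$Inherit, [Guid]$InheritedType = [Guid]::Empty)
    $r = [System.DirectoryServices.ActiveDirectoryRights]$Rights
    $i = [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit
    $t = [System.Security.AccessControl.AccessControlType]::Allow
    if ($InheritedType -eq [Guid]::Empty) {
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Sid, $r, $t, $ObjectType, $i)
    } else {
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Sid, $r, $t, $ObjectType, $i, $InheritedType)
    }
}

# Scope "This object and all descendant objects": create and delete Computer objects.
$Acl.AddAccessRule((New-MdtAce 'CreateChild, DeleteChild' $ComputerClass 'All'))

# Scope "Descendant Computer objects": every remaining right is limited to computer objects.
foreach ($Ace in @(
    (New-MdtAce 'ReadProperty, WriteProperty' $AllProperties  'Descendents' $ComputerClass),  # Read/Write All Properties
    (New-MdtAce 'ReadControl, WriteDacl'      $AllProperties  'Descendents' $ComputerClass),  # Read/Modify Permissions
    (New-MdtAce 'ExtendedRight'               $ChangePassword 'Descendents' $ComputerClass),
    (New-MdtAce 'ExtendedRight'               $ResetPassword  'Descendents' $ComputerClass),
    (New-MdtAce 'Self'                        $ValidatedDns   'Descendents' $ComputerClass),  # Self = validated write
    (New-MdtAce 'Self'                        $ValidatedSpn   'Descendents' $ComputerClass)
)) { $Acl.AddAccessRule($Ace) }

Set-Acl -Path "AD:\$OuDn" -AclObject $Acl

# Verify: anything listed here that is not in the post's table is a delegation mistake.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$Account" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The scoping matters: the create/delete rights are granted on the OU itself, while the property, permission and password rights are inherited only by Computer objects (`Descendents` plus the Computer class GUID), so the join account gets nothing over users or groups that happen to live under the same OU.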
Active Directory, Deployment, Group Policy Objects

Microsoft Local Administrator Password Solution (LAPS)

Microsoft offers the Local Administrator Password Solution (LAPS), which addresses the problem of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as help desk administrators, are authorized to read those passwords.

LAPS simplifies password management while helping customers implement recommended defenses against cyber attacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.

LAPS stores the password for each computer’s local administrator account in Active Directory, in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.

The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration.

https://www.microsoft.com/en-us/download/details.aspx?id=46899

How to: Set up the Microsoft Local Administrator Password Solution (LAPS) in Active Directory

https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/
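The AdmPwd.PS steps behind the description above, as an added example (not code from the post or from the 4sysops guide): it extends the schema, lets computers in an OU write their own password, delegates read and reset to one helpdesk group, and then audits who actually holds those extended rights on the OU, which is the check a defender wants before trusting the deployment. The OU, group and computer names are constructed; the LAPS management tools (the AdmPwd.PS module) and the LAPS Group Policy settings are assumed to be installed and enabled.

```powershell
# Added example (not from the post or the linked guide). Requires the LAPS management
# tools; step 1 needs Schema Admins. OU, group and computer names are constructed.
Import-Module AdmPwd.PS

$TargetOU = 'OU=Workstations,OU=Contoso,DC=contoso,DC=com'   # constructed
$Readers  = 'CONTOSO\Helpdesk-LAPS-Readers'                  # constructed group
$Computer = 'WS001'                                           # constructed computer name

# 1. One-time: add ms-Mcs-AdmPwd (confidential) and ms-Mcs-AdmPwdExpirationTime to the schema.
Update-AdmPwdADSchema

# 2. Let each computer under the OU write its own password and expiry time (SELF only).
Set-AdmPwdComputerSelfPermission -OrgUnit $TargetOU

# 3. Delegate read and reset rights to the helpdesk group and no one else.
Set-AdmPwdReadPasswordPermission  -OrgUnit $TargetOU -AllowedPrincipals $Readers
Set-AdmPwdResetPasswordPermission -OrgUnit $TargetOU -AllowedPrincipals $Readers

# 4. Audit: list every principal with extended rights on the OU. Anyone here who is not
#    a domain admin group or $Readers can read every local admin password beneath it.
Find-AdmPwdExtendedRights -Identity $TargetOU |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-List

# 5. Read a password the way the helpdesk would, and rotate it if the expiry has lapsed.
$Entry = Get-AdmPwdPassword -ComputerName $Computer
"$($Entry.ComputerName): expires $($Entry.ExpirationTimestamp)"
if ($Entry.ExpirationTimestamp -lt (Get-Date)) {
    # Sets the expiry to now; the CSE picks a new random password at the next GP refresh.
    Reset-AdmPwdPassword -ComputerName $Computer
}
```

Step 4 is worth running after every OU move or ACL change: the most common LAPS failure is not a broken client but an over-broad "Read all properties" delegation inherited from higher up the tree, which silently exposes the ms-Mcs-AdmPwd attribute.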



Active Directory, Group Policy Objects, Group Policy Preferences, Windows 10

Windows 10 Group Policy Settings

Microsoft has released the latest Windows 10 Group Policy settings. As usual there is a handy spreadsheet with all the settings, plus new filtering capabilities that make finding the new policies easier.

Download the spreadsheet: http://www.microsoft.com/en-us/download/details.aspx?id=25250

Get all the templates from any Windows 10 machine. They are located in the C:\Windows\PolicyDefinitions folder. Then copy them into your domain central store (C:\Windows\SYSVOL\sysvol\{domain}\Policies\PolicyDefinitions).
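The copy step above as an added example (not code from the original post): it resolves the central store path from the domain name, creates the store if it does not exist, copies the .admx files and the language folder, and counts templates in both places so drift between a reference machine and SYSVOL is visible. It assumes a domain-joined admin workstation with RSAT and that en-US is the language folder in use.

```powershell
# Added example (not from the original post). Assumptions: ActiveDirectory module present,
# rights to write to SYSVOL, en-US as the .adml language folder.
Import-Module ActiveDirectory

$DomainFqdn = (Get-ADDomain).DNSRoot
$Central    = "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies\PolicyDefinitions"   # same folder as C:\Windows\SYSVOL\sysvol\<domain>\... on the DC
$Source     = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Lang       = 'en-US'

if (-not (Test-Path $Central)) { New-Item -ItemType Directory -Path $Central | Out-Null }

# /XO skips files whose SYSVOL copy is already newer, so a fresh Windows 10 build never
# downgrades a template that another admin has since updated.
robocopy.exe $Source $Central *.admx /XO /R:1 /W:1 | Out-Null
$AdmxResult = $LASTEXITCODE
robocopy.exe (Join-Path $Source $Lang) (Join-Path $Central $Lang) *.adml /XO /R:1 /W:1 | Out-Null
$AdmlResult = $LASTEXITCODE

# robocopy exit codes below 8 mean success (bits 1, 2, 4 just describe what was copied).
if ($AdmxResult -ge 8 -or $AdmlResult -ge 8) { throw "robocopy failed (admx=$AdmxResult, adml=$AdmlResult)" }

[pscustomobject]@{
    LocalAdmx   = (Get-ChildItem -Path $Source  -Filter *.admx).Count
    CentralAdmx = (Get-ChildItem -Path $Central -Filter *.admx).Count
    LocalAdml   = (Get-ChildItem -Path (Join-Path $Source  $Lang) -Filter *.adml).Count
    CentralAdml = (Get-ChildItem -Path (Join-Path $Central $Lang) -Filter *.adml).Count
}
```

Once the central store exists, the Group Policy Management Console reads templates from it instead of the local PolicyDefinitions folder, so every admin sees the same settings regardless of which machine they edit from.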

Active Directory, Azure, Lab, Microsoft, Training & Workshop

IT Camp: Extend your Datacenter with Microsoft Azure

Just finishing up an IT Camp with Microsoft. Great overview of Microsoft Azure. Good labs using virtual machines, SQL and a web frontend. Looking forward to getting stuck into Azure AD. It is nice to have time to complete this course and have some good food from Clifton’s kitchen. Thanks to Regan Murphy for leading a good MS event.


Active Directory, Administration, Group Policy Objects, Group Policy Preferences

Enabling Group Policy Logging and Tracing

Need to debug what is happening with your group policy preferences? Then enable the logging and tracing setting under:

Computer Configuration\Policies\Administrative Templates\System\Group Policy

Enable logging and tracing for one or more of the preference client-side extensions.

Reboot the machine and logon.

The logs will be written to:

  • User trace: %COMMONAPPDATA%\GroupPolicy\Preference\Trace\User.log
  • Computer trace: %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Computer.log
  • Planning trace: %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Planning.log
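An added example, not part of the original post, for the step after the reboot: it collects the three trace logs listed above (%COMMONAPPDATA% resolves to $env:ProgramData, C:\ProgramData by default), pulls out the lines that look like failures, and cross-checks them against the Group Policy operational event channel. The failure keywords are my own choice, since each client-side extension words its errors differently.

```powershell
# Added example (not from the original post). Assumption: tracing was enabled via the
# policy described above and the machine has rebooted at least once since.
$TraceDir = Join-Path $env:ProgramData 'GroupPolicy\Preference\Trace'
$Logs     = 'User.log', 'Computer.log', 'Planning.log' | ForEach-Object { Join-Path $TraceDir $_ }

foreach ($Log in $Logs) {
    if (-not (Test-Path $Log)) {
        "$Log not present (tracing not enabled for that scope, or no processing run yet)"
        continue
    }
    $Lines = Get-Content -Path $Log
    "==== $Log : $($Lines.Count) lines, last written $((Get-Item $Log).LastWriteTime)"
    # Keyword list is a heuristic; adjust it to the CSE you are chasing.
    $Lines | Select-String -Pattern 'error|fail|denied|0x8' |
        Select-Object -Last 20 | ForEach-Object { $_.Line }
}

# Same time window, from the operational channel: errors (2) and warnings (3) only.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2, 3 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Turn the tracing policy back off once the problem is found: the trace files grow on every refresh and record the full preference items being applied, including any values you would not want lying around in ProgramData.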