I have configured “Network Security: Restrict NTLM: NTLM authentication in this domain” months ago, here is why it catched me

Today I would like to share my experience with troubleshooting a overcommitted security admin with less knowledge than it would be required (In fact, I’m talking about me here). Some month ago, I read about NTLM (v2 as well), and I decided to restrict NTLM in my LAB, to check what is working afterwards, and what stops working. To my surprise, everything went smooth, and I could not find an issue. So I forgot about this setting, everything seems to work, and it did.

Lastly I decided to cut off Direct Access, since Microsoft does not invest in its future, and for other reasons, I’m not required to have a permanent connection to the LAB from remote, a VPN would be sufficient. I’m using WorkFolders as well, and secured it with Azure MFA, the same should apply to my VPN connection, the authentication should be not only be covered by Username and Password. With this, the goal was set, and I built up the LAB. Everything went nice, until the first VPN client wanted to connect. The NPS Server gave me the error:
“The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.”

Continue reading

Create your own Software Deployment Repository with Azure and Intune

As you might know, within Intune you can only install applications on devices, if they are coming as an MSI. If you want to deploy anything else, this blog might be helpful for you.
Let me talk about the requirements:

  • Azure Subscription for Storage
  • Intune Subscription (obviously)
  • This blog will provide the information how you can achieve this, and at the end, you will get a sample implementation from my LAB.

    Yes, that’s it. Now let us start creating the Azure Storage, and how you can access it. Go to the Azure portal, and open the storage accounts section. You can use the classic storage account as well, but I would recommend the newer ones:

    Continue reading

    Office 365 – Content Search and eDiscovery

    Today I would shed some light on the two options “Content Search” and “eDiscovery” from the Security and Compliance center of Office 365. You can reach the security and compliance center through the following URL:

    Office 365 – Security & Compliance Center

    The first questions that may raise up, what is content search and eDiscovery, and what is the difference of those two options.
    With content search, you can search all the content that is actually available, regarding existent policies (given example: Exchange Hold). Content search may help you in various occasions, where it may not be required to use eDiscovery. For legal documentation the eDiscovery should be used, where you also can specify Mailboxes, SharePoint Locations and OneDrive for Business to set hold policies on them.

    The next question might be: Who has access to those features by Default?

    It depends… Continue reading

    SCCM – Configure a pointer record for your Cloud Management Gateway

    Lets assume you want to set a pointer record (PTR) for your System Center Configuration Manager Cloud Management Gateway (CMG).

    First of all, you will need to install the “Azure PowerShell Service Management module”, and Login to your Tenant. This process is documented on the Microsoft Website:
    Installing the Azure PowerShell Service Management module

    When this is done, you may want to change the subscription, in my case it was necessary. To do so, simply show all of your subscriptions with “Get-AzureSubscription” and select the appropriate subscription with “Select-AzureSubscirtion” afterwards:

    When you have selected the correct subscription, you can list the Azure Services with “Get-AzureService”.
    With the following command, you can set the Pointer record for your CMG:
    Set-AzureService -ServiceName "YOURSERVICENAME" -ReverseDnsFqdn "HOSEBECMG01.hosebei.ch."

    Intune – NDES Enrollment

    I recently changed my Intune Subscription from SCCM Hybrid to Intune Standalone. Within this change, I face an issue with the NDES, respectively the SCEP, enrollment for the certificates.
    After I have configured the SCEP profile within Intune, my Windows 10 Clients show th following error Message within the eventlog:

    A security error occurred 0x80072f8f (WinHttp: 12175 ERROR_WINHTTP_SECURE_FAILURE)
    Continue reading

    Azure AD Connect – Configure the “Enable-ADSyncExportDeletionThreshold” wisely

    Today would shed some light on the cmdlet “Enable-ADSyncExportDeletionThreshold” which comes with the Azure AD Connect. If you are using Azure AD Connect to synchronize your On-Premise Active Directory to Azure Active Directory, Azure AD Connect will never execute a batch of more than 500 objects to delete. You can check the current value by using “Get-ADSyncExportDeletionThreshold”:

    Continue reading