Channel: Security forum

A certificate was explicitly revoked by its issuer

Hi Guys,

I have a file, client.msi. The Properties > Digital Signatures tab says that the certificate is explicitly revoked by its issuer.

It seems the file is not trusted on one single machine, whereas on other machines it says the certificate is OK.

What went wrong, and why is the certificate revoked?

Can somebody shed some light on this? It's much appreciated.
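A check worth running on both the machine that reports the revocation and one that does not, added here as a PowerShell example (it is not code from the post). It assumes the MSI sits at C:\Temp\client.msi; everything else is the stock .NET chain engine and certutil.

```powershell
# Added example: why does this machine (and only this machine) consider client.msi's signer revoked?
# Assumption: the file path below.
$msi = 'C:\Temp\client.msi'

# 1. What the OS reports for the signature, and which signer certificate it found.
$sig = Get-AuthenticodeSignature -FilePath $msi
$sig | Format-List Status, StatusMessage
$sig.SignerCertificate | Format-List Subject, Issuer, SerialNumber, Thumbprint, NotAfter

# 2. Rebuild the chain with live revocation checking and print every reason it fails.
#    'Revoked' is the "explicitly revoked by its issuer" case; 'RevocationStatusUnknown' or
#    'OfflineRevocation' means this machine could not fetch the CRL/OCSP response at all.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$null = $chain.Build($sig.SignerCertificate)
$chain.ChainStatus | Format-Table Status, StatusInformation -AutoSize

# 3. Let certutil download the CRL/OCSP responses from the URLs inside the certificate
#    (-urlfetch bypasses the per-machine URL cache) and show the revocation result.
$cer = Join-Path $env:TEMP 'signer.cer'
$sig.SignerCertificate | Export-Certificate -FilePath $cer -Force | Out-Null
certutil -verify -urlfetch $cer

# 4. Show what this machine has cached; a CRL here that differs from the other machines'
#    is the thing to compare. 'certutil -urlcache crl delete' clears the cache.
certutil -urlcache crl
```

Compare the ChainStatus and certutil output across machines. If only one machine shows Revoked and its cached CRL is older or newer than elsewhere, clear the cache on that machine and re-run step 2; if every machine that can fetch the CRL shows Revoked, the signer really has been revoked and the other machines are simply not completing the check (they show RevocationStatusUnknown or OfflineRevocation rather than a clean chain).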





Decommissioning an Old Certification Authority without taking it down

Hi,

I want to bring a new Root CA and a Subordinate Enterprise issuing CA into the AD domain without shutting down the old CA infrastructure. As per my research, there is no technical limitation from Microsoft on having two Root CAs in an AD forest or domain. My goal is to bring the new Enterprise CA online and revoke certificates on the old Enterprise CA one by one. AIA and CRL are LDAP, so on the old server. I would also like to have a different CA name and host name on the new Root CA and Enterprise issuing CA.

The following steps will not work for me (please Google it; I am not able to post the link): "Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One" by Amerk [MSFT]. Any feedback is greatly appreciated.


https://blogs.technet.microsoft.com/pki/2012/01/27/decommissioning-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-operations-to-a-new-one/

Unable to block a URL in ATP Safe Links if it contains an exclamation mark

Hi, we were recently at the wrong end of a phishing campaign that contained a link which included an exclamation mark. The link pointed to a shared file hosted on OneDrive (1drv.ms/<blah>), with the external shared file then containing a link to another external site which hosted a fake Office 365 login page. The problem was with the link to OneDrive in the original phishing email, which contained a '!'. When I tried to add this link to the Advanced Threat Protection (ATP) Safe Links organisational block list, I received the error "Invalid URL format" when I clicked Save. After some quick tests I found that ATP doesn't accept a URL to be blocked if it contains an exclamation mark, even though an exclamation mark is a valid URL character.

This needs to be updated as admins are currently unable to use ATP Safe Links to block any URL containing an exclamation.

Thanks
Adam


Code Integrity Policy Active: Fail - Shielded VM - Windows 2019

Hi, I am trying to set up a Guarded Host in TPM mode, and I am having an issue with "Code Integrity Policy Active".



When I run the command Get-HgsTrace -RunDiagnostic -Detailed, this is the result:

For the Code Integrity Policy Active: Fail

I have applied the "Enable virtualization-based protection of code integrity" GPO; on the host I have run gpupdate /sync and verified that the policy has been applied.

As for the HGS server Get-HgsTrace result:

The article I have referenced:

https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-tpm-trusted-attestation-capturing-hardware#create-and-apply-a-code-integrity-policy

Please guide me on resolving Code Integrity for the Shielded VM.

Thank you.

Yours sincerely,

Lee Leng

401 - Unauthorized: Access is denied due to invalid credentials.

Hello, I've been locked out of my account for some unknown reason and I would like to get it back. I can't log in on Chrome, Firefox or even my phone. Please can this get fixed ASAP? I do need the mail that comes to this e-mail account.

I would also like to know how this happened in the first place.

Thank You

A lot of file/folder auditing events on folders, without any auditing settings enabled

In our environment, we have enabled domain-wide file and folder auditing, but have selected only a few folders on the servers that need it (file servers etc.).

However, a few of our servers are logging a lot of file events (4656, 4658, 4663) on folders without any security auditing enabled on the folders. Currently ~2 million events have been logged since yesterday (on a non-file server).

This is a 2012 R2 server in a 2012 R2 level forest/domain; the DCs are running Server 2016.



Anyone else have this problem?

-TIA

Lennert Holmberg
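Two things a practitioner would check on the noisy server before treating this as a bug, shown as an added PowerShell example (not from the post): whether Global Object Access Auditing is configured for files, which audits every file on the machine without any folder-level SACL and is a frequent source of unexpected 4656/4658/4663 events, and which process and object pairs the 4663 events actually name. The 24-hour window and the 50,000-event cap are assumptions.

```powershell
# Added example: locate the source of file-system audit events on a server whose folders carry no SACL.

# 1. Global Object Access Auditing: a machine-wide SACL for files, set by auditpol or GPO,
#    never visible in a folder's Security > Auditing tab. Empty output means it is not set.
auditpol /resourceSACL /type:File /view

# 2. Which Object Access subcategories are actually switched on (File System, Handle Manipulation, ...)?
auditpol /get /category:"Object Access"

# 3. Which objects and processes generate most of the 4663 (object accessed) events in the last 24 h?
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -MaxEvents 50000

$events |
    ForEach-Object {
        # pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Process = $d['ProcessName']
            Object  = $d['ObjectName']
            User    = $d['SubjectUserName']
        }
    } |
    Group-Object Process, Object |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

If step 1 prints a SACL, that is what generates the events and it is removed with `auditpol /resourceSACL /type:File /remove /user:<account>` (or from the GPO that set it); if it is empty, the top entries from step 3 show which process is touching which objects, and `icacls <object>` on one of them shows whether an inherited SACL arrived from a parent that is not in the list of folders that were meant to be audited.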

Changing the account used by WinRm (Windows Remote Management)

I am in the process of setting up Windows Event Forwarding, the push method. An IRS policy states I can only allow access to the Security log via the Administrators group.

WinRM is a big part of Windows Event Forwarding, and it uses the Network Service account by default. I also cannot add the Network Service account to the local Administrators group, per security policy.

I have created a service account to comply with both security policies, but I have two questions:

1. Does changing the account WinRM uses create issues elsewhere, such as services failing to start or dependencies lost for other services?

2. What is the best way to change the account for the WinRM service across the whole domain? (Startup script?)

Thanks,

KISO
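Before changing the WinRM service account anywhere, it is worth recording what depends on it and how the Security log is currently protected, so the change can be reviewed against the policy before a domain-wide rollout. The PowerShell below is an added example, not from the post; it assumes PowerShell 5.1 for ConvertFrom-SddlString and Get-LocalGroupMember and is meant to be run on one event source.

```powershell
# Added example: inventory what a WinRM account change would touch, and show the current
# Security log channel ACL, on a single Windows Event Forwarding source.

# Which account runs WinRM today, and how is it started?
Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'" |
    Select-Object Name, StartName, StartMode, State       # StartName = logon account

# Question 1: a new account must still be able to start everything WinRM needs,
# and everything listed as dependent stops if WinRM fails to start.
$svc = Get-Service -Name WinRM
$svc.ServicesDependedOn | Select-Object Name, Status       # what WinRM itself requires
$svc.DependentServices  | Select-Object Name, Status       # what breaks if WinRM is down

# The Security log's channel ACL as SDDL. Out of the box it grants read only to SYSTEM,
# Administrators and Event Log Readers (S-1-5-32-573); anything else is a local change.
$sddl = (wevtutil gl Security) -match '^\s*channelAccess:' -replace '^\s*channelAccess:\s*', ''
$sddl
(ConvertFrom-SddlString -Sddl $sddl).DiscretionaryAcl

# Who is currently in Event Log Readers (the built-in group Microsoft documents for WEF readers)?
Get-LocalGroupMember -Group 'Event Log Readers'
```

Whatever account ends up running WinRM needs read on the Security channel, and the SDDL printed above is where that is granted (`wevtutil sl Security /ca:<sddl>` changes it, if an exception to the policy is approved). For question 2, the logon account of a service is set with `sc config WinRM obj= <account> password= <password>`, which means a startup script would carry the password; a group Managed Service Account avoids that, and in either case the account needs the "Log on as a service" right, which is best delivered by GPO (User Rights Assignment) rather than per host.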

How to sort IPSec deny IP filter lists

I've been using Windows Server 2003's IPsec IP filter lists to block attacks against my servers. I have utilities that scan the server log files and then use "ipsec static add filter filterlist=...blah-blah-blah" to block the attackers before they have had a chance to do much. This has worked great over the years, but now I'm trying to go back and clean up some of these lists (which are 3-4 thousand entries long).

The easiest way is to go down a line of IP addresses and, if I've gotten enough unique addresses in a net block and they aren't an area that might be a potential customer, block the whole subnet. I've brought up MMC and loaded the IPsec monitor, and from there I'm able to sort under Quick Mode and quickly see my problem ranges. Adding the subnet is easy, but going back and deleting the 25-30 individual addresses is next to impossible since, from what I can tell, editing an IP filter list doesn't allow you to sort any of the columns; it just appears in the order they were added. Ever tried to find 30 items in a list of 4,000 with no sort or find feature?

How does someone maintain a large list of IP filters? (Please, no replies of "don't" or "use X product rather than IPsec".)
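One way to do the clean-up outside the MMC is to treat the filter list as data: group the blocked hosts by /24, and for every block that holds more than a threshold of single hosts emit the netsh commands that delete the individual entries and add the subnet. The PowerShell below is an added example, not from the post; the list name "Blocked", the dstaddr=me convention and the threshold are assumptions, the addresses are made up for illustration, and the real list would come from `netsh ipsec static show filterlist name=<list> level=verbose`. It runs on any admin workstation and prints commands to paste into a cmd prompt on the 2003 server.

```powershell
# Added example: collapse many single-host IPsec block filters into one subnet filter per /24.
# Assumptions: filter list name, dstaddr=me, mirrored filters, and a /24 granularity.
$filterList = 'Blocked'
$threshold  = 5      # collapse a /24 once it holds at least this many single hosts

# Constructed sample of addresses that are currently individual filters (documentation ranges).
$blocked = @(
    '203.0.113.4', '203.0.113.9', '203.0.113.17', '203.0.113.77', '203.0.113.201', '203.0.113.250',
    '198.51.100.3', '198.51.100.40',
    '192.0.2.7'
)

# Group by the first three octets; only groups at or above the threshold are collapsed.
$groups = $blocked |
    Group-Object { ($_ -split '\.')[0..2] -join '.' } |
    Where-Object Count -ge $threshold

$commands = foreach ($g in $groups) {
    $net = "$($g.Name).0"
    foreach ($ip in $g.Group | Sort-Object { [version]$_ }) {
        # delete must match the filter as it was added: single host, default srcmask
        "netsh ipsec static delete filter filterlist=`"$filterList`" srcaddr=$ip dstaddr=me"
    }
    "netsh ipsec static add filter filterlist=`"$filterList`" srcaddr=$net srcmask=255.255.255.0 dstaddr=me mirrored=yes"
}

$commands                                   # review before running
$commands | Set-Content -Path "$env:TEMP\ipsec-collapse.cmd" -Encoding Ascii
```

Review the generated file before running it: the delete lines must name the filter exactly as it was added (the same srcaddr, dstaddr and protocol), so if the log-scanning utility adds filters with a specific protocol or port, those arguments have to be added to the delete lines too. The same grouping with a /16 key, or with a whitelist of customer prefixes excluded before grouping, covers the "not a potential customer" judgement in the post.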

Windows server 2016 icacls and takeown

Windows Server 2016, workgroup, hosts Hyper-V.

The D: drive does not host any VHDX files.

The D: drive is a separate drive from C: and is RAID 5.

Cannot delete, move or rename

( "d:\downloads\Microsoft\Windows 10\SW_DVD9_Win_Pro_Ent_Edu_N_10_1803_64BIT_English_-4_MLF_X21-87129.ISO" )

Have run takeown and icacls:

D:\Downloads\Microsoft\Windows 10>takeown /d Y /a /r /f "d:\downloads\microsoft\windows 10"
SUCCESS: The file (or folder): "d:\downloads\microsoft\windows 10" now owned by the administrators group.
INFO: Access is denied. ( "d:\downloads\microsoft\windows 10\SW_DVD9_Win_Pro_Ent_Edu_N_10_1803_64BIT_English_-4_MLF_X21-87129.ISO" )
SUCCESS: The file (or folder): "d:\downloads\microsoft\windows 10\test.txt" now owned by the administrators group.

D:\Downloads\Microsoft\Windows 10>icacls "d:\downloads\microsoft\windows 10"
d:\downloads\microsoft\windows 10 BUILTIN\Administrators:(I)(OI)(CI)(F)
                                  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)
                                  BUILTIN\Users:(I)(OI)(CI)(RX)
                                  SERVER\ddk:(I)(OI)(CI)(F)
                                  SERVER\Administrator:(I)(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files

D:\Downloads\Microsoft\Windows 10>icacls "d:\downloads\microsoft\windows 10\SW_DVD9_Win_Pro_Ent_Edu_N_10_1803_64BIT_English_-4_MLF_X21-87129.ISO"
d:\downloads\microsoft\windows 10\SW_DVD9_Win_Pro_Ent_Edu_N_10_1803_64BIT_English_-4_MLF_X21-87129.ISO: Access is denied.
Successfully processed 0 files; Failed processing 1 files
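The recursive takeown above succeeded for the folder and test.txt but was refused for the ISO itself, and icacls cannot even read the ISO's ACL. On a Hyper-V host the first thing to rule out is that the ISO is held open (attached to a VM's DVD drive, or mounted on the host), and only then to work on the file's own ACL rather than the folder's. The PowerShell below is an added example, not from the post; it assumes the path shown in the post and that the Hyper-V PowerShell module is installed on the host.

```powershell
# Added example: find out what is holding the ISO, then take ownership of the file itself.
# Assumptions: the path below; Hyper-V module present.
$iso = 'D:\Downloads\Microsoft\Windows 10\SW_DVD9_Win_Pro_Ent_Edu_N_10_1803_64BIT_English_-4_MLF_X21-87129.ISO'

# 1. Is any VM's DVD drive pointing at the ISO? Is it mounted on the host?
Get-VM | Get-VMDvdDrive | Where-Object Path -eq $iso |
    Select-Object VMName, ControllerNumber, ControllerLocation, Path
Get-DiskImage -ImagePath $iso -ErrorAction SilentlyContinue |
    Select-Object ImagePath, Attached, DevicePath

# 2. Release it: eject from every VM that has it attached, and dismount it on the host.
Get-VM | Get-VMDvdDrive | Where-Object Path -eq $iso | Set-VMDvdDrive -Path $null
Dismount-DiskImage -ImagePath $iso -ErrorAction SilentlyContinue

# 3. takeown /r stopped at the file, so take the file itself (SeTakeOwnershipPrivilege
#    lets an elevated admin do this even with no rights on the object), then
#    drop its explicit ACEs and re-inherit from the folder, which already grants Administrators full control.
takeown /f $iso /a
icacls $iso /reset
icacls $iso

# 4. Now the delete should go through.
Remove-Item -LiteralPath $iso
```

If step 3 still reports "Access is denied" from an elevated prompt, the denial is not coming from the ACL: check for a filter driver (antivirus, backup agent) holding the file, and compare `fsutil file queryfileid` on the ISO and test.txt to make sure the path is resolving to the file you expect.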

Updated support for Diffie-Hellman Key Exchange

Hi

I have Windows 2008 R2 installed, and there is a need to increase the size of the DH modulus from the current default to 2048.

There is a Microsoft security advisory with instructions on how to do this,

https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644?redirectedfrom=MSDN

but I'm not sure if it will work (if it is applicable) on Windows 2008 R2.

I found the corresponding KB,

https://support.microsoft.com/en-us/help/3174644/microsoft-security-advisory-updated-support-for-diffie-hellman-key-exc

but it is not applicable to Windows 2008 R2.

Maybe someone could help me find a clue?
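The advisory's setting is a pair of DWORD values under the SCHANNEL Diffie-Hellman key, and those values are only honoured on a system where the update that introduced them is installed. The PowerShell below is an added example, not from the post or the advisory: it reads what is currently configured, sets both values to 2048, and reads them back. It is written for PowerShell 2.0 (the version that ships with 2008 R2), and the openssl line at the end is the external check that tells you whether SChannel actually changed behaviour.

```powershell
# Added example: inspect and set the SChannel minimum DH modulus from the advisory.
# Registry path and value names are those documented in KB 3174644; 2048 bits = 0x800.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

function Get-DhMinKeyLength {
    # returns $null for a value that has not been set (the system default applies)
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ServerMinKeyBitLength = $p.ServerMinKeyBitLength
        ClientMinKeyBitLength = $p.ClientMinKeyBitLength
    }
}

'Before:'
Get-DhMinKeyLength

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
# Server side: the smallest DH group this server will offer/accept as a TLS server.
New-ItemProperty -Path $key -Name ServerMinKeyBitLength -PropertyType DWord -Value 2048 -Force | Out-Null
# Client side: the smallest DH group this machine will accept when it is the TLS client.
New-ItemProperty -Path $key -Name ClientMinKeyBitLength -PropertyType DWord -Value 2048 -Force | Out-Null

'After:'
Get-DhMinKeyLength

# The setting is read by SChannel at service start; restart the service that terminates TLS
# (IIS: iisreset; others: restart the service or reboot). Then verify from another host:
#   openssl s_client -connect server.example.com:443 -cipher 'DHE' < /dev/null 2>/dev/null | grep 'Server Temp Key'
# A line such as "Server Temp Key: DH, 2048 bits" confirms the larger modulus is in use.
```

If the openssl check still reports 1024 bits after the restart, the registry values are being ignored, which is what "not applicable" means in practice: the SChannel binary on that system predates the setting, and the only ways to stop offering 1024-bit DH there are to disable the DHE cipher suites in the cipher-suite order (leaving ECDHE) or to move the TLS endpoint to a supported OS.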


Configurable Code Integrity Policy = Enabled, Reboot required = Yes

Hi,

How do I verify that the Code Integrity policy was applied successfully on the server? After I reboot the server and check the event log, it still says a reboot is required; it seems the Code Integrity policy is not applied even after the reboot.

Is it normal?
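Both this post and the Shielded VM post above ("Code Integrity Policy Active: Fail") come down to the same question: is a code integrity policy actually loaded and enforced on the host, as opposed to merely configured by GPO. The PowerShell below is an added example, not from either post or from the linked article. It follows the article's build-and-deploy steps with assumed file paths, then asks the OS itself (the Win32_DeviceGuard class and the CodeIntegrity event log) what state it is in after the reboot.

```powershell
# Added example: build, deploy, and verify a code integrity policy on a guarded host.
# Assumptions: the three paths below. Run elevated on the Hyper-V host.
$xml = 'C:\Temp\HostCI.xml'
$bin = 'C:\Temp\HostCI.p7b'
$dst = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SIPolicy.p7b'

# --- Build and deploy (same steps as the article, with explicit enforcement) ---
# New-CIPolicy scans the system drive and writes an XML policy that is in AUDIT mode
# (rule option 3). Remove option 3 to make it an enforced policy.
New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath $xml -UserPEs
Set-RuleOption -FilePath $xml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item -Path $bin -Destination $dst -Force
# The policy is loaded at boot; nothing below changes until the host is restarted.
# Restart-Computer

# --- Verify after the reboot ---
function Get-CiState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        KernelModeCI     = $dg.CodeIntegrityPolicyEnforcementStatus          # 0 = off, 1 = audit, 2 = enforced
        UserModeCI       = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus  # same scale
        VbsStatus        = $dg.VirtualizationBasedSecurityStatus              # 2 = VBS running
        ServicesConfig   = $dg.SecurityServicesConfigured -join ','           # 2 = HVCI configured
        ServicesRunning  = $dg.SecurityServicesRunning -join ','              # 2 = HVCI running
        PolicyFileExists = Test-Path $dst
    }
}
Get-CiState

# Event 3099 records which policy was activated at boot; 3076/3077 are audit/enforce blocks.
# No 3099 after the reboot means the loader never picked the policy up.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3099, 3076, 3077 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# Finally, repeat the attestation diagnostics on the host.
Get-HgsTrace -RunDiagnostics -Detailed
```

Read the two sources together: KernelModeCI of 2 plus a 3099 event is what "Code Integrity Policy Active" is looking for, while a GPO that reports "Enabled, reboot required" only says VBS/HVCI was requested. A host that still shows reboot required after a restart, or VbsStatus of 1 (enabled but not running), usually has a firmware prerequisite missing (UEFI, Secure Boot, IOMMU, TPM), which `msinfo32` and the "Secure Boot State" / "Virtualization-based security" lines on its System Summary page show without any further tooling.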




BitLocker Recovery Password viewer missing from Features list server 2019

I am trying to configure Active Directory to store BitLocker recovery keys on Server 2019, and have done the following:
1) From PowerShell: Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
When I check the properties of my computers in AD Users and Computers, I don't see the "BitLocker Recovery" tab.

I also ran the command Install-WindowsFeature RSAT-Feature-Tools-BitLocker-BdeAducExt, which says no such feature exists.

When I go to Server Manager > Remote Server Administration Tools > Feature Administration Tools > BitLocker Drive Encryption Administration Utilities, there is no feature called "BitLocker Recovery Password Viewer".

BitLocker Recovery Password viewer missing from Features list Microsoft Windows Server 2016 Standard

I am trying to configure Active Directory to store BitLocker recovery keys on Microsoft Windows Server 2016 Standard, and have done the following:
1) From PowerShell: Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
When I check the properties of my computers in AD Users and Computers, I don't see the "BitLocker Recovery" tab.

I also ran the command Install-WindowsFeature RSAT-Feature-Tools-BitLocker-BdeAducExt, which says no such feature exists.

When I go to Server Manager > Remote Server Administration Tools > Feature Administration Tools > BitLocker Drive Encryption Administration Utilities, there is no feature called "BitLocker Recovery Password Viewer".
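Whatever the state of the ADUC extension on the 2016 or 2019 server in the two posts above, the recovery passwords themselves are plain attributes on msFVE-RecoveryInformation child objects of the computer account, so they can be read and verified with the ActiveDirectory module. The PowerShell below is an added example, not from either post: it lists the BitLocker-related features the server actually knows about (so the real feature names can be checked instead of guessed), confirms the schema class exists, and reads the recovery data for one computer. The computer name is an assumption.

```powershell
# Added example: check the BitLocker RSAT feature names on this server, confirm the schema
# supports recovery-key backup, and read a computer's recovery passwords straight from AD.
# Assumptions: RSAT-AD-PowerShell installed; the computer name used at the bottom.

# 1. Exact feature names as this build reports them (the display name column is what Server Manager shows).
Get-WindowsFeature -Name '*BitLocker*' | Format-Table Name, DisplayName, InstallState -AutoSize

# 2. Backup to AD needs the ms-FVE-RecoveryInformation schema class (present since Server 2008 schema).
$schema = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schema -LDAPFilter '(cn=ms-FVE-RecoveryInformation)' | Select-Object Name, DistinguishedName

# 3. Recovery objects live directly under the computer object; this is what the ADUC tab displays.
function Get-BitLockerRecoveryFromAd {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $computer.DistinguishedName `
                 -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = $ComputerName
                BackedUp         = $_.whenCreated
                RecoveryGuid     = [guid]$_.'msFVE-RecoveryGuid'     # matches "Password ID" shown by manage-bde
                RecoveryPassword = $_.'msFVE-RecoveryPassword'       # the 48-digit key
            }
        }
}

Get-BitLockerRecoveryFromAd -ComputerName 'WKS-0001'
```

If step 3 returns nothing for a machine that `manage-bde -protectors -get C:` shows to have a recovery password protector, the key was never escrowed: the "Store BitLocker recovery information in Active Directory Domain Services" policy and `manage-bde -protectors -adbackup C: -id <Password ID>` are what fix that, independently of whether the Password Viewer tab is installed. Treat the output as a secret: it is exactly what an attacker with read access to those objects would collect.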


Domain Controller KDC Cert Template

Hello,

I have a question about ADCS. I have a cert template that is used to provide DCs with a cert that includes Kerberos. Autoenrollment is configured and working normally, although the DCs require a manual issue to get the cert. I had to make a change to the template, increasing the lifetime of the cert. Now I want to have one DC get the new cert, as a test that I didn't break something, I suppose, and I am looking for how to do that. I know you can select "Reenroll All Certificate Holders", but as I understand it, that would make it effective for all cert holders. I would like to force one DC to request a new cert, so I can issue it and make sure it gets a new cert based on the template changes. I tried certutil -pulse, but I don't think that did anything. Any suggestions?

Chris
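Autoenrollment, which is what `certutil -pulse` triggers, only renews a certificate when it is near expiry or the template version has been bumped for everyone, so on a single DC the direct route is an explicit request against the template. The PowerShell below is an added example, not from the post: it finds the certificate the DC currently holds from the template, submits a new machine request for that template, and shows the result. The template display name is an assumption; replace it with the name of the template in the post.

```powershell
# Added example: renew the Kerberos/DC certificate from one template on this DC only.
# Assumption: the template's display name. Run elevated on the DC.
$templateName = 'Kerberos Authentication'

function Get-CertsFromTemplate {
    param([string]$Template)
    # The template is recorded in the "Certificate Template Information" extension (v2+ templates)
    # or "Certificate Template Name" (v1 templates); match either.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.FriendlyName -in 'Certificate Template Information', 'Certificate Template Name' }
        if ($ext -and $ext.Format($false) -match [regex]::Escape($Template)) {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
                Template   = $ext.Format($false)
            }
        }
    }
}

'Before:'
Get-CertsFromTemplate -Template $templateName

# Explicit enrollment for the machine account, quiet (no UI). The request goes to the
# enterprise CA and is issued immediately if the DC has Enroll permission on the template;
# a pending request shows up in the CA console under Pending Requests, where it can be issued by hand.
certreq -enroll -machine -q $templateName

'After:'
Get-CertsFromTemplate -Template $templateName
```

The new certificate's NotAfter minus NotBefore should equal the lifetime set on the template, which is the check the post is after. Superseded certificates from the same template are not removed by this, so the old one stays in the store until it expires or is deleted by thumbprint; the DC picks the newest valid one for Kerberos and LDAPS.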


Issues configuring NDES

Hi - I'm hoping someone can help me figure out what I'm missing on this NDES install.

I am getting the following error when installing NDES in an environment. Here is the relevant information on the environment:

The CAs are installed in the forest root domain.

The NDES server is installed in the same forest, in a child domain (supported according to the TechNet article "Configure infrastructure to support SCEP with Intune").

The account logged into the machine is an enterprise administrator.

The service account is a member of the local Administrators group on the NDES server, and has rights to manage the CA on the CA.

The error received is:


Install-AdcsNetworkDeviceEnrollmentService : CMSCEPSetup::Install: Access is denied. 0x80070005 (WIN32: 5
ERROR_ACCESS_DENIED)
At line:1 char:1
+ Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName "svcnd ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-AdcsNet...rollmentService], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.CertificateServices.Deployment.Commands.NDES.InstallAdcsNetworkDeviceEnrollmentService

remove CA revoke all certificates - powershell or command line

I'm trying to remove an old enterprise CA using this article:

https://support.microsoft.com/en-us/help/889250/how-to-decommission-a-windows-enterprise-certification-authority-and-r

but...

Step 1 is to revoke all certificates, but the console only loads about 400 at a time. There are over 50,000, and this is not an appropriate way to handle it. I need either a command to revoke all certificates, or a way to load many more into the console view so I can select all and revoke as described.

Please help!
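The CA database can be queried and driven entirely from certutil, which is the way to do step 1 for 50,000 certificates and also the "revoke on the old CA one by one" part of the earlier post on decommissioning without taking the old CA down. The PowerShell below is an added example, not from either post or the KB article: it exports every issued, unexpired certificate as CSV, revokes each one with reason code 5 (cessation of operation), stops on the first failure, and publishes a fresh CRL. The CA config string is an assumption; run it on the CA or from a machine with CA Administrator rights.

```powershell
# Added example: revoke everything an old enterprise CA has issued, from the command line.
# Assumptions: the CA config string (CAHOST\CA common name) and the temp CSV path.
$caConfig = 'OLDCA01.corp.example\Corp-Issuing-CA'
$csv      = Join-Path $env:TEMP 'issued.csv'

# 1. Export issued certificates. Disposition 20 = issued (21 = revoked, already done);
#    certificates that have already expired need no revocation.
certutil -config $caConfig -view -restrict "Disposition=20,NotAfter>now" -out "RequestID,SerialNumber,NotAfter" csv |
    Out-File -FilePath $csv -Encoding ascii

# certutil prints its own header row; supply fixed column names and skip it,
# and keep only rows whose serial number parses as hex (guards against stray output lines).
$rows = Import-Csv -Path $csv -Header RequestID, SerialNumber, NotAfter |
    Select-Object -Skip 1 |
    Where-Object { $_.SerialNumber -match '^[0-9a-fA-F]+$' }
"{0} issued, unexpired certificates to revoke" -f @($rows).Count

# 2. Revoke. Reason 5 = CessationOfOperation, the code for a CA being retired.
#    Stop on the first error rather than silently skipping a row.
foreach ($r in $rows) {
    certutil -config $caConfig -revoke $r.SerialNumber 5 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "revoke failed for serial $($r.SerialNumber) (RequestID $($r.RequestID))"
    }
}

# 3. Publish a new CRL so relying parties that check the CDP see the revocations.
certutil -config $caConfig -crl

# 4. Sanity check: nothing unexpired should be left in the issued state.
certutil -config $caConfig -view -restrict "Disposition=20,NotAfter>now" -out "RequestID,SerialNumber" csv
```

Two caveats before running it against a production CA. The resulting CRL lists every revoked serial and is downloaded by every client that validates a certificate from that CA, so a 50,000-entry CRL is noticeably larger than what clients fetch today; and, as both the KB article and the decommissioning post above rely on, the old CA's CRL and AIA locations (LDAP in that post) must stay published until the last certificate it issued has expired, otherwise clients that cannot fetch the CRL treat those certificates as "revocation status unknown" rather than as revoked.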

CEP/CES Certificate templates not available

Hello everyone!
I am working in my test environment. I built a two-tier CA hierarchy with an offline CA, an Enterprise CA, and a web server, the last two on the same VM.
All the domain machines got certificates from the Enterprise CA without any issues.
Now I am trying to use EAP-TLS with a non-domain computer using CES/CEP. I installed the roles on the same Enterprise CA server and use username/password authentication for the service. I tried the CES service from a Windows 10 machine in a workgroup, and I can get all the certificates available from the CA. The issue comes when I try to get certificates for a non-Windows device outside the domain. I am working with a Chromebook; the response I get from the Chromebook is "No enrollment uris available to enroll to.", which means no templates are available to request a certificate.

Is there any way to troubleshoot CES/CEP? Does anyone know if I am missing something?
I appreciate all your help; thanks in advance.


Windows 10 Workgroup change from Private to Public

Windows 10 1809, workgroup.

Twice now I have had to reset the computer from Public to Private.

Start > Settings > Network and Internet (missing a step; I don't know how to get back to change it)
Changed from Public to Private.

What could be causing the change from Private to Public?

The customer changes nothing on their OS on purpose.
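On a workgroup machine the Private/Public category is stored per network profile, and Network Location Awareness identifies a wired network largely by the gateway's MAC address, so a replaced or reset router, a new DHCP scope, or a different switch port can make Windows see a brand-new network, which defaults to Public. The PowerShell below is an added example, not from the post: it shows the current category, pulls the NetworkProfile event log to date the changes, lists the profiles Windows has accumulated (several "Network 2", "Network 3" entries are the tell-tale), and pins the active connection back to Private. The interface alias "Ethernet" is an assumption.

```powershell
# Added example: find out when and why a workgroup PC's network flipped to Public, and set it back.
# Assumption: the interface alias used at the bottom. Run elevated.

# 1. Current state of every connected network.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory, IPv4Connectivity

# 2. When did the network come and go? Event 10000 = network connected, 10001 = disconnected;
#    the message names the profile Windows matched, so a new "Network N" here dates the change.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NetworkProfile/Operational'; Id = 10000, 10001 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# 3. Profiles Windows has stored for this machine. Category: 0 = Public, 1 = Private, 2 = Domain.
#    Many distinct profiles for one physical LAN means the network signature keeps changing.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles' | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        ProfileName = $p.ProfileName
        Category    = switch ($p.Category) { 0 { 'Public' } 1 { 'Private' } 2 { 'Domain' } default { $p.Category } }
        Managed     = $p.Managed
        Guid        = $_.PSChildName
    }
}

# 4. Pin the current connection to Private (this is what the Settings page does).
Get-NetConnectionProfile -InterfaceAlias 'Ethernet' | Set-NetConnectionProfile -NetworkCategory Private
Get-NetConnectionProfile -InterfaceAlias 'Ethernet' | Select-Object Name, NetworkCategory
```

Step 4 fixes the current profile but not the next new one. If step 3 shows the profile count growing, the cure is on the network side (a stable gateway), or a local policy that treats unidentified networks as Private ("Unidentified Networks" under Computer Configuration > Windows Settings > Security Settings > Network List Manager Policies in gpedit.msc), with the understanding that Private relaxes the firewall profile for everything on that LAN.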

HTTP Methods Security Vulnerabilities

I have posted this question on another Windows forum with no replies. I suspect it was the wrong place; I hope this is the place.

We have recently been informed by our parent company that their Rapid7 scanner has detected the HTTP OPTIONS method and the HTTP DELETE method enabled on several of our Windows 2012 servers. The problem is that none of the servers have IIS installed.

How do I solve these vulnerabilities without IIS Manager?
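Windows can serve HTTP without IIS: anything built on the HTTP.sys kernel listener (WinRM on 5985/5986, WSUS, SQL Reporting Services, Windows Admin Center, printing, and many third-party agents) answers HTTP requests, and it is whatever registered that URL that decides how OPTIONS and DELETE are handled. The PowerShell below is an added example, not from the post: it maps the listening ports to owning processes, lists the HTTP.sys URL registrations, and reproduces the scanner's probe so the finding can be confirmed or closed as a false positive. The port list is an assumption; use the ports in the Rapid7 report.

```powershell
# Added example: identify what answers HTTP on a server without IIS, and reproduce the OPTIONS/DELETE probe.
# Assumption: the ports below (replace with those in the scan report). Run elevated on the server.
$ports = 80, 443, 5985, 5986, 8530, 8531

# 1. Listening port -> process. PID 4 / 'System' means the listener is HTTP.sys, not a user-mode server.
Get-NetTCPConnection -State Listen | Where-Object LocalPort -in $ports |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Pid = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path }
    } | Sort-Object Port -Unique

# 2. Who registered URLs on HTTP.sys? The request queues name the owning process; the ACLs name
#    the URL prefixes (for example http://+:5985/wsman/ for WinRM).
netsh http show servicestate view=requestq verbose=no
netsh http show urlacl

# 3. Reproduce the finding: send OPTIONS and DELETE and record the status and Allow header.
function Test-HttpMethod {
    param([string]$Uri, [string]$Method)
    try {
        $r = Invoke-WebRequest -Uri $Uri -Method $Method -UseBasicParsing -TimeoutSec 5
        [pscustomobject]@{ Uri = $Uri; Method = $Method; Status = [int]$r.StatusCode; Allow = $r.Headers['Allow'] }
    } catch {
        # non-2xx responses arrive as an exception; keep the status code (0 = no HTTP answer at all)
        $resp = $_.Exception.Response
        [pscustomobject]@{ Uri = $Uri; Method = $Method; Status = [int]$resp.StatusCode; Allow = $null }
    }
}

foreach ($port in 80, 5985) {
    foreach ($m in 'OPTIONS', 'DELETE') { Test-HttpMethod -Uri "http://localhost:$port/" -Method $m }
}
```

Read the results against the service found in steps 1 and 2. An OPTIONS that returns 200 with an Allow header listing only the methods the service actually implements, and a DELETE that returns 405 or 401, are normal behaviour for HTTP.sys-based services and the finding can be answered with that evidence; a DELETE that succeeds, or an unexpected third-party listener, is a real problem and is fixed in that service's own configuration (or by removing its URL reservation with `netsh http delete urlacl`), not in an IIS Manager the server does not have.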
