  • fabio.teles

    Hello @Mike-Rodrick,
    So I checked the configuration for revocation lists and this is the result:

    • On the RootCA I deleted all locations except the local C:\ path and added an HTTP one, http://pki...../cerdata/..., and then I created a DNS CNAME for the web servers that will hold that (for the LAB I only have one, but in real life I would have at least 2 with round-robin DNS).

    • The Enterprise CA, connected to AD, has the default option, published in AD. In production I have 3 domain controllers, so there I'll have the redundancy I need.

    So I think for CRL locations we are good to go, and I now understand a little more about the PKI.
    Thank you again!

    posted in Microsoft
  • fabio.teles
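A client-side check for the CDP setup described in this post, added here as an example and not code from the thread: it reads the CRL Distribution Points and AIA URLs out of a certificate issued by the lab CA, tests that the HTTP ones answer, and then lets certutil build the chain with URL fetching. The certificate path is an assumption.

```powershell
# Added example, not code from the thread. $CertPath is an assumption: a certificate
# exported from the lab Enterprise CA (e.g. a computer certificate) in .cer form.
param([string]$CertPath = 'C:\temp\issued-cert.cer')

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# Pull every URL= entry out of an extension's formatted text (Format($true) renders the
# ASN.1 via CryptoAPI on Windows, giving lines such as "URL=http://pki.../cerdata/x.crl").
function Get-ExtensionUrls([string]$Oid) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

$cdpUrls = Get-ExtensionUrls '2.5.29.31'          # CRL Distribution Points
$aiaUrls = Get-ExtensionUrls '1.3.6.1.5.5.7.1.1'  # Authority Information Access (issuer cert)
if (-not $cdpUrls) { throw "$($cert.Subject) carries no CDP extension; revocation cannot be checked" }

foreach ($url in @($cdpUrls) + @($aiaUrls)) {
    if ($url -notmatch '^http://') {
        # LDAP locations only resolve for domain-joined machines; list them, do not fetch.
        Write-Output ("SKIP  {0}  (non-HTTP, domain-only)" -f $url)
        continue
    }
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        Write-Output ("OK    {0}  HTTP {1}, {2} bytes" -f $url, $r.StatusCode, $r.RawContentLength)
    } catch {
        Write-Output ("FAIL  {0}  {1}" -f $url, $_.Exception.Message)
    }
}

# Authoritative check: let CryptoAPI build the chain and fetch every CDP/AIA it needs.
# certutil reports problems as ERROR/Failed lines rather than through its exit code.
$report = & certutil.exe -verify -urlfetch $CertPath
$problems = $report | Where-Object { $_ -match 'ERROR|Failed' }
if ($problems) { $problems | ForEach-Object { Write-Output "certutil: $_" } }
else { Write-Output 'certutil -verify -urlfetch: chain and revocation checks passed' }
```

Run it from a workstation outside the domain as well: that is where an LDAP-only CDP shows up as the only location and HTTP reachability actually matters.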

    Hello @Mike-Rodrick,
    Thank you for your answer. It clarified the idea; I was missing the CRL in the process. Well, in my LAB I have the RootCA and then a Subordinate, Enterprise CA, domain joined. Also in the LAB I have the CRL over an HTTP connection for the CRL I got from the RootCA, and for the sake of resources on my test LAB the web address is an IIS on the Subordinate CA, which is domain joined.

    As for the Enterprise CA, the subordinate one, I didn't configure anything related to the CRL. In the end, in the LAB, I didn't have errors but I need to check where the CRL is available. I think on the domain-joined CA it is over LDAP, but tomorrow, at work, I'll check on my test machines and also, if needed, spin up the VMs again from scratch and review this.

    I made a step-by-step guide with some old videos from Microsoft I found, but the CRL is a great question. I'll post the configuration I have so it can help others and also help me explain how I made it, and with your help I'll learn a lot more!

    Thank you Mike, again, for all the help! A very big thank you from Portugal :-)

    posted in Microsoft
  • fabio.teles

    Hello ITPros!
    With all the help I received regarding PKI and CAs, I am now more confident in using them, after testing them some times on a home Lab. Now I have a question, and after looking for it on the Internet I didn't find an answer.

    I'm thinking of using a RADIUS server to do authentication through certificates (computer certificates) from my Enterprise CA (domain joined). With that I want to verify the certificate issuer so I can validate the authenticity. When this is done, is there a connection to the CA server, or does the Trusted Authority on the RADIUS server contain the certificates (that I distributed through GPO - for the offline CA)? Just in case the CA is down temporarily or went bad and I need to add a new one.

    Thank you in advance for the help! Keep the great work!
    Regards,
    Fábio

    posted in Microsoft
  • fabio.teles

    Thank you Angie for the answer. Until further integration it could just be a message on the video page mentioning that this video has a corresponding LAB.
    Thank you again and keep up the good work.

    posted in Security
  • fabio.teles

    Hello.
    I'm checking the Security+ series (not the accelerated one) and I was wondering if there is something that maps the available LABs to the videos/parts. I'm in the 1.0 part so it might be there later, but I would like to know.
    Thank you for the help!

    Regards!
    Fábio

    posted in Security
  • fabio.teles

    Thank you Adam for the feedback. We are using the Current Version. In fact I was trying to re-use the Recovery Password for re-imaging, but after some tests on the Task Sequences I realized that if I suspend the protection and then clean the disk I need a new encryption. Well, when I'm re-imaging a computer in reality I want a clean base, so on a new encryption the AD will have the new key. If there is only one key there (no USB recovery password, for example) I just delete the account and start fresh.

    Thank you again :)

    posted in Microsoft
  • fabio.teles

    Hello Adam,

    Thank you for the link. Yesterday I found this link: https://miketerrill.net/2017/04/19/how-to-detect-suspend-and-re-enable-bitlocker-during-a-task-sequence/ and tried it. In fact it worked. I had never started a deployment from Windows (normally, as we are talking about dozens of computers in a LAB at a University, we just wipe them down), so I never really tried to re-image from the OS.

    But I created a new collection, added the computer, made the task available for that collection on the Config Manager Client, updated the policy and then from Software Center installed everything again. I used the CMD-line disable described in the link because on the OSD I would have at least 2 restarts. In the end I enabled it again with TPM only.

    Bottom line, I have a new recovery password. The idea was to retry using the same one, but I think that is the way Windows works: new BitLocker enabling, new recovery password, for security reasons I'm sure. I just wanted to avoid too many recovery keys in AD, and I'm not going to MBAM because it's going to be discontinued by MS. But I think it's still great like this because, in fact, it's working.

    Regards.

    posted in Microsoft
  • fabio.teles

    Hello!
    After the help that I had with previous questions, I have another one that someone might have the experience to give an opinion on.
    We are implementing BitLocker on a new AD, so we are starting fresh and more secure. I'm finishing the tests on this environment and until now I have all green (saving keys to AD, etc.).

    Now the question is: this encryption was made manually on Windows. We use SCCM and on another test I successfully encrypted the disk as the last step of my Task Sequence. Now I'm thinking of the next step - what is the correct step to re-image the computer? I know that if I decrypt the disk prior to WinPE boot (we enter there by Network boot) I can do the task without any issue. But with that I would:

    • Reset the computer account prior to re-join to the domain

    • The last recovery key will be there

    • Upon encryption I will have a new set of keys

    I can also wipe the disk without decrypting, avoiding data recovery from the decryption. But I wanted to know if it's possible to re-image the disk maintaining the encryption and the same recovery key.
    I have no PINs, just TPM as the authentication method during boot.

    I searched on the Internet, MS forums, saw all the possibilities but I'm missing what the correct step is to do this re-image maintaining encryption. Thank you in advance!

    posted in Microsoft
  • fabio.teles
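One way to script the suspend/re-enable flow that this question and the follow-up post above describe, added here as an example (not the thread's or the linked article's code): one function runs before the task sequence's reboots, the other after re-imaging to confirm protection is back on and the new recovery password is escrowed in AD. Drive letter, reboot count and the -Step switch are assumptions.

```powershell
# Added example, not the thread's or the linked article's code. Run elevated on the client.
# $Drive, $Reboots and the -Step switch are assumptions for wiring this into a task sequence.
param([ValidateSet('Suspend', 'Resume')][string]$Step, [string]$Drive = 'C:', [int]$Reboots = 2)

# Step 1 (before the task sequence restarts): suspend protection for a known number of reboots
# so it comes back by itself even if a later step never runs. This is the cmdlet form of the
# 'manage-bde -protectors -disable C: -RebootCount N' approach.
function Suspend-ProtectionForReimage {
    $vol = Get-BitLockerVolume -MountPoint $Drive
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { throw "$Drive is $($vol.VolumeStatus); nothing to suspend" }
    Suspend-BitLocker -MountPoint $Drive -RebootCount $Reboots | Out-Null
    $state = (Get-BitLockerVolume -MountPoint $Drive).ProtectionStatus
    if ($state -ne 'Off') { throw "Expected protection Off after suspend, got $state" }
    Write-Output "Protection on $Drive suspended for $Reboots reboot(s)"
}

# Step 2 (last task sequence step): resume with the existing TPM protector and make sure every
# recovery password protector is escrowed to the computer object in AD (needs the 'Store
# BitLocker recovery information in AD DS' policy). A re-encrypted volume gets a new password,
# so always back up whatever is there now rather than assuming the old key is still valid.
function Resume-ProtectionAndBackup {
    Resume-BitLocker -MountPoint $Drive | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $Drive
    if ($vol.ProtectionStatus -ne 'On') { throw "Protection on $Drive still $($vol.ProtectionStatus)" }
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        # No numerical password means nothing AD can recover; add one before backing up.
        Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Output "Recovery password $($p.KeyProtectorId) backed up to AD"
    }
}

switch ($Step) {
    'Suspend' { Suspend-ProtectionForReimage }
    'Resume'  { Resume-ProtectionAndBackup }
}
```

After the Resume step, the computer object in AD should show a msFVE-RecoveryInformation child for each protector ID printed; if it does not, the backup policy or the DC schema is the place to look.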

    Hello.

    Just to give an update regarding this. After installing a fresh DC on my laptop just for testing, the Default Domain Controllers policy has the option "Enable computer and user accounts to be trusted for delegation" enabled for BUILTIN\Administrators. Someone removed it because it was in a best practice from Microsoft to lock down DCs. I added this to the Policy, then a forced gpupdate and voilà, the verification all went well.
    I'm going to investigate where this best practice is, just to understand if this is the best practice indeed or not.

    Regards,
    Fábio

    posted in Microsoft
  • fabio.teles
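A check for the setting mentioned in this update, added as an example and not from the thread: it exports the DC's effective user-rights assignments with secedit and lists who holds SeEnableDelegationPrivilege, the privilege behind "Enable computer and user accounts to be trusted for delegation". The temp file path is an assumption.

```powershell
# Added example, not from the thread. Run elevated on the DC after gpupdate so the export
# reflects the Default Domain Controllers Policy as applied. Temp file path is an assumption.
function Get-DelegationPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    # The [Privilege Rights] section holds lines like:
    #   SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-...-512
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right assigned to nobody at all
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = '<unresolved>' }
        [pscustomobject]@{ Sid = $sid; Name = $name }
    }
}

$holders = @(Get-DelegationPrivilegeHolders)
$holders | Format-Table -AutoSize

# S-1-5-32-544 is BUILTIN\Administrators, the default holder in the Default Domain Controllers Policy.
if ($holders.Sid -contains 'S-1-5-32-544') {
    Write-Output 'BUILTIN\Administrators holds SeEnableDelegationPrivilege (default).'
} else {
    Write-Output 'BUILTIN\Administrators does NOT hold it; the Default Domain Controllers Policy was tightened.'
}
# Anyone else holding it can mark accounts as trusted for delegation, so each extra entry deserves a reason.
$holders | Where-Object { $_.Sid -ne 'S-1-5-32-544' } | ForEach-Object { Write-Output "Review: $($_.Name) ($($_.Sid))" }
```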

    Hello Adam,
    Thank you for your message. I tried that and it returned Access Denied... very strange. What do you think if I compare my default DC policy with a clean one from a freshly promoted DC?

    posted in Microsoft