  • fabio.teles

    Hello ITPros!

    I have a question regarding SCCM. My knowledge of it is based on a lot of research, trial and error, and LAB, lots of LAB!

    I have it up and running but I have a doubt regarding updates. I had configured the updates to clean up after syncs, supersede, expire, etc., and I think they are running OK. I also used the cleanup tool that is provided in the install directory, and it cleans up the SCCM library. But what about the download folder, the source that is downloaded and then distributed to the DPs?

    SCCM doesn't touch it, because I think it doesn't know anything about it, so how can we clean up that folder? With the IDs there it is not easy to manually delete the non-update members. After some research I didn't find concise information about it, so I hope someone can shed some light on this.

    Thank you in advance!

    posted in Microsoft
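    The folder the post is asking about is the package source share: when a software update deployment package downloads content, ConfigMgr creates one subfolder per content item under the package's source path, and removing an expired update from the package does not delete that subfolder. The script below is an added example (not from the post and not a Microsoft tool): it asks the SMS Provider which content subfolders are still tracked and reports every subfolder under each update package's source path that is not. The site code, provider name and the 14-day age cutoff are assumptions for illustration.

```powershell
# Added example, not from the forum post: report (and optionally delete) subfolders in the
# source path of each software update deployment package that ConfigMgr no longer tracks.
# Site code, provider server and the age cutoff are assumptions for illustration.
param(
    [string]$SiteCode   = 'P01',
    [string]$Provider   = 'CM01.corp.example',
    [int]$OlderThanDays = 14,
    [switch]$Remove
)

$ns = "root\sms\site_$SiteCode"

# Folder names ConfigMgr created under a package source for every content item it still
# tracks. SMS_PackageToContent.ContentSubFolder holds the subfolder name for that content.
$known = @{}
Get-CimInstance -ComputerName $Provider -Namespace $ns -ClassName SMS_PackageToContent |
    ForEach-Object { if ($_.ContentSubFolder) { $known[$_.ContentSubFolder.ToLower()] = $true } }

# Software update deployment packages carry their source share in PkgSourcePath.
$packages = Get-CimInstance -ComputerName $Provider -Namespace $ns -ClassName SMS_SoftwareUpdatesPackage

# A folder that is young may belong to a download still in progress; skip those.
$cutoff  = (Get-Date).AddDays(-$OlderThanDays)
$orphans = foreach ($pkg in $packages) {
    if (-not (Test-Path -LiteralPath $pkg.PkgSourcePath)) { continue }
    Get-ChildItem -LiteralPath $pkg.PkgSourcePath -Directory |
        Where-Object { -not $known.ContainsKey($_.Name.ToLower()) -and $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Package   = $pkg.PackageID
                Name      = $pkg.Name
                Folder    = $_.FullName
                SizeMB    = [math]::Round((Get-ChildItem -LiteralPath $_.FullName -Recurse -File |
                                Measure-Object Length -Sum).Sum / 1MB, 1)
                LastWrite = $_.LastWriteTime
            }
        }
}

$orphans | Sort-Object SizeMB -Descending | Format-Table -AutoSize

if ($Remove) {
    foreach ($o in $orphans) {
        # -Confirm makes every deletion explicit; drop it only once the report has been reviewed.
        Remove-Item -LiteralPath $o.Folder -Recurse -Force -Confirm
    }
}
```

    The default run is report-only. Run it after the sync with the expire/supersede rules and after the WSUS cleanup, so that content already dropped from the packages is what shows up as orphaned, and keep the age cutoff: the match is by exact folder name, so a folder that is absent from SMS_PackageToContent only because its download has not finished yet would otherwise be flagged. The DP content library is a different store and is not touched here.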
  • fabio.teles

    Hello all!
    Again I have a new challenge with a new implementation (testing). After all the help I received here regarding AD CS and a lot of testing and reading, I successfully installed an internal 2-tier PKI.

    Now for the next part: I want to configure OpenVPN to use the NPS for authentication (thinking of certificates also). So on OpenVPN I need to have certificates from AD CS and not create a CA on OpenVPN per se, as in the majority of tutorials online.

    Does anyone have some experience with this, using an external CA? I found a guide on the Web Archive but most of the information is no longer available...
    Thank you in advance for the help!

    Regards,
    Fábio Teles

    posted in General Discussion
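    With an external CA, OpenVPN only needs two things from AD CS on the client side: a `ca` file holding the chain (issuing CA plus root) in PEM, and a way to present the certificate the enterprise CA issued. On Windows the second part can stay in the machine store via OpenVPN's `cryptoapicert` option, so the private key never has to be exported. The script below is an added example (not from the post, not an OpenVPN or Microsoft tool); the CA subject names and the VPN server name are assumptions.

```powershell
# Added example, not from the forum post: build the PEM chain file OpenVPN needs when the
# certificates come from an AD CS two-tier PKI, and point the client at its machine
# certificate in the Windows store. Assumes the root and issuing CA certificates are in the
# local machine store (as on a domain-joined machine) and that a machine certificate from
# the enterprise CA is present. CA subject names and server name are illustrative.

function ConvertTo-Pem {
    param([byte[]]$Der, [string]$Label = 'CERTIFICATE')
    $b64   = [Convert]::ToBase64String($Der)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    "-----BEGIN $Label-----`n" + ($lines -join "`n") + "`n-----END $Label-----`n"
}

# 1. The 'ca' file: issuing CA plus root so OpenVPN can build the full chain.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like 'CN=Corp Root CA*'
$sub  = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Subject -like 'CN=Corp Issuing CA*'
if (-not $root -or -not $sub) { throw 'CA certificates not found in the machine store' }

$chainPem = (ConvertTo-Pem $sub.RawData) + (ConvertTo-Pem $root.RawData)
Set-Content -Path .\ca.crt -Value $chainPem -NoNewline -Encoding ascii

# 2. The client certificate: the newest unexpired machine cert issued by the enterprise CA.
#    cryptoapicert lets OpenVPN use it in place, so the key can stay non-exportable.
$client = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -eq $sub.Subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $client) { throw 'No usable client certificate issued by the enterprise CA' }

# 3. Client-side fragment to drop into the .ovpn profile.
@"
ca ca.crt
cryptoapicert "THUMB:$($client.Thumbprint)"
remote-cert-tls server
verify-x509-name vpn.corp.example name
"@ | Set-Content -Path .\client-cert.ovpn -Encoding ascii
```

    Two checks matter with AD CS templates: `remote-cert-tls server` only passes if the server certificate carries the Server Authentication EKU, and the client certificate needs the Client Authentication EKU, so issue them from templates that include those rather than from a generic one. Revocation is not automatic on the OpenVPN side; it needs the CA's CRL in PEM via `crl-verify`, refreshed before the CRL expires.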
  • fabio.teles

    Hello @Mike-Rodrick,
    So I checked the configuration for revocation lists and this is the result:

    • On the RootCA I deleted all locations except the local C:\ path and added an HTTP one, http://pki...../cerdata/..., and then I created a DNS CNAME for the web servers that will hold that (for the LAB I only have one, but in real life I would have at least 2 with round-robin DNS).

    • The Enterprise CA, connected to AD, has the default option, published in AD. In production I have 3 domain controllers so there I'll have the redundancy I need.

    So I think for CRL locations we are good to go, and I now understand a little more about the PKI.
    Thank you again!

    posted in Microsoft
  • fabio.teles

    Hello @Mike-Rodrick,
    Thank you for your answer. It clarified the idea; I was missing the CRL in the process. Well, in my LAB I have the RootCA and then a Subordinate, Enterprise CA, domain joined. Also in the LAB I have the CRL over an HTTP connection, for the CRL I got from the RootCA, and for the sake of resources on my test LAB the web address is an IIS on the Subordinate CA, which is domain joined.

    As for the Enterprise CA, the subordinate one, I didn't configure anything related to the CRL. In the end, in the LAB, I didn't have errors but need to check where the CRL is available. I think on the domain-joined CA it is over LDAP, but tomorrow, at work, I'll check on my test machines and also, if needed, spin up the VMs again from scratch and review this.

    I made a step-by-step guide with some old videos from Microsoft I found, but the CRL is a great question. I'll post the configuration I have so it can help others and also help me explain how I made it, and with your help I'll learn a lot more!

    Thank you Mike, again, for all the help! A very big thank you from Portugal :-)

    posted in Microsoft
  • fabio.teles

    Hello ITPros!
    With all the help I received regarding PKI and CAs, I am now more confident in using them, after testing them a few times on a home Lab. Now I have a question, and after looking for it on the Internet I didn't find an answer.

    I am thinking of using a RADIUS server to authenticate through certificates (computer certificates) from my Enterprise CA (domain joined). With that I want to verify the certificate issuer so I can validate the authenticity. When this is done, is there a connection to the CA server, or does the Trusted Authority on the RADIUS server contain the certificates (that I distributed through GPO - for the offline CA)? Just in case the CA is down temporarily or went bad and I need to add a new one.

    Thank you in advance for the help! Keep the great work!
    Regards,
    Fábio

    posted in Microsoft
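    On the question of what the RADIUS side actually talks to: Windows certificate chain validation (which is what NPS uses for EAP-TLS) never contacts the CA service. It needs the root in the local machine's Trusted Root store, the issuing CA certificate (from the store, the AIA URL or the chain the client sends), and the CRL from the CDP URL in the certificate, which can also be served from a cache while the CA is down. The function below is an added example (not from the post, not part of NPS) that runs that same validation against an exported client certificate so the result can be inspected; the expected root thumbprint and file path are assumptions.

```powershell
# Added example, not from the forum post: validate a client (computer) certificate the way
# the RADIUS/NPS server does, to show what it depends on: a trusted root in the machine's
# Trusted Root store and a reachable or cached CRL, not a connection to the CA.
# The certificate path and expected root thumbprint are assumptions for illustration.

function Test-ClientCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedRootThumbprint,
        [ValidateSet('Online','Offline','NoCheck')][string]$Revocation = 'Online'
    )
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = $Revocation     # Offline = use only the cached CRL
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'   # a root is not revocation-checked
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    # EAP-TLS client authentication requires the Client Authentication EKU.
    $null = $chain.ChainPolicy.ApplicationPolicy.Add(
        [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.2'))

    $ok   = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject        = $cert.Subject
        ChainValid     = $ok
        RootThumbprint = $root.Thumbprint
        RootPinned     = ($root.Thumbprint -eq $ExpectedRootThumbprint)
        Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Chain          = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

# Record this value from the root CA itself, not from the certificate being tested.
$ExpectedRoot = '<thumbprint recorded from the offline root CA>'

# The anchor NPS relies on must be in this store on the NPS server; the GPO that
# distributes the root certificate is what puts it there.
$rootInStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ExpectedRoot
if (-not $rootInStore) { Write-Warning 'Root CA certificate is not in the machine Trusted Root store' }

# Online: fetch the CRL from the CDP URL. Offline: succeed only if a still-valid CRL is cached,
# which is the situation while the issuing CA is down.
Test-ClientCertificate -Path .\laptop01.cer -ExpectedRootThumbprint $ExpectedRoot -Revocation Online
Test-ClientCertificate -Path .\laptop01.cer -ExpectedRootThumbprint $ExpectedRoot -Revocation Offline
```

    A `RevocationStatusUnknown` or `OfflineRevocation` status in the Offline run is the failure mode to plan for: the CA being down does not matter by itself, but the CRL it published does expire, so the CDP needs a copy served from somewhere that survives the CA (the post's HTTP location on separate web servers does that). Replacing a root means publishing the new root through the same GPO and reissuing the chain below it; the pinned thumbprint in the check above is what changes.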
  • fabio.teles

    Thank you Angie for the answer. Until further integration it could just be a message on the video page mentioning that this video has a corresponding LAB.
    Thank you again and keep up the good work.

    posted in Security
  • fabio.teles

    Hello.
    I'm checking the Security+ series (not the accelerated one) and I was wondering if there is something that maps the available LABs to the videos/parts. I'm in the 1.0 part so it might be there later, but I would like to know.
    Thank you for the help!

    Regards!
    Fábio

    posted in Security
  • fabio.teles

    Thank you Adam for the feedback. We are using the Current Version. In fact I was trying to re-use the Recovery Password for re-imaging, but after some tests on the Task Sequences I realized that if I suspend the protection and then clean the disk I need a new encryption. Well, when I'm re-imaging a computer in reality I want a clean base, so on a new encrypt AD will have the new key. If there is only one key there (no USB recovery password for example) I just delete the account and start fresh.

    Thank you again :)

    posted in Microsoft
  • fabio.teles

    Hello Adam,

    Thank you for the link. Yesterday I found this link: https://miketerrill.net/2017/04/19/how-to-detect-suspend-and-re-enable-bitlocker-during-a-task-sequence/ and tried it. In fact it worked. I never started a deployment from Windows (normally, as we are talking about dozens of computers in a LAB at a University, we just wipe them down), so I never really tried to re-image from the OS.

    But I created a new collection, added the computer, made the task available for that collection on the Config Manager Client, updated the policy and then from Software Center installed everything again. I used the CMD line disable described in the link because in the OSD I would have at least 2 restarts. In the end I enabled it again with TPM only.

    Bottom line, I have a new recovery password. The idea was trying to use the same one, but I think that is the way Windows works: new BitLocker enabling, new recovery password, for security measures I'm sure. I just wanted to avoid too many recovery keys in AD, and I'm not going to MBAM because it's going to be discontinued by MS. But I think like this it is still great because, in fact, it's working.

    Regards.

    posted in Microsoft
  • fabio.teles

    Hello!
    After the help that I had with previous questions, I have another one on which someone might have the experience to give an opinion.
    We are implementing BitLocker on a new AD so we are starting fresh and more secure. I'm finishing the tests on this environment and until now I have all green (saving keys to AD, etc. etc.)

    Now the question is: this encryption was made manually on Windows. We use SCCM and in another test I successfully encrypted the disk as the last step of my Task Sequence. Now I'm thinking of the next step - what is the correct step to re-image the computer? I know that if I decrypt the disk prior to the WinPE boot (we enter there by network boot) I can do the task without any issue. But with that I would:

    • Reset the computer account prior to re-join to the domain

    • The last recovery key will be there

    • Upon encryption I will have a new set of keys

    I can also wipe the disk without decrypting, avoiding data recovery from the decryption. But I wanted to know if it's possible to re-image the disk while maintaining the encryption and the same recovery key.
    I have no PINs, just TPM as the authentication method during boot.

    I searched on the Internet, MS forums, saw all the possibilities but am missing the correct step to do this re-image while maintaining encryption. Thank you in advance!

    posted in Microsoft
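    The re-image flow discussed in this thread (this post and the follow-ups about suspending during the task sequence and ending up with a new recovery password) has a fixed shape: protection is suspended for as many reboots as the OSD needs, the disk is wiped, and the new OS enables BitLocker from scratch, so the old key protectors are gone and the recovery password is necessarily new. The script below is an added example (not from the posts, not Microsoft's or Mike Terrill's code) of the two phases and of the check against AD afterwards; the computer name and mount point are assumptions.

```powershell
# Added example, not from the forum posts: BitLocker handling around an SCCM re-image.
# Phase A runs in the old OS before the task sequence restarts; Phase B is the last step in
# the new OS; the final function checks from an admin workstation what landed in AD.
# Mount point and computer name are assumptions; AD backup needs the GPO that allows it.

# ---- Phase A: before the task sequence restarts into WinPE ----
function Suspend-BitLockerForReimage {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        # RebootCount 0 keeps protection suspended across every reboot until it is resumed
        # explicitly, which is what an OSD with several restarts needs.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    }
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # 'Off' while suspended
}

# ---- Phase B: last task sequence step in the freshly deployed OS ----
function Enable-BitLockerTpmWithAdBackup {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Recovery password first: policies that require one reject TPM-only enabling.
        # -UsedSpaceOnly suits a just-wiped disk; -SkipHardwareTest avoids the extra reboot.
        Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null   # TPM-only boot
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }

    # Escrow every recovery password protector under the computer object in AD DS.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Resume-BitLocker -MountPoint $MountPoint -ErrorAction SilentlyContinue | Out-Null

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus,
            @{n='Protectors'; e={ ($_.KeyProtector.KeyProtectorType) -join ',' }}
}

# ---- Check: recovery objects stored under the computer account (needs the AD module) ----
function Get-AdBitLockerRecovery {
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn = (Get-ADComputer $ComputerName).DistinguishedName
    # Object names look like '<timestamp>{<password id>}'; the password itself is not shown.
    Get-ADObject -SearchBase $dn -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties whenCreated |
        Sort-Object whenCreated -Descending |
        Select-Object whenCreated, @{n='PasswordId'; e={ ($_.Name -split '\{')[1].TrimEnd('}') }}
}
```

    After a re-image the newest object returned by the last function is the only one that still matches a protector on the disk; the older ones are history and can be deleted once the machine is confirmed working, which is the "one key per computer" state the post was aiming at. Wiping the disk without decrypting is the right call for data: the old volume key is destroyed with the metadata, so nothing on the old volume is recoverable with the old password either.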
  • fabio.teles

    Hello.

    Just to give an update regarding this. After installing a fresh DC on my laptop just for testing, the Default Domain Controllers Policy has the option "Enable computer and user accounts to be trusted for delegation" enabled for BUILTIN\Administrators. Someone removed it because it was in a best practice from Microsoft to lock down DCs. I added this to the Policy, then a forced gpupdate and voilà, the verification all went well.
    I'm going to investigate where this best practice is, just to understand if this is the best practice indeed or not.

    Regards,
    Fábio

    posted in Microsoft
  • fabio.teles

    Hello Adam,
    Thank you for your message. I tried that and it returned Access Denied...very strange. What do you think if I compare my Default DC Policy with a clean one from a freshly promoted DC?

    posted in Microsoft
  • fabio.teles

    Hello!
    I have 2 production domain controllers, and wanted to add a third one, just in case. As we restarted for some roles we had some issues on boot that were resolved, and now AD is OK between the 2 DCs without any errors (already checked).

    When trying to add this 3rd DC I have this error on the Verification phase: Verification of Administrator rights failed. The Administrator account does not have the "Enable computer and user accounts to be trusted for delegation" right enabled.

    I didn't install the other 2 DCs. When I started there, they were already in place. In the DCs' Default Policies, that item is blank. I don't know of any other changes.

    What might be causing this? I looked online and wanted to check if anyone has seen an issue like this in their history.
    Thank you!

    posted in Microsoft
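    The right named in the wizard's message is the user right `SeEnableDelegationPrivilege`; by default the Default Domain Controllers Policy assigns it to BUILTIN\Administrators (SID S-1-5-32-544), and the promotion check looks at the effective assignment on the DC where the wizard runs. The script below is an added example (not from the three posts in this thread, not a Microsoft tool) that reads both the effective assignment and the GPO's own template so the two can be compared, the comparison the later post describes doing against a fresh DC. The domain name is taken from the environment; the GPO GUID is the fixed one of the built-in Default Domain Controllers Policy.

```powershell
# Added example, not from the forum posts: show who holds SeEnableDelegationPrivilege
# ("Enable computer and user accounts to be trusted for delegation") on a DC and what the
# Default Domain Controllers Policy says, so a missing assignment can be spotted.
# Needs local admin on the DC; the domain comes from the environment.

function Get-SeEnableDelegationHolders {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # secedit exports the effective local policy, including rights delivered by GPO, which is
    # what the promotion wizard's verification sees.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $tmp = Join-Path $env:TEMP 'secpol.inf'
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $line = Select-String -Path $tmp -Pattern '^SeEnableDelegationPrivilege\s*=' | Select-Object -First 1
        Remove-Item $tmp -Force
        if (-not $line) { return @() }          # right assigned to nobody: the post's symptom
        # Entries are '*SID' or plain names; translate SIDs so the output is readable.
        ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $v = $_.Trim()
            if ($v.StartsWith('*')) {
                try {
                    ([System.Security.Principal.SecurityIdentifier]$v.Substring(1)).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $v }
            } else { $v }
        }
    }
}

function Get-DefaultDcPolicyDelegationSetting {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # {6AC1786C-016F-11D2-945F-00C04fB984F9} is the Default Domain Controllers Policy GPO.
    $inf = "\\$Domain\SYSVOL\$Domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $hit = Select-String -Path $inf -Pattern '^SeEnableDelegationPrivilege' | Select-Object -First 1
    if ($hit) { $hit.Line } else { '(not set in Default Domain Controllers Policy)' }
}

$effective = @(Get-SeEnableDelegationHolders)
[pscustomobject]@{
    EffectiveOnDc           = $effective -join ', '
    InDefaultDcPolicy       = Get-DefaultDcPolicyDelegationSetting
    AdministratorsHaveRight = ($effective -contains 'BUILTIN\Administrators')
}
```

    The expected output on an untouched domain is `SeEnableDelegationPrivilege = *S-1-5-32-544` in the template and `BUILTIN\Administrators` as the effective holder. The security-relevant caveat when fixing it: this right lets its holder configure Kerberos delegation on accounts, including delegation to domain controllers, so it belongs to the tier-0 set. Restoring it to BUILTIN\Administrators in that GPO is the fix; granting it to an individual account to get past the wizard, or leaving it broad, is not.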
  • fabio.teles

    Hi again! I sent an email to Adam :) I was looking for some info on BitLocker and then PKI for the DRA and sent the email explaining the doubts to him. Thank you again. You guys are awesome :)

    posted in Microsoft
  • fabio.teles

    Hello Mike!
    I was watching the videos these days and testing on my home lab, but the Root CA mentioned in the video was an Enterprise CA, domain joined. I had read some information regarding the OFFLINE CA, and it is the part of configuring the CRL, etc., that has been the most difficult for me to understand until now.

    Any further assistance or guidance?
    Thank you again!

    posted in Microsoft
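    The CRL part of an offline root, which this post and the two later posts in the thread about CRL locations describe working through, comes down to a few certutil registry settings on the root CA: which locations the CA writes its CRL and certificate to, which of those URLs get stamped into the certificates it issues (the subordinate CA's certificate, in a two-tier design), and how long the CRL lives given that the root is normally powered off. The script below is an added example (not from the posts, not from the course) of that configuration plus the check to run afterwards; the hostname, path and validity periods are assumptions.

```powershell
# Added example, not from the forum posts: set CDP/AIA publication URLs on an offline
# (standalone) root CA so the certificates it issues point at an HTTP location that both
# domain-joined and non-domain clients can reach, then publish and verify.
# Hostname, path and periods are assumptions for illustration. Run elevated on the root CA.

$HttpBase = 'http://pki.corp.example/certdata'

# Tokens certutil expands: %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix,
# %1 = server DNS name, %4 = CA certificate renewal suffix.
# Flags: 1 = publish the CRL to this location, 2 = put this URL in the CDP extension of
# issued certificates. No LDAP entry: clients outside the domain cannot resolve it.
$cdp = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'   # local file the CA writes
    "2:$HttpBase/%3%8%9.crl"                               # what issued certs advertise
) -join "`n"

# AIA: 1 = write the CA certificate locally, 2 = include this URL in the AIA extension.
$aia = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'
    "2:$HttpBase/%1_%3%4.crt"
) -join "`n"

certutil -setreg CA\CRLPublicationURLs    $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# A root that is only booted occasionally needs a long base CRL, no delta CRL, and an
# overlap so the old CRL is still valid while the new one is being copied to the web server.
certutil -setreg CA\CRLPeriodUnits      26
certutil -setreg CA\CRLPeriod           'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLOverlapUnits     2
certutil -setreg CA\CRLOverlapPeriod    'Weeks'

# Validity of the certificates this CA issues (the subordinate CA certificate).
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod      'Years'

Restart-Service CertSvc
certutil -crl    # writes the CRL into CertEnroll; copy it and the .crt to the web server

# On any client, after the files are on the web server: -urlfetch follows every CDP and
# AIA URL in the certificate and reports each one that cannot be retrieved.
# certutil -verify -urlfetch .\issuing-ca.cer
```

    The two things that go wrong in practice are both in the verification step: a URL in a certificate that resolves only inside the domain, and a root CRL that expired because nobody booted the root to republish it. The second one breaks revocation checking for every certificate below the root at once, so the republish date (before `CRLPeriod` minus the overlap runs out) belongs on a calendar. The CDP and AIA should stay HTTP, not HTTPS, since a client cannot validate the web server's certificate before it has the CRL.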
  • fabio.teles

    Thank you Adam for the link. I already had that one, and the amount of mixed information does not make it an easy read, but I'll go from there. I always feel a lack of guidance for backing up your keys to AD...normally we have information for encrypting a server or encrypting a client...the first preparatory steps normally are not that clear, but I'll continue to search. Thank you.

    posted in Microsoft
  • fabio.teles

    Hello. I was just wondering about the best course to refresh the BitLocker process and to integrate with AD DS the key + TPM backup. I want to do some tests so I can then move to production. I know how it works, I just wanted a refresher for Server 2016 + Windows 10.

    Thank you!

    posted in Microsoft
  • fabio.teles

    @mike-rodrick said in PKI Infrastructure:

    Hello @fabio-teles ,

    Look for MCSA Windows Server 2016 - 70-742 in the course library. There are 10 episodes on Implement Active Directory Certificate Services. We look at setting up a two-tier PKI, using an offline root CA and an Enterprise subordinate CA. I would definitely recommend against a single CA in a production environment.

    Hope this helps, if you have any more questions, let me know.

    Thanks for watching!

    Thank you! I was looking for PKI in the search so I didn't see that...Thank you Mike! I did the MCSA Update to Server 2016 but wanted a deeper dive into the PKI. I'm sure it will help a lot!

    Thank you again!

    posted in Microsoft
  • fabio.teles

    Hello. Any possibility in the near future of a video series regarding PKI infrastructure, but one that explains a production environment? Normally it is just one CA, but in reality that is not recommended. It was a great help for a topic that for me is very advanced!
    Thank YOU!

    posted in Microsoft
  • fabio.teles

    Hello,
    Is the update for the 70-744 material scheduled? Also it would be great to have the LABs for it. I'm not using my subscription as much as I would like, and in fact these more advanced courses would be great. Thank you.

    posted in Microsoft