WSUS 2012 R2 and Windows 10 1703

I have been working on WSUS and Windows 10 for the last few days, following some rather annoying updates to newly deployed Surface Pro devices, and more importantly a grumbling comment from a co-worker: ‘can’t we automate this stuff anymore?’.

Well, I have to say that was the final straw. Windows 10 and WSUS have been a pain for me since it was released.

With hotfixes, tweaks and dances required, and failing to get Windows 10 talking and working with WSUS consistently, it perhaps was no surprise that I had opted to point 10 directly to Windows Update and only control the schedule and ring, rather than the more traditional granular approach taken with Windows 7 and 8.

So, yes, the answer is we should be able to manage patching with Windows 10.

Yes, we are going to manage it.

Update to Windows Management Framework 5.1 on Windows 7

Over the weekend I read this article about PowerShell Security in the Enterprise. I decided whilst reading it that I should probably make sure my clients’ machines have the latest WMF installed.

Assuming this was just a KB article, I searched WSUS for KB and found nothing. Reading the blog article about the 5.1 release and then the Install and Configure guidance, we see that WMF 5.1 is released to Windows 7, but manual steps are required to install it.

The download comes as a ZIP file with a PowerShell script (Install-WMF5.1.ps1) and an MSU for the architecture of the PC.

Configure and Deploy Microsoft LAPS

IT Security is essentially a risk mitigation game. There is no such thing as a totally secure system, certainly nothing you can ‘set and forget’ and so we are left to decide what we can do, to best protect our systems.

We don’t want an unauthorised person to use our computer, so we use a password. We know passwords can be guessed, or cracked, so we choose more difficult passwords. More powerful attackers can crack more difficult passwords, so we use 2 Factor Authentication.

The list goes on and on and on, but with each risk we can look for a mitigation that works in our environment, knowing that there is nothing we can do to fully protect ourselves, but we can make things as difficult as possible for a would-be attacker, in the hopes that he or she may look for some lower-hanging fruit elsewhere.

With that in mind we are going to look at managing the Local Administrator password for your client computers to help prevent lateral movement through your network.

Using Office 365 to Protect Your Email

No doubt everyone reading this is familiar with spoofed email, where an attacker crafts a message to appear as though it comes from a legitimate sender, in the hopes the recipient will reveal personal information or part with their hard-earned cash.

With the rise in so-called ‘spear phishing’, being able to effectively block spoofed email is no longer just desirable, it is critical.

Also bear in mind that whilst technologies like Sender ID and DKIM exist, they require both parties of an email to be using them for them to be effective.

You may think any domain you have moved to Office 365 recently is automatically protected by Exchange Online Protection; however, like previous versions of Exchange, Sender ID checking is disabled by default, as are advanced spam filtering and malware protection.

Migrate SBS 2011 Standard to Windows Server 2016

Your trusty old SBS 2011 is finally being retired. It had a good run. It probably still works but you can’t get the parts, and the cloud is so appealing, and for whatever reason you have, you are putting in a new on-premises DC.

Hey, you don’t have to justify it to me. Chances are you shipped Exchange off to the cloud long ago, your clients never really ‘got’ SharePoint and SQL was just used by the backup software and WSUS.

The only thing we want to migrate is Active Directory and File & Print services.

PowerShell Password Reminder Script Updated!

Today I finally released my updated version of the now infamous PowerShell Password Reminder script.

It has been a long time coming, and I have tried to incorporate a lot of the feedback (if not all) from the 230 Q&As from the TechNet Gallery.

DHCP Option Values and PowerShell

Following on from my previous post, I wanted to share a small bit of PowerShell I created whilst on a site visit.

This was before I had worked on Vendor Classes but actually follows on quite nicely. In the previous post I mentioned a requirement to set an alternate NTP Server address, and used 1.uk.pool.ntp.org.

For those who may have worked with those NTP Servers in the past, you may know that (as the name suggests) they are a pool of servers and the IP address returned changes frequently. So, setting that value statically and forgetting about it led me to find a new phone on a client’s desk was not syncing the time.
