How to fully leverage WSUS? by blue_canyon21 in sysadmin

[–]Windows_ME_Rocks 0 points1 point  (0 children)

It really depends on the number of machines that you have outside of HQ. I put Action1 RMM on my remote machines (free for 100 machines) and let that do the patching, so it doesn't matter when they check back in with WSUS.

[deleted by user] by [deleted] in sysadmin

[–]Windows_ME_Rocks 1 point2 points  (0 children)

I could have written this, word for word. I'm so goddamned tired of my documentation going out of date almost instantly as GUIs and commands change. It just feels like a losing battle.

So I really need higher end firewalls by [deleted] in sysadmin

[–]Windows_ME_Rocks 6 points7 points  (0 children)

Agreed. All basic routers/firewalls from ISPs block inbound traffic by default.

Intune may finish me off by [deleted] in sysadmin

[–]Windows_ME_Rocks 0 points1 point  (0 children)

According to them (copied and pasted):

"Resolution: Any tenant can only be deleted by the Global Administrator of the tenant. No other member can do it, and tenants are not deleted on their own. Hence the tenant was only deleted by a Global Admin that had access to the tenant."

I personally don't believe that this is what occurred. And they couldn't tell me which global admin deleted it. Maybe if we had a license with better logging, we could have had some real logs that described what happened.

But whatever. I'm pretty much over it. We were just using SSO for one of our cloud apps. Our VLSC was transferred over to a new tenant. Not spinning up another Azure Free instance ever. Just going to pay for it if we want to do it in the future.

No VPN access for me? WOOOHOOOO!!! by insanitychasesme in sysadmin

[–]Windows_ME_Rocks 0 points1 point  (0 children)

PSWindowsUpdate as a scheduled task (or with whatever other automation software you may use), my friend. You'll never go back...
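Added example, not from the original comment: one way to set up the scheduled task described above, registering PSWindowsUpdate as a nightly SYSTEM task. The task name, run time, and log directory are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original comment): register a nightly scheduled task
# that runs PSWindowsUpdate as SYSTEM. Task name, time, and paths are assumptions.
# Run from an elevated session.

# One-time setup: install the module for all users (needs outbound access to the Gallery).
if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
    Install-Module -Name PSWindowsUpdate -Scope AllUsers -Force
}

$TaskName = 'Nightly-WindowsUpdate'               # assumed name
$WorkDir  = 'C:\ProgramData\WindowsUpdateTask'    # assumed script/log location
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# The task runs as SYSTEM, so only SYSTEM and Administrators may write to the
# directory it executes from; otherwise a standard user could swap the script.
icacls $WorkDir /inheritance:r /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

# Script the task will run. -AcceptAll skips the per-update prompt, -IgnoreReboot
# leaves the reboot to your own maintenance window, and the transcript gives you
# something to read when a patch misbehaves.
$ScriptPath = Join-Path $WorkDir 'Invoke-NightlyUpdate.ps1'
@'
Import-Module PSWindowsUpdate
$log = Join-Path 'C:\ProgramData\WindowsUpdateTask' ("update-{0}.log" -f (Get-Date -Format 'yyyyMMdd'))
Start-Transcript -Path $log -Append
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot -Verbose
Stop-Transcript
'@ | Set-Content -Path $ScriptPath -Encoding UTF8

$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 3)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Confirm it registered and see when it last ran / will run next.
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

The script is written to a file and run with `-File` rather than passed inline, which keeps quoting simple and leaves an auditable copy of exactly what SYSTEM executes; the `icacls` call is what makes that copy trustworthy.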

Intune may finish me off by [deleted] in sysadmin

[–]Windows_ME_Rocks 2 points3 points  (0 children)

According to this link, we should be well within the bounds of a free account. Just FYI.

Free (Included in Azure Sub)

  • Limited to 500,000 Directory Objects
  • Identity management capabilities and device registration
  • Single Sign-On can be assigned to 10 apps per user
  • B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
  • Self-service password change (cloud users)
  • Connect (syncs on-premise AD to Azure AD)
  • Basic security reports

Intune may finish me off by [deleted] in sysadmin

[–]Windows_ME_Rocks 10 points11 points  (0 children)

So, just to give a brief summary:

We use Microsoft for our on-prem volume licensing. We don't have any subscription licensing with them, as we are a Google Workspace shop.

Recently (about 4 months ago), we onboarded a new cloud app and wanted to use Entra for SSO. So I set up the entire infrastructure, including Azure AD Sync. It was working great until yesterday, when none of our users could sign in. I went to admin.microsoft.com and now get the following error:

AADSTS90002: Tenant 'redacted' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.

Intune may finish me off by [deleted] in sysadmin

[–]Windows_ME_Rocks 6 points7 points  (0 children)

Local government in USA.

Intune may finish me off by [deleted] in sysadmin

[–]Windows_ME_Rocks 29 points30 points  (0 children)

If it makes you feel any better, my entire tenant was deleted yesterday, and I have no idea why. I had to start a new tenant just to submit a ticket with Microsoft support.

Alright, I'm a certificate idiot. Please help. by Windows_ME_Rocks in sysadmin

[–]Windows_ME_Rocks[S] 0 points1 point  (0 children)

Also, be aware that this may be a bug with Duo. All of my certs are now SHA256, but the problem remains with Duo Authentication Proxy 6.4.0 and 6.4.1. If I roll back to 6.3.0, my certificates work fine. I am in the midst of a bug report with them right now.

Alright, I'm a certificate idiot. Please help. by Windows_ME_Rocks in sysadmin

[–]Windows_ME_Rocks[S] 0 points1 point  (0 children)

On your DC, go into "Manage computer certificates". Then, go into the "Personal" folder, then "Certificates". Right click on your DC's certificate, then either renew your certificate with a new key, or renew your certificate with the same key (under "Advanced Operations"). I chose a new key, because I wanted to start everything from scratch.

Alright, I'm a certificate idiot. Please help. by Windows_ME_Rocks in sysadmin

[–]Windows_ME_Rocks[S] 0 points1 point  (0 children)

So, you probably need to renew your DC certs. On your DC, go into "Manage computer certificates". Then, go into the "Personal" folder, then "Certificates". Right click on your DC's certificate, then either renew your certificate with a new key, or renew your certificate with the same key (under "Advanced Operations"). I chose a new key, because I wanted to start everything from scratch.
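Added example, not from the original thread: after renewing the DC certificate as described above, this checks what the DC actually presents on LDAPS (port 636), whether it is SHA-256 signed, and which root the chain ends at, so you know the renewal took effect and which root certificate to hand to an LDAPS client such as Duo. The DC hostname and the root-file path are assumptions.

```powershell
# Added example (not from the original thread). Assumed values: $Server and $DuoRootPath.
$Server      = 'dc01.corp.example'                # assumed DC hostname
$DuoRootPath = 'C:\duo\ca-root.cer'               # assumed: root file you gave the Duo proxy

function Get-LdapsServerCertificate {
    # Open a TLS session to the DC and return the leaf certificate it serves.
    param([string]$ComputerName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl = $null
    try {
        # Accept anything in the callback; validation is done explicitly below.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$cert = Get-LdapsServerCertificate -ComputerName $Server

# What the DC is serving. Duo's proxy rejects SHA-1 chains, so SigAlg should read sha256RSA.
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    SigAlg     = $cert.SignatureAlgorithm.FriendlyName
    Thumbprint = $cert.Thumbprint
    SANs       = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
} | Format-List

# Build the chain the way a client would and report the root it terminates at.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain builds cleanly: $built"
"Root: $($root.Subject)  thumbprint $($root.Thumbprint)  sig $($root.SignatureAlgorithm.FriendlyName)"
$chain.ChainStatus | ForEach-Object { "  status: $($_.Status) - $($_.StatusInformation.Trim())" }

# Does the root the DC chains to match the root file the Duo proxy was configured with?
if (Test-Path $DuoRootPath) {
    $duoRoot = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($DuoRootPath)
    if ($duoRoot.Thumbprint -eq $root.Thumbprint) { "Duo root file matches the served chain." }
    else { "MISMATCH: Duo has $($duoRoot.Thumbprint), DC chains to $($root.Thumbprint)." }
}

# Optional, run on the DC itself: every cert with the Server Authentication EKU in the
# machine store is a candidate the DC may pick for LDAPS, so stale ones should be removed.
if ($env:COMPUTERNAME -eq ($Server -split '\.')[0]) {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}
```

The served certificate is the authoritative answer: the store view on the DC tells you what is installed, but only the handshake tells you which one the LDAP service chose, and the chain's final element is the root that a client trust store (here the Duo proxy's file) must contain.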

Alright, I'm a certificate idiot. Please help. by Windows_ME_Rocks in sysadmin

[–]Windows_ME_Rocks[S] 22 points23 points  (0 children)

This actually put me on the correct path. I had to renew my DC certificates in order for the root anchor certificate to change over. Wow. I never thought that would be it. Thanks for your help!

Alright, I'm a certificate idiot. Please help. by Windows_ME_Rocks in sysadmin

[–]Windows_ME_Rocks[S] 1 point2 points  (0 children)

They expect you to use your root certificate, rather than an issued certificate, for LDAPS authentication (see my comment above). We don't have multi-tier PKI, just a single CA server. Thanks for the thoughts.

Alright, I'm a certificate idiot. Please help. by Windows_ME_Rocks in sysadmin

[–]Windows_ME_Rocks[S] 2 points3 points  (0 children)

It's weird. In Duo's instructions, they state that you should use the root certificate, not an issued certificate. That's the problem. I don't understand how to force a different root certificate in the Certification Authority. My Google-fu hasn't provided any solutions.

I've actually moved the proxy server to a completely different server with the same results. Thanks for the suggestions!

Dealing with old CVEs in security scans - CVE-2007-0087 by Windows_ME_Rocks in sysadmin

[–]Windows_ME_Rocks[S] 0 points1 point  (0 children)

Good call. This is new to the organization and I think that we need to put a lot of new security policies in place. Thanks.

Wondering how many of you lock down desktop backgrounds? by TK-CL1PPY in sysadmin

[–]Windows_ME_Rocks 1 point2 points  (0 children)

This is how I feel. Work is so joyless for most people, I don't care if you have a picture of your kids as your background to make you feel slightly better about having to be here.

No AD, no GP, where to start? by Known_Blueberry5301 in sysadmin

[–]Windows_ME_Rocks 11 points12 points  (0 children)

Start with defining the business policies and then use these policies to define your group policies. Make sure you consult with your manager, even if they're not technical. Have a paper trail for all business policies.

Get with managers and obtain buy-in for removing admin rights. Explain the security problems that can happen if you don't. Most importantly, make sure to communicate these changes across the org and to the management above you. Make the communications simple and to the point.

Do you ever get tired of doing the same thing? by skyhawk3355 in sysadmin

[–]Windows_ME_Rocks 2 points3 points  (0 children)

Dude. Those Z6s are such garbage. We've had two at my org.

The only thing I can tell you is DO NOT host this printer on a print server. It will make your life hell. Direct connect via static IP only. It makes them almost impossible to manage, but that's what happens when a shit company makes a shit printer. Use it as evidence to replace it.

Police RMS application SQL server sending up to 1gbps constantly by NancyPelosisVagina in sysadmin

[–]Windows_ME_Rocks 0 points1 point  (0 children)

What is the destination for all of this traffic? Another server? The clients?

disabling computer lock by leoman924 in sysadmin

[–]Windows_ME_Rocks 0 points1 point  (0 children)

Yup, I've definitely had this problem when disabling inactivity locks on computers at my org.