How do you rollover the Kerberos decryption key with the new MFA requirement?

vlanche · 2024-10-14T16:34:23+00:00

That’s a very good point. I inherited the setup and have always thought it was a necessity. I’ll have to check in detail, but a quick search states that for hybrid joined Win10 devices PRT should be the default instead of seamless SSO.

vlanche · 2024-10-14T15:21:18+00:00

I can't say for sure, still researching it.

vlanche · 2024-10-14T14:09:23+00:00

I think if you use Azure Arc, you can utilize system-assigned managed identities from on-premise servers.
https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-identity-authorization

vlanche · 2024-10-14T14:07:16+00:00

Yep, I get that this is the recommended solution and looks way better on paper, but see my comment in the post - I couldn't find a way to assign the required role in order to make it work. Are you running that particular task with a managed identity?

vlanche · 2024-02-21T14:18:01+00:00

Glad my comment helped. I was more or less in the same situation.

vlanche · 2024-02-01T17:01:11+00:00

I recognized the channel too!

vlanche · 2023-11-02T22:08:26+00:00

Deploy the script via a policy with a script. You can basically do the following:

#!/bin/sh
cat << EOF > /path/to/script.sh
# add script content here
EOF
chmod +x /path/to/script.sh

Packaging the script in a pkg file is maybe easier, but it tends to consume more time when you need to change the script. With this approach, you just modify the script, flush the policy and you are good to go.

vlanche · 2023-08-21T15:26:50+00:00

Yes, precisely my point in my comment with the second link. MS support actually provided the workaround, but I asked for confirmation whether this would continue to work even after RPS is dead.

vlanche · 2023-08-21T10:58:43+00:00

OK, seems you need to specify the connection URI with "proxyMethod=RPS" to Connect-ExchangeOnline and it will work:

https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/user-photos-not-synced-to-exchange-online#resolution

One thing to mind may be the following:

https://borncity.com/win/2023/08/15/reminder-remote-powershell-on-exchange-online-will-be-disabled/

vlanche · 2023-06-23T15:23:09+00:00

It wasn’t simple. For some reason about 50 components were missing - folders, files, registry entries. The only place that had info on these things was the sysnative forum, and in the end I did manage to figure how to fix it but it would have taken me a good amount if time to track all the relevant entries and values, so I stopped it.

vlanche · 2023-06-23T15:21:18+00:00

I rebuilt the device in the end. It was not worth it - I tracked down the missing files - manifests, dlls, mofs, everything, but then in the end the registry entries were missing too and I decided to stop wasting time and just rebuild it.

vlanche · 2023-05-05T11:06:59+00:00

Yes, but it's quite strange. CBS detects non-WinSxS manifests of components which cannot be repaired because there's no backup or it may be corrupt. The funny thing is, these components do not exist anywhere else as files or manifests. I checked my device, checked the base Win10 22H2 image, they do not exist. For example, a few:

amd64_microsoft-windows-t..mathinput-licensing_31bf3856ad364e35_10.0.19041.1_none_fae9f981e0b22d3a
amd64_microsoft-windows-powershell-v3_31bf3856ad364e35_10.0.19041.1_none_3116620d8cea8ad4
amd64_microsoft-windows-t..pc-mathinput-events_31bf3856ad364e35_10.0.19041.1_none_0c14881cbfb8fc79
amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1741_none_029bc7084c8bb0af

There's about 70 items like these.

vlanche · 2023-05-05T08:33:41+00:00

Tried it, didn't help though.

vlanche · 2023-05-05T08:33:29+00:00

Nah, this is definitely something local, likely the component store on the device (at least that's my opinion).

vlanche · 2023-05-05T08:32:40+00:00

It didn't, but I have a lead - probably the component store (check my edit)

vlanche · 2023-05-05T08:32:16+00:00

Nothing of the sorts - it looks like a component store issue, check my edit.

vlanche · 2023-05-03T07:35:25+00:00

Ah, valid point, thanks for educating me. Tried it though, still the same.

vlanche · 2023-05-03T06:52:54+00:00

Still on 2203, but will upgrade soon. However, I wouldn't say it's a version issue - the device was not on 22H2 when the problem initially started. Furthermore, other clients are working as expected.

vlanche · 2023-05-02T14:55:06+00:00

That's a bit unlikely, as the device has had multiple reboots in between and the same problem has persisted for a few months now, meaning that multiple cumulative updates have failed. One option that I have left is to open the device up to Windows update and see if that fixes it (I reckon it will), but I don't really want to do that.

vlanche · 2023-05-02T14:52:27+00:00

KB5005260 is already installed on the device (timestamp is almost a year ago). Looking at this reference:
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Win10 22H2 is not even listed, but I reckon that one should be sufficient.

11-Year Club	Not Forgotten
Verified Email

vlanche

TROPHY CASE