16 November 2024

Remove the annoying "Learn more about this picture" icon - And get a new one to OneDrive

I wanted to remove the annoying new "learn more about this picture icon" and saw a tip in the newsletter from @samilaiho over at https://win-fu.com.

When changing the registry to the required setting I made a mistake (I didn't read correctly) and change another registry entry.

In doing so I came across a new folder on my desktop:


This is a shortcut to the OneDrive folder, maybe it's possible to get it to show another way but this how I got it:

Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel' -Name '{018D5C66-4533-4307-9B53-224DE2ED1FE6}' -Value 0

To remove the annoying "learn more about this picture icon" you have to set this:

Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel' -Name '{2cc5ca98-6485-489a-920e-b3e88a6ccce3}' -Value 1

25 October 2024

Add (or Remove) Users to (or from) a group from a CSV with UPN's (email addresses)

 Last week I needed a quick way to remove a large number of users from an on-premises AD group.

The only info I had was the email address. Now the PowerShell command that I used didn't like to parse the email address so I had to find another way of doin the same thing.

I came up with this, and it's only here because I use this a lot and I don't want to reinvent every script that I make because I can't remember where I put it.

Add Users To Group From CSV:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# Path to your CSV file
$csvPath = "C:\Temp\Add-UserstoGroupFromCSV\Add-UserstoGroupFromCSV.csv"
 
# Import the CSV file
$users = Import-Csv -Path $csvPath

# Define the group to which you want to add the users
$groupName = "Your super secret group name"
# $groupName2 = "Your super secret group name2"
# Loop through each user in the CSV file foreach ($user in $users) { # Get the email address from the CSV $emailAddress = $user.Email # Find the user in Active Directory by email address $ADUser = Get-ADUser -Filter { EmailAddress -eq $emailAddress } # Check if the user exists if ($adUser) { # Add the user to the group Add-ADGroupMember $groupName -Members $ADUser -Confirm:$false #-whatif # Add-ADGroupMember $groupName2 -Members $aduser -Confirm:$false #-whatif Write-Output "$User has been removed from the $groupname / $groupname2." } else { # Output a message if the user is not found Write-Output "No user found with email address $emailAddress." } }

Remove Users From Group From CSV:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# Path to your CSV file
$csvPath = "C:\Temp\Remove-UsersFromGroupFromCSV\Remove-UsersFromGroupFromCSV.csv"
 
# Import the CSV file
$users = Import-Csv -Path $csvPath

# Define the group from which you want to remove the users
$groupName = "Your super secret group name"
# $groupName2 = "Your super secret group name2"

# Loop through each user in the CSV file
foreach ($user in $users) {
    # Get the email address from the CSV
    $emailAddress = $user.Email
 
    # Find the user in Active Directory by email address
    $ADUser = Get-ADUser -Filter { EmailAddress -eq $emailAddress }
 
    # Check if the user exists
    if ($adUser) {
        # Remove the user from the group
    Remove-ADGroupMember $groupName -Members $ADUser -Confirm:$false #-whatif
    # Remove-ADGroupMember $groupName2 -Members $aduser -Confirm:$false #-whatif
    
    Write-Output "$User has been removed from the $groupname / $groupname2."

    } else {
        # Output a message if the user is not found
        Write-Output "No user found with email address $emailAddress."
    }
}

22 August 2024

Install the New Teams client on Windows Server 2019 and 2022

The classic Teams client is out of support as of july 2024.
So the new client needs to be installed for server operating systems.

Here's how to do this:

Download the VClibs from here:
Microsoft.VCLibs.x64.14.00.Desktop.appx 

Then download the new Teams MSIX installer:
MSTeams-x64.msix

Then enable sideloading apps like this:

Open Settings:Go to Update & Security.
Select For developers.

Enable Sideloading:Under “Use developer features,” select the Sideload apps option.
Confirm the prompt by clicking Yes.

Or using PowerShell (if needed):
Open PowerShell with administrator privileges.
Run the following command to enable sideloading:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowAllTrustedApps" /d "1"

Then install the VClibs package:
Add-AppPackage -Path C:\path\to\Microsoft.VCLibs.x64.14.00.Desktop.appx

And then install the new Teams client package:

Add-AppPackage -Path C:\path\to\MSTeams-x64.msix

And there you have it, start the new Teams client on your server OS.

17 July 2024

Get all Enterprise Apps and add at least 2 owners with PowerShell

Following the script from Vasil Michev I came across:
https://www.michev.info/blog/post/5940/reporting-on-entra-id-application-registrations

When the script has run the output will probably show that there are a number of Enterprise Apps that haven't got an owner associated to them.
This can become a problem when trying to identify it's usage, and when a secret or certificate is almost expiring or has expired.

To make sure you have your owners set, I created this script.

It get's all Enterprise apps and filters the ones without an owner. It then add the owners you want to all the apps that haven't got an owner.

Remember to test this out first.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# Install AzureAD module if not already installed
try {
    Import-Module AzureAD -ErrorAction Stop
} catch {
    Install-Module AzureAD -Force
    Import-Module AzureAD
}

# Connect to Azure AD
Connect-AzureAD

# Define the owners you want to add
$owner1 = "user1@domain.com"
$owner2 = "user2@domain.com"

# Retrieve all enterprise apps
$apps = Get-AzureADServicePrincipal -All $true

# Filter apps without an owner
$appsWithoutOwners = $apps | Where-Object {
    (Get-AzureADServicePrincipalOwner -ObjectId $_.ObjectId).Count -eq 0
}
$appsWithoutOwners.count

# Display the filtered apps
foreach ($app in $appsWithoutOwners) {
    Write-Host "App without owner: $($app.DisplayName)"
}

# Add the owners
foreach ($app in $appsWithoutOwners) {
    # Add the two specific owners
    $owner1ObjectId = (Get-AzureADUser -Filter "UserPrincipalName eq '$owner1'").ObjectId
    $owner2ObjectId = (Get-AzureADUser -Filter "UserPrincipalName eq '$owner2'").ObjectId

    Add-AzureADServicePrincipalOwner -ObjectId $app.ObjectId -RefObjectId $owner1ObjectId
    Add-AzureADServicePrincipalOwner -ObjectId $app.ObjectId -RefObjectId $owner2ObjectId

    Write-Host "Added owners to App: $($app.DisplayName)"
    $app = $null
   }

Write-Host "Process completed."

14 June 2024

PowerShell script to check TLS 1.2 settings on Entra ID connect server - Enable TLS 1.2 with PowerShell

You can use the following PowerShell script to check the current TLS 1.2 settings on your Entra ID connect server

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Function Get-ADSyncToolsTls12RegValue
{
    [CmdletBinding()]
    Param
    (
        # Registry Path
        [Parameter(Mandatory=$true,
                   Position=0)]
        [string]
        $RegPath,

# Registry Name
        [Parameter(Mandatory=$true,
                   Position=1)]
        [string]
        $RegName
    )
    $regItem = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction Ignore
    $output = "" | select Path,Name,Value
    $output.Path = $RegPath
    $output.Name = $RegName

If ($regItem -eq $null)
    {
        $output.Value = "Not Found"
    }
    Else
    {
        $output.Value = $regItem.$RegName
    }
    $output
}

$regSettings = @()
$regKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SystemDefaultTlsVersions'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SchUseStrongCrypto'

$regKey = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SystemDefaultTlsVersions'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SchUseStrongCrypto'

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'Enabled'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'DisabledByDefault'

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'Enabled'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'DisabledByDefault'

$regSettings

And then you can enable TLS 1.2 with the script below if it is not enabled.
Remember to reboot the server after making changes to the registry.
This script can be used on all Windows 20XX servers.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
If (-Not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'))
{
    New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'))
{
    New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'))
{
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'))
{
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

Write-Host 'TLS 1.2 has been enabled. You must restart the Windows Server for the changes to take affect.' -ForegroundColor Cyan

Exchange Server TLS configuration best practices - Enable TLS 1.2 with PowerShell

This documentation describes the required steps to properly configure (enable or disable) specific TLS versions on Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. The article also explains how to optimize the cipher suites and hashing algorithms used by TLS. If TLS isn't configured correctly, you can face various issues when interacting with Microsoft 365 or other systems, which are configured in such a way that they require a certain minimum TLS standard.

Important

Read carefully as some of the steps described here can only be performed on specific operating systems or specific Exchange Server versions.
At the beginning of each section there is a matrix that shows whether a setting is supported or not and if it has already been pre-configured from a certain Exchange Server version.


Things to consider before disabling a TLS version

Tip

You can use the Exchange HealthChecker script to check the current TLS configuration of your Exchange server.

Please make sure that every application supports the TLS versions, which remain enabled. Considerations such as (but not limited to):
Do your Domain Controllers and Global Catalog servers support, for example, a TLS 1.2 only configuration?
Do partner applications (such as, but not limited to, SharePoint, Lync, Skype for Business, etc.) support, for example, a TLS 1.2 only configuration?
Have you updated older Windows 7 desktops using Outlook to support TLS 1.2 over WinHTTP?
Do your load balancers support TLS 1.2 being used?
Do your desktop, mobile, and browser applications support TLS 1.2?
Do devices such as multi-function printers support TLS 1.2?
Do your third-party or custom in-house applications that integrate with Exchange Server or Microsoft 356 support a strong TLS implementation?

As such we strongly recommend any steps you take to transition to TLS 1.2 and away from older security protocols are first performed in labs which simulate your production environments before you slowly start rolling them out in production.

  • The steps used to disable a specific TLS version as outlined below, will apply to the following: Exchange Server functionalities:Simple Mail Transport Protocol (SMTP)
  • Outlook Client Connectivity (Outlook Anywhere / MAPI/HTTP)
  • Exchange Active Sync (EAS)
  • Outlook on the Web (OWA)
  • Exchange Admin Center (EAC) and Exchange Control Panel (ECP)
  • AutoDiscover
  • Exchange Web Services (EWS)
  • REST (Exchange Server 2016/2019)
  • Use of PowerShell by Exchange over HTTPS
  • POP and IMAP

Prerequisites

TLS 1.2 support was added with Exchange Server 2013 CU19 and Exchange Server 2016 CU8. Exchange Server 2019 supports TLS 1.2 by default.

Exchange Server cannot run without Windows Server and therefore it is important to have the latest operating system updates installed to run a stable and secure TLS implementation.

It's also required to have the latest version of .NET Framework and associated patches supported by your CU in place.

Based on your operating system, make sure that the following updates are also in place (they should be installed if your server is current on Windows Updates):

If your operating system is Windows Server 2012 or Windows Server 2012 R2, KB3161949 and KB2973337 must be installed before TLS 1.2 can be enabled.

Make sure to reboot the Exchange Server after the TLS configuration has been applied. It becomes active after the server was restarted.

Preparing .NET Framework to inherit defaults from Schannel

The following table shows the Exchange Server/Windows Server combinations with the default .NET Framework Schannel inheritance configuration:
Expand table

Exchange ServerWindows ServerSupportedConfigured by default
Exchange Server 2019 CU14 or laterAnyYesYes (new installations only)
Exchange Server 2019AnyYesPartially (SchUseStrongCrypto must be configured manually)
Exchange Server 2016AnyYesNo (OS defaults will be used)
Exchange Server 2013AnyYesNo (OS defaults will be used)

The SystemDefaultTlsVersions registry value defines which security protocol version defaults will be used by .NET Framework 4.x. If the value is set to 1, then .NET Framework 4.x inherits its defaults from the Windows Secure Channel (Schannel) DisabledByDefault registry values. If the value is undefined, it behaves as if the value is set to 0.

The strong cryptography (configured by the SchUseStrongCrypto registry value) uses more secure network protocols (TLS 1.2 and TLS 1.1) and blocks protocols that are not secure. SchUseStrongCrypto affects only client (outgoing) connections in your application. By configuring .NET Framework 4.x to inherit its values from Schannel we gain the ability to use the latest versions of TLS supported by the OS, including TLS 1.2.

Enable .NET Framework 4.x Schannel inheritance

Run the following commands from an elevated PowerShell window to configure the .NET Framework 4.x Schannel inheritance:
1
2
3
4
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord

Enable .NET Framework 3.5 Schannel inheritance

Note

Exchange Server 2013 and later do not need this setting. However, we recommend configuring it identically to the .NET 4.x settings to ensure a consistent configuration.

Run the following commands from an elevated PowerShell window to configure the .NET Framework 3.5 Schannel inheritance:
1
2
3
4
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" -Name "SchUseStrongCrypto" -Value 1 -Type DWord

Steps to configure TLS 1.2

The following table shows the Exchange Server/Windows Server combinations on which TLS 1.2 is supported. The table also shows the default configuration:
Exchange ServerWindows ServerSupportedConfigured by default
Exchange Server 2019AnyYesYes (enabled)
Exchange Server 2016AnyYesNo
Exchange Server 2013AnyYesNo


Enable TLS 1.2

Run the following command from an elevated PowerShell window to enable TLS 1.2 for client and server connections:
1
2
3
4
5
6
7
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.2" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -Value 1 -Type DWord

Disable TLS 1.2

Run the following command from an elevated PowerShell window to disable TLS 1.2 for client and server connections:
1
2
3
4
5
6
7
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.2" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -Value 0 -Type DWord

Steps to configure TLS 1.1

The following table shows the Exchange Server/Windows Server combinations on which TLS 1.1 is supported. The table also shows the default configuration:
Exchange ServerWindows ServerSupportedConfigured by default
Exchange Server 2019AnyYesYes (disabled)
Exchange Server 2016AnyYesNo
Exchange Server 2013AnyYesNo


Enable TLS 1.1

Note

The Microsoft TLS 1.1 implementation has no known security vulnerabilities. But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, it is recommended to carefully plan and disable TLS 1.1. Failure to plan carefully may cause clients to lose connectivity.

Run the following command from an elevated PowerShell window to enable TLS 1.1 for client and server connections:
1
2
3
4
5
6
7
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.1" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "Enabled" -Value 1 -Type DWord

Disable TLS 1.1

Run the following command from an elevated PowerShell window to disable TLS 1.1 for client and server connections:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
<!-- HTML generated using hilite.me --><div style="background: #ffffff; overflow:auto;width:auto;border:solid orange;border-width:.1em .1em .1em .8em;padding:.2em .6em;"><table><tr><td><pre style="margin: 0; line-height: 125%">1
2
3
4
5
6
7</pre></td><td><pre style="margin: 0; line-height: 125%"><span style="color: #007020">New-Item</span> -Path <span style="background-color: #fff0f0">&quot;HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols&quot;</span> -Name <span style="background-color: #fff0f0">&quot;TLS 1.1&quot;</span> -ErrorAction SilentlyContinue
<span style="color: #007020">New-Item</span> -Path <span style="background-color: #fff0f0">&quot;HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1&quot;</span> -Name <span style="background-color: #fff0f0">&quot;Client&quot;</span> -ErrorAction SilentlyContinue
<span style="color: #007020">New-Item</span> -Path <span style="background-color: #fff0f0">&quot;HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1&quot;</span> -Name <span style="background-color: #fff0f0">&quot;Server&quot;</span> -ErrorAction SilentlyContinue
<span style="color: #007020">Set-ItemProperty</span> -Path <span style="background-color: #fff0f0">&quot;HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client&quot;</span> -Name <span style="background-color: #fff0f0">&quot;DisabledByDefault&quot;</span> -Value 0 -Type DWord
<span style="color: #007020">Set-ItemProperty</span> -Path <span style="background-color: #fff0f0">&quot;HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client&quot;</span> -Name <span style="background-color: #fff0f0">&quot;Enabled&quot;</span> -Value 1 -Type DWord
<span style="color: #007020">Set-ItemProperty</span> -Path <span style="background-color: #fff0f0">&quot;HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server&quot;</span> -Name <span style="background-color: #fff0f0">&quot;DisabledByDefault&quot;</span> -Value 0 -Type DWord
<span style="color: #007020">Set-ItemProperty</span> -Path <span style="background-color: #fff0f0">&quot;HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server&quot;</span> -Name <span style="background-color: #fff0f0">&quot;Enabled&quot;</span> -Value 1 -Type DWord
</pre></td></tr></table></div>

Steps to configure TLS 1.0

The following table shows the Exchange Server/Windows Server combinations on which TLS 1.0 is supported. The table also shows the default configuration:
Exchange ServerWindows ServerSupportedConfigured by default
Exchange Server 2019AnyYesYes (disabled)
Exchange Server 2016AnyYesNo
Exchange Server 2013AnyYesNo


Enable TLS 1.0


Note

The Microsoft TLS 1.0 implementation has no known security vulnerabilities. But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, it is recommended to carefully plan and disable TLS 1.0. Failure to plan carefully may cause clients to lose connectivity.

Run the following command from an elevated PowerShell window to enable TLS 1.0 for client and server connections:
1
2
3
4
5
6
7
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.0" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -Value 1 -Type DWord

Disable TLS 1.0

Run the following command from an elevated PowerShell window to disable TLS 1.0 for client and server connections:
1
2
3
4
5
6
7
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.1" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "Enabled" -Value 0 -Type DWord


21 May 2024

Windows 11 with local account during setup

To set up a Windows 11 device without a Microsoft account disabling the internet requirements, use these steps:

Use the "Shift + F10" keyboard shortcut to open Command Prompt on the Windows 11 setup.

Type the following command to disable the internet connection requirement to set up Windows 11 and press Enter:

oobe\bypassnro


07 May 2024

Backup your Entra ID configuration, zip the output and move to a Team or network share with PowerShell

I came across a blogpost over at https://o365reports.com on how to backup your Entra ID configuration.

The EntraExporter tool is a nifty PowerShell module designed to export details of an Entra ID tenant's configuration. It generates JSON files containing information on various objects within the tenant, such as groups, policies, and users.

This tool is useful for capturing point-in-time snapshots of an Entra ID (Azure AD) configuration, which can be invaluable for restoration or analysis purposes. Although it does not support replaying data to recreate objects, having detailed information on hand provides a solid foundation for any necessary recovery operations.

The EntraExporter tool represents a significant step forward in managing and backing up Entra ID configurations, streamlining the process for administrators and IT professionals.


The tool itself creates a lot of files and folders depending on the size of the tenant.
To makes this easier to manage and backup I created a script to write to a temp folder, compress all the output files and move the file to a Teams or file share location.

And here it is:


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# Install-Module EntraExporter -Scope AllUsers -Force
# https://o365reports.com/2023/08/24/entra-exporter-tool-effortlessly-backup-microsoft-entra-id-configurations/

$Module=Get-InstalledModule -Name EntraExporter
if($Module.count -eq 0)
{
 Write-Host EntraExporter module module is not available  -ForegroundColor yellow 
 $Confirm= Read-Host Are you sure you want to install the EntraExporter module? [Y] Yes [N] No
 if($Confirm -match "[yY]")
 {
  Install-Module -Name EntraExporter -AllowClobber -Scope AllUsers -Force
 }
 else
 {
  Write-Host EntraExporter module is required.Please install module using Install-Module EntraExporter cmdlet.
 }
}

Import-Module -Name EntraExporter

Connect-EntraExporter -TenantId yourtenantid
Get-MgOrganization

# Get the current date
$currentDate = Get-Date -Format "yyyy-MM"

# Change to working dir
CD "C:\Temp"
$DestinationPath = "C:\Temp"
$MoveToPath = "C:\Users\Username\Company\Microsoft Entra\Backup\Entra-Export"

# Create a folder with the current date
$folderPath = Join-Path -Path $DestinationPath -ChildPath $currentDate

# Check if the folder already exists
if (-not (Test-Path $folderPath)) {
    New-Item -ItemType Directory -Path $folderPath
    Write-Host "Folder '$currentDate' created successfully."
} else {
    Write-Host "Folder '$currentDate' already exists."
}

Export-Entra -Path "$folderpath" -All

$compress = @{
  Path = "$folderPath"
  CompressionLevel = "Optimal"
  DestinationPath = "$folderPath.zip"
}
Compress-Archive @compress

Move-Item -Path "$folderPath.zip" -Destination $MoveToPath

Remove-item $folderPath -recurse -Confirm:$false

16 February 2024

Adding a SharePoint Site Administrator Group to all Sites

In this blog post, we're talking about a PowerShell script designed to add a group as site collection administrators across all SharePoint Online sites.

Let's break down the PowerShell script:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
# Tenant name
$TenantUrl = "https://yourtenant-admin.sharepoint.com/"

# Get the group ID for the Entra ID group you want to add
$Group = "C:0t.c|tenant|99033653-dxch-4912-83sw-e90117886144"

# Connect to Sharepoint Online Admin site
Connect-SPOService -Url $TenantUrl

# Get all Sharepoint sites
$SPOSites = Get-SPOSite

# Add the group to all sites
foreach ($SPOSite in $SPOSites)

{
Set-SPOUser -Site $SPOSite.Url -LoginName $Group -IsSiteCollectionAdmin $true -WarningAction Stop
Write-Host "Added group $Group as Site Collection Administrator to $($SPOSite.Url)"
}

After this all users added to the group you specified are added as a site collection admin

Of course this can also be done with individual users:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
# Tenant name
$TenantUrl = "https://yourtenant-admin.sharepoint.com/"

# Add a single user as siteadmin to all SPO sites
$User = "username@domain.com"

# Connect to Sharepoint online
Connect-SPOService -Url $TenantUrl

# Get all Sharepoint Online sites
$SPOSites = Get-SPOSite

# Add the user to all sites
foreach ($SPOSite in $SPOSites)
{
Set-SPOUser -Site $SPOSite.Url -LoginName $User -IsSiteCollectionAdmin $true
}


Adjust the following values in the Script:

1. $TenantUrl: Specifies the URL of the SharePoint Online admin site.

2. $Group: Represents the unique identifier of the group (in this case, "Entra ID group") to be added as a site collection administrator.

And there you go, now you can easily switch admins and site admins within all your SharePoint Online sites within one group.
Or add a single user in a fast and consistent way.

22 December 2023

Add a SAN to certificate request into additional attributes - SAN does not show in certificate

Hi, fellow certificate enthusiasts! Today I'm going to show you how to add a Subject Alternative Name (SAN) to a certificate request with certsrv and what you must do in certutil to make the CA accept the SAN. Let's get started.

First, you need to create a certificate request with certsrv. You can do this by opening a web browser and navigating to http://<your CA server>/certsrv. Then, click on "Request a certificate" and choose "advanced certificate request". On the next page, select "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file". This option allows you to upload a certificate request file (.csr) that you have created with another tool, such as OpenSSL.

Now, here comes the fun part. To add a SAN to your request, you need to use the additional attributes field at the bottom of the page. This field allows you to specify any extra information that you want to include in your certificate request. To add a SAN, you need to use the following syntax:

san:dns=<your domain name>

For example, if you want to add a SAN for www.example.com, you would type:

san:dns=www.example.com

You can add multiple SANs by separating them with an ampersand ( & ) like this:

san:dns=www.example.com&dns=example.com

You can even add an ip address

san:dns=www.example.com&dns=example.com&ipaddress=10.0.0.15

Once you have entered your SANs, click on "Submit" and wait for your request to be processed.

But wait, there's more! You're not done yet. You see, by default, the CA will ignore any SANs that you have specified in your request. That's because the CA needs to be configured to accept SANs from certificate requests. To do that, you need to use certutil.

Certutil is a command-line tool that allows you to manage certificates and CAs. You can use it to enable SAN support on your CA by running the following command on your CA server:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

This command will modify the registry value of EditFlags under the policy key of your CA configuration. It will add the flag EDITF_ATTRIBUTESUBJECTALTNAME2, which tells the CA to copy any SANs from the additional attributes field of the request to the certificate.

After running this command, you need to restart the CA service for the changes to take effect. You can do this by running:

net stop certsvc

net start certsvc

And that's it! You have successfully added a SAN to your certificate request with certsrv and enabled SAN support on your CA with certutil.



I hope you enjoyed this post and learned something new. If you have any questions or comments, feel free to leave them below.