Corporate Windows 10 devices pointing to WSUS

If you're not on Twitter, get on Twitter.

Famous words from @samilaiho, and you know why?
Because of tweets like these:

You should check your settings as this is a common error and can prevent a lot of nasty problems.

When Windows is pointed at a WSUS server, it stops trying to repair corrupted components from Microsoft servers.

Check the whole thread here:
https://twitter.com/SwiftOnSecurity/status/1561827619242475521

Install RSAT for Windows Server 2019 and Windows 10 with PowerShell

Windows Server 2019

Run the cmdlet below with the -whatif switch to check what will is allready installed and will be installed:

Install-WindowsFeature -IncludeAllSubFeature RSAT -WhatIf
Get-WindowsFeature -Name RSAT* | where 'install state' -NE Installed

To install all the tools run the cmdlet below:

Install-WindowsFeature -IncludeAllSubFeature RSAT
Or
Install-WindowsFeature -Name RSAT -IncludeAllSubFeature -IncludeManagementTools

Windows10

Check whether RSAT components are installed on your computer:

Get-WindowsCapability -Name RSAT* -Online

View the status of installed RSAT components in a easy view:

Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State

You can use the Add-WindowsCapacity cmdlet to install these Windows features.
To install a specific RSAT tool, such as AD management tools (including the ADUC console), run the command:

Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0”

To install the DNS management console only, run:

Add-WindowsCapability –online –Name “Rsat.Dns.Tools~~~~0.0.1.0”

And all the other single install options:

Add-WindowsCapability -Online -Name Rsat.FileServices.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.IPAM.Client.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.LLDP.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.NetworkController.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.NetworkLoadBalancing.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.CertificateServices.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.DHCP.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.FailoverCluster.Management.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.RemoteAccess.Management.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.RemoteDesktop.Services.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.ServerManager.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.Shielded.VM.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.StorageMigrationService.Management.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.StorageReplica.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.SystemInsights.Management.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.VolumeActivation.Tools~~~~0.0.1.0
Add-WindowsCapability -Online -Name Rsat.WSUS.Tools~~~~0.0.1.0

To install all the available RSAT tools at once, run:

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability –Online

To install only disabled RSAT components, run:

Get-WindowsCapability -Online |? {$_.Name -like "*RSAT*" -and $_.State -eq "NotPresent"} | Add-WindowsCapability -Online

If installing RSAT you encounter an error Add-WindowsCapability failed.
Error code = 0x800f0954, most likely your computer is configured to receive updates from the internal WSUS or SUP server.

To install RSAT components, you need to temporarily disable the update from the WSUS server in the registry.
Open the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU and change the UseWUServer to 0 and restart the Update Service.

Or run this script:

$currentWU = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" | select -ExpandProperty UseWUServer
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" -Value 0            
Restart-Service wuauserv            
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability –Online            
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" -Value $currentWU
Restart-Service wuauserv

Microsoft Store - Something happened on our end

Look familiar?

Probably a policy is preventing you from accessing the Microsoft store downloads.
Quick fix:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000000

Allow workgroup machine to administer Hyper-V server

Got a Windows 10 machine running in a workgroup but want to administer a Hyper-V server(s)



Enable PSRemoting on the Windows 10 machine:

Enable-PSRemoting

Then enable CredSSP on my Hyper-V server:

Enable-WSManCredSSP –Role Server
Add the Hyper-V server to the TrustedHosts list on the Windows 10 machine:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "HV-Host"
Enable CredSSP on the Windows 10 machine:

Enable-WSManCredSSP -Role client -DelegateComputer "Windows10Client"
Or to allow everything:
Run this in an elevated PowerShell Session:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*'

Change Hyper-V Network Category from Public to Private and from Private to DomainAuthenticated with Powershell

This is one of those things that you can do multiple ways.
In my case however the normal routine of changing the network category type from Public to Private didn't work because my machine is domain joined.

When trying to create a HomeGroup you get this on a domain joined machine:

So PowerShell saves the day once again.
First see what adapters you have and what their current category is:

Get-NetConnectionProfile

Name             : Unidentified network
InterfaceAlias   : vEthernet (Internal Virtual Switch)
InterfaceIndex   : 8
NetworkCategory  : Public
IPv4Connectivity : NoTraffic
IPv6Connectivity : NoTraffic

Then set the adapter to category private:

Set-NetConnectionProfile -InterfaceIndex 8 -NetworkCategory Private

Check the settings:

Get-NetConnectionProfile

Name             : Unidentified network
InterfaceAlias   : vEthernet (Internal Virtual Switch)
InterfaceIndex   : 8
NetworkCategory  : Private
IPv4Connectivity : NoTraffic
IPv6Connectivity : NoTraffic

And from Private to Domain:

Check the current settings:

Get-NetConnectionProfile

Name             : Network
InterfaceAlias   : vEthernet (External V-Switch)
InterfaceIndex   : 17
NetworkCategory  : Private
IPv4Connectivity : LocalNetwork
IPv6Connectivity : LocalNetwork

Set to DomainAuthenticated:

Set-NetConnectionProfile -InterfaceIndex 17 -NetworkCategory DomainAuthenticated

Then restart the Network Location Awereness Service (NLA):

Restart-Service -Name NlaSvc -Force

And check again:

Get-NetConnectionProfile

Name             : domain.lan
InterfaceAlias   : vEthernet (External V-Switch)
InterfaceIndex   : 17
NetworkCategory  : DomainAuthenticated
IPv4Connectivity : Internet
IPv6Connectivity : Internet

Start Menu locations - Or add a simple Start Menu yourself without 3rd party tools

I keep forgetting the path to the Start Menu:

"C:\Program Data\Microsoft\Windows\Start Menu\Programs"

This is the same for Windows 7 up to Windows 10, and for Server 2012 to Server 2016.

But, wouldn't it be nice to have some sort of start menu without installing some malware/spyware infested tool? Then this quick fix is for you:

• Display "Hidden items" on your C: Drive.
• Open File Explorer and browse to your C: Drive. 
• On the View tab, check the "Hidden items" checkbox.
• Add a New Toolbar on your Taskbar.
• Right-click on a blank area of your Taskbar and select Toolbars > New Toolbars.
• Browse to the Start Menu\Programs folder.
• In the New Toolbar dialog box, browse to the "C:\Program Data\Microsoft\Windows\Start Menu\Programs" folder. 
• Click the "Select Folder" button.
• Click the "Select Folder" button to add the new Toolbar to your Taskbar.

Here's what it looks like:

Windows 10 Store not opening

When clicking the Store app in Windows 10 (version 1607) nothing happens.
This could be because of the anniversary update.

There are several method to resolve this, for me number 4 worked.

Possible solution 1

Right-click the start button, select "Command prompt (Admin)" and type wsreset.exe. Didn't work for me, I was getting: "You'll need a new app to open this ms-windows-store".

A possible error that you can get is this:

Possible solution 2

Start an elevated PowerShell:

Set-ExecutionPolicy Unrestricted -Force

And then
Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\WinStore\AppxManifest.XML

Didn't work for me either. I got this:Cannot find path 'C:\WINDOWS\WinStore\AppxManifest.XML' because it does not exist.
I simply had no "WinStore" folder in my "C:\Windows". Possibility for this is that the WinStore folder is located in "C:\Program Files\WindowsApps"

Possible solution 3

Start an elevated PowerShell:
Set-ExecutionPolicy Unrestricted -Force

For me it was this that worked:

Get-AppXPackage | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

For others it could be this:

Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Finally, it worked.

If none of the above solutions works for you - create a new administrator user and repeat the steps under the new account. You will have to transfer all the existing data to the new user profile from the old one.

To remove the Store completely:

Get-AppxPackage -AllUsers | Remove-AppxPackage

Find the Windows Store Location:

Get-AppxPackage -AllUsers

To reinstall the Windows 10 Store:

Add-AppxPackage -DisableDevelopmentMode -Register "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\AppXManifest.xml"

PSGallery and NuGet on WIndows 10 build 1607 (Anniversary Edition)(OneGet)

Since the Windows 10 anniversary edition things have change a little for NuGet. (OneGet)
The new way to add a repository is this:

PS C:\> Get-PackageSource

 Name                             ProviderName     IsTrusted  Location
----                             ------------     ---------  --------
PSGallery                        PowerShellGet    False      https://www.powershellgallery.com/api/v2/

 
 PS C:\> Set-PackageSource -Name PSGallery -Trusted

 Name                             ProviderName     IsTrusted  Location
----                             ------------     ---------  --------
PSGallery                        PowerShellGet    True       https://www.powershellgallery.com/api/v2/

 
 PS C:\> Get-PackageProvider -Name Chocolatey

 The provider 'chocolatey v2.8.5.130' is not installed.
chocolatey may be manually downloaded from https://oneget.org/ChocolateyPrototype-2.8.5.130.exe and installed.
Would you like PackageManagement to automatically download and install 'chocolatey' now?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y

 Name                     Version          DynamicOptions
----                     -------          --------------
Chocolatey               2.8.5.130        SkipDependencies, ContinueOnFailure, ExcludeVersion, ForceX86, PackageSaveMode, FilterOnTag, Contains, AllowPrereleaseVersions, ConfigFile, SkipValidate

 
 PS C:\> Set-PackageSource -Name Chocolatey -Trusted

 Name                             ProviderName     IsTrusted  Location
----                             ------------     ---------  --------
chocolatey                       Chocolatey       True       http://chocolatey.org/api/v2/

 
 PS C:\> Get-PackageSource

 Name                             ProviderName     IsTrusted  Location
----                             ------------     ---------  --------
PSGallery                        PowerShellGet    True       https://www.powershellgallery.com/api/v2/
chocolatey                       Chocolatey       True       http://chocolatey.org/api/v2/

 
 PS C:\> Find-Package -Name Firefox

 The provider 'nuget v2.8.5.208' is not installed.
nuget may be manually downloaded from https://oneget.org/Microsoft.PackageManagement.NuGetProvider-2.8.5.208.dll and installed.
Would you like PackageManagement to automatically download and install 'nuget' now?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y

 Name                           Version          Source           Summary
----                           -------          ------           -------
Firefox                        50.0.1           chocolatey       Bringing together all kinds of awesomeness to make browsing better for you

 
 PS C:\> Find-Package -Name Adobe

 Name                           Version          Source           Summary
----                           -------          ------           -------
adobereader                    2015.007.20033   chocolatey       Adobe Reader - View and interact with PDF files
AdobeAIR                       23.0.0.257       chocolatey       Adobe AIR runtime is necessary for AIR based applications.
adobeshockwaveplayer           12.2.4.197       chocolatey       Displays Web content that has been created by Adobe Director
adobereader-update             15.017.20053.1   chocolatey       Adobe Reader - View and interact with PDF files
adobe-creative-cloud           1.0              chocolatey       Adobe Creative Cloud Client Installer for installing creative cloud subscription applications
simnetsa-adobereader-fr        11.0.7           chocolatey       Le logiciel Adobe Reader est la norme internationale libre, permettant de visualiser, imprimer et commenter des documents PDF
BR.AdobeReaderFR               11.0.09          chocolatey       BR.AdobeReaderFR

 
 PS C:\>

Top 30 Quick reminders for SysOps

Came across this over at gfi.com/blog, this is just here for my own quick sneak and peek.
But if you have more quick wins, tips or oneliners let me know and i'll add them.

Networking

1. netsh int ip reset all will reset your NIC back to DHCP quickly, blanking out all static settings.
2. net use will show you all open SMB connections on your machine.
3. If you need to grab a quick network capture, but aren’t allowed to install Wireshark or another similar tool, open an admin command prompt and run netsh trace start capture=yes tracefile=c:\capture.etl to create a file you can open in Wireshark or Netmon later. Use netsh trace stop to end the capture.
4. If you just need to know what is happening, but not capture a trace, use netstat as a poor man’s packet analyzer. netstat –ano 1 | findstr X will update once a second and highlight whatever you replace X with, like :443 or SYN_SENT or the destination ip.addr you are trying to confirm your machine is attempting to communicate with.
5. netstat –e can give you a quick diagnosis of layer 2. Watch out for high or increasing numbers of errors.
6. Grab the TCPING utility from http://www.elifulkerson.com/projects/tcping.php and use it to monitor not just when a server reboots, but when a service is back up. Try tcping –t –b 2 addr 3389 when you reboot a Windows server. It will start to use your default beep sound when the service starts responding to SYN requests, so you know you can RDP back into the box after a reboot.
7. Use netstat –r to dump your IP routing table so you can see if everything goes to the default gateway, or somewhere unexpected.
8. Download BIND for Windows from https://www.isc.org/downloads/# and use the Windows ports of DIG and HOST to do DNS queries.
9. And if you like DIG and HOST, grab the whois port from https://technet.microsoft.com/en-us/sysinternals/bb897435 to do command line lookups of domain names and IP networks.

Active Directory

10. netdom query fsmo will list all the Flexible Single Master Operations members in your domain, so you can find the PDC emulator, schema master, etc.
11. repadmin /replsummary will give you a quick status on AD replication. It will also let you know if you cannot reach a domain controller from the machine on which you run the command.
12. repadmin /syncall will trigger an AD replication so you don’t have to wait.
13. net accounts will list the domain security policy.
14. gpresult /v will dump all the Group Policy Object settings affecting you and the machine you’re on.
15. whoami and whoami /groups will confirm your AD account and group memberships.
16. set l will let you know what domain controller authenticated you, or if you are running with cached credentials.

Windows

17. Use the Windows+Arrow Keys to move windows around, including both half- and quarter-monitor views.
18. Windows+Tab to bring up a quick preview of all running applications.
19. Windows+X brings up the Quick Access Menu.
20. Windows+P brings up projection options for when you connect to a second monitor or projector.
21. Windows+number will launch whatever app is in that numeric position, from left to right, on your taskbar.
22. CTRL+SHIFT+P launches an “In Private” session of Internet Explorer.
23. Use the Problem Steps Recorder to automatically capture screenshots of a process or procedure. It’s great for documentation and training too. Windows+R, PSR, Enter!
24. Run powercfg –h off to turn off hibernation, and buy back several GB of disk space by dropping the hiberfil.sys file that is just taking up space on your hard drive.
25. Look up most error codes at the command prompt by downloading the Microsoft ERR tool and saving it in your path.
26. All the Sysinternals command-line tools can be executed from the web using \\live.sysinternals.com\tools\toolname*. Check out http://live.sysinternals.com/ for all the tools that are there.

PowerShell

27. If you are not sure of a command, run get-command *something* to get a list of appropriate commands.
28. Use get-help command to get help on a command. –full gives you everything, -examples just lists some examples, and –online brings up the online help.
29. PowerShell v4 and later has copy and paste already turned on, and can use the highlight, CTRL-C, CTRL-V just like any other Windows app.
30. There are 155 aliases in PowerShell v5, making cmdlets from DOS and Linux available to you in PowerShell. Run alias to see all the ones that are built-in, and use the alias command to create your own.

Disable SSL 3.0, Weak Ciphers and enable TLS 1.1 and 1.2

Windows Server 2008 (R2) using IIS 7 allows SSL 2.0 and SSL 3.0 by default. Unfortunately, this means you will fail a PCI Compliance scan by default. To properly secure your server and ensure that you pass your PCI-DSS scans, you will need to disable SSL 2.0 and disable weak ciphers. In order to disable SSL 2.0 and SSL 3.0 in IIS 7 and make sure that the stronger TLS 1.0 is used, even better enable TLS 1.1 and TLS 1.2.

Below you can find how to disable SSL 3.0 and the weak Ciphers, and enable TLS 1.1 and TLS 1.2.

Remember that this only works after a server reboot, stopping services or IIS is not enough

UPDATE: 27-05-2016 I found an error in the registry key settings, below are the correct settings.

Disable SSL3.0. and Weak Ciphers and Enable TLS 1.1 and 1.2

Copy the text below and paste in to a .reg file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

Change cipher order and remove unsafe ciphers:

Open gpedit.msc =>> go to Administrative Templates =>> Network =>> SSL Configuration Settings =>> double click SSL Cipher Suite Order.



In the SSL Cipher Suite Order screen select "Enabled" and under options select and delete everything in that text field.



Then copy this line in that text field:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

Click "Apply" and "OK".

Now you have to reboot the server in order to activate these changes,
After the reboot go to https://www.ssllabs.com/ssltest/ and see if you get any errors or warnings.

Another way to do this is by using IISCrypto by Nartac Software, this freeware does the same but in a GUI. But for some reason it didn't do what i axpected it to do, so this way you can do it manually.

How to Microsoft LAPS Local Administrator Password Solution

This is something I implemented at our company.
It's pretty straight forward, if you get the access rights right.

Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as help-desk administrators, are authorized to read passwords.
Compromised identical local account credentials could allow elevation of privilege if an attacker uses them to elevate from a local user/administrator to a domain/enterprise administrator. Local administrator credentials are needed for occasions when logon is required without domain access. In large environments, password management can become complex, leading to poor security practices, and such environments greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack.
LAPS simplifies password management while helping customers implement recommended defenses against cyber-attacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.

This part came from PeteNetLive, and worked like a charm:

Download LAPS from here

Install Laps on a DC with all the options. (if you apply the defaults it will only install the GPO Extensions), which is what you would want on the 'controlled machines'.

Install the LAPS software to the target machines, in fact it's just a copy of some files.

msiexec /i \\Server\Share\laps.x64.msi /quiet

or
msiexec /i c:\laps.x64.msi /quiet

Extend Active Directory Schema:

On the management machine run the following two PowerShell commands, to add the two new attributes to Active Directory.

Import-Module AdmPwd.PS
Update-AdmPwdADSchema 

Check/Set Permissions to Read Local Admin Passwords

grant the rights to the computers themselves to be able to update the password in Active Directory. (If you have nested OU's, simply apply on the top level OU). Change the value in red to suit your own OU/OU's.

Set-AdmPwdComputerSelfPermissions -OrgUnit 'Domain Computers'

To see who has rights to view the passwords in AD (for a given OU), use the following command. Below you can see the default of SYSTEM and Domain Admins is displayed.

Find-AdmPwdExtendedRights -Identity 'Domain Computers'

To grant read password permissions to a particular group, use the following syntax, below I have an AD group called HelpDesk setup and I'm adding them into the AD ACL to be able to read local administrator passwords for the Domain Computers OU.

Set-AdmPwdReadPasswordPermissions -Orgunit 'Domain Computers' -AllowedPrinciples PeteNetLive\HelpDesk

Note: If you have multiple groups you can separate/delimit them with a comma.

Deploy the GPO Extensions to 'Controlled' Machines

On the management machine, create a new GPO object, and link it to the OU containing the computers/servers you want to apply the password settings to.

Edit the GPO.

Navigate to:

      

Computer Configuration > Policies > Administrative Templates > LAPS

The policy that turns LAPS on is the last one 'Enable local admin password management' > Enable it.

The actual complexity and age of the password is set in the 'Password Settings' policy, > Enable it and accept the defaults.
Note: the other two policies are;
Name of the administrator account to manage: Use if you you have manually created another common admin account on all your machines NOT if you have renamed the local administrator account.
Do not allow password expiration time longer than required by policy: Set to Enabled.

View the Local Admin Passwords for Controlled Machines.

1. You can do this from PowerShell with the following command;

Get-AdmPwdPassword -ComputerName hostname

Or if you have installed the Fat client, you can launch that from;

C:\Program Files\LAPS\AdmPwdUI.exe

Or as it's an AD object attribute, you can view it on the Computers AD object.

Source 1
Source 2