Latest posts

Securing GlobalProtect

Out of the box, you can’t just add a Security Profile to the interface that runs GlobalProtect. Fortunately, there’s a relatively easy way to do it with minimal impact to your existing GlobalProtect setup.

In this post, I will show you step-by-step how to secure GlobalProtect by adding protection with a Vulnerability Protection Profile or a Security Profile Group to an already existing GlobalProtect setup by using a loopback interface.

The Process

  • Log in to the Palo Alto Networks Firewall
  • Click on Objects
  • Click on Addresses
  • Add a new address for your loopback address

I will be using the address 192.168.187.2 for this example.

  • Click on Network
  • Click on Zones
  • Add a new Zone. I will be using the name GP-WAN. (This zone will be the zone allocated to the GlobalProtect loopback interface later on.)
    • Set the Type to Layer3
    • Select your Zone Protection Profile. In my case, I will use the one called Recommended_Zone_Protection
    • Select the option to Enable Packet Buffer Protection.
  • Click on Interfaces
  • Click on Loopback

Registry Check Setter

In the past, I’ve made a few one-off PowerShell scripts to set various registry settings. I find myself needing to do this more and more. I’ve always just forced my registry settings with no regard to whether the settings were already correct.

A perfect example of this is my PowerShell script to Disable Auto Windows Updates.

While this method works, I felt like it could be better. I decided to make a brand new script that would be less forceful and more modular and use functions and parameters.

This resulted in the creation of the PowerShell script that I call the Registry Check Setter.

The PowerShell script enables you to set multiple registry settings very easily while checking if the settings are already correct or not.

You can find the script on my GitHub: https://github.com/thedxt/Registry-Check-Setter

How It Works

The script starts by checking if the registry key path exists. If the key path doesn’t exist, the script considers it safe to just set the settings and sets them. If the key path does exist, the script then moves on to checking if the registry value name exists.

If the registry value name is not found in the registry key path, the script then creates the value with the needed setting and exits. If the registry value name exists, the script then checks if the registry value name setting is correct.

If the registry value name setting is not correct, the script then changes the setting to make it correct and then exits.

An example of this would be if I was trying to prevent a Windows 10 system from upgrading to Windows 11 and I wanted to turn off auto updates.

To lock the system to Windows 10 the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate needs a registry value named ProductVersion that is a String with a setting of Windows 10.

To lock the system to a specific feature update of Windows 10 the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate needs a registry value named TargetReleaseVersionInfo that is a String with a setting of 22H2.

To enable locking the system to Windows 10 22H2 the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate needs a registry value named TargetReleaseVersion that is a DWord with a setting of 1.

To turn off auto updates the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU needs a registry value named NoAutoUpdate that is a DWord with a setting of 1.

Yes, I could just force the settings to be correct but if I run the script multiple times it constantly changes the settings and doesn’t take into account if the Windows Update service is running. If the Windows Update service is already running these settings won’t properly take effect until the Windows Update service is restarted or the whole system is rebooted.

My thought process is you could combine the results of the Registry Check Setter to have another script take action.
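As an added illustration of the check-then-set flow described above (my own example, not the author's Registry Check Setter script), the function below walks the same three checks, returns a status string for each setting, and only touches the Windows Update service when something actually changed. The function name, the status strings and the service restart are my assumptions.

```powershell
# Added example (not the author's script): set a registry value only when the key
# path, the value name or the value data is missing or wrong, and report what was done.
function Set-RegistryValueChecked {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('String', 'DWord', 'QWord', 'ExpandString', 'MultiString', 'Binary')]
        [string] $Type = 'DWord'
    )

    # 1. Key path missing: safe to create the path and write the value straight away.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
        return 'PathCreated'
    }

    # 2. Key path exists but the value name does not: create only the value.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
        return 'ValueCreated'
    }

    # 3. Value exists: compare its data and change it only when it differs.
    if ($item.$Name -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
        return 'ValueChanged'
    }
    return 'AlreadyCorrect'
}

# The four settings from the post: lock to Windows 10 22H2 and turn off auto updates.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$results = @(
    Set-RegistryValueChecked -Path $wu      -Name 'ProductVersion'           -Value 'Windows 10' -Type String
    Set-RegistryValueChecked -Path $wu      -Name 'TargetReleaseVersionInfo' -Value '22H2'       -Type String
    Set-RegistryValueChecked -Path $wu      -Name 'TargetReleaseVersion'     -Value 1            -Type DWord
    Set-RegistryValueChecked -Path "$wu\AU" -Name 'NoAutoUpdate'             -Value 1            -Type DWord
)
$results

# Example follow-up action (assumption): restart the Windows Update service only when a
# setting changed, so repeated runs leave an already-correct system alone.
if ($results | Where-Object { $_ -ne 'AlreadyCorrect' }) {
    Restart-Service -Name wuauserv -ErrorAction SilentlyContinue
}
```

Running it twice should show all four results as AlreadyCorrect on the second run, which is the behaviour the post contrasts with simply forcing the values every time.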

Intune Device Filters

As the end of Windows 10 starts creeping up, we have to adapt some of our methods to support mixed environments with Windows 10 and Windows 11.

Most settings in Microsoft Intune aren’t specific to Windows 10 or Windows 11, but some settings are specific to the version. For example, one of them is the Windows Start Menu. Windows 10 uses an XML file and Windows 11 uses a JSON file. Technically there’s no impact if you deploy those settings to either version of Windows, but that might not always be the case. It’s a better idea to only target the intended version of Windows.

A way that I like to handle this is with Intune Device Filters. In this post, I’ll show you step-by-step how to create Device Filters for Windows 10 and Windows 11 in Microsoft Intune.

The Process

  • Log in to Microsoft Intune admin center
  • Click on Devices
  • Click on Filters
  • Click on Create > Managed devices
  • Give your Filter a name. Like Windows 10 or Windows 11.
  • Set the Platform as Windows 10 and later

Install vCenter

VMware vCenter is a wonderful application that lets you take full advantage of your ESXi hosts. If you have more than one ESXi host you should look at vCenter. The full name of vCenter is vCenter Server Appliance or VCSA.

In this post, I will show you step-by-step how to install vCenter 8. The process is broken up into two stages. Stage 1 is the deployment of the vCenter VM and Stage 2 is the final settings for the vCenter VM.

The Process

Stage 1

  • Using a system that has access to the ESXi host you plan to use to create the vCenter VM, download the vCenter ISO from VMware.
  • Mount or extract the ISO. I’m going to mount it.
  • Browse to \vcsa-ui-installer\win32 and run Installer.exe
  • Select Install

The next screen is the intro screen which lets you know that the process will be in two stages. The first stage is deploying the VM and the second stage is the final settings for the vCenter VM.

HPE iLO Firmware Upgrade

HPE iLO (Hewlett Packard Enterprise Integrated Lights-Out) is a wonderful tool when your servers are remote. It’s important to keep it up to date, as an iLO that is not properly secured could be a risk of compromise to your environment.

In this post, I’ll show step-by-step how to update the HPE iLO firmware on your server. This will cover iLO 5 specifically; however, older versions of iLO will follow a similar process.

The Process

  • Download the latest iLO firmware from HPE.
  • Log in to iLO.
  • Click on Firmware & OS Software
  • Click Update Firmware
  • Select the iLO firmware file you downloaded from HPE.

If you have a TPM you will see a warning saying CAUTION: Suspend or back up any software that uses the installed TPM or TM, or risk losing your data. Select the Confirm TPM override check box to proceed.

Double-check your OS documentation to see if there is a risk of data loss and if you should be disabling items like BitLocker first.

It’s normal to not see this if you don’t have a TPM. If all is safe then select Confirm TPM override.

New Teams Desktop Shortcut

Microsoft has stopped deploying the original version of Microsoft Teams (now called Microsoft Teams Classic) with new Microsoft 365 apps installs. I’ve been using New Microsoft Teams for quite a while now and I honestly can’t tell the difference between the two anymore.

An issue I do have with New Teams is that it doesn’t seem to place a shortcut on the desktop. Having a desktop shortcut for Microsoft Teams is great for shared computers like meeting rooms.

In this post, I’ll show you step-by-step how to deploy a desktop shortcut for New Teams and I will show you how I figured it out as there seems to be very little documentation about this.

The Discovery

If you search around for how to make a desktop shortcut for New Teams you will find a large number of posts saying to run shell:AppsFolder and just drag the New Teams Icon to the desktop. While this process does technically work, I don’t like it. It looks ugly and always seems to use your account’s accent color as the background color.

Shortcut to New Teams via shell:AppsFolder and the normal shortcut to Teams Classic

If you look at the details of the shortcut created via the shell apps folder way, it points to the UWP ID of New Teams and thankfully not just the version. I suspect this method is perfectly fine. However, I don’t like it.

Details of the shortcut for New Teams via shell:AppsFolder method

A neat thing with UWP apps is that they sometimes have a URI (Uniform Resource Identifier) defined. When CVE-2022-30190, the Microsoft Support Diagnostic Tool vulnerability aka the Follina exploit, was very active, one of the early mitigations was to disable the URI for ms-msdt by deleting the registry key for it, which is located at HKEY_CLASSES_ROOT\ms-msdt. If you go digging around in HKEY_CLASSES_ROOT there are a lot of interesting things in there, like other applications that also use URIs, such as both versions of Microsoft Teams.

Registry entries for the URIs for Teams

If you’ve used the web version of Microsoft Teams or clicked on a Teams meeting link and ended up opening it in a web browser then you’ve run into the Teams web launcher.

New Teams Mass Install Script

New Teams is a UWP (Universal Windows Platform) app and that presents its own challenges when it comes to system-wide mass installs.

If you download the MSIX directly and install it, it actually tricks you into thinking it’s installed for all users, but in reality it is only installed for the user that downloaded and installed it. This is why no local admin is needed to install it.

In this post, I will show how my new Teams mass install PowerShell script works.

Microsoft has provided a way to bulk install new Teams for all users and I’ve adapted the Microsoft method to be a bit more modular and make it always current.

The official method to bulk install new Teams is to use the Teams bootstrapper and run teamsbootstrapper.exe -p which will download the latest version of the new Teams MSIX and install it for all users. This used to be the only method for deployment.

Microsoft has since updated the new Teams bootstrapper to support an offline install, allowing you to specify the location of the new Teams MSIX instead of downloading it. This is done with the argument -o.

Rather than just using the new Teams bootstrapper to download and install the latest version of new Teams, I decided to make the script download the latest version of the new Teams MSIX itself, as this allows for more verbosity. You could also adapt the script to use a UNC path or an alternate location instead.

The goal of the script is to always be current and to be used with various deployment methods such as RMMs.

For the toggle for new Teams to work correctly in classic Teams, you need to make sure you have a compatible version of classic Teams installed. An easy way to do that is to use my Teams Machine Wide Install update script. Doing so will make sure everyone has a version of classic Teams that allows for toggling to new Teams.

The Script

The script is only intended to be run on Windows 10 or Windows 11 systems. It is not intended to be run on Windows Servers as some versions have very different install methods for new Teams.

Delete Microsoft 365 Tenant

There are various reasons why you may need to delete a Microsoft 365 tenant. The most common one I run into is after a corporate merger or acquisition. In this post, I will show step-by-step how to delete a Microsoft 365 tenant.

Prerequisites

  • All invoices are paid
  • All domains are removed other than the CompanyName.onmicrosoft.com domain name
  • All users are deleted and also removed from Deleted users, except for one Global Admin.
  • All App registration and Enterprise applications are deleted.
  • No Azure subscriptions.
  • All licenses are deleted and removed.

Completing all of those prerequisites will take time, and sometimes things get stuck, but it is possible to complete all of them.

The Process

  • Log in to Entra admin center
  • Click on Identity > Overview
  • Click on Manage tenants
  • Select the tenant and click Delete
  • It will check if the tenant can be deleted.

Saved Browser Passwords

It’s super convenient to save your passwords to your web browser but it isn’t very secure. In this post, I will show you step-by-step how to easily reveal a saved browser password.

Normally, if you want to view a saved password you need to go into settings and click on it, then enter the password of the logged-in user account to view it. This isn’t always true; let me show you how to get around this.

The Process

  • Go to any website that has the login credentials saved.
  • Right-click on the password field and select inspect or just inspect the whole page.
  • Find the line for the password field; it should show up as type="password"

Control Microsoft 365 Group Creation

Controlling who can and can’t create Microsoft 365 groups can be a very powerful tool. In this post, I will detail step-by-step how to prevent users from creating Microsoft 365 groups unless they are members of a specific security group.

Prerequisites

  • Microsoft Entra ID P1 or P2 is needed for the users who are allowed to create groups. (The old name was Azure Active Directory Premium P1 or P2)
  • Microsoft Graph Beta Installed.

The Process

  • Log in to Microsoft Entra admin center
  • Click on Groups > All Groups
  • Click on New group
  • Make sure the Group type is set to Security.
  • Give your group a name. In my example, I will use the name Group Creators.
  • Add anyone that you want to have the power to create Microsoft 365 Groups to the security group you just created.
  • Open PowerShell ISE.
  • Copy the script from Microsoft here.
  • On line 6 enter the name of the security group you just created. In my case, that group is called Group Creators.

The beginning of the script should look something like this.

Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

$GroupName = "Group Creators"
$AllowGroupCreation = "False"

$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id