Enable BitLocker

Enable BitLocker Drive Encryption in Control Panel or PowerShell.

Start gpedit.msc and navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Enable the following settings:

Require additional authentication at startup
Allow enhanced PINs for startup (OPTIONAL)
Configure minimum PIN length for startup (OPTIONAL)

Then configure the pre-boot PIN in PowerShell.
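The procedure above, carried through in PowerShell as an added example (not code from the original post): it first checks that the startup-authentication policy from the GPO has actually reached the machine, then enables BitLocker on the OS drive with a recovery password, backs that password up to AD DS, and finally adds the TPM + PIN protector. The policy registry path and value names (HKLM:\SOFTWARE\Policies\Microsoft\FVE, UseAdvancedStartup, UseTPMPIN, UseEnhancedPin, MinimumPIN) are assumed to be where the three GPO settings land; the mount point C: is a constructed example.

```powershell
# Added example, not the post's own code. Run elevated on the client.
# Assumption: the GPO settings named in the post are stored under this policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$MountPoint = 'C:'   # constructed example: the OS drive

# 1. Pre-flight: make sure the "Require additional authentication at startup"
#    policy is present, otherwise a TPM+PIN protector will be refused.
$pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
if (-not $pol -or $pol.UseAdvancedStartup -ne 1) {
    throw "Startup authentication policy not applied; run gpupdate /force and retry."
}
# UseTPMPIN: 1 = allowed, 2 = required (assumed mapping); both permit TPM+PIN.
if ($pol.UseTPMPIN -notin 1, 2) {
    throw "TPM+PIN is not allowed by policy (UseTPMPIN = $($pol.UseTPMPIN))."
}
$minPinLength = if ($pol.MinimumPIN) { [int]$pol.MinimumPIN } else { 6 }
Write-Host "Enhanced PINs: $([bool]$pol.UseEnhancedPin), minimum length: $minPinLength"

# 2. The TPM must be owned and ready before a TPM-based protector can be created.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "TPM is not present or not ready; initialise it before enabling BitLocker."
}

# 3. Turn BitLocker on with a recovery password first, so recovery information
#    exists (and can be escrowed) before the drive depends on the TPM+PIN.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
}

# 4. Escrow the recovery password to AD DS (requires the matching GPO / schema).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

# 5. Add the pre-boot PIN. Read-Host -AsSecureString keeps the PIN out of history.
do {
    $pin = Read-Host -Prompt "Enter pre-boot PIN (at least $minPinLength characters)" -AsSecureString
} while ($pin.Length -lt $minPinLength)
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin
}

# 6. Show the result: protection status and the protectors now on the volume.
Get-BitLockerVolume -MountPoint $MountPoint |
    Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector
```

Protection status only becomes "On" after the reboot that the TPM+PIN protector is first used on; check it with Get-BitLockerVolume afterwards rather than trusting the script's last output.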

Monitor CRL freshness

It is vital that the CRL is fresh and available, otherwise your PKI is not healthy. Often I hear that customers create a reminder in their calendar. Even with that kind of effort a PKI outage is quite common, and the reason is a CRL that has expired. I stumbled over this tool, get-crlfreshness. This PowerShell cmdlet, in short…

The trust relationship between this workstation and the primary domain failed

Sometimes, for some reason, this issue occurs. It can be a pain because when you Google it you are advised to follow steps that remove the computer from the domain and then rejoin it. You do not always want to do that. It is much easier to just reset the password for the computer object.…

CertificateServicesClient-CertEnroll EventID 35

I experienced something odd when I ran tests of a new template for a customer. The template is straightforward: a Workstation Authentication template with the Machine template as superseded.

All seemed fine: the Machine-template certificate was removed and the new certificate was issued. But after a reboot of the client, another new certificate was issued, so the client now had two issued certificates from the Workstation Authentication template. After enabling debug logging on the client I found this event:

Source: CertificateServicesClient-CertEnroll

EventID: 35

General: Certificate enrollment for Local system detected that the DNS name in the TEMPLATENAME certificate does not match the DNS name of the local computer. A new enrollment for a TEMPLATENAME certificate will be attempted in 24 hours.

The problem was that the client that was given to me had an underscore (_) in its hostname. That character is not supported in DNS names, so the DNS name in the issued certificate can never match the computer's DNS name and autoenrollment keeps retrying. More information is in this article: https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and.
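Two checks that would have shortened this troubleshooting, as an added example (not the post's own code): a hostname validator that flags characters outside the DNS label rules (underscore included), and a query for CertificateServicesClient-CertEnroll Event ID 35 on the client. The provider name 'Microsoft-Windows-CertificateServicesClient-CertEnroll' and the Application log as its destination are assumptions; 'WS_LAB01' is a constructed hostname.

```powershell
# Added example, not from the original post.
function Test-DnsHostName {
    # Returns whether a hostname is a valid DNS label (RFC 952/1123 rules:
    # letters, digits and hyphen only, no leading/trailing hyphen, max 63 chars)
    # and which characters violate that rule.
    param([string]$Name = $env:COMPUTERNAME)
    $isValid = $Name -match '^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$'
    $bad = $Name.ToCharArray() |
        Where-Object { $_ -notmatch '[A-Za-z0-9-]' } |
        Select-Object -Unique
    [pscustomobject]@{
        HostName        = $Name
        IsValidDnsLabel = $isValid
        InvalidChars    = (-join $bad)
    }
}

function Get-CertEnrollDnsMismatch {
    # Lists Event ID 35 ("DNS name in the certificate does not match") entries
    # from the last $Days days. Assumption: CertEnroll writes to the Application
    # log under the provider name below.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
        Id           = 35
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Local machine, then the constructed hostname from the post's scenario.
Test-DnsHostName
Test-DnsHostName -Name 'WS_LAB01'   # IsValidDnsLabel = False, InvalidChars = '_'

# Any hit here on a machine with an invalid hostname explains duplicate
# Workstation Authentication certificates: enrollment retries every 24 hours.
Get-CertEnrollDnsMismatch -Days 30
```

Running Test-DnsHostName against a list of computer names exported from AD (for example the output of Get-ADComputer) is a cheap way to find every machine that will hit this event before the template is rolled out.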