You need an enterprise grade client management tool

I still see enterprises trying to go simple with their Windows clients: somehow deploying Windows 10, applying GPOs and just using WSUS to apply updates. But this leaves many points open in the management of the client ecosystem. Firmware settings: The new Windows 10 guards depend heavily on virtualization technologies, so beyond TPM 2.0, UEFI and […]

VMware Workstation Pro Tech Preview 2017

VMware Workstation Pro Tech Preview 2017 is available. But even though it now supports Virtualization Based Security (VBS) features in Windows 10 guests, it still can’t be used on VBS-enabled Windows 10 hosts. So, in enterprises, VMware-based VMs still need to be converted into Hyper-V-based VMs.

Extend Configuration Manager Hardware Inventory with INTEL-SA-00075 discovery information

Intel discovery tool
Download the Intel discovery tool: https://downloadcenter.intel.com/download/26755
If the Intel-SA-00075-console.exe is executed with ‘-c’ it creates registry entries for the scan result, e.g.
Extend hardware inventory
I used RegKeytoMOF 3.3 (credits to Mark Cochrane – with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker) to create the mof-files to extend the […]

Credential Guard w/o Hyper-V Hypervisor? – NO!

Starting with Windows 10 1607, the pre-installation of Hyper-V Hypervisor for Credential Guard is no longer necessary (see Protect derived domain credentials with Credential Guard). After activating Credential Guard via GPO or registry, the process lsaIso.exe is running. Msinfo32 shows Credential Guard activated and a hypervisor is detected. But Windows Features shows Hyper-V Hypervisor not […]

Virtualization Based Security vs. Thunderbolt DMA attacks

Direct Memory Access (DMA) attack
DMA: Allows I/O devices to transfer data directly to or from memory without having the data handled by the CPU
DMA controller (DMAC): Defines the operational mode interactions with CPU (system bus). DMAC does not control access to memory areas
First party DMA: Peripherals can have their own DMAC, […]

Using Windows 10 internal rings in Workplaces changes

After the internal ring concept is implemented, it should be used for processing all changes in Workplace configuration: settings, standard applications, quality updates and feature updates.
GPO: To test new settings in the rings, run ring-specific settings in separate GPOs, selected by WMI filters
Configuration Manager: To create collections based on the rings, the […]

Windows 10 internal rings & WMI branding

Windows-as-a-service (WaaS) requires a stable process for testing feature updates. You don’t want to discuss all over again, multiple times a year, who is involved in testing which applications. But once you have the process in place, it should be used for testing all changes: new or updated standard applications, software updates or settings. Continued […]

VMware Horizon & Windows 10 Virtual Secure Mode

The current version of VMware Horizon 7 (VDI) is not able to handle Windows 10 Enterprise features based on Virtual Secure Mode (VSM). This is based on issues with nested hypervisors from different manufacturers. VMware tries to solve the situation by explaining that a VDI infrastructure that regularly refreshes the virtual machines (VM) is not […]