Yesterday Microsoft published a security advisory (ADV170012 - Vulnerability in TPM could allow Security Feature Bypass) that describes a key generation weakness in Infineon’s TPM chip firmware. To solve the issue, we first have to update the firmware of all vulnerable machines, so we have to identify them. As always, ‘Configuration Manager – Hardware Inventory’ can […]
I still see enterprises trying to keep things simple with their Windows clients: somehow deploying Windows 10, applying GPOs and just using WSUS to apply updates. But this leaves many points open in the management of the client ecosystem. Firmware settings: The new Windows 10 guards depend heavily on virtualization technologies, so beyond TPM 2.0, UEFI and […]
VMware Workstation Pro Tech Preview 2017 is available. But even though it now supports Virtualization Based Security (VBS) features in Windows 10 guests, it still can’t be used on VBS-enabled Windows 10 hosts. So, in enterprises, VMware-based VMs still need to be converted into Hyper-V-based VMs.
This week Kaspersky Lab filed complaints against Microsoft with the European Commission and the German Federal Cartel Office over Windows Defender Anti-Virus (Antitrust: Pursue It in Europe We Must). Home users: So, Kaspersky, do you really want to bring us back to the time when users bought devices with 3rd party anti-malware apps pre-installed, that required them […]
The loading and execution of devices for the DMA-based technologies Thunderbolt and IEEE1394 (Firewire) can be blocked via GPO (see Microsoft KB2516445). Since Windows 10 Enterprise security technology can mitigate the risk by enabling virtualization-based security with DMA protection (see here), it would be great if the GPO only applied to systems not meeting […]
Intel discovery tool: Download the Intel discovery tool from https://downloadcenter.intel.com/download/26755. If Intel-SA-00075-console.exe is executed with ‘-c’, it creates registry entries for the scan result, e.g. Extend hardware inventory: I used RegKeytoMOF 3.3 (credits to Mark Cochrane – with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker) to create the MOF files to extend the […]
Starting with Windows 10 1607, the pre-installation of Hyper-V Hypervisor for Credential Guard is no longer necessary (see Protect derived domain credentials with Credential Guard). After activating Credential Guard via GPO or registry, the process lsaIso.exe is running. Msinfo32 shows Credential Guard activated and a hypervisor detected. But Windows Features shows Hyper-V Hypervisor not […]