All posts by moh10ly

Skype for Business IM integration with Exchange 2016 OWA–Part 1

The Story

A good and detailed documentation is everything we need to implement any kind of project especially if it’s an integration between two different servers that perform different roles.

And with PKI involved the complications multiply thus a good article write up is what we need.

Previously I have tried a test lab with Skype for Business 2015/2019 IM Integration with Exchange 2016/2019 and the result was a complete failure and endless search for what’s missing to get IM to work from OWA?

image

ERROR

Upon completion of the steps mentioned in Microsoft’s Official documentation and after restarting Exchange IIS or OWAAppPool you will see this when you try to login to OWA with your user

There’s a problem with instant messaging. Please try again later.

image

MS Official Documentation

In their Official documentation Microsoft says that the certificate in question must be trusted by all the servers involved meaning Skype for Business Frontend and Mailbox Servers.

Meanwhile this is true, it still would not get the IM to login/work although it might drop the initialize event ID 112 in the event log.

clip_image001

Here is what MS says about the certificate.

Exchange and Skype for Business integration requires server certificates that are trusted by all of the servers involved. The procedures in this topic assume that you already have the required certificates. For more information, see Plan to integrate Skype for Business Server 2015 and Exchange. The required IM certificate thumbprint refers to the Exchange Server certificate assigned to the IIS service.

REF URL: https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-im-integration-with-owa?view=exchserver-2019#what-do-you-need-to-know-before-you-begin

image

Step by Step Deployment

To do things the way that should get this to work, I will detail steps one by one so we can be sure to get the positive results we are all waiting for when dealing with Exchange and Skype for Business.

Exchange IM URL 1: mail.domain.com

Skype for Business Pool FQDN: SBG-Pool01.domain.com

Autodiscover URL : Autodiscover.Domain.com

Prerequisites

  1. For Default and Web Service Internal, Your Skype for Business Frontend Server/Pool must use a certificate that is generated from an internal CA which you can use later to generate Exchange’s IM Certificate.
  2. UCMA must be installed (Doesn’t matter if version 4 or 5) both are supposed to work with Exchange 2016.
  3. Local Certification Authority must already be deployed in the domain.

Configuration Steps – Part 1

  1. On SfB: Set CsAuthConfiguration Autodiscover URL for Skype server to find Exchange Autodiscover
  2. On SfB: Get-CsSite to see what is the current site ID.
  3. On Exchange: Check AutodiscoverServiceInternalURI
  4. On SfB: Create new Partner
  5. On SfB: Create new Trusted Application Pool
  6. On SfB: Create new Trusted Application ID

Configuration Steps – Part 2

7. On Exchange: Enable OWA VD Instant Messaging
8. On Exchange: Enable Messaging on OWA Policy
9. On Exchange: Create Enterprise Application for Skype Pool.
10. On Exchange: Create new SettingOverride for Skype for Business.
11- Generate a new Certificate for Exchange IM
12. Assign the newly imported certificate to IIS Exchange Back End site
13. On Exchange: Restart the WebAppPool
14. Log out and sign back in to OWA to Check
15. Troubleshooting methods

Prerequisites

1- Update or Create Server Default and Web Service Internal Certificate for SfB Pool servers

The certificate installed on the Skype for Business Pool Frontend servers must be generated from a local Certification Authority which can be trusted by Exchange Server services.

The Certificate generated for Skype for Business pool as in the below screenshot is generated from my CA and includes the names of the servers:

  • Skype for Business Pool
  • Skype for Business Frontend FQDNs
  • Exchange Servers
  • Autodiscover FQDN
  • Lyncdiscover.domains.com
  • Lyncdiscoverinternal.domains.com
  • sip.domains.com
  • meet.domains.com
  • dialin.domain.com
  • External.domain.com

image

image

2- UCMA must be installed

On both Exchange and Skype for Business servers I already have UCMA 4.0 version installed, but if you don’t have it or have an older version then you can’t continue without it.

image

3- Make sure you have a Local Certification Authority deployed in your domain.

Configuration Steps – Part 1

1- On SfB: Set CsAuthConfiguration Autodiscover URL for Skype server to find Exchange Autodiscover

For Skype for Business Server to find Exchange Autodiscover Service point and to be able to authenticate servers we’ll be using the below cmdlet

This enables both servers to authenticate and share information when needed and without user’s interference.

Set-CsOauthConfiguration -ExchangeAutodiscoverUrl https://autodiscover.domain.com/autodiscover/autodiscover.svc

image

image

Ref:

https://docs.microsoft.com/en-us/powershell/module/skype/set-csoauthconfiguration?view=skype-ps

2- On SfB: Get-CsSite to see what is the current site ID.

Getting a site ID will be useful for later use to setup the Trusted Application Pool.

On Skype for Business Management shell. Type the following

Get-CsSite

So the Site ID is 1. I will keep this for later use

image

3- On Exchange: Check AutodiscoverServiceInternalURI

Specify the AutodiscoverServiceInternalURI for internal Autodiscover service. Make sure it points to your public URL and certificate not the internal one otherwise your users will get a certificate error through Outlook and might cause IM chat not to work.

The Cmdlet would be

Get-ClientAccessService | Set-ClientAccessService –AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

image

4- On SfB: Create new Partner Application

On Skype for Business Server, Launch Management Shell and use this cmdlet to add Exchange as a trusted Application to the SfB topology.

New-CsPartnerApplication -Identity Exchange -ApplicationTrustLevel Full -MetadataUrl “https://autodiscover.domain.com/autodiscover/metadata/json/1

image

5- On SfB: Create new Trusted Application Pool

New-CsTrustedApplicationPool -Identity mail.domain.com -Registrar sbg-pool01.domain.com -Site 1 -RequiresReplication $false

image

6- On SfB: Create new Trusted Application ID

From SfB Management Shell run the following cmdlet .

New-CsTrustedApplication -ApplicationId OutlookWebAccess -TrustedApplicationPoolFqdn mail.domain.com -Port 5199

image

Finally

clip_image001[4]

Click on the link below for Part 2

Skype for Business IM integration with Exchange 2016 OWA–Part 2

an Exchange mailbox was mistakenly migrated over another user’s object used by another user

The Story

If you ever used Prepare moverequest command to migrate a user and forgot to use ADMT to rewrite user’s properties with the old attributes. You might have used ADMT again to rewrite the properties.

If you use ADMT you will need to exclude all Exchange Attributes from the source since its already copied using Prepare-move request script however, in some cases some people do make mistakes and you might have came through the same mistake my colleague  have done during one of these extremely complicated Cross forest Migrations where you’d prepare a CSV files through PowerShell and names wouldn’t match Sam accounts.

Don’t Panic

If however, you forgot again to exclude the Exchange attributes while using ADMT then you most likely wont see the user in the Target forest which will cause to panic thinking the user is gone .. But no the user is not gone don’t panic.

When you look for the user’s mailbox on the target forest after the move request is completed you’ll get an error reporting the user can’t be found

image

Solution

To fix the problem you’ll need to change to attributes only for this migrated user. (In the target forest after user mailbox move is completed).

The attributes are

msExchRecipientDisplayType    1073741824
msExchRecipientTypeDetails    128

The wrong Attributes are as following.

image

You will need to fix them to look like the following

image

Once you apply the change you’ll need to wait for a minute or few depending on your AD replication speed.
The problem will be then solved

image

Onboarding Linux Client (DEEPIN) to Microsoft Azure Threat protection ATP using ubuntu repository

Installing Microsoft Azure Threat Protection (ATP) on Linux Devices

While playing with ATP on some windows devices, I was in the mood of trying the new Deepin 20 desktop flavor which is a famous Chinese Linux OS based system.

Microsoft doesn’t indicate anywhere that installation of ATP on a Linux client is possible but Linux server is mentioned in the official ATP installation documents.

How to Install?

After I installed the Deepin OS, I was really impressed by the new beautiful Linux design so I plan to use it and have it secure with ATP.

image

Prerequisites:

  1. Configure the Linux software repository for Ubuntu and Debian
  2. Application Installation
  3. Download the onboarding Package
  4. Client Config

1-Configure the Linux software repository for Ubuntu and Debian

You will need to install the required libraries, install Gpg, apt-transport-https and update repository metadata using the following commands one by one.

  • sudo apt-get install curl

image

  • sudo apt-get install libplist-utils

image

image

  • sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-ubuntu.list
  • sudo apt-get install gpg

image

image

image

After successfully installing all the libraries, I will go ahead and install the application

2- Application Installation

From the Linux client Terminal using sudo power user run the following script

sudo apt-get install mdatp

image

Once finished, You can go back to the ATP portal and download the Linux Onboarding package on the linux server/client you want to onboard

3- Download the onboarding Package

Since I am doing a single deployment not bulk, then I will go to the Microsoft Defender Security Center’s setting page and download the Linux package from the device management section.

image

The steps for the onboarding is already mentioned on that page so after you download the script you’ll know exactly what to do next.

The file is 9kb python in size

image

Copy the file to your Linux Desktop

image

4- Client Config

From the terminal type in chmod a+x MicrosoftDefenderATPOnBoardingLinuxServer.py and hit enter

Note: python must be installed on this linux dervice.

Then type python /MicrosoftDefenderATPOnBoardingLinuxServer.py

image

This will run pretty quick and will assign your Linux server/client with your Organization ID.

To see the Organization ID type:

mdatp –health orgId

image

Few minutes later you’ll be able to see the installation completion and the status through this command

Check if WDATP is functioning as expected

mdatp –health healthy

image

Check if WDATP agent is enabled

mdatp –health realTimeProtectionEnabled

image

Let’s check on our ATP portal and see if the machine is showing there.

Note: It might take 5-15 mins to update the definitions of WDATP when onboarding.

image

Running a detection Test:

curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

image

In few seconds the file has disappeared

image

Checking for threats

mdatp –threat –list –pretty

image

Let’s see this on the ATP Portal

image

image

This is just a test malware not a real one therefore it wont harm your machine at all.

Hope this helps you with your deployments

Ref:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually

Deepin 20 Beta version

https://www.deepin.org/en/2020/04/15/deepin-20-beta/

Microsoft Exchange 2010 SP3 Link HACKED

Update: Microsoft replied to me and fixed the link. see screenshot below

WATCH Microsoft Exchange URL Hacked

If you have Exchange 2010 SP3 and planning to download the latest Rollup , Google will take you to the following link

https://www.microsoft.com/en-us/download/details.aspx?id=100910

Once you click on that link to download the RollUp update, You might want to check the system requirements links and that would list two main links

image

The Exchange 2010 Prerequisites link will first redirect you to this URL which has an expired certificate.

http://www.microsoftpinpoint.com/

And that will then redirect you to this link (Seems to be a Chinese website)

http://123.wo80.com/

Luckily the antivirus managed to catch and block this page however, on any server that’s not running any antivirus this would certainly infect the server.

Phishing Alert!

image

image

Video here

Contacting Microsoft

After I got in contact with Microsoft about the issue. Microsoft replied stating they have informed their security team and fixed the issue.

Azure RDWEB page is blank when accessing it with authorized users

Blank page on RDWeb for users

When you have finished deploying Azure WVD machines and added those machines in the correct hosts you might fall into this error by a chance and not easily be able to understand or see it.

clip_image001[4]

During the creation of Host Pools and AppGroups you might want to create your own fancy Host pool names and app group names, This is something normal but not when you want to use Azure WVD.

What Happens?

When you create an app group name other than the ones already existing (Desktop Application Group) you have to make sure that you would type this group name into the ARM Template since while deploying the VMs and typing the template would choose the default Application Group Name.

image

Error 1

The connection to the remote PC was lost. This might be because of a network connection problem. If this keeps happening, ask your admin or tech support for help.

clip_image001[6]

clip_image002

Error 2

User is assigned to the wrong Application Group

add-RdsAppGroupUser : The specified UserPrincipalName is already assigned to a RemoteApp AppGroup in the specified HostPool.

ActivityId: feb39a7b-b74f-49d3-a100-1fc22ec66454

Powershell commands to diagnose the failure:

Get-RdsDiagnosticActivities -ActivityId feb39a7b-b74f-49d3-a100-1fc22ec66454

At line:4 char:1

+ add-RdsAppGroupUser -TenantName cagriandMoh10ly -HostPoolName WVD-Hos …

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : FromStdErr: (Microsoft.RDInf…RdsAppGroupUser:AddRdsAppGroupUser) [Add-RdsAppGroupUser], RdsPowerShellException

+ FullyQualifiedErrorId : UpnAlreadyHasRemoteAppAssignment,Microsoft.RDInfra.RDPowershell.AppGroupUser.AddRdsAppGroupUser

clip_image003

Solution:

Remove the user from the other application group and add him to the one where you have your RdsSessionHost that you would like your users to access.

Connect to Azure-AD first and run the following command, Make sure you specify the AppGroupName that you want to remove your users from and the AD Group that’s relevant to those users.

foreach($UPN in (Get-AzureADGroupMember -ObjectId ((Get-AzureADGroup | Where-Object DisplayName -Like “WVDUsers”).ObjectId)).UserPrincipalName)

{

Write-Output $UPN

Remove-RdsAppGroupUser -TenantName cagriandMoh10ly -HostPoolName WVD-Host-Pool01 -AppGroupName “Desktop App Group” -UserPrincipalName $UPN

}

clip_image004

Add the Users again and see what happens

foreach($UPN in (Get-AzureADGroupMember -ObjectId ((Get-AzureADGroup | Where-Object DisplayName -Like “WVDUsers”).ObjectId)).UserPrincipalName)

{

Write-Output $UPN

Add-RdsAppGroupUser -TenantName cagriandMoh10ly -HostPoolName WVD-Host-Pool01 -AppGroupName “Desktop Application Group” -UserPrincipalName $UPN

}

clip_image005

Refresh the RDWEB Page and see if you can access your host

clip_image006

clip_image007

The same desktop came back since we are using FSLogix profile container

clip_image008

VM fails to join Domain during Azure Windows Virtual desktop deployment

Azure Windows Virtual Desktop

WVD or Azure Virtual Desktop has become popular these days during the COVID-19 Virus where everyone started working from home. Companies wanting to adapt to the situation started deploying WVD and so I started to test this feature to keep up with the technology around.

Deployment

I tried using different scenarios during the deployment of Azure WVD, I am going to list them down and explain where did I get my problem exactly.

1- Deploying using Azure Gallery VM.

2- Deploying using a VM Image (This scenario)

3- Deploying using uploaded VM.

My first deployment was using Azure Gallery and in that deployment the machine was deployed without an issue although the domain error has occurred.

In the second Scenario, When you try to use the Github link that has the ARM template

clip_image001

Error 1

{

“status”: “Failed”,

“error”: {

“code”: “ResourceDeploymentFailure”,

“message”: “The resource operation completed with terminal provisioning state ‘Failed’.”,

“details”: [

            {

“code”: “VMExtensionProvisioningError”,

“message”: “VM has reported a failure when processing extension ‘joindomain’. Error message: \”Exception(s) occured while joining Domain ‘moh10ly.local’\”\r\n\r\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot

            }

        ]

    }

}

Error 2

clip_image001[6]

{“code”:”DeploymentFailed”,”message”:”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.”,”details”:[{“code”:”Conflict”,”message”:”{\r\n \”status\”: \”Failed\”,\r\n \”error\”: {\r\n \”code\”: \”ResourceDeploymentFailure\”,\r\n \”message\”: \”The resource operation completed with terminal provisioning state ‘Failed’.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”VMExtensionProvisioningError\”,\r\n \”message\”: \”VM has reported a failure when processing extension ‘dscextension’. Error message: \\\”DSC Configuration ‘CreateHostPoolAndRegisterSessionHost’ completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service.\\nActivityId: ef602cd9-7efd-474d-bc70-ccfd340ecb08\\nPowershell commands to diagnose the failure:\\nGet-RdsDiagnosticActivities -ActivityId ef602cd9-7efd-474d-bc70-ccfd340ecb08\\n PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: WVD-Host-Pool01 Hostpool does not exist in CagriandMoh10ly Tenant The SendConfigurationApply function did not succeed.\\\”\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \”\r\n }\r\n ]\r\n }\r\n}”}]}

Solution:

Original Setting

clip_image001[10]

Change To

  1. Domain to join needs to reflect your Active Directory domain not AD Connect Public Domain.
  2. The Credentials must be for a domain user that has the privileges’ to join any PC to the domain

clip_image001[8]

The Tenant Admin UPN must reflect a user who is allowed to Create a WVD tenant

image

After this, In the Tenant Admin UPN or Application ID use one of the Tenant creator account and you’ll get the below result.

Don’t forget to change the Virtual Network’s DNS to point to your DNS Server whether it is on Azure or On-premises network which must have VPN to access if there.

clip_image001[12]

clip_image001[14]

clip_image002

https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory

https://docs.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-set-up-issues

ADFS and wAP trust breaks with 500 Internal Server error

Error code

Yesterday my colleague sent me a message informing me that ADFS is not working. When I tried to login to Office 365 Portal page with a federated domain’s user I got a 500 Internal Server Error.

When it occurs:

If you are using Office 365 with ADFS Integration in place, You might get this error when trying to authenticate your users to login to Office 365 or any of its services.

image

WAP Server

In this environment I am using WAP Proxy server behind ADFS and when installing this I configured a trust using a Public Certificate but for some reason this trust was broken.

image

Investigation and Solution:

After investigating the WAP proxy it seems it had couple of problems:

1- Could not resolve ADFS server name on WAP Server.

  • In my environment where we are using Sentinel, We have isolated the primary DC in the environment and due to this the WAP server could not reach to the DNS Server. I solved this by pointing the machine to the secondary DC and add the ADFS hostname to the host file.

2- The Web Application Proxy Service would not start.

  • The errors related to the service not starting in the event viewer were all pointing to a certificate thumbprint which didn’t even exist in the WAP’s personal store.

Event Viewer Errors

There were couple of errors related to the certificate and Service issue, Event ID 224, Event ID 12025, Event ID 7023 and Event ID 224.

The one which mostly got my attention was the 224:

The federation server proxy configuration could not be updated with the latest configuration on the federation service.

Retrieval of proxy config data from federation server using trust certificate with thumbprint failed with status code unauthorized. The remote server returned an error code 401.

clip_image001

Resolution:

From WAP server’s fire up PowerShell as an admin and list the certificate you have got on your Personal store and match the ThumbPrints of the certificate in the error to make sure it exists or not.

Even if the certificate exists you will still need to re-establish trust with ADFS to make sure WAP can connect to ADFS without an issue.

Dir Cert:\localmachine\my

This should show the certificates you have got on your store.

image

Now pick up the valid Public certificate which you want to use for the trust and use the below command to establish the trust

Install-WebApplicationProxy –CertificateThumbprint “Enter Certificate ThumbPrint here” –FederationServiceName “ADFS Public FQDN Here”

image

After few moments you should see that WAP services went back to normal and you can now login your users to Office 365 portal through ADFS.

image

clip_image001[6]

Reset Azure VM Admin password with Domain Controller installed

Active Directory Admin Password

We had a security lab on Azure with 12 machines, It included 2 DCs and 10 other machines of different OS and had RDP closed on all the machines except one machine to use.

The Password was set for something simple however it seems that someone has changed it and no one was able to access the domain controller anymore nor any of the machines.

I had another user created for backup but it seems that user was also changed.

The usual method of resetting Azure VM is going through portal or PowerShell

Resetting Via Azure Portal

When you try to reset the password from Azure Virtual machine itself. If the VM has Domain Controller it will fail to reset the password with the following error:

Failed to reset RDP configuration

VM has reported a failure when processing extension ‘enablevmaccess’. Error message: “VMAccess Extension does not support Domain Controller.” More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot

image

Through PowerShell

To reset a password, we first need to define the VM we’re working with. To do this, we can use the Get-AzureRmVm cmdlet. I’ll go ahead and assign variables to both the VM name and the resource group since we’ll need to reference those later, as well.

$vmName = 'YOURVMNAMEHERE'
$resourceGroupName = 'YOURRGHERE'
$vm = Get-AzureRmVm -Name $vmName -ResourceGroupName $resourceGroupName

Next, we’ll need some way to pass the username and password into the script. A great way to do that is through the Get-Credential cmdlet.

$credential = Get-Credential

Once the credential is saved, we can then execute the command to actually make the password change using the variables we set earlier. Notice we had to use the GetNetworkCredential() method on the pscredential object. This method will not work if the credential is retrieved from another computer or from another user account. This shouldn’t be a problem, though, since you’re likely to execute this in a single script.

$extensionParams = @{
    'VMName' = $vmName
    'Username' = $Credential.UserName
    'Password' = $Credential.GetNetworkCredential().Password
    'ResourceGroupName' = $resourceGroupName
    'Name' = 'AdminPasswordReset'
    'Location' = $vm.Location
}

$result = Set-AzureRmVMAccessExtension @extensionParams

Once this completed (hopefully successfully), the VM will need to be rebooted. We can do that by using the Restart-AzureRmVm cmdlet.

$vm | Restart-AzureRmVM

While this PowerShell script might work with a normal VM, It will not work with a DC and would result in the same error as in the portal.

Solution

The solution is to write a script which would run through the CustomScriptExtension that you can deploy from the Azure Portal on the intended VM that has the Domain Controller Deployed on it.

Once you get the script ready to change the administrator Password you can upload the script and deploy it.

Let’s get the script ready and demonstrate these steps one by one.

– On my Computer I will write a tiny script that will say

Net User domainadmin Adm!nPassw0rd1

image

– Save the file on your desktop for later use. Go to Azure Portal, Virtual Machines and select your Domain Controller.

– Go to Extensions.

– Click on Add

image

– Select Custom script Extension

image

– Click Create

– Browse the PowerShell script on your Desktop.

– Select Storage Account

– Select an existing container or create new one

– Upload the file to the container

image

image

image

image

image

Result

Once deployed, it’ll take few mins to reset the password and you don’t have to restart the server.

Through PowerShell

image

After this I was able to access the machine again using the new password in the script.

ref:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-windows#troubleshoot-vm-extensions

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command

https://mcpmag.com/articles/2017/12/13/azure-vm-password-with-powershell.aspx

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/reset-local-password-without-agent

Microsoft Exchange Vulnerability affects all Exchange versions

image

CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Security Vulnerability

Date of Publishing: February/11/2020

Microsoft has announced a vulnerability has been found in all Exchange Server 2010 through 2019 versions, The vulnerability allows an attack to send a specially crafted request to the affected server in order to exploit it.

When could this happen?

A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.

Affected Versions:

  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
  • Microsoft Exchange Server 2013 Cumulative Update 23   
  • Microsoft Exchange Server 2016 Cumulative Update 14   
  • Microsoft Exchange Server 2016 Cumulative Update 15   
  • Microsoft Exchange Server 2019 Cumulative Update 3   
  • Microsoft Exchange Server 2019 Cumulative Update 4

image

Solution:

Until now Microsoft has not provided any solution or work around to cover this vulnerability.

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

NOTE:

Keep an eye on the below link for any change

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

Microsoft Windows 10 security updates KB4532695 and KB4528760 causes TPM driver to fail and results in windows 10 BSOD

Update: For the solution scroll to the end of the page.

Windows 10 Update :

Yesterday and today Microsoft released KB4532695 and KB4528760 causes TPM 2.0 driver to stop functioning and causes BSOD with error “Memory Management” Issue.

clip_image001

image

Windows Hello Face Authentication

In the first KB Microsoft says they have improved the accuracy of Windows Hello Face authentication however this would cause your PIN to be reset, TPM driver stop functioning and BitLocker to change in Pause state.

Check KB Article here

clip_image001[4]

image

The BSOD will generate an event ID 1001 stating the bugcheck code and saves a dump. ( I haven’t analyzed that yet).

clip_image001[6]

After Uninstalling the updates it was a no go but at least the Memory Management BSOD stopped..

Interesting thing is that not just TPM stopped, now even Virtual Box says no Virtualization Capabilities supported on my Device which I had over 20 VMs on it and was working fine also before these updates.

The TPM is indeed firmware as it’s fixed on the board..

In the event viewer related to Device Manager (Trusted Platform Module 2.0) I see couple of errors sourced from Kernel-PnP and UserPnp

KernelPnp error

Device ACPI\MSFT0101\1 had a problem starting.

Driver Name: tpm.inf
Class Guid: {d94ee5d8-d189-4994-83d2-f68d7d41b0e6}
Service: TPM
Lower Filters:
Upper Filters:
Problem: 0xA
Problem Status: 0xC0000001

—-

Device ACPI\MSFT0101\1 was configured.

Driver Name: tpm.inf
Class Guid: {d94ee5d8-d189-4994-83d2-f68d7d41b0e6}
Driver Date: 06/21/2006
Driver Version: 10.0.18362.267
Driver Provider: Microsoft
Driver Section: Tpm2BaseInstall
Driver Rank: 0xFF0002
Matching Device Id: *MSFT0101
Outranked Drivers: tpm.inf:ACPI\MSFT0101:00FF0001
Device Updated: true
Parent Device: ACPI_HAL\PNP0C08\0

—-

UserPnp (Informational event) happens after Kernel-Pnp fail

Driver Management concluded the process to install driver tpm.inf_amd64_aaaa339206cb706e for Device Instance ID ACPI\MSFT0101\1 with the following status: 0x0.

Solution:

After two days of struggling I managed to find the solution.

Disable Device Guard from Group Policy and PowerShell.

  • To disable from PowerShell you’ll need to download the Device Guard and Credential Guard hardware readiness tool which contains a script that would disable/enable Device Guard.
  • Use the following cmdlet .\DG_Readiness_Tool_v3.6.ps1 -Disable after extracting the the DG readiness tools from the link below

https://www.microsoft.com/en-us/download/details.aspx?id=53337

  • From Run type gpedit.msc and launch Group Policy then navigate to Computer Configuration > Administrative Templates > System > Device Guard and set “Turn On Virtualization Based Security” To Not Configured.

Once this is done, Restart your Computer and Press F3 to disable Device Gaurd twice. When restarting the Computer will restart again and you’ll see that your TPM is back to normal.