Monthly archives: oktober, 2017

Print drivers and Microsoft Update KB3170455

Typically users get their printers mapped by Group Policies or Group Policy Preferences. Especially in Citrix environments, users should not have the right to add their own printers or drivers that are not approved for multi-user environments. On July 12th 2016, Microsoft released a security update (KB3170455) to safeguard Man-in-the-Middle (MITM) attacks for clients and print servers. Then an updated version was released again September 12th 2017.

Users could encounter the dialog boxes below if the driver did not meet the requirements of Microsoft where the driver would be packaged and signed with a certificate:

Scenario 1

For non-package-aware v3 printer drivers, the following warning message may be displayed when users try to connect to point-and-print printers:


Do you trust this printer?

Scenario 2

Package-aware drivers must be signed with a trusted certificate. The verification process checks whether all the files that are included in the driver are hashed in the catalog. If that verification fails, the driver is deemed untrustworthy. In this situation, driver installation is blocked, and the following warning message is displayed:


Connect to Printer

Even if you enabled Point and Print restrictions in GPO and specified which server’s clients could get drivers from, users could encounter an installation prompt and request administrator privileges to install.

For most printers this is not an issue if there is an up-to-date driver which is compliant. Some manufacturers do not always provide printers drivers that is both packaged and signed. The first thing you should do is update the driver to one that both is signed and packaged. Usually the drivers from the manufacturer are signed according to Microsoft Windows Hardware Quality Labs (WHQL) but may not be packaged correctly and the users get prompted for administrator credentials when the printer is being added to the client computer or in the remote desktop session.

Since KB3170455 we need to enable point and print restrictions and specify our print servers in the GPO. For most printers there is no issues, however a couple of printers will not be pushed out by Group Policy Preferences since the update. Even though the print server was listed in the point and print GPO. Browsing the print share and trying to connect the printer manually would result in the ”Do you trust this printer” pop up which will then prompt for administrator credentials to install the driver. Looking at Print Management on the server in question shows that the problem printer drivers have a ”Packaged” status of false.


If you are pushing out printers via Group Policy or Group Policy Preferences and they are of Non-Packaged type you will always get a prompt to install, ignoring the point and print GPO, which will cause the install to fail. A workaround to this is a registry edit on the print server – test and verify this first before putting it into production:

  • HKLM\System\CurrentControlSet\Control\Print\Enviroments\Windowsx64\Drivers\<…>\<Driver name>\PrinterDriverAttributes

Change the value from 0 to 1 and reboot the printspool service or/and server. The value for other print drivers may not be 1, but to make this work the value needs to be set to an odd number. For example, if the value is 4 change it to 5. Only do these changes if you have no other means of getting a valid driver or printer swapped. In RDS/Citrix environments you could pre-install the printer driver on the host if viable and you only have a few session-hosts.

Back in Print Management you will see the Packaged status is now changed to true, and the printer should deploy. If you can find packaged print drivers then use those, but some manufacturers have not bothered supplying them.


PrintManagement – Packaged True


RfWebUI idle timeout

There seems to be an issue with the idle timeout in RfWebUI (verified in NetScaler version 12.0) and I’ve created a workaround until it is solved.

It is all based on a JavaScript that checks if the user is logged on, if logged on it starts a timer and when the timer is reached logs the user out.

Change the parameter at the top ”var timeout = xyz” where xyz is the time out in seconds. Because I wasn’t able to only insert this script when the user is logged in (always had to refresh) I chose to create a check that checks every five seconds for the cookie NSC_AAAC which is created upon logon and removed during logout. In this case, we reset the timer if the mouse is moved, a page is loaded or a key is pressed. This can be changed based on your requirements (for example removing document.onclick = resetTimer; if you don’t want a click to reset the idle timer).

When using it in Netscaler, add it like this:

If you are using the NetScaler Web UI to create the rewrite, the action expression will look like this:


Remove ”Password 2” from RfWebUI


Seems like the first method actually removes a password field when changing password. This shouldn’t do that:

Original post:

Have you had an issue with RfWebUI where you need to remove the ”Password 2”-field when for example using RADIUS as primary authentication source (challenge based) and LDAP as secondary?

As always, the great Sam Jacobs has the answer on Citrix Discussions.

If you don’t want to edit any files yourself or not create a a new theme you can use a rewrite to do this for you: (I’m editing style.css and not theme.css)

It should now look as expected:

Advanced Security Management i Office 365

Redan från start har Office 365 många säkerhetsfunktioner i Security and Compliance Center men med Advanced Security Mannagement får du ännu mer, nämligen:

  • Threat Detection – Låter dig identifiera och få larm på ovanliga aktiviteter i din Office 365. Det finns över 70 olika indikationer på att något inte står rätt till. Till exempel om en användare loggar in från en IP-adress i New York och strax därefter loggar in från andra sidan världen och laddar ner ovanligt mycket data från SharePoint.
  • Enhanced Control – Skapa policies och spåra specifika aktiviteter. Till exempel om någon laddar ner ovanligt många filer under kort period eller om det är ovanligt många felaktiga inloggningar från en ovanlig IP-adress. Om administratören får ett sådant larm kan man sedan hantera detta.
  • Discover and Insights – Låter dig hitta andra molnapplikationer som används i organisationen. Ofta används sådana applikationer (Salesforce, Dropbox, Box etc) utan att IT-organisationen känner till det och det är viktigt att få kontroll på dessa.

Advanced Security Management ingår i Office 365 E5 eller kan köpas separat för varje användare.

Ett demo i hur funktionen fungerar:

Exchange Online mailbox move – Unable to connect to Remote MRS proxy server

Recently in an Exchange Hybrid environment with Exchange Server 2016 on-premise and Exchange Online in Office 365 I encountered the following error message when trying to move a mailbox from on-premise to Exchange Online using New Migration Batch on Remote MRS proxy server:

”The connection to the server ‘’ could not be completed”

On the on-premise Exchange Server I ran the Test-MigrationServerAvailability command with the following parameters to verify the availability with migrating cross-forest:

The result returned with Failed and looking at the error message, we can see the following:

The call to ‘’ failed”.

Trying manually to go to the URL, it returned with an error code of: ”Server Error in ‘/EWS’ Application.”
Normally it would have returned ”The webpage cannot be found” with an 404 error code.

Going to the on-premise Exchange Admin Center, Servers > Virtual Directories > EWS (Default Web Site) I wanted to verify that MRS is enabled for that server – but as the picture shown below, it wasn’t.

I enabled the MRS Proxy Endpoint for the server by selecting the checkbox and press Save:

Restarting the WebAppPool MSExchangeServersAppPool on the specific server using the following command to make sure everything applied and any cache are cleared:

Going again to the URL I now received the correct ”error code” of ”The webpage cannot be found” and 404.

Rerunning the Test-MigrationServerAvailability command, I now received a Success as the result:

Going back to the new migration batch, I could now proceed with the move of the mailbox to Exchange Online.

Palo Alto Networks: Command-And-Control (C2) category has been added to URL-Filtering

A new category has been added to Palo Alto Networks URL-filtering. The category is ”Command and Control” or ”C2” and the recommendation is to immediately set the action to BLOCK in your security profiles.

C2 was previously included in the Malware category but has now been separated to get more effective management. For the malware-category you will normally recognize that the threat was stopped by your Palo Alto Networks Firewall and no further compromises has been made. When C2 is logged an endpoint has likely been compromised, this happens when an compromised endpoint attempts to communicate with an attackers remote server to receive malicious commands or extract information.

The default URL-profile should automatically have C2 action to BLOCK if you are using PAN-OS version 8.0.2 or later. If you are using customized profiles or other versions you need to set it manually.

These are the steps required:

  1. Go to Objects > Security Profiles > URL Filtering









2. Click on your URL-profile and find ”command-and-control” in the list. Set the action to BLOCK and press OK.

Also make sure the URL-profile are applied to your security-profiles.

Press commit and you are done!

More information can be found on


Reducing the network impact of Windows 10 Feature and Quality Updates

During Microsoft Ignite I got some great tips of how you can reduce the network impact of Windows 10 Feature and Quality Updates. I would like to share them with you in this blog post.

Since Microsoft changed their strategy to Windows as a service concept with continuously Feature Updates instead of releasing new versions every few years, we have to accept and adapt our way to update our systems. A quick review about the difference between these updates:

Quality Updates – A single cumulative update each month with no features.
Feature Updates – Twice per year with new capabilities.

This means that we need to push out a larger amount of updates to each and every PC in our organization which will impact the network. On average the Quality Updates are 1GB per month which means 12GB traffic per PC per year. The Feature Updates are 3.5GB twice per year, which gives us 7GB traffic per PC per year. The total amount of traffic for these updates to each PC each year will be around 19GB multiplied with the number of PCs in your environment.

So how to we reduce the network impact for these updates? This could be solved by a number of methods.

  • Express packages
  • Peer-to-peer distribution
  • Bandwith thottling
  • Scheduled distribution
  • Express packages are a way to significant reduce the amount of data that each Cumulative Quality Update. The way these Express Updates work is that when a new update comes out, only the CAB file ”chunks” for components that need to be updated are downloaded to each client instead of the whole package, like a delta download. To is easiest to view in a graph.

    This can be enabled in WSUS and it’s now also supported by Configuration Manager 1702 and above. The one thing you must know when using Express Updates is that you need to ensure that you got sufficient disk space on your WSUS server. The recommended amount is five times the current space and that’s because the full updates are kept on the server for fallback scenarios and must be stored locally.

    The same idea with Express Feature Updates. Determine what files have changed since the last feature update and will only download those. This could potentially save about 35% over current ESD sizes. Note that this is only available with Windows Update and Windows Update for Business with Windows 10 1709, but it’s coming for WSUS, ConfigMgr and third-party tools next year. The end user experience will be unchanged where the update is deployed and Windows performs an in-place upgrade which normally takes around 30-90 minutes depending on hardware. It’s also important to know that this will not work if you skip versions.

    Microsoft said that they are working on reducing the amount of time it takes to deploy Feature Updates with each release, as the updates continuously getting better and smarter.

    Peer-to-Peer distribution is something that Microsoft recommends using when dealing with Quality and Feature Updates. Approximately 90% or more of the traffic can be shifted from servers to the edges of the networks using this technology. Multiple tools are available for implementing this in your environment. BranchCache, which is supported by WSUS and ConfigMgr makes the clients an available source for distributing the updates around the local network. ConfigMgr Peer Caching is another method and there are also third-party alternatives to choose from.

    BITS Throttling is another way to control the network impact of the updates. When activated you limit the amount of network bandwidth that each PC can consume. In this way you can distribute content to PCs over a period of time, like days or weeks. If you combine this with BranchCache you can determine that a client can throttle traffic from the servers but go full speed from the peers in the local network. Note that implementing BITS could be challenging if BITS is already being used for other purposes in your environment.

    Scheduled distribution is a way to control how content is distributed from server to server and server to client. Bandwidth usage can be limited/throttled and restrictions can be set up based on time of the day. Servers or PCs can often be used to hold content, like distribution points around the network.

    I want to summarize this post with a picture of the updating tools I’ve been talking about and where they are supported or not.

    More information about the technologies described above can be found on You can also learn more about Windows as a service here.

    New modern management features

    On Microsoft Ignite this year I learned that we are going from a classic workplace to a modern workplace. Microsoft refer to this as the digital transformation and that require us to change the way we manage our environments today. The characteristics of traditional PC management is on-premise infrastructure, high control with Configuration Manager/GPOs and business-owned devices while the characteristics of mobile device management is cloud services, a simpler IT process and BYOD.

    Microsoft suggest that a new organization should go cloud-first, while existing companies should go for one of the other methods, like the Big Switch Transition or the Group by Group Transition. The paths to modern management is illustrated by this picture:

    One of the most common ways for companies to follow this path will be with a new management feature called Co-management. This feature uses a combination of Configuration Manager and Intune so the transition to the modern workplace can be done by an iterative way instead of switching to a cloud based management right away, like the Big Switch Transition illustrated above.

    Another reason for using Co-Management is because Intune doesn’t have all the existing ConfigMgr policies and settings available yet, something that Microsoft is currently working on to bring more features and functionality into Intune. A good way to check which policies and settings that can be replaced with Intune in your existing environment is to use a tool called MMAT. The tool can be downloaded here. Like the picture below illustrates you will get a report stating which policies and settings you can replace with Intune. Note that the report doesn’t care about the order or precedence of the policies and settings.

    A computer managed by Co-management can be managed both by on-premise ConfigMgr and cloud based Intune. Like I mentioned before, Microsoft is currently working towards bringing more settings and policies into Intune to extend the MDM capabilities for the cloud based management. Some of those new features are shown below.

    To get more information about the transition to the modern management, please read Microsofts documentation here.