Use PowerShell to see if you are mitigating Meltdown and Spectre

Microsoft has released a PowerShell module on PSGallery that reports whether the mitigations for the Meltdown and Spectre speculative-execution vulnerabilities are present and enabled on a machine. It checks both the hardware side (firmware/microcode support) and the Windows side (whether the OS support is present and whether it is actually switched on).

Simply run the following command in an elevated PowerShell window:

Install-Module SpeculationControl

Then use the following command to verify mitigations:


This was the result on my laptop (Lenovo X1 Yoga) before patching it:


Then I installed this patch (via regular Windows Update):


After installing the patch and rebooting, it looked much better:


Note that some of my older hardware only managed to mitigate some of them: the Windows update alone cannot supply the hardware part, which needs a firmware/microcode update from the OEM. Also, some mitigations are not turned on by default even when the OS support is present (on Windows Server they have to be enabled explicitly through the FeatureSettingsOverride registry values, and the change needs a reboot).
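Here is an added example (not from the original post) that installs the module, runs the check and reduces its verbose output to the items that are still missing, and then shows the registry values that control the OS side of the mitigation. It assumes PowerShellGet is available (PowerShell 5 or later), that the module returns one boolean property per check with names ending in HardwarePresent, WindowsSupportPresent and WindowsSupportEnabled, and that the registry values follow Microsoft's KB4072698 guidance for Windows Server.

```powershell
# Added example, not part of the original post.
# Assumptions: PowerShellGet is available; Get-SpeculationControlSettings returns one
# boolean per check; the registry values below are the ones documented in KB4072698.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# The cmdlet prints a narrative with Write-Host, but it also returns an object with
# one boolean per check (hardware support present, Windows support present, enabled, ...).
$s = Get-SpeculationControlSettings

# Properties ending in "Required" are informational: $false there means the CPU does not
# need that mitigation at all, so they are not counted as missing.
$missing = $s.PSObject.Properties | Where-Object {
    $_.Value -is [bool] -and -not $_.Value -and $_.Name -notlike '*Required'
}

if ($missing) {
    Write-Host "`nChecks that are NOT satisfied on this machine:" -ForegroundColor Yellow
    $missing | ForEach-Object { " - $($_.Name)" }
} else {
    Write-Host "`nAll reported mitigations are present and enabled." -ForegroundColor Green
}

# How to read a failure after the Windows update is installed:
#   *HardwarePresent = $false        -> the OEM firmware/microcode update is still missing
#   *WindowsSupportPresent = $true and *WindowsSupportEnabled = $false
#                                    -> the OS has the code but it is switched off, which is
#                                       the default on Windows Server
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Get-ItemProperty -Path $mm -Name FeatureSettingsOverride, FeatureSettingsOverrideMask -ErrorAction SilentlyContinue |
    Select-Object FeatureSettingsOverride, FeatureSettingsOverrideMask

# To enable the mitigations on Windows Server (reboot required afterwards):
#   Set-ItemProperty -Path $mm -Name FeatureSettingsOverride     -Value 0 -Type DWord
#   Set-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -Value 3 -Type DWord
```

Run it in an elevated PowerShell window; the registry part is read-only unless you uncomment the two Set-ItemProperty lines, and those should only be applied after the performance impact has been tested on that server role.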


Get a free publicly trusted certificate using Let’s Encrypt, PowerShell and DNS

I have previously blogged about the free publicly trusted certificate solution Let’s Encrypt, see here.

In this post, I will show how you can request a certificate with a PowerShell script and prove ownership of the domain name using DNS validation. It is perhaps more common and faster to validate ownership of domain names by publishing a challenge response via HTTP (since it can be validated immediately), but sometimes you want to request a certificate for a domain name that does not host a webserver, such as email and RDP servers.

I am using the PowerShell module ACMESharp, which is an implementation of ACME, the protocol that Let's Encrypt uses for domain validation and certificate issuance.

For more information about Let’s Encrypt, take a look at their FAQ.

Pros
  • Totally free
  • Simple with few steps
  • Publicly trusted certificate
  • Since we export a PFX (including the private key), the request can be performed on any computer (not necessarily the server that will use the certificate). Because the PFX holds the private key, treat it accordingly: protect it with a strong password, move it over a secure channel and delete it from the requesting machine once it has been imported on the server.

Cons
  • Requires you to manually add DNS records.
  • Waiting for the new DNS record to show up can take some time (due to DNS caching).
  • The certificate is only valid for 3 months. There is no support for renewal in the PowerShell implementation yet, but on the other hand, it is quick, easy and free to request a new certificate for the same domain name again.

Notes
  • I take no responsibility for what this script does, test before running in production.
  • I am not a coder, so this PowerShell-script probably breaks all of the practice rules.
  • The script automatically downloads and installs NuGet (which is then used to download the PowerShell module ACMESharp) using PackageManagement. PackageManagement is included in PowerShell v5 but has to be installed manually as an add-on if you run PowerShell v3 or v4. Find your PowerShell version by running $PSVersionTable and looking at the value of PSVersion.
    PackageManagement for PowerShell v3 and v4 can be downloaded here:


Note: The video below shows these steps.

  1. Run the PowerShell script in an elevated PowerShell console.
  2. Supply the following parameters
    1. ExpirationEmail
      1. This email will receive an email notification when the certificate is about to expire. I have never received any other email, but you can enter a bogus email address.
    2. PFXPassword
      1. The PFX file will be protected by this.
    3. SANList
      1. A comma-separated list of domains you want in the certificate. You can add as many as you want, but you will need to add a DNS record for each of them (for domain name ownership verification). Note that wildcards are not allowed right now, but that has been announced to become available in 2018.
  3. Answer any questions the script asks.
  4. Done! The PFX will be created in the same folder as the script.
    The PFX will have the domain names as the file name.
  5. If you need more than the PFX, look in the following folder:
    There you will find the certificate request, the certificate in PEM/KEY format, Issuing CA certificates etc.
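The steps above are what the author's script automates. As an added example (it is not the author's script and not part of the original post), here is the same dns-01 flow written out with the ACMESharp cmdlets, with one addition a practitioner wants: before the challenge is submitted, the TXT record is looked up at an authoritative name server of the zone, so an attempt is not wasted on a record that has not propagated yet. Assumptions: the domain is mail.example.com, the contact is me@example.com, the PFX goes to C:\certs, the alias names dnsId and certId are arbitrary, parameter names follow the ACMESharp 0.9.x module, and the dns-01 challenge object exposes RecordName and RecordValue (if it does not, the script prompts for the values printed by the manual handler).

```powershell
# Added example, not the author's script. See the lead-in for the assumptions.
param(
    [string]$Domain      = 'mail.example.com',   # assumption: your own name goes here
    [string]$Email       = 'me@example.com',     # assumption
    [string]$OutDir      = 'C:\certs',           # assumption
    [string]$PfxPassword = 'change-me'           # assumption
)
Import-Module ACMESharp -ErrorAction Stop

# One-time vault and account registration; both are no-ops on re-runs.
if (-not (Get-ACMEVault -ErrorAction SilentlyContinue)) { Initialize-ACMEVault }
try { New-ACMERegistration -Contacts "mailto:$Email" -AcceptTos | Out-Null } catch { }

# Ask the CA to authorize the name and choose the DNS challenge with the manual handler,
# which prints the TXT record you must publish.
New-ACMEIdentifier -Dns $Domain -Alias dnsId | Out-Null
$auth = Complete-ACMEChallenge dnsId -ChallengeType dns-01 -Handler manual
$dns  = $auth.Challenges | Where-Object Type -eq 'dns-01'
$record = $dns.Challenge.RecordName     # assumption: property names of the DNS challenge
$value  = $dns.Challenge.RecordValue
if (-not $record -or -not $value) {
    $record = Read-Host 'TXT record name (from the manual handler output)'
    $value  = Read-Host 'TXT record value'
}
Write-Host "Publish TXT $record = $value in your public DNS, then press Enter."
Read-Host | Out-Null

# Find an authoritative name server for the zone by walking up the labels of the record
# name, so the propagation check bypasses every recursive resolver cache in between.
function Get-AuthoritativeNS([string]$Name) {
    $labels = $Name.Split('.')
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $zone = $labels[$i..($labels.Count - 1)] -join '.'
        $ns = Resolve-DnsName -Name $zone -Type NS -ErrorAction SilentlyContinue |
              Where-Object Type -eq 'NS'
        if ($ns) { return @($ns.NameHost) }
    }
}
$srv = @{}
$ns = Get-AuthoritativeNS $record
if ($ns) { $srv.Server = $ns[0] }
do {
    $seen = Resolve-DnsName -Name $record -Type TXT @srv -ErrorAction SilentlyContinue |
            Where-Object { $_.Strings -contains $value }
    if (-not $seen) { Write-Host "TXT not visible yet at $($srv.Server), retrying in 30 s"; Start-Sleep 30 }
} until ($seen)

# Only now tell the CA to validate, then poll until the challenge leaves 'pending'.
Submit-ACMEChallenge dnsId -ChallengeType dns-01 | Out-Null
do {
    Start-Sleep 5
    $status = (Update-ACMEIdentifier dnsId -ChallengeType dns-01).Challenges |
              Where-Object Type -eq 'dns-01' | Select-Object -ExpandProperty Status
} while ($status -eq 'pending')
if ($status -ne 'valid') { throw "Challenge ended in status '$status'" }

# Generate the key pair and CSR locally, submit, and wait for issuance.
New-ACMECertificate dnsId -Generate -Alias certId | Out-Null
Submit-ACMECertificate certId | Out-Null
do { Start-Sleep 3; $cert = Update-ACMECertificate certId } until ($cert.IssuerSerialNumber)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pfx = Join-Path $OutDir "$Domain.pfx"
Get-ACMECertificate certId -ExportPkcs12 $pfx -CertificatePassword $PfxPassword | Out-Null
"PFX written to $pfx (contains the private key; protect it and delete it after import)."
```

For more than one name, create one identifier per SAN and pass the extra aliases to New-ACMECertificate with -AlternativeIdentifierRefs; each of them needs its own TXT record and challenge round. Remove the TXT records once the certificate is issued, and keep in mind that the key pair is generated on the machine that runs this, which is why the PFX should not linger there.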


This is what a certificate will look like:



Here is a 4 minute video where I run the script, so you can see how it looks:

Note that I do not show adding the DNS records to the public DNS in the video since it differs depending on your DNS provider. For me it looks like this:


The script

Here is a link to the latest version of the script:

Any feedback and improvement suggestions are highly welcome.

Thanks for reading!




Force update of Advanced Threat Analytics (ATA) on Windows Server 2016

When there is an update available for ATA you will get a blue arrow notification in the portal. Hovering with the mouse pointer over the icon will show what’s new in the available update:


The update notification tells you to go to Windows Update on the machine running the ATA Center. But when you check for updates, there are none available:


What is going on here?

It is because ATA updates are published as Optional updates, not as Recommended updates. Getting the Recommended classification involves a lot of extra hoops and requirements (since everyone will receive such updates automatically), so Optional is the more flexible channel for a product update like this.

On Windows Server 2016 there is no obvious way to look for Optional updates, like there is on Windows Server 2012 R2 and earlier:


But you can use a tool that normally is used to configure Core installations called sconfig.

On the ATA Center, running on Windows Server 2016, run sconfig:


Select option 6 (Download and Install Updates):


You will be asked if you want to search for All or Recommended updates only:


Note that if you choose Recommended here, you will get the same result as in the normal Settings interface:


If you instead choose All updates, you will find the ATA update (and any other Optional updates):


I do not want to install Silverlight, so I chose “Select a single update” and entered the number of the ATA update:


After a while, the installation wizard of the ATA update will start:


After you finish the installation you will see the installation result:


When you now go to the ATA Portal you will see that the update notification is gone:


The ATA gateways might be automatically updated now, depending on how you have configured updates in ATA:


You will have health alerts as long as the gateways are not updated:


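The sconfig menu is interactive. As an added example (not part of the original post), the same selective install can be done from an elevated PowerShell session through the Windows Update Agent COM API, which lets you list the Optional (BrowseOnly) updates and install only the one whose title matches, leaving Silverlight and the rest alone. Assumptions: it runs on the ATA Center, the ATA update's title contains "Advanced Threat Analytics" (adjust $TitlePattern otherwise), and it is saved as a .ps1 file since it starts with a param block.

```powershell
# Added example, not part of the original post. Assumptions: elevated session on the
# ATA Center; the ATA update title contains $TitlePattern.
param(
    [string]$TitlePattern = 'Advanced Threat Analytics',
    [switch]$Install
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# All applicable, not yet installed software updates. This includes the ones Windows Update
# only shows when browsing (BrowseOnly = Optional) and never installs on its own.
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$all = @($result.Updates | ForEach-Object { $_ })

Write-Host ("Found {0} applicable update(s):" -f $all.Count)
$all | ForEach-Object {
    [pscustomobject]@{
        Title    = $_.Title
        Optional = $_.BrowseOnly
        KB       = ($_.KBArticleIDs -join ',')
    }
} | Format-Table -AutoSize

$target = @($all | Where-Object { $_.Title -like "*$TitlePattern*" })
if ($target.Count -eq 0) { Write-Warning "No update matching '$TitlePattern' is offered."; return }
if (-not $Install) {
    Write-Host "Re-run with -Install to download and install:"
    $target | ForEach-Object { " - $($_.Title)" }
    return
}

# Build a collection that contains only the matching update(s).
$coll = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $target) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$coll.Add($u)
}

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $coll
$dl = $downloader.Download()
if ($dl.ResultCode -ne 2) { throw "Download failed with ResultCode $($dl.ResultCode)" }

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $coll
$res = $installer.Install()
# OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
Write-Host ("Install ResultCode: {0}  RebootRequired: {1}" -f $res.ResultCode, $res.RebootRequired)
```

Run it once without -Install to see the list and confirm the title match, then with -Install. As the post shows, the ATA package starts its own installation wizard, so run this from an interactive elevated session rather than a scheduled task.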
I hope this blog post helped someone.


Certificate related problems when using a web proxy server

I have encountered these issues several times, so I decided it was time to write a blog post about them.

The situation

You are using a proxy server for web communication. Direct communication to the Internet is blocked. The proxy is configured in Internet Explorer Options, as shown in these screenshots:



If you do not configure this, you cannot reach the Internet.
If you do configure this, you can reach the internet.
Just as expected.

The issue

Even if the proxy is configured correctly, as seen above, some Internet communication is still blocked.

One common problem area is certificate validation, specifically downloading CRLs from the Internet. I have seen problems when starting CA servers (after a Root CA CRL renewal) and when accessing NDES web pages. See the examples at the end of this post for details. If you solve something else with this, let me know so I can add it to help others.

The reason

There are actually two different proxy settings in Windows: WinINet and WinHTTP.

WinINet

This is what we configure in the screenshots above (Internet Options). Most interactive applications use this setting, and it is stored per user.

WinHTTP

This is a separate, machine-wide proxy setting. Most Windows services use it, including the one responsible for certificate revocation checking. It has no GUI but can be configured using the command netsh.

You can read more about the differences between WinINet and WinHTTP here.
Especially note the row Services Support (Can be run from a service or a service account [Yes/No]).

The solution

The solution is to configure WinHTTP with the same proxy settings as WinINet.

This command shows the current WinHTTP proxy configuration:

netsh winhttp show proxy


As you can see, no proxy server is configured for WinHTTP.

You can manually set the proxy server (and an optional bypass list) with netsh winhttp set proxy; replace the placeholder with your proxy host and port:

netsh winhttp set proxy proxy-server="<proxy-host:port>" bypass-list="<local>"

But there is an easier way. You can simply copy the current WinINet proxy configuration of the logged-on user and apply it to WinHTTP:

netsh winhttp import proxy source=ie


Note that this requires an elevated prompt, otherwise you will get the error message “Error writing proxy settings. (5) Access is denied.” Also note that only a static proxy server and bypass list can be imported; if Internet Options uses a PAC file or automatic detection, you have to set the WinHTTP proxy explicitly as shown above.

This has solved many communication issues I have had where a web proxy server is used.

If you wish to reset the WinHTTP proxy setting back to the no proxy setting you can use the following command:

netsh winhttp reset proxy

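Here is an added example (not part of the original post) that puts the two settings side by side, warns when they differ, optionally runs the import, and then verifies the chain of a certificate with online URL fetching so that a remaining revocation problem shows up as 0x80092013. Assumptions: the certificate to verify is C:\Temp\ca.cer (any exported .cer works, for example the CA certificate from the error events below), netsh prints English output, and the WinINet proxy is a static one.

```powershell
# Added example, not part of the original post. Assumptions: $CertPath exists; netsh output
# is English; WinINet uses a static proxy (a PAC configuration cannot be imported by netsh).
param(
    [string]$CertPath = 'C:\Temp\ca.cer',   # assumption
    [switch]$Fix
)

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# WinINet: what Internet Options shows. It lives under HKCU, so it is per user.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$wininet = if ($ie.ProxyEnable -eq 1) { $ie.ProxyServer } else { '(direct)' }
if ($ie.AutoConfigURL) {
    Write-Warning "WinINet uses a PAC file ($($ie.AutoConfigURL)); netsh import will not pick that up."
}

# WinHTTP: what services use, including the CA's revocation checking. Machine-wide.
$raw = netsh winhttp show proxy
$winhttp = if ($raw -match 'Direct access') { '(direct)' }
           else { ($raw | Select-String 'Proxy Server\(s\)\s*:\s*(.+)$').Matches[0].Groups[1].Value.Trim() }

"WinINet proxy : $wininet"
"WinHTTP proxy : $winhttp"

if ($wininet -ne $winhttp) {
    Write-Warning 'WinINet and WinHTTP differ: services will not use the proxy you see in Internet Options.'
    if ($Fix) {
        if (-not $isAdmin) { throw 'Run elevated; writing the WinHTTP proxy fails with error 5 otherwise.' }
        netsh winhttp import proxy source=ie | Out-Host
    }
}

# Verify the chain with forced URL retrieval: -urlfetch downloads AIA/CRL/OCSP instead of
# trusting the local cache, so a proxy problem on the way to the CRL surfaces here.
if (Test-Path $CertPath) {
    $out = certutil -verify -urlfetch $CertPath 2>&1 | Out-String
    if ($out -match 'CRYPT_E_REVOCATION_OFFLINE|0x80092013') {
        Write-Warning 'Revocation server still unreachable (0x80092013).'
    } else {
        'Revocation check OK.'
    }
}
```

certutil here runs as the interactive user, so it is a good smoke test but not identical to what the CA service sees; to reproduce the service's view exactly, run the same certutil command in the service's context (for example under the account the CA service runs as).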

Example errors that were solved

Starting Active Directory Certificate Services

When trying to start the CA server you get this error message:

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

The event log shows Event Id 100 from source CertificationAuthority:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate <CA name>. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Also, Event Id 48 from source CertificationAuthority:

Revocation status for a certificate in the chain for CA certificate 0 for <CA Name> could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Note: A dirty trick to quickly get the CA up and running is to disable CRL checking on the CA server:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

This is of course not recommended and must be turned back on as soon as the CRL is available again, but it might be justified in some rare cases. The flag takes effect after the Certificate Services service is restarted, and while it is set the CA will start even if revocation of its own chain cannot be checked, so do not forget to remove it.

Accessing NDES / SCEP web pages

Visiting https://<FQDN> works great (it shows the IIS standard home page).

But when trying to access the URL https://<FQDN>/certsrv/mscep/mscep.dll you get this error message:

500 – Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.

The same message appears when going to the URL https://<FQDN>/certsrv/mscep_admin

The Application event log on the NDES server shows the following error:

Event ID 10: The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.

followed by:

Event ID 2: The Network Device Enrollment Service cannot be started (0x80070057).  The parameter is incorrect.

These two error events occur every time I revisit the URLs.

Have you solved an issue?

If you run into any issues solved by this, please let me know so I can add them here to help others.


Information protection with EMS [video]

Here’s a new short video from Microsoft that shows how you can protect your organisation’s information, using solutions that are part of the Enterprise Mobility + Security suite, such as Cloud App Security, Intune and Azure Information Protection.


ATA Center – Installation failed. Error code: 0x80070002

When I recently installed an ATA Center I encountered the following error message:

Installation failed. Error code: 0x80070002

I got the error message right after entering the Center configuration information, as seen below:

When looking at the ATA logs (which I unfortunately didn’t save, so I can’t show them here), I eventually saw that the installation had issues finding the setup executable file.

It then hit me.

I had downloaded an ISO-file with the ATA installation media on it. I double-clicked the iso to auto-mount it in Windows, and then ran the Microsoft ATA Center Setup.exe from the mounted drive.

This normally doesn’t cause any issues. But since .Net Framework wasn’t installed on the server, the ATA Center installation Wizard kindly asked to do this for me:


That installation required a reboot of the server.

When I logged in again, the ATA Center installation automatically resumed, but failed with the error above.

Here’s the thing: mounted ISO files do not persist across a reboot. So the wizard was looking for a virtual drive that no longer existed.

As it turns out, this is a known problem and it is even listed in the ATA deployment documentation:


Kudos to the ATA team for being clear about this. I do not know how I managed to miss it.
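As an added example (not part of the original post), this is how I would stage the installation media on a local disk before starting setup, so that a prerequisite reboot cannot leave the resumed installer pointing at a drive letter that is gone. Assumptions: the ISO is at C:\Install\ATA.iso, the setup executable inside it is named "Microsoft ATA Center Setup.exe", and C:\Install\ATA is used as the staging folder.

```powershell
# Added example, not part of the original post. Assumptions: paths and setup file name below.
param(
    [string]$IsoPath  = 'C:\Install\ATA.iso',              # assumption
    [string]$Stage    = 'C:\Install\ATA',                  # assumption
    [string]$SetupExe = 'Microsoft ATA Center Setup.exe'   # assumption
)

Mount-DiskImage -ImagePath $IsoPath | Out-Null
try {
    # Resolve the drive letter the ISO got; it is only valid until the next reboot.
    $drive = (Get-DiskImage -ImagePath $IsoPath | Get-Volume).DriveLetter
    if (-not $drive) { throw "Could not determine the drive letter for $IsoPath" }
    $src = "${drive}:\"

    # Copy the whole media, not just the .exe: setup needs its sibling files.
    New-Item -ItemType Directory -Path $Stage -Force | Out-Null
    Copy-Item -Path (Join-Path $src '*') -Destination $Stage -Recurse -Force

    # Make sure the copy is complete before letting go of the ISO.
    $missing = Get-ChildItem -Path $src -Recurse -File | Where-Object {
        -not (Test-Path (Join-Path $Stage $_.FullName.Substring($src.Length)))
    }
    if ($missing) { throw "Copy incomplete: $($missing.Count) file(s) missing in $Stage" }
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}

$setup = Join-Path $Stage $SetupExe
if (-not (Test-Path $setup)) { throw "Setup not found: $setup" }
Write-Host "Starting $setup from local disk; the path survives a prerequisite reboot."
Start-Process -FilePath $setup -Wait
```

The same staging step is worth doing for any installer that can pull in .NET Framework or another reboot-requiring prerequisite and then resume itself after logon.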

Note that the ATA Center seems to be installed after this error occurs:


Although it is not (no folder called Microsoft Advanced Threat Analytics here):


Simply choose to “uninstall” it before trying to install the ATA Center again, otherwise you will see this message:



Quickly find all GPOs with PKI settings

When doing PKI audits and also when troubleshooting autoenrollment I want to see if there are multiple Group Policies that configure contradictory PKI settings.

Instead of manually going through all GPOs I wrote a PowerShell script that lists all GPOs that have PKI-settings in them, and also singles out those that configure autoenrollment.

Here is a sample output:


As you can see I look in both Computer and User scope of the GPOs.

The script utilizes the commands Get-GPO and Get-GPOReport, so you need to run the script on a computer that has the Group Policy Management feature installed (like a DC) or a computer with the Remote Server Administration Tools installed.
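Since the author's script is only linked, here is an added example (not the author's script and not part of the original post) of the same idea: pull the XML report of every GPO, pick out the Public Key Policies extension in both the Computer and User scope, flag the GPOs that configure autoenrollment, and warn when more than one GPO does so in the same scope, which is exactly the contradiction case that makes autoenrollment troubleshooting painful. Assumptions: the GroupPolicy module is available, the extension's xsi:type name ends in "PublicKeySettings", and the autoenrollment node in the report is named "AutoEnrollmentSettings" (namespace prefixes differ between reports, so the XPath matches on local names only).

```powershell
# Added example, not the author's script. Assumptions: GroupPolicy module present; report
# element names "PublicKeySettings" and "AutoEnrollmentSettings" as described in the lead-in.
Import-Module GroupPolicy -ErrorAction Stop

function Get-PkiSettingsFromReport {
    param(
        [Parameter(Mandatory)][xml]$Report,
        [string]$GpoName
    )
    # Extension elements whose xsi:type ends in PublicKeySettings, whatever the prefix.
    $nodes = $Report.SelectNodes(
        "//*[local-name()='Extension' and contains(@*[local-name()='type'],'PublicKeySettings')]")
    foreach ($n in $nodes) {
        $scope = $n.SelectSingleNode("ancestor::*[local-name()='Computer' or local-name()='User']").LocalName
        $auto  = $n.SelectSingleNode(".//*[local-name()='AutoEnrollmentSettings']")
        [pscustomobject]@{
            GPO            = $GpoName
            Scope          = $scope
            Autoenrollment = [bool]$auto
            # Which PKI areas the GPO touches (root CAs, enterprise trust, autoenrollment, ...)
            Settings       = ($n.ChildNodes | ForEach-Object { $_.LocalName } | Sort-Object -Unique) -join ','
        }
    }
}

$results = foreach ($gpo in Get-GPO -All) {
    $xml = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
    Get-PkiSettingsFromReport -Report $xml -GpoName $gpo.DisplayName
}

$results | Sort-Object GPO, Scope | Format-Table -AutoSize

# More than one GPO configuring autoenrollment for the same scope is the case to investigate:
# only the last-applied GPO wins and the others are silently overridden.
$results | Where-Object Autoenrollment | Group-Object Scope | Where-Object Count -gt 1 |
    ForEach-Object {
        Write-Warning ("{0} GPOs configure {1} autoenrollment: {2}" -f $_.Count, $_.Name, ($_.Group.GPO -join ', '))
    }
```

Because the parsing is in a function that takes the report XML, it can also be pointed at reports saved from another forest, and the link information the author mentions as a possible improvement is available from the same GPO objects if you need it.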

As always, there is room for improvement. Besides error management, perhaps showing the actual settings and also where the GPOs are currently linked. Feel free to improve it, and let me know if I can reshare it.

You can view and download the PowerShell script here:

Standard Disclaimer: I am NOT a professional coder. I am not responsible for what this script does. Do a code audit and testing in test environment if you run it in a sensitive environment.

Please leave any feedback you have as a comment to this post.


What is Azure Information Protection


One of the security solutions I work with is called Azure Information Protection.

It is Microsoft’s solution for labeling and protecting information and it has some awesome features:

  • Super simple to use for end users, just a click away or fully automatic (based on location, recipient or content)
  • Access is based on your identity, no static passwords or keys that needs to be remembered, shared or managed
  • The information can be encrypted, which keeps the bad guys out
  • You can set policies for what users are allowed to do with the information once they have access, such as printing, copying or forwarding, which makes it easier for good guys to follow the rules and avoid mistakes
  • The information is labeled in a way so that other solutions, such as Exchange, SharePoint, Cloud App Security and even third party DLP services, can make decision based on it
  • Custom watermarking and header/footer can be added to the information
  • The protection follows the information where ever it goes
  • You can share safely with anyone
  • All file types and most platforms (including Mac, iOS and Android) are supported
  • You can track who accessed your protected information
  • You can remotely revoke access to a document (without access to the file), making it unreadable for anyone from that point on. Can your current information protection solution do this?
  • Microsoft never needs to have access to your information, they only manage the authentication part
  • The team at Microsoft behind this service are not only really nice people, but also really attentive to customer’s needs and have shown remarkable agility in their development
  • I could go on, but, I’m sure most of you stopped reading this list by now and jumped to the video below 🙂

If you want to know more, see this 2 minute overview video, or contact me for further discussions:

Note that this service used to be called Rights Management Services, and the RMS technology is very much still used for the encryption and policy parts. When Microsoft added the user-friendly labeling part, which can be used for much more than just RMS protection, they renamed it Azure Information Protection. In other words, RMS went from being the front-end solution to being one of the actions that can be applied based on the chosen label. Using the RMS features without the labeling is still possible and works just as well.


My two sessions from TechX [in Swedish]

I gave two talks at the TechX conference held at Microsoft headquarters in Stockholm on February 13-17 2017.


The sessions were recorded and are now available to watch on YouTube [see links below]. Note that they are delivered in Swedish.

Both sessions covered the same three security solutions from Microsoft:

  • Windows Defender Advanced Threat Protection
  • Office 365 Advanced Threat Protection
  • Advanced Threat Analytics

I know, they all have very similar names. But this image shows how they relate and how they complement each other to provide protection on several layers:


In the first session I talked about what the products actually are. In the second I talked about how to get started with them. Both have demos.

Unfortunately I had sound issues, which was a bummer since I had several embedded videos in my presentation, but hey, that’s life…

Here are the videos:

TechX 2017 – Detektera och förhindra intrång (Detect and prevent intrusions)

TechX 2017 – Hur kommer du igång med WDATP + ATA + Office ATP? (How do you get started with WDATP + ATA + Office ATP?)


Translate Windows messages in other languages

Sometimes I run into error messages in foreign languages, like this French one:


Ok, I admit it, I made the dialog box myself, but the message text is real. And I have no idea what it means.

So, how can I find out what “Le contenu a été bloqué, car il utilise un protocole de chiffrement non sécurisé.” really means? Preferably with the exact wording of the corresponding English message in Windows.

As in most cases, Google is your friend. There are also many online translation services, but since a word can have multiple meanings they might alter the wording, and that can make further troubleshooting searches harder.

But did you know that Microsoft has a Language Portal, where you can search and translate Microsoft official terminology?

The address is
and it looks like this:


In the search result for the message above you can see what the message says in English:


You can also search translations from English to other languages. The list contains a whopping 115 languages! Did you for instance know that the word administrator is called alábòójútó in Yoruba and umlawuli in isiXhosa?

You do not have to search the exact string, partial matches will work as well. You can also filter your results based on 118 different products. Here I have limited my search results of the word administrator to only show results from the product Intune:


I hope this tip will help others who sometimes also have to troubleshoot Windows machines configured with a foreign language.
