SPF, DKIM and DMARC

/ thomasgud / Leave a comment

What is it?
SPF, DKIM and DMARC are security standards used for reducing spoofing of your e-mail. By implementing SPF, DKIM and DMARC, you help the receiving party verify that the mail they just received is in fact from you, and not someone pretending to be you. This will help them determine what do do with incoming e-mail – allow it to pass, mark it as junk, quarantine it or reject it. I highly recommend using SPF, DKIM and DMARC. I’ve explained them briefly below.

SPF
SPF (Sender Policy Framework) is an email authentication method designed to detect forging sender addresses during the delivery of the email. The goal is to have a mechanism to tell the receiving mail provider what mail servers are allowed to send e-mail on your behalf. This is done by adding a DNS record stating the servers (their IP or an include to a server lookup) that are allowed to send mail for that domain. An example record could look like this: v=spf1 include:spf.protection.outlook.com -all

DKIM
DKIM (DomainKeys Identified Mail) is an email security standard designed to make sure messages aren’t altered in transit between the sending and recipient servers. It uses public-key cryptography to sign email with a private key as it leaves a sending server. Recipient servers then use a public key published to a domain’s DNS to verify the source of the message, and that the body of the message hasn’t changed during transit. Once the signature is verified with the public key by the recipient server, the message passes DKIM and is considered authentic.
DKIM is something you set up within your mail infrastructure. For Exchange Online, this can be set in the Microsoft Defender portal https://security.microsoft.com/dkimv2

DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that prevents spammers from using your domain to send email without your permission — also known as spoofing. Spammers can forge the “From” address on messages so the spam appears to come from a user in your domain. DMARC is used with SPD and DKIM . DMARC can also be set up to receive aggregate and/or forensic reports from certain mail providers, giving you visibility into who sends e-mail on your behalf.
A simple example DMARC record could look like this: v=DMARC1; p=quarantine; rua=mailto:clientid@mailpartner.com;

Update-Help fails

/ thomasgud / 3 Comments

I just found a solution to a problem I’ve had with updating the PowerShell help files using the Update-Help cmdlet. I kept getting this error:
Failed to update Help for the module(s) ‘Microsoft.PowerShell.Operation.Validation’ with UI culture(s) {en-US}.

It turns out that a simple command forces it way passed that.

Use UpdateHelp  -Force -Ea 0

Thanks to JRV for posting this on an other forum.

Office 365 deployment with ConfigMgr

/ thomasgud / Leave a comment

Some of you may have tried to deploy Office 365 ProPlus (Click to run) with System Center Configuration Manager (aka. SCCM). If you get the annoying error message 0x87D00324, this is something you can try:

Change the detection method to one of the following detection methods

Option 1) Windows Installer. Set the Product code to:
{90160000-008F-0000-1000-0000000FF1CE}
O365_detmeth_file

Option 2: File system, type file
Path: %ProgramFiles(x86)%\Microsoft Office\root\Office16
File name: Winword.exe
Checkbox status: checked
Set the property to Version – greater than 16.0

O365_detmeth_guid

Option 3: Regkey

Setting type: Registry
Hive: HKEY_LOCAL_MACHINE
Key:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\O365ProPlusRetail -[Language code]

O365_regkey

Hope this helps!

 

Thomas

Error downloading from Microsoft Learning Download Center

/ thomasgud / 2 Comments

This post is for Microsoft Certified Trainers (MCT) out there that have just noticed that the old download center has been moved to the cloud. I received an error message trying to download some files for a class I am about to teach.

Error message: Unable in downloading file
Error i downloading file

There is an easy solution. Click F12 in your Internet Explorer browser and lower the document mode and user agent string to e.g. IE 9.

If you use document mode 11, you may see this error:
error2

As always, you will also need to have Microsoft’s File Transfer Manager installed.

SSL Network Extender Service is down on Windows 10

/ thomasgud / 10 Comments

I recently tried to connect to a remote site using Check Point SSL Network Extender. I got an error message stating that the “SSL Network Extender Service is down or could not be started”.

After some research, it was became clear that this error appeared only on Windows 10 devices.

The solution is quite easy however. Start Internet Explorer using “Run as administrator” – and your problem is long gone.

PS: Edge is not supported thus far.

Error 0x80070643 updating 1511 With KB3122947

/ thomasgud / Leave a comment

After trying for 30 minutes to install KB3122947 using the GUI, I tried using DISM. The package had already been downloaded to  C:\Windows\SoftwareDistribution\Download

What to do on a 64 bit system:
Start CMD.
Enter this command (all on one line):
dism /online /add-package /packagepath:C:\Windows\SoftwareDistribution\Download\c4a1b8896ce9fbfea96c1ee6890d52a5\windows10.0-kb3122947-x64.cab

dism

What to do on a 32 bit system:
Start CMD.
Enter this command (all on one line):
dism /online /add-package /packagepath:C:\Windows\SoftwareDistribution\Download\b0a5da1b24245bc4237166e09bae92da\windows10.0-kb3122947-x86.cab
Go back to the Windows  Update GUI, verify that the problem is gone and be amazed by the Power of DISM.

Happy days!

Give feedback to Microsoft

/ thomasgud / Leave a comment

More and more people are starting to use Windows 10. Most of the are very pleased with the new user interface (which is the best of Windows 7 and Windows 8.x).

But from time to time, we might think that app X is not as good as before, or the functionality isn’t as expected. I would suggest taking the time to give feedback to Microsoft. After all, if you do not tell them, how are they going to fix it.

What can you do? Well, it turns out it is very easy. In the start menu, type feedback. Select the “Windows Feedback” app. Find the app you want to comment on and send your comments to the developers.

Windows Feedback App

With the Windows-as-a-Service approach, updates might make it in faster than you think.

Changes to updates for Windows 10

/ thomasgud / 1 Comment

OK, it’s time to learn a few new acronyms.

CB – Current Branch
LTSB – Long Term Service Branch

Let’s jump right in. Current branch is what Microsoft regards as the new normal. It is the default branch for all Windows 10 Home and Education editions. What does that mean? Well, basically it helps Microsoft keep your computer up-to-date with the latest updates AND features. There will a few smaller upgrades per year instead of the few but more impactful major upgrades that we are used to today. Some will argue that it takes away some user control, but for most Windows users, faster upgrades just means getting the new stuff faster.

For Enterprise customers that have specialized computers that run business critical applications – a forced upgrade may be out of the question. For those customers, Microsoft provides the Long Term Service Branch (LTSB) option. Microsoft will provide security updates, features and fixes on a regular basis like today – and major versions from time to time (yearly, every other year). Very much the same kind of control that enterprise customers enjoy today with WSUS and/or Configuration Manager. Only security patches are mandatory. This branch is primarily for computers that cannot -or should not be upgraded frequently. Computers on factory floors, in emergency rooms or bank teller computers. There is a limited number of computers that have these requirements. How to you get LTSB edition operating systems? Well, either through MSDN subscriptions or your Volume Licensing Service Center (VLSC), and it is only available if you have the right software agreement with Microsoft.

For Windows 10 Pro users there is an option called Current Branch for Business (CBB). This options is similar to the Windows Insider program – with a fast and a slow ring. Imagine using the fast ring for your pilot group, and the slow ring for production. This option gives IT departments’ time to start validating updates in their environments the day changes are shipped broadly, or in some cases earlier, if they have users enrolled in the Windows Insider Program.

So how does this work? On my enterprise Edition Windows 10 computer, I can select a few options. I can continue to be a Windows Insider and get the updates as soon as possible. I can let the default Current Branch settings apply by doing nothing – or I can defer updates for a few months.

Windows Updates with comments

So to summarize a bit.
Windows Insider: If you are comfortable with testing the latest and greatest, and enjoy having the latest upgrades first. You are not a stranger to some troubleshooting and perhaps even a rollback.

Current Branch: The new normal. Updates and feature upgrades are automatically installed on your computer after being tested internally at Microsoft and with thousands of Windows Insiders. Option to temporarily postpone updates (a simple checkbox).

Current Branch for Business: The same as above, but with the better options to defer upgrades. This option is well suited for small and medium size businesses that enjoy a certain level of test on a group of computers before the updates are installed on the rest of the computeres.

Long Term Service Branch: A special option for enterprise customers that have computers that run business critical applications or other critical software.

So there are a few new things to know about. Happy patching!