In the blog post (2017-03-01) "Hardening – Disabling Weak Ciphers, Hashes And Protocols On ADFS, WAP, AAD Connect, Azure AD MFA Server And Azure AD Application Proxy" I explain how to harden several hybrid identity related servers. I provide the individual settings, and at the end of that post I also show how you can use a GPO to configure all of them from AD. For the registry settings I configured one server using REG ADD commands and then used the Registry Wizard in Group Policy Preferences (GPP) to read in all the settings I had configured. The GPO I used also contained other regular policy settings.
After having all the settings in the GPO as described above, I found out that the registry settings in particular were never applied to the servers, even though the GPO itself was being processed. I confirmed processing of the GPO by using GPRESULT both remotely and locally. I also looked at the registry settings in the GPO multiple times to see if I could find any anomalies, but unfortunately I did not see anything strange. Well, it took me some time, but if you look very carefully at figure 1 there is something odd about it.
Figure 1: Setting Registry Values Through A GPO
I’m going to spare you the time it took me to find what was wrong and instead guide you through the steps, so that you understand where it goes wrong and how you can fix it.
If you look at figure 2 below, what do you notice? Hint: look at the values in every column!
Correct! The “Hive” column has no value specified. THAT is the reason the registry setting is not applied to the targeted servers at all.
Figure 2: A Sample Registry Setting That Was Read Through The Registry Wizard – Empty Hive Value
However, if you open a registry setting for which the “Hive” value is not listed, as shown in figure 2, you can see in figure 3 that the “Hive” value IS listed. Confusing, right?!
Figure 3: A Sample Registry Setting That Was Read Through The Registry Wizard – Populated Hive Value
The solution here is to reconfigure the “Hive” value and commit the change to the GPO. But if you look at the [Apply] button in figure 3, you will see it is grayed out.
As shown in figure 4, simply reselect the already listed “Hive” value.
Figure 4: A Sample Registry Setting That Was Read Through The Registry Wizard – Reselecting The Hive Value
After doing that, the [Apply] button becomes available to be clicked.
Figure 5: A Sample Registry Setting That Was Read Through The Registry Wizard – Recommitting The Hive Value
After you have clicked the [Apply] button, you can see that the “Hive” value is indeed populated, as shown in figure 6.
Figure 6: Sample Registry Setting That Was Read Through The Registry Wizard – Populated Hive Value For One Setting
Now do this for every registry setting read by the wizard.
Figure 7: Sample Registry Setting That Was Read Through The Registry Wizard – Populated Hive Value For Another Setting
Because the “Hive” value was not specified for the registry settings in the GPO, those same registry settings were not applied, even though the GPO that contained them was processed! Respecifying the “Hive” value solved the problem. And yes, you will have to do this for every registry setting.
This issue only occurs when you use the Registry Wizard within GPP and specify a remote server as the target server. If you specify the local server as the target, the “Hive” value is populated correctly.
This occurred on both W2K12R2 and W2K16 servers.
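Rather than opening every item in the GPMC to spot an empty “Hive” column, the Registry.xml that GPP stores under SYSVOL for the GPO can be scanned. The following PowerShell is an added example and not part of the original post: it walks all registry items in a Registry.xml (the Registry Wizard nests them in Collection elements) and reports the ones whose hive attribute is empty. That an empty “Hive” column corresponds to an empty hive="" attribute in Registry.xml is an assumption of this example; the function names, the domain name and the GPO GUID in the commented usage are placeholders, and the inline sample XML is constructed, with attributes the check does not need omitted.

```powershell
# Added example, not code from the original post. Assumption: a registry item that shows an
# empty "Hive" column in the GPMC is stored in Registry.xml with hive="" (or no hive attribute).

function Find-EmptyHiveRegistryItem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Xml.XmlDocument]$Document,

        # Label (for example the file path) carried into the output for reporting.
        [string]$Source = '<inline>'
    )
    process {
        # The Registry Wizard nests items in <Collection> elements that mirror the key path;
        # the "//Registry" XPath returns every item regardless of nesting depth.
        foreach ($item in $Document.SelectNodes('//Registry')) {
            $props = $item.Properties
            if ([string]::IsNullOrWhiteSpace([string]$props.hive)) {
                [pscustomobject]@{
                    Source    = $Source
                    ItemName  = $item.name
                    Hive      = [string]$props.hive
                    Key       = $props.key
                    ValueName = $props.name
                    Type      = $props.type
                }
            }
        }
    }
}

function Test-GpoRegistryXmlHive {
    # Loads one Registry.xml from SYSVOL and reports its items with an empty hive.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    Find-EmptyHiveRegistryItem -Document $doc -Source $Path
}

# Constructed sample mimicking a wizard-generated Registry.xml (attributes the check does not
# need are omitted). The first item has its hive populated; the second has hive="" and would
# never be applied, which is the symptom described in the post.
[xml]$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings>
  <Collection name="SOFTWARE">
    <Registry name="ExampleValueGood" status="ExampleValueGood">
      <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Example" name="ExampleValueGood" type="REG_DWORD" value="00000001"/>
    </Registry>
    <Registry name="ExampleValueBroken" status="ExampleValueBroken">
      <Properties action="U" hive="" key="SOFTWARE\Example" name="ExampleValueBroken" type="REG_DWORD" value="00000000"/>
    </Registry>
  </Collection>
</RegistrySettings>
'@

# Runs offline against the constructed sample and lists only ExampleValueBroken.
Find-EmptyHiveRegistryItem -Document $sample | Format-Table -AutoSize

# Against a real domain (placeholders for domain and policies path): scan the Registry.xml of
# every GPO in SYSVOL, both Machine and User preferences.
# Get-ChildItem '\\contoso.com\SYSVOL\contoso.com\Policies' -Recurse -Filter Registry.xml |
#     ForEach-Object { Test-GpoRegistryXmlHive -Path $_.FullName } | Format-Table -AutoSize
```

Any row this returns is an item the GPO will silently skip even though GPRESULT reports the GPO as applied, so it is a useful check to run after a Registry Wizard import from a remote server and again after reselecting the “Hive” values, to confirm that nothing was missed.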
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————