Category Archives: Active Directory Certificate Services

What's New in Microsoft Defender for Identity in December 2023

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures. It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory, AD FS, and Certification Authority […]


Another Critical Active Directory Certificate Services NTLM Relay Vulnerability allows for Domain Takeover (DFSCoerce, Critical)

This week, new Proof of Concept code was publicly published to coerce a Certificate Authority (CA) to authenticate the domain controller using NTLM. This vulnerability was named DFSCoerce and has been published by Filip Dragovic. It is another vulnerability in the PetitPotam (or PrintNightmare) family of vulnerabilities, and is as difficult to mitigate as former […]


PFX Encryption Security Feature Bypass Vulnerability (CVE-2021-1731, Important)

Today, for its February 2021 Patch Tuesday, Microsoft released an important security update for certificates in Windows and Windows Server. This vulnerability is known as CVE-2021-1731 and rated with CVSSv3.0 scores of 5.5/4.8. When glancing over the vulnerability, it might not be a particularly important vulnerability, but its implications are wide and deep; This PFX […]


On-premises Identity updates & fixes for February 2020

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for February 2020: Windows Server 2016 We observed the following updates for Windows Server 2016: KB4537764 February 11, 2020 The February […]


Requirements per Windows Hello for Business Deployment Type

Windows Hello for Business is awesome technology, that allows for multi-factor authenticated sign-in on Windows 10 devices.   About Windows Hello for Business In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to […]


Passing Microsoft Exam 70-742: Identity with Windows Server 2016

There is a good and free way to prepare for Microsoft exam 70-742: Identity with Windows Server 2016. In the past years, I conducted webinars that can serve as a primer on Active Directory in terms of forests, domains, trusts, security and on Group Policy. They are not and were never intended as the sole […]


Windows Server 2016’s January 2018 Quality Update fixes several AD CS issues

Windows Server 2016’s January 2018’s Cumulative Quality Update, bringing the OS version to 14393.2034, offers several fixes for Certification Authorities (CAs) running Active Directory Certificate Services (AD CS).   About Windows Server 2016 Updates Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost. […]


KnowledgeBase: Install-ADCSCertificationAuthority fails without a network adapter present

An issue has been identified in situations where you would configure a Windows Server installation as an Offline Root Certification Authority (CA). The Install-ADCSCertificationAuthority Windows PowerShell Cmdlet would error out, while you could achieve the scenario without problems using the Graphical User Interface (GUI).    The situation In multi-tier Public Key Infrastructure (PKI) implementations, you […]


KnowledgeBase: A hotfix is available that records more information in event ID 5125 for an OCSP response

Last month, Microsoft released a KnowledgeBase article for Active Directory Certificate Services running on Windows Server 2008 R2 with Service Pack 1 and Windows Server 2012. Note: This KnowledgeBase article doesn’t apply to Windows Server 2012 R2, although the same issue exists as in Windows Server 2008 R2 and Windows Server 2012.   The situation […]


KnowledgeBase: An update is available that improves management of weak certificate cryptographic algorithms in Windows

Last month, Microsoft has released KnowledgeBase article 2862966 An update is available that improves management of weak certificate cryptographic algorithms in Windows as a helping hand to administrators to indicate and/or eradicate the use of weak cryptographic algorithms in their networking environments.