The remediation of CVE-2023-24932, discovered in May 2023, is taking longer than Microsoft's initial timeline. This flaw allows attackers to bypass Secure Boot and disable security features like BitLocker. The April 2024 update introduces a new fix that admins should thoroughly test because it has significant ramifications and will be automatically activated in October.

Active Directory and Entra ID (formerly known as Azure AD) have their own password policies to prevent users from using weak and insecure passwords. While these policies can be combined, the level of protection achieved through this approach is still limited.

The Windows setup goes through several phases, with the last one being the Out-of-Box Experience (OOBE). It presents users with multiple dialogs for system configuration. Some settings are security-related, while others may be unclear to many users. Using an answer file, they can be automatically customized.

iVentory allows for easy Windows 11 deployment using a PXE server. The solution includes a DHCP server, provides image management, including automation through answer files, and can be managed via a web console. It's free for private and 49 USD per server for commercial use.

Adding a PIN to a TPM protector helps safeguard BitLocker against known attacks. However, this additional security comes with a trade-off. It reduces the user's convenience, and they risk forgetting the PIN and consequently locking themselves out. In such cases, only the recovery key can unlock the drive.

If you want to pin the same program icons to the Start menu of many computers, you can export a reference configuration in JSON format and distribute it to the target PCs on the network. However, in Windows 11, this method no longer works when using Group Policy. If you don't have an MDM solution, two workarounds exist.

Following Broadcom's takeover of VMware, the new owner significantly streamlined the portfolio, primarily selling products through bundles to large companies. However, small and medium-sized enterprises (SMEs) often only require vSphere, of which there are now only a few editions available. The Essentials Plus Kit often turns out to be the most expensive due to the peculiarities of the subscription-based licensing per core.

Microsoft is known to regularly use its platform to push its software and cloud services onto users. They often provide only little value but tend to bloat the system or siphon off data. The latter applies to a number of Edge browser features. They are active by default but can be disabled via GPO.

Usually, you want to secure your Windows account with a strong password or other authentication methods. However, there may be situations where you want to set up a Windows computer to log in automatically without requiring a password. If only one user operates a PC and the computer is physically protected from unauthorized access, you can afford the convenience of bypassing password login. Although Microsoft has reduced the auto-login options, enabling autologon in Windows 10/11 is still feasible.

Users will gradually receive the new Teams client depending on the license and update channel. Microsoft now offers a bulk installer for businesses looking to migrate to the new version. Subsequently, admins can enforce a specific client for users using a policy.

One of the most noticeable innovations of Windows 11 is the redesigned Start menu. This changes not only its appearance but also its technical foundations. However, the settings in the Group Policy have remained mainly the same, so it is unclear which ones still apply.

JSON (JavaScript Object Notation) is gaining popularity as a format for configuration files. Unlike XML or the still-used INI format, editing JSON in a text editor can be tedious and error-prone. However, there are free JSON editors and plugins for Notepad++ that simplify this task.

If you want to centrally manage proxy settings for the Mozilla browser in a network, a Group Policy is available. Unlike Google Chrome or Microsoft Edge, Firefox cannot only inherit the proxy configuration from Windows but can also receive it directly via GPO.

Before deploying to clients, you should update a Windows image with the latest patches and customize it to meet their needs. Depending on the deployment method, you need to provide the WIM archive on a bootable ISO file. This can be created using the tools from the Windows Assessment and Deployment Kit (ADK).

Before deployment, Microsoft ISO's install .wim or custom images should be updated. With the DISM module in PowerShell, you can add .msu updates, apps, and drivers to a Windows image offline without the need to boot it up.

The announced support for SMB over QUIC in all editions of Windows Server 2025 marks a significant advancement for the file services role. In addition, the upcoming LTSC server release brings several new mechanisms designed to enhance the security of traditional SMB over TCP or RDMA.

Windows still includes some legacy protocols that pose significant security risks. This applies to SMBv1/CIFS, which Microsoft is gradually phasing out. While it is still present in new Windows versions, it is disabled by default. The audit feature can detect SMBv1 requests and assess whether the protocol is still required.

Microsoft has integrated AI features under the brand Copilot into almost all of its products, including Windows and the Edge browser. For businesses that haven't developed an AI strategy yet, these consumer versions of Copilot are often undesired. Fortunately, they can be blocked using group policies.

For some time now, Microsoft has been offering a simplified installation of WSL via the wsl.exe utility. Hence, most guides refer to this method. However, in practice, it is not quite as straightforward because this command does not work on Server Core and is only suitable for WSL 2.

The post Install Windows Subsystem for Linux (WSL) on different Windows editions and Server Core first appeared on 4sysops.