
Tuesday, January 2, 2024

Another Error code 0x80070643 when installing Microsoft Defender for Identity sensor

Description:

You get another 0x80070643 error when installing the Microsoft Defender for Identity sensor. This time the server does not use a proxy to reach the internet, or you have already confirmed that a proxy problem is not causing the error.
In the Microsoft.Tri.Sensor.Updater log file you notice an error saying "PerformanceCounterLib System.InvalidOperationException: Category does not exist."
In the Microsoft.Tri.Sensor.Deployment.Deployer log file you see a "System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed" exception.
When you run perfmon.exe, an error pops up saying "Unable to add several counters".

Resolution:

You need to rebuild the performance counter registry. The sensor installer resolves .NET performance counter categories, which is why PerformanceCounterLib reports that a category does not exist when that registry is corrupt.
1. Launch Command Prompt as Administrator.
2. Change directory to "C:\WINDOWS\System32".
3. Rebuild the counter registry by typing the command: lodctr /R
4. On a 64-bit server, change directory to "C:\WINDOWS\SysWOW64" and run lodctr /R again, so the 32-bit counter registry is rebuilt as well.
5. Resynchronise the WMI performance classes with the rebuilt registry: winmgmt /resyncperf

Verify by running perfmon.exe again; it should start without an error. lodctr /q lists the registered counter providers and shows whether any are still disabled.
After that you should be able to install the MDI Sensor.
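The procedure above as a check-then-repair script. This is an added example, not code from the original post: it tests whether a set of standard counter categories resolve through .NET (the same PerformanceCounterLib path the sensor logs mention), rebuilds both counter registries only if something is missing, and re-tests. The category names are an assumption chosen as a proxy for a healthy registry; the categories the MDI installer itself needs are not documented on this page. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Assumed: the four standard OS
# categories below are a reasonable proxy for a healthy counter registry.
$categoriesToCheck = @('Processor', 'Memory', 'PhysicalDisk', 'Network Interface')

function Test-PerfCounterRegistry {
    param([string[]]$Categories)
    # Returns the categories that cannot be resolved (empty array when all are fine)
    $missing = @(foreach ($c in $Categories) {
        try {
            if (-not [System.Diagnostics.PerformanceCounterCategory]::Exists($c)) { $c }
        } catch [System.InvalidOperationException] {
            # Same exception type the Microsoft.Tri.Sensor.Updater log reports
            $c
        }
    })
    return $missing
}

function Repair-PerfCounterRegistry {
    $roots = @("$env:windir\System32")
    if ([Environment]::Is64BitOperatingSystem) { $roots += "$env:windir\SysWOW64" }
    foreach ($root in $roots) {
        # lodctr /R rebuilds the counter registry from the backup store; the
        # 32-bit copy under SysWOW64 needs its own run on x64.
        & "$root\lodctr.exe" /R | Out-Null
    }
    # Resynchronise the WMI performance classes with the rebuilt registry
    & "$env:windir\System32\winmgmt.exe" /resyncperf | Out-Null
}

$missing = @(Test-PerfCounterRegistry -Categories $categoriesToCheck)
if ($missing.Count -eq 0) {
    Write-Host "All checked counter categories resolve; lodctr rebuild not needed."
} else {
    Write-Host "Missing categories: $($missing -join ', '); rebuilding..."
    Repair-PerfCounterRegistry
    $stillMissing = @(Test-PerfCounterRegistry -Categories $categoriesToCheck)
    if ($stillMissing.Count -eq 0) {
        Write-Host "Counter registry rebuilt; retry the MDI sensor installation."
    } else {
        Write-Warning "Still missing after rebuild: $($stillMissing -join ', '). Run 'lodctr /q' and look for disabled providers."
    }
}
```

If the rebuild succeeds but the sensor install still times out, the remaining suspects are the ones the page's earlier post covers (proxy and outbound connectivity), not the counter registry.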

Monday, September 25, 2023

Cannot Install PowerShell Module - Unable to find module repositories

Description:

You try to install a new PowerShell module, but you get an error saying "No match was found for the specified search criteria and module name ' '. Try Get-PSRepository to see all available registered module repositories". However, when you run the Get-PSRepository command you get an "Unable to find module repositories" error.

You have tried the following, but still have the problem:

  • Running PowerShell as Administrator
  • Forcing TLS 1.2, which the PowerShell Gallery requires:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

  • Unregistering and re-registering the default repository:
    • Unregister-PSRepository -Name PSGallery
    • Register-PSRepository -Default

Resolution:

Make sure nothing on the internet path (a proxy or an outbound filter) is blocking access to https://www.powershellgallery.com. Switch to a different internet connection and try the install again; if it works there, the original network is blocking or intercepting the gallery connection.
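A way to narrow the failure down to the network path before re-registering anything. This is an added example, not code from the original post: it reports which proxy .NET will actually use for the gallery URL (a proxy you did not know about is the usual reason a "no proxy" machine still fails), checks raw TCP reachability on 443, then does a TLS/HTTP request to the gallery's OData v2 endpoint, since an intercepting proxy often passes the TCP test but returns a block page or a 407 at this step. Assumed: Windows PowerShell 5.1 with PowerShellGet 2.x, the public gallery host www.powershellgallery.com, and that the v2 service document contains a <service element.

```powershell
# Added example (not from the original post). Assumed: public gallery endpoints,
# Windows PowerShell 5.1, PowerShellGet 2.x.
$galleryHost = 'www.powershellgallery.com'
$galleryApi  = "https://$galleryHost/api/v2"

function Test-GalleryPath {
    # The gallery rejects TLS 1.0/1.1; force 1.2 for this session
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $result = [ordered]@{}

    # 1. Which proxy, if any, will .NET use for this URL? GetProxy() returns the
    #    destination itself when the connection is direct.
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy([uri]$galleryApi)
    $result.ProxyInUse = if ($proxy.Host -ne $galleryHost) { $proxy.AbsoluteUri } else { 'direct' }

    # 2. DNS + TCP handshake only
    $tcp = Test-NetConnection -ComputerName $galleryHost -Port 443 -WarningAction SilentlyContinue
    $result.Tcp443 = $tcp.TcpTestSucceeded

    # 3. TLS + HTTP to the OData service document
    try {
        $resp = Invoke-WebRequest -Uri $galleryApi -UseBasicParsing -TimeoutSec 20
        $result.HttpStatus    = $resp.StatusCode
        $result.LooksLikeFeed = ($resp.Content -like '*<service*')   # assumed marker of the real feed
    } catch {
        $result.HttpStatus    = $_.Exception.Message
        $result.LooksLikeFeed = $false
    }

    # 4. What PowerShellGet itself currently has registered
    $result.Repositories = (Get-PSRepository -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name) -join ','

    return [pscustomobject]$result
}

$r = Test-GalleryPath
$r | Format-List
if (-not $r.Tcp443 -or -not $r.LooksLikeFeed) {
    Write-Warning "The gallery is not reachable cleanly from this network; fix the proxy or egress rule, or use another connection, before re-running Register-PSRepository -Default."
}
```

A result with Tcp443 true, an HTML body instead of the feed and a proxy you did not configure is the signature of TLS interception or a captive portal; in that case re-registering PSGallery will keep failing until the network path is fixed.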

Modifying AdminSDHolder Permission Delegation

Description:

You want to delegate permission to write certain user attributes of members of protected groups in Active Directory to a "normal" user. You have added the permission on the AdminSDHolder container through the GUI for that "normal" user. However, during testing you find that the "normal" user is still unable to modify those attributes on the protected users.

Resolution:

You need to use the command line instead of the GUI.
To grant write access to a specific user object attribute, for example department, use dsacls:
dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com" /G Allow-User-Management:WP;department;

Here Allow-User-Management is the delegate (a user or group; write it as DOMAIN\name if the bare name is ambiguous), WP is Write Property and department is the lDAPDisplayName of the attribute. Note that an ACE on AdminSDHolder is not applied to protected accounts immediately: the SDProp process on the PDC emulator copies the AdminSDHolder ACL onto every object with adminCount=1, by default once every 60 minutes, so test after that interval has passed or trigger the task manually. Delegating write access to attributes of protected accounts should be kept to the narrowest attribute set possible, since these are the domain's most privileged principals.
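The check a practitioner wants after the dsacls command: force SDProp to run now, then confirm the ACE actually landed on a protected account. This is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module is installed, that Allow-User-Management is the delegate from the dsacls command above, and uses jdoe as a hypothetical member of a protected group. Writing RunProtectAdminGroupsTask=1 to RootDSE is the documented way to trigger SDProp on Windows Server 2008 R2 and later.

```powershell
# Added example (not from the original post). Assumed: RSAT ActiveDirectory
# module present; 'jdoe' is a hypothetical protected (adminCount=1) user.
Import-Module ActiveDirectory

$delegate   = 'Allow-User-Management'
$attribute  = 'department'
$targetUser = 'jdoe'

function Invoke-SDProp {
    # RunProtectAdminGroupsTask=1 on RootDSE makes the PDC emulator run SDProp
    # immediately instead of waiting for the default 60-minute schedule.
    $pdc = (Get-ADDomain).PDCEmulator
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.Put('RunProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

function Get-AttributeSchemaGuid {
    param([string]$LdapDisplayName)
    # The ACE's ObjectType is the attribute's schemaIDGUID, stored as a byte array
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return New-Object -TypeName Guid -ArgumentList (,[byte[]]$attr.schemaIDGUID)
}

function Test-DelegatedWrite {
    param([string]$Identity, [string]$Delegate, [string]$Attribute)
    $user = Get-ADUser -Identity $Identity -Properties adminCount
    if ($user.adminCount -ne 1) {
        Write-Warning "$Identity has adminCount=$($user.adminCount); it is not SDProp-protected, so AdminSDHolder does not apply to it."
    }
    $attrGuid = Get-AttributeSchemaGuid -LdapDisplayName $Attribute
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$Delegate" -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.ObjectType -eq $attrGuid
    }
    return [bool]$ace
}

Invoke-SDProp
Start-Sleep -Seconds 30   # give the PDC emulator a moment to stamp the ACLs
if (Test-DelegatedWrite -Identity $targetUser -Delegate $delegate -Attribute $attribute) {
    Write-Host "WriteProperty on '$attribute' for $delegate is present on $targetUser."
} else {
    Write-Warning "ACE not found on $targetUser; re-check the dsacls command and wait for the next SDProp run."
}
```

If Test-DelegatedWrite keeps returning false after SDProp has run, compare the ACE on AdminSDHolder itself (Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,DC=example,DC=com") with what you intended: a wrong ObjectType GUID, or an ACE written as inherit-only, will never reach the protected objects.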

Friday, August 25, 2023

Using Microsoft Graph to Find Inactive Guest Users in Azure Active Directory

Description:

You have been using Azure Active Directory for a while. Now you notice several "external - guest" users listed among your Azure AD users, and you need to gather the list of inactive guest user accounts.

Resolution:

We can get the list of inactive guests with the Microsoft Graph PowerShell SDK. Reading signInActivity requires the AuditLog.Read.All permission and an Azure AD Premium P1 (or P2) licence in the tenant. Sign in with the least privileged directory role that can read sign-in data (for example Global Reader); a Global Administrator account is not required.

# Reading signInActivity needs AuditLog.Read.All; User.Read.All covers the user list
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"

$cutoff = (Get-Date).AddDays(-90)

# -All pages through every result; without it only the first page of users is returned
$guestUsers = Get-MgUser -All -Filter "userType eq 'Guest' and accountEnabled eq true" -Property DisplayName, UserPrincipalName, SignInActivity, CreatedDateTime

# Inactive = no interactive AND no non-interactive sign-in in the last 90 days, or never signed in.
# Checking only LastSignInDateTime would flag guests whose access is purely non-interactive (token refresh, app-only flows).
$inactiveGuestUsers = $guestUsers | Where-Object {
    $interactive    = $_.SignInActivity.LastSignInDateTime
    $nonInteractive = $_.SignInActivity.LastNonInteractiveSignInDateTime
    ($null -eq $interactive    -or $interactive    -lt $cutoff) -and
    ($null -eq $nonInteractive -or $nonInteractive -lt $cutoff)
}

# Display the list of inactive guest users; CreatedDateTime shows which ones were invited recently and may simply not have redeemed the invitation yet
$inactiveGuestUsers | Select-Object DisplayName, UserPrincipalName, @{Name="LastSignInDateTime"; Expression={$_.SignInActivity.LastSignInDateTime}}, @{Name="LastNonInteractiveSignInDateTime"; Expression={$_.SignInActivity.LastNonInteractiveSignInDateTime}}, CreatedDateTime

Windows 2019 NPS Server Firewall Exclusion

Description:

You have completed the NPS configuration on Windows Server 2019. You have entered the correct shared secrets on the VPN servers, and you have confirmed that there is no network firewall between the VPN server and the NPS server.

However, client machines cannot connect to the VPN, and you cannot see the RADIUS traffic reaching the NPS server: there is nothing in the NPS server's event log.

Resolution:

At the NPS server, open a command prompt with elevated permissions and type:

sc sidtype IAS unrestricted

Restart the server after that.

Windows Defender Firewall on the NPS server is configured automatically with inbound exceptions for RADIUS (UDP 1812 and 1813, plus the legacy 1645 and 1646) when the NPS role is installed, so that RADIUS traffic can be sent and received.

On Server 2019 those exceptions are scoped to the NPS service (service name IAS), and a service-scoped rule only matches when the service runs with its own service SID. If the SID type is not changed, the firewall drops the RADIUS traffic silently, which is why nothing appears in the event log. The command above changes the IAS (RADIUS) service to run with a unique service SID instead of the shared NETWORK SERVICE identity; sc qsidtype IAS shows the current setting.
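A verification script for the fix above, so you can confirm the SID type, the rules and the listeners before and after the reboot instead of guessing from the absence of events. This is an added example, not code from the original post. It assumes the built-in rule group is named "Network Policy Server" and the service name is IAS (the defaults on Windows Server 2019); the output format of sc.exe qsidtype ("SERVICE_SID_TYPE: UNRESTRICTED") is the one current Windows versions print.

```powershell
# Added example (not from the original post). Assumed: rule group 'Network
# Policy Server', service name IAS, sc.exe qsidtype output format as parsed below.

function Get-NpsServiceSidType {
    # sc.exe qsidtype prints a line such as "SERVICE_SID_TYPE: UNRESTRICTED"
    $out = & sc.exe qsidtype IAS
    foreach ($line in $out) {
        if ($line -match 'SERVICE_SID_TYPE:\s*(\S+)') { return $Matches[1] }
    }
    return 'UNKNOWN'
}

function Get-NpsFirewallRuleState {
    # Shows, per rule, the ports it opens and which service it is scoped to.
    # Service = 'IAS' means the rule only matches traffic owned by that service SID.
    Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -ErrorAction SilentlyContinue | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $svc  = $_ | Get-NetFirewallServiceFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Enabled   = $_.Enabled
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Service   = $svc.Service
        }
    }
}

function Test-RadiusListening {
    # Returns the RADIUS ports nothing is bound to (empty array when all are bound)
    $expected = 1812, 1813, 1645, 1646
    $bound = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $expected -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique
    return @($expected | Where-Object { $bound -notcontains $_ })
}

$sidType = Get-NpsServiceSidType
Write-Host "IAS service SID type: $sidType"
if ($sidType -ne 'UNRESTRICTED') {
    Write-Warning "Run 'sc sidtype IAS unrestricted' from an elevated prompt and reboot; until then the service-scoped firewall rules will not match RADIUS traffic."
}

Get-NpsFirewallRuleState | Format-Table -AutoSize

$missing = Test-RadiusListening
if ($missing.Count) {
    Write-Warning "No UDP listener on: $($missing -join ', '). Check that the Network Policy Server (IAS) service is running."
}
```

Reading the output: SID type UNRESTRICTED, rules Enabled with Service = IAS on UDP 1812/1813, and all four ports bound is the healthy state. If the rules show Service = Any, someone has already replaced the defaults with port-only rules, and the sidtype change is no longer the variable to chase.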
