Fixed: PowerShell prompts to run scripts when importing sessions – change %temp%

Powershell Security warning

My new work computer has had issues running Office365 commands for a while. After successfully connecting to Office365, using Connect-ExchangeOnline (as an example), I would get a security warning: “Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run c:\temp\temp\tmp_rnncyvj4.v10\tmp_rnncyvj4.v10.format.ps1xml?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is “D”):”

And this would repeat with the appropriate .psm1 file too.

The usual solution is to use Unblock-File or Set-ExecutionPolicy RemoteSigned.

However, in this case the files are dynamically downloaded and have a different filename every time, and setting the execution policy did not make any difference.

I ended up changing my temp folder from c:\temp\temp to c:\andy\temp and now I no longer get prompted.

Very odd behaviour that is not too annoying until you run scripts across all the office365 tenants!
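As an added example (not code from the original post), this PowerShell function lists the script files under %TEMP% that carry a Zone.Identifier alternate data stream, the "mark of the web" that makes PowerShell treat a file as downloaded and show the prompt above; the default path and file patterns are assumptions, and the optional unblock step is limited to files with a valid Authenticode signature.

```powershell
# Added example, not code from the original post. Lists script files under
# %TEMP% that carry a Zone.Identifier alternate data stream (the "mark of the
# web"); PowerShell treats such files as downloaded and prompts before running
# them. Requires Windows PowerShell 5.1+ on NTFS; $Path and $Include are assumptions.
function Get-MotwScripts {
    param(
        [string]$Path = $env:TEMP,
        [string[]]$Include = @('*.ps1', '*.psm1', '*.ps1xml')
    )
    Get-ChildItem -Path $Path -Recurse -Include $Include -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $zone = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if ($zone) {
                # ZoneId=3 is Internet, ZoneId=4 is Restricted Sites
                $zoneId = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace '^ZoneId=', ''
                [pscustomobject]@{
                    File      = $_.FullName
                    ZoneId    = $zoneId
                    Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                }
            }
        }
}

# Report first, then unblock only files whose Authenticode signature is valid,
# which is the decision the "Run once" prompt otherwise asks you to make by hand.
$marked = Get-MotwScripts
$marked | Format-Table -AutoSize
$marked | Where-Object { $_.Signature -eq 'Valid' } |
    ForEach-Object { Unblock-File -LiteralPath $_.File -WhatIf }   # drop -WhatIf to apply
```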

Fixed: ScreenConnect / Control missing from Labtech / Automate

Automate screenshot

For the past two days my Automate window was missing all of the ScreenConnect plugins that allow one-click remote access to client machines, both the one that shows at the top of the computer list and the one shown when the machine window is launched. (The screenshot below shows how it should look.)

Screenshot showing the control icon in Automate for computers

A reinstall of the software (including renaming the leftover Labtech files in Program Files and ProgramData after removing the software) did not fix the issue.

However, reviewing the C:\ProgramData\LabTech Client\Logs\yyyymmdd_LTcErrors.txt showed lots of plugin exceptions including the following:-

An attempt was made to load an assembly from a network location which would have caused the assembly to be sandboxed in previous versions of the .NET Framework. This release of the .NET Framework does not enable CAS policy by default, so this load may be dangerous. If this load is not intended to sandbox the assembly, please enable the loadFromRemoteSources switch. See http://go.microsoft.com/fwlink/?LinkId=155569 for more information

Following that link provided the hint that loadFromRemoteSources needs to be enabled.

Editing “C:\Program Files (x86)\LabTech Client\LTClient.exe.config” and adding <loadFromRemoteSources enabled="true"/> just before the </runtime> line, Automate now includes the control button.

LTClient config file showing the loadfromremotesources element
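The config edit above done idempotently, as an added example that is not from the original post or from ConnectWise: the function backs up the .exe.config, loads it as XML and adds the element only if it is not already there. The switch grants full trust to assemblies this one executable loads from network locations, so keep it in the per-application config rather than machine.config. The config path is the one the post gives.

```powershell
# Added example (not from the original post or ConnectWise): idempotently add
# <loadFromRemoteSources enabled="true"/> to an application's .exe.config.
# The switch fully trusts assemblies loaded from network locations for THIS
# executable only, which is why the per-application config is edited rather
# than machine.config. Run from an elevated prompt.
function Enable-LoadFromRemoteSources {
    param(
        [Parameter(Mandatory)] [string]$ConfigPath
    )
    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        throw "Config file not found: $ConfigPath"
    }
    # Keep a timestamped backup so the change can be reverted.
    $backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)

    $config = $xml.SelectSingleNode('/configuration')
    if (-not $config) { throw "No <configuration> root in $ConfigPath" }

    # Create <runtime> if the file has none yet.
    $runtime = $config.SelectSingleNode('runtime')
    if (-not $runtime) {
        $runtime = $xml.CreateElement('runtime')
        [void]$config.AppendChild($runtime)
    }

    $node = $runtime.SelectSingleNode('loadFromRemoteSources')
    if (-not $node) {
        $node = $xml.CreateElement('loadFromRemoteSources')
        [void]$runtime.AppendChild($node)
    }
    if ($node.GetAttribute('enabled') -ne 'true') {
        $node.SetAttribute('enabled', 'true')
        $xml.Save($ConfigPath)
        return "Updated $ConfigPath (backup: $backup)"
    }
    return "Already enabled in $ConfigPath (backup: $backup)"
}

# Path from the post; adjust if the client is installed elsewhere.
Enable-LoadFromRemoteSources -ConfigPath 'C:\Program Files (x86)\LabTech Client\LTClient.exe.config'
```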

Fixed: LastPass seems to randomly add incorrect data to forms

We use a web-based documentation system at work and have had a couple of instances where data for companies (i.e. Company X) seems to have been randomly edited in forms to include data from another form (i.e. Company Y) in the system. In a form that had a username, password, URL and notes field, we discovered that a tech could go in and edit the notes (and only the notes field) and, without realising it, the username and password were also being updated in the form. The tech would hit save and now the saved password was incorrect.
Thankfully the documentation system has revision histories to allow us to revert back to the previous settings, but it is still a painful process to go back and review recent changes to see which ones were genuine edits and which were changed incorrectly.

We initially blamed it on LastPass filling out data, as the issue would not occur if we disabled LastPass; however, a search in LastPass would not return the data that was being added to the form. It took us a while to track down, but Chris, one of our techs, worked out what was going on.

Sample lastpass password screen with extra field button highlighted

LastPass has additional fields that don’t show up when you browse (and apparently search), and the data from these extra fields was being filled in automatically for some reason. Click the wrench, highlighted in the above screenshot, to see the extra hidden fields.

Our solution was to delete these extra fields, save the record in LastPass and we no longer have LastPass corrupting our data.

Fixed: NPS using Azure AD not prompting for 2 factor on phone

Screenshot of Yubico numbers for 2FA verification

We recently came across an issue configuring NPS (Network Policy Server) to use Azure AD’s 2FA to validate VPN access for one of our clients. The initial configuration was fairly straightforward using the instructions at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension, but after connecting to the VPN server we were not getting the push notification on our phone for the final verification step.

Going through the Network Policy Server logs in event viewer we saw an error message as follows ” NPS Extension for Azure MFA: CID: 341b704d-03f1-4ba6-ae92-eb19ae2f2bf3 :Exception in Authentication Ext for User myusername :: ErrorCode:: CID :341b704d-03f1-4ba6-ae92-eb19ae2f2bf3 ESTS_TOKEN_ERROR Msg:: Verify the client certificate is properly enrolled in Azure against your tenant and the server can access URL in Registry STS_URL. Error authenticating to eSTS: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Error in retreiving token details from request handle: -895352831 AADSTS7000112: Application ‘981f26a1-7f43-403b-a875-f8b09b8cd720′(Azure Multi-Factor Auth Client) is disabled. “

The key was the last line – Azure Multi Factor Auth Client is disabled. Despite the fact that 2FA was already in use to verify access to the Office365 portal and desktop apps, it seems that the client was not enabled in Office365.

This was fixed by running the following in a PowerShell window connected to Azure AD:

Set-MsolServicePrincipal -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -AccountEnabled $True
Set-MsolServicePrincipal -AppPrincipalId "1f5530b3-261a-47a9-b357-ded261e17918" -AccountEnabled $True

This then allowed 2FA to work with NPS. I submitted a PR to the official documentation to add this as an official troubleshooting step, but the PR was closed. Hopefully this post and the PR will help others with their configuration, as it did seem to be a fairly common problem.
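A check-before-change version of the fix above, added here as an example (not from the post or the Microsoft docs): it reports the AccountEnabled state of both service principals and enables only those that are disabled, and only when run with -Fix. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the GUIDs are the two the post lists.

```powershell
# Added example (not from the original post): inspect the two service
# principals the post enables and fix only what is actually disabled.
# Assumes MSOnline is installed and Connect-MsolService has been run.
# First GUID: "Azure Multi-Factor Auth Client" named in the NPS error;
# second: the other ID the post lists.
$mfaPrincipals = @(
    '981f26a1-7f43-403b-a875-f8b09b8cd720',
    '1f5530b3-261a-47a9-b357-ded261e17918'
)

function Test-MfaServicePrincipals {
    param(
        [Parameter(Mandatory)] [string[]]$AppPrincipalIds,
        [switch]$Fix
    )
    foreach ($id in $AppPrincipalIds) {
        $sp = Get-MsolServicePrincipal -AppPrincipalId $id -ErrorAction SilentlyContinue
        if (-not $sp) {
            # Not present in the tenant at all; nothing to enable here.
            [pscustomobject]@{ AppPrincipalId = $id; DisplayName = $null; AccountEnabled = $null; Action = 'Missing' }
            continue
        }
        $action = 'None'
        if (-not $sp.AccountEnabled) {
            if ($Fix) {
                Set-MsolServicePrincipal -AppPrincipalId $id -AccountEnabled $true
                $action = 'Enabled'
            } else {
                $action = 'Disabled (re-run with -Fix)'
            }
        }
        [pscustomobject]@{
            AppPrincipalId = $id
            DisplayName    = $sp.DisplayName
            AccountEnabled = $sp.AccountEnabled
            Action         = $action
        }
    }
}

# Dry run first, then apply only if the report shows a disabled principal.
Test-MfaServicePrincipals -AppPrincipalIds $mfaPrincipals | Format-Table -AutoSize
# Test-MfaServicePrincipals -AppPrincipalIds $mfaPrincipals -Fix
```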

LinkedIn no longer seems to be the preferred location to publicize new Microsoft certifications

Last week I passed my “Microsoft Certified: Azure Administrator Associate” exam. This is actually a transition exam to bring my previous Azure certification up to the state of Azure as of 2019. I had passed the original “Implementing Microsoft Azure Infrastructure Solutions” exam back in 2015, and Microsoft have now retired that certification and replaced it with the Administrator Associate classification. I don’t know about you, but I think the previous qualification sounds more official and impressive than just being an Associate.

The other interesting thing is that I received an email from Microsoft after passing to say I can claim my badge from Acclaim – a company I have never heard of. Nowhere in the email did it mention LinkedIn. Considering Microsoft purchased LinkedIn, I would have expected them to be pushing this platform as the place to show off the new certifications.

Not only that, but when I logged into LinkedIn, it is no longer possible to order the certifications (so the new one shows up at the bottom of the list under more…) and it doesn’t announce to LinkedIn followers that you’ve passed a certification exam.

To make matters worse, attempting to sign up for Acclaim with Chrome fails as the page does not allow you to enter any password (but it works with Edge). The account is also created with my work email address rather than the personal email address that my Microsoft certifications are tied to.

By using Edge I was able to create an account. It is then possible to go into the account settings and add my Microsoft account as the primary email address, copy/pasting the confirmation link into Edge each time.

Once logged into Acclaim, it is recommended to activate 2FA under the Password section but make sure you change the description of the website to Acclaim in your 2FA app rather than leaving it as the default which is your email address.

Happy Anniversary Absoblogginlutely!

16 years ago today I registered Absoblogginlutely.net and started to blog at this location. I totally missed the fact that back in March, helsby.net became 20 years old, a domain that I registered as an early birthday present to myself and is now used as my main email service.
This means I’ve been blogging on or off for about 20 years – how time flies!
Unfortunately I’ve not been updating this blog as often as I’d like as a lot of the tweaks and discoveries that I would normally blog about have become more work related and therefore more confidential.
However I would like to get back into the habit of documenting more so watch this space.
I’m heading to the Columbus Infosec Summit on Thursday and Friday this week which has always been full of interesting talks and demonstrations. It is sold out, but the twitter tag is .

Paula Januszkiewicz is one of the keynotes this year and her presentations are always valuable, with a lot of takeaways, and she simultaneously manages to impress and scare me with the state of IT security nowadays.

Fixed – Screenconnect blocked by Windows Smartscreen

Due to an expired code-signing certificate, the version of ScreenConnect that is launched from ConnectWise Automate (aka Labtech) fails to run on 2 of my Windows 10 machines but works fine on the rest. The error message is “Your administrator has blocked this application because it potentially poses a security risk to your computer”. The ones that fail are running Windows 10 1809 and 1903, so I suspect some newer SmartScreen features are enabled on those builds that older versions do not have.

Your administrator has blocked this application because it potentially poses a security risk to your computer

Checking out the file used for Screenconnect, I saw that the certificate used to sign the exe file expired on February 1st this year, but I’m not sure why my machines suddenly started to refuse to run it the last few days of March.

The ScreenConnect.WindowsClient.exe is downloaded to a random subdirectory of appdata\local\apps\2.0, so I recommend you navigate to this directory, search for *.exe and check the correct ScreenConnect file as per the screenshot below, which shows the certificate expiring on the 1st of February.

ScreenConnect certificate expiry dates

After searching around and contacting ConnectWise Support, they advised me this would be fixed in an upcoming version. In the meantime, setting the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel\Internet to a string value of Enabled allows the ClickOnce prompt to pop up, and that dialog box gives the option of whether the file should be run or not (the previous setting was Disabled). The user can then select yes to install and run the file, overriding the expired code-signing certificate.

Obviously this is not a great idea but it does allow you to run Screenconnect from within the Automate window. (The other alternative is to use the Screenconnect website itself to connect).
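Added example (not from the post or ConnectWise): a PowerShell function that walks the ClickOnce cache the post mentions and reports each executable's Authenticode status, signer and certificate expiry, so an expired signing certificate can be confirmed before the ClickOnce trust prompt is relaxed; it also reads the current PromptingLevel value. The cache path is the one the post names; the report columns are my own.

```powershell
# Added example (not from the original post): report Authenticode details for
# every .exe in the ClickOnce application cache. Assumes Windows PowerShell 5.1+;
# the cache path is the one the post names, the column layout is an assumption.
function Get-ClickOnceSignatureReport {
    param(
        [string]$CachePath = (Join-Path $env:LOCALAPPDATA 'Apps\2.0'),
        [string]$Filter = '*.exe'
    )
    Get-ChildItem -Path $CachePath -Recurse -Filter $Filter -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                File      = $_.Name
                Status    = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($cert) { $cert.Subject } else { $null }
                NotAfter  = if ($cert) { $cert.NotAfter } else { $null }
                # An expired signing cert matters most when there is no trusted
                # timestamp countersignature, so report both side by side.
                Expired   = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
                Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
                Path      = $_.FullName
            }
        }
}

# Show anything that is not cleanly signed or whose certificate has run out.
Get-ClickOnceSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.Expired } |
    Format-Table File, Status, NotAfter, Expired, Timestamp -AutoSize

# Current ClickOnce prompting level for the Internet zone (the value the post changes).
$key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
(Get-ItemProperty -Path $key -Name Internet -ErrorAction SilentlyContinue).Internet
```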

Fixed: pihole -up gives “Could not update local repository”

I received a notification on my pihole web console that it needed an update and the process is usually simple – log into the server and run pihole -up

However, this time I received the error “Could not update local repository. Contact support” – not very helpful.

pihole -up gives a Could not update repository. Contact support error message

Reading several articles, it seems that any change to the pihole files means the local git repository can get out of sync with the upstream repository and therefore cannot be updated. I had installed the bandwidth test plugin, so I suspect that was the issue. As this plugin didn’t work, it was not a huge problem resetting back to a vanilla install.
There were several articles on the pihole site and piecing a few of them together I came up with the following solution.

  cd /var/www/html/admin
  sudo git fetch --tags
  sudo git reset --hard
This gave me the following error:-

fatal: Unable to create '/var/www/html/admin/.git/index.lock': File exists.

Another git process seems to be running in this repository, e.g.
an editor opened by ‘git commit’. Please make sure all processes
are terminated then try again. If it still fails, a git process
may have crashed in this repository earlier:
remove the file manually to continue.

I removed the lock file with the following:

  cd .git
  sudo rm index.lock
I then re-ran the update command and this time it completed successfully.

  pihole -up

The update completes with:

Update Complete!

Current Pi-hole version is v4.2.2
Current AdminLTE version is v4.2
Current FTL version is v4.2.2

Fixed: PDF’s will not load over insecure http but will on secure https (if you have a Meraki firewall)

I had a weird issue this morning where PDF files served over http were getting blocked and would not load. Some sites also have https, so we were able to just change the URL to https and the file would then download.

After checking various browser settings I checked the Meraki firewall. Disabling Advanced Malware Protection (AMP) under Security/Threat Protection let the files download successfully.
Instead of leaving AMP off, I then added a whitelist URL of http://*.pdf, and now PDF files load successfully while AMP still scans everything else on the network.

Whitelisting pdf files in Meraki

The frustrating thing is that AMP does not seem to be logged anywhere so it was not obvious that this was the cause of the problem. It also turns out that this has been a problem with AMP in the past as this 2 year old thread on Reddit shows!

Twitter only seems to have rudimentary support for Yubico keys?

I was fortunate enough to get a Wired Yubico key earlier in the year and a NFC key for Christmas that I can use with my phone. My intention was to use the new NFC key as my primary key with the Wired key as a backup key in case I lose all my keys or just the NFC key. This is the first in a series of enabling the keys to work with a variety of services. See my

I was originally hoping that I could also use the NFC key with my Surface Pro 2 so I would not have to keep plugging the key into the one usb port but apparently the Surface Pro does not support NFC.

Twitter:-

My first service that I set up was Twitter. I figured it would be fairly simple to set up and not earth-shattering if I lost access to Twitter temporarily. Following the two-factor authentication page on Twitter, I had to jump through a couple of hoops to get it working. First I had to enable two-factor authentication, which defaulted to my mobile. Once this was enabled and I had verified my identity through an SMS message, I was then able to add a security key. I plugged the NFC key into the USB port, pushed the button twice and I was successfully logged in. I was then able to add an authenticator app option and generate a backup code in case I lose my key, and then finally delete the text-message authentication method, as this is the second weakness in the security chain (after poor password choice).

The Downsides

Unfortunately it seems that you can only use one hardware key with Twitter which means you have to not lose that original Yubico key! This risk can be mitigated by having a 2FA app on your phone and also saving the backup key somewhere safe – I use Authy for the Key generator and keep the backup code in Lastpass and tag each site entry with #2FA so I can easily search Lastpass to find all the sites that require 2 Factor. I’ve also added #2faNFC to keep track of which key is used for which service.

The other downside is that it appears that the Twitter mobile client for Android does not support hardware keys and generates a “This browser doesn’t support security key logins” error message.

Twitter login prompt failure when using a hardware key on a mobile device.

It appears that only desktop pc apps using a browser can support the USB Hardware keys – hopefully this will change in the future as hardware keys get more and more popular. For the mobile login, select “Choose a different verification method” and then use the authenticator app option.

I also have to come up with a way to make the key easy to plug into the laptop(s) – the surface only has one USB port (with a docking station attached) and reaching around to a docking station to plug in a key will get annoying pretty quickly. I think I’ll be getting a USB extension cable that it can be plugged into.

As mentioned earlier, this is my first experience with the hardware key. It was easy to setup but just a little frustrating that the new NFC device can’t be used on a mobile (for Twitter at least).

Have you used a hardware token such as a YubiKey? Please let me know in the comments below!