In some cases, you need to establish VPN before you login to Windows. As some VPN clients offer this method (not all of them, of course), I had a requirement to create this option with Windows build in client.
Here I found a trick; If you want to create VPN connection thru Windows settings, it will not appear on logon screen and this is not useful for me. If you create VPN thru network and sharing centre it is different – VPN connection appears on logon screen. Makes sense? No, but if you need it, is good to know how to configure it.
So, here you can follow the step by step instructions:
- Open Control Panel
- In Control Panel click View Network status and Tasks
- In Network and Sharing Centre you will find a wizard to create a new VPN connection by clicking on Set up a new connection or network. It is almost the same as in other ways, but if you create VPN here, it will appear on the start screen. It is important, that you create VPN for all users!
- On the Set up a Connection or Network wizard you have to choose Connect to workplace
- On the next step you can use an existing VPN connection or create a new one. If you already have a VPN configured, you can just modify it. In my case I will create a new one (I prefer always to create a new connection). If I have an old configuration, I always delete it and recreate a connection from the scratch
- On How do you want to connect, choose Use my Internet connection (VPN)
- Write the name or IP of the VPN endpoint, destination name and do not forget to check Allow other people to use this connection. Then click on Create
- If you want to do additional setting on this connection (specify protocol, add certificate …), you have to open the ncpa.cpl (Network Control panel) and from there you can review or change all settings you want
A connection done in this way will appear on logon screen and it is possible to establish VPN before you login in Windows.
Lately I had a lot of problems with TLS 1.0 standards, which have changed. For a lot of secure applications you have to disable TLS 1.0, if you want the connection to work.
Well, set settings for any user it makes no sense and the only acceptable way it is thru GPO settings. There is no real setting for change-enabled protocol (you have to do it in Internet Explorer settings). The only way I found was changing the registry value of SecuredProtocol, located in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings.
But here is only a numerical value and I had to find how is it calculated. I found some values in an article and from here you can calculate the desired value. The basic numbers are:
0 = Do not use secure protocols
2 = PCT 1.0
8 = SSL 2.0
32 = SSL 3.0
128 = TLS 1.0
512 = TLS 1.1
2048 = TLS 1.2
If you want to enable more protocols, just sum the desired numbers. For example, to enable TLS 1.1, TLS 1.2 and SSL 3.0 is 512 + 2048 + 32 = 2592. This is a decimal value for a registry key SecuredProtocol. Deploy a registry value true GPO and the setting is done.
Well as I know many users are trying to find Windows key with some key viewer software. Nothing wrong, but this software is not always “nice” and can do something else than just show you a key. Of course, with Windows 8.1 and Windows 10 you have many times a key in BIOS, so there is no need to search for it.
Anyway, if you feel better when you have a key printed on a piece of paper, you can do that simply with one PowerShell cmdlet:
Get-WmiObject -query ‘select * from SoftwareLicensingService’
This will show you more than only a key. There are a lot of information on licensing, like KMS server, OS version, … In some cases it can be useful.
I recently bought Minix Z83 mini PC and the first think I did was to upgrade it to the latest version of OS. Unfortunately, I received immediately an upgrade error with a code 0xc1900200. This means that UEFI partition on the disk is too small. It should be at least 350MB, but deployed size is 64MB.
Well, no problem, you have just to resize the partition and this is very simple. I use a tool named EaseUS Partition Master, which gave me very good results everywhere. But there was a second disappointment: I was not able to move or resize the partition “Other” with size 16MB and in Minix forums there is no explanation what this partition is used for or if I can delete it.
I did some research what to do with current file system, why we have an additional partition and finding some answers I decided to delete this 16MB partition.
So, my steps to solve the problem were:
- Install and start EaseUS Partition Master
- Resize the system partition (C:) in a way to reduce size for 270MB and apply free space in a front of partition
- Restart the computer (EaseUS needs to restart a computer to apply changes on system partition)
- Start EaesUS Partition Master again
- Delete the partition with the size 16MB
- Resize UEFI partition to 350MB
- Apply all changes (You can see the final situation on the image)
- Close EaseUS Partition Master and restart the computer
- Update Windows with Windows 10 Upgrade Assistant.
This step will guarantee you to upgrade your OS to the latest version and avoid problems in the future. The steps are valid also for other systems and other configurations, but be careful when you have more than only needed partitions. Any additional partition is there for some reason and is better to find why before you remove or resize it.
Of course you have heard about the new malware, which yesterday created a lot of problems in industry. Unfortunately it is not an unknown problem.
Microsoft released a patch for this type of vulnerability already in March, but it seems once again that administrators are not patching their systems.
So, if you haven’t patched your systems at least every month, if you haven’t patched your system from March, is time to do it. And don’t forget to have a good defense system (antivirus and other prevention mechanisms). Update them to!
You can find additional information in this link.
Here is a link to post how was neutralized and who did this.
Anyway, we have already a version 2.0; you can read about this version here.
Again, please patch your systems! This update will solve a vulnerability. And don’t forget: this is not the first malware who was written on known vulnerability – patch your systems constantly!
Additionally, please disable SMB1 protocol – it is not new that it is not secure. Here and here are some guidelines how to do it via GPO.