Hi everyone, hope you guys are enjoying your weekend. Today is actually the day Malaysians vote for their new leader (Prime Minister).
Proof that I have voted! This year's voting allocation for special needs and old folks was really convenient.
Anyway, let’s start the topic of today!
Microsoft recently raised an alert in tenants' Defender for Identity admin portal about new requirements that must be implemented in the domain controllers' GPO.
The warning should look like this in your Defender for Identity admin portal:
There is a link to recommendations that should guide you on how to resolve this issue. However, I realized the article by Microsoft did not CLEARLY write out the steps on how to locate the Group Policy. This feedback has been raised to the authors and they have already attended to it.
In your domain controller's Event Viewer logs you should see events with ID 8004.
It affects those domain controllers that do not have this policy enabled. To enable the policy, follow the steps below.
- Log in to a writable domain controller with an account that has permission to modify the GPO
- Go to Start > Search and Launch Group Policy Management
- Select Group Policy Objects > Find Default Domain Controllers Policy > Right click and edit Default Domain Controllers Policy
- Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Select “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” > Choose Audit all > OK
- Select “Network security: Restrict NTLM: Audit NTLM authentication in this domain” > Choose Enable all > OK
- Select “Network security: Restrict NTLM: Audit Incoming NTLM Traffic” > Choose Enable auditing for all accounts > OK
- Go to Start > Search and launch Command Prompt > Run this command: "gpupdate /force". (For immediate application, do this on all the available domain controllers with the sensor agent too)
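Once the policy has been pushed, the thing you actually want to know is which domain controllers picked it up and whether event 8004 has started flowing. The script below is an added example (not from the original post or from Microsoft's article) that checks both from a single DC. It assumes the ActiveDirectory module is available, that the account can run remote commands on every DC, and that the three Security Options above are backed by the registry values named in the script (RestrictSendingNTLMTraffic, AuditNTLMInDomain and AuditReceivingNTLMTraffic, with the audit-level numbers shown); confirm those mappings against your own GPO editor before relying on them.

```powershell
# Added example: verify that the NTLM auditing policy from the steps above has
# reached every domain controller, and count the resulting 8004 events.
# Assumption: these are the registry values behind the three Security Options
# ("Audit all" = 1, "Enable all" = 7, "Enable auditing for all accounts" = 2).
Import-Module ActiveDirectory

$expected = @{
    RestrictSendingNTLMTraffic = 1   # Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Audit all
    AuditNTLMInDomain          = 7   # Network security: Restrict NTLM: Audit NTLM authentication in this domain -> Enable all
    AuditReceivingNTLMTraffic  = 2   # Network security: Restrict NTLM: Audit Incoming NTLM Traffic -> Enable auditing for all accounts
}

# Every DC in the domain; the post says the policy must land on all of them.
$dcs = (Get-ADDomainController -Filter *).HostName

# Optional: force an immediate refresh on all DCs (same as the gpupdate step above).
# Invoke-Command -ComputerName $dcs -ScriptBlock { gpupdate /force | Out-Null }

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($expected)
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $nl  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    # Read the effective values as applied on this DC (missing value -> $null).
    $actual = @{
        RestrictSendingNTLMTraffic = (Get-ItemProperty $lsa -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
        AuditNTLMInDomain          = (Get-ItemProperty $nl  -ErrorAction SilentlyContinue).AuditNTLMInDomain
        AuditReceivingNTLMTraffic  = (Get-ItemProperty $lsa -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic
    }

    # A DC is compliant only when all three values match what the GPO should set.
    $missing = $expected.Keys | Where-Object { $actual[$_] -ne $expected[$_] }

    # Event 8004 is written to the NTLM operational log once auditing is on;
    # a compliant DC with zero events after a day usually means the log is disabled
    # or nothing is still authenticating with NTLM through it.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8004
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer                   = $env:COMPUTERNAME
        RestrictSendingNTLMTraffic = $actual.RestrictSendingNTLMTraffic
        AuditNTLMInDomain          = $actual.AuditNTLMInDomain
        AuditReceivingNTLMTraffic  = $actual.AuditReceivingNTLMTraffic
        Compliant                  = ($missing.Count -eq 0)
        MissingSettings            = ($missing -join ',')
        Event8004Last24h           = @($events).Count
    }
} -ArgumentList $expected

$report | Sort-Object Compliant, Computer | Format-Table -AutoSize

# Non-compliant DCs are the ones Defender for Identity is still warning about.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning ("{0}: policy not applied ({1})" -f $_.Computer, $_.MissingSettings)
}
```

Run it from any DC or management host with RSAT after the gpupdate step; a DC that shows Compliant = True but zero 8004 events for a day is worth a second look, since the sensor relies on those events for its NTLM coverage.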