Fix for: Can’t Connect to Azure VM via RDP

I use Azure Virtual Machines (VMs) a lot for demos and testing. Recently when I tried to connect to some of my VMs using remote desktop I got an error message. The message read “An authentication error has occurred. The function requested is not supported.” Researching this error on the Internet led me to a security update applied to Windows 10 and Windows Server 2016 that was rolled out on April 17, 2018. This update includes an update for the Remote Desktop Client (RDP) to fix a CredSSP authentication protocol vulnerability. After the update is applied you can no longer RDP to any machine that isn’t fully updated. My problem was that my Windows 10 laptop had been updated, but my Azure VMs had not been updated.

I’ve seen several fixes on the Internet to work around this problem temporarily using registry settings or Group Policy Objects (GPO). Unfortunately, the only Active Directory server involved was also on Windows Server 2016, so there was no way to attach to it to make registry changes or modify GPO settings. But I was able to find another workaround that let me access the affected servers via RDP so that I could update them.

The Solution

The trick was to find a server or workstation that hadn’t been updated yet. In my case I had a local Windows 8.1 Hyper-V VM that I hadn’t updated in a while.  Using that I was able to access the affected VMs and run Windows Update.  Once the update was applied I could RDP into them from my Windows 10 laptop.

I also found that I could still RDP from my iPhone to the affected servers to apply the update.  I admit that the screen size is pretty small and difficult to work with, but it is possible.  So if you don’t have a workstation or server that hasn’t been upgraded recently you can try to RDP in from your non-Microsoft phone.  Note: I didn’t try using Android, but I assume it will also work.

Changing Default Permissions in Office 365 Group Sites

Changing the permissions assigned to the default Owners, Members, and Visitors groups in a SharePoint site is easy. You just navigate to Site Settings > Site Permissions. Then select the group whose permissions you want to change and assign them a new permission level using the Edit User Permissions button in the Ribbon. But that won’t work in the site created behind an Office 365 Group. When you try to use the same procedure you find that the Edit User Permissions button is greyed out if you select any of the built-in administrative groups. (See the screenshot below.)

[Screenshot: EditGroupPermissions]

The problem is that Office groups are created when you create a Security Group in Office 365. By default that security group is added to the built-in Members group of the Site Collection. To make sure that you don’t inadvertently lock users out of the site, Microsoft disables your ability to change the permissions on the default administrative groups when using an Office Group based site.

But there is still a way to modify the permissions for the users in the groups. If you navigate to the home page of the site and select Site Permissions from the Settings menu (the gear), you will see a panel open on the right-hand side of the browser window. Under Site Members you will see the security group that provides the basis for the Office group you created. If you select Edit under that group you can change the permissions for the members of the group to either Read or Full Control. However, instead of changing the permission level for the group, it will actually move the security group to either the Site Visitors or Site Owners group, respectively.

[Screenshot: O365 Change Group permissions]

But what if I want to change the default group’s permissions to Contribute instead of Edit? To do that you’ll need to use two different SharePoint groups. 

  • First, use the Site permissions panel to move the underlying security group from the Site Members group to the Site Visitors group.  This will give all your users Read permissions to the site.
  • Second, click on the Advanced permissions settings link at the bottom of the panel.  This will take you to the regular site permissions page that you are used to.  Now you can create a new SharePoint group and assign it whatever permission level you want.  After you create the group add the same security group you moved above as a member of the new SharePoint group.  Since SharePoint permissions are additive this will give all your users both Read permission and whatever new permission level you assigned, for example Contribute.
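The same two steps can be scripted, which makes the change repeatable and reviewable across several group sites. The following is an added example, not code from the original post: it assumes the PnP.PowerShell module and site-owner rights, the site URL and new group name are placeholders, and matching the Office 365 group by its claim provider name is an assumption about how the group appears in Site Members. It grants the new access before removing the old so that users are never locked out in between.

```powershell
# Added example (not from the original post). Assumes the PnP.PowerShell module.
# $SiteUrl, $NewGroupName and $PermissionLevel are caller-supplied placeholders.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,
    [string] $NewGroupName    = 'Site Contributors',
    [string] $PermissionLevel = 'Contribute'
)

Import-Module PnP.PowerShell -ErrorAction Stop
# Some module versions also require -ClientId for your own app registration.
Connect-PnPOnline -Url $SiteUrl -Interactive

$members  = Get-PnPGroup -AssociatedMemberGroup
$visitors = Get-PnPGroup -AssociatedVisitorGroup

# Find the Office 365 group principal inside Site Members.
# Assumption: its login name carries the federated directory claim provider.
$claim = @(Get-PnPGroupMember -Group $members |
    Where-Object { $_.LoginName -like '*federateddirectoryclaimprovider*' })

if ($claim.Count -ne 1) {
    throw "Expected exactly one Office 365 group claim in '$($members.Title)', found $($claim.Count). Nothing changed."
}
$login = $claim[0].LoginName

# Step 1 (first half): give the group Read via Site Visitors.
Add-PnPGroupMember -LoginName $login -Group $visitors

# Step 2: create the new SharePoint group (if missing), assign the level, add the group.
$target = Get-PnPGroup -Identity $NewGroupName -ErrorAction SilentlyContinue
if (-not $target) {
    $target = New-PnPGroup -Title $NewGroupName
}
Set-PnPGroupPermissions -Identity $NewGroupName -AddRole $PermissionLevel
Add-PnPGroupMember -LoginName $login -Group $target

# Step 1 (second half): only now drop the Edit-level membership.
Remove-PnPGroupMember -LoginName $login -Group $members

# Report what each group grants so the result can be reviewed.
foreach ($g in @($visitors.Title, $NewGroupName, $members.Title)) {
    $roles   = (Get-PnPGroupPermissions -Identity $g).Name -join ', '
    $holders = (Get-PnPGroupMember -Group $g).LoginName -join '; '
    [pscustomobject]@{ Group = $g; Roles = $roles; Members = $holders }
}
```

Run it against a test site first and compare the final report with the Advanced permissions settings page before applying it elsewhere.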

I hope that clarifies how to manage Permissions in the new Office 365 group sites.  Since Team sites are based on Office Groups, the same procedure applies to any Team sites you’ve created.

SharePoint Fest – DC Wrap-up and Slides

I continue to feel honored that SharePoint Fest invites me to present at their conferences. The most recent event was in DC a couple weeks ago. The attendees were great and both of my talks were well received. As always I really enjoyed the conference and the discussions I had with attendees and the other presenters. This is one of the few times each year that I get to see a lot of my friends who live all over the world. The next conference is in Denver in June. I hope to see you there.

I had lots of attendees at both sessions who asked for the slides so I’ve uploaded them here.  They are also available on the SharePoint Fest DC site.  If you have any follow-up questions please email me at paul.stork@bluechip-llc.com.  You can download a copy of the slides from each talk using the links below:

BV 202 – SharePoint 2016: What’s New and Why should I Upgrade?

ECM 104 – Protecting your Content: Demystifying Data Loss Prevention (DLP) in SharePoint 2016