Dead on Domain Arrival

Dead on Domain Arrival

Recently I experienced an unusual issue that caused all new laptops, independent of brand, to either brick or be caught in an infinite repairing loop when joined to a domain.

Lost AD Trust and Your Local Account Doesn’t Work!
Surviving and Passing SOC Audits – Part One
Moving files up a folder level

Recently I experienced an unusual issue that caused all new Windows 10 OS laptops, independent of brand, to either brick or be caught in an infinite repairing loop when joined to a domain. To make things even more confusing this did not happen to laptops older than 6 months. As long as the laptops were not domain joined everything was fine, Windows 10 OS installed with no issues, updates performed, applications installed no issue. However, as soon as it was joined to the domain it would brick on the next reboot. The Computer AD object was still in the built-in “Computers” OU, which would only have default domain policy applied, so that was the suspect.

Turns out back in 2018 when the Meltdown/Spectre Vulnerability was big news, many places put in a couple of registry fixes. In this case the GPO containing these registry changes was the Default Domain GPO.

HKLM:SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management FeatureSettingsOverride 00002048
HKLM:SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management FeatureSettingsOverrideMask 00000003

Those registry keys affect the CPU side channel function, which apparently newer chip sets do not like, by removing those keys everything worked normally again. Supposedly most of the Spectre/Meltdown has been patched over time by Microsoft, and firmware updates by Intel/AMD, so the registry keys may not be need at all at this point. In any case you can create a separate OU for newer laptops without the GPO, and keep an OU for older laptops with the GPO still applied just in case your vulnerability scanner still picks up the missing registry keys and you get dinged for it on an audit, at least it would minimize your attack surface.

 

COMMENTS

WORDPRESS: 0