Re: Windows 11 Pro For Workstations Iso


Odina Conkright

Jul 16, 2024, 3:26:46 AM
to georadorhand

I hope everyone is doing well! I'm reaching out today with a concern regarding workstations and their compatibility with Microsoft Teams. As a user who heavily relies on Teams for communication and collaboration, I've recently encountered some challenges that I believe are related to my workstation setup.




To give you a bit of context, I'm using Microsoft Teams on a daily basis for video conferences, file sharing, and instant messaging. However, I've noticed that my workstation (a Windows 10 PC) sometimes struggles to handle the demands of Teams, leading to performance issues that can be quite frustrating.

I'd like to hear from the community about their experiences with Teams on different workstations and any tips or best practices you've found to improve performance. Additionally, if there are any Microsoft experts or representatives here, I'd greatly appreciate some insights into the hardware requirements and optimization strategies for Teams.

If you're still experiencing performance issues after following these tips, you may want to consider upgrading your workstation hardware. Teams is optimized for newer hardware, so upgrading your CPU, RAM, and/or GPU can make a significant difference in performance.

I'm not an official Microsoft representative, but I am Microsoft 365 Certified: Teams Administrator Associate MS-700 and I've done a lot of research on this topic because I am working every day with those issues.

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.

End to end zero trust security for privileged access requires a strong foundation of device security upon which to build other security assurances for the session. While security assurances may be enhanced in the session, they will always be limited by how strong the security assurances are in the originating device. An attacker with control of this device can impersonate users on it or steal their credentials for future impersonation. This risk undermines other assurances on the account, intermediaries like jump servers, and on the resources themselves. For more information, see clean source principle.

All users and operators benefit from using a secure workstation. An attacker who compromises a PC or device can impersonate or steal credentials/tokens for all accounts that use it, undermining many or all other security assurances. For administrators or sensitive accounts, this allows attackers to escalate privileges and increase the access they have in your organization, often dramatically to domain, global, or enterprise administrator privileges.

The successful deployment of a secure workstation requires it to be part of an end to end approach including devices, accounts, intermediaries, and security policies applied to your application interfaces. All elements of the stack must be addressed for a complete privileged access security strategy.

At all levels, good security maintenance hygiene for security updates will be enforced by Intune policies. The differences in security as the device security level increases are focused on reducing the attack surface that an attacker can attempt to exploit (while preserving as much user productivity as possible). Enterprise and specialized level devices allow productivity applications and general web browsing, but privileged access workstations do not. Enterprise users may install their own applications, but specialized users may not (and are not local administrators of their workstations).

Web browsing here refers to general access to arbitrary websites which can be a high risk activity. Such browsing is distinctly different from using a web browser to access a small number of well-known administrative websites for services like Azure, Microsoft 365, other cloud providers, and SaaS applications.

Essential to a secured workstation is a supply chain solution where you use a trusted workstation called the 'root of trust'. Technology that must be considered in the selection of the root of trust hardware should include the following technologies included in modern laptops:

This guidance shows how to harden Windows 10 and reduce the risks associated with device or user compromise. To take advantage of the modern hardware technology and root of trust device, the solution uses Device Health Attestation. This capability is present to ensure the attackers cannot be persistent during the early boot of a device. It does so by using policy and technology to help manage security features and risks.

As far as running a script...sure, but you'd have to be a lot more specific as to how you want to connect to the computers, whether you want it to run once remotely or at login, scheduled, etc. etc. etc.

You haven't said which version of Windows the workstations are running, but the easiest thing to do is to launch Group Policy editor to create the policies (like TheCleaner described). Then copy the user and computer folders from the first machine's %systemroot%\system32\grouppolicy\ to the new machine's same location, then either reboot or run gpupdate /force. This should work fine for both XP and 7.

As for running these remotely, you could either use PSExec to run gpupdate force, or you could use shutdown /r /m \\computername. Both of these assume that you're running the command/script from a local account with credentials that have administrative rights on the target machine, or have specified those credentials for PSExec.

I am having issues with some of the Windows workstations not being able to be discovered in my work's environment. These machines are primarily returning with the "RPC server is unavailable" error, and it occurs more on one of the domains than the other.

I have tried the troubleshooting presented in all the previous postings people have made in the community about the "RPC server is unavailable" error. I have tested the credentials from the MID server machine using the cmd prompt and powershell scripts, used RDC to connect to one of the workstations having the issue from the MID server, confirmed with our network group that traffic wasn't being restricted, checked that the RPC service was up and running, repaired WMI on one of the machines, and tested that the 135 port was open using telnet.

The only thing I can find in common on these machines is that these machines' reverse DNS lookup results in incorrect workstation names being returned. Also, when I test the credentials using the PowerShell script "gwmi win32_operatingsystem -computer -credential" I get "The RPC server is unavailable" if I enter the IP address of the machine, but if I enter the host name I get a clear response back. Any suggestions on anything I might be missing with this issue?

Edit: I should add that these are machines that were able to be discovered before by ServiceNow, and one of the machines having the discovery issue is my work laptop which has been my main test machine.

Hi -- You've obviously done a lot of troubleshooting already, nice job. But it's unclear if the Windows firewall on the target Windows servers to be scanned might be blocking. These 2 KBs on HI discuss this issue with RPC unavailable:
KB0549834 .... 1 of the issues that stood out from this KB was "This indicates that the MID Server is not able to access the remote machine using RPC. Usually that is caused by a Windows firewall on the remote machine not letting RPC requests go through."

And also KB0564282 .... 1 possible issue mentioned "A firewall blocks Remote Procedure Call (RPC) calls from the MID Server to the Microsoft Windows Server preventing the discovery process. The problem can be caused either by Windows Firewall (embedded) or an external firewall.

Firewall is not configured correctly to let through RPC calls from the MID Server. Typically, RPC uses large range of ports. The MID Server initiates the RPC connection on port 135, but once the connection is established, it uses any port in the range of 1024 and up."

I have seen the DNS problem in one of our servers before; after I fixed those DNS entries in our DNS servers, the issue got resolved. Contact your Windows team to update the false DNS entry on the DNS server.

Thank you for the links sir. I actually tried both of these shortly after posting this in the community, and unfortunately they did not work to resolve my issue. It seems to be that because reverse DNS is failing to resolve correctly, then WMI is failing to connect.

Hypothetically speaking if my Domain team was aware of the issue, and responded with "DNS is tricky and there is nothing we can do" would you have any follow up suggestions for workarounds? We are seeing this DNS issue on servers as well as Windows workstations.

The OneAgent also monitors all processes running on this machine including all network connections, log files and is also keeping an eye on key events on that machine, e.g: deployment changes, process restarts or crashes. The following screenshot shows the second part of the host details dialog:

The crash information alone is already great to pass on to developers. Additionally, the customer and his team looked into traffic patterns of the Pace Application at the time of the crash. Dynatrace is also recording this type of data. In their instance, it showed them that the problem was not a result of high or unusual traffic or transactions.

If you want to give this a try yourself, simply sign up for the Dynatrace Trial (either SaaS or On-Premises), install the OneAgents on your workstations, and dig into the data it provides in case your end users experience any problems. Remember to leverage metadata, tags & host groups to better organize your monitoring data as well as to streamline your alerting!

This tweak/tip guide will be full of caveats. Why? Because tweak guides should be full of caveats, of course. There are always implications and side effects to any choices you make when customizing a system.
