1. ForeverYoung2

    ForeverYoung2 MDL Novice

    Dec 5, 2015
    39
    24
    0
  2. By default, Windows stores 10 user profiles on the device. They are saved on the device indefinitely. So the login servers shouldn't be the problem.
     
  3. ForeverYoung2

    ForeverYoung2 MDL Novice

    Dec 5, 2015
    39
    24
    0
    #3 ForeverYoung2, Mar 26, 2020
    Last edited: Mar 26, 2020
    (OP)
I know that, but I'm sure there's a catch somewhere somehow. I've never done IT work, so I was hoping someone with DC experience could shed some light.
Of course, an employee can go abroad for a long time and not be connected to AD, but I doubt it's permanent. Of course %UserProfile% remains permanently on the machine regardless, but does it also "comply" regardless..?

I want more details on what is the most basic config to achieve this. Furthermore, we could potentially mock the AD network responses when an account is deployed on the machine and release it, similar to the KMS solutions here.
     
  4. MS_User

    MS_User MDL Guru

    Nov 30, 2014
    4,659
    1,364
    150
You want to trick your machine into thinking it's logged in to a DC when it really isn't, and have the security policies that apply when you log in to a DC?
     
  5. ForeverYoung2

    ForeverYoung2 MDL Novice

    Dec 5, 2015
    39
    24
    0
I can apply the policies myself as a user, to my understanding. The issue is applications categorize you as a "consumer", "general public" and don't respect the policies.

[attached image: upload_2020-3-26_21-20-18.png]

The point I was trying to make by writing all that bs up there was that even if GP rules don't have this writing on the rules, they still don't respect your configuration once they see you're a localuser/username.
So, what does Chrome check for to know if the user is part of a DC or not? It could be as simple as a reg path. But the issue goes beyond Chrome.

BTW, device management is something Google offers with Google Apps for Business; it's in the Admin Console.
     
  6. bfoos

    bfoos MDL Guide Dog

    Jun 15, 2008
    757
    703
    30
    I don't have the answer to OP's question but I must say that this is an intriguing idea.
     
  7. ForeverYoung2

    ForeverYoung2 MDL Novice

    Dec 5, 2015
    39
    24
    0
Think of it this way: in business, if you don't respect the rules, you get sued. The business could be handling state secrets, nuclear weapons and whatever; when you select the no-telemetry option, telemetry goes away.
At my old job, the rule that was pushed through was that only port 443 is allowed as an outgoing or incoming connection, period. I tried every trick in the book to no avail; the only way out was to tunnel out through port 443 or a proxy... etc.

Here are some examples you can try, on whatever Windows super enterprise... as a local user.
-Try creating a firewall rule to block all IPv6 connections, monitor the activity and see if svchost or any Windows exe gives a rat's ass about your rule.
-Try blocking UDP... you shouldn't be able to resolve "ping google.com" and yet you do. Try to disable NetBIOS; you actually can, but then weird things you can't explain start happening randomly.
-Try disabling IPv6 globally; you can't, no matter what: the loopback interface is still alive and well through IPv6. Try this in PowerShell: "Get-NetAdapterBinding -IncludeHidden"
I can keep going...
Rules set over MMC are taken more seriously, but svchost still doesn't give a f.

Long story short, I just don't have time to dive into Win Server just for this project.
All I need is a 1-2-3 of buttons to click to:
1. create a domain, with one or more users (or open?)
2. where the user has GOD privileges.
3. Is there anything else needed to maintain this status over time?

Heck, I bet someone has an Azure template ready for this.

I'll make a VMDK with a snapshot of this Windows server, and start joining from another VM as a user, reverting changes over and over in order to capture/understand all network activity.
Even if I suck, we'll still have the VM for our community.
And I believe this is worth far more than all the scripts, package removals and tricks that 1/3 of the posts here are about, and yet everything goes back the way it was on the next cumulative update.
I'll pay for your AWS expense; just launch an instance and record a video doing it. But deep inside, I fear it should be more difficult than this.
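The two questions raised above (post 5: what an application like Chrome can check to decide whether the machine is domain-joined; post 7: the IPv6 binding experiment and the "10 cached profiles" point from post 2) can be answered from the machine itself with the script below. This is an added example, not code from the thread or from any poster: it calls the Win32 `NetGetJoinInformation` API (the documented way for a program to ask the OS for its join state), cross-checks it against `Win32_ComputerSystem` and `dsregcmd /status`, reads the `CachedLogonsCount` value that controls how many domain logons work offline, and then runs the poster's `Get-NetAdapterBinding -IncludeHidden` narrowed to the IPv6 component. The helper names (`Get-JoinState`) are mine; the API, class and registry names are real. Windows PowerShell 5.1 on Windows 10, no admin rights needed.

```powershell
# Added example (not from the thread): query the machine's domain-join state the way
# an application could, then inspect offline-logon caching and IPv6 bindings.

# 1. Join state via the Win32 API applications can call: NetGetJoinInformation.
Add-Type -Namespace Win32 -Name NetApi -MemberDefinition @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetGetJoinInformation(string server, out IntPtr nameBuffer, out int joinStatus);
[DllImport("netapi32.dll")]
public static extern int NetApiBufferFree(IntPtr buffer);
'@

function Get-JoinState {
    # Helper name is mine; the API it wraps is the documented netapi32 call.
    $buf = [IntPtr]::Zero
    $status = 0
    $rc = [Win32.NetApi]::NetGetJoinInformation($null, [ref]$buf, [ref]$status)
    if ($rc -ne 0) { throw "NetGetJoinInformation failed with NET_API_STATUS $rc" }
    $name = [Runtime.InteropServices.Marshal]::PtrToStringUni($buf)
    [void][Win32.NetApi]::NetApiBufferFree($buf)
    # NETSETUP_JOIN_STATUS: 0 unknown, 1 unjoined, 2 workgroup member, 3 domain member
    $kind = @{ 0 = 'Unknown'; 1 = 'Unjoined'; 2 = 'Workgroup'; 3 = 'Domain' }[$status]
    [pscustomobject]@{ JoinStatus = $kind; Name = $name }
}

Get-JoinState

# 2. The same answer from CIM, which is what most admin scripts use.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain        # holds the workgroup name when not domain-joined
    DomainRole   = $cs.DomainRole    # 0/1 standalone/member workstation, 2/3 standalone/member server, 4/5 backup/primary DC
}

# 3. Azure AD / MDM enrollment is a separate state; dsregcmd ships with Windows 10.
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|MdmUrl'

# 4. How many domain logons keep working with no DC reachable (default "10").
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name CachedLogonsCount |
    Select-Object CachedLogonsCount

# 5. The IPv6 experiment from the post: ms_tcpip6 is the IPv6 binding; hidden adapters
#    (loopback and the like) are the ones that keep it enabled after a "global" disable.
Get-NetAdapterBinding -IncludeHidden -ComponentID ms_tcpip6 |
    Select-Object Name, DisplayName, Enabled
```

A machine that reports `Unjoined` or `Workgroup` from step 1 while `dsregcmd` shows `AzureAdJoined : NO` is, from an application's point of view, an unmanaged consumer device regardless of what is set under HKLM\SOFTWARE\Policies; step 5 shows why the loopback adapter still answers over IPv6 after the per-adapter bindings are turned off.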
     
  8. ForeverYoung2

    ForeverYoung2 MDL Novice

    Dec 5, 2015
    39
    24
    0
For those who don't know what I'm talking about, try using some NirSoft tools like LiveTcpUdpWatch.
For the next level up, try Microsoft Network Monitor 3.4.

Wireshark is good, but it has no exe origin information.
     
  9. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,071
    10
    #9 shewolf, Mar 27, 2020
    Last edited: Mar 27, 2020
  10. shewolf

    shewolf MDL Senior Member

    Apr 16, 2015
    471
    1,071
    10
  11. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,730
    60
As far as I know, you should not be able to fake AD from Windows itself; it would be a security issue bigger than the wall of China.
But looking at how KMS emulators work, a tunnel with an emulated server or directly hooking kernel functions might be doable. A lot of effort, though.
It's more feasible to use another device (Windows Server) to set it up.
Recently there's been quite some progress on Android and iOS support for managing ADs; it might be the easier path to follow.

I've been beating the "Enterprise LTSC is less safe on home PCs" mantra on this forum for a long time exactly for this reason: no domain-joined, AD-secured, enterprise-level AV subscription? Get f**ked! Even more so than an up-to-date consumer build, because at the very least, that one has an improved set of mitigations.
     
  12. ForeverYoung2

    ForeverYoung2 MDL Novice

    Dec 5, 2015
    39
    24
    0
Just set up Enterprise 2004.
Turn off Cortana, turn off web results, turn off everything. Nothing: Bing still there, web results still there, 0 f**ks given by Microsoft.
     
  13. rcstar6696

    rcstar6696 MDL Senior Member

    Jun 11, 2017
    447
    351
    10
    #14 rcstar6696, Jun 10, 2020
    Last edited: Aug 2, 2020
    -snip-
     
  14. WindowsGeek

    WindowsGeek MDL Expert

    Jun 30, 2015
    1,493
    435
    60
He's trying to fake a simulated server login to trick his computer into thinking it's logged in to the server?
     
  15. ForeverYoung2

    ForeverYoung2 MDL Novice

    Dec 5, 2015
    39
    24
    0
What registry settings did you apply? Can you please point me to a link?

I picked this up here as an ESD and turned it into an ISO without touching anything; all editions are there as default: 19041.264.200511-0456.VB_RELEASE_SVC_REFRESH_CLIENTENTERPRISE_VOL_X64FRE_EN-US
After posting here I set up Win Server 2019 on a VM, joined it, applied GPO, and got the same results for both local user and domain user.

[attached image: upload_2020-6-10_20-54-5.png]
     
  16. ForeverYoung2

    ForeverYoung2 MDL Novice

    Dec 5, 2015
    39
    24
    0
I set up Win Enterprise because Pro 1902 was doing the same thing.

Lastly, here's another example: you know the notification for internet connectivity. You connect to Wi-Fi and it always pings Microsoft; if that fails, "No internet", but internet works fine everywhere. So yes, I've always disabled the rule under Admin Templates/System/Internet Communi.... etc. That "No internet" warning has always still applied, since 1607.
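The connectivity indicator in the post above is the Network Connectivity Status Indicator (NCSI), whose active probe is configured under the NlaSvc service key and whose GPO ("Turn off Windows Network Connectivity Status Indicator active tests", under Internet Communication Management / Internet Communication settings) writes `NoActiveProbe` under the NCSI policy key. The script below is an added example, not code from the thread: it reads both locations so you can see whether the policy actually landed and what host the probe targets, then resolves that host so the address can be matched against what LiveTcpUdpWatch or Network Monitor shows. The function name `Get-NcsiState` is mine; the registry paths and value names are the real Windows 10 ones, read only if present.

```powershell
# Added example (not from the thread): inspect the NCSI active-probe configuration
# behind the "No internet" indicator and the policy that is supposed to turn it off.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

function Get-NcsiState {
    # Helper name is mine; both keys are the documented NCSI locations on Windows 10.
    $p = Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue
    $s = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 1 when the "Turn off ... active tests" policy is Enabled; $null when it was never written
        NoActiveProbe       = $p.NoActiveProbe
        # Service-side switch and probe targets that NlaSvc uses for the HTTP and DNS checks
        EnableActiveProbing = $s.EnableActiveProbing
        ActiveWebProbeHost  = $s.ActiveWebProbeHost
        ActiveWebProbePath  = $s.ActiveWebProbePath
        ActiveDnsProbeHost  = $s.ActiveDnsProbeHost
    }
}

$state = Get-NcsiState
$state

# If the policy value is missing, the GPO never reached this machine (local user, no DC,
# or gpupdate not run); if it is 1 and probes still appear, the indicator is ignoring it.
if ($null -eq $state.NoActiveProbe) {
    Write-Warning 'NoActiveProbe is not set: the GPO has not been applied to this machine.'
}

# Resolve the probe host so its addresses can be matched against the traffic monitor.
$probeHost = $state.ActiveWebProbeHost
if ($probeHost) {
    Resolve-DnsName -Name $probeHost -Type A -ErrorAction SilentlyContinue |
        Select-Object Name, IPAddress
}
```

Run it once as a local user and once after joining the test domain and running `gpupdate /force`; the `NoActiveProbe` column is the quickest way to tell whether the difference you see is the policy not being delivered or the indicator not honouring it.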