daknetworks.com

Dell Powershell Bios | DellSmbios

Install-Module DellBIOSProvider

get-dellbiossettings

get-psdrive

ls DellSmbios

ls DellSmbios:\SystemInformation

set-item DellSmbios:\SystemInformation\asset $foovar

#Get all settings
$DellSettings = Get-ChildItem -Path DellSmbios:\
ForEach ($Setting in $DellSettings)
{
Get-ChildItem -Path "DellSmbios:\$($Setting.Category)" -WarningAction SilentlyContinue | Select-Object PSChildName,Attribute,CurrentValue,PossibleValues
}
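
Building on the loop above, here is an added example (not from the original post) that snapshots every DellSmbios attribute to a CSV baseline and later diffs a fresh read against it, so an unexpected BIOS change (boot order, Secure Boot, passwords) shows up as drift. It assumes the DellBIOSProvider module is installed as shown above; the baseline path is an assumption.

```powershell
# Added example, not part of the original post. Assumes Install-Module DellBIOSProvider
# has already been run; C:\installs\bios-baseline.csv is an assumed location.
Import-Module DellBIOSProvider

function Get-DellBiosSnapshot {
    # Walk every category under DellSmbios:\ and flatten to Category/Attribute/CurrentValue.
    foreach ($cat in Get-ChildItem -Path DellSmbios:\) {
        Get-ChildItem -Path "DellSmbios:\$($cat.Category)" -WarningAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Category     = $cat.Category
                    Attribute    = $_.Attribute
                    CurrentValue = [string]$_.CurrentValue
                }
            }
    }
}

function Save-DellBiosBaseline {
    param([string] $Path = 'C:\installs\bios-baseline.csv')   # assumed path
    Get-DellBiosSnapshot | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-DellBiosBaseline {
    # Emits one object per attribute that is new or whose value differs from the baseline.
    param([string] $Path = 'C:\installs\bios-baseline.csv')   # assumed path
    $base = @{}
    Import-Csv -Path $Path | ForEach-Object {
        $base["$($_.Category)\$($_.Attribute)"] = $_.CurrentValue
    }
    foreach ($s in Get-DellBiosSnapshot) {
        $key = "$($s.Category)\$($s.Attribute)"
        if (-not $base.ContainsKey($key))        { $state = 'New' }
        elseif ($base[$key] -ne $s.CurrentValue) { $state = 'Changed' }
        else                                     { continue }
        [pscustomobject]@{
            Setting  = $key
            Baseline = $base[$key]
            Current  = $s.CurrentValue
            State    = $state
        }
    }
}

# First run: Save-DellBiosBaseline
# Later runs: Compare-DellBiosBaseline | Format-Table -AutoSize
```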

NOTES:
https://www.configjon.com/working-with-the-dell-command-powershell-provider/
https://www.configjon.com/dell-bios-settings-management/

Last Updated on Wednesday, 13 September 2023 09:45

Jumbo Frames | Dell Compellent | CT-SCv3000 | VMware ESXi | Windows Server | Cisco Nexus 3000 , 3172

They say jumbo frames are faster.

A normal frame MTU is 1500.

A jumbo frame MTU is 9000.

All devices (server-nics, iscsi-hbas, switches and san-nics) need to support and be configured for jumbo frames.

Windows Physical Server MTU Settings

For each network adapter or iSCSI HBA on the Windows Physical Server:

via command line:
netsh interface ipv4 show subinterfaces
netsh interface ipv4 set subinterface "[interface name or index]" mtu=9000 store=persistent

via gui:
open network & internet settings.
change adapter options.
right-click adapter name.
properties.
configure.
advanced tab.
jumbo-packet.
set to 9014.

VMware ESXi Host MTU Settings (vmk nic)

In vSphere, click:
HOST-NAME > CONFIGURE > VIRTUAL-SWITCHES
find the VMK.
ellipsis.
view/edit the MTU settings.

Dell Compellent SC Series Storage MTU Settings

Dell Compellent | SC 280184 | CT-SCv3000 | SC-Series are all the same. Commonly referred to as Compellent, the line of storage is being phased out in favor of simplifying Dell offerings.

The jumbo frames need to be set in the fault-domains. This can be done via the web gui but most Dell EMC ProSupport techs I talk to like to use the Dell Storage Manager Client (DSMC).

  • STORAGE > FAULT-DOMAINS > iSCSI > iSCSI-FAULT-DOMAIN-1
  • EDIT-SETTINGS
  • find ADVANCED > MTU (towards the bottom)
  • set to 9000 (JUMBO)

Setting this will automatically set the MTU on the physical ports.

[image: compellent-jumbo-frames]

Also note that the Compellent has data tiers: fast, medium and slow. The idea is to put SSDs in the fast tier, 15K/10K drives in the medium tier and 7K drives in the slow tier.

It will automatically try to get you to set Automatic tiering.

But if all your drives are the same, put the volume on Tier 1, as it gives better performance.

Cisco Nexus 3172T | Nexus 3000 Series

This is a tough one.

In large corporate networks, different teams handle different areas. For the sake of discussion, let's say there is a virtual/VMware team and a networking team.

From what I can tell, VMware sysadmins have trouble explaining to network admins what is needed. I find this is mostly a lack of understanding of networking by the VMware sysadmins. I don't criticize them; it is confusing, especially when converged systems add an abstraction layer.

On the other side, good networking teams are hard to find. Anyone can type the commands if they are in a work instruction, but actually knowing and understanding the concepts and diagnosing the situation at hand is far fewer and farther between than you might imagine.

A good networking team will want a proper datacenter setup with top-of-rack (TOR) and aggregation switches using Cisco Nexus switches. These are set up as a vPC failover pair. Note that this is not a stack. Like a stack, they do communicate with each other. But unlike a stack, they are independent, so if one fails, the other takes over. The communication is only for knowing what the other is doing, not for traffic.

As a result, VMware sysadmins who don't understand the vPC concept gravitate towards stacking with Cisco Catalyst switches. Plug two 48-port switches together in the back and they show up as a single 96-port switch. Simply plug everything in and boom, done. Of course, on the con side of the coin, this is a single point of failure: if a switch fails, there is an outage.

The trade-off here is that they don't have to involve the network team as much. It gives VMware sysadmins more control, and they like that.

We try to do things properly around here. We are using a Cisco Nexus 3172T - Nexus 3000 series. 

While the higher-end units of the Nexus 7000 series and the Nexus 9000 series have per-port MTU settings, the Cisco Nexus 3172T does not. The MTU needs to be set in the QoS policy.

Getting this to work properly is a bear.

Dell has some docs on the setup here:
https://www.delltechnologies.com/asset/en-us/products/storage/industry-market/cisco-nexus-up-dell-sc-series-switch-configuration-guide-scg.pdf

class-map

policy-map

service-policy

interface

sh queuing interf e1/7

sh int prio

sho int flowcontrol

 sh int e1/7 | i i mtu
(yes, double "i"; first is for "include" & second is for "ignore case")

or
sh int e1/7 | grep ig mtu

sh class-map

sh policy-map

Notes:
https://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/118994-config-nexus-00.html

Test Jumbo Frames

You can test the jumbo by using ping:

ping -f -l 1472 11.11.11.40
ping -f -l 1473 11.11.11.40

ping -f -l 8972 11.11.11.40
ping -f -l 8973 11.11.11.40

The 1472 will test the MTU set at 1500. Overhead needs 28 bytes; 20 bytes for IP header + 8 bytes for ICMP header.
The 1473 should fail.

The 8972 will test the MTU set at 9000. Overhead needs 28 bytes; 20 bytes for IP header + 8 bytes for ICMP header.
The 8973 should fail.

Another tool to use is mturoute, just search and download:
mturoute.exe 11.11.11.40
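
The ping check above, as an added example (not from the original post) wrapped in a PowerShell function that tests MTU-28 and MTU-27 payloads for each MTU and, going a step beyond the post, binary-searches for the largest unfragmented payload the way a path-MTU tool does. It assumes Windows ping.exe with English output; 11.11.11.40 is the constructed address from the post.

```powershell
# Added example, not part of the original post. Assumes ping.exe on Windows and the
# English "Packet needs to be fragmented but DF set." message.

function Test-DfPing {
    # Send one ICMP echo with Don't Fragment set and classify the result.
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [int]    $PayloadBytes
    )
    $out = & ping.exe -n 1 -w 1000 -f -l $PayloadBytes $Target 2>&1 | Out-String
    if ($out -match 'needs to be fragmented') { return 'Fragmented' }
    if ($out -match 'TTL=')                   { return 'Reply' }
    return 'NoReply'    # timeout, unreachable, or ICMP filtered on the path
}

function Test-JumboFrame {
    # For each MTU, payload MTU-28 must get a reply and MTU-27 must be refused,
    # because the 20-byte IPv4 header plus 8-byte ICMP header make up the 28 bytes.
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int[]] $Mtu = @(1500, 9000)
    )
    foreach ($m in $Mtu) {
        $at   = Test-DfPing -Target $Target -PayloadBytes ($m - 28)
        $over = Test-DfPing -Target $Target -PayloadBytes ($m - 27)
        [pscustomobject]@{
            Mtu             = $m
            PayloadAtMtu    = $m - 28
            AtMtu           = $at
            OneOverMtu      = $over
            PathSupportsMtu = ($at -eq 'Reply' -and $over -eq 'Fragmented')
        }
    }
}

function Find-PathMtu {
    # Binary search on payload size; largest payload that gets a reply, plus 28, is the path MTU.
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int] $LowMtu  = 576,
        [int] $HighMtu = 9000
    )
    $lo = $LowMtu - 28; $hi = $HighMtu - 28; $best = 0
    while ($lo -le $hi) {
        $mid = [int](($lo + $hi) / 2)
        switch (Test-DfPing -Target $Target -PayloadBytes $mid) {
            'Reply'      { $best = $mid; $lo = $mid + 1 }
            'Fragmented' { $hi = $mid - 1 }
            default      { return $null }   # host not answering; stop rather than guess
        }
    }
    if ($best -gt 0) { return $best + 28 }
    return $null
}

Test-JumboFrame -Target 11.11.11.40 | Format-Table -AutoSize
Find-PathMtu    -Target 11.11.11.40
```

A result of 1500 from Find-PathMtu with jumbo configured on the server usually means one hop in between (switch port, QoS policy or the storage fault domain) is still at the default.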

Last Updated on Friday, 16 June 2023 22:03

OpenManage Enterprise

Finally, after all these years. Setting up an OpenManage Enterprise.

There is the following:
iDRAC: out of band management for cold boot.
OpenManage Server Administrator (OMSA): single server management.
OpenManage Essentials: older.
OpenManage Enterprise (OMENT): one-to-many management.

OMENT is a VM with the necessary info already included. Just download the package, unzip and deploy the OVF and VMDK files:
https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=fmk91&oscode=naa&productcode=poweredge-m640p

Boot it up and off you go.

  1. change the password.
  2. set the ip address.
  3. hit the address in a browser.
  4. do an initial scan of subnet: ie 10.62.27.0/24
  5. click CONFIGURATION > FIRMWARE > CATALOG-MANAGEMENT
  6. click ADD
  7. type a name; ie DELL-SUPPORT
  8. bullet  "Latest component versions on Dell.com"
  9. change to AUTOMATIC and select a time for daily sync.
  10. click CREATE-BASELINE
  11. select the catalog; ie DELL-SUPPORT
  12. type a baseline name; ie DELL-SUPPORT-BASELINE
  13. click NEXT
  14. bullet SELECT-GROUPS
  15. select ALL-DEVICES for everything.
  16. click FINISH

OMENT will automatically check compliance. If it doesn't, you can start the check manually without harm.

Once finished, view the report: it shows all devices (compute, storage, chassis, etc.) and everything that is out of date, with the installed version and the available version.

Simply checkmark the item(s) and click MAKE-COMPLIANT.

You can run the job now or schedule it for a later time such as overnight. It will let you know whether a reboot is required or not. I chose an update that does not require a reboot, bulleted UPDATE-NOW and clicked UPDATE as a test.

This puts the job in the queue and runs it automatically. You can view the job if you want, and it will show the status of each update and the entire process. After a few minutes, it shows the item updated successfully.

As a next test, I checkmarked all of the compute devices and clicked MAKE-COMPLIANT. I selected UPDATE-NOW and bulleted "Stage for Next Server Reboot." It took a bit of time, but it downloaded all the packages to the Lifecycle Controller and staged them for update during the next reboot.

With the system logged in, I rebooted it. In the virtual console, I could see the packages being applied as the system booted up.

The update included the bios, network firmware, perc, ssd firmware and a few other firmware items.

Last Updated on Wednesday, 12 April 2023 14:18

Upgrade VMware to 7.0.3

1-How to update the disks in the VRTX.
https://www.dell.com/support/kbdoc/en-us/000134181/dell-poweredge-how-to-update-disks-on-a-vrtx#:~:text=%20Article%20Content%20%201%20Connect%20the%20Chassis,the%20Keyboard%20section%20to%20filter%20the...%20See%20More.

2-Disk Firmware
https://www.dell.com/support/home/en-us/drivers/DriversDetails?driverID=4P9DW

3-How to upgrade the switch firmware.
https://www.dell.com/support/kbdoc/en-us/000193156/how-to-upgrade-the-firmware-on-a-dell-vrtx-network-1gbe-r2401-switch

4-How to update the CMC of a Dell PowerEdge VRTX
https://www.dell.com/support/kbdoc/en-us/000144612/how-to-update-the-cmc-of-a-dell-poweredge-vrtx#:~:text=1%20Log%20into%20the%20CMC%20IP%20with%20the,updated%2C%20starting%20from%20the%20active%20to%20the%20standby

5-CMC firmware 3.41
https://dl.dell.com/FOLDER09210287M/1/vrtx_cmc.bin

6-Lastly Dell ESXi ISO ESXi 7.0 U3 Build 20842708 Release Date 2023-02-17
https://customerconnect.vmware.com/downloads/details?downloadGroup=OEM-ESXI70U3-DELLEMC&productId=974

https://www.youtube.com/watch?v=TnWyuyxuk5k&t=2s
https://www.dell.com/support/kbdoc/en-us/000176963/dell-emc-customized-image-of-vmware-esxi-availability-and-download-instructions

==========================================
-find service tag number.
-had TOSHIBA - KPM5XVUG480G.
-wanted to update the disk firmware, cmc, idrac.
-all of these can be done without a production interruption.
-use support site to download the following:
--disk firmware
--cmc bin file
--idrac
-login to the cmc.
-click STORAGE (on the left-hand side).
-click UPDATE (at the top).
-click CHOOSE-FILE.
-select SAS-Drive_Firmware_4P9DW_WN64_B026_A00.EXE (yes, the entire EXE file; no do not extract; yes, the x64 if possible).
-click UPDATE.
-it will go through disk by disk (all 16 disks) and update the firmware.
-again, this will not interrupt any system in production.

-click CHASSIS-OVERVIEW.
-click UPDATE.
-find CMC Firmware (towards the top).
-find cmc-active & cmc-standby.
-checkmark the cmc-standby.
-click APPLY-CMC-UPDATE.
-click CHOOSE-FILE.
-select "vrtx_cmc.bin" (be sure the version is correct as it is not included in the file name; mine was 3.41.200).
-click BEGIN-FIRMWARE-UPDATE.
-it will go through and update the firmware.
-again, this will not interrupt any system in production.
-be patient.
-it will eventually show as updated with the correct version number (start continuous ping to cmc ip address; it will stop responding and then start responding again).
-start the same process for the cmc-active (you do not need to manually switch over; this will happen automatically).
-the same process will complete and both will have the same version.

-login to the idrac.
-click MAINTENANCE.
-click SYSTEM-UPDATE.
-click CHOOSE-FILE.
-select iDRAC-with-Lifecycle-Controller_Firmware_T9J9H_WN64_6.10.30.20_A00.EXE (yes, the entire EXE file; no do not extract; yes, the x64 if possible).
-click UPLOAD.
-checkmark the new idrac firmware.
-click INSTALL.
-the idrac will update and reboot the bmc without interfering with the live production system.

-login to the idrac.
-click MAINTENANCE.
-click SYSTEM-UPDATE.
-click CHOOSE-FILE.
-select the firmware for the nic-X550; Network_Firmware_F52F0_WN64_21.5.9_A02.EXE (yes, the entire EXE file; no do not extract; yes, the x64 if possible).
-click UPLOAD.
-checkmark the new network firmware.
-click INSTALL UPON NEXT REBOOT.


-go to https://customerconnect.vmware.com/
-download the esxi custom image for Dell systems.
-the Dell custom iso has the drivers slipstreamed for use with the vrtx. Without this, you risk the system not being able to recognize some of the hardware.
-use the idrac to bring up the virtual console.
-click VIRTUAL-MEDIA.
-click CONNECT-VIRTUAL-MEDIA.
-find MAP CD/DVD.
-click CHOOSE-FILE.
-select the VMware-VMvisor-Installer-7.0.0.update03-20842708.x86_64-Dell_Customized-A10.iso
-click MAP-DEVICE.
-click CLOSE.
-click BOOT.
-click VIRTUAL CD/DVD/ISO.
-click YES.
-this will tell it to boot from the ISO as a one-time-process.
-go to the VCENTER.
-move all vms to other hosts.
-put in maintenance mode.
-right-click > power > reboot.
-watch the virtual console.
-be patient.
-it will reboot and begin to update network firmware.
-once idrac is updated, it will boot the ESXI iso.

-you will see the Welcome to the VMWARE ESXI installation.
-click ENTER.
-press F11 to accept EULA.
-select disk to install. Usually, this is the LOCAL drive.
-press ENTER to continue.
-it will find the existing installation.
-it will automatically select UPGRADE ESXI, PRESERVE VMFS DATASTORE.
-press ENTER to continue.
-press F11 to confirm & upgrade.
-the upgrade will continue to 100%.


-click ENTER (to reboot; it will automatically reboot to the local drive and not use the ISO).
-click VIRTUAL-MEDIA.
-click DISCONNECT-VIRTUAL-MEDIA.
-click YES > CLOSE.
-the reboot will load the new version of ESXI.
-it may take longer than usual; this is normal.
-once up, go to VCENTER and take out of maintenance-mode.
-you are finished. The entire cluster updated firmware, drivers and ESXI os without any production downtime.

Last Updated on Tuesday, 11 April 2023 10:01

Eight Way WSUS Maintenance

After initial setup, find a way to perform WSUS maintenance. The following are the ways I've tried to perform WSUS maintenance. I started with more than 38K updates in WSUS.

1-Optimize-WsusServer
get script:
https://github.com/awarre/Optimize-WsusServer/blob/master/Optimize-WsusServer.ps1
Install-Module SqlServer -allowclobber
Optimize-WsusServer.ps1 -FirstRun
Optimize-WsusServer.ps1 -DeepClean

2-Wsus-Maintenance
Install-Script -Name Wsus-Maintenance
Wsus-Maintenance (to see the readme)
Wsus-Maintenance -Run

3-DeploymentBunny
get script:
https://deploymentbunny.com/2016/02/03/working-in-the-datacenter-keeping-wsus-happy-using-powershell/
https://github.com/DeploymentBunny/Files/tree/master/Tools/Invoke-WSUSMaint


4-Bryan Dam
get script:
Invoke-DGASoftwareUpdateMaintenance
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -DeclineSuperseded -UpdateListOutputFile c:\installs\Invoke-DGASoftwareUpdateMaintenance\ScriptsDeclinedUpdates.csv -DeclineByTitle @('*Itanium*','*ia64*','*Beta*') -DeclineByPlugins -RunCleanUpWizard -firstrun -StandAloneWSUS localhost -whatif
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -firstrun -StandAloneWSUS localhost -UseCustomIndexes -whatif

Probably the best once you customize and activate the plugins.


5-Powershell oneliner
get script:
Get-WSUSUpdate -Classification All -Status Any -Approval AnyExceptDeclined `
    | Where-Object { $_.Update.GetRelatedUpdates(([Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate)).Count -gt 0 } `
    | Deny-WsusUpdate

Nothing returns since the Invoke-DGASoftwareUpdateMaintenance takes care of everything.


6-Microsoft script
get script:
https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/decline-superseded-updates
DeclineSupersededUpdates.ps1 -skipdecline -UpdateServer localhost -Port 8530

I mean, sure... why not. Nothing returns since the Invoke-DGASoftwareUpdateMaintenance takes care of everything.


7-Powershell step commands, individually (as a group they time out):
Invoke-WsusServerCleanup -CleanupUnneededContentFiles -CompressUpdates
Invoke-WsusServerCleanup -DeclineSupersededUpdates
Invoke-WsusServerCleanup -DeclineExpiredUpdates
Invoke-WsusServerCleanup -CleanupObsoleteComputers
Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CompressUpdates


8-CleanUP-WSUS
get script v3.2:
.\CleanUP-WSUS.ps1 -firstrun
#kept here

NOTES
This was my actual procedure:

.\CleanUP-WSUS.ps1 -firstrun
.\CleanUP-WSUS.ps1 -scheduledrun
.\CleanUP-WSUS.ps1 -daily
.\CleanUP-WSUS.ps1 -monthly
.\CleanUP-WSUS.ps1 -quarterly
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -configfile .\config_wsus_standalone.ini
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -configfile .\config_wsus_standalone.ini #uncomment whatifpreference
.\Decline-SupersededUpdates.ps1 -SkipDecline -UpdateServer localhost -port 8530
.\Decline-SupersededUpdates.ps1 -UpdateServer localhost -port 8530 #remove -SkipDecline
.\Optimize-WsusServer.ps1 -firstrun
Get-WSUSUpdate -Status Any -Approval unapproved |?{$_.products -match "2003" -or $_.products -match "2007" -or $_.products -match "2010" -or $_.products -match "2013"} |Deny-WsusUpdate -verbose
Get-WSUSUpdate -Status Any -Approval unapproved |?{$_.products -match "Windows 10 and later Dynamic Update" -or $_.products -match "Windows 10 and later Dynamic Update, Windows Safe OS Dynamic Update" -or $_.products -match "Windows 10 and later GDR-DU" -or $_.products -match "Windows 10 GDR-DU FOD" -or $_.products -match "Windows 10 Feature On Demand" -or $_.products -match "Windows 10 LTSB, Windows 10" -or $_.products -match "Windows GDR-Dynamic Update"} |Deny-WsusUpdate -verbose

Get-WSUSUpdate -Classification critical -Status Any -Approval unapproved |Approve-WsusUpdate -Action Install -TargetGroupName "All Computers" -Verbose
Get-WSUSUpdate -Classification security -Status Any -Approval unapproved |Approve-WsusUpdate -Action Install -TargetGroupName "All Computers" -Verbose

get-module
get-module -listavailable
get-installedmodule
get-command -module pswindowsupdate
Get-WSUSUpdate -Classification Critical -Status Any -Approval unapproved |get-member 
Get-WSUSUpdate -Classification Critical -Status Any -Approval unapproved |select product -unique

Last Updated on Monday, 13 March 2023 04:57

Windows Server TLS 1.2 Check

Here it is:

wget https://raw.githubusercontent.com/microsoft/azure-devops-tls12/main/AzureDevOpsTls12Analysis.ps1 -outfile AzureDevOpsTls12Analysis.ps1
.\AzureDevOpsTls12Analysis.ps1
.\Mitigation-NetFramework.ps1

It's confusing for sure, with all the registry edits documented everywhere and whatnot. Here is one page filled with registry edits:
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

I do have a personal PowerShell script with registry gets/sets. But it seems like sysadmins want a GUI and, I'm finding out, are afraid of the shell/PowerShell.

The Azure DevOps team finally came up with a PowerShell script that checks the server and creates a customized script that changes the server to the recommended values.

The go-to for a GUI is IISCrypto.exe. It is nice to have a GUI for reference, as it shows the protocols, ciphers, hashes and key exchanges.

For reference, here are the security protocols through history:

  • PCT 1.0 (1995)
  • SSL 2.0 (1995)
  • SSL 3.0 (1996)
  • TLS 1.0 (1999)
  • TLS 1.1 (2006)
  • TLS 1.2 (2008)
  • TLS 1.3 (2018)

Then there is the fact that the protocols have different settings depending on if:

  • the server OS is acting as a server or as a client.
  • the protocol is disabled or disabled-by-default.
  • the protocol is enforced or just available.
  • the protocol is set for the OS or for DOTNET.
  • the Key-Exchange order preference.
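
To make the role/default/enforced/.NET distinctions above concrete, here is an added read-only audit (not from the original post or the Azure DevOps script) that reads the Schannel protocol keys per Client and Server role and the two .NET Framework strong-crypto values, and lists anything older than TLS 1.2 that is not explicitly disabled. It assumes Windows Server with PowerShell 3 or later and reads only HKLM.

```powershell
# Added example, not part of the original post. Read-only: nothing here writes to the registry.
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegDword {
    # Returns the DWORD, or '(default)' when the key or value is absent and the OS
    # built-in default therefore applies.
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '(default)' }
    return [int]$item.$Name
}

function Get-SchannelProtocolState {
    # One row per protocol and role; Enabled=0 disables, DisabledByDefault=1 makes it
    # available only to applications that ask for it explicitly.
    foreach ($p in $protocols) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path $schannel "$p\$role"
            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                Enabled           = Get-RegDword -Path $key -Name 'Enabled'
                DisabledByDefault = Get-RegDword -Path $key -Name 'DisabledByDefault'
            }
        }
    }
}

function Get-DotNetTlsState {
    # .NET Framework 4.x follows the OS protocol list only when both DWORDs are 1;
    # the 64-bit and WOW6432Node (32-bit) hives are read separately and should agree.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($k in $keys) {
        [pscustomobject]@{
            Key                      = $k
            SchUseStrongCrypto       = Get-RegDword -Path $k -Name 'SchUseStrongCrypto'
            SystemDefaultTlsVersions = Get-RegDword -Path $k -Name 'SystemDefaultTlsVersions'
        }
    }
}

function Find-WeakProtocolsStillOn {
    # Anything below TLS 1.2 that is not explicitly Enabled=0 is a finding; '(default)'
    # is reported too, because it depends on the OS version rather than on your policy.
    Get-SchannelProtocolState |
        Where-Object { $_.Protocol -in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' -and $_.Enabled -ne 0 }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetTlsState        | Format-List
Find-WeakProtocolsStillOn | Format-Table -AutoSize
```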

Notes

https://en.wikipedia.org/wiki/Transport_Layer_Security

Last Updated on Monday, 30 January 2023 07:20

Server 2019 Not Updating Cumulative Update | WSUS Cumulative Update

Multiple Server 2019 machines were not installing the cumulative update. They would just keep trying to download and install it.

TLDR;

-Reset-WUComponents.
-remove VMWARE TOOLS
-uninstall all hotfixes to get back to release-to-manufacturing (RTM)
-reboot
-DISM /Online /Cleanup-Image /RestoreHealth
-sfc /scannow
-reboot
-get-windowsupdate -microsoftupdate -verbose
-install-windowsupdate -microsoftupdate -verbose
-install one-by-one; leaving the CUMULATIVE-UPDATE last.
-remove the failed drivers identified in C:\Windows\INF\setupapi.dev.log
-install CUMULATIVE-UPDATE

Story

Tried newest SSU
Tried Reset-WUComponents.
Tried manual reset.
Tried DISM /Online /Cleanup-Image /RestoreHealth
Tried sfc /scannow
Tried sfcfix
Tried dotnet repair.
Tried setting the AppReadiness service to automatic.
Tried Troubleshooter Windows Update.
Tried VM Console (no RDP).

The installation would go through but the reboot would fail with the error message:
"We couldn’t complete the updates. Undoing changes."

Manual intervention was required.

First, let us stop the automatic update so we can inspect what is happening without the system continuously updating:
net stop cryptsvc
net stop bits
net stop wuauserv

Next, let us see what patch/hot-fix is failing:
get-wuhistory
You will see the failed patches/hotfixes/KBArticleIDs. 

get-windowsupdate -microsoftupdate -verbose
This will show a list of available updates. The updates were:
KB4589208 Update for Windows Server 2019
KB5021085 2022-12 Cumulative Update for DotNet
KB2267602 Microsoft Defender Antivirus
KB5022286 2023-01 Cumulative Update January

install-windowsupdate -microsoftupdate -verbose
Install one at a time; answer yes to the first and no to the rest, leaving the Cumulative Update for last.

Let's make sure the services are set to start automatically:
sc query cryptsvc
sc query bits
sc query wuauserv
sc query trustedinstaller

sc qc cryptsvc
sc qc bits
sc qc wuauserv
sc qc trustedinstaller

sc config wuauserv start= auto
sc config bits start= auto
sc config cryptsvc start= auto
sc config trustedinstaller start= auto
(sc.exe requires the space after "start="; trustedinstaller/"Windows Modules Installer" will reset itself to DEMAND_START/"manual" after the Cumulative Update)

cleanmgr
reboot

Try to install the Cumulative Update. We know it will fail, but it generates logs on reboot.
install-windowsupdate -microsoftupdate -verbose

Next, we can look at the following logs:
get-windowsupdatelog (this is the overall update log)
c:\windows\logs\cbs\cbs.log (this is the detail of the update, which hands off to the reboot log)
c:\windows\logs\cbs\CbsPersist_*.log (this is the reboot log detail from when the "Trusted Installer" takes over)

Let's grep/search/findstr for the error:
Get-Content .\CbsPersist_20230125113018.log |findstr /i hresult

Shows the following:
DriverUpdateUninstallUpdates failed [HRESULT = 0x80070003

Let's grep/search/findstr for the error:
get-content C:\Windows\INF\setupapi.dev.log -tail 500 |findstr !

Shows the following:
! sto: Unable to open configuration key for driver package 'oem8.inf'. Error = 0x00000002
! sto: Unable to open configuration key for driver package 'wpdfs.inf'. Error = 0x00000002
! sto: Unable to invalidate all dependent driver configurations. Error = 0x00000002
! idb: Could not locate driver package 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\ntprint.inf' for publishing. Error = 0x00000003
! cpy: Unable to publish 'ntprint.inf_amd64_83aa9aebf5dffc96\ntprint.inf' to 'ntprint.inf' via hardlink. Error = 0x00000003
!!! cpy: Failed to publish 'ntprint.inf_amd64_83aa9aebf5dffc96\ntprint.inf' to 'ntprint.inf'. Error = 0x00000003
!!! idb: Failed to unpublish 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_a87eceb9bd76580c\ntprint.inf'. Error = 0x00000003
!!! sto: Failed to unpublish driver package. Error = 0x00000003
!!! sto: Failed to unpublish all driver updates. Error = 0x00000003
!!! idb: Cannot unregister published driver package 'ntprint.inf_amd64_92093dc83a6de3db'. Error = 0x00000032
!!! idb: Failed to unregister driver package 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_92093dc83a6de3db\ntprint.inf'. Error = 0x00000032
!!! sto: Failed to delete driver package from Driver Store. Error = 0x00000032
!!! sto: Failed to unstage all driver updates. Error = 0x00000032
! sto: Driver package already imported as 'oem14.inf' (C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_92093dc83a6de3db\ntprint.inf).
! dvi: Access denied from Query and Remove
! dvi: Access denied from Query and Remove
! dvi: Access denied from Query and Remove
! dvi: Access denied from Query and Remove
! dvi: Access denied from Query and Remove
!!! idb: Cannot unregister published driver package 'ntprint.inf_amd64_92093dc83a6de3db'. Error = 0x00000032
!!! idb: Failed to unregister driver package 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_92093dc83a6de3db\ntprint.inf'. Error = 0x00000032
!!! sto: Failed to delete driver package from Driver Store. Error = 0x00000032
!!! sto: Failed to unstage all driver updates. Error = 0x00000032
! sto: Driver package already imported as 'oem14.inf' (C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_92093dc83a6de3db\ntprint.inf).

>>> [Delete Device - SWD\PRINTENUM\{D94CF386-60BA-424C-AAC6-92B3F6144E4D}]
>>> Section start 2023/01/25 06:31:48.466
cmd: C:\Windows\System32\spoolsv.exe
! dvi: Access denied from Query and Remove
<<< Section end 2023/01/25 06:31:48.466
<<< [Exit status: SUCCESS]

Looks like it is related to Printers/PrintNightmare.
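
Rather than eyeballing the findstr output, here is an added example (not from the original post) that parses setupapi.dev.log lines of the form "!!! idb: ... Error = 0x00000032" into objects and rolls them up by error code and quoted driver package, so the package blocking the update stands out. The sample lines are constructed from the excerpt above; point it at the real log on the server.

```powershell
# Added example, not part of the original post. The here-string is a constructed sample
# taken from the excerpt above; on a server use Get-Content on the real setupapi.dev.log.
$sampleLog = @'
!     sto: Unable to open configuration key for driver package 'oem8.inf'. Error = 0x00000002
!!!   cpy: Failed to publish 'ntprint.inf_amd64_83aa9aebf5dffc96\ntprint.inf' to 'ntprint.inf'. Error = 0x00000003
!!!   idb: Cannot unregister published driver package 'ntprint.inf_amd64_92093dc83a6de3db'. Error = 0x00000032
!!!   sto: Failed to delete driver package from Driver Store. Error = 0x00000032
!     dvi: Access denied from Query and Remove
'@ -split "`r?`n"

function ConvertFrom-SetupApiLine {
    # Severity is the run of bangs (1 = warning, 3 = failure), then the subsystem tag
    # (sto, idb, dvi, cpy ...), then the message with an optional "Error = 0x........".
    param([Parameter(ValueFromPipeline)] [string] $Line)
    process {
        if ($Line -notmatch '^(?<sev>!{1,3})\s+(?<sub>\w+):\s+(?<msg>.*)$') { return }
        $m   = $Matches
        $err = if ($m.msg -match 'Error = (0x[0-9A-Fa-f]{8})') { $Matches[1] } else { $null }
        $pkg = if ($m.msg -match "'([^']+)'")                  { $Matches[1] } else { $null }
        [pscustomobject]@{
            Severity  = $m.sev.Length
            Subsystem = $m.sub
            Error     = $err
            Package   = $pkg
            Message   = $m.msg
        }
    }
}

function Get-SetupApiFailureSummary {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $parsed   = @($Lines | ConvertFrom-SetupApiLine)
    $failures = @($parsed | Where-Object { $_.Severity -eq 3 })
    [pscustomobject]@{
        Warnings        = @($parsed | Where-Object { $_.Severity -eq 1 }).Count
        Failures        = $failures.Count
        ByErrorCode     = $failures | Group-Object Error | Select-Object Name, Count
        BlockedPackages = @($failures | Where-Object { $_.Package } |
                            Select-Object -ExpandProperty Package -Unique)
    }
}

Get-SetupApiFailureSummary -Lines $sampleLog
# On a server: Get-SetupApiFailureSummary -Lines (Get-Content C:\Windows\INF\setupapi.dev.log -Tail 500)
```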

Remove VMware Tools
-get-package "VMware Tools" |uninstall-package

Get Updates
-get-windowsupdate -microsoftupdate -verbose

Install Updates
-install-windowsupdate -microsoftupdate -verbose

===============================
Not sure if this section is needed

Open regedit.exe as Administrator
Load Hive select "C:\Windows\System32\config\DRIVERS"
Enter Key Name "TEMP"
Go to "REGPATH\TEMP\DriverDatabase\DriverInfFiles\ntprint.inf"
Take Ownership of this key.
Grant Administrators Full Control in Permissions.
Edit "Default" remove ntprint.inf_ntprint.inf_amd64_83aa9aebf5dffc96 and ntprint.inf_x86_a87eceb9bd76580c
Edit "Active" enter the remaining key example for my system was "ntprint.inf_amd64_83aa9aebf5dffc96".

Take Ownership and also Delete the referenced package.
HKEY_LOCAL_MACHINE\TEMP\DriverDatabase\DriverPackages\ntprint.inf_amd64_83aa9aebf5dffc96
HKEY_LOCAL_MACHINE\TEMP\DriverDatabase\DriverPackages\ntprint.inf_x86_10ccc41e998ac968

========

Go to "REGPATH\TEMP\DriverDatabase\DriverInfFiles\ntprint4.inf"
Take Ownership of this key.
Grant Administrators Full Control in Permissions.
Edit "Default" remove all data
Edit "Active" remove all data

Take Ownership and also Delete the referenced package.
HKEY_LOCAL_MACHINE\TEMP\DriverDatabase\DriverPackages\ntprint.inf_amd64_83aa9aebf5dffc96

Unload the "TEMP" hive.

============================
https://thatonecomputerguy.wordpress.com/2015/10/06/windows-update-fails-with-error-code-0x80073701-error_sxs_assembly_missing-solved/

Get-Content .\CBS.log |findstr /i hresult

Error                 CSI    00000042 (F) HRESULT_FROM_WIN32(ERROR_SXS_ASSEMBLY_MISSING) #197922# from Windows::ServicingAPI::CCSITransaction::ICSITransaction_PinDeployment(Flags = 0, a = 6f29c89d491b36146c2ff9acd3327914, version 4.0.15713.815, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}, cb = (null), s = (null), rid = 'Package_2_for_KB5013641~31bf3856ad364e35~amd64~~10.0.3946.2.5013641-38_neutral', rah = '9', manpath = (null), catpath = (null), ed = 0, disp = 0)[gle=0x80073701]

net stop spooler
del %systemroot%\System32\spool\printers\* /Q
HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments
net start spooler

Let's remove the KB:

wusa.exe /uninstall /KB:5013641 /quiet /norestart

Or try to go back to Release To Manufacturing (RTM) by removing all the hotfixes:
(get-hotfix).hotfixid.replace("KB","") | % {& wusa.exe /uninstall /KB:$_ /quiet /norestart}

Sometimes wusa does not work as well as Remove-WindowsPackage:

Get-WindowsPackage -Online `
|?{$_.ReleaseType -like "*Update*"} `
|%{Get-WindowsPackage -Online -PackageName $_.PackageName} `
|?{$_.Description -like "*KB5009543*"} `
|Remove-WindowsPackage -Online -NoRestart

Or if you need to remove all the updates to get back to release to manufacturing (rtm):
Get-WindowsPackage -Online `
|?{$_.ReleaseType -like "Update"} `
|Remove-WindowsPackage -Online

Get-WindowsPackage -Online |?{$_.ReleaseType -like "Update"} |%{Get-WindowsPackage -Online -PackageName $_.PackageName} |select
Get-WindowsPackage -Online |?{$_.ReleaseType -like "Update"} |%{Get-WindowsPackage -Online -PackageName $_.PackageName} |Remove-WindowsPackage -Online -NoRestart
Get-WindowsPackage -Online |?{$_.ReleaseType -like "Update"} |%{Get-WindowsPackage -Online -PackageName $_.PackageName} |?{$_.Description -like "*KB3151864*"} |Remove-WindowsPackage -Online -NoRestart

Last Updated on Sunday, 12 March 2023 11:29

WSUS Uninstall Package

DISM Uninstall Remove Stubborn Packages

I find that for stubborn packages, using DISM is best.

Take a look at all the "Update" packages:
Get-WindowsPackage -Online |?{$_.ReleaseType -like "Update"} | `
ForEach-Object {Get-WindowsPackage -Online -PackageName $_.PackageName} |select Description |ft -autosize

Remove a single package:
Get-WindowsPackage -Online |?{$_.ReleaseType -like "Update"} | `
ForEach-Object {Get-WindowsPackage -Online -PackageName $_.PackageName} | `
Where-Object {$_.Description -like "*KB5020874*"} |Remove-WindowsPackage -Online -NoRestart

Or uninstall all patches/hotfixes to get back to Release To Manufacturing (RTM):
Get-WindowsPackage -Online |?{$_.ReleaseType -like "Update"} |Remove-WindowsPackage -Online -NoRestart

Hotfix Uninstall

Get all packages from get-hotfix that are classified as "Update":
get-hotfix |?{$_.description -eq "Update"}

if (get-hotfix -id KB5009543) {
wusa /uninstall /kb:5009543
}

PSWindowsUpdate Uninstall

Remove-WindowsUpdate -KBArticleID KB5020874

$KBs = Get-WUHistory -Last 7 | Select-Object -ExpandProperty kb
Foreach ($KB in $KBs) {
Uninstall-WindowsUpdate -KBArticleID $KB
}

Get-WUHistory | ?{$_.Description -like "*Update*"} |Select -ExpandProperty kb |`
Foreach-Object {
Uninstall-WindowsUpdate -KBArticleID $_
}

Last Updated on Thursday, 23 February 2023 06:23

VMWare Errors - There is no more space for virtual disk

Here are the error messages:

0xc1d0000b due to failure pre-committing: Out of memory

Could not stat LFB on volume VRTX_Datastore: Out of memory

Heap vmfs3 already at its maximum size

exceeded for caller Fil3_FileIOInt

Max no space retries (10) exceeded for caller Fil3_SetFileLength (status 'No space left on device')

There is no more space for virtual disk 'VMNAME-HERE.vmdk'. You might be able to continue this session by freeing disk space on the relevant volume, and clicking Retry. Click Cancel to terminate this session.


Here is what I did: transfer some of the VMs off the host to another host.

Last Updated on Monday, 16 January 2023 19:40

Everything Is So Slow | Network Is Slow

It can't be DNS.
It can't be DNS.
It's DNS.

-set the DNS interface to be IPv4 only; remove all other interfaces.
-be sure the interface is set to DOMAIN/PRIVATE.

In short, check DNS and make sure the bindings are only on the IPv4 interface. Remove the other IP interfaces, like IPv6 and the "Remote NDIS Compatible Device." Again, YMMV, as IPv6 might be needed in the environment.

Also set the interface to DOMAIN/PRIVATE. For whatever reason, the Network Location Awareness service starts too early and sets the location to PUBLIC. You can set it to PRIVATE through:
get-netconnectionprofile |set-netconnectionprofile -networklocation PRIVATE

As well as set the NLA service to be a dependency on the DNS and NTDS:
sc config nlasvc depend= NSI/RpcSs/TcpIp/Dhcp/Eventlog/DNS/NTDS

In reality, the problem could be many items in the network configuration. But in this case, the vPC on the Cisco Nexus ToR switches wasn't created correctly and the NIC team wasn't created correctly on the Windows Server. So when I created the NIC team, it enabled DNS responses on all the new IP addresses/interfaces of that NIC team as well as other adapters. So I set DNS to only respond on the IPv4 interface and disabled the others. I went so far as to remove IPv6 altogether with:
Disable-NetAdapterBinding -InterfaceAlias "Ethernet Interface Name Here" -ComponentID ms_tcpip6

When DNS was set to only the IPv4 interface, it took a few minutes for everything to sort itself out but it finally settled down and hummed along nicely afterwards.
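
To check the "DNS listens only on the IPv4 interface" state described above before and after the change, here is an added example (not from the original post) that compares the DNS Server listening addresses with the IPv4 addresses on the domain-facing adapter and reports the connection profile; a second function restricts the listener set to those addresses. It assumes the DnsServer, NetTCPIP and NetConnection modules (Windows Server with the DNS role) and that -InterfaceAlias is set to the real team or adapter name.

```powershell
# Added example, not part of the original post. Assumes the DNS Server role and
# PowerShell 3 or later; the interface alias passed in is an assumption.

function Get-DnsListenerReport {
    param([Parameter(Mandatory)] [string] $InterfaceAlias)
    $setting = Get-DnsServerSetting -All
    $nicV4   = @(Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
                 Select-Object -ExpandProperty IPAddress)
    # An empty ListeningIPAddress means the service answers on every address it finds,
    # which is exactly the state that caused the slowdown above.
    $listen  = @($setting.ListeningIPAddress)
    [pscustomobject]@{
        ListensOnAll    = ($listen.Count -eq 0)
        Listening       = $listen
        NicIPv4         = $nicV4
        ListeningOnIPv6 = @($listen | Where-Object { $_ -like '*:*' })
        ListeningOffNic = @($listen | Where-Object { $_ -notin $nicV4 })
        Profile         = (Get-NetConnectionProfile -InterfaceAlias $InterfaceAlias).NetworkCategory
    }
}

function Set-DnsListenerToIPv4 {
    # Restrict DNS to the IPv4 addresses of the named adapter only.
    param([Parameter(Mandatory)] [string] $InterfaceAlias)
    $nicV4 = @(Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
               Select-Object -ExpandProperty IPAddress)
    if ($nicV4.Count -eq 0) { throw "No IPv4 address on '$InterfaceAlias'; refusing to empty the listener list." }
    $setting = Get-DnsServerSetting -All
    $setting.ListeningIPAddress = $nicV4
    $setting | Set-DnsServerSetting
    # Re-read so the caller sees what was actually applied.
    Get-DnsListenerReport -InterfaceAlias $InterfaceAlias
}

Get-DnsListenerReport -InterfaceAlias 'Ethernet Interface Name Here'
# Set-DnsListenerToIPv4 -InterfaceAlias 'Ethernet Interface Name Here'
```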

Last Updated on Tuesday, 03 January 2023 20:05

Fix Domain Controller Sync | Fix SYSVOL Sync

(Get-ADDomainController -Filter *).Name |Foreach-Object { repadmin /syncall $_ (Get-ADDomain).DistinguishedName /AdeP }
Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Select-Object Server, LastReplicationSuccess

DFS Replication is not working.

Set the replication to a higher number of days:
wmic /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=500

Then follow:
https://www.youtube.com/watch?v=UWF-pVr1JHg

Stop the DFSR service on all DC servers:
Invoke-Command -ComputerName server-1, server-2 -ScriptBlock { Stop-Service DFSR }

ADSIEdit:
set all servers to FALSE
set primary server to 1

Sync the servers:
repadmin /syncall server-1 /APed

ADSIEdit:
set primary server to TRUE

Sync the servers:
repadmin /syncall server-1 /APed

Start the DFSR service on all DC servers:
Invoke-Command -ComputerName server-1, server-2 -ScriptBlock { Start-Service DFSR }

Set the Days back to the default of 60:
wmic /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=60
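A health check to run before and after the rebuild above, as an added example that is not part of the original post: it reads every DC's SYSVOL replicated-folder state and the MaxOfflineTimeInDays value the procedure raises, so you can confirm it went back to 60 and that replication is Normal again. It assumes the ActiveDirectory module for the default DC list, WinRM access to the DCs, and the root\microsoftdfs namespace the wmic lines use; the replicated folder for SYSVOL is named "SYSVOL Share" in DFSR.

```powershell
# Added example (not from the original post): SYSVOL DFSR state and MaxOfflineTimeInDays per DC.
function Get-SysvolReplicationHealth {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName
    )
    # DfsrReplicatedFolderInfo.State codes from the DFSR WMI provider.
    $stateName = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
                    3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }

    foreach ($dc in $DomainController) {
        try {
            $cfg = Get-CimInstance -ComputerName $dc -Namespace root\microsoftdfs `
                       -ClassName DfsrMachineConfig -ErrorAction Stop
            $folders = Get-CimInstance -ComputerName $dc -Namespace root\microsoftdfs `
                       -ClassName DfsrReplicatedFolderInfo -ErrorAction Stop |
                       Where-Object ReplicatedFolderName -eq 'SYSVOL Share'
        } catch {
            [pscustomobject]@{ DC = $dc; Folder = 'SYSVOL Share'; State = 'UNREACHABLE'
                               MaxOfflineTimeInDays = $null; Note = $_.Exception.Message }
            continue
        }
        if (-not $folders) {
            [pscustomobject]@{ DC = $dc; Folder = 'SYSVOL Share'; State = 'MISSING'
                               MaxOfflineTimeInDays = $cfg.MaxOfflineTimeInDays
                               Note = 'no SYSVOL replicated folder on this DC (FRS, or DFSR not configured)' }
            continue
        }
        foreach ($f in $folders) {
            $state = $stateName[[int]$f.State]
            [pscustomobject]@{
                DC                   = $dc
                Folder               = $f.ReplicatedFolderName
                State                = $state
                MaxOfflineTimeInDays = $cfg.MaxOfflineTimeInDays
                Note = if ($cfg.MaxOfflineTimeInDays -ne 60) { 'MaxOfflineTimeInDays not back at the default 60' }
                       elseif ($f.State -ne 4)                { 'SYSVOL is not in Normal state yet' }
                       else                                   { '' }
            }
        }
    }
}
```

`Get-SysvolReplicationHealth | Format-Table -AutoSize` gives one row per DC; anything other than Normal/60 with an empty Note means the procedure is not finished.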

https://www.powershellgallery.com/packages/ADEssentials/0.0.149

Last Updated on Monday, 02 January 2023 11:58

Dell Wake On LAN (WOL)

Windows Server Update Services (WSUS) will patch the Windows OS (Windows 10, Windows 11, etc).

PDQ will deploy/patch 3rd party software (Chrome, Firefox, SAP, Acrobat Reader, etc). And I'm all for agent controlled systems like Ivanti/LANDesk/MobileIron.

AlienVault SIEM/USMA will track changes in the network.

Rapid7 will test for vulnerabilities and adhere to a standard.

But all the scheduling for after-hours scanning/patching/updating/deploying doesn't mean anything if the system isn't turned on.

As a Dell "shop", we are familiar with some of the abilities that are available, such as Dell Command Update:
dcu /scan

But Dell also has Dell Command PowerShell. This is a PowerShell module to control BIOS settings. Wait... what? Yup... awesome!

First, let's get the module, which is conveniently stored in the PowerShell Gallery:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module -Name DellBIOSProvider

Note that PDQ recently put out a HowTo install PowerShell Modules through PDQ:
https://help.pdq.com/hc/en-us/articles/4404308051483-Installing-PowerShell-Modules-With-PDQ-Deploy

After the PowerShell module is deployed, there are get/set commands to do the following:

  • set the WOL to enabled.
    gi .\WakeOnLan
    si .\WakeOnLan LanOnly -verbose
    (Disabled | LanOnly | WlanOnly | LanWlan | LanWithPXEBoot)
  • set the DEEPSLEEP to disabled.
    gi .\DeepSleepCtrl
    si .\DeepSleepCtrl Disabled -verbose
    (Disabled | S5Only | S4AndS5)
  • set the BLOCKSLEEP to enabled.
    gi .\BlockSleep
    si .\BlockSleep Enabled -verbose
    (Disabled | Enabled)

There are other settings as well such as get/set the wifi feature.
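The three gi/si pairs above as one idempotent function, added here as an example and not part of the original post or of the Dell module. Assumptions: DellBIOSProvider is installed; the attributes sit under the PowerManagement category (confirm with `Get-ChildItem DellSmbios:\PowerManagement` on your model); and if a BIOS admin password is set, the provider's Set-Item takes it via -Password.

```powershell
# Added example (not from the original post): enforce WOL / DeepSleep / BlockSleep via DellSmbios:.
function Set-DellWolBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Category = 'PowerManagement',   # assumed category for these three attributes
        [string]$BiosPassword                    # BIOS admin password, if one is set
    )
    Import-Module DellBIOSProvider -ErrorAction Stop

    $desired = [ordered]@{
        WakeOnLan     = 'LanOnly'    # wake on the wired NIC only
        DeepSleepCtrl = 'Disabled'   # deep sleep powers down the NIC, which defeats WOL
        BlockSleep    = 'Enabled'    # keep the OS awake through the patch window
    }

    foreach ($name in $desired.Keys) {
        $path = "DellSmbios:\$Category\$name"
        $item = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $item) { Write-Warning "$name is not exposed on this model; skipping"; continue }

        $want = $desired[$name]
        # PossibleValues is the model's own list of accepted strings; check before setting
        # (normalised in case the provider returns one comma-separated string).
        $allowed = @($item.PossibleValues | ForEach-Object { $_ -split ',' } | ForEach-Object { $_.Trim() })
        if ($allowed -notcontains $want) {
            Write-Warning "$name cannot be '$want' here (allowed: $($allowed -join ', '))"
            continue
        }
        if ($item.CurrentValue -eq $want) { Write-Verbose "$name already $want"; continue }

        if ($PSCmdlet.ShouldProcess($path, "change $($item.CurrentValue) -> $want")) {
            if ($BiosPassword) { Set-Item -Path $path -Value $want -Password $BiosPassword }
            else               { Set-Item -Path $path -Value $want }
            [pscustomobject]@{
                Setting = $name
                Was     = $item.CurrentValue
                Now     = (Get-Item -Path $path).CurrentValue   # read back to confirm the BIOS took it
            }
        }
    }
}
```

Because it only writes when the current value differs, it is safe to run on every PDQ deployment; `-WhatIf` shows what would change on a given model.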

Note: here is the KB that has the matrix of when WOL will/won't work:

https://downloads.dell.com/manuals/common/dell-emc-remote-wake-up-config-dell-client-cmd-suite.pdf

Last Updated on Friday, 30 December 2022 11:14

Dell PowerSwitch LAG LACP

In a datacenter spine-leaf model, 2 leaf switches are in the Top of Rack (ToR). Typically, the switches do not stack because they are not designed to stack. By design, each switch operates independently. This is for high availability. When both switches are working, there are 2 paths from the rack to the spine/core layer. In the event one switch goes down, one path remains. Having the switches stacked would result in a single path to the core. If the stack goes down, all paths to the spine go down; not the desired result.

Lower in the rack, servers hum along with multiple NICs. This could be a single server or a modular server like a Dell VRTX or a Dell FX. Each host in the chassis will have to independently go to each ToR switch.

While the ToR switches are independent, they still need to communicate. This is done through a vPC connection. The vPC connection is broken into 2 separate links: a peer-link and a keep-alive link. The peer-link sends the data over a high-speed connection (40G) for synchronization. Because the link is vital, 2 ports on each switch (say 1/49 and 1/50) should be used and bonded together through a LAG/Team/PortChannel. LAGs show as Po1, Po2 and so on.

The other link, the keep-alive link, is a simple heartbeat link and can be a slower connection (1G) such as the management port, mgmt0. It just sends and answers keep-alive queries. If the peer stops answering, the switch automatically takes action.

Just as the switchports have a LAG, the NICs on the server should have a LAG. Windows Server calls this a TEAM and Linux calls this a BOND (Intel calls this Advanced Network Services - ANS). I have other articles on creating a TEAM/BOND, so I won't do it here.

The goal is to have 2 NICs in a Team with one NIC going to the top switch and one NIC going to the bottom switch. Horizontally, the Nexus switches talk to each other to share information over the Peer-Link and check each other's status through the keep-alive link. Altogether, graphically, it looks like this:

vpc-v1

The TEAM has different modes; STATIC (hard assignment to Po1) or DYNAMIC/LACP (automatically negotiate and assigned).

For LACP to work, configuration must be done on both sides: on the OS and on the Switch.

On the OS, enable NIC Teaming, LACP and Dynamic, like so:

lacp-os-v1


For Dell PowerSwitches, the LAG is set with simple numbers; 1 for Po1. Just find the port that is needed (hint: use the ADDRESS-TABLES tab to lookup the MAC) and assign the LAG number. After the LAG number is assigned, click the LACP box to toggle and show an "L". Click APPLY.

Afterwards, find the next switchport and complete the same steps.

lacp-switch-v2

Where some get confused is that they create the LAG with all the ports/members and then they try to change to LACP. This will error with a message, "Cannot add a dynamic member to a LAG with static members." You have to remove all the ports/members from the LAG and add them one at a time.

NOTES:

https://networkdirection.net/articles/virtual-port-channels-vpc/virtualportchannels/

Last Updated on Sunday, 01 January 2023 12:37

Cisco Network Models | 3 Tier | Spine Leaf | Top of Rack (ToR)

racktables

cisco packet tracer

eve-ng


-----------------------
Hierarchical Model - 3 tier

CORE
Catalyst 9500-x/9600
https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9600-series-switches/nb-06-cat9600-series-data-sheet-cte-en.pdf

DISTRIBUTION/LAYER-3
Catalyst 4500-x/9500-x
https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9500-series-switches/nb-06-cat9500-ser-data-sheet-cte-en.pdf

ACCESS
Catalyst C9200-48P
https://www.cisco.com/c/dam/en/us/products/collateral/switches/catalyst-9200-series-switches/nb-06-cat-mig-guide-cte-en.pdf

The selection of the CORE really depends on the number of ports and bandwidth needed. If it is a larger site/campus, then the 9600 will be required.

-----------------------
Hierarchical Model - Collapsed Core - 2 tier

CORE/DISTRIBUTION/LAYER-3
Catalyst 4500-x/9500
https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9500-series-switches/nb-06-cat9500-ser-data-sheet-cte-en.pdf

ACCESS
Catalyst C9200-48P
https://www.cisco.com/c/dam/en/us/products/collateral/switches/catalyst-9200-series-switches/nb-06-cat-mig-guide-cte-en.pdf

If it is a smaller site/campus, then the CORE layer becomes redundant. There is no reason to send the traffic from the DISTRIBUTION layer to the CORE layer over 10G/25G/40G/100G just to have it, in turn, uplink that traffic to the firewall. Instead, just remove the CORE layer and let the firewall connection(s) become another port on the DISTRIBUTION switch.

-----------------------
Spine/Leaf Model ToR

SPINE
Nexus 9500
https://www.cisco.com/c/en/us/products/switches/nexus-9000-series-switches/datasheet-listing.html

AGGREGATION
Nexus 5000/7000/9300
https://www.cisco.com/c/en/us/products/switches/nexus-9000-series-switches/datasheet-listing.html

LEAF - Top-of-Rack (ToR)
Nexus 3172TQ
https://www.cisco.com/c/en/us/products/collateral/switches/nexus-3000-series-switches/data_sheet_c78-729483.pdf

-----------------------
Spine/Leaf Model EoR

SPINE
Nexus 9500
https://www.cisco.com/c/en/us/products/switches/nexus-9000-series-switches/datasheet-listing.html

AGGREGATION
Nexus 5500 End-of-Row (EoR)
https://www.cisco.com/c/en/us/products/switches/nexus-5000-series-switches/datasheet-listing.html

LEAF - Top-of-Rack (ToR)
Nexus 2000
https://www.cisco.com/c/en/us/products/switches/nexus-5000-series-switches/datasheet-listing.html

vxlan

Last Updated on Friday, 30 December 2022 06:10

Windows Diff for Exchange Customizations


The customizations in Exchange are manual edits to config files that are not exposed to the gui or ECP.

They are overwritten upon patching/upgrading to newer Cumulative Updates or Security Updates (CU's or SU's).

Be sure to save a copy of the configs in an immutable directory that are clearly marked with the date.

To inspect differences after a patch/upgrade, use the diff command (in PowerShell, diff is an alias for Compare-Object):

diff (cat 'E:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\Web.config') (cat e:\atemp\overrides\V15\ClientAccess\ecp\Web.config-v221013)

This will also work over UNC paths:

diff (cat 'E:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\Web.config') (cat \\server-name-here\e$\directory-name-here\overrides\V15\ClientAccess\ecp\Web.config-v221013)
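The save-a-dated-copy / compare-after-update routine described above, written out as two functions (an added example, not part of the original post). The Exchange and baseline paths are placeholders taken from the post's own commands; add the other files you customize to -RelativePaths.

```powershell
# Added example (not from the original post): dated baselines of Exchange config files and a
# line-level comparison against the live copies after a CU/SU.
function Save-ExchangeConfigBaseline {
    param(
        [string]$ExchangeRoot = 'E:\Program Files\Microsoft\Exchange Server\V15',
        [Parameter(Mandatory)][string]$BaselineRoot,               # e.g. E:\atemp\overrides\V15
        [string[]]$RelativePaths = @('ClientAccess\ecp\Web.config')
    )
    $stamp = Get-Date -Format 'yyMMdd'                              # same style as -v221013
    foreach ($rel in $RelativePaths) {
        $dest = Join-Path $BaselineRoot "$rel-v$stamp"
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Copy-Item -Path (Join-Path $ExchangeRoot $rel) -Destination $dest
        # Store the hash beside the copy so a tampered baseline is detectable later.
        (Get-FileHash -Algorithm SHA256 -Path $dest).Hash | Set-Content -Path "$dest.sha256"
    }
}

function Compare-ExchangeConfigBaseline {
    param(
        [string]$ExchangeRoot = 'E:\Program Files\Microsoft\Exchange Server\V15',
        [Parameter(Mandatory)][string]$BaselineRoot,
        [string[]]$RelativePaths = @('ClientAccess\ecp\Web.config')
    )
    foreach ($rel in $RelativePaths) {
        $live = Join-Path $ExchangeRoot $rel
        $leaf = Split-Path $rel -Leaf
        # Newest dated copy wins; names sort lexically because the stamp is yyMMdd.
        $base = Get-ChildItem -Path (Join-Path $BaselineRoot (Split-Path $rel)) -Filter "$leaf-v*" |
                Where-Object Extension -ne '.sha256' | Sort-Object Name | Select-Object -Last 1
        if (-not $base) { Write-Warning "No baseline for $rel"; continue }

        if ((Get-FileHash -Algorithm SHA256 -Path $live).Hash -eq
            (Get-FileHash -Algorithm SHA256 -Path $base.FullName).Hash) {
            [pscustomobject]@{ File = $rel; Baseline = $base.Name; Status = 'unchanged'; Lines = @() }
            continue
        }
        # '<=' lines exist only in the baseline (a customization the update wiped);
        # '=>' lines exist only in the live file (defaults the update wrote back).
        $lines = Compare-Object -ReferenceObject (Get-Content $base.FullName) -DifferenceObject (Get-Content $live) |
                 ForEach-Object { "$($_.SideIndicator) $($_.InputObject.Trim())" }
        [pscustomobject]@{ File = $rel; Baseline = $base.Name; Status = 'changed'; Lines = $lines }
    }
}
```

Run Save-ExchangeConfigBaseline right after each manual edit and Compare-ExchangeConfigBaseline right after each CU/SU; the '<=' lines are what has to be put back.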

VMware VM Task Already In Progress

Task already in progress:

vim-cmd vmsvc/getallvms
vim-cmd vmsvc/power.getstate 1234 (vm_id)
vim-cmd vmsvc/get.tasklist 1234 (vm_id)
vim-cmd vimsvc/task_info haTask-1234-vim.task-here
(vim-cmd vimsvc/task_info haTask-1234-vim.VirtualMachine.removeAllSnapshots-869472401)

You can try to shutdown or power-off the VM, but this never worked for me:
vim-cmd vmsvc/power.shutdown VMID
vim-cmd vmsvc/power.off VMID


=================================
You can try to kill the VM, but this never worked for me:

esxcli vm process list
esxcli vm process kill -t=soft -w=WorldID
esxcli vm process kill -t=hard -w=WorldID
esxcli vm process kill -t=force -w=WorldID

Soft is the most graceful
Hard performs an immediate shutdown
Force should be used as a last resort


============================================
There might be a lock on one of the files:

cd ~
cd /vmfs/volumes/DATASTORE-NAME-HERE/VM-NAME-HERE/
(ie: cd /vmfs/volumes/MDL_64TB_0/DC-FL-02)

Or if you want the actual volume identifier:
find -iname VM-NAME-HERE
cd /vmfs/volumes/5f241452-2001c64a-3959-1c721d715751/VM-NAME-HERE

lsof |grep -i "VM-NAME-HERE"
ls |while read x; do vmfsfilelockinfo -p $x |grep -i "is locked"; done

If there is a lock from a MAC address, try to return the VM to the host that has the MAC address and consolidate the snapshots. Check to see if the lock is removed.

In some cases, I can log into the vm and gracefully shutdown the guest OS and that removes the lock.

If 2 MAC addresses show, find the hosts that are the culprit, but note that HA can handle multiple MAC addresses gracefully:
esxcli network ip neighbor list

You can try to restart the following services, but this never worked for me:
/etc/init.d/vpxa stop
/etc/init.d/hostd stop
/etc/init.d/vpxa start
/etc/init.d/hostd start

Find any deltas:
ls -la /dev/deltadisks
(There should be no vmdk's here).

Shows mappings from device to uuid:
esxcli storage vmfs extent list

cd /var/log
less vmkernel.log |grep -i "VM-NAME-HERE"

cd /var/run/log
less vmkernel.log |grep -i "VM-NAME-HERE"

============================================
Finally just hard reboot the host via iDRAC.

Eventually found an error message:
There is no more space for virtual disk 'VM-NAME-HERE1_1-000003.vmdk'. You might be able to continue this session by freeing disk space on the relevant volume, and clicking Retry. Click Cancel to terminate this session.

What is strange is that there is 40TB free on the Datastore-0.
Migrated vm data files to independent datastore; Datastore-4 with 123TB free.
Removed oldest snapshot.

In some situations, Veeam Backup software will create a snapshot prior to backing up a VM. However, it fails. The snapshot will not show in the snapshot-manager.

Try to create a new snapshot and then choose the delete all. This should consolidate the snapshot chain.

However, if it keeps failing the consolidation, you might find that there is a .lck on it (see the instructions above).

Rebooting the host should unlock it. If it does not, stop all services associated to the backup software on the VM and try again.

Veeam locks the file when it fails. So, once the file is no longer locked, it should create a snapshot and then delete all.

NOTES:
https://kb.vmware.com/s/article/10051
https://kb.vmware.com/s/article/1004340
https://kb.vmware.com/s/article/84475

cd /vmfs/volumes/datastore_name/virtual_machine_name/

Last Updated on Saturday, 29 April 2023 13:06

VMware /storage/log Directory Full

Here is the link from VMware for the /storage/log directory being full:
https://kb.vmware.com/s/article/89009

  1. Connect to the VCSA by means of SSH
  2. to resolve the space issue temporarily, purge the content from content-library-runtime.log.stdout:
    # cd /storage/log/vmware/content-library/
    # echo > content-library-runtime.log.stdout  
  3. replace the content in /etc/vmware-content-library/log4j.properties with the contents of the file attached to this KB:
    # cd /etc/vmware-content-library/
    # cp -R log4j.properties log4j.properties.old
    # cat /dev/null > log4j.properties
    # vi log4j.properties - insert data from file attached to this document
  4. Verify the file ownership/permissions and change accordingly:
    # chown content-library:cis log4j.properties
    # chmod 640 log4j.properties
  5. Restart the content library service using:
    # service-control --restart content-library

Outlook 365 Task Bar on Left

Did the TASK BAR in Outlook suddenly move to the left-hand side?

This happens in Office365/Outlook365 as part of Microsoft's continuous updates and feature upgrades. This upgrade is intended to be permanent and cannot be turned off.

However, to put the Outlook Task Bar back in the proper place at the bottom:

  • click START
  • type CMD
  • in the command prompt, type (copy/paste):

reg add "HKCU\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides" /t REG_SZ /v "Microsoft.Office.Outlook.Hub.HubBar" /d "false"

Note that since this is a CURRENT-USER change, it happens as the current user; do not run AS-ADMIN or else you will be changing the ADMINISTRATOR account and not the account that is currently being used.

Last Updated on Tuesday, 16 August 2022 12:16

vCenter "HTTP Status 500 – Internal Server Error"

CHECK SSL CERTIFICATES IN VCENTER SERVER

https://kb.vmware.com/s/article/2015600

Run the following to check the certificates in vCenter:

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;


Here is the result:

[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Jul 30 04:55:53 2022 GMT
[*] Store : TRUSTED_ROOTS
Alias : 1de53225634a45f52840baf7b4a8e7dd6f8f1493
            Not After : Jul 24 16:55:52 2030 GMT
[*] Store : machine
Alias : machine
            Not After : Jul 24 16:55:52 2030 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
            Not After : Jul 24 16:55:52 2030 GMT
[*] Store : vpxd
Alias : vpxd
            Not After : Jul 24 16:55:52 2030 GMT
[*] Store : vpxd-extension
Alias : vpxd-extension
            Not After : Jul 24 16:55:52 2030 GMT
[*] Store : hvc
Alias : hvc
            Not After : Jul 24 16:55:52 2030 GMT
[*] Store : data-encipherment
Alias : data-encipherment
            Not After : Jul 24 16:55:52 2030 GMT
[*] Store : APPLMGMT_PASSWORD
Alias : location_password_default
[*] Store : SMS
Alias : sms_self_signed
            Not After : Jul 29 17:00:11 2030 GMT
[*] Store : wcp
Alias : wcp
            Not After : Jul 24 16:55:52 2030 GMT


===================================================

CHECK STS CERTIFICATES IN VCENTER SERVER

https://kb.vmware.com/s/article/79248

-download checksts.py
-python checksts.py

STS certs are valid for 2910 days.
No expired certs.


=====================================================

From the info above, __MACHINE_CERT is expired.

https://kb.vmware.com/s/article/82332

https://kb.vmware.com/s/article/2097936

-shutdown vCenter in the ESXi interface.
-take offline snapshot.
-verify the snapshot is complete.
-start the vCenter vm.
-/usr/lib/vmware-vmca/bin/certificate-manager
-press 3
-ran through defaults using the ip address as the hostname and vCENTER as VMCA name.
-wait 15 minutes.
-try vCenter web ui again.

Last Updated on Friday, 30 December 2022 06:07

VCSA Update

-ssh root
-no shell
-software-packages list
-software-packages stage --url
-software-packages list --staged
-software-packages list --staged --verbose
-software-packages install --staged

VMWare VCSA 6.7 Enable SMB 2

root@VCSA [ /var/log/vmware ]# /opt/likewise/bin/lwregshell add_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled REG_DWORD 1
root@VCSA [ /var/log/vmware ]# /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1
root@VCSA [ /var/log/vmware ]# /opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'
+  "Smb2Enabled"      REG_DWORD       0x00000001 (1)
   "EchoInterval"     REG_DWORD       0x0000012c (300)
   "EchoTimeout"      REG_DWORD       0x0000000a (10)
   "IdleTimeout"      REG_DWORD       0x0000000a (10)
   "MinCreditReserve" REG_DWORD       0x0000000a (10)
   "Path"             REG_SZ          "/opt/likewise/lib64/librdr.sys.so"
   "ResponseTimeout"  REG_DWORD       0x00000014 (20)
   "SigningEnabled"   REG_DWORD       0x00000001 (1)
   "SigningRequired"  REG_DWORD       0x00000000 (0)
root@VCSA [ /var/log/vmware ]# /opt/likewise/bin/lwsm restart lwio

Or force a reboot.

NOTES:
https://kb.vmware.com/s/article/2150832

Last Updated on Sunday, 17 July 2022 13:35

vSphere Client Error after Hostname and Network Settings Change | Failed to connect to endpoint

VCSA
vCenter Server with an embedded Platform Services Controller (PSC)

This has an internal ldap for single sign on (SSO); typically called VSPHERE.LOCAL. This can be changed to use SSO with another ldap or Windows Active Directory. Internally, this is called VMWare Directory or vmdir.

The VCSA system name/hostname should be in line with the domain; vcsa.company.tld

SSO: VSPHERE.LOCAL
HOSTNAME.DOMAIN.LOCAL
VCSA: v6.7.0.51000
ESXI: v6.7.0
USER: administrator@vsphere.LOCAL

=====================================
-On VCSA, new gateway, from 192.168.21.1 to 192.168.21.120
-On VCSA, changed hostname from 192.168.21.152 to HOSTNAME.DOMAIN.LOCAL
-Reboot
-Error: Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE


=====================================
Try to fix by:
-ssh in as root
-let us look at the logs

cat /var/log/vmware/messages

Failed to connect to VMware Lookup Service - https://HOSTNAME.DOMAIN.local:443/lookupservice/sdk


cd /var/log/vmware/vmdird/
ls -la
zcat vmdird-syslog.log.7.gz |grep 2022-07-15 |more

2022-07-15T02:20:10.930380+00:00 info vmdird  t@140164554802944: VmDir State (2)
2022-07-15T02:20:10.930719+00:00 info vmdird  t@140164554802944: Srv_RpcVmDirSetState: VmDir State (2)
2022-07-15T02:20:11.429906+00:00 info vmdird  t@140164554802944: VmDir State (3)
2022-07-15T02:20:11.430213+00:00 info vmdird  t@140164554802944: Srv_RpcVmDirSetState: VmDir State (3)
2022-07-15T02:34:26.608866+00:00 info vmdird  t@140163900499712: Add Entry (cn=HOSTNAME.DOMAIN.local,cn=Servers,cn=Pittsburgh,cn=Sites,cn=Configuration,dc=vsphere,dc=LOCAL)(from 127.0.0.1)(by cn=Administrator,cn=Users,dc=vsphere,dc=LOCAL)(via Ext)(USN 19454,0)
2022-07-15T02:34:26.663220+00:00 info vmdird  t@140163900499712: Add Entry (cn=HOSTNAME.DOMAIN.local,ou=Domain Controllers,dc=vsphere,dc=LOCAL)(from 127.0.0.1)(by cn=Administrator,cn=Users,dc=vsphere,dc=LOCAL)(via Ext)(USN 19455,0)
2022-07-15T02:34:26.666660+00:00 info vmdird  t@140163900499712: MOD 1,rep,member: (cn=192.168.21.152,ou=Domain Controllers,dc=vsphere,dc=LOCAL)
2022-07-15T02:34:26.666908+00:00 info vmdird  t@140163900499712: MOD 2,rep,member: (cn=HOSTNAME.DOMAIN.local,ou=Domain Controllers,DC=vsphere,DC=LOCAL)
2022-07-15T02:34:26.723039+00:00 info vmdird  t@140163900499712: Modify Entry (cn=DCAdmins,cn=Builtin,dc=vsphere,dc=LOCAL)(from 127.0.0.1)(by cn=Administrator,cn=Users,dc=vsphere,dc=LOCAL)(via Ext)(USN 19456,0)
2022-07-15T02:34:26.760656+00:00 info vmdird  t@140163900499712: Add Entry (cn=vmca/HOSTNAME.DOMAIN.local@VSPHERE.LOCAL,cn=Managed Service Accounts,dc=vsphere,dc=LOCAL)(from 127.0.0.1)(by cn=Administrator,cn=Users,dc=vsphere,dc=tpxca)(via Ext)(USN 19457,0)
2022-07-15T02:34:26.800188+00:00 info vmdird  t@140163900499712: Add Entry (cn=ldap/HOSTNAME.DOMAIN.local@VSPHERE.LOCAL,cn=Managed Service Accounts,dc=vsphere,dc=LOCAL)(from 127.0.0.1)(by cn=Administrator,cn=Users,dc=vsphere,dc=tpxca)(via Ext)(USN 19458,0)
2022-07-15T02:34:26.850848+00:00 info vmdird  t@140163900499712: Add Entry (cn=host/HOSTNAME.DOMAIN.local@VSPHERE.LOCAL,cn=Managed Service Accounts,dc=vsphere,dc=LOCAL)(from 127.0.0.1)(by cn=Administrator,cn=Users,dc=vsphere,dc=tpxca)(via Ext)(USN 19459,0)
2022-07-15T02:34:26.894935+00:00 info vmdird  t@140163900499712: MOD 1,rep,vmwLKUPPropertyValue: (HOSTNAME.DOMAIN.local)
2022-07-15T02:34:26.931662+00:00 info vmdird  t@140163900499712: Modify Entry (cn=Property3,cn=06bd9be7-5a98-4435-9a40-8c11d7847b69,cn=ServiceRegistrations,cn=LookupService,cn=Pittsburgh, cn=Sites,cn=Configuration,dc=vsphere,dc=LOCAL)(from 127.0.0.1)(by cn=Administrator,cn=Users,dc=vsphere,dc=LOCAL)(via Ext)(USN 19460,0)
2022-07-15T02:34:26.935916+00:00 info vmdird  t@140163900499712: MOD 1,rep,serverName: (cn=HOSTNAME.DOMAIN.local,cn=Servers,cn=Pittsburgh,cn=Sites,cn=Configuration,dc=vsphere,dc=LOCAL)
2022-07-15T02:34:26.950811+00:00 info vmdird  t@140163900499712: Modify Entry (cn=DSE Root)(from 127.0.0.1)(by cn=Administrator,cn=Users,dc=vsphere,dc=LOCAL)(via Ext)(USN 19461,0)
2022-07-15T02:34:26.953615+00:00 info vmdird  t@140163900499712: MOD 1,rep,vmwDCAccountDN: (cn=HOSTNAME.DOMAIN.local,ou=Domain Controllers,dc=vsphere,dc=LOCAL)
2022-07-15T02:34:26.956569+00:00 info vmdird  t@140163900499712: Modify Entry (cn=DSE Root)(from 127.0.0.1)(by cn=Administrator,cn=Users,dc=vsphere,dc=LOCAL)(via Ext)(USN 19462,0)
2022-07-15T02:34:26.959271+00:00 info vmdird  t@140163900499712: MOD 1,rep,vmwDCAccountUPN: (HOSTNAME.DOMAIN.local@VSPHERE.LOCAL)
2022-07-15T02:34:26.962386+00:00 info vmdird  t@140163900499712: Modify Entry (cn=DSE Root)(from 127.0.0.1)(by cn=Administrator,cn=Users,dc=vsphere,dc=LOCAL)(via Ext)(USN 19463,0)
2022-07-15T02:34:26.989844+00:00 info vmdird  t@140163900499712: Add Entry (cn=Replication Agreements,cn=HOSTNAME.DOMAIN.local,cn=Servers,cn=Pittsburgh,cn=Sites,cn=Configuration,DC=vsphere,DC=LOCAL)(from 127.0.0.1)(by cn=Administrator,cn=Users,dc=vsphere,dc=LOCAL)(via Ext)(USN 19464,0)
2022-07-15T02:34:29.046587+00:00 err vmdird  t@140163900499712: VmDirSRPGetIdentityData (HOSTNAME.DOMAIN.local@vsphere.LOCAL) failed, (9611)
2022-07-15T02:34:29.047219+00:00 err vmdird  t@140163900499712: VmDirSRPGetIdentityData (HOSTNAME.DOMAIN.local@vsphere.LOCAL) failed, (9611)
2022-07-15T02:34:29.047458+00:00 err vmdird  t@140163900499712: SASLSessionStart: sasl error (-20)(SASL(-13): user not found: no secret in database)
2022-07-15T02:34:29.047654+00:00 err vmdird  t@140163900499712: VmDirSendLdapResult: Request (Bind), Error (49), Message ((49)(SASL start failed.)), (0) socket (127.0.0.1)
2022-07-15T02:34:29.047838+00:00 err vmdird  t@140163900499712: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "", Method: SASL

-the error is: "user not found: no secret in database"
-it is referring to the following account:
(HOSTNAME.DOMAIN.local@vsphere.LOCAL)


=====================================
Let's see if the VMWare Directory/SSO/VSPHERE.LOCAL exists and is working.

We can test using curl:
curl -v telnet://192.168.21.152:636

Or we can test using the vdcadmintool:
/usr/lib/vmware-vmdir/bin/vdcadmintool
GetVmDirState failed: VmDirGetState() failed. error(382312694)
test ldap
Please enter LDAP server host: 192.168.21.152
Please enter LDAP server port: 389
Please enter LDAP server SSL port: 636
Please enter LDAP Bind DN: dc=vsphere,dc=LOCAL
Please enter LDAP Bind UPN: administrator@vsphere.LOCAL
Please enter LDAP Bind password:

Now we know and have verified that the VMWare Directory is indeed working.


==============================================
Let's reset the password for the account found in the error from the logs: (HOSTNAME.DOMAIN.local@vsphere.LOCAL)

/usr/lib/vmware-vmdir/bin/vdcadmintool

select 3

Enter the vCenter server: HOSTNAME.DOMAIN.local@VSPHERE.LOCAL

It will generate a random password for that account, but you may need to run it more than once if it puts invalid characters or blanks in the password.

Note: The tool does not filter out invalid characters from the generated password such as:
& (ampersand)
; (semicolon)
" (double quotation mark)
' (single quotation mark)
^ (circumflex)
\ (backslash)
% (percentage)

Copy that password because you have to paste it into the registry.

pA$$&;^\#*2i)W}nqK!~.Jd8z


==============================================
The system mimics Windows Registry and has a registry of its own.
Windows has REGEDIT/REG QUERY but VCSA has LWREGSHELL. This can view/change the registry.

Run these commands to view the reg key:
/opt/likewise/bin/lwregshell
cd HKEY_THIS_MACHINE\services\vmdir\
list_values

+  "Arguments"            REG_SZ          "/usr/lib/vmware-vmdir/sbin/vmdird -s -l 0 -f /usr/lib/vmware-vmdir/share/config/vmdirschema.ldif"
+  "dcAccount"            REG_SZ          "HOSTNAME.DOMAIN.local"
+  "dcAccountDN"          REG_SZ          "cn=HOSTNAME.DOMAIN.local,ou=Domain Controllers,dc=vsphere,dc=LOCAL"
+  "dcAccountOldPassword" REG_SZ          "pA$$&;^\#*2i)W}nqK!~.Jd8z"
+  "dcAccountPassword"    REG_SZ          "pA$$&;^\#*2i)W}nqK!~.Jd8z"
+  "DirtyShutdown"        REG_DWORD       0x00000000 (0)
+  "LduGuid"              REG_SZ          "28bf4aaa-b564-49b2-a354-abcde1234567"
+  "MachineGuid"          REG_SZ          "bcf160ba-cb01-4dc3-b574-abcde1234567"
+  "SiteGuid"             REG_SZ          "4f2b0b44-4da7-43e3-b1a9-abcde1234567"
   "Autostart"            REG_DWORD       0x00000001 (1)
   "Dependencies"         REG_SZ          "lsass dcerpc vmafd"
   "Description"          REG_SZ          "VMware Directory Service"
   "Environment"          REG_SZ          ""
   "Path"                 REG_SZ          "/usr/lib/vmware-vmdir/sbin/vmdird"
   "Type"                 REG_DWORD       0x00000001 (1)


Run these commands to update the password in the reg key:
set_value dcAccountPassword "pA$$&;^\#*2i)W}nqK!~.Jd8z"
quit

Then reboot the VCSA.


==============================================
The vSphere Client has a red bar complaining about not being able to connect to SSO.
We will need to regenerate all the certificates.

-ssh in as root
/usr/lib/vmware-vmca/bin/certificate-manager
8
-Fill in as appropriate, but be sure to use the IP address when it says "optional" so that it will put the IP address in the Subject Alternative Name (SAN) of the certificate.
-Wait about 15 minutes.
-You should be able to access vSphere login page.


==============================================
Here are some interesting areas I found along the way:

https://192.168.21.152/sso-adminserver/sdk/vsphere.LOCAL
https://192.168.21.152:443/lookupservice/sdk
https://192.168.21.152/sts/STSService/vsphere.LOCAL
https://192.168.21.152/websso/SAML2/SLO/vsphere.LOCAL
https://192.168.21.152:443/sms/sdk
https://localhost:9090/vsphere-client/
https://192.168.21.152:443/invsvc/vmomi/sdk
https://HOSTNAME.DOMAIN.LOCAL:443/appliance/support-bundle
https://192.168.21.152:9090/vsphere-client/


/etc/vmware/vsphere-client/webclient.properties
/etc/vmware-vpx/vpxd.cfg
/etc/applmgmt/appliance/appliance.conf:
/etc/resolv.conf:search vsphere.LOCAL
/etc/systemd/network/10-eth0.network:Domains= vsphere.LOCAL
/etc/vmware/install-defaults/vmdir.domain-name


Find PNID:
During the initial configuration of the VMware vCenter Server, the system name (FQDN or IP address) is used as the PNID, Primary Network Identifier.
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
HOSTNAME.DOMAIN.local


Changing the hostname can be done either via the VAMI (VMware Appliance Management Interface):
-click NETWORKING (on left-hand side).
-find NETWORK SETTINGS (in the middle).
-click EDIT (on the right-hand side).
-run through the settings wizard.

or by ssh:
/opt/vmware/share/vami/vami_config_net


The root password has a default lockout of 3 attempts. Then you gotta wait 5 minutes to reset. To view:
pam_tally2 -u root

To reset manually:
pam_tally2 -u root -r


To shutdown/restart all the services:
service-control --all --stop
service-control --all --start


https://www.nakivo.com/blog/503-service-unavailable-error-on-the-vsphere-web-client/
(Long article but see Password Issues)
https://docs.vmware.com/en/VMware-Integrated-OpenStack/7.2/com.vmware.openstack.admin.doc/GUID-02577103-96E9-49B0-A2B1-4D6BE6B2E103.html
https://kb.vmware.com/s/article/2147280
https://communities.vmware.com/t5/vCenter-Server-Discussions/The-Reset-all-Certificates-option-in-the-certificate-manager/td-p/2247608

Failed to connect to endpoint

Last Updated on Sunday, 17 July 2022 07:18

ADFS Update

ADFS allows outside services to use your local AD accounts. Sometimes this can be done through:

-local connectors (such as MobileIron and AzureAD).
-Azure AD connections (such as GoToConnect).
-LDAPS connections on port 636 (such as Mimecast).
-ADFS connections (such as Dropbox, Cisco, Adobe, Zoom).

ADFS is certificate based. If the certificate is correct and sent to the outside service, they can then connect to the ADFS and use the accounts locally.

One problem arises when the certificate is expiring and needs to be updated. The outside service needs to be made aware of the change. How that is done depends on the outside service.

The ADFS can have multiple certificates; primary and secondary. As the primary one is expiring/expired, the secondary one should be considered. Again, this depends on the outside service.

What we did was activate a secondary certificate with the updated information and valid dates.

Then we went through all the vendors individually over the next few weeks to make sure that they were aware we were updating the metadata of the ADFS. Some of them said "no problem, just update the metadata in your such-and-such account." Others would only consider the first certificate.

To see all the certificates in the computer account's personal store:

get-childitem -path cert:\LocalMachine\My

This will come back with the Thumbprint and Subject.

Or if you want to look at all the properties of a single certificate:

get-childitem -path cert:\LocalMachine\My\CE4B4EFC3FA0FB7FAE5DEE80B8814C7F14BDA4CD | fl -property *

Most will want the thumbprint, issuedto, friendlyname, expiration-date and the dnsnamelist:

get-childitem -path cert:\LocalMachine\My |select thumbprint,friendlyname,notafter,@{Label = 'IssuedTo'; Expression ={$_.GetNameInfo('SimpleName', $false)}} -expandp dnsnamelist |ft


To update the certificate on the ADFS servers:

set-AdfsSslCertificate -Thumbprint abcdefghijklmnopqrstuvwxyz1234567890
(Thumbprint of the new ssl cert)

Then update the certificate on the ADFS web proxy servers:

set-WebApplicationProxySslCertificate -Thumbprint abcdefghijklmnopqrstuvwxyz1234567890
(Thumbprint of the new ssl cert)

If you have a certificate but do not know where it is, you can search for it:

get-childitem -path cert:\ -recurse | where-object {$_.thumbprint -eq "abcdefghijklmnopqrstuvwxyz1234567890"}
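
The expiry report behind the procedure above, as an added example that is not part of the original post: it lists the certificates in the computer personal store that expire within a given number of days, flags the one bound to ADFS, and sorts by expiry so the primary/secondary switch can be scheduled before vendors are told. The bound thumbprint is an assumed input (on the federation server it can be read from Get-AdfsSslCertificate).

```powershell
# Added example (not from the original post): find soon-to-expire certificates
# in Cert:\LocalMachine\My and mark the one currently bound to ADFS.
function Get-ExpiringMachineCert {
    [CmdletBinding()]
    param(
        [int]$Days = 60,
        # Thumbprint currently bound to the ADFS SSL endpoint; on the federation
        # server it can be read with (Get-AdfsSslCertificate)[0].CertificateHash.
        [string]$BoundThumbprint = ''
    )
    $now      = Get-Date
    $deadline = $now.AddDays($Days)

    Get-ChildItem -Path Cert:\LocalMachine\My |
        # ADFS needs the private key, so certificates without one are not candidates.
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -le $deadline } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint   = $_.Thumbprint
                IssuedTo     = $_.GetNameInfo('SimpleName', $false)
                FriendlyName = $_.FriendlyName
                NotAfter     = $_.NotAfter
                # Negative for certificates that have already expired.
                DaysLeft     = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
                DnsNames     = (@($_.DnsNameList | ForEach-Object { $_.Unicode }) -join ', ')
                BoundToAdfs  = ($BoundThumbprint -ne '' -and $_.Thumbprint -eq $BoundThumbprint)
            }
        } |
        Sort-Object NotAfter
}

# A row with BoundToAdfs = True and a small DaysLeft is the certificate the
# outside services must be told about before it is swapped.
Get-ExpiringMachineCert -Days 60 | Format-Table -AutoSize
```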

NOTES:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap

Last Updated on Monday, 07 November 2022 10:43

Remove Local Administrators

-created gpo c-administrators-local
-added companylocaladmin & added domain admins
-added %DOMAINNAME%\AdminLocal.%COMPUTERNAME%
-linked to test ou
-created OU: DIV > _LocalResources > GroupsAdminLocal

For POC:
-created group: AdminLocal.SYSTEM-155
-added test account to the group.
-gpupdate /force /target:computer
-gpresult /r /scope:computer

To filter:
Get-WmiObject -Class Win32_GroupUser | Select-Object GroupComponent,PartComponent,PSComputerName
Get-WmiObject -Class Win32_GroupUser -Filter "GroupComponent=""Win32_Group.Domain='LT-LOCATION-073',Name='Administrators'""" |Select-Object GroupComponent,PartComponent,PSComputerName
Get-WmiObject -Class Win32_Group
Get-WmiObject -Class Win32_Group -Filter "Domain='DOMAIN-HERE'"
Get-WmiObject -Class Win32_Group -filter "Domain='DOMAIN-HERE' AND Name='Domain Admins'"
Get-WmiObject -Class Win32_Group -filter "Domain='%DomainName%' AND Name='AdminLocal.%ComputerName%'"

Test:
-start > run
-wbemtest
-click CONNECT
-for local: root\cimv2
-for remote: \\SYSTEM-NAME\root\cimv2
(add account with domain admin privileges)
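
A compliance check built on the same Win32_GroupUser filter as above, as an added example that is not part of the original post: it reads the local Administrators membership of a machine and reports anything the GPO did not grant. COMPANY is a placeholder NetBIOS domain name and the expected-member list is an assumption based on the groups named in the post.

```powershell
# Added example (not from the original post): compare local Administrators
# membership (via the Win32_GroupUser association) with what the GPO should enforce.
function Compare-LocalAdministrators {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Domain = 'COMPANY',   # placeholder NetBIOS domain name
        # What the post's GPO puts in the group, plus the built-in Administrator.
        [string[]]$Expected = @(
            "$Domain\Domain Admins"
            "$Domain\companylocaladmin"
            "$Domain\AdminLocal.$ComputerName"
            "$ComputerName\Administrator"
        )
    )
    # Same WQL filter as the Get-WmiObject one-liners above, CIM flavour.
    $filter = "GroupComponent=""Win32_Group.Domain='$ComputerName',Name='Administrators'"""
    $cim = @{ ClassName = 'Win32_GroupUser'; Filter = $filter }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim['ComputerName'] = $ComputerName }

    $members = foreach ($link in Get-CimInstance @cim) {
        # PartComponent is the member account; Domain is the machine name for local accounts.
        '{0}\{1}' -f $link.PartComponent.Domain, $link.PartComponent.Name
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Members      = @($members)
        # Accounts that hold local admin without the GPO granting it.
        Unexpected   = @($members | Where-Object { $Expected -notcontains $_ })
        # GPO members that did not land (policy not applied yet, wrong OU link, etc.).
        Missing      = @($Expected | Where-Object { $members -notcontains $_ })
    }
}

Compare-LocalAdministrators | Format-List
```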

NOTES:
https://community.spiceworks.com/how_to/907-gpo-to-push-out-local-administrators-across-a-domain
https://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Last Updated on Saturday, 28 May 2022 13:10

Windows Capability Manager

Windows Capability Manager is a bit different than the Windows Package Manager. The Package Manager manages installed app/software/packages. Like so:

get-windowspackage -online |?{$_.packagename -like "*foo*"}

dism /online /get-packages

See the article on Windows Package Manager.

Windows already has builtin capabilities but only some are turned on by default.

The other capabilities need to be enabled only on an as-needed basis.

To get the capabilities:

get-windowscapability -online

get-windowscapability -online |?{$_.name -like "*rsat*"}

To add the capabilities:

add-windowscapability -online -name Microsoft.Windows.Notepad~~~~0.0.1.0

get-windowscapability -online -name RSAT* |add-windowscapability -online

To remove the capability:

remove-windowscapability -online -name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Note that if you get a message about "Permanent Package Cannot be Uninstalled", that usually indicates that you are trying to uninstall a capability that another capability depends on. In other words, remove the other capability first, then you can remove the dependency.

To get optional features:

dism /online /get-features /format:table

get-windowsoptionalfeature

Last Updated on Thursday, 05 May 2022 07:43

The Message Store Has Reached Its Maximum Size

A heavy email user receives this message:

The message store has reached its maximum size.

All messages are stored in a single file. In the past, this was a PST file. In modern times, this is either an OST file or an NST file.

The file can grow too large because the account receives and sends too many messages.

This can be solved by:

1- manual archive:
If needed, you can archive items older than a certain date:
-OUTLOOK
-click FILE > CLEANUP-TOOLS > ARCHIVE:

2- in-place archive
See article here: http://www.daknetworks.com/blog/445-in-place-archive-exchange-2013

Another contributing factor is SHARED-MAILBOXES as they count towards the OST/NST file size.

There is a manual setting:
-OUTLOOK
-click FILE > ACCOUNT-SETTINGS > ACCOUNT-SETTINGS
-click CHANGE
-click MORE-SETTINGS
-click ADVANCED tab (at the top)
-uncheck DOWNLOAD-SHARED-FOLDERS
-click OK > NEXT > FINISHED

This can also be done by registry edit. Here is a one-liner:

REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Cached Mode" /v "CacheOthersMail" /t REG_DWORD /d 0 /f

Managing Modern Apps | Managing Appx Packages

Location

Modern apps are located at the following:

%WINDIR%\SystemApps
(For system apps; ie Edge, Cortana, etc)

%PROGRAMFILES%\WindowsApps
(For personal apps; ie Pictures, Videos, Calculator, etc)

The Way Appx Packages Works

Modern Apps are "provisioned" on the system. This means they are available to every account on the system to be installed. When this happens, the appx is now on a "manifest-list" or provisioned-list. When a new account signs in for the first time, all the provisioned-appx packages are installed for that account.

Modern Apps are then installed per account.

Get Modern Apps

Here is how to get a list of all provisioned packages on a system:

get-appxprovisionedPackage -online |select Packagename

Here is how to get a list of all Modern Apps installed for all accounts on the system:

Get-AppxPackage -allusers |select PackageFullName

Or for a specific account:

Get-AppxPackage -user "domain\FooAccount"

Removing Modern Apps

Here is how to remove a single Modern App:

Remove-AppXProvisionedPackage -Online -PackageName <PackageName>

Since AppX packages use random names, it is probably easier to:

Get-AppxPackage |where {$_.packagefullname -like "*zune*"} |remove-appxpackage

Here is how to remove all Modern Apps:

Get-AppXProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online

If you want to remove all but keep a certain set of Modern Apps, the following will work, but the Appx packages will come back during an OS version upgrade (ie v2004 to v2009).

##Remove All Packages
$appname = @(
"*BingWeather*"
"*ZuneMusic*"
"*ZuneVideo*"
"*King*"
)
ForEach($app in $appname){
Get-AppxPackage -AllUsers -Name $app | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
}

Removing Modern Apps from the Manifest List / Provisioned List

But how to remove appx packages from the provisioned-list. Here's how:

##Remove Provisioned Packages
$appname = @(
"*BingWeather*"
"*ZuneMusic*"
"*ZuneVideo*"
"*king*"
)
ForEach($app in $appname){
Get-AppxProvisionedPackage -Online | where {$_.PackageName -like $app} | Remove-AppxProvisionedPackage -AllUsers -Online -ErrorAction SilentlyContinue
}
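
The two removal loops above combined into one pass, as an added example that is not part of the original post: it removes each matching app for every profile and from the provisioned list, honors a keep list so a broad pattern cannot take out something needed, and supports -WhatIf so the matches can be reviewed first. The default pattern and keep lists are assumptions.

```powershell
# Added example (not from the original post): remove unwanted Modern Apps from
# all profiles and from the provisioned list, with a keep list and -WhatIf.
function Remove-UnwantedAppx {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Patterns = @('*BingWeather*', '*ZuneMusic*', '*ZuneVideo*', '*King*'),
        # Never removed, even if a pattern above is too broad (assumed list).
        [string[]]$Keep = @('*WindowsStore*', '*WindowsCalculator*', '*DesktopAppInstaller*')
    )
    function Test-Kept([string]$Name) {
        foreach ($k in $Keep) { if ($Name -like $k) { return $true } }
        return $false
    }

    foreach ($pattern in $Patterns) {
        # Installed copies: one per user profile, hence -AllUsers on both ends.
        foreach ($pkg in Get-AppxPackage -AllUsers -Name $pattern) {
            if (Test-Kept $pkg.Name) { continue }
            if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove installed package (all users)')) {
                Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction SilentlyContinue
            }
        }
        # Provisioned copy: what a new profile would receive at first sign-in.
        foreach ($prov in Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -like $pattern }) {
            if (Test-Kept $prov.DisplayName) { continue }
            if ($PSCmdlet.ShouldProcess($prov.PackageName, 'Remove provisioned package')) {
                Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName -ErrorAction SilentlyContinue | Out-Null
            }
        }
    }
}

# Dry run first (prints what would be removed), then the real run:
# Remove-UnwantedAppx -WhatIf
# Remove-UnwantedAppx
```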

Adding Modern Apps

Adding Modern Apps can be challenging because of the random characters in the PackageName.

There are 4 steps:

1-find the URL of the app
To do this, simply go to https://www.microsoft.com and find the URL of the app. For SpeedTest, that is:
https://www.microsoft.com/en-us/p/speedtest-by-ookla/9nblggh4z1jc

2-Generate the Microsoft Store link
To do this, go to https://store.rg-adguard.net
Be sure to change the option to RETAIL

3-Download the appxBundle

4-Install the appxBundle:
add-appxpackage -path "c:\path\to\file\Ookla.SpeedtestbyOokla_1.13.154.0_neutral_~_43tc6nmvykmb6.appxbundle"
add-appxprovisionedpackage -online -skiplicense -packagepath "c:\path\to\file\Ookla.SpeedtestbyOokla_1.13.154.0_neutral_~_43tc6nmvykmb6.appxbundle"

Reference the PDQ article below, they are the experts.

Basically, the following will install an appx package to an account:

#########################################################
##THIS WILL INSTALL ALL CANDY CRUSH GAMES! DO NOT RUN! ##
#########################################################
$path = Get-ChildItem -Path "C:\Program Files\WindowsApps" | Where-Object {$_.BaseName -like "*Candy*"} | select fullname
$registerpath = $path.FullName + "\appxmanifest.xml"
Add-AppxPackage -DisableDevelopmentMode -Register $registerpath

Adding Modern Apps to the Manifest

Basically, the following will provision an Appx package:

$ManifestPath = (Get-AppxPackage -Name "*WindowsCalculator*").InstallLocation + "\Appxmanifest.xml"
Add-AppxPackage -Path $ManifestPath -Register -DisableDevelopmentMode

Winget

winget can do the same.

winget

If you need to set settings:

winget settings

If you want to see the source list:

winget source list

You will see the msstore in the list.

If you want to reset the sources/repos:

winget source reset

Now search the repo:

winget search |findstr msstore |more

winget search white |findstr msstore

winget search 9MSPC6MP8FM4

winget search Whiteboard

Now simply install from the repo:

winget install "Dell Command | Update"

echo y |winget install "Microsoft Whiteboard"

Notes

This article says it better than I can:
https://www.pdq.com/blog/removing-windows-10-apps-and-advertising/
https://www.pdq.com/powershell/add-appxpackage/

Last Updated on Wednesday, 26 January 2022 11:55

Group Policy for Interactive Logon Message

Group Policy

COMPUTER-CONFIGURATION > POLICIES > WINDOWS-SETTINGS > SECURITY-SETTINGS > LOCAL-POLICIES > SECURITY-OPTIONS

Interactive logon: Message text for users attempting to log on:

This computer is the property of COMPANY.
- information system usage may be monitored or recorded, and is subject to audit;
- unauthorized use of the information systems is prohibited;
- unauthorized use is subject to criminal and civil penalties;
- use of the information system affirms consent to monitoring and recording;
- the information system contains CUI with specific requirements imposed by the Department of Defense; and
- use of the information system may be subject to other specified requirements associated with certain types of CUI such as Export Controlled information.

(cmmc ac.2.005 | nist 800-171 3.1.9)

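The same banner applied to a single machine that is not domain-joined, as an added example that is not part of the original post: it writes the registry values behind the Security Options setting and reads them back. COMPANY and the caption text are placeholders.

```powershell
# Added example (not from the original post): set and verify the logon banner
# on one machine via the registry values the GPO setting writes.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$bannerCaption = 'COMPANY information system'   # placeholder title
$bannerLines = @(
    'This computer is the property of COMPANY.'
    '- information system usage may be monitored or recorded, and is subject to audit;'
    '- unauthorized use of the information systems is prohibited;'
    '- unauthorized use is subject to criminal and civil penalties;'
    '- use of the information system affirms consent to monitoring and recording;'
    '- the information system contains CUI with specific requirements imposed by the Department of Defense; and'
    '- use of the information system may be subject to other specified requirements associated with certain types of CUI such as Export Controlled information.'
    ''
    '(cmmc ac.2.005 | nist 800-171 3.1.9)'
)

function Set-LogonBanner {
    param([string]$Caption, [string[]]$Lines)
    # LegalNoticeCaption / LegalNoticeText back "Interactive logon: Message title /
    # Message text for users attempting to log on"; both are REG_SZ.
    Set-ItemProperty -Path $key -Name LegalNoticeCaption -Value $Caption -Type String
    Set-ItemProperty -Path $key -Name LegalNoticeText -Value ($Lines -join "`r`n") -Type String
}

function Get-LogonBanner {
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Caption = $p.LegalNoticeCaption
        Text    = $p.LegalNoticeText
        # An empty text means no banner is shown, whatever the caption says.
        IsSet   = -not [string]::IsNullOrWhiteSpace($p.LegalNoticeText)
    }
}

Set-LogonBanner -Caption $bannerCaption -Lines $bannerLines   # elevated prompt required
Get-LogonBanner | Format-List
```

On a domain-joined machine the GPO value overrides whatever is written here at the next policy refresh.
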
Upgrading the Sentry

Must be done in step-upgrade:
9.7.0 > 9.7.3 > 9.8.1 > 9.9.0 > 9.13.0 > 9.14.0

-login to the local sentry: https://ip.address.of.sentry:8443
-click MAINTENANCE > SOFTWARE-UPDATES
-fill in USERNAME/PASSWORD for the software downloads which is the same as https://support.mobileiron.com/support/CDL.html
-leave the URL as DEFAULT.

Or type in the specific repo (rarely needed):
https://support.mobileiron.com/mi/sentry/9.7.3/
https://support.mobileiron.com/mi/sentry/9.8.1/
https://support.mobileiron.com/mi/sentry/9.9.0/

-click CHECK-UPDATES
-bullet the version.
-click DOWNLOAD-NOW
-wait 1 minute.
-bullet the version.
-click STAGE-FOR-INSTALL.
-wait 1 minute.
-bullet the version.
-click REBOOT-TO-INSTALL.
-wait 5 minutes.

Run TLS check:
ssh into the Sentry:
enable
install rpm url https://support.mobileiron.com/tlscheck/mobileiron-sentry-tlscheck-1.0.0-1.noarch.rpm
tlscheck all

wget / invoke-webrequest | powershell

The wget command in powershell might give an error. Try this:
(note that this is a bios update file from Dell official web site)

PS>wget https://dl.dell.com/FOLDER05650607M/1/O9020A25.exe -outfile "O9020A25.exe"

The output is an error:

wget : Access Denied
You don't have permission to access

This is because the server has a robots.txt file that refuses the PowerShell user agent. The default user agent for PowerShell is:

([Microsoft.PowerShell.Commands.PSUserAgent]::InternetExplorer)

To fix, specify the USERAGENT, like so:

PS>wget https://dl.dell.com/FOLDER05650607M/1/O9020A25.exe -outfile "O9020A25.exe" -UserAgent "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Last Updated on Thursday, 18 November 2021 14:10

Trust Custom Root Certificate Authority | Trust Custom Root CA

Internal web site with domain.corp name.
Site has certificate from custom root-CA and custom intermediate-CA.

How to trust for entire internal domain.

Get the Certificates

-open INTERNET-EXPLORER (as-admin).
-go to site with custom security.
-view certificate.
-click DETAILS
-click COPY-TO-FILE.
-save type as BASE-64-ENCODED (not DER).
-save as: sub.domain.tld.cer

-click CERTIFICATION-PATH
-click the INTERMEDIATE certificate (the one in the middle).
-click VIEW-CERTIFICATE.
-click DETAILS.
-click COPY-TO-FILE.
-save type as BASE-64-ENCODED (not DER).
-save as: intermediate-hostname-as-in-certificate.cer

-click CERTIFICATION-PATH
-click the ROOT certificate (the one at the top).
-click VIEW-CERTIFICATE.
-click DETAILS.
-click COPY-TO-FILE.
-save type as BASE-64-ENCODED (not DER).
-save as: root-hostname-as-in-certificate.cer

FOR SINGLE PC CLIENT

-open cmd.
-type: mmc
-add/remove snap-ins
-open CERTIFICATES
-select COMPUTER-ACCOUNT

-expand to TRUSTED-ROOT-CERTIFICATION-AUTHORITIES > CERTIFICATES
-right-click CERTIFICATES
-click IMPORT
-select root-hostname-as-in-certificate.cer

-expand to INTERMEDIATE-CERTIFICATION-AUTHORITIES > CERTIFICATES
-right-click CERTIFICATES
-click IMPORT
-select intermediate-hostname-as-in-certificate.cer

Reboot system.

FOR GROUP POLICY DOMAIN

-start new GP
-click COMPUTER > POLICIES > WINDOWS-SETTINGS > SECURITY-SETTINGS > PUBLIC-KEY-POLICIES
-click TRUSTED-ROOT-CERTIFICATION-AUTHORITIES
-click IMPORT
-select root-hostname-as-in-certificate.cer

-expand to INTERMEDIATE-CERTIFICATION-AUTHORITIES
-click IMPORT
-select intermediate-hostname-as-in-certificate.cer

Firefox to Trust

-open FIREFOX
-in address bar, type: about:config
-accept the warning message that appears.
-type: security.enterprise_roots.enabled
-toggle to TRUE (default is FALSE).

Test

To test, either visit the site or get OPENSSL for system and check manually:
echo GET | openssl s_client -connect processes.domain.corp:443
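
The single-PC import and the test step done from PowerShell, as an added example that is not part of the original post: it imports the exported root and intermediate into the machine stores and then builds the chain for the site certificate to confirm it now ends at a trusted root. File names are the ones the post saves; the host name is a placeholder.

```powershell
# Added example (not from the original post): import the custom root and
# intermediate, then verify the site certificate chains to a trusted root.
function Install-InternalCaChain {
    param(
        [string]$RootCer         = '.\root-hostname-as-in-certificate.cer',
        [string]$IntermediateCer = '.\intermediate-hostname-as-in-certificate.cer',
        [string]$SiteCer         = '.\sub.domain.tld.cer',
        [string]$SiteHost        = 'processes.domain.corp'   # placeholder
    )
    # Root -> Trusted Root CAs; intermediate -> Intermediate CAs (the CA store).
    # Importing the intermediate into Root would make it a trust anchor, which is wrong.
    Import-Certificate -FilePath $RootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Import-Certificate -FilePath $IntermediateCer -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

    # Build the chain for the site certificate the way schannel will when a client connects.
    $sitePath = (Resolve-Path $SiteCer).Path
    $site  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $sitePath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # internal CAs often publish no reachable CRL
    $built = $chain.Build($site)

    [pscustomobject]@{
        Subject   = $site.Subject
        ChainOk   = $built
        Status    = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        ChainPath = (@($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
        # Also confirms $SiteHost matches the certificate's subject/SAN.
        NameOk    = [bool](Test-Certificate -Cert $site -Policy SSL -DNSName $SiteHost -ErrorAction SilentlyContinue)
    }
}

# Run from an elevated prompt in the folder holding the exported .cer files.
Install-InternalCaChain | Format-List
```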

Last Updated on Monday, 08 November 2021 08:13

Show Additional Permissions on All Mailboxes on Exchange 2013

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v10.csv

Add Company Holiday to Everyone Mailbox in Exchange

Single Export:

New-MailboxExportRequest -Mailbox company.holidays -FilePath \\SERVER01\PST\hol.pst -IncludeFolders "#Calendar#"

Single Import:

New-MailboxImportRequest -Mailbox foo.user -FilePath \\SERVER01\PST\hol.pst -IncludeFolders "#Calendar#"

Mass Import:

$users = Get-Mailbox -ResultSize Unlimited
ForEach ($u in $users)
{
     New-MailboxImportRequest -Mailbox $u -FilePath \\SERVER01\PST\hol.pst -IncludeFolders "#Calendar#"
}

NOTES:
https://4sysops.com/archives/how-to-add-holidays-to-the-exchange-calendar-with-powershell/

Dell Bios Recovery Menu Loop

(image: dell-bios-recovery-menu)

No matter what option is chosen, the BIOS operation fails. Upon closer inspection, you might notice that the ME update failed with error 0x000001B9.

Dell has an official KB doc here:
https://www.dell.com/support/kbdoc/en-us/000133018/me-firmware-upgrade-failure-with-error-code-0x000001b9-during-bios-update

But it is not obvious how to end the loop.

Here is how to get out of the Dell Bios Recovery Menu loop on a Dell Precision (7550/7750):

  • -get service tag.
  • -go to https://dell.com/support (on another system).
  • -get newest bios (it will be an exe file).
  • -put the file on USB drive (does not have to be a bootable USB).
  • -power off system.
  • -unplug power source.
  • -hold CTRL+ESC buttons.
  • -plug power source in (you will not need to press the power button).
  • -BIOS RECOVERY MENU eventually shows with 3 options (as shown in pic above):
    • 1-RECOVER BIOS
    • 2-SET BIOS SETTINGS TO DEFAULT
    • 3-ROLLBACK BIOS
  • -press CTRL+ALT+DELETE (sometimes CTRL+ALT+END)
  • -system will reboot.
  • -press F12 for one-time boot menu.
  • -select FLASH BIOS UPDATE.
  • -plug in USB DRIVE.
  • -select the BIOS exe file.

The BIOS update will start and should go all the way through and reboot on its own.

Last Updated on Monday, 18 October 2021 14:43

Excel Get Right Word | Get Left Word

=TRIM(RIGHT(SUBSTITUTE(text," ",REPT(" ",100)),100))
=LEFT(a1,FIND(" ",a1)-1)

Powershell 5 | Powershell 6 | Powershell 7 | Modules

BACKGROUND

Powershell v5: comes with Windows-10 and only works on Windows. Scripting language only.
Powershell Core (aka v6): used for .NET development. Installable on all systems: Windows, Mac, Linux.
Powershell v7: separate install. Co-exist install with v5. One SHELL for both Windows and .Net.


MODULES

Modules are packages that contain PowerShell items, such as cmdlets, providers, functions, workflows, variables, and aliases. Modules are kept and found in repositories or repos. In the repos, they are listed out as Script, Binary, Manifest.
get-module


PACKAGEPROVIDERS

A package provider is a wrapper around a package management system (apt-get, yum, winget, etc). This is needed because there are different types of packages. To explain, let's look at the builtin providers, which are found with:
get-packageprovider

It will output:
msi: Microsoft Installation
msu: Microsoft Update
powershellget: From online gallery/repository.
programs: From Add/Remove Programs

Since not all packages are .deb or .rpm, different package providers are needed.

To see other providers:
find-packageprovider

To install other providers:
install-packageprovider nuget


REPOS

Repositories (aka Repos, aka galleries)
PSGallery: self publish repo for PowerShell users. While this is a MS platform, it is not trusted automatically as there is no code review.
NuGet: self publish repo for PowerShell and .Net users. While this is a MS platform, it is not trusted automatically as there is no code review.
Chocolatey: both a packageprovider and a repo, Chocolatey is an independent provider free from large corporation regulation.
get-packagesource

To install packagesource:
Register-PackageSource -Name Nuget -Location "http://www.nuget.org/api/v2" -ProviderName Nuget

But there is a newer version of Nuget for newer clients. So let's un-register:
Unregister-PackageSource NuGet

To install packagesource:
register-PackageSource -Name Nuget -Location "https://api.nuget.org/v3/index.json" -ProviderName Nuget


INSTALLATION

There are a few ways to install PowerShell v7:

1-Winget:
winget install PowerShell

2-PDQ:
PowerShell is available in the PDQ Library/Repo. Simply download the PowerShell Package and deploy to as many systems as needed.

3-PowerShell:
PowerShell-v5 can be used to install Powershell-v7 with the following one-liner:
Invoke-Expression "& { $(irm https://aka.ms/install-powershell.ps1) } -UseMSI"

4-GitHub
You can manually download the msi file at GitHub:
wget https://github.com/PowerShell/PowerShell/releases/download/v7.1.4/PowerShell-7.1.4-win-x64.msi -outfile PowerShell-7.1.4-win-x64.msi
msiexec.exe /i "PowerShell-7.1.4-win-x64.msi" ALLUSERS=1 /qn /norestart /log output.log

Once installed, PowerShell-v5 and PowerShell-v7 will co-exist and run at the same time.


INSPECT ENVIRONMENT

To inspect some of PowerShell items, run the following:

$env:psmodulepath -split(';')

To see the current version:
$PSVersionTable

To list the modules in the current session:
get-module

To get the modules that are installed on the system through PowerShellGet:
get-installedmodule

To get the modules that are installed on the system but not yet imported into the current session (note that Get-Module looks for available modules in the paths listed in $env:PSModulePath, shown above):
get-module -listavailable

Some modules are built-in modules and automatically installed with Powershell.

You will see PowerShellGet in the list. The PowerShellGet module is used for discovering, installing, updating and publishing other PowerShell modules.
To get the commands in a module:
Get-Command -Module <module-name>
Get-Command -Module PackageManagement
Get-Command -Module PowerShellGet

To get help with the commands:
Get-Help <command-name>
Get-Help <command-name> -Online

And to import a module into the session:
Import-Module <module-name>

To get the repos that are available on the system:
get-psrepository

NOTES

https://4sysops.com/archives/how-to-install-and-upgrade-to-powershell-71/
https://docs.microsoft.com/en-us/powershell/module/powershellget/?view=powershell-7.1
https://www.red-gate.com/simple-talk/sysadmin/powershell/managing-packages-using-windows-powershell/
https://www.youtube.com/playlist?app=desktop&list=PLyJiOytEPs4etH7Ujq7PU7jlOlHL-9RmV

Last Updated on Thursday, 23 February 2023 06:30

Upgrade TPM 1.2 to 2.0 for Windows 11

If you have TPM enabled on the system BIOS, the TPM might show as v1.2 and not v2.0. Windows 11 will not like that.

If a recent system, ie newer than 2016, then the chances are the TPM can be upgraded.

Get the conversion tool at the Dell support page.

  • -enable TPM in the BIOS
  • -reboot
  • -start powershell (as-administrator)
  • -disable the TPM autoprovisioning: disable-tpmautoprovisioning
  • -check the TPM: get-tpm
  • -clear the TPM: clear-tpm
    • -click SETTINGS > WINDOWS-SECURITY
    • -click DEVICE-SECURITY > SECURITY-PROCESSOR-DETAILS
    • -click SECURITY-PROCESSOR-TROUBLESHOOTING
    • -click CLEAR TPM
  • -reboot.
  • -press F12 (when it reboots).
  • -perform the upgrade: DELLTPM2.0_FW1.3.2.8_V3_64.EXE /s /r /l="c:\installs\log-tpm.txt"

 

Last Updated on Friday, 12 November 2021 07:43

Convert MBR to GPT for Windows 11

With the Windows 11 debut, security measures are raised to require Secure Boot with TPM 2.0.

If you find yourself with a system that is on LEGACY/MBR (not on UEFI/GPT), then you need to convert to UEFI/GPT.

Note that there can only be a maximum of 3 primary partitions on the disk, so that the process can add a 4th.

First validate the conversion:

  • -boot to recovery
  • -select COMMAND-PROMPT
  • -mbr2gpt /validate

If it validates, then try the conversion:

  • -mbr2gpt /convert

If it fails and you are on a Dell system, this is because Dell has a recovery partition on the disk. Try the following:

  • -mbr2gpt.exe /convert /disk:0 /map:222=ebd0a0a2-b9e5-4433-87c0-68b6b72699c7

The /map part of the command says that the conversion should take place but keep the disk as a BASIC disk rather than a DYNAMIC disk; that is what the numeric part of the command specifies.

Last Updated on Monday, 11 October 2021 14:46

Message Tracking in Exchange for Messages From Gmail

How to get the messages in Exchange that come from @gmail.com:

[PS] C:\>Get-MessageTrackingLog -Start "09/01/2021" -Recipient recipient@domain.tld -Resultsize Unlimited |?{[string]$_.sender -like "*@gmail.com*"} |Select eventid,source,messagesubject,originalclientip

Last Updated on Friday, 08 October 2021 12:31

WiFi Command Line

Make sure wifi-service is running:
sc query WlanSvc

Start wifi service if not running:
sc start WlanSvc

Get Adapters:
get-netadapter

Get only wifi adapters:
netsh wlan show interfaces

Get wifi networks in range:
netsh wlan show networks

Get wifi profiles on the system:
netsh wlan show profiles

Get wifi profile on the system with key/password:
netsh wlan show profile name="wifi-profile-name-here" key=clear

Set wifi profile to private:
set-netconnectionprofile -name "wifi-profile-name-here" -NetworkCategory Private

Show wifi capabilities:
netsh wlan show wirelesscapabilities

Get network profiles currently in use on the system:
get-netconnectionprofile

Last Updated on Wednesday, 06 October 2021 12:49

Winget Installation | Winget Package Manager

Windows is finally getting a Package-Manager like YUM or APT-GET along with a repository. The Package-Manager is called WINGET (apparently after APT-GET; someone at MS must be a Ubuntu/Debian fan).

It was awkward getting WINGET which is kinda ironic. Reportedly, it will be in WINDOWS-UPDATES automatically at some point.

Until then, to get WINGET, I had to:

If you want to do it manually/visually:

To use WINGET, simple type:

winget

winget list

winget search replace-with-lazy-search-keywords-here
(ie winget search shell)
(means "shell" will show "Shell Notebook" "open shell" but also "TortoiseGit" because it is tagged with "shell")

winget install -h foo-app

winget upgrade -h foo-app

winget settings
This will open the settings file. It is a JSON file for customizations. Mine looks like this.

So if the Windows 10/11 system were from fresh install, it would look something like this:

=========================================

cd \
cd .\installs\
wget https://github.com/microsoft/winget-cli/releases/download/v1.5.1881/Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle -outfile Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle
.\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle
winget
winget search chrome
winget install google.chrome -h --accept-package-agreements --accept-source-agreements
winget search firefox
winget install mozilla.firefox -h --accept-package-agreements --accept-source-agreements
winget search notepad
winget install Notepad++.Notepad++ --scope machine -h --accept-package-agreements --accept-source-agreements
winget search putty
winget install putty.putty --scope machine -h --accept-package-agreements --accept-source-agreements
winget search winscp
winget install WinSCP.WinSCP --scope machine -h --accept-package-agreements --accept-source-agreements
winget search office |findstr /i micro
winget install microsoft.office -h --accept-package-agreements --accept-source-agreements
winget search mremote
winget install mremoteng.mremoteng --scope machine -h --accept-package-agreements --accept-source-agreements
winget search totalc
winget install Ghisler.TotalCommander --scope machine -h --accept-package-agreements --accept-source-agreements
winget search adobe
winget install Adobe.Acrobat.Reader.64-bit --scope machine -h --accept-package-agreements --accept-source-agreements
winget search 7zip
winget install 7zip.7zip --scope machine -h --accept-package-agreements --accept-source-agreements
winget search openvpn
winget install openvpntechnologies.openvpn --scope machine -h --accept-package-agreements --accept-source-agreements
winget search keepass
winget install DominikReichl.KeePass --scope machine -h --accept-package-agreements --accept-source-agreements
winget search vlc
winget install videolan.vlc --scope machine -h --accept-package-agreements --accept-source-agreements
winget search discord
winget install discord.discord -h --accept-package-agreements --accept-source-agreements
winget search shell
winget install Open-Shell.Open-Shell-Menu -h --accept-package-agreements --accept-source-agreements
winget search advanced
winget install Famatech.AdvancedIPScanner -h --accept-package-agreements --accept-source-agreements
cat C:\users\usernamehere\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

==================================================================

NOTES:

https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage?view=windowsserver2019-ps&viewFallbackFrom=win10-ps

Last Updated on Wednesday, 19 July 2023 08:38

MS Teams Photo | Microsoft 365 Photo | Profile Picture

Microsoft 365 profile pictures will source photos from a few places:

1-Teams
The admin might have turned off the ability to easily edit the photo directly in MS Teams:
https://teams.office.com

2-delve/contact-info
In addition, the admin might have turned off the ability to view, access or change contact information in Delve:
https://delve.office.com

3-outlook
Further, the admin might not assign email accounts @domain.tld. As a result, we cannot login to email to access anything:
https://outlook.office.com

4-sharepoint
The following might work if MS Teams photo cannot be changed, Outlook365 is not being used and Delve is not available. If it allows the change, give 72 hours before it fully syncs the photo:
https://domain-my.sharepoint.com/_layouts/15/editprofile.aspx

NOTES:

-sharepoint start is here:
https://domain.sharepoint.com/_layouts/15/sharepoint.aspx

-sharepoint personal is here:
https://domain-my.sharepoint.com
(ie: https://domain-my.sharepoint.com/personal/firstname_lastname_domain_com/_layouts/15/onedrive.aspx)

-sharepoint GLOBAL is here:
https://domain.sharepoint.com

-sharepoint blog site is here:
https://domain-my.sharepoint.com/personal/firstname_lastname_domain_com/Blog/_layouts/15/people.aspx?MembershipGroupId=0&FilterField1=ContentType&FilterValue1=Person

-all photos:
https://domain-my.sharepoint.com/User%20Photos/
https://domain-my.sharepoint.com/User%20Photos/Profile%20Pictures/

-personal photo:
https://domain.sharepoint.com/_layouts/15/userphoto.aspx?size=S&accountname=user@domain.tld
https://domain.sharepoint.com/_layouts/15/userphoto.aspx?size=L&username=user@domain.tld

Last Updated on Friday, 24 September 2021 15:45

Microsoft365 Cannot Send Email | 550 5.1.8 Access Denied

To see the policy that triggered this:

  • -go here: https://protection.office.com/antispam
  • -click Anti-spam outbound policy (Default).
  • -click EDIT-PROTECTION.
  • -change to NO-ACTION, ALERT-ONLY (note that this is NOT RECOMMENDED).
  • -or keep the default of RESTRICT-THE-USER-FROM-SENDING-MAIL-UNTIL-THE-FOLLOWING-DAY

To see the emails that went out in the last 24 hours:

Last Updated on Wednesday, 15 September 2021 13:51

Deploy Office365 | Deploy Microsoft365

Start here:
http://aka.ms/ODT

Process:
-download MSI from above.
-extract files by running the download.
-in the extracted files, use the XML to install office365-enterprise (e3,e5) or Volume-License (office365-business is separate)
-customize xml for the environment.

Customize XML
Customizing the XML can be cumbersome. There are many resources on the web but here are a few to make life easier:

XML-OPTIONS:
https://docs.microsoft.com/en-us/deployoffice/office-deployment-tool-configuration-options

INSTALL-FROM-LOCAL:
https://docs.microsoft.com/en-us/deployoffice/deploy-microsoft-365-apps-local-source

XML-CONFIG:
https://config.office.com/deploymentsettings

REMOVE MSI:
https://docs.microsoft.com/en-us/deployoffice/upgrade-from-msi-version

VISIO/PROJECT/OFFICE ON SAME SYSTEM:
https://docs.microsoft.com/en-us/deployoffice/install-different-office-visio-and-project-versions-on-the-same-computer

GENERIC-VOLUME-KEYS
https://docs.microsoft.com/en-us/deployoffice/use-the-office-deployment-tool-to-install-volume-licensed-editions-of-visio-2016

Download the install files:
The call to setup.exe can be local in the directory or can be from a share/UNC path (ie \\server\share).

If local, the path is not needed:
setup.exe /download myConfiguration-v1.xml

If share, the path is required:
\\server\share\setup.exe /download \\server\share\myConfiguration-v1.xml
(not: \\server\share\setup.exe /download myConfiguration-v1.xml)

Install Office365 | Install Microsoft365:
This is used to install, configure, remove, update O365:

If local, the path is not needed:
setup.exe /configure myConfiguration-v1.xml

If share, the path is required:
\\server\share\setup.exe /configure \\server\share\myConfiguration-v1.xml
(not: \\server\share\setup.exe /configure myConfiguration-v1.xml)

The script for installation will be:
REBOOT
UNINSTALL
REBOOT
INSTALL
REBOOT

PDQ:
https://www.pdq.com/blog/deploying-office-365-the-right-way/

NOTES:

<Configuration ID="4834409d-6c6c-4652-b6a7-2db2aa62ca60">
    <Info Description="v1" />


<!--
<Configuration ID="a2b6b9c8-3cab-4ec4-971d-46e7bae1fda3">
-->


    <Add OfficeClientEdition="64" Channel="SemiAnnual" SourcePath="\\server\share\Office365" AllowCdnFallback="True" MigrateArch="TRUE">
        <Product ID="O365ProPlusRetail">
            <Language ID="en-us" />
            <!--Language ID="de-de" />
            <Language ID="pt-br" />
            <Language ID="es-es" /-->
            <ExcludeApp ID="Groove" />
            <ExcludeApp ID="Bing" />
            <ExcludeApp ID="Teams" />
            <ExcludeApp ID="Onedrive" />
            <ExcludeApp ID="Lync" />
        </Product>
        <Product ID="ProofingTools">
            <Language ID="en-us" />
            <!--Language ID="de-de" />
            <Language ID="pt-br" />
            <Language ID="es-es" /-->
        </Product>
        <Product ID="VisioStdXVolume" MSICondition="VisStd,VisStdR" PIDKEY="NY48V-PPYYH-3F4PX-XJRKJ-W4423">
            <Language ID="en-us" />
            <Language ID="MatchPreviousMSI" />
        </Product>
        <Product ID="VisioProXVolume" MSICondition="VisPro,VisProR" PIDKEY="69WXN-MBYV6-22PQG-3WGHK-RM6XC">
            <Language ID="en-us" />
            <Language ID="MatchPreviousMSI" />
        </Product>
        <Product ID="ProjectStdXVolume" MSICondition="PrjStd,PrjStdR" PIDKEY="D8NRQ-JTYM3-7J2DX-646CT-6836M">
            <Language ID="en-us" />
            <Language ID="MatchPreviousMSI" />
        </Product>
        <Product ID="ProjectProXVolume" MSICondition="PrjPro,PrjProR" PIDKEY="WGT24-HCNMF-FQ7XH-6M8K7-DRTW9">
            <Language ID="en-us" />
            <Language ID="MatchPreviousMSI" />
        </Product>
    </Add>


<!--
<Add OfficeClientEdition="64" Channel="SemiAnnual" SourcePath="\\server\share\Office365" Version="16.0.13127.21506">
<Product ID="ProjectPROXVolume">
<Language ID="de-de" />
<Language ID="nl-nl" />
<Language ID="en-us" />
<Language ID="fr-fr" />
<Language ID="ja-jp" />
<Language ID="ko-kr" />
<Language ID="pt-br" />
<Language ID="es-es" />
</Product>
</Add>

<Add OfficeClientEdition="64" Channel="PerpetualVL2016" SourcePath="\\server\share\Office365" Version="16.0.12527.21416">
<Product ID="ProjectStdXVolume">
<Language ID="de-de" />
<Language ID="nl-nl" />
<Language ID="en-us" />
<Language ID="fr-fr" />
<Language ID="ja-jp" />
<Language ID="ko-kr" />
<Language ID="pt-br" />
<Language ID="es-es" />
</Product>
</Add>

<Add OfficeClientEdition="64" Channel="PerpetualVL2016" SourcePath="\\server\share\Office365" Version="16.0.12527.21416">
<Product ID="VisioPROXVolume">
<Language ID="de-de" />
<Language ID="nl-nl" />
<Language ID="en-us" />
<Language ID="fr-fr" />
<Language ID="ja-jp" />
<Language ID="ko-kr" />
<Language ID="pt-br" />
<Language ID="es-es" />
</Product>
</Add>

<Add OfficeClientEdition="64" Channel="SemiAnnual" SourcePath="\\server\share\Office365" Version="16.0.13127.21506">
<Product ID="VisioStdXVolume">
<Language ID="de-de" />
<Language ID="nl-nl" />
<Language ID="en-us" />
<Language ID="fr-fr" />
<Language ID="ja-jp" />
<Language ID="ko-kr" />
<Language ID="pt-br" />
<Language ID="es-es" />
</Product>
</Add>

<Add OfficeClientEdition="64" Channel="PerpetualVL2019" SourcePath="\\server\share\Office365">
<Product ID="ProPlus2019Volume">
<Language ID="de-de" />
<Language ID="nl-nl" />
<Language ID="en-us" />
<Language ID="fr-fr" />
<Language ID="ja-jp" />
<Language ID="ko-kr" />
<Language ID="pt-br" />
<Language ID="es-es" />
</Product>
<Product ID="LanguagePack">
<Language ID="de-de" />
<Language ID="nl-nl" />
<Language ID="en-us" />
<Language ID="fr-fr" />
<Language ID="ja-jp" />
<Language ID="ko-kr" />
<Language ID="pt-br" />
<Language ID="es-es" />
</Product>
<Product ID="ProofingTools">
<Language ID="de-de" />
<Language ID="nl-nl" />
<Language ID="en-us" />
<Language ID="fr-fr" />
<Language ID="ja-jp" />
<Language ID="ko-kr" />
<Language ID="pt-br" />
<Language ID="es-es" />
</Product>
</Add>


<Add OfficeClientEdition="64" Channel="SemiAnnualPreview" SourcePath="\\server\share\Office365">
<Product ID="VisioStd2019Volume">
<Language ID="en-us" />
</Product>
</Add>

<Add OfficeClientEdition="64" Channel="SemiAnnual" SourcePath="\\server\share\Office365" Version="16.0.12527.21416">
<Product ID="AccessRuntimeRetail">
<Language ID="de-de" />
<Language ID="en-us" />
<Language ID="fr-fr" />
<Language ID="nl-nl" />
<Language ID="ja-jp" />
<Language ID="ko-kr" />
<Language ID="pt-br" />
<Language ID="es-es" />
</Product>
<Product ID="ProofingTools">
<Language ID="en-us" />
<Language ID="de-de" />
<Language ID="nl-nl" />
<Language ID="fr-fr" />
<Language ID="ja-jp" />
<Language ID="ko-kr" />
<Language ID="pt-br" />
<Language ID="es-es" />
</Product>
</Add>

<Add OfficeClientEdition="64" Channel="Monthly">
<Product ID="O365ProPlusRetail">
<Language ID="en-us" />
</Product>
<Product ID="VisioProRetail">
<Language ID="en-us" />
</Product>
<Product ID="VisioPro2019Volume" PIDKEY="NY48V-PPYYH-3F4PX-XJRKJ-W4423">
<Language ID="en-us" />
<ExcludeApp ID="Groove" />
<ExcludeApp ID="Lync" />
</Product>
<Product ID="ProjectPro2019Volume" PIDKEY="NY48V-PPYYH-3F4PX-XJRKJ-W4423">
<Language ID="en-us" />
<ExcludeApp ID="Groove" />
<ExcludeApp ID="Lync" />
</Product>
</Add>

<Add >
<Product ID="ProjectProRetail" MSICondition="PrjStd,PrjPro,PrjStdR,PrjProR">
<Language ID="en-us" />
<Language ID="MatchPreviousMSI" />
</Product>
</Add>
<RemoveMSI />

<Add >
<Product ID="VisioProRetail" MSICondition="VisStd,VisPro,VisStdR,VisProR">
<Language ID="en-us" />
<Language ID="MatchPreviousMSI" />
</Product>
</Add>
<RemoveMSI />

<RemoveMSI>
    <IgnoreProduct ID="InfoPath" />
    <IgnoreProduct ID="InfoPathR" />
    <IgnoreProduct ID="PrjStd" />
    <IgnoreProduct ID="PrjPro" />
    <IgnoreProduct ID="PrjStdR" />
    <IgnoreProduct ID="PrjProR" />
    <IgnoreProduct ID="SharePointDesigner" />
    <IgnoreProduct ID="VisStd" />
    <IgnoreProduct ID="VisPro" />
    <IgnoreProduct ID="VisStdR" />
    <IgnoreProduct ID="VisProR" />
</RemoveMSI>
-->


    <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />


    <Updates Enabled="TRUE" UpdatePath="\\server\share\Office365" />


    <AppSettings>
        <Setup Name="Company" Value="Company Name Here" />
    </AppSettings>


    <Display Level="None" AcceptEULA="TRUE" />  


    <RemoveMSI />
    
    
</Configuration>

Last Updated on Friday, 03 September 2021 18:49

Find AD Accounts Older Than 60 Days

Get-ADUser -Filter * -Property LastLogonDate |?{$_.LastLogonDate -le (Get-Date).AddDays(-60) -and ($_.enabled -eq $true)} |sort lastlogondate -desc |ft name, lastlogondate

Run troubleshooter via Command Line

Run troubleshooter via command line:

msdt.exe /id <troubleshooter>

Troubleshooting Pack ID | Description | Application or Feature Dependency
AeroDiagnostic | Troubleshoots problems displaying Aero effects like transparency. | Aero Display Theme installed
NetworkDiagnosticsDA | Troubleshoots problems connecting to a workplace network over the Internet using Direct Access. | Direct Access installed
DeviceDiagnostic | Troubleshoots problems using hardware and access devices connected to the computer. | (none)
HomeGroupDiagnostic | Troubleshoots problems viewing computers or shared files in a homegroup. | HomeGroup installed
NetworkDiagnosticsInbound | Troubleshoots problems with allowing other computers to communicate with the target computer through Windows Firewall. | (none)
NetworkDiagnosticsWeb | Troubleshoots problems connecting to the Internet or to a specific Web site. | (none)
IEDiagnostic | Helps the user prevent add-on problems and optimize temporary files and connections. | Internet Explorer installed
IESecurityDiagnostic | Helps the user prevent malware, pop-ups, and online attacks. | Internet Explorer installed
NetworkDiagnosticsNetworkAdapter | Troubleshoots problems with Ethernet, wireless, or other network adapters. | (none)
PerformanceDiagnostic | Helps the user adjust settings to improve operating system speed and performance. | (none)
AudioPlaybackDiagnostic | Troubleshoots problems playing sounds and other audio files. | Audio output device installed
PowerDiagnostic | Helps the user adjust power settings to improve battery life and reduce power consumption. | (none)
PrinterDiagnostic | Troubleshoots problems printing. | (none)
PCWDiagnostic | Helps the user configure older programs so that they can run in the current version of Windows. | (none)
AudioRecordingDiagnostic | Troubleshoots problems recording audio from a microphone or other input source. | Audio input device installed
SearchDiagnostic | Troubleshoots problems with search and indexing using Windows Search. | Search enabled
NetworkDiagnosticsFileShare | Troubleshoots problems accessing shared files and folders on other computers over the network. | (none)
MaintenanceDiagnostic | Helps the user clean up unused files and shortcuts and perform other maintenance tasks. | (none)
WindowsMediaPlayerDVDDiagnostic | Troubleshoots problems playing a DVD using Windows Media Player. | Windows Media Player installed
WindowsMediaPlayerLibraryDiagnostic | Troubleshoots problems with adding media files to the Windows Media Player library. | Windows Media Player installed
WindowsMediaPlayerConfigurationDiagnostic | Helps the user reset Windows Media Player settings to the default configuration. | Windows Media Player installed
WindowsUpdateDiagnostic | Troubleshoots problems that prevent Windows Update from performing update tasks. | (none)

Last Updated on Friday, 30 July 2021 10:58

Dell Docks

Here are the Dell docks that supply enough power to the Latitudes/Precisions:

https://www.delltechnologies.com/resources/en-us/asset/data-sheets/products/electronics-accessories/dell_docking_compatibility_guide.pdf

OAB 0x8004010F | HAFNIUM Fix | Outlook Address Book Deep Dive Fix

There are 2 things at play here - the regeneration of the Offline Address Book on the exchange side, and the downloading of the address book in Outlook.

You can control the regeneration of the OAB through the Exchange Control Panel; however, you cannot change how often Outlook downloads the OAB from Exchange. That download is automatic and happens approximately every 24 hours.

You can force Outlook to download the address book through Send/Receive > Download Address Book, but as far as I know you can't schedule that automatically.

Check whether an OAB has been assigned to the database. If the field is blank, the default OAB is in use:
Get-MailboxDatabase | Ft Name, offlineaddressbook

Update the OAB and check if it's successfully updated:
Get-OfflineAddressBook | Update-OfflineAddressBook

Navigate to the following and check the files are recently created:
%ExchangeInstallPath%\ClientAccess\OAB\<ObjectGuid>

Check the Event Viewer for Event 17001 and 17002:
Get-WinEvent -LogName Application |?{$_.id -eq "17001" -or $_.id -eq "17002"} | select -First 3
Get-WinEvent -LogName Application |?{$_.id -eq "17001" -or $_.id -eq "17002"} | select -First 3 |fl

Check the following log and search for "error":
C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog

Check the URL of the OAB:
Get-OabVirtualDirectory| fl Identity, *url*
Get-OabVirtualDirectory -ADPropertiesOnly |fl Identity, *url*

Get-OabVirtualDirectory |fl Identity, *Auth*
Get-OabVirtualDirectory -ADPropertiesOnly |fl Identity, *Auth*

In Exchange 2013, the OAB is generated by the Mailbox server that hosts the active copy of the database containing the arbitration (system) mailbox with the OAB PersistedCapabilities. The OAB files reside on that Mailbox server in "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB". The database homing the system mailbox must be active and mounted. Clients locate the Mailbox server holding the OAB files through AutoDiscover and download directly from it.

Get-OfflineAddressBook |fl generatingmailbox,guid
GUID: 534234b8-9177-465a-b5fb-867ef091f721
SystemMailbox{bb548c35-97f1-4cb9-8ff7-d53741de928c}

Make sure the server where the Arbitration-Mailbox is located is the same as where the DatabaseCopyStatus is located:
Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like "*OAB*"} | ft Name, Servername, Database
Get-MailboxDatabaseCopyStatus <database name>

See the details of the arbitration-mailbox:
get-mailbox -arbitration | ?{$_.PersistedCapabilities -like "*OAB*"} |fl

Compare the MaxSendSize of the arbitration mailbox with the actual size of the OAB files:
get-mailbox -arbitration | ?{$_.PersistedCapabilities -like "*OAB*"} |fl *max*
%ExchangeInstallPath%\ClientAccess\OAB\<ObjectGuid>

Set-OabVirtualDirectory -ExternalUrl https://exchange.domain.tld/OAB

Visit the ExternalURL: https://exchange.domain.tld/OAB
Prompt for login.
Nothing.

If AutoDiscover is not able to retrieve the AutoDiscover.XML file with all URL’s to Outlook, then the client will have trouble – not just with OAB but with EWS and other features.

-hold CTRL
-right-click OUTLOOK mini-icon
-click TEST-EMAIL-AUTOCONFIGURATION
-click XML

There is no line for OAB in the returned XML.

Local system:
del "C:\Users\%USERNAME%\AppData\Local\Microsoft\Outlook\Offline Address Book"
Nothing in folder.

https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/offline-address-books/offline-address-books?view=exchserver-2019
-the OAB is generated every 8 hours.
-outlook updates every 24 hours.
-OAB distribution to clients depends on Internet Information Services (IIS) virtual directories and the Autodiscover service.

https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/offline-address-books/oab-procedures?view=exchserver-2019#use-the-exchange-management-shell-to-configure-any-virtual-directory-in-the-organization-to-accept-download-requests-for-the-oab
Get-OfflineAddressBook |fl *virt*
VirtualDirectories : {SYSTEM-EXCHANGE\OAB (Exchange Back End)}

Get-OfflineAddressBook |fl *distrib*
PublicFolderDistributionEnabled  : False
GlobalWebDistributionEnabled     : False
WebDistributionEnabled           : True
ShadowMailboxDistributionEnabled : False

Official docs recommend the following:
get-offlineaddressbook |Set-OfflineAddressBook -VirtualDirectories $null -GlobalWebDistributionEnabled $true
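The checks above, gathered into one Exchange Management Shell function, as an added example that is not part of the original post. It assumes Exchange 2013 or later cmdlets, the default OAB folder location, and that it runs on the server whose files you want to inspect.

```powershell
# Added example, not the post's own code. For each OAB: confirm the arbitration
# mailbox sits on the server that has its database mounted, that the OAB folder
# has fresh files, that web distribution can reach clients, and pull the latest
# 17001/17002 generator events the post looks at.
function Test-OabGeneration {
    [CmdletBinding()]
    param([int]$MaxAgeHours = 24)   # the post notes generation runs every 8 hours

    foreach ($oab in Get-OfflineAddressBook) {
        $problems = New-Object 'System.Collections.Generic.List[string]'

        # 1. Generating (arbitration) mailbox vs. the server holding the mounted copy.
        $arb = $null; $active = $null
        if ($oab.GeneratingMailbox) {
            $arb    = Get-Mailbox -Arbitration -Identity $oab.GeneratingMailbox.DistinguishedName
            $active = Get-MailboxDatabaseCopyStatus -Identity $arb.Database |
                      Where-Object { $_.Status -eq 'Mounted' } | Select-Object -First 1
            if (-not $active) {
                $problems.Add("database $($arb.Database) has no mounted copy")
            } elseif ($active.MailboxServer -ne $arb.ServerName) {
                $problems.Add("arbitration mailbox reports $($arb.ServerName) but the database is mounted on $($active.MailboxServer)")
            }
        } else {
            $problems.Add('no GeneratingMailbox set on this OAB')
        }

        # 2. Freshly generated files (meaningful only on the generating server).
        $folder = Join-Path $env:ExchangeInstallPath "ClientAccess\OAB\$($oab.Guid)"
        $newest = $null
        if (Test-Path -LiteralPath $folder) {
            $newest = Get-ChildItem -LiteralPath $folder -Recurse -File |
                      Sort-Object LastWriteTime -Descending | Select-Object -First 1
            if (-not $newest) {
                $problems.Add("OAB folder $folder is empty")
            } elseif ($newest.LastWriteTime -lt (Get-Date).AddHours(-$MaxAgeHours)) {
                $problems.Add("newest OAB file dates from $($newest.LastWriteTime)")
            }
        } else {
            $problems.Add("OAB folder $folder not present on $env:COMPUTERNAME")
        }

        # 3. Distribution: without web distribution and a virtual directory (or the
        #    global setting the post ends up applying) Outlook has nowhere to download from.
        if (-not ($oab.WebDistributionEnabled -or $oab.GlobalWebDistributionEnabled)) {
            $problems.Add('web distribution is disabled')
        }
        if (-not $oab.GlobalWebDistributionEnabled -and -not $oab.VirtualDirectories) {
            $problems.Add('no virtual directories assigned and GlobalWebDistributionEnabled is False')
        }

        # 4. Latest OAB generator events from the Application log.
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 17001, 17002 } `
                               -MaxEvents 3 -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Name              = $oab.Name
            Guid              = $oab.Guid
            GeneratingMailbox = if ($arb) { $arb.Name } else { $null }
            ArbitrationServer = if ($arb) { $arb.ServerName } else { $null }
            ActiveCopyServer  = if ($active) { $active.MailboxServer } else { $null }
            NewestFile        = if ($newest) { $newest.LastWriteTime } else { $null }
            LastEvent         = if ($events) { $events[0].TimeCreated } else { $null }
            Problems          = $problems
            Healthy           = ($problems.Count -eq 0)
        }
    }
}

Test-OabGeneration | Format-List
```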

I guess the HAFNIUM changes/fixes took the OAB in a state of inaccessibility until a post-mortem could be done.

Last Updated on Monday, 03 May 2021 18:53

RDP Expired Password

BACKGROUND

Server is in another domain from the workstation.

Credentials are given.

Upon logging in, the password must be changed.

or

Upon logging in, the password is expired.

The password cannot be changed via RDP.

RDP

You can try to save the RDP file and edit with a text editor.

Change or add to: enablecredsspsupport:i:0

In our experience, this didn't work since NLA is turned on in the server and the system being used is not part of the domain.

RDP/IIS

https://server.domain.tld/RDWeb/Pages/en-US/password.aspx

There is a page on the RDWeb server that can be turned on for password changes. Check whether this page exists on the server.

Last Updated on Tuesday, 27 April 2021 13:33

Outlook Automatically Deletes Email | Outlook Junk E-mail Filter

Background Story

Them: I'm not getting email from Foo User.

Me: According to server logs the message is being received. Are you sure you don't see the message in the Inbox.

Them: Yes, I am sure. The message is not there.

Me: OK, I'll look into it.

Trace/Tail the Message Through the Server

First, trace the message to see where it is going:

Get-MessageTrackingLog -Start "04/20/2021" -Sender <sender-address> -Recipients <recipient-address> -Resultsize Unlimited -MessageSubject:"foo-subject"

And see if there are any FAIL's:
Get-MessageTrackingLog -EventId FAIL -Start "04/01/2021" -Recipients <recipient-address>
<null>

This will verify that the message is indeed being received.

Trace/Tail the Message in Outlook

Next, let's take a look at where the messages are in Outlook. This will generate a report and put it in your Mailbox. The report will collect the message info and let us know where the messages are in Outlook:

Get-Mailbox foo.user | Search-Mailbox -SearchQuery {Received:"03/01/2021..04/20/2021" AND Subject:"foo-subject"} -TargetMailbox "my.account" -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full

The result is that the messages are being received and are in OUTLOOK, but they sit in the DELETIONS folder and have not been read:

 Outlook-Junk-Email-v1

The DELETIONS folder is a special folder that is different from the DELETED-ITEMS folder. The DELETIONS folder holds email that has been deleted from DELETED-ITEMS.

How is that happening?

Starting with the DELETIONS folder, let's see how many items it holds:
Get-MailboxFolderStatistics foo.user |Select Name, ItemsInFolder |findstr /i deletions

IGNORE

The IGNORE button will automatically send messages-in-the-conversation to the DELETIONS folder.

This can be recovered by:

  • click DELETED-ITEMS (on the left-hand side)
  • click RECOVER-DELETED-ITEMS-FROM-SERVER (at the top)
  • select the messages in the list.
  • click OK to restore.
  • if the IGNORE button is shaded, then IGNORE is turned on. Click it to toggle it OFF.

Outlook-Junk-Email-v2

As an administrator, the only way to see if IGNORE is on is through MFCMAPI (just search for it, comes right up):

  • load the mailbox.
  • QUICK-START > OPEN-FOLDER > IPM_SUBTREE
  • a new window opens.
  • click IPM_SUBTREE
  • right-click CONVERSATION-ACTION-SETTINGS
  • click Open-Associated-Contents-Table

This will show if there are any IGNORE conversations with the SUBJECT and DATE so that you can target the message in the RECOVER-DELETED-ITEMS-FROM-SERVER.

Updated Story

Them: The messages are not IGNORED.

Me: hmmm.... Messages are automatically deleted and are not ignored.

Looking into it on the Exchange Server 2013

Just to double-check, let's make sure IMAP and POP are stopped, so that no IMAP client problems are happening:
get-service -Name MSExchangeIMAP*
get-service -Name MSExchangePOP*

Even if the services are stopped, we want to check the settings for the services to ensure the LoginType is SecureLogin:
get-ImapSettings |fl
get-POPSettings |fl

get-IMAPSettings |select *log*
get-POPSettings |select *log*

And make sure that the logs are turned on, in case something gets turned on by someone else on the team:
Set-ImapSettings -ProtocolLogEnabled $true
Set-PopSettings -ProtocolLogEnabled $true

Also, let's turn off mailbox access to IMAP, POP and OWA:
get-casmailbox | ?{$_.OWAEnabled -eq $true} |set-casmailbox -OWAEnabled $false
get-casmailbox | ?{$_.POPEnabled -eq $true} |set-casmailbox -POPEnabled $false
get-casmailbox | ?{$_.IMAPEnabled -eq $true} |set-casmailbox -IMAPEnabled $false

Check the mailbox Spam Confidence Level (SCL) to see if anything is enabled:
Get-ContentFilterConfig |fl Enabled
Enabled : False

Get-OrganizationConfig |fl *scl*
SCLJunkThreshold : 8

Get-Mailbox foo.user |fl AntispamBypassEnabled
AntispamBypassEnabled : False

Get-Mailbox foo.user |fl SCL*
SCLDeleteThreshold     :
SCLDeleteEnabled       :
SCLRejectThreshold     :
SCLRejectEnabled       :
SCLQuarantineThreshold :
SCLQuarantineEnabled   :
SCLJunkThreshold       :
SCLJunkEnabled         :

Junk E-Mail Configuration Exchange

Junk E-mail options are included in both Exchange and Outlook. Filtering happens server-side in EXCHANGE, but it can also happen directly in the local OUTLOOK client, as OUTLOOK uses its own SMARTSCREEN filter technology: a client-side filter.

(Note that this is why the settings in EXCHANGE don't always reflect the settings in OUTLOOK.)

This happens because OUTLOOK can be used with accounts other than EXCHANGE accounts. Again, the local OUTLOOK client has its own Junk Mail filter that is independent from the server-side EXCHANGE Junk Mail filter.

On top of that, on 11/01/2016 Microsoft stopped generating updates for the OUTLOOK client SMARTSCREEN client-side filter.

As a result, for Email Protection to work properly/efficiently, Junk Email filtering should be:
-enabled in OWA/EMS.
-disabled in Outlook client.

The server-side EXCHANGE filter happens through a hidden INBOX-RULE on the mailbox. Let's see the server-side filter:
Get-InboxRule -Mailbox foo.user
Get-InboxRule -Mailbox foo.user -IncludeHidden

Let's check the configuration for the Junk E-mail on the server-side EXCHANGE. This can be done in the OWA (web email access) or through EMS (Exchange Management Shell); both have the same effect (but does not change the client-filter in OUTLOOK):
Get-MailboxJunkEmailConfiguration foo.user

Let's set the mailbox Junk E-mail Settings:
Set-MailboxJunkEmailConfiguration foo.user -Enabled $true
(or $false if it needs to be turned off)

(Note OWA changes can be done via the URL: https://mail.domain.tld/owa/<user@domain.tld>/#path=/mail)

While the client-side filter OPTIONS-tab (off | low | medium | high) cannot be changed by settings on the mailbox, the SAFE-SENDERS, SAFE-RECIPIENTS, BLOCKED-SENDERS tabs can be changed on the server which will update the settings in OUTLOOK:
(Get-MailboxJunkEmailConfiguration foo.user).BlockedSendersAndDomains

Outlook-Junk-Email-v3

To set and make changes on the client-side filter and set just one domain:
set-MailboxJunkEmailConfiguration foo.user -trustedsendersanddomains foobar.tld

Or add the domain without changing what is already set in place:
set-MailboxJunkEmailConfiguration foo.user -trustedsendersanddomains @{Add="foobar.tld"}
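The server-side checks in this section, rolled into one per-mailbox report, as an added example that is not from the original post. It assumes the Exchange Management Shell; foo.user is the post's placeholder mailbox.

```powershell
# Added example, not the post's own code. Reports the Exchange-side junk state of a
# mailbox in one object: the hidden junk rule, SCL settings, safe/blocked lists and
# the item counts in Deleted Items, Deletions (Recoverable Items) and Junk Email.
function Get-MailboxJunkReport {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Identity)

    begin {
        # Organization-wide settings are the same for every mailbox; read them once.
        $contentFilterOn  = (Get-ContentFilterConfig).Enabled
        $orgJunkThreshold = (Get-OrganizationConfig).SCLJunkThreshold
    }
    process {
        $mbx  = Get-Mailbox -Identity $Identity
        $junk = Get-MailboxJunkEmailConfiguration -Identity $Identity

        # The server-side filter lives in a hidden inbox rule, so the difference between
        # the two listings is the number of hidden rules on the mailbox.
        $visibleRules = @(Get-InboxRule -Mailbox $Identity)
        $allRules     = @(Get-InboxRule -Mailbox $Identity -IncludeHidden)

        # A blank per-mailbox threshold means the organization value applies.
        $effectiveJunk = if ($null -ne $mbx.SCLJunkThreshold) { $mbx.SCLJunkThreshold } else { $orgJunkThreshold }

        # Folder counts by FolderType (language-independent). Deletions lives under
        # Recoverable Items; that is where IGNORE and hard deletes put mail, not Deleted Items.
        $byType = @{}
        Get-MailboxFolderStatistics -Identity $Identity |
            Where-Object { $_.FolderType -in 'DeletedItems', 'RecoverableItemsDeletions', 'JunkEmail' } |
            ForEach-Object { $byType[[string]$_.FolderType] = $_.ItemsInFolder }

        [pscustomobject]@{
            Mailbox               = $mbx.Name
            ServerJunkRuleEnabled = $junk.Enabled
            TrustedSenders        = @($junk.TrustedSendersAndDomains)
            BlockedSenders        = @($junk.BlockedSendersAndDomains)
            VisibleInboxRules     = $visibleRules.Count
            HiddenInboxRules      = $allRules.Count - $visibleRules.Count
            ContentFilterEnabled  = $contentFilterOn
            AntispamBypassEnabled = $mbx.AntispamBypassEnabled
            EffectiveSCLJunk      = $effectiveJunk
            SCLDeleteEnabled      = $mbx.SCLDeleteEnabled
            DeletedItemsCount     = $byType['DeletedItems']
            DeletionsCount        = $byType['RecoverableItemsDeletions']
            JunkEmailCount        = $byType['JunkEmail']
        }
    }
}

# Any number of identities can be piped in; the post's placeholder mailbox here.
'foo.user' | Get-MailboxJunkReport | Format-List
```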

Headers

With the server-side EXCHANGE settings set, let's look at the message headers to see if there are any server-side junk-email tags in the headers:
Get-Mailbox foo.user | Search-Mailbox -SearchQuery {Received:"03/01/2021..04/20/2021" AND Subject:"foo-subject"} -TargetMailbox "my.account" -TargetFolder "SearchAndDeleteLog"

RESULT: no EXCHANGE tags are found in the message headers.

Junk E-Mail Configuration Outlook

To reiterate, the state of the junk email rule on the mailbox doesn't affect the client-side junk email settings that are available in the Outlook Junk Email Filter. Even when the junk email rule is disabled on the server-side mailbox, Outlook can still move messages to the Junk Email folder or automatically delete messages.

When the local client-side Outlook Junk Email Filter is set to Low or High, the Outlook Junk Email Filter uses its own SmartScreen filter technology to identify and move spam to the Junk Email folder. This spam classification is separate from the SCL Junk Email threshold that's configured on the Exchange organization or on the mailbox. In fact, Outlook ignores the SCL value that's set on a message by Exchange (for all SCL values other than -1), and uses its own criteria to determine whether the message is spam.

So how to change the local Outlook Junk Email Filter that uses its own SmartScreen filter technology?

Microsoft recommends Group Policy to enable, disable and configure the client-side Junk Email Filter settings available in Outlook, but the same policy values can be set directly in the registry. Once the registry values are set, the setting is greyed out and cannot be changed by the local account.

On the client system with OUTLOOK, check to see if any policies exist:
reg query HKCU\Software\Policies\Microsoft\office\16.0\outlook
reg query HKCU\Software\Policies\Microsoft\office\16.0\outlook\Options\Mail

Disable the local OUTLOOK client JUNK E-MAIL SMARTSCREEN filter; the Options tab can still be changed, and no visual cue shows that the filter is disabled:
echo y |reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Outlook" /v DisableAntiSpam /t REG_DWORD /d 1

Change the JUNK E-MAIL OPTIONS to LOW (policy value 6):
echo y |reg add "HKCU\Software\Policies\Microsoft\office\16.0\outlook\Options\Mail" /v JunkMailProtection /t REG_DWORD /d 6

Change the JUNK E-MAIL OPTIONS to OFF:
echo y |reg add "HKCU\Software\Policies\Microsoft\office\16.0\outlook\Options\Mail" /v JunkMailProtection /t REG_DWORD /d 4294967295
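As an added example (not from the original post), the same policy values read back and decoded, plus an idempotent way to set them. The value meanings for JunkMailProtection follow the Office policy template (-1 Off, 0 Safe Lists Only, 3 High, 6 Low); DisableAntiSpam is the value the post sets above.

```powershell
# Added example, not the post's own code. Audit and set the Outlook client-side
# junk filter policy under HKCU\Software\Policies for a given Office version.
function Get-OutlookJunkPolicy {
    [CmdletBinding()]
    param([string]$OfficeVersion = '16.0')

    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook"
    $mail = "$base\Options\Mail"

    # A missing key or value simply yields $null here.
    $disable = (Get-ItemProperty -Path $base -Name DisableAntiSpam    -ErrorAction SilentlyContinue).DisableAntiSpam
    $level   = (Get-ItemProperty -Path $mail -Name JunkMailProtection -ErrorAction SilentlyContinue).JunkMailProtection

    # REG_DWORD 4294967295 (0xffffffff) reads back through the registry provider as Int32 -1.
    $levelName = if ($null -eq $level) {
        'not set by policy (user controls the Options tab)'
    } else {
        switch ($level) {
            -1      { 'Off (No Automatic Filtering)' }
             0      { 'Safe Lists Only' }
             3      { 'High' }
             6      { 'Low' }
            default { "unrecognised value $level" }
        }
    }

    [pscustomobject]@{
        PolicyKey          = $base
        DisableAntiSpam    = $disable
        FilterDisabled     = ($disable -eq 1)
        JunkMailProtection = $level
        ProtectionLevel    = $levelName
    }
}

function Set-OutlookJunkPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Off', 'SafeListsOnly', 'High', 'Low')][string]$Level,
        [switch]$DisableFilter,
        [string]$OfficeVersion = '16.0'
    )
    $map  = @{ Off = -1; SafeListsOnly = 0; High = 3; Low = 6 }
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook"
    $mail = "$base\Options\Mail"
    foreach ($key in $base, $mail) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    if ($Level -and $PSCmdlet.ShouldProcess($mail, "JunkMailProtection = $($map[$Level]) ($Level)")) {
        # -1 is stored as DWORD 0xffffffff, the same value the reg add above writes for OFF.
        Set-ItemProperty -Path $mail -Name JunkMailProtection -Type DWord -Value $map[$Level]
    }
    # DisableAntiSpam is always written explicitly (1 or 0) so the policy state is never ambiguous.
    if ($PSCmdlet.ShouldProcess($base, "DisableAntiSpam = $([int]$DisableFilter.IsPresent)")) {
        Set-ItemProperty -Path $base -Name DisableAntiSpam -Type DWord -Value ([int]$DisableFilter.IsPresent)
    }
}

Get-OutlookJunkPolicy | Format-List
```

Run `Set-OutlookJunkPolicy -Level Off -DisableFilter -WhatIf` first to see what would be written before applying it.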

Updated Story

Them: I am finally getting the report now. Thank you for helping me!

NOTES:

https://docs.microsoft.com/en-us/powershell/module/exchange/set-mailboxjunkemailconfiguration?view=exchange-ps
https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecating-support-for-smartscreen-in-outlook-and-exchange/ba-p/605332

Last Updated on Thursday, 22 April 2021 14:09

Offline Address Book | OAB

Offline Address Book (OAB) is found with the following:
Get-OfflineAddressBook |fl

To get the needed info:
Get-OfflineAddressBook |select name,GUID,GeneratingMailbox,VirtualDirectories |fl
Get-OabVirtualDirectory |fl

OAB logs are here (default location):
C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog

OAB changes are kept here (default location):
C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\{guid-from-get-offlineaddressbook}

The files inside have a randomly generated GUID2. The manifest is the xml file.

Force an update of OAB:
Get-OfflineAddressBook |update-OfflineAddressBook

The OAB locally is found here:
%LOCALAPPDATA%\Microsoft\Outlook\<GUID2>

The GUID2 matches the GUID2 found on the server.

Please see the following for a deep-dive fix:
http://www.daknetworks.com/blog/584-oab-0x8004010f-hafnium-fix-outlook-address-book-deep-dive-fix

NOTES:
https://techcommunity.microsoft.com/t5/exchange-team-blog/the-case-of-constant-oab-generation-and-full-oab-downloads/ba-p/1031610
https://msexchangeguru.com/2013/12/04/e2013-oab/
https://www.youtube.com/watch?v=AvywR9CWYHs#t=2246

Last Updated on Monday, 03 May 2021 18:53

Find Dell Dock Via Powershell

wget https://downloads.dell.com/FOLDER07071810M/1/DSIAPC_2.4.0.0.msi -outfile DSIAPC_2.4.0.0.msi
msiexec.exe /i "DSIAPC_2.4.0.0.msi" ALLUSERS=1 /qn /norestart /log output.log
start-sleep 120
gwmi -n root\dell\sysinv dell_softwareidentity | select versionstring, elementname |sort elementname |more

Last Updated on Friday, 09 April 2021 09:34

HAFNIUM Scheduled Tasks

The HAFNIUM exploit for Exchange servers has taken everyone by storm.

In short, check for any IOCs by running the Test-ProxyLogon.ps1 script:
https://github.com/microsoft/CSS-Exchange/tree/main/Security

Next, run the Microsoft Support Emergency Response Tool (MSERT) to eliminate any glaring errors:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

The notes on the MSERT are here:
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Some are reporting about Scheduled Tasks doing damage. Here is how to view the Scheduled Tasks:

Get-ScheduledTask | select taskname -ExpandProperty actions | select taskname,execute,arguments | ft -wrap

Some reports of newly created accounts/group so let's check those as well:

$days = (Get-Date).AddDays(-30)
Get-ADUser -Filter * -Property whenCreated | where {$_.whenCreated -gt $days} | ft Name, whenCreated
Get-ADUser -Filter * -Property whenChanged | where {$_.whenChanged -gt $days} | ft Name, whenChanged
Get-ADGroup -Filter * -Property whenCreated | where {$_.whenCreated -gt $days} | ft Name, whenCreated
Get-ADGroup -Filter * -Property whenChanged | where {$_.whenChanged -gt $days} | ft Name, whenChanged

Last Updated on Thursday, 11 March 2021 23:40

Setup Jive | Setup GoTo

Here are my notes on changing to Jive/GoTo:

PBX Server URL:
https://my.jive.com/pbx

SETUP ACCOUNTS IN JIVE:
-click USERS (on left-hand side)
-type in account with phone-set-mac-address.

PROVISIONING-SERVER:
http://$companydomain.onjive.com/p
(or possibly $companydomain.onjive.com/p/$MA)
In DHCP Scope-Options, set the 160-Polycom-Boot-Server-Name to: http://$companydomain.onjive.com/p

TYPE: http (would like for it to be https)
USER: none
PASS: none

JIVE-PASS:
The JIVE Cloud Phone Server (aka JIVE PBX) automatically changes the password to each device. This is found here:
https://my.jive.com/pbx/$companydomain/security

JIVE-NETWORKS:
Phones will need access to the JIVE servers through the firewall:
https://static.jive.com/meta/networks.txt
+199.87.120.0/22
+162.250.60.0/22
+199.36.248.0/22
208.34.80.0/21
208.34.96.0/20
45.12.196.0/24

JIVE-PORTS:
Phone will need access to the following ports:
TCP
5060-5062
80
443

UDP
5060-5062
10000-65500
4000-4999
123

JIVE-SUPPORT-SITE:
https://support.goto.com/connect

JIVE-REBOOT:
Reboot the phone sets and they will automatically change to JIVE. Rebooting can be done by power-cycling the switch PoE port or, if needed, with the following tool:

PolycomVVXControl.exe -a 10.123.123.123 -w password-here reboot
PolycomVVXControl.exe -a 10.123.123.123 -w password-here factoryreset

JIVE-REBOOT-PROBLEMS:
In a few cases, systems were rebooted and changed to the new JIVE PBX server before the account was added in the JIVE PBX PANEL. Since there is no account, the phone changes to the JIVE server but no extension or account is added to the phone.

Trying to factory reset through the phone-web page or PolycomVVXControl doesn't work because JIVE has already changed the password.

But since the new account isn't provisioned, the new password isn't provisioned as well.

What to do? Well, JIVE temporarily sets a provisioning password. Here it is:

POLYCOM PHONES JIVE PROVISION
PASS: 8647

Last Updated on Thursday, 11 March 2021 14:08

Yahoo Email App Password

-go to ATT.com.
-Account > Sign in.
-Manage Profile.
-Sign-in info.
-select Manage secure mail keys (at the bottom)
-Add secure mail key.
-type in a nickname for the secure mail key (example: Outlook).
-click Create-Secure-Mail-Key.
-the new secure mail key is shown and should be used for email access in Outlook/Thunderbird/Mail app.

Last Updated on Monday, 08 March 2021 16:35

HAFNIUM | Verify KB5000871 is Installed

Exploit: HAFNIUM
PATCH: KB5000871

So how do you verify if KB5000871 is installed? Here's how:

SHORT:

Get-WinEvent -LogName System | where{$_.message -match "KB5000871"} | select -First 3

LONG:

Get-WinEvent -LogName System | where{$_.message -match "KB5000871"} | select -First 3 |fl

For me, the following had null results:

get-hotfix | findstr /i KB5000871

or

Get-WinEvent -LogName Setup | where{$_.message -match "KB5000871"}

M365 Find E5 Licenses

Here is how to find all accounts with an E5 license:

get-msoluser -maxresults 1000 |?{($_.islicensed -eq $true) -and ($_.licenses.accountskuid -like "*e5*")}

Here is how to bulk remove everyone with an E5 license (Careful! Be sure you want to do this):

get-msoluser -maxresults 1000 |?{($_.islicensed -eq $true) -and ($_.licenses.accountskuid -like "*e5*")} | set-msoluserlicense -RemoveLicenses "domain-here:SPE_E5"

Last Updated on Tuesday, 16 February 2021 13:57

Install MS Whiteboard

See an appxpackage:

Get-AppxPackage -allusers *Microsoft.Whiteboard*

Here it is in powershell:

Get-AppxPackage -allusers *Microsoft.Whiteboard* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Last Updated on Monday, 08 February 2021 18:00

Azure AD Joined

Let's say that you have a new system in a remote location. The local staff opens the box, powers the system on and logs into the system with their 365 credentials. During that process, that system has become Azure AD Joined.

Systems cannot be both Azure AD joined and Local AD joined.

So, if you have a local AD and try to join the system to the local AD, an error message will show that joining the local AD cannot be done until it is no longer Azure AD Joined.

You can do this one by one, but you're not just tech support... you are a system administrator!

We need to do this from some kind of shell (command prompt or PowerShell).

See if the system is joined to Azure AD or Local AD:

dsregcmd.exe /status

If it is Azure AD joined, leave the Azure AD:

dsregcmd /debug /leave
shutdown -r -t 3

After reboot, you can join the system to the Local AD:

For a single system:

add-computer -domainname domain.tld -Credential domain.tld\firstname.lastname -restart -force

Or to automate a group of systems:

$domain = "domain.tld"
$username = "domain.tld\foo.user.with.joining.privileges"   # an account delegated only the right to join computers, not a domain admin
$password = "password-here" | ConvertTo-SecureString -AsPlainText -Force   # plain text in a script: protect the script file, or prompt with Get-Credential instead
$credential = New-Object System.Management.Automation.PSCredential($username, $password)
Add-Computer -DomainName $domain -Credential $credential
Restart-Computer
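The same procedure as one script, added here as an example (it is not from the original post): it parses dsregcmd /status, leaves Azure AD only when the device is actually joined, and joins the local domain with a credential prompted at run time rather than a password stored in the file. The function names, the optional -OUPath parameter and the account names in the usage line are assumptions; the post reboots between the leave and the join, while this version reboots once at the end through Add-Computer -Restart (if the join fails straight after the leave, reboot and run it again).

```powershell
# Run in an elevated PowerShell session on the device being moved.

function Get-DsregJoinState {
    # Parse the "Key : Value" lines of dsregcmd /status into an object.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined']  -eq 'YES')
        DomainName    = $state['DomainName']
        TenantName    = $state['TenantName']
    }
}

function Move-DeviceToLocalDomain {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,
        # Prompt for this with Get-Credential; never hard-code the join account's password.
        [Parameter(Mandatory)][pscredential]$Credential,
        # Assumed optional target OU, e.g. "OU=Workstations,DC=domain,DC=tld".
        [string]$OUPath
    )
    $join = Get-DsregJoinState
    if ($join.DomainJoined) {
        Write-Host "Already joined to $($join.DomainName); nothing to do."
        return
    }
    if ($join.AzureAdJoined) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Leave Azure AD tenant '$($join.TenantName)'")) {
            dsregcmd.exe /leave | Out-Null
            if ((Get-DsregJoinState).AzureAdJoined) {
                throw "dsregcmd /leave did not clear the Azure AD join; run it in the SYSTEM context and retry."
            }
        }
    }
    $params = @{ DomainName = $Domain; Credential = $Credential; Force = $true; Restart = $true }
    if ($OUPath) { $params.OUPath = $OUPath }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Join domain $Domain")) {
        Add-Computer @params
    }
}

# Usage (the domain and account names are placeholders):
# Move-DeviceToLocalDomain -Domain 'domain.tld' -Credential (Get-Credential 'domain.tld\join.account') -WhatIf
# Move-DeviceToLocalDomain -Domain 'domain.tld' -Credential (Get-Credential 'domain.tld\join.account')
```

-WhatIf shows the leave and join steps without performing them, which is the safe first run on a remote box.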

Last Updated on Monday, 27 September 2021 16:02

Allow Mobile Devices In Exchange

First get the current ALLOWED/BLOCKED state of the devices for an account:
Get-CASMailbox -Identity foo.user | Select-Object "*ActiveSync*"

Next get the device id for an account:
Get-MobileDevice -Mailbox foo.user| fl identity,deviceid

Allow the devices for the account:
Set-CASMailbox -Identity foo.user -ActiveSyncAllowedDeviceIDs @{add='D17VGSSFTP7VB799BVU1HTNH68'}
Set-CASMailbox -Identity foo.user -ActiveSyncAllowedDeviceIDs @{add='7044450f9e54415d907e56e5c09d517f'}
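An added example (not from the original post) that goes a step further than the two commands above: it lists every device that has synced with a mailbox together with its access state and whether it is already on the user's allow or block list, then adds only the quarantined devices of the types you choose. Run it in the Exchange Management Shell; the function names and the default device-type list are assumptions. Per-user allow and block lists override the organization default (Allow, Block or Quarantine), so the last line shows that default as a reminder.

```powershell
function Get-MailboxMobileDeviceReport {
    param([Parameter(Mandatory)][string]$Mailbox)
    $cas = Get-CASMailbox -Identity $Mailbox
    foreach ($dev in Get-MobileDevice -Mailbox $Mailbox) {
        [pscustomobject]@{
            DeviceId        = $dev.DeviceId
            DeviceType      = $dev.DeviceType
            Model           = $dev.DeviceModel
            AccessState     = $dev.DeviceAccessState          # Allowed / Blocked / Quarantined
            Reason          = $dev.DeviceAccessStateReason    # Global, Individual, DeviceRule, Policy ...
            InUserAllowList = [bool]($cas.ActiveSyncAllowedDeviceIDs -contains $dev.DeviceId)
            InUserBlockList = [bool]($cas.ActiveSyncBlockedDeviceIDs -contains $dev.DeviceId)
            FirstSync       = $dev.FirstSyncTime
        }
    }
}

function Approve-QuarantinedMobileDevices {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        # Assumed default: only approve phone/tablet/Outlook clients, not unknown device types.
        [string[]]$AllowedDeviceTypes = @('iPhone', 'iPad', 'Outlook')
    )
    $pending = Get-MailboxMobileDeviceReport -Mailbox $Mailbox |
        Where-Object { $_.AccessState -eq 'Quarantined' -and $_.DeviceType -in $AllowedDeviceTypes }
    foreach ($d in $pending) {
        if ($PSCmdlet.ShouldProcess("$Mailbox / $($d.DeviceId) ($($d.DeviceType) $($d.Model))", 'Add to ActiveSyncAllowedDeviceIDs')) {
            Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{add = $d.DeviceId}
        }
    }
    # Devices on neither per-user list still get the organization default.
    Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel, AdminMailRecipients
}

# Usage:
# Get-MailboxMobileDeviceReport -Mailbox foo.user | Format-Table -AutoSize
# Approve-QuarantinedMobileDevices -Mailbox foo.user -WhatIf
```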

Last Updated on Thursday, 21 January 2021 09:45

RSAT For Bitlocker

Install every RSAT capability in one go (Windows 10 1809 and later, Windows 11; the capabilities come from Windows Update or a Features on Demand source):

DISM.exe /Online /add-capability /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 /CapabilityName:Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0 /CapabilityName:Rsat.CertificateServices.Tools~~~~0.0.1.0 /CapabilityName:Rsat.DHCP.Tools~~~~0.0.1.0 /CapabilityName:Rsat.Dns.Tools~~~~0.0.1.0 /CapabilityName:Rsat.FailoverCluster.Management.Tools~~~~0.0.1.0 /CapabilityName:Rsat.FileServices.Tools~~~~0.0.1.0 /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 /CapabilityName:Rsat.IPAM.Client.Tools~~~~0.0.1.0 /CapabilityName:Rsat.LLDP.Tools~~~~0.0.1.0 /CapabilityName:Rsat.NetworkController.Tools~~~~0.0.1.0 /CapabilityName:Rsat.NetworkLoadBalancing.Tools~~~~0.0.1.0 /CapabilityName:Rsat.RemoteAccess.Management.Tools~~~~0.0.1.0 /CapabilityName:Rsat.RemoteDesktop.Services.Tools~~~~0.0.1.0 /CapabilityName:Rsat.ServerManager.Tools~~~~0.0.1.0 /CapabilityName:Rsat.Shielded.VM.Tools~~~~0.0.1.0 /CapabilityName:Rsat.StorageReplica.Tools~~~~0.0.1.0 /CapabilityName:Rsat.VolumeActivation.Tools~~~~0.0.1.0 /CapabilityName:Rsat.WSUS.Tools~~~~0.0.1.0 /CapabilityName:Rsat.StorageMigrationService.Management.Tools~~~~0.0.1.0 /CapabilityName:Rsat.SystemInsights.Management.Tools~~~~0.0.1.0

Or only the BitLocker recovery tools (the Recovery Password Viewer for AD Users and Computers):

DISM.exe /Online /add-capability /CapabilityName:Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0

On Windows Server, install the feature and its management tools instead:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools

:: Get Bitlocker status:
manage-bde -status

:: Get Bitlocker status powershell:
Get-BitLockerVolume -MountPoint "C:"

:: Suspend Bitlocker for a drive:
manage-bde -protectors -disable C:

:: Suspend Bitlocker for a drive powershell (RebootCount 0 = stays suspended until resumed by hand; 1 = resumes after the next reboot, which is what you want around a firmware update):
Suspend-BitLocker -MountPoint "C:" -RebootCount 0

:: Resume Bitlocker for a drive:
manage-bde -resume C:

:: Resume Bitlocker for a drive powershell:
Resume-BitLocker -MountPoint "C:"

:: Re-enable the protectors on a drive (manage-bde's form of resume; it does not start encryption):
manage-bde -protectors -enable C:

:: Enable Bitlocker for a drive powershell. Enable-BitLocker needs at least one protector switch, so a bare
:: "Enable-BitLocker C:" does not resolve to a parameter set; the form below works. -UsedSpaceOnly encrypts only
:: the used blocks, -SkipHardwareTest skips the reboot self-test, and -RecoveryPasswordProtector adds a 48-digit
:: recovery password. Nothing here writes that password to Active Directory by itself: that needs the
:: "Store BitLocker recovery information in AD DS" Group Policy setting or an explicit backup of the key protector.
Enable-Bitlocker -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector

:: PowerShell command on device to get the status of the local volume (ie C drive):
get-bitlockervolume
get-bitlockervolume |fl

:: Powershell command on device to get the RecoveryPassword
(Get-BitLockerVolume).KeyProtector
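The pieces above as one function, added here as an example (not from the original post): it checks the TPM, adds a recovery password before the TPM protector so the volume is never protected by the TPM alone, starts encryption of the used space, and then backs every recovery password up to the computer object in AD with Backup-BitLockerKeyProtector, which is the step the -RecoveryPasswordProtector switch on its own does not do. It assumes a domain-joined machine whose AD schema and permissions allow the backup (Windows Server 2008 and later domains), and the function name is an assumption.

```powershell
function Enable-ManagedBitLocker {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Host "$MountPoint is already $($vol.VolumeStatus); protection is $($vol.ProtectionStatus)."
    } else {
        $tpm = Get-Tpm
        if (-not $tpm.TpmReady) {
            throw "TPM is not ready (present=$($tpm.TpmPresent), enabled=$($tpm.TpmEnabled)); fix that in the BIOS first."
        }
        if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable BitLocker with TPM + recovery password')) {
            # Recovery password first: if the TPM measurements change later there is always a way back in.
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
            Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
        }
    }

    # Escrow every recovery password to AD; without this (or the GPO) the 48 digits live only on the machine.
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) { throw "No recovery password protector on $MountPoint" }
    foreach ($p in $recovery) {
        if ($PSCmdlet.ShouldProcess($p.KeyProtectorId, 'Backup-BitLockerKeyProtector to AD DS')) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
            @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
}

# Usage:
# Enable-ManagedBitLocker -MountPoint 'C:' -WhatIf
# Enable-ManagedBitLocker -MountPoint 'C:'
```

After it runs, the recovery password should show up under the computer object in AD Users and Computers (BitLocker Recovery tab, which is what the Rsat.BitLocker.Recovery.Tools capability above installs).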


NOTES:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer
https://4sysops.com/archives/enable-bitlocker-with-powershell/
https://4sysops.com/archives/configure-and-enabling-bitlocker-on-windows-server/
https://4sysops.com/archives/store-and-retrieve-bitlocker-recovery-keys-from-active-directory/
https://www.rebeladmin.com/2019/09/step-step-guide-enable-bitlocker-cloud-managed-windows-10-devices-using-microsoft-intune/

Last Updated on Monday, 10 October 2022 14:08

Social Media Secret Agent

Perception is reality. Nothing defines our modern brave new world better than that statement.

If you are an agent or hold a position and nobody knows about it, you're a secret agent. The reason nobody knows about it is that they don't see you in their daily incessant stream of information.

Breaking through clutter is one topic. Another is having the information there when they are searching for you.

Truth be told, most don't even do that. The general public searches and finds no information. None. That is a death blow.

To be found, the following must be established:

  1. contact email address
  2. contact phone number
  3. about me / about us / what we do
  4. headshot / lead shot
  5. main photo

This is the most basic information, and it needs to be settled first. If it is not, people will still find information; it just won't be what you want it to be.

What comes next depends on the industry you are in. For example, if you are in real estate sales, the following may apply:

  1. realtor.com
  2. trulia.com
  3. zillow.com
  4. broker web site / company web site
  5. personal web site
  6. facebook.com/yourbusinesspage
  7. twitter
  8. instagram
  9. linkedin
  10. maps
  11. yelp
  12. mls / board membership
  13. youtube
  14. far
  15. nar
  16. dbpr / state licensing

Spend some time making sure that your contact info is the same at all of the industry-specific places.

Last Updated on Wednesday, 25 November 2020 07:15

Install Certificate on Tomcat 7

I did the following:

  1. -created a request (CSR) at the Tomcat install.
  2. -bought a certificate at GoDaddy (I know, I know... client request).
  3. -submitted the CSR.
  4. -received the certificate back.

At this point, all I had to do was install the intermediate and then install the certificate reply to the CSR. Tomcat says no.... chain not valid.

I tried many intermediate and root certificates in the GD repository but the final certificate would not install.
https://certs.godaddy.com/repository

Nothing worked for me at this point.

Here is how to fix:

  1. -uninstall any certificate intermediate or root that I installed.
  2. -open the certificate from GD in Windows.
  3. -click the tab for the Certificate Path (at the top).
  4. -click the intermediate certificate (the one in the middle).
  5. -click VIEW-CERTIFICATE > DETAILS > COPY-TO-FILE
  6. -click BASE-64-ENCODED-X-509

Now combine them (the leaf certificate first, then the intermediate that issued it):

  1. -open the certificate from GD in a text editor.
  2. -open the intermediate certificate in a text editor.
  3. -copy and paste the intermediate certificate directly below the GD certificate, like so:
    -----BEGIN CERTIFICATE-----
    MIICajCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVSzEa ....
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIICkjCCAfugAwIBAgIJAKm5bDEMxZd7MA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNV ....
    -----END CERTIFICATE-----
  4. -save the certificate.
  5. -install the combined certificate in Tomcat as the reply to the CSR.
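The GUI steps above (open the certificate, read the Certification Path, export the intermediate, paste the blocks together) as one PowerShell function, added here as an example and not part of the original post. It uses the same Windows chain engine the certificate viewer uses, so a missing intermediate is fetched through the AIA URL in the certificate exactly as the viewer does, and it writes leaf plus intermediates as a single Base64 PEM file ready for Tomcat. The function name and the output path are assumptions.

```powershell
function Export-CertificateChainPem {
    param(
        [Parameter(Mandatory)][string]$CertPath,   # the certificate the CA sent back (.crt/.cer, DER or Base64)
        [Parameter(Mandatory)][string]$OutPath,    # combined PEM to import into Tomcat
        [switch]$IncludeRoot                       # Tomcat normally only needs leaf + intermediates
    )
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Build the path the Windows certificate viewer shows. Revocation is skipped on purpose: the goal is
    # the list of issuers, and a CRL fetch failure should not hide it.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($leaf)) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "Chain status: $($s.Status) - $($s.StatusInformation)"
        }
    }

    $blocks = foreach ($element in $chain.ChainElements) {     # element 0 is the leaf, then each issuer
        $c = $element.Certificate
        $isRoot = ($c.Subject -eq $c.Issuer)
        if ($isRoot -and -not $IncludeRoot) { continue }
        Write-Verbose "Adding: $($c.Subject)"
        # PEM wants 64-character Base64 lines.
        $b64 = ([Convert]::ToBase64String($c.RawData) -replace '(.{64})', "`$1`n").TrimEnd("`n")
        "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
    }

    if (@($blocks).Count -lt 2 -and -not $IncludeRoot) {
        Write-Warning "Only the leaf was written; no intermediate was found in the built chain."
    }
    Set-Content -Path $OutPath -Value ($blocks -join "`n") -Encoding Ascii
    @($blocks).Count   # number of certificates written
}

# Usage (paths are placeholders):
# Export-CertificateChainPem -CertPath 'C:\certs\site.crt' -OutPath 'C:\certs\site-chain.pem' -Verbose
```

A count of 2 or more means the file holds the leaf and at least one intermediate, which is the shape Tomcat accepted in the fix above. If the chain build warns about an untrusted root, the intermediate is still exported; the warning means the host itself does not trust the CA, which is a separate problem.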

Find TomCat Version

Tomcat runs on Java. To find the Tomcat version, you first have to find where Java is installed, and that can be anywhere.

For me, the location is:

C:\Program Files\HelpSystems\GoAnywhere\jre\bin

So open cmd and change to the location:

cd "C:\Program Files\HelpSystems\GoAnywhere\jre\bin"

Find the Java version:

java -version

I get:

openjdk version "1.8.0_192"
OpenJDK Runtime Environment (Zulu 8.33.0.1-win64) (build 1.8.0_192-b01)
OpenJDK 64-Bit Server VM (Zulu 8.33.0.1-win64) (build 25.192-b01, mixed mode)

To find the Tomcat version (Tomcat 7 reached end of life in March 2021, so a 7.0.x result is itself a finding):

java -cp "C:\Program Files\HelpSystems\GoAnywhere\tomcat\lib\catalina.jar" org.apache.catalina.util.ServerInfo

I get:

Server version: Apache Tomcat/7.0.105
Server built:   Jul 2 2020 12:25:26 UTC
Server number:  7.0.105.0
OS Name:        Windows Server 2016
OS Version:     10.0
Architecture:   amd64
JVM Version:    1.8.0_192-b01
JVM Vendor:     Azul Systems, Inc.

Enable 2FA in Microsoft365 | Enable MFA in Microsoft365

MFA seems to be in a few places. Here it is:

1
AAD > USERS
MULTI-FACTOR-AUTHENTICATION (at the top; this opens the legacy per-user MFA portal)
checkmark usernames
ENABLE (on the right)

2
AAD > SECURITY > IDENTITY-PROTECTION
MFA-REGISTRATION-POLICY
The MFA registration policy in IDENTITY-PROTECTION requires an Azure AD Premium P2 license; without it the blade is visible but the policy does nothing.

3
AAD > SECURITY > AUTHENTICATION-METHODS

4
AAD > SECURITY > MULTIFACTOR-AUTHENTICATION

5
AAD > USERS > USER-SETTINGS > MANAGE-USER-FEATURE-SETTINGS

6
AAD > USERS > PROPERTIES > MANAGE-SECURITY-DEFAULTS
(Security defaults are tenant-wide, need no P1/P2 license and require every user to register for MFA; they cannot be used together with Conditional Access policies.)

If you need to check the MFA settings for an account through PowerShell (MSOnline module):

Get-MsolUser -UserPrincipalName user@domain.tld |select strongauthentication*

If you need to clear the MFA settings for an account through PowerShell (the user has to register again at the next sign-in):
Set-MsolUser -UserPrincipalName user@domain.tld -StrongAuthenticationMethods @()
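An added example (not from the original post) that turns the two commands above into a tenant-wide report: for every licensed user it shows the legacy per-user MFA state, the registered methods and the default one, and a second function lists the licensed users with nothing registered, which is the list worth chasing whichever of the six places above you enforce MFA from. It assumes Connect-MsolService has already been run; the function names are assumptions, and note that the MSOnline module is deprecated in favour of Microsoft Graph PowerShell, so this works only while the module still does. A user with no per-user requirement can still be prompted for MFA by Conditional Access or security defaults; the report only reflects what MSOnline exposes.

```powershell
function Get-MfaRegistrationReport {
    Get-MsolUser -All | Where-Object { $_.IsLicensed } | ForEach-Object {
        $methods = @($_.StrongAuthenticationMethods)
        $req     = @($_.StrongAuthenticationRequirements)
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            # Legacy per-user MFA: Enabled / Enforced, or Disabled when no requirement is set.
            PerUserMfaState   = if ($req.Count) { $req[0].State } else { 'Disabled' }
            RegisteredMethods = ($methods | ForEach-Object { $_.MethodType }) -join ','
            DefaultMethod     = ($methods | Where-Object { $_.IsDefault } | ForEach-Object { $_.MethodType }) -join ','
            Registered        = ($methods.Count -gt 0)
        }
    }
}

function Get-UsersWithoutMfa {
    # Licensed accounts that could sign in with a password alone if nothing else enforces MFA.
    Get-MfaRegistrationReport | Where-Object { -not $_.Registered }
}

function Reset-UserMfaMethods {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear registered MFA methods (user re-registers at next sign-in)')) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @()
    }
}

# Usage:
# Connect-MsolService
# Get-MfaRegistrationReport | Export-Csv -NoTypeInformation -Path .\mfa-report.csv
# Get-UsersWithoutMfa | Format-Table -AutoSize
# Reset-UserMfaMethods -UserPrincipalName user@domain.tld -WhatIf
```

Resetting methods is the right response when a user reports a phone they no longer own is still the default: it removes the old registration instead of leaving it as a fallback.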

NOTES:
https://endpoint.microsoft.com
https://security.microsoft.com
https://entra.microsoft.com
https://aka.ms/mfasetup

Last Updated on Wednesday, 05 October 2022 15:07

Exchange Queue

Let's say that you have a loop because someone setup an INBOX RULE to forward to an outside domain that is having problems.

How do you clear the queue of 1M messages that show as a result?

To clear the incoming messages that have arrived in the inbox:

Get-Mailbox account.name | Search-Mailbox -SearchQuery {from: user@domain.tld} -DeleteContent

To clear the messages in the queue for the recipient:

Get-ExchangeServer |?{$_.IsHubTransportServer -eq $true} |Get-Queue |get-message -ResultSize unlimited |?{$_.recipient -eq 'user@domain.tld'} |Remove-Message -WithNDR $False -Confirm:$False

To clear the messages in the queue for the postmaster <>:

Get-ExchangeServer |?{$_.IsHubTransportServer -eq $true} |Get-Queue |get-message -ResultSize unlimited |?{$_.sender -eq '<>'} |Remove-Message -WithNDR $False -Confirm:$False
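Purging the queue treats the symptom; the loop comes back until the rule is gone. As an added example (not from the original post), the first function below finds every inbox rule in the organization that forwards or redirects to an address outside your accepted domains, which is also the standard check for a compromised mailbox, since attackers plant exactly that kind of rule. The second ranks the recipients across all Hub Transport queues so the loop victim is obvious before anything is deleted. Run both in the Exchange Management Shell; the function names and the domain list in the usage lines are assumptions.

```powershell
function Get-ExternalForwardingRules {
    param(
        # Your accepted domains; anything else is treated as external.
        [Parameter(Mandatory)][string[]]$InternalDomain
    )
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            # Internal recipients render as "[EX:/o=...]"; only "[SMTP:...]" targets can leave the org.
            $external = foreach ($t in $targets) {
                if ("$t" -match '\[SMTP:([^\]]+)\]') {
                    $addr = $Matches[1]
                    if ($InternalDomain -notcontains ($addr -split '@')[-1]) { $addr }
                }
            }
            if ($external) {
                [pscustomobject]@{
                    Mailbox         = $mbx.PrimarySmtpAddress
                    Rule            = $rule.Name
                    Enabled         = $rule.Enabled
                    ExternalTargets = ($external -join '; ')
                }
            }
        }
    }
}

function Get-QueueRecipientSummary {
    param([int]$Top = 10)
    # Count queued messages per recipient address across every Hub Transport queue.
    Get-ExchangeServer | Where-Object { $_.IsHubTransportServer } | Get-Queue |
        Get-Message -ResultSize Unlimited |
        ForEach-Object { $_.Recipients | ForEach-Object { $_.Address } } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, Name -First $Top
}

# Usage (domains and rule name are placeholders):
# Get-ExternalForwardingRules -InternalDomain 'domain.tld', 'domain.net' | Format-Table -AutoSize
# Get-QueueRecipientSummary
# Disable-InboxRule -Mailbox account.name -Identity 'Forward to outside'   # stop the loop, then purge the queue
```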

Hyper V General access denied error

IDE/ATAPI Account does not have sufficient privilege to open attachment 'E:\VMs\VMName\Disk0.vhd. Error: 'General access denied error'

What this is trying to tell you is that Hyper-V runs each VM under its own hidden virtual account, named after the VM's ID (a GUID). That account is what holds access to the VHDs.

If you were to do something like move the VHDs off the drive, expand the drive and move them back onto the new drive, the ACLs are not carried along and the VM's account no longer has access.

No problem. Just add the permissions back in.

Look at the details of the error message and it will tell you the account name. Something like:

AE78918D-FE0E-4E6D-AFF5-25B32D4FE243

In command prompt (as admin), type something like:

C:\>icacls "F:\VHD\VHD-NAME-HERE.avhdx" /grant "NT VIRTUAL MACHINE\AE78918D-FE0E-4E6D-AFF5-25B32D4FE243":(F)

It will respond with something like:

processed file: F:\VHD\VHD-NAME-HERE_756DFD7E-5E29-4ABA-B12F-40BAD636E2A2.avhdx
Successfully processed 1 files; Failed processing 0 files

Now start the VM and it should start without hassle.
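The icacls line above fixes one file. An added example (not from the original post) that does the same for every disk attached to a VM: it reads the VM ID with Get-VM instead of copying it out of the error text, walks the differencing chain so a checkpoint .avhdx gets its parent .vhdx fixed too, and grants only where the VM's account is not already present. Run it on the host in an elevated session; the function name is an assumption, and (F) is the right the post used.

```powershell
function Repair-VMDiskAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName
    # Hyper-V runs the VM's worker process under this virtual account.
    $account = "NT VIRTUAL MACHINE\$($vm.Id.ToString().ToUpper())"

    foreach ($drive in Get-VMHardDiskDrive -VMName $VMName) {
        $path = $drive.Path
        # Follow ParentPath so a checkpoint (.avhdx) and every disk beneath it are covered.
        while ($path) {
            $existing = Get-Acl -Path $path | Select-Object -ExpandProperty Access |
                Where-Object {
                    $_.IdentityReference.Value -eq $account -and
                    $_.AccessControlType -eq 'Allow' -and
                    $_.FileSystemRights -eq 'FullControl'
                }
            if ($existing) {
                Write-Verbose "$path already grants $account"
            } elseif ($PSCmdlet.ShouldProcess($path, "icacls /grant $account:(F)")) {
                icacls.exe $path /grant "${account}:(F)" | Out-Null
            }
            $path = (Get-VHD -Path $path).ParentPath
        }
    }
}

# Usage (VM name is a placeholder):
# Repair-VMDiskAcl -VMName 'VMName' -WhatIf -Verbose
# Repair-VMDiskAcl -VMName 'VMName'
# Start-VM -Name 'VMName'
```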

NOTES:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/virtualization/hyper-v-virtual-machine-not-start-0x80070005

Last Updated on Tuesday, 15 September 2020 14:43

Nic Teaming Cisco Flapping For Server Host Hyper-V or VMware

This is solved by creating a port-channel (bond/LAG/EtherChannel) on the Cisco switch.

Two things have to match between the switch and the host, or the ports flap: the channel mode and the VLAN list. `channel-group 1 mode on` is a static channel with no LACP, so the host side must also be static (VMware vSwitch with "Route based on IP hash", or a static team on Hyper-V); if the host team uses LACP, use `channel-group 1 mode active` instead. The allowed-VLAN list must be identical on the port-channel and on every member port, otherwise IOS suspends the mismatched member.

Here is my config:

interface Port-channel1
description LAG to Server Host 1
switchport
switchport trunk allowed vlan 1-3
switchport mode trunk
switchport nonegotiate

!

interface GigabitEthernet1/1
description LAG Server Host 1 Member 1
switchport
switchport trunk allowed vlan 1-3
! allowed list must match the port-channel
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on

!

interface GigabitEthernet1/2
description LAG Server Host 1 Member 2
switchport
switchport trunk allowed vlan 1-3
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on

Recovering Foreign/Unconfigured (bad) drives

The controller says a foreign configuration was detected during boot. All of the drive bays have red lights on them. I try to import the configuration, but it fails.

Failure to import arrays usually means that the drives were unexpectedly powered off or disconnected from the RAID controller, which puts them in the Unconfigured(bad) state. This is done as a precautionary measure to prevent drives with bad connections from joining the array, as sudden disconnects can result in data corruption.

These scenarios may also be accompanied by errors regarding preserved-cache on the controller, where if there were pending write operations at the time of the failure the controller holds the data until the disks are verified working, again as a preventative measure against data corruption.

Drives stuck in the Unconfigured(bad) state need to be manually set back to Unconfigured(good) before they will be importable. Please be aware that this procedure does not guarantee that your data will be restored, and has the potential to further damage your data if the drives are failing due to hardware defects. 

If you want to import the configuration anyway, you can set drives to Unconfigured(good) through the MegaRAID BIOS, then retry to import configuration.

1. Start the LSI/Avago MegaRAID BIOS configuration utility.

2. Click DRIVES (on the left-hand side).

3. Select an unconfigured drive, click PROPERTIES > GO.

4. Click Make Unconf Good > Go.
Do this for every Unconfigured(bad) drive.

5. Once all the drives have been marked good, head back to the MegaRAID BIOS home page, then click on Scan Devices to initiate a rescan of the enclosures. This should then prompt you with any foreign configurations detected, which you can then import.
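The same recovery from the booted OS, added here as an example and not part of the original post. It assumes Broadcom's StorCLI (storcli64.exe) is installed and on the PATH, which is the command-line counterpart of the MegaRAID BIOS for these controllers: it lists the physical drives, flips every Unconfigured(bad) drive to Unconfigured(good), shows the preserved cache and the foreign configuration, and imports it only when you confirm. The function names and the controller number are assumptions, and the warning in the text still applies: if the drives dropped because they are failing, this can make things worse.

```powershell
function Get-StorcliDriveStates {
    param([int]$Controller = 0)
    # "storcli /c0/eall/sall show" prints one row per drive: EID:Slt DID State DG Size ...
    $rows = & storcli64.exe "/c$Controller/eall/sall" show
    foreach ($line in $rows) {
        if ($line -match '^\s*(\d+):(\d+)\s+(\d+)\s+(UBad|UGood|Onln|Offln|GHS|DHS|JBOD|Rbld|Missing)\b') {
            [pscustomobject]@{
                Enclosure = [int]$Matches[1]
                Slot      = [int]$Matches[2]
                DeviceId  = [int]$Matches[3]
                State     = $Matches[4]
            }
        }
    }
}

function Repair-ForeignConfiguration {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Controller = 0)

    $bad = @(Get-StorcliDriveStates -Controller $Controller | Where-Object { $_.State -eq 'UBad' })
    Write-Host "Unconfigured(bad) drives: $($bad.Count)"
    foreach ($d in $bad) {
        if ($PSCmdlet.ShouldProcess("enclosure $($d.Enclosure) slot $($d.Slot)", 'set good force')) {
            & storcli64.exe "/c$Controller/e$($d.Enclosure)/s$($d.Slot)" set good force
        }
    }

    # Preserved cache holds writes that never reached the disks; review it before importing.
    & storcli64.exe "/c$Controller" show preservedcache
    # Equivalent of "Scan Devices": list what the controller now sees as foreign.
    & storcli64.exe "/c$Controller/fall" show
    if ($PSCmdlet.ShouldProcess("controller $Controller", 'import foreign configuration')) {
        & storcli64.exe "/c$Controller/fall" import
    }
    Get-StorcliDriveStates -Controller $Controller
}

# Usage:
# Get-StorcliDriveStates | Format-Table -AutoSize
# Repair-ForeignConfiguration -Confirm
```

Running it with -Confirm prompts at each drive and again before the import, which keeps the order the BIOS procedure uses: mark good, rescan, then import.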

Last Updated on Sunday, 11 October 2020 17:00

Find Cluster Size in Partition

Dealing with a data array of 24 physical disks. The controller is a MegaRaid/LSI/Avago/Broadcom 3108 firmware v24.9.0-0022. The physical disks are 500GB drives giving about 9TB.

Wanting to upgrade the storage space, I replaced the drives with 2 TB physical disks. This was done on-the-fly, 1-at-a-time so that the office was not disrupted. Fail disk, remove disk, insert new disk, let it re-raid. The process took about an hour a disk and I was able to complete over a few days.

With the new space available, I was able to grow the virtual-disk on the fly. Took about 8 hours to initialize.

With the disk space available, I wanted to expand the volume in Windows Disk Manager but got an error message:

"The volume cannot be extended because the number of clusters will exceed the maximum number of clusters supported by the file system."

Well, how many clusters do I have? Type:

fsutil fsinfo ntfsinfo f:

This shows that the cluster size (Bytes Per Cluster) is 4 KB; this is the default size. NTFS addresses clusters with a 32-bit number, so the cluster size caps the volume size.

As such, the official docs say that the max size for a 4 KB cluster is 16 TB:

Cluster size           Largest volume   Largest file
4 KB (default size)    16 TB            16 TB
8 KB                   32 TB            32 TB
16 KB                  64 TB            64 TB
32 KB                  128 TB           128 TB
64 KB (maximum size)   256 TB           256 TB

The only way around this is to reformat the drive with a larger cluster size, which means moving the data off and back. (Windows 10 1709 / Server 2019 and later also accept cluster sizes above 64 KB; the table is the range that applied here.)
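An added example (not from the original post) for doing that check before the extend fails: the first function reads the cluster size from Get-Volume and reports the volume's ceiling and headroom from the 32-bit cluster count the table is built on, and the second picks the smallest cluster size in the table that fits a planned capacity, so the reformat is sized once. The function names are assumptions.

```powershell
function Get-NtfsGrowthHeadroom {
    param([Parameter(Mandatory)][string]$DriveLetter)

    $vol = Get-Volume -DriveLetter $DriveLetter.TrimEnd(':')
    if ($vol.FileSystem -ne 'NTFS') { throw "$DriveLetter is $($vol.FileSystem), not NTFS" }

    $clusterBytes = [int64]$vol.AllocationUnitSize
    $maxClusters  = [int64][math]::Pow(2, 32)      # 32-bit cluster numbers; the table's figures are this times the cluster size
    $maxBytes     = $maxClusters * $clusterBytes

    [pscustomobject]@{
        Drive         = "$($vol.DriveLetter):"
        ClusterSizeKB = $clusterBytes / 1KB
        VolumeSizeTB  = [math]::Round($vol.Size / 1TB, 2)
        MaxVolumeTB   = [math]::Round($maxBytes / 1TB, 2)
        HeadroomTB    = [math]::Round(($maxBytes - $vol.Size) / 1TB, 2)
    }
}

function Get-ClusterSizeForVolume {
    param([Parameter(Mandatory)][double]$TargetTB)
    $maxClusters = [math]::Pow(2, 32)
    # Smallest cluster size from the table whose ceiling covers the target; small clusters waste less space.
    foreach ($kb in 4, 8, 16, 32, 64) {
        if ($maxClusters * $kb * 1KB -ge $TargetTB * 1TB) { return $kb }
    }
    throw "A $TargetTB TB volume exceeds the 256 TB limit of a 64 KB cluster"
}

# Usage:
# Get-NtfsGrowthHeadroom -DriveLetter F
# Get-ClusterSizeForVolume -TargetTB 40     # -> 16 (KB)
```

A negative or near-zero headroom is the condition behind the Disk Manager error. The returned cluster size is what to pass as -AllocationUnitSize to Format-Volume after the data has been copied off; that format destroys everything on the volume, so there is deliberately no format step in the example.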

NOTES:
https://docs.microsoft.com/en-us/windows-server/storage/file-server/ntfs-overview

Last Updated on Wednesday, 19 July 2023 12:34

Outlook 365 Will Not Connect to Gmail

1- turn on 2-STEP-VERIFICATION here:
https://myaccount.google.com/security

2- create an APP-PASSWORD
(select MAIL > WINDOWS)
(it will give a random password such as: sdfs sdfd dfas hfgr)
(an app password bypasses 2-Step Verification for that one credential, so it is as sensitive as the account password; revoke it on the same page when the mailbox is removed)

3- disable SIMPLE ACCOUNT CREATION in OUTLOOK:
(download disable SIMPLE ACCOUNT CREATION)
(double-click to import; the value it sets is DisableOffice365SimplifiedAccountCreation = 1 (DWORD) under HKCU\Software\Microsoft\Office\16.0\Outlook\setup)

4- restart OUTLOOK

5- add the gmail account
(use the APP-PASSWORD with no spaces)
(do NOT use the password you use to sign in to the account)

Last Updated on Friday, 04 September 2020 15:41

Dell Latitude 7490 BSOD | WHEA UNCORRECTABLE ERROR

  • -go to the Device Manager.
  • -click DISPLAY ADAPTER
  • -uninstall the display adapter and delete the driver.
  • -reboot.
  • -repeat until the base driver shows: Microsoft Display Adapter
  • -download the video driver from: https://support.dell.com
  • -run file and EXTRACT (not install).
  • -right-click Microsoft Display Adapter.
  • -update driver.
  • -manually select the extracted-folder\Graphics
  • -let it install.
  • -reboot.

NOTES:
-https://www.dell.com/support/article/en-us/sln313066/latitude-5x80-5x90-7x80-7x90-and-precision-3520-windows-hardware-error-architecture-whea-blue-screen-or-system-hang?lang=en

Last Updated on Wednesday, 12 August 2020 09:57

WSUS Server Keeps Stopping

Internet Information Services (IIS) Manager → Server → Application Pools → Select “WSUSPool” → Actions Advanced → Recycling → change “Private Memory Limit (KB)“.

-set to 0 (no limit; the default limit is what keeps recycling the pool, and on a busy server the pool legitimately needs several GB).
-started WSUSPool.
-started Windows WSUS service.
-started cleanup.

The default settings for WSUS are woefully inadequate. See either of the following for a WSUS Setup speedrun or a WSUS Complete Setup in depth:
http://www.daknetworks.com/blog/408-wsus-setup
http://www.daknetworks.com/blog/658-wsus-complete-setup

Last Updated on Sunday, 12 March 2023 13:06

Surface Pro Keyboard Does Not Work | Surface Pro Type Pad Does Not Work | Surface Book Keyboard Does Not Work

-open CMD (as admin)
-type:systeminfo (to verify Surface model:Surface Pro 4).
-download/install newest drivers/firmware for Surface model.
-reboot.
-device-manager.
-show hidden devices (click VIEW at the top).
-human-interface-devices.
-surface type pad integrator > delete > checkmark to remove drivers.
-keyboard.
-uninstall all keyboards.
-shutdown.
-hold volume-up and power button for full 30 seconds.
-power on.
-type pad should work.

Cisco Set Trunk For Watchguard AP

Have a Watchguard AP 325. The Cisco switches are 2960. They are POE.

The Watchguard AP 325 powers up and gets an IP address. The Watchguard Firebox cannot see the AP. What gives?

Well, the port it is on is not set as a trunk port. A trunk port carries traffic for multiple VLANs on one link, each frame tagged (802.1Q) with its VLAN; think of it as a "bundle" of VLANs.

Since the AP bridges several SSIDs onto different VLANs, its switch port needs to be a trunk.

Here's how (the native VLAN is the one that carries untagged frames, so it must be the VLAN the AP uses for its own management traffic; switchport access vlan only applies if the port is ever switched back to access mode):

enable
show interface status | include trunk
config t
int Gi3/0/34
Description Whatever AP Name Here
switchport mode trunk
switchport access vlan 1
switchport trunk native vlan 300
no switchport voice vlan
switchport trunk allowed vlan 300-306
end

show int Gi3/0/34 switchport
show int Gi3/0/34 trunk

write mem
copy run start

Class dismissed!

Last Updated on Wednesday, 29 July 2020 17:57

aksfridge.sys BSOD on Windows Update | Sentinel Causes BSOD

-updated RST driver.
-wget https://downloadmirror.intel.com/29647/eng/SetupRST.exe -outfile setuprst-v17.9.1.1009.exe
-setuprst-v17.9.1.1009.exe -accepteula -s
-reboot

-bsod being caused by aksfridge.sys
-this is the SENTINEL bug.
-download the command line:
https://supportportal.gemalto.com/csm?sys_kb_id=979a4e21db92e78cfe0aff3dbf9619c6&id=kb_article_view&sysparm_rank=7&sysparm_tsqueryId=4ad5b82e1bfc5410f12064606e4bcb15&sysparm_article=KB0018319

a. Go to this site: https://sentinelcustomer.safenet-inc.com/sentineldownloads/
b. Click: Sentinel LDK RunTime & Drivers
c. Download: "Sentinel HASP/LDK - Command Line Run-time Installer".
d. Unzip the files.
e. In an elevated command prompt (run cmd.exe as an administrator) navigate to the location where you unzipped haspdinst.exe.
f. Type the command “haspdinst.exe -remove” without quotes and press Enter.
g. When it finishes successfully, type the command “haspdinst.exe -purge” without quotes and press Enter.
h. When this finishes successfully, the HASP drivers should now be uninstalled. Re-boot and try the upgrade again.

Fix Microsoft Windows Store | Fix Windows Calculator App

-go to: C:\Program Files\WindowsApps
-change ownership to ADMINISTRATORS.
-change permissions to ADMINISTRATORS | FULL-PERMISSIONS
(this folder is owned by TrustedInstaller for a reason; change only what you need, because the new ACL stays behind after the fix)
-look in the list for the APP that won't work (ie CALCULATOR).
-delete the folders.

1. Copy URL for the Microsoft Windows Store app: https://www.microsoft.com/en-gb/p/microsoft-store/9wzdncrfjbmp?activetab=pivot:overviewtab
2. Paste copied URL into search box: https://store.rg-adguard.net/
(this is a third-party site that looks up Microsoft's own download links; before installing anything it hands you, confirm the package carries a valid Microsoft Authenticode signature)
3. Find WINDOWS STORE. There will be 2 versions
12007.1001.213.0
12007.1001.213.70
4. Download the version ending in .0 (the second latest), not .70
5. Run the file and select Install
6. SETTINGS > APPS
7. click STORE
8. click ADVANCED-OPTIONS
9. click RESET

Last Updated on Friday, 17 July 2020 17:33

Dell Installation Command Lines

Dell Installation Command Lines just in case anyone needs them. Each command provisions one Dell app bundle for all users, with its framework dependencies and the license file that ships beside it:

dism /online /add-provisionedappxpackage /packagepath:C:\\DELL\27T76\175eee777610486798c16be30cbbe29b.appxbundle /dependencypackagepath:C:\\DELL\27T76\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\DELL\27T76\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.appx /licensepath:C:\\DELL\27T76\175eee777610486798c16be30cbbe29b_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:C:\\DELL\2PGXF\f68432bfe31a4034a94b2fa07b206df6.appxbundle /licensepath:C:\\DELL\2PGXF\f68432bfe31a4034a94b2fa07b206df6_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:C:\\Apps\334CH\DELL\334CH\11023d4f34c14610a6161cf4fb3c0d78.appxbundle /d
ependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\\Apps\334CH\DELL\334CH\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.appx /licensepath:C:\\Apps\334CH\DELL\334CH\11023d4f34c14610a6161cf4fb3c0d78_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\5NT2Y\RstHsaBridge_17.5.1005.0_x64_bundle.appxbundle /dependencypackagepath:c:\dell\5NT2Y\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27323.0_x64__8wekyb3d8bbwe.appx /licensepath:c:\dell\5NT2Y\2ab1a93c7f5944c7a5d2413b3f1decaf_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\8R3T7\2ccd06ab93a5461080ec95e9acfddb44.appxbundle /dependencypackagepath:c:\dell\8R3T7\Microsoft.NET.Native.Framework.1.7_1.7.27413.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.VCLibs.140.00_14.0.26706.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.NET.Native.Framework.1.7_1.7.27413.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\8R3T7\Microsoft.VCLibs.140.00_14.0.26706.0_x86__8wekyb3d8bbwe.appx /licensepath:c:\dell\8R3T7\2ccd06ab93a5461080ec95e9acfddb44_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\9R2CY\d8eb3d301c8e44c893460c573e2524e3.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.NET.Native.Framework.2.1_2.1.27427.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.NET.Native.Runtime.2.1_2.1.26424.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.NET.Native.Framework.2.1_2.1.27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.NET.Native.Runtime.2.1_2.1.26424.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\9R2CY\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.appx /licensepath:c:\dell\9R2CY\d8eb3d301c8e44c893460c573e2524e3_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\CPWK1\99a6dd26bc5645b3a738200b2f69ca51.appxbundle /licensepath:c:\dell\CPWK1\99a6dd26bc5645b3a738200b2f69ca51_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\NXM09\5fb8f189f2804baeb42a158867b0ba1d.appx /licensepath:c:\dell\NXM09\5fb8f189f2804baeb42a158867b0ba1d_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:c:\dell\P17DD\6b148b557f42489bad3fd35943962277.appxbundle /dependencypackagepath:c:\dell\P17DD\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:c:\dell\P17DD\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.appx /licensepath:c:\dell\P17DD\6b148b557f42489bad3fd35943962277_License1.xml /Region="all"

dism /online /add-provisionedappxpackage /packagepath:C:\Apps\YR2T2\560274d333d4453891d8ec26f03f7a7c.appxbundle /dependencypackagepath:C:\Apps\YR2T2\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.NET.Native.Framework.2.0_2.0.27427.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.NET.Native.Runtime.2.0_2.0.25709.0_x86__8wekyb3d8bbwe.appx /dependencypackagepath:C:\Apps\YR2T2\Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.appx /licensepath:C:\Apps\YR2T2\560274d333d4453891d8ec26f03f7a7c_License1.xml /Region="all"
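Every one of those commands has the same shape: one main bundle, the Microsoft.NET.Native and Microsoft.VCLibs framework packages that sit beside it, and a *_License1.xml. An added example (not from the original post) that derives all of that from a folder tree instead of typing each line: it treats the framework packages as dependencies rather than apps, matches the license by package name and falls back to the only license file in the folder (the RstHsaBridge bundle above has a license that does not share its name), and uses the DISM module's Add-AppxProvisionedPackage, which takes the same parameters as the dism.exe switches. The function name is an assumption.

```powershell
function Install-ProvisionedAppxFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Folder)

    # Framework packages are passed as -DependencyPackagePath, never provisioned on their own.
    $dependencyPattern = '^Microsoft\.(NET\.Native\.(Framework|Runtime)|VCLibs)\.'
    $packageExtensions = '.appx', '.appxbundle', '.msix', '.msixbundle'

    $packages = Get-ChildItem -Path $Folder -Recurse -File |
        Where-Object { $_.Extension -in $packageExtensions }

    foreach ($pkg in ($packages | Where-Object { $_.Name -notmatch $dependencyPattern })) {
        $siblings = Get-ChildItem -Path $pkg.DirectoryName -File
        $deps = @($siblings | Where-Object { $_.Name -match $dependencyPattern -and $_.Extension -in '.appx', '.msix' })

        # Prefer <packagebasename>_License1.xml; otherwise accept a single license file in the folder.
        $license = $siblings | Where-Object { $_.Name -like "$($pkg.BaseName)_License*.xml" } | Select-Object -First 1
        if (-not $license) {
            $candidates = @($siblings | Where-Object { $_.Name -like '*_License*.xml' })
            if ($candidates.Count -eq 1) { $license = $candidates[0] }
        }

        $params = @{ Online = $true; PackagePath = $pkg.FullName }
        if ($deps)    { $params.DependencyPackagePath = $deps.FullName }
        if ($license) { $params.LicensePath = $license.FullName } else { $params.SkipLicense = $true }

        $summary = "deps: $($deps.Count); license: $(if ($license) { $license.Name } else { 'none (SkipLicense)' })"
        if ($PSCmdlet.ShouldProcess($pkg.Name, "Add-AppxProvisionedPackage ($summary)")) {
            Add-AppxProvisionedPackage @params | Out-Null
        }
    }

    Get-AppxProvisionedPackage -Online | Select-Object DisplayName, Version, PackageName
}

# Usage (the folder is a placeholder; C:\DELL is the layout the commands above use):
# Install-ProvisionedAppxFolder -Folder 'C:\DELL' -WhatIf
# Install-ProvisionedAppxFolder -Folder 'C:\DELL'
```

-WhatIf prints each bundle with the dependencies and license it resolved, which is the check to run before provisioning on an image.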

Cisco Router VRF

A Cisco VRF (Virtual Routing and Forwarding instance) is a separate routing table on the same router, with its own interfaces and routes. The loose analogy is a VM on Hyper-V/VMware, but there is no separate control plane, just an isolated table, and the global table does not see the VRF's routes unless you leak them on purpose.

The advantage is that you can take a single internet/MPLS connection and split it into 2 connections. Each connection will have its own outside IP and inside IP.

When this happens, the routes move from the physical connection (the global table) to the virtual connection, the VRF.

Show VRF connections:
show vrf

Show VRF routes:
show ip route vrf vrf-name-here

Add VRF route (BGP's network statement needs the mask, otherwise IOS assumes the classful network, 10.0.0.0/8 here, and nothing is advertised):
enable
config t
router bgp 65000
network 10.162.116.0 mask 255.255.255.0
address-family ipv4 vrf vrf-name-here
network 10.162.116.0 mask 255.255.255.0
exit-address-family
exit
ip route vrf vrf-name-here 10.162.116.0 255.255.255.0 10.162.100.1
(The above is: subnet subnet-mask gateway)
exit

Verify the config and save it as the startup config:
show run
copy run start

Last Updated on Wednesday, 15 July 2020 14:19

Windows Catalog MSU Download and Install

The June 2020 updates have caused problems.

To fix, Microsoft has put out an update. Found here (select your Windows version on the left-hand side):
https://support.microsoft.com/en-us/help/4555932

The trick is that the update will not be pushed out through Windows Update and it will not be pushed out through Windows Server Update Services (WSUS).

So the only option is to get it from the Windows Update Catalog.

Here is how to download (wget is the PowerShell alias for Invoke-WebRequest; the link is plain http, so the MSU's Authenticode signature is the only thing that proves the file is Microsoft's):
wget "http://download.windowsupdate.com/c/msdownload/update/software/updt/2020/06/windows10.0-kb4567512-x64_2ea636c671529de2154d48a1181c0f02cd919da5.msu" -outfile "windows10.0-kb4567512-x64_2ea636c671529de2154d48a1181c0f02cd919da5.msu"

Here is how to install:
wusa.exe "c:\installs\windows10.0-kb4567512-x64_2ea636c671529de2154d48a1181c0f02cd919da5.msu"
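Both this MSU fetched over http and the Store package fetched through the third-party lookup site in the "Fix Microsoft Windows Store" section above are installed from a file that arrived without transport integrity, so the check that matters is the Authenticode signature on the file itself. As an added example (not from the original post) the functions below verify that the signature is valid and chains to a Microsoft Corporation signer, optionally compare a SHA256 you took from the catalog page, and only then run wusa for an .msu or Add-AppxPackage for an .appx/.appxbundle/.msix. The function names are assumptions; Get-AuthenticodeSignature is assumed to evaluate appx bundles on the host, which it does on current Windows 10 and 11.

```powershell
function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status                        # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer = $sig.SignerCertificate.Subject
        Ok     = ($sig.Status -eq 'Valid' -and
                  $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    }
}

function Install-VerifiedPackage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256            # optional: the hash shown on the catalog page
    )
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpper()) { throw "SHA256 mismatch for $Path: got $actual" }
    }
    $check = Test-MicrosoftSigned -Path $Path
    if (-not $check.Ok) {
        throw "Refusing to install $Path: signature status '$($check.Status)', signer '$($check.Signer)'"
    }

    switch ([IO.Path]::GetExtension($Path).ToLower()) {
        '.msu' {
            if ($PSCmdlet.ShouldProcess($Path, 'wusa /quiet /norestart')) {
                $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
                return $p.ExitCode          # 0 = installed, 3010 = reboot required, 2359302 = already installed
            }
        }
        { $_ -in '.appx', '.appxbundle', '.msix', '.msixbundle' } {
            if ($PSCmdlet.ShouldProcess($Path, 'Add-AppxPackage')) {
                Add-AppxPackage -Path $Path
                return 0
            }
        }
        default { throw "Unsupported package type: $Path" }
    }
}

# Usage (paths are placeholders):
# Test-MicrosoftSigned -Path 'C:\installs\windows10.0-kb4567512-x64_2ea636c671529de2154d48a1181c0f02cd919da5.msu'
# Install-VerifiedPackage -Path 'C:\installs\windows10.0-kb4567512-x64_2ea636c671529de2154d48a1181c0f02cd919da5.msu'
# Install-VerifiedPackage -Path 'C:\installs\Microsoft.WindowsStore_12007.1001.213.0_neutral_~_8wekyb3d8bbwe.AppxBundle' -WhatIf
```

A Store bundle may also need its framework dependencies passed with -DependencyPath; the same signature check applies to each of those files.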

Outlook 365 | Windows Security Box Keeps Showing

Open Outlook 365. The Windows Security Box shows. You type in the password. The box shows again. And again. And again. What gives?

 This could happen for a few reasons.

1- check the DNS records. There should be an autodiscover on the company domain name. In other words: autodiscover.daknetworks.com should go somewhere. And that somewhere should be correct.

2- check the DNS records. If there is more than 1 domain, then the autodiscover needs to be on all of the domains. In other words, autodiscover.daknetworks.net should go somewhere as well. That somewhere should be the same somewhere as the main domain.

3- check the Control-Panel > Credential Manager. Close Outlook. Delete any username/password that indicates Outlook. If there are incorrect username & password saved in there, they will be used to access the email. Since the username/password are incorrect, it will ask for the correct username/password.

4- check the registry at:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover\

There are 2 parts to Outlook. The client software, what you are using on your system, and the server software, what the entire company is using to store/send/receive email.

Beginning with Outlook 2016/Outlook 365 some of the options to manually set what happens are removed in an effort to try to make setup easier.

If you have Outlook 365, then most likely you have Microsoft 365 for the company and it tries to automatically connect to the Microsoft 365 server.

But if you have Outlook 365 and have a private Exchange server, that can cause a mismatch. This results in Outlook always asking for a username/password for the Microsoft 365 server.

Outlook 365 automatically goes through a list of Autodiscover methods, in roughly this order; the registry value after each one controls that step:

- local XML override | PreferLocalXML
- Office 365 endpoint | ExcludeExplicitO365Endpoint
- root domain lookup (an HTTPS request to https://domain.tld/autodiscover/autodiscover.xml) | ExcludeHttpsRootDomain
- autodiscover host lookup (https://autodiscover.domain.tld/autodiscover/autodiscover.xml) | ExcludeHttpsAutoDiscoverDomain
- local Autodiscover (SCP object in AD) | ExcludeScpLookup
- HTTP redirect (http://autodiscover.domain.tld, followed only to an HTTPS URL) | ExcludeHttpRedirect
- SRV record lookup (_autodiscover._tcp.domain.tld) | ExcludeSrvRecord
- last known good URL | ExcludeLastKnownGoodURL

Each of these steps sends a request to whatever host the name resolves to, so a domain whose autodiscover name points at a host you do not control is a place credentials can end up on someone else's server; that is why the DNS checks in 1 and 2 matter.

A value of 1 skips that method and 0 leaves it active. PreferLocalXML is the exception: 1 means use a local XML file, and the REG_SZ value named after the domain points at that file. Note the HTTP redirect line below is set to 0, so that method stays on:

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v PreferLocalXML /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_SZ /v domain-name-here.tld /d "C:\path\to\autoDiscover-domain-name-here.tld.xml"
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeHttpRedirect /d 0
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeHttpsAutoDiscoverDomain /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeHttpsRootDomain /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeScpLookup /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeSrvRecord /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeLastKnownGoodURL /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeExplicitO365Endpoint /d 1

5- Trial software. There might be Office trial software installed alongside the Office software:

  • -Open COMMAND-PROMPT (as admin)
  • -Check the license, type:
    cd "C:\Program Files (x86)\Microsoft Office\Office16"
    cscript ospp.vbs /dstatus
  • -Uninstall the license, type:
    cscript ospp.vbs /unpkey:[last-5-characters-of-productkey]
    (ie: cscript ospp.vbs /unpkey:VMFTK)
  • -Restart the system.

NOTES:
-https://docs.microsoft.com/en-us/outlook/troubleshoot/domain-management/unexpected-autodiscover-behavior
-https://support.microsoft.com/en-us/help/3211279/outlook-2016-implementation-of-autodiscover
-https://docs.microsoft.com/en-us/Exchange/architecture/client-access/autodiscover?redirectedfrom=MSDN&view=exchserver-2019
-https://practical365.com/exchange-server/fixing-autodiscover-root-domain-lookup-issues-mobile-devices/

Last Updated on Wednesday, 31 May 2023 10:18

Windows 10 Activation Error | SLMGR

slmgr.vbs /dlv
-access denied: 0xc0000022

-software-protection service is not started (sppsvc).
-try to start: access denied

-regedit
-go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
-go to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Software Protection
-go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPPSVC
-go to: HKEY_LOCAL_MACHINE\SYSTEM\WPA

-permissions
-USER: NT Service\SPPSVC
-add: FULL CONTROL

-restart

slmgr.vbs /dlv
Find the Activation Code.

slmgr.vbs /dli activation-code-here
Find the details.

changepk.exe /ProductKey 12345-12345-12345-12345-12345

NOTES:
https://digitalbamboo.wordpress.com/tag/windows-software-protection-will-not-start-access-denied-5/

QCA9377 Ubuntu 18.04

Here are my travels getting QCA9377/ath10k working with Ubuntu 18.04 LTS.

The system needs both the driver and the firmware.

$ lspci
02:00.0 Network controller: Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter (rev 31)

$ sudo dmesg | grep ath10k
[ 23.189587] ath10k_pci 0000:02:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0
[ 23.497366] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:02:00.0.bin failed with error -2
[ 23.497373] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/cal-pci-0000:02:00.0.bin failed with error -2
[ 23.553780] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/QCA9377/hw1.0/firmware-6.bin failed with error -2
[ 23.725428] ath10k_pci 0000:02:00.0: qca9377 hw1.1 target 0x05020001 chip_id 0x003821ff sub 17aa:0901
[ 23.725429] ath10k_pci 0000:02:00.0: kconfig debug 0 debugfs 1 tracing 1 dfs 0 testmode 0
[ 23.725786] ath10k_pci 0000:02:00.0: firmware ver WLAN.TF.1.0-00002-QCATFSWPZ-5 api 5 features ignore-otp crc32 c3e0d04f
[ 23.823833] ath10k_pci 0000:02:00.0: board_file api 2 bmi_id N/A crc32 8aedfa4a
[ 24.455129] ath10k_pci 0000:02:00.0: htt-ver 3.44 wmi-op 4 htt-op 3 cal otp max-sta 32 raw 0 hwcrypto 1
[ 25.139469] ath10k_pci 0000:02:00.0 wlp2s0: renamed from wlan0

https://www.dell.com/support/article/en-us/sln306440/killer-n1535-wireless-firmware-manual-update-guide-for-ubuntu-systems?lang=en

$ cd /lib/firmware/ath10k/QCA9377/hw1.0
$ sudo cp WLAN.TF.2.1/firmware-6.bin_WLAN.TF.2.1-00016 firmware-6.bin
(Be sure to use the higher/newest firmware number. The directory must be the one dmesg reports it is looking in, ath10k/QCA9377/hw1.0.)

$ dmesg | grep -i "error\|warn\|fail"
[ 1.162573] RAS: Correctable Errors collector initialized.
[ 7.807736] EXT4-fs (sda5): re-mounted. Opts: errors=remount-ro
[ 23.497366] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:02:00.0.bin failed with error -2
[ 23.497373] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/cal-pci-0000:02:00.0.bin failed with error -2
[ 23.553780] ath10k_pci 0000:02:00.0: Direct firmware load for ath10k/QCA9377/hw1.0/firmware-6.bin failed with error -2

$ uname -r
4.15.0-99-generic

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade

$ sudo nmcli dev wifi list

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

# v18.04.4 has a newer kernel but it is not installed automatically on LTS.
# Let's install the newer kernel:
$ sudo apt install --install-recommends linux-generic-hwe-18.04 xserver-xorg-hwe-18.04

$ uname -r
5.3.0-51-generic


Remote Domain Exchange 2013

Let's say that you have an external domain that your company regularly works with. You want to customize some items for this external domain: for example, you want them to get out-of-office replies, and you do not want the domain to trigger the MailTip that says the recipient is an external user.

New-RemoteDomain -DomainName externaldomain.tld -Name externaldomain
set-remotedomain externaldomain -IsInternal $true -AutoReplyEnabled $true -AutoForwardEnabled $true

No more external-recipient MailTips for this domain.

Get the details by:

get-remotedomain externaldomain |fl

Outlook 2016 MailTips | Exchange 2013 MailTips

If someone is set to Out of Office and you try to send them an email, before you hit the SEND button, you might get a message that states the Out of Office message. This is a MailTip. There are other MailTips as well. The most common are enabled by default. The advanced MailTips are disabled by default.

One advanced MailTip is a notice when sending an email to outside the company. This can be helpful for certain companies. Here is how to see the current settings:

To get the MailTip setting:
Get-OrganizationConfig |findstr /i mail

To set a MailTip to show when sending outside the company:
set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $true

Ideally, I wanted to turn this on for a group of people but leave it off for everyone else. I could not find a way, so I just left it on for everyone. Going ISO27001 and getting certified will probably encourage this setting anyway.

NOTES:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips
https://docs.microsoft.com/en-us/powershell/module/exchange/organization/set-organizationconfig?view=exchange-ps

Last Updated on Thursday, 23 April 2020 14:09

VPN, Home Network Not Set to Private

Here is how to diagnose remotely.

  1. Show network connections (in CMD):
    netsh wlan show interfaces
  2. Get the profile:
    get-netconnectionprofile -name "wifi-profile-name-here"
  3. If the get-netconnectionprofile/set-netconnectionprofile says "Provider load failure" then check the bitness:
    [Environment]::Is64BitProcess
    (If it says "false", you are running 32-bit PowerShell.)
  4. Get the profile (in Powershell):
    get-netconnectionprofile -name "wifi-profile-name-here"
  5. Set the profile to Private (in Powershell):
    set-netconnectionprofile -name "wifi-profile-name-here" -NetworkCategory Private
  6. Set the firewall to allow:
    Set-NetFirewallRule -DisplayGroup 'File And Printer Sharing' -Enabled True -Profile 'Private, Domain'

NOTES:

Here is the registry key to change the CATEGORY (1 = private, 0 = public):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Last Updated on Wednesday, 14 July 2021 09:19

See What Teams an Account is a Member Of

Microsoft Teams has its own PowerShell module. Please see the article on connecting to Azure/Office365.

Once connected to Microsoft Teams, you have a few options:

See all Teams:

Get-Team

See all Teams a user is a member of:

Get-Team -User email-address-here@domain.tld

NOTES:
https://docs.microsoft.com/en-us/powershell/module/teams/?view=teams-ps

See Soft Deleted Accounts in AzureAD | Restore Soft Deleted Accounts in AzureAD

To see all the accounts in AzureAD:
Get-MsolUser -All $true
Get-AzureADUser -All $true

To see all the "Guest" accounts in AzureAD:
Get-MsolUser -All $true | ? {$_.UserType -eq "Guest"}
Get-AzureADUser -All $true |where {$_.UserType -eq 'Guest'}

To get the details:
Get-AzureADUser -All $true |where {$_.UserType -eq 'Guest'} |select objectid,userprincipalname

This will return the user principal names of the guest accounts, usually in the format of:
accountname_domainoutside.com#EXT#@tenant-name-internal.onmicrosoft.com

If you delete a "guest" user or "member" user, the account is "soft-deleted" and is still in AAD. The account stays in this state for 30 days until it is permanently deleted:
Remove-MsolUser -UserPrincipalName email-address-here@domain.tld
Remove-AzureADUser -ObjectID email-address-here@domain.tld

While the account is in this state, the account can be restored. However, the account cannot be added/invited to another Team.

To view account in the state of "soft-deleted":
Get-MsolUser -All -ReturnDeletedUsers
Get-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c
This doesn't help much because we don't know the ObjectId. The only way I could find the ID is by looking at the AAD logs and filter for "Delete User".

To look at the logs, the AzureADPreview module must be installed:
Install-module AzureADPreview

After the AzureADPreview module is installed, run the following to check the logs for user deletion:
Get-AzureADAuditDirectoryLogs -Filter "category eq 'UserManagement' and OperationType eq 'Delete'" |ft
(The "Correlation ID" is the one you want.)

To permanently delete/hard-delete a guest:
Remove-MsolUser -UserPrincipalName email-address-here@domain.tld -RemoveFromRecycleBin
Remove-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c

To restore an account:
Restore-MsolUser -UserPrincipalName email-address-here@domain.tld
Restore-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c

NOTES:
Get-AzureADMSDeletedUser/Restore-AzureADMSDeletedDirectoryObject does not exist, yet.
AzureAD Module v2.0 documentation: https://docs.microsoft.com/en-us/powershell/module/AzureAD/?view=azureadps-2.0
AzureAD v2.0-preview documentation: https://docs.microsoft.com/en-us/powershell/module/AzureAD/?view=azureadps-2.0-preview
(Check out the difference in the documentation for "Deleted Objects" section to get a feel of where development is happening.)

Last Updated on Monday, 06 April 2020 15:28

Fail2Ban

Fail2Ban is amazing. It is a Python program that monitors log files (here, the Apache logs) and, if it finds something bad, blocks the offending IP address for a certain amount of time.

Overall config:

/etc/fail2ban/fail2ban.conf

Defining filter list:

/etc/fail2ban/jail.conf

Defining individual filters based on regex:

/etc/fail2ban/filter.d/filter-name.conf

Defining ignorecommands:

/etc/fail2ban/filter.d/ignorecommands/ignorecommand

You can test filters using fail2ban-regex <logfile> <filter> [<ignorecommand>]:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf

Or with an ignorecommand:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf /etc/fail2ban/filter.d/ignorecommands/ignorecommand

It will even pick up the ignorecommands already in the filter-name.conf if you pass the filter file as the third argument:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf /etc/fail2ban/filter.d/apache-scan.conf

You can print the matches:

fail2ban-regex --print-all-matched /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf

There are a bunch of filters already available. It is just a matter of enabling them and defining them with a reach-back number (ie within the last 24 hours), a miss number (ie 3 strikes) and a block time (2 hr, 2 day, etc).

Since I've noticed that most traffic is through bad bots, that happens to be one of my favorites.
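To make the three jail knobs concrete, here is an added example (not Fail2Ban's own code, and not from the original post) that models what a filter and jail do: a failregex with the <HOST> placeholder, an ignoreregex, and the findtime/maxretry/bantime counters replayed over a handful of constructed Apache access_log lines. The "bad bot" filter, the log lines, the IP addresses (documentation ranges) and the IPv4-only host pattern are all assumptions made for the example.

```python
"""Model of how a Fail2Ban filter and jail turn log lines into bans.

Added example, not Fail2Ban's own code. It reproduces the ideas from the
section above: a failregex containing the <HOST> placeholder, an
ignoreregex, and the jail counters findtime (reach-back window), maxretry
(strikes) and bantime. The filter and the Apache access_log lines are
constructed for this example; the IPs are documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed "bad bot" filter in filter.d style: requests for files that a
# normal visitor never asks for. Fail2Ban substitutes <HOST> with a group
# matching IPv4, IPv6 or a hostname; a simplified IPv4-only pattern is used
# here (assumption).
FAILREGEX = (r'^<HOST> - \S+ \[(?P<ts>[^\]]+)\] '
             r'"(?:GET|POST) [^"]*(?:wp-login\.php|xmlrpc\.php|/\.env)[^"]*" \d{3}')
IGNOREREGEX = r'"[^"]*Googlebot[^"]*"$'
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# Constructed access_log sample (Apache "combined" format).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2020:15:28:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2020:15:28:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2020:15:28:05 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2020:15:28:06 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Googlebot/2.1"
203.0.113.7 - - [12/Apr/2020:15:28:09 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2020:17:00:00 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/7.68.0"
192.0.2.44 - - [12/Apr/2020:17:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/7.68.0"
""".splitlines()


def compile_filter(failregex, ignoreregex=None):
    """Turn filter.d-style patterns into compiled regexes."""
    fail = re.compile(failregex.replace("<HOST>", HOST_RE))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    return fail, ignore


def match_line(line, fail, ignore):
    """Return (host, timestamp) for a failure line, or None.

    This is what fail2ban-regex reports as "matched": the failregex hit
    and the ignoreregex did not.
    """
    m = fail.search(line)
    if not m or (ignore and ignore.search(line)):
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts


def run_jail(lines, failregex, ignoreregex, findtime, maxretry, bantime):
    """Replay log lines through a jail and return (matched_hosts, bans).

    bans maps host -> ban expiry. A host is banned once it accumulates
    maxretry matches inside the findtime window, the three knobs the
    section describes.
    """
    fail, ignore = compile_filter(failregex, ignoreregex)
    recent = defaultdict(deque)  # host -> match timestamps inside the window
    bans = {}
    matched = []
    for line in lines:
        hit = match_line(line, fail, ignore)
        if hit is None:
            continue
        host, ts = hit
        matched.append(host)
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:  # drop strikes older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in bans:
            bans[host] = ts + bantime
    return matched, bans


def demo():
    """Jail settings in the spirit of the text: 24 h reach-back, 3 strikes, 2 h ban."""
    return run_jail(SAMPLE_LOG, FAILREGEX, IGNOREREGEX,
                    findtime=timedelta(hours=24), maxretry=3,
                    bantime=timedelta(hours=2))


if __name__ == "__main__":
    matched, bans = demo()
    print("matched:", matched)
    for host, until in bans.items():
        print(f"ban {host} until {until:%Y-%m-%d %H:%M:%S}")
```

Running it, 203.0.113.7 collects three strikes within seconds and is banned until 17:28:09; 192.0.2.44 is only counted twice because its first probe carried a Googlebot user agent and was dropped by the ignoreregex, so with maxretry 3 it is not banned. Shrinking findtime and maxretry in run_jail shows how the same log produces different bans, which is the tuning the real fail2ban-regex output helps you do.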


Last Updated on Sunday, 12 April 2020 15:28

Create Shared Calendar

You have a few options.

  1. -create a shared mailbox. Doing so, you can force this on someone's Outlook. However, they will not receive calendar reminders. Bummer.
  2. -create a normal mailbox. Doing so, you will need to manually add the account to Outlook. Bummer.
  3. -create a shared calendar from a typical mailbox. A little complicated, especially for a large group. But for a small group, this might work.
  4. -create a public calendar. Available to everyone but they have to look for the calendar.
  5. -create a room account. This allows the meeting to be scheduled on the room account and puts an event on the personal calendar where reminders happen.
  6. -create Office 365 group / Unified Group. All Members of the group will automatically have the Group in Outlook. All members will automatically receive invites and notifications. Bummer.

I chose to setup a room account. This seems to be the most in line with what the client wants.

Turn on Skype-for-Business/Teams for All Accounts

Let's say there is a world wide pandemic. Everyone suddenly wants-to/required-to work from home. How do you license everyone for Skype-for-Business/Teams? Here's how:

Get-MsolUser -MaxResults 1000 | ForEach-Object {
    # Set-MsolUser emits nothing, so each account is handled explicitly instead of being piped on
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation US
    Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses "foodomain:TEAMS_COMMERCIAL_TRIAL"
}

Now everyone is licensed for Skype-for-Business/Teams.

The problem becomes that there are accounts that should not be licensed; namely the "Health" mailboxes.

Here is how to find them:

get-msoluser -maxresults 1000 |where {$_.islicensed -eq $true -and $_.signinname -like "*Health*"}

Here is how to unlicense them:

get-msoluser -maxresults 1000 |where {$_.islicensed -eq $true -and $_.signinname -like "*Health*"} |set-msoluserlicense -removelicenses "foodomain:teams_commercial_trial"

Completely Remove Office 365 Group | Completely Remove Unified Group

Let's say you have an Office 365 Group. You add a bunch of people. They add events to the calendar. Everyone is getting the calendar invites. They don't want that.

OK, first step is to delete the Office 365 Group through the GUI. Easy enough.

Now it still shows in Outlook. We want it completely gone.

  • -start POWERSHELL (as administrator).
  • -connect to the AzureAD endpoint.
  • -type: Get-AzureADMSDeletedGroup

It will show the ID.

  • -type: Remove-AzureADMSDeletedDirectoryObject -id 6546513213652165361654

NOTES:
https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureadmsdeleteddirectoryobject?view=azureadps-2.0-preview

Last Updated on Wednesday, 01 April 2020 15:49

Create Dynamic Group for Office 365 Groups | P1 License

Want to create a dynamic group for Office 365 Groups?

In Azure Active Directory, you should be able to create a group that is set dynamically depending on rules. This can be done through something called RULE-BUILDER.

It can be done. But it requires a P1 license for every account that is part of the Office 365 Group/Unified-Group. This is $6 per month.

1-start POWERSHELL (as-admin).
2-type: Import-Module AzureADPreview
3-type: $LiveCred = Get-Credential
4-type in your username/password.
5-type: Connect-AzureAD -Credential $LiveCred
6-type: get-azureadmsgroup
7-type: get-azureadmsgroup -id 6541651431314646546541 |fl

You will see that MembershipRule and MembershipRuleProcessingState are blank. Let's set those items (2 options are given for MembershipRule as example).

  • Set-AzureADMSGroup -Id 654654654654 -MembershipRuleProcessingState On
  • Set-AzureADMSGroup -Id 654654654654 -MembershipRule $dynamicmembershiprule
  • Set-AzureADMSGroup -Id 654654654654 -MembershipRule "(user.department -contains ""Marketing"")"
  • Set-AzureADMSGroup -Id 654654654654 -GroupTypes "DynamicMembership"

Requires a P1 license. $6/user/month.

NOTES:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsgroup?view=azureadps-2.0

Last Updated on Wednesday, 01 April 2020 14:29

Skype for Business Powershell

Do you have Skype for Business? If so, you either have a Lync server on-site (Lync is the former name of Skype for Business) or you have a cloud service with Office-365.

If you have an Office-365 service, do you want to control Skype for Business through powershell? Here's how:

1-install SKYPE-FOR-BUSINESS POWERSHELL-MODULE: https://www.microsoft.com/en-us/download/confirmation.aspx?id=39366
2-start POWERSHELL (as-admin).
3-type: Import-Module SkypeOnlineConnector
4-type: $LiveCred = Get-Credential
5-type in your username/password.
6-type: $sfbSession = New-CsOnlineSession -Credential $LiveCred
7-type: Import-PSSession $sfbSession

type: Get-CsConferencingPolicy -identity global
type: Set-CsConferencingPolicy -Identity global -EnableDialInConferencing $True

Office365 Groups | Unified Groups

Typically, Exchange has Distribution Groups. An email is sent to the group and everyone in the group receives a copy of the email.

Office365-Groups or Unified-Groups are now available.

Difference Between Exchange Groups and Office365 Groups

How is that different? Why would I want an Office365 Group instead of a traditional Distribution Group?

Mainly because there are the following additional features:

  • -shared mailbox. Members still receive a copy in their personal inbox.
  • -shared files.
  • -shared calendar.
  • -invite external guests.

The following article actually says it better than I can:

https://support.microsoft.com/en-us/office/why-you-should-upgrade-your-distribution-lists-to-groups-in-outlook-7fb3d880-593b-4909-aafa-950dd50ce188

Creating a Unified Group:

new-unifiedgroup foogroup

Adding members (Unified Groups use their own cmdlet, not Add-DistributionGroupMember):

Add-UnifiedGroupLinks -Identity foogroup -LinkType Members -Links email-address-here@domain.tld

Upgrading a group from a Distribution-Group to a Unified-Group:

Upgrade-DistributionGroup -DlIdentities email-address-here@domain.tld

Upgrade Error

When I tried to upgrade one DistributionGroup to a UnifiedGroup, I got an error message, "ErrorReason: The specified distribution group is not eligible to be upgraded or you are not allowed to upgrade this distribution group."

What gives?

Well, this is because the Owner of the DistributionGroup was an unlicensed account, the Office365 Admin. Changing the owner to a licensed account, allowed the upgrade to happen.

Last Updated on Wednesday, 01 April 2020 14:07

Enabling Perfect Forward Secrecy | Fixing Perfect Forward Secrecy

Using ssllabs.com to test a server's TLS setup will grade it with a score (A, B, C, D, F). The grade was capped to B due to the lack of Perfect Forward Secrecy and gave the following for a reference:
https://www.digicert.com/kb/ssl-support/ssl-enabling-perfect-forward-secrecy.htm

OK, I don't know what Perfect Forward Secrecy is. All I really care about is getting the grade to A. What do I have to do?

Reading the link, I thought the certificate was incorrect and started to look for how to recreate the certificate using ECDHE instead of RSA. That is because of the lines, "Instead of using the RSA method for exchanging session keys, you should use the Elliptic Curve Diffie-Hellman (ECDHE) key exchange" and my inability to understand where I "can still use the RSA public-key cryptosystem as the encryption algorithm, just not as the key exchange algorithm."

Recreating the certificate is incorrect. The certificate is fine using the instructions found in the other article on this site.

The solution is found in the Apache/HTTPD server with the settings found in the following file on the server:
/etc/httpd/config/httpd.conf

The server already had the following:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
#SSLHonorCipherOrder on

All I had to do was turn on the SSLHonorCipherOrder:
SSLHonorCipherOrder on

And while I was at it, turn off TLSv1.1 since that was removed in January 2020 from most major browsers:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

That left us with:
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on

Restart Apache/HTTPD with:
apachectl -k restart

Enjoy the grade of letter A!
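To see exactly which of the three directives above cost the grade, here is an added example (not the article's or Apache's own code) that parses an httpd.conf fragment and reports the weak settings, using the "before" and "after" fragments from this section as input. Two assumptions are made and labelled in the code: "all" in SSLProtocol is expanded to SSLv3 through TLSv1.3, and the SSLCipherSuite check only looks for the explicit exclusions the article uses rather than evaluating OpenSSL cipher-list syntax.

```python
"""Audit the mod_ssl directives the section above changes.

Added example, not the article's or Apache's own code. It parses an
httpd.conf fragment and reports the settings that capped the grade:
SSLHonorCipherOrder off (or commented out) and legacy protocol versions.
Assumptions: "all" in SSLProtocol is expanded to SSLv3 through TLSv1.3,
and the cipher-string check only looks for the explicit exclusions the
article uses rather than evaluating OpenSSL cipher-list syntax.
"""
import re

ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")  # assumption
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")

# The two states from the article: as found on the server, and after the fix.
BEFORE = """\
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
#SSLHonorCipherOrder on
"""
AFTER = """\
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
"""


def parse_ssl_directives(conf_text):
    """Return the effective SSL* directives; commented lines are skipped.

    A later occurrence overrides an earlier one, as Apache applies
    directives in order within one scope.
    """
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # "#SSLHonorCipherOrder on" sets nothing
        m = re.match(r"(SSL\w+)\s+(.+)$", line)
        if m:
            directives[m.group(1)] = m.group(2).strip()
    return directives


def enabled_protocols(value):
    """Expand an SSLProtocol value such as "all -SSLv2 -SSLv3 -TLSv1"."""
    enabled = set()
    for token in value.split():
        if token.lower() == "all":
            enabled.update(ALL_PROTOCOLS)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def audit(conf_text):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    d = parse_ssl_directives(conf_text)
    for proto in LEGACY:
        if proto in enabled_protocols(d.get("SSLProtocol", "all")):
            findings.append(f"SSLProtocol still allows {proto}")
    # Apache's default is off: the client's cipher preference wins, and a
    # client that lists plain RSA key exchange first gets no forward secrecy.
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off or commented out")
    suite = d.get("SSLCipherSuite", "DEFAULT").split(":")
    for excl in ("!aNULL", "!MD5", "!RC4"):
        if excl not in suite:
            findings.append(f"SSLCipherSuite does not exclude {excl[1:]}")
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf) or ["OK"])
```

The "before" fragment yields two findings (TLSv1.1 still enabled, SSLHonorCipherOrder not in effect) and the "after" fragment none. The commented-out line is the trap: it looks like the option is on when reading the file, but Apache never sees it, which is why the grade did not move until the `#` was removed.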


NOTES:
-use the following to see what ciphers are accepted: openssl ciphers -v
-the server didn't have the option to turn on the CipherOrder, I had to create a template fragment called 35SSL10SSLHonorCipherOrder and filed bug 10916. This will probably make its way into the base.
-for the curious, the following are the short steps:
config setprop modSSL HonorCipherOrder on
config setprop httpd-e-smith TLSv1.1 disabled
signal-event domain-modify
signal-event email-update


Last Updated on Sunday, 29 March 2020 14:24

Skype for Business Microphone Not Working

Here's how to fix:

-click START > SETTINGS
-type: MICROPHONE-PRIVACY-SETTINGS
-checkmark ALLOW-APPS-TO-ACCESS-YOUR-MICROPHONE

Last Updated on Wednesday, 15 April 2020 17:03

AutoCad Installation Error 1606 | Could Not Access Network Location

Installing AutoCad from AutoDesk. Result: 

Here's how to fix:

Go to run.

Type ‘regedit’

click ‘ok’.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Check the location for “Common Documents”

It will be pointing to a non-existent location, e.g. "Common Documents"="C:\\Users\\Public\\Documents"

Change the value data of Common Documents to a location that exists, e.g. "Common Documents"="d:\\Users\\Public\\Documents"

OR

create that non-existent folder, then run the AutoCAD 2014 setup again.
