Category: Microsoft

Automate tasks with use of XenServer Powershell Module

Working with backups of your virtual machines is obviously essential. Working with exports in XenServer can some times be time consuming, particularly with bigger virtual disks attached to your virtual machine. In this scenario I will show you an alternative to manually export via XenCenter, by doing it with Powershell to an remote server using XenServer Powershell module.



Flickering Desktop Icons and re-directed folders

This blog post will only cover a scenario with Microsoft Windows Server 2016 Remote Desktop Services (RDS) and re-directed folders where flickering icons appear. Other solutions may apply to different scenarios.
Since the release of Windows 10 / Server 2016 and their different releases 1607, 1703, 1709 and 1803 there has been several issues regarding flickering icons on the Start-menu, in File Explorer and taskbar.

SCENARIO

During the deployment of Citrix Virtual Apps and Desktops 7.15 on Windows Server 2016 with published Desktops and re-directed Desktop folder, users could experience that the desktop icons kept flickering continuously. The more shortcuts, folders or files on the Desktop the more prevalent the issue was. Constantly blinking icons on the desktop looked like refreshing the desktop with F5 or Ctrl+R and would also flash when browsing network shares.

My first thought was to activate ”Always show icons, never thumbnails” in Folder Options since there seemed to be a constant query to network shares where the re-directed Desktop folder resided.

File Explorer - Options

File Explorer – Options

File Explorer - Always show icons

File Explorer – Always show icons

INVESTIGATION

The moment I clicked on View in Folder Options the desktop icons ceased flashing in my session. Dwelling deeper with Procmon investigating what actually happens when opening View tab in Folder Options I found out that explorer.exe queries a registry key in the users HKEY_CURRENT_USER registry. If the registry entry does not exist it will be created.

  • HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}
Explorer query and creation of registry key

ProcMon – Explorer.exe query and creation of registry key

SOLUTION

With the knowledge that the registry key was missing and creating they key would stop the icons from flashing for users on Windows Server 2016 RDS, the appropriate solution was to use Group Policy Preferences (GPP) that created the registry key for users during logon (run in logged-on users’s security context) and apply it to Windows 2016 RDS servers.
Gorup Policy Preferences - User Configuration - Registry

Gorup Policy Preferences – User Configuration – Registry

Apply to Current User

Apply to HKEY_CURRENT_USER and set Key Path

Run in logged-on users security context

Run in logged-on users security context

Step 1: Create a USER GPP that will be applied to affected targets

Step 2: Create a Registry Item

Step 3: Add registry key

  • Hive: HKEY_CURRENT_USER
  • Key Path: SOFTWARE\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}
  • Tab Common: [v] Run in logged-on user’s security context (user policy option)

If you have any questions regarding above solution, or ideas on how to handle above in a better way, please contact me at viktor.glinski@xenit.se or post a comment below.



Specific computer model not joining the domain.

I recently had an issue with a specific computer model not joining the domain. The Task Sequence had not been updated for a while, and we had not done any significant changes to the environment. With other computers working flawlessly, we had issues with a HP EliteDesk 800 G3 DM 35W not joining the domain for some unclear reason. This was the start of an interesting discovery.

The issue began when this EliteDesk 800 G3 wouldn’t join the domain. Usually when a Task Sequence finishes, the computer reboots and you see a login screen, stating the domain and asking for credentials, as shown in this picture.

Usual image after a successful Task Sequence

This time the EliteDesk didn’t show any domain, just asking for local Administrator credentials. My first guess was network drivers, so I started by updating the boot image with fresh network drivers for EliteDesk 800 G3. Even with up-to-date drivers the computer wouldn’t join the domain. I started going through the SMSTSLog, BDD.log, checked if something had failed during the Task Sequence. No errors were found. But still, the computer would not join the domain.

I started digging deeper and went through the “panther\UnattendGC\setupact.log” and the “debug\NetSetup.log”. It was here where I started to find some interesting issues.

We have an environment built around an OU structure based on location and computer type (desktop, laptop or virtual machine). The ComputerTypeOU property is saved in to a variable used in the Task Sequence. What OU the computer is added to is decided in the CustomSettings.ini-file. 

In both the setupact.log and NetSetup.log I found out that no value was saved in the “%ComputerTypeOU%”-variable.

NetSetup.Log of EliteDesk 800 G3 DM 35W

My initial thought was that the log prints the string without any value connected to the variable, but after going through the same logs on a newly installed computer, that had no issues joining the domain, I quickly found out that I was wrong. The variable should definitely contain the value generated by the CustomSettings.ini file.

NetSetup.Log of EliteBook Folio 9480m

As shown in the first image, the EliteDesk 800 G3 did for some reason not receive any value to this variable. I started going through logs once more, trying to find out why this computer was unable to fetch the required value.

Since we unfortunately do not have an OU named “%ComputerTypeOU%” in the domain, and the Join Domain-account was unable to create one, the computer did not join the domain because of the account used in our Task Sequence having insufficient rights.

But why this variable was missing its value was the main question. I started going through logs again, and this time I had something to look for instead of searching for the unknown. The BDD.log gave me a good overview of all the client properties. I compared a domain joined client with the EliteDesk 800 G3. Here I stumbled upon an interesting fact. The EliteDesk did not report as a laptop, a desktop nor a server, as shown below.

BDD.Log of a EliteDesk 800 G3 DM 35W

BDD.Log of a EliteBook Folio 9480m

 

Since the EliteDesk 800 G3 did not report any of the values needed for our structure, the solution was to add Model to the Priority list and associate EliteDesk 800 G3 with the “ComputerTypeOU”-property set to workstations.

After adding the Model property to the CustomSettings.ini file, the EliteDesk 800 G3 joined the domain flawlessly after running a Task Sequence.

This might not be the best solution to this matter, but it sure is a practicable fix. If anyone has a preferable solution, feel free to email me at johan.nilsson@xenit.se



Upgrade Task Sequence (1803) with BitLocker active

With the new 1803 feature update for Windows 10 we got some new and exciting commands for the Windows Setup that we can use in a upgrade task sequence in SCCM to be able to upgrade without suspending BitLocker. For more information about the 1803 feature update, please see this blogpost.

With these new Setup commands you can set a specific value in your task sequence that will try to keep BitLocker active or force it to be active during the upgrade. You can also use the AlwaysSuspend option but as the word explains this will actually suspend BitLocker and that’s not what we want in this post. The different commands are as follows:

  • /BitLocker TryKeepActive
  • /BitLocker ForceKeepActive
  • /BitLocker AlwaysSuspend

In your upgrade task sequence you need to set the variable OSDSetupAdditionalUpgradeOptions to one of the options above depending on how you want the upgrade to handle BitLocker. In this scenario we are using the /BitLocker TryKeepActive value that will attempt to do the upgrade without suspending BitLocker, but if the upgrade fails, Windows Setup will suspend BitLocker and complete the upgrade.

Please note that there are some requirements to get this setup to work.

  • The device being upgraded should be Windows 10 1709 or higher.
  • The Windows device needs to be using Secure Boot and have a TPM.
  • BitLocker needs to be using a TPM protector only.
  • The user profile folder can’t be on a separate volume that is also BitLocker protected.

 

If setup correctly you will find that the command line for the Windows Setup upgrade will add the /BitLocker TryKeepActive to it, as shown below. This can be viewed in the smsts.log.

 

If you have any questions, feel free to email me at tobias.sandberg@xenit.se.



Palo Alto introduces new feature to support Terminal Service (TS) Agent on Windows Server 2016

In the latest release of Palo Alto Networks Terminal Service Agent 8.1.1, we were introduced to a new feature where it is now supported to install the agent on Windows Server 2016.

This is a very welcome feature that a lot of us have been waiting for. There are no other features added to this version or the one before.

This release is also compatible with all the PAN-OS versions that Palo Alto Networks still support.

For more information see:

Where Can I Install the Terminal Service (TS) Agent?

Release Notes – Terminal Service Agent 8.1



Spring Creators update (1803) for Windows 10

Microsoft released the next feature update on April 30th 2018 that we all have been waiting for. The Spring Creators update (Version 1803) for Windows 10.

It comes with a bunch of new features and I will list some of them that you can benefit from in a deployment perspective.

 

Windows Autopilot

Now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned.

This means that by the time the user gets to the desktop, the device is secured and configured correctly and can be used right away.

Windows 10 in S mode

The new Windows 10 mode suitable for affordable, cloud-ready devices that offers simple, secure and efficient use for tailored solutions like kiosk, digital sign and task work.

In S mode you will get the following features:

Windows Setup

The ability to control BitLocker under setup with the following commands:

OS uninstall period

Control the OS uninstall period with Intune or DISM.

Windows 10 Subscription Activation

Now supports Inherited Activation that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.

Feature update improvements

Reduced the time it takes to install the feature update with up to 63% from the Creators Update.

 

Read more about the newest version here.

Very important to notice is the features that Microsoft has removed or not developing anymore. Please see this article for all information about that.

 

Our recommendation is to download this update right now and deploy it to your designated test group. This is an important step to find out if any of your business applications have compatibility issues with the new feature update so you take actions as fast as possible. When you are done with the testing and the feature update (1803) goes Business Ready (usually in a couple of months), you are ready to roll out the update to the rest of the company so everyone can take benefit of the new features.

 

If you have any questions, feel free to email me at tobias.sandberg@xenit.se.

 



Use PowerShell & Windows Update to force drivers to be downloaded from the Internet in a Task Sequence

Working with client driver packages for me is related to a never-ending story. Drivers are frequently being updated and results in manually handling updates of Driver Packages in Configuration Manager. But since some computer manufacturers are releasing updates through Windows Update, so we thought; What if you can use a Task Sequence to force Windows Update to look for updates and drivers over the Internet instead of using manually handled Driver Packages? So I decided to try with a Surface Book.

With help from the PowerShell Module PSWindowsUpdate, created by Michal Gajda (downloaded from TechNet), and with a post from Waingrositblog, I had all the necessary bits forcing a Surface Book to download drivers from Windows Update, over the Internet, while running a Task Sequence. I started by modifying the steps, created by Waingrositblog, in the Task Sequence steps a bit. I found having one step running a PowerShell script instead of three steps, two of which was running cmd lines, more suitable.

This image illustrates the Task Sequence step.

I added the update step just after applying Windows- and Network Settings, where we usually apply driver packages.

The RPS (Run PowerShell) – Microsoft Update step is running the following script:

To verify the success of the script I went through the WindowsUpdateLog.Log and found that during the Task Sequence, a lot of drivers were installed. Here I would like to use PCI drivers as an example. As shown in the image below, the WindowsUpdateLog successfully downloaded and applied the drivers.

This is the WindowsUpdateLog.Log generated after successfully running the Update Drivers sequence.

I also tried the running the Task Sequence without the Windows Update / Driver script and found out the device had conflicts with the PCI drivers. These drivers is just used as an example in this process, there are several conflicts and other drivers missing as shown in the image below.

This image illustrates conflicts with, among others, the PCI drivers after not running the Update Drivers sequence.

This image illustrates when the drivers are applied.

As shown in these images, the Install Driver step running in the Task Sequence finds the correct and necessary drivers. After a Task Sequence successfully has gone through no exclamation marks are found in the Device Manager.

Some computer manufacturers are using Windows Update as a secondary source for updates, and because of this some drivers can be out of date. This is a reason why the Surface is a great example of using Windows Update for drivers since Microsoft release their updates, up to date.

If you have any questions, opinions or improvements, feel free to email me at Johan.Nilsson@Xenit.se



Change OS disk on server using Managed disk in Azure

Recently a new capability was released for Azure Virtual Machines using Managed disks.

We have been missing the possibility to change OS disk of VMs using Managed disks. Until now that has only been possible for Unmanaged disks. Before release of this feature we have been forced to recreate the Virtual Machine if we want to use the snapshot and managed disk.

This feature come in handy while performing updates and or changes to OS or applications and where you might want to rollback to previous state on existing VM.

As of today Azure backup only supports restore to a new VM. With this capability we can hope to see a change for this in the feature. But as for now we can use Powershell to change OS disk of VM and restore a older version of that OS disk on existing VM.

In the exemple below we are:

  • Initiating a Snapshot
  • Creating a Managed disk from snapshot using the same name as the original disk but adds creation date.
  • Stop the VM – The server must be stop deallocated state.
  • Swap OS disk of existing VM
  • Start the VM
Source: https://azure.microsoft.com/en-us/blog/os-disk-swap-managed-disks/



Sending CSS formatted tables in Outlook

If you’ve ever used Powershell to send HTML tables in Outlook containing CSS you’ve probably been disappointed of the outcome.
There is some archived documentation for Outlook 2007 that is still viable for Outlook 365 (https://msdn.microsoft.com/en-us/library/aa338201(v=office.12).aspx).

Basically the function accepts a csv and css file, hardcodes the css into the table and outputs a formatted HTML table that is compatible with Outlook.

Example table sent using the function and send-mailmessage
The css has odd/even for readability, bolded column 1/4 and red text for column 3.
This is by default impossible to achieve using just css in outlook.

Commandline

HTML output

CSS

Since the CSS does not work perfectly the style.css file imported needs some specific configuration..

  • classes has some specific name structure”
    • columns are named .coln
      • n is the number of the column starting with 1 to infinity. .col1 .col2 and so on
    • one whitespace is required between class name and the curlybrackets.
      • Curlybrackets must be on the same row as class name
      • Ending curlybrackets must be on a separate line
    • Data must be on separate rows
  • Odd/even css is the only tr handled code.
    • Must be named exactly
      • tbody tr:nth-child(odd) {
      • tbody tr:nth-child(even) {

Example style.CSS

Function

 



Windows Server 2019 Preview is now available

It’s finally here – the preview of Windows Server 2019!

Windows has release the first preview of the completely new Windows Server 2019. In this article I will summarize the main news and tell you a little about them. The final version of Windows Server 2019 are planned to be released in the second half of the calendar year 2018.

 

Hybrid cloud scenarios

  • Windows Server 2019 will come with the previously announced Project Honolulu (which is a modern server management interface). This will help you to more easily integrate Azure services (like Azure Backup, Azure File Sync disaster recovery) so you can use these services in a more convenient way.

Security

  • Shielded VMs was first introduced in Windows Server 2016 and was only available for Windows Server. In Windows Server 2019, support are added for Shielded VMs for Linux. VMConnect will be improved for troubleshooting of Shielded VMs for both Windows Server and Linux. Another new feature is called Encrypted Networks which will let admins encrypt network segments to protect the network layer between servers. Microsoft is also embedding Windows Defender Advanced Threat Protection (ATP) feature in the operating system which provides preventative protection, detects attacks and zero-day exploits.

Application Platform

  • Microsofts Goal is to reduce the Server Core base container image to a third if its current size of 5 GB. That will reduce the download time for an image by up to 72 % which will be a significant performance boost. Also, in Windows Server 2019 the choices available when it comes to orchestrating Windows Server container deployments are event better. Another new feature is the ability to run Linux containers side-by-side with Windows containers on a Windows Server.

Hyper-converged infrastructure (HCI)

  • Windows Server 2019 are adding adding scale, performance and reliability to HCI environments. With Project Honolulu (mentioned above) you will have the ability to manage HCI deployments which are a great new feature. This will help you simplify the management and day-to-day activities on HCI environments.

 

Read more about the preview here.

(if you want to compare this release with the previous release of Windows Server 2016, read this article)