Category: Microsoft

Spring Creators update (1803) for Windows 10

Microsoft released the next feature update on April 30th 2018 that we all have been waiting for. The Spring Creators update (Version 1803) for Windows 10.

It comes with a bunch of new features and I will list some of them that you can benefit from in a deployment perspective.

 

Windows Autopilot

Now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned.

This means that by the time the user gets to the desktop, the device is secured and configured correctly and can be used right away.

Windows 10 in S mode

The new Windows 10 mode suitable for affordable, cloud-ready devices that offers simple, secure and efficient use for tailored solutions like kiosk, digital sign and task work.

In S mode you will get the following features:

Windows Setup

The ability to control BitLocker under setup with the following commands:

OS uninstall period

Control the OS uninstall period with Intune or DISM.

Windows 10 Subscription Activation

Now supports Inherited Activation that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.

Feature update improvements

Reduced the time it takes to install the feature update with up to 63% from the Creators Update.

 

Read more about the newest version here.

Very important to notice is the features that Microsoft has removed or not developing anymore. Please see this article for all information about that.

 

Our recommendation is to download this update right now and deploy it to your designated test group. This is an important step to find out if any of your business applications have compatibility issues with the new feature update so you take actions as fast as possible. When you are done with the testing and the feature update (1803) goes Business Ready (usually in a couple of months), you are ready to roll out the update to the rest of the company so everyone can take benefit of the new features.

 

If you have any questions, feel free to email me at tobias.sandberg@xenit.se.

 



Use PowerShell & Windows Update to force drivers to be downloaded from the Internet in a Task Sequence

Working with client driver packages for me is related to a never-ending story. Drivers are frequently being updated and results in manually handling updates of Driver Packages in Configuration Manager. But since some computer manufacturers are releasing updates through Windows Update, so we thought; What if you can use a Task Sequence to force Windows Update to look for updates and drivers over the Internet instead of using manually handled Driver Packages? So I decided to try with a Surface Book.

With help from the PowerShell Module PSWindowsUpdate, created by Michal Gajda (downloaded from TechNet), and with a post from Waingrositblog, I had all the necessary bits forcing a Surface Book to download drivers from Windows Update, over the Internet, while running a Task Sequence. I started by modifying the steps, created by Waingrositblog, in the Task Sequence steps a bit. I found having one step running a PowerShell script instead of three steps, two of which was running cmd lines, more suitable.

This image illustrates the Task Sequence step.

I added the update step just after applying Windows- and Network Settings, where we usually apply driver packages.

The RPS (Run PowerShell) – Microsoft Update step is running the following script:

To verify the success of the script I went through the WindowsUpdateLog.Log and found that during the Task Sequence, a lot of drivers were installed. Here I would like to use PCI drivers as an example. As shown in the image below, the WindowsUpdateLog successfully downloaded and applied the drivers.

This is the WindowsUpdateLog.Log generated after successfully running the Update Drivers sequence.

I also tried the running the Task Sequence without the Windows Update / Driver script and found out the device had conflicts with the PCI drivers. These drivers is just used as an example in this process, there are several conflicts and other drivers missing as shown in the image below.

This image illustrates conflicts with, among others, the PCI drivers after not running the Update Drivers sequence.

This image illustrates when the drivers are applied.

As shown in these images, the Install Driver step running in the Task Sequence finds the correct and necessary drivers. After a Task Sequence successfully has gone through no exclamation marks are found in the Device Manager.

Some computer manufacturers are using Windows Update as a secondary source for updates, and because of this some drivers can be out of date. This is a reason why the Surface is a great example of using Windows Update for drivers since Microsoft release their updates, up to date.

If you have any questions, opinions or improvements, feel free to email me at Johan.Nilsson@Xenit.se



Change OS disk on server using Managed disk in Azure

Recently a new capability was released for Azure Virtual Machines using Managed disks.

We have been missing the possibility to change OS disk of VMs using Managed disks. Until now that has only been possible for Unmanaged disks. Before release of this feature we have been forced to recreate the Virtual Machine if we want to use the snapshot and managed disk.

This feature come in handy while performing updates and or changes to OS or applications and where you might want to rollback to previous state on existing VM.

As of today Azure backup only supports restore to a new VM. With this capability we can hope to see a change for this in the feature. But as for now we can use Powershell to change OS disk of VM and restore a older version of that OS disk on existing VM.

In the exemple below we are:

  • Initiating a Snapshot
  • Creating a Managed disk from snapshot using the same name as the original disk but adds creation date.
  • Stop the VM – The server must be stop deallocated state.
  • Swap OS disk of existing VM
  • Start the VM
Source: https://azure.microsoft.com/en-us/blog/os-disk-swap-managed-disks/



Sending CSS formatted tables in Outlook

If you’ve ever used Powershell to send HTML tables in Outlook containing CSS you’ve probably been disappointed of the outcome.
There is some archived documentation for Outlook 2007 that is still viable for Outlook 365 (https://msdn.microsoft.com/en-us/library/aa338201(v=office.12).aspx).

Basically the function accepts a csv and css file, hardcodes the css into the table and outputs a formatted HTML table that is compatible with Outlook.

Example table sent using the function and send-mailmessage
The css has odd/even for readability, bolded column 1/4 and red text for column 3.
This is by default impossible to achieve using just css in outlook.

Commandline

HTML output

CSS

Since the CSS does not work perfectly the style.css file imported needs some specific configuration..

  • classes has some specific name structure”
    • columns are named .coln
      • n is the number of the column starting with 1 to infinity. .col1 .col2 and so on
    • one whitespace is required between class name and the curlybrackets.
      • Curlybrackets must be on the same row as class name
      • Ending curlybrackets must be on a separate line
    • Data must be on separate rows
  • Odd/even css is the only tr handled code.
    • Must be named exactly
      • tbody tr:nth-child(odd) {
      • tbody tr:nth-child(even) {

Example style.CSS

Function

 



Windows Server 2019 Preview is now available

It’s finally here – the preview of Windows Server 2019!

Windows has release the first preview of the completely new Windows Server 2019. In this article I will summarize the main news and tell you a little about them. The final version of Windows Server 2019 are planned to be released in the second half of the calendar year 2018.

 

Hybrid cloud scenarios

  • Windows Server 2019 will come with the previously announced Project Honolulu (which is a modern server management interface). This will help you to more easily integrate Azure services (like Azure Backup, Azure File Sync disaster recovery) so you can use these services in a more convenient way.

Security

  • Shielded VMs was first introduced in Windows Server 2016 and was only available for Windows Server. In Windows Server 2019, support are added for Shielded VMs for Linux. VMConnect will be improved for troubleshooting of Shielded VMs for both Windows Server and Linux. Another new feature is called Encrypted Networks which will let admins encrypt network segments to protect the network layer between servers. Microsoft is also embedding Windows Defender Advanced Threat Protection (ATP) feature in the operating system which provides preventative protection, detects attacks and zero-day exploits.

Application Platform

  • Microsofts Goal is to reduce the Server Core base container image to a third if its current size of 5 GB. That will reduce the download time for an image by up to 72 % which will be a significant performance boost. Also, in Windows Server 2019 the choices available when it comes to orchestrating Windows Server container deployments are event better. Another new feature is the ability to run Linux containers side-by-side with Windows containers on a Windows Server.

Hyper-converged infrastructure (HCI)

  • Windows Server 2019 are adding adding scale, performance and reliability to HCI environments. With Project Honolulu (mentioned above) you will have the ability to manage HCI deployments which are a great new feature. This will help you simplify the management and day-to-day activities on HCI environments.

 

Read more about the preview here.

(if you want to compare this release with the previous release of Windows Server 2016, read this article)



Using NetScaler as OpenID Connect SP with ADFS as IDP

How do you configure Citrix NetScaler OpenID Connect Service Provider with Microsoft ADFS as OpenID Connect Identity Provider? I’ve tried making it easy to understand and how you do it using CLI (NetScaler CLI and powershell).

Read this post for doing this with SAML.



Using NetScaler as SAML SP with ADFS as IDP

How do you configure Citrix NetScaler SAML Service Provider with Microsoft ADFS as SAML Identity Provider? I’ve tried making it easy to understand and how you do it using CLI (NetScaler CLI and powershell).

Before we begin, let us look at what we need to establish the federation:

  • NetScaler (with at least Enterprise license)
  • Active Directory domain and ADFS (read this post if you want to load balance and use NetScaler as ADFS Proxy)
  • Website (lb vserver) we want to protect with AAA (will be referred to as the service provider)
  • AAA vserver to bind SAML Service Provider policy

In my case, the following FQDNs are used:

  • LB vserver: webapp-test.domain.com / LB-WEBAPP-TEST
  • AAA vserver: sp.domain.com / AAA-SP-DOMAIN.COM (note: it will actually not be access by the web browser)
  • ADFS: adfs.domain.com

When installing ADFS two self signed certificates are issued for Token-signing and Token-decryption. When it comes to the NetScaler, we could always use whatever certificate for the signing and decryption – but I recommend using a certificate that isn’t used for web site communication. That’s why I create a self signed certificate that I use: (note: I do this on my computer, modify the variables to match your environment – and even though this certificate and key is self signed – keep them secure)

The certificate (not the key) needs to be copied to the ADFS server for when we create the Relying Party Trust, and we also need to copy the ADFS Token-signing certificate to the NetScaler (below called adfs.domain.com-signing).

Copy the newly created certificate and key to the NetScaler, as well as the ADFS Token-signing certificate:

Now we need to create the SAML Service Provider action and profile, as well as bind it to the AAA vserver:

(Note: As I stated before, this policy is bound to the AAA vserver but the expression is matching the hostname of the LB vserver – since the web browser actually never is redirected to the AAA vserver in this scenario)

As a last step, create (if it isn’t already) an authentication profile and bind it to the LB vserver:

Now configure ADFS (modify the variables to match your need):

 



How to join a Windows 10 computer to your Azure Active Directory

Introduction

Some of the benefits of having your Windows 10 devices in your Azure AD is that your users can join the computer to your Azure AD without any extra administrator privileges, assuming you have configured this in your Azure AD. They can also login to the computer without the need of being connected to a specific company network the first time, as long as they have internet connection. You can also manage your Windows 10 devices wherever it may be in the world.



HOW-TO IMPORT DHCP-LEASES TO WINDOWS SERVER FROM PALO ALTO

In some cases you will come across DHCP-scopes that are configured on the edge-device or similar and wanting to move it to your dedicated Windows Server instead.
Below is an example where you can export DHCP-leases from your Palo Alto Networks device and add them to your dedicated Windows Server.

In this example I will be using Putty.

Step 1.
Start Putty and connect to your Palo Alto Networks firewall. Then go to the Putty Reconfiguration page, Session > Logging and select ”All Session output”.
Choose your filename and where to save it. Select Apply.

Step 2.
Log in to your Palo Alto Networks firewall and issue one of the below commands. Choose the second one if you need to specify an interface. For example if you have several DHCP-scopes configured on your firewall.

Close your session when the output has been printed.

Step 3.
Inactivate the DHCP-scope on your Palo Alto Netoworks firewall so there are no new leases being added.

Step 4.

Open the file where the output has been pasted and remove any unnecessary information.

Import the values to Excel and it should look something like this: (We are only importing IP, MAC and Hostname in this example)

Step 5.
Now we need to add the information to the command that we will be using in Powershell on the new DHCP-server.

Go to a new column on the same sheet and add the below:

This will get the information for the IP on column A and row 2, MAC-adress on column B and row 2 and the Hostname on column C and row 2.

Go the new cell and hover to the right corner. Drag down to fill in the rest of the rows.

Step 6.
If you have not already created the new DHCP-scope this is the time to do it.

Step 7.
Start Powershell on your DHCP-server and paste the below commands.

Step 8.
Activate the new scope and remember to configure DHCP-relay on your Palo Alto Networks firewall if needed.



Nyheter på väg till RDS 2016

Microsoft presenterade tidigare i höstas nyheter som är på väg till Remote Desktop Services (RDS) 2016. Det är några stora förändringar på gång som är viktiga att känna till, och detta inlägg sammanfattar några av de nyheter som ska komma inom kort.

Infrastruktur

I en traditionell RDS infrastruktur måste alla servrar i uppsättningen vara med i domänen. Det innebär att RD Gateway och Webaccess servrarna både är med i domänen och har direkt kontakt mot internet, vilket gör dem sårbara för attack.

Med den nya infrastruktur design som Microsoft presenterar så är Gateway, Webaccess och de övriga rollerna ej längre med i domänen. Kontakten från domänen till infrastrukturen görs endast genom utgående trafik på port 443. Förutom att detta ökar säkerheten, så möjliggör det för organisationer att drifta flera olika miljöer med samma RDS infrastruktur. Inte längre behövs den en RDS miljö för varje domän, utan nu kan infrastrukturen sättas upp en gång för att drifta flera olika miljöer och låta användare ansluta till deras respektive domän och Sessionhosts.

Microsoft presenterar även en ny roll inom Remote Desktop Services; Diagnostics, vilket har som uppgift att samla in information om uppsättningen och kan användas för att felsöka anslutningsproblem.

Azure

Integration med Azure Active Directory (AAD) är snart här. Med hjälp av AAD så kan Multi-Factor Authentication, Intelligent Security Graph och övriga Azure tjänster nyttjas i RDS miljön. Azure AD är något som många organisationer redan nyttjar, om de använder sig av Office 365 tjänster.

 

Om RDS miljön sätts upp i Azure så kan organisationer installera RDS rollerna som Platform as a Service (Paas) tjänster. Det innebär att det inte längre krävs ett VM för varje roll i infrastrukturen, Administratörer slipper alltså managera varje VM individuellt, samt de får tillgång till den smidiga skalbarheten som Azure erbjuder. Denna uppsättning stödjer även hybrid-lösningar, Sessionhosts kan alltså ligga on-premise och resten av infrastrukturen i Azure.

Det finns fortfarande ingen ETA på när dessa nyheter görs tillgängliga. För mer information och demo på några av dessa funktioner, se inlägget från Microsoft.