Having recently changed from using PowerShell ISE to VS Code I’m still discovering all the super awesome new features of it (be sure to get a copy of the Keyboard shortcuts from this page – https://code.visualstudio.com/docs/getstarted/keybindings). To get started I’ve changed the default new file language to PowerShell (not that you can’t change it to anything else though!).

To do this follow the short guide in the screenshots adding in the line shown in the gist below.

In putting together a small RDS (Session Based) environment on Server 2016 today today I kept running across the error message below during the installation.

Failed: Unable to install the role services.

After much back and forth between forums and event viewer it turns out our default policy to disable TLS 1.0 on servers was the issue. Enabling TLS 1.0 (through the registry or with the fantastic IIS Crypto – https://www.nartac.com/Products/IISCrypto) ended up sorting the issue for us.

Thanks to the organising committee of the (Oxford and Cambridge) College IT Conference 2018 held at the RAF Museum (Hendon) for the invite to talk about PowerShell and Server Core! As promised the video from the presentation is now up on YouTube; in addition the slides as PowerPoint and PDF can be seen below.

  Presentation (PowerPoint) (28.5 MiB, 53 hits)

  Presentation (PDF) (4.9 MiB, 47 hits)

30/03/2018 Update

Microsoft have published this blog post – https://cloudblogs.microsoft.com/windowsserver/2018/03/29/windows-server-semi-annual-channel-update which clarifies the difference between the Long-Term Servicing Channel (Server 2016/2019/so on) against the Semi-Annual Channel. Do have a read!

If you have ever seen this post Server Room – The latest you will notice we have a pretty awesome HPE Aruba 5400R zl2 Core Switch; however (at least until now), I’ve been yet to find a really simple guide which shows the best way to reboot the management modules following a firmware update.

So after much research and a live firmware update this morning (last time round I just reloaded both management modules at the same time) I’m going to go with the following plan.

  1. Update the firmware (wait a few minutes for the firmware to copy from the primary to the secondary module – this is automatic)
  2. Reboot the standby module using the boot standby command (and wait a few minutes)
  3. Confirm that the standby module is now running the new firmware with  show redundancy
  4. Failover from the active to the standby module – this caused a few seconds of downtime in my environment
  5. Once the failover is complete the previously active module will now also be running the new firmware

For easy copy and paste see the commands on GitHub below along with the screenshot sequence which shows you how this will look on a switch running the 16.x branch firmware.

With thanks to the 50 staff from across the University for attending please see below the links to the videos and PowerPoints of the day!

Direct link to Playlist – https://www.youtube.com/watch?list=PLRxbdlgJzwyjAf820T0u4GpP0E01a9LEX&v=u-GVJ_0VuRM

Slides as PowerPoint

  1 Intro (4.3 MiB, 174 hits)

  2 MDT (85.2 MiB, 185 hits)

  3 PowerShell (27.5 MiB, 144 hits)

  4 PRTG Network Monitor (47.5 MiB, 176 hits)

  5 OpenVAS (32.9 MiB, 147 hits)

  6 WSUS and Chocolatey (60.3 MiB, 152 hits)

  7 NPS and VLANs (10.7 MiB, 184 hits)

Slides as PDF

  1 Intro (2.0 MiB, 168 hits)

  2 MDT (2.2 MiB, 193 hits)

  3 PowerShell (1.8 MiB, 177 hits)

  4 PRTG Network Monitor (3.2 MiB, 193 hits)

  5 OpenVAS (2.3 MiB, 201 hits)

  6 WSUS and Chocolatey (2.9 MiB, 212 hits)

  7 NPS and VLANs (1.4 MiB, 183 hits)

Stay tuned over the coming days for the scripts that are mentioned through the video which will be linked to from this post.

One of the often forgotten about features of gpresult is that it can output reports as HTML format (in a similar format to Group Policy Modelling) as well as to the command line – simply use the /h switch followed by a path. This includes much more useful data including how long it took to apply various aspects of the policy.

In the example below we can see that Group Policy Infrastructure took much longer to apply than expected (normally only a second or two), you can then dig into the cause by clicking the View Log link to the right which pops out even more detail to dig through. In this case the cause of the slow policy application appeared to be old ADM files (Windows XP era) being included with the policy; deleting the files resolved the issue.

In my environment all of our network connected devices are configured to respond to PINGs; this mainly comes about from using PRTG Network Monitor to confirm that devices and services are up even in the most simple of fashions. The same also applies to client PCs which through Group Policy are configured to reply to PING. Thus to save OpenVAS some work while doing it’s scans I’ve got a custom scan configured (which will be used in later blog posts) that will only scan hosts which reply to PING.

Have a look at the screenshot sequence below to see how to configure such a scan.

A little bit of fun today with Milestone XProtect (in our case the express version) today; with the goal of improving our documentation I wanted to somehow obtain a list of all of the hardware devices (and to some degree the cameras) including there names, MAC addresses and IP addresses from our XProtect server.

Lone behold the configuration.xml file typically stored at “C:\ProgramData\Milestone\Milestone Surveillance\configuration.xml” held just the information I wanted; a little bit of PowerShell later and I had CSVs with the information in a human readable form.

To do the same on your server follow the guide using the Export-MilestoneConfig.ps1 script show below.

Download Export-MilestoneConfig.ps1 (download from GitHub)

If you are running an HPE Aruba (formally ProCurve) switch you may come across cases where your switch (in the example above a 5400R zl2) has multiple IP Addresses/VLANs and you need it to talk to another service (in my case syslog and sFlow receivers) on a set interface.

When this occurs you can use the ip source-interface command (make sure you are in config mode first) to define the IP Address or VLAN that you want the switch to talk out on. In my case VLAN2 which is used as the management network for the network switches (VLAN1 being the default network that switches use if multiple addresses are configured).

Not the first time I’ve run into this issue and probably won’t be the last! While building a new Windows Server 2016 (Full) Microsoft Deployment Toolkit server when attempting to run the ‘Update Deployment Share’ wizard I was getting the following error message.

Unable to mount the WIM, so the update process cannot continue.

The solution is simple; if you are running this machine on Hyper-V (presumably other Hypervisors as well) you will need to shutdown the VM, disable Secure Boot (on the VM only) and then power it back on. The next time you run the wizard it will complete as normal.

The error message in full context for reference.

=== Making sure the deployment share has the latest x86 tools ===
=== Making sure the deployment share has the latest x64 tools ===

=== Processing LiteTouchPE (x64) boot image ===

Building requested boot image profile.
Determining if any changes have been made in the boot image configuration.
No existing boot image profile found for platform x64 so a new image will be created.
Calculating hashes for requested content.
Changes have been made, boot image will be updated.
Windows PE WIM C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim will be used.
Unable to mount the WIM, so the update process cannot continue.

=== Completed processing platform x64 ===

 

=== Processing complete ===