Category Archives: Expert advice on Windows based systems and hardware

What are the steps for an Exchange certificate renewal?

An expired Exchange certificate can bring your messaging platform to a halt, but it’s easy enough to check and replace the expired certificate.

If mail stops flowing, Outlook access breaks and the Exchange Management Console or Shell starts returning errors, it might be time to check whether an Exchange certificate renewal is in order.

During installation, Exchange creates a default self-signed certificate and assigns it to services such as Simple Mail Transfer Protocol (SMTP) and Internet Information Services (IIS). Many companies do not allow access to Outlook on the web, so mail is only accessible internally. This limits the capabilities of Exchange Server, which Microsoft designed to be accessible from anywhere on any device.

For companies that choose to limit Exchange’s functionality, the IT staff often opts to use the default certificate, which has a five-year life span. In five years, IT might forget about the Exchange certificate renewal until they receive countdown emails warning that it will expire. If nobody sees these emails and the certificate expires, then problems will start, as Exchange services that require a valid certificate might not work.

To check a certificate’s status, run the following PowerShell command:

Get-ExchangeCertificate | fl

Assign a new certificate for Exchange 2010

If Exchange breaks due to an expired certificate, you might be tempted to push for a quick fix by requesting a certificate from an internal certificate authority. This won’t work because the certificate authority will not sign the certificate.

If you start to panic as help desk tickets start to flood in, this is when trouble typically happens. You might try to adjust the settings in IIS, but this can break Exchange. However, the fix is simple.

Run the New-ExchangeCertificate command to initiate the Exchange certificate renewal process. This PowerShell cmdlet will create a new self-signed certificate for Exchange 2010. The command prompts you to replace the existing certificate. Click Yes to proceed.

Exchange certificate replacement
Execute the PowerShell New-ExchangeCertificate cmdlet to build a new self-signed certificate for Exchange 2010.

Next, assign the services from the old certificate to the new one and perform an IISReset from an elevated command prompt to get Exchange services running again.

Finally, ensure the bindings in IIS are set to use the new certificate.
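The check-and-reassign steps above, as an added example script that is not part of the original article. It assumes it runs in the Exchange Management Shell, that $NewThumbprint is replaced with the thumbprint printed by New-ExchangeCertificate, and that the services are rebound with Enable-ExchangeCertificate; the 30-day warning window is a chosen value.

```powershell
# Added example (not from the article): report Exchange certificates that have
# expired or expire within $WarnDays days, show which services they bind, and
# move those services to a replacement certificate identified by thumbprint.
# Run in the Exchange Management Shell. $NewThumbprint is a placeholder.
param(
    [int]$WarnDays = 30,
    [string]$NewThumbprint = '<THUMBPRINT-OF-NEW-CERT>'
)

$cutoff = (Get-Date).AddDays($WarnDays)

# NotAfter is the expiry date; anything before the cutoff is expired or about to expire.
$expiring = Get-ExchangeCertificate | Where-Object { $_.NotAfter -lt $cutoff }

if (-not $expiring) {
    Write-Host "No certificates expire within $WarnDays days."
    return
}

# Show what is affected before changing anything.
$expiring | Select-Object Thumbprint, Subject, NotAfter, Services |
    Format-Table -AutoSize

foreach ($cert in $expiring) {
    # Services is a flags value such as 'IIS, SMTP'; skip certificates bound to nothing.
    if ($cert.Services -eq 'None') { continue }

    Write-Host "Moving services [$($cert.Services)] from $($cert.Thumbprint) to $NewThumbprint"
    # -Force suppresses the confirmation prompt when the SMTP default certificate is replaced.
    Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services $cert.Services -Force
}

# Finish as the article describes: restart IIS from an elevated prompt so the
# new binding takes effect, then confirm with Get-ExchangeCertificate | fl.
# iisreset
```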

Explore the Cubic congestion control provider for Windows

Administrators may not be familiar with the Cubic congestion control provider, but Microsoft’s move to make this the default setting in the Windows networking stack means IT will need to learn how it works and how to manage it.

When Microsoft released Windows Server version 1709 in its Semi-Annual Channel, the company introduced a number of features, such as support for data deduplication in the Resilient File System and support for virtual network encryption.

Microsoft also made the Cubic algorithm the default congestion control provider for that version of Windows Server. The most recent preview builds of Windows 10 and Windows Server 2019 (Long-Term Servicing Channel) also enable Cubic by default.

Microsoft added Cubic to Windows Server 2016, as well, but it calls this implementation an experimental feature. Due to this disclaimer, administrators should learn how to manage Cubic if unexpected behavior occurs.

Why Cubic matters in today’s data centers

Congestion control mechanisms improve performance by monitoring packet loss and latency and making adjustments accordingly. TCP/IP limits the size of the congestion window and then gradually increases the window size over time. This process stops when the maximum receive window size is reached or packet loss occurs. However, this method hasn’t aged well with the advent of high-bandwidth networks.

For the last several years, Windows has used Compound TCP as its standard congestion control provider. Compound TCP increases the size of the receive window and the volume of data sent.

Cubic, which has been the default congestion provider for Linux since 2006, is a protocol that improves traffic flow by keeping track of congestion events and dynamically adjusting the congestion window.

A Microsoft blog on the networking features in Windows Server 2019 said Cubic performs better over a high-speed, long-distance network because it accelerates to optimal speed more quickly than Compound TCP.

Enable and disable Cubic with netsh commands

Microsoft added Cubic to later builds of Windows Server 2016. You can use the following PowerShell command to see if Cubic is in your build:

Get-NetTCPSetting | Select-Object SettingName, CongestionProvider

Technically, Cubic is a TCP/IP add-on. Because PowerShell does not support Cubic yet, admins must enable it in Windows Server 2016 from the command line with the netsh command from an elevated command prompt.

Netsh uses the concepts of contexts and subcontexts to configure many aspects of Windows Server’s networking stack. A context is similar to a mode. For example, the netsh firewall command places netsh in a firewall context, which means that the utility will accept firewall-related commands.

Microsoft added Cubic-related functionality into the netsh interface context. The interface context — abbreviated as INT in some Microsoft documentation — provides commands to manage the TCP/IP protocol.

Prior to Windows Server 2012, admins could make global changes to the TCP/IP stack by referencing the desired setting directly. For example, if an administrator wanted to use the Compound TCP congestion control provider — which was the congestion control provider since Windows Vista and Windows Server 2008 — they could use the following command:

netsh int tcp set global congestionprovider=ctcp

Newer versions of Windows Server use netsh and the interface context, but Microsoft made some syntax changes in Windows Server 2012 that carried over to Windows Server 2016. Rather than setting values directly, Windows Server 2012 and Windows Server 2016 use supplemental templates.

In this example, we enable Cubic in Windows Server 2016:

netsh int tcp set supplemental template=internet congestionprovider=cubic

This command launches netsh, switches to the interface context, loads the Internet CongestionProvider template and sets the congestion control provider to Cubic. Similarly, we can switch from the Cubic provider to the default Compound congestion provider with the following command:

netsh int tcp set supplemental template=internet congestionprovider=compound

Microsoft shuts down zero-day exploit on September Patch Tuesday

Microsoft shut down a zero-day vulnerability launched by a Twitter user in August and a denial-of-service flaw on September Patch Tuesday.

A security researcher identified by the Twitter handle SandboxEscaper shared a zero-day exploit in the Windows task scheduler on Aug. 27. Microsoft issued an advisory after SandboxEscaper uploaded proof-of-concept code on GitHub. The company fixed the ALPC elevation of privilege vulnerability (CVE-2018-8440) with its September Patch Tuesday security updates. A malicious actor could use the exploit to gain elevated privileges in unpatched Windows systems.

“[The attacker] can run arbitrary code in the context of local system, which pretty much means they own the box … that one’s a particularly nasty one,” said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah.

The vulnerability requires local access to a system, but the public availability of the code increased the risk. An attacker used the code in targeted spam that, when successful, installed a two-stage backdoor on the system.

“Once enough public information gets out, it may only be a very short period of time before an attack could be created,” Goettl said. “Get the Windows OS updates deployed as quickly as possible on this one.”

Microsoft addresses three more public disclosures

Administrators should prioritize patching three more public disclosures highlighted in September Patch Tuesday.

Microsoft resolved a denial-of-service vulnerability (CVE-2018-8409) with ASP.NET Core applications. An attacker could cause a denial of service with a specially crafted request to the application. Microsoft fixed the framework’s web request handling abilities, but developers also must build the update into the vulnerable application in .NET Core and ASP.NET Core.


A remote code execution vulnerability (CVE-2018-8457) in the Microsoft Scripting Engine opens the door to a phishing attack, where an attacker uses a specially crafted image file to compromise a system and execute arbitrary code. A user could also trigger the attack if they open a specially constructed Office document.

“Phishing is not a true barrier; it’s more of a statistical challenge,” Goettl said. “If I get enough people targeted, somebody’s going to open it.”

This exploit is rated critical for Windows desktop systems using Internet Explorer 11 or Microsoft Edge. Organizations that practice least privilege principles can mitigate the impact of this exploit.

Another critical remote code execution vulnerability in Windows (CVE-2018-8475) allows an attacker to send a specially crafted image file to a user, who would trigger the exploit if they open the file.

September Patch Tuesday issues 17 critical updates

September Patch Tuesday addressed more than 60 vulnerabilities, 17 rated critical, with a larger number focused on browser and scripting engine vulnerabilities.

“Compared to last month, it’s a pretty mild month. The OS and browser updates are definitely in need of attention,” Goettl said.

Microsoft closed two critical remote code execution flaws (CVE-2018-0965 and CVE-2018-8439) in Hyper-V and corrected how the Microsoft hypervisor validates guest operating system user input. On an unpatched system, an attacker could run a specially crafted application on a guest operating system to force the Hyper-V host to execute arbitrary code.

Microsoft also released an advisory (ADV180022) for administrators to protect Windows systems from a denial-of-service vulnerability named “FragmentSmack” (CVE-2018-5391). An attacker can exploit it by sending the IP stack eight-byte IP fragments while withholding the last fragment, which drives CPU utilization to 100% and makes the system unresponsive.

Microsoft also released an update to a Microsoft Exchange 2010 remote code execution vulnerability (CVE-2018-8154) first addressed on May Patch Tuesday. The fix corrects the faulty update that could break functionality with Outlook on the web or the Exchange Control Panel. 

“This might catch people by surprise if they are not looking closely at all the CVEs this month,” Goettl said.

PowerShell commands to copy files: Basic to advanced methods

Copying files between folders, drives and machines is a common administrative task that PowerShell can simplify. Administrators who understand the parameters associated with the Copy-Item commands and how they work together will get the most from the PowerShell commands to copy files.

PowerShell has providers — .NET programs that expose the data in a data store for viewing and manipulation — and a set of common cmdlets that work across providers. These include the *-Item, *-ItemProperty, *-Content, *-Path and *-Location cmdlets. Therefore, you can use the Copy-Item cmdlet to copy files, Registry keys and variables.

The example in the following command uses variable $a:

Copy-Item -Path variable:a -Destination variable:aa

When working with databases, administrators commonly use transactions — one or more commands treated as a unit — so the commands either all work or they all roll back. Only the Registry provider supports PowerShell transactions, so the UseTransaction parameter on Copy-Item has no effect when copying files. The UseTransaction parameter is part of Windows PowerShell v2 through v5.1, but not of the open source PowerShell Core.


PowerShell has a number of aliases for its major cmdlets. Copy-Item uses three aliases.

Get-Alias -Definition copy-item

CommandType     Name           Version    Source
-----------     ----           -------    ------
Alias           copy -> Copy-Item
Alias           cp -> Copy-Item
Alias           cpi -> Copy-Item

These aliases exist only in Windows PowerShell; PowerShell Core omits them so they do not conflict with the native Linux commands of the same name.

Ways to use PowerShell commands to copy files

To show how the various Copy-Item parameters work, create a test file with the following command:

Get-Process | Out-File -FilePath c:\test\p1.txt

Use this command to copy a file:

Copy-Item -Path C:\test\p1.txt -Destination C:\test2

The issue with this command is that it gives no indication of whether the operation succeeded or failed.

When working interactively, you can use the alias and positional parameters to reduce typing.

Copy C:\test\p1.txt C:\test2

While this works in scripts, it makes the code harder to understand and maintain.

To get feedback on the copy, we use the PassThru parameter:

Copy-Item -Path C:\test\p1.txt -Destination C:\test2 -PassThru

    Directory: C:\test2

Mode          LastWriteTime    Length Name
----          -------------    ------ ----
-a----       13/08/2018  11:01    40670 p1.txt

Or we can use the Verbose parameter:

The Verbose parameter
Administrators can use the Verbose parameter to see detailed output when running PowerShell commands.

The Verbose parameter gives you information as the command executes, while PassThru shows you the result.

By default, PowerShell overwrites the file if a file with the same name exists in the target folder. If the file in the target directory is set to read-only, you’ll get an error.

Copy-Item -Path C:\test\p1.txt -Destination C:\test2

Copy-Item : Access to the path 'C:\test2\p1.txt' is denied.
At line:1 char:1
+ Copy-Item -Path C:\test\p1.txt -Destination C:\test2
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\test\p1.txt:FileInfo) [Copy-Item], UnauthorizedAccessException
    + FullyQualifiedErrorId : CopyFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.CopyItemCommand

You need to be a PowerShell Jedi to overcome this. Use the Force parameter:

Copy-Item -Path C:\test\p1.txt -Destination C:\test2 -Force

As part of the copy process, you can rename the file. You must include the new file name as part of the destination. For example, this code creates nine copies of the p1.txt file called p2.txt through p10.txt.

2..10 | foreach {
  # Build the new name (p2.txt .. p10.txt) and pass it as the destination file name
  $newname = "p$_.txt"
  Copy-Item -Path C:\test\p1.txt -Destination C:\test\$newname
}

PowerShell commands to copy multiple files

There are a few techniques to copy multiple files when using PowerShell.

Copy-Item -Path C:\test\*.txt -Destination C:\test2

Copy-Item -Path C:\test\* -Filter *.txt -Destination C:\test2

Copy-Item -Path C:\test\* -Include *.txt -Destination C:\test2

These commands copy all the .txt files from the test folder to the test2 folder, but you can also be more selective and only copy files with, for instance, a 6 in the name.

Copy-Item -Path C:\test\* -Include *6*.txt -Destination C:\test2 -PassThru

    Directory: C:\test2

Mode        LastWriteTime       Length Name
----        -------------       ------ ----
-a----       13/08/2018 11:01    40670 p6.txt
-a----       13/08/2018 11:01    40670 x6.txt

You can also exclude certain files from the copy operation. This command copies all the text files that start with the letter p unless there is a 7 in the name:

Copy-Item -Path C:\test\* -Filter p*.txt -Exclude *7*.txt -Destination C:\test2

PowerShell copying
Administrators can fine-tune the PowerShell commands to copy certain files from a folder and exclude others.

You can combine the Path, Filter, Include or Exclude parameters to define exactly what to copy. If you use Include and Exclude in the same call, PowerShell ignores Exclude. You can also supply an array of file names. The path is simplified if your working folder is the source folder for the copy.

Copy-Item -Path p1.txt,p3.txt,x5.txt -Destination C:\test2

The Path parameter accepts pipeline input.

Get-ChildItem -Path C:\test\p*.txt |
  where {(($_.BaseName).Substring(1,1) % 2 ) -eq 0} |
  Copy-Item -Destination C:\test2

PowerShell checks the p*.txt files in the c:\test folder to see if the second character is divisible by 2. If so, PowerShell copies the file to the C:\test2 folder.


If you end up with a folder or file name that contains wild-card characters, use the LiteralPath parameter instead of the Path parameter. LiteralPath treats all the characters as literals and ignores any possible wild-card implications.

To copy a folder and all its contents, use the Recurse parameter.

Copy-Item -Path c:\test -Destination c:\test2 -Recurse

The recursive copy will work its way through all the subfolders below the c:\test folder. PowerShell will then create a folder named test in the destination folder and copy the contents of c:\test into it.

When copying between machines, you can use UNC paths to bypass the local machine.

Copy-Item -Path \\server1\fs1\test\p1.txt -Destination \\server2\arc\test

Another option is to use PowerShell commands to copy files over a remoting session.

$cred = Get-Credential -Credential W16ND01\Administrator

$s = New-PSSession -VMName W16ND01 -Credential $cred

In this case, we use PowerShell Direct to connect to the remote machine. You’ll need the Hyper-V module loaded to create the remoting session over the VMBus. Next, use PowerShell commands to copy files to the remote machine.

Copy-Item -Path c:\test -Destination c:\ -Recurse -ToSession $s

You can also copy from the remote machine.

Copy-Item -Path c:\test\p*.txt -Destination c:\test3 -FromSession $s

The ToSession and FromSession parameters control the direction of the copy and whether the source and destination are on the local machine or a remote one. You can’t use ToSession and FromSession in the same command.

Copy-Item doesn’t have any error checking or restart capabilities. For those features, you’ll need to write the code. Here is a starting point:

function Copy-FileSafer {
  [CmdletBinding()]
  param (
    [string]$path,
    [string]$destinationfolder
  )
  if (-not (Test-Path -Path $path)) {
    throw "File not found: $path"
  }
  $sourcefile = Split-Path -Path $path -Leaf
  $destinationfile = Join-Path -Path $destinationfolder -ChildPath $sourcefile
  # Hash the source before the copy so the result can be verified against it
  $b4hash = Get-FileHash -Path $path
  try {
    Copy-Item -Path $path -Destination $destinationfolder -ErrorAction Stop
  }
  catch {
    throw "File copy failed: $($_.Exception.Message)"
  }
  # Verify after the try/catch rather than in a finally block: a finally block
  # would run the hash check even when the copy never produced a file
  $afhash = Get-FileHash -Path $destinationfile
  if ($afhash.Hash -ne $b4hash.Hash) {
    throw "File corrupted during copy"
  }
  else {
    Write-Information -MessageData "File copied successfully" -InformationAction Continue
  }
}

In this script, the file path for the source is tested and a hash of the file is calculated. The file copy occurs within a try-catch block to catch and report errors.

With additional coding, the script can recursively retry a certain number of times. After each copy attempt, the script can calculate the hash of the file and compare it to the original. If they match, all is well. If not, an error is reported.
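The retry-and-verify loop described above, as an added example that is not the article's own code. It uses the same Copy-Item, Get-FileHash and try/catch building blocks; the function name Copy-FileWithRetry, the MaxAttempts and DelaySeconds parameters, and the returned result object are this example's own choices.

```powershell
# Added example (not the article's code): copy a file, verify the copy by
# SHA-256 hash and retry a set number of times when the copy fails or the
# hashes differ. Returns an object describing the successful copy, or throws.
function Copy-FileWithRetry {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$DestinationFolder,
        [int]$MaxAttempts = 3,      # chosen default, not from the article
        [int]$DelaySeconds = 2      # pause between attempts
    )

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    if (-not (Test-Path -Path $DestinationFolder -PathType Container)) {
        $null = New-Item -Path $DestinationFolder -ItemType Directory
    }

    $destinationFile = Join-Path -Path $DestinationFolder -ChildPath (Split-Path -Path $Path -Leaf)
    # Hash the source once; every attempt is compared against this value.
    $sourceHash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            # -Force overwrites a read-only or partial copy left by an earlier attempt.
            Copy-Item -Path $Path -Destination $DestinationFolder -Force -ErrorAction Stop
            $copyHash = (Get-FileHash -Path $destinationFile -Algorithm SHA256).Hash

            if ($copyHash -eq $sourceHash) {
                # Return an object rather than text so scripts can test the result.
                return [pscustomobject]@{
                    Source      = $Path
                    Destination = $destinationFile
                    Hash        = $sourceHash
                    Attempts    = $attempt
                }
            }
            Write-Warning "Hash mismatch on attempt ${attempt}: $copyHash != $sourceHash"
        }
        catch {
            Write-Warning "Copy attempt $attempt failed: $($_.Exception.Message)"
        }

        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $DelaySeconds }
    }

    throw "Copy of $Path failed after $MaxAttempts attempts"
}

# Usage with the article's sample file:
# Copy-FileWithRetry -Path C:\test\p1.txt -DestinationFolder C:\test2 -MaxAttempts 5
```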

Create and configure a shielded VM in Hyper-V

Creating a shielded VM to protect your data is a relatively straightforward process that consists of a few simple steps and PowerShell commands.

A shielded VM depends on a dedicated server separate from the Hyper-V host that runs the Host Guardian Service (HGS). The HGS server must not be domain-joined because it is going to take on the role of a special-purpose domain controller. To install HGS, open an administrative PowerShell window and run this command:

Install-WindowsFeature -Name HostGuardianServiceRole -Restart

Once the server reboots, create the required domain. Here, the password is P@ssw0rd and the domain name is PoseyHGS.net. Create the domain by entering these commands:

$AdminPassword = ConvertTo-SecureString -AsPlainText 'P@ssw0rd' -Force

Install-HgsServer -HgsDomainName 'PoseyHGS.net' -SafeModeAdministratorPassword $AdminPassword -Restart

Install the HGS server.
Figure A. This is how to install the Host Guardian Service server.

The next step in the process of creating and configuring a shielded VM is to create two certificates: an encryption certificate and a signing certificate. In production, you must use certificates from a trusted certificate authority. In a lab environment, you can use self-signed certificates, such as those used in the example below. To create these certificates, use the following commands:

$CertificatePassword = ConvertTo-SecureString -AsPlainText 'P@ssw0rd' -Force
$SigningCert = New-SelfSignedCertificate -DNSName "signing.poseyhgs.net"
Export-PfxCertificate -Cert $SigningCert -Password $CertificatePassword -FilePath 'c:\Certs\SigningCert.pfx'
$EncryptionCert = New-SelfSignedCertificate -DNSName "encryption.poseyhgs.net"
Export-PfxCertificate -Cert $EncryptionCert -Password $CertificatePassword -FilePath 'C:\certs\EncryptionCert.pfx'

Create the certificates.
Figure B. This is how to create the required certificates.

Now, it’s time to initialize the HGS server. To perform the initialization process, use the following command:

Initialize-HGSServer -HGSServiceName 'hgs' -SigningCertificatePath 'C:\certs\SigningCert.pfx' -SigningCertificatePassword $CertificatePassword -EncryptionCertificatePath 'C:\certs\EncryptionCert.pfx' -EncryptionCertificatePassword $CertificatePassword -TrustTPM

The initialization process
Figure C. This is what the installation process looks like.

The last thing you need to do when provisioning the HGS server is to set up conditional domain name service (DNS) forwarding. To do so, use the following commands:

Add-DnsServerConditionalForwardZone -Name "PoseyHDS.net" -ReplicationScope "Forest" -MasterServers

Netdom trust PoseyHDS.net /domain:PoseyHDS.net /userD:PoseyHDS.net\Administrator /password: /add

In the process of creating and configuring a shielded VM, the next step is to add the guarded Hyper-V host to the Active Directory (AD) domain that you just created. You must create a global AD security group called GuardedHosts. You must also set up conditional DNS forwarding on the host so the host can find the domain controller.

Once all of that is complete, retrieve the security identifier (SID) for the GuardedHosts group, and then add that SID to the HGS attestation host group. From the domain controller, enter the following command to retrieve the group’s SID:

Get-ADGroup "GuardedHosts" | Select-Object SID

Once you know the SID, run this command on the HGS server:

Add-HgsAttestationHostGroup -Name “GuardedHosts” -Identifier “

Now, it’s time to create a code integrity policy on the Hyper-V server. To do so, enter the following commands:

New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath 'C:\Policy\HWLCodeIntegrity.xml'

ConvertFrom-CIPolicy -XMLFilePath 'C:\Policy\HWLCodeIntegrity.xml' -BinaryFilePath 'C:\Policy\HWLCodeIntegrity.p7b'

Now, you must copy the P7B file you just created to the HGS server. From there, run this command:

Add-HGSAttestationCIPolicy -Path 'C:\HWLCodeIntegrity.p7b' -Name 'StdGuardHost'

Get-HGSServer

At this point, the server should display an attestation URL and a key protection URL. Be sure to make note of both of these URLs. Now, go back to the Hyper-V host and enter this command:

Set-HGSClientConfiguration -KeyProtectionServerURL “” -AttestationServerURL “

To wrap things up on the Hyper-V server, retrieve an XML file from the HGS server and import it. You must also define the host’s HGS guardian. Here are the commands to do so:

Invoke-WebRequest "/service/metadata/2014-07/metadata.xml" -OutFile 'C:\certs\metadata.xml'

Import-HGSGuardian -Path 'C:\certs\metadata.xml' -Name 'PoseyHGS' -AllowUntrustedRoot

Shield a Hyper-V VM.
Figure D. Shield a Hyper-V VM by selecting a single checkbox.

Once you import the host guardian into the Hyper-V server, you can use PowerShell to configure a shielded VM. However, you can also enable shielding directly through the Hyper-V Manager by selecting the Enable Shielding checkbox on the VM’s Settings screen, as shown in Figure D above.

Microsoft Ignite 2018 conference coverage

Introduction

Microsoft continues to gain market momentum fueled in part by an internal culture shift and the growing popularity of the Azure cloud platform that powers the company’s popular Office 365 product.

When CEO Satya Nadella took the helm in 2014, he made a concerted effort to turn the company away from its proprietary background to win over developers and enterprises with cloud and DevOps ambitions.

To reinforce this new agenda, Microsoft acquired GitHub, the popular software development platform, for $7.5 billion in June and expanded its developer-friendly offerings in Azure — from Kubernetes management to a Linux-based distribution for use with IoT devices. But many in IT have long memories and don’t easily forget the company’s blunders, which can wipe away any measure of good faith at a moment’s notice.

PowerShell, the popular automation tool, continues to experience growing pains after Microsoft converted it to an open source project that runs on Linux and macOS systems. As Linux workloads on Azure continue to climb — around 40% of Azure’s VMs run on Linux according to some reports — and Microsoft releases Linux versions of on-premises software, PowerShell Core is one way Microsoft is addressing the needs of companies with mixed OS environments.

While this past year solidified Microsoft’s place in the cloud and open source arenas, Nadella wants the company to remain on the cutting edge and incorporate AI into every aspect of the business. The steady draw of income from its Azure product and Office 365 — more than 135 million users — as well as its digital transformation agenda, have proven successful so far. So what’s in store for 2019?

This Microsoft Ignite 2018 guide gives you a look at the company’s tactics over the past year along with news from the show to help IT pros and administrators prepare for what’s coming next on the Microsoft roadmap. 

1. Latest news on Microsoft

Recent news on Microsoft’s product and service developments

Stay current on Microsoft’s new products and updated offerings before and during the Microsoft Ignite 2018 show.

2. A closer look

Analyzing Microsoft’s moves in 2018

Take a deeper dive into Microsoft’s developments with machine learning, DevOps and the cloud with these articles.

3. Glossary

Definitions related to Microsoft products and technologies

Windows troubleshooting tools to improve VM performance

Whether virtualized workloads stay on premises or move to the cloud, support for those VMs remains in the data center with the administrator.

When virtualized workloads don’t perform as expected, admins need to roll up their sleeves and break out the Windows troubleshooting tools. Windows has always had some level of built-in diagnostic ability, but it only goes so deep.

Admins need to stay on top of ways to analyze ailing VMs, but they also need to find ways to trim deployments to control resource use and costs for cloud workloads.

VM Fleet adds stress to your storage

VM Fleet tests the performance of your storage infrastructure by simulating virtual workloads. VM Fleet uses PowerShell to create a collection of VMs and run a stress test against the allocated storage.

This process verifies that your storage meets expectations before deploying VMs to production. VM Fleet doesn’t help troubleshoot issues, but it helps confirm the existing performance specifications before you ramp up your infrastructure. After the VMs are in place, you can use VM Fleet to perform controlled tests of storage auto-tiering and other technologies designed to adjust workloads during increased storage I/O.


Sysinternals utilities offer deeper insights

Two Windows troubleshooting tools from the Microsoft Sysinternals collection, Process Explorer and Process Monitor, should be staples for any Windows admin.

Process Explorer gives you in-depth detail, including the dynamic link libraries and memory-mapped files loaded by a process. Process Explorer also lets you dig in deep to uncover issues rather than throwing more resources at an application and, thus, masking the underlying problem.

Process Explorer
Process Explorer lets administrators do a technical deep dive into Windows processes that the Task Manager can’t provide.

Process Monitor captures real-time data of process activity, and Registry and file system changes on Windows systems. It also provides detailed information on the process trees.

Administrators can use Process Monitor’s search and filtering functions to focus on particular events that occur over a longer period of time.

VMMap and RAMMap detail the memory landscape

Another Sysinternals tool called VMMap shows what types of virtual memory are assigned to a process and its committed memory, which is the virtual memory reserved by the operating system. This tool shows visually where allocated memory is used.

VMMap measurements
VMMap shows how the operating system maps physical memory and uses memory in the virtual space to help administrators analyze how applications work with memory resources.

VMMap doesn’t check the hypervisor layer, but it does detail virtual memory use provided by the OS. Combined with other tools that view the hypervisor, VMMap gives a complete picture of the applications’ memory usage.

Another tool called RAMMap is similar to VMMap, but it works at the operating system level rather than the process level. Administrators can use both tools to get a complete picture of how applications are getting and using the memory.

BgInfo puts pertinent information on display

BgInfo is a small Sysinternals utility that displays selected system information on the desktop, such as the machine name, IP address, patch version and storage information.

While it’s not difficult to find these settings, making them more visible can help when you log into multiple VMs in a short amount of time. It’s also helpful to avoid installations on the wrong VM or even rebooting the wrong VM.

Learn the tricks for using Microsoft Teams with Exchange

Using Microsoft Teams means Exchange administrators need to understand how this emerging collaboration service connects to the Exchange Online and Exchange on-premises systems.

At its 2017 Ignite conference, Microsoft unveiled its intelligent communications plan, which mapped out the movement of features from Skype for Business to Microsoft Teams, the Office 365 team collaboration service launched in March 2017. Since that September 2017 conference, Microsoft has added meetings and calling features to Teams, while also enhancing the product’s overall functionality.

Organizations that run Exchange need to understand how Microsoft Teams relies on Office 365 Groups, as well as the setup considerations Exchange administrators need to know.

How Microsoft Teams depends on Office 365 Groups

Each team in Microsoft Teams depends on the functionality provided by Office 365 Groups, such as shared mailboxes or SharePoint Online team sites. An organization can permit all users to create a team and Office 365 Group, or it can limit this ability by group membership. 

When creating a new team, it can be linked to an existing Office 365 Group; otherwise, a new group will be created.

Microsoft Teams layout
Microsoft Teams is Microsoft’s foray into the team collaboration space. Using Microsoft Teams with Exchange will require administrators to stay abreast of roadmap plans for proper configuration and utilization of the collaboration offering.

Microsoft recently changed the default so that Office 365 Groups created by Microsoft Teams are hidden from Outlook. Administrators who want a Teams-created group to appear in Outlook can change that group’s HiddenFromExchangeClientsEnabled property with the Set-UnifiedGroup PowerShell cmdlet.

Microsoft Teams’ reliance on Office 365 Groups affects organizations that run an Exchange hybrid configuration. In this scenario, the Azure AD Connect group writeback feature can be enabled to synchronize Office 365 Groups to Exchange on premises as distribution groups. But because every team creates a group, this setting can fill Exchange on premises with distribution groups that originated in Microsoft Teams. Administrators should monitor the number of groups written back and adjust the configuration if it becomes unmanageable.

Using Microsoft Teams with Exchange Online vs. Exchange on premises

Exchange Online subscribers get access to all Microsoft Teams features. If the organization’s mailboxes are on Exchange on premises, however, certain functionality, such as the ability to modify user profile pictures and add connectors, is not available.

Without connectors, users cannot plug third-party systems into Microsoft Teams; certain add-ins, like the Twitter connector that delivers tweets into a Microsoft Teams channel, cannot be used. Additionally, organizations that use Microsoft Teams with Exchange on-premises mailboxes must run on Exchange 2016 cumulative update 3 or higher to create and view meetings in Microsoft Teams.

Message hygiene services and Microsoft Teams

Antispam technology might need to be adjusted due to some Microsoft Teams and Exchange integration issues.

When a new member joins a team, the email.teams.microsoft.com domain sends an email to the new member. Microsoft owns this domain name, which the tenant administrator cannot adjust.

Because the domain is considered an external email domain to the organization’s Exchange Online deployment, the organization’s antispam configuration in Exchange Online Protection may mark the notification email as spam. Consequently, the new member might not receive the email or may not see it if it goes into the junk email folder.

To prevent this situation, Microsoft recommends adding email.teams.microsoft.com to the allowed domains list in Exchange Online Protection.
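The allow-list change above, as an added example in Exchange Online PowerShell; this is not code from the original article. It assumes an existing Exchange Online PowerShell session with rights to edit anti-spam policies and that the tenant’s anti-spam policy is the built-in one named Default; change $PolicyName if you use a custom policy.

```powershell
# Added example (not from the original article): allow the Teams notification
# domain through Exchange Online Protection spam filtering and verify the change.
# Assumes an Exchange Online PowerShell session and the built-in policy 'Default'.
$TeamsDomain = 'email.teams.microsoft.com'
$PolicyName  = 'Default'

function Get-AllowedDomainList([string]$Policy) {
    # AllowedSenderDomains is a collection of domain objects; compare as strings.
    (Get-HostedContentFilterPolicy -Identity $Policy).AllowedSenderDomains |
        ForEach-Object { $_.ToString() }
}

if ((Get-AllowedDomainList $PolicyName) -contains $TeamsDomain) {
    Write-Output "$TeamsDomain is already allowed in policy '$PolicyName'."
} else {
    # @{Add=...} appends to the list instead of overwriting entries added earlier.
    Set-HostedContentFilterPolicy -Identity $PolicyName -AllowedSenderDomains @{Add = $TeamsDomain}
}

# Verify by re-reading the policy rather than trusting that Set- succeeded silently.
if ((Get-AllowedDomainList $PolicyName) -notcontains $TeamsDomain) {
    throw "Allowed sender domain was not applied to policy '$PolicyName'."
}
Get-HostedContentFilterPolicy -Identity $PolicyName |
    Select-Object Name, AllowedSenderDomains
```

Keep the allow list as short as this one entry. Every domain on it skips the spam verdict for any message that presents that sender domain, so a longer list widens the attack surface; check the message headers (SPF, DKIM and DMARC results) on the notification mail before concluding the allow entry is what fixed delivery.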

Complications with security and compliance tools

Administrators need to understand the security and compliance functionality when using Microsoft Teams with Exchange Online or Exchange on premises. Office 365 copies team channel conversations into the Office 365 Group’s shared mailbox in Exchange Online so its security and compliance tools, such as eDiscovery, can examine the content. Private chat conversations are different: Office 365 stores copies of those in each participant’s Exchange Online mailbox, not in the group’s shared mailbox.

Historically, Office 365 security and compliance tools could not access conversation content in an Exchange on-premises mailbox in a hybrid environment. Microsoft made changes to support this scenario, but customers must request this feature via Microsoft support.

Configure Exchange to send email to Microsoft Teams

An organization might want its users to be able to send email messages from Exchange Online or Exchange on premises to channels in Microsoft Teams. To send an email message to a channel, users need the channel’s email address and permission from the administrator. Every channel has a unique email address; a right-click on the channel reveals the Get email address option. Because a message sent to that address is posted to the channel, where every member can read it, treat the address like any other inbound entry point and restrict who may send to it.

Administrators can restrict the domains permitted to send email to a channel in the Teams administrator settings in the new Microsoft Teams and Skype for Business admin center.

Understand Windows Insider Program for Business options

The Windows Insider Program for Business provides features that help IT plan for and deploy GA builds when they arrive.

The Windows Insider Program, which Microsoft introduced in 2014, lets IT try out new features in the upcoming Windows release before Microsoft makes them generally available. Microsoft added the Windows Insider Program for Business in April 2018 to provide organizations with tools to better prepare for upcoming releases.

Windows Insider Program for Business

Microsoft designed the Windows Insider Program for Business specifically for organizations to deploy preview builds from Windows 10 and Windows Server to participating employees for testing before they are GA.

IT pros can register their domains with the service and control settings centrally rather than registering users or configuring machines individually. Individual users can also join the Windows Insider Program for Business on their own, independently of IT’s corporate-wide review.

The preview builds don’t replace the channel releases because IT doesn’t deploy the new builds across its organization. They’re simply earlier Windows 10 builds IT teams can use to prepare their organizations for the updates.

The Windows Insider Program for Business preview builds make it possible for IT to roll out new services and tools more quickly once the GA release is available. The previews also give IT time to verify, before the release ships, that the build meets the organization’s data security and governance requirements.

The Windows Insider Program for Business allows administrators, developers, testers and other users to see what effect a new release might have on their devices, applications and infrastructures. Microsoft includes the Feedback Hub for IT pros and users to submit reactions about their experiences, make requests for new features and identify issues such as application compatibility, security and performance problems.

Microsoft also offers the Windows Insider Lab for Enterprise, a test deployment for insiders who Microsoft specially selects to test new, experimental or prerelease enterprise security and privacy features. The lab provides insiders with a virtual test infrastructure that comes complete with typical enterprise technologies such as Windows Information Protection, Windows Defender Application Guard and Microsoft App-V.

Getting started with the insider program

Microsoft recommends organizations sign up for the Windows Insider Program for Business and dedicate at least a few devices to the program. IT pros register the organization’s domain (or individual users) with the service and set up the target devices to receive preview builds.

Microsoft also recommends that organizations use Azure Active Directory work accounts when registering with the service, whether an organization registers users individually or as part of a domain account. A domain registration makes it easier for IT to manage the participating devices and track feedback from users across the organization. Users that want to submit feedback on behalf of the organization must have a domain registration, as well.

IT can install and manage preview builds on individual devices or on the infrastructure and deploy the builds across multiple devices in the domain, including virtual machines. Using Group Policies, IT can also enable, disable, defer or pause preview installations and set the branch readiness levels, which determine when the preview builds are installed.

Microsoft’s three preview readiness branches

IT can configure devices so the preview builds install automatically or allow users to choose their own install schedules. With mobile device management tools such as Microsoft Intune, IT can take over the preview readiness branch settings, assigning each user one of three preview deployment branches.

Fast. Devices at the Fast level are the first to receive build and feature updates. This readiness level implies some risk because it is the least stable and some features might not work on certain devices. As a result, IT should only install Fast builds on secondary devices and limit these builds to a select group of users.

Slow. Devices at the Slow level receive updates after Microsoft applies user and organization feedback from the Fast build. These builds are more stable, but users don’t see them as early in the process compared to the Fast builds. The Slow level generally targets a broader set of users.

Release Preview. Devices at the Release Preview level are the last to receive preview builds, but these builds are the most stable. Users still get to see and test features in advance and can provide feedback, but they have a much smaller window between the preview build and the final release.
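The Group Policy controls described above write Windows Update for Business policy values to the registry. The PowerShell below is an added example, not code from the original article or from Microsoft: it sets a device’s preview-build policy and readiness ring and reads the result back for auditing. The registry path is the one Group Policy uses for these settings; the numeric encodings for ManagePreviewBuildsPolicyValue and BranchReadinessLevel are taken from the Windows Update for Business policy reference and should be confirmed against your WindowsUpdate.admx, and the test-device naming patterns are an assumed convention.

```powershell
# Added example (not from the original article): manage the Windows Update for
# Business policy values that control Insider preview builds on one device.
# Run elevated. Encodings below are assumptions from the WUfB policy reference.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# BranchReadinessLevel (assumed): 2 = Insider Fast, 4 = Insider Slow, 8 = Release Preview
$RingValues = @{ Fast = 2; Slow = 4; ReleasePreview = 8 }

function Get-InsiderRing {
    if (-not (Test-Path $PolicyKey)) {
        return [pscustomobject]@{ Managed = $false; PreviewBuilds = 'Not set'; Ring = 'Not configured' }
    }
    $p = Get-ItemProperty -Path $PolicyKey
    # ManagePreviewBuildsPolicyValue (assumed): 0 disable, 1 disable once next release is public, 2 enable
    $preview = switch ($p.ManagePreviewBuildsPolicyValue) {
        0       { 'Disabled' }
        1       { 'Disabled after next release' }
        2       { 'Enabled' }
        default { 'Not set' }
    }
    $ringName = ($RingValues.GetEnumerator() | Where-Object { $_.Value -eq $p.BranchReadinessLevel }).Key
    [pscustomobject]@{
        Managed       = ($p.ManagePreviewBuilds -eq 1)
        PreviewBuilds = $preview
        Ring          = if ($ringName) { $ringName } else { "Other ($($p.BranchReadinessLevel))" }
    }
}

function Set-InsiderRing {
    param(
        [Parameter(Mandatory)][ValidateSet('Fast', 'Slow', 'ReleasePreview')][string]$Ring,
        [string[]]$TestDevicePatterns = @('^TEST-', '^INS-')   # assumed naming convention
    )
    # Guardrail: Fast builds are the least stable, so only designated test devices get them.
    $isTestDevice = $TestDevicePatterns | Where-Object { $env:COMPUTERNAME -match $_ }
    if ($Ring -eq 'Fast' -and -not $isTestDevice) {
        throw "Refusing to put $env:COMPUTERNAME on the Fast ring: not a designated test device."
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name ManagePreviewBuilds            -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ManagePreviewBuildsPolicyValue -Value 2 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name BranchReadinessLevel -Value $RingValues[$Ring] -Type DWord
    Get-InsiderRing   # read back so the caller sees what actually landed
}

# Usage: audit first, then move a device to the Slow ring.
Get-InsiderRing
Set-InsiderRing -Ring Slow
```

Values written under the Policies key are overwritten by the next Group Policy refresh, so use this directly only on devices you manage outside Group Policy; on domain-joined devices, set the same values through the Windows Update for Business policies and use Get-InsiderRing to confirm they applied.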

Is the Windows Insider Program for Business for everyone?

An organization that participates in the Windows Insider Program for Business must be able to commit the necessary resources to effectively take advantage of the program’s features. To meet this standard, organizations must ensure that they can dedicate the necessary hardware and infrastructure resources and choose users who have enough time to properly test the builds.

An organization’s decision to invest in these resources depends on its specific circumstances, but deploying a Windows update is seldom without a few hiccups. With the Windows Insider Program for Business, IT can avoid some of these issues.

How to start using Ansible for Windows management


Ansible is a configuration management offering that runs on Linux but controls Windows systems with PowerShell. Find out how to get the tool running in your data center.


As more enterprises mix Linux and Windows machines into the IT stack, it makes sense to find a tool that manages both platforms.

There are several tools designed for this purpose, but Ansible is making great strides to establish itself as the leader in this space. Ansible manages Linux and Windows systems. It has PowerShell support, so Windows admins can reuse their scripts once they learn Ansible’s management structure. The Ansible control node must run on Linux or macOS (Red Hat, Debian, CentOS or a similar distribution), on a physical server or a virtual machine; it does not run on Windows.

Ansible doesn’t use the typical server/client architecture of other remote management tools, so the setup work might be foreign to some administrators. Nothing is installed on the managed machine: Ansible manages Windows systems over Windows Remote Management (WinRM), the same transport that PowerShell remoting uses.

It only takes a few steps to set up the control machine, configure a Windows Server, execute individual commands on the configured machine and use custom scripts on Ansible for Windows management. Being able to copy and run your current PowerShell scripts is a quick way to get started with the Ansible console before learning how to dive deep into the Ansible playbook management approach.

Set up the control machine

To configure the Ansible control machine to manage hosts, enable PowerShell remoting on each Windows host and give Ansible credentials for it. Unlike Linux hosts, which Ansible reaches over Secure Shell (SSH) with a key, Windows hosts are reached over WinRM, so the credential is a username and password (or Kerberos or certificate authentication), not an SSH key.

Make sure the Ansible control machine runs on a valid version of Python with an updated version of pip, then run the following command to install the pywinrm module:

$ pip install "pywinrm>=0.2.2"

Use the following code to add the Windows machine you want to control to the /etc/ansible/hosts file so Ansible registers the Windows machine:

[groupname]
192.168.1.158

Next, add the following configuration to Ansible in the /etc/ansible/group_vars/groupname.yaml file for basic authentication:

ansible_user: 'YourHostsUsername'
ansible_password: 'YourHostsPassword'
ansible_connection: 'winrm'
ansible_winrm_transport: basic
ansible_port: '5986'
ansible_winrm_server_cert_validation: ignore

These are lab settings. Port 5986 is the HTTPS listener, so the basic-authentication credentials travel inside TLS, but ansible_winrm_server_cert_validation: ignore switches off certificate checking, which means the control node will hand the password to anyone who can intercept the connection. For production, issue the host a certificate from your CA, set ansible_winrm_server_cert_validation to validate (with ansible_winrm_ca_trust_path pointing at the CA certificate on the control node) and prefer ansible_winrm_transport: kerberos or ntlm over basic. A validate_certs line sometimes seen in these files is not a WinRM connection variable and does nothing here. Also avoid leaving a plaintext password in group_vars; store it with Ansible Vault instead.

Set up the host

Be sure the Windows machine you want to manage is on a supported version of Windows — version 7 or later for desktops and 2008 or later for Windows Server — and PowerShell 3.0 or later.

Next, enable PSRemoting with this command:

Enable-PSRemoting -Force

Then, set the WinRM service, which PowerShell remoting requires, to start automatically (Set-Service uses the -StartupType parameter; -StartMode is a WMI property, not a cmdlet parameter):

Set-Service -Name WinRM -StartupType Automatic

On the local machine, confirm you’ve started the WinRM service with the following cmdlet:

Test-WSMan

From a remote computer, add the -ComputerName parameter:

Test-WSMan -ComputerName “server123”

Video: A primer on Windows management via Linux

Next, set up a WinRM listener with the PowerShell script below, which Ansible publishes in its repository. It creates an HTTPS listener backed by a self-signed certificate, opens the firewall for it and enables basic authentication on the host. Ansible documents the script as intended for development and test environments, so expect to adjust it (at minimum, replace the self-signed certificate) before using it in production. Note that it downloads and runs code from the internet; review the script and the URL before running it.

$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"

(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

powershell.exe -ExecutionPolicy ByPass -File $file

For this tutorial, we use basic authentication, which you enable with the following command:

Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true

Lastly, run winrm quickconfig to confirm that the WinRM service is running and that a listener exists; if the script did not already create one, quickconfig creates an HTTP listener on port 5985 and the matching firewall exception.

winrm quickconfig

This Ansible for Windows tutorial is tailored for managing an individual server. To deploy this configuration on many machines, create a group policy and deploy that to the Windows servers. The group policy should set the WinRM service to start automatically, run the configuration script and configure the WinRM listeners.
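The host setup above deliberately uses Ansible’s convenience script and basic authentication, which are test settings. The following PowerShell is an added example, not code from the original article or from Ansible, of configuring the same host the way you would for production: it binds the HTTPS listener to a CA-issued certificate, removes the plaintext HTTP listener, disables basic authentication and unencrypted traffic, and limits port 5986 to the control node. The control node address 192.168.1.10, the firewall rule name and the assumption that a CA-issued certificate for the host’s FQDN already exists in the machine certificate store are illustrative.

```powershell
# Added example (not from the original article or Ansible's own script):
# production-leaning WinRM configuration for an Ansible-managed Windows host.
# Run elevated. Assumes a CA-issued certificate whose subject is CN=<host FQDN>
# is already in Cert:\LocalMachine\My; 192.168.1.10 is the assumed control node.
$ControlNode = '192.168.1.10'
$HostFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Pick a valid certificate issued to this host by a CA (self-signed certs have Issuer = Subject).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostFqdn*" -and $_.Issuer -ne $_.Subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No CA-issued certificate for CN=$HostFqdn in LocalMachine\My; enroll one first." }

Enable-PSRemoting -Force -SkipNetworkProfileCheck
Set-Service -Name WinRM -StartupType Automatic

# Recreate the HTTPS listener so it is bound to the CA-issued certificate, not a self-signed one.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

# Remove the plaintext HTTP listener and the test-only settings from the tutorial:
# no basic authentication (credentials are only base64-encoded) and no unencrypted traffic.
# Kerberos and NTLM stay enabled for ansible_winrm_transport: kerberos or ntlm.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Force
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# Only the control node may reach 5986; disable the broad built-in HTTP (5985) rule.
Get-NetFirewallRule -DisplayName 'Ansible WinRM HTTPS' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'Ansible WinRM HTTPS' -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -RemoteAddress $ControlNode -Action Allow | Out-Null
Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Verify over TLS from the host itself; if this fails, Ansible will fail the same way.
Test-WSMan -ComputerName $HostFqdn -UseSSL -Port 5986
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
```

On the control node, pair this with ansible_winrm_transport: kerberos (or ntlm), ansible_winrm_server_cert_validation: validate and ansible_winrm_ca_trust_path pointing at your CA certificate, so the control node refuses to connect to an impostor host; with the settings from the tutorial’s group_vars file, win_ping against this host will now fail because basic authentication is off.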

How to work with Ansible for Windows machine management

After finalizing the configuration from the Ansible server to the remote managed machine, you can run tasks remotely from the Ansible server.

First, test connectivity with a ping from the Ansible host.

$ ansible groupname -m win_ping

192.168.1.158 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

To run ad hoc commands on Windows from Ansible, you can easily create one-liners by calling the win_shell module. A simple example is stopping a service remotely for a group of machines from the Ansible console:

$ ansible groupname -m win_shell -a "Get-Service -Name servicename | Stop-Service"

You also have access to the win_command module to run executables remotely.

$ ansible groupname -m win_command -a whoami.exe

How to run an Ansible for Windows script

Another example of Ansible management of remote Windows servers is to copy a local PowerShell script to the remote managed machine.

$ ansible groupname -m win_copy -a "src=/path/to/script.ps1 dest=C:\temp\script.ps1"

You can then run the script with the win_command module.

$ ansible groupname -m win_command -a "powershell.exe -ExecutionPolicy ByPass -File C:\temp\script.ps1"
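The win_copy and win_command pair above runs whatever the script does and, because win_command cannot know what changed, reports the task as changed every time. The script below is an added example, not code from the original article, written for that pattern: it makes its change only when needed, emits one line of JSON that a playbook can parse, and exits non-zero on failure so Ansible marks the task failed. The default service name Spooler and the path C:\temp in the usage note are illustrative.

```powershell
# Added example (not from the original article): a PowerShell script meant to be
# pushed with win_copy and run with win_command. It stops a service only if it is
# running, reports the outcome as compact JSON and uses the exit code to signal failure.
param(
    [string]$Name = 'Spooler',      # illustrative default
    [int]$TimeoutSeconds = 30
)

function Stop-ServiceIdempotent {
    param([string]$Name, [int]$TimeoutSeconds)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ service = $Name; changed = $false; status = 'NotFound'; failed = $true }
    }
    if ($svc.Status -eq 'Stopped') {
        # Nothing to do: report changed = false so a playbook can see this was a no-op.
        return [pscustomobject]@{ service = $Name; changed = $false; status = 'Stopped'; failed = $false }
    }
    Stop-Service -Name $Name -Force -ErrorAction Stop
    # Stop-Service can return before the service control manager reports Stopped;
    # wait with a bound instead of polling forever (throws on timeout).
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
    $svc.Refresh()
    [pscustomobject]@{
        service = $Name
        changed = ($svc.Status -eq 'Stopped')
        status  = "$($svc.Status)"
        failed  = ($svc.Status -ne 'Stopped')
    }
}

try {
    $result = Stop-ServiceIdempotent -Name $Name -TimeoutSeconds $TimeoutSeconds
} catch {
    $result = [pscustomobject]@{
        service = $Name; changed = $false; status = 'Error'; failed = $true
        message = $_.Exception.Message
    }
}

# One line of JSON on stdout is what a play can feed to the from_json filter.
$result | ConvertTo-Json -Compress
if ($result.failed) { exit 1 } else { exit 0 }
```

Run it the same way as the article’s script, passing the service name as an argument: ansible groupname -m win_command -a "powershell.exe -ExecutionPolicy ByPass -File C:\temp\Stop-ServiceIdempotent.ps1 -Name Spooler". In a playbook, register the task result and read the JSON with (result.stdout | from_json).changed to set changed_when, which gives the ad hoc script the same idempotent reporting as a native Ansible module.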

Ansible opens the door to advanced management capabilities

Ansible is worth learning due to its cross-platform capabilities that scale to manage a large number of devices. Once you’ve learned the basics, you can perform more in-depth tasks, such as using PowerShell Desired State Configuration with Ansible and working with custom modules.
