Project Honolulu

With the recent release of Server 1709 (and the fact that it’s Server Core only), Microsoft have also recently released a preview of a new server management product. This product is currently code-named ‘Project Honolulu’, and is a light-weight web-based management console for Windows Server. Details of the original preview release can be found here.

In the past, when you wanted to manage remote servers (and especially Server Core instances), you either had to:

  • RDP in to configure it
  • Enable WinRM and use remote powershell
  • Enable WinRM and use a remote Server Manager instance from Server 2012 R2 or Server 2016

Depending on what you were trying to achieve, you also may have had to use remote consoles like Computer Management, Event Viewer, Storage Management, Certificate Management, Firewall Management – none of which are built in to Server Manager, but can be launched from there.

Based on initial impressions of Project Honolulu, it looks like Microsoft is trying to improve that experience, and it looks like they’re actually moving in the right direction.

As you can see from the above image, they’ve actually rolled a bunch of the above tools into a single interface – and the really surprising part, is that it’s actually fast. Not like Server Manager where sometimes it can take quite a while to refresh or load.

Obviously it’s not a complete product yet, and there’s a bunch of stuff in Server Manager that it would be nice to see in Honolulu – mostly around dashboards, additional tool sets (Active Directory tools, for example), and additional functionality in the existing tools.

Some of the things I found quite good with Honolulu:

  • The speed of loading remote information (event logs, services, etc)
  • The ability to remotely import a certificate PFX file without having to resort to painful powershell commands and scripts!
  • Set basic IP config on a remote server
  • Remote process monitor (graphical – not tasklist.exe!)
  • Remote storage management without setting up additional firewall rules
  • Virtual Machine dashboards/management. I haven’t had too much of a play with this so I’d say there’s stuff missing, but what’s there is actually quite good.
  • Remote Windows Update management (for those of you not using SCCM/WSUS to automate update installation)

Things it can’t do yet, but I’m hoping they add in:

  • Dashboards for overall status of servers
  • Search function for Registry viewing/editing
  • More settings for Services (eg: Logon details)
  • Editing of certificate private key permissions
  • Additional remote tools – such as Active Directory Users and Computers, DHCP, DNS, Remote Access Management, IIS, etc

If you’re interested in trying out Project Honolulu, it can be downloaded here. Installation instructions can be found here. To be honest, it’s a super simple setup – whether that changes in the future is yet to be seen!.

Note: remote management via Honolulu does require Windows Management Framework 5.0, so you’ll need to install that on non-2016 servers.

Server 2016 LTSC vs Server 1709 Semi-Annual

In September 2016, Microsoft released Server 2016. A couple months ago, they then released Server 1709. You’d be forgiven for thinking that Server 1709 is an upgrade to 2016 – because it’s actually not.

Much like Windows 10, Microsoft have gone down the path of having multiple ‘Channels’ with the Server products. Essentially:

  • Server 2016 is the server equivalent of Windows 10 LTSB (Long Term Servicing Branch)
  • Server 1709 is the server equivalent of Windows 10 CBB (Current Branch for Business)

Instead of using LTSB and CBB, the server OS’s are ‘Channels’ – so LTSC (Long Term Servicing Channel) and SAC (Semi-Annual Channel).

So what are the main differences?

Server 2016

  • Available in Standard, Datacenter and Essential editions
  • Available as Server Core, or Server with a GUI
  • 5 year mainstream support, 5 year extended support
  • New release expected every 2-3 years

Server 1709

  • Available in Standard or Datacenter (no Essential edition)
  • Only available as Server Core
  • 18 months mainstream support, no extended (much like Windows 10 CB and CBB)
  • Releases semi-annual

So why would you go with 1709 over Server 2016? In general, it depends on your use-case scenario. The largest improvements for 1709 are around Containers and Nano Containers (with Nano Server being deprecated), along with some Hyper-V. Obviously you’re going to be restricted to Server Core, but that’s not as big of a deal these days when you’re talking about built-in roles (due to significant improvements in remote management for Server 2016). In general, you’re only going to be considering 1709 (or any SAC release) in the following scenarios:

  • You’re looking to build a new Server Core server and you don’t mind upgrading it every 12-18 months
  • There’s specific features available in 1709 that aren’t available in 2016

For a full list of updated features in 1709, here’s the full list. There’s also a new management interface on the way, currently named ‘Project Honolulu’ – this may help with some of the Server Core management concerns.

A couple of gotchas:

  • If you’re using Automatic Virtual Machine Activation (AVMA) on Datacenter Hyper-V hosts, it doesn’t seem to work with Server 1709 – at this stage I’m unable to find official information about this, so it seems that you’ll need to use Manual Activation Keys (MAK) in the mean-time (or…ongoing).
  • You can’t upgrade from Server 2016 to Server 1709 (even if it’s 2016 Core) – much like you can’t upgrade from Windows 10 LTSB to CBB.

 

Preparing to update for Intel® Management Engine Critical Firmware Update (Intel SA-00086)

Intel released a security advisory yesterday (22/11/2017) advising of vulnerabilities with their management engine firmware – which can he found here

The reason why this is concerning for corporate customers is that basically every PC, Server and laptop that you have, most likely will be exposed, as the vast majority of corporate level hardware contains this hardware.

Intel has provided a detection tool available at https://downloadcenter.intel.com/download/27150. Contained within is a couple of applications, the GUI version will probably be handy for those orgs with only a handful of makes and models – where-as the command line tool will be more useful for larger organisations to run and centralise results via tools such as SCCM.

 

The original page contains links for various vendors update, the downside is that there doesnt seem to be many patches as yet, as per this page (at the time of writing, all Dell entries are marked as “TBD”, where-as Lenovo lists a target date of 24/11/2017)

 

So, what can you do while waiting for the patches to be released?

  • Test your systems using the provided tool to see if they are vulnerable. Testing at least one of each make/model will give you a good idea what you will need to target
  • Setup SCCM collections ready to go, which would entail
    • A collection for each make and model (I imagine many places would have this already)
    • A series of collections which each include one/make model and the criteria “AMT Agent – Flash is NOT equal to <insert version number of patched FW – once released>” – This will enable you quickly identify machines which need to be targeted with the update
    • (Please note the above is an assumption, some vendors may patch this via a BIOS update, in which case, the BIOS version may be the identifier instead)

 

Please post a comment if there are any questions – and ill update thios post once the patches are released – if there are any gotcha’s we run into.

KB4038777 fails on some Windows 2008 R2 servers

Recently, we had an issue where KB4038777 was failing to install on some Windows 2008 R2 servers, but was fine on others.

Sometimes, this indicates that the “maximum run time” on a patch has been set ludicrously low (generally 10 minutes) on a specific patch – and the servers that it is failing on, are those that don’t perform so well – and therefore time out.

In this case, the patch was failing with the following line in the CBS.log

Failed to find file: x86_microsoft-windows-directwrite_31bf3856ad364e35_7.1.7601.23688_none_c657164201eacd8d\DWrite.dll [HRESULT = 0x80070002 – ERROR_FILE_NOT_FOUND]

We tried a number of things to “fix” this, including comparing file versions of Dwrite.dll, cleaning out the softwaredistribution cache, disabling AV etc – to no avail.

After a few hours, we found that installing the “desktop experience” feature (which requires a reboot), then running a disk cleanup (including windows updates) on the server then allowed us to install this update.

Its not an ideal “solution” – and quite frankly – all Windows 2008 R2 server should be in the process of being decommissioned… but aside from that, it seems that admins have the option of

a) installing desktop experience, rebooting, then running a disk cleanup

b) waiting for next months rollup – which may not have the same issue.

 

SMB 1 no longer installed by default in Win 10 1710/Server 2016 (next release)

https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-by-default-in-windows-10-rs3-and-windows-server

As per the link above, SMB 1 will no longer be installed by default in Win 10 1710 (which, given the release date, I’m guess that’s what it will be called) or the next version of Server 2016 (whatever that ends up being called).

Considering the recent-ish SMB1 targeted attacks, this isn’t surprising – and is a good move in my opinion. Issue is of course, the companies likely to hit by SMB1 (or other old-school attacks) are likely to not be up to date with their patching and even less likely to be up to date with OS versions – so it wont help secure the more vulnerable networks out there….

Welcome aboard Jamie Brooks

We are proud to introduce the newest addition to the Adexis team of senior consultants, Jamie Brooks.

We’ve known for some years of Jamie’s outstanding reputation for quality and technical skill and we are honoured to have him onboard.

Jamie brings to Adexis a new set of talents including expert skills in Microsoft Azure. This is an exciting addition which expands the cloud and hybrid services and solutions we can bring to our clients.

Jamie also brings with him extensive skills in our existing engagements with our customers such as SCCM, AD, Exchange and more.

I would like to thank our customers who continue to support us, making this increase in our team possible.

Welcome aboard Jamie, we are proud to have you onboard and look forward to achieving great things together.

Windows 7 unsupported CPU’s starting to hit the market

As has been well documented

https://support.microsoft.com/en-us/help/4012982/the-processor-is-not-supported-together-with-the-windows-version-that-

 http://www.intel.com.au/content/www/au/en/support/graphics-drivers/000005526.html

 http://www.dell.com/support/article/us/en/19/SLN304217/microsoft-windows-operating-system-support-for-intel-kaby-lake-processors?lang=EN

The newest Intel and AMD processors are not supported when using Windows 7, 8.1, Server 2008R2 and Server 2012 R2… While this has been known for a while, however its always variable how much time the new hardware takes to hit the market.

A client recently had ordered a number of Dell 3040’s….. but Dell apparently decided to send 3050’s instead due to stock issues…. leading to this clients build’s not working.

While I, like many others, hate being “forced” to move versions (of anything), Win 10 is actually a pretty good OS and with Windows 7 extended support ending in 2020, its simply time to start planning to migration.

SCCM – BADMIF error 4

It is very common to get the following errors in your SCCM component status window for the component “SMS_Inventory_Data_loader” – the most of common of which goes something along the lines of

Inventory Data Loader failed to process the file D:\Program Files\Microsoft Configuration Manager\inboxes\auth\dataldr.box\Process\H38H6C71.MIF because it is larger than the defined maximum allowable size of 5000000.

The size of the MIFs can be checked by navigating to D:\Program Files\Microsoft Configuration Manager\inboxes\auth\dataldr.box\BADMIFS\ExceedSizeLimit and taking note of the largest MIF, then adding a bit of headroom, modifying the registry as per https://thedesktopteam.com/heinrich/event-id-2719-sms_inventory_data_loader-error-sccm-2012-r2/

For one client recently, once that was done, the larger MIFs started processing, however they then got many entry’s in D:\Program Files\Microsoft Configuration Manager\inboxes\auth\dataldr.box\BADMIFS\ErrorCode_4

This article – https://blogs.technet.microsoft.com/umairkhan/2014/10/01/configmgr-2012-hardware-inventory-resync-and-badmif-internals/ nicely documents some of the errors you may get, but not specifically what error code 4 relates to. This TechNet forum post seems to nail the issue, but not necessarily how to solve it.

In my case, I navigated to the SCCM logs directory, open dataldr.log and searched for errors to find the specific line of SQL which was not being imported nicely – it was pretty easy to find thanks to CMTrace’s desire to highlight lines with “error” in them to red.

With this, its fairly easy to see that the troublesome statement is

*** [23000][547][Microsoft][SQL Server Native Client 11.0][SQL Server]The INSERT statement conflicted with the FOREIGN KEY constraint “WINDOWS8_APPLICATION_USER_INFO_DATA_FK”. The conflict occurred in database “CM_xxx”, table “dbo.System_DATA”, column ‘MachineID’. : pWINDOWS8_APPLICATION_USER_INFO_DATA

 

Armed with this information, you can then choose if you care about this hardware inventory information – and if not, you can exclude it from inventory.

Importing AD powershell module into Windows PE and then using encrypted creds

Powershell makes life much easier than vbscript…. however it does have its downsides…  signing policy can sometimes be a bit of pain and the modules you need have to be available…. which is an issue in particular for Windows PE.

Mick (good aussie name there) was nice enough to write a blog on how to import powershell into PE – without having to add it statically to the boot wim – http://mickitblog.blogspot.com.au/2016/04/import-active-directory-module-into.html

As a little shortcut from the blog, you can copy both the x86 and x64 required directories via robocopy rather than determining the version via powershell.

The next step however is the more important one…. a task sequence doesn’t allow us to run a powershell command in PE with credentials, we need a secure way of running the command. In this case, we want to delete a computer object….

Step 1 – Generate a key file (perform on any full OS)

$KeyFile = “\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.key“

$Key = New-Object Byte[] 16

[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)

$Key | out-file $KeyFile

 

Step 2 – Encrypt a password using the key

$PasswordFile = “\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.txt“

$KeyFile = “\\sccm\PSource$\OSD.DeleteComputer\\DeleteComputer.key“

$Key = Get-Content $KeyFile

$Password = “Your password here” | ConvertTo-SecureString -AsPlainText -Force

$Password | ConvertFrom-SecureString -key $Key | Out-File $PasswordFile

 

Step 3 – Create your script utilising the creds – (Below is the one I use to delete a computer object)

Import-module ActiveDirectory

#SCCM TS Object
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

#SCCM Variables
$CompName = $tsenv.Value(“_SMSTSMachineName”)

# Get current path in order to get encrypted password
$MyDir = [System.IO.Path]::GetDirectoryName($myInvocation.MyCommand.Definition)
$User = “Domain\Account”
$PasswordFile = “$MyDir\DeleteComputer.txt”
$KeyFile = “$MyDir\DeleteComputer.key”
$key = Get-Content $KeyFile
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $PasswordFile | ConvertTo-SecureString -Key $key)

# Remove the computer from AD
Remove-ADComputer -Identity $CompName -server <DC name required> -Credential $MyCredential -confirm:$false

 

One obvious risk is, this is not very secure. It will stop a random snooper type person from seeing a plain text password…. but it will not stop someone who is capable of pressing F8 to get into the running TS (if you have it enabled) and then grabbing the key and txt and being able to use them…. So, take this into consideration when choosing to use (or not use) for your environment.

UEV now included in Windows 10 1607 (and above)

User Experience Virtualization (UEV) use to be part of the MDOP packs…. however MDOP’s last update was in 2015…. leaving some of us wondering what was happening to awesome tools contained within.

Given Microsoft’s strong movement towards cloud platforms, it seemed likely that these tools were dead.

Fortunately for UEV, its now included in Windows 10 Enterprise as a default service, for versions 1607 and 1703 (and we may be able to assume future releases as well). Some details on the release are here – https://docs.microsoft.com/en-us/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows

Unfortunately, the documentation is somewhat unhelpful.

The UEV documentation is located here – https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2

However, there are a couple of quite important things that anyone deploying this should be aware of

  • Even though it isn’t stated anywhere in the doco, and seems quite counter-intuitive based on what’s presented in the GPO settings, the default Microsoft included templates do not automatically register on clients. These can be copied to your custom templates path, or you can register them with powershell on each machine as per http://ccmexec.com/2017/02/synchronizing-ie-favorites-with-ue-v-in-windows-1607/
  • The UEV template generator is part of the ADK (1607 or 1703) – however, it does not show up if you try and run the ADK installer on Windows 8.1 or server 2012 R2. I haven’t tried on Windows 10 versions below 1607 or 1703 – but it will show/be installable on those versions.