MDT Build 8443 Automatically move computers to the right OU.

On December 2010 i wrote an article: automatically move computers to the right OU.
In MDT 2012 update 1 this was an issue: MDT 2012 settings per task sequence

In MDT 2013 Update 2 this is still a issue:

How to fix:

I changed DeployWiz_SelectTS.vbs file and it work again Glimlach

1. Edit DeployWiz_SelectTS.vbs
2. Add after Function ValidateTSList and  Dim oTS
   
Dim oItem
Dim sCmd
Set Oshell = createObject(“Wscript.shell”)
3. Add between  End if and End Function
sCmd = “wscript.exe “”” & oUtility.ScriptDir & “\ZTIGather.wsf”””
oItem = oSHell.Run(sCmd, , true)

Download DeployWiz_SelectTSMDT8843.7z

IIS Crypto the best tool to configure SSL/TLS cipher suites

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

Features

– Single click to secure your website using best practices
– Create custom templates that can be saved and run on multiple servers
– Stop DROWN, logjam, FREAK, POODLE and BEAST attacks
– Disable weak protocols and ciphers such as SSL 2.0, 3.0 and MD5
– Enable TLS 1.1 and 1.2
– Enable forward secrecy
– Reorder cipher suites
– Built in Best Practices, PCI, PCI 3.1 and FIPS 140-2 templates
– Site scanner to test your configuration
– Command line version

Screenshot1

WMI Filters for OS version

DESKTOPS

ANY WINDOWS DESKTOP OS

  • Any Windows Desktop OS – 32-bit
    select * from Win32_OperatingSystem WHERE ProductType = “1” AND NOT OSArchitecture = “64-bit”
  • Any Windows Desktop OS – 64-bit
    select * from Win32_OperatingSystem WHERE ProductType = “1” AND OSArchitecture = “64-bit”

WINDOWS 7

  • Windows 7
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″
  • Windows 7 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 7 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 8.1

  • Windows 8.1
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″
  • Windows 8.1 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 8.1 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 8.1

  • Windows 8.1
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″
  • Windows 8.1 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 8.1 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 10

  • Windows 10
    select * from Win32_OperatingSystem WHERE ‘Version like ‘10.0.%’ AND ProductType=”1″
  • Windows 10 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “10.0.% AND ProductType=”1” AND NOT OSArchitecture = “64-bit”
  • Windows 10 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “10.0.%””6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

SERVERS

ANY WINDOWS SERVER OS

  • Any Windows Server OS
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”)
  • Any Windows Server OS – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server OS – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”) AND OSArchitecture = “64-bit”
  • Any Windows Server – Domain Controller
    select * from Win32_OperatingSystem where (ProductType = “2”)
  • Any Windows Server – Domain Controller – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server – Domain Controller – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) AND OSArchitecture = “64-bit”
  • Any Windows Server – Non-Domain Controller
    select * from Win32_OperatingSystem where (ProductType = “3”)
  • Any Windows Server – Non- Domain Controller – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “3”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server – Non-Domain Controller – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “3”) AND OSArchitecture = “64-bit”

WINDOWS SERVER 2008 R2

  • Windows Server 2008 R2 – 64-bit – DC
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”2″
  • Windows Server 2008 R2 – 64-bit – non-DC
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”3″

WINDOWS SERVER 2012 R2

  • Windows Server 2012 R2 – 64-bit – DC
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”2″
  • Windows Server 2012 R2 – 64-bit – non-DC
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”3″

WINDOWS SERVER 2016

Don’t Deploy Exchange Server 2016 on Windows Server 2016 For Now Due to Stability Issues

Since the release of Exchange Server 2016 Cumulative Update 3 (CU3), which added support for installing Exchange 2016 onto Windows Server 2016 servers, there’s been a series of reports in support forums and blog comments about errors that customers are seeing.

Now Microsoft has acknowledged that there is in fact a known issue, and there is no current workaround for it.

If you attempt to run Microsoft Exchange 2016 CU3 on Windows Server 2016, you will experience errors in the IIS host process W3WP.exe. There is no workaround at this time. You should postpone deployment of Exchange 2016 CU3 on Windows Server 2016 until a supported fix is available.

That’s all the detail that has been publicly released by Microsoft at this time, but the guidance is clear. You should deploy Exchange 2016 only on Windows Server 2012 R2 until further notice.

Source: https://exchangeserverpro.com/dont-deploy-exchange-server-2016-windows-server-2016-now-due-stability-issues/

Windows Server 2016 certification

Microsoft is pleased to announce the release of the new MCSA: Windows Server 2016 certification.

The new MCSA can be earned by taking and passing the following three exams:

  • 70-740 – Installation, Storage, and Compute with Windows Server 2016
  • 70-741 – Networking with Windows Server 2016
  • 70-742 – Identity with Windows Server 2016

Exam 740 is scheduled for beta release in early October 2016, with the other exams following soon after.

Individuals who currently hold either an MCSA: Windows Server 2012 or MCSA: Windows Server 2008 certification will be able to upgrade to the new 2016 certification through a single, upgrade exam:

  • 70-743 – Upgrade Your Skills to MCSA: Windows Server 2016

Exam 743 is scheduled for beta release in late July 2016. 

MOC courses corresponding to all four Windows Server 2016 exams are scheduled for release in September 2016, while practice tests will be available shortly after each exam beta period ends.

New options for specialization and continuing education through the MCSE program will be announced later this summer.

Cumulative Update 2 for Exchange Server 2016

.Net 4.6.1 Support

Support for .Net 4.6.1 is now available for Exchange Server 2016 and 2013 with these updates. We fully support customers upgrading servers running 4.5.2 to 4.6.1 without removing Exchange. We recommend that customers apply Exchange Server 2016 Cumulative Update 2 or Exchange Server 2013 Cumulative Update 13 before upgrading .Net FrameWork. Servers should be placed in maintenance mode during the upgrade as you would do when applying a Cumulative Update. Support for .Net 4.6.1 requires the following post release fixes for .Net as well.

Note: .Net 4.6.1 installation replaces the existing 4.5.2 installation. If you attempt to roll back the .Net 4.6.1 update, you will need to install .Net 4.5.2 again.

AutoReseed Support for BitLocker

Beginning with Exchange 2013 CU13 and Exchange 2016 CU2, the Disk Reclaimer function within AutoReseed supports BitLocker. By default, this feature is disabled. For more information on how to enable this functionality, please seeEnabling BitLocker on Exchange Servers.

SHA-2 Support for Self-Signed Certificates

The New-ExchangeCertificate cmdlet has been updated to produce a SHA-2 certificate for all self-signed certificates created by Exchange. Creating a SHA-2 certificate is the default behaviour for the cmdlet. Existing certificates will not automatically be regenerated but newly installed servers will receive SHA-2 certificates by default. Customers may opt to replace existing non-SHA2 certificates generated by previous releases as they see fit.

Migration to Modern Public Folder Resolved

The issue reported in KB3161916 has been resolved.

 

This cumulative update fixes the following issues:

This cumulative update also fixes the issues that are described in the KB 3160339 MS16-079: Security update for Microsoft Exchange: June 14, 2016 and KB 3134844 Cumulative Update 1 for Exchange Server 2016

Microsoft Knowledge Base articles.
This update also includes new daylight saving time (DST) updates for Exchange Server 2016. For more information about DST, go to Daylight Saving Time Help and Support Center.

Download: https://www.microsoft.com/en-us/download/details.aspx?id=52968

MDT 2013 Update 2 Automatically move computers to the right OU.

On December 2010 i wrote an article: automatically move computers to the right OU.
In MDT 2012 update 1 this was an issue: MDT 2012 settings per task sequence

In MDT 2013 Update 2 this is still a issue:

How to fix:

I changed DeployWiz_SelectTS.vbs file and it work again Glimlach

1. Edit DeployWiz_SelectTS.vbs
2. Add after “Dim sTemplate”
Dim sCmd
Set Oshell = createObject(“Wscript.shell”)
3. Add before “End Function” (bottom of page)
sCmd = “wscript.exe “”” & oUtility.ScriptDir & “\ZTIGather.wsf”””
oItem = oSHell.Run(sCmd, , true)

Download DeployWiz_SelectTSMDT2013Update2.7z

Don’t forget to change every TaskSequence

clip_image002

Setup MDT 2013 (Update 2) to encrypt Windows 10 devices (Laptops) automaticlly

This  will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

  • A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
  • To configure your environment for BitLocker, you will need to do the following:
  1. Configure Active Directory for BitLocker.
  2. Download the various BitLocker scripts and tools.
  3. Configure the rules (CustomSettings.ini) for BitLocker.

Configure Active Directory for BitLocker

To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.

Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.

In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.

figure 2

Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.

Add the BitLocker Drive Encryption Administration Utilities

The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):

  1. On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
  2. On the Before you begin page, click Next.
  3. On the Select installation type page, select Role-based or feature-based installation, and click Next.
  4. On the Select destination server page, select DC01.contoso.com and click Next.
  5. On the Select server roles page, click Next.
  6. On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
    1. BitLocker Drive Encryption Administration Utilities
    2. BitLocker Drive Encryption Tools
    3. BitLocker Recovery Password Viewer
  7. On the Confirm installation selections page, click Install and then click Close.

figure 3

Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.

Create the BitLocker Group Policy

Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.

  1. On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
  2. Assign the name BitLocker Policy to the new Group Policy.
  3. Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:

    Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

    1. Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
      1. Allow data recovery agent (default)
      2. Save BitLocker recovery information to Active Directory Domain Services (default)
      3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (Do Not Enable This Winking smile)
    2. Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
    3. Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.

      Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services

    4. Enable the Turn on TPM backup to Active Directory Domain Services policy.

(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)

Set permissions in Active Directory for BitLocker

In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.

  1. On DC01, start an elevated PowerShell prompt (run as Administrator).
  2. Configure the permissions by running the following command:
    cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
    

figure 4

Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.

Add BIOS configuration tools from Dell, HP, and Lenovo

If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.

Add tools from Dell

The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:

cctk.exe --tpm=on --valsetuppwd=Password1234
Add tools from HP

The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:

BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234

And the sample content of the TPMEnable.REPSET file:

English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available
Add tools from Lenovo

The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:

cscript.exe SetConfig.vbs SecurityChip Active

CustomSettings.ini

[Default]
SkipBitLocker=YES

[LAPTOP]
TaskSequenceID=LAPTOP
MachineObjectOU=OU=Bitlocker,OU=LAPTOPS,OU=Clients,DC=wardvissers,DC=local
BDEKeyLocation=\\mdt01.wardvissers.local\Bitlocker$

Source

Exchange Updates installing slow on Windows Server 2012 R2

For customers who are running Exchange on Windows Server 2012 R2, we want to make certain you are aware of a condition which can substantially increase the amount of time it takes to install Exchange Updates on this OS. Working with the .Net team, we have discovered that systems which have applied Windows Update KB3097966 can take 50% more time to install Exchange. The .Net team is working on a resolution to this and will include a fix in a future product update. In the meantime, customers who have deployed this Windows update can take a one-time action on their server before installing Exchange or a Cumulative Update to bring installation time back to normal. This procedure needs to be done once on every Exchange server running Windows Server 2012 R2. The command to execute is:

“%windir%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update”

Errors and warnings encountered running this command can be safely ignored provided the final exit status code of 0 is reported in the output.

Staying up-to-date with Windows Server updates for Remote Desktop Services (RDS)

Microsoft Remote Desktop Team get customer enquiries asking which RDS updates are available for a particular Windows Server platform; or when providing support we need to verify if certain hotfixes and servicing rollups are installed on the customers’ servers. To make it easier for customers and ourselves, we regularly revise KB articles that list all of the available updates specific to Remote Desktop services for each Windows Server release:

Translate »