Keeping WSUS Happy using PowerShell

Some time ago i found a great WSUS cleanup script. I used this at my demo lab and customer sites. WSUS need a little help Winking smile

  • Someone need to deny all patches that are superseeded, this does not happen automatically.
  • Someone needs to cleanup old content, computers, patches and such, this does not happen automatically.
  • Someone needs to care for the database, this does not happen automatically.

https://github.com/DeploymentBunny/Files/tree/master/Tools/Invoke-WSUSMaint

image

The script will do the following

Connect to a database

you might need to change this in the script.

#For Windows Internal Database, use $WSUSDB = ‘\\.\pipe\MICROSOFT##WID\tsql\query’
#For SQL Express, use $WSUSDB = ‘\\.\pipe\MSSQL$SQLEXPRESS\sql\query’

Get the Superseeded Updates

Here is the Posh that fixes that:

$SuperSeededUpdates = Get-WsusUpdate -Approval AnyExceptDeclined -Classification All -Status Any | Where-Object -Property UpdatesSupersedingThisUpdate -NE -Value ‘None’ -Verbose
$SuperSeededUpdates | Deny-WsusUpdate –Verbose

Cleanup WSUS

We run each step sepratly, however, you can change that and run everything in one line…

Cleanup the DB

Last part runs sqlcmd using a .SQL file from MSFT Gallery, and yes, you can download and install the PowerShell tools for SQL and use that instead. Most of your customers dont have thoose tools installed, so sqlcmd.exe it is

Source: https://deploymentbunny.com/2016/02/03/working-in-the-datacenter-keeping-wsus-happy-using-powershell/

Configure your Exchange 2016 server with Configure-Echange2016.ps1

The Script is based on my Configure Exchange 2013 Script Download: https://gallery.technet.microsoft.com/scriptcenter/Configure-Exchange-2013-e0ffb2a6

At this moment there is only v1.0 so now new features.

You can download this script here:
https://gallery.technet.microsoft.com/scriptcenter/Configure-Exchange-2016-0e3c8288

Configure your Exchange 2013 server with Configure-Echange2013.ps1 Updated to V3.2

Updated to V3.2

Change List:

# V1.0 Begin
# V1.1 Added Some New Options 12-10-2014
# V1.2 Added Hyper-V Best Practise & NTFS Partition Offset
# V1.3 Added KB2995145 .NET Framework 4.5 garbage collector heap Fix
# V1.4 Added Set Minimum Disk Space Warning level (180GB Default CU6 200GB CU5)
# V1.5 Added Some new features
# V1.6 Changed the Layout & Add Move Arbitration Mailbox
# V1.7 Added PST Export & KB2990117
# V1.8 Added Full backup, Database in GB and Mailbox Size in GB Export CSV
# V1.9 Added Outlook AnyWhere & SafetyNetHoldTime
# V2.0 Added Check DatacenterActivationMode, Get-DatabaseAvailabilityGroupNetwork, Add Static Route, Disable Replation Network on DAG, Database Copies Per Volume (AutoReseed)
# V2.1 Added Edge Subscription
# V2.2 Added Check Transaction Log Growth
# V2.3 Changed the Menu to Submenu’s
# V2.4 Added Check Database White Space
# V2.5 Added MAPI HTTP External URL
# V2.6 Fixed OWA Virtual URL & HTTP URL
# V2.7 Added Fixes & Mountpoints & Changed Set Minimum Disk Space Warning Level from REG to GlobalOverride
# V2.8 Maintaince Added
# V2.9 Set Power to Highperformance
# V3.0 Check of Microsoft.Exchange.Management.PowerShell.SnapIn is loaded
# V3.1 Added Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com & Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:*.domain.com
# V3.2 VMware Best Practises & Fixed soms things

Download: https://gallery.technet.microsoft.com/scriptcenter/Configure-Exchange-2013-e0ffb2a6

Setup MDT 2013 (Update 2) to encrypt Windows 10 devices (Laptops) automaticlly

This  will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

  • A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
  • To configure your environment for BitLocker, you will need to do the following:
  1. Configure Active Directory for BitLocker.
  2. Download the various BitLocker scripts and tools.
  3. Configure the rules (CustomSettings.ini) for BitLocker.

Configure Active Directory for BitLocker

To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.

Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.

In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.

figure 2

Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.

Add the BitLocker Drive Encryption Administration Utilities

The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):

  1. On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
  2. On the Before you begin page, click Next.
  3. On the Select installation type page, select Role-based or feature-based installation, and click Next.
  4. On the Select destination server page, select DC01.contoso.com and click Next.
  5. On the Select server roles page, click Next.
  6. On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
    1. BitLocker Drive Encryption Administration Utilities
    2. BitLocker Drive Encryption Tools
    3. BitLocker Recovery Password Viewer
  7. On the Confirm installation selections page, click Install and then click Close.

figure 3

Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.

Create the BitLocker Group Policy

Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.

  1. On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
  2. Assign the name BitLocker Policy to the new Group Policy.
  3. Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:

    Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

    1. Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
      1. Allow data recovery agent (default)
      2. Save BitLocker recovery information to Active Directory Domain Services (default)
      3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (Do Not Enable This Winking smile)
    2. Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
    3. Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.

      Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services

    4. Enable the Turn on TPM backup to Active Directory Domain Services policy.

(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)

Set permissions in Active Directory for BitLocker

In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.

  1. On DC01, start an elevated PowerShell prompt (run as Administrator).
  2. Configure the permissions by running the following command:
    cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
    

figure 4

Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.

Add BIOS configuration tools from Dell, HP, and Lenovo

If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.

Add tools from Dell

The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:

cctk.exe --tpm=on --valsetuppwd=Password1234
Add tools from HP

The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:

BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234

And the sample content of the TPMEnable.REPSET file:

English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available
Add tools from Lenovo

The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:

cscript.exe SetConfig.vbs SecurityChip Active

CustomSettings.ini

[Default]
SkipBitLocker=YES

[LAPTOP]
TaskSequenceID=LAPTOP
MachineObjectOU=OU=Bitlocker,OU=LAPTOPS,OU=Clients,DC=wardvissers,DC=local
BDEKeyLocation=\\mdt01.wardvissers.local\Bitlocker$

Source

DNS Best Practise

I thing i see at many client’s where i come is. Enable Automatic scavenging of stale records is forget to enable. This is a best practise. See: https://technet.microsoft.com/nl-nl/library/ff807390(v=ws.10).aspx

DC01

Use the Microsoft Best Practice Analyzer Winking smile

Powershell Smile

Set-DnsServerScavenging –ScavengingState $True –RefreshInterval  7:00:00:00 –NoRefreshInterval  7:00:00:00 –ScavengingInterval 7:00:00:00 –ApplyOnAllZones –Verbose

Exchange Analyzer is a great tool for every Exchange Admin

Exchange Analyzer is a PowerShell tool that scans an Exchange Server 2013 or 2016 organization and reports on compliance with best practices.

Exchange Analyzer is a community project, and is currently a beta release seeking feedback and results from real world environments.

To read the latest information about Exchange Analyzer click here to visit the project’s ReadMe on Github. More information can also be found in the Exchange Analyzer Wiki.

Installation Instructions

1. Download the latest Zip file

2. Extract or copy the following files and folders to a computer that has the Exchange 2013 or 2016 management shell installed. For example, place all of the files and folders in a C:\Scripts\ExchangeAnalyzer folder.

    • Run-ExchangeAnalyzer.ps1
    • \Data
    • \Modules
    • \Tests

    3. Copy the folders in the \Modules folder to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\

    4. Open a new Exchange Management Shell

    Important Note: if you are updating your copy of Exchange Analyzer please make sure you copy the updated module in step 3.

    Running Exchange Analyzer

    To run the Exchange Analyzer open an Exchange management shell, navigate to the folder with the script files (e.g. C:\Scripts\ExchangeAnalyzer) and run:

    Interpreting Results

    Exchange Analyzer produces a HTML report with a simple “Passed/Failed” indicator and a list of passed and/or failed objects. Links to more info are provided to assist you with further interpretation of the report.

    Feedback and Questions

    Before submitting feedback or questions please review the Exchange Analyzer FAQ.

    You can help with bug fixes by submitting issues on Github. If you would like to contribute fixes or other code please review theExchange Analyzer Wiki.

    You can also send email to feedback@exchangeanalyzer.com.

    Change Log

    14/01/2016 – v0.1.0-Beta.1

    • First public beta release

    28/01/2016 – v0.1.1-Beta.2

    • Second beta release. Details of changes are here.

    image

    wardvissers.nl Windows 10 mobile & desktop app

    • With Microsoft app studio you can create your on app within minuts.
      I created this within 15 minuts. Cool Open-mouthed smileOpen-mouthed smileOpen-mouthed smile

    ward app1

    ward app2

      Windows 10 Mobile

      Download package

      Windows 10 Desktop

      Download package

      How to use these packages:

      • Desktop: download the installable package, unzip it and execute the powershell script Add-AppDevPackage.ps1 and follow the instructions.
      • For Mobile: download and install the prerequisites, then download the package, tap the downloaded file and your App will be automatically installed on your device.

    MDT 2013 Update 2 (6.3.8330) Released

    The Microsoft Deployment Toolkit (MDT) 2013 Update 2 (6.3.8330) is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, available on the Microsoft Hardware Dev Center. (Note that there are known issues with the v1511 release of the Windows 10 ADK and System Center Configuration Manager; these issues do not directly affect MDT although may still impact ZTI or UDI scenarios.)

    MDT 2013 Update 2 is primarily a quality release; there are no new major features. The following is a summary of the significant changes in this update:

    • Security- and cryptographic-related improvements:
      • Relaxed permissions on newly created deployment shares (still secure by default, but now also functional by default)
      • Creating deployment shares via Windows PowerShell adds same default permissions
      • Updated hash algorithm usage from SHA1 to SHA256
    • Includes the latest Configuration Manager task sequence binaries
    • Enhanced user experience for Windows 10 in-place upgrade task sequence
    • Enhanced split WIM functionality
    • Fixed OSDJoinAccount account usage in UDI scenario
    • Fixed issues with installation of Windows 10 language packs
    • Various accessibility improvements
    • Monitoring correctly displays progress for all scenarios including upgrade
    • Improvements to smsts.log verbosity

    There are no other new release notes or significant known issues. See the previous post for more information as much of it is still applicable (other than the fix list above).

    See the following post on How to get help with MDT.

    Frequently Asked Questions

    In anticipation of some questions that you may have about this release (or MDT in general):

    Q: Should I expect a release of MDT with every new Windows 10 and/or Configuration Manager build release?

    No. We shipped multiple MDT releases this year due to the timing of Windows 10 and Configuration Manager releases, but do not intend to keep that same cadence going forward.

    Q: What branches of Windows 10 does MDT support?

    MDT supports both the current branch of Windows 10 as well as the long-term servicing branch.

    Q: What branches of System Center Configuration Manager does MDT support?

    For ZTI and UDI scenarios MDT 2013 Update 2 supports the current branch of System Center Configuration Manager (currently version 1511) for an integrated solution for deploying Windows 10 current branch as well as prior Windows versions.

    Q: When is the next planned release of MDT?

    We do not currently have a timeframe. We will release any tactical changes as needed which may be required to support new builds of Windows 10 or Configuration Manager, but do not currently expect this to be needed.

    Q: Is this the last release of MDT?

    No, we will continue to iterate and invest in the product.

    Q: Why is it still “MDT 2013” when the year is almost 2016?

    Two primary reasons. First, we have only made minor changes to MDT which in our opinion does not constitute a major version revision. Second, per the MDT support lifecycle, a new major version will drop support for MDT2012 Update 1 which still supports legacy platforms.

    Source

    Cumulative Update 11 for Exchange Server 2013

    Cumulative Update 11 for Microsoft Exchange Server 2013 was released on December 15, 2015. Several nonsecurity issues are fixed in this cumulative update or a later cumulative update for Exchange Server 2013.

    This cumulative update fixes the issues that are described in the following Microsoft Knowledge Base articles:

    This update also includes new daylight saving time (DST) updates for Exchange Server 2013. For more information about DST, go to Daylight Saving Time Help and Support Center.

     

    Download Cumulative Update 11 for Exchange Server 2013 (KB3099522) now.