First Step Shutdown ESXi Server enable Encryption
Second Add vTPM
Boot ESXi Server(s)
Configure Key Providers (Add Native Key Provider)
Now you can add vTPM to you VM
Don’t forget to enable VBS
Create GPO SRV 2022 – Virtualization Based Security and I did Apply only to my Server 2022 Lab Environment
System Information on my Server 2022 Lab Server
Virtual Machine with Windows Server 2022 with KB5022842 (Feb 2023) installed en configured with secure boot enabled will not boot up on vSphere 7 unless updated to 7.0u3k (vSphere 8 not affected)
In VM vmware.log, there is ‘Image DENIED’ info like the below:
2023-02-15T05:34:31.379Z In(05) vcpu-0 – SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
2023-02-15T05:34:31.379Z In(05) vcpu-0 – Hash: 0 in db, 0 in dbx.
2023-02-15T05:34:31.379Z In(05) vcpu-0 – SECUREBOOT: Image DENIED.
To identify the location of vmware.log files:
#vim-cmd vmsvc/getallvms | grep -i “VM_Name”
/vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vm1.vmx
/vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vmware.log
Resolution
This issue is resolved in VMware ESXi 7.0 U3k, released on February 21st 2023. Build 21313628
Notes:
Microsoft announced the addition of the Windows Server Hybrid Administrator Associate certification to our portfolio, to be released in early December 2021. This new certification validates the skills of administrators working in hybrid environments.
Administrators in this role support their teams and organizations using Windows Server—both in the cloud and on-premises/
You’ll need to pass two exams to earn this certification. These exams, Exam AZ-800 (beta): Administering Windows Server Hybrid Core Infrastructure and Exam AZ-801 (beta): Configuring Windows Server Hybrid Advanced Services, will be available in early December 2021.
You can read more about the specific change here –> https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows you can also read more here –> https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-update-now/ba-p/921536
After the change the following features will be supported against Active Directory.
Clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or on LDAP simple binds over a non-SSL/TLS connection stop working after you make this configuration change. This also applies for 3.party solutions which rely on LDAP such as Citrix NetScaler/ADC or other Network appliances, Vault and or authentication mechanisms also rely on LDAP. If you haven’t fixed this it will stop working. This update will apply for all versions.
Windows Server 2008 SP2,
Windows 7 SP1,
Windows Server 2008 R2 SP1,
Windows Server 2012,
Windows 8.1,
Windows Server 2012 R2,
Windows 10 1507,
Windows Server 2016,
Windows 10 1607,
Windows 10 1703,
Windows 10 1709,
Windows 10 1803,
Windows 10 1809,
Windows Server 2019,
Windows 10 1903,
Windows 10 1909
If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server will log a summary under eventid 2888 one time every 24 hours when such bind attempts occur. Microsoft advises administrators to enable LDAP channel binding and LDAP signing as soon as possible before March 2020 to find and fix any operating systems, applications or intermediate device compatibility issues in their environment.
You can also use this article to troubleshoot https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs
Credits: https://msandbu.org/upcoming-change-microsoft-to-disable-use-of-unsigned-ldap-port-389/
I love powershell. I created a little script to deploy multi VM based on a Windows Template throug CSV file.
It’s create a computer account at the specfified ou. He greates also a Domain Local Group for management. (It used in the customization not specified here)
TempVMlist.csv
server,cpu,memory,DestinationCluster,OSCustomizationSpec,VMtemplate,adgroup
WARDTEST01,2,8,CLUSTER01,W2012R2_Demo,TPL_W2012R2_STD,ServerAdmin
MultiVM.ps1
#Filename: MultiVM.ps1
#Author: W. Vissers
#Source:
#Version: 1.1
#Date: 08-05-2018
#ChangeLog:
# V1.0 – Module Active Directory
# – Module VMware PowerCli
# – Active Directory Computer Account, Group
# – Host Selected from Cluster with Least Memory
# – Storage selection based on volume with most free space
# V1.1 – Added Harddisk 1&2
# – Changed porte group other vlan
#
<#
.SYNOPSIS
Script to create a virtual machine from template
.DESCRIPTION
Script to create a virtual machine from template
.EXAMPLE
MultiVM.ps1
#>
################################## INIT #################################################
# LoadModule Active Directory
if (!(Get-Module “activedirectory”)) {Import-module activedirectory}
Else {Write-Host “Module Active Directory is al ready loaded”}
# LoadModule VMware PowerCLI
# if (!(Get-Module “VMware.PowerCLI”)) {
# Find-Module VMware.PowerCLI
# Install-Module -Name VMware.PowerCLI -Scope CurrentUser
#}
#Else
# {
# Write-Host “Module PowerCLI is al ready loaded”
# }
#Config
$ouservers=”OU=Servers,DC=wardvissers.nl,DC=nl”
$ougroup=”OU=GroepObjecten,DC=wardvissers,DC=nl”
$folder=”Applicatie Servers”
$DestinationVC =”vcenter01.wardvissers.nl“
#Username
if (!$username ) { $username = Read-Host “Give vCenter username ‘wardvissers\admin'”}
#Password
if ( -NOT $Password ) {
$PasswordSec = Read-Host “Give vCenter password” -AsSecureString
$Password = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($PasswordSec))
}
#Connect vCenter
$ConnectVC = Connect-VIServer $DestinationVC -Username $Username -Password $Password -AllLinked
$AllVMs = @()
$AllVMs = Import-Csv “D:\TempVMlist.csv”
foreach ($vm in $AllVMs) {
#Haal De Gegevens op
$server=$($vm.server)
$memory=$($vm.memory)
$cpu=$($vm.cpu)
$DestinationCluster=$($vm.DestinationCluster)
$OSSpec=”$($vm.OSCustomizationSpec)”
$VMtemplate=$($vm.VMtemplate)
$group=$($vm.adgroup)
$harddisk1=$($vm.harddisk1)
$harddisk2=$($vm.harddisk2)
Write-Host “$server heeft $memory GB memory en $cpu cpu(‘s)”
if ($server.length -gt 15) {
Write-Output “Hostname cannot contain more than 15 characters.”
$server = Read-Host “Re-enter hostname for host $server”}
Else
{
Write-Host “Server is umc server”
#Maak AD Groep aan en Computer Account
New-ADComputer -Name $server -Path $ouservers -Enabled $true
New-ADGroup -Name “DLG.$server” -SamAccountName “DLG.$server” -GroupCategory Security -GroupScope DomainLocal -DisplayName “DLG.$server” -Path $ougroup
Add-ADGroupMember -Identity “DLG.$server” -Members $group
}
# Rol server uit van Template
# Select the host with the less used memory
$DestinationHost = Get-Cluster –Name $DestinationCluster –Server $DestinationVC | Get-VMhost -State Connected | Sort-Object -Property MemoryUsageGB | Select-Object -First1
# Select DataStore with the most free space and not in maintance
$destinationDatastore = Get-Cluster $DestinationCluster | Get-Datastore | Where {$_.State -ne “Maintenance”} | Sort-Object -Property FreeSpaceGB -Descending | Select-Object -First 1
# Finally, I deploy my VM with the New-VM cmdlet using my template and OS specs. I place the VM on the ESXi host and store the VM on the datastore.
New-VM -Name $server -Template $VMTemplate -OSCustomizationSpec $OSSpec -VMHost $DestinationHOST -Datastore $DestinationDatastore -Location $folder
Get-VM $server | Set-VM -NumCpu $cpu -MemoryGB $memory -Confirm:$false
if ($harddisk1 -gt 60){Get-HardDisk -vm $server | Where {$_.Name -eq “Hard disk 1”} | Set-HardDisk -CapacityGB $harddisk1 -Confirm:$false}
if ($harddisk2 -gt 20) {Get-HardDisk -vm $server | Where {$_.Name -eq “Hard disk 2”} | Set-HardDisk -CapacityGB $harddisk2 -Confirm:$false}
Get-VM $server | Start-VM -Confirm:$false
Get-VM $Server | Get-NetworkAdapter | Set-NetworkAdapter -Connected $true -Confirm:$false
}
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.
Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.
The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.
Download:
| Product | Link |
| Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 21 | |
| Microsoft Exchange Server 2013 Cumulative Update 19 | |
| Microsoft Exchange Server 2013 Cumulative Update 20 | |
| Microsoft Exchange Server 2013 Service Pack 1 | |
| Microsoft Exchange Server 2016 Cumulative Update 8 | |
| Microsoft Exchange Server 2016 Cumulative Update 9 |
The Windows Defender Browser Protection extension for Google Chrome allows you to add an additional layer of protection when browsing online, powered by the same trusted intelligence found in Microsoft Edge. The extension alerts you about known malicious links, and gives you a clear path back to safety.
On March 20, 2018 Microsoft has released two new quarterly updates:
There aren’t too many new features in these CUs. The most important ‘feature’ is that TLS 1.2 is now fully supported (most likely you already have TLS 1.2 only on your load balancer). This is extremely supported since Microsoft will support TLS 1.2 ONLY in Office 365 in the last quarter of this year (see the An Update on Office 365 Requiring TLS 1.2 Microsoft blog as well).
Support for .NET Framework 4.7.1, or the ongoing story about the .NET Framework. The .NET Framework 4.7.1 is fully supported by Exchange 2016 CU9 and Exchange 2013 CU20. Why is this important? For the upcoming CUs in three months (somewhere in June 2018) the .NET Framework 4.7.1 is mandatory, so you need these to be installed in order to install these upcoming CUs.
Please note that .NET Framework 4.7 is NOT supported!
If you are currently running an older CU of Exchange, for example Exchange 2013 CU12, you have to make an intermediate upgrade to Exchange 2013 CU15. Then upgrade to .NET Framework 4.6.2 and then upgrade to Exchange 2013 CU20. If you are running Exchange 2016 CU3 or CU4, you can upgrade to .NET Framework 4.6.2 and then upgrade to Exchange 2016 CU9.
Schema changes
If you are coming from a recent Exchange 2013 CU, there are no schema changes since the schema version (rangeUpper = 15312) hasn’t changed since Exchange 2013 CU7. However, since there can be changes in (for example) RBAC, it’s always a good practice to run the Setup.exe /PrepareAD command. For Exchange 2016, the schema version (rangeUpper = 15332) hasn’t changed since Exchange 2016 CU7.
As always, check the new CUs in your lab environment before installing into your production environment!!
Exchange Server 2013 enters the Extended Support phase of product lifecycle on April 10th, 2018. During Extended Support, products receive only updates defined as Critical consistent with the Security Update Guide. For Exchange Server 2013, critical updates will include any required product updates due to time zone definition changes.
The Microsoft Deployment Toolkit (MDT), build 8450, is now available on the Microsoft Download Center. This update supports the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1709, available on the Microsoft Hardware Dev Center(adksetup.exe file version 10.1.16299.15).
Here is a summary of the significant changes in this build of MDT:
See the following post on How to get help with MDT.
Exchange 2013 CU19 fixes:
|
Version |
Build |
KB Article |
Download |
UMLP |
Schema Changes |
|
Exchange 2013 CU19 |
15.0.1365.1 |
No |
You must be logged in to post a comment.