PowerShell: BgInfo Automation script for Windows Server 2012 R2

September 17, 2018 at 10:09 am in Bg, BgInfo, Hyper-V, PowerShell, PowerShell Script, scugbe, VM Template, Windows Server, Windows Server 2012 R2, Windows Sysinternals by Wim Matthyssen

Some time ago I already wrote a PowerShell script to install the BgInfo tool in an automated way whenever you create a VM Template or a base image (also called golden image) for a Windows Server 2016 Virtual Machine (VM) or physical server, which can be downloaded here. More information can be found in this previous blog post: http://scug.be/wim/2017/02/23/powershell-bginfo-automation-script/

To return to the current blog post: as you can already figure out from the title, I have now also written a script to automate the BgInfo installation and configuration for a Windows Server 2012 R2 server (VM or physical server).

This PowerShell script will do all of the following:

  • Download the latest BgInfo tool
  • Create the BgInfo folder on the C drive
  • Extract and clean up the BgInfo.zip file
  • Download the logon.bgi file which holds the preferred settings
  • Extract and clean up the LogonBgi.zip file
  • Create the registry key (regkey) to AutoStart the BgInfo tool in combination with the logon.bgi config file
  • Start the tool for the first time
  • Set to start up automatically whenever a user logs on to the server

 

Prerequisites

Windows PowerShell 4.0

 

PowerShell script

To use the script, copy and save the above as BgInfo_Automated_WS2012_R2_v1.0.ps1, or whatever name you prefer. Afterwards run the script with Administrator privileges from the server you wish to use for your VM template or physical base image. If you want to change configuration settings, just open the logon.bgi file and adjust the settings to your preferences.

This PowerShell script can also be found on the TechNet Gallery: https://gallery.technet.microsoft.com/PowerShell-BgInfo-07ade714
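
The autostart step above puts an executable downloaded from the internet behind a machine-wide Run key, so the following added example (not the author's script) checks the binary's Authenticode signature and the folder ACL before registering it. The C:\BgInfo path, the Bginfo.exe file name, the Run value name and the function names are assumptions.

```powershell
# Added example, not the author's script. Folder, file and value names are assumptions.
$BgInfoDir = 'C:\BgInfo'
$BgInfoExe = Join-Path $BgInfoDir 'Bginfo.exe'
$BgInfoCfg = Join-Path $BgInfoDir 'logon.bgi'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'BgInfo'

function Test-BgInfoSignature {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path -PathType Leaf)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the chain is trusted.
    ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

function Get-NonAdminWriteAce {
    # Returns ACEs that let Everyone, Authenticated Users or BUILTIN\Users write to $Path.
    param([Parameter(Mandatory)][string]$Path)
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # identity could not be resolved to a SID
        if (($broadSids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) { $ace }
    }
}

function Register-BgInfoAutoStart {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-BgInfoSignature -Path $BgInfoExe)) {
        throw "Refusing to register '$BgInfoExe': missing or not validly signed by Microsoft."
    }
    if (-not (Test-Path -Path $BgInfoCfg -PathType Leaf)) {
        throw "Config file not found: '$BgInfoCfg'"
    }
    # A Run entry under HKLM executes for every user who logs on. If standard users
    # can write to the folder, they can swap the binary that an administrator will run.
    $weak = @(Get-NonAdminWriteAce -Path $BgInfoDir)
    if ($weak.Count -gt 0) {
        $who = ($weak | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        throw "Refusing to register: '$BgInfoDir' is writable by $who."
    }
    # /timer:0, /silent and /nolicprompt are standard BgInfo command-line switches.
    $command = '"{0}" "{1}" /timer:0 /silent /nolicprompt' -f $BgInfoExe, $BgInfoCfg
    if ($PSCmdlet.ShouldProcess("$RunKey\$RunValue", "Set to: $command")) {
        New-ItemProperty -Path $RunKey -Name $RunValue -Value $command -PropertyType String -Force | Out-Null
    }
    $command
}

# Dry run first; drop -WhatIf to write the Run value (elevated session required).
Register-BgInfoAutoStart -WhatIf
```

A folder created directly under C:\ normally inherits write access for Authenticated Users, so expect the ACL check to fail until that inheritance is tightened on the BgInfo folder.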

Hope this script comes in handy for you. If you have any questions or recommendations, please feel free to contact me through my twitter handle.

Wim Matthyssen (@wmatthyssen)

Configuring VNet peering through the Azure Portal resulted in a Peering Status – Failed

September 6, 2018 at 12:19 pm in Azure, Azure Networking, Azure portal, Azure PowerShell, VNet, VNet peering by Wim Matthyssen

Virtual network peering is a mechanism that seamlessly connects two Azure virtual networks (VNets). Once peered, the virtual networks appear as one, and resources can be accessed from both VNets via their private IP Addresses.

While creating a new peering through the Azure Portal, it resulted in a created VNet Peer with a PEERING STATUS Failed. Deleting the Peering also failed. Probably something went wrong in the back or the Portal was stuck and giving failure, showing the Failed status as a result. Like in most cases when you are troubleshooting Azure issues, Azure PowerShell comes to the rescue.

By running the PowerShell script below (copy and save as .ps1), I was able to get the resources updated using the get and set command, which successfully Connected the VNet peer.

PowerShell script

I hope the above script comes in handy whenever you face the same issue. Till next time.

Wim Matthyssen (@wmatthyssen)

Unable to RDP to an Azure VM due to a CredSSP Encryption Oracle Remediation error

June 27, 2018 at 7:22 pm in Azure, Cloud, CredSSP, Encryption Oracle Remediation, RDP, Remote Desktop Connection, VM, Windows 10 by Wim Matthyssen

After applying some Windows updates on my Windows 10 Version 1803 home PC, I was unable to make a Remote Desktop Connection (RDP) to some Microsoft Azure virtual machine(s) (VM).

When I made an RDP connection, I received the following error message:

An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.

What is CredSSP and why did it cause the error

The Credential Security Support Provider protocol (CredSSP) is a security protocol utilized to process authentication requests for separate applications like RDP. It allows you to securely forward credentials encrypted from the Windows client to the target servers for remote authentication.

Because of a critical vulnerability that has been discovered in CredSSP, which affects all versions of Windows and could allow remote attackers to exploit RDP and WinRM to steal data and run malicious code, Microsoft has released security update(s).
You can find the list of the corresponding KB number(s) for each operating system here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886

In my case my recently updated Windows 10 PC could not communicate with a non-updated server (it was not allowed to set up an insecure RDP connection).

Workaround

To solve the error, first of all, I needed to temporarily change the policy settings on my Windows 10 to gain RDP access to the server.

To do so, open Run and execute gpedit.msc to change the settings in the Local Group Policy Editor. Browse to Computer Configuration / Administrative Templates / System. Open Credentials Delegation in the left pane.

Change the Encryption Oracle Remediation policy to Enabled, and Protection Level to Vulnerable.

You can also use the following PowerShell script to do it in a more automated way: https://gallery.technet.microsoft.com/PowerShell-Workaround-956e0d7e.

Or you can simply use this command line one-liner which can also be run in PowerShell (run as admin):

After this change, I was able to set up an insecure RDP connection to the server(s) where I installed the missing security update.

After deploying the specific update on the server(s), I was able to connect to it without the error and with the Encryption Oracle Remediation settings reset to the default.
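
To confirm that a client was not left at the Vulnerable level once the server is patched, the following added example (not the author's script or one-liner) reads the registry value behind the Encryption Oracle Remediation policy and can remove it. The function names are hypothetical; the key path and the AllowEncryptionOracle value (0 Force Updated Clients, 1 Mitigated, 2 Vulnerable) are the ones Microsoft documents for this policy.

```powershell
# Added example; function names are hypothetical. Run in an elevated session.
$CredSspKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$CredSspValue = 'AllowEncryptionOracle'

function Get-CredSspOracleLevel {
    [CmdletBinding()]
    param()
    $levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
    $raw = $null
    if (Test-Path -Path $CredSspKey) {
        $item = Get-ItemProperty -Path $CredSspKey -Name $CredSspValue -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = [int]$item.$CredSspValue }
    }
    if ($null -eq $raw) {
        # Value absent: the policy is Not configured and a patched client
        # falls back to its built-in default (Mitigated).
        $level = 'Not configured'
    } elseif ($levels.ContainsKey($raw)) {
        $level = $levels[$raw]
    } else {
        $level = "Unknown ($raw)"
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Configured   = ($null -ne $raw)
        RawValue     = $raw
        Level        = $level
        AtRisk       = ($raw -eq 2)   # client still accepts unpatched CredSSP servers
    }
}

function Reset-CredSspOracleLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Get-CredSspOracleLevel
    if (-not $state.Configured) { return $state }
    if ($PSCmdlet.ShouldProcess("$CredSspKey\$CredSspValue", 'Remove value (back to Not configured)')) {
        Remove-ItemProperty -Path $CredSspKey -Name $CredSspValue -ErrorAction Stop
    }
    # If the value was set through gpedit.msc, also set the policy itself back to
    # Not configured, otherwise the next policy refresh writes the value again.
    Get-CredSspOracleLevel
}

# Audit only; call Reset-CredSspOracleLevel (optionally with -WhatIf) to revert.
$state = Get-CredSspOracleLevel
$state | Format-List
if ($state.AtRisk) { Write-Warning 'Encryption Oracle Remediation is still set to Vulnerable.' }
```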

Of course you can also use PowerShell to set everything back to the default (copy and save as .ps1).

Or like before you can simply use a command line one-liner in PowerShell (run as admin):

This concludes this blog post, hope it helps if you face this error.

Wim Matthyssen (@wmatthyssen)

Azure: Clean up unused, inactive or old directories from your Azure subscription

June 20, 2018 at 9:31 am in AAD, Azure, Azure Active Directory, Azure AD, Azure tenant, B2B, Cloud, GDPR, MyApps by Wim Matthyssen

I have been working as an Azure Consultant/Architect for almost 5 years. In those 5 years I set up a lot of Azure IaaS/PaaS environments for different customers. To do all the necessary work involved in such a setup, I was mostly invited to their Azure tenant as admin with my Microsoft account (personal account) or my work account (B2B user). When all the work was done, a thing mostly forgotten was to clean up that specific user in Azure Active Directory (AAD), causing that tenant to still show up or even start as the default directory when logging on to the Azure portal. After a while you could even be unable to be invited to a new tenant because the maximum of 20 AADs is reached for that specific account.

Until some time ago, May 14 2018 to be specific, to unlink those lingering directories you had to contact another global admin of the inviting organization to have that account removed from their AAD tenant. Even as an admin you were not able to delete your own guest account. Sometimes, when a lot of time had passed since you last worked for that customer, finding a global admin for that tenant to delete that user could be a lot of work.

Luckily, thanks to Europe’s General Data Protection Regulation (GDPR), this can now be done in a much easier way. A B2B user can now easily leave an organization on their own (self-service leaving), to which he or she has been invited at any time, without having to contact an administrator.

Keep in mind that when a user leaves an organization, the user account is soft deleted in the directory. By default, the user object moves to the Deleted users state in AAD but is not permanently deleted for 30 days. This soft deletion enables the administrator to restore the user account (including groups and permissions), if the user makes a request to restore the account within that 30-day period.

To leave an organization you can follow the below steps:

Log in with your B2B account at https://myapps.microsoft.com/

When logged in select your name on the access panel in the upper-right corner.

Under Organizations, select the organization you want to leave.

Select your name again in the upper-right corner.

Select Leave organization next to the correct organization.

When asked to confirm, select Leave.

After a while you should receive an email at that specific account, telling you that you left the organization.

Repeat these steps if you need to leave any other organization you are associated with.

Hope this helps and thanks to my colleague Guido (@ggibens) for pointing me to this new simplified capability.

Wim Matthyssen (@wmatthyssen)

Windows 10: Set Display, Apps and websites language to English (United States) and keyboard to Belgian (Period)

June 14, 2018 at 9:25 am in Belgian (Period), Belgian beers, belgian chocolates, Belgium, ITPro, Keyboard shortcut, Keyboards, scugbe, Windows 10, Windows Apps, Windows Display Language by Wim Matthyssen

When you install and set up Windows 10, you’re asked to choose a default system language. Normally, you do not need to change the language after the initial setup but there might be some situations where you do. I’m a Belgian working as an ITPro in that small country which has the best chocolates and beers, and I like to have my Windows 10 display language and Windows Apps language set to English (United States) and my keyboard to Belgian period (Azerty).

However, when you deploy Windows 10 with country or region set to Belgium and system language set to English as a preferred language, Nederlands (België) is also installed as first language for Apps and websites.

So even if your Windows display language is all set to English whenever you open a website or Windows App the language used is Dutch.

For me this is a little bit annoying. I know this can come in handy, if you’re bi-lingual and you type documents in Dutch, but also enter commands in Command Prompt in English, but for me that’s not the case. But if you prefer you can set the language on a per-app basis and then Windows will remember which language you prefer to use in that particular app. There is even a keyboard shortcut if you want to switch manually between two or more languages. Just press the Left Alt + Shift keys together to switch between languages on the fly.

To set my Windows display and Windows App (+ websites) language to English and set my keyboard to Belgian (Period) I followed the below steps.

Open All settings (or press the Windows key + I) to open the Windows Settings page and then click Time & Language.

Select Region & language on the left.

At the Preferred languages topic, you can choose to set Nederlands (België) as the second language or choose to Remove this language. I chose to Remove this language completely (to be able to Remove a language you also need to set it first as the second language, otherwise you are not able to delete it).

If you Remove a first language you also need to check and possibly set your preferred keyboard language at the first language shown. To do so, select the language and click Options.

Because English (United States) uses US (QWERTY), which I do not want to use, I first need to add my second preferred keyboard. Press Add a keyboard and select the Belgian (Period) keyboard. When added you can remove the US (QWERTY) keyboard.

Now you're all done. As you can see, the Windows display, website(s) and Windows App language are all set to English and I can type with my preferred Azerty keyboard settings.

Hope this comes in handy for the Belgian people. Till next time!

Wim Matthyssen (@wmatthyssen)

Azure Backup Server: Unprotected servers still showing up in the Azure portal even though their protection was stopped 3 months ago

June 11, 2018 at 9:49 am in Azure, Azure Backup, Azure Backup Server, Azure portal, Cloud, Cloud backup, MABS, MABS v2 by Wim Matthyssen

 

To help protect your hybrid backup setup with an Azure Backup Server (MABS), Microsoft introduced some security features built on three principles – Prevention, Alerting and Recovery. These features are enabled by default for newly created Recovery Services vaults; for existing vaults this link will show you how you can enable them. One of these features, related to recovery, ensures that Azure Backup will retain all deleted backup data for 14 days, so you can recover data using any old or recent recovery point(s).

Some time ago I reconfigured a Protection Group which protected some Hyper-V VMs. Two Domain Controllers (DCs) were taken out of the Group and set up to only back up the C drive and the System State. On the MABS server all configuration went well and did not cause any specific issues or errors. However, last week when I was checking the Recovery Services vault used to store the cloud backups, I noticed those two DCs were still showing up in the Backup items overview.

Like you can see, those two VMs are still there with no Disk or Cloud Recovery Points created after the protection was disabled.

To get the issue fixed, I followed some standard steps I always follow when having issues with a MABS. The first one is checking the current Azure Backup Agent version installed on the MABS, which was version 2.0.9109.0. Because there is a newer version available (at the time of writing version 2.0.9118.0), step one was getting that one in place.

To download the latest agent go to your Recovery Services vault blade in the Azure portal. Select Backup and on the Getting Started with Backup blade, select Backup goal. In the drop-down menu(s), select On-premises and Files and folders, click OK. In the Prepare Infrastructure blade, click Download Agent for Windows Server or Windows Client. Save MARSAgentInstaller.exe.

Install the latest agent on the MABS server. After the agent installation completes, restart the following service:

Microsoft Azure Recovery Services Management Agent

Although the agent is now at the latest version it still did not fix the protection status of the deleted servers in the Azure portal.

After doing a little more troubleshooting (reading the logs, etc.), I decided to open an Azure support ticket. The support agent who assisted me told me, just like I already suspected, that this was currently the default behavior of the Azure Backup service in some Azure regions (current backend design behavior, like they say). The product team was already aware of this issue and they definitely will fix it in some later update.

If you cannot wait for the update, there is a quicker fix for the issue, you just need to delete the whole MABS server from the Azure portal and reconnect the server all over again. However, for me and even more for the customer this was a no go. So, we will wait for the proper backend update which will hopefully not take that long anymore.

Hope this helps whenever you face the same backup behavior in the Azure portal with your deleted MABS backups.

Wim Matthyssen (@wmatthyssen)

Azure Tip: Use Ctrl+Alt+D to check Azure Portal load times

May 7, 2018 at 6:55 pm in Azure, Azure portal, Azure Tip, Cloud, Keyboard shortcut by Wim Matthyssen

 

The Azure Portal is the go-to place to manage all of your Azure services in one hub. I myself spend a lot of time in the portal to build, deploy, modify and manage customers cloud resources. I am sure a lot of you do the same.

But sometimes this portal feels slow without any specific reason and then it is really difficult to find out why. Whenever that is the case there is a keyboard shortcut you can use to check the portal load time of all opened blades.

If you press the keyboard shortcut CTRL + ALT + D you can see the load time and other useful information for every tile.

Pressing CTRL + ALT + D again will remove the portal load information.

Beside this useful keyboard shortcut there are some others you can use specifically for the Azure portal. You can open the Keyboard shortcut help item in the Help Menu on the top-right of the portal to see all of these shortcuts.

Hope it helps!

Wim Matthyssen (@wmatthyssen)

Creation of an Azure VPN gateway failed due to associated NSG

May 4, 2018 at 8:53 am in Azure, Cloud, GatewaySubnet, NSG, VNet, VPN gateway by Wim Matthyssen

 

A VPN gateway is a specific type of virtual network gateway that sends encrypted traffic between your virtual network (VNet) and your on-premises location across a public connection. You can also use a VPN gateway to send traffic between virtual networks across the Azure backbone.

While deploying such a gateway through the Azure portal, the creation took a very long time and in the end the deployment Failed.

In the Activity log the following Error Code was shown.

OnlyTagsSupportedForPatch

After some troubleshooting and reviewing the complete VNet deployment, which was done through Azure PowerShell, I finally found out what caused the gateway deployment to fail.

An important remark is mentioned in the Microsoft technical documentation for creating a Site-to-Site connection in the Azure portal. It states that you may not associate a network security group (NSG) to the gateway subnet, which in my case was causing the issue.

The Azure PowerShell script used to setup the VNet and all of its Subnets also created NSGs for all subnets, the GatewaySubnet included.

To resolve the issue, I deleted the Failed gateway and set the Network security group for the GatewaySubnet to None.

Afterwards the creation of the gateway succeeded without any issues.

 

Conclusion

When you create a gateway subnet for your VNet you should never associate an NSG with it. This is not supported and the gateway will stop functioning as expected or completely fail. Always set the NSG to ‘None’. The gateway subnet also needs to be named ‘GatewaySubnet’ to work properly, and you should never deploy any VMs or anything else to it.
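
A pre-deployment check for this condition, as an added example that is not the author's deployment script: it lists every VNet whose GatewaySubnet has an NSG attached and can set the association back to None. It assumes the Az.Network module and an authenticated session; the function names are hypothetical.

```powershell
# Added example; function names are hypothetical. Assumes the Az.Network module
# and an authenticated session (Connect-AzAccount).
function Get-GatewaySubnetNsgState {
    [CmdletBinding()]
    param([string]$ResourceGroupName)

    $vnets = if ($ResourceGroupName) {
        Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzVirtualNetwork
    }
    foreach ($vnet in $vnets) {
        $gw = $vnet.Subnets | Where-Object { $_.Name -eq 'GatewaySubnet' }
        if ($null -eq $gw) { continue }   # VNet has no gateway subnet
        [pscustomobject]@{
            VNet          = $vnet.Name
            ResourceGroup = $vnet.ResourceGroupName
            AddressPrefix = ($gw.AddressPrefix -join ', ')
            NsgId         = if ($gw.NetworkSecurityGroup) { $gw.NetworkSecurityGroup.Id } else { $null }
            Compliant     = ($null -eq $gw.NetworkSecurityGroup)
        }
    }
}

function Remove-GatewaySubnetNsg {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VNetName
    )
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName
    $gw   = $vnet.Subnets | Where-Object { $_.Name -eq 'GatewaySubnet' }
    if ($null -eq $gw) { throw "VNet '$VNetName' has no GatewaySubnet." }
    if ($null -eq $gw.NetworkSecurityGroup) { return }   # already set to None

    $nsgId = $gw.NetworkSecurityGroup.Id
    if ($PSCmdlet.ShouldProcess("$VNetName/GatewaySubnet", "Disassociate NSG $nsgId")) {
        # Clearing the property and writing the VNet back removes the association;
        # the NSG resource itself is left in place for the other subnets.
        $gw.NetworkSecurityGroup = $null
        $vnet | Set-AzVirtualNetwork | Out-Null
    }
}

# Report every VNet in the current subscription whose GatewaySubnet has an NSG attached.
Get-GatewaySubnetNsgState | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Running the report before creating the gateway catches the case described above, where a script that attaches NSGs to all subnets also covers the GatewaySubnet.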

Wim Matthyssen (@wmatthyssen)

PowerShell: Download Microsoft Azure, Cloud and Enterprise Symbol / Icon set for Visio

April 24, 2018 at 12:14 pm in Azure, Microsoft Azure, Microsoft CloudnEnterprise Symbols, Microsoft Visio, PowerShell, Visio, Visio Stencil by Wim Matthyssen

 

The Microsoft Azure, Cloud and Enterprise Symbol / Icon Set package is available as a free download from Microsoft and includes icons for almost all Azure services and Microsoft cloud related technologies currently available. These icons and PNG files come in handy when making visual representations in Azure related architectural designs or when making project documentation to deliver to a customer.

To automate the download and install process of this useful package, I wrote the below PowerShell script which does all of the following:

  • Download the Microsoft_CloudnEnterprise_Symbols_v2.7.zip file
  • Extract the ZIP file to the My Shapes folder (the My Shapes folder is the default-working folder for Visio and is created during the installation of Visio).
  • Delete the ZIP file after extraction.

Before running the script, you should keep the following things in mind:

  • The script will exit if the My Shapes folder does not exist. The advice I would give is to install Visio first before using the Symbols package.
  • The script will exit if the Symbols package v2.7 is already installed in the My Shapes folder.
  • The symbol package itself is supported on the following Operating Systems: Windows 10, Windows 7, Windows 8 and Windows 8.1
  • You should remove any previous version of the symbol set so you can avoid duplicate and deprecated symbols.

PowerShell script

If you prefer you can download the complete script from the TechNet gallery.

Use with Visio

To use these stencils with Visio, open Visio and create a new Blank Drawing or use any other available template. Select More Shapes – My Shapes – Microsoft_CloudnEnterprise_Symbols_v2.7KP – Symbols and select any of the available choices.

Use with Word

To use the .PNG files with Word, open Word and create a new Blank document. Select Insert – Pictures and browse to your My Shapes folder. Open the Symbols folder located under the Microsoft_CloudnEnterprise_Symbols_v2.7KP folder. Browse to a PNG folder located under any of the shown folders and there you can find all available .PNG files.

This concludes this blog post. Have fun using all these Azure symbols to visually enhance your Visio or Word cloud designs.

Wim Matthyssen (@wmatthyssen)

Azure Backup: Upgrade your Recovery Services Vault to enable support for large disk backups

April 5, 2018 at 6:59 am in Azure, Azure Backup, Cloud, Recovery Services vault by Wim Matthyssen

 

On March 13, 2018 the Azure Backup team announced the general availability for backup of Azure IaaS Virtual Machines (VMs) with large disks (1 to 4 TB), both managed and unmanaged. At the same time they released a set of other improvements to speed up the overall backup and restore process.

To enable these new features a one-time, one-directional upgrade must be done for every Azure Subscription where you wish to use these enhancements. Good to know is that this VM backup stack upgrade, can be started from any vault in your Subscription and will retain all your existing policies and recovery points.

 

Upgrade procedure

 

Open the Azure portal and log in with your Azure credentials.

Go to your Recovery Services vault dashboard. At the top of the blade, click the banner which says Support for > 1 TB disk VMs and improvements to backup and restore speed ->. If you do not see a banner, you can open Properties, go to VM backup stack and click Upgrade.

The Upgrade to new VM backup stack blade will open. Click on Upgrade.

The upgrade procedure will start, be aware that this process could take up to two hours.

Have fun backing up Azure VMs with these new enhancements. Till next time!

Wim Matthyssen (@wmatthyssen)