BEEMUG Summer Night: 05/09/2019

July 30, 2019 at 12:55 pm in Azure, beemug, eveningevent, free, Workplace&Mobility by Wim Matthyssen

 

A lot of you are still enjoying a well-earned vacation with family or friends. But we at BEEMUG are already planning our first evening event after summer, which will be held on Thursday 05/09!

During this evening you will have the opportunity to mingle with peers, learn something and meet your local community leaders to ask the questions you have always wanted to ask.

Following our new concept, we changed the location for the event to give everyone the opportunity to (at least once) get there without facing heavy traffic. This time we found a location in Ghent.

The formula is still straightforward and simple: we deliver one session in the field of Workplace and Mobility and one in Cloud and Datacenter with time to network in between the sessions.

The agenda for this evening:

Timeslot | Speaker(s) | Track
18:00u – 19:00u | Welcome + Food & Drinks
19:00u – 20:00u | Tim De Keukelaere, Ken Goossens | Session 1: Mobile Device Management, BYOD vs Fully managed devices
20:00u – 20:30u | Pitstop
20:30u – 21:30u | Wim Matthyssen, Christophe Lams | Session 2: 7 habits every Azure Admin must have
21:30u – …. | Network drink

This edition, Cegeka is so kind to host the event at their office in Ghent and they will also sponsor the catering. Also, your parking ticket will be validated at the end of the evening.

Address:

Cegeka Business Solutions NV

Sluisweg 2 Bus 9
9000 Ghent
Belgium

 

Parking B – Ghelamco Arena (next to Brico). The Cegeka offices are located on the 4th floor.

So please already mark your agendas and join us once again for a cool night out and learn something while you’re at it!

Please register via the below Eventbrite.

Azure PowerShell Error: “Your Azure credentials have not been set up or have expired, please run Connect-AzureRmAccount to set up your Azure credentials”

February 27, 2019 at 6:28 pm in Azure, Azure credentials, Azure PowerShell by Wim Matthyssen

While working on a new Azure IaaS deployment for a customer, I encountered the following error when running several Azure PowerShell cmdlets.

“Your Azure credentials have not been set up or have expired, please run Connect-AzureRmAccount to set up your Azure credentials”

Running the Connect-AzureRmAccount command several times, as proposed in the error message, did not solve the problem. Neither did opening a new PowerShell window or even completely restarting my Surface laptop.

I finally got it fixed by running the Remove-AzureRmAccount cmdlet, which removes all credentials and contexts (subscription and tenant information) associated with that specific Azure account.

After executing the Remove-AzureRmAccount cmdlet and logging in again using the Login-AzureRmAccount cmdlet, all other cmdlets ran again like they should.

Hope this helps!

Wim Matthyssen (@wmatthyssen)

PowerShell: AzCopy download and silent installation

February 22, 2019 at 10:52 am in AzCopy, Azure, Download, PowerShell, PowerShell Script, Silent installation by Wim Matthyssen

AzCopy is a free command-line tool that is offered by Microsoft. It allows you to easily copy and transfer data (data migration) from and to Azure storage. It is designed for high performance transfers and can be deployed on both Windows and Linux systems (separate versions). AzCopy for example allows users to copy data between a file system and a storage account, or between storage accounts. Users have the possibility to select items by specifying patterns, like wildcards or prefixes, to identify the needed files for upload or download. It currently supports Microsoft Azure Blob, File and Table storage.

To automate the download and silent installation process of this useful tool, I wrote the below PowerShell script which does all of the following:

  • Create a Temp folder on the C: drive if not already available.
  • Create an AzCopy download folder in C:\Temp if not already available.
  • Download the latest AzCopy .msi (Windows) file.
  • Install AzCopy silently without any user interaction.
  • Delete the .msi file after installation.
  • Remove the AzCopy folder.
  • Exit the PowerShell window.

 PowerShell script

If you prefer you can download the complete script from the TechNet gallery.
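
A download-and-silent-install flow like the one listed above should check the installer's signature before running it. The following is an added example, not the author's script; the function name, the default folder and the signer string are assumptions, and the download URL is a parameter you supply yourself.

```powershell
# Added example: download an MSI over HTTPS, verify its Authenticode
# signature, install it silently, then clean up the working folder.
function Install-VerifiedMsi {
    [CmdletBinding()]
    param(
        # Placeholder: pass the official download URL; HTTPS is enforced.
        [Parameter(Mandatory)]
        [ValidatePattern('^https://')]
        [string]$Uri,

        # Assumed working folder, matching the C:\Temp layout in the steps.
        [string]$WorkDir = 'C:\Temp\AzCopy',

        # Assumed signer check: the certificate subject must contain this.
        [string]$ExpectedSigner = 'O=Microsoft Corporation'
    )

    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $msi = Join-Path $WorkDir 'AzCopy.msi'

    try {
        # Older Windows PowerShell builds do not negotiate TLS 1.2 by default.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        Invoke-WebRequest -Uri $Uri -OutFile $msi -UseBasicParsing

        # Refuse to install anything that is unsigned, tampered with,
        # or signed by an unexpected publisher.
        $sig = Get-AuthenticodeSignature -FilePath $msi
        if ($sig.Status -ne 'Valid') {
            throw "Signature check failed: $($sig.Status)"
        }
        if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
            throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
        }

        # /qn = no UI; exit code 3010 means success with a reboot pending.
        $msiArgs = '/i', "`"$msi`"", '/qn', '/norestart'
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
        if ($proc.ExitCode -notin 0, 3010) {
            throw "msiexec failed with exit code $($proc.ExitCode)"
        }
    }
    finally {
        # Remove the installer and the download folder, as in the listed steps.
        Remove-Item -Path $WorkDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}
```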

More information and how to use AzCopy you can find over here.

This concludes this blog post, have fun using AzCopy for moving or copying data to or between storage accounts.

Wim Matthyssen (@wmatthyssen)

Microsoft Ignite 2018 recap

October 4, 2018 at 9:26 am in Microsoft Ignite, Microsoft Ignite 2018, Orlando, Windows, Windows 10, Windows Admin Center by Wim Matthyssen

Last week I visited the Microsoft Ignite 2018 conference in Orlando with some colleagues. 10,000 km of walking later and sitting back here at home thinking about the past exciting week, I thought it’s a good time to write a recap, quietly hoping the writing will help battling jet lag. :)

After a long flight and a stopover at Dulles International Airport in Washington it was really nice that we could pick up our badge directly at the airport which spared us the morning line before the start of the event. I planned almost all my sessions I wanted to follow before the event and the MS Events app really came in handy to check my schedule, get event notifications, messages and to fill in all evaluations. The navigation function in the app also came in really handy telling me how to get from one session to another. You should know that the venue of Ignite was the OCCC, a huge complex on International Drive in Orlando, combining two conference centers and the Hyatt Regency connected together by a Skybridge.

The thing I was really happy about was that I wore comfortable shoes and clothes, because I did a lot of walking, really a lot of walking. I would advise, if you’re ever planning to go to Ignite, to wear shoes in which you can walk at least 10 km a day, otherwise do not do Ignite in them! Orlando itself is a beautiful city, with a lot of theme parks like Universal Studios Florida and Universal’s Islands of Adventure, which hosted the Ignite Celebration on Thursday evening. If you ever have the chance to go there, the Wizarding World of Harry Potter is truly magical.

It was my first time at Ignite and my main focus was to learn as much as possible and take note of all announcements and changes around Azure, and I must say I got lots of that. Next to all Azure related sessions, I also followed a few of them around Windows Admin Center and Windows 10. For the most part, the quality of all sessions I followed was excellent, only the rooms were sometimes a bit cold due to the airco.

Announcements

Below you can find some announcements I gathered during the technical breakout and theater room sessions I followed:

  • Microsoft partners with Adobe and SAP for new Open Data Initiative.
  • Microsoft Teams Screen Sharing which allows you to screenshare in Teams without needing to escalate to a meeting first.
  • SQL Server 2019 preview announced.
  • Windows Server 2019 general availability (GA) in October, together with Windows Server version 1809.
  • Azure Firewall, a stateful firewall as a service, GA.
  • Windows Virtual Desktop, a virtual desktop experience which lets you run Windows 10 in the cloud, available in Preview.
  • Announcement of Microsoft Learn, a new learning platform to optimise your Microsoft skills.
  • Azure SQL Database Managed Instance, a new deployment model of Azure SQL Database, GA.
  • Azure Blueprints in Preview, which let you define user access, policies and resources in Azure.
  • Azure Management Groups available to organise and govern all your resources between all your subscriptions.
  • Azure Resource Graph GA, which allows you to easily query, explore and analyse all your Azure cloud resources at scale.
  • Azure Migrate now also supports Hyper-V.
  • Azure Monitor now includes Log Analytics and Application Insights for collecting and analysing telemetry of your cloud and on-premises resources and applications.
  • There will be 2 models of the Surface Hub 2, the Surface Hub 2S coming Q2 2019 and the Surface Hub 2X coming in 2020.
  • Azure Data Box, Microsoft’s heavy-duty data transfer appliance, is now GA.
  • Announcement of Azure Sphere, a Linux-based operating system created by Microsoft for Internet of Things applications.

If you’re interested in getting an overview of all announcements Microsoft did at Ignite, be sure to check out this Book of News.

Session Overview

Below you can find a few sessions I followed in person and I recommend to take a look at (click the link to get to the YouTube video):

I had a lot of sessions planned in my schedule that I did not manage to attend but I will take time to watch the recordings and slides. Like every year you can catch up the session recordings that are available on YouTube or the Microsoft Tech Community, but if you’re interested you can also download all Ignite content locally with the following PowerShell script from MVP Michel de Rooij (@mderooij): https://gallery.technet.microsoft.com/Ignite-2016-Slidedeck-and-296df316

For everyone who could not attend Ignite in person and still wants to get the chance to follow some sessions live and explore the latest cloud technologies, Microsoft has announced Microsoft Ignite | The Tour, which takes place in a lot of cities all around the world. You can check out the schedule over here: https://www.microsoft.com/en-us/ignite-the-tour/

I want to end this blog post with saying that Microsoft Ignite rocked! It doesn’t matter if you’re an ITPro or DevOps, if you ever have the chance to go there, you shouldn’t hesitate because it’s really a great and fantastic experience. In my opinion, there’s not much that Microsoft can do to improve Ignite, everything was handled like it should for such a huge event and the content was great and will keep me busy absorbing in the next few weeks. Hope to be back again in Orlando in November next year.

Unable to RDP to an Azure VM due to a CredSSP Encryption Oracle Remediation error

June 27, 2018 at 7:22 pm in Azure, Cloud, CredSSP, Encryption Oracle Remediation, RDP, Remote Desktop Connection, VM, Windows 10 by Wim Matthyssen

After applying some Windows updates on my Windows 10 Version 1803 home pc I was unable to make a Remote Desktop Connection (RDP) connection to some Microsoft Azure virtual machine(s) (VM).

When I made an RDP connection, I received the following error message:

An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.

What is CredSSP and why did it cause the error

The Credential Security Support Provider protocol (CredSSP) is a security protocol utilized to process authentication requests for separate applications like RDP. It allows you to securely forward credentials encrypted from the Windows client to the target servers for remote authentication.

Because of a critical vulnerability that has been discovered in CredSSP, which affects all versions of Windows and could allow remote attackers to exploit RDP and WinRM to steal data and run malicious code, Microsoft has released security update(s).
You can find the list of the corresponding KB number(s) for each operating system here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886

In my case my recently updated Windows 10 pc could not communicate with a non-updated server (not allowed to set up an insecure RDP connection).

Workaround

To solve the error, first of all, I needed to temporarily change the policy settings on my Windows 10 to gain RDP access to the server.

To do so, open Run and execute gpedit.msc to change the settings in the Local Group Policy Editor. Browse to Computer Configuration / Administrative Templates / System. Open Credentials Delegation in the left pane.

Change the Encryption Oracle Remediation policy to Enabled, and Protection Level to Vulnerable.

You can also use the following PowerShell script to do it in a more automated way: https://gallery.technet.microsoft.com/PowerShell-Workaround-956e0d7e.

Or you can simply use this command line one-liner which can also be run in PowerShell (run as admin):

After this change, I was able to set up an unsecure RDP connection to the server(s) where I installed the missing security update.

After deploying the specific update on the server(s), I was able to connect to it without the error and with the Encryption Oracle Remediation settings reset to the default.

Of course you can also use PowerShell to set everything back to the default (copy and save as .ps1).

Or like before you can simply use a command line one-liner in PowerShell (run as admin):
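
An added example, not the author's script: a PowerShell audit of the registry value behind the Encryption Oracle Remediation policy, so the temporary Vulnerable setting described above does not stay in place after the server is patched. The registry path and the values 0, 1 and 2 are the ones Microsoft documents for CVE-2018-0886; the function names are chosen here for illustration.

```powershell
# Added example: report and revert the CredSSP "Encryption Oracle Remediation"
# workaround. Run from an elevated PowerShell session.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'

# Protection levels as documented by Microsoft for this policy.
$LevelNames = @{
    0 = 'Force Updated Clients'
    1 = 'Mitigated'
    2 = 'Vulnerable'
}

function Get-CredSspProtectionLevel {
    # Returns the configured protection level, or notes that none is set.
    $item = Get-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Configured = $false
            Value      = $null
            Level      = 'Not configured (OS default applies)'
        }
    }

    $value = [int]$item.$ValueName
    $level = if ($LevelNames.ContainsKey($value)) { $LevelNames[$value] } else { "Unknown ($value)" }
    [pscustomobject]@{
        Configured = $true
        Value      = $value
        Level      = $level
    }
}

function Reset-CredSspProtectionLevel {
    # Removes the override so the patched default behaviour applies again.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $current = Get-CredSspProtectionLevel
    if (-not $current.Configured) {
        return $current
    }
    if ($PSCmdlet.ShouldProcess($CredSspKey, "Remove $ValueName (currently $($current.Level))")) {
        Remove-ItemProperty -Path $CredSspKey -Name $ValueName
    }
    Get-CredSspProtectionLevel
}

# Report the current state; pipe many hosts through Invoke-Command to audit a fleet.
$state = Get-CredSspProtectionLevel
if ($state.Value -eq 2) {
    Write-Warning 'CredSSP protection level is Vulnerable; revert it once the server is patched.'
}
$state
```

If the workaround was applied through gpedit.msc, set the policy back to Not Configured there as well, because local policy can rewrite the registry value on the next refresh.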

This concludes this blog post, hope it helps if you face this error.

Wim Matthyssen (@wmatthyssen)

Azure: Clean up unused, inactive or old directories from your Azure subscription

June 20, 2018 at 9:31 am in AAD, Azure, Azure Active Directory, Azure AD, Azure tenant, B2B, Cloud, GDPR, MyApps by Wim Matthyssen

I have been working as an Azure Consultant/Architect for almost 5 years. In those 5 years I set up a lot of Azure IaaS/PaaS environments for different customers. To do all the necessary work involved in such a setup, I was mostly invited to their Azure tenant as admin with my Microsoft account (personal account) or my work account (B2B user). When all the work was done, a thing mostly forgotten was cleaning up that specific user in Azure Active Directory (AAD), causing that tenant to still show up or even start as the default directory when logging on to the Azure portal. After a while you could even be unable to be invited to a new tenant because the maximum of 20 AADs is reached for that specific account.

Until some time ago, May 14 2018 to be specific, to unlink those lingering directories you had to contact another global admin of the inviting organization to have that account removed from their AAD tenant. Even as an admin you were not able to delete your own guest account. Sometimes, when a lot of time had passed since you last worked for that customer, finding a global admin for that tenant to delete that user could be a lot of work.

Luckily, thanks to Europe’s General Data Protection Regulation (GDPR), this can now be done in a much easier way. A B2B user can now easily leave an organization on their own (self-service leaving), to which he or she has been invited at any time, without having to contact an administrator.

Keep in mind that when a user leaves an organization, the user account is soft deleted in the directory. By default, the user object moves to the Deleted users state in AAD but is not permanently deleted for 30 days. This soft deletion enables the administrator to restore the user account (including groups and permissions), if the user makes a request to restore the account within that 30-day period.

To leave an organization you can follow the below steps:

Log in with your B2B account at https://myapps.microsoft.com/

When logged in select your name on the access panel in the upper-right corner.

Under Organizations, select the organization you want to leave.

Select your name again in the upper-right corner.

Select Leave organization next to the correct organization.

When asked to confirm, select Leave.

After a while you should receive an email at that specific account, telling you that you left the organization.

Repeat these steps if you need to leave any other organization you are associated with.

Hope this helps and thanks to my colleague Guido (@ggibens) for pointing me to this new simplified capability.

Wim Matthyssen (@wmatthyssen)

Azure Backup Server: Unprotected servers still showing up in the Azure portal even though their protection was stopped 3 months ago

June 11, 2018 at 9:49 am in Azure, Azure Backup, Azure Backup Server, Azure portal, Cloud, Cloud backup, MABS, MABS v2 by Wim Matthyssen

 

To help protect your hybrid backup setup with an Azure Backup Server (MABS), Microsoft introduced some security features built on three principles – Prevention, Alerting and Recovery. These features are enabled by default for newly created Recovery Services vaults; for existing vaults, this link will show you how you can enable them. One of these features, related to recovery, ensures that Azure Backup retains all deleted backup data for 14 days, so you can recover data using any old or recent recovery point(s).

Some time ago I reconfigured a Protection Group which protected some Hyper-V VMs. Two Domain Controllers (DCs) were taken out of the Group and set up to only back up the C drive and the System State. On the MABS server all configuration went well and did not cause any specific issues or errors. However, last week when I was checking the Recovery Services vault used to store the cloud backups, I noticed those two DCs were still showing up in the Backup items overview.

As you can see, those two VMs are still there with no Disk or Cloud Recovery Points created after the protection was disabled.

To get the issue fixed, I followed some standard steps I always follow when having issues with a MABS. The first one is checking the current Azure Backup Agent version installed on the MABS, which was version 2.0.9109.0. Because there is a newer version available (at the time of writing version 2.0.9118.0), step one was getting that one in place.

To download the latest agent go to your Recovery Services vault blade in the Azure portal. Select Backup and on the Getting Started with Backup blade, select Backup goal. In the drop-down menu(s), select On-premises and Files and folders, click OK. In the Prepare Infrastructure blade, click Download Agent for Windows Server or Windows Client. Save MARSAgentInstaller.exe.

Install the latest agent on the MABS server. After the agent installation completes restart the following service:

Microsoft Azure Recovery Services Management Agent

Although the agent is now at the latest version it still did not fix the protection status of the deleted servers in the Azure portal.

After doing a little more troubleshooting (reading the logs, etc.), I decided to open an Azure support ticket. The support agent who assisted me told me, just like I already suspected, that this was currently the default behavior of the Azure Backup service in some Azure regions (current backend design behavior like they say). The product team was already aware of this issue and they definitely will fix it in some later update.

If you cannot wait for the update, there is a quicker fix for the issue, you just need to delete the whole MABS server from the Azure portal and reconnect the server all over again. However, for me and even more for the customer this was a no go. So, we will wait for the proper backend update which will hopefully not take that long anymore.

Hope this helps whenever you face the same backup behavior in the Azure portal with your deleted MABS backups.

Wim Matthyssen (@wmatthyssen)

Creation of an Azure VPN gateway failed due to associated NSG

May 4, 2018 at 8:53 am in Azure, Cloud, GatewaySubnet, NSG, VNet, VPN gateway by Wim Matthyssen

 

A VPN gateway is a specific type of virtual network gateway that sends encrypted traffic between your virtual network (VNet) and your on-premises location across a public connection. You can also use a VPN gateway to send traffic between virtual networks across the Azure backbone.

While deploying such a gateway through the Azure portal, the creation took a very long time and in the end the deployment Failed.

In the Activity log the following Error Code was shown.

OnlyTagsSupportedForPatch

After some troubleshooting and reviewing the complete VNet deployment, which was done through Azure PowerShell, I finally found out what caused the gateway deployment to fail.

An important remark is mentioned in the Microsoft technical documentation for creating a Site-to-Site connection in the Azure portal. It states that you may not associate a network security group (NSG) to the gateway subnet, which in my case was causing the issue.

The Azure PowerShell script used to set up the VNet and all of its Subnets also created NSGs for all subnets, the GatewaySubnet included.

To resolve the issue, I deleted the Failed gateway and set the Network security group for the GatewaySubnet to None.

Afterwards the creation of the gateway succeeded without any issues.

 

Conclusion

When you create a gateway subnet for your VNet you should never associate an NSG with it. This is not supported and the gateway will stop functioning as expected or completely fail. Always set the NSG to ‘None’. The gateway subnet also needs to be named ‘GatewaySubnet’ to work properly, and you should never deploy any VMs or anything else to it.
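
A pre-deployment check for the condition described above, as an added example rather than the author's deployment script. It assumes the Az.Network module (the successor to the AzureRM cmdlets used at the time) and a session already signed in with Connect-AzAccount; Find-GatewaySubnetNsg is a name chosen here.

```powershell
# Added example: list every VNet in the current subscription whose
# GatewaySubnet has an NSG associated, and optionally detach that NSG.
function Find-GatewaySubnetNsg {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # When set, removes the NSG association from each GatewaySubnet found.
        [switch]$Detach
    )

    foreach ($vnet in Get-AzVirtualNetwork) {
        # The gateway subnet must carry this exact name.
        $subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'GatewaySubnet' }
        if ($null -eq $subnet -or $null -eq $subnet.NetworkSecurityGroup) {
            continue
        }

        # Emit one finding per affected VNet.
        [pscustomobject]@{
            ResourceGroup = $vnet.ResourceGroupName
            VNet          = $vnet.Name
            NsgId         = $subnet.NetworkSecurityGroup.Id
        }

        if ($Detach -and $PSCmdlet.ShouldProcess("$($vnet.Name)/GatewaySubnet", 'Detach NSG')) {
            # Equivalent to setting "Network security group" to None in the portal.
            $subnet.NetworkSecurityGroup = $null
            $vnet | Set-AzVirtualNetwork | Out-Null
        }
    }
}

# Report only; add -Detach (optionally with -WhatIf) to change anything.
Find-GatewaySubnetNsg
```

Running it before creating the gateway catches scripts that attach NSGs to every subnet, which is the cause the post identifies.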

Wim Matthyssen (@wmatthyssen)

Azure Backup: Upgrade your Recovery Services Vault to enable support for large disk backups

April 5, 2018 at 6:59 am in Azure, Azure Backup, Cloud, Recovery Services vault by Wim Matthyssen

 

On March 13, 2018 the Azure Backup team announced the general availability for backup of Azure IaaS Virtual Machines (VMs) with large disks (1 to 4 TB), both managed and unmanaged. At the same time they released a set of other improvements to speed up the overall backup and restore process.

To enable these new features a one-time, one-directional upgrade must be done for every Azure Subscription where you wish to use these enhancements. Good to know is that this VM backup stack upgrade, can be started from any vault in your Subscription and will retain all your existing policies and recovery points.

 

Upgrade procedure

 

Open the Azure portal and log in with your Azure credentials.

Go to your Recovery Services vault dashboard. At the top of the blade, click the banner which says Support for > 1 TB disk VMs and improvements to backup and restore speed ->. If you do not see a banner, you can open Properties, go to VM backup stack and click Upgrade.

The Upgrade to new VM backup stack blade will open. Click on Upgrade.

The upgrade procedure will start. Be aware that this process could take up to two hours.

Have fun backing up Azure VMs with these new enhancements. Till next time!

Wim Matthyssen (@wmatthyssen)

Windows Server 2019 (vNext) LTSC Preview – Build 17623 available for download

March 21, 2018 at 7:24 pm in Build 17623, Microsoft Tech Community, Windows Server 2019, Windows Server Insider, WS2019 by Wim Matthyssen

Yesterday Microsoft announced that Windows Server 2019 would be generally available in the second half of 2018, together with System Center 2019. As expected, this next-gen (vNext) Server OS is built on top of Windows Server 2016 and will focus on the following main areas: hybrid, security, application platform and hyper-converged infrastructures. Good to know is that Windows Server 2019 is a Long-Term Servicing Channel (LTSC) release, which means it will have 5 years of mainstream support and 5 years of extended support.

With this announcement Microsoft also released the first preview build (17623) of Windows Server 2019 LTSC to the public, which contains both the Desktop Experience as well as the Server Core edition in all 18 server languages.

To get started with the download of this Preview build, you need to be a member of Windows Server Insider program. If you are not yet registered for this Insider program, you can do so over here. Keep in mind that you can sign up with an organization or a personal account.

As a registered Insider, you can head over to the Windows Server Insider Preview download page. Under available Downloads you can now download the 4.2 GB ISO file. This build, which expires on 02/06/18, requires an activation key during setup. The following keys are allowed for unlimited activations:

  • Datacenter Edition 6XBNX-4JQGW-QX6QG-74P76-72V67
  • Standard Edition MFY9F-XBN2F-TYFMP-CCV49-RMYVH

When downloaded you can install the Windows Server 2019 OS from the ISO image on a virtual machine (VM) or on a physical server.

Have fun testing out this build and do not forget to provide your feedback to Microsoft using the Windows Feedback Hub app, or through the Windows Server space in the Microsoft Tech community.

Wim Matthyssen (@wmatthyssen)