PowerShell – BGInfo Automation script for Windows Server 2019

January 23, 2019 at 8:04 pm in BgInfo, Hyper-V, PowerShell, PowerShell Script, Sysinternals, VM Template, Windows Server 2019, WS2019 by Wim Matthyssen

Probably everyone knows the Sysinternals tool BGInfo (currently version 4.26). For those who don’t, it’s a great free tool from Microsoft which captures system information form a workstation or server (probably where it is the most useful) and displays that relevant data directly on the desktop of that particular machine. It can show useful information like, DNS settings, used IP Addresses, computer name, domain name, OS version, memory, service pack version, etc.

image

Whenever I create a new Windows Server 2019 Virtual Machine (VM) template for customers, I mostly add this tool in the base image (also called golden image) and set it so it starts up automatically whenever a user logs on to the server. To automate this process, I wrote a PowerShell script which automates the complete BGInfo installation and configuration.

This script will do all of the following:

  • Create the BGInfo folder on the C: drive if the folder does not already exist.
  • Download the latest BGInfo tool from the Sysinternals webpage.
  • Extract and cleanup the BGInfo.zip file in the BGInfo folder.
  • Download the logon.bgi file which holds the preferred settings.
  • Extract and cleanup the LogonBgi.zip file in the BGInfo folder.
  • Create the registry key (regkey) to AutoStart the BGInfo tool in combination with the logon.bgi config file.
  • Start BGInfo for the first time.
  • Exit the PowerShell window upon completion.

 

Prerequisites

  • Windows PowerShell 5.1
  • Run PowerShell as Administrator

 

PowerShell script

To use the script copy and save the above as BGInfo_Automated_Windows_Server_2019.ps1 or download it from the TechNet Gallery. Afterwards run the script with Administrator privileges from the server you wish to use for your VM template.

image

image

image

image

image

image

If you want to change any configuration setting (for example the font style or published info), just open the logon.bgi file and adjust the settings to your preferences. Click OK to save and set the new settings.

image

image

Hope this script comes in handy for you. If you have and questions or recommendations about it, feel free to contact me through my Twitter handle.

Wim Matthyssen (@wmatthyssen)

Hyper-V 2019: Configure antivirus exclusions in Windows Defender Antivirus

January 9, 2019 at 3:43 pm in antivirus exclusions, automatic exclusions, custom exclusions, Hyper-V, PowerShell, Windows Defender Antivirus, Windows Server, Windows Server 2019, Windows Server 2019 Hyper-V, WS2019 by Wim Matthyssen

Running a solid, constantly updated antivirus product on your Hyper-V hosts is a necessity to keep a healthy and secure virtual environment. By using Windows Defender Antivirus, the built-in antimalware solution in Windows Server 2019 you will be provided with next-gen cloud-delivered protection, which includes near-instant detection, always-on scanning and dedicated protection updates.

However, when using any antivirus software on a Hyper-V host, you also risk having issues when it is not configured properly and especially when real-time scanning (or monitoring) is enabled. This can negatively affect the overall host performance and even cause corruption of your virtual machines (VMs) or Hyper-V files.

To avoid these file conflicts and to minimize performance degradations you should implement the following recommend antivirus exclusions (directories, files and processes) on all your Hyper-V hosts, which can be found over here.

Luckily Windows Defender Antivirus automatically enrolls certain exclusions (automatic exclusions), defined by your specific server role. To determine which roles are installed on the server, Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools. You should be aware that these automatic exclusions will not appear in the standard exclusion list shown in the Windows Security app.

clip_image002

Below you can find a list of the automatic exclusions for the Hyper-V role:

File type exclusions:

  • *.vhd,*.vhdx,*.avhd,*.avhdx,*.vsv,*.iso,*.rct,*.vmcx,*.vmrs

Folder exclusions:

  • %ProgramData%\Microsoft\Windows\Hyper-V
  • %ProgramFiles%\Hyper-V
  • %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
  • %Public%\Documents\Hyper-V\Virtual Hard Disks

Process exclusions:

  • %systemroot%\System32\Vmms.exe
  • %systemroot%\System32\Vmwp.exe

Hyper-V Failover Cluster folder exclusions:

  • %SystemDrive%\ClusterStorage

Although the automatic exclusions include almost all recommended Hyper-V antivirus exclusions you still may need to configure additional custom exclusions. These custom exclusions will take precedence over the automatic exclusions but will not conflict if a duplicate exists.

If you prefer to disable automatic exclusions you can run the following PowerShell cmdlet.

Below you can find an additional short list of custom exclusions for a server running the Hyper-V role which you can implement if applicable to your environment. There can be even more exclusions for your specific environment.

  • Any custom virtual machine configuration or hard disk drive directories (for example E:\VMs).

clip_image004

  • Any custom replication data directories, if you’re using Hyper-V Replica.
  • The Vmsp.exe process (%systemroot%\System32\Vmsp.exe)

clip_image006

  • The Vmcompute.exe process (%systemroot%\System32\Vmcompute.exe).

clip_image008

To add these exclusions for Windows Defender Antivirus in the Windows Security app you can follow the below steps.

Open the Windows Security app by clicking the magnifier in the task bar and type defender. Select Virus & threat protection.

clip_image010

Under the Virus & threat protection settings title select Manage settings.

clip_image012

On the Virus & threat protection settings page scroll down to Exclusions setting and click on Add or remove exclusions.

clip_image014

Click Add an exclusion. Click the + icon to choose the type and set the options for each exclusion. When adding an exclusion click Yes if the User Account Control box pops up.

clip_image016

clip_image018

When all custom exclusions are added the screen will look like this.

clip_image020

To remove an added exclusion, press the down arrow next to the exclusion and click Remove.

clip_image022

You can also add these custom exclusions with the use of PowerShell (as administrator). To do so you need to run the below commands.

clip_image024

Hope this helps securing your Hyper-V hosts.

Wim Matthyssen (@wmatthyssen)

Create an Azure Monitor action group with Azure PowerShell

December 27, 2018 at 12:40 pm in action groups, automation, Azure, Azure Monitor, Azure PowerShell, beemug by Wim Matthyssen

Azure Monitor, Microsoft’s built-in monitoring service, allows you to monitor and gain more visibility into the state of your resources from a single place in the Azure portal, to help you quickly find and fix problems.

To notify users that an alert has been triggered, Azure Monitor (and also Service Health alerts) uses action groups. This feature allows an owner of an Azure subscription to group a collection of actions to take when an alert is triggered. Owners can create an action group with functions such as sending an email or SMS, as well as calling a webhook and re-use it across multiple alerts. Action groups can be created through the Azure portal, but to automate the process you can also use Azure PowerShell.

In the below example a new action group, called email-ag, is created. To use the script, copy it and adjust it for your own purpose. Save it as .ps1.

clip_image002

You can check all existing action groups in your subscription, by running the below cmdlet. In my example the previously created action group email-ag is shown.

clip_image004

Like earlier said, you can also Add, validate or manage action groups through the Azure portal by opening Monitor, selecting Alerts and selecting Manage action groups. For more information you can check out the documentation page.

clip_image006

clip_image008

Hope the script comes in handy!

Wim Matthyssen (@wmatthyssen)

Azure: Unable to connect to VMs in a peered VNet from P2S VPN

October 11, 2018 at 8:50 am in Azure, Azure Networking, Azure virtual network, P2S client, P2S VPN, RDP, VNet peering by Wim Matthyssen

These days when setting up a greenfield Azure IaaS environment for customers, we use the hub-spoke network topology with shared services. In this topology the HUB network is used as central point of connectivity and a place to host services that can be consumed by the different workloads hosted in the spoke VNets. All spokes are peered with this Hub network, to isolate all workloads. Whenever I work remotely on these environments, I mostly use a Point-to-Site (P2S) connection to securely connect to the different VNets from my client devices.

However last week while deploying a new environment for a customer, I stumbled upon a problem where I couldn’t RDP (private IP addresses) to the virtual machines (VMs) in the different spokes. The RDP access to the VM’s in the Hub VNet worked without any issues.

clip_image002

This is caused, because by design the P2S client will have routes listed for all VMs in the HUB VNet (which hosts the Virtual Network Gateway). However, even though the HUB VNet and the other VNets are connecting via peering, the P2S client will not have any routes presented in its configuration to discover the VMs in the other VNets. In order for the P2S client to be able to reach all VMs (trough for example RDP) located in the peered VNets, a static route for these VNets should be added in the routes.txt file of that specific connection. You can follow the steps below to get this working.

Solution

Open Run, type %appdata% and press Enter.

clip_image004

Open Microsoft – Network – Connections – Cm and select the right connection folder. Next, open the routes.txt file in Notepad (to open just double-click).

clip_image006

Remark

You can also find the correct path to the routes.txt file in the P2S VPN log file. You can open this file by opening your P2S connection and selecting on Properties instead of Connect. In the opened Properties page select View Log. Search for ActionPath, which will show you the location of the file.

clip_image008

clip_image010

End of remark.

In the opened routes.txt file, add the static routes for the other VNets.

For example:

ADD 10.6.0.0 MASK 255.255.240.0 default METRIC default IF default

ADD 10.7.0.0 MASK 255.255.240.0 default METRIC default IF default

ADD 10.8.0.0 MASK 255.255.240.0 default METRIC default IF default

clip_image012

Save the file, and connect again. You should now be able to RDP to all other VMs in the spoke VNets.

Hope this helps and for any questions feel free to contact me through my Twitter handle.

Wim Matthyssen (@wmathyssen)

Microsoft Ignite 2018 recap

October 4, 2018 at 9:26 am in Microsoft Ignite, Microsoft Ignite 2018, Orlando, Windows, Windows 10, Windows Admin Center by Wim Matthyssen

Last week I visited the Microsoft Ignite 2018 conference in Orlando with some colleagues. 10,000 km of walking later and sitting back her at home thinking about the past exciting week. I tought it’s a good time to write a recap, quietly hoping the writing will help battling jet lag. :)

clip_image002

After a long flight and a stopover at Dulles International Airport in Washington it was really nice that we could pick up our badge directly at the airport which spared us the morning line before the start of the event. I planned almost all my sessions I wanted to follow before the event and the MS Events app really came in handy to check my schedule, get event notifications, messages and to fill in all evaluations. The navigation function in the app also came in really handy telling me how to get from one session to another. You should know that the venue of Ignite was the OCCC, a huge complex on International Drive in Orlando, combining two conference centers and the Hyatt Regency connected together by a Skybridge.

clip_image004

The thing I was really happy about was that I wore comfortable shoes and clothes, because I did a lot of walking, really a lot of walking. I would advise if you’re ever planning to go to Ignite wear shoes were you can at least walk 10 km a day in, otherwise do not do Ignite in them! Orlando itself is a beautiful city, with a lot of theme parks like Universal Studios Florida and Universal’s Islands of Adventure, which hosted the Ignite Celebration on Thursday evening. If you ever have the chance to go there, the Wizarding World of Harry Potter is truly magical.

clip_image006

It was my first time at Ignite and my main focus was to learn as much as possible and get note of all announcements and changes around Azure, and I must say I got lots of that. Next to all Azure related sessions, I also followed a few of them around Windows Admin Center and Windows 10. For the most part, the quality of all sessions I followed was excellent only the rooms were sometimes a bit cold due to the airco.

Announcements

Below you can find some announcements, I gathered during the technical breakout and theater room sessions I followed:

  • Microsoft partners with Adobe and SAP for new Open Data Initiative.
  • Microsoft Teams Screen Sharing which allows you to screenshare in Teams without needing to escalate to a meeting first.
  • SQL Server 2019 preview announced.
  • Windows Server 2019 general availability (GA) in October, together with Windows Server version 1809.
  • Azure Firewall a stateful firewall as a service GA.
  • Windows Virtual Desktop a virtual desktop experience which lets you run Windows 10 in the cloud, available in Preview.
  • Announcement of Microsoft Learn, a new learning platform to optimise your Microsoft skills.
  • Azure SQL Database Managed Instance a new deployment model of Azure SQL Database GA.
  • Azure Blueprints in Preview, which let you define user access, policies and resources in Azure.
  • Azure Management Groups available to organise and governance all your resources between all your subscriptions.
  • Azure Resource Graph GA which allow you to easily query, explore and analyse all your Azure cloud resources at scale.
  • Azure Migrate now also supports Hyper-V.
  • Azure Monitor now includes Log Analytics and Application Insights for collecting and analysing telemetry of your cloud and on-premises resources and applications.
  • There will be 2 models of the Surface Hub 2, the Surface Hub2S coming Q2 2019 and theSurface Hub 2X coming in 2020.
  • Azure Data box, Microsoft’s heavy-duty data transfer appliance is now GA.
  • Announcement of Azure Sphere, a Linux-based operating system created by Microsoft for Internet of Things applications.

If you’re interested in getting an overview of all announcements Microsoft did at Ignite, be sure to check out this Book of News.

Session Overview

Below you can find a few sessions I followed in person and I recommend to take a look at (click the link to get to the YouTube video):

I had a lot of sessions planned in my schedule that I did not manage to attend but I will take time to watch the recordings and slides. Like every year you can catch up the session recordings that are available on YouTube or the Microsoft Tech Community, but if you’re interested you can also download all Ignite content locally with the following PowerShell script from MVP Michel de Rooij (@mderooij): https://gallery.technet.microsoft.com/Ignite-2016-Slidedeck-and-296df316

clip_image008

For everyone who could not attend Ignite in person and still want to get the chance to follow some sessions live and explore the latest cloud technologies, Microsoft has announced, Microsoft Ignite | The Tour. which takes place in a lot of cities all around the world. You can check out the schedule over here: https://www.microsoft.com/en-us/ignite-the-tour/

I want to end this blog post with saying that Microsoft Ignite rocked! It doesn’t matter if you’re an ITPro or DevOps, if you ever have the change to go there, you shouldn’t hesitate because it’s really a great and fantastic experience. In my opinion, there’s not much that Microsoft can do to improve Ignite, everything was handled like it should for such hugh event and the content was great and will keep my busy absorbing in the next few weeks. Hope to be back again in Orlando in November next year

PowerShell: BgInfo Automation script for Windows Server 2012 R2

September 17, 2018 at 10:09 am in Bg, BgInfo, Hyper-V, PowerShell, PowerShell Script, scugbe, VM Template, Windows Server, Windows Server 2012 R2, Windows Sysinternals by Wim Matthyssen

Sometime ago I already wrote a PowerShell script to install the BgInfo tool in an automated way whenever you create a VM Template or a base image (also called golden image) for a Windows Server 2016 Virtual Machine (VM) or physical server, which can be donwloaded here. More information can be found int this previous blog post: http://scug.be/wim/2017/02/23/powershell-bginfo-automation-script/

To return to the current blog post and like you can already figure out from the title, now I also wrote a script to automate the BgInfo installation and configuration for a Windows Server 2012 R2 server (VM or physical server).

This PowerShell script will do all of the following:

  • Download the latest BgInfo tool
  • Create the BgInfo folder on the C drive
  • Extract and cleanup the BgInfo.zip file
  • Download the logon.bgi file which holds the preferred settings
  • Extract and cleanup the LogonBgi.zip file
  • Create the registry key (regkey) to AutoStart the BgInfo tool in combination with the logon.bgi config file
  • Start the tool for the first time
  • Set to start up automatically whenever a user logs on to the server

 

Prerequisites

Windows PowerShell 4.0

 

PowerShell script

To use the script copy and save the above as BgInfo_Automated_WS2012_R2_v1.0.ps1, or whatever name you prefer. Afterwards run the script with Administrator privileges from the server you wish to use for your VM template or physical base image. If you want to change configuration settings, just open the logon.bgi file and adjust the settings to your preferences.

This PowerShell script can also found on the TechNet Gallery: https://gallery.technet.microsoft.com/PowerShell-BgInfo-07ade714

image

image

image

image

image

Hope this script comes in handy for you. If you have and questions or recommendations, please feel free to contact me through my twitter handle.

Wim Matthyssen (@wmatthyssen)

Configuring VNet peering through the Azure Portal resulted in a Peering Status – Failed

September 6, 2018 at 12:19 pm in Azure, Azure Networking, Azure portal, Azure PowerShell, VNet, VNet peering by Wim Matthyssen

Virtual network peering is a mechanism that seamlessly connects two Azure virtual networks (VNets). Once peered, the virtual networks appear as one, and resources can be accessed from both VNets via their private IP Addresses.

While creating a new peering through the Azure Portal, it resulted in a created VNet Peer with a PEERING STATUS Failed. Deleting the Peering also failed. Probably something went wrong in the back or the Portal was stuck and giving failure, showing the Failed status as a result. Like in most cases when you are troubleshooting Azure issues, Azure PowerShell comes to the rescue.

By running below PowerShell script (copy and save as .ps1), I was able to get the resources updated using the get and set command, which successfully Connected the VNet peer.

PowerShell script

clip_image002

I hope the above script comes in handy whenever you face the same issue. Till next time.

Wim Matthyssen (@wmatthyssen)

Unable to RDP to an Azure VM due to a CredSSP Encryption Oracle Remediation error

June 27, 2018 at 7:22 pm in Azure, Cloud, CredSSP, Encryption Oracle Remediation, RDP, Remote Desktop Connection, VM, Windows 10 by Wim Matthyssen

After applying some Windows updates on my Windows 10 Version 1803 home pc I was unable to make a Remote Desktop Connection (RDP) connection to some Microsoft Azure virtual machine(s) (VM).

When I made an RDP connection, I received the following error message:

An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.

clip_image002

What is CredSSP and why did it cause the error

The Credential Security Support Provider protocol (CredSSP) is a security protocol utilized to process authentication requests for separate applications like RDP. It allows you to securely forward credentials encrypted from the Windows client to the target servers for remote authentication.

Because of a critical vulnerability that has been discovered in CredSSP, which affects all versions of Windows and could allow remote attackers to exploit RDP and WinRM to steal data and run malicious code, Microsoft has released security update(s).
You can find the list of the corresponding KB number(s) for each operating system here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886

In my case my recently updated Windows 10 pc could not communicate with a non-updated server (not allowed to setup an insecure RDP connection).

Workaround

To solve the error, first of all, I needed to temporarily change the policy settings on my Windows 10 to gain RDP access to the server.

To do so, open Run and execute gpedit.msc to change the settings in the Local Group Policy Editor. Browse to Computer Configuration / Administrative Templates / System. Open Credentials Delegation in the left pane.

clip_image004

clip_image006

Change the Encryption Oracle Remediation policy to Enabled, and Protection Level to Vulnerable.

clip_image008

You can also use the following PowerShell script to do it in an more automated way: https://gallery.technet.microsoft.com/PowerShell-Workaround-956e0d7e.

Or you can simply use this command line one-liner which can also be run in PowerShell (run as admin):

After this change, I was able to setup an unsecure RDP connection to the server(s) where I installed the missing security update.

clip_image010

After deploying the specific update on the server(s), I was able to connect to it without the error and with the Encryption Oracle Remediation settings reset to the default.

clip_image012

Of course you can also use PowerShell to set everything back to the default (copy and save as .ps1).

Or like before you can simply use a command line one-liner in PowerShell (run as admin):

This concludes this blog post, hope it helps if you face this error.

Wim Matthyssen (@wmatthyssen)

Azure: Clean up unused, inactive or old directories from your Azure subscription

June 20, 2018 at 9:31 am in AAD, Azure, Azure Active Directory, Azure AD, Azure tenant, B2B, Cloud, GDPR, MyApps by Wim Matthyssen

I am already working as an Azure Consultant/Architect for almost 5 years. In those 5 years I setup a lot of Azure IaaS/PaaS environments for different customers. To do all the necessary work involved in such setup, I mostly was invited to their Azure tenant as admin with my Microsoft account (personal account) or my work account (B2B user) to do all the necessary work. When all the work was done a thing mostly forgotten is to clean up that specific user in Azure Active Directory (AAD), causing that tenant still showing up or even starting as the default directory when logging on to the Azure portal. After a while you could even be unable to be invited to a new tenant because the maximum of 20 AAD’s is reached for that specific account.

clip_image002

Until some time ago, May 14 2018 to be specific, to unlink those lingering directories you had to contact another global admin of the inviting organization to have that account removed from their AAD tenant. Even as an admin you were not able to delete your own guest account. Sometimes, when a lot of time was passed since you last worked for that customer, finding a global admin for that tenant to delete that user could be a lot of work.

Luckily, thanks to Europe’s General Data Protection Regulation (GDPR), this can now be done in a much easier way. A B2B user can now easily leave an organization on their own (self-service leaving), to which he or she has been invited at any time, without having to contact an administrator.

Keep in mind that when a user leaves an organization, the user account is soft deleted in the directory. By default, the user object moves to the Deleted users state in AAD but is not permanently deleted for 30 days. This soft deletion enables the administrator to restore the user account (including groups and permissions), if the user makes a request to restore the account within that 30-day period.

To leave an organization you can follow the below steps:

Log in with your B2B account at https://myapps.microsoft.com/

When logged in select your name on the access panel in the upper-right corner.

clip_image004

Under Organizations, select the organization you want to leave.

clip_image006

Select your name again in the upper-right corner.

clip_image008

Select Leave organization next to the correct organization.

clip_image010

When asked to confirm, select Leave.

clip_image012

clip_image014

After a while you should receive an email at that specific account, telling you that you left the organization.

clip_image016

Repeat these steps if you need to leave any other organization you are associated with.

Hope this helps and thanks to my colleague Guido (@ggibens) for pinpointing me to this new simplified capability.

Wim Matthyssen (@wmatthyssen)

Windows 10: Set Display, Apps and websites language to English (United States) and keyboard to Belgian (Period)

June 14, 2018 at 9:25 am in Belgian (Period), Belgian beers, belgian chocolates, Belgium, ITPro, Keyboard shortcut, Keyboards, scugbe, Windows 10, Windows Apps, Windows Display Language by Wim Matthyssen

When you install and set up Windows 10, you’re asked to choose a default system language. Normally, you do not need to change the language after the initial setup but there might be some situations where you do. I ‘m a Belgian and working as an ITPro in that small country which has the best chocolates and beers, I like to have my Windows 10 display language and Windows Apps language set to English (United States) and my keyboard to Belgian period (Azerty).

However, when you deploy Windows 10, with country or region set to Belgium and system language set to English as a preferred language also Nederlands (België) is installed as first language for Apps and websites.

clip_image002

So even if your Windows display language is all set to English whenever you open a website or Windows App the language used is Dutch.

clip_image004

clip_image006

For me this is a little bit annoying. I know this can come in handy, if you’re bi-lingual and you type documents in Dutch, but also enter commands in Command Prompt in English, but for me that’s not the case. But if you prefer you can set the language on a per-app basis and then Windows will remember which language you prefer to use in that particular app. There is even a keyboard shortcut if you want to switch manually between two or more languages. Just press the Left Alt + Shift keys together to switch between languages on the fly.

To set my Windows display and Windows App (+ websites) language to English and set my keyboard to Belgian (Period) I followed the below steps.

Open All settings (or press the Windows key + I) to open the Windows Setttings page and then click Time & Language.

clip_image008

clip_image010

Select Region & language on the left.

clip_image012

At the Preferred languages topic, you can choose to set Nederlands (België) as the second language or choose to Remove this language. I choose to Remove this language completely (to be able to Remove a language you also need to set if first as the second language, otherwise you are not able to delete it).

clip_image014

clip_image016

If you Remove a first language you also need check and possible set your preferred keyboard language at the first language shown. To do so select the language and click Options.

clip_image018

Because English Unites States uses US (QWERTY), which I do not want to use. I first I need to add my second preferred keyboard. Press Add a keyboard and select the Belgian (Period) keyboard. When added you can remove the US (QWERTY) keyboard.

clip_image020

clip_image022

Now your all done. Like you can see the Windows display, website(s) and Windows App language are all set to English and I can type with my preferred Azerty keyboard settings.

clip_image024

clip_image026

clip_image028

Hope this comes in handy for the Belgium people. Till next time!

Wim Matthyssen (@wmatthyssen)