Category: Windows

  • Sync WSUS with Windows Update via Powershell

    This is a post I’ve been meaning to write for a while, and here I’ll explain some of the basic methods and commands to manage WSUS solely through Powershell. No one really wants to be logging onto machines unnecessarily with RDP, and these have been personally useful to me when customers have had insane hoops to jump through in order to log in (password expiry policies, Workspaces with Pins and OTP, locked behind VPNs, for example).

    Synchronise WSUS with Windows Update:

    (Get-WsusServer).GetSubscription().StartSynchronization()

    Get the result of the last synchronisation:

    (Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()

    These two are useful if you would prefer to power down WSUS servers outside of company patch windows (e.g. monthly patch cycles) to save on costs, as the Update DB on the server won’t be up to date all of the time.
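
    One way to chain the two calls above on a WSUS server that is only powered on for patch windows: start a sync, wait for it to finish, and stop if it did not succeed, so clients are never patched against a stale catalogue. This is an added example, not code from the original post; the timeout and polling interval are assumed values.

    ```powershell
    # Added example: run on the WSUS server itself (or inside Enter-PSSession / SSM).
    # $TimeoutMinutes and $PollSeconds are illustrative values, not WSUS defaults.
    $TimeoutMinutes = 60
    $PollSeconds    = 30

    $subscription = (Get-WsusServer).GetSubscription()

    # Do not start a second sync if one is already running.
    if ($subscription.GetSynchronizationStatus() -eq 'NotProcessing') {
        $subscription.StartSynchronization()
    }

    # Poll until the sync finishes or the deadline passes.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $progress = $subscription.GetSynchronizationProgress()
        Write-Host ("Sync phase {0}: {1}/{2} items" -f `
            $progress.Phase, $progress.ProcessedItems, $progress.TotalItems)
    } while ($subscription.GetSynchronizationStatus() -eq 'Running' -and
             (Get-Date) -lt $deadline)

    if ($subscription.GetSynchronizationStatus() -eq 'Running') {
        throw "WSUS sync still running after $TimeoutMinutes minutes."
    }

    # Inspect the outcome instead of assuming the sync worked.
    $last = $subscription.GetLastSynchronizationInfo()
    if ($last.Result -ne 'Succeeded') {
        throw "WSUS sync did not succeed: $($last.Result) $($last.Error) $($last.ErrorText)"
    }
    "Last sync succeeded: started {0}, ended {1}" -f $last.StartTime, $last.EndTime
    ```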

    Another useful command is to list all the computers managed by WSUS:

    Get-WsusComputer -All

    And to filter to specific instances, for example if you wanted to check if they were being managed: 

    Get-WsusComputer -NameIncludes "ComputerName"

    Finally, to clear out old machines that have either been decommissioned or no longer exist (especially useful if you still manage ASG instances or scaleset VMs with WSUS, though I would recommend you use Patch Management/Automation Accounts instead):

    Get-WsusServer "computername" | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates

    That about wraps up basic admin tasks. You can get really in-depth with scripting for WSUS, although I personally haven’t gone that deep into it either. As above, we’ve moved on from managing static infrastructure and are now using Patch Management in AWS and Automation Accounts in Azure for Windows patch management. It really takes the pain away and gets rid of one extra VM to manage. 

    For a full listing of available commands, punch in:

    Get-Command -Module UpdateServices

    Or view these online on the MS Documentation page: https://docs.microsoft.com/en-us/powershell/module/updateservices

    Easy enough, right?

    Of course, you can use any of these commands in conjunction with Enter-PSSession, SSM in AWS or Cloud Shell in Azure to connect to a Powershell console on the VM/instance.

  • Installing Inspec for RubyGems on Windows

    I came across this as I was trying to install inspec to run against some Packer builds. The Github documentation only covers how to install inspec, and not the pre-requisites.

    You have likely seen an error such as “[…] requires installed build tools”, and you may have tried running gem install buildtools.

    However, what you need to do is download the Ruby developer kit from https://rubyinstaller.org/downloads/ (found at the bottom of the page). You can unzip this wherever you like (I unzipped it to my Ruby install directory in a folder called devkit). From there, press SHIFT and right click to open a command prompt window at that location. Now type:

    ruby dk.rb init

    and

    ruby dk.rb install

    The full output for these commands is below:

    C:\Ruby23\devkit>ruby dk.rb init
    [INFO] found RubyInstaller v2.3.3 at C:/Ruby23
    
    Initialization complete! Please review and modify the auto-generated
    'config.yml' file to ensure it contains the root directories to all
    of the installed Rubies you want enhanced by the DevKit.
    
    C:\Ruby23\devkit>ruby dk.rb install
    [INFO] Installing 'C:/Ruby23/lib/ruby/site_ruby/2.3.0/rubygems/defaults/operating_system.rb'
    [INFO] Installing 'C:/Ruby23/lib/ruby/site_ruby/devkit.rb'
    

    Now you can go ahead and run

    gem install inspec

    which will begin the installation.

  • Disable the Windows 10 notification sound

    Something that’s been driving me crazy recently is the excessive amount of notifications that pop up (and play a sound repeatedly) when I log in to my home PC.

    Somehow, turning down the system volume does nothing to stop the obnoxiousness of the alert.

    Luckily, there’s an easy, no fuss way to disable this!

    1. Right click on the volume icon in your system tray
    2. Select Sounds
    3. Find the option called Notifications, and set the option in the drop-down list under Sounds: to none.

    Hoping this helps to save the sanity of others (and their PCs/laptops from being thrown out of windows!)

  • Windows 10 – Settings can’t be opened using the Built-in Administrator account

    The Windows 10 rollouts from Microsoft have finally picked up traction. My opinion of Windows 10 has greatly improved due to the cross-platform availability of XBOX One games.

    However, due to the adoption of an app-like structure, this has posed its own problems.

    You may find that you’re not able to open built-in programs that you were able to use without any issues in Windows 8, for example.
    Settings can't be opened using the built-in Administrator account

    Luckily! There’s a simple fix for this!

    Please note, this fix applies to Windows 10 Professional versions and above.

    1. Press the Windows Key and R together
    2. Type secpol.msc into the box that appears
    3. Navigate to Local Policies -> Security Options
    4. Find the policy in the list called “User Account Control: Admin Approval Mode for the Built-in Administrator account”
    5. Double click on this policy, and change the setting to Enabled

    This fix applies to Windows 10 Home versions

    Unfortunately home versions don’t have a local security policy editor, so we’ll have to resort to editing the registry to achieve the desired effect.

    1. Press the Windows Key and R together
    2. Type regedit into the box that appears and press return
    3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and create a DWORD value called FilterAdministratorToken with a value of 1
    4. Now browse to the folder below, “UIPI” and change the Default value to 1
    5. Open User account control settings, again, by pressing the Windows Key and R together, this time typing useraccountcontrolsettings and adjusting the slider to the second setting “Notify me only when apps try to make changes to my computer (default)“.
    6. Restart your PC/laptop, and you’ll now be able to open the built-in apps without any issues.
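
    The same two registry values from steps 3 and 4, written as a script that can be read before it is run and that reports the state before and after the change. This is an added example, not part of the original post; `$Apply` and the helper `Get-UacAdminState` are names made up for it.

    ```powershell
    # Added example; run from an elevated PowerShell prompt.
    # $Apply and Get-UacAdminState are hypothetical names used only here.
    $Apply  = $false   # $false only reports; set to $true to write the values
    $system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uipi   = Join-Path $system 'UIPI'

    function Get-UacAdminState {
        $token   = Get-ItemProperty -Path $system -Name FilterAdministratorToken `
                       -ErrorAction SilentlyContinue
        $default = if (Test-Path $uipi) { (Get-ItemProperty -Path $uipi).'(default)' }
        [pscustomobject]@{
            FilterAdministratorToken = $token.FilterAdministratorToken  # empty if not set
            UipiDefault              = $default
        }
    }

    "Before:"
    Get-UacAdminState | Format-List

    if ($Apply) {
        # Step 3: DWORD FilterAdministratorToken = 1
        New-ItemProperty -Path $system -Name FilterAdministratorToken `
            -PropertyType DWord -Value 1 -Force | Out-Null

        # Step 4: default value of the UIPI key = 1
        # (Set-Item on a registry key writes that key's default value.)
        if (-not (Test-Path $uipi)) { New-Item -Path $uipi | Out-Null }
        Set-Item -Path $uipi -Value '1'

        "After (restart required):"
        Get-UacAdminState | Format-List
    }
    ```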

    If you don’t feel confident in making changes to the registry, I’ve attached a link to a file below that you can download, double click, and apply the registry changes automatically.

    File: Registry item (hosted on MediaFire)

  • Exporting AD group members using Powershell

    We had a client who was experiencing high usage on one of their TS servers last week, and I was asked to compile and export a list of users on each TS to send to the client so we could move people around. I found a handy Powershell cmdlet that let me do this really easily, as well as being able to export to file.

    Simply put, it’s this:

    Get-ADGroupMember -Identity GroupName | Export-Csv -Path C:\GroupMembers.csv -NoTypeInformation

    The first section, Get-ADGroupMember -Identity GroupName, is where you specify the name of the group that you want to obtain the list of members for.

    We have the pipe, to signify an extra command linked to the first. In this case, we want to export the results to a csv file called GroupMembers.csv.

    The -NoTypeInformation switch just removes an unnecessary line from the start of the csv.

    More information on the export-csv command, including additional switches can be found on Microsoft TechNet – https://technet.microsoft.com/en-us/library/hh849932.aspx
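
    The one-liner above, extended to the several-terminal-servers case described at the start of this post: it expands nested groups, adds each account's enabled state and last logon date, and lists accounts that sit in more than one group. This is an added example, not code from the original post, and it goes beyond the single-group command; the group names are placeholders.

    ```powershell
    # Added example. Requires the ActiveDirectory module (RSAT).
    Import-Module ActiveDirectory

    # Placeholder group names: replace with the groups that grant access to each TS.
    $groups = 'TS01-Users', 'TS02-Users'

    $report = foreach ($group in $groups) {
        # -Recursive expands nested groups and returns only the leaf members.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties LastLogonDate |
            Select-Object @{ n = 'Group'; e = { $group } },
                          Name, SamAccountName, Enabled, LastLogonDate
    }

    # One CSV for all groups; disabled or long-idle accounts are visible at a glance.
    $report | Sort-Object Group, SamAccountName |
        Export-Csv -Path C:\GroupMembers.csv -NoTypeInformation

    # Accounts that are members of more than one of the groups.
    $report | Group-Object SamAccountName |
        Where-Object Count -gt 1 |
        Select-Object Name, @{ n = 'Groups'; e = { $_.Group.Group -join ', ' } }
    ```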

  • Disabling Windows Defender

    I had an issue recently where Windows updates installed Windows Defender automatically, on top of Microsoft Security Essentials on my TS3 server. This caused MSE to disable itself, and Windows Defender didn’t enable itself, causing my TS3 server to be exposed for longer than I would have liked.

    Obviously this was a huge problem, and I prefer to use MSE over Windows Defender, but getting rid of it wasn’t as easy as just re-enabling MSE.

    So, to disable Windows Defender:

    1. Open Control Panel
    2. Find & open Windows Defender
    3. Within Windows Defender, click Tools
    4. Then Options
    5. Click the last option, Administrator
    6. Un-check the box labelled “Use this program”

    Now,

    1. Open up services (Run -> services.msc)
    2. Find Windows Defender in there
    3. Double click on it to open Properties
    4. Set Startup Type to Disabled
    5. Enable MSE and restart the PC

    Even if MSE hangs at this point, it should be re-enabled when you log back in again.

  • Domain controller migration

    This weekend I was running through a migration from Server 2008 Hyper-V host to ESXi and Server 2012 as the primary DC in a test environment. All the VMs were backed up and converted to VMDKs beforehand, and the install went off without a hitch.

    What I had done with the server, was to install 2012, and connect it to the domain (as a VM) and set it up as a secondary DC to replicate my AD over. Unfortunately, I had forgotten to demote the host DC before taking it offline, and was left with a problem. All the roles were on the root DC.

    Because of that, I had to go in and seize the roles from the primary DC before I could use any administrative tools on the 2012 server. Ideally you want to demote the primary DC first so it transfers all the roles to the other DC. In this case, I had to do something a little more long winded.

    1. First, open an administrative command prompt and enter the ntdsutil tool
    2. Type roles, then press enter
    3. Type connections. Press enter
    4. Enter connect to server and then the server name. This is the server you want to transfer the roles to
    5. Enter Q to go back to the previous menu (the Roles menu)
    6. Now you need to seize the roles from the primary DC. These are: pdc, rid master, schema master, infrastructure master
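
    A check to run before and after the seizure, listing which DC holds each operations master role and whether that holder is reachable. This is an added example, not part of the original post; the two server names are placeholders. Get-ADDomain and Get-ADForest report five roles in total, the fifth being the domain naming master.

    ```powershell
    # Added example. Requires the ActiveDirectory module (RSAT).
    Import-Module ActiveDirectory

    $survivingDc = 'NEW-DC'   # placeholder: the DC you connected to in ntdsutil
    $retiredDc   = 'OLD-DC'   # placeholder: the DC that was taken offline

    # Ask the surviving DC, since the old role holder cannot answer.
    $domain = Get-ADDomain -Server $survivingDc
    $forest = Get-ADForest -Server $survivingDc

    $roles = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }

    $result = foreach ($role in $roles.GetEnumerator()) {
        [pscustomobject]@{
            Role             = $role.Key
            Holder           = $role.Value
            StillOnRetiredDc = $role.Value -like "$retiredDc*"
            Reachable        = Test-Connection -ComputerName $role.Value -Count 1 -Quiet
        }
    }
    $result | Format-Table -AutoSize

    # Do not start metadata cleanup while any role still points at the dead DC.
    if ($result.StillOnRetiredDc -contains $true) {
        Write-Warning "At least one role is still held by $retiredDc."
    }
    ```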

    There’s a handy script that’ll clear all the leftover metadata once you’ve done all of the above (it’s a lot easier than doing it all manually). It’s on TechNet in the Script Center – Metadata removal script. Copy the text out, and paste it into a notepad file. Save it as a .vbs file, then double click to run. It’ll scan the DCs in the domain and ask you which server it should remove metadata for.

    Now, you’ll be able to delete the server from Active Directory Sites & Services. Tip: delete the NTDS Settings first, then remove the server.

  • Media center software – XBMC

    A couple of months ago I purchased some new parts from Scan to build myself a Media PC. I went through a lot of different options, weighing up the pros and cons of each and eventually settled on a stripped down version of the Budget PC found in Custom PC Magazine. I have media across multiple drives, and a large factor for me was to have all of a set type of media – TV shows and films – kept together regardless of which drive they were on. I tried a couple of solutions before I settled on my final decision, and for anyone else finding themselves in the same dilemma I faced, here’s a quick rundown of the programs I tried…
