From category archives: Avian Waves

Technology posts

Timothy

Forcing Windows Server to Use a Specific Outgoing IP Address

Normally this isn't much of an issue, but for some outgoing connections you want to use a specific IP address on a server that has many IP addresses assigned.  An example might be if you have a VPN set up to a remote location and you want to whitelist one IP address, not every single IP address on that server.  Windows does not simply use the first IP address you set in the Network Properties.  It instead chooses from that and all alternative IP addresses and guesses what the best one might be to use.  This is sometimes not the one you want.  And if you add an IP address in the future, who's to say the choice will stay the same and not change to a different one?  Then the whitelist rule described above would break.

Well, luckily, PowerShell to the rescue.  There is a property on all IP addresses called "Skip As Source" which is not exposed through the GUI.  It allows you to exclude an IP address from consideration as the primary / outgoing IP address.  You can use Set-NetIPAddress to assign this manually, but we can do better.  Using a couple of lines of PowerShell, you can create a ps1 script and then run it via a Scheduled Task, say, hourly, so that if at any time in the future you add a new IP address, the primary IP will consistently be correct, at least within an hour.

The script looks like this.  Assuming the IP address you want to be primary is 192.168.33.129.

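# The one address that should be used as the source for outgoing connections
$primaryIP = "192.168.33.129"
# Make sure the primary address is eligible as a source address
Set-NetIPAddress -IPAddress $primaryIP -SkipAsSource $false
# Mark every other address on every adapter as not eligible
Get-NetAdapter | Get-NetIPAddress | Where-Object { $_.IPAddress -ne $primaryIP } | ForEach-Object {
    Set-NetIPAddress -IPAddress $_.IPAddress -SkipAsSource $true
}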

Now all IP addresses, except the one you are designating as "primary," will be excluded from consideration as primary.  We can verify this using...

Get-NetAdapter | Get-NetIPAddress | Select-Object IPAddress,SkipAsSource

Now if you save that segment to a PS1 file, then schedule it to run hourly using the SYSTEM account, your primary IP address is now automated.
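
A guarded variant of the script that can also register itself as the hourly SYSTEM task is sketched here. It is an added example, not the author's script; the file name Set-PrimaryIP.ps1, the task name, the English account names in the ACL check and the choice to touch only IPv4 addresses are assumptions.

```powershell
# Set-PrimaryIP.ps1 (hypothetical file name) - added example, not the author's script.
param(
    [string]$PrimaryIP = "192.168.33.129",   # address used in the post
    [switch]$Register                        # register this file as an hourly SYSTEM task
)

if ($Register) {
    # A script that runs as SYSTEM must not be writable by non-administrators,
    # otherwise anyone who can edit the file gets SYSTEM code execution.
    # Account names below assume an English-language Windows installation.
    $writeBits = [System.Security.AccessControl.FileSystemRights]"WriteData, AppendData, Delete, ChangePermissions, TakeOwnership"
    $writers = (Get-Acl -Path $PSCommandPath).Access | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        [int]($_.FileSystemRights -band $writeBits) -ne 0 -and
        $_.IdentityReference.Value -notmatch '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators)$'
    }
    if ($writers) {
        throw "Refusing to register: $PSCommandPath is writable by $($writers.IdentityReference -join ', ')"
    }
    $action    = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -NonInteractive -File `"$PSCommandPath`" -PrimaryIP $PrimaryIP"
    # Explicit duration so the hourly repetition is stated rather than left to a default
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Days 3650)
    $principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName "Set-PrimaryIP" -Action $action -Trigger $trigger -Principal $principal -Force
    return
}

# Deliberate narrowing compared with the post: only IPv4 addresses are changed.
$addresses = Get-NetAdapter | Get-NetIPAddress -ErrorAction SilentlyContinue |
    Where-Object { $_.AddressFamily -eq "IPv4" }

# Guard: with a typo or a removed address, the loop below would otherwise flag
# every address as SkipAsSource and leave no designated primary.
if ($addresses.IPAddress -notcontains $PrimaryIP) {
    throw "$PrimaryIP is not assigned to this server; nothing was changed."
}

foreach ($a in $addresses) {
    $skip = $a.IPAddress -ne $PrimaryIP
    if ($a.SkipAsSource -ne $skip) {          # change only what differs, so hourly reruns are quiet
        Set-NetIPAddress -IPAddress $a.IPAddress -SkipAsSource $skip
        Write-Output "$($a.IPAddress): SkipAsSource -> $skip"
    }
}
```

Run it once from an elevated prompt with -Register after placing the file in a directory only administrators can modify.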

Timothy

PowerShell Script to Detect Meltdown and Spectre Vulnerability on All Windows Computers in Your Domain

Today Microsoft released a PowerShell script that can be run on any Windows system to detect if the system is vulnerable to Meltdown and Spectre.  If you haven't heard about it yet, go here: https://support.microsoft.com/en-us/help/4073119.

Building on this, I created a PowerShell script (download below) that will find every Windows computer in your domain, run the Microsoft script on each, and return the results.  This allows you to see the status of the patch deployment for your entire domain from a single PC.

Prerequisites:

  • PowerShell 5 - This will basically work out of the box for Windows Server 2016 and Windows 10.  This may be a problem for some organizations that have not deployed PowerShell 5 yet for older operating systems.  The good news is that PowerShell 5 is available for Windows Server as old as 2008 R2 and Windows 7.  The script makes use of Install-PackageProvider and Install-Module, which reach out to NuGet to retrieve the latest bits of the package Microsoft deployed.  There may be workarounds; if so, hopefully somebody can build upon what I have here.
  • PowerShell Remoting - You must have set up PowerShell remoting so that Invoke-Command can run against other systems from wherever you execute this from.  It's not hard, but depending on your organization's security requirements, this might also be a blocking issue.
  • Run as a domain administrator or other account which has administrator access on all target computers.

How to use:

Just download it and run it (link is at the bottom of this post).  It's really that simple.  For systems that don't meet the prerequisites, you will see an entry in the output status showing "Error."  You can then go back to that machine and try running portions of the script manually if you want to troubleshoot, but at least in my environment, the most common issue is just not having PowerShell 5 installed.  If you want to export it to a CSV, which can then be opened in Excel, add the command line switch -csv followed by the path, like below.

  • .\Get-SpeculationControlSettingsOnAllComputersInDomain.ps1 -CSV C:\Users\YourName\Desktop\SpeculationControlOutput.csv

Examining the output:

The first two columns are the computer name and the script execution status.  The script execution status can be OK, Error, or Offline.  I think this is pretty self-explanatory.  It either worked, didn't, or the computer wasn't online so the script couldn't be run.

The next columns are as follows (note: they are abbreviated since there are so many and it needs to fit on the screen).

  • BTIHWPr - BTIHardwarePresent - Hardware support for branch target injection mitigation is present.
  • BTIWinPr - BTIWindowsSupportPresent - Windows OS support for branch target injection mitigation is present.
  • BTIWinEn - BTIWindowsSupportEnabled - Windows OS support for branch target injection mitigation is enabled.
  • BTIDisSP - BTIDisabledBySystemPolicy - Windows OS support for branch target injection mitigation is disabled by system policy.
  • BTINoHWSup - BTIDisabledByNoHardwareSupport - Windows OS support for branch target injection mitigation is disabled by absence of hardware support.
  • KVAShdwRq - KVAShadowRequired - Hardware requires kernel VA shadowing.
  • KVIWinPr - KVAShadowWindowsSupportPresent - Windows OS support for kernel VA shadow is present.
  • KVIWinEn - KVAShadowWindowsSupportEnabled - Windows OS support for kernel VA shadow is enabled.
  • KVIPcidEn - KVAShadowPcidEnabled - Windows OS support for PCID performance optimization is enabled.  (Not required for security.)

According to the guidance, the main thing you want to look for is that the following columns all show TRUE: BTIHWPr, BTIWinPr, BTIWinEn, KVAShdwRq, KVIWinPr, KVIWinEn.

This script is public domain.  Also, ABSOLUTELY NO WARRANTY.  I do not guarantee at all that the script works correctly in your scenario and I am not responsible for damage!

Here's example output of what it looks like when it's running.  I obfuscated my system names, but you can see how I have systems that are not yet patched below.  The patches are deploying tonight.  :-)  You will also notice that quite a few don't have PowerShell 5 installed.

Computer          Status  BTIHWPr BTIWinPr BTIWinEn BTIDisSP BTINoHWSup KVAShdwRq KVIWinPr KVIWinEn KVIPcidEn
--------          ------  ------- -------- -------- -------- ---------- --------- -------- -------- ---------
SRVDC1.nc.us.d... Error
SRVCA1.nc.us.d... Error
SRVSCOM1.nc.us... Error
SRVMAIL1.nc.us... OK      False   False    False    False    False      True      False    False    False
SRVCCS1.nc.us.... Error
SRVTFS2.nc.us.... Error
SRVWeb2.nc.us.... Error
SRVSQL3.nc.us.... Error
SRVMail2.nc.us... Offline
SRVSQL4.nc.us.... Error
SRVWEB1.nc.us.... Error
SRVWEB3.nc.us.... Error
SRVTFSBUILD2.n... OK      False   False    False    False    False      True      False    False    False
SRVTFSBUILD1.n... OK      False   False    False    False    False      True      False    False    False
SRVTFSBUILD3.n... OK      False   False    False    False    False      True      False    False    False
DESKTOP138.nc.... Offline
SRVWEB1A.nc.us... Error
SRVCACHE1.nc.u... Error
SRVCACHE2.nc.u... Error
DESKTOP923.nc.... Offline
DESKTOP251.nc.... OK      False   False    False    False    False      True      False    False    False
SRVDC2.nc.us.d... OK      False   False    False    False    False      True      False    False    False

Click here to download the script.
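
To triage an exported CSV against the "all TRUE" guidance above, something like the following can be used. It is an added example, not part of the downloadable script; it assumes the CSV headers match the abbreviated console column names, and the sample rows are constructed.

```powershell
# Columns the post says should all show TRUE
$required = "BTIHWPr", "BTIWinPr", "BTIWinEn", "KVAShdwRq", "KVIWinPr", "KVIWinEn"

function Get-SpeculationControlGaps {
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        if ($Row.Status -ne "OK") {
            # Error and Offline rows carry no data: report them as unknown,
            # never as compliant.
            $state  = "Unknown"
            $failed = @()
        } else {
            # Import-Csv / ConvertFrom-Csv yield strings, so compare text, not booleans
            $failed = @($required | Where-Object { "$($Row.$_)" -ne "True" })
            $state  = if ($failed.Count) { "Gap" } else { "Pass" }
        }
        [pscustomobject]@{
            Computer = $Row.Computer
            State    = $state
            Failed   = $failed -join ","
        }
    }
}

# Constructed sample rows in the same shape as the output shown above
$sample = @"
Computer,Status,BTIHWPr,BTIWinPr,BTIWinEn,BTIDisSP,BTINoHWSup,KVAShdwRq,KVIWinPr,KVIWinEn,KVIPcidEn
HOST-A,OK,False,False,False,False,False,True,False,False,False
HOST-B,Error,,,,,,,,,
HOST-C,OK,True,True,True,False,False,True,True,True,True
HOST-D,Offline,,,,,,,,,
"@ | ConvertFrom-Csv

$sample | Get-SpeculationControlGaps | Sort-Object State | Format-Table -AutoSize
```

For a real export, replace the sample with Import-Csv on the path passed to -CSV and pipe it into the same function.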

Timothy

It's Coming Any Day Now...

Thanks to the help I've gotten from some great alpha testers, RD Tabs 3.0 Public Beta is almost ready.  There are just a few more bugs to squash, graphics to tweak, and documentation to update and RD Tabs will be back!  Keep watching this space...

Timothy

Windows 10 Controlled Folder Access

Well this is an interesting feature I had not heard about until today.  I haven't been following the buzz about Fall Creators Update as closely as I should have, apparently.  With Controlled Folder Access, Windows 10 adds a type of second layer Access Control List to any folder you specify.  This is an interesting approach.  It differs from NTFS permissions in that you can whitelist applications, rather than users.  So even though I have Full Control / Owner of my OneDrive folder, if I add Controlled Folder Access, I will still get access denied when saving a file from Excel there unless I whitelist Excel.

It's not perfect.  You have to opt-in folders, presumably your most sensitive or precious (documents, pictures, etc.) and applications, which is a lot of effort.  Though there are GPOs to govern this feature, so it could be handy in the enterprise on strictly controlled machines.

What I would like to see added to this feature is automatic enrollment for an application's AppData folders.  For example, the installer or application could have a manifest that defines where they are putting their application data under AppData and what application is allowed to read and/or modify it.  Keep the ability of the user to control this from Defender, so you can manually opt-in other apps.

Source: https://www.bleepingcomputer.com/news/microsoft/windows-10s-controlled-folder-access-anti-ransomware-feature-is-now-live/
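
The opt-in described above can also be done from PowerShell with the Defender cmdlets, starting in audit mode so you can see what would be blocked before enforcing. This is an added example, not from the linked article; the OneDrive and Excel paths are assumptions for illustration.

```powershell
# Run elevated on Windows 10 Fall Creators Update or later with Defender active.
# Both paths are assumptions; adjust to the machine being configured.
$folder = Join-Path $env:USERPROFILE "OneDrive"
$excel  = "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# 1. Start in audit mode: writes to protected folders are logged, not blocked
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $folder

# 2. After a period of normal use, review what would have been denied.
#    Event 1124 = audited write, event 1123 = blocked write.
$filter = @{ LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1123, 1124 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Allow the applications that legitimately write there, then enforce
Add-MpPreference -ControlledFolderAccessAllowedApplications $excel
Set-MpPreference -EnableControlledFolderAccess Enabled

# 4. Confirm the resulting configuration
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```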

Timothy

System Center Operations Manager (SCOM) Community Management Pack Catalog

This is really great.  SquaredUp, the company behind the amazing third party web portal for SCOM/OpsMgr, has launched a new open source community effort to build a catalog for SCOM for free, open source, commercial, and paid management packs.  This is something Microsoft has in the pipeline for the 2018 release, though only for large vendors, but there's nothing really that great out there right now.  I just finished the webinar about the launch of this effort.  I'm installing the MP now!  It works on SCOM 2012-2016.  The repository itself is hosted on GitHub.

Timothy

3.0 is coming...

RD Tabs ain't dead yet!  I've been working on the next version for about the past year here and there after taking way too long of a break from it.  What can I say, life happens sometimes.  But enough of that.  The new version has a lot of cool features in the works.  The UI is refreshed, there's PowerShell integration, colored tabs, full Windows 10 / Server 2016 support, no more .Net 2.0/3.5 dependency, better support for high DPI monitors, a TON of under-the-hood improvements, like dumping the .Net "settings" for a more reliable custom XML settings system with automatic settings history (no more corrupted user.config files!!), new command line options, better password security, automatic 64/32-bit support, locked aspect ratio scaling, too many fixed bugs to count, improved memory management, the new "Quick View" feature, better split screen support, improved exception handling, and a lot more I'm forgetting.

You can toss out the road map in the forums (in fact I will later on), because it's been so long, I'm going to start with a clean slate right here with this new version being version 3.0.  I'll start working on a new road map after release.  One of the key takeaways I've had over all this time is to not bite off more than I can chew.  I got too deep in major code refactoring in multiple areas of RD Tabs simultaneously and it got so boring and such a drag, I just gave up for a while.  Well, I've put it all back together and in the future I'm going to do smaller more agile releases.  After release you'll see bug fix releases for a little while, then I'll commit to just 2-3 features or major improvements for the next release.  That way I'm more likely to finish in a few months rather than years.  Hopefully, over the course of a year it will add up to be pretty significant.  After all, I use this tool daily too!  So I want to see improvements on a faster cadence.

And now the biggest announcement.  While RD Tabs will continue to be free to use, I'm going to also start building out a "Premium" version which includes priority support and enterprise features, like shared favorites, active directory integration, a portable thumbdrive version, help desk features, and more.

I know better than to assign an exact date, but let's just say the beta version is "coming soon."  So if you want to be a tester...

Stay tuned! 

Timothy

New Faster System Center Product Release Cadence

"The reports of my death are greatly exaggerated." - Mark Twain

For a few years now, there's been a lot of confusion about the future of System Center in the Microsoft product portfolio.  Updates had become less frequent and less impressive.  New product offerings on the Azure side seem to directly compete with classic System Center.  And a few products are clearly EOL (Orchestrator, most notably).

One big exception was Configuration Manager, which adopted a more frequent update cadence and in principle was not well-suited for the cloud (not that that has stopped Microsoft before).  Data Protection Manager (DPM) also stood out somewhat because its 2016 release added a lot of long requested features, but it was still stuck in the long multi-year update cycle.

Well, it seems now Microsoft is getting back to showing System Center some love.  They are going to start pushing out the frequent update model to Operations Manager, Virtual Machine Manager, and Data Protection Manager.  This is great news for those of us with Hybrid and On-Premises deployments.  Azure is fantastic, and the new features which are rapidly rolling out are amazing, but not every workload can move to the cloud, nor should every workload move to the cloud (keep your tech stack diverse).  Plus, OpsMgr and DPM, in particular, are very useful in many Azure deployments.

As Microsoft makes this transition, they are also asking for feedback from OpsMgr users.  This is a good time to let them know the direction you want the product to take.

Timothy

Website Refresh!

I've updated the website theme with a brand new responsive design theme.  It seems to have fixed a lot of styling issues I never got to over the years.  There are still some tweaks to be done, but I'm pretty happy with it!  Let me know if any pages are unreadable.

Timothy

House Cleaning!

The forums have been long neglected and were overwhelmed with spam.  I cleaned it all up tonight.  I also did some software updates for the website.  There's still some work left to be done.  But, hopefully at the very least, the forums will be usable again if you need support on RD Tabs.

Timothy

Enumerating Nested Group Members in System Center Operations Manager Groups with PowerShell

I finally found a way to reliably return all members of a SCOM group, including members of subgroups (nested groups).  I don't know why Microsoft made this so difficult.  Anyway, other online solutions suggest using the GetRelatedMonitoringObjects() method on the group, but it was unreliable and didn't work for all object types.  The method below seems to work for everything.  The main difference is that this PowerShell function recursively enumerates groups, but the trick is how do you reliably tell if a class instance is a group?  Well, thankfully, you can just pipe the class instance into Get-SCOMGroup and if it returns $null, it's not a group!  This function lets you enumerate groups by DisplayName or Class Instance object (from Get-SCOMGroup).

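Function Get-SCOMGroupMembers($group) {
    # Accept either a display name or a group object from Get-SCOMGroup
    if ($group -is [string]) {
        $group = Get-SCOMGroup -DisplayName $group
    }

    $group | Get-SCOMClassInstance | ForEach-Object {
        # Get-SCOMGroup returns $null for anything that is not a group
        if ($null -ne ($_ | Get-SCOMGroup)) {
            Get-SCOMGroupMembers $_   # nested group: recurse into it
        } else {
            $_                        # leaf member: emit it
        }
    }
}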
