Search This Blog

Thursday, February 20, 2020

How to list attached ISO files to all Hyper-V machines

The event log for one of my Hyper-V hosts was full of "Failed to get disk information" errors, saying that it could not find attached ISO file. So I needed a command to list all VMs and their attached ISO files. To list all attached ISO files you just simply run this Powershell command:

Get-VMDvdDrive -VMName *

Thursday, February 13, 2020

How to clear local GPO cache

Group Policy is a very mature technology and it works near 100% of time. Recently I had one of these rare case when there were Group Policy issues.
The policy was removed from computer but the settings were left on the computer, gpupdate /force also did not help.
The solution was to clear local computer GPO cache. To do that, first you need to run Powershell as administrator and then execute this command:

Remove-Item "$env:windir\system32\GroupPolicy" -Force -Recurse

Tuesday, February 11, 2020

What is Configuration Manager baseline version?

If you hear the term Configuration Manager "baseline version" and don't know what it is, then here is a short explanation:

Configuration Manager baseline version can be used for new Configuration Manager installations, but non-baseline versions cannot. For example, if you want to install new Configuration Manager 1910 site, the you first need to install Configuration Manager 1902, which is a baseline version and then use in-console updates to upgrade to version 1910.

The updated list of Configuration Manager baseline versions and terminology is here https://docs.microsoft.com/en-us/configmgr/core/servers/manage/updates

There will not be a separate Windows 10 ADK version for build 1909

Windows Assessment and Deployment Kit (ADK) is a toolkit for assisting in Windows operating system deployment. So far Microsoft had released ADK for each Windows 10 build.
This has changed for Windows 10 v1909 as there will be no ADK for v1909, so version v1903 remains the latest at the moment and you can use it to deploy Windows 10 v1909.




https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install

Friday, February 7, 2020

Is it possible to convert Windows Server 2016 / 2019 from Desktop Experience to Core?

Recently I was asked if it was possible to convert Windows Server 2019 from Desktop Experience to Core version. I certainly new that this was possible but was not sure about Windows Server 2016 / 2019.
Apparently there is no way to convert Windows Server 2016 or 2019 from Desktop Experience to Core as documented here https://docs.microsoft.com/lv-lv/windows-server/get-started/getting-started-with-server-core?redirectedfrom=MSDN


Monday, February 3, 2020

Step-by-step: Prevent weak passwords in Active Directory using Azure AD Password Protection

Hello guys,

I already posted a few main details about Azure AD Password Protection, and here is a step-by-step guide how to implement it in your Active Directory.
Before you start, make sure that all the latest Windows updates have been installed and have Global Admin rights in Azure AD and Domain Admin rights in Active Directory.

1. Configure Azure AD

Go to the Azure Portal - Azure Active Directory - Security - Authentication Methods - Password Protection and enable password protection for Windows Active Directory and set the mode to audit.



2. Download the agents

Download the Azure AD DC agent and Azure AD Proxy Service agent, both can be found here

3. Install the Azure AD Proxy Service agent

Run the AzureADPasswordProtectionProxySetup.exe file, accept licence agreement and click install.


Open Powershell as administrator and execute these commands:

  1. Import-Module AzureADPasswordProtection
  2. Register-AzureADPasswordProtectionProxy -AccountUpn 'yourglobaladmin@yourtenant.onmicrosoft.com'
  3. Register-AzureADPasswordProtectionForest -AccountUpn 'yourglobaladmin@yourtenant.onmicrosoft.com'
  4. Use this command to check the configuration: 
  5. Get-AzureADPasswordProtectionProxyConfiguration | fl

4. Install the Azure AD DC agent

DC agent installation is as easy as it could be (except that it requires restart) - just run the installation file AzureADPasswordProtectionDCAgentSetup.msi on the domain controller, accept licence agreement and click Install:


Then click Finish and choose if you want to restart immediately:



4. Monitor weak passwords

Once installed you can monitor weak passwords in Event log under Applications and Services Logs - Microsoft - AzureADPasswordProtection - DCAgent - Admin



5. Block weak passwords

When you are ready configure Azure AD Password Protection Enforced mode to block the passwords. See the first step of this guide step .