Windows Server 2016 – WUSA Event ID: 3 “The referenced assembly could not be found”


___________________________________________________________________________________________________________________________

IMPORTANT ANNOUNCEMENT FOR OUR READERS!

AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!

__________________________________________________________________________________________________________________________

 

Hi this is Michael Koeppl from the Support for Mission Critical team again. This time I wanted to walk you through a recent troubleshooting scenario I had at my customer.

14 out of 2150 Server 2016 systems reported an error when my customer tried to install the latest monthly rollup hotfix.

Normally, to be honest with you, we wouldn’t even bother, as the number of systems is so low that it can almost fly under the radar. The customer usually re-installs the machines in question, but this time, as all of them showed the same error, they sent me the list of affected machines and I started to investigate.

As I knew there was an issue with patch installation, I instantly turned to DISM and checked the CBS store for any kind of corruption:

C:\>dism /online /cleanup-image /scanhealth

Deployment Image Servicing and Management tool

Version: 10.0.14393.0

Image Version: 10.0.14393.2457

[==========================100.0%==========================] No component store corruption detected.

The operation completed successfully.

Repair a Windows Image

https://docs.microsoft.com/de-de/windows-hardware/manufacture/desktop/repair-a-windows-image

Okay no joy, what next?

I manually tried to install the January rollup (KB4480977) as this is the one my customer tried to install as well. For a list of all available monthly rollup packages visit: https://support.microsoft.com/en-us/help/4000825 for S2016

Here’s the error message we were getting

Log Name:      Setup

Source:        Microsoft-Windows-WUSA

Date:          26.03.2019 12:47:41

Event ID:      3

Task Category: None

Level:         Error

Keywords:

User:          DomainAdminUser

Computer:      MyPC.domain.de

Description:

Windows update "Update for Windows (KB4480977)" could not be installed because of error 2147956481 "The referenced assembly could not be found." (Command line: ""C:\Windows\system32\wusa.exe" "C:\tmp\windows10.0-kb4480977-x64.msu" ")

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WUSA" Guid="{09608C12-C1DA-4104-A6FE-B959CF57560A}" />
    <EventID>3</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-03-26T11:47:41.355709400Z" />
    <EventRecordID>109</EventRecordID>
    <Correlation />
    <Execution ProcessID="4824" ThreadID="9044" />
    <Channel>Setup</Channel>
    <Computer>MyPC.domain.de</Computer>
    <Security UserID="S-1-5-21-4188125556-1267690402-888888790447-0000" />
  </System>
  <EventData>
    <Data Name="UpdateTitle">"Update for Windows (KB4480977)"</Data>
    <Data Name="ErrorCode">2147956481</Data>
    <Data Name="ErrorString">The referenced assembly could not be found.</Data>
    <Data Name="CommandLine">"C:\Windows\system32\wusa.exe" "C:\tmp\windows10.0-kb4480977-x64.msu" </Data>
  </EventData>
</Event>

Okay, let’s have a look at the CBS.log file, which can be found at \windows\logs\cbs

2019-03-26 12:40:12, Error                 CSI    0000001a@2019/3/26:11:40:12.185 (F) onecorebasewcpcomponentstorecsd_locking.cpp(200): Error STATUS_SXS_ASSEMBLY_MISSING originated in function CCSDirectTransaction::LockComponent expression: (null)

[gle=0x80004005]

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCBS.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCbsPersist_20190326072401.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCbsPersist_20190324034222.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCbsPersist_20190324001230.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCbsPersist_20190323234238.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCbsPersist_20190323230433.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Not able to add pending.xml to Windows Error Report. [HRESULT = 0x80070002 – ERROR_FILE_NOT_FOUND]

2019-03-26 12:40:12, Info                  CBS    Not able to add pending.xml.bad to Windows Error Report. [HRESULT = 0x80070002 – ERROR_FILE_NOT_FOUND]

2019-03-26 12:40:12, Info                  CBS    Not able to add poqexec.log to Windows Error Report. [HRESULT = 0x80070002 – ERROR_FILE_NOT_FOUND]

2019-03-26 12:40:12, Error                 CSI    0000001b (F) STATUS_SXS_ASSEMBLY_MISSING #1760302# from CCSDirectTransaction::OperateEnding at index 0 of 1 operations, disposition 2[gle=0xd015000c]

2019-03-26 12:40:12, Error                 CSI    0000001c (F) HRESULT_FROM_WIN32(ERROR_SXS_ASSEMBLY_MISSING) #1760150# from Windows::ServicingAPI::CCSITransaction::ICSITransaction_PinDeployment(Flags = 0, a = cd4484f3ed27edafc9d99e613bb62654, version 10.0.14393.2457, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}, cb = (null), s = (null), rid = ‘Package_7763_for_KB4462917~31bf3856ad364e35~amd64~~10.0.1.7.4462917-16739_neutral’, rah = ‘3’, manpath = (null), catpath = (null), ed = 0, disp = 0)[gle=0x80073701]

2019-03-26 12:40:12, Info                  CBS    Failed to pin deployment while resolving Update: Package_7763_for_KB4462917~31bf3856ad364e35~amd64~~10.0.1.7.4462917-16739_neutral from file: (null) [HRESULT = 0x80073701 – ERROR_SXS_ASSEMBLY_MISSING]

2019-03-26 12:40:12, Info                  CBS    Failed to bulk stage deployment manifest and pin deployment for package:Package_9131_for_KB4480977~31bf3856ad364e35~amd64~~10.0.1.7 [HRESULT = 0x80073701 – ERROR_SXS_ASSEMBLY_MISSING]

2019-03-26 12:40:12, Info                  CBS    CommitPackagesState: Started persisting state of packages

2019-03-26 12:40:12, Info                  CBS    CommitPackagesState: Completed persisting state of packages

2019-03-26 12:40:12, Info                  CSI    0000001d@2019/3/26:11:40:12.294 CSI Transaction @0x27526657710 destroyed

2019-03-26 12:40:12, Info                  CBS    Perf: Resolve chain complete.

2019-03-26 12:40:12, Info                  CBS    Failed to resolve execution chain. [HRESULT = 0x80073701 – ERROR_SXS_ASSEMBLY_MISSING]

2019-03-26 12:40:12, Error                 CBS    Failed to process single phase execution. [HRESULT = 0x80073701 – ERROR_SXS_ASSEMBLY_MISSING]

2019-03-26 12:40:12, Info                  CBS    WER: Generating failure report for package: Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.2759.1.7, status: 0x80073701, failure source: Resolve, start state: Absent, target state: Installed, client id: WindowsUpdateAgent

2019-03-26 12:40:12, Info                  CBS    Not able to query DisableWerReporting flag.  Assuming not set… [HRESULT = 0x80070002 – ERROR_FILE_NOT_FOUND]

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCBS.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCbsPersist_20190326072401.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCbsPersist_20190324034222.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCbsPersist_20190324001230.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCbsPersist_20190323234238.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Added C:WindowsLogsCBSCbsPersist_20190323230433.log to WER report.

2019-03-26 12:40:12, Info                  CBS    Not able to add %windir%winsxspoqexec.log to WER report. [HRESULT = 0x80070002 – ERROR_FILE_NOT_FOUND]

2019-03-26 12:40:12, Info                  CBS    Not able to add %windir%winsxspending.xml to WER report. [HRESULT = 0x80070002 – ERROR_FILE_NOT_FOUND]

2019-03-26 12:40:12, Info                  CBS    Not able to add %windir%winsxspending.xml.bad to WER report. [HRESULT = 0x80070002 – ERROR_FILE_NOT_FOUND]

2019-03-26 12:40:12, Info                  CBS    Reboot mark cleared

2019-03-26 12:40:12, Info                  CBS    Winlogon: Simplifying Winlogon CreateSession notifications

2019-03-26 12:40:12, Info                  CBS    Winlogon: Deregistering for CreateSession notifications

2019-03-26 12:40:12, Info                  CBS    FinalCommitPackagesState: Started persisting state of packages

2019-03-26 12:40:12, Info                  CBS    Reporting package change for package: Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.2759.1.7, current: Absent, pending: Default, start: Absent, applicable: Installed, target: Installed, limit: Installed, hotpatch status: StillGoing, status: 0x0, failure source: Resolve, reboot required: False, client id: WindowsUpdateAgent, initiated offline: False, execution sequence: 161, first merged sequence: 161, reboot reason: REBOOT_NOT_REQUIRED, RM App session: -1, RM App name: N/A, FileName in use: N/A, release type: Update, release quality: final, OC operation: False, download source: 0, download time (secs): 4294967295, download status: 0x0 (S_OK), Express download: False, Download Size: 0

2019-03-26 12:40:13, Info                  CBS    SQM: Package change report datapoints not populated because SQM is not initialized or not running online.

2019-03-26 12:40:13, Info                  CBS    Reporting package change completion for package: Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.2759.1.7, current: Absent, original: Absent, target: Installed, status: 0x80073701, failure source: Resolve, failure details: “(null)”, client id: WindowsUpdateAgent, initiated offline: False, execution sequence: 161, first merged sequence: 161, pending decision: InteractiveInstallFailed, primitive execution context: Interactive Flight: False

2019-03-26 12:40:13, Info                  CBS    The store corruption status report is incomplete. [HRESULT = 0x80070002 – ERROR_FILE_NOT_FOUND]

2019-03-26 12:40:13, Info                  CBS    Resolve time performance datapoint is invalid. [HRESULT = 0x80070490 – ERROR_NOT_FOUND]

2019-03-26 12:40:13, Info                  CBS    Stage time performance datapoint is invalid. [HRESULT = 0x80070490 – ERROR_NOT_FOUND]

2019-03-26 12:40:13, Info                  CBS    Execute time performance datapoint is invalid. [HRESULT = 0x80070490 – ERROR_NOT_FOUND]

2019-03-26 12:40:13, Info                  CBS    SQM: Package change report datapoints not populated because SQM is not initialized or not running online.

2019-03-26 12:40:13, Info                  CBS    FinalCommitPackagesState: Completed persisting state of packages

2019-03-26 12:40:13, Info                  CBS    Enabling LKG boot option

2019-03-26 12:40:13, Info                  CBS    Exec: Processing complete.  Session: 30729156_3451904436, Package: Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.2759.1.7 [HRESULT = 0x80073701 – ERROR_SXS_ASSEMBLY_MISSING]

2019-03-26 12:43:05, Info                  CBS    Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP

2019-03-26 12:43:05, Info                  CBS    TiWorker signaled for shutdown, going to exit.

2019-03-26 12:43:05, Info                  CBS    CbsCoreFinalize: ExecutionEngineFinalize

2019-03-26 12:43:05, Info                  CBS    Ending the TiWorker main loop.

Ohhhhh, okay well…..so lots of ASSEMBLY errors as well. Well, that at least matches what we saw in the event log …but where to start?

It’s particularly hard to read here because there are more line breaks than in the original cbs.log file, but I’ve marked the interesting things above.

Look at the package name / number we tried to install

Failed to bulk stage deployment manifest and pin deployment for package:Package_9131_for_KB4480977~31bf3856ad364e35~amd64~~10.0.1.7 [HRESULT = 0x80073701 – ERROR_SXS_ASSEMBLY_MISSING]

This is the January KB we tried to install (KB4480977) and the error is ERROR_SXS_ASSEMBLY_MISSING

Okay, but can you spot an identical error just before?

2019-03-26 12:40:12, Error                 CSI    0000001b (F) STATUS_SXS_ASSEMBLY_MISSING #1760302# from CCSDirectTransaction::OperateEnding at index 0 of 1 operations, disposition 2[gle=0xd015000c]

2019-03-26 12:40:12, Error                 CSI    0000001c (F) HRESULT_FROM_WIN32(ERROR_SXS_ASSEMBLY_MISSING) #1760150# from Windows::ServicingAPI::CCSITransaction::ICSITransaction_PinDeployment(Flags = 0, a = cd4484f3ed27edafc9d99e613bb62654, version 10.0.14393.2457, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}, cb = (null), s = (null), rid = ‘Package_7763_for_KB4462917~31bf3856ad364e35~amd64~~10.0.1.7.4462917-16739_neutral’, rah = ‘3’, manpath = (null), catpath = (null), ed = 0, disp = 0)[gle=0x80073701]

2019-03-26 12:40:12, Info                  CBS    Failed to pin deployment while resolving Update: Package_7763_for_KB4462917~31bf3856ad364e35~amd64~~10.0.1.7.4462917-16739_neutral from file: (null) [HRESULT = 0x80073701 – ERROR_SXS_ASSEMBLY_MISSING]

As you can see, the very same error is reported for an already installed patch, in this case the October 2018 (KB4462917) rollup.

 

The solution, for those of you who are eager to know, was to uninstall the patch which reported the error first: KB4462917. This can be done either through Control Panel → View installed updates → Uninstall or, as in our case, with DISM again to automate it.

1st get a list of all installed packages

dism /online /get-packages /format:table

2nd from this list find the package name for the one you want to uninstall

DISM.exe /Online /Remove-Package /PackageName:Package_for_KB2870699~31bf3856ad364e35~amd64~~6.2.1.1 /quiet /norestart

After that we were able to install any of the monthly rollup patches again without any issues.
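The log reading described above can be scripted. The following is an added example, not code from the original post: it scans CBS.log lines for the two message types discussed (the pin failure for the already installed package and the bulk-stage failure for the update being installed) and reports the KB numbers involved. The function name `Find-CbsAssemblyMissing` and the role labels are made up for this illustration; the three sample lines are taken from the log excerpt above, with plain ASCII hyphens.

```powershell
# Added example (not from the original post).
# Finds which package CBS could not pin because of ERROR_SXS_ASSEMBLY_MISSING
# (0x80073701) and which update was being installed when that happened.
function Find-CbsAssemblyMissing {
    [CmdletBinding()]
    param(
        # CBS.log lines, for example from Get-Content "$env:windir\Logs\CBS\CBS.log"
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        # Message prefixes exactly as they appear in the log excerpt above.
        # "Culprit" and "Target" are labels invented for this example.
        $rules = [ordered]@{
            Culprit = 'Failed to pin deployment while resolving Update:\s*'
            Target  = 'Failed to bulk stage deployment manifest and pin deployment for package:\s*'
        }
        # Package_<n>_for_KB<number>~<publisher token>~<arch>~~<version>
        $packageRx = '(?<pkg>Package_\d+_for_(?<kb>KB\d+)~[^\s\]]+)'
        $seen = @{}
    }
    process {
        foreach ($text in $Line) {
            # Only lines carrying the HRESULT for ERROR_SXS_ASSEMBLY_MISSING matter.
            if ($text -notmatch '0x80073701') { continue }

            foreach ($role in $rules.Keys) {
                $m = [regex]::Match($text, $rules[$role] + $packageRx)
                if (-not $m.Success) { continue }

                # Report each role/KB pair once; retries repeat the same lines.
                $key = '{0}/{1}' -f $role, $m.Groups['kb'].Value
                if ($seen.ContainsKey($key)) { continue }
                $seen[$key] = $true

                [pscustomobject]@{
                    Role      = $role
                    KB        = $m.Groups['kb'].Value
                    Package   = $m.Groups['pkg'].Value
                    Timestamp = ($text -split ',', 2)[0]
                }
            }
        }
    }
}

# Sample input: three lines from the CBS.log excerpt above.
$sample = @(
    '2019-03-26 12:40:12, Info                  CBS    Failed to pin deployment while resolving Update: Package_7763_for_KB4462917~31bf3856ad364e35~amd64~~10.0.1.7.4462917-16739_neutral from file: (null) [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]'
    '2019-03-26 12:40:12, Info                  CBS    Failed to bulk stage deployment manifest and pin deployment for package:Package_9131_for_KB4480977~31bf3856ad364e35~amd64~~10.0.1.7 [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]'
    '2019-03-26 12:40:12, Info                  CBS    Perf: Resolve chain complete.'
)

$findings = @($sample | Find-CbsAssemblyMissing)
$findings | Format-Table Role, KB, Timestamp -AutoSize

# The culprit is the already installed update, not the one being installed.
# Print the lookup to run against the DISM listing from step 1; the exact
# package identity to pass to /Remove-Package is taken from that listing.
foreach ($c in ($findings | Where-Object Role -eq 'Culprit')) {
    "dism /online /get-packages /format:table | Select-String $($c.KB)"
}
```

On an affected server, replace `$sample` with `Get-Content "$env:windir\Logs\CBS\CBS.log"`; across a fleet, the per-machine results show whether all systems fail on the same earlier KB.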

Other related but not purposeful geek trivia for you to know.

I first had the idea that just some RegKey is missing or corrupt, so I checked the referenced key from the CBS.log.

Registry :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_7763_for_KB4462917~31bf3856ad364e35~amd64~~10.0.1.7

As you can see, the LastError “0x80073701” matches the one from the CBS.log, and the CurrentState, which is 112 dec, means installed.

Applicable/Current State   Hex    Dec
------------------------   ----   ---
Absent                     0      0
Uninstall Pending          0x5    5
Resolving                  0x10   16
Resolved                   0x20   32
Staging                    0x30   48
Staged                     0x40   64
Superseded                 0x50   80
Install Pending            0x60   96
Partially Installed        0x65   101
Installed                  0x70   112
Permanent                  0x80   128

For a complete list and more information, visit https://blogs.technet.microsoft.com/tip_of_the_day/2015/10/12/tip-of-the-day-cbs-servicing-states-chart-refresher/

This didn’t help in the end; the only proper solution is to remove the patch which is reporting the assembly error first and either re-install that one or, if available, a newer one.

Thanks for reading

Michael


It’s that time again: Windows Server Summit 2019!


This blog post was authored by Dianna Marks, Product Marketing Manager, Azure Marketing.

It’s that time of the year again! Spring is in the air and Windows Server Summit is right around the corner. On May 22nd at Windows Server Summit 2019 you can discover how Windows Server can help you deliver your hybrid cloud strategy as well as gain tips on how to modernize your evolving infrastructure. The great thing about Windows Server Summit is that you can attend from anywhere in the world since it is all virtual; just kick up your feet and hit the link to join.

This year expect to deep dive into technical Windows Server content covered by leading industry experts. Some of the heavy hitters you’ll hear from include leaders from the product team like Jeff Woolsey, Ned Pyle, Cosmos Darwin, and Haley Rowland. We’ll even have a fireside chat with experts from our Windows Server community and live Q&A. You don’t want to miss this!

Sign up now for Windows Server Summit 2019.

What’s included in the event?

  • Innovations in Microsoft Hybrid Strategy: Deep dive into Microsoft’s hyper-converged technologies and how to add hybrid services from Azure.
  • Modernize Windows Server apps and workloads: Learn about security, Remote Desktop Services (RDS), containers, and application compatibility.
  • New in management and security: See what’s new in Windows Admin Center, System Center 2019, and Windows Server 2019 – making it easier to deploy, manage, and monitor Windows Server anywhere.
  • Insights and best practices: Fireside chat with Windows Server community experts.
  • Looking ahead: Learn more about Windows Server Semi-Annual Channel and Windows Server on Azure.

In the meantime, check out our latest and greatest products:

Windows Server 2019

Leverage the benefits of the cloud in a hybrid cloud environment with Azure services now available in the latest release of Windows Server 2019.

Windows Admin Center

It couldn’t be easier to manage servers, clusters, and hyper-converged infrastructures than on Windows Admin Center. Download the latest release of Windows Admin Center and see it for yourself!

Azure Stack HCI

Run virtual machines on-premises and easily connect to Azure with a Hyper-Converged Infrastructure (HCI) solution. Learn more on our new Azure Stack HCI page.

Get a head start

Check out the on-demand videos on our Windows Server Summit page.

As you can see, we have lots of great new content to share with you. Stay tuned as we continue to provide more about Windows Server Summit 2019. We can’t wait to see you at the event!

The post It’s that time again: Windows Server Summit 2019! appeared first on Windows Server Blog.

Using PSScriptAnalyzer to check PowerShell version compatibility


PSScriptAnalyzer version 1.18 was released recently, and ships with powerful new rules that can check PowerShell scripts for incompatibilities with other PowerShell versions and environments.

In this blog post, the first in a series, we’ll see how to use these new rules to check a script for problems running on PowerShell 3, 5.1 and 6.

Wait, what’s PSScriptAnalyzer?

PSScriptAnalyzer is a module providing static analysis (or linting) and some dynamic analysis (based on the state of your environment) for PowerShell. It’s able to find problems and fix bad habits in PowerShell scripts as you create them, similar to the way the C# compiler will give you warnings and find errors in C# code before it’s executed.

If you use the VSCode PowerShell extension, you might have seen the “green squigglies” and problem reports that PSScriptAnalyzer generates for scripts you author:

[Image: PSScriptAnalyzer linting in VSCode with green squigglies]

You can install PSScriptAnalyzer to use on your own scripts with:

Install-Module PSScriptAnalyzer -Scope CurrentUser

PSScriptAnalyzer works by running a series of rules on your scripts, each of which independently assesses some issue. For example AvoidUsingCmdletAliases checks that aliases aren’t used in scripts, and MisleadingBackticks checks that backticks at the ends of lines aren’t followed by whitespace.

For more information, see the PSScriptAnalyzer deep dive blog series.

Introducing the compatibility check rules

The new compatibility checking functionality is provided by three new rules:

  • PSUseCompatibleSyntax, which checks whether a syntax used in a script will work in other PowerShell versions.
  • PSUseCompatibleCommands, which checks whether commands used in a script are available in other PowerShell environments.
  • PSUseCompatibleTypes, which checks whether .NET types and static methods/properties are available in other PowerShell environments.

The syntax check rule simply requires a list of PowerShell versions you want to target, and will tell you if a syntax used in your script won’t work in any of those versions.

The command and type checking rules are more sophisticated and rely on profiles (catalogs of commands and types available) from commonly used PowerShell platforms. They require configuration to use these profiles, which we’ll go over below.

For this post, we’ll look at configuring and using PSUseCompatibleSyntax and PSUseCompatibleCommands to check that a script works with different versions of PowerShell. We’ll look at PSUseCompatibleTypes in a later post, although it’s configured very similarly to PSUseCompatibleCommands.

Working example: a small PowerShell script

Imagine we have a small (and contrived) archival script saved to .\archiveScript.ps1:

# Import helper module to get folders to archive
Import-Module -FullyQualifiedName @{ ModuleName = 'ArchiveHelper'; ModuleVersion = '1.1' }

$paths = Get-FoldersToArchive -RootPath 'C:\Documents\DocumentsToArchive'
$archiveBasePath = '\\ArchiveServer\DocumentArchive'

# Dictionary to collect hashes
$hashes = [System.Collections.Generic.Dictionary[string, string]]::new()
foreach ($path in $paths)
{
    # Get the hash of the file as a hexadecimal string
    $hash = (Get-FileHash -LiteralPath $path).Hash

    # Add this file to the hash catalog
    $hashes[$hash] = $path

    # Now give the archive a unique name and zip it up
    $name = Split-Path -LeafBase $path
    Compress-Archive -LiteralPath $path -DestinationPath (Join-Path $archiveBasePath "$name-$hash.zip")
}

# Add the hash catalog to the archive directory
ConvertTo-Json $hashes | Out-File -LiteralPath (Join-Path $archiveBasePath "catalog.json") -NoNewline

This script was written in PowerShell 6.2, and we’ve tested that it works there. But we also want to run it on other machines, some of which run PowerShell 5.1 and some of which run PowerShell 3.0.

Ideally we will test it on those other platforms, but it would be nice if we could try to iron out as many bugs as possible ahead of time.

Checking syntax with PSUseCompatibleSyntax

The first and easiest rule to apply is PSUseCompatibleSyntax. We’re going to create some settings for PSScriptAnalyzer to enable the rule, and then run analysis on our script to get back any diagnostics about compatibility.

Running PSScriptAnalyzer is straightforward. It comes as a PowerShell module, so once it’s installed on your module path you just invoke it on your file with Invoke-ScriptAnalyzer, like this:

Invoke-ScriptAnalyzer -Path '.\archiveScript.ps1'

A very simple invocation like this one will run PSScriptAnalyzer using its default rules and configurations on the script you point it to.

However, because they require more targeted configuration, the compatibility rules are not enabled by default. Instead, we need to supply some settings to run the syntax check rule. In particular, PSUseCompatibleSyntax requires a list of the PowerShell versions you are targeting with your script.

$settings = @{
    Rules = @{
        PSUseCompatibleSyntax = @{
            # This turns the rule on (setting it to false will turn it off)
            Enable = $true

            # List the targeted versions of PowerShell here
            TargetVersions = @(
                '3.0',
                '5.1',
                '6.2'
            )
        }
    }
}

Invoke-ScriptAnalyzer -Path .\archiveScript.ps1 -Settings $settings

Running this will present us with the following output:

RuleName                            Severity     ScriptName Line  Message
--------                            --------     ---------- ----  -------
PSUseCompatibleSyntax               Warning      archiveScr 8     The constructor syntax
                                                 ipt.ps1          '[System.Collections.Generic.Dictionary[string,
                                                                  string]]::new()' is not available by default in
                                                                  PowerShell versions 3,4

This is telling us that the [dictionary[string, string]]::new() syntax we used won’t work in PowerShell 3. Better than that, in this case the rule has actually proposed a fix:

$diagnostics = Invoke-ScriptAnalyzer -Path .\archiveScript.ps1 -Settings $settings
$diagnostics[0].SuggestedCorrections

File              : C:UsersroholtDocumentsDevsandboxVersionedScriptarchiveScript.ps1
Description       : Use the 'New-Object @($arg1, $arg2, ...)' syntax instead for compatibility with PowerShell versions 3,4
StartLineNumber   : 8
StartColumnNumber : 11
EndLineNumber     : 8
EndColumnNumber   : 73
Text              : New-Object 'System.Collections.Generic.Dictionary[string,string]'
Lines             : {New-Object 'System.Collections.Generic.Dictionary[string,string]'}
Start             : Microsoft.Windows.PowerShell.ScriptAnalyzer.Position
End               : Microsoft.Windows.PowerShell.ScriptAnalyzer.Position

The suggested correction is to use New-Object instead. The way this is suggested might seem slightly unhelpful here with all the position information, but we’ll see later why this is useful.

This dictionary example is a bit artificial of course (since a hashtable would come more naturally), but having a spanner thrown into the works in PowerShell 3 or 4 because of a ::new() is not uncommon. The PSUseCompatibleSyntax rule will also warn you about classes, workflows and using statements depending on the versions of PowerShell you’re authoring for.

We’re not going to make the suggested change just yet, since there’s more to show you first.

Checking command usage with PSUseCompatibleCommands

We now want to check the commands. Because command compatibility is a bit more complicated than syntax (since the availability of commands depends on more than what version of PowerShell is being run), we have to target profiles instead.

Profiles are catalogs of information taken from stock machines running common PowerShell environments. The ones shipped in PSScriptAnalyzer can’t always match your working environment perfectly, but they come pretty close (there’s also a way to generate your own profile, detailed in a later blog post). In our case, we’re trying to target PowerShell 3.0, PowerShell 5.1 and PowerShell 6.2 on Windows. We have the first two profiles, but in the last case we’ll need to target 6.1 instead. These targets are very close, so warnings will still be pertinent to using PowerShell 6.2. Later when a 6.2 profile is made available, we’ll be able to switch over to that.

We need to look under the PSUseCompatibleCommands documentation for a list of profiles available by default. For our desired targets we pick:

  • PowerShell 6.1 on Windows Server 2019 (win-8_x64_10.0.14393.0_6.1.3_x64_4.0.30319.42000_core)
  • PowerShell 5.1 on Windows Server 2019 (win-8_x64_10.0.17763.0_5.1.17763.316_x64_4.0.30319.42000_framework)
  • PowerShell 3.0 on Windows Server 2012 (win-8_x64_6.2.9200.0_3.0_x64_4.0.30319.42000_framework)

The long names on the right are canonical profile identifiers, which we use in the settings:

$settings = @{
    Rules = @{
        PSUseCompatibleCommands = @{
            # Turns the rule on
            Enable = $true

            # Lists the PowerShell platforms we want to check compatibility with
            TargetProfiles = @(
                'win-8_x64_10.0.14393.0_6.1.3_x64_4.0.30319.42000_core',
                'win-8_x64_10.0.17763.0_5.1.17763.316_x64_4.0.30319.42000_framework',
                'win-8_x64_6.2.9200.0_3.0_x64_4.0.30319.42000_framework'
            )
        }
    }
}

Invoke-ScriptAnalyzer -Path ./archiveScript.ps1 -Settings $settings

There might be a delay the first time you execute this because the rules have to load the catalogs into a cache. Each catalog of a PowerShell platform contains details of all the modules and .NET assemblies available to PowerShell on that platform, which can be as many as 1700 commands with 15,000 parameters and 100 assemblies with 10,000 types. But once it’s loaded, further compatibility analysis will be fast. We get output like this:

RuleName                            Severity     ScriptName Line  Message
--------                            --------     ---------- ----  -------
PSUseCompatibleCommands             Warning      archiveScr 2     The parameter 'FullyQualifiedName' is not available for
                                                 ipt.ps1          command 'Import-Module' by default in PowerShell version
                                                                  '3.0' on platform 'Microsoft Windows Server 2012
                                                                  Datacenter'
PSUseCompatibleCommands             Warning      archiveScr 12    The command 'Get-FileHash' is not available by default in
                                                 ipt.ps1          PowerShell version '3.0' on platform 'Microsoft Windows
                                                                  Server 2012 Datacenter'
PSUseCompatibleCommands             Warning      archiveScr 18    The parameter 'LeafBase' is not available for command
                                                 ipt.ps1          'Split-Path' by default in PowerShell version
                                                                  '5.1.17763.316' on platform 'Microsoft Windows Server
                                                                  2019 Datacenter'
PSUseCompatibleCommands             Warning      archiveScr 18    The parameter 'LeafBase' is not available for command
                                                 ipt.ps1          'Split-Path' by default in PowerShell version '3.0' on
                                                                  platform 'Microsoft Windows Server 2012 Datacenter'
PSUseCompatibleCommands             Warning      archiveScr 19    The command 'Compress-Archive' is not available by
                                                 ipt.ps1          default in PowerShell version '3.0' on platform
                                                                  'Microsoft Windows Server 2012 Datacenter'
PSUseCompatibleCommands             Warning      archiveScr 23    The parameter 'NoNewline' is not available for command
                                                 ipt.ps1          'Out-File' by default in PowerShell version '3.0' on
                                                                  platform 'Microsoft Windows Server 2012 Datacenter'

This is telling us that:

  • Import-Module doesn’t support -FullyQualifiedName in PowerShell 3.0;
  • Get-FileHash doesn’t exist in PowerShell 3.0;
  • Split-Path doesn’t have -LeafBase in PowerShell 5.1 or PowerShell 3.0;
  • Compress-Archive isn’t available in PowerShell 3.0, and;
  • Out-File doesn’t support -NoNewline in PowerShell 3.0

One thing you’ll notice is that the Get-FoldersToArchive function is not being warned about. This is because the compatibility rules are designed to ignore user-provided commands; a command will only be marked as incompatible if it’s present in some profile and not in one of your targets.

Again, we can change the script to fix these warnings, but before we do, I want to show you how to make this a more continuous experience; as you change your script, you want to know if the changes you make break compatibility, and that’s easy to do with the steps below.

Using a settings file for repeated invocation

The first thing we want is to make the PSScriptAnalyzer invocation more automated and reproducible. A nice step toward this is taking the settings hashtable we made and turning it into a declarative data file, separating out the “what” from the “how”.

PSScriptAnalyzer will accept a path to a PSD1 in the -Settings parameter, so all we need to do is turn our hashtable into a PSD1 file, which we’ll make ./PSScriptAnalyzerSettings.psd1. Notice we can merge the settings for both PSUseCompatibleSyntax and PSUseCompatibleCommands:

# PSScriptAnalyzerSettings.psd1
# Settings for PSScriptAnalyzer invocation.
@{
    Rules = @{
        PSUseCompatibleCommands = @{
            # Turns the rule on
            Enable = $true

            # Lists the PowerShell platforms we want to check compatibility with
            TargetProfiles = @(
                'win-8_x64_10.0.14393.0_6.1.3_x64_4.0.30319.42000_core',
                'win-8_x64_10.0.17763.0_5.1.17763.316_x64_4.0.30319.42000_framework',
                'win-8_x64_6.2.9200.0_3.0_x64_4.0.30319.42000_framework'
            )
        }
        PSUseCompatibleSyntax = @{
            # This turns the rule on (setting it to false will turn it off)
            Enable = $true

            # Simply list the targeted versions of PowerShell here
            TargetVersions = @(
                '3.0',
                '5.1',
                '6.2'
            )
        }
    }
}

Now we can run the PSScriptAnalyzer again on the script using the settings file:

Invoke-ScriptAnalyzer -Path ./archiveScript.ps1 -Settings ./PSScriptAnalyzerSettings.psd1

This gives the output:

RuleName                            Severity     ScriptName Line  Message
--------                            --------     ---------- ----  -------
PSUseCompatibleCommands             Warning      archiveScr 1     The parameter 'FullyQualifiedName' is not available for
                                                 ipt.ps1          command 'Import-Module' by default in PowerShell version
                                                                  '3.0' on platform 'Microsoft Windows Server 2012
                                                                  Datacenter'
PSUseCompatibleCommands             Warning      archiveScr 9     The command 'Get-FileHash' is not available by default in
                                                 ipt.ps1          PowerShell version '3.0' on platform 'Microsoft Windows
                                                                  Server 2012 Datacenter'
PSUseCompatibleCommands             Warning      archiveScr 12    The parameter 'LeafBase' is not available for command
                                                 ipt.ps1          'Split-Path' by default in PowerShell version '3.0' on
                                                                  platform 'Microsoft Windows Server 2012 Datacenter'
PSUseCompatibleCommands             Warning      archiveScr 12    The parameter 'LeafBase' is not available for command
                                                 ipt.ps1          'Split-Path' by default in PowerShell version
                                                                  '5.1.17763.316' on platform 'Microsoft Windows Server
                                                                  2019 Datacenter'
PSUseCompatibleCommands             Warning      archiveScr 13    The command 'Compress-Archive' is not available by
                                                 ipt.ps1          default in PowerShell version '3.0' on platform
                                                                  'Microsoft Windows Server 2012 Datacenter'
PSUseCompatibleCommands             Warning      archiveScr 16    The parameter 'NoNewline' is not available for command
                                                 ipt.ps1          'Out-File' by default in PowerShell version '3.0' on
                                                                  platform 'Microsoft Windows Server 2012 Datacenter'
PSUseCompatibleSyntax               Warning      archiveScr 6     The constructor syntax
                                                 ipt.ps1          '[System.Collections.Generic.Dictionary[string,
                                                                  string]]::new()' is not available by default in
                                                                  PowerShell versions 3,4

Now we don’t depend on any variables anymore, and have a separate specification of the analysis you want. Using this, you could put this into continuous integration environments, for example, to check that changes in scripts don’t break compatibility.
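
One way to wire the settings file into a continuous integration job, as an added example that is not part of the original post. It assumes PowerShell 5.1 or later and PSScriptAnalyzer 1.18 or later on the build agent; the parameter names and repository layout are hypothetical.

```powershell
# Added example (not from the original post): fail a CI job when a script
# breaks compatibility with the targets in PSScriptAnalyzerSettings.psd1.
# Assumptions: PowerShell 5.1+ and PSScriptAnalyzer 1.18+ on the build agent;
# the parameter names and default paths are hypothetical.
[CmdletBinding()]
param(
    # Folder that contains the scripts to analyze
    [string] $ScriptRoot = '.',

    # The settings file created in the step above
    [string] $SettingsPath = './PSScriptAnalyzerSettings.psd1'
)

$ErrorActionPreference = 'Stop'
Import-Module -Name PSScriptAnalyzer

# Guard against a false "clean" result: if a compatibility rule is missing,
# disabled, or has no targets, the analysis would silently check nothing.
$settings = Import-PowerShellDataFile -LiteralPath $SettingsPath
$expected = @{
    PSUseCompatibleSyntax   = 'TargetVersions'
    PSUseCompatibleCommands = 'TargetProfiles'
}
if (-not $settings.Rules) {
    throw "No 'Rules' section found in $SettingsPath"
}
foreach ($rule in $expected.Keys) {
    $config = $settings.Rules[$rule]
    if (-not $config -or -not $config.Enable -or -not $config[$expected[$rule]]) {
        throw "Rule '$rule' is not enabled with '$($expected[$rule])' in $SettingsPath"
    }
}

# Run the analysis and keep only the compatibility findings
$findings = @(
    Invoke-ScriptAnalyzer -Path $ScriptRoot -Recurse -Settings $SettingsPath |
        Where-Object { $expected.ContainsKey($_.RuleName) }
)

# One line per finding, in file/line order, so the CI log is easy to scan
$findings |
    Sort-Object -Property ScriptPath, { $_.Extent.StartLineNumber } |
    ForEach-Object {
        Write-Host ('{0}:{1}: [{2}] {3}' -f
            $_.ScriptPath, $_.Extent.StartLineNumber, $_.RuleName, $_.Message)
    }

if ($findings.Count -gt 0) {
    Write-Host "$($findings.Count) compatibility finding(s)."
    exit 1
}

Write-Host 'No compatibility findings for the configured targets.'
```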

But what we really want is to know that PowerShell scripts stay compatible as you edit them. That’s what the settings file is building to, and also where it’s easiest to make the changes you need to make your script compatible. For that, we want to integrate with the VSCode PowerShell extension.

Integrating with VSCode for on-the-fly compatibility checking

As explained at the start of this post, VSCode PowerShell extension has builtin support for PSScriptAnalyzer. In fact, as of version 1.12.0, the PowerShell extension ships with PSScriptAnalyzer 1.18, meaning you don’t need to do anything other than create a settings file to do compatibility analysis.

We already have our settings file ready to go from the last step, so all we have to do is point the PowerShell extension to the file in the VSCode settings.

You can open the settings with Ctrl+, (use Cmd instead of Ctrl on macOS). In the Settings view, we want PowerShell > Script Analysis: Settings Path. In the settings.json view this is "powershell.scriptAnalysis.settingsPath". Entering a relative path here will find a settings file in our workspace, so we just put ./PSScriptAnalyzerSettings.psd1:

VSCode settings GUI with PSScriptAnalyzer settings path configured to "./PSScriptAnalyzerSettings.psd1"

In the settings.json view this will look like:

"powershell.scriptAnalysis.settingsPath": "./PSScriptAnalyzerSettings.psd1"

Now, opening the script in VSCode we see “green squigglies” for compatibility warnings:

VSCode window containing script, with green squigglies underneath incompatible code

In the problems pane, you’ll get a full description of all the incompatibilities:

VSCode problems pane, listing and describing identified compatibility issues

Let’s fix the syntax problem first. If you remember, PSScriptAnalyzer supplies a suggested correction to this problem. VSCode integrates with PSScriptAnalyzer’s suggested corrections and can apply them if you click on the lightbulb or with Ctrl+Space when the region is under the cursor:

VSCode suggesting New-Object instead of ::new() syntax

Applying this change, the script is now:

Import-Module -FullyQualifiedName @{ ModuleName = 'ArchiveHelper'; ModuleVersion = '1.1' }

$paths = Get-FoldersToArchive -RootPath 'C:\Documents\DocumentsToArchive'
$archivePath = '\\ArchiveServer\DocumentArchive'

$hashes = New-Object 'System.Collections.Generic.Dictionary[string,string]'
foreach ($path in $paths)
{
    $hash = (Get-FileHash -LiteralPath $path).Hash
    $hashes[$hash] = $path
    $name = Split-Path -LeafBase $path
    Compress-Archive -LiteralPath $path -DestinationPath (Join-Path $archivePath "$name-$hash.zip")
}

ConvertTo-Json $hashes | Out-File -LiteralPath (Join-Path $archivePath "catalog.json") -NoNewline

The other incompatibilities don’t have corrections; for now PSUseCompatibleCommands knows what commands are available on each platform, but not what to substitute with when a command isn’t available. So we just need to apply some PowerShell knowledge:

  • Instead of Import-Module -FullyQualifiedName @{...} we use Import-Module -Name ... -Version ...;
  • Instead of Get-FileHash, we’re going to need to use .NET directly and write a function;
  • Instead of Split-Path -LeafBase, we can use [System.IO.Path]::GetFileNameWithoutExtension();
  • Instead of Compress-Archive we’ll need to use more .NET methods in a function, and;
  • Instead of Out-File -NoNewline we can use New-Item -Value

We end up with something like this (the specific implementation is unimportant, but we have something that will work in all versions):

Import-Module -Name ArchiveHelper -Version '1.1'

function CompatibleGetFileHash
{
    param(
        [string]
        $LiteralPath
    )

    try
    {
        $hashAlg = [System.Security.Cryptography.SHA256]::Create()
        $file = [System.IO.File]::Open($LiteralPath, 'Open', 'Read')
        $file.Position = 0
        $hashBytes = $hashAlg.ComputeHash($file)
        return [System.BitConverter]::ToString($hashBytes).Replace('-', '')
    }
    finally
    {
        # Either object may be null if its creation failed
        if ($file) { $file.Dispose() }
        if ($hashAlg) { $hashAlg.Dispose() }
    }
}

function CompatibleCompressArchive
{
    param(
        [string]
        $LiteralPath,

        [string]
        $DestinationPath
    )

    if ($PSVersionTable.PSVersion.Major -le 3)
    {
        # PSUseCompatibleTypes identifies that [System.IO.Compression.ZipFile]
        # isn't available by default in PowerShell 3 and we have to do this.
        # We'll cover that rule in the next blog post.
        Add-Type -AssemblyName System.IO.Compression.FileSystem -ErrorAction Ignore
    }

    [System.IO.Compression.ZipFile]::CreateFromDirectory(
        $LiteralPath,
        $DestinationPath,
        'Optimal',
        <# includeBaseDirectory #> $true)
}

$paths = Get-FoldersToArchive -RootPath 'C:\Documents\DocumentsToArchive'
$archivePath = '\\ArchiveServer\DocumentArchive'

$hashes = New-Object 'System.Collections.Generic.Dictionary[string,string]'
foreach ($path in $paths)
{
    $hash = CompatibleGetFileHash -LiteralPath $path
    $hashes[$hash] = $path
    $name = [System.IO.Path]::GetFileNameWithoutExtension($path)
    CompatibleCompressArchive -LiteralPath $path -DestinationPath (Join-Path $archivePath "$name-$hash.zip")
}

$jsonStr = ConvertTo-Json $hashes
New-Item -Path (Join-Path $archivePath "catalog.json") -Value $jsonStr

You should notice that as you type, VSCode displays new analysis of what you’re writing and the green squigglies drop away. When we’re done we get a clean bill of health for script compatibility:

VSCode window with script and problems pane, with no green squigglies and no problems

This means you’ll now be able to use this script across all the PowerShell versions you need to target. Better, you now have a configuration in your workspace so as you write more scripts, there is continual checking for compatibility. And if your compatibility targets change, all you need to do is change your configuration file in one place to point to your desired targets, at which point you’ll get analysis for your updated target platforms.

Summary

Hopefully in this blog post you got some idea of the new compatibility rules that come with PSScriptAnalyzer 1.18.

We’ve covered how to set up and use the syntax compatibility checking rule, PSUseCompatibleSyntax, and the command checking rule, PSUseCompatibleCommands, both using a hashtable configuration and a settings PSD1 file.

We’ve also looked at using the compatibility rules with the PowerShell extension for VSCode, where they come by default from version 1.12.0.

If you’ve got the latest release of the PowerShell extension for VSCode (1.12.1), you’ll be able to set your configuration file and instantly get compatibility checking.

In the next blog post, we’ll look at how these rules and PSUseCompatibleTypes (which checks if .NET types and static methods are available on target platforms) can be used to help you write scripts that work cross-platform across Windows and Linux using both Windows PowerShell and PowerShell Core.


Rob Holt

Software Engineer

PowerShell Team

The post Using PSScriptAnalyzer to check PowerShell version compatibility appeared first on PowerShell.

Microsoft Edge on iOS and Android now supports conditional access and single sign-on


Microsoft Enterprise Mobility + Security (EMS) is excited to deliver conditional access protection for Microsoft Edge on iOS and Android. This integration expands your management capabilities as you deploy Microsoft Edge for the best browsing experience across all endpoints in the enterprise. Microsoft Edge on iOS and Android with conditional access gives users easy, secure access to Office 365 and all your web apps that use Azure Active Directory, with the same application management and security capabilities that previously required Intune Managed Browser.

 

We are excited to share that the following capabilities are now in public preview for Microsoft Edge on iOS and Android:

  • Microsoft Edge single sign-on (SSO): Your employees can enjoy single sign-on across native clients (such as Microsoft Outlook) and Microsoft Edge for all Azure Active Directory connected apps.
  • Microsoft Edge conditional access: You can now require employees to use Microsoft Intune protected browsers such as Microsoft Edge using application-based conditional access policies.

 

Let's dive a little deeper to explore these new features

 

Single Sign-on to Azure AD-connected apps in Microsoft Edge

 

Microsoft Edge on iOS and Android can now take advantage of single sign-on (SSO) to all web apps (SaaS and on-premises) that are Azure AD-connected. This means users of Microsoft Edge will be able to access Azure AD-connected web apps without having to re-enter their credentials. They simply need to have the Microsoft Authenticator app on iOS or the Intune Company Portal app on Android.

 

Let’s see how users can get this better sign-in experience on iOS devices:

  • Install the latest version of Microsoft Edge. If you don’t have Microsoft Authenticator installed yet, you will be prompted to download it.
  • Sign in and navigate to any of your Azure AD-connected applications that support single sign-on. You will be prompted to register your device, and that's it: you will receive single sign-on access to all applications.

 

If you previously used Intune Managed Browser with Azure AD Conditional Access, this new Microsoft Edge functionality will be familiar to you. Now, users protected with device-based conditional access can navigate to all links using Microsoft Edge from Outlook mobile, and access web resources without having to reauthenticate. To enable this, users only need to set Microsoft Edge as their default browser in their Outlook app settings.

Set default browser in Outlook settings

 

Secure mobile browser access using Conditional Access and Microsoft Edge

 

You can now enforce policy-managed Microsoft Edge as the approved mobile browser to access Azure AD-connected web apps, restricting the use of unprotected browsers like Safari or Chrome. This allows you to secure access and prevent data leakage via unprotected browser applications. A similar protection can be applied to Office 365 services like Exchange Online and SharePoint Online, the Office portal, and access to on-premises (intranet) sites via the Azure AD Application Proxy.

 

Users attempting to use unmanaged browsers such as Safari and Chrome will be prompted to open Microsoft Edge instead. On first attempt, users will be prompted to install the Microsoft Authenticator on iOS or the Intune Company Portal on Android. Here is a screenshot of a blocked access when using Safari on iOS.

Require approved mobile apps for security

 

To configure this in Microsoft Intune, you need to apply application-based conditional access policy and an App Protection policy for Microsoft Edge on iOS and Android. Here’s how you do that:

 

Create a conditional access policy to lock down browser access to a policy-protected browser such as Microsoft Edge using app-based conditional access. Here’s a screenshot of a policy targeting browser access.

Configure conditional access policies to target the browser

 

You may then select the control to grant access to cloud resources only from approved client apps that can protect your corporate data.

Configure conditional access policy to require approved apps

 

 

Create an Intune application protection policy and target all users for the Microsoft Edge application. This screenshot shows how to target Microsoft Edge.

Apply app protection policies to Microsoft Edge

 

 

In addition to conditional access and single sign-on, here are other features and benefits enjoyed by users of Microsoft Edge managed and protected by Microsoft EMS:

  • Dual-Identity: Microsoft Edge now supports corporate and personal work identities. There is complete separation between the two identities, like the architecture and experience of Outlook and Office 365. Users can seamlessly transition between work and personal identities while corporate content is kept secured.
  • Configuration settings: Admins can configure a homepage shortcut, bookmarks, MyApps integration, Azure app proxy, allow and block URL lists, and more for Microsoft Edge.
  • Fast page-rendering: Consumers already love Microsoft Edge, and one thing we hear over and over is that they love how fast it is.
  • Rich set of personalization and productivity features: Microsoft Edge comes with modern features such as seamless browsing across mobile and desktop, Voice Search, a built-in QR code reader, syncing capabilities to keep users’ eBooks, passwords, and favorites shared across devices. Learn more about the first-class features built into Microsoft Edge here.

 

Go ahead and download Microsoft Edge to experience these benefits today. Here’s a set of quick links to get you started:

 

As always, we’d love to hear any feedback or suggestions you have. Just email us here and let us know what you think!

 

Follow @MSIntune @AzureAD and @MicrosoftEdge on Twitter

 

(This post is authored in collaboration with Microsoft Intune, Azure Active Directory and Microsoft Edge product experts)

Troubleshooting Session: App-V on M.A.D. Day in Hamburg #1


Introduction

We had our Community Day in Hamburg on the 15th of March. We held it in German, but as I presented the troubleshooting session and didn’t use slides, I decided to write a blog post about this topic so that not only German-speaking people can understand what we did here.

(Video of the session, in German: https://youtu.be/R_JDKXctW5A)

Scenario

Imagine a scenario where you launch your new VDI image on Monday morning. I took one participant and gave him the task to run the App-V app, and to add a package from a local folder. Now the fun begins…

Problem

Starting an already published App-V Application shows this:

Trying to add a Package manually shows this error:

What is happening?

The first error could be a bit misleading pointing to VC++ components. The second error is much more straightforward and points to the App-V service not running. So let’s dig in:

Troubleshooting

Let’s try to start the service in PowerShell:

This is not helping much – so we do it the old style through the services.msc:

Ok, this is much more useful as it points us to a dependency service or a group of services which are not starting.

What dependencies do we have for App-V Client and how do we find them?

We have the services.msc open already, so use it and check the dependencies for the App-V Client service:

Now I know the dependencies but how do I know which of them is causing this?

Windows brings a tool called FLTMC – if you run this as Administrator on this box, you get the following output:

This shows us that the AppvStrm driver is loaded but the AppvVfs and the AppvVemgr filter drivers are not there. As the next step we need to focus on AppvVemgr, as this is also a dependency of AppvVfs.
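
The dependency check done above through services.msc and FLTMC can also be scripted. The following is an added example, not part of the original post; it assumes the App-V Client service is registered under the name AppVClient, and the function name Get-ServiceDependencyState is hypothetical.

```powershell
# Added example, not part of the original post.
# Assumption: the App-V Client service is registered as 'AppVClient'.
# Get-ServiceDependencyState is a hypothetical helper name.
function Get-ServiceDependencyState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Name,

        [int] $Depth = 0,

        # Names already reported, so shared dependencies are listed only once
        [System.Collections.Generic.HashSet[string]] $Visited
    )

    if ($null -eq $Visited) {
        $Visited = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
    }
    if (-not $Visited.Add($Name)) { return }

    # Win32_BaseService covers Win32 services and kernel/file system drivers
    $escaped = $Name.Replace('\', '\\').Replace("'", "\'")
    $svc = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$escaped'"

    # For drivers, also check that the image file is present on disk
    $fileExists = $null
    if ($svc -and $svc.ServiceType -like '*Driver' -and $svc.PathName) {
        # Driver image paths may use NT-style prefixes; normalise the common ones
        $path = $svc.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $fileExists = Test-Path -LiteralPath $path
    }

    [pscustomobject]@{
        Depth      = $Depth
        Name       = $Name
        Type       = if ($svc) { $svc.ServiceType } else { 'not registered' }
        State      = if ($svc) { $svc.State } else { $null }
        StartMode  = if ($svc) { $svc.StartMode } else { $null }
        FileExists = $fileExists
    }

    # The service control manager reads dependencies from this registry value
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $deps = @((Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).DependOnService)
    foreach ($dep in $deps) {
        if ($dep) {
            Get-ServiceDependencyState -Name $dep -Depth ($Depth + 1) -Visited $Visited
        }
    }
}

# Print the tree; anything below the root that is not 'Running' is a candidate cause
Get-ServiceDependencyState -Name 'AppVClient' |
    Format-Table -AutoSize -Property @{ Name = 'Service'; Expression = { ('  ' * $_.Depth) + $_.Name } },
        Type, State, StartMode, FileExists
```

Run it from an elevated PowerShell session on the affected machine. It only reports state and does not start or change any service.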

Let’s try to start it…

Now we are getting closer and closer – the actual error is a “File not found” error.

What is the first reaction of all engineers when they see this? – “Sure thing – the driver file is missing”

Ok – let’s check that.

Ok, it’s there. Now we need the tool we usually need for any type of troubleshooting…

PROCMON

I added a small tips section at the bottom of this post where I show you how to make Procmon show you more, which is not needed for this case but good to know…

How do we use Procmon?

What to trace? How to filter? There are so many events; what is important and what is not? Questions upon questions, which can make this tool feel intimidating, but don’t worry: we will guide you through it here.

So, we start Procmon and start the capture and we just capture the startup of the driver (AppvVemgr.sys) as shown above.

When we have done that, we stop the capture and now we need to isolate the issue. At this point there are thousands of ways to dig into this deeper…. I show you one method which helps me in most of the cases. Let’s call it the Rewind Method.

Analysis with Procmon using Rewind and Assumption

In the default Setting I have ~ 94 K Events collected, and my actual view displays 4.5 K.

First, I go to the very last event as the issue happens nearly at that time when I stop the Trace.

Now I need to isolate my view a bit and here I need my knowledge. What do I know about the error? It says something was not found… OK, what have I done to get the error? I tried to start the AppvVemgr driver.

Which process is actually starting the drivers? You see, with the knowledge that you get out of the error you can build a filter based on assumptions.

What does the filter look like?

After applying this filter, I got back four events:

This result matches 2 of three conditions we were thinking about:

  1. I see the “not found”
  2. It has to do with the driver we are looking for.

Now, which process is starting drivers? It’s not Services.exe, it’s System, and we don’t see anything from System here. If we looked up that registry key on a working system, we would see that the value “ObjectName” doesn’t exist there, so it’s not our root cause here.

Where is System?

Because it’s excluded by our view we don’t see it, so let’s make it show up, either by changing the current filter and removing this entry:

Or enable the Advanced Output from Procmon:

As we just want to focus on System, we take the first option here. In addition, we modify our filter so that it no longer matches only the driver (the driver may look somewhere else during startup, and we want to make sure we don’t miss that). As we want to know why the App-V driver, and as a result the App-V service, is not coming up, we filter on Appv. The filter looks like this now:

After applying this filter, we have 15 results, where 5 are coming from the App-V registry key:

Time to take a closer look at the MAV keys in the registry of the machine.

Now when we go through the entries under Packages we notice that there is a difference:

All Packages look like this above except one:

This was also already shown in the Procmon above…

So what to do – as we are still in troubleshooting mode, we delete that key to see if this has any effect, and start the driver afterwards to see if this is now working:

So our troubleshooting method has a positive outcome now – the service is coming up fine.

TIP:

If you check the FLTMC output again, the drivers running on the system after all this troubleshooting are shown below:

What does this now mean – when you collect a Procmon trace you just see what is above the Procmon driver. In the case above, we would see what AppvVFS is doing but we would not see what the Appvvemgr driver or the Appvstrm driver will do.

If needed, you must change the altitude of Procmon so that it runs at a lower altitude. You can do this by opening Regedit and finding the Procmon driver in use:

Change the Altitude value to 45100 (which will show you virtually everything that is happening on the machine).

You must also set the security on the “Process Monitor Instance” key and add deny rights for everyone for “delete” and “set value”. Reason being that Procmon will try to change its value back right away. You will have to uncheck “inherit permissions” to be able to set them at the Process Monitor Instance level.

Now after restarting the machine and starting Procmon, it’s running on the lower altitude.

 

Kind regards

Sebastian Gernert – Escalation Engineer App-V

MSIX Packaging Tool Update


Today we want to introduce a new member on the board. The MSIX Packaging Tool April Release is there for you to use. If you want to double-check, it is version 1.2019.402.0.

Before we start our quick overview, we like to provide you with the link to the release notes: https://docs.microsoft.com/en-us/windows/msix/packaging-tool/release-notes/history

Now let’s start with a quick overview of what changed:

  • Remote Desktop packaging

    There is one more option for creating the MSIX package. In addition to creating the package locally or within a local Hyper-V based virtual machine, you can now connect remotely to any reachable machine. So all of you who are not using Hyper-V locally, or who rely on 3rd party virtualization platforms, now share the same comfortable workflow during package creation.

  • Improved wizard workflow
    • Automatic version increment

      After you edit your MSIX package in the package editor, a new dialog appears as part of the save procedure.

      This little box would have saved me quite some minutes. Another needed optimization is the ability to use the dot “.” to move on to the next version field while you type in the package version. As always, sometimes the little things are the greatest.

    • Disabled Windows Update
      Disabling Windows Update is now mandatory and is done automatically during the wizard.
  • Package Editor changes

    You now have the ability to import complete folders (and folder structures) and their contents into the Package Editor, not just files.

    Furthermore, empty folders are no longer dropped.

  • Package time stamp

    A time stamp extends the validity of a certificate by verifying that the executable file was signed at the time that it was time stamped.

    During the “Create new package” workflow, you can now specify a custom Time Stamp Server URL, to ensure the MSIX package can be installed, even after the used signing certificate has expired. (it can be found in the settings menu)

  • Quick Create Hyper-V template

    The Quick create template still contains the “old” MSIX packager.
    Simply update the application after deployment

Just a refresher – here is how you can find out the current version of the MSIX Packaging Tool:

  1. Open the Settings menu

  2. Click Advanced

That’s all for today. Stay tuned and keep an eye on the further posts in our series about Package Support Framework.

 

Thanks for reading!

 

Ingmar Oosterhoff, Johannes Freundorfer and Matthias Herfurth

First sneak peek of Windows Server, version 1903 Semi-Annual Channel


This blog was co-authored by Ben Schultz, Principal Program Manager and Weijuan Shi Davis, Senior Program Manager, Windows Server.

Greetings!

With the launch of Windows Server 2019 a few months ago, we kicked off a whole new wave of innovation focused on four pillars: Hybrid Cloud, Security, Application Platform, and Hyper-Converged Infrastructure, and it was just the beginning. Today, we’re excited to share with you a few feature areas of the next Windows Server, Semi-Annual Channel release version 1903.

What’s new in Windows Server, version 1903

For version 1903, we’re focusing on App Platform, edge computing, Windows Admin Center, and App Compatibility.

In this release period, we’ll bring innovation in fundamentals and platform capabilities, closely working with the broader ecosystem to ensure compatibility. Some of the new capabilities will be available with this release, while others will be available through other channels including Azure and our ecosystem partners.

App Platform

Windows Server, version 1903 will continue to serve as an application platform for customers who are modernizing their applications on-premises or in the cloud with Windows containers.

  1. We have been building platform capabilities to support Azure container services and third-party container services.
    • We integrated CRI-Containerd with Host Compute Service to support Pods of Windows Containers and Linux Containers on Windows on Azure.
    • We worked with the Kubernetes community to enable Windows container support. On March 25, 2019, with the release of Kubernetes v1.14, Windows Server node support officially graduated from beta to stable. To learn more, refer to the blog post, “Windows containers now supported in Kubernetes.”
  2. We delivered scalability improvements enhancing overlay networking support for Windows containers, including integration with Kubernetes through the latest release of Flannel and Kubernetes v1.14. Try out Windows support in Kubernetes.
  3. Based on customer interest in GPU acceleration, we’re taking the first step by enabling support for hardware acceleration of DirectX APIs in Windows containers. We believe this will enable new and interesting scenarios such as edge-local machine learning inferencing. Find out more in the blog post, “Bringing GPU acceleration to Windows containers.”
  4. We updated documentation related to container identity/Group Managed Service Accounts (gMSA) with more examples and compatibility information. We’ve also made the Credential Spec module available in the PowerShell Gallery. For more information, refer to the blog post, “What’s new for container identity.”

Note: If you are using the Windows Server, version 1903 Insider Build on Azure, please note the build number is 18342. To ensure that you can run a Windows Server container on that build, use a Windows Server container build the same or lower than 18342. For example, you can run:

docker pull mcr.microsoft.com/windows/servercore/insider:10.0.18342.1

OR

docker pull mcr.microsoft.com/windows/servercore/insider:10.0.18323.1000

This practice of ensuring version compatibility applies to any Windows Server containers you may run, not just the case here. Please check the docs on Windows container version compatibility for more details.

Edge computing

As more applications, workloads, and services move to the cloud, certain edge computing scenarios are emerging where the logic is best suited to run locally rather than in the cloud. Applications that use Internet of Things (IoT) provide one example, and additional scenarios include data normalization, data analysis, and device control.

System Insights is a local predictive analytics feature introduced in Windows Server 2019. The System Insights predictive capabilities, each backed by a machine learning or analytics model, analyze Windows Server system data, such as performance counters and events. These capabilities provide insight into server operations, helping reduce the operational expenses associated with reactively managing deployment issues.

With the upcoming April Windows Admin Center (WAC) release, you can use the System Insights WAC extension to find, install, and update new System Insights capabilities. Coming shortly after the April WAC release, we will publish a new capability that allows you to detect anomalies in physical disk metrics. You can download this new capability entirely through WAC without updating your OS. This capability will work on both Windows Server 2019 and Windows Server, version 1903. With this capability, you can avoid setting static thresholds that require prior knowledge of expected behavior, and instead depend on this capability to automatically detect abnormal behavior in your physical disk metrics. In the future, we plan to extend these capabilities, improving the information you can leverage to best administrate your servers and infrastructure.

Windows Admin Center

Hybrid cloud makes it easier to run IT operations locally while still maximizing the benefits of the cloud. This includes easier distribution of data, monitoring infrastructure, and ease of deploying new apps. To improve the experience across cloud and on-premises, version 1903 brings the following innovations:

  • Synergize migration with Azure File Sync: The Storage Migration Service leads to the Azure File Sync (AFS) WAC experience, where a customer who migrates from Windows Server 2008 to Windows Server 2019 then deploys Azure File Sync and manages that data.
  • Allow direct-to-Azure storage migrations with Storage Migration Service (SMS): Customers can migrate from Windows Server 2003, 2008/R2, 2012/R2, or Linux Samba directly to a running IaaS virtual machine.
  • Make Azure cluster witness an opt-out: We now default quorum management into an Azure blob instead of a local store.
  • Expand and iterate on the growing set of WAC’s Azure integration scenarios, including Azure Site Recovery, Azure Backup, Azure Active Directory authentication, Azure Update Management, and Azure Monitor alerts.

Server Core App Compatibility – Feature on Demand

The App Compatibility Feature on Demand for Server Core, introduced with Windows Server 2019 and Windows Server, version 1809, continues to be popular with customers using it in a variety of scenarios. Feedback since launch has led to two significant additions:

  1. Task Scheduler (Taskschd.msc): More easily schedule your apps, actions, and scripts!
  2. Hyper-V Manager (Virtmgmt.msc): Create and connect to virtual machines hosted on Server Core + the App Compatibility feature on demand (FOD)!

A reminder that Server Core is the recommended server OS installation type for production (managed by Windows Admin Center and/or PowerShell). The App Compatibility FOD is intended for those specific workloads or enterprise apps that require more than what Server Core alone provides. This helps IT environments to standardize on Server Core.

Reminder: Windows Server Semi-Annual Channel is designed for faster innovation.

Get started today with version 1903

Windows Server, version 1903 Insider Builds

Windows Server, Version 1903 Container Insider Builds

Windows Admin Center 1904 is now generally available. Easily manage your server instances and optionally enable various Azure services to light up hybrid scenarios.

All Insider previews are available for registered Insiders only. Need to register? See the Getting Started with Windows Server Insider Preview page for more information.

Learn more!

Attend our Windows Server Summit virtual event on May 22, 2019 to hear more on what’s to come from our Windows Server Team.

The post First sneak peek of Windows Server, version 1903 Semi-Annual Channel appeared first on Windows Server Blog.

It’s time to update your Windows management strategy!


This blog post was authored by Dianna Marks, Product Marketing Manager, Windows Server Marketing.

You’ve been hearing about all the great innovations in Windows Server 2019. We’ve also been working to enhance how we manage your Windows Server environment, and we’ll be showing you more at the upcoming Windows Server Summit 2019.

Windows servers can be managed in multiple ways based on your need

We know that you need to manage both individual servers and servers at scale. We also know that each customer is at a different stage in their hybrid journey, so we provide scaled management tools centered in on-premises and scaled management tools for hybrid management in Azure. Whatever your management needs are, we have you covered, including patching, backup, monitoring, governing, and automation, or simply managing an individual server remotely on-premises or in Azure. See below to understand how these relate:

[Figure: Windows Server benefits diagram]

Let’s drill into each of the three technologies:

Windows Admin Center

One of the exciting innovations in the Windows Server world has been Windows Admin Center. Launched in 2018, Windows Admin Center is an evolution of inbox server tools that is now a browser-based app for managing servers, clusters, hyper-converged infrastructure, and Windows 10 PCs. Its main benefit is that it allows you to manage a single server from a web-based experience. Windows Admin Center has no additional cost for all Windows Server customers and is now managing over 2.7 million nodes, which is pretty amazing.

Windows Admin Center is not intended to replace technologies such as Azure Management and System Center that manage many servers at a time. In fact, one of its best kept secrets is that Windows Admin Center includes hybrid on-ramps to Azure Management for single servers to take advantage of the Azure services for backup with its unlimited storage, or disaster recovery to provide redundancy with your own data center, for patching and more.

If you haven’t seen it, watch the overview of Windows Admin Center on Microsoft Cloud’s YouTube page. You can also read the Windows Admin Center blog, “Windows Admin Center 1904 GA update is now available,” to learn about what’s new with the platform.

System Center

System Center has long been the mainstay of Windows Server management at scale. While Windows Admin Center enables the management of a single Windows server in depth, System Center offers management of many Windows Servers at scale. System Center suite provides the complete repertoire of tools for managing Windows Servers within your data center. For the enterprise customer looking for at-scale configuration, monitoring, data protection, automation, and provisioning of the fabric and the virtual machines across your on-premises Windows Server environment, System Center is essential.

We continue to innovate with System Center. The 2019 release of System Center was announced on March 14, 2019 and includes automation for provisioning HCI environment, improved security, and faster backups with the latest versions of Windows Server. System Center has also added on-ramps to Azure services by integrating with Azure Backup, Azure Monitor, and update management. You can read all about System Center 2019 in the blog post, “Now available: Microsoft System Center 2019!” Future revisions of System Center will double down on management capabilities for the hybrid cloud environment and light up management-at-scale of new platform capabilities in Windows Server vNext. Learn more at our System Center sessions at the upcoming Windows Server Summit!

Azure Management services

As customers are increasingly adding hybrid workloads, those workloads in Azure also need to be managed. At some level the basic functions are similar: servers need to be patched, backed up, and monitored, and you need automation to help enable that. Azure was the first cloud platform with built-in management services and is the most mature amongst major public cloud providers. If you are running workloads in Azure, then it often makes sense from a convenience perspective to use the built-in Azure services; after all, you can back up a virtual machine (VM) in Azure in just a few clicks. The Azure services are SaaS services, so you don’t need to worry about patching and upgrading them, or installing them on hardware. Microsoft does that for you, which can be a big time saver, and you are always up to date. In addition to managing your Azure workloads, the Azure Management services use agents that can be deployed in your on-premises VMs running in VMware or Hyper-V so you can achieve a single pane of glass hosted in Azure to manage both your on-premises workloads and your Azure workloads. Of course, there is lots of new technology in Azure like containers and cloud native services that also can be managed and governed.

Bringing it all together

We know that Windows Servers are an essential component of your IT infrastructure and each customer is at a unique place on your migration to hybrid. That’s why our management strategy at scale supports your needs and is at a continuum. Many customers use both System Center and the Azure Management services, and those same customers benefit from using Windows Admin Center on individual servers. It all falls in line with “our mission to empower every person and every organization on the planet to achieve more.”

Join us for the event!

At Windows Server Summit 2019 we’ll expand upon some of the major benefits of adopting Windows Admin Center and System Center to manage your Windows Servers. We’ll even include some demos to show you how they work. Check out the blog post, “It’s that time again: Windows Server Summit 2019!” to see all the topics that we’ll hit upon during the May 22nd event.

Already excited to come? Great! Register for Windows Server Summit 2019 today!

The post It’s time to update your Windows management strategy! appeared first on Windows Server Blog.


Public Preview of PowerShell in Azure Functions 2.x


Over the last six months, we’ve been hard at work integrating PowerShell Core with Azure Functions 2.x. Today, I’m happy to announce that we’re releasing the public preview of PowerShell support for Azure Functions 2.x for Windows (Consumption, Premium, and App Service pricing plans).

I already know I want this, give me the good stuff!

Learn how to create your first PowerShell function in Azure Functions, or dive right into the Azure Functions PowerShell developer guide.

What’s Azure Functions?

For those that haven’t experienced the joy of using Azure Functions yet, it’s an event-based serverless platform that enables you to write code in a variety of languages without having to worry about managing infrastructure like VMs or containers. You simply create a function, give it an event trigger, write some PowerShell code, and point your return data at an output binding. That’s it!

Azure Functions supports a multitude of triggers and bindings. Commonly, folks use the HTTP (webhook) triggers to easily create REST API endpoints, but there’s a huge set that supports integration with Microsoft services like Azure and Office 365, as well as 3rd party services like GitHub, SendGrid, and Twilio.

So how does PowerShell fit in?

Today, Azure Functions supports a number of development languages like C#, JavaScript/Node, Java, and Python. While these languages are great for developing serverless applications, PowerShell is geared towards cloud and in-guest management, and as a scripting language can be much simpler to use for certain tasks, including integration with Azure and Office 365.

We built the new PowerShell worker in Azure Functions to take advantage of PowerShell’s ability to natively manage objects. In fact, we’ve already built a bot built on top of Azure Functions that helps out in PRs and issues for the PowerShell GitHub repository. Look out for a blog post in the future that talks more about what it does and how we built it.

What’s included today?

  • PowerShell Core 6.2 worker in Azure Functions 2.x
    • Windows Consumption, Dedicated and Premium pricing models
  • Creation of PowerShell function apps and functions
  • Support and templates for all 2.x triggers and input/output bindings
  • Support for the Az modules as a managed dependency which will be kept up to date for you
  • Ability to execute a profile.ps1 on the first cold start of any Functions worker
  • Support for Visual Studio Code, including integration between the Azure Functions and PowerShell extensions
  • Ability to run the PowerShell Core worker within the func CLI on Windows, macOS, and Linux
  • Local debugging of function apps in Visual Studio Code and PowerShell Core

What’s not included today?

  • PowerShell support for Linux in Azure Functions
  • Support for Durable Functions
  • “Live objects” for trigger objects
    • Today, all trigger objects except HTTP are more generic data types
  • Generic PowerShell Gallery support for managed dependencies
  • PowerShell cmdlets for managing Azure Functions (e.g. Az.Functions)
  • Note: local debugging is currently broken on Windows. This should be fixed soon, but you can track the progress of this issue here.

Awesome, how do I get started?

Start with our Azure Functions PowerShell quickstart to learn how to use Visual Studio Code and the Azure Functions Core Tools to create, test, debug, and deploy your first PowerShell function app. Watch the Azure Friday video to learn more about using PowerShell in Functions.

I’ve got a problem / Where do I give feedback?

We encourage you to give us feedback via our GitHub repository. Feel free to file and participate in issues for:

  • missing functionality (and why you value that functionality)
  • problems with the programming model (and how it affects your scenarios)
  • bugs in the worker
  • anything else you believe needs improving or fixing

When will this be reaching General Availability (GA)?

We don’t currently have an ETA for when PowerShell will reach GA, but your feedback will help us drive our prioritization, so make sure to voice your opinions! Even if it’s simply to tell us “works great for me!”, that will help us reach our next milestones more quickly.

That’s it!

Thanks for being an early adopter! We’re really looking forward to seeing what kinds of automation you all build with serverless PowerShell!

Thanks,
Joey Aiello
PM, PowerShell Core

The post Public Preview of PowerShell in Azure Functions 2.x appeared first on PowerShell.

Infrastructure + Security: Noteworthy News (April, 2019)


Hi there! Stanislav Belov here, and you are reading the next issue of the Infrastructure + Security: Noteworthy News series!  

As a reminder, the Noteworthy News series covers various areas, to include interesting news, announcements, links, tips and tricks from Windows, Azure, and Security worlds on a monthly basis.

Microsoft Azure
Microsoft Azure portal April 2019 update
This month’s updates include improvements to IaaS, Azure Data Explorer, Security Center, Recovery Services, Role-Based Access Control, Support, and Intune.
Defense in depth security in Azure (Video)
Learn how Microsoft designs and operates Azure, and get an overview of Azure services and capabilities to secure, manage and monitor your cloud data, apps and infrastructure. In this Azure Essentials, we also go in-depth on the controls of the Azure Security Center and explain the controls you can leverage as well as what Microsoft does to keep your data, apps, compute and networking resources secure.
Web application firewall at Azure Front Door service
WAF with Front Door service leverages the scale of and the deep security investments we have made at the Azure edge, and it is designed to protect you from multiple attack vectors such as injection type attacks and volumetric DoS attacks. It inspects each incoming request at Azure’s network edge, stops unwanted traffic before it enters your backend servers, and offers protection at scale without sacrificing on performance.
Azure AD Password Protection is now generally available!
To help users avoid choosing weak and vulnerable passwords, we updated the banned password algorithm. Using the global banned password list that Microsoft updates and the custom list you define, Azure AD Password Protection now blocks a wider range of easily guessable passwords. Read our detailed documentation to learn more about how password strength is evaluated and how Azure AD Password Protection can help block weak passwords in your organization.
Windows Server
Windows Admin Center 1904 GA update is now available!

As a platform, version 1904 of Windows Admin Center is generally available, and contains all the features and improvements of the previous monthly preview releases. As the number of capabilities grow, please note that some extensions and features are still clearly marked as “preview” to help differentiate newer functionality and allow for flexibility of ecosystem growth.

Windows Client
Introducing the security configuration framework: A prioritized guide to hardening Windows 10

In the past, we left defining the security configuration for Windows 10 as a task for every customer to sort out. As a result, we saw as many different configurations as we saw customers. Standardization has many advantages, so we developed a security configuration framework to help simplify security configuration while still allowing enough flexibility to allow you to balance security, productivity, and user experience. We are defining discrete prescriptive Windows 10 security configurations (levels 5 through 1) to meet many of the common device scenarios we see today in the enterprise.

Improving the Windows 10 update experience with control, quality and transparency

While regular updates are critical to keeping modern devices secure and running smoothly in a diverse and dynamic ecosystem, we have heard clear feedback that the Windows update process itself can be disruptive, particularly that Windows users would like more control over when updates happen. On April 4 we announced significant changes in the Windows update process, changes designed to improve the experience, put the user in more control, and improve the quality of Windows updates.

Announcing the public preview of Windows Virtual Desktop
On March 21, we moved to the next phase and announced the public preview of Microsoft Windows Virtual Desktop. Now, all customers can access this service—the only service that delivers simplified management, a multi-session Windows 10 experience, optimizations for Office 365 ProPlus, and support for Windows Server Remote Desktop Services (RDS) desktops and apps. With Windows Virtual Desktop, you can deploy and scale your Windows desktops and apps on Azure in minutes and enjoy built-in security.
Security
Improving security by protecting elevated-privilege accounts at Microsoft

Microsoft Core Services Engineering and Operations (CSEO) developed and implemented a defense-in-depth security approach to help reduce our attack surface and take enterprise security to the next level. We are implementing least-privilege access, using isolated identities for elevated privilege accounts, and reducing the amount of persistent elevated access. For administrators, we are providing secure workstations that are used to connect to a dedicated cloud environment in a secure datacenter.

How Microsoft secures elevated access with tools and privileged credentials (Video)

Microsoft has been working to establish secure, isolated environments, credential management services and policies, and secure admin workstations to help protect mission-critical systems and services—including those used to manage cloud services, like Azure. Listen in as our experts answer questions about the strategies we use to help secure critical corporate assets and increase protection against emerging pass-the-hash attacks, credential theft, and credential reuse scenarios.

Chief Information Security Officer (CISO) Workshop Training

This Chief Information Security Officer (CISO) workshop contains a collection of security learnings, principles, established best practices, and emerging best practices for modernizing security in your organization for the cloud age. This workshop is built on a combination of experience from Microsoft’s security teams and learnings from our customers.

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Office 365 ATP offers unparalleled protection from targeted and zero-day attacks over email and other collaboration vectors. Building over the massive threat intelligence signal available in the Microsoft Intelligent Security Graph and pairing it with sophisticated Machine Learning algorithms, Office 365 ATP offers security teams best-in-class prevention, detection and response capabilities to keep their organizations secure with stellar effectiveness and efficiency. On April 4th, we announced new Automation capabilities in Office 365 ATP that further amplify the efficiency of security teams as they investigate and respond to threats within their organization.

Protect your documents and email: top 10 actions to secure your environment
The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 8. Protect your documents and email,” you’ll learn how to deploy Azure Information Protection and use Office 365 Advanced Threat Protection (ATP) and Exchange Online Protection to help secure your documents and emails.
Discover shadow IT and take control of your cloud apps: top 10 actions to secure your environment
The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 7. Discover shadow IT and take control of cloud apps,” you’ll learn how to set up Microsoft Cloud App Security (MCAS) to identify, access, and manage the cloud applications used by your organization.
IT Pros can now easily connect to Microsoft Graph Security with the PowerShell Module!
We now have a new PowerShell module for the Microsoft Graph Security API that makes it easier for IT Pros to connect with the API from a PowerShell console. This module is available on the PowerShell gallery, thanks to a community contribution from the Microsoft Cloud Security’s Customer Experience Engineering team. The Microsoft Graph Security API connects multiple security solutions to enable easier correlation of alerts, provide access to rich contextual information, simplify automations and investigations. This empowers organizations to quickly gain insights and take actions across their security products, while reducing the cost and complexity of building and maintaining multiple integrations. For further details on integrating with the Microsoft Graph Security API, learn about the API and access the schema.
Secure access to your enterprise with Microsoft 365 Enterprise E5
What if we could make user access simpler for users and simultaneously more secure for the enterprise? That’s the topic of the first e-book in a six-part series that describes how you can use the full Microsoft 365 Enterprise E5 suite to comprehensively address today’s security challenges without reducing employee productivity.
Vulnerabilities and Updates
Now available: Microsoft System Center 2019!

As of March 14, 2019, we are pleased to let you know that System Center 2019 is generally available. Customers with a valid license of System Center 2019 can download media from the Volume Licensing Service Center (VLSC). We will also have the System Center 2019 evaluation available on the Microsoft Evaluation Center.

Support Lifecycle
Windows 7 support will end on January 14, 2020

Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. When this 10-year period ends, Microsoft will discontinue Windows 7 support so that we can focus our investment on supporting newer technologies and great new experiences. The specific end of support day for Windows 7 will be January 14, 2020. After that, technical assistance and automatic updates that help protect your PC will no longer be made available for the product. Microsoft strongly recommends that you move to Windows 10 sometime before January 2020 to avoid a situation where you need service or support that is no longer available.

Extended Security Updates for SQL Server and Windows Server 2008/2008 R2: Frequently Asked Questions (PDF)

On January 14, 2020, support for Windows Server 2008 and 2008 R2 will end. That means the end of regular security updates. Don’t let your infrastructure and applications go unprotected. We’re here to help you migrate to current versions for greater security, performance and innovation.

Products reaching End of Support for 2019

Products reaching End of Support for 2020

Microsoft Premier Support News
We are happy to announce the release of three new Onboarding Accelerator solutions to implement and operate Microsoft Advanced Threat Detection technologies: Onboarding Accelerator – Advanced Threat Detection – Implementing and Operating Azure ATP, Onboarding Accelerator – Advanced Threat Detection – Implementing Advanced Threat Analytics & the Onboarding Accelerator – Advanced Threat Detection – Operating Advanced Threat Analytics.
Does your organization struggle to effectively apply security baselines? Has your organization’s journey towards cybersecurity resiliency been hampered by environmental or operational roadblocks within your infrastructure? If you answered yes to one or both questions then the Onboarding Accelerator – Implementing Security Baselines can help you. This offering provides a repeatable, scalable solution to quickly and cost-effectively help mitigate security blockers by designing a plan to implement Microsoft hardening best practices across your Domain connected Operating Systems.
Check out Microsoft Services public blog for new Proactive Services as well as new features and capabilities of the Services Hub, On-demand Assessments, and On-demand Learning platforms.

Microsoft expands BitLocker management capabilities for the enterprise


Microsoft is excited to announce enhancements to BitLocker management capabilities in both Microsoft Intune and System Center Configuration Manager (SCCM), coming in the second half of 2019. Whether your management infrastructure is on-premises or in the cloud, robust BitLocker management is required for today’s enterprises to secure modern endpoints.

Microsoft provides a range of flexible BitLocker management alternatives to meet your organization’s needs, as follows:

  1. Cloud-based BitLocker management using Microsoft Intune
  2. On-premises BitLocker management using System Center Configuration Manager
  3. Microsoft BitLocker Administration and Monitoring (MBAM)

Figure: Enterprise BitLocker management lifecycle – Enterprise BitLocker management includes assessing readiness, key management and recovery, and compliance reporting. Whichever option is right for your company, we have a complete enterprise solution.

Let us explore each of these alternatives in some detail.

Option 1 - Cloud-based BitLocker management using Microsoft Intune

Microsoft Azure Active Directory and Microsoft Intune bring the power of intelligent cloud to Windows 10 device management and include management capabilities for Microsoft BitLocker on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions.

Figure: Microsoft Intune Endpoint Protection portal with example settings – With 38 BitLocker Encryption settings, you can customize the settings for your company.

As enterprises increasingly look to modernize through cloud scale and simplicity, Microsoft is committed to driving the same approach for cloud-based BitLocker management. The Microsoft Intune BitLocker management platform is available today and includes features such as compliance reporting and encryption configuration, with key retrieval and rotation on the roadmap. In the coming months, we expect Microsoft cloud-based BitLocker management to meet and exceed the MBAM capabilities you are familiar with.

Additionally, Windows AutoPilot offers a modern provisioning approach to ensure BitLocker is seamlessly enabled on Windows devices, integrating with Azure Active Directory to provide a compliant device on first logon.

Here are some BitLocker management features you will find in Microsoft Intune:

  • Readiness and Compliance Reporting
    • Dedicated encryption reports that help admins understand the encryption status of their device estate; reports if devices can be successfully enabled with BitLocker. If devices fail BitLocker enablement, you’ll see onscreen error codes to help you troubleshoot and bring them to a successful state.
  • Configuration
    • Granular BitLocker configuration that empowers admins to manage devices to their intended level of security. We’re constantly working with customers and making bold investments to determine which features require mobile device management (MDM) support.
  • Key recovery auditing
    • Get reports on who accessed recovery key information in Azure AD. Reports coming later in 2019.
  • Key recovery
    • Enables you or another admin to recover keys in the Microsoft Intune console. You may enable user self-service key recovery using the Company Portal app, available across device platforms such as web, iOS, Android, Windows, and MacOS. Self-service is expected to be available later in calendar year 2019.
  • Key management (coming in 2019)
    • Enable single-use recovery keys on Windows devices by ensuring keys are rolled on-access (by client) or on-demand (by Intune remote actions). Key rotation is expected later in calendar year 2019.
  • Migrating from MBAM to cloud management (coming in 2019)
    • For our current MBAM customers that need to migrate to modern BitLocker management, we are integrating that migration directly into the key rotation feature, available later in calendar year 2019.

Option 2 – On-premises BitLocker management using System Center Configuration Manager

For organizations currently using on-premises management, the best approach still remains getting your Windows devices to a co-managed state, to take advantage of cloud-based BitLocker management with Microsoft Intune. However, to support scenarios where cloud is not an option, Microsoft is also introducing BitLocker management through Configuration Manager current branch.

Beginning in June 2019, Configuration Manager will release a product preview for BitLocker management capabilities, followed by general availability later in 2019. Similar to the Intune cloud-based approach, Configuration Manager will support BitLocker for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions. It will also support Windows 7, Windows 8, and Windows 8.1 during their respective support lifecycles.

Configuration Manager (SCCM) will provide the following BitLocker management capabilities:

  • Provisioning
    • Our provisioning solution will ensure that BitLocker will be a seamless experience within the SCCM console while also retaining the breadth of MBAM.
  • Prepare Trusted Platform Module (TPM)
    • Admins can open the TPM management console for TPM versions 1.2 and 2.0. Additionally, SCCM will support TPM+PIN for log in. For those devices without a TPM, we also permit USBs to be used as authenticators on boot.
  • Setting BitLocker Configuration
    • All MBAM configuration specific values that you set will be available through the SCCM console, including: choose drive encryption and cipher strength, configure user exemption policy, fixed data drive encryption settings, and more.
  • Encryption
    • Encryption allows admins to determine the algorithms with which to encrypt the device, the disks that are targeted for encryption, and the baselines users must provide in order to gain access to the disks.
  • Policy enactment / remediation on device
    • Admins can force users to get compliant with new security policies before being able to access the device.
  • New user can set a PIN / password on TPM & non-TPM devices
    • Admins can customize their organization’s security profile on a per device basis.
  • Auto unlock
    • Policies to specify whether to unlock only an OS drive, or all attached drives, when a user unlocks the OS drive.
  • Helpdesk portal with auditing
    • A helpdesk portal allows other personas in the organization outside of the SCCM admin to provide help with key recovery, including key rotation and other MBAM-related support cases that may arise.
  • Key rotation
    • Key rotation allows admins to use a single-use key for unlocking a BitLocker encrypted device. Once this key is used, a new key will be generated for the device and stored securely on-premises.
  • Compliance reporting
    • SCCM reporting will include all reports currently found on MBAM in the SCCM console. This includes key details like encryption status per volume, per device, the primary user of the device, compliance status, reasons for non-compliance, etc.

Option 3 - Microsoft BitLocker Administration and Monitoring (MBAM)

Since 2011, the enterprise standard for BitLocker management has been Microsoft BitLocker Administration and Monitoring (MBAM), which requires dedicated on-premises infrastructure, including database servers. Microsoft has announced MBAM will end mainstream support on July 9, 2019 and will enter extended support until July 9, 2024. Customers can continue to deploy and use MBAM 2.5 SP1, fully supported by Microsoft during the extended support period. The end of mainstream support indicates that new features will not be added to MBAM 2.5 SP1.  Microsoft is dedicated to investing in modern approaches that simplify and streamline BitLocker management for the enterprise. MBAM remains a supported management tool for customers that don’t currently use either Microsoft Intune or System Center Configuration Manager.

 

More info and feedback

Whether you are a current MBAM customer or are using a third-party tool for BitLocker management, Microsoft can help support your transition to modern enterprise BitLocker management at your own pace with a unified endpoint management platform that includes Microsoft Intune and Configuration Manager.

 

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

 

Follow @MSIntune and @MSWindowsITPro on Twitter

 

It’s all the buzz! HCI in your Windows Server environment


This blog post was authored by Dianna Marks, Product Marketing Manager, Windows Server Marketing.

HCI is all the buzz nowadays! What exactly is HCI? Spelled out, it's hyperconverged infrastructure, also referred to as the software defined data center (SDDC). It allows companies to run their storage, networking, and compute with lowered capital expenditure (CAPEX) and operating expenses (OPEX) since storage and networking are software-defined and don't require the same amount of hardware and level of management. HCI offers centralized management, which is great for many types of environments including development and product workloads. Also, now that there is no storage area network (SAN), you can scale up more easily since all you have to do is add an additional node. With Microsoft, all of this is included in Windows Server. Let's dig into the features.

New OS features and Azure Stack HCI launch

Azure Stack HCI launched in March 2019 with all the software-defined features in Windows Server 2019. Some of these features include native support for persistent memory to enable better performance, deduplication, and compression to save space and money, as well as increase efficiency, nested resiliency inspired by RAID 5+1 so two-node clusters can survive multiple simultaneous failures, and increased maximum scale by 4x to 4 petabytes.

At launch, there were more than 70 solutions from 15 partners. Azure Stack HCI is the evolution of the Windows Server 2016 based Windows Server Software-Defined (WSSD) program. Did you know that if your hardware vendor supports it, you can officially get an in-place upgrade from Windows Server 2016 to Windows Server 2019? This includes HCI and is officially tested and supported by Microsoft!

Now you can manage HCI with Windows Admin Center

If you are running HCI, you'll want to try the gorgeous new unified user interface (UI) in Windows Admin Center. We just launched Windows Admin Center version 1904, which offers new HCI management capabilities like improved charting for RDMA networking, new drive latency and error statistics, full support for dark theme, and clustering enhancements. You can read more about it in the Windows Admin Center blog released last month.

New Azure connectedness features

Get even more out of your on-premises HCI by connecting to Azure. It's totally optional! Examples include:

  1. Cloud Witness so that two-node clusters can achieve quorum without any other on-premises infrastructure.
  2. Azure Site Recovery to protect virtual machines with just a few clicks in Windows Admin Center.
  3. Connect your HCI to Azure Monitor to get text or email alerts when things fail, even when you're not at your desk.

What next?

To learn more, check out the 70+ solutions in the new store-style catalog, and tune in to the Windows Server Summit on May 22, 2019, where the team will highlight some of their favorite novel new solutions.

Register for Windows Server Summit.

The post It’s all the buzz! HCI in your Windows Server environment appeared first on Windows Server Blog.

DSC Resource Kit Release May 2019


We just released the DSC Resource Kit! This release includes updates to 14 DSC resource modules. In the past 6 weeks, 87 pull requests have been merged and 36 issues have been closed, all thanks to our amazing community!

The modules updated in this release are:

  • ActiveDirectoryCSDsc
  • CertificateDsc
  • ComputerManagementDsc
  • NetworkingDsc
  • OfficeOnlineServerDsc
  • PSDscResources
  • SharePointDsc
  • SqlServerDsc
  • StorageDsc
  • xActiveDirectory
  • xDnsServer
  • xFirefox
  • xPSDesiredStateConfiguration
  • xWebAdministration

For a detailed list of the resource modules and fixes in this release, see the Included in this Release section below.

Our latest community call for the DSC Resource Kit was last Wednesday, May 8. A recording of the call is available here. You can join us for the next call at 12PM (Pacific time) on June 19 to ask questions and give feedback about your experience with the DSC Resource Kit.

The next DSC Resource Kit release will be on Wednesday, June 26.

We strongly encourage you to update to the newest version of all modules using the PowerShell Gallery, and don’t forget to give us your feedback in the comments below, on GitHub, or on Twitter (@PowerShell_Team)!

Please see our documentation here for information on the support of these resource modules.

Included in this Release

You can see a detailed summary of all changes included in this release in the table below. For past release notes, go to the README.md or CHANGELOG.md file on the GitHub repository page for a specific module (see the How to Find DSC Resource Modules on GitHub section below for details on finding the GitHub page for a specific module).

Module Name Version Release Notes
ActiveDirectoryCSDsc 3.3.0.0
  • Remove reference to StorageDsc in README.md – fixes Issue 76.
  • Combined all ActiveDirectoryCSDsc.ResourceHelper module functions into ActiveDirectoryCSDsc.Common module and renamed to ActiveDirectoryCSDsc.CommonHelper module.
  • Opted into Common Tests “Common Tests – Validate Localization” – fixes Issue 82.
CertificateDsc 4.6.0.0
  • CertReq:
    • Added Compare-CertificateIssuer function to check if the Certificate Issuer matches the CA Root Name.
    • Changed Compare-CertificateSubject function to return false if ReferenceSubject is null.
    • Fixed exception when Certificate with empty Subject exists in Certificate Store – fixes Issue 190.
    • Fixed bug matching existing certificate when Subject Alternate Name is specified and machine language is not en-US – fixes Issue 193.
    • Fixed bug matching existing certificate when Template Name is specified and machine language is not en-US – fixes Issue 193.
    • Changed Import-CertificateEx function to use X509Certificate2Collection instead of X509Certificate2 to support importing certificate chains
ComputerManagementDsc 6.4.0.0
  • ScheduledTask:
    • IdleWaitTimeout returned from Get-TargetResource always null – Fixes Issue 186.
    • Added BuiltInAccount Property to allow running task as one of the built-in service accounts – Fixes Issue 130.
  • Refactored module folder structure to move resource to root folder of repository and remove test harness – fixes Issue 188.
  • Added a CODE_OF_CONDUCT.md with the same content as in the README.md and linked to it from README.MD instead.
  • Updated test header for all unit tests to version 1.2.4.
  • Updated test header for all integration tests to version 1.3.3.
  • Enabled example publish to PowerShell Gallery by adding gallery_api environment variable to AppVeyor.yml.
NetworkingDsc 7.2.0.0
  • NetAdapterAdvancedProperty:
    • Added support for RegistryKeyword MaxRxRing1Length and NumRxBuffersSmall – fixes Issue 387.
  • Firewall:
    • Prevent “Parameter set cannot be resolved using the specified named parameters” error when updating rule when group name is specified – fixes Issue 130 and Issue 191.
  • Opted into Common Tests “Common Tests – Validate Localization” – fixes Issue 393.
  • Combined all NetworkingDsc.ResourceHelper module functions into NetworkingDsc.Common module – fixes Issue 394.
  • Renamed all localization strings so that they are detected by “Common Tests – Validate Localization”.
  • Fixed issues with mismatched localization strings.
  • Updated all common functions with the latest versions from DSCResource.Template.
  • Fixed an issue with the helper function Test-IsNanoServer that prevented it from working. The helper function is not used, so this issue was not caught until now, when unit tests were added.
  • Corrected style violations in NetworkingDsc.Common.
OfficeOnlineServerDsc 1.4.0.0
  • OfficeOnlineServerInstall
    • Updated resource to make sure the Windows Environment variables are loaded into the PowerShell session;
  • OfficeOnlineServerMachine
    • Updated resource to make sure the Windows Environment variables are loaded into the PowerShell session;
  • Created LICENSE file to match the Microsoft Open Source Team standard.
PSDscResources 2.11.0.0
  • Fix Custom DSC Resource Kit PSSA Rule Failures
SharePointDsc 3.4.0.0
  • SPDistributedCacheClientSettings
    • Added 15 new SharePoint 2016 parameters.
  • SPFarm
    • Implemented Null check in Get method to prevent errors
    • Add support to provision Central Administration on HTTPS
  • SPInfoPathFormsServiceConfig
    • Added the AllowEventPropagation parameter.
  • SPInstall
    • Improved logging output
    • Updated blocked setup file check to prevent errors when BinaryDir is a CD-ROM drive or mounted ISO
  • SPInstallLanguagePack
    • Improved logging output
    • Updated blocked setup file check to prevent errors when BinaryDir is a CD-ROM drive or mounted ISO
  • SPInstallPrereqs
    • Improved logging output
    • Added the updated check to unblock setup file if it is blocked because it is coming from a network location. This is to prevent an endless wait.
    • Added ability to install from a UNC path, by adding server to IE Local Intranet Zone. This will prevent an endless wait caused by security warning.
    • Fixed an issue that would prevent the resource failing a test when the prerequisites have been installed successfully on Windows Server 2019
  • SPManagedMetadataServiceApp
    • Fixed issue where Get-TargetResource method throws an error when the service app proxy does not exist and no proxy name is specified.
  • SPProductUpdate
    • Improved logging output
    • Updated blocked setup file check to prevent errors when SetupFile is a CD-ROM drive or mounted ISO
  • SPSearchContentSource
    • Removed check that prevents configuring an incremental schedule when using continuous crawl.
  • SPSitePropertyBag
    • Fixed issue where properties were set on the wrong level.
  • SPSubscriptionSettingsServiceApp
    • Fixed issue where the service app proxy isn’t created when it wasn’t created during initial deployment.
  • SPTrustedRootAuthority
    • Added possibility to get certificate from file.
SqlServerDsc 12.5.0.0
  • Changes to SqlServerSecureConnection
    • Updated README and added example for SqlServerSecureConnection, instructing users to use the “SYSTEM” service account instead of “LocalSystem”.
  • Changes to SqlScript
    • Correctly passes the $VerbosePreference to the helper function Invoke-SqlScript so that PRINT statements are output correctly when verbose output is requested, e.g. Start-DscConfiguration -Verbose.
    • Added en-US localization (issue 624).
    • Added additional unit tests for code coverage.
  • Changes to SqlScriptQuery
    • Correctly passes the $VerbosePreference to the helper function Invoke-SqlScript so that PRINT statements are output correctly when verbose output is requested, e.g. Start-DscConfiguration -Verbose.
    • Added en-US localization.
    • Added additional unit tests for code coverage.
  • Changes to SqlSetup
    • Concatenated Robocopy localization strings (issue 694).
    • Made the error message more descriptive when the Set-TargetResource function calls the Test-TargetResource function to verify the desired state.
  • Changes to SqlWaitForAG
  • Changes to SqlServerPermission
  • Changes to SqlServerMemory
    • Added en-US localization (issue 617).
    • No longer will the resource set the MinMemory value if it was provided in a configuration that also set the Ensure parameter to “Absent” (issue 1329).
    • Refactored unit tests to simplify them and add slightly more code coverage.
  • Changes to SqlServerMaxDop
  • Changes to SqlRS
    • Reporting Services are restarted after changing settings, unless $SuppressRestart parameter is set (issue 1331). $SuppressRestart will also prevent Reporting Services restart after initialization.
    • Fixed one of the error handling to use localization, and made the error message more descriptive when the Set-TargetResource function calls the Test-TargetResource function to verify the desired state. This was done prior to adding full en-US localization.
    • Fixed (issue 1258). When initializing Reporting Services, there is no need to execute InitializeReportServer CIM method, since executing SetDatabaseConnection CIM method initializes Reporting Services.
    • issue 864 SqlRs can now initialise SSRS 2017 instances
  • Changes to SqlServerLogin
    • Added en-US localization (issue 615).
    • Added unit tests to improve code coverage.
  • Changes to SqlWindowsFirewall
  • Changes to SqlServerEndpoint
  • Changes to SqlServerEndpointPermission
  • Changes to SqlServerEndpointState
  • Changes to SqlDatabaseRole
  • Changes to SqlDatabaseRecoveryModel
  • Changes to SqlDatabasePermission
  • Changes to SqlDatabaseOwner
  • Changes to SqlDatabase
  • Changes to SqlAGListener
  • Changes to SqlAlwaysOnService
  • Changes to SqlAlias
    • Added en-US localization (issue 602).
    • Removed ShouldProcess for the code, since it has no purpose in a DSC resource (issue 242).
  • Changes to SqlServerReplication
    • Added en-US localization (issue 620).
    • Refactored Get-TargetResource slightly so it provides better verbose messages.
StorageDsc 4.7.0.0
  • DiskAccessPath:
    • Added a Get-Partition to properly handle setting the NoDefaultDriveLetter parameter – fixes Issue 198.
xActiveDirectory 2.26.0.0
  • Changes to xActiveDirectory
    • Added localization module -DscResource.LocalizationHelper* containing the helper functions Get-LocalizedData, New-InvalidArgumentException, New-InvalidOperationException, New-ObjectNotFoundException, and New-InvalidResultException (issue 257). For more information around these helper functions and localization in resources, see Localization section in the Style Guideline.
    • Added common module DscResource.Common containing the helper function Test-DscParameterState. The goal is that all resource common functions are moved to this module (functions that are or can be used by more than one resource) (issue 257).
    • Added xADManagedServiceAccount resource to manage Managed Service Accounts (MSAs). Andrew Wickham (@awickham10) and @kungfu71186
    • Removing the Misc Folder, as it is no longer required.
    • Added xADKDSKey resource to create KDS Root Keys for gMSAs. @kungfu71186
    • Combined DscResource.LocalizationHelper and DscResource.Common Modules into xActiveDirectory.Common
  • Changes to xADReplicationSiteLink
    • Make use of the new localization helper functions.
  • Changes to xAdDomainController
    • Added new parameter to disable or enable the Global Catalog (GC) (issue 75). Eric Foskett @Merto410
    • Fixed a bug with the parameter InstallationMediaPath that it would not be added if it was specified in a configuration. Now the parameter InstallationMediaPath is correctly passed to Install-ADDSDomainController.
    • Refactored the resource with major code cleanup and localization.
    • Updated unit tests to latest unit test template and refactored the tests for the function “Set-TargetResource”.
    • Improved test code coverage.
  • Changes to xADComputer
    • Restoring a computer account from the recycle bin no longer fails if there is more than one object with the same name in the recycle bin. Now it uses the object that was changed last using the property whenChanged (issue 271).
  • Changes to xADGroup
    • Restoring a group from the recycle bin no longer fails if there is more than one object with the same name in the recycle bin. Now it uses the object that was changed last using the property whenChanged (issue 271).
  • Changes to xADOrganizationalUnit
    • Restoring an organizational unit from the recycle bin no longer fails if there is more than one object with the same name in the recycle bin. Now it uses the object that was changed last using the property whenChanged (issue 271).
  • Changes to xADUser
    • Restoring a user from the recycle bin no longer fails if there is more than one object with the same name in the recycle bin. Now it uses the object that was changed last using the property whenChanged (issue 271).
xDnsServer 1.12.0.0
  • Update appveyor.yml to use the default template.
  • Added default template files .codecov.yml, .gitattributes, and .gitignore, and .vscode folder.
  • Added UseRootHint property to xDnsServerForwarder resource.
xFirefox 1.3.0.0
  • Update appveyor.yml to use the default template.
  • Added default template files .codecov.yml, .gitattributes, and .gitignore, and .vscode folder.
  • The module manifest now contains the correct PowerShell version.
  • Added xFirefoxPreference Resource to automate Firefox Preference Configuration
xPSDesiredStateConfiguration 8.7.0.0
  • MSFT_xWindowsProcess:
    • Fixes issue where a process will fail to be created if a $Path is passed that contains one or more spaces, and the resource is using $Credentials.
    • Fixes issue where a process will fail to be created if $Arguments are passed that contain one or more spaces (with or without credentials).
    • Fixes issue where Integration tests fail if empty Arguments are passed. issue 605
    • Heavily refactors MSFT_xWindowsProcess.Integration.Tests.ps1 and adds more Path and Arguments related test cases.
    • Removes reliance on test file WindowsProcessTestProcess.
  • Fixes test failures in xWindowsOptionalFeatureSet.Integration.Tests.ps1 due to accessing the windowsOptionalFeatureName variable before it is assigned. issue 612
  • MSFT_xDSCWebService
    • Fixes issue 536 and starts the deprecation process for configuring a windows firewall (exception) rule using xDSCWebService
    • Fixes issue 463 and fixes some bugs introduced with the new firewall rule handling
xWebAdministration 2.6.0.0
  • Changed order of classes in schema.mof files to workaround 423
  • Fix subject comparison multiple entries for helper function Find-Certificate that could not find the test helper function Install-NewSelfSignedCertificateExScript.
  • Updated unit test for helper function Find-Certificate to check for multiple subject names in different orders.

How to Find Released DSC Resource Modules

To see a list of all released DSC Resource Kit modules, go to the PowerShell Gallery and display all modules tagged as DSCResourceKit. You can also enter a module’s name in the search box in the upper right corner of the PowerShell Gallery to find a specific module.

Of course, you can also always use PowerShellGet (available starting in WMF 5.0) to find modules with DSC Resources:

# To list all modules that are tagged as DSCResourceKit
Find-Module -Tag DSCResourceKit 
# To list all DSC resources from all sources
Find-DscResource

Please note only those modules released by the PowerShell Team are currently considered part of the ‘DSC Resource Kit’ regardless of the presence of the ‘DSC Resource Kit’ tag in the PowerShell Gallery.

To find a specific module, go directly to its URL on the PowerShell Gallery:
http://www.powershellgallery.com/packages/< module name >
For example:
http://www.powershellgallery.com/packages/xWebAdministration

How to Install DSC Resource Modules From the PowerShell Gallery

We recommend that you use PowerShellGet to install DSC resource modules:

Install-Module -Name < module name >

For example:

Install-Module -Name xWebAdministration

To update all previously installed modules at once, open an elevated PowerShell prompt and use this command:

Update-Module

After installing modules, you can discover all DSC resources available to your local system with this command:

Get-DscResource

How to Find DSC Resource Modules on GitHub

All resource modules in the DSC Resource Kit are available open-source on GitHub.
You can see the most recent state of a resource module by visiting its GitHub page at:
https://github.com/PowerShell/< module name >
For example, for the CertificateDsc module, go to:
https://github.com/PowerShell/CertificateDsc.

All DSC modules are also listed as submodules of the DscResources repository in the DscResources folder and the xDscResources folder.

How to Contribute

You are more than welcome to contribute to the development of the DSC Resource Kit! There are several different ways you can help. You can create new DSC resources or modules, add test automation, improve documentation, fix existing issues, or open new ones.
See our contributing guide for more info on how to become a DSC Resource Kit contributor.

If you would like to help, please take a look at the list of open issues for the DscResources repository.
You can also check issues for specific resource modules by going to:
https://github.com/PowerShell/< module name >/issues
For example:
https://github.com/PowerShell/xPSDesiredStateConfiguration/issues

Your help in developing the DSC Resource Kit is invaluable to us!

Questions, comments?

If you’re looking into using PowerShell DSC, have questions or issues with a current resource, or would like a new resource, let us know in the comments below, on Twitter (@PowerShell_Team), or by creating an issue on GitHub.

Katie Kragenbrink
Software Engineer
PowerShell DSC Team
@katiedsc (Twitter)
@kwirkykat (GitHub)

The post DSC Resource Kit Release May 2019 appeared first on PowerShell.

Get-ScriptDirectory to the Rescue


The other day I was writing a script and decided that I wanted to break it into a couple of files and have the main script dot-source a library script in the same directory. Here is the problem that I ran into:
PS> Get-ChildItem

    Directory: Microsoft.PowerShell.Core\FileSystem::C:\Temp\test

Mode    LastWriteTime        Length Name
----    -------------        ------ ----
d----   6/19/2007 6:12 AM           subdir
-a---   6/19/2007 6:12 AM        47 Invoke-Test.ps1
-a---   6/19/2007 6:12 AM        47 LibraryTest.ps1

PS> Get-Content Invoke-Test.ps1
. .\LibraryTest.ps1
echo "I Love PowerShell"
PS>
PS> Get-Content LibraryTest.ps1
function echo ($msg)
{ write-host $msg
}
PS>
PS> C:\temp\test\Invoke-Test.ps1
I Love PowerShell
PS>
PS> Set-Location subdir
PS> C:\temp\test\Invoke-Test.ps1
The term '.\LibraryTest.ps1' is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.
At C:\temp\test\Invoke-Test.ps1:1 char:2
+ .
The problem is that when the script dot-sources the library (". .\LibraryTest.ps1") from the current directory, it is the current directory of the process, not the directory of the script. That is why it worked when I was in the directory that had the library but it broke when I changed my location to a different directory.
What the script needs to do is to dot-source the library from its own directory (the ScriptDirectory) not the current working directory.
This brings up the question – how do I do that? (Good question!)
I didn’t know the answer off the top of my head. Well, as always with PowerShell, there is a way if you think about it for a while. Note that while it is a best practice to go explore and figure this stuff out, you can always just post a question to our newsgroup Microsoft.Public.Windows.PowerShell and the community will help.
So how do you figure this out? Let’s first start by seeing what variables are provided to a function. This is a little trickier than it sounds because in PowerShell, if you ask for a variable and it isn’t in your function’s scope, we look for it in your parent’s scope and so on until we reach the top of the stack. So the trick is to only see those variables in your scope. Check this out:
PS> function t { (Get-Variable).Count }
PS> t
72
PS> function t { (Get-Variable -Scope 0).Count }
PS> t
17
PS> # That tells us that the function has access to 72 variables but 17 are in its scope.
PS> # PowerShell populates these for each scope automatically.
PS>
PS> function t { Get-Variable -Scope 0 |sort Name}
PS> t

Name                   Value
----                   -----
?                      True
args                   {}
ConsoleFileName
Culture                en-US
ExecutionContext       System.Management.Automation.EngineIntrin…
false                  False
HOME                   E:\Users\jsnover.NTDEV
Host                   System.Management.Automation.Internal.Hos…
input                  System.Array+SZArrayEnumerator
MaximumVariableCount   4096
MyInvocation           System.Management.Automation.InvocationInfo
null
PID                    960
PSHOME                 E:\Windows\system32\WindowsPowerShell\v1.0
ShellId                Microsoft.PowerShell
true                   True
UICulture              en-US
The variable $MyInvocation is the one I was looking for so let’s explore it and see how it can help me solve this problem. Notice that I’m going to use both test scripts and the interactive shell to explore this. I’m leveraging the fact that all scopes have $MyInvocation so I can use the interactive session to explore its structure but I need a test script to test the actual values for an external script.
PS> Get-Content t1.ps1
$MyInvocation | Format-List *
PS> .\t1.ps1

MyCommand        : t1.ps1
ScriptLineNumber : 1
OffsetInLine     : 9
ScriptName       :
Line             : .\t1.ps1
PositionMessage  :
                   At line:1 char:9
                   + .\t1.ps1

PS> # Note the LACK of a PATH. Let’s explore the structure of MyInvocation
PS> # to see if we can find one.
PS> $MyInvocation |Get-Member -type Property

   TypeName: System.Management.Automation.InvocationInfo

Name             MemberType Definition
----             ---------- ----------
InvocationName   Property   System.String InvocationName {get;}
Line             Property   System.String Line {get;}
MyCommand        Property   System.Management.Automation.CommandInfo MyC…
OffsetInLine     Property   System.Int32 OffsetInLine {get;}
PipelineLength   Property   System.Int32 PipelineLength {get;}
PipelinePosition Property   System.Int32 PipelinePosition {get;}
PositionMessage  Property   System.String PositionMessage {get;}
ScriptLineNumber Property   System.Int32 ScriptLineNumber {get;}
ScriptName       Property   System.String ScriptName {get;}

PS> # Notice that MyCommand is a structure (not a simple type) so let’s explore it.
PS> $MyInvocation.MyCommand |Get-Member -Type Property

   TypeName: System.Management.Automation.ScriptInfo

Name        MemberType Definition
----        ---------- ----------
CommandType Property   System.Management.Automation.CommandTypes Command…
Definition  Property   System.String Definition {get;}
Name        Property   System.String Name {get;}
ScriptBlock Property   System.Management.Automation.ScriptBlock ScriptBl…

PS> # Looks promising.
PS> Get-Content t2.ps1
$MyInvocation.MyCommand | Format-List *
PS> .\t2.ps1

Path        : C:\Temp\test\subdir\t2.ps1
Definition  : C:\Temp\test\subdir\t2.ps1
Name        : t2.ps1
CommandType : ExternalScript

PS> # BINGO!
So with that knowledge I can now write my Get-ScriptDirectory function and use it to dot-source a local library properly. Now think about this a second: if you write a function Get-ScriptDirectory and call it, $MyInvocation is going to be changed and reflect the call to that function. So what this function has to do is to work on the $MyInvocation of its parent! Luckily, the PowerShell team thought of that and the Get-Variable cmdlet allows you to specify a SCOPE. If you specify 0, it means the current scope (you saw this earlier). If you specify 1, it means the parent scope (2 means the grandparent and so on). So here it is:
PS> Get-Content Invoke-Test.ps1
function Get-ScriptDirectory
{
    $Invocation = (Get-Variable MyInvocation -Scope 1).Value
    Split-Path $Invocation.MyCommand.Path
}

$path = Join-Path (Get-ScriptDirectory) LibraryTest.ps1
. $path
echo "I Love PowerShell"
PS>
PS> C:\Temp\test\Invoke-Test.ps1
I Love PowerShell
PS>
PS> Set-Location subdir
PS>
PS> C:\Temp\test\Invoke-Test.ps1
I Love PowerShell
PS>
PS> # If it can work there, it can work anywhere!
I just love this stuff!!!!
Jeffrey Snover [MSFT]
Windows Management Partner Architect
Visit the Windows PowerShell Team blog at: http://blogs.msdn.com/PowerShell
Visit the Windows PowerShell ScriptCenter at: http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx
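
The relative dot-source shown at the start of this post loads whatever LibraryTest.ps1 sits in the caller's working directory, so anchoring the path to the script's own directory is also a hardening step. The following is an added example, not code from the original post: it keeps the post's scope-1 technique as a fallback, prefers $PSScriptRoot where the host provides it (PowerShell 3.0 and later), and validates the library before it is dot-sourced. Resolve-LocalLibrary and its parameters are hypothetical names.

```powershell
# Added example: Resolve-LocalLibrary and its parameters are hypothetical names.

function Get-ScriptDirectory {
    # PowerShell 3.0+ sets $PSScriptRoot inside script files.
    if ($PSScriptRoot) { return $PSScriptRoot }

    # Older hosts: the post's technique, reading the caller's $MyInvocation.
    # It only works when called directly from script scope. Called from
    # another function, scope 1 is that function and MyCommand has no Path.
    $invocation = (Get-Variable MyInvocation -Scope 1).Value
    $path = $invocation.MyCommand.Path
    if (-not $path) {
        throw 'Get-ScriptDirectory must be called from the top level of a script file.'
    }
    Split-Path -Parent $path
}

function Resolve-LocalLibrary {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $ScriptDirectory,
        [switch] $RequireSignature
    )

    # Accept a bare .ps1 file name only, so the result cannot point outside
    # the script directory (no '..\', no rooted or UNC paths).
    if ($Name -ne (Split-Path -Leaf $Name) -or $Name -notlike '*.ps1') {
        throw "Library name '$Name' must be a plain .ps1 file name."
    }

    $candidate = Join-Path $ScriptDirectory $Name
    if (-not (Test-Path -LiteralPath $candidate -PathType Leaf)) {
        throw "Library '$Name' was not found in '$ScriptDirectory'."
    }
    $resolved = (Resolve-Path -LiteralPath $candidate).ProviderPath

    # Optional: refuse libraries without a valid Authenticode signature.
    if ($RequireSignature) {
        $signature = Get-AuthenticodeSignature -LiteralPath $resolved
        if ($signature.Status -ne 'Valid') {
            throw "Library '$resolved' has signature status '$($signature.Status)'."
        }
    }
    $resolved
}

# Dot-source at script scope. Doing it inside a function would confine the
# library's functions to that function's scope.
$libraryPath = Resolve-LocalLibrary -Name 'LibraryTest.ps1' -ScriptDirectory (Get-ScriptDirectory)
. $libraryPath
echo "I Love PowerShell"
```

Saved as Invoke-Test.ps1 next to LibraryTest.ps1, this behaves the same from any working directory and fails with a clear error instead of loading a same-named file from elsewhere.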

The post Get-ScriptDirectory to the Rescue appeared first on PowerShell.

Detecting LDAP based Kerberoasting with Azure ATP


In a typical Kerberoasting attack, attackers exploit LDAP vulnerabilities to generate a list of all user accounts with a Kerberos Service Principal Name (SPN) available. Once they have listed these accounts, attackers request Kerberos service tickets for each user account with an SPN and later perform an offline brute force attack on the encrypted part of the Kerberos tickets. This action helps attackers locate a password that belongs to a domain account. Domain account passwords enable attackers to freely move laterally in your domain.

 

Environments where the Kerberos Ticket Granting Service (TGS) is encrypted with a weak cipher, and the cipher is generated from a well-known password (not randomly generated) are prime targets for successful brute force attacks of this type.  

 

The following attack logic is often used to find an organization's weakest link and perform LDAP based Kerberoast attacks.

 

Figure 1 - Typical Kerberoasting attack flow

 

Typical LDAP based Kerberoasting attack flow and result: 

 

Step 1: Identify

 

In this attack phase, attackers use LDAP to query and locate all user accounts with a Service Principal Name (SPN). Any user account in the domain can run this LDAP query.

 

Figure 2 - LDAP query that looks for all user accounts with a SPN set

Step 2: Enumerate

In this phase of the attack, a request is made for Kerberos TGS to the SPN using a valid TGT.

 

Figure 3 - TGS request to ExampleService of user1 by user2

Figure 4 - TGS response with ticket to ExampleService of user1
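
What Step 2 leaves behind on a domain controller, as an added example (not from the original post, and not Azure ATP's detection logic): each TGS request is logged as Security Event ID 4769, and one account requesting RC4-encrypted (0x17) tickets for several distinct service accounts within minutes is a common Kerberoasting heuristic. The function names, thresholds and sample records below are assumptions constructed for illustration.

```powershell
# Added example: thresholds, function names and sample records are assumptions.

function ConvertFrom-Event4769 {
    # Flattens a Get-WinEvent record for Event ID 4769 into the fields used below.
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $WinEvent)
    process {
        $data = @{}
        foreach ($d in ([xml]$WinEvent.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated          = $WinEvent.TimeCreated
            TargetUserName       = $data['TargetUserName']
            ServiceName          = $data['ServiceName']
            TicketEncryptionType = $data['TicketEncryptionType']
            IpAddress            = $data['IpAddress']
        }
    }
}

function Find-TgsRequestBurst {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Record,
        [int] $WindowMinutes = 5,
        [int] $MinDistinctServices = 3
    )

    $Record |
        Where-Object {
            $_.TicketEncryptionType -eq '0x17' -and   # RC4-HMAC
            $_.ServiceName -notlike '*$' -and         # skip computer accounts
            $_.ServiceName -ne 'krbtgt'
        } |
        Group-Object -Property TargetUserName, IpAddress |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            $best = @()
            $start = $null
            # Slide a window over the requests and keep the one that covers
            # the most distinct service accounts.
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $limit = $sorted[$i].TimeCreated.AddMinutes($WindowMinutes)
                $inWindow = @($sorted[$i..($sorted.Count - 1)] |
                    Where-Object { $_.TimeCreated -le $limit })
                $services = @($inWindow | ForEach-Object { $_.ServiceName } | Sort-Object -Unique)
                if ($services.Count -gt $best.Count) {
                    $best = $services
                    $start = $sorted[$i].TimeCreated
                }
            }
            if ($best.Count -ge $MinDistinctServices) {
                [pscustomobject]@{
                    Account          = $sorted[0].TargetUserName
                    Source           = $sorted[0].IpAddress
                    WindowStart      = $start
                    DistinctServices = $best.Count
                    Services         = $best -join ', '
                }
            }
        }
}

# Constructed sample records (not real log data).
$t0 = Get-Date '2019-05-14T09:00:00'
function New-SampleRecord($Offset, $User, $Service, $EType) {
    [pscustomobject]@{
        TimeCreated          = $t0.AddSeconds($Offset)
        TargetUserName       = $User
        ServiceName          = $Service
        TicketEncryptionType = $EType
        IpAddress            = '::ffff:10.0.0.25'
    }
}
$sample = @(
    New-SampleRecord 0  'user2@EXAMPLE.TEST' 'svc-sql'    '0x17'
    New-SampleRecord 4  'user2@EXAMPLE.TEST' 'svc-web'    '0x17'
    New-SampleRecord 9  'user2@EXAMPLE.TEST' 'svc-backup' '0x17'
    New-SampleRecord 15 'user2@EXAMPLE.TEST' 'svc-report' '0x17'
    New-SampleRecord 30 'user3@EXAMPLE.TEST' 'svc-web'    '0x12'   # AES256, ignored
    New-SampleRecord 42 'user3@EXAMPLE.TEST' 'FILESRV01$' '0x12'   # computer account
)

Find-TgsRequestBurst -Record $sample | Format-List

# Against a live domain controller (requires Kerberos service ticket auditing):
# $records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } | ConvertFrom-Event4769
# Find-TgsRequestBurst -Record $records
```

With the constructed records, only user2 is reported. Tune the window and the distinct-service threshold against your own baseline, since some legitimate applications still request RC4 tickets.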

 

Step 3: Brute force

 

In the brute force phase of the attack, by using commonly available password cracking tools on accounts with commonly used passwords, attackers easily succeed at obtaining the password.

 

In the following example, a commonly used password cracking tool, JohnTheRipper, performs a successful brute force using a rainbow table.  

 

Figure 5 - Cracked password using a rainbow table

Step 4: Attack  

 

In cases where the attempted brute force attack (shown previously) is successful, attackers use the newly obtained clear-text password to log in to remote machines or access cloud resources and files.

 

Figure 6 - Interactive clear-text logon

How can you detect and prevent Kerberoast attacks from succeeding? 

Azure Advanced Threat Protection (Azure ATP) has risen to the Kerberoasting challenge and developed new methods to detect when malicious actors are attempting to perform LDAP based reconnaissance on your domain. While this type of attack is difficult to detect, and LDAP’s extensive query language presented additional challenges, our security research work involved differentiating legitimate workflows from malicious behavior and surfacing all related activities and entities.

Our newest security alert involves smart behavioral detection backed by extensive machine learning, designed to raise an alert when any type of abnormal enumeration (including SPN enumeration), or queries on sensitive security groups are detected.  

 

Starting from v2.72, Azure ATP issues a Security principal reconnaissance (LDAP) alert when the first stage of a Kerberoasting attack attempt is detected on the domains we monitor.  

 

Each alert includes vital information for use in your investigation and remediation:

 

1. Identification of malicious activity

2. Attempted enumeration details and specifics

3. Historical comparisons and activity correlation

4. Suggested remediation steps

 


The following workflow explains how to use Azure ATP alerts to detect and remediate Kerberoasting attempts on your domain.

 

Step 1: Review the alert to identify the actors and entities involved.

 

Figure 7 - Azure ATP alert on suspicious enumerations

 

Step 2: Filter activities to review resource access on the entity involved

 

Figure 8 - Filter for resource access activities on Client1's profile

 

Step 3: Use the filter results to investigate the resource access activities

 

Figure 9 - Investigate the resource access activity (generated by Kerberos Ticket Granting Service) for ExampleService/User1

Step 4: Filter Interactive logon and Credential validation for the accessed entity

 

Figure 10 - Filter Interactive logon and Credential validation on User1’s profile

Step 5: Review logon and access attempts

 

Figure 11 - User1's clear text password was used to log on interactively on Client2

Step 6: Remediate possible risks

  1. Force a password reset on the compromised account
  2. Require use of long and complex passwords for users with service principal accounts https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-length
  3. Replace the user account by Group Managed Service Account (gMSA) https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
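
The identify and enumerate phases described above leave two traces a defender can correlate: a wildcard SPN search over LDAP, followed by several service ticket requests with a weak cipher from the same client. The following is an added example, not Azure ATP's detection logic or code from the original post; the record layout, the 10-minute window and the threshold are assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # Kerberos etype 23 (RC4-HMAC), the weak-cipher case
WINDOW = timedelta(minutes=10)   # assumed correlation window
MIN_DISTINCT_SERVICES = 3        # assumed threshold; tune per environment

# An SPN term inside an LDAP filter, capturing the value being matched.
SPN_TERM = re.compile(r"\(\s*serviceprincipalname\s*=\s*([^()]*)\)", re.I)
# Terms that scope a search to user accounts.
USER_TERM = re.compile(
    r"\(\s*(objectclass\s*=\s*user|objectcategory\s*=\s*person"
    r"|samaccounttype\s*=\s*805306368)\s*\)", re.I)

# Constructed, simplified records (not a real export format): LDAP searches as a
# domain controller might log them, and service ticket requests (cf. Event ID 4769).
LDAP_SEARCHES = [
    {"time": "2019-05-20T10:00:05", "client": "10.0.0.21", "user": "user2",
     "filter": "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"},
    {"time": "2019-05-20T10:01:00", "client": "10.0.0.30", "user": "svc-backup",
     "filter": "(&(objectClass=computer)(servicePrincipalName=HOST/FS01))"},
    {"time": "2019-05-20T10:02:00", "client": "10.0.0.50", "user": "auditor1",
     "filter": "(&(objectClass=user)(servicePrincipalName=*))"},
]
TGS_REQUESTS = [
    {"time": "2019-05-20T10:00:40", "client": "10.0.0.21", "service": "user1", "etype": 0x17},
    {"time": "2019-05-20T10:00:41", "client": "10.0.0.21", "service": "svc-sql", "etype": 0x17},
    {"time": "2019-05-20T10:00:43", "client": "10.0.0.21", "service": "svc-web", "etype": 0x17},
    {"time": "2019-05-20T10:00:50", "client": "10.0.0.21", "service": "FS01$", "etype": 0x12},
    {"time": "2019-05-20T10:02:30", "client": "10.0.0.50", "service": "svc-sql", "etype": 0x17},
    {"time": "2019-05-20T10:03:00", "client": "10.0.0.44", "service": "user1", "etype": 0x12},
]


def is_spn_enumeration(ldap_filter):
    """True when a filter asks for user accounts by wildcard SPN, not one known SPN."""
    wildcard_spn = any("*" in m.group(1) for m in SPN_TERM.finditer(ldap_filter))
    return wildcard_spn and bool(USER_TERM.search(ldap_filter))


def weak_tickets_after(search, tgs_requests):
    """Service accounts for which the searching client got RC4 tickets within WINDOW."""
    start = datetime.fromisoformat(search["time"])
    services = set()
    for req in tgs_requests:
        if req["client"] != search["client"] or req["etype"] != RC4_HMAC:
            continue
        service = req["service"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and krbtgt are normal background traffic
        if start <= datetime.fromisoformat(req["time"]) <= start + WINDOW:
            services.add(service)
    return services


def correlate(ldap_searches, tgs_requests):
    """Flag clients whose SPN enumeration is followed by a burst of weak-cipher tickets."""
    findings = []
    for search in ldap_searches:
        if not is_spn_enumeration(search["filter"]):
            continue
        services = weak_tickets_after(search, tgs_requests)
        if len(services) >= MIN_DISTINCT_SERVICES:
            findings.append({
                "client": search["client"],
                "user": search["user"],
                "enumerated_at": search["time"],
                "services": sorted(services),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(LDAP_SEARCHES, TGS_REQUESTS):
        print(finding)
```

The client at 10.0.0.50 also runs a wildcard SPN search but stays below the threshold, which shows why the enumeration alone is a weak signal and the ticket burst is what raises confidence.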

 

Kerberoasting remains a popular attack method and heavily discussed security issue, but the effects of a successful Kerberoasting attack are real. Make sure your security team is aware of common Kerberoasting risks and strategies, along with the tools and alerts Azure ATP offers to help protect your domain.

 

As always, we welcome your feedback about our work, and are interested in learning more about the security threats and risks you encounter. For more information about features and threat protection, or to learn how we can help, contact us.

 

Get Started Today

 

If you are just starting your journey, begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace:

 

 

 


Software Update Dashboard by Collections



 

This content has also been posted on the Core Infrastructure and Security TechCommunity @ https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/Software-Update-Dashboard-by-Collections/ba-p/615822

**Please visit the above URL for any future updates!

 

Hello everyone, Matt Novitsch (SCCM Premier Field Engineer) here to talk to you about a Power BI Dashboard that I created using SCCM data.

<#
Script Disclaimer. The sample scripts provided here are not supported under any Microsoft standard support program or service. All scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose.
#>

https://gallery.technet.microsoft.com/SCCM-Patching-Dashboard-d0eb8b21

Summary:

This dashboard presents software update status for the collection and lists the systems that are in that collection. It is meant to be used for a management overview, along with some details for the system admin to track down problem machines.

How to install:

First thing we need to do is get the collection(s) that you are targeting with your software update groups. Open the SoftwareUpdateByCollectionScript.sql file in SQL Server Management Studio or your preferred SQL Editor. You will need to change the FILENAME path to your desired location. Change NOV000015 to the collection(s) of your workstations. Change NOV000016 to the collection(s) of your servers. Change SMSDM003 to the collection(s) of your Windows Defender and other updates. Please note if you want to add more than one collection for your workstations add a comma between the two collections. An example of multiple collections is below.

Example:

vFCM.CollectionID in ('NOV000015','NOV000029','NOV000190')

Originally, I had the query limited to just the Cumulative Updates; I have commented those out and allowed everything that is applied to the collection. If you wish to filter the dashboard to certain updates, I have left the code in place so you can uncomment it and it will work. The lines you want to change for this are just after the comment “This is where you would add the title of the update(s) if you want them filtered”. If you choose to filter on the Cumulative updates, just delete the /* and the */. If you want to filter on a list of updates, then you will need to copy the row with the like in it and paste it once for each update you want to filter on. An example of multiple filters of software updates is below.

Example:

Vui.title like '%Cumulative Update for Windows%' and

Vui.title like '%Adobe%' and

Finally, you will need to run the SoftwareUpdateByCollectionScript.sql on the CAS/Primary database server. This script creates a database called SCCM_PBI_Reporting and then creates the tables and stored procedure needed to run the SoftwareUpdateByCollection Dashboard in Power BI so you will need admin rights to create those on the database.

Using the dashboard:

Once the script has run successfully, make sure you have Power BI Desktop x64 installed (Version: 2.67.5404.581 64-bit (March 2019)). Open SoftwareUpdatesByCollections.pbit; the first thing that you will see is the Welcome to Power BI Desktop screen. Please create an account or sign in if you already have one.

Once logged in a window will appear asking for your server and database, these are parameters for all the queries. The first parameter is your SQL Server of your CAS/Primary. The second parameter is your database of your CAS/Primary (Default is SCCM_PBI_Reporting).

Once you click load, you may be prompted with a message box stating that the Native Database query needs approval to run. Click run to continue; if you do not click run, the data will not load in the database. It should appear no more than 3 times (one for each query).

You should be able to see the dashboards if all the changes were made correctly. It should look something like this.

Finally, please remember to save the file to your desired location so you don’t have to make the changes to the template every time. Open your file with the PBI extension next time and click the refresh button, you will be good to go then.

How to uninstall:

Open the SoftwareUpdateByCollectionScript.sql file in SQL Server Management Studio or your preferred SQL Editor. Go to the bottom of the file. You will see about 10 lines that are commented out. Highlight the 10 lines and execute them. Below is what the code looks like.

--Uninstall SCCM PBI_Reporting database
/*
--Sets database to single user mode so it drops all other connections
USE [master]
GO
ALTER DATABASE [SCCM_PBI_Reporting] SET SINGLE_USER WITH ROLLBACK IMMEDIATE
GO
--Deletes the database from SQL Server
DROP DATABASE [SCCM_PBI_Reporting]
*/

We’re almost there! Join us at Windows Server Summit 2019


This blog post was authored by Dianna Marks, Product Marketing Manager, Windows Server Product Marketing.

Windows Server Summit 2019 is just two days away and we already have over 8,500 registered to attend. That’s a record in Windows Server Summit virtual event registrations to date! Register now and tell your friends and colleagues about it because you don’t want to miss it. We’ve spent hundreds of hours creating never-before-seen Windows Server demos and content that will be delivered to you by our rock star presenters.

What do we have in store for you?

These demo-rich sessions will be jam-packed with all the latest and greatest in Windows Server, of course! That includes what we’ve done in areas like hyperconverged infrastructure, hybrid cloud, containers, and modernization of your IT infrastructure. We’ll also cover management products like Windows Admin Center and System Center 2019 as your gateway to the cloud.

But that’s not all!

We are giving away five Xbox One X consoles and ten Surface Headphones for lucky winners this year*. How do you get your hands on one of those? All you have to do is be a good Windows Server Summit participant and perform a few engagement activities, like:
  • Attend the live broadcast for at least an hour
  • Complete the Knowledge Check
  • Download a document from the virtual event Resources
  • Take the event survey
Once you’ve done all that, you’ll be entered in the sweepstakes to win one of the fifteen prizes we have available. If you live in a country where Xbox One or Surface Headphones are not certified for distribution, you will be provided with a Microsoft Store gift card of equivalent value. A pretty good deal, huh?

Tune in

On Wednesday, May 22, 2019, at 9:00 am Pacific Time to learn how to make the most of Windows Server so your environment is covered today, tomorrow, and into the future. And who knows, you may be listening to the next Windows Server Summit wearing a nice shiny pair of Surface Headphones!

*No Purchase Necessary. Open only to registered event attendees 18+. Sweepstakes ends 5/22. For details, see Official Rules.

The post We’re almost there! Join us at Windows Server Summit 2019 appeared first on Windows Server Blog.

Windows Server version 1903 now generally available


Last month, we gave everyone a detailed sneak peek into new capabilities we are releasing with Windows Server, version 1903. Today, we are excited to announce that this release is now generally available.

Windows Server, version 1903 brings innovation to areas that matter to you, such as Containers, Edge Computing and Hybrid. You can see these capabilities enabled across our suite of server products.

Windows Server containers

We’ve introduced several new capabilities of Windows Server containers, most notably, the support of Windows Server containers in Kubernetes. Not only that, we are also bringing that support to Azure Kubernetes Service (AKS). Check out the preview for more details.

Other enhancements include GPU Acceleration in Windows containers, and scalability improvements in the latest release of Flannel and Kubernetes v1.14.

Windows Admin Center

The latest Windows Admin Center release continues to build on hybrid cloud capabilities that make it easier than ever to leverage the benefits of the cloud from your Windows Servers. For example, you can seamlessly migrate Windows Server 2008 and 2008 R2 file shares to Azure, using Storage Migration Service and Azure File Sync integration in Windows Admin Center.

Check out the Windows Admin Center blog for other new capabilities.

Application Compatibility in Server Core

Server Core is the recommended Server OS for production. Server Core App Compatibility Feature on Demand (FOD) augments Server Core for improved application compatibility. The two additions to FOD in this release are Task Scheduler and Hyper-V Manager.

Learn more

Refer to what’s new in Windows Server version 1903 in Windows Server docs.

Tune in to Windows Server Summit on May 22nd at 9AM Pacific Time and also check out the on-demand sessions.

What to expect from Windows Server Summit? Windows Server experts will dive deep into

  • Azure Kubernetes Service (AKS) with Windows Server containers
  • Latest in Windows Admin Center
  • Storage Migration Service
  • Application Compatibility Feature-on-demand (FOD)
  • And, many more Windows Server sessions

Get started

Get Windows Server version 1903:

  • Volume Licensing Service Center (VLSC): Volume-licensed customers with Software Assurance can obtain the release by going to the Volume Licensing Service Center and clicking Sign In. Then click Downloads and Keys and search for this release.
  • Visual Studio Subscriptions: Visual Studio Subscribers can obtain Windows Server, version 1903 by downloading it from the Visual Studio Subscriber download page. Releases obtained through Visual Studio Subscriptions are for development and testing only.

Frequently asked questions

Q: Are there new HCI and SDDC features in the Semi-Annual Channel 1903 release?

A: No, software-defined datacenter features like Storage Spaces Direct, software-defined networking, and shielded virtual machines aren’t included in Semi-Annual Channel releases. As described in Windows Server Semi-Annual Channel update, the Semi-Annual Channel of Windows Server is focused on containers and application scenarios that benefit from faster innovation.

If you need infrastructure roles, use a Long-Term Servicing Channel release such as Windows Server 2019, or a Windows Server Insider Preview Build if you want to test the latest innovations.

Q: Does Windows Admin Center ship in Windows Server, version 1903?

A: Windows Admin Center is available as a separate download.

Q: Where can I find Windows Server container images?

A: You can start with this landing page on Docker Hub. For more details on how to use Windows Server containers, check out the documentation site.

The post Windows Server version 1903 now generally available appeared first on Windows Server Blog.

Simplified iOS device management with Microsoft’s Intune for Education


Microsoft Intune for Education continues to deliver new and exciting iOS management capabilities that make it easier than ever for IT administrators to manage classroom devices from one unified console.

 

Students often require different devices depending on the different stages in their development at school. And with the heavy use of iPads in early learning classrooms, Microsoft has continued to invest in broadening the iOS device management capabilities in Intune for Education. This not only ensures schools can easily support their students’ technology needs, but administrators can now centralize and streamline management across iOS and Windows devices to deliver a great classroom experience regardless of the device.

 


 

Let’s look at some of the exciting new features for iOS device management released recently, and what else is coming soon!

 

Microsoft is dedicated to making device configuration simple for our Education customers. In the past few months, we've added several new features in Intune for Education to make initial setup of iOS devices quick and easy.

Intune for Education helps you connect your Intune and Apple School Manager accounts, and now when you set up an MDM server token in Intune for Education, Intune for Education automatically configures enrollment settings, so the devices associated with the MDM Server Token have fewer Setup Assistant screens to tap through. This makes enrollment even faster.

We've also added a customizable iOS device naming format. By default, devices enrolled using enrollment program tokens are given the same name, e.g. “iPad” or “iPhone”, but we know it's important for devices to have unique names so you can easily differentiate and group them in Intune for Education. Now you can do this easily with Intune for Education.

We've also added the ability to enroll your iOS devices with Shared iPad features enabled. Shared iPad is an iOS feature that requires students and teachers to sign in to school devices with a Managed Apple ID. They can sign in and out of any enabled device in the school to access saved and in-progress work, apps, and tasks.

The last piece of getting iOS devices up and running in a quick and easy way is using Intune for Education's Express Configuration to quickly set up apps and settings on groups of devices. Express Configuration features the settings that are essential to get a group of devices ready for the classroom. We continually adjust this list, so you will see some settings move out of Express Configuration and some new settings moved in. You can always find all the available settings for iOS devices in Intune for Education in Groups > Settings > iOS Device Settings.

 

New improvements to Apple VPP support and management have also been a big area of focus, enabling you to sync your VPP-purchased apps with Intune for Education, as well as assign these apps directly from the Intune for Education dashboard. You’ll also notice that we now display location information for your Apple School Manager VPP tokens so that you can easily identify them from both Intune for Education and Apple School Manager. You can give your VPP tokens nicknames in Intune for Education for easy labeling and organization.

 

Coming soon: you'll be able to restrict which admins have access to specific VPP tokens based on Intune role assignments. We know this is crucial when certain classrooms are trying to use specialized iOS apps and you want to make sure only the right people have access.

 

As we continue to add new settings, feedback from our education partners and customers has been amazingly helpful. For example, we've heard from many schools that it is important to be able to configure custom wallpaper and lock screen images on school devices. And now it’s possible through Intune for Education! We've also added some settings that give more control over how the iOS Classroom app is used. Coming later on: so you can configure the app through Intune for Education. We will also be adding a feature that helps you easily configure a custom Home Screen layout for classroom devices.

 

Microsoft is committed to delivering rich and seamless device management that enhances classroom experiences and learning. We know iPads are one such device, so we continue to invest heavily in new features to make iOS devices quick and easy to manage.

 

To learn more about Microsoft support for iOS devices please visit the Intune for Education doc site, or if you have questions or feedback please comment below.

 

 

 

Infrastructure + Security: Noteworthy News (May, 2019)


Hi there! Stanislav Belov here, and you are reading the next issue of the Infrastructure + Security: Noteworthy News series!  

As a reminder, the Noteworthy News series covers various areas, to include interesting news, announcements, links, tips and tricks from Windows, Azure, and Security worlds on a monthly basis.

Microsoft Azure
Public Preview: Microsoft adds full IPv6 support for Azure VNets
Dual Stack IPv4/IPv6 Connectivity allows you to bring your private IPv6 space into Azure and enables connectivity over IPv6 within your Virtual Networks. This enables you to address IPv4 depletion, meet regulatory requirements and expand into the growing mobile and IoT markets with your Azure-based applications.
Azure Cost Management now generally available for Pay-As-You-Go customers
We are excited to announce the general availability of Azure Cost Management features for all Pay-As-You-Go and Azure Government customers that will greatly enhance your ability to analyze and proactively manage your cloud costs. These features will allow you to analyze your cost data, configure budgets to drive accountability for cloud costs, and export pre-configured reports on a schedule to support deeper data analysis within your own systems. This release for Pay-As-You-Go customers also provides invoice reconciliation support in the Azure portal via a usage csv download of all charges applicable to your invoices.
Announcing Azure Government Secret private preview and expansion of DoD IL5
On April 17, we announced a significant milestone in serving our mission customers from cloud to edge with the initial availability of two new Azure Government Secret regions, now in private preview and pending accreditation. Azure Government Secret delivers comprehensive and mission enabling cloud services to US Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and US government partners working within Secret enclaves.
Azure Application Gateway Standard v2 and WAF v2 SKUs generally available
Application Gateway is Azure’s Application Delivery Controller as-a-service offering which provides customers with layer 7 load balancing, security and WAF functionality. Azure Application Gateway Standard v2 and WAF v2 SKUs are now generally available and fully supported with a 99.95 SLA. The v2 SKUs also offer a number of additional capabilities to Application Gateway and WAF.
Windows Server
First sneak peek of Windows Server, version 1903 Semi-Annual Channel
With the launch of Windows Server 2019 a few months ago, we kicked off a whole new wave of innovation focused on four pillars: Hybrid Cloud, Security, Application Platform, and Hyper-Converged Infrastructure, and it was just the beginning. Today, we’re excited to share with you a few feature areas of the next Windows Server, Semi-Annual Channel release – version 1903.
It’s time to update your Windows Server management strategy!
We know that you need to manage both individual servers and servers at scale. We also know that each customer is at a different stage in their hybrid journey, so we provide scaled management tools centered in on-premises and scaled management tools for hybrid management in Azure. Whatever your management needs are, we have you covered–including patching, backup, monitoring, governing, and automation, or simply managing an individual server remotely on-premises or in Azure.
Windows Client
Overview of Windows Autopilot
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that’s easy and simple.
Windows Autopilot: Hybrid Azure AD join and automatic registration
Windows Autopilot is modernizing the way you deploy Windows. It simplifies the process by eliminating the complexity associated with creating, maintaining, and distributing custom images while reducing the overall total cost of ownership. We’re constantly improving Windows Autopilot based on the feedback that we receive from you and our other customers around the world. One of the most popular requests has been, “When will Windows Autopilot support on-premises Active Directory enrollment for Windows 10 devices?”
Security
3 investments Microsoft is making to improve identity management
As a large enterprise with global reach, Microsoft has the same security risks as its customers. We have a distributed, mobile workforce who access corporate resources from external networks. Many individuals struggle to remember complex passwords or reuse one password across many accounts, which makes them vulnerable to attackers. As Microsoft has embraced digital transformation for our own business, we shifted to a security strategy that places strong employee identities at the center. Many of our customers are on a similar journey and may find value in our current identity management approach.
Detecting credential theft through memory access modelling with Microsoft Defender ATP
Stealing user credentials is a key step for attackers to move laterally across victim networks. In today’s attacks, we see a range of tools used to achieve credential theft, requiring protections that target the root behavior and not just individual known tools as is often done by traditional antimalware software. Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), Microsoft’s unified endpoint protection platform, uses multiple approaches to detect credential dumping. In this post, we’ll discuss one of them: a statistical approach that models memory access to the Local Security Authority Subsystem Service (lsass.exe) process.
Windows Hello FIDO2 certification gets you closer to passwordless
On May 6, the FIDO Alliance announced that, with the upcoming release of Windows 10, version 1903, Windows Hello is a FIDO2 Certified authenticator. FIDO2 enables developers to leverage standards-based protocols and devices to provide users easy authentication to online services—in both mobile and desktop environments. Microsoft is a leading member of the FIDO Alliance and is working closely with alliance members to enable passwordless login for websites supporting FIDO2 authentication. Collectively, these standards enable users to more easily and securely login to online services with FIDO2-compliant security keys and Windows Hello.
Microsoft Defender ATP third-party solution integrations
On May 5, Microsoft announced the general availability of Microsoft Defender ATP partner integrations – a set of pre-integrated partner solutions that enable customers to streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; helping security teams to effectively respond to modern threats.
Azure Sentinel Insecure Protocols Dashboard Implementation Guide
This guide will help you setup the Azure Sentinel IP Dashboard. The Azure Sentinel IP Dashboard allows you to gain insights into Insecure protocol traffic by collecting and analyzing security events from Microsoft products. You can view analytics and quickly identify use of weak authentication as well as sources of legacy protocol traffic, like NTLM and SMBv1. You will also have the ability to monitor use of weak ciphers, allowing you to find weak spots in your organization’s security.
Protecting disconnected devices with Microsoft Defender ATP
In an ideal world, all of your critical devices would be seen by, reported on, and protected by Microsoft Defender ATP, however we’re aware that there are legitimate scenarios where devices simply can’t be connected to the Internet or a management service. The good news for those disconnected devices is that we have released a whitepaper with all the info you need to understand how security is impacted by the unique challenges of being disconnected. It talks about the types of disconnected devices, and — most importantly — provides guidance on the various features and protection technologies you can use from Microsoft to protect these disconnected devices.
A new home and an all-new look for Microsoft Secure Score
Last month we announced that Microsoft 365 Security Center had reached general availability and we provided our readers with a quick end to end tour of the top experiences. Since then it’s been exciting to see the number of new customers using Microsoft Secure Score for the very first time almost tripling while the blog became one of the top viewed items for the month of March. In this month’s blog we’d like to provide additional details on Microsoft Secure Scores’ redesign and new capabilities.
The evolution of Microsoft Threat Protection, April update
Microsoft Threat Protection continues to energize the threat protection market with our most recent announcements. Customers are excited about the launch of Microsoft Defender Advanced Threat Protection (ATP), which extends Microsoft’s best in class endpoint security to Mac and adds powerful new capabilities of Threat and Vulnerability Management.
LDAP Reconnaissance – the foundation of Active Directory attacks
When an attacker manages to break into an on-premises domain environment, one of the first steps they normally take is to gather information and perform domain reconnaissance. Reconnaissance involves identifying the users, resources and computers in the domain and then building an understanding of how those resources are used to form your domain environment.
Microsoft Threat Experts reaches general availability
Microsoft Threat Experts is the managed threat hunting service in Microsoft Defender Advanced Threat Protection (ATP). It provides security operations centers (SOCs) with expert-level oversight and analysis to help ensure that critical threats in their unique environments are identified, investigated, and resolved.
Vulnerabilities and Updates
Microsoft expands BitLocker management capabilities for the enterprise
Microsoft is excited to announce enhancements to BitLocker management capabilities in both Microsoft Intune and System Center Configuration Manager (SCCM), coming in the second half of 2019. Whether your management infrastructure is on-premises or in the cloud, robust BitLocker management is required for today’s enterprises to secure modern endpoints.
Announcing WSL 2
On May 6, Microsoft unveiled the newest architecture for the Windows Subsystem for Linux: WSL 2! Changes in this new architecture will allow for dramatic file system performance increases and full system call compatibility, meaning you can run more Linux apps in WSL 2, such as Docker.
Support Lifecycle
Prepare for SQL Server 2008 end of support
On July 9, 2019, support for SQL Server 2008 and 2008 R2 will end. That means the end of regular security updates. Don’t let your infrastructure and applications go unprotected. We’re here to help you migrate to current versions for greater security, performance and innovation.
Windows 7 support will end on January 14, 2020
Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. When this 10-year period ends, Microsoft will discontinue Windows 7 support so that we can focus our investment on supporting newer technologies and great new experiences. The specific end of support day for Windows 7 will be January 14, 2020. After that, technical assistance and automatic updates that help protect your PC will no longer be made available for the product. Microsoft strongly recommends that you move to Windows 10 sometime before January 2020 to avoid a situation where you need service or support that is no longer available.
Extended Security Updates for SQL Server and Windows Server 2008/2008 R2: Frequently Asked Questions (PDF)
On January 14, 2020, support for Windows Server 2008 and 2008 R2 will end. That means the end of regular security updates. Don’t let your infrastructure and applications go unprotected. We’re here to help you migrate to current versions for greater security, performance and innovation.
Products reaching End of Support for 2019
Products reaching End of Support for 2020
Microsoft Premier Support News
Security: Modern Workplace Threat Protection (MWTP) – Fundamentals is designed to get you started enabling advanced Windows 10 security technologies. You will learn how to enable and leverage identity and access protection features, along with various threat protection capabilities. An accredited Premier Field Engineer will guide you through understanding key blockers to deploy and enabling critical features and functionality of the product.
Check out Microsoft Services public blog for new Proactive Services as well as new features and capabilities of the Services Hub, On-demand Assessments, and On-demand Learning platforms.