Latest Discussions
Accessing trials and kits for Windows Server
Updated May 20, 2022: This issue is now resolved. Please visit the Microsoft Evaluation Center at www.microsoft.com/EvalCenter for access to the latest trials and evaluations for Windows client, Windows Server, and other Microsoft products and kits.

As you may have noticed, the Microsoft Evaluation Center is temporarily unavailable. While work is underway to restore this valuable service, you can access Windows Server and Windows client trials, evaluations, and related kits at the links below.

Windows Server 180-day evaluations

Windows Server 2022:
- de-de: ISO
- en-us: ISO
- en-us: VHD
- en-us: LOF - ISO
- es-es: ISO
- fr-fr: ISO
- it-it: ISO
- ja-jp: ISO
- ru-ru: ISO
- zh-cn: ISO
- Windows Server on Azure

Windows Server 2019:
- de-de: ISO
- en-us: ISO
- en-us: VHD
- en-us: FOD - ISO
- es-es: ISO
- fr-fr: ISO
- it-it: ISO
- ja-jp: ISO
- ru-ru: ISO
- zh-cn: ISO
- Windows Server on Azure

Create a Windows Server VM in Azure

LOF = language packs and optional features
FOD = features on demand

Windows Virtual Hardware Lab Kit (VHLK)

VHD version:
- VHLK for Windows 11
- VHLK for Windows Server 2022
- VHLK for Windows 10, version 2004

Windows client 90-day evaluations

Windows 11 Enterprise:
- de-de: x64
- en-gb: x64
- en-us: x64
- es-es: x64
- fr-fr: x64
- it-it: x64
- ja-jp: x64
- ko-kr: x64
- pt-br: x64
- zh-cn: x64
- zh-tw: x64

Windows 10 Enterprise:
- de-de: x64 | x86
- en-gb: x64 | x86
- en-us: x64 | x86
- es-es: x64 | x86
- fr-fr: x64 | x86
- it-it: x64 | x86
- ja-jp: x64 | x86
- ko-kr: x64 | x86
- pt-br: x64 | x86
- zh-cn: x64 | x86
- zh-tw: x64 | x86

Windows 10 Enterprise LTSC:
- de-de: x64 | x86
- en-gb: x64 | x86
- en-us: x64 | x86
- es-es: x64 | x86
- fr-fr: x64 | x86
- it-it: x64 | x86
- ja-jp: x64 | x86
- ko-kr: x64 | x86
- pt-br: x64 | x86
- zh-cn: x64 | x86
- zh-tw: x64 | x86

Deployment lab kits

Lab kit:
- Windows 11 and Office 365 Deployment Lab Kit (+ lab guides)
- Windows 10 and Office 365 Deployment Lab Kit (+ lab guides)

Note: The Deployment Lab Kits include the 90-day evaluations of Windows 11 or Windows 10 listed above. They are updated every 90 days with a fresh version of the 90-day evaluation software. As a result, please note that the Windows 10 deployment lab kit will be refreshed by May 16th with a new 90-day evaluation of Windows 10 Enterprise.

Heather_Poulsen | May 11, 2022 | Community Manager | 102K Views | 10 likes | 37 Comments

HOW-TO: Import Out of Band Updates to WSUS using Microsoft Edge Chromium IE Mode and PowerShell
-----
I recommend using https://www.powershellgallery.com/packages/Import-WSUSUpdate
Full instructions to install the module are located here - https://www.ajtek.ca/blog/the-new-way-to-import-updates-into-wsus/
-----

History:
- 09/12/2023 - adding PowerShell method to the OP
- 07/30/2023 - please follow the latest comments for the updated approach using PowerShell. The method in the OP has become obsolete
- 01/13/2022 - update links and clarification to prevent an error "This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS", added Troubleshooting and Q&A section.
- 02/11/2021 - initial version

PREREQUISITES:
- Windows 10 / 11 / Windows Server 2016 or later with WSUS RSAT Tool installed.
- latest Microsoft Edge installed, version 97 as of time of writing.
- Internet Explorer (mode) is installed in Settings > Apps > Optional Features or equivalent location in Windows 11

HOW-TO:
- Open Edge 97 or later
- Open Microsoft Edge Options > Default Browser
- Change "Allow Sites to be reloaded in Internet Explorer Mode" to 'Allow'
- Add links to add to Microsoft Edge IE Mode
- Remove all other links in the scope of *.catalog.update.microsoft.com, only these shall remain for the catalog.update.microsoft.com page.
  https://catalog.update.microsoft.com/
  https://catalog.update.microsoft.com/v7/site/Home.aspx
  see screenshots below for better illustration.
- Close Edge and all catalog tabs if there were any open, especially if you use "Open tabs from the previous session" feature
- Open WSUS MMC and right click Updates from the tree > Import Updates
- The link in Edge should open in IE mode, there are several indicators on this the open tab to point to https://catalog.update.microsoft.com/v7/site/Home.aspx?SKU=WSUS&Version=10.0.xxxxx.xxxx&ServerName=YOURSERVER.CONTOSO.LOCAL&PortNumber=8531&Ssl=True&Protocol=1.20

NOTES
1. When the link opened in importing updates from WSUS MMC does not contain the "v7/site/" part or does contain a https://www.update instead of https://catalog.update your configuration is wrong.
2. The "Default" setting will not be sufficient to allow the installation and use of the ActiveX plugin. Go back to your update catalog tab, Install the ActiveX if you have not done on this box already. Check if you have not setup restrictions to execute or install ActiveX plugins in IE directly or via group policy.
3. Edge now has the ability to an IE Mode button. Also it has a new feature to automatically add pages to the exception list. Do not use this ability as shown in the picture for this use case as it might add wrong exceptions to the list.
4. When there are wrong exceptions in the exception list for IE mode it might not work correctly and cause a missing but very important redirection, which ultimately cause the import to fail. More troubleshooting assistance below.

LINKS STARTING FROM DECEMBER 2021 / JANUARY 2022:
Links to add to Microsoft Edge IE Mode
https://catalog.update.microsoft.com/
https://catalog.update.microsoft.com/v7/site/Home.aspx

TROUBLESHOOTING:

Q 1: Microsoft Edge does not allow me to configure any IE Site Mode links (greyed out).
A: Either you have not enabled "Allow Sites to be reloaded in Internet Explorer Mode" to 'Allow', or your enterprise has set policies to prevent that. This should be clearly indicated by a lock and message in the Edge settings tab.

Q 2: I have followed this guide or a previous version. I can see the cart to import into WSUS but cannot import any or just specific updates. Others fail with a message "This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS".
A: This is a "known" issue and the guide has been updated to reflect this issue and a potential change on the server-side. Please make sure only the two links are included in your IE mode list. They may not include www in the link name. You need to include both links, not just one or the other as in the previous version of this guide.

Q 3: May I use the new Edge feature in Settings > Appearance > Internet Explorer Mode button
A: I would recommend to refrain using this feature, as the mechanism between WSUS update import and the browser is extremely picky. It would not work if you just copy the same link into a browser tab. The feature of the cart to import into WSUS will be likely missing and you can just download to the Download folder instead.

Q 4: Edge offers me to restart this tab in IE mode next time.
A: you should not receive this message, otherwise the exceptions as stated in the guide are invalid or you have more than the stated links in place. Go through the guide again and double-check. Do not use this otherwise nice feature. It will cause to add more catalog links to the exception list which will cause an issue to import updates to WSUS, as described in Q #2.

Thanks for the hint Eric_VanAelstyn, thanks to abbodi1406 for additional hints after this guide got invalid a redirection change in December 2021 / January 2022.

cc AriaUpdated MissyQ cc for the other teams as I did not want to repost it in Edge and Servicing communities, unless you insist

Solved | 161K Views | 8 likes | 40 Comments

Most Common Mistakes in Active Directory ...
Here are some useful links to help you avoid making these common mistakes with Active Directory...

Most Common Mistakes in Active Directory and Domain Services - Part 1 - MEA SI Blog
https://blogs.technet.microsoft.com/meamcs/2018/12/31/most-common-mistakes-in-active-directory-and-domain-services-part-1/

Most Common Mistakes in Active Directory and Domain Services - Part 2 - MEA SI Blog
https://blogs.technet.microsoft.com/meamcs/2019/01/08/most-common-mistakes-in-active-directory-and-domain-services-part-2/

Jeff-Woolsey | Jul 30, 2019 | Microsoft | 3.4K Views | 7 likes | 3 Comments

Active Directory Advanced Threat Hunting - Tracing the cause of account lockouts and password errors
Dear Microsoft Active Directory friends,

In this article we are going on a "search for clues" :-). In the life of an IT administrator, you have certainly often had to reset a user's password or remove an account lockout. Now the question arises on which system the account was locked or on which system the password was entered incorrectly.

In order to determine this information with PowerShell, some preparations must be made. "Advanced Audit Policy Configuration" must be configured in the group policies. This article from Microsoft provides a good starting point:
https://learn.microsoft.com/en-us/defender-for-identity/deploy/event-collection-overview

In my example, I have adapted the Default Domain Controllers Policy.

Before we begin, here is some important information about MITRE techniques:
- Account Access Removal: https://attack.mitre.org/techniques/T1531/
- User Account: https://attack.mitre.org/datasources/DS0002/
- Brute Force: Password Spraying: https://attack.mitre.org/techniques/T1110/003/

Account lockouts are logged in the Windows event logs with the ID 4740. We will therefore focus on this event ID first. The start of the PowerShell script looks like this:

```powershell
#Prep work for lockouts, Account lockout Event ID
$LockOutID = 4740

#Find the PDC
(Get-ADDomain).PDCEmulator
$PDCEmulator = (Get-ADDomain).PDCEmulator

#Connect to the PDC (interactive; variables set above are not defined inside the remote session)
Enter-PSSession -ComputerName $PDCEmulator

#Query event log
Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID = $LockOutID
}

#Parse the event and assign to a variable
$events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID = $LockOutID
}

#Examine some properties
$events[0].Message

#Regex?
$events[0].Message -match 'Caller Computer Name:\s+(?<caller>[^\s]+)'
$Matches.caller

#Cool, but not as easy as:
$events[0].Properties
$events[0].Properties[1].Value

#For all events ($evt is used because $event is a PowerShell automatic variable):
ForEach($evt in $events){
    [pscustomobject]@{
        UserName = $evt.Properties[0].Value
        CallerComputer = $evt.Properties[1].Value
        TimeStamp = $evt.TimeCreated
    }
}

#And we'll make that a function
Function Get-ADUserLockouts {
    [CmdletBinding(
        DefaultParameterSetName = 'All'
    )]
    Param (
        [Parameter(
            ValueFromPipeline = $true,
            ParameterSetName = 'ByUser'
        )]
        [Microsoft.ActiveDirectory.Management.ADUser]$Identity
    )
    Begin{
        $LockOutID = 4740
        $PDCEmulator = (Get-ADDomain).PDCEmulator
    }
    Process {
        If($PSCmdlet.ParameterSetName -eq 'All'){
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $LockOutID
            }
        }ElseIf($PSCmdlet.ParameterSetName -eq 'ByUser'){
            $user = Get-ADUser $Identity
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $LockOutID
            } | Where-Object {$_.Properties[0].Value -eq $user.SamAccountName}
        }
        ForEach($evt in $events){
            [pscustomobject]@{
                UserName = $evt.Properties[0].Value
                CallerComputer = $evt.Properties[1].Value
                TimeStamp = $evt.TimeCreated
            }
        }
    }
    End{}
}

#Usage
Get-ADUserLockouts

#Single user
Get-ADUser 'jesse.pinkman' | Get-ADUserLockouts
```

Now we come to the incorrectly entered passwords. These events are logged in the Windows event logs with the ID 4625.

```powershell
#Prep work for bad passwords - Event ID
$badPwId = 4625

#Get the events from the PDC
$events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
    LogName = 'Security'
    ID = $badPwId
}

#Correlate the logon types
$LogonType = @{
    '2' = 'Interactive'
    '3' = 'Network'
    '4' = 'Batch'
    '5' = 'Service'
    '7' = 'Unlock'
    '8' = 'Networkcleartext'
    '9' = 'NewCredentials'
    '10' = 'RemoteInteractive'
    '11' = 'CachedInteractive'
}

#Format the properties
ForEach($evt in $events){
    [pscustomobject]@{
        TargetAccount = $evt.Properties[5].Value
        LogonType = $LogonType["$($evt.Properties[10].Value)"]
        CallingComputer = $evt.Properties[13].Value
        IPAddress = $evt.Properties[19].Value
        TimeStamp = $evt.TimeCreated
    }
}

#Bring it all together in a function
Function Get-ADUserBadPasswords {
    [CmdletBinding(
        DefaultParameterSetName = 'All'
    )]
    Param (
        [Parameter(
            ValueFromPipeline = $true,
            ParameterSetName = 'ByUser'
        )]
        [Microsoft.ActiveDirectory.Management.ADUser]$Identity
    )
    Begin {
        $badPwId = 4625
        $PDCEmulator = (Get-ADDomain).PDCEmulator
        $LogonType = @{
            '2' = 'Interactive'
            '3' = 'Network'
            '4' = 'Batch'
            '5' = 'Service'
            '7' = 'Unlock'
            '8' = 'Networkcleartext'
            '9' = 'NewCredentials'
            '10' = 'RemoteInteractive'
            '11' = 'CachedInteractive'
        }
    }
    Process {
        If($PSCmdlet.ParameterSetName -eq 'All'){
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $badPwId
            }
        }ElseIf($PSCmdlet.ParameterSetName -eq 'ByUser'){
            $user = Get-ADUser $Identity
            #Query event log
            $events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable @{
                LogName = 'Security'
                ID = $badPwId
            } | Where-Object {$_.Properties[5].Value -eq $user.SamAccountName}
        }
        ForEach($evt in $events){
            [pscustomobject]@{
                TargetAccount = $evt.Properties[5].Value
                LogonType = $LogonType["$($evt.Properties[10].Value)"]
                CallingComputer = $evt.Properties[13].Value
                IPAddress = $evt.Properties[19].Value
                TimeStamp = $evt.TimeCreated
            }
        }
    }
    End{}
}

#Usage
Get-ADUserBadPasswords | Format-Table

#Single account
Get-ADUser administrator | Get-ADUserBadPasswords | Format-Table
```

I hope that this information is helpful to you and that you have been given a good "little" foundation. This article/information is by no means complete and exhaustive. But I still hope that this information is helpful to you.

Thank you for taking the time to read the article.

Happy Hunting, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

11K Views | 7 likes | 1 Comment

Introduction to Nano Server
I thought of starting this community discussion by sharing some good resources out there.

http://blogs.technet.microsoft.com/nanoserver/
http://mva.microsoft.com/en-us/training-courses/a-deep-dive-into-nano-server-13785
http://channel9.msdn.com/Series/Nano-Server-Team
http://technet.microsoft.com/en-us/windows-server-docs/compute/nano-server/getting-started-with-nano-server
http://social.technet.microsoft.com/wiki/contents/articles/32729.nano-server-survival-guide.aspx
http://social.technet.microsoft.com/wiki/contents/articles/35461.nano-server-wiki-portal.aspx
https://windowsserver.uservoice.com/forums/295068-nano-server

This is an exciting new future for Windows Server, I am looking forward to more content or details being made available during Ignite.

Solved | Ryen Tang | Sep 09, 2016 | Brass Contributor | 3K Views | 7 likes | 4 Comments

Bypass LBFO Teaming deprecation on Hyper-V and Windows Server 2022
Starting with Windows Server 1903 and 1909, Hyper-V virtual switches on an LBFO-type network adapter cluster are deprecated (see documentation). The technology remains supported, but it will not evolve. It is recommended to create an aggregate of type SET.

In practice

The SET is a very interesting technology that has some constraints. The interfaces used must have identical characteristics:
- Manufacturer
- Model
- Link speed
- Configuration

Even if these constraints do not seem huge, we are very far from the flexibility of LBFO Teaming. As a reminder, this one has absolutely no constraints. In practice the SET is recommended with network interfaces of 10Gb or more. Therefore, we are very far from the target of the LBFO (use of all integrated boards with motherboard pro, Home Lab, refurbish).

If SET cannot be used

As of Windows Server 2022, it is not possible to use the Hyper-V Management Console to create a virtual switch with LBFO, as it will prompt an error saying that LBFO has been deprecated. However, it is possible to use PowerShell to create this virtual switch.

First, create the Teaming of your network cards using the Server Manager, in my case the teaming will be with LACP mode and Dynamic load balancing mode. Then execute the below PowerShell Command to create the virtual switch based on the teaming created in the previous step:

```powershell
New-VMSwitch -Name "LAN" -NetAdapterName "LINK-AGGREGATION" -AllowNetLbfoTeams $true -AllowManagementOS $true
```

In detail:
- The virtual switch will be named "LAN"
- The network adapter cluster teaming is named "LINK-AGGREGATION"
- The aggregate remains usable to access the Hyper-V host.

You will see your network teaming up and running on Hyper-V host. That's it!

152K Views | 6 likes | 10 Comments

Server 2022 KMS host key bug; Can't activate Win10 Enterprise LTSB/LTSC
We recently dropped our new Server 2022 KMS host key onto our KMS server. After the necessary update to accept the 2022 key and activating the new 2022 host key, we were able to activate our most common OS types in a quick test afterward -- Win10 Education 21H1, Server 2022, Server 2019, etc.

In the next few days, and even more today, we've been getting reports that Win10 Enterprise LTSB/LTSC across some signage devices and laboratory machines stopped activating. Sure enough, I could reproduce the issue from a known good network.

Just this morning I spun up entirely fresh VMs and verified all the above is still reproducible with the following results:
- Windows Server 2022 = Successfully activated
- Windows Server 2019 = Successfully activated
- Windows Server 2016 = Successfully activated
- Windows 10 Education 21H1 = Successfully activated
- Windows 10 Enterprise LTSC 2021 = FAILED ACTIVATION (0xC004F074: License server reported that the computer could not be activated.)
- Windows 10 Enterprise LTSC 2019 = FAILED ACTIVATION (0xC004F074: License server reported that the computer could not be activated.)
- Windows 10 Enterprise 2016 LTSB = FAILED ACTIVATION (0xC004F074: License server reported that the computer could not be activated.)
- Windows 10 Enterprise 2015 LTSB = Successfully activated (odd, after the previous two)
- Windows 8.1 Enterprise = Successfully activated
- Windows 7 Enterprise = Successfully activated

Anyone else seeing this or could possibly test and confirm? I feel like this **has** to be a bug with 2022 host keys, but it's so new that I can't find anyone else in the same boat. I have a Premier ticket open for this.

ajc196 | Sep 09, 2021 | Iron Contributor | 64K Views | 6 likes | 112 Comments

mforsythe1959 | Oct 17, 2017 | Copper Contributor | 1.5K Views | 6 likes | 1 Comment

Hostname Character Limit
Still being limited to 15 characters for hostnames in 2019 is very upsetting. In an age where we are deploying servers in multiple data centres, whether that be on premise or in the cloud and having multiple environments as well means trying to come up with sensible hostnames in just 15 characters is basically impossible. I'm sure I am not the only person who is frustrated by this limit and would very much like it if Microsoft was to revisit this limit and increase it to bring it in line with the wonderful limit our Linux friends enjoy.

LiamG14 | Dec 16, 2019 | Copper Contributor | 171K Views | 6 likes | 6 Comments