The Evolving Admin

Declining MECM updates that aren’t visible in WSUS

2020-08-06T00:00:00-04:00

Ever need to decline an update or updates from MECM, and then get stuck because the update isn’t visible in the WSUS console?

This is pretty common with items from 3rd party catalogs, but sometimes you know exactly which update you want to get rid of and don’t want to scroll through all the updates in the WSUS console to find it?

As is so often the case, PowerShell to the rescue! 😃

You’ll need access to both the ConfigurationManager and UpdateServices modules, and the account you’re running the script as will need at least Read access to Software Updates in MECM and membership in the WSUS Administrators group on the WSUS server that your root SUP talks to.

The ConfigurationManager module comes with the MECM Console install, and the UpdateServices module is part of the WSUS RSAT feature. Or if you’re feeling fancy, you can implicit remote these from your site server. 😃

The embedded code (thanks Gist!) is a rough sketch that will do the trick for you; the first few lines will need to be customized for your environment per the comments.

Down on line 36 is where you’ll put the article ID of the update you want to decline. PLEASE BE CAUTIOUS HERE as some vendors will use the same article ID for multiple updates.

You can modify the Get-CMSoftwareUpdate section to go by other attributes; the important bit is that the CI_UniqueID of the CMSoftwareUpdate is the UpdateID that Get-WSUSUpdate is looking for.

MMSMOA Tips and Tricks

2019-05-08T00:00:00-04:00

What’s this about?

The “Tips & Tricks Showcase” session seemed like a must attend event (especially as it was the only one in the time slot :wink:)

And when they said there were some awesome Surface Laptops to giveaway, I figured, may as well get up and share something.

A big thanks to the community for being some encouraging and welcoming to a first time attendee and presenter (and for the extra 10 seconds of speaking time) :thumbsup:

Enough buttering, get to the meat!

The tip that I shared was around the PowerShell Module EditorCommandServicesSuite. Just install it from the gallery with

Install-Module EditorCommandServicesSuite -Scope CurrentUser

You’ll also need to add the following to your VSCode PowerShell Profile so it auto-loads:

Import-Module EditorServicesCommandSuite
Import-EditorCommand -Module EditorServicesCommandSuite

Once it’s installed and loaded, you can activate by either:

Selecting PowerShell: Show Additional Commands from PowerShell Modules
pressing Shift-Alt-S while editing a PowerShell file

This provides a number of very useful capabilities, but my current favorite is Convert Command to Splat Expression Splatting is a very handy way to make long PowerShell commands more readable, and more easily re-usable.

Unfortunately it has two drawbacks:

VSCode PowerShell auto-complete/intellisense doesn’t help you with parameter names/values when splatting
I usually forget something in the syntax/formatting.

This function from the EditorServicesCommandSuite module solves both those problems; just write out the command as one long line, and then let it convert it to a splat for you.

Didn’t you also say something about PowerShell Profiles?

Yep! I didn’t have time to go into it (didn’t want the bear to growl at me!), but fortunately it’s something I’ve previously written about: PowerShell Profile Tips and Tricks

That post is a bit old, but aside from not mentioning VSCode, it all still applies to Windows PowerShell, and almost all should apply to PowerShell Core.

I did however update the sample profile linked in it (and here as well) to be more current.

Hopefully this has been useful, and if there is more you’d like me to write about, just click the Suggest Topic link at the top of the page, and tell me about it!

Out-State -Destination ‘MMS @MOA 2019’

2019-05-04T00:00:00-04:00

What is MMS?

The Midwest Management Summit is a 4-day conference purposely capped to just 750 attendees so that nobody gets lost in the crowd. Speakers have time to meet and talk to you. No rushing people out of a session to get the next speaker going. Time to absorb what you see and talk it over with speakers and other attendees. A true learning experience. Real networking. Real-life issues discussed. And no, you don’t have to be from the Midwest to attend. It’s just the name.

Interesting…

Since the other SysAdmin at $WORK had already scheduled for this years Ignite (and is part of the Krewe), it made sense for me to go to a different conference. As I’m the resident ConfigMgr admin at $WORK, MMS seemed like a good fit. Especially as I’ve interacted with a number of the community members on Twitter, Slack, etc.

I should probably as SolarWinds if they’ll give me any kickback for advertisements as my backpack, and almost all of the shirts I packed are from them or their community THWACK.. :smile:

PowerShell MSSQL cron job

2019-01-16T21:45:00-05:00

I did what

Just setup a cron job that runs a PowerShell script to build an htpasswd file from the results of an Mssql query. Cross platform ftw. Thanks @cl @PowerShell_Team #PowerShell #dbatools
— Damien Solodow (@DSolodow) January 15, 2019

Why I did that

TL;DR - wanted to get rid of a manual process on a legacy system. :smiley:

Longer version

One of our few remaining legacy servers at $WORK is a Server 2008 R2 VM that is eating far more disk than is called for.

Just about the only thing the server does is host a pretty basic website. The sticky wicket though is that a few directories on the site need to require authentication. Since not all of the users have accounts in our Active Directory, the credentials are based on data from their ERP record.

The solution used on this legacy server was a 3rd party HTML “locker” that was last updated to support Windows 8. :open_mouth:

The process to update the credential list involves a SQL Agent job that emails a file to someone, who then has to follow a nearly 30 step manual process that involves carefully modifying and saving the file, logging into the web server via RDP, and running a GUI app to import said file and update the credential list. :sob: :scream: :dizzy_face:

How I did that

New solution

This sounded like a good place for a Linux VM running Apache, and using htaccess and htpasswd. I have some prior experience with Apache, and it looked like the easier path compared to using IIS and having to deal with scripting the creation/management of IIS users, or getting IIS to authenticate directly against a database.

Main reasons for that were:

I’m not a web developer by any stretch of the imagination
The IIS PowerShell module (WebAdministration) is in my experience an ugly PITA

I went with an Ubuntu LTS install, since I have prior experience there, they’ve been playing very nice with Microsoft of late, and it’s what I have in my WSL install.

Basic setup

So it was time to:

Copy web content to new server
Add SSL certificate to server
Configure Apache for site, SSL redirection
Create sample htpasswd for site
Configure Apache to do forms authentication for the required directories using the sample htpasswd
1. this was in the main apache config instead of using .htaccess as it’s better that way if you have control of the server
Test it out

Most of this was from Apache docs and some Googling, and a healthy dose of trial and error. :wink:

Getting the data

I created a SQL login in the database for the script to use, and granted it SELECT access to the appropriate view and table. Then I used that login in SSMS to run a test query:

SELECT top 10 username, password FROM erp_db..view_user

This ran successfully; so credentials, security, and query are good, so time to run that via PowerShell on the Linux server. I’d selected to install PowerShell Core during the initial Ubuntu install, but instructions for existing installs are here: Install PowerShell on Ubuntu

The SQLServer PowerShell module is cross-platform, so it can be installed in PowerShell Core on Linux. :+1:

Unfortunately, installing this revealed that only a subset of cmdlets are available when installed in Core, and Invoke-Sqlcmd isn’t one of them. :anguished:

I remembered a recent tweet from Chrissy LeMaire (@cl) about the dbatools module going cross-platform, so I gave that one a try:

Install-Module 'dbatools' -Scope CurrentUser
Get-Command -Module 'dbatools' -Noun '*query*'

Invoke-DbaQuery looks like a winner, so time to read the documentation for it.

Looked like the commands to run were:

$login = Get-Credential -UserName 'SQLLOGIN'
Invoke-DbaQuery -SqlCredential $login -SqlInstance 'SQLSERVER' -Database 'erp_db' -Query 'SELECT top 10 username, password FROM view_user'

Unfortunately, I got a warning instead of results:

Doh! :astonished:

Maybe this was something wonky with running the module under PowerShell Core on Linux… So I tried the same PowerShell on my Windows box, using Windows PowerShell instead of Core.

Nope, same error. :-1: Smells like a bug in the module, so off to their issues page…

Searching through there didn’t show any previous reports of this issue, so I used their handy Issues template and submitted a new one: Issue-4946

Within a couple hours it had been confirmed, and a fix merged. :heart_eyes:

So I updated my systems to the fixed module version (0.9.741), and re-tried my query. This time I got results back! :+1::+1:

Building htaccess from the data

Now that I could pull from the database, it was time to turn that into an htpassword file.

I gave the user that would be running the script via cron the ability to edit the htpassword file:

sudo setfacl -m u:cron_user:rw htpassword

This seemed a more minimal course than giving cron_user the ability to run ‘sudo htpasswd’ without a password.

The htpasswd utility allows you to pass both the username and password as part of the command line, so it was a simple PowerShell bit to do that:

$login = Get-Credential -UserName 'SQLLOGIN'
$creds = Invoke-DbaQuery -SqlCredential $login -SqlInstance 'SQLSERVER' -Database 'erp_db' -Query 'SELECT top 10 username, password FROM view_user'
$creds | ForEach-Object {htpasswd -b /path/to/htpassword $_.username $_.password}

That looked to have worked; it ran without error and I was able to use one of the username, password combos from the SQL query to login to the protected directories. :raised_hands:

Only catch was, the new lines were being added to the htpassword file, so I was going to need to either blank out the file or recycle it before building it; otherwise it would get oversized, and have multiple (potentially different) entries for each person. :worried:

Fleshing it out and polishing it

Now that I had a working proof of concept, just had to do a few more things:

Flush out the file before re-filling it (Linux has a handy truncate command)
Make sure I didn’t flush out the file if I didn’t have data to put in
Add some error reporting
Make it pretty

So here’s what it ended up like:

#Requires -Modules @{ModuleName="dbatools"; ModuleVersion="0.9.741"}

$username = 'SQLLOGIN'
$password = ConvertTo-SecureString -String 'SQLPASSWORD' -AsPlainText -Force
$cred = New-Object -typename System.Management.Automation.PSCredential -ArgumentList $username, $password

$invokeDbaQuerySplat = @{
    SqlInstance   = 'SQLSERVER'
    Database      = 'erp_db'
    SqlCredential = $cred
    Query         = 'SELECT username,password FROM view_user'
}
$results = Invoke-DbaQuery @invokeDbaQuerySplat
if ($results) {
    #clear file to avoid duplicate entries
    truncate --size 0 /path/to/htpassword
    $results | ForEach-Object {htpasswd -b /path/to/htpassword $_.username $_.password}
} else {
    $servername = [system.net.dns]::GetHostEntry((hostname)).hostname
    $sendMailMessageSplat = @{
        Subject    = "Script error on $servername"
        From       = 'cron@SERVER'
        To         = 'sysadmins@WORK.COM'
        SmtpServer = 'SMTPSERVER'
        Body       = "Script: $PSCommandPath  `n Threw: $Error[0]"
    }
    Send-MailMessage @sendMailMessageSplat
}

Success! :relieved: :sunglasses:

What’s on that port?

2019-01-10T17:25:00-05:00

What’s on that port?

Today, the network admin at $WORK contacted me, saying while running a ZenMap on part of one of the offices, he found several Windows PCs in the AP and Payroll departments that were listening on 80/tcp. This gave him the willies, so he reached out to me to find out WTF. :anguished:

Once the IPs of the PCs were converted to names, it was time to investigate.

First, let’s make sure they’re still online and listening as expected:

$PCs = 'PC1','PC2','PC3'
$PCS | Foreach-object {Test-NetConnection -ComputerName $_ -CommonPort HTTP}

(Had to use the Foreach as Test-NetConnection doesn’t allow an array for ComputerName) :persevere:

This showed that yes, all three were online, reachable and accepting connections for inbound HTTP traffic. Now let’s see what process is listening on the port:

Invoke-Command -ComputerName $PCs -ScriptBlock {netstat -ano | findstr :80}

On each computer, the process listening on port 80 had PID 4 (far right column). On a Windows machine, PID 4 is SYSTEM, aka the kernel. This meant that it wasn’t a user process listening on port 80, so the odds of it being malware or the like went down dramatically. :relieved: It also meant that it was almost definitely from the Windows built-in, kernel level HTTP listener (http.sys)

Maybe they had something like IIS, MSMQ, etc. installed?

Invoke-Command -ComputerName $pcs -Credential $admin -ScriptBlock {
    Get-WindowsOptionalFeature -Online |
        Where-Object {($_.FeatureName -like '*web*' -or $_.FeatureName -like '*http*') -and $_.state -eq "Enabled"}
}

Nope, no hits there. :frowning:

A bit of Googling for ‘http.sys show http listener’ revealed the handy command netsh http show urlacl, so…

Invoke-Command -ComputerName $pcs -ScriptBlock {netsh http show urlacl | findstr :80}

Those look like GUIDs. To the Google!

And one of the first hits was: How can I determine why the System process is listening on port 80?

This indicated BranchCache, which is harmless but maybe undesirable now.

Exchange Schema Upgrade

2018-07-17T11:00:00-04:00

What and why

One of the things I discovered at new $WORK was that we have all our mailboxes in Exchange Online, and are using ADFS and directory synchronization.

Pretty common and normal. The catch? No on-premise Exchange server.

This isn’t supported, and prevents you from modifying most of the Exchange properties on your objects. Reference :frowning:

The first step was to find out what version of Exchange had last been present and get the schema upgraded to Exchange 2016.

I ran the following and then looked up the result on this site

Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$((Get-ADRootDSE).schemaNamingContext)" -Property RangeUpper

This told me the last Exchange versions installed was 2007 SP1.

This would require a few upgrades in succession to get to 2016 as 2007 SP1 and 2016 can’t coexist or direct upgrade.

The plan

Since we were getting ready to decommission our last Windows 2008 DC, I decided to use it for the upgrade.

The plan was:

Make the 2008 DC the schema master
Add my admin account to Schema Admins
Disable outbound replication from the 2008 DC
Apply Exchange 2010 schema upgrade and domain prep
Apply Exchange 2013 schema upgrade and domain prep
Verify things went ok
Re-enable outbound replication from 2008 DC

The idea here was that if something went badly with the upgrade, I could kill the 2008 DC and seize the schema master role without hosing the forest.

The reality

Steps 1..4 went basically as expected.

However I ran into a few snags for the Exchange 2013 schema:

First, Exchange 2013 setup (including /prepareAD) won’t run on Server 2008.

So I had to create a temporary pair of 32 bit AD subnets for the 2008 DC and my PC, and put those two subnets with a temporary AD site.

This was necessary because the schema upgrade expects the schema master to be in the same site.

The next snag was the schema upgrade threw an error on the pre-req checks. :frowning: According to the logs, there was still an Exchange 2003 server in the environment.

This turned out to be due to the Exchange 2000/3 server not having been properly decommissioned upon upgrade to Exchange 2007. Judging by what I saw, it looked like Exchange hadn’t uninstalled as there were still objects in the Configuration partition such as the Exchange Server object, Recipient Update Service, etc.

Once these were removed via ADSIEdit, the Exchange 2013 schema upgrade completed without issue. :thumbsup:

Next steps

The Exchange 2016 schema upgrade required a Windows 2008 R2 domain and forest functional levels, so I wasn’t able to apply that schema upgrade yet. So it was necessary to:

Re-enable outbound replication from the 2008 domain controller
Verify replication completed successfully
Transfer Schema Master FSMO role to another DC
Demote Windows 2008 domain controller
Raise forest and domain functional levels (was able to go to 2012 R2)
Run Exchange 2016 schema upgrade on new Schema Master

Guess what they forgot to do?

The Exchange 2016 schema upgrade failed saying there was still an Exchange 2007 server in the environment. A bit of checking in ADSIEdit showed the Exchange Server object for the Exchange 2007 server. Once this was removed, the Exchange 2016 schema upgrade completed successfully.

With all this done, it was now possible to actually (finally) install Exchange Server 2016.

Fortunately that went without hiccup and we were in business. :smile:

New Work PC

2018-04-22T11:00:00-04:00

One of the perks of a new job was a new computer. :smile: My boss told me they’re a Dell shop currently, and turned me loose on what I wanted to order.

I wanted a powerful laptop (I tend to run local VMs for testing), and prefer a 15” screen. It turned out that they already used the Precision 5520 for a few cases, like CAD and other design work. So after taking a look at the information for that model and being really impressed, I pulled up the info to customize one.

There are a lot of reviews and info on this model already, but the highlights are:

15” LCD; either 1080 standard or 4k touch
Choice of i7 7th Generation or Xeon E3-1505
Up to 32 GB RAM
M.2 PCIe SSD
Height: 0.44” (11.1mm), Width: 14.05” (357mm), Depth: 9.26” (235.3mm), Weight: 3.93lbs (1.78kg)

I also ordered the Thunderbolt Dock (TB16) to go with it to hook up the pair of 24” 1080 monitors, as well as gigabit Ethernet, etc.

I like that the dock has a pair of USB3 ports on the front as well as a 3.5mm headphone jack, along with a nice complement of ports on the back. It is rather annoying that while it has multiple display outputs on the back, they’re all different kinds.

While I was waiting for the new PC to arrive, I made a customized Windows 10 USB stick to install from. This was both as a proof of a concept and to save me some work for the actual install. :smile:

Here’s how I did it:

Download the Windows 10 1709 x64 ISO from the VLSC
Extract the ISO
Open the extract folder in NTLite and mount install.wim
Remove the images from the wim except for Enterprise
Modify the installed Windows components (added WSL, Hyper-V, IIS Manager, etc.)
Pre-configured a few preferences and settings
Apply the current Windows 10 cumulative update and Adobe Flash update
Add the drivers for the model from the Dell site
Apply the changes to the WIM and save
Save to ISO (button in NTLite)
Write the ISO to USB for a UEFI install (shout-out to [Rufus])

After the hardware arrived, I made sure the BIOS was set for UEFI and the various virtualization and TPM settings were enabled. Then booted the USB stick and did the install. Turned out I missed a few drivers (some for the dock) and needed a firmware update or two as well. Fortunately, Dell Command is an excellent and handy tool for dealing with those.

Then just had to load up a few extra things like RSAT, IIS Remote Manager, etc.

Will see how things go after time, but so far I’ve been pretty happy with the PC. :thumbsup:

New Job

2018-03-23T11:00:00-04:00

Today, after almost 10 years I’ve put in my papers to change jobs. :pensive:

On March 22, 2018 I accepted an offer from a new employer in a different industry, and today (March 23rd) I put in my notice.

This will be my 6th job in 21 years, so I’m not exactly a frequent changer, and this wasn’t the easiest decision.

But, there are a number of positive things coming as part of the new position:

Much shorter commute (about 15 miles less one way)
Several co-workers I already know (although with those characters that might be mixed :sunglasses:)
An escape from cubicles :+1:
A nice mix of things I’m already familiar with and new products/experiences.

In discussions with IT leadership at the new employer, the main things I’ll be working on to start with are:

Implementing ConfigMgr/SCCM
Deploying Solarwinds Orion
Helping the current team:
- pay off technical debt
- clear out backlogged requests/projects
- homogenize and stabilize environment

I’ll be starting the new position on April 9th, so after that expect some new posts on the new environment and my projects. :metal:

What is THWACK?

2018-02-21T12:40:00-05:00

You may have (hopefully) noticed the THWACK link in my author profile on the left there, and wondered what’s that? I mean, sure, everyone knows about email, Twitter, LinkedIn, GitHub and StackOverflow, but THWACK?

The TL;DR version: THWACK is the user community for Solarwinds (we’ll get to who they are in just a minute.)

A more detailed version from their site is:

Simply put, THWACK connects you with more than 130,000 IT professionals and community members, who’ve contributed to help us make superior products, provide educational IT content, and, most importantly, help IT professionals do their jobs better. Here we put you in direct contact with the people who manage and develop our products. THWACK is a place where you have a say in the direction of those products, and where you get support and answers, on the fly, without having to pick up the phone. Crazy, huh?

Crazy indeed.

Obviously, it’s most useful for those who are (or are planning to be) Solarwinds customers, but it still has value for other IT pros. If nothing else, there are lots of opportunities to collect points to redeem for swag.

So who/what is this “Solarwinds” anyway?

I told you we’d get to them in a minute. :smile:

The short version is that they’re a company that develops software products for IT pros. The largest piece of the pie is their Orion suite, which is a group of web-based products that integrate together and provide things like:

device monitoring (up-time, resource usage, hardware status)
application/service monitoring
network device configuration management
IP address/DNS/DHCP management
user device mapping
network traffic analysis (NetFLOW and NBAR)
Log and Event Management
VoIP and QoS monitoring
storage monitoring/management
virtualization monitoring/management
database performance management/monitoring
patch management
and more!

A more detailed “who we are” is on their website: Link

What’s great about them

I’ve been a user of Solarwinds products since 2009, and a member of Thwack since late that same year. During that time we’ve added several of their products to our environment, and have seen a lot of changes and enhancements to the suite.

I’ve seen first-hand (and in some cases been directly involved in) them making changes/fixes to their products based on user requests and feedback. They have opportunities for those interested to participate in user studies and feedback sessions while new versions/products are still in development.

They also make release candidate versions of new releases available in advance of GA, and most importantly, those release candidates are fully supported in production.

The community (THWACK) is pretty active, and employees (including product managers and engineers) are frequent posters and active. One of the major benefits of this is that there are a lot of community created and contributed templates, reports, SNMP pollers, etc, in addition to all of the out of the box ones.

So to wrap it all up :gift:, Solarwinds makes good, solid products, and they know who their target market/audience is (IT pros). This shows in their interactions, and most especially in their community (THWACK). So if you’re in IT pro, especially one interested in or already using Solarwinds tools (even the free ones), come join us and check it out!

Code to joy

2018-02-19T14:05:00-05:00

Why I love VSCode (and you might too)

What is VSCode?

Visual Studio Code (VSCode for short) is:

From VSCode Docs:

…a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux. It comes with built-in support for JavaScript, TypeScript and Node.js and has a rich ecosystem of extensions for other languages (such as C++, C#, Java, Python, PHP, Go) and runtimes (such as .NET and Unity).

It’s a powerful text/code editor from Microsoft that’s:

Free
Open Source
Cross platform
Extensible
Customizable
Regularly updated (more so if you use the Insiders track)

Why I switched

When VSCode first came out (announced in April 2015), I didn’t pay too much attention. For one, it was a preview; (1.0 was released in April 2016), two it was focused more on web development (HTML, CSS, JS, etc.), three I’d been using Notepad++ for years and it met my needs.

What finally drove me over was the really slick PowerShell extension, and the news that going forward VSCode + PowerShell extension would be “preferred” (aka maintained) over the PowerShell ISE.

So with that, I downloaded a copy, grabbed a few extensions and started kicking the tires.

Why I love it

Built-in version control (out of the box Git, extension for VSTS) - helps good habits
Save as admin (new in 1.20) - if the file requires elevated rights to write, it will prompt you for UAC/sudo
Extensions! - lots of ways to enhance/expand. Favorites so far:
- markdownlint (warn about sloppy Markdown)
- PowerShell (code completion, linting, console, and more!)
- mssql (connect to MSSQL servers and write/run code)
- Visual Studio Team Services (source control for VSTS/TFS)
- XML Tools (properly format XML; includes turning long string into a tree)
Customizable - you can change almost anything; the settings are in JSON files that you can port around/backup easily.
Command Palette - instead of digging around in menus, just press F1 and type
Well documented - Microsoft (and the VSCode community) have put together a lot of documentation, howtos, getting started, etc. for VSCode.
Side by side editors or previews - open two files side by side, or a file and preview (can we say Markdown or HTML?)

Sounds nice, how can I get started?

Go download a copy for your OS, and install.

After that, Microsoft has several Introductory Videos to help you get off the ground. If you’re currently used to or experience with another editor and don’t want your muscle memory to get in the way, VSCode has several keymap extensions available so you can use the same hotkeys/keyboard shortcuts for your current editor.

You can also:

Anything you love/hate/need with VSCode? Questions, comments? Feel free to comment below. :smile: