Hello to all of our outstanding readers! Brandon Wilson here once again to give you, yep you got it, yet another pointer to some more new network feature information from the Windows Core Networking team on the Top 10 networking features in Windows Server 2019. This time around, they are covering DPDK (Data Plane Development Kit) in Windows Server 2019, and its an interesting read! Here is some initial information straight from the product group:

“Top 10 Networking Features in Windows Server 2019: #2 Propelling broadcast video with DPDK on Windows

https://blogs.technet.microsoft.com/networking/2018/09/12/windowsdpdk4broadcasting/

As the world moves from HD to 4K and other high-resolution media formats (e.g. 8K), media broadcasters are pioneering a transition to an IP-based infrastructure. Designing for the future, this transition requires high bandwidth and low latency networking re-architecture, not to mention state of the art GPU drivers. We recently announced the availability of Data Plane Development Kit (DPDK) libraries on Windows to provide user mode applications fast packet processing capabilities, bypassing the host networking stack.

To this end, we are pleased to announce a partnership with Cisco and Intel to accelerate this transition in the media industry, by bringing Windows DPDK to Cisco’s media software package called virtual Media Interface (vMI).  Now, Windows Server with DPDK’s express data path and wealth of GPU drivers becomes the platform of choice for delivering next gen media formats and other user-mode applications!

”

As always, if you have comments or questions on the post, your most direct path for questions will be in the link above.

Thanks for reading, and we’ll see you again soon!

Brandon Wilson

Hello again everyone! Christopher Scott, Premier Field Engineer here. Recently I have started publishing some of my PowerBi report templates and received some positive feedback, so I decided to keep them going. This next template was designed to provide data insights into a filtered System Center Configuration Manager (SCCM) collection. Below is a detailed summary of each page as well as some important configurations and the download links for the template and PowerBI desktop.

These reports are scoped by collection so that they can be generated for individual organizations\collection owners that fall under a larger entity.

• Template can be downloaded from
  
  • https://gallery.technet.microsoft.com/SCCM-Collection-Specific-1572746a
• PowerBI Desktop can be downloaded for free from
  
  • https://powerbi.microsoft.com/en-us/downloads/
    

Important Configurations:

Data-Source Parameters:

• If you are importing from the template file:
  • you will be prompted for the “SCCM_SQL_Instance”, “SCCM_DB”, “CollectionID” and “AV_Software”. Fill these fields with the appropriate SQL Information, SCCM Collection ID and Antivirus Software information for your environment and click ok.
• If you are using the PBIX file:
  • Once you open the PowerBI file the first thing you will need to do is configure the data source by editing the parameters. You can do this simply by clicking the “Edit Queries” button ion the Home Toolbar and then select “Edit Parameters”

• Replace the “SCCM_SQL_Instance”, “SCCM_DB”, “CollectionID” and “AV_Software” fields with the appropriate SQL Information, SCCM Collection ID and Antivirus Software information for your environment and click ok. Click ok to continue and Run to allow the Native queries to run and import the data.

Report Previews:

• Page 1 is an Overview page for client imaging dates. The bar graph and corresponding table give a visual timeline of when clients were imaged over a period of time. The Date slider on the top left can be used to filter that period to a specific range. On the bottom right, I’ve added a last refresh timestamp to ensure the data is an accurate reflection of the environment.
• This report page is generally used to determine when clients should be refreshed.

• Page 2 shows the Update Compliance for the collection specified against each Software Update Group assigned to it. On this page starting from the top left I provide a count of systems in the collection and the number of devices reporting as non-compliant (In terms of Update Compliance only), Those numbers are broken down to provide a percentage calculation for quick insight. Also on the left hand side is a table of clients and the Antivurus versions (or Definition versions) installed on each client. Lastly on the left hand side is the number of machines reporting to SCCM as Unknown. These are machines that little or no inventory and usually have been powered off or disconnected for extended periods, but not limited to those situations.
• Inside the Box 1 (The Top outlined box pane) I break down the overall Deployment status with a summarized compliancy table and pie chart. Box 2 (The bottom outlined box pane) provides detailed deployment status first summarzied in the pie chart and then broken out in the graph by individual deployment.
• This has been a favorite for my customers as it provides a high level insight into the compliance of the desired collection.

I hope this report gives you the necessary data points to empower your organization. Please feel free to comment below with any feedback or ideas that you would like to see templated or improved.

Hi there! Stanislav Belov here to bring you the next issue of the Infrastructure + Security: Noteworthy News series!  

As a reminder, the Noteworthy News series covers various areas, to include interesting news, announcements, links, tips and tricks from Windows, Azure, and Security worlds on a monthly basis.

Hello All! Prathista here from the SCCM PFE world to give you some insights about the client assignment process and how client push is triggered when automatic client push is enabled. Many have faced the issue that automatic client push is not happening, despite you have all the boundaries and accounts in place. This is something I have come across multiple instances even in my previous role and had always been a mystery if it is the DDM or CCM itself or something else! Worst part, we will not see much information from ddm logs without verbose. Even with verbose, not much details related to ccr creation or client push trigger.

For those who are new with these terms, here is a quick background,

CCM – Client Configuration Manager – the component responsible for performing the client push and communicating with the client.

CCR- Client Configuration Record – the record which will be created for the CCM to read and process the request.

DDM – Discovery Data Manager – the component responsible for processing the newly discovered/heartbeat discovery records.

DDR – Data Discovery Record – the record which will be created for the DDM to read and update the DB and other actions depending on the type.

Here is an easy flow chart I have created for a better understanding of the flow.

The log snippets are taken from my lab with a CAS and 2 primaries and the client in the log snippet here (CL1) has its boundary in NYC primary.

An interesting thing to note here; I noticed many technet forums talking about manually deleting the duplicate entries from System_SMS_Assign_ARR table. It might not help much because these entries will still pop up after every discovery.

The duplicate entries happen in the following scenario,

1. You have secondaries in your environment.
2. Your secondaries’ boundary groups have site assignment checkbox enabled (refer to the screenshot below) with the Secondary site code.

An important thing to note, refer to the following statement from the article: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/assign-clients-to-a-site

“Clients cannot be assigned to a central administration site or to a secondary site.”

The duplicate entries can be identified using the following query,

select * from System_SMS_Assign_ARR where ItemKey in
(select ItemKey from System_SMS_Assign_ARR group by ItemKey
Having COUNT(itemkey) > 1)

This could also lead to client push not able to be triggered because the particular resource is assigned to both primary and secondary site code. To fix this issue, uncheck the site assignment from Secondary’s boundary and you can see these duplicates immediately disappear and automatic client push will be triggered soon after the resource is discovered.

Thanks for reading, and I hope this helped solve the mystery around client assignment and automatic client push, which I always had

Happy Wednesday to all of our great readers! Brandon Wilson here once again to give you the last pointer of the series from the Windows Core Networking team covering the top 10 networking features in Windows Server 2019. This time around, they are covering container networking with Kubernetes in Windows Server 2019! Here is some initial information straight from the product group:

“Top 10 Networking Features in Windows Server 2019: Container Networking with Kubernetes

https://blogs.technet.microsoft.com/networking/2018/09/19/ws2019-kubernetes/

In today’s increasingly competitive and fast-paced technology market, enterprises are constantly discovering amazing new ways to innovate and evolve. One such area with expanding interest in recent years is application modernization using containers and container orchestration.

As applications are lifted-and-shifted from VMs to containers, IT Pros and Dev Ops teams require the same network management agility of Software-Defined Datacenter (SDDC). Kubernetes, the de facto container orchestration tool, addresses this gap under the umbrella of a standardized & open-sourced framework. Now, with Windows Server 2019, we greatly improved usability of Kubernetes on Windows by enhancing platform networking resiliency and support of container networking plugins.“

As always, if you have comments or questions on the post, your most direct path for questions will be in the link above.

Thanks for reading, and we’ll see you again soon!

Brandon Wilson

Looking at the Windows Time process and configuration there and back again

As last we met, I am Tim Medina Sr PFE with Microsoft and we are coming to a conclusion of our three-part journey in time. First we took some time to look at the new features and aspects of Windows Time in Windows Server 2019. Then we took a some of the more common configuration items. This moment before we set off on further adventures, is going to draw all the information (past and present) in one nice neat spot for reference and help for those still needing it.

Where do we start? I would say with some of the more informative articles on current Windows Time Service here. From the reading you see what we consider the use and control spaces of Windows Time. This would include 2 important support boundaries. First and foremost, we see that we have the old standard bearer of Kerberos 5 requiring a time accuracy in the ticket issuance and expiration. Next, we see our new 2016 and 2019 items for highly accurate time. This will allow you in the confines of the configuration to each constraint. Meaning that each highly accurate increment needs to be defined and controlled properly to meet the support boundary.

Ok now that we have our playing field set, let’s look at what we touch and how it interacts in an environment.

See the two charts below as reference found here

As you will note the typical system that is providing time will reach out to a higher stratum source and then pull in the information via standard port. From there it displays and services the system itself to keep accuracy based on its configuration. Putting that same system into a domain-based model you can then see that the PDC will be the controlling stratum by organically populating the time for them as the primary source.

As noted in the previous blog and the technical reference, we need to make sure we have the settings properly configured. So, let’s break those down based on the documentation. First, we can still use the W32tm commands here to set stand-alone systems. In the case of a domain based system the encouraged path is to use a GPO. Both translate into registry settings that are found in HKLM\System\CurrentControlSet\Services\W32Time\. There are some key ones we need to discuss in context that were called out.

First we have the parameters items as seen below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Version

Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry Indicates which peers to accept synchronization from:

• NoSync. The time service does not synchronize with other sources.
  
• NTP. The time service synchronizes from the servers specified in the NtpServer. registry entry.
  
• NT5DS. The time service synchronizes from the domain hierarchy.
  
• AllSync. The time service uses all the available synchronization mechanisms.
  

The default value on domain members is NT5DS. The default value on stand-alone clients and servers is NTP.

Key things to remember here is that when you have something set to AllSync, it will pull in all sources to the system and make an amalgamation of the reliable sources to establish a time for the system. This can be problematic when you have 3 sources on a VM or more. This is where we note the proper setting to configure this should be NTP and Nt5DS in most cases.

Our next part is the flags set for the sources seen below.

This entry specifies a space-delimited list of peers from which a computer obtains time stamps, consisting of one or more DNS names or IP addresses per line. Each DNS name or IP address listed must be unique. Computers connected to a domain must synchronize with a more reliable time source, such as the official U.S. time clock.

• 0x01 SpecialInterval
  
• 0x02 UseAsFallbackOnly
  
• 0x04 SymmetricActive
  

  For more information about this mode, see Windows Time Server: 3.3 Modes of Operation (http://go.microsoft.com/fwlink/?LinkId=208012).
  

• 0x08 Client
  

There is no default value for this registry entry on domain members. The default value on stand-alone clients and servers is time.windows.com,0x1.

We need to take care when making setting changes here as they affect the behavior of the system. The standard use targets are 0x02 and 0x01. The note here would be the use of the 0x08 for only a specific race event. It is discouraged to set an authoritative source (PDCe or main standalone time server) as a client as it will not be properly conform to the requests for an authoritative source (commonly seen as 0x09). As with other items it falls into the if it is not broke, don’t change it.

There is one final note here that deals with the source targets and that has to do with VMNICTimeProvider. If you are in Azure or other cloud environment, it is recommended that those systems continue to use this source as it pulls in time stratum from the data center source. However if you have an on prem virtual it is a good idea to partially disable it to ensure that your VMs follow domain hierarchy.

Let’s put this into a nice time stream shall we? Using the following blogs as context you can configure a WMI filter to follow your PDCe and then build a GPO to set the time information for your domain. Again, if it ain’t broke principle applies here in current Windows server editions as it does in previous. Use of the w32time commands can be used here as well though its control is purely manual and can be mistyped or error because of a command entry error.

So, what is new? Let’s take a look at what Server 2016 and Windows 10 is presenting us in the GPO area as well in the registry of note in the high accuracy area. In the same parameter space and under the GPO settings we can reduce the Polling Intervals (min and max). We also can set the Update Interval as well as the key Special Poll Interval and Frequency Correction rate. With these changes you can then tune down your rate of variance to 1ms. This does require that the GTIMESERV role is enables as well a reliable GPS enabled source clock on your network. The down level (2012 and Windows 8) systems still benefit from this configuration though they cannot participate readily in its implementation.

On 2016 we see a host of new entries and configurable settings that differ from previous versions in configuration in GPOs. In the registry we also see some changes to the previous versions allowing us to take advantage of the parameter and configuration changes in the modern OS.

With the previous mentioned base MSDN articles, some of these settings are not generally altered or controlled to a degree. To be explicit though they can all be found here for reference.

Also just in case things should start to be a bit wibbly wobbly timey wimey on a client or system the debug log settings are still in the same hive entries and can be turned on to provide rich data for troubleshooting.

And there we go, just a quick run around the blogosphere universe in relation to time. As we head into Server 2016 and 2019 universe I can only see bright things for Windows Time. Drop a line if you have questions here on Windows Time, until next time, Fantastic! Allons-y! Geronimo!

Hi! I’m Graeme Bray and you may remember me from previous articles such as KMS Activation for Windows Server 2016.  Today’s installment will coincide with a new Windows Server release.  I’m going to focus on getting you to enable AD Based Activation for those of you who have not yet done so. 

The location for the KMS Host Key is the same as Windows Server 2016.  You need to find the key on the Microsoft Volume License Service Center. 

KMS Activation for Windows Server 2019 can be run from the following Operating Systems with the appropriate prerequisites: 

Windows Server 2012 R2 

July 2016 Servicing Stack Update: KB3173424 

September 11, 2018 Cumulative Update: KB4457129 

*Note* – If you’re reading this after a subsequent Patch Tuesday, the most recent Cumulative Update will include these changes as well.  They were originally introduced in KB4343891. 

Windows Server 2016 

May 2018 Servicing Stack Update: KB4132216 

August 30, 2018 Cumulative Update: KB4343884 

*Note* – You can install any future Windows Server 2016 Cumulative update and get these fixes.  Most Organizations would have installed KB4457131 as part of their patching process.  All fixes for Windows Server 2016 are cumulative. 

Retrieve KMS License Key from the VLSC for Windows Server 2019 

To resolve this problem, follow these steps: 

1. Log on to the Volume Licensing Service Center (VLSC).
2. Click License.
3. Click Relationship Summary.
4. Click License ID of your current Active License.
5. After the page loads, click Product Keys.
6. In the list of keys, locate Windows Srv 2019 DataCtr/Std KMS 
   

Install the Volume Activation RSAT Tools 

Log into a Windows Server 2012 R2 or Windows Server 2016 Machine 

1. Install (or verify) that the RSAT Volume Activation Tools are available.
2. Run Install-WindowsFeature RSAT-VA-Tools
4. Since you still have PowerShell open, launch Volume Activation Tools by typing vmw.exe
5. Click <Next> to skip that Welcome screen that everyone dislikes.
6. Ensure that Active Directory-Based Activation is selected and click <Next>.
7. Enter your Product Key and put the VLSC Product Name in the Display Name object.  This will help with future validation.
9. Click <Next> and then <Commit>.  This will put the key into AD, assuming that you have the proper permissions (Enterprise Admin).

I know, you need *what* to enable AD Based Activation?  Stay tuned for a future article (from yours truly) on how to delegate THAT access. 

This is the *only* time that you need to use the CSVLK (KMS Key) to activate a system, at least in this forest. 

Client Licensing 

Now, if you’re like me, you always do a search for “Appendix A KMS” on your favorite search engine (Bing, of course!).  That takes you to the below link which gives you the appropriate Generic Volume License Key (GVLK) that is hardcoded to each OS to activate.  If you download the ISO from the Volume License Service Center, this key is already in the OS and ready to activate. 

https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys  

A couple of caveats as far as AD Based Activation: 

1. Your systems need to be able to reach the Forest root DC’s if this is in a child domain.
2. You need to have extended the AD Schema to at least Windows Server 2012.

For more details: Activate Using Active Directory-based Activation 

Windows Server 2019 Activation: https://docs.microsoft.com/windows-server/get-started-19/activation-19  

Now, get going!  Activate Windows Server 2019 in your environment.  Use it in a lab, see what use case scenarios you can find to implement some new features.  You should expect to see more from us on Windows Server 2019 features in the future. 

Thanks! 

Graeme

Happy Friday folks! Brandon Wilson here once again to give you a pointer to some more information covering a topic touched on by the Windows Core Networking PG, and that is Software Defined Networking (SDN) load balancing in Windows Server 2016 and Windows Server 2019.

“Notes from the Field: Microsoft SDN Software Load Balancers

https://blogs.technet.microsoft.com/networking/2018/10/10/notesfromthefield-slb/

Kyle Bisnett and Bill Curtis here from the field and two of the SDN Blackbelts that share knowledge around architecture, implementations, and lessons learned!  We are excited to have wrote this new blog below on our Software Load Balancing Multiplexers (SLB MUXs) that are part of the Software Defined Network (SDN) framework in Windows Server 2016 and Windows Server 2019.

At a high level, Microsoft SDN provides software-based network functions such as virtual networking with switching, routing, datacenter firewall for micro-segmentation, third party appliance support and load balancing.  As mentioned above, in this blog we will look at the SLB MUXs and the feature set that it provides such as Inbound NAT, Outbound NAT, how performant they are, and why it is such an appealing option to our customers! This is a Q & A style blog that customers have asked along the way.”

As always, if you have comments or questions on the post, your most direct path for questions will be in the link above.

Thanks for reading, and we’ll see you again soon!

Brandon Wilson

Hello everyone, Jonathan Warnken here, and I am a Premier Field Engineer (PFE) for Microsoft. I primarily support Configuration Manager and I have been getting a lot of questions recently on how to collect custom information and include it in the device inventory within Configuration Manager. I wanted to share one way to accomplish this that demonstrates some of the great ways to extend the built-in features. For this post, I am going to show how to capture the information about local machine certificates. I do want to take a moment to thank MVP Sherry Kissinger for this post with the base powershell script used to collect the certificate information.

#Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.#

Now on to the good stuff. PowerShell makes it easy to get information about certificates. Using get-childitem and selecting one certificate we can see all the information available

While you can collect all of this information we are going to limit this down to just the Thumbprint, Subject, Issuer, NotBefore, NotAfter, and FriendlyName. We are also going to add a custom value of ExpiresinDays and ScriptLastRan. Next, we use a PowerShell script to collect the information and publish it to a custom wmi class.

https://github.com/mrbodean/AskPFE/blob/master/ConfigMgr%20Certificate%20Inventory/publish-CertInfo2WMI.ps1

Next create a configuration item that uses the script to publish the certificates in the local machine personal store, the local machine trusted publishers, and the local machine trusted root certificate stores to wmi that will allow the hardware inventory to collect the information.

1. Download https://github.com/mrbodean/AskPFE/raw/master/ConfigMgr%20Certificate%20Inventory/Inventory%20Machine%20Certificates.cab to c:\temp\Examples\
2. Navigate to \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines
3. Click on “Import Configuration Data” (You will find this as a button on the top toolbar or in the context menu when you right click on Configuration Baselines
   1. Select C:\temp\Examples\Inventory Machine Certificates.cab
   2. Click Yes on the warning “The publisher of Inventory Machine Certificates.cab file could not be verified. Are you sure that you want to import this file?”
   3. Click next twice to progress through the wizard and once complete, click close.
4. You will now see a new sub folder named Custom under Configuration Items (\Assets and Compliance\Overview\Compliance Settings\Configuration Items\Custom) and a configuration item named “Inventory Machine Certificates” in the Custom folder.
5. You will also see a Configuration baseline named “Inventory Machine Certificates”
   1. Deploy this baseline to a test collection

The documentation for using configuration items is available at:

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/configuration-items-for-devices-managed-with-the-client

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create-configuration-baselines

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/deploy-configuration-baselines

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/monitor-compliance-settings

These steps will extend the Hardware Inventory to collect the certificate information that has been published in WMI. To extend the inventory you must use a MOF file, MOF files are a convenient way to change WMI settings and to transfer WMI objects between computers. For more info see https://technet.microsoft.com/en-us/library/cc180827.aspx

1. Download https://raw.githubusercontent.com/mrbodean/AskPFE/master/ConfigMgr%20Certificate%20Inventory/CertInfo.mof to c:\temp\Examples\
2. Create a new Custom Device Client Setting (\Administration\Overview\Client Settings)
   1. Name the setting “Custom HW Inventory” and only enable Hardware Inventory
   2. Select Hardware Inventory on the left just under General
      1. Ensure Enable hardware inventory on clients is set to yes
      2. The default schedule is for 7 days, update the schedule if you would like to change it
      3. Click the “Set Classes …” button
         1. Click on the “Import …” button
            1. Select the c:\temp\Examples\CertInfo.mof
         2. Once back on the Hardware Inventory Classes dialog ensure the CertInfo (cm_CertInfo) class is enabled
         3. Click Ok
      4. Click Ok (again)
   3. Deploy the “Custom HW Inventory” Client Setting to a test collection.

Once the configuration item runs and publishes the data info WMI, the next time hardware inventory runs for systems in the test collection the certificate information will be available for reporting in Configuration Manager.

These steps will create console query that you can use to search for systems with a specific certificate thumbprint

1. Download https://raw.githubusercontent.com/mrbodean/AskPFE/master/ConfigMgr%20Certificate%20Inventory/Find_Cert_Query.MOF to c:\temp\Examples\
2. Navigate to \Monitoring\Overview\Queries
3. Click on “Import Objects”, this is available a button on the top toolbar and the context menu when you right click on Queries
   1. Click next to navigate through the wizard
   2. On the MOF File Name step, select c:\temp\Examples\Find_Cert_Query.MOF
4. Once the import completes, you will see a query named “Find Machines with a Certificate by thumbprint”

5. Once you have systems reporting the certificates as part of the inventory you can run this report
   1. When you run this report, it will prompt you for the thumbprint of a certificate to search for
   2. If any systems are found with the certificate the system name and the thumbprint will be returned by the query

This is a SQL query that can be used to view the certificate inventory data and can also be used as the basis for creating a custom report

Select sys.Name0 as ‘Name’, Location0 as ‘Certificate Location’, FriendlyName0 as ‘Friendly Name’, ExpiresinDays0 as ‘Expires in Days’, Issuer0 as Issuer, NotAfter0 as ‘Not After’, NotBefore0 as
‘Not Before’, Subject0 as Subject, Thumbprint0 as Thumbprint, ScriptLastRan0 as ‘Script last Ran’

from v_GS_CM_CERTINFO

Inner Join v_R_System as sys ON v_GS_CM_CERTINFO.ResourceID = sys.ResourceID

Thank you for reading, and I hope this helps you out!

Hi everyone! Graeme Bray with you again today to talk about an age old discussion point. Does Group Policy process quicker if you disable the User/Computer sections of a specific policy?

We’re going to walk through my lab setup, grabbing the policies, comparing them, and then confirming that I actually did disable the policy section.

Without further ado… Continue to how I set up my lab for this test.

Lab Setup

• Two Domain Controllers, in distinct separate sites, with appropriate subnets for my test server
• Test server running Windows Server 2012 R2, fully patched (as of September 2018).
  • 1 vCPU (Added: Oct 22, 2018)
  • 1 GB RAM
• 18 Group Policies configured, some with WMI Filters, others with Group Policy Preferences, none with any specific Client Side Extension organization in mind. Also included is the Microsoft Security Baselines. All are currently configured for “GPO Status” of Enabled.
• GPSVC Debug Logging turned on for system SERVER12.
  • New-Item -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’ -Name Diagnostics -ItemType Directory
  • New-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics’ -Name GPSvcDebugLevel -PropertyType DWord -Value 0x30002 -Force
  • New-Item -Path C:\windows\debug\usermode -ItemType Directory | Out-Null

  These three PowerShell commands will create the Registry Key, the Dword Value, and the Folder necessary for the actual log.

Test #1 – All Policies Enabled

After setting up my lab, I ran a GPUpdate /force. I was not updating any policies, so the settings themselves didn’t change. I didn’t have many user settings configured, so I wasn’t too terribly concerned about those. I wanted to focus specifically on the computer policy processing time. This tends to be the longest, due to any number of factors including Security Policies, WMI Filters targeting specific OS versions, and

I did my GPUpdate /force 3 times. The first test, from the beginning of processing at .031 seconds, finished processing Local Group Policy at .640 Seconds.

This seems like a long time. If we adjust the time based on some things that BOTH tests will have to encompass, we can shorten the time from .609 down to something easier to get a median between my 3 tests.

We want to skip to the initial “Checking Access to…” entry. In the section of “Searching for Site Policies” we are doing bandwidth checks and other domain/forest information queries.

On policy GUID 244F038B-8372-494A-AE7D-BBCA51A79273, the reason it is slightly slower is due to a WMI Filter check to see if it is Windows Server 2016.

The total time in the first test to process and get every policy is 0.265 seconds. Using the same methodology for the other two “Fully Enabled” tests, the times came to:

Test #2 – All Policies “User Configuration Disabled”

Without going into the same detail, the same methodology was used with all policies having “User Configuration Disabled”. Times are below, with a couple screenshots to prove I’m not making up the data.

As you can see, the difference is a grand total of 11 hundredths of a second.

Test #3 – Policies Half and Half (Randomly Chosen)

Finally, I picked half of my policies and disabled the User configuration section. Results are below:

But But… How can you prove what you did?

I know, I see it coming… How do I know in your logs that a User section of the policy was disabled?

Great question, you can see details on the Flags when Group Policy Debug Logging is enabled on this MSDN article.

See my screenshot below, with “Found flags of: ##”

Tl;dr:

Flag value 0 means Computer/User Enabled

Flag value 1 means User Disabled

Flag value 2 means Computer Disabled

Flag value 3 means policy Disabled.

Now, the question is, what does this mean? For years we’ve all heard, told, and explained that we should disable parts of a GPO that are not in use, especially for performance reasons. From this (somewhat) statistical approach, you can see that there are no obvious benefits to disabling any specific side of a policy, if not in use. The Group Policy engine still needs to query Active Directory to determine each policy that is linked to the Site, Domain, and OU. It still needs to determine what is in the policy, GP Extension wise, and get all of the information about the policy itself.

What should I do?

This is purely a decision you need to make. Some customers will continue to disable sides of the policy based on management and preference. Others will continue to forget that it exists. The choice is yours to make, but please stop proliferating the notion that disabling User/Computer sections within a GPO improves performance.

For what it’s worth, don’t combine User and Computer policies into the same GPO. Split them out, link them to the appropriate OU’s, and for Pete’s sake, please avoid loopback whenever possible.

Hopefully this article has helped detail reasons why it’s not that important to disable portions of a GPO. The end result is at most, 11 hundredths of a second. Nearly instantaneous and within any margin of error, depending on environment.

Thanks for reading

Graeme

Hi there! Stanislav Belov here, bringing you the next issue of the Infrastructure + Security: Noteworthy News series!  

As a reminder, the Noteworthy News series covers various areas, to include interesting news, announcements, links, tips and tricks from Windows, Azure, and Security worlds on a monthly basis.

Hello all from PFE Land! I’m Allen Sudbring, PFE in the Central Region. Today I’m going to talk about the built in SSH server that can be added to Windows Server 2019. With previous versions of server, there was some detailed configuration and installs you needed to do, to get SSH working on a Windows Server. With Windows Server 2019, it has become much easier. Here are the steps to install, configure, and test:

1. Open a PowerShell window on the Server you wish to install at:

2. Run the following command to install the SSH server components:

   Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

3. The install opens the firewall port and configures the service. Last step is start both SSH services with the following command and set them to automatic:

   Set-Service sshd -StartupType Automatic

   Set-Service ssh-agent -StartupType Automatic

   Start-Service sshd

   Start-Service ssh-agent

4. Test with SSH client. I used Ubuntu installed on Windows 10 WSL. The format for server on domain to connect is upn of the login account @servername, as in:

ssh allenadmin@sudbringlab.com@servername

• For servers in a workgroup, use a local admin account@servername as in:

ssh AzureVMAdmin@servername

5. After you login, you receive a command prompt where you can proceed with CMD or open PowerShell:

OpenSSH gives you the ability to connect to your windows servers without remote PowerShell and get a full CMD and PowerShell Experience. The ability to connect to Windows machines from Linux with a remote CMD shell is also useful in mixed environments.

In case you’re asking, you also can do the opposite way, and install PowerShell on Linux and remote to a PowerShell Instance on a Linux Machine with PowerShell Core on a Window Machine, but that is for a later post…

Thanks for reading!

Hello everyone, Matt Novitsch (SCCM Premier Field Engineer) with Craig McCarty (Platforms Premier Field Engineer) here to talk to you about a method of unsticking stuck Windows Updates. We have seen this several times with customers and on our own machines where Windows Updates are stuck downloading, installing, or failing to install for a variety of reasons. We found one way that fixes them all, without having too many steps, and can be done by any administrator…

So what do you need to do? Simple:

1. Stop the BITS and the Windows Update Services
2. Delete or rename the SoftwareDistribution folder
   1. NOTE: If deleting, it would be a good idea to copy or backup this folder first
      
3. Start the BITS and Windows Update Services.
   1. NOTE: You should now see the SoftwareDistribution folder is recreated

This can be done via script if by running the following in an administrative PowerShell console.

<#

Script Disclaimer. The sample scripts provided here are not supported under any Microsoft standard support program or service. All scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose.

#>

#Stop BITS Server

Stop-Service BITS

#Stop Windows Update

Stop-Service wuauserv

#Rename the Software Distribution Folder to .old the folder will be recreated when the services are restarted

Rename-Item -Path “C:\Windows\SoftwareDistribution” -NewName “C:\Windows\SoftwareDistribution.old”

#Start BITS service

Start-Service BITS

#Start Windows Update

Start-Service wuauserv

Once this script is done, restart the endpoint and check for updates again.

If you are still experiencing problems with updates you could have a corrupt or missing system file. To resolve this, you will want to run the Deployment Imaging Servicing and Management (DISM) tool followed by SFC /SCANNOW. You can do this by using the steps below.

1. Open an elevated command prompt
2. Type ‘DISM.exe /Online /Cleanup-image /Restorehealth /Source:C:\GoodSource\Windows /LimitAccess’ (C:\GoodSource should be replaced with a path to a Windows DVD or mounted ISO).
   *This command can take several minutes to run.
   *In cases where Windows Updates are not broken, you would be able to just run ‘DISM.exe /Online /Cleanup-Image /RestoreHealth’.
   
   In the screenshot above, I used a ISO mounted to D:\ as my source
3. When command completes run ‘SFC /SCANNOW’ from the elevated command prompt.
   
   
4. Wait for the verification to show 100% complete. If no errors were detected, then you can close the window and try Windows Update again. If an error was detected and wasn’t automatically repaired, please refer to this article starting at Step 4 in the article.

If you haven’t discovered this method before, hopefully this helps you out of a jam Thanks for reading!

Hello all, my name is Seth Price and I am a Configuration Manager PFE. I recently had a customer with a large network environment and they wanted to enable Configuration Manager Peer Cache to help with network bandwidth optimization. They were looking for some reporting options to help determine where peer cache could benefit network utilization and what clients would be appropriate in these locations to enable as peer sources. This post provides custom report options to help identify peer cache source candidates and report on systems that are already configured as peer cache sources.

Background information

Peer Cache is a feature in Configuration Manager which expands on the capabilities of Branch Cache to optimize network utilization for content delivery. Peer Cache can be used to manage deployment of content to clients in remote locations.

https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/client-peer-cache

In a large network environment, it may be difficult to identify and track both subnets where Peer Cache could provide a benefit, and the best client options for enabling Peer Cache content sources in that subnet. Some of the considerations in this decision would include:

Enabling Peer Cache on subnet:

• Number of workstation on subnet
• Network location (Connection speed to DP in boundary group)

Enabling a client as a Peer Cache source

• Client OS
• CCM client version (Does it support Peer Cache)
• Network Connection type (Wired vs Wireless)
• System chassis type
  • Example –Chassis type = 3,6, or 7 (Desktop, Mini Tower, or Tower)

    This would exclude systems types you may not want to use as a content source such as laptops, notebooks, hand helds and All in One systems.

• Available system drive space

Here are a few examples of creating custom reports to assist customers with managing Peer Cache.

***Report requirements***

1. Hardware inventory classes

   Hardware inventory will need to be configured to collect the following WMI classes:

   1. Root\ccm\softmgmtagent (CacheConfig) Specifically class ‘Size’

      Required to get the CCM cache size on systems

   2. Root\ccm\policy\machine\actualconfig (CCM_SuperPeerClientConfig) Specifically class ‘CanBeSuperPeer’
   3. System Enclosure (Win32_SystemEnclosure) –Chassis Types

1. Update AD System Discovery to add the following AD attribute “OperatingSystem”

*Note – Instructions for configuring requirements including system discovery and hardware inventory are at the end of this post.

Download the .rdl files for both custom reports here:

https://github.com/setprice2245/Peer-Cache

Report 1

PE Peer Cache Candidate Dashboard

This report lists the AD sites and the number of subnets associated with each site. Expanding the site and specific subnet will provide details on the client count in that site and the number of Peer Cache content source candidates.

The details of the client in that site are listed and color coded for Peer Cache candidate status.

Green = (Peer Cache is already enabled)

Blue = (System meets to criteria to be recommended as a Peer Cache candidate)

Gray = (System does NOT meet criteria for Peer Cache candidate)

In this report the client system must meet the following criteria to be displayed in BLUE for Peer Cache capable.

Note- The data used for candidate criteria is based on hardware inventory. Based on hardware inventory configuration this data may or may not be current (Default hardware inventory is 7 days)

• OS version (Like %Windows% NOT like %Server%)
• Ethernet connection (Adaptertype0) = ‘Ethernet 802.3’
• IPAddress0 like ‘%.%.%.%’ (Not Null)
• Free space on system drive is > 20 GB
• CCM Client is Active
• Client version 5.00.8540.1000 or later
• Chassis type in (3,6,7) – Desktop, Min Tower, or Tower

Note: The attached report will not list Server operating systems but I do have them enabled for display in the example report screenshot.

Report 2

PE Peer Cache Enabled Clients

This report lists all systems that have the Peer Cache client enabled and system details such as chassis type, free system drive space, CCM cache size, client status, Client version, OS name, AD site, and default gateway

Configuring system discovery and hardware inventory requirements

1. In the Config Mgr console under Administration > Hierarchy Configuration > Discovery Methods > Active Directory System Discovery > Properties > Add attribute operatingsystem
   

   Then start a system discovery

2. Add required classes to hardware inventory.

   Under Administration > Client Settings > Modify the Default Client Setting

   Edit Hardware inventory and click Set Classes…
   

   Add System Enclosure (Win32_SystemEnclosure) class = Chassis Types as shown below

   For the next classes, select Set Classes…, then select Add.
   

   Click Connect

   Under WMI namespace type Root\ccm\softmgmtagent and select Recursive as shown below.

   *Note – You may need to run the Config Mgr console as administrator to have access.

   Select CacheConfig and select OK

   Back in hardware inventory classes, find CacheConfig (CacheConfig) and select the Size class as shown.

   1. Repeat this process to add class Root\ccm\policy\machine\actualconfig (CCM_SuperPeerClientConfig) -Specifically class ‘CanBeSuperPeer’

   After we have added the new hardware inventory classes to the default client settings policy, we need to run a machine policy evaluation on a clliented system, then run a hardware inventory to update the database.

   Next, we can browse to our report server website and import the .rdl files included in this post.

   *Note- Make sure to edit the report and change the data source to your database.

Thank you for reading this post, you should now be able to run both custom reports. Please provide feedback if the reports are useful or if you would like to see additional data in either of the reports.

Hi there! This is Stanislav Belov here, and you are reading the next issue of the Infrastructure + Security: Noteworthy News series!  

As a reminder, the Noteworthy News series covers various areas, to include interesting news, announcements, links, tips and tricks from Windows, Azure, and Security worlds on a monthly basis.

Hello, Paul Bergson back again. It is late fall and once again playoff time for High School and Collegiate volleyball. Women’s volleyball in Minnesota is a big deal and I have played and coached for over 30 years and I have a lot of great memories with my friends and family in this sport. One thing I have learned is teaching young athletes to be well rounded in the game. Many become focused on the offensive part of the game and won’t put the effort to learn how to become a skilled defender. Yet they don’t seem to understand if you can’t control the ball defensively you don’t get to set up an attack against your opponent.

I see this same sort of mentality when it comes to preparation for the defense against phishing attacks. There are technical measures that can be put in place to guard against malware which includes Phishing attacks but the last line of defense against Phishing is your user base.

Preparing your users to be on the lookout for phishing attacks is difficult to do. Most figure their job isn’t very glamorous, and no one would want to target them. Yet, the largest attack vector isn’t software flaws but is instead the human factor. Email Phishing attacks randomly target millions of users and targeted spear-phishing attacks focus on high value assets within the company. Spear-phishing attacks are more effective and much harder to detect with “roughly 75% of all company breaches now start with phishing attempts designed to steal user credentials.”
https://blogs.technet.microsoft.com/cloudready/2018/04/30/phishing-examples-for-the-microsoft-office-365-attack-simulator-part-one/

Look at that number, 75%! With a number that large it makes it easier for IT decision makers to justify budget expense requests, to their management, to protect the enterprise infrastructure. So what type of equipment is needed to protect against “Phishing” attacks? No physical equipment is needed! Only annual or more frequent “User Training”, along with ongoing tests to ensure users are following training guidance.

What about email and spam filters, don’t those protect the enterprise? The answer is yes, but like anything else phishing/spear-phishing attacks evolve and some of this email still lands in your user’s inboxes.
https://blogs.msdn.microsoft.com/tzink/2014/09/12/why-does-spam-and-phishing-get-through-office-365-and-what-can-be-done-about-it/

It is at this point; your users are your last line of defense. Awareness and training could be the difference that saves your enterprise from attackers getting a foot hold within the company and the opportunity to pivot from this compromised workstation. If your user’s have been trained to spot a phishing attack (or watering hole) they can stop the attack in the “Kill Chain”.
https://blogs.technet.microsoft.com/prasadpatil/2017/12/15/crippling-the-cyber-kill-chain/

Training your users on how to spot an attack is based on not trusting people or organizations your users aren’t familiar with and to ensure the information provided within an email is legitimate.

Once training has been completed it can be crucial to be aware of the level of understanding your users have on this threat. This awareness can be performed with a Phishing awareness assessment. An awareness assessment creates a phishing simulation to see which users fall victim, which don’t fall victim and those that don’t fall victim and report the attack. The details that are pulled from this assessment can then be used to help retrain those users that fell victim.

An awareness assessment can be created manually but that can be difficult, there are third party tools and vendors that can provide this service, but Office 365’s Threat Intelligence service recently released a new enhanced feature called “Attack Simulator”. Attack Simulator has three options available:

• Spear-phishing user testing
• Password spray attack
• Brute-force password attack

In order to use Attack Simulator, there are several prerequisites:

• The enterprise owns O365 Threat Intelligence (E5 Licensing) or have purchased Threat Intelligence separately
• Exchange Online is in use (On premise is not supported)
• Multi-Factor Authentication (MFA) for O365 is enabled and used by the account running the Attack Simulator

The only users capable of using the Attack Simulator feature are O365 Global Administrators or someone that has been delegated the “Security Administrator” role.

Prior to running an in-house phishing attack, ensure to get leadership approval, since this could be considered a hostile act even if it is just a simulation.

The O365 team has created a number of scenarios to help our users create a targeted attack. Along with the links provided below I have also included a short video on the console:

• https://blogs.technet.microsoft.com/cloudready/2018/04/30/phishing-examples-for-the-microsoft-office-365-attack-simulator-part-one/
• https://blogs.technet.microsoft.com/cloudready/2018/04/30/phishing-examples-for-the-microsoft-office-365-attack-simulator-part-two/
• https://blogs.technet.microsoft.com/cloudready/2018/04/30/phishing-examples-for-the-microsoft-office-365-attack-simulator-part-three/
• Video – Introducing Office 365 Attack Simulator
  • https://www.youtube.com/watch?v=5jWGU2VM3SI

I still recall an eventual DII collegiate player on my team, good enough to help the team offensively but a detriment defensively sitting on the bench as we were playing for a berth in the state tournament. Sadly, she never got an opportunity to play in the tournament run. The following year she finally realized that there were three components to the game – Bump, Set and Spike. Think of this as the volleyball “Kill Chain” (Lockheed Martin framework) which opponents will leverage to their advantage.

If you have access to the Attack Simulator, don’t “Sit on the bench” figuring it isn’t important. It is!!! Use this tool to help educate and protect your enterprise from Phishing attacks as well as Password Spray and Brute Force attacks.

“Go, Go Gophers!”

Hello everyone, Jonathan Warnken here. I am a Premiere Field Engineer (PFE) for Microsoft. I primarily support Configuration Manager and today I want to talk about creating a custom console extension to allow the use of a Fully Qualified Domain Name (FQDN) when starting a remote-control session. If you work in a multi domain environment or need to support direct access clients you will quickly find that one of the challenges with Configuration Manager is that when it starts a remote control session it defaults to the Client name which generally matches the Net Bios name of the system. I was recently challenged by a customer wanting to simplify the management of clients connected via direct access. They had correctly configured the environment to support managing out to these devices and could complete all connected except starting remote control via the console. Remote control would work but the initial connection via the net bios name would fail and the user would need to enter the FQDN to allow the connection to complete successfully.

In all other cases when connecting to clients connected via direct access the operating system would append the correct DNS suffix. However, the Configuration Manager console would not. Starting the remote-control tool via the command line does support passing the FQDN and\or the IP address. My first solution was to write a PowerShell script to take the computer name and look up the FQDN.

& $env:SMS_ADMIN_UI_PATH\CmRcViewer.exe $([net.dns]::GetHostEntry(‘YourComputerName’).Hostname)

Simple and effective but the response was that it needed to be even simpler. So after a little digging in the AssetManagementNode.xml file, I saw that two nodes exposed the remote control options via a right click in the console. For more info on finding Console Nodes see https://docs.microsoft.com/sccm/develop/core/servers/console/how-to-find-a-configuration-manager-console-node-guid

With this info I decided to write a custom right click to run the PowerShell command. The first node started with was the devices view which has a GUID of “ed9dee86-eadd-4ac8-82a1-7234a4646e62”. After reading https://docs.microsoft.com/en-us/sccm/develop/core/servers/console/how-to-create-a-configuration-manager-action, I created a test action using the notepad example from the docs site and everything worked great so I made an xml file to execute the PowerShell command. And nothing happened! After some head scratching and a few expletives uttered, I realized that the ampersand (&) character is a special character for xml and must be escaped for it to be correctly parsed.

NOTE: You may need to zoom in a bit to see the screenshot. The XML content is copied below as well.

<ActionDescription Class=”Executable” DisplayName=”PFE FQDN Remote Control” MnemonicDisplayName=”PFE FQDN Remote Control” Description = “Use FQDN to start remote control session”>

<ShowOn>

<string>ContextMenu</string>

</ShowOn>

<Executable>

<FilePath>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</FilePath>

<Parameters>-nologo -noprofile -noninteractive -windowstyle hidden -ExecutionPolicy Bypass -Command “&amp; { &amp; $env:SMS_ADMIN_UI_PATH\CmRcViewer.exe  $([net.dns]::GetHostEntry(‘##SUB:NAME##’).Hostname) }” </Parameters>

</Executable>

<SecurityConfiguration>

<ClassPermissions>

<ActionSecurityDescription RequiredPermissions=”32″ ClassObject=”SMS_Collection”/>

</ClassPermissions>

</SecurityConfiguration>

</ActionDescription>

You will also note that there is a special variable used to pass the client name. ##SUB:NAME## is the variable passed from the console to the custom action for the client name.

To use the custom action you will need to save the xml file in the XmlStorage\Extensions\Actions folder in path where the console is installed. Under the actions folder you will need to create a folder named the same as the GUID for the node that you would like the action to appear and save the file there. As I said earlier, there are two nodes I waned my extension to appear in. The other node I want to use is the devices in a collection node, for which the GUID is “3fd01cd1-9e01-461e-92cd-94866b8d1f39”.

With the xml in place the new right click tool is ready for action.

Hopefully, you will find this useful if you need to do something similar or need to write your own custom extension. If you would like to use mine the xml and a install script is available https://github.com/mrbodean/AskPFE/tree/master/ConfigMgr%20FQDN%20Remote%20Control/source/ed9dee86-eadd-4ac8-82a1-7234a4646e62

Thanks for reading

Hello everyone, Ty McPherson here, along with some fellow engineers Andreas Pacius and Edwin Gaitan, and we wanted to put together and share some information to help you setup Remote Server Administration Tools with Windows 10 1809.

Starting with Windows 10 v1809 the Remote Server Administration Tools (RSAT) is now a Feature on Demand (FoD). Features can be installed at any time and the requested packages are obtained through Windows Update. However, some of you are not connected to the internet to retrieve these packages, but still need the RSAT features enabled. The below steps will allow you to install some or all of the RSAT features. There are a couple options available to you, so please read through them so you can determine the best course of action to meet your needs.

The first step in all cases is that you need to obtain the FoD media from your Volume License Servicing Center (VLSC). Login and do a search for Features on Demand, ensuring you select the same edition that you want to RSAT enabled on.

Figure 1 – VLSC Search for Features on Demand

Download Disk 1 of the latest release

Figure 2 – Download Disk 1 of the latest release

Before we install the RSAT let’s examine what’s available we’ll use Get-WindowsCapability. Run the following command:

Get-WindowsCapability -online | ? Name -like Rsat* | FT

Figure 3 – Check RSAT FoD Status

Here are your choices, some a great for single quick installations, while others can help make available the FoD resources for the Enterprise.

Option 1:

You can copy the files from the .iso media to a local directory and move to a network share and make it available to the administrative staff.

Use the following PowerShell to install RSAT from the FoD source that was placed on a network share from Option 1.

Option 2:

Alternatively, you could mount the .ISO and specify the drive as the source. Using a local drive letter as the -source parameter specified when executing the Add-WindowsCapability PowerShell.

If installing from a mounted ISO the below is an example PowerShell script

After the installation we’ll use Get-WindowsCapability again to check the status of the RSAT features after the installation.

Figure 4 – Ensure RSAT features installed

Thank you for taking some time to read this and learning about the changes with RSAT in Windows 10 1809. We hope that this will help you as you transition to this recent build of Windows 10.

Good Luck!

Hello! My name is Todd Linke, and I am a Premier Field Engineer at Microsoft where I specialize in System Center Configuration Manager.

I was working with some customers who were seeing strange behavior on their SCCM Site Servers. In one case, an unusually high percentage of clients had corrupt hardware inventories. Looking at the log files, we could see that client inventories were being successfully sent to the Management Point, but when processed on the site server by SMS_INVENTORY_DATALOADER we were getting a “File in use” error. We used Process Monitor and were able to determine that MsMpEng.exe (Windows Defender) was the process that was locking the file. We turned off “Real-Time Protection” for Defender and the errors suddenly stopped.

What we thought was unusual though, is that they were using a 3^rd Party Antivirus solution, which they believed would disable Windows Defender when installed.

In the other case, Software Update Compliance status was missing in action. The MP_FILE_DISPATCH_MONITOR component on the Software Update Point Server was unable to copy client status messages to the proper inboxes on the Primary Site Server. This time the error being reported was “The network path does not exist”. Once again, Process Monitor showed that the files were in use by MsMpEng.exe, and once again, turning off “Real-Time Protection” solved the issue immediately. In this case also, they were using a 3^rd party Antivirus solution. At both customers the proper exclusions for SCCM were configured for their 3^rd party Antivirus, which would normally prevent these types of issues.

What set these two servers apart from their other SCCM servers is that they were running Windows Server 2016.

As you may or may not know, Microsoft included Windows Defender in Server 2016, where it is enabled by default. Unlike in previous versions of Windows Server, installing a 3^rd party Antivirus will not automatically disable Windows Defender. The following page of the Server 2016 online documentation describes exactly how this works:

https://docs.microsoft.com/en-us/windows-server/security/windows-defender/windows-defender-overview-windows-server

There are two solutions for this situation:

1. Disable Windows Defender Real Time Protection via Group Policy by setting the “Turn off Real-Time Protection” to “Enabled”. You can find more details at the following location:

   https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus

2. Configure the recommended SCCM Antivirus Scanning exclusions for Windows Defender using either Group Policy, or SCCM. A great list of SCCM scanning exclusions can be found in this blog post by Brandon McMillan, who is also an SCCM PFE at Microsoft:

   https://blogs.technet.microsoft.com/systemcenterpfe/2017/05/24/configuration-manager-current-branch-antivirus-update/

One of the many great features in SCCM is the ability to use Baselines to monitor SCCM Client devices for specific issues or symptoms. If you would like to verify this in your environment, run the following script on your Site Server to create a Configuration Item and Baseline both named “Verify Windows Defender Real-Time Scanning Status”.

Then deploy the baseline to a collection containing only Windows Server 2016 Devices. Any devices that show Non-Compliant have Real-Time Scanning enabled.

Powershell Code:

#Load SCCM CmdLets

$CMConsolePath = Get-ItemPropertyValue -Path HKLM:\SOFTWARE\Microsoft\SMS\Setup -Name “UI Installation Directory”

$CMModulePath = “$CMConsolePath\bin\ConfigurationManager.psd1″

Import-Module $CMModulePath

#Get CM SiteCode

$ProviderInfo = Get-WMIObject -Class SMS_ProviderLocation -Namespace root\SMS -ComputerName $Env:ComputerName

$Sitecode = “$($ProviderInfo.SiteCode):”

#Change to CM PSDrive

Set-Location “$SiteCode“

#Set Discovery Script PS Code

$DiscoveryScript = @”

`$(Get-MPPreference).DisableRealtimeMonitoring

“@

#Create Configuration Item

$ConfigItem = New-CMConfigurationItem -Name “Verify Windows Defender Real-Time Scanning Status” -CreationType WindowsOS

#Add Compliance Rule to CI

$ConfigItem | Add-CMComplianceSettingScript -DataType String -DiscoveryScriptLanguage PowerShell -DiscoveryScriptText $DiscoveryScript -SettingName “Defender Real-Time Protection Setting” -NoRule -Is64Bit

$CompSetting = $ConfigItem | Get-CMComplianceSetting -SettingName “Defender Real-Time Protection Setting”

$CompRule = $CompSetting | New-CMComplianceRuleValue -RuleName “Is False” -ExpressionOperator IsEquals -ExpectedValue “True”

$FinishedCI = $ConfigItem | Add-CMComplianceSettingRule -Rule $CompRule

#Add CI to new Baseline

$CMBaseline = New-CMBaseline -Name $ConfigItem.LocalizedDisplayName

$FinishedBL = Set-CMBaseline -Name $ConfigItem.LocalizedDisplayName -AddOSConfigurationItem $ConfigItem.CI_ID

Thanks for reading!

Hi there! Stanislav Belov here to bring you the next issue of the Infrastructure + Security: Noteworthy News series!  

As a reminder, the Noteworthy News series covers various areas, to include interesting news, announcements, links, tips and tricks from Windows, Azure, and Security worlds on a monthly basis.