I help run the Windows server and workstations at our children's school. For this, and also in my lab, I set up MDT (Microsoft Deployment Toolkit) to deploy new physical or virtual machines.
At school we buy a lot of used/refurbished desktop and laptop computers, and each of them comes with its own unique Windows license. We simply cannot afford an additional Enterprise license for every machine.
So MDT also helps us keep track of all the Windows product keys: we enter them once in a spreadsheet (we get some help from students here). At the end of 2012 we got 35 new machines, and I thought it would be nice to import the spreadsheet into the MDT database and, at the same time, assign them the role that installs Windows 7 32-bit.
I found this post by Michael Niehaus, http://blogs.technet.com/b/mniehaus/archive/2009/05/15/manipulating-the-microsoft-deployment-toolkit-database-using-powershell.aspx, and downloaded the PowerShell cmdlets he provides with it.
Our spreadsheet has the following format:
- the first line holds the column headers: computer name, Windows product key, and the machine's serial number (the script below refers to these columns as ComputerName, WinProductKey and SerialNum)
- the remaining lines hold the data
The spreadsheet is tab-delimited.
And here is the PowerShell script I created:
##########
# Load Michael Niehaus' MDT database cmdlets (Connect-MDTDatabase, New-MDTComputer, ...).
# The module path is an assumption; point it at wherever MDTDB.psm1 was saved.
Import-Module .\MDTDB.psm1
# Import the tab-delimited spreadsheet into a PowerShell array
$collection = @(Import-Csv .\HPlabcomputers20121231.csv -Delimiter "`t")
# Connect to the SQL database (local SQL Server instance, database MDTDB)
Connect-MDTDatabase -sqlServer . -database MDTDB
# Create an entry in the MDT database for each computer
foreach ($computer in $collection)
{
    $PCNAME    = $computer.ComputerName
    $SerialNum = $computer.SerialNum
    $ProdKey   = $computer.WinProductKey
    Write-Host "Importing $PCNAME"
    # OSInstall=YES allows the deployment, OSDComputerName sets the name, ProductKey carries the per-machine key
    New-MDTComputer -assetTag $PCNAME -serialNumber $SerialNum -settings @{OSInstall='YES'; OSDComputerName=$PCNAME; ProductKey=$ProdKey}
}
# Assign each computer the role that installs Win7 Pro 32 bit
foreach ($computer in $collection)
{
    $PCNAME = $computer.ComputerName
    Write-Host "Updating $PCNAME"
    # Look the computer up by its asset tag and set the computer role
    Get-MDTComputer -assetTag $PCNAME | Set-MDTComputerRole -roles @('Win7_lab_computers')
}
##########
Obviously, the user account you run this with must have SQL permissions on the MDT database in order to update it.
Also note that the MDT MMC (aka Deployment Workbench) does not show the new computers if you just click Refresh on the Computers view under MDT Deployment Share/Advanced Configuration/Database. Instead, click on Database, hit Refresh, and then go back to the Computers view.
Wednesday, January 9, 2013
Tuesday, December 4, 2012
Certificate Autoenrollment and RDS cause a certificate flood
All,
I love using machine certificates for RDP SSL as well. This week I came across an issue where I first thought autoenrollment was freaking out and generating a new certificate on every reboot or gpupdate /force.
I found tons of articles about why autoenrollment is not working at all, but nothing about it issuing too many certificates. Luckily, I found an article about the GPO settings for RDP.
http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/382774a9-5b2c-4d54-9abb-03357adccc08
RDP GPO settings http://technet.microsoft.com/en-us/library/cc771869(WS.10).aspx
So it seems that this "known" issue is not fixed yet. Or perhaps it is and I just do not know the KB article number.
Solution in short: keep "Template Display Name" and "Template Name" with the exact same spelling and no spaces. See below.
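To see whether a host is affected before the store fills up, here is an added PowerShell check (my own example, not code from the post): it reads the template name the RDP policy configured, compares it case-sensitively against the template names AD CS publishes, and counts how many certificates from that template have already accumulated in the machine store. It assumes a domain-joined host, the CertTemplateName policy value, and an arbitrary threshold of three recent certificates for calling it a flood.

```powershell
# Added example, not from the post. Run on a domain-joined RDS host, PowerShell 3.0 or later.
function Test-RdpCertTemplateFlood {
    param([int]$FloodThreshold = 3)   # arbitrary starting point; tune for your renewal period
    # The "Server authentication certificate template" policy writes this REG_SZ value
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $configured = (Get-ItemProperty -Path $polKey -Name CertTemplateName -ErrorAction SilentlyContinue).CertTemplateName
    if (-not $configured) { return 'No RDP certificate template is configured by policy.' }

    # Published templates: cn is "Template Name", displayName is "Template Display Name"
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $tplPath  = 'LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,' + $rootDse.Properties['configurationNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$tplPath, '(objectClass=pKICertificateTemplate)', @('cn', 'displayname'))
    $templates = foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{ Name = [string]$r.Properties['cn'][0]; DisplayName = [string]$r.Properties['displayname'][0] }
    }
    $exact = @($templates | Where-Object { $_.Name -ceq $configured }).Count -gt 0
    # Same text in the wrong case, or the display name instead of the template name: RDP keeps re-enrolling
    $near  = @($templates | Where-Object { $_.Name -eq $configured -or $_.DisplayName -eq $configured }).Count -gt 0

    # Certificates carrying the v1 (1.3.6.1.4.1.311.20.2) or v2 (1.3.6.1.4.1.311.21.7) template extension.
    # Format() renders the friendly name CryptoAPI knows for the template, so this match is best-effort.
    $fromTemplate = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } | Select-Object -First 1
        $ext -and ($ext.Format($false) -match [regex]::Escape($configured))
    }
    $recent = @($fromTemplate | Where-Object { $_.NotBefore -gt (Get-Date).AddDays(-7) })
    [pscustomobject]@{
        ConfiguredTemplate     = $configured
        ExactTemplateNameMatch = $exact
        NearMissOnly           = (-not $exact) -and $near   # the misconfiguration the post describes
        CertsFromTemplate      = @($fromTemplate).Count
        IssuedLast7Days        = $recent.Count
        LikelyFlood            = $recent.Count -ge $FloodThreshold
    }
}
Test-RdpCertTemplateFlood | Format-List
```

NearMissOnly set to True together with a rising IssuedLast7Days is the signature of the problem described above; an exact match with a single current certificate is the healthy state.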
Thursday, October 25, 2012
New study about Validating SSL Certificates in Non-Browser Software
Scientists from The University of Texas and Stanford University have published a study about SSL encryption in several products and services.
Even applications that encrypt their data often do not properly verify the identity of the sender or receiver. I have seen this before for online backup services, password sync tools, etc.
So this is not a new thing, but it is amazing that we still have to deal with it.
Read the article http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
Thursday, October 11, 2012
1-2-3 : See what is in a SAML response
1. Get Fiddler 2 installed from http://www.fiddler2.com/fiddler2/version.asp, then activate HTTPS inspection (HTTPS inspection can break the communication for some services when it is activated, e.g. Outlook using RPC over HTTP).
2. Download XML Notepad from here: http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=7973
3. Start Fiddler and hit F8 to see the Inspectors.
4. Log on to your SaaS application.
5. Go back to Fiddler. Click on the first entry in Web Sessions that is hitting the SaaS vendor, click on Inspectors and then Raw on the right-hand side. Copy the SAMLResponse from the Raw tab to https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php and click on "Decode".
6. Copy the decoded SAMLResponse to the clipboard.
7. Open XML Notepad and hit CTRL-V.
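Step 5 pastes the response into a third-party web page, which means handing an assertion that is still valid to someone else's server. As an added example (my own code, not from the post), the same decoding can be done locally in PowerShell on the raw POST body copied from Fiddler, pulling out the fields worth checking: issuer, status, NameID, audience, validity window, which elements are signed, and the attributes. The POST body and assertion below are constructed samples with placeholder hostnames; the script assumes PowerShell 3.0 with .NET 4.5 for System.Net.WebUtility.

```powershell
# Added example, not from the post. Decodes a SAML 2.0 HTTP-POST binding response offline.
function ConvertFrom-SamlResponsePostBody {
    param([Parameter(Mandatory)][string]$PostBody)   # e.g. "SAMLResponse=...&RelayState=..."
    $form = @{}
    foreach ($pair in $PostBody -split '&') {
        $key, $value = $pair -split '=', 2
        $form[$key] = [System.Net.WebUtility]::UrlDecode($value)   # undoes %2B, %3D, + and friends
    }
    # SAMLResponse is plain base64 of the XML; the HTTP-Redirect binding would also need inflating
    $xml = [xml]([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($form['SAMLResponse'])))
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')
    $cond = $xml.SelectSingleNode('//saml:Assertion/saml:Conditions', $ns)
    [pscustomobject]@{
        Issuer       = $xml.SelectSingleNode('/samlp:Response/saml:Issuer', $ns).InnerText
        StatusCode   = $xml.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode', $ns).GetAttribute('Value')
        NameID       = $xml.SelectSingleNode('//saml:Assertion/saml:Subject/saml:NameID', $ns).InnerText
        Audience     = $xml.SelectSingleNode('//saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns).InnerText
        NotBefore    = $cond.GetAttribute('NotBefore')
        NotOnOrAfter = $cond.GetAttribute('NotOnOrAfter')
        # Which element each ds:Signature covers (Response, Assertion, or nothing at all)
        SignedParts  = @($xml.SelectNodes('//ds:Signature', $ns) | ForEach-Object { $_.ParentNode.LocalName }) -join ','
        Attributes   = @($xml.SelectNodes('//saml:Attribute', $ns) | ForEach-Object { '{0}={1}' -f $_.GetAttribute('Name'), $_.InnerText }) -join '; '
    }
}

# Constructed sample: what an IdP would POST to the SaaS vendor's assertion consumer URL. It is unsigned,
# so SignedParts comes back empty; a real response must carry a ds:Signature the service provider verifies.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2012-10-11T10:00:00Z">
  <saml:Issuer>http://adfs.example.org/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-10-11T10:00:00Z">
    <saml:Issuer>http://adfs.example.org/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>student@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2012-10-11T10:00:00Z" NotOnOrAfter="2012-10-11T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saas.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>student@example.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
$b64  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
$body = 'SAMLResponse=' + [System.Net.WebUtility]::UrlEncode($b64) + '&RelayState=lab'
ConvertFrom-SamlResponsePostBody -PostBody $body | Format-List
```

With a real capture, paste the body line from Fiddler's Raw tab into -PostBody instead of building one; the Audience must equal the SaaS vendor's entity ID and the validity window should be short, which is what a reviewer is usually looking for.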
Tuesday, August 21, 2012
certlm.msc - Short cut to open the certificate store for the local machine
Sometimes even a small thing can be a time saver.
In Windows 2012 you can just type certlm.msc to start the Certificates MMC with the local machine store.
Saturday, August 11, 2012
SharePoint 2013 gets native RMS support
Microsoft SharePoint 2013 supports Information Rights Management (IRM) protection of PDF documents. With that support, users can upload PDF documents to IRM-protected libraries, and upon download, the files will be protected using Microsoft Office IRM.
http://officepreview.microsoft.com/en-us/sharepoint-help/sharepoint-compatible-pdf-readers-that-support-microsoft-information-rights-management-services-HA102925502.aspx
The first compatible PDF reader comes from Foxit (http://www.foxitsoftware.com/) and other vendors are welcome to make their readers compatible.
Native support for PDF is one of the top 5 questions from clients about RMS.
Message: This account can't be used to access Outlook.com
Today I ran into an issue accessing the Office 365 Outlook Web Access.
First of all, I did the Office 365 setup for a new tenant. The school of my kids decided to test Office 365; right now they are on Google and they want to teach the kids more than one cloud application.
For ADFS we already have a Windows Server 2012. ADFS works great on it, but the MSOL PowerShell commands do not work with 2012. Only this server has a public certificate, though, and its URL is used for other services as well. So I just added ADFS 2.0 to another server, moved the signing cert over and ran the MSOL PowerShell commands there. Then I played copycat to get the relying party settings over to the 2012 ADFS server. After ADFS was done I installed and ran DirSync. To verify my work I went to http://outlook.com/domain.org and, after ADFS authentication: BUMMER!
"This account can't be used to access Outlook.com"
So I did some web searching, but nothing really helpful came up.
Then I compared the relying party settings between the ADFS 2.0 server and the 2012 server and found that I had missed configuring the hash algorithm to SHA-1. If it is SHA256 you will see the message above.
I suppose this is only one of the reasons you can see that message, because the message is kind of generic.
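The "copycat" comparison can be scripted. Here is an added PowerShell example (my own code, not from the post) that fetches the Office 365 relying party trust from both federation servers, reports every setting that differs, and warns when the 2012 server is not on the SHA-1 signature algorithm the post ended up needing. It assumes WinRM remoting to both servers, placeholder server names, and the trust name 'Microsoft Office 365 Identity Platform' that the MSOL federation cmdlets create.

```powershell
# Added example, not from the post. Compares one relying party trust across an ADFS 2.0 and a 2012 server.
function Compare-AdfsRelyingPartyTrust {
    param(
        [Parameter(Mandatory)][string]$ReferenceServer,    # the ADFS 2.0 server that works
        [Parameter(Mandatory)][string]$DifferenceServer,   # the Windows Server 2012 ADFS server
        [string]$TrustName = 'Microsoft Office 365 Identity Platform'
    )
    $fetch = {
        param($name)
        # ADFS 2.0 ships its cmdlets as a snap-in, Windows Server 2012 as a module
        if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS }
        else { Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop }
        $t = Get-AdfsRelyingPartyTrust -Name $name
        if (-not $t) { throw "Relying party trust '$name' not found on $env:COMPUTERNAME" }
        # Flatten to plain values so both results compare cleanly after remoting deserializes them
        [pscustomobject]@{
            SignatureAlgorithm         = [string]$t.SignatureAlgorithm
            Identifier                 = (@($t.Identifier) | Sort-Object) -join ' '
            WSFedEndpoint              = [string]$t.WSFedEndpoint
            EncryptClaims              = [bool]$t.EncryptClaims
            TokenLifetime              = [int]$t.TokenLifetime
            IssuanceTransformRules     = [string]$t.IssuanceTransformRules
            IssuanceAuthorizationRules = [string]$t.IssuanceAuthorizationRules
        }
    }
    $ref = Invoke-Command -ComputerName $ReferenceServer  -ScriptBlock $fetch -ArgumentList $TrustName
    $dif = Invoke-Command -ComputerName $DifferenceServer -ScriptBlock $fetch -ArgumentList $TrustName
    foreach ($p in 'SignatureAlgorithm', 'Identifier', 'WSFedEndpoint', 'EncryptClaims', 'TokenLifetime',
                   'IssuanceTransformRules', 'IssuanceAuthorizationRules') {
        if ("$($ref.$p)" -ne "$($dif.$p)") {
            [pscustomobject]@{ Setting = $p; Reference = $ref.$p; Difference = $dif.$p }
        }
    }
    # The setting behind the "This account can't be used to access Outlook.com" message in the post
    $sha1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
    if ($dif.SignatureAlgorithm -ne $sha1) {
        Write-Warning ("$DifferenceServer signs with $($dif.SignatureAlgorithm); the post's fix is " +
            "Set-AdfsRelyingPartyTrust -TargetName '$TrustName' -SignatureAlgorithm '$sha1'")
    }
}
# Placeholder server names; replace with the two federation servers
Compare-AdfsRelyingPartyTrust -ReferenceServer adfs20.example.org -DifferenceServer adfs2012.example.org | Format-Table -AutoSize
```

An empty table means the two trusts match on the settings listed; the issuance rules are compared as whole strings, so even a whitespace difference shows up as a row.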