FAQ Overview

Office 365

Office 365 Exchange Migration Template

Stage Initial
Collect Mailbox Numbers & Sizes: Get-Mailbox | Get-MailboxStatistics | Sort totalitemsize -desc | ft displayname, totalitemsize, itemcount | Out-File C:\Temp\mailboxsize.txt  
Collate a list of Distribution groups (Non-standard or modified)  
Confirm Internet speed/status - Upgrade if necessary  
Start initial Office 365 Migration  
Confirm Mailboxes to be migrated, converted to Distribution groups, deleted, etc. with the client  
Confirm Calendar permission configuration (Who is allowed to see who, All users access All calendars, etc.)  
Confirm Public Folder Status - If the total size of the Public folder is 20GB or less, transfer using the PST method (Scripted Migration is the preferred method) https://docs.microsoft.com/en-us/exchange/collaboration-exo/public-folders/batch-migration-of-legacy-public-folders  
Confirm total costs to client: Mailbox Licence p/user; Signature costs if offsite solution now required; Confirm users who require more than 50GB storage  
Discuss expected interruption to business and organise migration date. Ensure user expectations of interruptions are explained  
Obtain written go-ahead for installation to proceed  
Organise Office 365 licences  
Disable Password Expiry  
Confirm Installed Outlook Versions (Site visit or via TV)  
Confirm the current Patch status of all workstations (Site visit or via TV)  
Migration day  
Change MX record to send mail to Office 365 prior to site visit  
Remove Autodiscover details from Local Exchange: Set-ClientAccessServer -Identity yourservername -AutoDiscoverServiceInternalUri $null  
Stop Outlook connecting to the Old Exchange server
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover
     Add DWORD: ExcludeScpLookup      Set Value: 1
 
Confirm mail now flowing to Office 365  
Setup users who must have mail access to access the Office 365 web portal. Ensure that they know not to move mail into folders during the migration to reduce the chance of email duplication  
Start PST export on each workstation, or from Exchange Management console. If local, place either on "Outlook Files" or C:\Temp. Name file username_yyyymmdd.pst  
Once PST Backup is complete, change Autodiscover details in local and public DNS systems  
Run IPConfig /FLUSHDNS on the workstation prior to configuring the new Outlook Profile  
Perform IP Flush on Sophos router Network > DNS, Flush Cache  
Create a new Outlook profile and configure it for Office 365  
Connect additional PST files as required  
Setup Signature  
Close Outlook and edit/correct NK2 and Autostream files - Remove old Exchange entries  
Change SMTP details for Scanners, Printers, UPS systems, Backup Software, Phone systems  
   
Day after migration  
Site visit required by a primary technician for customer hand-holding and work completion - Second tech required if several items still need to be addressed  
Stop onsite Exchange services and set to manual  

 

2022-07-14 06:54
Jason Cole

Office 365 IMAP Exchange Migration Template

Stage Initial
Collect Mailbox Numbers & Sizes from the email control panel  
Collate a list of Distribution groups, alias or redirectors  
Confirm Internet speed/status - Upgrade if necessary  
Start initial Office 365 Migration using Office 365 online Migration Wizard  
Confirm Mailboxes to be migrated, converted to Distribution groups, deleted, etc. with the client  
Confirm Calendar permission configuration (Who is allowed to see who, All users access All calendars, etc.)  
Confirm total costs to client: Mailbox Licence p/user; Signature costs if offsite solution now required; Confirm users who require more than 50GB storage  
Discuss expected interruption to business and organise migration date. Ensure user expectations of interruptions are explained  
Obtain written go-ahead for installation to proceed  
Organise Office 365 licences  
Disable Password Expiry  
Confirm Installed Outlook Versions (Site visit or via TV)  
Confirm the current Patch status of all workstations (Site visit or via TV)  
Change current Outlook to use supplier/ISP domain mail details (e.g. change mail.domain.com to mail.bigpond.com)  
Migration day  
Change MX record to send mail to Office 365 prior to the site visit  
Confirm mail now flowing to Office 365  
Setup users who must have mail access to access the Office 365 web portal. Ensure that they know not to move mail into folders during the migration to reduce the chance of email duplication  
Start PST export on each workstation, or from the Exchange Management console. If local, place either on "Outlook Files" or C:\Temp. Name file username_yyyymmdd.pst. Check if Outlook is using additional PST files  
Once PST Backup is complete, change Autodiscover details on the public DNS systems  
Change the old mail server from "Local Mail Exchanger" to "Remote Mail exchanger"  
If having connection issues, run IPConfig /FLUSHDNS on the workstation prior to configuring the new Outlook Profile  
Perform IP Flush on Sophos router Network > DNS, Flush Cache  
Create a new Outlook profile and configure it for Office 365  
Connect additional PST files as required  
Import PST backup file  
Setup Signature  
Close Outlook and edit/correct NK2 and Autostream files - Remove old Exchange entries if any exist  
Change SMTP details for Scanners, Printers, UPS systems, Backup Software, Phone systems  
Day after migration  
Site visit required by the primary technician for customer hand-holding and work completion - Second tech required if several items still need to be addressed  
Organise cancellation of old POP accounts  

2022-07-14 06:56
Jason Cole

Office 365 Install/Update issue - Sophos

Issue: Office 365 does not install or update when Sophos web filtering is enabled

Solution:

  1. Log into Sophos UTM
  2. Go to Web Protection -> Filtering options
  3. Click New Exception List
  4. Configure the following
    1. Name: Microsoft Software CDN
    2. Select the following
      1. MIME type Blocking
      2. Antivirus
      3. Block by download size
      4. SSL Scanning
      5. Certificate trust check
      6. Do not display Download/Scan progress page
      7. Certificate date check
    3. For All requests select "Matching these URLs"
      1. Enter the following URLs
        • officecdn.microsoft.com.edgesuite.net
        • officecdn.microsoft.com
  5. Save the exception

2022-08-16 02:00
Jason Cole

Office 365 Message Encryption

Office 365 Email: Message Encryption and Security

By Rosemarie Withee, Ken Withee, Jennifer Reed

Before the explosion of cloud technologies such as Office 365, organizations had control over their data that resided within the perimeter of their on-premises data centres. The identity of the users, the devices they used, the applications they ran, and the company data were all confined within this perimeter and controlled by the IT team.

Nowadays, however, we operate in a boundary-less world. We check email from our personal devices, we do our work at the office or at home — or even at the beach — and we use cloud services outside the perimeter of an organization’s data centre. We do these things because we want to be productive, but sometimes this productivity can mean sacrificing security.

In Office 365, you can continue to do the things you do to be productive while at the same time stay secure. In Exchange Online (the technology driving your email), for example, you can encrypt your email so that only the intended recipients of the message will be able to read it. You can apply protection to your email so if it’s confidential, the email can only be read by people within your organization. If someone accidentally forwards or copies a recipient outside of the organization on an email marked confidential, that recipient will get the email but he or she won’t be able to read it.

These security features for protecting email are available through the Office 365 Message Encryption (OME) service.

Licensing requirements for Office 365 Message Encryption

Office 365 Message Encryption (OME) is part of the Office 365 subscriptions listed as follows. There is no need to purchase additional licenses for users when the following subscriptions are assigned to them:

  • Office 365 E3 and E5 (Enterprise)
  • Office 365 A1, A3, and A5 (Education)
  • Office 365 G3 and G5 (Government)
  • Enterprise Mobility + Security E3
  • Microsoft 365 E3

If a user’s license is not for any of these subscriptions, you can purchase a standalone subscription called Azure Information Protection Plan 1 for $2 per user per month to enable OME as long as the user’s current license is any one of the following subscriptions:

  • Exchange Online Plan 1 or Plan 2
  • Office 365 F1 or E1
  • Office 365 Business Premium or Business Essentials

Enabling Office 365 Message Encryption

If you’ve purchased Office 365 licenses with OME capabilities after February 2018, OME is automatically configured and your users can start using the service.

If you purchased Office 365 licenses prior to February 2018, you need to enable Azure Rights Management (Azure RMS) from the Office 365 portal. After enabling Azure RMS, Microsoft will automatically configure OME in your Office 365 tenant. Here are the steps to enable Azure RMS:

  1. Log on to the Office 365 portal with a Global Administrator account and then click the Admin icon.
  2. Click Settings from the menu on the left panel.
  3. Click Services & Add-ins and then select Microsoft Azure Information Protection from the list of services.
  4. Click Manage Microsoft Azure Information Protection settings from the pane.
    You will be asked to authenticate with your Office 365 credentials.
  5. In the Rights Management page, click the Activate button.
  6. Before closing the page, verify that the Rights Management Is Activated notification is displayed with the green check mark next to it.

Rights management is activated in Office 365.

Sending an encrypted email in Office 365

With OME enabled in your Office 365 tenant, users can immediately start sending encrypted emails to recipients within or outside the organization based on the default policies available in OME. Depending on your subscription and the functionalities Microsoft has rolled out, you will find two or more pre-configured encryption policies. The two default policies in the Office 365 E3 or the Azure Information Protection Plan 1 subscriptions available are Encrypt and Do Not Forward.

To apply these policies to an email using the Outlook desktop app, follow these steps:

  1. In the Outlook desktop application, compose a new email and add the recipients.
  2. From the ribbon, click Options.
  3. Click the Permission button and then select the appropriate encryption policy.
  4. Click Send to send your email.

To apply these policies to an email in Outlook Online, follow these steps:

  1. Compose a new email and add the recipients.
  2. From the ribbon, click Protect.
  3. Click Change Permissions from the notification bar to display the available options and then select the appropriate encryption policy.
  4. Click Send to send your email.

Using the Encrypt policy

When you use the Encrypt policy, the email message will be encrypted on its way to the recipient. Once it reaches the recipient, the message will be decrypted so that it’s readable.

Using the Encrypt policy does not prevent the recipient from forwarding the email to someone else. The recipient can print out the email, post it on social media, or frame it on his or her wall. If additional protection is required, the Global Admin for the Office 365 Portal will need to create custom policies.

Currently, Outlook Online, Outlook for iOS, and Outlook for Android will automatically display the decrypted message on the screen. For other email applications, the email will provide a link to allow the recipient to read the decrypted message. There are plans underway to expand the list of supported applications in the near future including the Outlook desktop application, which is currently in preview.

Reading an encrypted message in non-supported apps.

Using the Do Not Forward policy

The Do Not Forward policy also encrypts the email message on its way to the recipient, but it has an additional policy restricting the recipients from forwarding the email to someone else. If any of the recipients forward the email to others, new recipients who try to open the email will get a message saying that they don’t have permission to view the message.

Do Not Forward policy error message.

Making Outlook and Office 365 work for you

As a cloud service, Office 365 has intelligent experiences designed to help you prioritize work so you can be productive. Built-in AI in Outlook allows you to re-focus your energy on what’s important. And when Outlook misbehaves, there is a built-in tool to help you troubleshoot common Outlook issues without the need to engage your support team.

Filtering out the noise with Focused Inbox

Exchange Online in Office 365 has built-in spam and spoof filters that block known unwanted and malicious emails from reaching your mailbox. Yet even with filters, our mailboxes can still end up being bloated with an email from the pizza place, our cable provider, and our favourite shopping site. When you’re trying to be productive, it’s easy to get distracted by legitimate but unimportant emails.

The Outlook desktop application and Outlook Online come with a functionality called Focused Inbox to address that challenge. Focused Inbox helps with mailbox management by acting as an automatic sorter that puts all your important emails into the Focused tab and the less important ones in the Other tab.

The Focused Inbox.

Built-in AI in Office 365 determines what email goes into what tab. Email from the contacts you interact with a lot will go to the Focused tab while bulk email from your shopping site will go to the Other tab to filter out the noise. You can also train the AI to fine-tune the categorization by moving email that ends up in the wrong tab. The more you train the AI, the better it will learn your behaviours to ensure that your inbox feels just right for you.

Diagnosing common Outlook problems with SARA

One of the advantages Microsoft has in running cloud services is its access to error logs and signals from the devices and users interacting with the system. Those logs and signals are transmitted to Microsoft databases where they are monitored and analyzed. Based on those insights, Microsoft is able to improve its service or create self-service solutions for customers.

SARA is short for Support and Recovery Assistant, a diagnostics tool built into Outlook. It’s a handy tool that automatically fixes common errors users have encountered in Office 365, such as Outlook problems, Office installations, and more.

Common Outlook problems SARA can troubleshoot.

If you are experiencing any of these issues and want to run SARA, follow these steps:

  1. In the Outlook desktop application, click File from the ribbon.
  2. From the backstage left panel, click Support.
  3. Click Support Tool to install SARA.
    This action will connect to the Office 365 systems and will download the tool.
  4. Once the tool finishes downloading and starts running, follow the prompts based on the issue you are trying to resolve.
    Depending on your issue, the process could take a few minutes to half an hour.

About the Book Author

Rosemarie Withee is President of Portal Integrators and Founder of Scrum Now with offices in Seattle, WA and Laguna, Philippines. Ken Withee is a Microsoft Certified Technology Specialist in SharePoint, SQL Server, and .NET. Jennifer Reed is a Microsoft Certified Professional in Office 365 Administration and founder of Cloud611.

Source: https://www.dummies.com/software/microsoft-office/office-365-email-message-encryption-and-security/

2022-07-14 07:01
Jason Cole

Office 365 POP Exchange Migration Template

Stage Initial
Collect Mailbox Numbers & Sizes from the mail control panel  
Collate list of Distribution groups, alias or redirectors  
Confirm Internet speed/status - Upgrade if necessary  
Confirm Mailboxes to be migrated, converted to Distribution groups, deleted, etc. with client  
Confirm Calendar permission configuration (Who is allowed to see who, All users access All calendars, etc.)  
Confirm total costs to client: Mailbox Licence p/user; Signature costs if offsite solution now required; Confirm users who require more than 50GB storage  
Discuss expected interruption to business and organise migration date. Ensure user expectations of interruptions are explained  
Obtain written go ahead for installation to proceed  
Organise Office 365 licences  
Disable Password Expiry  
Confirm Installed Outlook Versions (Site visit or via TV)  
Confirm current Patch status of all workstations (Site visit or via TV)  
Change current Outlook to use supplier/ISP domain mail details (e.g. change mail.domain.com to mail.bigpond.com)  
Migration day  
Change MX record to send mail to Office 365 prior to the site visit  
Confirm mail now flowing to Office 365  
Setup users who must have mail access to access the Office 365 web portal. Ensure that they know not to move mail into folders during the migration to reduce the chance of email duplication  
Start PST export on each workstation, or from Exchange Management console. If local, place either on "Outlook Files" or C:\Temp. Name file username_yyyymmdd.pst  
Once PST Backup is complete, change Autodiscover details on the public DNS systems  
Change the old mail server from "Local Mail Exchanger" to "Remote Mail exchanger"  
If having connection issues, run IPConfig /FLUSHDNS on the workstation prior to configuring the new Outlook Profile  
Perform IP Flush on Sophos router Network > DNS, Flush Cache  
Create a new Outlook profile and configure it for Office 365  
Connect additional PST files as required  
Import PST backup file  
Setup Signature  
Close Outlook and edit/correct NK2 and Autostream files - Remove old Exchange entries if any exist  
Change SMTP details for Scanners, Printers, UPS systems, Backup Software, Phone systems  
Day after migration  
Site visit required by the primary technician for customer hand-holding and work completion - Second tech required if several items still need to be addressed  
Organise cancellation of old POP accounts  

2022-07-14 07:04
Jason Cole

Bulk change Microsoft 365 Licences

If you have a text file with a list of User Principal Names (UPNs) that you want to change, you can use a PowerShell script to read the file and change the licenses for each user. Here’s an example:

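# Connect to your Microsoft 365 tenant.
# Set-MsolUserLicense belongs to the MSOnline module, so connect with Connect-MsolService.
Connect-MsolService

# Define the SKU IDs for the E3 and E5 licenses (Get-MsolAccountSku lists the IDs in your tenant)
$e3License = "contoso:ENTERPRISEPACK"
$e5License = "contoso:ENTERPRISEPACK_E5"

# Read the UPNs from the file, trimming whitespace and skipping blank lines
$upns = Get-Content -Path "C:\temp\e3_users.txt" |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ }

# Loop through each UPN and change the license
foreach ($upn in $upns) {
    try {
        # -ErrorAction Stop turns a failed change into an exception we can report
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $e5License -RemoveLicenses $e3License -ErrorAction Stop
        Write-Output "Licence changed: $upn"
    }
    catch {
        # Report the failure and carry on with the remaining users
        Write-Warning "Licence change failed for ${upn}: $($_.Exception.Message)"
    }
}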

In this script, replace "contoso:ENTERPRISEPACK_E5" and "contoso:ENTERPRISEPACK" with the actual SKU IDs of your E5 and E3 licenses respectively.
Also, ensure that you have enough E5 licenses available in your tenant before running this script.

This script assumes that the file at C:\temp\e3_users.txt contains one UPN per line.
If your file is formatted differently, you may need to adjust the Get-Content command accordingly.
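
A pre-flight check for the two conditions noted above (enough E5 licences, one UPN per line), written as an added example that is not part of the original script. The function name, the `contoso.example` users and their licence data are constructed for illustration; the commented lines show where the same inputs would come from in a live tenant via the MSOnline module.

```powershell
# Added example: decide which users can be swapped before touching any licence.
# The function only inspects the data passed in, so it runs without a tenant.
function Get-LicenceSwapPlan {
    param(
        [string[]]  $UpnLines,      # raw lines from the UPN file
        [hashtable] $UserLicences,  # UPN -> AccountSkuId strings the user holds
        [int]       $AvailableE5,   # unassigned E5 units
        [string]    $E3Sku,
        [string]    $E5Sku
    )
    $seen = @{}                     # hashtable literals compare keys case-insensitively
    $rows = foreach ($line in $UpnLines) {
        $upn = "$line".Trim()
        if (-not $upn) { continue } # ignore blank lines
        $reason = ''
        if     ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $reason = 'not a valid UPN' }
        elseif ($seen.ContainsKey($upn))                     { $reason = 'duplicate entry' }
        elseif (-not $UserLicences.ContainsKey($upn))        { $reason = 'user not found' }
        elseif ($UserLicences[$upn] -contains $E5Sku)        { $reason = 'already holds E5' }
        elseif ($UserLicences[$upn] -notcontains $E3Sku)     { $reason = 'does not hold E3' }
        $seen[$upn] = $true
        [pscustomobject]@{
            Upn    = $upn
            Action = if ($reason) { 'Skip' } else { 'Swap' }
            Reason = $reason
        }
    }
    $rows   = @($rows)
    $needed = @($rows | Where-Object { $_.Action -eq 'Swap' }).Count
    [pscustomobject]@{
        Rows      = $rows
        Needed    = $needed
        Available = $AvailableE5
        Shortfall = [Math]::Max(0, $needed - $AvailableE5)
    }
}

$e3 = 'contoso:ENTERPRISEPACK'
$e5 = 'contoso:ENTERPRISEPACK_E5'

# Constructed sample input standing in for C:\temp\e3_users.txt
$lines = @(
    'alice@contoso.example', '  bob@contoso.example ', '',
    'ALICE@contoso.example', 'carol@contoso.example',
    'not-a-upn', 'dave@contoso.example', 'erin@contoso.example'
)

# Constructed licence data. In a live tenant (after Connect-MsolService):
#   $licences[$upn] = (Get-MsolUser -UserPrincipalName $upn).Licenses.AccountSkuId
#   $sku            = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $e5 }
#   $availableE5    = $sku.ActiveUnits - $sku.ConsumedUnits
$licences = @{
    'alice@contoso.example' = @($e3)
    'bob@contoso.example'   = @($e3, 'contoso:OTHER_SKU')   # OTHER_SKU is a placeholder
    'carol@contoso.example' = @($e5)
    'dave@contoso.example'  = @()
}
$availableE5 = 1

$plan = Get-LicenceSwapPlan -UpnLines $lines -UserLicences $licences `
    -AvailableE5 $availableE5 -E3Sku $e3 -E5Sku $e5

$plan.Rows | Format-Table -AutoSize
if ($plan.Shortfall -gt 0) {
    Write-Warning "Need $($plan.Needed) E5 licences, only $($plan.Available) free. Do not run the swap yet."
}
```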

2023-11-03 07:39
Jason Cole

Azure

Sophos XG Firewall v18 to Azure VPN Gateway IPSEC Connection

Step 1: Create Azure Local Network Gateway (with XG public IP details)

The local network gateway typically refers to your on-premises location. You'll need the public IP address of your On-Prem Sophos XG firewall and your On-Prem Private IP address spaces.

Please note that this configuration assumes that the public IP address is directly configured on the On-Prem XG firewall. Your configuration will be slightly different if your On-Prem XG firewall sits behind a NAT device.

  1. Go to the Azure Portal: https://portal.azure.com and sign in with your credentials.
  2. Click on "Create a resource".
  3. In the search box, type "Local Network Gateway".
  4. Select "Local Network Gateway" and click on "Create".
  5. In the "Create local network gateway" blade, configure the following and then click on "Create":

    • Name: On_Premises_Sophos_XG_Firewall (You can give this any preferred name).
    • Endpoint: IP address
    • IP address: Specify the public IP address of your Sophos XG firewall.
    • Address space: Specify the address ranges for the network that your On-Prem local network represents. In our scenario, this is 10.100.0.0/16.
    • Subscription: Verify that the correct subscription is selected for the deployment.
    • Resource Group: Select the resource group that you want to use. You can either create a new resource group or select an existing one.
    • Location: Select the location that this object will be created in.

Step 2: Create a Gateway Subnet

The VPN gateway will be deployed into a specific subnet of your network called the 'GatewaySubnet'. The size of the GatewaySubnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a GatewaySubnet as small as /29, it is recommended to create a larger subnet that includes more addresses by selecting /27 or /28 to be able to accommodate future configurations.

  1. In the Azure Portal: https://portal.azure.com, click on "More Services".
  2. In the search box, type "Virtual Networks" and select the "Virtual Networks" option.
  3. Click on the virtual network for which you want to create a virtual network gateway.
  4. In the "Virtual networks" blade, under "Settings", click on "Subnets".
  5. In the "Subnets" blade, click on "+ Gateway subnet" to add a new Gateway subnet.
  6. In the "Add Subnet" blade, configure the CIDR range of the new Gateway subnet and click "Save". In our scenario, this is 10.1.1.0/24.

Step 3: Create the VPN Gateway

  1. In the Azure Portal: https://portal.azure.com, click on "Create a resource".
  2. In the search box, type "Virtual network gateway".
  3. Select "Virtual network gateway" and click on "Create".
  4. In the "Create virtual network gateway" blade, configure the following:

    • Subscription: Verify that the correct subscription is selected for the deployment.
    • Instance details
      • Name: This will be the name of the gateway object you are creating.
      • Region: Select the same location as your virtual network (Otherwise the virtual network will not be displayed on the list).
      • Gateway type: VPN
      • VPN type: Route-based (this is a MUST to be able to use IKEv2).
      • SKU: Select the gateway SKU from the dropdown. For more information about gateway SKUs, see Gateway SKUs.
      • Generation: Generation 1
      • Virtual network: Choose the virtual network to which you want to add this gateway (if the virtual network that you want is not displayed on the list, verify that you have selected the right location in the "Region" parameter above).
    • Public IP address:
      • Public IP address: Create New
      • Public IP address Name: Enter a Name for the public IP address resource.
      • Leave other settings as default.
      • Click on "Review + Create"
      • Click on "Create"
      • Creating a gateway can take up to 45 minutes!
  5. After the VPN gateway creation has completed successfully, obtain its public IP address (this will be needed in step 5).
    • In the Azure Portal, click on "More services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
    • Click on the VPN Gateway that you just created.
    • In the "VPN Gateway" blade, in the "Overview" section, make a note of the public IP address of the gateway.
    • This will be used in step 5.

Step 4: Create the VPN connection (Azure)

  1. In the Azure Portal: https://portal.azure.com, click on "More Services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
  2. Select the VPN gateway that you created earlier.
  3. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then click on "+ Add".
  4. In the "Add connection" blade, configure the following:
    • Name: Sophos_Xg_OnPrem_To_Azure (Input your preferred name)
    • Connection type: Site-to-site (IPSec)
    • Virtual network gateway: The value is fixed because you are connecting from this gateway
    • Local network gateway
      • Click "Choose a local network gateway".
      • In the "Choose a local network gateway" blade, select the local network gateway that you created earlier.
    • Shared key (PSK): Input a complex shared key. The value here must match the value that we will use on our on-premises Sophos XG firewall.
    • IKE Protocol: IKEv2
    • The remaining values for Subscription, Resource Group, and Location are fixed.
    • Click OK to create your connection. You'll see Creating Connection flash on the screen.
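
The shared key from this step is typed into both the Azure connection and the Sophos XG IPsec connection in Step 6, so it is worth generating rather than inventing. The following is an added example, not part of the original walkthrough; the function name, the 64-character default and the alphanumeric-only alphabet (chosen so neither device has to cope with special characters) are assumptions.

```powershell
# Added example: generate a pre-shared key from the OS cryptographic RNG.
function New-VpnPreSharedKey {
    param(
        [ValidateRange(32, 128)]
        [int] $Length = 64
    )

    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'

    # Rejection sampling: discard bytes at or above the largest multiple of the
    # alphabet size, so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 64
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            foreach ($b in $buf) {
                if ($b -ge $limit) { continue }
                [void]$sb.Append($alphabet[$b % $alphabet.Length])
                if ($sb.Length -eq $Length) { break }
            }
        }
    }
    finally {
        $rng.Dispose()
    }
    $sb.ToString()
}

# Generate once, then paste the same value into the Azure connection (Step 4)
# and the Sophos XG "Preshared key" field (Step 6).
$psk = New-VpnPreSharedKey -Length 64
"Generated a $($psk.Length)-character key"
$psk
```

Store the key in a password manager rather than in the ticket or in the downloaded configuration notes.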

Step 5: Download and extract needed information from the configuration file (Azure)

  1. In the Azure Portal: https://portal.azure.com, click on "More services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
  2. Select the VPN gateway that you created earlier.
  3. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then select the connection that you created earlier.
  4. Click on the "Download configuration" button. This configuration file contains the needed information to configure the VPN connection on the XG Firewall.
  5. In the "Download configuration" blade, select the following:
    • Device vendor: Generic Samples
    • Device family: Device Parameters
    • Firmware version: 1.0
    • Click on "Download configuration".
  6. Open the downloaded file and make a note of the following:
    • Scroll down to the "Tunnel interface (VTI) configuration" section.
    • Make a note of the interface tunnel IP address and subnet mask
    • Also, make a note of the MSS value.
    • Both values will be needed for the configuration of the "xfrm tunnel interface" on the Sophos XG.

Step 6: Create the VPN connection (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG firewall.
  2. Under "Configure", click on "VPN" → "IPSEC Connections" → "Add".
  3. Configure the following settings:
    • General Settings
      • Name: Input any preferred name.
      • Connection type: Tunnel interface
      • IP version: Dual
      • Gateway type: Initiate
      • Activate on save: Selected
      • Description: Add a description for the connection.
    • Encryption
      • Policy: Microsoft Azure
      • Authentication Type: Preshared key
      • Preshared key: Enter the same preshared key that you entered when creating the VPN connection on Azure.
      • Repeat preshared key: Confirm the above preshared key.
    • Gateway settings
      • Listening interface: Select the WAN interface of the Sophos XG Firewall.
      • Gateway address: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
      • Local ID: IP Address
      • Remote ID: IP Address
      • Local ID: Enter the public IP of the OnPrem Sophos XG firewall.
      • Remote ID: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
      • There is no option to configure the "Local Subnet" and "Remote Subnet". They will both be set to "0.0.0.0/0".
    • Advanced
      • Leave default settings.
    • Click "Save".
    • Click "OK" when prompted about the "Preshared key".
    • The connection should now be active. Click on the "red" button under Connection to enable the connection.

    • When prompted if you're sure that you want to connect, click "OK".

Step 7: Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
  2. Under "Protect", click on "Rules and policies" → "Add firewall rule" → "New firewall rule".
  3. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:
    • Rule status: None
    • Rule name: azure_to_onprem
    • Action: Accept
    • Rule position: Top
    • Rule group: None
    • Log firewall traffic: Selected
    • Source
      • Source zones: LAN and VPN
      • Source networks and devices: Any
      • During scheduled time: Leave default setting
    • Destination & services
      • Destination zones: LAN and VPN
      • Destination networks: Any
      • Services: Any
    • Leave other settings as default.
      • You can configure the security checks of the XG for the traffic if you want to.
    • Click on "Save".

Step 8: Configure the xfrm tunnel interface (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
  2. Under "Configure", click on "Network" → under "Interfaces", click on the xfrm interface.



  3. In the "Network" configuration window, configure the following:
    • IPv4/netmask: Enter the IP address and select the subnet mask that you made a note of in Step 5 (6).
    • Expand "Advanced settings".
      • Select "Override MSS" and enter the MSS value that you made a note of in Step 5 (6).
    • Click on "Save"



    • In the "Update interface" prompt, click "Update interface".

Step 9: Configure static routing to the Azure network (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
  2. Under "Configure", click on "Routing" → under "Static Routing", click on "Add".
  3. In the "Add unicast route" window, configure the following:
    • Destination IP/Netmask: Enter the network IP and subnet mask of your Azure virtual network.
    • Gateway: You can either leave this empty
      • OR enter the second IP address in the network that you made a note of in Step 5 (6). For example, the XG's tunnel interface in my case is "169.254.0.1" in a "/30" network so the only other IP in that network is "169.254.0.2". I can enter this if I choose.
    • Interface: Select the XG's xfrm tunnel interface.
    • Distance: Leave default setting.
    • Click on "Save"

Step 10: Verify the VPN connection

  1. Do a connectivity test from an on-premise instance to an Azure VM.



  2. Do a connectivity test from an Azure VM to an on-premise instance.



  3. In the Azure Portal: https://portal.azure.com, go to "Virtual network gateways" and select the virtual network that you connected to.
  4. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections".
  5. In the "VPN Gateway - Connections" blade, ensure that the status of the connection is "Connected"



  6. Click on the connection and ensure that you're seeing data flow.
    • Seeing 0 B doesn't mean that the connection is not working; it just means that there's no data flow detected on the Azure side.

Things to watch out for

  1. Network Security Groups in Azure
    • If there's a network security group that's configured to block the ports that you're attempting to connect on, this will cause issues.
  2. Route Table configuration in Azure
    • By default, the VPN Gateway automatically advertises the VPN subnets to the vNet route tables but watch out if you have user-defined routes that could override this.

Source: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/126356/sophos-xg-firewall-v18-to-azure-vpn-gateway-ipsec-connection

 

2025-02-11 05:27
Jason Cole

Add additional S2S connections to a VNet: Azure portal

Prerequisites

Verify the following items:

  • You are NOT configuring a new coexisting ExpressRoute and VPN Gateway Site-to-Site connection.
  • You have a virtual network that was created using the Resource Manager deployment model with an existing connection.
  • The virtual network gateway for your VNet is RouteBased. If you have a PolicyBased VPN gateway, you must delete the virtual network gateway and create a new VPN gateway as RouteBased.
  • None of the address ranges overlap for any of the VNets that this VNet is connecting to.
  • You have a compatible VPN device and someone who is able to configure it. See About VPN Devices. If you aren't familiar with configuring your VPN device, or are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you.
  • You have an externally facing public IP address for your VPN device.

Configure a connection

  1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.

  2. Select All resources and locate your virtual network gateway from the list of resources and select it.

  3. On the Virtual network gateway page, select Connections.

  4. On the Connections page, select +Add.

  5. This opens the Add connection page.

  6. On the Add connection page, fill out the following fields:

    • Name: The name you want to give to the site you are creating the connection to.
    • Connection type: Select Site-to-site (IPsec).

Add a local network gateway

  1. For the Local network gateway field, select Choose a local network gateway. This opens the Choose local network gateway page.

  2. Select + Create new to open the Create local network gateway page.

  3. On the Create local network gateway page, fill out the following fields:

    • Name: The name you want to give to the local network gateway resource.
    • Endpoint: The public IP address of the VPN device on the site that you want to connect to, or the FQDN of the endpoint. If you want to create a connection to another VPN gateway, you can use the IP address of the other gateway in this field.
    • Address space: The address space that you want to be routed to the new local network site.
  4. Select OK on the Create local network gateway page to save the changes.

Add the shared key

  1. After creating the local network gateway, return to the Add connection page.
  2. Complete the remaining fields. For the Shared key (PSK), you can either get the shared key from your VPN device, or make one up here and then configure your VPN device to use the same shared key. The important thing is that the keys are exactly the same.

Create the connection

  1. At the bottom of the page, select OK to create the connection. The connection begins creating immediately.
  2. Once the connection completes, you can view and verify it.

View and verify the VPN connection

In the Azure portal, you can view the connection status of a VPN gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal menu, select All resources or search for and select All resources from any page.

  2. Select your virtual network gateway.

  3. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.

  4. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks.

Source: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-multi-site-to-site-resource-manager-portal

2022-09-05 08:50
Jason Cole

Microsoft Graph PowerShell SDK

Open PowerShell and prepare for installation

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

Ensure the following PowerShell modules are installed.

# Install Microsoft.Graph module
Install-Module Microsoft.Graph -Scope CurrentUser

# Install Microsoft.Graph.Beta module
Install-Module Microsoft.Graph.Beta -Scope CurrentUser

# Install Microsoft.Graph.Authentication module
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser 

Connect to Microsoft.Graph

Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All","Organization.Read.All"

Source: Install the Microsoft Graph PowerShell SDK | Microsoft Learn
Source: Get started with the Microsoft Graph PowerShell SDK | Microsoft Learn

2023-11-07 01:48
Jason Cole

Change Office 365 licences CLI

In this example, we are changing from E3 to E5 licences for a list of users

Connect to your Microsoft 365 tenant using Microsoft Graph
https://wiki.jraustralia.com/index.php?action=faq&cat=2&id=92&artlang=en

Create a file called C:\temp\e3_users.txt with a single line for every user UPN who is moving to an E5 licence.

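Note:

You need to replace "ENTERPRISEPACK" and "ENTERPRISEPACK_E5" with the licence names (SkuPartNumber) used in your tenant. Microsoft Graph identifies a licence by its SkuId (a GUID), so the script looks the SkuId up from the licence name instead of using the older "TenantName:ENTERPRISEPACK" form.
To confirm which tenant you are connected to run: Get-MgOrganization | ft DisplayName
To list available licence names run: Get-MgSubscribedSku | ft SkuPartNumber


# Changing licences needs the User.ReadWrite.All scope on the Connect-MgGraph session

# Look up the SKU IDs (GUIDs) for the E3 and E5 licenses by licence name
$e3License = (Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq "ENTERPRISEPACK").SkuId
$e5License = (Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq "ENTERPRISEPACK_E5").SkuId
if (-not $e3License -or -not $e5License) { throw "Licence name not found in this tenant" }

# Read the UPNs from the file, skipping blank lines
$upns = Get-Content -Path "C:\temp\e3_users.txt" | Where-Object { $_.Trim() }

# Loop through each UPN and change the license
foreach ($upn in $upns) {
    # Remove the E3 license (-AddLicenses and -RemoveLicenses must both be supplied)
    Set-MgUserLicense -UserId $upn -AddLicenses @() -RemoveLicenses @($e3License) -Confirm:$false

    # Add the E5 license
    Set-MgUserLicense -UserId $upn -AddLicenses @(@{SkuId = $e5License}) -RemoveLicenses @() -Confirm:$false
}

You can combine the commands to add and remove a licence in one go
Set-MgUserLicense -UserId $upn -AddLicenses @(@{SkuId = $e5License}) -RemoveLicenses @($e3License) -Confirm:$false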

2023-11-07 02:12
Jason Cole

Conditional Access for Expired AD Users

This article describes two methods to block access for expired Active Directory (AD) accounts using Microsoft Entra ID.


Option 1: Conditional Access Based on a Synced Attribute

Step 1: Tag Expired Users in Active Directory

Use the following PowerShell script to mark expired accounts by setting extensionAttribute1 to "Expired":

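Get-ADUser -Filter * -Properties accountExpires | Where-Object {
    # 0 and 9223372036854775807 both mean "never expires"; FromFileTime fails on the latter
    $_.accountExpires -ne 0 -and $_.accountExpires -ne [int64]::MaxValue -and
    ([datetime]::FromFileTime($_.accountExpires) -lt (Get-Date))
} | ForEach-Object {
    Set-ADUser $_ -Replace @{extensionAttribute1="Expired"}
}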

Step 2: Sync the Attribute to Microsoft Entra ID

  1. Open Entra Connect Sync Rules Editor.
  2. Create a new Inbound Sync Rule:
    • Name: Sync extensionAttribute1
    • Connected System: Active Directory
    • Connected System Object Type: user
    • Metaverse Object Type: person
    • Link Type: Join
    • Precedence: Higher than default rules
  3. Add a Transformation:
    • FlowType: Direct
    • Source: extensionAttribute1
    • Target Attribute: extensionAttribute1
  4. Run a full sync using PowerShell:
    Start-ADSyncSyncCycle -PolicyType Initial
    

Step 3: Create a Conditional Access Policy

  1. Go to Microsoft Entra admin center → Protection → Conditional Access.
  2. Click New policy.
  3. Name the policy: Block Expired Users.
  4. Configure Assignments:
    • Users: All users or a specific group
    • Cloud apps: All apps or specific ones (e.g., RDS)
  5. Set Conditions:
    • Filter for users:
      user.extensionAttribute1 -eq "Expired"
      
  6. Configure Access controls:
    • Grant: Block access
  7. Enable the policy.

Option 2: Dynamic Group + Conditional Access

Step 1: Tag and Sync Expired Users

Use the same PowerShell script and sync rule from Option 1.

Step 2: Create a Dynamic Group in Entra ID

  1. Go to Microsoft Entra admin center → Groups → New group.
  2. Set the following:
    • Group type: Security
    • Membership type: Dynamic User
    • Name: Expired AD Users
  3. Add a Dynamic Membership Rule:
    (user.extensionAttribute1 -eq "Expired")
    

Step 3: Create a Conditional Access Policy

  1. Go to Conditional Access → New policy.
  2. Name the policy: Block Expired Users via Group.
  3. Configure Assignments:
    • Users: Select the group Expired AD Users
    • Cloud apps: All or specific apps
  4. Configure Access controls:
    • Grant: Block access
  5. Enable the policy.

PowerShell Script Reference

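Get-ADUser -Filter * -Properties accountExpires | Where-Object {
    # 0 and 9223372036854775807 both mean "never expires"; FromFileTime fails on the latter
    $_.accountExpires -ne 0 -and $_.accountExpires -ne [int64]::MaxValue -and
    ([datetime]::FromFileTime($_.accountExpires) -lt (Get-Date))
} | ForEach-Object {
    Set-ADUser $_ -Replace @{extensionAttribute1="Expired"}
}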
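
The tagging script above only ever sets the attribute, so an account whose expiry date is later extended stays tagged and stays blocked. A reconciling version follows as an added example (not part of the original article); it assumes any value other than "Expired" in extensionAttribute1 belongs to something else and must be left alone, and the function names Test-AccountExpired and Sync-ExpiredTag are hypothetical.

```powershell
# Added example: keep extensionAttribute1 in step with the real expiry state.
# Requires the ActiveDirectory module and rights to write user attributes.
Import-Module ActiveDirectory

function Test-AccountExpired {
    param([long]$AccountExpires, [datetime]$Now = (Get-Date))
    # 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires";
    # [datetime]::FromFileTime() throws on the second value.
    if ($AccountExpires -eq 0 -or $AccountExpires -eq [long]::MaxValue) { return $false }
    return ([datetime]::FromFileTime($AccountExpires) -lt $Now)
}

function Sync-ExpiredTag {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SearchBase)   # optional OU to limit the run to

    $query = @{ Filter = '*'; Properties = 'accountExpires', 'extensionAttribute1' }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    foreach ($user in Get-ADUser @query) {
        $expired = Test-AccountExpired -AccountExpires $user.accountExpires
        $current = $user.extensionAttribute1
        $action  = 'None'

        if ($expired -and -not $current) {
            # Expired and untagged: set the tag the Conditional Access rule keys on.
            if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Tag as Expired')) {
                Set-ADUser -Identity $user -Replace @{ extensionAttribute1 = 'Expired' }
            }
            $action = 'Tagged'
        }
        elseif ($expired -and $current -ne 'Expired') {
            # The attribute is in use for something else: report it, do not overwrite.
            Write-Warning "$($user.SamAccountName): extensionAttribute1 already holds '$current'; not overwritten."
            $action = 'Skipped'
        }
        elseif (-not $expired -and $current -eq 'Expired') {
            # Expiry was extended or removed: clear the stale tag so access is restored.
            if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Clear Expired tag')) {
                Set-ADUser -Identity $user -Clear extensionAttribute1
            }
            $action = 'Cleared'
        }

        if ($action -ne 'None') {
            [pscustomobject]@{ User = $user.SamAccountName; Action = $action }
        }
    }
}

# Preview the planned changes first; drop -WhatIf to apply them.
Sync-ExpiredTag -WhatIf
```

Run it on a schedule ahead of the Entra Connect sync so that both newly expired and re-enabled accounts reach the policy on the next cycle.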

2025-07-09 04:20
Jason Cole

Azure - Azure AD

AzureAD Disable Security Defaults

  • Log into the 365 Admin Portal
  • From the left menu select "Azure Active Directory admin center"
  • From the left menu Select "Azure Active Directory"
  • Select "Properties" from the next menu
  • Click on "Manage Security defaults"
  • Change "enable Security defaults" to "NO"

2022-06-29 04:25
Jason Cole

Migrate Domain Joined to Azure AD

Well, there is a tool from ForensIT that migrates your machine and its user profile residing on the local machine from domain or local to Azure AD join. You will need to create a deployment package using the wizard it provides, and at the end it will create an .exe file. Deploy that .exe file either through GPO or through SCCM, whichever works for you. Now, one thing here is that the wizard asks at one point for a provisioning package (.ppkg) file; this .ppkg file can be created using the Windows Configuration Designer tool. Basically you will be able to automate the whole process, even joining the machine to Azure AD. So download the Windows Configuration Designer tool (it's free from MS and available in the Windows Store) and follow the wizard, which is very easy. At the end you will have a .ppkg file. Use this file in the ForensIT tool when it asks you to provide it at some point in the wizard. At the end, you will have the .exe and all is good.

When this .exe is run:

  • It will migrate the domain profile to the Azure AD user profile such that all the settings, apps and desktop data stay as-is.
  • It will disjoin the machine from the local AD.
  • It will auto-join the machine to Azure AD using the provisioning package you created using WCD.
  • You will need to reboot the machine twice.

That's it, and you will have your machine fully Azure AD joined with user profile and data intact!

Source: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad/device-migration-from-on-prem-ad-to-azure-ad/m-p/1165192/page/2

2022-11-16 08:21
Jason Cole

Windows

BGInfo Notes

@Echo off
 
C:\Support\Software\BGInfo\BGInfo.exe C:\Support\Software\BGInfo\BGINFO.bgi /Timer:0 /Silent /NoLicPrompt
 
EXIT


Correct Multiple monitor issues

Add this registry item

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Value Name: {Path}\BGInfo.exe ← change path to suit location of BGInfo

Value type: REG_SZ

Value data: ~ HIGHDPIAWARE

-----------------------------------------

ISSUE: High Resolution Screen not adjusting wallpaper as required, which led me to this KB:

Disable DPI virtualization for the application.

To do this, right-click the application’s shortcut and then click Properties.

On the Compatibility tab, select Disable Display Scaling On High DPI Settings, and then click OK.

https://support.microsoft.com/en-us/kb/2900023

'You still have to get into the Background settings and change Wallpaper Position to Stretch, or else I think it will centre the wallpaper, but it gets rid of the autonomous tiling behavior for me.'


Computername: <Host Name>

CPU: <CPU>

Memory: <Memory>

Free Space: <Free Space>

OS Version: <OS Version> - <OS Release>

User Name: <Logon Domain>\<User Name>

Supplied by IT Support


OS Version Detection

Pre 1909

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ReleaseID

Post 1909

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion

 

2022-06-29 04:27
Jason Cole

Common Support Folder Setup

Create a folder on C: Drive called Support

  1. Change security
    1. Disable Inheritance
    2. Setup users to Full access
  2. Share folder as Support
    1. Full Access for Everyone
  3. Create sub folders
    1. Logs
    2. Software
    3. Scripts

Logs folder to contain Logs from Scripts etc.

Software folder contains software packages we use

This can become, or be replaced by a general 'Installs' folder

Scripts folder contains all scripts we use, within their own folder to reduce confusion

Run below to create the above structure automatically on C Drive

(Hint: Copy all and paste in elevated CMD window)

 

MKDIR C:\Support\Logs\Logon\Users
MKDIR C:\Support\Logs\Logon\Computers
MKDIR C:\Support\Logs\Mapping
MKDIR C:\Support\Logs\LocalLogon
MKDIR C:\Support\Software
MKDIR C:\Support\Scripts
ICACLS C:\Support /grant:R "Administrators":F /inheritance:e
ICACLS C:\Support /grant "Authenticated Users":F
ICACLS C:\Support /grant "Support":F
ICACLS C:\Support /inheritance:d
NET SHARE Support=C:\Support /grant:everyone,FULL
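
The commands above grant Authenticated Users Full control on C:\Support and Everyone Full on the share, so any user can change the scripts and installers that other users run. A tighter variant of the same layout follows as an added example (not part of the original article); it assumes users only need to read Scripts and Software and to write under Logs, and the function name Get-NonAdminWriteAce is hypothetical.

```powershell
# Added example, not the wiki's script. Run from an elevated PowerShell session.
$root    = 'C:\Support'
$folders = 'Logs\Logon\Users', 'Logs\Logon\Computers', 'Logs\Mapping',
           'Logs\LocalLogon', 'Software', 'Scripts'
foreach ($f in $folders) {
    New-Item -ItemType Directory -Path (Join-Path $root $f) -Force | Out-Null
}

# Well-known SIDs keep the ACL independent of the OS display language.
$admins = '*S-1-5-32-544'   # BUILTIN\Administrators
$system = '*S-1-5-18'       # NT AUTHORITY\SYSTEM
$users  = '*S-1-5-11'       # NT AUTHORITY\Authenticated Users

# Root: inheritable ACEs first, then stop inheriting from C:\.
icacls $root /grant:r "${admins}:(OI)(CI)F" "${system}:(OI)(CI)F" "${users}:(OI)(CI)RX"
icacls $root /inheritance:r

# Logs only: users may also create and change files (Modify), so logon
# scripts running as the user can write their logs. Assumption: log
# tampering by other users is acceptable here; tighten further if not.
icacls (Join-Path $root 'Logs') /grant "${users}:(OI)(CI)M"

# Share: Change for users so writes to Logs succeed; NTFS limits the rest.
if (-not (Get-SmbShare -Name 'Support' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Support' -Path $root -FullAccess 'Administrators' `
        -ChangeAccess 'Authenticated Users' | Out-Null
}

# Check: list Allow ACEs that let anyone other than Administrators/SYSTEM
# write to, delete from, or re-permission a folder.
function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $trusted   = 'S-1-5-32-544', 'S-1-5-18'
    $writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $trusted -and
            ($_.FileSystemRights -band $writeBits) -ne 0
        }
}

# Expected to return nothing for the folders that hold executable content.
'Scripts', 'Software' | ForEach-Object { Get-NonAdminWriteAce -Path (Join-Path $root $_) }
```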

2022-06-29 04:28
Jason Cole

Convert MBR to GPT

Run MBR2GPT in Full Windows OS to Convert MBR to GPT

The MBR2GPT tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the /allowFullOS option.

1. Run Command Prompt (Admin) on your Windows 10.

2. Type command lines below and press enter after each one.

mbr2gpt /validate /allowFullOS

mbr2gpt /convert /allowFullOS

2022-06-29 04:39
Jason Cole

icacls Permission Command Line

Add Full permission to the Folder

icacls Folder /grant User:(OI)(CI)F /T

Remove 'Grant' Permission from Folder

icacls Folder /remove:G User

Remove 'Deny' Permission from Folder for User

icacls Folder /remove:D User

Remove inheritance

icacls Folder /inheritance:R

Remove inheritance but keep current permissions

icacls Folder /inheritance:D

Enable Inheritance & traverse directories

icacls Folder /inheritance:E /T

2023-10-09 04:37
Jason Cole

NSSM

Installation

1. Install Sophos SSL VPN Service as shown in "SSL Client Connection Setup"

2. Test SSL connection as OK before proceeding

3. Remove OpenVPN startup from registry
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RUN\openvpn-gui

4. Create Batch file for service to use
    a. C:\EVITSupport\Scripts\SSL VPN\SophosCLIENTNAME.CMD
    e.g. C:\EVITSupport\Scripts\SSL VPN\SophosTLC.CMD

    b. Enter the following details changing the ovpn file name to suit
    "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\bin\openvpn-gui.exe" --config_dir "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\" --connect [email protected]

5. Download NSSM (Non-Sucking Service Manager)
    https://nssm.cc/download

6. Run the following command (first place nssm in C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\conf and cd to that location as admin in cmd).
    a. .\nssm install SophosCLIENTNAME

7. In Application Tab enter
    Path:   C:\EVITSupport\Scripts\SSL VPN\SophosCLIENTNAME.CMD
    Startup directory   C:\EVITSupport\Scripts\SSL VPN

8. Under Details Tab enter
    Display Name    CLIENTNAME SSL Client AutoConnect
    Description CLIENTNAME SSL Client AutoConnect

9. Click Install Service

10. Under C:\Program Files (x86)\Sophos\config\USER
Drag the user config to the desktop and edit it; under auth-pass make it auth-pass.txt
Make a pass.txt file with the VPN username on the top line and the password on the line below.
Drag the contents back into C:\Program Files (x86)\Sophos\config\

11. Restart workstation and confirm remote access

2022-08-16 01:46
Jason Cole

Power Config Command Line

AC Power commands

powercfg /change standby-timeout-ac 0

powercfg /change monitor-timeout-ac 0

powercfg /change hibernate-timeout-ac 0

Battery Power commands

powercfg /change standby-timeout-dc 0

powercfg /change monitor-timeout-dc 0

powercfg /change hibernate-timeout-dc 0

AC and DC refer to 'plugged in' and 'on battery' respectively

A value of 0 disables the timeout; any other number sets the timeout in minutes

2022-07-27 04:03
Jason Cole

Remove Labtech

1. Services.msc

  1. Click Start, and select Control Panel.
  2. Select Administrative Tools.
  3. Click Services.
  4. Select ‘LabTech Monitoring Services’ and stop the service.
  5. Select ‘LabTech Monitoring Services CheckUp Util’ and stop the service.
  6. From a command prompt, run the following two commands to remove the services from the service list.
    • ‘sc delete ltservice’
    • ‘sc delete ltsvcmon’

2. Registry Editor

  1. From the registry editor remove the registry keys located under HKLM\Software\LabTech. If running a 64-bit OS, remove keys that may exist under HKLM\Software\Wow6432Node\LabTech.

3. Task Manager

  1. Right-click task bar.
  2. Select Start Task Manager.
  3. Under Processes tab, select ‘LTTray.exe’.
  4. Click End Process.

4. LTSvc file

  1. Go to c:\Windows.
  2. Right-click LTSvc and select Delete.
  3. Restart the machine.

2022-07-27 04:31
Jason Cole

Take Ownership of Files

Take Ownership of Folder and files

Takeown /A /R /D Y /F "Folder"

2022-07-27 04:49
Jason Cole

VMware player only showing 2 cores in Windows

VMware player only allocates CPUs and not cores

Windows Desktop OS can only use 2 CPUs, thus only 2 cores are shown in Task Manager

Add/modify the following lines in the .VMX file to show 4 or more cores to Windows Desktop OS
numvcpus = "4"
cpuid.coresPerSocket = "2"

2023-10-24 09:07
Jason Cole

Reset Windows Update

Start CMD shell with Administrator rights

Run the following:

net stop bits /Y
net stop wuauserv /Y
net stop appidsvc /Y
net stop cryptsvc /Y
Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\*.*" /Q
rmdir %systemroot%\SoftwareDistribution /S /Q
rmdir %systemroot%\system32\catroot2 /S /Q
regsvr32.exe /s atl.dll
regsvr32.exe /s urlmon.dll
regsvr32.exe /s mshtml.dll
netsh winsock reset
netsh winsock reset proxy
net start bits
net start wuauserv
net start appidsvc
net start cryptsvc

2023-09-27 05:51
Jason Cole

Correct / Update SFC Scan cache

If SFC /ScanNow is not able to correct files, this is due to the local cache files not being updated to the current version of Windows

Check SFC Cache files
DISM /Online /Cleanup-Image /ScanHealth

Correct SFC Cache files
DISM /Online /Cleanup-Image /Restorehealth

If issues, run from a local source image
Mount Currently installed Windows ISO
DISM /Online /Cleanup-Image /Restorehealth /Source:D:\Sources /LimitAccess

2023-09-22 04:51
Jason Cole

IIS SMTP Service Crashing When Accessing Settings

Editing IIS 6.0 Manager Settings to Prevent Crashes

To prevent the SMTP management window from crashing when right-clicking on the SMTP virtual server, follow these steps:

  1. Stop Services:

    • Stop the SMTPSVC service (Display Name: "Simple Mail Transfer Protocol (SMTP)").
    • Stop the IISADMIN service (Display Name: "IIS Admin Service").
  2. Edit metabase.xml:

    • Navigate to C:\Windows\System32\inetsrv\MetaBase.xml.

    • Locate the relevant configuration section IIsSmtpServer    Location ="/LM/SmtpSvc/1".

    • Add the following attributes within the IIsSmtpServer section:

      <IIsSmtpServer    Location ="/LM/SmtpSvc/1"
          RelayIpList="127.0.0.1"
      />
  3. Save the metabase.xml File:

    • Save the changes to the metabase.xml file.
  4. Restart Services:

    • Start the IISADMIN service.
    • Start the SMTPSVC service.
  5. Verify Changes:

    • Open the Internet Information Services (IIS) 6.0 Manager (InetMgr6.exe) and verify that it operates normally.

Additional Considerations

  • These steps have been tested on several new installations of Windows Server 2022 and have consistently worked.
  • For upgraded systems, note that the SMTP service may not be installed post-upgrade. You will need a backup of the settings to apply after reinstalling the service.
  • Tip: Set the SMTPSVC service to start "Automatically" as it is set to "Manual" by default.

2026-01-06 01:45
Jason Cole

PowerShell Commands for Time Zones

1. Set-TimeZone

The Set-TimeZone cmdlet allows you to set the system time zone to a specified value. You can use either the time zone ID or the time zone name. Here are some examples:

Example 1: Set the time zone by ID

Set-TimeZone -id "E. Australia Standard Time"

This command sets the time zone on the local computer to E. Australia Standard Time. The ID corresponds to the specific time zone you want to set. In this case, it’s the time zone for Eastern Australia.

Example 2: Set the time zone by name

Set-TimeZone -Name 'E. Australia Standard Time' -PassThru

In this example, we set the time zone to E. Australia Standard Time using its name. Note that the name parameter must match either the StandardName or DaylightName properties of the TimeZoneInfo object. The actual time zone names can vary based on the culture settings in Windows.

2. Get-TimeZone

The Get-TimeZone cmdlet retrieves information about the current time zone or provides a list of available time zones.

Example 1: Get the current time zone

Get-TimeZone

This command displays information about the current time zone on your system.

Example 2: Get time zones that match a specified string

Get-TimeZone -Name "*pac*"

The wildcard search retrieves all time zones containing the specified string (in this case, “pac”). For instance, it might return time zones like:

  • Pacific Standard Time (Mexico)
  • (UTC-08:00) Pacific Time (US & Canada)
  • Pacific Standard Time
  • SA Pacific Standard Time
  • Pacific SA Standard Time
  • West Pacific Standard Time
  • Central Pacific Standard Time

Example 3: Get all available time zones

Get-TimeZone -ListAvailable

This command provides a comprehensive list of all available time zones.


Sources:

  1. Set-TimeZone - Microsoft Learn
  2. Get-TimeZone - Microsoft Learn
  3. Setting the Time Zone through PowerShell - MonoVM
  4. How to set TimeZone using Powershell - Stack Overflow
 

2024-08-13 01:53
Jason Cole

CMD Commands for Time Zones

Managing Time Zones with tzutil

1. Display Current Time Zone

To retrieve information about the current time zone, use the following command:

tzutil /g

This will display the current time zone ID. For example, if you’re in the Brisbane zone, it will show:

E. Australia Standard Time

2. List Available Time Zones

To view a list of all valid time zone IDs and their display names, run:

tzutil /l

The output will show pairs of display names and corresponding time zone IDs. For instance:

(UTC+10:00) Brisbane
E. Australia Standard Time

3. Set Time Zone

To set the system time zone, use the /s switch followed by the desired time zone ID.
You can also disable Daylight Saving Time adjustments using the _dstoff suffix (where applicable):

Example: Set to E. Australia Standard Time (Brisbane)

tzutil /s "E. Australia Standard Time"

Example: Set to AUS Eastern Standard Time (Canberra, Melbourne, Sydney) with DST disabled

tzutil /s "AUS Eastern Standard Time_dstoff"

Remember to run these commands with administrative privileges.


References:

  1. tzutil - Microsoft Learn
  2. How to change Time Zone using Tzutil Utility
  3. Error changing time zone in Windows Server 2019: Use the command line or PowerShell instead
  4. How to Set Timezone from Command Prompt in Windows
 

2024-04-02 01:30
Jason Cole

How to Identify Your RDS License Server

Using PowerShell to Find Your RDS License Server

  1. Open PowerShell: Press Win + X and select “Windows PowerShell” or “Windows PowerShell (Admin)” from the menu.

  2. Run the Command:

    • Type the following command and press Enter:
    (Get-WmiObject -Namespace root\CIMV2\TerminalServices Win32_TerminalServiceSetting).GetSpecifiedLicenseServerList()
    

    This command queries the WMI (Windows Management Instrumentation) namespace to retrieve information about the specified license server.

  3. Review the Output:

    • The output will display the license server(s) configured for your RDS environment.
    • If you see multiple servers, they will be listed sequentially.

Verifying the License Server

  • Once you have the license server information, verify it against your licensing documentation or contact your system administrator to ensure accuracy.

2024-04-03 03:49
Jason Cole

Setup Taskbar when Windows Workstation/Server Unregistered

This will configure the user desktop on an unlicensed Windows Workstation/System

The following registry entries should be added and Explorer.exe restarted

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
TaskbarGlomLevel = dword:00000002 -> Combine Taskbar icons when the taskbar is full 
HideFileExt = dword:00000000 -> Show File Extensions
NavPaneExpandToCurrentFolder = dword:00000001 -> Expand to open folder in Navigation pane

Restart Explorer.exe to allow the changes to become active.

To show all icons and notifications on the taskbar, run
explorer shell:::{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}

The above can be executed by a CMD script. (Reg and CMD batch files available)

@Echo off
Echo Running script in folder %~dp0
c:\Windows\System32\regedt32.exe /s "%~dp0taskbar_setup.reg"
taskkill /f /im explorer.exe
start explorer.exe
Timeout 3
explorer shell:::{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}
exit /b

2025-02-11 05:20
Jason Cole

Installing and Uninstalling Programs in Safe Mode

Introduction

Safe Mode is a diagnostic mode in Windows that starts the operating system with a minimal set of drivers and services. This can be useful for troubleshooting issues. However, by default, the Windows Installer service is not available in Safe Mode, which can prevent the installation or uninstallation of programs. This guide will show you how to enable the Windows Installer service in Safe Mode.

Steps

  1. Open an Elevated Command Prompt in Safe Mode
    • Boot your computer into Safe Mode.
    • Open an elevated command prompt.
    • You can do this by searching for cmd in the Start menu, right-clicking on Command Prompt, and selecting Run as administrator.
  2. Add the Windows Installer Service to Safe Mode

    Copy and paste the following commands into the elevated command prompt one at a time, pressing Enter after each command:

    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service"
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer" /VE /T REG_SZ /F /D "Service"
    net start msiserver
        

    The first two commands add the “Service” registry value to include the Windows Installer service in Safe Mode. The third command starts the Windows Installer service.

  3. Close the Elevated Command Prompt

    Once the commands have been executed successfully, close the elevated command prompt.

  4. Install or Uninstall Programs

    You should now be able to install and uninstall programs while in Safe Mode.

Conclusion

By following these steps, you can enable the Windows Installer service in Safe Mode, allowing you to manage your programs even when troubleshooting your system. This can be particularly useful for removing problematic software or installing essential updates.

2026-01-06 01:31
Jason Cole

IIS SMTP Service Crashing When Sending Email

Editing IIS 6.0 to Prevent Crashes when Sending Emails

To prevent the SMTP Service from crashing when sending email, follow these steps:

Stop Services

  • Stop the SMTPSVC service (Display Name: Simple Mail Transfer Protocol (SMTP)).
  • Stop the IISADMIN service (Display Name: IIS Admin Service).

Edit metabase.xml

  1. Navigate to C:\Windows\System32\inetsrv\MetaBase.xml.
  2. Locate the relevant configuration section IIsSmtpServer    Location ="/LM/SmtpSvc/1".
  3. Add/modify the following attributes:
    <IIsSmtpServer    Location ="/LM/SmtpSvc/1"
        RelayIpList="127.0.0.1"
        MaxConnections="20"
        ConnectionTimeout="60"
    />

Save the metabase.xml File

Save the changes to the metabase.xml file.

Restart Services

  • Start the IISADMIN service.
  • Start the SMTPSVC service.

Verify Changes

Open the Internet Information Services (IIS) 6.0 Manager (InetMgr6.exe) and verify that it operates normally.

Additional Considerations

  • These steps have been tested on several new installations of Windows Server 2022 and have consistently worked.
  • For upgraded systems, note that the SMTP service may not be installed post-upgrade. You will need a backup of the settings to apply after reinstalling the service.
  • Tip: Set the SMTPSVC service to start Automatically as it is set to Manual by default.

2026-01-06 01:45
Jason Cole

How to Disable the Blur Effect on the Windows Logon Screen

The Windows logon screen features an Acrylic blur effect, which adds a frosted glass appearance to the background image.
While this visual feature enhances aesthetics, some users prefer a clear background for performance or personal preference.
This article outlines two methods to disable the blur effect.


Applicable Versions

  • Windows 10 (version 1903 and later)
  • Windows 11
  • Editions: Pro, Enterprise, Education (Group Policy method); All editions (Registry method)

Method 1: Using Group Policy Editor

Note: This method is available only on Windows Pro, Enterprise, and Education editions.

Steps:

  1. Press Win + R, type gpedit.msc, and press Enter.
  2. Navigate to:
    Computer Configuration > Administrative Templates > System > Logon
  3. Double-click Show clear logon background.
  4. Select Enabled.
  5. Click OK to apply the change.
  6. Restart your computer.

Method 2: Using Registry Editor

Note: This method works on all Windows editions, including Home.

Steps:

  1. Press Win + R, type regedit, and press Enter.
  2. Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
  3. If the System key does not exist:
    • Right-click on Windows, select New > Key, and name it System.
  4. Inside the System key:
    • Right-click and select New > DWORD (32-bit) Value.
    • Name the value: DisableAcrylicBackgroundOnLogon.
    • Set its value to 1.
  5. Close the Registry Editor.
  6. Restart your computer.

Result

After applying either method, the login screen will display a clear background image instead of the blurred effect.

2025-07-25 01:31
Jason Cole

Windows Registry: DateTime Servers

Summary

This article documents how Windows stores and presents the list of available Internet time (NTP) servers in the Date and Time Control Panel, and how to set the default server selection via the registry. It covers the registry path, value semantics, example configuration, deployment guidance, and related considerations.


Registry Location

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers
  • Scope: Machine-wide
  • Purpose: Populates the drop-down list of NTP servers shown in Control Panel → Date and Time → Internet Time → Change settings… and controls which entry is selected by default.

Value Semantics

Within …\DateTime\Servers, values are organised as:

  • Default (REG_SZ): The numeric index (as a string) of the currently selected server from the list.
    Example: @ = "1" means the server labelled "1" is selected by default in the UI.
  • Numbered REG_SZ values (1, 2, 3, …): Each numbered value contains a server hostname (or FQDN).
    Example:
    • "1" = "clock.isc.org"
    • "2" = "north-america.pool.ntp.org"

Important:
This registry key affects the UI list and default selection. It does not itself configure the Windows Time (W32Time) service’s operational peers (which are controlled by HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer and related policy keys). However, when users click Update now or use the Internet Time UI, Windows will attempt to synchronize with the selected server.


Example Configuration (.reg)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
@="1"
"1"="clock.isc.org"
"2"="north-america.pool.ntp.org"

Behavior:

  • The Internet Time settings dialogue will show two choices: clock.isc.org and north-america.pool.ntp.org.
  • The default selection (highlighted when opening the dialogue) will be clock.isc.org (index "1").

Typical Use Cases

  • Standardising the UI list of NTP servers for end-users across an organisation.
  • Pre-selecting a preferred server so users see a vetted choice by default.
  • Complementing W32Time configuration (e.g., via Group Policy) with a curated UI list.

How to Deploy

Option A — Import the .reg File

  1. Save the above snippet as DateTimeServers.reg.
  2. Run as Administrator:
    • Double-click the file and accept the prompt, or
    • Execute via command line:
      reg import DateTimeServers.reg

Option B — Use PowerShell

$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers'
New-Item -Path $base -Force | Out-Null

# Set default selection to index "1"
New-ItemProperty -Path $base -Name '(default)' -Value '1' -PropertyType String -Force | Out-Null

# Populate list entries
New-ItemProperty -Path $base -Name '1' -Value 'clock.isc.org' -PropertyType String -Force | Out-Null
New-ItemProperty -Path $base -Name '2' -Value 'north-america.pool.ntp.org' -PropertyType String -Force | Out-Null

Note: Setting '(default)' requires this specific name to target the default value in PowerShell.


Verification

  1. Open Control Panel → Date and Time → Internet Time → Change settings….
  2. Confirm the server dropdown lists:
    • clock.isc.org
    • north-america.pool.ntp.org
  3. Confirm the default selection matches the index set in @ (e.g., "1" → clock.isc.org).
  4. (Optional) Click Update now to test reachability/sync.

Interaction with Windows Time (W32Time)

  • The UI list is not the authoritative configuration for continuous time sync in domain or service scenarios.
  • For service-level peers, configure:
    • HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
    • HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
    • Or via Group Policy:
      Computer Configuration → Administrative Templates → System → Windows Time Service → Time Providers
  • In Active Directory domains, members typically sync from the domain hierarchy (PDC Emulator). The Internet Time UI is often hidden/disabled for domain-joined machines.

Best Practices & Considerations

  • Prefer pool addresses (e.g., *.pool.ntp.org) for resiliency.
  • Firewall: Allow outbound UDP 123 to reach public NTP servers (if using Internet servers).
  • Security/Trust: For regulated environments, use internal NTP sources (GPS-backed or upstream-stratum) and restrict external NTP.
  • Latency & Accuracy: Choose geographically close pools (e.g., oceania.pool.ntp.org for AU/NZ environments) to improve stability.
  • Domain-Joined Machines: Rely on AD time hierarchy unless policy dictates external NTP.
  • Monitoring: Use w32tm /query /status and w32tm /query /peers to inspect operational sync status.

Troubleshooting

  • Sync fails via UI:
    • Check DNS resolution (nslookup <server>).
    • Verify UDP 123 outbound is permitted.
    • Test with w32tm /stripchart /computer:<server> /samples:5 /dataonly.
  • UI list not updating:
    • Confirm registry values under …\DateTime\Servers are present and of type REG_SZ.
    • Reopen the Internet Time dialogue to refresh.
  • Domain-joined behaviour:
    • UI may be disabled by policy. Review GPOs under Windows Time Service.

Related Keys & Commands

  • Service peers:
    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
  • NTP Client settings:
    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
  • Commands:
    w32tm /query /status
    w32tm /query /peers
    w32tm /resync

Change History

  • Added servers: clock.isc.org, north-america.pool.ntp.org
  • Default selection: Index "1" (clock.isc.org)

Appendix: Original Registry Entry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
@="1"
"1"="clock.isc.org"
"2"="north-america.pool.ntp.org"

2026-01-05 02:17
Jason Cole

Disk Cleanup using DISM: Component Store Cleanup (StartComponentCleanup & ResetBase)

The Deployment Imaging Servicing and Management (DISM) tool can service Windows images and the online operating system. The /StartComponentCleanup option reduces the size of the WinSxS (component store) by removing superseded versions of components. Optionally, the /ResetBase switch can further reduce size by making the current component versions the new baseline (permanently removing the ability to roll back to earlier versions of those components).


Quick Summary

  • dism /online /cleanup-image /startcomponentcleanup — Removes superseded component versions and performs a standard cleanup.
  • /resetbase — Permanently sets current versions as baseline and removes the ability to uninstall prior updates.

Prerequisites

  • Administrator privileges are required.
  • Run in an elevated Command Prompt or PowerShell.
  • Ensure sufficient free disk space (cleanup can temporarily require extra space while processing).
  • Close applications that may be updating system components.

Syntax

DISM /Online /Cleanup-Image /StartComponentCleanup [/ResetBase] [/NoRestart] [/Quiet]

Parameters

/Online
Targets the currently running operating system.
/Cleanup-Image
Specifies image maintenance operations.
/StartComponentCleanup
Removes superseded (older) component versions from the WinSxS store to reduce size.
/ResetBase
Irreversible: sets current component versions as the baseline; prevents uninstall of updates superseded by the cleanup.
/NoRestart
Prevents automatic restart if a reboot would be required.
/Quiet
Suppresses verbose output.

Recommended Usage

Standard Cleanup (Safe)

dism /online /cleanup-image /startcomponentcleanup

Use this regularly to keep the component store trimmed. It should not affect the ability to uninstall updates.

Aggressive Cleanup with Baseline Reset (Irreversible)

dism /online /cleanup-image /startcomponentcleanup /resetbase

Use this sparingly—typically after a maintenance window when the system is stable and updates have been vetted. After running with /resetbase, previously superseded updates cannot be uninstalled.


When to Use Each Option

Scenario | Recommended Command | Notes
Routine maintenance to reduce WinSxS size | /startcomponentcleanup | Safe; retains ability to uninstall most updates.
Locked-in baseline after successful patch cycle | /startcomponentcleanup /resetbase | Irreversible; cannot remove older/superseded updates afterward.
Automated/silent execution | /startcomponentcleanup /quiet /norestart | Use in scripts; schedule during low-usage windows.

Examples

1) Basic Cleanup

dism /online /cleanup-image /startcomponentcleanup

2) Cleanup Without Auto-Restart

dism /online /cleanup-image /startcomponentcleanup /norestart

3) Aggressive Cleanup (Reset Baseline)

dism /online /cleanup-image /startcomponentcleanup /resetbase

4) Silent Mode for Scripts

dism /online /cleanup-image /startcomponentcleanup /quiet /norestart

Operational Notes

  • Performance: Cleanup can take several minutes; longer on systems with extensive update history.
  • Disk Space: Expect savings in the WinSxS folder; the actual reduction depends on the number of superseded components.
  • Logging: Review %WINDIR%\Logs\DISM\dism.log for detailed diagnostics.
  • Servicing Stack: If DISM errors, ensure the latest Servicing Stack Update (SSU) is installed.

Best Practices

  1. Run sfc /scannow first if you suspect component corruption.
  2. Follow with dism /online /cleanup-image /restorehealth if SFC reports issues that it cannot fix.
  3. Use /startcomponentcleanup regularly (e.g., monthly) after Patch Tuesday.
  4. Reserve /resetbase for systems with proven stability where rollback is not needed.
  5. Schedule during maintenance windows and monitor dism.log.

Troubleshooting

Error 0x800f081f (source files not found)
Point DISM to repair sources or run /restorehealth first. Example:
dism /online /cleanup-image /restorehealth
Access denied
Ensure the shell is running as Administrator.
Cleanup yields minimal savings
There may be few or no superseded components; savings vary by update history.

Frequently Asked Questions (FAQ)

Does /resetbase delete all updates?

No. It removes older/superseded component versions and sets current versions as the baseline. You cannot uninstall those superseded updates afterward.

Will I need to reboot?

Not always. Some cleanups require a restart. Use /norestart to prevent automatic reboot in unattended scenarios and plan a controlled restart later.

Is this the same as Disk Cleanup?

No. Disk Cleanup targets various files (temp, thumbnails, etc.). DISM focuses on the component store (WinSxS) used by servicing and updates.


Change Control Template (Optional)

Title: WinSxS Component Store Cleanup (DISM)
System: 
Window: 
Command(s):
  dism /online /cleanup-image /startcomponentcleanup [/resetbase] [/quiet] [/norestart]
Backout Plan: Not applicable when using /resetbase (irreversible)
Validation:
  - Check %WINDIR%\Logs\DISM\dism.log
  - Verify system stability and disk space reduction

References

  • Microsoft Docs: DISM Operations - https://learn.microsoft.com/windows-hardware/manufacture/desktop/dism-operations
  • Microsoft Docs: Clean up the WinSxS folder - https://learn.microsoft.com/windows-hardware/manufacture/desktop/clean-up-the-winSxS-folder

2026-01-27 03:13
Jason Cole

Windows - Scripts


Create Users Folders Script

Script permissions not working as expected

Creates user folder as user logs in with Administrator and user permissions

@Echo off
if exist \\SERVER\USers$\%USERNAME%\ GOTO END
 
:CREATE
MKDIR \\SERVER\Users$\%USERNAME%
icacls \\SERVER\Users$\%USERNAME% /Inheritance:R
TAKEOWN /F \\SERVER\Users$\%USERNAME% /A /R /D Y
icacls \\SERVER\Users$\%USERNAME% /grant Support:(OI)(CI)F
icacls \\SERVER\Users$\%USERNAME% /grant Administrators:(OI)(CI)F
icacls \\SERVER\Users$\%USERNAME% /grant %USERNAME%:(OI)(CI)F
EXIT
 
:END
EXIT

2022-06-29 04:43
Jason Cole

Local Admin Policy

Create a new Group Policy called Local Admin Policy under the Workstation OU folder

* Do not place in the root of AD Group Policy *

Set up, or copy, a PowerShell script called Local_Admin.ps1 and set it to run at startup for Computers only

Ensure the file is placed in the default SYSVOL Location

# Administrator Password
$password = "CustomPassword"

# Create SecureString
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force

# Enable the local Administrator account
Net user Administrator /active:yes

# Set password and account settings for Administrator
Set-LocalUser -Name Administrator -Password $secpassword -AccountNeverExpires
Set-LocalUser -Name Administrator -PasswordNeverExpires $true

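# Create additional accounts (only if missing, as the script runs at every startup)
if (-not (Get-LocalUser -Name "Support" -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name "Support" -Password $secpassword -Description "Administrative user account" -AccountNeverExpires
}

# Set password never expires for additional accounts
Set-LocalUser -Name "Support" -PasswordNeverExpires $true

# Add Additional accounts to Administrators group (ignore the error raised when already a member)
Add-LocalGroupMember -Group "Administrators" -Member "Support" -ErrorAction SilentlyContinue

# Delete Existing Local Account called 'Temp' (ignore the error raised when it does not exist)
Remove-LocalUser -Name "Temp" -ErrorAction SilentlyContinue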

 






Batch file Solution
Set up, or copy, a batch file called Local_Admin.CMD and set to run at startup for Computers only

@Echo off
 
:: Deactivate old Local Admin Accounts
NET USER Supervisor /ACTIVE:NO
NET USER SetupUser /ACTIVE:NO
NET USER Install /ACTIVE:NO
 
::Activate local Administrator account and set a password
NET USER Administrator /ACTIVE:YES /PASSWORDCHG:NO
NET USER Administrator "StrongPassword1" /ADD /PASSWORDCHG:NO /Y
NET USER Administrator "StrongPassword1"
 
::Create new Local Admin accounts
NET USER InstallUser "StrongPassword2" /ADD /PASSWORDCHG:NO /Y
NET USER InstallUser "StrongPassword2"
NET USER Support "StrongPassword3" /ADD /PASSWORDCHG:NO /Y
NET USER Support "StrongPassword3"
 
::Set new local Admin accounts to never expire
wmic UserAccount where Name='InstallUser' set PasswordExpires=False
NET USER InstallUser /EXPIRES:NEVER
NET USER InstallUser /ACTIVE:YES
 
wmic UserAccount where Name='Support' set PasswordExpires=False
NET USER Support /EXPIRES:NEVER
NET USER Support /ACTIVE:YES
 
wmic UserAccount where Name='Administrator' set PasswordExpires=False
NET USER Administrator /EXPIRES:NEVER
NET USER Administrator /ACTIVE:YES
 
::Configure new account with local Administrator Rights
NET LOCALGROUP Administrators InstallUser /ADD
NET LOCALGROUP Administrators Support /ADD
 
EXIT
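
Both scripts above carry the local administrator passwords in clear text, and files in SYSVOL are readable by every authenticated domain user. The following added example (not from the original page) is a defender-side check that flags such lines in startup scripts and reports them with the secret redacted; the function name, rule names and sample lines are constructed for illustration.

```powershell
# Added example: audit startup/logon scripts for embedded credentials.
# Find-EmbeddedCredential and its rule names are illustrative, not a built-in cmdlet.

function Find-EmbeddedCredential {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [AllowEmptyString()]
        [string[]]$Line,
        [string]$Source = '<inline>'
    )

    # Each rule is a regex; the optional named group "secret" marks the span to redact
    $rules = [ordered]@{
        PasswordVariableLiteral = '^\s*\$\w*pass\w*\s*=\s*(?<secret>"[^"]+"|''[^'']+'')'
        NetUserWithPassword     = '^\s*net(\.exe)?\s+user\s+\S+\s+(?![/*])(?<secret>"[^"]+"|\S+)'
        PlaintextToSecureString = 'ConvertTo-SecureString\b.*-AsPlainText'
    }
    $options = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase

    for ($i = 0; $i -lt $Line.Count; $i++) {
        $text = $Line[$i]

        # Skip comment lines in PowerShell (#) and batch (:: or REM)
        if ($text -match '^\s*(#|::|rem\s)') { continue }

        foreach ($name in $rules.Keys) {
            $match = [regex]::Match($text, $rules[$name], $options)
            if (-not $match.Success) { continue }

            # Never echo the secret itself into the report
            $group = $match.Groups['secret']
            $redacted = if ($group.Success) {
                $text.Remove($group.Index, $group.Length).Insert($group.Index, '<redacted>')
            } else {
                $text
            }

            [pscustomobject]@{
                Source     = $Source
                LineNumber = $i + 1
                Rule       = $name
                Line       = $redacted.Trim()
            }
        }
    }
}

# Constructed sample: lines mirroring Local_Admin.ps1 and Local_Admin.CMD
$sample = @'
# Administrator Password
$password = "CustomPassword"
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
Net user Administrator /active:yes
NET USER Administrator "StrongPassword1"
NET USER Support /EXPIRES:NEVER
NET LOCALGROUP Administrators Support /ADD
'@ -split "`r?`n"

Find-EmbeddedCredential -Line $sample -Source 'constructed sample' | Format-Table -AutoSize

# To audit real scripts, pass each file's lines (the path below is a placeholder):
# Get-ChildItem '\\<domain>\SYSVOL\<domain>' -Recurse -Include *.ps1, *.cmd, *.bat |
#     ForEach-Object { Find-EmbeddedCredential -Line @(Get-Content $_.FullName) -Source $_.FullName }
```

Lines that only toggle account flags (/ACTIVE, /EXPIRES) are not reported, because the token after the account name starts with a slash.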

2025-11-05 00:18
Jason Cole

Log Drive Maps and Printers

Requires:

Shared C:\Support folder on the server

Folder X:\Support\Logs\Mapping

Notes:

Setup scripts (Log_Mapping.ps1) for Group Policy under User Configuration


# Set site Variables
$Server = "SERVERNAME"
$Share = "Support"
$LogFile = "\\$Server\$Share\Logs\Mapping\$env:USERNAME.TXT"

# Create required Folders (-Force avoids an error when the folder already exists)
New-Item -ItemType Directory -Path "\\$Server\$Share\Logs\Mapping" -Force | Out-Null

# Prepare Log File
"===========================================================================================" | Out-File $LogFile -Append
"$env:USERNAME Logged onto $env:COMPUTERNAME on $(Get-Date) at $(Get-Date -Format T)" | Out-File $LogFile -Append

# Get the mapped drive information
"Mapped Drives:" | Out-File $LogFile -Append
"`n" | Out-File $LogFile -Append
# Mapped network drives are the FileSystem drives whose DisplayRoot holds a UNC path
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' } | ForEach-Object {
    $drive = $_.Name
    $path = $_.DisplayRoot

    # Append the drive letter and its UNC path to the log file on the server
    "${drive}: $path" | Out-File $LogFile -Append
}

# Get the installed printer information
Get-WmiObject -Class Win32_Printer | Select-Object Name, SystemName, ShareName | Format-Table | Out-String | Out-File $LogFile -Append

# Get Profile Folder Location
$ShellFolders = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
foreach ($Name in "Personal", "Desktop", "My Music", "My Pictures", "My Video") {
    Get-ItemProperty -Path $ShellFolders -Name $Name | Select-Object -ExpandProperty $Name | Out-File $LogFile -Append
}
"Logon Server: $env:logonserver" | Out-File $LogFile -Append

EXIT

2024-06-28 09:16
Jason Cole

Log Windows Version

Requires:

Shared C:\Support folder on the server

Folder X:\Support\Logs\System_Versions

Notes:

Setup scripts (OSVer.ps1) for Group Policy under User Configuration


# Set site Variables
$URL = "db.jraustralia.com/files/WinVerDB.zip"
$SERVER = "ServerName"
$SHARE = "Support"
$Workingfolder = (gi $env:temp).fullname

# If PowerShell is too old to run Expand-Archive, use this value as an alert
$OSVer = "PS_Too_Old"

# Update CSV File
Invoke-WebRequest -Uri $URL -OutFile "$Workingfolder\WinVerDB.zip"
Expand-Archive "$Workingfolder\WinVerDB.zip" "$Workingfolder" -Force

# Prepare Locations
New-Item -ItemType Directory -Path "\\$SERVER\$SHARE\Logs\System_Versions" -Force | Out-Null

# Determine Windows Build Number
$OSBuild = (Get-WmiObject Win32_OperatingSystem).BuildNumber

# Determine Windows Version from Build Number using WinVerDB.csv
$OSVer = Select-String -Path "$Workingfolder\WinVerDB.csv" -Pattern $OSBuild | Select-Object -ExpandProperty Line | Select-String -Pattern '^[^,]*' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value

# Locate Windows Product Name from Registry
$ProductName = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductName

# Write details to file
$FileContent = "$OSVer $ProductName"
Set-Content -Path "\\$SERVER\$SHARE\Logs\System_Versions\$OSVer`_$env:COMPUTERNAME.TXT" -Value $FileContent

EXIT

2025-02-11 05:19
Jason Cole

Logging user LogOn and LogOff

Requires:

Server:

Shared Support folder on the server

Folder X:\Support\Logs\Logon\Users

Folder X:\Support\Logs\Logon\Computers

Workstation:

Folder X:\Support\Logs\LocalLogon

Notes:

Setup two scripts (Logon.CMD and Logoff.CMD) for Group Policy under User Configuration


Logon.ps1

# Set site Variables
$Server = "SERVERNAME"
$Share = "Support"

# Get Variables
$username = $env:USERNAME
$computerName = $env:COMPUTERNAME
$date = Get-Date -Format "dd/MM/yyyy"
$time = Get-Date -Format "HH:mm:ss"

# Query Session
$sessionInfo = quser $username | Select-String '>'
$sessionNum = ($sessionInfo -split '\s+')[2]
$clientName = (Get-ItemProperty "HKCU:\Volatile Environment\$sessionNum").ClientName

# Create local logon directory if it doesn't exist
New-Item -ItemType Directory -Path "C:\$Share\Logs\LocalLogon" -ErrorAction SilentlyContinue

# Create Log files
Add-Content "\\$Server\$Share\Logs\logon\Users\$username.TXT" "$username logged on to $computerName at $time on $date from $clientName"
Add-Content "\\$Server\$Share\Logs\logon\Computers\$computerName.TXT" "$username logged on to $computerName at $time on $date from $clientName"

Add-Content "C:\$Share\Logs\LocalLogon\$username.TXT" "$username logged on to $computerName at $time on $date from $clientName"
Add-Content "C:\$Share\Logs\LocalLogon\$computerName.TXT" "$username logged on to $computerName at $time on $date from $clientName"

Exit



LogOff.ps1

# Set site Variables
$Server = "SERVERNAME"
$Share = "Support"

# Get Variables
$username = $env:USERNAME
$computerName = $env:COMPUTERNAME
$date = Get-Date -Format "dd/MM/yyyy"
$time = Get-Date -Format "HH:mm:ss"

# Query Session
$sessionInfo = quser $username | Select-String '>'
$sessionNum = ($sessionInfo -split '\s+')[2]
$clientName = (Get-ItemProperty "HKCU:\Volatile Environment\$sessionNum").ClientName

# Create local logon directory if it doesn't exist
New-Item -ItemType Directory -Path "C:\$Share\Logs\LocalLogon" -ErrorAction SilentlyContinue

# Create Log files
Add-Content "\\$Server\$Share\Logs\logon\Users\$username.TXT" "$username logged off $computerName at $time on $date from $clientName"
Add-Content "\\$Server\$Share\Logs\logon\Computers\$computerName.TXT" "$username logged off $computerName at $time on $date from $clientName"

Add-Content "C:\$Share\Logs\LocalLogon\$username.TXT" "$username logged off $computerName at $time on $date from $clientName"
Add-Content "C:\$Share\Logs\LocalLogon\$computerName.TXT" "$username logged off $computerName at $time on $date from $clientName"

Exit

 

2023-05-10 08:59
Jason Cole

NSSM

Installation

1. Install Sophos SSL VPN Service as shown in "SSL Client Connection Setup"

2. Test SSL connection as OK before proceeding

3. Remove OpenVPN startup from registry
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RUN\openvpn-gui

4. Create Batch file for service to use
    a. C:\EVITSupport\Scripts\SSL VPN\SophosCLIENTNAME.CMD
    e.g. C:\EVITSupport\Scripts\SSL VPN\SophosTLC.CMD

    b. Enter the following details changing the ovpn file name to suit
    "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\bin\openvpn-gui.exe" --config_dir "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\" --connect [email protected]

5. Download NSSM (Non-Sucking Service Manager)
    https://nssm.cc/download

6. Place nssm in C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\conf, open cmd as admin and cd to that location.
Then run the following command
    a. .\nssm install SophosCLIENTNAME

7. In Application Tab enter
    Path:   C:\EVITSupport\Scripts\SSL VPN\SophosCLIENTNAME.CMD
    Startup directory   C:\EVITSupport\Scripts\SSL VPN

8. Under Details Tab enter
    Display Name    CLIENTNAME SSL Client AutoConnect
    Description CLIENTNAME SSL Client AutoConnect

9. Click Install Service

10. Under c:\programfiles (x86)\Sophos\config\USER
Drag user config to desktop, edit, under auth-pass make it auth-pass.txt
Make a pass.txt file with VPN username in top line and password line below.
Drag contents back into c:\programfiles (x86)\Sophos\config\

11. Restart workstation and confirm remote access

2022-08-16 01:46
Jason Cole

Rebuild Windows Search

Create a folder called C:\Support\Scripts\Rebuild_Windows_Search

Create a batch file called Rebuild_Search.CMD, place it in that folder and copy the following code into it

@Echo Off
Net Stop WSearch
Net Stop WSearch
del "%ProgramData%\Microsoft\Search\Data\Applications\Windows\Windows.edb"
Net Start WSearch
Net Start WSearch

EXIT

Setup Scheduled Task to run Batch file every Week on Saturday Night

This will allow the system to rebuild Windows Search prior to Monday's start

Alternatively, copy these files to C:\Support\Scripts\Rebuild_Windows_Search

Import the XML into Task Scheduler and confirm settings

2022-07-27 04:29
Jason Cole

Set Affinity

Some RDS systems require control over CPU usage.

This is usually done by restricting core usage to certain programs

As Affinity is not saved, a program will start using all available cores when it is started

To set Affinity on a semi-permanent basis the following PowerShell command should be run every 5 minutes

Get-Process OUTLOOK | ForEach-Object { $_.ProcessorAffinity=252}

Get-Process IEXPLORE | ForEach-Object { $_.ProcessorAffinity=252}

Get-Process CHROME | ForEach-Object { $_.ProcessorAffinity=252}

Get-Process TEAMS | ForEach-Object { $_.ProcessorAffinity=252}

These commands set Outlook, Internet Explorer, Chrome and Teams to only run on Cores 2,3,4,5,6 & 7

Leaving Cores 0 & 1 to process background tasks.

Use one command per app as the entire command will fail if an app is not running causing the other apps to not have their Affinity adjusted

These notes relate to an 8-core system, adjust the affinity number to suit a system with a different core count

Setup:

  1. Create a file called Set_Affinity.ps1
  2. Copy the following, changing the Process Names as required (e.g. OUTLOOK, not Outlook.exe)
    1. Get-Process OUTLOOK | ForEach-Object { $_.ProcessorAffinity=252}
    2. Get-Process IEXPLORE | ForEach-Object { $_.ProcessorAffinity=252}
    3. Get-Process CHROME | ForEach-Object { $_.ProcessorAffinity=252}
    4. Get-Process TEAMS | ForEach-Object { $_.ProcessorAffinity=252}
  3. Place it in the folder C:\Support\Scripts\Affinity
  4. Create a new Scheduled Task called Set Affinity
    1. Set to Run Daily starting at 7:00AM
    2. Program to Run: powershell.exe
    3. Arguments: -ExecutionPolicy Bypass -File "c:\Support\Scripts\Affinity\Set_Affinity.ps1"
    4. Security: Run whether the user is logged in or not
    5. Privileges: Run with the highest Privileges
    6. Edit the trigger to repeat the task every 30 minutes
    7. Under Settings, ensure Stop the task if it runs longer than is set to 1 Hour

Test the schedule.

Open PowerShell with Admin rights

Run the following command to list the current Affinity

 get-process outlook,iexplore,chrome | FT Name, ProcessorAffinity -autosize

This will show a value of 255 on an 8-core system

Manually run the script in Task Scheduler

When complete run the above command again and ensure it is set as required
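
The value 252 used above is the bit mask for cores 2 to 7 on an 8-core system. The following added example (not the page's own script) derives the mask from the number of logical processors and skips applications that are not running, so one call covers all of them; the function names and the ReservedCores parameter are illustrative.

```powershell
# Added example: derive the affinity mask instead of hard-coding 252.

function Get-AffinityMask {
    # Builds a mask that leaves the lowest $ReservedCores logical processors free
    param(
        [int]$ReservedCores = 2,
        [int]$LogicalProcessorCount = [Environment]::ProcessorCount
    )

    if ($LogicalProcessorCount -gt 64) {
        throw "More than 64 logical processors: a single mask only covers one processor group."
    }
    if ($ReservedCores -lt 0 -or $ReservedCores -ge $LogicalProcessorCount) {
        throw "ReservedCores must be between 0 and $($LogicalProcessorCount - 1)."
    }

    [long]$mask = 0
    for ($core = $ReservedCores; $core -lt $LogicalProcessorCount; $core++) {
        # Bit N set means the process may run on core N
        $mask = $mask -bor ([long]1 -shl $core)
    }
    return $mask
}

function Set-ProcessAffinityByName {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [Parameter(Mandatory)][long]$Mask
    )

    foreach ($processName in $Name) {
        # A process that is not running is skipped so the remaining names are still handled
        $processes = Get-Process -Name $processName -ErrorAction SilentlyContinue
        foreach ($process in $processes) {
            try {
                $process.ProcessorAffinity = [IntPtr]$Mask
            } catch {
                # Typically access denied or the process exited in the meantime
                Write-Warning "Could not set affinity on $processName (PID $($process.Id)): $($_.Exception.Message)"
            }
        }
    }
}

$apps = 'OUTLOOK', 'IEXPLORE', 'CHROME', 'TEAMS'
$mask = Get-AffinityMask -ReservedCores 2
Set-ProcessAffinityByName -Name $apps -Mask $mask

# Show the result for whichever of the applications are running
Get-Process -Name $apps -ErrorAction SilentlyContinue |
    Format-Table Name, Id, ProcessorAffinity -AutoSize
```

With 8 logical processors and 2 reserved cores the computed mask is 252, the same value as in the commands above.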

2022-07-27 04:48
Jason Cole

Windows 10 Version Switcher

Run batch file to change the Windows 10 Version

Supported Versions

  • Home -> Pro, Education VL, Enterprise VL
  • Pro -> Pro VL, Education VL, Enterprise VL
  • Pro VL -> Pro, Education VL, Enterprise VL
  • Education VL -> Pro, Pro VL, Enterprise VL
  • Enterprise VL -> Pro, Pro VL, Education VL

Source: https://github.com/TerryHuangHD/Windows10-VersionSwitcher 

2022-07-27 07:52
Jason Cole

SMTP Telnet test

Telnet may need to be installed

telnet mail.domain.com 25

EHLO mail.domain.com
MAIL FROM:[email protected]
RCPT TO:[email protected]
DATA
Subject: Test Message

This is a test message sent using telnet.

.

^ Don't miss the full stop
The message should be accepted for delivery and arrive at the expected destination

2023-03-17 06:01
Jason Cole

Robocopy Example

The example below shows lines already REM'd out to ensure they do not run should you execute the batch file by accident.
Remove the REM command to enable the line to execute

Multiple lines are present, as an example. Excess lines can be removed, or duplicated if more are required

/R:0 - Do not retry failed files
/W:0 - Do not wait between failed files
/COPYALL - Copy all security descriptors
/NP - Do not show progress
/NDL - Do not show directory listing
/TEE - Send output to screen
/XJ - Excludes junction points, preventing folder loops.
/log+:"c:\XXX\XXX.TXT" - Append log information file - Create if not existing

@Echo off

Set log=%date:~10,4%%date:~7,2%%date:~4,2%_%time:~0,2%%time:~3,2%

REM C:\Windows\System32\Robocopy.exe \\SERVERNAME\RedirectedFolders E:\Data\RedirectedFolders /mir /COPYALL /r:0 /w:0 /np /ndl /tee /xj /log+:"C:\Temp\Migration\Logs\Data_Log_%log%.TXT"
REM C:\Windows\System32\Robocopy.EXE \\SERVERNAME\software$ E:\Data\Software /mir /COPYALL /r:0 /w:0 /np /ndl /tee /xj /log+:"C:\Temp\Migration\Logs\Data_Log_%log%.TXT"
REM C:\Windows\System32\Robocopy.EXE \\SERVERNAME\Profiles$ E:\Data\Profiles /mir /COPYALL /r:0 /w:0 /np /ndl /tee /xj /log+:"C:\Temp\Migration\Logs\Data_Log_%log%.TXT"


EXIT /b

2025-07-01 02:35
Jason Cole

Rename folders due to Folder Name too Long.

When folder names are too long, deleting them can be difficult.
Renaming the folders will fix it, but this can take a while with several folders and deep folder structures.

Create the following batch file (CMD); it will run in the folder it is placed in.

 

@echo off
setlocal enabledelayedexpansion

set "folderPath=%~dp0"
set "counter=1"

echo About to make changes to this folder: "%folderPath%"
echo.
set /p "confirmation=Press Y to continue, or N to stop: "

if /i "%confirmation%" neq "Y" (
    echo Operation cancelled. No changes were made.
    exit /b
)

for /r "%folderPath%" /d %%F in (*) do (
    ren "%%F" "!counter!"
    set /a "counter+=1"
)

echo.
echo All folders renamed in the main folder and subfolders.

Exit /b

2023-07-24 07:06
Jason Cole

Generate a Certificate from a Windows CA using certreq

This guide details the process of submitting a Certificate Signing Request (CSR) to a Microsoft Active Directory Certificate Services (AD CS) environment using the certreq command-line tool.
This specific example requests a certificate based on a custom template named "Infrastructure".


1. Prerequisites

Before proceeding, ensure the following are in place:

  • You have a Certificate Signing Request (CSR) file. In this guide, we will use iDRAC.csr.
  • Your Active Directory Certificate Services environment has a configured certificate template named Infrastructure.
    This custom template is typically based on the 'Web Server V2' template and has been adjusted as required to suit the site's needs.
  • You have the necessary permissions to request certificates using the "Infrastructure" template.

2. Obtaining the Certificate Authority Name

To submit the request, you must first identify the correct configuration string for your Certificate Authority (CA).

Instructions

  1. Open a Command Prompt or PowerShell on a domain-joined machine.
  2. Run the following command:
    certutil -getconfig
  3. The command will return the configuration string for the CA. The output will look similar to this:
    Config String: "CA.domain.local\Widgets Issuing CA 01"
    CertUtil: -getconfig command completed successfully.
  4. Copy the Config String value (including the quotes) for use in the next step.

3. Submitting the Certificate Request

With the CA's configuration string, you can now submit your CSR and specify the template to be used.

Instructions

  1. Open a Command Prompt or PowerShell in the same directory as your CSR file.
  2. Execute the following command, replacing the -config value with the one you obtained in the previous step.
    certreq -submit -config "CA.domain.local\Widgets Issuing CA 01" -attrib "CertificateTemplate:Infrastructure" iDRAC.csr iDRAC.cer
  3. If the submission is successful, the CA will issue a certificate based on the "Infrastructure" template, and it will be saved as iDRAC.cer in the same directory.

Command Breakdown

The table below explains each component of the certreq command used.

Parameter | Argument | Description
-submit | (N/A) | An action that specifies the submission of a certificate request to a CA.
-config | "CA.domain.local\Widgets Issuing CA 01" | The configuration string of the target Certificate Authority that will process the request.
-attrib | "CertificateTemplate:Infrastructure" | Specifies request attributes. In this case, it instructs the CA to use the "Infrastructure" certificate template to generate the certificate.
iDRAC.csr | (Input File) | The path to the CSR file being submitted.
iDRAC.cer | (Output File) | The path to save the newly issued certificate file.

2026-04-28 01:25
Jason Cole

Office 365 - Outlook


Connect Outlook 2013 to Office 365

Open Mail Management from Control Panel and create a new Profile

Select Manual Setup

Enter the following details

Server: outlook.office365.com

Username: [email protected]

Use Cached Exchange Mode: Enable

Mail to Keep Offline: 12 Months

Click on More Settings

Select Security Tab

Logon Network Security: Anonymous Authentication

Select Connection Tab

Connect to Microsoft Exchange HTTP: Enable

Click on Exchange Proxy Settings to set proxy

https://outlook.office365.com

Connect using SSL Only: Enable

Only connect to proxy servers that have this principal name in their certificate: MSSTD:outlook.com

On fast Networks, Connect using HTTP....: Enabled

On slow Networks, Connect using HTTP....: Enabled

Use this authentication when connecting.....: Basic Authentication

Outlook is now configured and ready to start

You will be prompted for credentials at first start-up

Source: https://guides.appriver.com/m/8585/l/142450-manual-configuration-outlook-2013

2022-06-29 04:47
Jason Cole

Connect Outlook 2016 to Exchange 2010

Check that the network is not set to Public!

  1. Go to Windows "Settings"
  2. Click on "Network and Internet"
  3. Click on "Ethernet"
  4. Click on your Ethernet adapter
  5. Make sure "Private" is selected, not "Public"
  6. Try again after the change

When configuring a new Outlook profile in Outlook 2016 to Exchange 2010

Outlook will connect to Office 365 first

To stop this make these two registry changes and restart the workstation

{Create Keys as required}

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover

"ExcludeHttpsRootDomain"=dword:00000001

HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\outlook\autodiscover

"ExcludeExplicitO365Endpoint"=dword:00000001

Remove (or set value to 0) these entries when migrating to Office 365

 

2022-06-29 04:47
Jason Cole

Disable Select All (CTRL+A) in Outlook

Add the following registry entry

Key: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\DisabledShortcutKeysCheckBoxes

Create new String Value (REG-SZ)

Name: CtrlA

Value: 65,8

Close and Re-Open Outlook

2026-05-14 00:51
Jason Cole

Increase PST or OST File size above 50GB

Update the registry entries below from the default to the recommended values to double the maximum size of OST/PST files

HKEY_CURRENT_USER\Software\Microsoft\Office\XX.0\Outlook\PST

Outlook 2010: 14.0
Outlook 2013: 15.0
Outlook 2016: 16.0
Outlook 2019: 16.0
Outlook 365: 16.0

 

Default Values

REG_DWORD | Decimal | Hex | Size
MaxLargeFileSize | 51200 | C800 | 50 GB
WarnLargeFileSize | 48640 | be00 | 47.5 GB
MaxFileSize | 2075149312 | 7bb04400 | 1.93 GB
WarnFileSize | 1950368768 | 74404400 | 1.82 GB

 

Increased Values (Recommend increase)

REG_DWORD | Decimal | Hex | Size
MaxLargeFileSize | 102400 | 19000 | 100 GB
WarnLargeFileSize | 97280 | 17C00 | 95 GB
MaxFileSize | 4150298624 | F7608800 | 3.87 GB
WarnFileSize | 3942783692 | EB021ACC | 3.67 GB

 

Notes:
The MaxLargeFileSize registry entry and the WarnLargeFileSize registry entry refer to a UNICODE formatted (new Large format) file in MB.
The MaxFileSize registry entry and the WarnFileSize registry entry refer to an ANSI formatted (an earlier Microsoft Outlook format) file in Bytes.

source: https://support.microsoft.com/en-us/topic/how-to-configure-the-size-limit-for-both-pst-and-ost-files-in-outlook-2f13f558-d40e-9c2a-e3b6-02806fa535f4 

2025-11-03 03:11
Jason Cole

Outlook PST stuck in repair mode

If Outlook states that the PST file is corrupt but scans show that it is OK you may need to force the issue with Outlook

  1. In the registry go to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\PST
    1. Change 16.0 to suit the installed version of Outlook
  2. Delete the following two keys: LastCorruptStore and PromptRepair
  3. Start Outlook

2022-07-27 04:02
Jason Cole

Enabling Manual Archiving in Outlook via Registry

Introduction

Manual archiving in Outlook allows users to organize and store their emails and other items manually, rather than relying solely on automatic archiving.
This guide will walk you through the steps to enable manual archiving by modifying the Windows Registry.

Steps to Enable Manual Archiving

  1. Open the Registry Editor
    • Press Win + R to open the Run dialog box.
    • Type regedit and press Enter. This will open the Registry Editor.

  2. Navigate to the Outlook Preferences Key
    • In the Registry Editor, navigate to the following path:
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Preferences

  3. Modify the disablemanualarchive Value
    • Look for the disablemanualarchive entry in the right pane. If it doesn’t exist, you’ll need to create it:
      • Right-click in the right pane, and select New > DWORD (32-bit) Value.
      • Name the new value disablemanualarchive.
    • Double-click the disablemanualarchive entry.
    • Set the value data to 0 and click OK.

  4. Close the Registry Editor
    • Close the Registry Editor and restart Outlook for the changes to take effect.

Conclusion

By following these steps, you have enabled manual archiving in Outlook.
You can now manually archive your emails and other items as needed.

2025-02-11 05:24
Jason Cole

Exchange


Exchange Upgrade from CU12 to CU22

Install .Net Framework 4.7.1 using MSU installer

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4033369

Install VC++ 2013 runtime

https://www.microsoft.com/en-us/download/details.aspx?id=40784

Download Exchange 2013 CU22

https://www.microsoft.com/en-us/download/details.aspx?id=57069

Update Active Directory Schema

setup.exe /prepareAD /IAcceptExchangeServerLicenseTerms

Install CU22

Run Setup.exe in GUI mode, i.e. with no switches; just double-click setup.exe

Notes:

In case you receive this error in the readiness check:

“All Unified Messaging language packs other than US English (en-US) must be uninstalled before you can upgrade the Mailbox server role. Detected language packs: es-ES"

Run: setup.exe /RemoveUmLanguagePack:es-ES

Adjust to relevant language pack in error message

Then rerun setup

2022-06-29 05:07
Jason Cole

Stop Outlook connecting to old Onsite Exchange

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover
     Add DWORD: ExcludeScpLookup
     Set Value: 1

2022-08-16 01:52
Jason Cole

DKIM and DMARC setup

DomainKeys Identified Mail (DKIM) Setup

DKIM requires the creation of a couple of public CNAME DNS records.
Microsoft Exchange will provide the necessary details for the public DNS.

Here is the basic format of the CNAME entries:

  • Hostname: selector1._domainkey
    Points to address or value: selector1-domain-com._domainkey.domain-com.onmicrosoft.com

  • Hostname: selector2._domainkey
    Points to address or value: selector2-domain-com._domainkey.domain-com.onmicrosoft.com

To obtain these details, attempt to enable DKIM.
This will initially fail as the keys do not exist.
However, the error message will provide the required CNAME records.

Add the CNAMEs to your public DNS.
After approximately 15 minutes, try enabling DKIM again.

Domain-based Message Authentication, Reporting & Conformance (DMARC) Setup

For DMARC, create a shared mailbox and a TXT record on your public DNS.
A shared mailbox, such as [email protected], can be created and set up to forward to yourself or a distribution list.
This lets you remove your forward once you no longer need to see every email, while the mailbox keeps a record of the messages as a log.

To create the DMARC record, use the wizard from MX Toolbox.
https://mxtoolbox.com/DMARCRecordGenerator.aspx 

Click the ‘Show advanced’ option and set every optional value.

While these values are optional, some major mail services, such as Yahoo and iiNet, may fail and drop email if the optional entries are not present.
If a specific optional entry is not important, select the ‘relax’ option which is the default value.

Delete any pre-filled email addresses and add the email address you set up, e.g. [email protected].
Every change updates the grey box to the right; this is the DNS TXT entry you need to add to your public DNS.

Repeat the above steps for every domain from which emails are sent.
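
A check you can run on the generated TXT value before publishing it, as an added example that is not part of the original FAQ or of MX Toolbox. It parses the record, validates the common tag values, lists any optional tags left unset, and flags a report address that is not the shared mailbox. The optional tag list is taken from RFC 7489, and `dmarc-reports@example.com`, both sample records and the function names are constructed for illustration.

```python
# Optional tags from RFC 7489; the advice above is to set every one of them.
OPTIONAL_TAGS = ("sp", "adkim", "aspf", "pct", "fo", "rf", "ri", "rua", "ruf")
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")
        if not sep or not tag.strip():
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def report_addresses(value):
    """Extract mailbox addresses from a rua/ruf value; None marks a non-mailto URI."""
    out = []
    for uri in value.split(","):
        uri = uri.strip()
        if not uri:
            continue
        if uri.lower().startswith("mailto:"):
            out.append(uri[7:].split("!")[0].lower())  # drop optional "!10m" size limit
        else:
            out.append(None)
    return out


def check_dmarc(txt, report_mailbox):
    """Return a list of findings; an empty list means nothing to fix."""
    try:
        pairs = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("record must begin with v=DMARC1")
    if len(tags) != len(pairs):
        findings.append("a tag appears more than once")
    if "p" not in tags:
        findings.append("required tag p is missing")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag].lower() not in POLICIES:
            findings.append(f"{tag} must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ("r", "s"):
            findings.append(f"{tag} must be r (relaxed) or s (strict)")
    pct = tags.get("pct")
    if pct is not None and not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        findings.append("pct must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        if tag in tags:
            addrs = report_addresses(tags[tag])
            if None in addrs:
                findings.append(f"{tag} contains a URI that is not mailto:")
            if report_mailbox.lower() not in addrs:
                findings.append(f"{tag} does not include {report_mailbox}")
    missing = [t for t in OPTIONAL_TAGS if t not in tags]
    if missing:
        findings.append("optional tags not set: " + ", ".join(missing))
    return findings


# Constructed sample records; MAILBOX stands in for the shared mailbox you created.
MAILBOX = "dmarc-reports@example.com"
FULL = ("v=DMARC1; p=quarantine; sp=quarantine; adkim=r; aspf=r; pct=100; fo=1; "
        "rf=afrf; ri=86400; rua=mailto:dmarc-reports@example.com; "
        "ruf=mailto:dmarc-reports@example.com")
# A record where a pre-filled address was left in and the advanced options were skipped.
LEFTOVER = "v=DMARC1; p=none; rua=mailto:prefilled@example.net"

if __name__ == "__main__":
    for record in (FULL, LEFTOVER):
        print(record)
        for finding in check_dmarc(record, MAILBOX) or ["no findings"]:
            print("  -", finding)
```
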

2024-03-19 01:14
Jason Cole

Exchange - Scripts


Export Exchange to PST

How to Export Individual Mailboxes to PST
Configure user performing the export (Usually Admin or EVITSupport) to be a part of the 'Mailbox Export Role'
Open Exchange Management Console (EMC)

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "Admin"
	Reopen EMS

New-MailboxExportRequest -Mailbox <user> -FilePath \\servername\share\user.pst
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics

How to Export PST of List of Users from a txt file
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "Admin"
	Reopen EMS
	
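# Mailbox.txt holds one mailbox alias per line
$Export = Get-Content .\Mailbox.txt
# Get-Content returns plain strings, so use the line itself as both mailbox identity and file name
$Export | % { New-MailboxExportRequest -Mailbox $_ -FilePath "\\servername\pst\$_.pst" }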
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics

Delete Mailbox Export Requests
Once completed the mailbox request can be deleted
To get a list of running requests run:
Get-MailboxExportRequest |ft status, identity -AutoSize

Run the following to delete individual tasks:
 Remove-MailboxExportRequest -identity "<identity>"

Alternatively remove ALL completed tasks with:
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest

How to Export All the Mailboxes to PST
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "Admin"
	Reopen EMS
	
$Export = Get-Mailbox
$Export|%{$_|New-MailboxExportRequest -FilePath "\\servername\pst\$($_.alias).pst"}
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics

How to Export All the Mailboxes with Specific folders
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "Admin"
$Export = Get-Mailbox
	Specifying folders Inbox and Sent Items
$Export|%{$_|New-MailboxExportRequest -IncludeFolders "#SentItems#","#Inbox#" -FilePath "\\servername\pst\$($_.alias).pst"}

2022-07-14 05:48
Jason Cole

SMTP Telnet test

Telnet may need to be installed

telnet mail.domain.com 25

EHLO mail.domain.com
MAIL FROM:[email protected]
RCPT TO:[email protected]
DATA
Subject: Test Message

This is a test message sent using telnet.

.

^ Don't miss the full stop
The message should be accepted for delivery and arrive at the expected destination

2023-03-17 06:01
Jason Cole

Disable/Enable Exchange Services

This script 'Stop_Exchange_Services.CMD' will Set all Exchange services to Manual

then stop the services themselves (Run as Admin!)

 

This script 'Start_Exchange_Services.CMD' will set all Exchange services to their default start values

then start all services (Run as Admin!)

2025-02-11 06:24
Jason Cole

Routing


Telstra APN Names

Code | Service Type | APN
GPTCOMB3 | Access to Internet | telstra.internet
GPDWLES3 | Access to Internet through a proxy / iPhone | telstra.iph
GPWAPB3 | Access to internet and Telstra WAP portal | telstra.wap
GPMMSB3 | Access to Telstra picture messaging | telstra.mms
GPPCPAC3 | Access to Internet with 15 min idle timeout | telstra.pcpack
GPDPACK3 | Access to Internet with 2 hour idle timeout | telstra.datapack
GPTEXB3 | Access to Internet with a dynamic real IP address | telstra.extranet
GPCORPB3 | Access to Internet with Telstra Wireless IP WAN and fixed IP | telstra.corp

 

2022-07-27 04:51
Jason Cole

Add additional S2S connections to a VNet: Azure portal

Prerequisites

Verify the following items:

  • You are NOT configuring a new coexisting ExpressRoute and VPN Gateway Site-to-Site connection.
  • You have a virtual network that was created using the Resource Manager deployment model with an existing connection.
  • The virtual network gateway for your VNet is RouteBased. If you have a PolicyBased VPN gateway, you must delete the virtual network gateway and create a new VPN gateway as RouteBased.
  • None of the address ranges overlap for any of the VNets that this VNet is connecting to.
  • You have a compatible VPN device and someone who is able to configure it. See About VPN Devices. If you aren't familiar with configuring your VPN device, or are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you.
  • You have an externally facing public IP address for your VPN device.

Configure a connection

  1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.

  2. Select All resources and locate your virtual network gateway from the list of resources and select it.

  3. On the Virtual network gateway page, select Connections.


  4. On the Connections page, select +Add.

  5. This opens the Add connection page.


  6. On the Add connection page, fill out the following fields:

    • Name: The name you want to give to the site you are creating the connection to.
    • Connection type: Select Site-to-site (IPsec).

Add a local network gateway

  1. For the Local network gateway field, select Choose a local network gateway. This opens the Choose local network gateway page.

  2. Select + Create new to open the Create local network gateway page.


  3. On the Create local network gateway page, fill out the following fields:

    • Name: The name you want to give to the local network gateway resource.
    • Endpoint: The public IP address of the VPN device on the site that you want to connect to, or the FQDN of the endpoint. If you want to create a connection to another VPN gateway, you can use the IP address of the other gateway in this field.
    • Address space: The address space that you want to be routed to the new local network site.
  4. Select OK on the Create local network gateway page to save the changes.

Add the shared key

  1. After creating the local network gateway, return to the Add connection page.
  2. Complete the remaining fields. For the Shared key (PSK), you can either get the shared key from your VPN device, or make one up here and then configure your VPN device to use the same shared key. The important thing is that the keys are exactly the same.

Create the connection

  1. At the bottom of the page, select OK to create the connection. The connection begins creating immediately.
  2. Once the connection completes, you can view and verify it.

View and verify the VPN connection

In the Azure portal, you can view the connection status of a VPN gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal menu, select All resources or search for and select All resources from any page.

  2. Select your virtual network gateway.

  3. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.

  4. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.


Next steps

Once your connection is complete, you can add virtual machines to your virtual networks

Source: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-multi-site-to-site-resource-manager-portal

2022-09-05 08:50
Jason Cole

Finding Spanning Tree loop

The following commands can help locate the loop.

show spanning-tree
* This shows how long ago a Spanning Tree event took place.

show spanning-tree topo-change-history originated
* This command shows the history of topology changes that were originated by the local switch.
* It helps you identify if the local switch has been causing topology changes in the network.

show spanning-tree topo-change-history received
* This command shows the history of topology changes that were received by the local switch.
* It provides information about which switch generated the topology change, on which port it was generated, and when it was generated.

show lldp info remote-device A1
* This will help identify the device on the port, usually picked up from the above received command.

2024-02-07 06:35
Jason Cole

Sophos Web Filtering Exception for Google Tools and Download Services

A web filtering exception is a firewall or content filter configuration that allows traffic to specific websites or domains that might otherwise be blocked.
Such exceptions are often used to permit trusted services essential for system updates or software downloads.

One common example is creating exceptions for tools.google.com and dl.google.com, which are Google-related domains used for downloading certain tools, plugins, or updates.
Allowing traffic to these domains ensures the uninterrupted functionality of Google services or software deployment tools within a network that uses web filtering.

Procedure

  1. Log into the Sophos Web Console interface.
  2. Navigate to the Web section and select Exceptions.
  3. Choose Add Exception.
  4. Configure URL patterns to match the desired domains, such as:
    • ^tools\.google\.com
    • ^dl\.google\.com
  5. Set the option to skip policy checks.
  6. Save the configuration.

Security Considerations

While exceptions can enable necessary functionality, they must be implemented with caution.
Allowing unrestricted access to certain domains could potentially bypass security controls.
Organisations should verify the trustworthiness of the domains being whitelisted and ensure they are still required for business operations.
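
An added check (not from the original page or from Sophos) for the over-broad-exception risk described above: it runs the two patterns from the procedure against constructed URLs and shows that, with nothing terminating the hostname after `com`, each also exempts a longer hostname that merely begins with the trusted one. It assumes the filter applies the pattern as an unanchored regular-expression search to host plus path with the scheme removed; `probes`, `audit` and `tighten` are hypothetical helper names, and the tightened pattern should be confirmed against your Sophos version's matching rules.

```python
import re


def probes(host):
    """Constructed request URLs, scheme removed: one intended, three that are not."""
    return {
        "intended": f"{host}/service/update2",
        "suffix-lookalike": f"{host}.example.net/file.bin",
        "prefix-lookalike": f"x{host}/file.bin",
        "host-in-query": f"example.net/?next={host}/",
    }


def audit(pattern, host):
    """Report whether the pattern covers the intended host and what else it exempts."""
    rx = re.compile(pattern)
    hits = {label: bool(rx.search(url)) for label, url in probes(host).items()}
    return {
        "pattern": pattern,
        "matches_intended": hits["intended"],
        "overmatch": sorted(k for k, hit in hits.items() if hit and k != "intended"),
    }


def tighten(host):
    """Pattern for exactly this host: anchored start, optional root dot and port, then '/' or end."""
    return "^" + re.escape(host) + r"\.?(?::\d+)?(?:/|$)"


# The two patterns from the procedure above, with the host each is meant to allow.
PAGE_EXCEPTIONS = [
    (r"^tools\.google\.com", "tools.google.com"),
    (r"^dl\.google\.com", "dl.google.com"),
]


def audit_all(exceptions):
    """Audit each (pattern, host) pair alongside the audit of its tightened form."""
    return [(audit(p, h), audit(tighten(h), h)) for p, h in exceptions]


if __name__ == "__main__":
    for original, fixed in audit_all(PAGE_EXCEPTIONS):
        for r in (original, fixed):
            print(f"{r['pattern']:<45} intended={r['matches_intended']} "
                  f"overmatch={r['overmatch']}")
```

Because the exception skips policy checks, any hostname listed under `overmatch` would bypass filtering as well, so keep only patterns whose `overmatch` list is empty.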

2025-11-03 02:53
Jason Cole

Routing - Sophos


Enable routing remote SSL traffic to remote IPSEC connection (Hub and Spoke routing Sophos UTM)

To enable a remote user on an SSL connection to access a remote site via the head office IPSec connection

On the Head Office Router add/modify the following:

Network Protection -> Firewall -> Rules

Add Rule

Source: VPN Pool (SSL)

Services: Any

Destination: Any

Action: Allow

Network Protection -> NAT -> NAT

Add Rule

Add SNAT Rule

Rule Type: SNAT

For Traffic From: VPN Pool (SSL)

Using Service: Any

Going to: Remote site LAN IP Range

Change the Source to: Internal (Address)

And the service to: Leave blank

Automatic firewall rule: Enable

Advanced -> Rule applies to IPSec packets: Enable

Remote Access -> SSL -> Profiles

Modify Remote Access Profile

Local Networks: Add Remote Site LAN IP Range

2022-06-29 04:58
Jason Cole

Office 365 Install/Update issue - Sophos

Issue: Office 365 does not install or update when Sophos web filtering is enabled

Solution:

  1. Log into Sophos UTM
  2. Go to Web Protection -> Filtering options
  3. Click New Exception List
  4. Configure the following
    1. Name: Microsoft Software CDN
    2. Select the following
      1. MIME type Blocking
      2. Antivirus
      3. Block by download size
      4. SSL Scanning
      5. Certificate trust check
      6. Do not display Download/Scan progress page
      7. Certificate date check
    3. For All requests select "Matching these URLs"
      1. Enter the following URLs
        • officecdn.microsoft.com.edgesuite.net
        • officecdn.microsoft.com
  5. Save the exception

2022-08-16 02:00
Jason Cole

Sophos XG Firewall v18 to Azure VPN Gateway IPSEC Connection

Step 1: Create Azure Local Network Gateway (with XG public IP details)

The local network gateway typically refers to your on-premises location. You'll need the public IP address of your On-Prem Sophos XG firewall and your On-Prem Private IP address spaces.

Please note that this configuration assumes that the public IP address is directly configured on the On-Prem XG firewall. Your configuration will be slightly different if your On-Prem XG firewall sits behind a NAT device.

  1. Go to the Azure Portal: https://portal.azure.com and sign in with your credentials.
  2. Click on "Create a resource".
  3. In the search box, type "Local Network Gateway".
  4. Select "Local Network Gateway" and click on "Create".
  5. In the "Create local network gateway" blade, configure the following and then click on "Create":

    • Name: On_Premises_Sophos_XG_Firewall (You can give this any preferred name).
    • Endpoint: IP address
    • IP address: Specify the public IP address of your Sophos XG firewall.
    • Address space: Specify the address ranges for the network that your On-Prem local network represents. In our scenario, this is 10.100.0.0/16.
    • Subscription: Verify that the correct subscription is selected for the deployment.
    • Resource Group: Select the resource group that you want to use. You can either create a new resource group or select an existing one.
    • Location: Select the location that this object will be created in.

Step 2: Create a Gateway Subnet

The VPN gateway will be deployed into a specific subnet of your network called the 'GatewaySubnet'. The size of the GatewaySubnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a GatewaySubnet as small as /29, it is recommended to create a larger subnet that includes more addresses by selecting /27 or /28 to be able to accommodate future configurations.

  1. In the Azure Portal: https://portal.azure.com, click on "More Services".
  2. In the search box, type "Virtual Networks" and select the "Virtual Networks" option.
  3. Click on the virtual network for which you want to create a virtual network gateway.
  4. In the "Virtual networks" blade, under "Settings", click on "Subnets".
  5. In the "Subnets" blade, click on "+ Gateway subnet" to add a new Gateway subnet.
  6. In the "Add Subnet" blade, configure the CIDR range of the new Gateway subnet and click "Save". In our scenario, this is 10.1.1.0/24.

Step 3: Create the VPN Gateway

  1. In the Azure Portal: https://portal.azure.com, click on "Create a resource".
  2. In the search box, type "Virtual network gateway".
  3. Select "Virtual network gateway" and click on "Create".
  4. In the "Create virtual network gateway" blade, configure the following:

    • Subscription: Verify that the correct subscription is selected for the deployment.
    • Instance details
      • Name: This will be the name of the gateway object you are creating.
      • Region: Select the same location as your virtual network (Otherwise the virtual network will not be displayed on the list).
      • Gateway type: VPN
      • VPN type: Route-based (this is a MUST to be able to use IKEv2).
      • SKU: Select the gateway SKU from the dropdown. For more information about gateway SKUs, see Gateway SKUs.
      • Generation: Generation 1
      • Virtual network: Choose the virtual network to which you want to add this gateway (if the virtual network that you want is not displayed on the list, verify that you have selected the right location in the "Region" parameter above).
    • Public IP address:
      • Public IP address: Create New
      • Public IP address Name: Enter a Name for the public IP address resource.
      • Leave other settings as default.
      • Click on "Review + Create"
      • Click on "Create"
      • Creating a gateway can take up to 45 minutes!
  5. After the VPN gateway creation has completed successfully, obtain its public IP address (this will be needed in step 5).
    • In the Azure Portal, click on "More services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
    • Click on the VPN Gateway that you just created.
    • In the "VPN Gateway" blade, in the "Overview" section, make a note of the public IP address of the gateway.
    • This will be used in step 5.

Step 4: Create the VPN connection (Azure)

  1. In the Azure Portal: https://portal.azure.com, click on "More Services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
  2. Select the VPN gateway that you created earlier.
  3. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then click on "+ Add".
  4. In the "Add connection" blade, configure the following:
    • Name: Sophos_Xg_OnPrem_To_Azure (Input your preferred name)
    • Connection type: Site-to-site (IPSec)
    • Virtual network gateway: The value is fixed because you are connecting from this gateway
    • Local network gateway
      • Click "Choose a local network gateway".
      • In the "Choose a local network gateway"  blade, select the local network gateway that you created earlier.
    • Shared key (PSK): Input a complex shared key. The value here must match the value that we will use on our on-premises Sophos XG firewall.
    • IKE Protocol: IKEv2
    • The remaining values for Subscription, Resource Group, and Location are fixed.
    • Click OK to create your connection. You'll see Creating Connection flash on the screen.

Step 5: Download and extract needed information from the configuration file (Azure)

  1. In the Azure Portal: https://portal.azure.com, click on "More services" and search for "Virtual network gateways". Then click on "Virtual network gateways".
  2. Select the VPN gateway that you created earlier.
  3. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then select the connection that you created earlier.
  4. Click on the "Download configuration" button. This configuration file contains the needed information to configure the VPN connection on the XG Firewall.
  5. In the "Download configuration" blade, select the following:
    • Device vendor: Generic Samples
    • Device family: Device Parameters
    • Firmware version: 1.0
    • Click on "Download configuration".
  6. Open the downloaded file and make a note of the following:
    • Scroll down to the "Tunnel interface (VTI) configuration" section.
    • Make a note of the interface tunnel IP address and subnet mask
    • Also, make a note of the MSS value.
    • Both values will be needed for the configuration of the "xfrm tunnel interface" on the Sophos XG.

Step 6: Create the VPN connection (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG firewall.
  2. Under "Configure", click on "VPN" → "IPSEC Connections" → "Add".
  3. Configure the following settings:
    • General Settings
      • Name: Input any preferred name.
      • Connection type: Tunnel interface
      • IP version: Dual
      • Gateway type: Initiate
      • Activate on save: Selected
      • Description: Add a description for the connection.
    • Encryption
      • Policy: Microsoft Azure
      • Authentication Type: Preshared key
      • Preshared key: Enter the same preshared key that you entered when creating the VPN connection on Azure.
      • Repeat preshared key: Confirm the above preshared key.
    • Gateway settings
      • Listening interface: Select the WAN interface of the Sophos XG Firewall.
      • Gateway address: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
      • Local ID type: IP Address
      • Remote ID type: IP Address
      • Local ID: Enter the public IP of the OnPrem Sophos XG firewall.
      • Remote ID: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
      • There is no option to configure the "Local Subnet" and "Remote Subnet". They will both be set to "0.0.0.0/0".
    • Advanced
      • Leave default settings.
    • Click "Save".
    • Click "OK" when prompted about the "Preshared key".
    • The connection should now be active. Click on the "red" button under Connection to enable the connection.

    • When prompted if you're sure that you want to connect, click "OK".

Step 7: Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
  2. Under "Protect", click on "Rules and policies" → "Add firewall rule" → "New firewall rule".
  3. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:
    • Rule status: None
    • Rule name: azure_to_onprem
    • Action: Accept
    • Rule position: Top
    • Rule group: None
    • Log firewall traffic: Selected
    • Source
      • Source zones: LAN and VPN
      • Source networks and devices: Any
      • During scheduled time: Leave default setting
    • Destination & services
      • Destination zones: LAN and VPN
      • Destination networks: Any
      • Services: Any
    • Leave other settings as default.
      • You can configure the security checks of the XG for the traffic if you want to.
    • Click on "Save".

Step 8: Configure the xfrm tunnel interface (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
  2. Under "Configure", click on "Network" → under "Interfaces", click on the xfrm interface.



  3. In the "Network" configuration window, configure the following:
    • IPv4/netmask: Enter the IP address and select the subnet mask that you made a note of in Step 5 (6).
    • Expand "Advanced settings".
      • Select "Override MSS" and enter the MSS value that you made a note of in Step 5 (6).
    • Click on "Save"



    • In the "Update interface" prompt, click "Update interface".

Step 9: Configure static routing to the Azure network (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
  2. Under "Configure", click on "Routing" → under "Static Routing", click on "Add".
  3. In the "Add unicast route" window, configure the following:
    • Destination IP/Netmask: Enter the network IP and subnet mask of your Azure virtual network.
    • Gateway: You can either leave this empty
      • OR enter the second IP address in the network that you made a note of in Step 5 (6). For example, the XG's tunnel interface in my case is "169.254.0.1" in a "/30" network so the only other IP in that network is "169.254.0.2". I can enter this if I choose.
    • Interface: Select the XG's xfrm tunnel interface.
    • Distance: Leave default setting.
    • Click on "Save"

Step 10: Verify the VPN connection

  1. Do a connectivity test from an on-premise instance to an Azure VM.



  2. Do a connectivity test from an Azure VM to an on-premise instance.



  3. In the Azure Portal: https://portal.azure.com, go to "Virtual network gateways" and select the virtual network that you connected to.
  4. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections".
  5. In the "VPN Gateway - Connections" blade, ensure that the status of the connection is "Connected"



  6. Click on the connection and ensure that you're seeing data flow.
    • Seeing 0B doesn't mean that the connection is not working; it just means that there's no data flow detected on the Azure side.

Things to watch out for

  1. Network Security Groups in Azure
    • A network security group that's configured to block the ports you're attempting to connect on will cause issues.
  2. Route Table configuration in Azure
    • By default, the VPN Gateway automatically advertises the VPN subnets to the vNet route tables but watch out if you have user-defined routes that could override this.

Source: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/126356/sophos-xg-firewall-v18-to-azure-vpn-gateway-ipsec-connection

 

2025-02-11 05:27
Jason Cole

Sophos Web Filtering Exception for Google Tools and Download Services

A web filtering exception is a firewall or content filter configuration that allows traffic to specific websites or domains that might otherwise be blocked.
Such exceptions are often used to permit trusted services essential for system updates or software downloads.

One common example is creating exceptions for tools.google.com and dl.google.com, which are Google-related domains used for downloading certain tools, plugins, or updates.
Allowing traffic to these domains ensures the uninterrupted functionality of Google services or software deployment tools within a network that uses web filtering.

Procedure

  1. Log into the Sophos Web Console interface.
  2. Navigate to the Web section and select Exceptions.
  3. Choose Add Exception.
  4. Configure URL patterns to match the desired domains, such as:
    • ^tools\.google\.com
    • ^dl\.google\.com
  5. Set the option to skip policy checks.
  6. Save the configuration.

Security Considerations

While exceptions can enable necessary functionality, they must be implemented with caution.
Allowing unrestricted access to certain domains could potentially bypass security controls.
Organisations should verify the trustworthiness of the domains being whitelisted and ensure they are still required for business operations.
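
A check of how far the two URL patterns above reach, added here as an example and not part of the original article. It assumes the filter applies each pattern as a regular expression to the host-and-path string of a request; the end-anchored patterns, the sample URLs and the Test-SkipPattern helper are constructed for illustration.

```powershell
# Added example: how far the article's two URL patterns reach.
# Assumption: the web filter tests each pattern, as a regular expression,
# against the "host/path" string of the request (no scheme).

# Patterns exactly as listed in the procedure.
$asWritten = @('^tools\.google\.com', '^dl\.google\.com')

# Constructed alternative: the host name must end right after ".com"
# (optional port, then "/" or end of string).
$endAnchored = @(
    '^tools\.google\.com(:\d+)?(/|$)',
    '^dl\.google\.com(:\d+)?(/|$)'
)

# Constructed sample requests; the ".example" hosts are placeholders.
$sampleUrls = @(
    'tools.google.com/service/update2',
    'dl.google.com/chrome/install/ChromeSetup.exe',
    'dl.google.com:443/',
    'tools.google.com.files.example/setup.exe',
    'dl.google.community.example/update.zip',
    'www.google.com/search'
)

# Hypothetical helper: true when any pattern in the set matches the URL.
function Test-SkipPattern {
    param(
        [Parameter(Mandatory)][string[]]$Pattern,
        [Parameter(Mandatory)][string]$Url
    )
    foreach ($p in $Pattern) {
        if ($Url -match $p) { return $true }
    }
    return $false
}

# One row per request: would it skip policy checks under each pattern set?
$report = foreach ($url in $sampleUrls) {
    [pscustomobject]@{
        Url         = $url
        AsWritten   = Test-SkipPattern -Pattern $asWritten   -Url $url
        EndAnchored = Test-SkipPattern -Pattern $endAnchored -Url $url
    }
}
$report | Format-Table -AutoSize

# Requests that skip policy checks only because the pattern has no end anchor.
$report |
    Where-Object { $_.AsWritten -and -not $_.EndAnchored } |
    Select-Object -ExpandProperty Url
```

Running the same comparison against a sample of real proxy log entries shows whether an exception is broader than the two domains it was written for.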

2025-11-03 02:53
Jason Cole

VMware

Go to category

Increase VMware Converter Performance

Two changes to help speed up ESXi Conversion

  1. Disable SSL

Edit the following file

%ALLUSERSPROFILE%\Application Data\VMware\VMware vCenter Converter Standalone\converter-worker.xml

Search for useSsl value located under the nfc subkey

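Change the value from true to false. This turns off SSL encryption for the disk data transfer (NFC) between the Converter worker and the ESXi host.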

e.g.:

	<Config>
	   ...
	  <nfc>
	    <useSsl>false</useSsl>
	    ...
	  </nfc>
	   ...
	</Config>

Restart the 'VMware vCenter Converter Standalone Worker' service

  2. Change data connection per task

In VMware vCenter Converter Standalone perform the following:

Select Administration

Click Data Connections per Task…

Select Custom and enter 2

Click OK

2022-07-14 05:54
Jason Cole

vCenter VirtualCenter.AutoManagedIPV4 incorrect issue v6.7+

SSH into the vCenter Server Appliance to run the following commands

Stop the Virtual Provisioning X Daemon (vpxd)

service-control --stop vmware-vpxd

Log into the vCenter PostgreSQL database

/opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres
The prompt should change to VCDB=#

Check the current 'VirtualCenter.AutoManagedIPV4' value

select * from vpx_parameter where name = 'VirtualCenter.AutoManagedIPV4';

Change the 'VirtualCenter.AutoManagedIPV4' to the new value

update vpx_parameter set value = '10.10.12.27' where name = 'VirtualCenter.AutoManagedIPV4';

Check the current 'VirtualCenter.AutoManagedIPV4' value has changed

select * from vpx_parameter where name = 'VirtualCenter.AutoManagedIPV4';

Check the value for the "management_ip" for all hosts in the vpx_host table:

select management_ip,dns_name from vpx_host;

Change this value to "NULL"

update vpx_host set management_ip = NULL where management_ip IS NOT NULL;

Re-check the "management_ip" value for all hosts in the vpx_host table:

select management_ip,dns_name from vpx_host;

Exit the database

\q

Start vCenter Server services

service-control --start vmware-vpxd

All ESXi Hosts should get the updated 'ServerIP' value for their vpxa.cfg file

2022-08-31 03:56
Jason Cole

vCenter Appliance Update Manager (VUM) database unavailable

The vCenter Appliance Update Manager (VUM) database can become unavailable after changing the vCenter IP or Subnet

Run the following commands to re-register the Update Manager back to the vCenter

/usr/lib/vmware-updatemgr/bin/vmware-vciInstallUtils -C /usr/lib/vmware-updatemgr/bin/ -L /var/log/vmware/vmware-updatemgr/ -I /usr/lib/vmware-updatemgr/bin/ -v vcenterappliance.tsvports.local -p 80 -U [email protected] -P password -S /usr/lib/vmware-updatemgr/bin/extension.xml -O extupdate

chown updatemgr:updatemgr /usr/lib/vmware-updatemgr/bin/vci-integrity.xml

Reboot the vCenter Server Appliance

2022-08-31 04:07
Jason Cole

VMware player only showing 2 cores in Windows

VMware player only allocates CPUs and not cores

Windows Desktop OS can only use 2 CPUs, thus only 2 cores are shown in Task Manager

Add/modify the following lines in the .VMX file to show 4 or more cores to Windows Desktop OS
numvcpus = "4"
cpuid.coresPerSocket = "2"

2023-10-24 09:07
Jason Cole

Increasing Memory Assigned to the ESXCLI Process on VMware ESXi

This guide provides instructions for increasing the memory allocation for the ESXCLI process from 300MB to 500MB on a VMware ESXi host.
This adjustment may be necessary when encountering a MemoryError while running an upgrade via the CLI.

Commands Overview

  1. Disable VisorFS Pristine Tardisk Setting

    esxcli system settings advanced set -o /VisorFS/VisorFSPristineTardisk -i 0
    

    Disables the VisorFS Pristine Tardisk setting.

  2. Backup the esxcli-software File

    cp /usr/lib/vmware/esxcli-software /usr/lib/vmware/esxcli-software.bak
    

    Creates a backup of the esxcli-software file.

  3. Modify Memory Allocation in the Backup File

    sed -i 's/mem=300/mem=500/g' /usr/lib/vmware/esxcli-software.bak
    

    Changes the memory allocation value from 300 to 500 in the backup file.

  4. Replace the Original File with the Modified Backup

    mv /usr/lib/vmware/esxcli-software.bak /usr/lib/vmware/esxcli-software -f
    

    Replaces the original esxcli-software file with the modified backup.

  5. Re-enable VisorFS Pristine Tardisk Setting

    esxcli system settings advanced set -o /VisorFS/VisorFSPristineTardisk -i 1
    

    Re-enables the VisorFS Pristine Tardisk setting.

Conclusion

By following these commands, you can increase the memory assigned to the ESXCLI process on your VMware ESXi host. Ensure you have proper backups and understand the changes you are making.

2024-11-05 02:47
Jason Cole

VMware - ESXi

Go to category

ESXi Change Management Switch

  • Log onto ESXi Web Console
  • Under Networking Go to Virtual Switches
  • Create a new Switch called vSwitch1
  • Go to VMkernel NICs
  • Create a new VMkernel NIC called vmk1
    1. Enable Management, select vSwitch1 & Set IP as required
  • Connect via the new Port Group before continuing
  • Edit vmk0 and untick Management
  • Remove vmk0 *** Ensure it is not also used by VMs ***
  • Go to Port Groups and remove Management Network
  • Rename vmk1 port group to Management Network

2022-06-29 05:00
Jason Cole

ESXi NFS Setup

Enable NFS

  1. Go to Control panel -> File Services -> SMB/AFP/NFS
  2. Enable NFS (Do not enable NFS4.1)

Create Datastore Share

  1. Go to Control Panel -> Shared Folder
  2. Create a new Share (e.g. datastore1)

Change NFS Permissions on the new shared folder

  1. Create/edit NFS Rule
    1. Hostname or IP: *
    2. Privilege: Read/Write
    3. Squash: No mapping
    4. Security: sys
    5. Enable asynchronous: True
    6. Allow connections from non-privileged ports: False
    7. Allow users to access mounted subfolders: False
  2. Note Mount path on bottom of page (e.g. /volume1/datastore1)

Create a separate second network connection

  1. Go to Control panel -> Network
    1. Configure a second network with static IP
      1. e.g. 10.0.0.50

Setup ESXi NFS datastore

  1. Log into ESXi Console
  2. Setup Virtual Switch Name: "vSwitchNFS"
    1. Ensure correct physical NIC is selected
  3. Add VMkernel NIC to vSwitch and set IP
    1. Port Group Name: "VM NFS"
    2. Select "vSwitchNFS"
    3. Setup IP to Static
    4. Set IP: e.g. 10.0.0.40

Enable NFS in Firewall

  1. Go to Networking -> Firewall
  2. Enable NFS Client
    1. Allow connections from all IP addresses
  3. Enable nfs41client
    1. Allow connections from all IP addresses
  4. Reboot ESXi

Create Datastore in ESXi

  1. Go to Storage
    1. Click New datastore
    2. Select Mount NFS datastore
    3. Create a relevant datastore name
      1. e.g. datastoreNFS0
    4. Enter IP of Synology
      1. e.g. 10.0.0.50
    5. Enter NFS Share
      1. e.g. /volume1/datastore1

2022-06-29 05:02
Jason Cole

Reset ESXi Hypervisor Licence

Turn on SSH and log in to the host.

Remove the current license

rm -r /etc/vmware/license.cfg

Copy over the new evaluation license, which is already on the host

cp /etc/vmware/.#license.cfg /etc/vmware/license.cfg

Restart ESXi services

/etc/init.d/vpxa restart

Confirm the new license

Source: https://calvin.me/reset-esxi-evaluation-license 

2022-07-27 04:34
Jason Cole

Upgrade ESXi

Enabling SSH on ESXi

  1. Using the Direct Console User Interface (DCUI):

    • Load the DCUI screen and press F2 to log in.
    • Enter the root password.
    • Navigate to Troubleshooting Options and enable ESXi Shell and SSH.
    • Press Alt+F1 to open the console for executing ESXi shell commands.
  2. Using vSphere Web Client:

    • Log in to the vSphere Web Client.
    • Go to Hosts and Clusters, select your ESXi host.
    • Under the Configure tab, open System > Services.
    • Click SSH and start the service.

Listing Available Upgrade Versions

  • To list all available upgrade versions, use the following command:

    esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
    
  • To list specific versions (e.g., ESXi 7.0), use:

    esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0
    

Upgrading ESXi

  • For upgrading to version 6.7.0:

    esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-6.7.0-8169922-standard
    
  • For the latest version (6.7.0):

    esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-6.7.0-20210304001-standard
    
  • For version 6.5.0:

    esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-6.5.0-20210704001-standard
    

Handling DNS Issues

  • If you encounter DNS issues:
    • Check DNS and routing.
    • Add 8.8.8.8 as a secondary DNS server.

Understanding Upgrade File Names

  • Image files with shorter numbers are typically the initial releases (GA).

  • Larger numbers with date references indicate later upgrades.

  • Select the package that includes VMware Tools for upgrading the tools package on systems.

    • Initial GA: ESXi-6.5.0-4564106-no-tools

    • Earlier Upgrade: ESXi-6.5.0-20190701001s-standard

    • Later Upgrade: ESXi-6.5.0-20190804001-standard

    • Does Not Include Tools: ESXi-6.5.0-20190804001-no-tools

    • Includes Tools Package: ESXi-6.5.0-20190804001-stand

Remember to reboot after upgrading (preferably after hours).

2024-03-11 00:32
Jason Cole

Convert a Thick Provisioned VMDK to Thin Provisioned (ESXi CLI Method)

Applies To: ESXi 6.x, ESXi 7.x, ESXi 8.x

1. Summary

This guide provides step-by-step instructions for converting a thick-provisioned virtual machine disk (VMDK) to a thin-provisioned one using the ESXi command-line interface (CLI). This process is useful for reclaiming unused storage space on a datastore.

This article uses the following example:

  • Virtual Machine: VM1
  • Datastore Path: /vmfs/volumes/620b07f2-ebb3db8c-3cfc-e43d1a5aec50/
  • Target Disk: VM1.vmdk (currently thick provisioned)

The end goal is to have the VM1 virtual machine running on a thin-provisioned VM1.vmdk and to safely remove the old thick-provisioned disk file.

2. Important Prerequisites

WARNING: Failure to follow these prerequisites can lead to data loss or a non-functional virtual machine. Proceed with caution.

  • VM Powered Off: The target virtual machine (VM1) must be completely powered off. The operation cannot be performed on a running or suspended VM.
  • No Snapshots: The VM must have NO active snapshots. Before you begin, commit or delete all snapshots. Cloning a disk that is part of a snapshot chain will break the chain and result in a broken VM.
  • Full Backup: It is strongly recommended to have a complete, verified backup of the virtual machine before attempting this procedure.
  • Sufficient Datastore Space: You must have enough free space on your datastore to hold a complete copy of the virtual disk's used data.
  • SSH Access: SSH must be enabled on the ESXi host. You can enable it from the vSphere Host Client under Manage > Services > TSM-SSH.

3. Recommended Method: Storage vMotion (If Available)

If you are using vCenter Server with a vSphere Standard license or higher, the safest and easiest method is to use Storage vMotion. This method requires no downtime.

  1. Right-click the VM in vCenter and select Migrate.
  2. Choose Change storage only.
  3. On the "Select storage" page, select a destination datastore (it can be the same one).
  4. From the "Select virtual disk format" dropdown, choose Thin Provision.
  5. Click Finish. vCenter will handle the entire process automatically.

If you do not have vCenter, proceed with the CLI method below.

4. Main Procedure: CLI Conversion and Renaming

This process involves creating a thin-provisioned copy, renaming files to swap the old disk with the new one, and then cleaning up.

Step 1: Connect via SSH and Navigate to VM Directory

1. Use an SSH client (like PuTTY or Terminal) to log in to your ESXi host.

2. Navigate to the directory of the virtual machine.

cd /vmfs/volumes/620b07f2-ebb3db8c-3cfc-e43d1a5aec50/VM1/

Step 2: Clone the Thick Disk to a New Thin Disk

We will use vmkfstools to create a new, thin-provisioned clone of the original disk. We'll give it a temporary name.

  • -i [source_disk]: Specifies the input or source disk.
  • -d thin: Specifies that the destination format should be thin-provisioned.

vmkfstools -i VM1.vmdk -d thin VM1-temp-thin.vmdk

Step 3: Rename the Disks

Now we perform a "three-way rename" to safely swap the disks. The -E flag safely renames both the descriptor and data files and updates the internal pointers.

1. Rename the original (thick) disk to `-old` for safety.

vmkfstools -E VM1.vmdk VM1-old.vmdk

2. Rename the new (thin) temporary disk to the original name.

vmkfstools -E VM1-temp-thin.vmdk VM1.vmdk

At this point, the VM's configuration file (VM1.vmx) still points to VM1.vmdk, which is now our new thin disk. No changes to the .vmx file are necessary.

Step 4: Power On and Verify

  1. In the vSphere Client, power on the VM1 virtual machine.
  2. Log in to the guest operating system and verify that all data is intact and all applications are functioning correctly.
  3. To confirm the disk is thin, select the VM, go to Edit Settings, expand the hard disk, and the Type should now read as Thin Provision.

5. Reregistering the VM (Optional Troubleshooting)

In 99% of cases, simply powering on the VM after the renaming process works perfectly. If the VM fails to power on with an error like "file not found", you can force ESXi to reread its configuration by unregistering and reregistering it.

  1. In the vSphere Client, right-click the VM1 virtual machine and select Unregister.
  2. Open the Datastore browser, navigate to the VM1 folder.
  3. Right-click the VM1.vmx file and select Register VM.
  4. Follow the wizard prompts. The VM will reappear in your inventory, and you can now power it on.

6. Final Cleanup: Deleting the Old Thick Provisioned File

CAUTION: This step is irreversible. Only proceed after you have 100% confirmed that the virtual machine is running perfectly on its new thin disk.

1. Ensure you are still connected via SSH and are in the VM's directory.

2. Use the vmkfstools -U command to delete the old thick disk safely (VM1-old.vmdk and its -flat file).

vmkfstools -U VM1-old.vmdk

3. You can verify the deletion by listing the files again with ls -lh. The -old files will be gone, and the space on your datastore will be reclaimed.

2026-04-10 04:53
Jason Cole

Office 365 - PowerShell

Go to category

Adding Calendar Permission using PowerShell

List individual Calendar Permissions

Get-MailboxFolderPermission username:\calendar

List Calendar Permissions for all users

Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission "$($_.PrimarySmtpAddress):\calendar"} | Select Identity, User, AccessRights

List Calendar Permissions level for the Default user on all users

Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission "$($_.PrimarySmtpAddress):\calendar"} | Where {$_.User -like "Default"} | Select Identity, User, AccessRights

Configuring new Distribution Group

New-DistributionGroup -Type Security -Name "Resource Calendar Owners" -Alias "grResourceCalendarAccess"

Add Calendar Permissions for a User

add-MailboxFolderPermission -Identity [email protected]:\calendar -User User2 -AccessRights Owner

Add Calendar Permissions for a Security Group

add-MailboxFolderPermission -Identity [email protected]:\calendar -User grResourceCalendarAccess -AccessRights Owner

Remove user permission for a Calendar

Remove-MailboxFolderPermission -Identity [email protected]:\calendar -User [email protected]

Set default Calendar permission for all users

Get-Mailbox | ForEach-Object {Set-MailboxFolderPermission "$($_.PrimarySmtpAddress):\calendar" -User Default -AccessRights AvailabilityOnly}

Get-Mailbox | ForEach-Object {Set-MailboxFolderPermission "$($_.PrimarySmtpAddress):\calendar" -User Anonymous -AccessRights None}

Example changing existing permission

Get-Mailbox | ForEach-Object {Set-MailboxFolderPermission "$($_.PrimarySmtpAddress):\calendar" -User Default -AccessRights Reviewer}

Example adding additional permissions

Get-Mailbox | ForEach-Object {Add-MailboxFolderPermission "$($_.PrimarySmtpAddress):\calendar" -User "Calendar Users" -AccessRights Owner}

Default user should be set to AvailabilityOnly (read free/busy information from the calendar)

Default can be set to Reviewer (read Only)

Options

Owner — read, create, modify and delete all items and folders. Also this role allows manage items permissions;

PublishingEditor — read, create, modify and delete items/subfolders;

Editor — read, create, modify and delete items;

PublishingAuthor — read, create all items/subfolders. You can modify and delete only items you create;

Author — create and read items; edit and delete own items;

NonEditingAuthor – full read access and create items. You can delete only your own items;

Reviewer — read-only;

Contributor — create items and folders;

AvailabilityOnly — read free/busy information from the calendar;

LimitedDetails;

None — no permissions to access folder and files.

https://www.easy365manager.com/how-to-configure-office-365-calendar-permissions/

2022-08-16 01:30
Jason Cole

Office 365 Add Full Access Privileges

To grant a user full access to another mailbox in Office 365 through Outlook and Outlook Web App, follow these steps:

Run the following command (Change identity and user as required)

Add-MailboxPermission -Identity "mailbox" -User "User" -AccessRights FullAccess -InheritanceType All -AutoMapping $true

note: the "mailbox" is the mailbox that needs the permission added, and "User" is the user who needs access to the mailbox.


To grant an admin full access to all user mailboxes in Office 365 through Outlook and Outlook Web App, follow these steps:

Run the following command (Change details as required)

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User [email protected] -AccessRights fullaccess -InheritanceType all

Notes

(RecipientTypeDetails -eq 'UserMailbox') => Mail type to apply changes to (In this case all mailboxes)

 -and (Alias -ne 'Admin') => Exclude this recursive user (Add additional '-and' entries to exclude more than one user)

Add-MailboxPermission => Command to apply changes to selected mailbox

2022-08-16 01:30
Jason Cole

Office 365 Add users to Distribution Group

List all members for a Distribution group

get-DistributionGroupMember -Identity "Distribution Group name"

Add All members to a Specific Distribution group

get-mailbox | foreach-object {Add-DistributionGroupMember -Identity "Distribution Group name" -Member "$_"}

2022-08-16 01:31
Jason Cole

Office 365 Change UPN (UserPrincipalName)

Using PowerShell log into Office 365

Connect to Azure AD using the following commands

$msolcred = get-credential

connect-msolservice -credential $msolcred

Run the following PowerShell command to change the UPN

Set-MsolUserPrincipalName -UserPrincipalName [email protected] -NewUserPrincipalName [email protected]

2022-08-16 01:31
Jason Cole

Office 365 check existing forwards

Connect to the client's Office 365 via PowerShell

Copy and paste the following into the PowerShell console

$mailboxes = Get-Mailbox -ResultSize Unlimited

$rules = $mailboxes | foreach { Get-InboxRule -Mailbox $_.Alias }

$rules | where { ( $_.ForwardAsAttachmentTo -ne $NULL ) -or ( $_.ForwardTo -ne $NULL ) -or ( $_.RedirectTo -ne $NULL ) } | foreach {Get-InboxRule -Identity $_.Identity | fl Name,Identity,ForwardTo,ForwardAsAttachmentTo,RedirectTo}

Add '| out-file c:\temp\lll.txt' to the end to send to a file

e.g.

$rules | where { ( $_.ForwardAsAttachmentTo -ne $NULL ) -or ( $_.ForwardTo -ne $NULL ) -or ( $_.RedirectTo -ne $NULL ) } | foreach {Get-InboxRule -Identity $_.Identity | fl Name,Identity,ForwardTo,ForwardAsAttachmentTo,RedirectTo} | out-file c:\temp\lll.txt

source: https://blogs.technet.microsoft.com/timmcmic/2015/04/19/office-365-determine-accounts-that-have-forwarding-enabled/
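
An added example (not from the original article or its source) that takes the same inbox-rule properties and labels every forwarding target as Internal, External or Directory, so externally forwarding rules stand out. The sample rules, the contoso.example domain and the Get-ForwardTarget helper are hypothetical, and the recipient string format is an assumption.

```powershell
# Added example: classify inbox-rule forwarding targets as internal or external.
# The sample rules are constructed; in a live session pipe in the $rules
# collection built from Get-InboxRule instead of $sampleRules.
# Assumption: SMTP recipients render as '"Name" [SMTP:user@domain]' and
# directory recipients as '"Name" [EX:/o=...]'.

$internalDomains = @('contoso.example')    # hypothetical accepted domain(s)

$sampleRules = @(
    [pscustomobject]@{
        MailboxOwnerId = 'alice'; Name = 'Copy invoices'; Enabled = $true
        ForwardTo = @('"Alice Home" [SMTP:alice.home@mail.example.net]')
        ForwardAsAttachmentTo = $null; RedirectTo = $null
    },
    [pscustomobject]@{
        MailboxOwnerId = 'bob'; Name = 'To team lead'; Enabled = $true
        ForwardTo = @('"Carol" [EX:/o=ExampleOrg/ou=Recipients/cn=carol]')
        ForwardAsAttachmentTo = $null; RedirectTo = $null
    },
    [pscustomobject]@{
        MailboxOwnerId = 'dave'; Name = 'Holiday cover'; Enabled = $false
        ForwardTo = $null; ForwardAsAttachmentTo = $null
        RedirectTo = @('"Erin" [SMTP:erin@contoso.example]',
                       '"Archive" [SMTP:archive@partner.example.org]')
    }
)

# Hypothetical helper: emits one object per forwarding target of a rule.
function Get-ForwardTarget {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Rule,
        [string[]]$InternalDomain = @()
    )
    process {
        foreach ($action in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            foreach ($recipient in @($Rule.$action)) {
                if (-not $recipient) { continue }      # action not used by this rule
                $text = [string]$recipient
                if ($text -match '\[SMTP:(?<addr>[^\]\s]+@(?<dom>[^\]\s]+))\]') {
                    $target = $Matches['addr']
                    $scope  = if ($InternalDomain -contains $Matches['dom']) { 'Internal' } else { 'External' }
                } else {
                    # No SMTP address in the string: treat as a directory recipient.
                    $target = $text
                    $scope  = 'Directory'
                }
                [pscustomobject]@{
                    Mailbox = $Rule.MailboxOwnerId
                    Rule    = $Rule.Name
                    Enabled = $Rule.Enabled
                    Action  = $action
                    Target  = $target
                    Scope   = $scope
                }
            }
        }
    }
}

$findings = $sampleRules | Get-ForwardTarget -InternalDomain $internalDomains
$findings | Format-Table Mailbox, Rule, Enabled, Action, Target, Scope -AutoSize

# Enabled rules that send mail outside the organisation: review these first.
$findings | Where-Object { $_.Scope -eq 'External' -and $_.Enabled } | Format-Table -AutoSize
```

Inbox rules are only one place forwarding can be configured; the mailbox-level ForwardingSmtpAddress and ForwardingAddress properties returned by Get-Mailbox are not covered by this check.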

2022-08-16 01:31
Jason Cole

Office 365 Delete Mail from Mailboxes

Assign eDiscovery permissions in the Security & Compliance Center

1. Go to https://protection.office.com.

2. Sign in using your work or school account.

3. In the left pane of the security and compliance center, select Permissions, and then select the checkbox next to eDiscovery Manager.

4. On the eDiscovery Manager flyout page, do one of the following based on the eDiscovery permissions that you want to assign.

To make a user an eDiscovery Manager: 
Next to eDiscovery Manager, select Edit. In the Choose eDiscovery Manager section, select the Choose eDiscovery Manager hyperlink, and then select Add. Select the user (or users) you want to add as an eDiscovery manager, and then select Add. When you're finished adding users, select Done. Then, on the Editing Choose eDiscovery Manager flyout page, select Save to save the changes to the eDiscovery Manager membership.

To make a user an eDiscovery Administrator: 
Next to eDiscovery Manager, select Edit. In the Choose eDiscovery Administrator section, under eDiscovery Administrators, select Choose eDiscovery Administrator, select Edit, and then select Add. Select the user (or users) you want to add as an eDiscovery Administrator, and then select Add. When you're finished adding users, select Done. Then, on the Editing Choose eDiscovery Administrator flyout page, select Save to save the changes to the eDiscovery Administrator membership.


Search for and Delete email messages

Connect to Security & Compliance Center PowerShell 

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -DisableNameChecking

Create a Content Search to find the message to delete

$Search=New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation All -ContentMatchQuery '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'

Start-ComplianceSearch -Identity $Search.Identity

Delete the message

New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
or

New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete

Check the Status of the task

Get-ComplianceSearchAction | ft SearchName, Status, JobProgress

Delete Compliance Search task when completed

Remove-ComplianceSearchAction -Identity "Remove Phishing Message_Purge"

2022-08-16 01:40
Jason Cole

Office 365 PowerShell Access

Open PowerShell

The Exchange Online Management module is required.
Run the following commands to install as required

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement

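To start accessing Office 365 via PowerShell, run the following commands. Note that this is the legacy remote PowerShell connection using Basic authentication, which Microsoft has retired for Exchange Online; the ExchangeOnlineManagement module installed above provides Connect-ExchangeOnline, which uses modern authentication.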

$UserCredential = Get-Credential

Enter Admin credentials

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -DisableNameChecking

When finished run the following command before closing PowerShell

Remove-PSSession $Session

2022-11-14 01:36
Jason Cole

Office 365 Public Folders Information

Obtain current settings

Get-OrganizationConfig | Format-List *quota*

To change Settings

Set-OrganizationConfig -DefaultPublicFolderProhibitPostQuota 50GB -DefaultPublicFolderIssueWarningQuota 45GB

Default Values

DefaultPublicFolderIssueWarningQuota : 1.7 GB (1,825,361,920 bytes)

DefaultPublicFolderProhibitPostQuota : 2 GB (2,147,483,648 bytes)

2022-08-16 01:41
Jason Cole

Office 365 Save Sent Items in Shared Mailbox Sent Items folder

When you send a message as another user or on behalf of the user, the sent message isn't saved to the Sent Items folder of the shared mailbox. Instead, it's saved to the Sent Items folder of your mailbox.

Using Exchange PowerShell, for emails Sent As the shared mailbox, run the following cmdlet

set-mailbox <mailbox name> -MessageCopyForSentAsEnabled $True

For all users:

get-mailbox | foreach-object {set-mailbox  -Identity "$_" -MessageCopyForSentAsEnabled $True}

Using Exchange PowerShell, for emails Sent On Behalf of the shared mailbox, run the following cmdlet

set-mailbox <mailbox name> -MessageCopyForSendOnBehalfEnabled $True

For all users:

get-mailbox | foreach-object {set-mailbox  -Identity "$_" -MessageCopyForSendOnBehalfEnabled $True}

2022-08-16 01:42
Jason Cole

Office 365 Set Time Zone PowerShell

Log into Office 365 via PowerShell

Run the following command to set Language to English (Australia) and Time zone to +10 Brisbane

get-mailbox | Set-MailboxRegionalConfiguration -DateFormat dd/MM/yyyy -Language en-AU -TimeZone "E. Australia Standard Time"

To find out current setting run the command in PowerShell

get-mailbox | Get-MailboxRegionalConfiguration

2022-08-16 01:42
Jason Cole

WINMAIL.DAT issue on iPhones and iPads

This issue occurs when the receiver’s email client is unable to interpret a message sent from Microsoft Outlook in the Rich Text format. When you send an email from Outlook using rich text, a plain text copy of the email is sent, along with an attachment called WINMAIL.DAT. This attachment contains all the rich text formatting, elements and other data unique to rich text messages.

The problem is, a lot of email programs can’t open emails sent using this method, known as Transport Neutral Encapsulation Format – or TNEF. In order to resolve it, we need to force Exchange Online to convert rich text messages to HTML before sending them. We do this by setting the RemoteDomain property TNEFEnabled to false on the Default policy.

Solution

  1. PowerShell into the client's Office 365
  2. Run Get-RemoteDomain | FL
    1. Confirm the TNEFEnabled entry is either empty or True
  3. Run Set-RemoteDomain Default -TNEFEnabled $False
  4. Confirm changes occurred
    1. Run Get-RemoteDomain | FL
    2. The TNEFEnabled entry should now show False

Source: https://gcits.com/knowledge-base/how-to-fix-the-winmail-dat-attachment-issue/

2022-08-16 01:42
Jason Cole

Recover Disconnected Exchange 365 Mailbox

Run this command to see a list of available offline mailboxes


Get-Mailbox -InactiveMailboxOnly | Format-List Name,DistinguishedName,ExchangeGuid,PrimarySmtpAddress


Command to create mailbox using disconnected mailbox

new-mailbox -inactivemailbox <ExchangeGuid> -Alias <Alias> -Name <Alias> -FirstName <First Name> -LastName <LastName> -DisplayName "<DisplayName>" -MicrosoftOnlineServicesID [email protected]

e.g.
new-mailbox -inactivemailbox daea9fc7-4503-4330-8ec4-84277ffa0da4 -Alias KarenC -Name KarenC -FirstName Karen -LastName Cockerell -DisplayName "Karen Cockerell" -MicrosoftOnlineServicesID [email protected]

You can't recover or restore an inactive mailbox configured with an auto-expanding archive.
If you need to recover data from an inactive mailbox with an auto-expanding archive, use content search to export the data from the mailbox and then import it to another mailbox.


For instructions, see the following articles
Content search https://docs.microsoft.com/en-us/microsoft-365/compliance/content-search?view=o365-worldwide 
Export content search results https://docs.microsoft.com/en-us/microsoft-365/compliance/export-search-results?view=o365-worldwide 

2022-09-15 06:40
Jason Cole

Bulk change Microsoft 365 Licences

If you have a text file with a list of User Principal Names (UPNs) that you want to change, you can use a PowerShell script to read the file and change the licenses for each user. Here’s an example:

# Connect to your Microsoft 365 tenant
# Set-MsolUserLicense belongs to the MSOnline module, so connect with Connect-MsolService
Connect-MsolService

# Define the SKU IDs for the E3 and E5 licenses
$e3License = "contoso:ENTERPRISEPACK"
$e5License = "contoso:ENTERPRISEPACK_E5"

# Read the UPNs from the file
$upns = Get-Content -Path "C:\temp\e3_users.txt"

# Loop through each UPN and change the license
foreach ($upn in $upns) {
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $e5License -RemoveLicenses $e3License
}

In this script, replace "contoso:ENTERPRISEPACK_E5" and "contoso:ENTERPRISEPACK" with the actual SKU IDs of your E5 and E3 licenses respectively.
Also, ensure that you have enough E5 licenses available in your tenant before running this script.

This script assumes that the file at C:\temp\e3_users.txt contains one UPN per line.
If your file is formatted differently, you may need to adjust the Get-Content command accordingly.

2023-11-03 07:39
Jason Cole

Microsoft Graph PowerShell SDK

Open PowerShell and prepare for installation

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

Ensure the following PowerShell modules are installed.

# Install Microsoft.Graph module
Install-Module Microsoft.Graph -Scope CurrentUser

# Install Microsoft.Graph.Beta module
Install-Module Microsoft.Graph.Beta -Scope CurrentUser

# Install Microsoft.Graph.Authentication module
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser 

Connect to Microsoft.Graph

Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All","Organization.Read.All"

Source: Install the Microsoft Graph PowerShell SDK | Microsoft Learn
Source: Get started with the Microsoft Graph PowerShell SDK | Microsoft Learn

2023-11-07 01:48
Jason Cole

Change Office 365 licences CLI

In this example, we are changing from E3 to E5 licences for a list of users

Connect to your Microsoft 365 tenant using Microsoft Graph
https://wiki.jraustralia.com/index.php?action=faq&cat=2&id=92&artlang=en

Create a file called C:\temp\e3_users.txt with a single line for every user UPN who is moving to an E5 licence.

Note:

You need to replace "TenantName:ENTERPRISEPACK" and "TenantName:ENTERPRISEPACK_E5" with your actual tenant’s name and license name.
To find out the tenant name run: Get-MgOrganization | ft DisplayName
To list available licence names run: Get-MgSubscribedSku | ft SkuPartNumber


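# Requires a Graph session with a scope that allows licence changes (e.g. User.ReadWrite.All)

# Define the licence names for the E3 and E5 licenses
$e3License = "TenantName:ENTERPRISEPACK"
$e5License = "TenantName:ENTERPRISEPACK_E5"

# Set-MgUserLicense works with SKU GUIDs, not names, so resolve each licence
# name (the part after the colon) to its SkuId
$skus = Get-MgSubscribedSku
$e3SkuId = ($skus | Where-Object { $_.SkuPartNumber -eq ($e3License -split ':')[-1] }).SkuId
$e5SkuId = ($skus | Where-Object { $_.SkuPartNumber -eq ($e5License -split ':')[-1] }).SkuId
if (-not $e3SkuId -or -not $e5SkuId) { throw "Licence name not found in Get-MgSubscribedSku output" }

# Read the UPNs from the file
$upns = Get-Content -Path "C:\temp\e3_users.txt"

# Loop through each UPN and change the license
foreach ($upn in $upns) {
    # Remove the E3 license (-AddLicenses and -RemoveLicenses are both mandatory,
    # so the unused one is passed as an empty list)
    Set-MgUserLicense -UserId $upn -RemoveLicenses @($e3SkuId) -AddLicenses @() -Confirm:$false

    # Add the E5 license
    Set-MgUserLicense -UserId $upn -AddLicenses @(@{SkuId = $e5SkuId}) -RemoveLicenses @() -Confirm:$false
}

You can combine the command to add and remove a licence in one go
Set-MgUserLicense -UserId $upn -AddLicenses @(@{SkuId = $e5SkuId}) -RemoveLicenses @($e3SkuId) -Confirm:$false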

2023-11-07 02:12
Jason Cole

Windows - Registry

Disable Select All (CTRL+A) in Outlook

Add the following registry entry

Key: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\DisabledShortcutKeysCheckBoxes

Create new String Value (REG_SZ)

Name: CtrlA

Value: 65,8

Close and Re-Open Outlook

2026-05-14 00:51
Jason Cole

Stop Outlook connecting to old Onsite Exchange

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover
     Add DWORD: ExcludeScpLookup
     Set Value: 1

2022-08-16 01:52
Jason Cole

Setup Taskbar when Windows Workstation/Server Unregistered

This will configure the user desktop on an unlicensed Windows Workstation/System

The following registry entries should be added and Explorer.exe restarted

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
TaskbarGlomLevel = dword:00000002 -> Combine Taskbar icons when the taskbar is full 
HideFileExt = dword:00000000 -> Show File Extensions
NavPaneExpandToCurrentFolder = dword:00000001 -> Expand to open folder in Navigation pane

Restart Explorer.exe to allow the changes to become active.

To show all icons and notifications on the taskbar, run:
explorer shell:::{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}

The above can be executed by a CMD script. (Reg and CMD batch files available)

@Echo off
Echo Running script in folder %~dp0
c:\Windows\System32\regedt32.exe /s "%~dp0taskbar_setup.reg"
taskkill /f /im explorer.exe
start explorer.exe
Timeout 3
explorer shell:::{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}
exit /b

2025-02-11 05:20
Jason Cole

Installing and Uninstalling Programs in Safe Mode

Introduction

Safe Mode is a diagnostic mode in Windows that starts the operating system with a minimal set of drivers and services. This can be useful for troubleshooting issues. However, by default, the Windows Installer service is not available in Safe Mode, which can prevent the installation or uninstallation of programs. This guide will show you how to enable the Windows Installer service in Safe Mode.

Steps

  1. Open an Elevated Command Prompt in Safe Mode
    • Boot your computer into Safe Mode.
    • Open an elevated command prompt.
    • You can do this by searching for cmd in the Start menu, right-clicking on Command Prompt, and selecting Run as administrator.
  2. Add the Windows Installer Service to Safe Mode

    Copy and paste the following commands into the elevated command prompt one at a time, pressing Enter after each command:

    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service"
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer" /VE /T REG_SZ /F /D "Service"
    net start msiserver
        

    The first two commands add the “Service” registry value to include the Windows Installer service in Safe Mode. The third command starts the Windows Installer service.

  3. Close the Elevated Command Prompt

    Once the commands have been executed successfully, close the elevated command prompt.

  4. Install or Uninstall Programs

    You should now be able to install and uninstall programs while in Safe Mode.

Conclusion

By following these steps, you can enable the Windows Installer service in Safe Mode, allowing you to manage your programs even when troubleshooting your system. This can be particularly useful for removing problematic software or installing essential updates.

2026-01-06 01:31
Jason Cole

Network Location Awareness (NLA) Service Startup Timing via Registry

Overview

The Network Location Awareness (NLA) service in Windows is responsible for identifying the type of network a machine is connected to—Domain, Private, or Public. On domain controllers and domain-joined machines, NLA may incorrectly classify the network as "Private" during boot if critical services like DNS or Netlogon are not yet available.

This guide explains how to modify the Windows Registry to adjust the startup dependencies of the NLA service, ensuring it waits for essential services before initializing.

Why Modify NLA Dependencies?

By default, NLA may start too early in the boot process, before services like DNS Client or Netlogon are ready. This can result in:

  • Incorrect network profile assignment
  • Group Policy failures
  • Authentication issues
  • Delayed domain connectivity

Adding dependencies ensures NLA waits for these services, improving reliability.

Steps to Modify the Registry

  1. Open Registry Editor
    Press Win + R, type regedit, and press Enter.
    Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc
  2. Edit DependOnService
    Locate the DependOnService value (type: REG_MULTI_SZ).
    Double-click to edit.
    Add the following services, each on a new line:
    • NSI
    • RpcSs
    • TcpIp
    • Dhcp
    • Eventlog
    • Dnscache
    • Netlogon
    • LanmanWorkstation

    These additions ensure NLA waits for DNS resolution, domain authentication, and network share connectivity.

  3. Restart the System
    Reboot the machine to apply changes.
    After reboot, verify that the network profile is correctly identified as Domain.

Important Considerations

  • Always back up the registry before making changes.
  • Ensure service names are spelled correctly. Incorrect entries can prevent NLA from starting.
  • Optionally, set NLA to Automatic (Delayed Start) via services.msc for additional boot-time flexibility.

Verification

After reboot:

  • Open Control Panel > Network and Sharing Center
  • Confirm the network is listed as Domain Network
  • Check Event Viewer for any NLA-related errors under System Logs

Related Tools

  • Group Policy Editor (gpedit.msc): Enforce domain profile settings.
  • PowerShell: Automate registry edits and service configuration.
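
The registry edit above can be scripted so that the backup, the spelling check and the merge happen in one pass. The following is an added example, not part of the original article; the backup path C:\Temp\NlaSvc-backup.reg is an assumption, and the service list is the one given in the steps above.

```powershell
#Requires -RunAsAdministrator
# Added example: merge the required services into NlaSvc\DependOnService.

$svcKeyPs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc'
$svcKeyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc'
$backup    = 'C:\Temp\NlaSvc-backup.reg'     # assumed backup location
$required  = 'NSI','RpcSs','TcpIp','Dhcp','Eventlog','Dnscache','Netlogon','LanmanWorkstation'

# 1. Back up the key before touching it ("Always back up the registry").
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
& reg.exe export $svcKeyReg $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $svcKeyReg failed; nothing was changed." }

# 2. Refuse to write a name that has no service key on this machine.
#    A misspelled dependency can prevent NLA from starting.
$missing = $required | Where-Object {
    -not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$_")
}
if ($missing) {
    throw "No service key found for: $($missing -join ', '). Nothing was changed."
}

# 3. Read the current list (REG_MULTI_SZ) and merge without duplicates.
#    -contains is case-insensitive, so 'tcpip' and 'TcpIp' count as the same entry.
$current = @((Get-ItemProperty -Path $svcKeyPs -Name DependOnService `
              -ErrorAction SilentlyContinue).DependOnService) | Where-Object { $_ }

$merged = [System.Collections.Generic.List[string]]::new()
foreach ($name in @($current) + $required) {
    if ($name -and -not ($merged -contains $name)) { $merged.Add($name) }
}

# 4. Write back only if something actually changed.
$added = $merged | Where-Object { -not (@($current) -contains $_) }
if ($added) {
    Set-ItemProperty -Path $svcKeyPs -Name DependOnService `
        -Value ([string[]]$merged) -Type MultiString -ErrorAction Stop
    Write-Host "Added dependencies: $($added -join ', ')"
    Write-Host "Backup saved to $backup. Reboot to apply."
} else {
    Write-Host "DependOnService already contains every required service."
}

# 5. Show the stored value for review.
(Get-ItemProperty -Path $svcKeyPs -Name DependOnService).DependOnService

# After the reboot, the profile can be checked from PowerShell as well:
#   Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
# A domain network reports NetworkCategory = DomainAuthenticated.
```

If the change has to be rolled back, import the backup with reg import and reboot.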

2026-01-06 01:16
Jason Cole

How to Disable the Blur Effect on the Windows Logon Screen

The Windows logon screen features an Acrylic blur effect, which adds a frosted glass appearance to the background image.
While this visual feature enhances aesthetics, some users prefer a clear background for performance or personal preference.
This article outlines two methods to disable the blur effect.


Applicable Versions

  • Windows 10 (version 1903 and later)
  • Windows 11
  • Editions: Pro, Enterprise, Education (Group Policy method); All editions (Registry method)

Method 1: Using Group Policy Editor

Note: This method is available only on Windows Pro, Enterprise, and Education editions.

Steps:

  1. Press Win + R, type gpedit.msc, and press Enter.
  2. Navigate to:
    Computer Configuration > Administrative Templates > System > Logon
  3. Double-click Show clear logon background.
  4. Select Enabled.
  5. Click OK to apply the change.
  6. Restart your computer.

Method 2: Using Registry Editor

Note: This method works on all Windows editions, including Home.

Steps:

  1. Press Win + R, type regedit, and press Enter.
  2. Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
  3. If the System key does not exist:
    • Right-click on Windows, select New > Key, and name it System.
  4. Inside the System key:
    • Right-click and select New > DWORD (32-bit) Value.
    • Name the value: DisableAcrylicBackgroundOnLogon.
    • Set its value to 1.
  5. Close the Registry Editor.
  6. Restart your computer.

Result

After applying either method, the login screen will display a clear background image instead of the blurred effect.

2025-07-25 01:31
Jason Cole

Windows Registry: DateTime Servers

Summary

This article documents how Windows stores and presents the list of available Internet time (NTP) servers in the Date and Time Control Panel, and how to set the default server selection via the registry. It covers the registry path, value semantics, example configuration, deployment guidance, and related considerations.


Registry Location

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers
  • Scope: Machine-wide
  • Purpose: Populates the drop-down list of NTP servers shown in Control Panel → Date and Time → Internet Time → Change settings… and controls which entry is selected by default.

Value Semantics

Within …\DateTime\Servers, values are organised as:

  • Default (REG_SZ): The numeric index (as a string) of the currently selected server from the list.
    Example: @ = "1" means the server labelled "1" is selected by default in the UI.
  • Numbered REG_SZ values (1, 2, 3, …): Each numbered value contains a server hostname (or FQDN).
    Example:
    • "1" = "clock.isc.org"
    • "2" = "north-america.pool.ntp.org"

Important:
This registry key affects the UI list and default selection. It does not itself configure the Windows Time (W32Time) service’s operational peers (which are controlled by HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer and related policy keys). However, when users click Update now or use the Internet Time UI, Windows will attempt to synchronize with the selected server.


Example Configuration (.reg)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
@="1"
"1"="clock.isc.org"
"2"="north-america.pool.ntp.org"

Behavior:

  • The Internet Time settings dialogue will show two choices: clock.isc.org and north-america.pool.ntp.org.
  • The default selection (highlighted when opening the dialogue) will be clock.isc.org (index "1").

Typical Use Cases

  • Standardising the UI list of NTP servers for end-users across an organisation.
  • Pre-selecting a preferred server so users see a vetted choice by default.
  • Complementing W32Time configuration (e.g., via Group Policy) with a curated UI list.

How to Deploy

Option A — Import the .reg File

  1. Save the above snippet as DateTimeServers.reg.
  2. Run as Administrator:
    • Double-click the file and accept the prompt, or
    • Execute via command line:
      reg import DateTimeServers.reg

Option B — Use PowerShell

$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers'
New-Item -Path $base -Force | Out-Null

# Set default selection to index "1"
New-ItemProperty -Path $base -Name '(default)' -Value '1' -PropertyType String -Force | Out-Null

# Populate list entries
New-ItemProperty -Path $base -Name '1' -Value 'clock.isc.org' -PropertyType String -Force | Out-Null
New-ItemProperty -Path $base -Name '2' -Value 'north-america.pool.ntp.org' -PropertyType String -Force | Out-Null

Note: Setting '(default)' requires this specific name to target the default value in PowerShell.


Verification

  1. Open Control Panel → Date and Time → Internet Time → Change settings….
  2. Confirm the server dropdown lists:
    • clock.isc.org
    • north-america.pool.ntp.org
  3. Confirm the default selection matches the index set in @ (e.g., "1" → clock.isc.org).
  4. (Optional) Click Update now to test reachability/sync.

Interaction with Windows Time (W32Time)

  • The UI list is not the authoritative configuration for continuous time sync in domain or service scenarios.
  • For service-level peers, configure:
    • HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
    • HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
    • Or via Group Policy:
      Computer Configuration → Administrative Templates → System → Windows Time Service → Time Providers
  • In Active Directory domains, members typically sync from the domain hierarchy (PDC Emulator). The Internet Time UI is often hidden/disabled for domain-joined machines.

Best Practices & Considerations

  • Prefer pool addresses (e.g., *.pool.ntp.org) for resiliency.
  • Firewall: Allow outbound UDP 123 to reach public NTP servers (if using Internet servers).
  • Security/Trust: For regulated environments, use internal NTP sources (GPS-backed or upstream-stratum) and restrict external NTP.
  • Latency & Accuracy: Choose geographically close pools (e.g., oceania.pool.ntp.org for AU/NZ environments) to improve stability.
  • Domain-Joined Machines: Rely on AD time hierarchy unless policy dictates external NTP.
  • Monitoring: Use w32tm /query /status and w32tm /query /peers to inspect operational sync status.

Troubleshooting

  • Sync fails via UI:
    • Check DNS resolution (nslookup <server>).
    • Verify UDP 123 outbound is permitted.
    • Test with w32tm /stripchart /computer:<server> /samples:5 /dataonly.
  • UI list not updating:
    • Confirm registry values under …\DateTime\Servers are present and of type REG_SZ.
    • Reopen the Internet Time dialogue to refresh.
  • Domain-joined behaviour:
    • UI may be disabled by policy. Review GPOs under Windows Time Service.

Related Keys & Commands

  • Service peers:
    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
  • NTP Client settings:
    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
  • Commands:
    w32tm /query /status
    w32tm /query /peers
    w32tm /resync

Change History

  • Added servers: clock.isc.org, north-america.pool.ntp.org
  • Default selection: Index "1" (clock.isc.org)

Appendix: Original Registry Entry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
@="1"
"1"="clock.isc.org"
"2"="north-america.pool.ntp.org"

2026-01-05 02:17
Jason Cole

Windows - Server

Migrate DHCP to a new server - Import and Export DHCP

Exporting DHCP with this method will preserve current reservations and leases reducing conflicts

Step one - Migrate base configuration

Start CMD with Administrator rights

To Export
netsh dhcp server dump > c:\temp\dhcp.txt all

If moving to a new server, open c:\temp\dhcp.txt and perform a find and replace in notepad changing the old server name to the new server name

To Import
netsh exec c:\temp\dhcp.txt

 

If you get this error - The following command was not found: ■

1. Open the exported configuration file using notepad.exe.
2. From the Menu bar choose File > Save As.
3. From the Encoding drop-down list choose ANSI.
4. Click Save.

 

Step two - Migrate leases

These commands can be run on the destination server
Export-DhcpServer -ComputerName "SourceServer" -Leases -File "C:\temp\exportdhcp.xml" -Verbose

Then run
Import-DhcpServer -ComputerName "DestinationServer" -Leases -File "C:\temp\exportdhcp.xml" -BackupPath "C:\temp\dhcpbackup" -Verbose

 

If you get this error - The DHCP server version 6.2 is not compatible with the file version 10.0

The XML header fields need to be changed from this
<?xml version="1.0" encoding="utf-8"?>
<DHCPServer xmlns="http://schemas.microsoft.com/windows/DHCPServer">
  <MajorVersion xmlns="">10</MajorVersion>
  <MinorVersion xmlns="">0</MinorVersion>

To this:
<?xml version="1.0" encoding="utf-8"?>
<DHCPServer xmlns="http://schemas.microsoft.com/windows/DHCPServer">
  <MajorVersion xmlns="">6</MajorVersion>
  <MinorVersion xmlns="">2</MinorVersion>
  <IPv4 xmlns="">

2024-08-13 04:51
Jason Cole

Non-Domain Logon Scripts

Non-Domain Login Scripts

Create a share on the server called Support with the following directory structure

Logon
-- Files
-- Logs
-- Scripts

Set all folders to allow all users to write, but set read-only for folders 'Files' & 'Scripts'

Extract the files to the relevant folders

Executable files
You will need to use ps2exe to convert the following scripts to exe

Setup_Logon.ps1 -> Setup_Logon.exe
Setup_Admin_Logon.ps1 -> Setup_Admin_Logon.exe
Map_Drives.ps1 -> Map_Drives.exe

Logging of Script execution can be done with the following lines added to the Powershell script

#Logging
$username = $env:USERNAME
$computername = $env:COMPUTERNAME
$logdate = Get-Date -Format "yyyyMMdd"
$logmonth = Get-Date -Format "yyyyMM"
$logtime = Get-Date -Format "HHmmss.fff"
$contentlogs = "$logdate,$logtime,$computername,$username,Script_Name.ps1 Script Started"
$filepathlogs = "\\Servername\Support\Logs\General"

Add-Content -Path "$filepathlogs\$logmonth.txt" -Value $contentlogs




#Logging - Modified from standard as unable to reach the Network Destination under Admin context
New-Item -ErrorAction Ignore -ItemType Directory -Path "C:\Support\Logs\General"
$username = $env:USERNAME
$computername = $env:COMPUTERNAME
$logdate = Get-Date -Format "yyyyMMdd"
$logmonth = Get-Date -Format "yyyyMM"
$logtime = Get-Date -Format "HHmmss.fff"
$contentlogs = "$logdate,$logtime,$computername,$username,Script_Name.ps1 Script Started"
$filepathlogs = "C:\Support\Logs\General"

Add-Content -Path "$filepathlogs\$logmonth.txt" -Value $contentlogs



2025-02-11 05:22
Jason Cole

Reset Windows Update

Start CMD shell with Administrator rights

Run the following:

net stop bits /Y
net stop wuauserv /Y
net stop appidsvc /Y
net stop cryptsvc /Y
Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\*.*" /Q
rmdir %systemroot%\SoftwareDistribution /S /Q
rmdir %systemroot%\system32\catroot2 /S /Q
regsvr32.exe /s atl.dll
regsvr32.exe /s urlmon.dll
regsvr32.exe /s mshtml.dll
netsh winsock reset
netsh winhttp reset proxy
net start bits
net start wuauserv
net start appidsvc
net start cryptsvc

2023-09-27 05:51
Jason Cole

Correct / Update SFC Scan cache

If SFC /ScanNow is not able to correct files, this is due to the local cache files not being updated to the current version of Windows.

Check SFC Cache files
DISM /Online /Cleanup-Image /ScanHealth

Correct SFC Cache files
DISM /Online /Cleanup-Image /Restorehealth

If issues, run from a local source image
Mount Currently installed Windows ISO
DISM /Online /Cleanup-Image /Restorehealth /Source:D:\Sources /LimitAccess

2023-09-22 04:51
Jason Cole

IIS SMTP Service Crashing When Accessing Settings

Editing IIS 6.0 Manager Settings to Prevent Crashes

To prevent the SMTP management window from crashing when right-clicking on the SMTP virtual server, follow these steps:

  1. Stop Services:

    • Stop the SMTPSVC service (Display Name: "Simple Mail Transfer Protocol (SMTP)").
    • Stop the IISADMIN service (Display Name: "IIS Admin Service").
  2. Edit metabase.xml:

    • Navigate to C:\Windows\System32\inetsrv\MetaBase.xml.

    • Locate the relevant configuration section IIsSmtpServer    Location ="/LM/SmtpSvc/1".

    • Add the following attributes within the IIsSmtpServer section:

      <IIsSmtpServer    Location ="/LM/SmtpSvc/1"
          RelayIpList="127.0.0.1"
      />
  3. Save the metabase.xml File:

    • Save the changes to the metabase.xml file.
  4. Restart Services:

    • Start the IISADMIN service.
    • Start the SMTPSVC service.
  5. Verify Changes:

    • Open the Internet Information Services (IIS) 6.0 Manager (InetMgr6.exe) and verify that it operates normally.

Additional Considerations

  • These steps have been tested on several new installations of Windows Server 2022 and have consistently worked.
  • For upgraded systems, note that the SMTP service may not be installed post-upgrade. You will need a backup of the settings to apply after reinstalling the service.
  • Tip: Set the SMTPSVC service to start "Automatically" as it is set to "Manual" by default.

2026-01-06 01:45
Jason Cole

FRS to DFSR SYSVOL Migration

Overview

The File Replication Service (FRS) to Distributed File System Replication (DFSR) SYSVOL migration requires the forest functional level to be configured on your Windows Server. If this has not been done, the forest and domain functional levels must be updated first.

Verification

You can verify whether the system is using FRS by running the following command:

dfsrmig /getglobalstate

Run this command by logging in to a domain controller as a Domain Admin or Enterprise Admin, opening a PowerShell console, and entering the command above.

Migration Stages

Before making any changes, you should be familiar with the migration stages. There are four states that correspond with the four migration phases:

  • State 0 – Start: FRS replicates the SYSVOL folder among domain controllers. Ensure a current copy of SYSVOL exists before beginning migration.
  • State 1 – Prepared: FRS continues replicating SYSVOL while DFSR begins replicating a clone of the SYSVOL folder. The DFSR SYSVOL does not respond to service requests.
  • State 2 – Redirected: DFSR begins servicing SYSVOL requests. FRS continues replicating its SYSVOL copy but is no longer used for production.
  • State 3 – Eliminated: DFSR becomes the sole replication system. Windows deletes the old FRS SYSVOL and stops FRS replication.

Migration Steps

To migrate from FRS to DFSR, the environment must progress from State 1 through State 3.

Prepared State

  • Log in to a domain controller as Domain Admin or Enterprise Admin.
  • Open PowerShell.
  • Run: dfsrmig /setglobalstate 1
  • Verify all DCs reached the state: dfsrmig /getmigrationstate

Redirected State

  • Run: dfsrmig /setglobalstate 2
  • Verify all DCs reached the state: dfsrmig /getmigrationstate

Eliminated State

  • Run: dfsrmig /setglobalstate 3
  • Verify all DCs reached the state: dfsrmig /getmigrationstate

Example success message:

All domain controllers have migrated successfully to the Global state ('Eliminated').
Migration has reached a consistent state on all domain controllers.
Succeeded.

Post‑Migration Validation

  • Confirm the SYSVOL share by running: net share
  • Ensure the FRS service is stopped and disabled on all domain controllers.
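
The set-then-verify pattern in the migration steps can be wrapped so that a state is never treated as complete until every domain controller reports it. This is an added example, not part of the original article; the function names, poll interval and timeout are assumptions, and the text match relies on the success message format shown above.

```powershell
# Added example: advance the SYSVOL migration one state per call and wait
# until dfsrmig reports that all domain controllers have reached it.
# Run on a domain controller as Domain Admin or Enterprise Admin.

$StateNames = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Test-DfsrMigState {
    # True only when every DC is consistent AND at the named state.
    param([Parameter(Mandatory)][ValidateRange(0,3)][int]$State)
    $out  = (& dfsrmig.exe /getmigrationstate) | Out-String
    $name = [regex]::Escape($StateNames[$State])
    $atState    = $out -match "Global state \('$name'\)"
    $consistent = $out -match 'reached a consistent state on all domain controllers'
    [pscustomobject]@{ Ready = ($atState -and $consistent); Output = $out.Trim() }
}

function Step-DfsrMigration {
    param(
        [Parameter(Mandatory)][ValidateRange(1,3)][int]$State,
        [int]$PollSeconds    = 120,   # assumed poll interval
        [int]$TimeoutMinutes = 180    # assumed upper bound for replication
    )

    # Do not move forward unless the previous state is complete everywhere.
    $previous = Test-DfsrMigState -State ($State - 1)
    if (-not $previous.Ready) {
        throw "State $($State - 1) is not consistent on all DCs yet:`n$($previous.Output)"
    }

    Write-Host "Setting global state $State ($($StateNames[$State]))"
    & dfsrmig.exe /setglobalstate $State

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $check = Test-DfsrMigState -State $State
        if ($check.Ready) {
            Write-Host "All domain controllers reached '$($StateNames[$State])'."
            return
        }
        Write-Host "Waiting: not every DC has reached '$($StateNames[$State])' yet."
    }
    throw "Timed out waiting for state $State. Last output:`n$($check.Output)"
}

function Get-SysvolPostMigrationStatus {
    # Post-migration validation from the article: SYSVOL share present,
    # FRS service (NtFrs) stopped and disabled on this DC.
    [pscustomobject]@{
        SysvolShare = [bool](& net.exe share | Select-String -Pattern '^SYSVOL\s')
        FrsService  = Get-CimInstance Win32_Service -Filter "Name='NtFrs'" |
                      Select-Object Name, State, StartMode
    }
}

# Usage, one state at a time:
#   Step-DfsrMigration -State 1
#   Step-DfsrMigration -State 2
#   Step-DfsrMigration -State 3   # Eliminated: Windows deletes the old FRS SYSVOL
#   Get-SysvolPostMigrationStatus
```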

2026-03-09 00:34
Jason Cole

IIS SMTP Service Crashing When Sending Email

Editing IIS 6.0 to Prevent Crashes when Sending Emails

To prevent the SMTP Service from crashing when sending email, follow these steps:

Stop Services

  • Stop the SMTPSVC service (Display Name: Simple Mail Transfer Protocol (SMTP)).
  • Stop the IISADMIN service (Display Name: IIS Admin Service).

Edit metabase.xml

  1. Navigate to C:\Windows\System32\inetsrv\MetaBase.xml.
  2. Locate the relevant configuration section IIsSmtpServer    Location ="/LM/SmtpSvc/1".
  3. Add/modify the following attributes:
    <IIsSmtpServer    Location ="/LM/SmtpSvc/1"
        RelayIpList="127.0.0.1"
        MaxConnections="20"
        ConnectionTimeout="60"
    />

Save the metabase.xml File

Save the changes to the metabase.xml file.

Restart Services

  • Start the IISADMIN service.
  • Start the SMTPSVC service.

Verify Changes

Open the Internet Information Services (IIS) 6.0 Manager (InetMgr6.exe) and verify that it operates normally.

Additional Considerations

  • These steps have been tested on several new installations of Windows Server 2022 and have consistently worked.
  • For upgraded systems, note that the SMTP service may not be installed post-upgrade. You will need a backup of the settings to apply after reinstalling the service.
  • Tip: Set the SMTPSVC service to start Automatically as it is set to Manual by default.

2026-01-06 01:45
Jason Cole

Conditional Access for Expired AD Users

This article describes two methods to block access for expired Active Directory (AD) accounts using Microsoft Entra ID.


Option 1: Conditional Access Based on a Synced Attribute

Step 1: Tag Expired Users in Active Directory

Use the following PowerShell script to mark expired accounts by setting extensionAttribute1 to "Expired":

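Get-ADUser -Filter * -Properties accountExpires | Where-Object {
    # accountExpires is 0 or 9223372036854775807 when the account never expires;
    # FromFileTime cannot convert the latter, so rule both out first
    $_.accountExpires -ne 0 -and $_.accountExpires -ne [int64]::MaxValue -and
    ([datetime]::FromFileTime($_.accountExpires) -lt (Get-Date))
} | ForEach-Object {
    Set-ADUser $_ -Replace @{extensionAttribute1="Expired"}
}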

Step 2: Sync the Attribute to Microsoft Entra ID

  1. Open Entra Connect Sync Rules Editor.
  2. Create a new Inbound Sync Rule:
    • Name: Sync extensionAttribute1
    • Connected System: Active Directory
    • Connected System Object Type: user
    • Metaverse Object Type: person
    • Link Type: Join
    • Precedence: Higher than default rules
  3. Add a Transformation:
    • FlowType: Direct
    • Source: extensionAttribute1
    • Target Attribute: extensionAttribute1
  4. Run a full sync using PowerShell:
    Start-ADSyncSyncCycle -PolicyType Initial
    

Step 3: Create a Conditional Access Policy

  1. Go to Microsoft Entra admin center → Protection → Conditional Access.
  2. Click New policy.
  3. Name the policy: Block Expired Users.
  4. Configure Assignments:
    • Users: All users or a specific group
    • Cloud apps: All apps or specific ones (e.g., RDS)
  5. Set Conditions:
    • Filter for users:
      user.extensionAttribute1 -eq "Expired"
      
  6. Configure Access controls:
    • Grant: Block access
  7. Enable the policy.

Option 2: Dynamic Group + Conditional Access

Step 1: Tag and Sync Expired Users

Use the same PowerShell script and sync rule from Option 1.

Step 2: Create a Dynamic Group in Entra ID

  1. Go to Microsoft Entra admin center → Groups → New group.
  2. Set the following:
    • Group type: Security
    • Membership type: Dynamic User
    • Name: Expired AD Users
  3. Add a Dynamic Membership Rule:
    (user.extensionAttribute1 -eq "Expired")
    

Step 3: Create a Conditional Access Policy

  1. Go to Conditional Access → New policy.
  2. Name the policy: Block Expired Users via Group.
  3. Configure Assignments:
    • Users: Select the group Expired AD Users
    • Cloud apps: All or specific apps
  4. Configure Access controls:
    • Grant: Block access
  5. Enable the policy.

PowerShell Script Reference

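Get-ADUser -Filter * -Properties accountExpires | Where-Object {
    # accountExpires is 0 or 9223372036854775807 when the account never expires;
    # FromFileTime cannot convert the latter, so rule both out first
    $_.accountExpires -ne 0 -and $_.accountExpires -ne [int64]::MaxValue -and
    ([datetime]::FromFileTime($_.accountExpires) -lt (Get-Date))
} | ForEach-Object {
    Set-ADUser $_ -Replace @{extensionAttribute1="Expired"}
}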
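
The tagging script only ever sets the attribute, so an account whose expiry date is later extended or removed stays tagged and stays blocked. The following added example (not part of the original article) reconciles the tag in both directions and can be run on a schedule; the function names are hypothetical, and it assumes extensionAttribute1 is used only for this purpose.

```powershell
# Added example: keep extensionAttribute1 in step with accountExpires.
Import-Module ActiveDirectory

function Test-AccountExpired {
    # accountExpires is a UTC FILETIME; 0 and Int64.MaxValue both mean "never".
    param(
        [Parameter(Mandatory)][int64]$AccountExpires,
        [Parameter(Mandatory)][int64]$NowFileTime
    )
    if ($AccountExpires -eq 0 -or $AccountExpires -eq [int64]::MaxValue) { return $false }
    return $AccountExpires -lt $NowFileTime
}

function Sync-ExpiredUserTag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$TagValue = 'Expired'   # value matched by the policy / dynamic group
    )

    $now    = (Get-Date).ToFileTimeUtc()
    $result = [ordered]@{ Tagged = 0; Cleared = 0; Skipped = 0 }

    $users = Get-ADUser -Filter * -Properties accountExpires, extensionAttribute1
    foreach ($u in $users) {
        $expired = Test-AccountExpired -AccountExpires ([int64]$u.accountExpires) -NowFileTime $now
        $tagged  = $u.extensionAttribute1 -eq $TagValue

        # Leave the attribute alone if it already holds something else.
        if ($u.extensionAttribute1 -and -not $tagged) {
            Write-Warning "$($u.SamAccountName): extensionAttribute1 holds another value, skipped."
            $result.Skipped++
            continue
        }

        if ($expired -and -not $tagged) {
            # Newly expired account: add the tag so the block applies.
            Set-ADUser -Identity $u -Replace @{ extensionAttribute1 = $TagValue }
            $result.Tagged++
        }
        elseif (-not $expired -and $tagged) {
            # Expiry was extended or removed: clear the stale tag.
            Set-ADUser -Identity $u -Clear extensionAttribute1
            $result.Cleared++
        }
    }
    [pscustomobject]$result
}

# Preview first, then apply:
#   Sync-ExpiredUserTag -WhatIf
#   Sync-ExpiredUserTag
```

The change reaches Microsoft Entra ID only after the next sync cycle, so the block and its removal both lag by the sync interval.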

2025-07-09 04:20
Jason Cole

Changing Default User and Computer OU Locations in Active Directory

By default, new users are created in the Users container, and new computers are created in the Computers container.
These are system containers, not Organisational Units (OUs).
When using Azure AD Hybrid Join, Autopilot, or Intune, it is often necessary to redirect newly joined computers or users to specific synchronised OUs.

Viewing Current Default OU Settings

Use the following PowerShell commands to check where new computers and users are currently being placed.

Computers:

 Get-ADDomain | Select computersContainer 

Users:

 Get-ADDomain | Select usersContainer 

Changing the Default OU for Computers

Use the redircmp command to redirect new computer objects to a different OU.

 redircmp "OU=CompanyComputers,DC=domain,DC=local" 

Changing the Default OU for Users

Use the redirusr command to redirect new user objects to a specific OU.

 redirusr "OU=Users,OU=Microsoft365,DC=domain,DC=local" 

Completion

These changes take effect immediately.
New objects will now appear in the designated OUs.

2026-03-09 00:13
Jason Cole

Generate a Certificate from a Windows CA using certreq

This guide details the process of submitting a Certificate Signing Request (CSR) to a Microsoft Active Directory Certificate Services (AD CS) environment using the certreq command-line tool.
This specific example requests a certificate based on a custom template named "Infrastructure".


1. Prerequisites

Before proceeding, ensure the following are in place:

  • You have a Certificate Signing Request (CSR) file. In this guide, we will use iDRAC.csr.
  • Your Active Directory Certificate Services environment has a configured certificate template named Infrastructure.
    This custom template is typically based on the 'Web Server V2' template and has been adjusted as required to suit the site's needs.
  • You have the necessary permissions to request certificates using the "Infrastructure" template.

2. Obtaining the Certificate Authority Name

To submit the request, you must first identify the correct configuration string for your Certificate Authority (CA).

Instructions

  1. Open a Command Prompt or PowerShell on a domain-joined machine.
  2. Run the following command:
    certutil -getconfig
  3. The command will return the configuration string for the CA. The output will look similar to this:
    Config String: "CA.domain.local\Widgets Issuing CA 01"
    CertUtil: -getconfig command completed successfully.
  4. Copy the Config String value (including the quotes) for use in the next step.

3. Submitting the Certificate Request

With the CA's configuration string, you can now submit your CSR and specify the template to be used.

Instructions

  1. Open a Command Prompt or PowerShell in the same directory as your CSR file.
  2. Execute the following command, replacing the -config value with the one you obtained in the previous step.
    certreq -submit -config "CA.domain.local\Widgets Issuing CA 01" -attrib "CertificateTemplate:Infrastructure" iDRAC.csr iDRAC.cer
  3. If the submission is successful, the CA will issue a certificate based on the "Infrastructure" template, and it will be saved as iDRAC.cer in the same directory.

Command Breakdown

The table below explains each component of the certreq command used.

| Parameter | Argument | Description |
| --- | --- | --- |
| -submit | (N/A) | An action that specifies the submission of a certificate request to a CA. |
| -config | "CA.domain.local\Widgets Issuing CA 01" | The configuration string of the target Certificate Authority that will process the request. |
| -attrib | "CertificateTemplate:Infrastructure" | Specifies request attributes. In this case, it instructs the CA to use the "Infrastructure" certificate template to generate the certificate. |
| iDRAC.csr | (Input File) | The path to the CSR file being submitted. |
| iDRAC.cer | (Output File) | The path to save the newly issued certificate file. |

2026-04-28 01:25
Jason Cole

Exchange - PowerShell

Exchange Online mailbox doesn't appear in on-prem EAC

If a mailbox in Office 365 does not appear in the local EAC, run the following two commands in the local Exchange Management Shell:

Enable-MailUser -Identity <email address> -ExternalEmailAddress <email address>

Enable-RemoteMailbox -Identity <email address>

2022-08-16 01:52
Jason Cole

SQL

Upgrade Windows 10 Command Line

Download the latest Windows 10 ISO and PSExec tools

Extract Windows 10 ISO contents onto the remote workstation
e.g. C:\Temp\W10

Create a new batch file - C:\Temp\W10Upgrade.CMD

Add the following to the W10Upgrade.CMD file

start /wait C:\temp\W10\setup.exe /auto upgrade /DynamicUpdate disable /showoobe None /Telemetry Disable
exit

Open Local CMD shell
Run the following command

PSEXEC \\remotecomputer -S C:\Temp\W10Upgrade.CMD

Remote workstation should run through the Upgrade path and restart when finished

2022-09-26 04:40
Jason Cole

Configuring Mailbox Regional Settings in Exchange

Command:

Get-Mailbox | Set-MailboxRegionalConfiguration -Language en-AU -TimeZone "E. Australia Standard Time" -DateFormat "dd/MM/yyyy"

Overview:

This PowerShell command is used to configure the regional settings for all mailboxes in an Exchange environment.

The command sets the language, time zone, and date format for each mailbox.

Details:

  • Get-Mailbox: This cmdlet retrieves all mailboxes in the Exchange organization.
  • Set-MailboxRegionalConfiguration: This cmdlet configures the regional settings for a mailbox.

Parameters:

  • -Language en-AU: Sets the language to Australian English.
  • -TimeZone "E. Australia Standard Time": Sets the time zone to Eastern Australia Standard Time.
  • -DateFormat "dd/MM/yyyy": Sets the date format to day/month/year.

Usage:

This command is particularly useful for organizations with users in different regions, ensuring that their mailbox settings are appropriately configured for their locale.
By running this command, administrators can ensure that all users have a consistent experience that matches their regional preferences.

Example Scenario:

An organization based in Australia can use this command to set the language to Australian English, the time zone to Eastern Australia Standard Time, and the date format to day/month/year for all mailboxes.
This ensures that all users see dates and times in a familiar format and can interact with their mailbox in their preferred language.

Conclusion:

Using the Get-Mailbox and Set-MailboxRegionalConfiguration cmdlets together allows for efficient and consistent configuration of mailbox settings across an entire organization.
This is essential for maintaining a user-friendly environment, especially in multinational or multilingual organizations.

2024-08-20 08:45
Jason Cole

SQL - Scripts

Test SQL Access

Test SQL access from Windows 10/11

Create a blank TXT file and rename it to Test_SQL_Access.udl

Opening the file will bring up the Data Link Properties window for SQL.

Select the SQL server and test access with relevant login details

Example Download file available

2022-08-29 05:54
Jason Cole

Reindex the WSUS database

This SQL Query does basic maintenance tasks on SUSDB:

  • Identifies indexes that are fragmented, and defragments them. For certain tables, a fill factor is set to improve insert performance.
  • Updates potentially out-of-date table statistics

USE SUSDB;
GO
SET NOCOUNT ON;

-- Rebuild or reorganize indexes based on their fragmentation levels
DECLARE @work_to_do TABLE (
objectid int
, indexid int
, pagedensity float
, fragmentation float
, numrows int
)

DECLARE @objectid int;
DECLARE @indexid int;
DECLARE @schemaname nvarchar(130);
DECLARE @objectname nvarchar(130);
DECLARE @indexname nvarchar(130);
DECLARE @numrows int
DECLARE @density float;
DECLARE @fragmentation float;
DECLARE @command nvarchar(4000);
DECLARE @fillfactorset bit
DECLARE @numpages int

-- Select indexes that need to be defragmented based on the following
-- * Page density is low
-- * External fragmentation is high in relation to index size
PRINT 'Estimating fragmentation: Begin. ' + convert(nvarchar, getdate(), 121)
INSERT @work_to_do
SELECT
f.object_id
, index_id
, avg_page_space_used_in_percent
, avg_fragmentation_in_percent
, record_count
FROM
sys.dm_db_index_physical_stats (DB_ID(), NULL, NULL , NULL, 'SAMPLED') AS f
WHERE
(f.avg_page_space_used_in_percent < 85.0 and f.avg_page_space_used_in_percent/100.0 * page_count < page_count - 1)
or (f.page_count > 50 and f.avg_fragmentation_in_percent > 15.0)
or (f.page_count > 10 and f.avg_fragmentation_in_percent > 80.0)

PRINT 'Number of indexes to rebuild: ' + cast(@@ROWCOUNT as nvarchar(20))

PRINT 'Estimating fragmentation: End. ' + convert(nvarchar, getdate(), 121)

SELECT @numpages = sum(ps.used_page_count)
FROM
@work_to_do AS fi
INNER JOIN sys.indexes AS i ON fi.objectid = i.object_id and fi.indexid = i.index_id
INNER JOIN sys.dm_db_partition_stats AS ps on i.object_id = ps.object_id and i.index_id = ps.index_id

-- Declare the cursor for the list of indexes to be processed.
DECLARE curIndexes CURSOR FOR SELECT * FROM @work_to_do

-- Open the cursor.
OPEN curIndexes

-- Loop through the indexes
WHILE (1=1)
BEGIN
FETCH NEXT FROM curIndexes
INTO @objectid, @indexid, @density, @fragmentation, @numrows;
IF @@FETCH_STATUS < 0 BREAK;

SELECT
@objectname = QUOTENAME(o.name)
, @schemaname = QUOTENAME(s.name)
FROM
sys.objects AS o
INNER JOIN sys.schemas as s ON s.schema_id = o.schema_id
WHERE
o.object_id = @objectid;

SELECT
@indexname = QUOTENAME(name)
, @fillfactorset = CASE fill_factor WHEN 0 THEN 0 ELSE 1 END
FROM
sys.indexes
WHERE
object_id = @objectid AND index_id = @indexid;

IF ((@density BETWEEN 75.0 AND 85.0) AND @fillfactorset = 1) OR (@fragmentation < 30.0)
SET @command = N'ALTER INDEX ' + @indexname + N' ON ' + @schemaname + N'.' + @objectname + N' REORGANIZE';
ELSE IF @numrows >= 5000 AND @fillfactorset = 0
SET @command = N'ALTER INDEX ' + @indexname + N' ON ' + @schemaname + N'.' + @objectname + N' REBUILD WITH (FILLFACTOR = 90)';
ELSE
SET @command = N'ALTER INDEX ' + @indexname + N' ON ' + @schemaname + N'.' + @objectname + N' REBUILD';
PRINT convert(nvarchar, getdate(), 121) + N' Executing: ' + @command;
EXEC (@command);
PRINT convert(nvarchar, getdate(), 121) + N' Done.';
END

-- Close and deallocate the cursor.
CLOSE curIndexes;
DEALLOCATE curIndexes;


IF EXISTS (SELECT * FROM @work_to_do)
BEGIN
PRINT 'Estimated number of pages in fragmented indexes: ' + cast(@numpages as nvarchar(20))
SELECT @numpages = @numpages - sum(ps.used_page_count)
FROM
@work_to_do AS fi
INNER JOIN sys.indexes AS i ON fi.objectid = i.object_id and fi.indexid = i.index_id
INNER JOIN sys.dm_db_partition_stats AS ps on i.object_id = ps.object_id and i.index_id = ps.index_id

PRINT 'Estimated number of pages freed: ' + cast(@numpages as nvarchar(20))
END
GO


--Update all statistics
PRINT 'Updating all statistics.' + convert(nvarchar, getdate(), 121)
EXEC sp_updatestats
PRINT 'Done updating statistics.' + convert(nvarchar, getdate(), 121)
GO

Source: https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/reindex-the-wsus-database 

2023-05-10 02:18
Jason Cole

SQL - Windows


SQL - Server


VMware - vCenter

vCenter VirtualCenter.AutoManagedIPV4 incorrect issue v6.7+

SSH into the vCenter Server Appliance to run the following commands

Stop the Virtual Provisioning X Daemon (vpxd)

service-control --stop vmware-vpxd

Log into the vCenter PostgreSQL database

/opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres
The prompt should change to VCDB=#

Check the current 'VirtualCenter.AutoManagedIPV4' value

select * from vpx_parameter where name = 'VirtualCenter.AutoManagedIPV4';

Change the 'VirtualCenter.AutoManagedIPV4' to the new value

update vpx_parameter set value = '10.10.12.27' where name = 'VirtualCenter.AutoManagedIPV4';

Check the current 'VirtualCenter.AutoManagedIPV4' value has changed

select * from vpx_parameter where name = 'VirtualCenter.AutoManagedIPV4';

Check the value for the "management_ip" for all hosts in the vpx_host table:

select management_ip,dns_name from vpx_host;

Change this value to "NULL"

update vpx_host set management_ip = NULL where management_ip IS NOT NULL;

Re-check the "management_ip" value for all hosts in the vpx_host table:

select management_ip,dns_name from vpx_host;

Exit the database

\q

Start vCenter Server services

service-control --start vmware-vpxd

All ESXi Hosts should get the updated 'ServerIP' value for their vpxa.cfg file

2022-08-31 03:56
Jason Cole

vCenter Appliance Update Manager (VUM) database unavailable

The vCenter Appliance Update Manager (VUM) database can become unavailable after changing the vCenter IP or subnet.

Run the following commands to re-register the Update Manager back to the vCenter

/usr/lib/vmware-updatemgr/bin/vmware-vciInstallUtils -C /usr/lib/vmware-updatemgr/bin/ -L /var/log/vmware/vmware-updatemgr/ -I /usr/lib/vmware-updatemgr/bin/ -v vcenterappliance.tsvports.local -p 80 -U [email protected] -P password -S /usr/lib/vmware-updatemgr/bin/extension.xml -O extupdate

chown updatemgr:updatemgr /usr/lib/vmware-updatemgr/bin/vci-integrity.xml

Reboot the vCenter Server Appliance

2022-08-31 04:07
Jason Cole

Convert a Thick Provisioned VMDK to Thin Provisioned (ESXi CLI Method)

Applies To: ESXi 6.x, ESXi 7.x, ESXi 8.x

1. Summary

This guide provides step-by-step instructions for converting a thick-provisioned virtual machine disk (VMDK) to a thin-provisioned one using the ESXi command-line interface (CLI). This process is useful for reclaiming unused storage space on a datastore.

This article uses the following example:

  • Virtual Machine: VM1
  • Datastore Path: /vmfs/volumes/620b07f2-ebb3db8c-3cfc-e43d1a5aec50/
  • Target Disk: VM1.vmdk (currently thick provisioned)

The end goal is to have the VM1 virtual machine running on a thin-provisioned VM1.vmdk and to safely remove the old thick-provisioned disk file.

2. Important Prerequisites

WARNING: Failure to follow these prerequisites can lead to data loss or a non-functional virtual machine. Proceed with caution.

  • VM Powered Off: The target virtual machine (VM1) must be completely powered off. The operation cannot be performed on a running or suspended VM.
  • No Snapshots: The VM must have NO active snapshots. Before you begin, commit or delete all snapshots. Cloning a disk that is part of a snapshot chain will break the chain and result in a broken VM.
  • Full Backup: It is strongly recommended to have a complete, verified backup of the virtual machine before attempting this procedure.
  • Sufficient Datastore Space: You must have enough free space on your datastore to hold a complete copy of the virtual disk's used data.
  • SSH Access: SSH must be enabled on the ESXi host. You can enable it from the vSphere Host Client under Manage > Services > TSM-SSH.

3. Recommended Method: Storage vMotion (If Available)

If you are using vCenter Server with a vSphere Standard license or higher, the safest and easiest method is to use Storage vMotion. This method requires no downtime.

  1. Right-click the VM in vCenter and select Migrate.
  2. Choose Change storage only.
  3. On the "Select storage" page, select a destination datastore (it can be the same one).
  4. From the "Select virtual disk format" dropdown, choose Thin Provision.
  5. Click Finish. vCenter will handle the entire process automatically.

If you do not have vCenter, proceed with the CLI method below.

4. Main Procedure: CLI Conversion and Renaming

This process involves creating a thin-provisioned copy, renaming files to swap the old disk with the new one, and then cleaning up.

Step 1: Connect via SSH and Navigate to VM Directory

1. Use an SSH client (like PuTTY or Terminal) to log in to your ESXi host.

2. Navigate to the directory of the virtual machine.

cd /vmfs/volumes/620b07f2-ebb3db8c-3cfc-e43d1a5aec50/VM1/

Step 2: Clone the Thick Disk to a New Thin Disk

We will use vmkfstools to create a new, thin-provisioned clone of the original disk. We'll give it a temporary name.

  • -i [source_disk]: Specifies the input or source disk.
  • -d thin: Specifies that the destination format should be thin-provisioned.

vmkfstools -i VM1.vmdk -d thin VM1-temp-thin.vmdk

Step 3: Rename the Disks

Now we perform a "three-way rename" to safely swap the disks. The -E flag safely renames both the descriptor and data files and updates the internal pointers.

1. Rename the original (thick) disk to `-old` for safety.

vmkfstools -E VM1.vmdk VM1-old.vmdk

2. Rename the new (thin) temporary disk to the original name.

vmkfstools -E VM1-temp-thin.vmdk VM1.vmdk

At this point, the VM's configuration file (VM1.vmx) still points to VM1.vmdk, which is now our new thin disk. No changes to the .vmx file are necessary.

Step 4: Power On and Verify

  1. In the vSphere Client, power on the VM1 virtual machine.
  2. Log in to the guest operating system and verify that all data is intact and all applications are functioning correctly.
  3. To confirm the disk is thin, select the VM, go to Edit Settings, expand the hard disk, and the Type should now read as Thin Provision.

5. Reregistering the VM (Optional Troubleshooting)

In 99% of cases, simply powering on the VM after the renaming process works perfectly. If the VM fails to power on with an error like "file not found", you can force ESXi to reread its configuration by unregistering and reregistering it.

  1. In the vSphere Client, right-click the VM1 virtual machine and select Unregister.
  2. Open the Datastore browser, navigate to the VM1 folder.
  3. Right-click the VM1.vmx file and select Register VM.
  4. Follow the wizard prompts. The VM will reappear in your inventory, and you can now power it on.

6. Final Cleanup: Deleting the Old Thick Provisioned File

CAUTION: This step is irreversible. Only proceed after you have 100% confirmed that the virtual machine is running perfectly on its new thin disk.

1. Ensure you are still connected via SSH and are in the VM's directory.

2. Use the vmkfstools -U command to delete the old thick disk safely (VM1-old.vmdk and its -flat file).

vmkfstools -U VM1-old.vmdk

3. You can verify the deletion by listing the files again with ls -lh. The -old files will be gone, and the space on your datastore will be reclaimed.

2026-04-10 04:53
Jason Cole

Data Recovery - Exchange

Recover Disconnected Exchange 365 Mailbox

Run this command to see a list of available offline mailboxes


Get-Mailbox -InactiveMailboxOnly | Format-List Name,DistinguishedName,ExchangeGuid,PrimarySmtpAddress


Command to create mailbox using disconnected mailbox

new-mailbox -inactivemailbox <ExchangeGuid> -Alias <Alias> -Name <Alias> -FirstName <First Name> -LastName <LastName> -DisplayName "<DisplayName>" -MicrosoftOnlineServicesID [email protected]

e.g.
new-mailbox -inactivemailbox daea9fc7-4503-4330-8ec4-84277ffa0da4 -Alias KarenC -Name KarenC -FirstName Karen -LastName Cockerell -DisplayName "Karen Cockerell" -MicrosoftOnlineServicesID [email protected]

You can't recover or restore an inactive mailbox configured with an auto-expanding archive.
If you need to recover data from an inactive mailbox with an auto-expanding archive, use content search to export the data from the mailbox and then import it to another mailbox.


For instructions, see the following articles
Content search https://docs.microsoft.com/en-us/microsoft-365/compliance/content-search?view=o365-worldwide 
Export content search results https://docs.microsoft.com/en-us/microsoft-365/compliance/export-search-results?view=o365-worldwide 

2022-09-15 06:40
Jason Cole

Office 365 - Licensing

Compare All Office 365 Plans

Source: https://lazyadmin.nl/compare-microsoft-office-365-plans/ 

Microsoft Office 365 license comparison

  Microsoft Office 365 Plans Compared
  Microsoft 365 Business Office 365 Enterprise Microsoft 365
 
Business Basic
Business Standard
Business Premium
Apps for Business
Office 365 E1
Office 365 E3
Office 365 E5
Apps for Enterprise
Microsoft 365 F1
Microsoft 365 F3
Microsoft 365 E3
Microsoft 365 E5
Annual commitment
per month
$6.00 $12.50 $22.00 $8.25 $10.00 $23.00 $38.00 $12.00 $2.25 $8.00 $36.00 $57.00
Monthly commitment
per month
$7.20 $15.00   $10.00                
Core Details
Maximum users 300 300 300 300 Unlimited Unlimited Unlimited Unlimited Unlimited Unlimited Unlimited Unlimited
 
Microsoft Office Apps Business Basic Business Standard Business Premium Apps for Business Office 365 E1 Office 365 E3 Office 365 E5 Apps for Enterprise Microsoft 365 F1 Microsoft 365 F3 Microsoft 365 E3 Microsoft 365 E5
Office Online                 3 1    
Desktop Apps (Outlook, Word, Excel, PowerPoint, OneNote)                        
Publisher and Access (pc only)                        
Mobile apps                 3      
Install apps on up to 5 PCs/Mac + 5 tablets + 5 smartphones 2       2         2    
Microsoft Editor premium features                        
Notes:
1. Limited to devices with a 10.1″ screen or smaller
2. Mobile app only
3. Read only
Microsoft Office Apps Business Basic Business Standard Business Premium Apps for Business Office 365 E1 Office 365 E3 Office 365 E5 Apps for Enterprise Microsoft 365 F1 Microsoft 365 F3 Microsoft 365 E3 Microsoft 365 E5
Exchange (Email) Plan 1
50Gb
Plan 1
50Gb
Plan 1
50Gb
  Plan 1
50Gb
Plan 2
100Gb
Plan 2
100Gb
    Kiosk
2Gb
Plan 2
100Gb
Plan 2
100Gb
Email archiving
50Gb

50Gb

1.5TB
 
50Gb

1.5TB

1.5TB
     
1.5TB

1.5TB
Public folder & Resource mailbox                        
Microsoft Shifts                        
Microsoft Bookings                        
Chat, Meetings, Social, and Calling
Microsoft Teams                        
Live Events                        
Yammer                        
Phone System & Audio Conferencing                        
Storage
OneDrive Storage (per user) 1 TB 1 TB 1 TB 1 TB 1 TB 5 TB 1 5 TB 1 1 TB 2 GB 2 GB 5 TB 1 5 TB 1
SharePoint Plan 1 2 Plan 1 2 Plan 1 2   Plan 1 2 Plan 2 2 Plan 2 2   Kiosk 3 Kiosk 3 Plan 2 2 Plan 2 2
Notes:
1. 5 TB initial, contact Microsoft to increase. With fewer than 5 users, only 1 TB per user
2. 1 TB Storage + 10Gb per user
3. 1 TB Storage
Project and task management
Planner                        
To-Do                        
Automation
Power Automate, Power Apps                        
Analytics Business Basic Business Standard Business Premium Apps for Business Office 365 E1 Office 365 E3 Office 365 E5 Apps for Enterprise Microsoft 365 F1 Microsoft 365 F3 Microsoft 365 E3 Microsoft 365 E5
MyAnalytics                        
PowerBi Pro                        
Endpoint and app management
Microsoft Endpoint Manager                        
Mobile application management                        
Intune
Remotely wipe company data from lost devices
                       
Windows Autopilot
Set up and pre-configure new devices, getting them ready for productive use
                       
Group Policy Support                        
Shared Computer Activation
Use Office on RDS/Citrix
                       
Advanced threat protection
Microsoft Defender for Endpoint     Plan 1               Plan 1 Plan 2
Microsoft Defender for Office 365
Protect against ransomware, phishing email, malware
    Business       Plan 2         Plan 2
Windows Defender
Firewall, Anti-malware, Exploit Guard, Credential Guard
                       
Defender for Endpoint & Identity                        
Identity and access management Business Basic Business Standard Business Premium Apps for Business Office 365 E1 Office 365 E3 Office 365 E5 Apps for Enterprise Microsoft 365 F1 Microsoft 365 F3 Microsoft 365 E3 Microsoft 365 E5
Azure Active Directory Premium     Plan 1           Plan 1 Plan 1 Plan 1 Plan 2
Conditional Access     Plan 1                  
AD Sync for SSO                        
Windows Hello for Business                        
Microsoft Advanced Threat Analytics                        
Information Protection and Governance
Azure Information Protection     Plan 1     AIP for Office 365 AIP for Office 365   Plan 1 Plan 1 Plan 1 Plan 2
Manual sensitivity labels                        
Automatic sensitivity labels                        
Office 365 Data Loss Prevention (DLP)                        
Basic Office Message Encryption                        
eDiscovery and auditing Business Basic Business Standard Business Premium Apps for Business Office 365 E1 Office 365 E3 Office 365 E5 Apps for Enterprise Microsoft 365 F1 Microsoft 365 F3 Microsoft 365 E3 Microsoft 365 E5
Content Search, Basic Audit                        
eDiscovery                        
Advanced eDiscovery, Advanced Audit                        
Litigation Hold                        
Windows
Windows 10 Enterprise                        

2023-02-20 06:20
Jason Cole

Bulk change Microsoft 365 Licences

If you have a text file with a list of User Principal Names (UPNs) that you want to change, you can use a PowerShell script to read the file and change the licenses for each user. Here’s an example:

# Connect to your Microsoft 365 tenant
# Use either Connect-MsolService or Connect-AzureAD depending on the module you're using

# Define the SKU IDs for the E3 and E5 licenses
$e3License = "contoso:ENTERPRISEPACK"
$e5License = "contoso:ENTERPRISEPACK_E5"

# Read the UPNs from the file
$upns = Get-Content -Path "C:\temp\e3_users.txt"

# Loop through each UPN and change the license
foreach ($upn in $upns) {
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $e5License -RemoveLicenses $e3License
}

In this script, replace "contoso:ENTERPRISEPACK_E5" and "contoso:ENTERPRISEPACK" with the actual SKU IDs of your E5 and E3 licenses respectively.
Also, ensure that you have enough E5 licenses available in your tenant before running this script.

This script assumes that the file at C:\temp\e3_users.txt contains one UPN per line.
If your file is formatted differently, you may need to adjust the Get-Content command accordingly.

2023-11-03 07:39
Jason Cole

Change Office 365 licences CLI

In this example, we are changing from E3 to E5 licences for a list of users

Connect to your Microsoft 365 tenant using Microsoft Graph
https://wiki.jraustralia.com/index.php?action=faq&cat=2&id=92&artlang=en

Create a file called C:\temp\e3_users.txt with a single line for every user UPN who is moving to an E5 licence.

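Note:

Microsoft Graph identifies licences by SKU ID (a GUID), not by the "TenantName:ENTERPRISEPACK" style names used by the older MSOnline cmdlets, so the script below looks the SKU IDs up from their part numbers.
You need to replace "ENTERPRISEPACK" and "ENTERPRISEPACK_E5" with the SkuPartNumber values of your actual licences.
To find out the tenant name run: Get-MgOrganization | ft DisplayName
To list available licence names run: Get-MgSubscribedSku | ft SkuPartNumber


# Define the part numbers for the E3 and E5 licenses
$e3License = "ENTERPRISEPACK"
$e5License = "ENTERPRISEPACK_E5"

# Set-MgUserLicense works with SKU GUIDs, so look them up from the part numbers
$skus  = Get-MgSubscribedSku
$e3Sku = ($skus | Where-Object SkuPartNumber -eq $e3License).SkuId
$e5Sku = ($skus | Where-Object SkuPartNumber -eq $e5License).SkuId
if (-not $e3Sku -or -not $e5Sku) { throw "Licence part number not found in this tenant." }

# Read the UPNs from the file
$upns = Get-Content -Path "C:\temp\e3_users.txt"

# Loop through each UPN and change the license
foreach ($upn in $upns) {
    # Remove the E3 license (-AddLicenses is mandatory, so pass an empty array)
    Set-MgUserLicense -UserId $upn -AddLicenses @() -RemoveLicenses @($e3Sku) -Confirm:$false

    # Add the E5 license (-RemoveLicenses is mandatory, so pass an empty array)
    Set-MgUserLicense -UserId $upn -AddLicenses @(@{SkuId = $e5Sku}) -RemoveLicenses @() -Confirm:$false
}

You can combine the command to add and remove a licence in one go
Set-MgUserLicense -UserId $upn -AddLicenses @(@{SkuId = $e5Sku}) -RemoveLicenses @($e3Sku) -Confirm:$false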

2023-11-07 02:12
Jason Cole

Routing - HPE CLI

HPE CLI commands to see what is connected to a switch

show lldp info remote
show cdp neighbors
show inter trans
show Vlan


show lacp peer
- Link Aggregation Control Protocol

2022-10-06 02:30
Jason Cole

HPE Switch CLI - Add user or change password in AOS-S

Create a user and/or set a password in HPE CLI

password manager user-name admin plaintext <newpassword>
If no password is provided in the command, you are prompted to enter the new password twice.

The command sets or changes existing passwords.
password <manager|operator|all|port-access> [user-name ASCII-STR] [<plaintext|sha1> ASCII-STR]

The no form clears a local username/password for a given access level.
no password <manager|operator|all|port-access> [user-name ASCII-STR] [<plaintext|sha1> ASCII-STR]



2023-02-01 23:51
Jason Cole

Finding Spanning Tree loop

The following commands can help locate the loop.

show spanning-tree
* This will show how long ago a Spanning-Tree event took place

show spanning-tree topo-change-history originated
* This command shows the history of topology changes that were originated by the local switch.
* It helps you identify if the local switch has been causing topology changes in the network.

show spanning-tree topo-change-history received
* This command shows the history of topology changes that were received by the local switch.
* It provides information about which switch generated the topology change, in which port it was generated, and when it was generated.

show lldp info remote-device A1
* This will help identify the device on the port, usually picked up from the above received command.

2024-02-07 06:35
Jason Cole

Software

Windows - PowerShell

PowerShell to EXE (PS2EXE & Win-PS2EXE)


Installation

Install-Module ps2exe

Usage


ps2exe -inputFile file.ps1 -outputFile file.exe -noError -noOutput -noConsole -credentialGUI -requireAdmin

Invoke-ps2exe [-inputFile] '<filename>' [[-outputFile] '<filename>']
[-prepareDebug] [-x86|-x64] [-lcid <id>] [-STA|-MTA] [-noConsole] [-UNICODEEncoding]
[-credentialGUI] [-iconFile '<filename>'] [-title '<title>'] [-description '<description>']
[-company '<company>'] [-product '<product>'] [-copyright '<copyright>'] [-trademark '<trademark>']
[-version '<version>'] [-configFile] [-noOutput] [-noError] [-noVisualStyles] [-exitOnCancel]
[-DPIAware] [-winFormsDPIAware] [-requireAdmin] [-supportOS] [-virtualize] [-longPaths]

inputFile = Powershell script that you want to convert to executable (file has to be UTF8 or UTF16 encoded)
outputFile = destination executable file name or folder, defaults to inputFile with extension '.exe'
prepareDebug = create helpful information for debugging
x86 or x64 = compile for 32-bit or 64-bit runtime only
lcid = location ID for the compiled executable. Current user culture if not specified
STA or MTA = 'Single Thread Apartment' or 'Multi Thread Apartment' mode
noConsole = the resulting executable will be a Windows Forms app without a console window
UNICODEEncoding = encode output as UNICODE in console mode
credentialGUI = use GUI for prompting credentials in console mode
iconFile = icon file name for the compiled executable
title = title information (displayed in details tab of Windows Explorer's properties dialog)
description = description information (not displayed, but embedded in executable)
company = company information (not displayed, but embedded in executable)
product = product information (displayed in details tab of Windows Explorer's properties dialog)
copyright = copyright information (displayed in details tab of Windows Explorer's properties dialog)
trademark = trademark information (displayed in details tab of Windows Explorer's properties dialog)
version = version information (displayed in details tab of Windows Explorer's properties dialog)
configFile = write a config file (<outputfile>.exe.config)
noOutput = the resulting executable will generate no standard output (includes verbose and information channel)
noError = the resulting executable will generate no error output (includes warning and debug channel)
noVisualStyles = disable visual styles for a generated windows GUI application (only with -noConsole)
exitOnCancel = exits program when Cancel or "X" is selected in a Read-Host input box (only with -noConsole)
DPIAware = if display scaling is activated, GUI controls will be scaled if possible
winFormsDPIAware = if display scaling is activated, WinForms use DPI scaling (requires Windows 10 and .Net 4.7 or up)
requireAdmin = if UAC is enabled, compiled executable run only in elevated context (UAC dialog appears if required)
supportOS = use functions of newest Windows versions (execute [Environment]::OSVersion to see the difference)
virtualize = application virtualization is activated (forcing x86 runtime)
longPaths = enable long paths ( > 260 characters) if enabled on OS (works only with Windows 10 or up)

Source: https://www.powershellgallery.com/packages/ps2exe 

2023-08-23 01:13
Jason Cole

How to Identify Your RDS License Server

Using PowerShell to Find Your RDS License Server

  1. Open PowerShell: Press Win + X and select “Windows PowerShell” or “Windows PowerShell (Admin)” from the menu.

  2. Run the Command:

    • Type the following command and press Enter:
    (Get-WmiObject -Namespace root\CIMV2\TerminalServices Win32_TerminalServiceSetting).GetSpecifiedLicenseServerList()
    

    This command queries the WMI (Windows Management Instrumentation) namespace to retrieve information about the specified license server.

  3. Review the Output:

    • The output will display the license server(s) configured for your RDS environment.
    • If you see multiple servers, they will be listed sequentially.

Verifying the License Server

  • Once you have the license server information, verify it against your licensing documentation or contact your system administrator to ensure accuracy.

2024-04-03 03:49
Jason Cole

Disk Cleanup using DISM: Component Store Cleanup (StartComponentCleanup & ResetBase)

The Deployment Imaging Servicing and Management (DISM) tool can service Windows images and the online operating system. The /StartComponentCleanup option reduces the size of the WinSxS (component store) by removing superseded versions of components. Optionally, the /ResetBase switch can further reduce size by making the current component versions the new baseline (permanently removing the ability to roll back to earlier versions of those components).


Quick Summary

  • dism /online /cleanup-image /startcomponentcleanup — Removes superseded component versions and performs a standard cleanup.
  • /resetbase — Permanently sets current versions as baseline and removes the ability to uninstall prior updates.

Prerequisites

  • Administrator privileges are required.
  • Run in an elevated Command Prompt or PowerShell.
  • Ensure sufficient free disk space (cleanup can temporarily require extra space while processing).
  • Close applications that may be updating system components.

Syntax

DISM /Online /Cleanup-Image /StartComponentCleanup [/ResetBase] [/NoRestart] [/Quiet]

Parameters

/Online
Targets the currently running operating system.
/Cleanup-Image
Specifies image maintenance operations.
/StartComponentCleanup
Removes superseded (older) component versions from the WinSxS store to reduce size.
/ResetBase
Irreversible: sets current component versions as the baseline; prevents uninstall of updates superseded by the cleanup.
/NoRestart
Prevents automatic restart if a reboot would be required.
/Quiet
Suppresses verbose output.

Recommended Usage

Standard Cleanup (Safe)

dism /online /cleanup-image /startcomponentcleanup

Use this regularly to keep the component store trimmed. It should not affect the ability to uninstall updates.

Aggressive Cleanup with Baseline Reset (Irreversible)

dism /online /cleanup-image /startcomponentcleanup /resetbase

Use this sparingly—typically after a maintenance window when the system is stable and updates have been vetted. After running with /resetbase, previously superseded updates cannot be uninstalled.


When to Use Each Option

Scenario | Recommended Command | Notes
Routine maintenance to reduce WinSxS size | /startcomponentcleanup | Safe; retains ability to uninstall most updates.
Locked-in baseline after successful patch cycle | /startcomponentcleanup /resetbase | Irreversible; cannot remove older/superseded updates afterward.
Automated/silent execution | /startcomponentcleanup /quiet /norestart | Use in scripts; schedule during low-usage windows.

Examples

1) Basic Cleanup

dism /online /cleanup-image /startcomponentcleanup

2) Cleanup Without Auto-Restart

dism /online /cleanup-image /startcomponentcleanup /norestart

3) Aggressive Cleanup (Reset Baseline)

dism /online /cleanup-image /startcomponentcleanup /resetbase

4) Silent Mode for Scripts

dism /online /cleanup-image /startcomponentcleanup /quiet /norestart

Operational Notes

  • Performance: Cleanup can take several minutes; longer on systems with extensive update history.
  • Disk Space: Expect savings in the WinSxS folder; the actual reduction depends on the number of superseded components.
  • Logging: Review %WINDIR%\Logs\DISM\dism.log for detailed diagnostics.
  • Servicing Stack: If DISM errors, ensure the latest Servicing Stack Update (SSU) is installed.

Best Practices

  1. Run sfc /scannow first if you suspect component corruption.
  2. Follow with dism /online /cleanup-image /restorehealth if SFC reports issues that it cannot fix.
  3. Use /startcomponentcleanup regularly (e.g., monthly) after Patch Tuesday.
  4. Reserve /resetbase for systems with proven stability where rollback is not needed.
  5. Schedule during maintenance windows and monitor dism.log.
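
Added example (not part of the original article): a PowerShell wrapper for scripted cleanup that checks elevation, prompts before the irreversible /ResetBase, interprets the DISM exit code and collects new Error/Warning lines from dism.log. The function name, the 3010 "reboot required" exit code handling and the dism.log line layout (timestamp, comma, level) are assumptions of this example.

```powershell
function Invoke-ComponentStoreCleanup {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [switch]$ResetBase,   # irreversible: superseded updates can no longer be uninstalled
        [string]$DismLog = (Join-Path $env:WINDIR 'Logs\DISM\dism.log')
    )

    # DISM fails with "Access denied" unless the shell is elevated.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    $dismArgs = '/Online', '/Cleanup-Image', '/StartComponentCleanup', '/Quiet', '/NoRestart'
    if ($ResetBase) {
        # ConfirmImpact = High forces a prompt unless the caller passes -Confirm:$false.
        if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'DISM /ResetBase (no rollback of superseded updates)')) {
            return
        }
        $dismArgs += '/ResetBase'
    }

    $drive      = $env:SystemDrive.TrimEnd(':')
    $freeBefore = (Get-PSDrive -Name $drive).Free
    $started    = Get-Date

    & dism.exe @dismArgs | Out-Host      # show DISM output without mixing it into the result object
    $exitCode = $LASTEXITCODE
    $hex      = '0x{0:X8}' -f $exitCode  # e.g. 0x800F081F for "source files not found"

    # Keep only Error/Warning lines written since this run started (assumed line layout).
    $logIssues = @()
    if (Test-Path -LiteralPath $DismLog) {
        $logIssues = @(Get-Content -LiteralPath $DismLog | ForEach-Object {
            if ($_ -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (Error|Warning)\s') {
                $stamp = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
                if ($stamp -ge $started.AddSeconds(-1)) { $_ }
            }
        })
    }

    $hint = if ($hex -eq '0x800F081F') { 'Run dism /online /cleanup-image /restorehealth first.' } else { $null }
    [pscustomobject]@{
        Command        = "dism.exe $($dismArgs -join ' ')"
        ExitCode       = $hex
        Succeeded      = $exitCode -in 0, 3010       # 3010 = success, reboot required (assumed)
        RebootRequired = $exitCode -eq 3010
        FreedMB        = [math]::Round(((Get-PSDrive -Name $drive).Free - $freeBefore) / 1MB)
        Hint           = $hint
        LogIssues      = $logIssues
    }
}

# Routine cleanup:            Invoke-ComponentStoreCleanup
# Baseline reset, unattended: Invoke-ComponentStoreCleanup -ResetBase -Confirm:$false
```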

Troubleshooting

Error 0x800f081f (source files not found)
Point DISM to repair sources or run /restorehealth first. Example:
dism /online /cleanup-image /restorehealth
Access denied
Ensure the shell is running as Administrator.
Cleanup yields minimal savings
There may be few or no superseded components; savings vary by update history.

Frequently Asked Questions (FAQ)

Does /resetbase delete all updates?

No. It removes older/superseded component versions and sets current versions as the baseline. You cannot uninstall those superseded updates afterward.

Will I need to reboot?

Not always. Some cleanups require a restart. Use /norestart to prevent automatic reboot in unattended scenarios and plan a controlled restart later.

Is this the same as Disk Cleanup?

No. Disk Cleanup targets various files (temp, thumbnails, etc.). DISM focuses on the component store (WinSxS) used by servicing and updates.


Change Control Template (Optional)

Title: WinSxS Component Store Cleanup (DISM)
System: 
Window: 
Command(s):
  dism /online /cleanup-image /startcomponentcleanup [/resetbase] [/quiet] [/norestart]
Backout Plan: Not applicable when using /resetbase (irreversible)
Validation:
  - Check %WINDIR%\Logs\DISM\dism.log
  - Verify system stability and disk space reduction

References

  • Microsoft Docs: DISM Operations - https://learn.microsoft.com/windows-hardware/manufacture/desktop/dism-operations
  • Microsoft Docs: Clean up the WinSxS folder - https://learn.microsoft.com/windows-hardware/manufacture/desktop/clean-up-the-winSxS-folder

2026-01-27 03:13
Jason Cole

VMware - Player

VMware player only showing 2 cores in Windows

VMware Player allocates virtual CPUs as separate CPUs (sockets), not as cores.

Windows desktop operating systems can only use 2 CPUs, so only 2 cores are shown in Task Manager.

Add or modify the following lines in the .vmx file to present 4 or more cores to a Windows desktop OS:
numvcpus = "4"
cpuid.coresPerSocket = "2"

2023-10-24 09:07
Jason Cole

Disable side-channel mitigations in VMware Player

Add the following line to the list of parameters in the VMX file

ulm.disableMitigations="TRUE"

2023-03-15 01:02
Jason Cole

Unable to Open Kernel Device ‘\\.\VMCIDev\VMX’ in VMware Player

Open the VMX file and locate the following entry.

vmci0.present = "TRUE"

Change the value to FALSE

vmci0.present = "FALSE"

2023-03-15 01:26
Jason Cole

Windows - WSUS

Reindex the WSUS database

This SQL Query does basic maintenance tasks on SUSDB:

  • Identifies indexes that are fragmented, and defragments them. For certain tables, a fill factor is set to improve insert performance.
  • Updates potentially out-of-date table statistics

USE SUSDB;
GO
SET NOCOUNT ON;

-- Rebuild or reorganize indexes based on their fragmentation levels
DECLARE @work_to_do TABLE (
objectid int
, indexid int
, pagedensity float
, fragmentation float
, numrows int
)

DECLARE @objectid int;
DECLARE @indexid int;
DECLARE @schemaname nvarchar(130);
DECLARE @objectname nvarchar(130);
DECLARE @indexname nvarchar(130);
DECLARE @numrows int
DECLARE @density float;
DECLARE @fragmentation float;
DECLARE @command nvarchar(4000);
DECLARE @fillfactorset bit
DECLARE @numpages int

-- Select indexes that need to be defragmented based on the following
-- * Page density is low
-- * External fragmentation is high in relation to index size
PRINT 'Estimating fragmentation: Begin. ' + convert(nvarchar, getdate(), 121)
INSERT @work_to_do
SELECT
f.object_id
, index_id
, avg_page_space_used_in_percent
, avg_fragmentation_in_percent
, record_count
FROM
sys.dm_db_index_physical_stats (DB_ID(), NULL, NULL , NULL, 'SAMPLED') AS f
WHERE
(f.avg_page_space_used_in_percent < 85.0 and f.avg_page_space_used_in_percent/100.0 * page_count < page_count - 1)
or (f.page_count > 50 and f.avg_fragmentation_in_percent > 15.0)
or (f.page_count > 10 and f.avg_fragmentation_in_percent > 80.0)

PRINT 'Number of indexes to rebuild: ' + cast(@@ROWCOUNT as nvarchar(20))

PRINT 'Estimating fragmentation: End. ' + convert(nvarchar, getdate(), 121)

SELECT @numpages = sum(ps.used_page_count)
FROM
@work_to_do AS fi
INNER JOIN sys.indexes AS i ON fi.objectid = i.object_id and fi.indexid = i.index_id
INNER JOIN sys.dm_db_partition_stats AS ps on i.object_id = ps.object_id and i.index_id = ps.index_id

-- Declare the cursor for the list of indexes to be processed.
DECLARE curIndexes CURSOR FOR SELECT * FROM @work_to_do

-- Open the cursor.
OPEN curIndexes

-- Loop through the indexes
WHILE (1=1)
BEGIN
FETCH NEXT FROM curIndexes
INTO @objectid, @indexid, @density, @fragmentation, @numrows;
IF @@FETCH_STATUS < 0 BREAK;

SELECT
@objectname = QUOTENAME(o.name)
, @schemaname = QUOTENAME(s.name)
FROM
sys.objects AS o
INNER JOIN sys.schemas as s ON s.schema_id = o.schema_id
WHERE
o.object_id = @objectid;

SELECT
@indexname = QUOTENAME(name)
, @fillfactorset = CASE fill_factor WHEN 0 THEN 0 ELSE 1 END
FROM
sys.indexes
WHERE
object_id = @objectid AND index_id = @indexid;

IF ((@density BETWEEN 75.0 AND 85.0) AND @fillfactorset = 1) OR (@fragmentation < 30.0)
SET @command = N'ALTER INDEX ' + @indexname + N' ON ' + @schemaname + N'.' + @objectname + N' REORGANIZE';
ELSE IF @numrows >= 5000 AND @fillfactorset = 0
SET @command = N'ALTER INDEX ' + @indexname + N' ON ' + @schemaname + N'.' + @objectname + N' REBUILD WITH (FILLFACTOR = 90)';
ELSE
SET @command = N'ALTER INDEX ' + @indexname + N' ON ' + @schemaname + N'.' + @objectname + N' REBUILD';
PRINT convert(nvarchar, getdate(), 121) + N' Executing: ' + @command;
EXEC (@command);
PRINT convert(nvarchar, getdate(), 121) + N' Done.';
END

-- Close and deallocate the cursor.
CLOSE curIndexes;
DEALLOCATE curIndexes;


IF EXISTS (SELECT * FROM @work_to_do)
BEGIN
PRINT 'Estimated number of pages in fragmented indexes: ' + cast(@numpages as nvarchar(20))
SELECT @numpages = @numpages - sum(ps.used_page_count)
FROM
@work_to_do AS fi
INNER JOIN sys.indexes AS i ON fi.objectid = i.object_id and fi.indexid = i.index_id
INNER JOIN sys.dm_db_partition_stats AS ps on i.object_id = ps.object_id and i.index_id = ps.index_id

PRINT 'Estimated number of pages freed: ' + cast(@numpages as nvarchar(20))
END
GO


--Update all statistics
PRINT 'Updating all statistics.' + convert(nvarchar, getdate(), 121)
EXEC sp_updatestats
PRINT 'Done updating statistics.' + convert(nvarchar, getdate(), 121)
GO

Source: https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/reindex-the-wsus-database 

2023-05-10 02:18
Jason Cole

WSUS Migration - PSWSUSMigration

Migrate WSUS by exporting the following values:
* Computers, Groups including Computer Membership
* Approvals, Declines and Expired patches
* Configuration Options

Install the PSWSUSMigration module:
Install-Module -Name PSWSUSMigration
or download the install file and run:
Import-Module C:\Temp\PSWSUSMigration.psd1

Run the following commands to export

Export-WSUSOptions -XmlPath <XML file path to export>

Export-WSUSComputerGroups -XmlPath <XML file path to export> -IncludeComputerMembership

Export-WSUSUpdateApprovals -XmlPath <XML file path to export> -All

Run the following commands to import

Import-WSUSOptions -XmlPath <XML file path to import>

Import-WSUSComputerGroups -XmlPath <XML file path to import> -IncludeComputerMembership

Import-WSUSUpdateApprovals -XmlPath <XML file path to import> -All

Source: https://github.com/reiikei/PSWSUSMigration 

2025-02-11 05:25
Jason Cole

WSUS Cleanup Scripts

Three Cleanup Scripts

Cleanup-WSUSserver.ps1
Decline-Superseded Updates With Exclusion Period via SSMS
wsus-cleanup-updates-v4.ps1


Cleanup-WSUSserver.ps1

$server = 'localhost'
$port = '8530'
Write-Progress -Activity 'Getting WSUS server'
$WSUSserver = Get-WsusServer -Name $server -PortNumber $port
Write-Progress -Activity 'Getting approved updates, this may take a while...' -PercentComplete -1
$approvedupdates = Get-WsusUpdate -UpdateServer $WSUSserver -Approval Approved -Status InstalledOrNotApplicableOrNoStatus
Write-Progress -Activity 'Retrieved updates' -PercentComplete 90
$i = 0
$superseded = $approvedupdates | ? {$_.Update.IsSuperseded -eq $true -and $_.ComputersNeedingThisUpdate -eq 0}
$total = $superseded.count
foreach ($update in $superseded)
{
    Write-Progress -Activity 'Declining updates' -Status "$($update.Update.Title)" -PercentComplete (($i/$total) * 100)
    $update.Update.Decline()
    $i++
}

Write-Host "Total declined updates: $total" -ForegroundColor Yellow

Decline-Superseded Updates With Exclusion Period via SSMS

-- Decline superseded updates in SUSDB; alternative to Decline-SupersededUpdatesWithExclusionPeriod.ps1
DECLARE @thresholdDays INT = 90 -- Specify the number of days between today and the release date for which the superseded updates must not be declined (i.e., updates older than 90 days). This should match configuration of supersedence rules in SUP component properties, if ConfigMgr is being used with WSUS.
DECLARE @testRun BIT = 0 -- Set this to 1 to test without declining anything.
-- There shouldn't be any need to modify anything after this line.

DECLARE @uid UNIQUEIDENTIFIER
DECLARE @title NVARCHAR(500)
DECLARE @date DATETIME
DECLARE @userName NVARCHAR(100) = SYSTEM_USER

DECLARE @count INT = 0

DECLARE DU CURSOR FOR
  SELECT MU.UpdateID, U.DefaultTitle, U.CreationDate FROM vwMinimalUpdate MU
  JOIN PUBLIC_VIEWS.vUpdate U ON MU.UpdateID = U.UpdateId
WHERE MU.IsSuperseded = 1 AND MU.Declined = 0 AND MU.IsLatestRevision = 1
  AND MU.CreationDate < DATEADD(dd,-@thresholdDays,GETDATE())
ORDER BY MU.CreationDate

PRINT 'Declining superseded updates older than ' + CONVERT(NVARCHAR(5), @thresholdDays) + ' days.' + CHAR(10)

OPEN DU
FETCH NEXT FROM DU INTO @uid, @title, @date
WHILE (@@FETCH_STATUS > - 1)
BEGIN
  SET @count = @count + 1
  PRINT 'Declining update ' + CONVERT(NVARCHAR(50), @uid) + ' (Creation Date ' + CONVERT(NVARCHAR(50), @date) + ') - ' + @title + ' ...'
  IF @testRun = 0
     EXEC spDeclineUpdate @updateID = @uid, @adminName = @userName, @failIfReplica = 1
  FETCH NEXT FROM DU INTO @uid, @title, @date
END

CLOSE DU
DEALLOCATE DU

PRINT CHAR(10) + 'Attempted to decline ' + CONVERT(NVARCHAR(10), @count) + ' updates.'

wsus-cleanup-updates-v4.ps1

<#

    WSUS-CLEANUP-UPDATES
    
    Runs WSUS cleanup task using stored procedures in WSUS database
    thus avoiding timeout errors that may occur when running WSUS Cleanup Wizard.

    The script is intended to run as a scheduled task on WSUS server
    but can also be used remotely. $SqlServer and $SqlDB variables 
    must be defined before running the script on a server without WSUS.

    Version 4

    Version history:

    4    Added database connection state check before deleting an 
         unused update: the script will now attempt to reestablish
         connection if broken.


#>


##########################
# Configurable parameters

$SqlServer = ""    # SQL server host name; leave empty to use information from local registry
$SqlDB = "SUSDB"   # WSUS database name     
$SkipFileCleanup = $SqlServer -ne ""

$log_source = "WSUS cleanup Task"  # Event log source name
$log_debugMode = $true  # set to false to suppress console output 


##########################


$ErrorActionPreference = "Stop"

# basic logging facility

function log_init{
    if ( -not [System.Diagnostics.EventLog]::SourceExists($log_source) ){
        [System.Diagnostics.EventLog]::CreateEventSource($log_source, "Application")
    }
}

function log( [string] $msg, [int32] $eventID, [System.Diagnostics.EventLogEntryType] $level ){
    Write-EventLog -LogName Application -Source $log_source -EntryType $level -EventId $eventID -Message $msg 
    if ( $log_debugMode ){
        switch ($level){
            Warning {Write-Host $msg -ForegroundColor Yellow }
            Error { Write-Host $msg -ForegroundColor Red }
            default { Write-Host $msg -ForegroundColor Gray }
        }
    }
}

function dbg( [string] $msg ){
    if ( $log_debugMode ){ 
        log "DBG: $msg"  300 "Information"
    }
}

log_init


#########################


function DeclineExpiredUpdates( $dbconn ){

    log "Declining expired updates" 1 "Information"

    $Command = New-Object System.Data.SQLClient.SQLCommand 
    $Command.Connection = $dbconn 
    $Command.CommandTimeout = 3600
    $Command.CommandText = "EXEC spDeclineExpiredUpdates"
    try{
        $Command.ExecuteNonQuery() | Out-Null
    }
    catch{
        $script:errorCount++
        log "Exception declining expired updates:`n$_" 99 "Error"
    }
}

#########################

function DeclineSupersededUpdates( $dbconn ){

    log "Declining superseded updates" 1 "Information"
    
    $Command = New-Object System.Data.SQLClient.SQLCommand 
    $Command.Connection = $dbconn 
    $Command.CommandTimeout = 1800
    $Command.CommandText = "EXEC spDeclineSupersededUpdates"
    try{
        $Command.ExecuteNonQuery() | Out-Null
    }
    catch{
        $script:errorCount++
        log "Exception declining superseded updates:`n$_" 99 "Error"
    }
}


#######################

function DeleteObsoleteUpdates( $dbconn ){

        Log "Reading obsolete update list." 1 "Information"
        $Command = New-Object System.Data.SQLClient.SQLCommand 
        $Command.Connection = $dbconn 
        $Command.CommandTimeout = 600
        $Command.CommandText = "EXEC spGetObsoleteUpdatesToCleanup" 
        $reader = $Command.ExecuteReader()
        $table = New-Object System.Data.DataTable 
        $table.Load($reader)

        $updatesTotal = $table.Rows.Count
        log "Found $updatesTotal updates that can be deleted." 1 "Information"

        $updatesProcessed=0
        $Command.CommandTimeout = 300
        foreach( $row in $table.Rows ){
            try{
                if ( $dbconn.State -ne [System.Data.ConnectionState]::Open ){
                    log "Re-opening database connection" 2 "Warning"
                    $dbconn.Open()
                }
                $updatesProcessed++
                log "Deleting update $($row.localUpdateID) ($updatesProcessed of $updatesTotal)" 1 "Information"
                $Command.CommandText = "exec spDeleteUpdate @LocalUpdateID=$($row.localUpdateID)"
                $Command.ExecuteNonQuery() | Out-Null
            }
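            catch{
                # Use script scope: a bare $errorCount++ only changes a function-local copy
                # and the failure would be missing from the final summary.
                $script:errorCount++
                log "Error deleting update $($row.localUpdateID):`n$_" 8 "Warning"
            }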
        }

}

###################


function DbConnectionString{

    $WsusSetupKey = "HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup"

    if ( $script:SqlServer -eq "" ){
        $server = Get-ItemProperty -path $WsusSetupKey -Name "SqlServerName" -ErrorAction SilentlyContinue
        $db = Get-ItemProperty -path $WsusSetupKey -Name "SqlDatabaseName" -ErrorAction SilentlyContinue
        if ( ! $server  ){
            throw "Cannot determine SQL server name" 
        }
        $script:SqlServer = $server.SqlServerName
        $script:SqlDB = $db.SqlDatabaseName
    }

    if ( $script:SqlServer -match "microsoft##" ){
        return "data source=\\.\pipe\$script:SqlServer\tsql\query;Integrated Security=True;database='$script:SqlDB';Network Library=dbnmpntw"
    }
    else{
        return "server='$script:SqlServer';database='$script:SqlDB';trusted_connection=true;" 
    }

}


##############

function DeleteUnusedContent{

    log "Deleting unneeded content files" 1 "Information"
    
    try{
        Import-Module UpdateServices
        $status = Invoke-WsusServerCleanup -CleanupUnneededContentFiles 
        log "Done deleting unneeded content files: $status" 1 "Information"
    }
    catch{
        $script:errorCount++
        log "Exception deleting unneeded content files:`n$_" 99 "Error"
    }

}


###################

function DeleteInactiveComputers( $DbConn ){

    log "Removing obsolete computers" 1 "Information"
    
    $Command = New-Object System.Data.SQLClient.SQLCommand 
    $Command.Connection = $dbconn 
    $Command.CommandTimeout = 1800
    $Command.CommandText = "EXEC spCleanupObsoleteComputers"
    try{
        $Command.ExecuteNonQuery() | Out-Null
    }
    catch{
        $script:errorCount++
        log "Exception removing obsolete computers:`n$_" 99 "Error"
    }

}

function RestartWsusService{
    log "Stopping IIS.." 1 "Information"
    try{
        Stop-Service W3SVC -Force
        try{
            log "Restarting WSUS service.." 1 "Information"
            Restart-Service WsusService -Force 
        }
        finally{
            log "Starting IIS..." 1 "Information"
            Start-Service W3SVC 
        }
    }
    catch{
        $script:errorCount++
        log "Error restarting WSUS services:`n$_" 99 "Error"        
    }
    Start-Sleep -Seconds 30
}

<#------------------------------------------------
                     MAIN                         
-------------------------------------------------#>


$timeExecStart = Get-Date
$errorCount = 0

try{
    
    $Conn = New-Object System.Data.SQLClient.SQLConnection 
    $Conn.ConnectionString = DbConnectionString
    log "Connecting to database $SqlDB on $SqlServer" 1 "Information"
    $Conn.Open() 
    try{
        DeclineExpiredUpdates $Conn
        DeclineSupersededUpdates $Conn
        DeleteObsoleteUpdates $Conn
        DeleteInactiveComputers $Conn   
        RestartWsusService   
        if ( ! $SkipFileCleanup ) {  
            DeleteUnusedContent 
        }
    }
    finally{
        $Conn.Close() 
    }

}
catch{
    $errorCount++
    log "Unhandled exception:`n$_" 100 "Error"
}

$time_exec = ( Get-Date ) - $timeExecStart
# Whole hours plus the remaining minutes (TotalMinutes would include the hours again)
log "Completed script execution with $errorCount error(s)`nExecution time $([math]::Floor($time_exec.TotalHours)) hours and $($time_exec.Minutes) minutes." 1 "Information"

Source: https://github.com/djdomi/WSUS-Cleanup-Scripts 

2023-05-10 02:09
Jason Cole

Add non-clustered indexes to the WSUS database


-- Create custom index in tbLocalizedPropertyForRevision
USE [SUSDB]

CREATE NONCLUSTERED INDEX [nclLocalizedPropertyID] ON [dbo].[tbLocalizedPropertyForRevision]
(
     [LocalizedPropertyID] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, SORT_IN_TEMPDB = OFF, DROP_EXISTING = OFF, ONLINE = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]

-- Create custom index in tbRevisionSupersedesUpdate
CREATE NONCLUSTERED INDEX [nclSupercededUpdateID] ON [dbo].[tbRevisionSupersedesUpdate]
(
     [SupersededUpdateID] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, SORT_IN_TEMPDB = OFF, DROP_EXISTING = OFF, ONLINE = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]

If custom indexes have been previously created, running the script again results in an error similar to the following one:

Msg 1913, Level 16, State 1, Line 4
The operation failed because an index or statistics with name 'nclLocalizedPropertyID' already exists on table 'dbo.tbLocalizedPropertyForRevision'.
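
Added example (not part of the original article or the Microsoft script): a PowerShell function that creates the same two indexes only when they are missing, so a repeat run does not stop on Msg 1913. The function name and the sample connection string are assumptions; it uses System.Data.SqlClient as shipped with Windows PowerShell 5.1, and the connection string must select the SUSDB database.

```powershell
function Add-WsusCustomIndex {
    [CmdletBinding()]
    param(
        # Sample value (constructed): 'server=localhost;database=SUSDB;trusted_connection=true;'
        [Parameter(Mandatory)][string]$ConnectionString
    )

    # Index definitions copied from the script above. These identifiers are fixed
    # literals, never user input, so building the CREATE statement from them is safe.
    $indexes = @(
        @{ Name = 'nclLocalizedPropertyID'; Table = 'tbLocalizedPropertyForRevision'; Column = 'LocalizedPropertyID' },
        @{ Name = 'nclSupercededUpdateID';  Table = 'tbRevisionSupersedesUpdate';     Column = 'SupersededUpdateID' }
    )
    $with = 'WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, SORT_IN_TEMPDB = OFF, ' +
            'DROP_EXISTING = OFF, ONLINE = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]'

    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        foreach ($ix in $indexes) {
            # Look the index up in the catalog first; values are passed as parameters.
            $check = $conn.CreateCommand()
            $check.CommandText = 'SELECT COUNT(*) FROM sys.indexes ' +
                                 'WHERE name = @name AND object_id = OBJECT_ID(@table)'
            [void]$check.Parameters.AddWithValue('@name',  $ix.Name)
            [void]$check.Parameters.AddWithValue('@table', "dbo.$($ix.Table)")
            $exists = [int]$check.ExecuteScalar() -gt 0

            if (-not $exists) {
                $create = $conn.CreateCommand()
                $create.CommandTimeout = 600   # index builds on a large SUSDB can be slow
                $create.CommandText = "CREATE NONCLUSTERED INDEX [$($ix.Name)] " +
                                      "ON [dbo].[$($ix.Table)] ([$($ix.Column)] ASC) $with"
                [void]$create.ExecuteNonQuery()
            }

            # One result row per index, so a scheduled run can log what it did.
            [pscustomobject]@{
                Index  = $ix.Name
                Table  = "dbo.$($ix.Table)"
                Action = if ($exists) { 'AlreadyPresent' } else { 'Created' }
            }
        }
    }
    finally {
        $conn.Close()
    }
}
```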

2023-05-09 02:34
Jason Cole

Decline Superseded Updates PowerShell WSUS

Decline-SupersededUpdates.ps1

e.g. Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -Port 8531 -ExclusionPeriod 90 

Copy the below code into a file called Decline-SupersededUpdates.ps1

<#
    .SYNOPSIS
        Script to decline superseded updates in WSUS. It's recommended to run the script with the -SkipDecline switch to see how many superseded updates 
        are in WSUS and to TAKE A BACKUP OF THE SUSDB before declining the updates.

    .PARAMETER UpdateServer
        Specify WSUS Server Name

    .PARAMETER Port
        WSUS Server Port

    .PARAMETER UseSSL
        Specifies whether WSUS Server is configured to use SSL

    .PARAMETER SkipDecline
        Runs decline script in audit mode

    .PARAMETER DeclineLastLevelOnly
        Whether to decline all superseded updates or only last level superseded updates

        Supersedence chain could have multiple updates. For example, Update1 supersedes Update2. Update2 supersedes Update3. In this scenario,
        the Last Level in the supersedence chain is Update3. To decline only the last level updates in the supersedence chain, specify the DeclineLastLevelOnly switch

    .PARAMETER ExclusionPeriod
        The number of days between today and the release date for which the superseded updates must not be declined.

    .EXAMPLE
        # To do a test run against WSUS Server without SSL
        Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -Port 8530 -SkipDecline

    .EXAMPLE
        # To do a test run against WSUS Server using SSL
        Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -UseSSL -Port 8531 -SkipDecline

    .EXAMPLE
        # To decline all superseded updates on the WSUS Server using SSL
        Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -UseSSL -Port 8531

    .EXAMPLE
        # To decline only Last Level superseded updates on the WSUS Server using SSL
        Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -UseSSL -Port 8531 -DeclineLastLevelOnly

    .EXAMPLE
        # To decline all superseded updates on the WSUS Server using SSL but keep superseded updates published within the last 2 months (60 days)
        Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -UseSSL -Port 8531 -ExclusionPeriod 60
#>
[CmdletBinding()]
param
(
    [Parameter(Mandatory = $true, Position = 1)]
    [string]
    $UpdateServer,

    [Parameter(Mandatory = $true, Position = 2)]
    [int]
    $Port,

    [Parameter()]
    [switch]
    $UseSSL,

    [Parameter()]
    [switch]
    $SkipDecline,

    [Parameter()]
    [switch]
    $DeclineLastLevelOnly,

    [Parameter()]
    [int]
    $ExclusionPeriod = 0
)

if (-not (Test-Path -Path "$PSScriptRoot\WsusDeclineLogs"))
{
    New-Item -Path $PSScriptRoot -Name 'WsusDeclineLogs' -ItemType Directory -Force
}

$file = "$PSScriptRoot\WsusDeclineLogs\WSUS_Decline_Superseded_{0:MMddyyyy_HHmm}.log" -f (Get-Date) 

Start-Transcript -Path $file

if ($SkipDecline -and $DeclineLastLevelOnly)
{
    Write-Output -InputObject 'Using SkipDecline and DeclineLastLevelOnly switches together is not allowed.'
    Write-Output -InputObject ''
    return
}

$outSupersededList = Join-Path -Path "$PSScriptRoot\WsusDeclineLogs" -ChildPath 'SupersededUpdates.csv'
$outSupersededListBackup = Join-Path -Path "$PSScriptRoot\WsusDeclineLogs" -ChildPath 'SupersededUpdatesBackup.csv'

Set-Content -Value 'UpdateID, RevisionNumber, Title, KBArticle, SecurityBulletin, LastLevel' -Path $outSupersededList

try
{
    if ($UseSSL)
    {
        Write-Output -InputObject "Connecting to WSUS server $UpdateServer on Port $Port using SSL... "
    }
    else
    {
        Write-Output -InputObject "Connecting to WSUS server $UpdateServer on Port $Port... "
    }
    
    [reflection.assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration') | Out-Null
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($UpdateServer, $UseSSL, $Port);
}
catch [System.Exception] 
{
    Write-Output -InputObject 'Failed to connect.'
    Write-Output -InputObject "Error: $($_.Exception.Message)"
    Write-Output -InputObject 'Please make sure that WSUS Admin Console is installed on this machine'
    Write-Output -InputObject ''
    $wsus = $null
}

if ($null -eq $wsus)
{
    return
}

Write-Output -InputObject 'Connected.'

$UpdateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope

(Get-Date).AddMonths(-6)
$UpdateScope.FromArrivalDate = (Get-Date).AddMonths(-6)
$UpdateScope.ToArrivalDate = (Get-Date)

$countAllUpdates = 0
$countSupersededAll = 0
$countSupersededLastLevel = 0
$countSupersededExclusionPeriod = 0
$countSupersededLastLevelExclusionPeriod = 0
$countDeclined = 0

Write-Output -InputObject 'Getting a list of all updates... '

try
{
    $allUpdates = $wsus.GetUpdates($UpdateScope)
}
catch [System.Exception]
{
    Write-Output -InputObject 'Failed to get updates.'
    Write-Output -InputObject "Error: $($_.Exception.Message)"
    Write-Output -InputObject 'If this operation timed out, please decline the superseded updates from the WSUS Console manually.'
    Write-Output -InputObject ''
    return
}

Write-Output -InputObject 'Done'

Write-Output -InputObject 'Parsing the list of updates... '
foreach ($update in $allUpdates)
{
    $countAllUpdates++

    if ($update.IsDeclined)
    {
        $countDeclined++
    }

    if (-not $update.IsDeclined -and $update.IsSuperseded)
    {
        $countSupersededAll++
    
        if (-not $update.HasSupersededUpdates)
        {
            $countSupersededLastLevel++
        }

        if ($update.CreationDate -lt (Get-Date).AddDays(-$ExclusionPeriod))
        {
            $countSupersededExclusionPeriod++
            if (-not $update.HasSupersededUpdates)
            {
                $countSupersededLastLevelExclusionPeriod++
            }
        }

        "$($update.Id.UpdateId.Guid), $($update.Id.RevisionNumber), $($update.Title), $($update.KnowledgeBaseArticles), $($update.SecurityBulletins), $($update.HasSupersededUpdates)" | Out-File $outSupersededList -Append
    }
}

Write-Output -InputObject 'Done.'
Write-Output -InputObject "List of superseded updates: $outSupersededList"

Write-Output -InputObject ''
Write-Output -InputObject 'Summary:'
Write-Output -InputObject '========'

Write-Output -InputObject "All Updates = $countAllUpdates"
$AnyExceptDeclined = $countAllUpdates - $countDeclined
Write-Output -InputObject "Any except Declined = $AnyExceptDeclined"
Write-Output -InputObject "All Superseded Updates = $countSupersededAll"
$SuperseededAllOutput = $countSupersededAll - $countSupersededLastLevel
Write-Output -InputObject "    Superseded Updates (Intermediate) = $SuperseededAllOutput"
Write-Output -InputObject "    Superseded Updates (Last Level) = $countSupersededLastLevel"
Write-Output -InputObject "    Superseded Updates (Older than $ExclusionPeriod days) = $countSupersededExclusionPeriod"
Write-Output -InputObject "    Superseded Updates (Last Level Older than $ExclusionPeriod days) = $countSupersededLastLevelExclusionPeriod"

$i = 0
if (-not $SkipDecline)
{
    
    Write-Output -InputObject "SkipDecline flag is set to $SkipDecline. Continuing with declining updates"
    $updatesDeclined = 0
    
    if ($DeclineLastLevelOnly)
    {
        Write-Output -InputObject '  DeclineLastLevel is set to True. Only declining last level superseded updates.' 
        
        foreach ($update in $allUpdates)
        {
            
            if (-not $update.IsDeclined -and $update.IsSuperseded -and -not $update.HasSupersededUpdates)
            {
                if ($update.CreationDate -lt (Get-Date).AddDays(-$ExclusionPeriod))
                {
                    $i++
                    $percentComplete = "{0:N2}" -f (($updatesDeclined / $countSupersededLastLevelExclusionPeriod) * 100)
                    Write-Progress -Activity "Declining Updates" -Status "Declining update #$i/$countSupersededLastLevelExclusionPeriod - $($update.Id.UpdateId.Guid)" -PercentComplete $percentComplete -CurrentOperation "$($percentComplete)% complete"

                    try
                    {
                        $update.Decline()
                        $updatesDeclined++
                    }
                    catch [System.Exception]
                    {
                        # Build one string: a second positional argument cannot be bound once -InputObject is named
                        Write-Output -InputObject "Failed to decline update $($update.Id.UpdateId.Guid). Error: $($_.Exception.Message)"
                    }
                }
            }
        }
    }
    else
    {
        Write-Output -InputObject '  DeclineLastLevel is set to False. Declining all superseded updates.'

        foreach ($update in $allUpdates)
        {
            
            if (-not $update.IsDeclined -and $update.IsSuperseded)
            {
                if ($update.CreationDate -lt (Get-Date).AddDays(-$ExclusionPeriod))
                {
                  
                    $i++
                    # Only updates older than the exclusion period are declined here, so that count is the progress total
                    $percentComplete = "{0:N2}" -f (($updatesDeclined / $countSupersededExclusionPeriod) * 100)
                    Write-Progress -Activity "Declining Updates" -Status "Declining update #$i/$countSupersededExclusionPeriod - $($update.Id.UpdateId.Guid)" -PercentComplete $percentComplete -CurrentOperation "$($percentComplete)% complete"
                    try
                    {
                        $update.Decline()
                        $updatesDeclined++
                    }
                    catch [System.Exception]
                    {
                        # Build one string: a second positional argument cannot be bound once -InputObject is named
                        Write-Output -InputObject "Failed to decline update $($update.Id.UpdateId.Guid). Error: $($_.Exception.Message)"
                    }
                }
            }
        }
    }

    Write-Output -InputObject "  Declined $updatesDeclined updates."

    if ($updatesDeclined -ne 0)
    {
        Copy-Item -Path $outSupersededList -Destination $outSupersededListBackup -Force
        Write-Output -InputObject "  Backed up list of superseded updates to $outSupersededListBackup"
    }
}
else
{
    Write-Output -InputObject "SkipDecline flag is set to $SkipDecline. Skipped declining updates"
}

Write-Output -InputObject ''
Write-Output -InputObject 'Done'
Write-Output -InputObject ''

Stop-Transcript

2023-05-10 02:15
Jason Cole

WSUS Client-Side targeting by registry

Configure WSUS to utilize Group Policy or Registry settings for computer group assignments rather than using the Update Services Console.
WSUS > Options > Computers

The script does the following:
• Retrieves the Windows build number of the current system.
• Imports a CSV file that contains a mapping of Windows build numbers to WSUS groups.
• Sets a default WSUS group of ‘unassigned’.
• Searches the imported CSV data for a matching Windows build number. If a match is found, it sets the WSUS group to the corresponding value from the CSV file.
• Checks if the registry path exists and if not, creates it. (Groups with spaces may need quotes)
• Writes the WSUS group value to the registry.

The CSV file and path \\server\data\WBuildNumbers.csv need to be updated and accessible from the machine where this script is run.
The CSV file itself should have columns named ‘Windows Build Number’ and ‘WSUS Group’ (as Attached)

# Setup variables
$registry_path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$build_data = "\\server\data\WBuildNumbers.csv"

# Get the Windows build number
$build_number = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

# Import the CSV file
$csv_data = Import-Csv -Path "$build_data"

# Set default value if no matching entry found
$wsus_group = 'unassigned'

# Find the matching row
foreach ($row in $csv_data) {
    if ($row.'Windows Build Number' -eq $build_number) {
        $wsus_group = $row.'WSUS Group'
        break
    }
}

# check for and create registry path if it does not exist.
if (!(Test-Path $registry_path)) {
    New-Item -Path $registry_path -Force | Out-Null
}

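# Write to the Registry entry
# TargetGroupEnabled must be 1 for the client to use the TargetGroup value (0 turns client-side targeting off)
Set-ItemProperty -Path $registry_path -Name 'TargetGroupEnabled' -Value 1 -Type DWORD
Set-ItemProperty -Path $registry_path -Name 'TargetGroup' -Value "$wsus_group"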

If you want some error logging you could use this:

# Setup variables
$registry_path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$build_data = "\\server\data\WBuildNumbers.csv"

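# Treat cmdlet errors as terminating so the catch block below receives them
$ErrorActionPreference = 'Stop'

try {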
    # Get the Windows build number
    $build_number = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    # Import the CSV file
    $csv_data = Import-Csv -Path "$build_data"

    # Set default value if no matching entry found
    $wsus_group = 'unassigned'

    # Find the matching row
    foreach ($row in $csv_data) {
        if ($row.'Windows Build Number' -eq $build_number) {
            $wsus_group = $row.'WSUS Group'
            break
        }
    }

    # check for and create registry path if it does not exist.
    if (!(Test-Path $registry_path)) {
        New-Item -Path $registry_path -Force | Out-Null
    }

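    # Write to the Registry entry
    # TargetGroupEnabled must be 1 for the client to use the TargetGroup value (0 turns client-side targeting off)
    Set-ItemProperty -Path $registry_path -Name 'TargetGroupEnabled' -Value 1 -Type DWORD
    Set-ItemProperty -Path $registry_path -Name 'TargetGroup' -Value "$wsus_group"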
} catch {
    # Log the error
    $Error[0] | Out-File -FilePath '\\server\data\wsus_erro_log.txt' -Append
}

 

2023-11-21 00:38
Jason Cole

WSUS Client-Side targeting by Group Policy

Configure WSUS to utilize Group Policy or Registry settings for computer group assignment rather than using the Update Services Console.
WSUS > Options > Computers

Set up groups/folders in WSUS
e.g., Windows 10 22H2 or just Windows 10.

We then start setting up Group Policies called “WSUS Windows 10 21H2” (Just an example)

In each policy, you go to
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Enable client-side targeting.
Enable that Policy and enter the Group or Groups you want these computers to be allocated to, separating multiple groups with a semicolon.
Groups with spaces must be in quotes.

And of course, add WMI filters to select the relevant computers.

Depending on how you want to isolate, just by Windows version or another variable, would determine the WMI filter setup.

Windows 10 22H2: select * from Win32_OperatingSystem where Version like "10.0.19045%" and ProductType="1"
Windows 10: SELECT * FROM Win32_OperatingSystem WHERE Version like "10.0%" AND ProductType="1"

All other WSUS policies stay untouched.

Note: If two policies are applied, the last applied policy takes precedence and overwrites the group setting.
To apply multiple group selections, use a single policy.

Source: https://www.prajwaldesai.com/windows-11-versions-build-numbers 

2024-03-27 03:34
Jason Cole

Linux


Show IP on Linux Console Logon

The logon message file is located at /etc/issue.

The following will look up the local and WAN IP and update the /etc/issue file.

Create file
sudo nano /etc/ip_info.sh

Paste the following

#!/bin/bash

# Wait for 5 seconds
sleep 5

# Get the local IP Address
local_ip=$(ip route get 1 | awk '{print $7;exit}')

# Get the public IP address using an external service
public_ip=$(curl -s https://api.ipify.org)

# Update issue file
echo "Local IP: $local_ip" > /etc/issue.tmp
echo "Public IP: $public_ip" >> /etc/issue.tmp

mv /etc/issue.tmp /etc/issue

Make Executable
sudo chmod +x /etc/ip_info.sh

Create new file
sudo nano /etc/systemd/system/ip-info.service

Paste the following

[Unit]
Description=Update IP Info issue file
After=multi-user.target
Requires=multi-user.target

[Service]
Type=oneshot
ExecStart=/etc/ip_info.sh

[Install]
WantedBy=multi-user.target

For Ubuntu installations, use the following lines in the [Unit] section instead of the multi-user.target lines
After=network-online.target
Requires=network-online.target

To enable starting at boot
sudo systemctl enable ip-info
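
A variant of the script above, added here as an example and not part of the original article: the reply from the external lookup service is checked to be a plain IPv4 address before it is written, since /etc/issue is displayed before login and getty expands backslash escapes found in it. The function names, the "unavailable" fallback and the --apply switch are assumptions of this example.

```bash
#!/bin/bash
# Added example: only values that parse as IPv4 addresses reach /etc/issue.

# Succeeds only for a dotted quad with four octets in the range 0-255.
is_ipv4() {
    local old_ifs octet
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray characters, misplaced dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; only digits and dots are left at this point
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0?*|????*) return 1 ;;             # leading zero or more than 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the value if it is a valid IPv4 address, otherwise a fixed fallback.
safe_ip() {
    if is_ipv4 "$1"; then
        printf '%s' "$1"
    else
        printf 'unavailable'
    fi
}

# Build the two banner lines from (possibly untrusted) inputs.
render_issue() {
    printf 'Local IP: %s\nPublic IP: %s\n' "$(safe_ip "$1")" "$(safe_ip "$2")"
}

# Look up both addresses and replace the target file in one rename.
# $1 = file to write (default /etc/issue).
update_issue() {
    local target tmp local_ip public_ip
    target=${1:-/etc/issue}
    local_ip=$(ip route get 1 2>/dev/null | awk '{print $7; exit}')
    # --max-time keeps a dead network from stalling the service.
    public_ip=$(curl -s --max-time 10 https://api.ipify.org 2>/dev/null)
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    render_issue "$local_ip" "$public_ip" > "$tmp"
    chmod 644 "$tmp"
    mv "$tmp" "$target"
}

# Nothing is written unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    update_issue "${2:-/etc/issue}"
fi
```

With this variant the unit file's ExecStart line becomes /etc/ip_info.sh --apply.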

2024-08-02 01:24
Jason Cole

Enable Sudo User Account on Debian 12 or higher

Introduction

This article provides a guide on how to enable a sudo user account on Debian 12.
Sudo (SuperUser DO) is a utility for UNIX- and Linux-based systems that provides the ability to delegate authority to certain users, groups of users, or administrators.

Steps to Enable Sudo User Account

  1. Log in as Root: First, you need to log in as root. If you’re not currently logged in as root, switch to the root user.
    su -

  2. Install Sudo: If sudo isn’t already installed, you can install it with the command
    apt-get install sudo

  3. Add User to Sudo Group: After installing sudo, add your user to the sudo group with the command
    usermod -aG sudo username
    Replace “username” with your actual username.

  4. Add user to the sudoers file: Run the following command, which opens a temporary copy of the sudoers file; your changes are written to “/etc/sudoers” when you save and exit.
    visudo
    Add the following line, replacing username with your actual username.
    username     ALL=(ALL:ALL) ALL
    After editing the sudoers file, press “Ctrl + S” and then “Ctrl + X”.

  5. Verify Sudo Access: To verify that the user has sudo access, check the user's group membership.
    groups username
    Replace username with your actual username.
    Switch to the user and run a command with sudo
    sudo ls 
    If you’re asked for a password and can run the command without errors, the user has sudo access.
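
As an alternative to editing /etc/sudoers by hand in step 4, the added example below (not part of the original article) writes the same rule to a drop-in file under /etc/sudoers.d and installs it only after visudo -cf accepts it. The function names, the username pattern and the use of /etc/sudoers.d are assumptions of this example; Debian's default sudoers file includes that directory.

```bash
#!/bin/bash
# Added example: grant sudo through a syntax-checked drop-in file.
LC_ALL=C; export LC_ALL   # make the a-z ranges below match ASCII lowercase only

# Conservative name check (assumption of this example): a lowercase letter
# first, then lowercase letters, digits, "_" or "-", at most 32 characters.
# Such names contain no "." or "~", which sudo would skip in sudoers.d.
valid_username() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# The rule from step 4, for one user.
sudoers_line() {
    printf '%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Write the rule to <dir>/<user> only after visudo accepts it.
# $1 = username, $2 = target directory (default /etc/sudoers.d).
install_sudoers_dropin() {
    local user dir tmp
    user=$1
    dir=${2:-/etc/sudoers.d}
    if ! valid_username "$user"; then
        echo "refusing invalid username" >&2
        return 2
    fi
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; install sudo first (step 2)" >&2
        return 3
    fi
    tmp=$(mktemp) || return 1
    sudoers_line "$user" > "$tmp"
    # -c: check only, -f: file to check. A rejected file never reaches $dir.
    if ! visudo -cf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "visudo rejected the generated rule" >&2
        return 4
    fi
    # Keep the drop-in read-only (0440), the mode used for /etc/sudoers.
    if ! install -m 0440 "$tmp" "$dir/$user"; then
        rm -f "$tmp"
        return 5
    fi
    rm -f "$tmp"
}

# Run as root with a username, e.g.: ./add_sudo_user.sh alice
if [ "$#" -ge 1 ]; then
    install_sudoers_dropin "$@"
fi
```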

Conclusion

Following these steps will enable a sudo user account on Debian 12 or higher.
This allows the user to run commands with root privileges, which is useful for system administration tasks.

Always be careful when making changes to your system and make sure you understand the commands you are running.

2024-07-30 01:48
Jason Cole

Install Webmin on Debian 12 or Higher

Installing Webmin on Debian

Introduction

Webmin is a web-based interface for system administration for Unix.
Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more.

Prerequisites

Before installing Webmin, ensure that you have:

  • A Debian server. This server should have a non-root user with sudo privileges and a UFW firewall configured.
  • Apache installed.
  • A Fully-Qualified Domain Name (FQDN), with a DNS A record pointing to the IP address of your server.

Installation

Repository Setup

The simplest and best way to get Webmin is to use the automatic setup-repos.sh script to configure repositories on your Debian system.
This script will automatically set up the Webmin repository and install the Webmin GPG keys on your system.

wget -O setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
sudo sh setup-repos.sh

Install Webmin

If the Webmin repository was set up successfully then Webmin can be installed using apt-get:

sudo apt-get install webmin

Access Webmin

After installation, you can access its interface by entering https://<Your-Server-IP>:10000 in your browser.
Check that your firewall configuration allows access through port 10000.

Conclusion

Webmin is a powerful tool for managing Debian servers through a web-based interface. This guide provides a basic overview of how to install and access Webmin on Debian.

Source: https://webmin.com/download/#debian-and-derivatives 

2024-07-30 02:58
Jason Cole

SMBus Host Controller Not Enabled Error


The “SMBus Host Controller Not Enabled” error typically occurs when the SMBus (System Management Bus) controller is not enabled in the BIOS or UEFI settings of your computer. This error can be rectified by following the steps below:

Steps to Rectify the Error

1. Modify the blacklist.conf file

Open the blacklist.conf file using the nano text editor with the following command:

sudo nano /etc/modprobe.d/blacklist.conf

2. Add the line

In the opened file, add the following line:

blacklist i2c-piix4

This line will blacklist the i2c-piix4 module.

3. Update the Initial RAM Filesystem

Execute the following command to update the Initial RAM Filesystem:

sudo update-initramfs -u -k all

This command updates the initial ramdisk for all kernel versions installed on the system.

4. Restart the System

After completing the above steps, restart your system to test if the error has been rectified:

sudo reboot

After the system restarts, the “SMBus Host Controller Not Enabled” error should be rectified. If the problem persists, consider consulting with a professional or your system manufacturer.

2024-08-02 01:09
Jason Cole

Installing Open-VM-Tools

The Open Virtual Machine Tools (open-vm-tools) is a set of services and modules that enable several features in VMware products for better management of, and seamless user interactions with, guests.
It is a suite of open-source virtualization utilities and drivers to improve the functionality and user experience of virtual machines.

Here are the steps to install Open-VM-Tools:

Step 1: Update the Package Index

First, ensure that the package index is updated. This can be done by running the following command:

sudo apt-get update

Step 2: Install Open-VM-Tools

Next, use the following command to install open-vm-tools:

sudo apt-get install open-vm-tools

Step 3: Install Open-VM-Tools-Desktop (Optional)

If the virtual machine (VM) has a graphical user interface (GUI) such as X11, you can install or upgrade open-vm-tools-desktop:

sudo apt-get install open-vm-tools-desktop

This step is optional and only needed if the VM has a GUI.

2024-08-05 00:56
Jason Cole

Upgrading Ubuntu 22.04 LTS to 24.04 LTS


Introduction

Upgrading from Ubuntu 22.04 LTS to the latest non-LTS development release can be necessary for accessing new features and improvements.
This guide provides a safe method to upgrade your system before the release of Ubuntu 24.04.1 LTS, scheduled for August 29th, 2024.

Prerequisites

Before starting the upgrade process, ensure that your system is backed up to prevent data loss.
You will need administrative privileges to perform the following steps.

Step-by-Step Upgrade Process

  1. Modify the Release Upgrade Prompt

    • Open the /etc/update-manager/release-upgrades file for editing:
      sudo nano /etc/update-manager/release-upgrades
      
    • Set the Prompt value to normal:
      Prompt=normal
      
    • Save and close the file.
  2. Initiate the Upgrade

    • Run the following command to start the upgrade process:
      sudo do-release-upgrade
      
    • Follow all onscreen instructions to complete the upgrade to Ubuntu 23.10.
    • Reboot the system:
      sudo reboot
      
  3. Revert the Release Upgrade Prompt

    • After rebooting, edit the /etc/update-manager/release-upgrades file again:
      sudo nano /etc/update-manager/release-upgrades
      
    • Set the Prompt value back to lts:
      Prompt=lts
      
    • Save and close the file.
  4. Upgrade to Ubuntu 24.04 LTS

    • Finally, run the following command to upgrade from Ubuntu 23.10 to 24.04 LTS:
      sudo do-release-upgrade -d
      
    • Follow the remaining instructions to complete the upgrade.

Conclusion

By following these steps, you can safely upgrade your Ubuntu 22.04 LTS system to the latest development release and eventually to Ubuntu 24.04 LTS. Always ensure your data is backed up before performing system upgrades.

2024-08-20 05:32
Jason Cole

Windows - Hyper-V


SCVMM Server Unable to Mount ISO from Library (Error 12700)

This issue occurs in System Center Virtual Machine Manager (SCVMM) when a Hyper-V host fails to mount an ISO file from the SCVMM library.
The attempt to attach the ISO results in Error 12700, indicating that the virtual machine cannot add a virtual CD/DVD device.

Symptoms

When mounting an ISO through SCVMM, the operation fails with the following message:

Error (12700):
VMM cannot complete the host operation on the 'G-HV-760-1.RGGS.LOCAL' server because of the error: 'Adam' failed to add device 'Virtual CD/DVD Disk'.
(Virtual machine ID 7BA214B7-7F98-42D3-972F-299304A87A49)
Unknown error (0x8000)

Problem Description

The error indicates that the Hyper-V Virtual Machine Management Service (VMMS) has lost connection to one or more Virtual Storage Providers.
These providers support operations such as ISO mounting and virtual disk management. When they are not registered with VMMS, dynamic device actions fail.

Why It Affects Server Core More Often

Hyper-V on Windows Server Core depends entirely on:

  • VMMS (Virtual Machine Management Service)
  • vmcompute (Host Compute Service)
  • WMI and WinRM
  • BITS integration

If any of these components are restarted, reset, or rebuilt, VMMS can lose its storage provider registrations.
This frequently happens after:

  • WMI repository rebuilds
  • WinRM listener resets
  • BITS service resets
  • SCVMM agent reinstalls or updates

When this occurs, Hyper-V cannot perform dynamic storage operations, including mounting ISO files.

Resolution

Restart the key Hyper-V services on the host where the affected VM is running.
Use the following PowerShell commands:

Stop-Service vmcompute
Restart-Service vmms
Start-Service vmcompute

This sequence forces Hyper-V to reload its storage providers and re-establish communication with SCVMM, restoring the ability to mount ISO files.

2026-02-12 05:52
Jason Cole

SCVMM Hyper-V Library Share Requirements

1. Required SPNs for Library Access

Verify required SPNs using PowerShell:

Get-ADComputer HOST1 -Properties ServicePrincipalName
Get-ADComputer HOST2 -Properties ServicePrincipalName

Required SPNs on each Hyper-V host:

  • cifs/HOST1
  • cifs/HOST1.domain.local
  • cifs/HOST2
  • cifs/HOST2.domain.local

If SPNs are missing, add them:

setspn -S "cifs/HOST1" HOST1
setspn -S "cifs/HOST1.domain.local" HOST1
setspn -S "cifs/HOST2" HOST2
setspn -S "cifs/HOST2.domain.local" HOST2

2. SCVMM Library Share Structure

Use short folder/share names to avoid MAX_PATH issues:

  • X:\VMM_Lib (share name: VMM_Lib)
  • X:\MSSCVMMLibrary (share name: VMLibrary)

3. Library Share Permissions

Share permissions:

  • SCVMM server(s): Full Control
  • Hyper-V hosts: Read
  • Admins: Full Control

NTFS permissions:

  • SYSTEM: Full Control
  • Administrators: Full Control
  • SCVMM service account or server machine account: Modify
  • Hyper-V hosts (Domain Computers): Read

SCVMM requires Modify access for library refresh and storage migration.

4. Restart VMM Agent

Restart-Service vmmagent

5. Required Firewall Ports

  • SMB: TCP 445
  • WinRM: TCP 5985 / 5986
  • DCOM/RPC: TCP 135
  • SCVMM Agent: TCP 443
  • BITS: TCP 80 / 443

2026-02-18 07:20
Jason Cole

SCVMM and Hyper-V Hosts Kerberos Delegation Requirements

1. Required SPNs

Verify SPNs:

Get-ADComputer HOST1 -Properties ServicePrincipalName
Get-ADComputer HOST2 -Properties ServicePrincipalName

Required SPNs for each Hyper-V host:

  • Microsoft Virtual System Migration Service/HOST1
  • Microsoft Virtual System Migration Service/HOST1.domain.local
  • Microsoft Virtual System Migration Service/HOST2
  • Microsoft Virtual System Migration Service/HOST2.domain.local
  • cifs/HOST1
  • cifs/HOST1.domain.local
  • cifs/HOST2
  • cifs/HOST2.domain.local

Optional (only if using VMConnect):

  • Microsoft Virtual Console Service/HOST1
  • Microsoft Virtual Console Service/HOST1.domain.local
  • Microsoft Virtual Console Service/HOST2
  • Microsoft Virtual Console Service/HOST2.domain.local

2. Configure Kerberos Delegation

In Active Directory Users and Computers:

  • Open the Hyper-V host properties
  • Go to the Delegation tab
  • Select: Trust this computer for delegation to specified services only
  • Select: Use Kerberos only

Add delegations:

Delegate to the SCVMM Library Server (SCVMM_Server):

  • cifs

Delegate to peer Hyper-V hosts:

  • Microsoft Virtual System Migration Service
  • cifs

3. Final Configuration

HOST1 delegates to:

  • SCVMM_Server (cifs)
  • HOST2 (migration service + cifs)

HOST2 delegates to:

  • SCVMM_Server (cifs)
  • HOST1 (migration service + cifs)

4. Kerberos Double-Hop Summary

SCVMM performs multi-hop authentication:

Hyper-V Host → SCVMM → Library Server

This requires:

  • Correct SPNs on all servers
  • Kerberos-only delegation
  • CIFS and Migration service delegation

If any of these are missing, library refresh and live migration will fail with Kerberos or access denied errors.

2026-02-18 07:22
Jason Cole

Fixing SCVMM ISO Mount Failures on Windows Server 2025

Perform all steps on the SCVMM management server.


1. Reset WinRM completely

Run:

winrm quickconfig -force
winrm set winrm/config/service @{AllowUnencrypted="false"}
winrm set winrm/config/service/auth @{Basic="false"}
winrm set winrm/config/service @{EnableCompatibilityHttpListener="true"}
winrm set winrm/config/service @{EnableCompatibilityHttpsListener="true"}

Restart the services:

net stop winrm
net start winrm

2. Reset the BITS Compact Server configuration

This fixes the URL group failure.

bitsadmin /util /compactserver /reset

Or on Server 2025 PowerShell:

Get-BitsCompactServer | Reset-BitsCompactServer

Then reinitialise:

Initialize-BitsCompactServer

3. Re-register the WMI BITS provider

mofcomp %windir%\system32\wbem\qmgrprv.mof

Restart WMI:

net stop winmgmt
net start winmgmt

4. Verify the URL reservation exists

SCVMM requires this reservation:

netsh http show urlacl | findstr /i "bits"

If missing, re-add:

netsh http add urlacl url=http://+:5985/bits user="NT AUTHORITY\NETWORK SERVICE"

5. Restart SCVMM services

Stop-Service SCVMMService
Start-Service SCVMMService

6. Test ISO Attach

Try mounting any ISO from the SCVMM Library.
If it succeeds, the issue is resolved.


7. If the problem persists

Check for BITS compact server failures:

Get-WinEvent -ProviderName Microsoft-Windows-Bits-Compact-Server -MaxEvents 20

Look for permission-denied or invalid-parameter errors. These confirm the root cause.


Why this is NOT a Problem With:

  • The ISO files
  • SCVMM library share
  • Hyper-V hosts
  • The cluster
  • S2D storage
  • Networking

Only the SCVMM management server uses the BITS Compact Server — the Hyper‑V hosts do not.

2026-03-04 00:18
Jason Cole

Hyper-V ISO Handling and Caching Behavior in SCVMM

This article explains how System Center Virtual Machine Manager (SCVMM) manages ISO attachments in Hyper-V, why attachment times vary, and how Windows caching mechanisms can influence performance.

Overview

When attaching an ISO to a virtual machine, SCVMM provides two options:

  • Copy the ISO to the host
  • Share the ISO directly from the library

Copy mode requires transferring the file, while share mode uses a UNC path.
These differences explain most performance variations administrators observe.

How SCVMM Handles ISO Copying

When Copy is selected:

  • SCVMM transfers the ISO from the library server using BITS and WinRM
  • The ISO is placed in a temporary staging folder on the Hyper-V host
  • The file is deleted once the VM no longer needs it

Typical staging locations include:

  • C:\ProgramData\Microsoft\Windows\Hyper-V\VMMDisks\
  • C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines\{GUID}\Virtual Hard Disks\

Important: SCVMM does not cache ISO files.
Every attach operation triggers a new copy unless the file already exists in the exact path SCVMM expects.

Why Copying Sometimes Appears Faster

Although SCVMM initiates a full copy each time, Windows may speed up repeat operations when the same ISO was recently used.
This can make the attachment appear significantly faster.

Windows may accelerate transfers because of:

  • RAM standby list caching (the ISO may still be in memory)
  • SMB, WinRM, or BITS buffer reuse
  • Cached disk metadata or warmed NTFS write paths

In some cases, if SCVMM has not yet removed the ISO from the host’s staging directory and the file path matches, SCVMM can reuse the existing file.
This is not caching; it is simply the reuse of an already existing file.

Why SCVMM Avoids Caching

SCVMM is intentionally designed not to cache ISO files on hosts. This avoids:

  • Wasted storage across multiple hosts
  • Outdated or inconsistent ISO versions
  • Orphaned ISO files after workloads are removed
  • Loss of library-based version control

Share Mode Behaviour

When using Share the image file:

  • No file transfer occurs
  • SCVMM attaches the ISO directly using a UNC path
  • Attachment is nearly instantaneous
  • No reliance on BITS or WinRM

This is the fastest method, assuming the Hyper-V host has a stable SMB connection to the library share.

Improving ISO Attachment Performance

To reduce ISO attach times:

Option 1: Use Share mode

  • Instant attachment
  • Best option when SMB connectivity is reliable

Option 2: Use a CSV-backed library share

  • Frequently used ISOs can be placed on a Cluster Shared Volume
  • Hosts read from high-speed cluster storage
  • Copies complete much faster than when reading from the SCVMM server

Summary

  • SCVMM does not cache ISO files on hosts
  • Copy mode always performs a new transfer unless the ISO is still present in the expected path
  • Windows caching can make repeated copies appear much faster
  • Share mode is the fastest method and avoids copying entirely
  • A CSV-backed library share improves copy performance when sharing is not feasible

2026-03-04 00:20
Jason Cole

Putty


Portable PuTTY

Portable PuTTY is a self-contained version of the popular PuTTY SSH and Telnet client. It requires no installation, making it ideal for situations where you cannot run traditional installers.

Key Benefits:

  • No Installation Required: Can be run directly from its folder.
  • Portability: Perfect for use on a USB drive, cloud folder, or on public/restricted computers.
  • Self-Contained: Keeps all settings and session data within its own folder, leaving the host computer untouched.

Download

You can download the latest version from the official page on PortableApps.com.


(Note: The link has been updated from a direct download to the main project page, which is more stable and less likely to break over time.)

2026-05-15 01:41
Jason Cole

Automatically Naming PuTTY Log Files with Variables

When using PuTTY to log session output, it can be tedious to manually rename the log file for every session to prevent it from being overwritten.
PuTTY has a powerful built-in feature that allows you to use variables (special character codes) in the log filename. This automatically creates a unique and descriptive name for each log file based on information like the date, time, and host.

Why Use Dynamic Filenames?

  • Prevents Overwriting: Each session gets its own unique file.
  • Better Organization: Files are automatically sorted by name, date, or time.
  • Provides Context: The filename instantly tells you which host and when the session occurred.
  • "Set it and forget it": Configure it once and never worry about log filenames again.

Available Variables

You can insert the following codes into the "Log file name" field in PuTTY's configuration:

Code   Description                   Example Output
&Y     Year (4 digits)               2023
&M     Month (2 digits)              10
&D     Day (2 digits)                27
&T     Time in HHMMSS format         143005
&H     Hostname or IP address        myserver.com
&P     Port number                   22
&C     Session configuration name    Server 1

How to Configure Logging

  1. Open PuTTY.
  2. In the Category tree on the left, load the session you want to configure.
  3. Navigate to Session → Logging.
  4. Under "Session logging", select a logging type. "All session output" is the most common choice.
  5. In the "Log file name" box, enter your desired filename using the variables above.
  6. (Important!) Go back to the Session category. Select your session name again and click the Save button. This ensures your settings are stored for future use.

Filename Examples

Example 1: Classic Host-Date-Time Log

This is a highly effective and popular format.

Filename string: &H-&Y&M&D-&T.log

Resulting File: myserver.com-20231027-143005.log

Example 2: The `putty_YYMMDD-HHMMSS.log` format

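To create a filename like putty_231027-143005.log, use the string below. Because &Y is always four digits, the result starts with 2023 rather than 23. (There also isn't a built-in way to shorten the time to just HHMM.)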

Filename string: putty_&Y&M&D-&T.log

Resulting File: putty_20231027-143005.log

Example 3: Organising Logs into Folders by Host

PuTTY can create directories on the fly. This is great for keeping logs for different servers separate.

Filename string: C:\PuTTYLogs\&H\&Y-&M-&D.log

Resulting File: This will create a file named 2023-10-27.log inside a folder named after the host (e.g., myserver.com), which is inside C:\PuTTYLogs\.

Pro-Tip: Setting a Default for All Future Sessions

If you want this logging behaviour to be the default for any new connection:

  1. Open PuTTY, but do not load a saved session.
  2. Go to Session → Logging and configure your desired "Log file name" format (e.g., &H-&Y&M&D.log).
  3. Return to the main Session screen.
  4. Select "Default Settings" from the saved sessions list.
  5. Click Save.

Now, any time you type a new hostname in the main screen and click "Open", PuTTY will automatically log the session using your defined filename format.

2026-05-15 01:58
Jason Cole