Block the Win 10 style Data Gathering from Windows 7/8/Server2008

Microsoft Windows 10 has some pretty intrusive data gathering built into the operating system.   It collects anonymous and not-so-anonymous data from users of the Operating System.   Today, MS released 4 Optional Updates to bring the Win 10 Style Telemetry and Data Gathering to previous versions of Windows.

The 4 updates are:

KB3075249
KB3077715
KB3078667
KB3080149

MS Fanboys will claim there’s nothing personal that MS takes… but I say, do you really trust them?
People will claim ios and android already do this… but I say, why give them anything about your self at all if you can avoid it?
Many say we already post about ourselves online in social media… For those of us who don’t, I say don’t apply these updates .

To block them, you simply hide the updates in Windows Update.
Got to the Control Panel -> Windows Updates or START -> Search -> Windows Update

Select Optional Updates
Block win 7 Data gathering 1

Right Click each of the 4 updates and select ‘Hide Updates’
Block win 7 Data gathering 2

Hit OK and that’s it. Gone until MS tries to sneak it in again down the road.

Another option is to use this OpenSource Program to disable the tracking:
https://github.com/10se1ucgo/DisableWinTracking

Lastly, If you already installed the KBs, you can uninstall them directly from the “Programs and Features” in Control Panel.

Windows 2008 R2 Server Windows update unknown error

I’m putting this out there for anyone else. For the last 3 months I had a windows 2008 R2 server that would not apply windows updates. “An unknown error has occurred” is all I would get.

This was fixed today. The cause seemed to be an Disk Filter applied to the Local System Disk. I had never heard of this before today.

The command FLTMC lists out the Filter names on the disk. This is from a working server. I don’t know if yours will match exactly.

C:Usersadministrator.server>fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
VirtFile                                0       429999.280700    0
msnfsflt                                0       364000         0
luafv                                   1       135000         0

Now when my server was in an error condition, this listing had an additional entry with the highest ‘Altitude’ value.

C:Usersadministrator.server>fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
CpsFsJnl                                0       429999.999999    0
VirtFile                                0       429999.280700    0
msnfsflt                                0       364000         0
luafv                                   1       135000         0

This filter was the cause of my issue. This was a remnant of a Symantec CPS (continuous protection server) installation that was supposedly uninstalled years ago. It apparently left this filter installed and active on the server. It must have been dormant there for years until a windows update or something caused the error condition.

The filer is an system file called cpsfsjnl.sys and a quick search found it buried in the Program Files Directory. I deleted the file (after making a backup just in case). I also exported then deleted the following registry entries:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesCpsFsJnl]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesCpsFsJnlEnum]

I rebooted the server, checked FLTMC to be sure the CpsFsJnl was no longer listed, and then ran the Windows updates.

So, bottom line, in my case, Symantec CPS left a Virtual Disk Filter on the server that caused the error condition. Removing it fixed Windows updates.

Exchange 2007 Outlook Web Access Error The Password does not meet the minimum security requirements

In Microsoft Exchange OWA (outlook web access) a user will attempt to change the account password and encounter an error “The password supplied does not meet the minimum security requirements”. This error happens even though the GPO Policy has password complexity disabled.

OWA error message

The cause of the error is the minimum password age in one or more of the applied GPOs on the OWA host.

Change the Policy for Minimum password age to 0. Then either run GPUPDATE /FORCE or just reboot the host.

GPO for Min Password Age

Installing SCEP using Microsoft NDES

SCEP (Simple Certificate Enrollment Protocol) is a standard solution for admins wishing to deploy certificates to devices with little interaction and no manual uploading/downloading of cert files between systems. NDES (Network Device Enrollment Service) is Microsoft’s implementation of SCEP. NDES and SCEP are essentially 2 labels for the same service. This is really just my braindump from working with SCEP over the last few months.

Alot of this page is derived from the the Microsoft Whitepaper Microsoft SCEP Implementation.

To begin, you will need a few things.
1) A working MS Domain with healthy AD.

2) A Microsoft Certificate Authority.
You can setup either a Standalone or Enterprise CA. Since most of my work was with MS, this example is for an Enterprise CA.

3) A 2008 or 2012 Enterprise or DataCenter Server.
This is for the install of NDES. NDES will not install on a Standard Server. Also, Ndes can not be installed to the same server that holds a Certificate authority.

With those ready to go, here’s how to get NDES installed.

Setup NDES Accounts in AD
NDES needs 2 accounts on the Domain. You need an Admin account for installation and interaction with the GUI. You need a service account to run the service and request/enroll certificates.

1) Create NDES_Admin. Assign it to the Enterprise Admin Group in the Domain (this membership can be removed after installation). Assign it to the local Adminstrator Group on the NDES host.
2) Create NDES_ServiceAccount. Assign it to the IIS_IUSRS group on the NDES host.

Duplicate the Certificate Templates
In the Certificate Authority(CA) we need to create the Certificate templates that will be used by NDES.

  • Open the Certificate Authority MMC
  • On the left, expand the CA. Right click on the Templates Folder and select Manage. This will open the Template Mgmt folder.
  • Locate the Exchange Enrollment Agent (Offline Request), right click and Duplicate the template.
  • When prompted, select the server level. I used 2008 Enterprise on a 2008 host and 2012 on a 2012 host. Both worked fine, I don’t know the differences between the 2.
  • In the Template Dialogue, Make the name NDES Exchange Enrollment Agent (Offline Request)
  • In the Template Security Tab, Assign Permissions for the NDES_Admin Account and grant it Read and Enroll rights.
  • Click OK to save and exit this Template.
  • We need to do the same thing for CEP Encryption Template (Duplicate, name it NDES CEP Encryption, and assign NDES_Admin the Read and Enroll Rights.
  • Last, we need to do the same thing for the IPSEC (Offline Request), name it NDES IPSEC (Offline Request), assign NDES_Admin AND NDES_ServiceAccount the Read and Enroll Rights.
  • Close the Templates MMC

Publish The Certificates
Back at the CA, we need to publish the new Templates we just created into the CA for use.

  • Right click the Tempates folder in the CA.
  • Pick New then Certificate Template to Issue.
  • Select the 3 NDES… certificates we just created and click OK to publish.

Once done, the 3 NDES certs should appear in the list of usable certificate templates in the CA windows.

Assign Permissions on the CA
Next we need to add Read and Request permissions for the NDES_Service Account to the CA

  • From the left side panel in Certificate Authority MMC, right click the CA name, and select Properties
  • Click on the security tab.
  • Add NDES_Service Account and assign it Read and Request Certificate rights.
  • Hit ok and close it

Install NDES
Now we are done with the CA and certificate work, we can move on to the installation of NDES on the ndes host.

  • Log in to the NDES box using the NDES_Admin account created earlier.
  • Open Server Manager from the Start menu.
  • In the left pane of Server Manager, right-click Roles and select Add Roles from the menu.
  • Click Next on the Before You Begin screen in the Add Roles Wizard.
  • Select Active Directory Certificate Services on the Select Server Roles screen and click Next.
  • Click Next on the Introduction screen.
  • On the Select Role Services screen, clear Certification Authority and select Network Device Enrollment Service. As I mentioned previously, NDES can’t be installed on the same machine as a CA.
  • In the Add Roles Wizard dialog box, click Add Required Role Services to install the necessary IIS and Remote Server Administration Tool components.
  • On the Specify User Account screen click Select User. In the Windows Security dialog box, enter the username and password for the NDES_ServiceAccount and click Next.
  • Click Browse in the Specify CA for Network Device Enrollment Service dialog box.
  • In the Select Certification Authority dialog box, select the issuing CA, click OK and Next to continue.
  • On the Specify Registration Authority Information screen, modify the Country/Region field as necessary and click Next.
  • On the Configure Cryptography for Registration Authority screen, accept the default settings, which you can see in Figure 3, and click Next.
  • Click Next on the Web Server (IIS) introduction screen.
  • Accept the defaults on the Select Role Services screen by clicking Next.
  • Click Install on the Confirm Installation Selections screen.
  • Click Close on the Installation Results screen.

Modify the NDES Registry
Before we can request a password from NDES to start the certificate request process, we need to set some registry keys on the NDES server to point to our NDES IPsec (Offline Request) certificate, then restart IIS.

  • Open regedit from the Search programs and files box on the Start menu.
  • In the left pane of Registry Editor, navigate to the following registry key: HKLMSoftwareMicrosoftCryptographyMSCEP.
  • You’ll find three REG_SZ values: EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate. Set all three values to NDESIPSECIntermediateOffline, then close Registry Editor.
  • Type cmd into the Search programs and files box on the Start menu and click Ctrl+Shift+Enter to start the command prompt with administrative privileges.
  • Type the following two commands to restart IIS:
  • net stop w3svc net start w3svc

  • Close the command prompt.

Replace Outlook Mail, Contacts, and Calendar with Thunderbird

My company uses MS Exchange 2013 for mail, contacts, calendars, and tasks. However, we have a lot of users on LInux desktops that can’t run Outlook. For others, the new Outlook 2013 is a horrible monstrosity of Flat icons on all all white background that burns your eyes after a few hours in front of the monitor. So I was after a complete replacement for Outlook to access email, contacts, and calendar on Exchange. Well, Email is easy. Calendar not so much. Contacts are deliberately making the task complicated on purpose. But here is a working solution using Thunderbird with some available plugins. These examples were taken from a machine running Mint 17 64bit but the same tasks should work well on Windows.

 

Install Thunderbird

Thunderbird is the mozilla based mail client. It comes installed on many Linux distros. IF you need to install it for any reason you can find it in the repos or directly from the thunderbird website. https://www.mozilla.org/en-US/thunderbird/

 

Configure Thunderbird for Exchange Mail

  1. Add a new Mail account (Edit > Account Settings > Account Actions Button > Add Email Account)
  2. Note if you get prompted to add a new email at some 3rd party service, select “Skip this and use my existing Mail”
  3. Enter You Name to be displayed, email address, and password.setupTB1
  4. Thunderbird will most likely fail to autodetect the settings for Exchange.     An expanded window will appear prompting for settings for your Exchange.   These settings can be provided by the email admin.   You need the IMAP settings, SMTP settings, and note that the Username usually takes the form of DOMAINUsername.setupTB2
  5. Hit DONE when complete

 

Install Lightning for Thunderbird

Lightning is a Thunderbord Add-on that provides the calendar and task list services.   Installation is done from Thunderbird.

  1. Click Tooks > Add-ons (or use the menu button on the right and pick add-ons.  BTW to get the menu bar back, click to the right of the tabs and select Menu Bar).
  2. In the Search box, enter ‘lightning’
  3. Select the Lightning Plug-in.   Install it and Restart.

 

Install Exchange connector

The real trick here is getting the calendar, contacts, and tasks to sync with Exchange.   The only plug-in that I’ve found that does this is located at http://www.1st-setup.nl/wordpress/?page_id=551

  1. Access that link and download the lastest version of the plugin.
  2. Save the xpi file on your machine.
  3. From Thunderbird, Access the add-on manager (Tools > Add-ons)
  4. Click the box next to the search window and select “Install add-on From File”
  5. Select the xpi plug in you just downloaded.
  6. Restart Thunderbird

 

Configure Calendar

  1. Click the Calendar button to open the calendar tab.
  2. Right click on the blank space under calendar and select “New Calendar”
  3. Select “On the Network” and click next
  4. Select “Microsoft Exchange 2007/2010/2013” and click nextcalendar-pick_msexch
  5. Give the Calendar a name like “Exchange Calendar” and pick the email associated with the Exchange account (this should match the one you just setup on IMAP above).  Hit next when done.calendar_calendaroptions
  6. Click the Autodiscover (any good admin has this setup). Fill in the username and the domain.  Leave the Folder id field empty.   Click “Perform Autodiscovery” when ready.calendar-Perform_autodiscovery
  7. You will probably get a prompt to enter your Email account password.   Enter the Password and continue.
  8. You will probably get the option to Pick an EWS server.   You’ll probably only have 1 in the list, otherwise, ask your admin.  Continue when ready.
  9. You will get a final window showing the calendar root.   make edits as needed, but most can just accept the default and hit Next.calendar_final
  10. In the list of calendars, you should now see an entry for your calendar on Exchange.

 

Configure Contacts

  1. In Thunderbird’s inbox tab, select Address Book.AddressBook-1
  2. In the Address Book window, select the “Add Exchange Contact Folder”AddressBook-2
  3. Enter a Descriptive Name
  4. Check the Add Global Address List to Serch results.
  5. Check the Use Exchange’s Autodiscovery function.
  6. Enter your email, username and Domain in the correct fields and perform the autodiscovery when ready.AddressBook-3
  7. Once again, enter password if prompted and pick the correct EWS server if prompted.
  8. Make edits to the contact root folder as needed.  Most can leave it at default.   If your company uses a Public Folder for contacts, you can change the root to Public Folders and browse to the correct folder.

 

That’s it.   You can add as many calendars and address book entries as you need.  I did this and now don’t have very good solution to replace Outlook in any desktop.

Prevent Users from changing Pictures in Exchange 2013

Yes, in Exchange 2013, users were given the ability to edit their user pictures that is stored in the LDAP for display on their profile across Microsoft’s suite of products.

Seems like a harmless function right? Microsoft is so desperate to be viewed as a ‘cool social media like product’ that users will take advantage of the customizable settings. Well, if left unchecked, the user photos quickly become a mixture of Kittens, logos, TV characters, and borderline raunchy images. No good, especially since users have NO IDEA that these images might be viewed by outside entities. Highly unprofessional!!!

So the Goal here is to allow the use of Photos that the Admin or a security person can upload into LDAP, let users view the photos, but keep users from changing the photo.

The only way I’ve found to do this is by using a mailbox policy.

Open up a powershell session on exhcange 2013 and run the following.
1st we set list the mailbox policies and set the option to enable photos to False.
2nd we apply the policy to all mailboxes.

Get-OWAMailboxPolicy | set-owamailboxpolicy -setphotoenabled:$false
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -OWAMailboxPolicy Default

To test, sign into OWA as a user and check the 2 spots where users can change photos and ensure the options to edit photos are gone.
1) Under the Photo in the main display.
2) User User’s profile options in the ‘My account’ page.

NOTE: Be aware, that the last time I updated a Cumulative Upgrade, these settings reverted back to the default behavior and I had to re-apply the mailbox policy.

Setup Exchange 2013 Mailbox on Outlook without Autodiscover

I have had this issue come up a few times.    I had the need to setup an employee’s laptop with access to an Exchange 2013 mailbox. However, the employee was using a laptop that was not a domain member and could not use autodiscover to automate Outlook setup.

In Exchange 2010 and earlier, one could just manually configure the Exchange account with a server name of the Exchange server i.e. mail.company.com.
In Exchange 2013, the Exchange server name now uses the format of GUID@company.com where GUID is the Mailbox guid and is unique to each user. That basically means that end users now need a specific value in the server field that is provided by an Exchange administrator.

So the 1st thing we need is the GUID for the account mailbox. Use the Exchange Powershell get-mailbox cmdlet to get the information.

Get-Mailbox  | fl name, exchangeguid

You should get something like the following:

Name         : Clark Kent
ExchangeGuid : 39f83854-18b3-4bb2-baf1-9cc03c721c6b

Now go to the client’s system. We need to create a new account either by running Outlook for the 1st time or in the “Account Settings” window. You can get to this windows through Outlook from TOOLS -> ACCOUNT SETTINGS or from the CONTROL PANEL -> MAIL -> EMAIL ACCOUNTS.

Note that the labels vary slightly from outlook 2007 to 2010 to 2013, but the steps are essentially the same.
1. Click NEW to add a new account.

2. Select Microsoft Exchange. Click Next.

3. In the Account Setup section, Check the option to “Manually configure server settings” and click Next.

4. From the E-Mail service window, select Microsoft Exchange and Click Next.

5. In the Exchange Server Field enter the GUID@company.com using the GUID returned from the Get-Mailbox Cmdlet and the mailbox domain (i.e. company.com).

6. In the Username Field enter the user email address (i.e. clark.kent@company.com).

7. Click the “More Settings” button. Select the Connection Tab, check the “Connect to Microsoft Exchange using HTTP” and click the “Exchange Proxy Settings” Button (See image for reference)2013-manual-setup

8. In the Proxy Settings Window, enter the mailserver CAS host’s FQDN in the Proxy server field.2013-manual-setup2

9. Click OK to apply the changes and NEXT to Finish the setup.

That should get the client connected to the Exchange 2013 mailbox.

I honestly don’t see how this is an improvement over Exchange 2010 where all users could be given a simple set of instructions and could setup their own mailbox if autodiscover didn’t work for them. 2013 requires Administrator Support for each user that needs a manual setup since users can’t run the Exchange Cmdlet needed to get the GUID. And before anyone says “Why don’t you just use Autodiscover”, there are times in the real world when you can’t use it. Not every Domain is run like it would be in an enclosed lab.

If someone knows why this is better, please leave a comment and enlighten me.

How to Remove Old Computer or User accounts from a Windows Domain

Any admin knows that there are always computer and user accounts in AD that become stale and unused. It’s good practice to remove these old accounts from AD.

Here’s how I do it.

From any Domain Controller, open a command prompt and try the following.

 
dsquery computer -inactive 8 -limit 3000 

Dsquery is an invaluable tool and can do much more than just this. We tell dsquery to look for computer accounts that are currently inactive for 8 weeks and to limit the display to 3000 entries. Setting the -limit to 0 would return all entries.

If you would simply like to count them:

dsquery computer -inactive 8 -limit 3000 | find /c "-" 

This example should also return inactive computer accounts, older than 8 weeks. In this case, we query for stale passwords on computer accounts instead. This should return the same results as the ‘inactive 8’ flag in the previous example.

dsquery computer DC=domain,DC=com -stalepwd 56 -limit 0 

Now that we know what computers need to be removed, lets disable them instead of deleting them. Just in case.
Just pipe the information to dsmod to modify their status:
dsquery computer DC=domain,DC=com, -stalepwd 56 -limit 1400 | dsmod computer -disabled yes

Now just sit and wait for maybe a week or two, if no-one calls to report problems, you’re OK to delete the accounts.
To remove the disabled accounts:

dsquery computer DC=fs31,DC=vwf,DC=vwfs-ad –disabled | dsrm 

And You’re done!

Exchange 2010 List ActiveSync Devices removed from Quarantine and other States

Exchange 2010 has this feature in active sync where the admin can setup rules to allow certain devices to connect via ActiveSync Access Rules. Device Access Rules can be setup so that only certain devices can connect and all other devices will be quarantined until an admin can act on it.

This works well for companies that only issue certain devices (i.e. blackberries) and want to block all android/iPhones from using Active sync. However, there are always exceptions. Especially when the CEO wants to use his iPhone. So the Admin can explicitly allow the CEO’s iPhone to connect. However, the GUI interface does not report on what devices are allowed, which met policy, which are given individual exemptions.

Here’s how I discovered how to get that info using Exchange PowerShell:

This command will list all active ActiveSync devices that have been issued an individual examption.

Get-ActiveSyncDevice -filter {DeviceAccessStateReason -eq 'Individual'}

The DeviceAccessStateReason can also include:

DeviceAccessStateReason

The reason for the device’s access state. Available values include:

  • Global   Caused by to the global access setting
  • DeviceRule   Caused by a device access rule
  • Individual   Caused by an individual exemption.
  • Policy   Caused by Exchange ActiveSync security policies
  • Upgrade   Caused by the upgrade of the user’s mailbox. This is a temporary state that is designed to give the device a chance to upgrade prior to being controlled by the rules and access settings.

 

 

The same Cmdlet can be used to filter on any of the attributes of the Active Sync Item:

Attribute Description
FriendlyName The name that the user called their mobile device
DeviceId A unique identifier used by Exchange ActiveSync to identify each device’s partnership
DeviceImei  The International Mobile Equipment Identity (IMEI) number of the mobile device
DeviceMobileOperator The mobile operator to which the mobile device was last connected
DeviceOS    The name and version number of the operating system that is running on the mobile device
DeviceOSLanguage    The language used by the operating system
DeviceTelephoneNumber The last four digits of the phone number
DeviceType    The device family. If you want to control access for all device models in a device family, you can create a device access rule for that device family. See Create a New Device Access Rule.
DeviceUserAgent    The device’s network protocol name, which characterizes the client to the server
DeviceModel    The device model. If you want to control access for a specific device model, you can create a device access rule for that device model only. See Create a New Device Access Rule.
FirstSyncTime    The date and time the device first requested to connect with Exchange ActiveSync. This field provides an idea of how old the device partnership is. If you want to get more information about the latest device connections, you can view the mobile device information from the user’s mailbox or user settings, or use the Get-ActiveSyncDeviceStatistics cmdlet. For more information, see Get-ActiveSyncDeviceStatistics.
UserDisplayName    The name of the person who is using the device
DeviceAccessState The access state of the device: Allowed, Blocked, Quarantined, or DeviceDiscovery. The last value indicated the device is temporarily quarantined while it is being identified by Exchange ActiveSync.
DeviceAccessStateReason The reason for the device’s access state. Available values include:

  • Global   Caused by to the global access setting
  • DeviceRule   Caused by a device access rule
  • Individual   Caused by an individual exemption.
  • Policy   Caused by Exchange ActiveSync security policies
  • Upgrade   Caused by the upgrade of the user’s mailbox. This is a temporary state that is designed to give the device a chance to upgrade prior to being controlled by the rules and access settings.
DeviceAccessControlRule   The name of the rule that is affecting the device’s current access state, if any
DeviceActiveSyncVersion  The version of the Exchange ActiveSync protocol used by the given device

For a Summary of the Active Sync Devices, try the following command:

Get-ActiveSyncDevice | Group-Object -property DeviceType

To view a count of devices of each device model, run the following command:

Get-ActiveSyncDevice | Group-Object -property DeviceModel

All these values are stored in AD and could also be queried via an LDAP search or a well-formed dsquery|dsget command.

AD attribute for MSAccessState

AD attribute for MSAccessState

Check for 32 bit vs 64 bit Microsoft OS in Windows Batch File

This is a usable example showing how to check for a 32 bit OS vs a 64 bit OS in MS windows within a batch file.

This is very useful when deploying certain applications through MS Group Policy.

Example from a .bat file:

@echo off
Set RegQry=HKLMHardwareDescriptionSystemCentralProcessor
REG.exe Query %RegQry% > checkOS.txt
Find /i "x86" < CheckOS.txt > StringCheck.txt
If %ERRORLEVEL% == 0 (
   CALL --32bit install goes here--
) ELSE (
   CALL --64bit install goes here--
)

The code simple checks the contents of the Registry entry then looks for the entry ‘x86’ indicating a 32 bit installation.
The batch file will leave the checkOS.txt in place on the end user machine.

Contents of the checkOS.txt file would look something like this:

HKEY_LOCAL_MACHINEHardwareDescriptionSystemCentralProcessor
    Component Information    REG_BINARY    00000000000000000000000000000000
    Identifier    REG_SZ    Intel64 Family 6 Model 37 Stepping 2
    Configuration Data    REG_FULL_RESOURCE_DESCRIPTOR    FFFFFFFFFFFFFFFF0000000000000000
    ProcessorNameString    REG_SZ    Intel(R) Core(TM) i7 CPU       M 620  @ 2.67GHz
    VendorIdentifier    REG_SZ    GenuineIntel
    FeatureSet    REG_DWORD    0x21193ffe
    ~MHz    REG_DWORD    0xa64
    Update Signature    REG_BINARY    000000000D000000
    Update Status    REG_DWORD    0x7
    Previous Update Signature    REG_BINARY    000000000D000000
    Platform ID    REG_DWORD    0x10