Upcoming change (March 2020) – Microsoft to disable use of unsigned LDAP port 389

In March 2020, Microsoft is going to release a update which will essentially disable the use of unsigned LDAP which will be the default. This means that you can no longer use bindings or services which binds to domain controllers over unsigned ldap on port 389. You can either use LDAPS over port 636 or using StartTLS on port 389 but it still requires that you addd a certificate to your domain controllers. This hardening can be done manually until the release of the security update that will enable these settings by default.

How to add signed LDAPS to your domain controllers

You can read more about the specific change here –> https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows you can also read more here –> https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-update-now/ba-p/921536

After the change the following features will be supported against Active Directory.

clipboard_image_0.png

How will this affect my enviroment?

Clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or on LDAP simple binds over a non-SSL/TLS connection stop working after you make this configuration change. This also applies for 3.party solutions which rely on LDAP such as Citrix NetScaler/ADC or other Network appliances, Vault and or authentication mechanisms also rely on LDAP. If you haven’t fixed this it will stop working. This update will apply for all versions.

Windows Server 2008 SP2,
Windows 7 SP1,
Windows Server 2008 R2 SP1,
Windows Server 2012,
Windows 8.1,
Windows Server 2012 R2,
Windows 10 1507,
Windows Server 2016,
Windows 10 1607,
Windows 10 1703,
Windows 10 1709,
Windows 10 1803,
Windows 10 1809,
Windows Server 2019,
Windows 10 1903,
Windows 10 1909

How to check if something is using unsigned LDAP?

If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server will log a summary under eventid 2888 one time every 24 hours when such bind attempts occur. Microsoft advises administrators to enable LDAP channel binding and LDAP signing as soon as possible before March 2020 to find and fix any operating systems, applications or intermediate device compatibility issues in their environment.

You can also use this article to troubleshoot https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs

Credits: https://msandbu.org/upcoming-change-microsoft-to-disable-use-of-unsigned-ldap-port-389/

Install VMware PowerCli

1. Install the Powershell Get Module

Installing items from the Gallery requires the latest version of the PowerShellGet module, which is available in Windows 10, in Windows Management Framework (WMF) 5.0, or in the MSI-based installer (for PowerShell 3 and 4).

With the latest PowerShellGet module, you can:

Supported Operating Systems

The PowerShellGet module requires PowerShell 3.0 or newer.

Therefore, PowerShellGet requires one of the following operating systems:

  • Windows 10
  • Windows 8.1 Pro
  • Windows 8.1 Enterprise
  • Windows 7 SP1
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2 SP1

PowerShellGet also requires .NET Framework 4.5 or above. You can install .NET Framework 4.5 or above from here.

2. Find-Module -Name VMware.PowerCLI

3. Install-Module -Name VMware.PowerCLI -Scope CurrentUser

4. When you start Powershell VMware.Powershell is automatically loaded

Imported Hotfixes for Windows 2008 R2 Clustering

Imported Hotfixes for Windows 2008 R2 Clustering:

NTFS.sys

2814923          “0x0000009E” Stop error and disk volumes cannot be brought online on a Windows Server 2008 R2-based failover cluster
http://support.microsoft.com/kb/2814923/EN-US

MPIO

2754704          A hotfix is available that provides a mechanism for DSM to notify MPIO that a particular path is back to online in Windows Server 2008 and Windows Server 2008 R2
http://support.microsoft.com/kb/2754704/EN-US

storport.sys

2780444          “0x0000012E” Stop error occurs when an application sends a 12-byte SCSI opcode to an iSCSI target in Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1
http://support.microsoft.com/kb/2780444/EN-US

msiscsi

2684681          Iscsicpl.exe process stops responding when you try to reconnect a storage device to a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
http://support.microsoft.com/kb/2684681/EN-US

rdbss

2670567 “0x000000027” Stop error when you copy a file from a redirected folder in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2670567/EN-US

Kernel

2805853          “0x0000008E” Stop error on a computer that is running Windows 7 or Windows Server 2008 R2
http://support.microsoft.com/kb/2805853/EN-US

RPCSS

2756999 Handle leak occurs on a COM client that is running on a Windows 7 or Windows Server 2008 R2 computer
http://support.microsoft.com/kb/2756999/EN-US

Mrxsmb10

2727324 Computer stops responding after you connect to an SMB 1 server in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2727324/EN-US

Mrxsmb20

2778834          File becomes corrupted when you try to overwrite the file while it is opened by another user on a computer that is running Windows 7 or Windows Server 2008 R2
http://support.microsoft.com/kb/2778834/EN-US

TCPIP

2519644          Stop code in the tcpip.sys driver on a computer that is running Windows Server 2008 R2: 0x000000D1
http://support.microsoft.com/kb/2519644/EN-US

2524478          The network location profile changes from “Domain” to “Public” in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2524478/EN-US

VMware Horizon 7.3.1 and Horizon Client 4.6 released

VMware has released VMware Horizon 7.3.1 and Horizon Client 4.6! With this new release, Horizon 7.3 enhances key platform features, including Horizon Virtualization Pack for Skype for Business, VMware Instant Clone Technology and the Horizon Help Desk Tool.

Many new items have been introduced, such as HTML5 video redirection support for the Chrome browser and the ability to configure Windows Start menu shortcuts for desktop and application pools using the Horizon Administrator console. As always, you can count on increased operating system support for virtual desktops and clients.

Here is an overview of the new features:

VMware Horizon 7.3 Server Enhancements

Horizon Help Desk Tool

  • Displays application process resources with reset control
  • Role-based access control for help desk staff
  • Activity logging for help desk staff
  • Displays Horizon Client information
  • Granular logon time metrics
  • Blast Extreme display protocol metrics

Instant Clone Technology

  • Instant-clone desktops can now use dedicated assignment to preserve the hostname, IP address and MAC address of a user’s desktop
  • Windows Server OS is now supported for desktop use
  • Instant clones are now compatible with Storage DRS (sDRS)
  • If there are no internal VMs in all four internal folders created in vSphere Web Client, these folders are unprotected, and you can delete them
  • IcUnprotect.cmd utility can now unprotect or delete template, replica or parent VMs or folders from vSphere hosts

Windows Start Menu Shortcuts Created Using the Admin Console

  • Create shortcuts to Horizon 7 resources:
    • Published applications
    • Desktops
    • Global entitlements

Cloud Pod Architecture Scale

  • Total session limit is increased to 140,000
  • The site limit is now seven

VMware Horizon Apps

  • This update makes Horizon Apps easier to use and allows the administrator to restrict entitlements
  • Restrict access to desktop and application pools from specific client machines

Resiliency for Monitoring

  • If the event database shuts down, Horizon administrator maintains an audit trail of the events that occur before and after the event database shutdown

Database Support

  • Always-On Availability Groups feature for Microsoft SQL Server 2014

ADMX Templates

  • Additional GPO settings for ThinPrint printer filtering, HTML5 redirection and enforcement of desktop wallpaper settings

Remote Experience

Horizon Virtualization Pack for Skype for Business

  • Multiparty audio and video conferencing
  • Horizon 7 RDSH support
    • Windows Server 2008 R2
    • Windows Server 2012 R2
  • Forward Error Correction (FEC)
  • Quality of Experience (QOE) metrics
  • Customized ringtones
  • Call park and pickup
  • E911 (Enhanced 911) support, to allow the location of the mobile caller to be known to the call receiver
  • USB desktop-tethering support
  • Horizon Client for Linux support for the following Linux distributions:
    • Ubuntu 12.04 (32-bit)
    • Ubuntu 14.04 (32 & 64-bit)
    • Ubuntu 16.04 (64-bit)
    • RHEL 6.9/CentOS 6.x (64-bit)
    • RHEL 7.3 (64-bit)
    • SLED12 SP2 (64-bit)

Additional NVIDIA GRID vGPU Support

  • Support for the Tesla P40 graphics card from NVIDIA

HTML5 Video Redirection

  • View HTML 5 video from a Chrome browser and have video redirected to the client endpoint for smoother and more efficient video playback

Performance Counter Improvements

  • Windows agent PerfMon counters improvements for Blast Extreme sessions: imaging, audio, client-drive redirection (CDR), USB and virtual printing

Linux Virtual Desktops

  • KDE support: Besides RHEL/CentOS 6.x, the KDE GUI is now supported on RHEL/CentOS 7.x, Ubuntu 14.04/16.04 and SUSE Linux Enterprise Desktop 11 SP4
  • MATE  interface is now supported on Ubuntu 14.04 and Ubuntu 16.04
  • Blast Extreme Adaptive Transport is now supported for Linux desktops
  • vGPU hardware H.264 encoder support has been added

USB Redirection

  • USB redirection is supported in nested mode

ThinPrint Filtering

  • Administrators can filter out printers that should not be redirected

Horizon Client 4.6 Updates

Security Update

  • All clients have been updated to use SHA-2 to prevent SHA-1 collision attacks

Session Pre-launch

  • Session pre-launch is now extended to both Horizon Client for macOS and Horizon Client for Windows

Apteligent

  • Integration of Apteligent crash log

Blast Extreme

  • Improvements in Blast Extreme Adaptive Transport mode for iOS and macOS
  • User can change Blast Extreme settings without having to disconnect

Horizon Client 4.6 for Windows

  • Support for UNC path with CDR

Horizon Client 4.6 for macOS

  • Support for macOS Sierra and macOS High Sierra
  • Selective monitor support
  • Norwegian keyboard support

Horizon Client 4.6 for iOS

  • CDR support with drag and drop of files in split view
  • iOS split keyboard enhancement
  • iOS UI updates

Horizon Client 4.6 for Android

  • Android Oreo support
  • Manage the Horizon server list with VMware AirWatch
  • Simple shortcuts
  • External mouse enhancements
  • Real-Time Audio-Video (RTAV) support for Android and Chrome OS

Horizon Client 4.6 for Linux

  • Blast Extreme Adaptive Transport support

Horizon Client 4.6 for Windows 10 UWP

  • Network recovery improvements

Horizon HTML Access 4.6

  • HTML Access for Android with a revised UI
  • Customization of HTML Access page

Horizon Help Desk Tool

The Horizon Help Desk Tool provides a troubleshooting interface for the help desk that is installed by default on Connection Servers. To access the Horizon Help Desk Tool, navigate to https://<CS_FQDN>/helpdesk, where <CS_FQDN> is the fully qualified domain name of the Connection Server, or click the Help Desk button in the Horizon Administrator console.

The Help Desk Tool was introduced in Horizon 7.2 and has been greatly expanded upon in the Horizon 7.3 release.

Help Desktop Tool features with Horizon 7.2:

  • Virtual machine metrics
  • Remote assistance
  • Session control (restart, logoff, reset, and disconnect)
  • Sending messages

Additional features with Horizon 7.3:

  • Display application process resources with reset control
  • Role-based access control for help desk staff
  • Activity logging for help desk staff
  • Granular login time metrics
  • Display Horizon Client information

User Session Details

The user session details appear on the Details tab when you click a user name in the Computer Name option on the Sessions tab. You can view details for Horizon Client, the VDI desktop or RDSH-published desktop, CPU and memory stats, and many other details.

  • Client version
  • Unified Access Gateway name and IP address
  • Logon breakdown (client to broker):
    • Brokering
    • GPO load
    • Profile load
    • Interactive
    • Authentication

Blast Extreme Metrics

Blast extreme metrics that have been added include estimated bandwidth (uplink), packet loss, and transmitted and received traffic counters for imaging, audio, and CDR.

Note the following behavior:

  • The text-based counters do not auto-update in the dashboard. Close and reopen the session details to refresh the information.
  • The counters for transmitted and received traffic counters are accumulative from the point the session is queried/polled.

Blast Extreme Metrics for a Windows 10 Virtual Desktop Session

Display and Reset Application Processes and Resources

This new feature provides help desk staff with a granular option to resolve problematic processes without affecting the entire user session, similar to Windows Task Manager. The session processes appear on the Processes tab when you click a user name in the Computer Name option on the Sessions tab. For each user session, you can view additional details about CPU- and memory-related processes to diagnose issues.

Role-based Access Control and Custom Roles

You can assign the following predefined administrator roles to Horizon Help Desk Tool administrators to delegate the troubleshooting tasks between administrator users:

  • Help Desk Administrator
  • Help Desk Administrator (Read Only)

You can also create custom roles by assigning the Manage Help Desk (Read Only) privilege along with any other privileges based on the Help Desk Administrator role or Help Desk Administrator (Read Only) role.

Members of the Help Desk Administrators (Read Only) role do not have access to following controls; in fact, functions such as Log Off and Reset are not presented in the user interface.

Watch this brief demonstration video of the Horizon Help Desk Tool to see it in action:

Horizon Virtualization Pack for Skype for Business

You can now make optimized audio and video calls with Skype for Business inside a virtual desktop without negatively affecting the virtual infrastructure and overloading the network.

All media processing takes place on the client machine instead of in the virtual desktop during a Skype audio and video call.

New support with many expanded features for the Horizon Virtualization Pack for Skype for Business can be found in Horizon 7.3 and Client 4.6.

New Features

Horizon Virtualization Pack for Skype for Business offers the following supported features:

System Requirements

The following table outlines the system requirements for the new release:

Supported Clients

The following table provides the list of support Horizon clients:

Start Menu Shortcuts Configured Through the Admin Console

This feature improves the user experience by adding desktop and application shortcuts to the Start menu of Windows client devices.

You can use Horizon Administrator to create shortcuts for the following types of Horizon 7 resources:

  • Published applications
  • Desktops
  • Global entitlements

Shortcuts appear in the Windows Start menu and are configured by IT. Shortcuts can be categorized into folders.

Users can choose at login whether to have shortcuts added to the Start menu on their Windows endpoint device.

Watch this brief demonstration video of the new Desktop and Apps Shortcuts feature to see it in action:

Dedicated Desktop Support for Instant Clones

Upon the initial release of instant clones in Horizon 7, we supported floating desktop pools and assignments only. Further investments have been made to Instant Clone Technology that add support for dedicated desktop pools. Fixed assignments and entitlements of users to instant-clone machines is now provided as part of Horizon 7.3.

Dedicated instant-clone desktop assignment means that there is a 1:1 relationship between users and desktops. Once an end user is assigned to a desktop, they will consistently receive access to the same desktop and corresponding virtual machine. This feature is important for apps that require a consistent hostname, IP address, or MAC address to function properly.

Note: Persistent disks are not supported. Fixed assignments to desktops does not mean persistence for changes. Any changes that the user makes to the desktop while in-session will not be preserved after logoff, which is similar to how a floating desktop pool works. With dedicated assignment, when the user logs out, a resync operation on the master image retains the VM name, IP address, and MAC address.

Support for the Tesla P40 Graphics Card from NVIDIA

VMware has expanded NVIDIA GRID support with Tesla P40 GPU cards in Horizon 7.3.

HTML5 Video Redirection

This feature provides the ability to take the HTML5 video from a Chrome (version 58 or higher) browser inside a Windows VDI or RDSH system and redirect it to Windows clients. This feature uses Blast Extreme or PCoIP side channels along with a Chrome extension.

The redirected video is overlaid on the client and is enabled as well as managed using GPO settings.

Benefits include:

  • Supports generic sites such as YouTube, without requiring a server-side plugin.
  • Provides smooth video playback comparable to the native experience of playing video inside a browser on the local client system.
  • Reduces data center network traffic and CPU utilization on the vSphere infrastructure hosts.

Improved USB Redirection with User Environment Manager

The default User Environment Manager timeout value has been increased. This change ensures that the USB redirection Smart Policy takes effect even when the login process takes longer than expected.

With Horizon Client 4.6, the User Environment Manager timeout value is configured only on the agent and is sent from the agent to the client.

You can now bypass User Environment Manager control of USB redirection by setting a registry key on the agent machine (VDI desktop or RDSH server). This change ensures that smart card SSO works on Teradici zero clients. Note: Requires a restart.

HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB uemFlags (REG_DWORD 1)

Blast Extreme Performance Counter Improvements

The Windows Agent PerfMon counters for the Blast Extreme protocol have been improved to update at a constant rate and to be even more accurate.

Counters include:

  • Imaging
  • Audio
  • CDR
  • USB
  • Virtual printing

Linux Virtual Desktops

Features and functions for Horizon 7 for Linux virtual desktops have been expanded:

  • KDE support – Besides RHEL/CentOS 6.x, the KDE GUI is now supported on RHEL/CentOS 7.x, Ubuntu 14.04/16.04, SUSE Linux Enterprise Desktop 11 SP4.
  • Support for the MATE interface on Ubuntu 14.04, Ubuntu 16.04.
  • Blast Extreme Adaptive Transport support.
  • vGPU hardware H.264 encoder support.

USB Redirection Support in Nested Mode

The USB redirection feature is now supported when you use Horizon Client in nested mode. When using nesting–for example, when opening RDSH applications from a VDI desktop–you can now redirect USB devices from the client device to the first virtualization layer and then redirect the same USB device to the second virtualization layer (that is, nested session).

Filtering Redirected Printers

You can now create a filter to specify the printers that should not be redirected with ThinPrint. A new GPO ADMX template (vmd_printing_agent.admx) has been added to enable this functionality.

By default, the rule permits all client printers to be redirected.

  • Supported attributes:
    • PrinterName
    • DriverName
    • VendorName
  • Supported operators:
    • AND
    • OR
    • NOT
  • Supported searching pattern is a regular expression.

Blast Extreme Improvements in CPU Usage

Now even lower CPU usage is achieved with adaptive Forward Error Correction algorithms. This clever mechanism decides how to handle error correction, lowering CPU usage within virtual desktop machines as well as on client endpoint devices.

Blast Extreme Adaptive Transport Side Channel

New support has been added for Blast Extreme Adaptive Transport side channels for USB and CDR communications. Once enabled, TCP port 32111 for USB traffic does not need to be opened, and USB traffic uses a side channel. This feature is supported for both virtual desktops and RDS hosts.

  • Feature is turned off by default.
  • Enable the feature through a registry key: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config\UdpAuxiliaryFlowsEnabled 1

Entitlement Restrictions Based on Machine Name

This feature allows IT administrators to restrict access to published applications and desktops based on both client computer and user. With client restrictions for RDSH, it is now possible to check AD security groups for specific computer names. Users only have access to desktops and apps when both the user and the client machine are entitled. For this release, the feature is supported only for Windows clients and works with global entitlements.

Pre-Launch Improvements

Pre-launch provides the ability to launch an empty (application-less) session when connecting to the Connection Server. The feature is now also available to Windows clients, in addition to macOS.

Also, it is no longer necessary to manually make changes to the client settings. You can configure automatic reconnection.

Blast Extreme Adaptive Transport Mode for iOS and macOS

With prior client releases, users were required to configure their Blast Extreme settings before they connected to the Connection Server. After a connection was established, the options to change the Blast Extreme setting—which included H.264, Poor, Typical, and Excellent—were unavailable.

With this release, users can change the network condition setting from Excellent to Typical or the reverse while inflight to sessions. Doing so also changes the protocol connection type between TCP (for Excellent) and UDP (for Typical).

Note: End users will not be able to change the network condition setting if Poor is selected before establishing a session connection.

Horizon Client for Windows

Horizon Client 4.6 updates include:

  • Additional command-line options for the new client installer – When silently installing the Windows client, using the /s flag, you can now also set:
    • REMOVE-SerialPort,Scanner – Removes the serial port, scanner, or both.
    • DESKTOP_SHORTCUT-0 – Installs without a desktop shortcut.
    • STARTMENU_SHORTCUT-0 – Installs without a Start menu shortcut.

  • Support for UNC paths with client drive redirection (CDR):
    • Allows remote applications to access files from a network location on the client machine. Each location gets its own drive letter inside the remote application or VDI desktop.
    • Folders residing on UNC paths can now be redirected with CDR, and get their own drive letter inside the session, just as any other shared folder.

Horizon Client for macOS

Horizon Client 4.6 updates include:

  • Apple macOS High Sierra day 0 support.
  • Users can select which monitors to use for VDI sessions and which to use for the local system.
  • Norwegian keyboard support and mappings are now available

Horizon Client for iOS

Horizon Client 4.6 updates include:

  • iOS 11 support
  • iOS split keyboard update – Removes the middle area in the split keyboard for a better view of the desktop
  • New dialog box for easy connection to a Swiftpoint Mouse

Horizon Client for Android

Horizon Client 4.6 updates include:

  • Android 8.0 Oreo support.
  • Server URL configuration – Allows administrators to configure a list of Connection Servers and a default Connection Server on Android devices managed by VMware AirWatch.

Android and Chrome OS Client Updates

Horizon Client 4.6 for Android and Horizon Client 4.6 for Chrome OS updates include:

  • Simple shortcuts – Users can right-click any application or desktop to add a shortcut to the home screen.
  • Webcam redirection – Integrated webcams on an Android device or a Chromebook are now available for redirection using the Real-Time Audio-Video (RTAV) feature.

HTML Access

HTML Access 4.6 updates include:

  • HTML Access on Android devices – Though HTML Access has fewer features than the native Horizon Client, it allows you to use remote desktops and published applications without installing software.
  • HTML Access page customization – Administrators can customize graphics and text and have those customizations persist through future upgrades.

Horizon Client for Linux

Horizon Client 4.6 updates include:

  • Support for Raspberry Pi 3 Model B devices:
    • ThinLinx operating system (TLXOS) or Stratodesk NoTouch operating system
    • Supported Horizon Client features include:
  • Blast Extreme
  • USB redirection
  • 264 decoding
  • 8000Hz and 16000Hz audio-in sample rate
  • RHEL/CentOS 7.4 support

Horizon Client for Windows 10 UWP

Horizon Client 4.6 updates include:

  • Network recovery improvements – Clients can recover from temporary network loss (up to 2 minutes). This feature was already available for Windows, macOS, Linux, iOS, and Android, and is now available for Windows 10 UWP.
    • Automatically reconnects Blast Extreme sessions
    • Reduces re-authentication prompts

We are excited about these new features in Horizon 7.3.1 and the Horizon Client 4.6.  We hope that you will give them a try.

You can download it here.

Exchange Server 2016 Cumulative Update 7 (KB4018115) and Exchange Server 2013 Cumulative Update 18 (KB4022631)

The latest set of Cumulative Updates for Exchange Server 2016 and Exchange Server 2013 are now available on the download center.  These releases include fixes to customer reported issues, all previously reported security/quality issues and updated functionality.

Minimum supported Forest Functional Level is now 2008R2

In our blog post, Active Directory Forest Functional Levels for Exchange Server 2016, we informed customers that Exchange Server 2016 would enforce a minimum 2008R2 Forest Functional Level requirement for Active Directory.  Cumulative Update 7 for Exchange Server 2016 will now enforce this requirement.  This change will require all domain controllers in a forest where Exchange is installed to be running Windows Server 2008R2 or higher.  Active Directory support for Exchange Server 2013 remains unchanged at this time.

Support for latest .NET Framework

The .NET team is preparing to release a new update to the framework, .NET Framework 4.7.1.  The Exchange Team will include support for .NET Framework 4.7.1 in our December Quarterly updates for Exchange Server 2013 and 2016, at which point it will be optional.  .NET Framework 4.7.1 will be required on Exchange Server 2013 and 2016 installations starting with our June 2018 quarterly releases.  Customers should plan to upgrade to .NET Framework 4.7.1 between the December 2017 and June 2018 quarterly releases.

The Exchange team has decided to skip supporting .NET 4.7.0 with Exchange Server.  We have done this not because of problems with the 4.7.0 version of the Framework, rather as an optimization to encourage adoption of the latest version.

Known unresolved issues in these releases

The following known issues exist in these releases and will be resolved in a future update:

  • Online Archive Folders created in O365 will not appear in the Outlook on the Web UI
  • Information protected e-Mails may show hyperlinks which are not fully translated to a supported, local language

Release Details

KB articles that describe the fixes in each release are available as follows:

Exchange Server 2016 Cumulative Update 7 does not include new updates to Active Directory Schema.  If upgrading from an older Exchange version or installing a new server, Active Directory updates may still be required.  These updates will apply automatically during setup if the logged on user has the required permissions.  If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin must execute SETUP /PrepareSchema prior to the first Exchange Server installation or upgrade.  The Exchange Administrator should execute SETUP /PrepareAD to ensure RBAC roles are current.

Exchange Server 2013 Cumulative Update 18 does not include updates to Active Directory, but may add additional RBAC definitions to your existing configuration. PrepareAD should be executed prior to upgrading any servers to Cumulative Update 18. PrepareAD will run automatically during the first server upgrade if Exchange Setup detects this is required and the logged on user has sufficient permission.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU18, 2016 CU7) or the prior (e.g., 2013 CU17, 2016 CU6) Cumulative Update release.

For the latest information on Exchange Server and product announcements please see What’s New in Exchange Server 2016 and Exchange Server 2016 Release Notes.  You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post is published.

IIS Crypto the best tool to configure SSL/TLS cipher suites

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

Features

– Single click to secure your website using best practices
– Create custom templates that can be saved and run on multiple servers
– Stop DROWN, logjam, FREAK, POODLE and BEAST attacks
– Disable weak protocols and ciphers such as SSL 2.0, 3.0 and MD5
– Enable TLS 1.1 and 1.2
– Enable forward secrecy
– Reorder cipher suites
– Built in Best Practices, PCI, PCI 3.1 and FIPS 140-2 templates
– Site scanner to test your configuration
– Command line version

Screenshot1

WMI Filters for OS version

DESKTOPS

ANY WINDOWS DESKTOP OS

  • Any Windows Desktop OS – 32-bit
    select * from Win32_OperatingSystem WHERE ProductType = “1” AND NOT OSArchitecture = “64-bit”
  • Any Windows Desktop OS – 64-bit
    select * from Win32_OperatingSystem WHERE ProductType = “1” AND OSArchitecture = “64-bit”

WINDOWS 7

  • Windows 7
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″
  • Windows 7 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 7 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 8.1

  • Windows 8.1
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″
  • Windows 8.1 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 8.1 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 8.1

  • Windows 8.1
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″
  • Windows 8.1 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 8.1 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 10

  • Windows 10
    select * from Win32_OperatingSystem WHERE ‘Version like ‘10.0.%’ AND ProductType=”1″
  • Windows 10 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “10.0.% AND ProductType=”1” AND NOT OSArchitecture = “64-bit”
  • Windows 10 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “10.0.%””6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

SERVERS

ANY WINDOWS SERVER OS

  • Any Windows Server OS
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”)
  • Any Windows Server OS – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server OS – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”) AND OSArchitecture = “64-bit”
  • Any Windows Server – Domain Controller
    select * from Win32_OperatingSystem where (ProductType = “2”)
  • Any Windows Server – Domain Controller – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server – Domain Controller – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) AND OSArchitecture = “64-bit”
  • Any Windows Server – Non-Domain Controller
    select * from Win32_OperatingSystem where (ProductType = “3”)
  • Any Windows Server – Non- Domain Controller – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “3”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server – Non-Domain Controller – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “3”) AND OSArchitecture = “64-bit”

WINDOWS SERVER 2008 R2

  • Windows Server 2008 R2 – 64-bit – DC
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”2″
  • Windows Server 2008 R2 – 64-bit – non-DC
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”3″

WINDOWS SERVER 2012 R2

  • Windows Server 2012 R2 – 64-bit – DC
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”2″
  • Windows Server 2012 R2 – 64-bit – non-DC
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”3″

WINDOWS SERVER 2016

Windows Server 2016 certification

Microsoft is pleased to announce the release of the new MCSA: Windows Server 2016 certification.

The new MCSA can be earned by taking and passing the following three exams:

  • 70-740 – Installation, Storage, and Compute with Windows Server 2016
  • 70-741 – Networking with Windows Server 2016
  • 70-742 – Identity with Windows Server 2016

Exam 740 is scheduled for beta release in early October 2016, with the other exams following soon after.

Individuals who currently hold either an MCSA: Windows Server 2012 or MCSA: Windows Server 2008 certification will be able to upgrade to the new 2016 certification through a single, upgrade exam:

  • 70-743 – Upgrade Your Skills to MCSA: Windows Server 2016

Exam 743 is scheduled for beta release in late July 2016. 

MOC courses corresponding to all four Windows Server 2016 exams are scheduled for release in September 2016, while practice tests will be available shortly after each exam beta period ends.

New options for specialization and continuing education through the MCSE program will be announced later this summer.

Cumulative Update 2 for Exchange Server 2016

.Net 4.6.1 Support

Support for .Net 4.6.1 is now available for Exchange Server 2016 and 2013 with these updates. We fully support customers upgrading servers running 4.5.2 to 4.6.1 without removing Exchange. We recommend that customers apply Exchange Server 2016 Cumulative Update 2 or Exchange Server 2013 Cumulative Update 13 before upgrading .Net FrameWork. Servers should be placed in maintenance mode during the upgrade as you would do when applying a Cumulative Update. Support for .Net 4.6.1 requires the following post release fixes for .Net as well.

Note: .Net 4.6.1 installation replaces the existing 4.5.2 installation. If you attempt to roll back the .Net 4.6.1 update, you will need to install .Net 4.5.2 again.

AutoReseed Support for BitLocker

Beginning with Exchange 2013 CU13 and Exchange 2016 CU2, the Disk Reclaimer function within AutoReseed supports BitLocker. By default, this feature is disabled. For more information on how to enable this functionality, please seeEnabling BitLocker on Exchange Servers.

SHA-2 Support for Self-Signed Certificates

The New-ExchangeCertificate cmdlet has been updated to produce a SHA-2 certificate for all self-signed certificates created by Exchange. Creating a SHA-2 certificate is the default behaviour for the cmdlet. Existing certificates will not automatically be regenerated but newly installed servers will receive SHA-2 certificates by default. Customers may opt to replace existing non-SHA2 certificates generated by previous releases as they see fit.

Migration to Modern Public Folder Resolved

The issue reported in KB3161916 has been resolved.

 

This cumulative update fixes the following issues:

This cumulative update also fixes the issues that are described in the KB 3160339 MS16-079: Security update for Microsoft Exchange: June 14, 2016 and KB 3134844 Cumulative Update 1 for Exchange Server 2016

Microsoft Knowledge Base articles.
This update also includes new daylight saving time (DST) updates for Exchange Server 2016. For more information about DST, go to Daylight Saving Time Help and Support Center.

Download: https://www.microsoft.com/en-us/download/details.aspx?id=52968

Setup MDT 2013 (Update 2) to encrypt Windows 10 devices (Laptops) automaticlly

This  will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

  • A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
  • To configure your environment for BitLocker, you will need to do the following:
  1. Configure Active Directory for BitLocker.
  2. Download the various BitLocker scripts and tools.
  3. Configure the rules (CustomSettings.ini) for BitLocker.

Configure Active Directory for BitLocker

To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.

Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.

In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.

figure 2

Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.

Add the BitLocker Drive Encryption Administration Utilities

The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):

  1. On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
  2. On the Before you begin page, click Next.
  3. On the Select installation type page, select Role-based or feature-based installation, and click Next.
  4. On the Select destination server page, select DC01.contoso.com and click Next.
  5. On the Select server roles page, click Next.
  6. On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
    1. BitLocker Drive Encryption Administration Utilities
    2. BitLocker Drive Encryption Tools
    3. BitLocker Recovery Password Viewer
  7. On the Confirm installation selections page, click Install and then click Close.

figure 3

Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.

Create the BitLocker Group Policy

Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.

  1. On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
  2. Assign the name BitLocker Policy to the new Group Policy.
  3. Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:

    Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

    1. Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
      1. Allow data recovery agent (default)
      2. Save BitLocker recovery information to Active Directory Domain Services (default)
      3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (Do Not Enable This Winking smile)
    2. Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
    3. Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.

      Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services

    4. Enable the Turn on TPM backup to Active Directory Domain Services policy.

(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)

Set permissions in Active Directory for BitLocker

In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.

  1. On DC01, start an elevated PowerShell prompt (run as Administrator).
  2. Configure the permissions by running the following command:
    cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
    

figure 4

Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.

Add BIOS configuration tools from Dell, HP, and Lenovo

If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.

Add tools from Dell

The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:

cctk.exe --tpm=on --valsetuppwd=Password1234
Add tools from HP

The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:

BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234

And the sample content of the TPMEnable.REPSET file:

English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available
Add tools from Lenovo

The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:

cscript.exe SetConfig.vbs SecurityChip Active

CustomSettings.ini

[Default]
SkipBitLocker=YES

[LAPTOP]
TaskSequenceID=LAPTOP
MachineObjectOU=OU=Bitlocker,OU=LAPTOPS,OU=Clients,DC=wardvissers,DC=local
BDEKeyLocation=\\mdt01.wardvissers.local\Bitlocker$

Source

Translate »