17 April 2018

Enable Office365 MFA per User or all users - Search for users with MFA disabled

Enabling all users for MFA is relatively easy with PowerShell, and how-tos are found all over the web.
Enabling MFA for a single user is a bit more involved.
Here's how to do it:

Enable MFA per user

$MFASetting = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{
    RelyingParty = "*"
    State        = "Enabled"
}

Set-MsolUser -UserPrincipalName 'user@domain.com' -StrongAuthenticationRequirements $MFASetting

Check the settings

$User = Get-MsolUser -UserPrincipalName 'user@domain.com' |
    Select-Object -ExpandProperty StrongAuthenticationRequirements
$User.State

Find users with MFA enabled
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

Find users not MFA enabled (Not sure if this displays correct info)
Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName

Find users not MFA enabled (This is more accurate I believe)
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -eq $null} | Select-Object -Property UserPrincipalName
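An added example (not from the original post) that does the "find users" checks above in one pass and is also a handy way to verify the result after a bulk enable. It assumes an open Connect-MsolService session; Get-MfaStateReport, its output columns and the 'Disabled' label are my names.

```powershell
# Added example: per-user MFA state report for the whole tenant (MSOnline module).
# Assumes Connect-MsolService has already been run in this session.
function Get-MfaStateReport {
    [CmdletBinding()]
    param (
        # Unlicensed accounts are skipped by default; pass this switch to include them
        [switch] $IncludeUnlicensed
    )

    # Collect the UPNs that hold any directory role, so admin accounts without MFA stand out
    $adminUpns = @{}
    foreach ($role in Get-MsolRole) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            if ($member.EmailAddress) { $adminUpns[$member.EmailAddress.ToLower()] = $true }
        }
    }

    $users = Get-MsolUser -All
    if (-not $IncludeUnlicensed) { $users = $users | Where-Object { $_.IsLicensed } }

    foreach ($u in $users) {
        # StrongAuthenticationRequirements holds the requirement set with Set-MsolUser.
        # It is an empty collection, not $null, for a user that was never enabled,
        # so wrap it in @() and test Count rather than comparing with $null.
        $req   = @($u.StrongAuthenticationRequirements)
        $state = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }   # 'Disabled' mirrors the portal label

        # StrongAuthenticationMethods lists what the user has registered; also an empty collection when none
        $methods = @($u.StrongAuthenticationMethods)
        $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType

        [PSCustomObject]@{
            UserPrincipalName = $u.UserPrincipalName
            IsAdmin           = $adminUpns.ContainsKey($u.UserPrincipalName.ToLower())
            MfaState          = $state            # Disabled / Enabled / Enforced
            MethodsRegistered = $methods.Count
            DefaultMethod     = $default
        }
    }
}

# Admin accounts that are still Disabled are the first thing to fix
Get-MfaStateReport | Where-Object { $_.IsAdmin -and $_.MfaState -eq 'Disabled' } | Format-Table -AutoSize
```

Pipe the full report to Export-Csv to keep a before/after record of a bulk enable.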

Bulk enable for multiple users from a text file (one UPN per line)
Enable for multiple users

function Set-MFAUsers {
    [CmdletBinding()]
    param (
        # Path to a text file with one UserPrincipalName per line; also accepts FileInfo objects from Get-ChildItem
        [parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)]
        [ValidateScript( {Test-Path $_})]
        [Alias('FullName')]
        [String] $Path,

        [ValidateSet('Enabled','Enforced')]
        [String] $State = 'Enabled'
    )

    # A process block is needed so every file piped in is handled, not only the last one
    process {
        # Set MFA object
        $MFASetting = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{
            RelyingParty = "*"
            State        = $State
        }

        # Get user list, skipping blank lines
        $Users = Get-Content -Path $Path | Where-Object { $_.Trim() }

        foreach ($user in $Users)
        {
            $user = $user.Trim()
            $SetUser = @{
                UserPrincipalName                = $user
                StrongAuthenticationRequirements = $MFASetting
                ErrorAction                      = 'Stop'
            }

            Try {
                # Set MFA
                Set-MsolUser @SetUser

                # Post check: read the requirement back and compare the state
                $ThisUser = Get-MsolUser -UserPrincipalName $user -ErrorAction Stop |
                    Select-Object -ExpandProperty StrongAuthenticationRequirements

                if ($ThisUser.State -eq $SetUser.StrongAuthenticationRequirements.State) {
                    Write-Host "[SUCCESS] UPN: $user" -ForegroundColor Green
                }
                else {
                    Write-Host "[FAILED ] UPN: $user" -ForegroundColor Red
                }
            }
            Catch {
                Write-Warning -Message "$user : $($_.Exception.Message)"
            }
        }
    }
}

Get-ChildItem C:\temp\MFA_Users.txt | Set-MFAUsers -State Enforced

10 April 2018

Install Exchange 2013 CU's from an elevated command prompt or elevated PowerShell

Most commonly used:

Prepare Schema:
.\Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

Prepare All Domains:
.\Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

Prepare Domain:
.\Setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms

Upgrade the server (run Setup.exe /? for the full list of modes and parameters):
.\Setup.exe /Mode:Upgrade /IAcceptExchangeServerLicenseTerms
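As an added example (not from the original post), the steps above as one script that runs in order, stops at the first non-zero exit code, and reads the Exchange schema version (rangeUpper of ms-Exch-Schema-Version-Pt) before and after so the schema update can be verified. It also inserts /PrepareAD, documented in the Setup /help:PrepareTopology output below, between the schema and domain steps. It assumes Setup.exe from the extracted CU in the current directory and an elevated session; the function names and the -AllDomains switch are mine.

```powershell
# Added example: unattended Exchange 2013 CU setup wrapper with exit-code and schema checks.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ExchangeSchemaVersion {
    # rangeUpper on ms-Exch-Schema-Version-Pt is the attribute Exchange bumps on a schema update
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = $rootDse.schemaNamingContext.Value
    $attr     = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc"
    return [int]$attr.rangeUpper.Value
}

function Invoke-ExchangeSetupStep {
    param ([Parameter(Mandatory)] [string[]] $Arguments)
    # /IAcceptExchangeServerLicenseTerms is required on every Setup.exe invocation
    $argList = $Arguments + '/IAcceptExchangeServerLicenseTerms'
    Write-Host "Running: Setup.exe $($argList -join ' ')" -ForegroundColor Cyan
    $proc = Start-Process -FilePath '.\Setup.exe' -ArgumentList $argList -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "Setup.exe $($Arguments -join ' ') failed with exit code $($proc.ExitCode); see C:\ExchangeSetupLogs\ExchangeSetup.log"
    }
}

function Install-ExchangeCu {
    param (
        # Prepare every domain in the forest instead of only the local one
        [switch] $AllDomains
    )
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path '.\Setup.exe')) { throw 'Setup.exe not found; cd into the extracted CU folder first.' }

    $before = Get-ExchangeSchemaVersion
    Write-Host "Exchange schema version before: $before"

    Invoke-ExchangeSetupStep -Arguments '/PrepareSchema'
    Invoke-ExchangeSetupStep -Arguments '/PrepareAD'        # forest / organization preparation
    if ($AllDomains) { Invoke-ExchangeSetupStep -Arguments '/PrepareAllDomains' }
    else             { Invoke-ExchangeSetupStep -Arguments '/PrepareDomain' }
    Invoke-ExchangeSetupStep -Arguments '/Mode:Upgrade'

    $after = Get-ExchangeSchemaVersion
    Write-Host "Exchange schema version after:  $after"
    if ($after -eq $before) { Write-Warning 'Schema version unchanged; this CU may not carry a schema update.' }
}

Install-ExchangeCu -AllDomains
```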

The setup files of the most recently installed CU are always available in the following location:
C:\Program Files\Microsoft\Exchange Server\V15\Bin

From that location run: Setup.exe /?

Microsoft Exchange Server 2013 Cumulative Update 19 Unattended Setup


For detailed help, type one of the following options:

  Setup /help:Install         - Install Exchange server roles.
  Setup /help:Upgrade         - Upgrade an existing Exchange server.
  Setup /help:Uninstall       - Uninstall Exchange server roles.
  Setup /help:RecoverServer   - Recover an existing Exchange server.
  Setup /help:PrepareTopology - Prepare your topology for Exchange.
  Setup /help:Delegation      - Delegate server installations.
  Setup /help:UmLanguagePacks - Add or remove Unified Messaging
                                language packs.

To read the Exchange Server license terms,
see http://go.microsoft.com/fwlink/p/?LinkId=150127.

setup /help:install


C:\Program Files\Microsoft\Exchange Server\V15\Bin>Setup /help:Install

Microsoft Exchange Server 2013 Cumulative Update 19 Unattended Setup


Microsoft Exchange Server 2013 Setup Parameter Help

Exchange Server Installation Usage:

    Setup /Mode:Install /Roles:<roles to install> [<OptionalParameters>]
      /IAcceptExchangeServerLicenseTerms
    Setup /Mode:Uninstall
      /IAcceptExchangeServerLicenseTerms
    Setup /Mode:Upgrade /IAcceptExchangeServerLicenseTerms

--Exchange Server Installation Required Parameters--

/Mode:<installation mode>, /m:<installation mode>
    Specifies the operation to perform:
        . Install:    (Default)--Installs one or more server roles.
        . Uninstall:  Removes all installed server roles.
        . Upgrade:    Installs a service pack.

/Roles:<role 1, role 2>, /Role:<role>, /r:<role>
    The following are the valid server roles:
        . ClientAccess, ca
        . Mailbox, mb
        . EdgeTransport, et
        . ManagementTools, mt, t

    * This parameter can't be used when the /Mode parameter
    is set to Uninstall or Upgrade.

/IAcceptExchangeServerLicenseTerms
    This parameter is required to accept Exchange Server license terms
    and must be included every time the setup command is run.

--Exchange Server Installation Optional Parameters--

[/DisableAMFiltering]
    Disables Exchange Server anti-malware functionality.

[/DomainController:<NetBIOS or FQDN>, /dc:<NetBIOS> or FQDN>]
    Specifies the domain controller that Setup will use to read
    and write to Active Directory.

[/InstallWindowsComponents]
    Installs required Windows Server roles and features.

[/OrganizationName:<organization name>, /on:<organization name>]
    Specifies the name of the Exchange organization. The name can't be
    longer than 64 characters. If the name has spaces, enclose it in
    quotes.
    Valid characters: A-Z, a-z, 0-9, space (not leading or trailing),
    hyphen, dash.

    * This parameter is required if you're installing the first
    Exchange server in an organization.

[/TargetDir:<path>, /t:<path>]
    Specifies the location to install Exchange Server 2013 files.
    Default: "%ProgramFiles%\Microsoft\Exchange Server\V15"

[/UpdatesDir:<path>, /u:<path>]
    Updates from the specified directory will be installed during
    setup.

[/?]
    Displays help for setup.

--Exchange Server Installation Advanced Optional Parameters--

[/ActiveDirectorySplitPermissions:<True | False>]
    Enable Active Directory split permissions mode when preparing
    the Exchange organization.
    The value can be true or false.

[/AnswerFile:<path>, /af:<path>]
    Specifies the location of an answer file that contains advanced
    parameters for setup.
    For details, see http://go.microsoft.com/fwlink/p/?LinkId=254454.

[/CustomerFeedbackEnabled:<True | False>]
    Specify whether to participate in Customer Experience Improvement
    Program.
    The value can be True or False.

[/DbFilePath:<path>]
    Specify the full path to the mailbox database file when
    the Mailbox server role is installed.
    Role: Mailbox

[/DoNotStartTransport]
    Microsoft Exchange Transport service will not be started during
    setup when this parameter is specified.
    Role: Mailbox

    Remarks: This parameter can only be specified during the first
    Exchange 2013 Mailbox server installation in an organization.

[/EnableErrorReporting]
    Enables the Exchange server to automatically submit critical
    error reports. Microsoft uses this information to diagnose
    problems and provide solutions.

[/LogFolderPath:<path>]
    Specify the folder path to the directory where the mailbox database
    database logs should be placed when the Mailbox server role is
    installed.
    Role: Mailbox

[/MdbName:<MDB name>]
    Specify the default database name that is created when the
    Mailbox server role is installed.
    Role: Mailbox

[/TenantOrganizationConfig:<path>]
    Specifies the path to the file that contains the organization
    configuration of your Office 365 tenant. This file is created by
    running the Get-OrganizationConfig cmdlet in your Office 365
    tenant. For more information, see
    http://go.microsoft.com/fwlink/?LinkId=262888.

Setup /help:Upgrade


Microsoft Exchange Server 2013 Cumulative Update 19 Unattended Setup


Microsoft Exchange Server Setup Parameter Help

Upgrade Exchange Server Usage:

    Setup /Mode:Upgrade [OptionalParameters]
      /IAcceptExchangeServerLicenseTerms

--Upgrade Exchange Server Required Parameters--

/Mode:Upgrade, /m:Upgrade
    Upgrades an existing Exchange server object.

/IAcceptExchangeServerLicenseTerms
    This parameter is required to accept Exchange Server license terms
    and must be included every time the setup command is run.

--Upgrade Exchange Server Optional Parameters--

[/DomainController:<NetBIOS or FQDN>, /dc:<NetBIOS or FQDN>]
    Specifies the domain controller that setup will use to read
    and to write to Active Directory.

[/EnableErrorReporting]
    This enables the Exchange server to automatically submit critical
    error reports. Microsoft uses this information to diagnose problems
    and provide solutions.

Setup /help:Uninstall


Microsoft Exchange Server 2013 Cumulative Update 19 Unattended Setup


Microsoft Exchange Server 2013 Setup Parameter Help

Exchange Server Installation Usage:

    Setup /Mode:Install /Roles:<roles to install> [<OptionalParameters>]
      /IAcceptExchangeServerLicenseTerms
    Setup /Mode:Uninstall
      /IAcceptExchangeServerLicenseTerms
    Setup /Mode:Upgrade /IAcceptExchangeServerLicenseTerms

--Exchange Server Installation Required Parameters--

/Mode:<installation mode>, /m:<installation mode>
    Specifies the operation to perform:
        . Install:    (Default)--Installs one or more server roles.
        . Uninstall:  Removes all installed server roles.
        . Upgrade:    Installs a service pack.

/Roles:<role 1, role 2>, /Role:<role>, /r:<role>
    The following are the valid server roles:
        . ClientAccess, ca
        . Mailbox, mb
        . EdgeTransport, et
        . ManagementTools, mt, t

    * This parameter can't be used when the /Mode parameter
    is set to Uninstall or Upgrade.

/IAcceptExchangeServerLicenseTerms
    This parameter is required to accept Exchange Server license terms
    and must be included every time the setup command is run.

--Exchange Server Installation Optional Parameters--

[/DisableAMFiltering]
    Disables Exchange Server anti-malware functionality.

[/DomainController:<NetBIOS or FQDN>, /dc:<NetBIOS> or FQDN>]
    Specifies the domain controller that Setup will use to read
    and write to Active Directory.

[/InstallWindowsComponents]
    Installs required Windows Server roles and features.

[/OrganizationName:<organization name>, /on:<organization name>]
    Specifies the name of the Exchange organization. The name can't be
    longer than 64 characters. If the name has spaces, enclose it in
    quotes.
    Valid characters: A-Z, a-z, 0-9, space (not leading or trailing),
    hyphen, dash.

    * This parameter is required if you're installing the first
    Exchange server in an organization.

[/TargetDir:<path>, /t:<path>]
    Specifies the location to install Exchange Server 2013 files.
    Default: "%ProgramFiles%\Microsoft\Exchange Server\V15"

[/UpdatesDir:<path>, /u:<path>]
    Updates from the specified directory will be installed during
    setup.

[/?]
    Displays help for setup.

--Exchange Server Installation Advanced Optional Parameters--

[/ActiveDirectorySplitPermissions:<True | False>]
    Enable Active Directory split permissions mode when preparing
    the Exchange organization.
    The value can be true or false.

[/AnswerFile:<path>, /af:<path>]
    Specifies the location of an answer file that contains advanced
    parameters for setup.
    For details, see http://go.microsoft.com/fwlink/p/?LinkId=254454.

[/CustomerFeedbackEnabled:<True | False>]
    Specify whether to participate in Customer Experience Improvement
    Program.
    The value can be True or False.

[/DbFilePath:<path>]
    Specify the full path to the mailbox database file when
    the Mailbox server role is installed.
    Role: Mailbox

[/DoNotStartTransport]
    Microsoft Exchange Transport service will not be started during
    setup when this parameter is specified.
    Role: Mailbox

    Remarks: This parameter can only be specified during the first
    Exchange 2013 Mailbox server installation in an organization.

[/EnableErrorReporting]
    Enables the Exchange server to automatically submit critical
    error reports. Microsoft uses this information to diagnose
    problems and provide solutions.

[/LogFolderPath:<path>]
    Specify the folder path to the directory where the mailbox database
    database logs should be placed when the Mailbox server role is
    installed.
    Role: Mailbox

[/MdbName:<MDB name>]
    Specify the default database name that is created when the
    Mailbox server role is installed.
    Role: Mailbox

[/TenantOrganizationConfig:<path>]
    Specifies the path to the file that contains the organization
    configuration of your Office 365 tenant. This file is created by
    running the Get-OrganizationConfig cmdlet in your Office 365
    tenant. For more information, see
    http://go.microsoft.com/fwlink/?LinkId=262888.

Setup /help:RecoverServer


Microsoft Exchange Server 2013 Cumulative Update 19 Unattended Setup


Microsoft Exchange Server 2013 Setup Parameter Help

Recover Exchange Server Usage:

    Setup /Mode:RecoverServer [OptionalParameters]
      /IAcceptExchangeServerLicenseTerms

--Recover Exchange Server Required Parameters--

/Mode:RecoverServer, /m:RecoverServer
    Recovers an existing Exchange server object.

/IAcceptExchangeServerLicenseTerms
    This parameter is required to accept Exchange Server license terms
    and must be included every time the setup command is run.

--Recover Exchange Server Optional Parameters--

[/TargetDir:<path>, /t:<path>]
    Specifies the location to install Exchange Server 2013 files.
    Default: "%programfiles%\Microsoft\Exchange Server\V15"

[/UpdatesDir:<path>, /u:<path>]
    Specifies the location from which updates will be installed
    during setup.

[/DomainController:<NetBIOS or FQDN>, /dc:<NetBIOS or FQDN>]
    Specifies the domain controller that setup will use to read
    and to write to Active Directory.

[/EnableErrorReporting]
    This enables the Exchange server to automatically submit critical
    error reports. Microsoft uses this information to diagnose problems
    and provide solutions.

[/DoNotStartTransport]
    The Microsoft Exchange Transport service will not be started during
    setup when this parameter is specified.
    Role: Mailbox

Setup /help:PrepareTopology


Microsoft Exchange Server 2013 Cumulative Update 19 Unattended Setup


Microsoft Exchange Server 2013 Setup Parameter Help

Prepare Topology Usage:

    Setup /PrepareAD [<OptionalParameters>]
      /IAcceptExchangeServerLicenseTerms
    Setup /PrepareSchema [<OptionalParameters>]
      /IAcceptExchangeServerLicenseTerms
    Setup /PrepareDomain [<OptionalParameters>]
      /IAcceptExchangeServerLicenseTerms
    Setup /PrepareDomain:<domainA, domainB> [<OptionalParameters>]
      /IAcceptExchangeServerLicenseTerms
    Setup /PrepareAllDomains [<OptionalParameters>]
      /IAcceptExchangeServerLicenseTerms

--Prepare Topology Required Parameters--

/PrepareAD, /p
    Prepares the Active Directory forest for the Exchange
    installation.

/PrepareSchema, /ps
    Prepares the Active Directory schema for the Exchange installation.

/PrepareDomain, /pd
    Prepares the local domain for the Exchange installation.

/PrepareDomain:<domain FQDN>, /pd:<domain FQDN>
    Prepares the specified domain(s) for the Exchange installation.

/PrepareAllDomains, /pad
    Prepares all domains in the forest for the Exchange
    installation.

/IAcceptExchangeServerLicenseTerms
    This parameter is required to accept Exchange Server license terms
    and must be included every time the setup command is run.

--Prepare Topology Optional Parameters--

[/OrganizationName:<organization name>, /on:<organization name>]
    Specifies the name of the Exchange organization. The name can't be
    longer than 64 characters. If the name has spaces, enclose it in
    quotes.
    Valid characters: A-Z, a-z, 0-9, space (not leading or trailing),
    hyphen, dash.

    * This parameter is required if you're installing the first
    Exchange server in an organization.

[/DomainController:<NetBIOS or FQDN>, /dc:<NetBIOS or FQDN>]
    Specifies the domain controller that Setup will use to read
    and write to Active Directory.

[/ActiveDirectorySplitPermissions:<True | False>]
    Enable Active Directory split permissions mode when preparing
    the Exchange organization.
    The value can be true or false.

Setup /help:Delegation


Microsoft Exchange Server 2013 Cumulative Update 19 Unattended Setup


Microsoft Exchange Server 2013 Setup Parameter Help

Server Setup Delegation Usage:

    Setup /NewProvisionedServer:<server name>
      /IAcceptExchangeServerLicenseTerms
    Setup /RemoveProvisionedServer:<server name>
      /IAcceptExchangeServerLicenseTerms

--Server Setup Delegation Required Parameters--

/NewProvisionedServer:<server name>, /nprs:<server name>
    Creates a placeholder server object so that a
    delegated server administrator can run Exchange installation.

/RemoveProvisionedServer:<server name>, /rprs:<server name>
    Removes the provisioned server object.

/IAcceptExchangeServerLicenseTerms
    This parameter is required to accept Exchange Server license terms
    and must be included every time the setup command is run.

Setup /help:UmLanguagePacks


Microsoft Exchange Server 2013 Cumulative Update 19 Unattended Setup


Microsoft Exchange Server 2013 Setup Parameter Help

Unified Messaging Language Pack Usage:

    Setup /AddUmLanguagePack:<cultures> [<OptionalParameters>]
      /IAcceptExchangeServerLicenseTerms
    Setup /RemoveUmLanguagePack:<cultures>
      /IAcceptExchangeServerLicenseTerms

--Unified Messaging Language Pack Required Parameters--

/AddUmLanguagePack:<cultures>
    Adds the language packs for the specified cultures.

/RemoveUmLanguagePack:<cultures>
    Removes the installed language packs.

/IAcceptExchangeServerLicenseTerms
    This parameter is required to accept Exchange Server license terms
    and must be included every time the setup command is run.

--Unified Messaging Language Pack Optional Parameters--

[/SourceDir:<path>, /s:<path>]
    Location for the Unified Messaging language pack
    for the cultures specified. Valid with /AddUmLanguagePack
    parameter only.

[/UpdatesDir:<path>, /u:<path>]
    Updates from the directory specified will be installed
    during setup.

Usage Examples:
    Setup /AddUmLanguagePack:de-DE /s:d:\Downloads\UmLanguagePacks
    Setup /AddUmLanguagePack:de-DE,fr-FR,ja-JP /s:\\myshare\langpacks
    Setup /RemoveUmLanguagePack:de-DE,fr-FR
    Setup /AddUmLanguagePack:de-DE /s:d:\Downloads /u:d:\Patches

Remarks:
    The en-US Unified Messaging language pack can't be added or removed.
    It will be installed and uninstalled with the Mailbox role.
    These operations are only valid when the Mailbox role is already
    installed on the server.



14 March 2018

Enable MFA for all Office365 users at once with PowerShell

Now that Multi-Factor Authentication is widely supported through all the different PowerShell modules within Office365 and Azure, it's a good idea and a best practice to enable MFA for all accounts, especially admin accounts.

So how do we do this?
After connecting to the MSOnline service with PowerShell run:

$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"
$auth.State = "Enabled"
# Invalidates any "remember this device" state issued before now
$auth.RememberDevicesNotIssuedBefore = (Get-Date)

Get-MsolUser -All | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements $auth }

All users are now "enabled" for MFA.
This should give you a lot of extra brownie points on your secure score rating :-)

13 March 2018

Install Office365 requirements with PowerShell - SkypeOnline - ExchangeOnline - AzureAD - SharepointOnline PowerShell modules

I came across a script by Chris Goosen to connect to all of the Office 365 services via PowerShell.
When I tried to run it, errors were flying everywhere.
All of the requirements were missing on my system.

So that's what I came up with, a one stop way to get all of those requirements in one single go.

<#
.SYNOPSIS
Install Office365 PowerShell Prerequisites

.DESCRIPTION
Downloads and installs the AzureAD, Sharepoint Online, Skype Online for Windows PowerShell
#>

Function InstallSharepointOnlinePowerShellModule() {

    $SharepointOnlinePowerShellModuleSourceURL = "https://download.microsoft.com/download/0/2/E/02E7E5BA-2190-44A8-B407-BC73CA0D6B87/SharePointOnlineManagementShell_7414-1200_x64_en-us.msi"
    $DestinationFolder = "$ENV:homedrive\$env:homepath\Downloads"
    If (!(Test-Path $DestinationFolder)) {
        New-Item $DestinationFolder -ItemType Directory -Force
    }
    Write-Host "Downloading Sharepoint Online PowerShell Module from $SharepointOnlinePowerShellModuleSourceURL"
    try {
        Invoke-WebRequest -Uri $SharepointOnlinePowerShellModuleSourceURL -OutFile "$DestinationFolder\SharePointOnlineManagementShell_7414-1200_x64_en-us.msi" -ErrorAction STOP
        $msifile = "$DestinationFolder\SharePointOnlineManagementShell_7414-1200_x64_en-us.msi"
        $arguments = @(
            "/i"
            "`"$msiFile`""
            "/passive"
        )
        Write-Host "Attempting to install $msifile"
        $process = Start-Process -FilePath msiexec.exe -Wait -PassThru -ArgumentList $arguments
        if ($process.ExitCode -eq 0) {
            Write-Host "$msiFile has been successfully installed"
        }
        else {
            Write-Host "installer exit code $($process.ExitCode) for file $($msifile)"
        }
    }
    catch {
        Write-Host $_.Exception.Message
    }
}

InstallSharepointOnlinePowerShellModule

# Download and Install Visual Studio C++ 2017
$VisualStudio2017x64URL = "https://download.visualstudio.microsoft.com/download/pr/11687625/2cd2dba5748dc95950a5c42c2d2d78e4/VC_redist.x64.exe"
Write-Host "Downloading VisualStudio 2017 C++ from $VisualStudio2017x64URL"
$DestinationFolder = "$ENV:homedrive\$env:homepath\Downloads"
Invoke-WebRequest -Uri $VisualStudio2017x64URL -OutFile "$DestinationFolder\VC_redist.x64.exe" -ErrorAction STOP
Write-Host "Attempting to install VisualStudio 2017 C++, a reboot is required!"
Start-Process "$DestinationFolder\VC_redist.x64.exe" -ArgumentList "/passive /norestart" -Wait
Write-Host "VisualStudio 2017 C++ installer finished"

# Download and Install Skype Online PowerShell module
$SkypeOnlinePowerShellModuleSourceURL = "https://download.microsoft.com/download/2/0/5/2050B39B-4DA5-48E0-B768-583533B42C3B/SkypeOnlinePowerShell.Exe"
$DestinationFolder = "$ENV:homedrive\$env:homepath\Downloads"
If (!(Test-Path $DestinationFolder)) {
    New-Item $DestinationFolder -ItemType Directory -Force
}
Write-Host "Downloading Skype Online PowerShell Module from $SkypeOnlinePowerShellModuleSourceURL"
Invoke-WebRequest -Uri $SkypeOnlinePowerShellModuleSourceURL -OutFile "$DestinationFolder\SkypeOnlinePowerShell.Exe" -ErrorAction STOP
Start-Process "$DestinationFolder\SkypeOnlinePowerShell.Exe" -ArgumentList "/quiet" -Wait

# Register PSGallery PSprovider and set as Trusted source
# Note: InstallationPolicy Trusted suppresses the untrusted-repository prompt for everything installed from PSGallery afterwards
Register-PSRepository -Name PSGallery -SourceLocation https://www.powershellgallery.com/api/v2/ -PublishLocation https://www.powershellgallery.com/api/v2/package/ -ScriptSourceLocation https://www.powershellgallery.com/api/v2/items/psscript/ -ScriptPublishLocation https://www.powershellgallery.com/api/v2/package/ -InstallationPolicy Trusted -PackageManagementProvider NuGet
Set-PSRepository -Name psgallery -InstallationPolicy trusted

# Install modules from PSGallery
Save-Module -Name AzureAD -Path $DestinationFolder
Install-Module -Name AzureAD
Save-Module -Name MSOnline -Path $DestinationFolder
Install-Module -Name MSOnline

# Manually install Exchange Online with MFA authentication support from the Exchange Online ECP
Write-Host "Login, go to Hybrid and download the Exchange Online Powershell module"
Start-Process https://outlook.office365.com/ecp/

12 March 2018

How to restore a private key in IIS 7.0 or IIS 8.0

The following instructions apply to Windows Server 2008 (IIS 7.0) & Windows Server 2012 (IIS 8.0). Perform the following steps to restore the private key.

Import SSL certificate into the Personal > Certificates folder
Create a Certificates snap-in in a MMC console, refer to solution SO9999.
From the top left-hand pane, expand the Certificates tree, expand the Personal folder
Right-click the Certificates sub folder and select All Tasks > Import
The Certificate Import Wizard opens. Click Next
Click Browse and then navigate to the SSL certificate file.
Click Open > Next
Ensure "Place all certificates in the following store" is selected, ensure that "Personal" is listed for the certificate store.
Click Next > Finish

Import the Intermediate Certificate into the Intermediate Certification Authorities > Certificates folder
Download the correct Intermediate CA certificate, refer to article INFO1421.
From the left pane, expand the Intermediate Certification Authorities folder
Right-click on the Certificates sub folder
Select All Tasks > Import - A Certificate Import Wizard will open.
Click Next
Click Browse and then navigate to the Intermediate CA Certificate file
Click Next
Select Place all certificates in the following store: Intermediate Certification Authorities
Click Next
Click Finish 

Restore Private Key
With the MMC console still open, select the Certificates folder inside the Personal folder in the left-hand pane.
Double-click the newly imported SSL certificate in the right-hand pane, then select the Details tab.
Scroll down and select the Thumbprint field, then select and copy the entire thumbprint (in the bottom box) to the clipboard.
Open a command prompt, then enter the following command:
certutil -repairstore my "<thumbprint>"
Example:
certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
If successful, the response will be "CertUtil: -repairstore command completed successfully"
Assign SSL certificate in IIS
Go to > Start > Administrative Tools > Internet Information Services (IIS) Manager.
From the Connections pane on the left, expand the local server, expand the Sites folder and select the web site to be secured with SSL.
From the Actions pane on the right, select the Bindings option under Edit Site.
In the Site Bindings window, select an existing https binding and click Edit. If there are no existing https bindings, click Add.
Ensure the type is set to 'https', then select the new SSL certificate from the drop down menu.
Click the View button to confirm details of the certificate.
Click OK > Close
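As an added example (not part of the original post), the certutil step as a function that runs the repair only when the private key is actually missing, re-reads the store to verify, and checks that the chain validates (the intermediate CA step above). Repair-CertificatePrivateKey is my name; the thumbprint passed in is the value copied from the Details tab.

```powershell
# Added example: restore and verify the private key for a certificate in the machine Personal store.
function Repair-CertificatePrivateKey {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string] $Thumbprint
    )

    # MMC shows the thumbprint as space-separated hex pairs; the Cert: provider wants them joined
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($thumb.Length -ne 40) {
        throw "'$Thumbprint' is not a SHA-1 thumbprint (40 hex digits expected)"
    }

    # "my" in certutil is the machine Personal store, i.e. Cert:\LocalMachine\My
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) {
        throw "No certificate with thumbprint $thumb in LocalMachine\My; import the certificate first"
    }

    if (-not $cert.HasPrivateKey) {
        # certutil looks for the key matching this certificate in the machine key store and re-links it
        $output = & certutil.exe -repairstore my $thumb 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning ($output -join [Environment]::NewLine)
            return $false
        }
        # Re-read the store entry; the object fetched before the repair still reports HasPrivateKey = False
        $cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb"
        if (-not $cert.HasPrivateKey) {
            Write-Warning "certutil completed but no private key is linked; the key may not exist on this machine"
            return $false
        }
        Write-Host "Private key restored for $($cert.Subject)" -ForegroundColor Green
    }
    else {
        Write-Host "Private key already present for $($cert.Subject)" -ForegroundColor Green
    }

    # An https binding will still fail chain validation if the intermediate CA import was skipped
    if (-not $cert.Verify()) {
        Write-Warning "Chain for $($cert.Subject) does not validate; check the Intermediate Certification Authorities import"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate expired on $($cert.NotAfter)"
    }
    return $true
}

# Usage (elevated session): Repair-CertificatePrivateKey -Thumbprint '<thumbprint copied from the Details tab>'
```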

22 February 2018

Clean IIS .LOG files, .BLG and .ETL files while we're at it

This is a script I found at "The Gallery" over at Technet.
Edward van Biljon created this for his own environment, and I saw it would be a great script for my environment as well. His version also goes through the IIS folders, but I think there are better scripts available for that, so I don't use that function and commented it out in the script.

What it does is find log files, blg files and etl files.
If older than X days they get deleted.

Why would you want this? Well, disk space disk space disk space.
All the logging that Exchange 2013 and 2016 does out of the box will fill up your disks like crazy.

Running this as a scheduled task will prevent most cases of system freezes and lockups caused by full OS disks.

Certain files are in constant use by Exchange or IIS so this script won't be able to delete those files.
After a reboot you can delete those files by running this script.
The original script by Edward was missing some folders, so I added those:

$days=2
#$IISLogPath="C:\inetpub\logs\LogFiles\"
$ExchangeLoggingPath="C:\Program Files\Microsoft\Exchange Server\V15\Logging\"
$ETLLoggingPath="C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\ETLTraces\"
$ETLLoggingPath2="C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\Logs"
$ETLLoggingPath3="C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Data\ProgramLogArchive\"
$ETLLoggingPath4="C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\Connectivity"
$HTTPERRLoggingPath="C:\Windows\System32\LogFiles\HTTPERR"

Function CleanLogfiles($TargetFolder)
{
    Write-Host $TargetFolder -ForegroundColor Yellow -BackgroundColor Cyan

    if (Test-Path $TargetFolder) {
        $Now = Get-Date
        $LastWrite = $Now.AddDays(-$days)
        # Only .log, .blg and .etl files under the folder that was passed in, older than $days
        $Files = Get-ChildItem $TargetFolder -Recurse -File |
            Where-Object {$_.Name -like "*.log" -or $_.Name -like "*.blg" -or $_.Name -like "*.etl"} |
            Where-Object {$_.LastWriteTime -le $LastWrite}
        foreach ($File in $Files)
        {
            $FullFileName = $File.FullName
            Write-Host "Deleting file $FullFileName" -ForegroundColor "yellow"
            # Files still open by Exchange or IIS can't be deleted; SilentlyContinue skips them until the next run
            Remove-Item $FullFileName -ErrorAction SilentlyContinue | Out-Null
        }
    }
    Else {
        Write-Host "The folder $TargetFolder doesn't exist! Check the folder path!" -ForegroundColor "red"
    }
}

#CleanLogfiles($IISLogPath)
CleanLogfiles($ExchangeLoggingPath)
CleanLogfiles($ETLLoggingPath)
CleanLogfiles($ETLLoggingPath2)
CleanLogfiles($ETLLoggingPath3)
CleanLogfiles($ETLLoggingPath4)
CleanLogfiles($HTTPERRLoggingPath)

Source

15 February 2018

Schannel errors and the alert codes - What does the alert code mean

SSL/TLS Alert Protocol and the alert codes.

When a Schannel error is logged in the System event log, an alert code is logged with it.
The table below shows what each alert code means.
This won't fix your issue by itself, but it points you in the direction you need to investigate.



| Alert Code | Alert Message | Description |
|---|---|---|
| 0 | close_notify | Notifies the recipient that the sender will not send any more messages on this connection. |
| 10 | unexpected_message | Received an inappropriate message. This alert should never be observed in communication between proper implementations. This message is always fatal. |
| 20 | bad_record_mac | Received a record with an incorrect MAC. This message is always fatal. |
| 21 | decryption_failed | A TLSCiphertext record was decrypted in an invalid way: either it was not an even multiple of the block length or its padding values, when checked, were not correct. This message is always fatal. |
| 22 | record_overflow | Received a TLSCiphertext record which had a length more than 2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than 2^14+1024 bytes. This message is always fatal. |
| 30 | decompression_failure | Received improper input, such as data that would expand to excessive length, from the decompression function. This message is always fatal. |
| 40 | handshake_failure | Indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. This is a fatal error. |
| 42 | bad_certificate | There is a problem with the certificate, for example, a certificate is corrupt, or a certificate contains signatures that cannot be verified. |
| 43 | unsupported_certificate | Received an unsupported certificate type. |
| 44 | certificate_revoked | Received a certificate that was revoked by its signer. |
| 45 | certificate_expired | Received a certificate that has expired or is not currently valid. |
| 46 | certificate_unknown | An unspecified issue took place while processing the certificate that made it unacceptable. |
| 47 | illegal_parameter | A security parameter was violated, such as a field in the handshake that was out of range or inconsistent with other fields. This is always fatal. |
| 48 | unknown_ca | Received a valid certificate chain or partial chain, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA. This message is always fatal. |
| 49 | access_denied | Received a valid certificate, but when access control was applied, the sender did not proceed with negotiation. This message is always fatal. |
| 50 | decode_error | A message could not be decoded because some field was out of the specified range or the length of the message was incorrect. This message is always fatal. |
51
decrypt_error
Failed handshake cryptographic operation, including being unable to correctly verify a signature, decrypt a key exchange, or validate a finished message.
60
export_restriction
Detected a negotiation that was not in compliance with export restrictions; for example, attempting to transfer a 1024 bit ephemeral RSA key for the RSA_EXPORT handshake method. This message is always fatal.
70
protocol_version
The protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. This message is always fatal.
71
insufficient_security
Failed negotiation specifically because the server requires ciphers more secure than those supported by the client. Returned instead of handshake_failure. This message is always fatal.
80
internal_error
An internal error unrelated to the peer or the correctness of the protocol makes it impossible to continue, such as a memory allocation failure. The error is not related to protocol. This message is always fatal.
90
user_cancelled
Cancelled handshake for a reason that is unrelated to a protocol failure. If the user cancels an operation after the handshake is complete, just closing the connection by sending a close_notify is more appropriate. This alert should be followed by a close_notify. This message is generally a warning.
100
no_renegotiation
Sent by the client in response to a hello request or sent by the server in response to a client hello after initial handshaking. Either of these would normally lead to renegotiation; when that is not appropriate, the recipient should respond with this alert; at that point, the original requester can decide whether to proceed with the connection. One case where this would be appropriate would be where a server has spawned a process to satisfy a request; the process might receive security parameters (key length, authentication, and so on) at start-up and it might be difficult to communicate changes to these parameters after that point. This message is always a warning.
255
unsupported_extension
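To put the table to use, here is an added example (not from the original post) that pulls Schannel's fatal-alert events from the System log and labels each alert code with the name above, so you can see at a glance which failures a server is hitting. It assumes Schannel logs these as event IDs 36887 (alert received) and 36888 (alert sent) and that the message text contains "alert code is <n>"; adjust the filter if your events differ.

```powershell
# Map of TLS alert codes to alert names, taken from the table above
$TlsAlerts = @{
    0='close_notify'; 10='unexpected_message'; 20='bad_record_mac'; 21='decryption_failed'
    22='record_overflow'; 30='decompression_failure'; 40='handshake_failure'
    42='bad_certificate'; 43='unsupported_certificate'; 44='certificate_revoked'
    45='certificate_expired'; 46='certificate_unknown'; 47='illegal_parameter'
    48='unknown_ca'; 49='access_denied'; 50='decode_error'; 51='decrypt_error'
    60='export_restriction'; 70='protocol_version'; 71='insufficient_security'
    80='internal_error'; 90='user_cancelled'; 100='no_renegotiation'
    255='unsupported_extension'
}

function Get-SchannelAlert {
    param (
        [int] $Hours = 24,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Assumption: 36887 = fatal alert received, 36888 = fatal alert sent
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36887, 36888
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches, so suppress that and return nothing
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: message text reads "... The TLS protocol defined fatal alert code is 40. ..."
            if ($_.Message -match 'alert code is (\d+)') {
                $code = [int]$Matches[1]
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Direction = if ($_.Id -eq 36887) { 'Received' } else { 'Sent' }
                    Code      = $code
                    Alert     = if ($TlsAlerts.ContainsKey($code)) { $TlsAlerts[$code] } else { 'unknown' }
                }
            }
        }
}

# Summarise which alerts the server has seen in the last day, most frequent first
Get-SchannelAlert -Hours 24 |
    Group-Object Direction, Alert |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A burst of "Received handshake_failure" or "Sent protocol_version" after a cipher suite or protocol hardening change usually means a client was left behind by the new policy, which is the direction the table points you in.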