Automatic Updates Client command line parameters

The Automatic Updates Client Utility (wuauclt.exe) supports a few command line parameters. Some of them are documented, others not. Here are the ones I have found:

Parameter Explanation
/detectnow Run a detection cycle
/a /resetauthorization Resets the WSUS cookie. (If used together with /detectnow; /resetauthorization must be entered before /detectnow.)
/r /ReportNow Sends all queued reporting events to the server asynchronously.
/RunHandlerComServer
/RunStoreAsComServer
/ShowSettingsDialog Display the Windows Update settings dialogue
/ResetEulas
/ShowWU Open the Windows Update Control Panel Applet
/ShowWindowsUpdate Open the Windows Update Control Panel Applet
/SelfUpdateManaged
/SelfUpdateUnmanaged
/UpdateNow
/ShowWUAutoScan Open Windows Update Control Panel Applet and scan for updates
/ShowFeaturedUpdates Opens the Features Updates list
/ShowOptions Opens the Windows Updates Settings window
/ShowFeaturedOptInDialog Opens the OptIn dialogue for Featured Updates
/DemoUI Display Windows Update notification in tray

More info:

One thing to be aware of when it comes to wuauclt.exe is that it has no desire or need whatsoever to inform you whether any of the parameters you submitted actually worked, or were even vaild! No matter what you supply as a parameter to wuauclt.exe you will get absolutely nothing back. So check your typing. You have been warned.

Some Windows Server 2008 R2 Failover Cluster Notes

  • You should format you shared disks with NTFS before you form you cluster. If not the disks will not be eligible as witness disks. (NTFS is a requirement for a disk witness.) Do not assign a drive letter or mount point to your witness disk. (Disks used e.g. for a clustered file server needs a drive letter assigned. Do this through Failover Cluster Manager.)
  • If you want to run, say, a clustered file server, the corresponding role must be installed on the nodes of the cluster. This is true for all built-in roles.
    image
  • To be able to add a share to a clustered file server in Failover Cluster Manager; the Remote Volume Management firewall exception must be enabled on all nodes. To enable this exception from the command line:
    netsh advfirewall firewall set rule group=”Remote Volume Managmenet” new enable=yes
  • To move the default cluster group (called Cluster Group by default) with PowerShell:
    Move-ClusterGroup –Name “Cluster Group” –Node <name of destination node>
  • To see the owner of the default cluster group with PowerShell (the only way you can actually see that information, to my knowledge (except with cluster.exe, of course)):
    Get-ClusterGroup “Cluster Group”

Happy clustering!

Morgan

Getting volume data with PowerShell

It has always irritated me that I cannot export data from the disk management snap-in in Windows. Take this example from an Exchange server:

image

It would be very nice to be able to export this data to a CSV to create a quick storage report. Unfortunately you can’t. But with PowerShell you can!

This command will export the same data:

Get-WmiObject win32_volume | select Name,Label,@{Name=”Capacity (GB)”; Expression={“{0:N2}” –f ($_.capacity/1GB)}},@{Name=”Free Space (GB)”; Expression={“{0:N2}” -f ($_.freespace/1GB)}},@{Name=”Used Space (GB)”; Expression={“{0:N2}” -f ( ($_.capacity/1GB) – ($_.freespace/1GB) ) }} | ft –AutoSize

The result:

Name        Label        Capacity (GB) Free Space (GB) Used Space (GB)
—-        —–        ————- ————— —————
C:                      72,50         18,17           54,33
E:LogLUN1 ExchangeLogs 1 249,87      1 245,32        4,55
E:         Exchange     0,97          0,93            0,03
E:DBLUN1  DBLUN1       2 046,87      1 358,92        687,95
E:DBLUN2  DBLUN2       2 046,87      1 467,69        579,19
E:DBLUN3  DBLUN3       2 046,87      1 527,84        519,03
E:DBLUN4  DBLUN4       499,87        375,19          124,68

Of course, you can export this to CSV etc.

Enabling Windows Search on Windows Server 2008 R2

As with Windows Server 2008, Windows Search is included as part of the OS and can be installed through Server Manager or PowerShell. Unfortunately it is located in a not quite intuitive place…

To enable Windows Search on Windows Server 2008 R2 you must start the Add Roles wizard and then select File Services Role, on the Role Services page you will find Windows Search:

image

The Role Service File Server is selected by default, so if you only want Windows Search uncheck it.

To use PowerShell to install Windows Search run:

Add-WindowsFeature FS-Search-Service

(Remember to do ImportSystemModules first.)

Group Policy WMI filters

WMI filters are useful to further filter Group Policy Objects (GPOs), beyond what is possible/convenient with groups.

Distinguish between x86 and x64 computers:

x86

Select AddressWidth from Win32_Processor where (AddressWidth=”32″)

x64

Select AddressWidth from Win32_Processor where (AddressWidth=”64″)

Determine Windows version:

Use this filter to determine the Windows version and role:

select * from Win32_OperatingSystem where Version like “6.%” and ProductType = “1”

  • The Version property returns values that begin with the following characters (the % symbol is a wildcard character that represents other characters that can follow, but do not help distinguish the version number):
    Windows Server 2008 R2 or Windows 7 6.1%
    Windows Server 2008 or Windows Vista 6.0%
    Windows Server 2003 5.2%
    Windows XP 5.1%
    Windows 2000 5.0%
  • The ProductType property returns the following values:
    Client versions of Windows 1
    Server versions of Windows that are operating as a domain controller 2
    Server versions of Windows that are not operating as a domain controller (typically referred to as member servers) 3

Determine computer type (laptop, desktop etc.)

NOTE: The PCSystemType property in only available on Windows Vista and later OSs.

SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 1

These are the possible values for PCSystemType:

Value Meaning
0 Unspecified
1 Desktop
2 Mobile
3 Workstation
4 Enterprise Server
5 Small Office and Home Office (SOHO) Server
6 Appliance PC
7 Performance Server
8 Maximum

(I’d really like a computer with type 8, please!)

Some Windows Virtual PC Notes

  • Press the DEL key to enter the VM BIOS
  • If you can’t install the Virtual PC Integration Components on Windows XP and you get a 1603 error in the log file; delete the c:windowssystem32driverswdf01000.sys and retry the install.
  • Press SHIFT+ESC while the VM is starting to view the console instead of just the progress bar.
  • To mount a floppy image, use the scripts provided here: http://blogs.msdn.com/b/virtual_pc_guy/archive/2009/10/01/using-floppy-disks-with-windows-virtual-pc.aspx
  • Sysinternals’ Disk2Vhd is an excellent tool to P2V your machines into Windows Virtual PC. It even takes care of setting the correct HAL in the boot.ini file. Get it here: http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx
    NOTE: The technique that Disk2Vhd uses will make it impossoble for you to install a Windows XP service pack. More info here: http://support.microsoft.com/kb/327101
  • If you need to run older OSs on Windows Virtual PC you can use the AV Additions from Virtual PC 2007. This will give you VM Additions support for Windows 2000 and DOS. Get the Virtual PC 2007 install file and extract it, then run an administrative install using msiexec.exe /a <path>. In the folder you specified you will find the ISO file with the VM Additions from Virtual PC 2007. Mount the file in your guest as you would any ISO file.
  • Microsoft has published a Windows Virtual PC Tips document: Windows Virtual PC Tips
  • The Windows Virtual PC blog can be found here: http://blogs.technet.com/b/windows_vpc/
  • The acronym RAIL means Remote Applications Installed Locally. RAIL technology is used to publish apps in the VM to the host.
  • The Windows Virtual PC Home page: http://www.microsoft.com/windows/virtual-pc/default.aspx

Exchange Move Mailbox logon info

Event IDs related to Mailbox moves

The Event source for Mailbox moves is Exchange Migration, and the events are logged in the Application log on the server where an administrator started the move. Meaning; where the admin was logged on and used the EMC or EMS to start the mailbox move. It would be nice to have all the mailbox move events gathered in one place, and that can be performed with Event collection.

Event ID Level  
1006 Information Indicates the start of a mailbox move
1022 Error Logon failure on database, caused by the mailbox move
9660 Warning User X failed to log on because their mailbox is in the process of being moved
9873 Information A named property has been created for database XX. Meaning the new mailbox has been created in the destination database.
1007 Information The mailbox was successfully moved.
9354 Information The mailbox is deleted from the source database
1154 Information Rule synchronization between old and new mailbox has completed successfully.
1205 Error Failed to create mailbox

Last logged on user

Whenever you move a mailbox in Exchange Server the LastLoggedOnUserAccount attribute of the mailbox is changed to the user running the mailbox move. This is confusing since that user does not need permission to log on to the mailbox to perform the move.

It can also present a problem if you are trying to figure out which users have yet to log on to their mailboxes after moving them between servers. Let’s say you run this command:

Get-MailboxStatistics | where { $_.LastLogonTime -eq $null }

This would show you which users have never logged on to their mailboxes. Whichever servers they originally were located on cannot be removed before they have logged on at least once and been redirected to their new mailbox servers. Unfortunately, since the user performing the mailbox move is added to the LastLoggedOnUserAccount this command will probably return no users.

SCVMM P2V and ISA Server 2006

I recently upgraded my home network to Forefront Threat Management Gateway (TMG), retiring my old ISA Server 2006 server. I exported my ISA configuration and imported it into TMG, but to be on the safe side I decided to keep a copy of the server as a virtual machine. I used the P2V wizard in System Center Virtual Machine Manager (SCVMM) R2, but after I hit the Scan System button this error appeared:

VMM is unable to complete the request. The connection to the agent <ISA Server FQDN> was lost.

Ensure that the computer <ISA Server FQDN> exists on the network, WMI service and the agent are installed and running and that a firewall is not blocking HTTP and WMI traffic.

ID: 3157
Details: The RPC server is unavailable (0x800706BA)

Preparing to run the P2V wizard I had already created a new access rule allowing all traffic between the SCVMM and ISA Server computers, and disabled the Strict RPC compliance on the rule:

Apparently something was interfering with the RPC communication. Since my P2V rule was at the top of the Firewall Policy whatever was causing the problem had to be in the System Policy. I displayed the System Policy in the Firewall Editor and looked through each rule that specified RPC communication to the ISA Server. Turns out there was only one; the Microsoft Management Console (MMC) rule. To successfully perform a P2V of an ISA Server you need to disable the Strict RPC compliance setting. There was no way to do that in the MMC rule in the System Policy. Since all System Policy rules are processed before the Firewall Rules the MMC rule matched the RPC traffic and blocked parts of it necessary for P2V. I disabled the MMC rule, leaving only my P2V rule. Now the wizard worked correctly.

Windows Deployment Service Pre-Staging and GUIDs

Windows Deployment Services (WDS) has the ability to search Active Directory for pre-staged computer accounts to use when deploying images. There are several benefits to this, e.g. you can choose to service only known clients that you have created and ignore others, and you don’t have to provide or generate computer names since the image is deployed with the name of the pre-staged account. The information used to match a pre-staged computer account with a PXE-booting client is one of three things; the MAC address of the NIC executing the PXE boot, the GUID of the system or the GUID of the NIC executing the PXE boot. The latter is most widely used and recommended by Microsoft, since it virtually guaranteed to be unique. The WDS server performs an LDAP query to find the account that matches the booting computer:
(&(objectCategory=<DN of Computer Schema object>)(|(netbootGUID=<GUID>)(netbootGUID=MAC)))
This filter ensures that a device will be found if it is pre-staged using either a computer GUID or a MAC address. The netbootGUID attribute on a pre-staged client is used to store the value of the physical computer’s GUID or the MAC address.
You enter the GUID in two ways; using the GUI and Active Directory Users and Computers (ADUC) or using the CLI and WDSUTIL.EXE. Regardless you need to pay attention to how you format the GUID, because GUIDs can be byte-swapped according to the endianism of the system that handles them. The GUI in ADUC hints at this if you enter an invalid value:
—————————
GUID Not Valid
—————————
The globally unique identifier (GUID) query you entered is not valid. Use one of the following formats to enter a GUID:

0123456789ABCDEFABCDEFABCDEFABCD or

{67452301-AB89-EFCD-ABCD-EFABCDEFABCD}    (Note byte reordering)
—————————
OK
—————————

In this message the first GUID is presented in what is known as binary octet string, the second representation is called just GUID string.
From the message you can work out how to convert between the two.
From Binary Octet string to GUID string (using the octet string in the message above):
  1. Each pair or characters is called an octet. Work with the GUID from left to right.
  2. Take the first 4 octets and reverse their order: 01234567 –> 67452301.
  3. Take the next 2 octets and reverse their order: 89AB –> AB89.
  4. Repeat for the next 2 octets: CDEF –> EFCD
  5. The rest of the octet string is identical for both formats so just add a hyphen: ABCDEFABCDEFABCD –> ABCD-EFABCDEFABCD
Reverse the process to convert from GUID string to binary octet string.
So how do you know which type you have? Sometimes the system will tell you; like ADUC’s Attribute Editor does:
Now, to confuse you completely, take a look at this from the ADUC Attribute Editor:
You have a value that is stored as an Octet String, but displayed in the list as GUID string! You have to double-click the value to see the REAL Octet String! Nice going!
Anyway, back to figuring out which way your GUID is displayed. If the system does not explicitly tell you which type its using I can give you this rule of thumb: GUID strings are usually displayed in braces (squiggly/sexy brackets) and with hyphens, or just with hyphens, while Binary octet string GUIDs are not. Keep in mind though; this might not always be the case. A perfect example of this is PXE boots, where the GUID that is displayed has hyphens, but is still an octet string GUID. All physical machines that I have observed have had octet string GUIDs in their PXE boot screens (see exception below for Hyper-V VMs).
If you want to pre-stage a computer account in Active Directory using this GUID you have to enter it without braces and hyphens:
This will cause ADUC to convert it to a GUID string, which is what the GUI always displays:
A very interesting exception to this is for Hyper-V VM PXE boots. For some strange reason, Microsoft decided that the GUID displayed during PXE boots in a Hyper-V VM is in GUID string format!
If you want to pre-stage a Hyper-V VM in Active Directory using this GUID you have to enter it with braces and with hyphens. This prevents ADUC from converting it, which it would do with a normal (octet string) GUID. So the braces probably mean ‘literal’ string or something.
Way to go Microsoft! 🙁
So to summarize:
  • PXE boot screens always display octet string GUIDs (except Hyper-V VMs)
  • Active Directory Users and Computers always displays the GUID in GUID string format.
  • Active Directory Users and Computers accepts both octet string GUIDs and GUID string GUIDs, but will always convert to GUID string when displaying.
More info:

Microsoft Security Essentials, Sysprep and Group Policy

In smaller deployments Microsoft Security Essentials (MSE) is a good, free alternative for anti-malware. If you decide to use MSE in your images, you will discover that sysprep resets the Out Of Box Experience (OOBE) settings for MSE. In other words; every user that logs on to a machine deployed from your image will see the MSE OOBE Wizard (Figure 1-2), until someone with Administrator privileges completes the wizard. Sometimes you might not want to expose your users to that. Fortunately for us, we can use Group Policy Preferences to bypass the OOBE wizard.

Steps to disable MSE OOBE with Group Policy Preferences:

  1. Create a new Group Policy Object (GPO) or use an existing one.
  2. Create a new Registry preference for computers (Figure 3).
  3. Update the key HKLMSOFTWAREMicrosoftMicrosoft Security EssentialsOOBE DWORD to 0.
  4. Update policy on the client.

The OOBE value has two (known) values:

  • 1: Yes, run OOBE please
  • 0: No thanks, OOBE has already run for this computer

Having shown you how to do this I would like to call attention to the following excerpt from the Microsoft Security Essentials EULA:

  1. INSTALLATION AND USE RIGHTS.
    1. Home Use. If you are a home user, then you may install and use any number of copies of the software on your personal devices for use by people who reside in your household. As a home user, you may not use the software in any commercial, non-profit, or revenue generating business activities.
    2. Small Business. If you operate a small business, then you may install and use the software on up to ten (10) devices in your business.
    3. Restrictions.
      1. The software may not be used on a device running an enterprise version of a Microsoft Windows operating system.
      2. The software may not be used on devices owned by government or academic institutions.
    4. Separation of Components. The components of the software are licensed as a single unit. You may not separate the components and install them on different devices.
    5. Included Microsoft Programs. The software may contain other Microsoft programs. The license terms with those programs apply to your use of them.