Quick post about how to disable User Account Control for administrators on servers.

Group Policy setting: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting
User Account Control: Detect application installations and prompt for elevation = Disabled
User Account Control: Run all administrators in Admin Approval Mode = Disabled

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA=0 (the registry equivalent of the last setting above; it takes effect after a reboot)
The WinOps conference will take place on 22 September 2015 in London. The agenda is now up at http://winops.org/. What, you thought DevOps was only for Linux?
I hit a stumbling block adding compute nodes to a new HPC cluster. If you see the following errors while deploying Microsoft HPC Pack 2012 R2 and joining compute nodes to the cluster:

HPC Node Manager Service unreachable

and

System.Runtime.Remoting.RemotingException: An error occurred while processing the request on the server: System.Runtime.Remoting.RemotingException: User identity is not authorized to connect to this endpoint

The solution is to add your installation credentials to the Administrators group before installing HPC Pack on the compute nodes.
Updating the disk images used by MDT

I've been working on a project to set up an Amazon Web Services AMI bakery and thought it was time to update the disk images used by Microsoft Deployment Toolkit too. The time spent installing patches during deployment was getting crazy. The process to update MDT images is:

1. (PXE) Boot WinPE (from a WDS server or some other TFTP source)
2. Format and partition the disk
3. Install the OS
4. Install the core software to be included in the image (e.g. Office or SNMP)
5. Install updates (for the OS and Microsoft apps)
6. SysPrep
7. Boot into WinPE and capture the image (WIM)
8. Shutdown

Start with a regular client/server template and add a capture stage to the end of the task sequence.
Query for BitLocker recovery keys (properties of machines) and then get the owner of each key. This uses the useful (and free) Quest ActiveRoles cmdlets, but you can do this with the regular ActiveDirectory PowerShell module too.

```
# Load the Quest ActiveRoles snap-in (ignore the error if it is already loaded)
Add-PSSnapin quest.activeroles.admanagement -ErrorAction SilentlyContinue

$DesktopsOU = "OU=Win7,OU=Workstations,DC=companyname,DC=com" # or whatever your machine OU is

# BitLocker recovery information objects (msFVE-RecoveryInformation) are stored
# as child objects of the computer they belong to, so the parent container of
# each one is the computer object; take the leaf of that path to get the name
Get-QADObject -SizeLimit 0 -IncludedProperties Name,ParentContainer -SearchRoot $DesktopsOU |
    Where-Object { $_.Type -eq "msFVE-RecoveryInformation" } |
    ForEach-Object { Split-Path -Path $_.ParentContainer -Leaf } |
    Select-Object -Unique
```

The following page links to a script which will give you a CSV report: http://blog.
I presented at the AWS User Group UK meetup on hybrid deployments and High Performance Computing.
https://www.youtube.com/watch?v=jvVEldPLmnM http://www.meetup.com/AWSUGUK/events/206136202/
So it turns out AWS isn't so enterprise-friendly. If you plan to start using Amazon AWS as an extension of your datacentre, be aware that you had better put everything in one VPC (as of July 2015).

Systems in peered VPCs are not accessible from the corporate network over AWS VPN or Direct Connect :-(

Be aware of the limitations on transiting VPCs in your cloud networking designs.
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/invalid-peering-configurations.html#edge-to-edge-vgw
Hey there Enterprise Administrator! Avoid storing AWS API keys by using Windows authentication instead.
Are you an enterprise investigating AWS? Don't want to become a security news story like these guys? https://www.google.co.uk/search?q=news+aws+secret+access+key+hack

Are you used to multiple levels of physical and logical security for access to your equipment? https://www.youtube.com/watch?v=_qc5TG2ulx8

Is access to your VPC config shielded by nothing but some AWS API credentials (which are probably stored in plain text)? Can your AWS credentials be used from the public Internet (instead of only from the office)?
When you get started with Amazon Web Services (AWS), one thing to do early is secure access to the web console. Rather than managing another set of user accounts, you can reuse your corporate directory (Microsoft Active Directory) to log in to the AWS console. You use Active Directory Federation Services (AD FS) to do this. Also, if you keep your AD FS server internal, then your AWS console is not accessible from the public Internet.
Update to the previous post on an older BES version ("Test intranet access from Blackberry and other mobile platforms"). For BES12, create a krb5.conf file and upload it to the "Single sign-on" profile. Obviously switch mycompany.com to your own FQDN, and specify the FQDNs for one or more domain controllers (this has been case sensitive in the past).

```
[libdefaults]
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 des3-cbc-sha rc4-hmac
default_realm = MYCOMPANY.COM

[realms]
MYCOMPANY.COM = {
    kdc = tcp/DC1.
```