Posts on Alex Mags' Blog

How to disable Microsoft 365 Copilot Chat

Sat, 17 Jan 2026 10:10:30 +0000

Microsoft includes Microsoft 365 Copilot Chat in their business and enterprise Office365 services. If your organisation is not ready for this AI service, here’s how to disable it for now.

Fix wobbly parcel shelf in Jaguar F-Type

Wed, 15 Oct 2025 09:00:11 +0000

If the parcel shell falls off in F-type Coupe here’s the fix.

FITCAMX Dashcam for Jaguar F-Type

Sun, 12 Oct 2025 09:00:11 +0000

Demos of the FITCAMX integrated dashcam for Jaguar F-Type.

Upgrade speakers in Jaguar F-Type

Wed, 18 Jun 2025 09:00:11 +0000

How to upgrade the factory original speakers in a MY2016 Jaguar F-Type.

Calendar free/busy information sharing

Sat, 26 Apr 2025 09:00:11 +0000

Scheduling meetings is tricky when people are split across different companies and you can’t tell when the other side are available. If both companies are using Microsoft Exchange Online mail, you can choose to share calendar availability. The Microsoft guidance didn’t work for me when one of the organisations was a more complicated Exchange Hybrid deployment. Here’s how to fix error message: “The recipient’s server could not be determined. Contact your administrator”

Add Android Auto to Jaguar F-Type

Sat, 19 Apr 2025 16:53:30 +0000

How to Install an aftermarket Apple CarPlay/Android Auto System in a Jaguar F-Type Without Losing Your Sanity (Mostly)

So, you’ve got yourself a Jaguar F-Type—a sleek, growling beast that makes heads turn at every traffic light. Congratulations! But wait, what’s this? The infotainment system looks like it was plucked straight out of the early 2010s? And you’re weaving between lanes trying to reroute on your phone while driving. Fear not, for there’s a solution: installing an aftermarket Wireless Apple CarPlay and Android Auto Interface.
Buckle up, because this is a story of ambition, frustration, and—if you’re lucky—triumph.

Active Directory Tiered Administration Model

Sat, 30 Nov 2024 16:53:30 +0000

The Active Directory Tiered Admin Model is a way to organise AD users and groups with very clear boundaries between standard user accounts and their permission groups, server and application administrative accounts and groups, and domain wide access accounts and groups. Creating and enforcing these boundaries hinders privilege escallation from desktop/user level access to domain compromise. Here’s some automation to set it up.

Checking Microsoft 365 security configuration

Sat, 07 Sep 2024 18:00:11 +0000

Was your M365 tenant configured securely when it was deployed? Is it still configured securely now? Update on state of SaaS security posture management (SSPM) post from 2022. This time looking at community projects too.

Mimecast authentication with Entra ID

Tue, 28 May 2024 18:00:11 +0000

Sign-in to Mimecast can either be “service provider initiated” (where you sign-in via mimecast’s web portal), or “idenity provider initiated” (where you sign-in via Entra myapps.microsoft.com portal). But why not both! This post shows how to enable both at once.

LDAPS with self-signed certificate

Sat, 23 Mar 2024 09:55:38 +0000

“Create a picture in the style of a pixar movie of a friendly badger, working in an office IT department, using encryption to secure Microsoft Active Directory” - bing chat

This post describes how to keep user passwords transmitted in LDAP authentication requests safe. Lightweight Directory Access Protocol (LDAP) is an open standard for directories. It underpins Microsoft Active Directory Domain Services (ADDS). Applications need to check in with a central directory to authenticate user sign-ins. Other authentication protocols oAuth,SAML,Kerberos, even NTLM are prefered but still, even today, you’ll need to accomodate self-hosted business applicaitons that only support LDAP for authenticaiton. In my experience these are often JAVA developed apps or apps hosted on Linux. This post has some PowerShell generate encryption certificates (private and public keys) to enable SSL encrypted LDAPS communication with domain controllers.

Cooking for engineers - Aioli garlic mayo

Mon, 04 Mar 2024 09:00:11 +0000

Here’s the technical specification for a Aioli also known as garlic mayo. Goes well with seafood or chicken. You make a garlic paste by drawing the back of a knife over chopped cloves. The raw garlic is punchy!.

Cooking for engineers - Kladdkaka sticky chocolate cake recipe

Sun, 07 Jan 2024 09:00:11 +0000

Here’s the technical specification for a chocolate cake that’s popular in scandinavia. There’s no raising agent such as baking powder so, while it gets crispy on the outside, it stays gooey and sticky in the middle. It’s very quick to make and so tasty!

Cooking for engineers - Soda bread recipe

Sun, 07 Jan 2024 09:00:11 +0000

Here’s the technical specification for a tasty loaf of bread. A restaurant near me serves and sells this bread. It’s very quick to make and so tasty!

The Chemistry Stack Overview

Soda bread is fundamentally a chemical leavening system. Unlike yeast-based breads that rely on biological fermentation (slow deployment), soda bread uses an acid-base reaction for immediate lift. The kefir/buttermilk (pH ~4.5) reacts with sodium bicarbonate (NaHCO₃) to produce carbon dioxide gas, which expands in the dough matrix to create the crumb structure—think of it like deploying a containerized workload that instantly scales your dough volume.

Firewall policy as code with Hashicorp Terraform

Thu, 30 Nov 2023 19:00:11 +0000

“in the style of a pixar movie poster, draw a friendly badger configuring a firewall with code” - bing chat

Hashicorp Terraform is a tool for managing infrastructure as code. You describe the desired state in versioned text files and the Terraform tool will drag your infrastructure into that state. Sometimes it feels like creating the code takes longer than just using the admin GUI to get something done. Sometimes it’s MUCH faster… This post describes adding 300 address ranges to a network security rule in just one line. How to create a terraform list from a text file.

Looking for you! Deploying Windows Hello For Business in a Hybrid AD Joined environment

Tue, 19 Sep 2023 19:00:11 +0000

Face recognition on Apple iPhones has long been a trusted and secure way to sign-in to business apps on corporate phones. With the right camera hardware, it’s been available in Windows too for quite a while. This post describes deploying Windows Hello for Business (WHfB) in a Hybrid AD Joined environment.

How to download Windows 10 enterprise edition

Wed, 12 Jul 2023 09:00:11 +0000

The Microsoft Volume Licensing Portal doesn’t seem to be available if you’re licenced via Cloud Solution Provider (CSP) program? I’m helping someone setup Microsoft Deployment Toolkit and couldn’t get a Windows 10 Enterprise edition ISO. Fortunately there’s another way…

How to Disable NetBIOS and LLMNR

Sat, 28 Jan 2023 09:00:11 +0000

Hey defenders! Hackers and pentesters hate it when you disable the old NetBIOS network service. They love to respond to NetBIOS requests from PCs on your company LAN so they can impersonate your servers and steal some credentials. Here’s how to disable the old NetBIOS service so as not to give hackers and pentesters an easy ride.

SCCM CMTrace and OneTrace

Fri, 30 Dec 2022 09:00:11 +0000

You found this page because you’re looking for SCCM CMTrace to work with log files? Hope this post helps you.

Checking SaaS security configuration (SSPM)

Sun, 02 Oct 2022 18:00:11 +0000

Was your SaaS software configured securely when it was deployed? Is it still configured securely now?
This article discusses the risk to your data of misconfigured/unhardened SaaS software and the emerging products to automate security checking of SaaS.

M365 Feature deployment order

Tue, 16 Aug 2022 18:00:11 +0000

“M365 landscape by By Aaron Dinnage”)

From the excellent feature licensing chart by Aaron Dinnage, you can see the Microsoft 365 suite has so many productivity and security components. It’s difficult to know where to start. I’d like to suggest a roadmap for implementing M365 features and getting value out of M365 licensing. The roadmap would be based on dependencies (you need X before you can deploy Y) and it should be prioritised on business value. I also wanted to experiment with the MermaidJS library for creating dependency diagrams.

Exchange Online Migration gotchas

Sun, 14 Aug 2022 18:00:11 +0000

Exchange Online migration is a complicated project in a large organisation. So complicated that some organisations haven’t completed this yet. There’s many technical integrations and operational processes with this service. Here’s a post about technical and operational problems that can occur when migrating email to Exchange Online. What has tripped you up in an Exchange migration? Let me know what I’ve missed!

Career break

Thu, 28 Jul 2022 18:00:11 +0000

I fancied a break and change of workplace. So my wife and I both resigned from our jobs and we’re taking the summer off. 😎

Internet Explorer End of Life. Find IE usage in your Defender for Endpoint data

Mon, 06 Jun 2022 18:00:11 +0000

This post has some KQL to report usage of Internet Explorer.

Shields up! Find CISA Known Exploited Vulns in your Defender for Endpoint data

Fri, 04 Mar 2022 18:00:11 +0000

This post has some KQL to report CISA Known Exploited Vulns within your environment.

Exchange Onlne Email Investigation

Sat, 26 Feb 2022 08:59:11 +0000

This post has some KQL to report “who read the sensitive email and who opened the sensitive attachment” using Defender for Office365 and Defender for Endpoint.

KQL for files uploaded to cloud

Sat, 19 Feb 2022 09:00:38 +0000

This post has some KQL to report on files uploaded to cloud via Microsoft or Google browsers. It requires Office365 sensitivity labels, Defender for EndPoint and (for Google Chrome) the Microsoft Compliance extention

Domestic Wifi for farmhouse

Sat, 31 Jul 2021 09:00:38 +0000

This post is about extending Wifi in my brother-in-law’s ancient farmhouse.

PrintNightmare Discover Print Servers

Tue, 06 Jul 2021 18:55:38 +0000

Find all servers, with printer published to users in AD, by looking for printerqueue objects.

Local admin report with Defender for EndPoint

Sat, 12 Jun 2021 07:51:28 +0000

Securing Windows PCs starts with managing local administator access. Microsoft Defender for Endpoint logs every login and records if it was a local admin. Use this KQL query in the Advanced Hunting portal to create a report.

Bitlocker status report with Defender for EndPoint

Sat, 12 Jun 2021 06:51:28 +0000

Are all your machines encrypted? If a laptop was lost is the data protected or you’ll need to declare. Microsoft Defender for EndPoint (aka ATP) stores Bitlocker status information. Use the following KQL query in the Advanced Hunting portal.

Ultimate accessory for standing desk

Mon, 31 May 2021 08:30:14 +0000

Like many I’ve been working from home for a while. I use a standing desk and a recent and best accessory purchase is, believe it or not, footware.

Assign Azure AD role By AD Security Group

Sat, 13 Mar 2021 14:15:13 +0000

Using AD security groups to delegate access to Azure AD roles is not supported at the moment (March 2021). This post offers two workarounds. Permissions to manage Azure AD and Office365 are often assigned via Azure AD Roles. If you have strong access management processes and tooling for on prem Active Directory (access request &approval workflow, joiners & leavers, access reviews & reporting, auditing and alerts) you’ll likely want to reuse these to manage access to Azure AD and Office365.

Auto Configure Git client proxy authentication

Sat, 27 Feb 2021 16:55:38 +0000

This post has some PowerShell to make Git client work on Windows in corporate environment. Short version Use the Microsoft Credential Manager for Git. Don’t expose passwords in plaintext in Git config or environment variable. The Microsoft Credential Manager will store creds for proxy amd git repo in Windows Credential Manager Git client doesn’t accept domain name in Git config, when you enter creds in Credential Manager change ID to <userID> format Automatically configurge Git client to authenticate with corporate proxy Git client doesn’t support Web Proxy Auto Discovery (WPAD).

Compliance Boundaries

Sun, 21 Feb 2021 20:22:58 +0000

Very niche post today. Few will need to delve into Office 365 Compliance Boundaries unless they need to unblock some regulatory compliance requirement. If your in that situation hopefully this will help you. The scenario is this: you have multiple eDiscovery teams in your organisation. Each eDiscovery team should only see content belonging to users in their own sphere of responsibility. Example requirement: eDiscovery team ACME should only be able to see content for company ACME

WinOps 2019 Complaince as Code with Office365

Tue, 24 Sep 2019 22:06:34 +0000

I wanted to share this idea of using versioned code and unit tests to manage Office365 tenant configuration between environments. So I did a talk about it at the annual WinOps conference in London. Slides so-i-devsecopsed-office-365

Public Cloud Risk Management

Thu, 21 Mar 2019 22:06:34 +0000

A big part of my work lately has been describing, tracking and managing the risk involed with moving data from the traditional datacentre with it’s firewalled perimiter to public cloud. The NIST Cyber Security Framework was useful as a way of grouping and classifying risks. https://www.slideshare.net/AlexMagnay/risk-management-for-public-cloud-projects

AWS Architecture Talk

Sun, 20 Aug 2017 22:06:34 +0000

Amazon invited me to record a segment in the AWS Architecture series. This was a fun afternoon in their studio.

Meraki switch JSON

Sat, 29 Jul 2017 14:52:28 +0000

Hi Meraki devices have status pages. These can be accessed by internal clients. See https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page Wireless Access points MR - http://ap.meraki.com Switches MS - http://switch.meraki.com Routers MX and Z1 - http://wired.meraki.com Any - http://setup.meraki.com This URL will work for any Cisco Meraki device, but will only access the first device in its path. For example, if you’re on a PC connected to a Meraki switch you can connect to http://switch.meraki.com/ which gives you a status page about your connection.

Grid Computing on public cloud

Wed, 02 Nov 2016 15:05:06 +0000

I gave a talk on using public cloud to host grid computing/HPC workloads. The elastic and on demand nature of public cloud is a great fit for spikey workloads like grid computing. I’d had some fun building an autoscaling MATLAB HPC cluster (scale out and scale back) and talked about it at a breakfast briefing with our consultancy Hentsu. https://www.slideshare.net/hentsu/infinitely-scalable-clusters-grid-computing-on-public-cloud

Public Cloud Security talk

Fri, 26 Aug 2016 14:54:21 +0000

I gave a talk on cloud security. Before companies will start using Public Cloud they need to know it’s safe to use. There’s plenty of stories in press about security breaches, but AWS for example makes it clear in their “Shared Responsibility Model” that you still have to use security best practices such as least rights privilege, network segmentation (eg a DMZ) to contain any breach. https://www.slideshare.net/hentsu/cloud-security-for-regulated-firms-securing-my-cloud-and-proving-it-65384157?qid=6a90d703-73bf-4892-b99d-cb1da1b9fcbd&v=&b=&from_search=2

DevTest Labs

Sun, 29 May 2016 13:37:18 +0000

Great talk on enabling developers to make use of DevTest labs on Azure https://channel9.msdn.com/events/Visual-Studio/Alm-Days-2016/Needs-when-running-your-DevTest-Infrastructure-on-Azure https://blogs.msdn.microsoft.com/devtestlab http://ClemensReijnen.nl http://www.uk.sogeti.com/services/microsoft-services/oneshare-cloud-based-development-and-testing/

Snowboarding in Meribel

Sun, 24 Jan 2016 21:41:41 +0000

I took some technology to the alps, a GoPro Hero 4 silver. Great bit of kit, was easy to view vids on iPad over WiFI at the end of the day. If attaching to a helmet use a tether to your goggle clip or loose it when you crash on your head. Back home the video editor, GoPro Studio, crashed a lot :-( (https://vimeo.com/152906550) HD file: (http://tinyurl.com/hx9d97u) or (http://1drv.ms/1PezEom)

High Performance Computing on AWS

Wed, 20 Jan 2016 21:03:27 +0000

I ran a project to deploy an HPC cluster using on-demand AWS Elastic Compute Cloud (EC2) resources. The HPC cluster provides researchers with compute resource to quickly run mathematical simulations across very large datasets. This deployment was a replacement for aging on premises HPC hardware and an opportunity to trial Amazon AWS in a hybrid cloud configuration. High security implementation: One way firewall rules between company network and AWS (company connects out to AWS resources, AWS resources can’t connect in) Encryption of data in transit and at rest AWS Direct Connect connecting company to AWS.

Nordic Infrastructure Conference

Sun, 03 Jan 2016 08:39:13 +0000

While hunting for some Hyper-V videos, I came across recorded sessions from the 4th Nordic Infrastructure Conference. No sales pitches, only some great talks from field hardened consultants. The sessions are focused on Enterprise Infrastructure (Microsoft Windows Server, System Centre, Azure, PowerShell DSC, Identity Management, Security/hacking). Session Info http://2015.nicconf.com/sessions Recorded sessions: https://www.youtube.com/channel/UChu8zqu8d1mjWxNRLlGXUAw

PowerShell wait music

Thu, 31 Dec 2015 16:55:46 +0000

My long running PowerShell scripts now have background musak thanks to: http://www.adminarsenal.com/admin-arsenal-blog/powershell-music-remotely https://www.youtube.com/watch?v=FsoIfkNQYEg http://youtube-mp3.org/ $scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent $musakFilePath="$scriptDir\musak.mp3" $wmplayer = New-Object System.Windows.Media.MediaPlayer $wmplayer.Open($musakFilePath) Start-Sleep 2 # This allows the $wmplayer time to load the audio file $duration = $wmplayer.NaturalDuration.TimeSpan.TotalSeconds $wmplayer.Play() $stopwatch=[system.diagnostics.stopwatch]::StartNew() while ($stopwatch.Elapsed.Seconds -lt $duration) { Write-Progress -Activity "Doing stuff, please hold…" -status "$($stopwatch.Elapsed.Seconds) seconds" -percentComplete ($stopwatch.Elapsed.Seconds / $duration*100) # do something # break when done start-Sleep -s 1 } $wmplayer.

SCCM Client duplicate GUIDs and VMware View Blast

Tue, 29 Dec 2015 15:58:03 +0000

Another super niche blog post. No one is ever going to find this…. So I had to dig into System Centre Configuration Manager today, probably Microsoft’s most complex product. I’ve been using this massively scalable and capable scheduling system since SMS1.2. But it still a bit scary to support… Machines cloned by VDI service VMware View were coming up with the same unique ID. The SMS client had been captured in the reference image that was cloned to create desktop pools.

AD authentication to AWS from PowerShell

Fri, 11 Dec 2015 01:29:39 +0000

I’ve done a couple of other posts on using AD credentials with AWS API. You setup AWS IAM to trust AD Federation Services (ADFS) for authentication. You get temporary access keys to use with the AWS API. This is safer than making lots of IAM accounts with long term passwords (Secret Access Keys) that end up embedded in code and stored who knows where. See previous posts for an overview of AD authentication to AWS.

MSDN subscriptions for your developers get you cheaper Azure VMs

Mon, 07 Dec 2015 22:16:09 +0000

We know Visual Studio Pro with MSDN gets you unlimited Windows Server (including Hyper-V for virtualisation) and unlimited SQL. This is a way of licensing Microsoft software in your on premises test and development environments. You can now bring your own MSDN licences with you to Azure. This way the Microsoft software in your Windows and SQL VMs on Azure is already paid for and you pay the equivalent of Linux rates for Windows and SQL VMs on Azure.

AWS hardware VPN over direct connect

Mon, 07 Dec 2015 21:53:38 +0000

Getting a Direct Connect link to AWS from our colo datacentre was straight forward. Encrypting traffic between colo and AWS via Direct Connect is proving to be more difficult. Although the traffic is logically isolated, we wanted it encrypted as it traverses 3rd party WAN providers. This is the best resource I’ve come across so far explaining how to setup a VPN over AWS direct connect: https://www.youtube.com/watch?v=SMvom9QjkPk

PuppetConf2015 Everything sucks (but then devops)

Thu, 05 Nov 2015 22:35:09 +0000

@SadServer at PuppetConf2015 provides a rather depressing view of the state of IT as a combination of crappy software with more crappy software to manage and monitor the crappy software. But there’s a ray of hope! https://www.youtube.com/watch?v=TBwW2vTKVy4

RHEL on Azure. Finally!

Wed, 04 Nov 2015 21:31:55 +0000

I got a message today from our Red Hat account manager to let me know that Microsoft has signed Red Hat’s Certified Cloud Service Provider agreement, meaning that over time they will make available, and be available to host, Red Hat products in Azure. RHEL will become the premium Enterprise Linux offering in Azure. This is fantastic news for Red Hat Customers. Previously Azure was not a Red Hat Certified Platform.

WinOps Conference 2015 videos

Wed, 07 Oct 2015 11:30:54 +0000

WinOps conference videos have been released: Videos: https://www.youtube.com/channel/UCP1OgsLk-HkEdQyhjJX_5JQ Slides: http://www.slideshare.net/WinOpsConf Future Meetups: http://www.meetup.com/WinOps/ Watch the keynote for a “state of the industry” regarding DevOps on Windows. Keynote part 1 https://www.youtube.com/watch?v=wlJo4BLtXyI Keynote part 2 https://www.youtube.com/watch?v=WQZYS5gu6CQ

Achieving agility with control in Financial Services on AWS

Wed, 16 Sep 2015 19:18:11 +0000

Attended “Achieving agility with control in Financial Services on AWS” talk today at AWS Loft London 2015. The usual AWS slide of company logos was there for “look how many companies use AWS, so it must be safe!”. This list wasn’t tailored to Financial Services (Tinder, really?). There was a bit about Agility focusing on Continuous Integration (CI also known as automated testing) and Continuous Deployment (CD also known as automated deployment).

Work from anywhere?

Sat, 05 Sep 2015 18:26:45 +0000

Update: THIS WAS 2015 AND PRE COVID… I’ve been reading about how distributed companies are operating. Companies with their servers running in the cloud don’t need a server room, or Office premises at all it seems. And there’s lots of them. Wired article about Automatic, the company behind WordPress Lots of information at this clever URL WorkingRemote.ly Article about how Buffer do distributed working The Pros and Cons of Remote Work in Ops As a worker wouldn’t you like to skip the commuting?

Hashicorp Terraform for Infrastructure as Code

Tue, 01 Sep 2015 08:30:19 +0000

Terraform is a tool by Hashicorp (who do Vagrant, Packer and other ops tools). You maintain a single configuration file and it trues up your environment, creating and deleting machines, to match the configuration file. Their products are coming together into a cohesive suite. The first part describes the Terraform product. At 30 mins there’s a description of “DevOps” (that cuts through much of the BS). Basically: Developers care about:

DevOps on Windows (or any OS)

Mon, 31 Aug 2015 08:30:14 +0000

Ahead of the WinOps conference later this month, here’s a short presentation about DevOps on any OS (and DevOps in general) by Steve Thair from consultancy The Dev Ops Guys. https://blog.dataloop.io/2015/03/31/doxlon-devops-exchange-mar-15-devops-for-windows-an-oxymoron/ http://www.meetup.com/DevOps-Exchange-London/

Disable user account control (UAC)

Thu, 27 Aug 2015 06:51:28 +0000

Quick post about how to disable User Account Control for administrators on servers. Group Policy setting: Computer Configuration > Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate withouth prompting User Account Control: Detect application installations and prompt for elevation = Disabled User Account Control: Run all administrators in Admin Approval Mode = Disabled Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA=0

DevOps on Windows Conference

Thu, 20 Aug 2015 21:11:40 +0000

The WinOps conference will take place 22 September 2015 in London. The agenda is now up at http://winops.org/. What, you though DevOps was only for Linux?

Adding compute nodes to Microsoft HPC Pack 2012 R2

Thu, 20 Aug 2015 20:10:44 +0000

I hit a stumbling block with adding compute nodes to new HPC cluster. If you see the following errors when deploying Microsoft HPC Pack 2012 R2 when joining compute nodes to the cluster: HPC Node Manager Service unreachable and System.Runtime.Remoting.RemotingException: An error occurred while processing the request on the server: System.Runtime.Remoting.RemotingException: User identity is not authorized to connect to this endpoint The solution is to add your installation credentials to the administrators group before install HPC pack on compute nodes.

Microsoft Deployment Toolkit (MDT) Image Bakery

Mon, 10 Aug 2015 18:29:46 +0000

Updating the disk images used by MDT I’ve been working on a project to set up an Amazon Web Services AMI bakery and thought its time to update the disk images used by Microsoft Deployment Toolkit too. The time to install patches during deployment was getting crazy. The process to update MDT images is: (PXE) Boot WinPE (from WDS server or some other TFTP source) Format and partition disk install OS install core software to be included in image (eg Office or SNMP), install updates (for OS and Microsoft apps) SysPrep Boot into WinPE & Capture image (WIM) Shutdown Start with a regular client/server template and add a capture stage to the end of the task sequence.

Bitlocker encrypted? Reporting on Bitlocker machine account properties

Tue, 04 Aug 2015 12:42:29 +0000

Query for Bitlocker recovery keys (properties of machines) and then getting the owner of key. Using the useful (and free) Quest ActiveRoles commandlets but you can do this with regular activedirectory powershell module too. add-pssnapin quest.activeroles.admanagement -ErrorAction Silentlycontinue $DesktopsOU= "OU=Win7,OU=Workstations,DC=companyname,DC=com" # or whatever your machine OU is Get-QADObject -SizeLimit 0 -IncludedProperties Name,ParentContainer -SearchRoot $DesktopsOU | Where-Object {$_.type -eq "msFVE-RecoveryInformation"} | Foreach-Object {Split-Path -Path $_.ParentContainer -Leaf} | Select-Object -Unique The following page links to a script which will give you a CSV report http://blog.

Presented at AWS UG UK meetup

Thu, 30 Jul 2015 10:04:12 +0000

I presented at AWS User Group UK meetup on Hybrid deployments and High Performance Computing. https://www.youtube.com/watch?v=jvVEldPLmnM http://www.meetup.com/AWSUGUK/events/206136202/

AWS VPC peering and direct connect

Tue, 14 Jul 2015 19:08:40 +0000

So it turns out AWS isn’t so Enterprise friendly. If you plan to start using Amazon AWS as an extension to your datacentre, be aware that you better put everything in one VPC (July 2015). Systems in peered VPCs are not accessible from corporate network over AWS VPN or Direct Connect :-( Be aware of limitations on transiting VPCs in your cloud networking designs. http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/invalid-peering-configurations.html#edge-to-edge-vgw

AWS API without keys

Thu, 02 Jul 2015 21:25:11 +0000

Hey there Enterprise Administrator! Avoid storing AWS API keys by using Windows authentication instead[/caption] Are you an Enterprise investigating AWS? Don’t want to become a security news story like these guys? https://www.google.co.uk/search?q=news+aws+secret+access+key+hack Are you used to multiple levels of physical and logical security for access to your equipment? https://www.youtube.com/watch?v=_qc5TG2ulx8 Is access to your VPC config shielded by nothing but some AWS API credentials? (which are probably stored in plain text..) Can your AWS credentials be used from the public internet (instead of only from the Office)?

AD Authentication for AWS console

Mon, 15 Jun 2015 21:22:21 +0000

When you get started with Amazon Web Services (AWS) one thing to do early is secure access to the web console. Rather than manage another set of user accounts you can reuse your corporate directory (Microsoft Active Directory) to login to the AWS console. You use AD Federation Services to do this. Also, if you keep your ADFS server internal, then your AWS console is not accessible from the public Internet.

Windows Authentication in Blackberry Enterprise Server (BES) 12

Wed, 22 Apr 2015 20:30:47 +0000

Update to previous post on older BES version ( “Test intranet access from Blackberry and other mobile platforms”). For BES12 create a krb5.conf file and upload to the “Single-sign on” profile (obv. switch mycompany.com to your own FQDN. And specify the FQDNs for one or more domain controllers. This has been case sensitive in the past.)``` [libdefaults] default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 des3-cbc-sha rc4-hmac default_realm = MYCOMPANY.COM [realms] MYCOMPANY.COM = { kdc = tcp/DC1.

Amazon Web Services (AWS) online training

Tue, 07 Apr 2015 14:15:13 +0000

My head in the clouds as usual. Today I passed the AWS Certified Solutions Architect - Associate exam. I used Ryan Kroonenburn’s course on Udemy to skill up. I recommend it: Udemy - AWS Certified Solutions Architect associate by Ryan Kroonenburn Update: Ryan quit Udemy’s platform and setup his own by founding https://www.ACloudGuru.com

100 days of DevOps

Sat, 28 Mar 2015 18:54:36 +0000

Came across this amazing body of work. These guys (a group of System Centre consultants) spent 100 days on automation tools across Windows and Linux and also AWS and Azure cloud services. PowerShell DSC – from Basic to Advanced Cross-Platform Management and DevOps with DSC and Chef Package Deployment Azure PaaS (Cloud Services, Websites and SQL) for IT Pros Source Control and Unit Testing Integration and Automation for IT Pros (TFS, VSO and GIT) System Center and DevOps Amazon EC2 and PowerShell Well written, concise, high level overviews to wet your appetite.

Windows Server 2012 nic teaming with powershell

Tue, 17 Mar 2015 19:22:58 +0000

Some PowerShell to configure Nic Teaming on Windows Server 2012. Note: pick teaming mode and load balancing algorithm to suit your networking environment. The config below is for two NICs going to independent switches in active-passive mode (no LACP). Also note that the order Windows discovers and labels NICs may not match your hardware vendor’s labelling at the back of the server. # Check current state of NICs and do teaming if (get-netLbfoTeam) {write-host "Nic Team already exists"} else { write-host "Renaming NICs" #Rename Ethernet & Ethernet2 to Nic1 & Nic2 etc $nicIndex=1 get-netAdapter | ForEach-Object { $\_ | Rename-NetAdapter -NewName "Nic$nicIndex" ; $nicIndex++} #Create team for Nic1,2 write-host "Teaming Nic1 and Nic2" $team = new-netlbfoteam -name NicTeam -teammembers Nic1,Nic2 -TeamingMode **SwitchIndependent** -loadBalancingAlgorithm **TransportPorts** -Confirm:$false #Configure NIC2 as standby write-host "Configuring Nic2 as standby" Set-NetLbfoTeamMember -Name "Nic2" -AdministrativeMode Standby # loop until this NIC team is up while ($team.

Windows Network List Manager

Sat, 14 Mar 2015 19:23:12 +0000

Hide Select a location for the network When you deploy Windows 7 you get a prompt: “Select a location for the network”. Laptop users also see this when they connect to a new network or WIFI service. You must pick the local network type. This helps Windows firewall decide if the local network is trusted (Private) or untrusted (Public). Rather than leave this as a manual choice for PC deployment staff and laptop users, you can automate this.

Powershell to disable NetBIOS over TCP/IP

Thu, 12 Mar 2015 19:15:07 +0000

You don’t need your machines talking to each other via NetBIOS over TCP/IP. Turn this off to cut down on network chatter and reduce your attack surface. The following PowerShell is useful as step during OS deployment (one-off config), or as a Group Policy startup script (every boot). # disable NetBIOS over TCP/IP on new adapter (legacy protocol not required) $NETBIOS_DISABLED=2 Get-WmiObject Win32_NetworkAdapterConfiguration -filter "ipenabled = 'true'" | ForEach-Object { $_.

Remote desktop protocol 8.1

Mon, 02 Mar 2015 21:11:48 +0000

TL;DR Make RDP better on Win7. Enable UDP support with this update. Add support for RDP 8.1 to Windows 7. Both an updated RDP client (useful when connecting to Windows Server 2012) and updates for the terminal server service. http://blogs.msdn.com/b/rds/archive/2013/11/12/remote-desktop-protocol-8-1-update-for-windows-7-sp1-released-to-web.aspx There are quite a few hotfix prerequisites that took a while to install. I found it quicker to extract the cab files from within the MSU hotfix files (used 7zip) and install using dism.

Web proxy auto detection

Mon, 16 Feb 2015 22:40:16 +0000

If you have proxy servers between your staff and the public internet, and you’re configuring the proxy server name/IP and port in web browsers then CUT THAT OUT RIGHT NOW! Your web browsers can find your proxy servers automatically (with a little help….) What is Web Proxy Autodiscovery Protocol (WPAD)? The Web Proxy Autodiscovery Protocol (WPAD) is a method used by web clients (IE, Firefox, Chrome, Winodws) to locate an internet proxy automatically.

OS Hardening guides

Mon, 16 Feb 2015 22:15:43 +0000

In the bad old days Windows would install in user friendly, super accessible mode. You’d then run scripts to lock it down, improving security permissions on registry keys, files and folders, reg tweaks, and potentially break stuff too. There were lots of security guides around. I’d use these NSA guides and tips from McGraw Hill’s Hacking Exposed. Now days Windows comes secure out of the box and you install roles before it’ll do anything.

Lost the administrator password? Break into Windows

Tue, 20 Jan 2015 22:14:51 +0000

If you come across a machine that has disconnected from the domain, and you don’t have a system to recover the local administrator password, you’ll need to break in. If you have physical access to the machine, and can access the OS files from another OS (disk is not encrypted), then you can make offline changes to Windows. Boot into your Windows Preinstallation Environment (WinPE), typically used for OS deployment. See Microsoft Deployment Toolkit.

IT Infrastructure Directions in 2015

Tue, 20 Jan 2015 21:58:22 +0000

A recent Microsoft TechNet Flash email links to a Forrester report about what CIOs should be doing in 2015. Part of it mentions hybrid cloud architectures (read Azure) Forrester Research Predictions 2015: CIOs Accelerate the Business Technology Agenda “In 2015, digital disruption will change the nature of competition, forcing firms to obsess about creating superior digital experiences across the entire customer life cycle. Many CIOs have the technical expertise and cross-functional business purview to help drive this level of innovation, but they are too often still seen as nothing more than the leader of a cost centre.

Test intranet access from Blackberry and other mobile platforms

Fri, 02 Jan 2015 19:07:29 +0000

If you’re accessing intranet websites using Blackberries and other mobile platforms like Good for Enterprise you can get Kerberos working to provide single sign-on/passthough authentication. Staff can then browse intranet pages that are secured by Windows authentication, URL filtering or NTFS without having to type in their (probably complex) Windows password on a teeny tiny phone keypad. I use the Active Server Page (ASP) below on IIS to test if Kerberos is working.

VMware View Client as desktop shell

Tue, 30 Dec 2014 18:20:30 +0000

You can repurpose Windows PCs as thin clients in a VMware View VDI environment. Swap the Windows explorer shell (start menu and desktop) with View Client. This also works for Windows Embedded thin clients. This works best with VMware View Client v5.4.0. Newer versions (View Client 2.0 and above, don’t ask me why the version numbers are out of order) VMware changed the View Client behaviour. When you disconnect from your VDI session, the View Client doesn’t close (so Windows doesn’t logoff).

Package - Java Runtime Environment (JRE)

Tue, 30 Dec 2014 18:04:53 +0000

JRE install/reinstall package This will help you do unattended install of JRE. JRE is a little tricky as there are several major versions. There are 32bit and 64bit editions. There are regular updates. And there are plenty of security vulnerabilities that need patching regularly, especially the java plug-in for web browsers. Currently Oracle release JRE updates every quarter and this needs to become more frequent. As a result you need good version control for your packages and reliable install and upgrades.

Shower Booking System

Sat, 27 Dec 2014 16:53:30 +0000

Once in a while a request will come in from left field. This was one of them: implement a shower booking system for the new office. I implemented a finite state machine, using XML to store state, and XSLT to transform from one state to another. XSLT to transform the state file to HTML views. And a little ASP to implement webhooks to kick off the transforms.

Building a VDI infrastructure

Fri, 19 Dec 2014 12:46:45 +0000

This seminar describes a Virtual Desktop Infrastructure (VDI) using only open source software (and a Windows desktop OS). This is of course a crazy thing to attempt. You’re more likely to pick an off-the-shelf products like VMware Horizon View or Citrix. The most interesting aspect of this seminar is that it explains the components of a VDI infrastructure and the challenges in making an OS designed for local disk work well in a VDI environment and shared storage.

Website change alerts with powershell

Thu, 18 Dec 2014 12:50:06 +0000

Had a requirement to monitor a website for changes. Used free online tool www.changedetection.com. But set up a second monitoring tool using PowerShell and a scheduling system. Remix the following code in your own monitoring projects. Maybe turn it into a function. Maybe test for an expected string (eg the HTML for login form). There’s no defensive code to recover if the website is inaccessible (needs a try-catch there). Could add some code to raise a SNMP trap, or create a support ticket.

Business aims vs Technology aims

Wed, 05 Nov 2014 14:08:19 +0000

At a conference yesterday there was the results of a survey into business and IT dept priorities and a discussion around how they differ: Business Priorities 1.Improving Efficiency 2.Deliver Operational Results 3.Improve Profitability 4.Reduce Enterprise Costs 5.Attract and Retain Customers 6.Product and Service Innovation 7.New markets and territories 8.Attract and Retain Personnel 9.Marketing and Sales Effectiveness 10.Increasing Enterprise Growth IT Priorities 1.Security 2.Mobile Technology 3.High Availability/Disaster Recovery 4.Storage and Data Growth

Using Microsoft NetMon to troubleshoot application network communications

Tue, 21 Oct 2014 14:30:08 +0000

Recently showed NetMon to a developer for troubleshooting IntelliJ. The Java development environment app was freezing and we found it was attempting to go direct to Maven central repository instead of our internal repository or out via the web proxy. NetMon is a network capture tool. Rather than showing you raw data like wireshark, it breaks down the traffic into “conversations” per process (and process ID). This makes it easier to see the forest for the trees, or the tree you’re interested in instead of the whole forest.

PowerShell update-help proxy authentication

Tue, 16 Sep 2014 14:43:55 +0000

PowerShell 3 installs without help files. You download these from Microsoft using the command update-help. Use the following PowerShell to make the .Net web client pass your session credentials to the (auto detected) proxy. Now you can wget, curl or update-help $wc = New-Object System.Net.WebClient $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials update-help This tip was from_:_ http://blog.stangroome.com/2013/08/02/powershell-update-help-and-an-authenticating-proxy/

The 10 Immutable Laws of Security

Mon, 30 Jun 2014 14:49:52 +0000

Attended a security webinar titled 11 Most Effective Ways to Lockdown Active Directory. The 10 Immutable Laws of Security was referenced (in the context of VMware admins having equivalent of physical access to VMs, law #3). Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore. Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.

Atlassian Confluence 5

Thu, 19 Jun 2014 14:56:02 +0000

I migrated the awesome intranet WIKI system Confluence from v4 on Linux to v5 on Windows. This was not straight forward (it was hell) but it’s now working great. As a JAVA based app it runs fine on Windows and it’s easier to support on this platform (IMHO). Some findings/gotchas: Confluence config settings All references to setenv.bat in Atlassian docs should be ignored. Making JVM config changes to this file has no impact.

.Net application publisher certificate checking

Mon, 09 Jun 2014 15:34:59 +0000

Have a server app (NetApp SnapDrive 7) which installs a .Net service. The service fails to start and the MSI package rolls back. It fails to start because it’s doing publisher cert checking and the servers don’t have internet access via proxy. The workaround offered was to edit the app .config file and add Described in this article: http://msdn.microsoft.com/en-us/library/bb629393(v=vs.110).aspx And: http://msdn.microsoft.com/en-us/library/system.security.permissions.publisheridentitypermission(v=vs.110).aspx Found this cert check can be turned off per machine in machine.

Benchmarking Physical Machines Vs HyperV VMs

Fri, 06 Jun 2014 15:41:11 +0000

SQL Enterprise licence cost avoidance Microsoft SQL Server Enterprise edition licensing changed from per-server (and CALs) to per-core. This makes SQL Server Enterprise on our 16 core blade servers very expensive to licence. To workaround this licencing cost we bought 8 core servers with a higher clock speed. TL;DR - Save money on SQL Enterprise licensing by choosing fewer cores with faster clock speed. Benchmarked the new 8 cores @3.5GHz SQL server hardware vs our previous SQL server hardware.

Trader Virtual Desktop Infrastructure (VDI)

Sun, 20 Apr 2014 15:35:55 +0000

My first trader VDI setup. A remoted desktop environment with two machines per trader, one keyboard and mouse, and up to 8 screens. Historically traders had two machines: One (trading machine) ring-fenced for Bloomberg and trading, and a second (non-trading machine) for MS Office, surfing the web, some 3rd party apps etc.. They would swap between the machines using KVM switch boxes. We switched to a VDI style solution where the trader’s machines are moved to the datacentre and accessed via a ’thin client’ terminal.

IT Department Agility

Mon, 14 Apr 2014 16:08:54 +0000

Our development team have adopted the AGILE project management methodology. Along with new continuous testing tools they’re able to implement changes much more quickly now. They’re now finding the next barrier to agility is us, the IT operations department (the ops in DevOps). We can’t rollout software as fast as they release is. Ideally IT Operations would be able to deploy their changes within a single AGILE sprint cycle (the dev cycle).

SharePoint stretched farm

Wed, 02 Apr 2014 17:16:03 +0000

Installed SharePoint as a Google like search engine for documents on filers. Configuring it as a stretched farm (servers in multiple sites) with a SQL backend. This is overkill for a search site, but makes it possible to failover SharePoint to DR site an will be useful if it’s used as a doc library in future, or for SQL 2014 data analytics. Also SharePoint automatically shares the indexing work between servers in a farm.

MATLAB Optimised Desktop Platform

Thu, 27 Mar 2014 15:38:50 +0000

Some of our the desktop hardware used by researchers was getting to end of life. Simulations within MATLAB required more RAM. Our desktops ground to a halt when simulations exceeded physical RAM and the OS began swapping pages of memory to disk. The desktops had 16GB and 32GB of RAM but researchers wanted 64GB. Upgrading desktops to 64GB RAM would cost £3000 per PC. £500 for RAM and £2500 for Workstation class hardware (Intel Xeon required to accommodate >32GB RAM) To pick a new MATLAB desktop hardware platform I profiled the application using SysInternal Process Monitor to expose how the app used CPU, RAM and the Network interface.

Audit Microsoft and Linux licensing with Microsoft MAP

Tue, 18 Mar 2014 17:31:44 +0000

The Microsoft Migration and Assessment Planning (MAP) tool was originally designed to help you plan your migration to HyperV. But the reports it generates are also very useful for the annual Microsoft licensing true-ups. https://www.microsoft.com/map https://www.microsoft.com/en-us/download/details.aspx?id=7826 It can now audit Linux too (with a view to virtualising it on HyperV/Asure) http://blogs.technet.com/b/mapblog/archive/2013/01/29/determine-linux-machine-readiness-to-move-to-a-windows-azure-virtual-machine-using-the-map-toolkit.aspx Next time you need to gather data for Microsoft licensing, check out The Microsoft Migration and Assessment Planning (MAP) tool.

Boot WinPE on VMs without virtual media or PXE

Thu, 13 Mar 2014 17:35:28 +0000

Deploying VMs from templates harks back to the bad old days of disk imaging. But using “baremetal templates” ensures your virtual hardware configuration is consistent (choice of NIC, choice of array controller, disk is thin provisioned etc..). Then make a baremetal template that boots straight into WinPE for unattended OS deployment. Then you get consistent VM hardware config without maintaining a distributing OS disk images. Create VM template or factory image with WinPE on harddisk Create VM with required virtual hardware configuration

VDI with VMware View

Mon, 03 Mar 2014 22:46:40 +0000

The traders with 6 screens and two machines each needed a more elaborate VDI system (see my rgs post). But for the back office, with a mere two screens each, I deployed VMware Horizon View. I’ve upgraded though View 3, 4 and 5 and expect to upgrade to View 6 soon. We have mixture of HP thin clients and repurposed PCs (Vmware view client as shell). With a little VDI optimisation Windows 7 will work great in a VDI environment.