Archive
Windows Server 2025 – preview build 26080
Last week on 13th of March Microsoft announced (RSS) new preview release of Windows Server 2025 (Windows Server Long-Term Servicing Channel (LTSC), build 26080). This preview build contains both the Desktop Experience and Server Core installation options for Datacenter and Standard editions, Annual Channel for Container Host and Azure Edition (for VM evaluation only):
To download evaluation (build 26080 will expire after September 15, 2024) version of new Windows Server 2025, go to Windows Insider Preview Downloads. To download preview Server versions, you need to be a member of the Windows Insider program. If you are not yet an insider, you can register for free here.
Besides English (US) version, you can also test server in few other languages:
Two of the most interesting changes in this new release are:
– Win32-OpenSSH server component is now installed by default,
– winget in Windows Server with Desktop Experience.
Starting in Windows Server 2025 the Win32-OpenSSH server side component (SSHD) will ship installed by default and if/when needed, it just needs to be enabled/disabled:
By default, when SSH is enabled, it will allow inbound connection on private networks (only) on the default TCP port 22. New local group “OpenSSH Users” can be used to allow remote connectivity for non-admin users.
Enable command that is executed in the background:
Get-Service -Name sshd | Set-Service -StartupType Automatic -PassThru | Start-Service
Disable command that is executed in the bckground:
Get-Service -Name sshd | Set-Service -StartupType Manual -PassThru | Stop-Service -Force
To customize default SSH config, you can edit file “C:\ProgramData\ssh\sshd_config”.
Some of the defaults:
AllowGroups administrators “openssh users”
HostKey PROGRAMDATA/ssh/ssh_host…
AuthorizedKeysFile .ssh/authorized_keys
Match Group administrators
AuthorizedKeysFile PROGRAMDATA/ssh/administrators_authorized_keys
Winget (Windows Package Manager) is command-line tool originally available on Windows 11 and modern versions of Windows 10. It allows admins and users to manage (install, uninstall, upgrade,…) locally installed applications. Winget is designed to help you quickly and easily discover and install custom software packages (by default from two sources: winget and msstore, with support for more).
Until you start managing applications with a solution like AppLocker, you might want to use GPO to disable winget.
If you want to test matching version of Windows Client, you can also download Windows 11 Insider Preview Build 26080:
Since Windows 11 Insider Preview Build 26052 you can natively run sudo on Windows 11, you just need to enable it:
Unlike winget, for this one I do hope it gets added to Windows Server at some point…
More info:
– Announcing Windows Server Preview Build 26080
– Introducing Sudo for Windows
Microsoft news in June 2019
So far June has been busy month for Microsoft. Few of the recent announcements I want you to know about:
– Microsoft Azure Bastion – private and fully managed RDP and SSH access to virtual machines (blog)
– AaronLocker performance and feature updates (blog)
– Microsoft Hyper-V Server 2019 available for download (ISO)
– Sysinternals updates
– Sysmon v10.01 – adds support for DNS query logging
– Autoruns for Windows v13.95 – adds support for user Shell folders redirections
– Windows To Go (WTG) – Feature Deprecation in Windows 10 1903
– PowerShell v7.0.0-preview.1 Release
– Azure Multi-Factor Authentication Server goes Cloud-Only – As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments.
– Microsoft Edge Insider Channels receives update on Canary channel – brings preview for Windows 7, Windows 8, Windows 8.1 and macOS (*)
– SCCM Client extension for Windows Admin Center (more info) (*)
– Windows Insider Lab Kit (Olympia v2) updated to version 5.7 (*)
– Windows and Office Deployment Lab Kit updated to version 1903 (*)
* added after initial blog post
NTK 2019 and other Microsoft-related news
From 21. until 23. of May 2019, Portorož (Slovenia) became my home for few days. The reason for this was NTK (NT konferenca) – Microsoft’s IT conference that brought together people from all over the place.
During the three days conference was going on, I had a privilege to present three sessions of my own. As always, I was pleasantly surprised by the number of people who came to my sessions, even though the session was in the middle of the lunch time or the last one for the day. Thank you all for showing up and asking questions.
My sessions at NTK 2019 were:
- Povečanje varnosti Windows klientov – ways to improve Windows security
- Vzdrževanje SCCM in WSUS okolja – SCCM and WSUS maintenance
- Brezplačna orodja za upravljanje Windows okolij – free tools to speedup Windows maintenance
Presentations and demo files can be downloaded from NTK web site or from my OneDrive:
- Povečanje varnosti Windows klientov.pptx, Day1-Demos.zip
- Vzdrževanje SCCM in WSUS okolja.pptx, Day2-Demos.txt
- Brezplačna orodja za upravljanje Windows okolij.pptx
For all the demos on day one and day two I used Start-Demo.ps1 PowerShell script. Thank you Jeffrey Snover and Joel “Jaykul” Bennett for the original script.
During one of my presentations there was one Windows Sandbox related question – data sharing between Host and Sandbox. At the time I wasn’t aware of Windows Sandbox – Config Files which I believe is exactly where the question was going. There is MappedFolders parameter, that gives us an option to map local drive into Sandbox on user’s Desktop. Mapped folder can be Read-Only or Read&Write. Example of Windows Sandbox Config file with few additional options: WindowsSandbox.wsb
While we were busy with NTK, Microsoft rolled out few new products, services and announcements:
- Windows 10 1903 (available on VL Service Center since 21st of May, on MSDN since 4th of April)
- Microsoft Security Compliance Toolkit 1.0 updated with final version of Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline (more info)
- AaronLocker updated (info)
- Features in Configuration Manager technical preview version 1905 (Application groups, BitLocker management, Task sequence debugger,…)
- Microsoft Edge preview builds – Chromium-based (Beta, Dev and Canary)
- Application Guard for Chrome und Firefox
On-premises BitLocker management using System Center Configuration Manager
Beginning in June 2019, System Center Configuration Manager (SCCM) will release a product preview for BitLocker management capabilities, followed by general availability later in 2019.
Configuration Manager will support BitLocker for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions. It will also support Windows 7, Windows 8, and Windows 8.1 during their respective support lifecycles.
SCCM will provide the following BitLocker management capabilities:
Provisioning
Our provisioning solution will ensure that BitLocker will be a seamless experience within the SCCM console while also retaining the breadth of MBAM.
Prepare Trusted Platform Module (TPM)
Admins can open the TPM management console for TPM versions 1.2 and 2.0. Additionally, SCCM will support TPM+PIN for log in. For those devices without a TPM, we also permit USBs to be used as authenticators on boot.
Setting BitLocker Configuration
All MBAM configuration specific values that you set will be available through the SCCM console, including: choose drive encryption and cipher strength, configure user exemption policy, fixed data drive encryption settings, and more.
Encryption
Encryption allows admins to determine the algorithms with which to encrypt the device, the disks that are targeted for encryption, and the baselines users must provide in order to gain access to the disks.
Policy enactment / remediation on device
Admins can force users to get compliant with new security policies before being able to access the device.
New user can set a pin / password on TPM & non-TPM devices
Admins can customize their organization’s security profile on a per device basis.
Auto unlock
Policies to specify whether to unlock only an OS drive, or all attached drives, when a user unlocks the OS drive.
Helpdesk portal with auditing
A helpdesk portal allows other personas in the organization outside of the SCCM admin to provide help with key recovery, including key rotation and other MBAM-related support cases that may arise.
Key rotation
Key rotation allows admins to use a single-use key for unlocking a BitLocker encrypted device. Once this key is used, a new key will be generated for the device and stored securely on-premises.
Compliance reporting
SCCM reporting will include all reports currently found on MBAM in the SCCM console. This includes key details like encryption status per volume, per device, the primary user of the device, compliance status, reasons for non-compliance, etc.
If you are familiar with Microsoft BitLocker Administration and Monitoring (MBAM), you probably noticed that above listed BitLocker-related SCCM improvements to come look a lot like MBAM features – and you would be correct to think that. The reason for that is in Microsoft’s announcement for the MBAM support – MBAM will end mainstream support on July 9, 2019 and will enter extended support until July 9, 2024.
Regardless of the MBAM situation, I sure am happy to see this new feature set is coming to SCCM.
More info at: Microsoft expands BitLocker management capabilities for the enterprise
AaronLocker – automate AppLocker configuration
AppLocker is application whitelisting security feature that became available in Windows 7 and Windows Server 2008 R2. With Windows 10 and Windows Server 2016 Microsoft decided to rebrand it to Windows Defender Application Control or WDAC for short. Other than rebranding it, AppLocker didn’t receive any major improvements. In most of the management tools you will still find it under AppLocker name.
If you want to learn more about it, I would recommend you to check out official documentation.
If you or your company is using Windows Enterprise or Education client operating system, then you should look at setting up AppLocker. The implementation itself doesn’t take much time but it can drastically improve overall security of Windows environment. In Windows 10 and Windows Server 2016 AppLocker represents one part of multi-layer defense strategy.
To ease the implementation, Aaron Margosis put together set of PowerShell scripts including detailed documentation called AaronLocker. What AaronLocker helps you do is automate most of the tasks needed to implement and maintain AppLocker.
Few of the nice to have features are:
– Selective scan of any folder and subfolders with rule merge
– Additional rules for domain-joined PCs
– Find user writable paths and set exclusions
– Exclude sensitive build-in Windows programs, that are rarely used by non-admins
– Policy report in Excel
– Audit and Enforce policy
– Audit/Enforce summary reporting from AppLocker Logs in Event Viewer
– Reporting supports forwarded events with Event Forwarding (How-to in the documentation)
– Detailed documentation including how to implement Pilot / Broad / Production phases
You can learn more about AaronLocker from the documentation available on the GitHub portal. If you prefer or like video content, you can also check two YouTube videos, first one introducing the solution and second one quick start.
SloWUG – 2019.02 – Pohitrimo nadzor Windows okolja s SCCM
On 13th of February I was presenting at Slovenian Windows Users Group (SloWUG) in Ljubljana. We looked at different SCCM features, some fully released, some in preview in latest stable build (1810) and some in preview in preview builds. Focus of the presentation was on the features administrators can use, to decrease time of their daily work and at the same time improve existing procedures.
Attached to this post you can find link to my presentation.
After short discussion with attendees, I plan to do another SCCM-related presentation, this time focusing on SCCM maintenance and WSUS.
Windows Server 2016 – Where to start?
New version of Windows Server is by now available to all of us.
If you haven’t had a chance to look into it, here are few starting points for the journey ahead:
- Windows Server 2016 Feature Comparison Guide (PDF)
- Introducing Windows Server 2016 (PDF)
- Microsoft Ignite On-Demand Videos – Windows Server 2016
If you haven’t yet downloaded your copy, you can grab one here:
After you get through all previous content, you might also be interested in:
- Nano Server Image Builder (download)
- MSMG Toolkit (automate Windows Image management tasks like Servicing, Customization, Add or Remove Features and Components, Enable or Disable Features)
- Security baseline for Windows 10 v1607 (“Anniversary edition”) and Windows Server 2016
- AD FS Rapid Restore Tool
SCCM 2012 R2 With BitLocker Network Unlock
I’ve read and followed MS documentation available at:
– BitLocker: How to enable Network Unlock
– Bitlocker: Network Unlock (PFE Blog post)
- Client/Server configuration:
- Clients: Windows 8.1 and up on isolated VLAN
- SCCM Servers: 2012 R2 SP1
- SCCM distribution point: dedicated server for network unlock and client deployment
- change to certificate template used for network unlock: Certification Authority and Certificate recipient fields are Windows Server 2012 R2 and Windows 8.1 respectively
After some initial testing I’ve successfuly deployed this configuration at one of our customer’s sites.
Not sure if it is fully supported from MS side but I didn’t do any “funny” customization to get it working – based on this I would guess it should be supported.
Second link is really useful for understanding how the whole thing works – it even has few screenshots of network trace (good reference for troubleshooting).
Good to know:
– Network unlock by itself doesn’t do PXE boot – unlock happens before that with special DHCP packet (provided, that LAN boot is not first BOOT option – which it shouldn’t be). Check second link for more info.
– This change to BitLocker OS drive unlock process will add few seconds to boot process. Why? Before Windows can successfully start and unlock drive with certificate, boot manager has to get valid IP DHCP address (or not if timeout happens). Only after this happens BootRequest packet is send to WDS server which replies with BootReply. How big can this delay be probably depends on usual network-related configuration.
Where to start your journey when your goal is multi-boot USB
Not so often anymore, but still sometimes I find myself in situation when I have to analyze and possibly repair broken Windows system. When that happens, it is good to have few tools at hand. Because you never know what went wrong in advance, it is good to be prepared for all occasions. I usually need only one USB drive – my 32GB multi-boot USB drive (you can also go with less).
On my USB, there are quite few tools; some of them might come in handy even to you some day. Just to kick-start your journey I will give you few pointers:
You need bootable USB and something to boot. I prefer:
Windows 7 USB/DVD tool
– Free
– Good for Windows-only multi-boot
– Wizard driven “ISO to USB/DVD” converter
– Can create bootable USB from any WIM based image, like:
– Windows Vista & Windows Server 2008
– Windows 7 & Windows Server 2008 R2
– Windows Defender Offline
– Microsoft Diagnostics and Recovery Toolset
– Windows PE – you can get it in Windows AIK
– Windows RE – Create a Windows RE Recovery Media
Windows Defender Offline
– Free
– Dedicated to finding and removing malicious and potentially unwanted programs
– Based on Windows PE
– Wizard driven USB/DVD creator
Microsoft Diagnostics and Recovery Toolset
– Free for Microsoft SA customers, available to Volume Licensing customers, Microsoft Development Network subscribers, and Microsoft TechNet subscribers
– Packed with tools like Locksmith, Crash Analyzer, File Restore, Disk Wipe and Standalone System Sweeper
– Based on Windows PE
– Wizard driven USB/DVD creator
Universal USB Installer
– Free
– Great for true multi-boot
– Can combine multiple Windows based and non-Windows based images onto one media
– Supports Windows XP and newer
– Supports 90+ Linux distributions (don’t forget to check out KON-BOOT*)
– Wizard driven USB/DVD creator
When creating bootable USB all the applications require USB format (wipe and FAT32 created).
If you also like to have updated Sysinternals tools with you, don’t forget to check out SysInternalsUpdater.
*Great tool for true bypassing of local Windows Logon passwords.
Remote Server Administration Tools for Windows 7 SP1 available for download
RSAT Client is the collection of Windows Server management tools which enable IT professionals to manage their Windows Server infrastructure from their PCs running Windows 7 SP1 and Windows 7.
This is the list of Windows Server administration tools which are included in RSAT Client for Win7 SP1:
Server Administration Tools:
Server Manager
Role Administration Tools:
Active Directory Certificate Services (AD CS) Tools
Active Directory Domain Services (AD DS) Tools
Active Directory Lightweight Directory Services (AD LDS) Tools
DHCP Server Tools
DNS Server Tools
File Services Tools
Hyper-V Tools
Terminal Services Tools
Feature Administration Tools:
BitLocker Password Recovery Viewer
Failover Clustering Tools
Group Policy Management Tools
Network Load Balancing Tools
SMTP Server Tools
Storage Explorer Tools
Storage Manager for SANs Tools
Windows System Resource Manager Tools
Download page at Microsoft Download Center: RSAT for Windows 7 with SP1
If you followed my previous post on how to manually install RSAT tools on Windows 7 with SP1 you can also install this update on your PC over existing RSAT tools.
Going down the IT rabbit hole 