Server 2016 ADFS – Limit Claims Providers

If your ADFS setup has more than one Claims Provider configured, the default behavior is for all the providers to be available to every Relying Party.  If you’d like to limit which CPs a given RP can use, you can do so with the following PowerShell:

Set-AdfsRelyingPartyTrust -TargetName RPName -ClaimsProviderName @("CPName")

To check the settings you can use the get version of the command, but the identifier is Name instead of TargetName:

Get-AdfsRelyingPartyTrust -Name 'RPName'
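As an added example (not from the original post), this audits every Relying Party Trust and flags the ones still open to all Claims Providers; it assumes, per the default behavior described above, that an empty ClaimsProviderName means every configured provider is accepted.

```powershell
# Added example: report which Relying Parties are restricted to specific Claims
# Providers and which still accept every provider (ClaimsProviderName empty).
$allProviders = Get-AdfsClaimsProviderTrust | Select-Object -ExpandProperty Name

$report = foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $restricted = @($rp.ClaimsProviderName).Where({ $_ })   # drop $null / empty entries
    [pscustomobject]@{
        RelyingParty    = $rp.Name
        Enabled         = $rp.Enabled
        Unrestricted    = ($restricted.Count -eq 0)
        ClaimsProviders = if ($restricted.Count -gt 0) { $restricted -join ', ' }
                          else { "(all: $($allProviders -join ', '))" }
    }
}

# Unrestricted RPs first, so the ones worth a Set-AdfsRelyingPartyTrust call stand out.
$report | Sort-Object Unrestricted -Descending, RelyingParty | Format-Table -AutoSize
```

Anything listed as Unrestricted is a candidate for the Set-AdfsRelyingPartyTrust command above.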

 

Server 2016 ADFS – Enable Test Page

ADFS has a local page that will allow you to use it as a launcher for Federated logins (https://FQDN/adfs/ls/idpinitiatedsignon.aspx).  It is also a great test page to use to confirm a login is working.

In Server 2016 this page is disabled by default.  To turn it on run the following PowerShell:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

When you’re done testing, you can turn it back off:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $false

S2D Cluster Stuck in Degraded State

We ran into a problem this month with our S2D Hyper-V cluster.  Since the nodes replicate their disks, after a node restarts the cluster needs to get that node back in sync.  This happens automatically, and we keep an eye on it to make sure the pool is synced before we bring the restarted node back into production.

FYI – you can do this with:

Get-VirtualDisk

Get-StorageJob

However, this month the jobs were created but never started.  I let it sit overnight, but when they still hadn’t run by the next morning, I started to look into how to fix this.  Luckily, I found a blog with the right things to check and fix: http://kreelbits.blogspot.com/2017/06/storage-spaces-direct-storage-jobs-hung.html

He lists a number of things to check and how to fix each of them.  In our case the problem was that some of the drives stayed in maintenance mode.  Failover Cluster Manager did not list them as in maintenance, so without checking in PowerShell we probably never would have seen it.  To check whether any drives have an operational status of ‘In Maintenance Mode’, run

Get-PhysicalDisk

If you have some that aren’t ‘OK’, you can fix them by running

Get-PhysicalDisk | Where-Object { $_.OperationalStatus -eq "In Maintenance Mode" } | Disable-StorageMaintenanceMode

Once we did that the Storage jobs started and the drives got in sync.
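As an added example (not from the original post), here are the three checks from this post rolled into one script, with the maintenance-mode fix behind an explicit -Fix switch so the read-only pass can run on its own.

```powershell
# Added example: S2D resync health check.  Read-only unless -Fix is given.
param([switch]$Fix)

Write-Host '== Virtual disks =='
Get-VirtualDisk | Format-Table FriendlyName, HealthStatus, OperationalStatus -AutoSize

Write-Host '== Storage jobs (repair work queued or running) =='
# A job that sits in JobState 'New' with 0% complete is the "created but never started" symptom.
Get-StorageJob | Format-Table Name, JobState, PercentComplete, IsBackgroundTask -AutoSize

# OperationalStatus is a single string on some builds and an array on others,
# so -contains is used instead of -eq.
$disks = Get-PhysicalDisk
$notOk = @($disks | Where-Object { -not ($_.OperationalStatus -contains 'OK') })
$stuck = @($disks | Where-Object { $_.OperationalStatus -contains 'In Maintenance Mode' })

Write-Host "== Physical disks not reporting OK: $($notOk.Count) =="
$notOk | Format-Table FriendlyName, SerialNumber, OperationalStatus, HealthStatus -AutoSize

if ($stuck.Count -eq 0) {
    Write-Host 'No disks left in maintenance mode; check the other items in the linked post.'
} elseif ($Fix) {
    Write-Host "Taking $($stuck.Count) disk(s) out of maintenance mode..."
    $stuck | Disable-StorageMaintenanceMode
    Start-Sleep -Seconds 10
    Get-StorageJob | Format-Table Name, JobState, PercentComplete -AutoSize   # jobs should now be Running
} else {
    Write-Host "$($stuck.Count) disk(s) are still in maintenance mode. Re-run with -Fix to clear them."
}
```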

Update Offline Virtual Machine

If you’ve created a golden image VM, you may have run across the hassle of keeping it updated.  You can fire it up monthly and run updates, or just wait and update as the first step in deploying a new machine.  OR…  You can deploy updates to the offline VM with a little prep work and PowerShell.

These notes are for deploying the monthly cumulative update on Windows Server 2016, but it should work for older versions and other updates.

The first step is to download the update file.  Then use the Expand program (built in) to extract the contents:

expand <PATHTOUPDATEFILE> -F:* <EXTRACTDESTINATION>

In the extract folder, find the .cab file for the update. Copy that to the VM host.  In this example, I’m using C:\Temp.

Now either open a PS Session or from the VM host open PowerShell.

Go to a folder on the local disk (this process failed when mounting into a CSV) and create a temporary folder to use as a mount point. It’s easiest if this is also where you’ve put the .cab file.

mkdir -Path C:\Temp\MountDir

Now mount the offline VHD(X) you want to update.

Mount-WindowsImage -ImagePath $VHDtoUpdate -Path C:\Temp\MountDir -Index 1

Now apply the update package to the mounted image.

Add-WindowsPackage -Path C:\Temp\MountDir -PackagePath $updatepath

Wait while the process runs, then dismount the VHD(X).

Dismount-WindowsImage -Path C:\Temp\MountDir -Save

Now repeat for additional virtual machines, or clean up your temporary mount folder.

rd -Path C:\Temp\MountDir

Now you can start up your updated VM.

Full script:

# Run this interactively: commands typed after Enter-PSSession execute on the remote host.
$vmhost = "<yourhost>"
Enter-PSSession -ComputerName $vmhost

$cummupdatepath = "C:\Temp\Windows10.0-KB4022715-x64.cab"   # the .cab extracted earlier, copied to the host
$VHDtoUpdate = "C:\ClusterStorage\Volume1\Example\Virtual Hard Disks\Example.vhdx"

mkdir -Path C:\Temp\MountDir        # mount point on a local disk, not a CSV
Mount-WindowsImage -ImagePath $VHDtoUpdate -Path C:\Temp\MountDir -Index 1
Add-WindowsPackage -Path C:\Temp\MountDir -PackagePath $cummupdatepath
pause                               # review the output before committing
Dismount-WindowsImage -Path C:\Temp\MountDir -Save   # same full path as the mount; a relative path only works from C:\Temp
rd -Path C:\Temp\MountDir

Exit-PSSession
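As an added example (not the original post’s script), this is the same procedure with error handling: if Add-WindowsPackage fails, the mount is discarded rather than saved as a half-applied image, and the package state is checked before committing. The PackageState check is my addition; the paths and KB file name are placeholders.

```powershell
# Added example: apply one .cab to an offline VHD(X) and only save the image if it took.
param(
    [Parameter(Mandatory)] [string] $VhdPath,      # e.g. 'C:\ClusterStorage\Volume1\Example\Virtual Hard Disks\Example.vhdx'
    [Parameter(Mandatory)] [string] $PackagePath,  # e.g. 'C:\Temp\Windows10.0-KB<number>-x64.cab' (placeholder)
    [string] $MountDir = 'C:\Temp\MountDir'        # local disk only; mounting into a CSV failed for the author
)
$ErrorActionPreference = 'Stop'

foreach ($p in $VhdPath, $PackagePath) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
}
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

$mounted = $false
$applied = $false
try {
    Mount-WindowsImage -ImagePath $VhdPath -Path $MountDir -Index 1 | Out-Null
    $mounted = $true

    Add-WindowsPackage -Path $MountDir -PackagePath $PackagePath | Out-Null

    # Offline servicing normally leaves a cumulative update 'InstallPending' until
    # the VM boots; any other state means the package did not take.
    $state = (Get-WindowsPackage -Path $MountDir -PackagePath $PackagePath).PackageState
    if ($state -notin 'Installed', 'InstallPending') {
        throw "Package state after apply is '$state'; expected Installed or InstallPending"
    }
    $applied = $true
    "Applied $(Split-Path $PackagePath -Leaf) to $VhdPath (state: $state)"
}
finally {
    if ($mounted) {
        if ($applied) {
            Dismount-WindowsImage -Path $MountDir -Save | Out-Null     # commit the change
        } else {
            Dismount-WindowsImage -Path $MountDir -Discard | Out-Null  # roll back; VHD(X) left untouched
        }
    }
    Remove-Item -LiteralPath $MountDir -Recurse -Force -ErrorAction SilentlyContinue
}
```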

 

Uninstall Application with Server Core

There is no way to directly uninstall a program with PowerShell, but you can get there in a PSRemote session using WMI.  Note that this won’t work on Nano Server, since it doesn’t have WMI.

First you need to open your connection and get the programs with WMI.

Enter-PSSession -ComputerName <YOURCOMPUTER>
$programs = Get-WmiObject -Class Win32_Product   # MSI-installed products; slow, as the MSI engine validates each one
$programs | Select Name

Now you can see the installed programs.  Find the one you want to remove, counting from zero to get its index in the array.  I want to remove program 5 in my example.  To test, I run a quick command to make sure I have the right entry.

$programs[5].Name

If you get the right program back, proceed to uninstall.

$programs[5].Uninstall()

You can rerun the initial commands to make sure it is no longer listed.  When you’re done, make sure to exit your PSRemote session.

Exit-PSSession
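As an added example (not from the original post), this does the same WMI uninstall but selects the product by exact name instead of an array index, refuses to act if the name is ambiguous, and checks the Windows Installer return code that Uninstall() hands back. <YOURCOMPUTER> and the product name are placeholders.

```powershell
# Added example: uninstall one MSI product on a remote Server Core box by exact name.
$computer    = '<YOURCOMPUTER>'
$productName = '<exact name as shown by $programs | Select Name>'

Invoke-Command -ComputerName $computer -ArgumentList $productName -ScriptBlock {
    param([string]$name)

    # Any Win32_Product query makes the MSI engine run a consistency check on every
    # installed product; it is slow and writes MsiInstaller events to the Application log.
    $found = @(Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -eq $name })

    if ($found.Count -ne 1) {
        throw "Expected exactly one product named '$name' on $env:COMPUTERNAME, found $($found.Count)."
    }

    $product = $found[0]
    Write-Host "Uninstalling '$($product.Name)' $($product.Version) [$($product.IdentifyingNumber)]"
    $result = $product.Uninstall()

    # Uninstall() returns the Windows Installer exit code: 0 = success,
    # 3010 = success but a reboot is needed to finish.
    switch ($result.ReturnValue) {
        0       { "Uninstalled '$name'" }
        3010    { "Uninstalled '$name'; reboot required to complete" }
        default { throw "Uninstall of '$name' failed, MSI return code $($result.ReturnValue)" }
    }
}
```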

Block SMB to your Workstations

When was the last time you had a business need to reach the C$ share on one of your workstations?  When was the last time you wanted a user workstation to reach the C$ share on another workstation?

If your answer was never or rarely, then you should block them.  It helps slow an attacker’s lateral movement, and if you were unpatched against MS17-010 but had this in place, it would have prevented the spread of WannaCry.

This has been available since the introduction of the integrated firewall in Windows XP SP2.  It can be configured by Group Policy, so it’s easy to have it automatically applied to new machines as they are put into production.
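As an added example (not from the original post), this is the local-firewall equivalent of the Group Policy setting discussed above, useful for trying it on one workstation before rolling it out by GPO; the rule name is my own choice.

```powershell
# Added example: block inbound SMB on a workstation and verify the block is in effect.
$ruleName = 'Block inbound SMB (workstation)'

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # TCP 445 is SMB over TCP; 139 is SMB over the NetBIOS session service.
    # Block rules take precedence over allow rules, so this overrides the built-in
    # "File and Printer Sharing" allow rules without disabling them.  It also cuts off
    # anything that rides on SMB named pipes (remote registry, remote service management);
    # if a management host must keep that access, narrow -RemoteAddress so the block
    # rule does not match that host.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 445, 139 `
        -Action Block -Profile Any -Enabled True `
        -Description 'Blocks workstation-to-workstation SMB to slow lateral movement' | Out-Null
}

# Verify: is there an enabled inbound block rule covering TCP 445?
$covering = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '445' -or $pf.LocalPort -eq 'Any')
    }

if ($covering) {
    "Inbound SMB is blocked by: $($covering.DisplayName -join ', ')"
} else {
    Write-Warning 'No enabled inbound block rule covers TCP 445.'
}
```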