26 April 2023

Set-FederationTrust - "Unable to connect to the remote server"

Below are all the steps required to renew the "Exchange Delegation Federation" certificate.

By following the steps in the "Learn" document on https://learn.microsoft.com/en-us/exchange/renew-the-federation-certificate-exchange-2013-help everything should work fine. But if you still use a proxy you could see what follows. The short version of the session below: the WinHTTP proxy (netsh winhttp) made no difference at all; Set-FederationTrust -RefreshMetadata only got through once the Exchange server object itself was given a proxy with Set-ExchangeServer -InternetWebProxy (whose bypass list accepts plain FQDNs only); and the "(407) Proxy Authentication Required" on -PublishFederationCertificate only went away after the Microsoft endpoints (domains.live.com and www.msftconnecttest.com) were added to the bypass list on the proxy itself, not on the Exchange server.

This is the part where I was trying to get the certificate activated but wasn't allowed through the proxy:

Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Show quick reference guide: QuickRef
VERBOSE: Connecting to sr-xxxxx.domain.lan.
VERBOSE: Connected to sr-xxxxx.domain.lan.
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint CE7AB8B6603427556C825A1122E270E74F7B177A -RefreshMetaData
Unable to access the Federation Metadata document from the federation partner. Detailed information: "Unable to connect to the remote server".
    + CategoryInfo          : MetadataError: (:) [Set-FederationTrust], FederationMetadataException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=a22a6478-3923-408c-88f2-a54aa5db0f70,TimeStamp=25-4-2023 13:44:24] [FailureCategory=Cmdlet-FederationMetadataException] 67AB8D6B,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>
[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp import proxy source=ie

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  10.*;*.domain.lan;<local>

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx -RefreshMetaData
Unable to access the Federation Metadata document from the federation partner. Detailed information: "Unable to connect to the remote server".
    + CategoryInfo          : MetadataError: (:) [Set-FederationTrust], FederationMetadataException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=c55ed676-399a-46ca-adca-13c851055ff4,TimeStamp=25-4-2023 15:13:47] [FailureCategory=Cmdlet-FederationMetadataException] 67AB8D6B,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy InternetWebProxyBypassList
---------------- --------------------------



[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/


[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx -RefreshMetaData
WARNING: The federation trust has changed to prepare for the usage of a new certificate for Federation. You should update all TXT proof-of-ownership records that were previously set in DNS for all the
domains configured for Federation before publishing the new certificate.
The new hash-value should be replaced with the OrgNextCertificate proof value output generated with "Get-FederatedDomainProof -DomainName example.com".
[PS] C:\windows\system32>Get-FederatedDomainProof -DomainName domain.nl


RunspaceId : 010137a2-e51c-41f7-88f6-f4e982724bb7
DomainName : domain.nl
Name       : OrgNextPrivCertificate
Thumbprint : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Proof      : XXXXXXXXnUXZ5I2/1r4OtQd+Ajif1kUWjbE/ZV/CIQfijGJlvcXXXXXXxsATxs82lE5l56iO+37XXXXXXXX
DnsRecord  : domain.nl TXT IN XXXXXXXXnUXZ5I2/1r4OtQd+Ajif1kUWjbE/ZV/CIQfijGJlvcXXXXXXxsATxs82lE5l56iO+37XXXXXXXX

RunspaceId : 010137a2-e51c-41f7-88f6-f4e982724bb7
DomainName : domain.nl
Name       : OrgPrivCertificate
Thumbprint : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Proof      : XXXXXXXXxqi4Dw2u377XXXXXXwpQUDo6TZrCyc+XgvWERobhE4b7WRnc2/lE89Sqta6FyFmOx++toIrBXXXXXXXX
DnsRecord  : domain.nl TXT IN XXXXXXXXxqi4Dw2u377XXXXXXwpQUDo6TZrCyc+XgvWERobhE4b7WRnc2/lE89Sqta6FyFmOx++toIrBXXXXXXXX



[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy $null
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy InternetWebProxyBypassList
---------------- --------------------------



[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  10.*;*.domain.lan;<local>

[PS] C:\windows\system32>netsh winhttp clear proxy
The following command was not found: winhttp clear proxy.
[PS] C:\windows\system32>netsh winhttp reset proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>$Servers = Get-ExchangeServer; $Servers | foreach {Get-ExchangeCertificate -Server $_ | Where {$_.Services -match 'Federation'}} | Format-List Identity,Thumbprint,Services,Subject


Identity   : sr-xxxxx.domain.lan\xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Thumbprint : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Services   : SMTP, Federation
Subject    : CN=Federation

Identity   : sr-xxxxx.domain.lan\XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Thumbprint : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Services   : SMTP, Federation
Subject    : CN=Federation

Identity   : sr-xxxxx.domain.lan\xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Thumbprint : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Services   : SMTP, Federation
Subject    : CN=Federation

Identity   : sr-xxxxx.domain.lan\XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Thumbprint : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Services   : SMTP, Federation
Subject    : CN=Federation

The Exchange Certificate operation has failed with an exception on server sr-xxxx1.  The error message is: Access is denied
    + CategoryInfo          : InvalidOperation: (:) [Get-ExchangeCertificate], LocalizedException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=80e9b8ef-a09d-4128-a7c9-533951782758,TimeStamp=25-4-2023 15:41:21] [FailureCategory=Cmdlet-LocalizedException] 12503763,Microsoft.Exchange.Manageme
   nt.SystemConfigurationTasks.GetExchangeCertificate
    + PSComputerName        : sr-xxxxx.domain.lan

The Exchange Certificate operation has failed with an exception on server sr-xxxx1.  The error message is: Access is denied
    + CategoryInfo          : InvalidOperation: (:) [Get-ExchangeCertificate], LocalizedException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=a311f800-dc09-4efa-8ceb-ecd97b6f5965,TimeStamp=25-4-2023 15:41:21] [FailureCategory=Cmdlet-LocalizedException] 9671FFC8,Microsoft.Exchange.Manageme
   nt.SystemConfigurationTasks.GetExchangeCertificate
    + PSComputerName        : sr-xxxxx.domain.lan



[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
Creating a new session for implicit remoting of "Set-FederationTrust" command...
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:34:59] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>$webclient=New-Object System.Net.WebClient
[PS] C:\windows\system32>$webclient.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:35:22] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>[Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
[PS] C:\windows\system32>[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=42e63050-a895-4073-a082-6d835d11e3eb,TimeStamp=26-4-2023 07:35:57] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:36:47] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp import proxy source=ie

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp import proxy source=ie

Current WinHTTP proxy settings:

    Proxy Server(s) :  http://proxy.domain.lan:8080
    Bypass List     :  10.*;*.domain.lan;<local>

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:40:27] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan




[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=42e63050-a895-4073-a082-6d835d11e3eb,TimeStamp=26-4-2023 07:40:53] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp reset proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp set proxy proxy.domain.lan:8080

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  (none)

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:43:46] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp set proxy proxy.domain.lan:8080 bypass-list="*.microsoftonline-p.com"

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  *.microsoftonline-p.com

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=2f6f2f77-9d84-4029-b860-3274731a42b7,TimeStamp=26-4-2023 07:45:04] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Stop-Service -Name WinHttpAutoProxySvc -Force
Stop-Service : Service 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' cannot be stopped due to the following error: Cannot open WinHttpAutoProxySvc service on computer '.'.
At line:1 char:1
+ Stop-Service -Name WinHttpAutoProxySvc -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (System.ServiceProcess.ServiceController:ServiceController) [Stop-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStopService,Microsoft.PowerShell.Commands.StopServiceCommand

Stop-Service : Collection was modified; enumeration operation may not execute.
At line:1 char:1
+ Stop-Service -Name WinHttpAutoProxySvc -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Stop-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.StopServiceCommand

[PS] C:\windows\system32>Set-Service -Name WinHttpAutoProxySvc -StartupType disabled
Set-Service : Service 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' cannot be configured due to the following error: Access is denied
At line:1 char:1
+ Set-Service -Name WinHttpAutoProxySvc -StartupType disabled
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (System.ServiceProcess.ServiceController:ServiceController) [Set-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotSetService,Microsoft.PowerShell.Commands.SetServiceCommand

[PS] C:\windows\system32>whoami
domain\Username
[PS] C:\windows\system32>
[PS] C:\windows\system32>
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/


[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList "10.*;*.domain.lan"
Cannot process argument transformation on parameter 'InternetWebProxyBypassList'. Cannot convert value "10.*;*.domain.lan" to type "Microsoft.Exchange.Data.MultiValuedProperty`1[Microsoft.Exchange.Data.Fqd
n]". Error: "Failed to convert 10.*;*.domain.lan from System.String to Microsoft.Exchange.Data.Fqdn. Error: Error while converting string '10.*;*.domain.lan' to result type Microsoft.Exchange.Data.Fqdn: "1
0.*;*.domain.lan" isn't a valid SMTP domain."
    + CategoryInfo          : InvalidData: (:) [Set-ExchangeServer], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-ExchangeServer
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/


[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList @{"10.*","*.domain.lan","*.microsoftonline-p.com"}
>> ^C
[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList @("10.*","*.domain.lan","*.microsoftonline-p.com")
Cannot process argument transformation on parameter 'InternetWebProxyBypassList'. Cannot convert value "10.* *.domain.lan *.microsoftonline-p.com" to type "Microsoft.Exchange.Data.MultiValuedProperty`1[Mic
rosoft.Exchange.Data.Fqdn]". Error: "Cannot convert value "10.*" to type "Microsoft.Exchange.Data.Fqdn". Error: ""10.*" isn't a valid SMTP domain.""
    + CategoryInfo          : InvalidData: (:) [Set-ExchangeServer], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-ExchangeServer
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList @("domain.lan","microsoftonline-p.com")
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/ {domain.lan, microsoftonline-p.com}


[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=c3dd4e8e-34bc-402a-9cdb-3cf6ca994637,TimeStamp=26-4-2023 07:56:54] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan
	
And here I added the following domains, "domains.live.com" and "www.msftconnecttest.com", to the bypass list on the proxy:




[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
WARNING: The federation trust has changed to use a new certificate for Federation. You should update all TXT proof-of-ownership records that were previously set in DNS for all the domains configured for
Federation. The new hash-value should be replaced with the OrgNextCertificate proof value output of the OrgNextCertificate generated with "Get-FederatedDomainProof -DomainName example.com".
[PS] C:\windows\system32>Get-FederationTrust | Format-List *priv*


OrgPrivCertificate     : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
OrgNextPrivCertificate :
OrgPrevPrivCertificate : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX



[PS] C:\windows\system32>Test-FederationTrust -UserIdentity user@domain.nl


Begin process.

STEP 1 of 6: Getting ADUser information for user@domain.nl...
RESULT: Success.

STEP 2 of 6: Getting FederationTrust object for user@domain.nl...
RESULT: Success.

STEP 3 of 6: Validating that the FederationTrust has the same STS certificates as the actual certificates published by the STS in the federation metadata.
RESULT: Success.

STEP 4 of 6: Getting STS and Organization certificates from the federation trust object...
RESULT: Success.


Validating current configuration for FYDIBOHF25SPDLT.domain.nl...


Validation successful.

STEP 5 of 6: Requesting delegation token...
RESULT: Success. Token retrieved.

STEP 6 of 6: Validating delegation token...
RESULT: Success.

Closing Test-FederationTrust...


RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : FederationTrustConfiguration
Type       : Success
Message    : FederationTrust object in ActiveDirectory is valid.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : FederationMetadata
Type       : Error
Message    : Unable to retrieve federation metadata from the security token service.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : StsCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : StsPreviousCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : OrganizationCertificate
Type       : Success
Message    : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : OrganizationPreviousCertificate
Type       : Success
Message    : Valid certificate referenced by property OrgPrevPrivCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : TokenRequest
Type       : Success
Message    : Request for delegation token succeeded.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : TokenValidation
Type       : Success
Message    : Requested delegation token is valid.



[PS] C:\windows\system32>
[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy $null -InternetWebProxyBypassList $null
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy InternetWebProxyBypassList
---------------- --------------------------
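
The whole procedure from the session above, consolidated into one script with the checks that were missing along the way. This is an added example and not the post's own code: the server name, certificate thumbprint, proxy URL, bypass-list FQDN, federated domain list and test user are placeholders to replace, and it assumes the Exchange Management Shell on the server that holds the federation trust plus the DnsClient module (Resolve-DnsName, Windows Server 2012 and later). Run it once with $Publish = $false to stage the certificate and print the TXT proof records, and again with $Publish = $true once those records resolve.

```powershell
# Added example, not the post's own code. Placeholders below must be replaced.
$Server           = 'sr-xxxxx'
$NewThumbprint    = '<NEW-FEDERATION-CERT-THUMBPRINT>'
$ProxyUrl         = 'http://proxy.domain.lan:8080'
$BypassFqdn       = 'domain.lan'          # assumption: your internal DNS suffix
$FederatedDomains = @('domain.nl')        # (Get-FederatedOrganizationIdentifier).Domains lists them
$TestUser         = 'user@domain.nl'
$Publish          = $false                # first run: stage + print DNS records; second run: $true

# 0. The new certificate must be enabled for Federation on every server. The loop in the
#    post hit "Access is denied" on one server; a server without the cert bites later.
foreach ($srv in Get-ExchangeServer) {
    $cert = Get-ExchangeCertificate -Server $srv -Thumbprint $NewThumbprint -ErrorAction SilentlyContinue
    if (-not $cert -or $cert.Services -notmatch 'Federation') {
        Write-Warning "$($srv.Name): certificate $NewThumbprint missing or not enabled for Federation"
    }
}

# 1. Remember the current proxy setting so it is restored whatever happens below.
$orig = Get-ExchangeServer -Identity $Server | Select-Object InternetWebProxy, InternetWebProxyBypassList
try {
    # 2. The Exchange server object, not netsh winhttp, is what the cmdlet honours. The
    #    bypass list takes plain FQDNs only: '10.*' and '*.domain.lan' are rejected as
    #    "isn't a valid SMTP domain".
    Set-ExchangeServer -Identity $Server -InternetWebProxy $ProxyUrl -InternetWebProxyBypassList @($BypassFqdn)

    if (-not $Publish) {
        # 3. Stage the new certificate as OrgNextPrivCertificate and print the TXT proof
        #    record for every federated domain; these must be in public DNS before publishing.
        Set-FederationTrust -Identity 'Microsoft Federation Gateway' -Thumbprint $NewThumbprint -RefreshMetadata
        foreach ($domain in $FederatedDomains) {
            Get-FederatedDomainProof -DomainName $domain |
                Where-Object { $_.Name -eq 'OrgNextPrivCertificate' } |
                ForEach-Object { Write-Host "Add to DNS: $($_.DnsRecord)" }
        }
        return
    }

    # 4. Refuse to publish unless the certificate was staged and every proof record resolves.
    if ((Get-FederationTrust).OrgNextPrivCertificate -ne $NewThumbprint) {
        throw "OrgNextPrivCertificate is not $NewThumbprint; run with `$Publish = `$false first"
    }
    foreach ($domain in $FederatedDomains) {
        $proof = Get-FederatedDomainProof -DomainName $domain | Where-Object { $_.Name -eq 'OrgNextPrivCertificate' }
        $txt   = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings
        if ($txt -notcontains $proof.Proof) { throw "Proof TXT record for $domain is not visible in DNS yet" }
    }

    # 5. Publish. A "(407) Proxy Authentication Required" here comes from the proxy, not from
    #    Exchange: the cmdlet runs inside the Exchange server process, which does not present
    #    your credentials to the proxy. The fix in the post was a proxy-side bypass for
    #    domains.live.com and www.msftconnecttest.com.
    Set-FederationTrust -Identity 'Microsoft Federation Gateway' -PublishFederationCertificate

    # 6. Verify the swap and the end-to-end token exchange; only failed checks are printed.
    $trust = Get-FederationTrust
    if ($trust.OrgPrivCertificate -ne $NewThumbprint) {
        throw "OrgPrivCertificate is '$($trust.OrgPrivCertificate)', expected $NewThumbprint"
    }
    Test-FederationTrust -UserIdentity $TestUser | Where-Object { $_.Type -eq 'Error' } | Format-List Id, Message
}
finally {
    # 7. Put the proxy setting back the way it was.
    Set-ExchangeServer -Identity $Server -InternetWebProxy $orig.InternetWebProxy `
        -InternetWebProxyBypassList $orig.InternetWebProxyBypassList
}
```

Two things the log above shows that the script relies on. Setting $webclient.Proxy.Credentials in your own shell (as tried in the session) cannot help, because Exchange cmdlets execute remotely in the server's process and never see objects created in the local session; that is also why only the server-side InternetWebProxy setting mattered. And Resolve-DnsName answers from the resolver your server uses, so a freshly added TXT record may take one TTL before step 4 passes.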

05 January 2023

Install or update PowerShellGet

To access the PowerShell Gallery, you must use Transport Layer Security (TLS) 1.2 or higher. By default, PowerShell is not configured to use TLS 1.2. Use the following command to enable TLS 1.2 in your PowerShell session.

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
There are two ways to install the NuGet provider:

- Use Install-PackageProvider to install NuGet before installing other modules. Run the following command to install the NuGet provider.

Install-PackageProvider -Name NuGet -Force

After you have installed the provider you should be able to use any of the PowerShellGet cmdlets with the PowerShell Gallery.

- Let Install-Module prompt you to install the NuGet provider. The following command attempts to install the updated PowerShellGet module without the NuGet provider; Install-Module then prompts you to install the NuGet provider. Type Y to install the provider.

Install-Module PowerShellGet -Force

NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or 'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
VERBOSE: Installing NuGet provider.

Note:
If you have not configured TLS 1.2, any attempts to install the NuGet provider and other packages will fail.

After installing PowerShellGet.
After you have installed the new version of PowerShellGet, you should open a new PowerShell session. PowerShell automatically loads the newest version of the module when you use a PowerShellGet cmdlet.

We also recommend that you register the PowerShell Gallery as a trusted repository. Use the following command:

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

Note that "Trusted" only switches off the "untrusted repository" prompt that Install-Module shows for every install from that repository; it verifies nothing about the module itself. The gallery is a public repository where anyone can publish, so keep checking the exact module name, author and version before installing, which is what the prompt would otherwise have reminded you to do.
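
The same steps as a rerunnable function, with a check in front of each so nothing is reinstalled that is already in place, and a summary object at the end to confirm the result. This is an added example and not from the original post or from Microsoft's documentation; it assumes Windows PowerShell 5.1 with the in-box PowerShellGet 1.0.0.1, and treats setting the gallery to Trusted as an explicit opt-in switch rather than the default.

```powershell
# Added example, not the post's own code. Assumes Windows PowerShell 5.1.
function Initialize-PSGalleryAccess {
    [CmdletBinding()]
    param(
        # Opt in explicitly: Trusted silences the untrusted-repository prompt for every install.
        [switch]$TrustGallery
    )

    # TLS 1.2 is a per-session setting; put this line in $PROFILE to make it stick.
    $tls12 = [Net.SecurityProtocolType]::Tls12
    if (-not ([Net.ServicePointManager]::SecurityProtocol -band $tls12)) {
        [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor $tls12
    }

    # NuGet provider 2.8.5.201 or newer; -ListAvailable only lists what is installed and
    # does not trigger the interactive bootstrap prompt.
    $minNuGet = [version]'2.8.5.201'
    $nuget = Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue |
             Sort-Object Version -Descending | Select-Object -First 1
    if (-not $nuget -or $nuget.Version -lt $minNuGet) {
        Install-PackageProvider -Name NuGet -MinimumVersion $minNuGet -Force | Out-Null
    }

    # Replace the in-box PowerShellGet 1.0.0.1 only when nothing newer is present yet.
    $psget = Get-Module -Name PowerShellGet -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1
    if (-not $psget -or $psget.Version -le [version]'1.0.0.1') {
        Install-Module -Name PowerShellGet -Force
    }

    if ($TrustGallery) {
        Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
    }

    # Summary for the log; the PowerShellGet version shown only becomes active in a new session.
    [pscustomobject]@{
        Tls12Enabled    = [bool]([Net.ServicePointManager]::SecurityProtocol -band $tls12)
        NuGetProvider   = (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue |
                           Sort-Object Version -Descending | Select-Object -First 1).Version
        PowerShellGet   = (Get-Module -Name PowerShellGet -ListAvailable |
                           Sort-Object Version -Descending | Select-Object -First 1).Version
        PSGalleryPolicy = (Get-PSRepository -Name PSGallery).InstallationPolicy
    }
}

Initialize-PSGalleryAccess   # add -TrustGallery to also mark the repository as Trusted
```

As the note above says, without TLS 1.2 the Install-PackageProvider call is the first thing that fails, which is why the function enables it before anything else touches the gallery.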

16 September 2022

Disable Exchange Online Remote PowerShell for users with PowerShell

A regular user has no need for remote PowerShell access to Exchange Online. So, we're going to disable it.

This is not as easy as you might think, I saw an article by "The Cloudtechnologist" (disable-exchange-online-remote-powershell-for-users-as-a-scheduled-task) but this is for Global admins only. What if you have roles assigned to Exchange Admins that are not Global admins?

This might help:

In the Connect-ExchangeOnline line, edit your username.
The "# Dir synced users" block disables all user accounts that are synced from on-premises.
The "# Guest users" block disables all guest users.
The "# Teams Rooms" block disables all room mailboxes.
The "# Block for a list of users" part reads account names from userlist.txt and disables those, and the Get-User ... Export-Csv line at the end creates a list with all accounts that are still enabled for remote PowerShell: go through that list manually and use it to disable the access for the remaining users.

You might need to change the filters to something that works for you, and as always with stuff found on the interwebs, test test test.

<#
.SYNOPSIS
Script to disable Exchange Online Remote PowerShell access for users, guests and room mailboxes.
.DESCRIPTION
Disables Exchange Online Remote PowerShell access for dirsynced users, guests and room mailboxes, and lets the remaining users be disabled by file list.
.EXAMPLE
Disable-EXOPowerShellForUsers
.NOTES
By      : Edwin van Brenk
For     : Company
Version : 1.0
Date    : 13-09-2022
SOA     : SOA-212
#>

#region functions

# One place for the Set-User call. -ErrorAction Stop is required: without it a failed
# Set-User is a non-terminating error and the catch block never runs.
function Disable-RemotePowerShell {
    param(
        [object[]]$Users = @(),
        [string]$Label = 'users'
    )
    $done = 0
    foreach ($User in $Users) {
        try {
            Write-Host "Disable-EXOPowerShellForUsers: process: Updating $($User.WindowsEmailAddress)"
            Set-User -Identity $User.WindowsLiveID -RemotePowerShellEnabled $false -Confirm:$false -ErrorAction Stop
            $done++
        }
        catch {
            Write-Warning "Something went wrong with $($User.WindowsLiveID): $($_.Exception.Message)"
        }
    }
    Write-Host "$done of $($Users.Count) $Label have been updated"
}

#endregion

Import-Module -Name ExchangeOnlineManagement

Connect-ExchangeOnline -UserPrincipalName username@company.com

# Fetch the tenant's users once; the three blocks below filter the same result.
Write-Host "Disable-EXOPowerShellForUsers: process: Getting all users from tenant"
$AllUsers = Get-User -ResultSize unlimited

# Dir synced users

$Users = $AllUsers | Where-Object { $_.IsDirSynced -eq $true }
Disable-RemotePowerShell -Users $Users -Label 'dirsynced users'

# Guest users

$GuestUsers = $AllUsers | Where-Object { $_.RecipientTypeDetails -eq 'GuestMailUser' }
Disable-RemotePowerShell -Users $GuestUsers -Label 'guest users'

# Teams Rooms

$TeamsRooms = $AllUsers | Where-Object { $_.RecipientTypeDetails -eq 'RoomMailbox' }
Disable-RemotePowerShell -Users $TeamsRooms -Label 'TeamsRooms'

# Block for a list of users

$UserList = Get-Content "C:\Users\Username\OneDrive - Company\Security Optimization Assesment\2022\Scripts\userlist.txt"
$UserList | ForEach-Object { Set-User -Identity $_ -RemotePowerShellEnabled $false -Confirm:$false }

# Everyone still enabled: review this list by hand and feed the leftovers back in via userlist.txt.
Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true' |
    Select-Object Name, WindowsLiveID, WindowsEmailAddress, RecipientType, RecipientTypeDetails |
    Export-Csv -Path "C:\Users\Username\OneDrive - Company\Security Optimization Assesment\2022\Scripts\AcceptedEnabledRemotePowerShellUserList.csv" -NoTypeInformation

<#
-To display only those users who don't have access to Exchange Online PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $false'

-To display only those users who have access to Exchange Online PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true'
#>

24 August 2022

Corporate Windows 10 devices pointing to WSUS

If you're not on Twitter, get on Twitter.

Famous words from @samilaiho, and you know why?
Because of tweets like these:

You should check your settings as this is a common error and can prevent a lot of nasty problems.

When Windows is pointed at a WSUS server, it stops trying to repair corrupted components from Microsoft servers.

Check the whole thread here:
https://twitter.com/SwiftOnSecurity/status/1561827619242475521
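
A way to check the setting the tweet warns about, as an added example that is not part of the original post or the thread. It reads the Windows Update client policy (is this machine pointed at WSUS?) and the "Specify settings for optional component installation and component repair" policy (may it fetch repair content from Windows Update anyway?). The registry locations and value meanings are the ones I know for those policies and are assumptions to verify against your own GPO result; the function does not change anything.

```powershell
# Added example, not from the post. Registry paths/value names are assumptions
# taken from the WindowsUpdate and Servicing ADMX policies; verify them locally.
function Get-WsusRepairPolicy {
    $wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au  = "$wu\AU"
    $svc = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing'

    # One value, or $null when the key or value does not exist.
    function Read-Policy([string]$Path, [string]$Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $wuServer     = Read-Policy $wu  'WUServer'                   # intranet update server URL
    $useWuServer  = Read-Policy $au  'UseWUServer'                # 1 = clients use WUServer
    $repairSource = Read-Policy $svc 'RepairContentServerSource'  # 2 = repair content straight from Windows Update
    $neverUseWu   = Read-Policy $svc 'UseWindowsUpdate'           # 2 = never download payload from Windows Update
    $localSource  = Read-Policy $svc 'LocalSourcePath'            # alternate source (share/WIM) for DISM

    $pointedAtWsus = ($useWuServer -eq 1) -and -not [string]::IsNullOrEmpty($wuServer)
    $repairFromWu  = ($repairSource -eq 2) -and ($neverUseWu -ne 2)

    [pscustomobject]@{
        WUServer                  = $wuServer
        UseWUServer               = $useWuServer
        RepairContentServerSource = $repairSource
        UseWindowsUpdate          = $neverUseWu
        LocalSourcePath           = $localSource
        PointedAtWsus             = $pointedAtWsus
        RepairFromWindowsUpdate   = $repairFromWu
        # The case the tweet warns about: WSUS client with no other repair source configured.
        RepairLikelyBlocked       = $pointedAtWsus -and -not $repairFromWu -and [string]::IsNullOrEmpty($localSource)
    }
}

Get-WsusRepairPolicy | Format-List
```

If RepairLikelyBlocked comes back True, the durable fix is the policy (enable "Download repair content and optional features directly from Windows Update instead of WSUS", or set LocalSourcePath to a share with the matching install.wim); the one-off workaround on a single box is DISM /Online /Cleanup-Image /RestoreHealth with /Source pointing at a matching WIM and /LimitAccess so it does not try WSUS at all.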




14 July 2022

Update-Module - Module PowershellGet was not installed by using Install-Module, so it cannot be updated.

Well, there we go again: something that should be easy and take 5 minutes turns into a 3 hour job.

How we got here?

Install-Module : A parameter cannot be found that matches parameter name 'AllowPrerelease'

Okay, so if that doesn't work, then try to update it.
No bueno: Update-Module refuses because PowerShellGet comes built in with Windows Server 2016, but as an older version (1.0.0.1) that was never installed with Install-Module. If you want all the bells and whistles (such as -AllowPrerelease) you need to install the newest version from the PowerShell Gallery.

That doesn't really help.
But what does help is going full mental.
PowerShellGet 1.0.0.1 does not update properly.

Now try the aggressive way of forcing your will onto this module. First check with Get-Module -ListAvailable PowerShellGet, PackageManagement that a copy newer than 1.0.0.1 is already present somewhere, because Install-Module itself is a PowerShellGet cmdlet: delete the in-box copy with nothing newer around and there is no Install-Module left to run.

Browse to C:\Program Files\WindowsPowerShell\Modules\
Open the folder C:\Program Files\WindowsPowerShell\Modules\PowershellGet and delete the subfolder 1.0.0.1
Open the folder C:\Program Files\WindowsPowerShell\Modules\PackageManagement and delete the subfolder 1.0.0.1
Browse to C:\Program Files (x86)\WindowsPowerShell\Modules\
Open the folder C:\Program Files (x86)\WindowsPowerShell\Modules\PowershellGet and delete the subfolder 1.0.0.1
Open the folder C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement and delete the subfolder 1.0.0.1

Now run Install-Module PowerShellGet -Force and Update-Module PowerShellGet

Check for correct installation and module version with Get-Command Install-Module.
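
The same cleanup as a function with the safety checks built in, as an added example that is not the post's own code. It removes the 1.0.0.1 folders listed above for both PowerShellGet and PackageManagement, but only after confirming that a newer copy of that module is visible to the session, warns when the module is currently loaded (PackageManagement's DLLs are then in use and the delete fails), and supports -WhatIf so you can see what would go before anything goes. The paths are the ones in the post; everything else is assumed.

```powershell
# Added example, not the post's own code. Run elevated, from a session in which
# neither module has been imported yet.
function Remove-InboxPowerShellGet {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $inbox = [version]'1.0.0.1'
    $roots = @(
        "$env:ProgramFiles\WindowsPowerShell\Modules",
        "${env:ProgramFiles(x86)}\WindowsPowerShell\Modules"
    )

    foreach ($name in 'PowerShellGet', 'PackageManagement') {
        # Newest copy visible to this session. Install-Module lives in PowerShellGet, so
        # deleting 1.0.0.1 with nothing newer present leaves you without Install-Module.
        $newest = Get-Module -Name $name -ListAvailable |
                  Sort-Object Version -Descending | Select-Object -First 1
        if (-not $newest -or $newest.Version -le $inbox) {
            Write-Warning "${name}: no copy newer than $inbox found; run Install-Module PowerShellGet -Force first"
            continue
        }
        Write-Verbose "${name}: keeping $($newest.Version) at $($newest.ModuleBase)"

        # A loaded module keeps its assemblies open; Remove-Item then fails on the DLLs.
        if (Get-Module -Name $name) {
            Write-Warning "${name} is loaded in this session; start a fresh session before removing it"
            continue
        }

        foreach ($root in $roots) {
            $path = Join-Path $root "$name\$inbox"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            if ($PSCmdlet.ShouldProcess($path, 'Remove in-box module folder')) {
                Remove-Item -LiteralPath $path -Recurse -Force
            }
        }
    }
}

Remove-InboxPowerShellGet -WhatIf -Verbose   # dry run; drop -WhatIf to delete
```

After a real run, open a new PowerShell session and check Get-Command Install-Module: its Version column should now show the gallery version rather than 1.0.0.1, and Update-Module PowerShellGet stops complaining that the module was not installed with Install-Module.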