27 May 2015

Configure Auto Enroll for Computer & User certificates

Searching for a good and clear "how to" I came across this blog post from Adrian Costea that sums it up in a very easy and understandable way.
Auto enrollment itself isn't hard at all, but if you're new to this it's hard to figure out where to start.

Well, this is how it's done:

Set Up Automatic Certificate Enrollment (Auto enroll)
Managing certificates usually does not need too much intervention. Issuing and enrolling for certificates, again is a piece-of-cake… in a small environment. But if you are running more than let’s say 50 workstations and servers enrolling for certificates is a week job, if not more. To ease the work; actually to automate this you can use Active Directory since you already have the tool in your hands. This is one of the advantages of an Active Directory domain with an Enterprise CA; you can deploy certificates automatically using a process known as auto enrollment. This greatly reduces the amount of administrative overhead required to deploy certificates to your clients; and all you need for this is a GPO linked to your domain or an OU configured with the auto enroll policy.
Before we start I presume you already have your Active Directory Certificate Service installed and at least some clients joined to the domain to be able to test this. If you don’t have enough hardware at your disposal, VMware Workstation is great way to do test labs.
In the first part of the article I’m going to talk about Computer Certificates Auto-Enrollment and in the second part about User Certificates Auto-Enrollment.
Computer Certificates Auto-Enrollment
Now log in to one of your domain controllers and open the Group Policy Management console.

Here you have to decide where the GPO should be linked. If you want only a bunch of clients to be configured for auto enrollment, create and link the GPO to the OU where those clients sit. If however, you want the policy to apply to all clients in your domain, create and link the GPO to the root of the domain.
 
To create the GPO, right-click the root of the domain or the OU and choose Create a GPO in this domain, and Link it here… Give it a name and click OK.

On the newly created GPO do a right-click and choose Edit.
Once the Group Policy Management Editor opens, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Here you will see the Certificate Services Client – Auto-Enrollment policy.
Open its properties and choose Enabled in the Configuration Model box, then check the boxes Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates. Click OK when you are done. As you can see this policy will automatically renew any expired certificates and also cleans up the certificate store of any certificates that expired.

     
Only configuring this will not get the job done. You have to tell the clients what type of certificate they can request and this can be done by creating a Certificate Request Setting. To set it up expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and choose New > Automatic Certificate Request.
Click Next to skip the Welcome screen of the wizard.
On the Certificate Templates page you can see all the templates that you can use to issue certificates from. The only one we are interested in right now is the Computer certificate. Select it and click Next and at the end click Finish to close the wizard.

Now you have a Certificate Request Setting created. Let's test it and see if it works.
Log in to one of your clients and open the certificate store from Start > Run > mmc. Once the console opens, from the File menu choose Add/Remove Snap-in.
In the Add/Remove Snap-ins window select Certificates and click the Add button.
Choose Computer account > Local computer.

If you look in the Personal folder you can see that there is no certificate. To see the magic happen in real time do a gpupdate /force then refresh the console. After this a computer certificate "magically" appears.
Oh yeah, and the certificate also has a private key, which is what we wanted.
Since this is group policy, you will have to wait between 90 and 120 minutes for the policy to get in effect. Then all clients that are affected by this GPO will auto-enroll for a computer certificate from your internal CA.
User certificates Auto-Enrollment
Now I know that most of you also need a way to auto-enroll for user certificates, so these users can encrypt their personal data or secure their emails. For this, a few things need to be modified or added to your Enterprise Internal CA and user accounts. First of all the users need to have an email address present in the E-mail field of their AD account.
You don’t need to have an email server present in your environment like Exchange server, just an email address typed in the user’s E-mail account field.
Then, a new certificate template needs to be created. Log in to one of your domain controllers and open the Certification Authority console. Right-click the Certificate Templates folder and choose Manage.
Search for the User template, right-click it and choose Duplicate.
On the General tab type a name for the new template then go to the Security tab. Here select Domain Users from the ACL (Access Control List) and in the Permissions section check the Enroll (should be already checked, but just in case) and Autoenroll box. Click
Back on the Certification Authority console, right-click the Certificate Templates folder one more time and choose New > Certificate Template to Issue. From the list, search for the new template, select it and click OK.

Now that the template is ready we need to set up the GPO that requests certificates on behalf of the user. Still on this domain controller, open the Group Policy Management console and create a new GPO. Again this can be created/linked to the root of the domain or an OU. If you link it to an OU make sure it is the one where users are present, not computers.

Once you create the GPO, right-click it and choose Edit. In the Group Policy Management Editor console expand User Configuration > Policies > Windows Settings > Security Settings and click on the Public Key Policies folder. Here we have almost exactly the view we had when we configured the computer certificate auto-enrollment. The policy that we are interested in is Certificate Services Client – Auto-Enrollment, so double-click it to open its properties; or right-click > Properties.
From the Configuration Model drop-down box choose Enabled then check the Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates boxes. Click OK when you’re done.
All you have to do now is wait for the users to get the new policy, and that can take between 90 and 120 minutes. If you don’t want to wait and force this process to see if it works do a gpupdate /force on the client computer. Then if you open the user certificates store you should see the certificate issued for the user that you are logged in with.
Taking a look at the certificate itself it has a private key, it was issued using the template we created and it has all the key usage necessary for the user to encrypt data and email. 
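Added here, and not part of the original post or Adrian Costea's article: a PowerShell check you can run on a client (after gpupdate /force) instead of clicking through the MMC. It reads the AEPolicy value that the Certificate Services Client – Auto-Enrollment policy writes for the computer and for the user, and lists the certificates in both Personal stores that were issued by your CA, with template, private-key presence and days to expiry. The registry location and the flag bits it decodes (1 = enabled, 2 = renew/update/remove, 4 = update templates, 0x8000 = disabled) are assumptions of this example, and $CaName is a placeholder for part of your issuing CA's name.

```powershell
# Added example, not part of the original post or Adrian Costea's article.
# Assumed: AEPolicy lives under ...\Policies\Microsoft\Cryptography\AutoEnrollment and uses the
# flag bits 1 (enabled), 2 (renew/update/remove), 4 (update templates), 0x8000 (disabled).
param([string]$CaName = 'CONTOSO-ISSUING-CA')   # placeholder: part of your issuing CA's name

function Get-AutoEnrollmentPolicy {
    param([ValidateSet('Computer','User')][string]$Scope)
    $hive  = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $key   = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value) {
        # The GPO has not been applied (yet): wait for the refresh interval or run gpupdate /force
        return [pscustomobject]@{ Scope = $Scope; Configured = $false; Enabled = $false;
                                  RenewUpdateRemove = $false; UpdateTemplates = $false }
    }
    [pscustomobject]@{
        Scope             = $Scope
        Configured        = $true
        Enabled           = (($value -band 0x1) -ne 0) -and (($value -band 0x8000) -eq 0)
        RenewUpdateRemove = (($value -band 0x2) -ne 0)
        UpdateTemplates   = (($value -band 0x4) -ne 0)
    }
}

function Get-AutoEnrolledCertificate {
    param([ValidateSet('LocalMachine','CurrentUser')][string]$StoreLocation, [string]$IssuerMatch)
    Get-ChildItem -Path "Cert:\$StoreLocation\My" |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            # The template extension shows which template (Computer, or your User copy) issued it
            $template = $_.Extensions |
                Where-Object { $_.Oid.FriendlyName -like 'Certificate Template*' } |
                ForEach-Object { $_.Format($false) }
            [pscustomobject]@{
                Subject       = $_.Subject
                Template      = ($template -join '; ')
                HasPrivateKey = $_.HasPrivateKey          # the post checks this by hand in the MMC
                DaysToExpiry  = [int]($_.NotAfter - (Get-Date)).TotalDays
                Thumbprint    = $_.Thumbprint
            }
        }
}

Get-AutoEnrollmentPolicy -Scope Computer
Get-AutoEnrollmentPolicy -Scope User
Get-AutoEnrolledCertificate -StoreLocation LocalMachine -IssuerMatch $CaName | Format-Table -AutoSize
Get-AutoEnrolledCertificate -StoreLocation CurrentUser  -IssuerMatch $CaName | Format-Table -AutoSize
```

If the policy shows Configured but no certificate appears, the usual causes are the ones the post already covers: the Automatic Certificate Request Setting (computer) or the template's Autoenroll permission and the E-mail attribute (user) is missing.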



20 May 2015

OneGet find, select and install silently

List all built-in package providers (requires PowerShell 5.0)

Find-PackageProvider -Provider bootstrap

Set Chocolatey as a trusted package provider

Get-PackageProvider -Name chocolatey -Trusted

Search for multiple packages, select a version and install

Find-Package | Out-GridView -Title "Select Packages to install" -PassThru | Install-Package -Force

Uninstall an installed package

Uninstall-Package -Name AdobeReader

Source
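Added here, not part of the original post: the same install done without -Force and without the grid picker, so that the trust decision is explicit. It checks that the source is registered and marked trusted before installing, pins one version, and reads back what was installed. It assumes the PackageManagement (OneGet) module that ships with PowerShell 5.0 and a package source registered as 'chocolatey'; the package name and version are placeholders.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.0 PackageManagement
# and a registered package source named 'chocolatey'.
$Source  = 'chocolatey'
$Name    = 'ExamplePackage'   # placeholder package name
$Version = '1.2.3'            # placeholder: pin the version you tested

# Refuse to install from an unknown or untrusted source instead of letting -Force hide it
$src = Get-PackageSource -Name $Source -ErrorAction SilentlyContinue
if (-not $src)           { throw "Package source '$Source' is not registered" }
if (-not $src.IsTrusted) { throw "Package source '$Source' is not trusted; review it first" }

# See which versions exist, then install exactly the one you pinned
Find-Package -Name $Name -Source $Source -AllVersions | Select-Object Name, Version, Source
Install-Package -Name $Name -RequiredVersion $Version -Source $Source

# Confirm what ended up installed and where it came from
Get-Package -Name $Name | Select-Object Name, Version, ProviderName, Source
```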

08 April 2015

Edge server certificate expired or issuing certificate renewed? Renew the EdgeSyncSubscription

When deleting an expired EdgeSyncSubscription certificate from your edge server, the following error is written in the eventlog:


The next error in the eventlog:



When the issuing certificate of your internal PKI CA has to be renewed, don't forget to renew it on the Edge servers as well.

When the Edge servers' certificates for the EdgeSyncSubscription have expired, renew the entire EdgeSyncSubscription.

A complete how to can be found here.
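Added here, not part of the original post: a small check that reports the certificates in the local machine's Personal store that have expired or will expire within a number of days, together with whether a trust chain can still be built for them. Run on an Edge server (or any server) it gives you the warning before the EdgeSyncSubscription certificate or the renewed issuing certificate becomes the event-log error above. It assumes the certificates of interest are in Cert:\LocalMachine\My, which is where Exchange keeps them by default.

```powershell
# Added example, not from the original post. Assumes the relevant certificates live in
# Cert:\LocalMachine\My (the Exchange default).
param([int]$WarnDays = 30)

function Get-ExpiringCertificate {
    param([int]$Days = 30, [string]$Store = 'Cert:\LocalMachine\My')
    $cutoff = (Get-Date).AddDays($Days)
    Get-ChildItem -Path $Store | Where-Object { $_.NotAfter -le $cutoff } | ForEach-Object {
        # Building the chain shows whether the issuing CA certificate (old or renewed) is still trusted here
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($_)
        [pscustomobject]@{
            Subject     = $_.Subject
            Issuer      = $_.Issuer
            NotAfter    = $_.NotAfter
            Status      = if ($_.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'expiring' }
            ChainOk     = $chainOk
            ChainStatus = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            Thumbprint  = $_.Thumbprint
        }
    }
}

Get-ExpiringCertificate -Days $WarnDays | Sort-Object NotAfter | Format-Table -AutoSize
```

An expired certificate will always report ChainOk false with NotTimeValid in ChainStatus; an unexpired one that reports UntrustedRoot or PartialChain is the case where the issuing certificate was renewed but the new CA certificate never reached this server.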

23 March 2015

Lync federation error ID 504 source id 239

When you receive the following error:


The (root) certificate from the company you are trying to federate with is not available.
And by root certificate I mean the CA from which the company acquired their certificate: Comodo, Baltimore CyberTrust, Go Daddy etc.

There are two ways to resolve this. The first is to find the sipfederationtls SRV DNS record like this:

nslookup -type=SRV _sipfederationtls._tcp.microsoft.com

SRV hostname = sipfed.microsoft.com

Now you can try to get a certificate by guessing webmail domain names, because the certificate at https://sipfed.microsoft.com:5061 doesn't return the certificate that you want.



An easier way is to download the RUCT tool (Remote RU Troubleshooter) found here.
Type the domain of the company you want to federate with and select the sipfederationtls SRV record, and on the Certificate Information tab click Go.


After finding the domain you want to federate with you can install the certificate with one mouse click in the local trusted certificate store on the Lync EDGE server.


You can easily find the imported certificate chain in the local trusted root store.
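Added here, not part of the original post and not the RUCT tool: a PowerShell function that does the two manual steps above in one go. It resolves the partner's _sipfederationtls._tcp SRV record, opens a TLS connection to the returned host and port, and reports the server certificate, the chain that could be built for it, and whether the top of that chain is a root already present in this server's trusted root store. It imports nothing; the output tells you which root CA is missing so you know what to review before trusting it. It assumes Resolve-DnsName (Windows 8 / Server 2012 and later), outbound TCP to the SRV port (normally 5061), and takes the domain as a parameter.

```powershell
# Added example, not from the original post. Assumes Resolve-DnsName is available and the
# Edge server can reach the partner's federation port.
param([string]$FederatedDomain = 'example.com')   # placeholder: the domain you want to federate with

function Get-FederationCertificateInfo {
    param([Parameter(Mandatory)][string]$Domain)

    $srv = Resolve-DnsName -Name "_sipfederationtls._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority, Weight | Select-Object -First 1
    if (-not $srv) { throw "No _sipfederationtls._tcp SRV record found for $Domain" }

    # The validation callback only records what the server presented; returning $true accepts
    # this one handshake for inspection and changes no trust settings on the server.
    $captured = @{ Cert = $null; Chain = @(); PolicyErrors = $null }
    $cb = {
        param($sender, $cert, $chain, $policyErrors)
        $captured.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $captured.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        $captured.PolicyErrors = $policyErrors
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$cb

    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $srv.NameTarget, $srv.Port
    try {
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($srv.NameTarget)
    } finally {
        $tcp.Close()
    }

    # Top of the chain: the root if a full chain could be built, otherwise the highest issuer found
    $top = $captured.Chain[-1]
    $rootInStore = ($top.Subject -eq $top.Issuer) -and (Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)")

    [pscustomobject]@{
        Domain           = $Domain
        SrvTarget        = "$($srv.NameTarget):$($srv.Port)"
        Subject          = $captured.Cert.Subject
        Issuer           = $captured.Cert.Issuer
        NotAfter         = $captured.Cert.NotAfter
        PolicyErrors     = $captured.PolicyErrors
        Chain            = @($captured.Chain | ForEach-Object { $_.Subject })
        TopOfChain       = $top.Subject
        RootInLocalStore = $rootInStore
    }
}

Get-FederationCertificateInfo -Domain $FederatedDomain | Format-List
```

PolicyErrors of RemoteCertificateChainErrors with RootInLocalStore false is exactly the 504/239 situation: the partner's CA is not in the Edge server's trusted root store. Check the Issuer and TopOfChain against the CA's published root before importing it.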




11 March 2015

Deleted item retention policy not working? Well, actually you're just being impatient

If you implement the deleted item policy retention tag in Exchange 2010 and assign it to a retention policy, you'll notice that it takes a long period before it actually starts working.

Searching the internet for a solution can lead you to the most critical blog posts, forums, dodgy solutions and advice.

In fact it's quite simple. If you set a retention policy tag for Deleted Items of, let's say, 31 days, the clock starts ticking the moment you assign the tag to a retention policy: the 31 days you selected count from that date. After those 31 days, when a user deletes a mail message the retention clock starts for that message, and it takes another 31 days before it gets marked as expired and deleted.

For emails already in the Deleted Items folder after the first 31 days, on the 32nd day the emails are processed accordingly.

So it's a combination of retention policy activation time, user email deletion date and the actual delete date.

Remember this before diving into the Google-O-matic or logging a call at Microsoft. It's not really well documented, but if you read carefully enough you could figure it out; I figured this out by checking every week what had happened thus far.

03 February 2015

Connect to Exchange Powershell website remotely (Office 365) and Exchange Server 2010, 2013

Start PowerShell as an administrator

Run Windows PowerShell and check your Execution policy settings:
Get-ExecutionPolicy
If the execution policy is set to Restricted please change it to RemoteSigned or Unrestricted:
Set-ExecutionPolicy RemoteSigned
Provide the target server administrator credentials:
$LiveCred = Get-Credential
Configure the connection:
In the case of connecting to Exchange Server 2010, 2013:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<target-server-address>/powershell/ -Credential $LiveCred
In the case of connecting to Exchange Online (Office 365):
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Start the connection:
Import-PSSession $Session
To disconnect type in:
Remove-PSSession $Session
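Added here, not part of the original post: the steps above wrapped in one function that uses the same two endpoints (on-premises https://<server>/powershell/ or Exchange Online's https://ps.outlook.com/powershell/) and adds what a step list leaves out: the execution policy check, an optional allow-list of cmdlets to import rather than the whole Exchange cmdlet set, and a guaranteed Remove-PSSession in a finally block. The server name and cmdlet names in the usage call are placeholders.

```powershell
# Added example, not from the original post. Endpoints are the ones the post lists;
# server name and cmdlet names below are placeholders.
function Connect-ExchangeRemote {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Server,            # FQDN of an Exchange 2010/2013 server; omit to use Exchange Online
        [string[]]$CommandName      # optional: import only these cmdlets instead of the whole set
    )
    if ((Get-ExecutionPolicy) -eq 'Restricted') {
        throw 'Execution policy is Restricted; run Set-ExecutionPolicy RemoteSigned first'
    }
    $sessionArgs = @{ ConfigurationName = 'Microsoft.Exchange'; Credential = $Credential; ErrorAction = 'Stop' }
    if ($Server) {
        $sessionArgs.ConnectionUri = "https://$Server/powershell/"
    } else {
        $sessionArgs.ConnectionUri    = 'https://ps.outlook.com/powershell/'
        $sessionArgs.Authentication   = 'Basic'
        $sessionArgs.AllowRedirection = $true
    }
    $session = New-PSSession @sessionArgs

    $importArgs = @{ Session = $session; DisableNameChecking = $true; AllowClobber = $true }
    if ($CommandName) { $importArgs.CommandName = $CommandName }
    # Import-PSSession called inside a function imports into the function's scope only;
    # re-importing the temporary module with -Global makes the cmdlets visible to the caller.
    Import-Module (Import-PSSession @importArgs) -Global -DisableNameChecking
    return $session
}

# Usage: connect, run what you need, and always tear the session down (the Remove-PSSession step).
$cred    = Get-Credential
$session = Connect-ExchangeRemote -Credential $cred -Server 'exchange01.domain.lan' -CommandName 'Get-Mailbox'
try {
    Get-Mailbox -ResultSize 5
} finally {
    Remove-PSSession $session
}
```

Leave out -Server to get the Exchange Online variant with Basic authentication and redirection, exactly as in the step list; the allow-list keeps a scripted session from pulling in hundreds of proxy functions it never calls.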

26 January 2015

The Exchange toolkit

Here's a great blog post from Chad Solarz over at the Technet blog.

Even though the post itself was last updated in May 2013, it is the biggest collection of tools I've seen so far.
View the post here.

Short summary of the tools listed:

VSSTester Script – Exchange 2010
MFCMAPI – Any version
Experfwiz – Exchange 2007 & higher (soon to be 2013 as well)
PAL – Any version
EWS Editor - Exchange 2007 and up
OffCat (now ver 1.2) – Outlook 2003 and higher
Network Message Analyzer – Any version
Microsoft Script Center Repository – Any version
Exchange Remote Connectivity Analyzer – All versions
Autodiscover Self Test – Exchange 2007 and up
Exchange Client Network Bandwidth Calculator – Any version
CalCheck tool – Outlook and Exchange 2003 and higher
Datacenter Switchover Troubleshooter – Exchange 2010
Log Parser Studio 2.0 – Any version
Exchange Legacy API Scanner – Exchange 2010
Exchange Pre-Deployment Analyzer
Exchange Deployment Assistant (EXDeploy)
Exchange Mailbox Server Calculator – 2010 / 2013
Exchange Processor Query Tool
Microsoft Connectivity Analyzer Tool – Any version
Exchange Server User Monitor (ExMon) – Exchange 2000 and higher
Exchange Server Profile Analyzer – Exchange 2007
Exchange get file log usage script - Exchange 2007 +
Public Folder Replication Troubleshooter – Exchange 2003
PST Capture tool – Exchange 2010 & 2013
LoadGen – Exchange 2010
JetStress – Exchange 2010 (soon to be 2013 as well)
TCPView – All versions
PortQry UI – All versions
EAS Troubleshooter script - all versions
Report CAL information script - Exchange 2010
Exchange Log Growth Collector Script - Exchange 2007 & 2010
Process Tracking Log (PTL) tool - Exchange 2007 & 2010
ActiveSync Guided walk-through - non-version specific
Outlook connectivity guided walkthrough - Exchange on-premises
Exchange 2003 Migration Toolkit - Exchange 2003
Office365 Mailbox Migration perf analysis - Hybrid / migration to the cloud
ActiveSync log analysis - All versions of Exchange
Exchange DB growth script - Exchange 2010 & 2013
Office 365 Mailbox / Folder sharing scenarios - Office 365 AND Exchange on-prem
Exchange Online migration guided walkthrough - Any on-prem to Office 365
Exchange Client Performance Analyzer
IMAP Migration walkthrough troubleshooter

20 January 2015

Outlook switches

Never knew this:

How to use Outlook's Command line switches

When you're having problems with Outlook you may be told to start Outlook using a specific command line switch.
To do this:
Close Outlook.
At the Start menu, Run command (or open the Run command by pressing Windows Key + R) type:
Outlook /switch
Then click OK to start Outlook. (There is a space between outlook and /.)
This screenshot shows how you enter it, using the /cleanreminders switch as an example.
Occasionally you'll need to use the full path to Outlook, then the command line looks like this:
"C:\Program Files\Microsoft Office\Office11\Outlook.exe" /switch

Notes:
Before using a command line switch, you need to close Outlook and verify it's closed in Task Manager's Processes tab.
Paths that include spaces between words must be enclosed in quotation marks (") and are case sensitive.
If you use Vista or Windows 7, you can type the command line in the Start Search field on the Start menu.
You'll need the full path if you want to create desktop shortcuts using a switch, such as to open Outlook to a specific folder:
"C:\Program Files\Microsoft Office\Office11\Outlook.exe" /select outlook:calendar
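Added here, not part of the quoted article: a PowerShell function that applies the notes above without hard-coding an Office version. It confirms Outlook is really closed (the Task Manager check), resolves the full path to Outlook.exe from the App Paths registry key, and launches it with the switch you pass via Start-Process, which takes care of quoting the path. The registry key is the standard Windows App Paths entry; the switch in the usage call is just the post's /cleanreminders example.

```powershell
# Added example, not from the original post. Uses the Windows App Paths registry entry
# to find Outlook.exe rather than the Office11 path quoted in the article.
function Start-OutlookWithSwitch {
    param(
        [Parameter(Mandatory)][string]$Switch,   # e.g. '/cleanreminders' or '/select outlook:calendar'
        [int]$WaitSeconds = 30
    )
    # The notes say to close Outlook and confirm it is gone before using a switch
    $running = Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue
    foreach ($p in $running) {
        $p.CloseMainWindow() | Out-Null
        if (-not $p.WaitForExit($WaitSeconds * 1000)) {
            throw "Outlook (PID $($p.Id)) is still running; close it before using a switch"
        }
    }

    # Full path to Outlook.exe for the installed version, so no Office folder name is guessed
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    $exe = (Get-ItemProperty -Path $appPath -ErrorAction Stop).'(default)'
    if (-not (Test-Path -LiteralPath $exe)) { throw "Outlook.exe not found at '$exe'" }

    # Start-Process quotes the path for us; the switch is passed as a separate argument
    Start-Process -FilePath $exe -ArgumentList $Switch -PassThru
}

# Usage: the article's example switch
Start-OutlookWithSwitch -Switch '/cleanreminders'
```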

All Switches

/a
Creates an item with the specified file as an attachment.
Usage:
Outlook /a "C:\My Documents\labels.doc"
If no item type is specified, IPM.Note form is assumed. This switch cannot be used with message classes that aren't based on Outlook.
/altvba otmfilename
Opens the VBA program specified in otmfilename, rather than %appdata%\Microsoft\Outlook\VbaProject.OTM. Use this switch when you need to run macros not in your VBAProject file.
/autorun macroname
Opens Outlook and immediately runs the macro specified in macroname.
/c messageclass
Creates a new item of the specified message class, works for any valid MAPI form.
Examples:
  • /c ipm.activity creates a Journal entry
  • /c ipm.appointment creates an appointment
  • /c ipm.contact creates a contact
  • /c ipm.note creates an e-mail message
  • /c ipm.stickynote creates a note
  • /c ipm.task creates a task
/checkclient
Prompts for the default manager of e-mail, news, and contacts.
/cleanclientrules
Starts Outlook and deletes client-based rules. Used by non-Exchange account users.
/cleandmrecords
Deletes the logging records saved when a manager or a delegate declines a meeting. Used by Exchange Server accounts.
/cleanfinders
Removes Search Folders from the Microsoft Exchange server store.
/cleanfreebusy
Clears and regenerates free/busy information. This switch can only be used when you are able to connect to your Microsoft Exchange server.
/cleanprofile
Removes invalid profile keys and recreates default registry keys where applicable.
/cleanpst
Launches Outlook with a clean Personal Folders file (.pst)
/cleanreminders
Clears and regenerates reminders.
/cleanrules
Starts Outlook and deletes client- and server-based rules.
/cleanschedplus
Deletes all Schedule+ data (free/busy, permissions, and .cal file) from the server and enables the free/busy information from the Outlook Calendar to be used and viewed by all Schedule+ 1.0 users.
/cleanserverrules
Starts Outlook and deletes server-based rules. Used only with Exchange server accounts.
/cleansniff
Overrides the programmatic lockout that determines which of your computers (when running Outlook simultaneously) processes meeting items. The lockout process helps prevent duplicate reminder messages. This switch clears the lockout on the computer it is used, enabling Outlook to process meeting items.
/cleansubscriptions
Deletes the subscription messages and properties for subscription features. Used with SharePoint alerts.
/cleanviews
Restores default views. Use with care as all custom views you created are lost.
/designer
Starts Outlook without figuring out if Outlook should be the default client in the first run.
/embedding
Opens the specified message file (.msg) as an OLE embedding. Also used without command-line parameters for standard OLE co-create.
/explorer
Opens the new window in "explorer" mode (link bar on).
/f msgfilename
Opens the specified message file (.msg) or Microsoft Office saved search (.oss).
/firstrun
Starts Outlook as if it were run for the first time.
/folder
Opens a new window in "folder" mode (Navigation Pane off).
/hol holfilename
Opens the specified .hol file.
/ical icsfilename
Opens the specified .ics file.
/importprf prffilename
Launches Outlook and opens/imports the defined MAPI profile (*.prf). If Outlook is already open, queues the profile to be imported on the next clean launch.
/l olkfilename
Opens the specified .olk file.
/launchtraininghelp assetid
Opens a Help window with the Help topic specified in assetid.
/m emailname
Provides a way for the user to add an e-mail name to the item. Use either the full address or let alias resolve. Only works in conjunction with the /c command-line parameter.
Usage:
Outlook.exe /c ipm.note /m test@poremsky.com
Outlook.exe /c ipm.note /m dianep
/nocustomize
Starts Outlook without loading outcmd.dat (customized toolbars). With older versions of Outlook the *.fav file doesn't load.
/noextensions
Starts Outlook with extensions turned off, but listed in the Add-In Manager.
/nopollmail
Starts Outlook without checking mail at startup.
/nopreview
Starts Outlook with the Reading Pane off and removes the option from the View menu.
/p msgfilename
Prints the specified message (.msg). Does not work with HTML.
/profile profilename
Loads the specified profile. If your profile name contains a space, enclose the profile name in quotation marks.
/profiles
Opens the Choose Profile dialog box regardless of the Options setting on the Tools menu.
/recycle
Starts Outlook using an existing Outlook window, if one exists. Can be used in combination with /explorer or /folder. The Outlook shortcut in the Quick Launch bar uses the /recycle switch.
/resetfoldernames
Resets default folder names (such as Inbox or Sent Items) to default names in the current Office user interface language. For example, if you first connect to your mailbox Outlook using a Russian user interface, the Russian default folder names cannot be renamed. To change the default folder names to another language such as Japanese or English, you can use this switch to reset the default folder names after changing the user interface language or installing a different language version of Outlook.
/resetfolders
Restores missing folders for the default delivery location.
/resetnavpane
Clears and regenerates the Navigation Pane for the current profile. Removes all Shortcuts and FavoriteFolders. Has the same effect as deleting profilename.xml in your user directory.
/rpcdiag
Opens Outlook and displays the remote procedure call (RPC) connection status dialog.
/s filename
Loads the specified shortcuts file (.fav). Use to load *.fav files created in older versions of Outlook.
/safe
Starts Outlook without extensions, Reading Pane, or toolbar customization.
/safe:1
Starts Outlook with the Reading Pane off. New to Outlook 2003.
/safe:2
Starts Outlook without checking mail at startup. New to Outlook 2003.
/safe:3
Starts Outlook with extensions turned off, but listed in the Add-In Manager. Outlook 2003 only.
/safe:4
Starts Outlook without loading Outcmd.dat (customized toolbars) and *.fav file. Outlook 2003 only.
/select foldername
Starts Outlook and opens the specified folder in a new window.
Usage:
"C:\Program Files\Microsoft Office\Office11\Outlook.exe" /select outlook:calendar
outlook /select "outlook:Inbox\Old Messages"
/sniff
Starts Outlook and forces a detection of new meeting requests in the Inbox, and then adds them to the calendar.
/t oftfilename
Opens the specified .oft file.
/v vcffilename
Opens the specified .vcf file.
/vcal vcsfilename
Opens the specified .vcs file.
/x xnkfilename
Opens the specified .xnk file.

15 January 2015

Get eventviewer events from multiple servers and email combined errors and warnings per server report

****UPDATED****
Check http://vanbrenk.blogspot.nl/2015/10/get-winevent-from-multiple-servers.html
for the new and improved version.

It's a bit of a mouthful, the title that is, but the script does even more.

Specify which servers you want to monitor the error and warning events from, then write an HTML file to a specified (shared) location per server and per type of log (System log or Application log).
You can even specify how far back in time you want to see the errors and warnings: 1 day, 2 or even 7 days.

Combine those files into a single HTML file and send that one by email.

That way you get one email that has all the info you want to see every morning.

The script:
#SMTP options for sending the report email
$smtpServer = "smtp.domain.lan"
$smtpFrom = "Eventlogs@domain.com"
$smtpTo = "username@domain.com"
$messageSubject = "Latest Eventlog events"

#Output location (no trailing backslash) and the logs to report on
$logPath = "C:\Temp\Eventlogs"
$logsys = "system"
$logapp = "application"

#Specify the servers you want to report on
$servers = "sr-xxxxx","sr-yyyyy","sr-zzzzz"

#HTML Output file style: put your CSS here (the original <style> block was lost when the post was published)
$style = ""
# End HTML Output file style

$date = Get-Date -Format dd-MM-yyyy
$now = Get-Date
#Specify the number of days you want to be reported on (days,hours,minutes,seconds,milliseconds)
$subtractDays = New-Object System.TimeSpan 1,0,0,0,0
$then = $now.Subtract($subtractDays)

#Make sure the output folder exists and start from a clean state
if (-not (Test-Path $logPath)) { New-Item -ItemType Directory -Path $logPath | Out-Null }
Remove-Item "$logPath\*.html" -ErrorAction SilentlyContinue

# Get the servers from the list and perform the following
Foreach ($server in $servers)
{
    $systemErrors = Get-EventLog -ComputerName $server -LogName $logsys -After $then -Before $now -EntryType "Error","Warning" | Select-Object EventID,MachineName,Message,Source,TimeGenerated,EntryType
    $systemErrors | ConvertTo-Html -Head $style -Body "<H2>System log Report From Server $server</H2>" | Out-File "$logPath\$server-$logsys-$date.html"

    $applicationErrors = Get-EventLog -ComputerName $server -LogName $logapp -After $then -Before $now -EntryType "Error","Warning" | Select-Object EventID,MachineName,Message,Source,TimeGenerated,EntryType
    $applicationErrors | ConvertTo-Html -Head $style -Body "<H2>Application log Report From Server $server</H2>" | Out-File "$logPath\$server-$logapp-$date.html"
}

#Combine all the per-server html files into one file (only the dated files, so combined.html is never appended to itself)
$combined = "$logPath\combined.html"
Get-Content -Path "$logPath\*-$date.html" | Add-Content -Path $combined

#Construct email message
Send-MailMessage -To $smtpTo -From $smtpFrom -SmtpServer $smtpServer -Subject $messageSubject -Body (Get-Content $combined | Out-String) -BodyAsHtml

# Remove all html files to prevent filling the disk
Remove-Item "$logPath\*.html"