
Happy Anniversary Absoblogginlutely!

16 years ago today I registered Absoblogginlutely.net and started to blog at this location. I totally missed the fact that back in March, helsby.net became 20 years old, a domain that I registered as an early birthday present to myself and is now used as my main email service.
This means I’ve been blogging on or off for about 20 years – how time flies!
Unfortunately I’ve not been updating this blog as often as I’d like as a lot of the tweaks and discoveries that I would normally blog about have become more work related and therefore more confidential.
However I would like to get back into the habit of documenting more so watch this space.
I’m heading to the Columbus Infosec Summit on Thursday and Friday this week which has always been full of interesting talks and demonstrations. It is sold out, but the twitter tag is .

Paula Januszkiewicz is one of the keynotes this year. Her presentations are always valuable, with a lot of takeaways, and she simultaneously manages to impress and scare me with the state of IT security nowadays.

Fixed – Screenconnect blocked by Windows Smartscreen

Due to an expired code-signing certificate, the version of Screenconnect that is launched from Connectwise Automate (aka Labtech) fails to run on 2 of my Windows 10 machines but works fine on the rest of the machines. The error message is “Your administrator has blocked this application because it potentially poses a security risk to your computer”. The ones that fail are running Windows 10 1809 and 1903, so I suspect that some of the newer SmartScreen features are enabled on those builds and older versions do not have these settings.


Checking out the file used for Screenconnect, I saw that the certificate used to sign the exe file expired on February 1st this year, but I’m not sure why my machines suddenly started to refuse to run it the last few days of March.

The Screenconnect.WindowsClient.exe is downloaded to a random subdirectory of appdata\local\apps\2.0, so I recommend you navigate to this directory, search for *.exe and check the correct Screenconnect file as per the screenshot below, which shows the certificate expiring on the 1st February.

ScreenConnect certificate expiry dates

After searching around and contacting Connectwise Support, they advised me this would be fixed in an upcoming version. In the meantime, setting the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel\Internet to a string type with the data Enabled allows the ClickOnce application to pop up a dialog box that gives the user the option of whether the file should be run or not (the previous setting was Disabled). The user can then select yes to install and run the file, overriding the expired code-signing certificate.

Obviously this is not a great idea but it does allow you to run Screenconnect from within the Automate window. (The other alternative is to use the Screenconnect website itself to connect).
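As an added example (not code from the original post or from ConnectWise), the script below does the two checks described above from PowerShell: it finds the ScreenConnect client under the ClickOnce cache, reports the signer and expiry of its Authenticode certificate, and reads the current TrustManager prompting levels. The `Set-ClickOnceInternetPrompting` function applies the temporary workaround and can revert it; the `%LOCALAPPDATA%\Apps\2.0` location is taken from the post, and the function names are my own.

```powershell
# Added example (not from the original post): inspect the ClickOnce ScreenConnect client's
# Authenticode signature and the .NET TrustManager prompting level described above.
# Assumes the client lives under %LOCALAPPDATA%\Apps\2.0 as the post states.

$AppsRoot  = Join-Path $env:LOCALAPPDATA 'Apps\2.0'
$PromptKey = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'

function Get-ScreenConnectSignatureReport {
    # Find every ScreenConnect client exe in the ClickOnce cache and report its signer and expiry
    Get-ChildItem -Path $AppsRoot -Filter 'ScreenConnect*.exe' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                Path     = $_.FullName
                Status   = $sig.Status                 # Valid / NotTrusted / NotSigned / ...
                Signer   = if ($cert) { $cert.Subject } else { $null }
                NotAfter = if ($cert) { $cert.NotAfter } else { $null }
                Expired  = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
            }
        }
}

function Get-ClickOncePromptingLevel {
    # Read the per-zone prompting levels; a missing key means the .NET defaults apply
    if (-not (Test-Path $PromptKey)) { return $null }
    Get-ItemProperty -Path $PromptKey |
        Select-Object Internet, LocalIntranet, TrustedSites, UntrustedSites, MyComputer
}

function Set-ClickOnceInternetPrompting {
    # The workaround from the post: Enabled lets the user see a prompt and decide; Disabled blocks.
    # Run elevated. Revert to Disabled once the vendor ships a re-signed build.
    param([ValidateSet('Enabled', 'Disabled')][string]$Level)
    if (-not (Test-Path $PromptKey)) { New-Item -Path $PromptKey -Force | Out-Null }
    Set-ItemProperty -Path $PromptKey -Name 'Internet' -Value $Level -Type String
}

Get-ScreenConnectSignatureReport | Format-Table -AutoSize
Get-ClickOncePromptingLevel
# Set-ClickOnceInternetPrompting -Level Enabled    # temporary workaround from the post
# Set-ClickOnceInternetPrompting -Level Disabled   # restore once a re-signed client ships
```

Running the report first makes it easy to confirm that the `NotAfter` date is the 1st February expiry shown in the screenshot, and re-running `Get-ClickOncePromptingLevel` after the fix ships is a quick way to make sure the relaxed setting did not get left behind.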

Fixed: PDF’s will not load over insecure http but will on secure https (if you have a Meraki firewall)

Had a weird issue this morning where pdf files that were served over http were getting blocked and would not load. Some sites also have https so we were able to just change the url to https and the file would then download.

After checking various browser settings I checked the Meraki firewall. By Disabling the Advanced Malware Protection (AMP) under Security/Threat Protection the files were downloaded successfully.
Instead of leaving AMP off, I then put in a whitelist URL of http://*.pdf and now pdf files load successfully with AMP still protecting the network.

Whitelisting pdf files in Meraki

The frustrating thing is that AMP does not seem to be logged anywhere, so it was not obvious that this was the cause of the problem. It also turns out that this has been a problem with AMP in the past, as this 2-year-old thread on Reddit shows!

Fixed: Scheduled automation task in Azure to start virtual machines does not complete successfully.

I use Azure’s automation accounts to stop and start virtual machines when they are not needed. One of our machines is used to host backups and is only used for a limited amount of time during the day when the backups run so it is shut down automatically after the backups have completed. 

Recently I ran some cleanup on my Azure subscription to get rid of some old test machines and in doing so removed one of the machines that was listed in an exclusion list of machines that should not be started or stopped (as I did not want this obsolete test machine starting on a daily basis).

Navigating to the Dashboard / Automation Accounts / Jobname / Scheduled Job/All logs shows that there is an invalid computer name.

Navigating through to Automation Account logs

It turns out that removing a machine from the Azure inventory while still keeping it in the VM exclude list actually stops the entire script from running. The short-term fix is to remove it from the VM exclude list, and the machines start again. The long-term fix (one day) is to have the script continue when the exclude list contains invalid server names.
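As an added example (not the post's own runbook, whose code is not shown), the snippet below implements the long-term fix described above: it compares the exclude list against the live VM inventory, warns about entries that no longer exist, and carries on starting the remaining machines instead of aborting. It assumes the Az.Compute module and a runbook that has already authenticated (for example with `Connect-AzAccount -Identity`); the resource group name and the VM names in the exclude list are constructed placeholders.

```powershell
# Added example (not the post's own runbook): start VMs while tolerating exclude-list
# entries that no longer exist in the subscription. Assumes the Az.Compute module and
# that the runbook has already authenticated (e.g. Connect-AzAccount -Identity).
# $ResourceGroup and the exclude list are constructed placeholders.

$ResourceGroup = 'rg-example'                    # placeholder
$ExcludeList   = @('backup01', 'oldtest02')      # constructed; 'oldtest02' no longer exists

function Get-VmStartPlan {
    param([string[]]$Inventory, [string[]]$Exclude)
    # Normalise case so 'OldTest02' and 'oldtest02' compare equal
    $inv = @($Inventory | ForEach-Object { $_.ToLowerInvariant() })
    $exc = @($Exclude   | ForEach-Object { $_.ToLowerInvariant() })
    [pscustomobject]@{
        Stale   = @($exc | Where-Object { $_ -notin $inv })   # in exclude list but not in Azure
        ToStart = @($inv | Where-Object { $_ -notin $exc })
    }
}

# Pull the live inventory once; -Status populates PowerState so running VMs can be skipped
$vms  = Get-AzVM -ResourceGroupName $ResourceGroup -Status
$plan = Get-VmStartPlan -Inventory $vms.Name -Exclude $ExcludeList

foreach ($name in $plan.Stale) {
    # Log and carry on instead of letting an unknown name abort the whole job
    Write-Warning "Exclude list entry '$name' does not exist in $ResourceGroup; ignoring it."
}

foreach ($vm in $vms) {
    if ($vm.Name.ToLowerInvariant() -notin $plan.ToStart) { continue }
    if ($vm.PowerState -eq 'VM running') {
        Write-Output "$($vm.Name) is already running"
        continue
    }
    Write-Output "Starting $($vm.Name)"
    Start-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -NoWait | Out-Null
}
```

Keeping the list comparison in its own function means the stale-entry handling can be tested locally with made-up names before the runbook is published, and the warnings show up in the same Automation job log that revealed the invalid computer name in the first place.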

Powershell oneliner to check network connections used on current machine based on Mike Robin’s blog post

Mike Robins had a nice tip yesterday about using powershell to see what your system is talking to and I thought I would tweak it slightly to potentially make it even more useful.

When I ran the command on my machine it took a while to run and I also thought it would be nice to tweak it so that the machine does a reverse dns lookup to retrieve the host names that the system is talking to. This might provide an indication of whether the connection is good or not.

I saved the output of the command to a variable so if I need to tweak the display output I can do so easily without running the script again.

This is a very quick and dirty hack and takes ages to run on my computer. It probably doesn’t help that I have a ton of chrome tabs open, which will require a lot of dns lookups, and several of them are the same host but this method will look them all up individually.


Yes, I split this ‘one-liner’ into multiple lines to make it easier to read on the screen but if you have to do that, then it’s not really a one-liner and even more so if you are unlikely to remember it.
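The command in the post only survives as a screenshot, so here is an added example of my own (not the post's command) that does the same job while addressing the slowness mentioned above: it lists established TCP connections with the owning process and a reverse DNS name, but caches each remote IP so that the same host is only resolved once. It uses the NetTCPIP and DnsClient modules (Windows 8 / Server 2012 and later); the function name is my own.

```powershell
# Added example (not the post's command, which was in an image): list established TCP
# connections with owning process and a reverse DNS name, resolving each remote IP only once.
# Requires the NetTCPIP and DnsClient modules (Windows 8 / Server 2012 and later).

function Get-ActiveConnectionReport {
    $ptrCache  = @{}                                  # remote IP -> host name; avoids repeat lookups
    $procCache = @{}                                  # PID -> process name

    $conns = Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|fe80:)' }  # drop loopback/link-local

    foreach ($c in $conns) {
        $ip = $c.RemoteAddress
        if (-not $ptrCache.ContainsKey($ip)) {
            try {
                $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop
                $ptrCache[$ip] = ($ptr | Where-Object NameHost | Select-Object -ExpandProperty NameHost) -join ','
            } catch {
                $ptrCache[$ip] = '(no PTR)'           # many cloud/CDN addresses have no reverse record
            }
        }
        $procId = $c.OwningProcess
        if (-not $procCache.ContainsKey($procId)) {
            $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $procCache[$procId] = if ($p) { $p.ProcessName } else { "pid $procId" }
        }
        [pscustomobject]@{
            Process       = $procCache[$procId]
            PID           = $procId
            LocalPort     = $c.LocalPort
            RemoteAddress = $ip
            RemotePort    = $c.RemotePort
            RemoteHost    = $ptrCache[$ip]
        }
    }
}

$report = Get-ActiveConnectionReport     # keep the result so it can be re-sorted without re-running
$report | Sort-Object RemoteHost, Process | Format-Table -AutoSize
$report | Group-Object RemoteHost | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

Saving the output in `$report` follows the same idea as the post: the slow part (the lookups) runs once, and the grouping at the end gives a quick view of which hosts a machine is talking to most, which is the first thing worth eyeballing when deciding whether a connection looks legitimate.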

Office365 Exchange Control Panel now has command logging for admins.

One of my annoyances with Office365 administration tasks was that I could make changes in the interface but had no idea what commands were being run behind the scenes. This made creating scripts a frustrating trial-and-error attempt at finding the correct verbs to run.
However, this morning I stumbled upon the Help/Show Command Logging option in the admin panel. This is similar to the Show Command output that was available in the Exchange 2010 admin console that I used extensively in the good old on-premises days.

I have no idea how long this has been here but it really made my day.

Now if only the rest of the Office365 admin panels had the same functionality.

Fixed: Unmountable Boot Volume error with Windows Server 2016 and Storagecraft’s SPX

We’ve been tracking down issues with Windows Server 2016 on a multitude of servers this week where the servers will reboot and come back with Unmountable Boot Volume, which is a pretty nasty experience for on-call. So far we’ve mainly seen it on Domain Controllers but also on a Hyper-V server. The solution is typically to do a last known good boot on the machine and then try to work out what has changed on the server and needs redoing. So far we’ve had issues with duplicate servers in Webroot and Automate along with a couple of server functions not working correctly.

Initially we thought it was a problem with Windows Updates, but it seems that the culprit is Storagecraft’s SPX version 6.7.4
The solution is either to downgrade to version 6.5 or get a patch for 6.7.4 that fixes this issue.

Download location for SPX 6.5.2:

For 6.7.4, you will need to get the patched stcvsm.sys from Storagecraft and then apply these instructions.

The patch is a very manual process. The new version of the stcvsm.sys driver is 2.2.73.0.36.
1. Install SPX 6.7.2:
2. Do NOT reboot
3. Rename %windir%\system32\drivers\stcvsm.sys to %windir%\system32\drivers\stcvsm-rtm.sys
4. Copy the 2.2.73 driver to %windir%\system32\drivers. Be sure to select the correct ‘bitness’.
5. Reboot
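As an added example (not StorageCraft's own instructions), the script below performs steps 3 and 4 above from an elevated PowerShell session with a couple of safety checks first: the replacement driver must carry a valid Authenticode signature and a file version starting with the 2.2.73 named above, and the script refuses to run if a stcvsm-rtm.sys backup already exists. `$PatchDir` is an assumed location holding the vendor-supplied x64 and x86 copies of the driver; the function names are my own.

```powershell
# Added example (not StorageCraft's instructions): apply the manual driver swap from the steps
# above with a few safety checks, run from an elevated session. $PatchDir is an assumed
# location holding the vendor-supplied x64\stcvsm.sys and x86\stcvsm.sys.

$PatchDir        = 'C:\Temp\stcvsm-patch'    # assumed
$ExpectedVersion = '2.2.73'                  # version prefix of the patched driver named above
$DriverDir       = Join-Path $env:windir 'System32\drivers'
$Live            = Join-Path $DriverDir 'stcvsm.sys'
$Backup          = Join-Path $DriverDir 'stcvsm-rtm.sys'

function Test-PatchedDriver {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "Patched driver not found at $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "Driver signature status is $($sig.Status); refusing to install" }
    $ver = (Get-Item $Path).VersionInfo.FileVersion
    if ($ver -notlike "$ExpectedVersion*") { throw "Unexpected driver version $ver" }
    return $ver
}

function Install-PatchedDriver {
    # Pick the driver matching the OS 'bitness', back up the RTM file (step 3), then copy (step 4)
    $arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
    $src  = Join-Path $PatchDir "$arch\stcvsm.sys"
    $ver  = Test-PatchedDriver -Path $src
    if (Test-Path $Backup) { throw "$Backup already exists; the patch may have been applied already" }
    Rename-Item -Path $Live -NewName 'stcvsm-rtm.sys'
    Copy-Item -Path $src -Destination $Live
    Write-Output "Installed stcvsm.sys $ver for $arch; reboot to load it (step 5)."
}

Install-PatchedDriver
```

The signature and version checks matter because a boot-critical filter driver that fails to load is exactly what produced the Unmountable Boot Volume in the first place; keeping the renamed RTM copy in place means the last-known-good route described above is still available if the patched driver misbehaves.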

It’s been very frustrating to have gone through this issue without any notification of this pretty serious bug from #Storagecraft

Edit: Today I discovered that Storagecraft now have a more detailed knowledge base article about resolving Inaccessible Boot Device after upgrade to 6.7.x. Judging from the comments I’ve had here, I’m not the only one who has had this issue and it still keeps happening for some users.

Prepping for #MSIgnite – 50% discount on exams taken at the conference.

I was eventually able to find a post on Uservoice that confirmed there was a discount on Microsoft exams if taken at MSIgnite. Pick the exam and register in the normal way, but when selecting the test center, choose Orlando, FL and then select the Ignite center. This will then give you a 50% discount on the exam that will show at the bottom of the invoice.

Microsoft exam discount

All the MSIgnite information is scattered all over the place, so you really do need to keep an eye on the forums and twitter to find out what’s happening.

I’m not sure what exams I will take this year but would like to get at least one done whilst I am there.

You can check out the rest of my #MSignite posts here.

Prepping for #MSIgnite – Mobile apps

It appears that the #MSIgnite2017 mobile apps are ready for download now. The Android app is available here and the Apple app here.

I only downloaded the Android version of the app, although I was a bit concerned about the authenticity of the app. I have not seen any official notification from Microsoft about the apps being available, and the publisher of the application is Eventbase Technology and not Microsoft. The reviews were also pretty scathing, saying that the logins did not work, so all the signs were pointing to a phishing attack. However, Eventbase Technology, Inc seem to do a lot of event apps for various people, so it sounded like it may be legit. After the app was downloaded it did go to an official-looking live.com sign-in page, and as I have 2fa enabled on my account and my account password is different from the passwords used anywhere else, I didn’t feel too nervous about signing in.

Curiously the app has an option to create a Live Id as it’s just providing the standard Live Id login page but this functionality is kind of pointless as you need an id to sign up for MSIgnite in the first place.

Unlike the others, I was able to sign in successfully and the schedule that I’ve already set up online syncs down nicely to the app. As you can see from the image below, it doesn’t help with overlapping schedules 😉 but you can see the ability to add/remove sessions to the schedule.

Interestingly, I still don’t see the keynotes listed in the session schedules. Anyone know when these are and why they would not be in the scheduler?