Step by Step Create a User P2S VPN using Azure Secured Virtual Hub and Azure Active Directory #SDWAN #Azure #Secure

There are multiple ways to set up a VPN and to connect to it. In this blog I use an Azure Virtual WAN hub with its security and routing policies configured through Azure Firewall Manager.

When connecting to your Virtual Hub over the IKEv2 protocol, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication.

I will use OpenVPN with Azure Active Directory authentication. Remember that this is only supported on Windows 10, as you will need the Azure VPN Client from the Microsoft Store.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

To give the VPN application the proper permissions, you first need to register the application in your Azure AD.

Below is the default URL that triggers the registration; use an account with the rights to create an enterprise app in your Azure AD, as the URL asks for admin consent.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Sign in with the proper credentials.


Using the wrong account results in the following error:

AADSTS50020: User account  from identity provider ‘live.com’ does not exist in tenant ‘Microsoft’ and cannot access the application ‘4b4′(Azure VPN) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.


Once you have accepted, you will be redirected to the Azure portal.


In the Azure portal, go to Azure Active Directory > Enterprise applications > All applications and search for Azure VPN.


Now that the basics are in place, we can configure our VPN profile. The following information is needed.

Go to your Virtual WAN and select User VPN configurations.


Create User VPN (note: while I was writing this blog post the portal changed its layout, so the screens may differ).

  • Configuration name – Enter the name you want to call your User VPN Configuration.
  • Tunnel type – Select OpenVPN.
  • Authentication method – Select Azure Active Directory.
  • Audience – Type in the Application ID of the Azure VPN Enterprise Application registered in your Azure AD tenant.
  • Issuer – https://sts.windows.net/tenantID/
  • AAD Tenant – https://login.microsoftonline.com/TenantID


Select OpenVPN.

Go to Azure Active Directory > Properties and grab the Tenant ID.


Set the switch to Yes and new fields will appear.

The number shown is your tenant ID.

Now that the user VPN profile is created we can configure the hub and create the P2S VPN. Select your hub.


Select User VPN (point to site) and select Create.


When creating the VPN gateway, select the user VPN profile you just created.


Select a proper IP subnet and, if needed, a DNS server for the workloads in that network.

Updating a hub can take 30 minutes or more.


Download the user VPN profile, as we need it on the Windows 10 client later.

Use the VPN profile to configure your clients.

  1. On the page for your Virtual WAN, click User VPN configurations.
  2. At the top of the page, click Download user VPN config.
  3. Once the file has finished creating, you can click the link to download it.
  4. Use the profile file to configure the VPN clients.


Next, download the Azure VPN Client on your Windows 10 test device. Use this link to download the Azure VPN Client.


Open the VPN client; you can add a new VPN or import a connection.


To import the connection we need the zip file we just downloaded. Extract it; in the AzureVPN folder there is an XML file that holds the VPN configuration.


If anything goes wrong with the import, it is 99% certain to be your pbk file.

Go to the following locations and delete the files. This will probably also remove your other VPN connections, if you had any.

%userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

C:\Users\admin\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState


Now that the import worked, you are ready to connect to the VPN in Azure.


Use your Azure AD credentials or your FIDO2 key.


Now we are fully connected to the secured Virtual WAN in Azure.


It can take some time before your connection shows up in the portal.


As shown above, this is all easy to set up, but I can already see the question: yes, but I need to do this on 5000 Windows 10 devices.

Microsoft Endpoint Management is your best friend.

Deploy VPN with Microsoft Endpoint Management 

We create a Custom template and do not select the VPN profile type, as that option is not for uploading the XML.


In our custom settings we add the following:

  • Name: Enter a name for the configuration.
  • Description: Optional description.
  • OMA-URI: ./User/Vendor/MSFT/VPNv2/demo01_hub-weu/azurevpnconfig.xml (this information can be found in the azurevpnconfig.xml file in the tag Name).
  • Data type: String (XML file).
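Before pushing the profile to thousands of devices, it is worth checking that the XML you are about to deploy actually points at your tenant and at the Azure VPN application. The following PowerShell is an added example, not code from this post; it reads the audience, issuer, tenant and protocol values from azurevpnconfig.xml and compares them with what you entered in the portal. It assumes the profile uses elements named audience, issuer and tenant under clientauth/aad, plus name and protocol, so verify those names against your own file.

```powershell
# Added example (not from the original post): sanity-check the Azure VPN Client
# profile XML before you push it to thousands of devices through an OMA-URI policy.
# Assumption: the profile carries elements named audience, issuer and tenant under
# clientauth/aad, plus name (profile name) and protocol (tunnel type). Check these
# against your own azurevpnconfig.xml before relying on the result.

function Test-AzureVpnProfileXml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedTenantId,
        # Application ID of the Azure VPN enterprise app (the client_id in the consent URL)
        [string] $ExpectedAudience = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'
    )

    [xml] $xml = Get-Content -Path $Path -Raw

    # local-name() makes the lookup work whether or not the file declares a namespace
    function Get-ProfileValue([string] $Element) {
        $node = $xml.SelectSingleNode("//*[local-name()='$Element']")
        if ($null -eq $node) { return $null }
        return $node.InnerText.Trim()
    }

    # What the profile must say, derived from the values entered in the portal
    $expected = [ordered]@{
        audience = $ExpectedAudience
        issuer   = "https://sts.windows.net/$ExpectedTenantId/"
        tenant   = "https://login.microsoftonline.com/$ExpectedTenantId"
        protocol = 'OpenVPN'   # Azure AD authentication is only offered for OpenVPN
    }

    $problems = @(foreach ($key in $expected.Keys) {
        $actual = Get-ProfileValue $key
        if ($null -eq $actual) {
            "missing element <$key>"
        } elseif ($actual.TrimEnd('/') -ne $expected[$key].TrimEnd('/')) {
            "$key is '$actual', expected '$($expected[$key])'"
        }
    })

    [pscustomobject]@{
        ProfileName = Get-ProfileValue 'name'   # the name used in the OMA-URI path
        Audience    = Get-ProfileValue 'audience'
        Issuer      = Get-ProfileValue 'issuer'
        Tenant      = Get-ProfileValue 'tenant'
        Valid       = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Usage, with a placeholder tenant id:
# Test-AzureVpnProfileXml -Path .\AzureVPN\azurevpnconfig.xml -ExpectedTenantId '<your-tenant-id>'
```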


Now that this is done we can create some assignments and test this on the pilot group.


As you can see, there are a few steps involved, and they are linked together.


Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Journal, a Microsoft Garage project #Windows10 #Journal #Garage #Wimvp #WindowsInsiders @MSFTGarage

What is the Journal app? It is a Windows 10 app that helps people who love to journal to evolve their ideas and express themselves quickly with the power of their digital pen.

Description

Journal, a Microsoft Garage project, is an app for Windows that invites people who love to journal to pick up their digital pen, express themselves quickly, and evolve their ideas. Of all the different methods of device interaction, digital ink is unique in the speed and degree of natural expression and in aiding memory. With Journal, disparate ideas can be connected, drawings can be sketched, annotations can be freely inserted, information can be located with search, and you can easily connect your ink across other apps to grow your best ideas. Journal provides an ink-first solution that delivers new AI, intuitive gestures, and connected experiences for Microsoft 365 for work and school (subscription required, sold separately). It’s designed for people who thrive when writing out their ideas, notes, and sketches. The Microsoft Garage is an outlet for experimental projects for you to try. Learn more at https://garage.microsoft.com


Download the Journal tool from the Store


There is a quick introduction guide to get you started.

Features

  • An ink-first experience for those who write with a digital pen
  • A page-based canvas for easy scrolling, optimized for tablet and 2-in-1 devices
  • New intuitive Ink Gestures that don’t require mode switches
  • Drag and drop your content between pages, or to your favorite applications
  • Microsoft 365 Integration to access your Calendar for faster meeting notes (Subscription required, sold separately)
  • Import and markup PDF documents and images
  • Search using keywords or filters


What’s new in this version

  • Improved ability to open journals from Documents folders stored on networks
  • Fixed issue with sending email for M365 Work and School users
  • Improvements to Scratch Out
  • Improvements for signing in with Microsoft 365 Work or School account
  • General bug and performance tweaks with ink AI, undo, and opening/closing journals


Try it out https://aka.ms/TryJRNL
Learn more https://aka.ms/JRNLblog

Windows 10 tips and tricks #windows10 #ITPRO #Assist #keyboard #tricks

Nowadays I hardly see Windows 7 or older in the wild anymore. It’s all Windows 10, but within that I see all builds, from 1511 to the latest. I must say a lot has changed and it is almost hard to keep up with all the new stuff. If you are part of the Windows Insiders you can already test the next version or update. This time it is just a short blog post about some handy Windows 10 tricks and tips.

The current Windows 10 versions can be found here.


Personally I’m a mouse or command line fan; I hardly use the Windows key, I guess my left hand is too lazy. But once you use Windows key + X, R, P or L it is super handy. And yes, the most used shortcuts are probably Ctrl+A, Ctrl+C and Ctrl+V.

But did you know there is a big list? There is a key for almost everything.

Take a look at this site for your shortcut

Keyboard shortcuts in Windows

And if you need help you can always ask someone you know. Did you know there is a Quick Assist option in Windows 10?


Quick Assist is a simple tool to view the other person’s screen, see the issue they have and help them.

So how do you start? In the Windows menu, type quick or assist and you will see the app.


When it opens there are two options: give or receive support.

So contact the person who will help you; they need to open Quick Assist and choose Assist another person.


The assister needs to log in with a Microsoft Passport.

The number is for the receiver.


On the helper side there is a question: view or full access?

When approved, the session can start.

Below is an overview of helper and receiver.


Closing the Quick Assist program, or pressing Stop, disconnects the session.

A quick tool, no install needed and super handy. The above steps only show the connection; if you have a highly secured desktop you might need some extra settings.

Step by Step Azure NAT Gateway – Static Outbound Public IP address #ANG #NAT #WVD #Azure #Security #Cloud #MVPBuzz #AzOps #ITPRO #VirtualNetworks #PowerShell

There are several ways of using an external IP in Azure, and which method to use is up to you. Remember there is no right or wrong, only different opinions or insights on how to use it.

Public IP addresses allow Internet resources to communicate inbound to Azure resources. Public IP addresses also enable Azure resources to communicate outbound to Internet and public-facing Azure services with an IP address assigned to the resource. The address is dedicated to the resource, until it is unassigned by you. If a public IP address is not assigned to a resource, the resource can still communicate outbound to the Internet, but Azure dynamically assigns an available IP address that is not dedicated to the resource.

Some of the resources you can associate a public IP address resource with are:

  • Virtual machine network interfaces
  • Internet-facing load balancers
  • VPN gateways
  • Application gateways
  • Azure Firewall
  • NAT Gateway

Matching SKUs must be used for load balancer and public IP resources. You can’t have a mixture of basic SKU resources and standard SKU resources. You can’t attach standalone virtual machines, virtual machines in an availability set resource, or a virtual machine scale set resources to both SKUs simultaneously.

Virtual Network NAT (network address translation) simplifies outbound-only Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses your specified static public IP addresses. Outbound connectivity is possible without load balancer or public IP addresses directly attached to virtual machines. NAT is fully managed and highly resilient.


So this is only for outbound connections. Why not use the resource group IP, which is also “static”? Using that IP means all VMs must be in the same resource group, and when the resource group changes the IP changes too.


NAT is compatible with standard SKU public IP address resources or public IP prefix resources or a combination of both. You can use a public IP prefix directly or distribute the public IP addresses of the prefix across multiple NAT gateway resources. NAT will groom all traffic to the range of IP addresses of the prefix. Any IP whitelisting of your deployments is now easy.

So how do you implement this? A step-by-step guide, GUI and PowerShell. Looking at my demo setup, there are 2 VMs, each in a different resource group.

Setting up the NAT gateway is done in 3 tabs, where you fill in the name and which vNet to use.


We add a new NAT gateway.


We create a new resource group and choose a NAT gateway name.

We leave the idle timeout at 4 minutes for now.


We configure an external IP with a Standard SKU; Basic is not supported.


The next step is to choose the external outbound IP pool (prefix): the minimum is 2 and the maximum is 256 addresses. This is optional; only do this if you want a pool of external IPs, otherwise it just uses the one external IP.


You can select a maximum of 2 prefixes.


Configure which subnets of a virtual network should use this NAT gateway. Subnets with Basic load balancers or virtual machines that are using a Basic public IP are not compatible and cannot be used.
Note: While you do not have to complete this step to create a NAT gateway, the NAT gateway will not be functional until you have added at least one subnet. You can also add and reconfigure which subnets are included after creating the NAT gateway.


In the last step we attach the NAT gateway to a subnet. Then we check the VMs on this subnet for their outbound IP (remember, the VM does not need a public IP on its network card).


Here I have 2 VMs, both getting an IP from the prefix.


If there is only a small prefix, both machines will get the same external outbound IP.


Over time it recycles the external IPs, depending on the scope and usage.


So in just a few steps you have a useful gateway for all your outbound traffic.

Building this in PowerShell is also easy. I use a semi-automatic script, as I want to choose my network, but you can change this to a fixed network if you want.

Remember that this needs the latest Az.Network module; in the old modules there is no Get-AzNatGateway command, and without it the PowerShell does not work.

First we set some parameters:

# Set the variables for the NAT Gateway.
$rg = 'rg-rsm-natgw001'
$Location = 'Westeurope'
$sku = 'Standard'
$PublicIpname = 'pup-rsm-natgw001'
$Publicprefixname = 'pxp-rsm-natgw001'
$NatGatewayname = 'gwn-rsm-natgateway001'

# Create the resource group
New-AzResourceGroup -Name $rg -Location $Location


First we create an external IP and/or a range.

# Create a Standard SKU public IP (Basic is not supported by NAT gateway)
$publicIP = New-AzPublicIpAddress -Name $PublicIpname -ResourceGroupName $rg -AllocationMethod Static -Location $Location -Sku $sku
$publicIP | Select-Object Name, ResourceGroupName, IpAddress, IdleTimeoutInMinutes, ProvisioningState


With the Zone attribute you can create zone redundancy, but this is not needed for this resource.

# Create an IP prefix (the prefix length decides how many IPs you get; /29 = 8)
$publicIPPrefix = New-AzPublicIpPrefix -Name $Publicprefixname -ResourceGroupName $rg -Location $Location -PrefixLength 29

$publicIPPrefix | Select-Object Name, IPPrefix, PrefixLength, ProvisioningState


You can skip this if you want only one external IP.

Next is creating the gateway.


# Create the NAT gateway, attaching both the single public IP and the prefix
$natGateway = New-AzNatGateway -Name $NatGatewayname -ResourceGroupName $rg -PublicIpAddress $publicIP -PublicIpPrefix $publicIPPrefix -Location $Location -Sku $sku -IdleTimeoutInMinutes 4
$natGateway | Select-Object Name, ResourceGroupName, IdleTimeoutInMinutes, SkuText | Format-Table -AutoSize -Wrap


Now that the gateway is created we can add a subnet to it. I used point-and-click (Out-GridView) so that I can choose the network and subnet, but you can also use a variable for this.

$virtualNetwork = Get-AzVirtualNetwork | Out-GridView -PassThru -Title "Pick the vnet that will be used for the NAT gateway"


$NATSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $virtualNetwork | Out-GridView -PassThru -Title "Pick the Subnet that will be used for the NAT gateway"


# Associate the NAT gateway with the chosen subnet and write the vNet back to Azure
$NATSubnet.NatGateway = $natGateway
$virtualNetwork | Set-AzVirtualNetwork

The network is chosen and the subnet is selected.

In the Azure portal you can see the result.
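The portal warned that subnets holding Basic load balancers or Basic SKU public IPs cannot use a NAT gateway. The PowerShell below is an added example, not part of the post's own script: it inspects a subnet, lists the NICs in it, flags any NIC with a Basic SKU public IP, and reports which NAT gateway (if any) is already associated. The resource names rg-demo, vnet-demo and snet-demo are placeholders.

```powershell
# Added example (not from the original post): check a subnet for NAT gateway
# compatibility using only Az.Network cmdlets. Reports which NICs sit in the
# subnet, whether any of them carries a Basic SKU public IP (incompatible with
# NAT gateway), and which NAT gateway, if any, is already associated.
# Placeholders: rg-demo, vnet-demo and snet-demo are made-up names.

function Get-NatGatewaySubnetReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VirtualNetworkName,
        [Parameter(Mandatory)] [string] $SubnetName
    )

    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VirtualNetworkName
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

    # NICs from any resource group whose IP configuration lives in this subnet
    $nics = Get-AzNetworkInterface | Where-Object {
        $_.IpConfigurations.Subnet.Id -contains $subnet.Id
    }

    # Fetch public IPs once; only the SKU and id are needed
    $publicIps = Get-AzPublicIpAddress

    $nicReport = foreach ($nic in $nics) {
        foreach ($ipconfig in $nic.IpConfigurations) {
            if ($ipconfig.Subnet.Id -ne $subnet.Id) { continue }

            $pip = $null
            if ($ipconfig.PublicIpAddress) {
                $pip = $publicIps | Where-Object { $_.Id -eq $ipconfig.PublicIpAddress.Id }
            }
            $pipName = $null
            $pipSku  = $null
            if ($pip) { $pipName = $pip.Name; $pipSku = $pip.Sku.Name }

            [pscustomobject]@{
                Nic          = $nic.Name
                PrivateIp    = $ipconfig.PrivateIpAddress
                PublicIpName = $pipName
                PublicIpSku  = $pipSku
                # a Basic SKU public IP on the NIC blocks NAT gateway on this subnet
                Blocking     = ($pipSku -eq 'Basic')
            }
        }
    }

    $natName = '(none)'
    if ($subnet.NatGateway -and $subnet.NatGateway.Id) {
        $natName = ($subnet.NatGateway.Id -split '/')[-1]
    }

    [pscustomobject]@{
        Subnet            = $subnet.Name
        AddressPrefix     = ($subnet.AddressPrefix -join ', ')
        NatGateway        = $natName
        BlockingBasicPips = @($nicReport | Where-Object { $_.Blocking }).Count
        Nics              = @($nicReport)
    }
}

# Usage:
# $r = Get-NatGatewaySubnetReport -ResourceGroupName rg-demo -VirtualNetworkName vnet-demo -SubnetName snet-demo
# $r | Format-List
# $r.Nics | Format-Table -AutoSize
```

A BlockingBasicPips value above zero means the subnet will be rejected when you try to associate the NAT gateway, so upgrade or remove those public IPs first.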


Installing tenant attach with Microsoft Endpoint Configuration Manager Update 2002 #MEMCM #MEMAC #ConfigMgr

At Microsoft Ignite 2019 it was announced that SCCM is now MEMCM and that Intune and MEMCM can be managed in one portal. With update 2002 this option is finally here. Microsoft Endpoint Manager is an integrated solution for managing all of your devices: Microsoft brings together Configuration Manager and Intune into a single console called the Microsoft Endpoint Manager admin center.

Where to start with Microsoft Endpoint Configuration Manager for this update?


http://endpoint.microsoft.com/

When opening the Microsoft Endpoint Configuration Manager console the update is not there yet: the update is released in rings, and I want to get it from the fast ring. Before starting, make sure your servers are healthy and patched. If you run a tight virus scanner on the MEMCM server, you may need to disable it during the install.


As the update is rolled out globally in the coming weeks, it will be automatically downloaded, and you’ll be notified when it’s ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, see these instructions on how to use the PowerShell script to ensure that you are in the first wave of customers getting the update. By running this script, you’ll see the update available in your console right away. 

https://download.microsoft.com/download/7/c/4/7c48f2c7-f433-414b-a901-753a61c7956d/EnableEarlyUpdateRing2002.exe


After downloading and extracting the file we have a PowerShell script.


Run this PowerShell script in admin mode with the site server name; I add -Verbose to see a bit more output.

C:\EnableEarlyUpdateRing2002> .\EnableEarlyUpdateRing2002.ps1 -siteServer mvpsccm17 -Verbose


Now that the script has run, Updates and Servicing will pull the update from the fast ring.


Press check for updates and do a refresh.


The Microsoft Endpoint Configuration Manager update 2002 is now available for download.


Now that the Update is downloaded we can trigger the Install.


This process is a Next, Next, Close wizard; the only choice you need to make is whether to run the agent in a test collection or go straight into production.


Here you have the option to test this update in an isolated Collection.


In this case I go straight into production, as this is my demo lab server.


I accept the license terms and confirm the end date of my SA (Software Assurance).


Well, this was a pretty straightforward process; now, in the background, Microsoft Endpoint Configuration Manager is updating the servers.


The progress can be followed in the log files: when you go to the status, the logs are opened.


When the preparations are done, Microsoft Endpoint Configuration Manager will start the installation. This can take some time, so be patient and don’t reboot the server in the meantime.


If you have a pending reboot, the installation will fail. Reboot the server first, then do the update.


Or check Task Manager to see when the update is finished.


When the update is finished and you open the Microsoft Endpoint Configuration Manager admin console, the console update is triggered and needs to be installed.


The update is installed, and we can configure co-management.


The default setting for device upload is All my devices managed by Microsoft Endpoint Configuration Manager. If needed, you can limit upload to a single device collection.

I choose All.


Now that the installation is finished we can see the connector.


You can verify this in Azure AD: there is an app registration called ConfigMgrSvc.

To check that the upload to the cloud is running:

  1. Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
  2. The next sync time is noted by log entries similar to Next run time will be at approximately: 04/02/2020 11:45:05


  1. For device uploads, look for log entries similar to Batching N records. N is the number of devices uploaded to the cloud.
  2. The upload occurs every 15 minutes for changes. Once changes are uploaded, it may take an additional 5 to 10 minutes for client changes to appear in Microsoft Endpoint Manager admin center. http://endpoint.microsoft.com/
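To do these two log checks without scrolling through CMTrace, the PowerShell below is an added example (not part of this post) that parses CMGatewaySyncUploadWorker.log for the "Next run time" and "Batching N records" entries and returns the next sync time and the total number of records uploaded. The sample lines at the bottom are constructed in the ConfigMgr log format so the function can be tried without a site server.

```powershell
# Added example (not from the original post): summarize tenant attach upload
# activity from CMGatewaySyncUploadWorker.log. The sample lines further down are
# constructed in the ConfigMgr (CMTrace) log format; use -Path for the real log.

function Get-TenantAttachSyncSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Path')]  [string]   $Path,
        [Parameter(Mandatory, ParameterSetName = 'Lines')] [string[]] $Lines
    )

    if ($PSCmdlet.ParameterSetName -eq 'Path') {
        $Lines = Get-Content -Path $Path
    }

    $nextRun = $null
    $batches = [System.Collections.Generic.List[int]]::new()

    foreach ($line in $Lines) {
        # CMTrace entries look like: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
        if ($line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!>') {
            $msg = $Matches['msg']

            if ($msg -match 'Next run time will be at approximately:\s*(?<when>.+)$') {
                # keep the last value seen; that is the upcoming sync
                $nextRun = $Matches['when'].Trim()
            } elseif ($msg -match 'Batching\s+(?<n>\d+)\s+records') {
                $batches.Add([int]$Matches['n'])
            }
        }
    }

    [pscustomobject]@{
        NextRunTime     = $nextRun
        BatchCount      = $batches.Count
        RecordsUploaded = [int](($batches | Measure-Object -Sum).Sum)
    }
}

# Constructed sample log lines (not taken from a real site server):
$sampleLines = @(
    '<![LOG[Batching 12 records]LOG]!><time="11:30:02.113+000" date="04-02-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="1234" file="">',
    '<![LOG[Batching 3 records]LOG]!><time="11:30:03.220+000" date="04-02-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="1234" file="">',
    '<![LOG[Next run time will be at approximately: 04/02/2020 11:45:05]LOG]!><time="11:30:05.001+000" date="04-02-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="1234" file="">'
)

Get-TenantAttachSyncSummary -Lines $sampleLines

# Against a real site server (path placeholder):
# Get-TenantAttachSyncSummary -Path '<ConfigMgr install directory>\Logs\CMGatewaySyncUploadWorker.log'
```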

In a browser, navigate to http://endpoint.microsoft.com/ or https://aka.ms/memac

Below you see only MEMAC.


When the machines are hybrid AD joined you can see both devices; the sync takes some time.


This is the start of managing the devices from MEMAC. In the next blog I’ll show you more on the management.

Celebrate World Backup Day & WIN with #Altaro!

We all remember how grateful we were to have backup software when facing so many data loss mishaps and near-catastrophes.


If you manage your company’s Office 365 data, celebrate this World Backup Day with Altaro. All you have to do is sign up for a 30-day free trial of Altaro Office 365 Backup. If you share your biggest backup mishap with them, you get a chance to WIN one of the Grand Prizes:

  • DJI Mavic Mini Drone FlyCam Quadcopter
  • Google Stadia Premiere Edition
  • Ubiquiti UniFi Dream Machine
  • Logitech MX Master 3 Advanced Wireless Mouse

And guess what? For any eligible subscription they give you a guaranteed Amazon voucher!

What are you waiting for? Sign up now!

Good luck & happy World Backup Day!

Windows 10 version 1903 May update: prepare Windows Update Delivery Optimization #Windows10 #ConfigMgr #DO #DeliveryOptimization #Waas #WUDO

With the upcoming Windows 10 1903 version you had better be prepared, and save some bandwidth by configuring the right settings, like Delivery Optimization. https://blogs.windows.com/windowsexperience/2019/04/08/releasing-the-may-2019-update-to-the-release-preview-ring/#XSwellpKSbo6oeum.97

What is Delivery Optimization?

Windows Update Delivery Optimization helps you get Windows updates and Microsoft Store apps more quickly and reliably.

In many business networks, downloading apps and updates can be slow, inefficient, and, in many markets, expensive. When speaking with our customers, we often hear that they have regional facilities in limited and/or metered markets where devices download the same content, redundantly impacting coveted bandwidth and, ultimately, the organization’s financial bottom line. In almost any network, Delivery Optimization can be a highly effective tool, efficiently delivering content to devices and reducing the need for more internet bandwidth.


Windows Update Delivery Optimization works by letting you get Windows updates and Microsoft Store apps from sources in addition to Microsoft, like other PCs on your local network, or PCs on the Internet that are downloading the same files. Delivery Optimization also sends updates and apps from your PC to other PCs on your local network or PCs on the Internet, based on your settings. Sharing this data between PCs helps reduce the Internet bandwidth that’s needed to keep more than one device up to date or can make downloads more successful if you have a limited or unreliable Internet connection.

When Windows downloads an update or app using Delivery Optimization, it will look for other PCs on your local network (or from the Internet, depending on your settings) that have already downloaded that update or app. Windows doesn’t download the entire file from one place. Instead, the download is broken down into smaller parts. Windows then gets parts of the update or app from the PCs that have it, and parts from Microsoft. Windows uses the fastest, most reliable download source for each part.

Delivery Optimization creates a local cache, and stores files that it has downloaded in that cache for a short period of time.

You can turn this on in the Windows Update settings of Windows 10.


There is also a GPO that can be used, but you need the latest ADMX files in your PolicyDefinitions folder. If you are not sure you have the latest files, get them here:

Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)

https://www.microsoft.com/en-us/download/details.aspx?id=57576


With this GPO you can control the settings for Delivery Optimization.


All these settings depend on your needs and on how your network is configured.

You can also use Delivery Optimization with SCCM. Microsoft recommends that you optimize Windows 10 quality update delivery using Configuration Manager with express installation files and a peer caching technology.


The SCCM client settings:


Above is a good overview of the differences between the caching options.

To get some details on the caching there are history charts and activity charts; what they show depends on the system.


In this case these are just my lab machines, so no big improvements here, and the machines get redeployed regularly, so they are not the best show models for graphs.


Other adjustments can be made to cache settings or bandwidth. To see what Delivery Optimization is doing on a machine, use:

Get-DeliveryOptimizationStatus


Get-DeliveryOptimizationPerfsnap
Get-DeliveryOptimizationPerfsnapThisMonth


Recommended settings for Delivery Optimization, quick-reference table:

| Use case | Policy | Recommended value | Reason |
|---|---|---|---|
| Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology |
| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peer-to-peer capability in more downloads |
| Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain |
| Labs with AC-powered devices | Content Expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period |
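To see how a machine compares with this table, the PowerShell below is an added example (not from this post) that reads the Delivery Optimization policy values from the registry and reports, per use case, which ones are not configured or deviate. It assumes the value names DODownloadMode, DOMinFileSizeToCache, DOMinBatteryPercentageAllowedToUpload and DOMaxCacheAge under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization (the names the GPO writes), so verify them against your ADMX version; a -Values hashtable lets you evaluate constructed values offline.

```powershell
# Added example (not from the original post): compare the effective Delivery
# Optimization policy on this machine with the quick-reference table above.
# Assumption: the GPO writes these value names under the policy key below;
# check them against your ADMX files if a row shows NotConfigured unexpectedly.

$DoPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# Recommendations from the table, expressed as registry values.
# DOMaxCacheAge is in seconds: 7 days = 604800, 30 days = 2592000.
$DoRecommendations = @(
    @{ UseCase = 'Hub & spoke topology'
       Name    = 'DODownloadMode'
       Display = '1 or 2'
       Accept  = { param($v) $v -in @(1, 2) } }
    @{ UseCase = 'Sites with > 30 devices'
       Name    = 'DOMinFileSizeToCache'
       Display = '10 MB (or 1 MB)'
       Accept  = { param($v) $v -ge 1 -and $v -le 10 } }
    @{ UseCase = 'Large number of mobile devices'
       Name    = 'DOMinBatteryPercentageAllowedToUpload'
       Display = '60'
       Accept  = { param($v) $v -eq 60 } }
    @{ UseCase = 'Labs with AC-powered devices'
       Name    = 'DOMaxCacheAge'
       Display = '7 to 30 days (604800-2592000 s)'
       Accept  = { param($v) $v -ge 604800 -and $v -le 2592000 } }
)

function Test-DeliveryOptimizationPolicy {
    [CmdletBinding()]
    param(
        # Defaults to the live registry; pass a hashtable of name -> value to evaluate offline.
        [hashtable] $Values
    )

    if (-not $Values) {
        $Values = @{}
        if (Test-Path $DoPolicyKey) {
            $item = Get-ItemProperty -Path $DoPolicyKey
            foreach ($rec in $DoRecommendations) {
                if ($null -ne $item.($rec.Name)) { $Values[$rec.Name] = [int]$item.($rec.Name) }
            }
        }
    }

    foreach ($rec in $DoRecommendations) {
        $current = $Values[$rec.Name]
        $status = if ($null -eq $current) { 'NotConfigured' }
                  elseif (& $rec.Accept $current) { 'OK' }
                  else { 'Deviates' }
        [pscustomobject]@{
            UseCase     = $rec.UseCase
            Policy      = $rec.Name
            Recommended = $rec.Display
            Current     = $current
            Status      = $status
        }
    }
}

# Live machine:
# Test-DeliveryOptimizationPolicy | Format-Table -AutoSize

# Offline check with constructed values (download mode 3 = internet peers, 1 MB cache minimum):
Test-DeliveryOptimizationPolicy -Values @{ DODownloadMode = 3; DOMinFileSizeToCache = 1 } | Format-Table -AutoSize
```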


 

More info about Delivery Optimization can be found here: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Delivery-Optimization-Scenarios-and-configuration-options/ba-p/280195

Welcome to Olympia Set up your own Windows Insider Lab for Enterprise #Olympia #Office365 #EnterpriseMobility #WindowsServer #Microsoft #Azure #WindowsInsiders #SCCM

Olympia V2 is the next step for enabling Windows Insiders to try new and pre-release Windows 10 Enterprise features. Windows Insider Lab for Enterprise v2 provides a complete Microsoft 365 deployment and management testing environment that can be run directly on your own machines. The lab features both client and administrative functionality, including System Center Configuration Manager Preview plus connectivity to Office 365 and Enterprise Mobility Security evaluation trials. Customers can also add the latest Windows 10 Insider Preview Enterprise build to the lab. 

This is a great lab toolkit to get started with the new features. It is easy to set up, with a great learning curve.

First we download the entire lab; it is around 14 GB.

The table below lists the virtual machines, which will be imported and created in Hyper-V:

| Server Name | Roles & Products |
|---|---|
| HYD-DC1 | Active Directory Domain Controller, DNS, DHCP, Certificate Services; Windows Server 2016 |
| HYD-CM1 | System Center Configuration Manager Technical Preview Branch, Version 1808 (Note: after installing a baseline version, you can then use in-console updates to bring your installation up to date with the most recent preview version. See Section 4.); Windows Deployment Services; Microsoft Deployment Toolkit; Windows 10 ADK; Windows Software Update Services; Microsoft SQL Server 2014; Windows Server 2016 |
| HYD-APP1 | Microsoft BitLocker Administration and Monitoring; Microsoft SQL Server 2014; Windows Server 2016 |
| HYD-GW1 | Remote Access for Internet Connectivity; Windows Server 2016 |
| HYD-CLIENT1 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be domain joined |
| HYD-CLIENT2 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be domain joined |
| HYD-CLIENT3 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be in a workgroup |
| HYD-CLIENT4 (Optional) | If the Windows 10 Insider Preview ISO image is imported, this machine will be created with Windows installed and will be in a workgroup |

The VM list in Hyper-v

image

The table below lists the credentials and access type available in the default implementation:

image

After that just extract the files. Keep in mind that the setup extracts the files at the current location of the setup files; you can move the VMs afterwards.

image

Starting the setup and extracting the VMs.

image

Select your vSwitch on the Hyper-V server.

image

Select an Insider ISO or download one.

image

Plenty of room on the Windows Server 2019 Hyper-V server with Storage Spaces Direct.

image

The extraction can take some time, depending on disk and CPU speed.

image

After the extraction several VMs are added to the Hyper-V server.

image

The gateway will route all the data to the internet.

image
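As an added example that is not part of the Olympia lab or of the original post, the PowerShell below checks the imported VMs on the Hyper-V host once the extraction has finished: it lists every HYD-* VM with its state and vSwitch, flags adapters that are not on the switch selected during setup, and flags VHDs that were extracted somewhere other than the folder you intended (the setup extracts next to the installer) or whose file is missing after a move. The VM prefix HYD-, the switch name LabSwitch and the folder D:\Olympia are assumptions; pass your own values as parameters.

```powershell
# Added example, not part of the Olympia lab or the original post.
# Assumptions (not from the lab guide): lab VMs are named HYD-*, the vSwitch chosen
# during setup is called 'LabSwitch', and the installer was run from D:\Olympia so
# the VHDs should live under that folder. Run elevated on the Hyper-V host.
param(
    [string]$VmPrefix   = 'HYD-',
    [string]$SwitchName = 'LabSwitch',
    [string]$LabRoot    = 'D:\Olympia'
)

$switch = Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue
if (-not $switch) {
    throw "vSwitch '$SwitchName' not found. Available: $((Get-VMSwitch).Name -join ', ')"
}

$vms = Get-VM | Where-Object { $_.Name -like "$VmPrefix*" }
if (-not $vms) {
    throw "No VMs named $VmPrefix* on this host; did the extraction finish?"
}

$findings = New-Object System.Collections.Generic.List[string]

$report = foreach ($vm in $vms) {
    $nics  = @(Get-VMNetworkAdapter -VM $vm)
    $disks = @(Get-VMHardDiskDrive  -VM $vm)

    # Every adapter should be on the switch picked during setup; anything else
    # means the VM will not see the rest of the lab (or the gateway).
    foreach ($nic in $nics) {
        if ($nic.SwitchName -ne $SwitchName) {
            $findings.Add("$($vm.Name): adapter '$($nic.Name)' is on '$($nic.SwitchName)', expected '$SwitchName'")
        }
    }

    # The setup extracts next to the installer, so VHDs can end up on the wrong
    # volume; also catch a VHD whose file is gone after a manual move.
    foreach ($disk in $disks) {
        if (-not $disk.Path.StartsWith($LabRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("$($vm.Name): VHD '$($disk.Path)' is outside '$LabRoot'")
        }
        if (-not (Test-Path -LiteralPath $disk.Path)) {
            $findings.Add("$($vm.Name): VHD '$($disk.Path)' does not exist")
        }
    }

    [pscustomobject]@{
        Name      = $vm.Name
        State     = $vm.State
        StartupMB = [int]($vm.MemoryStartup / 1MB)
        Switch    = (($nics | ForEach-Object SwitchName | Sort-Object -Unique) -join ',')
        Disks     = $disks.Count
    }
}

$report | Sort-Object Name | Format-Table -AutoSize

if ($findings.Count -eq 0) {
    Write-Host "All $($vms.Count) lab VMs are on '$SwitchName' with VHDs under '$LabRoot'."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it as `.\Check-OlympiaLab.ps1 -SwitchName <your switch> -LabRoot <your folder>` (the script name is mine). A VM that shows a different switch, or a VHD path outside the lab folder, is the usual reason the gateway and the clients cannot see each other after the import.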

image

The setup is done and the full lab is installed; there are several labs that you can do and set up.

image

image

The domain structure that is created is the basis for all the labs.

image

An SCCM site is created and ready for use. As this is the Technical Preview, I already got the 1812 build.

image

 

image

In the Azure Active Directory we set some custom pictures.

image

image

Customizing these screens is easily done in the Azure portal.

image

The next step is to use SCCM and Intune to manage your systems. This lab is perfect for showing all the options.

 

The setup is complete and ready to use; this lab is a great way to explore the new features on your own.

Lab Objectives

This guide is designed to provide step-by-step guidance in demonstrating the basic functionality of the feature.

· Lab Setup
    o On-Premises Environment
    o Cloud Environment
    o On-Premises Environment Post Setup Manual Steps
· Servicing
    o Windows Analytics Update Compliance
· Deployment & Management
    o Modern Device Deployment
    o Modern Device Management with AutoPilot
    o Co-Management
    o Modern Application Management with Intune
    o Enterprise State Roaming
· Security
    o Windows Information Protection
    o Windows Defender Advanced Threat Protection
    o Windows Defender Application Guard
    o Windows Defender Exploit Guard
    o Windows Hello
    o Credential Guard
    o Device Encryption (MBAM)
    o Device Guard – User Mode Code Integrity
· Compatibility
    o Windows Analytics Upgrade Readiness
    o Browser Compatibility
    o Desktop Bridges
· Additional Labs
    o MDM WINS over GP
    o MAM FAQ

The Windows Insider Lab for Enterprise was designed for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features. There are two versions of the lab:

· Windows Insider Lab for Enterprise v1 – provides a client-side view of the latest Microsoft 365 enterprise features through access to Olympia Corp, a virtual corporation that has been set up to reflect the IT infrastructure of a real-world business.

· Windows Insider Lab for Enterprise v2 – provides a complete Microsoft 365 deployment and management testing environment that can be run directly on your own machines. The lab features both client and administrative functionality, including System Center Configuration Manager Preview plus connectivity to Office 365 and Enterprise Mobility + Security evaluation trials.

 


What is change in Windows Server 2016 (10) cluster – Setting Cluster Common Properties #winserv

In the new Windows Server 2016 (Windows Server Technical Preview) there are a lot of new features, and for not all of them is it clear what they do.

I call it Windows Server 2016 here; there is currently no indication that Server 10 will be named 2016, but as the product will come in 2015 it would make sense for it to be called Windows Server 2015.

I made a quick comparison of the old Windows Server 2012 R2 cluster with the new Windows Server 2016 cluster.

In the GUI there is not much change; the only part that has really changed is the Enclosure part (see my other blog about this).

image

What has changed is under the hood. When we run Get-Cluster | fl * we get a list of all the cluster properties that can be set.

image

Check this MSDN site for more info about Cluster Common Properties

http://msdn.microsoft.com/en-us/library/aa369087(v=vs.85).aspx
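The comparison described above, as an added example that is not code from the original post: it snapshots the common properties of two clusters (a 2012 R2 cluster assumed to be named cluster2012r2, and the preview cluster windows10 from the post), saves both snapshots as JSON so the comparison can be re-run against the next preview build, and prints the properties that were added, removed or changed. Run it from a machine with the FailoverClusters module that can reach both clusters; the function names are mine.

```powershell
# Added example, not from the original post. Cluster names other than 'windows10'
# are assumptions; adjust them to your environment.
Import-Module FailoverClusters

function Get-ClusterCommonProperties {
    param([Parameter(Mandatory)][string]$ClusterName)
    $cluster = Get-Cluster -Name $ClusterName
    # Get-Cluster | fl * shows every property; collect them as name/value pairs.
    # Values are stringified so enums (e.g. ResiliencyLevel) compare cleanly.
    $table = @{}
    foreach ($p in $cluster.PSObject.Properties) {
        $table[$p.Name] = "$($p.Value)"
    }
    return $table
}

function Compare-ClusterCommonProperties {
    param(
        [Parameter(Mandatory)][hashtable]$Old,
        [Parameter(Mandatory)][hashtable]$New
    )
    $names = (@($Old.Keys) + @($New.Keys)) | Sort-Object -Unique
    foreach ($name in $names) {
        $status = if (-not $Old.ContainsKey($name))     { 'Added'   }
                  elseif (-not $New.ContainsKey($name)) { 'Removed' }
                  elseif ($Old[$name] -ne $New[$name])  { 'Changed' }
                  else                                  { 'Same'    }
        if ($status -ne 'Same') {
            [pscustomobject]@{
                Property = $name
                Status   = $status
                OldValue = $Old[$name]
                NewValue = $New[$name]
            }
        }
    }
}

$old = Get-ClusterCommonProperties -ClusterName 'cluster2012r2'   # assumed name
$new = Get-ClusterCommonProperties -ClusterName 'windows10'       # name used in the post

# Keep both snapshots; the JSON baseline lets you diff the next preview build
# without keeping the old cluster around.
$old | ConvertTo-Json | Set-Content -Path .\cluster2012r2.json
$new | ConvertTo-Json | Set-Content -Path .\windows10.json

Compare-ClusterCommonProperties -Old $old -New $new | Format-Table -AutoSize
```

A removed property such as RootMemoryReserved shows up as Removed, the regroup timers as Added, and a property whose default moved between builds as Changed, which is more reliable than eyeballing two `fl *` listings.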

 

There are a lot of new options, but one option is gone: RootMemoryReserved is no longer available.

The cluster common property RootMemoryReserved was introduced to ensure that clustered Hyper-V hosts keep a minimum amount of physical memory reserved for the host itself.

RootMemoryReserved is by default set to 512 MB. This should be sufficient for a host that is not doing anything other than managing the VMs.

As shown above, windows10 is my cluster name and must be used in the PowerShell command:

(get-cluster windows10).RootMemoryReserved

To change RootMemoryReserved, assign the desired reserved memory size to the property above. The following PowerShell command sets RootMemoryReserved to 1024 MB:

(get-cluster <cluster name>).RootMemoryReserved=1024

So it is no longer there!

But now, what is new?

When we run Get-Cluster | fl * it gives us a long list. I filtered it down, and below are only the new parts, the properties that did not show up on my Windows Server 2012 R2 cluster:

Property                            Value
ClusSvcRegroupStageTimeout          5
ClusSvcRegroupTickInMilliseconds    300
ClusterFunctionalLevel              9
ResiliencyDefaultPeriod             0
QuarantineDuration                  0
ResiliencyLevel                     Default
ClusterGroupWaitDelay               120
QuorumArbitrationTimeMax            20
RequestReplyTimeout                 60
DumpPolicy                          69913

When one of these options needs to be changed, assign the new value to the property on the cluster object, for example (get-cluster).ClusterGroupWaitDelay=120, so the general form is

(get-cluster).<property name> = Value

ClusterFunctionalLevel is the exception: it is read-only and is only raised with Update-ClusterFunctionalLevel (see below), so (get-cluster).ClusterFunctionalLevel=9 will not work.
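An added example, not from the original post, that wraps the assignment form above in a function which refuses to write a property that does not exist on this version (RootMemoryReserved on the preview) or is read-only (ClusterFunctionalLevel), records the old value, and re-reads the new value from the cluster rather than from the cached object. The cluster name windows10 is the one used in the post; the function name is mine.

```powershell
# Added example, not from the original post.
Import-Module FailoverClusters

function Set-ClusterCommonProperty {
    param(
        [Parameter(Mandatory)][string]$ClusterName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value
    )
    $cluster = Get-Cluster -Name $ClusterName

    # Without Set-StrictMode, reading a property that no longer exists silently
    # returns $null, so test for it explicitly instead of trusting the read.
    $prop = $cluster.PSObject.Properties[$Name]
    if (-not $prop) {
        throw "Property '$Name' does not exist on cluster '$ClusterName' (removed in this version?)"
    }
    if (-not $prop.IsSettable) {
        # e.g. ClusterFunctionalLevel, which is raised with Update-ClusterFunctionalLevel
        throw "Property '$Name' is read-only on cluster '$ClusterName'"
    }

    $before = $prop.Value
    try {
        $cluster.$Name = $Value                     # same assignment form as in the post
    } catch {
        throw "Setting '$Name' to '$Value' failed: $($_.Exception.Message)"
    }
    $after = (Get-Cluster -Name $ClusterName).$Name  # re-read from the cluster

    [pscustomobject]@{
        Property  = $Name
        Before    = $before
        Requested = $Value
        After     = $after
        Applied   = ("$after" -eq "$Value")
    }
}

# Works: ClusterGroupWaitDelay exists and is writable (value from the post's list).
Set-ClusterCommonProperty -ClusterName 'windows10' -Name 'ClusterGroupWaitDelay' -Value 120

# Fails with a clear message instead of silently doing nothing:
foreach ($bad in @('RootMemoryReserved', 'ClusterFunctionalLevel')) {
    try {
        Set-ClusterCommonProperty -ClusterName 'windows10' -Name $bad -Value 9
    } catch {
        Write-Warning $_.Exception.Message
    }
}
```

The Applied column is the check worth keeping: a property that accepts the assignment but reads back unchanged (clamped to a minimum, or rejected by the cluster service) is otherwise easy to miss in a script.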

As I noticed, there are options from 2008 back and they all have to do with latency, so a logical conclusion would be: will the cluster go to Azure, or is there something coming for which we need these values to get a better cluster?

Let us review these Commands

ClusSvcRegroupStageTimeout and ClusSvcRegroupTickInMilliseconds

These options were there in 2008 but removed in 2012, and now they are back.

ClusSvcRegroupStageTimeout controls the amount of time, in seconds, that a node waits on other nodes in a membership stage before deciding that they have failed.

ClusSvcRegroupTickInMilliseconds controls the interval of time, in milliseconds, that the membership algorithm waits between issuances of periodic membership messages.

http://msdn.microsoft.com/en-us/library/jj151921(v=vs.85).aspx

ClusterFunctionalLevel

Upgrading a Hyper-V or Scale-Out File Server cluster from Windows Server 2012 R2 to Windows Server Technical Preview no longer requires downtime. The cluster will continue to function at a Windows Server 2012 R2 level until all of the nodes in the cluster are running Windows Server Technical Preview. The cluster functional level is then upgraded to Windows Server Technical Preview by using the Windows PowerShell cmdlet Update-ClusterFunctionalLevel.

http://technet.microsoft.com/en-us/library/dn765474.aspx

ResiliencyDefaultPeriod

The default resiliency period for the cluster, in seconds.

http://msdn.microsoft.com/en-us/library/dn823627(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/dn765741(v=vs.85).aspx

ClusterGroupWaitDelay

Specifies the amount of time groups will wait for their default or preferred owner node to come up during cluster cold start, before the groups are moved to another node.

http://blogs.msdn.com/b/clustering/archive/2009/08/11/9864574.aspx

QuorumArbitrationTimeMax

Specifies the maximum number of seconds a node is allowed to spend arbitrating for the quorum resource in a cluster.

http://msdn.microsoft.com/en-us/library/aa369123(v=vs.85).aspx

RequestReplyTimeout

Describes the length of time a request from a node with a cluster state update will wait for replies from the other healthy nodes before the request times out. Any nodes that do not reply within the request timeout period will be removed from active membership in the cluster. (The MSDN page below also tabulates the attributes of the RequestReplyTimeout property.)

http://msdn.microsoft.com/en-us/library/bb394696(v=vs.85).aspx

DumpPolicy

Queries that can be used to export resource type specific logs.

http://msdn.microsoft.com/en-us/library/dn823627(v=vs.85).aspx

 

These are fresh new options and currently not well documented or <NDA>, but I'm sure that when the server product is ready a lot more new features will be made public.

When the next release of Windows Server is available I'll discuss the DASMode properties in a future blog.

Happy clustering

Robert Smit

@clusterMVP

https://robertsmit.wordpress.com

First installing Windows 10: can I have my tiles back?

After downloading the Windows 10 Preview ISO

http://windows.microsoft.com/en-us/windows/preview-download

image

You can create a bootable USB with the Windows 7 USB/DVD Download Tool

http://www.microsoftstore.com/store/msusa/html/pbPage.Help_Win7_usbdvd_dwnTool

And no, I did not press Express settings.

Instead you get a lot of screens with the settings that Express settings would otherwise set for you.

image

In this case I'll set the improve products option to on!

 

image

I'll pick a new account so I can create a fresh local account and not a Microsoft account, just for testing.

image

Here you can create a local account.

image

An easy setup, and you have the start menu (but now I want the tiles back).

image

And one extra: an update check, a preview update check.

 

#windows10