Tag Archives: powershell

Disabling SMB1 after WannaCry? Make Sure SMB2 is enabled

Published by Rens Hollanders

After recent events in the online world, everybody is in a frenzy patching their servers, disabling SMB1, and removing the feature from Windows 10 and Windows Server 2012 R2 (after it should have been done way, way before). So was I. This week’s priority at the customer I’m working for is entirely dedicated to patching servers (if they weren’t patched prior to WannaCry, which was a small percentage nevertheless) and disabling and removing the SMB1 feature on all the machines.

A lot has been written about WannaCry and how to deal with it. The two most helpful articles come from big MS itself: “How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server” and “WannaCrypt attacks: guidance for Azure customers”.

After patching and removing the feature (directly instead of just disabling it first) on a Windows 2012R2 Server, I discovered I couldn’t browse to the server any longer. Each time I did a: “\\sctxps-01\d$” (which is a Citrix Provisioning Services Server) I got a message that the server couldn’t be reached.

After hitting some key phrases on Google and finding the recommendations of Microsoft, it struck me. The Set-Command: “Set-SmbServerConfiguration -EnableSMB1Protocol $false”, which configures SMB to be turned off, can also be partially used as a Get-Command to see its current state. And look what we found:

It appeared the SMB1 protocol was still turned on; however, due to the removal of the feature entirely from the server, the machine wasn’t reachable any longer through UNC, IP and even localhost. After running the command: “Set-SmbServerConfiguration -EnableSMB2Protocol $true” the server could be reached again.

It appeared someone had configured SMB1 before and turned off SMB2. Due to the removal, the server’s SMB shares couldn’t be approached any longer over the network.

So please check your SMB status with: Get-SMBServerConfiguration before doing something drastic like removing SMB features. Of course in an ideal world this would all be planned, risk, impact and analysis etc. But in an ideal world there wouldn’t be any Cryptolockers either.

Cheers! Rens
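The check recommended in the post above, as an added example (not the author’s script): it reads the two protocol flags from Get-SmbServerConfiguration and reports whether SMB2 must be enabled before SMB1 is touched. The function name, its output shape and the sample object are assumptions made for this illustration.

```powershell
# Added example. Get-SmbRemovalReadiness is a hypothetical helper name.
function Get-SmbRemovalReadiness {
    [CmdletBinding()]
    param(
        # Object exposing EnableSMB1Protocol / EnableSMB2Protocol,
        # e.g. the output of Get-SmbServerConfiguration
        [Parameter(Mandatory, ValueFromPipeline)]
        $Configuration,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    process {
        $smb1 = [bool]$Configuration.EnableSMB1Protocol
        $smb2 = [bool]$Configuration.EnableSMB2Protocol

        # Removing SMB1 while SMB2 is off leaves no usable dialect,
        # which is the unreachable-share situation described in the post.
        if (-not $smb2) {
            $action = 'Run Set-SmbServerConfiguration -EnableSMB2Protocol $true first'
        } elseif ($smb1) {
            $action = 'SMB2 is on: SMB1 can be disabled, then the feature removed'
        } else {
            $action = 'SMB1 already disabled and SMB2 is on: feature can be removed'
        }

        [pscustomobject]@{
            ComputerName     = $ComputerName
            SMB1Enabled      = $smb1
            SMB2Enabled      = $smb2
            SafeToRemoveSMB1 = $smb2
            Action           = $action
        }
    }
}

# Constructed sample: the state found on the server in the post
# (SMB1 still on, SMB2 turned off by someone earlier).
$sample = [pscustomobject]@{ EnableSMB1Protocol = $true; EnableSMB2Protocol = $false }
$sample | Get-SmbRemovalReadiness -ComputerName 'sctxps-01'

# On a real server, from an elevated session, feed it the live configuration.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Get-SmbRemovalReadiness
}
```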

MDT – Updated Powershell scripts for Windows ADK 10 and MDT 2013 update 1 Build 8298

Published by Rens Hollanders

Hi there,

So the word is out, Microsoft has re-released MDT 2013 update 1 after several bugs and errors have come forward during the deployment of Windows 10.

Each new version means that if you use scripts which have a dependency on tools such as MDT, you’ll need to check them for compatibility.

For two years now I have relied on configuring an entire deployment share environment with PowerShell, since clicking and mouse-pointing my way through ADK and MDT setups was killing my brain cells one setup at a time.

I’ll save you the deep dive into the scripts, but here’s a short explanation:

Script 1 will: Automatically download Windows ADK for Windows 10 and MDT 2013 update 1 Build 8298 to the folder from where the script is executed, and create a “Software” folder where the contents are stored.

Once the downloads are completed, both tools are installed silently with default settings. Lastly, the script will enable the .NET Framework and the WDS feature / role to configure the server as an MDT deployment server.

Script 2 will: First ask you if you want to split wim files prior to configuring the deployment share. I’ve incorporated this question since 4 Gb is the FAT32 file size limit, and this is a neat little option to instantly make your FAT32 UEFI deployments work! Next it will automatically configure an entirely new deployment share in a matter of seconds, with a logical folder structure, selection profiles, the configuration of WinPE settings and the overall Settings.xml. Read more about it here: MDT2013 – Configure everything with Powershell!!!

Now how does this look?

figure 1.1: Software folder created by download and installation script

figure 1.2: The download and installation script doing its magic

figure 1.3: Behold the installation of ADK, MDT and WDS

figure 2.1: Execution of the Configure DeploymentShare script

figure 2.2: Script in progress..

figure 2.3: Script complete

figure 2.4: MDT Environment configured completely

You can find the scripts here:

MDT Download and Install v1.0: OneDrive

MDT Configure DeploymentShare v3.0 for MDT 2013 Update 1 Build 8298: OneDrive

Questions, improvements, or want to show your appreciation? Just give me a shout-out in the comments.

Cheers! Rens