esxcli software vib install --depot=/vmfs/volumes/datastore/ESXi550-201410001.zip

 In de Sphere Client: Install/update VMware Tools
Op de VM console op de command line,mkdir /cdrom
mount de virtuele cdrom van stap 1;
mount /dev/cdrom /cdrom
cd /tmp
tar -xvf /cdrom/VMwareTools (tab om automatisch aan te vullen)
cd vmware (tab om automatisch aan te vullen)
./vmware-install.pl
accepteer de defaults, Indien nodig installeer perl
umount /cdrom

Install/upgrade VMWare tools
Dan op de commandline
D:\.\setup64.exe /S /v"/qn REBOOT=Y"
indien nodig
shutdown -r -t 1

VMware Tools may not install on a Windows guest operating system after upgrading to a newer version of ESX/ESXi (1012693) | VMware KB This is an issue with Microsoft Windows Installer and does not affect all Windows 2008/2003 systems. The problem can occur when the original install path from the older version of VMware Tools is invalid, such as if the install path was E:\ and that path is no longer present. For more information, see the Microsoft Knowledge Base article To resolve this issue, you must perform a forced uninstall and reinstall of VMware Tools.
To uninstall and reinstall VMware Tools:
Right-click the virtual machine and click Guest > Install/Upgrade VMware Tools. 
Open a Console to the virtual machine and log into the guest operating system. 
Click Start > Run, type cmd, and click OK. A Command Prompt window opens. 
Change the drive to your CD-ROM drive (For example, D:\). 
Type setup /c and press Enter to force removal of all registry entries and delete the old version of VMware Tools.
Note: For 64-bit guest operating systems, type setup64 /c 
Open My Computer and double-click the CD-ROM that contains VMware Tools. 
After Auto-Run starts, follow the prompts to install.

Note: This must be done from the GUI interface. Do not launch the install by running Setup from the Command Prompt. Also ensure that the CD-ROM is enabled. In the virtual machine properties select CD-ROM under Device Status, and ensure that Connected (if the virtual machine is powered on) and Connect at power on are selected. 

When the installation completes, reboot the guest operating system. 

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012693

Crontab  

List active cron jobs  

crontab -l
less /etc/crontab  

Systemctl restart crond    

View Cron Jobs by User
sudo crontab –u username –l  

How to List Hourly Cron Jobs
ls –la /etc/cron.hourly  

How to List Daily Cron Jobs
ls –la /etc/cron.daily  

How to Display Weekly Cron Jobs
ls –la /etc/cron.weekly  

How to List Monthly Cron Jobs
ls –la /etc/cron.monthly    

So the rule is always use full paths in crontab:  

22 10 * * * root /usr/bin/scp -i /home/username/.ssh/id_rsa -r /var/www/abc abc@ip:/home/abc  

Explanation of the Date/Time fields

The first five fields of the line are the date and time field which specify how frequently and when to execute a command. When adding the cron job in the DreamHost panel, the Date/Time is added for you automatically based on your 'When to run' setting.

Add user
net user test test123 /add

Add user to group administrators
net localgroup administrators test /add

Delete user
net user test /del

Enable user
net user test /active:no

net user test /active:yes

Open een command prompt als administrator,

vul in het volgende commando

desk.cpl ,5

From the vCenter Server HTML5 Web Client

1. Power off the VM.
2. Enable the Copy & Paste for the Windows/Linux virtual machine:
   1. Right-click the virtual machine and click Edit Settings.
   2. Click the VM Options tab, expand Advanced, and click Edit Configuration.
   3. Click on Add Configuration Params three times to give three rows 
   4. Fill in the Name and Value fields as mentioned below:

5. Click OK to save and exit out of the Configuration Parameters wizard. Note: These options override any settings made in the guest operating system’s VMware Tools control panel. 
6. Click OK to save and exit out of the Edit Settings wizard.

3. Power on the VM
4. Then use Copy/Paste directly on Windows/Linux/any other platform. 
5. For paste operation's target platform is Linux, Older X applications do not use a clipboard. Instead, they let you paste the currently selected text (called the "primary selection") without copying it to a clipboard. Pressing the middle mouse button is usually the way to paste the primary selection. For more information see Copying and pasting from a Windows guest to Linux host.

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$False  

$creds = Get-Credential -Message "Enter credentials for Lockdown Exception User"  
$vmhosts = @()
101..109 | foreach { $vmhosts += "namehost" + $_.ToString("000") + ".vmware.com" }  

foreach ($vmhost in $vmhosts){      
connect-viserver $vmhost -Credential $creds    
Set-vmhost -State Maintenance    
Set-VMHostFirmware -VMhost $vmhost -ResetToDefaults    
disconnect-viserver * -Confirm:$False  
}

VMware provides a powerful and convenient graphical interface for managing ESXi servers – you can use a VMware vSphere Client that is a standalone application on Windows machines for managing ESXi hosts and the entire vSphere environment. Another option is to use VMware vSphere Web/HTML5 Client on any machine. Thus, you can launch a web browser for managing vSphere with ESXi hosts and VMware Host Client for managing ESXi hosts in a web browser.

The majority of settings are available in the graphical user interface (GUI), though sometimes you may need to get some information or change a configuration that is not displayed in the GUI. In this case, using the command line interface (CLI) is what you need – it is possible to configure all settings, including the hidden ones in the command line, which is also referred to as the console. In addition to traditional commands that are the same in Linux and ESXi, ESXi has its own ESXCLI commands. The most useful ESXCLI commands are explained in today’s blog post. This blog post has been created in the format of a catalog which lists useful ESXCLI commands that are part of the ESXi shell commands.

By default, ESXi shell is disabled for local and remote access; hence, you are not able to run ESXi shell commands until you enable the ESXi shell. VMware has made this restriction for security reasons. There are three main methods for enabling the command line interface in ESXi.

Using the ESXi default interface

In the ESXi Direct Console User Interface (DCUI), go to Troubleshooting Options, navigate to Enable ESXi Shell and Enable SSH strings and press Enter to enable each option. After enabling the ESXi shell, press Alt+F1 to open the console on the machine running ESXi. You should enter your login and password after that (credentials of the root user can be used). If you need to go back to the ESXi DCUI, press Alt+F2. The Enable SSH option allows you to open the ESXi console remotely by using an SSH client.

Using VMware Host Client

Open a web browser and enter the IP address of your ESXi host in the address bar, then log in. Go to Host > Actions > Services and click Enable Secure Shell (SSH). Now you can connect to the ESXi console by using your SSH client remotely. Similarly, you can enable the console shell on a local ESXi host in the Services menu.

Using vCenter and VMware vSphere Client

This method can be used if your ESXi host is managed by vCenter Server. In VMware HTML5 vSphere Client, go to Hosts and Clusters, select your ESXi host, select the Configure tab, open System > Services and click SSH in the list of services. After that, hit Start to launch the SSH server once, or hit Edit Startup Policy and select Start and Stop with host if you wish to enable the SSH server for an extended period of time. You can also enable the ESXi shell in the Services menu.

In order to connect to the ESXi console remotely via SSH, in the Linux console, type a command like ssh 192.168.101.221, where 192.168.101.221 is the IP address of the ESXi server used in this example. You need to enter the login and password of the ESXi user in this case (root can be used by default).

In Windows, you can use PuTTY as an SSH client for running ESXI shell commands remotely.

About ESXCLI Commands

ESXCLI is a part of the ESXi shell, this is a CLI framework intended to manage a virtual infrastructure (ESXi components such as hardware, network, storage, etc.) and control ESXi itself on the low level. All ESXCLI commands must be run in the ESXi shell (console). Generally, ESXCLI is the command that has a wide list of subcommands called namespaces and their options. The ESXCLI command is present right after ESXi installation along with other ESXi shell commands. You can locate ESXCLI and explore the nature of ESXCLI after executing the following commands:

which esxcli

ls -l /sbin/esxcli

As you see in the console output, ESXCLI is a script written in Python that is located in the /sbin/ directory. If you want to see the contents of the script, you can use the built-in text editor vi.

Thus, ESXCLI consists of branches that are the main categories (namespaces) of ESXCLI commands. Notice that ESXCLI commands are case-sensitive, similarly to other console commands used in ESXi. The entire list of all available ESXCLI namespaces and commands is displayed after running the command:

esxcli esxcli command list

The list of available ESXCLI commands depends on the ESXi version.

Hence, the list of top ESXCLI namespaces for ESXi 6.7 is as follows:

• device – device manager commands
• esxcli – commands related to ESXCLI itself
• fcoe – Fibre Channel over Ethernet commands
• graphics – VMware graphics commands
• hardware – commands for checking hardware properties and configuring hardware
• iscsi – VMware iSCSI commands
• network – this namespace includes a wide range of commands for managing general host network settings (such as the IP address, DNS settings of an ESXi host, firewall) and virtual networking components such as vSwitch, portgroups etc.
• nvme – managing extensions for VMware NVMe driver
• rdma – commands for managing the remote direct memory access protocol stack
• sched – commands used for configuring scheduling and VMkernel system properties
• software – managing ESXi software images and packages for ESXi
• storage – commands used to manage storage
• system – commands for configuring VMkernel system properties, the kernel core system and system services
• vm – some commands that can be used to control virtual machine operations
• vsan – VMware vSAN commands

The main commands appear as verbs indicating the same action:

• list – show the list of objects available for the defined namespace (for example, esxcli hardware bootdevice list – list available boot devices)
• get – get the value of the defined setting or property (for instance, esxcli hardware clock get – check the time set)
• set – set the necessary parameter manually (for example, esxcli hardware clock set -y 2019 -s 00 – set the year to 2019 and set the seconds to 00)
• load/unload – load/unload system configuration (esxcli network firewall load – load the firewall module and firewall settings stored in the configuration file)

If you are unable to remember a particular ESXCLI command related to the appropriate namespace, you can enter the command and see a tip in the output of the console—for example, type:

esxcli network to see all available commands for the network namespace, then type:

esxcli network vm to check the commands for the vm namespace.

The ESXCLI log file is located in /var/log/esxcli.log

The data is written to this file if an ESXCLI command has not been executed successfully. If an ESXCLI command is run successfully, nothing is written to this log file.

Useful ESXCLI Commands

Now that you are familiar with the basic working principle of ESXCLI commands, let’s consider the particular examples of useful ESXCLI commands which can be used in VMware vSphere. The list of ESXCLI commands considered in this article is divided by categories equivalent to namespace names.

Checking hardware

By using the hardware namespace, you can view the full information about installed devices. In order to view installed PCI devices, run the following ESXCLI command:

esxcli hardware pci list | more

Check the amount of memory installed on the ESXi server:

esxcli hardware memory get

View the detailed information about installed processors:

esxcli hardware cpu list

System settings

In this section, you can see the commands of the system esxcli namespace.

Check the precise ESXi version and build number, including the number of installed updated and patches:

esxcli system version get

Check the hostname of an ESXi server:

esxcli system hostname get

Check the ESXi installation time:

esxcli system stats installtime get

Check the SNMP configuration:

esxcli system snmp get

Enter the ESXi host to the maintenance mode:

esxcli system maintenanceMode set --enable yes

Exit the maintenance mode:

esxcli system maintenanceMode set --enable no

After entering an ESXi host to the maintenance mode, you can shut down or reboot the host.

Power off an ESXi host:

esxcli system shutdown poweroff

The command for rebooting the host is similar:

esxcli system shutdown reboot

You can also set a delay and write a reason of rebooting the host to be saved in system logs:

esxcli system shutdown reboot -d 60 -r “Installing patches”

In this example, the delay is 60 seconds.

Another command is to set the custom welcome message instead of a standard background screen with a shaded inactive main menu where the “<F2> Customize System/View Logs <F12> Shut Down/Restart” tip and the IP address to manage the host are displayed. Notice that after setting a custom welcome message you will see only this set message on the black screen. You can type “Press F2” manually to avoid confusion. The custom message can be used for hiding information about your ESXi host on the display connected to the ESXi host when a user is not logged in.

esxcli system welcomemsg set -m="Welcome to NAKIVO! Press F2"

Verify whether the welcome message is already set:

esxcli system welcomemsg get

Network settings

The network namespace is one of the largest namespaces of ESXCLI. Let’s explore the commands that can be useful for diagnostics.

Check the status of active network connections:

esxcli network ip connection list

View the list of installed network adapters:

esxcli network nic list

Display the information about network interfaces:

esxcli network ip interface list

Display the information about IP addresses of the network interfaces that are present on the server:

esxcli network ip interface ipv4 get

Display the network information for VMs:

esxcli network vm list

View the domain search settings:

esxcli network ip dns search list

View the DNS servers set in the network settings:

esxcli network ip dns server list

List virtual switches and port groups:

esxcli network vswitch standard list

Show statistics for the vmnic0 network interface:

esxcli network nic stats get -n vmnic0

Check the firewall status and rule settings:

esxcli network firewall get

esxcli network firewall ruleset list

Note: The default firewall policy is to drop traffic if the opposite rules are not set.

You can temporary disable the firewall on an ESXi host for troubleshooting:

esxcli network firewall set --enabled false

The firewall must be enabled with the command:

esxcli network firewall set --enabled true

It is recommended to have the ESXi firewall enabled for security reasons.

The network namespace includes many commands. Only basic and the most popular of them are considered in the Network section of today’s blog post. It is possible to configure a high number of network parameters with esxcli, but would require a long walkthrough that is out of scope for today’s article.

Storage

The storage namespace allows you to check and edit storage settings.

Check the information about mounted VMFS volumes:

esxcli storage vmfs extent list

View mappings of VMFS file systems to disk devices:

esxcli storage filesystem list

List all the iSCSI paths on the system:

esxcli storage core path list

Display the list of mounted NFS shares:

esxcli storage nfs list

How do you check SMART with esxcli? S.M.A.R.T. is useful for disk diagnostics and for preventing disk failure. You can read the S.M.A.R.T. data and, if you discover that something is wrong with your disk, you can make a timely decision to replace the disk.

First, list all storage devices and locate the unique device name (see the screenshot below):

esxcli storage core device list

Then, use the command to get the S.M.A.R.T. data of that disk device:

esxcli storage core device smart get -d naa.50026b7267020435

where naa.50026b7267020435 is the name of the device used in this example.

iSCSI

iSCSI is a widely used protocol for accessing shared storage on a block level, and there is a separate iscsi namespace in ESXCLI for managing the iSCSI storage.

Show the list of available iSCSI adapters:

esxcli iscsi adapter list

Re-discover and re-scan iSCSI adapters:

esxcli iscsi adapter discovery rediscover -A adapter_name

esxcli storage core adapter rescan -A adapter_name

Instead of -A adapter_name you can rescan all adapters by using the --all option.

Software

Software packages intended for ESXi are usually distributed as VIB files (vSphere installation bundle). A VIB file is similar to a container with zipped packages that can be installed in the system, with a descriptor and a signature file. In turn, VIBs are usually distributed as files packed into an archive file in the standard ZIP format. You may need to include VIBs into an ESXi image in order to use the appropriate hardware or install VIBs in an existing system for applying a security patch.

You can view the list of VIB packages installed on your ESXi host:

esxcli software vib list

You can install a VIB with ESXCLI (the ESXi host must be in maintenance mode):

esxcli software vib install -d /vmfs/volumes/datastore1/patches/patch_name.zip

VM operations

The vm namespace can be used for operations on running virtual machines processes.

Check the list of running VMs and display their World IDs:

esxcli vm process list

You can kill the unresponsive virtual machine with ESXi shell commands. Using ESXCLI, in this case, can be helpful when a VM cannot be shut down via GUI, such as the GUI of VMware vSphere Client, VMware Host Client or VMware Workstation.

Shut down the VM by using the World ID displayed in the output of the esxcli vm process list command. In the current example, the World ID of the necessary VM is 75498.

esxcli vm process kill -w 75498 -t soft

If the soft command type was not helpful, consider performing an immediate shut down of the VM by using the hard method.

esxcli vm process kill -w 75498 -t hard

There are three available command options for the kill command:

soft - a correct signal is sent in the guest operating system to shut down a VM correctly;

hard - a VM is shut down immediately;

force - VM is powered off similarly to how a computer is powered off when unplugging the power cable. Only use this type of powering off the VM if the previous two types were unsuccessful.

Other Useful ESXi Shell Commands

Besides ESXCLI commands, you can use a lot of ESXi shell commands. The ESXi shell commands list that may be useful for you is provided below.

Open the ESXi DCUI from the console (the colors are different when you connect to the ESXi shell via SSH):

dcui

Press Ctrl+C to go back to the command prompt.

Convert a thick provisioned virtual disk to a thin provisioned virtual disk by using vmkfstools:

vmkfstools -i /vmfs/volumes/vmfs_datastore/vm_name/thick_disk.vmdk -d thin /vmfs/volumes/vmfs_datastore/vm_name/new_thin_disk_name.vmdk

Among ESXi shell commands, vmkfstools is a powerful command for performing storage operations as well as managing storage devices, VMFS volumes, and virtual disks. Read more about thick and thin provisioning as well as virtual disk shrinking in the blog post.

Open the ESXi task manager:

esxtop

After opening the task manager with the esxtop command, you can switch between tabs by pressing the appropriate keys:

C - CPU

I – interrupt

M – memory

N – network

D – disk adapter

U – disk device

V – disk VM

P – power management

Find the file in the current directory:

find . -name filename.txt

Replace the . character with the name of the directory in which you would like to locate a file, and replace filename.txt with your file name. For example, if you wish to find a diskname.vmdk file in the /vmfs/volumes/ directory, run the command:

find /vmfs/volumes/ -name diskname.vmdk

Open the interactive VMware console:

vsish

Show loaded vmkernel drivers:

vmkload_mod --list

Check the settings of the swap partition:

esxcli sched swap system get

You can list users by using one of the following commands:

esxcli system account list

cat /etc/passwd or less/etc/passwd

Creating a new user

There are at least two methods of creating a new ESXi user by using ESXi shell commands.

Using the adduser command

If you type the adduser command in the ESXi console, you will get the message:

-sh: adduser: not found

You should define the full path to the appropriate busybox binary to run this command:

/usr/lib/vmware/busybox/bin/busybox adduser

Now you can see the usage options for this command.

Finally, run the exact command to add an ESXi system user:

/usr/lib/vmware/busybox/bin/busybox adduser -s /bin/sh -G root -h / user1

Where:

-s /bin/sh is a shell used after user login;

-G root – the group name whose member is a new user (the root group);

-h / is a home directory (the root directory) of a new user;

user1 is the user name.

Enter a new password and confirm the password when prompted.

Using ESXCLI

As an alternative, you can add a new user just with the one command by using esxcli:

esxcli system account add -d="test user" -i="username" -p="Password-Test321" -c="Password-Test321"

Where:

-d means the displayed description

-p is the password set for the new user

-c is the password confirmation

Which method of creating a new user in the command line is better? The single command used in the second method may appear to be the optimal method for creating a new user, but it is not entirely true on account of security reasons. If you’ve been attentive, you should be able to remember the warning message displayed right after logging in to the ESXi shell:

All commands run on the ESXi shell are logged and may be included in support bundles. Do not provide passwords directly on the command line. Most tools can prompt for secrets or accept them from standard input.

If security is a concern for you, enter commands without including passwords as plain text into the commands. If a password is needed, it is usually prompted and can be entered in the standard console input. For example, if you would likr to create a new user with ESXCLI, use a command like:

esxcli system account add -d="user2" -i="user2" -p -c

A password will be prompted separately and will not be displayed in the console while entering the password.

Conclusion

Today’s blog post has covered a series of ESXi shell commands including ESXCLI commands. Using the command line interface in ESXi gives you more power in addition to nice graphical user interfaces of VMware vSphere Client and VMware Host Client for managing ESXi hosts. You can use ESXi shell commands for viewing and configuring settings that are hidden or not available in the GUI. Use the ESXi shell commands list provided in this blog post for fine ESXi tuning and experience the extra power of using the command line interface in VMware vSphere. You can learn more by reading about PowerCLI, another type of the command line interface for managing VMware vSphere from Windows PowerShell.

CTRL+ALT+END : Open the Microsoft Windows NT Security dialog box (CTRL+ALT+DEL)
ALT+PAGE UP : Switch between programs from left to right (CTRL+PAGE UP)
ALT+PAGE DOWN : Switch between programs from right to left (CTRL+PAGE DOWN)
ALT+INSERT : Cycle through the programs in most recently used order (ALT+TAB)
ALT+HOME : Display the Start menu (CTRL+ESC)
CTRL+ALT+BREAK : Switch the client computer between a window and a full screen
ALT+DELETE : Display the Windows menu
CTRL+ALT+Minus sign (-) : Place a snapshot of the entire client window area on the Terminal server clipboard and provide the same functionality as pressing ALT+PRINT SCREEN on a local computer (ALT+PRT SC)
CTRL+ALT+Plus sign (+) : Place a snapshot of the active window in the client on the Terminal server clipboard and provide the same functionality as pressing PRINT SCREEN on a local computer (PRT SC)

In the elevated command prompt, copy and paste the command below and press enter
slmgr.vbs /upk
Remove productkey Windows 7 Registry
In the elevated command prompt, copy and paste the command below and press enter
slmgr.vbs -cpky

Download Extpart van de Dell Site
Als je deze uitpakt wordt hij geinstalleerd in C:\dell\ExtPart
In de directory staan dan 2 bestanden
extpart.exe
extpart.txt
Mocht je de C:\ partitie willen vergroten met 10 GB
De groote moet je met 1024 vermenigvuldigen dus 10240
Open een command prompt en ga naar C:\dell\ExtPart, tik in extpart c: 10240
Krijg je een melding dat de disk in gebruik is, start dan op in veilige modus dan moet het wel lukken.

Voor een lijst van de Windows versie's >>>Klik hier<<<

Maak een regkey aan met de onderstaande info,

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation]
"Manufacturer"="Asus"
"SupportHours"="9 - 5"
"SupportURL"="www.support.nl"
"Model"="Cooler Master"
"SupportPhone"="1234567890"
"Logo"="C:\logo\logo.jpg"


Pas de gegevens naar wens aan.

Download MSE >>>klik hier voor download<<<
Set Compatiblity mode on Windows 7
Launch file with commandline
C:\Temp\mseinstall.exe /disableoslimit

Start eventviewer op de server,

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012, 2016 and 2019. It also lets you reorder SSL/TLS cipher suites offered by IIS, change advanced settings, implement Best Practices with a single click, create custom templates and test your website.

• Single click to secure your website using Best Practices
• Backup the registry before making any updates
• Change advanced registry settings
• Built in Best Practices, PCI 3.2, Strict and FIPS 140-2 templates
• Create custom templates that can be saved and run on multiple servers
• Revert back to the original server's default settings
• Stop DROWN, logjam, FREAK, POODLE and BEAST attacks
• Enable TLS 1.1 and 1.2
• Enable forward secrecy
• Reorder cipher suites
• Disable weak protocols and ciphers such as SSL 2.0, 3.0, MD5 and 3DES
• Site Scanner to test your configuration
• Command line version

iiscryptocli /backup backup.reg /template "C:\temp\MyServers.ictpl" /reboot

Version 1.0 of the TLS protocol is not secure. As such it needs to be disabled on servers which want to have a PCI compliance. Our GoGeek servers are PCI compliant by default, which is why we have disabled TLS 1.0 on them.

On Windows 7 and Windows 8.0 computers, the applications built on WinHTTP (Windows HTTP Services) such as Outlook, Word, etc. only support TLS 1.0. As a result of this, if you try to establish a secure connection from your Outlook client to a GoGeek server, Outlook will throw an error message "your server does not support the connection encryption type you have specified".

In order to resolve this and allow your Outlook to communicate securely to the GoGeek server using TLS 1.1 and TLS 1.2, you have to do the following:

1. Install the Windows update KB3140245, either through Windows Update where it is available as an Optional Update, or download it from the Microsoft Update Catalog (http://www.catalog.update.microsoft.com/search.aspx?q=kb3140245).
2. Download the file MicrosoftEasyFix51044.msi from the following page and install it on your computer:

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

The file is available for download in the section labeled Easy fix on the above mentioned page. If the easy fix option is not suitable for you and you prefer to edit the registry of your computer manually, the article also provides that information in section "How the DefaultSecureProtocols registry entry works".

Create Registry Key

HKCU\Software\Microsoft\Windows\CurrentVersion\Search

Value name: SearchboxTaskbarMode

Value type: REG_DWORD

Value Data: 0 HEX

Maak een gpo aan met de onderstaande gegevens
Vergeet bij het aanmaken de brakets niet ......

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{59031a47-3f72-44a7-89c5-5595fe6b30ee}"=dword:00000000
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
"{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{018D5C66-4533-4307-9B53-224DE2ED1FE6}"=dword:00000001
"{59031a47-3f72-44a7-89c5-5595fe6b30ee}"=dword:00000000
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
"{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"=dword:00000000

Find Locking Computer Using Event Logs

1. Login to the Domain Controller where authentication took place.
2. Open “Event Viewer“.
3. Expand “Windows Logs” then choose “Security“.
4. Select “Filter Current Log…” on the right pane.
5. Replace the field that says “<All Event IDs>” with “4740“, then select “OK“.
6. 
   
7. Select “Find” on the right pane, type the username of the locked account, then select “OK“.
8. The Event Viewer should now only display events where the user failed to login and locked the account. You can double-click the event to see details, including the “Caller Computer Name“, which is where the lockout is coming from.
9. 
   

@echo Create new E: drive mapping Video
@net use E: \\synology\video /user:synology\gebruikersnaam wachtwoord
@echo Create new F: drive mapping Programma
@net use F: \\synology\Proggies /user:synology\gebruikersnaam wachtwoord
:exit
@pause

@echo Disconnect E: drive mapping Video
@net use /del E:
@echo Disconnect F: drive mapping Programma
@net use /del F:
:exit
@pause

Instructions

We provide a PowerShell script here (also available as a text file) that you can use to return the installed .NET Framework version. Alternatively, we will observe where the code and build number are stored in the Windows registry so you can determine the .NET version manually without running any code on your computer.

PowerShell Method

1. Download the attached script Get-NetFrameworkVersion.ps1
2. Right click the script and select Run With PowerShell
3. The last output will be the version of Framework 4 installed:
   
4. You are now aware of what version of .NET Framework is running on the Windows computer.

Manual Method

1. Launch the registry editor by typing regedit in a Run box.
2. On the left-hand side, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
3. If the Full subkey is not present, then you do not have the .NET Framework 4.5 or later installed.
4. Select the key inside the Full subkey:
   
5. On the right hand side look for the DWORD value Release:
   
6. Take note of the 6 digit number in brackets and look it up in the table below:

Updaten via powershell gaat in 3 stappen,

Zorg voor de installatie dat .net 3.5 is geïnstalleerd

Install de module
install-module pswindowsupdate

Gevolgd door:
import-module pswindowsupdate

Kijk welke updates er beschikbaar zijn

Get-WindowsUpdate

Indien dit niet gaat voor het volgende commando uit
Powershell.exe -ExecutionPolicy Unrestricted

set-executionpolicy -executionpolicy unrestricted

Install de updates

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot

Get-NetAdapterBinding -ComponentID ms_tcpip6

Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

Enable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

Enable-NetAdapterBinding -Name "Wi-Fi" -ComponentID ms_tcpip6

1. In Microsoft Edge, go to edge://flags/#edge-click-once.

2. If the existing value is set to Default or Disabled in the dropdown list, change it to Enabled.

3. Scroll down to the bottom of the browser window and click Restart to restart Edge.

Note: Organizations can use Group Policy to disable ClickOnce support. To check if there is an organizational policy for ClickOnce support, go to edge://policy. The following screenshot shows that ClickOnce is enabled across the entire organization. If this policy value is set to false, you will need to contact an admin in your organization.

Install and run the eDiscovery Export Tool

1. Click Download results on the flyout page of an export in Content Search or an eDiscovery case.

2. You will be prompted with a confirmation to launch the tool, Click Open.

   If the eDiscovery Export Tool isn't installed, you will be prompted with a Security Warning,

3. Click Install. After it's installed, the export tool will launch automatically.

Generic Volume License Keys (GVLK)

In the tables that follow, you will find the GVLKs for each version and edition of Windows. LTSC is Long-Term Servicing Channel, while LTSB is Long-Term Servicing Branch.

Windows Server (LTSC versions)

Windows Server 2022

Windows Server 2019

Windows Server 2016

Windows Server (Semi-Annual Channel versions)

Windows Server, versions 20H2, 2004, 1909, 1903, and 1809

Windows 11 and Windows 10 (Semi-Annual Channel versions)

See the Windows lifecycle fact sheet for information about supported versions and end of service dates.

Windows 10 (LTSC/LTSB versions)

Windows 10 LTSC 2021 and 2019

Windows 10 LTSB 2016

Windows 10 LTSB 2015

Earlier versions of Windows Server

Windows Server, version 1803

Windows Server, version 1709

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008

Earlier versions of Windows

Windows 8.1

Windows 8

Windows 7

To renew RDS grace period, you need to find the following registry key and delete it.

“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod”

Before you can delete the registry key, you need to change ownership. You can do that by following these steps:

1. Right-Click on the key.
2. Click on “Permissions”.
3. Click on “Advanced”.
4. Click on “Owner”.
5. Select “Administrators”.
6. Click on “Apply”

You can now delete the key. Reboot the server and you now have a new grace period.

Setup Offline Root CA

First we will create the CApolicy.inf. This is a configuration file that defines multiple settings that are applied to the root CA certificate and all other certificates issued by the root CA. This file needs to be created before the ADCS is installed on the root CA. For more information about the Syntax go here.

1. Start powershell and type the following line and press “enter”:

notepad c:\windows\capolicy.inf

2. Select “yes” to create the new file

3.  Because this is a lab setup I will only setup some basic settings for the Root CA. I will configure the following settings:

• Renewalinformation for the CA certificate.
• The validity period for the base CRL.
• Disable the AlternateSignatureAlgorithm (more info on why can be found here).
• Disable the DefaultTemplates, these are not used because this is an offline CA.

For this lab I will use a random generated OID which is based on the Microsoft OID. Because these generated OID may not be unique you should request a private enterprise number at IANA (link). This number can be added to the CAPolicy.inf.

[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096 
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=1
AlternateSignatureAlgorithm=0
LoadDefaultTemplates=0

4. Save the file as “capolicy.inf” using “All files” and “ANSI” Encoding.

5. Now we the role can be added and configured. Start the Server manager and select “Add roles and features”

6. The “Add Roles and Features Wizard” will start, press “Next” to continue.

7. Select “Role-based or feature-based installation” and press “Next”

8. Use the default settings and press “Next” to continue.

9. Select “Active Directory Certificate Services”

10. A pop-up will appear, press “Add Features” to continue.

11. Press “Next” to continue

12. Press “Next” to continue.

13. Check if the Servername is correct and press “Next” to continue.

14. Use the default settings, for the Root CA only the “Certification Authority” role is needed.

15. Press “install” to add the Active Directory Certificate Services to the server.

16. When the installation has completed, press the link “Configure Active Directory Certificate Services on the destination server”

17. Use the default settings and press “Next”

18. Select “Certification Authority” and press “Next”

19. Because this server is non-domain joined only Standalone CA can be selected. Press “Next” to continue.

20. As this server is the root of the PKI hierarchy select “Root CA” and press “Next”

21. Select “Create a new private key” and press “Next” to continue.

22. Because this is the Root CA Certificate I use a longer Key length of 4096. This will increase the security.

23. Use the default settings and press “Next” to continue.

24. Because this server will be used in a Test Environment I extend the validity period to 10 years. Press “Next” to continue.

25. Use the default settings and press “Next” to continue.

26. Press “Configure” to configure the server.

27. Press “Close” to continue.

28. Press “Tools” in the Server Manager and select “Certification Authority”

29. Right click the Servername and select “Properties”

30. Select the “Extensions” tab

31. In the “Extensions tab” select the extension “CRL Distribution Point (CDP) and remove all locations except the “C:\*” Location.

32. Because this server will be offline it cannot be contacted, therefore a location needs to be added to the subordinate server. Press “Add” to add the CDP on the Subordinate Server.

33. Enter the following location and press “OK”

http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Replace <serverDNSName> with the dnsname of the Subordinateserver in this demo the location will be:

http://SUBENT-CA02.vmlabblog.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

24. Check the boxes beginning with “Include in CRLs*” and “Include in the CDP*” and press “Apply”

35. Press “No” when asked to restart the service.

36. Select in “Select extension” the “Authority Information Access (AIA)” and remove all locations except the “C:\*” Location.

37. Press “Add” to add the AIA location on the Subordinate Server.

38. Enter the following location and press “OK” 

http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt

Replace <serverDNSName> with the dnsname of the Subordinateserver in this demo the location will be:

http://SUBENT-CA02.vmlabblog.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt

39. Check the box “Include in the AIA extension of issued certificates” and press “Apply”

40. Press “Yes” when asked to restart the service.

41. Select the “General” and select the Root Certificate and press “View Certificate”.

42. Select the tab “Details” and press “Copy to File…”.

43. In the Certificate Export Wizard press “Next”.

44.  Select “DER encoded binary X.509 (.CER)” and press “Next”.

45. In File name enter “C:\Windows\System32\CertSrv\CertEnroll\<CA-NAME>-CA.cer” and press “Next”.

46. Press “Finish” to export the RootCA Certificate.

47. A popup will appear when the export was successful, press “OK” to continue.

The setup of the Offline RootCA is now completed.

Setup Subordinate CA

1. Start the Server manager and select “Add roles and features”

2. The “Add Roles and Features Wizard” will start, press “Next” to continue.

3. Select “Role-based or feature-based installation” and press “Next”

4. Use the default settings and press “Next” to continue.

5. Select “Active Directory Certificate Services”

6. A pop-up will appear, press “Add Features” to continue.

7. Select “Web Server (IIS)

8. A pop-up will appear, press “Add Features” to continue.

9. Press “Next” to continue

10. Press “Next” to continue.

11. Check if the Servername before you start, this cannot be changed after the AD CS role has been installed and press “Next” to continue.

12. Keep the default role services (Certication Authority) and press “Next”

13. On the Web Server Role (IIS) page press “Next”

14. On the Role Services page select “Basic Authentication” and “Windows Authentication”. Press “Next” to continue.

15. In the confirmation screen press “Install” to start the installation.

16. When the installation has completed, press the link “Configure Active Directory Certificate Services on the destination server”

17. Make sure your Domain credentials have been entered and not your local admin credentials. Otherwise you will not be able to configure a Enterprise CA. Press “Next” to continue.

18. Select the box “Certification Authority” and press “Next” to continue.

19. Select “Enterprise CA” and press “Next” to continue. (if Enterprise CA is not available check if the server is domain joined and the credentials entered in step 17)

20. Select “Subordinate CA” and press “Next” to continue.

21. Select “Create a new private key” and press “Next”.

22. Use the default settings and press “Next” to continue.

23. Use the default settings and press “Next” to continue

24. Select the folder to save the Certificate Request and press “Next” to continue. (default is “c:\”)

25. Use the default settings and press “Next” to continue.

26. Press “Configure” to apply the configuration.

27. When the configuration has succeeded a warning is shown. This is just a notification that the untill a certificate of the RootCA has been obtained and applied to the subordinate ca the Configuration is not completed.

28. Switch over to the Offline Root CA (OFFENT-CA01) and browse to the folder “c:\windows\system32\certsrv\certenroll”. There should be three files, select and copy all files.

29. Switch back to the Subordinate CA (SUBENT-CA02) and browse to the folder “c:\windows\system32\certsrv\certenroll”. Paste all the files copied in the previous step.

30. Rightclick the Root CA certificate which you just copied and select “Install Certificate”

31. Select “Local Machine” and press “Next”

32. Press “Browse” and select the “Trusted Root Certification Authorities” store. Press “Next” to continue.

33. Press “Finish” to continue.

34. After some time a popup will appear when the import has finished. Press “OK” to continue

35. Create a new folder in “C:\inetpub\wwwroot” with the name “CertEnroll”

36. Copy the RootCA Certificate and Certifate Revocation List from “C:\Windows\System32\CertSrv\CertEnroll” to “C:\inetpub\wwwroot\CertEnroll”

37. Browse to the location entered in step 20 (default “c:\”) and copy the “*.Req” file to the C: Drive on RootCA server.

38. On the Root CA Server open ” Certification Authority” rightclick the servername and select “All Tasks” -> Submit new request…”

39. Browse to the request file on the C: driver and press “Open”

40. Select “Pending Requests”. Rightclick the pending request and select “All Tasks” -> “Issue”

41. Select “Issued Certificates”. Rightclick the issued certificate and select “Open”

42. Select “Details” and press “Copy to file…”

43. Press “Next” to continue

44. Select “Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)” and check the box “Include all certificates in the certification path if possible”. Press “Next” to continue.

45. Press “Browse…”

46. Enter a name for the certificate and press “Save” (the default location is the Documents folder)

47. Press “Next” to continue.

48. Press “Finish” to export the CA Certificate.

49. After some time a popup will appear when the export has finished. Press “OK” to continue.

50. Copy the CA Certificate from the RootCA ( step 46) and switch to the subordinate server to paste the file.

51. On the Subordinate CA open the Certification Authority. Rightclick the Servername and select “All Tasks” -> “Install CA Certificate”

52. Select the copied CA Certificate and press “Open”

53. Rightclick the Servername and select “All Tasks” -> “Start Service”

The setup of the Subordinate CA is now completed

Setup Group Policy

1. Open “Group Policy Management”

2. Expand “Group Policy Management” -> “Forest: <domain>” -> “Domains” and Rightclick your domain. Select “Create a GPO in this domain, and link it here…” 

3. Enter a name for the policy for example “Root CA Distribution policy” and press “OK”

4. Select the created policy and press “Edit”

5. Go to: “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Public Key Policies” and Rightclick “Trusted Root Certification Authorities” and select “Import”

6. Press “Next” to continue

7. Press “Browse”

8. Browse to <subordinate-ca>\c$\inetpub\wwwroot\CertEnroll and select the RootCA certificate. Press “Open” to continue

9. Press “Next” to continue

10. Use the default settings and press “Next”

11. Press “Finish” to import the Root CA Certificate.

12. After some time when the import has finished a popup will appear. Press “OK” to continue

The Root CA Certificate is now distributed to all domain devices.

Deploy Policy Templates

1. On the Subordinate CA start the “Certification Authority” and select “Certificate Templates”. In the right pane all the out of the box templates are visible. These can be requested by Users, Computers, etc depending on the type.

2. To add a new template rightclick “Certificat Templates” and select “Manage”

3. An overview with all available templates will appear.

4. To avoid editing the original template Rightclick the template and select “Duplicate Template”

5. Give the new template a unique name and press “OK”

6. Rightclick “Certificat Templates” and select “New” -> “Certificate Template to Issue”

7. Select in the “Enable Certificate Templates” list the template which was created and press “OK”

8. The certificate is now visible in the “Certificate Templates” Pane

Test the certificate

9. Logon to a domain joined computer. Start “MMC” and select “file” -> “Add/Remove Snap-in”.

10. Select the “Certificates” snap-in and press “Add”.

11. Select “My user account” in the Certificates snap-in popup and press “Finish”. Press “OK” to close the snap-in manager. (Only select “my user account” for user templates, for computer related templates select “Computer account”)

12. Rightclick “Personal” and select “All Tasks” -> “Request New Certificate”

13. Press “Next”

14. Press “Next” (by default “Active Directory Enrollment Policy” is selected)

15. In the “Request Certificates” overview all available user related policy templates are displayed. The created template should appear. Check the box of the created template and press “Enroll”

16. The template will be requested. After a while the status should be “Succeeded”. Press “Finish” to continue.

17. The new certificate is now visible.

18. When you doubleclick the Certificate and select “Certification Path” you should see the RootCA, SubordinateCA and requested Certificate. All Certificates should be “OK”

This was the final post of the Setup Server 2019 Enterprise CA tutorial.

Download and install administrative templates for Windows Server 2016 and 2019 in your Windows Server 2012 R2 Active Directory

Folow these steps:

1. Download Windows 10 and Windows Server 2016 specific administrative templates – or .admx files.
2. Install the downloaded .msi file Windows 10 and Windows Server 2016 ADMX.msi on a supported system: Windows 10 , Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2. You also need user rights to run the Group Policy Management Editor (gpme.msc), or the Group Policy Object Editor (gpedit.msc). But that’s for later use.
3. The administrative templates are installed in C:\Program Files (x86)\Microsoft Group Policy\Windows 10 and Windows Server 2016, or whatever directory you provided during the installation. Copy over the entire folder PolicyDefinitions to your Primary Domain Controller’s SYSVOL\domain\Policies directory.
4. Verify you’ve copied the folder, and not just the files. The full path is: SYSVOL\domain\Policies\PolicyDefinitions. This is explained in Microsoft’s Technet article Managing Group Policy ADMX Files Step-by-Step Guide.

That’s it, you now have Group Policy Objects available for Windows Server 2016. Let’s enable Win32 long paths support now.

Configure Enable Win32 long paths Group Policy

Protip: learn how to set up WMI filters for Group Policy.

Now that you have your Windows Server 2016 Group Policy Objects available, it’s time to setup a GPO to enable NTFS long path support. Create the GPO in your preferred location, but be sure to target it on Windows Server 2016 only.

Please note that the GPO is called Enable Win32 long paths, not NTFS.

Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process.

Start your Group Policy Management console and click through to the location where you want to add the GPO. Create a new GPO: Create a GPO in this domain, and Link it here..., and provide your GPO with a relevant name.

In the Settings tab, right click and choose Edit…. Now under Computer Configuration in the Group Policy Management Editor, click through to Policies > Administrative Templates > System > Filesystem. Configure and enable the Setting Enable Win32 long paths.

This is all you have to do to create the Group Policy for long Win32 paths. All that is left is to run gpupdate in an elevated cmd.exe command prompt.

Verify LongPathsEnabled registry value

If needed, you can use the following cmd.exe or PowerShell commands to verify the LongPathsEnabled registry value is set correctly:

Code language: PowerShell (powershell)

Code language: PowerShell (powershell)

A reboot is not required, and don’t forget your Windows Server 2019 servers.

Get-NetFirewallProfile

Get-NetFirewallProfile | Format-Table Name, Enabled

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled false

set-NetFirewallProfile -Profile Domain -Enabled false

The edition configuration (EI.cfg) file and the product ID (PID.txt) file are optional configuration files that you can use to specify the Windows® product key and the Windows edition during Windows installation. You can use these files to automate the product-key entry page in Windows Setup instead of using an answer file. If you use an EI.cfg file to differentiate volume license media, but you do not include a PID.txt file, the user receives a prompt for a product key to continue Windows Setup.

You can reuse the product key in the product ID file for multiple installations. The product key in the product ID file is only used to install Windows. This key is not used to activate Windows. For more information, see Work with Product Keys and Activation.

Using EI.cfg and PID.txt

1. Create these configuration files in a text editor such as Notepad.

2. Save the files into the \Sources folder on the installation media. Windows Setup will use these files automatically during installation.

3. Run Windows Setup. Setup uses these files during the Windows PE configuration pass as soon as it is launched.

Note   An answer file takes precedence over these files. If you use an answer file during installation, Windows Setup ignores the EI.cfg and PID.txt files.

EI.cfg Format

The EI.cfg file specifies the values for the edition ID, the channel, and the volume license.

The EI.cfg file has the following format:

[EditionID]
{Edition ID}
[Channel]
{Channel Type}
[VL]
{Volume License}

{Edition ID} must be a valid Windows edition ID, for example, "Enterprise". To obtain the current EditionID, use the Dism /Get-ImageInfo command or the Dism /Get-CurrentEdition command. For more information, see Take Inventory of an Image or Component Using DISM and DISM Windows Edition-Servicing Command-Line Options.

{Channel Type} must be either "OEM" or "Retail"

{Volume License} must be either 1, if this is a volume license, or 0, if this is not a volume license. For example:

[EditionID]
Enterprise
[Channel]
OEM
[VL]
0

PID.txt Format

The PID.txt file contains the product key for the edition of Windows that you are installing.

The PID.txt file has the following format:

[PID]
Value=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

where XXXXX-XXXXX-XXXXX-XXXXX-XXXXX is the product key.

Troubleshooting

"The product key entered does not match any of the Windows images available for installation. Enter a different product key.": You may need to download a separate version of Windows. OEM versions are only available to OEMs, and volume licenses are only available to MSDN subscribers.

Related topics

Work with Product Keys and Activation

Windows Setup Command-Line Options

Windows Setup States

Run the following command:

fsutil file createnew <file> <size in bytes>

For example, this command will create a 1GB file called 1gb.test on my desktop:

fsutil file createnew c:\users\steve\desktop\1gb.test 1073741824

The key is to input the size of the file in bytes so here are some common file sizes to save you from math:

1 MB = 1048576 bytes

100 MB = 104857600 bytes

1 GB = 1073741824 bytes

10 GB = 10737418240 bytes

100 GB =107374182400 bytes

1 TB = 1099511627776 bytes

10 TB =10995116277760 bytes

Use this link for the converter

Export-WindowsDriver -Online -Destination C:\drivers

Om te voorkomen dat er iets wordt geinstalleerd met admin rechten kun je een registry key toepassen dat altijd om het wachtwoord wordt gevraagd en niet alleen een bevestiging hoeft te geven.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000001

Open een command prompt met administrator rechten

Voer onderstaand commando in,

wmic path SoftwareLicensingService get OA3xOriginalProductKey

There are two installation paths available:

1. Upgrade by launching Setup on the media while running Windows 10. You will have the option to: 
   
   a. Perform a Full Upgrade, which keeps personal files (including drivers), apps, and Windows Settings. This is the default experience and is the one that Installation Assistant uses.
   
   b. Keep Data Only will keep personal files (including drivers) only, not apps and not Windows Settings.
    
   c. Clean Install will install Windows 11 and keep nothing from the Windows 10 installation. For more info, see Give your PC a Fresh Start.

Here is the regkey

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup]
"AllowUpgradesWithUnsupportedTPMOrCPU"=dword:00000001

How to disable Windows Defender Antivirus using Group Policy

On Windows 10 Pro, it's possible to use the Group Policy Editor to disable the Windows Defender Antivirus permanently.

1. Use the Windows key + R keyboard shortcut to open the Run command.
2. Type gpedit.msc and click OK to open the Local Group Policy Editor.

3. Browse the following path:

   Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus

4. On the right side, double-click the Turn off Windows Defender Antivirus policy.
5. Select the Enabled option.
6. Click Apply.
7. Click OK.

8. Browse the following path:

   Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Real-time Protection

9. On the right side, double-click the Turn on behavior monitoring policy.

10. Select the Disabled option.
11. Click Apply.

12. Click OK.

13. On "Real-time Protection," double-click the Monitor file and program activity on your computer policy.

14. Select the Disabled option.
15. Click Apply.

16. Click OK.

17. On "Real-time Protection," double-click the Turn on process scanning whenever real-time protection is enabled policy.
18. Select the Disabled option.
19. Click Apply.

20. Click OK.

21. On "Real-time Protection," double-click the Turn on behavior monitoring policy.
22. Select the Disabled option.
23. Click Apply.

24. Click OK.

25. Restart your computer.

Once you've completed the steps, Windows Defender Antivirus will no longer scan and detect malware on your device, even after restarting your computer.

At any time, you can enable the Windows Defender Antivirus using the same steps, but on step No. 5, 10, and 14, make sure to select the Not Configured option. Then just restart your device to apply the changes.

How to disable Windows Defender Antivirus using Registry

The Local Group Policy Editor is not available on Windows 10 Home, but you can still achieve the same results changing the Registry settings.

Warning: This is a friendly reminder that editing the registry is risky, and it can cause irreversible damage to your installation if you don't do it correctly. It's recommended to make a full backup of your PC before proceeding.

1. Use the Windows key + R keyboard shortcut to open the Run command.
2. Type regedit, and click OK to open the Registry.

3. Browse the following path:

   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

4. Right-click on the Windows Defender (folder) key, select New, and click on DWORD (32-bit) Value.

5. Name the key DisableAntiSpyware and press Enter.
6. Double-click the newly created key and set the value from 0 to 1.

7. Click OK.

8. Right-click on the Windows Defender (folder) key, select New, and click on Key.

9. Name the key Real-Time Protection and press Enter.

10. Right-click on the Real-Time Protection (folder) key, select New, and click on DWORD (32-bit) Value.
11. Name the key DisableBehaviorMonitoring and press Enter.
12. Double-click the newly created key and set the value from 0 to 1.

13. Click OK.

14. Right-click on the Real-Time Protection (folder) key, select New, and click on DWORD (32-bit) Value.
15. Name the key DisableOnAccessProtection and press Enter.
16. Double-click the newly created key and set the value from 0 to 1.

17. Click OK.

18. Right-click on the Real-Time Protection (folder) key, select New, and click on DWORD (32-bit) Value.
19. Name the key DisableScanOnRealtimeEnable and press Enter.
20. Double-click the newly created key and set the value from 0 to 1.

21. Click OK.

After completing the steps, simply restart your computer to disable the Windows Defender Antivirus permanently.

If you change your mind, you can always revert the changes using the same instructions, but on step No. 3, right-click the DisableAntiSpyware key, and select Delete. Then inside the Windows Defender (folder) key, right-click the Real-Time Protection (folder) key and select Delete to remove key and its content. Finally, restart your device to complete reverting the changes.

How to disable Windows Defender Antivirus using Security Center

Alternatively, if you're installing a piece of software that requires deactivating the antivirus to install correctly, or you simply want to disable the Windows 10 built-in antivirus temporarily, you can use the following steps:

1. Open Windows Defender Security Center.
2. Click on Virus & threat protection.

3. Click the Virus & threat protection settings option.

4. Turn off the Real-time protection toggle switch.

After completing the steps, Windows Defender Antivirus will be disabled making it unable to monitor and stop malware from taking over your device. However, this is a temporary solution, eventually, the antivirus will re-activate automatically after you restart your device.

Wrapping things up

While there could be scenarios where you may need to disable the antivirus, it's never recommended to have your device without malware protection.

If you're trying to get rid of Windows Defender Antivirus because you prefer another security software, you should know that the built-in antivirus will disable itself automatically during the installation of third-party security software.

It's should also be noted that the shield icon will continue to appear in the notification area of the Taskbar because it's the Windows Defender Security Center icon, not merely dedicated to the antivirus.

In the case you don't like the default anti-malware solution, here are a few alternatives that won't cost you a penny for basic protection

In Windows Server 2019 you may notice that the desktop icons such as My Computer are missing, however when you goto

Personalization > Themes > Desktop icon settings

You see the error
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

The quickest way to resolve this is to ignore the modern UI and

desk.cpl ,5

From here you can easily add the My Computer icon

Add user
net user test test123 /add

Add user to group administrators
net localgroup administrators test /add

Delete user
net user test /del

Disable user
net user test /active:no

Enable user
net user test /active:yes

Saved queries is a function in the Active Directory users and Computers MMC. It lets you create and save queries that can be used later.

1. Open Active Directory Users and Computers

2. Rick click “Saved Queries” then select “New” then “Query”

3. Name the Query

In this example I named it “All Locked out User Accounts”

4. Click “Define Query”

5. Select “Custom Search”

Click the “Advanced tab”

6.In the box copy and paste this query string below

(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))

Then click “OK”

You will now have a saved query that can be used over and over again.

That’s how you create a saved query to find locked accounts. This query will be saved and used repeatedly to find locked accounts.

Methods 2: PowerShell

Using PowerShell to find all the locked user accounts is a simple command.

1. Open PowerShell

2. From the PowerShell command line type the following command:

Search-ADAccount -LockedOut

You can see this returns the same users as my saved query.

Both methods are great for quickly finding all the locked accounts in Active Directory. Either method will make administration more efficient and may reveal some suspicious activity in AD.

Geeft weer interface met een Ip connectie

Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE

Geeft weer de IP adressen op de host

Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Select-Object -Property IPAddress

Geeft weer de MAC adressen

get-wmiobject Win32_NetworkAdapterConfiguration | format-table MacAddress, Description -autosize

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="vul hier in de FQDN,0x1"
"Type"="NTP"

Open een command prompt als administrator,


vul in het volgende commando

desk.cpl ,5

Get-Filehash Demo.zip -Algorithm MD5

MACTripleDES
MD5
RIPEMD160
SHA1
SHA256
SHA384
SHA512

Algorithm Hash Path
--------- ---- ----
MACTRIPLEDES 236B9FD6738AC645 C:\Demo.zip

Algorithm Hash Path
--------- ---- ----
MD5 1D8EA14B4E06EFA3A8247169BD087AA7 C:\Demo.zip

Algorithm Hash Path
--------- ---- ----
RIPEMD160 5502E53C91B5B07104BF5556D79E14D50B0158FD C:\Demo.zip

Algorithm Hash Path
--------- ---- ----
SHA1 CE3FB50D284B71855A085851FD23243EB3C891FD C:\Demo.zip

Algorithm Hash Path
--------- ---- ----
SHA256 2807B649D02D96EEAAFEB1311E4E4015C0446A17160DEAC58473B52F0E148189 C:\Demo.zip

Algorithm Hash Path
--------- ---- ----
SHA384 C701DE81685A73FE809D115A08393843513C1C20EA362B230B2130D709169418C42... C:\Demo.zip

Algorithm Hash Path
--------- ---- ----
SHA512 212AE5CB315D46D9AFD7BD9CF99E7324D4108F600CE787D82833F3063C3A00C1727... C:\Demo.zip

robocopy C:\docs D:\Docs /e /copy:DAT /mt /z
robocopy C:\Backup D:\Backup /e /copy:DAT /mt /z
robocopy C:\Scripts D:\Scripts /e /copy:DAT /mt /z

ipconfig /all | findstr DNS

ipconfig /displaydns | clip

nslookup www.ictweetjes.nl

getmac /V

chkdsk /f

chkdsk /r

sfc /scannow

DISM /Online /Cleanup-Image /CheckHealth

DISM /Online /Cleanup-Image /ScanHealth

DISM /Online /Cleanup-Image /RestoreHealth

tasklist | findstr Teams

taskkill /f /pid 20184

netsh wlan show wlanreport

netsh interface show interface

netsh interface ip show address | findstr "IP Address"

netsh advfirewall set allprofiles state off

netstat -o

shutdown /r /fw /f /t 0

Alle edities van Windows (behalve de Home editie) kunnen lokaal geinstalleerd worden zonder een Microsoft account in te hoeven geven.
Zorg dat je internetverbinding verbroken is voor of net na het begin van de installatie.

De Windows Home editie is (officieel) niet met een lokaal account te installeren.
Op de volgende manier krijg je toch een lokaal geinstalleerd:

1: Start de installatie zonder actieve netwerkverbinding.
2: Als je op het scherm komt dat om een netwerkverbinding vraagt, druk je op Shift+F10 om een commandprompt te openen.
3: Type nu het volgende commando, gevolgd door een enter: taskkill /F /IM oobenetworkconnectionflow.exe
4: Sluit de commandprompt.

Als je nu om een reguliere accountnaam wordt gevraagd, heb je de verplichting voor een Microsoft-account succesvol omzeild.

Om dit te kunnen doen heb je een van onderstaande KMS keys nodig afhankeleijk van je versie.

Home: TX9XD-98N7V-6WMQ6-BX7FG-H8Q99
Home N: 3KHY7-WNT83-DGQKR-F7HPR-844BM
Home Single Language: 7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH
Home Country Specific: PVMJN-6DFY6–9CCP6–7BKTT-D3WVR
Professional: W269N-WFGWX-YVC9B-4J6C9-T83GX
Professional N: MH37W-N47XK-V7XM9-C7227-GCQG9
Education: NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
Education N: 2WH4N-8QGBV-H22JP-CT43Q-MDWWJ
Enterprise: NPPR9-FWDCX-D2C8J-H872K-2YT43
Enterprise N: DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4

Voor de Home versie 

Open een command prompt als administrator

Slmgr /ipk TX9XD-98N7V-6WMQ6-BX7FG-H8Q99

slmgr /skms kms8.msguides.com

slmgr /ato

Voor de Professional versie

Open een command prompt als administrator

Slmgr /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX

slmgr /skms kms8.msguides.com

slmgr /ato

Om toch nog updates te krijgen voor Windows 7 moeten er 2 hotfixen worden gedraait en wel,

Voor de X86 versie

Als Eerste de Windows6.1-KB3020369-x86.msu
en dan de windows6.1-kb3125574-v4-x86_ba1ff5537312561795cc04db0b02fbb0a74b2cbd.msu

Voor de x64 Versie

Als Eerste de windows6.1-kb3020369-x64
en dan de windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu

Daarna een reboot

You like to export the Let’s Encrypt certificate private key and import it on the other Exchange Servers. You first need to import the private key. This way you will be able to export the Let’s Encrypt certificate in Windows. The next step is to export the certificate.

Export Let's Encrypt certificate in Windows Server

Let’s Encrypt SSL certificate is not exportable

It’s good to know what happens if you don’t have the private key installed. Let’s see it in action.

Start MMC (Microsoft Management Console) and add the certificate snap-in. Right-click the Let’s Encrypt certificate and click All Tasks. Click Export…

The certificate export wizard is showing. Click Next.

The option we need is Yes, export the private key. We can’t select the option to export the private key because it’s greyed out. Click Cancel to go back.

In the next step, we are going to import the private key. When imported, we will do the same step as we just did. This time we will be able to select the option to export the private key. More on that later in the article.

Find private key password in Win-ACME

Before we can import the private key on the system, we have to get the certificate password. The certificate password can be found in the Win-ACME client.

Go to the Win-ACME folder and start the Win-ACME client. Select A to manage renewals and press Enter.



Select D to show the renewal details and press Enter.

Find the certificate .pfx password and copy the password. In my example it’s n8LVJLxx2vQrC3QB2G7cn/mdeMK/RyGMBt8ECq8GYjs=.

Now that we have the password for the private key, we can import the certificate in the system.

Import private key in Windows

Open the following path to find the certificate.

Double-click the certificate to start the certificate import wizard.

Select Local Machine and click Next.

The file name path will be filled in automatically. Click Next.

Paste the private key password that you copied in the earlier step. Check both of the checkboxes:

• Mark this key as exportable. This will allow you to back up or transport your keys at a later time.
• Include all extended properties

Click Next.

Click Next to automatically select the certificate store based on the type of certificate.


Click Finish to complete the certificate import wizard.

Certificate import was successful. Click OK.

The next step is to export the Let’s Encrypt certificate. Remember at the beginning of the article, we couldn’t export the certificate because of the private key not being exportable. Will we be able to select the option now?

Export Let’s Encrypt certificate to PFX

Click the refresh button in the toolbar, if you already have the MMC console open. If you want, you can close the MMC and start a new session.

Start MMC and add the certificate snap-in. Right-click the Let’s Encrypt certificate and click All Tasks. Click Export…

Click Next.

Export is this time selectable. Click Yes, export the private key and click Next.

Check the following checkboxes:

• Include all certificates in the certification path if possible
• Export all extended properties
• Enable certificate privacy

Click Next.

Select the checkbox Password. Fill in a secure password that will protect the certificate. You will need the password when importing the certificate. Click Next.

Click Browse and select a folder that you want to place the certificate in. In my example, it will be in the folder Certs on the C: drive. Make sure to write the name including PFX format.

Click Finish to complete the certificate export wizard.

The certificate export was successful. Click OK.

Start File Explorer and browse to the exported certificate. This is the exported Let’s Encrypt certificate including the private key.

Let’s Encrypt certificate private key is successfully exported in Windows Server. Now that you have the certificate you can import the certificate in another Exchange Server.

Conclusion

In this article, you learned how to export Let’s Encrypt certificate private key. It’s good to export the certificate and import the certificate on other  Exchange Servers. Find the password by starting the Win-ACME client. Install the private key with the password. After that, the certificate is exportable. You should not request a certificate per Exchange Server. One certificate can be installed on all the Exchange Servers.

In this article, we’ll be guiding you through the process of generating Let’s Encrypt certificates on your Windows Server 2022.

Before diving straight into the process make sure that you have the following prerequisites:

1. Create a DNS record that point at your wan adres.
2. Open port 80 and 443 and NAT them to your server. 
3. After that you can close the ports until you need a renewal.

1. Open your Start Menu and search for Server Manager.
2. In Server Manager, you’ll see Add roles and features in the dashboard. Click on it.
3. A new window will open. Click on the Next button to move forward.
4. The next page will ask you to choose between the two types of installation types. Click on Role-based or feature-based installation and then click on the Next button.
5. The next page is Server selection. Click on Select a server from the server pool. You’ll see a Server Pool list. Select your server from it and click on the Next button.
6. From the list of Roles select Web Server (IIS). A pop-up window will appear. Click on the Add Features button without changing anything. Click on Next.
   
7. Don’t make any changes on the next page also and click on the Next button.
8. The next page is Web Server Role (IIS). Click on Next and on the next page leave everything as it is. Click on the Next button.
9. This is the confirmation page. You can review all your selections here and then click on the Install button. This will start the installation.

After this, open a web browser and enter your domain name. You should see something like the following screenshot. This is the default IIS page.

Go to file explorer and navigate to C:\inetpub. Create a new folder and give it the name of your domain. Create a new file here. Name it index.html. Open it with notepad and enter the following code in it.

<!DOCTYPE html>
<html>
<head>
<title>TestPage</title>
</head>
<body>
<h1>Testing is fun</h1>
<p> TestPage</p>
</body>
</html>

1. Go to the search menu and enter IIS.
2.  Open the IIS manager. Under connection on the left panel, click on Host and then Sites.
3. Under sections in the right panel, click on the Add Website.
   

A new pop-up window will open up. Fill in a name in the box under Site Name. The Application pool is supposed to be the same as the Site Name. Under Physical path put the path of the file index.html. Put your website’s address under Hostname and leave everything else as default. Make sure the Start Website immediately checkbox is checked. Click on the OK button.

Open a web browser and visit your website again by entering the domain name. You’ll no longer see the IIS welcome page. Instead, you’ll see the website you created using HTML.

The internet is filled with a host of clients to generate Let’s Encrypt certificates and it is up to you to choose the right fit for you. However, for this tutorial, we’ll be using the win-acme client because of its simple interface and highly developed command-line application. A pro of this client is that it also automatically renews the certificates for you. Follow the following steps to download the client.

1. Go to the Github page of win-acme.

2. Scroll down a little, you’ll see the assets section. Find the zip file with the name win-acme.v2.x.x.x.zip

3. Extract the application after downloading.
   

Find wacs.exe from the folder you downloaded and run it. As it is an application downloaded from the internet, you might get a warning pop-up from Windows Defender. But it is completely safe to run this application as it is open source. Go ahead and click on Run Anyway, under More info.

1. In the application, you’ll be given a couple of options and then asked to choose one of them. Press the N key to choose the Create a new certificate option.
2. Then you’ll be asked to select the kind of certificate you want to create. Press 1 as we want to choose the Single binding of an IIS site.
   

3. You’ll be asked to choose the website you want to generate the certificate for. Choose the test website we created.

4. You’ll now be asked to enter your email address and then agree with the terms and conditions.
   

Yayy!! You have successfully generated an SSL certificate for your website. Not just this, the application will also renew the certificate whenever it’s due.

Open a web browser and try accessing your website using HTTPS. You’ll also see the Connection is secure dialogue box with the certificate section saying it’s valid.

SSL certificates are kind of a must-have now and Let’s Encrypt lets you generate one for yourself easily, as demonstrated in the tutorial above. We hope to have helped you with generating an SSL certificate and securing the connection between the user and the server.

Open a Command Prompt window (cmd) as admin

To check the WinRE status, run

reagentc /info

If the WinRE is installed, there should be a "Windows RE location" with a path to the WinRE directory.
An example is, "Windows RE location: [file://%3f/GLOBALROOT/device/harddisk0/partition4/Recovery/WindowsRE]\\?\
GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE." Here, the number after "harddisk" and "partition" is the index of the disk and partition WinRE is on

To disable the WinRE, run 

reagentc /disable

Shrink the OS partition and prepare the disk for a new recovery partition

To shrink the OS, run

diskpart

list disk 

To select the OS disk, run 

sel disk<OS disk index>  This should be the same disk index as WinRE

To check the partition under the OS disk and find the OS partition, run

list part

To select the OS partition, run

sel part<OS partition index>

shrink desired=250 minimum=250

To select the WinRE partition, run

sel part<WinRE partition index>

To delete the WinRE partition, run 

delete partition override

Create a new recovery partition

First, check if the disk partition style is a GUID Partition Table (GPT) or a Master Boot Record (MBR).  
To do that, run

list disk

Check if there is an asterisk character (*) in the "Gpt" column.  
If there is an asterisk character (*), then the drive is GPT. 
Otherwise, the drive is MBR

If your disk is GPT, run

create partition primary id=de94bba4-06d1-4d40-a16a-bfd50179d6ac 

followed by the command gpt

gpt attributes =0x8000000000000001 

If your disk is MBR,

run create partition primary id=27

list disk

To format the partition, run 

format quick fs=ntfs label="Windows RE tools"

To confirm that the WinRE partition is created, run

list vol

To exit from diskpart, run

exit

To re-enable WinRE, run

reagentc /enable

To confirm where WinRE is installed

reagentc /info

After completing these steps, reboot Windows and check for updates in Windows Update to try and install the KB5034441 security update again !!!

Need help: the Windows RE image was not found

Mount the Windows 10 ISO
Create a folder C:\mount
Open Command Prompt with administrator rights
Mount ISO
dism /mount-wim /wimfile:"E:\sources\install.wim" /index:1 /mountdir:C:\mount /readonly
Copy from C:\mount\Windows\System32\Recovery\winre.wim
To C:\Windows\System32\Recovery

dism /Unmount-image /MountDir:C:\mount /Discard
reagentc /enable
reagentc /info

Change the metrics from the following key in the registry

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics]

"IconSpacing"="-1128"
"IconVerticalSpacing"="-1128"

Or create a reg key file and launch it on your pc

Reboot the system...

To find the product key for your Windows 11 installation on your system, you can use several methods. Here’s how:

1. Using the Command Prompt

You can retrieve the product key using the Command Prompt with a simple command:

1. Press Win + S, type cmd, right-click on Command Prompt, and select Run as administrator.
2. Type or paste the following command and press Enter:
   cmd

   wmic path softwarelicensingservice get OA3xOriginalProductKey
3. The product key should be displayed on the screen.

2. Using PowerShell

You can also use PowerShell to find your product key:

1. Press Win + S, type PowerShell, right-click on Windows PowerShell, and select Run as administrator.
2. Type or paste the following command and press Enter:
   powershell

   (Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
3. The product key will be displayed.

3. Check in the Registry

You can find the product key stored in the Windows Registry, although it's often encrypted:

1. Press Win + R, type regedit, and press Enter to open the Registry Editor.
2. Navigate to the following path:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
3. Look for the entry labeled BackupProductKeyDefault. This might show your product key if it's stored in a readable format.

4. Using a Third-Party Tool

There are various third-party tools available that can help you retrieve your Windows product key:

• Belarc Advisor: A popular tool that provides detailed information about your system, including the Windows product key.
• ProduKey by NirSoft: A lightweight tool specifically designed to display product keys for Windows and other software installed on your computer.

5. Check Documentation or Email

If you purchased Windows 11, the product key might also be found:

• On a sticker attached to your PC (for OEM licenses).
• In an email confirmation from Microsoft or a retailer.
• In the physical packaging if you purchased a boxed copy of Windows.

Note:

• Digital License: If your Windows 11 is activated with a digital license (linked to your Microsoft account), you won't have a product key. Instead, Windows will automatically activate when you reinstall or upgrade as long as you sign in with your Microsoft account.

If you have a pre-installed OEM version, the product key might be embedded in the firmware, and these methods should retrieve it.

plaats onderstaande tekst in het .htaccess bestand in de root van je website....

RewriteEngine On

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\Comodo\DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.+$
RewriteRule ^(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<IfModule mod_rewrite.c>
RewriteEngine on

Maak een bestand aan met de naam .htaccess

Plaats hierin de onderstaande tekst

Options +Indexes

Create a .htaccess file in the wp-admin dir or Administrator dir and past the correct lines below and change the ip address that is write for you.

For Wordpress
in the public_html/wp-admin create a .htaccess file and past tekst below and edit the IP address to that you need

# BEGIN Restrict WP-Admin Access To Specific IPsorder deny,allow

# whitelisted IP addresses
allow from xx.xxx.xx.xxx
deny from all

# END Restrict WP-Admin Access To Specific IPs

For Joomla
in the public_html/administrator create a .htaccess file and past tekst below and edit the IP address to that you need

# BEGIN Restrict Administrator Access To Specific IPs

order deny,allow
# whitelisted IP addresses
allow from xx.xxx.xx.xxx
deny from all

# END Restrict Administrator Access To Specific IPs

Installing a Web Server

In this section, I will show you how to install a web server on CentOS 7. I included this section so that you can have a real life experience on what I am talking about.

The most widely used web server software is Apache. Apache is available on the official package repository of CentOS 7.

To install Apache web server, run the following command:

Press ‘y’ and then press <Enter> to continue.

Apache web server should be installed.

Now run the following command to check whether Apache HTTP server is running or not:

As you can see from the screenshot below, the Apache HTTP server is not running.

You can start Apache HTTP server with the following command:

You will want the Apache HTTP server to start automatically on system boot. You can add Apache HTTP server to the startup with the following command:

Apache HTTP server is added to the startup.

Now open up a web browser and go to http://localhost

You should see the following page as shown in the screenshot below.

Checking for Open Ports with nmap

First check the IP address of your CentOS 7 server with the following command:

As you can see from the screenshot below, the IP address of my CentOS 7 server is 192.168.10.97

You can check for all the open ports with nmap utility from another computer as follows:

As you can see, right now, only the port 22 is open. What we are interested in is opening only port 80 and closing others.

Opening Port 80 and Closing Others

First check all the allowed services with the following command:

As you can see I have dhcpv6-client and ssh services allowed from outside. You may have more or less services allowed.

Now you have to disable them one by one.

You can remove the ssh service with the following command:

You can remove the dhcpv6-client service with the following command:

Now add HTTP service or port 80 with the following command:

Once you’re done, restart firewalld with the following command:

Now if you check the firewalld services again:

You should see only http service allowed as marked in the screenshot below.

Now you may do a port scan with nmap from another computer:

You should be able to see only port 80 open as shown in the screenshot below.

You can also test whether you can access the web server if you open up a browser and type in the web server’s IP address.

I can access the web server from a browser as you can see from the screenshot below.

So that’s how you open port 80 and block every other ports on CentOS 7. Thanks for reading this article.

Samba is a free and open-source re-implementation of the SMB/CIFS network file sharing protocol that allows end users to access files, printers, and other shared resources.

In this tutorial, we will show how to install Samba on CentOS 7 and configure it as a standalone server to provide file sharing across different operating systems over a network.

We’ll create the following Samba shares and users.

Users:

• sadmin - An administrative user with read and write access to all shares.
• josh - A regular user with its own private file share.

Shares:

• users - This share will be accessible with read/write permissions by all users.
• josh - This share will be accessible with read/write permissions only by users josh and sadmin.

The file shares will be accessible from all devices on your network. Later in the tutorial, we will also provide detailed instructions on how to connect to the Samba server from Linux, Windows and macOS clients.

Prerequisites

Before you begin, make sure you are logged in to your CentOS 7 system as a user with sudo privileges.

Installing Samba on CentOS

Samba is available from the standard CentOS repositories. To install it on your CentOS system run the following command:

sudo yum install samba samba-client

Once the installation is completed, start the Samba services and enable them to start automatically on system boot:

sudo systemctl start smb.service
sudo systemctl start nmb.service

sudo systemctl enable smb.service
sudo systemctl enable nmb.service

SELinux Configuration

vim /etc/sysconfig/selinux

Set SELinux value to disabled.

The smbd service provides file sharing and printing services and listens on TCP ports 139 and 445. The nmbd service provides NetBIOS over IP naming services to clients and listens on UDP port 137.

Configuring Firewall

Now that Samba is installed and running on your CentOS machine, you’ll need to [configure your firewall](https://linuxize.com/post/how-to-setup-a-firewall-with-firewalld-on-centos-7/ and open the necessary ports.
To do so, run the following commands:

firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --zone=public --add-service=samba

firewall-cmd --reload

Creating Samba Users and Directory Structure

For easier maintainability and flexibility instead of using the standard home directories (/home/user) all Samba directories and data will be located in the /samba directory.

Start by creating the /samba directory:

sudo mkdir /samba

Create a new group named sambashare. Later we will add all Samba users to this group.

sudo groupadd sambashare

Set the /samba directory group ownership to sambashare:

sudo chgrp sambashare /samba

Samba uses Linux users and group permission system but it has its own authentication mechanism separate from the standard Linux authentication. We will create the users using the standard Linux useradd tool and then set the user password with the smbpasswd utility.

As we mentioned in the introduction, we’ll create a regular user that will have access to its private file share and one administrative account with read and write access to all shares on the Samba server.

Creating Samba Users

To create a new user named josh, use the following command:

sudo useradd -M -d /samba/josh -s /usr/sbin/nologin -G sambashare josh

The useradd options have the following meanings:

• -M -do not create the user’s home directory. We’ll manually create this directory.
• -d /samba/josh - set the user’s home directory to /samba/josh.
• -s /usr/sbin/nologin - disable shell access for this user.
• -G sambashare - add the user to the sambashare group.

Create the user’s home directory and set the directory ownership to user josh and group sambashare:

sudo mkdir /samba/joshsudo chown josh:sambashare /samba/josh

The following command will add the setgid bit to the /samba/josh directory so the newly created files in this directory will inherit the group of the parent directory. This way, no matter which user creates a new file, the file will have group-owner of sambashare. For example, if you don’t set the directory’s permissions to 2770 and the sadmin user creates a new file the user josh will not be able to read/write to this file.

sudo chmod 2770 /samba/josh

Add the josh user account to the Samba database by setting the user password:

sudo smbpasswd -a josh

You will be prompted to enter and confirm the user password.

New SMB password:
Retype new SMB password:
Added user josh.

Once the password is set, enable the Samba account by typing:

sudo smbpasswd -e josh

Enabled user josh.

To create another user repeat the same process as when creating the user josh.
 

Next, let’s create a user and group sadmin. All members of this group will have administrative permissions. Later if you want to grant administrative permissions to another user simply add that user to the sadmin group.

Create the administrative user by typing:

sudo useradd -M -d /samba/users -s /usr/sbin/nologin -G sambashare sadmin

The command above will also create a group sadmin and add the user to both sadmin and sambashare groups.

Set a password and enable the user:

sudo smbpasswd -a sadmin
sudo smbpasswd -e sadmin

Next, create the Users share directory:

sudo mkdir /samba/users

Set the directory ownership to user sadmin and group sambashare:

sudo chown sadmin:sambashare /samba/users

This directory will be accessible by all authenticated users. The following command configures write/read access to members of the sambashare group in the /samba/users directory:

sudo chmod 2770 /samba/users

Configuring Samba Shares

Open the Samba configuration file and append the sections:

sudo vim /etc/samba/smb.conf  

/etc/samba/smb.conf  

[users]    
path = /samba/users    
browseable = yes    
read only = no    
force create mode = 0660    
force directory mode = 2770    
valid users = @sambashare @sadmin

[josh]    
path = /samba/josh    
browseable = no    
read only = no    
force create mode = 0660    
force directory mode = 2770    
valid users = josh @sadmin  

The options have the following meanings:
[users] and [josh] - The names of the shares that you will use when logging in.
path - The path to the share.
browseable - Whether the share should be listed in the available shares list. By setting to no other users will not be able to see the share.
read only - Whether the users specified in the valid users list are able to write to this share.
force create mode - Sets the permissions for the newly created files in this share.
force directory mode - Sets the permissions for the newly created directories in this share.
valid users - A list of users and groups that are allowed to access the share. Groups are prefixed with the @ symbol.

For more information about available options see the Samba configuration file documentation page.

Once done, restart the Samba services with:

sudo systemctl restart smb.service
sudo systemctl restart nmb.service  

Korte versie 

create dir public

chmod 777 public

yum install samba

cd /etc/samba

vim /etc/samba/smb.conf

[RestrictedAdmin]
comment = Restricted access directory
path = /public
read only = No
guest ok = No
valid users = admin
browseable = Yes

host allow = ip subnet invullen

chcon -R -t samba_share_t /public
semanage fcontext -a -t samba_share_t " /public(/.*)?"

systemctl start smb

systemctl enable smb

systemctl status smb

smbpasswd -a admin

testparm

• NFS Server: server.example.com, IP address: 192.168.2.133
• NFS Client: client.example.com, IP address: 192.168.2.134

Yum -y install vim perl mlocate  

Configure the Firewall  

yum -y install firewalld  

systemctl start firewalld.service
systemctl enable firewalld.service  

firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --permanent --zone=public --add-service=nfs
firewall-cmd --reload  

Installing NFS  

yum -y install nfs-utils  

systemctl enable nfs-server.service
systemctl start nfs-server.service  

client:  

yum -y install nfs-utils  

Exporting Directories on the Server    

mkdir /var/nfs
chown nfsnobody:nfsnobody /var/nfs
chmod 755 /var/nfs  

vim /etc/exports  

/home           192.168.2.134(rw,sync,no_root_squash,no_subtree_check)
/var/nfs        192.168.2.134(rw,sync,no_subtree_check)  

exportfs -a  

Mounting the NFS Shares on the Client  

client:  

mkdir -p /mnt/nfs/home
mkdir -p /mnt/nfs/var/nfs  

mount 192.168.1.133:/home /mnt/nfs/home
mount 192.168.1.133:/var/nfs /mnt/nfs/var/nfs  

df -h  

[root@client ~]# df -h Filesystem Size Used Avail Use% Mounted on /dev/mapper/centos-root 28G 1.7G 26G 7% / devtmpfs 909M 0 909M 0% /dev tmpfs 919M 0 919M 0% /dev/shm tmpfs 919M 8.6M 910M 1% /run tmpfs 919M 0 919M 0% /sys/fs/cgroup /dev/sda1 497M 208M 290M 42% /boot tmpfs 184M 0 184M 0% /run/user/0 192.168.1.100:/home 28G 1.2G 27G 5% /mnt/nfs/home 192.168.1.100:/var/nfs 28G 1.2G 27G 5% /mnt/nfs/var/nfs   mount   [root@client ~]# mount sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=930320k,nr_inodes=232580,mode=755) securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime) tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel) devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000) tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755) tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755) cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd) pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime) cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event) cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb) cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices) cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer) cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset) cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu) cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls) cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio) cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory) configfs on /sys/kernel/config type configfs (rw,relatime) /dev/mapper/centos-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota) selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime) systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=25,pgrp=1,timeout=300,minproto=5,maxproto=5,direct) mqueue on /dev/mqueue type mqueue (rw,relatime,seclabel) debugfs on /sys/kernel/debug type debugfs (rw,relatime) hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,seclabel) sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime) nfsd on /proc/fs/nfsd type nfsd (rw,relatime) /dev/sda1 on /boot type xfs (rw,relatime,seclabel,attr2,inode64,noquota) tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=188060k,mode=700) 192.168.1.100:/home on /mnt/nfs/home type nfs4 (rw,relatime,vers=4.0,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,port
=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.101,local_lock=none,addr=192.168.1.100)
192.168.1.100:/var/nfs on /mnt/nfs/var/nfs type nfs4 (rw,relatime,vers=4.0,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,port
=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.101,local_lock=none,addr=192.168.1.100) 

Testing  

client:  

touch /mnt/nfs/home/test.txt
touch /mnt/nfs/var/nfs/test.txt  

server:  

ls -l /home/  

[root@server1 ~]# ls -l /home/
total 0
drwx------. 2 administrator administrator 59 Jun 21 16:13 administrator
-rw-r--r--. 1 root root 0 Jun 29 13:07 test.txt  

ls -l /var/nfs  

[root@server1 ~]# ls -l /var/nfs
total 0
-rw-r--r--. 1 nfsnobody nfsnobody 0 Jun 29 13:07 test.txt  

Mounting NFS Shares at Boot Time  

client:  

Open /etc/fstab and append the following lines:  

vim /etc/fstab  

[...]
192.168.2.133:/home  /mnt/nfs/home   nfs      rw,sync,hard,intr  0     0
192.168.2.133:/var/nfs  /mnt/nfs/var/nfs   nfs      rw,sync,hard,intr  0     0  

reboot  

df -h  

mount

Instructions
 

1. Connecting via SSH to your server
2. Browse to your user directory with the following command:
   cd ~
3. Create a .vimrc file with the following command:
   vim .vimrc
4. Click i for insert mode.
5. Type the following command below to enable syntax and give a specific colorscheme.
   This example uses the desert colorscheme:
   
   syntax on
   colorscheme desert
   
   
6. Hold Shift and hit : then type wq to save and quit the file.
7. You should now be able to use vi and the colorscheme you choose to edit files on your grid
   

yum install git

sudo -i
git clone https://github.com/FOGProject/fogproject.git /root/fogproject
cd /root/fogproject/
git checkout dev-branch
git pull
cd bin
./installfog.sh

Navigate to http://IPofYourFOGServer/fog/management

yum install -y yum-utils device-mapper-persistent-data lvm2

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

yum install docker-ce

systemctl enable docker.service

systemctl start docker.service

yum install epel-release

yum install -y python-pip

pip install docker-compose

yum upgrade python*

docker-compose version

Continue pre-config

yum install firewalld -y
systemctl start firewalld
systemctl enable firewalld
for service in http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp samba; do firewall-cmd --permanent --zone=public --add-service=$service; 
done
echo "Open UDP port 49152 through 65532, the possible used ports for fog multicast" 
firewall-cmd --permanent --add-port=49152-65532/udp
echo "Allow IGMP traffic for multicast"
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p igmp -j ACCEPT
systemctl restart firewalld.service
echo "Done."

Add firewalld exceptions for DHCP and DNS (if you plan to run DHCP on your FOG server):

for service in dhcp dns; do firewall-cmd --permanent --zone=public --add-service=$service; done
firewall-cmd --reload
echo Additional firewalld config done.

Set SELinux to permissive on boot:

sed -i.bak 's/^.*\SELINUX=enforcing\b.*$/SELINUX=permissive/' /etc/selinux/config

Set SELinux to permissive on the fly (this is not persistent, the above config must be done to be persistent):

setenforce 0

Setup FOG

yum install git -y
cd ~
mkdir git
cd git
git clone https://github.com/FOGProject/fogproject.git
cd fogproject/bin
./installfog.sh
echo "Now you should have fog installed."

Set the FOG services to start 30 seconds after boot (Optional)

systemctl disable FOG{MulticastManager,Scheduler,SnapinReplicator,ImageReplicator}
systemctl disable nfs-server
systemctl disable rpcbind
echo FOG Services are now disabled.

Create a startup script with:

vi /etc/rc.d/rc.local

#!/bin/bash
sleep 30
touch /var/lock/subsys/local
systemctl start nfs-server
systemctl start rpcbind
systemctl start FOGMulticastManager
systemctl start FOGScheduler
systemctl start FOGSnapinReplicator
systemctl start FOGImageReplicator
exit 0

chmod +x /etc/rc.d/rc.local

[Inloggen in Mariadb] mysql -u root -p

CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';

GRANT ALL PRIVILEGES ON *.* TO 'username'@'localhost' WITH GRANT OPTION;

CREATE USER 'username'@'%' IDENTIFIED BY 'password';

GRANT ALL PRIVILEGES ON *.* TO 'username'@'%' WITH GRANT OPTION;

FLUSH PRIVILEGES;

show databases;

CREATE DATABASE db1;
Query OK, 1 row affected (0.18 sec)

CREATE DATABASE db1;
ERROR 1007 (HY000): Can't create database 'db1'; database exists

CREATE OR REPLACE DATABASE db1;
Query OK, 2 rows affected (0.00 sec)

CREATE DATABASE IF NOT EXISTS db1;
Query OK, 1 row affected, 1 warning (0.01 sec)

SHOW WARNINGS;
+-------+------+----------------------------------------------+
| Level | Code | Message |
+-------+------+----------------------------------------------+
| Note | 1007 | Can't create database 'db1'; database exists |
+-------+------+----------------------------------------------+

drop database test01;

SELECT User FROM mysql.user;

SELECT host, user FROM mysql.user;

SELECT host, user, password FROM mysql.user;

show grants for 'vivek'@'%';

show tables from mysql;

show full tables from mysql;

show columns from Jokes_table from test;
+---------------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+--------------+------+-----+---------+----------------+
| JokeID | int(11) | NO | PRI | NULL | auto_increment |
| Joke_question | varchar(500) | NO | | NULL | |
| Joke_answer | varchar(500) | NO | | NULL | |
+---------------+--------------+------+-----+---------+----------------+
3 rows in set (0.001 sec)

alter user testuser identified by 'wachtwoord';

MariaDB [(none)]> select password ('wachtwoord');
+-------------------------------------------+
| password ('wachtwoord') |
+-------------------------------------------+
| *B33F1075E48B7CB3B733C3B84DACE4FBD1135C97 |
+-------------------------------------------+
1 row in set (0.000 sec)

MariaDB [(none)]>

Login to Linux server and do the following steps

1. Update /etc/hosts and add active directory server IP and host name details

2.Login as root user and execute the following command

yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

3.Reboot the server

4.Join the server with active directory using following command

realm join --user=administrator servername.domain.com

5.Make sure it is properly added to the domain using the bellow command

realm list

6.Update /etc/sssd/sssd.conf file

update the following

use_fully_qualified_names = False

fallback_homedir = /home/%u

7.Restart sssd service

systemctl restart sssd

[root@backup02 ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 391
Server version: 5.5.68-MariaDB MariaDB Server  

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.  

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.  

MariaDB [(none)]> select version();
+----------------+
| version()      |
+----------------+
| 5.5.68-MariaDB |
+----------------+
1 row in set (0.00 sec)  

MariaDB [(none)]>    

yum -y update  

vim /etc/yum.repos.d/MariaDB10.repo  

[mariadb]
name = MariaDB baseurl = http://yum.mariadb.org/10.3/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1  

systemctl stop mariadb  

yum remove mariadb-server mariadb mariadb-libs  

yum clean all  

yum -y install MariaDB-server MariaDB-client  

systemctl start mysql  

systemctl enable mysql  

mysql_upgrade   Or   mysql_upgrade -u root -p  

mysql -u root -p  

[root@backup02 ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 27
Server version: 10.3.28-MariaDB MariaDB Server  

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.  

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.  

MariaDB [(none)]>  

On the host where the cron job is
ssh-keygen -t rsa -b 4096
No password
Cd ~/.ssh 760708 -rw-------. 1 root root 3401 May 14 04:34 id_rsa
760710 -rw-r--r--. 1 root root  757 May 14 04:34 id_rsa.pub (copy to remote server)
scp ~/.ssh/id_rsa.pub root@192.168.1.22:/root/.ssh/uploaded_key.pub  

On the remote server
cat ~/.ssh/uploaded_key.pub  >>  ~/.ssh/authorized_keys
cat ~/.ssh/authorized_keys
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/*  

On the host where the cron job is
ssh root@192.168.1.22
Check if you can login without password  

On the remote server (for disableling password authentication)
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo vim /etc/ssh/sshd_config
unkommend PasswordAuthentication yes and replace yes with no  

sudo service ssh restart  

----------------------------------------------------------------------------------------------------
#Easy way to do it
On the host where the cron job is
ssh-keygen -t rsa -b 4096
No password
Cd ~/.ssh
760708 -rw-------. 1 root root 3401 May 14 04:34 id_rsa
760710 -rw-r--r--. 1 root root  757 May 14 04:34 id_rsa.pub  

ssh-copy-id root@192.168.1.22

Single file copy
scp file.txt root@192.168.1.22:/backup/  

Directory copy
scp -r /home/user/weekly root@192.168.1.22:/backup/weekly      


rsync -hvrPt /home/user/weekly root@192.168.1.22:/backup/ --log-file=mylog.log      

rsync -hvrPt /home/user/* root@192.168.1.22:/backup/ --log-file=mylog.log

Linux version

hostnamectl

cat /etc/*-release

lsb_release -a

Kernel version

uname -a

uname -mrs

cat /proc/version

dnf install dnf-automatic

rpm -qi dnf-automatic

vim /etc/dnf/automatic.conf

upgrade_type = default

apply_updates = yes

system_name = name server

emit_via = motd

systemctl enable --now dnf-automatic.timer

systemctl list-timers *dnf-*

If you have an existing data directory and wish to reset the root and user passwords, and to create a database on which the user can fully modify, perform the following steps.

First create a passwordreset.sql file:

CREATE USER IF NOT EXISTS root@localhost IDENTIFIED BY 'thisismyrootpassword';
SET PASSWORD FOR root@localhost = PASSWORD('thisismyrootpassword');
GRANT ALL ON *.* TO root@localhost WITH GRANT OPTION;
CREATE USER IF NOT EXISTS root@'%' IDENTIFIED BY 'thisismyrootpassword';
SET PASSWORD FOR root@'%' = PASSWORD('thisismyrootpassword');
GRANT ALL ON *.* TO root@'%' WITH GRANT OPTION;
CREATE USER IF NOT EXISTS myuser@'%' IDENTIFIED BY 'thisismyuserpassword';
SET PASSWORD FOR myuser@'%' = PASSWORD('thisismyuserpassword');
CREATE DATABASE IF NOT EXISTS databasename;
GRANT ALL ON databasename.* TO myuser@'%';

Adjust myuser, databasename and passwords as needed.

Then:

$ docker run --rm -v /my/own/datadir:/var/lib/mysql -v /my/own/passwordreset.sql:/passwordreset.sql:z mariadb:latest --init-file=/passwordreset.sql

On restarting the MariaDB container on this /my/own/datadir, the root and myuser passwords will be reset.

Cisco L2 Switch (same configuration for both switches)

!  Create VLANs 10 and 20 in the switch database
Layer2-Switch# configure terminal
Layer2-Switch(config)# vlan 10
Layer2-Switch(config-vlan)# end

Layer2-Switch(config)# vlan 20
Layer2-Switch(config-vlan)# end

!  Assign Port Fe0/1 in VLAN 10
Layer2-Switch(config)# interface fastethernet0/1
Layer2-Switch(config-if)# switchport mode access
Layer2-Switch(config-if)# switchport access vlan 10
Layer2-Switch(config-if)# end

!  Assign Port Fe0/2 in VLAN 20
Layer2-Switch(config)# interface fastethernet0/2
Layer2-Switch(config-if)# switchport mode access
Layer2-Switch(config-if)# switchport access vlan 20
Layer2-Switch(config-if)# end

!  Create Trunk Port Fe0/24
Layer2-Switch(config)# interface fastethernet0/24
Layer2-Switch(config-if)# switchport mode trunk
Layer2-Switch(config-if)# switchport trunk encapsulation dot1q
Layer2-Switch(config-if)# end

Cisco Layer 3 Switch

! Enable Layer 3 routing
Layer3-Switch(config) # ip routing

!  Create VLANs 10 and 20 in the switch database
Layer3-Switch# configure terminal
Layer3-Switch(config)# vlan 10
Layer3-Switch(config-vlan)# end

Layer3-Switch(config)# vlan 20
Layer3-Switch(config-vlan)# end

!  Configure a Routed Port for connecting to the ASA firewall 
Layer3-Switch(config)# interface FastEthernet0/48
Layer3-Switch(config-if)# description To Internet Firewall
Layer3-Switch(config-if)# no switchport
Layer3-Switch(config-if)# ip address 10.0.0.1 255.255.255.252

!  Create Trunk Ports Fe0/47 Fe0/46
Layer3-Switch(config)# interface fastethernet0/47
Layer3-Switch(config-if)# switchport mode trunk
Layer3-Switch(config-if)# switchport trunk encapsulation dot1q
Layer3-Switch(config-if)# end

Layer3-Switch(config)# interface fastethernet0/46
Layer3-Switch(config-if)# switchport mode trunk
Layer3-Switch(config-if)# switchport trunk encapsulation dot1q
Layer3-Switch(config-if)# end

!  Configure Switch Vlan Interfaces (SVI)
Layer3-Switch(config)# interface vlan10
Layer3-Switch(config-if)# ip address 10.10.10.10 255.255.255.0
Layer3-Switch(config-if)# no shut

Layer3-Switch(config)# interface vlan20
Layer3-Switch(config-if)# ip address 10.20.20.20 255.255.255.0
Layer3-Switch(config-if)# no shut

!  Configure default route towards ASA firewall
Layer3-Switch(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.2

Sunny Table


Als je 3 netwerken nodig hebt kijk je wat het beste past, 2 is te weinig maar bij 4 passen er 3 in dus selecteren we subnet 4.
Dan hebben we per netwerk 64 hosts ter beschikking met een subnetmask van /26

LET ER WEL OP DAT JE ER 2 MOET AFHALEN VOOR HET BROADCAST ID EN HET NETWERK ID.

Voor de opdracht is er een network id van 192.168.4.0 /24
Er moeten 3 netwerken worden gecreerd
Het 4e netwerk is over...

Broadcast uitreken,
63 + 64 = 127
127 + 64 = 191
191 + 64 = 255

snmp-server community test ro
snmp-server community test1 rw
snmp-server location Office
snmp-server contact Jane Doe
snmp-server host 192.168.1.21 version 2c test
snmp-server enable traps

*** kopiëren image via USB-stick ***

Op switch in enable mode:

<switch-naam>#copy usbflash0:c3750e-universalk9-mz.152-4.E10.bin flash:c3750e-universalk9-mz.152-4.E10.bin
(image naam opvragen: <switch-naam>#dir usbflash0:)

Als er niet genoeg ruimte in de flash op de switch is, eerst oude image(s) weggooien, behalve degene waarvan die normaliter boot (als er te weinig ruimte is doordat er beperkt flash memory in de switch zit, moet je ook het huidige image weggooien).
(<switch-naam>#dir flash:)
(<switch-naam>#show boot)

<switch-naam>#conf t
<switch-naam>(config)#boot system flash:<nieuwe image naam>
<switch-naam>(config)#exit (of "end")
<switch-naam>(config)#copy run start (of "wr")
<switch-naam>#reload

Als je terugval wilt naar de oude image kun je dit als volgt doen:
<switch-naam>(config)#boot system flash:<nieuwe image naam>,flash:<oude image naam>

Als je geen boot system meegeeft, of een boot system commando met een image die niet meer op de switch staat, dan zal de switch in z'n mini OS booten. Vanaf daar kun je dan weer uithuilen en opnieuw kijken wat er nog op de flash staat en de juiste image booten. Vergeet daarna niet de juiste boot system op te slaan!
Mocht er helemaal geen image meer in de flash staan, dan is het van bovenaf aan weer beginnen.

************************************************************************************

Uiteraard kun je een image ook via tftp overhalen, maar dan moet de switch uiteraard ergens een IP-adres hebben of in het uiterste geval via X-modem.

Ga naar de installatie folder van Microsoft Deployment Toolkit op de C: of welke locatie dan ook
ga naar de map E:\Microsoft Deployment Toolkit\Samples (bij mij staat deze op de E:\ drive)
Maak een copie van E:\Microsoft Deployment Toolkit\Samples\Background.bmp en sla deze op onder een andere naam.
Bewerk deze naar wens en copieer deze terug naar de Samples folder.
Open MDT en ga naar properties

Selecteer bij platform x64 en bij Custom background bitmap file de nieuwe achtergrond van de locatie waar je deze zojuist hebt neergezet.

Update de deployment share
In WDS vervang de bestaande boot image door de nieuwe

Herstart WDS service

En test het uit.

Controleer eerst waar de orginele file staat,



De locatie bij een standaard installatie is
C:\Program Files\Microsoft Deployment Toolkit\Samples
Hier staat een BMP file met de naam Background.bmp
Maak hier een kopie van en bewerk deze bv in Photoshop
Hernoem het orginele bestand zodat je dit bestand de oude naam kunt geven.
Wijzig niet het formaat  !!!!

Ga terug naar MDT en update de deployment Share


Vervang de boot images van de wds server
en herstart de service

dism /get-imageinfo /imagefile:D:\Install\ISO\1909-UK\install.wim

Dism /Mount-Image /ImageFile:D:\Install\ISO\1909-UK\install.wim /Index:1 /MountDir:D:\Mount\Offline

Dism /Image:D:\Mount\Offline /Get-CurrentEdition
Dism /Image:D:\Mount\Offline /Get-TargetEditions
Dism /Image:D:\Mount\Offline /Set-Edition:Professional

Dism /Unmount-Image /MountDir:D:\Mount\Offline /Commit

dism /cleanup-wim

dism /Cleanup-Mountpoints

dism /unmount-wim /mountdir:D:\Mount\Offline /discard

- Run command prompt or PowerShell as administrator: 

Type following command: 

dism /online /set-edition:ServerDatacenter /productkey:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx /accepteula . (Replace xxxx with your activation key).

To begin, open a command prompt as administrator.

To turn off Windows Firewall for Domain Networks type the following command:

netsh advfirewall set domain state off

To turn off Windows Firewall for Private Networks type the following command:

netsh advfirewall set private state off

To turn off Windows Firewall for Public Networks type the following command:

netsh advfirewall set public state off

To turn off Windows Firewall for All Networks (Domain, Private, Public) type the following command:

netsh advfirewall set allprofiles state off

Now, if you needed to turn Windows Firewall back on using this utility you can type the same commands and just change “off” to “on”. For example, if you wanted to turn the Windows Firewall on for all networks you would type the following command:

netsh advfirewall set allprofiles state on

This post will walk through installing and configuring Microsoft Deployment Toolkit to build a reference image of Windows 10 1809 (October 2018 Update) using a Hyper-V Virtual Machine. It is assumed that you have a Server or PC ready to install MDT onto and create an file share for MDT to build the image with.

Here are the links to the software we’ll be using:

• Windows 10 1809 Assessment and Deployment Kit (ADK)
• Windows PE add-on for the ADK
• Microsoft Deployment Toolkit (8456)
• Windows 10 1809 x64 Volume Licensing Service Center | MSDN Subscriptions site

Additional software which may be useful to you:

• Windows USB/DVD Download Tool – For creating a bootable USB from the Windows 10 ISO to build a PC for admin purposes.
• Remote Server Administration Tools for Windows 10 – Be sure to download the version of RSAT for the version of Server you want to administer.

Installing Microsoft Deployment Toolkit and Dependencies

1. First we’ll install the Windows 10 1809 ADK. During setup additional files will need to be downloaded, so it may take some time depending on your internet connection.
2. On the Select the features you want to install screen select:

• Deployment Tools
• Imaging And Configuration Designer (ICD)
• Configuration Designer
• User State Migration Tool (USMT)

1. Starting with the Windows 10 1809 ADK, WinPE is a separate install. Install the WinPE add-on by running the adkwinpesetup.exe, there is no specific configuration during the install wizard.
2. Now install MDT by running the setup file downloaded earlier. There is no specific configuration during the install wizard.

Creating the Deployment Share

1. Open the Deployment Workbench from the Start Menu.
2. Right click on Deployment Shares.
3. Select New Deployment Share.
4. Enter the path for the Deployment Share: E:\Build.
5. Enter the Share name: Build$.
6. Give the share a description.
7. On the Options screen, accept the defaults as you can change them later.
8. Complete the wizard to create the share.
9. By default, the share permissions are set the local administrators group. We’ll revisit this later.

Adding an Operating System

1. Mount the Windows 10 1809 ISO in File Explorer.
2. Go to Deployment Workbench > Operating Systems.
3. Right click and select New Folder.
4. Enter the name Windows 10 1809 x64 and click through the wizard to create the folder.
5. Right click again and select Import Operating System.
6. In the wizard, select Full set of source files and then enter the root of the mounted ISO as the Source directory.
7. For the destination directory name enter Windows 10 1809 x64 and complete the wizard.
8. Go to the Operating Systems/Windows 10 1809 x64 node and rename the new entries added to Windows 10 1809<Edition>x64 for ease of use.

Creating Package Folder For Future Updates

1. Go to Deployment Workbench > Packages.
2. Create a folder named Windows 10 1809 x64.

Now we’ll create a selection profile so that the Task Sequence only attempts to install the updates for Windows 10 1809 x64.

Creating A Selection Profile

1. Expand the Advanced Configuration node.
2. Right click on Selection Profiles and select New Selection Profile.
3. Name it Windows 10 1809 x64.
4. On the Folders page, tick the Windows 10 1809 x64 folder under Packages and complete the wizard.

Importing Applications

If you want to add some applications to be a part of your reference image, here I’ll cover how to add Microsoft Office. MDT recognises Microsoft Office and provides automated/silent install options.

1. Go to Deployment Workbench > Deployment Share > Applications.
2. Right click on Applications and select New Application.
3. In the New Application Wizard, choose Application with source files.
4. Give the application the name: Microsoft Office.
5. Enter the Source directory of the installation files.
6. Enter the Destination directory: Microsoft Office.
7. For the Command line enter anything, we’ll revisit this later.
8. On the summary page, click Next and after the files are copied click Finish to complete the wizard.

Configuring Applications

1. Right click on Microsoft Office, go to the Office Products Tab.
2. Choose the desired Office Product to Install from the drop down menu.
3. Check the desired Office language.
4. Enter a product key, unless you will be activating Office via KMS in which case leave the Product Key option unchecked.
5. Check the Customer name option and enter the desired information.
6. Check the Display level option and select None in the drop down menu.
7. Check the Accept EULA option.
8. Check the Always suppress reboot option.
9. Click Apply.
10. Go to the Details tab and the Quiet install command should now read:

    1	setup.exe /config proplus.ww\config.xml

Microsoft Office is now set up to be installed silently by a Task Sequence. If you wish to customise the installation to a greater degree, the Office Customization Tool can be launched from the Office Products tab. This process can also be done for Microsoft Visio and Project.

To add other popular third party software, you’ll need to repeat the steps above, with the relevant Command line to quietly or silently install them.

Google Chrome – Enterprise Installer

Adobe Reader – Enterprise Installer

We now need to create a new Task Sequence to create a reference image.

Creating a Task Sequence

1. In Deployment Workbench, go to Task Sequences.
2. Right click and select New Task Sequence.
3. For the ID enter: W10-1809.
4. Name it Build Windows 10 1809.
5. Select Standard Client Task Sequence.
6. Select the Operating System Windows 10 1809 x64.
7. Select Do not specify a product key at this time.
8. Enter an Organization name.
9. Select Do not specify an Administrator password at this time.
10. Complete the wizard.

Now we’ll configure the Task Sequence.

Configuring the Task Sequence

1. Right click on the Task Sequence just created and select Properties.
2. Go to the Task Sequence tab on the Properties window of the Task Sequence.
3. Expand the Preinstall folder, and select the Apply Patches item.
4. Change the Selection Profile to Windows 10 1809 x64.
5. Go to the State Restore folder and select Windows Update (Pre-Application Installation).
6. On the right side of the Properties window, go to the Options tab.
7. Uncheck the Disable this step tick box and do the same with Windows Update (Post-Application Installation).
8. If you skipped the Importing Applications section, please disable the Install Applications item and go to step 16, if not please continue.
9. Go to the Install Applications item.
10. In the right side of the Properties box, select the Install a single application option and click the Browse… button.
11. Select Microsoft Office and change the name Install Applications to Microsoft Office.
12. Install other Applications, copy and paste the Install Applications item and repeat steps 13 – 15 for the applications of your choice.
13. Click Apply and close the Task Sequence.

Blocking Internet Access to prevent Microsoft Store App Updates

To block internet access to the VM whilst the image is building, we’ll use the script from Peter Löfgren’s System Center Ramblings post.

1. First create a PowerShell script file called Internet-Access.ps1 with the following code:

1. Save the script in your MDT share, where the Task Sequence will be able to access it. I save my custom scripts in a folder called _scripts the Applications folder.
2. In the Task Sequence created above, we’ll add the items required to run the PowerShell script to enable and disable the internet blocking firewall rules.

• Go to the Task Sequence tab on the Properties window of the Task Sequence.
• Go to State Restore and click on the Add button.
• Go to General > Run PowerShell Script.
• Name the new item PS Script – Disable Internet Access.
• Enter Z:\Applications\_scripts\Internet-Access.ps1 or your own path to the PowerShell script we just created.
• Scroll down the Task Sequence to just above the Imaging folder.
• Once again, add a new Run PowerShell Script item.
• Name it PS Script – Enable Internet Access.
• Again, enter Z:\Applications\_scripts\Internet-Access.ps1 or or your own path to the PowerShell script.
• Important: Add -Disable to the Parameters section.
• Click Apply and OK to close the Task Sequence.

What will happen now is that after Windows boots up, a firewall rule will be added to block internet traffic on ports 80 and 443, and just before starting the SysPrep and capture process the firewall rule will be removed.

Next, we’ll create a domain user account for MDT.

Creating a service account for MDT in Active Directory

1. Go to Active Directory Users and Computers.
2. Create a user called mdt_admin and give it a complex password.
3. Go to the Server or PC where the Deployment Share is hosted.
4. Give the user mdt_admin Full Control share permissions and Full Control permissions to all the files and folders in the Deployment Share.

Next we need to configure the Bootstrap.ini and the CustomSettings.ini files to control certain aspects of the deployment environment. The settings below enable auto log in and skip the welcome screen, so these should only be used for lab or closed development environments.

Configuring Bootstrap.ini

1. In Deployment Workbench, right click the Deployment Share and select Properties.
2. Select the Rules tab and click the Edit Bootstrap.ini button.
3. Add the settings below to the Bootstrap.ini.
4. Close and Save the Bootstrap.ini

Configuring CustomSettings.ini

On the Rules tab of the Deployment Share properties window, add the settings below.

We now need to create the boot media to boot the VM into the deployment environment.

Creating The Boot Media

1. In Deployment Workbench, right click on the Deployment Share.
2. Select Update Deployment Share.
3. Select Completely regenerate the boot images.
4. Complete the wizard. It will take some time to create the boot images.

Testing and Capturing a Reference Image

To test everything we need to copy the ISO file that we just generated. It is located in the Boot folder in the Deployment Share. Go to the Server or PC that is hosting the deployment share and navigate to the boot folder. Inside there should be a file named LiteTouchPE_x64.iso. Copy this file to a location where a Hyper-V Virtual Machine will be able to access it.

Create a new VM in Hyper-V with the following configuration:

• 2x vCPUs
• 4GB of RAM
• Network Adapter with access the local network.
• Virtual Hard Drive of at least 40GB, preferably on an SSD.
• Boot from CD using the LiteTouchPE_x64.iso from MDT.
• If using Hyper-V on Windows 10 1709 and above, make sure Use Automatic Checkpoints is disabled.

Start the VM and it will boot from the LiteTouchPE_x64.iso into the deployment environment. You will be presented with a screen with the name of the Task Sequence you created earlier. Select your Task Sequence and click Next and the task sequence will begin.

The Task Sequence will install Windows 10 1809, update from the WSUS server, install the optional applications if you added them, and then run Windows Update from the WSUS server again. It will then run SysPrep and the reboot back into the deployment environment and MDT will capture the image.

When this process completes the VM will be shutdown and a file named W10-1809_YEAR_MONTH_DAY_HOUR_MINUTE.wim will be in the Captures folder in the Deployment Share.

You now have a reference image for Windows 10 1809 and a Microsoft Deployment Toolkit installation, with a deployment share specifically configured for building reference images.

We’ll cover setting up a deployment share and focus on tasks to support deploying Windows to real hardware in this article.

I take great care to test my ideas and make sure my articles are accurate before posting, however mistakes do slip through sometimes. If you’d like to get in touch with me please use the comments, Twitter (you can tweet me and my DMs are open) or my contact form.

I hope this article helps you out, please consider supporting my work here. Thank you.

Stap 1:

In Windows Server 2012 R2, klik op het Startsymbool (Links onderin het scherm):

Stap 2:

Klik op het pijltje naar beneden onderin het scherm voor alle programma’s:

Stap 3:

Een nieuwe Deployment Workbench is gecreëerd. Start de Deployment Workbench (NEW):

Stap 4:

Als u het programma voor het eerst start, ziet u het overzicht van MDT 2013:

Stap 5:

Klik met uw rechtermuisknop op Deployment Shares in het linker navigatievenster op New Deployment Share:

Stap 6:

Klik op next:

Stap 7:

Verander de Share name naar DeploymentShare$, klik daarna op next: 

Stap 8:

Klik next:

Stap 9:

Zet alle vinkjes uit en klik next:

Stap 10:

Check of de details kloppen en klik next:

Stap 11:

Klik Finish:

Stap 12:

Open File Explorer:

Stap 13:

Klik op This PC links in het navigatievenster:

Stap 14:

Open Local Disk (C:):

Stap 15:

Klik met uw rechtermuisknop op DeploymentShare:

Stap 16:

Klik op Properties:

Stap 17:

Klik op Advanced Sharing…:

Stap 18:

Klik op Permissions:

Stap 19:

Kijk of Everyone is toegevoegd en Full Control heeft (zo niet: klik op Add…):

Stap 20:

In de Security tab van de share, voegt u Users en Domain Users toe. U geeft ze de volgende rechten: Read & Execute, List folder contents en Read:

Stap 21:

Terug in “the Deployment Workbench”, klik u met de rechtermuisknop op MDT Deployment Share en daarna op Properties:

Stap 22:

Onder de Rules tab, voegt u de volgende rij met opties toe onder het kopje [Default] :

OSInstall=Y

SkipCapture=YES

SkipAdminPassword=YES

SkipProductKey=YES

SkipComputerBackup=YES

SkipBitLocker=YES

SkipComputerName=YES

SkipDomainMembership=YES

JoinDomain=testwds.local

DomainAdmin=Administrator

DomainAdminDomain=testwds

DomainAdminPassword=Welkom01

SkipUserData=YES

SkipCapture=YES

DoCapture=NO

SkipLocaleSelection=YES

SkipTaskSequence=NO

SkipTimeZone=YES

SkipApplications=YES

SkipSummary=YES

SkipBDDWelcome=YES

TimeZone=110

TimeZoneName=Europe Standard Time

De opties zijn toegevoegd, klik nu op Edit Bootstrap.ini:

Stap 23:

Onder het kopje [Default] voegt u de volgende opties toe:

Stap 24:

Klik op File en dan op Save:

Stap 25:

Klik op Apply:

Stap 26:

Klik op OK:

Stap 27:

Volgende, we importeren het Besturingssysteem voor Windows 8.1. om dit te doen, klikt u met de rechtermuisknop op nl_Windows_8_1_enterprice_x64_dvd_2971893 en dan op Mount:

Stap 28:

De ISO is nu geopend als installatie media.

Stap 29:

In de Deployment Workbench, klikt u met uw rechtermuisknop op Operating System en klikt u op Import Operating System:

Stap 30:

Selecteer Full set of source files en klik next:

Stap 31:

Typ E:\ om de Installatie media (ISO) te selecteren. Klik daarna next:

Stap 32:

Vul de naam van het besturingssysteem in (in dit geval Win 8.1 x64). Klik daarna op next:

Stap 33:

Klik next:

Stap 34:

Na een paar minuutjes (wanneer het proces is afgelopen) klikt u op next:

Stap 35:

Volgende, verander de naam naar: Windows8.1×64.wim:

Stap 36:

Klik met uw rechtermuisknop op Task Sequence en klik daarna op New Task Sequence:

Stap 37:

Typ: Deploy8.1 bij Task sequence ID: en Deploy Windows 8. 1 x64 bij Task sequence name:

Stap 38:

Selecteer Standard Client Task Sequence en klik next:

Stap 39:

Selecteer Windows8.1×64.wim en klik op next:

Stap 40:

Selecteer Do not specify a product key at this time. Klik daarna op next:

Stap 41:

Voer een Naam, organisatie en startpagina in. Klik next:

Stap 42:

Voer een administratorswachtwoord in. Klik daarna op next:

Stap 43:

Klik Next:

Stap 44:

Klik Finish:

Stap 45:

Nu gaan we de “task sequence” wijzigen, hierdoor kunnen windows updates worden geïnstalleerd.

Klik met uw rechtermuisknop op Deploy Windows 8.1 x64 klik daarna op properties:

Stap 46:

Ga naar het tabje Task Sequence bovenin:

Stap 47:

Onder State Restore staan 2 onderdelen voor Windows Update die allebei uitgeschakeld zijn (vinkje is te vinden onder het tabje “options“). Verwijder het vinkje bij Disable this step. Klik OK om de wijzigingen op te slaan:

Stap 48:

Klik met uw rechtermuisknop op MDT Deployment Share (C: Deploymentshare) klik daarna op Update Deployment Share:

Stap 49:

Klik Next:

Stap 50:

Klik Next:

Stap 51:

Als het proces succesvol is afgerond klikt u op Finish:

Stap 52:

In Windows Server 2012 R2, klik op het Startsymbool (Links onderin het scherm):

Stap 53:

Klik op het pijltje naar beneden onderin het scherm voor alle programma’s:

Stap 54:

Open Windows Deployment Services:

Stap 55:

Klik met de rechtermuisknop op de servernaam en klik daarna op Configure Server:

Stap 56:

Klik Next:

Stap 57:

Selecteer Integrated with Active Directory en klik op Next:

Stap 58:

Selecteer de locatie waar u de RemoteInstall folder wilt plaatsen en klik op next:

Stap 59:

Selecteer “Do not listen on DHCP and DHCPv6 ports” en “Configure DHCP options for Proxy DHCP“. Klik hierna op next:

Stap 60:

Selecteer Respond to all client computer (known and unknown). Klik hierna op next:

Stap 61:

Klik Finish:

Stap 62:

Klik met uw rechtermuisknop op Boot Images en kies voor Add Boot Image…:

Stap 63:

Ga naar de gedeelde locatie van de deploymentshare (\\servernaam\deploymentshare$\Boot).

Kies nu het x64 besturingssysteem: LiteTouchPE_x64.wim en klik op open:

Stap 64:

Klik Next:

Stap 65:

Klik next:

Stap 66:

Klik Next:

Stap 67:

De boot image is aangemaakt! Klik op Finish:

Stap 68:

Start de client op met networkboot en de image wordt ingeladen:

Stap 69:

Klik Deploy Windows 8.1, klik daarna op Next om de installatie te starten:

Stap 70:

Het gekozen besturingssysteem wordt geïnstalleerd:

Stap 71:

De installatie is voltooid. Klik op Finish:

Download  eerst de msu update https://www.catalog.update.microsoft.com/

Je kunt een MSU bestand ook los installeren via het wusa.exe commando (Silent mode)

wusa.exe c:\Temp\windows10.0-kb4056887-x64.msu /quiet /norestart

Om te testen of de update goed is geinstalleerd kun jet het volgende commando gebruiken
wmic qfe list | findstr 4056887 (het nummer is van het KB nummer)

Hoe extract je een cab file van een MSU pakket
expand _f:* “C:\Temp\windows10.0-kb4056887-x64.msu” C:\Temp\kb4056887

Installeer een CAB update file in Windows 10
DISM.exe /Online /Add-Package /PackagePath:c:\Temp\kb4056887\Windows10.0-KB4056887-x64.cab

Installeer een CAB file in silent mode en met een uitgestelde restart
start /wait DISM.exe /Online /Add-Package /PackagePath: c:\Temp\kb4056887\Windows10.0-KB4056887-x64.cab /Quiet /NoRestart

Dism /Get-ImageInfo /ImageFile:D:\DISM_CREATE\install.wim

Index : 3

Name : Windows 10 Enterprise

Description : Windows 10 Enterprise

Size : 14.895.975.620 bytes

 DISM /mount-wim /wimfile:"C:\Install\WIM\install.wim" /index:3 /mountdir:"C:\Install\Mountdir"

 Dism /Add-Package /Image:"C:\Install\Mountdir" /PackagePath="C:\Install\DISM_CREATE\windows10.0-kb4550945-x64_8bc93fe5c681ddf741120602899a730c65c155d6.msu" /LogPath=C:\Install\DISM_CREATE\LogPath\dism.log

Dism /Add-Package /Image:"mount dir" /PackagePath="updates folder\cu1.msu" /PackagePath="updates folder\cu2.msu" /PackagePath="updates folder\cu3.msu" /LogPath=log the output to a file

Dism /Get-Packages /image:C:\Install\Mountdir

dism.exe /Unmount-wim /mountdir:"C:\Install\Mountdir" /commit

dism /unmount-wim /mountdir:"C:\Install\Mountdir" /discard

dism /cleanup-wim

dism /get-mountedwiminfo

Dism /Online /Cleanup-image /Checkhealth

Dism /Online /Cleanup-image /ScanHealth

Dism /Online /Cleanup-image /Restorehealth

Open command prompt with administrator rights

For serial number

wmic bios get serialnumber

For product

wmic csproduct get name

wmic computersystem get manufacturer

Manufacturer
Hewlett-Packard

wmic computersystem get model

Model
HP ProDesk 600 G1 SFF