Wednesday, August 2, 2017

Recompiling Chocolatey packages

Chocolatey is a very popular tool among system administrators as it helps automate package management for Windows. Since Chocolatey can be used completely from a CLI, you can programmatically create, install and uninstall packages locally and remotely. One of the main concerns I hear from Chocolatey users is that they do not trust installing packages directly from the main Chocolatey public repository. This is for good reason: in order to trust the repository you must trust whoever is maintaining each package, and there is only so much vetting Chocolatey can do to ensure a package is safe. Not to mention that if you use the public repository exclusively as your source of packages, you are constantly downloading packages from the internet, which leads to additional security concerns.

One feature of Chocolatey Business I enjoy is the capability to recompile packages hosted on its public repository and internalize them so they can be deployed from your own NuGet server. During this process Chocolatey downloads the NuGet package and changes its code so that all resources needed are now on your NuGet server.

Now this may not be a feature you want to use for all packages hosted on Chocolatey, but for simple packages that pull their installers directly from a known good URL, such as Google Chrome, it will save you hours of time. Note that you should always inspect packages from the Chocolatey public repository to ensure you understand how they install software.

In this article I will show you how you can automate this process using a list of packages you want to recompile using PowerShell.

For this example I will recompile Google Chrome, Evernote and LastPass from Chocolatey.

First I will put these packages in an array by package name.



Now this is where the fun begins. I can simply pipe this array in PowerShell to the choco download command which will automatically download the package from the Chocolatey repository and internalize the package.



Within 30 seconds I have all three packages recompiled to my local machine along with their resources. During this process Chocolatey extracts each package into the C:\Recompile\downloads folder, downloads any resources it needs (such as the installer at the public URL), changes the installation code to point to the local installer files, and then creates a NuGet package.
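
The two steps above, followed by a review pass over the result, as an added example (not the original post's code, which was shown as screenshots). The package IDs, the community source URL and the use of C:\Recompile as the output directory are assumptions; `choco download --internalize` requires a Chocolatey for Business license.

```powershell
# Assumed package IDs for Google Chrome, Evernote and LastPass
$Packages = 'googlechrome', 'evernote', 'lastpass'
# Assumed working folder, chosen to match the C:\Recompile path mentioned in the post
$OutDir   = 'C:\Recompile'
# Assumed URL of the public (community) repository feed
$Source   = 'https://community.chocolatey.org/api/v2/'

# Download and internalize each package in the array
$Packages | ForEach-Object {
    choco download $_ --internalize --output-directory="$OutDir" --source="$Source"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "choco download failed for $_ (exit code $LASTEXITCODE)"
    }
}

# Review step: list every URL still referenced by the rewritten package scripts.
# After internalization the installers should be local files, so any remaining
# http(s) reference deserves a manual look before the package is pushed to the
# internal NuGet server (URLs in comments will also show up here).
$UrlPattern = 'https?://[^\s''"]+'
$Findings = Get-ChildItem -Path $OutDir -Recurse -Filter '*.ps1' |
    Select-String -Pattern $UrlPattern -AllMatches |
    ForEach-Object {
        foreach ($m in $_.Matches) {
            [pscustomobject]@{
                Script = $_.Path
                Line   = $_.LineNumber
                Url    = $m.Value
            }
        }
    }
$Findings | Format-Table -AutoSize -Wrap

# Record a SHA256 hash of each internalized package so the copy later served
# from the internal NuGet server can be compared with what was reviewed here.
Get-ChildItem -Path $OutDir -Recurse -Filter '*.nupkg' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path
```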

Tuesday, August 1, 2017

Use PowerShell to create your Fantasy Football Draft order

With the NFL season upon us, Fantasy Football owners are starting to research and plan out which players they will draft. One of the hot topics is always the order of the draft, which, if left to the commissioners, can create a feeling of disapproval. There is no better tool to use to create a random and totally objective draft order than a computer. This will ensure that no player can complain that there was collusion in order to keep them at the back of the draft.

With this said, I emailed the commissioner of my league to let him know I will be doing the order in PowerShell, this way when I wind up inevitably missing the playoffs, I can only blame myself and PowerShell. I created a function this morning that will generate the order using the players in an array and Sort-Object {Get-Random} called New-FantasyDraftOrder. 

To use the function, we just add the players in the -Players parameter and the order is created.



As you can see, I got the 7th pick in my draft. Even I, the creator of this draft, cannot "fix" the outcome.

Saturday, July 22, 2017

How to Access ESXCLI with PowerCLI


If you have worked with vSphere, chances are you have had to perform some tasks on an ESXi host using ESXCLI. This command line interface created by VMware enables you to perform such tasks as installing software, configuring NIC adapters or setting firewall rules on ESXi. Since ESXi runs only Linux, using ESXCLI can be a bit daunting for Windows admins who don’t have much experience with Linux. Luckily, if you know PowerShell, you can use PowerCLI as a door into ESXCLI.

Connecting to an ESXi host


First, we need to connect to either a vCenter server or an ESXi host. We can do this with the Connect-VIServer cmdlet. Here I connect directly to the ESXi host, but keep in mind you can connect to your vCenter server as well.

Connect-VIServer -Server devhost -Credential (Get-Credential)

Exposing ESX CLI


Now that we are connected to our ESXi host "Devhost", we can use the Get-EsxCli cmdlet in PowerCLI to expose the ESXCLI functionality by placing it into a variable.

$DevHost = Get-EsxCli -VMHost devhost -V2

Notice I used the -V2 parameter. This means we are using version 2 of this cmdlet, as version 1 is deprecated and compatibility is not guaranteed.

Now if we just output $DevHost, we see the "elements" we have to work with for this ESXi host.

Read more on Tom's IT Pro

Tuesday, June 20, 2017

Windows 10 in-place upgrade with PowerShell and MDT



In this article, I will demonstrate how to use Microsoft Deployment Toolkit (MDT) and PowerShell to create a reusable in-place upgrade process for domain-joined computers. This is a completely automated process. Thus, no end-user interaction is necessary, and it can take place on any remote computer. Although I have not tested it specifically, theoretically this function should be able to upgrade hundreds of workstations simultaneously with the proper computing in place.

While adoption of Windows 10 for businesses has been growing, many workstations still run Windows 7 or Windows 8. For mass in-place upgrades, System Center Configuration Manager (SCCM) is the most widely used option as it allows administrators to push out the upgrade easily. For organizations that do not use SCCM, such as small to medium-sized businesses, there are other viable options, notably using MDT along with PowerShell.

Please note this solution will not be a fit for every organization. It requires the use of the Remote Desktop Protocol (RDP) on each machine to launch the upgrade process, and it is widely known that RDP is not entirely secure. The need for using RDP is due to the MDT upgrade process requiring a user logged on to the computer to launch the litetouch.vbs file. With that said, there are ways to reduce the security hole by using public key infrastructure (PKI) and enabling RDP only during the upgrade process. I also recommend changing the password on the account connecting via RDP immediately after the upgrade is complete.

Read more at 4Sysops.com

Wednesday, June 7, 2017

A safer way to patch ESXi using PowerCLI and VUM

Patching vSphere is fairly straightforward using vSphere Update Manager. You can let vCenter/VUM automate the patching of an entire datacenter or cluster if you want. Many VMware professionals prefer to have more control over how their clusters get patched, and with good reason. Yes, vCenter is capable of figuring out how many hosts can run your cluster via DRS so you can patch multiple hosts at once, but that is a bit scary if you ask me, and unless you have a massive cluster, it is not worth the time savings in my opinion. I prefer to patch each host one by one and test vMotioning VMs to each host after installation to ensure the host is functioning correctly.

So I created a little function to do just that, Install-VUMPatch. You can grab it from my GitHub repo below. I included a good amount of error checking so that hopefully if anything goes wrong with a patch installation, the function stops and asks the user to halt or continue.


#Requires -Modules VMware.VimAutomation.Core
#Requires -Modules VMware.VumAutomation

function Install-VUMPatch
{
    [CmdletBinding()]
    param
    (
    [Parameter(Mandatory=$true)]
    [string]$VCenter,

    [Parameter(Mandatory=$true)]
    [pscredential]$Credential,

    [Parameter(Mandatory=$true)]
    [string]$ClusterName,

    [Parameter(Mandatory=$false)]
    [string]$BaselineName = 'Critical Host Patches (Predefined)',

    [Parameter(Mandatory=$true)]
    [string]$VM
    )
    begin 
    {
        ##Try connecting to vcenter
        try
        {
            Connect-VIServer $VCenter -Credential $Credential -ErrorAction Stop
        }
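        catch
        {
            # Terminate here: nothing below can work without a vCenter session.
            # (A bare 'break' outside a loop can also break a loop in the caller.)
            throw "Unable to connect to ${VCenter}: $($_.Exception.Message)"
        }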
    }
    process 
    {
        Try 
        {
            # Put baseline into variable and validate existence for later use
            $Baseline = Get-Baseline -Name $BaselineName -ErrorAction stop
            # Attach baseline to all hosts in cluster
            Attach-Baseline -Entity $ClusterName -Baseline $Baseline -ErrorAction stop
            # Test compliance against all hosts in cluster
            Test-Compliance -Entity $ClusterName -UpdateType HostPatch -Verbose -ErrorAction stop
            # Build array of noncompliant hosts
            $VMHosts = (Get-Compliance -Entity $ClusterName -Baseline $Baseline -ComplianceStatus NotCompliant -ErrorAction Stop).Entity.Name
            #Copy patches to noncompliant hosts
            Copy-Patch -Entity $VMhosts -Confirm:$false -ErrorAction stop
        }
        Catch 
        {
            $ErrorMessage = $_.Exception.Message
            Write-Error $ErrorMessage 
            Write-Output 'Error getting $Vmhosts variable'
            # Leave the process block; the end block still disconnects from vCenter
            return
        }
        # For each noncompliant host install patches
        foreach ($VMhost in $VMHosts)
        {
            Write-Output "Patching $VMHost"
            try 
            {   
                # Put VMHost in maintenance mode
                Set-VMHost $VMhost -State Maintenance -Confirm:$false -ErrorAction Inquire | Select-Object Name,State | Format-Table -AutoSize
                # Remediate VMHost
                $UpdateTask = Update-Entity -Baseline $baseline -Entity $vmhost -RunAsync -Confirm:$false -ErrorAction Stop
                Start-Sleep -Seconds 05
                # Wait for patch task to finish; poll on State so a failed task cannot loop forever
                while ($UpdateTask.State -in 'Queued','Running')
                {   
                    Write-Progress -Activity "Waiting for $VMhost to finish patch installation" -PercentComplete $UpdateTask.PercentComplete 
                    Start-Sleep -seconds 10
                    $UpdateTask = Get-Task -id $UpdateTask.id
                }
                # Check to see if remediation was successful
                if ($UpdateTask.State -ne 'Success')
                {
                    Write-Warning "Patch for $VMHost was not successful"
                    Read-Host 'Press enter to continue to next host or CTRL+C to exit script'
                    Continue
                }
                # Check to see if host is now in compliance
                $CurrentCompliance = Get-Compliance -Entity $VMHost -Baseline $Baseline -ErrorAction Stop
                if  ($CurrentCompliance.Status -ne 'Compliant')
                {
                    Write-Warning "$VMHost is not compliant"
                    Read-Host 'Press enter to continue to next host or CTRL+C to exit script'
                    Continue
                }
                # Set VMHost out of maintenance mode 
                Set-VMHost $vmhost -State Connected -Confirm:$false -ErrorAction Inquire | Select-Object Name,State | Format-Table -AutoSize
                # VMotion VM to VMHost and sleep for 3 seconds
                Move-VM -VM $VM -Destination $VMhost -Confirm:$false -ErrorAction Stop | Out-Null
                Start-Sleep -seconds 3
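                # Test network connectivity to VM to ensure VMHost is operating correctly.
                # -Quiet returns $true/$false instead of throwing, so check the result explicitly.
                if (-not (Test-Connection $VM -Count 4 -Quiet))
                {
                    throw "$VM did not respond to ping after moving to $VMHost"
                }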
                Write-Output "$VMHost patch successful."
            }
            catch 
            {
                $ErrorMessage = $_.Exception.Message
                Write-Warning $ErrorMessage 
                # Comment out the Read-Host if you do not want the script to prompt after an error. 
                Read-Host -Prompt 'Press enter to continue to next VMHost or CTRL + C to exit' 
                Continue
            }
        }
    }
    end 
    {
        Disconnect-ViServer -Confirm:$False -Force
        Write-Output  'Script completed'
    }
}

Monday, June 5, 2017

Capture network traces with the PowerShell module NetEventPacketCapture



Every network admin will at some point need to capture and view network events to help troubleshoot network issues. The PowerShell module NetEventPacketCapture is an interesting option to capture network traces.

IT professionals have many tools that can enable the capturing and viewing of network traffic. Tools such as Wireshark and Netmon have been staples for performing network traces. Starting with Windows 7/2008 the netsh trace command became available to allow capturing traces via the command line.

The NetEventPacketCapture module


One tool I have recently started using is the PowerShell NetEventPacketCapture module to capture and show trace events. Microsoft released the module with Windows 8.1/2012 R2, so although it is a few years old, it is not a widely used tool. One of the main reasons why using this module is appealing to me is that you can do many of the tasks within PowerShell without having to use other tools.

In order to create a trace log (.etl file), you must use four cmdlets from the NetEventPacketCapture module. In addition, you need a tool to view the trace file. This would be the bare minimum process for capturing a network event trace:

  • Use New-NetEventSession to create a trace session. For remote traces you can use the -CimSession parameter.
  • Add-NetEventProvider to add an event-tracing provider to the session you created. For instance the provider "Microsoft-Windows-TCPIP" would trace TCP/IP events.
  • Start-NetEventSession will begin logging live events to the .etl file.
  • Stop-NetEventSession will end the trace session.
  • Finally, to view the .etl file, you can use a number of tools. In this article, I will use the Get-WinEvent cmdlet in PowerShell.
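
The five steps above as one script, as an added example (not code from the original article). The session name, the 15-second capture window and the .etl path are constructed placeholders; run it from an elevated PowerShell session.

```powershell
# Constructed placeholders: session name and output file
$SessionName = 'TcpTrace'
$EtlPath     = Join-Path $env:TEMP 'TcpTrace.etl'

try {
    # 1. Create the trace session, writing events to a local .etl file
    New-NetEventSession -Name $SessionName -LocalFilePath $EtlPath | Out-Null

    # 2. Add the TCP/IP event-tracing provider to that session
    Add-NetEventProvider -Name 'Microsoft-Windows-TCPIP' -SessionName $SessionName | Out-Null

    # 3. Start logging live events, then let some traffic occur
    Start-NetEventSession -Name $SessionName
    Start-Sleep -Seconds 15

    # 4. End the trace
    Stop-NetEventSession -Name $SessionName
}
finally {
    # Always clean up, so a failed run does not leave a trace running
    # or block the next New-NetEventSession call
    if (Get-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue) {
        Stop-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue
        Remove-NetEventSession -Name $SessionName
    }
}

# 5. Read the trace; Get-WinEvent requires -Oldest for .etl files
$Events = Get-WinEvent -Path $EtlPath -Oldest

# Summarize which event IDs dominate the capture before reading individual events
$Events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name

# Show the first few events in chronological order
$Events |
    Select-Object -First 5 -Property TimeCreated, Id, Message |
    Format-List
```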

Read more on 4Sysops.com

Sunday, May 21, 2017

Using the Windows Defender PowerShell cmdlets

There are several ways to manage and configure Windows Defender, such as via the System Center Configuration Manager (SCCM), Desired State Configuration (DSC), Intune, and Group Policy. The Defender PowerShell module is another tool you can use. In this article, I will provide an introduction to the Defender module and examples of using its commands.

With the release of the Windows 10 Anniversary Update, Microsoft has improved their antivirus (AV) solution by adding features, including the ability to perform offline scans, cloud integration, and enhanced notifications. One advantage of Windows Defender over third-party AV products is Defender's built-in PowerShell support.

Running Get-Command -Module Defender shows the cmdlets you can use to work with Defender. Essentially, you can manage preferences, threats, definitions, scans, and get the current status of Windows Defender.



Read more on 4Sysops.com
