Tuesday, June 20, 2017

Windows 10 in-place upgrade with PowerShell and MDT



In this article, I will demonstrate how to use Microsoft Deployment Toolkit (MDT) and PowerShell to create a reusable in-place upgrade process for domain-joined computers. This is a completely automated process. Thus, no end-user interaction is necessary, and it can take place on any remote computer. Although I have not tested it specifically, theoretically this function should be able to upgrade hundreds of workstations simultaneously with the proper computing in place.

While adoption of Windows 10 for businesses has been growing, many workstations still run Windows 7 or Windows 8. For mass in-place upgrades, System Center Configuration Manager (SCCM) is the most widely used option as it allows administrators to push out the upgrade easily. For organizations that do not use SCCM, such as small to medium-sized businesses, there are other viable options, notably using MDT along with PowerShell.

Please note this solution will not be a fit for every organization. It requires the use of the Remote Desktop Protocol (RDP) on each machine to launch the upgrade process, and it is widely known that RDP is not entirely secure. The need for using RDP is due to the MDT upgrade process requiring a user logged on to the computer to launch the litetouch.vbs file. With that said, there are ways to reduce the security hole by using public key infrastructure (PKI) and enabling RDP only during the upgrade process. I also recommend changing the password on the account connecting via RDP immediately after the upgrade is complete.

Read more at 4Sysops.com

Wednesday, June 7, 2017

A safer way to patch ESXi using PowerCLI and VUM

Patching vSphere is fairly straightforward using vSphere Update Manager. You can let vCenter/VUM automate the patching of an entire datacenter or cluster if you want. Many VMware professionals prefer to have more control over how their clusters get patched, and with good reason. Yes, vCenter is capable of figuring out how many hosts can run your cluster via DRS so you can patch multiple hosts at once, but that is a bit scary if you ask me and unless you have a massive cluster, it is not worth the time savings in my opinion. I prefer to patch each host one by one and do some testing of vMotioning VM's for each host post installation to ensure the host is functioning correctly.

So I created a little function to do just that, Install-VUMPatch. You can grab it from my Github repo below. I included a good amount of error checking so that hopefully if anything goes wrong with a patch installation, the function stops and asks the user to halt or continue.


#Requires -Modules VMware.VimAutomation.Core
#Requires -Modules VMware.VumAutomation

function Install-VUMPatch
{
    [CmdletBinding()]
    param
    (
    [Parameter(Mandatory=$true)]
    [string]$VCenter,

    [Parameter(Mandatory=$true)]
    [pscredential]$Credential,

    [Parameter(Mandatory=$true)]
    [string]$ClusterName,

    [Parameter(Mandatory=$false)]
    [string]$BaselineName = 'Critical Host Patches (Predefined)',

    [Parameter(Mandatory=$true)]
    [string]$VM
    )
    begin 
    {
        ##Try connecting to vcenter
        try
        {
            Connect-VIServer $VCenter -Credential $Credential -ErrorAction Stop
        }
        catch
        {
            $ErrorMessage = $_.Exception.Message
            Write-Error $ErrorMessage 
            break
        }
    }
    process 
    {
        Try 
        {
            # Put baseline into variable and validate existence for later use
            $Baseline = Get-Baseline -Name $BaselineName -ErrorAction stop
            # Attach baseline to all hosts in cluster
            Attach-Baseline -Entity $ClusterName -Baseline $Baseline -ErrorAction stop
            # Test compliance against all hosts in cluster
            Test-Compliance -Entity $ClusterName -UpdateType HostPatch -Verbose -ErrorAction stop
            # Build array of noncompliant hosts
            $VMHosts = (Get-Compliance -Entity $ClusterName -Baseline $Baseline -ComplianceStatus NotCompliant -ErrorAction Stop).Entity.Name
            #Copy patches to noncompliant hosts
            Copy-Patch -Entity $VMhosts -Confirm:$false -ErrorAction stop
        }
        Catch 
        {
            $ErrorMessage = $_.Exception.Message
            Write-Error $ErrorMessage 
            Write-Output 'Error getting $Vmhosts variable'
            break
        }
        # For each noncompliant host install patches
        foreach ($VMhost in $VMHosts)
        {
            Write-Output "Patching $VMHost"
            try 
            {   
                # Put VMHost in maintenance mode
                Set-VMHost $VMhost -State Maintenance -Confirm:$false -ErrorAction Inquire | Select-Object Name,State | Format-Table -AutoSize
                # Remediate VMHost
                $UpdateTask = Update-Entity -Baseline $baseline -Entity $vmhost -RunAsync -Confirm:$false -ErrorAction Stop
                Start-Sleep -Seconds 05
                # Wait for patch task to complete
                while ($UpdateTask.PercentComplete -ne 100)
                {   
                    Write-Progress -Activity "Waiting for $VMhost to finish patch installation" -PercentComplete $UpdateTask.PercentComplete 
                    Start-Sleep -seconds 10
                    $UpdateTask = Get-Task -id $UpdateTask.id
                }
                # Check to see if remediation was sucessful
                if ($UpdateTask.State -ne 'Success')
                {
                    Write-Warning "Patch for $VMHost was not successful"
                    Read-Host 'Press enter to continue to next host or CTL+C to exit script'
                    Continue
                }
                # Check to see if host is now in compliance
                $CurrentCompliance = Get-Compliance -Entity $VMHost -Baseline $Baseline -ErrorAction Stop
                if  ($CurrentCompliance.Status -ne 'Compliant')
                {
                    Write-Warning "$VMHost is not compliant"
                    Read-Host 'Press enter to continue to next host or CTL+C to exit script'
                    Continue
                }
                # Set VMHost out of maintenance mode 
                Set-VMHost $vmhost -State Connected -Confirm:$false -ErrorAction Inquire | Select-Object Name,State | Format-Table -AutoSize
                # VMotion VM to VMHost and sleep for 3 seconds
                Move-VM -VM $VM -Destination $VMhost -Confirm:$false -ErrorAction Stop | Out-Null
                Start-Sleep -seconds 3
                # Test network connectivity to VM to ensure VMHost is operating correctly
                Test-Connection $VM -Count 4 -Quiet -ErrorAction Stop | Out-Null
                Write-Output "$VMHost patch successful."
            }
            catch 
            {
                $ErrorMessage = $_.Exception.Message
                Write-Warning $ErrorMessage 
                # Comment out the Read-Host if you do not want the script to prompt after an error. 
                Read-Host -Prompt 'Press enter to continue to next VMHost or CTRL + C to exit' 
                Continue
            }
        }
    }
    end 
    {
        Disconnect-ViServer -Confirm:$False -Force
        Write-Output  'Script completed'
    }
}

Monday, June 5, 2017

Capture network traces with the PowerShell module NetEventPacketCapture



Every network admin will at some point need to capture and view network events to help troubleshoot network issues. The PowerShell module NetEventPacketCapture is an interesting option to capture network traces

IT professionals have many tools that can enable the capturing and viewing of network traffic. Tools such as Wireshark and Netmon have been staples for performing network traces. Starting with Windows 7/2008 the netsh trace command became available to allow capturing traces via the command line.

The NetEventPacketCapture module


One tool I have recently started using is the PowerShell NetEventPacketCapture module to capture and show trace events. Microsoft released the module with Windows 8.1/2012 R2, so although it is a few years old, it is not a widely used tool. One of the main reasons why using this module is appealing to me is that you can do many of the tasks within PowerShell without having to use other tools.

In order to create a trace log (.etl file), you must use four cmdlets from the NetEventPacketCapture module. In addition, you need a tool to view the trace file. This would be the bare minimum process for capturing a network event trace:

  • Use New-NetEventSession to create a trace session. For remote traces you can use the ‑CimSession
  • Add-NetEventProvider to add an event-tracing provider to the session you created. For instance the provider "Microsoft-Windows-TCPIP" would trace TCP/IP events.
  • Start-NetEventSession will begin logging live events to the .etl file.
  • Stop-NetEventSession will end the trace session.
  • Finally, to view the .etl file, you can use a number of tools. In this article, I will use the Get-WinEvent cmdlet in PowerShell.

Read more on 4Sysops.com

Windows 10 in-place upgrade with PowerShell and MDT

In this article, I will demonstrate how to use Microsoft Deployment Toolkit (MDT) and PowerShell to create a reusable in-place upgrade pr...