Category: PowerShell


Azure Firewall Setup

The Azure Firewall

Last week Microsoft announced some cool new and long-awaited Azure networking functionality, which is now in public preview. One of these features is the Azure Firewall, a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. With Azure Firewall you can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

This is especially helpful in scenarios where you simply want to block internet traffic or you need centralized management and logging. Obviously, there is still space for third-party firewall appliances with even more functionality. But if you need something that is easy to configure, requires no additional licensing, can be configured automatically using the existing tooling and has unrestricted scaling capabilities, Azure Firewall is a great option.

It is also important to note that Azure Firewall is still in preview: additional functionality might be added and existing functionality might change.

Azure Firewall Spoke and Hub Network

(Image credit: Microsoft)

The Azure Firewall provides you with the following features:



VSCode in Azure Cloud Shell

You can now run a Visual Studio Code based editor in Azure Cloud Shell

Azure Cloud Shell, a browser-accessible shell for managing Azure resources, just got even more powerful. Today Microsoft added a new Visual Studio Code editor to Azure Cloud Shell. Okay, it is not the real Visual Studio Code, it is an editor based on the Visual Studio Code open-source project Monaco. Monaco is the same web-standards based editor that powers Visual Studio Code, and the editor is now integrated directly into Cloud Shell.

Now you not only have editors like vim, emacs or nano, you are also able to run code directly within the Azure Cloud Shell. This is pretty handy when you want to quickly edit files like scripts or ARM templates.

This is not the first time the Azure Cloud Shell team and the Visual Studio Code team collaborated: Azure Cloud Shell in Visual Studio Code



Windows 10 SleepStudy Report

Troubleshoot Windows 10 Battery Life and Modern Standby

More and more mobile devices are out there, and Windows 10 has some neat features like Modern Standby, formerly known as InstantGo or Connected Standby, which provides the instant on/instant off experience that users expect from their phones. That said, there are always scenarios where battery life or standby doesn’t work as we wish. This blog post should help you troubleshoot battery life and standby on Windows 10 using inbox tools.

Check hardware support for standby modes

Powercfg information

First of all, you can check which power states, standby modes and sleep states are supported by your hardware using the following command:

General Battery life and standby issues

In some cases you can run into issues where your battery drains more than expected during Modern Standby. This could be for the following reasons:

  • Drivers – Make sure you have the latest drivers installed
  • Firmware – Make sure you have the latest Firmware (BIOS) installed
  • Mails – The Windows communication app keeps the broker infrastructure (BI) system active. BI, in turn, keeps the WLAN network up so that the system stays up-to-date with emails. If you get a lot of emails this can end up in a higher power drain.
  • Software – Some installed legacy software does not let the system go into InstantGo mode.
  • VPN Clients – Some older VPN clients can also cause issues with InstantGo.
  • Network Activity – The WLAN device might have a challenging radio environment and the Windows system might not be able to establish a reliable Internet connection. We see how these events affect the WLAN device, which, in turn, impacts the battery.


Windows Users with PowerShell

Manage Local Windows User with PowerShell

A while ago Microsoft added a new PowerShell module to manage local Windows user accounts. This post should quickly show you how easily you can use PowerShell to, for example, create a new Windows user account, remove a Windows user account or modify Windows users and groups.

List Windows User accounts with PowerShell

The simplest task is obviously to list Windows users or groups, using the PowerShell Get- commands.

List all local Windows Users:

List all local Windows Groups:

Create new Windows User account using PowerShell

There are three different account types you can add to Windows 10:

The following part describes how you can add them to your Windows system using PowerShell.

To create a new Windows User account you can simply use the following command:

If you want to see that password you can also use this method, to create a new Windows User:

Create a new Windows User account connected to a Microsoft Account using PowerShell

With Windows 10 you have the opportunity to log in using Microsoft Accounts, for example with outlook.com or hotmail.com email aliases. For that you can use the following command to create a new Windows User connected to a Microsoft Account. In this case you will not need to configure a password for the account, since it is connected to the Microsoft Account.

You can also add Azure Active Directory (Azure AD) accounts if your business is for example using Office 365. The following command adds an Azure AD account to the local Windows Users:

Remove Windows User account using PowerShell

You can also simply remove user accounts from Windows using PowerShell. The following command will delete the account:

Change password of a Windows User account using PowerShell

To change the password of a local Windows User account, you can use the Set-LocalUser cmdlet. This also has some other options as well, but one of the most common ones is to reset the password.

Rename a Windows User account using PowerShell

To rename a Windows User account with PowerShell, you can use the following command:

Add Windows User account to group using PowerShell

This command for example adds users to the Windows Administrator group:
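The create, password-reset and group-membership steps described above can be combined into one repeatable script. This is an added example, not code from the original post; the function name `Set-LocalAccount` and the account name `svc-backup` are hypothetical, and the cmdlets come from the Microsoft.PowerShell.LocalAccounts module.

```powershell
#Requires -RunAsAdministrator
# Added example: create a local user (or reset its password) and ensure group membership.
# 'Set-LocalAccount' and 'svc-backup' are hypothetical names chosen for illustration.
function Set-LocalAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$Group = 'Users',
        [string]$Description = 'Managed by script'
    )

    # Create the account only if it does not exist yet; otherwise reset its password.
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        if ($PSCmdlet.ShouldProcess($Name, 'Create local user')) {
            New-LocalUser -Name $Name -Password $Password -Description $Description | Out-Null
        }
    }
    elseif ($PSCmdlet.ShouldProcess($Name, 'Reset password')) {
        Set-LocalUser -Name $Name -Password $Password
    }

    # Add the account to the group only when it is not already a member.
    $isMember = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq "$env:COMPUTERNAME\$Name" }
    if (-not $isMember -and $PSCmdlet.ShouldProcess($Name, "Add to group $Group")) {
        Add-LocalGroupMember -Group $Group -Member $Name
    }

    Get-LocalUser -Name $Name -ErrorAction SilentlyContinue |
        Select-Object Name, Enabled, PasswordLastSet, Description
}

# Prompt for the password so it never appears in the script or the command history.
$password = Read-Host -Prompt 'Password for svc-backup' -AsSecureString
Set-LocalAccount -Name 'svc-backup' -Password $password -Group 'Users'

# Review who currently holds local administrator rights.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Run it with `-WhatIf` first to see which changes would be made without applying them.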

I hope this gives you a quick overview how you can manage local Windows User accounts using PowerShell.




Azure – Just in Time VM access

If you run virtual machines with a public IP address connected to the internet, attackers immediately try to run attacks against them. Brute force attacks commonly target management ports, like RDP or SSH, to gain access to a VM. If the attacker is successful, they can take control of the VM and access other resources in the environment. To address that issue it is highly recommended to reduce the number of open ports, especially management ports. However, sometimes you will need to open ports on some of the virtual machines for management tasks. Microsoft Azure has a simple way to address this issue, called Just in time virtual machine (VM) access. Just in time VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

How does Azure Just in Time VM Access work

In the Azure Security Center you can enable just in time VM access. This will create a Network Security Group (NSG) rule to lock down inbound traffic to the Azure VM. During the initial JIT VM access configuration, you specify the ports that will be managed by Azure Security Center. These ports will then be locked down by the Azure Security Center using an NSG.
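To find the VMs that would benefit most from JIT, you can list the NSG rules that currently allow management ports from any source. This is an added example, not code from the original post; it assumes the Az.Network module and a signed-in session (`Connect-AzAccount`), and `Test-PortInRange` is a hypothetical helper.

```powershell
# Added example: flag NSG rules that allow management ports from any internet source.
# Assumes the Az.Network module and a signed-in session (Connect-AzAccount).
$mgmtPorts = 22, 3389, 5985, 5986          # SSH, RDP, PowerShell Remoting (HTTP/HTTPS)
$anySource = '*', '0.0.0.0/0', 'Internet'  # source prefixes that mean "anywhere"

function Test-PortInRange {
    # Hypothetical helper: $true when $Port falls inside an NSG port expression
    # such as '*', '3389' or '1000-4000'.
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    $low, $high = $Range -split '-', 2
    if (-not $high) { $high = $low }
    return ($Port -ge [int]$low -and $Port -le [int]$high)
}

$findings = foreach ($nsg in Get-AzNetworkSecurityGroup) {
    foreach ($rule in $nsg.SecurityRules) {
        # Only inbound allow rules with an unrestricted source are of interest.
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        if (-not ($rule.SourceAddressPrefix | Where-Object { $_ -in $anySource })) { continue }

        # Collect every management port covered by the rule's destination port ranges.
        $exposed = foreach ($port in $mgmtPorts) {
            if ($rule.DestinationPortRange | Where-Object { Test-PortInRange $_ $port }) { $port }
        }
        if ($exposed) {
            [pscustomobject]@{
                ResourceGroup = $nsg.ResourceGroupName
                Nsg           = $nsg.Name
                Rule          = $rule.Name
                Priority      = $rule.Priority
                Ports         = $exposed -join ','
            }
        }
    }
}

$findings | Sort-Object ResourceGroup, Nsg, Priority | Format-Table -AutoSize
```

Rules that allow a management port only from a specific IP address are not reported, so an empty result means no management port is open to the whole internet in the current subscription.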

Configure Azure just in time VM access


Azure JIT VM access is configured in the Azure Security Center. To configure and enable JIT on a virtual machine open up the Azure Security Center and click on Just in time VM access.

Here you will find three states, Configured, Recommended and No recommendation.

  • Configured – VMs that have been configured to support just in time VM access. The data presented is for the last week and includes for each VM the number of approved requests, last access date and time, and last user.
  • Recommended – VMs that can support just in time VM access but have not been configured to. We recommend that you enable just in time VM access control for these VMs. See Configuring a just in time access policy.
  • No recommendation – Reasons that can cause a VM not to be recommended are:
    • Missing NSG – The just in time solution requires an NSG to be in place.
    • Classic VM – Security Center just in time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just in time solution.
    • Other – A VM is in this category if the just in time solution is turned off in the security policy of the subscription or the resource group, or that the VM is missing a public IP and doesn’t have an NSG in place.

To configure JIT, click on Recommended and select the virtual machine for which you want to enable JIT.

Click on Enable JIT on VMs and configure the ports which should be managed by Just in time VM Access. Just in time VM access will recommend some default ports like RDP, SSH and PowerShell Remoting. You can also add other ports to the virtual machine if you want or need to.

Requesting Just in time VM Access for Azure Virtual Machine

Request Just in time VM access

On the Configured section, you can select the VM you want to request access to and click on Request access. You can now select the ports you want to be open for a specific time and a specific IP address. This will open up the ports and after 2-3 minutes you will be able to access the virtual machine.

To send such a request, the user who requests access to the virtual machine needs to have write access to the virtual machines in Azure Role-Based Access Control (RBAC).

Auditing Azure just in time VM access activity

Of course, all requests are logged and can be reviewed in the Activity Log.

Licensing of Azure just in time VM access

Azure just in time VM access is licensed through Azure Security Center and needs the Standard Tier to be enabled for the specific virtual machine.

I hope this gives you an idea how you can leverage Just in time VM access in Azure for your workloads.



Windows Container Images

The New Windows Container Image

At Microsoft Build 2018, Microsoft announced a new Windows container image, next to the Windows Server Core container image and the Nano Server container image. This new Windows container image is for applications and workloads which need additional API dependencies beyond Nano Server and Windows Server Core.

With the release of the latest Windows 10 Insider Preview (Build 17704), you can now download a preview of that container image. Your container host needs to run at least Windows Insider build 17704.

Windows Container Image

The IT world is transforming and Microsoft sees a huge demand from customers for containers. However, the container images available today, Nano Server and Windows Server Core, are lightweight versions of Windows and do not include some of the components of Windows. A huge scenario for containers is to put legacy applications into containers. With the new Windows container image, Microsoft is offering a new option for applications that need components which are not included in Windows Server Core, like DirectX or proofing support.

Microsoft Windows Container Images

As of today, Microsoft offers 3 container images in preview:

| Image | Version | Size |
|---|---|---|
| mcr.microsoft.com/nanoserver-insider | 10.0.17704.1000 | 232 MB |
| mcr.microsoft.com/windowsservercore-insider | 10.0.17704.1000 | 3.38 GB |
| mcr.microsoft.com/windows-insider | 10.0.17704.1000 | 8.07 GB |

Getting started with Windows Containers

First you need to have a host running Windows Insider Preview Build 17704 or higher. After that you can simply use docker to get the latest Insider container images from the Microsoft Container Registry:

You can read more about the new Windows Container image here on the Microsoft Virtualization Blog.

If you want to know more about the production Container Images for Windows, check out my blog post: Docker Container Images for Windows Server 1709 and new tagging



OpenSSH Server on Windows Server

Install OpenSSH Server on Windows Server

Back in 2017 Microsoft made OpenSSH available on Windows 10. Shortly after, OpenSSH was also available for Windows Server, version 1709. This blog post should give you a simple step-by-step guide on how to install OpenSSH Server on Windows Server. OpenSSH is available for Windows Server, version 1709 and higher. If you are running Windows Server 2016, and you want to stay in the long-term servicing branch, you will need to wait for the next Windows Server LTSC build.

Install OpenSSH Server on Windows Server

If you are running a Windows Server 1709 or higher, you can simply use PowerShell to install the OpenSSH Client and Server.

OpenSSH on Windows Server

You can use the following PowerShell commands to install the OpenSSH Server on Windows Server.

After the installation you can find the OpenSSH Server files and some more configuration options under “C:\Windows\System32\OpenSSH”.

Next you need to configure the OpenSSH Server (sshd).

To enable authentication into an SSH server on Windows, you first have to generate host keys and repair the ACL on the host keys.

Configure OpenSSH Server on Windows

To configure the OpenSSH Server on Windows Server, just run the following PowerShell commands:

Now you should be able to access your Windows Server using an SSH client.

OpenSSH Server on Windows Server

Remember, if you run your server in Microsoft Azure, you might also need to configure the Network Security Group to allow SSH Remoting on port 22.
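The install and configuration steps above, followed by a check of the host key ACLs, can be scripted as follows. This is an added example, not the commands from the original post; it assumes a build where the sshd service creates its host keys on first start and stores them under `%ProgramData%\ssh`, and the firewall rule name is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: install, start and verify OpenSSH Server on Windows Server.

# 1. Install the OpenSSH Server capability if it is not already present.
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name
}

# 2. Start sshd now and at every boot (assumption: host keys are created on first start).
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 3. Allow inbound TCP 22 in Windows Firewall if no such rule exists yet.
#    The rule name below is an assumption; adjust it to your naming convention.
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}

# 4. Verify the private host key ACLs: only SYSTEM (S-1-5-18) and the local
#    Administrators group (S-1-5-32-544) should appear in the access list.
$allowedSids = 'S-1-5-18', 'S-1-5-32-544'
$keyDirs = "$env:ProgramData\ssh", "$env:windir\System32\OpenSSH"
Get-ChildItem -Path $keyDirs -Filter 'ssh_host_*_key' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $unexpected = $acl.Access | Where-Object {
            $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            $sid.Value -notin $allowedSids
        }
        [pscustomobject]@{
            HostKey          = $_.FullName
            Owner            = $acl.Owner
            UnexpectedAccess = ($unexpected.IdentityReference.Value -join ', ')
        }
    }

# 5. Confirm that sshd is listening on port 22.
Get-NetTCPConnection -LocalPort 22 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Any value in the UnexpectedAccess column means another identity can read a private host key, and the ACL on that file should be repaired before the server is exposed.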