All posts tagged Windows

Recently I’ve encountered a challenge of deploying Wazuh agent to bunch of Windows servers. Wazuh agent MSI package takes several parameters, and if given enough information it is able to register the agent, perform basic configuration and add itself to appropriate groups – all unattended. Generally this would be quite straightforward if old school startup scripts worked properly on Windows 2012. Unfortunately, they didn’t work for me.

After short amount of research I realized that simplest way to add parameters to a GPO based MSI installation is to use MSI transformations (MST files) that you can create with Orca.

Download Windows SDK (can be found here). During the setup process you can select MSI tools only, if you don’t need the rest of the tools. It will make for a quicker download.

This will only download Orca, you need to install it manually. I had to search through program files to realize that – I should have seen that this provides the “Download” button, not install. Anyway, Orca installer will be located at “C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86” (note that path might not be exact since I would assume the build version will only change in the future). Simply run Orca-x86_en-us.msi to install it. After that you should see Orca-esque icon in “C:\Program Files (x86)\Orca”.

Orca.exe will provide a handy graphical interface where you can edit a bunch of attributes of MSI files and generate MST that we need. Open up Wazuh agent MSI in Orca, and select new Transform.

Navigate to “Propery” table and right click whitespace, then select “Add Row”

Add all the properties that you need for your Wazuh Agent installation by repeating this process.
Make sure you use the correct names for the parameters. More information about deployment variables can be found on the official docs pages of Wazuh.

Generally, I would recommend testing the installation parameters manually before trying to create the MST. Simply run the Wazuh Agent MSI from the command line with all the parameters you plan to use. After you have successfully registered the server from the command line (without graphical interface), use the same parameters in Orca.

After you’ve added all the values simply click on “Generate Transform” from the “Transform” drop-down menu and save the MST file.

At this point you have everything you need to create custom GPO software deployment. Generate a new policy, or even add to existing. Click on “New” “Package” under “Computer Configuration” -> “Policies” -> “Software installation”.
Theoretically you can also use the “User Configuration” but for something like FIM you would want agent deployment to happen irregardless of the users.

This will prompt you to select the MSI file. Here you need to select the original Wazuh Agent MSI that is store on the network shared location (it needs to be accessible by computer objects that will receive the package)

Choose Advanced, so we can add the MST.

On the next screen you can make sure that default values are fine for your environment.

Then the crucial part is to add the MST file under “Modifications” tab. Keep in mind that MST file also needs to be accessible by the computer object.

Then apply the GPO to appropriate OU that contains your servers. You’ll probably have to reboot the servers for the actual deployment to occur.

This approach should be applicable to majority of MSI files, but your mileage may vary.

If you are like me using MDT 2012 Update 1, and recently decided to update old images with fresh install and latest Microsoft patches, there is a strong chance that you might run into following error during image deployment.Windows could not parse

Error is encountered during the processing of unattend.xml, more precisely on IE customization. It appears that IE10 does not support <IEWelcomeMsg>  tag  and that causes the whole deployment to hang. IEWelcomeMsg tag is present by default in unattend.xml file created by MDT 2012, so the solution is to either upgrade to MDT 2013 which has this issue resolved or to manually remove/comment this line.

You’ll find the unattend.xml file for each sequence under MDTDeploymentShare\Control\%Task Sequence ID%\

Just remove or comment the line like this:

<!-- <IEWelcomeMsg>false</IEWelcomeMsg> -->

My company is using Microsoft Exchange 2010 SP1, there we have a few mailboxes that have permanent out of office assistant set for the purpose of informing people that their message has been received and that we’ll process it ASAP. And that’s fulfilling its purpose, but at some point we realized that the notification is sent only once to each email sender. It doesn’t matter how much time has passed between two sent emails, you would always get out of office reply only for the first message.

This is actually all by design, hard-coded, without the possibility to change or modify this behavior. The Microsoft’s intended purpose for OOF is to notify senders that the recipient is out of office, usually on vacation for some period of time. For that objective, usually there is no need for auto reply with OOF info to be sent out more than once. But for our intents and purposes, this will not do. Those accounts have permanent Auto Reply, and we want our server to respond more than once.

But not too often 🙂 Microsoft left out the possibility to modify OOF settings out of the box for a good reason. If an email server would respond with OOF each time it received an email on that particular mailbox, it could be really easy to either purposely or not cause an email loop. Two mail servers would bounce (auto reply) emails until one of them dies or reaches the mailbox limit. Hence, you should be really careful when meddling with  OOF auto reply.

One way I found to make OOF respond more than once is to reset the Auto Reply configuration. Basically, disable it, and enable it right away. The OOF will be sent to each sender again on the first email, at least until the configuration is changed again.

So, one would schedule a PowerShell script to disable/enable OOF on speciefic mailboxes that fit aforementioned intent. Do not reset OOF too often, set the scheduler for an interval of one day at least.

set-MailboxAutoReplyConfiguration -id -AutoReplyState Disabled
set-MailboxAutoReplyConfiguration -id -AutoReplyState Enabled

Few days ago I installed Hyper-V Server 2012, Microsoft’s free virtualization platform and the equivalent of VMware ESXi.
The very first thing that I was stuck with is that Hyper-V Manager available through RSAT doesn’t have an option to mount an ISO or capture a drive from a machine on which is running. Instead it gives you drives of the Hyper-V host, and that would of course require you to have an ISO or the disc itself present on the host.

For most of us this is very inconvenient, we like the ability to mount an ISO from a network share or our machine. One would think, this a Windows box, no problem, i will map a network drive with my ISOs. The mapping would succeed, but mapped drive (letter) will not be visible in Hyper-V manager when trying to mount an ISO. Ok, the next step that the one would consider is mounting from UNC share directly, but that would also fail, with the message “‘VM’ failed to add device ‘Virtual CD/DVD Disk'” & “User account does not have permission required to open attachment”.


The cause of this is that the Hyper-V is intended to run with VMM Library Server and to mount files from it, not any random share. To circumvent this:

  • You need to assign full NTFS and share permissions to computer account of Hyper-V on a shared folder with ISO’s you want to mount.
  • In AD on the computer account of Hyper-v machine delegate specific service ‘cifs’ to the machine you want your ISO’s mounted from, microsoft calls this constrained delegation.

Here is step by step procedure for the constrained delegation:

  1. Go to Active Directory Users and Computers
  2. Find the Hyper-V server computer account and open up its properties.
  3. Go to Delegation tab.
  4. Select Trust this computer for delegation to the specified services only radio button.
  5. Click the Add button.
  6. Click the Users or Computers… button.
  7. In the Add Services window, click Users or Computers and enter the computer account that will  act as a library server and click OK.
  8. Select the cifs Service Type and click OK.

The resulting setup should look something like this:

Constrained delegation

You could reboot the Hyper-V server just for the good measure.

     Secure Shell or SSH is a highly versatile application layer network protocol used for secure communication between networked hosts (in Server/client model).   Designed as a replacement for telnet with Public-key cryptography  for data confidentiality on unsecured networks ie. Internet.
SSH is most popular on Unix like systems and used for remote administration, tunneling, TCP and X11 forwarding and even file transfer (SFTP and SCP).  This post will focus on SSH on windows as I mostly work with it,  and for me one of the most interesting features – the SSH tunneling / TCP forwarding.


Needed software

Most popular flavor on POSIX systems is OpenSSH, that includes ssh (the client),  sshd (the SSH server daemon),  scp, sftp and others.
On Windows: You can actually go with the same OpenSSH package under Cygwin (Unix-like environment for Microsoft Windows).
There are of course some Windows native servers and clients, notable:
KpyM Telnet/SSH Server, freeSSHd, the unbeatable PuTTY and its many forks with my favourite being KiTTY.
DD-WRT and Open-WRT feature Dropbear SSH server and client for its light use of resources.


Local port forwarding

Local port forwarding enables you to tunnel TCP traffic from your machine to ssh server or remote network that ssh server has access to.
SSH client  on your local machine listens on specified port and forwards all TCP traffic to the specified destination address and port.

For example: VNC Viewer (with traffic destined to localhost on port 5900 > SSH client listening on port 5900 and forwarding traffic to the specified IP and port on server side of the tunnel -> server ->  Other hosts that server has access to (optional).

Note that local port is arbitrary port number as long as you can specifiy it in software that you wish to tunnel.
Continue Reading