Change the timezone on a Server 2016 Nano Server

This article will show you how to change the local time zone on a Windows Server 2016 Nano Server TP4.

To complete this task, I’ll use built-In utility Tzutil.exe which Is already loaded into the Nano server.

To change the time Zone create a remote PowerShell Session to your Nano Server.

Once you logged In check the current timezone with the command below:

tzutil.exe /g

To view all available timezones type:

Tzutil.exe /I

To change the TimeZone type:

tzutil.exe /s "AUS Eastern Standard Time"

Office 2016 Batch file activate

@echo off
C:

REM Check if Office16 has been activated previosuly
IF EXIST "C:\Windows\Office16Activation\" (
	Echo Already Activated

	) ELSE (
	mkdir C:\Windows\Office16Activation
	IF EXIST "C:\Program Files (x86)\" (
		REM 64Bit Machine
		REM Check if Office16 key has been installed 
		IF NOT EXIST "C:\Windows\Office16Activated\Key" (
			cscript "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
			mkdir C:\Windows\Office16Activation\KeyInstalled
			)
		REM Check if Office16 key has been activated
		IF NOT EXIST "C:\Windows\Office16Activated\Act" (
			cscript "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /act
			mkdir C:\Windows\Office16Activation\Activated
			)
		) ELSE (
		REM 64Bit Machine
		REM Check if Office16 key has been installed 
		IF NOT EXIST "C:\Windows\Office16Activated\Key" (
			cscript "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
			mkdir C:\Windows\Office16Activation\KeyInstalled
			)
		REM Check if Office16 key has been activated
		IF NOT EXIST "C:\Windows\Office16Activated\Act" (
			cscript "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" /act
			mkdir C:\Windows\Office16Activation\Activated
			)
		)
		)

Windows 10 SysPrep Woes

New image created at a school I support, fully updated, all apps installed tested and working. Come to sysprep the image and BOOM – “Sysprep will not run on a upgraded OS.”

It can now after this quick “fix” –

Remove this KEY from the Registry:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade

Remove this REG_DWORD from the Registry:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade

Set this REG_DWORD from the Registry:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus\CleanupState [Set Hexadecimal Value: 7]

Run this command as Administrator:
slmgr /dli

So then I though great sorted, NOPE! Windows 10 SysPrep brings in AppX Applications, they now have to be removed before sysprep also

To resolve this issue, remove the package for the user who’s running sysprep, and also remove the provisioning. To do this, follow these steps.

Note To prevent Windows Store from updating apps, unplug the Internet connection or disable Automatic Updates in Audit mode before you create the image.

  1. Run the Import-Module Appx PowerShell cmdlet.
  2. Run Import-Module Dism.
  3. Run Get-AppxPackage -AllUser | Where PublisherId -eq 8wekyb3d8bbwe | Format-List -Property PackageFullName,PackageUserInformation.

    Notes

    • In the output of this last cmdlet, check the users for whom the package is showing up as Installed. Delete these user accounts from the reference computer, or log on to the computer by using these user accounts. Then, run the cmdlet in step 4 to remove the Appx package.
    • This command lists all packages that were published by Microsoft and installed by any user of that reference computer. Because the computer is to be sysprepped, we assume that these user profiles no longer require the package.
    • If you have manually provisioned apps that belong to other publishers, run the following command to list them:

      Get-AppxPackage -AllUser | Format-List -Property PackageFullName,PackageUserInformation

  4. Run Remove-AppxPackage -Package <packagefullname>.
  5. Remove the provisioning by running the following cmdlet:

    Remove-AppxProvisionedPackage -Online -PackageName <packagefullname>

If you try to recover from an update issue, you can reprovision the app after you follow these steps.

Note The issue does not occur if you are servicing an offline image. In that scenario, the provisioning is automatically cleared for all users. This includes the user who runs the command.

PS – Read remote mySql Data from Powershell

#Load the .net MySql DLL
[system.reflection.Assembly]::LoadFrom("C:\MySql.Data.dll")
Clear

#Create the connection object
$myconnection = New-Object MySql.Data.MySqlClient.MySqlConnection

#Create the ConnectionString
$myconnection.ConnectionString = "database=my_database;server=my.sql.server.com;Persist Security Info=false;user id=my_database_user;pwd=my_database_pwd"

$myconnection.Open()

$command = $myconnection.CreateCommand()
$command.CommandText = "SELECT * FROM `Tablet` WHERE `ID` = '1'";

$dataSet = New-Object System.Data.DataSet

$reader = $command.ExecuteReader()

while
($reader.Read()) {
  for ($i= 0; $i -lt $reader.FieldCount; $i++) {
    write-host $reader.GetValue($i).ToString()
  }
}

$myconnection.Close()

Prevent Ransomeware with GPO and Software Restriction Policies

Software Restriction Policies

Software Restriction Policies (SRPs) allow you to control or prevent the execution of certain programs through the use of Group Policy. You can use SRPs to block executable files from running in the specific user-space areas that Cryptolocker uses to launch itself in the first place. The best place to do this is through Group Policy, although if you’re a savvy home user or a smaller business without a domain, you can launch the Local Security Policy tool and do the same thing.

One tip: if you’re using Group Policy, create a new GPO for each restriction policy. This makes it easier to disable a policy that might be overly restrictive.

Here’s how to do it:

Open up Local Security Policy or the Group Policy Object editor and create a new GPO. I’ll show you how to create two here — one for Windows XP machines (which use slightly different paths for the user space) and one for Windows Vista and later machines.
Name the new GPO “SRP for XP to prevent Cryptolocker” or something similar for you to remember easily.
Choose Computer Configuration and then navigate through Policies ’ Windows Settings ’ Security Settings ’ Software Restriction Policies.
Right-click Software Restriction Policies and choose New Software Restriction Policy from the context menu.
Now, create the actual rules that will catch the software on which you want to enforce a restriction. Right-click Additional Rules in the left-hand pane. Choose New Path Rule.
Under Path, enter %AppData%\*.exe.
Under Security level, choose Disallowed.
Enter a friendly description, like “Prevent programs from running in AppData.”
Choose New Path Rule again, and make a new rule like the one just completed. Use the following table to fill out the remainder of this GPO.

Path Security Level Suggested Description
%AppData%\*.exe Disallowed Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe Disallowed Prevent virus payloads from executing in subfolders of AppData
%UserProfile%\Local Settings\Temp\Rar*\*.exe Disallowed Prevent un-WinRARed executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\7z*\*.exe Disallowed Prevent un-7Ziped executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\wz*\*.exe Disallowed Prevent un-WinZIPed executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\*.zip\*.exe Disallowed Prevent unarchived executables in email attachments from running in the user space

WinRAR and 7Zip are the names of compression programs commonly used in the Windows environment.

Close the policy.

To protect Windows Vista and newer machines, create another GPO and call this one “SRP for Windows Vista and up to prevent Cryptolocker.” Repeat the steps above to create the SRP and create path rules based on the following table.

Path Security Level Suggested Description
%AppData%\*.exe Disallowed Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe Disallowed Prevent virus payloads from executing in subfolders of AppData
%LocalAppData%\Temp\Rar*\*.exe Disallowed Prevent un-WinRARed executables in email attachments from running in the user space
%LocalAppData%\Temp\7z*\*.exe Disallowed Prevent un-7Ziped executables in email attachments from running in the user space
%LocalAppData%\Temp\wz*\*.exe Disallowed Prevent un-WinZIPed executables in email attachments from running in the user space
%LocalAppData%\Temp\*.zip\*.exe Disallowed Prevent unarchived executables in email attachments from running in the user space

Close the policy.

Once these GPOs get synchronized down to your machines — this can take up to three reboots to happen, so allow some time — when users attempt to open executables from email attachments, they’ll get an error saying their administrator has blocked the program. This will stop the Cryptolocker attachment in its tracks.

Unfortunately, taking this “block it all in those spots” approach means that other programs your users may install from the web, like GoTo Meeting reminders and other small utilities that do have legitimate purposes, will also be blocked. There is a solution, however: You can create ad-hoc allow rules in the software restriction policy GPOs. Windows allows these “whitelisted” apps before it denies anything else, so by defining these exceptions in the SRP GPO, you will instruct Windows to let those apps run while blocking everything else. Simply set the security level to Unrestricted, instead of Disallowed as we did above.

PS – Windows Server Feature check using XML

$ServerFeatures = Import-Clixml $PWD\PreRequsits\ServerFeatures.xml
foreach ($feature in $ServerFeatures) {if ($feature.displayname.Contains("3.5")) {Install-WindowsFeature -Name $feature.name -Source E:\sources\sxs\} else {Install-WindowsFeature -Name $feature.name}}