When attempting to install a Microsoft Exchange Cumulative Update, the readiness checker may fail and stop you from proceeding with the upgrade and installation.
You will be presented with the following error, or one similar:
There is a pending reboot from a previous installation of a Windows Server role or feature. Please restart the computer and then run Setup again.
After restarting the server, and re-attempting to install the Exchange CU, it will continue to present this and stop you from proceeding with the installation.
There’s a few different things that can cause this. I experienced this issue when trying to upgrade Exchange 2016 CU18 to Exchange 2016 CU20. This issue can also happen when upgrading from Microsoft Exchange 2019 CU versions, as well as earlier versions of Exchange 2013.
I found a few posts online referencing to delete two registry keys, “UpdateExeVolatile” and “PendingFileRenameOperations”, however these didn’t exist for me.
I figured I’d try to install a feature, specifically something small that I may or may not ever use, to see if it would work and to see if it would clear whatever flag had been set for the pending restart.
First, I left the Exchange CU installer window open on the prerequisite check, opened the Server Manager and installed the TFTP Client. After finishing, I hit retry and it continued to fail.
I restarted the server, ran the CU installer again which got stuck on the pending restart. This time I closed the Exchange CU upgrade, installed the “Telnet Client” feature, opened the CU upgrade again, and it finally worked and proceeded!
So with the above in mind, to bypass this issue you must:
Launch Exchange CU Installer
Wait for readiness check to fail (warning of a pending reboot), close installer
Install a feature with the Server Manager, such as “TFTP Client” or “Telnet Client”
Open Exchange CU Installer
Install Microsoft Exchange Cumulative Update successfully!
Hope this helps! Leave a comment and let me know if it worked for you!
So you’re looking at deploying Microsoft Teams for your Horizon View VDI deployment.
This guide will allow you to deploy Microsoft Teams Optimization for Manual Pools, Automated Pools, and Instant Clone Pools, for use with both persistent and non-persistent VDI. This guide will NOT provide instructions on deploying Microsoft Teams inside of non-persistent VDI or Instant Clones (stay tuned for a guide for that soon).
Before Microsoft Teams VDI Optimization, VMware’s RTAV (Real-Time Audio-Video) was generally used. This offloaded audio and video to the VMware Horizon Client utilizing a dedicated channel over the connection to optimize the data exchange. With minor tweaks (check out my post on enhancing RTAV webcam with VMware Horizon), this actually worked quite well with the exception of microphone quality on the end-users side, and high bandwidth requirements.
Starting with Horizon View 7.13 and Horizon View 8 (2006), VMware Horizon now supports Microsoft Teams Optimization. This technology offloads the Teams call directly to the endpoint (or client device), essentially drawing over the VDI VM’s Teams visual interface and not involving the VDI Virtual Machine at all. The client application (or thin client) handles this and connects directly to the internet for the Teams Call. One less hop for data, one less processing point, and one less load off your server infrastructure.
Microsoft Teams Optimization uses WebRTC to function.
Deploying Microsoft Teams Optimization on VMware Horizon VDI
There are two components required to deploy Microsoft Teams Optimization for VDI.
Microsoft Specific Setup and Configuration of Microsoft Teams
VMware Specific Setup and Configuration for Microsoft Teams
We’ll cover both in this blog post.
Microsoft Specific Setup and Configuration of Microsoft Teams Optimization
First and foremost, do NOT bundle the Microsoft Teams install with your Microsoft 365 (Office 365) deployment, they should be installed separately.
We’re going to be installing Microsoft Teams using the “per-machine” method, where it’s installed in the Program Files of the OS, instead of the usual “per-user” install where it’s installed in the user “AppData” folder.
Non-persistent (Instant Clones) VDI requires Microsoft Teams to be installed “Per-Machine”, whereas persistent VDI can use both “Per-Machine” and “Per-User” for Teams. I use the “Per-Machine” for almost all VDI deployments. This allows you to manage versions utilizing MSIs and GPOs.
Please Note that when using “Per-Machine”, automatic updates are disabled. In order to upgrade Teams, you’ll need to re-install the newer version. Take this in to account when planning your deployment.
For Teams Optimization to work, your endpoints and/or clients MUST have internet access.
Let’s Install Microsoft Teams (VDI Optimized)
For Per-Machine (Non-Persistent & Persistent) Install, use the following command:
And that’s it for the Microsoft Specific side of things!
VMware Specific Setup and Configuration for Microsoft Teams Optimization
When it comes to the VMware Specific Setup and Configuration for Microsoft Teams Optimization, it’s a little bit more complex.
VMware Horizon Client Installation
When installing the VMware Horizon Client, the Microsoft Teams optimization feature should be installed by default. However, doing a custom install, make sure that “Media Optimization for Microsoft Teams” is enabled (as per the screenshot below):
Group Policy Object to enable WebRTC and Microsoft Teams Optimization
You’ll only want to configure GPOs for those users and sessions where you plan on actually utilizing Microsoft Teams Optimization. Do not apply these GPOs to endpoints where you wish to use RTAV and don’t want to use Teams optimization, as it will enforce some limitations that come with the technology (explained in Microsoft’s documentation).
We’ll need to enable VMware HTML5 Features and Microsoft Teams Optimization (WebRTC) inside of Group Policy. Head over and open your existing VDI GPO or create a new GPO. You’ll need to make sure you’ve installed the latest VMware Horizon GPO Bundle. There are two switches we need to set to “Enabled”.
Expand the following, and set “Enable HTML5 Features” to “Enabled”:
Next, we’ll set “Enable Media Optimization for Microsoft Teams” to “Enabled”. You’ll find it in the following:
Computer Configuration -> Policies -> Administrative Templates -> VMware View Agent Configuration -> VMware HTML5 Features -> VMware WebRTC Redirection Features -> Enable Media Optimization for Microsoft Teams
And that’s it, you’re GPOs are now configured.
If you’re running a persistent desktop, run “gpupdate /force” in an elevated command prompt to grab the updated GPOs. If you’re running a non-persistent desktop pool, you’ll need to push the base image snapshot again so your instant clones will have the latest GPOs.
Confirming Microsoft Teams Optimization for VDI
There’s a simple and easy way to test if you’re currently running Microsoft Teams Optimized for VDI.
Open Microsoft Teams
Click on your Profile Picture to the right of your Company Name
Expand “About”, and select “Version”
After selecting this, you’ll see a toolbar appear horizontally underneath the search, company name, and your profile picture with some information. Please see the below examples to determine if you’re running in 1 of 3 modes.
The following indicates that Microsoft Teams is running in normal mode (VDI Teams Optimization is Disabled). If you have configured VMware RTAV, then it will be using RTAV.
The following indicates that Microsoft Teams is running in VDI Optimized mode (VDI Teams Optimization is Enabled showing “VMware Media Optimized”).
The following indicates that Microsoft Teams is configured for VDI Optimization, however is not functioning and running in fallback mode. If you have VMware RTAV configured, it will be falling back to using RTAV. (VDI Teams Optimization is Enabled but not working showing “VMware Media Not Connected”, and is using RTAV if configured).
If you’re having issues or experiencing unexpected results, please go back and check your work. You may also want to review Microsoft’s and VMware’s documentation.
This guide should get you up and running quickly with Microsoft Teams Optimization for VDI. I’d recommend taking the time to read both VMware’s and Microsoft’s documentation to fully understand the technology, limitations, and other configurables that you can use and fine-tune your VDI deployment.
When you’re looking for additional or enhanced options to secure you’re business and enterprise IT systems, MFA/2FA can help you achieve this. Get away from the traditional single password, and implement additional means of authentication! MFA provides a great compliment to your cyber-security policies.
MFA is short for Multi Factor authentication, additionally 2FA is short for Two Factor Authentication. While they are somewhat the same, multi means many, and 2 means two. Additional security is provided with both, since it provides more means of authentication.
Traditionally, users authenticate with 1 (one) level of authentication: their password. In simple terms MFA/2FA in addition to a password, provides a 2nd method of authentication and identity validation. By requiring users to authentication with a 2nd mechanism, this provides enhanced security.
Why use MFA/2FA
In a large portion of security breaches, we see users passwords become compromised. This can happen during a phishing attack, virus, keylogger, or other ways. Once a malicious user or bot has a users credentials (username and password), they can access resources available to that user.
By implementing a 2nd level of authentication, even if a users password becomes compromised, the real (or malicious user) must pass a 2nd authentication check. While this is easy for the real user, in most cases it’s nearly impossible for a malicious user. If a password get’s compromised, nothing can be accessed as it requires a 2nd level of authentication. If this 2nd method is a cell phone or hardware token, a malicious user won’t be ale to access the users resources unless they steal the cell phone, or hardware token.
How does MFA/2FA work
When deploying MFA or 2FA you have the option of using an app, hardware token (fob), or phone verification to perform the additional authentication check.
After a user attempts to logs on to a computer or service with their username and password, the 2nd level of authentication will be presented, and must pass in order for the login request to succeed.
Please see below for an example of 2FA selection screen after a successful username and password:
After selecting an authentication method for MFA or 2FA, you can use the following
2FA with App (Duo Push)
Duo Push sends an authentication challenge to your mobile device which a user can then approve or deny.
Please see below for an example of Duo Push:
Once the user selects to approve or deny the login request, the original login will either be approved or denied. We often see this as being the preferred MFA/2FA method.
2FA with phone verification (Call Me)
Duo phone verification (Call Me) will call you on your phone number (pre-configured by your IT staff) and challenge you to either hangup to deny the login request, or press a button on the keypad to accept the login request.
While we rarely use this option, it is handy to have as a backup method.
2FA with Hardware Token (Passcode)
Duo Passcode challenges are handled using a hardware token (or you can generate a passcode using the Duo App). Once you select this method, you will be prompted to enter the passcode to complete the 2FA authentication challenge. If you enter the correct passcode, the login will be accepted.
Here is a Duo D-100 Token that uses HOTP (HMAC-based One Time Password):
When you press the green button, a passcode will be temporarily displayed on the LCD display which you can use to complete the passcode challenge.
You can purchase Hardware Token’s directly from Digitally Accurate Inc by contacting us, your existing Duo Partner, or from Duo directly. Duo is also compatible with other 3rd party hardware tokens that use HOTP and TOTP.
2FA with U2F
While you can’t visibly see the option for U2F, you can use U2F as an MFA or 2FA authentication challenge. This includes devices like a Yubikey from Yubico, which plugs in to the USB port of your computer. You can attach a Yubikey to your key chain, and bring it around with you. The Yubikey simply plugs in to your USB port and has a button that you press when you want to authenticate.
When the 2FA window pops up, simply hit the button and your Yubikey will complete the MFA/2FA challange.
What can MFA/2FA protect
Duo MFA supports numerous cloud and on-premise applications, services, protocols, and technologies. While the list is very large (full list available at https://duo.com/product/every-application), we regularly deploy and use Duo Security for the following configurations.
Windows Logins (Server and Workstation Logon)
Duo MFA can be deployed to not only protect your Windows Servers and Workstations, but also your remote access system as well.
When logging on to a Windows Server or Windows Workstation, a user will be presented with the following screen for 2FA authentication:
Below you can see a video demonstration of DUO on Windows Login.
DUO works with both Windows Logins and RDP (Remote Desktop Protocol) Logins.
VMWare Horizon View Clients (VMWare VDI Logon)
Duo MFA can be deployed to protect your VDI (Virtual Desktop Infrastructure) by requiring MFA or 2FA when users log in to access their desktops.
When logging on to the VMware Horizon Client, a user will be presented with the following screen for 2FA authentication:
Below you can see a video demonstration of DUO on VMware Horizon View (VDI) Login.
Sophos UTM (Admin and User Portal Logon)
Duo MFA can be deployed to protect your Sophos UTM firewall. You can protect the admin account, as well as user accounts when accessing the user portal.
If you’re using the VPN functionality on the Sophos UTM, you can also protect VPN logins with Duo MFA.
Unix and Linux (Server and Workstation Logon)
Duo MFA can be deployed to protect your Unix and Linux Servers. You can protect all user accounts, including the root user.
We regularly deploy this with Fedora and CentOS (even FreePBX) and you can protect both SSH and/or console logins.
When logging on to a Unix or Linux server, a user will be presented with the following screen for 2FA authentication:
Below you can see a video demonstration of DUO on Linux.
Duo MFA can be deployed to protect your WordPress blog. You can protect your admin and other user accounts.
If you have a popular blog, you know how often bots are attempting to hack and brute force your passwords. If by chance your admin password becomes compromised, using MFA or 2FA can protect your site.
When logging on to a WordPress blog admin interface, a user will be presented with the following screen for 2FA authentication:
Below you can see a video demonstration of DUO on a WordPress blog.
How easy is it to implement
Implementing Duo MFA is very easy and works with your existing IT Infrastructure. It can easily be setup, configured, and maintained on your existing servers, workstations, and network devices.
Duo offers numerous plugins (for windows), as well as options for RADIUS type authentication mechanisms, and other types of authentication.
How easy is it to manage
Duo is managed through the Duo Security web portal. Your IT admins can manage users, MFA devices, tokens, and secured applications via the web interface. You can also deploy appliances that allow users to manage, provision, and add their MFA devices and settings.
Duo also integrates with Active Directory to make managing and maintaining users easy and fairly automated.
Today we take it back to basics with a guide on how to create an Active Directory Domain on Windows Server 2019. These instructions are also valid for previous versions of Microsoft Windows Server.
This video will demonstrate and explain the process of installing, configuring, and deploying a Windows Server 2019 instance as a Domain Controller, DNS Server, and DHCP Server and then setting up a standard user.
Check it out and feel free to leave a comment! Scroll down below for more information and details on the guide.
Who’s this guide for
No matter if you’re an IT professional who’s just getting started or if you’re a small business owner (on a budget) setting up your first network, this guide is for you!
What’s included in the video
In this guide I will walk you through the following:
Installing Windows Server 2019
Documenting a new Server installation
Configuring Network Settings
Installation and configuration of Microsoft Active Directory
Microsoft 365 Standard, Office 365 Business, Office 365 Business Premium, and Office 365 Business Essentials cannot be used as they do not include or support Shared Computer Activation.
An exception is made for Microsoft 365 Business Premium which actually includes Microsoft 365 Apps for Business, but doesn’t support enabling “Shared Computer Activation” via Group Policy Objects and must be done using the XML configuration file method.
Installing Office 365
Once you have the proper licensing and you’re ready to proceed, you can start!
In the last few
months, the crisis with COVID19 has put organizations in a panic to enable employees
to be able to work from home, to continue business productivity, keep employees
safe, and keep employees on the payroll. It’s good for business, and it’s good
for employees to avoid layoffs so everyone keeps their jobs.
This has put IT departments and IT professionals in a hectic position where they must roll out and deploy remote access technologies on the fly, often with little or no notice.
I’ve heard horror stories where organization leadership has made decisions without consulting IT which resulted in the inability to work, also where organizations didn’t involve their IT teams in strategizing and planning moving forward.
In this post I’m going to outline the most efficient way to rapidly deploy Remote Desktop Services (RDS) for employee remote access.
Remote Access Technologies
There’s a number of different remote access technologies and software packages available today. Some are designed to allow you to work fully remotely (providing a remote desktop to office resources), and some are designed to provide access to specific resources remotely (such as documents, files, etc).
The main technologies typically used for remote access include:
Miscellaneous 3rd party packages providing remote access to desktops
The main software packages that enable a remote workforce include:
Microsoft Office 365
Skype for Business
Numerous other applications and cloud suites
Every technology or application has it’s purpose and is deployed depending on the business requirements, however in this specific situation we need a solution that is easy and fast to deploy.
For most small to medium sized businesses, Remote Desktop Services would be the easiest solution to roll out on such short notice.
Remote Desktop Services (RDS)
Remote Desktop Services is a server/client technology that allows the client to connect to the server, and have access to a full Windows desktop that’s actually running on the server itself.
These sessions are encrypted, secure, and essentially brings the display to the connecting client, and brings back mouse and keyboard feedback.
With Remote Desktop Services, you’re maintaining one Windows Server that provides multiple concurrent sessions for multiple concurrent users. You can install software packages (database applications, Microsoft Office 365, and other line of business applications), and make them available to the connecting users.
Even users who are accessing large files have a beautiful experience since the data never leaves your IT environment, only the sessions display is transmitted.
This works great for home users who have slow internet connections, users who are travelling, or using their cell networks LTE connection to connect.
For administrators, it provides an easy way to manage a desktop experience for multiple users by maintain a single server. There are also many additional controls you can implement to limit access and optimize the experience.
When deploying RDS, you’ll need the following:
A dedicated Server or dedicated Virtual Machine running Microsoft Windows Server to be configured as a Remote Desktop Services server.
Remote Desktop Services CALs (Client Access Licenses – One CAL is required for each user or device)
A high speed internet connection (that can handle multiple RDS sessions)
A firewall to protect the RDS Server and preferably 2FA/MFA logins
A Static IP and DNS entries to make the server available to the internet and your users
You’ll want the RDS server to be dedicated strictly to Remote Desktop Services sessions. You will not want to run any other servers or services on this server or virtual machine.
You will need to purchase RDS CALs. A Remote Desktop Services Client access license, is required for every device or user you have connected to your RDS server. During your initial purchase of RDS CALs, you must choose between user count based licensing, or device count based licensing. If you need help with licensing Microsoft Remote Desktop Services, please feel free to reach out to me.
The connections between the server and client consist of an encrypted presentation of the display, as well as mouse/keyboard feedback, and other peripherals. For a single session it’s not much, which means your users don’t ultra fast internet connections. However, on the server side if you are running multiple sessions, the bandwidth requirements add up.
Configure Remote Desktop Services and Remote Desktop Web Access
Configure an SSL Certificate
Configure user session settings
Install user software on the RDS Server (Including Office 365, Line of Business applications, and others)
Configure ACLs (Access Control) to secure user access.
Move to production
Even with limited to no experience with Remote Desktop Services, an IT professional will be able to deploy the first server within hours. A focus must be paid to securing the environment, performance enhancements can be made later after deployment.
Your new RDS server while enabling a mobile workforce, also substantially increases your security footprint. Considerations must always be made and factored in when deploying internet available services.
Below is a video demo of what Duo Security Two Facter authentication looks like when logging in to an RDP session.
There’s a fair number of optimizations which can be made in an RDS environment. I’m going to cover a few of the most widely used below.
Please note, you should also configure the RDS Group Policy Objects (GPO) as well.
While most data should be stored on network shares, we often find that users will store data and files on their Desktop and My Documents.
If you have available and extra storage, you can enable Desktop and My Documents Folder redirection. This will redirect users Desktop’s and My Document’s folders to a network share. On local computers on your network, the computers will retain a cached copy for performance.
If you deploy an RDS Server and have Folder redirection configured, the users My Documents and Desktop will be available to that user. Additionally since the server is on the same network as the share hosting the data, the RDS server will not retain a local cached copy (saving space).
If you are considering implementing and turning on Folder Redirection, I would recommend doing so before deploying an RDS Server (especially before a user logs in for the first time).
Anti-virus and Endpoint Protection
Careful consideration must be made when choosing the antivirus and endpoint protection software for your RDS environment.
First, you must make sure that your antivirus and/or endpoint protection vendor supports Remote Desktop Services, and then also deploy their recommended settings for that type of environment.
A proper endpoint protection solution should run few processes for all users, and not individual processes for each user.
For continued service delivery, your IT staff must monitor and maintain the server. This includes monitoring logs, updating it via Windows Update, and updating the various applications your users are using.
As the environment grows, you can deploy additional RDS Servers and create an RDS Farm. If you get to this point you’ll be able to deploy a load balancer and grow as more performance is required, or additional users are brought online.
Deploying a Remote Desktop Services server is a great way to get a large number of users online and working remotely in a short amount of time. This keeps management happy, employees happy, and maintains a productive workforce.
As I mentioned, there are numerous other technologies so depending on what your company has already implemented or is using, may change what solution would be best for you.
If you have any questions or require help or assistance with deploying Remote Desktop Services for your organization, don’t hesitate to reach out to me!
With over 50 Small Business Server migrations under my belt, I can assist, perform, and provide consulting services if your company or organization is looking to migrate from Microsoft Small Business Server to a new platform.
While us pros usually stay away from this tool, it is needed sometimes. Recently I found myself in a situation where I wanted to run the “Disk Cleanup” Windows app, on a Windows Server 2019 VM running Server Core.
As you all know, Server Core has a limited GUI. You’re able to run things like a command prompt, Task Manager, notepad, and other limited things. I wanted to see if we could get Disk Manager running on it, because of it’s light UI I was thinking it may be possible.
How to install Disk Cleanup (cleanmgr.exe) on Windows Server 2019, Server Core edition
Two files are required for Disk Cleanup:
cleangmgr.exe – The Disk Cleanup executable
cleanmgr.exe.mui – I’m assuming this is the language files required for the application
The above files when installed, are stored here:
When it comes to installing Disk Cleanup, you need to have those two files placed in their appropriate directories.
You can source these files from other servers (preferably running the same version of Windows Server), or you can snag the files from the WinSXS folder on a valid Windows install. An example of the WinSXS paths can be found below:
Yesterday, December 12th 2019, I powered on my Windows 10 1909 workstation to see that the start menu wasn’t working, along with the notification tray. I could launch programs from the taskbar, but search, start, and notifications were not functioning.
Attention: If you are experiencing issues with search, please continue reading to the bottom of the blog post and the update marked February 5th, 2020.
Since my workstation is running as a VDI instance, I checked vSphere and noticed the VM was running at extremely high CPU. Inside of the workstation, I opened up the event log and found numerous errors pertaining to the User Shell Experience, as well as multiple Windows 10 apps (UWP apps).
I tried to troubleshoot this using multiple methods found online on google. It sounds like this is a common issue for the past couple months, but no one has been able to find a fix.
Finally, after 14 hours of frusteration, I finally decided to restore the workstaton (VM) from a snapshot backup the night before. Powering it on the start menu was working. I installed some updates and everything is still working great.
If anyone has any information on this, please post it in the comments! I was surprised this isn’t easily fixable and actually required a restore from backup. I’m assuming numerous others are experiencing this issue.
Privacy & Cookies Policy