Edge Enterprise Site List

Hi everyone

With the end of Internet Explorer this month, which takes effect once you update your computer, I wanted to talk a bit about Microsoft's Enterprise Mode Site List Manager.

It's a nice tool to create a list of the sites that need IE mode inside Edge.

Keep in mind that if you hardcode a shortcut, i.e. "iexplore.exe https://link_to_go", the redirection no longer works: the update makes Edge display the Internet Explorer end-of-life page and Edge opens with a tip about Enterprise Mode, so the link you were trying to open is not caught.

The enterprise site list is basically a simple .XML file with entries inside it.

You can put the file on a file share, locally on a desktop, or centrally on a website.

The file format looks like this. An empty list:

<site-list version="1">
  <created-by>
    <tool>EMIESiteListManager</tool>
    <version>12.0.0.0</version>
    <date-created>02/06/2023 18:34:29</date-created>
  </created-by>
</site-list>

Inside the file we can now add sites:

<site-list version="1">
  <created-by>
    <tool>EMIESiteListManager</tool>
    <version>12.0.0.0</version>
    <date-created>02/06/2023 18:34:29</date-created>
  </created-by>

  <site url="127.0.0.1">
    <compat-mode>IE11</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>

If you manage multiple sites, you can annotate the entries with comments:

<site-list version="1">
  <created-by>
    <tool>EMIESiteListManager</tool>
    <version>12.0.0.0</version>
    <date-created>02/06/2023 18:34:29</date-created>
  </created-by>
  <!-- Dev website  -->
  <site url="127.0.0.1">
    <compat-mode>IE11</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>

If your website needs a special rule for authentication to work with cookies, a directive like this can be used:

<site-list version="1">
  <created-by>
    <tool>EMIESiteListManager</tool>
    <version>12.0.0.0</version>
    <date-created>02/06/2023 18:34:29</date-created>
  </created-by>
  <!-- Authentication  -->
  <shared-cookie domain=".localhost" name="AUTH" source-engine="Both"/>
  <!-- Dev website  -->
  <site url="127.0.0.1">
    <compat-mode>IE11</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>

The best part is that if you need help writing the file, Microsoft made a tool for that purpose:

Enterprise Mode Site List Manager (schema v.2)

After the file is created and deployed, be sure to check edge://compat to see if the list is OK 🙂
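If you prefer to generate the list from a script rather than the GUI tool, here is an added example (my own code, not from this post or from Microsoft's tool) that builds the same XML structure shown above with an XML writer, refuses duplicate site entries, and re-parses the result before it is deployed. The element names follow the samples above; the table of sites, the tool name written into created-by and the output path are constructed values.

```powershell
# Added example: build and sanity-check an Enterprise Mode site list.
# Element names (site-list, created-by, site, compat-mode, open-in,
# shared-cookie) are those of the samples above; rows and paths are constructed.

$Entries = @(
    [pscustomobject]@{ Url = '127.0.0.1';                       Comment = 'Dev website' }
    [pscustomobject]@{ Url = 'intranet.contoso.local/legacyapp'; Comment = 'Legacy app (constructed sample)' }
)
$SharedCookies = @(
    [pscustomobject]@{ Domain = '.localhost'; Name = 'AUTH' }
)
$OutFile = Join-Path $env:TEMP 'sitelist.xml'   # assumed output location

# A duplicated URL is the most common hand-editing mistake; stop before writing.
$dupes = $Entries | Group-Object Url | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate site entries: $($dupes.Name -join ', ')" }

$settings = New-Object System.Xml.XmlWriterSettings
$settings.Indent = $true
$w = [System.Xml.XmlWriter]::Create($OutFile, $settings)
$w.WriteStartElement('site-list')
$w.WriteAttributeString('version', '1')
$w.WriteStartElement('created-by')
$w.WriteElementString('tool', 'SiteListBuilder.ps1')      # assumed tool label
$w.WriteElementString('version', '1.0.0.0')
$w.WriteElementString('date-created', (Get-Date).ToString('MM/dd/yyyy HH:mm:ss'))
$w.WriteEndElement()
foreach ($c in $SharedCookies) {
    $w.WriteComment(" Shared cookie: $($c.Name) ")
    $w.WriteStartElement('shared-cookie')
    $w.WriteAttributeString('domain', $c.Domain)
    $w.WriteAttributeString('name', $c.Name)
    $w.WriteAttributeString('source-engine', 'Both')
    $w.WriteEndElement()
}
foreach ($e in $Entries) {
    $w.WriteComment(" $($e.Comment) ")
    $w.WriteStartElement('site')
    $w.WriteAttributeString('url', $e.Url)
    $w.WriteElementString('compat-mode', 'IE11')
    $w.WriteElementString('open-in', 'IE11')
    $w.WriteEndElement()
}
$w.WriteEndElement()
$w.Close()

# Re-read with a strict parser so a malformed file never reaches the clients.
[xml]$check = Get-Content -Raw -LiteralPath $OutFile
"Wrote $(@($check.'site-list'.site).Count) site(s) to $OutFile"
```

The XML writer escapes attribute values for you, which is the point of not building the file by string concatenation: a URL containing an ampersand would otherwise produce a file that edge://compat reports as broken.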


Debugging Edge Policies

Hi everyone

Today I wanted to share some small tips to debug Edge policies.

Not everyone knows it, but you can list the GPO settings you push to the client!

It's a really nice add-on to Edge, as it lets you see whether the targeting in your GPO works or not, and whether the settings you push are the desired ones.

To display the window you just have to enter this in the browser address bar: edge://policy

A window like this one will appear:

Inside the window you have the timestamp of the last time the policy was retrieved.

If you need to debug IE Enterprise Mode you can go to the edge://compat window.

As in that example, we can see the .xml pushed by GPO was in error.

In the next post I will talk about how to debug the XML file 🙂 but with those tips at least now we can spot where the error is if the policy doesn't work as intended.
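The edge://policy page renders what Group Policy wrote under HKLM\SOFTWARE\Policies\Microsoft\Edge (computer settings) and HKCU\SOFTWARE\Policies\Microsoft\Edge (user settings). As an added example, which is my own code and not part of this post, the script below dumps those values so you can diff them against what the GPO is supposed to push, and when the InternetExplorerIntegrationSiteList policy is set it fetches the XML and parses it, which reproduces the kind of error edge://compat shows. The registry paths and the two policy names are the documented Edge ones; the download and parse logic is mine.

```powershell
# Added example: list the Edge policies that reached this machine and
# sanity-check the IE mode site list they point at.

$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'   # computer configuration
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'   # user configuration
)

function Get-EdgePolicy {
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path $root)) { continue }
        $item = Get-ItemProperty -Path $root
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
            [pscustomobject]@{ Scope = $root.Split(':')[0]; Name = $p.Name; Value = $p.Value }
        }
        # List-type policies live in subkeys (one value per entry); shown for completeness.
        Get-ChildItem -Path $root | ForEach-Object {
            $sub = Get-ItemProperty -Path $_.PSPath
            foreach ($p in $sub.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }
                [pscustomobject]@{ Scope = $root.Split(':')[0]; Name = "$($_.PSChildName)\$($p.Name)"; Value = $p.Value }
            }
        }
    }
}

$policies = Get-EdgePolicy
$policies | Sort-Object Scope, Name | Format-Table -AutoSize

# The site list policy holds a URL or a path to the XML; load it the way Edge would.
$siteList = $policies | Where-Object Name -eq 'InternetExplorerIntegrationSiteList' | Select-Object -First 1
if (-not $siteList) {
    Write-Warning 'InternetExplorerIntegrationSiteList is not set; IE mode will have no site list.'
} else {
    try {
        $xmlText = if ($siteList.Value -match '^https?://') {
            (Invoke-WebRequest -Uri $siteList.Value -UseBasicParsing).Content
        } else {
            Get-Content -Raw -LiteralPath $siteList.Value
        }
        [xml]$doc = $xmlText
        "Site list OK: $(@($doc.'site-list'.site).Count) site entries from $($siteList.Value)"
    } catch {
        Write-Warning "Site list at '$($siteList.Value)' could not be loaded or parsed: $_"
    }
}
```

Run it in the user's session for the HKCU part; values under HKLM are only writable by administrators, so a policy that shows up in HKCU alone but is expected machine-wide points at the wrong GPO scope.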

Thanks everyone for the read!

Windows Dc Renaming Error

Hi everyone

Today I wanted to talk about an issue I have seen. It's not common, but it's an error that can happen: if you rename a DC the way you would rename a normal computer, not the correct way, the problem afterwards is that it breaks your Active Directory database.

After the reboot you will see this error on the login screen of the DC:

Security database on the server does not have a computer account for this workstation trust relation on domain controller.

To recover you need to use netdom the old way.

Please note this applies only to a single DC in a single forest. Don't do these steps if you have other working DCs or a bigger forest.

  1. First we do a backup in case something bad happens.
  2. netdom computername <CurrentName> /enumerate
  3. netdom computername <CurrentName> /add:<NewGoodName>
  4. netdom computername <CurrentName> /makeprimary:<NewGoodName>
  5. Restart
  6. Check all services are OK; after that we remove the old name
  7. netdom computername <NewGoodName> /remove:<CurrentName>
  8. Restart again.

That should do the trick to revert back to the good name. After that, if you want to rename a DC, remember it's not a good idea; at that point it's easier to promote another one. If you need to keep the old server up, make sure you have another DC, and then demote and re-promote, with the good name, the DC whose name you wanted to change.
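To make the steps above harder to get wrong, here is an added example (my own script, not from this post) that wraps them: it refuses to run unless the forest really has a single DC, will not continue without you confirming the backup, runs steps 2 to 4 with netdom, and after the reboot checks the core AD services before step 7. <CurrentName> and <NewGoodName> are the post's placeholders, passed as parameters; the list of services that "all services" should cover is my assumption.

```powershell
# Added example: guard rails around the netdom recovery steps of the post.
param(
    [Parameter(Mandatory)] [string] $CurrentName,
    [Parameter(Mandatory)] [string] $NewGoodName,
    [switch] $PostReboot   # after the reboot: check services, then remove the old name
)

$CoreServices = 'NTDS', 'DNS', 'Netlogon', 'Kdc', 'W32Time'   # assumed set for "all services"

function Test-DcServiceHealth {
    $notRunning = foreach ($name in $CoreServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { $name }
    }
    if ($notRunning) { Write-Warning "Not running: $($notRunning -join ', ')"; return $false }
    return $true
}

function Invoke-Netdom([string] $Arguments) {
    "netdom $Arguments"                       # echo each command before it runs
    & netdom.exe $Arguments.Split(' ')
    if ($LASTEXITCODE -ne 0) { throw "netdom failed on '$Arguments' (exit $LASTEXITCODE)" }
}

if ($PostReboot) {
    # Steps 6 and 7: only remove the old name once the core services are back.
    if (Test-DcServiceHealth) {
        Invoke-Netdom "computername $NewGoodName /remove:$CurrentName"
        'Old name removed; reboot once more (step 8).'
    }
    return
}

# Precondition from the post: a single DC in a single forest.
Import-Module ActiveDirectory -ErrorAction Stop
$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -ne 1) {
    throw "Found $($dcs.Count) domain controllers; use this only on a single-DC forest."
}

# Step 1: the script does not take the backup for you; it only refuses to continue without one.
if ((Read-Host 'Type BACKUP-DONE once a system state backup exists') -ne 'BACKUP-DONE') { return }

# Steps 2 to 4 exactly as listed in the post.
Invoke-Netdom "computername $CurrentName /enumerate"
Invoke-Netdom "computername $CurrentName /add:$NewGoodName"
Invoke-Netdom "computername $CurrentName /makeprimary:$NewGoodName"
'Reboot now (step 5), then rerun this script with -PostReboot.'
```

Run it from an elevated prompt on the DC itself; if the ActiveDirectory module cannot even enumerate the domain controllers, the directory is in worse shape than this procedure covers, and the script stops rather than guessing.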

Reference for the post

Windows AutoPilot and QEMU / KVM virtualization UUID issue

Hi everyone

Today I wanted to share a small bug you can encounter on QEMU / KVM if you are testing Windows 10 machines. It's something new I have seen, so I wanted to discuss it.

The bug is simple to see: in the Windows 10 setup, right at the start, if you see a business login / portal that is not for your business, then you should suspect the system UUID is one already registered online.

It's something I had never seen before, but it was reported there (or there), so that's why I'm talking about it.

In that case the user was seeing a login page from another business, as seen here, when he used a normal ISO.

The QEMU command used to deploy the machine:

qemu-system-x86_64 -drive file=Windows.img,format=qcow2,if=virtio \
 -drive file="en-us_windows_10_enterprise_ltsc_2021_x64_dvd_d289cf96.iso",media=cdrom -drive file=virtio-win.iso,media=cdrom \
 -boot order=d -enable-kvm -machine type=q35 -cpu host,hv_vpindex,hv_runtime,hv_synic,hv_stimer,hv_reset,hv-relaxed,hv-vapic,hv-spinlocks=0x1fff,hv-time \
 -m 32G -smp sockets=1,cores=6,threads=1 \
 -device virtio-vga-gl -display sdl,gl=on \
 -netdev user,id=network0 -device e1000,netdev=network0,mac=52:54:00:12:34:56

In such a case, to bypass the problem make sure to change the UUID; this way QEMU uses the host's system UUID:

 -enable-kvm -uuid $(dmidecode -s system-uuid)

In the OOBE make sure it’s offline too.

I will quote the answer from Aarad Prasad for that part:

Make sure the process is offline, by disabling your network adapter while in the OOBE process. Get an elevated prompt by pressing Shift+F10 and executing the following in PowerShell:

Disable-NetAdapter -Name "Adapter Name" -Confirm:$false

You may get the adapter name by

Get-NetAdapter
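As an added example that is not part of the post or the quoted answer, the following can be run inside the guest from the same Shift+F10 prompt before continuing OOBE: it reads the UUID the VM exposes to Windows and flags the values that are not unique, and it reports whether any adapter is still up. The all-zero UUID is what QEMU reports when -uuid is not passed and the all-F value is the SMBIOS "not set" convention; treating both as placeholders is my choice.

```powershell
# Added example: check the firmware UUID and network state from inside the guest.

function Test-SystemUuid {
    $uuid = "$((Get-CimInstance -ClassName Win32_ComputerSystemProduct).UUID)".ToUpper()
    $placeholders = @(
        '00000000-0000-0000-0000-000000000000',   # QEMU started without -uuid
        'FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF'    # SMBIOS "not set" value
    )
    [pscustomobject]@{
        UUID          = $uuid
        IsPlaceholder = ($placeholders -contains $uuid)
        AdaptersUp    = @(Get-NetAdapter | Where-Object Status -eq 'Up').Count
    }
}

$state = Test-SystemUuid
$state
if ($state.IsPlaceholder) {
    Write-Warning "UUID $($state.UUID) is a placeholder shared by every VM started the same way; restart with -uuid before enrolling."
}
if ($state.AdaptersUp -gt 0) {
    Write-Warning 'Network is still up; disable the adapter (see the quoted answer) before continuing OOBE.'
}
```

A placeholder UUID is a problem beyond this test lab: any device identity that keys on the firmware UUID will collide with every other VM launched with the same defaults, so make the -uuid option part of your VM template rather than a one-off fix.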

Add Domain Group to Local Admin Group – PowerShell

Hi everyone!

Today I will share a quick tip if you want to add a group to the local admin group easily.

Sometimes you need to use the Restricted Groups policy, but when the environment is already set up, it's sometimes easier to just run a batch.

The batch is nice as it targets the OU you want, and it adds the domain group you want to the local admin group. Please adjust the script for the Administrators group name depending on the Windows language.

$DomainName = "CONTOSO"
$UserName = "Gestionnaire"                     # domain group to add
$User = [ADSI]"WinNT://$DomainName/$UserName,group"

$OUpath = 'OU=Ordinateurs,DC=CONTOSO,DC=HQ,DC=qc,DC=ca'
$Computers = Get-ADComputer -Filter * -SearchBase $OUpath

$Computers | ForEach-Object {
    $computerName = $_.Name
    Write-Host $computerName
    # "Administrateurs" is the French name of the local Administrators group; adjust to the OS language
    $AdminGroup = [ADSI]"WinNT://$computerName/Administrateurs,group"
    try {
        $AdminGroup.Add($User.Path)
    } catch {
        # an offline computer or a group that is already a member ends up here instead of stopping the loop
        Write-Warning "$computerName : $($_.Exception.Message)"
    }
}
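Once you add members in bulk, you also want to see who is in the local Administrators group across the same OU, both to confirm the batch worked and to catch members nobody intended. Here is an added example of that audit (my own code, not from this post): it uses the same WinNT provider, reads the members of the group on each computer and flags everything outside an allow list. $OUpath and the French group name follow the post; the allow list is a constructed sample.

```powershell
# Added example: audit local Administrators membership across an OU.

$OUpath    = 'OU=Ordinateurs,DC=CONTOSO,DC=HQ,DC=qc,DC=ca'
$GroupName = 'Administrateurs'                              # local Administrators on a French OS
$Expected  = @('CONTOSO/Gestionnaire', 'CONTOSO/Admins du domaine')   # constructed allow list

function Get-LocalAdminMember([string] $Computer) {
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    # Invoke('Members') returns COM objects; their ADsPath is read via reflection
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path   = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $member = $path -replace '^WinNT://', ''           # DOMAIN/Name or COMPUTER/Name
        [pscustomobject]@{
            Computer = $Computer
            Member   = $member
            # the built-in local Administrator account is expected on every computer
            Expected = ($Expected -contains $member) -or ($member -eq "$Computer/Administrateur")
        }
    }
}

$report = Get-ADComputer -Filter * -SearchBase $OUpath | ForEach-Object {
    $name = $_.Name
    try { Get-LocalAdminMember -Computer $name }
    catch { Write-Warning "$name : $($_.Exception.Message)" }
}

# Unexpected members first; the full report stays in $report for export
$report | Where-Object { -not $_.Expected } | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $env:TEMP 'local-admins.csv') -NoTypeInformation   # assumed output path
```

Running this on a schedule and diffing the CSV between runs turns a one-time cleanup into a standing check that local admin rights have not crept back in.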

Thanks everyone 🙂

List Installed Update WMI

Hi everyone

Today I wanted to share a small but handy tip to list all installed updates.

It comes in handy when you want to compare the updates on several machines while troubleshooting.

wmic qfe get hotfixid,installedon

The output looks like this:

As you can see it's easy afterwards to compare servers, or to know which update got installed when.
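The comparison itself can be scripted. As an added example, not from this post, the following reads the same data through Get-HotFix (wmic is deprecated on recent Windows builds, and Get-HotFix queries the same Win32_QuickFixEngineering class) and lists which hotfix IDs are missing on each of two servers. The server names are constructed samples.

```powershell
# Added example: list installed updates and diff them between two servers.

function Compare-InstalledUpdate([string] $Reference, [string] $Difference) {
    $ref  = @(Get-HotFix -ComputerName $Reference  | Select-Object -ExpandProperty HotFixID)
    $diff = @(Get-HotFix -ComputerName $Difference | Select-Object -ExpandProperty HotFixID)
    Compare-Object -ReferenceObject $ref -DifferenceObject $diff | ForEach-Object {
        [pscustomobject]@{
            HotFixID  = $_.InputObject
            # '<=' means only on the reference server, so it is missing on the other one
            MissingOn = if ($_.SideIndicator -eq '<=') { $Difference } else { $Reference }
        }
    }
}

# Local equivalent of "wmic qfe get hotfixid,installedon", newest first
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object HotFixID, InstalledOn

Compare-InstalledUpdate -Reference 'SRV-A' -Difference 'SRV-B' | Sort-Object MissingOn, HotFixID | Format-Table -AutoSize
```

Get-HotFix only reports updates that register a QFE entry, so feature updates and some Defender platform updates will not appear; for those, compare the OS build with Get-ComputerInfo as well.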

Remove Teams Auto Signin with Domain Account

Hi everyone!

Today I wanted to share a small tip if you want to stop Teams from using the domain UPN when the session opens for the first time.

The tip is useful because when a user opens Teams for the first time in a hybrid / on-prem environment, they can have difficulty signing in, as they need to select "use another email" in the window footer. If the user doesn't use the correct login, a loop happens: signing out seems impossible from Teams while it tries to load a non-existent account. (Removing Teams and reinstalling it is the easiest workaround if it happens.)

The tip can easily be done by Group Policy.

The magic registry value to use in our case is SkipUpnPrefill (HKCU\Software\Microsoft\Office\Teams).

You can create the setting in GPP (Group Policy Preferences):

As you can see it's an easy tip 🙂 (more on the setting here: https://learn.microsoft.com/en-us/microsoftteams/troubleshoot/authentication/teams-defaults-to-domain-joined-account)
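For machines that are not covered by the GPP item (a standalone test box, or a quick fix on one user's profile), here is an added example that sets the value by script and reads it back; it is my own code, not from this post. The key path is the one from the post, and the value is a DWORD set to 1 as described in the linked Microsoft article.

```powershell
# Added example: set SkipUpnPrefill for the current user and return its state.

function Set-TeamsSkipUpnPrefill {
    $key = 'HKCU:\Software\Microsoft\Office\Teams'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Force overwrites an existing value so the call is safe to repeat
    New-ItemProperty -Path $key -Name 'SkipUpnPrefill' -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $key -Name 'SkipUpnPrefill').SkipUpnPrefill
}

function Get-TeamsSkipUpnPrefill {
    $key = 'HKCU:\Software\Microsoft\Office\Teams'
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SkipUpnPrefill
}

# Returns 1 once the value is in place; Teams reads it on its next start
Set-TeamsSkipUpnPrefill
```

Because the value lives under HKCU, it has to be set in each user's profile; that is exactly why the post uses GPP, which applies it at logon for everyone in scope.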

Thanks everyone

Windows Server 2019 – Clean WSUS WID Database

Hi everyone

Today I wanted to share a tip to clean up your WSUS WID database.

The tip lets you achieve the same goal without removing and reinstalling WSUS. You save at least 2 reboots.

The first step is to stop the services:

Stop-Service WSUSService, W3SVC

Make sure the services are stopped:

Get-Service WSUSService, W3SVC

Erase the database files:

C:\windows\WID\Data\susdb.*

After that we need to connect to the database service, because as far as WID is concerned the database still exists. We need to restart the services:

Start-Service WSUSService, W3SVC

Use HeidiSQL portable edition (https://www.heidisql.com/download.php).

Use a named pipe and this address to connect:

\\.\pipe\MICROSOFT##WID\tsql\query

The connection might give you an error like this; just click OK and ignore it.

From there use these commands to reset the database:

ALTER DATABASE SUSDB SET OFFLINE WITH ROLLBACK IMMEDIATE;
DROP DATABASE SUSDB;

Click Run.

Now technically speaking WSUS is empty, but the console will fail to open at that point. We need to redo the WSUS wizard, which can be run this way:

Program Files\Update Services\Tools\Wsusutil.exe postinstall CONTENT_DIR="e:\WSUS"

Make sure the folder you write in CONTENT_DIR is empty.

After the command, the WSUS console should open correctly, and it should ask you which products and languages you want 🙂
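The whole procedure fits in one script. As an added example, my own code and not from this post, the following runs the same steps with the checks the post asks for (the services really are stopped before the files go, CONTENT_DIR is empty before postinstall) and replaces the HeidiSQL step with the .NET SQL client talking to WID over the same named pipe. The file paths follow the post; E:\WSUS is the post's sample value and the WsusUtil path assumes the default install drive.

```powershell
# Added example: reset the WSUS WID database end to end, with checks.

$ContentDir = 'E:\WSUS'
$WidPipe    = 'np:\\.\pipe\MICROSOFT##WID\tsql\query'
$WsusUtil   = 'C:\Program Files\Update Services\Tools\WsusUtil.exe'   # assumed default location
$Services   = 'WSUSService', 'W3SVC'

function Invoke-WidSql([string] $Sql) {
    # WID only accepts local Windows authentication over its named pipe
    $conn = New-Object System.Data.SqlClient.SqlConnection "Data Source=$WidPipe;Integrated Security=True"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        [void]$cmd.ExecuteNonQuery()
    } finally { $conn.Close() }
}

# 1. Stop the services and refuse to go on until they really are stopped.
Stop-Service $Services -Force
foreach ($s in $Services) { (Get-Service $s).WaitForStatus('Stopped', '00:01:00') }

# 2. Remove the database files (the post's C:\windows\WID\Data\susdb.* step).
Remove-Item 'C:\Windows\WID\Data\susdb.*' -Force

# 3. Bring the services back so WID accepts connections, then drop the orphaned entry.
#    WSUSService itself may refuse to start without its database; that is expected here.
Start-Service $Services -ErrorAction Continue
try { Invoke-WidSql 'ALTER DATABASE SUSDB SET OFFLINE WITH ROLLBACK IMMEDIATE' }
catch { Write-Warning "Taking SUSDB offline reported: $($_.Exception.Message) (continuing, as the post does)" }
Invoke-WidSql 'DROP DATABASE SUSDB'

# 4. postinstall only works against an empty content folder.
if (-not (Test-Path $ContentDir)) { New-Item -ItemType Directory -Path $ContentDir | Out-Null }
if (Get-ChildItem -Path $ContentDir -Force | Select-Object -First 1) {
    throw "$ContentDir is not empty; WsusUtil postinstall needs an empty CONTENT_DIR."
}
& $WsusUtil postinstall "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) { throw "WsusUtil postinstall failed (exit $LASTEXITCODE)" }
'WSUS database recreated; open the console to choose products and languages.'
```

Everything here is destructive by design, so run it only on a WSUS server whose database you have already decided to throw away, and keep the downstream servers' sync disabled until the product and language selection is done again.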

Force GPUpdate for all computers

Hi everyone!

Today I wanted to talk about a small tip if you need to refresh the computer GPO for some computer OU.

I will talk about the PowerShell cmdlet Invoke-GPUpdate.

The cmdlet is powerful, as you can target a computer and update only the user settings, this way:

Invoke-GPUpdate -Computer "DOMAIN\WORKSTATION-001" -Target "User"

The last cmdlet I wanted to talk about is a more complex one, like this:

Get-ADComputer -Filter * -SearchBase "ou=Site-A,dc=Domain,dc=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }

That one will search a complete OU for all computer accounts and invoke a gpupdate /force on them.

Before running it I suggest trying the Get-ADComputer cmdlet alone, to be sure it targets the computers you want:

Get-ADComputer -Filter * -SearchBase "ou=Site-A,dc=Domain,dc=com" | fl

Be aware that the remote user will see a gpupdate window; to have it hidden, make sure you use -AsJob in your cmdlet.
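Putting the pieces together, here is an added example (my own script, not from this post) of the OU-wide refresh with the checks around it: it prints the target list first, skips computers that do not answer a ping instead of waiting on an RPC timeout, runs Invoke-GPUpdate -Force -AsJob as the post suggests, and collects one result line per computer. The OU is the post's sample; the job timeout is my choice.

```powershell
# Added example: OU-wide GPO refresh with reachability check and per-computer results.

Import-Module GroupPolicy, ActiveDirectory

$SearchBase = 'ou=Site-A,dc=Domain,dc=com'
$Targets = Get-ADComputer -Filter * -SearchBase $SearchBase | Select-Object -ExpandProperty Name

function Invoke-OuGpUpdate([string[]] $Computers, [int] $TimeoutSeconds = 300) {
    $jobs = @{}
    foreach ($c in $Computers) {
        if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
            [pscustomobject]@{ Computer = $c; Result = 'Unreachable' }
            continue
        }
        # -AsJob returns immediately; -Force matches the post's gpupdate /force
        $jobs[$c] = Invoke-GPUpdate -Computer $c -Force -AsJob
    }
    $null = $jobs.Values | Wait-Job -Timeout $TimeoutSeconds
    foreach ($c in $jobs.Keys) {
        $job = $jobs[$c]
        [pscustomobject]@{
            Computer = $c
            # anything other than Completed (Failed, Running after timeout) is reported as-is
            Result   = if ($job.State -eq 'Completed') { 'Refreshed' } else { $job.State }
        }
        Remove-Job $job -Force
    }
}

# Review the list before anything is invoked (the post's Get-ADComputer | fl check)
$Targets
Invoke-OuGpUpdate -Computers $Targets | Sort-Object Result, Computer | Format-Table -AutoSize
```

Invoke-GPUpdate schedules gpupdate on the remote machine through the Task Scheduler service, so a computer reported as Failed here usually means the RPC or Task Scheduler firewall rules are not open rather than a broken GPO.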

Thanks everyone for listening