Some Notes on the Machines

Here it is:

$BLVolume = Get-BitLockerVolume -MountPoint "C:"
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLVolume.KeyProtector[1].KeyProtectorId

The Microsoft Update Health Tools appears to be an optional add-on which helps Windows do updates. Beyond that all of my searching has come up with vagueness. But Microsoft recommends it and often installs it without informing us, so probably it helps fairly often.

Microsoft Update Health Tools comes in KB4023057. To install KB4023057, we can use PSWindowsUpdate:

www.business.com/articles/install-windows-patches-powershell/

Here’s a complete run-anywhere command paste for preparing to use the module (administrative shell only please):

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Executionpolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force -ErrorAction 'SilentlyContinue' > $null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
If (Get-InstalledModule -Name PsWindowsUpdate -ErrorAction 'SilentlyContinue') {
	Update-Module -Name PSWindowsUpdate -Force
} Else {
	Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate

and the command for just KB4023057:

Install-WindowsUpdate -KBArticleID KB4023057

PSWindowsUpdate is a very interesting module all by itself, it can do lots of things, e.g., install all updates available from Microsoft. Another nice function is:

Reset-WUComponents

To get a full list of functions:

Get-Command -Module PSWindowsUpdate

Get-Help works for all of them.

One can install all updates available from Microsoft, though this can be dangerous, there are huge ones and drivers and BIOS too. So this simple command won’t be here :-)

To just see the list of available updates:

Get-WindowsUpdate

To install all available updates except one KB:

Install-WindowsUpdate -AcceptAll -NotKBArticleID KB000000

and except a list (here of two) KBs:

Install-WindowsUpdate -AcceptAll -NotKBArticleID "KB000000,KB000001"

where KB000000 is a KB to be excepted. There’s also -NotCategory and -NotTitle for items without KB articles.

This will log off all users, whether console or RDP:

logoff console
quser /server:localhost | ForEach-Object {
		logoff $_.ID
		}

Run these in an administrative or SYSTEM-level command prompt.

In Windows 8.1/2012R2/10/2016 and later, we set a scheduled task, we do have to specify the actual full date:

schtasks /create /tn "schtasks_REBOOT" /tr "C:\Windows\System32\shutdown.exe -f -r -t 0" /sc once /st 04:00 /sd 01/01/2016 /ru System

In 8/2012R1, we have to have a “/Y on the very end:

schtasks /create /tn "schtasks_REBOOT" /tr "C:\Windows\System32\shutdown.exe -f -r -t 0" /sc once /st 04:00 /sd 01/01/2016 /ru System /Y

Under 7/2008R2 and before, it was easier, we could schedule for 4:00 AM tomorrow:

AT 4:00 c:\windows\system32\shutdown.exe -f -r -t 0

and we could schedule for 4:00 AM next Monday:

AT 4:00 /next:Monday c:\windows\system32\shutdown.exe -f -r -t 0

Version overview:

docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

For 10:

netsh advfirewall firewall set rule group="remote desktop" new enable=yes
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

For 7:

netsh firewall Set service REMOTEDESKTOP ENABLE
netsh firewall set service REMOTEAdmin ENABLE
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

For XP:

netsh firewall set service remotedesktop enable
netsh firewall set service remoteadmin enable
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v  fDenyTSConnections /t REG_DWORD /d 0

When we install new group policy templates from Microsoft, e.g., the Windows 10 set by which we may upgrade existing networks, they now come in the newer ADMX format. Do this on every domain controller:

1. The package is downloaded as a self-installing EXE which requires you to specify a folder. Do not try to manually unpack this, for some reason the contents are in small pieces which the installer assembles. Just run the EXE and give a useful path, e.g., C:\IT.
2. Open an administrative CMD, and CD to the extraction point. Then CD into the folder “admx”, one level down.
3. Run the following. If your language is not en-us, replace it in the last two lines. If your servers have multiple languages, you’ll need to replicate lines with multiple language specifications.

xcopy *.admx \\%userdnsdomain%\sysvol\%userdnsdomain%\Policies\PolicyDefinitions /Y /I
xcopy *.admx %SystemRoot%\PolicyDefinitions /Y /I
xcopy en-US\*.adml \\%userdnsdomain%\sysvol\%userdnsdomain%\Policies\PolicyDefinitions\en-us /Y /I
xcopy en-US\*.adml %SystemRoot%\PolicyDefinitions\en-us /Y /I

Another very common set needing this install, is the Office Administrative Templates.

Multiple versions of Office templates coexist nicely. But the same cannot be said for Windows OS templates. It appears that when a complete refresh of OS templates is required, good results obtain by removing all of the OS templates and then installing new.

There are a few different places to turn this off. To turn two of them off:

1. First log into the tenant, and browse here: aad.portal.azure.com
2. Then click on “Azure Active Directory” on the left pane.
3. Click on “Password reset” on the middle pane (might need to scroll down). The Properties of “Password reset” will be visible. In the right pane, choose None, and click Save.
4. With “Password reset” still visible, click “Registration” in the middle pane.
5. Under “Require users to register when signing in?”, choose No, and click Save.

There are a few others, and there may well be more in the future.

Here’s the page:

www.lenovo.com/us/en/software/vantage

Here are some helpful estimates rewritten, courtesy of Axcient: