Windows Server 1709 is the first semi-annual update for Windows Server 2016. Just to avoid consistency Microsoft have decided on different naming conventions for the Windows 10 and Windows Server semi-annual updates. The Windows 10 update can be applied over an existing instance of Windows 10 but the server update involves a complete new download. That’s where you might run into the Windows Server 1709 download problem.
Server 1709 is available through the software assurance channels and seems to download OK from there. Its also available to subscribers to MSDN – now renamed myvisualstudio.com for some inexplicable reason – and that’s where the problem comes in.
If you’re running a machine that doesn’t default to US English you’ll get a perpetual loading spinner when you try to access the download on MSDN. This is irrespective of browser – its been reported for Edge, IE, Chrome and Firefox.
The answer is to load up the US English language onto your machine and make it the default. May need a restart. You should then be able to download Server 1709.
Microsoft have finally, after over a week of posts from lots of people finally acknowledged that there is a problem with this download – the other downloads I looked at seemed OK – but haven’t given any time frame for a fix. In the meantime the work around of changing your machine to US English solves the Windows server 1709 download problem.
PowerShell remoting gives you access to all of the functionality on the box by default. You can created constrained (or restricted) endpoints that limit that functionality to specific cmdlets.
Alternatively you can use Just Enough Admin (JEA) to lock down an endpoint through a Role Based access Control (RBAC) system.
JEA is the later option and is more flexible.
The PowerShell Team has an interesting (and new to me) take on Constrained Language and JEA. https://blogs.msdn.microsoft.com/powershell/2017/11/02/powershell-constrained-language-mode/
I recommend you read it
Project Honolulu is Microsoft’s brand new, still under development, browser based admin tool. It can’t use Internet Explorer – it only supports Microsoft Edge or Google Chrome.
Windows Server 2016 (and all earlier versions of Windows Server) only has Internet Explorer. MS Edge isn’t available on Windows servers.
If you use a jump off server for your administrators like many organisations do, you can’t use the web browser on that server to access Honolulu unless you install Chrome.
So we have a new Microsoft admin tool that doesn’t support Microsoft’s browser.
You can’t make this stuff up.
Registration for the 2018 PowerShell + DevOps Global Summit is open.
These are the important links you’ll need:
The recent announced project Honolulu – https://blogs.technet.microsoft.com/windowsserver/2017/09/22/project-honolulu-technical-preview-is-now-available-for-download/ – is Microsoft’s new browser based Server management tool.
You can install it on Windows 10, Windows Server 1709 and Windows Server 2016, 2012 R2 and 2012
Honolulu is the proposed replacement for the MMC based tools we’ve been using since Windows 2000.
Honolulu functions as a gateway that uses Remote PowerShell and WMI over WinRM (WS-MAN) to manage servers. The gateway connects to an app on the server. You need PowerShell 5.0 or higher on the servers to be managed.
You can currently manage these areas through Honolulu:
Displaying resources and resource utilization
Configuring Local Users and Groups
Viewing/Ending Processes and Creating Process Dumps
Managing Windows Services
Enabling/Disabling Roles & Features
Managing Hyper-V VMs & Virtual Switches
Managing Windows Update
There are some big gaps at present including:
Is this a replacement for the RSAT tools – not at present.
These tools are still under development so this is an opportunity to help shape the next generation of tools. Be really nice if you can generate PowerShell scripts from the commands as you can with later MMC tools.
Ask any number of users and you’ll get at least that many different answers but at its core PowerShell is an administration tool. To be effective your administration tools have to be able to access remote machines. RDP is the traditional way to do this for GUI bound admins – should that be the coding challenged? PowerShell remoting is the answer scripting and automation.
In PowerShell v5.1 you have a number of remoting options.
The simplest uses DCOM/RPC at the individual cmdlet level e.g. the *-process; *-service; *-computer cmdlets. This gives you ease of use but depends on you being able to use DCOM remotely. DCOM is blocked by default by the Windows firewall and isn’t a network (router) friendly protocol. The advice is to use it where you can if you need to but you’re better off using PowerShell remoting.
PowerShell remoting, introduced in PowerShell uses WS-MAN for communication with the remote server. Your target needs remoting enabled and the WinRM service to be running. Remoting is enabled by default in Windows Server 2012 and later but has to be enabled in all client versions of Windows and Windows Server 2008 R2 and earlier.
Within a domain remoting is easy because Kerberos authentication is available dramatically reducing the need for credentials. There are a few issues though. Remoting out or or into the domain can be problematic because Kerberos doesn’t support that. You need to use the trusted hosts option (not recommended) or certificate based remoting (safer but harder to configure). There’s also the double hop issue to contend with where you can’t issue a command from computer A that runs on computer B and accesses computer C. You can overcome this using CredSSP or an AD based delegation option.
PowerShell v3 brought a further expansion in remoting option with the introduction of CIM Sessions. These provide remoting options over WS-MAN for the CIM cmdlets (the WMI cmdlets use DCOM) that are analogous to the PowerShell remoting options.
In PowerShell v6 the remoting options change.
The DCOM based remoting option for individual cmdlets has been or is in the process of being removed.
WS-MAN based PowerShell remoting is still available between Windows machines – v6 to v6 or v6 to earlier PowerShell version or earlier PowerShell version to v6. Between Windows machines WS-MAN based remoting works as you would expect with all of the same issues you’ve come know and love through PowerShell versions v2-v5.1.
You also get Linux to Windows remoting over WS-MAN (basic and NTLM based authentication only). You need to install the OMI provider – https://github.com/Microsoft/omi/releases – and the PRSP package – https://github.com/PowerShell/psl-omi-provider.
PowerShell v6 has switched to using SSH as the primary communication protocol for remoting. SSH (using the OpenSSH project which isn’t currently production ready ) will be the focus of future remoting development. SSH based remoting works for Linux <-> Linux, Linux <-> Windows, Windows <-> Linux, Windows <-> Windows but its PowerShell v6 only and won’t be back ported (current team statement) to earlier versions of PowerShell.
SSH based remoting works in the scenarios given above – see demos from PowerShell Summit 2017 – but has issues. Its a very painful process to install and enable OpenSSH on a Windows machine. Doing this across your environment would be a huge job. There is an install script (incomplete last time I looked) and a chocolately package if you use that package management option but its still no where as easy as enabling WS-MAN based remoting.
SSH based remoting supplies a great option for the remoting into and out a domain scenarios but the current reduction in functionality available through PowerShell v6 compared to v5.1 means that while you can create a remote session to the machine you may not be able to do what you need.
If you have OMI installed on your Linux box you can make CIM calls to that box and establish CIM sessions. You won’t get much back as there aren’t the equivalent CIM classes for Linux boxes that you’re used to on Windows. Installing OMI is a pre-requisite for DSC for Linux.
Remoting in PowerShell v6 is changing – some changes are beneficial and some will cause problems as they are very definitely breaking changes from earlier version of PowerShell. If you haven’t investigated PowerShell v6 you need to do so. You need to determine what remoting options you need in your environment and how PowerShell v6, v5,1 WS-MAN and SSH are going to coexist or what subset of those options you’ll use.
There are a number of file extensions associated with PowerShell. If you’re not aware of them they may cause you problems. You’ll commonly find these PowerShell file extensions:
.ps1 – a PowerShell script. May contain functionality such as functions or workflows. This is the most common extension
.psm1 – a PowerShell module file. Contains one or more advanced functions that are managed as a package
.psd1 – a PowerShell data file. Most commonly used as module manifest to control the .psm1 files that are loaded and the functionality that is exposed
.ps1xml – a PowerShell XML file. Used by the formatting and type systems e.g. Registry.format.ps1xml or types.ps1xml.
.pssc – a PowerShell configuration file. Created by New-PSSessionConfigurationFile when you want to define a constrained or restricted endpoint
.psrc – a PowerShell role capability file. Used during the creation of a JEA endpoint
.cdxml – a cmdlet definition XML file. Used by the PowerShell cmdlets-over-objects engine to publish a module created from a CIM class e.g. the NetAdapter module
DSC is a configuration management tool that first appeared in PowerShell v4 and was refined in PowerShell v5/5.1. Major changes are coming to DSC of which more later. DSC takes a configuration and applies it to a server. What about the situation where you have an existing server and want to derive a DSC configuration for it. Various home grown methods have been discussed at the PowerShell Summit, amongst others, but now we have Reverse DSC – https://blogs.technet.microsoft.com/heyscriptingguy/2017/10/27/reverse-desired-state-configuration-how-it-works/
Reverse DSC is available for SharePoint, SQLServer, RemoteDeskTopSession and PSDesiredStateConfiguration. You do need the required resource module for Reverse DSC to work.
Reverse DSC uses the Get functions of resources to get the configuration information.
You get get hold of Reverse DSC, and contribute, at https://www.GitHub.com/Microsoft/ReverseDSC
PowerShell Attacks–advice on defending from Lee Holmes – PowerShell security expert – is available at
Read, learn, inwardly digest and apply
The Windows 2016 1709 release is the first of the semi-annual updates for Windows Server – interestingly its referred to as Windows Server 1709 in the documentation.
Its now available for download through your Software Assurance channels and Windows evaluation centre. MSDN subscribers can also get a copy.
A big surprise is that 1709 is Server Core only! You can’t get a GUI version. The suggestion is to use the (very) incomplete project Honolulu web browser based admin tool to manage the servers. More on that in another post.
Windows Server 1709 new features are described here
The standouts are the new features for containers and virtual machines.