Latest posts

Windows Server 2025 Changes

Microsoft Windows Server 2025 has just reached general availability. I decided to install it and see what’s changed compared to Windows Server 2022.

Right off the bat, the installer loading screen is slightly different.

Windows Server installer loading

With Windows Server 2025, there are two setup UIs: the new setup UI, which is the default, and the previous setup UI, which I will call the old setup UI, as it is very much like the Windows setup UI we are all used to.

In this post, I will compare the install screens from Windows Server 2022 with the Windows Server 2025 new setup UI and the Windows Server 2025 old setup UI to see what’s different, along with the initial changes I noticed once Windows Server 2025 was installed.

With the Windows Server 2022 setup UI, the first screen is the language, time format, and keyboard selection. In the Windows Server 2025 new setup UI, the whole screen has been redesigned, and the language selection is its own screen, followed by the keyboard settings. Using Windows Server 2025 with the old setup UI is essentially the same as the Windows Server 2022 setup UI.

Windows Server initial settings screen

The next screen is the install or repair screen. With the new setup UI on Windows Server 2025, the repair option is much more prominently featured, along with a new required option to select "I agree everything will be deleted including files, apps, and settings". This screen also allows you to switch back to the old setup UI.

Windows Server install screen.

Active Directory Based Activation

There are many ways to activate Windows, and a really cool way to activate Windows is with Active Directory-Based Activation.

Active Directory-Based Activation (ADBA) was first introduced in Windows Server 2012 and is only usable if your Microsoft Volume licensing has a KMS host key. If you don’t have a KMS key, you may need to request one from Microsoft.

ADBA works very similarly to KMS (Key Management Service), except it doesn't require 25 activation requests before it starts activating clients and doesn't need DNS SRV records to work. The systems just need to talk to your domain, and because your domain is highly available, so is ADBA.

Systems that are activated with ADBA remain activated while communicating with the domain. However, if systems cannot communicate with the domain, they will remain activated for 180 days. If a system cannot communicate with the domain for more than 180 days, Windows will deactivate, but it will reactivate once it can communicate with the domain again.

In this post, I will show you step-by-step how to install, configure, and test Active Directory Based Activation.

Prerequisites

  • An account that is a member of Enterprise Admins and Domain Admins.
  • Active Directory schema version 56 (Windows Server 2012) or higher.

If you need to learn how to check your schema version, my blog post, Active Directory Schema, covers how.

Adding Volume Activation Services Role

GUI

  • Launch the Add Roles and Features Wizard and click Next.
  • For the installation type, select Role-based or feature-based installation and click Next.
  • Select the server you want to install the role to and click Next.
  • Select Volume Activation Services.
  • Click on Add Features to add the required features.

SolarWinds Kiwi CatTools Upgrade

If you haven’t heard of SolarWinds Kiwi CatTools, it is a great tool for network automation. I primarily use it to back up network configurations.

Before 2009, Kiwi CatTools (KCT) was developed by Kiwi Enterprises. In 2009, SolarWinds acquired Kiwi Enterprises. SolarWinds continues to develop KCT.

The upgrade process can feel a bit scary if you’ve never upgraded Kiwi CatTools. In this post, I will show you step-by-step how to upgrade SolarWinds Kiwi CatTools.

The Process

First, we should review the release notes to see if there are any changes we need to be aware of. You can view the release notes for Kiwi CatTools here.

Before we begin the upgrade, we should take a backup. A database backup is crucial as sometimes the database is not backward compatible.

Backup

  • Open CatTools
  • Click on File > Database > Backup current database
  • Enter an encryption password for the backup and click OK.
  • Click OK to confirm that the database backup has been completed.

I Went to EUC World Independence

EUC World Independence is a two-day EUC (End User Computing) conference held from October 22nd to October 23rd in Silver Spring, Maryland, USA. This was the world premiere of the EUC World conference, and I was able to attend it.

World of EUC hosted EUC World Independence. If you haven’t heard of World of EUC, it is an independent organization that was formed to bridge the gap between all the vendors and technology and community programs in the EUC space. They aim to be a one-stop shop to connect everything and remain independent from all vendors, as there are a lot of vendors in the EUC space.

In this post, I will detail my experience at EUC World 2024.

Getting to Silver Spring

Getting to Silver Spring, Maryland, USA, is a bit challenging when travelling from Calgary, Alberta, Canada. The original plan was a flight from Calgary to Montreal, Quebec, Canada and then a 90-minute layover to a connecting flight from Montreal to Washington, DC, USA.

The morning began with a notification from the airline saying that the flight from Calgary to Montreal was delayed by 2 hours. This presented a problem: the connecting flight would be missed, I wouldn't get to the event until the next day, and I would miss a large chunk of the first day.

Fortunately, I was travelling with my friend Stephen Wagner (who also has a blog), an expert at dealing with airline chaos. He got the airline to transfer things around, and now we’d be flying from Calgary to Toronto, Ontario, Canada, then Toronto to Washington.

We made it to the first flight

On the flight, I got free food. I had never eaten on a plane before, and it was pretty good. I wonder why comedians always make fun of airplane food. I ordered the butter chicken option.

Butter chicken airplane food.

By the time we reached the hotel, it was 11:30 pm Maryland time.

Day 1

The first day began with a complimentary breakfast and registration, and then the EUC World conference started.

On my way to the event, I ran into Holly Lehman, one of the people who runs the Omnissa Tech Insider program that I am a part of.

The first day of EUC World took place at the AFI Silver Theatre.

The AFI Silver Theatre

I got registered and picked up my badge.

My EUC World badge

It was neat that day one took place at a theatre. I thought a theatre was an odd place to host a conference, but when you think about it, it makes sense, as every room already has many seats and a projector. The only thing you need to bring is the presentation. I suspect that simplifies a lot.

Palo Alto User-ID and Terminal Server Agent Certificates

On November 18th, 2024, the certificates that the Palo Alto User-ID agent and the Palo Alto Terminal Server agent use to communicate with a Palo Alto firewall will expire, causing all communication to fail.

Palo Alto Networks has made new versions of the User-ID and TS agents with updated certificates that will expire on January 1st, 2032.

Before upgrading the User-ID or TS agent, you must upgrade your Palo Alto firewall to a version that supports the updated User-ID and TS agent certificate. Check the Palo Alto advisory here to determine which PAN-OS version you need.

If you want to know how to upgrade a Palo Alto firewall using the CLI, my blog post Upgrade Palo Alto HA Pair (Active/Passive) with CLI covers the entire process. If you want to upgrade your Palo Alto firewall using the GUI, my blog post Upgrade Palo Alto Firewall HA Pair (Active/Passive) covers the entire process.

Once you’ve upgraded your Palo Alto firewall, you can upgrade the User-ID and TS agents to the new version.

My blog post, Palo Alto User-ID Agent Upgrade, details the entire upgrade process for the User-ID agent. My blog post, Palo Alto Terminal Server Agent Upgrade, details the upgrade process for the Terminal Server agent.

After I upgraded my User-ID and TS agents, I wanted to validate that everything was using the new certificates before the expiry deadline. I couldn’t find a straightforward way to check. However, I figured out a way.

In this post, I will detail step-by-step how to check the certificates that the Palo Alto User-ID agent and the Palo Alto Terminal Server agent use to communicate with PAN-OS.

The Process

  • Connect to the system that has the Palo Alto User-ID or TS agent installed and browse to the installation directory.

User-ID is typically installed to C:\Program Files (x86)\Palo Alto Networks\User-ID Agent

TS Agent is typically installed to C:\Program Files\Palo Alto Networks\Terminal Server Agent

Active Directory Recycle Bin

If you accidentally delete something in Active Directory, it can be difficult to undo. Fortunately, you can enable a recycle bin for Active Directory, making life much easier if you need to restore something.

The Active Directory Recycle Bin (sometimes called ADRB) was first introduced in Windows Server 2008 R2. You need to enable it to take advantage of it. You can never turn it off once you enable the Active Directory Recycle Bin.

Once the Active Directory Recycle Bin is enabled, deleting an object out of Active Directory does not remove it instantly. The object is placed in the Active Directory Recycle Bin for a retention period, and only once that period has passed is the object permanently deleted. The default retention for the recycle bin is 180 days.

In this post, I will show you step-by-step how to check the Active Directory Recycle Bin status using the GUI or PowerShell, how to enable the Active Directory Recycle Bin with the GUI or PowerShell and how to check the Active Directory Recycle Bin retention using the GUI or PowerShell.

Prerequisites

  • Active Directory Forest Functional Level at Windows 2008 R2 or higher
  • Active Directory Domain Functional Level at Windows 2008 R2 or higher
  • Domain Admin account

Checking Active Directory Recycle Bin Status

Before enabling the Active Directory Recycle Bin, it’s a good idea to check if it’s already enabled.

GUI Way

  • Open the Active Directory Administrative Center (aka dsac)
  • In the top right, click on Manage > Add Navigation Nodes…
  • Select your domain, click on the arrows to add it, then click OK.
  • Click on the domain.

Palo Alto Terminal Server Agent Upgrade

Palo Alto Networks makes a program named Terminal Server Agent, aka the TS Agent. It is similar to the User-ID agent. However, the TS Agent is built to identify users on a multi-user system.

In this post, I will show you step-by-step how to upgrade the Palo Alto Networks Terminal Server agent.

Prerequisites

  • Verify that the new Terminal Server agent version is compatible with your PAN-OS.

The TS Agent is typically compatible with the same release number along with earlier still-supported PAN-OS versions. For example, TS agent 11.0 works with PAN-OS 11.0 and earlier. You can confirm this by reading the OS Compatibility section in the release notes.

The Process

  • Log in to the Palo Alto Networks Customer Support Portal.
  • Click on Updates.
  • Click on Software Updates.
  • Select the Terminal Services Agent.
  • Click on the version you need to start the download.
  • Connect to the system that is running the Palo Alto TS Agent.
  • Open Services.
  • Stop the PAN Terminal Server Agent service.

Microsoft 365 Passkey Setup

Microsoft 365 supports hardware security keys with passkeys. Passkeys are sometimes referred to as FIDO2 credentials. Passkeys are one of many ways you can secure your accounts.

In this post, I will show you step-by-step how to set up a passkey in Microsoft 365, including configuring a passkey with a break glass emergency access account.

Prerequisites

  • Hardware security key that is FIDO2 compliant. (A common one is YubiKey 5)
  • Microsoft Entra ID Authentication Method for Passkey (FIDO2) and Temporary Access Pass enabled.

The Process

  • Log in to Microsoft 365.
  • Click on your account in the top right and click on View account.
  • Click on Security info.
  • Click on Add sign-in method.
  • Select Security key and click Add.
  • Select the type of security key you have.

In this example, I will use a USB device.

  • Plug your security key into your computer and click Next.
  • In the new window, select the Security key option to save the passkey to the security key and click Next.

Outlook Email Mover

The way I manage my email might seem a bit strange. Due to working in IT, I get lots of emails. Some emails need action, some are regular emails, and some are notifications I want to know about as soon as they happen. I feel like a normal person would make an Outlook rule to move emails into folders and just check those folders when needed.

The problem I have with dumping emails into folders automatically is when I only have my phone on me, I won’t know if a new email comes in when it’s auto-moved to a folder, so I’d have to keep checking the folders, and that doesn’t work with my workflow.

For example, I get notifications when backups run. If a backup is successful, an enabled Outlook rule moves the email into a folder. However, if a backup has an issue or something like that, I want it in my inbox so I see it immediately, no matter what device I'm using.

After I've addressed the email, I could move it into a folder, but that is a manual step, and I'd rather have an automated way. It also doesn't scale well if you get a lot of emails. Due to the nature of IT and alerts, I get lots of emails for all sorts of things that I want to see, but once I've read an email, I want it filed away correctly.

I used to select blocks of emails and move them into folders. However, I’ve accidentally moved an email I needed to reply to into a folder and didn’t notice. If I don’t have a way to move the emails around, an email I need to action could also get lost in the noise of other emails.

A normal person might say to use a different system for alerts. While that’s valid, the issue I have is that’s another system that I’d need to keep checking when I’m not in front of a computer, and I don’t want to do that because I am stubborn and my current system does work, which is why I prefer email notifications.

I expressed the issue of my email clutter to a friend, and they told me about a system they’ve been using to help with it. They use Outlook rules that aren’t enabled to move emails around to different folders. They trigger the rules by using a macro in Outlook.

I tried the Outlook rules macro option, and it worked wonderfully, with one catch: you need to enable macros in Outlook. I am worried that having macros enabled in Outlook will increase the attack surface for my account.

Rather than using macros, I found a way to do the same thing with PowerShell and COM objects. This works great, but you have to have Outlook open for it to work, and it doesn't work with New Outlook. Currently, there doesn't seem to be any support for COM objects in New Outlook.

I went down the rabbit hole of figuring out how I could upgrade the script to move emails without using COM objects. The rabbit hole led me to Microsoft Graph. With Microsoft Graph, there is a way to retrieve a user's Outlook rules, but there doesn't appear to be a way to execute the rules on demand like the macro and COM object methods did.

However, Microsoft Graph does support moving emails around. Most of the Outlook rules I use to move emails around are basic rules that can be easily rebuilt using Microsoft Graph. I now have a script that I’m calling Outlook Email Mover that moves emails around based on some provided parameters, which is exactly what an Outlook rule does.

The Script

Outlook Email Mover uses Microsoft Graph to connect to the user’s mailbox and move emails around.

You can find the script on my GitHub https://github.com/thedxt/Outlook-Email-Mover

Prerequisites

How It Works

Outlook Email Mover uses Microsoft Graph to connect to a user’s mailbox. The required scope is "Mail.ReadWrite".

Inside the Outlook Email Mover script is a function called Outlook-email-mover-connector.

The Outlook email mover connector is a function you can use to connect to Microsoft Graph. You can also connect to Microsoft Graph yourself and not use the function as it is optional.

Reset VMware vCenter Root Password

You should always know the root password for your VMware vCenter. Fortunately, if you don’t remember your VMware vCenter root password, there’s a way to reset it.

In this post, I will show you step-by-step how to reset the root password for VMware vCenter.

The Process

  • To be extra safe, take a snapshot of your current vCenter VM.
  • Determine which ESXi host is running your vCenter VM by looking at the related objects and the host listed.
  • Connect to the ESXi host that is housing the vCenter VM.
  • Restart the vCenter VM.
  • When you see the Photon boot screen, press the letter e.