How to Install and Enable Bitlocker Encryption on Windows 10 Pro

To enable Bitlocker on your Windows computer, you first need to be running the Windows 10 Pro operating system. Windows 7, Windows 8, and ‘Windows 10 Home’ versions do not support Bitlocker.

It’s a good idea to first know your current operating system version. To do so, click on the Start Button and type “WinVer” and then press Enter:

Check the version of operating system. You need to have Windows 10 Pro. As of the time of writing this article, the most version of Windows 10 is Version 1909 (OS Build 18363.592).

If you have Windows 7, follow the upgrade instructions below. If you have Windows 10 Home, then you need to purchase the upgrade to Windows 10 Pro, and follow instructions here.

You need to upgrade from Windows 7 Home to Windows 10 Home before you can upgrade to Windows 10 Pro.

Upgrade from Windows 7 Home to Windows 10 Pro

If you are on Windows 7 or Windows 8, do a web search for the Windows Media Creation Tool, or you can find it here: https://www.microsoft.com/en-us/software-download/windows10

When running the Media Creation Tool, run the Upgrade option. It will take a while and several reboots to upgrade from Windows 7 or 8 to Windows 10. If you started with Windows 7 Home or Windows 8 Home, the tool will most likely upgrade your PC to Windows 10 Home.

After you’ve finished the ‘Windows 7 Home’ to ‘Windows 10 Home’ upgrade, you now need to upgrade from Windows 10 Home to Windows 10 Pro in order to get the Bitlocker feature.

Upgrade from Windows 10 Home to Windows 10 Pro

To upgrade from Windows 10 Home to Windows 10 Pro, click on the start button and type ‘Microsoft Store‘ and press Enter.

In the store, search for Windows 10 Pro in the upper-right corner of the store:

Purchase the upgrade ($99) and then run the upgrade. The process will take a while and several reboots.

Once you are on Windows 10 Pro, open the File Explorer, click This PC, then Righ- click on the C: drive and choose Turn on Bitlocker or Manage Bitlocker.

Follow the prompts and enable bitlocker.

  • You may encounter a problem where an old PC does not have a TPM chip, so you will have to edit the local Group Policy in order to allow Bitlocker without TPM enabled. The guide for doing so can be found here: https://www.digitalcitizen.life/how-enable-bitlocker-without-tpm-chip-windows-7-windows-8
  • Enable Bitlocker for the C: drive – Save the Bitlocker encryption/decryption key to a removable USB drive, save to the cloud, and print for a hard copy. This password to unlock the drive and the Recovery/Decryption key are very important, do not lose them.
  • Follow the default prompts (ok to skip system check) and the drive will begin encryption. You should see a status bar and progress indicator showing the percentage of encryption. When it reaches 100%, the encryption process has finished.
  • Reboot the system to complete the encryption of the drive.

After the reboot, log in to the desktop again, and use the Windows Control Panel to check the status. Please follow instructions here:

https://social.technet.microsoft.com/wiki/contents/articles/969.how-to-determine-if-bitlocker-drive-encryption-is-enabled.aspx

Office 365 Outlook for Desktop constantly prompts for login password after enabling MFA two factor authentication – how to Enable Modern Authentication for Exchange Online

If you have recently enabled MFA multi factor authentication or 2FA on your Office 365 tenant, your Microsoft Outlook for Office 365 MSO 16.0.11929 (desktop version) users may be prompted over and over for their password, even though you are sure you have the correct password and even the apppassword / app password hash. I’m sure you’ve tried to re-configure Outlook, look at Azure settings, reinstall Outlook, check your autodiscover records, make sure you have the correct Office Suite version and perhaps have even attempted to change the windows 10 registry with the following settings:

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeExplicitO365Endpoint"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeLastKnownGoodUrl"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeHttpsRootDomain"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeSrvRecord"=dword:00000001

However doing these things did not resolve the issue, and the only fix that worked for us, was to follow the instructions on how to enable modern authentication for Exchange Online here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online

So I thought it would be helpful to have a step-by-step how to enable modern authentication in Exchange Online for Office 365 based on the instructions provided in the link above.

With MFA enabled, connecting to Exchange Online with powershell is not as simple as it used to be, but still not all that bad. I’ve found the easiest way to connect to Exchange Online with Powershell is to do the following.

Note: A forewarning here, with certain browsers, when clicking on the Exchange Hybrid “Configure” button, and then installing the Hybrid configuration, the Office 365 login screen may may flash on the screen as a white box, and then disappears before you can authenticate and use your 2FA txt code. I’ve seen this when using Microsoft Edge, Chrome, and even the new version of Microsoft Edge based on Chromium. The only browser I’ve gotten this to consistently work with is the Internet Explorer browser built into Windows 10. The Internet Explorer browser is installed on Windows 10 by default, it’s hidden in the start menu under Accessories:

If you do attempt to run the Exchange Powershell Module using chrome you may encounter the error:

“Application cannot be started. Contact the application vendor.”

When clicking the Details… button, you may find information similar to the following:

PLATFORM VERSION INFO
	Windows 			: 10.0.18363.0 (Win32NT)
	Common Language Runtime 	: 4.0.30319.42000
	System.Deployment.dll 		: 4.8.3752.0 built by: NET48REL1
	clr.dll 			: 4.8.4121.0 built by: NET48REL1LAST_C
	dfdll.dll 			: 4.8.3752.0 built by: NET48REL1
	dfshim.dll 			: 10.0.18362.1 (WinBuild.160101.0800)

SOURCES
	Deployment url			: file:///C:/Users/Jason/Downloads/Microsoft.Online.CSE.PSModule.Client%20(3).application

IDENTITIES
	Deployment Identity		: Microsoft.Online.CSE.PSModule.Client.application, Version=16.0.3527.0, Culture=neutral, PublicKeyToken=45baf49ae30bdb15, processorArchitecture=msil

APPLICATION SUMMARY
	* Installable application.
	* Trust url parameter is set.
ERROR SUMMARY
	Below is a summary of the errors, details of these errors are listed later in the log.
	* Activation of C:\Users\Jason\Downloads\Microsoft.Online.CSE.PSModule.Client (3).application resulted in exception. Following failure messages were detected:
		+ Deployment and application do not have matching security zones.

COMPONENT STORE TRANSACTION FAILURE SUMMARY
	No transaction error was detected.

WARNINGS
	There were no warnings during this operation.

OPERATION PROGRESS STATUS
	* [4/3/2020 3:32:57 PM] : Activation of C:\Users\Jason\Downloads\Microsoft.Online.CSE.PSModule.Client (3).application has started.
	* [4/3/2020 3:32:57 PM] : Processing of deployment manifest has successfully completed.
	* [4/3/2020 3:32:57 PM] : Installation of the application has started.

ERROR DETAILS
	Following errors were detected during this operation.
	* [4/3/2020 3:32:57 PM] System.Deployment.Application.InvalidDeploymentException (Zone)
		- Deployment and application do not have matching security zones.
		- Source: System.Deployment
		- Stack trace:
			at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
			at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
			at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState& subState, ActivationDescription actDesc)
			at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl, Uri& deploymentUri)
			at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivationWithRetry(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
--- End of stack trace from previous location where exception was thrown ---
			at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
			at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivationWithRetry(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
			at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)

COMPONENT STORE TRANSACTION DETAILS
	No transaction information is available.

At this point, it may be necessary to uninstall the existing module and then re-install and run using Internet Explorer. You may even receive the following error:

"You cannot start application Microsoft Exchange Online Powershell Module from this location because it is already installed from a different location."

To uninstall the module, click the Start Button > type “appwiz.cpl” and press Enter.

Inside of the Programs and Features screen find the application and click Uninstall.

After uninstall, log into your tenant (with an administrator account) at https://www.office.com using Internet Explorer 11, and click the Admin link:

Next, Expand the Menu on the left menu by clicking Show All… and then click on Exchange:

Next we want to click on the Hybrid link to get to our Powershell Configure button:

Go ahead and install the component if it asks, and when it completes, you’ll be greeted with a Windows Powershell screen with the following message:

Experience the fast and reliable Exchange PowerShell V2 Cmdlets via new PowerShellGallery module. Go to https://aka.ms/exops-docs

This PowerShell module allows you to connect to Exchange Online service.
To connect, use: Connect-EXOPSSession -UserPrincipalName <your UPN>
This PowerShell module allows you to connect Exchange Online Protection and Security & Compliance Center services also.
To connect, use: Connect-IPPSSession -UserPrincipalName <your UPN>

To get additional information, use: Get-Help Connect-EXOPSSession, or Get-Help Connect-IPPSSession

We now want to initiate our session using the instructions provided. At the prompt, type in the command:

Connect-EXOPSSession -UserPrincipalName [email protected]

You’ll now be prompted to sign into your tenant (Work or School). You’ll see some status bars go by and then be prompted with a warning about unapproved verbs (for example banish?)

So now we want to (only look before making changes) get our organization structure, and more precisely, find the status of our OAuth2ClientProfileEnabled setting by issuing the command:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

Your output should look similar to the following (with the exception being that your result will probably be set to False:)

Finally we can set this to True by using the following command:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

To verify the command was successful, run the previous command again:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

That’s about it! Give the setting about an hour to propagate and then try testing Outlook on the desktop again. You may get a few clients where their profile needs to be recreated. You can do this by going into the control panel > (1) choose Small Icons > (2) Mail Microsoft Outlook 2016.

Then click Show Profiles

Click Add…

Now when setting up the new mail account, you should be prompted with the modern authentication and you’ll be prompted for your txt code or Microsoft Authentication Application.

Working Remotely -Windows 10 virtual desktops and RDP Tips for laptops and multiple monitors

If you’re working remote with just a laptop, or a laptop and a small 2nd monitor, the desktop gets pretty cramped for a sysadmin. One way to mitigate the pain is to use your OS’s virtual desktops functionality.

Here’s links to guides for Windows, Ubuntu, and MacOS on how to get started with them for your OS. Using Windows as the example, you just press Win-Tab and click the plus sign at the top for New Desktop.

Then drag existing windows on to it, and now they’re on a separate screen. To quickly move between virtual desktops, you can use the CTRL-WIN-left/right arrows.

Once you get in a habit of using them, it’s great for keeping multiple small applications visible on a whole desktop, or multiple full screen apps on their own window that you don’t have to constantly minimize/maximize. You can use Win-Tab (or the Task View button next to the Cortana button on your taskbar) to mass organize things or rearrange, and your Taskbar will reflect what items are open on that particular Desktop.

Alerts and notifications will still appear, even if you’re on a different virtual desktop, and interacting with the notification will teleport you to the relevant desktop.

One gripe with the Windows Virtual desktops is that there’s no easy way to move between desktops without taking your hand off the mouse. You can use the buttons on the side of your mouse (if your mouse has them) to switch desktops if you have the buttons on the side. If your mouse software doesn’t support the windows key combos check out X-Button Mouse Control. Set the buttons to generic and tell X-BMC to change it to the virtual desktop switches.

In order to display an application on all virtual desktops, do Win+Tab, then Right click the Chrome window you want Show window on all desktops.

One thing to note is if you have an AWS Workspace desktop open inside of a virtual desktop, it’s best to have the workspaces desktop in the far-left/primary desktop.

When working remotely in RDP, and you have multiple monitors, and you remote into a machine with multiple monitors, when you open the Remote Desktop client, click the Show Options button then under the display tab, ‘select use all my monitors’ for the remote session.

How to Install Visio 2016 Standard with Office 365 ProPlus Click to run using the Office Customization Tool

When trying to install Microsoft Visio or Publisher with a Volume License MAK license key alongside Office 365 Pro Plus, the Visio .iso installer may give the error: “this version of O365 does not get along with the Installer, or you cannot install 32bit with 64bit”. You may even have tried uninstalling the 32 bit version of Office, install the 64 bit version, only to receive the same exact message. You may find installing 64 bit Visio Volume License with 64 bit Office 2016 Pro Plus doesn’t work, nor does 32 bit with 32 bit, nor 64 bit with 32 bit. It can be frustrating.

The problem is that Microsoft has moved away from mixing the Volume License .iso installations (downloaded from the Volume Licensing website here: https://www.microsoft.com/Licensing/servicecenter/default.aspx ) – on the same computer with the “Click to Run” versions of Office you typically download from within Office 365 online. Instead, to get around the issue, you need to use the Office Deployment Tool. This will allow you build a build a package you’ll run from the command prompt to install for example, Visio or Publisher, on the same computer as Office 365 Pro Plus Click to Run. The configuration and setup is not all too difficult and we’ve documented the installation instructions below. 

*NOTE: While I’ve found Visio .ISO/MAK can be happy with CTR, and although I have gotten it to work in a few instances, I wholeheartedly recommend to bite the bullet and use O365 Visio monthly licensing alongside the O365 Click-to-Run suite. It’s orders of magnitude easier to deploy Visio with O365 than to mix CTR with ISO’s/MAKs! It will save you worlds of frustration when someone moves to a new PC, or MAK licensing changes. Instead, go to Office365 licensing, purchase a Visio license, and assign it to a user. Any money saved by mixing MAK licensing with click to run, in my opinion is not worth the headache. That being said, a lot of the instructions below are relevant to a sysadmin’s job, and you should be familiar with how the deployment tools and office ‘configurator’ works, so read on.

The first thing we need to do is download the Office deployment tool from the following site:

https://www.microsoft.com/en-us/download/details.aspx?id=49117

C https//www.microsoft.com/en-us/download/details.aspx?id=49117 
Apps 0365 
Microsoft I 
Download Center 
This is your 365 
Windows 
Office 
Web browsers 
More v 
All Mi 
Discover what's possible every day with Office 365 
FOR 1 USER > 
Office Deployment Tool 
FOR UP TO 6 U 
Important! Selecting a language below will dynamically change the complete page content to that language. 
Language: 
English

Run the .exe you downloaded, accept the license terms, and extract the tool to a new folder you create named c:\admin\ODT

The Microsoft Office 2016 Click-to-Run Administrator Tool 
You must accept the Microsoft Software License Terms in order to continue the installation. 
MICROSOFT SOFW,'ARE LICENSE TERMS 
MICROSOFT OFFICE DEPLOYMENT TOOL 2016 
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please 
read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply 
to any Microsoft 
• updates, 
• supplements, 
• Internet-based services, and 
• support services 
for this software, unless other terms accompany those items. If so, those terms apply. 
BY USING THE SOFW,'ARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTVVARE. 
IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE PERPETUAL RIGHTS BELOW. 
I . INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices. 
2. SCOPE OF LICENSE. The software is licensed, not sold. This agreement only gives you some rights to use the software. Microsoft 
reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly 
permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it 
in certain ways. You may not 
• work around any technical limitations in the software; 
• reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite 
this limitation; 
[Z Ick here to accept the Microsoft Software License Terms. 
Continue
Browse For Folder 
Select a folder to store the extracted files 
Desktop 
Documents 
Downloads 
Music 
[e Pictures 
Videos 
v Local Disk C:) 
admin 
Saf es 
SmartMaiI 
temp 
Intel 
keypairs 
PerfLogs 
Program Files 
Program Files (x86) 
Make New Folder

Click OK

The Microsoft Office 2016 Click-to-Run Administrator Tool 
Files extracted successfully

Next, let’s switch gears and configure and run the online XML generator tool to build the XML file which we’ll need to configure the tool we just downloaded and extracted above.

The online XML generator can be found here: https://config.office.com

At this website you can log into your office account (Recommended), or alternatively choose to continue without signing in:

C a https://config.office.com 
Apps 0365 
Microsoft I Office Client 
Welcome to the Office 
365 Client Configuration 
Service 
Sign in with your Azure AD Account to get access to all the features 
Get Office 
Sign in 
Continue without signing in? Choose from the options below. 
Create a new configuration 
Create, modify and export Office 
deplcyment configurations. 
Create 
Import your configuration 
Import and modify 'ßur existing 
configurations. 
Import

In our example we’ll create the file by logging in first by clicking “Sign in.”

Once logged in, click on Customization > Device Configuration > +Create.

C https://config.office.com/officeSettings/configurations 
Apps 0365 
Office 365 Clients 
Home / Device Configuration 
Home 
Security 
Customization 
evice Confi uration 
Policy Management 
Learn More 
O 
Office Customization 
O 
+ Create 
opy Remove 
Name 
64-CTR and Vision.. 
Q) Get Link U 
Date created 
07/05/2019 
Download Upload 
Description v

You’ll notice in the screenshot above we’ve already created a customization file which installs the 64 Bit version of Office Click to Run along with Visio 2016 Standard Volume license. We can download ImageFileNamethis configuration file again at a later date if we lose our .xml file.

In this example, we’ll create a customized file that pairs and combines installations of 32bit Office 365 Pro Plus with Visio Standard 2016 Volume License. 

Click on the + Create button.

We first give the configuration a title, something like:

32-Office365CTR_and_Visio2016-32-VL_Key

Our configuration will be setup something similar to the following:

32-Office365CTR and 
.xml 
A 
Products and releases 
Architecture 
Which architecture do you want to deploy? 
@ 32-bit 
C) 64-bit 
Products* 
Which products and apps do you want to deploy? 
Office Suites 
Office 365 ProPlus 
Visio Standard 2016 - Volume License 
Project 
Select Project product 
Additional Products 
Select Additional product 
Update channel 
Select the update channel, which controls the timing of feature updates Learn more CS 
Semi-Annual Channel 
Which version do you want to deploy? Learn more CS 
La test

Take note that Office365 has different versions, and you click the “Learn More” link to decide which version to install or accept the default “Latest”. You might want to install the version that all of your other deployed Office365 versions are using. If you choose “Latest” you’ll most likely get a newer version of Office365 installed than everyone else. As a reference, I’ve copied one of the version tables below:

The following table lists the supported version, and the most current build number, for each update channel. 
Channel 
Monthly 
Semi-Annual 
Semi-Annual (Targeted) 
Semi-Annual 
Semi-Annual 
Version 
1907 
1902 
1902 
1808 
1803 
Build 
1 1901.20176 
1 1328.20368 
1 1328.20368 
10730.20360 
9126.2428 
Release date 
July 29, 2019 
July 9, 2019 
July 9, 2019 
July 9, 2019 
July 9, 2019 
Version supported until 
Version 1908 is released 
September 8, 2020 
September 10, 2019 
March 10, 2020 
September 10, 2019

Also take a look at the primary language, and any other Office Suite apps you don’t want installed. It’s worth it to click through each heading to see what’s inside. 

Next, we need to provide our Visio Standard 2016 volume license key. Do this by first logging into the Microsoft Volume Licensing Center here: https://www.microsoft.com/Licensing/servicecenter/default.aspx , find your product, your version, expand the license keys, and copy the license key into the Office Customization Tool under the heading Licensing and Activation > Product Key > Multiple Activation Key:

Office Customization Tool 
Learn more about the Office Customization Tool C.f 
32-Office365CTR and 
.xml 
anu acuvauull 
Product key 
C) KMS Client Key 
Product key entry is not required for Key Management Service (KMS) activation. 
@ Multiple Activation Key (MAK) 
Multiple Activation Key (MAK). Type a valid 25 character volume license key with no spaces. 
Visio Standard 2016 - 
Volume License 
Autoactivate 
Automatically accept the EULA 
o 
Shared computer activation 
12345-12345-12345-12345-12345 
on 
Off 
Off 
Allow the licensing token to roam 
Network. local, or HTTP path 
Next

Finish by clicking Done in the upper right-hand corner. 

Next, place a check next to the configuration file we’ve just created and click Download:

Office Customization 
+ Create [C Copy Remove Get Link Download Upload 
Name 
'—0365-64-CTR and_Visi020... 
32-Offce365CTR and Visi02016-32-VL 
Date created 
07/05/2019 
07/29/2019 
Description v

Once you’ve downloaded the .xml file, copy it into the c:\admin\ODT folder.

Open the command prompt on the computer onto which we’ll be installing Office 365 and Visio. 

Change directory to c:\admin\ODT with the command:

cd c:\admin\ODT

Run the setup.exe tool from the command Prompt first with the /download switch, followed by the name of your .xml configuration file (use tab to auto-complete the long file name.) For example the filename would look like:

setup.exe /download configurationFileName.xml

The download will be “silent” – it will take about 10 minutes to download the installer to the c:\admin\ODT\Office folder.

Once the download completes, the cmd prompt will be waiting for input again. Next run the setup.exe, except this time, with the  /configure switch (again, reference your .xml file.) The /configure switch will process and install your applications as demonstrated in the following screenshot. For example the command would look like the following:

setup.exe /configure ConfigurationFileName.xml
(c) 2e18 Corporation. All rights reserved. 
: / dmmload 
: 'configure 
7/5/2019 
Type 
XML 
Office 
Installing Office 
Well be done injust a moment

When it finishes both the click to run Office365 will be installed as well as the Visio Volume License MAK version.

Drawing I 
- Visio Standard 
Account 
User Information 
S out 
Switch account 
Account Privacy 
Manage Settings 
Office Background: 
Clouds 
Office Theme: 
Product Information 
Product Activated 
Microsoft Visio Standard 2016 
This product contains 
Change Product Key 
Office Updates 
Updates are automatically downloaded and installed. 
About Visio

We’re done! Now if we need to do another install on a different computer of our Office365+Visio, we can copy the deployment tool and the .xml file to the computer and run the command prompt installer again. 


OpenVPN Cannot Authenticate -Google Authenticator Code Incorrect – Android Windows 10

When trying to setup and authenticate to an AWS Instance running OpenVPN, a user could not complete a new connection to OpenVPN after entering the initial un/pwd. They receive the error: Permission denied. This is after successfully setting up the OpenVPN client on Windows 10 and scanning an Authenticator code using Google Authenticator App on a Samsung S8 Active Android mobile phone running Android 8.0.0 ‘lollipop’. Ultimately the reason the user could not authenticate was their mobile phone’s time was off by about 3 minutes. Continue below to find additional information on how to troubleshoot this and other authentication issues with OpenVPN.

When troubleshooting OpenVPN login errors it’s a good idea to first try some of the following:

Unlock a Disabled or Locked account on OpenVPN Admin console

To check for the events related to a user lockout, first log into the Admin web console > Status > Log Reports. Here you will find the errors related to bad authentication and eventually an account lockout.

The errors you may find could be the following:

Google Authenticator Code is incorrect.
LOCKOUT: user temporarily locked out due to multiple authentication failures.

To unlock a user account (if using local authentication), Login to the Admin Web Console, Go to “General” under Authentication and change Authentication to “PAM”, Save Settings > Update Running Server > “Local” > Save Settings> Update Running Server.

This procedure should unlock disabled or locked user accounts on OpenVPN.

Reset A User Account on OpenVPN

To reset a user’s OpenVPN account:

Log in to the admin web console, click on User Permissions.

Find the username, place a checkmark in the Delete column, then Apply > Save. Next, re-create the account.
Scroll to the bottom of the list, type the new user name:
Eg. jcoltrin
Save > update server

Go back find the username again in the list and hit Show:

Enter in the Local Password: ([email protected]!)
Save > Update

Check OpenVPN for Valid Concurrent License

In the admin web console, under the Configuration menu, click License. Check to ensure that your concurrent users have not reached or exceeded the limits of your licenses (under At a glance,) or that your licenses have not expired.

Use SSH to check the logs of the OpenVPN server and get the specific errors for an individual’s login problems.

After logging into the server using Putty/SSH, you can change directory to the scripts directory:

cd
/usr/local/openvpn_as/scripts/

and then issue the command ./authcli –user <username> –pass [email protected]

./authcli --user jcoltrin --pass [email protected]

This will produce something similar to the following information:

Result:
API METHOD: authenticate
AUTH_RETURN
  status : COM_FAULT
  reason : An error occurred while connecting: 13: Permission denied. (twisted.internet.error.ConnectError)
  user : jcoltrin

Addtionally you can find more messages related to authentication failures in /var/log. You’ll find these messages in the latest log files:

openvpnas.log

openvpnas.log.1

Use your favorite editor (vi) to search through the logs

vi openvpnas.log

use the command / and then the username to search for that term and hit “n” to go to the next instance of your term, for example:

/jcoltrin > n > n

and then :q to quit.

Here are some typical error messages for my authentication errors:

2019-02-26 14:03:26-0800 [-] WEB OUT: "2019-02-26 14:03:26-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'reason': 'local auth failed: password verification failed: auth/authlocal:42,web/http:1609,web/http:750,web/server:126,web/server:133,xml/authrpc:110,xml/authrpc:164,internet/defer:102,xml/authsess:50,sagent/saccess:86,xml/authrpc:244,xml/authsess:50,xml/authsess:103,auth/authdelegate:308,util/delegate:26,auth/authdelegate:237,util/defer:224,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:245,internet/defer:102,auth/authdelegate:61,auth/authdelegate:240,util/delegate:26,auth/authlocal:42,util/error:61,util/error:44', 'user': 'jcoltrin'}"
2019-02-26 14:19:40-0800 [-] WEB OUT: "2019-02-26 14:19:40-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'no_lockout': True, 'reason': 'challenge', 'user': 'jcoltrin', 'proplist': {'pvt_google_auth_secret_locked': 'true', 'prop_cli.script.win.user.connect': '[redacted]', 'pvt_google_auth_secret': '[redacted]', 'prop_autogenerate': 'true', 'prop_deny': 'false', 'prop_cli.script.win.user.disconnect': '[redacted]', 'prop_superuser': 'false', 'pvt_password_digest': '[redacted]', 'prop_cli.script.linux.user.connect': '[redacted]', 'prop_autologin': 'false', 'conn_group': 'Default', 'type': 'user_connect'}, 'client_reason': 'CRV1:R,E:[redacted]==:Enter Google Authenticator Code'}"
2019-02-26
14:20:08-0800 [-] WEB OUT: '2019-02-26 14:20:08-0800
[UDSProxyQueryProtocol,client] Web login failed
(twisted.cred.error.UnauthorizedLogin)'
2019-02-26 14:21:30-0800 [-] WEB OUT: "2019-02-26 14:21:30-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'client_reason': 'LOCKOUT: user temporarily locked out due to multiple authentication failures', 'reason': 'LOCKOUT: user temporarily locked out due to multiple authentication failures', 'user': 'jcoltrin'}"

Make sure the phone with Google Authenticator has the correct time and set the phone to sync it’s clock with the network/carrier

As mentioned at the beginning of this article, what the original login issue came down to was the Android phone, on which the Google Authenticator was running, had it’s time off by about 3 minutes. To set and change the correct time on an Android Galaxy S8 Active, first, go to Settings > General Management > Date and Time > Set/Turn on Automatic Date and Time.

I’m not sure why the value for this phone had it’s time set to not have automatic sync with the network/carrier. This may have been due to a recent android update because I found this setting off on a couple phones in the office. Ensure the time on your server is accurate as well by issuing the bash/ssh command:

date 

Your result should look like the following:

[email protected]:/var/log$ date
Thu Feb 28 14:46:57 PST 2019

If you find the time on your server is not accurate, check out my article on how to set the time on Ubuntu and Synchronize NTP here.

Solved – Office365 Sharepoint Open with File Explorer not working on Windows 10 Internet Explorer 11

On Office365 SharePoint, when trying to open a file in the Windows File Explorer, you might get something similar to the following error:

An error occurred while reconnecting Z: to (sharepoint location) - Web Client Network: Access Denied. Before opening files in this location you must first add the web site to your trusted sites list, browse to the web site, and select the option to login automatically. The connection has not been restored.

….or clicking the Open With Explorer button does nothing, or the button is greyed out.

If the button is greyed out using Windows 10 Edge, Edge does not support Active X controls, so go the Start button, type in Internet Explorer, open IE 11, and try again.

To get to the Open in Explorer button.

  1. Log into https://portal.office.com
  2. Click on your apps menu and choose SharePoint
  3. Browse to a document library > Documents
  4. In the bottom left corner of the browser click the “Return to classic SharePoint”
  5. Place a check mark next to a folder, click on the “Library” tab at the top of the screen, and then click “Open in Explorer”
  6.  

To resolve, make sure you have the following:

  • Windows 10 is up to date (v1803) as of this article
  • The Webclient service is Started and set to Automatic (Start > services.msc )

Make sure the following sites are added to your Trusted Sites in Internet Explorer settings:

  • https://yourdomain-files.sharepoint.com
  • https://*.sharepoint.com
  • https://login.microsoft.com
  • https://portal.office.com
  • https://yourdomain-myfiles.sharepoint.com

Next, restart your IE web browser, open IE, log into Office 365, and try again.

It may be beneficial to reset IE to its default settings:

IE > Gear Menu > Internet Options > Advanced Tab > Reset (delete personal settings) – use caution, try the following first, then if still having issues, try resetting your browser.

 

How to Set Clock Time on AD domain Controller and Sync Windows Clients

How to find your Active Directory Network Time Server

If someone complains that the time on a Windows 7 /Windows 10 PC is off, we can first sync the Domain Controller to an External Time Source, then sync their PC to the DC. How do you sync the computer to the same time as the cell phone/NIST/External Time Source, and make sure that all computers on your network have the same time as the domain controller?

First, determine from a client computer which computer is the authority for your time server. This is usually your Primary Domain Controller. To do so, on the client PC, open a command prompt and run the command:

net time

This should return something similar to the following:

This shows “Current time at \\NETTIMESERVER.domain.com” which is your net time authority.

How to check your domain controller time against a global time provider:

On the server that net time identified (NETTIMESERVER / primary domain controller,) right-click on your PowerShell icon and choose Run as Administrator.

Run the following command to only check how much time your server is off from the global time authority. This command doesn’t do the sync, it just displays how much time your server is off. The result will display plus or minus hours/minutes/seconds/fractions of seconds.

w32tm /stripchart /computer:time.windows.com /dataonly

The results should display something similar to the following (hit CTRL+C to stop the data stream):

So we can see our DC is ahead by 39 seconds.

Sync Domain Controllers Time Against Global Time Authority

So now we want to manually configure our server to use a certain global time provider: time.windows.com – to do this run the following command:

w32tm /config /manualpeerlist:time.windows.com /syncfromflags:MANUAL

The terminal should return “The command completed successfully.”

Next type:

w32tm /config /update

Again you should receive a message “The command completed successfully.”

Now to immediately synchronize the time use the following command:

w32tm /resync

We can now check again how much the time is off from the global provider by issuing the stripchart/dataonly command and check the results. You can see here that our time is now off by less than a second:

Sync Windows 7 or Windows 10 with Domain Controller

PC’s on the network that authenticate against our domain controller should automatically pick up the new time from the time server after a reboot. However if we want we can manually sync the time on the client with the net time domain controller. To do so, issue the command:

net time \\NETTIMESERVER.DOMAIN.com /set /y

This command should return the message “The command completed successfully.”

Our time on our PC is now synced with the domain controller, and the domain controller is now synced with time.windows.com.

How to find the Windows Experience Index in Windows 10 with Powershell

Use PowerShell to get the Windows Experience Index in Windows 10

Windows 7 has the Windows Experience Index which is used often by hardware techs to get a good idea about the kind of hardware installed in a PC. It also allows you to quickly find  where improvements can be made to get the machine to run faster. The following screenshot is an example of the Windows 7 Windows Experience Index:

You can get an idea about how fast the components of your Windows 10 computer are by running the Windows System Assessment Tool, but the readout is a little hard to understand. Skip this part (winsat formal) to get the Windows Experience Index in Windows 10 or Windows 7 with PowerShell below.

First open an elevated command prompt and run the command:

winsat formal

Below is a screenshot of the command running and it’s output. Running this tool will slow down your PC for a few minutes as it runs the tests:

Results:

The Windows Experience Index WMI modules are still available in Windows 10, however, the scores are not readily apparent in the Windows 10 system settings.
To get your Windows 10 Windows Experience Index subscores with PowerShell, first open up the Windows PowerShell ISE. Next, go to the following link: https://pastebin.com/i5M81xsV, -credit goes to reddit user:
*(as of 12/20/18 this code was no longer available on pastebin, so I’ve copied below)
$SysInfo = Get-CimInstance -Query "SELECT WinSPRLevel,CPUScore,MemoryScore,DiskScore,GraphicsScore,D3DScore From Win32_WinSAT"

    $SysParams = @{
                    Perf_WinExp_All = $SysInfo.WinSPRLevel
                    Perf_WinExp_CPU = $SysInfo.CPUScore
                    Perf_WinExp_RAM = $SysInfo.MemoryScore
                    Perf_WinExp_DSK = $SysInfo.DiskScore
                    Perf_WinExp_VID = $SysInfo.GraphicsScore
                    Perf_WinExp_D3D = $SysInfo.D3DScore
                    Perf_WinExp_AVG = "{0:N2}" -f ((($SysInfo) |
                    ForEach-Object {$_.CimInstanceProperties.Value})[0..4] |
                    Measure-Object -Average).Average
                   }
                   
    New-Object -TypeName PSobject -Property $SysParams
Copy the code into the Windows 10 PowerShell ISE and then run the script, or create a .ps1 file, and you can get the Windows Experience Index with PowerShell in either Windows 10 or Windows 7:

Here’s my results

Perf_WinExp_D3D : 9.9
Perf_WinExp_DSK : 7.55
Perf_WinExp_CPU : 9.1
Perf_WinExp_AVG : 8.91
Perf_WinExp_RAM : 9.1
Perf_WinExp_VID : 8.9
Perf_WinExp_All : 7.55
Here are the scores from my friend’s laptop (thanks Stan):
Perf_WinExp_D3D : 9.9
Perf_WinExp_DSK : 8.15
Perf_WinExp_CPU : 8.2
Perf_WinExp_AVG : 8.09
Perf_WinExp_RAM : 8.2
Perf_WinExp_VID : 6
Perf_WinExp_All : 6

So you can see that in my results, my WEI score would be 7.5 – where the lowest subscore determines my overall result. Looking at the scores, I can improve my score and upgrade my computer by increasing the DSK (disk) performance. To do this I would probably have to upgrade my motherboard to one that supports an NVME hard drive.

My friend’s laptop’s lowest score is VID (video) which means his laptop GPU is keeping the score low. There are a few options for upgrading a laptop GPU, such as an external GPU, but this isn’t surprising as most laptops GPUs can’t compete with a full-sized computer and GPU.

How to clone a Dell Optiplex 7050 M.2 NVME Hard Drive with Clonezilla and an External USB HDD

I ran into trouble when trying to clone a new Optiplex 7050. My normal procedure for cloning with clonezilla required a little tweaking to accommodate Windows 10, UEFI, NVME M.2, Secure Boot, and RAID On. Follow the procedure below to clone your systems on these newer hard drives and BIOS versions.

As a side thought, I enjoy using Clonezilla and have used it for many years. I love the convenience of it and not having to manage Windows images with something like SCCM. While SCCM has a place in some organizations, I believe it’s perfectly fine to use Clonezilla to create OS images of different models of computers. I have approx 15 different OS images; everything from Lenovo laptops to Dell Optiplex 380’s to Optiplex 7050’s.

Requirements:

  • 1 x USB 2.0 or 3.0 USB thumb drive min 2GB capacity for the clonezilla bootable USB drive made bootable to 20170905-zesty version of clonezilla
  • 1 x USB 3.0 USB External HDD with a minimum HDD size that is larger than the TOTAL size of your M.2 NVME HDD. (I use a 4 TB Western Digital My Passport) – In my previous experience with Clonezilla, it has created images only writing images of the Used Space on the Source HDD, in this case with UEFI / NVME HDD’s, the image created on disk is the total size of the NVME drive.
  • 2 x Dell Optiplex 7050 (Source and Target) computers
  • 1 x Separate PC or laptop you can use to create a bootable USB Clonezilla Thumb Drive

1. Configure your Source Windows 10 Dell Optiplex 7050 machine as necessary. Install all applications, create user accounts, and uninstall bloatware. Make sure you create an administrator user account and password. In final preparation for cloning, either run Sysprep (found in C:\Windows\System32\Sysprep), or alternatively ensure you shut down Windows 10 completely by creating a Shutdown /s /t 0 shortcut and executing it.

2. On a separate PC, download Rufus which we’ll use to create a bootable USB thumb drive.

3. On a separate PC, download the AMD64 version of alternative (Ubuntu-based) as outlined on the Clonezilla website (this version is required for newer BIOS’):

4. Change the file type to ISO and hit Download.

5. Attach your USB thumb drive into your separate computer, run Rufus, tell Rufus to use the drive you just attached under Device, point Rufus ” to the .iso file you just downloaded.

6. Hit Start and the bootable USB thumb drive with Clonezilla will be created.

7. On the Source computer, insert the USB thumb drive into one of the front panel’s top (black) USB ports, and insert the USB External HDD separately into the Blue USB 3.0 port. Attach the keyboard, mouse, power, and monitor.

8. Power on the Source computer and start mashing the F12 key on the keyboard to get to the one-time boot menu.

9. Before we begin, we need to make sure clonezilla can find our NVME HDD. By default UEFI and Secure Boot will be enabled. We need to disable these as well as Boot Path Security so that we can continue.

10. Select Setup from the Boot Menu:

11. In the BIOS, under the General Heading, select UEFI Boot Path Security and change it from Always to Never.

12. Next change System Configuration > SATA Operation from RAID On to AHCI

13. Lastly, change Secure Boot > Secure Boot Enable “Enabled” to “Disabled”

Apply, Save and Exit the BIOS. On the next boot, start mashing the F12 key again and this time select UEFI: USB DISK 2.0 PMAP

Clonezilla will boot from the USB drive so choose the default (hit Enter):

Select English > Don’t touch keymap > Start Clonezilla > device-image (Ok)

Under Mount Clonezilla image directory, choose Local_dev (Ok)

Press Enter to continue.

Review the clonezilla Scan disk preview to ensure it’s found both your Source and Target hard drives:

Press Ctrl-C to continue.

Arrow down and select your large external USB hard drive (sda1) to set the location of /home/partimg . This is where the clone image will be stored.

In the Directory Browser, hit “Browse” and go to your Parent Directory (top-most level) and select Done. This is where your image will be saved. You can see in my screenshot I’ve already saved an image here.

You will get a Summary location of Source (dev/sda1) and Target (/home/partimag). Press Enter to continue.

Choose Beginner mode

Choose Save Disk (Save_local_disk_as_an_image) – in my previous experience with Clonezilla, using normal spinning HDD’s and even SSD’s, I’ve used Samba to save my images to a separate server over the network using gigabit ethernet perfectly fine. However, in the case of these new computers and hard drives, I would get a permissions error when selecting SAMBA/SMB 2.1. The imaging would begin to take place and a couple smaller partitions would copy, but as soon as the primary large partition started it’s copy, I would get the permission error and the clone would halt. This is why we are using a local external USB hard drive.

Give a descriptive name for the image (Dell7050_NVME_256GB_DATE-IMG) hit OK.

Select the local disk as source (should only be one here)

Select -sfsck (Skip Checking)

Select Yes, check the saved image

Select -senc Not to encrypt the image (or encrypt if desired)

Select Action to perform when everything is finished: -p power off.

Press Enter to continue, (Yes/Yes) – the image process will run and the image of the Source PC will be written to the External USB HDD. The machine should shut down when complete.

Image Target Computer

Now that we have our image saved on our external HDD, we can image our Target PC. On the powered-off PC, Connect the USB thumbdrive, External HDD, keyboard, mouse, and monitor, and again Boot into the BIOS.

On the new target computer, we want to again change the BIOS settings to mirror those we made in steps 11., 12., and 13.

After saving the BIOS, restart and hit F12 again, select the USB thumb drive, and boot Clonezilla.

Start Clonezilla > Device Image > Local_dev > select image repository (sda1) > in Directory Browser, browse to the image we created, highlight it and select Done:

Choose Beginner Mode > Restore Disk:

Choose the image to restore:

Select the target disk to restore onto (Should only be one listed here):

Select “Skip checking the image before restoring” > poweroff > Enter >

Heed the warning here. If important data is on the target disk, do not proceed. All data will be overwritten:

Hit y (enter) > y (enter) >

Partclone will run, clone the image to your disk, then shut down:

With the system powered down, remove your external HDD and boot thumb drive.

Power on the newly-imaged PC, hit the F12 button to go into the BIOS again. Reverse the changes made in steps 11, 12, and 13. Save the BIOS settings, and boot normally into windows. Congrats, you’re done! Hope this helps someone clone their newer systems with Clonezilla.

Windows 10 Creators Edition New Keyboard Shortcuts

Some new Windows Keyboard Shortcuts in Windows 10

With the release of Windows 10 Creators Edition version 1709, comes more bells, whistles, tricks, and shortcuts for us to dig into and explore. In this article, we’ll look mostly at the Windows Key shortcuts available and how the shortcuts and key combos can help us in our daily workflow.

  1. In the event you’re not already aware, the Windows Key on your keyboard (usually between the Ctrl and the Alt keys in the lower left area of most keyboards) has a lots of capabilities when held down while pressing other keys on the keyboard. Pressing this key on it’s own launches the Start Menu:
  2. Windows Key + A – Brings up the Windows Notifications SideBar. Here we can find existing notifications, switch to tablet mode, get into the windows settings panel, join a WiFi network, and change our location settings.           
  3. Windows Key + B – Select / Activate the Systray / Show Hidden Icons Expansion menu. This can come in handy as a few applications run as services and can only be accessed by right-clicking on the icon in the Systray; if your mouse stops working, this is a good shortcut to know.         
  4. Windows Key + C – Opens Cortana in Listening Mode. “Hey Cortana!” This is disabled by default and can be activated in the Cortana Settings. (Enable in Cortana > Menu > Notebook                                    
  5. Windows Key + D – Show the desktop
  6. Windows Key + E – Open File Explorer
  7. Windows Key + F – Open the Feedback Hub and Take a screenshot (this didn’t work for me)
  8. Windows Key + G – Open the X-Box Game Bar
  9. Windows Key + H – Open the Dictation control bar 
  10. Windows Key + I – Opens the Windows 10 Settings
  11. Windows Key + J – Sets focus to Windows Tips when one is available (Turn off tips in Settings > Notifications & Actions) 
  12. Windows Key + K – Open the Connect Quick action (connect to a wireless projector)                                            
  13. Windows Key + L – Lock your PC or Switch Accounts
  14. Windows Key + M – Minimize all windows
  15. Windows Key + O – Lock the device orientation (helpful for tablets)
  16. Windows Key + P – Choose a presentation display mode (Sidebar Projectors tool) 
  17. Windows Key + Q – Quick file search
  18. Windows Key + R – Open Run dialog box
  19. Windows Key + S – Open Windows Search (same as Windows Key + Q)
  20. Windows Key + T – Cycle through apps pinned to the taskbar (cycle in reverse is Windows Key + Shift + T)
  21. Windows Key + U – Open Ease of Access Center
  22. Windows Key + V – Cycle through windows notifications
  23. Windows Key + W – Opens the Windows Ink Workspace
  24. Windows Key + X – Opens the Quick Links Menu (right-click on the start menu) 
  25. Windows Key + Y – Switch input between Windows Mixed Reality and desktop (Your PC may not meet the minimum specs for Windows Mixed Reality)
  26. Windows Key + Z – Shows menus or commands available when an app is in full-screen mode.
  27. Windows Logo Key + period (.) or semicolon (;) – Opens the Windows 10 Emoji control panel 👍                                                 
  28. Windows Key + Comma (,) – temporarily peek at the desktop
  29. Windows Key + Pause/Break – Opens the System Properties
  30. Windows Key + Ctrl + F – Search for Active Directory computers on a network
  31. Windows Key + Number/Shift/Ctrl/Alt – Manage TaskView Virtual Desktops

I’m sure there are more so let me know in the comments if I missed any and let us know which are your favorites (mine is Windows Key + Pause/Break)