How to activate Windows 2012 R2 Terminal License with command line - powershell

I have installed Remote Desktop Session Host and Remote Desktop Licensing services on a Windows 2012 R2 Server which is working in a WORKGROUP.
I have an Enterprise Agreement Number for "Per user Cal Licensing". Normally I can make this activation using Remote Desktop Licensing Manager. But I want to make this activation via the command line, such as PowerShell or cmd.
I need to fill in some fields such as company name, email, name surname, Enterprise Agreement Number, etc.
Is there any way to do this, or is it impossible via the command line?
I found this command:
gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
But I could not find a usage scenario for my case.

First of all, you need to import the module:
Import-Module RemoteDesktopServices
Then you can use:
Set-RDLicenseConfiguration -LicenseServer license_server_name -Mode PerUser -ConnectionBroker connection_broker_name

Related

Enter Office 365 Shell Multi-Factor Authentication credentials inside Powershell

I've been trying to find a way to enter the username, password and token code for the Office 365 shell directly into the terminal and not have the normal secondary GUI window pop-up. Currently I have a basic script that logs in with:
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA + "\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse).FullName | Where-Object {$_ -notmatch "_none_"} | Select-Object -First 1)
Connect-MSOLService
Import-PSSession (New-ExoPSSession -UserPrincipalName USER@domain.tld) -AllowClobber -DisableNameChecking
Is it even possible to use strictly the TUI over the GUI for entering credentials?
Don't guess at how to do X or Y. It will just lead you down a very frustrated path. Always look to the help files and online docs.
What you are trying to do is a common practice these days, and fully documented by Microsoft and many other web resources. There are specific modules to assist with this use case.
Connect to Exchange Online PowerShell using multi-factor authentication
Connect to Exchange Online PowerShell by using MFA
1. On your local computer, open the Exchange Online Remote PowerShell Module (Microsoft Corporation > Microsoft Exchange Online Remote PowerShell Module).
2. The command that you need to run uses the following syntax:
Connect-EXOPSSession -UserPrincipalName <UPN> [-ConnectionUri <ConnectionUri> -AzureADAuthorizationEndPointUri <AzureADUri>]
Connect to Office 365 PowerShell
Step 2: Connect to Azure AD for your Office 365 subscription
> To connect to Azure AD for your Office 365 subscription with an account name and password or with multi-factor authentication (MFA), run one of these commands from a Windows PowerShell command prompt (it does not have to be elevated).
Exchange Online PowerShell Module has been around since circa 2016 from the MFA PowerShell team.
There is even a script from the gallery that is specifically for EXO using MFA.
Connect to Exchange Online PowerShell using multi-factor authentication (MFA)
If you want to use multi-factor authentication (MFA) to connect to
Exchange Online PowerShell, you can't use the instructions at regular
Connect to Exchange Online PowerShell to use remote PowerShell to
connect to Exchange Online.
Download : MFA.ps1

Change BIOS password through powershell

I want to build a script to change and/or set up the BIOS password on HP workstations.
The script I run is as follows:
$computers = Get-Content -Path c:\computers.txt
foreach ($computer in $computers) {
    $passChange = Get-WmiObject -ComputerName $computer -Namespace root/hp/instrumentedBIOS -Class HP_BIOSSettingInterface
    $passChange.SetBIOSSetting('Setup Password','<utf-16/>MYNEWPASSWORD','<utf-16/>')
}
Now, the following happens:
If my BIOS has no password, the script works just fine!
If my BIOS already has a password, the script has Return: 6. I suppose there is a different option for changing the BIOS password? If yes, any help is appreciated!
If I run the script for my computer, it works.
If I run the script for another computer, I get the following error:
The RPC server is unavailable. (Exception from HRESULT: 0x800706BA).
Is there a way to enable an option to enable the RPC for this feature and then disable it again?
Thank you in advance
According to HP's documentation, HP Client Management Interface, the WMI interface supports remote interfacing.
You need to ensure all remote computers you're attempting to connect to have the HP custom WMI Namespace.
You also need to ensure the account you're running under has administrative permissions on all of the remote computers.
You may also need to explicitly set the impersonation to 3 which is impersonate.
For more information: Connecting to WMI Remotely with PowerShell
Also ensure the firewall on the remote computers is either off or has exclusions for WMI.
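The remote WMI settings this answer lists (administrative credentials, impersonation level 3), as an added example that is not part of the original answer or HP's own code. The credential prompts and result objects are constructed for illustration; passing the current setup password as the third argument of SetBIOSSetting is an assumption to check against HP's Client Management Interface documentation, and PacketPrivacy is added here so the password is encrypted in transit.

```powershell
# Added example; prompts and variable names are placeholders, not from the post.
$computers = Get-Content -Path 'C:\computers.txt'
$adminCred = Get-Credential -Message 'Account with admin rights on the remote computers'

# Prompt for the passwords instead of storing them in the script file.
$newPw = Read-Host -Prompt 'New BIOS setup password' -AsSecureString
$oldPw = Read-Host -Prompt 'Current BIOS setup password (blank if none)' -AsSecureString

function ConvertTo-HpBiosString([securestring]$Secure) {
    # The page's call passes values as '<utf-16/>' followed by the plain text.
    $plain = (New-Object System.Management.Automation.PSCredential('x', $Secure)).GetNetworkCredential().Password
    '<utf-16/>' + $plain
}

$results = foreach ($computer in $computers) {
    $wmiArgs = @{
        ComputerName   = $computer
        Namespace      = 'root/hp/instrumentedBIOS'
        Class          = 'HP_BIOSSettingInterface'
        Credential     = $adminCred       # not accepted for the local computer
        Impersonation  = 'Impersonate'    # level 3, as the answer suggests
        Authentication = 'PacketPrivacy'  # encrypt the DCOM traffic carrying the password
        ErrorAction    = 'Stop'
    }
    try {
        $bios = Get-WmiObject @wmiArgs
        # Assumption: third argument is the current setup password.
        $ret  = $bios.SetBIOSSetting('Setup Password',
                    (ConvertTo-HpBiosString $newPw),
                    (ConvertTo-HpBiosString $oldPw))
        [pscustomobject]@{ Computer = $computer; Return = $ret.Return; Error = $null }
    }
    catch {
        # e.g. 0x800706BA "The RPC server is unavailable": host down or firewall blocks WMI
        [pscustomobject]@{ Computer = $computer; Return = $null; Error = $_.Exception.Message }
    }
}

# One row per computer: non-zero Return values and connection errors are kept, not lost.
$results | Format-Table -AutoSize
```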

Possible to use PowerShell's Get-AppvClientPackage to list AppV packages on a machine other than my own?

I can use Get-AppvClientPackage -all [| select name] or Get-WmiObject -Namespace root\appv -Class AppvClientPackage [|select name] to list all installed AppV packages installed on my own machine. It doesn't appear to be possible to use this cmdlet to get the AppV packages installed on another machine, without remote execution.
I am asking this question in hopes of finding something that works (see purpose) or get a definitive answer that it's not possible. There may be better options available (other than PS), but my question is simply if it is possible or not, so that if the latter is the case, we can push to develop a script (which could be run by someone with elevated privileges) to gather information needed.
Purpose: Our team doesn't have visibility into SCCM (that's another option is to have that team report on what is installed where, though sometimes we need answers quickly) and remote PS execution is restricted to one security team (which is understandable), but at times (for support or decommission purposes) we need to check to see if a specific client machine has a package installed, check what AppV packages a specific client has installed, as well as check to see which machines have a particular package installed.
If there is another module or cmdlet (or even something other than powershell or WMI) that might be able to yield the same information, suggestions are welcome.
Get-WmiObject utilizes RPC to connect to remote PCs and does not require PSRemoting. In this effort, all you need to do is add the -ComputerName parameter.
#Requires -Version 3
$Target = 'localhost'
$Params = @{
    Namespace    = 'root\appv'
    Class        = 'AppvClientPackage'
    Property     = 'Name'
    ComputerName = $Target
}
Get-WmiObject @Params
PS C:\> Get-Help -Name 'Get-WmiObject' -Parameter 'ComputerName'
-ComputerName <String[]>
Specifies the target computer for the management operation. Enter a fully
qualified domain name (FQDN), a NetBIOS name, or an IP address. When the remote
computer is in a different domain than the local computer, the fully qualified
domain name is required.
The default is the local computer. To specify the local computer, such as in a
list of computer names, use "localhost", the local computer name, or a dot (.).
This parameter does not rely on Windows PowerShell remoting, which uses
WS-Management. You can use the ComputerName parameter of Get-WmiObject even if
your computer is not configured to run WS-Management remote commands.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false

Install RDS with Powershell on local server

I'm pretty new to Powershell and wanted to create a script that installs the Remote Desktop Service, which is a prerequisite of my application. (I'm on R2012 btw)
I already found that it's possible to do so with a domain account on a remote server (due to the restart needed during installation). I used:
New-RDSessionDeployment [-ConnectionBroker] <String> [-SessionHost] <String[]> [[-WebAccessServer] <String> ]
Now, I want to install RDS on my local server when I launch my Powershell script (as I can do with the Server Manager GUI). The goal is to install RDS and my application in the same Powershell script without the need to do it using a remote server.
Is it possible to do so? Should I use the role-based RDS installation, or are there any tricks I can use to bypass the local server restart (like maybe a workflow)?
You just need to add the RDS Feature:
Add-WindowsFeature -Name RDS-RD-Server -IncludeAllSubFeature -Restart
If you don't include -Restart the restart is not performed - but will be needed before the feature can be used.
Yes, in the context that you need to use New-RDSessionDeployment; but, that being said, you still need the RemoteDesktop module to be imported first, using:
Import-Module RemoteDesktop
Now you need to have RD Connection Broker, RD Web Access, and RD Session Host, by using:
New-RDSessionDeployment -ConnectionBroker server.domain.com -WebAccessServer server.domain.com -SessionHost server.domain.com
Now you need a Licensing Role; use:
Add-RDServer -Server server2.domain.com -Role RDS-LICENSING -ConnectionBroker server1.domain.com
Now we have to use the deployment for the licensing; use:
Set-RDLicenseConfiguration -LicenseServer server2.domain.com -Mode PerUser -ConnectionBroker server1.domain.com
Now you can use New-RDSessionCollection and can publish New-RDRemoteApp.
This should help you in proceeding further.

Powershell remoting - cannot execute an exe as another user

I've a commandline program (c#) that encrypts config files based on machine key.
A powershell script copies the build to a Target Server, modifies configs accordingly and installs windows services.
All the windows services run as local system account (standard user, non-admin) - let's call this account "locuser".
The Target Server is a Win 2012 R2 Server. All of the above is achieved by PS remoting from the Build Server to this Target server.
Now, I need to run the encrypt commandline program as "locuser", so that the program can use the account specific key to do the encryption.
I know that this can be easily achieved by calling Start-Process cmdlet with -Credentials parameter. Well, here's the catch, the above works fine, if I remote in (RDP) to the Target Server and then run the Start-Process .... -Credential $cred from a Powershell Console.
However, I need this to be working while I remote-in (using my scripts) to the TargetServer whilst deploying. When I remote-in to the TargetServer I use credentials that have Admin privileges.
I've tried the following
I've granted "locuser" both "Full Control" and "Invoke (Execute)" permissions by using the Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI command. I've run this command for both Microsoft.Powershell and Microsoft.Powershell32 - Still get Access Denied
I've edited the "Local Security Policy"->"Local Policies"->"User Rights Assignment"->Impersonate a client after authentication - and added both the Admin account (that I login with) and the "locuser" account - Still get Access Denied
I've also granted locuser admin rights - Still get Access Denied
I'm pretty sure there is some configuration on the PS Remoting side of things that I'm missing out but can't figure out what, because all Powershell throws me is an Access Denied error (see screenshot) with little to no useful information to troubleshoot further.
Also, checked Event logs for any traces but to no avail.
You've fallen prey to the dreaded Double Hop. Basically you're authenticating from computer A to computer B, then trying to authenticate again from computer B to computer C (which also happens to be B in this case).
If at all possible, you would be better off ending the session and starting a new one with the locuser credentials, then just calling Start-Process. Another, more messy approach is to use schtasks.
I can tell you how to do it in the same session but it's a bit messy and very complicated, and should only be a last resort:
On the originating server (Build Server):
Run the command Enable-WSManCredSSP -Role Client -Delegate [name] where [name] is an IP or DNS address / range including any target servers (eg "192.168.1.*")
Open GPEdit.msc, navigate to Computer Configuration\Administrative Templates\System\Credentials Delegation and check that the rules Allow delegating fresh credentials and Allow delegating fresh credentials with NTLM... are enabled and include [name]
On the Target Server:
Run the command Enable-WSManCredSSP -Role Server
Running the command:
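# $targetserver is the Target Server's name; -Credential $cred is optional
Invoke-Command -ComputerName $targetserver -Credential $cred -ScriptBlock {
    ## do stuff
    # $locusercred has to be available inside this remote session (see the notes below)
    Invoke-Command -ComputerName . -Credential $locusercred -Authentication Credssp -ScriptBlock {
        Start-Process -FilePath $sc #etc
    }
}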
Some things to be aware of:
Firstly I used this setup to create a local session, then remote from there (so A-A-B instead of A-B-B) so the Group Policy stuff might be in the wrong place but pretty sure it's right.
Secondly I found that credentials are a pain to get working in sessions (in this case $locusercred). I did get it going natively but weirdly it suddenly couldn't decrypt the securestring. I ended up saving a securestring with a defined key to the registry so it can always be decrypted from any account, you may need to come up with your own solution there.
All this stuff is explained in the free eBook "The Secrets of PowerShell Remoting", if you go for the double-hop approach I recommend giving it a read.
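The CredSSP setup described in this answer, scoped to a single target host and switched off again afterwards, as an added example that is not part of the original answer. The host name, credential prompts and executable path are placeholders; it follows the answer's first suggestion (a new session as locuser) rather than the nested call, and assumes locuser has been granted access to the remoting endpoint as the question describes and that the delegation policies named in the answer are in place.

```powershell
# Added example; host name, accounts and path are placeholders.
# Run from an elevated prompt on the Build Server.
$TargetServer = 'target01.example.test'
$AdminCred    = Get-Credential -Message 'Admin account on the Target Server'
$LocUserCred  = Get-Credential -Message 'locuser on the Target Server'

try {
    # Client role: delegate to this one host only, not a range such as 192.168.1.*
    Enable-WSManCredSSP -Role Client -DelegateComputer $TargetServer -Force | Out-Null

    # Server role on the Target Server, set over the normal admin session.
    Invoke-Command -ComputerName $TargetServer -Credential $AdminCred -ScriptBlock {
        Enable-WSManCredSSP -Role Server -Force | Out-Null
    }

    # New session as locuser; CredSSP hands the session locuser's full credentials.
    $session = New-PSSession -ComputerName $TargetServer -Credential $LocUserCred `
                             -Authentication Credssp -ErrorAction Stop
    Invoke-Command -Session $session -ScriptBlock {
        & 'C:\Deploy\EncryptConfig.exe'          # placeholder for the encrypt program
        "Ran as $(whoami), exit code $LASTEXITCODE"
    }
}
finally {
    if ($session) { Remove-PSSession -Session $session }

    # Turn delegation off again on both ends so credentials are not left delegable.
    Invoke-Command -ComputerName $TargetServer -Credential $AdminCred -ScriptBlock {
        Disable-WSManCredSSP -Role Server
    }
    Disable-WSManCredSSP -Role Client

    # Show the resulting client-side state for the deployment log.
    Get-WSManCredSSP
}
```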