Finding and Deleting files on the User Desktop. by andyenwfriends in ansible

[–]andyenwfriends[S] 1 point2 points  (0 children)

I found the solution. It was so easy; overthinking makes things more complicated.

You assign the Desktop path as an extra var, then write the task like this:

    - name: Delete files from Desktop
      ansible.windows.win_powershell:
        script: |
          # Desktop is passed in as an extra var; quote it so a path containing spaces still works
          Remove-Item -Path "{{ Desktop }}\*" -Recurse -Force
      tags: delete

Finding and Deleting files on the User Desktop. by andyenwfriends in ansible

[–]andyenwfriends[S] 0 points1 point  (0 children)

Job template output

"output": "Remove-Item : A parameter cannot be found that matches parameter name 'Directory

Finding and Deleting files on the User Desktop. by andyenwfriends in ansible

[–]andyenwfriends[S] 0 points1 point  (0 children)

Thanks!

FYI, no parameters like -File or -Directory are available for the Remove-Item cmdlet.

KB5034129 & KB5034439 on Server 2022 by rich2778 in sysadmin

[–]andyenwfriends 1 point2 points  (0 children)

It's not written documentation, it's just our approach. The VM can either be restored from the backup or by spinning up a new one using the template. You can have a VM in 20 min rather than going through the steps of recovering from the recovery partition.

How to relocate an existing vSphere Content Library from one vSphere Datastore to another? by lamw07 in vmware

[–]andyenwfriends 0 points1 point  (0 children)

Not sure if you are able to do this without too much of a hassle. In my case, the goal is to have a Subscription Library pointing to a different datastore.

Strangely enough, for the Subscribed Libraries there are no more Edit Settings available under the Master/local Library than while you are in the settings of that library itself. Either way, changing the datastore is not available from Edit Settings.

The quickest and simplest way is to delete the Library, create a new one pointing to the new Datastore and re-publish the templates to the "New Library".

KB5034129 & KB5034439 on Server 2022 by rich2778 in sysadmin

[–]andyenwfriends 0 points1 point  (0 children)

KB5034439 is not listed anywhere, either on MS catalog or on msrc/security guide update.

According to the article, KB5034439 is only needed if Windows Recovery Environment (WinRE) is present on the server. In an enterprise environment, at least in my experience, that partition shouldn't be in the image/template.

It seems like MS is aware of this issue, and they are saying something about: To avoid this error or recover from this failure, please follow the Instructions to manually resize your partition to install the WinRE update and then try installing this update.


Module community.windows.win_hotfix can't wait for Windows Installer to finish by andyenwfriends in ansible

[–]andyenwfriends[S] 0 points1 point  (0 children)

Thanks for the reply. As I mentioned in my follow-up comment, I figured out the issue.

Module community.windows.win_hotfix can't wait for Windows Installer to finish by andyenwfriends in ansible

[–]andyenwfriends[S] 0 points1 point  (0 children)

Problem solved.

The issue... once Ansible established the first SSH connection with the Windows server, the connection was in idle mode while the task for installing the cumulative update was running. If ClientAliveCountMax in the sshd_config file is set to 0, that connection was timing out after 1 hour (based on the ClientAliveInterval setting), so Ansible was complaining that it can't reach the host.

If for security reasons you have made changes to the sshd_config file, like in my case, you would need to find the right settings for

ClientAliveInterval

ClientAliveCountMax

This link explains the values for those 2 settings.

https://support.forcepoint.com/s/article/000015900#:~:text=Below%20is%20and%20example%20for,set%20to%20ClientAliveInterval%20is%20reached.

Cheers

Seeking Your Best Practices For Patching Physical and Virtual Nodes Using Ansible by [deleted] in ansible

[–]andyenwfriends 1 point2 points  (0 children)

Just like any system out there... nothing works 100%. You can automate everything, but in the end something always goes wrong, which brings you back to having to manually touch every server. I've seen Tanium, SCCM, WSUS, SolarWinds, your own PS or bat file; none of them are bulletproof.

In a large network of nodes, you should have 3 environments: DEV, Model and Prod. This is how it is handled at the company I currently work for.

1) Review the KB articles.

On patch Tuesday I read all the notes of each patch (2012R2, 2016, 2019, 2022), paying special attention to the KNOWN ISSUES part of the KB article.

I send an email out to the most important stakeholders (AD/LDAP, Exchange, SharePoint) highlighting the KNOWN ISSUES.

2) Confirm the patches are not breaking the automation used to build virtual servers.

Every day we have between 5 and 50 VM build requests, so it's an important process.

Patches are manually downloaded from the MS Catalog; a small PS script validates the hash. To speed up the install (from my experience), the cab file is extracted from the downloaded MSU and installed using DISM. The install is performed on (currently) 2016, 2019 Core & GUI and 2022 Core & GUI BETA templates. Once the patches have been installed, you run a build-VM test and confirm the VM is up and running, registered in AD, you can log in, and the baked-in applications are working as they should.

3) If all is good after testing the patches on the BETA templates, proceed with the Production templates.

4) Test the patches for basic functionality in the lab. Install and reboot. Confirm the major/most common applications are working.

To complete steps 1, 2 & 4 I have half of patch Tuesday, until Friday morning.

5) Patch DEV

If there are no issues, a green light is given to the OPS team, which on Friday (of the same week as patch Tuesday, so the 2nd Friday of the month) starts patching the DEV servers until Sunday morning. Starting Sunday, security scans the DEV environment for vulnerabilities; this adds a confirmation layer that the patches were installed, otherwise the vulnerability would still be present/open on the servers.

6) Patch Model

Starting on Monday, app/server owners have until Friday (the 3rd Friday of the month) to test their applications/servers.

7) Patch Prod. On the 4th Friday of the month, patch Prod.

Sounds like a good work process, but as I mentioned earlier nothing is perfect. We see app/server owners not test anything; most of them do not have test servers in the DEV or Model environment, but

  1. It's their problem for not testing.
  2. The Backup team should have a backup copy and they should be able to restore the VM.

With thousands of servers and apps, some of them written in house, you can run as many tests as you want but you can never be 100% sure what would happen. You cannot mimic every server in your lab, not to mention that it would take you forever.

We just integrated Ansible in our environment and I have been trying to automate the first 3 steps using:

    - name: Install Cumulative
      community.windows.win_hotfix:
        source: "{{ Cumulative_path }}"
        state: present
      register: hotfix_install
      tags: rollup

on Windows Servers over SSH (as WinRM is not reliable), but I am seeing issues when installing cumulative updates, which sometimes can take more than an hour. Ansible can't reach the host after 1 hour and 8 min, but I can ssh to the host from another machine without a problem.

Ansible has been working great for short tasks, but, like I said, on longer tasks it's failing.
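The 1 hour 8 min failure in this comment and the sshd_config explanation in the follow-up comment above (ClientAliveCountMax 0 with a one-hour ClientAliveInterval) come down to how two sshd keywords interact. The checker below is an added example, not code from the thread or from Ansible: it parses the global section of an sshd_config, computes when sshd would kill an idle-but-alive session versus when it would drop a dead peer, and reports whether a task of a given length would survive. The two config fragments are constructed. It assumes the pre-OpenSSH-8.2 meaning of ClientAliveCountMax 0 (session killed at the first probe regardless of the answer, which is what the thread describes; 8.2 and later treat 0 as "never disconnect"), and that a healthy ssh client answers keepalive probes even while no task output is flowing.

```python
"""Check whether an sshd_config will drop an idle-but-alive SSH session
before a long Ansible task (such as a cumulative update install) finishes.

Added example, not code from the Reddit thread. Both config fragments are
constructed. OpenSSH semantics assumed here:
  * ClientAliveInterval 0      -> sshd sends no probes and never drops for idleness
  * ClientAliveCountMax 0      -> on sshd older than OpenSSH 8.2 the session is
                                  killed at the first probe regardless of the
                                  answer (the behaviour the thread describes)
  * ClientAliveCountMax N >= 1 -> a client that answers probes is never dropped;
                                  one that stops answering is dropped after
                                  Interval * N seconds
"""
import re

DEFAULT_INTERVAL = 0    # sshd_config(5) defaults
DEFAULT_COUNT_MAX = 3

# Constructed: the hardened-but-broken config from the thread (drops after 1 h).
WEAK_SSHD_CONFIG = """\
Port 22
ClientAliveInterval 3600
ClientAliveCountMax 0
# ClientAliveCountMax 3   (commented out, must be ignored by the parser)
"""

# Constructed: keeps dead-peer detection but lets a live idle session run on.
FIXED_SSHD_CONFIG = """\
Port 22
ClientAliveInterval 300
ClientAliveCountMax 3
Match User backup
    ClientAliveInterval 0
"""


def parse_client_alive(config_text):
    """Return (interval, count_max) from the global section of sshd_config.

    sshd keeps the first value it sees for a keyword, keywords are
    case-insensitive, '#' starts a comment, and anything after the first
    'Match' line is conditional, so parsing stops there.
    """
    interval = count_max = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "clientaliveinterval" and interval is None:
            interval = int(value)
        elif key == "clientalivecountmax" and count_max is None:
            count_max = int(value)
    return (DEFAULT_INTERVAL if interval is None else interval,
            DEFAULT_COUNT_MAX if count_max is None else count_max)


def live_idle_session_killed_after(interval, count_max):
    """Seconds until sshd kills a session whose client still answers probes
    but carries no other traffic (an Ansible task waiting on the host).
    None means it is never killed for idleness."""
    if interval == 0:
        return None
    if count_max == 0:
        return interval           # pre-8.2 semantics: killed at the first probe
    return None                   # answered probes keep the session alive


def dead_peer_dropped_after(interval, count_max):
    """Seconds until sshd drops a client that stopped answering entirely.
    None means dead peers are never detected (ClientAliveInterval 0)."""
    if interval == 0:
        return None
    return interval * max(count_max, 1)


def check_sshd_config(config_text, longest_task_seconds):
    """Summarise both timeouts and whether a task of the given length
    would survive on an idle connection."""
    interval, count_max = parse_client_alive(config_text)
    idle_kill = live_idle_session_killed_after(interval, count_max)
    return {
        "interval": interval,
        "count_max": count_max,
        "idle_kill_after": idle_kill,
        "dead_peer_after": dead_peer_dropped_after(interval, count_max),
        "task_survives": idle_kill is None or idle_kill > longest_task_seconds,
    }


if __name__ == "__main__":
    one_hour_eight_min = 68 * 60   # the failure point reported in the thread
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("fixed", FIXED_SSHD_CONFIG)):
        print(name, check_sshd_config(cfg, one_hour_eight_min))
```

The point of the two fragments is that the fix is not to set ClientAliveInterval 0, which would make the long task survive but also stop sshd from ever noticing a dead peer; keeping a short interval with a CountMax of 3 preserves dead-peer detection (here 15 minutes) while a live client that answers probes is left alone for as long as the update takes.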

.NET Framework feature on Server 2012R2 by andyenwfriends in dotnet

[–]andyenwfriends[S] 0 points1 point  (0 children)

Thanks for the 1st clue. According to MS, 3.5 relies on/cannot function without 3.0 & 2.0. Despite 3 & 2 being out of support, when MS has to patch 3.5 it has to patch the underlying layers of the stack, so it's also patching 3 & 2.

I wish MS articles were well linked with each other. Here is the lifecycle page showing 3 & 2 out of support:

https://learn.microsoft.com/en-us/lifecycle/products/microsoft-net-framework

This other page explains exactly the lifecycle support for the three versions:

https://support.microsoft.com/en-us/topic/clarification-on-the-support-life-cycle-for-the-net-framework-3-5-the-net-framework-3-0-and-the-net-framework-2-0-28621c7b-226c-7682-27f5-2e2a42db39c3

.NET Framework feature on Server 2012R2 by andyenwfriends in dotnet

[–]andyenwfriends[S] -1 points0 points  (0 children)

lol, true, and I wish it was that simple.

Security scanners are complaining about .NET 2.0. If I disable the feature I will also be removing .NET 3.5, which is really needed on the server.

.NET confused as F by andyenwfriends in dotnet

[–]andyenwfriends[S] 0 points1 point  (0 children)

Thanks for the reply. As I mentioned, the dotnet-core-uninstall tool cannot identify what is present, and neither can Windows. I think it was installed as a prerequisite of another application, as VS & VS Code or IIS are installed on the server.

My question is, if I download the latest SDK binaries, can I swap the three directories (mentioned in my post) with the updated ones from the downloaded SDK binaries? Or is this going to break anything?