Ever wondered who runs the Internet, or those "servers" you keep hearing about? I'm a network admin, and I could very well be living right next door to you. Take a step over into my world, and see what you might learn!
I recently configured SMTP relay with SMTPget and iDealSMTP, and it was incredibly smooth! Both offer excellent reliability and seamless setup for bulk email campaigns. Highly recommended.
Love the series! My question is: with a lot of orgs using Intune/Autopilot to ship laptops directly to staff, is there an equivalent method to clean up Windows that way?
I really don't think so, because in that case the Windows installation is being pre-installed and sent out directly to your staff members. You're kind of stuck with shipping them Windows as Microsoft sees fit, and then using Intune to customize it out later.
This would be handy if you're deploying something like an office or classroom of PCs. I haven't played with PXE booting since the Windows XP days and remember it being not such a pain to set up when UEFI wasn't a thing. Maybe mention UEFI in the title so others can find this helpful video. Thanks & cheers!
Wow! It's amazing that the installation can go directly to Audit Mode, what a great toy, I hope to have a good time before the New Year. I hope you'll have a good time before the New Year! I like your smile, although there is no fast forwarding, you can hear the game scene, and your thinking mode, your priorities, and you can learn the reasons for your choices; which is good, because most of the non-native English speakers feel unfamiliar and don't know why and what is going to happen. You can only change the user folder defaults in Audit Mode, because you don't use the system defaults, which cut the system drive and the data drive. Today is a good day, I can eat a 50 NTD watermelon and learn interesting methods, thanks for your hard work! (Translated by DeepL)
For any new machine I touch (work or personal), I start by erasing whatever's already on it. If you don't have to worry about multiple users on the machine, or if you don't need to create a master image to be cloned to multiple machines, then you probably don't need to muck around in Audit mode. Definitely prepare your installation media first by deprovisioning junk apps and inserting some registry settings, but then you can take the settings from unattend.xml and merge them into Autounattend.xml. If you do it right, it should automatically wipe the disk, boot through OOBE, and create a new user account for you. You can also use the "OEMkey.ps1" script I provided to reactivate your copy of Windows, using the OEM license already burned into the BIOS.
It'll work fine for a laptop with multiple users! If you're doing that, just follow the whole process, Audit mode and all. :) Uncomment the section in deploy1.cmd to allow the OEMkey.ps1 script to run, and you should be good to go.
The machine isn't (and shouldn't be!) attached to any domain while it's in audit mode, so group policies won't apply. Once you've created the image and it's booting into OOBE, that's when you join the domain and get group policy applied! On the other hand, if you're talking about Local Group Policy... it's a bit more complicated. First, remember that group policies are just a more user-friendly way of inserting values into the Windows registry. Most user-specific registry entries will be persisted into the default profile if you're using CopyProfile. Most machine-specific registry entries will also be persisted... but some won't. When Sysprep comes through and resets the machine in preparation for capture and cloning, some parts of the registry are cleaned up, and changes may be lost. This is something you may need to test a fair amount. I've spent weeks testing and re-testing things, sometimes. If your desired changes are cleaned up during sysprep, you may be able to re-load and modify the registry hives offline, or you may be able to re-insert the desired values on first boot via a command script... there's always ways to get things done! :)
Am I safe to assume the unattend.xml and autounattend.xml files get copied into the root directory of the installation media/ISO file used to deploy this custom image? Also, I'm very interested in how you "slipstream" 3rd party programs and/or custom app settings into an installation (I would love to never have to go through the mind-numbing process of de-crapifying Edge ever again.) Also also, does the profile settings copy function work on adding domain user profiles to the PC as well? Awesome series of videos!
1. If Autounattend.xml is present on the root directory of any drive attached when Windows Setup starts, it will be used. So, if you boot off a setup DVD, but Autounattend.xml is present in the root of a connected USB drive, Setup will still use it.
2. When any unattend file is being used (auto or regular), Setup will copy it into the filesystem of the new operating system. (Specifically, C:\Windows\Panther.) This allows Setup to go through multiple reboots to process the different phases of setup, while still using the same unattend file.
2a. (edit) If you were to copy an unattend.xml file into C:\Windows\Panther during initial setup, Setup will start using the settings as if it was an "in-progress" unattend file after it reboots. Rufus uses this method to insert any custom settings chosen by the user.
3. When we sysprep the image out of audit mode and into OOBE, we'll pass an argument telling sysprep exactly which unattend file we want it to use. I also prep the filesystem manually, as a belt-and-suspenders approach.
4. All the slipstreaming is done in Audit mode! That's what we're going to see in the next video. :)
5. The default profile copy does work for domain users... with a slight catch. If domain users are using local profiles or a roaming profile which hasn't been instantiated yet, the default profile will be used to provision their new profile. But if domain users are using an existing roaming profile, then their existing roaming profile will be used (as you would expect).
I do not and would not sell these images. I'm happy to share them, but I suspect that selling them would put me immediately at odds with Microsoft. There's a lot of difference, after all, between using Microsoft's available tools to customize their software (and telling other people how to do the same thing themselves), versus reselling their software without authorization.
Not yet. I haven't built out a website or email just yet (though I do have plans for that), so for now the best way to reach me is right here in the comments! That being said, I intend to put much of the details for this online, so other people can access it more freely. I haven't exactly figured out how I want to do that, but in the next couple weeks I should have something for everybody as we wrap up the series. :) I just need to get enough time to sit down and figure it all out!
The BypassNRO registry key set here removes the requirement to use a Microsoft account in Windows 11. The use of local accounts is re-enabled, and a Microsoft account becomes optional.
That's a different discussion altogether. :) I use Linux, and as I've said in other comments, I personally have chosen to move to Linux instead of using Windows 11 on my personal systems. But that doesn't mean I can tell all of my business clients that I refuse to install Windows any more--that's a complete non-starter. So I still need to know how to do this for work purposes.
HW RAID, SW RAID (by controller or by operating system), Btrfs, or ZFS all really depend on the use case and are not one-size-fits-all. We also see it with RAID levels too. But there is very little out there of people doing content actually showing you differences to help people understand the differences to make the decision of what is best for them.
Thank you for that wonderful "discussion" of ZFS. I am new to RAID although I have been around since before MS-DOS 1.0 was a thing, but drive arrays are new to me. Best way to keep from aging early is to learn new things... too late! But I still like learning new things.
NTLite is a program that facilitates doing all this for you in a GUI. But I like to know how things work and you explained to me what NTLite is doing in the background. Thank you.
It concerns me that the website simply redirects me to a RU-vid channel. If I'm going to use something created by somebody else, I want to know EXACTLY what has been done--and ideally, I want to use that process myself to replicate their work, rather than take it on trust. Windows is opaque enough as it is. If I'm going to modify it, I want to be able to start from an official download from Microsoft and then do the modifications myself, so I know exactly what has been done and what (if anything) has been added. That's just my personal preference, though. I'm sure lots of people have had nothing but good experiences with it, but I haven't had experience with it at all, good or bad! Most of my work focuses on cleaning up Windows 10/11 for a business environment, which is a different target. I need stability, support from Microsoft, and the ability to be able to enable telemetry for business purposes if needed; I can't afford to strip everything out like some of those builds do. (I just need to learn to control it.)
Think of a business application, developed and written in-house rather than purchased. A new update to the application is pushed out, and people start to report that it crashes sometimes. But it doesn't crash all the time, and it doesn't crash on every machine, so troubleshooting it is taking some time... Or, think of pushing out a critical security update. It installs properly on most machines, but it's failing on a few machines here and there. What's different about the machines where it fails? Maybe your business pays for some very expensive applications, and you'd like to know which application(s) you should focus on trying to eliminate--which departments use which applications, and how often? Telemetry is useful for these kinds of problems. If there's a crash, Windows error reporting can log it and send some of the details needed to help fix the issue. If an update fails, diagnostic data can help shed light on what's different about the hardware or software on the problem PCs, so you can adjust the details of which machines are assigned which updates--or which machines you might need to fix in another fashion. Microsoft's telemetry functions are primarily intended to help spot issues like these, particularly as Windows grows more complex. But Microsoft also has settings to allow the business to store the telemetry data for their own in-house reporting needs, in which case Microsoft only collects and forwards the data. You can also turn off Windows error reporting completely without having to remove it--there's a setting for that. (Microsoft used to have a service that allowed businesses to examine and use the telemetry from the Windows PCs in their own fleet, but a lot of the data is now available through the use of Intune or other such agents, some of which still use the built-in data collection functionality in order to provide the needed information.)
I think it is. At the moment, I consider somebody with a CCNA to be "entry-level". I know Cisco has added additional certifications below CCNA these days... I personally have my CCNP, and I consider myself to be a mid-level networking guy in the grand scheme of things. Might get up to CCIE eventually. :) Cisco certifications spend entirely too much time on the Cisco-specific marketing stuff. Learn it to pass the test, forget it afterwards. The important parts are the general networking principles, yes, but because Cisco is one of the big granddaddies of the Internet, I have found that learning more of the Cisco-specific CLI commands is a massive benefit as well--a lot of other networking gear echoes the Cisco design and command structure!
There are lots of programs out there. :) For cleaning up an installation file, specifically, there is a program to do this... but it went further than I thought was beneficial, so I went through it all myself to choose what to get rid of and what to keep. It's also worth pointing out that sometimes programs to do this automatically can have negative effects--some previous versions rendered Windows unable to install any security updates, making them quite vulnerable to exploitation. I'm going to show you all one of those tools at the end of this series, but I thought it would be important for people to know how it works and why, so they can make their own decisions about whether they want to go through it manually (like I have).
It's quite irritating when apps don't close file handles when they're supposed to be done with them. It's something that every programming 101 class teaches, yet _so many_ apps still don't do it correctly--even Microsoft's! It's even worse when a Windows service or the user shell clings to an old file handle. Ever tried to unmount a removable drive only to be rejected with an error message... even when _every_ app that ever touched the drive was already closed? Yep, a random service or part of the user shell left a damn file handle on the drive open.
Indeed! I've had some success using Procexp to find the offending handle and force it closed, but I've found that when it's System holding it open, force-closing the handle leads to system instability. Usually, though, a System file handle is the result of an anti-virus scanner, a file opened remotely via SMB, or something else of that nature. Makes me go on a bit of a hunt!
@@NextDoorNetAdmin Yep, I've had Procexp fail a few times too. Sometimes the offending process just re-spawns the handle. In rare cases, it just fails with an error. Rather than trying to force it at that point, most people would give up and just reboot the system to clear the issue. My end run around an unclosable file handle is to simply unplug the drive in sleep mode. When the system wakes up, the offending process just has to deal with the file error... for a file it never should have kept open anyway. Technically, it was done with the file. If the system successfully goes to sleep, any pending file operations and cached versions of the file should have been committed to disk. Of course, I wouldn't do that with a complex file system, such as a database or enterprise-level system. For the average PC, I haven't had any issues with that trick. If I keep having the same problem with the same app/process, it's still preferable to actually find and correct the issue.
I decided I would rather switch to Linux than run Windows 11 on my personal systems. But that doesn't stop me from having to deploy Windows 11 for work purposes, so I needed to figure out how to clean this all up anyway. :)
We're definitely going to be taking a look at disabling the requirement for a Microsoft account in order to use your computer! There's also going to be some more settings that we can toggle to reduce the amount of "cloud" prompting we have to deal with. Stay tuned!
This is (mostly) protected from being changed in future updates. Microsoft wouldn't make any friends if classified government networks suddenly had new stuff showing up on their secured PCs, after all! These registry keys exist specifically to disable this behaviour, and for that reason, you can expect them to work through all versions of Windows 11. (And even if Microsoft did add new provisioned applications, it would affect any existing user accounts on the machine. Provisioned apps only install themselves for brand-new users on the machine, so you're fairly safe from that, too!)
I'm only 6 minutes in, and it seems this is about Exchange. Do you have any suggestions on how to get a relay set up in Windows 10 without Exchange? Using hmail as the server at the moment. Trying to find information on how to get a proper mail server set up on a Linux machine, but all tutorials are strictly for VPS/Docker systems.
You should find the bits about SPF records are still useful to you, since that applies whether you're running an SMTP server or setting up an SMTP relay. I don't have any information about hmail specifically. But it looks like that's an actual server. I'm not clear on whether you're attempting to send directly from that machine (from the SMTP server), or whether you're setting up a Windows 10 machine to send outbound email via the server (SMTP relay, from sending machine to server to Internet). If you're doing relay, then there's nothing special for Windows 10. Just point it at your SMTP server, and as long as you've configured the server correctly to allow relay from that machine, you should be able to send outbound. :)
@@NextDoorNetAdmin hmail is the mail server I have running on a Windows 10 machine. I'd need a relay service to actually enable the server to send mail. Receiving works perfectly. I found that it hasn't been maintained since 2021, so I'm going to look for a complete solution. Might as well go for a Linux server for everything, since I'll need web hosting, a file server, a chat server etc. anyway. And I have an old HP ProLiant lying around anyway. Thank you for your quick reply! I'll definitely watch the entire video too. There's no such thing as learning too much after all ;)
Heartbleed disproved _many eyeballs make a bug shallow_. I'm happy this outage proved that we still need super secure mainframes. Also, I wonder if Intel Itanium (EPIC, not EPYC) created the monoculture, because it killed off a lot of non-PC (RISC) architectures. 🤔
I'm not sure I would agree that Heartbleed disproved the aphorism you mention. If anything, I think Heartbleed proved the general point that those who use a product commercially should contribute to its development. Crypto in general is a hard subject to do well, and the OpenSSL devs were chronically short on money and people who were both skilled enough and had sufficient free time to contribute. They didn't have the "many eyes" they needed to make the bugs shallow, nor did they have the resources to hire more. I don't think Itanium created any sort of a monoculture. Other RISC lines (including SPARC, ARM, and the IBM Power series) continued for decades after Itanium's introduction. They may not be especially common (certainly not as common as the x86-64 CISC microarchitecture), but they're still out there, and many are still being actively developed and sold today. Itanium, on the other hand, has itself been discontinued.
If you have only one backbone you've lost all redundancy. In the good old days when it was the wild west I had a provider no one had heard of; people were bellyaching about outages and downtime, but my little insignificant outfit was still chugging along. It was bought out and of course we're all forced to swim in the same pond. It's like driving 10 cars sharing one engine: lose the one engine and you've lost 10 cars.
You don't want to delete those certificate exports altogether, because if you have to restore that VM to a reloaded host or a new host environment, you cannot boot the TPM-enabled VM without importing those certificates.
I would leave it enabled. Certainly won't hurt anything! Then if something tries to use multicast and you happen to have a router which supports it, and all the stars align... it should work! If you disable IGMP snooping, that might end up being the piece which breaks it.
Hi, Comcast and some other ISPs are blocking port 25, and the SMTP authenticators will be removed from Office 365. Do you know how to get around this port 25 issue?
I do! Use a business connection. :) Not to be glib about it, but residential connections often have port 25 blocked in order to combat spam being sent from unaware customers infected with malware. Customers accessing their remote email accounts will usually use a different port--sending directly to port 25 (with or without STARTTLS) is indicative of a server-to-server (relay) connection. Conversely, since a business connection is expected to be running business applications (including email servers), all ports are generally left unblocked. Since you would need a static IP to add into the SPF record to permit the relay, that's also something typically available on a business connection.
@@NextDoorNetAdmin Sorry to say, Comcast in Florida is blocking port 25, even for businesses (which is why I asked). Many companies are dealing with this. To get around it, I set up an SMTP relay server with Postfix. It connects to Office 365 using TLS and an account with SMTP authentication enabled.
@@JavierDiaz-zh2jo Ouch! That boggles my mind, honestly. Business connections should be unfiltered, in my mind--it's one of the main reasons to even get a business connection in the first place! I'm going to guess that switching ISPs is likewise not a feasible option. If so, then I would honestly next look at ways of proxying the connection. First thing I would try is probably setting up an SSH tunnel to another endpoint where port 25 isn't blocked. If you had a way to SOCKSify the outbound connection, so much the better--you could use dynamic port forwarding instead of local port forwarding. But I'm afraid that I don't have a ready-made solution at hand for that problem... just ideas that would need more work.
If there are multiple public IPs that need to be added, because of multiple locations, would you just add all of them to the SPF record? Also, does that not create some other security concerns, publishing the company's public IPs in the SPF record?
@TheTF01 Every IP address that needs to be allowed to send mail does need to be added... but there's different ways of doing that, depending on the exact circumstances. If they're just single IPs that aren't connected to each other, you can use multiple ip4: entries. If the IPs can be summarized into a CIDR range, you can also enter that. (Example: "ip4:192.168.2.36/30") Does it create a security concern? I don't think it does. For one thing, there's nothing saying that these IP addresses belong to your company. Let's say you have a rule sending all outbound email to a third-party service that adds a signature. (My company does this!) You need to add the third-party service to your SPF record, and they'll typically have documentation telling you what you can put in (it's usually an "include:service.com" entry). But you could just as easily put in the actual IP addresses if you wanted, and it would work the same way. The actual SMTP headers on the email message also include a record of all the machines the email has passed through (using SMTP), including their IP addresses, from start to finish. This not only reveals the sender's IP address (if they used SMTP), but all servers along the mail path. This is standard because it helps to diagnose mail flow issues, as well as allowing things such as SPF to function correctly. And it's been that way since the very beginning of email! As a general security rule, you never want to rely on "security through obscurity"--keeping things safe by keeping them secret. You definitely want to make sure you have a firewall to protect the network, whether you publish the external IPs in an SPF record or not. And if you do have a firewall in place, I think any additional security risk created by an SPF record is minimal, if not negligible.
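The SPF evaluation the reply describes, as an added example that is not from the channel or the commenter: a small Python evaluator for the ip4/ip6 (single address or CIDR), include: and all mechanisms the reply mentions, run against constructed TXT records (example.com and service.example are assumed names; the addresses are documentation ranges, not real senders).

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups, so the example runs
# offline. "service.example" models the third-party signature service the
# reply describes; the IPs are documentation-range examples, not real hosts.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.36/30 include:service.example -all",
    "service.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # no prefix means "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_host(ip, domain, zone=ZONE, depth=0):
    """Evaluate the ip4/ip6/include/all subset of SPF for one sending IP.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms (include) at 10
        return "permerror"
    txt = zone.get(domain)
    if txt is None:
        return "none"  # no SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(txt):
        matched = False
        if mech in ("ip4", "ip6"):
            # "ip4:203.0.113.10" (a host) and "ip4:198.51.100.36/30" (a CIDR
            # range) are both handled by ip_network; version check skips
            # ip4: terms for IPv6 senders and vice versa.
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            # include: matches only if the referenced domain returns "pass";
            # a missing include target is treated as no match here (full RFC
            # 7208 would return permerror).
            matched = check_host(ip, arg, zone, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            return "permerror"  # a/mx/ptr/exists are outside this example
        if matched:
            return RESULT[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matches


if __name__ == "__main__":
    for sender in ("198.51.100.38", "198.51.100.40", "192.0.2.77", "2001:db8::1"):
        print(sender, "->", check_host(sender, "example.com"))
```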
I have a problem with this Microsoft solution. If we need SMTP relay for printers, it would mean including all public IPs from each office in our SPF record. What that means is that every office will have permission to send whatever they want on behalf of our domain. And I know people are capable of doing really amazing stuff, like buying some Instagram like-counter machine, plugging that into the network, and all I know is that every IDS and FW will turn on red alerts that there is port sweeping by some unknown Linux machine happening. Also they have various visitors etc. etc. So for me, allowing an IP per office in SPF will not do the trick at all. To me it is reckless and dangerous, and also it would basically expose the public IP of each of our offices in one generally available text record, which is HELL NO. And now to my situation: with this in mind we need a simple SMTP relay. We could use on-prem Exchange, but we are getting rid of that as part of our steps to the cloud, and also I do not want to deal with a zero-day every 5 minutes. We could use the really handy SMTP server feature available on the Windows Server edition; securing that would be a piece of cake, as I could even combine that with the setup you provided and have just one out-of-physical-reach IP in SPF. BUT Microsoft decided in their infinite wisdom to deprecate it without a direct replacement. So what can we do? Third party? I would like to avoid third-party funky solutions like the plague. High volume mailbox? That feature is in preview, so it can stretch and change a thousand times. To me what Microsoft is providing with this is good for some startup hipster office, but in a corporate setting it is half baked and potentially dangerous. Me sad, me angry, me wanna bonk somebody from Microsoft with a bonkstick.
PS: Great video, there is not much about this topic around. Nicely done :)
0. OBS. Capture multiple inputs, such as camera and desktop (picture in picture).
1. DaVinci Resolve community edition. Overwhelming at first, but plenty of help is out there.
2. Excalidraw: draw out complex diagrams as you narrate them.
3. Or a second overhead camera: draw it out on paper while you record. Some very large channels use this retro technique.
4. Learn a little bit of editing each video. It won't all be learned overnight. I'm sure you know this from your network learning adventure.
5. "Keep 'em coming! heh heh" (Duke Nukem voice) subbed