Having a the ZVM configured with only 2 CPU processors, no hot add for CPU or Mem and only 4GB of memory is not good when this server is crucial in recovering Client sites. 

Using the Evacuate Host and Populate Host in this location is mainly only used for Production sites NOT recovery Sites. 

Going to the Setup tab of the ZVM page bottom of the left menu, going to the elipsis at the right of any HOST provides you a list of options, the option “Change VM Recovery VRA” allows you to manually balance the VMs across all Hosts but needs to be checked before the machines are in Failover test or real failover. Here is where you can seperate a client so they are across all of the hosts.

• No Comments

Users can’t send email ( Stay in outbox ) 

On Send and Recieve , Email error “Not Implemented”

Cannot change profile settings , freezes when I click Email acconts

Looks like you need to search the current user registry for OLMAPI32.DLL

e.g. HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{ED475410-B0D6-11D2-8C3B-00104B2A6676}\InprocServer32

C:\\Program Files\\Microsoft Office 15\\Root\\Office15\\OLMAPI32.DLL

and replace with 

C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OLMAPI32.DLL

• No Comments

Issue is a known issue

Field_Advisory_#90v2.2.docx (nutanix.com)

Download ISO  FA-90-Phoenix-Autofix_v1.zip , mount on ESXI Host via java console , and reboot

Unmount ISO after fix and reboot which should fix CVM

• No Comments

There’s spam going around where a “security researcher” will try to claim a security bounty due to you not having a reject dmarc record per below

Greetings Team,

I hope this finds you well!

I am a professional freelance security researcher. I have taken the liberty of performing a cursory audit of your website’s public security configuration (the public-facing information for domain.com and associated services), and have discovered a vulnerability that I believe you would appreciate being made aware of.

In the spirit of responsible disclosure, I have included a report for one of the issues below, detailing the exact nature of the vulnerability, and would greatly appreciate consideration for a bounty reward from your department if such is available. If I do not receive a response I may attempt to contact you again once or twice in an effort to ensure my message has reached you.

DESCRIPTION:
The issue I’m going to discuss here is Domain Impersonation (Email- Spoofing). To demonstrate the authenticity of the issue I just sent a forged email to [email protected] that appears to originate from [email protected] . I was able to do this because of the following:

DMARC record lookup and validation for domain.com 

“No DMARC Record found”
And / Or
“DMARC Quarantine/Reject policy not enabled”

Recommended Fix:

·         Publish DMARC Record. (If not already published)

·         Enable DMARC Quarantine/Reject policy

·         Your DMARC record should look like

“v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:[email protected]“

This can be done using any PHP mailer tool like this,

<?php

$to = “[email protected]“;

$subject = “Password Change”;

$txt = “Change your password by visiting here – [VIRUS LINK HERE]”;

$headers = “From: [email protected]domain.com

mail($to,$subject,$txt,$headers);

?>

Impact:
These attacks may be used to launch phishing attacks so as to get information from users. In addition, these may be used to spam users with emails. Spoofed emails are also used to carry infections like Trojans to do harm to victim systems.

You can check your DMARC record at: “https://mxtoolbox.com” If you need any reference link to support this reported vulnerability, let us know and I will share It with you.

In the end, kindly keep me informed if you require me to send a forged email just when you relieve any doubts.

In addition to this, let me tell you that this is not a scam, and please don’t narrate this with fishing tactics, I am here suggesting certain changes that will save you from numerous forgeries.

Conclusion: Wishing to receive a bounty for this responsible disclosure as a reward and I would like to serve you further reports in the near future if only you also wish the same.

Many thanks!

• No Comments

IoC (indicators of compromise) are essentially breadcrumbs that are left behind from an attempted or successful attack on a system.

SPARK Core – Free IOC and YARA Scanning – Nextron Systems (nextron-systems.com)

Watch out for False Positives

Example is “r.exe” which matches a commonly used pattern with intrusions of a single character file name with an exe extension.
However R.exe is also a legitimate application with MSSQL when the “R Analysis” role is installed.

• No Comments

 Windows copy isn’t ReFS block clone API aware , so when you copy REFS data it reinflates and you loose the space savings 🙁 

3 Methods to do this 

1) GSRichCopy360 Enterprise @ 180$ utilizing their Block Level copy with their Rich Transfer Agent

2) Clone Drive using Storage Replication Windows 2016 Storage Replica and ReFS Volumes – Virtual to the Core

3) If its Veeam data , start a new backup chain.

• No Comments

Recently had an issue where I spun up a new session host for an existing collection and added it and Users logged into the server via the gateway where not getting their UPD. Logging into the server direct instead of the gateway they were above to get their UPD

Source Event ID Task Category
Error 27/03/2014 21:55:57 Microsoft-Windows-TerminalServices-RemoteConnectionManager
20491 None  Remote Desktop Services could not disconnect a user disk for the user account with a SID of S-1-5-21-3629416733-2688236061-3029337882-1142. The error code is 0xAA.93

ID 20494

Remote Desktop Services could not obtain a user profile disk for the user account with a SID of [SID]. Verify that the user profile disk location is accessible, the server’s computer account has read and write permissions to it, and that the location has a user profile disk template file present. The error code is 0x2.82

ID: 20493

Remote Desktop Services could not apply a user desktop for a user account with a SID of [SID]. A temporary profile was enforced for the user. Verify that the user profile disk settings are correct. The error code is 0x2.82

ID 20494

Remote Desktop Services could not obtain a user profile disk for the user account with a SID of [SID]. Verify that the user profile disk location is accessible, the server’s computer account has read and write permissions to it, and that the location has a user profile disk template file present. The error code is 0x2.82

Turns out the RDConnection broker need a cert to be able to distribute the UPD’s to a session host 

• No Comments

nmap –script llmnr-resolve –script-args ‘llmnr-resolve.hostname=%hostname%’

On Windows you need to change to “

nmap –script llmnr-resolve –script-args “llmnr-resolve.hostname=%hostname%”

• No Comments

There’s a free “Google Cloud Identity” license in GSuite. There’s 50 by default but you can increase this where needed

https://cloud.google.com/identity/pricing

You can then work on migrating the SSO provider to 365 using SAML at a later stage

• No Comments

Machines usually need a GPO to join them to Intune and Line of Sight access to the Domain Controller to join to Azure AD. You can actually build and deploy a Package  to help with this for computers that don’t access the Domain but still need to by Hybrid Joined

reate a provisioning package, using Windows Configuration Designer (which you can download from the Microsoft Store app):

Once that’s downloaded, we’ll create a new project:

The most important step will be going to Account Management, selecting Enroll in Azure AD, and getting a Bulk Token:

Once you have a bulk token, select Finish and then click Switch to advanced editor in the bottom left. We need to switch to the advanced editor to remove any extra settings other than the bulk token.

Here I’ll delete the DNSComputerName:

And then the HideOobe setting:

Once we only see Authority and BPRT under Azure, we’re ready to export the package:

Then we just need to copy the RunTime Provisioning Package (.ppkg) file in the exported directory to our device:

Once the PPKG is on the device, double click it to kick off the process:

Unfortunately PPKGs don’t really report any progress, but you can check under Settings > Accounts > Access work or school > Add or remove a provisioning package to see if it applied:

• No Comments