Start IE in lock down mode

When we publish a website URL via Citrix, we always want to lock down which websites the user can access.
The easiest way is to use IE lock down mode. Enabling lock down mode is simple: you only need to add the “-p” parameter.
For example,

Then when users start the application, they will get a full-screen IE with no address bar and no buttons.
But please be aware that in lock down mode there is no exit button, so users need to press ALT+F4 to close IE.

Is there any better option?
Yes, you can use the script below:

Then publish “IE.vba www.google.com”

Update Domain Controller to Windows Server 2016/2019 and move FSMO roles to new domain controller

I’m still using Windows 2012R2 as my home lab’s domain controller. Since MS released Windows Server 2019, I think it’s time to upgrade my test lab to Windows Server 2019.
The first server I want to upgrade is my domain controller.

Even though you can mount the ISO and click setup.exe to upgrade a Domain Controller to Windows 2016/2019, after a test, I found that this kind of “upgrade” is a fresh installation… If you upgrade your DC in this way, you will find that after reboot, your DC is gone… You will only have a standalone server running Windows 2016/2019 which is in a workgroup… I don’t know why MS permits people to do an “upgrade” in this way and doesn’t show any warning message at all…

So how to upgrade DC to Windows 2016/2019 in the right way?

The right way is to build a new server, promote it to a domain controller, and then move all FSMO roles to it.

1. Install a new Windows 2016/2019 Server.
2. Install “Active Directory Domain Services” on the server
3. Promote the server to a domain controller. Make sure you also installed DNS services on it.
4. Reboot the server.
5. Once the server is up and running, open Server Manager, then open “Active Directory Module for Windows PowerShell”.
6. Run the command below:

Press Y to move all FSMO roles to this server.
7. Run the command below to make sure all FSMO roles have been migrated to the new domain controller.

8. Demote the old domain controller, then remove the old DC from the domain and shut it down.
9. Change the new DC’s IP address to the old one. Then run the command below to make sure all DNS records are updated and there are no errors.

Upgrade VCSA6.7 to VCSA6.7u1

It seems there is a bug in vCenter 6.7 that stops the VCSA update check from working.
So to upgrade VCSA from 6.7 to 6.7u1, you need to

Then you should be able to see all the patches.

Install / deploy Office Professional Plus 2019

Microsoft released Office 2019 yesterday. But it seems Microsoft is pushing very hard to get people to move from traditional Office to Office 365.

After I logged in to the Microsoft Volume Licensing Service Center, I found that Microsoft has stopped providing the ISO for Office Professional Plus 2019. Microsoft only provides the deployment tool to deploy Office 2019.

Office Professional Plus 2019 will be released with Click-to-Run installation technology only. We are not providing MSI as a deployment methodology for Office Professional Plus 2019.

Ok, then how can we install Office Professional Plus 2019?

First of all, download Office_Deployment_Tools_2019_MLF_X21-88134.exe from Microsoft website.

Then create an XML file as follows:

Please be aware that “ProPlus2019Volume” is the only available channel for Office 2019 “ProPlus2019Volume”.

3. Run the command below to install Office 2019:

You can also download a copy of the installation files, if you want, with the command below:

RDP failed, and got system event ID 36870 fatal error occurred when attempting to access the SSL server credential private key.

It’s a weird issue.
Port 3389 is open, and you can telnet to it. But if you try to RDP to the server, the RDP connection fails immediately.
And in the system event log, there is an error message that says “Description: A fatal error occurred when attempting to access the SSL server credential private key.”

After investigation, it turned out this issue was caused by incorrect file permissions set on files within C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.

So the fix is to grant SYSTEM full control access to the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys as well as to all files within this folder.
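
One way to confirm the permission problem described above before changing anything, as an added example that is not part of the original post: the script lists the MachineKeys folder and key files where SYSTEM has no Allow entry for Full Control, and grants it only when run with `-Repair`. The `-Repair` switch, the function name and the use of `icacls` with the well-known SID S-1-5-18 are choices made for this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
param([switch]$Repair)    # hypothetical switch: also grant the missing access

$keyDir    = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'   # path from the post
$sidSystem = 'S-1-5-18'                                          # well-known SID of Local System
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-SystemFullControl([string]$Path) {
    # True if an Allow ACE (explicit or inherited) gives SYSTEM Full Control
    $acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $sidSystem -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

# The folder itself plus every key file in it (hidden/system files included)
$items = @(Get-Item -LiteralPath $keyDir -Force) +
         @(Get-ChildItem -LiteralPath $keyDir -File -Force)

$bad = @(foreach ($i in $items) {
    try {
        if (-not (Test-SystemFullControl $i.FullName)) {
            [pscustomobject]@{ Path = $i.FullName; Problem = 'SYSTEM lacks Full Control' }
        }
    } catch {
        # An ACL that even an administrator cannot read is itself a finding
        [pscustomobject]@{ Path = $i.FullName; Problem = "ACL unreadable: $($_.Exception.Message)" }
    }
})

$bad | Format-Table -AutoSize | Out-Host
Write-Host ("{0} of {1} items need attention" -f $bad.Count, $items.Count)

if ($Repair) {
    foreach ($b in $bad) {
        # icacls accepts a numeric SID when it is prefixed with '*'; (F) = Full Control
        icacls $b.Path /grant "*${sidSystem}:(F)" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $($b.Path)" }
    }
}
```

Run it once without `-Repair` and keep the output, so there is a record of which key files had the wrong ACL before the fix was applied.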