Make a Windows 11 Local Account Passwordless

Change this from 2 to 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device]
"DevicePasswordLessBuildVersion"=dword:00000000

Create a .reg file with the following:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device]

"DevicePasswordLessBuildVersion"=dword:00000000

Next:

Command: netplwiz
➨ Check: Users must enter a user name and password to use this computer

Deploy Java Deployment Rule Set (Eneterprise White List)

由於 PLM 版本太舊，其中的 Java 程式憑證過期，使用者使用時會彈出警告視窗
所以需要設定企業白名單，而白名單需要進行數位簽章，所以還要有憑證架構

jdk1.8.0_202 Download
https://master.dl.sourceforge.net/project/msi-installers/msi-archive-files/Java/v8u31/jre-8u31-windows-i586.exe

先產生 ruleset.xml

<?xml version="1.0" encoding="UTF-8"?>

<ruleset version="1.0+">

  <rule>

    <id location="https://plmap.contoso.com.tw/"/>

    <action permission="run"/>

  </rule>

  <rule>

    <id location="https://plmifs.contoso.com.tw:8080/"/>

    <action permission="run"/>

  </rule>

  <rule>

    <id/>

    <action permission="default"/>

  </rule>

</ruleset>

Elevate privileges using PowerShell

Start-Process cmd -Verb RunAs

Configure IIS SMTP Service to receive mail over TLS and forward to a non-TLS SMTP service on one Windows Server

Scenario

1. An older custom SMTP service only accepts unencrypted SMTP connections and does not support TLS.
2. A solution is required to receive emails over TLS using IIS SMTP Service and relay them to the custom SMTP service without encryption.
3. The goal must be achieved on a single virtual machine.

---

Environment Setup

Install two network interfaces on a single Windows Server with the following IP addresses:

• Network Interface 1: 10.11.11.11 (physical NIC)
• Network Interface 2: 10.22.22.22 (Description: Microsoft KM-TEST Loopback Adapter)

批次建立 win-acme 用 DNS Record 取得憑證的任務

批次建立 win-acme 用 DNS Record 取得憑證的任務

$RecordNames = @();
$RecordNames += "www";

$Domain = "contoso.com";

foreach ($RecordName in $RecordNames) {
    
    $FQDN = ($RecordName + '.' + $Domain);
    write-host ('Request Certificate for ' + $FQDN);

在 Azure DNS Zone 用 DNS Record 來驗證 Let's Encrypt 的 PowerShell Script

前情提要: 在 Microsoft DNS Server 上用 DNS Record 來驗證 Let's Encrypt 的 PowerShell Script

AzureDNSZoneVerification.ps1

# -Step "create" -Identifier "{Identifier}" -RecordName "{RecordName}" -Token "{Token}"

# -Step "delete" -Identifier "{Identifier}" -RecordName "{RecordName}" -Token "{Token}"

param (

[string]$Step,

[string]$Identifier,

[string]$RecordName,

[string]$Token

);

[string]$AzureResourceGroupName = "Infra_Network"

[string]$ZoneName = "contoso.com"

[int]$TTL = 3600

write-host ('Step: ' + $Step);

write-host ('Identifier: ' + $Identifier);

write-host ('RecordName: ' + $RecordName);

write-host ('Token: ' + $Token);

PowerShell 更新 IIS Site Bind SSL Cert

$PublishedURL = "www.contoso.com"
$IISSiteName = "www.contoso.com"

$PFXPath = "C:\Cert\Cert\"
$Password = "password"

$PFXFullPath = "$PFXPath$PublishedURL.pfx"

$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import($PFXFullPath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet)

Import-Module IISAdministration

在 Exchange Online 如果寄給某個外部網域的信件無法送達，不要退信給原寄件者

在 Exchange Online 如果寄給某個外部網域的信件無法送達，不要退信給原寄件者
方法是透過 Remote Domain 設定停用 NDR（Non-Delivery Report）

首先要建立 Remote Domain (在 EAC Mail flow -> Accepted domains)
New-RemoteDomain -Name "DomainNameOne" -DomainName "Domain.Name.One"
New-RemoteDomain -Name "DomainNameTwo" -DomainName "Domain.Name.Two"

停用 NDR必須用 PowerShell 指令，EAC 不支援 (這裡的 -Identity 是上面的 -Name)

Set-RemoteDomain -Identity "DomainNameOne" -NDREnabled $false
Set-RemoteDomain -Identity "DomainNameTwo" -NDREnabled $false

Fix: SMTP Service MMC has detected an error in a snap-in

When right-click on [SMTP Virtual Server #1] in IIS 6.0 Manager and SMTP Server, you may get this error:

"MMC has detected an error in a snap-in. It is recommended that you shut down and restart MMC."

Here's the fix:

1. Stop SMTPSVC service [Display Name: Simple Mail Transfer Protocol (SMTP)]
2. Stop IISADMIN service [Display name: IIS Admin Service]
3. Edit "C:\Windows\System32\inetsrv\MetaBase.xml"
4. Find: <IIsSmtpServer Location ="/LM/SmtpSvc/1"
5. Add (Settings are alphabetical): RelayIpList=""
6. Save file
7. Start IISAdmin Service
8. Start SMTPSVC service

Credit: https://serverfault.com/questions/1095395/how-do-i-resolve-the-snapin-error-when-setting-up-smtp-on-iis-server

以下提供 PowerShell 程式，直接執行完成上述步驟

Replace Ceritificate on IIS SMTP Virtual Server

$PFXPath = "C:\Cert\"

$PFXPW  = ''

$PublishedURL = "smtp.contoso.com"

Import-Module WebAdministration

$MicrosoftIISv2WMI = Get-CimInstance -Namespace root/MicrosoftIISv2 -Class __Namespace -ErrorAction SilentlyContinue

if ($MicrosoftIISv2WMI -eq $Null) {

Install-WindowsFeature Web-Mgmt-Compat, Web-WMI;

};

$SMTPServer = Get-CimInstance -Namespace root/MicrosoftIISv2 -Class IIsSmtpServerSetting -Filter ("FullyQualifiedDomainName='".$PublishedURL."'")

if ($SMTPServer.AccessSSL -ne $True) {

write-host 'TLS not enabled';

exit;

};