A UAC prompt will pop up every time you try to install a printer from a printer server. To bypass that, you can deploy two group policy settings, both for computer devices and in the same location.

Open Group Policy Management and head over to the following location.

Computer Configuration > Administrative Templates > Printers

Then disable both following settings.

• Limits print driver installation to Administrators
• Point and Print Restrictions

The first setting is to allow non-admin users to install printers and the second one is to bypass the UAC prompt when doing so. Ideally, you should enable (instead of disabling it) the second setting to limit the installation only from certain printer servers.

Obviously, disabling both settings will also undo the meditation the patch put in place. Use it as the final resort or as a temporary solution.

References:

• KB5005010
• KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481) – Microsoft Support

To view account license and service details

First, connect to Microsoft Graph.

Connect-Graph

To list all license plans you purchased with part number and ID,

Get-MgSubscribedSku | Select-Object SkuPartNumber, SkuID

To list the services that are available in each license plan,

$allSKUs = Get-MgSubscribedSku
$allSKUs | ForEach-Object {
  "Service Plan: " + $_.SkuPartNumber
  $_.ServicePlans | Select-Object ServicePlanName, ServicePlanID
}

To list all license plans assigned to a specific user,

Get-MgUserLicenseDetail -UserID $userID

To list all services from all assigned license plans for a specific user,

(Get-MgUserLicenseDetail -UserID $userID -Property ServicePlans).ServicePlans

Service plans can be quite messy if you manage them manually so using PowerShell could save a lot of time and could make things a lot easier.

To assign or remove a license plan from a user account

Now you need to sign in to Microsoft Graph with some extra permission scope.

Connect-MgGraph -Scopes User.ReadWrite.All

You will also need to make sure the UsageLocation is set for the user before assigning any license plans, e.g. US for the United States and CA for Canada, etc. To find out all the accounts in your tenant that don’t have a UsageLocation value, run the command below.

Get-MgUser -Select Id,DisplayName,Mail,UserPrincipalName,UsageLocation,UserType | where { $_.UsageLocation -eq $null -and $_.UserType -eq 'Member' }

To assign a license plan to a specific user,

Set-MgUserLicense  -UserID $userID -AddLicenses @{SkuID = $skuID} -RemoveLicenses @()

You can retrieve the license SKUID like this, where $partNumber is the name of the license plan, such as SPB for Business Premium, etc.

$skuID = (Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $partNumber).SkuID

To remove a license plan from a specific user,

Set-MgUser-License -UserID $userID -RemoveLicenses @($skuID) -AddLicenses @()

To remove all license plans from a specific user,

Get-MgUserLicenseDetail -UserId $userID | ForEach-Object {Set-MgUserLicense -Userid $userID -RemoveLicenses @($_.skuid) -AddLicenses @()}

References:

• View Microsoft 365 Licenses and Services with PowerShell

Before you go any further, check if you have turned on the Audit Log Search in your tenant first.

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

If you haven’t, do this to turn it on.

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

To do the search, you can either go through the Compliance Portal or use the PowerShell cmdlet.

1. Sign into the Compliance Portal
2. Go to the Audit tab on the left panel
3. Select the New Search tab at the top of the Audit page.

Then configure the search criteria as applicable. It took me some time to figure it out and then a few tries to get my result.

Check details on how to perform the search here.

Obviously, as always, using PowerShell cmdlets or scripts makes things much easier. Check out this script from Microsoft to get started on how it works. But if you like a more powerful script that works out of the box. Give this a serious look.

For example, I used it to check if any email deletions were happening after May 30, 2024 from a mailbox called overtime.

./auditdeleteemails.ps1 -mailbox "overtime" -StartDate 05/30/2024

It saves the result in a CSV file for you to review.

Adding alternate DNS name to a Server

If DNS name resolution is the only thing you need, you can either manually add an A record in the DNS server to point the old server name to the same IP address of the new server or add a REG_Multi_SZ registry key to the following location:

HKLM\System\CurrentControlSet\Services\DNSCache\Parameters\AlternateComputerNames

One FQDN per line and run ipconfig /registerdns for the change to take place.

Adding alternate NetBIOS name to a Server

Add a REG_Multi_SZ registry key to the following location:

HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\OptionalNames

One NetBIOS name per line and restart the server once done.

If you are adding an additional NetBIOS name to the same server, you most likely will need to access a shared network resource through that name. If that’s the case, you might need one more step to run the following command in an elevated Command Prompt to allow NTLM authentication for the new alias.

setspn -A host/host_servername alias_name

Just in case, if you encounter an error saying that the Target account name is incorrect when trying to access a shared file server after adding the name, you may need to use the setspn command line to check and remove the old NetBIOS name from another server.

A few resources

• Multiple server names on Windows
• Disable Strict Name Checking
• Setspn command

Go to the URL Rewrite Module site to download the installation file and run it on a server you want to enforce the HTTPS traffic.

Once installed, go to the SSL-enabled site on IIS Manager, select URL Rewrite, Add Rules, and a Blank rule.

Name your rule and set up the details as below:

Match URL
Requested URL: Matches the Pattern
Using: Wildcards
Pattern: *
Ignore case: Checked

Conditions
Logical grouping: Match Any
Condition input: {HTTPS}
Check if input string: Matches the Pattern
Pattern: OFF
Ignore case: Checked
Track capture groups across conditions: Not checked

Server Variables
Leave blank.

Action
Action type: Redirect
Redirect URL: https://{HTTP_HOST}{REQUEST_URI}
Append query string: Not checked
Redirect type: Permanent (301)

Restart the IIS server and you are all set.

Self-Signing a Certificate

Simply open an elevated PowerShell window and run the following command to self-sign a 5-year certificate to the certificate store on the local machine.

New-SelfSignedCertificate -DnsName "servername" -CertStoreLocation cert:\LocalMachine\My -FriendlyName "servername" -NotAfter (Get-Date).AddYears(5)

Technically, you can do so on any given computer but it’s easier to run it right on the IIS server so you don’t have to move the certificate around.

Binding the certificate to IIS

Right-click the site on IIS and choose Edit Binding. Add the HTTPS (443) binding and pick the certificate you just self-signed from the list.

Exporting the certificate

Open the Certificate detail from Server Certificates on the IIS Manager, go to the Details tab, and choose Copy to File… button.

Follow the wizard, choose Yes, export the private key, and Include all certificates in the certification path option to save it with a password.

Distributing the certificate via the Group Policy

Open the Group Policy Management console, and head over to the following location.

Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies

Right-click the Trusted Root Certification Authorities and choose Import.

Then on the File to Import window, pick the PFX file you exported from the last step. Make sure you pick the *.pfx type from the dropdown list.

Forcing HTTPS

Once the certificate gets distributed to the workstations, redirect all HTTP traffic to HTTPS to enforce secure access.

If that’s the case, it’s time to add the drivers of the new computer model to the MDT system. Ideally, you will need two sets of drivers for that new device, one for the WinPE bootable drive and one for regular deployment.

Download these drivers from the official website first and then import them to the MDT system under the Out-of-Box Drivers section. You can create separate folders to better manage different types of drivers.

To update the bootable LiteTouch ISO image, right-click the Deployment Share and choose Update Deployment Share.

And choose the Completely regenerate the boot image option. It may take a while to get all drivers updated in the boot image.

Lastly, make sure you have the Inject Drivers step in the Task Sequence when deploying a new computer.

• SMTP Auth
• Direct Send
• SMTP relay

SMTP Auth

If you can deal with Modern Authentication in the form of OAuth, this option provides you with the most reliable email delivery. And you do need a licensed mailbox to send emails from.

Direct Send

Direct Send doesn’t require SMTP Auth, nor a licensed mailbox. All you need is to specify your own MX endpoint as the mail server or smart host with an unblocked Port 25, you are all set to send emails to recipients in your own organization. Adding an SPF record to avoid having the message flagged as spam is recommended but not required.

v=spf1 ip4: include:spf.protection.outlook.com ~all

SMTP Relay

If you need to send emails to external recipients, or not every device on your network has Port 25 open or allowed, SMTP Replay could be your answer. The basic setup is the same as the Direct Send but you do need to set up a Mail Flow connector first, whether it’s certificate-based or IP-based.

Obviously, an IP-based connector is much easier.

And again, SPF is highly recommended to avoid your messages being trapped in the spam folder.

Pre-upgrade

First, if you have Azure (Entra) AD Connect installed on the server, an in-place upgrade will mess things up quite badly. What Microsoft suggests is to use the Swing migration to set the original server in stage mode and temporarily move the Azure (Entra) AD Connect to a different server.

You will also need to prepare the AD schema before the in-place upgrade. Mount the Windows Server 2019 or 2022 Installation ISO media, go to the support\adprep folder and run the following commands.

adprep /forestprep
adprep /domainprep

Once done, run the following PowerShell cmdlet to confirm the result about the schema version you are about to upgrade to.

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

Here is the schema version value table for your reference.

Windows Server 2012 R2 - 69
Windows Server 2016 - 87
Windows Server 2019 - 88
Windows Server 2022 - 88

The actual upgrade

Now, it is good to go with the in-place upgrade. The actual process will be quite straightforward and should be done fairly quickly.

Post-upgrade

Everything should be up and running right away, including DNS, AD services as well as group policy setups. Two things might require your attention.

The DHCP server might need to be re-authorized to be used again.

Also, if you are using the SMTP services from the legacy IIS 6, you might need to re-configure everything. The settings were wiped out during one of my upgrades. It’s a good idea to document the setup before doing the upgrade.

References:

• Microsoft Entra Connect: Upgrade from a previous version to the latest
• Upgrade domain controllers to a newer version of Windows Server

Uninstalling a program via WMI

First, let’s see how to view the installed program.

Get-CimInstance -Class Win32_Product -ComputerName $computername

To specify which program, you can pipe the result to Where-Object with a query like this.

Get-CimInstance -Class Win32_Product -ComputerName $computername | Where-Object {$_.Name -Like 'Adobe Acrobat 2017'}

You can even use the wildcard in this case to find all Adobe-related programs.

Get-CimInstance -Class Win32_Product -ComputerName $computername | Where-Object {$_.Name -Like 'Adobe*'}

If the output has only one result, you can simply call up the Uninstall() procedure to uninstall the program.

(Get-CimInstance -Class Win32_Product -ComputerName $computername | Where-Object {$_.Name -Like 'Adobe Acrobat 2017'}).uninstall()

If the output has multiple results, you can use the ForEach() method to loop through each app and uninstall it.

$apps = Get-CimInstance -Class Win32_Product -ComputerName $computername | Where-Object {$_.Name -Like 'Adobe*'}
ForEach ($app in $apps) {
  $app.uninstall()
}

Uninstalling a program via Uninstall-Package

Not all installed programs can be uninstalled via WMI. If the above method fails, Uninstall-Package would be a good option next in the line. Also, if it’s a MSI installed program, you have a better chance of uninstalling it this way.

Use the Get-Package cmdlet to find the program and pipe the result to Uninstall-Package to get it uninstalled. The nice thing about this method is that you can uninstall a bunch of related programs in one line.

Get-Package -Name "Kofax*" | Uninstall-Package

The drawback is that you would need to use the Invoke-Command cmdlet to execute it on a remote computer.

Invoke-Command -ComputerName $computername -Scriptblock {Get-Package -Name 'Kofax*' | Uninstall-Package