Archive for January, 2018

To monitor an ActivityId and ADFS health in general, use the ADFSDiagnostics module that ships with the Azure AD Connect Health ADFS agent.

In case of problems with the agent, restart its services in the following order:

1. Microsoft AD Health Diagnostics Agent (service name: AdHealthAdfsDiagnostics)
2. Microsoft AD Health Monitoring Agent (service name: AdHealthAdfsMonitor)
3. Microsoft AD Health Insights Agent (service name: AdHealthAdfsInsights)


PS C:\Program Files\Azure Ad Connect Health Adfs Agent\Diagnostics> import-module .\ADFSDiagnostics.psm1

PS C:\Program Files\Microsoft AD Health Agent\Microsoft AD Diagnostics Service> Get-Command -Module ADFSDiagnostics

CommandType     Name                             Version    Source
-----------     ----                             -------    ------
Function        Get-AdfsServerConfiguration      0.0        ADFSDiagnostics
Function        Get-AdfsServerTrace              0.0        ADFSDiagnostics
Function        Get-AdfsSystemInformation        0.0        ADFSDiagnostics
Function        Get-AdfsVersionEx                0.0        ADFSDiagnostics
Function        Receive-AdfsServerTrace          0.0        ADFSDiagnostics
Function        Set-ADFSDiagTestMode             0.0        ADFSDiagnostics
Function        Start-AdfsServerTrace            0.0        ADFSDiagnostics
Function        Test-AdfsServerHealth            0.0        ADFSDiagnostics
Function        Test-AdfsServerHealthSingleCheck 0.0        ADFSDiagnostics
Function        Test-AdfsServerToken             0.0        ADFSDiagnostics

Monitor ActivityID:

Sometimes it is useful to have the trace in table format. For that, use the OutHtmlFilePath parameter: the cmdlet formats the output as an HTML file and opens it in the browser:

PS C:\Program Files\Azure Ad Connect Health Adfs Agent\Diagnostics> Get-AdfsServerTrace -ActivityId 00000000-0000-0000-ce70-0080000000df -OutHtmlFilePath .\report.htm


Test ADFS server health. Each check reports Pass, Fail or NotRun; a Fail needs follow-up, while NotRun means the check was skipped on this node:
PS C:\Program Files\Azure Ad Connect Health Adfs Agent\Diagnostics> test-adfsserverhealth | ft name,result -autosize

Name                                                       Result
----                                                       ------
IsAdfsRunning                                              Pass
IsWidRunning                                               Pass
PingFederationMetadata                                     Pass
CheckAdfsSslBindings                                       Pass
Test-Certificate-Token-Decrypting-Primary-NotFoundInStore  NotRun
Test-Certificate-Token-Decrypting-Primary-IsSelfSigned     NotRun
Test-Certificate-Token-Decrypting-Primary-PrivateKeyAbsent NotRun
Test-Certificate-Token-Decrypting-Primary-Expired          Pass
Test-Certificate-Token-Decrypting-Primary-Revoked          Pass
Test-Certificate-Token-Decrypting-Primary-AboutToExpire    NotRun
Test-Certificate-Token-Signing-Primary-NotFoundInStore     NotRun
Test-Certificate-Token-Signing-Primary-IsSelfSigned        NotRun
Test-Certificate-Token-Signing-Primary-PrivateKeyAbsent    NotRun
Test-Certificate-Token-Signing-Primary-Expired             Pass
Test-Certificate-Token-Signing-Primary-Revoked             Pass
Test-Certificate-Token-Signing-Primary-AboutToExpire       NotRun
Test-Certificate-SSL-Primary-NotFoundInStore               Pass
Test-Certificate-SSL-Primary-IsSelfSigned                  Pass
Test-Certificate-SSL-Primary-PrivateKeyAbsent              Pass
Test-Certificate-SSL-Primary-Expired                       Pass
Test-Certificate-SSL-Primary-Revoked                       Fail
Test-Certificate-SSL-Primary-AboutToExpire                 Pass
CheckFarmDNSHostResolution                                 Pass
CheckDuplicateSPN                                          Pass
TestServiceAccountProperties                               Pass
TestAppPoolIDMatchesServiceID                              NotRun
TestComputerNameEqFarmName                                 Pass
TestSSLUsingADFSPort                                       NotRun
TestSSLCertSubjectContainsADFSFarmName                     Pass
TestAdfsAuditPolicyEnabled                                 Pass
TestAdfsRequestToken                                       Pass
CheckOffice365Endpoints                                    Pass
TestADFSO365RelyingParty                                   Fail
TestNtlmOnlySupportedClientAtProxyEnabled                  Pass
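As an added example (not code from the original post), the following PowerShell ties the pieces above together: it restarts the AD Health agent services in the order given, lists every health check that returned something other than Pass or NotRun, and, as the follow-up for a failing Test-Certificate-SSL-Primary-Revoked, fetches the revocation URLs of the AD FS SSL certificate with certutil so that an unreachable CRL/OCSP endpoint is not mistaken for a revoked certificate. It assumes the module path shown above, that Test-AdfsServerHealth emits objects with Name, Result and Detail properties, and that Get-AdfsSslCertificate from the ADFS module is available (AD FS on Windows Server 2012 R2 or later).

```powershell
# Added example, not code from the original post. Assumptions: the module path
# from the post, Test-AdfsServerHealth objects expose Name/Result/Detail, and
# Get-AdfsSslCertificate exists (AD FS 2012 R2+). Run elevated on the AD FS server.

Import-Module 'C:\Program Files\Azure Ad Connect Health Adfs Agent\Diagnostics\ADFSDiagnostics.psm1'

function Restart-AdHealthAdfsAgents {
    # Restart order from the post: Diagnostics -> Monitor -> Insights.
    foreach ($name in 'AdHealthAdfsDiagnostics', 'AdHealthAdfsMonitor', 'AdHealthAdfsInsights') {
        Restart-Service -Name $name -ErrorAction Stop
        (Get-Service -Name $name).WaitForStatus('Running', [timespan]::FromSeconds(60))
        Write-Host "$name is running again"
    }
}

function Get-AdfsHealthProblems {
    # Anything that is neither Pass nor NotRun needs a human to look at it;
    # NotRun only means the check did not apply on this node.
    Test-AdfsServerHealth |
        Where-Object { $_.Result -notin 'Pass', 'NotRun' } |
        Select-Object Name, Result, Detail
}

function Test-AdfsSslCertRevocationPath {
    # Follow-up for a failing Test-Certificate-SSL-Primary-Revoked: a revocation
    # check also fails when the CRL/OCSP URLs in the certificate cannot be reached
    # from this server (proxy/firewall), which is not the same as a revoked cert.
    $hash = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$hash"
    $cer  = Join-Path $env:TEMP 'adfs-ssl.cer'          # arbitrary scratch path
    Export-Certificate -Cert $cert -FilePath $cer -Force | Out-Null
    # certutil retrieves every AIA/CDP/OCSP URL in the chain and prints the
    # outcome per URL; a "Failed" fetch here explains the Fail above.
    & certutil.exe -urlfetch -verify $cer
}

# Usage:
#   Restart-AdHealthAdfsAgents
#   Get-AdfsHealthProblems | Format-Table -AutoSize
#   Test-AdfsSslCertRevocationPath
```

Run Get-AdfsHealthProblems before and after the service restart; if the same Fail rows persist, the problem is in the farm configuration rather than in the agent.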





Full article:

Topic #1: What is the purpose of this tool as opposed to other tools available?

This certainly should be the first question. This tool is focused toward delivering an easy to understand approach to obtaining network captures on remote machines utilizing PowerShell and PowerShell Remoting.

I often encounter scenarios where utilizing an application such as Message Analyzer, NETMON, or Wireshark to conduct network captures is not an option. Much of the time this is due to security restrictions which make it very difficult to get approval to utilize these tools on the network. Alternatively, it could be due to the fact that the issue is with an end user workstation who might be located thousands of miles from you and loading a network capture utility on that end point makes ZERO sense, much less trying to walk an end user through using it. Now before we go too much further, both Message Analyzer and Wireshark can help on these fronts. So if those are available to you, I’d recommend you look into them, but of course only after you’ve read my entire post.

Topic #2: Where can I get this tool?



One of the easiest ways to remove an expired SSL certificate from an Exchange server is the Exchange Management Shell.
When a certificate installed on the server expires, Outlook starts showing a security alert. To get rid of that alert, remove the expired Exchange certificate and install a new one if required.

A) Identify all the expired certificates on the Exchange server


This command lists all certificates installed on the Exchange server together with their expiry dates. Find the certificates whose expiry date has passed.

After finding the expired Exchange certificate, remove it if you want. The PowerShell cmdlet used for this is Remove-ExchangeCertificate. The syntax of the command is given below:

The highlighted dates indicate that the certificate has expired.

B) Run the Remove-ExchangeCertificate command:

Now run Remove-ExchangeCertificate with the thumbprint to remove the expired certificate from the Exchange server. Check the Services column first: a certificate that is still assigned to IIS, SMTP, POP or IMAP is still in use, expired or not, and must be replaced (assign the new certificate with Enable-ExchangeCertificate) before the old one is removed.
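As an added example (not the commands from the original post), the following functions automate both steps in the Exchange Management Shell: list the expired certificates with their thumbprints and the services they are still bound to, then remove only those that are no longer assigned to any service. It assumes Get-ExchangeCertificate and Remove-ExchangeCertificate are loaded in the session; the function names and the -WhatIf dry run are my own choices.

```powershell
# Added example, not from the original post. Assumes the Exchange Management
# Shell (Get-ExchangeCertificate / Remove-ExchangeCertificate) is loaded.

function Get-ExpiredExchangeCertificate {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [datetime]$Now = (Get-Date)          # injectable for testing
    )
    # NotAfter is the expiry date; Services shows what the certificate is still
    # bound to (None, IIS, SMTP, POP, IMAP, UM, ...).
    Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.NotAfter -lt $Now } |
        Select-Object Thumbprint, Subject, NotAfter, Services, Status
}

function Remove-ExpiredExchangeCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$Server = $env:COMPUTERNAME)

    foreach ($cert in Get-ExpiredExchangeCertificate -Server $Server) {
        # An expired certificate that is still assigned to a service is still
        # the one Exchange presents; removing it does not fix the alert, it
        # breaks the service. Replace it first, then come back here.
        if ("$($cert.Services)" -ne 'None') {
            Write-Warning ("Skipping {0} ({1}): still bound to {2}. Assign the replacement " +
                           "with Enable-ExchangeCertificate first.") -f $cert.Thumbprint, $cert.Subject, $cert.Services
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($cert.Subject) [$($cert.Thumbprint)]", 'Remove-ExchangeCertificate')) {
            Remove-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Confirm:$false
            Write-Host "Removed expired certificate $($cert.Thumbprint)"
        }
    }
}

# Usage:
#   Get-ExpiredExchangeCertificate | Format-Table -AutoSize
#   Remove-ExpiredExchangeCertificate -WhatIf      # dry run, shows what would go
#   Remove-ExpiredExchangeCertificate              # prompts once per certificate
```

Run the function per server in a multi-server environment; certificates are stored in the local machine store of each Exchange server, so an expired certificate may exist on several of them.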

Office 365 endpoints management:

You can use the new web service provided by Microsoft:

Notice that the current XML file and the old RSS feed will only be available until October 2nd, 2018.

A PowerShell script can be used to query the web service:

The output of this script can be generated in different formats (JSON, CSV, txt, ...).
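As an added example (not the script the post refers to), this PowerShell queries the Office 365 IP address and URL web service and writes the result in the three formats mentioned. The service URLs (https://endpoints.office.com/version/... and /endpoints/... with a clientrequestid GUID) are Microsoft's documented ones; the two-entry JSON sample embedded below is constructed in the same shape so that the flattening and export can be run offline, and the function names are my own.

```powershell
# Added example, not the post's script. The endpoints.office.com URLs are
# Microsoft's documented web service; the JSON sample is constructed.
# Instance names accepted by the service: Worldwide, China, Germany,
# USGovDoD, USGovGCCHigh.

$script:ClientRequestId = [guid]::NewGuid()   # the service requires a GUID per client

function Get-O365EndpointVersion {
    param([string]$Instance = 'Worldwide')
    # Poll this cheaply; fetch the full list only when 'latest' changes.
    Invoke-RestMethod -Uri "https://endpoints.office.com/version/${Instance}?clientrequestid=$script:ClientRequestId"
}

function Get-O365Endpoints {
    param([string]$Instance = 'Worldwide')
    Invoke-RestMethod -Uri "https://endpoints.office.com/endpoints/${Instance}?clientrequestid=$script:ClientRequestId"
}

function ConvertTo-EndpointRow {
    # One endpoint set carries arrays of URLs and IP prefixes; firewall and proxy
    # teams want one row per URL or prefix with category and ports attached.
    param([Parameter(ValueFromPipeline = $true)]$EndpointSet)
    process {
        foreach ($kind in 'urls', 'ips') {
            foreach ($value in $EndpointSet.$kind) {     # foreach over $null does nothing
                [pscustomobject]@{
                    Id          = $EndpointSet.id
                    ServiceArea = $EndpointSet.serviceArea
                    Category    = $EndpointSet.category   # Optimize / Allow / Default
                    Required    = [bool]$EndpointSet.required
                    Type        = if ($kind -eq 'urls') { 'URL' } else { 'IP' }
                    Value       = $value
                    TcpPorts    = $EndpointSet.tcpPorts
                    UdpPorts    = $EndpointSet.udpPorts
                }
            }
        }
    }
}

function Export-EndpointRows {
    param(
        [Parameter(Mandatory = $true)]$Rows,
        [ValidateSet('json', 'csv', 'txt')][string]$Format = 'csv',
        [Parameter(Mandatory = $true)][string]$Path
    )
    switch ($Format) {
        'json' { $Rows | ConvertTo-Json -Depth 3 | Set-Content -Path $Path }
        'csv'  { $Rows | Export-Csv -Path $Path -NoTypeInformation }
        'txt'  { $Rows | Format-Table -AutoSize | Out-String -Width 250 | Set-Content -Path $Path }
    }
    return $Path
}

# Constructed sample (two endpoint sets) in the shape the service returns.
$sample = @'
[
  {"id":1,"serviceArea":"Exchange","category":"Optimize","required":true,
   "urls":["outlook.office.com","outlook.office365.com"],"ips":["13.107.6.152/31"],"tcpPorts":"80,443"},
  {"id":11,"serviceArea":"Skype","category":"Optimize","required":true,
   "ips":["13.107.64.0/18"],"udpPorts":"3478,3479,3480,3481"}
]
'@ | ConvertFrom-Json

$rows = $sample | ConvertTo-EndpointRow
$rows | Format-Table -AutoSize
Export-EndpointRows -Rows $rows -Format csv -Path (Join-Path $env:TEMP 'o365-endpoints-sample.csv')

# Live data instead of the sample:
#   $rows = Get-O365Endpoints | Where-Object { $_.required } | ConvertTo-EndpointRow
```

Record the value returned by Get-O365EndpointVersion next to each export; that is the only way to tell later which published version a firewall change was based on.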


Other reference articles:

Did you see on the top of the URL below:

Else using PowerShell scripts:

Run the script below, from an elevated command prompt, on the client machine that's generating the WMI corruption errors. It deletes the WMI repository under %windir%\System32\Wbem\Repository, re-registers the WMI DLLs and recompiles every .mof and .mfl file in %windir%\System32\Wbem so that the repository is rebuilt. Two things to know before running it: the reg add and reg delete lines reset the machine-wide DCOM settings under HKLM\SOFTWARE\Microsoft\Ole (EnableDCOM, the legacy authentication and impersonation levels, and the launch/access restrictions) to their defaults, so export that key first and review those lines if DCOM has been hardened by policy; and any product that registers its own WMI classes (management or monitoring agents, for instance) has to recompile its MOF files afterwards. The four Exchange-specific MOFCOMP lines only apply where those files exist.

    @ECHO OFF
    sc config winmgmt start= auto

    reg add HKLM\SOFTWARE\Microsoft\Ole /v EnableDCOM /t REG_SZ /d "Y" /f
    reg add HKLM\SOFTWARE\Microsoft\Ole /v LegacyAuthenticationLevel /t REG_DWORD /d "2" /f
    reg add HKLM\SOFTWARE\Microsoft\Ole /v LegacyImpersonationLevel /t REG_DWORD /d "3" /f

    reg delete HKLM\SOFTWARE\Microsoft\Ole /v DefaultLaunchPermission /f
    reg delete HKLM\SOFTWARE\Microsoft\Ole /v MachineAccessRestriction /f
    reg delete HKLM\SOFTWARE\Microsoft\Ole /v MachineLaunchRestriction /f

    NET STOP SharedAccess
    NET STOP winmgmt

    CD %WINDIR%\System32\Wbem\Repository
    DEL /F /Q /S %WINDIR%\System32\Wbem\Repository\*.*
    CD %WINDIR%\system32\wbem

    REGSVR32 /s %WINDIR%\system32\scecli.dll
    REGSVR32 /s %WINDIR%\system32\userenv.dll

    MOFCOMP cimwin32.mof
    MOFCOMP cimwin32.mfl
    MOFCOMP rsop.mof
    MOFCOMP rsop.mfl
    FOR /f %%s IN ('DIR /b /s *.dll') DO REGSVR32 /s %%s
    FOR /f %%s IN ('DIR /b *.mof') DO MOFCOMP %%s
    FOR /f %%s IN ('DIR /b *.mfl') DO MOFCOMP %%s
    MOFCOMP exwmi.mof
    MOFCOMP -n:root\cimv2\applications\exchange wbemcons.mof
    MOFCOMP -n:root\cimv2\applications\exchange smtpcons.mof
    MOFCOMP exmgmt.mof

    rundll32 wbemupgd, UpgradeRepository

    NET STOP Cryptsvc
    DEL /F /Q /S %WINDIR%\System32\catroot2\*.*
    DEL /F /Q C:\WINDOWS\security\logs\*.log
    NET START Cryptsvc

    cd c:\windows\system32
    lodctr /R
    cd c:\windows\sysWOW64
    lodctr /R

    msiexec /unregister
    msiexec /regserver
    REGSVR32 /s msi.dll

    NET START winmgmt
    NET START SharedAccess

  • Execute the commands below in an elevated Command Prompt on the client machine that's generating the WMI corruption errors. This is an alternate way of repairing the repository without the batch script, but the three switches are not equivalent: /salvagerepository checks the repository for consistency and rebuilds it only if it is inconsistent, keeping the classes it can still read; /resetrepository is the destructive step that resets the repository to the initial state when the operating system was first installed, so classes registered by other products disappear until their MOF files are recompiled; /standalonehost only moves the WMI service into its own svchost.exe process for isolation and repairs nothing by itself. Try the salvage first and reset only if the salvage does not help:

          Winmgmt.exe /standalonehost
          Winmgmt.exe /salvagerepository

          Winmgmt.exe /resetrepository


  • Execute the command below in an elevated Command Prompt on the client machine that’s generating the WMI corruption errors. It checks the integrity of Windows operating system files and attempts to repair errors it finds.
    sfc /scannow
  • If all else fails, reinstall the Windows operating system on the client machine that’s generating the WMI corruption errors.
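As an added example (not from the original post), this PowerShell wraps the winmgmt switches above in the order a practitioner would actually use them and adds the two checks the batch script lacks: a backup of HKLM\SOFTWARE\Microsoft\Ole before anything touches the DCOM settings, and a verification after each step that the repository is consistent and answers queries. It assumes an elevated session on the affected client; the backup path under $env:TEMP and the returned status strings are my own choices.

```powershell
# Added example, not code from the original post. Assumes an elevated session
# on the affected client; winmgmt.exe and reg.exe are the built-in tools, the
# backup path and the status strings are arbitrary choices.
#Requires -RunAsAdministrator

function Backup-DcomSettings {
    # The batch script above rewrites HKLM\SOFTWARE\Microsoft\Ole; keep a copy so a
    # hardened DCOM configuration can be restored (reg import) afterwards.
    param([string]$Path = (Join-Path $env:TEMP 'Ole-backup.reg'))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Ole' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    return $Path
}

function Test-WmiRepository {
    # /verifyrepository is read-only and prints "WMI repository is consistent".
    $out = (& winmgmt.exe /verifyrepository 2>&1) -join "`n"
    return ($out -match 'repository is consistent')
}

function Test-WmiResponds {
    # A repository can verify clean and still not answer queries; check both.
    try { $null = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop; $true }
    catch { $false }
}

function Repair-WmiRepository {
    param([switch]$AllowReset)   # the destructive step is opt-in

    if ((Test-WmiRepository) -and (Test-WmiResponds)) { return 'Consistent' }

    # Non-destructive first: salvage rebuilds only if inconsistent and keeps
    # every class that can still be read.
    & winmgmt.exe /salvagerepository | Out-Null
    Restart-Service -Name Winmgmt -Force          # -Force restarts dependents too
    if ((Test-WmiRepository) -and (Test-WmiResponds)) { return 'Salvaged' }

    if (-not $AllowReset) { return 'StillBroken-ResetNotAllowed' }

    # Destructive: back to the as-installed repository. Classes registered by
    # other products are gone until their MOFs are recompiled.
    & winmgmt.exe /resetrepository | Out-Null
    Restart-Service -Name Winmgmt -Force
    if ((Test-WmiRepository) -and (Test-WmiResponds)) { return 'Reset' }
    return 'Failed'
}

# Usage: back up first, then repair; rerun with -AllowReset only if needed.
$backup = Backup-DcomSettings
Write-Host "DCOM settings saved to $backup"
Repair-WmiRepository
# Repair-WmiRepository -AllowReset
```

If the function returns Failed even after a reset, the corruption is outside the repository (missing provider DLLs or damaged system files), which is where the sfc /scannow step above comes in.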




Latest news:





If you’re looking for a deep-dive course on strategic approaches to building better cybersecurity defenses in your organization, look at the Microsoft Cybersecurity Reference Architecture. PPT:

Planning and implementing a security strategy to protect a hybrid of on-premises and cloud assets against advanced cybersecurity threats is one of the greatest challenges facing information security organizations today. Microsoft has built a set of strategies and integrated capabilities to help you solve these challenges and is continuing to invest in making this easier.

This training course explores real-life use cases to help address your organization’s security issues, and offers guidance on protecting an enterprise that spans cloud and mobile devices outside your network controls. Explore common challenges and recommended approaches for threat protection, building an identity-based security perimeter, information protection, and software as a service (SaaS) security. Plus, take a look at device and datacenter security, along with threat detection along the kill chain.

The course outline includes:

  • Overview
  • Building an Identity Security Perimeter
  • Threat Detection
  • Server and Azure Security

Watch the deep dive