
Tag Archives: Windows 2012

Okay, I'm glad I can come back and write something newish. This post is all about creating event log forwarding, a centralized event log and WinRM.


Why you need a centralized event log solution

The Windows event log has always been the first line of defense and reflects what happened to your computers. It will be your company's frontier defense line against PTH (pass-the-hash) or any other attack. If something happens on an IT person's laptop that a privileged account has logged in to before, it will be a great early alert for the IT admin to take action against this account, or to focus on it and track it down.

In an ideal world, we would have all events from everyone and understand exactly what happened. But in reality no one is able to handle that amount of work, and whether it can be efficient enough to provide useful information is another question.

If the collector servers or clients are offline, the related events will be held and submitted to the server once the client/server comes back online.

So this is a big yes for nice to have, but how?

Who we are collecting from

Because we only monitor very critical and abnormal events (like the security log getting wiped out), the chance of one happening should be very small, so we don't need a lot of space for the log collector. We can collect event logs from laptops, servers and desktops, assigned by computer groups. We can deploy a GPO so computers look up the collector for subscriptions. Each computer can submit to multiple collectors at the same time.

What we are collecting

As a starting point we only collect critical events: the security log getting wiped out, a local administrator account logging in to a laptop, the local Administrators group membership being changed, or a service being installed. Those events are absolutely critical. We can easily control which events we want for each subscription.

What we do with those logs

SCOM can be used to monitor those security logs and alert the related teams for further investigation. A SIEM can be used to collect logs from the log collector server, and the log server can overwrite old logs to save disk space.

Enough said, let's take some action here.

I'm going to build one collector server to collect one client's logs. Yes, you can use multiple collectors as an active/active solution in case one of the collectors is down.

In this lab, I'm going to use HTTPS as the protocol rather than HTTP.



Tasks on the collector server

We have quite a few things to do on the collector server. The first step is to enable WinRM on the server.

WinRM configuration

WinRM acts as a proxy and interface on the server and passes the request to the event log service in the background. Hence we must enable WinRM.

One precondition for enabling WinRM is that the firewall service is enabled, because winrm qc performs the following steps:

  • Start the WinRM service.
  • Set the WinRM service type to auto start.
  • Create an HTTP listener on port 5985 to accept requests on any IP address.
  • Enable a firewall exception for WS-Management traffic (HTTP only)


Old WinRM used ports 80/443. From WinRM 2.0 on, it uses 5985/5986.

Hence, yes, Windows Firewall must be on.

Next, we need to create a new rule, as we are going to use HTTPS on 5986.

So you must create an inbound rule to allow TCP 5986.

If you enable Windows Firewall, you might want to open the following as well.

Remote Desktop – User Mode (both TCP/UDP)

File and Printer Sharing (Echo Request – ICMPv4-In)


Then you can run winrm qc.

winrm qc is WinRM quick config; it configures this machine to accept WS-Management requests from other machines (think of a web proxy).

By default, WinRM serves different resource URIs. It can be used by WMI, IPMI, WinRM configuration and, of course, the event log URI (think of a web proxy acting as the front listener and passing information to Exchange or other servers behind the firewall).

When a client hits the listener, a different URI responds depending on which path the client API accesses.

After you run winrm qc (you also need to start the WinRM service on all clients; just start the service, there is no need to create a listener), you can use the following command to test.

You can run winrm id


This information proves WinRM started correctly. It also tells you which URI is responsible for the security profiles.

To check whether the client and server can reach each other through their firewalls, the following commands can be used.

Winrm id -r:dest_server

Winrm id -r:source_server


Now we need to check whether the listener is present.

Winrm e winrm/config/listener



Great, now we have a listener which accepts requests.

But notice it is the HTTP protocol; there is no HTTPS.

To get HTTPS, you need a web server certificate. A standard web server certificate will suffice; there is no need to create a template for it. Just make sure you put the FQDN in the common name and in the DNS name as well. Nothing special.

Once the certificate is in place, run mmc -> Add Certificates snap-in -> Computer account.

Double click the certificate (the one you generated from your CA), go to Details and select Thumbprint.


Now highlight all the details of the certificate thumbprint and press Ctrl+C to copy the content.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="ServerFQDNhere";CertificateThumbprint="9d0a10cbafd10fb34ff234a9c3ebbe7bee876d96"}

Modify the above command line with your thumbprint and your server FQDN, and run it in the server's command window.

Use winrm e winrm/config/listener to double check.

You should see HTTPS appear as well.


Notice you get the hostname, IP and certificate thumbprint here.
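The same listener setup scripted in PowerShell, as an added example that is not part of the original post: it finds the certificate by FQDN instead of copying the thumbprint by hand, adds the TCP 5986 inbound rule the post says HTTPS needs, and verifies the result. The firewall rule display name is my own choice.

```powershell
# Added example, not the post's own commands. Run from an elevated PowerShell
# prompt on the collector. Assumes the web server certificate (FQDN in CN and
# DNS name, as described above) is already in the machine store.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Pick a certificate issued for this FQDN that has a private key and is still
# valid; if several qualify, take the one that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -match "CN=$([regex]::Escape($fqdn))" -or
         $_.DnsNameList.Unicode -contains $fqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No valid web server certificate for $fqdn in LocalMachine\My" }

# winrm qc only opened 5985/HTTP; HTTPS needs its own inbound rule for TCP 5986.
# 'WinRM HTTPS 5986' is just the display name chosen for this example.
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS 5986' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS 5986' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
}

# Same operation as the post's "winrm create ... Transport=HTTPS", done with the
# WSMan cmdlets so the hashtable values need no quoting tricks.
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint } | Out-Null

# Verify: equivalent to "winrm e winrm/config/listener". HTTPS should now be
# listed with the hostname and thumbprint that were just set.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Select-Object Transport, Port, Hostname, CertificateThumbprint
```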

If you want to delete and reset everything because something went wrong, use the following command.

winrm invoke Restore winrm/Config @{}

Be aware this resets the whole WinRM configuration, so if you have other important things in WinRM, you need to be more specific.

Now WinRM is ready to use on the server.

Set up the SPN for your server

WinRM uses Kerberos for authentication by default, hence an SPN is required.

After finishing WinRM, you can double check whether the SPN is registered by running

setspn -l servername

Then look for WSMAN/servername and WSMAN/ServerFQDN.

If you can't find them, you must use setspn to create them.


Event log configuration

The next step is to configure the event forwarding subscription.

Go to services.msc to make sure the Windows Event Collector service is running.

Remember the client will reach the server to download the subscription and find out what it needs to upload.

First, we need to create the subscription. Open Event Viewer.




Notice I selected Source computer initiated.



The reason I selected event 999 is that I can only create my own events in the range 1-1000, so 999 is selected here.


Select HTTPS and Minimize Latency for the lab.

Click OK, OK, and it's finished.

GPO configuration

Now we need to create the GPO.

There are two basic items you must put into the GPO.

The first one is the link that leads the client to the server.



This is where you configure the link for the client to seek the collector server. As you can see from the picture, I have set up two servers, one for HTTP and one for HTTPS. The client is able to send events to both servers.

Be aware the format of the link has to be Server=http://serverFQDN:5985/wsman/SubscriptionManager/WEC,Refresh=10

The Refresh value here means how often the client contacts the server for subscription information; 10 means 10 minutes.


If you want to make the client download the latest subscription, the best way is to run gpupdate /force.


The second GPO item is security for the Event Log service.

The Event Log service on the client must allow Network Service to access and transfer events to the collector server; hence you need to grant it permission.

The way you do it is as follows:

Log on to the client and run the following command line

wevtutil gl security


Notice everything after ChannelAccess:, which starts with O:BAG:SYD:xxxxx. This is the one we are after.

Now read this line and check whether it contains (A;;0x1;;;NS). If it doesn't, you need to append it to the end of the line.

Now put it into the GPO.



and push the policy to the client.
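The ChannelAccess check above, scripted as an added example that is not from the original post: it reads the SDDL the same way (wevtutil gl), adds the Network Service read ACE only if it is missing, and prints the value to put into the GPO. The sample SDDL is constructed for illustration.

```powershell
# Added example, not the post's own commands. Run on the client.
# (A;;0x1;;;NS) = Allow, access mask 0x1 (read), trustee NS = NETWORK SERVICE.
$nsReadAce = '(A;;0x1;;;NS)'

function Get-ChannelAccessSddl {
    param([string]$Channel = 'Security')
    # wevtutil gl prints one "channelAccess: O:BAG:SYD:(...)" line; pull its value.
    $out = (wevtutil gl $Channel) -join "`n"
    if ($out -match '(?m)^\s*channelAccess:\s*(\S+)') { return $Matches[1] }
    throw "No channelAccess line returned for channel '$Channel'"
}

function Add-NetworkServiceReadAce {
    param([Parameter(Mandatory = $true)][string]$Sddl)
    if ($Sddl.Contains($nsReadAce)) { return $Sddl }   # already granted, leave it alone
    $d = $Sddl.IndexOf('D:')
    if ($d -lt 0) { throw "SDDL has no DACL section: $Sddl" }
    # Append to the DACL. If an S: (SACL) section follows the DACL, insert the
    # ACE before it so it does not end up in the audit list by mistake.
    $s = $Sddl.IndexOf('S:', $d)
    if ($s -lt 0) { return $Sddl + $nsReadAce }
    return $Sddl.Insert($s, $nsReadAce)
}

# Constructed sample in the shape the post describes (O:BAG:SYD:...), so the
# function can be tried without touching a real channel first.
$sample = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
Add-NetworkServiceReadAce $sample

# Live check on this client.
$current = Get-ChannelAccessSddl -Channel 'Security'
$fixed   = Add-NetworkServiceReadAce $current
if ($fixed -eq $current) { "Network Service already has read access on the Security log." }
else { "Put this value into the GPO:`n$fixed" }
```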

Client Configuration

Client configuration is relatively easy. Just make sure the WinRM service is running (it doesn't need to be configured) and the group policy has been pushed and applied.

Now we can use the command line to manually create an event and verify whether the collector has got it.

eventcreate /T Error /ID 999 /L application /D "Test0001"

Run this command in a CMD window; it will create an event in the Application log.



The main troubleshooting logs are on the server and on the client end.

Event logs

Check Forwarded Events under Windows Logs on the server to see the forwarded events

Check Applications and Services Logs->Microsoft->Windows->EventCollector

Check Applications and Services Logs->Microsoft->Windows->Eventlog-ForwardingPlugin

Check Applications and Services Logs->Microsoft->Windows->Windows Remote Management
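The verification of the eventcreate test and the log checks just listed, combined into one added PowerShell example that is not part of the original post. It runs on the collector; the client name is a placeholder.

```powershell
# Added example, not the post's own commands. Run on the collector after the
# eventcreate test on the client. $client is a placeholder for the forwarding
# client's FQDN; 999 is the post's test event ID.
$client  = 'client01.example.local'
$eventId = 999

# 1. Did the test event arrive? Forwarded events keep the source computer's
#    name, so filter ForwardedEvents on MachineName, not on the collector's name.
$hit = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = $eventId } `
           -ErrorAction SilentlyContinue |
       Where-Object { $_.MachineName -ieq $client } |
       Select-Object -First 1
if ($hit) { "OK: event $eventId from $client arrived at $($hit.TimeCreated): $($hit.Message)" }
else      { "Missing: no event $eventId from $client in ForwardedEvents yet" }

# 2. Runtime status of every subscription on this collector: each source
#    computer with its last heartbeat and any error text it reported.
wecutil es | ForEach-Object { "--- $_"; wecutil gr $_ }

# 3. Warnings and errors from the operational logs the post lists, newest first.
#    The Eventlog-ForwardingPlugin log is the one to read on the client side.
$logs = 'Microsoft-Windows-EventCollector/Operational',
        'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational',
        'Microsoft-Windows-WinRM/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $logs; Level = 1, 2, 3 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, Message | Format-Table -Wrap
```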

Errors I have encountered

Access denied, error code 5


I had a terrible experience on my first run, which I spent days trying to resolve.

If you recall, Network Service is used by the client to communicate with the server; well, Network Service acts as the computer object over the network, so from the server's point of view this is a request from the client's computer account. My server somehow got a default security setting that blocked all computer account access.



By default, there should be a group called "Everyone", but it was missing. After I added the Authenticated Users group to this security setting, everything worked.


Encountered an internal error in SSL library


This is one of the silly mistakes I made in my life. After a successful test with HTTP, I switched to HTTPS to make it work, but clearly I forgot to change the port from 5985 to 5986. Trying to fix that, I even created a whole new certificate template....


If you are replacing the certificate, you need to reboot your server. Restarting the WinRM service is not enough.


Leave comments if you want




I just ran into this issue when trying to connect an iSCSI disk to a Windows 2012 cluster. No matter how hard I tried, it just disappeared from Failover Cluster Manager.
I googled it and found this:

What types of drives can I use with Storage Spaces?

You can use commodity drives attached via Serial-Attached SCSI (SAS), Serial ATA (SATA), or USB. Storage layers that abstract the physical disks are not compatible with Storage Spaces. This includes VHDs and pass-through disks in a virtual machine, and storage subsystems that layer a RAID implementation on top of the physical disks. iSCSI and Fibre Channel controllers are not supported by Storage Spaces.
RAID adapters, if used, must be in non-RAID mode with all RAID functionality disabled. Such adapters must not abstract the physical disks, cache data, or obscure any attached devices including enclosure services provided by attached just-a-bunch-of-disks (JBOD) devices. Storage Spaces is compatible only with RAID adapters that support completely disabling all RAID functionality.
Yes, in Windows Server 2012 you are able to leverage Clustered Spaces only for SAS connected JBODs.

To explain the philosophy/rationale behind this: In Windows 8 (equally applicable to Windows Server 2012), Storage Spaces enables delivery of a new category of highly capable storage solutions at dramatically lower price-points & maximized operational simplicity. In doing so, we have strived to ensure a predictably consistent usage experience (irrespective of storage component hardware failures) while delivering excellent performance. Our internal testing exposed complex interactions when combining Spaces with “storage arrays” connected via iSCSI and/or FC. Therefore, for Windows 8 (Windows Server 2012), we are constraining Spaces based deployments to SAS connected JBODs (for business critical deployments), and SATA/USB connected disks (for home/enthusiast/small-business customers).


Stand by for answer from Microsoft



I have found a solution for how to connect an iSCSI server to VMM, though not via the cluster. I will write a new post about how to do it. However, I am still waiting for the MS reply regarding this interesting thing.


With a fresh installation of Windows 2012 and Windows 8, you can't access old SMB or CIFS shares correctly.

The solution is as follows.

  • To enable SMBv1 on the SMB client, run the following commands:

      sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

      sc.exe config mrxsmb10 start= auto

  • To enable SMBv2 and SMBv3 on the SMB client, run the following commands:

      sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

      sc.exe config mrxsmb20 start= auto




Run the following PowerShell commands to disable the new secure negotiate on SMB 3, which some third-party devices don't support.

Be aware that once you disable this secure negotiate, you need to disable it on all Windows 8 and Windows 2012 machines in your environment so they can talk to each other. Both settings remove SMB's protection against tampering with the session, so limit them to the machines that must talk to the third-party device.


Set-SmbClientConfiguration -RequireSecuritySignature $false


Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" RequireSecureNegotiate -Value 0 -Force

One of the most common pieces of software is Microsoft Office 2010. We all want it installed, regardless of whether it's on a physical machine or VDI. There are so many different options you can choose, and so many issues you may face. This post focuses on deploying Microsoft Office 2010 to VDI via App-V.


Why do we need to use App-V?

App-V allows the user to stream down only the parts of an application it really needs when it runs. With a VDI solution, if we don't use App-V we may install the entire Office 2010 on each VDI VM, and if you have 100 VDI VMs in your environment that can easily use 200 or 300 GB of precious SAN space just for this one piece of software. App-V has tons of benefits, so I am not going to explain them in too much detail.


Why don’t people use App-V Office?

Well, reason No. 1: it's complicated. App-V involves so many different technologies, and all of them have to work together. The second reason is that App-V still has some limitations with one app working with another, since each app is supposed to work in its own sandbox. But this is going to change with App-V 5.0 SP1 and other tools to help you deploy Office.

With no further ado, let's start.

Environment introduction


Testhyp02: Windows 2012 with Hyper-V running on it; the App-V Server & Management components have been installed. For more details, please see my last post.


All workstations are VMs running on Hyper-V.

You will need to have at least two workstations.


Windows 7 SP1, 32-bit (as the App-V sequencing server to capture the software installation)


Windows 7 SP1, 64-bit (as the VDI template to run the App-V software).


You must use Windows 7 with Service Pack 1 as the client; Win7 without SP1 doesn't support the App-V client. You must use 32-bit for the App-V sequencing server, since certain software only has a 32-bit version!

Preparation for your VMs:

Now I must ask you to focus on the preparation of your VMs before you start installing.

  1. Build a Windows 7 32-bit SP1 VM from scratch (64-bit if it is VM2)
  2. Make sure you have installed Integration Services
  3. Make sure you have joined the VM to your domain
  4. Disable the firewall
  5. Create an Install folder under c:\


  Search the Internet and download the following software to c:\install\Other Tools

Notice: you need both the 32-bit and 64-bit PowerShell to install on VM1 and VM2.

  6. Install the above software

  7. Download the following software and put it into c:\install\AppV Prep


You need both the 32-bit and 64-bit versions of the Deployment Kit

  • Office 2010 SP1 Professional Plus 32-bit ISO (extract to a folder)
  • Office 2010 SP1 Professional Plus Volume License key (XXXXX-XXXXX-XXXXX)
  • Microsoft Desktop Optimization Pack (it contains the App-V 5.0 SP1 non-RDS client)
  • Microsoft Application Virtualization 5.0 SP1 (from the Volume License Portal)



You need to extract the Office Deployment Kit to a separate folder, as the picture above shows. Also extract the Sequencing kit.



Extract the Office 2010 Professional Plus ISO (must be 32-bit) to a folder. Only 32-bit Office works with the integration, and it works on both 32-bit and 64-bit Win7.

Copy App-V_Seq_Kit into the Office folder, and the Deployment Kit as well.





Deploy the Office 2010 App-V Kit

There are lots of articles about it on the Internet. In this case, I'm using a MAK to register.


A few things about this deployment.

1. You must use an elevated CMD to run this command

2. You must NOT use PowerShell to run it; it won't work

3. While it is running, don't jump into services.msc to check what's new; it will crash the installation


What this command does is install a licensing service, like KMS, on the local PC with the Office 2010 volume serial number, to make sure the Office applications work correctly.

After installation, you can open services.msc and see whether it works or not.



Install the App-V Sequencer

Install the App-V Sequencer on VM1, which is running Windows 7 SP1 32-bit with the "Other Tools" installed first. Add an IP address and DNS, join the domain, disable the firewall and copy all the above software onto VM1.

You shouldn't have any issue running the App-V Sequencer.





Run the App-V Sequencer and follow these steps


Add keys like the following

Open the "Exclusion Items" tab and add the following, each with Mapping Type = "VFS":

  • [{Common AppData}]\Microsoft\OfficeSoftwareProtectionPlatform
  • [{Common AppData}]\Microsoft\Windows






Capture Office 2010 with the Package Accelerator

Yes, you are very lucky that Microsoft has this Package Accelerator, which does lots of the work for you.

Now it's time to start the App-V Sequencer.








If you don't have the Package Accelerator, you have to capture the Office installation procedure yourself and hope it's a clean capture!




With the Package Accelerator's help, the system generates 3 copies of the .appv file, with some modification in each. All you need is the last version, with the integration embedded.








The following is the first version.


Continue to capture the run-time parameters; do not run the SharePoint and Outlook components.












Now start the integration procedure.





You need to be patient, since VM1 is loading a 1.5 GB Office installation .appv file.









Save your package to a new folder.



Deploy Office 2010 with App-V

Add your App-V package




Set up a connection group and grant the Domain Users group permission to connect



Set up package access permission for Domain Users





Log on to the publishing port to test

If it is empty like below, then it's time to run IISRESET on the App-V server.



Check again



Deploy on VDI client

This is VM2, which needs all the "other tools" listed above installed.

The App-V client must be installed on this template machine, which will be used to deploy VDI.

There are two types of client: with RDS and without RDS. The RDS version is used on a Session Host. In this case, we use the version without RDS.








You also need to run Set-AppvClientConfiguration -EnablePackageScripts 1




Wait for 5 minutes; the Office applications should be pushed down to this client.




Prepare VM for VDI




Once you create a new pool and deploy the VM as VDI, Office 2010 will just work.


Please leave any feedback.




How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0 using a Package Accelerator