Tuesday, October 12, 2021

How to set up Mimecast Personal Portal to authenticate to DUO Cloud SSO (SAML2) 2021

 Here is how to set up Mimecast to work with Duo's Cloud SSO.  The online instructions are confusing and inaccurate.


DUO SSO-
Deploy and configure DUO SSO if you haven't already.
https://duo.com/docs/sso

DUO Application-
In Duo, go to Applications and click Protect an Application. Search for Generic; there will be two Generic Service Providers. Select the one that says "2FA with SSO hosted by DUO".

Fill in the following-
Entity ID- us-api.mimecast.com.ACCOUNTCODE (replace ACCOUNTCODE with your account code; it will be something like CUSA88U99)
Assertion Consumer Service (ACS) URL- https://us-api.mimecast.com/login/saml
Copy the Metadata URL to Notepad; you'll need it later.
Name (under settings)- Mimecast
Leave everything else alone and click Save.

Mimecast-
Administration, Services, Applications, Authentication Profiles, Default Authentication Profile.
Check the box that says "Enforce SAML Authentication for Mimecast Personal Portal"
Provider- Other
Metadata URL- paste the Metadata URL you copied earlier.  Click Import.
Click Save and Exit.
Repeat above if you want to enforce User Applications.
Repeat above in Administration, Services, Applications, Authentication Profiles, Account_Administrators_Authentication_Profile if you want to enforce it for admins.



Thursday, September 30, 2021

Start Menu won't open for users on Windows Server 2016

 1. DISM /Online /Cleanup-Image /RestoreHealth

2. Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

3. Delete this folder for each user: C:\Users\username\AppData\Local\TileDataLayer

Wednesday, September 29, 2021

Chrome "You cannot visit localhost right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."

 

You get- "You cannot visit localhost right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."

IF YOU'RE CERTAIN the page is safe, you can type thisisunsafe and you will be able to reach the site.



Tuesday, September 28, 2021

Delete or Disable AD account but keep mailbox in Office 365

You want to keep a user's mailbox indefinitely, however, you do *not* want to keep their AD account (or you want it disabled).  Converting it to a shared mailbox still anchors it to their AD account, so purging that deletes the mailbox.


 - Delete or Disable the account in AD, or, move the account to an OU not synced by AD Sync

 - Run an AD Sync.

 - Ensure the account is gone in Office 365. 

 - In Office 365 Admin Center, open the Azure Active Directory Admin Center.

 - Go into Users, Deleted Users, find the user in question, check the box and click "Restore User".

 - Go into the user's cloud account and reapply the license.

 - Once their mailbox is in Exchange Admin Center, convert the mailbox to a shared mailbox.

 - Remove the license from their user account.

Saturday, September 18, 2021

You get HTTP 500 after Exchange Security Update (SU)

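# Show the Auth certificate Exchange is currently configured to use
(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

# Create a new Auth certificate and note the thumbprint it returns
New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

# Point the auth configuration at the new certificate, effective now
Set-AuthConfig -NewCertificateThumbprint <ThumbprintOfNewCertificate> -NewCertificateEffectiveDate (Get-Date)

# Publish the new certificate, then clear the previous one
Set-AuthConfig -PublishCertificate

Set-AuthConfig -ClearPreviousCertificate

# Restart IIS
IISReset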

Friday, September 17, 2021

VEEAM B&R- Warning Skipping credentials backup because the encryption is disabled.

 In Veeam Backup and Replication you get the notification "Warning Skipping credentials backup because the encryption is disabled. This will complicate the restore process significantly. Enable configuration backup encryption to stop receiving this warning."


Personally, I do not want the credentials stored in the configuration backups, so this is the desired behavior.  To suppress this warning-

HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication "ConfigurationBackupSuppressEncryptionWarning", DWORD, value "1"

Sunday, September 12, 2021

Upgrade VMware ESXi from CLI

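SSH into the ESXi server. To enable SSH, in vCenter go to Configure, scroll down to Services under System, and start the SSH service.

From SSH-
Disable Firewall (this enables the outbound httpClient ruleset so the host can reach the depot)-
esxcli network firewall ruleset set -e true -r httpClient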

All One Line-
esxcli software profile update -p <INSERT IMAGE NAME> -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

For example-
esxcli software profile update -p ESXi-8.0U1c-22088125-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Re-enable firewall (turn the httpClient ruleset back off)-
esxcli network firewall ruleset set -e false -r httpClient

If you have a VIB conflict, list the VIBs and remove the conflicting one.
esxcli software vib list |grep driver_name
esxcli software vib remove -n driver_VIB_name 

For example-
esxcli software profile update -p ESXi-8.0U3d-24585383-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
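
Added example (not part of the original post): a wrapper for the steps above that does a dry run first and always turns the httpClient ruleset back off, even when the update fails or the SSH session drops. The helper names upgrade_esxi and close_http_client are made up for this example; the esxcli commands are the ones shown above plus the --dry-run option of profile update.

```sh
#!/bin/sh
# Added example, not from the original post. upgrade_esxi and close_http_client
# are hypothetical helper names; the esxcli commands are the ones used above.
DEPOT="https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml"

close_http_client() {
    esxcli network firewall ruleset set -e false -r httpClient
}

upgrade_esxi() {
    profile="$1"
    if [ -z "$profile" ]; then
        echo "usage: upgrade_esxi <image profile name>" >&2
        return 2
    fi

    # Allow the host to reach the online depot.
    esxcli network firewall ruleset set -e true -r httpClient || return 1
    # If the session is interrupted, still close the ruleset before exiting.
    trap 'close_http_client; exit 130' INT TERM HUP

    rc=0
    # Dry run: resolves the profile and reports VIB changes without applying them.
    esxcli software profile update -p "$profile" -d "$DEPOT" --dry-run || rc=$?
    if [ "$rc" -eq 0 ]; then
        esxcli software profile update -p "$profile" -d "$DEPOT" || rc=$?
    fi

    trap - INT TERM HUP
    # Close the ruleset whether the update succeeded or not.
    if ! close_http_client; then
        echo "WARNING: httpClient ruleset is still enabled" >&2
        [ "$rc" -ne 0 ] || rc=3
    fi
    return "$rc"
}

# Run as: sh upgrade.sh <image profile name>
if [ "$#" -gt 0 ]; then
    upgrade_esxi "$1"
fi
```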


List profiles - Online
esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Use grep to filter the list for your version-

esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-6.7


If you get [MemoryError]-

esxcli system settings advanced set -o /VisorFS/VisorFSPristineTardisk -i 0
cp /usr/lib/vmware/esxcli-software /usr/lib/vmware/esxcli-software.bak
sed -i 's/mem=300/mem=500/g' /usr/lib/vmware/esxcli-software.bak
mv /usr/lib/vmware/esxcli-software.bak /usr/lib/vmware/esxcli-software -f
esxcli system settings advanced set -o /VisorFS/VisorFSPristineTardisk -i 1


https://williamlam.com/2024/03/quick-tip-using-esxcli-to-upgrade-esxi-8-x-throws-memoryerror-or-got-no-data-from-process.html