Friday, December 23, 2016

New Feature in SCCM 1610: Client peer cache

SCCM 1610 has a new feature called Peer Cache to improve content download in remote locations which don't have a local distribution point. It works like this:

  1. You enable this feature for SCCM clients through client settings by selecting the option called "Enable Configuration Manager client in full OS to share content".
  2. The SCCM client configures the necessary Windows Firewall ports on the client, but if there are any network firewalls, the ports must be opened there as well.
  3. When an SCCM client with Peer Cache enabled has a package, it tells the management point that it has the package.
  4. When another SCCM client asks for that content, the management point returns all distribution points and Peer Cache enabled SCCM clients that have it (if they are in the client's current boundary group).
  5. Peer Cache is fully an SCCM technology and does not rely on the Windows BranchCache feature.

Keep in mind that although this is a nice feature, you must not enable it for all clients and your boundary groups must be configured correctly for this to work as expected.

Microsoft documentation here

Windows Server 2016 New Features: Nested Virtualization

Nested virtualization is a new feature available in Windows Server 2016 and Windows 10 v1607 that allows you to run the Hyper-V feature inside a virtual machine.
There are some prerequisites for nested virtualization:

  • Hyper-V host or guest must be Windows Server 2016 or Windows 10 v1607
  • Guest must have configuration version 8.0 or higher
  • Host must have an Intel processor with VT-x and EPT technology.

Note also that the dynamic memory and hot add/remove memory features do not work in nested VMs.
Additional networking configuration is also necessary for this to work.

More info here:

Thursday, December 22, 2016

Changes in SCCM 1610 Boundary Group behavior

SCCM 1610 introduces changes to how boundary groups work. The main differences are the following:
1. There is a new term, relationships: these are the relations between boundary groups.
2. The boundary group that an SCCM client is in is now called its current boundary group.
3. Neighbor relationships can be defined between boundary groups. A neighbor relationship defines the period in minutes after which a client can fall back to the next boundary group.
4. Boundary groups are converted to the new model when SCCM is upgraded to version 1610.

So let's have an example. A client is in boundary group 1 (its current boundary group), which has a 30 minute neighbor relationship with boundary group 2. Each boundary group has one distribution point associated with it.
The client first tries to locate content on the DP associated with boundary group 1. If it does not get the content in 30 minutes, it also starts to query the DP in boundary group 2.

Here is full documentation

Friday, December 16, 2016

Windows 10 feature upgrade to v1607 fails with error 0xC1800118 when deployed through SCCM Servicing

I guess most of you already know that with Windows 10 you will have to do OS feature upgrades frequently to stay supported.
If you are using SCCM then this is done through feature called Windows 10 Servicing. It works almost the same as Auto Deployment Rules.
If you upgrade to Windows 10 v1607 through Servicing and get the 0xC1800118 error, then most likely you had not installed the required update when synchronizing the Upgrades classification in SCCM Software Update Point / WSUS.

These WSUS updates  and must be installed before you synchronize Upgrades classification.

To solve the 0xC1800118 error you must follow the steps described in the Workaround section of this KB article

FIXED: Outlook drag and drop does not work on Windows 10 v1607

Previously I blogged about an issue with the Outlook drag and drop feature in Windows 10 v1607. The issue has finally been fixed in the latest Windows 10 v1607 cumulative update KB3206632.

I installed the update and so far it seems that the problem is gone :)

Thursday, December 15, 2016

Step-by-step: How to create a virtual machine from VHD in Azure Portal

You cannot create a new VM from an existing VHD in the Azure web portal, so the only way at this point is to use PowerShell. Here are the steps to create a working VM from an existing VHD:

1. Upload the VHD to Azure using Azure Storage Explorer or another tool. Make sure that it really is in VHD format, that you upload it as a Page Blob, and that the OS in the VHD has been configured to obtain its IP address from DHCP.

2. Start PowerShell.
3. Run Login-AzureRmAccount to log in to the Azure tenant.
4. Use these commands:
$resourceGroupName = "ResourceGroupName"

$virtualNetworkName = "VirtualNetworkName"

$virtualNetwork = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroupName -Name $virtualNetworkName

5. Create a network interface in the Azure Portal.
6. Use these PowerShell commands:
# Create the VM in the same region as the virtual network
$locationName = $virtualNetwork.Location

$networkInterface = Get-AzureRmNetworkInterface -Name "NetworkInterfaceName" -ResourceGroupName $resourceGroupName

$vmConfig = New-AzureRmVMConfig -VMName "VMName" -VMSize "Standard_D1_v2"

# Replace UploadedVHDUrl with the URL of the uploaded VHD
$vmConfig = Set-AzureRmVMOSDisk -VM $vmConfig -Name "VirtualDiskName" -VhdUri "UploadedVHDUrl" -CreateOption Attach -Windows

$vmConfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -Id $networkInterface.Id

$vm = New-AzureRmVM -VM $vmConfig -Location $locationName -ResourceGroupName $resourceGroupName

You can obtain the VHD URL from Azure Storage Explorer by right-clicking the VHD.
After you execute the last command it will take a while to create the VM.

Saturday, December 10, 2016

Delegate Unlock Account permissions in Active Directory

To delegate "Unlock account" permissions follow these steps:
1) Open the Active Directory Users and Computers console;
2) Select Properties for the target Organizational Unit where you want to delegate permissions;
3) Select the Security tab and then click Advanced;
4) Add the user to whom you want to delegate permissions and select to apply to "Descendant User objects":
5) Select the permissions Read lockoutTime and Write lockoutTime:

And that's it!
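
The same delegation done from the command line, followed by a check of which trustees end up able to write lockoutTime on users in the OU. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module and dsacls.exe are available, and the OU, group and function names are placeholders.

```powershell
# Added example, not from the original post. Run as an account that is allowed
# to edit the ACL of the OU. The OU and group names are placeholders.
Import-Module ActiveDirectory

$ouDn     = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$delegate = 'EXAMPLE\Helpdesk-Unlock'      # placeholder group

function Get-SchemaGuid {
    # Look up the schemaIDGUID of an attribute or class by its LDAP display name.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

function Grant-UnlockDelegation {
    param([Parameter(Mandatory)][string]$OuDn,
          [Parameter(Mandatory)][string]$Trustee)
    # RP/WP = read/write property. /I:S applies the ACE to child objects only,
    # and the trailing ';user' limits it to user objects, which is what
    # "Descendant User objects" selects in the GUI.
    & dsacls.exe $OuDn /I:S /G "${Trustee}:RPWP;lockoutTime;user" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }
}

function Get-UnlockCapableTrustee {
    # List Allow ACEs on the OU that let a trustee write lockoutTime on users:
    # either the narrow ACE created above, or a broader write-all-properties /
    # full-control ACE. ACEs granted on property sets are not evaluated here.
    param([Parameter(Mandatory)][string]$OuDn)
    $lockoutTime = Get-SchemaGuid 'lockoutTime'
    $userClass   = Get-SchemaGuid 'user'
    $writeProp   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    foreach ($ace in (Get-Acl -Path "AD:\$OuDn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll and GenericWrite both contain the WriteProperty bit.
        if (($ace.ActiveDirectoryRights -band $writeProp) -eq 0) { continue }
        # The ACE must reach user objects: scoped to user, or unscoped.
        if ($ace.InheritedObjectType -notin @($userClass, [guid]::Empty)) { continue }

        $scope = if ($ace.ObjectType -eq $lockoutTime) { 'lockoutTime only' }
                 elseif ($ace.ObjectType -eq [guid]::Empty) { 'all properties' }
                 else { $null }
        if (-not $scope) { continue }

        [pscustomobject]@{
            Trustee         = $ace.IdentityReference.Value
            Scope           = $scope
            Rights          = $ace.ActiveDirectoryRights
            InheritanceType = $ace.InheritanceType
            IsInherited     = $ace.IsInherited
        }
    }
}

Grant-UnlockDelegation -OuDn $ouDn -Trustee $delegate
Get-UnlockCapableTrustee -OuDn $ouDn | Sort-Object Scope, Trustee | Format-Table -AutoSize
```

Rows with the scope "all properties" are trustees that could already unlock accounts before the delegation; the new group should appear once with the scope "lockoutTime only".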

Friday, December 9, 2016

Enable Windows Firewall remotely, through registry

If you happen to be in a situation where you have remote registry access and need to disable Windows Firewall through the registry, then open this registry key


Select the necessary firewall profile (DomainProfile, PublicProfile, StandardProfile) and modify the EnableFirewall value to 0:

Then restart the Windows Firewall service and the firewall will be disabled.

Tuesday, December 6, 2016

Outlook drag and drop does not work on Windows 10 v1607

Previously I wrote here and here about Outlook drag and drop issues.
The problem again appeared on my Windows 10 v1607 with Outlook 2016 (365) machine. As I use this feature all the time, I wanted to find out the root cause.
After some googling I found that this is a bug with Windows 10 v1607 and hopefully will be fixed in mid-December, as written here

Sunday, December 4, 2016

Windows Server 2016 New Features: Hot Add/Remove Network adapter for VM

One more cool feature on Windows Server 2016 Hyper-V host is that you can add/remove network adapters while the VM is running.
This works only for Generation 2 VMs, but both on Windows and Linux VMs.

Saturday, December 3, 2016

Windows Server 2016 New Features: Hot Add/Remove Memory for VM

Starting from now on I will blog about new features in Windows Server 2016.
The first one is about a new feature in Hyper-V - starting from Windows Server 2016 (and also Windows 10 v1607) you can add or remove memory for a guest virtual machine while it is running. If you do this, the actual memory amount in the guest VM's Task Manager will also change.

The requirement for the guest OS is Windows 10 or Windows Server 2016. This feature works for both Generation 1 and Generation 2 virtual machines.

Friday, November 25, 2016

Windows Server 2016 will have different features in Standard and Datacenter editions

Windows Server 2012 R2 had the same feature set for Standard and Datacenter editions, the only difference was how many OS instances each edition allowed to run.

Windows Server 2016 is different - Standard and Datacenter don't have the same feature set. Check this link 

In which branch is Windows Server 2016 - current branch or LTSB?

There are many articles which describe update branches for Windows 10, but that's not the same for Windows Server 2016. I have heard a lot of people asking if Windows Server 2016 will have the same branch configuration as Windows 10.
So here is the answer - "Windows Server 2016 with Desktop Experience" and "Windows Server 2016 Core" will work as LTSB, that is the same way as previous Windows Server editions have worked.
But "Windows Server 2016 Nano Server" will work in current branch, that is it will receive full updates each 6 months or so.

"Available updates will be downloaded and installed automatically" in Windows Server 2016

If you check for updates in Windows Server 2016, then it always shows that "Available updates will be downloaded and installed automatically, except over metered connections (where charges may apply)."

If you change update behavior as described here, then it still shows the same.

Microsoft says that it is interface bug and it will be fixed in future releases.

Monday, November 21, 2016

Updated: How to change Windows Update behavior in Windows Server 2016

Previously I wrote about Windows Update behavior in Windows Server 2016.
So at this point there is no way to change Windows Update behavior from GUI in Windows Server 2016 and the default value is "Download Updates only".

To change this:
1. Open Command Prompt.
2. Type sconfig
3. Select 5, to configure Windows Update

4. Select one of three options - Manual (which never checks for updates), DownloadOnly (which is the default and only downloads updates), Automatic (which downloads and installs updates automatically)

Force SCCM 1610 update to appear in console

If the SCCM 1606 update does not appear in console, then use this script and follow these steps:
1. Extract the .ps1 file from the downloaded .exe.
2. Run the .ps1 with PowerShell on the SCCM Site server
3. Check for updates in SCCM console

Saturday, November 19, 2016

Configure Windows 10 Start Menu with group policies

Since Windows 10 v1607 there are group policies to configure the Windows 10 Start Menu, and there is no science there; it's a four step process:
1. Configure the Start Menu as you wish.
2. Export it to an .xml file using the Export-StartLayout PowerShell cmdlet.
3. Copy it to a share where users can read it.
4. Configure this group policy: User Configuration / Computer Configuration > Administrative Templates > Start Menu and Taskbar > Start Layout

The thing to note is that at this point group policy works only in Windows 10 v1607 and in Enterprise and Education versions.

WSUS doesn't synchronize after reinstalling on SCCM server and causes 100% CPU

Several times I have had to reinstall WSUS on an SCCM server; you can do it and it is not a very complicated process. But the last time I did it, on a Windows Server 2012 R2 box with SCCM 1606, WSUS did the initial sync after the reinstall and then failed.
In addition to that I saw 100% CPU usage for 10-15 minutes and then it stopped, also causing the WSUS service to stop.
The cause of this is that WSUS initially has lots of requests to process and lacks resources. So you have to configure the WSUSPool application pool to have enough resources. Follow these steps:

1. Open IIS Manager;
2. Go to Application Pools, select WSUSPool
3. Select Advanced settings
4. Modify these values to
Queue Length = 3000
Private Memory Limits = 7843200 or 0 (which means there is no limit)

Windows 10 v1607 capture with SCCM fails with error code 0x00004005

I have been doing OS captures with SCCM created capture CD for ages and it always has been an error prone process, but that's not true with Windows 10.

In this situation it was necessary to create an additional local user account in the captured image, which was the problematic part in the end.
I did everything as usual - prepared the image, inserted the capture CD and let the process capture the WIM image. But sysprepping the image failed with error 0x00004005.
Further digging into c:\System32\Sysprep\Panther\setuperr.log revealed error 0x80073cf2 and an error message that some modern apps like Twitter, Candy Crush, BingNews "was installed for a user, but not provisioned for all users".

At first I tried to remove these apps, but there always appeared a new app which "was installed for a user, but not provisioned for all users". I didn't want to remove all apps. So after a little bit of playing around I was able to avoid the error by doing the capture with the built-in administrator account and deleting all other user profiles before the capture.

Friday, November 18, 2016

Step-by-step: Move virtual machine from local disks to highly available Hyper-V cluster

By accident someone had created a virtual machine on the server's local disks, not on a Cluster Shared Volume (CSV). So this VM was not highly available, but had to be.
The process to make the VM highly available was actually not so difficult and consisted of two steps:

1. Move VM files to CSV disk. To do this open Hyper-V Manager, right-click VM, select Move, in the Wizard select to move virtual machine storage

then select to move all VM files:

For the new destination specify the Cluster Shared Volume.

2. From the Failover Cluster Manager console right-click Roles, select Configure Role. For the role type select "Virtual Machine":

In the next step you will be able to see the VM that is not yet highly available. Finish the Wizard and the VM will be highly available. That's it!

The only thing to note is that for Windows Server 2012 Hyper-V cluster the VM can be online, but for Windows Server 2008 R2 clusters the VM must be offline.

Wednesday, November 16, 2016

Windows 10 Feature update installation fails with error 0x80240020 when using SCCM servicing

Finally I had a chance to test out Windows 10 Servicing in SCCM, so everything was set up and on my Windows 10 v1511 machine I had deployed an upgrade to Windows 10 v1607, but it failed with error code 0x80240020. Event log wrote 0x80240022 error.
Anyway, I resolved this by deleting all the files in C:\Windows\SoftwareDistribution\Download directory. After this I was able to successfully update Windows 10 to v1607.

Windows Update logging has been moved to Event Viewer in Windows 10 v1607

In previous Windows versions if you had problems with Windows Update, the first place to look for detailed information was C:\Windows\WindowsUpdate.log file.
In Windows 10 v1607 WindowsUpdate.log file doesn't log any information, instead logging has been moved to System log in Event Viewer.

WindowsUpdate.log now says:

Windows Update logs are now generated using ETW (Event Tracing for Windows).
Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log.

For more information, please visit

Tuesday, November 15, 2016

SCOM 2012 R2 Agent push fails with Error Code: 80004021

If you are pushing the SCOM 2012 R2 agent and it fails with error code 80004021 and the error description "The operation attempted is not supported",

then one of the possible causes is that there is already a SCOM agent on the server. In my case there was an Operations Management Suite (OMS) agent, which was installed for testing purposes.
To solve the error, uninstall the OMS agent.

Monday, November 14, 2016

SOLVED: Windows 10 v1607 LTSB does not activate from KMS server

If you are using Windows 10 v1607 LTSB and they do not activate against your KMS server even if Windows 10 v1511 are successfully activating, then you have to:

  1. Install Windows 10 v1607 KMS key on KMS server;
  2. Apply hotfix KB3172614

Saturday, October 29, 2016

Windows Update behavior in Windows Server 2016

Configuring Windows Update in Windows Server 2016 is a bit confusing.
If you open update settings, it says that updates will be downloaded and installed automatically, which is really not good for a server:

Even worse is the fact that there is no option to change this behavior from the Update Settings section.

The good news is that this is not actually true. If you open Server Manager, it will say that it will download updates only:

Configure Windows Update settings through registry

If you ever wondered which registry settings control Windows Update behavior, then here is the answer.
This key has values which control the Windows Update:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

For example, AUOptions refers to this dropdown

If AUOptions value is set to 3, then Windows Update is configured to "Download updates but let me choose whether to install them"

Check out the new Software Center in SCCM Current Branch

In SCCM Current Branch there is a new Software Center available. It looks different:

and you can enable it by modifying the Client Settings policy in the SCCM console: navigate to Administration - Overview - Client Settings, choose a client settings object and in the Computer Agent section set "Use new Software Center" to Yes.

The coolest thing about the new Software Center is that users can install applications directly from it and do not need Silverlight installed on their machines.

Easy tip how to fix Microsoft Word heading numbering

Recently I have heard many complaints about Microsoft Word heading numbering.
So here is an easy tip how to sort things out.

1. Go to the Paragraph section in Word ribbon.
2. Select Multilevel list 
3. In the List Library section choose numbering with headings:

Friday, October 28, 2016

Change DNS to custom for Azure Virtual Machine restarts all servers in Availability set

Azure Virtual Machines can use custom DNS servers (instead of inheriting DNS servers from the VNET configuration), which is a good and 100% necessary feature.

The thing you have to note is that if you have set up an Azure VM and it is part of an availability set, then changing the VM's configuration to custom DNS will restart the VM and all other servers which are part of the availability set.

Backup Certificate Authority database from command line

Here is a command you can use on Windows Server 2012 R2 and other OSes to backup Certificate Authority database from command line:

certutil -backup -p "password" -f -gmt -seconds -v \\ServerName\ShareName\

Updated: Outlook drag and drop emails doesn't work in Outlook 365 v2016 (build 16.0.7167.2060)

Previously I wrote some solutions when drag and drop emails function doesn't work in Outlook.

It appears that for me this was a problem with Outlook 365 v2015 build 16.0.7167.2060. After updating Office 365 Pro Plus to version 16.0.7329.1017 there are no more problems with drag and drop for me.

Saturday, October 22, 2016

Limitations when using Azure Backup and MARS agent

Azure Backup is promising to be a good feature for small on-premises environments and all-in-Azure environments.

If you are using Azure Backup then there are two options - backup Azure objects or use MARS (Microsoft Azure Recovery Services) agent on on-premises servers.

Currently if you are thinking of Azure Backup, then keep in mind that it:

  • For Azure it allows only full Azure virtual machine backups;
  • For on-premises servers it allows only file level backups if no other Azure Backup components are installed on-premises.

Friday, October 21, 2016

ShrewSoft VPN failed to attach to key daemon error

If you are using ShrewSoft VPN client and suddenly it does not connect with error "failed to attach to key daemon", then most likely one or all of the ShrewSoft services are not working.
Start these services to solve the issue:

  • ShrewSoft DNS Proxy Daemon
  • ShrewSoft IKE Daemon
  • ShrewSoft IPSEC Daemon

Drag and drop does not work in Outlook 2013 /2016

Drag and drop has been a nice feature in Outlook for a while and it certainly helps to quickly move emails to folders and keeps things sorted. 
What if this feature stops working? I have found the following solutions for Outlook 2013 and 2016:
1. Right-click the email, select Move and then select the folder (this actually doesn't solve the issue);
2. When Outlook is opened, press the Esc button several times and drag and drop will start working again;
3. Use drag and drop with the right mouse button and then drag and drop will start working again.

Saturday, October 15, 2016

Windows Server 2016 Exam numbers

If you wanna get certified with Windows Server 2016, then start with MCSA (Microsoft Certified Solutions Associate) required exams:

70-740: Installation, Storage, and Compute with Windows Server 2016
70-741: Networking with Windows Server 2016
70-742: Identity with Windows Server 2016

Also note that at this point these exams are still in development stage.

Change system locale (language for non-unicode programs) on Windows 10 / Windows 7 using group policies or registry

There are no builtin options in group policies to change system locale (language for non-unicode programs) on Windows 10 / Windows 7, so you have to use registry.
These three registry values control the system locale:


To find out the necessary registry values, change the system locale to the needed one on a test computer, watch these values change and then deploy them using group policy preferences. After these registry values are changed, a restart is required for them to take effect.

For example English (United Kingdom) has following values:


Friday, October 14, 2016

Solved: Cannot delegate permissions in Azure AD for Microsoft live account

I needed to do a simple task, but in the end it wasn't as simple as I would imagine.
I had to delegate a User Admin role to a specific account.

So I went in Azure AD to User section, clicked Add, selected necessary Microsoft Live account, selected User Admin role. But the user didn't get those permissions.
More confusing was the fact that for other user this worked.

So after calling Microsoft support we found out that there already existed a user with the same name (email address), that this user was synced to a different Azure AD from local AD, and that the target user was not logging on with his Microsoft Live account, but with the synced user.

The resolution to this was to select "User in another Microsoft Azure AD directory" when delegating permissions:

Updated: Microsoft changes the way updates are released for Windows operating systems starting from October 2016

Here is update to my previous post after October patches have been released.

So my hope that there will be two updates has disappeared, there are still around ten security bulletins, but this is how it will work from now on for Windows 7 / 8.1 / Server 2012 / Server 2012 R2:

1. There will be a rollup update for all security updates in each month. All subsequent rollups will include previous security fixes since October 2016. This update will be released on the second Tuesday.
2. There will be a rollup update for all security and non-security updates in each month. All subsequent rollups will include previous security and non-security fixes since October 2016. This update will be released on the second Tuesday.
3. There will be a rollup update for all non-security updates in each month. All subsequent rollups will include previous non-security fixes since October 2016. This update will be released on the third Tuesday.
4. There will be a separate update for Internet Explorer.
5. There will be separate rollup updates for .NET Framework: one will be security only and the second will be a security and non-security rollup.

More info here:

Saturday, October 8, 2016

Solve post-upgrade issues after SCCM primary site server Windows Server upgrade from 2008R2 to 2012R2

Previously I wrote how to upgrade Windows Server OS from 2008 R2 to 2012 R2 on SCCM primary site server.
Here are a few post-upgrade issues you can encounter:

1. After reinstalling WSUS and forcing Software Update Point (SUP) to sync, the initial sync fails with following error in wsussync.log

Sync failed: WSUS update source not found on site XXX. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource

To make things more complicated, WCM.log doesn't show any errors.
To solve this you have to uncheck the newest (or all) products which are syncing with WSUS, do the sync, then re-add all necessary products and sync again.
I suspect this is because WSUS after a fresh install doesn't know all the newest products (like Windows 10, Office 2016, Windows Server 2016), but it syncs these products at first sync. The error occurs when WSUS tries to sync products of which it doesn't have knowledge.

2. Remote SCCM consoles cannot connect to site server. SMSAdminUI.log shows following errors:

\r\nSystem.Management.ManagementException\r\nAccess denied \r\n   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
:System.Management.ManagementException\r\nAccess denied \r\n   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)

This is because during the upgrade the site server has lost some permissions. To re-add these permissions on the site server:

  • Open wmimgmt.msc
  • On WMI Control click Properties
  • Select Security
  • Navigate to Root --> SMS
  • Click Security. Add Enable Account and Remote Enable for the local SMS Admins group
  • Navigate to Root --> SMS --> site_XXX
  • Click Security. Add Execute Methods, Provider Write, Enable Account and Remote Enable for the local SMS Admins group

After re-adding those permissions you will be able to connect again.

Friday, October 7, 2016

Step-by-Step: Upgrade Windows Server from 2008 R2 to 2012 R2 on SCCM primary site server

Since the release of SCCM 1602 it is supported to upgrade Windows Server OS on SCCM site server from 2008 R2 to 2012 R2, before that it was not supported.

Here is a step by step how to do this:

1. Backup SCCM and Windows Server.
2. Uninstall Software update point and WSUS
3. Disable SMS_Executive, SMS_Component_Manager services (this is not required, but I did this).
4. Restart Windows.
5. Upgrade Windows Server to 2012 R2.
6. Enable, set startup type to Automatic and start these services: "World Wide Web Publishing Service" and "Windows Process Activation Service"
7. Go to IIS Manager -> Application Pools. You will see the following picture:

For "Classic .NET AppPool" select v2.0 in the ".NET CLR Version" field; for the others select v4.0.

8. Install WSUS and this hotfix to make installation of Windows 10 upgrades possible.
9. Start SCCM services, install Software update point.
10. Install Windows Updates.
11. Check in SCCM Component Monitoring that everything works.

Thursday, October 6, 2016

Adobe Flash updates deployed with SCUP fail on Windows 8.1 and Windows 10 with error 0x80246002

If you are using SCUP and all updates through it are deployed correctly except Adobe Flash updates on Windows 8.1 and Windows 10 computers (WUAhandler.log shows 0x80246002), then be informed that this is not possible; the discussion about this topic is here

This is because Adobe Flash is integrated in these OSes and is updated through standard Windows updates.

Wednesday, October 5, 2016

How to solve black screen issue when logging to Windows Server Core through RDP

Today I had to do some maintenance tasks on a server with Windows Server Core OS. I logged onto server through RDP, but command prompt didn't show up. I disconnected RDP session then connected back, but that didn't solve the issue. Obviously the command prompt was gone and on server core there is nothing more when you connect to it.
This is how I solved the issue:
1. Ran this command to get logged on users and respective session IDs
2. Ran this command to log off my session:
I reconnected through RDP and command prompt was there, so I could perform my maintenance tasks.

Saturday, October 1, 2016

Cannot connect to Azure WebApp / App Service which is integrated to VNET

Here is a limitation when you integrate your Azure WebApps / App Services to VNET.

Traffic is possible only one way - that is from Web App to VNET, not the other way round. Here is a quote from official documentation, which is not so obvious when you read the document in first place:

VNET Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network. Private site access is only available with an ASE configured with an Internal Load Balancer (ILB). 

SOLVED: WSUS synchronization history loading takes long time

If you want to view the WSUS synchronization history, but it takes a very long time to load, then you have to clear the WSUS synchronization history from the database.
You can do it with the following query:

DELETE FROM tbEventInstance WHERE EventNamespaceID = '2' AND EVENTID IN ('381', '382', '384', '386', '387', '389')

Note also that if you have internal database, then connection to DB is slightly different. See this article for more information.

Thursday, September 29, 2016

Microsoft changes the way updates are released for Windows operating systems starting from October 2016

Starting from October 2016 Microsoft will change the way updates are released. There will no longer be individual patches, but instead there will be a single update that will contain all patches.
There will be two types of updates:
1. Monthly rollup: this update will contain all security and non-security updates and it will supersede all previous monthly rollups.
2. Security-only: this update will contain only security patches released in the current month and will not supersede previous security-only updates.

More info here

Tool to generate configuration.xml for Office 365 ProPlus deployment with Office Deployment Tool

If you are familiar with Office 365 ProPlus deployment, then you know that you have to generate a configuration.xml file for deployment.
Here is a tool which will greatly assist in creating configuration.xml file

Wednesday, September 28, 2016

Proofing Tools available as separate download for Office 2016, finally

Office 2016 was released some time ago, but unfortunately there was no separate download available for just the proofing tools.
Proofing tools were bundled inside Language Accessory Packs, so you could not install just the proofing tools.
Recently Microsoft has finally released separate Proofing Tools.

Friday, September 23, 2016

SCCM Client Health check fails with third party antivirus on Windows 10 computers

Previously I explained how SCCM Client Health check process works, which describes general troubleshooting steps if you are having SCCM Client Health check issues.

Now about an exact issue - you are using a third party (something other than Microsoft) antivirus and the health check fails on Windows 10 computers. Probably in ccmeval.log you also see that these checks are failing:
- Verify/Remediate Antimalware service status for Windows 10 or up.
- Verify/Remediate Antimalware service startup type for Windows 10 or up.

The root cause of this is that the third party antivirus (or you, with a group policy) has disabled Windows Defender from starting, but at the same time the computer is still set in Client Agent settings to have Endpoint Protection managed:

To resolve the issue you must remove the Endpoint Protection policy from the computer. If the SCCM client does not manage Endpoint Protection, then the Client Health check will not perform tests against the Microsoft Antimalware and Windows Defender services.

SCCM Client Health Check process explained

So here is a short explanation of how the SCCM Client Health Check process works.

1. The SCCM agent creates a Scheduled Task called "Configuration Manager Health Evaluation" which runs approximately once a day.
When this task starts, it creates and writes information to CcmEvalTask.log in the SCCM client logs folder.
2. The task starts the C:\WINDOWS\CCM\ccmeval.exe file, which in turn logs information to the CcmEval.log file.
3. Output information is sent to the Management Point with state messages, which by default is done every 15 minutes. You can monitor state message sending to the server in StateMessage.log

Removing Azure AD Directory Integration gets stuck on Deactivating

Nowadays it is pretty common to synchronize local Active Directory with Azure AD or Office 365, but this time I had to remove Directory integration between local AD and Azure AD. 

So I went to Azure portal, selected directory, chose Directory Integration tab and clicked Deactivate button. Azure started to work and status turned to Deactivating... I waited and waited, but it was stuck.
As it turned out, this process can take up to 72 hours. I didn't measure it exactly, but in about three days the Directory Integration status switched to Deactivated.
So waiting is the answer :)

Thursday, September 22, 2016

Step-by-step: How to activate Windows 10 computers with Windows Server 2012 R2 KMS server

If you have a Windows Server 2012 R2 KMS server, but you cannot activate Windows 10 computers, you have to do some configurations, which are a little bit tricky.

So first you have to install the hotfix. If you try to install it on the server but receive an error, then you first have to install a prerequisite update, which consists of several updates and has one more prerequisite update.
So the update install order should be like this:
1. Install KB2919442
2. Run clearcompressionflag.exe from KB2919355
3. Install KB2919355
4. Install KB2932046
5. Install KB2959977
6. Install KB2937592
7. Install KB2938439
8. Install KB2934018
9. Restart the server
10. Install KB3058168

Once you have installed all updates, you have to find the correct KMS key. If you use a Windows 10 KMS key, you will not be able to install it onto the KMS server and you will receive error 0xC004F015, as described here

You will have to find Windows Srv 2012R2 DataCtr/Std KMS for Windows 10 in the VLSC portal. Once you install it on KMS server, Windows 10 computers will be able to activate!

SOLVED: Task Sequence fails with 0x80070002, SMSTS.log shows "DownloadFile failed. 80072efe"

If your SCCM OS Task Sequence fails with 0x80070002 error and when further inspecting SMSTS.log you see "DownloadFile failed. 80072efe" error, then most likely this is an error with some networking device. In my case this was the firewall.

Friday, September 16, 2016

FIXED: Maximum event log size group policies do not work

Today I was asked to create a group policy which sets the maximum size of security, application and system event logs.
So I opened group policy editor, navigated to Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs and defined these settings:
Maximum application log size
Maximum security log size
Maximum system log size

Unfortunately GPO applied to computers, but values had not changed.
It turned out that defined values that are not multiples of 64 do not work. I set 102400 for 100 MB and the policies worked as expected.

Free ebook about Azure: Microsoft Azure Essentials

Microsoft obviously is interested in admins learning Azure, so they have released a free ebook about Azure, "Microsoft Azure Essentials: Fundamentals of Azure". It's the second edition and you can download it here

I will try to write a review when I have read the book, so stay tuned.

Thursday, September 15, 2016

FIXED: Windows 10 Start button does not work after applying Applocker policies

Applocker is a really good feature (available only in Windows Enterprise editions), but like all security features it has some gotchas.
One of them is that if you enable Applocker on Windows 10 the Start button doesn't work anymore. If you left-click it then nothing happens. You can right-click it but that's obviously not enough.

In addition to this, the following error is logged in the Applocker log in Event Viewer (Applications and Services - Microsoft - Windows - Applocker):

"No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured."

To solve this you need to create Packaged App rules in the Applocker group policy. To do this follow these steps:
1. Go to Computer Configuration / Policies / Windows Settings / Security Settings / Application Control Policies / Applocker 
2. Right-Click Packaged App Rules and select Create Default Rules
3. After the policy is applied to Windows 10 workstation, Start button will work again.

P.S. If you have a Windows 2008 R2 domain controller, then you will not see "Packaged app Rules" in Group Policy Management Console. You will need to create this policy from Windows Server 2012 server with GPMC.
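
A check for the condition behind this error, as an added example that is not part of the original post: it reads an AppLocker policy as XML and reports when Exe rules are enforced while the Packaged app (Appx) collection has no rules. The function name and the sample policy are hypothetical; the sample is constructed for illustration.

```powershell
# Added example: detect "Exe rules enforced, no Packaged app rules" in a policy.
function Test-AppLockerAppxGap {
    param([Parameter(Mandatory)][xml]$PolicyXml)

    $collections = @($PolicyXml.AppLockerPolicy.RuleCollection)
    $exe  = $collections | Where-Object { $_.Type -eq 'Exe' }
    $appx = $collections | Where-Object { $_.Type -eq 'Appx' }

    $exeEnforced = $exe -and $exe.EnforcementMode -eq 'Enabled'
    # Count rule elements (FilePublisherRule etc.) inside the Appx collection.
    $appxRules = 0
    if ($appx) {
        $appxRules = @($appx.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
    }

    [pscustomobject]@{
        ExeEnforced   = [bool]$exeEnforced
        AppxRuleCount = $appxRules
        StartMenuRisk = [bool]($exeEnforced -and $appxRules -eq 0)
    }
}

# Constructed sample policy: Exe enforced, Appx collection empty.
$sample = [xml]@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Constructed sample rule"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@
Test-AppLockerAppxGap -PolicyXml $sample

# On a workstation, test the policy that is actually applied:
# Test-AppLockerAppxGap -PolicyXml ([xml](Get-AppLockerPolicy -Effective -Xml))
```

Running the check against the effective policy before linking the GPO to Windows 10 machines shows whether the Start button problem will appear.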

FIXED: .epp files in inbox folder are not being deleted and folder is huge in SCCM 1606

If you have upgraded your SCCM infrastructure to the 1606 version and find that the inbox on the site server grows huge and there are a ton of .epp files in the subfolders, then apply Update Rollup 1 for SCCM 1606.
This hotfix solves the issue. Also I think you can safely delete .epp files because they are processed and written into the SCCM database.

Wednesday, September 14, 2016

How to disable OneDrive on Windows 10 using group policies

If you don't want to use OneDrive and don't want users to see OneDrive then here are three things you can do:
1. Use this group policy to disable OneDrive appearing in File Explorer:
Computer Configuration\Administrative Templates\Windows Components\OneDrive\Prevent the usage of OneDrive for file storage
2. Use group policy preferences to prevent OneDrive at startup:
Create a registry preference with the Delete action for the OneDrive value in this registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

3. Use Applocker to prevent users from launching OneDrive.

Windows 10 v1607 LTSB release date

I was asked if Windows 10 1607 build will have a Long-Term Servicing Branch (LTSB) release and if it will, what will be the release dates.
Here are the answers:
1. Windows 10 v1607 will have a LTSB release.
2. It will be available after 01.10.2016.

More info here

Friday, September 9, 2016

Solved: Audit policies don't work on Windows Server 2012 domain controllers

I was working on a case where I needed to track logon events on domain controllers. So I checked the Security event log on the domain controllers, but there were no Logon/Logoff events there.
So I checked the Default Domain Controllers Policy GPO and saw that Logon/Logoff events were enabled for logging.

As it turned out, on Windows Server 2008 or later you have to enable Advanced Audit policies. After enabling the appropriate policies, events started to show up in the Security event log on the domain controllers.
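
To see which audit settings are actually in effect on a domain controller, rather than what a GPO report shows, the following added example (not from the original post) parses the CSV output of `auditpol` and lists Logon/Logoff subcategories that are not audited. The function name is hypothetical, English column names are assumed, and the sample lines are constructed.

```powershell
# Added example: list subcategories whose effective setting is "No Auditing".
function Get-UnauditedSubcategory {
    param([Parameter(Mandatory)][string[]]$CsvLines)

    $CsvLines |
        Where-Object { $_.Trim() } |            # auditpol /r can emit blank lines
        ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        ForEach-Object { $_.Subcategory }
}

# Constructed sample in the format of: auditpol /get /category:"Logon/Logoff" /r
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'DC01,System,Logon,{guid-omitted},No Auditing,'
    'DC01,System,Logoff,{guid-omitted},No Auditing,'
    'DC01,System,Account Lockout,{guid-omitted},Success,'
    'DC01,System,Special Logon,{guid-omitted},Success and Failure,'
)
Get-UnauditedSubcategory -CsvLines $sample

# On a domain controller, from an elevated prompt:
# Get-UnauditedSubcategory -CsvLines (auditpol /get /category:"Logon/Logoff" /r)

# Shows whether subcategory (advanced) settings are forced to override the
# legacy category settings; an empty result means the value is not set.
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
```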

Step-by-step: Create a Point-to-Site VPN to Azure VNET using Azure Portal

Today I found out that setting up a Point-to-Site connection to Azure VNET is not straightforward and is not documented accurately at this point.
So let's assume we have set up a VNET in Azure and added a Virtual Network Gateway to it. Not much magic there, you can do it from GUI.
Hardest part comes when you need to enable Point-to-Site connections on the gateway.

So here is step-by-step:
1. First in Azure Portal go to Virtual Network Gateways, select desired gateway and then choose Point-To-Site Configuration.
2. Specify address pool for VPN clients, no specific requirements there, just make sure network range doesn't conflict with other networks.
3. You have to create and upload a Root certificate, but there is no Upload button in the Portal, so we will have to do this with PowerShell. But first let's create the Root certificate.
4. Here is the documentation on how to create certificates
5. First download the Software Development Kit for Windows to get the MakeCert utility. For Windows 10 you can download it here
6. Install only the Windows Software Development Kit component, others are not necessary.
7. Create the Root certificate with the following command:
makecert -sky exchange -r -n "CN=TestVNETP2S" -pe -a sha1 -len 2048 -ss My "TestVNETP2S.cer"

This will create a certificate in Current User's store.

8. Export the certificate in Base-64 format without the private key. In my case I saved it as C:\Temp\TestVNETP2S.cer.

9. Upload the certificate using PowerShell. First connect to your Azure tenant and then run the following commands:

# Read the exported Base-64 .cer file
$Text = Get-Content -Path C:\Temp\TestVNETP2S.cer

# Skip the first and last lines (the BEGIN/END CERTIFICATE markers)
$CertificateText = for ($i=1; $i -lt $Text.Length -1 ; $i++){$Text[$i]}

# Upload the public certificate data to the gateway
$rootCert = Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName "TestVNETP2S.cer" -PublicCertData ($CertificateText | out-string) -VirtualNetworkGatewayName $gw.Name -ResourceGroupName Network

where $gw.Name is your gateway's name.
After this you will see in Azure Portal that Root certificate has been uploaded.

10. Create a client authentication certificate using command:
makecert.exe -n "CN=YourName" -pe -sky exchange -m 96 -ss My -in "TestVNETP2S" -is my -a sha1

This will create another certificate in your Current User's certificate store. This certificate will be used for authentication when starting VPN client. 

11. Download the VPN client, again starting from Powershell

Get-AzureRmVpnClientPackage -ResourceGroupName $RG -VirtualNetworkGatewayName $GWName -ProcessorArchitecture Amd64

This command will output the download link, which you can paste in browser and download the VPN installation package.
This package will setup the VPN connection in Windows.

12. And finally you can connect to VPN and access your resources in Azure VNET.
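
Steps 7 to 10 can also be done entirely in PowerShell with New-SelfSignedCertificate instead of MakeCert, using SHA-256 rather than SHA-1 and skipping the manual export. This is an added example, not the original post's procedure; it assumes Windows 10 or Windows Server 2016 (for `-Type Custom`), an authenticated AzureRM session, and a hypothetical gateway name.

```powershell
# Added example; names marked hypothetical are not from the post.
$rootName = 'TestVNETP2S'     # same subject the post uses
$gwName   = 'MyGateway'       # hypothetical gateway name
$rgName   = 'Network'         # resource group used in the post

# Self-signed root (SHA-256); the private key stays in the current user's store.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate signed by the root, with the Client Authentication EKU.
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=YourName' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# Public part only: Base-64 of the DER bytes, i.e. the body of the exported
# .cer file without the BEGIN/END CERTIFICATE lines.
$publicCertData = [System.Convert]::ToBase64String($root.RawData)

Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName "$rootName.cer" `
    -PublicCertData $publicCertData `
    -VirtualNetworkGatewayName $gwName -ResourceGroupName $rgName

# Confirm which roots the gateway trusts and that the upload matches the local root.
Get-AzureRmVpnClientRootCertificate -VirtualNetworkGatewayName $gwName -ResourceGroupName $rgName |
    Select-Object Name, @{ n = 'MatchesLocalRoot'; e = { $_.PublicCertData -eq $publicCertData } }
```

Only the root's public data leaves the machine. Anyone holding a client certificate issued by this root can connect, so the root's private key should be kept off shared workstations.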

Tuesday, September 6, 2016

Find group policy corresponding registry entry

If you need to find a registry key which corresponds to a given group policy option, then navigate to, where you will be able to find most of them.

Step-by-step: Migrate group policy objects (GPO) cross-forest using copy / paste

There is a very simple way to migrate group policies between different forests if you have a trust between them.
To do this follow these steps:

  1. Open Group Policy Management Console (GPMC) in source forest.
  2. Right-click on top of tree on left side and select "Add Forest"
  3. Enter the destination forest name.
  4. You will have a GPMC with two forests opened.
  5. Go to source forest, navigate to "Group policy objects", select GPO, right-click it and select Copy.
  6. Go to destination forest, navigate to "Group policy objects", right-click it and select Paste.
  7. Complete the wizard and you are done!!!
P.S. If you don't see the Paste option in step 6, then give the account administrative permissions in destination forest. The easiest way is to add account to Builtin\Administrators group.

Wednesday, August 31, 2016

Hyper-V could not make replica virtual machine a clustered resource

Today I was trying to create a Hyper-V replica for a virtual machine. Both VMs (actual VM and Replica VM) were hosted on clusters. But I got the error "Hyper-V could not make replica virtual machine a clustered resource". All other Hyper-V replica VMs were working without a problem.
As it turned out the problem here was that on destination Hyper-V cluster there was a cluster resource with the same name as the VM.
I deleted the cluster resource which had the same name and replica creation succeeded!

DPM supports VMWare virtual machine backups, finally

Earlier this year I blogged that System Center Data Protection Manager (DPM) will support VMWare virtual machine backups.
With DPM 2012 R2 Update Rollup 11 this feature has finally been included in product. More information can be found here

I will give you more information when I have time to test this feature. I hope it will work smoothly :)

Tuesday, August 30, 2016

SCUP catalogs for Java, Chrome, Firefox and many others

I know this is a kind of advertisement, but this product really has great price / performance.
The product is named Patch My PC, which provides System Center Updates Publisher (SCUP) catalogs for many products, including Java, Chrome, Firefox and lots of others. And the pricing is also great!

Friday, August 26, 2016

"Failed to load expressions host assembly" in SCCM Reporting services after SQL inplace upgrade

I did a SQL inplace upgrade from 2008 R2 to 2014 SP2. The SQL was dedicated to SCCM server and hosted only SCCM, WSUS and Reporting Services databases.

Upgrade was easy, but after upgrade the SQL Reports were not opening and the error was "Failed to load expressions host assembly. Details: Could not load file or assembly ‘SrsResources. Culture=Neutral’ or one of its dependencies. The system cannot find the file specified."

To solve this just reinstall the Reporting Services Point role in SCCM.

There is a workaround described here, but I think it is not supported by Microsoft.