
Tuesday, June 28, 2016

SCCM 1606 - Cloud Proxy Role

Hello there!

Microsoft has recently released SCCM version 1606, which is a Technical Preview, but all of its features will be included in the next full release (1607); more here: https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/update-1606-for-configuration-manager-technical-preview-available-now/

For me the most interesting feature is the Cloud Proxy role. I didn't find any more detailed documentation about this feature, but it promises to be an easier way to manage SCCM clients on the Internet.

At this time there is Internet-based client management, but it is not trivial to configure. Also, if a hybrid connection with Intune is used, it is not possible to install just the Intune client on Internet computers and get information back to SCCM.

I will test this out and write more details about this feature later.

Thursday, June 23, 2016

KB3159706 / KB3148812 breaks WSUS

Microsoft released KB3148812 in April, which was a buggy update. After applying it on a server where WSUS was running, WSUS stopped working.
Microsoft withdrew the update from the WSUS catalog.

Later on Microsoft released KB3159706 as a replacement for KB3148812. But yet again, after applying KB3159706, WSUS stopped working.
Luckily this time there were a few post-install steps which were necessary to resolve the problems. So after installing KB3159706:
1. Run as Administrator: "C:\Program Files\Update Services\Tools\wsusutil.exe postinstall /servicing"
2. Add HTTP Activation feature: Under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard.
3. Restart the WSUS service.
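The same three steps, scripted so they can be run from an elevated PowerShell prompt on the WSUS server (an added example, not from the KB or from the original post). It assumes the default WSUS install path under Program Files, the service name WsusService, the Server Manager feature name NET-WCF-HTTP-Activation45 for HTTP Activation, and the default HTTP port 8530 for the check at the end.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): post-install steps for KB3159706.
# Assumes the default WSUS path, service name WsusService and HTTP on port 8530.
Import-Module ServerManager

$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
if (-not (Test-Path $wsusutil)) { throw "wsusutil.exe not found at $wsusutil" }

# Step 1: run the servicing post-install task
& $wsusutil postinstall /servicing
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed with exit code $LASTEXITCODE" }

# Step 2: HTTP Activation under .NET Framework 4.5 Features (feature name assumed, see lead-in)
$feature = Get-WindowsFeature -Name NET-WCF-HTTP-Activation45
if (-not $feature.Installed) {
    Install-WindowsFeature -Name NET-WCF-HTTP-Activation45 | Out-Null
}

# Step 3: restart WSUS and confirm it came back
Restart-Service -Name WsusService
Start-Sleep -Seconds 5
"WsusService is $((Get-Service -Name WsusService).Status)"   # expect Running

# Quick check: the client web service should answer on the WSUS port
$tcp = Test-NetConnection -ComputerName localhost -Port 8530 -WarningAction SilentlyContinue
"Port 8530 reachable: $($tcp.TcpTestSucceeded)"
```

Run it as the same administrator you would use for the manual steps. KB3159706 also lists an extra web.config edit for WSUS servers that use SSL; the script does not do that part.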

https://support.microsoft.com/en-us/kb/3159706

Dynamic port range in Windows operating systems

If you ever see a requirement to open dynamic ports in a firewall, then this information is for you.
In Windows Vista / Windows Server 2008 and later Windows versions the dynamic (ephemeral) port range is 49152-65535.

Prior to Windows Vista / Server 2008 the dynamic port range was 1025-5000.

https://support.microsoft.com/en-us/kb/832017
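As an added example (mine, not part of the original post), here is how to read the range the machine actually uses before writing a firewall rule for it. netsh is used because the KB above refers to it and it works on Server 2008 as well. The rule name and the DC subnet in the firewall rule are placeholders, and the rule is created with -WhatIf so it only shows what it would do.

```powershell
# Added example (not from the original post): read the real dynamic port range instead of assuming it.
function Get-DynamicPortRange {
    param([ValidateSet('tcp','udp')][string]$Protocol = 'tcp')
    # netsh prints "Start Port : 49152" and "Number of Ports : 16384" (English strings assumed)
    $out   = netsh int ipv4 show dynamicport $Protocol
    $start = $out | Select-String -Pattern 'Start Port\s*:\s*(\d+)'
    $count = $out | Select-String -Pattern 'Number of Ports\s*:\s*(\d+)'
    if (-not $start -or -not $count) { throw "Could not parse netsh output: $($out -join ' ')" }
    $s = [int]$start.Matches[0].Groups[1].Value
    $n = [int]$count.Matches[0].Groups[1].Value
    [pscustomobject]@{ Protocol = $Protocol; Start = $s; End = $s + $n - 1; Count = $n }
}

$tcp = Get-DynamicPortRange -Protocol tcp
"Dynamic TCP port range: $($tcp.Start)-$($tcp.End) ($($tcp.Count) ports)"

# Inbound rule built from the measured range and limited to the DC subnet (placeholder address);
# -WhatIf only prints what would be created
New-NetFirewallRule -DisplayName 'RPC dynamic ports from DCs (example)' -Direction Inbound `
    -Protocol TCP -LocalPort "$($tcp.Start)-$($tcp.End)" -RemoteAddress '10.0.0.0/24' -Action Allow -WhatIf
```

The parsing depends on the English strings netsh prints; on a localized server use Get-NetTCPSetting (Server 2012 and later) instead. The range itself can be changed with netsh int ipv4 set dynamicport tcp start=49152 num=16384, which is exactly why reading it beats assuming it from the OS version, and why a rule should be limited to the hosts that need it rather than opened to everyone.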

Saturday, June 18, 2016

How to fix 0x80220014 error with Windows 10 ADK v1511 and SCCM

If you are using Windows 10 ADK version 1511, then you have to apply hotfix KB3143760 to make it actually work. Otherwise you will get error 0x80220014, as written here https://blogs.technet.microsoft.com/configurationmgr/2016/03/03/hotfix-windows-pe-boot-images-from-winadk-fail-to-initialize-and-log-error-code-0x80220014/

There is a step-by-step guide on how to apply the hotfix, but I would like to stress that in the second step, when executing the command:
dism /mount-wim /wimfile:C:\WinPE_amd64\media\sources\boot.wim /index:1 /mountdir:C:\WinPE_amd64\mount

"C:\WinPE_amd64\media\sources\boot.wim" should be the actual boot image which is having the problem. So if you are using SCCM, then you should specify something like this:
C:\Program Files\Microsoft Configuration Manager\OSD\Boot\x64\boot.wim
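As an added example (not from the original post or from the hotfix article), here is the mount / replace / unmount sequence from that guide pointed at the SCCM boot image, with the two safety steps I would want around it: a backup of the WIM and a guaranteed unmount on failure. It assumes KB3143760 has been extracted to C:\KB3143760\amd64\ and that its payload is the replacement schema.dat which the guide copies into Windows\System32 of the mounted image; verify the file name and path against the KB for your architecture before running it.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or KB): apply the KB3143760 fix to the SCCM boot image.
$BootWim   = 'C:\Program Files\Microsoft Configuration Manager\OSD\Boot\x64\boot.wim'
$MountDir  = 'C:\WinPE_amd64\mount'
$HotfixDat = 'C:\KB3143760\amd64\schema.dat'   # assumed extraction path of the hotfix payload

foreach ($p in $BootWim, $HotfixDat) { if (-not (Test-Path $p)) { throw "Missing: $p" } }
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# Keep a copy of the original image so the change can be rolled back
Copy-Item -Path $BootWim -Destination "$BootWim.bak" -Force

# Step 2 of the guide, pointed at the SCCM boot image instead of the ADK one
& dism.exe /mount-wim /wimfile:$BootWim /index:1 /mountdir:$MountDir
if ($LASTEXITCODE -ne 0) { throw "Mount failed with exit code $LASTEXITCODE" }

try {
    $target = Join-Path $MountDir 'Windows\System32\schema.dat'
    # Files inside the image are owned by TrustedInstaller; take ownership before overwriting
    & takeown.exe /F $target | Out-Null
    & icacls.exe $target /grant 'Administrators:F' | Out-Null
    Copy-Item -Path $HotfixDat -Destination $target -Force

    & dism.exe /unmount-wim /mountdir:$MountDir /commit
    if ($LASTEXITCODE -ne 0) { throw "Unmount/commit failed with exit code $LASTEXITCODE" }
    "Boot image updated: $BootWim (backup at $BootWim.bak)"
}
catch {
    # Never leave a half-modified image mounted: discard the changes and surface the error
    & dism.exe /unmount-wim /mountdir:$MountDir /discard
    throw
}
```

Because the WIM was changed outside the console, the boot image must afterwards be updated on the distribution points from the SCCM console, otherwise PXE clients keep booting the old copy.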

SOLVED: SCCM client error "Signature verification failed for PolicyAssignmentID"

I got this error in the SCCM client PolicyAgent.log after recovering the SCCM primary site server.
All SCCM clients got the error "Signature verification failed for PolicyAssignmentID" and thus they could not get policies from the SCCM server.
I resolved the error with three steps:
1) Deleted all certificates on the primary site server in the Computer\SMS store;
2) Restarted SCCM server (deleted certificates were regenerated);
3) Reinstalled Management Point role.
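Step 1 above as I would script it (an added example, not from the original post): keep a record of what was removed before deleting it, because the SMS store holds the site's own signing certificates and the thumbprints make it easy to see which ones came back after the reboot. The backup folder is a placeholder; Export-Certificate only writes the public part, so this is a record, not a full restore point.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): step 1 of the fix with a record of what was removed.
# Run on the primary site server; the backup folder is a placeholder.
$backupDir = Join-Path 'C:\SMSCertBackup' (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$smsCerts = @(Get-ChildItem -Path Cert:\LocalMachine\SMS)
"$($smsCerts.Count) certificate(s) in the SMS store"
foreach ($cert in $smsCerts) {
    # Export the public part and log the thumbprint, then remove the certificate
    $file = Join-Path $backupDir "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $file | Out-Null
    'removing {0}  {1}  expires {2}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
    Remove-Item -Path $cert.PSPath
}

# Step 2: the site regenerates the certificates at startup
Restart-Computer -Confirm
# Step 3 (reinstalling the Management Point role) is done from the console after the reboot.
# Afterwards, confirm on a client that PolicyAgent.log no longer logs the error:
#   Select-String -Path "$env:windir\CCM\Logs\PolicyAgent.log" -Pattern 'Signature verification failed'
```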

Friday, June 17, 2016

SCCM OS Task Sequence error 0x80070643

Here is how I solved error 0x80070643 during an operating system deployment with SCCM.
First, I checked smsts.log and saw that there was not much information, only that the application installation ended with error 0x80070643, which translates to "Fatal error during installation" and by itself means nothing...

After a bit of initial frustration I noticed that disk space was pretty low, and this really was the problem. This was a virtual machine with only 30 GB of disk space. After increasing the disk space the error disappeared and the Task Sequence finished successfully.

Updated: Intra-forest domain change error "The security database on the server does not have a computer account for this workstation trust relationship"

This is an update to my previous post http://justforadmins.blogspot.com/2016/05/intra-forest-domain-change-error.html.

If you want to disable the prevention of duplicate SPN creation, then use this hotfix https://support.microsoft.com/en-us/kb/3070083 and you will be able to migrate computers with ADMT or any other tool without the error "The security database on the server does not have a computer account for this workstation trust relationship".

Be sure to re-enable the duplicate SPN check once the AD migration is complete.
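While the check is off, duplicates can be created silently, so before turning it back on it is worth listing every SPN that now exists on more than one object in the forest. The script below does that (an added example, not from the original post); it needs the ActiveDirectory module and the function name is mine.

```powershell
# Added example (not from the original post): find SPNs registered on more than one object anywhere in
# the forest, so they can be cleaned up before the duplicate SPN check is re-enabled.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    # Query every domain directly rather than the global catalog, so tree-root domains are not missed
    $pairs = foreach ($domain in (Get-ADForest).Domains) {
        $objects = Get-ADObject -Server $domain -LDAPFilter '(servicePrincipalName=*)' `
                                -Properties servicePrincipalName
        foreach ($obj in $objects) {
            foreach ($spn in $obj.servicePrincipalName) {
                # The KDC matches SPNs case-insensitively, so normalize before grouping
                [pscustomobject]@{ Spn = $spn.ToLowerInvariant(); Owner = $obj.DistinguishedName }
            }
        }
    }
    $pairs | Group-Object -Property Spn | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Spn = $_.Name; Count = $_.Count; Owners = ($_.Group.Owner -join '; ') }
    }
}

Find-DuplicateSpn | Format-Table -AutoSize -Wrap
# Built-in second opinion for the same question: setspn -X -F
```

Each reported SPN has to end up on exactly one account (usually the migrated computer object) before the check goes back on, otherwise Kerberos authentication to that service keeps failing intermittently depending on which account the KDC picks.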

Group policies don't work after installing KB3159398

Hi guys,

This week was the week of patches. As happens frequently, there was also a buggy patch from Microsoft. It was KB3159398 https://support.microsoft.com/en-us/kb/3159398 which caused group policies to stop working.
As later explained by Microsoft in its bulletin as a known issue, this update changes the way policies targeted at users are read:
"Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context."

It would have been nice to be warned about this in advance ...

But if you have installed the patch and have problems, there is no reason to uninstall it.
The solution (also described in the KB) is to add the Read permission for the "Domain Computers" group on the affected Group Policy Objects. The affected GPOs are the ones with security filtering applied, i.e. where the default group (Authenticated Users) has been removed and replaced with some other group, so the computer account can no longer read the GPO on the user's behalf.

Here is a script to automate adding read permissions https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/
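Here is my own version of that check and fix (an added example, not Microsoft's script from the link above): it finds the GPOs where neither Authenticated Users nor Domain Computers can read the policy and grants Domain Computers read access only. It needs the GroupPolicy module from RSAT, and the function names are mine.

```powershell
# Added example (not from the original post or Microsoft's script): find and repair GPOs affected by MS16-072.
Import-Module GroupPolicy

function Get-Ms16072AffectedGpo {
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        # GpoApply includes read, so either level satisfies the computer-context read
        $readers = $perms |
            Where-Object { $_.Permission.ToString() -in 'GpoRead','GpoApply' } |
            ForEach-Object { $_.Trustee.Name }
        if (-not ($readers -contains 'Authenticated Users' -or $readers -contains 'Domain Computers')) {
            $gpo
        }
    }
}

function Repair-Ms16072Gpo {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($gpo in Get-Ms16072AffectedGpo) {
        if ($PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant GpoRead to Domain Computers')) {
            # Read only: security filtering (GpoApply) is untouched, so the GPO does not start applying to computers
            Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' -TargetType Group `
                             -PermissionLevel GpoRead | Out-Null
        }
    }
}

Repair-Ms16072Gpo -WhatIf   # first list what would change, then run it without -WhatIf
```

Read is enough: GpoRead lets the computer account fetch the user policy on the user's behalf, which is all the post-MS16-072 behaviour needs, while the existing security filtering continues to decide who actually gets the policy.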

Sunday, June 5, 2016

Troubleshoot SCCM client push installation step-by-step

Here are the steps to troubleshoot SCCM client installation with the push method:
1) Make sure the client push account has admin rights on the target computer;
2) Make sure that the required firewall ports are open on the target computer https://technet.microsoft.com/en-us/library/gg682180.aspx
3) If the installation does not start on the target computer, then on the SCCM server inspect %SCCM Install Directory%\Logs\ccm.log
4) If the installation does not finish successfully (no Configuration Manager Control Panel icon), then on the target computer inspect %windir%\ccmsetup\ccmsetup.log
5) If the target computer does not communicate with the SCCM server (is not shown as Active in the SCCM console), then on the target computer inspect ClientIDManagerStartup.log, LocationServices.log and ClientLocation.log in the %windir%\CCM\Logs directory!
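The same checklist as a script run from the site server against one target (an added example, not from the original post). The SCCM install path is the default and the target name is a parameter; step 1 is tested with whatever identity runs the script, so run it as the client push account.

```powershell
# Added example (not from the original post): walk through the client push checklist for one target.
# Run on the site server as the client push account. Install path is the default; adjust if needed.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$SiteLogDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'
)

# Step 2: ports client push needs on the target: SMB for admin$ and the RPC endpoint mapper for WMI
# (WMI then continues on a dynamic port, 49152-65535 on Vista/2008 and later)
foreach ($p in @{ 'SMB (admin$)' = 445; 'RPC endpoint mapper' = 135 }.GetEnumerator()) {
    $ok = (Test-NetConnection -ComputerName $ComputerName -Port $p.Value -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-20} {1,4} {2}' -f $p.Key, $p.Value, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# Step 1: admin rights show up as access to admin$, which ccmsetup.exe is copied through
$adminShare = "\\$ComputerName\admin$"
'admin$ share: ' + $(if (Test-Path $adminShare) { 'accessible' } else { 'NOT accessible (not a local admin, or SMB blocked)' })

# Step 3: did the site server even try? Last ccm.log lines that mention this target
$ccmLog = Join-Path $SiteLogDir 'ccm.log'
if (Test-Path $ccmLog) {
    Select-String -Path $ccmLog -Pattern ([regex]::Escape($ComputerName)) |
        Select-Object -Last 10 -ExpandProperty Line
}

# Steps 4 and 5: error lines from the client-side logs, read over admin$
$logs = @("$adminShare\ccmsetup\ccmsetup.log") +
        ('ClientIDManagerStartup.log', 'LocationServices.log', 'ClientLocation.log' |
            ForEach-Object { "$adminShare\CCM\Logs\$_" })
foreach ($log in $logs) {
    if (-not (Test-Path $log)) { "$log : not present"; continue }
    "--- $log"
    Select-String -Path $log -Pattern 'error|fail' | Select-Object -Last 5 -ExpandProperty Line
}
```

A missing ccmsetup.log with an accessible admin$ usually means the site server never started the push (look at ccm.log), while a present ccmsetup.log with no CCM\Logs folder means setup itself failed on the target.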

Azure AD Self-service password reset explained

Here is a short explanation of the Azure AD Premium feature Self-Service Password Reset.
These are the steps to use this feature:
1) You must have an Azure AD Premium licence;
2) You must enable the feature for the tenant;
3) Users must register for self-service password reset.

At this time there is no way to centrally enable the feature so that no user action is required, but it is possible to force users to register for self-service password reset at their first logon.

Active Directory trust suddenly broken (The local security authority is unable to obtain an RPC connection) through Palo Alto Firewall

Yet another issue I had to troubleshoot where a Palo Alto firewall was involved.

So overnight an AD trust was broken; when attempting to validate the trust it gave the error "The local security authority is unable to obtain an RPC connection".

It was not an easy issue to solve, because at first it seemed that no changes in the infrastructure had been made, no errors were found in the AD logs, DNS was working, firewall ports were open, and also the Palo Alto firewall didn't show any blocked traffic.
But then I found that the Palo Alto had updated its Applications and Threats definitions overnight. After reverting the definitions the AD trust worked once again. Immediately I also disabled auto update for this feature.

SOLVED: Cannot access internet through Palo Alto Firewall, status Incomplete

I am not usually involved in networking, but this time I was on an issue where the internet was working from one network but not from the other. Both networks were protected with a Palo Alto firewall.
Access rules to reach the internet were created, but when inspecting the Palo Alto firewall logs it showed the status "Incomplete" for the problematic network, which means that the TCP three-way handshake could not be completed.
So I found that a NAT rule also had to be created. When the NAT rule was created, internet access worked as expected.