
Thursday, September 29, 2016

Microsoft changes the way updates are released for Windows operating systems starting from October 2016

Starting from October 2016 Microsoft will change the way updates are released. There will no longer be individual patches, but instead there will be a single update that will contain all patches.
There will be two types of updates:
1. Monthly rollup: this update will contain all security and non-security updates and will supersede all previous monthly rollups.
2. Security-only: this update will contain only security patches released in the current month and will not supersede previous security-only updates.

More info here https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

Tool to generate configuration.xml for Office 365 ProPlus deployment with Office Deployment Tool

If you are familiar with Office 365 ProPlus deployment, then you know that you have to generate a configuration.xml file for deployment.
Here is a tool which will greatly assist in creating the configuration.xml file: http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html

Wednesday, September 28, 2016

Proofing Tools available as separate download for Office 2016, finally

Office 2016 was released some time ago, but unfortunately there was no separate download available for just the proofing tools.
Proofing tools were bundled inside Language Accessory Packs (https://support.office.com/en-us/article/Language-Accessory-Pack-for-Office-2016-82ee1236-0f9a-45ee-9c72-05b026ee809f), so you could not install just the proofing tools.
Recently Microsoft has finally released separate Proofing Tools (https://technet.microsoft.com/en-us/library/mt771641.aspx#BKMK_LinksToDownloadsForProofingTools).

Friday, September 23, 2016

SCCM Client Health check fails with third party antivirus on Windows 10 computers

Previously I explained how SCCM Client Health check process works, which describes general troubleshooting steps if you are having SCCM Client Health check issues.

Now to a specific issue: you are using a third-party (non-Microsoft) antivirus and the health check fails on Windows 10 computers. In ccmeval.log you will probably also see that these checks are failing:
- Verify/Remediate Antimalware service status for Windows 10 or up.
- Verify/Remediate Antimalware service startup type for Windows 10 or up.

The root cause is that the third-party antivirus (or you, through group policy) has disabled Windows Defender from starting, but at the same time the computer's Client Agent settings still say that Endpoint Protection has to be managed.

To resolve the issue you must remove the Endpoint Protection policy from the computer. If the SCCM client does not manage Endpoint Protection, then the Client Health check will not perform tests against the Microsoft Antimalware and Windows Defender services.



SCCM Client Health Check process explained

So here is a short explanation of how the SCCM Client Health Check process works.

1. The SCCM agent creates a Scheduled Task called "Configuration Manager Health Evaluation" which runs approximately once a day.
When this task starts, it creates CcmEvalTask.log in the SCCM client logs folder and writes information to it.
2. The task starts the C:\WINDOWS\CCM\ccmeval.exe file, which in turn logs information in the CcmEval.log file.
3. Output information is sent to the Management Point with state messages, which by default is done every 15 minutes. You can monitor state message sending to the server in StateMessage.log.

Removing Azure AD Directory Integration gets stuck on Deactivating

Nowadays it is pretty common to synchronize local Active Directory with Azure AD or Office 365, but this time I had to remove Directory integration between local AD and Azure AD. 

So I went to Azure portal, selected directory, chose Directory Integration tab and clicked Deactivate button. Azure started to work and status turned to Deactivating... I waited and waited, but it was stuck.
As it turned out, this process can take up to 72 hours. I didn't measure it exactly, but in about three days the Directory Integration status switched to Deactivated.
So waiting is the answer :)

Thursday, September 22, 2016

Step-by-step: How to activate Windows 10 computers with Windows Server 2012 R2 KMS server

If you have a Windows Server 2012 R2 KMS server, but you cannot activate Windows 10 computers, you have to do some configurations, which are a little bit tricky.

So first you have to install hotfix https://support.microsoft.com/en-us/kb/3058168. If you try to install it on server, but receive an error, then first you have to install https://support.microsoft.com/en-us/kb/2919355, which consists of several updates and has one more prerequisite update https://support.microsoft.com/en-us/kb/2919442.
So the update install order should be like this:
1. Install KB2919442
2. Run clearcompressionflag.exe from KB2919355
3. Install KB2919355
4. Install KB2932046
5. Install KB2959977
6. Install KB2937592
7. Install KB2938439
8. Install KB2934018
9. Restart the server
10. Install KB3058168

Once you have installed all updates, you have to find the correct KMS key. If you use a Windows 10 KMS key, you will not be able to install it on the KMS server and you will receive error 0xC004F015, as described here: https://support.microsoft.com/en-us/kb/3086418

You will have to find Windows Srv 2012R2 DataCtr/Std KMS for Windows 10 in the VLSC portal. Once you install it on KMS server, Windows 10 computers will be able to activate!

SOLVED: Task Sequence fails with 0x80070002, SMSTS.log shows "DownloadFile failed. 80072efe"

If your SCCM OS Task Sequence fails with 0x80070002 error and when further inspecting SMSTS.log you see "DownloadFile failed. 80072efe" error, then most likely this is an error with some networking device. In my case this was the firewall.

Friday, September 16, 2016

FIXED: Maximum event log size group policies do not work

Today I was asked to create a group policy which sets the maximum size of security, application and system event logs.
So I opened the group policy editor, navigated to Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs and defined these settings:
- Maximum application log size
- Maximum security log size
- Maximum system log size

Unfortunately the GPO applied to the computers, but the values had not changed.
It turned out that defined values that are not multiples of 64 do not work. I set 102400 for 100 MB and the policies worked as expected.
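
A quick way to check intended values before putting them in the GPO and to compare them with what a machine actually uses, as an added example (not part of the original post). The function name Test-EventLogPolicySize and the sample sizes are made up for illustration; Get-WinEvent -ListLog is the built-in way to read a log's configured maximum size.

```powershell
# Added example: validate "Maximum ... log size" policy values (in KB) against the
# multiple-of-64 rule and compare them with the size in effect on this machine.
function Test-EventLogPolicySize {
    param([Parameter(Mandatory)][hashtable]$SizesKB)   # log name -> policy value in KB

    foreach ($log in $SizesKB.Keys) {
        $kb = [int]$SizesKB[$log]

        # Effective maximum size on the local machine (null if the log cannot be read).
        $cfg         = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
        $effectiveKB = $null
        if ($cfg) { $effectiveKB = $cfg.MaximumSizeInBytes / 1KB }

        [pscustomobject]@{
            Log          = $log
            PolicyKB     = $kb
            MultipleOf64 = ($kb % 64) -eq 0
            NextValidKB  = [int]([math]::Ceiling($kb / 64) * 64)
            EffectiveKB  = $effectiveKB
            Applied      = $effectiveKB -eq $kb
        }
    }
}

# Constructed sample values: 102400 KB is a multiple of 64, 100000 KB is not
# (the next valid value is 100032 KB).
Test-EventLogPolicySize -SizesKB @{
    Application = 102400
    Security    = 100000
    System      = 102400
} | Format-Table -AutoSize
```

Reading the Security log configuration may require an elevated session; without it EffectiveKB stays empty for that log.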

Free ebook about Azure: Microsoft Azure Essentials

Microsoft obviously is interested in admins learning Azure, so they have released a free ebook about Azure, "Microsoft Azure Essentials: Fundamentals of Azure". It's the second edition and you can download it here https://blogs.msdn.microsoft.com/microsoft_press/2016/09/01/free-ebook-microsoft-azure-essentials-fundamentals-of-azure-second-edition/?MC=MSAzure&MC=BusApps&MC=EntMobile&MC=CloudPlat&MC=SecSys

I will try to write a review when I read the book, so stay tuned.

Thursday, September 15, 2016

FIXED: Windows 10 Start button does not work after applying Applocker policies

Applocker is a really good feature (available only in Windows Enterprise editions), but like all security features it has some gotchas.
One of them is that if you enable Applocker on Windows 10, the Start button doesn't work anymore. If you left-click it, nothing happens. You can right-click it, but that's obviously not enough.

In addition to this, the following error is logged in the Applocker log in Event Viewer (Applications and Services - Microsoft - Windows - Applocker):

"No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured."

To solve this you need to create Packaged App rules in the Applocker group policy. To do this follow these steps:
1. Go to Computer Configuration / Policies / Windows Settings / Security Settings / Application Control Policies / Applocker 
2. Right-Click Packaged App Rules and select Create Default Rules
3. After the policy is applied to Windows 10 workstation, Start button will work again.

P.S. If you have a Windows 2008 R2 domain controller, then you will not see "Packaged app Rules" in Group Policy Management Console. You will need to create this policy from Windows Server 2012 server with GPMC.
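
A check for the condition behind that event log message, as an added example (not part of the original post): it reads an AppLocker policy as XML and reports when Exe rules are enforced while the Appx (packaged app) rule collection is empty or missing. The function name Test-AppLockerPackagedAppGap and the sample policy are constructed for illustration; Get-AppLockerPolicy is the built-in AppLocker cmdlet.

```powershell
# Added example: detect "Exe rules enforced, no Packaged app rules" in an AppLocker policy.
function Test-AppLockerPackagedAppGap {
    param([Parameter(Mandatory)][xml]$PolicyXml)

    # Collect enforcement mode and rule count per collection (Exe, Msi, Script, Dll, Appx).
    $state = @{}
    foreach ($rc in $PolicyXml.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $state[$rc.GetAttribute('Type')] = [pscustomobject]@{
            Mode  = $rc.GetAttribute('EnforcementMode')
            Rules = $rc.SelectNodes('*').Count      # child elements are the rules
        }
    }

    $exeEnforced = $state.ContainsKey('Exe') -and $state['Exe'].Mode -eq 'Enabled'
    $appxRules   = 0                                # a missing Appx collection counts as no rules
    if ($state.ContainsKey('Appx')) { $appxRules = $state['Appx'].Rules }

    [pscustomobject]@{
        ExeEnforced      = $exeEnforced
        PackagedAppRules = $appxRules
        StartMenuAtRisk  = $exeEnforced -and ($appxRules -eq 0)
    }
}

# Constructed sample policy (placeholder rule Id): Exe rules enforced, no Appx rules.
$sample = [xml]@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

Test-AppLockerPackagedAppGap -PolicyXml $sample     # StartMenuAtRisk is True for this sample

# On a managed Windows 10 machine, test the effective policy instead:
# Test-AppLockerPackagedAppGap -PolicyXml ([xml](Get-AppLockerPolicy -Effective -Xml))
```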

FIXED: .epp files in EpMgr.box inbox folder are not being deleted and folder is huge in SCCM 1606

If you have upgraded your SCCM infrastructure to the 1606 version and find that the EpMgr.box inbox on the site server grows huge and there are a ton of .epp files in the subfolders, then apply Update Rollup 1 for SCCM 1606, https://support.microsoft.com/en-us/kb/3186654.
This hotfix solves the issue. Also I think you can safely delete .epp files because they are processed and written into the SCCM database.

Wednesday, September 14, 2016

How to disable OneDrive on Windows 10 using group policies

If you don't want to use OneDrive and don't want users to see OneDrive then here are three things you can do:
1. Use this group policy to disable OneDrive appearing in File Explorer:
Computer Configuration\Administrative Templates\Windows Components\OneDrive\Prevent the usage of OneDrive for file storage
2. Use group policy preferences to prevent OneDrive from running at startup:
Create a Delete registry preference for the OneDrive value in this registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

3. Use Applocker to prevent users from launching OneDrive.

Windows 10 v1607 LTSB release date

I was asked if Windows 10 1607 build will have a Long-Term Servicing Branch (LTSB) release and if it will, what will be the release dates.
Here are the answers:
1. Windows 10 v1607 will have an LTSB release.
2. It will be available after 01.10.2016.

More info here https://blogs.technet.microsoft.com/windowsitpro/2016/08/02/whats-new-for-it-pros-in-the-windows-10-anniversary-update/

Friday, September 9, 2016

Solved: Audit policies don't work on Windows Server 2012 domain controllers

I was working on a case where I needed to track logon events on domain controllers. So I checked the Security event log on the domain controllers, but there were no Logon/Logoff events there.
So I checked the Default Domain Controllers policy GPO and saw that Logon/Logoff events were enabled for logging.

As it turned out, on Windows Server 2008 or later you have to enable Advanced Audit policies. After enabling the appropriate policies, events started to show up in the Security event log on the domain controllers.
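
One way to see which audit subcategories are really in effect on a domain controller, rather than what the GPO editor shows, as an added example (not part of the original post): it parses the CSV output of the built-in auditpol tool for the Logon/Logoff category. The function name Get-LogonAuditState and the sample lines are constructed; the category name assumes an English-language OS.

```powershell
# Added example: list the effective Logon/Logoff audit subcategories from auditpol CSV output.
function Get-LogonAuditState {
    param(
        # Defaults to live output from auditpol (needs an elevated session).
        [string[]]$AuditpolCsv = (auditpol.exe /get /category:"Logon/Logoff" /r)
    )
    $AuditpolCsv | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Subcategory = $_.Subcategory
            Setting     = $_.'Inclusion Setting'
            Audited     = $_.'Inclusion Setting' -ne 'No Auditing'
        }
    }
}

# Constructed sample of auditpol /r output (machine name and GUID placeholders are made up).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'DC01,System,Logon,{GUID-PLACEHOLDER-1},No Auditing,'
    'DC01,System,Logoff,{GUID-PLACEHOLDER-2},Success,'
    'DC01,System,Account Lockout,{GUID-PLACEHOLDER-3},Success and Failure,'
)

$state = Get-LogonAuditState -AuditpolCsv $sample
$state | Format-Table -AutoSize

# Subcategories that produce the logon (4624) and logoff (4634) events.
$missing = $state | Where-Object { ($_.Subcategory -in 'Logon', 'Logoff') -and -not $_.Audited }
if ($missing) {
    Write-Warning ('Not audited: ' + ($missing.Subcategory -join ', '))   # "Logon" for this sample
}

# On the domain controller itself (elevated session), check live settings and recent events:
# Get-LogonAuditState
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634 } -MaxEvents 5
```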


Step-by-step: Create a Point-to-Site VPN to Azure VNET using Azure Portal

Today I found out that setting up a Point-to-Site connection to Azure VNET is not straightforward and is not documented accurately at this point.
So let's assume we have set up a VNET in Azure and added a Virtual Network Gateway to it. Not much magic there, you can do it from GUI.
Hardest part comes when you need to enable Point-to-Site connections on the gateway.

So here is step-by-step:
1. First in Azure Portal go to Virtual Network Gateways, select desired gateway and then choose Point-To-Site Configuration.
2. Specify address pool for VPN clients, no specific requirements there, just make sure network range doesn't conflict with other networks.
3. You have to create and upload a Root certificate, but there is no Upload button in the Portal, so we will have to do this with PowerShell. But first let's create the Root certificate.
4. Here is the documentation on how to create certificates: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-certificates-point-to-site/
5. First download the Software Development Kit for Windows to get the MakeCert utility. For Windows 10 you can download it here https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
6. Install only the Windows Software Development Kit component, others are not necessary.
7. Create the Root certificate with the following command:
makecert -sky exchange -r -n "CN=TestVNETP2S" -pe -a sha1 -len 2048 -ss My "TestVNETP2S.cer"

This will create a certificate in Current User's store.

8. Export the certificate in Base-64 format without the private key. In my case I saved it as C:\Temp\TestVNETP2S.cer.


9. Upload the certificate using PowerShell. First connect to your Azure tenant and then run the following commands:

# Read the exported Base-64 certificate file
$Text = Get-Content -Path C:\Temp\TestVNETP2S.cer

# Skip the first and last lines (the BEGIN/END CERTIFICATE markers)
$CertificateText = for ($i=1; $i -lt $Text.Length -1 ; $i++){$Text[$i]}

$rootCert = Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName "TestVNETP2S.cer" -PublicCertData ($CertificateText | out-string) -VirtualNetworkGatewayName $gw.Name -ResourceGroupName Network

where $gw.Name is your gateway's name.
After this you will see in Azure Portal that Root certificate has been uploaded.

10. Create a client authentication certificate using command:
makecert.exe -n "CN=YourName" -pe -sky exchange -m 96 -ss My -in "TestVNETP2S" -is my -a sha1

This will create another certificate in your Current User's certificate store. This certificate will be used for authentication when starting VPN client. 

11. Download the VPN client, again starting from PowerShell:

Get-AzureRmVpnClientPackage -ResourceGroupName $RG -VirtualNetworkGatewayName $GWName -ProcessorArchitecture Amd64

This command will output the download link, which you can paste in browser and download the VPN installation package.
This package will setup the VPN connection in Windows.

12. And finally you can connect to VPN and access your resources in Azure VNET.
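
An alternative to steps 5 to 10 on Windows 10 or Windows Server 2016, as an added example (not part of the original post): the built-in New-SelfSignedCertificate cmdlet creates the root and client certificates with SHA-256 instead of SHA-1 and gives the Base-64 public data directly, so no SDK install or manual export is needed. The subject names are the ones used above; $gw and the resource group name Network are assumed to be set as in step 9.

```powershell
# Added example: root and client certificates for Point-to-Site, signed with SHA-256.

# Self-signed root certificate in the current user's store.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=TestVNETP2S' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate signed by the root.
# Extension 2.5.29.37 (EKU) with OID 1.3.6.1.5.5.7.3.2 means Client Authentication.
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=YourName' -DnsName 'YourName' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# Public part of the root certificate only, Base-64 encoded (no private key leaves the store).
$publicData = [Convert]::ToBase64String($root.RawData)

# Sanity checks before uploading anything.
[pscustomobject]@{
    RootSignature  = $root.SignatureAlgorithm.FriendlyName     # expect sha256RSA
    ClientIssuedBy = $client.Issuer                            # expect CN=TestVNETP2S
    ChainMatches   = $client.Issuer -eq $root.Subject
    PublicDataLen  = $publicData.Length
}

# Upload only when a gateway object is available in this session (assumption: $gw from step 9).
if ($gw) {
    Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName 'TestVNETP2S' `
        -PublicCertData $publicData `
        -VirtualNetworkGatewayName $gw.Name -ResourceGroupName Network
}
```

The client certificate and its private key must be present in the certificate store of every machine that connects; export it as a password-protected .pfx to move it.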

Tuesday, September 6, 2016

Find group policy corresponding registry entry

If you need to find a registry key which corresponds to a given group policy option, then navigate to http://gpsearch.azurewebsites.net, where you will be able to find most of them.

Step-by-step: Migrate group policy objects (GPO) cross-forest using copy / paste

There is a very simple way to migrate group policies between different forests if you have a trust between them.
To do this follow these steps:

  1. Open Group Policy Management Console (GPMC) in source forest.
  2. Right-click on top of tree on left side and select "Add Forest"
  3. Enter the destination forest name.
  4. You will have a GPMC with two forests opened.
  5. Go to source forest, navigate to "Group policy objects", select GPO, right-click it and select Copy.
  6. Go to destination forest, navigate to "Group policy objects", right-click it and select Paste.
  7. Complete the wizard and you are done!!!
P.S. If you don't see the Paste option in step 6, then give the account administrative permissions in destination forest. The easiest way is to add account to Builtin\Administrators group.