Search This Blog

Saturday, October 29, 2016

Windows Update behavior in Windows Server 2016

Configuring Windows Update in Windows Server 2016 is a bit confusing.
If you open update settings, then there is written that updates will be downloaded and installed automatically which is relly not good for a server:

Even worse is the fact that there is no option to change this behavior from Update Settings section.

The good news is that this is not actually true. if you open Server Manager, then it will say that it will download updates only:

Configure Windows Update settings through registry

If you ever wondered which registry settings control Windows Update behavior, then here is the answer.
This key has values which control the Windows Update:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

For example, AUOptions refers to this dropdown

If AUOptions value is set to 3, then Windows Update is configured to "Download updates but let me choose whether to install them"

Check out the new Software Center in SCCM Current Branch

In SCCM Current Branch there is a new Software Center available. It looks different:

and you can enable it modifying Client Settings policy in SCCM console, when navigating to Administration - Overview - Client Settings, choosing a client settings object and in the Computer Agent section setting "User new Software Center" to Yes


The coolest thing about new Software center is that it user can install applications directly from it and do not require Silverlight instlalled on their machines.

Easy tip how to fix Microsoft Word heading numbering

Recently I have heard many complaints about Microsoft Word heading numbering.
So here is an easy tip how to sort things out.

1. Go to the Paragraph section in Word ribbon.
2. Select Multilevel list 
3. In the List Library section choose numbering with headings:

Friday, October 28, 2016

Change DNS to custom for Azure Virtual Machine restarts all servers in Availability set

There is a possibility for Azure Virtual Machines to use a custom DNS servers (not to inherit DNS servers from VNET configuration), which is good and 100% necessary feature.

The thing you have to note is that if you have set up a Azure VM and it is part of availability set, then changing VMs configuration to custom DNS will restart the VM and all other servers which are part of availability set.

Backup Certitificate Authority database from command line

Here is a command you can use on Windows Server 2012 R2 and other OSes to backup Certificate Authority database from command line:

certutil -backup -p "password" -f -gmt -seconds -v \\ServerName\ShareName\

Updated: Outlook drag and drop emails doesn't work in Outlook 365 v2016 (build 16.0.7167.2060)

Previously I wrote some solutions when drag and drop emails function doesn't work in Outlook.

It appears that the for me this was a problem with Outlook 365 v2015 build 16.0.7167.2060. After updating Office 365 Pro Plus to version 16.0.7329.1017 there are no more problems with drag and drop for me.

Saturday, October 22, 2016

Limitations when using Azure Backup and MARS agent

Azure Backup is promising to be a good feature for small on-premises environements and all-in-Azure environements.

If you are using Azure Backup then there are two options - backup Azure objects or use MARS (Microsoft Azure Recovery Services) agent on on-premises servers.

Currently if you are thinking of Azure Backup, then keep in mind that it:

  • For Azure it allows only full Azure virtual machine backups;
  • For on-premises servers it allows only file level backups if no other Azure Backup components are installed on-premises.

Friday, October 21, 2016

ShrewSoft VPN failed to attach to key daemon error

If you are using ShrewSoft VPN client and suddenly it does not connect with error "failed to attach to key daemon", then most likely one or all of the ShrewSoft services are not working.
Start theses services to solve the issue:

  • ShrewSoft DNS Proxy Daemon
  • ShrewSoft IKE Daemon
  • ShrewSoft IPSEC Daemon

Drag and drop does not work in Outlook 2013 /2016

Drag and drop has been a nice feature in Outlook for a while and it certainly helps to quickly move emails to folders and keeps things sorted. 
What if this features stops working? I have found following solutions for Outlook 2013 and 2016:
1. Right-click email select Move and then select folder (this actually doesn't solve the issue);
2. When Outlook is opened press Esc button several times and drag and drop will start working again.
3. Use drag and drop with right mouse button and then drag and drop will start working again

Saturday, October 15, 2016

Windows Server 2016 Exam numbers

If you wanna get certified with Windows Server 2016, then start with MCSA (Microsoft Certified Solutions Associate) required exams:

70-740: Installation, Storage, and Compute with Windows Server 2016
70-741: Networking with Windows Server 2016
70-742: Identity with Windows Server 2016

Also note that at this point these exams are still in development stage.

Change system locale (language for non-unicode programs) on Windows 10 / Windows 7 using group policies or registry

There are no builtin options in group policies to change system locale (language for non-unicode programs) on Windows 10 / Windows 7, so you have to use registry.
These three registry values control the system locale:


To find out necessary registry values, change system locale to needed on a test computer, watch these values change and then deploy them using group policy preferences. After these registry values are changed, restart is required to take affect.

For example English (United Kingdom) has following values:


Friday, October 14, 2016

Solved: Cannot delegete permissions in Azure AD for Microsoft live account

I needed to do a simple task, but in the end it wasn't as simple as I would imagine.
I had to delegate a User Admin role to a specific account.

So I went in Azure AD to User section, clicked Add, selected necessary Microsoft Live account, selected User Admin role. But the user didn't get those permissions.
More confusing was the fact that for other user this worked.

So after calling Microsoft support we found out that there was already existed a user with the same name (email address) and that user was synced to different Azure AD from local AD, and target user was not logging on with his Microsoft Live account, but synced user.

The resolution to this was to select "User in another Microsoft Azure AD directory" when delegating permissions:

Updated: Microsoft changes the way updates are released for Windows operating systems starting from October 2016

Here is update to my previous post after October patches have been released.

So my hope that there will be two updates has disappeared, there are still around ten security bulletins, but this how it will work from now on for Windows 7 / 8.1 / Server 2012 / Server 2012 R2:

1. There will be a rollup update for all security updates in each month. All subsequent rollups will include previous security fixes since October 2016. This update will be released in second Tuesday.
2. There will be a rollup update for all security and non-security updates in each month. All subsequent rollups will include previous security and non-security fixes since October 2016. This update will be released in second Tuesday.
3. There will be a rollup update for all non-security updates in each month. All subsequent rollups will include previous non-security fixes since October 2016. This update will be released in thirdTuesday.
4. There will be a separate update for Internet Explorer.
5. There will be separate rollup updates for .NET framework one will be security only and second will be security and non-security rollup.

More info here:

Saturday, October 8, 2016

Solve post-upgrade issues after SCCM primary site server Windows Server upgrade from 2008R2 to 2012R2

Previously I wrote how to upgrade Windows Server OS from 2008 R2 to 2012 R2 on SCCM primary site server.
Here are a few post-upgrade issues you can encounter:

1. After reinstalling WSUS and forcing Software Update Point (SUP) to sync, the initial sync fails with following error in wsussync.log

Sync failed: WSUS update source not found on site XXX. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource

To make things more complicated, WCM.log doesn't show any errors.
To solve this you have to uncheck newest (or all) products which are syncing with WSUS, do the sync and the re-add all necessary products and sync again.
I suspect this is because WSUS after fresh install doesn't know all the newest products (like Windows 10, Office 2016, Windows Server 2016), but it syncs these products at first sync. Error occurs when WSUS tries to sync products of which it doesn't has knowledge.

2. Remote SCCM consoles cannot connect to site server. SMSAdminUI.log shows following errors:

\r\nSystem.Management.ManagementException\r\nAccess denied \r\n   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
:System.Management.ManagementException\r\nAccess denied \r\n   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)

This is because during upgrade site server has lost some permissions, to re-add these permissions on site-server:

  • Open wmimgt.msc
  • On WMI Control click properties
  • Select Security
  • Navigate to Root --> SMS
  • Click Security. Add Enable Account and Remote Enable for local SMS Admins group
  • Navigate to Root --> SMS --> site_XXX
  • Click Security. Add Execute Methods, Provider Write Enable Account and Remote Enable for local SMS Admins group

After re-adding thos permissions you will be able to connect again.

Friday, October 7, 2016

Step-by-Step: Upgrade Windows Server from 2008 R2 to 2012 R2 on SCCM primary site server

Since the release of SCCM 1602 it is supported to upgrade Windows Server OS on SCCM site server from 2008 R2 to 2012 R2, before that it was not supported.

Here is a step by step how to do this:

1. Backup SCCM and Windows Server.
2. Uninstall Software update point and WSUS
3. Disable SMS_Executive, SMS_Component_Manager services (this is not required, but I did this).
4. Restart Windows.
5. Upgrade Windows Server 2012 R2.
6. Enable, set startup type to Automatic and start these services "World Wide Web Publishing Service" and "Windows Process Activation Service"
7. Got to IIS Manager -> Application Pools. You will see following picture:

For  "Classic .NET AppPool" select v2.0 in ".NET CLR Version" field for others select the v4.0.

8. Install WSUS and this hotfix  to add Windows 10 upgrades installation possible.
9. Start SCCM services, install Software update point.
10. Install Windows Updates.
11. Check in SCCM Component Monitoring that everything works.

Thursday, October 6, 2016

Adobe Flash updates deployed with SCUP fail on Windows 8.1 and Windows 10 with error 0x80246002

If you are using SCUP and and all updates through it are deployed correctly except Adobe Flash updates on Windows 8.1 and Windows 10 computers (WUAhandler.log shows 0x80246002), then be informed that it is not possible, discussion about this topic is here 

This is because Adobe Flash is integrated in these OSes and are updated as standard Windows updates.

Wednesday, October 5, 2016

How to solve black screen issue when logging to Windows Server Core through RDP

Today I had to do some maintenance tasks on a server with Windows Server Core OS. I logged onto server through RDP, but command prompt didn't show up. I disconnected RDP session then connected back, but that didn't solve the issue. Obviously the command prompt was gone and on server core there is nothing more when you connect to it.
This is how I solved the issue:
1. Ran this command to get logged on users and respective session IDs
2. Ran this command to log off my session:
I reconnected through RDP and command prompt was there, so I could perform my maintenance tasks.

Saturday, October 1, 2016

Cannot connet to Azure WebApp / App Service which is integrated to VNET

Here is a limitation when you integrate your Azure WebApps / App Services to VNET.

Traffic is possible only one way - that is from Web App to VNET, not the other way round. Here is a quote from official documentation, which is not so obvious when you read the document in first place:

VNET Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network. Private site access is only available with an ASE configured with an Internal Load Balancer (ILB). 

SOLVED: WSUS synchronization history loading takes long time

If you want to view the WSUS synchronization history, but it loads very long time, then you have to clear the WSUS synchronization history from database.
You can do it with following query

DELETE FROM tbEventInstance WHERE EventNamespaceID = ‘2’ AND EVENTID IN (‘381’, ‘382’, ‘384’, ‘386’, ‘387’, ‘389’)

Note also that if you have internal database, then connection to DB is slightly different. See this article for more information.