
Sunday, April 5, 2020

OneDrive client log location

As part of troubleshooting OneDrive Known Folder Move, I was trying to find the location where OneDrive stores its log files.
The path for OneDrive logs is %LocalAppData%\Microsoft\OneDrive\logs

Unfortunately, as discussed in this forum post, the logs are stored in .edl and .odl format and only Microsoft Support can analyze the logs.

Office 365 ProPlus will be rebranded to Microsoft 365 Apps

Microsoft recently announced that Office 365 Pro Plus will change its name to Microsoft 365 Apps. Some other Office 365 products will also be renamed, see https://www.microsoft.com/en-us/microsoft-365/blog/2020/03/30/new-microsoft-365-offerings-small-and-medium-sized-businesses/


Friday, April 3, 2020

How to solve Intune enrollment errors 0x80180026 and 0xcaa90014

Windows device management with Intune is becoming more common, so we need to enroll (and autoenroll) devices in Intune.
One of the ways to enroll devices in Intune is to hybrid join them to Azure AD and then use Group Policy to autoenroll them in Intune.

In one of my projects I did exactly that, but for around half of the devices autoenrollment failed. The first thing to check when autoenrollment fails is the DeviceManagement-Enterprise-Diagnostics-Provider Event Log.

There were two errors reported there:
Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x80180026)

Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0xcaa90014)





As it turned out, the problem was that an old SCCM agent was running on these Windows 10 devices. After uninstalling the SCCM agent, the devices shortly appeared in Intune (the autoenroll scheduled task tries to enroll to Intune every five minutes).
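
To run the same check on an affected device, here is an added example (not part of the original troubleshooting) that pulls the Auto MDM Enroll failures from the event log, groups them by error code and reports whether an SCCM client is still installed. The function name Get-AutoEnrollFailure is hypothetical; the channel name and the CcmExec service name (the SCCM client service) are assumptions, as the post names neither.

```powershell
# Added example. Run in an elevated PowerShell session on the affected device.
# Assumption: the event log named in the post is exposed under this channel name.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-AutoEnrollFailure {
    param([int]$Days = 7)

    $filter = @{ LogName = $LogName; StartTime = (Get-Date).AddDays(-$Days) }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $failed = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Auto MDM Enroll:.*Failed' }

    # Assumption: CcmExec is the service installed by the SCCM client.
    $sccmPresent = [bool](Get-Service -Name CcmExec -ErrorAction SilentlyContinue)

    # Group by the code after "Error code:" (not the "(0x0)" that precedes it).
    $groups = $failed | Group-Object -Property {
        if ($_.Message -match 'Error code:\s*(0x[0-9a-fA-F]+)') { $Matches[1] } else { 'unparsed' }
    }

    foreach ($g in $groups) {
        [pscustomobject]@{
            ErrorCode         = $g.Name
            Count             = $g.Count
            LastSeen          = ($g.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
            SccmClientPresent = $sccmPresent
        }
    }
}

Get-AutoEnrollFailure -Days 7 | Format-Table -AutoSize
```

Rows for 0x80180026 or 0xcaa90014 with SccmClientPresent set to True match the situation described above.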

Saturday, March 7, 2020

How to solve SCCM client install error 0x87d0027e

In a new SCCM environment I was installing the SCCM client on a single computer, but the install failed. The SCCM client install log (C:\Windows\ccmsetup\Logs\ccmsetup.log) reported error 0x87d0027e.

As this was a new environment, it was not configured completely. I created a boundary for that network and then a boundary group.
For the boundary group, select Properties, then References and "Use this boundary group for site assignment". After that, retry the SCCM client install and it installs successfully.


Thursday, February 20, 2020

How to list attached ISO files to all Hyper-V machines

The event log for one of my Hyper-V hosts was full of "Failed to get disk information" errors, saying that it could not find an attached ISO file. So I needed a command to list all VMs and their attached ISO files. To list all attached ISO files, simply run this PowerShell command:

Get-VMDvdDrive -VMName *
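
To go from the full list to only the drives that cause the error, here is an added example (not from the original post) that keeps the DVD drives whose ISO path no longer exists. The function name Get-MissingVMIso is hypothetical, and the check assumes the account running it can reach the same paths as the host.

```powershell
# Added example. Requires the Hyper-V PowerShell module; run elevated on the Hyper-V host.
function Get-MissingVMIso {
    Get-VMDvdDrive -VMName * |
        # Skip empty drives and passthrough drives; only ISO-backed media has a file path.
        Where-Object { $_.DvdMediaType -eq 'ISO' -and $_.Path } |
        # Keep the drives whose ISO file cannot be found from this host.
        Where-Object { -not (Test-Path -LiteralPath $_.Path -PathType Leaf) } |
        Select-Object VMName, ControllerType, ControllerNumber, ControllerLocation, Path
}

Get-MissingVMIso | Format-Table -AutoSize

# After reviewing the list, a stale ISO can be ejected from one VM like this
# ('MyVM' is a placeholder name):
# Get-VMDvdDrive -VMName 'MyVM' | Set-VMDvdDrive -Path $null
```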

Thursday, February 13, 2020

How to clear local GPO cache

Group Policy is a very mature technology and it works nearly 100% of the time. Recently I had one of those rare cases when there were Group Policy issues.
The policy was removed from the computer but the settings were left on the computer, and gpupdate /force did not help either.
The solution was to clear the local computer GPO cache. To do that, first run PowerShell as administrator and then execute this command:

Remove-Item "$env:windir\system32\GroupPolicy" -Force -Recurse

Tuesday, February 11, 2020

What is Configuration Manager baseline version?

If you hear the term Configuration Manager "baseline version" and don't know what it is, then here is a short explanation:

A Configuration Manager baseline version can be used for new Configuration Manager installations, but non-baseline versions cannot. For example, if you want to install a new Configuration Manager 1910 site, then you first need to install Configuration Manager 1902, which is a baseline version, and then use in-console updates to upgrade to version 1910.

The updated list of Configuration Manager baseline versions and terminology is here https://docs.microsoft.com/en-us/configmgr/core/servers/manage/updates

There will not be a separate Windows 10 ADK version for build 1909

Windows Assessment and Deployment Kit (ADK) is a toolkit for assisting in Windows operating system deployment. So far Microsoft had released ADK for each Windows 10 build.
This has changed for Windows 10 v1909 as there will be no ADK for v1909, so version v1903 remains the latest at the moment and you can use it to deploy Windows 10 v1909.




https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install

Friday, February 7, 2020

Is it possible to convert Windows Server 2016 / 2019 from Desktop Experience to Core?

Recently I was asked if it was possible to convert Windows Server 2019 from Desktop Experience to Core version. I certainly knew that this was possible but was not sure about Windows Server 2016 / 2019.
Apparently there is no way to convert Windows Server 2016 or 2019 from Desktop Experience to Core as documented here https://docs.microsoft.com/lv-lv/windows-server/get-started/getting-started-with-server-core?redirectedfrom=MSDN


Monday, February 3, 2020

Step-by-step: Prevent weak passwords in Active Directory using Azure AD Password Protection

Hello guys,

I already posted a few main details about Azure AD Password Protection, and here is a step-by-step guide on how to implement it in your Active Directory.
Before you start, make sure that all the latest Windows updates have been installed and that you have Global Admin rights in Azure AD and Domain Admin rights in Active Directory.

1. Configure Azure AD

Go to the Azure Portal - Azure Active Directory - Security - Authentication Methods - Password Protection and enable password protection for Windows Active Directory and set the mode to audit.



2. Download the agents

Download the Azure AD DC agent and Azure AD Proxy Service agent, both can be found here

3. Install the Azure AD Proxy Service agent

Run the AzureADPasswordProtectionProxySetup.exe file, accept licence agreement and click install.


Open PowerShell as administrator and execute these commands:

  1. Import-Module AzureADPasswordProtection
  2. Register-AzureADPasswordProtectionProxy -AccountUpn 'yourglobaladmin@yourtenant.onmicrosoft.com'
  3. Register-AzureADPasswordProtectionForest -AccountUpn 'yourglobaladmin@yourtenant.onmicrosoft.com'
  4. Use this command to check the configuration: Get-AzureADPasswordProtectionProxyConfiguration | fl

4. Install the Azure AD DC agent

DC agent installation is as easy as it could be (except that it requires restart) - just run the installation file AzureADPasswordProtectionDCAgentSetup.msi on the domain controller, accept licence agreement and click Install:


Then click Finish and choose if you want to restart immediately:



5. Monitor weak passwords

Once installed, you can monitor weak passwords in the Event log under Applications and Services Logs - Microsoft - AzureADPasswordProtection - DCAgent - Admin



6. Block weak passwords

When you are ready, configure Azure AD Password Protection Enforced mode to block the passwords. The setting is in the same place as described in the first step of this guide.
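
Before switching from audit to Enforced mode it helps to know which accounts would be affected. Here is an added example (not part of the original guide) that collects the relevant DC agent events from every domain controller and summarizes them per user. The function name Get-WeakPasswordEvent is hypothetical; the channel name and the event IDs are assumptions taken from Microsoft's DC agent monitoring documentation, not from this post.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to read
# the event logs on the domain controllers.
# Assumption: channel name behind "Microsoft - AzureADPasswordProtection - DCAgent - Admin".
$LogName = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'

# Assumption: event IDs as listed in Microsoft's documentation for the DC agent.
$EventMeaning = @{
    10016 = 'Rejected (password change)'
    10017 = 'Rejected (password set)'
    10024 = 'Audit only, would be rejected (password change)'
    10025 = 'Audit only, would be rejected (password set)'
}

function Get-WeakPasswordEvent {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [int]$Days = 30
    )

    $filter = @{
        LogName   = $LogName
        Id        = @($EventMeaning.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    foreach ($dc in $DomainController) {
        # SilentlyContinue hides "no matching events"; it also hides an unreachable
        # DC, so compare the DC column of the output with your DC list.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $user = if ($_.Message -match 'UserName:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    DC          = $dc
                    EventId     = $_.Id
                    Outcome     = $EventMeaning[$_.Id]
                    UserName    = $user
                }
            }
    }
}

# Who would be blocked after the switch to Enforced mode, most frequent first.
Get-WeakPasswordEvent -Days 30 |
    Group-Object UserName, Outcome |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The DC agent events record the user name and the outcome only, never the password itself, so the report can be shared with the help desk.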





Friday, January 31, 2020

New feature in Notepad starting from Windows 10 v1903

Yes, you read correctly. Microsoft has made an improvement in Notepad - starting from Windows 10 v1903, you will see an asterisk on the top left corner in Notepad, when you have unsaved changes.

It looks like this:

Yes, this really is a surprise from Microsoft!

Wednesday, January 29, 2020

Azure AD Password Protection together with Active Directory

Azure AD Password Protection is a cool feature which prevents the use of simple passwords, for example Summer1234. Such a password would satisfy the complexity requirements and usually the length requirements, but is still pretty easy to guess.
The good news is that Active Directory can be integrated with the Azure AD Password Protection feature.
I will be posting a step-by-step guide on how to configure integration between AD and Azure AD Password Protection in the near future, but for now here is a brief overview:

  1. You need Azure AD Premium P1 or P2 licences to use Azure AD Password Protection in your on-prem AD.
  2. There is a DC agent, which needs to be installed on every domain controller.
  3. There is a Proxy agent, which needs to be installed on a member server that has access to the internet.
  4. DC agent talks to Proxy agent over RPC.
  5. Proxy agent connects to Azure AD Password Protection service over HTTPS.
  6. Azure AD Password Protection can be enabled in audit mode.
  7. Azure AD Password Protection banned password dictionary does not contain localized (non-English) words at this time.
  8. You can add your custom banned-word list.
  9. Custom words do not have to match exactly, they can be part of the password. For example, if you add "justforadmins" to the banned list, then "justforadmins123" will also be denied.
  10. Blocked password change attempts are logged in the domain controller's event log, and there are different events depending on whether the restriction comes from the global blocklist or your custom blocklist.
  11. Azure AD Password Protection is not a real-time feature, it updates once in an hour. So, if you add your custom banned password, then this change will be updated to domain controllers in an hour or so.
If you do have any questions, feel free to comment.

Thursday, January 23, 2020

SOLVED: Office 365 ProPlus Sign-In "Your request can't be completed right now"

For one of my customers we were facing a strange issue - sign-in in Office 365 desktop applications (Word, Excel, PowerPoint) was not working, it looked like this:


When clicking Sign-in and entering the user name and password, it said "Your request can't be completed right now".
We were using federated authentication, and there were no errors in the ADFS logs. A quick Google search suggested that Azure AD Conditional Access could be blocking the sign-in, but in Azure AD there were no Conditional Access policies enabled.

After some struggling, I found out that there are Classic conditional access policies and indeed once disabling them the issue was solved. Be sure to check these also!


Monday, January 20, 2020

Is it possible to save customized columns view in Microsoft Intune portal?

Intune is starting to become a solid product, but sometimes still lacking some basic functionality.

For example if you go to Intune Portal (https://devicemanagement.microsoft.com/) All Devices and open the Devices view, then you will be shown default view of devices with default columns. You can customize the view to add or remove the displayed columns. But.. unfortunately there is no way to save your customized view, meaning if you close the view and come back to devices, you will need to customize the view again.

This has been requested in UserVoice, but still has not been implemented:
https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/38967298-save-customized-column-view-devices-all-device

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/32269477-save-column-and-filters-for-later-use

I will post if there are any updates!


Saturday, January 18, 2020

Google Chrome automated configuration options (policies) for all platforms

Nowadays there is a great chance that you need some kind of centralized management for Google Chrome browser.
Google has done a great job to summarize all available configuration options. You can check all the available options here https://cloud.google.com/docs/chrome-enterprise/policies/.
It is very easy to search settings based on platform (Windows, Android, Mac, Linux) or Chrome version.



Thursday, January 16, 2020

How to delete (not unpublish, but delete) an application from Google Play Console

I was working in an Intune project where we had to publish a private application to Google Play and then further to Intune managed devices. For one application we needed to publish under different Google Play account and we found out that it is impossible, because package names were the same and there cannot be two applications with the same package name.

Obviously, the first idea was to delete the application from the wrong account, but there was no such option. Even worse, some googling around suggested that there is no way to delete an application; it could just be unpublished, which prevented new installs but left the application in the Google Play Console.

The solution came unexpectedly, I was submitting a ticket to Google Support and saw an option to request app deletion. It mentioned that it was required to have zero lifetime installs to unpublish the app, but I went forward and tried my luck.

Luckily Google Support said that an app can be deleted if it is in Unpublished state for more than 24 hours. Google Support asked to approve the deletion request from the email which owns the Google Play Console and once that was done, the app was deleted after several hours and could be published under the correct account.

Hurray!

Tuesday, January 14, 2020

Read receipts in Microsoft Teams finally released!

Today I received the Microsoft Teams update (version 1.2.00.34161), and the popup informed me about the new long-awaited feature Read Receipts (you can see whether a message is sent or read). Congratulations Microsoft :)

If message is sent, you can see a checkbox next to message, like this:


And if message is seen then following picture is added:


Happy to see this finally!


Monday, January 13, 2020

All 0x80000000 error codes (Updated 19.01.2020)

In this article I will be summarizing all the 0x80000000 error codes I have dealt with.

SCCM

    0x80090304 - https://www.justforadmins.com/2019/11/sccm-client-does-not-appear-in-console.html

    0x8007274d - https://www.justforadmins.com/2019/10/sccm-task-sequence-error-8007274d-no.html

    0x8000ffff - https://www.justforadmins.com/2019/02/solved-regtask-failed-to-refresh-site.html

    0x8024401c - https://www.justforadmins.com/2019/02/solved-onsearchcomplete-failed-to-end.html

OneDrive

    0x8004de40 - https://www.justforadmins.com/2020/01/fixed-error-there-was-problem.html

KMS

    0xC004F042 - https://www.justforadmins.com/2020/01/activate-windows-server-2019-windows-10.html

Office 365 Pro Plus

    0xc0000361 - https://www.justforadmins.com/2019/01/fixed-office-365-proplus-apps-do-not.html

OneDrive Known Folder Move in non-English environment

If you are reading this, then you probably know what OneDrive Known Folder Move (KFM) feature does. It is like the old Folder Redirection, but the target is not file server, but OneDrive.

Here is an explanation of how OneDrive chooses names for the Desktop, Documents and Pictures folders. It chooses names for these folders based on the system locale configured on the system where OneDrive KFM is enabled.
So for example, if you enable KFM on a system with Swedish locale, you will get Bilder, Dokument and Skrivbordet folders as mentioned here.

This creates a potential issue in scenarios where the system locale on the computer where KFM is activated differs from the locale elsewhere, for example on RD Session Host servers. Then there will be six folders in total - two for documents, two for pictures and two for desktop.

One workaround for this is to configure the PreferredLanguage attribute for the AD user and sync it to Azure AD; the user will then always have KFM folders provisioned in the preferred language.

Saturday, January 11, 2020

SOLVED: SCVMM 2016 console crashes with error .NET Runtime error (Event ID: 1026)

Recently I did an upgrade from SCVMM 2012 R2 to SCVMM 2016. The upgrade was not complex, but after the upgrade the SCVMM console crashed when clicking properties on some VMs.
In event log there was error with Event ID 1026, which stated that "The process was terminated due to an unhandled exception", the event source was .NET Runtime, and Framework version was  v4.0.30319.

I checked the .NET version and it was 4.6, which is supported with SCVMM 2016.

The issue was only with console on SCVMM server not on remote consoles.

It turned out that there are two binaries of the SCVMM 2016 update rollup that need to be installed on the SCVMM server.

After installing also the admin console update (not just the VMM management server update), the issue was gone.

Friday, January 10, 2020

FIXED: Error "There was a problem connecting to OneDrive", 0x8004de40

If you are getting error "There was a problem connecting to OneDrive", error code 0x8004de40 when setting up OneDrive for the first time, then most likely you do not have internet access or if you are inside corporate network, then your proxy or firewall is blocking the traffic.


For corporate customers follow this article to open required URLs and IP addresses.

Semi-Annual channel for System Center (DPM, SCVMM, SCOM) products has been retired

Approximately two years ago Microsoft decided to go the same path for System Center products (DPM, VMM, SCOM) as for Windows 10, that is to have two support cycles - Semi-Annual with shorter support lifecycle and long term channel with classic 10-year support lifecycle.

A while ago Microsoft decided to not continue the Semi-Annual channel for System Center products, thus proving that their focus clearly is on cloud products.

For existing System Center Semi-Annual channel versions (1801 and 1807) the recommendation is to upgrade to the 2019 version as soon as possible.



Sunday, January 5, 2020

Activate Windows Server 2019 / Windows 10 v1809 LTSC on KMS server 2012 R2

Hello,

If you have working KMS server and it works on Windows Server 2012 R2, then it is possible to activate Windows Server 2019 and Windows 10 v1809 LTSC clients with it.
If you are receiving error 0xC004F042, then continue reading.

To configure KMS server follow these steps:

  1. Install the latest cumulative updates on the KMS server.
  2. Get the correct KMS key, it is called Windows Srv 2019 DataCtr/Std KMS, and you can find it in the volume licensing portal:
    • Log on to the Volume Licensing Service Center (VLSC)
    • Click License.
    • Click Relationship Summary.
    • Click License ID of your current Active License.
    • After the page loads, click Product Keys.
    • In the list of keys, locate Windows Srv 2019 DataCtr/Std KMS
  3. Install the product key as usual:
    1. Open an elevated command prompt
    2. Run slmgr.vbs /ipk <your product key> to install the key
    3. Run slmgr.vbs /ato to activate the server
  4. If your KMS server happens to be disconnected from the Internet, then you also need to install the Volume Activation Services Windows Server role and activate the server over the phone, follow this article https://blogs.technet.microsoft.com/askcore/2013/03/14/installing-volume-activation-services-role-in-windows-server-2012-to-setup-a-kms-host/