Sunday, September 15, 2019

Have a device (Roku or other) that won't connect to wifi?

I have a sister-in-law that bought a new Roku express this weekend.  She spent 4 hours fighting an issue where it wouldn't connect to her wifi claiming that the passcode is incorrect.  She searched forums, called xfinity support, and Roku support all to no solution.  She found that she should enter the MAC address in the router which didn't help.  Reset her router passcode, but why when every other device is working on the wifi just fine with that passcode. Change the WPA2 AES settings to something else.  Again why, the other devices are working fine.

Finally she decides to call me.  After about 20 seconds looking at her router settings I advice making the 2.4GHz and 5GHz wifi networks the same password.  Since the Roku Express only supports 2.4GHz it's trying to connect to 2.4, but since they are different passcodes and the same SSID there is nothing indicating to her that she needs to enter the 2.4GHz passcode.  In fact she didn't even know it or that there was ANY difference as Xfinity staff set it up.

Immediately this resolved the issue

Make them the same SSID and Passcode and let it just work.  The device will connect to the frequency it wants / supports and the end user doesn't need to care.  Or if you insist on different passcodes for some reason, make the SSID different as well as a visual indicator.

Thursday, June 27, 2019

Testing your website for weak ciphers and protocols

With recent deployments and integrations of systems I have had to ensure that several websites are secure. After digging around and setting registry keys I figured someone else has done this already, so I started looking for a quick script.

One better I found this handy software:

These guys have it setup so you can set the Schannel, and Cipher Suites plus orders.
Then click the site scanner and you'll see the familiar Qualys SSL Labs site. https://www.ssllabs.com/ssltest/index.html


Monday, February 18, 2019

Wyse ThinOS and RD Gateway with Broker - External Access

The other day I was able to get my hands on a Dell Wyse 3040 with ThinOS unit. I wanted to test out connecting to a Windows Remote Desktop Gateway with Connection Broker and RDSH from home. My intended end users are at remote sites with VPN connections, but I had other ideas for some remote workers to utilize these devices (without VMWare or Citrix) to connect in.

This post isn't about setting up RDSH, RDGateway, etc.  This is in line with getting ThinOS 8.6+ working with your RD Gateway and RD Connection Broker to RDS Hosts.  Something that in hind sight was very easy, but took me a bit to weed through the online posts, ini settings, etc.

I used Wyse Management Suite to configure the device (online trial). This has been a great option and works very well.  For production I will be deploying WMS Standard onsite.

Windows Remote Desktop environment layout:
The environment consists of the following layout. 
  • All servers running Windows Server 2016
  • 1 server with RD Gateway and Web installed together.  We'll refer to this as rds.externaldomain.com
  • 1 server with Connection Broker installed (NOT in HA config)
  • 2 servers running RDSH and the desktop being published - Collection Name: Desktop Resources
  • Dell Wyse 3040 ThinOS 8.6_013 connected to my home network. NO VPN to main datacenter.
Goal: To get the 3040 to connect through the rds.externaldomain.com and broker the connection to the proper RDSH server.  I want it to prompt the user for login upon boot and upon disconnect to logout of the gateway and prompt for login again (Shared workstation).

WYSE config:
I'm going to break this down by section in the WMS portal.  Then I will do my best to put the wnos.ini out.  Obviously there are other areas to configure, I'm just giving the basics for the RDGateway to work.

Security:
Require Domain Login: First area of interest to me was to disable the "Require domain login".  I want the thin client to load and prompt with the connection to the RD Gateway. 

Certificates: Depending on the CA you used on your Gateway you'll need to import the certificates.  I used Godaddy so I had to get the .cer for the Root and Secondary.  This was as easy as going to my site, viewing the certs, and then downloading (copy to file) the GoDaddy Root CA and GoDaddy Secure CA to files.  From there you will upload both files into Apps & Data tab under the File Repository (select certificate for the type).
Now you can check the option for certs and you will see all of the certs you need listed.

Security Policy: I set mine to Full
TLSCheckCN: enabled
VNC: I turned on VNC to allow ease of testing

Visual Experience:
Action after all sessions exit: "sign off automatically"


Microsoft Broker:
Broker Server: https://rds.externaldomain.com
This should be set to your gateway server.  Include the https:// but do not including anything past the FQDN.

Sessions to connect automatically: Desktop Resources
This is the collection name.  Since in this case I'm pushing out a collection of desktops there is only the collection name and not app names.  

Microsoft RDP Settings:
Enable NLA: Enabled  
In my environment I have this on for all servers.


That's it.  Restart the device to apply and test it out.  Notice that when you logout it puts the workstation back at the login screen, perfect for shared workstations!
Note that I did NOT put any Direct RDP Connections in as this isn't needed.



here's the devices wnos.ini as delivered from WMS.

Signon=Yes SaveLastDomainUser=no LastUserName=No
DisableDomain=Yes
FastDisconnect=No
AddCert="Go Daddy Root CA - G2.cer"
AddCert="Go Daddy Secure CA - G2.cer"
SignOn=No ExpireTime=0 RequireSmartCard=No SCRemovalBehavior=0 DisableGuest=No
SecurityPolicy=full SecuredNetworkProtocol=Yes TLSMinVersion=1 TLSMaxVersion=3 DNSFileServerDiscover=Yes TLSCheckCN=Yes
AutoSignoff=10 Shutdown=no Reboot=no
ShutdownCounter=0
SysMode=Classic toolbarclick=No ToolBarAutoQuit=No EnableLogonMainMenu=No
Desktop=No
AutoLoad=2 VerifySignature=yes
ConnectionBroker=MICROSOFT \
host=https://rds.externaldomain.com AutoConnectList="Desktop Resources"
SessionConfig=all \
Reconnect=0
SessionConfig=rdp \
EnableNLA=yes EnableRecord=no EnableRFX=yes EnableTSMM=no ForceSpan=no enablegfx=no EnableUDP=yes EnableVOR=yes USBRedirection=rdp defaultcolor=2 MaxBmpCache=128 RDPScreenAlign4=no AutoDetectNetwork=yes EnableRdpH264=yes 










Tuesday, September 18, 2018

Office 365 "Belongs to:" incorrect / activation

When re provisioning laptops and desktops that utilize Office 365 installations the subscription login doesn't update properly. Although this can be fixed as sugested by many by logging into the old users OWA account, Install Status, and deactivate this doesn't help any when the user account no longer exists.
The user can wait the 31 days until it begins to complain that it's unlicensed, but that's not good product administration in my opinion. I don't want my users to have to worry about it, period.

Logging out on the account page and logging back in also does not update the "belongs to" field.

Options:

  • Reinstall Office - wow, what a waste of time for something that should be easy
  • Do an online repair - Again, this works, but it takes awhile depending on your connection.
  • Run a quick script - YAY (but again, what the heck is MS thinking, this should be easy!)
Thanks to our good friends over at Spiceworks and in particular Marcragusa for this post.

additionally, there is a lot out there covering this once you know its an issue.

Open up a cmd prompt as administrator
  • cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" /dstatus
  • then run
  • cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" /unpkey:XXXXX

I have to do this fairly often so I slapped together a weak powershell file with this. Since I'm not overly skilled with PS I have to retype the last 5 of the key back in, but at least I don't have to remember the commands. Maybe someone can take the output of the first one and pull out the last 5 for the second command automagically.

Invoke-Command -ScriptBlock {cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus}
$prodkey = Read-Host "Enter the last 5 characters of the product key"
Invoke-Command -ScriptBlock {cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /unpkey:$prodkey} -ArgumentList $prodkey

Monday, July 30, 2018

Office 365 Outlook prompts for password

We have a deployment of Office 365 with ADConnect SSO enabled. Additionally, with the implementation of modern authentication (MA) we have set the flag to true. https://support.office.com/en-gb/article/enable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662

We also enabled MA for Skype online even though we do not use it fully currently.

More info on Modern Authentication:

We started seeing issues where Outlook would prompt for password, especially after password change. After much searching we found the following reg key that is recommended by MS when MA is utilized in order to force outlook to use MA.

We deployed the keys with GPO Preferences.
Outlook:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover
Dword: 1

Skype for Business:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync\ AllowAdalForNonLyncIndependentOfLync
Dword: 1


Update: 
We've had a few users where this issue started again. 
Settings - Accounts - Access Work or School - select user - disconnect.  Fixes every time, instantly so far.

Wednesday, July 11, 2018

Windows 10 Fall Creators Update 1709 fails to apply (update 1803 I experienced same issue)

I recently had a number of Dell Latitude e7450 laptops that would rollback the installation of 1709. I also had several of the exact same model laptop that installed successfully.
In most cases I would be left with no indication of why it failed. I attempted installation from WSUS, Windows Update Assistant, and Windows Media Creation to USB.

I updated drivers, bios, all applications, removed AV (note had most succeed with AV), repair windows update, rename the softwaredistribution folder, etc, all to no effect.

Only when using the Windows Media Creation tool and then running the update from USB did it give me any workable indication of what was going wrong. (double click setup from the USB drive)

"We couldn't install Windows 10.  We've set your PC back to the way it was right before you started installing.  0x8007042B - 0x3000D  The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation"



That helps! MS even gives a "click here" for troubleshooting codes that pertain. Unfortunately, none of them are this code.  Google foo gave some info and short time later I was looking at the C:\Windows\Panther\  folder.  In particular the C:\Windows\Panther\NewOs\Panther\setuperr.log.

Almost at the very bottom I found a line stating:
Error WRITE, 0x000000B7 while gathering/applying object: File, C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Will return 0[gle=0x00000002]
Error 183 while applying object C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Shell application requested abort[gle=0x00000002]
Abandoning apply due to error for object: C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk][gle=0x00000002]
Apply failed. Last error: 0x00000000

The recent folder under AppData\Roaming\Microsoft\Windows ended up being the issue for every computer that I had issues updating to 1709 or 1803!


Cleanup profile:
I went to the path in question and dumped the entire recent folder.  Started upgrade again and success!
What a pain, why can't the error descriptions be descriptive and helpful.

Thursday, June 7, 2018

Office 365 - Add Shared Mailbox's Calendar to mobile device

With all the recent changes to Office 365 I found that it's become confusing as to how to easily add a Shared Mailbox OR Room Calendar to a users mobile device.  This works for both Native iOS calendar app or the Outlook for iOS / Android app.

This post goes over the new features
Calendar Sharing in Office 365

Additionally, this post goes over sharing your calendar!
Share your calendar in Outlook on the web for business

And finally, this has instructions for opening a shared mailbox in a seperate window so that you can access the necessary share button which is critical step.
Open and use a shared mailbox in Outlook Web App

Natively, when you create a new Shared or Room mailbox and assign delegates from the O365 Admin portal the new mailboxes / calendars will automatically show up in your Outlook for PC application after a short period.  They do not however automatically show up on your mobile device.  Instead, you must access the Shared / Room mailbox directly and add each user as a delegate which in turn emails an invitation to the users.  The user must then accept the invite from the mobile device which will add it to all of their mobile devices.



  1. First, we've created the Shared mailbox we want and added the "members".  This will automatically add the mailbox / calendar to those users Outlook for PC application. 
  2. Log into OWA with an account that has permission to the Shared Mailbox / Room that was just created.  Click the user account in the top right corner.  Click the "Open another mailbox..." option.

  3. Type in the name of the mailbox / room and ensure it finds it in the list.  If you don't have the proper permissions then you'll get an error "Something went wrong".  It can take some time after assigning permissions to yourself before they properly propagate.
  4. The mailbox will open in a new window.  Open the calendar.
  5. Click the Share button at the top middle.  This will open up the "Share this calendar:Calendar" window.
  6. Search for the person you want to add and give them the proper permission level.  Then click "Share"
  7. This will send an email invitation to the user. They will need to open the email invitation from a mobile device!

  8. From iOS native app the calendar is listed.
  9. Or from the Outlook for iOS / Android
  10. If the user wants to remove the calendar they can click on the i / information option on the right side (iOS) or settings gear (Outlook for iOS / Android) and at the bottom is the remove option.

Hopefully MS will give the option of having these calendars auto deploy to mobile device same or similar to the way it does with outlook for PC in the future.

Thursday, March 29, 2018

Veeam Backup Error Code 32768

Last night we received the following error on a previously working server.

Failed to create VM recovery checkpoint (mode: Veeam application-aware processing) Details: Job failed (''). Error code: '32768'.
Failed to create VM recovery snapshot, VM ID 'f74ddb15-6900-4f62-ad2a-31ed600531f1'.  

Environment:
Host: Windows Server 2016
VM: Windows Server 2016 - hosting Quickbooks database manager and Azure AD Connect

Changes:
Several updates had been applied to the server the day prior.  Additionally, AD Connect had been updated to version 1.1.750


Additional error from eventvwr: 
Log Name:      Application
Source:        VSS
Event ID:      8229
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Description:
A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error.  If the backup process is retried,
the error is likely to reoccur.
. Changes that the writer made to the writer components while handling the event will not be available to the requester. Check the event log for related events from the application hosting the VSS writer. 

Some googling ended up with this hit: http://www.insidetechnologies.eu/en/blog/veeam-backup-replication-9-5-error-code-32768/

Open the appwiz.cpl, select "Microsoft SQL Server 2012 Express LocalDB" and repair.  This will require a reboot.

We are now able to create checkpoints of the VM again without issue.

Wednesday, November 1, 2017

Chrome Browser - prevent / restrict user sign in

In the past I've always forced my end users to use IE.  This made sense as IE is integrated with Windows and could be heavily managed by GPO and other domain settings.
More and more I found myself personally going to Chrome for tasks since it "worked better".  So, I finally admitted (few years back actually) that maybe it makes sense for me to loosen up a bit and let the end users in on Chrome in the workplace as well.

As with all good things come that pain in the arse with them as well.  Google of course wants users to utilize it's services and logging into the Chrome site helps simplify this.  But in the workplace this may not be a great thing to have end users purposely or accidentally logging into their personal Gmail (or even other company G Suite) accounts.

One would think a simple google search would yield lots of results on how to prevent login to Chrome browser, but for me at least I only found lots of irrelevant junk.  Perhaps I need to work on my googlefoo.

At one time Chrome ADM templates had a settings called "Allow sign-in to chrome" or something to that respect.  Fairly obvious and easy to find.  That has since been removed.

NOW there is a setting in the ADMX labeled "Restrict which users are allowed to sign in to Google Chrome".  This is the new setting that we want.  Found under the following after you add your ADMX template.
Computer Configuration/Administrative Templates/Google/Google Chrome  (also under User Config if that meets your needs better)

Enable the setting, put in a bogus expression (or your organizations matching expression if you utilize Google business apps) and deploy to computers or users depending on your needs.


Users can now attempt to login to Chrome and they are greeted with a lovely "you can't do that"


Funny enough I found that I could go to other Google services, for instance blogspot, and login.  But then once I tried to go away from blogspot to say, gmail, it choked.

Wednesday, November 2, 2016

Powershell - FSMO Roles

Viewing FSMO with Powershell
Get-ADDomainController -Filter * | ForEach-Object {$_.Name; $_.OperationMasterRoles; Write-Host}


Transfering FSMO roles with Powershell
Move-ADDirectoryServerOperationMasterRole -Identity servername -OperationMasterRole InfrastructureMaster, RIDMaster, DomainNamingMaster, PDCEmulator, SchemaMaster

Tuesday, July 19, 2016

WSUS Error: Connection Error after KB3148812 and KB3159706

After getting a WSUS server up to date the console no longer worked.

The error is very uninformative...


Log Name:      System
Source:        Service Control Manager
Date:          7/18/2016 10:39:15 AM
Event ID:      7034
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      
Description:
The WSUS Service service terminated unexpectedly.  It has done this 3 time(s).


The proper fix for both of these KB's which you SHOULD install:
https://support.microsoft.com/en-us/kb/3159706

Also, don't forget that if you are not using SSL for WSUS you should be!

Tuesday, July 5, 2016

Remove iPhone Native apps

With our recent iPhone re-deployment there where several native apps that I wanted to remove.  This is pretty easy to do with Apple Configurator and XenMobile.  This requires the phone to be supervised.  Supervised mode can be set with Apple Configurator or if you sign up for Apple DEP.  Supervising the phone will wipe it.


  1. Ensure Apple Configurator is version 2.x
  2. Click File - New Profile
  3. Restrictions - Configure - Apps tab
  4. Under "Restrict App Usage"
  5. Set to "Do not allow some apps"
  6. Click the plus sign
  7. Type the App name you want to remove and choose it
  8. File - Save - name it and save it
Now you have a profile for the app(s) that will remove them.  You just need to upload this into XenMobile (or other MDM) and apply it to your devices.  Can also be applied straight from Apple Configurator.  I prefer to not use the Configurator to apply ANY configuration and instead push it through MDM.  This allows easier removal of profiles and policies.

XenMobile - do this from the Mac with Apple Configurator on it.
  1. Under Configure - Device Policies - Add
  2. More - Custom - Import iOS & Mac OS X Profile
  3. Name it and then browse to the newly created and saved profile.
  4. Assign to the proper delivery policy and you're all set!
Sit back and watch the native app disappear.

How to get the native app back?  Just remove the profile.


Wednesday, May 25, 2016

DHCP Migrate Failover Deployment to Server 2012 R2

Awhile back I wrote a guide to migrate from split scope to failover that is new in Windows 2012.
http://didyourestart.blogspot.com/2013/02/dhcp-migrate-from-split-scope-to.html

This guide is intended to move the failover to a new Windows Server 2012 R2.  As you already know you can only have two servers in each failover scope.  So in order to do the migration we'll need to drop a server.  The steps to do this are very easy, but attention needs to be paid to where you execute the commands or you could drop the wrong server.

We'll identify our servers as the following:
  • Win2012-01 - Primary DHCP server moving away from
  • Win2012-02  - Secondary DHCP server moving away from
  • Win2012R2-01 - Primary DHCP server moving to
  • Win2012R2-02 - Secondary DHCP server moving to
I'm assuming you already have your new servers built and DHCP role installed.

Also important to note first! If the static IP address of a DHCP server needs to be changed, you must first delete all DHCP failover relationships that exist on that server, and then recreate the relationships when the new IP address is active.
https://technet.microsoft.com/en-us/library/dn338982(v=ws.11).aspx 

First we'll remove DHCP failover from Win2012-02
  1. Get a good backup of DHCP
  2. Log into Win2012-01 and open powershell as administrator (right click run as administrator)
  3. Run Get-DhcpServerv4Failover
    1. This gives us necessary information for removing the failover.  Note this will also tell you which partner it's connected to.
  4. Make note of the Name.  In my case it's TF-192.168
  5. The next command will remove the failover AND the scope from the opposite server.  For instance, I'm running this on Win2012-01, which will leave it's scope and leases intact.  But it will remove the scope and leases from Win2012-02.  Always run the remove command from the server you want to leave intact.
    1. Remove-DhcpServerv4Failover -Name TF-192.168
  6. Note that Win2012-02 no longer has the scope available (refresh the console)
Now let's add Win2012R2-01 into the scope (note I'm leaving my scope name the same, also I'm using hot standby which is indicated by "ServerRole")
  1. This command is run from Win2012-01
  2. Add-DhcpServerv4Failover -ComputerName Win2012-01 -PartnerServer Win2012R2-01 -name TF-192.168 -ScopeId 192.168.1.0 -ServerRole Active -SharedSecret Ican'tTellYou -Force
  3. From the DHCP console we can now confirm that Win2012R2-01 is getting the scope and leases replicated to it (F5)
  4. In addition run Get-DhcpServerv4failover and you should see the new replication partner of Win2012R2-01 listed, ServerRole of Active (meaning Win2012-01 is still the primary), and Mode of hotstandby.
NOTE: Notice that it only replicates over the scope, but not anything below that.  If you set your Options or policies at the server level then this will not move them!  It also won't move your Filters.  

At this point we have DHCP Failover between Win2012-1 (Active) and Win2012R2-01 (Standby)

Now let's drop Win2012-01 out of the failover
  1. This command is run from Win2012R2-01  (Important, otherwise you'll drop the wrong server)
  2. Remove-DhcpServerv4Failover -Name TF-192.168
  3. Confirm in DHCP console that Win2012-01 no longer has any dhcp scopes (refresh)
Now we can add in Win2012R2-02
  1. From Win2012R2-01
  2. Add-DhcpServerv4Failover -ComputerName Win2012R2-01 -PartnerServer Win2012R2-02 -name TF-192.168 -ScopeID 192.168.1.0 -ServerRole Active -SharedSecret Ican'tTellYou -Force

As a final step run your Get-DhcpServerv4Failover and check status.  Also refresh your DHCP consoles and ensure all is happy.  Make sure you configure your Server level options and Policies if needed as well as Conflict Detection Attempts.








Thursday, May 19, 2016

Powershell Moving and Viewing FSMO roles

Recently wanted to move my FSMO roles, but didn't want to use the old method of netdom.  Besides, everything is going powershell so might as well start learning now!

View the current holders:

  1. Thanks to The Scripting Guy - Get-ADDomainController -filter * | Select-Object Name, OperationMasterRoles


https://blogs.technet.microsoft.com/heyscriptingguy/2014/11/28/powertip-use-powershell-to-get-list-of-fsmo-role-holders/


Now we can move them

  1. Move-ADDirectoryServerOperationMasterRole -Identity "servername" -OperationMasterRole 0,1,2,3,4 (or use their names)


http://thelazyadmin.com/2013/08/managing-fsmo-roles-with-powershell/

Wednesday, April 27, 2016

Domain Controller high CPU - Service Host / Security Log

I had been having problems for sometime with our Windows Server 2012 and 2012 R2 domain controllers.  The CPU would spike to 50% and sit there occasionally dropping down to 2% and then shortly after back up to 50%.

The process in question was the Service Host: Local Service (Network Restricted).
The sub processes are:

  • TCP/IP NetBIOS Helper
  • Windows Event Log
  • DHCP Client

It doesn't take a lot of google fu to find the following post:
https://www.experts-exchange.com/questions/28440274/Why-does-security-logging-on-the-DC-eat-all-the-CPU.html

From this post it indicates that the Windows Security log could be at fault.  I took a look at ours and it was set to overwrite and had a maximum size of 1GB (actually well under the MS maximum size, but still large imo).  A quick test of clearing the log fixed the issue.

Of course the issue started up again a few days later when the log got full and started to overwrite again.  So, I reduced the maximum size of the security log to 10mb (not large enough to hold much of course, but we're just testing at this point).  Once the log started overwriting again no issue.  From this I made the conclusion that the issue isn't just overwriting events, but rather overwriting the events when the log is very large.

Solution:
  1. Ensured that our SIEM solution was collecting the logs every hour.
  2. Set the maximum log size for the security log to a value that will hold 12 hours of logs and then overwrite.  To determine this value I just had to wait and then check it's properties (for each DC!)
  3. If any logging event success / failures are ever changed I'll need to re-evaluate that the size is still sufficient.
Another solution that I didn't like as much was to throw hardware at the issue, ie add a CPU.

In addition here's a good table of MS recommendations on logging settings
https://technet.microsoft.com/en-us/library/dn487457.aspx