Thursday, July 16, 2020

Trend Micro Worry Free Business - very slow opening of apps

We recently switched from Webroot to Trend Micro Worry Free (I now believe this was a mistake).  Almost immediately I started getting reports of "computer slowness" and started noticing it myself.  Primarily I had issues with OneDrive failing to synchronize, Chrome and Edge (Chromium) opening very slowly, clicking links in emails (again opening browsers) being slow, a long delay logging into Windows after a reboot, slow loading of additional tabs / webpages, and other areas.

This appears to be a well known issue when using Trend Micro with the "Unauthorized Change Prevention Service".  Watching Task Manager while doing many of these tasks, I could see this service jump to the top.
Unfortunately, many of the TM options are dependent on this service, but at the end of the day I'm a firm believer that machines need to be speedy, so I disabled the service.  Note: I also disabled the Behavior Monitoring as this is dependent on the service.

If you're reading this while "thinking" of moving to Trend Micro I would advise you to take a test drive first.  I've found several issues which support is working through, but it's been a bumpy road.

  1. Extreme slowdown when scheduled scans run (as opposed to what we're used to seeing with Webroot).
  2. Unauthorized Change Prevention Service slowdown.
  3. Issue with builds prior to 6.7.1319 being unable to restore to domain OUs.
  4. Issue with many of our installs prior to 6.7.1319 being unable to update to latest build automatically - support still looking into issue.

Tuesday, June 2, 2020

Dot net 3.5 install error

I've had lots of issues in the past with being unable to install Dot Net 3.5 on Windows 10.  Typically, I can easily download the Win10 ISO, mount it, and use DISM with the /Source switch.  Today I encountered 2 laptops running Windows 10 on which I continued to get issues and errors.

ISO mounted and received "the source files can't be found".  This was with the latest Win10 ISO download.

Checked WSUS and feature on demand is checked.

Easy fix is to bypass WSUS temporarily...
  1. Under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU set UseWUServer to 0
  2. Reboot
  3. Install Dot Net 3.5
  4. Set the reg key back to 1
  5. Reboot
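The steps above as one two-phase PowerShell script, added here as an example and not from the original post. It assumes the ISO path in $IsoPath and that the AU policy key already exists (it does when WSUS is assigned by GPO); run it once with -Phase Bypass, reboot, then again with -Phase Install.

```powershell
# Added example (not from the original post): two-phase WSUS bypass for installing NetFx3 from the ISO.
param(
    [Parameter(Mandatory)][ValidateSet('Bypass', 'Install')][string]$Phase,
    [string]$IsoPath = 'C:\ISO\Win10.iso'   # assumed location of the Windows 10 ISO, adjust as needed
)
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

switch ($Phase) {
    'Bypass' {
        # Step 1: record the current value, then point Windows Update away from WSUS.
        $current = (Get-ItemProperty -Path $auKey -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
        Write-Host "UseWUServer is currently: $current"
        Set-ItemProperty -Path $auKey -Name UseWUServer -Value 0 -Type DWord
        # Step 2 is the reboot, so the Windows Update service picks up the new value.
        Write-Host 'UseWUServer set to 0. Reboot, then run this script again with -Phase Install.'
    }
    'Install' {
        # Step 3: mount the ISO and install NetFx3 from its sources\sxs folder with DISM, as in the post.
        Mount-DiskImage -ImagePath $IsoPath | Out-Null
        $letter = (Get-DiskImage -ImagePath $IsoPath | Get-Volume).DriveLetter
        try {
            & dism.exe /Online /Enable-Feature /FeatureName:NetFx3 /All /Source:"${letter}:\sources\sxs"
            if ($LASTEXITCODE -ne 0) { throw "DISM exited with code $LASTEXITCODE" }
        }
        finally {
            Dismount-DiskImage -ImagePath $IsoPath | Out-Null
            # Step 4: put the WSUS setting back whether or not DISM succeeded; step 5 is the final reboot.
            Set-ItemProperty -Path $auKey -Name UseWUServer -Value 1 -Type DWord
            Write-Host 'UseWUServer restored to 1. Reboot to return the machine to WSUS.'
        }
    }
}
```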

Monday, March 30, 2020

Windows Server 2016 RDSH - Start Menu stops working

On our farm of Windows Server 2016 RDSH (Remote Desktop Session Host) I've had seemingly random issues with the start menu stopping working.  This likely correlates with a Windows update being applied, but it's hard to tell as you do not always know immediately that it's stopped working (users complain days later or never complain and you notice when doing other maintenance, etc).

Searching the internet you find a number of solutions, but the craziest (in my opinion) solution I found was the one that actually worked!

In this post user MrManual says to delete and recreate a registry key dealing with the Firewall.  One, like me, would think this crazy and continue trying all the other solutions, only to have the issue remain (or return shortly).

Finally, figuring it's better to try a crazy solution than to rebuild the server, I opened PowerShell and gave it a go:

# Delete the key
Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System"
# Recreate it empty
New-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System"

Click start menu and GASP it opens!

Note: other ideas on the thread do work, but seemingly only temporarily.  I still suspect this has something to do with the crappy UPDs.
On the note of UPDs, one might ask "if you hate UPDs so much why not switch to FSLogix?  I mean, it is free after all..."
https://blogs.microsoft.com/blog/2018/11/19/microsoft-acquires-fslogix-to-enhance-the-office-365-virtualization-experience/

https://www.brianmadden.com/opinion/Microsoft-FSLogix-free-to-all-customers

Saturday, March 21, 2020

Dell Latitude 7480 / 7490 loud fan issue

We have a lot of Dell Latitude 7480 / 7490 laptops deployed.  When I first got them in we had lots of issues and complaints about the loud fan speed.  Under load this is understandable, but many times it happened with no load.   This is a common issue early on for these models, as one can see from the numerous posts online:

https://www.dell.com/community/Latitude/fan-noise-and-heat-Dell-Latitude-7490/td-p/7439643

https://www.dell.com/community/Latitude/Dell-7480-and-Dell-5480-fan-noise-and-heating-issue-on-more-than/td-p/6072570

https://www.dell.com/community/Latitude/Latitude-7490-Overheating/td-p/6073431


In the past when I would get one of these laptops it was a matter of ensuring the BIOS was up to date and the issue would be gone.  Lately, my own laptop (7490) started having a high-pitched, fast fan noise.  Of course I remembered right away that I had recently updated the BIOS to 1.13.1.
I quickly decided to downgrade the BIOS to 1.11.0 to see if that would help.

No more loud fan noise at this point... Having issues with your fan always running at top speed? Try an older BIOS version and call your Dell rep to complain.


UPDATE:
I recently allowed a BIOS update to install and the issue came back on a Latitude 7490.
I then installed the Dell Power Manager application and found a section called "Thermal Management".  Under this section you can choose "Quiet", which instantly made the computer more bearable.

Sunday, September 15, 2019

Have a device (Roku or other) that won't connect to wifi?

I have a sister-in-law who bought a new Roku Express this weekend.  She spent 4 hours fighting an issue where it wouldn't connect to her wifi, claiming that the passcode was incorrect.  She searched forums, called Xfinity support, and Roku support, all to no solution.  She found that she should enter the MAC address in the router, which didn't help.  Reset her router passcode, but why, when every other device is working on the wifi just fine with that passcode?  Change the WPA2 AES settings to something else.  Again, why, when the other devices are working fine?

Finally she decided to call me.  After about 20 seconds looking at her router settings I advised making the 2.4GHz and 5GHz wifi networks the same password.  Since the Roku Express only supports 2.4GHz it's trying to connect to 2.4, but since they have different passcodes and the same SSID there is nothing indicating to her that she needs to enter the 2.4GHz passcode.  In fact she didn't even know it, or that there was ANY difference, as Xfinity staff set it up.

Immediately this resolved the issue.

Make them the same SSID and Passcode and let it just work.  The device will connect to the frequency it wants / supports and the end user doesn't need to care.  Or if you insist on different passcodes for some reason, make the SSID different as well as a visual indicator.

Thursday, June 27, 2019

Testing your website for weak ciphers and protocols

With recent deployments and integrations of systems I have had to ensure that several websites are secure. After digging around and setting registry keys I figured someone else has done this already, so I started looking for a quick script.

One better I found this handy software:

These guys have it set up so you can set the Schannel protocols and cipher suites, plus their order.
Then click the site scanner and you'll see the familiar Qualys SSL Labs site. https://www.ssllabs.com/ssltest/index.html


Monday, February 18, 2019

Wyse ThinOS and RD Gateway with Broker - External Access

The other day I was able to get my hands on a Dell Wyse 3040 unit with ThinOS. I wanted to test out connecting to a Windows Remote Desktop Gateway with Connection Broker and RDSH from home. My intended end users are at remote sites with VPN connections, but I had other ideas for some remote workers to utilize these devices (without VMware or Citrix) to connect in.

This post isn't about setting up RDSH, RD Gateway, etc.  This is in line with getting ThinOS 8.6+ working with your RD Gateway and RD Connection Broker to RDS Hosts.  Something that in hindsight was very easy, but took me a bit to weed through the online posts, ini settings, etc.

I used Wyse Management Suite to configure the device (online trial). This has been a great option and works very well.  For production I will be deploying WMS Standard onsite.

Windows Remote Desktop environment layout:
The environment consists of the following layout. 
  • All servers running Windows Server 2016
  • 1 server with RD Gateway and Web installed together.  We'll refer to this as rds.externaldomain.com
  • 1 server with Connection Broker installed (NOT in HA config)
  • 2 servers running RDSH and the desktop being published - Collection Name: Desktop Resources
  • Dell Wyse 3040 ThinOS 8.6_013 connected to my home network. NO VPN to main datacenter.
Goal: To get the 3040 to connect through the rds.externaldomain.com and broker the connection to the proper RDSH server.  I want it to prompt the user for login upon boot and upon disconnect to logout of the gateway and prompt for login again (Shared workstation).

WYSE config:
I'm going to break this down by section in the WMS portal.  Then I will do my best to put the wnos.ini out.  Obviously there are other areas to configure, I'm just giving the basics for the RDGateway to work.

Security:
Require Domain Login: First area of interest to me was to disable the "Require domain login".  I want the thin client to load and prompt with the connection to the RD Gateway. 

Certificates: Depending on the CA you used on your Gateway you'll need to import the certificates.  I used GoDaddy so I had to get the .cer for the Root and Secondary.  This was as easy as going to my site, viewing the certs, and then downloading (copy to file) the GoDaddy Root CA and GoDaddy Secure CA to files.  From there you will upload both files into the Apps & Data tab under the File Repository (select certificate for the type).
Now you can check the option for certs and you will see all of the certs you need listed.

Security Policy: I set mine to Full
TLSCheckCN: enabled
VNC: I turned on VNC to allow ease of testing

Visual Experience:
Action after all sessions exit: "sign off automatically"


Microsoft Broker:
Broker Server: https://rds.externaldomain.com
This should be set to your gateway server.  Include the https:// but do not include anything past the FQDN.

Sessions to connect automatically: Desktop Resources
This is the collection name.  Since in this case I'm pushing out a collection of desktops there is only the collection name and not app names.  

Microsoft RDP Settings:
Enable NLA: Enabled  
In my environment I have this on for all servers.


That's it.  Restart the device to apply and test it out.  Notice that when you logout it puts the workstation back at the login screen, perfect for shared workstations!
Note that I did NOT put any Direct RDP Connections in as this isn't needed.

Here's the device's wnos.ini as delivered from WMS.

Signon=Yes SaveLastDomainUser=no LastUserName=No
DisableDomain=Yes
FastDisconnect=No
AddCert="Go Daddy Root CA - G2.cer"
AddCert="Go Daddy Secure CA - G2.cer"
SignOn=No ExpireTime=0 RequireSmartCard=No SCRemovalBehavior=0 DisableGuest=No
SecurityPolicy=full SecuredNetworkProtocol=Yes TLSMinVersion=1 TLSMaxVersion=3 DNSFileServerDiscover=Yes TLSCheckCN=Yes
AutoSignoff=10 Shutdown=no Reboot=no
ShutdownCounter=0
SysMode=Classic toolbarclick=No ToolBarAutoQuit=No EnableLogonMainMenu=No
Desktop=No
AutoLoad=2 VerifySignature=yes
ConnectionBroker=MICROSOFT \
host=https://rds.externaldomain.com AutoConnectList="Desktop Resources"
SessionConfig=all \
Reconnect=0
SessionConfig=rdp \
EnableNLA=yes EnableRecord=no EnableRFX=yes EnableTSMM=no ForceSpan=no enablegfx=no EnableUDP=yes EnableVOR=yes USBRedirection=rdp defaultcolor=2 MaxBmpCache=128 RDPScreenAlign4=no AutoDetectNetwork=yes EnableRdpH264=yes 

Tuesday, September 18, 2018

Office 365 "Belongs to:" incorrect / activation

When re-provisioning laptops and desktops that utilize Office 365 installations the subscription login doesn't update properly. Although this can be fixed, as suggested by many, by logging into the old user's OWA account, Install Status, and deactivating, this doesn't help any when the user account no longer exists.
The user can wait the 31 days until it begins to complain that it's unlicensed, but that's not good product administration in my opinion. I don't want my users to have to worry about it, period.

Logging out on the account page and logging back in also does not update the "belongs to" field.

Options:

  • Reinstall Office - wow, what a waste of time for something that should be easy
  • Do an online repair - Again, this works, but it takes awhile depending on your connection.
  • Run a quick script - YAY (but again, what the heck is MS thinking, this should be easy!)
Thanks to our good friends over at Spiceworks and in particular Marcragusa for this post.

Additionally, there is a lot out there covering this once you know it's an issue.

Open up a cmd prompt as administrator, then run:
  • cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" /dstatus
  • cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" /unpkey:XXXXX   (XXXXX = the last 5 characters of the key reported by /dstatus)

I have to do this fairly often so I slapped together a weak powershell file with this. Since I'm not overly skilled with PS I have to retype the last 5 of the key back in, but at least I don't have to remember the commands. Maybe someone can take the output of the first one and pull out the last 5 for the second command automagically.

# Show the installed licences and the last 5 characters of each product key
$ospp = "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs"
cscript.exe $ospp /dstatus
$prodkey = Read-Host "Enter the last 5 characters of the product key"
# Remove the key that was entered
cscript.exe $ospp /unpkey:$prodkey
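The "automagic" version the post asks for, as an added example and not the post's own script: it parses the /dstatus output for every "Last 5 characters of installed product key" line and offers to run /unpkey for each. It assumes the 32-bit Office16 path from the post; change $ospp for other installs.

```powershell
# Added example (not from the original post): parse ospp.vbs /dstatus and remove keys without retyping them.
# Assumed path: 32-bit Office 16 as in the post. Adjust for 64-bit Office or other versions.
$ospp = Join-Path ${env:ProgramFiles(x86)} 'Microsoft Office\Office16\ospp.vbs'
if (-not (Test-Path $ospp)) { throw "ospp.vbs not found at $ospp" }

function Get-OsppInstalledKeys {
    param([string]$ScriptPath)
    # Each licence block printed by /dstatus has a LICENSE NAME line and ends with the last-5 line.
    $lines = & cscript.exe //NoLogo $ScriptPath /dstatus
    $license = ''
    foreach ($line in $lines) {
        if ($line -match '^LICENSE NAME:\s*(.+)$') {
            $license = $Matches[1].Trim()
        }
        elseif ($line -match '^Last 5 characters of installed product key:\s*([A-Z0-9]{5})') {
            [pscustomobject]@{ License = $license; Last5 = $Matches[1] }
        }
    }
}

$keys = @(Get-OsppInstalledKeys -ScriptPath $ospp)
if ($keys.Count -eq 0) {
    Write-Host 'No installed product keys reported by /dstatus.'
    return
}
$keys | Format-Table -AutoSize

# Confirm each removal so a shared machine with several licences is not stripped by accident.
foreach ($k in $keys) {
    $answer = Read-Host "Remove key ending in $($k.Last5) ($($k.License))? [y/N]"
    if ($answer -match '^[Yy]') {
        & cscript.exe //NoLogo $ospp "/unpkey:$($k.Last5)"
    }
}
```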

Monday, July 30, 2018

Office 365 Outlook prompts for password

We have a deployment of Office 365 with ADConnect SSO enabled. Additionally, with the implementation of modern authentication (MA) we have set the flag to true. https://support.office.com/en-gb/article/enable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662

We also enabled MA for Skype online even though we do not use it fully currently.

More info on Modern Authentication:

We started seeing issues where Outlook would prompt for a password, especially after a password change. After much searching we found the following registry keys that are recommended by MS when MA is utilized, in order to force Outlook to use MA.

We deployed the keys with GPO Preferences.
Outlook:
Key: HKEY_CURRENT_USER\Software\Microsoft\Exchange
Value: AlwaysUseMSOAuthForAutoDiscover (DWORD) = 1

Skype for Business:
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync
Value: AllowAdalForNonLyncIndependentOfLync (DWORD) = 1


Update: 
We've had a few users where this issue started again. 
Settings - Accounts - Access Work or School - select user - disconnect.  Fixes every time, instantly so far.

Wednesday, July 11, 2018

Windows 10 Fall Creators Update 1709 fails to apply (update 1803 I experienced same issue)

I recently had a number of Dell Latitude e7450 laptops that would rollback the installation of 1709. I also had several of the exact same model laptop that installed successfully.
In most cases I would be left with no indication of why it failed. I attempted installation from WSUS, Windows Update Assistant, and Windows Media Creation to USB.

I updated drivers, BIOS, all applications, removed AV (note: most succeeded with AV), repaired Windows Update, renamed the SoftwareDistribution folder, etc., all to no effect.

Only when using the Windows Media Creation tool and then running the update from USB did it give me any workable indication of what was going wrong. (double click setup from the USB drive)

"We couldn't install Windows 10.  We've set your PC back to the way it was right before you started installing.  0x8007042B - 0x3000D  The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation"



That helps! MS even gives a "click here" for troubleshooting codes that pertain. Unfortunately, none of them is this code.  Google foo gave some info and a short time later I was looking at the C:\Windows\Panther\ folder, in particular C:\Windows\Panther\NewOs\Panther\setuperr.log.

Almost at the very bottom I found a line stating:
Error WRITE, 0x000000B7 while gathering/applying object: File, C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Will return 0[gle=0x00000002]
Error 183 while applying object C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Shell application requested abort[gle=0x00000002]
Abandoning apply due to error for object: C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk][gle=0x00000002]
Apply failed. Last error: 0x00000000

The recent folder under AppData\Roaming\Microsoft\Windows ended up being the issue for every computer that I had issues updating to 1709 or 1803!


Cleanup profile:
I went to the path in question and dumped the entire recent folder.  Started upgrade again and success!
What a pain; why can't the error descriptions be descriptive and helpful?
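An added example (not part of the original post) that pulls the failing object out of setuperr.log so you do not have to scroll to the bottom by hand. It assumes the log path quoted above and falls back to a constructed sample built from the lines in the post when that file is absent.

```powershell
# Added example (not from the original post): report the object that made MIGRATE_DATA abort.
function Find-MigrateDataFailure {
    param([string[]]$Lines)
    # Real setuperr.log lines carry a "date, Error  SP" prefix; the patterns anchor on the message text only.
    $abandon = 'Abandoning apply due to error for object:\s*(?<dir>[A-Za-z]:\\.+?)\s*\[(?<file>[^\]]+)\]'
    $write   = 'Error WRITE, (?<code>0x[0-9A-Fa-f]+) while gathering/applying object'
    $lastCode = $null
    foreach ($line in $Lines) {
        if ($line -match $write) { $lastCode = $Matches['code'] }
        if ($line -match $abandon) {
            $dir = $Matches['dir']
            # 0xB7 (183) is ERROR_ALREADY_EXISTS: migration could not recreate an item that already exists.
            $hint = if ($dir -like '*\AppData\Roaming\Microsoft\Windows\Recent') {
                'Clear this profile''s Recent folder and retry the upgrade'
            } else {
                'Inspect this object before retrying'
            }
            [pscustomobject]@{
                Directory = $dir
                File      = $Matches['file']
                Win32Code = $lastCode
                Hint      = $hint
            }
        }
    }
}

# Constructed sample modelled on the log excerpt in the post (not a real capture).
$sample = @'
Error WRITE, 0x000000B7 while gathering/applying object: File, C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Will return 0[gle=0x00000002]
Error 183 while applying object C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Shell application requested abort[gle=0x00000002]
Abandoning apply due to error for object: C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk][gle=0x00000002]
Apply failed. Last error: 0x00000000
'@ -split "`r?`n"

$log   = 'C:\Windows\Panther\NewOs\Panther\setuperr.log'
$lines = if (Test-Path $log) { Get-Content $log } else { $sample }
Find-MigrateDataFailure -Lines $lines | Format-List
```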

Thursday, June 7, 2018

Office 365 - Add Shared Mailbox's Calendar to mobile device

With all the recent changes to Office 365 I found that it's become confusing as to how to easily add a Shared Mailbox OR Room Calendar to a user's mobile device.  This works for both the native iOS calendar app and the Outlook for iOS / Android app.

This post goes over the new features
Calendar Sharing in Office 365

Additionally, this post goes over sharing your calendar!
Share your calendar in Outlook on the web for business

And finally, this has instructions for opening a shared mailbox in a separate window so that you can access the necessary share button, which is a critical step.
Open and use a shared mailbox in Outlook Web App

Natively, when you create a new Shared or Room mailbox and assign delegates from the O365 Admin portal the new mailboxes / calendars will automatically show up in your Outlook for PC application after a short period.  They do not however automatically show up on your mobile device.  Instead, you must access the Shared / Room mailbox directly and add each user as a delegate which in turn emails an invitation to the users.  The user must then accept the invite from the mobile device which will add it to all of their mobile devices.



  1. First, we've created the Shared mailbox we want and added the "members".  This will automatically add the mailbox / calendar to those users' Outlook for PC application.
  2. Log into OWA with an account that has permission to the Shared Mailbox / Room that was just created.  Click the user account in the top right corner.  Click the "Open another mailbox..." option.
  3. Type in the name of the mailbox / room and ensure it finds it in the list.  If you don't have the proper permissions then you'll get an error "Something went wrong".  It can take some time after assigning permissions to yourself before they properly propagate.
  4. The mailbox will open in a new window.  Open the calendar.
  5. Click the Share button at the top middle.  This will open up the "Share this calendar:Calendar" window.
  6. Search for the person you want to add and give them the proper permission level.  Then click "Share".
  7. This will send an email invitation to the user. They will need to open the email invitation from a mobile device!
  8. From the iOS native app the calendar is listed.
  9. Or from Outlook for iOS / Android.
  10. If the user wants to remove the calendar they can click on the i / information option on the right side (iOS) or the settings gear (Outlook for iOS / Android) and at the bottom is the remove option.

Hopefully MS will in future give the option of having these calendars auto-deploy to mobile devices the same way (or similar) it does with Outlook for PC.

Thursday, March 29, 2018

Veeam Backup Error Code 32768

Last night we received the following error on a previously working server.

Failed to create VM recovery checkpoint (mode: Veeam application-aware processing) Details: Job failed (''). Error code: '32768'.
Failed to create VM recovery snapshot, VM ID 'f74ddb15-6900-4f62-ad2a-31ed600531f1'.  

Environment:
Host: Windows Server 2016
VM: Windows Server 2016 - hosting Quickbooks database manager and Azure AD Connect

Changes:
Several updates had been applied to the server the day prior.  Additionally, AD Connect had been updated to version 1.1.750


Additional error from eventvwr: 
Log Name:      Application
Source:        VSS
Event ID:      8229
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Description:
A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error.  If the backup process is retried,
the error is likely to reoccur.
. Changes that the writer made to the writer components while handling the event will not be available to the requester. Check the event log for related events from the application hosting the VSS writer. 

Some googling ended up with this hit: http://www.insidetechnologies.eu/en/blog/veeam-backup-replication-9-5-error-code-32768/

Open the appwiz.cpl, select "Microsoft SQL Server 2012 Express LocalDB" and repair.  This will require a reboot.

We are now able to create checkpoints of the VM again without issue.

Wednesday, November 1, 2017

Chrome Browser - prevent / restrict user sign in

In the past I've always forced my end users to use IE.  This made sense as IE is integrated with Windows and could be heavily managed by GPO and other domain settings.
More and more I found myself personally going to Chrome for tasks since it "worked better".  So, I finally admitted (few years back actually) that maybe it makes sense for me to loosen up a bit and let the end users in on Chrome in the workplace as well.

As with all good things, that pain in the arse comes along with them as well.  Google of course wants users to utilize its services, and logging into the Chrome browser helps simplify this.  But in the workplace this may not be a great thing, to have end users purposely or accidentally logging into their personal Gmail (or even other company G Suite) accounts.

One would think a simple google search would yield lots of results on how to prevent login to Chrome browser, but for me at least I only found lots of irrelevant junk.  Perhaps I need to work on my googlefoo.

At one time the Chrome ADM templates had a setting called "Allow sign-in to chrome" or something to that effect.  Fairly obvious and easy to find.  That has since been removed.

NOW there is a setting in the ADMX labeled "Restrict which users are allowed to sign in to Google Chrome".  This is the new setting that we want.  Found under the following after you add your ADMX template.
Computer Configuration/Administrative Templates/Google/Google Chrome  (also under User Config if that meets your needs better)

Enable the setting, put in a bogus expression (or your organization's matching expression if you utilize Google business apps) and deploy to computers or users depending on your needs.


Users can now attempt to login to Chrome and they are greeted with a lovely "you can't do that"


Funny enough I found that I could go to other Google services, for instance blogspot, and login.  But then once I tried to go away from blogspot to say, gmail, it choked.

Wednesday, November 2, 2016

Powershell - FSMO Roles

Viewing FSMO with Powershell
Get-ADDomainController -Filter * | ForEach-Object {$_.Name; $_.OperationMasterRoles; Write-Host}


Transferring FSMO roles with Powershell
Move-ADDirectoryServerOperationMasterRole -Identity servername -OperationMasterRole InfrastructureMaster, RIDMaster, DomainNamingMaster, PDCEmulator, SchemaMaster

Tuesday, July 19, 2016

WSUS Error: Connection Error after KB3148812 and KB3159706

After getting a WSUS server up to date the console no longer worked.

The error is very uninformative...


Log Name:      System
Source:        Service Control Manager
Date:          7/18/2016 10:39:15 AM
Event ID:      7034
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      
Description:
The WSUS Service service terminated unexpectedly.  It has done this 3 time(s).


The proper fix for both of these KBs, which you SHOULD install:
https://support.microsoft.com/en-us/kb/3159706

Also, don't forget that if you are not using SSL for WSUS you should be!