KB4464330 For Windows 10 Version 1809 Released By Microsoft

Microsoft released KB4464330 for Windows 10 version 1809 to fix the issue that resulted in the deletion of user profiles when upgrading to version 1809. After the release of Windows 10 1809 (October update), many users reported a serious issue with this update: as they installed it, the upgrade process wiped out the data in their user profile. This included documents, pictures, and personal files along with other installed programs. After the upgrade, the data could not be found, which annoyed Windows 10 users.

The statement from Microsoft:

“We have paused the rollout of the Windows 10 October 2018 Update (version 1809)* for all users as we investigate isolated reports of users missing some files after updating.”

https://support.microsoft.com/en-us/help/4464619/windows-10-update-history

A week later, MS released an update for the issue. The update will be delivered by your update management solution, like WSUS or Windows Update for Business. For a manual download, visit the MS Update Catalog: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4464330%20


This KB addresses the following changes:

  • Addresses an issue where an incorrect timing calculation may prematurely delete user profiles on devices subject to the “Delete user profiles older than a specified number of day” group policy.
  • Security updates to Windows Kernel, Microsoft Graphics Component, Microsoft Scripting Engine, Internet Explorer, Windows Storage and Filesystems, Windows Linux, Windows Wireless Networking, Windows MSXML, the Microsoft JET Database Engine, Windows Peripherals, Microsoft Edge, Windows Media Player, and Internet Explorer.

https://support.microsoft.com/en-us/help/4464330/windows-10-update-kb4464330

 

Configure Device Registration with Azure AD Connect

Azure AD Connect is a great tool to onboard your on-premises identities to the Azure Cloud. If you want to use a Hybrid Join of your Windows 10 devices – local domain join & Azure AD join – you can configure Device Registration. What is the benefit if you enable this option?

PREPARE

For the last few versions, Azure AD Connect has let you use the wizard to configure the necessary options. First of all, make sure you use the latest version of Azure AD Connect. You can also check the auto-upgrade setting of the engine by running this PowerShell command on the server where AAD Connect is installed:

Get-ADSyncAutoUpgrade
Further information can be found here.

CONFIGURE AZURE AD CONNECT

Run Azure AD Connect – Configure – and select “Configure device options”


On the “Overview” page click Next.
On the “Connect to Azure” page enter your Global Admin credentials and click Next.
On the “Device options” page select “Configure Hybrid Azure AD Join” and click Next.


In the next step you configure the Service Connection Point (SCP), which helps your Windows 10 devices find the necessary Azure tenant information. To configure the SCP you need to provide Enterprise Admin credentials. If you cannot provide these credentials during the wizard, you can download the script to set the SCP in a later phase or offline.


This step also helps you verify your current configuration: AAD Connect checks the configuration present in your AD. You can do that manually in ADSI Edit. Connect to the configuration naming context and then load the CN: “CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=xy,DC=xy”


Back to the wizard, provide the Enterprise Admin credentials and click “Next”.


Device Registration is also supported for Windows downlevel devices, like Windows 10 builds prior to 1607, Windows 8.1, 8 & 7. For further information regarding downlevel devices visit the docs.microsoft.com page.


This will configure the Device Registration for a Hybrid Join. Click configure.


This will complete your On-Prem configuration for Device Registration.


POST CONFIGURATION TASKS

https://docs.microsoft.com/de-ch/azure/active-directory/connect/active-directory-azure-ad-connect-hybrid-azure-ad-join-post-config-tasks

Check out point 10 of the post-configuration tasks. You should create a GPO to make sure your devices get Hybrid joined in Azure:

  • Create a new GPO and Name it
  • Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration
  • Select : Register domain-joined computers as devices
  • OK
  • Link the policy to your Windows 10 Devices

 

#ConfigMgr and Unknown Computer – SMSPXE.log displays a “Rejected” entry

Hi everybody!

Let’s talk about Unknown Computer Support in ConfigMgr Current Branch. I’m personally not a big fan of this feature, but some customers have a requirement to enable this option and that’s OK.

In one case we had to enable this because the customer failed to get a hardware list from his hardware vendor and was not able to do a bulk import of the devices to ConfigMgr. So we decided to build a service which uses PowerShell in a WIM to create a computer asset in the CMDB. Another reason to enable “Unknown Computer” support can be the issue with DELL SMBIOS GUIDs.
If you boot some DELL devices (also new models like Latitude 7280), you receive a different SMBIOS GUID on the screen of the device compared to the one you get with WMI or in the SMSPXE.log of the Distribution Point. Here is an example:

(Screenshots: the SMBIOS GUID on the DELL screen and the one in SMSPXE.log.)

This can be a reason to enable Unknown Computer support. But I’m still not a fan of it. Why? Normally when you PXE boot an Unknown Computer it will create a new entry in the Console called “Unknown”. To find all the current Unknown devices select the Devices and filter them by “Unknown”:


But not all devices are listed, for some reason, and I couldn’t find out why. Reply to me if you have some information about this.

If you now would like to boot the device again as Unknown, you won’t be able to, and the SMSPXE.log will show you a “Rejected” message for the specific SMBIOS GUID.

No advertisement found, No boot action, Rejected, Not serviced

You can run any query to find the MAC or the SMBIOS GUID of the device in the Console (GUI), but you won’t find any entries.
To get that sorted, start SQL Management Studio and navigate to your CM_SiteCode database. There select “Tables” and scroll down to the table called dbo.LastPXEAdvertisement. You can right-click the table and show the first 1000 entries. This will list a few entries, and hopefully your SMBIOS GUID will be listed there.

Run the following query to get your SMBIOS GUID (for your own use, change the DB name and the GUID):

select * from [CM_ABC].[dbo].[LastPXEAdvertisement]
where
SMBIOS_GUID = '4C4C4544-0037-4E10-8047-B4C04F425331'

To delete the PXE flag for the Unknown device run the following script:
Be careful with deleting entries from any databases. This is a workaround. Make sure you’re aware of what you do!

delete from [CM_M01].[dbo].[LastPXEAdvertisement]
where
SMBIOS_GUID = '4C4C4544-0037-4E10-8047-B4C04F425331'

This is how you will be able to boot the device again as an Unknown Computer. Each PXE flag also gets an Advertisement ID from your deployed Task Sequence. You can find this entry in the same table under LastPXEAdvertisementID.

Hope this helps.

 

Disable OneDrive in #Windows10 1607 and #Office365

I know, most of you (including me) are using OneDrive or OneDrive for Business in your environment. But in some cases customers won’t allow users to save stuff on OneDrive or won’t let them connect to this service.

If you plan to disable OneDrive in Windows 10 1607 and Office365 Version 16 you have to consider two steps: the first is disabling it in the File Explorer of Windows 10, and the second is preventing Office from offering to save stuff to OneDrive.

All that can be done using a single group policy. Create a group policy and name it with your preferred naming convention. If you use loopback mode you can use just one policy for computer and user settings.

First: Navigate to Computer Configuration\Administrative Templates\Windows Components\OneDrive\ and enable “Prevent the usage of OneDrive for file storage”. This disables OneDrive in File Explorer and removes the cloud icon in the status bar of your Windows clients.


Second: Navigate to User Configuration\Preferences\Windows Settings\Registry and add a new Registry item. Create a new key with the following settings:

Hive: HKEY_CURRENT_USER
Key path: Software\Microsoft\Office\16.0\Common\Internet
Value Name: OnlineStorage
Value Type: REG_DWORD
Value: 3
Base: Decimal


This key disables the option to save files on additional online storage such as OneDrive. Of course you won’t be able to use SharePoint Online as well. Assign the policy to your computers and test it.

The result in the Office365 applications such as Word, Excel, PowerPoint, etc… is like that:

(Save as)

Thanks for the hint @ericatoelle on http://ericatoelle.com/2016/manage-save-as-locations-in-office-2016/

Let me know if you have any questions regarding this.

 

 

 

ConfigMgr 1511 MP Troubleshooting – HTTP test request failed, status code is 403. “Forbidden” – Managing MAC OSx

I recently faced the following issue, “HTTP test request failed, status code is 403. ‘Forbidden’”, on a Management Point and was not able to connect Mac OS X devices to the MP. To fix this issue, I followed the steps below, and maybe you can do the same.

Issue

We have HTTPS enabled on the Management Point for managing Mac OS X clients, and it is still not able to authenticate. Due to this it is reporting this error.

The MPControl.log is reporting following error:
“Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden” “HTTP test request failed, status code is 403. ‘Forbidden’”


Solution

Look at the IIS log files under your inetpub folder for more details on the error. The log files are located under (C or D drive) \inetpub\logs\Logfiles\W3SVC1

The log line shows error code 403 13, which indicates an issue with the Client Certificate Revocation (CRL) check on IIS.
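
To pull the 403 13 entries out of a log file instead of scrolling through it, the following PowerShell parses the W3C log format by its #Fields header and lists the affected clients. It is an added example, not part of the original post; the function name Get-IisSubStatusHit and the sample log lines are constructed for illustration.

```powershell
# Added example. $sample is constructed W3C log content (not from the original post).
# The constructed sc-win32-status 2148081683 is 0x80092013 (CRYPT_E_REVOCATION_OFFLINE).
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status sc-substatus sc-win32-status
2016-01-06 09:12:01 192.0.2.10 GET /SMS_MP/.sms_aut 443 192.0.2.55 403 13 2148081683
2016-01-06 09:12:05 192.0.2.10 GET /SMS_MP/.sms_aut 80 192.0.2.56 200 0 0
2016-01-06 09:13:40 192.0.2.10 CCM_POST /ccm_system/request 443 192.0.2.55 403 13 2148081683
2016-01-06 09:14:02 192.0.2.10 GET /SMS_MP/.sms_aut 443 192.0.2.57 403 7 0
'@

function Get-IisSubStatusHit {
    param([string[]]$Line, [int]$Status = 403, [int]$SubStatus = 13)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # The #Fields header sets the column order and may reappear mid-file.
            $fields = @(($l -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if ($l.StartsWith('#') -or -not $l.Trim() -or $fields.Count -eq 0) { continue }
        $cols = @($l.Trim() -split ' ')
        if ($cols.Count -ne $fields.Count) { continue }   # skip truncated rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['sc-status'] -eq "$Status" -and $row['sc-substatus'] -eq "$SubStatus") {
            [pscustomobject]@{
                Time   = '{0} {1}' -f $row['date'], $row['time']
                Client = $row['c-ip']
                Port   = $row['s-port']
                Uri    = $row['cs-uri-stem']
                Win32  = '0x{0:X8}' -f [uint32]$row['sc-win32-status']
            }
        }
    }
}

# Real use: Get-IisSubStatusHit -Line (Get-Content <path to the log file>)
$hits = Get-IisSubStatusHit -Line ($sample -split "`r?`n")
$hits | Sort-Object Client, Time | Format-Table -AutoSize
```

With the sample above, only the two requests from 192.0.2.55 are listed; the 403 7 and 200 rows are ignored.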


To fix this issue, disable the revocation check. Client Certificate Revocation is enabled by default. We need to delete all existing bindings on IIS and re-add them. The easiest way to do this is using the netsh command.

  1. Run the below command line and make a note of the details
    netsh http show sslcert
  2. Delete existing SSL bindings
    netsh http delete sslcert ipport=0.0.0.0:443
  3. Re-add the SSL binding and disable the CRL check
    netsh (enter)
    http add sslcert ipport=0.0.0.0:443 certhash=6cfa619aa7cb9eed29d1ccb0ec783ee40d20281c appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=My verifyclientcertrevocation=disable
  4. Run “netsh http show sslcert” again to check the status of the CRL check
  5. Check the mpcontrol.log. The error is gone.
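
A binding with the revocation check disabled accepts client certificates that have since been revoked, so it helps to keep track of where this workaround is in place. This added example (not part of the original post) automates the check from step 4 by parsing the output of netsh http show sslcert; the function name Get-SslBindingRevocation is hypothetical, the sample output is constructed and abridged, and the parsing assumes English-locale netsh output.

```powershell
# Added example. $sample is constructed, abridged English-locale output of
# "netsh http show sslcert"; the first binding uses the values from the post,
# the second binding's hash and appid are made-up placeholders.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 6cfa619aa7cb9eed29d1ccb0ec783ee40d20281c
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Verify Client Certificate Revocation : Disabled

    IP:port                      : 0.0.0.0:8443
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Verify Client Certificate Revocation : Enabled
'@

function Get-SslBindingRevocation {
    param([string[]]$Line)
    $bindings = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($l in $Line) {
        # Lines look like "key : value"; the key itself may contain a colon (IP:port).
        if ($l -match '^\s*(.+?)\s+:\s+(.*)$') {
            $key, $value = $Matches[1], $Matches[2].Trim()
            if ($key -in 'IP:port', 'Hostname:port') {
                $current = @{ Binding = $value }   # a new binding block starts here
                $bindings.Add($current)
            } elseif ($null -ne $current) {
                $current[$key] = $value
            }
        }
    }
    foreach ($b in $bindings) {
        [pscustomobject]@{
            Binding         = $b['Binding']
            CertHash        = $b['Certificate Hash']
            AppId           = $b['Application ID']
            RevocationCheck = $b['Verify Client Certificate Revocation']
        }
    }
}

# Real use: Get-SslBindingRevocation -Line (netsh http show sslcert)
$report = Get-SslBindingRevocation -Line ($sample -split "`r?`n")
$report | Where-Object { $_.RevocationCheck -ne 'Enabled' } | Format-List
```

With the sample above, only the 0.0.0.0:443 binding is reported, which is the one the workaround changed.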

Try again to connect your Mac OS X ConfigMgr client to your ConfigMgr Primary Site Server. You should now be able to connect. Your Mac will also appear in the ConfigMgr console.


Connection to ConfigMgr established:


Now manage your Mac under “Devices” in the ConfigMgr Console.

Use this as a workaround if you’re not able to publish the CRL for your Site Servers.

Enjoy ConfigMgr!

 

How to deploy Remote Desktop Services 2012 R2 Certificates using internal CA #RDS

Hi –  It’s me, Al

Blog post updated: July 19th 2017

Remote Desktop Services (RDS) on Windows Server 2012 R2 has been on the market for a while now. Let’s have a look at the 2012 R2 Certificate configuration (for a Lab).

First we have to create a template on the internal Certificate Authority (CA). We use a Workstation Authentication Template for that. Open your CA Manager – Certificate Templates – Manage

Duplicate the “Workstation Authentication” Template.