Windows 10 – Group Policy Objects (GPO) not applied

I was working with Windows 10 (version 1511), had fully patched the client, and to my surprise on some Windows 10 machines the Group Policy Objects (GPO) were not applied.

I did a little searching and it seems that Microsoft has pushed two updates (MS15-011 and MS15-014) that harden the Group Policy process. Actually they harden Kerberos authentication to network shares, and the NETLOGON and SYSVOL folders are network shares.

The updates are described by the PFE team here.

But why does it work on Windows 7, 8 and 8.1 and NOT on Windows 10?

First of all, UNC hardening is disabled by default in Windows 7, 8 and 8.1 and enabled by default in Windows 10!

Furthermore, Microsoft Support confirmed that there is a bug in Windows 10 and that they will provide a hotfix once they have fixed it.

Until then the only workaround is to disable UNC hardening for the NETLOGON and SYSVOL shares in the registry, which puts those two shares back to the behaviour they had before the updates.

And it can be done this way:

Under the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths create a value whose name is the UNC path and whose data is the setting string:

  \\*\SYSVOL    (REG_SZ)  "RequireMutualAuthentication=0"
  \\*\NETLOGON  (REG_SZ)  "RequireMutualAuthentication=0"

And the Windows 10 machines start talking to the logon shares again 😉

Follow the Microsoft thread here.
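An added example (not from the original post) that reports the UNC hardening state of the two logon shares, so you can see whether the registry workaround above is active on a machine and remember to remove it once the hotfix is installed. Run it from an elevated prompt; it only reads the registry.

```powershell
# Added example, not from the original post: audit the HardenedPaths entries for the
# logon shares. Each value under the key is named after a UNC pattern; its REG_SZ data
# is a comma-separated list such as "RequireMutualAuthentication=1, RequireIntegrity=1".
$hardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-HardenedPathState {
    param([Parameter(Mandatory)][string]$Share)   # e.g. '\\*\SYSVOL'

    $props = Get-ItemProperty -Path $hardenedPathsKey -ErrorAction SilentlyContinue
    $entry = if ($props) { $props.PSObject.Properties[$Share] } else { $null }

    if (-not $entry) {
        # No explicit entry: the OS default applies (enabled on Windows 10, disabled on 7/8/8.1).
        return [pscustomobject]@{ Share = $Share; Configured = $false; MutualAuthRequired = 'OS default'; Raw = '' }
    }

    $settings = @{}
    foreach ($pair in ([string]$entry.Value -split ',')) {
        $parts = $pair.Trim() -split '=', 2
        if ($parts.Count -eq 2) { $settings[$parts[0].Trim()] = $parts[1].Trim() }
    }

    [pscustomobject]@{
        Share              = $Share
        Configured         = $true
        # "0" is the workaround from this post; anything else keeps mutual authentication on.
        MutualAuthRequired = ($settings['RequireMutualAuthentication'] -ne '0')
        Raw                = [string]$entry.Value
    }
}

'\\*\SYSVOL', '\\*\NETLOGON' | ForEach-Object { Get-HardenedPathState -Share $_ } | Format-Table -AutoSize
```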

Microsoft Failover Cluster – Requested resource is in use – Disk Manager

So I made the 'mistake' of destroying a Microsoft Failover Cluster and thinking Windows would release my disks. Well, I was wrong!

I went to Disk Manager and saw my disks as 'Online', 'Primary' and 'RAW'.

And of course I could not access the disks from Explorer; it gave me a nice error.
OK, off to Disk Manager to wipe the disk.

No go:

But wait, in USE??

So something must have gone wrong.
A TechNet search gave me this: http://technet.microsoft.com/en-us/library/ee461016.aspx

There is a command for releasing disks that still need releasing after a cluster destroy, or even after an ungraceful shutdown!

Open PowerShell and enter:

Clear-ClusterDiskReservation -Disk <DiskNumber>

A refresh of Disk Manager showed my disk again and it became visible in Explorer, yeah!
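An added example (not from the original post) that wraps the command above with the one check you want before running it: it refuses to clear reservations while this node still belongs to a live cluster, and supports -WhatIf. It assumes the FailoverClusters module is still installed and that the disk numbers are the ones Disk Manager shows.

```powershell
# Added example, not from the original post: clear stale SCSI persistent reservations
# left behind by a destroyed cluster, but only when no cluster answers on this node.
Import-Module FailoverClusters

function Clear-StaleDiskReservation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][uint32[]]$DiskNumber)   # numbers as shown in Disk Manager

    # A reservation on a disk that a live cluster still owns is not "stale": clearing it
    # can corrupt that cluster's volume, so bail out if Get-Cluster finds one.
    $cluster = Get-Cluster -ErrorAction SilentlyContinue
    if ($cluster) {
        throw "This node is still a member of cluster '$($cluster.Name)'; destroy or evict first."
    }

    foreach ($n in $DiskNumber) {
        if ($PSCmdlet.ShouldProcess("Disk $n", 'Clear persistent reservation')) {
            Clear-ClusterDiskReservation -Disk $n -Force
        }
    }
}

# Dry run first, then for real (refresh Disk Manager afterwards):
# Clear-StaleDiskReservation -DiskNumber 2, 3 -WhatIf
# Clear-StaleDiskReservation -DiskNumber 2, 3
```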

WSUS Server 2012 R2 Windows 10 Feature Updates not found

So you are on Server 2012 R2 and have a WSUS server to serve your updates to your Windows 10 clients. Perfect!
But now you need to deploy the feature upgrades (e.g. version 1511).

Well, first you have to deploy a hotfix to your WSUS server (https://support.microsoft.com/en-us/kb/3095113).

About this hotfix:

This hotfix enables Windows Server Update Services (WSUS) on a Windows Server 2012-based or a Windows Server 2012 R2-based server to sync and distribute feature upgrades for Windows 10. This hotfix is not required to enable WSUS to sync and distribute servicing updates for Windows 10.

And here it comes:

This update must be installed before you sync the upgrades classification. Otherwise, you might encounter issues when you synchronize and distribute feature upgrades for Windows 10. For more information, see the Important update for WSUS 4.0 (KB 3095113).

Uhhh wait, I did not RTFM…..

At least I can see the updates:

But when I deploy them, my clients all come back with the message 'File not found' (or WSUS error 0x8024200D or 0x80246007). And of course they all report failure back. Nice, now everything is red.

But the fix is easy. The new feature updates are delivered as .esd files, and the IIS instance of WSUS doesn't know what to do with them, so they are not downloaded!

See in the WSUS console under 'File Information'.

Just go to the WSUS site in IIS Manager and add the right MIME type for .esd.

This is application/octet-stream.

Adding it on just the Content directory will suffice.

Not even a reboot or anything is needed.

And now the clients are downloading the feature updates and installing them!
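An added example (not from the original post) that makes the same MIME change from PowerShell and is safe to run twice: it only adds the mapping when none exists yet. It assumes the default WSUS site name "WSUS Administration"; adjust $contentPath if yours is different.

```powershell
# Added example, not from the original post: map .esd to application/octet-stream on the
# WSUS Content virtual directory only, skipping the change if a mapping already exists.
Import-Module WebAdministration

$contentPath = 'IIS:\Sites\WSUS Administration\Content'   # assumption: default site name

function Set-WsusEsdMimeType {
    param(
        [string]$PSPath    = $contentPath,
        [string]$Extension = '.esd',
        [string]$MimeType  = 'application/octet-stream'
    )

    # A mapping inherited from the server level also satisfies this query, so we never
    # add a duplicate <mimeMap>, which IIS would reject as a duplicate collection entry.
    $filter   = "system.webServer/staticContent/mimeMap[@fileExtension='$Extension']"
    $existing = Get-WebConfiguration -PSPath $PSPath -Filter $filter

    if ($existing) {
        return "$Extension is already mapped to $($existing.mimeType) for $PSPath"
    }

    # Writes a <mimeMap> into the web.config of the Content directory; IIS picks it up
    # immediately, so no iisreset and no reboot, matching what the post describes.
    Add-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/staticContent' `
        -Name '.' -Value @{ fileExtension = $Extension; mimeType = $MimeType }
    return "$Extension mapped to $MimeType for $PSPath"
}

Set-WsusEsdMimeType
```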

LayoutModification.xml file not working for customizing StartMenu Windows 10

So you are in the process of developing a Windows 10 image, nice!

You want to customize your Start menu, nice!

You have built a reference machine and exported the Start menu layout file, as described here:
https://msdn.microsoft.com/en-us/library/windows/hardware/mt171092(v=vs.85).aspx

We know how to do that with PowerShell:

Export-StartLayout -Path C:\Export\MyStartMenu.xml

And in your task sequence you import the file again with PowerShell:

Import-StartLayout -LayoutPath C:\Import\MyStartMenu.xml -MountPath $env:SystemDrive\

(or you can rename your MyStartMenu.xml file to LayoutModification.xml and xcopy it to C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\)

xcopy /e /s /y /h /i "%~dp0LayoutModification.xml" "C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml"

OK, you do a deployment, log on with a new user who has no profile on the computer, open up the Start menu and... nothing, still the default Start menu!

Like this:

[Screenshot: Windows 10 Original StartMenu]

But I wanted this:

[Screenshot: Windows 10 Wanted StartMenu]

Well, I found a nasty line in the XML file generated by the PowerShell export.

Export:

[Screenshot: exported XML]

And with this line in place it is NOT working.

Just remove the line and things will start to work! Nice!

Sysprep was not able to validate your Windows installation

On a machine running Windows 8, 8.1 or 10, or even Windows Server 2012, 2012 R2 or 2016, you can get a strange error when sysprepping the machine.

Sysprep was not able to validate your Windows installation.

(Error 0x8007139f)

Normally this is correct, because you can't sysprep an upgraded machine. But I had this on a fresh install.

The error tells me to look in C:\Windows\System32\Sysprep\Panther and open the setupact.log file. So I did:

Error [0x0f0036] SYSPRP spopk.dll:: Sysprep will not run on an upgraded OS. You can only run Sysprep on a custom (clean) install version of Windows.

Error [0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'Sysprep_Clean_Validate_Opk' from C:\Windows\System32\spopk.dll; dwRet = 0x139f

Error SYSPRP SysprepSession::Validate: Error in validating actions from C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml; dwRet = 0x139f

Error SYSPRP RunPlatformActions:Failed while validating SysprepSession actions; dwRet = 0x139f

Error [0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x139f

Error [0x0f00d8] SYSPRP WinMain:Hit failure while pre-validate sysprep cleanup internal providers; hr = 0x8007139f

What we see here is that for some reason Windows thinks it has been upgraded.
OK, now we know that; what is the solution?

Actually pretty easy, in the registry!

Under the HKEY_LOCAL_MACHINE\SYSTEM\Setup key you will find a REG_DWORD value 'Upgrade', probably with data 0 (meaning not an upgrade...).

Just delete the 'Upgrade' value and you are good to go!

Not even a reboot is required.
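An added example (not from the original post) that confirms the symptom in setupact.log and in the registry before touching anything, then removes the stray Upgrade value with -WhatIf support. Run from an elevated prompt; the log path and value name are the ones from the post.

```powershell
# Added example, not from the original post: check for the exact situation described
# above (0x0f0036 in setupact.log plus an Upgrade value under HKLM\SYSTEM\Setup) and
# remove the value only after that check.
$setupActLog = 'C:\Windows\System32\Sysprep\Panther\setupact.log'
$setupKey    = 'HKLM:\SYSTEM\Setup'

function Test-SysprepUpgradeBlock {
    # Log hit and registry state are reported separately so you can see which one is off.
    $logHit = (Test-Path $setupActLog) -and
              (Select-String -Path $setupActLog -Pattern '0x0f0036' -Quiet)
    $value  = Get-ItemProperty -Path $setupKey -Name Upgrade -ErrorAction SilentlyContinue
    $data   = if ($value) { $value.Upgrade } else { $null }
    [pscustomobject]@{
        LogShowsUpgradeError = [bool]$logHit
        UpgradeValuePresent  = ($null -ne $value)
        UpgradeValueData     = $data
    }
}

function Remove-SysprepUpgradeValue {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Test-SysprepUpgradeBlock
    if (-not $state.UpgradeValuePresent) {
        Write-Verbose 'No Upgrade value present; nothing to remove.'
        return $state
    }
    if ($PSCmdlet.ShouldProcess("$setupKey\Upgrade (data $($state.UpgradeValueData))", 'Delete value')) {
        Remove-ItemProperty -Path $setupKey -Name Upgrade
    }
    Test-SysprepUpgradeBlock   # re-read so the caller sees the new state
}

Test-SysprepUpgradeBlock
# Remove-SysprepUpgradeValue -WhatIf   # preview
# Remove-SysprepUpgradeValue           # then for real; no reboot needed before re-running sysprep
```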

Reset Trust Relationship for Domain Computer

When a computer somehow loses its trust relationship with the domain (for instance when it has not connected to the domain for more than 30 days, or when a virtual machine is reverted to a snapshot), the usual steps you have to take are:

  1. Get the computer out of the domain to a workgroup (remember the local admin password!)
  2. Reboot
  3. Rejoin the domain
  4. Reboot

With PowerShell to the rescue it is an easier process:

Test-ComputerSecureChannel -Repair -Credential YourDomain\AdminUser

From Get-Help:

NAME

Test-ComputerSecureChannel

SYNOPSIS

Tests and repairs the secure channel between the local computer and its domain.

SYNTAX

Test-ComputerSecureChannel [-Credential [<PSCredential>]] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable [<System.String>]] [-Repair] [-Server [<String>]] [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION

The Test-ComputerSecureChannel cmdlet verifies that the secure channel between the local computer and its domain is working correctly by checking the status of its trust relationships. If a connection fails, you can use the Repair parameter to try to restore it.

Test-ComputerSecureChannel returns "True" if the secure channel is working correctly and "False" if it is not. This result lets you use the cmdlet in conditional statements in functions and scripts. To get more detailed test results, use the Verbose parameter.

This cmdlet works much like NetDom.exe. Both NetDom and Test-ComputerSecureChannel use the NetLogon service to perform the actions.

RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/p/?linkid=293925

Checkpoint-Computer

Reset-ComputerMachinePassword

Restart-Computer

Stop-Computer

REMARKS

To see the examples, type: "get-help Test-ComputerSecureChannel -examples".

For more information, type: "get-help Test-ComputerSecureChannel -detailed".

For technical information, type: "get-help Test-ComputerSecureChannel -full".

For online help, type: "get-help Test-ComputerSecureChannel -online"
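An added example (not from the original post) that uses the True/False result the help text mentions: it tests the secure channel first and only runs the repair when the channel is actually broken, prompting for the credential instead of putting it on the command line. YOURDOMAIN\AdminUser is a placeholder.

```powershell
# Added example, not from the original post: repair the domain secure channel only when
# Test-ComputerSecureChannel says it is broken, with -WhatIf support.
function Repair-DomainTrustIfBroken {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$DomainUser = 'YOURDOMAIN\AdminUser')   # placeholder, replace with your account

    # The cmdlet returns $true/$false, which is what makes it usable in an if.
    if (Test-ComputerSecureChannel) {
        return [pscustomobject]@{ Repaired = $false; SecureChannelOk = $true }
    }

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Repair domain secure channel')) {
        return [pscustomobject]@{ Repaired = $false; SecureChannelOk = $false }
    }

    # Get-Credential prompts securely; the repair goes through NetLogon, so there is
    # no leave/rejoin of the domain and no reboot, as the post describes.
    $cred = Get-Credential -UserName $DomainUser -Message 'Account allowed to reset this computer account'
    $repaired = Test-ComputerSecureChannel -Repair -Credential $cred

    [pscustomobject]@{ Repaired = $repaired; SecureChannelOk = (Test-ComputerSecureChannel) }
}

Repair-DomainTrustIfBroken -Verbose
```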

Windows Installer Error Codes

When working with Windows MSI installers you sometimes run into some kind of error or message.

Here is an overview of the most common errors and messages. They are usually found at the end of your installer log (always install with logging ;-)), prefaced by "MainEngineThread is returning". This is the place where a zero is most welcome.

Enable logging on installation:

msiexec /I "yourInstaller.msi" /l*v "LOGlocation.log"

(There are versions where you have to use a capital L (/L*v) instead of the lowercase l.)

Value  Error code                          Description
0      ERROR_SUCCESS                       Action completed successfully.
13     ERROR_INVALID_DATA                  The data is invalid.
87     ERROR_INVALID_PARAMETER             One of the parameters was invalid.
120    ERROR_CALL_NOT_IMPLEMENTED          This function is not available for this platform. It is only available on Windows 2000 and Windows XP with Windows Installer version 2.0.
1259   ERROR_APPHELP_BLOCK                 This error code only occurs when using Windows Installer version 2.0 and Windows XP or later. If Windows Installer determines a product may be incompatible with the current operating system, it displays a dialog informing the user and asking whether to try to install anyway. This error code is returned if the user chooses not to try the installation.
1601   ERROR_INSTALL_SERVICE_FAILURE       The Windows Installer service could not be accessed. Contact your support personnel to verify that the Windows Installer service is properly registered.
1602   ERROR_INSTALL_USEREXIT              User cancelled installation.
1603   ERROR_INSTALL_FAILURE               Fatal error during installation.
1604   ERROR_INSTALL_SUSPEND               Installation suspended, incomplete.
1605   ERROR_UNKNOWN_PRODUCT               This action is only valid for products that are currently installed.
1606   ERROR_UNKNOWN_FEATURE               Feature ID not registered.
1607   ERROR_UNKNOWN_COMPONENT             Component ID not registered.
1608   ERROR_UNKNOWN_PROPERTY              Unknown property.
1609   ERROR_INVALID_HANDLE_STATE          Handle is in an invalid state.
1610   ERROR_BAD_CONFIGURATION             The configuration data for this product is corrupt. Contact your support personnel.
1611   ERROR_INDEX_ABSENT                  Component qualifier not present.
1612   ERROR_INSTALL_SOURCE_ABSENT         The installation source for this product is not available. Verify that the source exists and that you can access it.
1613   ERROR_INSTALL_PACKAGE_VERSION       This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
1614   ERROR_PRODUCT_UNINSTALLED           Product is uninstalled.
1615   ERROR_BAD_QUERY_SYNTAX              SQL query syntax invalid or unsupported.
1616   ERROR_INVALID_FIELD                 Record field does not exist.
1618   ERROR_INSTALL_ALREADY_RUNNING       Another installation is already in progress. Complete that installation before proceeding with this install.
1619   ERROR_INSTALL_PACKAGE_OPEN_FAILED   This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.
1620   ERROR_INSTALL_PACKAGE_INVALID       This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.
1621   ERROR_INSTALL_UI_FAILURE            There was an error starting the Windows Installer service user interface. Contact your support personnel.
1622   ERROR_INSTALL_LOG_FAILURE           Error opening installation log file. Verify that the specified log file location exists and is writable.
1623   ERROR_INSTALL_LANGUAGE_UNSUPPORTED  The language of this installation package is not supported by your system.
1624   ERROR_INSTALL_TRANSFORM_FAILURE     Error applying transforms. Verify that the specified transform paths are valid.
1625   ERROR_INSTALL_PACKAGE_REJECTED      This installation is forbidden by system policy. Contact your system administrator.
1626   ERROR_FUNCTION_NOT_CALLED           Function could not be executed.
1627   ERROR_FUNCTION_FAILED               Function failed during execution.
1628   ERROR_INVALID_TABLE                 Invalid or unknown table specified.
1629   ERROR_DATATYPE_MISMATCH             Data supplied is of wrong type.
1630   ERROR_UNSUPPORTED_TYPE              Data of this type is not supported.
1631   ERROR_CREATE_FAILED                 The Windows Installer service failed to start. Contact your support personnel.
1632   ERROR_INSTALL_TEMP_UNWRITABLE       The temp folder is either full or inaccessible. Verify that the temp folder exists and that you can write to it.
1633   ERROR_INSTALL_PLATFORM_UNSUPPORTED  This installation package is not supported on this platform. Contact your application vendor.
1634   ERROR_INSTALL_NOTUSED               Component not used on this machine.
1635   ERROR_PATCH_PACKAGE_OPEN_FAILED     This patch package could not be opened. Verify that the patch package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer patch package.
1636   ERROR_PATCH_PACKAGE_INVALID         This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package.
1637   ERROR_PATCH_PACKAGE_UNSUPPORTED     This patch package cannot be processed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
1638   ERROR_PRODUCT_VERSION               Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs on the Control Panel.
1639   ERROR_INVALID_COMMAND_LINE          Invalid command line argument. Consult the Windows Installer SDK for detailed command line help.
1640   ERROR_INSTALL_REMOTE_DISALLOWED     Installation from a Terminal Server client session not permitted for current user.
1641   ERROR_SUCCESS_REBOOT_INITIATED      The installer has started a reboot. This error code is not available on Windows Installer version 1.0.
1642   ERROR_PATCH_TARGET_NOT_FOUND        The installer cannot install the upgrade patch because the program being upgraded may be missing or the upgrade patch updates a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch. This error code is not available on Windows Installer version 1.0.
1643   ERROR_PATCH_PACKAGE_REJECTED        The patch package is not permitted by system policy. This error code is available with Windows Installer versions 2.0 or later.
1644   ERROR_INSTALL_TRANSFORM_REJECTED    One or more customizations are not permitted by system policy. This error code is available with Windows Installer versions 2.0 or later.
3010   ERROR_SUCCESS_REBOOT_REQUIRED       A reboot is required to complete the install. This does not include installs where the ForceReboot action is run. This error code is not available on Windows Installer version 1.0.
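An added example (not from the original post) that runs an MSI with the verbose logging switch from above, then reads the "MainEngineThread is returning N" line back out of the log and names the value with a subset of the table. $MsiPath and $LogPath are whatever you pass in, and the sample log line at the end is constructed so the parser can be tried without installing anything.

```powershell
# Added example, not from the original post: install with /l*v logging and translate the
# logged MainEngineThread value. The hashtable is a subset of the table above.
$msiErrorNames = @{
    0    = 'ERROR_SUCCESS';                  1601 = 'ERROR_INSTALL_SERVICE_FAILURE'
    1602 = 'ERROR_INSTALL_USEREXIT';         1603 = 'ERROR_INSTALL_FAILURE'
    1618 = 'ERROR_INSTALL_ALREADY_RUNNING';  1619 = 'ERROR_INSTALL_PACKAGE_OPEN_FAILED'
    1625 = 'ERROR_INSTALL_PACKAGE_REJECTED'; 1638 = 'ERROR_PRODUCT_VERSION'
    1641 = 'ERROR_SUCCESS_REBOOT_INITIATED'; 3010 = 'ERROR_SUCCESS_REBOOT_REQUIRED'
}

function Get-MsiLogResult {
    # Takes the log as a string array so it can also be fed a constructed sample.
    param([string[]]$LogLines = @())
    $hit = $LogLines | Select-String -Pattern 'MainEngineThread is returning (\d+)' | Select-Object -Last 1
    if (-not $hit) {
        return [pscustomobject]@{ Code = $null; Name = 'no MainEngineThread line in log'; Success = $false }
    }
    $code = [int]$hit.Matches[0].Groups[1].Value
    $name = if ($msiErrorNames.ContainsKey($code)) { $msiErrorNames[$code] } else { 'see table above' }
    # 1641 and 3010 are successes that still need a reboot.
    [pscustomobject]@{ Code = $code; Name = $name; Success = ($code -in 0, 1641, 3010) }
}

function Install-MsiWithLog {
    param([Parameter(Mandatory)][string]$MsiPath, [Parameter(Mandatory)][string]$LogPath)
    $msiArgs = '/i', "`"$MsiPath`"", '/qn', '/l*v', "`"$LogPath`""   # /qn keeps it silent
    $proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 1622 means the log itself could not be opened, so the file may not exist at all.
    $lines   = if (Test-Path $LogPath) { Get-Content -Path $LogPath } else { @() }
    $result  = Get-MsiLogResult -LogLines $lines
    # msiexec's exit code and the logged value should agree; a mismatch means the log
    # you are reading is not from this run.
    $result | Add-Member -NotePropertyName ExitCode -NotePropertyValue $proc.ExitCode -PassThru
}

# Constructed sample log line, so the parser can be tried without installing anything:
Get-MsiLogResult -LogLines @('MSI (s) (A0:B4) [10:01:02:123]: MainEngineThread is returning 1603')
# Real run:
# Install-MsiWithLog -MsiPath 'C:\Installers\yourInstaller.msi' -LogPath 'C:\Logs\install.log'
```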