Cached Credential

Hi everyone !

Today I wanted to share another tip. It’s something I see a lot in help desk calls, and not knowing it can sometimes make a call a lot longer.

It’s about the managed credentials in the Windows account store.

You could be renaming an account on a Domain Controller, or it could be a pass-through user set for authentication, but changing it can break things.

The tip is simply to never forget to go there and delete the cached credential that is giving you problems.

You can see my answer there, and it’s something useful to know 🙂

Blocked Windows Update on restart

Hi everyone

Today I wanted to share a small tip that can help if your server is stuck on reboot with a Windows patch that doesn’t want to finish.

Please use this tip with caution so you do not lose data or break the OS.

In my case it was useful on a Windows Server 2019, as it was stuck for 3 hours and more, and the CBS log was growing indefinitely.

You can use PsExec, but tasklist also supports a remote computer.

To use it that way, run tasklist /s remote_computer with the username and password (/u domain\username /p password):

tasklist /s remote_computer /u domain\username /p password

After the command we get a list with all the PIDs.

To stop the Windows Update, in my case I had to close the Windows Installer service.

The command is the same, except we give it the PID, or we could use the /im parameter to target the executable image name (/f forces the closure).

taskkill /s remote_computer /u domain\username /p password /pid PID /f

Command reference

Y2K22 bug! Exchange 2016, 2019

Hi everyone

Happy new year 2022! I wanted to share that if you have the latest patch installed on your Exchange, you might have run into a Y2K22 bug!

The Microsoft Filtering Service got hit by a bug in its patch system.

To resolve it in the short term, please run:

Set-MalwareFilteringServer -BypassFiltering $True -identity <server name>

Or, from the script folder:

.\Disable-AntimalwareScanning.ps1 -ForceRestart

The bug is explained here: https://old.reddit.com/r/sysadmin/comments/rt91z6/exchange_2019_antimalware_bad_update/ In short, it is a variable error going from the year 2021 to 2022 that makes a long overflow, where an unsigned long would have been OK.

Thanks everyone for reading, and good year !! 🙂

Update; it’s now fixed;

MSI: The System Administrator has set policies to prevent this installation

Hi everyone

Today I wanted to talk about a problem I have seen on newer Windows Server 2019 in an RD setup.

Some users were having problems with a GPO for software installation (per user).

After some diagnostics I found that on all my 2019 servers the MSI system is now restricted by default.

If you stumble upon this bug, then you must be like me, and you have a registry value to change.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"DisableMSI"=dword:00000000

Now it should work.

Windows RDS | Publishing RADC shortcut on the Desktop (part 2)

Hi

Today I will share a small tip to make things transparent for the users, enhancing a tip I already gave in the past, as seen here: Windows 2019 RDS | Publishing RADC shortcut on the Desktop

In my older blog post I was creating a shortcut on the desktop that pointed only to the RADC’s folder from the Start menu.

Today I wanted to be more granular and create a shortcut for each application on the user’s desktop. The user experience is greatly enhanced that way.

It’s a 3-step GPO to do, but first we need to generate the .ico and .rdp files to use.

Go to a computer that has the RADC’s farm installed correctly, and navigate to the folder: %AppData%\Microsoft\Windows\Start Menu\Programs\Work Ressources (RADC)

From there select the shortcut you want to deploy, like Word, and click Properties.

In the Properties window, check the path in the argument; it’s where our .rdp and .ico are. The shortcuts created are just mstsc.exe "path/to/local profile/". It should be a path like "%AppData%\Roaming\Microsoft\Workspaces\{….-….-….-….}\Ressources\Word.rdp"

Copy the .RDP you want and the associated .ICO, which is cached there too.

I usually copy them to a folder that all computers can read, like a subfolder in NETLOGON.

From there we start our GPO.

1. Create a GPO, in my example, “RADC – Desktop Word shortcut”

2. Create a file copy to copy the .rdp, under user\Preference\Windows parameters\Files. The source is like \\dc\netlogon\source\Word.rdp, the destination is an administrative folder on the computer, like c:\it\word.rdp.

3. Create a file copy to copy the .ico. Same source and destination folders as the previous one.

4. After that we create a shortcut, under preference too.

We use target as %DesktopDir%\Word, target; c:\it\Word.rdp, and we select the target icon as c:\it\Word.ico.

I copy the files for a reason: if your DC becomes unavailable for a short period of time, it’s more efficient to simply copy the files locally and create a shortcut to those local files.

5. After that we apply this GPO to the same security group you use to make Word visible in your RADC’s console.

Voila, the shortcut should be easily visible after that. It’s more work at the start, but after that there are fewer calls to find the resource, in my own opinion.

Thanks for the reading

Push Acrobat Reader via GPO

Hi everyone

Today I will share the steps necessary to push Acrobat Reader by GPO if you need it in your environment.

You can download the latest Acrobat Reader installer for offline installation.

For that you need to go to the enterprise portal: https://get.adobe.com/fr/reader/enterprise/

After that you need to extract the .exe, as an installation GPO needs a .MSI.

Open a command prompt where your download is, and type a command like this:

AcroRdrDCxxxxxxxxxx_en_US.exe -sfx_o"C:\Temp\Acrobat" -sfx_ne

After that we have our folder with the correct files. Copy it to where your computers can access it. I tend to use a NETLOGON subfolder on my side, but it can be anywhere.

The next step is to modify the .MST to include the correct options. For that you need to use the Acrobat Wizard, available here: https://www.adobe.com/devnet-docs/acrobatetk/tools/Wizard/index.html (Direct download: https://ardownload2.adobe.com/pub/adobe/acrobat/win/AcrobatDC/misc/CustWiz2000920067_en_US_DC.exe)

With the wizard, open the Acrobat.MST that you have in the folder where you uncompressed the data (c:\temp\acrobat in my example).

In the first section I click to accept the EULA, and in the next section I click to enable silent mode, to have the GPO per machine. Click save.

Now we need to create the GPO; choose advanced mode. Point the software installation package to your Acrobat.MSI, and after that go to the deployment options and click to add the .MST.

Make sure the other files from the download are in the same folder.

After that it should work 🙂

GPP for Printers and print driver / Mapping problem, part 2

Hi everyone

In my last post I talked about the print driver restriction, but you can fall into another case, where the computers are not updated at all, which causes another problem: they are not able to connect to the printer share at all.

This may happen for several reasons, like LTSC/LTSB IoT devices which are restricted for Windows Update, or older OSs.

The registry value to use on your print server while you remediate the problem is RpcAuthnLevelPrivacyEnabled:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print

RpcAuthnLevelPrivacyEnabled (DWORD) to 0.

1: Enables Enforcement mode. Before you enable Enforcement mode for server-side, make sure all client devices have installed the Windows update released on January 12, 2021 or a later Windows update. This fix increases the authorization level for printer IRemoteWinspool RPC interface and adds a new policy and registry value on the server-side to enforce the client to use the new authorization level if Enforcement mode is applied. If the client device does not have the January 12, 2021 security update or a later Windows update applied, the printing experience will be broken when the client connects to the server through the IRemoteWinspool interface.

0: Not recommended. Disables the increase authentication level for printer IRemoteWinspool, and your devices are not protected.

Reference: Managing deployment of Printer RPC binding changes for CVE-2021-1678 (KB4599464)

GPP for printers and print driver / Mapping problem

Hi everyone

Following KB5005652 from Microsoft, which fixes a security flaw (CVE-2021-34481), it’s now reported that some GPPs can have difficulty mapping the printer.

If it causes problems, a registry value can be changed to allow the mapping and driver installation.

Keep in mind that this registry value doesn’t need a restart, so it can be enabled and disabled easily in your GPO sequence.

The registry value is: RestrictDriverInstallationToAdministrators

The location is: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint

You need to set it to 0 (DWORD)

It can be scripted that way too:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

You can put it back to 1 after your last GPP has applied.

Thanks
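An added check (not part of the original posts and not Microsoft's code) that reports whether the two print workarounds described in this post and in the part 2 post above are still in place on a machine, so they are not left at 0 after remediation. The registry paths and value names come from the posts; the function name Get-PrintHardeningState and the state labels are hypothetical.

```powershell
# Added example: audit the two print-hardening registry values discussed on this page.
# Paths and value names are taken from the posts; everything else is illustrative.
function Get-PrintHardeningState {
    [CmdletBinding()]
    param()

    $checks = @(
        @{ Cve  = 'CVE-2021-1678'
           Path = 'HKLM:\System\CurrentControlSet\Control\Print'
           Name = 'RpcAuthnLevelPrivacyEnabled' },
        @{ Cve  = 'CVE-2021-34481'
           Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
           Name = 'RestrictDriverInstallationToAdministrators' }
    )

    foreach ($c in $checks) {
        # A missing key or value returns nothing here; report it as NotSet
        # instead of guessing what the OS default is on this build.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }

        # 0 is the workaround state described in the posts; any other value is enforcement.
        $state = if ($null -eq $value) { 'NotSet' } elseif ($value -eq 0) { 'Relaxed' } else { 'Enforced' }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Cve      = $c.Cve
            Value    = $c.Name
            Data     = $value
            State    = $state
        }
    }
}

$report = @(Get-PrintHardeningState)
$report | Format-Table -AutoSize

# Flag machines where a temporary workaround was never reverted.
$relaxed = @($report | Where-Object { $_.State -eq 'Relaxed' })
if ($relaxed.Count -gt 0) {
    Write-Warning ("Workaround still active for: " + ($relaxed.Value -join ', '))
}
```

Run it on the print server for RpcAuthnLevelPrivacyEnabled and on clients for the Point and Print value, since the posts apply each setting on a different side.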