Windows Azure AD Join missing option

Hi everyone !

Today I wanted to talk about a small issue that can happen when you try to join a machine to Azure AD. The issue is that the Join Azure AD option is simply not displayed in the Accounts window, although it would work in OOBE.

It would look like this;

The error can occur if the computer has no internet access, as it can't log in to Azure at all. The error can also occur if you have a Microsoft account on the computer too, like here;

On that computer I was able to log in to a Microsoft account AND an Azure AD account, but the computer was forced to stay in an unmanaged state as the option to join Azure AD was just not there.

To allow the computer to join Azure AD in that case, you need to remove the Microsoft account. That will allow you to join Azure AD, as shown here after the removal of the Microsoft account;

After that you can join completely;

GPO WMI Filter Trick – No clause and multiple query(s)

Hi everyone !

Today I wanted to share a tip for creating more complex group policies.

WMI filters come in handy to target the needed computers in a group policy. Adding a NOT LIKE clause, as in SQL, can be important there.

Creating multiple queries helps to build a complete target.

Keep in mind that with multiple queries EACH query must be TRUE. So if you write two queries, both need to evaluate as TRUE for the filter to apply.

I will start with the NOT clause. If you need a NOT clause inside your WMI filter, please remember that it must be written select * … WHERE NOT ….

An example that compares on the version;

select * from Win32_OperatingSystem WHERE NOT Version like "10.0.14393%"

Now it's time to talk about how to build a WMI filter with multiple queries.

Here is an example of how it can be useful: say your GPO must target all Windows 10 machines, except an LTSB version. It would look like this;

select * from Win32_OperatingSystem WHERE NOT Version like "10.0.14393%"

select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1"
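To check a filter on a test machine before linking it to a GPO, the queries can be run locally and combined with the same "every query must be TRUE" rule. This is an added example, not part of the original post; Test-WmiFilter is a hypothetical helper name, and treating a failing query as FALSE is this helper's choice.

```powershell
# Added example: evaluate a set of WQL queries with the "all must be TRUE" rule.
# Test-WmiFilter is a hypothetical helper name, not a built-in cmdlet.
function Test-WmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string[]] $Query,
        [string] $Namespace = 'root\CIMv2'
    )

    $results = foreach ($q in $Query) {
        try {
            # A query counts as TRUE when it returns at least one instance.
            $rows = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop)
            [pscustomobject]@{ Query = $q; IsTrue = ($rows.Count -gt 0); Error = $null }
        }
        catch {
            # A query that fails to parse (for example because of curly quotes
            # pasted from a web page) is reported and treated as FALSE here.
            [pscustomobject]@{ Query = $q; IsTrue = $false; Error = $_.Exception.Message }
        }
    }

    [pscustomobject]@{
        FilterApplies = -not ($results.IsTrue -contains $false)
        Queries       = $results
    }
}

# The two queries from the post: Windows 10 workstations, except version 10.0.14393.
$filter = @(
    'select * from Win32_OperatingSystem WHERE NOT Version like "10.0.14393%"',
    'select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1"'
)

$result = Test-WmiFilter -Query $filter
$result.Queries | Format-Table IsTrue, Query, Error -AutoSize
"Filter would apply to this machine: $($result.FilterApplies)"
```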

Limit WSUS memory usage with HeidiSQL

Hi everyone

Today I wanted to share a tip for when your WSUS database (SQL) is eating too many resources on your server.

As shown here;

or here too;

There are multiple ways to do it, but I wanted to share a simple way to do it without any native SQL tool installed. For that reason I used HeidiSQL portable edition.

Once it's open, you need to select a named pipe;

Choose Windows authentication, and in the database path please put;

\\.\pipe\Microsoft##WID\tsql\query (Windows Server 2012 +)
or 
\\.\pipe\mssql$microsoft##ssee\sql\query (pre 2012)

It would look like this;

After that you hit the Request tab, and you enter;

You can check the configuration;

Then you issue the last command to set the memory you want it to use;

In my example I used 512, but I recommend 1024+ as a minimum.

To summarize, these are the commands we used;

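-- Expose the advanced options, which include the memory setting
exec sp_configure 'show advanced option', '1';

reconfigure;

-- List the current configuration
exec sp_configure;

-- Cap the memory the instance can use (value in MB)
exec sp_configure 'max server memory', 2048;

reconfigure with override;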

Windows Store Error – Firewall

Hi everyone

Today I wanted to share a tip for something any sysadmin can encounter. It's about the Windows Store app and GPO.

I stumbled on an environment that blocked the Windows Store from working. After multiple tests I found that you really need the Windows Firewall set to On to be able to restore the Windows Store.

The culprit in my case was a GPO that set this setting to Disabled;

It took me time to figure out, as the machine was using a third-party firewall solution, so the computer was not alerting me at all that the firewall was missing, and the Store app just refused to open without any error.

Older HP Universal Print Driver for GPP

Hi everyone

I wanted to share a small tip if you need an older HP Universal Print Driver for your GPP.

You might ask why: it's because with pushed GPOs some older drivers work better for older printers, both to keep their settings and to work in general.

The treasure trove is here; ftp://ftp.hp.com/pub/softlib/UPD/ 🙂

Enjoy if you need it 🙂

Office 365 TLS 1.2 support

Hi everyone

Today I wanted to talk about a small problem I have seen with Office 2016 running on a really old OS.. like Windows 7..

Office 365's support for older cryptography made some older OSes have problems authenticating, so it blocks adding a new account or getting email in Outlook, for example.

To fix it, I would say, please by god, install Windows 10 .. but if you can't convince your customer, at least, for now, you can run this tool to get TLS 1.2 by default in the OS, so it can connect again.

How to enable TLS 1.2 on clients and Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows

[Easy fix here]

Thanks! And let's hope Windows 7 doesn't come back so fast
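To confirm on a given client that the WinHTTP default now includes TLS 1.2, the registry value that Microsoft documents for the update named above can be read and decoded. This is an added example, not part of the original post; the value name and bit meanings come from Microsoft's published guidance for that update, and Get-WinHttpDefaultProtocol is a hypothetical helper name.

```powershell
# Added example: read-only check of the WinHTTP default protocol bitmask.
# Get-WinHttpDefaultProtocol is a hypothetical name; written to run on PowerShell 2.0 (Windows 7).
function Get-WinHttpDefaultProtocol {
    # Bit values of DefaultSecureProtocols as documented by Microsoft.
    $bits = @(
        @{ Name = 'SSL 2.0'; Bit = 0x008 },
        @{ Name = 'SSL 3.0'; Bit = 0x020 },
        @{ Name = 'TLS 1.0'; Bit = 0x080 },
        @{ Name = 'TLS 1.1'; Bit = 0x200 },
        @{ Name = 'TLS 1.2'; Bit = 0x800 }
    )
    # Native registry view, plus the 32-bit view that 32-bit Office uses on 64-bit Windows.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # No value: WinHTTP falls back to the operating system's built-in default.
            New-Object PSObject -Property @{
                Path = $path; Value = 'not set'; Protocols = 'OS default applies'; Tls12 = $null
            }
            continue
        }
        $value = [int]$item.DefaultSecureProtocols
        $names = @($bits | Where-Object { $value -band $_.Bit } | ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            Path      = $path
            Value     = ('0x{0:X8}' -f $value)
            Protocols = ($names -join ', ')
            Tls12     = [bool]($value -band 0x800)
        }
    }
}

Get-WinHttpDefaultProtocol | Format-List Path, Value, Protocols, Tls12
```

A value of 0x00000A00 means TLS 1.1 and TLS 1.2 only; a value that still includes the SSL 2.0 or SSL 3.0 bits is worth correcting.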

GPO – Per machine Printer Settings

Hi everyone

Today I wanted to share a small script for when you use per-machine GPO / GPP to distribute local TCP/IP printers to your computer fleet.

If, like me, you sometimes find the settings are not pushed correctly: I wrote a small script that checks each local printer and finds the corresponding print queue on the print server to set the options on the computer.

It seemed necessary for me in some cases depending on which driver I use, as some revert to the basic settings when pushed. The printing defaults got ignored in such cases.

The script looks like this;

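# Loop over every printer installed on the local computer
$Printers = Get-Printer
foreach ($Printer in $Printers) {
    # Read the configuration of the queue with the same name on the print server
    $PrintConfig = Get-PrintConfiguration -ComputerName PRINTSERVER -PrinterName $Printer.Name -ErrorAction SilentlyContinue
    # Skip printers that have no matching queue on the server (local or virtual printers)
    if ($PrintConfig) {
        # Apply the server's print ticket to the local printer
        Set-PrintConfiguration -PrinterName $Printer.Name -PrintTicketXML $PrintConfig.PrintTicketXML
    }
}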

The script loops over all local printers and finds the corresponding printer on the print server to set the options.

The script assumes you use the same printer name as the one on the print server, which for me was logical because you have to enter a target print queue for publishing the printer.

Remote Desktop TSCLIENT Drive Mapping Problem (Content Redirection)

Hi everyone

Today I wanted to talk about a symptom you might hit if you do content redirection with RemoteApp for a remote office, when the user clicks on a file located on a remote file share.

The symptom is that a file lock can happen for the person, and that blocks saving the document.

That causes a bug in, for example, Word or Excel, which throws an error that the file is already in use. The user needs to re-save the document under another name to save it when that happens.

The cause is simple: content redirection accesses the share via the tsclient client redirection. That forces the remote computer to retrieve the file and send it to the TS server to be able to use content redirection.

I made this small chart;

In my scenario the impact appears when the remote office has a high-latency link. You can see the RemoteApp connection takes longer to open because of that.

To resolve the issue, it all comes down to the way you map the drive for the users. Normal drive mapping causes this issue, while a mapping done via the network location wizard solves it, as the RemoteApp opens the file directly, which prevents all the network chatter from happening.

I would call that the network map VS network location method of accessing the file.

If you use the wizard to add a network location, you trigger it from Explorer:

If you want to push that via GPO, that's where it becomes tricky .. You have to create a folder, an .ini and a .lnk for that folder..

In the GPO it's a 3-step procedure.

1. GPP to create a folder inside this folder; %APPDATA%\Microsoft\Windows\Network Shortcuts

E.g.; %APPDATA%\Microsoft\Windows\Network Shortcuts\HR Department

2. GPP to create a desktop.ini inside that folder with two options set inside it;

E.g.;

Action: Update
File path: %APPDATA%\Microsoft\Windows\Network Shortcuts\HR Department\desktop.ini
Section name: .ShellClassInfo
Property name: CLSID2
Property value: {0AFACED1-E828-11D1-9187-B532F1E9575D}

AND

Action: Update
File path: %APPDATA%\Microsoft\Windows\Network Shortcuts\HR Department\desktop.ini
Section name: .ShellClassInfo
Property name: Flags
Property value: 2

3. You set the link to the correct resource with a shortcut named target;

Target type: File System Object
Shortcut path: %APPDATA%\Microsoft\Windows\Network Shortcuts\HR Department\target
Target path: \\fileserver\hr
Shortcut key: None
Run: Normal window

After that, your users can click inside those folders to navigate to the file share, and when they click a resource MSTSC will open the file directly from the network share, bypassing the tsclient redirection!
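To test the result on one profile before building the three GPP items, the same folder, desktop.ini and shortcut can be created with a short script. This is an added example, not part of the original post; New-NetworkLocation is a hypothetical helper name, and setting the read-only attribute on the folder is an addition the post does not mention (Explorer only honours desktop.ini in folders flagged read-only or system).

```powershell
# Added example: create a per-user network location, following the three GPP steps above.
# New-NetworkLocation is a hypothetical helper name.
function New-NetworkLocation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Name,        # e.g. 'HR Department'
        [Parameter(Mandatory = $true)] [string] $TargetPath   # e.g. '\\fileserver\hr'
    )

    # Step 1: the folder under Network Shortcuts.
    $root   = Join-Path $env:APPDATA 'Microsoft\Windows\Network Shortcuts'
    $folder = Join-Path $root $Name
    New-Item -Path $folder -ItemType Directory -Force | Out-Null

    # Step 2: desktop.ini with the two properties from the post.
    $ini = Join-Path $folder 'desktop.ini'
    if (Test-Path -LiteralPath $ini) { Remove-Item -LiteralPath $ini -Force }
    Set-Content -LiteralPath $ini -Encoding Ascii -Value @(
        '[.ShellClassInfo]',
        'CLSID2={0AFACED1-E828-11D1-9187-B532F1E9575D}',
        'Flags=2'
    )
    (Get-Item -LiteralPath $ini -Force).Attributes = 'Hidden, System'

    # Not in the post: flag the folder read-only so Explorer processes desktop.ini.
    $dir = Get-Item -LiteralPath $folder
    $dir.Attributes = $dir.Attributes -bor [IO.FileAttributes]::ReadOnly

    # Step 3: the shortcut named "target" that points at the share.
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut((Join-Path $folder 'target.lnk'))
    $lnk.TargetPath = $TargetPath
    $lnk.Save()

    $folder
}

# Values from the post's example.
New-NetworkLocation -Name 'HR Department' -TargetPath '\\fileserver\hr'
```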

Reset all printers share security / ACL to the default fast

Hi

Today I will share a tip for when you need to reset a lot of printer shares to the default security.

It came in handy for me, because if you secure your print queues too much, it might block per-computer GPP, for example.

First, choose a printer that will be the template for all others.

Make sure Administrators, Everyone, Creator Owner, Print Operators and Server Operators are listed.

It should look like this;

The first picture is for a workgroup, and in the second you add those accounts for a domain.

Once your template is done, you need a small PowerShell script; it looks like this;

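# Read the security descriptor (SDDL) of the template printer
$printerperms = (Get-Printer -ComputerName PrintSvr -Name admin-printer -Full).PermissionSDDL
# List the names of all printers on the print server
$allprinters = Get-Printer -ComputerName PrintSvr -Name * | Select-Object -ExpandProperty Name
# Apply the template's security descriptor to every printer
foreach ($printer in $allprinters) {
    Set-Printer -Name $printer -PermissionSDDL $printerperms -ComputerName PrintSvr
}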

Make sure to replace PrintSvr with your print server and make sure to replace admin-printer with the printer that you used as a template.
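Because the reset overwrites every printer's ACL in one pass, it is worth saving the existing descriptors first and changing only the printers that differ from the template. This is an added example, not part of the original post; Reset-PrinterAcl and the backup file location are hypothetical, and the server and template names are the placeholders used above.

```powershell
# Added example: back up every printer's SDDL, then reset only the printers that differ.
# Reset-PrinterAcl and the backup location are hypothetical; run from an elevated session.
function Reset-PrinterAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string] $ComputerName    = 'PrintSvr',       # print server placeholder from the post
        [string] $TemplatePrinter = 'admin-printer',  # template printer placeholder from the post
        [string] $BackupPath = (Join-Path $env:TEMP ('printer-sddl-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date)))
    )

    # PermissionSDDL is only populated when -Full is used.
    $printers = @(Get-Printer -ComputerName $ComputerName -Full)

    $templateSddl = ($printers | Where-Object { $_.Name -eq $TemplatePrinter }).PermissionSDDL
    if ([string]::IsNullOrEmpty($templateSddl)) {
        throw "Template printer '$TemplatePrinter' not found on $ComputerName, or its SDDL is unreadable."
    }

    # Keep the previous descriptors so a wrong template can be rolled back.
    # -WhatIf:$false makes sure the backup is written even during a dry run.
    $printers | Select-Object Name, PermissionSDDL |
        Export-Csv -Path $BackupPath -NoTypeInformation -Encoding UTF8 -WhatIf:$false

    foreach ($p in ($printers | Where-Object { $_.PermissionSDDL -ne $templateSddl })) {
        if ($PSCmdlet.ShouldProcess($p.Name, 'Replace PermissionSDDL with template')) {
            Set-Printer -ComputerName $ComputerName -Name $p.Name -PermissionSDDL $templateSddl
        }
        # Report each printer whose ACL differs from the template.
        [pscustomobject]@{ Printer = $p.Name; PreviousSddl = $p.PermissionSDDL; Backup = $BackupPath }
    }
}

# Dry run first: writes the backup and lists the printers that would change.
Reset-PrinterAcl -WhatIf
```

To roll back, read the CSV with Import-Csv and pass each row's Name and PermissionSDDL to Set-Printer.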

That's all, thanks for reading!