Wait for printer mapping on RemoteApp publication

Hi! Today I wanted to share a small tip for waiting until printer mapping has completed before opening a RemoteApp.

This tip is handy when the application does not refresh its internal list of printers after it has started.

The Microsoft Office suite is fine in that respect: you can open it right away, and its printer list updates as soon as the redirected printers are ready to be used.

Some older applications (and some newer ones) are written in a more primitive way and need the printers to already exist when they start.

Sage 50 is a good example, and there are still applications written in languages like FoxPro, so the tip is still valid today.

The tip is to publish a command file (.cmd or .bat) that launches the application, and to add the following to the script before the line that starts the app:

@echo off
rem Pause before launching the application: ping waits one second between echo
rem requests to the loopback address, so -n 3 gives roughly two seconds.
rem Redirect to the nul device, not a file named "null".
ping -n 3 127.0.0.1 >nul
rem ... start the application on the next line

That example adds a delay of roughly 2 seconds before the application opens (ping waits one second between echo requests, so -n 4 gives about 3 seconds). Note that the redirection must go to nul, the null device; the common typo >null creates a file named "null" in the working directory every time the script runs.
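A fixed delay is a race: on a slow session the printers are not there yet, on a fast one the user waits for nothing. The script below is an added example, not code from the original post, that polls until a printer is actually mapped in the session and then launches the application. The application path is a placeholder, and the default name pattern assumes RDS Easy Print naming, where redirected printers appear as "<name> (redirected <n>)".

```powershell
# Added example, not from the original post: instead of a fixed delay, poll until a
# printer is actually mapped in the session, then launch the RemoteApp.
# Assumptions: $AppPath is a placeholder; RDS Easy Print names redirected printers
# "<name> (redirected <n>)", which is what the default pattern matches.
param(
    [string]$AppPath        = 'C:\Program Files\Example\App.exe',  # placeholder path
    [string]$PrinterPattern = '*(redirected*',
    [int]$TimeoutSeconds    = 30
)

function Wait-ForPrinter {
    param([string]$Pattern, [int]$Timeout)
    $deadline = (Get-Date).AddSeconds($Timeout)
    do {
        # Get-Printer (PrintManagement module, Windows 8 / Server 2012 and later)
        # lists local, network and redirected printers visible to this session
        $found = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Name -like $Pattern })
        if ($found.Count -gt 0) { return $found }
        Start-Sleep -Milliseconds 500
    } while ((Get-Date) -lt $deadline)
    return @()
}

$printers = @(Wait-ForPrinter -Pattern $PrinterPattern -Timeout $TimeoutSeconds)
if ($printers.Count -gt 0) {
    Write-Host ("Printer(s) ready: {0}" -f ($printers.Name -join ', '))
} else {
    # Do not leave the user hanging: start the app anyway, it will just lack the printer
    Write-Warning "No printer matching '$PrinterPattern' after $TimeoutSeconds s; launching anyway."
}
Start-Process -FilePath $AppPath
```

To publish it, keep the .cmd approach from the post and have the command file run powershell.exe -NoProfile -ExecutionPolicy Bypass -File with the path of the script (the share path is yours to fill in). If you only want a fixed wait, timeout /t 3 /nobreak >nul is the supported equivalent of the ping trick on Windows Vista and later.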


Account lockout available for built-in local administrators

Hi

Today I wanted to share a nice change Microsoft introduced in the October 11, 2022 cumulative update.

Account lockout is now available for the built-in local Administrator account for network logons (RDP, SMB, etc.), but not for console logons.

It is a nice way to block password brute-forcing against that account.

The setting is called Allow Administrator account lockout and lives under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy, next to the usual lockout threshold, duration and reset counter.

Note that if you deploy computers with a Windows 11 22H2 build (or an image that already includes the October 2022 update before first setup), the option is enabled by default, and Microsoft enables the password complexity requirement at the same time. You can turn the latter off (Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy, "Password must meet complexity requirements"), but that is a security risk.

You can read more on the topic in KB5020282.
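To verify what a machine actually applies, rather than reading it in the policy editor, the script below (an added example, not from the original post) exports the local security policy with secedit and prints the lockout and password settings discussed above. Run it from an elevated prompt. One assumption: AllowAdministratorLockout is the key name secedit writes for "Allow Administrator account lockout" once the October 2022 update is installed; on a build without the update the line is simply reported as not present.

```powershell
# Added example, not from the original post: dump the local account lockout and
# password policy with secedit so you can verify the settings described above.
# Run elevated. Assumption: AllowAdministratorLockout is the key name secedit writes
# for "Allow Administrator account lockout" once the October 2022 update is installed.

function Get-LocalAccountPolicy {
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        # secedit exports an INI-style file; the account policies are in [System Access]
        & secedit.exe /export /cfg $inf /quiet | Out-Null
        $section = $null
        $values  = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
                $values[$Matches[1]] = $Matches[2]
            }
        }
        return $values
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

$p = Get-LocalAccountPolicy
$keys = [ordered]@{
    LockoutBadCount           = 'Account lockout threshold (0 = never lock out)'
    LockoutDuration           = 'Account lockout duration (minutes)'
    ResetLockoutCount         = 'Reset lockout counter after (minutes)'
    AllowAdministratorLockout = 'Allow Administrator account lockout (1 = enabled)'
    PasswordComplexity        = 'Password must meet complexity requirements (1 = enabled)'
}
foreach ($k in $keys.Keys) {
    $v = if ($p.ContainsKey($k)) { $p[$k] } else { '(not present)' }
    '{0,-60} {1}' -f $keys[$k], $v
}

# The two states worth flagging: lockout off entirely, or Administrator still exempt
if ($p['LockoutBadCount'] -eq '0') { Write-Warning 'Lockout threshold is 0: no account is ever locked out.' }
if ($p['AllowAdministratorLockout'] -ne '1') { Write-Warning 'Built-in Administrator is not covered by lockout (policy absent or disabled).' }
```

The same secedit export is what a domain GPO ends up writing locally, so running this on a domain member shows the effective values after the policy has applied.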

PacRequestorEnforcement Enforcement date

Hi everyone

I wanted to share that enforcement of the PAC inside Kerberos tickets will soon be active (with the October 11, 2022 updates).

If in your environment you still see an error such as:

The KDC encounters a TGT or other evidence ticket without a PAC. This prevents the KDC from enforcing security checks on the ticket.

it can have an impact if you still have older domain controllers, such as Windows Server 2008 R2 without Extended Security Updates, because the fix is not available for them.

A registry key exists, but after the October 11, 2022 update it is no longer honored:

To quote the registry key information:

Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc
Value: PacRequestorEnforcement
Data type: REG_DWORD
Data:
1: Add the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated. If the user does not have the new PAC, no further action is taken. Active Directory domain controllers in this mode are in the Deployment phase.
2: Add the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated. If the user does not have the new PAC, the authentication is denied. Active Directory domain controllers in this mode are in the Enforcement phase.
0: Disables the registry key. Not recommended. Active Directory domain controllers in this mode are in the Disabled phase. This value will not exist after the July 12, 2022 or later updates.
Important: Setting 0 is not compatible with setting 2. Intermittent failures might occur if both settings are used within a forest. If setting 0 is used, we recommend that you transition setting 0 (Disable) to setting 1 (Deployment) for at least a week before moving to setting 2 (Enforcement mode).
Default: 1 (when registry key is not set)
Is a restart required? No

This comes from KB5008380 (Authentication updates, CVE-2021-42287).

I suggest removing those older DCs quickly if you can; otherwise, just make sure you are up to date.
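Before the enforcement update lands, it is worth knowing which phase each DC is in and whether its KDC is still seeing tickets without a PAC. The script below is an added example, not from the original post or from Microsoft: run elevated on a domain controller, it reads the PacRequestorEnforcement value (interpreting an absent value as the default of 1, as the table above states) and scans the System log for KDC events whose text matches the message quoted above. It filters on the provider name Microsoft-Windows-Kerberos-Key-Distribution-Center and on the message text rather than on event IDs, which the post does not list.

```powershell
# Added example, not from the original post: on a domain controller, report which
# PacRequestorEnforcement phase it is in and whether the KDC is still logging tickets
# "without a PAC". Run elevated on each DC (or fan out with Invoke-Command).

function Get-PacEnforcementState {
    $key   = 'HKLM:\System\CurrentControlSet\Services\Kdc'
    $value = (Get-ItemProperty -Path $key -Name PacRequestorEnforcement -ErrorAction SilentlyContinue).PacRequestorEnforcement
    # Mapping per the KB5008380 table quoted above; absent value = default 1.
    # After the October 11, 2022 update the value is ignored and the DC enforces.
    if     ($null -eq $value) { $phase = 'Not set: default 1 (Deployment) before the Oct 11, 2022 update; Enforcement after it' }
    elseif ($value -eq 0)     { $phase = 'Disabled (not recommended, no longer valid)' }
    elseif ($value -eq 1)     { $phase = 'Deployment (ticket without PAC tolerated)' }
    elseif ($value -eq 2)     { $phase = 'Enforcement (ticket without PAC denied)' }
    else                      { $phase = "Unknown value $value" }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Value = $value; Phase = $phase }
}

function Get-KdcMissingPacEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Match on the message text quoted in the post rather than on specific event IDs
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'without a PAC' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-PacEnforcementState
$events = @(Get-KdcMissingPacEvents -Days 7)
if ($events.Count -gt 0) {
    Write-Warning ("{0} KDC event(s) about tickets without a PAC in the last 7 days; look for un-patched DCs (e.g. 2008 R2 without ESU)." -f $events.Count)
    $events | Format-Table -AutoSize
} else {
    'No "without a PAC" KDC events in the last 7 days.'
}
```

To check every DC at once from a machine with the AD module, pass the script to Invoke-Command -FilePath with -ComputerName set to (Get-ADDomainController -Filter *).HostName; any DC that reports a Phase other than Enforcement, or still logs these events, is the one to fix or retire before the update.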

Removing Teams from autostarting via GPO

Today I wanted to share a small tip if you need to stop Teams from autostarting when your users' sessions start.

If Teams was installed for your users without autostart turned off, the easiest way is to remove its Run value with a GPO (a Group Policy Preferences registry item with the Delete action).

The path is:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and the value name is com.squirrel.Teams.Teams

At the next logon your users will not see the Teams application loading, which helps with logon time 🙂
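If you would rather do it from a logon script than a preference item, the script below is an added example, not from the original post. Besides deleting the Run value named above, it also turns off the "open at login" preference that classic (Squirrel-based) Teams keeps in its own desktop-config.json, because the client re-creates the Run value at start-up while that preference is on; the config file location and key are an assumption about classic Teams, not something the post states.

```powershell
# Added example, not from the original post: logon-script alternative to the GPO
# preference item. Removes the classic Teams Run value and also turns off Teams' own
# "open at login" preference so the client does not re-create the Run value.
# Assumption: classic (Squirrel-based) Teams, which keeps preferences in desktop-config.json.

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'com.squirrel.Teams.Teams'
$config   = Join-Path $env:APPDATA 'Microsoft\Teams\desktop-config.json'

function Disable-TeamsAutostart {
    # 1. Remove the Run value created by the Teams installer (same value the GPO deletes)
    if (Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $runKey -Name $runValue
        "Removed $runValue from $runKey"
    }

    # 2. Flip openAtLogin in Teams' own config; Teams must not be running while this edits the file
    if (Test-Path -Path $config) {
        $json = Get-Content -Path $config -Raw | ConvertFrom-Json
        if (-not $json.appPreferenceSettings) {
            $json | Add-Member -NotePropertyName appPreferenceSettings -NotePropertyValue ([pscustomobject]@{})
        }
        $json.appPreferenceSettings | Add-Member -NotePropertyName openAtLogin -NotePropertyValue $false -Force
        $json | ConvertTo-Json -Depth 10 | Set-Content -Path $config -Encoding UTF8
        "Set openAtLogin=false in $config"
    }
}

Disable-TeamsAutostart
```

Run it in the user's context (a user logon script or scheduled task at logon), since both the Run key and the config file live in the user profile.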

Upgrading HP Thin Client T420

Hi

Today I wanted to share a tip if someday you want to upgrade the storage in that thin client. By default it comes with a 32 or 64 GB drive.

The terminal comes with Windows 10 LTSB 2016 by default, which can be upgraded to LTSC 2019 with additional licensing from HP, but the update can be hard to do with the small drive the unit has, so the storage upgrade may be necessary in the end. (I didn't try Windows 11 on it.)

The interior looks like this:

As you can see, there is not much room, but in this specific case I used the Wi-Fi card's PCIe connector to connect the new SSD.

I removed the card:

The goal is to fit an adapter in its place:

In the end it looks like this:

I recommend a small SSD so that the case can be closed again.

After that we can boot and install the OS on the SSD 🙂

Windows Azure AD Join missing option

Hi everyone !

Today I wanted to talk about a small issue that can happen when you try to join a machine to Azure AD: the Join Azure AD option is simply not displayed in the Accounts settings, even though the join works in OOBE.

It shows like this:

The option can be missing if the computer has no internet access, because it cannot reach Azure at all. It can also be missing if a Microsoft account has already been added to the computer, like here:

On this computer I was able to sign in with a Microsoft account AND an Azure AD account, but the computer was stuck in an unmanaged state because the option to join Azure AD was just not there.

To allow the computer to join Azure AD you need, in that case, to remove the Microsoft account. That makes the join option appear, as shown here after the removal of the Microsoft account:

After that you can join completely:
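To confirm the state before and after the fix without relying on what the Settings page shows, the script below (an added example, not from the original post) runs dsregcmd /status and pulls out the join flags: AzureAdJoined is YES only for a real Azure AD join, while a device that is merely registered reports WorkplaceJoined YES.

```powershell
# Added example, not from the original post: read the device's join state from
# dsregcmd /status so you can confirm the machine ended up Azure AD joined
# (AzureAdJoined : YES) rather than only registered or not joined at all.

function Get-DeviceJoinState {
    $raw   = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $raw) {
        # dsregcmd prints "Name : VALUE" lines inside sections such as "Device State"
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined   = $state['AzureAdJoined']    # YES = Azure AD joined (managed)
        DomainJoined    = $state['DomainJoined']     # YES = on-prem AD joined
        WorkplaceJoined = $state['WorkplaceJoined']  # YES = only Azure AD registered
        AzureAdPrt      = $state['AzureAdPrt']       # YES = the signed-in user holds a Primary Refresh Token
        TenantName      = $state['TenantName']
    }
}

$s = Get-DeviceJoinState
$s
if ($s.AzureAdJoined -ne 'YES') {
    Write-Warning 'Device is not Azure AD joined. Check internet reachability and remove any Microsoft account under Settings > Accounts, then retry the join.'
}
```

Run it as the signed-in user; the user-specific lines (such as AzureAdPrt) are only populated for the current session.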

GPO WMI Filter Trick – NOT clause and multiple queries

Hi everyone !

Today I wanted to share a tip for creating more complex group policy targeting.

WMI filters come in handy to target the right computers with a group policy. Adding a NOT LIKE clause, as in SQL, can be important there.

Creating multiple queries helps to build a complete target.

Keep in mind that with multiple queries EACH query must be TRUE, that is, return at least one instance. So if you write two queries, both need to evaluate as TRUE for the filter to apply.

I will start with the NOT clause. If inside your WMI filter you need a NOT clause, remember that it must be written select * ... WHERE NOT ...

An example that compares the version:

select * from Win32_OperatingSystem WHERE NOT Version like "10.0.14393%"

Now let's see how to build a filter with multiple WMI queries.

Here is an example of how it can be useful: say your GPO must target all Windows 10 workstations except the LTSB 2016 build (10.0.14393). That would look like this:

select * from Win32_OperatingSystem WHERE NOT Version like "10.0.14393%"

select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1"

ProductType 1 restricts the match to workstations (2 is a domain controller, 3 a member server). Also note that Windows 11 reports a 10.0.x version as well (build 22000 and later), so the second query matches it too; if you only want Windows 10, match on 10.0.1% instead, since every Windows 10 build is 10.0.1xxxx while Windows 11 builds are 10.0.2xxxx.
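A filter is easiest to debug before it is linked. The function below is an added example, not from the original post: it runs each query with Get-CimInstance on the local machine and combines them the way the Group Policy engine does, where every query must return at least one instance. It evaluates the two queries above and, as a stricter variant that goes beyond the post, a Windows 10-only pair that excludes Windows 11. In WQL passed through PowerShell the string literals use single quotes, and ProductType is compared as a number; the GPO editor accepts the quoted form shown above as well.

```powershell
# Added example, not from the original post: evaluate a set of WMI filter queries on
# the local machine the way Group Policy does (every query must return at least one
# instance), so a filter can be tested before it is linked to a GPO.

function Test-WmiFilter {
    param(
        [Parameter(Mandatory)][string[]]$Queries,
        [string]$Namespace = 'root\CIMV2'     # the default namespace of a GPO WMI filter
    )
    $results = foreach ($q in $Queries) {
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Query = $q; Instances = $hits.Count; Result = ($hits.Count -gt 0) }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    # Same semantics as the GPO engine: the filter applies only if ALL queries are TRUE
    return ($results.Result -notcontains $false)
}

# The two queries from the post: "Windows 10 workstation, but not LTSB 2016"
$filter = @(
    "select * from Win32_OperatingSystem WHERE NOT Version like '10.0.14393%'",
    "select * from Win32_OperatingSystem WHERE Version like '10.%' AND ProductType=1"
)

# Stricter variant (not in the post): Windows 10 only, since Windows 11 is 10.0.22000+
$filterWin10Only = @(
    "select * from Win32_OperatingSystem WHERE NOT Version like '10.0.14393%'",
    "select * from Win32_OperatingSystem WHERE Version like '10.0.1%' AND ProductType=1"
)

'Filter from the post applies to this machine: {0}' -f (Test-WmiFilter -Queries $filter)
'Windows 10-only filter applies to this machine: {0}' -f (Test-WmiFilter -Queries $filterWin10Only)
```

On an LTSB 2016 machine the first query returns no instance, so the whole filter evaluates FALSE and the GPO is skipped, which is exactly the behaviour the post relies on.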

Limit WSUS memory usage with HeidiSQL

Hi everyone

Today I wanted to share a tip for when your WSUS database (the Windows Internal Database, a SQL Server instance) is eating too many resources on your server.

Like shown here:

or here:

There are multiple ways to do it, but I wanted to share a simple one that does not require any native SQL tool to be installed. For that reason I used the HeidiSQL portable edition.

After it opens, you need to select Named pipe as the network type;

Click to use Windows authentication, and in the hostname field enter:

\\.\pipe\Microsoft##WID\tsql\query (Windows Server 2012 +)
or 
\\.\pipe\mssql$microsoft##ssee\sql\query (pre 2012)

It would look like this:

After that, go to the Query tab and enter:

You can check the configuration:

Then issue the last command to set the amount of memory (in MB) you want the instance to use:

In my example I used 512, but I recommend at least 1024.

To sum up, these are the commands used:

-- expose the advanced options so that max server memory can be changed
exec sp_configure 'show advanced options', 1;

reconfigure;

-- list the current configuration (look for "max server memory (MB)")
exec sp_configure;

-- cap the instance at the given number of MB (2048 here; use at least 1024)
exec sp_configure 'max server memory', 2048;

reconfigure with override;
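The same change can also be scripted with nothing but the .NET SqlClient that ships with Windows, which is handy when you want to roll it out to several WSUS servers. The script below is an added example, not from the original post: it connects to WID over the Server 2012+ named pipe given above, reads the running value from sys.configurations, applies the cap, and reads it back. It assumes an elevated session on the WSUS server, and it enforces the 1024 MB floor the post recommends; the cap is the -MaxServerMemoryMB parameter.

```powershell
# Added example, not from the original post: apply the same memory cap without HeidiSQL,
# using the .NET SqlClient that ships with Windows. Run elevated on the WSUS server.
# Assumptions: WID on Windows Server 2012 or later (pipe name as in the post) and the
# 1024 MB floor the post recommends; the cap itself is the -MaxServerMemoryMB parameter.
param([int]$MaxServerMemoryMB = 2048)

$widPipe = '\\.\pipe\MICROSOFT##WID\tsql\query'

function Invoke-WidSql {
    param([string]$Sql, [switch]$NonQuery)
    # "np:" selects the named-pipe protocol; Integrated Security = Windows authentication
    $cs   = "Data Source=np:$widPipe;Integrated Security=True;Initial Catalog=master"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        if ($NonQuery) { return $cmd.ExecuteNonQuery() }
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table
    } finally {
        $conn.Close()
    }
}

function Get-WidMaxServerMemory {
    # value_in_use is the running value; 2147483647 means "unlimited" (the default)
    $t = Invoke-WidSql "SELECT value_in_use FROM sys.configurations WHERE name = 'max server memory (MB)'"
    return [int]$t.Rows[0].value_in_use
}

function Set-WidMaxServerMemory {
    param([int]$MB)
    if ($MB -lt 1024) { throw "Refusing to cap WID below 1024 MB (asked for $MB MB)." }
    $sql = @"
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'max server memory', $MB;
RECONFIGURE WITH OVERRIDE;
"@
    Invoke-WidSql -Sql $sql -NonQuery | Out-Null
}

'Before: {0} MB' -f (Get-WidMaxServerMemory)
Set-WidMaxServerMemory -MB $MaxServerMemoryMB
'After:  {0} MB' -f (Get-WidMaxServerMemory)
```

The change takes effect immediately (reconfigure with override), so you should see the sqlservr.exe process for WID shrink without restarting the Windows Internal Database service.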

Windows Store Error – Firewall

Hi everyone

Today I wanted to share a tip for an issue any sysadmin can run into. It concerns the Windows Store app and group policy.

I stumbled into an environment where the Windows Store was blocked; after multiple tests I found that you really need the Windows Firewall to be On to get the Windows Store working again.

The culprit in my case was a GPO that set this setting to Disabled:

It took me some time to figure it out because the machine was using a third-party firewall solution, so the computer did not alert me at all that the Windows firewall was off, and the Store app just refused to open without any error.
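Since the Store gives no error in this situation, a quick check of the firewall state saves the guessing. The script below is an added example, not from the original post: it reports the Windows Firewall service, the per-profile enabled state, and any policy value forcing the firewall off. It assumes the GPO setting the post refers to is backed by the EnableFirewall value under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile> (0 when the policy disables the firewall), which is the usual place that setting is written.

```powershell
# Added example, not from the original post: check for the condition described above on a
# machine where the Store refuses to open. Reports the Windows Firewall service, each
# profile's state, and any policy value forcing the firewall off.
# Assumption: the GPO in the post maps to the EnableFirewall policy value under
# HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile> (0 = disabled by policy).

function Test-WindowsFirewallForStore {
    $svc      = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue   # Windows Defender Firewall service
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled
    $policy   = foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $v = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$p" -Name EnableFirewall -ErrorAction SilentlyContinue
        [pscustomobject]@{ Profile = $p; PolicyEnableFirewall = if ($v) { $v.EnableFirewall } else { '(not set)' } }
    }

    $problems = @()
    if (-not $svc -or $svc.Status -ne 'Running') { $problems += 'Windows Firewall service (MpsSvc) is not running' }
    foreach ($pr in $profiles) { if (-not $pr.Enabled) { $problems += "Firewall profile $($pr.Name) is disabled" } }
    foreach ($po in $policy)   { if ($po.PolicyEnableFirewall -eq 0) { $problems += "Policy forces the firewall off for $($po.Profile)" } }

    [pscustomobject]@{
        ServiceStatus      = if ($svc) { $svc.Status } else { 'missing' }
        Profiles           = $profiles
        Policy             = $policy
        StoreLikelyBlocked = ($problems.Count -gt 0)
        Problems           = $problems
    }
}

$r = Test-WindowsFirewallForStore
$r | Format-List
if ($r.StoreLikelyBlocked) {
    Write-Warning 'Windows Firewall is off or forced off by policy; the Store will not work until it is enabled again.'
}
```

A third-party firewall does not change this check: the Store still depends on the built-in firewall being on, whatever else is installed, so the fix is to set the GPO back to Enabled (or Not Configured) and run gpupdate.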