How to solve EVENT ID 1202 SceCli 0x57 Parameter is incorrect

Customer is repeatedly getting this Event ID on all Servers and Clients, especially on the Domain Controllers being logged every 5 minute.

Searching for that Error gives thousands of results, most less helpful.The way I solved this problem was like this.

  1. On one of the servers having the problem, run RSOP.MSC
  2. Resultant Set of Policies showed a Warning on the Computer policies. Selecting properties there showed the same error as in our Event Log.
  3. Browsing the Tree showed that there were a problem in the Password Policy section, from the Default Domain Policy.
  4. Which were also visible in GPMC (Group Policy Management Console)
  5. By modifying the Default Domain Policy and fixing the bad entries (no clue how they got there). The Error message (and problem) is now gone.

 

 

 

 

 

KB4048953 and KB4049065 fails to install (hungs). How to fix it.

We had a server which failed to install Windows Server / Windows 10 Service Update and November 2017 updates with the names KB4049065 and KB4048953 through Windows Update. The installation simply never completed and it looked like it hung.

Rather than go through all the various (failed) steps I did to troubleshoot it, I’ll just tell how to solve it.

  1. Start by downloading the packages from Microsoft Update Catalog to c:\temp;
    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4049065 http://www.catalog.update.microsoft.com/Search.aspx?q=KB4048953 (Cumulative Update)
  2. Then expand the MSU files (using wusa.exe to install them failed for me) by doing this in a command prompt:
  3. You should now have two folders with files like this;
  4. As this is a Windows Server 2016 (or Windows 10) we can use Powershell rather than Dism to install the cab files into Windows.
  5. Open Powershell with elevated permissions (as Admin).
  6. To install both packages do this, and have patience. It took more than 4 hours for them to install on my server and it looked like the installation hung for a long time around 15%.
  7. When the installation has completed reboot the server and you are done!

 

 

WSUS Maintenance script for TechDays audience

WSUS Maintenance script for TechDays audience

 

 

How to automatically Hide “Configure this local server” in Server Manager

After you have installed a couple of hundred servers, you may start to feel that you have seen this text a couple of times too many and start to wonder how to get rid of it…

Hide Welcome Tile

You can obviously click the “Hide” button to hide the “Configure this local server” box, which is also called “Welcome Tile”.

Show Welcome Tile

And if you would ever want to get it back, you can find it in the “View Menu”. BUT… How do you disable the Welcome Tile by default for all users?

There is unfortunately no GPO (Group Policy) to control that. Just to set if Server Manager should auto-start or not. Which does not help in this case.

The settings in Server Manager is stored in a version folder in this location:

The configuration for Server Manager is stored in a file called user.config with the interesting bits highlighted here;

WelcomeTileVisibility

So you want to Modify the “WelcomeTileVisibility” setting in that file which can be done in numerous ways. But a easier solution is to just name and copy a file with this content to that folder.

user.config

That file only contains new default WelcomeTileVisibility setting, hiding the Welcome tile for you when you launch Server Manager. And if you do any changes in Server Manager, the new settings will be saved to that file too.

But that’s a per user setting and it has to be copied to the profile after it’s been created etc etc. Making it all a bit more complicated.
Luckily there is a better and easier way to do it, where you also help your co-workers at the same time!

In your reference image, or in your Server deployment script or with PowerShell or with Group Policies or any other way you find worthy. Just use the same information as above, but save it in this path to be machine wide;

Hide Welcome Tile for everyone

Notice that it’s still the exact same content of the file;

But it’s now stored together with the ServerManager.exe file in the system32 folder making it server wide. It’s a lot easier to copy it there just once so it’s applied to everyone rather than try to get the config file into each persons profile.

Notice: If you already have a user.config file in your Profile, it may override the settings from serverManager.exe.config so delete your user.config file to verify your new setup is working as expected.

In our environment, we are deploying the file in our Server Deployment solution, and also copying it to all server with a Group Policy Preference just in case someone installed a server manually for some unknown reason.

 

Change MAC Address with PowerShell of a Wireless Adapter

As I mentioned in my post a week ago, I’m commuting each day and there is a 200MB Quota on the Wireless Network. Luckily it’s based on the MAC Address of the WiFi Card, so it’s quite easy to get another 200MB Quota if you want  😉

wifi1

Here is my small powershell script that automatically Releases the IP Address, set’s a new random MAC Address and Re-Connects to the SSID, all done in a second or two.
Yay! Another 200MB Quota to burn.

 

I’m using a Window 10 client with Hyper-V, and I’ve created a Virtual NIC for the WiFi adapter, that’s why it’s called ‘vEthernet (External Wi-Fi)’.  But you should be able to use the script with a normal WiFi Adapter too.

I’m using a Virtual WiFi Adapter, to be able to give my Virtual Machines access to internet also when I’m without a LAN.

Here is the script for creating a Virtual WiFi NIC;

 

 

List of Private Cloud related Hotfixes – 2016-02-03

I’ve posted my list of resources for finding Hotfixes previously here.  And this is a list of hotfixes we’ve imported in our WSUS server for our and our customers Private Clouds.
I usually want to install a hotfix to avoid getting a known problem, than try to find a solution to a problem after it has already happened and affected the users and customers.

wsus3

I’ve used the script I posted here to make the list. I’m sorry for the format below, but there is no good way to extract the info from WSUS and as I don’t really know if anyone is interested in this besides myself, I won’t spend hours on fixing a nice output right now or I would never get this blogpost published.  Sorry!

I’m using the MUUri to paste into the WSUS IE to search and locate the hotfixes fast, instead of manually search for each. There is unfortunately no way to script the import according to Microsoft PM’s, so it has to be done manually. Sigh…

Continue reading “List of Private Cloud related Hotfixes – 2016-02-03”

Working with Virtual NIC’s in Windows

At times when I’m for example at a customer and need to connect my Laptop to different VLAN’s it’s really nice to add new virtual Network Cards (vNIC’s) on the fly, and be connected to multiple networks at the same time. vnics

By transforming the Network Cards in your computer, into a virtual switch, and then add Virtual Network Cards connected to that switch, it’s possible to do a bit of network magic.

Here is a part of the script that I run each time I reinstall my PC’s to create the vNIC’s that I need and use the most. The script is also installing the software I need and doing some other minor changes (always a work in progress).

Pre-Requisits: Hyper-V Role installed

Thanks to my friend and colleague Mikael Nyström who showed me this a few years ago.

 

List all expiring certificates on all domain joined servers

A colleague asked me if I could list all expiring certificates on all Domain Joined servers in the environment.
– Sure!

A few minutes later, a script that will connect to all Servers and list certificates that will expire in less than 90 days. I’m sure there are a thousand of scripts out there who does the same, and here is script number 1001.

The script will get all Windows Server Computer Accounts, that are not expired and is not a virtual object (like a Cluster Service).
It will then connect to those servers and list all Certificates that will expire in less than 90 days.

Short and easy to use, and we did find 2 certificates that need to be replaced ASAP!

Import a Cryptographic New Generation (CNG) certificate as a Legacy cert to use with ADFS

The current version of ADFS (Active Directory Federation Services for Windows Server 2012 R2) unfortunately does not support Cryptographic New Generation (CNG) Certificates.
Though if you already have a CNG cert, and does not want to re-request a legacy cert from your provider, it’s possible to import a CNG as a  Legacy cert by using this command.

And ADFS will then be able to use that certificate.

A Huge thanks to my colleague and security expert Hasain Alshakarti (Twitter: @Alshakarti  Blog: http://secadmins.com/) for providing me with the solution.

URL Rewrite (redirect) of HTTP to HTTPS with Powershell script

When deploying Web Application Proxy as a frontend to for example ADFS and Windows Azure Pack, or other services, the current version of Web AppProxy only supports HTTPS urls. It’s possible to use the “URL Rewrite” module for IIS to redirect users from HTTP to HTTPS. There are plenty of guides on internet on how to do that.
But I wanted to add that configuration to my WebApplication Proxy configuration script, and couldn’t find any powershell examples, so here is the script I’ve made.

It will use Web Platform installer to install the URL Rewrite module, then add the IIS Web Management tools, and in the end create a Global Rule redirecting all HTTP requests to HTTPS without the user noticing it.