27 April 2016

Windows 7 clients automatically rebooting for updates - no notification - WSUS

Recently I had a call from a client saying that they're having computers randomly reboot (without warning) to install Windows Updates.  All machines were Windows 7, and they were all on the client's domain.  They had WSUS installed and configured, with GPOs to define the backup settings etc.  In this case, the GPO stated that machines will automatically download and install updates at 4pm each day, and only reboot if there was no active user.

After checking the GPO, I was confident that the issue was not related to that, as it clearly stated that the computers won't be rebooting automatically.  I remoted into the workstations to ensure that they're actually applying the GPO (gpresult /r), which they were.  So it wasn't GPO, and it wasn't the workstations as far as I could tell.

I logged into WSUS itself, and checked the automatic approval settings.  That was all set up and was approving certain updates (such as Critical Updates and Security Updates etc).  When looking further down the Automatic Approval rules, I noticed that there had been a deadline set for installing the updates.


The deadline had been set for 5am on the same day that the Windows Updates were approved.  This means that when a workstation turns on in the morning (which is usually after 5am...), it will realise that it has some updates available.  Because it's already past the deadline, the workstation starts installing the updates as soon as it can, and applies them immediately.

The WSUS settings here override the GPO settings, so even though it may have been defined in the GPO to not reboot, the computer knows that it's already past its deadline to have these updates installed, so it ignores the remainder of the settings, and applies the updates straight away.  If the updates require a reboot, it will do the reboot immediately as well.  This was what was causing the 'random' rebooting of computers throughout the day.

To resolve this issue, one could change the deadline to perhaps allow a couple of days after the update has been approved, or in my case, completely remove the deadline requirement.  The GPO will get machines to install updates each day anyway, so it's not needed in this case.
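
A quick way to audit a WSUS server for this condition, as an added example that is not part of the original post: it lists each automatic approval rule and flags any deadline with a zero day offset, which is the same-day case described above.  It assumes it is run on the WSUS server with the UpdateServices module available; the function name Get-WsusRuleDeadline is hypothetical.

```powershell
# Added example: audit WSUS automatic approval rules for install deadlines.
# Assumption: run on the WSUS server itself, with the UpdateServices module present.
Import-Module UpdateServices

function Get-WsusRuleDeadline {   # hypothetical helper name
    param(
        # Any WSUS server object; defaults to the local WSUS server.
        $Server = (Get-WsusServer)
    )

    foreach ($rule in $Server.GetInstallApprovalRules()) {
        $deadline = $rule.Deadline   # handled as "no deadline" when $null

        if ($null -eq $deadline) {
            $when    = 'none'
            $sameDay = $false
        }
        else {
            # MinutesAfterMidnight is minutes past 00:00, e.g. 300 -> 05:00
            $time = [TimeSpan]::FromMinutes($deadline.MinutesAfterMidnight)
            $when = '{0} day(s) after approval at {1:hh\:mm}' -f $deadline.DayOffset, $time
            # Offset 0 puts the deadline on the approval day itself, so a
            # client checking in after that time installs and reboots at once.
            $sameDay = ($deadline.DayOffset -eq 0)
        }

        [pscustomobject]@{
            Rule            = $rule.Name
            Enabled         = $rule.Enabled
            Deadline        = $when
            SameDayDeadline = $sameDay
        }
    }
}

Get-WsusRuleDeadline | Format-Table -AutoSize
```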

20 April 2016

Increase Package Size - WSUS

Recently I was looking at an application called CSI, which ties into WSUS, and releases packages through WSUS for 3rd party applications (such as Java etc).  This is a really good way to ensure that all applications are kept up to date, and managed through existing WSUS infrastructure.

I noticed that some packages were larger than the WSUS limit of 384mb.  This is obviously a problem, as WSUS wouldn't be able to package and push this out.  In order to get around this, I've had to tell WSUS that the package size can be larger than that.

The following PowerShell commands will get this job done:

Import-Module UpdateServices
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
$serverconfig = $wsus.getConfiguration()
$serverconfig.LocalPublishingMaxCabSize = 1024
$serverconfig.Save($FALSE)

In these commands, the 1024 is the newly updated maximum package size.
Note: WSUS cannot go larger than 2048mb, so don't set the size to above that.


15 April 2016

Define Start Screen Layout - Server 2012 R2 - Remote Desktop Services

Whilst setting up RDS Session Hosts today, I wanted to define the Start Menu layout for all users who will be logging in.

This TechNet article is rather handy for steps on how to export your start menu config, and then set it up under local group policy for all staff:

https://technet.microsoft.com/en-us/library/dn467928.aspx

Specify RDS Licensing Server from Session Host - 2012 R2

Earlier today I was setting up two new Session Hosts for a client, where we were creating a new collection.  Setting up the first one worked fine, but when logging into the second one, I noticed a message saying that there were no licenses for this server (for RDS) and it will stop working after 119 days.  Obviously there were licenses on the Licensing server, but for some reason this server couldn't communicate with it to find out.

When checking the RD Licensing Diagnoser, it confirmed that there was no licensing server linked to this Session Host.  I had a look online for a way to set this up using the GUI (on either the RDS Gateway/Licensing Server, or the Session Host), but couldn't find anything.

It's a nice and simple fix (there are actually two commands) that is done through PowerShell to get it all working.  The commands are the following:

Command #1

$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting

Command #2

$obj.SetSpecifiedLicenseServerList("license.contoso.com")

"license.contoso.com" is the name of the RDS License Server in the environment.

After doing this, all I had to do was refresh the RD Licensing Diagnoser, and it accurately reflected the licensing server, and the amount of licenses I had etc.

13 April 2016

Windows 10 showing as Vista in WSUS

There is a bug with WSUS where Windows 10 machines are showing up as Windows Vista.


There is a hot-fix released by Microsoft, and it can be downloaded here:

https://www.microsoft.com/en-us/download/details.aspx?id=51534

10 April 2016

Windows 10 Start Menu not responding

Whilst at a client's office rolling out new infrastructure, I noticed that logging into all W10 machines caused some issues with the Start Menu.  Clicking on the Start Menu simply wouldn't do anything.  You could right-click on it without issue, but normal click did nothing.

This started to happen to all computers for all accounts.  I'd confirmed that everything was working well previously, so I started to look into whether it could be a new GPO rolled out or something like that.  Not being able to pinpoint any GPO which could have caused the issue, I started to investigate why the Start Menu wasn't working.  Checking Event Logs, it showed that items were trying to register with the Firewall, but failing.

I checked the Services and the Windows Firewall service had actually been disabled.  After enabling this again, and starting it up, everything started to work.  It turns out a technician had gone through each computer and disabled the Windows Firewall service for some reason!

So if anyone has this issue with the W10 start menu, the first thing to check should be the Windows Firewall service!
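
To check a batch of machines for the same condition, here is an added example that is not part of the original post.  It assumes the Windows Firewall service's short name MpsSvc and that the target machines accept remote CIM (WinRM) queries; the function name and the computer names are hypothetical.

```powershell
# Added example: report machines where the Windows Firewall service (MpsSvc)
# is disabled or not running.
function Get-FirewallServiceState {   # hypothetical helper name
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($computer in $ComputerName) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MpsSvc'" `
                                   -ComputerName $computer -ErrorAction Stop
            [pscustomobject]@{
                Computer  = $computer
                StartMode = $svc.StartMode   # Auto / Manual / Disabled
                State     = $svc.State       # Running / Stopped
                NeedsFix  = ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running')
            }
        }
        catch {
            # Unreachable machines are reported rather than silently skipped.
            [pscustomobject]@{
                Computer  = $computer
                StartMode = 'unknown'
                State     = 'unreachable'
                NeedsFix  = $null
            }
        }
    }
}

# Constructed machine names, for illustration only.
Get-FirewallServiceState -ComputerName 'PC-01', 'PC-02' | Format-Table -AutoSize
```

On a flagged machine, Set-Service -Name MpsSvc -StartupType Automatic followed by Start-Service -Name MpsSvc mirrors the fix described above.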

09 April 2016

Exchange 2016 ECP Blank After Login

Recently I tried to log into an Exchange 2016 console, but after actually typing in my username and password, it gave a blank screen.

This happened when accessing ECP (or OWA) from the Exchange server, any other machine on the network, or even accessing it externally.  Upon looking into this, I realised that there was no self-signed certificate for the Exchange server for some reason.  There was an SSL cert, but no self-signed cert.  This needs to be created, and added to the binding of the 'Back End' website within IIS.


Once this was created, and added back into IIS, and the bindings were set, ECP and OWA started to work again.

01 April 2016

File Permissions for Specific Security Group - PowerShell Script

Recently I have needed to run a report to get a list of all files and folders on a particular drive, and the security groups that have permissions assigned to those files/folders.  Upon looking into whether this was actually possible, I created a script to export a list of folders and their associated security group access.

Get-ChildItem C:\Users -recurse | ForEach-Object {Get-ACL $_.FullName} | select psPath,psParentPath,psChildName,AccessToString | Export-CSV -NoTypeInformation C:\TestExportFile.csv

This command will create a CSV file which we can use to then filter down, and get a list of all the folders that reference a particular group.  In this case, I have filtered the AccessToString field, which shows the security groups, and have searched for Testing Group 1 which was my test group.


This then shows only the folder locations which use the Testing Group 1 security group as NTFS permissions.  Although this is a rather manual process, it allows you to find all folders which use that particular security group.  This will come in handy if you're wanting to delete a security group, and want to quickly reference a File Server to ensure that nothing is referring to that particular group.
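
The manual filtering step can also be done in PowerShell.  The following is an added example, not the script from the original post: it walks the folders under a path, inspects each access entry, and outputs only those that reference the named group, along with the rights and whether the entry is inherited.  The function name Find-GroupAclReference and the output file name are hypothetical.

```powershell
# Added example: list every folder whose NTFS ACL references a given group.
function Find-GroupAclReference {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$GroupName,   # e.g. 'Testing Group 1'
        [switch]$ExplicitOnly                         # skip inherited entries
    )

    # Start with the root itself, then every sub-folder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            # IdentityReference looks like DOMAIN\Name; compare the name part only.
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($name -ne $GroupName) { continue }
            if ($ExplicitOnly -and $ace.IsInherited) { continue }

            [pscustomobject]@{
                Folder    = $folder.FullName
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Allow / Deny
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Output path is a constructed example value.
Find-GroupAclReference -Path 'C:\Users' -GroupName 'Testing Group 1' |
    Export-Csv -NoTypeInformation 'C:\TestGroupReferences.csv'
```

Running it with -ExplicitOnly narrows the report to the folders where the group was assigned directly, which are the entries that need attention before the group is deleted.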