Microsoft Blue Screen of Death (BSOD)

BSOD KB ID 0001882

Problem

Recovering from a Microsoft Blue Screen of Death (BSOD) involves several steps to diagnose and resolve the issue. Here is a systematic approach to help you recover from a BSOD.

Solution : BSOD Resolution.

 

Note: If you are running CrowdStrike Falcon (the outage of 18th Jul 2024) or you’re stuck at the recovery screen, the problem is being worked on. Ref:

TEMPORARY WORKAROUND

 

  1. Boot Windows into Safe Mode or the Windows Recovery Environment (WinRE).
  2. Go to C:\Windows\System32\drivers\CrowdStrike
  3. Locate and delete the file matching “C-00000291*.sys” (the faulty channel file that the Falcon sensor driver loads at boot).
  4. Boot normally. The sensor itself stays installed and fetches the corrected channel file once the host is back online.

Alternative CrowdStrike Fix (from the recovery screen)

If you’re stuck at the recovery screen, try these steps:

  1. Click on ‘See advanced repair options’ on the Recovery screen.
  2. In the Advanced Repair Options menu, select ‘Troubleshoot’.
  3. Next, choose ‘Advanced options’.
  4. Select ‘Startup Settings’.
  5. Click on ‘Restart’.
  6. After your PC restarts, you will see a list of options. Press 4 or F4 to start your PC in Safe Mode.
  7. Open Command Prompt in Safe Mode.
  8. In the Command Prompt, navigate to the drivers directory: cd \windows\system32\drivers
  9. Either delete just the faulty file with del CrowdStrike\C-00000291*.sys, or rename the whole folder with ren CrowdStrike CrowdStrike_old. Note that renaming the folder disables the sensor entirely until you rename it back, so the single-file delete is the narrower fix.

Alternative CrowdStrike Fix (For Virtual Machines)

  1. Attach the system disk of the affected machine as an unmanaged disk to another VM for offline repair. (Note: disks that are encrypted, e.g. with BitLocker, may need these additional instructions: Unlocking an encrypted disk for offline repair.)
  2. Once the disk is attached, delete the following file on the attached volume (the path below assumes the disk was mounted as E:): E:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys
  3. The disk can then be detached and re-attached to the original VM.
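The offline repair above, as an added example that is not part of the original article or of CrowdStrike’s own guidance: it unlocks the attached volume if BitLocker has it locked (using manage-bde, which is also present in WinRE), finds the faulty channel file, keeps a copy for the incident record and deletes it. The drive letter E: and the recovery password are assumptions; on the affected host itself in Safe Mode the drive is usually C:.

```powershell
# Added example, not from the original article or from CrowdStrike.
# Run from an elevated PowerShell prompt on the repair VM (or from WinRE/Safe Mode on the host).

function Unlock-OfflineVolume {
    param(
        [Parameter(Mandatory)][string]$MountPoint,   # e.g. 'E:'
        [string]$RecoveryPassword                    # 48-digit BitLocker recovery password, if needed
    )
    # manage-bde works in WinRE as well as full Windows; the BitLocker PowerShell module may not be present in WinRE
    $status = & manage-bde.exe -status $MountPoint 2>&1 | Out-String
    if ($status -match 'Lock Status:\s+Locked') {
        if (-not $RecoveryPassword) { throw "$MountPoint is BitLocker-locked; supply -RecoveryPassword" }
        & manage-bde.exe -unlock $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "manage-bde failed to unlock $MountPoint (exit code $LASTEXITCODE)" }
    }
}

function Remove-CrowdStrikeChannelFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SystemDrive,  # letter the affected Windows volume is mounted as
        [string]$RecoveryPassword
    )
    $mount = $SystemDrive.TrimEnd('\')
    Unlock-OfflineVolume -MountPoint $mount -RecoveryPassword $RecoveryPassword

    $dir = Join-Path $mount 'Windows\System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir)) {
        throw "CrowdStrike driver folder not found at $dir (wrong volume, or the sensor is not installed)"
    }

    # Only the faulty channel file is removed; the sensor driver (csagent.sys) and the rest of the folder stay,
    # so the sensor comes back up and pulls the corrected channel file once the host is online again
    $bad = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
    if ($bad.Count -eq 0) { Write-Warning "No C-00000291*.sys found in $dir; nothing to do"; return }

    $quarantine = Join-Path $mount 'Windows\Temp\CrowdStrike-291-quarantine'
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null

    foreach ($f in $bad) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Copy to quarantine and delete')) {
            Copy-Item -LiteralPath $f.FullName -Destination $quarantine -Force
            Remove-Item -LiteralPath $f.FullName -Force
            [pscustomobject]@{
                Removed       = $f.FullName
                LastWriteUtc  = $f.LastWriteTimeUtc
                QuarantinedTo = Join-Path $quarantine $f.Name
            }
        }
    }
}

# Dry run first, then for real (E: is the assumed letter of the attached system disk)
Remove-CrowdStrikeChannelFile -SystemDrive 'E:' -WhatIf
Remove-CrowdStrikeChannelFile -SystemDrive 'E:'
```

Running with -WhatIf lists what would be removed without touching the disk; the quarantined copy carries the timestamp of the bad update, which is useful for the incident write-up.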

 

1. Note the BSOD Error Code

When a BSOD occurs, a stop code (a name such as DRIVER_IRQL_NOT_LESS_OR_EQUAL, or a hex value such as 0x0000009F) is displayed on the screen, and on Windows 10/11 the screen often also names the driver involved under ‘What failed’. This information is crucial in diagnosing the problem, so write down the stop code, the ‘What failed’ module (if any) and any other associated information before the machine reboots. The same details are also recorded in the System event log (the BugCheck event, ID 1001) and, if crash dumps are enabled, in C:\Windows\Minidump.
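Step 1 done from the event log, as an added example that is not part of the original article: it reads the last stop code(s) and dump path from the BugCheck event, falls back to the Kernel-Power event if Windows Error Reporting is off, and lists any minidumps, so the details are captured even when nobody wrote them down from the screen.

```powershell
# Added example, not from the original article.

function Get-LastBugCheck {
    [CmdletBinding()]
    param([int]$Count = 1)

    # WER writes event 1001 (source "BugCheck") on the first boot after a crash; the message text holds
    # the stop code, its four parameters and the dump path, which we pull out with regexes
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $Count -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $stop = $null; $params = $null; $dump = $null
        if ($e.Message -match 'bugcheck was:\s*(0x[0-9A-Fa-f]+)\s*\(([^)]*)\)') { $stop = $Matches[1]; $params = $Matches[2] }
        if ($e.Message -match 'saved in:\s*(\S+)') { $dump = $Matches[1].TrimEnd('.') }
        [pscustomobject]@{ Time = $e.TimeCreated; StopCode = $stop; Parameters = $params; DumpFile = $dump }
    }

    # Fallback when WER reporting is disabled: Kernel-Power event 41 carries the stop code in EventData (as decimal);
    # a BugcheckCode of 0 there means a power loss or hard reset rather than a BSOD
    if (-not $events) {
        $kp = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41 }
        Get-WinEvent -FilterHashtable $kp -MaxEvents $Count -ErrorAction SilentlyContinue | ForEach-Object {
            $code = ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'BugcheckCode' | Select-Object -ExpandProperty '#text'
            [pscustomobject]@{ Time = $_.TimeCreated; StopCode = ('0x{0:X8}' -f [int]$code); Parameters = $null; DumpFile = $null }
        }
    }
}

function Get-Minidump {
    $dir = Join-Path $env:SystemRoot 'Minidump'
    if (Test-Path $dir) {
        Get-ChildItem $dir -Filter *.dmp | Sort-Object LastWriteTime -Descending |
            Select-Object Name, LastWriteTime, @{ n = 'SizeKB'; e = { [int]($_.Length / 1KB) } }
    }
}

Get-LastBugCheck -Count 3 | Format-Table -AutoSize
Get-Minidump | Format-Table -AutoSize
```

The DumpFile and minidump paths are what you feed to WinDbg (!analyze -v) or the viewers listed at the end of this article.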

2. Restart Your Computer

Sometimes, a simple restart can resolve the issue. However, if the BSOD persists, proceed to the next steps.

3. Boot into Safe Mode

Safe Mode loads a minimal set of drivers and services. Booting into Safe Mode can help you determine if a default setting or basic device driver is causing the issue.

  • Windows 10/11: (pressing F8 at boot no longer works on these versions unless you re-enable the legacy boot menu with bcdedit /set {default} bootmenupolicy legacy)
    1. Open Settings > Update & Security > Recovery (Windows 10) or Settings > System > Recovery (Windows 11) and under Advanced startup click ‘Restart now’. Alternatively hold Shift while clicking Restart on the Start menu. If Windows will not boot at all, interrupting startup three times in a row drops you into the same recovery environment (WinRE).
    2. Choose Troubleshoot > Advanced options > Startup Settings > Restart.
    3. After the reboot, press 4 or F4 for “Safe Mode” or 5 or F5 for “Safe Mode with Networking.”

4. Check for Hardware Issues causing BSOD

  • Disconnect External Devices: Unplug all external devices (USB drives, printers, etc.) and restart your computer to see if the BSOD persists.
  • Run a Memory Check: Use Windows Memory Diagnostic tool to check for memory issues.
    • Press Windows + R, type mdsched.exe, and press Enter.
    • Choose “Restart now and check for problems.”

5. Update or Roll Back Drivers

  • Update Drivers:
    • Open Device Manager (Windows + X > Device Manager).
    • Expand categories and update any drivers with a yellow exclamation mark.
  • Roll Back Drivers:
    • In Device Manager, right-click the driver causing the issue, select “Properties,” go to the “Driver” tab, and select “Roll Back Driver.”

6. Check for Software Issues

  • Uninstall Recent Software: Uninstall any software or updates installed recently.
    • Go to Settings > Apps > Apps & features and uninstall the problematic software.
  • Run System File Checker (SFC):
    • Open Command Prompt as Administrator.
    • Type sfc /scannow and press Enter.

7. Perform a System Restore

If the BSOD started after a recent change, performing a System Restore can revert your computer to a previous state.

  • Go to Control Panel > System and Security > System > System Protection > System Restore.
  • Follow the prompts to choose a restore point.

8. Check Disk for Errors

  • Open Command Prompt as Administrator.
  • Type chkdsk /f /r and press Enter. For the system volume you will be asked whether to schedule the check for the next restart; answer Y.
  • Restart your computer to allow the check to run.

9. Update Windows

Ensure your Windows operating system is up to date.

  • Go to Settings > Update & Security > Windows Update (Windows 10) or Settings > Windows Update (Windows 11) and check for updates.

10. Perform a Clean Boot

A clean boot helps eliminate software conflicts.

  • Press Windows + R, type msconfig, and press Enter.
  • Go to the “Services” tab, check “Hide all Microsoft services,” and click “Disable all.”
  • Go to the “Startup” tab, open Task Manager, and disable all startup items.
  • Restart your computer.

11. Reset or Reinstall Windows

If none of the above steps work, you may need to reset or reinstall Windows.

  • Reset This PC:
    • Go to Settings > Update & Security > Recovery > Reset this PC (Windows 10) or Settings > System > Recovery > Reset PC (Windows 11).
    • Choose whether to keep your files or remove everything.
  • Reinstall Windows: Backup your data and perform a clean installation using a bootable USB drive with the Windows installation media.

Additional Tools and Resources

  • BlueScreenView: A utility to view minidump files created during BSODs.
  • WhoCrashed: Analyzes crash dumps to determine the cause of the crash.
  • WinDbg (from the Windows SDK or the Microsoft Store): open the minidump and run !analyze -v to get the stop code, the faulting module and the stack; this is the data the two tools above are summarising for you.

Related Articles, References, Credits, or External Links

NA

Disable NTLM

Disable NTLM KB ID 0001880

Problem

NTLM (NT LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users on a network. It is an older protocol that has been the fallback rather than the default since Windows 2000 introduced Kerberos into Active Directory; in modern Windows environments Kerberos is preferred for its stronger security properties, and NTLM is typically only used when Kerberos cannot be (for example when a resource is addressed by IP address rather than by name, or when the client or server is not domain-joined). NTLM is a challenge-response authentication protocol used to authenticate a client to a resource on a network. It exists in three variants: NTLMv1, NTLMv2, and NTLMv2 Session Security.

Key Components

Authentication Process:

    • Challenge-Response Mechanism: NTLM uses a challenge-response mechanism where the server challenges the client, and the client responds with a value that proves its knowledge of the user’s password.
    • Session Security: Provides confidentiality (encryption) and integrity (signing) for data sent over the network.

NTLM Versions:

    • NTLMv1:
      • Uses DES (Data Encryption Standard) in the challenge-response computation: the 16-byte NT hash is padded to 21 bytes and split into three 7-byte DES keys, each of which encrypts the 8-byte server challenge to produce the 24-byte response.
      • The client never sends the password or its hash; it sends the response computed from the hash and the challenge, and the server (or the domain controller, via pass-through authentication) recomputes it from the stored hash and compares.
      • Known for its weaknesses: a captured response can be cracked offline to recover the NT hash because each DES key has only 56 bits of entropy, and the LM response (where still sent) is weaker again.
    • NTLMv2:
      • Introduced to address the security shortcomings of NTLMv1.
      • Uses HMAC-MD5, keyed with a hash derived from the NT hash, user name and domain, over the server challenge plus a client-supplied blob containing a timestamp, a client nonce and the target information.
      • The client nonce and timestamp give better resistance to replay and to precomputed (rainbow-table) attacks. There is still no mutual authentication: nothing in the exchange proves the server’s identity to the client. Mutual authentication is a Kerberos feature.
    • NTLMv2 Session Security:
      • Derives a session key from both the server and client challenges.
      • Provides integrity (signing) and confidentiality (sealing) for the session, when the application negotiates them.

Components of NTLM:

    • User Authentication: Verifies the identity of a user or system requesting access.
    • Message Integrity: Ensures that messages are not tampered with during transmission.
    • Message Confidentiality: Encrypts messages to protect sensitive information.

Security Weaknesses

  1. NTLMv1:
    • Weak Hashing (LM Hash): the LM hash upper-cases the password, pads it to 14 characters and hashes the two 7-character halves separately with DES, so it can be brute-forced in seconds.
    • Offline cracking: a captured NTLMv1 challenge/response pair can be cracked back to the NT hash (the 56-bit DES keys are the limit), and an attacker who controls the server challenge can precompute the work. The recovered NT hash is directly usable in pass-the-hash attacks.
    • Lack of Mutual Authentication: only the client is authenticated, not the server.
  2. NTLMv2:
    • Improved but Still Vulnerable: while it significantly improves upon NTLMv1, it still lacks mutual authentication, captured NetNTLMv2 responses can be brute-forced offline against the user’s password, and any NTLM variant can be relayed to another service unless that service requires signing or channel binding. It is not as secure as Kerberos, and its benefit is undermined in environments where NTLMv1 is still accepted for backward compatibility, because clients that are still allowed to send NTLMv1 responses will do so to any server, including an attacker’s.

Deprecation and Modern Alternatives

  • Kerberos: Introduced in Windows 2000, Kerberos provides stronger security features, including mutual authentication, and is now the default authentication protocol in Active Directory environments.
  • Recommendations: Organizations are encouraged to disable NTLM where possible, particularly NTLMv1, and to use Kerberos or other modern authentication protocols.

In Summary

NTLM played a crucial role in early Windows network security, providing a means of authenticating users and securing communications. However, due to its security vulnerabilities, especially in NTLMv1, it has been largely replaced by more secure protocols like Kerberos. NTLMv2 offers improvements but is still not as robust as modern alternatives, making it advisable for organizations to phase out NTLM in favour of stronger authentication methods.

As of June 2024 Microsoft has officially deprecated NTLM (all versions), although it still ships in Windows for compatibility.

Solution : Disable NTLM

Developers are being encouraged to STOP using NTLM, and the advice is to set your systems to ONLY use NTLM if Kerberos is not available. Your first challenge is to find out what (if anything) is still using NTLM.

On your server(s) look in the Security event log for Event ID 4624 (logon) events whose Authentication Package is NTLM. On domain controllers you will also see Event ID 4776 (credential validation) for every NTLM logon that is passed through to the DC, which is useful because 4776 names the source workstation even when the logon itself happened on a member server.

But there’s thousands of Event ID 4624 events, so let’s narrow the search with some PowerShell.

[box]

$query= @"
    <QueryList> 
           <Query Id="0"> 
              <Select Path="Security"> 
                *[System[(EventID='4624')]] 
                 and 
                *[EventData[Data[@Name='AuthenticationPackageName'] and (Data='NTLM')]]
               </Select> 
           </Query> 
    </QueryList>
"@
Get-WinEvent -FilterXml $query

[/box]

Now I can review each of those events (by their time stamp!) and I’ve only got two offenders to investigate.

You can also have a reconnoitre with Wireshark: the display filter ntlmssp shows every NTLM negotiation on the wire, and the NTLMSSP_AUTH message reveals the user, domain, workstation and whether an NTLMv1 or NTLMv2 response was sent.
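The query above tells you that NTLM was used; what you actually need to know is who, from where, and whether it was NTLMv1 or v2, because only the v1 (and LM) users break when you raise the LAN Manager authentication level. The following is an added example, not the original article’s code: it parses 4624 event XML (the LmPackageName field carries the version) and ranks the results. The three sample events at the bottom are constructed so it runs offline; the commented line shows how to feed it from the live log.

```powershell
# Added example, not from the original article.

function ConvertFrom-NtlmLogonEvent {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
            Server      = $x.Event.System.Computer
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            LogonType   = $data['LogonType']
            AuthPackage = $data['AuthenticationPackageName']
            LmPackage   = $data['LmPackageName']   # 'NTLM V1', 'NTLM V2' or 'LM'
        }
    }
}

function Get-NtlmOffenderReport {
    param([Parameter(Mandatory)][object[]]$Rows)
    # LM and NTLMv1 users come first (they stop working at LmCompatibilityLevel 5), busiest first within that
    $Rows | Where-Object AuthPackage -eq 'NTLM' |
        Group-Object LmPackage, Account, Workstation | ForEach-Object {
            $g = $_.Group
            [pscustomobject]@{
                LmPackage   = $g[0].LmPackage
                Account     = $g[0].Account
                Workstation = $g[0].Workstation
                SourceIps   = ($g.SourceIp | Sort-Object -Unique) -join ','
                Servers     = ($g.Server | Sort-Object -Unique) -join ','
                Count       = $_.Count
                LastSeen    = ($g.Time | Measure-Object -Maximum).Maximum
            }
        } |
        Sort-Object @{ e = { if ($_.LmPackage -eq 'NTLM V2') { 0 } else { 1 } } }, Count -Descending
}

# Live use, per DC or file server (needs Event Log Readers or local admin on the target):
#   $rows = Get-WinEvent -FilterXml $query -ComputerName DC01 | ForEach-Object { $_.ToXml() } | ConvertFrom-NtlmLogonEvent

# Constructed sample events for an offline run (real events carry the events-schema xmlns, which the parser ignores)
$sampleEvents = @(
    '<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-06-10T09:15:22Z"/><Computer>FS01.corp.local</Computer></System><EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">NAS01</Data><Data Name="L'+'mPackageName">NTLM V1</Data><Data Name="IpAddress">10.0.0.55</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-06-10T09:45:02Z"/><Computer>FS01.corp.local</Computer></System><EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">NAS01</Data><Data Name="LmPackageName">NTLM V1</Data><Data Name="IpAddress">10.0.0.55</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-06-10T10:02:41Z"/><Computer>PRINT01.corp.local</Computer></System><EventData><Data Name="TargetUserName">jsmith</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">LAPTOP-77</Data><Data Name="LmPackageName">NTLM V2</Data><Data Name="IpAddress">10.0.1.23</Data></EventData></Event>'
)
$rows = $sampleEvents | ConvertFrom-NtlmLogonEvent
Get-NtlmOffenderReport -Rows $rows | Format-Table -AutoSize
```

With the sample data the NAS01 / svc_backup pair lands at the top as the one NTLMv1 user (two logons), and jsmith’s NTLMv2 logon from LAPTOP-77 below it; the v1 rows are the ones to fix before moving to the “Refuse LM and NTLM” setting.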

Disable NTLM v1

It’s considered best practice to disable NTLM version 1 first, then wait for a while (a few weeks) before attempting to disable NTLM version 2 as well.

Edit the Default Domain Controllers Policy and navigate to:

[box]

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >  
Network Security: LAN Manager Authentication Level

[/box]

Settings:

  • Send LM and NTLM responses
  • Send LM and NTLM (use NTLMv2 session security if negotiated)
  • Send NTLM response only
  • Send NTLMv2 response only
  • Send NTLMv2 response only, Refuse LM: Domain controllers offer only NTLMv2 but still accept NTLMv1 authentication.
  • Send NTLMv2 response only, Refuse LM and NTLM: Domain controllers refuse LM and NTLMv1, accepting only NTLMv2.

To keep NTLMv2 and refuse NTLMv1 choose the last option. Note that on the domain controllers this setting governs what the DCs will accept; the same policy applied to member servers and workstations governs what they send (level 3 and above means NTLMv2 only), so apply it there too if you want clients to stop offering NTLMv1 responses.

WARNING: This setting is ‘tattooed’ into the registry of the domain controller(s); even if you have a problem and revert the policy setting to Not Defined, the value remains. If that happens to you, you can change it manually in the registry at the following key, where it is the LmCompatibilityLevel DWORD value.

[box]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

[/box]

 

There are six settings (0 to 5) that correspond to the ones in the group policy (0 = Send LM & NTLM responses, 5 = Send NTLMv2 response only, refuse LM & NTLM); for further information see this article.
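Checking (and, where a tattooed value is the problem, correcting) that registry value across all the domain controllers, as an added example that is not part of the original article. It needs the ActiveDirectory module and WinRM to the DCs; the DC list comes from Get-ADDomainController and the level descriptions are the six group policy options above.

```powershell
# Added example, not from the original article.

$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-DcLmCompatibilityLevel {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName))
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        [pscustomobject]@{ Value = $lsa.LmCompatibilityLevel }
    } | ForEach-Object {
        # No value at all means "Not Defined"; Server 2008 R2 and later then behave as level 3
        $level = if ($null -eq $_.Value) { 3 } else { [int]$_.Value }
        [pscustomobject]@{
            DC            = $_.PSComputerName
            Defined       = ($null -ne $_.Value)
            Level         = $level
            Meaning       = $LmLevelText[$level]
            AcceptsNtlmV1 = ($level -lt 5)
            AcceptsLm     = ($level -lt 4)
        }
    }
}

function Set-DcLmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level
    )
    foreach ($dc in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($dc, "Set LmCompatibilityLevel = $Level")) {
            Invoke-Command -ComputerName $dc -ArgumentList $Level -ScriptBlock {
                param($l)
                # Direct registry write: use this to un-tattoo a DC; a value defined in GPO will overwrite it at the next refresh
                Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -Value $l -Type DWord
            }
        }
    }
}

Get-DcLmCompatibilityLevel | Format-Table -AutoSize

# Dry run: move every DC that still accepts NTLMv1 to level 5
$stillV1 = @((Get-DcLmCompatibilityLevel | Where-Object AcceptsNtlmV1).DC)
if ($stillV1.Count -gt 0) { Set-DcLmCompatibilityLevel -ComputerName $stillV1 -Level 5 -WhatIf }
```

Run the Get- function again after the next group policy refresh on the DCs; if the value flips back, the policy is still defining it somewhere and that is what needs changing, not the registry.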

Disable NTLM Completely

Before proceeding it’s a good idea to enable the “Network security: Restrict NTLM: Audit NTLM authentication in this domain” policy on the domain controllers, then wait a while longer and review the logs. The audit events are written to Applications and Services Logs > Microsoft > Windows > NTLM > Operational (Event ID 8004 on the DCs for NTLM authentication in the domain; 8001, 8002 and 8003 are the client- and server-side equivalents when the matching “Audit incoming/outgoing NTLM traffic” policies are enabled). If something does appear that you cannot fix, you can add it to the “Restrict NTLM: Add server exceptions in this domain” policy.

This time in the default domain controller’s policy navigate to.

[box]

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >  
Network Security: Restrict NTLM: NTLM authentication in this domain

[/box]

  • Disable: the policy is disabled (NTLM authentication is allowed in the domain).
  • Deny for domain accounts to domain servers: the domain controllers refuse NTLM logons by domain accounts to any domain server, and the client sees an “NTLM is blocked” error.
  • Deny for domain accounts: the domain controllers refuse NTLM authentication for all domain accounts wherever the logon is attempted, and the “NTLM is blocked” error appears.
  • Deny for domain servers: NTLM authentication requests to all domain servers are denied unless the server name is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy.
  • Deny all: the domain controllers block all NTLM requests for all domain servers and accounts (the exception list still applies).

To stop client computers from attempting to connect with NTLM at all, you can set the following in the Default Domain Policy (audit them first with the matching “Audit incoming NTLM traffic” and “Outgoing NTLM traffic to remote servers = Audit all” settings):

  • Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all

Related Articles, References, Credits, or External Links

NA

Windows Server Evaluation Extending & Converting

Server Evaluation Extending & Converting KB ID 0001879

Problem

If you download and install a Windows Server evaluation, you get 180 days’ grace to upgrade it to a fully licensed version. Now the internet is awash with articles telling you how you can extend that; in fact you can extend it by 180 days a further SIX TIMES. But what they fail to tell you is that this only works if you DON’T LET IT EXPIRE. Once you’ve passed the 180 days you cannot extend it by another 180 days (if you try you only get 10 days’ grace!)

Day 1

After 180 Days

Solution: Server Evaluation Extending

When the server is first deployed you will have 180 days and SIX REARMS available, which you can see with the following command.

[box]

slmgr -dlv

[/box]

Assuming you are within the 180 day period you can simply extend by 180 days with the following command.

[box]

slmgr -rearm

[/box]

Once rebooted you can check status with the same command we used above (slmgr -dlv).

Solution: Server Evaluation Extending (If Expired)

If you have been on the server it would have warned you with prompts like this.

What Happens If The Windows Server Evaluation License Expires?

The server will shut itself down, 1 hour after it has been powered on, (after logging Event ID 1074).

Event ID 1074
The license period for this installation of Windows has expired. The operating system is shutting down.

As mentioned above you can give yourself some breathing room (assuming you have a rearm count of 1 or more) by using the same command to extend (slmgr -rearm), but you will only get 10 days’ grace to enter a valid key/activation code.
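The same data slmgr -dlv prints is available through the SoftwareLicensing WMI classes, which makes the “never let it expire” rule scriptable. The following is an added example, not the original article’s code: it reports days remaining and rearms left, and only rearms when the evaluation is inside a threshold and a rearm is still available, so it can be dropped into a scheduled task. The 14-day threshold is an assumption.

```powershell
# Added example, not from the original article.

function Get-EvalLicenseState {
    # The Windows OS product has this fixed ApplicationId; the installed SKU is the one with a partial key
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    $prod = Get-CimInstance -ClassName SoftwareLicensingProduct `
                -Filter "ApplicationId='$windowsAppId' AND PartialProductKey IS NOT NULL" | Select-Object -First 1
    $svc  = Get-CimInstance -ClassName SoftwareLicensingService
    $statusText = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'; 4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
    [pscustomobject]@{
        Edition       = $prod.Name
        LicenseStatus = $statusText[[int]$prod.LicenseStatus]
        DaysRemaining = [math]::Floor($prod.GracePeriodRemaining / 1440)   # GracePeriodRemaining is in minutes
        RearmsLeft    = [int]$svc.RemainingWindowsReArmCount
    }
}

function Invoke-EvalRearm {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$WhenDaysLeftBelow = 14)
    $state = Get-EvalLicenseState
    if ($state.RearmsLeft -lt 1) {
        throw 'No rearms left: convert the edition with DISM /Set-Edition and enter a key instead'
    }
    if ($state.DaysRemaining -gt $WhenDaysLeftBelow) {
        return "$($state.DaysRemaining) days left and $($state.RearmsLeft) rearms; not rearming yet"
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'ReArmWindows')) {
        $svc = Get-CimInstance -ClassName SoftwareLicensingService
        Invoke-CimMethod -InputObject $svc -MethodName ReArmWindows | Out-Null
        return 'Rearmed: reboot, then confirm with Get-EvalLicenseState (or slmgr -dlv)'
    }
}

Get-EvalLicenseState
Invoke-EvalRearm -WhatIf
```

Run Invoke-EvalRearm daily from a scheduled task and the 10-days-grace trap described above never arises, because the rearm fires while the evaluation is still valid.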

Converting Windows Server Evaluation To Full Version

The other option, and of course what Microsoft want you to do, is convert the evaluation version to a full version. You can see what versions are available by running the following command.

[box]

DISM /Online /Get-TargetEditions

[/box]

My only option is ServerDatacenter – so I can convert to that version and enter a valid Windows Key to licence the server at the same time.

[box]

DISM /Online /Set-Edition:ServerDatacenter /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

[/box]

Then (when asked) reboot the server to complete the procedure.

Note: Before you email me to point out there’s a Windows licence key in that screenshot (above), that’s the Windows Server 2022 KMS client setup key (GVLK), which Microsoft publishes; it only activates against a KMS host, so it is not a secret.

Related Articles, References, Credits, or External Links

NA

Windows Create NFS Share

Windows Create NFS Share KB ID 0001869

Problem

It has been a while since I mentioned this, but if you have a Windows server and you would like to present an NFS share, the process is pretty straightforward. The following procedure was carried out on Windows Server 2022, but the process is pretty much the same going all the way back to Server 2012.

Solution : Windows Create NFS Share

Install Server for NFS (GUI)

You need to add the “Server for NFS” role. Server Manager > Manage > Add Roles and Features > Next > Next > Next > Next > Expand “File and Storage Services” > Expand “File and iSCSI Services” > Server for NFS > Next > Next > Next > Install.

 

Install Server for NFS (PowerShell)

I much prefer this method. From an Administrative PowerShell prompt, use the following command.

[box]

Install-WindowsFeature FS-NFS-Service -IncludeManagementTools 

[/box]

Note: In some instances you may be asked to reboot (post role installation.)

Windows Create NFS Share

Assuming you have a folder to share > Right Click > Properties > NFS Sharing > Manage NFS Sharing > Tick ‘Share this folder’ > Permissions > Change access to ‘Read-Write’ and tick ‘Allow root access’ > OK > Apply > OK > Apply > OK.

Security note: with the default AUTH_SYS authentication the NFS server trusts whatever UID and GID the client claims, so the host-based permission list is the real access control. Grant the share to the specific hosts or netgroups that need it rather than to the default ‘All Machines’ entry, and only tick ‘Allow root access’ for clients that genuinely need to write as root; otherwise root is mapped to the anonymous UID.
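The same share created from PowerShell, but scoped to named client hosts as the note above recommends, as an added example that is not the original article’s code. The share name, path and client addresses are assumptions.

```powershell
# Added example, not from the original article.

function New-ScopedNfsShare {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$ClientName,   # host names or IPs allowed to mount the export
        [ValidateSet('readonly', 'readwrite')][string]$Permission = 'readwrite',
        [switch]$AllowRootAccess
    )
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    if ($PSCmdlet.ShouldProcess($Name, "Create NFS share on $Path for $($ClientName -join ', ')")) {
        # AUTH_SYS trusts whatever UID/GID the client sends, so the host list is the real access control.
        # Unmapped access lets Linux UIDs with no Windows identity mapping in (the GUI default); use
        # -Authentication krb5p with domain-joined clients if you need authenticated, encrypted NFS instead.
        New-NfsShare -Name $Name -Path $Path -Authentication sys -EnableUnmappedAccess $true | Out-Null

        # Close the catch-all entry first, then open the share only to the named hosts
        Grant-NfsSharePermission -Name $Name -ClientName 'All Machines' -ClientType builtin -Permission no-access
        foreach ($client in $ClientName) {
            Grant-NfsSharePermission -Name $Name -ClientName $client -ClientType host `
                -Permission $Permission -AllowRootAccess $AllowRootAccess.IsPresent
        }
        Get-NfsSharePermission -Name $Name
    }
}

New-ScopedNfsShare -Name 'Backups' -Path 'D:\NfsExports\Backups' -ClientName '10.0.20.15', '10.0.20.16' -AllowRootAccess
```

Get-NfsSharePermission at the end shows the resulting list (All Machines: no-access, then one readwrite entry per host); from a Linux client, showmount -e against the server should list the export, and a mount attempt from a host that is not in the list should be refused.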

Related Articles, References, Credits, or External Links

Windows NFS Overview

Migrate to Microsoft Entra Connect

 Migrate to Microsoft Entra Connect KB ID 0001857

Problem

You want to migrate from Microsoft Azure AD Connect to Microsoft Entra Connect.

Let me let you into a secret: (at the time of writing) Entra Connect and Azure AD Connect ARE THE SAME THING. If you go to download Entra Connect, the file you download is called AzureADConnect.msi. So what you actually want to do is upgrade Azure AD Connect.

If your existing Azure AD Connect is running on Windows Server 2016 (or newer) you can simply ‘in-place upgrade’ the existing Azure AD Connect to version 2, and there’s no need to migrate anything.

If you MUST migrate, because you are deploying on a new server for example, the process is straightforward:

  • Install on New Server and put into Staging Mode.
  • Put Old Server into Staging Mode.
  • Take New Server out of  Staging Mode, (ensure there are no errors/problems).
  • Uninstall from Old Server.

Solution: Migrate to Microsoft Entra Connect

So if you simply want to perform an in-place upgrade because your OS is Windows Server 2016 (or newer), use the following article.

Upgrade Azure AD Connect

If you’ve made it this far then you WANT to migrate to Microsoft Entra Connect or, as previously mentioned, to migrate Azure AD Connect to another server!

Migrate to Microsoft Entra Connect Step One: Export Settings

On the Old Server, launch the Azure AD connect shortcut > Configure.

Select  ‘View or export current configuration’ > Next.

Export Settings > Save them (by default in C:\ProgramData\AADConnect) > Save > Exit.

Migrate to Microsoft Entra Connect Step Two: Import Settings

Assuming you’ve done nothing other than download the install package on the new server  > Run the installer package > Agree to the EULA > Continue.

Customise.

Select ‘Import synchronisation settings’ > In the Location section enter \\old-server-name\c$\ProgramData\AADConnect\filename.json > Install.

From this point forward I will assume you want everything set the same, so other than usernames and passwords accept the defaults > Next.

Enter the password to authenticate to M365/Azure AD.

This next screen can be confusing because you can’t click Next, and it’s not apparent why! Next to your domain there should be a green tick, if there’s a red cross you need to select ‘change password’ > Then enter the (local AD account) account you use for synchronisation > Next.

Next.

Both options should be ticked by default > Install.

Exit.

Migrate to Microsoft Entra Connect Step Three: Put Old Server Into Staging Mode

I find this much easier to do with PowerShell, but I’ll put the graphical procedure below if you prefer. Issue the following two commands.

[box]

$aadSyncSettings=Get-ADSyncGlobalSettings
$aadSyncSettings.parameters

[/box]

Locate the ‘Microsoft.Synchronize.StagingMode’ parameter and you will see its value is set to ‘False’, i.e. staging mode is NOT enabled (the server is in production mode).

To change the value to ‘True‘ i.e. enable staging mode use the following command.

[box]

($aadSyncSettings.parameters | ?{$_.name -eq "Microsoft.Synchronize.StagingMode"}).value="True"
Set-ADSyncGlobalSettings $aadSyncSettings

[/box]

You can then confirm that the staging mode value is set to ‘True’ by reading the settings back from the service (re-printing the object you just edited would show ‘True’ whether or not the save succeeded):

[box]

(Get-ADSyncGlobalSettings).Parameters | Where-Object { $_.Name -eq "Microsoft.Synchronize.StagingMode" }

[/box]

Migrate to Microsoft Entra Connect Step Four: Take the New Server Out of Staging Mode

On the New Server, use the following two commands.

[box]

$aadSyncSettings=Get-ADSyncGlobalSettings
($aadSyncSettings.parameters | ?{$_.name -eq "Microsoft.Synchronize.StagingMode"}).value="False"
Set-ADSyncGlobalSettings $aadSyncSettings

[/box]

You can then confirm that the staging mode value is set to ‘False’ by reading the settings back from the service:

[box]

(Get-ADSyncGlobalSettings).Parameters | Where-Object { $_.Name -eq "Microsoft.Synchronize.StagingMode" }

[/box]
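Steps Three and Four wrapped into one function that switches staging mode and verifies it two independent ways (the global setting re-read from the service, and what the scheduler reports), plus a cross-check that exactly one of the two servers is active, since two active servers exporting to the same tenant is the failure mode this whole dance is designed to avoid. This is an added example, not the original article’s or Microsoft’s code; the server names AADC-OLD and AADC-NEW are assumptions and the cross-check needs WinRM to both.

```powershell
# Added example, not from the original article.

function Set-AadConnectStagingMode {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)
    Import-Module ADSync -ErrorAction Stop

    $settings = Get-ADSyncGlobalSettings
    $param    = $settings.Parameters | Where-Object Name -eq 'Microsoft.Synchronize.StagingMode'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set StagingMode = $Enabled")) {
        $param.Value = $Enabled.ToString()      # the service stores it as the string 'True' / 'False'
        Set-ADSyncGlobalSettings $settings
    }

    # Re-read from the service rather than trusting the object we just edited, and cross-check with the scheduler
    $stored = (Get-ADSyncGlobalSettings).Parameters | Where-Object Name -eq 'Microsoft.Synchronize.StagingMode'
    [pscustomobject]@{
        Server           = $env:COMPUTERNAME
        GlobalSetting    = [bool]::Parse($stored.Value)
        SchedulerReports = (Get-ADSyncScheduler).StagingModeEnabled
    }
}

function Test-AadConnectSingleActive {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $states = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module ADSync
        [pscustomobject]@{ Server = $env:COMPUTERNAME; Staging = (Get-ADSyncScheduler).StagingModeEnabled }
    })
    $active = @($states | Where-Object { -not $_.Staging })
    if ($active.Count -ne 1) {
        Write-Warning "Expected exactly one active server, found $($active.Count): $($active.Server -join ', ')"
    }
    $states | Select-Object Server, Staging
}

# On the OLD server first:
Set-AadConnectStagingMode -Enabled $true
# Then on the NEW server:   Set-AadConnectStagingMode -Enabled $false
# Finally, from either server:
Test-AadConnectSingleActive -ComputerName 'AADC-OLD', 'AADC-NEW'
```

If GlobalSetting and SchedulerReports ever disagree, the ADSync service has not picked the change up yet; restart it (Restart-Service ADSync) before moving on to the other server.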

Migrate to Microsoft Entra Connect Step Five: Check for Errors

On Premises: You can look in ‘Azure AD Connect Synchronisation Service.’

Microsoft 365: The main Admin console will tell you (in the user management pane).

Microsoft Entra Admin Panel: Look under identity > Provision from Active Directory.

Alternate Steps to Enable Staging Mode (From GUI)

On the Old Server, launch the Azure AD connect shortcut > Configure.

Configure Staging Mode > Next.

Enter your admin password > Next.

Tick to select ‘Enable Staging Mode‘ > Next.

Configure.

Exit

Alternate Steps to Disable Staging Mode (From GUI)

On the New Server, launch the Azure AD connect shortcut > Configure.

Configure Staging Mode > Next

Enter your admin password > Next.

Untick to deselect ‘Enable Staging Mode‘ > Next.

Configure.

Exit

Migrate to Microsoft Entra Connect Step Six: Uninstall Microsoft Azure AD Connect

On the Old Server, search for appwiz.cpl > run it > Select Microsoft Azure AD Connect > Uninstall > Yes > Remove.

Exit.

Related Articles, References, Credits, or External Links

Locate Your Azure AD Connect Server

Azure AD Connect: Correct Or Remove Duplicate Values

Cannot Recreate Azure AD ‘Local’ AD Connector

Forcing Azure AD Connect Sync

ERR_CERT_WEAK_SIGNATURE_ALGORITHM

ERR_CERT_WEAK_SIGNATURE_ALGORITHM KB ID 0001845

Problem

Error seen when attempting to open a web page that’s been secured by https with a certificate.

Your Connection isn’t private
Attackers might be trying to steal your information from {host-name} (for example, passwords , messages or credit cards)

Solution : ERR_CERT_WEAK_SIGNATURE_ALGORITHM

I had not seen this error for a while, and I was surprised I was seeing it now. It’s because the certificate on the website is signed with SHA-1, which the mainstream browsers have rejected since 2017.

If you have purchased this certificate you will need to get it reissued, but chances are this is a certificate issued from your own Certificate Services. If that is the case, you need to update your Certificate Services from SHA1 to SHA256 and reissue the certificate. (A SHA-1 self-signature on the root CA certificate itself is not the problem; browsers check the signatures on the issued certificates and intermediates, not on the trust anchor.)

For complex (multi-tier) PKI Certificate Services:
Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

For most people (with a stand-alone Enterprise Certificate Services CA server):
Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

Related Articles, References, Credits, or External Links

ERR_CERT_COMMON_NAME_INVALID

SSL_ERROR_UNSUPPORTED_VERSION

ERR_CERT_COMMON_NAME_INVALID

ERR_CERT_COMMON_NAME_INVALID KB ID 0001844

Problem

Error seen when attempting to open a web page that’s been secured by https with a certificate.

Your Connection isn’t private
Attackers might be trying to steal your information from  {host-name} (for example, passwords , messages or credit cards).

Solution : ERR_CERT_COMMON_NAME_INVALID

This error confused me GREATLY because I generated that certificate, and I was pretty certain the common name was correct, so I double checked.

The truth is this error is VERY MISLEADING: the problem has nothing to do with the certificate’s Common Name (for the uninitiated, the Common Name or CN is a value within a certificate that usually holds the ‘resolvable name’ of the website you are visiting, i.e. on my certificate (above) you can see that’s www.petenetlive.com).

On the certificate giving me the error in the picture above THERE IS NOTHING WRONG WITH THE COMMON NAME. The real reason you see this error is that there’s no Subject Alternative Name (SAN) entry in the certificate. Chrome (since version 58, in 2017) and the other mainstream browsers ignore the CN entirely when matching a certificate to a host name and only look at the SAN, so a certificate with no SAN can never match. So I created a new certificate and copied the same value into both the common name and the subject alternative name fields, like so.

If your certificate is publicly signed, then you will need to go back to the certificate vendor and have the certificate reissued with a subject alternative name. However, I issue these certificates internally from my own Certificate Services, so I just needed to add it, like so.
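Both of these browser errors (the SHA-1 signature in the previous article and the missing SAN in this one) can be confirmed from a PowerShell prompt before you go anywhere near the CA. The following is an added example, not code from either article: it fetches the certificate a site presents, walks the chain Windows builds for it, and reports any SHA-1/MD5 signature on a non-root certificate and whether the leaf has a SAN that covers the host name. It also scans the local machine store for SHA-1-signed certificates still in date, which is the reissue list for an internal CA migration. The host name is taken from the article; network access is required for the first function.

```powershell
# Added example, not from the original articles.

function Get-TlsCertReport {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept anything during the handshake: the point is to inspect a bad certificate, not reject it
        $noValidation = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $noValidation)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally { $tcp.Close() }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($leaf)

    # SAN is extension OID 2.5.29.17; Format($true) renders it as one "DNS Name=host" line per entry
    $sanExt   = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) { $sanNames = @($sanExt.Format($true) -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }

    # The root's self-signature may legitimately be SHA-1; browsers only judge signatures on issued certificates
    $weak = @($chain.ChainElements | Where-Object {
        $_.Certificate.Subject -ne $_.Certificate.Issuer -and
        $_.Certificate.SignatureAlgorithm.FriendlyName -match 'sha1|md5'
    } | ForEach-Object { $_.Certificate.Subject })

    [pscustomobject]@{
        Host          = $HostName
        Subject       = $leaf.Subject
        Issuer        = $leaf.Issuer
        NotAfter      = $leaf.NotAfter
        ChainSigAlgs  = ($chain.ChainElements | ForEach-Object { $_.Certificate.SignatureAlgorithm.FriendlyName }) -join ' > '
        WeakSignature = ($weak.Count -gt 0)
        WeakSignedBy  = $weak -join '; '
        SanPresent    = ($null -ne $sanExt)
        SanNames      = $sanNames -join '; '
        HostInSan     = ($sanNames -contains "DNS Name=$HostName")   # exact match only; wildcard entries are not evaluated
    }
}

function Find-Sha1SignedCert {
    # Certificates in the local machine store signed with SHA-1 and still in date: the reissue list for a CA migration
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.SignatureAlgorithm.FriendlyName -match 'sha1' -and $_.NotAfter -gt (Get-Date)
    } | Select-Object Subject, Issuer, NotAfter, @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }
}

Get-TlsCertReport -HostName 'www.petenetlive.com' | Format-List
Find-Sha1SignedCert | Format-Table -AutoSize
```

WeakSignature = True maps to ERR_CERT_WEAK_SIGNATURE_ALGORITHM; SanPresent = False, or HostInSan = False with no matching wildcard, maps to ERR_CERT_COMMON_NAME_INVALID.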

 

Related Articles, References, Credits, or External Links

Microsoft PKI Planning and Deploying Certificate Services

0x80094801 Certificate Issue Error

0x80094801 Certificate Issue Error

0x80094801 KB ID 0001843

Problem

Whilst attempting to get a certificate from a Windows server running certificate services, I got the following error:

The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE) Denied by policy module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute.

Solution: 0x80094801 Error

Well, that’s actually a descriptive error: this is a certificate request I created on a third-party piece of hardware, so I’m not surprised there’s no template information in it. An enterprise CA needs to know which template to issue against, and the only way to supply that for a foreign CSR is to submit it from the command line with the template as a request attribute (use the template’s name, not its display name, e.g. WebServer rather than “Web Server”).

[box]

certreq -submit -attrib "CertificateTemplate:TEMPLATE-NAME" "C:\Folder\Request-file.csr"

[/box]

You will be prompted to select a certificate services server, then you will be asked where you want to save the certificate.

You can now use the issued certificate.
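When the request is generated on a Windows host rather than on third-party hardware, both this article’s problem (no template in the request) and the previous one’s (no SAN) can be avoided at request time: certreq accepts an INF that carries the CertificateTemplate attribute and the SAN extension inside the request itself. The following is an added example, not code from either article; the host names, template name and CA config string (“CAHOST\CA Name”, as shown by certutil -dump) are assumptions.

```powershell
# Added example, not from the original articles.

function New-CaWebServerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [string[]]$DnsName = @(),                    # extra SAN entries; the CN is always added as well
        [string]$Template = 'WebServer',             # template NAME (no spaces), not its display name
        [Parameter(Mandatory)][string]$CaConfig,     # e.g. 'CA01.corp.local\CORP-CA'
        [string]$WorkDir = (Join-Path $env:TEMP "certreq-$CommonName")
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir 'request.inf'
    $req = Join-Path $WorkDir 'request.req'
    $cer = Join-Path $WorkDir 'issued.cer'

    # Browsers match on the SAN only, so the CN is repeated there; one _continue_ line per name
    $names    = @($CommonName) + $DnsName | Sort-Object -Unique
    $sanLines = ($names | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

    @"
[NewRequest]
Subject = "CN=$CommonName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
$sanLines

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

    & certreq.exe -new $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE); check the INF at $inf" }

    # The template attribute travels inside the request, so no -attrib is needed at submit time
    & certreq.exe -submit -config $CaConfig $req $cer
    if (-not (Test-Path $cer)) {
        Write-Warning 'No certificate returned: the template may require CA manager approval, or the request was denied'
        return
    }
    & certreq.exe -accept $cer | Out-Null     # installs into LocalMachine\My alongside the private key
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$CommonName" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1 Subject, Thumbprint, NotAfter,
            @{ n = 'SAN'; e = { ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false) } }
}

New-CaWebServerCertificate -CommonName 'intranet.corp.local' -DnsName 'intranet' -CaConfig 'CA01.corp.local\CORP-CA'
```

Exportable is left FALSE so the private key cannot leave the host; set it to TRUE only if the certificate has to be moved to a load balancer or another server.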

Related Articles, References, Credits, or External Links

Microsoft PKI Planning and Deploying Certificate Services

Moving Certificate Services To Another Server

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

Migrate NPS Server

Migrate NPS Server KB ID 0001841

Problem

If you have deployed an NPS server on your network, there may be a time when you want to replace that server. If all it’s doing is NPS and it’s 2012 or newer I’d be tempted to simply in-place upgrade it, but some people are rigid in their belief that that is not a good idea, in which case you need to migrate to a new server.

Solution : Migrate NPS Server

Locate NPS Server

Just in case you know you have an NPS server but you don’t know which server it’s on (or how many you have!), the simplest way to find out is to look at the members of the RAS and IAS Servers group in AD, since every NPS server that has been authorised in the domain is added to it.

You can use the following procedure on Server 2012 (and newer) If your source server is Server 2008 then you need to use the netsh method I’ll outline below.

Migrate NPS Server : Export NPS Settings PowerShell

On the OLD (source) server:

 

[box]

Export-NpsConfiguration -Path C:\NPS-PS-Exported.xml

[/box]

Then copy that exported XML file to the new NPS server. WARNING: the export contains the RADIUS client shared secrets in clear text, so protect the file in transit and delete it from both servers once the import has been verified.

Migrate NPS Server : Import NPS Settings PowerShell

At this point I’ll assume that your target server is built, updated and domain joined. So we have three tasks: install NPS, authorise the NPS server in AD, then import the settings from the file you exported above. Note: there is no dedicated PowerShell cmdlet to authorise the new server in AD (at the time of writing), so we use the netsh command to do that. All it does is add the server’s computer account to the RAS and IAS Servers group, so Add-ADGroupMember against that group is an equivalent alternative; either way you need rights to modify that group (Domain Admins by default).

[box]

Install-WindowsFeature NPAS -IncludeManagementTools

netsh ras add registeredserver

Import-NpsConfiguration -Path C:\NPS-PS-Exported.xml

[/box]

Then at this point I’d stop and disable the NPS service on the old server and give everything a test. REMEMBER: if you have RADIUS clients (switches, wireless controllers, VPN concentrators) you may need to change the RADIUS server IP address that THEY are configured with to point at the new NPS server.

WARNING: If you are using authentication methods that need a server certificate, like PEAP-MS-CHAP v2, PEAP-TLS or EAP-TLS, AND your clients are set to validate the server’s identity (optional, but strongly recommended), then check the new server has a suitable certificate (Server Authentication EKU, private key present, issued to the new server’s name and trusted by the clients) and that it is selected in the network policy. The certificate is not part of the exported configuration, and the old server’s certificate is bound to the old server’s name.
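The export, the post-import check and the certificate warning above, as an added example that is not part of the original article: the export is written with a locked-down ACL (because it contains the shared secrets), the RADIUS client lists on the two servers are diffed after the import, and the new server’s machine store is checked for a certificate PEAP/EAP-TLS can actually use. The server names NPS-OLD and NPS-NEW are assumptions; the compare needs WinRM to both servers.

```powershell
# Added example, not from the original article.

function Export-NpsConfigSecurely {
    param([Parameter(Mandatory)][string]$Path)
    Export-NpsConfiguration -Path $Path
    # Drop inherited permissions and leave only Administrators and SYSTEM on the export file
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', 'Allow'))
    }
    Set-Acl -Path $Path -AclObject $acl
    Get-Item $Path | Select-Object FullName, Length, LastWriteTime
}

function Compare-NpsRadiusClient {
    param([Parameter(Mandatory)][string]$OldServer, [Parameter(Mandatory)][string]$NewServer)
    $list = { Get-NpsRadiusClient | Select-Object Name, Address, Enabled }
    $old = @(Invoke-Command -ComputerName $OldServer -ScriptBlock $list)
    $new = @(Invoke-Command -ComputerName $NewServer -ScriptBlock $list)
    if ($old.Count -eq 0 -or $new.Count -eq 0) {
        Write-Warning "Empty RADIUS client list (old: $($old.Count), new: $($new.Count)); was the import run?"
        return
    }
    $diff = Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Name, Address, Enabled
    if ($diff) { return $diff }   # '<=' rows exist only on the old server, '=>' only on the new one
    "All $($old.Count) RADIUS clients from $OldServer are present on $NewServer"
}

function Test-NpsEapCertificate {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # PEAP / EAP-TLS need a certificate with the Server Authentication EKU (1.3.6.1.5.5.7.3.1),
        # a private key, and a validity window that is still open
        Get-ChildItem Cert:\LocalMachine\My | Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            (($_.EnhancedKeyUsage | ForEach-Object { $_.ObjectId }) -contains '1.3.6.1.5.5.7.3.1')
        } | Select-Object Subject, Issuer, NotAfter, Thumbprint
    }
}

# On the old server:
Export-NpsConfigSecurely -Path 'C:\NPS-PS-Exported.xml'
# On the new server, after the install / registration / Import-NpsConfiguration steps above:
Compare-NpsRadiusClient -OldServer 'NPS-OLD' -NewServer 'NPS-NEW'
Test-NpsEapCertificate -ComputerName 'NPS-NEW'
```

If Test-NpsEapCertificate returns nothing on the new server, request a certificate for it before cutting clients over; the network policy will otherwise reference a certificate that no longer exists.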

Migrate NPS Server (Server 2008)

On older OSs you don’t have the Export-NpsConfiguration and Import-NpsConfiguration PowerShell cmdlets, so you have to use the netsh command instead.

Export NPS with Netsh

[box]

netsh

nps

export filename="C:\NPS-Exported-NETSH.xml" exportPSK=YES

[/box]

Import NPS with Netsh

[box]

netsh

nps

import filename="C:\NPS-Exported-NETSH.xml"

[/box]

Remove NPS

Once you’ve waited long enough to be sure you no longer need the old NPS server you can remove it with the following commands.

[box]

netsh ras delete registeredserver

Uninstall-WindowsFeature NPAS

Restart-Computer

[/box]

Note: If you are removing from Server 2008 you may need to use Remove-WindowsFeature NPAS instead!

Related Articles, References, Credits, or External Links

NA

RDP Black Screen

RDP Black Screen KB ID 0001840

Problem

This problem has cropped up through various iterations of Windows operating systems. You attempt to RDP to a machine; it connects, but you simply get a black screen.

 

RDP Black Screen Solution

Over the years various ‘hotfixes’ were known to cause this, but before proceeding make sure both the machine you are connecting FROM and the machine you are connected TO are fully patched and updated.

Common troubleshooting dictates that your first step is to see if you can replicate the same problem from another machine and, if possible, from a different OS. Below I’m attempting the same from my MacBook and getting the same result.

 

If something on the target is simply preventing the desktop (Explorer) from drawing, press CTRL+ALT+END, or CTRL+ALT+Fn+END (depending on your keyboard); this sends CTRL+ALT+DEL to the remote session rather than to your local machine. Hopefully you should now be able to launch Task Manager > Run new task (File > Run new task on older versions) > Explorer.exe > OK.

You can also try disabling ‘Persistent bitmap caching’ on the Experience tab of your RDP connection dialog.

In the same dialog, on the Display tab, also try some lower resolutions in case the target machine is confused about what to display in your remote session.

If it’s still not working the next most likely culprit is a display driver: either update it or roll it back to a known good one, trying this on both the source and target machines. Note: if you see something like this, then the target machine may just need its VMware Tools updating.

Finally, try a different RDP client: for Windows there’s Remote Desktop Connection Manager, and on a Mac there’s the Microsoft Remote Desktop app.

Did none of these work for you? If you have a better solution, post it below and I’ll update the post accordingly.

Related Articles, References, Credits, or External Links

Remote Desktop Services – Connection Errors

Windows – Black Screen Of Death