Windows SSH ‘No Matching Key’

No Matching Key KB ID 0001900

Problem : No Matching Key

Typically I see this problem on my mac or within various Linux distributions. I’ve covered extensively how to fix this on a mac in the following article.

macOS – SSH Error ‘No Matching Exchange Method Found’

So when I saw the same question asked for a Windows client, I went and looked, and found some patchy information, so I thought I’d work it out and post it here for you. Essentially you will see an error when attempting to SSH to a device something like one of the following.

Unable to negotiate with {IP-Or-Hostname} port 22 : no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Unable to negotiate with {IP-Or-Hostname} port 22 : no matching host key type found. Their offer: ssh-rsa

Solution : No Matching Key

With windows the fix is similar, less secure algorithms and ciphers have been depreciated by Windows, to re-enable them* you need to edit your ssh_config file this file lives in a folder called ssh, which is in a hidden folder on the root of your C Drive called ProgramData. On most Windows machines this file wont exist, but check first to make sure (particularly if you’re on a server that may be running SSH Services).

*Note: They are depreciated for a reason, this weakens your machines security. The following procedure will GLOBALLY allow these depreciated cyphers for all SSH sessions, if you want to operate a little more securely go to the individual SSH config section.

Showing Hidden Files and Folders : No Matching Key

Assuming like me you don’t already have an ssh_config file already then you need to create one and add the connection algorithms required. Open an administrative command window (if you don’t do this you will get access denied errors going forward!) Then execute the following commands.

[box]

copy nul > C:\ProgramData\ssh\ssh_config

notepad C:\ProgramData\ssh\ssh_config

[/box]

Note: If after you execute the first command, you get “copy : Cannot find path ‘C:\Windows\system32\nul’ because it does not exist.” don’t worry, it will still create the file.

A notepad window will open, remove any text withing it and paste in the following.

[box]

MACs hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
PubkeyAcceptedAlgorithms +ssh-rsa
HostKeyAlgorithms +ssh-rsa

[/box]

Save the notepad file then re-try your ssh command, this time it should succeed, or if it errors it will tell you which MAC, KexAlgorithms, or Key algorithm it’s missing that you can paste into the ssh_config file.

Individual Host SSH Settings

Its considered better practice to have a config for each target you will SSH to, for me that’s impractical because I have hundreds of clients and thousands of switches, routers and firewalls. (but you could add them as you go, I suppose). For this procedure you create a config file in your user profile, and in that config file you put the requirements in, on a host-by-host basis.

Firstly create the config file, open an administrative PowerShell window, and execute the following command.

[box]

New-Item -Path $HOME\.ssh\config -ItemType File

[/box]

Then to edit the config file.

[box]

C:\WINDOWS\System32\notepad.exe $HOME\.ssh\config

[/box]

A Notepad window will open with the blank config file, here’s an example of a config for two devices (my test Cisco ASA, and my test core switch).

Example.

[box]

# Config for my test firewall
  Host cisco-asa
  HostName 192.168.254.254
  User petelong
  Port 22
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  KexAlgorithms diffie-hellman-group1-sha1
  HostKeyAlgorithms +ssh-rsa

[/box]

Now simply issue an ssh cisco-asa command.

 

Related Articles, References, Credits, or External Links

SSH: Host Identification Has Changed

Printers “Some Of These Settings are Managed By Your Organisation”

Managed By Your Organisation KB ID 0001899

Problem

When attempting to add a printer, or engage with the printer settings dialog, you may see.

Some Of These Settings are Managed By Your Organisation

Solution : Managed By Your Organisation

This is usually because a policy is being applied, (or has been applied) that is making a change in your registry, to the following key.

[box]

HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer > NoAddPrinter 

[/box]

Values are.

  • ENABLED  = 1 (Printers cannot be added).
  • DISABLED = 0 (Printers can be added).

Of course if this IS being enforced by group policy changing the registry key will only fix the problem until the policy is re applied!

I’ve previously written about how to locate where a group policy is coming from. the policy you are looking for is

[box]

User Configuration > Administrative Templates > Control Panel > Printers > Prevent addition of printers  

[/box]

In this case it was being enforced by Local User Policies

Running gpedit.msc got me to the culprit.

If yours is being enforced from your domain, gpresult will point to the correct policy.

Related Articles, References, Credits, or External Links

Allow Users to Install Printers with Group Policy

Deploying Printers with Group Policy Preferences

What GPO are Applied?

What GPO KB ID 0001898

Problem

There are a number of reasons for you to test and demonstrate group policy application. Recently on Experts Exchange there was a question. where a user could not add a printer because those settings were “Controlled by their organisation’ but was pretty sure no printer GPOs were applied.

Or you may simply be setting up a new GPO and it’s not applying, or not working as you would expect.

Solution : What GPO

I’ve been doing this a long time! Back in the day you could create a new MMC console (run mmc.exe) then add the “Resultant Set Of Policy” Snap in and rung that to evaluate and model different GPO applications and results. You can still do that but now you can simply run the RSOP command from an administrative command window.

In this case it will produce a list of applied group policies for the logged in user and the machine it was ran on (if you want results for differennt users or computers you can add the RSOP snap-in to mmc, or run the modelling from a machinesthat had the group policy management console installed)

But RSOP will give you output like this, you can see what policies are being applied, and what is the name of the group policy that applying that change.

But this will produce a complete list of all GPO settings and their status (even if they are not defined (see above)). An easier way to search is to use GPRESULT and send the output of that to an HTML file that you can open in a browser.

[box]

gpresult /h C:\{Path}\GPresult.htm

[/box]

This produces an easier to read report

You can get the same report and change the input parameters for users and computers etc, by running the Group Policy Results wizard that included with the AD DS RSAT tools

Related Articles, References, Credits, or External Links

Group Policy: Item-Level Targeting

Apply Group Policy To a Security Group

Add The ‘Group Policy Management Console’

Take Ownership and Grant ‘Full Control’ Recursively

Take Ownership KB ID 0001200 

Problem

I had a bunch of old user profile folders I needed to delete today, When setup properly even the domain administrator can’t get in there and delete them;

You need permission to perform this action.

You don’t currently have persmission to access this folder

If it’s just one folder then simply take ownership, grant yourself rights and delete it! But I had a lot of folders so I needed a more robust (read less work) solution.

Solution: Take Ownership

Take Ownership of all Folders/Sub-Folders, and Files

Open an administrative command window, and execute the following command;

[box]

takeown /a /r /d Y /f C:\"Path-To-Folder"

[/box]

Grant ‘Full Control’ Rights to all Folders/Sub-Folders, and Files

Just because you are the owner, that does not mean you have any rights to the folders and files, to grant full control to the administrators group.

[box]

icacls C:\"Path-To-Folder" /grant administrators:F /t

[/box]

You can then delete the folder and its contents recursively with the following command.

[box]

Remove-Item -Path "Path-To-Folder" -Force -Recurse

[/box]

Related Articles, References, Credits, or External Links

Can’t Delete a File or Folder or Take Ownership

Microsoft Blue Screen of Death (BSOD)

BSOD KB ID 0001882

Problem

Recovering from a Microsoft Blue Screen of Death (BSOD) involves several steps to diagnose and resolve the issue. Here is a systematic approach to help you recover from a BSOD.

Solution : BSOD Resolution.

 

Note: If using Crowdstrike (18th Jul 2024) or you’re Stuck at the recovery screen. The problem is being worked on Ref:

TEMPORARY WORK AROUND

 

  1. Boot Windows into Safe Mode or WRE.
  2. Go to C:\Windows\System32\drivers\CrowdStrike
  3. Locate and delete file matching “C-00000291*.sys”
  4. Boot normally.

Alternative Crowdstrike Fix (from the recovery screen)

If you’re stuck at the recovery screen, try these steps:

  1. Click on ‘See advanced repair options’ on the Recovery screen.
  2. In the Advanced Repair Options menu, select ‘Troubleshoot’.
  3. Next, choose ‘Advanced options’.
  4. Select ‘Startup Settings’.
  5. Click on ‘Restart’.
  6. After your PC restarts, you will see a list of options. Press 4 or F4 to start your PC in Safe Mode.
  7. Open Command Prompt in Safe Mode.
  8. In the Command Prompt, navigate to the drivers directory: cd \windows\system32\drivers
  9. To rename the CrowdStrike folder, use ren CrowdStrike CrowdStrike_old

Alternative Crowdstrike Fix (For Virtual Machines)

  1. Attach an the system disk of the affected machine asunmanaged disk to another VM for offline repair (Note:Disks that are encrypted may need these additional instructions: Unlocking an encrypted disk for offline repair
  2. Once the disk is attached, customers can attempt to delete the following file. “Windows/System/System32/Drivers/CrowdStrike/C00000291*.sys
  3. The disk can then be detached and re-attached to the original VM.

 

1. Note the BSOD Error Code

When a BSOD occurs, an error code is displayed on the screen. This code can be crucial in diagnosing the problem. Write down the error code and any associated information.

2. Restart Your Computer

Sometimes, a simple restart can resolve the issue. However, if the BSOD persists, proceed to the next steps.

3. Boot into Safe Mode

Safe Mode loads a minimal set of drivers and services. Booting into Safe Mode can help you determine if a default setting or basic device driver is causing the issue.

  • Windows 10/11:
    1. Restart your computer.
    2. As soon as your computer starts, press the F8 key repeatedly until the Advanced Boot Options menu appears.
    3. Select “Safe Mode” or “Safe Mode with Networking.”

4. Check for Hardware Issues causing BSOD

  • Disconnect External Devices: Unplug all external devices (USB drives, printers, etc.) and restart your computer to see if the BSOD persists.
  • Run a Memory Check: Use Windows Memory Diagnostic tool to check for memory issues.
    • Press Windows + R, type mdsched.exe, and press Enter.
    • Choose “Restart now and check for problems.”

5. Update or Roll Back Drivers

  • Update Drivers:
    • Open Device Manager (Windows + X > Device Manager).
    • Expand categories and update any drivers with a yellow exclamation mark.
  • Roll Back Drivers:
    • In Device Manager, right-click the driver causing the issue, select “Properties,” go to the “Driver” tab, and select “Roll Back Driver.”

6. Check for Software Issues

  • Uninstall Recent Software: Uninstall any software or updates installed recently.
    • Go to Settings > Apps > Apps & features and uninstall the problematic software.
  • Run System File Checker (SFC):
    • Open Command Prompt as Administrator.
    • Type sfc /scannow and press Enter.

7. Perform a System Restore

If the BSOD started after a recent change, performing a System Restore can revert your computer to a previous state.

  • Go to Control Panel > System and Security > System > System Protection > System Restore.
  • Follow the prompts to choose a restore point.

8. Check Disk for Errors

  • Open Command Prompt as Administrator.
  • Type chkdsk /f /r and press Enter.
  • Restart your computer to allow the check to run.

9. Update Windows

Ensure your Windows operating system is up to date.

  • Go to Settings > Update & Security > Windows Update and check for updates.

10. Perform a Clean Boot

A clean boot helps eliminate software conflicts.

  • Press Windows + R, type msconfig, and press Enter.
  • Go to the “Services” tab, check “Hide all Microsoft services,” and click “Disable all.”
  • Go to the “Startup” tab, open Task Manager, and disable all startup items.
  • Restart your computer.

11. Reset or Reinstall Windows

If none of the above steps work, you may need to reset or reinstall Windows.

  • Reset This PC:
    • Go to Settings > Update & Security > Recovery > Reset this PC.
    • Choose whether to keep your files or remove everything.
  • Reinstall Windows: Backup your data and perform a clean installation using a bootable USB drive with the Windows installation media.

Additional Tools and Resources

  • BlueScreenView: A utility to view minidump files created during BSODs.
  • WhoCrashed: Analyzes crash dumps to determine the cause of the crash.

Related Articles, References, Credits, or External Links

NA

C0090016 Error

C0090016 Error KB ID 0001848

Problem

C0090016 Error usually seen after a motherboard has been changed. when attempting to open an office 365 application, or something that requires Entra ID authentication.

Something went wrong.
Your computers Trusted Platform Module has malfunctioned. If this error persists, contact your system administrator with the error code C0090016.

Error Code: C0090016
Server Message: Unknown Error Code 0xC0090016

Solution: C0090016 Error

Settings > Privacy and Security > Device Security > Security Processor Details.

Security Processor Troubleshooting > Select  > “I am responding to this error 80090016.” > Follow the instructions.

Windows 10 Note: You can find these settings in Windows Defender Security App.

Related Articles, References, Credits, or External Links

NA

RDP Black Screen

RDP Black Screen KB ID 0001840

Problem

This problem has jumped up through various iterations of Windows operating systems. You attempt to RDP to a machine; it connects but you simply get a black screen.

 

RDP Black Screen Solution

Over the years various ‘hotfixes’ were known to cause this, but before proceeding make sure both the machine you are connecting FROM and the machine you are connected TO are fully patched and updated.

Common troubleshooting dictates that your first step is to see if you can replicate the same problem from another machine, and if possible, from a different OS. below I’m attempting the same from my MacBook and getting the same result.

 

If something is happening on the target that is simply preventing the desktop from showing press CTRL+ALT+END, or CTRL+ALF+Fn+END (depending on your keyboard). Hopefully you should be able to now launch Task Manager > New > Run New Task > Explorer.exe > OK.

You can also try disabling ‘Persistent Bitmap caching’. On the Experience tab of you rdp dialog.

In the same dialog on the Display tab also try some low resolutions in case the target machine is confused about what to display on your remote session.

If it’s still not working the next most likely culprit is a display driver, Either update it or roll it back to a known good one, try this n the source and target machines. Note: if you see something like this – then the target machine may just need its VMware tools updating.

Finally try using a different RDP client for windows there’s the Remote Desktop Connection Manager, and on a mac theres the Microsoft Remote Desktop app.

Did none of these work for you? or if you have a better solution post it below and Ill update the post accordingly.

Related Articles, References, Credits, or External Links

Remote Desktop Services – Connection Errors

Windows – Black Screen Of Death

 

Disabling IPv6

Disabling IPv6 KB ID 0001832

Problem

Stop! Why do you want to disable IPv6? I see this regularly in forums, with other unusual statements like “If you’re not using it disabling it” or “It’s just another attack vector, disable it.

Well unless you’re running Windows XP and Server 2012 you’re using IPv6. If something does not work and disabling IPv6 fixes it, then it’s usually because your network is not configured correctly, (usually your routers are doing something called IPv6 Address Allocation*)

“From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system, and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6”

Reference.

Microsoft said that in 2016, and still there’s people routinely disabling IPv6?

*Note: You can disable SLAAC (Stateless Address Autoconfiguration) on a Cisco router with the  interface command “no ipv6 address autoconfig

Disabling IPv6 Alternative Solution

Before people accuse me of ‘not living in the real world’ If you have legacy equipment or ages old applications – you may need to consider ‘doing something about IPv6’. but your first action should be to prefer IPv4 over IPv6.

Prefer IPv4 over IPv6

Navigate to the following registry key.

[box]

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Tcpip6 > Parameters

[/box]

Create (or edit) a REG_DWORD (32 bit) value called DisabledComponents and to prefer IPv4 over IPv6 set it to Hexadecimal 20

Or simply execute the following command from an administrative command window.

[box]

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 32 /f

[/box]

Disabling IPv6

I MUST STRESS: Only do this for troubleshooting, having IPv6 enabled is the preferred state.

From the same Registry key above set the DisabledComponents value to Hexadecimal FF

Or simply execute the following command from an administrative command window.

[box]

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 255 /f

[/box]

Related Articles, References, Credits, or External Links

NA

Windows Remote VPN no DNS

VPN no DNS KB ID 0001402

Problem

I’ve been setting up a VPN solution on the test bench as I’m looking at Always On VPN. When I noticed that I had a problem with my remote VPN connections on Windows. They would connect fine but I could not resolve any FQDNs for my domain?

VPN no DNS Solution

By default, all (Windows) VPN connections are ‘Force Tunnel’ (this means they have the option ‘Use default gateway on remote network’ selected). This also means that, (unless your RAS server is the default Gateway for your network,) you usually don’t have internet access when connected to the VPN. 

Now I connected fine, and I could ping IP addresses on my corporate network, but I could not ping my servers by their domain name, in fact Windows was trying to resolve my domain name to a public IP?

Google this problem and you’re simply told to ‘Disable IPv6 on your network card, and this works, (if you want to keep your remote users Force-Tunnelled). But disabling IPv6 is hardly a fix is it?

Also If you want internet access for your remote clients, (Commonly referred to as ‘Split Tunnel’), then even with IPv6 disabled, the problem comes back!

Why is this happening? Well even with Force Tunnel enabled, you can still use your local LAN (Connect to your VPN, and ping your home gateway, or printer or wireless access point if you don’t believe me!) This connection takes precedence over your remote VPN connection, to prove it run a netstat -rn command. 

From the above you can see my Ethernet Adaptor has a metric of 6, and my VPN connector, (in this case called Connection Template) has metric of 23. AND THE LOWEST ONE WINS, so your DNS queries are going out of your local internet connection NOT down the VPN tunnel!

How Do I Fix this VPN no DNS?

Well until Microsoft fixes this in Windows 10, (it’s fine on Windows 8 and earlier), you have to manipulate the metrics yourself, like so;

VPN no DNS On Your Physical Adapter;

Start > ncpa.cpl {enter}  > Right click your NIC > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 20 > OK > OK >OK.

On Your VPN Connector;

Start > ncpa.cpl {enter}  > Right click your VPN Connector > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 10 > OK > OK >OK. 

Now your DNS look-ups should behave!

Related Articles, References, Credits, or External Links

NA

Manually Update Windows Trusted Root Certificates

Manually Update Windows Trusted Root Certificates KB ID 0001831

Problem

These days your trusted root certificates are simply updated with Windows Update, but what if your servers have no internet access? In this example I will manually update the root certs by downloading them on a machine WITH internet access then importing on another machine that has not.

Bear in mind: If none of your machines have internet access they cannot check certificate revocation lists etc – so you may still get some errors. You may want to consider deploying you own internal PKI.

Microsoft PKI Planning and Deploying Certificate Services

Solution: Update Windows Trusted Root Certificates

On a machine that HAS INTERNET ACCESS open an administrative command window and use the following commands.

[box]

mkdir c:\trusted-root-certs
cd c:\trusted-root-certs
Certutil.exe -generateSSTFromWU roots.sst

[/box]

You can (if you wish) then double click the SST file you’ve just created and (once you expand the folders on the left.) It should look like this.

Now copy that SST file to a machine THAT DOES NOT HAVE INTERNET ACCESS.

Note: I’ve created the same folder (c:\trusted-root-certs) and open an administrative PowerShell window, then issue the following commands.

[box]

$sstStore = ( Get-ChildItem -Path c:\trusted-root-certs\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

[/box]

Of course you may wish to script this if you have many machines to update, and host roots.sst in a central location so you can periodically update it.

Related Articles, References, Credits, or External Links

NA