Take Ownership and Grant ‘Full Control’ Recursively

Take Ownership KB ID 0001200 

Problem

I had a bunch of old user profile folders I needed to delete today, When setup properly even the domain administrator can’t get in there and delete them;

You need permission to perform this action.

You don’t currently have persmission to access this folder

If it’s just one folder then simply take ownership, grant yourself rights and delete it! But I had a lot of folders so I needed a more robust (read less work) solution.

Solution: Take Ownership

Take Ownership of all Folders/Sub-Folders, and Files

Open an administrative command window, and execute the following command;

[box]

takeown /a /r /d Y /f C:\"Path-To-Folder"

[/box]

Grant ‘Full Control’ Rights to all Folders/Sub-Folders, and Files

Just because you are the owner, that does not mean you have any rights to the folders and files, to grant full control to the administrators group.

[box]

icacls C:\"Path-To-Folder" /grant administrators:F /t

[/box]

You can then delete the folder and its contents recursively with the following command.

[box]

Remove-Item -Path "Path-To-Folder" -Force -Recurse

[/box]

Related Articles, References, Credits, or External Links

Can’t Delete a File or Folder or Take Ownership

Microsoft Blue Screen of Death (BSOD)

BSOD KB ID 0001882

Problem

Recovering from a Microsoft Blue Screen of Death (BSOD) involves several steps to diagnose and resolve the issue. Here is a systematic approach to help you recover from a BSOD.

Solution : BSOD Resolution.

 

Note: If using Crowdstrike (18th Jul 2024) or you’re Stuck at the recovery screen. The problem is being worked on Ref:

TEMPORARY WORK AROUND

 

  1. Boot Windows into Safe Mode or WRE.
  2. Go to C:\Windows\System32\drivers\CrowdStrike
  3. Locate and delete file matching “C-00000291*.sys”
  4. Boot normally.

Alternative Crowdstrike Fix (from the recovery screen)

If you’re stuck at the recovery screen, try these steps:

  1. Click on ‘See advanced repair options’ on the Recovery screen.
  2. In the Advanced Repair Options menu, select ‘Troubleshoot’.
  3. Next, choose ‘Advanced options’.
  4. Select ‘Startup Settings’.
  5. Click on ‘Restart’.
  6. After your PC restarts, you will see a list of options. Press 4 or F4 to start your PC in Safe Mode.
  7. Open Command Prompt in Safe Mode.
  8. In the Command Prompt, navigate to the drivers directory: cd \windows\system32\drivers
  9. To rename the CrowdStrike folder, use ren CrowdStrike CrowdStrike_old

Alternative Crowdstrike Fix (For Virtual Machines)

  1. Attach an the system disk of the affected machine asunmanaged disk to another VM for offline repair (Note:Disks that are encrypted may need these additional instructions: Unlocking an encrypted disk for offline repair
  2. Once the disk is attached, customers can attempt to delete the following file. “Windows/System/System32/Drivers/CrowdStrike/C00000291*.sys
  3. The disk can then be detached and re-attached to the original VM.

 

1. Note the BSOD Error Code

When a BSOD occurs, an error code is displayed on the screen. This code can be crucial in diagnosing the problem. Write down the error code and any associated information.

2. Restart Your Computer

Sometimes, a simple restart can resolve the issue. However, if the BSOD persists, proceed to the next steps.

3. Boot into Safe Mode

Safe Mode loads a minimal set of drivers and services. Booting into Safe Mode can help you determine if a default setting or basic device driver is causing the issue.

  • Windows 10/11:
    1. Restart your computer.
    2. As soon as your computer starts, press the F8 key repeatedly until the Advanced Boot Options menu appears.
    3. Select “Safe Mode” or “Safe Mode with Networking.”

4. Check for Hardware Issues causing BSOD

  • Disconnect External Devices: Unplug all external devices (USB drives, printers, etc.) and restart your computer to see if the BSOD persists.
  • Run a Memory Check: Use Windows Memory Diagnostic tool to check for memory issues.
    • Press Windows + R, type mdsched.exe, and press Enter.
    • Choose “Restart now and check for problems.”

5. Update or Roll Back Drivers

  • Update Drivers:
    • Open Device Manager (Windows + X > Device Manager).
    • Expand categories and update any drivers with a yellow exclamation mark.
  • Roll Back Drivers:
    • In Device Manager, right-click the driver causing the issue, select “Properties,” go to the “Driver” tab, and select “Roll Back Driver.”

6. Check for Software Issues

  • Uninstall Recent Software: Uninstall any software or updates installed recently.
    • Go to Settings > Apps > Apps & features and uninstall the problematic software.
  • Run System File Checker (SFC):
    • Open Command Prompt as Administrator.
    • Type sfc /scannow and press Enter.

7. Perform a System Restore

If the BSOD started after a recent change, performing a System Restore can revert your computer to a previous state.

  • Go to Control Panel > System and Security > System > System Protection > System Restore.
  • Follow the prompts to choose a restore point.

8. Check Disk for Errors

  • Open Command Prompt as Administrator.
  • Type chkdsk /f /r and press Enter.
  • Restart your computer to allow the check to run.

9. Update Windows

Ensure your Windows operating system is up to date.

  • Go to Settings > Update & Security > Windows Update and check for updates.

10. Perform a Clean Boot

A clean boot helps eliminate software conflicts.

  • Press Windows + R, type msconfig, and press Enter.
  • Go to the “Services” tab, check “Hide all Microsoft services,” and click “Disable all.”
  • Go to the “Startup” tab, open Task Manager, and disable all startup items.
  • Restart your computer.

11. Reset or Reinstall Windows

If none of the above steps work, you may need to reset or reinstall Windows.

  • Reset This PC:
    • Go to Settings > Update & Security > Recovery > Reset this PC.
    • Choose whether to keep your files or remove everything.
  • Reinstall Windows: Backup your data and perform a clean installation using a bootable USB drive with the Windows installation media.

Additional Tools and Resources

  • BlueScreenView: A utility to view minidump files created during BSODs.
  • WhoCrashed: Analyzes crash dumps to determine the cause of the crash.

Related Articles, References, Credits, or External Links

NA

C0090016 Error

C0090016 Error KB ID 0001848

Problem

C0090016 Error usually seen after a motherboard has been changed. when attempting to open an office 365 application, or something that requires Entra ID authentication.

Something went wrong.
Your computers Trusted Platform Module has malfunctioned. If this error persists, contact your system administrator with the error code C0090016.

Error Code: C0090016
Server Message: Unknown Error Code 0xC0090016

Solution: C0090016 Error

Settings > Privacy and Security > Device Security > Security Processor Details.

Security Processor Troubleshooting > Select  > “I am responding to this error 80090016.” > Follow the instructions.

Windows 10 Note: You can find these settings in Windows Defender Security App.

Related Articles, References, Credits, or External Links

NA

RDP Black Screen

RDP Black Screen KB ID 0001840

Problem

This problem has jumped up through various iterations of Windows operating systems. You attempt to RDP to a machine; it connects but you simply get a black screen.

 

RDP Black Screen Solution

Over the years various ‘hotfixes’ were known to cause this, but before proceeding make sure both the machine you are connecting FROM and the machine you are connected TO are fully patched and updated.

Common troubleshooting dictates that your first step is to see if you can replicate the same problem from another machine, and if possible, from a different OS. below I’m attempting the same from my MacBook and getting the same result.

 

If something is happening on the target that is simply preventing the desktop from showing press CTRL+ALT+END, or CTRL+ALF+Fn+END (depending on your keyboard). Hopefully you should be able to now launch Task Manager > New > Run New Task > Explorer.exe > OK.

You can also try disabling ‘Persistent Bitmap caching’. On the Experience tab of you rdp dialog.

In the same dialog on the Display tab also try some low resolutions in case the target machine is confused about what to display on your remote session.

If it’s still not working the next most likely culprit is a display driver, Either update it or roll it back to a known good one, try this n the source and target machines. Note: if you see something like this – then the target machine may just need its VMware tools updating.

Finally try using a different RDP client for windows there’s the Remote Desktop Connection Manager, and on a mac theres the Microsoft Remote Desktop app.

Did none of these work for you? or if you have a better solution post it below and Ill update the post accordingly.

Related Articles, References, Credits, or External Links

Remote Desktop Services – Connection Errors

Windows – Black Screen Of Death

 

Disabling IPv6

Disabling IPv6 KB ID 0001832

Problem

Stop! Why do you want to disable IPv6? I see this regularly in forums, with other unusual statements like “If you’re not using it disabling it” or “It’s just another attack vector, disable it.

Well unless you’re running Windows XP and Server 2012 you’re using IPv6. If something does not work and disabling IPv6 fixes it, then it’s usually because your network is not configured correctly, (usually your routers are doing something called IPv6 Address Allocation*)

“From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system, and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6”

Reference.

Microsoft said that in 2016, and still there’s people routinely disabling IPv6?

*Note: You can disable SLAAC (Stateless Address Autoconfiguration) on a Cisco router with the  interface command “no ipv6 address autoconfig

Disabling IPv6 Alternative Solution

Before people accuse me of ‘not living in the real world’ If you have legacy equipment or ages old applications – you may need to consider ‘doing something about IPv6’. but your first action should be to prefer IPv4 over IPv6.

Prefer IPv4 over IPv6

Navigate to the following registry key.

[box]

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Tcpip6 > Parameters

[/box]

Create (or edit) a REG_DWORD (32 bit) value called DisabledComponents and to prefer IPv4 over IPv6 set it to Hexadecimal 20

Or simply execute the following command from an administrative command window.

[box]

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 32 /f

[/box]

Disabling IPv6

I MUST STRESS: Only do this for troubleshooting, having IPv6 enabled is the preferred state.

From the same Registry key above set the DisabledComponents value to Hexadecimal FF

Or simply execute the following command from an administrative command window.

[box]

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 255 /f

[/box]

Related Articles, References, Credits, or External Links

NA

Windows Remote VPN no DNS

VPN no DNS KB ID 0001402

Problem

I’ve been setting up a VPN solution on the test bench as I’m looking at Always On VPN. When I noticed that I had a problem with my remote VPN connections on Windows. They would connect fine but I could not resolve any FQDNs for my domain?

VPN no DNS Solution

By default, all (Windows) VPN connections are ‘Force Tunnel’ (this means they have the option ‘Use default gateway on remote network’ selected). This also means that, (unless your RAS server is the default Gateway for your network,) you usually don’t have internet access when connected to the VPN. 

Now I connected fine, and I could ping IP addresses on my corporate network, but I could not ping my servers by their domain name, in fact Windows was trying to resolve my domain name to a public IP?

Google this problem and you’re simply told to ‘Disable IPv6 on your network card, and this works, (if you want to keep your remote users Force-Tunnelled). But disabling IPv6 is hardly a fix is it?

Also If you want internet access for your remote clients, (Commonly referred to as ‘Split Tunnel’), then even with IPv6 disabled, the problem comes back!

Why is this happening? Well even with Force Tunnel enabled, you can still use your local LAN (Connect to your VPN, and ping your home gateway, or printer or wireless access point if you don’t believe me!) This connection takes precedence over your remote VPN connection, to prove it run a netstat -rn command. 

From the above you can see my Ethernet Adaptor has a metric of 6, and my VPN connector, (in this case called Connection Template) has metric of 23. AND THE LOWEST ONE WINS, so your DNS queries are going out of your local internet connection NOT down the VPN tunnel!

How Do I Fix this VPN no DNS?

Well until Microsoft fixes this in Windows 10, (it’s fine on Windows 8 and earlier), you have to manipulate the metrics yourself, like so;

VPN no DNS On Your Physical Adapter;

Start > ncpa.cpl {enter}  > Right click your NIC > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 20 > OK > OK >OK.

On Your VPN Connector;

Start > ncpa.cpl {enter}  > Right click your VPN Connector > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 10 > OK > OK >OK. 

Now your DNS look-ups should behave!

Related Articles, References, Credits, or External Links

NA

Manually Update Windows Trusted Root Certificates

Manually Update Windows Trusted Root Certificates KB ID 0001831

Problem

These days your trusted root certificates are simply updated with Windows Update, but what if your servers have no internet access? In this example I will manually update the root certs by downloading them on a machine WITH internet access then importing on another machine that has not.

Bear in mind: If none of your machines have internet access they cannot check certificate revocation lists etc – so you may still get some errors. You may want to consider deploying you own internal PKI.

Microsoft PKI Planning and Deploying Certificate Services

Solution: Update Windows Trusted Root Certificates

On a machine that HAS INTERNET ACCESS open an administrative command window and use the following commands.

[box]

mkdir c:\trusted-root-certs
cd c:\trusted-root-certs
Certutil.exe -generateSSTFromWU roots.sst

[/box]

You can (if you wish) then double click the SST file you’ve just created and (once you expand the folders on the left.) It should look like this.

Now copy that SST file to a machine THAT DOES NOT HAVE INTERNET ACCESS.

Note: I’ve created the same folder (c:\trusted-root-certs) and open an administrative PowerShell window, then issue the following commands.

[box]

$sstStore = ( Get-ChildItem -Path c:\trusted-root-certs\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

[/box]

Of course you may wish to script this if you have many machines to update, and host roots.sst in a central location so you can periodically update it.

Related Articles, References, Credits, or External Links

NA

Windows LAPS

Windows LAPS KB ID 0001822

Problem

We used to have Microsoft LAPS, now we have Windows LAPS! LAPS is a solution that lets’ you store admin passwords ‘elsewhere‘ be that in your local Active Directory or Azure Active Directory*. Unlike previously, where you had to deploy/install client software, it’s now built into Windows from the following versions.

  • Windows 11 22H2 – April 11 2023 Update
  • Windows 11 21H2 – April 11 2023 Update
  • Windows 10 – April 11 2023 Update
  • Windows Server 2022 – April 11 2023 Update
  • Windows Server 2019 – April 11 2023 Update

*Note: Is in the pipeline at time of writing traditional (on-premises) AD only is supported.

The premise is that instead of having a single (easily compromised) local admin password (or DSRM password on a DC) for your assets you can have a different password (that can be controlled with a complexity policy) for each client/server and that password is stored securely in Active Directory, (as an attribute of the computer object).

  Backup to Azure AD Backup to Local  (On-Premises) AD
Azure AD Joined Yes No
Local (On-Premises)  Joined No Yes
Hybrid Joined Yes (if not backed up to on-premises AD) Yes (if not backed up to Azure AD)
Workplace Joined No No

Solution: Windows LAPS

Firstly, FULLY update all the domain controllers in the domain.

On a DC you can load the LAPS module and look at the commandlets.

[box]

ipmo LAPS
gcm -Module

[/box]

From these commandlets the first one we need to use is Update-LapsAdSchema, this will extend the active directory schema and add the LAPS attributes to the computer objects.

[box]

Update-LapsAdSchema

[/box]

It will ask you con conform you can watch each step by pressing Y – or if you’re lazy (like me) simply press A {Enter}.

You can’t really see what it is doing, but if you’re interested, you can run the same command again with a -verbose switch on it to see exactly what going on.

OK, but what has that done? Well as I said above, the computer objects have been extended and they now have ALL have the following attributes.

Note: Yes, there’s now a LAPS tab also, but there won’t be anything in there yet.

The next commandlet we need, Set-LapsADComputerSelfPermission, will grant the computer object the rights to manage its own LAPS password, You can set this on the root of the domain if you wish. Here I have all my computer objects in an OU called PNL so I’m applying that right at the TOP LEVEL OU, and it will apply to all children OUs.

[box]

Set-LapsADComputerSelfPermission -Identity "OU=PNL,DC=pnl,DC=com"

[/box]

Setting Windows LAPS Settings via Group Policy

Create a new GPO (or edit an existing one) that links to the OU where your COMPUTER objects live. (remember if managing DSRM passwords you will also need to link the policy to the Domain Controllers OU also).

Edit the Policy and navigate to;

[box]

Computer configuration > Policies > Administrative Templates > System > LAPS

[/box]

Note: If you have a LAPS folder directly under Administrative Templates, that’s for the older Microsoft LAPS settings!

Policies to edit;

  1. Enable Password Backup for DSRM accounts : Enable
  2. Name of administrator account to manage : Enable  > laps.admin
  3. Configure Password Backup Directory : Enable > Active Directory

Note: If you already have a local admin account, built into you master computer image for example, you can use that account instead.

Further policy to edit;

  1. Password settings : Enable > (I accept the defaults)

The screen shot below shows how the policy should look before you exit the group policy editor.

Windows LAPS Local Admin

Here I’ve manually created the local user, you can either roll this out by script, GPO, or building the account into the your default image for OS deployment.

Retrieving Windows LAPS Passwords

Below you can see we can retrieve both a local Windows LAPS password for a client, or a DSRM password for a domain controller.

Simply click Show password and Copy password, and the password will be on the clipboard (as shown).

To get the password via PowerShell use the Get-LapsADPassword commandlet.

[box]

Get-LapsADPassword "PNL-Win11" -AsPlainText

[/box]

Troubleshooting Windows LAPS

The update also allows you to view LAPS event logs in the Event Viewer, like so.

Interoperability Microsoft LAPS and Window LAPS

If you have the older Microsoft LAPS running (i.e. Your end clients have the LAPS client software being deployed to them, then when the Apr 23 LAPS update is deployed to them and used, BOTH Systems may stop working. To fix this you need to disable Legacy LAPS by setting the following registry key on your clients.

[box]

HKLM > Software > Microsoft > Windows > CurrentVersion > LAPS > Config

[/box]

Create a new 32 bit DWORD value called BackupDirectory and set its value to 0 (zero).

Once the Azure AD element is fully released and supported, I’ll loop back and include that also.

Related Articles, References, Credits, or External Links

Microsoft LAPS – Deployment and Configuration

MS: What is Windows LAPS Overview

OneDrive GPO (Domain Group Policy)

OneDrive GPO KB ID 0001821

Problem

The administrative template that you get with Win11 is somewhat out of date, so if you want to manage OneDrive with domain group policy your options are limited, if only there was a newer administrative template!

Well, there is, and it gets updated and sent to you quite regularly. Microsoft just do a good job of hiding it.

Solution OneDrive GPO

Depending on your deployment the files you need can be in different locations, the biggest challenge is finding them. execute the following PowerShell to locate them.

[box]

$OnePath = ("$env:LOCALAPPDATA\Microsoft\OneDrive", `
"$env:ProgramFiles(x86)\Microsoft\OneDrive", `
"$env:ProgramFiles\Microsoft OneDrive")
$OnePath | foreach{
    Get-ChildItem "$_\*\adm\onedrive.adm?" -ErrorAction SilentlyContinue
}

[/box]

As you can (above) see mine are in my user profile. The folder that they are in will also give you the build number, so you can check occasionally for updates (that will get pulled down when your OneDrive client gets updated).

Go to that directory and you will find the ADMX and ADML files.

Note: For anyone who is not English speaking, there may be a different ADML file in the locale folders you can see above.

Copy the OneDrive.admx file into your PolicyDefinitions folder (if unsure of the path, see below. obviously substitute your own domain name and here I’m on a domain controller so the SYSVOL volume on my local drive).

Now change to the INPUT LOCALE folder (in my case en-US) and copy the OneDrive.adml file into that folder.

Then when you are in the Group Policy Management Editor you will see the updated OneDrive options.

[box]

Computer Configuration > Policies > Administrative Templates > OneDrive

[/box]

If you can’t see them ensure your policy definitions have been setup correctly.

Related Articles, References, Credits, or External Links

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

Microsoft Edge Multiple Statup Pages (via GPO)

Microsoft Edge KB ID 0001818

Problem

Controlling Microsoft Edge with Group Policy is pretty straight forward, you just need to ensure the msedge.admx and msedgeupdates.admx files have been added to your policy definitions store in the right folders. If you have no idea what I’m talking about, see the following article.

Microsoft Edge on Server 2019/2016 (and Citrix)

Then you can deploy group policies to your server’s/client’s Microsoft Edge browsers.

Solution: Microsoft Edge ‘Start Pages’

Create a new GPO (or edit an existing one) that’s linked to your target COMPUTERS OU > Navigate to.

[box]

Computer configuration > Policies > Administrative Templates > Microsoft Edge > Sites to Open When the Browser Starts

[/box]

Enable the policy > Show > Enter the URLs you want to open line by line > OK > Exit the group policy editor.

Then wait, or force a policy update to test.

Related Articles, References, Credits, or External Links

NA