Printers “Some Of These Settings are Managed By Your Organisation”

Managed By Your Organisation KB ID 0001899

Problem

When attempting to add a printer, or engage with the printer settings dialog, you may see.

Some Of These Settings are Managed By Your Organisation

Solution : Managed By Your Organisation

This is usually because a policy is being applied, (or has been applied) that is making a change in your registry, to the following key.

[box]

HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer > NoAddPrinter 

[/box]

Values are.

  • ENABLED  = 1 (Printers cannot be added).
  • DISABLED = 0 (Printers can be added).

Of course if this IS being enforced by group policy changing the registry key will only fix the problem until the policy is re applied!

I’ve previously written about how to locate where a group policy is coming from. the policy you are looking for is

[box]

User Configuration > Administrative Templates > Control Panel > Printers > Prevent addition of printers  

[/box]

In this case it was being enforced by Local User Policies

Running gpedit.msc got me to the culprit.

If yours is being enforced from your domain, gpresult will point to the correct policy.

Related Articles, References, Credits, or External Links

Allow Users to Install Printers with Group Policy

Deploying Printers with Group Policy Preferences

Windows 11 – Remove Search Adverts

‘Remove Search Adverts KB ID 0001897

Problem

Why this has to be a ‘thing‘ in a business version of Windows I’m not really sure, but if you want to remove these adverts from the Windows Search function.

They are called ‘Search Highlights‘ or ‘Dynamic Search Box‘.

Solution: Remove Search Adverts

Option 1 Remove Search Adverts with Domain Group Policy

In a domain envronment we can simply crete a GPO and link it to the the computers you want to ‘remove’ this ‘feature’ from. On a domain controller > Administrative Tools > Group Policy Managment Console > Selct a policy that’s linked to the computers OU that the affected machines are in, or create a new policy and edit it.

Navigate to.

[box]

Computer Configuration > Policies > Administrative Templates > Windows Components > Search > Allow search highlights

[/box]

Wait there is no Allow Search Highlights option? If so click here

Then either wait a couple of hours for the policies to enforce, or manually force a policy renewal.

Option 2 Remove Search Adverts with Local Group Policy

If your PC is in a workgroup or simply a stand alone PC you can acheive the same by using Local Policies. (Note: Not avalable with Home versions of Windows). In the start menu search for and execute gpmc.msc

Navigate to.

[box]

Computer Configuration > Administrative Templates > Windows Components > Search > Allow search highlights

[/box]

Select Disabled > Apply  > OK > Close the policy editor and reboot or manually force a policy renewal.

Option 3 Remove Search Adverts with Local Settings

Another option, is to go to settings.

Privacy and Security > Search Permissions.

Scroll all the way to the bottom > More Settings > Show Search Highlights > Off > Then reboot the PC.

Option 4 Remove Search Adverts within The Registry

If you have a home edition of Windows then sometimes it’s easier to simply set this in the registry. Locate and execute regedit.

Navigate to.

[box]

Computer > HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > SearchSettings > IsDynamicSearchBoxEnabled

[/box]

Set to 0 (Zero) for Disabled.

Allow Search Highlights Option Missing From GPO

If you attempt to disable this but find the option missing like so.

You need to update your policy definitions for Windows 11 the updates are here and here. When you execute the updates, it will put the policy definisions in an odd place make sure you take a note of where the definisions are getting put.


Now you simply need to copy the ADMX and ADML files to the correct location on one of your domain contollers, to understand how to do that read the following article.

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

Related Articles, References, Credits, or External Links

NA

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

PolicyDefinitions KB ID 0001339 

Problem

We have had ADMX files for group policies for ages now, they are the successor to the older ADM files. They only really trip you up if you have something unusual to do, (like roll out LAPS, or Forefront, or Customising Office Deployments.)

In most cases you will want to have a central store in your Windows domain, so the clients can see the ADMX files, (and ultimately enforce the policies within them). 

 

Solution: PolicyDefinitions

You probably already have ADMX files on your windows clients/servers,  look in C:\Windows\PolicyDefinisions. So if you have installed any new ADMX files, they will get put in this folder on your local machine, (or domain controller).

Do you already have a central PolicyDefinitions store? It’s easy  to find out, from any domain joined machine, run the following command;

[box]\\{Your-Domain-Name}\SYSVOL\{Your-Domain-Name}\Policies[/box]

If theres a PolicyDefinitions folder already there, half your work has been done for you!

Copying Files to the Central PolicyDefinitions Store

ADMX Files are usually accompanied by an ADML file, while the ADMX files live in the PolicyDefinitions folder, the ADML files are ‘location specific’, if you look in your PolicyDefinitions folder you will see another sub folder for your ‘locale’. Below you can see mine is en-US (English US) your ADML files will live in here.

IMPORTANT: As you can see, (below). I’ve navigated to the PolicyDefinitions folder ON A DOMAIN CONTROLLER, at the following path;

[box]C:\Windows\SYSVOL\sysvol\{Your-Domain-Name}\Policies[/box]

DON’T Try and copy the folder, (or ADMX and ADML) files to the network path of SYSVOL, or you ‘may’ get permission errors, (see error below).

You can simply copy the entire PolicyDefitions folder across if it does not already exist, or copy individual ADMX/ADML files (to the folder locations outlined above).

Now on your domain controller, Administrative tools > Group Policy Management console, create (or edit and existing policy). If you are setup correctly you should see this;

If something is wrong you will see this;

Copying PolicyDefinisions and ADMX/ADML Files: Access Denied

If this happens, you need to ensure you are NOT trying to copy folders or files to the network path of the SYSVOL folder, Open the LOCAL path to the SYSVOL folder directly on a domain controller.

Related Articles, References, Credits, or External Links

NA

Windows – Setting Domain Time

Domain Time KB ID 0000112

Problem

If you have arrived here, you have either noticed that the time is wrong on your server(s) or client PC(s), or you have looked in the event viewer and seen one of the following events being logged. Event ID’s 12, 22, 29, 36, 38, 47, and 50.

Time Problem Events – On the PDC Emulator

Event ID 12 (W32 Time Time Provider NtpClient: This machine is configured to use {text omitted}, but it is the PDC emulator…).

Event ID 29 (The time provider NtpClient is configured to acquire time from one or more time sources…).

Event ID 36 (The time service has not synchronized the system time for 86400 seconds…).

Event ID 38 (The time provider NtpClient cannot reach or is currently receiving invalid time data from…).

Event ID 47 (Time Provider NtpClient: No valid response has been received from manually configured peer…).

Domain Time Problem Events – On Domain Members

Event ID 50 (The time service detected a time difference of greater than 5000 milliseconds for 900 seconds…).

Event ID 22 (The time provider NtpServer encountered an error while digitally signing the NTP response for peer…).

Solution : Domain Time Problems

Setting domain time is a TWO-STEP process, set the time correctly on the PDC emulator, then let the clients take their time from the PDC emulator.

Locate the PDC Emulator

1. On a domain controller, Windows Key+R > netdom query fsmo {Enter}.

2. Take note of the PDC name and go to that server.

NTP Firewall config (Domain Time)

1. Ensure UDP Port 123 is open outbound from the PDC Emulator. How this is done will vary depending on your firewall vendor. If you have a Cisco ASA or a Cisco PIX see my article here.

To Test Use NTPTool

Below either the port is blocked (or the hostname/IP of the external NTP server is incorrect);

This is how it should look, every-time you press query you should get a response, now you know the correct port is open;

Configure the PDC Emulator to collect Reliable Domain Time

There’s two ways to do this, 1. Use Group Policy, and 2. Use command line.

Setting PDC Emulator Time With Group Policy

Of course our PDC Emulator is also a domain controller, so we need to link a GPO to the domain controllers OU. But we dont want all DC’s getting their time from an external source, so we will create a WMI filter to ensure the policy will only apply to the PDC emulator server.

Administrative tools > Group Policy Management > WMI Filter > New > PDC-Emulator-Only > Add > Select * from Win32_ComputerSystem where DomainRole = 5 > OK.

Don’t panic if you see this error > OK > Save.

Create a new GPO linked to the Domain Controllers OU.

Change the policy so it uses your WMI filter;

Edit The Policy, and navigate to;

[box]Computer Configuration > Policies > Administrative eTemplates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > set the NtpServer setting to server-name(comma)stratum-type(space). If you get this wrong you wont sync, and you will see this error.

Enable Windows NTP Client

Enable the Policy (The server still needs to get its time from the external source!)

Enable Windows NTP Server

Enable the policy (The server also needs to provide time to the domain clients).

Save and exit the policy editor, then on the PDC emulator force a policy update  and resync the time. Finally run rsop to make sure the settings have applied.

Setting PDC Emulator Time From Command Line

 

1. On the PDC emulator Windows Key+R > cmd {Enter}.

2. At command line execute the following four commands;

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

Note: If you are NOT in the UK or simply want to use a different NTP time server go here for alternatives.

3. Look in the servers Event log > System Log for Event ID 37.

 

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 37
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time provider NtpClient is currently receiving valid time 
data from ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. —————————————————————

4. You will also see Event ID 35.

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time service is now synchronizing the system time with the time source 
ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. —————————————————————

Step 2 Check the domain clients

This is all you should need to do, because, (by default) all Domain clients get their time from the PDC when they log on, but to check;

1. Windows Key+R > cmd {enter}.

2. Execute the following command;

[box] w32tm /monitor [/box]

3. You will see the time this client can see, on all the domain controllers.

[box]

C:Documents and SettingsAdministrator.yourdomain>w32tm /monitor
server-dc.yourdomain.co.uk [192.168.1.1]:
ICMP: 0ms delay.
NTP: +363.2032725s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.69.6]
site2-dc.yourdomain.co.uk [192.168.2.1]:
ICMP: 70ms delay.
NTP: +0.0470237s offset from server-pdc.yourdomain.co.uk
RefID: dc.yourdomain.co.uk [192.168.69.4]
serverdc2.yourdomain.co.uk [192.168.1.4]:
ICMP: 0ms delay.
NTP: +0.0000553s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.1.6]
server-pdc.yourdomain.co.uk *** PDC *** [192.168.1.6]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from server-pdc.yourdomain.co.uk
RefID: scarp.mc.man.ac.uk [130.88.203.64]

[/box]

(In the case above the time on server-dc is way out, address that first – (it was an old Windows 2000 server and running “net time server-pdc” {enter} fixed it).

4. Once all the domain controllers have a time that’s accurate (like the last three in the example above), then proceed.

5. Execute the following commands on a client machine;

[box]

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

6. The machines event log should show the following successful events;

Event ID 37 (The time provider NtpClient is currently receiving valid time data from..).

Event ID 35 (The time provider NtpClient is currently receiving valid time data from..).

Setting Domain Clients Time via GPO

As already outlined you should not need to do this, (as it’s the default setting,) but if there’s a problem you can force domain clients to look at your PDC emulator for reliable time.

Create a GPO, and link it to the OU containing the computers you want to sync’

Edit the policy and navigate to;

[box]Computer Configuration > Policies > Administrative eTemplates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > Set the NtpServer to {Your-PDC-Name},0x9  > Set the Type to NT5DS.

Enable Windows NTP Client

Enable this policy.

Testing Client NTP Settings

Either run;

[box]w32tm /query /status[/box]

Or run RSOP.

 

Related Articles, References, Credits, or External Links

PDC Emulator: PDC Emulator: Cannot Sync Time From External NTP Server

Cisco ASA – Configuring for NTP 

 

Windows LAPS

Windows LAPS KB ID 0001822

Problem

We used to have Microsoft LAPS, now we have Windows LAPS! LAPS is a solution that lets’ you store admin passwords ‘elsewhere‘ be that in your local Active Directory or Azure Active Directory*. Unlike previously, where you had to deploy/install client software, it’s now built into Windows from the following versions.

  • Windows 11 22H2 – April 11 2023 Update
  • Windows 11 21H2 – April 11 2023 Update
  • Windows 10 – April 11 2023 Update
  • Windows Server 2022 – April 11 2023 Update
  • Windows Server 2019 – April 11 2023 Update

*Note: Is in the pipeline at time of writing traditional (on-premises) AD only is supported.

The premise is that instead of having a single (easily compromised) local admin password (or DSRM password on a DC) for your assets you can have a different password (that can be controlled with a complexity policy) for each client/server and that password is stored securely in Active Directory, (as an attribute of the computer object).

  Backup to Azure AD Backup to Local  (On-Premises) AD
Azure AD Joined Yes No
Local (On-Premises)  Joined No Yes
Hybrid Joined Yes (if not backed up to on-premises AD) Yes (if not backed up to Azure AD)
Workplace Joined No No

Solution: Windows LAPS

Firstly, FULLY update all the domain controllers in the domain.

On a DC you can load the LAPS module and look at the commandlets.

[box]

ipmo LAPS
gcm -Module

[/box]

From these commandlets the first one we need to use is Update-LapsAdSchema, this will extend the active directory schema and add the LAPS attributes to the computer objects.

[box]

Update-LapsAdSchema

[/box]

It will ask you con conform you can watch each step by pressing Y – or if you’re lazy (like me) simply press A {Enter}.

You can’t really see what it is doing, but if you’re interested, you can run the same command again with a -verbose switch on it to see exactly what going on.

OK, but what has that done? Well as I said above, the computer objects have been extended and they now have ALL have the following attributes.

Note: Yes, there’s now a LAPS tab also, but there won’t be anything in there yet.

The next commandlet we need, Set-LapsADComputerSelfPermission, will grant the computer object the rights to manage its own LAPS password, You can set this on the root of the domain if you wish. Here I have all my computer objects in an OU called PNL so I’m applying that right at the TOP LEVEL OU, and it will apply to all children OUs.

[box]

Set-LapsADComputerSelfPermission -Identity "OU=PNL,DC=pnl,DC=com"

[/box]

Setting Windows LAPS Settings via Group Policy

Create a new GPO (or edit an existing one) that links to the OU where your COMPUTER objects live. (remember if managing DSRM passwords you will also need to link the policy to the Domain Controllers OU also).

Edit the Policy and navigate to;

[box]

Computer configuration > Policies > Administrative Templates > System > LAPS

[/box]

Note: If you have a LAPS folder directly under Administrative Templates, that’s for the older Microsoft LAPS settings!

Policies to edit;

  1. Enable Password Backup for DSRM accounts : Enable
  2. Name of administrator account to manage : Enable  > laps.admin
  3. Configure Password Backup Directory : Enable > Active Directory

Note: If you already have a local admin account, built into you master computer image for example, you can use that account instead.

Further policy to edit;

  1. Password settings : Enable > (I accept the defaults)

The screen shot below shows how the policy should look before you exit the group policy editor.

Windows LAPS Local Admin

Here I’ve manually created the local user, you can either roll this out by script, GPO, or building the account into the your default image for OS deployment.

Retrieving Windows LAPS Passwords

Below you can see we can retrieve both a local Windows LAPS password for a client, or a DSRM password for a domain controller.

Simply click Show password and Copy password, and the password will be on the clipboard (as shown).

To get the password via PowerShell use the Get-LapsADPassword commandlet.

[box]

Get-LapsADPassword "PNL-Win11" -AsPlainText

[/box]

Troubleshooting Windows LAPS

The update also allows you to view LAPS event logs in the Event Viewer, like so.

Interoperability Microsoft LAPS and Window LAPS

If you have the older Microsoft LAPS running (i.e. Your end clients have the LAPS client software being deployed to them, then when the Apr 23 LAPS update is deployed to them and used, BOTH Systems may stop working. To fix this you need to disable Legacy LAPS by setting the following registry key on your clients.

[box]

HKLM > Software > Microsoft > Windows > CurrentVersion > LAPS > Config

[/box]

Create a new 32 bit DWORD value called BackupDirectory and set its value to 0 (zero).

Once the Azure AD element is fully released and supported, I’ll loop back and include that also.

Related Articles, References, Credits, or External Links

Microsoft LAPS – Deployment and Configuration

MS: What is Windows LAPS Overview

Microsoft Edge Multiple Statup Pages (via GPO)

Microsoft Edge KB ID 0001818

Problem

Controlling Microsoft Edge with Group Policy is pretty straight forward, you just need to ensure the msedge.admx and msedgeupdates.admx files have been added to your policy definitions store in the right folders. If you have no idea what I’m talking about, see the following article.

Microsoft Edge on Server 2019/2016 (and Citrix)

Then you can deploy group policies to your server’s/client’s Microsoft Edge browsers.

Solution: Microsoft Edge ‘Start Pages’

Create a new GPO (or edit an existing one) that’s linked to your target COMPUTERS OU > Navigate to.

[box]

Computer configuration > Policies > Administrative Templates > Microsoft Edge > Sites to Open When the Browser Starts

[/box]

Enable the policy > Show > Enter the URLs you want to open line by line > OK > Exit the group policy editor.

Then wait, or force a policy update to test.

Related Articles, References, Credits, or External Links

NA

Stop Windows 11 Upgrade

KB ID 0001773

Problem

I have no problem with Windows 11, In fact I prefer its UI. But if experience has taught me anything, it’s that businesses will not be as quick to adapt Windows 11 as the general public. Some private companies spend ‘ages‘ testing production OS’s with various applications, and getting a change to that config can be a ‘challenge‘. So there are valid reasons for wanting to stop a Windows 11 upgrade.

Stop Windows 11 Upgrade (Single PC)

To do this you are essentially just creating a couple of registry keys, but as most people don’t like poking around in the registry, here’s how to do the same via PowerShell. Make sure you open an administrative PowerShell window (or you will get a permission error!)

[box]

$path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-item -Path $path
New-ItemProperty -Path $path -Name 'TargetReleaseVersion' -Value 1 -PropertyType DWord
New-ItemProperty -Path $path -Name 'TargetReleaseVersionInfo' -Value 21H2 -PropertyType String

[/box]

Note: At time of writing, 21H2 id the newest release, if there’s a newer Windows 10 version, update your command accordingly.

Stop Windows 11 Upgrade (In a Domain)

In a corporate environment, you can set this via Group Policy, Create a new (or edit and existing) policy object thats links to Computers (not Users!)

Navigate to;

[box]

Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business

[/box]

I can’t see Windows Update for Business? If that folder is missing then you need to update your central policy store with the policy definitions for the latest version of Windows 10 (Search for ‘Administrative Templates (.admx) for Windows 10‘) to get the latest, then read the article above to see where to put them.

Enable the policy and then set it to the newest version of Windows 10 (at time of writing thats 21H2) > Apply > OK.

Then simply wait or Force Domain Group Policy.

Related Articles, References, Credits, or External Links

NA

AnyConnect: Unauthorized Connection Mechanism

KB ID 0001699

Problem

I was assisting a colleague to setup some AnyConnect for a client this afternoon, when all of a sudden I was met with this;

VPN

Logon denied, unauthorised connection mechanism, contact your administrator

Solution

This was a confusing one, I replicated the problem on my own test firewall. All I had done was change the AAA method from LOCAL to LDAP? It took me a while to figure out what was going on?

The reason why this is happening is because the GROUP POLICY your AnyConnect PROFILE is using does not have SSL enabled. (This makes no sense as it was working with LOCAL authentication, but this is how I fixed it).

You will be either using a specific group policy or the DfltGrpPolicy

[box]

IF USING THE DEFAULT GROUP POLICY
Petes-ASA(config)# group-policy DfltGrpPolicy attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless

IF USING A SPECIFIC GROUP POLICY (Remember to include any, that already exist! e.g. l2tp-ipsec)

Petes-ASA(config)# group-policy PNL-GP-ANYCONNECT-ACCESS attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless l2tp-ipsec 

[/box]

Or, if you really HAVE TO use the ASDM.

Configuration > RemoteAccess VPN > Network (Client) Access > Group Policies > Select the Group Policy you are using > Edit.

General > More Options > Tick the SSL Options > OK > Apply.

Don’t forget to save your changes! Then try connecting again.

Related Articles, References, Credits, or External Links

NA

AnyConnect: Allow ‘Local’ LAN Access

KB ID 0001689

Problem

Note: This WONT WORK if you ‘force-tunnel’ or ‘tunnel-all’ remote VPN traffic, (if you are unsure Google ‘what’s my ip’ > Take note of it > Connect to AnyConnect and repeat the procedure, if your public IP address has changed to the IP address of the ASA then you force-tunnel/tunnel-all traffic).

With more people remote working now, I’m getting a lot more questions about RA-VPN and particularly AnyConnect. By default when connecting to any Cisco remote access VPN, it pretty much stops you connecting to anything outside the VPN tunnel, (unless you enable Split Tunnelling). This includes stopping you talking to assets on your remote network also.

This is basically ‘Good practice’, as a corporate entity you have authenticated a remote machine NOT the entire network it is on! But what happens when your MD want to print a work document on his/her home printer? Or you have a NAS drive at home with documents on it you can access while connected to the VPN?

Well, then you can ‘make a judgement call’ to whether or not you want to enable ‘Local LAN Access’ for your remote clients.

Full Disclosure: While this does not let everything on the remote clients LAN connect to the corporate network. If another client on a remote network was infected and compromised, and it proliferated its infection via the LAN,  (to your authenticated remote client), then that client could infect the corporate network. This is what’s known as a ‘pivot attack’.

Solution

Assuming you are happy to enable local LAN access its a TWO STEP procedure. Firstly you enable Local LAN Access on the AnyConnect Client Profile, then you enable split tunnelling and allow all networks, (because you don’t know what all the remote network addresses may be). 

Step 1: Add Local LAN Access to the AnyConnect Client Profile

If you are unfamiliar with ‘AnyConnect Client profiles’, they are simply XML files that are applied to to an AnyConnect Connection Profile, I already have one so I just need to edit it, And tick ‘Local LAN Access’.

What If you Don’t Already Have One? Not a problem. In the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Add > Give it a name > Set the Group Policy to your AnyConnect Group Policy > OK > Apply > Edit.

What Does User Controllable Mean? It means your users can enable or disable it, (see below.) If you untick this then they wont have that option.

Step 2: Add 0.0.0.0/32 to Split Tunnelling

You configure split tunnelling in your AnyConnect Group-Policy (ASDM > Configuration > Remote Access VPN > Network (Client) Access > Group Policies) Locate yours and edit it, navigate to Advanced > Split Tunnelling > Policy: Untick inherit, and set to Exclude Network List Below > Network List: Untick Inherit and click Manage.

Firstly: Create an ACL and call it “ACL-Local-LAN-Access’ > OK

Secondly: Select the ACL you just created and add an ACE to it > permit 0.0.0.0/32 > OK > OK > OK > Apply > File > Save Running Configuration to Flash.

Your remote workers will need to disconnect and reconnect before it will take effect. In some cases with older clients they need to reboot, (or have the AnyConnect service stopped  and restarted.) If you experience problems make sure your clients have got the new XML file with;

<LocalLanAccess UserControllable="true">true</LocalLanAccess>

inside it, to find out where those files are stored see THIS POST.

Related Articles, References, Credits, or External Links

NA

AnyConnect – ‘VPN establishment capability for a remote user..

KB ID 0000546 

Problem

If you connect to to a client via RDP then try and run the AnyConnect client, you will see one of these errors;

VPN establishment capability for a remote user is disabled. A VPN connection will not be established

 

VPN establishment capability from a Remote Desktop is disabled. A VPN connection will not be established

This, behaviour is default, and despite me trawling the internet to find a solution (most posts quote changing the local AnyConnectProfile.tmpl  file, this file does not exist using Version 3 (I was using v 3.0.4235).

Update: With Early versions of AnyConnect version 4 it does not tell you what’s wrong, the VPN appears to connect and then disconnect quickly. If you have debugging on the firewall you will see the following;

Profile settings do not allow VPN initiation from a remote desktop.

Note: This is fixed in version 4.8 and you will se the error at the top of the page.

Solution

To solve this problem we need to create an AnyConnect profile, load the profile into the firewall, then associate that profile with your AnyConnect group policy. With modern versions of AnyConnect you can do that in the ASDM. With older versions you need to use the stand alone profile editor (see below)

Edit AnyConnect Profile With ASDM

Connect to the ADSM > Configuration > Remote Access VPN > Network Client remote Access > AnyConnect Client Profile.

Give the profile a name  > Select a group policy to apply it to > OK.

AllowRemoteUsers: Lets remote users bring up the VPN, if this forces routing to disconnect you, it will auto terminate the VPN.

SingleLocalLogon: Allows multiple remote logons but only one local logon.

OR (older versions)

 

Apply the changes, and then save to the running configuration.

 

Edit AnyConnect Profile With Stand-Alone Profile Editor

1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet).

Update: The AnyConnect Profile Editor is now built into the ADSM, it becomes available once you have enabled any AnyConnect image. Once you have a profile created you can skip straight to  step 3, and skip all the other steps.

If you cannot download the software here’s a profile (I’ve already created) you can use. If you are going to use this, jump to step 5.

2. Once you have installed the profile editor, launch the “VPN Profile Editor”.

3. The setting we want is listed under Windows VPN Establishment, and needs setting to “AllowRemoteUsers”, In addition I’m going to set Windows Logon Enforcement to “SingleLocalLogon”.

AllowRemoteUsers: Lets remote users bring up the VPN, if this forces routing to disconnect you, it will auto terminate the VPN.

SingleLocalLogon: Allows multiple remote logons but only one local logon.

4. Save the profile somewhere you can locate it quickly.

5. Connect to the firewalls ASDM > Tools > File Management > File Transfer > Between Local PC and Flash.

6. Browse your local PC for the profile you created earlier > Hit the “Right Arrow” to upload it > This can take a few minutes, depending on your proximity to the firewall.

7. Make sure the file uploads correctly > Close.

8. To associate this profile with your AnyConnect//SSL Group Policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the “Client Profile to Download” section and uncheck the inherit button.

9. Click New > Browse Flash > Locate the profile you uploaded earlier.

10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.

11. Then reconnect with your AnyConnect Mobility Client software.

Related Articles, References, Credits, or External Links

Install and Configure Cisco ASA5500 AnyConnect SSL VPN