Windows Client(s) not ‘appearing’ in WSUS

KB ID 0000591 

Problem

Before you start troubleshooting clients, how long have you waited? I usually setup and configure WSUS up at the start of a job, then leave it alone for a few DAYS, before I start worrying.

Here are the steps I usually follow to get the machines listed in the WSUS management console.

Solution

Before doing anything further, simply try running the following two PowerShell commands, (on the problem client,) and then waiting for a few hours;

[box]

$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates

wuauclt /reportnow

[/box]

 

 

1. Assuming you are deploying your WSUS settings by GPO, make sure the machine in question is actually trying to apply the policy, you can do this by running rsop.msc like so:

Or by running gpresult /R from command line

Note: If you cannot see Computer Policy / Computer Settings, i.e. you can only see user settings, then you are probably not running the command window as ‘Administrator’ (Locate cmd.exe > right click > Run as Administrator).

2. If you are enforcing by GPO, or directly via registry edit, your next step is to check that the registry entries exist. Start > In the Search/Run box type regedit {Enter}. Navigate to:

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows > WindowsUpdate[/box]

3. Start > In the Search/Run box type services.msc {enter} Locate the Windows Update service and ensure it is running.

4. Then locate the Background Intelligent Transfer Service and make sure that’s also running.

5. To make sure the client can see the WSUS website, open a browser window, and navigate to http://{name-of-the-wsus-server}/iuident.cab and make sure you can open/download the file.

6. If all the above is OK, you can try forcing a registration with the following command;

[box]wuauclt /detectnow[/box]

7. All update events are being logged, you can find the log at c:windowsWindowsUpdate open the file with notepad.

8. Scroll all the way to the end, then work upwards looking for errors.

9. Sometimes if you image a machine (Or clone a VM) it keeps it’s unique update ID, if this happens then the first machine with this ID to register gets listed, and all the rest do not. To find out if this is your problem, locate and stop the Windows update service on an affected client.

10. Open the registry Editor and navigate to:

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > WindowsUpdate[/box]

Locate and delete the SusClientId entry.

11. Restart the Windows Update service and run the following two commands:

[box]wuauclt /resetauthorization /detectnow<br /> wuauclt /reportnow [/box]

Update 16/06/15

Received via Email from Patrick Mauger:

You can add an incorrect binding in IIS to the site WSUS Administration.

You need to add a binding for port 80, because the only ports configured are 8530 and 8531.

Related Articles, References, Credits, or External Links

Windows Server Update Services – Install and Configure (2008 R2)

WSUS Install Error – ‘The update could not be found. There may be a network connection issue.

Message ID 6600: sms wsus configuration manager failed to configure upstream server

WSUS Install Error on Windows Server 2008 R2

Windows – Lost / Forgotten Password?

KB ID 0000755

Problem

There are many reasons why you might want to do this, someone has managed to change a user password and that person is not available, you might simply have forgotten it. Or you might have been given a machine, or bought one from ebay that has come without a password. Also there have been a few times when a user has looked me in the eye and said “I’m typing my password in, but it’s not working”, I have never seen a password change on it’s own, so I will just put that down to the evil password gremlins.

The procedure will also work on the Windows local administrators password, just bear in mind that his account is disabled by default, (after Windows 8). This procedure will not work if the machine in question has had its hard drive encrypted using BitLocker.

You can use this procedure to blank, (or reset) a Domain Controllers DSRM (Directory Services Restore Mode) password.

You can avoid this procedure if you have access to another account on this machine that has administrative access. If you can log on as an administrator, then you can change the password of other local accounts on the affected machine without the need to do this.

Solution

How to Burn the ISO Disc Image

1. Download the Password Reset CD Image.

2. Download ImgBurn and install, Launch the program, if it does not look like this you need to select View >EX-Mode-Picker. Select the ‘Write image file to disc’ option.

2. The file you downloaded is a zip file that contains the disk image, you will need to extract the image from the zip file (i.e. drag it to your desktop). From within ImgBurn launch the browse option and navigate to the disk image you have just extracted > Open.

3. Select the burn to disc icon (Note: This will be greyed out, until there is a blank CD in the drive). The image is very small, it will not take long to burn.

Carry Out a Windows 8 Password Reset.

This procedure uses the boot CD you have just created, for it to work you need to make sure the machine will attempt to boot to its CD/DVD Drive before it boots to its hard drive. (Or it will simply boot into Windows again). This change in ‘Boot Order’ is carried out in the machines BIOS, how you enter this varies depending on machine vendor, when you first turn on the machine watch for a message that looks like Press {key} to enter Setup. Typically Esc, Del, F1, F2, or F9. When in the BIOS locate the boot order and move the CD/DVD Drive to the top of the list.

1. Boot your machine from your freshly burned CD, when you see this screen simply press {Enter} to boot.

2. Depending on how many disks/partitions you have it will discover them and assign a number to each one, here I only have 1 so I will type ‘1 {Enter}’.

Note: You may see a small 300Mb partition, ignore that. You may also see your machines recovery partition if it has one, if that’s the case you may have to carry out some trial and error to get the right one.

3. The system is set to look for the default registry location C:WindowsSystem32Config so simply press {Enter}. If it fails at this point you selected the wrong drive/partition.

4. We want password reset so select option 1.

5. We will be editing user data and passwords, so again select option 1.

6. You will be presented with a list of the user objects that it can locate, here I want to reset the password for the ‘PeteLong’ user object so simply type in the username you want to edit.

Note: As mentioned you can see here the administrator account is disabled, if you want to work with that account, you will need to unlock and enable it on the next screen before you blank or change the password.

7. You can choose option 2 and type in a new password, but I’m going the blank the password, then change it when I get back into the machine by selecting option 1.

8. To step back you need to enter an exclamation mark.

9. Enter a ‘q’ to quit.

10. To write the changes you have made enter a ‘y’.

11. As long as you are happy, and have no other accounts that need changing, enter ‘n’.

12. Now remove the boot CD, and press Ctrl+Alt+Delete to reboot the machine.

13. As the user object we are dealing with was the last one that has logged on, it will select that account as soon as the computer boots, and now it has a blank password it will automatically log on.

14. To change the password, press Ctrl+I > Change PC settings.

15. Users > Create a password.

16. Type and confirm your new password, and enter a password hint > Next.

17. Log off the account and test the new password.

 

Related Articles, References, Credits, or External Links

NA

Dcpromo Error: No Other Active Directory Controllers?

KB ID 0001453

Problem

I was trying to demote a domain controller yesterday morning, it was a 2008 R2 Domain controller, (in fact it was SBS 2011). I’d already added a nice new Server 2016 Domain Controller to the domain, and transferred all the FSMO roles, so I was surprised when I tried to gracefully demote the old DC and got this;

You did not indicate that this Active Directory domain controller is the last domain controller for the domain {domain-name}. However, no other Active Directory domain controllers for that domain can be contacted.

Do you want to proceed anyway?

If you click Yes, any Active Directory Domain Services changes that have been made on this domain controller will be lost.

Well, that’s a scary error, and pretty much made me cancel the demotion right away.

Solution

Well I could ping the other domain controller, by name and by IP address, and it was listed in ‘Sites and Services’, and I could replicate Active Directory? (Very Strange). It was not until I ran dcdiag that I saw some warnings about ‘sysvol replication‘. that steered my in the right direction.

On the ‘outgoing’ Domain Controller, run regedit, then navigate to the following location;

[box]HKEY LOCAL MACHINE > SYSTEM > CurrentControlSet > services > Netlogon > Parameters[/box]

Locate the SysvolReady value, (it’s probably set to 0 (Zero)).

Change it to 1 (one) then click OK, (this sort of ‘kicks windows up the backside’, and re-shares Sysvol with the correct permissions). Then after you have changed it, change it back to ZERO. You don’t need to restart any services, just change it, then change it back. Repeat the process on your other domain controllers. Have a coffee, then attempt to demote your Domain Controller again.

Related Articles, References, Credits, or External Links

NA

Stop Edge Hijacking PDF Files

KB ID 0001395

Problem

This question appeared in my inbox today, ‘Edge’ has a nasty habit of assigning itself the default PDF reader, particularly after a round of updates!

Solution

First I went and had a look at my old Experts Exchange Buddy Ramesh’s site (www.winhelponline.com) who had done the heavy lifting and worked out the registry keys;

Note: I’m only concerned with .pdf files, if you want to block .htm and/or .html files, then just repeat this process using the the REG_SZ values from above;

The solution for a single machine is to create the following two registry string values;

HKEY_CURRENT_USER\Software\Classes\AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723
REG_SZ Name = NoOpenWith
REG_SZ Name = NoStaticDefaultVerb

Then set the correct file associate like so;

Which is fine for one machine but what if you have hundreds of complaining users! Then we need to employ some Group Policies. But there’s a few hoops to jump though first. On your client machine, the one you have just tested the procedure on, export your file association to an XML file. Open an administrative command window, and execute the following command;

[box]

Dism /Online /Export-DefaultAppAssociations:C:\Windows\Temp\DefaultApps.xml

[/box]

If you take a look at the a file you will see, (providing you did it right) the Adobe/PDF file association.

Now copy the file to a location all your domain clients can see, in my case I’m going to drop it in the sysvol directory.

Crete a new Group Policy linked to the computers you want to apply the change to, then edit it.

Navigate to;

[box]Computer Configuration > Policies> Administrative Templates > Windows Components > File Explorer > Set default associations configuration file  >Enable > Put in the path to your .XML file[/box]

Save and exit the, group policy, now create a SECOND POLICY linked to your USERS.

Navigate to;

[box]User Configuration > Preferences > Windows Settings > Registry > New > Registry Item[/box]

Note: Ive already created the registry values on the machine I’m configuring the policy on, (you can export the key and import it on a domain controller to make things easier for you). Close and exit the policy editor.

Then wait, or Force Group Policy.

Related Articles, References, Credits, or External Links

NA

Windows 10 – Disable / Remove OneDrive

KB ID 0001328 

Problem

Microsoft have done a good job of embedding OneDrive into Windows 10. While Ive got nothing against OneDrive, for some admins the thought of users storing data out of their networks is quite worrying. So how do you ‘un-couple’ OneDrive from Windows 10?

Solutions

Option 1: Remove OneDrive ‘Quick and Dirty’

Open ‘Regedit’ and navigate to;

[box]

HKEY_CLASSES_ROOT > CLSID > {018D5C66-4533-4307-9B53-224DE2ED1FE6} > System.IsPinnedToNameSpaceTree 

[/box]

Change its value to 0 (zero).

Option 2: Remove OneDrive with Local Group Policy

Press ‘Windows Key + R’ > gpedit.msc {Enter} > Navigate to;

[box]Policies > Administrative Templates > Windows Components > OneDrive[/box]

Locate ‘Prevent usage of OneDrive for file storage’.

Enable > Apply > Close the policy editor > Reboot.

Option 3: Remove OneDrive Access through the Registry

Press ‘Windows Key + R’ > regedit {Enter} > Navigate to;

[box]HKLM > Software >Policies > Microsoft > Windows[/box]

Create a New Key called OneDrive.

In the new key, create a new DWORD called ‘DisableFileSyncNGSC‘ set its value to 1 (one).

Option 2: Remove OneDrive Through Domain Group Policy

On a domain controller  > Administrative Tools > Group Policy Management.

Create a new GPO linked to the OU that contains your computers > Give it a sensible name > OK.

Edit it.

Navigate to;

[box]Policies > Administrative Templates > Windows Components > OneDrive[/box]

Locate ‘Prevent usage of OneDrive for file storage’.

Enable it > Apply > OK > Close the Group Policy Management console.

Then either wait, or force a group policy update.

Windows – Forcing Domain Group Policy

Note: On ‘Home Edition’s‘ of Windows 10, you can remove OneDrive from ‘add/remove programs’ > ‘Enable/Disable Windows features’.

Related Articles, References, Credits, or External Links

NA

Windows – ‘Sorry, there was a problem mounting the file’ With ISO Files

KB ID 0001122 

Problem

Seen on Windows 10, and Server 2012, when attempting to open or mount an ISO file, (even downloaded direct from Microsoft). You get the following error;

Note: Can also been seen with .VHD files.

Couldn’t Mount File

Sorry, there was a problem mounting the file.

Solution

Before you try anything else simply COPY the iso file to the root of your C: drive, and try again.

99% of the time simply copying the file to the C: drive will fix the problem, but if you’re still reading then that’s probably not the case for you? The problem is most likely that the ISO file has had the sparse attribute set.

Option 1

Download Remove Sparse > Extract the Contents and > Run the .reg file.

Now you have the option to remove Sparse on the right click menu.

Option 2

You can open an administrative command window and remove the sparse attribute from command line;

[box]

fsutil sparse setflag {Path to the .iso file} 0

fsutil  sparse queryflag {Path to the .iso file}

[/box]

Related Articles, References, Credits, or External Links

NA

Event ID 36888

KB ID 0000634 

Problem

This was driving me nuts on my Windows 7 x64 Laptop.

Log Name: System
Source: Schannel
Event ID: 36888
Task Category: None
Level: Error
User: SYSTEM
Description:
The following fatal alert was generated: 10. The internal error state is 10.

I was getting a dozen of these an hour!

Solution

This error is caused (from what I can gather) by an error in certificate negotiation, your machine is trying to initiate communications with another machine/server using a certificate and TLS and the process is producing this error TLS1_ALERT_UNEXPECTED_MESSAGE (10).

1. If your browser is the cause of the problem, then simply open Internet Options > Advanced > Untick all the TLS options > Apply.

2. However this DID NOT WORK for me, so something is programmatically chatting from my laptop using TLS. The bottom line is, this problem is probably not even on your machine, so I’m simply going to disable SCHANNEL logging.

Note: If your Error does NOT say “The following fatal alert was generated: 10. The internal error state is 10“. then I would suggest NOT doing this.

3. In the search run box type regedit and navigate to the following key;

[box]
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > SecurityProviders > SCHANNEL
[/box]

Change the EventLogging value from 1 to 0 (that’s a zero).

Related Articles, References, Credits, or External Links

NA

Event ID 7000

KB ID 0000136 

Problem

Event ID 7000

The Network Load Balancing service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Even when Network Lo aad Balancing (NLB) is not currently installed, some NLB registry keys may be present in the registry. Microsoft has identified this as a problem in Windows 2000 Advanced server. The recommended solution also resolves the issue in Windows 2003.

Solution

Start > Run > Regedit {enter}

Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWLBS

Select the Group key it will be set to PNP_TDI delete this entry so there is no value

If the above doesn’t work on its own then delete the following keys

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventlogSystemWLBS

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWLBS

Related Articles, References, Credits, or External Links

http://seer.support.veritas.com/docs/263037 http://support.microsoft.com/?kbid=268437