ccolonbackslash


MDT 2013 – WSUS updates not installing in task sequence

Following this great TechNet KB, I had issues applying WSUS updates to a reference image.

The pre- and post-application Windows Update tasks ran without reporting an error, but they did not actually install anything. When I reviewed ZTIWindowsUpdate.log I found this:

Command Line Procesed Query=False Registered=False  UpdateCommand=[IsInstalled = 0 and IsHidden = 0 and Type = ‘Software’]

Error searching for updates: Not Connected to Internet? (-2145107924)

This was despite the task sequence pointing the client at my WSUS server. The code, -2145107924, is 0x8024402C (WU_E_PT_WINHTTP_NAME_NOT_RESOLVED): the update agent could not resolve the name of the update server it had been given. This step was running after an Office 365 ProPlus 2013 Click-to-Run installation.

I created a new Run Command Line task to run ZTIWindowsUpdate.wsf before the application installation, immediately after the Tattoo step, and it completed just fine. Googled for hours and found nothing; this worked for me.
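The check I would have wanted before rearranging the task sequence, as an added example that is not part of the original post: read the WSUS settings the task sequence pushed into policy, resolve the server name and test the port, the way the Windows Update agent has to before it can search. The registry paths are the standard Windows Update policy keys; the WSUS URL in the comment is a placeholder, and the decimal-to-HRESULT helper just recovers the documented error code from the value ZTIWindowsUpdate.log prints.

```powershell
# Added diagnostic (not from the original post). Run it on the reference machine, e.g.
# from an F8 command prompt during the task sequence, to see whether the Windows Update
# agent can reach the WSUS server it has been pointed at by policy.
function Test-WsusReachability {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au  = Join-Path $pol 'AU'
    $wuServer    = (Get-ItemProperty -Path $pol -Name WUServer    -ErrorAction SilentlyContinue).WUServer
    $useWuServer = (Get-ItemProperty -Path $au  -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    if (-not $wuServer -or $useWuServer -ne 1) {
        return [pscustomobject]@{ WUServer = $wuServer; UseWUServer = $useWuServer
                                  Resolved = $false;    PortOpen = $false
                                  Note = 'No WSUS server set by policy; the agent will try Microsoft Update' }
    }

    $uri      = [uri]$wuServer                      # e.g. http://wsus.corp.example:8530 (placeholder)
    $resolved = [bool](Resolve-DnsName -Name $uri.Host -ErrorAction SilentlyContinue)
    $portOpen = $false
    if ($resolved) {
        $portOpen = (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{ WUServer = $wuServer; UseWUServer = $useWuServer
                       Resolved = $resolved; PortOpen = $portOpen; Note = '' }
}

Test-WsusReachability | Format-List

# Windows Update logs errors as signed decimals; turn them back into the documented HRESULT.
# -2145107924 -> 0x8024402C (WU_E_PT_WINHTTP_NAME_NOT_RESOLVED)
function Convert-WuError([int]$Code) { '0x{0:X8}' -f $Code }
Convert-WuError -2145107924

# The fix the post used, as a Run Command Line step placed right after Tattoo:
#   cscript.exe %SCRIPTROOT%\ZTIWindowsUpdate.wsf
```

If Resolved comes back False while WUServer is set, the problem is name resolution on the client at that point in the sequence, which is exactly what 0x8024402C says; if Resolved is True and PortOpen is False, look at the WSUS site binding or a firewall instead.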

Lync 2010 Standard – 33060 events – PSTN dial-in fails, SIP/2.0 503 Service Unavailable, dial-in caller joins then is immediately disconnected

Audio error message on PSTN dial-in: “Sorry, I can’t seem to connect you to your meeting right now”…..

And in the event log:

User failed to join the conference.

Microsoft.Rtc.Collaboration.ConferenceFailureException: The operation failed due to a response from the server. For more information, examine the properties on the exception and inner exception.

Fought with this for three days, then opened a Microsoft support call; they spent another two days on it before the engineer finally hit on the right area….. surprise….. certificates.

Symptoms: following the loss of a Lync 2010 front end server we rebuilt it over a weekend and got all services working, then noticed that although dial-out through our PSTN worked, dial-in didn’t.

Participants would dial into the server, hear the greeting and enter the conference. Lync client participants would see them join for a moment (showing as anonymous) and then get bounced out, with the audio message “Sorry, I can’t seem to connect you to your meeting right now, please try again later” etc.

We did traces, reinstalled the conferencing service and the conferencing attendant, published and republished the topology, etc. etc. Eventually some kind of timer tripped at Microsoft support in India and they brought out the big guns, took a 25 MB trace of the call join and went through it line by line.

At this point the engineer told me the issue was the certificate on the FE server. He showed me the certificate we had (just) issued to our freshly minted Lync 2010 server: its signature algorithm was RSASSA-PSS. Lync does not understand certificates signed with the RSASSA-PSS (PKCS#1 v2.1, “alternate signature format”) scheme; it needs the older PKCS#1 v1.5 signatures, which show up in the certificate as sha1RSA (or sha256RSA).

Since last issuing Lync certificates we had upgraded our enterprise PKI to 2012 R2, and the new CA was configured with the alternate signature format (AlternateSignatureAlgorithm=1 in its CertSvc configuration), so everything it issued was signed RSASSA-PSS. According to the support team this also affects Lync 2013, and I believe it may also be behind OS X’s trouble with our Windows-issued certificates (our 802.1X wireless has not worked with certificate auth for some time).

At this point I was escalated to the Directory Services team, but while I waited I did some googling and found this:

https://social.technet.microsoft.com/Forums/lync/en-US/50729001-8075-408f-902d-23599b0b6530/regression-introduced-in-cu2-and-possibly-not-fixed-in-cu3-either?forum=ocsplanningdeployment

It seems I’m not the only one to hit this. I have asked MS to refund my support token, as this is clearly a gap in their documentation.

Anyway, as mentioned in the link above, the resolution is to change a registry value on the issuing CA, restart Certificate Services, then reissue the FE certificate, as stated by Rufat Aliyev in the TechNet forums:

https://social.technet.microsoft.com/profile/rufat%20aliyev/?type=forum&referrer=http://social.technet.microsoft.com/Forums/lync/en-US/50729001-8075-408f-902d-23599b0b6530/regression-introduced-in-cu2-and-possibly-not-fixed-in-cu3-either?forum=ocsplanningdeployment

His post, quoted:

“The problem is solved. There is a huge Microsoft mistake in the documentation for MS Lync. I don’t know why, but I can’t find any information about the exact PKI requirements for MS Lync. In my case all my certificates use the RSASSA-PSS algorithm instead of RSAsha1. I changed the registry key on my Enterprise CA server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\Your Cert Authority\CSP

value AlternateSignatureAlgorithm from 1 to 0 and restarted the CA service.

After this, request a new certificate from the Lync deployment wizard and everything becomes OK.

It took me about 3 months to find this out!!!!”

Once the new cert is installed, reboot the front end and conferences work normally again. Note that the setting only affects certificates the CA issues from then on; anything already signed RSASSA-PSS stays that way and has to be reissued. I hope this helps someone else.
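To find this in minutes rather than days, here is an added example (mine, not from the post, Microsoft support or the forum reply) that lists the signature algorithm of every certificate in the machine store so RSASSA-PSS (OID 1.2.840.113549.1.1.10) stands out, then reads and corrects the CA setting Rufat Aliyev’s fix changes through the registry. `CAHOST\CA-Name` is a placeholder for your own CA config string; the `certutil -setreg` line is the same change as the registry edit quoted above.

```powershell
# Added example, not from the original post. Inventory the signature algorithms of the
# local machine certificates and flag the PKCS#1 v2.1 (RSASSA-PSS) ones Lync cannot use.
function Get-CertSignatureAlgorithm {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            SigAlgName = $_.SignatureAlgorithm.FriendlyName   # sha1RSA / sha256RSA are fine, RSASSA-PSS is not
            SigAlgOid  = $_.SignatureAlgorithm.Value
            IsPss      = ($_.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.10')
        }
    }
}

Get-CertSignatureAlgorithm | Where-Object IsPss | Format-Table -AutoSize

# Read the CA setting remotely: 1 = alternate signature format (RSASSA-PSS), 0 = PKCS#1 v1.5.
# CAHOST\CA-Name is a placeholder for your CA's config string (certutil -dump shows it).
certutil -config 'CAHOST\CA-Name' -getreg CA\CSP\AlternateSignatureAlgorithm

# The fix, run on the CA itself: same registry value the forum post edits by hand.
certutil -setreg CA\CSP\AlternateSignatureAlgorithm 0
Restart-Service -Name CertSvc

# Then re-request the front end certificate from the Lync Deployment Wizard and re-run
# Get-CertSignatureAlgorithm on the FE: the new cert should no longer show IsPss = True.
```

Run the inventory on the front end first; if the Lync cert is the only PSS-signed one you only need to reissue that, but if the CA has been issuing PSS for months, expect other PKCS#1 v1.5-only consumers (the post suspects the 802.1X supplicant on OS X) to have the same problem.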

Office 365 Update: OneDrive for Business – Too Buggy

ccolonbackslash:

Totally, totally agree with this. Been finding it pretty fickle; thankfully we haven’t deployed yet, partly due to lack of OS X support and problems syncing SharePoint libraries, but for now…. back burner.

Originally posted on Single Malt Cloud:

This isn’t going to be a happy or positive post, which is too bad, because I see a lot of promise in the individual product I’m about to criticize and the overall service of which it is a part. For context, you can consider this an update to my earlier post about Office 365, and if I wished to follow that naming scheme, I might go with, “OneDrive for Business: The Bad.”

My Uh-Oh Moment

I was finally burned by OneDrive for Business (OD4B) this week. It’s been giving a couple of my coworkers fits for a few weeks, but I know each of them has thousands and thousands of files and figured that may have contributed to their issues in some way. I’ve used OD4B exclusively for almost two months without a single hiccup, until it just stopped working this week. I saved a tiny change to a…

KB2919355 fails to install via SCCM on Windows 8.1 or Server 2012 R2

This update has been a mess on a number of levels from what I read, but even after the April 15th update I was still unable to deploy it through SCCM until I found this:

http://social.technet.microsoft.com/Forums/windows/en-US/f24be582-8b67-4d42-9f09-8a434e434c62/ms14018-kb2919355-distribuzione-update-su-2012-r2-e-81-fallita?forum=windowsserverit

I saw this update failing to install in the event viewer, referenced as 8452bac0-bf53-4fbd-915d-499de08c338b: installation failed.

I went into SCCM, searched for the updates listed under KB2919355 and, as instructed in that thread, increased the maximum installation run time for each of them to 60 minutes.


After which the update installed fine.
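The same change scripted against the site, as an added example that is not from the original post: the ConfigurationManager module ships with the SCCM 2012 console, `Set-CMSoftwareUpdate -MaximumExecutionMins` is the cmdlet equivalent of the “Maximum run time” box in the console, and the site code `P01` is a placeholder for yours. The WMI property `MaxExecutionTime` it reads back is in seconds, hence the division.

```powershell
# Added example, not from the original post. Raise the maximum run time on every update
# filed under KB2919355 so the client does not give up at the default 10 minutes.
# Requires the SCCM 2012 SP1 console (ConfigurationManager module); P01 is a placeholder site code.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location 'P01:'

function Get-Kb2919355RunTime {
    Get-CMSoftwareUpdate -ArticleId '2919355' |
        Select-Object LocalizedDisplayName,
                      @{ n = 'MaxRunTimeMins'; e = { $_.MaxExecutionTime / 60 } }   # stored in seconds
}

Get-Kb2919355RunTime | Format-Table -AutoSize      # before: typically 10

Get-CMSoftwareUpdate -ArticleId '2919355' |
    ForEach-Object { Set-CMSoftwareUpdate -InputObject $_ -MaximumExecutionMins 60 }

Get-Kb2919355RunTime | Format-Table -AutoSize      # after: 60 for each update in the bundle
```

Clients pick up the new value at their next software update deployment evaluation, so re-run the evaluation cycle on a test machine rather than waiting for the schedule.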

PSTN calls not connecting when made through Lync 2010 Edge server: “Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote”

Took a few days to get to the bottom of this.

Root of the issue: people could make PSTN calls through our IP Office via Lync when in the office or on the VPN, but when connected through the Edge server (for instance over DirectAccess), nothing. The call is placed and, when it is answered, there are ten seconds of silence and then the call drops; no sound at all.

After much digging I eventually came across these TechNet forum posts:

This one

And this one 

When I looked at our Mediation Server in the topology I saw the below (this is not my image but the TechNet forum poster’s): the Edge server was “Not Set” on the Mediation Server.

Somewhere, somehow, it had gone missing on this particular front end server.


To correct this I followed Kressmark’s solution from the second link above, quoted below:

We then used the following command, clearly inserting your own fqdns for mediation and edge servers:

Set-CsMediationServer -Identity "MediationServer:standard.kressmark.com" -EdgeServer edge.kressmark.com

Once you restart the FE and mediation services, calls resume and the correct info is reported.
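An added example (mine, not from the post or the quoted forum reply) for the Lync Server Management Shell that turns the screenshot check into a script: list every Mediation Server in the topology with the Edge pool it is bound to, flag the ones where nothing is set, then apply the same `Set-CsMediationServer` fix and restart the services the quote mentions. `mediation.example.com` and `edge.example.com` are placeholders for your own FQDNs.

```powershell
# Added example, not from the original post. Find Mediation Servers whose Edge binding is
# missing ("Not Set" in Topology Builder) and bind them to the Edge pool.
function Get-MediationEdgeBinding {
    Get-CsService -MediationServer | ForEach-Object {
        [pscustomobject]@{
            Identity   = $_.Identity
            PoolFqdn   = $_.PoolFqdn
            EdgeServer = $_.EdgeServer
            Missing    = [string]::IsNullOrEmpty($_.EdgeServer)   # media relay path to remote endpoints is gone
        }
    }
}

Get-MediationEdgeBinding | Format-Table -AutoSize

# Fix for the orphaned server; FQDNs are placeholders.
Set-CsMediationServer -Identity 'MediationServer:mediation.example.com' -EdgeServer 'edge.example.com'

# Restart the Mediation and Front End services so the running topology picks the change up
# (RTCSRV restarts drop active sessions on that front end, so do it in a window).
Stop-CsWindowsService  -Name RTCMEDSRV
Start-CsWindowsService -Name RTCMEDSRV
Stop-CsWindowsService  -Name RTCSRV
Start-CsWindowsService -Name RTCSRV

Get-MediationEdgeBinding | Where-Object Missing   # should now return nothing
```

Because the symptom only appears for remote users (the internal leg works, the Edge media relay is what is missing), this is worth running after any front end rebuild before anyone reports ten seconds of silence.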

Sysprep 3.14 error when imaging Windows 8.1/2012 R2

If you have to build any Windows 8 or 8.1 desktops/laptops and image them, heed the advice below or waste days. If you sysprep a machine more than an hour after installing it you will get a Sysprep 3.14 error and be led a merry dance across the Google wasteland. In short, to fix this you have to run the command below, taken from http://technet.microsoft.com/en-us/library/dn303413.aspx, as soon as the machine is installed to have any hope of sysprepping it. If you leave it more than an hour you are stuffed, as the maintenance task mentioned below will already have run.

From that page, quoted:

  • If you attempt to run Sysprep.exe to create a WIM image more than one hour after the first user has logged on to the newly installed operating system, Sysprep.exe will fail. A scheduled maintenance task that recovers disk space by removing unused features is the cause.

    To avoid this, disable the maintenance task immediately after completing Setup. You can disable the task with this command:

    Schtasks.exe /change /disable /tn "\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup"

  • If you deploy an image using Microsoft Deployment Toolkit 2013 or Unattend.exe and include CopyProfile=true in the answer file, the deployment will fail with a “location is not available” error or each new login attempt will create a new temporary user account profile.

    To avoid this, do not use CopyProfile=true in the answer file. There is no other workaround at this time.

Apparently this was also a bug in the preview release.
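The question you actually want answered before starting sysprep is whether the cleanup task has already fired. This added example (mine, not from the TechNet page) reads the task’s last run time through the ScheduledTasks module that ships with 8.1/2012 R2, disables it, and re-reads the state; a task that has never run reports a 1999 placeholder date, which the `HasRun` field accounts for.

```powershell
# Added example, not from the original post. Check whether "Pre-staged app cleanup" has
# already run (in which case the image is past saving) and disable it if not.
function Get-PreStagedCleanupState {
    $path = '\Microsoft\Windows\AppxDeploymentClient\'
    $name = 'Pre-staged app cleanup'
    $task = Get-ScheduledTask -TaskPath $path -TaskName $name
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        State       = $task.State                    # Ready / Disabled / Running
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
        HasRun      = ($info.LastRunTime -gt [datetime]'2000-01-01')   # never-run tasks report 30/11/1999
    }
}

$before = Get-PreStagedCleanupState
$before

if ($before.HasRun) {
    Write-Warning 'Cleanup already ran; expect Sysprep 3.14. Reinstall and disable the task within the first hour.'
} else {
    Disable-ScheduledTask -TaskPath '\Microsoft\Windows\AppxDeploymentClient\' -TaskName 'Pre-staged app cleanup' | Out-Null
    Get-PreStagedCleanupState    # State should now read Disabled
}
```

Put the disable step in the first thing your build process does after OOBE (or in the unattend’s first-logon commands) rather than relying on remembering it.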

Windows 8.1 – Surface Pro and WMI GPO filters for Windows 8.1 and other findings

Just put Windows 8.1 Enterprise on my Surface Pro; it works lovely, boot seems faster and it ‘seems’ to run less hot when doing low-power activities like reading or web browsing. Not noticed any improvement in battery life, but instant-on now seems very instant. Again this is subjective; as it’s a fresh install it is always going to be a little snappier.

I used the 8.1 ISO from TechNet and installed it with Rufus as per the next article down. I should mention 8.1 seems Surface-aware: there was no odd scaling after it was installed, and I think I recall that the wireless worked straight off the bat, which was not the case with 8.

Also, WMI GPO filters written for Windows 8 do not match 8.1. For a filter to capture both OSes (8 and 8.1) you’ll need to change it to:

SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "6.2.%" OR Version LIKE "6.3.%") AND ProductType="1"

The existing filter did not match because 8.1 reports version 6.3 where 8 reported 6.2, a side effect of the rapid release cadence they have adopted, similar to Apple’s approach with OS X, which will hopefully reduce the amount of updating a year-old Windows install requires.
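To confirm a filter before linking it to a GPO, run the same WQL locally. This added example (not from the original post) evaluates the query above against the local machine exactly as the Group Policy engine would and shows the version and product type it matched on; ProductType 1 is a workstation, 2 a domain controller, 3 a server.

```powershell
# Added example, not from the original post. Test the GPO WMI filter locally.
function Test-Win8FamilyFilter {
    # Same WQL as the filter; single quotes inside the PowerShell string stand in for the
    # double quotes the GPMC editor shows, WQL accepts either.
    $query = "SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE '6.2.%' OR Version LIKE '6.3.%') AND ProductType='1'"
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $hit   = @(Get-WmiObject -Query $query).Count -gt 0

    [pscustomobject]@{
        Caption     = $os.Caption
        Version     = $os.Version        # 6.2.9200 = Windows 8, 6.3.9600 = Windows 8.1
        ProductType = $os.ProductType    # 1 = workstation, 2 = DC, 3 = server
        FilterMatch = $hit
    }
}

Test-Win8FamilyFilter

# Run against a remote machine before rolling the filter out fleet-wide (name is a placeholder):
# Invoke-Command -ComputerName 'pc01.corp.example' -ScriptBlock ${function:Test-Win8FamilyFilter}
```

A False on a machine you expected to match almost always comes down to the version prefix (Server 2012 R2 is also 6.3, but ProductType=3 excludes it) or to a filter copied with curly quotes from a web page.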

Other findings? Not much so far aside from it seeming snappier and the more logical start screen arrangement. I appreciate having the start button back, even in its hobbled form, as it’s so much easier over Remote Desktop: no more hovering near the corner pixel…. Though I think Classic Shell will be going on my non-touch-screen machines when they get updated.

One other thing: VMware Workstation 9 does not install on 8.1, but Workstation 8 does, as does 10. Hopefully this will be addressed.

Install Windows 8 Enterprise onto Surface Pro – Easy thanks to Rufus

The new MS Surface Pro is a fantastic bit of kit; however it comes with Windows 8 Pro installed, and a lot of enterprises will want Windows 8 Enterprise on it so they can take advantage of DirectAccess etc.

First things first, get the Surface Pro wireless driver from the Microsoft Update Catalog or similar:

Marvell AVASTAR 350N driver – http://catalog.update.microsoft.com/v7/site/home.aspx. Put this on a USB stick.

Now get hold of a copy of the Windows 8 x64 Enterprise ISO and a 4 GB+ USB stick.

Download this fabulous utility, http://rufus.akeo.ie/, and run it with admin rights. Point it at the 4 GB USB stick you are happy to wipe, use settings similar to the below, point it at the Windows 8 x64 Enterprise ISO on your machine and it will build a bootable USB from the ISO.

[Screenshot: Rufus settings used for the Windows 8 Enterprise boot stick]

While the boot disk is building (assuming you have another machine to do this on), hold down Volume Up and power on your Surface, keeping Volume Up held. A couple of options will appear, one for the TPM and one for Secure Boot; select Secure Boot and disable it, then save settings. Remember to turn Secure Boot back on in the same firmware menu once the install is finished; Windows 8 Enterprise boots fine with it enabled.

Boot into Windows, press Windows + R and type shutdown.exe /r /o /t 10; this reboots into the advanced startup options after 10 seconds (if it’s tricksy, add /f to force it).

When it restarts, select boot from USB device and you should shortly see the Windows Enterprise installer. Delete the old main partition and install fresh using the wizard.

Once the installer finishes and you’ve logged on, insert the USB stick with the wireless driver you downloaded, extract it and install it through Device Manager, or manually by right-clicking the extracted .inf file and choosing Install.

You should now be able to connect to Windows Update and pull down the rest of the drivers, the Surface Pro firmware update and the other necessary Windows updates.

I found I was able to add Office to the completed install and still sysprep it, but if I added much more to the image before sysprepping (Wireshark, LPS, Sophos, Skype, VLC, Chrome etc.) sysprep failed and the image was ruined. I’ll work through what caused this and post back here.

Use the Windows ADK with Rufus to build a WinPE boot disk, capture the sysprepped image with DISM as per http://justworks.ca/blog/goodbye-imagex-hello-dism, and then you can deploy at your leisure to other Surface Pros.
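The post-install steps above (driver, then firmware and updates, then re-enable Secure Boot) as an added example that is not from the original post: it stages the wireless driver from the stick with pnputil instead of clicking through Device Manager, checks that the adapter actually came up, and reads the Secure Boot state so the firmware change made to boot the Rufus stick is not forgotten. `E:\Marvell` is a placeholder for wherever the driver package was extracted.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell on the freshly
# installed Surface Pro. E:\Marvell is a placeholder for the extracted driver folder.
$driverDir = 'E:\Marvell'

# Stage and install every INF in the folder (the .inf, not the .sys, is what carries the driver package).
pnputil.exe -i -a (Join-Path $driverDir '*.inf')

# The Wi-Fi adapter should now be present and Up; DriverVersion confirms which package it took.
Get-NetAdapter -Physical | Select-Object Name, InterfaceDescription, Status, DriverVersion

# Secure Boot was disabled in firmware to boot the USB stick; report whether it has been re-enabled.
function Get-SecureBootState {
    try {
        if (Confirm-SecureBootUEFI) { 'Secure Boot: enabled' }
        else { 'Secure Boot: DISABLED - re-enable it in the firmware menu (Volume Up + Power)' }
    } catch {
        # Thrown on legacy BIOS machines or when not elevated
        'Secure Boot state not readable: ' + $_.Exception.Message
    }
}

Get-SecureBootState
```

Leaving Secure Boot off on a fleet of tablets that will carry DirectAccess credentials undoes one of the reasons for buying this hardware, so make the check part of the build sign-off rather than a memory exercise.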

OWA Outlook Web Access – 500 error, Forms-Based authentication fails to start

While building a DAG lab I noticed that once the servers were in a DAG, I was not able to log on to OWA. The symptoms were:

  • Users could authenticate; if they entered the wrong credentials they were asked to try again
  • Once they had authenticated successfully, IIS returned a 500 error.

A little digging found that the Microsoft Exchange Forms-Based Authentication service (MSExchangeFBA) had failed to start. Starting it manually fixed it in the short term; for a longer-term fix I changed the service to Automatic (Delayed Start), and it now starts of its own accord.

I experienced these symptoms with Exchange 2010 SP2 RU4.
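The check and the fix together, as an added example that is not from the original post: it reads the state of MSExchangeFBA, starts it if it is stopped, and sets Automatic (Delayed Start). `Set-Service` in PowerShell 2 and 3 has no delayed-start option, so the change goes through `sc.exe`, and the result is read back from the service’s `DelayedAutostart` registry value rather than trusted.

```powershell
# Added example, not from the original post. Repair the OWA 500 by making sure the
# Forms-Based Authentication service is running and set to Automatic (Delayed Start).
function Repair-ExchangeFba {
    $name = 'MSExchangeFBA'
    $svc  = Get-Service -Name $name

    if ($svc.Status -ne 'Running') {
        Start-Service -Name $name          # immediate fix: OWA works again as soon as this is up
        $svc.Refresh()
    }

    # Delayed start is not exposed by Set-Service on PS 2/3; sc.exe needs the space after "start=".
    sc.exe config $name start= delayed-auto | Out-Null

    [pscustomobject]@{
        Name             = $svc.Name
        Status           = $svc.Status
        StartMode        = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode   # "Auto"
        DelayedAutostart = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" `
                              -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart # 1 = delayed
    }
}

Repair-ExchangeFba
```

Run it on each CAS in the DAG lab; `DelayedAutostart = 1` with `StartMode = Auto` is the state the post ended up with.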

Microsoft System Centre EndPoint Protection 2012 vs Sophos

Having noticed an increasing number of fake AV and ransomware installations on our network, where we currently run Forefront Client Security as endpoint protection, I ran a comparison between Microsoft’s latest A/V product, System Center Endpoint Protection 2012 SP1, and Sophos’s most recent PC client A/V, to decide whether the MS offering was still up to snuff before we deployed it.

Using malc0de’s database to retrieve live malware links posted over the previous three days, we used a pair of VMs on a segregated network to test detection of malicious code. Both VMs were snapshotted before infection; one had a fully updated EPP (defs: 07/01) and the other Sophos (defs: 07/01), both running Windows 8 x64. The comparison is solely with Sophos because we already use that product on our Macs. We use Forefront Client Security on PCs because it is free as part of the Software Assurance benefits in our EA; I realise this is no reason on which to base a choice of endpoint protection product, and this experience has prompted an immediate review of that choice.

Admittedly this is a very limited and not particularly thorough set of tests, but as a quick review it indicates that EPP is not updated often or thoroughly enough and is badly hampered by the lack of a URL blacklist (which, in fairness, it does not claim to offer). In the list below, every piece of malware was allowed to download by EPP and was not detected when executed manually, though when run directly from IE all but one were initially blocked by the browser’s own download signature checks rather than by the A/V. Sophos blocked access to the known malware sites and, where they were unknown, recognised the malware and prevented it executing. Time to read some reviews and get some prices for alternative endpoint protection.

[Table: malware samples tested, with EPP and Sophos detection results]
