Just another site

KB2919355 fails to install via SCCM on Windows 8.1 or Server 2012 R2

This update has been a mess on a number of levels from what I read but even after the April 15th update i was still unable to deploy it through SCCM until i found this:

I saw this update failing to install in the event viewer with the reference: 8452bac0-bf53-4fbd-915d-499de08c338b.

installation failed

I went into SCCM, searched for the updates listed under KB2919355 and as instructed increased the installation timeout to 60 minutes.



After which the update installed fine.

PSTN calls not connecting when made through Lync 2010 Edge server. “Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote”

Took a few days to get to the bottom of this.

Root of the issue is people could make pstn calls through our IPOffice via Lync when in the office, or on the vpn, but if connected over the edge server (for instance if using DirectAccess) – no beans. Basically the call is placed and when it is answered there is ten seconds of silence and then the call drops – no sound at all.

After much digging i eventually came across these technet forum posts:

This one

And this one 

When i looked in the topology on our mediation service, i saw the below (this is not my image but the technet forum posters), the edge server basically “Not Set” on the mediation service.

Somewhere/somehow it had gone missing on this particular front end server.


In order to correct this i followed Kressmarks solution on the second link above:

and quoted below:

We then used the following command, clearly inserting your own fqdns for mediation and edge servers:

Set-CsMediationServer -Identity “” -EdgeServer

Once you restart the FE and mediation services, calls resume and the correct info is reported.

Sysprep 3.14 error when imaging Windows 8.1/2012 R2

If you have to build any 8.1 or 8 desktops/laptops and image them, heed the below advice or waste days. If you sysprep a machine more than an hour after installing it you will get a Sysprep 3.14 error and will be led a merry dance across the google wasteland. In short, to fix this you have to run the below command lifted from this link: as soon as the machine is installed to have any hope of sysprepping it. If you leave it more than an hour – you are stuffed as the below mentioned job will have already run.

From this site i quote:

  • If you attempt to run Sysprep.exe to create a WIM image more than one hour after the first user has logged on to the newly installed operating system, Sysprep.exe will fail. A scheduled maintenance task that recovers disk space by removing unused features is the cause.

    To avoid this, disable the maintenance task immediately after completing Setup. You can disable the task with this command:

    Schtasks.exe /change /disable /tn “\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup”

  • If you deploy an image using Microsoft Deployment Toolkit 2013 or Unattend.exe and include CopyProfile=true in the answer file, the deployment will fail with a “location is not available” error or each new login attempt will create a new temporary user account profile.

    To avoid this, do not use CopyProfile=true in the answer file. There is no other workaround at this time.

Apparently this was also a bug in the preview release.


Windows 8.1 – Surface Pro and WMI GPO filters for Windows 8.1 and other findings

Just put windows 8.1 enterprise on my surface pro, works lovely, boot seems faster and it ‘seems’ to run less hot when doing low-power activities like reading or web browsing. Not noticed any improvement in battery life, but the instant on seems very instant now. Again this is subjective, as it’s a fresh install it’s always going to be a little snappier.

I used the 8.1 iso from technet and installed it with Rufus as per the next article down, i should mention 8.1 seems surface aware in that there was no odd scaling after it was installed, it seemed aware of the hardware and i think i recall that the wireless worked straight off the bat which was not the case with 8.

Also, WMI GPO filters for windows 8 do not work with 8.1, for a wmi to capture both OS’s (8 and 8.1) you’ll need to change your filter to:

SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE “6.2.%” OR Version LIKE “6.3.%”) AND ProductType=”1”

The existing filter did not work as they’ve changed the version numbering with this new  rapid release cadence adopted, similar to apples approach with OSX which will hopefully reduce the amount of updating a year old windows install requires.

Other findings? not much so far aside seeming snappier, more logical start screen arrangement etc, I appreciate having the start button even in it’s hobbled form as it’s so much easier when using over remote desktop no more hovering near the corner pixel…. Though I think classic shell will be going on my non-touch screen machines when they get updated.

One other thing – VMWare Workstation 9 does not install on 8.1, but VMWare 8 does, as does 10. Hopefully this will be addressed.

Install Windows 8 Enterprise onto Surface Pro – Easy thanks to Rufus

The new MS Surface Pro is a fantastic bit of kit – however it comes installed with Windows 8 Pro, a lot of enterprises will want to get Windows 8 Enterprise onto it so they can take advantage of DirectAccess etc.

First things first get the Microsoft surface pro wireless drivers down from MS update catalogue or similar:

Marvell AVASTAR 350N driver – Put this on a usb stick.

Now get hold of a copy of the Windows 8 x64 enterprise ISO and a 4gb+ usb stick.

Download this fabulous utility: and run it with admin rights, set it to point to the 4gb usb disk you are happy to wipe with settings similar to the below and point it to the windows 8 x64 enterprise ISO location on your machine and it will build a bootable usb from the iso.

New Picture (2)

While this boot disk is building (assuming you have another machine to do this on) hold down volume up and power on your surface whilst still holding down volume up. A couple of options will appear, one for the TPM one for secure boot, select secure boot and disable it. Save settings.

Boot into windows, hold down windows + r and type shutdown.exe /r /o /t 10 – this will reboot into advanced options after 10 seconds (if it’s tricksy add /f to force shutdown).

When it restarts select boot from USB device and you should shortly see the windows enterprise installer. Delete old main partition and install fresh using the wizard.

Once the installer finishes and you’ve logged on, insert the usb stick with the wireless driver you’ve just downloaded, extract it and install it through device manager or manually by right clicking the extracted .sys file.

You should now be able to connect to Windows update and pull down all the rest of the drivers and the surface pro firmware update, and other necessary windows updates etc.

I found i was able to add office to the completed install and still sysprep it, but if i added much more to the image before sysprepping it (Wireshark, LPS, Sophos, Skype, VLC, Chrome etc) it caused sysprep to fail and ruined the image. I’ll work through what caused this to fail and post back here.

Use the Windows ADK with Rufus to build a winpe boot disk to capture the sysprepped image with dism as per, then you can deploy at your leisure to other surface pros.

OWA Outlook Web Access – 500 error, Forms-Based authentication fails to start

In the process of creating a DAG lab i noticed that once the servers were in a DAG cluster, I was not able to log onto OWA, the symptoms were:

  • User could authenticate, if they failed to enter their creds they were asked to try again
  • Once they had successfully authenticated a 500 error was dished out by IIS.

A little digging found that Microsoft Exchange Forms-Based authentication fails to start, a manual start sorted this out in the short term, however for a longer term fix I changed the service behaviour to Automatic (Delayed Start), it now starts of its own accord.

I experienced these symptoms with Exchange 2010, SP2 RU4.

Microsoft System Centre EndPoint Protection 2012 vs Sophos

Having noticed an increasing number of fake AV and ransom-ware installations on our network where we now run Forefront Client Security as endpoint protection, I ran a comparison between the latest version of Microsoft’s latest A/V product, System Center EndPoint Protection 2012 SP1 and Sophos’s most recent PC client A/V to decide whether the MS offering was still up to snuff before we deployed it.

Having used malc0de’s database to retrieve live malware links posted over the last three days we used a pair of VM’s on a segregated network to test detection of malicious code. Both VM’s were snapshot-ted before infection, one was installed with a fully updated (defs: 07/01) EPP and the other with Sophos (defs: 07/01), both running W8 x64. The comparison is solely with Sophos as we currently use that product on our macs. We use the Microsoft forefront Client Protection A/V on PC’s as it is free as part of the software assurance benefits received as part of our EA, I should add that i realise this is no reason on which to base a choice of endpoint protection product and this experience has prompted an immediate review of that choice.

Admittedly this is a very limited range of tests, and not particularly thorough, but as a quick review it indicates that EPP is not sufficiently often or thoroughly updated and is severely compromised by the lack of access to a url blacklist (which in fairness it does not claim to offer). In the below list, every single piece of malware was allowed to be downloaded by EPP and was not detected when manually executed – though if you tried to run directly from IE all but one piece of malware was initially blocked due to signature verification problems. Sophos blocked access to the below known malware sites and where they were unknown it recognised the malware and prevented its execution. Time to read some reviews and get some prices for alternative endpoint protection.


Converged Fabric for Hyper-V hosts on Server 2012 – super elegant.

Recently I’ve been working to simplify and consolidate our service provision. The path of least pain has been determined as placing core applications in colocation. While investigating the provision of storage and with memories of building 2008 R2 clusters still clear in my head I have begun trialling Server 2012. Having read a series of articles by Aidan Finn (his excellent blog here) about Virtualisation on server 2012 and I happened across his converged fabrics posts, here.

First some background, in Hyper-v R2 you need upwards of six nic’s to build a VM host cluster, you can get functionality with less but you leave yourself exposed, it would not be N+1. Also bear in mind that teaming for fault tolerance across multiport network cards is  only going to give you a false sense of security on the server side (it is after all only a single card regardless of how many ports it has).

In a nutshell, what I’m excited about is that you can use native teaming (or otherwise) on Server 2012 to bond a series of nics together, then spread your live-migration, storage, guest access and other nic requirements across a series of virtual nic’s connected to the virtual switch bound to this nic team (phew). You then set QOS on the virtual switch for the different virtual adaptors so you can guarantee service for the different aspects of connectivity your Hyper-V cluster will need. Anyway, have a look at the Aidan’s posts on the matter, they make for a great lab.

In my lab I’ve used a pair of 1gbe links and it works great for testing, in production you’d be looking at 2+10gbe links ideally, giving you resilience and most of the bandwidth you’d ever need in the forseeable future, at least for the kind of services/load experienced in most SME’s.

ISP Redundancy on Checkpoint R75.45 Gaia – does not work

I installed R75.45 Gaia on a UTM-1 270 appliance recently, installation from USB went fine and performance was adequate with a low load, VPN, default IPS and a short QOS rule set.

In order to support a degree of resilience we’re using ISP Redundancy at all sites with multiple internet connections, despite configuring this site identically I was not able to get the failover to work. Usually, the script cp_isp_update runs and updates the gateways default route to match that of the secondary ISP, however when i tested this on R75.45 the route was not updated when primary was disconnected.

I contacted Checkpoint support and was informed that ISP Redundancy does not work in either version of Gaia, R75.45 or R75.40 – however there is a patch available for R75.40 if you contact them and reference this sk. I applied this patch on 75.40 but still didn’t see the solution work as expected so instead deployed R75.30 as I have at other ISP redundant sites.

I should also mention that my in no way scientific, cursory observations indicated that load on the CPU was much lower (15-20pc lower) on SPLAT (with 75.30) than on either version of GAIA. Something to bear in mind for older appliances like the UTM-1 270.

VMWare vCenter Converter “Unable to obtain hardware information for the selected machine.”

When converting a machine from VMWare Workstation to another virtualisation platform you may come up against a “Unable to obtain hardware information for the selected machine.” warning and red cross after selecting the VM you wish to convert.

This is easily resolved, simply right click the VMWare VCenter Converter icon/start menu item and select run as administrator.


Get every new post delivered to your Inbox.