Warning Event 9327 from MSExchangeSA

In this case Warning Event 9327 from source: MSExchangeSA was logged in Application Event log on Exchange 2010 server responsible for OAB generation by default every day on 5 AM:

Log Name:      Application
Source:        MSExchangeSA
Date:          12/1/2014 5:04:50 AM
Event ID:      9327
Task Category: (13)
Level:         Warning
Keywords:      Classic
User:          N/A
OALGen skipped some entries in the offline address list '\Global Address List'.  To see which entries are affected, event logging for the OAL Generator must be set to at least medium.
- \Default Offline Address List

By default, event logging for the OAL Generator is set to lowest level. In order to see why some entries are skipped by OAL Generator, event logging level must be set to at least medium. One way to set this requirement is by using PowerShell :
Set-EventLogLevel -Identity "ExchangeServerName\msexchangesa\oal generator" -Level Medium

Setting the logging level to Medium for the OAL generator will produce a lot of events during the generation of OAB. Informational events generated from MSExchangeSA with Event ID 9359 can be safely ignored, but error events with id 9325 are the one that are triggering the event id 9327 from MSExchangeSA. For example:

Log Name:      Application
Source:        MSExchangeSA
Date:          12/25/2014 5:04:03 AM
Event ID:      9325
Task Category: (13)
Level:         Error
Keywords:      Classic
User:          N/A
OABGen will skip user entry 'John Doe' in address list '\Global Address List' because the SMTP address '' is invalid.
- \Default Offline Address List

John Doe was not having email address, but was having "ShowInAddressBook" property populated. So, in order to fix this behavior, I've created mailbox for this user, and after that immediately disabled the mailbox for this user, and all exchange related properties were cleared from this user.

Now, return (set) the event logging level for the OAL generator to default (lowest) value:
Set-EventLogLevel -Identity "ExchangeServerName\msexchangesa\oal generator" -Level Lowest
And, warning Event 9327 from source: MSExchangeSA was not logged in Application Event log on Exchange 2010 server responsible for OAB generation in 5 AM.

Setting calendar permissions in Exchange 2010

This is quick post for reference, and is intended to show how to manage user's calendar permissions in Exchange 2010. Four PowerShell cmdlets are available for achieving this task:
For example:
  • To list (get) assigned calendar permissions on user Jane.Doe here is the syntax:
Get-MailboxFoderPermission -identity jane.doe:\calendar
  • To assign John.Doe Reviewer permission on Jane.Doe calendar (John does not have any permission on Jane's calendar):
Add-MailboxFolderPermission -identity jane.doe:\calendar -user "John Doe" -AccessRights Reviewer
  • To modify already assigned permission to John Doe on Jane Doe calendar from Reviewer to Editor:
Set-MailboxFolderPermission -identity jane.doe:\calendar -user "John Doe" -AccessRights Editor
  •  And finally to remove already added permission for John Doe on Jane Doe calendar:
Remove-MailboxFolderPermission -identity jane.doe:\calendar -user "John Doe"

Nokia E72 stopped synchronizing emails

In this case my friend's "oldie" phone Nokia E72 stopped synchronizing emails using ActiveSync. He was also unable to access his mailbox using outlook web access link.
The reason for this behavior was that the company's IT has replaced expiring certificate with new one (nothing odd here), but the new certificate was having sha256RSA signature algorithm. Nokia E72 was unable to access https web sites secured with sha256 certificates.
In order to fix this behavior fortunately there is a fix which will enable Nokia E72 to successfully access https web sites secured with sha256 certificates. You can download this fix from http://dl.nokia.com/ns/symfix/networking_improvements.SIS .

After installing this fix for Symbian, my friend was able to synchronize email using ActiveSync again, and started to open https web pages secured with sha256 certificates.

Remote Desktop Connection Manager 2.7

Remote Desktop Connection Manager (RDCMan) 2.7, finally is publicly available. For those who never used RDCMan, it's probably the best tool for managing multiple remote desktop connections, and it's free.
You can download the installation package from Microsoft Download Center http://www.microsoft.com/en-us/download/details.aspx?id=44989 .

Here are the supported operating systems: Windows 10 Tech Preview , Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Tech Preview.

For users with OS versions prior to Win7/Vista will need to get version 6 of the Terminal Services Client. You can obtain this from the Microsoft Download Center: Windows Server 2003, XP.

Here are the new features:
  • Virtual machine connect-to-console support
  • Client size options come from the application config file (RDCMan.exe.config) rather than being hard-coded.
  • View.Client size.Custom menu item shows the current size
  • View.Client size => From remote desktop size
  • Option to hide the main menu until Alt is pressed. Hover over the window title also shows the menu.
  • Added Smart groups
  • Support for credential encryption with certificates
  • Better handling of read-only files
  • Added recently used servers virtual group
  • New implementation of thumbnail view for more predictable navigation
  • Thumbnail view remembers scroll position when changing groups, etc.
  • Performance improvements when loading large files
  • Allow scale-to-fit for docked servers (Display Settings.Scale docked remote desktop to fit window)
  • Allow scale-to-fit for undocked servers (Display Settings.Scale undocked remote desktop to fit window)
  • "Source" for inheritance in properties dialog is now a button to open the properties for the source node.
  • Focus release pop up => changed to buttons, added minimize option.
  • Added command-line "/noconnect" option to disable startup “reconnect servers” dialog
  • Session menu items to send keys to the remote session, e.g. Ctrl+Alt+Del
  • Session menu items to send actions to the remote session, e.g. display charms
  • Domain="[display]" means use the display name for the domain name.
And Bugs fixed:
  • Application is now DPI aware
  • Undocking a server not visible in the client panel resulted in the client not being shown in undocked form.
  • Ctrl+S shortcut didn’t work at all. It now works and always saves, even if there are no detected changes to the file.
  • Shortcut keys didn’t work when focus was on a thumbnail.
  • Add/delete profile in management tab. In same dialog instance, profiles are not updated. Similarly adding a new profile from combo doesn’t update the tab.
  • Window title was not updated when selected node is removed and no new node selected (open a file, close the file.)
  • Connect via keyboard didn’t always give focus when it should.
  • Connected Group would always show itself upon connecting to a machine, regardless of setting.
  • Selecting a built-in group then hiding via menu option didn’t work properly.
  • Editing server/group properties did not always mark a file as changed.
  • Non-changes could result in save prompts at exit. This should no longer happen.
  • Activating the context menu via the keyboard button was not always operating on the correct node.
  • Changing a server/group name doesn’t change window title if the server/group is currently selected.
  • ALT+PAGEUP and ALT+PAGEDOWN hotkeys were switched. This is fixed for new installs—for existing files you’ll want to change on the [Tools.Options.Hot Keys] tab.
  • /reset command line option wasn’t resetting all preferences
  • “Server Tree” option from “Select server” focus release dialog didn’t show the server tree if it was hidden.
  • New file directory now defaults to “Documents”.
  • ListSessions dialog sometimes popped up in a weird location. Now placed within the main window.

For more info please check the help.htm file located into the installation folder of RDCMan 2.7.

How to find matching mount points and volume guids ?

In this case I was experiencing VSS error events in application event log on one of the file servers. The related logged events were containing error information with associated Volume GUID instead of mount point (drive letter). Here is the example of the error event:
Volume Shadow Copy Service error: The shadow copy could not be committed - operation timed out. Error context: DeviceIoControl(\\?\Volume{GUID}

Since this error event was generated on file server with bunch of disk drives, I was wondering which mount point (drive letter) was associated with this Volume Guid.
One way to achieve this task was to run mountvol.exe without any switches. The output from this command looks like this:

Also, from Run dialog:

I could browse the contents of the drive, and figure out the drive letter.
Browsing the contents using Volume Guids from command prompt using dir requires additional backslash "\" at the end:

Another way is by comparing values in Registry in HKLM\System\MountedDevices for DosDevices and Volume Guids (picture contents are cropped):

At last, and I guess the best option is to use PowerShell and wmi. Win32_Volume class (not applicable for XP) will provide the necessary data by using DriveLetter an DeviceID properties. All filtering capabilities for filtering data using powershell are available, including querying the remote machines. For example, the following singleliner will return VolumeGuids and DriveLetters associated:

I guess all these methods will help you to find the matching pair :) If you have another way for matching volume guids and mount points, feel free to comment.

TechEd 2014 Europe, TechEd 2015 Europe ?

TechEd 2014 Europe (Barcelona) has finished yesterday, and if you were at the last session on Friday on Case of the Unexplained: Troubleshooting with Mark Russinovich, you could listen that it was the last his session on TechEd ... Ever ...
Is TechEd dead ? No, according from Microsoft. TechEd lives on, but as part of new unified Microsoft commercial technology event. This event for 2015 calendar for US is scheduled in May in Chicago and is known as Microsoft Ignite .
Until now, there are no announcements for such Microsoft's premier IT Pro conference for Europe, but let's hope that there will be one, because TechEd was a great place to explore Microsoft's solutions for delivering innovation and productivity for enterprises.

Free Exam Vouchers

If you're MCT, checkout the latest promotion from Microsoft Learning on http://borntolearn.mslearn.net/goodstuff/p/mctchallenge.aspx . Free Exam Vouchers Offer is valid until 30.11.2014 up to 10000 vouchers distributed worldwide, and a voucher may be redeemed to take any MCP Exam !!!
For the best MCTs there are special prizes like Surface Pro 3 and XBOX One !

Also, If you want to become an MCP checkout the latest promotion from Microsoft Learning on http://borntolearn.mslearn.net/goodstuff/p/mcp.aspx . There is free exam vouchers offer for Azure Exams and Office 365 Exams. The offer is valid until 31.12.2014 up to 10000 vouchers distributed worldwide.

Don't miss the offers !

Windows 10 Technical Preview demos

I have uploaded short videos on YouTube about:
  • Installing Windows 10 Technical Preview on Hyper V : http://youtu.be/7HXhor5vM_U .
    This video covers:
    • download location of the Windows 10
    •  Hyper V VM provisioning and installation of the Windows 10
  • Windows 10 Technical Preview Features : http://youtu.be/hlL06fy2vU0 .
    This video covers:
    • Introduction of the "new" Start Menu (Resize, Drag and drop, Add Recycle bin to start menu, Change the size of the tiles, Turn live tile (on|off), Switch between Start Menu and Start Screen)
    • Operating System version
    • Introduction of the new experimental tab on command prompt properties, from where the opacity of the window can be changed (for example), new features for selecting text, CTRL+C, CTRL+V .
    • PowerShell version
    • Internet Explorer version
    • Virtual desktops (create, delete, switch)
    • "New" applications run in window mode

I've added some annotations during video playback, so recommended view of the videos is from desktop.

Windows Technical Preview

Last week Microsoft made publicly available for download technical preview version of the next generation of client, server and system center products. Official names for the server and system center are not revealed, and they are available as Windows Server Technical Preview and System Center Technical Preview, while for the client Windows 10 will be the name of the operating system.

Here are the official Microsoft download links:

Windows 10:

Windows Server Technical Preview:

System Center Technical Preview:


Finding the currently logged on user using powershell and WMI

This is quick one for reference, here is an example how to find out currently logged on user on remote computer or local computer (administrative permission is required for querying remote computer) using PowerShell single liner:

Get-WmiObject win32_ComputerSystem -ComputerName Remote computer name or IP address | Select username
For finding out the currently logged on user, WMI and Win32_ComputerSystem class is used. Win32_ComputerSystem class has username property which contains the currently logged on user. For more information about Win32_ComputerSystem class please check the MSDN article http://msdn.microsoft.com/en-us/library/aa394102(v=vs.85).aspx .

My first thought was to find out the currently logged on user, but what about the users that are logged on and are switching between their profiles ? That's when the things get complicated. Anyway, here is PowerShell script which will list logged on users on remote or local machine, even if they are switching between profiles on same pc (for comp variable add the ip address or computer name of the machine, also administrative permission are required) :

$comp="computername or ip address"
Get-WmiObject win32_logonsession -ComputerName $comp -Filter "Logontype = '2' or Logontype='11' or logontype='10'" |
foreach {Get-WmiObject win32_loggedonuser -ComputerName $comp -filter "Dependent = '\\\\.\\root\\cimv2:Win32_LogonSession.LogonId=`"$($_.logonid)`"'" | select Antecedent } |
foreach { ($_.antecedent.split('"'))[1] + "\" + ($_.antecedent.split('"'))[3] } | select -unique

WMI is utilized and Win32_LogonSession and Win32_LoggedOnUser classes are used. From Win32_LogonSession I'm filtering for following logontype: Interactive, RemoteInteractive and CachedInteractive, and passing the logonid to Win32_LoggedOnUser class. From Win32_LoggedOnUser class Antecedent property is manipulated to create easy to read output.

For more info about Win32_LogonSession and Win32_LoggedOnUser classes, please check MSDN library : http://msdn.microsoft.com/en-us/library/aa394172(v=vs.85).aspx and http://msdn.microsoft.com/en-us/library/aa394189(v=vs.85).aspx .


Error obtaining generating internal key store for PROV_RSA_FULL

In this case, a friend of mine was complaining that from some reason he was unable to sign documents on web site which requires to proof his identity with certificates stored on token. The client operating system was Windows 8. Instead of a popup for token pin, there was an error message (WinCAPICryptoProvider() - Error obtaining generating internal key store for PROV_RSA_FULL):

I was suspecting that something was wrong with user's certificate. Certmgr.msc and personal folder was showing his certificates, and all of them were having the private key. Since all of the certificates were stored on a token, I have deleted all the certificates from the personal certificates store. After reinserting the usb token, certificate propagation service has successfully copied certificates from the token into user's certificate personal store. I was hoping that the problem has been successfully solved, but the same message from internet explorer has popped out, and he was unable to sign the documents.
Next, I have checked the activex component. The web site for signing documents was using ActiveX component, and that component was installed and was not disabled in internet explorer. The web site was located in trusted site zone.
Now, before creating new user profile, and migrating all the documents and settings from the old to the new profile, I have decided to check the crypto folder. The location of this folder is in following path C:\Users\Username\AppData\Roaming\Microsoft\Crypto\RSA\User's SID. First, I have backed up User's SID folder, and after that deleted the folder from C:\Users\Username\AppData\Roaming\Microsoft\Crypto\RSA location.
And finally, when he accessed the web site to sign the documents there was a popup to enter the PIN from the token, and he was able to sign the documents. The case was successfully closed.

TMG with HTTPS Inspection enabled fails with 0x8009000a

In this case, if you're still using TMG 2010 as proxy server with HTTPS Inspection option enabled, users may experience blank page when accessing https web sites with CNG certificates (for example: coursera, booking, sendspace, dropbox, twitter ...) . The reason for this behavior is that default self signed certificate (or the certificate issued by CA) which is used by the TMG for HTTPS inspection feature is not compatible with suite B certificates. For more info about the CNG certificates please check http://technet.microsoft.com/en-us/library/cc730763(v=ws.10).aspx .

You can check TMG logs to see if you're experiencing this behavior by creating filter (for example: looking for http status code 0x8009000a in last hour ) :

To avoid this behavior change the certificate used by TMG HTTPS Inspection with CNG certificate (self signed or issued by CA). This certificate must be trusted by clients. For more info about this behavior and a script for creating self signed CNG certificate please check: http://blogs.technet.com/b/isablog/archive/2014/05/28/tmg-https-inspection-is-failing-if-the-target-web-site-is-using-a-cng-certificate.aspx .

Microsoft Office 2010 Professional encountered an error during setup

A friend of mine has complained that he was unable to reinstall Office 2010 Professional on his laptop. The reason for his decision to reinstall Office 2010 was that latest updates for Office 2010 were failing to install on his Windows 8.1. The installer was failing to install the updates with generic code 1603. He has successfully uninstalled Office 2010 using Fix it from following location: http://office.microsoft.com/en-us/support/how-to-uninstall-or-remove-microsoft-office-2010-suites-HA104027750.aspx

Running the setup from Office 2010 installation CD, the installer was not detecting the old installation of Office 2010, and was trying to install new Office 2010 suite, but was failing with following error "Microsoft Office 2010 Professional encountered an error during setup" :

The error message is generic and not so descriptive, but fortunately Microsoft has published the following KB927153 article. Following the instruction from article, has successfully solved the problem. The new installation of Office 2010 has completed successfully, and all office 2010 related updates were successfully installed.

KB954430 repeatedly reinstalls

A colleague of mine was complaining that he had to install same update every day on his workstation. Every time he clicked to install the update, the same update was offered for installing again and again. The "problematic" update was KB954430 Security Update for Microsoft XML Core Services 4.0 Service Pack 2. Microsoft has published an article for resolving this kind on behavior in following KB 941729.
By following the instructions which are consisted of renaming the msxml4.dll and installing the latest MSXML security update, the annoying behavior of reinstalling the same update KB954430 again and again, has been successfully resolved.

Machine domain group policy failed to apply

In this case, domain joined workstation with Windows 7 operating system was failing to register itself on new WSUS server. Settings for the new WSUS server were entered into domain GPO. I tried to refresh the settings with gpupdate /force. But, the command was failing to apply computer settings from domain GPO, with following error message:
Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
The output from Gpresult /h gpresult.html was showing failed status for Registry in component status:


Error event was logged into System event log with ID 1096 and same description:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

So, all errors were pointing for local policy corruption.
Navigating to c:\windows\system32\GroupPolicy\Machine folder and renaming the registry.pol file into registry-pol.bakup (for example), and running the gpupdate /force again, has resulted the command to successfully complete and apply the computer and user policy settings. The workstation has received new settings for the WSUS server and successfully registered itself on this new WSUS server.

I was using the same method for resolution in my article The processing of Group Policy failed. Event ID 1096, and the reason for not applying the domain GPOs was again the local policy corruption.

High CPU Usage from System Interrupts Process

In this case, a colleague of mine was complaining that her workstation was running very slow even tough the workstation was memory upgraded. Since the term "running slow" is very relative, I needed info about the hardware and OS. The operating system was Windows 8.1 Enterprise x64, and hardware was HP ProDesk 600 G1.
The reason for this "running slow" behavior was the CPU usage of system interrupts process. 20-30% of the CPU usage was dedicated to this process all the time. From my experience the reason for this kind of behavior is hardware or driver related. The OS was fully patched with latest updates. So, I've started updating the drivers and BIOS. After updating the drivers and BIOS to the latest HP official versions the behavior was still the same, system interrupts process was holding 20-30% of the CPU. There were no pending restarts. And, the CPU usage behavior was the same on every restart. This behavior of high CPU usage from System Interrupts process has stopped, when I have shut down and power on the workstation. It's very strange, but I have successfully succeeded to reproduce this behavior on this HP model PC. And, this is the scenario when this high CPU usage of system interrupts process will happen for this PC model:

Whenever there is memory size change, BIOS will "alert 164 memory size error " press F1 to continue, the OS will boot and system interrupts process will run high CPU usage. This behaviour will continue, even if the OS is restarted several times. But, if you shut down, and power on the workstation, the CPU usage will be back to normal !

I'll call this a bug, so in case you're doing memory upgrade on this PC model, do not forget to power off and power on the PC after successful memory upgrading.


How to move Azure VM to different Cloud Service

In this case I wanted to move Azure VM from one cloud service to another cloud service in same Azure Subscription. Using Microsoft Azure Web Portal this task can be achieved in following three steps:
  • Note the disk(s) that were attached on Azure VM, and other configuration settings like VM size, virtual network, endpoints and so on.
  • Delete the Azure VM with option to keep the attached disks
  • Create new VM from Gallery, and on first Wizard page (Chose an Image) select MY DISKS option, and select the disk noted in first step. Complete the wizard with assigning the VM to the new Cloud Service.
In my case the VM was having couple of additional data disk drives, and I was unable to attached them using Azure Web Portal Create New Virtual Machine from Gallery Wizard. But, this can be easily achieved using Powershell. The script is very easy to read, and is consisted of:
  • Setting the currentStorageAccount for the Azure Subscription
  • Setting basic variables for the VM, like Name, disks, virtual network, subnet and cloud service
  • Creating new configuration for the VM
  • And, finally creating the new VM

Set-AzureSubscription -SubscriptionName 'Name of the subscription' -CurrentStorageAccount 'teststorageaccount'

$disk0Name = 'test-os-disk0'
$disk1Name = 'test-data-disk-1'
$disk2Name = 'test-data-disk-2'
$vNetName = 'test-VirtualNetwork'
$subNet = 'Sub-1'
$cloudSvcName = 'test-Cloud-Service2'

$vm1 = New-AzureVMConfig -DiskName $disk0Name -InstanceSize Medium -Name $vmName -Label $vmName |
Add-AzureDataDisk -DiskName $disk1Name -Import -LUN 0 |
Add-AzureDataDisk -DiskName $disk2Name -Import -LUN 1 |
Set-AzureSubnet $subNet |
Add-AzureEndpoint -LocalPort 3389 -Name 'RDP' -Protocol tcp -PublicPort 3390 |
Add-AzureEndpoint -LocalPort 5986 -Name 'WinRmHTTPs' -Protocol tcp -PublicPort 5987 |
Add-AzureEndpoint -LocalPort 80 -Name 'http' -Protocol tcp -PublicPort 80 |
Add-AzureEndpoint -LocalPort 443 -Name 'https' -Protocol tcp -PublicPort 443

New-AzureVM -ServiceName $cloudSvcName -VMs $vm1 -VNetName $vNetName

In bold are the two additional data disk, that will be attached during creation of the VM in the new cloud service.

How to create predictible (static) ip address for Azure VMs

In Microsoft Azure all created VMs have internal IP addresses assigned from DHCP server, and those IP addresses are within the defined virtual network scope if you have created virtual network. The IP address assigned by the DHCP to the Azure VM, will remain the same for the vm's lifetime as long as the VM is not in Stop (Deallocated) state. Here is output from the ipconfig /all from the Azure VM:

This means that when the VM is shut down from the operating system (you're paying for the VM in this state), it will obtain the same IP (in this example when the VM will start up again. Also, while this VM is in Stopped state (shut down from the OS), no other VM will be offered the same address. And here is the state of the VM from Azure Portal:

In case when you don't want to pay for the VM, you have to shut down the VM from the Azure portal or Powershell, and the VM will be in Stopped (Deallocated) state :

Starting the VM from this (Stopped -Deallocated) state, the VM will start the new provisioning process and there is a chance to obtain some other IP address. So, here is a question: Is there a way to define some preferred address for the VM, when the VM is starting from Stopped (Deallocated) state ?
And, the answer is fortunately Yes. There is Set-AzureStaticVNetIP cmdlet which can set preferred IP address for the VM when starting from Stopped (Deallocated) state. For example the syntax for assigning the static (preferred) IP address for previously created Azure VM is:

Get-AzureVM -ServiceName testService -Name test | Set-AzureStaticVNetIP -IPAddress | Update-AzureVM

Note that running this command will trigger reboot of the VM. Related cmdlets for checking, testing and removing the assigned static IP addresses from the Azure VMs are also available ( Get-AzureStaticVNetIP, Test-AzureStaticVNetIP, Remove-AzureStaticVNetIP )

It's important to understand that, this static IP address assigned with Set-AzureStaticVNetIP will NOT create reservation of the IP address for that VM. Instead, it will create preferred IP address for the VM when starting from Stopped (Deallocated) state, which means that that IP address might be already taken by other virtual machine, while the VM with static assigned IP was in Stopped (deallocated) state !

The Software Protection service entered the running state

In this case I have experienced Event ID 7036 from Service Control Manager source with following information:
The Software Protection service entered the running state.
This event was filling up the System event log, because the same event was generated every 30 seconds.
In my case I have stopped this event from logging by starting the system from Control Panel (the system was already activated), but anyway clicked the View Details in Windows Activation and click the Activate with a new key. On Windows Activation wizard page, clicked cancel and new event with same ID 7036 was logged but with information that:
The Software Protection service entered the stopped state.
After this event, there were no more events with id 7036 logged for every 30 seconds in system event log with information that software protection service entered the running state.


Windows 7 SCCM 2012 R2 clients unable to download content

This is a case where Windows 7 x86 non domain workstations with SCCM 2012 R2 client installed were unable to download content from SCCM server. Network Access Account was properly configured, and the client was using it but was still unable to download content. Anonymous clients were not allowed to connect to distribution point. Here are the error messages from DataTransferService.log:

<![LOG[Job {...} impersonating Network Access Account.]LOG]!>
<![LOG[[CCMHTTP] ERROR: URL=http://servername:80/SMS_DP_SMSPKG$/PackageID, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!>
<![LOG[Error sending DAV request. HTTP code 401, status 'Unauthorized']LOG]!>
<![LOG[GetDirectoryList_HTTP('http://servername:80/SMS_DP_SMSPKG$/PackageID') failed with code 0x80070005.]LOG]!>

After installing the following hotfix KB2522623, this client has successfully downloaded and installed packages. This hotfix is applicable to Windows Server 2008 R2 SP1 also, so this kind of behavior should be expected for those server 2008 R2 SP1 clients that are members of workgroup or DMZ.

Application Catalog website point Status:Critical

In this case I was deploying Cumulative Update 1 for SCCM 2012 R2 and installation of CU has completed successfully, but Application Catalog website point site system role was in status Critical. Before installation of CU1, Application Catalog website point was in status OK. So, the quest for searching why the application catalog website point was in status Critical after installation of CU1 has begun.
  • I checked the log files and there were no errors in them.
  • All components were in status OK
  • There were no error messages for components
  • All counts were reset
  • System rebooted
And still the Application catalog website point was in status Critical, even though software center application catalog from clients was working as expected.
Finally, I have reinstalled the application catalog website point system role, and mysteriously the status was changed in OK state.

Setting Sleep Option on multiple Windows 8.1 domain computers

This was an easy task that I want to share, and the request was to set the power option when the computer will go into sleep state on a list of Windows 8.1 domain computers. Most of the computers on the list were having the default option of 30 minutes for going into sleep state. And this value of 30 minutes has to be changed into 5 hours, but all computers that were having a changed default setting of 30 minutes into Never must not be set. I was using PowerShell with WMI for achieving this task. And here is the script:

$comps =Get-Content "C:\Temp\Scripts\computers.txt"

foreach ($comp in $comps)

if (Test-Connection -ComputerName $comp.Trim() -Quiet)
#find the active powerplan
$a = (gwmi win32_powerplan -Namespace root\cimv2\power -ComputerName $comp.Trim() -filter { IsActive = 'True' }).instanceid.split("\")[1]

#find the powersetting for sleep option
$b = (gwmi win32_powersetting -Namespace root\cimv2\power -ComputerName $comp.Trim() -Filter { Elementname = 'Sleep After' }).instanceid.split("\")[1]

#get the value for sleep setting on active power plan
$seconds =  gwmi win32_powersettingdataindex -Namespace root\cimv2\power -ComputerName $comp.Trim() -Filter "InstanceID like '%$a%ac%$b'"

#check if the setting is Never
if ( $seconds.SettingIndexValue -ne 0 )

#set the value to 5 hours
    $seconds.SettingIndexValue = 18000

    write-host "$comp has sleep option Never"

The script is easy to understand, but anyway here is the overview:
  • Getting the list of computers from file and looping from each of the computer and checking if the computer is online.
  • In the main part I'm getting the guid for active power plan and guid for sleep option. After that I'm getting the value for sleep option in seconds.
  • And in the last part of the script I'm setting the option for going into sleep after 5 hours if the current value is not 0, which is the value for never put computer into sleep state.

Sweet Dreams :)

Error events in system event log after P2V conversion

In this case I was converting (P2V) HP ProLiant DL 360 G4 server with Windows Server 2003 operating system installed. The conversion has completed successfully, and the VM was running as should, but the following error events were logged in system event log on every reboot:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
The cpqasm2 service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
The HP ProLiant System Management Interface Driver service depends on the cpqasm2 service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
The HP ProLiant System Shutdown Service service depends on the HP ProLiant System Management Interface Driver service which failed to start because of the following error:
The dependency service or group failed to start.

All HP Software related to the old hardware was successfully uninstalled, but these three services were still trying to start. Here is the output of sc (service control) query for those services:


In order to prevent these services from starting in VM, I have deleted those services using sc delete, since they were absolutely not needed by the operating system, because the system now was running as virtual machine. Here is the screenshot of the output of sc command:

Happy P2V conversion ! :)


"Access Denied" when syncronizing offline files

A colleague of mine was complaining that he was experiencing Access Denied message while synchronizing his folder redirected offline files on his Windows 7 laptop machine with enabled option for encrypting the offline files cache. While he was able to successfully synchronize folder redirected offline files on his Windows 8.1 desktop workstation with disabled option for encrypting the offline files cache.
The reason for this strange behavior is that Windows for encrypting the offline files cache is using native EFS. Also, for testing purposes he tried to encrypt some folder on NTFS file system, but he was unable to do that. So, now it was easy to guess that EFS is not working as should. After checking the Data Recovery Agent in Computer Configuration\Windows Settings\Public Key Policies\Encrypting File System in Default Domain GPO, I have noticed that default self signed Administrator certificate for EFS data recovery agent has expired.
Deleting this expired certificate and generating new EFS data recovery certificate and importing it into Default Domain GPO, has solved all the problems. This new Data Recovery Agent certificate can be self signed and can be generated with cipher /r:cert_file_name, or if there is Microsoft CA in organization EFS recovery agent certificate template can be used.

Windows 8.1 Default File Associations

Setting the default file associations for Windows 8.1 can be a quite challenge. First to note is that User's Group Policy Preference Folder Option Open With ... setting does not work anymore. So, in order to set default file associations we have two "mechanisms" in our hands.
The first one is DISM with set of new options for viewing, removing, exporting and importing default file associations. Exporting and Importing option is using xml file. So, after we have assigned specific application associations for certain file extensions on our reference computer, we have an option to export those settings into xml file using DISM, for example:
Dism /Online /Export-DefaultAppAssociations:<path to xml file>\DefAppAssoc.xml>
This xml file can be imported into our image file that we're using for Windows 8.1 deployment scenarios, and everyone that will logon to the operating system deployed using that "modified" image file will have the same default file associations as our reference computer. This xml file can be imported to already deployed Windows 8.1 operating system, but file associations that we have predefined will have effect only to new users that will logon to that system.
So, what about the existing users that already have generated profiles ? Here comes the other mechanism for setting the default file associations and that is the new GPO setting located into:
Computer configuration\Administrative templates\Windows Components\File Explorer\Set a default associations configuration file
where we can specify the path to the exported xml file. This GPO setting will set the following registry entry with path to the default file association xml file:
This setting will be applied on every user logon. Negative side, or for someone might be Positive side (depends from the scenario) to this kind of setting the default file association, is that every time the user change some setting for file association it will be reverted back to our default defined file associations on next logon.

More about Export, Import options for DISM on http://technet.microsoft.com/en-us/library/hh825038.aspx .

SCCM 2012R2 Task Sequence Error 0x8007000b

When deploying Windows 8.1 x64 using SCCM 2012 R2, you may experience task sequence error 0x8007000b, if you're trying to execute for example DISM command without path information for the executable. For example, running the following task sequence command to set the default file association from xml file will fail:

dism /online /Import-DefaultAppAssociations:AppAssociations.xml

The reason for this failure is Windows redirect feature which tries to execute the 32bit version of DISM. In order to fix this behavior and run the 64bit version of DISM, sysnative function can be used. So, running the DISM like this:

%windir%\sysnative\dism /online /Import-DefaultAppAssociations:AppAssociations.xml

will successfully import the default file associations. More info about file system redirector check http://msdn.microsoft.com/en-us/library/aa384187.aspx .

Windows 8.1 Logon Script Delay

When joining Windows 8.1 or Windows Server 2012 R2 to your domain environment, you will experience delayed execution of logon scripts. By default, these Microsoft operating systems have 5 minutes preconfigured delay of execution of logon scripts. With this kind of behavior, Microsoft wanted to eliminate poorly written logon script from overall logon user experience and user's desktop responsiveness.
This behavior can be changed using following GPO setting: Computer Configuration > Administrative Templates > System > Group Policy > Configure Logon Script Delay :

Logon Script Delay can be changed by increments of one minute or setting it to zero which will disable this feature and logon scripts will execute as were in previous operating system versions.

HP Intelligent Provisioning 1.6

HP has finally published download link for Intelligent Provisioning (IP)1.6. Among other new features and fixes, IP 1.6 has support for installing Microsoft Windows Server 2012 R2 on HP Gen8 Servers. More info and download link for IP 1.6 on http://h17007.www1.hp.com/us/en/enterprise/servers/management/ilo/#tab=TAB5 .


Unable to open ILO3 with TLS 1.2

In this case I was unable to connect to ILO3 on HP DL 380 G7 with Internet Explorer 11 from Windows 8.1 client workstation. ILO Firmware version was 1.20. Starting from Windows 8.1 and Internet Explorer 11 all TLS protocols are enabled and supported by default:

ILO was not failing back to lower version of TLS if TLS 1.2 was selected. After unselecting TLS 1.2 from Internet Explorer 11, I was able to connect to ILO interface. This is issue was resolved with later version ILO firmware. So, after patching the server with latest ILO firmware, I was able to connect to ILO3 interface using Internet Explorer 11 with TLS 1.2  selected.

Internet Explorer Branding failed

On all Windows 8 and Windows 8.1 client Resultant Set of Polices (rsop.msc) was returning an error for Internet Explorer Branding component like this:

And in Group Policy event log the following event is logged Event ID 7016:
  • CSEElaspedTimeInMilliSeconds 0
  • ErrorCode 127
  • CSEExtensionName Internet Explorer Branding
  • CSEExtensionId {A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B} 
The reason for this behavior is that Internet Explorer Maintenance or Internet Explorer Branding has been removed from Windows 8 and Windows Server 2012. One way to resolve this error is to remove Internet Explorer Branding Group Policy client side extension using the following Microsoft KB 2813272 .
Another way to prevent this error is to prevent all the GPOs with some Internet Explorer Maintenance configured setting from applying to Windows 8 computers. But, there is also another catch, if you reset the Internet Explorer Maintenance settings in GPO, the extensions are not removed from GPO ! There is also published article from Microsoft about this bug http://support.microsoft.com/kb/2722241/EN-US . So, there might be GPOs with no settings about internet explorer branding, but still having the client extension in place. To find all the GPOs with configured Internet Explorer Maintenance extension, dsquery can be used with following syntax:
dsquery * -filter "(&(gPCUserExtensionNames=*{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}*))"
DSquery will return GUIDs of all affected GPOs with Internet Explorer Branding Extension. In order to remove the extension information from the GPOs, Active Directory Users and Computers snap-in on Windows Server 2008 or later can be used to edit the attributes. Navigate to Domain Name -> System -> Policies and locate and select the GUID of the GPO that was returned as result from dsquery command, and go to the attribute editor tab from the properties of the GPO. Search for gPCUserExtensionNames entry and edit the field. Locate the [{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}], and delete that entry including "[" and "]" brackets. Save the properties, and that GPO will not be qualified for running the Internet Explorer Branding client extension.
After removing "orphaned" extensions from GPOs, the Event ID 7016 with error code 127 was not logged anymore and rsop.msc was not returning failed status for Internet Explorer Branding since this extension is not in use anymore.

Note: If you're using Internet Explorer Maintenance for pushing Internet Explorer settings to clients, you should consider migrating to Group Policy Preferences for Internet Explorer for setting those settings. Also, you can't use Internet Explorer Maintenance for setting Internet Explorer 10 or 11 http://technet.microsoft.com/en-us/library/jj890998.aspx .

Group Policy Internet Settings Event ID 4098

In this post I'll explain how I've managed to fix the Warning Event ID 4098 from Group Policy Internet Settings source in Application Log. The following event was logged in Application Event Log on affected machines:

The user 'Internet Explorer 10' preference item in the 'Policy Name and ID' Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

The reason for this access denied was because Internet Settings preference 'Internet Explorer 10' was running under user's context.

Removing the check mark from common tab for Run in logged-on user's security context (user policy option) has resolved the warning event log. Preference items created either under computer or user part of the GPO are processed under System security context. For more info about configuring common option check http://technet.microsoft.com/en-us/library/cc772371.aspx .


Failed to recreate client evaluation task

In this case there was SCCM 2012R2 client that was reported as client that failed check from All Desktop and Server clients. The error message was Failed to recreate client evaluation task :

This SCCM 2012R2 client was installed on Windows Server 2003 R2 were the local administrators have disabled some services and among them was Task Scheduler. After setting the Task Scheduler service to Automatic and starting the service, and restarting the SMS Agent Host service the Configuration Manager Health Evaluation task was successfully created and the client was no longer reported as client that failed check.

TechEd Europe 2014 announced

Microsoft has finally announced TechEd Europe 2014 and will be held on 27-31 October in Barcelona, Spain. For more info visit the official TechEd Europe 2014 web page http://europe.msteched.com .


Shared Folder Quota Not Accurate

In this case users were complaining that cannot share files in shared folder on Windows Server 2008 R2 file server with quota assigned on that shared folder. The shared folder had hard quota assigned, and according to FSRM (File Server Resource Manager) Quota Management 90% was used. Here is the screenshot showing that only 10MB were available for that folder:

Dir command was running with elevated credentials, and I was gaining same output from dir command when running under SYSTEM account. So, I was suspecting that quota calculation for that folder was not accurate. In order to trigger quota recalculation I was using Dirquota, with following syntax:
dirquota quota scan /path:<Path to folder>
After running this command, FSRM Quota Management was showing that 9X% were free (instead used) and users started to share files without getting notified that are reaching maximum quota limit for that folder.

Adding additional keyboard layout for domain users

This is quick one, where I wanted to add additional keyboard layout to some users using GPO preferences. Using GPO preferences I have added following registry key to targeted domain users:

HKEY_CURRENT_USER\Keyboard Layout\Preload\
  • Value Name:2
  • Value type:REG_SZ
  • Value data:0000042f
42F is keyboard layout for Macedonian Language and 2 for value name is keyboard preference. Additional language codes can be found in following part of registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts.

Event ID 5120 Hyper V 2012 Failover Clustering and DPM 2012 Backup Behavior

In this article I would recommend installing the KB 2879635 update for Windows Server 2012 based failover clusters that improves resiliency. This update should prevent the "notorious" event 5120 with description:
Cluster Shared Volume 'Volume1' ('name’) is no longer available on this node because of 'STATUS_IO_TIMEOUT(c00000b5)'. All I/O will temporarily be queued until a path to the volume is reestablished.
from happening during backup of VMs from Hyper V host located on CSV volume. Note that after installing this hotfix on Hyper V hosts, you should update integration components on Windows Server 2012 based guest virtual machines running on those hosts.

Also, If you're using DPM 2012 SP1 as you're backup solution I would recommend installing the latest rollup 3 KB2836751 and hotfix KB2886362 .

From my point of view, before installing these updates and rollups I was experiencing strange behavior when I was doing Hyper V host based backup of Windows Server 2012 virtual machines using DPM 2012 SP1. After initial replica creation of vm with installed Windows Server 2012 which is basically transferring the whole vhd(x) file to the DPM 2012 SP1 server, all other scheduled recovery points were transferring again the same size of data to the DPM server. This is an example of backup of one Windows Server 2012 vm:

After installing all the rollups and updates, the situation has changed, and the DPM scheduled replica creation task was transferring significantly smaller amount of data, and naturally the backup task was completing much faster.
Also, you will eliminate memory spike on node which is owning the CSV resource, during backup of VMs located on that volume fixed with KB2813630 which is included in KB 2879635.

Configuring HP Desktop BIOS using SCCM 2012 Task Sequence

In this case I wanted to unify BIOS settings (setup password and bios version) on HP Desktop Computers (DC5800, DC6000, DC6300, 600 G1). I was using SCCM 2012 R2 for operating system deployment, and in the task sequence for operating system deployment I have added steps for setting the BIOS password and updating the BIOS to latest available version for HP desktop model. For setting up the BIOS password I was using BiosConfigUtility.exe from HP sp52095.exe, and for updating the BIOS to the latest available version I was using HPQFlash which is part of BIOS update package and can be downloaded from support web page of the HP desktop model.
What I want to notify here is that BIOS password set with numbers from numerical part of the keyboard is not the same when typed with same numbers from regular part of the keyboard. So, in my case I wanted to set the BIOS password with numbers from numerical part of the keyboard. For example, for BIOS password I wanted to set seven,eight and nine from numerical part of the keyboard, knowing that previous BIOS password is either blank or "abcd". And syntax for achieving that task is following:

BiosConfigUtility.exe /cspwd:"" /cspwd:"abcd" /nspwd:"<KEYPAD 7><KEYPAD 8><KEYPAD 9>"

Note that several "old" BIOS password can be specified in same line using /cspwd, and new password is specified after /nspwd with syntax specified as above when wanted to use numerical part of the keyboard.
My next step was to update BIOS version. For updating the BIOS using HPQFlash when BIOS setup is password protected, setup password has to be provided in encrypted form. Setup password must be encrypted using HPQPswd utility which is part of BIOS update package. HPQPswd will create a file with encrypted setup password. Specifying that file for BIOS setup password will allow HPQFlash to update the BIOS version. Presuming that BIOS update file is located in same location as HPQFlash, the syntax for updating BIOS in silent mode is:
HPQFlash.exe -s -psetuppass.bin
Where setuppass.bin is the encrypted BIOS setup password file created with HPQPswd, and note that there is no space between -p and name of the encrypted BIOS setup password file.

Happy BIOS flashing !

Unable to update to SCCM 2012 R2 SCEP client

In this case I was upgrading SCCM 2012 SP1 infrastructure to SCCM 2012 R2, and one of my tasks was to upgrade SCCM client to SCCM 2012 R2 version 5.00.7958.1000. During SCCM 2012 R2 client upgrade procedure, SCEP client upgrading is part of the upgrading process to version SCCM 2012 R2 client together with SCEP client were upgrading without any issues on most of the clients, but there were some clients where SCCM client was successfully upgraded to R2 version, but SCEP client was still with old version. SCCM 2012 R2 console for those clients was reporting the following information:

Deployment State: Failed 
Deployment Return Code: 0x80004005 
Deployment Description: Failed to trigger EP Installer to install.

On Client Side EndpointProtectionAgent.log was having following info:
![LOG[Failed to load xml from string <?xml version="1.0"?><SecurityPolicy xmlns="http://forefront.microsoft.com/FEP/2010/01/PolicyData" .........(truncated) > 
<![LOG[Failed to generate AM policy settings for SCEP installation with error code 0x80004005]LOG]!>

The reason for this behavior was that the Antimalware Policy assigned to client was having the ampersand "&" sign. After removing the "&" from the Antimalware policy, the SCEP client was successfully upgraded to version

How to check EMBG (Unique Master Citizen Number) using regex

In this post, I will share my implementation of how to check if some number looks like EMBG or Unique Master Citizen Number. For those of yo...