KB3161608 & KB3161606 replaced by KB3172605 & KB3172614

KB3172605 (Windows 7 and Windows Server 2008 R2 Sp1) and KB3172614 (Windows 8.1 and Windows Server 2012 R2) are July 2016 update rollups, and are replacing the update rollups from June 2016 (KB3161608 and KB3161606). July 2016 update rollups are fixing the issues that were caused by the June 2016 update rollups (for example: Hyper V and Integration Services issues).
All other updates introduced in June 2016 update rollups are present also into July 2016 update rollups.
So, introduction of new cipher suites to Internet Explorer and Microsoft Egde in Windows introduced in June 2016 update rollups, might break access to some old https enable sites.
This issue can be resolved by uninstalling these update rollups, or in my case adding the following registry key on affected machines (lowering the DHE key length on clients to 512bits, instead using the default 1024bits):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ClientMinKeyBitLength"=dword:00000200

After adding the registry key (restart is not necessary), https "oldies" started to open with Internet Explorer.

Happy Patching :)

Slow User Experience on Every Logon

In this case a colleague of mine was complaining that every time she reboots the workstation with Windows 8.1 x64 installed, and successfully login, she will have to wait for about 10 minutes before the operating system becomes responsive again and the disk utilization for these 10 minutes was 100%.
Process responsible for this high disk utilization was taskhostex.exe. Taskhostex.exe and taskhost.exe are host processes for Windows Tasks. For example, these three tasks are running under taskhostex.exe:

Wininet Cache Task is triggered whenever user is logged on. During my colleague's logon, the disk was heavily utilized by the taskhostex.exe and a file with most disk reads and disk writes operations was WebCacheV01.dat located on C:\users\userprofile\AppData\Local\Microsoft\Windows\WebCache. Starting from Internet Explorer 10, browser cache is stored in this database instead in index.dat as was in previous editions of Internet Explorer.
In this case, my colleague's WebCacheV01.dat was around 3GB (Initial size is around 20-30 MB).
In order to improve my colleague's logon experience, I've killed the taskhostex.exe process (Internet Explorer was already closed), and deleted the contents of  C:\users\userprofile\AppData\Local\Microsoft\Windows\WebCache and rebooted the workstation.
After the reboot, my colleague has logged on successfully with low disk utilization and newly created WebCacheV01.dat database.

I hope it will help someone debugging slow user's logons ...
 

Windows 8.1 x86 unable to boot

In this case a friend of mine was complaining that his pc was unable to boot to Windows 8.1 x86 OS, because it was stuck in endless loop of automatic repair and restart. Automatic repair was unable to fix windows booting problem.
Since Automatic Repair was unable to fix the booting problem, I've entered into command prompt (Troubleshoot->Advanced Options-> Command Prompt) and tried to fix the problem using bootrec.exe. I ran the bootrec.exe with /Fixmbr and /Fixboot options, but none of them have succeeded to fix the booting problem.
Diskpart was showing all the partitions on the disk that should be present, and configured as should.

Because bootrec.exe didn't fix the booting problem, I've tried to run bootsect with following options :

bootsect /nt60 C:

And finally the Windows 8.1 x86 booting problem was successfully solved.

For more info about these utilities check Microsoft articles bootsect, bootrec, diskpart .
 

High CPU Usage from System Interrupts Process

In this case, a colleague of mine was complaining that her workstation was running very slow even tough the workstation was memory upgraded. Since the term "running slow" is very relative, I needed info about the hardware and OS. The operating system was Windows 8.1 Enterprise x64, and hardware was HP ProDesk 600 G1.
The reason for this "running slow" behavior was the CPU usage of system interrupts process. 20-30% of the CPU usage was dedicated to this process all the time. From my experience the reason for this kind of behavior is hardware or driver related. The OS was fully patched with latest updates. So, I've started updating the drivers and BIOS. After updating the drivers and BIOS to the latest HP official versions the behavior was still the same, system interrupts process was holding 20-30% of the CPU. There were no pending restarts. And, the CPU usage behavior was the same on every restart. This behavior of high CPU usage from System Interrupts process has stopped, when I have shut down and power on the workstation. It's very strange, but I have successfully succeeded to reproduce this behavior on this HP model PC. And, this is the scenario when this high CPU usage of system interrupts process will happen for this PC model:

Whenever there is memory size change, BIOS will "alert 164 memory size error " press F1 to continue, the OS will boot and system interrupts process will run high CPU usage. This behaviour will continue, even if the OS is restarted several times. But, if you shut down, and power on the workstation, the CPU usage will be back to normal !

I'll call this a bug, so in case you're doing memory upgrade on this PC model, do not forget to power off and power on the PC after successful memory upgrading.

 

Setting Sleep Option on multiple Windows 8.1 domain computers

This was an easy task that I want to share, and the request was to set the power option when the computer will go into sleep state on a list of Windows 8.1 domain computers. Most of the computers on the list were having the default option of 30 minutes for going into sleep state. And this value of 30 minutes has to be changed into 5 hours, but all computers that were having a changed default setting of 30 minutes into Never must not be set. I was using PowerShell with WMI for achieving this task. And here is the script:

$comps =Get-Content "C:\Temp\Scripts\computers.txt"

foreach ($comp in $comps)
{
if (Test-Connection -ComputerName $comp.Trim() -Quiet)
{
#find the active powerplan
$a = (gwmi win32_powerplan -Namespace root\cimv2\power -ComputerName $comp.Trim() -filter { IsActive = 'True' }).instanceid.split("\")[1]

#find the powersetting for sleep option
$b = (gwmi win32_powersetting -Namespace root\cimv2\power -ComputerName $comp.Trim() -Filter { Elementname = 'Sleep After' }).instanceid.split("\")[1]

#get the value for sleep setting on active power plan
$seconds =  gwmi win32_powersettingdataindex -Namespace root\cimv2\power -ComputerName $comp.Trim() -Filter "InstanceID like '%$a%ac%$b'"

#check if the setting is Never
if ( $seconds.SettingIndexValue -ne 0 )
{

#set the value to 5 hours
    $seconds.SettingIndexValue = 18000
    $seconds.Put()
   
}
else
{
    write-host "$comp has sleep option Never"
}
}
}

The script is easy to understand, but anyway here is the overview:

• Getting the list of computers from file and looping from each of the computer and checking if the computer is online.
• In the main part I'm getting the guid for active power plan and guid for sleep option. After that I'm getting the value for sleep option in seconds.
• And in the last part of the script I'm setting the option for going into sleep after 5 hours if the current value is not 0, which is the value for never put computer into sleep state.

Sweet Dreams :)
 

"Access Denied" when syncronizing offline files

A colleague of mine was complaining that he was experiencing Access Denied message while synchronizing his folder redirected offline files on his Windows 7 laptop machine with enabled option for encrypting the offline files cache. While he was able to successfully synchronize folder redirected offline files on his Windows 8.1 desktop workstation with disabled option for encrypting the offline files cache.
The reason for this strange behavior is that Windows for encrypting the offline files cache is using native EFS. Also, for testing purposes he tried to encrypt some folder on NTFS file system, but he was unable to do that. So, now it was easy to guess that EFS is not working as should. After checking the Data Recovery Agent in Computer Configuration\Windows Settings\Public Key Policies\Encrypting File System in Default Domain GPO, I have noticed that default self signed Administrator certificate for EFS data recovery agent has expired.
Deleting this expired certificate and generating new EFS data recovery certificate and importing it into Default Domain GPO, has solved all the problems. This new Data Recovery Agent certificate can be self signed and can be generated with cipher /r:cert_file_name, or if there is Microsoft CA in organization EFS recovery agent certificate template can be used.
 

Windows 8.1 Default File Associations

Setting the default file associations for Windows 8.1 can be a quite challenge. First to note is that User's Group Policy Preference Folder Option Open With ... setting does not work anymore. So, in order to set default file associations we have two "mechanisms" in our hands.
The first one is DISM with set of new options for viewing, removing, exporting and importing default file associations. Exporting and Importing option is using xml file. So, after we have assigned specific application associations for certain file extensions on our reference computer, we have an option to export those settings into xml file using DISM, for example:

Dism /Online /Export-DefaultAppAssociations:<path to xml file>\DefAppAssoc.xml>

This xml file can be imported into our image file that we're using for Windows 8.1 deployment scenarios, and everyone that will logon to the operating system deployed using that "modified" image file will have the same default file associations as our reference computer. This xml file can be imported to already deployed Windows 8.1 operating system, but file associations that we have predefined will have effect only to new users that will logon to that system.
So, what about the existing users that already have generated profiles ? Here comes the other mechanism for setting the default file associations and that is the new GPO setting located into:

Computer configuration\Administrative templates\Windows Components\File Explorer\Set a default associations configuration file

where we can specify the path to the exported xml file. This GPO setting will set the following registry entry with path to the default file association xml file:

HKLM\Software\Policies\Microsoft\Windows\System\DefaultAssociationsConfiguration

This setting will be applied on every user logon. Negative side, or for someone might be Positive side (depends from the scenario) to this kind of setting the default file association, is that every time the user change some setting for file association it will be reverted back to our default defined file associations on next logon.

More about Export, Import options for DISM on http://technet.microsoft.com/en-us/library/hh825038.aspx .
 

SCCM 2012R2 Task Sequence Error 0x8007000b

When deploying Windows 8.1 x64 using SCCM 2012 R2, you may experience task sequence error 0x8007000b, if you're trying to execute for example DISM command without path information for the executable. For example, running the following task sequence command to set the default file association from xml file will fail:

dism /online /Import-DefaultAppAssociations:AppAssociations.xml

The reason for this failure is Windows redirect feature which tries to execute the 32bit version of DISM. In order to fix this behavior and run the 64bit version of DISM, sysnative function can be used. So, running the DISM like this:

%windir%\sysnative\dism /online /Import-DefaultAppAssociations:AppAssociations.xml

will successfully import the default file associations. More info about file system redirector check http://msdn.microsoft.com/en-us/library/aa384187.aspx .
 

Windows 8.1 Logon Script Delay

When joining Windows 8.1 or Windows Server 2012 R2 to your domain environment, you will experience delayed execution of logon scripts. By default, these Microsoft operating systems have 5 minutes preconfigured delay of execution of logon scripts. With this kind of behavior, Microsoft wanted to eliminate poorly written logon script from overall logon user experience and user's desktop responsiveness.
This behavior can be changed using following GPO setting: Computer Configuration > Administrative Templates > System > Group Policy > Configure Logon Script Delay :

Logon Script Delay can be changed by increments of one minute or setting it to zero which will disable this feature and logon scripts will execute as were in previous operating system versions.
 

Unable to open ILO3 with TLS 1.2

In this case I was unable to connect to ILO3 on HP DL 380 G7 with Internet Explorer 11 from Windows 8.1 client workstation. ILO Firmware version was 1.20. Starting from Windows 8.1 and Internet Explorer 11 all TLS protocols are enabled and supported by default:

ILO was not failing back to lower version of TLS if TLS 1.2 was selected. After unselecting TLS 1.2 from Internet Explorer 11, I was able to connect to ILO interface. This is issue was resolved with later version ILO firmware. So, after patching the server with latest ILO firmware, I was able to connect to ILO3 interface using Internet Explorer 11 with TLS 1.2  selected.
 

Internet Explorer Branding failed

On all Windows 8 and Windows 8.1 client Resultant Set of Polices (rsop.msc) was returning an error for Internet Explorer Branding component like this:

And in Group Policy event log the following event is logged Event ID 7016:

• CSEElaspedTimeInMilliSeconds 0
• ErrorCode 127
• CSEExtensionName Internet Explorer Branding
• CSEExtensionId {A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B} 

The reason for this behavior is that Internet Explorer Maintenance or Internet Explorer Branding has been removed from Windows 8 and Windows Server 2012. One way to resolve this error is to remove Internet Explorer Branding Group Policy client side extension using the following Microsoft KB 2813272 .
Another way to prevent this error is to prevent all the GPOs with some Internet Explorer Maintenance configured setting from applying to Windows 8 computers. But, there is also another catch, if you reset the Internet Explorer Maintenance settings in GPO, the extensions are not removed from GPO ! There is also published article from Microsoft about this bug http://support.microsoft.com/kb/2722241/EN-US . So, there might be GPOs with no settings about internet explorer branding, but still having the client extension in place. To find all the GPOs with configured Internet Explorer Maintenance extension, dsquery can be used with following syntax:

dsquery * -filter "(&(gPCUserExtensionNames=*{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}*))"

DSquery will return GUIDs of all affected GPOs with Internet Explorer Branding Extension. In order to remove the extension information from the GPOs, Active Directory Users and Computers snap-in on Windows Server 2008 or later can be used to edit the attributes. Navigate to Domain Name -> System -> Policies and locate and select the GUID of the GPO that was returned as result from dsquery command, and go to the attribute editor tab from the properties of the GPO. Search for gPCUserExtensionNames entry and edit the field. Locate the [{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}], and delete that entry including "[" and "]" brackets. Save the properties, and that GPO will not be qualified for running the Internet Explorer Branding client extension.
After removing "orphaned" extensions from GPOs, the Event ID 7016 with error code 127 was not logged anymore and rsop.msc was not returning failed status for Internet Explorer Branding since this extension is not in use anymore.

Note: If you're using Internet Explorer Maintenance for pushing Internet Explorer settings to clients, you should consider migrating to Group Policy Preferences for Internet Explorer for setting those settings. Also, you can't use Internet Explorer Maintenance for setting Internet Explorer 10 or 11 http://technet.microsoft.com/en-us/library/jj890998.aspx .
 

Internet Explorer 11 opens Exchange OWA Light

By default, Internet Explorer 11 will open OWA Light when accessing Exchange (2013,2010,2007) environment. The reason for this behavior is that Internet Explorer 11 does not include MSIE token in user-agent string.
In order to avoid this behavior and let the Internet Explorer 11 to open OWA Premium by default, for Exchange 2013 there is CU2, and for other versions of Exchange the workaround is from client side:

• Open Internet Explorer 11 in private mode

or

• Add OWA site in compatibility view list

Microsoft has published KB for this Internet Explorer 11 behavior. For more info check http://support.microsoft.com/kb/2866064 .

SecureBoot isn't configured correctly

After installing Windows 8.1 on my workstation, I have experienced following watermark on my Desktop:

And, YES I'm aware that SecureBoot is not enabled, but I do not want that watermark to be present on my Desktop. Microsoft has responded on complains with following update http://support.microsoft.com/kb/2902864, which removes the watermark from desktop. After installing the update you will be prompted for restart, and after the reboot the watermark will disappear.

KMS activation of Windows 8.1 and Windows Server 2012 R2

In order to activate Windows 8.1 and Windows Server 2012 R2 using KMS hosted on previous generation of Windows operating system, Microsoft has published following kb article http://support.microsoft.com/kb/2885698/en-us .
After installing the update, you will be able to install and activate your KMS key for Windows 8.1 and (or) Windows Server 2012 R2.
Procedure for installing the KMS host key is the same as installing KMS host key from previous versions of Windows operating systems:

cscript %windir%\system32\slmgr.vbs /ipk <KMS host key>

You will experience following error if you are installing KMS host key on Windows operating system that is not associated with that host key:

0xc004f015: The Software Licensing Service reported that the license is not installed. SL_E_PRODUCT_SKU_NOT_INSTALLED

 For example:

• Windows 7 KMS host key install on Windows Server 2008 R2
• Windows 8 KMS host key install on Windows Server 2008 R2, Windows Server 2012
• Windows 8.1 KMS host key install on Windows Server 2008 R2, Win Server 2012 and R2

 Activate the KMS host key using:

cscript %windir%\system32\slmgr.vbs /ato

In my case the KMS server was using proxy for connecting to internet and the user activating the KMS host key was not having proper permission to access the Microsoft's Internet Activation Servers. The activation was failing with following error message 0x8004FE92:

On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x8004FE92' to display the error text. Error: 0x8004FE92

Running the 'slui.exe 0x2a 0x8004FE92' does not provide a lot of help:

 

After providing proper Internet access for the user, activating the KMS host key has completed successfully. More about 0x8004FE92 error message can be found on http://support.microsoft.com/kb/2009934/en-us .