Sep 10

KB2966828 breaks Net.Pipe listener adapter service and more!

Install from Windows Server 2012 R2 Update 1 media (technet, MSDN, etc. – doesn’t matter):
Install Server 2012 R2

Add the features .NET 3.5, HTTP, and Non-HTTP activation, and you will end up with the service in question, Net.Pipe Listener Adapter:
Service is working...

Install KB2966828, and restart (that is the awesome PSWindowsUpdate in action):
Install KB2966828...

The service is now busted:
It's not working anymore!

I’ve also encountered it causing issues with starting ASP.NET app pools and causing failures while running iisreset. A quick workaround is to add the public key token that is failing (b03f5f7f11d50a3a, found while debugging the crash) to the registry in the strong name validation bypass list:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StrongName\Verification\*,b03f5f7f11d50a3a

Adding that will allow things to work again, until the problem is fixed by Microsoft at some point.

Permanent link to this article: http://www.cluberti.com/blog/2014/09/10/kb2966828-breaks-net-pipe-listener-adapter-service-and-more/

Sep 05

Put agent into maintenance mode remotely via PowerShell in SCOM 2012 R2

Our SCOM monitoring environment monitors one of our provisioning environments, where machines come and go regularly. These hosts are potentially in many, many different groups depending on function, and they can come and go many times a day. Yes, a group can be put into maintenance mode easily, but doing so for a host, remotely, isn’t necessarily as easy. Here’s a PowerShell script (created after reading about something similar on the Coretech Blog, here) that takes machine names passed in as the first parameter, places all machine names in an array, and sets each machine into maintenance mode in a particular SCOM management group. There’s little error checking here, so if you wanted to make this more robust, you’d probably want to add some parameter validation, etc. Without ado, here it is:

Permanent link to this article: http://www.cluberti.com/blog/2014/09/05/put-agent-into-maintenance-mode-remotely-via-powershell-in-scom-2012-r2/

Jul 18

VSS “System Writer” missing? No CryptSvc or CAPI errors? No problem!

I had a set of Windows 2008R2 servers today that were having trouble backing up the system state via Windows Server Backup – they would fail with the error “System writer is not found in the backup”. I scoured the ‘net and talked to colleagues, and all of the resolutions I could find involved re-registering components, re-securing things in the Cryptography Service (prompted by CAPI or CryptSvc errors in the event log), setting ownership on WinSXS folders, etc. I did not have any such errors in my logs to indicate a permissions issue – in fact, I saw no errors at all (usually good – not so much when something is broken!). However, every time I ran “vssadmin list writers”, indeed the system writer was missing.

After taking a procmon, I noticed that the last thing that was searched were some setupapi.ev* files in \Windows\Inf:

Permanent link to this article: http://www.cluberti.com/blog/2014/07/18/vss-system-writer-missing-no-cryptsvc-or-capi-errors-no-problem/

May 26

Getting Kerberos token size with PowerShell

Recently, I had the unpleasant requirement to validate Kerberos token size for a network where users were experiencing random issues hitting certain sites and databases. Today I validated it was token size, but not until after I found Jacob Ludriks’ excellent PowerShell script to do so. I was about to write one myself when I stumbled across this gem, which came in immensely useful in helping a good colleague in a bad situation.

Without further ado, here’s the link to the script:
http://jacob.ludriks.com/getting-kerberos-token-size-with-powershell/

In the event this script ends up getting taken down, here’s the content – please visit Jacob’s site if you find this useful. He’s got some other PowerShell goodies over there too that you might like.

Permanent link to this article: http://www.cluberti.com/blog/2014/05/26/getting-kerberos-token-size-with-powershell/

Feb 17

KB2871690, Hyper-V, Server 2012, and Gen2 VMs

If you’re finding this post, it’s possible (or maybe even likely) that you’ve tried to install KB2871690 onto a Generation 2 Windows Server 2012 virtual machine on a Hyper-V host, and the installation failed. For those of you that haven’t run into this issue yet, you will if you attempt to install this particular update on a Windows Server 2012 (or Windows 8.0) Gen2 VM. It’s very frustrating to have a few hundred VMs patch, reboot, and fail to install a particular update and restart again… and then have the update offered again, and go through the cycle yet again because the admin installing updates was unaware this update wasn’t going to work, the update wasn’t pulled from WSUS or SCCM, etc. It happens.

Permanent link to this article: http://www.cluberti.com/blog/2014/02/17/kb2871690-hyper-v-server-2012-and-gen2-vms/

Feb 12

Enable RDP, firewall exceptions, and NLA settings via PowerShell and WMI (aka “the right way”)

I’ve come across quite a few folks over the years that enable RDP by setting the registry values to do so manually, and enabling firewall rules the same way (or disabling the firewall service itself, which is not supported by Microsoft, so don’t). While neither of these things are “the right way” to do it (I found this out from dealing with Microsoft support on this, and apparently doing it manually via the registry can cause issues), the right way isn’t really called out as such very well that I can find either.

I’ve created a very simple PowerShell script (I put it in my MDT and SCCM task sequences when deploying machines as one of the first things done after the OS is deployed) that enables RDP for the Administrators group, opens the right port on the firewall, and can also be used to set it to NLA only if $NLAEnable = 1. Credit where credit is due, the script below was based on a script that does this same thing here. Thanks Robin!

Permanent link to this article: http://www.cluberti.com/blog/2014/02/12/enable-rdp-firewall-exceptions-and-nla-settings-via-powershell-and-wmi-aka-the-right-way/

Nov 12

Windows 7 VDI? Here are some hotfixes you should be installing…

Microsoft PFE Robert Smith has published a list of hotfixes recommended be tested and deployed, if no issues arise, on Windows 7 installations used for VDI. Find the data at the link, here:
http://social.technet.microsoft.com/wiki/contents/articles/20893.windows-7-vdi-image-hot-fixes.aspx

Permanent link to this article: http://www.cluberti.com/blog/2013/11/12/windows-7-vdi-here-are-some-hotfixes-you-should-be-installing/

Oct 15

Easy Windows Updating on Server Core from PowerShell!

Are you running Server Core installations of Windows Server 2008, 2008R2, 2012, or 2012R2?  If you can, you should be.  And if you are, or just like using PowerShell for everything, you should really take a look at the Windows Update PowerShell module available from the TechNet Script Center, by MVP Michal Gajda.  It’s gotten quite good over the last few revisions, and I find myself loathing working on systems where it’s not been installed.

If you want an easy way to go about updating your Windows installations from PowerShell (locally or remotely), consider giving this add-on a try.  I think you’ll like it.

http://gallery.technet.microsoft.com/scriptcenter/2d191bcd-3308-4edd-9de2-88dff796b0bc

Permanent link to this article: http://www.cluberti.com/blog/2013/10/15/easy-windows-updating-on-server-core-from-powershell/

Aug 19

Installing IE10 into your Windows 7 image offline? You’re missing an update or two…

If you’re like me, you like to make sure the latest version of Internet Explorer supported by your organization is baked into the images you push into production, and IE10 on Windows 7 is no different.  Whether you’re slipstreaming it into the base image, or (better) using MDT to rebuild your base image and including IE10 into it, Microsoft has provided a handy list of updates that you should have already included before you attempt to install IE10 on Windows 7 without internet access (as most image build environments should be – right?  Right????):
How to obtain prerequisite updates for Internet Explorer 10 for Windows 7 that fail to install

That article lists 5 hotfix packages you will need – KB2533623, KB2670838, KB2729094, KB2731771, and KB2786081.  However, the astute amongst you have probably noticed that the IE10 installer, when left to it’s own devices during install, actually installs 6 hotfix packages, not 5.  That “extra” hotfix package is:
“0x00000050″ Stop error after you install update 2670838 on a computer that is running Windows 7 SP1 or Windows Server 2008 R2 SP1

Permanent link to this article: http://www.cluberti.com/blog/2013/08/19/installing-ie10-into-your-windows-7-image-youre-missing-an-update-or-two/

Mar 26

Microsoft Hotfix rollup and updates to attack Slow Boot / Slow Logon in Windows 7 SP1–plus some other things to help out

I get asked pretty often in my day job to help people troubleshoot / analyze / attack slow boot and slow logon issues they face in their Windows client or Windows terminal services environments, whether they be physical machines or VDI instances.  I wanted to share a few of the very quick and easy plans of attack that I take when the client endpoints are Windows 7 SP1 or servers are 2008 R2 SP1.

1. Install the latest enterprise hotfix rollup for Windows 7 SP1 or Windows 2008 R2 SP1 on all of your endpoints involved in the boot or logon process – that includes DCs, file servers, infrastructure servers, virtualization hosts, etc:

An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1
http://support.microsoft.com/kb/2775511

Windows 7 SP1-based or Windows Server 2008 R2 SP1-based SMBv2 client computer freezes when the computer is under a heavy load
http://support.microsoft.com/kb/2792026

Permanent link to this article: http://www.cluberti.com/blog/2013/03/26/microsoft-hotfix-rollup-and-updates-to-attack-slow-boot-slow-logon-in-windows-7-sp1plus-some-other-things-to-help-out/

Older posts «

Bad Behavior has blocked 4695 access attempts in the last 7 days.