More info on tweaks needed for Windows 10

Rob aka Mr. Essentials is going to town with his additional tweaks needed to get Windows 10 working with Essentials.

Check out http://titlerequired.com/2015/08/06/windows-server-essentials-2012-r2windows-10/ and http://titlerequired.com/2015/08/06/windows-server-2012-essentialswindows-10/ and http://titlerequired.com/2015/08/06/sbs-2011-essentials-windows-10/

Bottom line you need to make tweaks in the Group policy to make it see the 10’s due to the WMI filter.

RWW and RWA with Windows 10

So your client installed Windows 10 and he can’t use RWA/RWW now?

For SBS 2011 you can actually use the Edge browser without adjustment.  It actually works just fine with no adjustment.  If they want to use IE remember you need to use trusted site and compat mode. For SBS 2008 I’m checking with the product team but the story isn’t as good. https://social.technet.microsoft.com/Forums/en-US/fb9b0354-0eaf-4cfe-a6db-aace25fce12a/windows-10-and-remote-web-workplace-rdp?forum=winRDc AE_MGS in the forum found this workaround:Sign in to vote 

I found a work around for this on SBS 2008. Navigate to “C:\Program Files\Windows Small Business Server\Bin\webapp\Remote” on the SBS server. In that directory you will find a file named tsweb.aspx, right click it and edit it. Go about 1/4 to 1/3 of the way through the file and look for the section that looks this:

sub window_onload()
Dim targetMachineName
Dim version
On Error Resume Next
version = MsRdpClient.Version
if Err then
msgbox ControlLoadFailed_ErrorMessage,0,RemoteDesktopCaption_ErrorMessage
exit sub
end if
On Error GoTo 0
if strcomp(version,”6.0.6000″) < 0 then
msgbox IncorrectClientVersion_ErrorMessage, 0, RemoteDesktopCaption_ErrorMessage
window.close
exit sub
end if

What I did was to comment out the second part of that statement so it looks like this

‘if strcomp(version,”6.0.6000″) < 0 then
‘   msgbox IncorrectClientVersion_ErrorMessage, 0, RemoteDesktopCaption_ErrorMessage
‘   window.close
‘   exit sub
‘end if

 

I have done limited testing and this seems to work, but I don’t know if there are any bad side effects at this time. Windows 7 clients do not seem to have issues connecting after this change was made. You also may have to temporarily adjust permissions on that file so that you can save the file. I also had the compatibility mode on and had it as a trusted site, but I have not tested it without those on.

Just sync’d up on WSUS

Is the July 29th cumulative update for Windows 10.  This includes several security fixes as well as non security fixes.

This is the new style of update – it’s a cumulative update, not individual patches.

https://support.microsoft.com/en-us/kb/3074683

And hang loose for a blog post on how to add group policy templates for 8/8.1 as we’re still waiting for the official ADMX files for Windows 10 as well as the RSAT tools.

https://www.microsoft.com/en-us/download/details.aspx?id=36991

Windows 10 and SBS/Essentials platforms

Be aware that at this time Windows 10 will need a connector update in order to connect to/be backed up by Essentials 2012 r2

http://blogs.technet.com/b/sbs/archive/2015/07/23/client-connector-availability-with-windows-home-server-small-business-server-and-windows-server-essentials-for-supported-client-os.aspx

I have Windows 10 installed behind SBS 2011 and there’s a few tweaks that need to be done that aren’t listed there

1. Windows 10 RDP group policy

The default Group policy rule on the server allowing RDP/RWA access needs to have an additional rule set to work with Windows 10 (also this is needed for 8.1 as well).

Instead of merely having a firewall rule for RDP, you need a firewall rule for RDP- user mode both the TCP-in rule and the UDP-in rule.

rdoub

2. Don’t want your Windows 10 to list like they are Vista machines on SBS 2011’s WSUS? Then follow Robert’s post:

http://titlerequired.com/2015/07/22/windows-10-on-wsus-shows-as-windows-vista/

WSUS already has Windows 10 categories up there ready and waiting for you.

As far as where to get media/how to get media, be aware that behind a domain the Windows 10 reservation icon thing is blocked. But not to worry you don’t NEED it. Just manually go to Microsoft update after 7/29 to pull it down or look for more info on means to get it after 7/29.

If you want to TOTALLY block the ability for folks to manually install it from MU

How to manage Windows 10 notification and upgrade options:
https://support.microsoft.com/en-us/kb/3080351
To configure this Group Policy Object by using Group Policy, the following conditions apply:

  • The appropriate update must be installed.
  • You must use the updated WindowsUpdate.admx file by copying the file from the editing policy location.
Computer Configuration

To block the upgrade by using Computer Configuration, follow these steps:

  1. Click Computer Configuration.
  2. Click Policies.
  3. Click Administrative Templates.
  4. Click Windows Components.
  5. Click Windows Update.
  6. Double-click Turn off the upgrade to the latest version of Windows through Windows Update.
  7. Click Enable.

Policy path: Computer Configuration / Administrative Templates / Windows Components / Windows Update Policy
Setting: Turn off the upgrade to the latest version of Windows through Windows Update

Windows registry

Important Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

To suppress this offer through the registry, set the following registry value:

Subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DWORD value: DisableOSUpgrade = 1

And finally

Single number with 8 digits error code received early on in the process:

Suggests that it’s a Windows update issue. (Example 0x800700)

Troubleshoot with KB956702

https://support.microsoft.com/en-us/kb/956702

Common root causes:

WU components not functioning properly

Internet connection issue

Malware

 

Two part error number:

Example: 0xc1900101 – 0x2000c and 0xc1900101 – 0x30018

The first part tells you what happened, the second part tells you where.

If the second code starts with 1 or 2 the error occurred during the Downlevel or WinPE/Safe OS setup phases.

If the second code starts with 3 or 4, the error occurred during the first or second boot.

 

Code 1 or 2:

Check compatibility of the PC with the manufacturer

Remove security and system utility software

Check integrity of download of ISO and recreate if necessary

Common root causes:

System partition out of space

Damaged installation source files

Incompatible security or utility software

Firmware compatibility or security setting issue

Non standard boot configuration

 

Code 3 or 4:

Errors in this section are difficult to diagnose to a root cause particularly when they end with 17 or 18. These are often driver errors. Issues in this category may be caused by other software or hardware issues.

Disconnect all non-essential hardware

Update drivers for remaining hardware

Install all available Windows updates

Common root causes:

Incompatible device or driver

Incompatible security or utility software

Issue with the user profiles during migration of data

 

More resources:

How to: Troubleshoot common Setup and Stop Errors during Windows – Microsoft Community:

http://answers.microsoft.com/en-us/insider/wiki/insider_wintp-insider_install/how-to-troubleshoot-common-setup-and-stop-errors/324d5a5f-d658-456c-bb82-b1201f735683 Windows 10 system requirements: http://www.zdnet.com/article/windows-10-will-your-pc-run-it/

  • Processor: 1 gigahertz (GHz) or faster
  • RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
  • Free hard disk space: 16 GB
  • Graphics card: Microsoft DirectX 9 graphics device with WDDM driver
  • A Microsoft account and Internet access


The fail of support

http://www.businessinsider.com/microsoft-ceo-satya-nadella-responded-to-azure-support-cry-from-tiny-startup-2015-7#

So some are saying how cool this is that Satya Nadella stepped up and helped to support this customer.  I see this as a failure of support and I’m guessing that it’s a failure of forum support.  With Azure you have to purchase a support case or you post into the MSDN forum.

http://azure.microsoft.com/en-us/support/plans/
http://azure.microsoft.com/en-us/support/forums/

Bottom line it never should have taken an email to the top.  This should have been totally handled by support.  But I’m not convinced that the customer opened an Azure support case because in my experience with IT pro cases, they call you back and want to work on it as they have a mandate to work on it or close it.  I’m guessing this was forum support where there’s no guarantee of any sort of response time.

 

Helping out Mrs. Essentials

Many of you know Robert (Mr. Essentials) Pearman as the key person who blogs about Essentials topics – more so than I do these days honestly.

http://titlerequired.com/

If you’ve never been to his site for his Essentials content, you should book mark it.

But that’s not what this post is about, it’s about helping his better half.  You know…. his wife!  She’s got an admirable goal to get a Masters as well as everything else she has to do like raising two cute daughters and ….uh, well… like putting up with Mr. Essentials I’m sure.  😉  Seriously I think it’s a wonderful goal so if you feel like I do, please consider helping out to fund her education.

So check out her gofundme page!

Gary passes along a PSA

Gary passes along this info…

“I didn’t see this here, and your blog is usually the first place I look for “SBS” (er.. essentials now) information:

Samsung 850 EVO SSD drives do NOT get along well with Windows 2012 R2.  In an essentials server, they’ll produce 100% crashes, and in any other 2012 R2 server, they’ll produce crashes any time the write cache is turned off (which happens when a server is promoted to a DC — which happens 100% of the time for Essentials.)

Sadly, nothing about the crashes leads a person to believe that it’s the SSD drive, but it has been narrowed down by several people.

There’s quite a bit of information once you know what to search for.  Isn’t that always the case?

Here’s some links:

This guy had the problem, even though it wasn’t narrowed down:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/ebc71806-37ab-49c4-9218-9964b30d958a/0xc000021a-during-server-2012-r2-essentials-setup?forum=winserveressentials

This one narrows it down:
http://community.spiceworks.com/topic/869314-warning-do-not-use-samsung-850-evo-ssd-with-windows-server-2012-r2

Here’s the one that generated my own “ah, ha!” moment:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/81c6d52f-578c-44c8-a6ec-18c03a818295/cant-promote-server-2012-r2-to-domain-controller-get-error-0xc000021a?forum=winserverDS

Patching Exchange

When updating Exchange servers remember that since 2010 era they no longer automatically MU down.

To know what the latest and greatest is – check out this post:

http://blogs.technet.com/b/rmilne/archive/2013/10/29/how-to-check-exchange-2010-ru-version.aspx

For an oneoff clicking on help-about is probably the easiest.

Then compare it to this list here:  https://technet.microsoft.com/library/hh135098.aspx?f=255&MSPPError=-2147217396

Then keep in mind for Exchange 2010 if you do any PCI/TLS tweaking that you need to be on  update rollup 9 as noted here:

SMTP is not transported over TLS 1.1 or TLS 1.2 protocol in an Exchange Server 2010 environment:
https://support.microsoft.com/en-us/kb/3029667

Following up on MS15-010 side effects

Just to follow up on a few updates:  The hotfix for this issue is now out and we’re still pushing for this to be on Microsoft update:  http://blogs.technet.com/b/sbs/archive/2015/03/13/the-ms15-10-security-update-for-windows-server-2012-r2-essentials-and-the-client-restore-functionality.aspx

If you have a 2012 R2 (and only 2012 R2 Essentials is impacted) you’ll need to install this hotfix on all workstations to use the console to restore files.

You cannot restore files and folders from Server Essentials Backup on a Windows-based computer after installing MS15-010
https://support.microsoft.com/en-us/kb/3045682

Want to block the Windows 10 upgrade icon?

Looking to block the Windows 10 upgrade icon from the system tray?

 

Remove windows 10 upgrade icon from sys. tray – Spiceworks:
http://community.spiceworks.com/topic/983148-remove-windows-10-upgrade-icon-from-sys-tray

1, Run the following command

taskkill /f /im GWX.exe /T

This will take about 30 seconds to close it

2. Copy the following into notepad and save it as Disable.reg (ensure the file ending is .reg)

———————————–

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\GWX\shell\open\command]

[-HKEY_CLASSES_ROOT\ms-gwx\shell\open\command]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GWX\shell\open\command]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ms-gwx\shell\open\command]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{18abebc9-83ec-435f-8f15-6d1e9187c999}]

————————————————

Run the Disable.reg file and restart the computer.

Want to get it back? Do the same only copy this and save it as Enable.reg

—————————————————

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\GWX\shell\open\command]

@=”C:\\Windows\\System32\\GWX\\GWX.exe %1″

[HKEY_CLASSES_ROOT\ms-gwx\shell\open\command]

@=”C:\\Windows\\System32\\GWX\\GWX.exe %1″

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GWX\shell\open\command]

@=”C:\\Windows\\System32\\GWX\\GWX.exe %1″

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ms-gwx\shell\open\command]

@=”C:\\Windows\\System32\\GWX\\GWX.exe %1″

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{18abebc9-83ec-435f-8f15-6d1e9187c999}]

@=”Microsoft-Windows-GWX-Ins”

“ResourceFileName”=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\

00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\

5c,00,47,00,57,00,58,00,5c,00,47,00,57,00,58,00,2e,00,65,00,78,00,65,00,00,\

00

“MessageFileName”=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\

6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\

00,47,00,57,00,58,00,5c,00,47,00,57,00,58,00,2e,00,65,00,78,00,65,00,00,00

“Enabled”=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{18abebc9-83ec-435f-8f15-6d1e9187c999}\ChannelReferences]

“Count”=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{18abebc9-83ec-435f-8f15-6d1e9187c999}\ChannelReferences]

@=”Microsoft-Windows-GWX-Ins/Operational”

“Id”=dword:00000010

“Flags”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{18abebc9-83ec-435f-8f15-6d1e9187c999}\ChannelReferences\1]

@=”Microsoft-Windows-GWX-Ins/Debug”

“Id”=dword:00000011

“Flags”=dword:00000000