SolarWinds Orion – Certificate Expiration Template

I’m back again with one more PowerShell script, this time getting certificate expiration warnings from Windows machines.

You can use the PowerShell script below to create a template and get warnings, critical, down etc. if a certificate is close to expiration or already is expired.

Read More

WSUS – High CPU due to “supersedence” updates.

Lately I have been seeing high CPU (90-100%) usage on servers where the Windows Server Updates Services (WSUS) is installed.

This is mainly caused by updates that is superseded, and is filling the database causing the CPU to spike.

Read More

WSUS – Windows 10 Clients – Error 0x8024500c

Error

Just finished troubleshooting an error with Windows 10 clients (build 1607 and above) contacting WSUS server getting 0x8024500c like below while searching updates.

The client had an on-premise WSUS server which they wanted to push out Windows Updates, instead of using the internet (windowsupdate.microsoft.com).

Cause/Solution

They had configured the following group policy to enable:

  • Computer Configuration\Administrative Templates\Windows Components\Windows Update
    • Do not connect to any Windows Update Internet location

This caused the Windows Update on the clients to break, instead they should disabled the above and configured the following instead:

  • Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
    • Turn off access to all Windows Update features

The above will allow users to download apps on the Windows Store, but still only allowing the users to use the on-premise WSUS server.

Unfortunately Microsoft introduced a new feature called “Dual Scan” (read more about it here) which allows the Windows clients to access both WSUS and the internet, which would potentially bypass the local WSUS.

To disable the dual scan, the client needs to have the following registry keys deleted.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update
    • BranchReadinessLevel
    • DeferFeatureUpdatesPeriodInDays
    • DeferQualityUpdatesPeriodInDays
    • DeferUpdatePeriod
    • DeferUpgradePeriod
    • ExcludeWUDriversInQualityUpdate
    • PauseDeferrals
    • PauseFeatureUpdates
    • PauseQualityUpdates
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
    • BranchReadinessLevel
    • DeferFeatureUpdatesPeriodInDays
    • DeferQualityUpdatesPeriodInDays
    • ExcludeWUDriversInQualityUpdate
    • DeferUpgrade

If though you set the matching group policies to “Not Configured” or “Disable”, it will not delete the keys but only set them to zero (DWORD) in the registry.

For those clients that are running build 1607, you need to install kb4025334 which will add a local policy “Do not allow update deferral policies to cause scan against Windows Update” under “Computer Configuration\Administrative Templates\Windows Components\Windows Update“.

You can set this group policy on those 1607 clients by adding the following registry through group policy.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    • Key: DisableDualScan
    • Value: 0x1
    • Type: DWORD

The WSUS server was also tuned a little, because all resources was used. This caused the clients to take a long time to talk and eventually timeout.

  • All superseded updates was declined in the WSUS management console.
  • The WSUS IIS application pool (“WsusPool“) was also tunned with the following settings (remember IISRESET afterwards):
    • .NET Framework Version: v4.0
      • Already on Windows Server 2012 above, but this server was Windows Server 2008 R2
    • Queue Length: 2000
    • Private Memory Limit: 7843200

You can test the Windows Update by executing the following command in a elevated command prompt.

  • usoclient.exe StartScan

Troubleshooting

Registry Keys

If you want to see what registry keys you have on your client, you can run the following in a command prompt with elevated rights.

  • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
  • reg query HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update
  • reg query HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings

Windows Update Log

Check the Windows Update log by running the following command in PowerShell.

  • Get-WindowsUpdateLog

CBS Log

Check the Component-Based Servicing log here.

  • C:\Windows\Logs\CBS

That is my 2 cents, hope you can use it!

 

 

 

 

PowerShell – Create a TFS team project with PowerShell using REST API

I’m back again with a new PowerShell script to create a TFS project without Power Tools (which isn’t supported on TFS 15+).

 

PowerShell – Automated Remote Desktop Services (RDS) web feed.

Recently I wanted to make it easy for users to add a Remote Desktop Service web feed through group policies. I created a script that needs to be run in the user context.

You need to specify a URL in the script as a variable.

Read More

PowerShell – Find nested Active Directory members of a group

Lately I found out that the following doesn’t always work, I had problem with returning all users in a group.

So I have created a small PowerShell function that basically does the same thing. Use it free of charge!

 

PowerShell – Convert a text document to a PDF.

Looong time, no posts.

Just wrote a PowerShell function that can convert text documents into PDF format. You need Microsoft Office Word installed.

Use free of charge:

 

Event 15021 – An error occurred while using SSL configuration for endpoint 0.0.0.0:443

Lately I had the issue that SolarWinds Orion was detecting an expiring certificate on one of our servers. I have replaced every certificate on the server and double checked (of thought!) that the old certificate was deleted. But it was still complaining about an expiring date on a certificate I couldn’t find. I checked the event logs and found the event 15021, which told me something was still wrong.

I found out that a certificate was on a binding with “netsh show http certssl” in a command prompt.

It was resolved by doing the following.

Read More

SharePoint – User Profile Image Cross-Site with ADFS

If you have spread the MySite and a web application into separated SharePoint Web Application and both of these is using ADFS for authentication. You maybe noticed that you are not able to load user profile thumbnails from the MySite. This is because a token is not issued from the MySite webapplication and Cross-Origin Resource Sharing (CORS) that is a security measure.

But luckily Microsoft have acknowledged this an added a PowerShell command that allows to load pictures/resources from other SharePoint web applications on the same farm.

Read More

SharePoint – Reduce the search system impact

It’s possible to set the performance for a SharePoint search crawl with PowerShell. This becomes handy if you are on a developing environment where performance isn’t crucial.

There are 3 valid modes:

  • Reduced
    • Total number of threads = number of processors, Max Threads/host = number of processor.
  • PartlyReduced (default)
    • Total number of threads = 4 times the number of processors , Max Threads/host = 16 times the number of processors
  • Maximum
    • Total number of threads = 4 times the number of processors , Max Threads/host = 16 times the number of processors (threads are created at HIGH priority)

Use the following PowerShell commands in a SharePoint Management Shell.

Read More