Group Policy | Alex Ø. T. Hansen

Alex Ø. T. Hansen

16/09/2018

Tutorial – Deploy Always On VPN

Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, non-domain-joined (workgroup), or Azure AD–joined devices, even personally owned devices. With Always On VPN, the connection type does not have to be exclusively user or device but can be a combination of both. For example, you could enable device authentication for remote device management, and then enable user authentication for connectivity to internal company sites and services.

The purpose for this guide is to demonstrate how to deploy the Always On feature easily. In this guide we will deploy the following platforms primarily using PowerShell where possible:

Active Directory (AD DS)
DNS
Certificate Authority (AD CS)
DHCP
Routing and Remote Access Service (RRAS)
Network Policy Server (RADIUS)

It will not be demonstrated how to install Windows Server or Windows 10 operating system.

Do not attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure. Using Remote Access in Microsoft Azure is not supported, including both Remote Access VPN and DirectAccess.

Alex Ø. T. Hansen

03/08/2017

WSUS – Windows 10 Clients – Error 0x8024500c

Error

Just finished troubleshooting an error with Windows 10 clients (build 1607 and above) contacting WSUS server getting 0x8024500c like below while searching updates.

The client had an on-premise WSUS server which they wanted to push out Windows Updates, instead of using the internet (windowsupdate.microsoft.com).

Cause/Solution

They had configured the following group policy to enable:

Computer Configuration\Administrative Templates\Windows Components\Windows Update
- Do not connect to any Windows Update Internet location

This caused the Windows Update on the clients to break, instead they should disabled the above and configured the following instead:

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
- Turn off access to all Windows Update features

The above will allow users to download apps on the Windows Store, but still only allowing the users to use the on-premise WSUS server.

Unfortunately Microsoft introduced a new feature called “Dual Scan” (read more about it here) which allows the Windows clients to access both WSUS and the internet, which would potentially bypass the local WSUS.

To disable the dual scan, the client needs to have the following registry keys deleted.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update
- BranchReadinessLevel
- DeferFeatureUpdatesPeriodInDays
- DeferQualityUpdatesPeriodInDays
- DeferUpdatePeriod
- DeferUpgradePeriod
- ExcludeWUDriversInQualityUpdate
- PauseDeferrals
- PauseFeatureUpdates
- PauseQualityUpdates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
- BranchReadinessLevel
- DeferFeatureUpdatesPeriodInDays
- DeferQualityUpdatesPeriodInDays
- ExcludeWUDriversInQualityUpdate
- DeferUpgrade

If though you set the matching group policies to “Not Configured” or “Disable”, it will not delete the keys but only set them to zero (DWORD) in the registry.

For those clients that are running build 1607, you need to install kb4025334 which will add a local policy “Do not allow update deferral policies to cause scan against Windows Update” under “Computer Configuration\Administrative Templates\Windows Components\Windows Update“.

You can set this group policy on those 1607 clients by adding the following registry through group policy.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- Key: DisableDualScan
- Value: 0x1
- Type: DWORD

The WSUS server was also tuned a little, because all resources was used. This caused the clients to take a long time to talk and eventually timeout.

All superseded updates was declined in the WSUS management console.
The WSUS IIS application pool (“WsusPool“) was also tunned with the following settings (remember IISRESET afterwards):
- .NET Framework Version: v4.0
  - Already on Windows Server 2012 above, but this server was Windows Server 2008 R2
- Queue Length: 2000
- Private Memory Limit: 7843200

You can test the Windows Update by executing the following command in a elevated command prompt.

usoclient.exe StartScan

Troubleshooting

Registry Keys

If you want to see what registry keys you have on your client, you can run the following in a command prompt with elevated rights.

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
reg query HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update
reg query HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings

Windows Update Log

Check the Windows Update log by running the following command in PowerShell.

Get-WindowsUpdateLog

CBS Log

Check the Component-Based Servicing log here.

C:\Windows\Logs\CBS

That is my 2 cents, hope you can use it!

Alex Ø. T. Hansen

12/06/2017

PowerShell – Automated Remote Desktop Services (RDS) web feed.

Recently I wanted to make it easy for users to add a Remote Desktop Service web feed through group policies. I created a script that needs to be run in the user context.

You need to specify a URL in the script as a variable.

Alex Ø. T. Hansen

05/09/2016

Group Policy – Found unlinked (disabled) GPO and delete it

If you have a lot of unused (not linked) group policy object, you can delete it with the following PowerShell script.

Alex Ø. T. Hansen

10/01/2016

SharePoint – WAS – Event ID 5021

I just had a customer who’s SharePoint application pool keep stopping.

We had the following output in the event log on the server:

The identity of application pool [AppPoolID] is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request.  If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

The identity of application pool [AppPoolID] is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

There can be 2 resolutions to this error, the following needs to be done.