Windows 10 – Azure Active Directory – Overview

Pirate,

in many Windows 10 or MDM workshops, we come back to the question of how clients or devices will be connected to our on-premises environment in the future. Of course we then talk about Azure Active Directory. Reason enough to deal with it here for once.

In general I can tell you that all Microsoft Online Services handle authentication via Azure AD (AAD). So whether you are using O365 (Exchange Online, SharePoint Online, etc.) or services from Azure (OMS, Azure Remote Apps, etc.) – the authentication process is always handled via Azure AD.

Windows 10 – Manage or disable Telemetry

Ahoy Pirate!

in my last post I wrote about the four levels of telemetry – what each level does and what it reports. Let’s now have a look at how you can reduce the level of transmission as a normal client and in an enterprise environment.

To wrap up the general stuff again:

  • the “Security” level is only available in Windows 10 Enterprise, Windows 10 Education and Windows 10 IoT Core editions.
  • the default level is “Full” for Windows 10 Home and Professional and
  • the default level is “Enhanced” for Enterprise edition.
  • On a device that is running an Insider preview edition, this value is set to “Full” and can only be changed by installing a released version.

Windows 10 – Telemetry levels

Ahoy Pirate,

Windows 10 is one of the most, or maybe the most, communicative operating systems ever released. As we all know, it is important for Microsoft to collect this data to improve the future quality of the operating system. Maybe that’s why it collects the data by default. Nevertheless, there might be some cases where you need to reduce or disable the level of communication. Today I will tell you how.

So let’s start with the question: what is telemetry?

Windows 10 – Provisioning Packages – Frequently Asked Questions

Pirate,

this is part 3 of my provisioning package series:

Windows 10 Provisioning Packages – Installation of the Imaging and Creation Designer (ICD)

Pirate,

this is part 2 of my provisioning package series. In this part we will have a look at how to install the Imaging and Creation Designer from the Windows 10 ADK.

Windows 10 – Provisioning Packages – Overview

Ahoy Pirate,

this is part 1 of my provisioning package series:

Visio Viewer 2013 does not open

Ahoey,

the way we’ve decided to install Office 2013 within a recent project includes the Viewer for Visio documents. So normally when you open a drawing with Visio Viewer, the drawing appears inside an Internet Explorer window. Technically the Visio Viewer implements an ActiveX control which renders Visio drawings inside IE. The pages are available as tabs along the bottom of the viewer. But after the uninstallation of the old version and the installation of Office 2013 there was no file association to the viewer. What needed to be done was to set the Visio Viewer as the default viewer.

This can be done easily by modifying the registry:

Windows Registry Editor Version 5.00

; Associate the Visio file extensions with the Visio Viewer
[HKEY_CLASSES_ROOT\.vsd]
"Content Type"="application/vnd.ms-visio.viewer"
@="VisioViewer.Viewer"

[HKEY_CLASSES_ROOT\.vst]
"Content Type"="application/vnd.ms-visio.viewer"
@="VisioViewer.Viewer"

[HKEY_CLASSES_ROOT\.vdx]
"Content Type"="application/vnd.ms-visio.viewer"
@="VisioViewer.Viewer"

[HKEY_CLASSES_ROOT\.vss]
"Content Type"="application/vnd.ms-visio.viewer"
@="VisioViewer.Viewer"

[HKEY_CLASSES_ROOT\.vsx]
"Content Type"="application/vnd.ms-visio.viewer"
@="VisioViewer.Viewer"

[HKEY_CLASSES_ROOT\.vtx]
"Content Type"="application/vnd.ms-visio.viewer"
@="VisioViewer.Viewer"

This issue very often appears if you remove Visio Standard 2010 and don’t install any later version. We then inserted a step within the task sequence which takes over this task by running the migration from Office 2010 to Office 2013.

This solved it for us in general.

 

Cheers

*Captain

SCCM Client Activity: Active / Inactive

Ahoey Pirate!

Recently I had an issue where every client went from active to inactive.

In Site Status, SMS_MP_CONTROL_MANAGER reported the management point as “critical” with two significant errors:

“MP could not write out CCM setting to WMI.

Possible cause: MP didn’t get installed properly.
Solution: Ensure MP setup succeeded; if not, reinstall MP”

and

“SMS Executive detected that this component stopped unexpectedly.

Possible cause: The component is experiencing a severe problem that caused it to stop unexpectedly.
Solution: Refer to your ConfigMgr Documentation or the Microsoft Knowledge Base for further troubleshooting information.”

For me the next step was to look into mpcontrol.log, where I found these errors:

“CMPControlManager::WriteToCCMSettings(): pWmi->GetObject() failed – 0x80041002”

“MPStart(): WriteToCCMSettings() failed – 0x80041002”

“SMS_MP_CONTROL_MANAGER failed to start with 0x80041002”

“CMPControlManager::ReadConfigurationSettings(): m_pWmi->GetObject() failed – 0x80041010”

 

For me it seemed to be an issue with WMI. So the first thing I tried was to connect to a client with Windows Management Instrumentation Tester (wbemtest), and that worked. Next I tried to do a clean client installation by using the “Uninstall existing Configuration Manager client before the client is installed” function. The client installation aborted almost instantly with the following message:

“GetDPLocations failed with error 0x8000ffff”

“Failed to get DP locations as the expected version from MP ‘[SERVERNAME]’. Error 0x8000ffff”
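
The error codes quoted above can be decoded to see which component they point at. The following PowerShell is an added example, not part of the original post; the function name Get-LogHResult is hypothetical, and the sample lines are the quoted messages retyped with a plain hyphen.

```powershell
# Added example: decode the HRESULTs in the log messages quoted in this post.
# Constructed input: the quoted messages, retyped with a plain "-".
$sampleLines = @(
    'CMPControlManager::WriteToCCMSettings(): pWmi->GetObject() failed - 0x80041002'
    'MPStart(): WriteToCCMSettings() failed - 0x80041002'
    'SMS_MP_CONTROL_MANAGER failed to start with 0x80041002'
    'CMPControlManager::ReadConfigurationSettings(): m_pWmi->GetObject() failed - 0x80041010'
    'GetDPLocations failed with error 0x8000ffff'
)

# Only codes whose meaning is well known; anything else is reported as unknown.
$knownCodes = @{
    '0x80041002' = 'WBEM_E_NOT_FOUND: requested WMI object does not exist'
    '0x80041010' = 'WBEM_E_INVALID_CLASS: requested WMI class does not exist'
    '0x8000FFFF' = 'E_UNEXPECTED: unexpected failure'
}

function Get-LogHResult {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    process {
        # Take the first 8-digit hex code on the line; skip lines without one.
        $m = [regex]::Match($Line, '0x[0-9A-Fa-f]{8}\b')
        if (-not $m.Success) { return }
        $code    = '0x' + $m.Value.Substring(2).ToUpperInvariant()
        $meaning = if ($knownCodes.ContainsKey($code)) { $knownCodes[$code] } else { 'unknown' }
        [pscustomobject]@{
            Code    = $code
            IsWmi   = $code.StartsWith('0x80041')   # range used by WMI (WBEM) error codes
            Meaning = $meaning
            Message = $Line.Trim()
        }
    }
}

# Summarise: one line per distinct code, then the share of WMI failures.
$results = @($sampleLines | Get-LogHResult)
$results | Group-Object Code | ForEach-Object {
    '{0}  x{1}  {2}' -f $_.Name, $_.Count, $_.Group[0].Meaning
}
$wmiCount = @($results | Where-Object IsWmi).Count
"$wmiCount of $($results.Count) failing calls return WMI error codes"
```

To check a real log, pipe the output of Get-Content for your mpcontrol.log into Get-LogHResult instead of the sample lines.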

 

So I tried to figure out if the client was able to connect to the management point. To do that, you can open the following address in your web browser:

HTTP://[Hostname or FQDN]/SMS_MP/.SMS_AUT?MPCERT

Instead of something like this:

[Screenshot]

I got an Internal server error.

So everything pointed to a faulty or misconfigured management point and I decided to reinstall that role. So I opened up Administration\Overview\Site Configuration\Servers and Site System Roles\, selected the affected Management Point and hit Remove Role. In MPSetup.log you can follow the uninstallation.

After a while I reinstalled the Management Point.

Management Point was available via Internet Explorer and my client reported Client Activity as Active. Problem solved!

 

Good luck

*Captain

 

run as account cannot log on locally

Sailors,

I’ve set up a new SCOM environment at a customer’s site. Once the installation and the base configuration were finished, I let the server run and collect alerts for several days. On the next workshop day we had a lot of warnings like these and the customer asked me why:

[Screenshot: run as account cannot log on locally]

I have to admit, I was a little bit confused in the beginning too, because I’m trying to configure my environments in the least-privilege way. But then I recognized that the customer’s admin had started to configure Run As Accounts in his own way, and it became clearer…

If you create a Run As Account of type “Windows” and set the distribution of this account to “less secure”, this account gets distributed to every system and SCOM tries to authenticate with every “less secure” Run As Account on every system.

[Screenshot: Run As Account type Windows]

You shouldn’t use “less secure” accounts at all. Work with more secure accounts and specify the servers to which you want them distributed.

 

Aaaaaaaaarrrrr

*Captain

© 2017 IT-Pirate