Startup Options on this PC are Configured Incorrectly – BitLocker

Enabling BitLocker gives an error on Surface Pro devices –

Error: The Startup Options on This PC are Configured incorrectly. Contact your System Administrator For More Information

Solution –

The Group Policy setting that allows BitLocker authentication requiring a preboot keyboard on slate devices has to be enabled:

Enable use of BitLocker authentication requiring preboot keyboard input on slates – Enabled

Default Recommended Group Policy for Surface Pro Devices –

Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives
  Disallow standard users from changing the PIN or password – Enabled
  Enable use of BitLocker authentication requiring preboot keyboard input on slates – Enabled
  Require additional authentication at startup – Enabled
    Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
    Settings for computers with a TPM:
      Configure TPM startup: Do not allow TPM
      Configure TPM startup PIN: Allow startup PIN with TPM
      Configure TPM startup key: Do not allow startup key with TPM
      Configure TPM startup key and PIN: Allow startup key and PIN with TPM
  Require additional authentication at startup (Windows Server 2008 and Windows Vista) – Enabled
    Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
    Settings for computers with a TPM:
      Configure TPM startup key: Allow startup key with TPM
      Configure TPM startup PIN: Allow startup PIN with TPM
    Important: If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
    Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.

Windows Components/MDOP MBAM (BitLocker Management)/Client Management
  Configure automatically resetting TPM lockouts – Enabled
  Configure MBAM services – Enabled
    MBAM Recovery service endpoint: https://bitlocker.careexchange.in:443/MBAMRecoveryAndHardwareService/CoreService.svc
    Select BitLocker recovery information to store: Recovery password and key package
    Enter client checking status frequency in (minutes): 90
    Configure MBAM Status reporting service: Enabled
    MBAM Status reporting service endpoint: https://bitlocker.careexchange.in:443/MBAMComplianceStatusService/StatusReportingService.svc
    Enter status report frequency in (minutes): 720

Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive
  Encryption Policy Enforcement Settings – Enabled
    Configure the number of noncompliance grace period days for operating system drives: 0
  Operating system drive encryption settings – Enabled
    Allow BitLocker without a compatible TPM (requires a password): Disabled
    Select protector for operating system drive:
    Settings for computers with a TPM:
      Configure minimum PIN length for startup: 6

User Configuration (Disabled)
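Before enabling BitLocker on a Surface, it is worth checking that the policy above has actually applied to the device. This is an added example, not code from the original post; it assumes the registry value names that VolumeEncryption.admx writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (0 = do not allow, 1 = require, 2 = allow; verify against your own ADMX copy) and the Get-BitLockerVolume cmdlet from the BitLocker module.

```powershell
# Added example (not from the original post): audit the local BitLocker policy
# against the Surface Pro recommendations above before enabling BitLocker.
# Assumption: value names as mapped by VolumeEncryption.admx under the FVE key.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected values for the Surface Pro policy in this post.
$expected = [ordered]@{
    UseAdvancedStartup                     = 1   # Require additional authentication at startup
    OSEnablePrebootInputProtectorsOnSlates = 1   # preboot keyboard input on slates
    DisallowStandardUserPINReset           = 1   # standard users cannot change the PIN
    UseTPM                                 = 0   # Do not allow TPM-only startup
    UseTPMPIN                              = 2   # Allow startup PIN with TPM
    UseTPMKey                              = 0   # Do not allow startup key with TPM
    UseTPMKeyPIN                           = 2   # Allow startup key and PIN with TPM
}

function Test-SurfaceBitLockerPolicy {
    $findings = @()
    if (-not (Test-Path $fve)) {
        return @("Policy key $fve does not exist: no BitLocker GPO has applied yet.")
    }
    $actual = Get-ItemProperty -Path $fve
    foreach ($name in $expected.Keys) {
        $value = $actual.PSObject.Properties[$name].Value
        if ($null -eq $value) {
            $findings += "$name is not set (expected $($expected[$name]))"
        } elseif ($value -ne $expected[$name]) {
            $findings += "$name is $value (expected $($expected[$name]))"
        }
    }
    # Requiring (1) both the startup PIN and the startup key triggers the
    # policy error quoted in the policy text above.
    if ($actual.UseTPMPIN -eq 1 -and $actual.UseTPMKey -eq 1) {
        $findings += 'Both startup PIN and startup key are required; allow only one of them.'
    }
    return $findings
}

$findings = Test-SurfaceBitLockerPolicy
if ($findings.Count -eq 0) { 'BitLocker policy matches the Surface Pro recommendation.' }
else { $findings | ForEach-Object { "MISMATCH: $_" } }

# Show which protectors the OS volume currently has (BitLocker module).
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Run it from an elevated PowerShell after gpupdate; any MISMATCH line points at the policy setting to correct before the startup options error will clear.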

Default Recommended Group Policy for Laptops and Desktops –

Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives
  Disallow standard users from changing the PIN or password – Enabled
  Require additional authentication at startup – Enabled
    Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
    Settings for computers with a TPM:
      Configure TPM startup: Do not allow TPM
      Configure TPM startup PIN: Allow startup PIN with TPM
      Configure TPM startup key: Do not allow startup key with TPM
      Configure TPM startup key and PIN: Allow startup key and PIN with TPM
  Require additional authentication at startup (Windows Server 2008 and Windows Vista) – Enabled
    Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
    Settings for computers with a TPM:
      Configure TPM startup key: Allow startup key with TPM
      Configure TPM startup PIN: Allow startup PIN with TPM
    Important: If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
    Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.

Windows Components/MDOP MBAM (BitLocker Management)/Client Management
  Configure automatically resetting TPM lockouts – Enabled
  Configure MBAM services – Enabled
    MBAM Recovery service endpoint: https://bitlocker.careexchange.in:443/MBAMRecoveryAndHardwareService/CoreService.svc
    Select BitLocker recovery information to store: Recovery password and key package
    Enter client checking status frequency in (minutes): 90
    Configure MBAM Status reporting service: Enabled
    MBAM Status reporting service endpoint: https://bitlocker.careexchange.in:443/MBAMComplianceStatusService/StatusReportingService.svc
    Enter status report frequency in (minutes): 720

Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive
  Encryption Policy Enforcement Settings – Enabled
    Configure the number of noncompliance grace period days for operating system drives: 0
  Operating system drive encryption settings – Enabled
    Allow BitLocker without a compatible TPM (requires a password): Disabled
    Select protector for operating system drive:
    Settings for computers with a TPM:
      Configure minimum PIN length for startup: 6

User Configuration (Disabled)

Computer policy could not be updated successfully

gpupdate /force

Updating Policy...

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

The following warnings were encountered during computer policy processing:

The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Solution –

  • Verified that the machine account is active in Active Directory.
  • Verified that the Active Directory servers are reachable.
  • Reboot – no luck.
  • Run cmd as administrator – no luck.

Rename registry.pol in the location below: C:\Windows\System32\GroupPolicy\Machine. This file holds the registry settings of the local GPO (the LocalGPO object named in the error), so renaming it discards any locally configured settings; renaming rather than deleting keeps a copy to restore if needed.


C:\Windows\system32>cd "C:\Windows\System32\GroupPolicy\Machine"

C:\Windows\System32\GroupPolicy\Machine>ren registry.pol registry_pol.bak

C:\Windows\System32\GroupPolicy\Machine>gpupdate /force
Updating Policy...

User Policy update has completed successfully.
Computer Policy update has completed successfully.

The following warnings were encountered during computer policy processing:

The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Certain Computer policies are enabled that can only run during startup.
OK to Restart?. (Y/N)y
Restarting the computer...

Group Policy Applied Successfully.

Windows Server Backup failed to Complete. System writer not found

In Windows Server 2016, taking a system state backup fails with an error:

Backup Failed to Complete. The System writer is not found in the backup

Solution –

First confirm that the System Writer is actually missing:

Start – cmd

vssadmin list writers

(Output from a working machine, where the System Writer is listed)

Try restarting the services below:

  1. COM+ Event System
  2. COM+ System Application
  3. Distributed Transactions Coordinator
  4. Microsoft Software Shadow Copy Provider
  5. Volume Shadow Copy service
  6. Block Level Backup Engine Service

Check whether the System Writer is now visible. If it is not:

Start a Command Prompt with Run as Administrator and run:


Takeown /f %windir%\winsxs\temp\PendingRenames /a
icacls %windir%\winsxs\temp\PendingRenames /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames /grant BUILTIN\Users:(RX)
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant BUILTIN\Users:(RX)

net stop cryptsvc
net start cryptsvc

Now the System Writer should be visible again in vssadmin list writers.
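The service-restart step above can be automated and gated on whether the writer is really missing, so it does not bounce VSS on a healthy server. This is an added example, not code from the original post; it assumes an elevated PowerShell session and the service names that correspond to the six display names listed above.

```powershell
# Added example (not from the original post): restart the VSS-related services
# only when the System Writer is absent, then re-check. Run elevated.
function Test-SystemWriter {
    # vssadmin prints one "Writer name: '...'" line per registered writer.
    $output = & vssadmin.exe list writers 2>&1
    return [bool]($output | Where-Object { $_ -match "Writer name:\s+'System Writer'" })
}

# Service names for the display names in the post, in the post's order.
$services = @(
    'EventSystem',   # COM+ Event System
    'COMSysApp',     # COM+ System Application
    'MSDTC',         # Distributed Transaction Coordinator
    'swprv',         # Microsoft Software Shadow Copy Provider
    'VSS',           # Volume Shadow Copy
    'wbengine'       # Block Level Backup Engine Service
)

if (Test-SystemWriter) {
    'System Writer is registered; nothing to do.'
} else {
    'System Writer missing; restarting VSS-related services.'
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            "Service $name is not present on this host, skipping."
            continue
        }
        # Restart-Service starts a service that is currently stopped (e.g. wbengine).
        Restart-Service -Name $name -Force -ErrorAction Continue
        "$($svc.DisplayName): $((Get-Service -Name $name).Status)"
    }

    if (Test-SystemWriter) { 'System Writer is now visible.' }
    else { 'System Writer still missing; continue with the winsxs permission fix above.' }
}
```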

SCCM Updates and Services Keep Downloading

SCCM Update is stuck in Downloading state? … [Related Post – Fix SCCM Updates and Servicing Redist Download … Click OK to continue.

Log file location –

C:\Program Files\Microsoft Configuration Manager\Logs\dmpdownloader.log

Log entries – Failed to call Initialize. error = [error code: -2147467261, error message: Invalid pointer

Reading SOFTWARE\Microsoft\SMS\MPFDM\Inboxes\:Hierarchy Manager (Forwarding messages) from provider Registry~~  $$<SMS_DMP_DOWNLOADER><06-06-2017 15:02:17.354-240><thread=15032 (0x3AB8)>

Returning value C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\ForwardingMsg from provider Registry~~  $$<SMS_DMP_DOWNLOADER><06-06-2017 15:02:17.355-240><thread=15032 (0x3AB8)>

Reading SOFTWARE\Microsoft\SMS\Components\SMS_DMP_UPLOADER\:OfflineMode from provider Registry~~  $$<SMS_DMP_DOWNLOADER><06-06-2017 15:02:17.356-240><thread=15032 (0x3AB8)>

Returning value 0 from provider Registry~~  $$<SMS_DMP_DOWNLOADER><06-06-2017 15:02:17.357-240><thread=15032 (0x3AB8)>

Reading SOFTWARE\Microsoft\SMS\Identification:Installation Directory from provider Registry~~  $$<SMS_DMP_DOWNLOADER><06-06-2017 15:02:17.357-240><thread=15032 (0x3AB8)>

Returning value C:\Program Files\Microsoft Configuration Manager from provider Registry~~  $$<SMS_DMP_DOWNLOADER><06-06-2017 15:02:17.359-240><thread=15032 (0x3AB8)>

Failed to call Initialize. error = [error code: -2147467261, error message: Invalid pointer].~  $$<SMS_DMP_DOWNLOADER><06-06-2017 15:02:17.376-240><thread=15032 (0x3AB8)>

SMS_DMP_DOWNLOADER is exiting…  $$<SMS_DMP_DOWNLOADER><06-06-2017 15:02:17.377-240><thread=15032 (0x3AB8)>

Solution –

Added the missing registry key and its two values, left blank:

  • SMS_DMP_CONNECTOR (key)
  • ProxyUserName (blank value)
  • ProxyUserPassword (blank value)

HKLM\Software\Microsoft\SMS\SMS_DMP_CONNECTOR

Administration – Site Configuration – Servers and Site System Roles – Properties

Check, then uncheck, the proxy option if one exists.

Restarted the SMS_EXECUTIVE service.
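The registry fix above can be applied idempotently so that re-running it never overwrites a proxy value that is already set. This is an added example, not code from the original post; it uses the key and value names given above and assumes it is run elevated on the site server.

```powershell
# Added example (not from the original post): create the SMS_DMP_CONNECTOR key and
# the two blank proxy values only when they are missing, restart SMS_EXECUTIVE,
# then look for the initialization failure in dmpdownloader.log.
$key    = 'HKLM:\SOFTWARE\Microsoft\SMS\SMS_DMP_CONNECTOR'
$values = 'ProxyUserName', 'ProxyUserPassword'
$log    = 'C:\Program Files\Microsoft Configuration Manager\Logs\dmpdownloader.log'

if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
    "Created $key"
}

$existing = Get-ItemProperty -Path $key
foreach ($name in $values) {
    if ($null -eq $existing.PSObject.Properties[$name]) {
        New-ItemProperty -Path $key -Name $name -Value '' -PropertyType String | Out-Null
        "Added blank value $name"
    } else {
        "$name already present, left unchanged"
    }
}

Restart-Service -Name SMS_EXECUTIVE -Force

# Give the downloader component a moment to start, then check its latest log lines
# for the error quoted above; no match means the fix took effect.
Start-Sleep -Seconds 60
$hits = Get-Content -Path $log -Tail 50 |
    Where-Object { $_ -match 'Failed to call Initialize|SMS_DMP_DOWNLOADER is exiting' }
if ($hits) { 'dmpdownloader still failing:'; $hits }
else { 'No initialization failure in the last 50 lines of dmpdownloader.log.' }
```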

Surface Hub Corporate Setup with Device Account Configurations

The Surface Hub is an amazing device. As it is new, I had to spend a lot of time exploring its features to make it suitable for our environment.

The quality of the collaboration is outstanding. It makes the work environment more interesting with whiteboarding and easy HD video conferencing options.

If you have an Office 365 account and a wireless connection, it is fairly straightforward. If you wish to join it to an internal Active Directory and a Skype for Business server, you have to explore a few things to make it work the way you want.

If you wish to domain join the Surface Hub, the only way is to reset the hub completely and go through the First Run program:

  • Country/region
  • App language
  • Keyboard layout
  • Time zone

Don't connect to wireless if you joined the hub with the LAN cable. Note that it supports DHCP only; there is no way to set a static IP.

Choose Next –

You can skip this step and add it later, to minimize troubleshooting.

Choose –

Use Active Directory Domain Services.

Enter credentials that have rights to domain join a machine in Active Directory (for example a Domain Admin; they are only used to create the account). The device name will be your computer account name.

  • Create a security group for the Service Desk team so they can manage the hub's settings locally.
  • The Surface Hub runs Windows 10 Team 10.0. If you use an internal WSUS server, you have to enter the WSUS server details in the Windows Update advanced options on the Surface Hub, as it doesn't receive any Group Policy from Active Directory. WSUS will detect it as Windows 10 for feature updates.
  • Once you join the Surface Hub to the domain, it detects the internal certificate authority used by Skype for Business and connects automatically.

Creating Device Account for Surface Hub –

Create Room Mailbox –

New-Mailbox -UserPrincipalName HUB01@domain.local -Alias HUB01 -Name "HUB01" -Room -OrganizationalUnit "CN=Users,DC=careexchange,DC=IN"

Set calendar processing settings –

Set-CalendarProcessing -Identity HUB01@domain.local -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -AllowConflicts $false -DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity HUB01@domain.local -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"

Set Password Never Expires to True – (the Surface Hub has an option to reset the password periodically on its own for security purposes)

Set it in Active Directory –

Set-AdUser HUB01 -PasswordNeverExpires $true

Enable the CS meeting room options on the Skype for Business 2015 server –

Enable-CsMeetingRoom -SipAddress "sip:HUB01@careexchange.in" -RegistrarPool Skypeforbusinessserver.domain.com -Identity HUB01
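Once the three steps above have been run, the device account can be verified in one pass before the hub is set up, which saves a reset if a setting was missed. This is an added example, not code from the original post; it assumes an Exchange Management Shell session with the ActiveDirectory module loaded plus a Skype for Business session, and reuses the post's placeholder names HUB01, domain.local and careexchange.in.

```powershell
# Added example (not from the original post): verify a Surface Hub device account
# against the settings created above. Placeholder names are the post's own.
$Account = 'HUB01'
$Upn     = 'HUB01@domain.local'
$Sip     = 'sip:HUB01@careexchange.in'

$checks = [ordered]@{}

# Exchange: room mailbox with the calendar processing options from the post.
$mbx = Get-Mailbox -Identity $Upn
$checks['Mailbox is a room mailbox']    = ($mbx.RecipientTypeDetails -eq 'RoomMailbox')

$cal = Get-CalendarProcessing -Identity $Upn
$checks['AutoAccept enabled']           = ($cal.AutomateProcessing -eq 'AutoAccept')
$checks['Organizer not added to subject'] = (-not $cal.AddOrganizerToSubject)
$checks['Conflicts refused']            = (-not $cal.AllowConflicts)
$checks['Comments kept']                = (-not $cal.DeleteComments)
$checks['Subject kept']                 = (-not $cal.DeleteSubject)
$checks['Private flag kept']            = (-not $cal.RemovePrivateProperty)
$checks['Additional response enabled']  = [bool]$cal.AddAdditionalResponse

# Active Directory: enabled account whose password never expires.
$ad = Get-ADUser -Identity $Account -Properties PasswordNeverExpires, Enabled
$checks['Account enabled']              = [bool]$ad.Enabled
$checks['Password never expires']       = [bool]$ad.PasswordNeverExpires

# Skype for Business: meeting room object with the expected SIP address.
$room = Get-CsMeetingRoom -Identity $Account -ErrorAction SilentlyContinue
$checks['Skype meeting room enabled']   = ($null -ne $room -and $room.SipAddress -eq $Sip)

$failed = 0
foreach ($entry in $checks.GetEnumerator()) {
    $status = if ($entry.Value) { 'PASS' } else { $failed++; 'FAIL' }
    '{0,-4} {1}' -f $status, $entry.Key
}
if ($failed -eq 0) { "$Account is ready for the Surface Hub." }
else { "$failed setting(s) differ from the recommended configuration." }
```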

To hard reset the hub –

Update and Security – Recovery – Get Started

Cons –

  • When you join the Surface Hub to the domain, the Edge browser doesn't support the ADFS proxy for reaching the internet. The end user has to enter credentials every time to get onto the internet in the Edge browser.
  • No remote support options.

To update from 1511 to 1607 (the device keeps saying it is up to date) –

Go to Settings, Updates and, in the update settings, check "Defer Feature updates". The update should be available now. After the Anniversary Update is installed, uncheck "Defer Feature Updates".

This will give you the Anniversary Update. Tricky bug.

Adding Edge browser support to ADFS

By default, the Windows Server 2012 R2 ADFS 3.0 setup doesn't support the Edge browser.

To add support –

Set-ADFSProperties -ExtendedProtectionTokenCheck None

Get the current properties, then append the Edge user agents –

Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
$Props=Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
$Props=$Props+"Mozilla/5.0"
$Props=$Props+"Edge/12"
$Props=$Props+"Edge/14"
$Props
Set-ADFSProperties -WIASupportedUserAgents $Props
Restart-Service adfssrv
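The snippet above appends the three user agents unconditionally, so running it twice leaves duplicate entries. The version below, an added example rather than code from the original post, adds only the agents that are missing and reports the current ExtendedProtectionTokenCheck value; it uses the same ADFS cmdlets and assumes it is run on the ADFS server.

```powershell
# Added example (not from the original post): idempotently add the Edge user
# agents to WIASupportedUserAgents and report the Extended Protection setting.
$wanted = 'Mozilla/5.0', 'Edge/12', 'Edge/14'

function Add-WiaUserAgents {
    param([string[]]$Agents)
    $current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
    $missing = @($Agents | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) {
        'All requested user agents are already present; no change made.'
        return $current
    }
    $updated = $current + $missing
    Set-AdfsProperties -WIASupportedUserAgents $updated
    "Added: $($missing -join ', ')"
    return $updated
}

# Record the channel-binding setting the post changes, so the trade-off is visible.
$epa = Get-AdfsProperties | Select-Object -ExpandProperty ExtendedProtectionTokenCheck
"ExtendedProtectionTokenCheck is currently: $epa"

$result = Add-WiaUserAgents -Agents $wanted
Restart-Service adfssrv
"WIASupportedUserAgents now: $($result -join ', ')"
```

Setting ExtendedProtectionTokenCheck to None turns off channel binding checks for Windows Integrated Authentication, and 'Mozilla/5.0' matches practically every browser, so both changes widen where WIA is offered; record them as a deliberate exception rather than a default.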

  • Edge in private mode still gives an ADFS basic authentication prompt. (No fix found so far.)