IT Consultant Everyday Notes

Just some problems/solutions storage


SCCM: Edge Chromium installation failed with 1(1x)

With SCCM (MEMCM) 1910 we can create an Edge deployment directly from the SCCM console, the same way as for O365 (even though the old .MSI is still working).

Sounds like a nice idea. I created a deployment (here is a nice outline: and saw a new Application “Edge Deployment” under Applications node in SCCM.

I refreshed computer policies on a Client and manually started “Edge Deployment” Application installation from Software center. It miserably failed.

After digging through fresh logs I found:

in AppEnforce.log

Unmatched exit code (1) is considered an execution failure

Long story short: Microsoft uses a PowerShell script for the .msi installation. Even though the script is signed, the default PowerShell execution policy (Restricted) does not allow it to run. So you need to either relax the policy to at least “RemoteSigned” or add the -ExecutionPolicy Bypass parameter to the installation command in your deployment type(s), like this:


After that update machine policy on your test client and start the installation again. At least that fixed the issue for me.
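
To confirm this cause on the test client before changing the deployment type, the following added example (not from the original post and not part of Microsoft's deployment content) reports the execution policy at every scope, the script's signature status, and whether a command-line -ExecutionPolicy parameter would take effect. $ScriptPath is a placeholder and Test-PolicyAllowsScript is a hypothetical helper written for this illustration.

```powershell
# Added example. Run it on the test client in the same context the deployment uses.
# Placeholder: point this at the installation script from the Edge deployment content.
$ScriptPath = 'C:\Temp\<edge-install-script>.ps1'

function Test-PolicyAllowsScript {
    # Hypothetical helper: $true when a script in this state can run under $Policy.
    param(
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][string]$SignatureStatus,
        [bool]$MarkedAsDownloaded = $false
    )
    switch ($Policy) {
        'Restricted'   { return $false }                       # no scripts, signed or not
        'AllSigned'    { return $SignatureStatus -eq 'Valid' }  # publisher must also be trusted
        'RemoteSigned' { return (-not $MarkedAsDownloaded) -or ($SignatureStatus -eq 'Valid') }
        default        { return $true }                        # Unrestricted, Bypass
    }
}

$scopes    = Get-ExecutionPolicy -List
$effective = (Get-ExecutionPolicy).ToString()

# A policy set by Group Policy outranks the Process scope, which is the scope
# that "powershell.exe -ExecutionPolicy ..." sets for a single invocation.
$fromGpo = $scopes | Where-Object {
    $_.Scope -match '^(Machine|User)Policy$' -and "$($_.ExecutionPolicy)" -ne 'Undefined'
}

$signature  = Get-AuthenticodeSignature -FilePath $ScriptPath
# A Zone.Identifier stream marks the file as downloaded, which matters for RemoteSigned.
$downloaded = [bool](Get-Item -LiteralPath $ScriptPath -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)

$scopes | Format-Table -AutoSize
[pscustomobject]@{
    EffectivePolicy      = $effective
    SignatureStatus      = $signature.Status
    Signer               = $signature.SignerCertificate.Subject
    MarkedAsDownloaded   = $downloaded
    RunsUnderCurrent     = (Test-PolicyAllowsScript -Policy $effective -SignatureStatus $signature.Status -MarkedAsDownloaded $downloaded)
    RunsUnderRemoteSigned = (Test-PolicyAllowsScript -Policy 'RemoteSigned' -SignatureStatus $signature.Status -MarkedAsDownloaded $downloaded)
    BypassSwitchEffective = -not $fromGpo
} | Format-List
```

If BypassSwitchEffective is False, a Group Policy setting controls the execution policy and the change has to be made there rather than on the command line.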

Azure: App Service cannot connect to VNet-based VM

Bumped into an unusual issue today:

I have a SQL Reporting Services VM on one of my Azure VNets. I also have several App Services (Web Applications) connected to it. Normally when I set up VNet integration for an App Service, Azure creates a P2S SSL VPN and routes, and ranges to the tunnel. And everything works fine.

I created a new App Service and configured it for VNet Integration. Surprisingly, the app was not able to connect to SSRS.

I ran the Kudu debug console and found that tcpping from the App to SSRS failed.

It turned out that during P2S VPN creation Azure for some reason added only and (???) as the tunnel destination.

Resolution: I added the IP address of my SSRS to the table and successfully connected to the Web Service of my SSRS. I guess that happened because I am using hub-and-spoke for my VNet. The only question is why it was working before for other App Services.


Azure: Azure File Sync–registered servers are offline

I am working with the Azure File Sync service; it went GA last week and I have a Customer who requires a scenario where AFS can fit.

I tested workgroup servers with AFS in my Lab and everything was OK. After that I decided to check ACL transfer for domain machines. So I brought up a DC and joined the servers to the domain. It was working and I successfully tested ACL transfer.

I finished the tests and stopped the VMs.

Today I started them back up and found my AFS Service shows both servers offline and the Server endpoint Health is in Error state. I tried to restart services, reboot, etc.; nothing helped. I tried to remove the endpoint, and the task failed with a timeout. Finally I succeeded in unregistering one of the servers and re-installing the Storage Sync Client on it; I rebooted and re-registered. It came back nice and green.

So I took a look at the dashboard and found the server name had changed to the FQDN for the fixed server, but was still the NetBIOS name for the server that is in the offline state.

I guess if the server name changed, or a server is added to a domain the AFS client should be reinstalled…


Azure: How to create a group of devices deployed by Autopilot

With the Intune update we can create a dynamic group containing all devices deployed by Autopilot (and use this group for Application and Policy assignments).

Here is how to do that (according to the MS doc):

Create an AutoPilot device group

  1. In Intune in the Azure portal, choose Device enrollment > Windows enrollment > Devices.

  2. In the Group blade:

    1. For Group type, choose Security.
    2. Type a Group name and Group description.
    3. For Membership type, choose either Assigned or Dynamic Device.
  3. If you chose Assigned for Membership type in the previous step, then in the Group blade, choose Members and add AutoPilot devices to the group. AutoPilot devices that aren’t yet enrolled are devices where the name equals the serial number of the device.

  4. If you chose Dynamic Devices for Membership type above, then in the Group blade, choose Dynamic device members and type any of the following code in the Advanced rule box.

    • If you want to create a group that includes all of your AutoPilot devices, type (device.devicePhysicalIDs -any _ -contains "[ZTDId]")
    • If you want to create a group that includes all of your AutoPilot devices with a specific order ID, type: (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")
    • If you want to create a group that includes all of your AutoPilot devices with a specific Purchase Order ID, type: (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")

    After adding the Advanced rule code, choose Save.

  5. Choose Create.

Keep in mind that a dynamic group may take several hours to run the query that populates it. Fortunately the sync can be forced from the Devices node in the Intune Autopilot section.


SCCM: MDT boot image update failed: “Unable to mount the WIM, so the update process cannot continue”

Today I bumped into the above-mentioned issue. I added some TSs in my MDT 2013 Update 2, tweaked settings for the boot image, tried to rebuild it and voila – the error.

Fortunately the fix was easy enough – I started Deployment Workbench “as Administrator” and this time the image was rebuilt successfully.

SCCM: OSD UDI – UI++ issue

I am not a big fan of SCCM/MDT integration and decided to use a little tool from MVP Jason Sandys: UI++.

The tool provides a UDI interface for pure SCCM Task Sequences.

I configured the XML file the tool uses and tried my TS. Dialog boxes popped up and I was able to select the applications, but when SCCM tried to install the selected apps the TS failed with

No matching policy assignments received.
Policy download failed, hr=0x80004005

It turned out I forgot to allow Application installation without being advertised. I checked the box and the Application is installed as expected now…


Azure: Azure Database bacpac import failed with “The connection is broken and recovery is not possible.”

One of my Customers asked me to implement an Azure PaaS database for a PoC. I am not a SQL guru, and when the database was set up I went to Google to see how to migrate data.


Microsoft recommends exporting and importing the data using a bacpac file.

So we exported the DB to a bacpac file (it took 1.5 hours for a small 500MB DB), copied it to an Azure VM, and after that I tried to use SQL Management Studio to import the bacpac into the new Azure database as described here:


The attempt miserably failed with the following error:

“An Exception occured while executing a Transact-TSQL statement or batch (Microsoft.SqlServer.ConnectionInfo)

Additional Information:

The connection is broken and recovery is not possible. The client driver attempted to recover connection one or more times and all attempts failed. Increase the value of ConnectRetryCount to increase the number of recovery attempts. (Microsoft SQL Server)

Cannot open database “mydatabasename” requested by login. The login failed. Login failed for user ’myusername’. (Microsoft SQL Server, Error: 4060)


Unusual resolution: I tried to restore the bacpac to an existing database. This attempt naturally failed with the error “database already exists. Try to restore into a new database”. After that I put in the name of the saved database and this time the bacpac was restored successfully (it took ~1 hour again).

Top 10 Free tools


Here is a snip from Redmond Mag, just for memory.


Azure: Azure Site Recovery (ASR). Virtual Network is NOT assigned to a migrated machine.

I set up ASR to protect my VMware-based VM and tried to use “Test-Failover” to verify the machine can be successfully restored.


The “Test-Failover” wizard has only one question: which Virtual Network to use to restore the VM (it is not recommended to use a Production network since this is a test).


So I selected my ASR-failover-test network and started the Test Failover.

When the VM was restored and started I assigned an RDP endpoint (another surprise: even though the machine is created, endpoints are not set by default).

When I RDPed to the VM I found the assigned IP was from a random 100.x.x.x range, not from the VNet I indicated.

After several troubleshooting attempts I opened a case with Microsoft.



For unknown reasons, after you set up a Protection Group and add a VM to protect to this group, you need to go to the Configuration tab in the Properties of that VM and set up ANY Microsoft Azure VNet there manually (by default it is set to “Not Connected”).


Save the settings and wait for the operation to complete.


After that, if you select a VNet in the “Test Failover” wizard, that VNet will be assigned properly and the VM will get a proper IP.

Thank you Microsoft for the help.

Internet explorer 11: Home Page setup via GPO

A customer asked me to create a GPO for IE11. One of the requirements was to lock the home page to the local Intranet site, but allow users to add their own secondary home pages in new tabs.

With the IE11 GPO ADM installed we have two ways to set up the home page:

1. Using Internet Explorer settings from ADM:


and a similar policy for the secondary page.

The issue here: if we lock the home page, a user won’t be able to add a secondary home page because the settings will be greyed out.

2. Using IE10 preferences (IE10 preferences are compatible with IE11+ as per )

DO NOT FORGET to press F5 after you add a site name in home page field!


In this situation the primary home page will be enforced and the user will be able to add a secondary page, BUT the user settings will be saved only until the next GPO refresh, which will revert everything to the state set in Preferences.



I left both IE Settings and preferences in the ‘Not Configured’ state and created a custom Registry preference to populate the ‘Start Page’ value under the HKCU\Software\Microsoft\Internet Explorer\Main key with the URL of the Intranet site. That will enforce the primary home page and leave custom secondary pages unchanged.



Here are the IE settings on a Client machine: