April 16, 2020
With SCCM (MEMCM) 1910 we can create an Edge deployment directly from the SCCM console, the same way as O365 (even though the old .MSI is still working).
Sounds like a nice idea. I created a deployment (here is a nice outline: https://stevenbart.com/en/2020/01/09/deployer-microsoft-edge-chromium-au-travers-de-configuration-manager/) and saw a new Application “Edge Deployment” under the Applications node in SCCM.
I refreshed computer policies on a Client and manually started the “Edge Deployment” Application installation from Software Center. It miserably failed.
After digging through fresh logs I found:
Unmatched exit code (1) is considered an execution failure
Long story short: Microsoft uses a PowerShell script for the .msi installation. Even though the script is signed, the default PowerShell execution policy (Restricted) does not allow it to run. So you need to either relax the policy to at least “RemoteSigned” or add the -ExecutionPolicy Bypass clause to the installation command in your deployment type(s), like this:
After that, update the machine policy on your test client and start the installation again. At least that fixed the issue for me.
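An added example (not part of the original post and not Microsoft's generated command): a wrapper that lists the execution policy at every scope, checks the installer script's Authenticode signature, and then runs it with RemoteSigned scoped to one child process instead of Bypass or a machine-wide change. The script path and arguments are placeholders and must be taken from your own deployment type.

```powershell
# Added example, not Microsoft's generated deployment command.
# $ScriptPath and $ScriptArgs are placeholders (assumptions): use the script
# name and arguments from your own Edge deployment type.
param(
    [string]   $ScriptPath = '.\<installer-script>.ps1',
    [string[]] $ScriptArgs = @()
)

# Precedence order: MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
# The first scope that is not Undefined is the effective policy.
$scopes = Get-ExecutionPolicy -List
$scopes | Format-Table -AutoSize | Out-String | Write-Host

# A policy set through Group Policy overrides the -ExecutionPolicy switch, so a
# command-line override only helps when both policy scopes are Undefined.
$gpo = $scopes | Where-Object {
    ($_.Scope.ToString() -in 'MachinePolicy', 'UserPolicy') -and
    ($_.ExecutionPolicy.ToString() -ne 'Undefined')
}
if ($gpo) {
    $first = @($gpo)[0]
    Write-Warning "Execution policy is enforced by Group Policy ($($first.Scope) = $($first.ExecutionPolicy)); change it in the GPO."
}

# Check the Authenticode signature explicitly, so the decision to run the
# script does not depend on the execution policy alone.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature check failed for ${ScriptPath}: $($sig.Status) $($sig.StatusMessage)"
    exit 1
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# Run the script with the policy scoped to this one child process and pass its
# exit code back, since SCCM treats an unmatched exit code as a failure.
& powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File $ScriptPath @ScriptArgs
exit $LASTEXITCODE
```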
November 5, 2018
Bumped into an unusual issue today:
I do have a SQL Reporting Services VM on one of my Azure VNets. I also have several App Services (Web Applications) connected to it. Normally when I set up VNet integration for an App Service, Azure creates a P2S SSL VPN and routes the 10.0.0.0/8, 172.16.0.0/16 and 192.168.0.0/16 ranges to the tunnel. And everything works fine.
I created a new App Service and configured it for VNet Integration. Surprisingly the app was not able to connect to SSRS.
I ran the Kudu debug console and found tcpping from the App to SSRS failed.
It turned out that during P2S VPN creation Azure for some reason added only 10.10.0.0/16 and 10.20.0.0/16 (???) as the tunnel destination.
Resolution: I added the IP address of my SSRS to the table and successfully connected to the Web Service of my SSRS. I guess that happened because I am using hub-and-spoke for my VNet. The only question is why it was working before for other App Services.
August 2, 2018
I am working with the Azure File Sync service; it went GA last week and I have a Customer who requires a scenario where AFS can fit.
I tested workgroup servers with AFS in my Lab and everything was ok. After that I decided to check ACL transfer for domain machines. So I brought up a DC and joined the servers to the domain. It was working and I successfully tested ACL transfer.
I finished the tests and stopped the VMs.
Today I started them back up and found my AFS Service shows both servers offline and the Server end-point Health is in Error state. I tried to restart services, reboot, etc.; nothing helped. I tried to remove the endpoint – the task failed with a timeout. Finally I succeeded in unregistering one of the servers and re-installing the Storage Sync Client on it; I rebooted and re-registered it. It came back nice and green.
So I took a look at the dashboard and found the server name has changed to the FQDN for the fixed server, but is still a NetBIOS name for the server that is in the offline state.
I guess if the server name changed, or a server is added to a domain the AFS client should be reinstalled…
June 8, 2018
With the Intune update we can create a dynamic group containing all devices deployed by Autopilot (and use this group for Application and Policy assignments).
Here is how to do that (according to the MS doc):
Create an AutoPilot device group
In Intune in the Azure portal, choose Device enrollment > Windows enrollment > Devices.
In the Group blade:
- For Group type, choose Security.
- Type a Group name and Group description.
- For Membership type, choose either Assigned or Dynamic Device.
If you chose Assigned for Membership type in the previous step, then in the Group blade, choose Members and add AutoPilot devices to the group. AutoPilot devices that aren’t yet enrolled are devices where the name equals the serial number of the device.
If you chose Dynamic Devices for Membership type above, then in the Group blade, choose Dynamic device members and type any of the following code in the Advanced rule box.
- If you want to create a group that includes all of your AutoPilot devices, type:
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")
- If you want to create a group that includes all of your AutoPilot devices with a specific order ID, type:
(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")
- If you want to create a group that includes all of your AutoPilot devices with a specific Purchase Order ID, type:
(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")
After adding the Advanced rule code, choose Save.
Keep in mind that a dynamic group may take several hours to run a query to populate the group. Fortunately the sync can be forced from the Devices node in the Intune Autopilot section.
December 22, 2016
Today I bumped into the abovementioned issue. I added some TS’ in my MDT 2013 Update 2, tweaked settings for the boot image, tried to rebuild it and voila – the error.
Fortunately the fix was easy enough – I started Deployment Workbench “as Administrator” and this time the image was re-built successfully.
December 21, 2016
I am not a big fan of SCCM/MDT integration and decided to use a little tool from MVP Jason Sandys: UI++.
The tool provides a UDI interface for pure SCCM Task Sequences.
I configured the XML file the tool uses and tried my TS. Dialog boxes popped up and I was able to select the applications, but when SCCM tried to install the selected apps the TS failed with
No matching policy assignments received.
Policy download failed, hr=0x80004005
It turned out I forgot to allow Application installation without being advertised. I checked the box and the Application is installed as expected now…
December 5, 2016
One of my Customers asked me to implement an Azure PaaS database for a PoC. I am not a SQL guru and when the database was set up I went to Google to see how to migrate data.
Microsoft recommends exporting/importing the data using a bacpac file.
So we exported the db to a bacpac file (it took 1.5 hours for a small 500MB DB), copied it to an Azure VM, and after that I tried to use SQL Management Studio to import the bacpac into the new Azure database as described here: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-cloud-migrate-compatible-import-bacpac-ssms
The attempt miserably failed with the following error:
“An Exception occured while executing a Transact-TSQL statement or batch (Microsoft.SqlServer.ConnectionInfo)
The connection is broken and recovery is not possible. The client driver attempted to recover connection one or more times and all attempts failed. Increase the value of ConnectRetryCount to increase the number of recovery attempts. (Microsoft SQL Server)
Cannot open database “mydatabasename” requested by login. The login failed. Login failed for user ’myusername’. (Microsoft SQL Server, Error: 4060)”
Unusual resolution: I tried to restore the bacpac to an existing database. This attempt naturally failed with error “database already exists. Try to restore into a new database”. After that I put a name of the saved database and this time bacpac was restored successfully (it took ~1 hour again).
July 11, 2016
Here is a snip from Redmond Mag, just for memory.
I set up ASR to protect my VMware-based VM and tried to use “Test-Failover” to verify the machine can be successfully restored.
The “Test-Failover” wizard has only one question – which Virtual Network to use to restore the VM (it is not recommended to use Production networks since this is a test).
So I selected my ASR-failover-test network and started the Test Failover.
When the VM was restored and started I assigned an RDP endpoint (another surprise: even though the machine is created, endpoints are not set by default).
When I RDPed to the VM I found the assigned IP is from a random 100.x.x.x range, not from the VNet I indicated.
After several troubleshooting attempts I opened a case with Microsoft.
For unknown reasons, after you set up a Protection Group and add a VM to protect to this group, you need to go to the Configuration tab in the Properties of that VM and set up ANY Microsoft Azure VNet there manually (by default it is set to “Not Connected”).
Save the settings and wait for the operation to complete.
After that, if you select a VNet in the “Test Failover” wizard, that VNet will be assigned properly and the VM will get a proper IP.
Thank you Microsoft for the help.
January 7, 2016
A customer asked me to create a GPO for IE11. One of the requirements was to lock the home page to a local Intranet site, but allow users to add their own secondary home pages in new tabs.
With the IE11 GPO ADM installed we have two ways to set up the home page:
1. Using Internet Explorer settings from ADM:
and a similar policy for the secondary page.
The issue here: if we lock the home page, a user won’t be able to add a secondary home page – the settings will be greyed out.
2. Using IE10 preferences (IE10 preferences are compatible with IE11+ as per
DO NOT FORGET to press F5 after you add a site name in the home page field!
In this situation the primary home page will be enforced and the user will be able to add a secondary page, BUT the user settings will be saved only until GPO refresh, which will revert everything to the state set in Preferences.
I left both IE Settings and preferences in the ‘Not Configured’ state and created a custom Registry preference to populate the ‘Start Page’ value under the HKCU\Software\Microsoft\Internet Explorer\Main key with the URL of the Intranet site. That will enforce the primary home page and leave custom secondary pages unchanged.
Here are the IE settings on a Client machine: