IT Consultant Everyday Notes

Just some problems/solutions storage

Azure: How to configure MFA when Classic Portal is not available

My company provides CSP Azure subscriptions to our customers. To make life more exciting, Microsoft removed Classic Portal support from CSP, so we can use only the new and shiny ARM-based portal.

When the time comes to configure Azure AD, the fun begins. The Azure AD node is available in the new portal as ‘preview’ and is missing some features from the old portal. Recently I had fun with license assignment; today I needed to assign MFA to accounts. Fun, fun, fun….

Anyway, as in the first case, office.portal.com helped. This portal is available for CSP and has some of the classic portal's features that are missing from the new one. For example, to add MFA to a user:

 

1. Start office.portal.com

2. Go to Users->Active Users

3. Click ‘More’

4. Click ‘Setup Azure Multi-factor auth’. That will open the MFA portal for you

5. Configure MFA for a user or users in bulk

Azure: Use SAS token as a parameter

I recently bumped into an issue trying to pass a Shared Access Signature (SAS) token to my ARM template to be able to connect sub-templates securely. Even though the SAS token looked perfectly fine in PowerShell, the New-AzureRMDeployment cmdlet failed with the following error:

Error: Code=InvalidTemplate; Message=Deployment template validation failed: ‘The provided value for the template parameter ‘_artifactsLocationSasToken’.

I tried both securestring and string: no luck. A colleague of mine, Jules Ouellette, helped me with a solution: the token is generated as an object and must be converted to a string before being passed as a parameter:

_artifactsLocationSastoken = $artifactslocationsastoken.toString()

After that conversion the token was successfully accepted as a parameter.

SCCM: SUP is not working due to WSUS crash

Interesting case: the WSUS built for SCCM SUP crashed regularly. It started at once a month, then more and more often, and finally the WSUS application pool could not stay up for an hour. The recommended solution was to recycle the WSUS application pool, but that was not really a solution since permanent monitoring is required.

It turned out to be a known issue for SCCM 2012 (it looks like SCCM CB is affected too), and Microsoft recommends enlarging the App Pool private memory to 4 (or in some cases to 8!) GB. Sounds a bit crazy to me, but at least WSUS is up and running now.

More technical details in the following article: https://blogs.technet.microsoft.com/configurationmgr/2015/03/23/configmgr-2012-support-tip-wsus-sync-fails-with-http-503-errors/

SCCM: Clean encrypted drive before TS start

One of my customers happens to have McAfee-encrypted drives on the laptops and desktops he plans to migrate to Windows 10. Unfortunately the McAfee version was not cooperative with SCCM, and he was OK with cleaning the drives.

To achieve that I added a file called diskpart.txt on my file server (where my Network Access Account has access)

The file contains two lines:

Select disk 0
Clean

After that I customized the boot image by adding a pre-start command and pointing the boot image to the shared folder containing my configuration file:

The script is invoked after you press ‘Next’ on the OSD dialog logon page but before you select any Task Sequence.

Did the trick for me.

SCCM: MDT boot image update failed: “Unable to mount the WIM, so the update process cannot continue”

Today I bumped into the abovementioned issue. I added some TSs in my MDT 2013 Update 2, tweaked settings for the boot image, tried to rebuild it and voilà: the error.

Fortunately the fix was easy enough: I started Deployment Workbench ‘as Administrator’ and this time the image was rebuilt successfully.

SCCM: OSD UDI – UI++ issue

I am not a big fan of SCCM/MDT integration and decided to use a little tool from MVP Jason Sandys: UI++.

The tool provides a UDI interface for pure SCCM Task Sequences.

I configured the XML file the tool uses and tried my TS. Dialog boxes popped up and I was able to select the applications, but when SCCM tried to install the selected apps the TS failed with:

No matching policy assignments received.
Policy download failed, hr=0x80004005

It turned out I forgot to allow Application installation without being advertised. I checked the box and the Application is installed as expected now…

Azure: Azure Database bacpac import failed with “The connection is broken and recovery is not possible.”

One of my customers asked me to implement an Azure PaaS database for a PoC. I am not a SQL guru, and when the database was set up I went to Google to see how to migrate data.

 

Microsoft recommends exporting/importing data using a bacpac file.

So we exported the DB to a bacpac file (it took 1.5 hours for a small 500 MB DB), copied it to an Azure VM, and after that I tried to use SQL Management Studio to import the bacpac into the new Azure database as described here: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-cloud-migrate-compatible-import-bacpac-ssms

 

The attempt miserably failed with the following error:

“An Exception occured while executing a Transact-TSQL statement or batch (Microsoft.SqlServer.ConnectionInfo)

Additional Information:

The connection is broken and recovery is not possible. The client driver attempted to recover connection one or more times and all attempts failed. Increase the value of ConnectRetryCount to increase the number of recovery attempts. (Microsoft SQL Server)

Cannot open database “mydatabasename” requested by login. The login failed. Login failed for user ’myusername’. (Microsoft SQL Server, Error: 4060)

 

Unusual resolution: I tried to restore the bacpac to an existing database. This attempt naturally failed with the error “database already exists. Try to restore into a new database”. After that I entered the name of the saved database and this time the bacpac was restored successfully (it took ~1 hour again :) )

SCCM: How to convert Package to Application using Package Conversion Manager (PCM) on SCCM CB

PCM does not support an SCCM Console newer than SCCM 2012 SP1. Jason Sandys published an article for SCCM R2. I used the same approach for SCCM CB (1607) and it seems to be working fine.

 

Step-by-step from Jason is here: http://blog.configmgrftw.com/package-conversion-manager-and-configmgr-r2-sp1-or-sp2/

SCCM: WSUS re-installation

I recently found a badly broken 2012 R2 WSUS in one of my clients' environments. After some troubleshooting I decided to re-install WSUS to save time.

Here are several points to remember during re-installation.

1. Not everything will be uninstalled with WSUS

– Windows Internal Database (should be unchecked in Feature List during uninstallation or uninstalled using directions: https://technet.microsoft.com/en-us/library/dd939818(v=ws.10).aspx)

– Content of C:\Windows\WID should be cleared before the new install (otherwise you may get the error message “Synchronization in progress. Please cancel synchronization and rerun postinstall again.” after the new WSUS is installed)

– you may decide to clean \WSUS folder created for the old WSUS

2. If you use PowerShell for the WSUS installation and wsusutil is not able to configure the WSUSContent folder for you, you may get an error saying the content folder cannot be accessed. In this case you may decide to add the content folder location to the XML configuration script; the process is described here: https://gyorgybalassy.wordpress.com/2013/08/10/installing-wsus-on-windows-server-2012/

Unfortunately in my case postinstall failed regardless, giving me a weird error: “System.InvalidOperationException — Client found response content type of ‘text/html; charset=utf-8’, but expected ‘text/xml’”. I tried to uninstall the MMC cache for WSUS, uninstall WID and WSUS; nothing helped.

Finally I uninstalled WSUS, WID and IIS, cleaned the abovementioned directories, rebooted the server and installed WSUS back (enabled HTTP Activation under WCF for .Net 4.5 and patched the server with the latest WSUS updates). This time it successfully started.

SCCM: Windows 10 changes Default Application set for Adobe .pdf files

I am helping to create/deploy a Windows 10 image in one of my customers' environments. There is a requirement to have Adobe Reader DC in a Gold Windows 10 image.

I am preparing the Gold Image with MDT 2013 Upd 2 and deploying it with SCCM (build 1606).

One of the issues we faced is the software association for Adobe Reader .pdf files: even though the Adobe Reader setup was customized with the Customization Kit and Adobe Reader was set as the default application for PDF files, after imaging we observed Microsoft Edge setting itself as the default app for PDFs. :(

I googled the issue and found I am not alone… Unfortunately the most common advice is to start Reader and configure it as the default app in the GUI (for example, here is the Adobe guide: https://helpx.adobe.com/acrobat/kb/not-default-pdf-owner-windows10.html). Works fine, I guess, for a non-enterprise environment, but not suitable for my case. In addition it will set the association for the current user only (http://www.winhelponline.com/blog/edge-hijack-pdf-htm-associations/)

The Assoc command described here: https://support.microsoft.com/en-us/kb/184082 does not seem to be working in Windows 10. I mean, even though assoc .pdf shows the correct association, Edge is still the default app :)

I finally found a way to manipulate association with DISM command (https://technet.microsoft.com/en-us/library/hh824855.aspx)

So, here is the solution I am using:

1. On a reference machine with Adobe Reader installed (but not set as a default App for PDF) export the default application configuration to an .XML file using the dism command: DISM.exe /Online /Export-DefaultAppAssociations >your.xml

2. Open the XML file in Notepad and delete unnecessary lines before XML header

3. Browse the XML to see association for .pdf

4. Here is a trick. You need the ApplicationID of Adobe Reader to be able to replace the ApplicationID of Edge you have in the XML. I right-clicked a PDF document and selected Open With. I see the preferred App is Edge, but the Reader is just after that. So in the XML file I copied the first ID from the “OverwriteIfProgIdIs” parameter to the ProgId parameter. Hopefully the explanation is clear. Anyway, my line for the .pdf association looks like:

<Association Identifier=".pdf" ProgId="AppX86746z2101ayy2ygv3g96e4eqdf8r99j" ApplicationName="Adobe Reader" ApplyOnUpgrade="true" OverwriteIfProgIdIs="AppXk660crfh0gw7gd9swc1nws708mn7qjr1" />

After that I import the XML file back to Windows using:

Dism.exe /Online /Import-DefaultAppAssociations:your.xml

Please note, even that won’t change association for the current user. But, all new users will get it set properly.
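Steps 2 to 4 above can be scripted. The following PowerShell is an added example, not the author's own script: the export text and the AppX… ProgIds in it are constructed placeholders, and the function name Set-ExportedAssociation is hypothetical.

```powershell
# Added example, not from the original post. $raw is a CONSTRUCTED export:
# the AppX* ProgIds are placeholders, not real application IDs.
$raw = @'
Deployment Image Servicing and Management tool

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".htm" ProgId="AppXBROWSERPLACEHOLDER" ApplicationName="Microsoft Edge" />
  <Association Identifier=".pdf" ProgId="AppXEDGEPLACEHOLDER" ApplicationName="Microsoft Edge" OverwriteIfProgIdIs="AppXREADERPLACEHOLDER;AppXOTHERPLACEHOLDER" />
</DefaultAssociations>
The operation completed successfully.
'@

function Set-ExportedAssociation {
    param(
        [Parameter(Mandatory)][string]$ExportText,
        [string]$Extension = '.pdf',
        [string]$ApplicationName = 'Adobe Reader'
    )
    # Step 2: keep only the XML document, dropping console text around it.
    $endTag = '</DefaultAssociations>'
    $start  = $ExportText.IndexOf('<?xml')
    $end    = $ExportText.LastIndexOf($endTag)
    if ($start -lt 0 -or $end -lt $start) { throw 'No DefaultAssociations XML found.' }
    [xml]$doc = $ExportText.Substring($start, $end + $endTag.Length - $start)

    # Step 3: locate the association for the extension.
    $node = $doc.SelectSingleNode("/DefaultAssociations/Association[@Identifier='$Extension']")
    if ($null -eq $node) { throw "No association for $Extension in the export." }

    # Step 4: promote the first ID listed in OverwriteIfProgIdIs to ProgId.
    $ids = @($node.GetAttribute('OverwriteIfProgIdIs') -split ';' | Where-Object { $_ })
    if ($ids.Count -eq 0) { throw "OverwriteIfProgIdIs is empty for $Extension; set ProgId by hand." }
    $node.SetAttribute('ProgId', $ids[0])
    $node.SetAttribute('ApplicationName', $ApplicationName)
    return $doc
}

$fixed = Set-ExportedAssociation -ExportText $raw
$fixed.Save((Join-Path $PWD 'your.xml'))   # file to pass to /Import-DefaultAppAssociations
$fixed.SelectSingleNode("//Association[@Identifier='.pdf']").OuterXml
```

Review the printed .pdf line against the Open With list on the reference machine before importing, since the first ID in OverwriteIfProgIdIs is not guaranteed to be the Reader on every build.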

So I created an additional application in my MDT to import the pre-created XML and inserted the Application Deployment step in my TS and re-generated the image. As soon as the image is deployed all domain users should have Adobe Reader as a default app for PDFs.

Note: I guess I could use offline servicing to inject the XML into the image during image creation and it would help with the association for “Administrator”, but I guess the online approach is easier and cleaner.

 

You can also try a per-user GPO as described here: https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/pdfviewer.html