Sunday, 19 June 2022

We can't activate Windows on this device

I encountered this problem recently while carrying out Windows 10 Autopilot testing on a customer site. My test device would step up from Windows 10 Professional to Enterprise but would not activate.

I could see the error: We can't activate Windows on this device as we can't connect to your organization's activation server. Error code 0x8007232B.

Running slmgr /dli on the device showed me that the currently installed operating system was expecting to be activated using volume licensing (MAK key). This isn't expected when provisioning devices directly from the vendor through Autopilot. However this was a test device so I figured it was re-imaged in the past.

Running wmic path SoftwareLicensingService get OA3xOriginalProductKey from a command prompt gave me what I needed. This displays the Windows product key embedded in the computer’s firmware. This is the original Windows key that shipped with the device.

I selected Change Product Key at the Activation window.

I entered the original product key and clicked Next.

I clicked Activate.

Windows was activated with a digital license. We wouldn't normally expect to see this problem with devices shipped directly from a vendor. However it could come in handy during customer testing in order to validate the process.

Until next time....

Wednesday, 1 June 2022

BitLocker waiting for activation

This is a quick blog post describing an annoying issue I encountered while developing a Windows 10 Autopilot process for a customer. My BitLocker policy (MEM > Endpoint Security > Disk encryption) reported as Succeeded and the recovery key was escrowed to Azure Active Directory. 

However, all was not well in the BitLocker Drive Encryption applet in Control Panel. I had the yellow exclamation warning icon with the message "Windows (C:) BitLocker waiting for activation".

The event log gave me an idea where to look. "Failed to enable Silent Encryption. Group Policy settings require the creation of a recovery key". This was Azure AD only so the Group Policy reference didn't make much sense. However it made me look for anything related to creating a recovery key in my BitLocker policy.

I found it here. I had set Recovery key file creation to Required.

What does this do? According to the tooltip "Setting this to Allow will allow an admin user to create a 256-bit recovery key file manually. Setting this to Require will require an admin user to create a 256-bit recovery key file manually. Setting this to Deny will disallow any admin user from creating a 256-bit recovery key file manually. BitLocker silent enablement requires this setting configured as Deny or Allow". I didn't want this to be required.

Changing this setting to Allowed did the trick and the device was encrypted successfully.

I hope this helps.

Until next time.......

Monday, 14 March 2022

Intune policy not applicable

This is a quick follow up to my recent post where I discussed an issue my customer was having with an unwanted reboot. We narrowed this down to Microsoft Defender Application Control in Microsoft Endpoint Manager, "Application control code integrity policies" being set, even to Audit Only. 

I referred my customer to Peter van der Woude's post, where Peter talks about creating a custom code integrity policy using OMA-URI and the Application Control CSP. I had previously tested the solution successfully was I was quite happy to recommend it. My customer also successfully tested the solution in their lab but ran into difficulty when implementing in a production pilot. The policy status for the pilot devices was "Not applicable". 

This was a little unusual but it was obvious when I figured out why. All testing was carried out in an Intune only environment. However, these devices were co-managed with the following settings.

The Endpoint Protection workload had been moved to Intune pilot. That worked well for Microsoft Defender policies. However the new policy (as per Peter's post) was a device configuration profile. This workload was still set to ConfigMgr and therefore the policy was not applicable to the devices. This was easily solved by moving the device configuration workload slider to Intune. Then the Intune policy applied as expected.

The only thing we had to worry about was that the customer was using some ConfigMgr configuration baselines and still wanted them managed by ConfigMgr. 

Luckily Microsoft provides a solution for that. We selected "Always apply this baseline even for co-managed clients".

I hope this helps if you encounter a similar situation.

Until next time......

Sunday, 20 February 2022

Microsoft Defender Application Control and the unwanted reboot

I came across this issue again this week on a customer site. Windows 10 computers were being rebooted without warning. 

You’re about to be signed out 

Windows will shut down in 10 minutes

I narrowed this down to Microsoft Defender Application Control in Microsoft Endpoint Manager, "Application control code integrity policies" being set, even to Audit Only. 

This is created as a Windows 10 configuration profile, choosing the Endpoint Protection template, then selecting the Microsoft Defender Application Control.

If you use the tooltip and follow the "Learn more" link, you are directed to the Applocker CSP page, so clearly that's what is in use here. 

According to the Microsoft docs, prior to Windows 10 version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). Interestingly, this is the only AppLocker setting that causes a reboot. It's well documented on the Applocker CSP page. 

"The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI".

I can verify that the reboot occurs when you apply the policy but also when you remove it.

Some of my colleagues have suggested ways to avoid the reboot. 
  • Peter van der Woude talks about creating a custom code integrity policy using OMA-URI and the Application Control CSP.
  • Rudy Ooms talks about the WDAC wizard.
  • You can read about creating a new base policy in the official docs using the WDAC wizard. 
This reboot is not a problem when you configure the same setting with ConfigMgr.

In ConfigMgr, the WDAC wizard allows us to de-select the check box to enforce the required reboot.

I hope this helps.

Until next time.......

Software updates issue - access denied

We encountered this problem recently on a customer site. The customer uses ConfigMgr to patch their Windows 10 estate. They've not had any major issues for quite some time but then the January CU for Windows 10 v1909 (KB5009545) started to fail with the Access is denied error (0x80070005).

We could see the error in the UpdatesHandler.log file.

WSUS update (92c58401-7a51-4e9d-9457-ca1a93c3e3d9) installation result = 0x80070005, Reboot State = NoReboot

Update execution failed.

But what did that mean? Nothing had changed so why all of a sudden was access denied? What specifically was being denied access?

We found the answer in the CBS.log file. CBS refers to Component-Based Servicing. Some components might be installed or uninstalled during Windows updates, and CBS.log is a file that includes details of these components. This file logs detailed information from your most recent Windows installed updates, and thus it can be used for troubleshooting issues related to your updates.

This log file is located in %windir%\Logs\CBS\ folder. There were several errors like this repeating over and over

2022-02-08 19:32:05, Info                  DPX    DpxMoveFileExW failed, source: \\?\C:\Windows\SoftwareDistribution\Download\55d2d88ec6c8540e1de4d959136d1809\inst\_Windows10.0-KB5009545-x64.cab_\$dpx$.tmp\4f76f8be37b84846a53e298df591e679.tmp, destination: \\?\C:\Windows\SoftwareDistribution\Download\55d2d88ec6c8540e1de4d959136d1809\inst\_Windows10.0-KB5009545-x64.cab_\amd64_microsoft-windows-e..-unifiedwritefilter_31bf3856ad364e35_10.0.18362.449_none_f216a3681960d832\r\uwfservicingscr.scr, hr 0x80070005

We could see similar issues using Procmon

8:51:31.2419935 PM  TiWorker.exe  10516  SetRenameInformationFile C:\Windows\SoftwareDistribution\Download\7998dad7da209654d66a9b53acb8a555\inst\_Windows10.0-KB5010345-x64.cab_\$dpx$.tmp\8bdd9ac34e21374c8fe95160faa8a43e.tmp        ACCESS DENIED            ReplaceIfExists: True, FileName: C:\Windows\SoftwareDistribution\Download\7998dad7da209654d66a9b53acb8a555\inst\_Windows10.0-KB5010345-x64.cab_\x86_microsoft-windows-photoscreensaver_31bf3856ad364e35_10.0.18362.1316_none_1d493b2302fc0b6b\r\photoscreensaver.scr

This error referred to TiWorker.exe which is the TrustedInstaller process and suggested that it did not have Full Control or Full Access to all the folders or sub-folders within the directory named SoftwareDistribution (C:\Windows\SoftwareDistribution). This didn't make much sense as nothing had changed in the environment.

We noticed that all the files that were blocked had a .SCR extension. These were screensaver files that were being updated by the January CU. Then we discovered that there was a McAfee access protection rule in place to block access to .SCR files. 

The fix was then straightforward. We excluded the TiWorker.exe process from the Block all SCR rule and the updates started to install.

I hope this helps if you find yourself in a similar situation. CBS logs and Procmon are your friends 😀

Until next time........