SCCM – CTRL-ALT-DEL does not work on Remote Control Host


Cause

This problem happens if the Secure Attention Sequence (SAS) policy has not been configured or is set to Disabled. This policy setting controls whether software can simulate the SAS, that is, Ctrl+Alt+Del.


Resolution

Set reg key

Key:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Type: REG_DWORD

Value: SoftwareSASGeneration

Data: 3

 

Or group policy…

  1. Open gpedit.msc
  2. Select Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options
  3. Select Disable or enable software Secure Attention Sequence
  4. Set to Services and Ease of Access applications

Windows – Block Windows Updates


#1 Restricted Sites

One method to block Windows Updates is to add the Microsoft Update URLs to Restricted sites.

1 – Click the Start button, click Control Panel, type Internet options in the search box, and then click Internet Options.

2 – Click the Security tab, click Restricted sites and then click Sites.

3 – To add a site, type the URL into the Add this website to the zone box, and then click Add.

 


 

URLs

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://go.microsoft.com
http://mp.microsoft.com
http://ws.microsoft.com

 

Notes

#2 Host File

URLs can also be blocked by adding redirect addresses to your hosts file (C:\Windows\System32\drivers\etc\hosts).

Example:

127.0.0.1    windowsupdate.microsoft.com
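To find machines where update hostnames have been redirected this way, here is an added audit example (not part of the original post). It parses hosts-file text and reports every entry whose name matches one of the domains from the URL list above. The function name Find-UpdateHostOverride and the sample hosts content are constructed for illustration.

```powershell
# Added example: report hosts-file entries that override Windows Update hostnames.
# The suffix list is taken from the URL list in this post.
$UpdateSuffixes = @(
    'windowsupdate.microsoft.com',
    'update.microsoft.com',
    'windowsupdate.com',
    'download.microsoft.com',
    'wustat.windows.com',
    'ntservicepack.microsoft.com',
    'go.microsoft.com',
    'mp.microsoft.com',
    'ws.microsoft.com'
)

function Find-UpdateHostOverride {
    param(
        [string[]]$Lines,
        [string[]]$Suffixes = $UpdateSuffixes
    )
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        # Drop the comment part, then split "<address> <name> [<alias> ...]" on whitespace
        $text = ($raw -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $n = $name.ToLowerInvariant().TrimEnd('.')
            foreach ($s in $Suffixes) {
                # Match the domain itself or any subdomain of it
                if ($n -eq $s -or $n.EndsWith(".$s")) {
                    [pscustomobject]@{
                        Line     = $lineNo
                        Address  = $address
                        HostName = $n
                        Matched  = $s
                    }
                    break
                }
            }
        }
    }
}

# Constructed sample hosts content (not taken from a real machine)
$sample = @(
    '# constructed sample hosts content',
    '127.0.0.1    localhost',
    '127.0.0.1    windowsupdate.microsoft.com',
    '0.0.0.0      fe2.update.microsoft.com download.windowsupdate.com  # blocked',
    '10.0.0.5     intranet.example.test'
)
Find-UpdateHostOverride -Lines $sample | Format-Table -AutoSize

# On a live system:
# Find-UpdateHostOverride -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

For the constructed sample this reports three overrides: one on line 3 and two on line 4.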


#3 Windows Settings

Enabling Metered Connection

  • Select Start  > Settings  > Network & Internet > Wi-Fi  > Manage known networks.

  • Select the Wi-Fi network > Properties > enable Set as metered connection.

 

#4 Group Policy

gpedit.msc > Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > Turn off access to all Windows Update features > Select “Enabled” > Click Apply

gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates > Select “Disabled” in Configured Automatic Updates > Click Apply

 

#5 Services

services.msc > Windows Update >  Select “Disabled” > Click Apply

 

Disable the Windows Store

gpedit.msc > Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > “Turn off access to the Store” > Select “Enabled” > Click Apply

 

C++ Show X Amount of a Character

#include "stdafx.h" // Visual Studio precompiled header; remove for other compilers
#include <cstdlib>  // abs, system
#include <iostream>
#include <sstream>
#include <string>

using namespace std;

int main() {

    // initialize variables
    string str;
    int num = 0;     // stays 0 if the input is not a number
    int count = 1;   // number of stars on the current row
    bool sur = true; // true while the rows are still growing

    // user input
    cout << "Enter how many stars: ";
    getline(cin, str);
    stringstream(str) >> num;

    // test for null
    if (str.length() < 1) { num = 0; }

    // make sure number is positive
    num = abs(num);

    cout << '\n';

    if (num) {
        while (count != 0) {
            // print one row of '*' (character code 42)
            for (int i = 1; i <= count; i++) {
                cout << char(42);
            }
            cout << "\n";

            // once the widest row is reached, start shrinking
            if (count == num) {
                sur = false;
            }
            if (sur == true) { count++; }
            else { count--; }
        }
    }
    else { cout << "Invalid number!"; }

    // wait
    // getchar();
    system("pause"); // for visual studio
    return 0;
}



 
 
Notes

#include "stdafx.h" // Visual Studio precompiled header; remove for other compilers
#include <cstdlib>  // system
#include <iostream>

using namespace std;

int main() {

    // input
    cout << "Enter depth of pyramid: \n";
    int n;
    cin >> n;

    cout << "\n";

    // ascending
    for (int i = 1; i <= n; i++) {
        for (int j = 0; j < i; j++)
            cout << "*";
        cout << endl;
    }

    // descending
    for (int i = n - 1; i > 0; i--) {
        for (int j = i; j > 0; j--)
            cout << "*";
        cout << endl;
    }

    // wait
    system("pause");

    return 0;
}

SCCM – Cannot Image Machine – Failed to Run Task Sequence (0x8007000F) (0X80070032)


Either boot to a bootable device that will give you access to a command prompt, or press F8 before selecting the Task Sequence and run:

diskpart

select disk 0

clean

create partition primary

assign letter=c

format quick fs=NTFS

Exit

 

A reboot may be required to use the Task Sequence.

Why does this error occur? The TS is looking for an NTFS drive. If the TS fails to find an NTFS drive, an access error is returned. This will often happen when the drive has BitLocker enabled on it. If you want to examine the details of the task sequence failure, look into the smsts.log file.

 

Notes

SCCM: How to copy SMSTS.log when a Task Sequence fails

| Phase | Location |
|---|---|
| Windows PE (Before the hard disk is formatted) | x:\windows\temp\smstslog\smsts.log |
| Windows PE (After the hard disk is formatted) | x:\smstslog\smsts.log and copied to c:\_SMSTaskSequence\Logs\Smstslog\smsts.log |
| Windows Operating System (Before the SCCM client is installed) | c:\_SMSTaskSequence\Logs\Smstslog\smsts.log |
| Windows Operating System (After the SCCM client is installed) | c:\windows\ccm\logs\Smstslog\smsts.log |
| Windows Operating System (When the Task Sequence is complete) | |

TPM 2.0

UEFI

C++ Build Multiplication Table

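#include "stdafx.h" // Visual Studio precompiled header; remove for other compilers
#include <cstdio>   // getchar
#include <iomanip>  // setw
#include <iostream>

using namespace std;

int main() {
    int table;
    cout << "Enter multiplication table number: ";
    cin >> table;
    cout << "\n";
    getchar(); // consume the newline left behind by cin

    for (int i = 1; i <= table; i++) {
        for (int j = 1; j <= table; j++) {
            // setw must come before the value it formats
            cout << setw(5) << i * j;
        }
        cout << endl;
    }
    getchar(); // wait for Enter before exiting
    return 0;
}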


Skype for Desktop – 8.34.0.78


New Skype for Desktop (Windows) is available here:

https://go.skype.com/windows.desktop.download

 

Silent Install

setup.exe /VERYSILENT /SP- /NOCANCEL /NORESTART /SUPPRESSMSGBOXES /NOLAUNCH -ms

 

Uninstall

Reg Keys

"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Skype_is1"

Command

"C:\Program Files (x86)\Microsoft\Skype for Desktop\unins000.exe" /SILENT

 

Notes

Disable Skype auto updates

Google Chrome – 70.0.3538.102


New Chrome browser is available here:

https://enterprise.google.com/intl/en_version/chrome/chrome-browser/

 

Product Code

{6B4AAD8F-8925-3AAA-A393-53D28FD8A90B}

 

Silent Install

setup.msi /quiet /norestart

 

Release Notes

Chrome Browser updates

  • Sign-in policy change
    Starting in Chrome 70, the BrowserSignin policy will control the Allow Chrome sign-in setting for your users on Chrome Browser. It allows you to specify if the user can sign in with their account and use account-related services, such as Chrome Sync.

    If the policy is set to “Disable browser sign-in”, then the user cannot sign in to the browser and use account-based services. In this case, account-bound features, such as Chrome Sync, cannot be used and will be unavailable.

    If the policy is set to “Enable browser sign-in”, then the user can sign in to the browser, but they’re not forced to do so. The user can’t disable signing in to the browser. To control the availability of Chrome Sync, use the SyncDisabled policy.

    If the policy is set to “Force browser sign-in”, then the user has to sign in to Chrome before using the browser. The default value of BrowserGuestModeEnabled will be set to false. Existing profiles that are not signed in will be locked and inaccessible after enabling this policy.

    If this policy is not set, then the user can decide if they want to enable the browser sign-in option and use it as they see fit.

  • Cookie behavior change
    With Chrome 70, when a user clears cookies in Chrome Browser, Google’s authentication cookies will be deleted along with all other cookies, except for the cookie used for the Chrome Sync account. Users are automatically signed out of all accounts not being used for Chrome Sync. Users will still be signed in to any account used for Chrome Sync so they can delete their browsing data from other devices as well.
  • Reduce Chrome crashes caused by third-party software
    Third parties can inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third party injects code. Here’s the warning users see on their computers if the ThirdPartyBlockingEnabled policy is enabled:

    [Image: Disable third-party software blocking notification]

    The following blocking feature was previously scheduled for M68 and M69, but is now launching in Chrome 70.

    In Chrome 70, third-party code is now blocked by default for consumer users of Chrome. However, there is a different default behavior for enterprises. If you (the admin) do not block third-party code, third-party code will not be blocked for domain-enrolled enterprise users in Chrome 70.

    In Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users.

    To prepare for this change, if you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

    To test Chrome’s third-party software warning and blocking features on Windows, see these instructions, which will walk you through how to use the diagnostic tool at chrome://conflicts.

  • Deprecate trust in remaining legacy Symantec PKI infrastructure
    Following previous announcements, Chrome 70 marks the final stage of distrusting the Symantec legacy PKI certificates.

    Beginning with Chrome 70:

    • All certificates, regardless of issuance date, issued from the Symantec legacy PKI are distrusted in the Canary and Dev release channels.
    • Trust in the Symantec legacy PKI has begun phasing out for the Beta and Stable release channels.
    • Temporary periods of distrust, increasing in length, will identify any outstanding breakages caused by sites that have not replaced their TLS certificates. Complete and final distrust can occur regardless of Chrome release dates. You are strongly encouraged to replace affected certificates as soon as possible to avoid site breakage.

    What you need to do:

    • Determine if your site is affected and replace your TLS certificate with one unaffected by the change. To find out if your site is affected, see the instructions in our blog post on the deprecation.
    • Enterprises with a critical dependency on Symantec TLS certificates can configure temporary trust in the Symantec legacy PKI. This policy is a temporary measure and will expire January 01, 2019. For details, see the EnableSymantecLegacyInfrastructure policy.
  • Update to TLS 1.3
    We shipped draft 23 of TLS 1.3 in Chrome 65. In Chrome 70, we are now updating to the final revision. For details, see TLS 1.3 and Chromium.org. We will not be shipping anti-downgrade protections in Chrome 70 due to bugs in several middlebox vendors’ TLS implementations. Administrators of Cisco® Firepower® devices can update to Firepower version 6.2.3.4 to avoid incompatibilities with a future Chrome version. If needed, admins can use the SSLVersionMax policy to control TLS 1.3.
  • New UI support for WebAuthn
    Chrome 70 comes with a new UI for WebAuthn and FIDO authenticators. Developers no longer have to implement these user authentication flows themselves. In Chrome 70, when a user invokes WebAuthn, Chrome will guide the user through their FIDO-compatible authenticator, such as a security key.
  • Form autofill policy changes
    The AutoFillEnabled policy is deprecated. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled policies (details below).
    Autofill policies
    The AutofillAddressEnabled and AutofillCreditCardEnabled policies allow users to enter address and credit card information in web forms using previously stored information or information from their Google Account.

    If AutofillAddressEnabled is disabled, address information is not suggested or filled in. Additional address information that’s entered in web forms by the user will not be saved.

    If AutofillCreditCardEnabled is disabled, credit card information is not suggested or filled in. Additional credit card information that’s entered in web forms by the user will not be saved.

    If either the AutofillAddressEnabled or AutofillCreditCardEnabled setting is enabled or has no value, the user will be able to control autofill for addresses or credit card information, respectively.

Chrome OS updates

  • Native SMB file share support
    SMB file shares (Windows file shares) are now supported natively on Chrome OS. Remote paths can be mounted as a root in the Files app. Supported authentication methods include Kerberos, Microsoft® Active Directory®, and NTLM version 2. To initiate an SMB file share:

    1. Open a Chrome Browser window and at the top right, click More and then Settings.
    2. Next to Network file shares, click Add File Share.
    3. Enter the required information and click Add.
    4. Open the Files app and browse the shared folder.

    [Image: SMB file share in Chrome OS]
  • Camera app updates
    The Camera app has a refreshed UI. Photos and videos taken with the Camera app are now stored in the Downloads folder in the Files app.
  • Enable key remapping for external keyboards
    Users can now remap the Search, Command, and Windows keys on external keyboards in the keyboard settings. If an Apple® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.
  • Floating virtual keyboard
    For touch-enabled Chrome devices, you can use a floating keyboard to enter text with one finger. You can use this keyboard on a touchscreen, similar to how you use a smartphone keyboard.
  • Restriction policy for native CUPS printing
    Admins can restrict users to color or black-and-white printing with CUPS printing. Users will not be able to manually change the setting on the device. Details are coming in Manage local and network printers.

Admin console updates

  • Manage sign-ins in Chrome Browser and Chrome OS
    In the Google Admin console, you can restrict which domains users can use to access Google products, such as Gmail. The setting applies in Chrome Browser and on Chrome OS devices. For example, you might want to prevent employees from signing in to their personal Gmail accounts on a corporate-owned Chromebook. The setting combines the AllowedDomainsForApps and SecondaryGoogleAccountSigninAllowed policy.
  • Improved developer tools policy
    You can use the new DeveloperToolsAvailability policy to allow developer tools except for force-installed extensions. This behavior is the new default and is useful for organizations that want to allow the general use of developer tools, but prevent tampering with force-installed extensions. For details, see the DeveloperToolsAvailability policy.
  • Auto-updates over LTE policy control
    You can use the DeviceUpdateAllowedConnectionTypes policy to control which connection types a device can receive automatic updates over. There is now an option to enable automatic updates over all connection types, including LTE, as opposed to only WiFi and Ethernet. For details, see the DeviceUpdateAllowedConnectionTypes policy. This feature will be rolled out over the coming weeks in the Admin console under Device management and then Chrome management and then Device settings and then Device Update Settings and then Auto Update Settings.
  • Lock screen control
    After a defined idle time, you can now set a lock screen on users’ devices running Chrome OS. This setting is in the Google Admin console under Device management and then Chrome management and then User settings and then Security and then Idle Settings.

Deprecations

  • AutoFillEnabled policy deprecation
    The AutoFillEnabled policy is deprecated in Chrome 70. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled instead (see Form autofill policy changes above).
  • Gmail Offline app discontinued
    In December 2018, the Gmail Offline app will be removed from the Chrome Web Store. You can now get offline functionality in Gmail. For details, see Use Gmail offline.
  • CRX2 deprecation
    Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted.

    Starting with Chrome 75, this restriction will also apply to force-installed extensions. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

    If your organization is force-installing privately hosted extensions packaged in CRX2 format and you do not repackage them, they will stop updating in Chrome 75. New installations of the extension will fail.

    Why is this change happening?

    CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is computationally feasible, so an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm without this risk.
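To find privately hosted packages that still need repackaging, the format version can be read from the file header. This is an added example, not part of the release notes. A CRX file begins with the ASCII magic "Cr24" followed by a 4-byte little-endian format version (2 for CRX2, 3 for CRX3). The function names and the scratch files written by the demo are constructed for illustration.

```powershell
# Added example: classify extension packages by CRX format version.
function Get-CrxVersion {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 8) { return 'too short' }
    $magic = [System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4)
    if ($magic -cne 'Cr24') { return 'not a CRX' }
    # BitConverter uses the machine byte order, which is little-endian on Windows
    $version = [System.BitConverter]::ToUInt32($Bytes, 4)
    switch ($version) {
        2 { 'CRX2' }
        3 { 'CRX3' }
        default { "unknown ($version)" }
    }
}

function Get-CrxInventory {
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter *.crx -Recurse -File | ForEach-Object {
        # Read only the first 8 bytes: magic plus version
        $head = New-Object byte[] 8
        $stream = [System.IO.File]::OpenRead($_.FullName)
        try {
            $read = $stream.Read($head, 0, 8)
        } finally {
            $stream.Dispose()
        }
        $format = if ($read -eq 8) { Get-CrxVersion $head } else { 'too short' }
        [pscustomobject]@{
            File             = $_.FullName
            Format           = $format
            NeedsRepackaging = ($format -eq 'CRX2')
        }
    }
}

# Constructed 8-byte headers (magic and version only), written to a scratch folder
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'crx-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $demo 'old.crx'),  [byte[]](0x43,0x72,0x32,0x34,2,0,0,0))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'new.crx'),  [byte[]](0x43,0x72,0x32,0x34,3,0,0,0))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'junk.crx'), [byte[]](0x50,0x4B,0x03,0x04,0,0,0,0))

Get-CrxInventory -Path $demo | Format-Table -AutoSize
```

In the demo, old.crx is reported as CRX2 with NeedsRepackaging set to True, new.crx as CRX3, and junk.crx as not a CRX.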

Coming soon

Note: The items listed below are experimental or planned updates. They may be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

  • Change to using PAC scripts to configure proxy settings in Chrome Browser
    If you’re using a Proxy Auto Config (PAC) script to configure Chrome’s proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

    The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of HTTPS URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution.

    In Chrome OS version 71, this policy will change the default value from FALSE to TRUE to improve security. If you already set this policy to TRUE, there will be no impact. If you set it to FALSE, there will be no immediate impact. If you have not set this policy and are relying on the default, you should test this change to see how your PAC scripts operate.

    Note: This policy will be removed in a future release when PAC stripping becomes the default for Chrome OS.
  • CRX2 deprecation
    For details on what’s happening with CRX2-packaged extensions in Chrome 75, see CRX2 deprecation (above).

Upcoming Chrome OS features

  • Android 9.0 Pie
    Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices have not yet been announced. We will include more information in future release notes when it becomes available.
  • Always-on VPN for managed Google Play
    Admins can already install Android VPN apps on Chromebooks. However, users have to start the VPN app manually. Soon, admins can set a VPN app to start a connection when a device is turned on and direct all traffic through that connection. If the connection fails, all traffic is blocked until the VPN connection is reestablished.

Upcoming Admin console features

  • Native printer-management improvements
    Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.
  • Managed guest session support for managed Google Play
    Soon, there will be a setting in the Google Admin console that allows Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Azure – Bulk Enrollment and Computer Name


{last update 12/11/2018}

When creating a provisioning package to perform bulk enrollment, one of the first steps is to Set up device, which includes providing a naming convention for computer names.

This is what it looks like in WCD:

Draw your attention to %SERIAL% and %RAND%.

Using built-in environment variables is great if you’re creating new machine names in Azure, or you’re using Autopilot to aid in the setup and AAD enrollment process. Assigning provisioning packages to groups, and then pairing those groups with the Autopilot feature, is quite an efficient way to perform remote setups.

BUT….the big but, what if you have existing machines, and you want the current computer name to be the computer name in Azure? Provisioning can’t help you with that. 🙁

What? Why not? According to Microsoft, you MUST use the conventions provided, i.e., %SERIAL% or %RAND% to generate computer names. Well, that’s not very friendly…or practical.

After digging around in the advanced areas of the Windows Configuration Designer, sure enough, there was no way to use the current computer name. Just for fun, I did try %COMPUTERNAME%, %PCNAME%, and %DEVICENAME%, just to see if there was perhaps some undocumented method; those did not work.

So, it got me thinking, how could I get around this? If you decide to rename the computer once the machine has been enrolled into Azure, guess what? The machine name doesn’t change in Azure! You have to reenroll. If you use the provisioning package method, you’re back at square one again—with the machine name using %SERIAL% or %RAND%. If you do a manual enrollment, using the Connect to work or school option, that works. But, let’s say you have hundreds, or even thousands of computers. That just isn’t a viable option. The last thing you need is for users to be required to follow some step-by-step instructions to complete some enrollment process. Microsoft, just no.

Soooo, let’s get to it. I figured out how to get around the forced naming convention.

The normal provisioning process works like this:

1 – Run provision package.

2 – Package adds some reg keys.

3 – Renames machine.

4 – Forces a reboot….all within a 60 second window.

5 – When the machine restarts and is back at the logon window, Sign in to: Your work or school account is now visible.

Workgroups

The trick is to get between steps 3 and 4, and rename the machine yourself, before it reboots. That’s right! Using some simple scripting techniques—batch, PowerShell, VBScript—whatever you like,

1 – Create a scripted package.

2 – Store current computer name in a variable.

3 – Run the provisioning package (you now have 60 seconds to work).

4 – Using the variable, rename computer back to original name.

The provisioning package will force the reboot, but….this time instead of %SERIAL% or %RAND% being used, it will apply the original computer name. BAM! Do note, this was tested on workgroup computers. If you want to do this for domain computers, make sure you launch the package with a domain user that has the appropriate rights to rename a domain computer (otherwise, you’ll blow up the domain computer account—not great).


Workgroup Solution

On Error Resume Next

Set wshShell = CreateObject("WScript.Shell")

' Save the current computer name before the provisioning package changes it
strComputerName = wshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")

strComputer = "."

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colComputers = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")

' Add provisioning package here (hidden window, do not wait for it to finish)
wshShell.Run "enroll.ppkg", 0, False

' Wait 30 seconds, inside the 60 second window before the forced reboot
WScript.Sleep 30000

' Rename the computer back to its original name
For Each objComputer In colComputers
    intResult = objComputer.Rename(strComputerName)
Next
WScript.Quit(0)

Domains

Now, something even more experimental: I also figured out how to get around the domain machine name issue, where the domain computer account will have a disassociated trust after the above computer rename (if done without a domain user). This is the scenario: You want to deploy the PPKG under the security context of System Account from SCCM, or other desktop management software. But, if you do that, the AD computer account issue pops up, and Azure sometimes goes sideways, and just names the machine Azure-SERIAL anyways. Arrrg.

The solution: Rename the computer AND apply the registry keys that get altered by the PPKG during enrollment (before the reboot). How did I figure that out? I used procmon by SysInternals, of course.

See the steps below. These will take care of domain machines—installing a PPKG, under the security context of System Account (great for SCCM/LANDesk deployment).


Domain Solution

::Step 1 – Grab Current Device Name
set PCName1=%computername%

::Step 2 – Install PPKG
c:\windows\system32\provtool.exe enroll.ppkg /quiet

::Step 3 – Rename Machine
WMIC ComputerSystem where Name="%computername%" call Rename Name="%PCName1%"

::Step 4 – Apply Reg Keys with Original Device Name

reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName" /v ComputerName /t REG_SZ /d "%PCName1%" /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters" /v HostName /t REG_SZ /d "%PCName1%" /f

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v "NV Hostname" /t REG_SZ /d "%PCName1%" /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\1" /v ExpectedValue /t REG_SZ /d "%PCName1%" /f /reg:64

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v LastComputerName /t REG_SZ /d "%PCName1%" /f /reg:64

reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{FC5B1177-F053-4F20-A47F-063553C16BED}" /v Hostname /t REG_SZ /d "%PCName1%" /f

* This does require appropriate timing; remember the 60 second window for the PPKG during enrollment.

* Tested with build 16299.785 and newer (older builds have issues with Intune)

Notes

from Microsoft, Bulk enrollment for Windows devices

Windows 10 Update – KB4462933 (OS Build 17134.376)


Applies to: Windows 10, version 1803


Improvements and fixes

This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addresses an issue that sometimes prevents documents from appearing in the Microsoft Edge DevTools debugger.
  • Addresses an issue that sometimes prevents Microsoft Edge extension scripts from appearing in Microsoft Edge DevTools.
  • Addresses the redenomination of local currency that the Central Bank of Venezuela implemented to enter the Bolivar Soberano into circulation.
  • Addresses additional issues with updated time zone information.
  • Addresses an issue that causes sysprep /generalize to fail in audit mode because of a race condition while deleting certain registry keys.
  • Addresses an issue with legacy Bluetooth® Basic Rate (BR) device inbound pairing.
  • Addresses an issue that causes the audio service to stop working or become unresponsive while using call control, controlling volume, and streaming music to Bluetooth audio devices. Error messages that appear include:
    • Exception error 0x8000000e in btagservice.dll.
    • Exception error 0xc0000005 or 0xc0000409 in bthavctpsvc.dll.
    • Stop 0xD1 BSOD error in btha2dp.sys.
  • Addresses an issue that causes the OS to stop working when a Bluetooth device is accidentally removed.
  • Addresses an issue that causes the Event Log service to stop responding and degrades reliability in various areas of the operating system until you restart. This occurs when the Event Log is full and you selected Do not overwrite events (Clear logs manually) in Log Properties–System > When maximum event log size is reached:.
  • Addresses an issue to support Microsoft Office events in the “Limit Enhanced” Group Policy setting list.
  • Addresses an issue that makes it impossible to disable TLS 1.0 and TLS 1.1 when the Federal Information Processing Standard (FIPS) mode is enabled.
  • Addresses an issue in which applications on systems with more than 4 GB of memory receive Access Denied error code “0x5” when calling CreateProcessWithLogonW().
  • Addresses an issue in which the AccountName in the Event Log entry for the Microsoft-Windows-Kerberos-Key-Distribution-Center source and Event ID 7 sometimes appears corrupted.
  • Addresses an issue in which applications have handle leaks when using client authentication certificates with the TLS protocol. This issue occurs when the FreeCredentialsHandle call occurs before the DeleteSecurityContext call in the application code.
  • Addresses an issue that might cause TCP connections opened for an application running on Windows Container to fail sporadically. This occurs when the container runs on a Network Address Translation (NAT) Network provided by Windows Network Address Translation (WinNAT). A SYN timeout occurs after reaching the maximum SYN Retransmit count.
  • Addresses an issue with a warning message that appears when using Microsoft Edge to print some PDFs.
  • Addresses an issue that causes the printing of PDF files from SharePoint Online to fail with the error, “Couldn’t open PDF”.
  • Addresses an issue that can cause App-V packages to fail because of a missing file or DLL error.
  • Addresses an issue that may cause container snapshot restoration to fail because of a missing file error.
  • Addresses an issue that prevents the deletion of Immediate Tasks when their deletion timer occurs, such as when you configure Group Policy preferences for Immediate Task actions.
  • Addresses an issue that causes Scheduled Tasks to remain in a queue and not execute until the first user logs on to a Windows 10, version 1803 device. Some affected scenarios include:
    • Scheduled Tasks that are defined in the last phase of setup won’t execute.
    • “Auto-enroll” computer certificates and “root and intermediate” certificates are missing.
  • Addresses an issue that prevented the launch of Windows Defender Application Guard (WDAG) on Windows 10N (Europe) devices after servicing.
  • Addresses an issue that incorrectly implies that user policies have not been applied after configuring a user rights Group Policy setting. Reporting tools, such as RSOP.MSC or Gpresult.exe /h, do not show the user rights policies or display a red “X” instead.
  • Addresses an issue in which connection group folders are not properly merged.
  • Addresses an issue in which Scheduled Tasks configured to run on a specific day of the week don’t execute at the expected time.
  • Addresses an issue that prevents the clock and date flyout from appearing when the region format is Spanish (Spain) and the sorting method is Traditional.
  • Addresses an issue in which the System.Security.Cryptography.Algorithms reference was not correctly loaded on .NET Framework 4.7.1 after the July 10, 2018 and August 14, 2018 patches.
  • Addresses an issue that may cause the system to stop working during the shutdown of some Windows Presentation Foundation (WPF) apps because of TaskCanceledException. Apps that are vulnerable to this issue perform work involving weak events or data binding after the Application.Run() function returns values.
  • Addresses a race condition in temporary files and some antivirus scanners that causes .NET Framework applications to stop working. The error message is, “The process cannot access the file <name of temp file>”.
  • Updates the .NET Framework’s support for the formatting of Japanese dates for the first year in the eras. When the format pattern is “y年”, the year format will use the symbol 元 and not use year number 1. Additionally, the .NET Framework will support dates that include 元. For more information, see KB4469068.
  • Updates Venezuela currency information. This will affect the culture of “es-VE” as follows:
    • The currency symbol is “Bs.S”.
    • The English currency name is “Bolívar Soberano”.
    • The local currency name is “bolívar soberano”.
    • The International Currency Code is “VES”.
  • Addresses an issue that may cause an application that has a child window to stop processing mouse inputs. This issue occurs when a precision touchpad triggers a WM_MOUSEWHEEL event.
  • Addresses an issue that may cause some applications to stop working after unplugging a tablet.
  • Addresses an issue in which application titles that were unexpectedly long were not predictably displayed using ellipses (…). In some cases, the text truncations that appear may confuse users.
  • Addresses an issue that causes the Windows 8.1 app to stop working when it calls the ProjectionManager.StartProjectingAsync API. The error code is 0x80070057.
  • Addresses an issue with Windows Text Input Framework. A layout request may cause some application text input elements to stop responding.
  • Addresses an issue in which users cannot enter East Asian text when prompted to create password hints during the upgrade process.
  • Addresses a multi-monitor issue that may incorrectly render an application that is in full-screen mode after changing the display mode.
  • Addresses an issue with leaks of window-related Graphics Device Interface (GDI) objects during window destruction.
  • Addresses an issue that occurs when typing in a text box of a Windows Presentation Foundation (WPF) application using the on-screen keyboard. If you select one of the predictive text suggestions, that word appears to be entered, but will disappear when you select a different control.
  • Addresses an issue that prevents applications from displaying a pop-up window or dialog box when the applications are in full-screen mode. For example, in a full-screen game, attempting to alter settings such as Multisampling Antialiasing (MSAA) will fail because the confirmation dialog does not appear. The dialog is hidden behind the application.
  • Addresses an issue that causes navigation across eras to stop working in the Japanese Calendar view. For more information, see KB4469068.
  • Addresses an issue related to the date format for the Japanese era calendar. For more information, see KB4469068.
  • Addresses an issue that causes the GetCalendarInfo function to return a wrong value for the Japanese era. For more information, see KB4469068.

If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.

Known issues in this update

(Added 11/2)

Symptom: Developer Tools (F12) may fail to start in Microsoft Edge.
Workaround: Using Administrator permissions, delete the following files and restart Developer Tools:

On an x64 machine: C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64

On an x86 machine: C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_32

Microsoft is working on a resolution and will provide an update in an upcoming release.

Symptom: After you install the August Preview of Quality Rollup or September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception. For more information about this issue, see the following article in the Microsoft Knowledge Base:

4470809 SqlConnection instantiation exception on .NET 4.6 and later after August-September 2018 .NET Framework updates

Workaround: Microsoft is working on a resolution and will provide an update in an upcoming release.

Symptom: [ADDED 11/8] After installing this update, some users cannot set Win32 program defaults for certain app and file type combinations using the Open with… command or Settings > Apps > Default apps.

In some cases, Microsoft Notepad or other Win32 programs cannot be set as the default.
In some cases, attempting to set application defaults again will succeed.

Workaround: Microsoft is working on a resolution and estimates a solution will be available in late November 2018.

How to get this update

Before installing this update
Windows cumulative updates require that you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). This helps to mitigate potential issues while installing the LCU. For more information, see Servicing stack updates.

If you are using Windows Update, the latest SSU (KB4456655) will be offered to you automatically.

To get the stand-alone package for the latest SSU, go to the Microsoft Update Catalog.

Install this update
This update will be downloaded and installed automatically from Windows Update.

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

File information

For a list of the files that are provided in this update, download the file information for cumulative update 4462933.

Source: https://support.microsoft.com/en-us/help/4462933

Direct download links for KB4462933 MSU file from Microsoft Update Catalog:

 Download KB4462933 MSU for Windows 10 v1803 32-bit (x86) – 437.9 MB

 Download KB4462933 MSU for Windows 10 v1803 64-bit (x64) – 782.3 MB

Azure – PowerShell – Import BitLocker

The following PowerShell commands import BitLocker data into Azure. After you run them on a client machine, and provided the machine has been joined to AAD and BitLocker is enabled, the BitLocker data will appear under the device properties in Azure:

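# Select the recovery password protector by type; its position in the KeyProtector list is not fixed
$BITLOCKER = Get-BitLockerVolume -MountPoint "C:"
$RECOVERY = $BITLOCKER.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $RECOVERY.KeyProtectorId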
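
A fuller version of the same backup, as an added example that is not part of the original post: it checks the two preconditions named above (AAD join, BitLocker enabled) and backs up every recovery password protector on every protected volume. The function names are hypothetical, and the join check assumes the English "AzureAdJoined : YES" line in dsregcmd output.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
#Requires -RunAsAdministrator

function Test-AzureAdJoined {
    # Assumption: dsregcmd /status prints "AzureAdJoined : YES" on joined devices
    $status = dsregcmd.exe /status
    return [bool]($status -match 'AzureAdJoined\s*:\s*YES')
}

function Backup-RecoveryPasswordsToAad {
    if (-not (Test-AzureAdJoined)) {
        throw 'Device is not Azure AD joined; nothing was backed up.'
    }

    # Only volumes where BitLocker protection is actually on
    $volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }

    foreach ($volume in $volumes) {
        # Select by protector type rather than by position in the list
        $protectors = @($volume.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($protectors.Count -eq 0) {
            Write-Warning "$($volume.MountPoint): no recovery password protector."
            continue
        }

        foreach ($protector in $protectors) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                    -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
                # Report the protector ID only; never print the recovery password
                Write-Output "$($volume.MountPoint): backed up $($protector.KeyProtectorId)"
            }
            catch {
                Write-Warning "$($volume.MountPoint): backup failed: $($_.Exception.Message)"
            }
        }
    }
}

Backup-RecoveryPasswordsToAad
```

Compare the reported protector IDs with the key IDs listed under the device properties in Azure to confirm each one was escrowed.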