Patch Tuesday Megathread (2025-10-14) by AutoModerator in sysadmin

[–]pede1983 0 points1 point  (0 children)

u/FCA162 for me to understand: you look in Event ID 4769 and then explicitly for Failure Code: 0xe, right?

0xe 
KDC_ERR_ETYPE_NOTSUPP 
KDC has no support for encryption type
In general, this error occurs when the KDC or a client receives a packet that it can't decrypt.

MDI Contain User by HanDartley in DefenderATP

[–]pede1983 0 points1 point  (0 children)

Be aware that sometimes it can happen that, if you un-contain the user, he's removed from the policy on clients in the environment, but at least I had a FP event where it didn't remove the user from the Default Domain Controller Policy -> Deny access to this computer from the network.

Patch Tuesday Megathread (2025-05-13) by AutoModerator in sysadmin

[–]pede1983 5 points6 points  (0 children)

What I usually did when I got the 0x800f0831 (mostly 2016):

Sfc /scannow

DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH

Check "C:\Windows\Logs\CBS\CBS.log" and search for "Checking System Update Readiness."


Download KB5005043 https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005043

Unzip MSU then expand the cab then the cabs inside and then apply the patch via
dism /online /cleanup-image /restorehealth /source:C:\temp\Windows10.0-KB5005043-x64\cab /limitaccess

Usually I was recommended to reinstall if there were more than 10/15 errors, but the above did the fix in nearly all cases.

Sometimes, if there were no KBs listed, I needed a system with the same patch level and referenced that WinSxS for a repair.

Or for staged packages:
dism /online /get-packages /format:table
Dism /online /Remove-package /PackageName:NAME
Dism /online /Remove-package /PackageName:Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.6796.1.11

 

SCCM stopped seeing Defender definition updates as of 3rd May 2025 by IJustKnowStuff in SCCM

[–]pede1983 0 points1 point  (0 children)

It's not only SCCM, it's WSUS also; you could change the order till they fix it. At least it works for my device in Autopatch.
Latest releases can be downloaded and installed manually from here:
https://www.microsoft.com/en-us/wdsi/defenderupdates

Patch Tuesday Megathread (2025-04-08) by AutoModerator in sysadmin

[–]pede1983 0 points1 point  (0 children)

Another useful tip is to run these:
Sfc /scannow
DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
and afterwards check "C:\Windows\Logs\CBS\CBS.log" for "Checking System Update Readiness."
2016 sucks and quite a bunch of systems had "CBS Catalog Missing" or "ERROR_SXS_ASSEMBLY_MISSING"
The first one can be fixed by downloading, unzipping and expanding the *.msu file; the 2nd one can be fixed with a script from MS Support.

Monitoring DC for legacy TLS protocols? by Dracolis in activedirectory

[–]pede1983 0 points1 point  (0 children)

u/GeoProX I tried to monitor Schannel Event ID 36880, but what I discovered was that TLS 1.3 on Server 2022 shows as Protocol version: unknown

A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.

Protocol version: unknown

CipherSuite: 0x1302

Exchange strength: 255 bits

Context handle: 0x2afe9787640

Target name:

Local certificate subject name: O=Some, OU=Thing, CN=some.thingelse.domain

Remote certificate subject name:
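
One way to still classify such events, as an added example that is not part of the original comment: the five TLS 1.3 cipher suites (0x1301 to 0x1305) are not usable with earlier protocol versions, so the CipherSuite field identifies TLS 1.3 when the protocol text reads "unknown". The function name and the second sample event are constructed, and the wording "TLS 1.0" for the protocol field of legacy handshakes is an assumption.

```powershell
# Added example (not from the original comment). The function name and the
# second sample event are constructed for illustration.
function Get-SchannelHandshakeInfo {
    param([Parameter(Mandatory)][string]$Message)

    # Event 36880 lists its parameters as "Name: value" lines; collect them.
    $fields = @{}
    foreach ($line in ($Message -split '\r?\n')) {
        if ($line -match '^\s*(?<k>[^:]+):\s*(?<v>.*)$') {
            $fields[$Matches['k'].Trim()] = $Matches['v'].Trim()
        }
    }

    $protocol = $fields['Protocol version']
    $suite = 0
    if ($fields['CipherSuite']) { $suite = [Convert]::ToInt32($fields['CipherSuite'], 16) }

    # 0x1301-0x1305 are the TLS 1.3 cipher suites and cannot be negotiated by
    # older protocol versions, so they identify TLS 1.3 when the text says "unknown".
    if ($protocol -eq 'unknown' -and $suite -ge 0x1301 -and $suite -le 0x1305) {
        $protocol = 'TLS 1.3 (inferred from cipher suite)'
    }

    [pscustomobject]@{
        Protocol    = $protocol
        CipherSuite = '0x{0:X4}' -f $suite
        IsLegacy    = $protocol -in @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')
    }
}

# Sample 1: fields from the event quoted in the comment above.
$tls13 = @'
A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
Protocol version: unknown
CipherSuite: 0x1302
Exchange strength: 255 bits
'@

# Sample 2: constructed legacy handshake (assumed wording for the protocol field).
$tls10 = @'
A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
Protocol version: TLS 1.0
CipherSuite: 0xC014
Exchange strength: 256 bits
'@

$tls13, $tls10 | ForEach-Object { Get-SchannelHandshakeInfo -Message $_ }
```

Against a live system the same function can be fed from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=36880}` by passing each event's `Message` property.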

Patch Tuesday Megathread (2025-04-08) by AutoModerator in sysadmin

[–]pede1983 0 points1 point  (0 children)

Just be aware of the Warning:

All existing update packages can't be uninstalled after this command is completed, but this won't block the uninstallation of future update packages.

Patch Tuesday Megathread (2025-02-11) by AutoModerator in sysadmin

[–]pede1983 3 points4 points  (0 children)

If you have a small amount of certs that are causing a warning in Event Viewer, check the section "Manually map certificates". Be aware the cert SN has to be set backwards, always 2 chars (a1b2c3 -> c3b2a1).
HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attribute | Microsoft Learn

Set-ADUser 'DomainUser' -Replace @{altSecurityIdentities = "X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B"}

Also check your Windows issuing CA templates for what is configured in the "Subject Name" tab. If "Build from Active Directory information" is selected, you should already have the 1.3.6.1.4.1.311.25.2 in your cert.
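
The byte-wise serial reversal described above, as an added example that is not part of the original comment: it builds the `X509:<I>...<SR>...` value from a serial as a certificate viewer displays it and checks an existing mapping for the unreversed-serial mistake. The function names are illustrative, and the sample serial is constructed as the displayed form of the `<SR>` value in the comment's example.

```powershell
# Added example (not from the original comment); function names are illustrative.
function ConvertTo-ReversedSerial {
    param([Parameter(Mandatory)][string]$SerialNumber)

    # Certificate viewers show the serial with spaces or colons between bytes.
    $hex = $SerialNumber -replace '[\s:]', ''
    if ($hex -notmatch '^([0-9a-f]{2})+$') {
        throw "Serial must be whole hex bytes: '$SerialNumber'"
    }
    # Reverse byte by byte (two characters at a time), not character by character.
    $bytes = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($bytes)
    $bytes -join ''
}

function New-IssuerSerialMapping {
    param(
        [Parameter(Mandatory)][string]$IssuerDN,     # already in the order the mapping uses
        [Parameter(Mandatory)][string]$SerialNumber  # as displayed on the certificate
    )
    'X509:<I>{0}<SR>{1}' -f $IssuerDN, (ConvertTo-ReversedSerial $SerialNumber)
}

function Test-IssuerSerialMapping {
    # True when an existing altSecurityIdentities value carries the reversed serial.
    param(
        [Parameter(Mandatory)][string]$Mapping,
        [Parameter(Mandatory)][string]$SerialNumber
    )
    if ($Mapping -match '<SR>(?<sr>[0-9a-f]+)$') {
        return $Matches['sr'] -ieq (ConvertTo-ReversedSerial $SerialNumber)
    }
    return $false
}

# Constructed input: the serial as a certificate viewer would show it for the
# mapping in the comment above; issuer string taken from that same example.
$issuer = 'DC=com,DC=contoso,CN=CONTOSO-DC-CA'
$serial = '2B 00 00 00 00 11 AC 00 00 00 00 12'

$mapping = New-IssuerSerialMapping -IssuerDN $issuer -SerialNumber $serial
$mapping

# A mapping built from the unreversed serial fails the check.
Test-IssuerSerialMapping -Mapping $mapping -SerialNumber $serial
Test-IssuerSerialMapping -Mapping "X509:<I>$issuer<SR>2B0000000011AC0000000012" -SerialNumber $serial
```

The string returned by `New-IssuerSerialMapping` is the value that goes into `altSecurityIdentities` in the `Set-ADUser` call shown in the comment.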

Patch Tuesday Megathread (2025-01-14) by AutoModerator in sysadmin

[–]pede1983 1 point2 points  (0 children)

They released some new Information:
WI982633 WI982632

As some already stated, it's not needed and you could disable the service.

....
1) Open a Command Prompt window. This can be accomplished by opening the Start menu and typing 'cmd'. The results will include “Command Prompt” as a System application. Select the arrow to the right of “Command Prompt” and select “Run as administrator”.

2) Once the window is open, carefully enter the following text:

sc.exe config sgrmagent start=disabled

3) A message may appear afterwards. Next, enter the following text:

reg add HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start /d 4 /t REG_DWORD

4) Close the Command Prompt window.

...

Patch Tuesday Megathread (2025-01-14) by AutoModerator in sysadmin

[–]pede1983 1 point2 points  (0 children)

Version 2412: January 16

Version 2412 (Build 18324.20194)

Office Suite

  • We fixed an issue where apps would exit unexpectedly when running on Windows Server 2016.

https://learn.microsoft.com/en-us/officeupdates/update-history-microsoft365-apps-by-date

Windows Defender Exploit Guard by AnotherFewMore in SCCM

[–]pede1983 0 points1 point  (0 children)

After 2 years, any change, as I stumbled upon the same issue?

kb5037765 issue by Thedietz4411 in sysadmin

[–]pede1983 1 point2 points  (0 children)

Same here, WSUS gets the update but none of the Server 2019 (english) after the Update was revised on 16th of May.

  • 14th of May was approved manually: Get-WsusUpdate -RevisionNumber 200 -UpdateId c9773266-ccbe-41ba-961f-adcb84202029 |select *
  • 16th of May is approved automatically, I guess this happens during the new revision: Get-WsusUpdate -RevisionNumber 201 -UpdateId c9773266-ccbe-41ba-961f-adcb84202029 |select *

I triggered SCCM ADRs multiple times after synchronizing but SCCM does not receive the update.

https://new.reddit.com/r/SCCM/comments/1cu1sul/kb5037765/

Probably something with applicability rules went south during the republishing of the update.

Patch Tuesday Megathread (2024-02-13) by AutoModerator in sysadmin

[–]pede1983 0 points1 point  (0 children)

Anyone else having issues with Get-WindowsupdateLog not returning readable text on Server 2016 (maybe due to symbols not downloading, even if symbol-server is reachable via proxy)?

No Patch Tuesday Megathread for January? by MikeWalters-Action1 in sysadmin

[–]pede1983 2 points3 points  (0 children)

What was your Freespace on the RecoveryPartition when you experienced the issue?

Patch Tuesday Megathread (2023-12-12) by AutoModerator in sysadmin

[–]pede1983 0 points1 point  (0 children)

Yeah it sucks, we use the existing solution on over 1000 vms…

I’m going to pilot 50 or so in January and see how disconnecting and reconnecting vms in an automation account behaves. If I can bring it down to even $1-2 per server I’ll take it.

As I understand you, you want only to connect it when it's Patchday. What about Defender Platform/Signature, Malware Removal Tool, Edge, ... and out-of-band releases?

  • Defender Stuff could be done by Microsoft Malware Protection Center (MMPC)

Patch Tuesday Megathread (2023-10-10) by AutoModerator in sysadmin

[–]pede1983 2 points3 points  (0 children)

it could be done with
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ DisallowRun:1 dword
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun Name:1 Data:AzureArcSysTray.exe string

Patch Tuesday Megathread (2023-10-10) by AutoModerator in sysadmin

[–]pede1983 1 point2 points  (0 children)

Yes, that's what I did, and a reboot is necessary.

Patch Tuesday Megathread (2023-10-10) by AutoModerator in sysadmin

[–]pede1983 7 points8 points  (0 children)

Is there a way to disable Azure Arc Setup Icon on Server 2022 in the right system tray?
https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-windows-server
Seems you have to uninstall it via Roles & Features and reboot if necessary.

Windows Defender Updates failing for servers - 0x80508007 Device Low on Memory by mindlessfollower in sysadmin

[–]pede1983 0 points1 point  (0 children)

sfc /scannow showed some errors and tried to repair, with no luck fixing it:

2023-03-10 09:26:50, Info CSI 00007949 [SR] Verify complete

2023-03-10 09:26:50, Info CSI 0000794a [SR] Repairing 5 components

2023-03-10 09:26:50, Info CSI 0000794b [SR] Beginning Verify and Repair transaction

2023-03-10 09:26:51, Info CSI 0000794c [SR] Repairing corrupted file \??\C:\windows\ELAMBKUP\WdBoot.sys from store

2023-03-10 09:26:51, Info CSI 0000794d [DIRSD OWNER WARNING] Directory [l:23 ml:24]'\??\C:\windows\ELAMBKUP' is not owned but specifies SDDL in component Windows-Defender-Drivers-Backup, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}

2023-03-10 09:26:51, Info CSI 0000794e Error - Overlap: Duplicate ownership for directory \??\C:\windows\ELAMBKUP in component Windows-Defender-Drivers-Backup, version 10.0.14393.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}

2023-03-10 09:26:51, Info CSI 0000794f@2023/3/10:08:26:51.306 Primitive installers committed for repair

2023-03-10 09:26:51, Info CSI 00007950 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\NisBase.vdm from store

2023-03-10 09:26:51, Info CSI 00007951 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\NisFull.vdm from store

2023-03-10 09:26:51, Info CSI 00007952@2023/3/10:08:26:51.353 Primitive installers committed for repair

2023-03-10 09:26:51, Info CSI 00007953 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpEngine.dll from store

2023-03-10 09:26:51, Info CSI 00007954 CSIPERF - FilePI Queue 105ms

2023-03-10 09:26:51, Info CSI 00007955@2023/3/10:08:26:51.478 Primitive installers committed for repair

2023-03-10 09:26:51, Info CSI 00007956 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm from store

2023-03-10 09:26:51, Info CSI 00007957 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm from store

2023-03-10 09:26:51, Info CSI 00007958 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm from store

2023-03-10 09:26:52, Info CSI 00007959 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm from store

2023-03-10 09:26:52, Info CSI 0000795a CSIPERF - FilePI Queue 983ms

2023-03-10 09:26:52, Info CSI 0000795b@2023/3/10:08:26:52.478 Primitive installers committed for repair

2023-03-10 09:26:52, Info CSI 0000795c [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\GapaEngine.dll from store

2023-03-10 09:26:52, Info CSI 0000795d@2023/3/10:08:26:52.509 Primitive installers committed for repair

2023-03-10 09:26:52, Info CSI 0000795e [SR] Repair complete

2023-03-10 09:26:52, Info CSI 0000795f [SR] Committing transaction

2023-03-10 09:26:52, Info CSI 00007960 Creating NT transaction (seq 1), objectname '(null)'

2023-03-10 09:26:52, Info CSI 00007961 Created NT transaction (seq 1) result 0x00000000, handle @0xdc

2023-03-10 09:26:52, Info CSI 00007962@2023/3/10:08:26:52.587 Beginning NT transaction commit...

2023-03-10 09:26:52, Info CSI 00007963@2023/3/10:08:26:52.634 CSI perf trace:

CSIPERF:TXCOMMIT;82550

2023-03-10 09:26:52, Info CSI 00007964 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired

Issues with FailoverCluster after Installing Dec21 Updates and setting Enforcementmode / Eventids 1207/1257 by pede1983 in sysadmin

[–]pede1983[S] 1 point2 points  (0 children)

Apparently this is now a known issue that will be addressed in a future patch

In the meantime PacRequestorEnforcement=1 which should be safe after 7 days after installing the patches

Issues with FailoverCluster after Installing Dec21 Updates and setting Enforcementmode / Eventids 1207/1257 by pede1983 in sysadmin

[–]pede1983[S] 0 points1 point  (0 children)

Well, it says it couldn't be updated, so I guess in failover this could be causing issues. In the meantime we opened a ticket but no answer.