Monday 17 June 2019

"Incorrect Function" at logon windows 10

This seems to be caused by setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to a low number like 1. You will receive the "Incorrect Function" error if you are attempting to log in to an existing account that was not the last account logged on to.

Tuesday 9 April 2019

Windows Update Failure Server 2016 SCCM + PXE Point

The Setup:

  • Server 2016 Hyper-V guest
  • SCCM
  • PXE Distribution point

The Error:

Any time Windows Update attempted to install an update later than KB4487026, it would fail at 72% with the following error in the CSI log:

2019-04-09 23:21:59, Info                  CSI    000002b2 Begin executing advanced installer phase 31 index 0 (sequence 0)
    Old component: [l:0]''
    New component: [l:0]''
    Install mode: delta
    Smart installer: TRUE
    Installer ID: {a111f280-5923-47c0-9a68-d0bafb577901}
    Installer name: 'Network Drivers'
2019-04-09 23:21:59, Info                  CSI    000002b3 Begin NetSetup servicing operation
2019-04-09 23:21:59, Info                  CSI    000002b4 Begin loading the binding engine
2019-04-09 23:22:00, Info                  CBS    Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Percent progress: 72.
2019-04-09 23:26:59, Info                  CSI    000002b5 Exception: AI base address @0x7ffbc8eb0000
2019-04-09 23:26:59, Info                  CSI    000002b6 Exception: API address of NetSetupCommit @0x7ffbc8e81390
2019-04-09 23:26:59, Info                  CSI    000002b7 Exception: Frame @0x7ffbe8bd1a39
2019-04-09 23:26:59, Info                  CSI    000002b8 Exception: Frame @0x7ffbe5264078
2019-04-09 23:26:59, Info                  CSI    000002b9 Exception: Frame @0x7ffbe69fbab2
2019-04-09 23:26:59, Info                  CSI    000002ba Exception: Frame @0x7ffbe8c39bc3
2019-04-09 23:26:59, Info                  CSI    000002bb Exception: Frame @0x7ffbc8eb63bc
2019-04-09 23:26:59, Info                  CSI    000002bc Exception: Frame @0x7ffbc8eb629b
2019-04-09 23:26:59, Info                  CSI    000002bd Exception: Frame @0x7ffbc8eb6308
2019-04-09 23:26:59, Info                  CSI    000002be Exception: Frame @0x7ffbc8eb5152
2019-04-09 23:26:59, Info                  CSI    000002bf Exception: Frame @0x7ffbdce8f31e
2019-04-09 23:26:59, Info                  CSI    000002c0 Exception: Frame @0x7ffbdce8f0a1
2019-04-09 23:26:59, Info                  CSI    000002c1 Exception: Frame @0x7ffbdce76751
2019-04-09 23:26:59, Info                  CSI    000002c2 Exception: Frame @0x7ffbdce9be1d
2019-04-09 23:26:59, Info                  CSI    000002c3 Exception: Frame @0x7ffbddcc73bd
2019-04-09 23:26:59, Info                  CSI    000002c4 Exception: Frame @0x7ff7e7bf3c88
2019-04-09 23:26:59, Info                  CSI    000002c5 Exception: Frame @0x7ffbe6b08263
2019-04-09 23:26:59, Info                  CSI    000002c6 Exception: Frame @0x7ffbe6b6bc0d
2019-04-09 23:26:59, Info                  CSI    000002c7 Exception: API address of NetSetupCommit @0x7ffbc8e81390
2019-04-09 23:26:59, Info                  CSI    000002c8 Exception: Frame @0x7ffbc8ebcb0f
2019-04-09 23:26:59, Info                  CSI    000002c9 Exception: Frame @0x7ffbc8ebbf44
2019-04-09 23:26:59, Info                  CSI    000002ca Exception: Frame @0x7ffbc8eb52cb
2019-04-09 23:26:59, Info                  CSI    000002cb Exception: Frame @0x7ffbc8eb63bc
2019-04-09 23:26:59, Info                  CSI    000002cc Exception: Frame @0x7ffbc8eb629b
2019-04-09 23:26:59, Info                  CSI    000002cd Exception: Frame @0x7ffbc8eb6308
2019-04-09 23:26:59, Info                  CSI    000002ce Exception: Frame @0x7ffbc8eb5152
2019-04-09 23:26:59, Info                  CSI    000002cf Exception: Frame @0x7ffbdce8f31e
2019-04-09 23:26:59, Info                  CSI    000002d0 Exception: Frame @0x7ffbdce8f0a1
2019-04-09 23:26:59, Info                  CSI    000002d1 Exception: Frame @0x7ffbdce76751
2019-04-09 23:26:59, Info                  CSI    000002d2 Exception: Frame @0x7ffbdce9be1d
2019-04-09 23:26:59, Info                  CSI    000002d3 Exception: Frame @0x7ffbddcc73bd
2019-04-09 23:26:59, Info                  CSI    000002d4 Exception: Frame @0x7ff7e7bf3c88
2019-04-09 23:26:59, Info                  CSI    000002d5 Exception: Frame @0x7ffbe6b08263
2019-04-09 23:26:59, Info                  CSI    000002d6 Exception: Frame @0x7ffbe6b6bc0d
2019-04-09 23:26:59, Info                  CSI    000002d7 Exception: Frame @0x7ffbe6a968f9
2019-04-09 23:26:59, Info                  CSI    000002d8@2019/4/9:13:26:59.533 CSI Advanced installer perf trace:
CSIPERF:AIDONE;{a111f280-5923-47c0-9a68-d0bafb577901};(null);300181877us
2019-04-09 23:26:59, Info                  CSI    000002d9 End executing advanced installer (sequence 0)
    Completion status: 800106d9 [Error,Facility=(0001),Code=1753 (0x06d9)]

2019-04-09 23:26:59, Info                  CSI    000002da Performing 1 operations as follows:
  (0)  LockComponentPath: flags: 0 comp: {l:16 b:68f708e9d7eed401de0200008007ac07} pathid: {l:16 b:68f708e9d7eed401df0200008007ac07} path: [l:115]'\SystemRoot\WinSxS\x86_microsoft.windows.s..ation.badcomponents_31bf3856ad364e35_10.0.14393.0_none_09e78f632173f4c5' pid: 780 starttime: 131992895724459066
2019-04-09 23:26:59, Error      [0x01805b] CSI    000002db (F) Failed execution of queue item Installer: Network Drivers ({a111f280-5923-47c0-9a68-d0bafb577901}) with HRESULT 800106d9 [Error,Facility=(0001),Code=1753 (0x06d9)].  Failure will not be ignored: A rollback will be initiated after all the operations in the installer queue are completed; installer is reliable[gle=0x80004005]
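To make a failure like the one above quicker to triage, here is an added example (not part of the original post) that scans a CSI log for "Failed execution of queue item" lines and decodes the HRESULT into its severity, facility and Win32 code. The sample log is a constructed, shortened copy of the excerpt above; the facility and code names are the ones from winerror.h, and the script runs under Node.

```javascript
// Added example (not from the original post): pull the failing advanced
// installer and its HRESULT out of a CSI/CBS log and decode the HRESULT.
// The sample below is constructed from the excerpt in the post.
const SAMPLE_CSI_LOG = `
2019-04-09 23:21:59, Info                  CSI    000002b2 Begin executing advanced installer phase 31 index 0 (sequence 0)
    Installer ID: {a111f280-5923-47c0-9a68-d0bafb577901}
    Installer name: 'Network Drivers'
2019-04-09 23:22:00, Info                  CBS    Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Percent progress: 72.
2019-04-09 23:26:59, Info                  CSI    000002d9 End executing advanced installer (sequence 0)
    Completion status: 800106d9 [Error,Facility=(0001),Code=1753 (0x06d9)]
2019-04-09 23:26:59, Error      [0x01805b] CSI    000002db (F) Failed execution of queue item Installer: Network Drivers ({a111f280-5923-47c0-9a68-d0bafb577901}) with HRESULT 800106d9 [Error,Facility=(0001),Code=1753 (0x06d9)].  Failure will not be ignored: A rollback will be initiated after all the operations in the installer queue are completed; installer is reliable[gle=0x80004005]
`;

// Facility numbers from winerror.h that turn up in servicing logs.
const FACILITIES = { 0: "FACILITY_NULL", 1: "FACILITY_RPC", 4: "FACILITY_ITF", 7: "FACILITY_WIN32" };
// Win32/RPC codes worth recognising on sight; 1753 is the one in this post.
const WIN32_CODES = { 1753: "EPT_S_NOT_REGISTERED (no more endpoints available from the endpoint mapper)" };

// Split a 32-bit HRESULT (given as 8 hex digits) into its fields.
function decodeHresult(hex) {
  const value = parseInt(hex, 16) >>> 0;
  const facility = (value >>> 16) & 0x7ff; // bits 16-26
  const code = value & 0xffff;             // bits 0-15
  return {
    hresult: "0x" + value.toString(16).padStart(8, "0"),
    severity: value & 0x80000000 ? "Error" : "Success", // bit 31
    facility,
    facilityName: FACILITIES[facility] || "unknown",
    code,
    codeName: WIN32_CODES[code] || "unknown",
  };
}

// Scan the log for "(F) Failed execution of queue item" lines and return one
// record per failure with the installer name, its GUID and the decoded HRESULT.
function findFailedInstallers(logText) {
  const re = /Failed execution of queue item Installer: (.+?) \((\{[0-9a-f-]{36}\})\) with HRESULT ([0-9a-f]{8})/i;
  const failures = [];
  for (const line of logText.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    failures.push({ installer: m[1], installerId: m[2], ...decodeHresult(m[3]) });
  }
  return failures;
}

// Run stand-alone: print what failed and why.
for (const f of findFailedInstallers(SAMPLE_CSI_LOG)) {
  console.log(`${f.installer} ${f.installerId}: ${f.hresult} -> ${f.severity}, ${f.facilityName}, code ${f.code} ${f.codeName}`);
}
```

For the excerpt this decodes to facility 1 (RPC) and code 1753, EPT_S_NOT_REGISTERED, an RPC endpoint-mapper error, which at least points you at the services the Network Drivers installer talks to rather than at the update package itself.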

The temporary solution:

Remove the PXE distribution point from SCCM, allow SCCM to remove WDS, wait a few minutes, reboot, and try to update again.

Saturday 4 February 2017

WPAD and Microsoft's NCSI

One of my 2017 goals is to remove as much NTLM authentication as possible. The big one at this site was the Squid proxy.

After implementing the new proxy, with the only change being the removal of the NTLM authentication mechanism, I started seeing users complain that they had no internet...

That can't be right, I tested the crap out of this...

The conversation would generally go something like this:
User: Everything is broken?
Me: What are you having trouble with?
User: There is a yellow exclamation mark over the wifi, I CAN'T DO ANYTHING!
Me: Can you try to access Google for me.
User: That worked, thanks for fixing it.
Me: Just ignore the yellow exclamation mark, I will fix that soon.

Unsure why this is now a problem, I look at what has changed.

  • I have changed the WPAD file to point to the new server.
  • I have a newer version of Squid.
  • I have changed the way authentication works in Squid.

After reading up on Microsoft NCSI (here, here and here), I get down and dirty in Wireshark trying to figure out what could be causing this.

Outbound ports 80 and 443 are blocked, so the initial handshake to www.msftncsi.com or msftconnecttest.com is stopped. But this has always been the case: ports 80 and 443 have been blocked for the last 15 years, and the problem only appeared after changing to this new proxy.

As part of the Squid config I have a rule that allows both www.msftncsi.com and msftconnecttest.com to bypass all authentication, but looking at the logs there have not been any requests to either of these domains... Strange.

I have an alternative proxy at this site that does not need any auth but has a heavily restricted whitelist of sites that are allowed through, including the NCSI sites. If I change the wpad.dat file to point to the other proxy, the exclamation mark goes away! Looking at the logs on this other server, the NCSI requests come through like normal.

10.x.x.x TCP_MISS/200 471 GET http://www.msftncsi.com/ncsi.txt - FIRSTUP_PARENT/123.x.x.x text/plain

Looking at Wireshark, the client still attempts to make a request to the IPs directly, but after a few seconds it attempts through the proxy like it should.

So looking at the WPAD file I just changed, I am referencing the alternative proxy by IP, not FQDN. I change my WPAD to point to the new proxy by IP address and, what do you know, it works, but obviously Kerberos won't work unless I am using the FQDN...

So I add this to the PAC file and it seems to work:

// If the hostname is one of the NCSI probe hosts, send it to the
// unauthenticated proxy by IP address rather than the Kerberos proxy.
if (dnsDomainIs(host, "www.msftconnecttest.com") ||
    dnsDomainIs(host, "www.msftncsi.com"))
    return "PROXY 10.x.x.x:8080";

I don't know why this issue has arisen after changing proxy, as the old proxy was also referenced by FQDN...
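As an added example (not the post's own wpad.dat), here is a complete PAC file built around that rule: the two NCSI probe hosts go to the unauthenticated whitelist proxy by IP, plain hostnames and an internal domain go direct, and everything else goes to the Kerberos proxy by FQDN. The proxy addresses and the internal domain are placeholders, and the two helper functions at the bottom are stand-ins for the ones the PAC engine provides, included only so the file can be run and tested under Node.

```javascript
// Added example, not the post's wpad.dat. Proxy addresses and the internal
// domain are constructed placeholders.
const NCSI_PROXY = "PROXY 192.0.2.10:8080";            // assumed: no-auth whitelist proxy, by IP
const AUTH_PROXY = "PROXY proxy.example.internal:3128"; // assumed: Kerberos proxy, must be FQDN
const INTERNAL_DOMAIN = ".example.internal";            // assumed: names that never need the proxy

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Windows' connectivity probe runs before any user is logged on and cannot
  // do Kerberos, so it goes to the unauthenticated proxy, addressed by IP.
  if (dnsDomainIs(host, "www.msftconnecttest.com") ||
      dnsDomainIs(host, "www.msftncsi.com")) {
    return NCSI_PROXY;
  }

  // Single-label names and the internal domain bypass the proxy entirely.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }

  // Everything else: the authenticating proxy, by FQDN so the SPN resolves.
  return AUTH_PROXY;
}

// --- PAC runtime stand-ins --------------------------------------------------
// The browser/WinHTTP PAC engine provides these two; they are re-implemented
// here to match the reference definitions only so the file runs under Node.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Run stand-alone: show where a few representative requests would go.
for (const h of ["www.msftncsi.com", "www.msftconnecttest.com", "intranet", "files.example.internal", "www.google.com"]) {
  console.log(`${h} -> ${FindProxyForURL("http://" + h + "/", h)}`);
}
```

dnsDomainIs is a suffix match, so any name ending in "www.msftncsi.com" is routed to the no-auth proxy; that is harmless only because that proxy keeps a strict whitelist, so the whitelist on the unauthenticated proxy is part of the control, not just the PAC rule.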

I hope this can help others, as there is not a huge amount of documentation on Microsoft's NCSI.

Have Fun.

Wednesday 16 March 2016

Security Ramblings

Adblock Plus

So I have been using Adblock Plus personally for many years. Three years ago we started automatically installing Adblock Plus into Chrome using Group Policy; ad blocking has become just another layer of defence to help us protect our users from junkware, malware and ransomware. As a byproduct we reduced our malware infections by a good 30%-40% over the following year. The remainder is hard to combat, as it comes from users engaging in high-risk activities online (free Minecraft, malicious links from social media, etc). The Chrome force-install policy entry we push (extension ID; update URL):
cfhdojbkjhnklbpkdaibdccddilifddb;http://clients2.google.com/service/update2/crx?response=redirect&x=id%3Dcfhdojbkjhnklbpkdaibdccddilifddb%26lang%3Den-US%26uc


System Center Endpoint Protection PUA

We recently activated the PUA protection from Microsoft as part of the System Center Endpoint Protection suite for Windows 10, and so far it is working great. No more infections of Search Protect from uTorrent, as uTorrent is blocked because it bundles software with it (lol).

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "1" /f

uBlock Origin

As we are always looking for better security and business continuity, we are trialling uBlock Origin to replace Adblock Plus. So far the reports from our small test group are positive, and I expect us to deploy it to a larger group of users in the next few days.
cjpalhdlnbpafiamejdnhcphjbkeiagm;http://clients2.google.com/service/update2/crx?response=redirect&x=id%3Dcjpalhdlnbpafiamejdnhcphjbkeiagm%26lang%3Den-US%26uc

Saturday 28 March 2015

OSX Printer Profiles and PPD's

So you want to specify a PPD file for your printer so that you have more features than the default PPD provides.
If you add the following line to your printer's configuration

and you can add this line if you want authentication to work better against a Windows server, so that it looks like this.

Sunday 12 October 2014

OSX Black screen after upgrade. PolicyBanner.rtfd

So I have a small fleet of Mac laptops and desktops that are mixed in with the 500+ Windows devices I look after. Occasionally an issue comes up along the lines of "my laptop won't turn on... I did nothing."

So the symptoms are: the laptop boots like normal and you hear the sound, but after that it may just flash an Apple logo for half a second and then you can only see the mouse moving on a black screen.

I have found that if you rename PolicyBanner.rtfd to disable it, using single user mode, and then reboot, the Mac will come back to life.

Testing this fix is easy.

  1. Turn off the offending Mac.
  2. Boot while holding Command and S.
  3. When you see the command line, type "/sbin/mount -uw /"
  4. "cd /Library/Security"
  5. "mv PolicyBanner.rtfd/ PolicyBanner.rtfd-old"
  6. "reboot"

Now it should be working, if your problem was the same one that has been affecting my Macs on and off for the last year.

If it does fix your Mac, just run the process again and rename PolicyBanner.rtfd-old back to PolicyBanner.rtfd and your Mac will continue to work.

Done. :)

Thursday 26 June 2014

Error: Connection failed to the directory server. (2100)


Problem

So I have been having issues with Apple Open Directory on OS X Mavericks 10.9.2, issues that range from computers losing their bindings and not applying login scripts to a complete inability to reimage machines with DeployStudio.


Errors

After getting error messages such as:

Error: Connection failed to the directory server. (2100)

or

DS Error: -14006(eDSCannotAccessSession) LDAPv3/zeta.curric.lhsc.edu.vic.gov.au node is unavailable, new attempt in 10 seconds

or 

the IP address of the Open Directory server is missing in Server under the Open Directory tab.


Diagnostic

Running this command from the command line on the Open Directory server gives some clues about where to look for what is going on.

$ sudo serveradmin settings dirserv

dirserv:treeConfiguration:odTree:_array_index:0:PrimaryMaster = "zeta.curric.lhsc.edu.vic.gov.au"
dirserv:treeConfiguration:odTree:_array_index:0:IPaddresses = _empty_array
dirserv:treeConfiguration:odTree:_array_index:0:GUID = "369E6792-929E-467C-8311-187D6B371315"
dirserv:treeConfiguration:odTree:_array_index:0:ReplicaName = "Master"
dirserv:treeConfiguration:odTree:_array_index:0:treeSource = "PrimaryMaster"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:IPaddresses = _empty_array
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:GUID = "369E6792-929E-467C-8311-187D6B371315"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:ReplicaName = "zeta.curric.lhsc.edu.vic.gov.au"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:Replicas:_array_index:0:GUID = "E3BFD0E9-07A3-452C-ABBE-43169C6FF597"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:Replicas:_array_index:0:ReplicaName = "geta.curric.lhsc.edu.vic.gov.au"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:IPaddresses:_array_index:0 = "10.129.64.123"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:GUID = "E3BFD0E9-07A3-452C-ABBE-43169C6FF597"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:ReplicaName = "geta.curric.lhsc.edu.vic.gov.au"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:Replicas:_array_index:0:GUID = "369E6792-929E-467C-8311-187D6B371315"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:Replicas:_array_index:0:ReplicaName = "zeta.curric.lhsc.edu.vic.gov.au"


Fix

The thing that immediately stands out as not quite right is the IPaddresses = _empty_array line: where are the IP addresses of the OD Master? After much faffing around with Google, with everyone saying it is a DNS issue and telling people to back up their LDAP database and restore it on a newly built server, the solution turned out to be simply to go into Network settings and change your IP address to something else. I changed mine from x.x.x.111 to x.x.x.180 and then back again and, lo and behold, it is fixed.

dirserv:treeConfiguration:odTree:_array_index:0:PrimaryMaster = "zeta.curric.lhsc.edu.vic.gov.au"
dirserv:treeConfiguration:odTree:_array_index:0:IPaddresses = "x.x.x.111"
dirserv:treeConfiguration:odTree:_array_index:0:GUID = "369E6792-929E-467C-8311-187D6B371315"
dirserv:treeConfiguration:odTree:_array_index:0:ReplicaName = "Master"
dirserv:treeConfiguration:odTree:_array_index:0:treeSource = "PrimaryMaster"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:IPaddresses = "x.x.x.111"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:GUID = "369E6792-929E-467C-8311-187D6B371315"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:ReplicaName = "zeta.curric.lhsc.edu.vic.gov.au"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:Replicas:_array_index:0:GUID = "E3BFD0E9-07A3-452C-ABBE-43169C6FF597"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:Replicas:_array_index:0:ReplicaName = "geta.curric.lhsc.edu.vic.gov.au"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:IPaddresses:_array_index:0 = "10.129.64.123"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:GUID = "E3BFD0E9-07A3-452C-ABBE-43169C6FF597"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:ReplicaName = "geta.curric.lhsc.edu.vic.gov.au"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:Replicas:_array_index:0:GUID = "369E6792-929E-467C-8311-187D6B371315"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:Replicas:_array_index:0:ReplicaName = "zeta.curric.lhsc.edu.vic.gov.au"
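To catch this state without reading through the whole dump, here is an added example (not from the original post) that parses "serveradmin settings dirserv" output, including the run-together form it takes after a copy and paste, and reports every ReplicaName whose sibling IPaddresses is _empty_array. The two samples are constructed, shortened versions of the broken and fixed output, with placeholder hostnames and addresses.

```javascript
// Added example, not the post's own tooling: parse "serveradmin settings
// dirserv" output and flag replicas with no IP address. Both samples are
// constructed stand-ins for the broken and fixed dumps shown in the post.

// Constructed: the broken state. The first line is deliberately run together
// and one key uses the "IPaddresses=" spacing, both as seen in pasted dumps.
const BROKEN_OUTPUT = `
dirserv:treeConfiguration:odTree:_array_index:0:PrimaryMaster = "master.example.com" dirserv:treeConfiguration:odTree:_array_index:0:IPaddresses = _empty_array
dirserv:treeConfiguration:odTree:_array_index:0:ReplicaName = "Master"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:IPaddresses= _empty_array
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:ReplicaName = "master.example.com"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:IPaddresses:_array_index:0 = "192.0.2.123"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:ReplicaName = "replica.example.com"
`;

// Constructed: the same tree after the master's address came back.
const FIXED_OUTPUT = `
dirserv:treeConfiguration:odTree:_array_index:0:PrimaryMaster = "master.example.com"
dirserv:treeConfiguration:odTree:_array_index:0:IPaddresses = "192.0.2.111"
dirserv:treeConfiguration:odTree:_array_index:0:ReplicaName = "Master"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:IPaddresses= "192.0.2.111"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:0:ReplicaName = "master.example.com"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:IPaddresses:_array_index:0 = "192.0.2.123"
dirserv:treeConfiguration:odTree:_array_index:0:Replicas:_array_index:1:ReplicaName = "replica.example.com"
`;

// Turn the dump into a flat key -> value map. Entries are split wherever a
// new "dirserv:" key starts, so lines that were run together still parse.
function parseServeradmin(text) {
  const settings = {};
  for (const entry of text.trim().split(/\s+(?=dirserv:)/)) {
    const m = /^(dirserv:\S+?)\s*=\s*([\s\S]*)$/.exec(entry.trim());
    if (!m) continue;
    let value = m[2].trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // strip the quotes serveradmin puts on strings
    }
    settings[m[1]] = value;
  }
  return settings;
}

// For every ...:ReplicaName, look at the sibling ...:IPaddresses key and
// report the replica if serveradmin printed _empty_array for it.
function findReplicasWithoutAddresses(settings) {
  const missing = [];
  for (const [key, name] of Object.entries(settings)) {
    if (!key.endsWith(":ReplicaName")) continue;
    const ipKey = key.slice(0, -":ReplicaName".length) + ":IPaddresses";
    if (settings[ipKey] === "_empty_array") missing.push(name);
  }
  return missing;
}

// Run stand-alone: report both samples.
for (const [label, dump] of [["broken", BROKEN_OUTPUT], ["fixed", FIXED_OUTPUT]]) {
  const missing = findReplicasWithoutAddresses(parseServeradmin(dump));
  console.log(`${label}: ${missing.length ? "no IP address for " + missing.join(", ") : "all replicas have addresses"}`);
}
```

Pipe the real command through this on the OD master and the broken state reports both the "Master" entry and the master's own replica record, which is exactly the pair of _empty_array lines in the dump above.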

I hope this helped.