Wednesday, 6 September 2017

Windows 10 roaming profiles cause Edge and other packaged applications to fail loading

The cause of this seems to be that when a user logs out, Windows 10 sets some essential registry keys to read only. When they log on again these keys are in the wrong state and packaged applications, including Edge, fail to load. This seems to be only one of the causes, and MS has released no fix since version 1511.
Below is a walkthrough of how we worked this out.


Make sure your WKS has all the latest updates.
Connect to your DC and open the Group Policy editor.
Create a WMI filter for Windows 10 with the following:
Namespace (should already be there):            root\CIMv2
Query:   select * from WIN32_OperatingSystem WHERE Version LIKE '10.0.%'
You may get the following message; ignore it.


Create a group policy for your domain users called “User-Windows10RoamingProfileFix”. This will be targeted at Windows 10 computers using the WMI filter we created in the previous step.
On the new policy: Right Click > Enforced.
Right Click > Edit > User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) > Double Click on Logon > PowerShell Scripts > Add.
Click on Browse.

Inside the Browse popup create a new txt file and rename it to
Make sure you have file extensions shown and that the file has a .ps1 (PowerShell) extension, not .txt!
Copy and paste the following into the file:
#!PowerShell. De pilo pendet.

#(c) Christian Ullrich
# copied by James Bayley 2016/01/25

function MakeACE() {
    # The self-documenting NTAccount type results in an object that "cannot be translated".
    $id = New-Object System.Security.Principal.SecurityIdentifier("S-1-15-2-1")
    # ALL APPLICATION PACKAGES: Allow FullControl, inherited by subkeys. The argument list
    # was cut off in this copy of the script; these values are the assumed original.
    New-Object System.Security.AccessControl.RegistryAccessRule($id, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
}

function GrantRequiredAccess($key) {
    # Read the key's ACL, add the package ACE and write it back
    $acl = Get-Acl $key
    $acl.AddAccessRule((MakeACE))
    Set-Acl $key $acl
}

# All Windows 10, since Microsoft apparently managed to break build 10240 as well in December 2015, after having shipped 10586 broken from the start.
#New-EventLog -LogName Application -Source "LogonScript"
#Write-EventLog -LogName Application -Source LogonScript -EntryType Information -EventId 1 -Message "In LoginScript to fix roaming profiles"
if ([Environment]::OSVersion.Version.Major -eq 10) {
    # Write-EventLog -LogName Application -Source LogonScript -EntryType Information -EventId 1 -Message "Windows 10 detected"
    GrantRequiredAccess "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe"
    GrantRequiredAccess "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\"
}
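An added verification script (not part of the original post or of Christian Ullrich's logon script) that reports whether ALL APPLICATION PACKAGES (S-1-15-2-1) holds an Allow entry on the two AppContainer storage keys the logon script repairs; run it in the affected user's session before and after the fix to confirm it took effect. The key paths are the ones from the script; the function name is ours.

```powershell
# Added check, not from the original post: does S-1-15-2-1 have an Allow ACE
# on the AppContainer storage keys that the logon script above repairs?
$AllAppPackages = New-Object System.Security.Principal.SecurityIdentifier("S-1-15-2-1")

$Keys = @(
    "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage",
    "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe"
)

function Test-AppContainerAccess {
    param([Parameter(Mandatory)][string]$Key)

    if (-not (Test-Path -Path $Key)) {
        return [pscustomobject]@{ Key = $Key; Exists = $false; Allowed = $false; Rights = "" }
    }

    $acl = Get-Acl -Path $Key
    # Ask for rules keyed by SID: the NTAccount form of this principal is the
    # one the script's own comment says "cannot be translated".
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allow = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $AllAppPackages.Value -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
    })

    [pscustomobject]@{
        Key     = $Key
        Exists  = $true
        Allowed = ($allow.Count -gt 0)
        Rights  = (($allow | ForEach-Object { $_.RegistryRights.ToString() }) -join "; ")
    }
}

$results = $Keys | ForEach-Object { Test-AppContainerAccess -Key $_ }
$results | Format-List

# Non-zero exit code when any key lacks the entry, so the check can be run
# remotely or scheduled and its result collected.
if ($results | Where-Object { -not $_.Allowed }) { exit 1 }
```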


“ExcludeProfileDirs” Registry Tweak

1. Continue editing the above-mentioned GPO.
2. Navigate to User Configuration > Preferences > Windows Settings > Registry and create a new registry item with the following information.

The key path is:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (don’t copy-paste it, navigate to it yourself!!!!)

The value name is ExcludeProfileDirs. In the Value data field you should put the following, which also supports Windows 10 version 1703.

AppData\LocalLow;$Recycle.Bin;OneDrive;WorkFolders;AppData\Local\Comms;AppData\Local\ConnectedDevicesPlatform;AppData\Local\Google;AppData\Local\GroupPolicy;AppData\Local\Mozilla;AppData\Local\Packages;AppData\Local\Publishers;AppData\Local\PeerDistRepub;AppData\Local\Temp;AppData\Local\VirtualStore;AppData\Local\Winternals;AppData\Local\Adobe;AppData\Local\Apple;AppData\Local\AppleComputer;AppData\Local\Autodesk;AppData\Local\Chromium;AppData\Local\CrashDumps;AppData\Local\NVIDIA;AppData\Local\NVIDIACorporation;AppData\Local\Skype;AppData\Local\WebEx;AppData\Local\Foxit Reader;AppData\Local\Macromedia;AppData\Local\Microsoft_Corporation;AppData\Local\Real;AppData\Local\DropBox;AppData\Local\Vmware;AppData\Local\Windows Live;AppData\Local\CrashDumps;AppData\Local\Citrix;AppData\Local\Microsoft\AppV;AppData\Local\Microsoft\Credentials;AppData\Local\Microsoft\Feeds;AppData\Local\Microsoft\Feeds Cache;AppData\Local\Microsoft\GameDVR;AppData\Local\Microsoft\Group Policy;AppData\Local\Microsoft\InputPersonalization;AppData\Local\Microsoft\InstallAgent;AppData\Local\Microsoft\Internet Explorer;AppData\Local\Microsoft\Media Player;AppData\Local\Microsoft\OneDrive;AppData\Local\Microsoft\PenWorkspace;AppData\Local\Microsoft\PlayReady;AppData\Local\Microsoft\Vault;AppData\Local\Microsoft\Windows Live;AppData\Local\Microsoft\Windows Sidebar;AppData\Local\Microsoft\WindowsApps;AppData\Local\Microsoft\Windows\UPPS;AppData\Local\Microsoft\Windows\1033;AppData\Local\Microsoft\Windows\ActionCenterCache;AppData\Local\Microsoft\Windows\Application Shortcuts;AppData\Local\Microsoft\Windows\Burn;AppData\Local\Microsoft\Windows\GameExplorer;AppData\Local\Microsoft\Windows\History;AppData\Local\Microsoft\Windows\IECompatCache;AppData\Local\Microsoft\Windows\IECompatUaCache;AppData\Local\Microsoft\Windows\INetCache;AppData\Local\Microsoft\Windows\INetCookies;AppData\Local\Microsoft\Windows\Notifications;AppData\Local\Microsoft\Windows\OfflineFiles;AppData\Local\Microsoft\Windows\PowerShell;AppData\Local\Microsoft\Windows\PRICache;AppData\Local\Microsoft\Windows\Ringtones;AppData\Local\Microsoft\Windows\RoamingTiles;AppData\Local\Microsoft\Windows\Safety;AppData\Local\Microsoft\Windows\SchCache;AppData\Local\Microsoft\Windows\SettingSync;AppData\Local\Microsoft\Windows\Shell;AppData\Local\Microsoft\Windows\WebCache;AppData\Local\Microsoft\Windows\WER;AppData\Local\Microsoft\Windows\Explorer;AppData\Local\Microsoft\CLR_v4.0;AppData\Local\Microsoft\CLR_v4.0_32


Continue editing the above group policy for the AppLocker part.
Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged App Rules > Right Click and create Default Rules.


You should now force the group policy update on the problematic WKS (using gpupdate /force from cmd), then log off and log on a few times. We had cases where we had to remove the roaming profile and reissue it for this to work.
The above workaround is a merge of various articles and blog posts we found on the web while trying to solve this issue. The solution came from applying all of the above together, not one or the other.
Credits and references go to:

Friday, 17 February 2017

DNS publishing over COSMOTE is no longer supported?

Over the past few months COSMOTE, a Greek ISP, started providing VDSL access in our country. Right after being very happy about it, we started noticing changes affecting many of our customer services, including proper Domain Name Service data exchange.
The Domain Name Service supports hosting of a domain name zone, serving clients that request host A or other records from that DNS server, while DNS zone transfer is the process that replicates a domain name zone to a set of previously selected and configured DNS servers.
Our tests, described below, involve both of the above functions.
Test Number | Test description | Request Initiator | Request Receiver | Test Outcome
1 | Nslookup from a Cosmote Internet fed client to a zone hosted on a Cosmote served server | Server A | Server B | Success
2 | Nslookup from a Cyta Internet fed client to a zone hosted on a Cosmote served server | Server C | Server B | Failure
3 | Nslookup from a Cosmote Cell Internet fed server to a Cosmote served server | Server BC | Server B | Failure
4 | Nslookup from a Wind Internet fed server to a Cosmote served server | Server W | Server B | Failure
5 | Nslookup from a Forthnet Internet fed server to a Cosmote served server | Server F | Server B | Failure
6 | Nslookup from a Vodafone Internet fed server to a Cosmote served server | Server V | Server B | Failure
As test 3 shows, the mobile network of Cosmote cannot access a zone hosted on a private server fed by the terrestrial Cosmote network. That’s weird, but understandable since the merger of the two is only a few months old.
OK, now let’s see what else is “weird”. Suppose we have the following 4 servers:
SERVER A: is internet fed by Cosmote ADSL
SERVER B: is also internet fed by Cosmote ADSL
SERVER C: is internet fed by Cosmote VDSL
SERVER D: is also internet fed by Cosmote VDSL
A few more tests described below:
Test Number | Request Initiator | Request Receiver | Test Outcome
7 | Server A | Server B | Success
8 | Server A | Server C | Failure
9 | Server A | Server D | Failure
10 | Server D | Server A | Failure
11 | Server C | Server A | Failure
12 | Server B | Server A | Success
13 | Server B | Server C | Failure
14 | Server B | Server D | Failure
15 | Server C | Server B | Failure
16 | Server C | Server D | Success
17 | Server D | Server C | Success
18 | Server D | Server B | Failure
I will make it a bit less confusing for you. VDSL-fed servers communicate with each other. ADSL cannot access the VDSLs and vice versa. The weird thing is that both the ADSL and the VDSL lines are provided by the same ISP, which in all our cases is COSMOTE.
We should note that all the above servers have Business accounts (connex @ Work).
As IT professionals we can tolerate:
  • VPN connections dropping every 3 minutes for no reason.
  • Cosmote routers having their firmware updated whenever the provider asks, using their CPL.
  • SIP ports being occupied for Cosmote’s future VoIP usage.
What we cannot tolerate is blocking the DNS protocol, especially when there is no prior notification of such a service ban.
I really do wonder what is next. SMTP?
Thank you Cosmote for protecting us, but I guess we will protect ourselves and move all our customers to non-Cosmote ISPs.
We define:
Failure: the timeout of a DNS query (using nslookup) pointed at a working DNS server (server [ip]) and an existing, well-formed DNS zone.
Success: a successful DNS query (using nslookup) returning all DNS records of the requested zone (set q=all / set q=any).
17/2/17 UPDATE: The above started happening randomly with port 25 (SMTP) as well.

Tuesday, 14 February 2017

Msg 8152, Level 16, State 10 String or binary data would be truncated. The statement has been terminated.

It appears that when you want to INSERT INTO data from an nvarchar(max) field into another nvarchar(max) field, and the table has a lot of data, the MS SQL query is terminated with the error
Msg 8152, Level 16, State 10 String or binary data would be truncated The statement has been terminated.
After narrowing down the data fields and understanding which field is the problematic one, and given that the source field is nvarchar(max) and so is the destination, you need to keep troubleshooting.
Suppose I have the following query:
INSERT INTO ServiceJournal
(PriorityID, TechnicianID, ServiceTaskID, ClientID, ServiceDate, ProblemReportDateTime, EventTypeid, ReminderID, CustomerSiteID, DetailedProblemDescription)
SELECT        3 AS Expr1, Customers.EmployeeResponsibleID, 16 AS Expr2, Customers.CustomerID, GETDATE() AS Expr3, GETDATE() AS Expr4, 2 AS Expr5, 2 AS Expr6, 1 AS Expr7, Customer_Tasks.TaskDescription
FROM            Customer_Tasks INNER JOIN
Customers ON Customer_Tasks.CustomerID = Customers.CustomerID
WHERE        (Customer_Tasks.IsMaintenance = 1)
The field DetailedProblemDescription is the one producing the problem.
I tried creating a new field on the destination table ServiceJournal, called test, as nvarchar(max), and changed my query to
INSERT INTO ServiceJournal
(PriorityID, TechnicianID, ServiceTaskID, ClientID, ServiceDate, ProblemReportDateTime, EventTypeid, ReminderID, CustomerSiteID, test)
SELECT        3 AS Expr1, Customers.EmployeeResponsibleID, 16 AS Expr2, Customers.CustomerID, GETDATE() AS Expr3, GETDATE() AS Expr4, 2 AS Expr5, 2 AS Expr6, 1 AS Expr7, Customer_Tasks.TaskDescription
FROM            Customer_Tasks INNER JOIN
Customers ON Customer_Tasks.CustomerID = Customers.CustomerID
WHERE        (Customer_Tasks.IsMaintenance = 1)
The script inserts a number of rows, as it should!
I tried renaming the problematic field to DetailedProblemDescription2 and retrying. It does not work.
I backed up the field data to another field and deleted the field. This is where I started losing the table’s integrity. I had to take the data out with an export script, drop and recreate the table (taken from a backup) and restore the data.
I need to mention that concatenating the DetailedProblemDescription field with cast(DetailedProblemDescription as nvarchar(4000)) or another data type did not work either.
To make a long story short, I overcame the insert into problem by putting
As long as the "problematic" field’s content does not go over 4000 characters, no problem occurs. I will need to test it with more in the coming months.
I have no time to investigate this further, but it’s worth writing down and sharing :)
Till next time!

Wednesday, 9 March 2016

How to Upgrade or Change OS of PCs with Preinstalled Windows 8.1 & Windows 10

There are times when moving personal computers into corporate environments, without applying a BYOD policy, forces us to replace the preinstalled OS of the computer. For instance, there is the need to upgrade the OS from the Home to the Professional edition so that the computer can join a domain.
For Windows up to version 8 that was done by formatting the computer and reinstalling using the purchased Retail or other license of the desired Windows version. The upgrade was a rather hectic process, and the older the OS, the more problems you had.
Things are different now with Windows 8.1 and 10!

You purchase a new laptop with a Windows 10 Home OEM license from your local distributor and set about upgrading to Professional. Bad luck! You can’t! Even if you totally wipe your HDD, insert your legitimate Windows 10 Pro media and install, after the installation your PC will still boot into Windows 10 Home!

Let’s ask the experts… we called Microsoft, as partners, and asked! Here’s the story.
Microsoft’s new policy for OEM computers that come with preinstalled Windows 8.1 and Windows 10 is to hardcode the OS version and license key within the computer’s chipset! This policy is applied by all computer manufacturers, therefore there is no way, even by formatting the hard drive, to install a different OS or even an alternate version of the same OS. Microsoft’s “safety” mechanism will kick in and install the same OS version as the OEM one (e.g. Home) even if you try to install another version of the same OS (e.g. Pro) via DVD or USB. If you try to install a completely different OS (e.g. Windows 10) than the OEM one (e.g. Windows 8.1), then the hardcoded OS license key conflicts with the OS license key that you installed and renders your OS as not genuine. The same applies even if you just swap the OEM HDD with a preinstalled HDD that has a different OS version than the OEM.

Fortunately there is a workaround for this matter. The following steps show the way.

Let’s assume for this example that you purchased a laptop that came with preinstalled Windows 10 Home and you want to upgrade it to Windows 10 Pro.
Using your newly purchased laptop or a different computer you need to download MediaCreationTool.exe from HERE.

This tool will guide you to download a Windows 10 .iso file that is suitable for your computer.
After you download the ISO file, open it with an ISO editing application (UltraISO or similar).

Then you need to create two files that will allow the new OS to be installed.

For the first file create a .txt file and copy the following into it:


Save it as EI.cfg .

P.S. In channel type RETAIL if the OS License Key is a retail acquired license.  

For the second file create a .txt file and copy the following into it:

VALUE= type_in_your_windows_license_key

Save it twice, one as PID.txt and one as PID.cfg

Copy the three files (EI.cfg, PID.txt and PID.cfg) into the Sources folder of the ISO file that you downloaded.
Recompile or save the .iso file and either burn it to a bootable DVD or create a bootable USB stick.

Restart the computer and boot from your media.
Complete the installation, formatting the HDD, and enjoy your newly upgraded OS.

Cheers, till next time!

Sunday, 7 February 2016

How to create Microsoft HyperV cluster


We will need:
  • An iSCSI-enabled Network Attached Storage, like a QNAP.
  • 2 PCs/servers with the same number of NICs (4+ NICs needed), RAM and CPU type
  • A working Active Directory domain on Windows 2012 R2
For proper Hyper-V operation you will need n+1 NICs, where n is the number of VMs hosted on the hypervisor.
For the cluster we are about to build we need 3 NICs on each node of the cluster, plus n NICs for the n VMs we are about to host.
Make a good sketch of your solution, so that NIC IPs and configuration are handy at all times during installation or troubleshooting.
On the sketch above you will see that each of the nodes (node03/node04) has 3 NICs configured (the remaining NICs are virtual-switched in Hyper-V and therefore play no part in this sketch):
  • 1x NIC per node connected to the network switch (that’s the interface we will use to join the PC/server to our domain). In our scenario NODE03 has the IP and NODE04
  • 1x NIC per node connected to the RSO/NAS (directly or via a switch). In our scenario NODE03 has the IP and NODE04
  • 1x NIC per node connected to the other node (no need for a crossover cable if auto MDI-X is supported by your NICs, which is standard nowadays). We call this the heartbeat cable; through it each cluster node gets the status of its partner node. In our scenario NODE03 has the IP and NODE04

Join all on the same domain

Ensure all nodes (Hyper-V servers) and the QNAP are joined to the same Active Directory domain.

Organise and name your nodes NICs

Configure the NICs for failover clustering: rename all network cards and make the names identical on both servers, to save yourself questions when resources move automatically between nodes. Be very careful in identifying the physical location of each NIC.

a. Rename all Network cards


b. Rename the domain network NIC as Production and deselect unnecessary protocols and features

Enabling or disabling IPv6 is in the installer’s hands; proceed according to your internal network specs.
IPv6 should be unchecked.
Make sure the option “Register this connection’s addresses in DNS” is checked.
On the WINS tab, enable the NetBIOS over TCP/IP option.

c. Configure the RSO NICs as RSO and deselect unnecessary protocols and features

IPv6 was deselected in our scenario to avoid IPv6 communication failures.

d. Configure the heartbeat NICs as Heartbeat and deselect unnecessary protocols and features

Uncheck IPv6.
Watch it now! Set the heartbeat IPs with no gateway and no DNS servers.
Make sure “Register this connection’s addresses in DNS” is NOT checked,
and make sure NetBIOS over TCP/IP is NOT enabled!
Your Heartbeat NIC properties should look like this:

e. Set the network priority (arrange the binding order)

Open Network and Internet > Network Connections and click Advanced > Advanced Settings.
Arrange the adapter binding order as follows:
  1. Production
  2. Storage
  3. Heartbeat
This is very important to how each node responds and reacts to network requests. If you omit this step, latencies in cluster behaviour related to network access or interoperability with other network resources may occur.
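The NIC preparation of steps b to e for one node, as an added example that is not part of the original post, using the NetAdapter, NetTCPIP and DnsClient cmdlets shipped with Windows Server 2012 R2 and later. The adapter names and the addresses are constructed placeholders for the ones in your own sketch (the post's own addresses did not survive extraction); the function name is ours.

```powershell
# Added example, not from the original post: apply steps b to e to one node's
# three NICs. Run elevated on each node with that node's own addresses.
#Requires -RunAsAdministrator

function Set-ClusterNic {
    param(
        [Parameter(Mandatory)][string]$CurrentName,   # name Windows gave the NIC
        [Parameter(Mandatory)][ValidateSet('Production','Storage','Heartbeat')][string]$Role,
        [Parameter(Mandatory)][string]$IPAddress,
        [int]$PrefixLength = 24,
        [string]$Gateway,                              # Production only
        [string[]]$DnsServers                          # Production only
    )

    # Steps a/b: identical role-based names on both nodes; IPv6 off on every NIC
    Rename-NetAdapter -Name $CurrentName -NewName $Role
    Disable-NetAdapterBinding -Name $Role -ComponentID ms_tcpip6

    # Static address from the sketch, replacing anything DHCP handed out
    Set-NetIPInterface -InterfaceAlias $Role -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $Role -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    $ipArgs = @{ InterfaceAlias = $Role; IPAddress = $IPAddress; PrefixLength = $PrefixLength }
    if ($Role -eq 'Production' -and $Gateway) { $ipArgs.DefaultGateway = $Gateway }
    New-NetIPAddress @ipArgs | Out-Null

    # WMI view of the adapter, needed for NetBIOS over TCP/IP (1 = enable, 2 = disable)
    $ifIndex = (Get-NetAdapter -Name $Role).InterfaceIndex
    $cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex=$ifIndex"

    switch ($Role) {
        'Production' {
            Set-DnsClientServerAddress -InterfaceAlias $Role -ServerAddresses $DnsServers
            Set-DnsClient -InterfaceAlias $Role -RegisterThisConnectionsAddress $true
            $cfg | Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 1 } | Out-Null
        }
        'Heartbeat' {
            # Step d: no gateway (none set above), no DNS servers, no DNS registration, no NetBIOS
            Set-DnsClientServerAddress -InterfaceAlias $Role -ResetServerAddresses
            Set-DnsClient -InterfaceAlias $Role -RegisterThisConnectionsAddress $false
            $cfg | Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
        'Storage' {
            # Step c: the post only drops IPv6 here; no gateway is set, DNS stays at defaults
        }
    }
}

# Constructed sample values for NODE03; NODE04 gets its own addresses on the same subnets.
Set-ClusterNic -CurrentName 'Ethernet'   -Role Production -IPAddress '192.168.1.13' -Gateway '192.168.1.1' -DnsServers '192.168.1.10'
Set-ClusterNic -CurrentName 'Ethernet 2' -Role Storage    -IPAddress '10.10.20.13'
Set-ClusterNic -CurrentName 'Ethernet 3' -Role Heartbeat  -IPAddress '10.10.30.13'

# Step e: the interface metric gives the same Production > Storage > Heartbeat
# preference for routing; the adapter binding order itself is still arranged in
# Network Connections > Advanced > Advanced Settings as described above.
Set-NetIPInterface -InterfaceAlias Production -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias Storage    -AddressFamily IPv4 -InterfaceMetric 20
Set-NetIPInterface -InterfaceAlias Heartbeat  -AddressFamily IPv4 -InterfaceMetric 30
```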

Configure NAS/RSO

We assume you have already configured your RAID (the best results we have achieved on COTS systems are with RAID 10 and RAID 6). In our scenario we used a QNAP with a 5-HDD RAID 6 array.

a. Configure Shared Storage (iSCSI Target)

Fire up your iSCSI configuration wizard and enable the iSCSI target service on its default port, 3260.
Through the iSCSI storage configuration wizard, select to create an iSCSI target with a mapped LUN (Logical Unit Number).
“Target Name” and “Target Alias” should be Quorum. That’s the most important shared storage resource of the cluster, since the cluster configuration is exchanged between nodes through it.
Make sure you check “Enable clustering access to the iSCSI target from multiple initiators”, to avoid the data corruption that occurs with simultaneous iSCSI connections and to prepare this part of the storage for CSVFS.
Don’t use CHAP authentication unless needed.
Don’t use more than 1GB for the Quorum, since you will never exceed it.
Allocate space from your storage pool. For performance purposes we select “Allocate space from a storage pool as an iSCSI LUN”. On the other hand the disk space is pre-allocated, which makes your cluster storage safer in case of rapid data growth in the rest of its free disk space.
Repeat the above steps 2 more times, each for the following names:
  1. ClusterDisk1, with allocated space as preferred
  2. ClusterDisk2, with allocated space as preferred
You need at least one cluster disk; if you need more resources, prepare more.
In the iSCSI target list you will see the iSCSI targets you just created.
Quorum and the Cluster Disks should appear as “Ready” after the initialization of the iSCSI storage.
After finishing with our NAS configuration, we proceed with the NODES.

b. Connect to iSCSI targets from both Nodes

Both nodes must be connected to our storage using the iSCSI Initiator (through the Server Manager tools).
From Server Manager select Tools > iSCSI Initiator. A message will come up informing you that the iSCSI initiator service will start automatically the next time Windows loads.
On the Discovery tab hit Discover Portal.
Be careful to put the IP of the RSO that belongs to the nodes’ RSO network, e.g. in our example
Discovery should find the IP address and port of your iSCSI target (make sure your cluster nodes’ RSO NICs and the iSCSI RSO are on the same switch or VLAN).
Following that, through the Targets tab you should be able to see your disks (including Quorum) as “Inactive”.
Proceed to connect them: go back to the Targets tab, hit Refresh and, when the list is populated, hit Connect.
Do the above on both nodes.

c. Initialize disks

On the first node open the Disk Management console. Right-click each of the new hard disks that appear and select Online.
Initialize the disk and create a new simple volume.
Assign the drive letter Q for Quorum; we don’t care what you put on the rest.
Format it as NTFS and name it Quorum.
Proceed with the same process for ClusterDisk1 and 2, with whatever drive letter you like. At the end of the process you will see the below.
Launch Disk Management on the second node and bring the already prepared HDDs online.
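Steps b and c (connect the node to the iSCSI targets, then bring the Quorum and cluster disks online, initialize and format them), as an added example that is not part of the original post, with the iSCSI and Storage cmdlets of Windows Server 2012 R2 and later. The QNAP portal address and the node's Storage NIC address are constructed placeholders; the function name is ours, and the assumption that the Quorum LUN is the smallest iSCSI disk follows from the 1GB limit set for it above.

```powershell
# Added example, not from the original post: iSCSI discovery/connection on a
# node, then disk preparation. Run elevated; the disk part runs on the first node only.
#Requires -RunAsAdministrator
Import-Module Storage

$PortalAddress    = '10.10.20.100'   # QNAP on the RSO/storage subnet (placeholder)
$InitiatorAddress = '10.10.20.13'    # this node's Storage NIC, so iSCSI never crosses Production

# Step b: initiator service on at boot, discover the portal over the Storage NIC,
# connect every target persistently so the disks return after a reboot.
Set-Service MSiSCSI -StartupType Automatic
Start-Service MSiSCSI
New-IscsiTargetPortal -TargetPortalAddress $PortalAddress -TargetPortalPortNumber 3260 `
    -InitiatorPortalAddress $InitiatorAddress | Out-Null
Get-IscsiTarget | Where-Object { -not $_.IsConnected } | ForEach-Object {
    Connect-IscsiTarget -NodeAddress $_.NodeAddress -TargetPortalAddress $PortalAddress `
        -InitiatorPortalAddress $InitiatorAddress -IsPersistent $true | Out-Null
}
Update-HostStorageCache

# Step c, first node only: online, initialize (GPT) and one NTFS volume per disk
function Initialize-ClusterDisk {
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [Parameter(Mandatory)][string]$Label,
        [string]$DriveLetter = ''          # empty lets Windows pick a letter
    )
    $disk = Get-Disk -Number $DiskNumber
    if ($disk.IsOffline)  { Set-Disk -Number $DiskNumber -IsOffline $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $DiskNumber -IsReadOnly $false }

    # Never reformat a disk that already carries data (e.g. on the second node)
    $existing = Get-Partition -DiskNumber $DiskNumber -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -ne 'Reserved' }
    if ($existing) { Write-Warning "Disk $DiskNumber already has a volume; skipping"; return }

    if ($disk.PartitionStyle -eq 'RAW') { Initialize-Disk -Number $DiskNumber -PartitionStyle GPT }
    $partArgs = @{ DiskNumber = $DiskNumber; UseMaximumSize = $true }
    if ($DriveLetter) { $partArgs.DriveLetter = [char]$DriveLetter } else { $partArgs.AssignDriveLetter = $true }
    $part = New-Partition @partArgs
    Format-Volume -Partition $part -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null
    $part
}

# iSCSI disks smallest first: the 1 GB Quorum LUN comes first, then ClusterDisk1/2
$iscsiDisks = @(Get-Disk | Where-Object BusType -eq 'iSCSI' | Sort-Object Size)
$iscsiDisks | Format-Table Number, FriendlyName, Size, PartitionStyle, OperationalStatus
if ($iscsiDisks.Count -lt 2) { throw "Expected the Quorum LUN plus at least one cluster disk over iSCSI" }

Initialize-ClusterDisk -DiskNumber $iscsiDisks[0].Number -Label 'Quorum' -DriveLetter 'Q'
$n = 1
$iscsiDisks | Select-Object -Skip 1 | ForEach-Object {
    Initialize-ClusterDisk -DiskNumber $_.Number -Label "ClusterDisk$n"
    $n++
}
```

On the second node run only the step b part; the disks then appear already partitioned and only need to be brought online, which the skip guard in the function also respects.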

HYPER-V installation on both Nodes

Through the Manage tab, select “Add Roles and Features”.
From Server Roles, select the Hyper-V role and proceed.
Include the management tools and proceed to add the feature.

Create Virtual Switch (Production) on both Nodes

On your Hyper-V Manager console select the Virtual Switch Manager action on the right.
Create a new virtual network switch of type External. Make sure you don’t select ANY of your RSO or Heartbeat NICs!
Name the virtual switch, assign the appropriate NIC and check the option “Allow management operating system to share this network adapter”.
Do the same on both nodes.

Install Failover Cluster Roles Features on both Nodes

Through “Add Roles and Features” we proceed to “Features”.


Select the “Failover Clustering” and proceed.


Do the same on both nodes.

Validate the cluster configuration

Pick one of the two nodes and run the Cluster Validation Configuration tool.
The next steps shown below validate the cluster’s failover configuration.
Once all nodes are “Validated” we can proceed to create the failover cluster.

Create the Hyper-V Failover Cluster

We proceed to create the cluster through Failover Cluster Manager.
Make sure all required servers have been selected (separated by commas).
Provide the cluster name and check that the addresses are correct for each network that is part of the failover cluster.
Once your cluster has been created, review the summary again.
Rename the cluster networks for easy understanding and mapping to the physical node NICs.
Through Failover Cluster Manager we configure the networks’ names and communication permissions.
Specifically, on the Heartbeat network we ONLY allow cluster network communication.
On the Production network we allow cluster network communication AND also allow clients to connect through it.
On the Storage network we do NOT allow any cluster network communication.
Through the above steps we also get the chance to check once again that the subnets have been assigned correctly.

Enable Cluster Shared Volumes

Following the cluster networks configuration, we are ready to add the storage disks to our cluster.
Through Failover Cluster Manager > Storage > Disks we should see our cluster disks marked as “Available Storage”. Selecting them one by one, we add them to “Cluster Shared Volumes”.
At the end of the process all added disks should be marked as “Assigned to Cluster Shared Volume”.
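The validation, cluster creation, network-role and Cluster Shared Volume steps above as an added example that is not part of the original post, using the FailoverClusters module from either node. Node names, the cluster name and address, and the three subnets are constructed placeholders; the role numbers are the values the Failover Cluster Manager dialog maps to "cluster only", "cluster and client" and "none".

```powershell
# Added example, not from the original post: validate, create the cluster,
# name the cluster networks with the permissions described above, then turn
# the available disks into Cluster Shared Volumes. Run elevated on one node.
#Requires -RunAsAdministrator
Import-Module FailoverClusters

$Nodes       = 'NODE03', 'NODE04'
$ClusterName = 'HVCLUSTER01'        # placeholder
$ClusterIP   = '192.168.1.20'       # a free address on the Production subnet (placeholder)

# Validation writes an HTML report; review it and fix every failure before continuing.
$report = Test-Cluster -Node $Nodes
Write-Host "Validation report: $($report.FullName)"

# Create the cluster; eligible iSCSI disks are added and the smallest one
# (the 1 GB Quorum LUN) normally becomes the disk witness.
New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP | Out-Null
Get-ClusterQuorum -Cluster $ClusterName | Format-List QuorumType, QuorumResource

# Cluster network roles: 0 = none (Storage), 1 = cluster only (Heartbeat),
# 3 = cluster and client (Production). Networks are matched by their subnet.
$roles = @(
    @{ Subnet = '192.168.1.0'; Name = 'Production'; Role = 3 },
    @{ Subnet = '10.10.20.0';  Name = 'Storage';    Role = 0 },
    @{ Subnet = '10.10.30.0';  Name = 'Heartbeat';  Role = 1 }
)
foreach ($r in $roles) {
    $net = Get-ClusterNetwork -Cluster $ClusterName | Where-Object { $_.Address -eq $r.Subnet }
    if ($null -eq $net) {
        Write-Warning "No cluster network found on $($r.Subnet); check the node NIC subnets"
        continue
    }
    $net.Name = $r.Name
    $net.Role = $r.Role
}
Get-ClusterNetwork -Cluster $ClusterName | Format-Table Name, Address, Role, State

# Every Physical Disk still in "Available Storage" (the witness is not) becomes a CSV
Get-ClusterResource -Cluster $ClusterName |
    Where-Object { $_.ResourceType -eq 'Physical Disk' -and $_.OwnerGroup.Name -eq 'Available Storage' } |
    Add-ClusterSharedVolume | Out-Null
Get-ClusterSharedVolume -Cluster $ClusterName | Format-Table Name, State
```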

Create a VM and configure it for high availability, or make an existing VM highly available

Test the failover cluster by shutting down the node holding the VM resources. If you see the VMs moving to the other node, you are ready to start serving clients. Further tests should be made regarding the VMs’ functionality.