On a couple of occasions I have run into the following error/message and I see many others have done so based on dozens of posts:

OneDrive can’t be run using full administrator rights.

In my case both machines had been upgraded from Windows 7 with the problem being one is unable to set up OneDrive app and sync locally with Windows Explorer.

The issue is exactly as described by the error. To resolve: Locate OneDrive.exe, the default location is C:\Users\username\AppData\Local\Microsoft\OneDrive then right click on it, choose properties, and under the Compatibility tab uncheck “Run this program as an administrator”

You cannot install a standard version of Office on an RDS server.  Prior to Office 365 you had to buy Enterprise licenses for each user which are quite expensive.  I understand Enterprise licenses are still available and I assume they will still work but you may already have a suitable Office 365 subscription, or you can upgrade to one that will.   Your Microsoft 365 license must include Office Pro Plus, a Business Standard license will not work.  There is an Office Pro Plus license or an E3 or higher license includes Office Pro Plus.  With Office/Microsoft 365 you can use your current licenses but have to download a special installation version and jump through a few hoops.  This method is supported by Microsoft.

(Oct 2020 update: Microsoft has changed the naming of it’s Office 365 subscriptions to new Microsoft 365 names. I believe the minimum license level now is Microsoft 365 Business Premium but be sure to confirm with your vendor. The following is a Sept 2020 article referencing the install with the new licenses https://docs.microsoft.com/en-us/deployoffice/deploy-microsoft-365-apps-remote-desktop-services#:~:text=If%20you%20use%20Remote%20Desktop%20Services%20%28RDS%29%20to,installation.%20The%20following%20are%20two%20common%20RDS%20scenarios%3A )

Note: when installing apps on terminal servers in the past you had to put the server in “Install mode” by running from an elevated command prompt 

  •    Change User /Install
  • and to exit Install mode run
  •    Change User /Execute

Though this is still recommended, I tried it without doing so and it worked, but make sure you are an administrator of the machine (local or domain) and all other users are logged out. I recommend a clean reboot before starting.

Create a shared folder such as \\RDS\O365 pointing to C:\Temp\O365  

Download the Office deployment tool from the link below and extract to your shared folder  \\RDS\O365

https://www.microsoft.com/en-us/download/details.aspx?id=36778

Create an .xml configuration file for the download and save to the same folder. I named DownloadConfig.xml 

<Configuration> 
  <Add SourcePath="\\RDS\O365" OfficeClientEdition="64"> 
   <Product ID="O365ProPlusRetail" > 
     <Language ID="en-us" />      
   </Product> 
   </Add> 
</Configuration>

Download the custom version of Office.  To do so open an elevated command prompt, change to the directory containing the .xml file  C:\Temp\O365\MayBeSubfolder and run the following command.

setup.exe /download DownloadConfig.xml

This may seem like it hangs, but wait.  I believe it took about 15 minutes with my connection.

Create another .xml configuration file for installation and save again to the same folder. I named InstallConfig.xml

<Configuration>
  <Add SourcePath="\\RDS\O365"
       OfficeClientEdition="64" 
       Channel="Monthly">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Display Level="None" AcceptEULA="True" /> 
  <Property Name="SharedComputerLicensing" Value="1" />
  <Logging Level="Standard" Path="C:\Temp" />
</Configuration> 

Deploy Office using:  \\RDS\O365\setup.exe /configure  \\RDS\O365\InstallConfig.xml

Note: you must use the full path

Again it may appear to hang, but be patient

If you ran Change User /Install before starting, run Change User /Execute

Microsoft has more detailed information and options to customize the xml files at:

https://docs.microsoft.com/en-us/deployoffice/deploy-microsoft-365-apps-remote-desktop-services

https://docs.microsoft.com/en-us/deployoffice/office2019/deploy

Sage Many Redirected Printers

If you remote into a PC to run Sage, sometimes your local printer does not connect. To resolve this you need to open the Windows printers console on the computer running Sage and look for the appropriate printer and the “redirected #”. Then in Sage under Report & Form Options, choose the items you wish to print and beside them select the printer with the redirected # that matches the printer in the Windows printers console, as in the image below.

On many systems each time you reconnect to the remote computer a new redirected connection is created such that there are so many it can be near impossible to locate the appropriate redirected printer. See image below as an example.

To clear all these excess printers you can edit the registry. (As usual, back up the registry or at least the key before deleting and if not comfortable doing so, do not proceed as registry changes can corrupt your machine) To clean up the list of printers, on the computer running Sage, locate the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Window Nt\Currentversion\Printerports
Delete all printer ports showing (redirected #). Do not delete those without (redirected #)
Reboot the computer running Sage, reconnect, and select the newly redirected printer.

Outlook fails to start

Immediately after Windows updates today on 2 different systems, so far, you cannot open Outlook.  As soon as you open it closes.  Next time you open you get the Open Outlook In Safe mode popup, which also doesn’t work.  After looking at commonalities in the two systems and trouble shooting it seems the issue was the July 14th ‘Patch Tuesday’ update “Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB4565483)”.  The update includes multiple features but among them is “Updates to improve security when using Microsoft Office products.” Uninstalling the update immediately resolved the issue.

If unfamiliar with doing so go to Control Panel, click on “Programs and Features”, then “View installed updates”, locate the (KB4565483) Update, right click and choose uninstall.  As always you should have a backup of your system before adding or removing updates.

I have also selected “pause updates for 7 days” in case it tries to reinstall before Microsoft has a fix.

Update: It seems this does not always work. Instead you need to roll back Office, however Microsoft has apparently realized the problem and is pushing out the fix.  To enforce, just close Outlook and re-open.  This worked on the latest machine with which I had a problem and there was a message in Outlook about the issue when it did open.  It may not be pushed out to all machines yet so waiting a couple of hours may be necessary.  See the following link from Microsoft regarding details: https://support.microsoft.com/en-us/office/active-investigation-into-outlook-crashing-on-launch-9c59ad4b-813c-432a-afdc-f14717a4528d?ui=en-us&rs=en-us&ad=us

When you enable multifactor authentication in Microsoft 365 (formerly Office 365) with an existing tenant, Outlook starts asking for a password and will not accept your current Microsoft 365 password.  You then need to use app passwords for Outlook, rather than standard MFA with your password and a second option such as the Microsoft Authentication app, Txt, E-mail, or call.  Those options work fine with access to Web and other Office Apps but not Outlook. See the following link to manage App Passwords; https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords#:~:text=To%20create%20app%20passwords%20using%20the%20Office%20365,password%2C%20and%20then%20select%20Next.%20More%20items…%20

You can however enable standard MFA methods for Outlook using powershell.  The credit for most of the instructions below goes to; https://www.petri.com/enable-modern-authentication-exchange-online

Instructions to enable MFA with Exchange On-line (paraphrased)

When asked for credentials, you need to use an O365 admin account that does not have MFA enabled.  I create one without an Office license just for this.

I use the PowerShell ISE but I suspect standard PowerShell run as admin will work as well

Connect to an Exchange PowerShell session by running the following 2 lines

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

This is not in the Petri link above, but you need to run the following line to allow running scripts

Set-ExecutionPolicy RemoteSigned

Test if MFA is already enabled.  Will return “false” if not enabled

Get-OrganizationConfig | ft name, *OAuth*

Assuming not enabled run

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

Then run the following again to confirm now enabled, i.e. “True”

Get-OrganizationConfig | ft name, *OAuth*

Close session

Remove-PSSession $Session

I find it takes 30-60 minutes before the policy is applied and changes in use

On several machines after the automatic installation of Windows updates KB4561600 and KB4560960, printing to some, but nit all, printers no longer works. It seems when you try to print, the application closes immediately and printing does not take place. The simple solution is to locate the most recent drivers, delete the existing printer and re-install using the new drivers.

Remote Access

Many years ago I wrote numerous blog articles relating to VPNs, and primarily PPTP VPNs. Hits on those blog pages are up 300% since the Coronavirus outbreak due to people looking for ways to work from home. I wanted to warn PPTP is an old solution and is considered to be “broken” and very insecure. Please consider other options.

Rather than creating new articles explaining how to configure various remote access methods I thought I would provide some suggestions and links as it has all been written before by very talented IT folk.

Firstly VPNs. I would always recommend using a VPN appliance/router over the server itself. It is more secure, authenticates at the network perimeter not the server itself, and allows more control. Cisco, Sonicwall, Juniper, Watchguard, and others provide very good solutions . However one concern with any VPN solution is the fact that though it is a secure tunnel, it also allows any and all traffic between an unmanaged remote client computer and the corporate network. Viruses can travers the VPN tunnel, should the client PC be hacked the hacker has direct access to the corporate network, and the remote user can easily copy/steal corporate data that they maybe should not. In addition VPNs occasionally just do not work due to network addressing, slow ISP service, or blocked protocols by ISPs.

If you do want to set up a VPN on a windows server, I would recommend SSTP.  Thomas Maurer has a great configuration guide:https://www.thomasmaurer.ch/2016/10/how-to-install-vpn-on-windows-server-2016/

Perhaps a better option than a VPN is a terminal server, now called a remote desktop server (RD Server). I have never seen the RDP protocol blocked, performance is usually better than a VPN, and all data stays on the corporate network. If set up correctly it uses the Remote Desktop Gateway service and SSL which is very secure. You can, if you like, also use this within your VPN tunnel and if using a business class VPN solution restrict traffic to RDP.

Another alternative if you don’t want to set up an RD Server is to configure the RD Gateway service on your server and allow users to connect securely to their own desktops PCs with the same level of performance. This was a built in feature of SBS and Server Essentials 2016 and earlier.  Mariette Knap has a excellent article on configuring the RD Gateway service, specifically on Server 2019 Std:https://www.server-essentials.com/support/setup-rds-gateway-as-a-replacement-for-access-anywhere-from-the-essentials-experience-role

Regardless of what method you use, as soon as you allow any remote access, make sure you configure Group Policy to enforce strong passwords and to lock accounts after ‘X’ wrong password guesses.  (I use 5, and lock out for 30 minutes). You can set this on the server for domain wide deployment or on an individual PC using GPedit.msc. For both it is located under Computer Configuration |Windows Settings | Security Settings | Account Policies .

The other alternative of course is to use cloud based services such as Microsoft’s Office 365 which you can from any where, at any time.  If dong so, make sure you enable multi-factor authentication for security.

I hope this is of some help and please stay safe n these uncertain times.

 

 

 

Hyper-V Missing VMs

Over the past 6 months I installed 4 Server 2019 Hyper-V hosts for various clients. After several months with no problems, following a reboot, all running VM’s completely disappeared from the Hyper-V management console and were not accessible from the network using management tools, file shares, remote desktop, or even pings. Oddly, shut down or saved VM’s were present.

When this first happened I was shocked. The VHDX files were all present so I could create a new VM, but that didn’t seem practical. Googling showed that this can happen if the Hyper-V Virtual Machine Management service did not start, but in my case it had. I tried restarting the service, the VM’s instantly reappeared, and were in a running state with boot up almost complete.

This issue over the coming months started happening on other 2019 servers and after every reboot, planned or due to a power outage, I had to connect to the host and restart the Hyper-V Virtual Machine Management service.

Further Googling this issue brings up suggestions of corrupt VM configuration files, granting “NT Virtual Machine\Virtual Machines” the “logon as a service right”, doing the same with group policy, and other suggestions, but where restarting the service would resolve in every case I assumed there was not a configuration issue.

In the end setting the Hyper-V Virtual Machine Management service start up type to “Automatic (delayed start)” resolved the problem on all machines, though it resulted in a slightly longer boot time for the VMs.

All of thee servers worked fine for a few months so I assume the problem was due to a Windows update but to date I have found no actual cause. Also, I can confirm this only occurs on my 2019 Hyper-V hosts. There are no issues with Server 2016 or earlier servers.

Hyper-V restart

Update: Oct 2020. I had another server with the same issue. O/S had been installed 8 months prior and no updates applied in recent months. Setting the service as delayed start did not resolve. I had to create a scheduled task to run 10 minutes after boot up. 5 minutes did not work. The scheduled task simply pointed to a batch file with the following. (the ping command just delays the process to be sure Net Stop completes before the next line).

Net Stop VMMS
ping -n 10 127.0.0.1
Net Start VMMS
Exit

Recently found on 3 two month old HP computers users could not open Office documents that were received as attachments to e-mails within Outlook. After troubleshooting, discovered it was due to an HP add-on utility “HP Single Click” a security app provided with many HP PCs. This can simply be uninstalled from Programs and Features, however any open apps that use it must be closed. A reboot will insure this. Also a reboot is required after uninstalling. Presumably this was caused by a windows or HP update as it had not been a problem in the past. Perhaps more recent updates have resolved the problem.

Intro to PowerShell

For those not knowing where to start with learning PowerShell, Netwrix is offering a free 47 page document “Windows PowerShell Tutorial for Beginners” which includes numerous simple, common, tasks.  One of the best intros I have seen.

https://try.netwrix.com/powershell-tutorial

Tag Cloud