It seems recently many users are receiving an error logging into Remote Desktop Servers (Terminal Servers) from off-site. The error reads:
An authentication error has occurred.
The function request is not supported.
Remote computer <ServerName>
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660
This is a result of a March 13th update. The previous error message was shorter, but an Apr 17 update elaborated the error message to read as above.
The link explains how to resolve this using Group Policy, but the simple fix, as of May 8th, is to apply the KB4103725 monthly rollup update. This will require a reboot on most servers, but should resolve the problem once complete.
For the past 8 or more years, most of us have managed PC updates using WSUS (Windows Server Update Services) and Group Policy. However, the structure of the modern office has changed to include a large percentage of mobile employees who never ‘touch down’ at headquarters. If these devices do not connect to the domain, they do not have updates applied.
A client who has not returned to the office in 18 months, and likely will not for the life of their laptop, recently asked how they could update their machine manually. They were not able to do so because Windows Update showed “settings are managed by your system administrator”, in other words, by WSUS.
It is quite simple to disable WSUS management in the registry. However, remember that if the device is reconnected to the domain, the WSUS policies will be reapplied. Therefore you may want to move the device to an OU not linked to the WSUS policy, or remove the device from the policy under security filtering.
Disclaimer: Be aware that making incorrect registry changes can have disastrous effects on the health of the device. Be sure to back up the registry before editing. To do so, see the following Microsoft article: “How to back up and restore the registry in Windows” http://support.microsoft.com/kb/322756
- Open the registry editor by entering Regedit in the Start / Run box, and browse to: HKLM\Software\Policies\Microsoft\Windows\
- Locate the WindowsUpdate Key and delete it
- Reboot the PC (may take 2 reboots)
- Now you can manually update and configure Windows updates to automatically check for and install updates directly from the Microsoft Update site
You may want to consider using a newer service such as Windows Intune to manage your computers, especially mobile devices. http://www.microsoft.com/en-us/server-cloud/products/windows-intune/
In troubleshooting an issue with the SBS user creation wizard, I wanted to know what was set as the default Organizational Unit in which users would be placed. Though the following works with any server version at domain functional level Server 2003 or newer, SBS defaults to placing users in the MyBusiness\Users\SBSUsers OU and I wanted to verify this was set appropriately. There are 100 articles explaining how to change the default users OU using the command “Redirusr”, or “Redircmp” for computers, but it was difficult to find a link explaining how to locate the current defaults. There are a few links explaining where the information is stored, which is in the “wellKnownObjects” attribute of the properties of the domain, in Active Directory Users and Computers.
However, when you click on “View” to inspect the settings for that attribute, you get a popup warning, “There is no editor to handle this attribute”, and the same happens when using ADSI Edit.
Thanks to a tip by Alex Verboon, using Microsoft’s (Sysinternals) Active Directory Explorer will allow you to see the settings of this attribute. Download AD Explorer and run the app; on a single domain server you can leave all fields blank and click OK.
Click on your domain, then in the right-hand window right-click on “wellKnownObjects” and choose Properties.
In the resulting window you can review the current settings for the default OUs for Computers and Users.
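The same attribute can be decoded from PowerShell. The following is an added example, not part of the original post: it parses the B:32:<GUID>:<DN> strings stored in wellKnownObjects and reports whether the default Users and Computers locations have been redirected. The sample values and the example.local domain are constructed, and the commented live query assumes the RSAT ActiveDirectory module is installed.

```powershell
# Well-known GUIDs Active Directory uses to tag the default containers.
$WellKnownGuids = @{
    'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
    'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
}

function ConvertFrom-WellKnownObject {
    # Parses DN-with-binary strings of the form B:<char count>:<GUID hex>:<DN>.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Value)
    process {
        # Split into at most 4 parts so the DN itself is never broken up.
        $parts = $Value -split ':', 4
        if ($parts.Count -ne 4 -or $parts[0] -ne 'B') {
            Write-Warning "Skipping unrecognized value: $Value"
            return
        }
        $guid = $parts[2].ToUpperInvariant()
        if (-not $WellKnownGuids.ContainsKey($guid)) { return }  # not Users/Computers
        $name = $WellKnownGuids[$guid]
        [pscustomobject]@{
            Container  = $name
            CurrentDN  = $parts[3]
            # Out of the box the target is CN=Users / CN=Computers under the domain root;
            # anything else means Redirusr / Redircmp (or SBS setup) has changed it.
            Redirected = $parts[3] -notlike "CN=$name,DC=*"
        }
    }
}

# Constructed sample values (not taken from a real domain), modelled on the
# SBS layout described above: users redirected, computers left at the default.
$sample = @(
    'B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=local'
    'B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=example,DC=local'
    'B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=example,DC=local'
)
$sample | ConvertFrom-WellKnownObject | Format-Table -AutoSize

# Live query (assumption: ActiveDirectory module available, run as a domain user):
# (Get-ADObject (Get-ADDomain).DistinguishedName -Properties wellKnownObjects).wellKnownObjects |
#     ConvertFrom-WellKnownObject
```

Knowing where new accounts land matters because the Group Policy objects linked to that OU, or the lack of any on the built-in containers, decide which settings a newly created user or computer receives.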