Channel: Terence Luk

vCenter settings of a VMware Horizon View desktop pool displays the error message: "Cannot find host or cluster for this desktop pool."


Problem

You’ve noticed that one of the vCenter settings of a VMware Horizon View desktop pool is highlighted in red:

Clicking into the vCenter Settings tab displays the following error message:

Cannot find host or cluster for this desktop pool.

Clicking on the Browse… button for the Host or cluster setting displays the following error message:

Solution

The reason why the pool exhibits this behavior is that the configured vCenter settings no longer match the vCenter currently hosting the virtual desktops. A common cause I’ve come across in environments is that the Datacenter or the Cluster object has been renamed and no longer matches what was originally configured and referenced within VMware Horizon View. Logging onto the vCenter hosting the virtual desktops shows the following:

Putting the vCenter and View configuration tab side by side shows how the vCenter Datacenter object is now named Wellesley House while the one in View is named Wesley House:

The quickest way to resolve this issue is to rename the object in vCenter to match VMware Horizon View’s configuration. If the rename is meant to be permanent, the alternative is to edit the VMware Horizon View ADAM database to correct the stored paths, as demonstrated in the following KB:

Provisioning a pool on VMware View generates error: Resource Cluster 'vcenter/host/clustername/Resources' not found for pool (2127993)

https://kb.vmware.com/s/article/2127993

Begin by logging onto one of the VMware Horizon View connection servers and launching ADSIedit, then click on Action and Connect to…:

Fill in the fields in the Connection Settings as such:

Name: View ADAM Database

Select or type a Distinguished Name or Naming Context: dc=vdi,dc=vmware,dc=int

Select or type a domain or server: localhost:389

Navigate into the database and select the OU=Server Groups object to list the desktop pools:

Right click on the desktop pool and select the properties option:

Locate the following attributes:

pae-VmTemplateName: the Template configuration

pae-VmPath: the VM folder configuration

pae-VmResourcePool: the Resource pool configuration

pae-VmDatastore: the Datastores configuration

Next, manually type in the correct string mapping to the objects in vCenter (do not simply clear them as you will not be able to load any of the settings for the pool):

With the configuration updated, the pool should no longer display an error message:
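As an added example (not code from the original post or from VMware), the following PowerShell reads the same four pae-* attributes from every pool in the View ADAM database so they can be compared against the vCenter inventory before anything is edited in ADSIedit. It assumes it runs on a Connection Server with the connection settings used above; Find-ViewPoolPathMismatch and its -CurrentName parameter are a hypothetical helper that flags pools whose stored paths no longer mention the current object name.

```powershell
# Added example, not code from the original post or from VMware. Read-only audit of the
# vCenter paths each desktop pool stores in the View ADAM database.
# Assumptions: runs on a Connection Server; ADAM listens on localhost:389 with naming
# context dc=vdi,dc=vmware,dc=int and pools under OU=Server Groups (as in the post).
Add-Type -AssemblyName System.DirectoryServices

# Returns the first value of a possibly missing or multi-valued LDAP attribute.
# DirectorySearcher lower-cases attribute names in its result collection.
function Get-FirstValue {
    param($Properties, [string]$Name)
    $values = $Properties[$Name.ToLowerInvariant()]
    if ($values.Count -gt 0) { [string]$values[0] } else { $null }
}

function Get-ViewPoolVCenterPath {
    param(
        [string]$Server = 'localhost:389',
        [string]$NamingContext = 'dc=vdi,dc=vmware,dc=int'
    )
    $base = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
        -ArgumentList "LDAP://$Server/OU=Server Groups,$NamingContext"
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $base
    $searcher.Filter = '(pae-VmResourcePool=*)'   # only vCenter-backed pools carry this attribute
    $searcher.SearchScope = 'OneLevel'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(
        @('cn', 'pae-VmTemplateName', 'pae-VmPath', 'pae-VmResourcePool', 'pae-VmDatastore'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        [pscustomobject]@{
            Pool         = Get-FirstValue $p 'cn'
            Template     = Get-FirstValue $p 'pae-VmTemplateName'
            VmFolder     = Get-FirstValue $p 'pae-VmPath'
            ResourcePool = Get-FirstValue $p 'pae-VmResourcePool'
            # pae-VmDatastore may hold several values, one per datastore
            Datastores   = (@($p['pae-vmdatastore']) -join '; ')
        }
    }
}

# Hypothetical helper (not from the post): lists pools whose stored paths do not mention
# the current name of a vCenter object, e.g. after a Datacenter or Cluster rename.
function Find-ViewPoolPathMismatch {
    param([Parameter(Mandatory)][string]$CurrentName)
    Get-ViewPoolVCenterPath | Where-Object {
        $paths = @($_.Template, $_.VmFolder, $_.ResourcePool, $_.Datastores)
        @($paths | Where-Object { $_ -and ($_ -notlike "*$CurrentName*") }).Count -gt 0
    }
}

# Usage:
#   Get-ViewPoolVCenterPath | Format-Table -AutoSize
#   Find-ViewPoolPathMismatch -CurrentName 'Wellesley House'
```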


Attempting to activate a DAG mailbox database in Exchange Server 2019 EAC fails with the error: "…Server 'exchangeServer.contoso.com' is not up according to the Windows Failover Cluster service."


Problem

You attempt to use the Exchange Admin Center (EAC) to activate a mailbox database in a DAG cluster but notice that one of the nodes fails with the error:

Mailbox G to L
An Active Manager operation failed. Error: The database action failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error:


         exchdr01:
         Server 'exchdr01.contoso.com' is not up according to the Windows Failover Cluster service.
          [Database: Mailbox G to L, Server: exchprod01.contoso.com]

You log onto the server exhibiting this problem and notice that the services console indicates the Cluster Service is Disabled and not started.

Solution

This error threw me off for a bit of time, as the node had been added to the cluster a few days earlier and the process did not throw any errors. It was not until I decided to make modifications to the DAG configuration and received the following error message that I realized the node wasn’t added to the DAG properly:

[PS] C:\>Set-DatabaseAvailabilityGroup -Identity DAG15 -DatacenterActivationMode DagOnly
The following servers have been added to the database availability group but not to the cluster: drexch01. This is usually the result of an error during membership change. Removing and re-adding the servers can correct the issue.

    + CategoryInfo          : InvalidArgument: (:) [Set-DatabaseAvailabilityGroup], DagTaskServersInAdNotInCluster
    + FullyQualifiedErrorId : [Server=exchprod01,RequestId=f9520afa-3fce-4cd2-9e22-648339c8eca5,TimeStamp=3/17/2019 8:05:23 PM] [FailureCategory=Cmdlet-DagTaskServersInAdNotInCluster] 86538C81,Microsoft.Exchange.Management.SystemConfigurationTasks.SetDatabaseAvailabilityGroup
    + PSComputerName        : exchprod01.contoso.com

[PS] C:\>

Simply removing the mailbox database copies on the problematic node, removing the node from the DAG and re-adding it corrected both the cluster service problem and the database activation failure.

Security tab for Internet Explorer 11 displays a lock key icon for Internet, Local intranet, Trusted sites, and Restricted sites zones


I received a call from a client a few weeks ago to look at an issue he had with all the computers in the domain where the security tab for Internet Explorer 11 displayed a lock key icon for Internet, Local intranet, Trusted sites, and Restricted sites zones.

He indicated that he had recently implemented a GPO to adjust the settings for each site and had since reverted it, but noticed the settings were still in place. Reviewing the icons showed that each zone was completely locked, preventing the user from clicking on the Sites or Custom level buttons:

After going through all the policies in the domain and being unable to locate any reference to the configuration causing this, I navigated to the registry key that contains the settings for each zone and noticed that the keys appeared to be missing values:

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\

I then attempted to use the Internet Settings in the Preferences configuration to reset all the zones to the default level:

The REG_DWORD values came back but various settings such as Flags and Icon did not get recreated:

I then decided to manually create the Flags key within the GPO:

With the Flags configuration reconfigured, I am now able to click on the Sites button:

Other registry entries were still missing:

So I compared it with another fully functional Windows 10 desktop (note the Description, DisplayName, and Icon values):

From here I proceeded to add the missing keys to the GPO:

With all of the settings configured, I was now able to see the site icons as well as edit them:

It is a bit labour intensive to create all of these keys manually so I would suggest creating a .reg file to import into the user’s profile when they log in.

Configuring Internet Explorer 11 zones and enabling / disabling "Require server verification (https:) for all sites in this zone"


I recently had to assist a client with configuring a GPO to add sites in Internet Explorer 11’s trusted zones and disabling "Require server verification (https:) for all sites in this zone" so I thought I’d write this blog post to outline the registry keys required for the settings.

Note that this post will only demonstrate configuring the registry under HKEY_CURRENT_USER; it is also possible to apply the changes under HKEY_LOCAL_MACHINE.

Enabling or Disabling "Require server verification (https:) for all sites in this zone"

The registry value that controls the Require server verification (https:) for all sites in this zone setting is the REG_DWORD named Flags, located under the following registry path followed by the number of the zone (we’ll use zone 2, which represents Trusted Sites):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\

The value to enable the configuration is:

Hex: 47

Decimal: 71

The value to disable the configuration is:

Hex: 43

Decimal: 67

You can use Group Policy preferences to configure this for the user:

Adding URLs of Trusted Sites

The registry path for adding URLs of trusted sites is:

Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

Adding http://www.msn.com would look as such:

Notice how the site URL www.msn.com is an actual key under the Domains key:

To add msn.com and all of its subdomains, you can add the following key:

Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com
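The following PowerShell is an added example (not code from this post or the previous one on the locked Security tab) that ties the two together: it reports whether a zone's Flags value is present at all (the missing value behind the locked zones in the previous post) and whether it carries the "Require server verification (https:)" bit, toggles that bit, and registers a domain in the ZoneMap. The bit value 0x04 is derived from the two values given above (0x47 and 0x43 differ only in that bit); the scheme-named REG_DWORD under each domain key holding the zone number is the standard ZoneMap layout and is not shown in the post.

```powershell
# Added example, not code from the original posts. HKCU only, as in the post; run in the
# session of the user whose settings are being inspected or changed.
$ZonesPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RequireHttpsBit = 0x04   # Flags 0x47 (enabled) and 0x43 (disabled) differ only in this bit

function Get-IeZoneFlags {
    param([int]$Zone = 2)   # 2 = Trusted Sites
    $key  = Join-Path $ZonesPath $Zone
    $item = Get-ItemProperty -Path $key -Name Flags -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Zone         = $Zone
        # A missing Flags value is what left the zones locked in the previous post
        FlagsPresent = ($null -ne $item)
        Flags        = $(if ($item) { '0x{0:X}' -f $item.Flags } else { $null })
        RequireHttps = $(if ($item) { ($item.Flags -band $RequireHttpsBit) -ne 0 } else { $null })
    }
}

function Set-IeZoneRequireHttps {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Zone = 2, [Parameter(Mandatory)][bool]$Enabled)
    $key     = Join-Path $ZonesPath $Zone
    $current = (Get-ItemProperty -Path $key -Name Flags -ErrorAction Stop).Flags
    $new = if ($Enabled) { $current -bor $RequireHttpsBit } else { $current -band (-bnot $RequireHttpsBit) }
    if ($PSCmdlet.ShouldProcess("zone $Zone", ('set Flags 0x{0:X} -> 0x{1:X}' -f $current, $new))) {
        Set-ItemProperty -Path $key -Name Flags -Value $new -Type DWord
    }
}

function Add-IeZoneDomain {
    # Domains\msn.com maps msn.com and all subdomains (the post's second example);
    # Domains\msn.com\www maps only www.msn.com (how Windows stores the post's first example).
    # The value named after the scheme (http/https, REG_DWORD) holds the zone number.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$HostLabel,
        [ValidateSet('http', 'https')][string]$Scheme = 'http',
        [int]$Zone = 2
    )
    $key = Join-Path $DomainsPath $Domain
    if ($HostLabel) { $key = Join-Path $key $HostLabel }
    if ($PSCmdlet.ShouldProcess($key, "map $Scheme to zone $Zone")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
    }
}

function Get-IeZoneDomains {
    # Walks Domains\<domain>[\<host>] and reports every scheme -> zone mapping present.
    Get-ChildItem -Path $DomainsPath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $rel   = $_.Name.Substring($_.Name.IndexOf('\Domains\') + 9)   # e.g. msn.com\www
        $parts = $rel -split '\\'
        $site  = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        foreach ($valueName in $_.GetValueNames()) {
            [pscustomobject]@{ Site = $site; Scheme = $valueName; Zone = $_.GetValue($valueName) }
        }
    }
}

# Usage:
#   Get-IeZoneFlags -Zone 2
#   Set-IeZoneRequireHttps -Zone 2 -Enabled $false -WhatIf
#   Add-IeZoneDomain -Domain 'msn.com' -HostLabel 'www' -Scheme http -Zone 2
#   Get-IeZoneDomains | Format-Table -AutoSize
```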

Skype for Business client displays the message: “Your chat room access may be limited due to an outage.”


Problem

You’ve noticed that the Skype for Business client displays the following message:

Your chat room access may be limited due to an outage.

Persistent Chat rooms are no longer accessible, but all other functionality appears to be working.

Reviewing the Lync Server event logs on the front-end server reveals the following error logged:

Log Name: Lync Server

Source: LS Protocol Stack

Event ID: 14428

Level: Error

User: N/A

TLS outgoing connection failures.

Over the past 359 minutes, Skype for Business Server has experienced TLS outgoing connection failures 15 time(s). The error code of the last failure is 0x800B0101(CERT_E_EXPIRED) while trying to connect to the server "contbmlyncpc.contoso.com" at address [10.34.30.79:5041], and the display name in the peer certificate is "contbmlyncpc.contoso.com".
Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
Resolution:
Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

You proceed to log into the Persistent Chat server and confirm that the certificate has expired and therefore none has been assigned to the service:

You continue by requesting and assigning the new certificate to the Persistent Chat service:

You attempt to start the Skype for Business Server Persistent Chat service but notice that it starts and quickly stops:

Reviewing the Lync Server logs on the Persistent Chat server reveals the following error logged:

Log Name: Lync Server

Source: LS Persistent Chat Server

Event ID: 53503

Level: Error

Skype for Business Server 2015, Persistent Chat could not start due to the following exception:

at

System.IdentityModel.Tokens.SecurityTokenException: Certificate verification failed.

Server stack trace:

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.CustomX509CertificateValidator.Validate(X509Certificate2 certificate)

at System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)

at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)

at System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.ValidateRemoteCertificate(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)

at System.Net.Security.SecureChannel.VerifyRemoteCertificate(RemoteCertValidationCallback remoteCertValidationCallback, ProtocolToken& alertToken)

at System.Net.Security.SslState.CompleteHandshake(ProtocolToken& alertToken)

at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)

at System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)

at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)

at System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection& connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper& timeoutHelper)

at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)

at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)

at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)

at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)

at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)

at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)

at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)

at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)

at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.IPublisher.IsAlive()

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.PeerWrapper.ExecuteWithRetry(Action action)

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.WCFService.CreatePeerWrapper(Int32 peerId, Uri peerServiceUri)

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.WCFService.GetPeerWrapper(Int32 peerId, PeerWrapper& peerWrapper)

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.WCFService.SubscribeToPeerImpl(Int32 peerId)

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.WCFService.SubcribeToPeers()

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.PeerTransport.Connect(IWCFService service)

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.PeerServerManager.Connect(IPeerFinder peerFinder, ReceiveConduitMessageCallback callback)

at Microsoft.Rtc.Internal.Chat.Server.Channel.Server.ChannelServer.OnStart()

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.ServerBase.Start()

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.MgcServiceBase.startServer()

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.MgcServiceBase.createAndStartServer().

Solution

One of the common reasons the Persistent Chat server exhibits this behavior is that there is a second Persistent Chat server in the environment whose service certificate has also expired. The environment in this example had a second Persistent Chat server for disaster recovery purposes, so reissuing a valid certificate on that server and then restarting the services corrected the issue:
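As an added example (not code from the original post), the following PowerShell turns the troubleshooting above into a check: it parses the LS Protocol Stack 14428 events on a front-end server to list the peers the server failed to reach over TLS and the error code for each, then reads the certificates assigned on those peers with Get-CsCertificate so an expired certificate on a second Persistent Chat server shows up without logging on to each box. It assumes WinRM access to the peers with the Skype for Business module installed there; the sample message at the end is constructed from the event quoted above.

```powershell
# Added example, not code from the original post.
# Extracts peer, address and error code from a 14428 "TLS outgoing connection failures" message.
function ConvertFrom-TlsFailureMessage {
    param([Parameter(Mandatory)][string]$Message)
    $pattern = 'error code of the last failure is (?<code>0x[0-9A-Fa-f]+)\((?<name>[A-Z_0-9]+)\) ' +
               'while trying to connect to the server "(?<server>[^"]+)" at address \[(?<addr>[^\]]+)\]'
    if ($Message -match $pattern) {
        [pscustomobject]@{
            Peer      = $Matches['server']
            Address   = $Matches['addr']
            ErrorCode = $Matches['code']
            ErrorName = $Matches['name']
        }
    }
}

# Reads recent 14428 events from the Lync Server log of a front-end server (local by default).
function Get-TlsFailurePeers {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Lync Server'; Id = 14428; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-TlsFailureMessage -Message $_.Message } |
        Sort-Object Peer, ErrorCode -Unique
}

# Reads the certificates assigned to SfB services on each peer and flags expired/expiring ones.
# Assumes WinRM to the peers and the Skype for Business module installed on them.
function Get-PeerCertificateStatus {
    param([Parameter(Mandatory)][string[]]$Peer, [int]$WarnDays = 30)
    Invoke-Command -ComputerName $Peer -ScriptBlock { Get-CsCertificate } | ForEach-Object {
        $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Server   = $_.PSComputerName
            Use      = $_.Use
            Subject  = $_.Subject
            NotAfter = $_.NotAfter
            DaysLeft = $daysLeft
            Status   = $(if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' } else { 'OK' })
        }
    }
}

# Constructed sample: the 14428 message quoted in the post, run through the parser.
$SampleMessage = 'Over the past 359 minutes, Skype for Business Server has experienced TLS outgoing ' +
    'connection failures 15 time(s). The error code of the last failure is 0x800B0101(CERT_E_EXPIRED) ' +
    'while trying to connect to the server "contbmlyncpc.contoso.com" at address [10.34.30.79:5041], ' +
    'and the display name in the peer certificate is "contbmlyncpc.contoso.com".'
ConvertFrom-TlsFailureMessage -Message $SampleMessage | Format-List

# Usage against a live front-end:
#   $peers = Get-TlsFailurePeers -ComputerName 'frontend01' -Hours 24
#   Get-PeerCertificateStatus -Peer $peers.Peer | Format-Table -AutoSize
```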

Attempting to use SEFAUtil.exe to configure call forwarding on a Lync Server 2013 server fails with: SEFAUtil.exe has stopped working


Problem

You attempt to use the SEFAUtil.exe executable in the Lync Server Resource Kit Tools to configure call forwarding on a Lync Server 2013 server but it immediately fails with:

SEFAUtil.exe has stopped working

Description:

Stopped working

Problem signature:

Problem Event Name: CLR20r3

Problem Signature 01: sefautil.exe

Problem Signature 02: 4.0.0.0

Problem Signature 03: 4cc149b9

Problem Signature 04: SEFAUtil

Problem Signature 05: 4.0.0.0

Problem Signature 06: 4cc149b9

Problem Signature 07: 1

Problem Signature 08: 7

Problem Signature 09: System.IO.FileNotFoundException

OS Version: 6.3.9600.2.0.0.272.7

Locale ID: 2057

Read our privacy statement online:

http://go.microsoft.com/fwlink/?linkid=280262

If the online privacy statement is not available, please read our privacy statement offline:

C:\Windows\system32\en-US\erofflps.txt

Closing the pop-up window then displays the following output:

PS C:\Program Files\Microsoft Lync Server 2010\ResKit> .\SEFAUtil.exe /server:contuklse03.contoso.com tluk@contoso.com /enablefwdimmediate /setfwddestination:marmstrong@contoso.com

Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.Rtc.Collaboration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

File name: 'Microsoft.Rtc.Collaboration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'

at SEFAUtil.SefaTool.Execute()

at SEFAUtil.Program.Main(String[] args)

WRN: Assembly binding logging is turned OFF.

To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.

Note: There is some performance penalty associated with assembly bind failure logging.

To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

PS C:\Program Files\Microsoft Lync Server 2010\ResKit>

You document the Trusted Application and Trusted Application Pool, remove and recreate it but the error still persists.

Solution

One of the things I noticed in this environment was that the ResKit was installed in the Microsoft Lync Server 2010\ResKit directory, so I initially reran the ResKit install (https://www.microsoft.com/en-us/download/details.aspx?id=36821) to see if it would upgrade it, but the window I was presented with only offered repair or remove. I chose repair, but this did not correct the issue. After not having any luck with other troubleshooting steps, I went ahead and uninstalled the 2010 tools and reinstalled into Microsoft Lync Server 2013\ResKit, which corrected the issue. It appears the ResKit installer does not identify whether the existing install was for 2010 or 2013.

The following is the successful output:

PS C:\Program Files\Microsoft Lync Server 2010\ResKit> .\SEFAUtil.exe /server:contuklse03.contoso.com tluk@contoso.com /enablefwdimmediate /setfwddestination:marmstrong@contoso.com

User Aor: sip:tluk@contoso.com

Display Name: Terence Luk

UM Enabled: True

Simulring enabled: False

Forward immediate to: sip:marmstrong@contoso.com

PS C:\Program Files\Microsoft Lync Server 2013\ResKit>

Deploying Skype for Business Server 2019 on Windows Server 2019 in a Skype for Business Server 2015 environment


I’ve recently had the opportunity to deploy Skype for Business Server 2019 on Windows Server 2019 in a Skype for Business Server 2015 environment and decided to capture the process so I can write this blog post demonstrating what the deployment process looks like.

Before I proceed, the deployment guide I will be using can be found here:

Skype for Business Server 2019
https://docs.microsoft.com/en-us/skypeforbusiness/skype-for-business-server-2019

Prerequisites

Forest and Domain Functional Level

Verify that the forest and domain functional level is at one of the following levels:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Windows Roles and Features

Install the required roles and features with the following PowerShell cmdlet:

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, Telnet-Client

Skype for Business Server 2015 Coexistence

I could not find any documentation identifying which CU a legacy SfB 2015 environment needs to be at in order for coexistence to work properly, as the following article is the only relevant section I found in the documentation:

https://docs.microsoft.com/en-us/skypeforbusiness/migration/apply-updates

I ended up going with the latest January 2019 (CU8) for the environment I was installing SfB 2019 in and have not had any problems.

Preparing Install for Skype for Business Server 2019

Launch the Setup.exe executable as administrator:

Those who have installed SfB 2015 would find that the interface hasn’t changed much:

As there is already a Skype for Business Server 2015 deployment in the environment, I did not need to run Prepare first Standard Edition server. I also noticed that the Prepare Active Directory step already had a Complete check mark beside it, most likely because there haven’t been any schema changes since SfB 2015.

Installing Administrative Tools

Proceed to run Install Administrative Tools:

Defining Skype for Business Server 2019 Topology

Launch the Topology Builder from the start menu and download the existing topology:

Begin by defining a file store for the new Skype for Business Server 2019 environment by navigating to Shared Components > File stores, then right click and select New File Store…:

Fill in the FQDN (make sure you use the FQDN and not the short server name) of the file server that will host the SfB files and the share name:

With the file store defined, proceed to create the new standard front-end server by navigating to Skype for Business Server 2019 > Standard Edition Front End Servers, then right click and select New Front End Pool…:

Enter the FQDN of the server name that the front-end services will be installed onto:

Select the appropriate features required for the front-end server:

As this is a standard edition deployment, a local SQL Server Express will be installed:

Select the previously defined file store:

Note that the path in the screenshot below should be the FQDN of the server.

Fill in the external URL for the Web Services URL:

Associate the existing or new Office Web Apps Server if one exists in the environment:

The new front-end server should now be created:

Proceed to publish the topology:

Review the warnings to ensure that they are not deployment impacting.

For those who are interested, the required security permissions for the file store that was defined earlier are automatically configured after publishing the topology:

Installing Skype For Business Server 2019 Front-End Server

Proceed and run Install or Update Skype for Business Server System:

Run the Install Local Configuration Store:

Proceed to run the Setup or Remove Skype for Business Server Components:

With the components successfully installed, proceed to request, install and assign the certificates:

Note that the OAuthTokenIssuer already had a certificate issued because there is an existing SfB 2015 deployment in the environment.

Depending on the way you’ll be publishing the Web services external service, you may want to assign a certificate issued by a public Certificate Authority but for the purpose of this demonstration, we’ll create a certificate for all 3 services from an internal Microsoft Enterprise CA:

Proceed to leave the Assign this certificate to Skype for Business Server certificate usages checked and click Finish:

Assign the certificate to the services:

All of the services should now have a check mark beside them:

Start Skype for Business Server 2019 Services

Scroll down to the Start Services section:

Click on the Run button for Service Status (Optional) to bring up the Services console:

Run the Start-CsWindowsService cmdlet in the Skype for Business Server Management Shell to start all of the services:

Confirm that all the services start:

Launch the Skype for Business Server 2019 Control Panel to confirm accessibility:

You can now continue with any other migration tasks, such as moving pilot users over to verify functionality and/or migrating services over.

Skype for Business Server 2019 Front-End service stuck at Starting status


Problem

You’ve just completed deploying a new Skype for Business Server 2019 server into an environment but noticed that the Skype for Business Server Front-End service remains stuck at the Starting status and never completes to Running or stops:

Executing the cmdlet Get-CsWindowsService displays the following:

Reviewing the Lync Server logs show the following entries:

Log Name: Lync Server

Source: LS User Services

Event ID: 32174

Level: Warning

Server startup is being delayed because fabric pool manager has not finished initial placement of users.

Currently waiting for routing group: {63BB8586-A9D8-5AF2-83FF-B5CE680594C0}.

Number of groups potentially not yet placed: 1.

Total number of groups: 1.

Cause: This is normal during cold-start of a Pool and during server startup.

If you continue to see this message many times, it indicates that insufficient number of Front-Ends are available in the Pool.

Resolution:

During a cold-start of a large Pool it can take up to an hour for the placement process to finish as it needs to populate all the Front-End databases with data from the Backup Store. If the Pool is running and the Front-End is just started, this is normal for some time. If this repeats for a long time, ensure that all the Front-Ends configured for this Pool are up and running. If multiple Front-Ends have been recently decommissioned, run Reset-CsPoolRegistrarState -ResetType QuorumLossRecovery to enable the Pool to recover from Quorum Loss and make progress.

Scrolling upwards from the warning displays the following error:

Log Name: Lync Server

Source: LS MCU Infrastructure

Event ID: 61029

Level: Error

In the past 30.0093507983333 minutes the process RtcHost(6756) received 1 invalid certificates. The last one was from server: contsfbstd01.contoso.com, IP Address: 10.198.40.152:60873, with subject: CN=contsfbstd01.contoso.com, OU=IT, O=contoso Re, L=Hamilton, S=Hamilton, C=BM, issued by: CN=contoso-CA, DC=contoso, DC=com. Validation error code was: 800B0109.

Resolution:

Please check the remote server and ensure that the certificate is valid. Also ensure that the full certificate chain of the Issuer is present in the local machine. If the remote certificate and chain appear to be valid and error code is 0x800B0109 (CERT_E_UNTRUSTEDROOT), check that the ROOT certificate store on the local machine does not contain any intermediate certificates (certificates with different values in 'Issued To' and 'Issued By' fields do not belong to the ROOT store and cause client certificate validation errors in HTTP.SYS)

The following warning is also logged:

Log Name: Microsoft-Service Fabric/Admin

Source: Microsoft-Service Fabric

Event ID: 4097

Level: Error

ignore error 0x80092013:certificate revocation list offline

You attempt to navigate to the directory:

C:\Program Files\Skype for Business Server 2019\Server\Core

… and edit the file:

ClusterManifests.Xml.Template

Changing the flag:

<Parameter Name="CrlCheckingFlag" Value="%CRLCHECKINGFLAG%" />

… to:

<Parameter Name="CrlCheckingFlag" Value="0" />

… which should disable CRL Checking for the certificates but this does not correct the issue.

Solution

The solution to this problem can actually be found in the previous error log:

Note the following text highlighted in red:

In the past 30.0093507983333 minutes the process RtcHost(6756) received 1 invalid certificates. The last one was from server: contsfbstd01.contoso.com, IP Address: 10.198.40.152:60873, with subject: CN=contsfbstd01.contoso.com, OU=IT, O=contoso Re, L=Hamilton, S=Hamilton, C=BM, issued by: CN=contoso-CA, DC=contoso, DC=com. Validation error code was: 800B0109.

Resolution:

Please check the remote server and ensure that the certificate is valid. Also ensure that the full certificate chain of the Issuer is present in the local machine. If the remote certificate and chain appear to be valid and error code is 0x800B0109 (CERT_E_UNTRUSTEDROOT), check that the ROOT certificate store on the local machine does not contain any intermediate certificates (certificates with different values in 'Issued To' and 'Issued By' fields do not belong to the ROOT store and cause client certificate validation errors in HTTP.SYS)

The reason why the front-end service is unable to start is that there is a certificate stored in the Trusted Root Certification Authorities store that isn’t actually a root certificate. To check this, load the local computer’s certificate store (certlm.msc) and review the certificates in Trusted Root Certification Authorities, ensuring that Issued To matches Issued By word for word.

The following is a screenshot of the offending certificate I found in the Trusted Root Certification Authority where the Issued To is arersa01.domain.com while the Issued By is RSA root CA for arersa01.domain.com:

Opening the properties of this certificate will show that it is actually an Intermediate Certification Authority certificate:

Either removing the certificate or placing it in the appropriate datastore will correct the issue.
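The manual check described above can be scripted. The following PowerShell is an added example (not code from the original post): it lists every certificate in the local machine Trusted Root Certification Authorities store whose Subject (Issued To) differs from its Issuer (Issued By), which is exactly the misplaced-intermediate condition the 61029 event warns about, and optionally moves such certificates to the Intermediate Certification Authorities store. The move function uses the .NET X509Store classes rather than any SfB cmdlet and does nothing unless confirmed.

```powershell
# Added example, not code from the original post. Read-only unless the Move-* function
# is called and confirmed.

# A genuine root certificate is self-issued: Subject and Issuer hold the same DN.
# Anything else in the ROOT store is misplaced (normally an intermediate CA certificate).
function Get-MisplacedRootCertificate {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            if ($cert.Subject -ne $cert.Issuer) {
                [pscustomobject]@{
                    Thumbprint = $cert.Thumbprint
                    IssuedTo   = $cert.Subject
                    IssuedBy   = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
    finally { $store.Close() }
}

# Moves a certificate from Trusted Root Certification Authorities ('Root') to Intermediate
# Certification Authorities ('CA'). Supports -WhatIf / -Confirm; prompts by default.
function Move-CertificateToIntermediateStore {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Thumbprint)
    process {
        $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        $ca   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
        $root.Open('ReadWrite')
        $ca.Open('ReadWrite')
        try {
            $found = $root.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
            foreach ($cert in $found) {
                if ($PSCmdlet.ShouldProcess($cert.Subject, 'move from Root store to CA (intermediate) store')) {
                    $ca.Add($cert)      # add first so the chain never loses the certificate
                    $root.Remove($cert)
                }
            }
        }
        finally {
            $root.Close()
            $ca.Close()
        }
    }
}

# Usage:
#   Get-MisplacedRootCertificate | Format-Table -AutoSize
#   Get-MisplacedRootCertificate | Move-CertificateToIntermediateStore -WhatIf
```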

Note that improperly placed certificates in certificate stores are known to cause service start and replication issues. The following are a few of my older posts on Skype for Business / Lync Server environments:

Lync Server Access Edge service fails to start with: “… service-specific error code -2146762487”
http://terenceluk.blogspot.com/2013/05/lync-server-access-edge-service-fails.html

Lync Server 2013 Edge server replication issues on Windows Server 2012
http://terenceluk.blogspot.com/2013/04/lync-server-2013-edge-server.html


Using wmic (Windows Management Interface Command) to remotely uninstall applications


I’ve recently been tasked to create a script that would remotely uninstall Adobe Flash on all desktops on the network and, after not having any luck with PowerShell, I reverted to the wmic (Windows Management Interface Command) command I have used in the past. While this isn’t the best way to guarantee the removal of the application in any environment, it can be used in situations where you need a method that requires very little time.

The first step in the process is to obtain a list of the computer names you would like to remotely uninstall the application from and put it into a txt file with each name on a separate line.  If you intend to run it against all the computers in Active Directory then you can use the following PowerShell cmdlet to export the list in CSV format:

Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | Export-CSV AllWindows.csv -NoTypeInformation -Encoding UTF8

The above command would generate a CSV file as such:

You won’t need all the columns so simply copy the column with the computer names and paste it into a txt file then save it as computers.txt.

The command you’ll run with the reference to the computers.txt file will be the following:

wmic /failfast:on /node:@"computers.txt" product where "name like 'Adobe Flash%'" call uninstall /nointeractive

Note that the % sign is a wildcard and the following output will be displayed if the application is found and uninstalled on the remote computer:
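For anyone who wants the same job driven from PowerShell with a per-computer result log, the following is an added example of mine, not code from the original post. It reads the same computers.txt, skips hosts that do not answer a ping (the equivalent of /failfast:on), runs the Windows Installer uninstall for every product whose name matches the WQL LIKE pattern, and writes the results to a CSV. The function and file names are my own; it assumes the Win32_Product class is reachable over WinRM/CIM on the targets.

```powershell
# Added example, not code from the original post.
# Drives the same remote uninstall from PowerShell with CIM instead of wmic: it reads
# computers.txt, skips hosts that do not answer (the equivalent of /failfast:on), runs
# the Windows Installer uninstall for every product matching the WQL LIKE pattern and
# writes a per-computer result log. Supports -WhatIf for a dry run.

function Uninstall-RemoteProduct {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ComputerListPath,   # one computer name per line
        [Parameter(Mandatory)] [string] $NamePattern,        # WQL LIKE pattern, e.g. 'Adobe Flash%'
        [string] $LogPath = '.\uninstall-results.csv'
    )

    # Escape single quotes so the pattern cannot break the WQL filter string
    $filter = "Name LIKE '{0}'" -f $NamePattern.Replace("'", "''")

    $results = foreach ($raw in Get-Content -Path $ComputerListPath) {
        $computer = $raw.Trim()
        if (-not $computer) { continue }                      # skip blank lines

        # Do not wait on WMI timeouts for hosts that are offline
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            [pscustomobject]@{ Computer = $computer; Product = ''; Status = 'Unreachable' }
            continue
        }

        try {
            # Note: enumerating Win32_Product makes Windows Installer run a consistency
            # check on every installed MSI package, exactly as 'wmic product' does
            $products = @(Get-CimInstance -ClassName Win32_Product -ComputerName $computer -Filter $filter -ErrorAction Stop)
            if ($products.Count -eq 0) {
                [pscustomobject]@{ Computer = $computer; Product = ''; Status = 'NotInstalled' }
                continue
            }
            foreach ($product in $products) {
                if ($PSCmdlet.ShouldProcess("$computer : $($product.Name)", 'Uninstall')) {
                    # ReturnValue 0 means the MSI uninstall succeeded; other values are Windows Installer codes
                    $rv = (Invoke-CimMethod -InputObject $product -MethodName Uninstall).ReturnValue
                    [pscustomobject]@{ Computer = $computer; Product = $product.Name; Status = "ReturnValue=$rv" }
                }
            }
        } catch {
            [pscustomobject]@{ Computer = $computer; Product = ''; Status = "Error: $($_.Exception.Message)" }
        }
    }

    $results | Export-Csv -Path $LogPath -NoTypeInformation
    $results
}

# Same scope as the post's wmic command; drop -WhatIf to perform the uninstalls
Uninstall-RemoteProduct -ComputerListPath .\computers.txt -NamePattern 'Adobe Flash%' -WhatIf
```

Run it with -WhatIf first to see which computers and products would be touched; the CSV it writes is the evidence of what was (or was not) removed on each host.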

Windows 10 fails to sysprep with the error message: “A fatal error occurred while trying to sysprep the machine.”


Problem

You attempt to run sysprep on a Windows 10 operating system by manually navigating to C:\windows\system32\sysprep to execute the sysprep.exe:

… but receive the following error:

System Preparation Tool 3.14

A fatal error occurred while trying to sysprep the machine.

You navigate to the directory:

C:\windows\system32\sysprep\Panther

.. and find the following the content in the setuperr.log file:

2019-03-14 07:29:46, Error [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f

2019-03-14 07:29:46, Error [0x0f00ae] SYSPRP WinMain:Hit failure while processing sysprep cleanup external providers; hr = 0x8007001f

Solution

One of the first items to check is that the rearm limit has not been reached by executing slmgr.vbs /dlv to review the Remaining Windows rearm count (the desktop I was working on has not reached 0):

If the Remaining Windows rearm count hasn’t been exceeded then proceed to check the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus\

Verify that the CleanupState registry key is set to 2:

Verify that the GeneralizationState is set to 7 (the desktop I was working on had the value of 3):

Uninstall and reinstall the MSDTC with the following commands:

msdtc -uninstall

msdtc –install

Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\

Verify that the SkipRearm key has the value of 1:

Rerunning the sysprep.exe executable to start the sysprep process should work as expected now:
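The rearm count and the three registry values above can be read in one pass before re-running sysprep. The following is an added example of mine, not code from the original post: it reports each item against the expected value from the steps above and, with -Repair, applies the same fixes (the registry values and the MSDTC reinstall). It assumes an elevated prompt and the default slmgr.vbs location.

```powershell
# Added example, not code from the original post.
# Reads the items the post says to verify before re-running sysprep and reports each
# one with its expected value; -Repair applies the post's fixes (registry values and
# an MSDTC reinstall). Run from an elevated prompt.

function Test-SysprepReadiness {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch] $Repair
    )

    $sysprepStatus = 'HKLM:\SYSTEM\Setup\Status\SysprepStatus'
    $spp           = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'

    # slmgr.vbs /dlv prints a line "Remaining Windows rearm count: N"
    $dlvText = (cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv) -join "`n"
    $rearm   = if ($dlvText -match 'Remaining Windows rearm count:\s*(\d+)') { [int]$Matches[1] } else { $null }

    $status    = Get-ItemProperty -Path $sysprepStatus -ErrorAction SilentlyContinue
    $skipRearm = (Get-ItemProperty -Path $spp -Name SkipRearm -ErrorAction SilentlyContinue).SkipRearm

    $checks = @(
        [pscustomobject]@{ Check = 'Remaining Windows rearm count';        Expected = '> 0'; Actual = $rearm;                      Ok = ($rearm -gt 0) }
        [pscustomobject]@{ Check = 'SysprepStatus\CleanupState';           Expected = 2;     Actual = $status.CleanupState;        Ok = ($status.CleanupState -eq 2) }
        [pscustomobject]@{ Check = 'SysprepStatus\GeneralizationState';    Expected = 7;     Actual = $status.GeneralizationState; Ok = ($status.GeneralizationState -eq 7) }
        [pscustomobject]@{ Check = 'SoftwareProtectionPlatform\SkipRearm'; Expected = 1;     Actual = $skipRearm;                  Ok = ($skipRearm -eq 1) }
    )

    if ($Repair) {
        if ($rearm -eq 0) {
            Write-Warning 'Rearm count is 0; the registry fixes below do not address that.'
        } elseif ($PSCmdlet.ShouldProcess('sysprep state', 'Reset registry values and reinstall MSDTC')) {
            Set-ItemProperty -Path $sysprepStatus -Name CleanupState        -Value 2 -Type DWord
            Set-ItemProperty -Path $sysprepStatus -Name GeneralizationState -Value 7 -Type DWord
            Set-ItemProperty -Path $spp           -Name SkipRearm           -Value 1 -Type DWord
            msdtc.exe -uninstall
            msdtc.exe -install
        }
    }
    $checks
}

Test-SysprepReadiness | Format-Table -AutoSize
```

Run it once to see which value is off (on the desktop in this post it would have shown GeneralizationState = 3), then again with -Repair before launching sysprep.exe.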

Attempting to configure VMware SRM (Site Recovery Manager) Protection Group fails with: "... due to unresolved devices"


Problem

You attempt to configure a new VMware SRM protection group but receive the following error:

ERROR

Operation Failed Task completed with error CompositeException Unable to protect VM '<virtualMachineName>' due to unresolved devices Unable to protect VM '<virtualMachineName>’ due to unresolved devices Unable to protect VM '<virtualMachineName>' due to unresolved devices

Operation ID: 33a8561f-c6b5-4868-b2f7-01453d762ad6

Solution

This error is usually thrown due to components of SRM not being completely configured. The following are a few common items:

  1. Network Mappings
  2. Folder Mappings
  3. Resource Mappings

There will be times when the administrator has configured the mappings but the configuration is not correct, and the best way to identify exactly what is preventing the protection group from being configured is to navigate to the Virtual Machines tab and review the Protection Status output, which explicitly displays the problem. In the case of this example, the network mappings were configured but the various port groups and the cluster mapping for these VMs were not:

The configuration for the Protection Groups should successfully complete once the missing mappings are configured:

Audio calls via a Lync Server 2013 Edge server gets stuck at connecting with no audio for 10 seconds then disconnects


I was recently asked by a client to troubleshoot an issue with their Lync Server 2013 environment where users connecting remotely via the Edge server are unable to establish voice calls. A user would be able to successfully authenticate as well as see the call come in but when they pick up with their handset, they would not hear any audio and the call would disconnect within 10 seconds. Using the Skype for Business client would show the call in the Connecting call… status then disconnect:

While this type of issue can have many causes, the environment I was troubleshooting had 3 contributing misconfigurations:

#1 – A/V Edge service NAT was not configured

The Edge server’s external interface IPs were all NAT-ed but the topology for the environment did not have the external IP address configured:

#2 – The DNS record of the Edge server’s internal interface was not correct

The Edge server for this environment had recently been moved and the internal interface’s IP address changed, and since the server is not joined to the domain, the internal DNS A record that servers such as the front-end use to reach the Edge server was not updated.

#3 – Port 5062 was not opened between the Edge server and FE / SBA servers

The internal interface of the Edge server was in a secured network and TCP port 5062 used for authentication of A/V users was not opened. The following TechNet article provides more detail about the purpose of this port:

Edge Server environmental requirements in Skype for Business Server
https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/edge-server-deployments/edge-environmental-requirements

----------------------------------------------------------------------------------------------------------------------------

Note that beyond observing that audio does not work, the Remote Connectivity Analyzer tool that Microsoft provides can help with identifying such an issue: https://testconnectivity.microsoft.com

The following is the output from a test run against the environment:

Testing remote connectivity for user tluk@domain.com to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Tell me more about this issue and how to resolve it

Additional Details
    Couldn't sign in. Error: User failed to get response from MRAS server.
    SIP service request to MRAS server failed.
    Error Message: A 504 (Server time-out) response was received from the network and the operation failed. See the exception details for more information..
    Error Type: PublishSubscribeException.
    Fault Code: .
    Response Code: 504.
    Response Text: Server time-out.
    Diagnostic Header: ErrorCode=1038,Source=UKSBA03.contoso.COM,Reason=Failed to connect to a peer server,fqdn=ukles03.contoso.com:5062,peer-type=InternalServer,winsock-code=10060,ip-address=192.168.34.10,winsock-info=The peer did not respond to the connection attempt
    Microsoft.Rtc.Signaling.DiagnosticHeader

Elapsed Time: 12486 ms.

Attempting to upgrade Exchange Server 2016 from CU8 to CU12 fails at Step 2 of 18 Stopping Services with: "fms (1428)" because of the following error: Access is denied


Problem

You attempt to upgrade an Exchange Server 2016 environment at CU8 to CU12 but the process fails at Step 2 of 18: Stopping Services with the error:

Error:

The following error was generated when "$error.Clear();

& $RoleBinPath\ServiceControl.ps1 -Operation:DisableServices -Roles:($RoleRoles.Replace('Role','').Split(',')) -SetupScriptsDirectory:$RoleBinPath;

& $RoleBinPath\ServiceControl.ps1 -Operation:Stop -Roles:($RoleRoles.Replace('Role','').Split(',')) -IsDatacenter:([bool]$RoleIsDatacenter)

" was run: "Microsoft.PowerShell.Commands.ProcessCommandException: Cannot stop process "fms (1428)" because of the following error: Access is denied ---> System.ComponentModel.Win32Exception: Access is denied

at System.Diagnostics.ProcessManager.OpenProcess(Int32 processId, Int32 access, Boolean throwIfExited)

at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)

at System.Diagnostics.Process.get_HasExited()

at Microsoft.PowerShell.Commands.StopProcessCommand.ProcessRecord()

--- End of inner exception stack trace ---".

Solution

This error is typically caused by the account used to run the install not having the Debug programs user right.  To verify this, launch the Local Computer Policy with GPEDIT.msc and navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Debug programs:

The environment in which this error was thrown had a group policy that defined the accounts with the Debug programs right and therefore overwrote the default local Administrators group, which any administrative account would have been a member of:

A workaround I typically use is to create a sub OU under the OU the Exchange server computer object currently sits in, block group policy inheritance on it, and temporarily move the Exchange server being patched into that OU so the setting reverts to the default, as shown in the screenshot below:

Another alternative is to add the user into a group or directly into the GPO that defines the Debug programs right, but I prefer the previous workaround as the latter potentially affects many other computer objects.
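Before moving OUs around it helps to confirm what is actually assigned on the server. The following is an added example of mine, not code from the original post: it exports the effective user rights policy with secedit, resolves the SIDs listed for SeDebugPrivilege (the Debug programs right) to account names, and separately checks whether the current account’s token carries the privilege at all. It assumes an elevated prompt; secedit and whoami ship with Windows.

```powershell
# Added example, not code from the original post.
# Shows who holds the "Debug programs" user right (SeDebugPrivilege) on this server, both
# from the effective local security policy (local settings plus whatever GPO has applied)
# and from the current account's token, which is what Exchange setup runs with.
# Run from an elevated prompt.

function Get-DebugProgramsAssignment {
    [CmdletBinding()]
    param()

    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    # secedit exports the effective policy in INI form; the User Rights section holds
    # lines such as: SeDebugPrivilege = *S-1-5-32-544
    $null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS
    try {
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
        if (-not $line) { return @() }                       # right assigned to nobody
        (($line -split '=', 2)[1]).Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # Entries are SIDs prefixed with '*'; resolve them to account names
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }                           # unresolvable SID: show it raw
            } else { $entry }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-CurrentTokenHasDebugPrivilege {
    # whoami /priv lists the privileges present in the current logon token
    [bool]((whoami.exe /priv) -match '^SeDebugPrivilege\s')
}

$holders = @(Get-DebugProgramsAssignment)
'Accounts assigned the Debug programs right:'
$holders
if ($holders -notcontains 'BUILTIN\Administrators') {
    Write-Warning 'BUILTIN\Administrators no longer holds Debug programs; a group policy is overriding the local default.'
}
if (-not (Test-CurrentTokenHasDebugPrivilege)) {
    Write-Warning 'The current account''s token does not include SeDebugPrivilege; Exchange setup will fail to stop processes.'
}
```

If the first list no longer contains BUILTIN\Administrators, a GPO is the cause and the OU workaround above applies; after moving the computer object, run gpupdate /force and re-run the script to confirm the default is back before starting setup.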

You may also notice that the installer may not work properly even after the changes, where you’ll see the following Check for Updates page:

Then briefly the Downloading Updates page, which would quickly disappear:

If the installer exhibits this issue then simply use the command line to install the CU12 update:

Setup.exe /Mode:Upgrade /IAcceptExchangeServerLicenseTerms

Installing .NET Framework 4.7.1 on Windows Server 2012 as a prerequisite for patching Exchange 2016 CU8 to CU12 remains stuck at: “File security verification: All files were verified successfully.”


Problem

You’re attempting to patch an Exchange Server 2016 CU8 environment to the latest CU12 and one of the prerequisites is to install .NET Framework 4.7.1 so you proceed to download the offline installer executable, run the install but notice that it remains stuck at:

File security verification:

All files were verified successfully.

Solution

You’ll notice that even attempting to hit the Cancel button to cancel the install presents the rollback status indefinitely.  What I ended up doing was restarting the server to stop the installer, and the solution to upgrading .NET Framework 4.6 to the required 4.7.1 is to download the MSU packages at the following URL:

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4033369

Run the two MSU files:

Then use the following cmdlet to verify the version of .NET Framework after a server restart:

Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" | Format-List

Before upgrade:

After upgrade:

.NET Framework Version Table:

Installing .NET Framework 4.7.1 on Windows Server 2016 as a prerequisite for patching Exchange 2016 CU8 to CU12 remains stuck at: “File security verification: All files were verified successfully.”


Problem

You’re attempting to patch an Exchange Server 2016 CU8 environment to the latest CU12 and one of the prerequisites is to install .NET Framework 4.7.1 so you proceed to download the offline installer executable but notice that it never completes.

Solution

As with my previous blog post:

Installing .NET Framework 4.7.1 on Windows Server 2012 as a prerequisite for patching Exchange 2016 CU8 to CU12 remains stuck at: “File security verification: All files were verified successfully.”
http://terenceluk.blogspot.com/2019/04/installing-net-framework-471-on-windows.html

… you need to upgrade the .NET Framework 4.6 to the required 4.7.1 by downloading and installing the MSU packages at the following URL:

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4033393

Run the two MSU files:

Then use the following cmdlet to verify the version of .NET Framework after a server restart:

Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" | Format-List

Before upgrade:

After upgrade:

.NET Framework Version Table:


KEMP load balanced Exchange Server 2019 ActiveSync connections displays a certificate error


I was recently involved in an Exchange 2013 to 2019 migration where the client had a KEMP load balancer providing load balancing services for the Exchange services.  The KEMP configuration was handled by another engineer and all the internal and Test Remote Connectivity tests appeared to be in good working order after the configuration but then users started noticing certificate warnings on their smartphones:

iPhones:

Connection Warning

Your mail server certificate is invalid.

Would you like to log in anyways?

Androids:

Certificate not secure

The certificate isn’t from a trusted authority.

If you continue with this certificate, your emails and account may be at risk.

I was reluctant to reach out to the engineer who configured the KEMP load balancer since it was a weekend, and I had a hunch that perhaps the intermediate certificate wasn’t installed, so I logged on to the load balancer to check the configuration.  The KEMP interface is much simpler than the Citrix NetScalers I’m used to and I immediately located the menu for Intermediate Certificates, confirming that the intermediate issuing certificate was not installed:

Proceeding to install the certificate onto the KEMP load balancer corrected the issue.

Attempting to move a user from a Skype for Business Server 2015 to 2019 pool fails with: “Failed while updating destination pool.”


Problem

You attempt to move a user from a Skype for Business Server 2015 to 2019 pool but notice that it fails with:

Failed while updating destination pool.

Solution

This has been a common issue in previous SfB and Lync environments where the user’s Active Directory user object has inheritance disabled.  If this is the case, enabling it will correct the issue.

Skype for Business Server 2019 Edge server fails to replicate with Front-End server


Problem

You’ve just completed deploying a new Skype for Business 2019 Edge but notice that when you review the replication status with the cmdlet Get-CsManagementStoreReplicationStatus, the UpToDate field never changes to True.  Executing the cmdlet Invoke-CsManagementStoreReplication to initiate replication doesn’t change this either.

Reviewing the System logs on the Edge server reveals several Schannel errors:

Log Name: System

Source: Schannel

Event ID: 36882

Level: Error

User: NETWORK SERVICE

The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The TLS connection request has failed. The attached data contains the server certificate.

The following errors are also found in the Lync Server logs:

Log Name: Lync Server

Source: LS Protocol Stack

Event ID: 14366

Level: Error

User: N/A

Multiple invalid incoming certificates.

In the past 1 minutes the server received 1 invalid incoming certificates. The last one was from host 10.198.40.152.

Cause: This can happen if a remote server presents an invalid certificate due to an incorrect configuration or an attacker.

Resolution:

No action needed unless the number of failures is large. Contact the administrator of the host sending the invalid certificate and resolve this problem.

Log Name: Lync Server

Source: LS Protocol Stack

Event ID: 14366

Level: Error

User: N/A

TLS outgoing connection failures.

Over the past 1 minutes, Skype for Business Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x800B0109(CERT_E_UNTRUSTEDROOT) while trying to connect to the server "contsfbstd01.contoso.com" at address [10.198.40.152:5061], and the display name in the peer certificate is "contsfbstd01.contoso.com".
Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.

Resolution:

Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

Log Name: Lync Server

Source: LS Web Conferencing Edge Server

Event ID: 41987

Level: Error

User: N/A

Web Conferencing Server connection failed to establish.

Over the past 1 minutes Skype for Business Server has experienced incoming TLS connection failures 1 time(s). The error code of the last failure is 0x80090325(SEC_E_UNTRUSTED_ROOT) and the last connection was from the host "".

Cause: This can occur if this box is not properly configured for TLS communications with remote Web Conferencing Server.

Resolution:

Check your topology configuration to ensure that both this host and remote Web Conferencing Server can validate each other TLS certificates and are otherwise trusted for communications.

Solution

This error is typically associated with the Edge server not trusting the certificate presented by the Front-End server: the internal services are using a certificate issued by an internal Microsoft Certificate Authority and, since the Edge server is not joined to the domain, it does not trust the issuing authority by default.  To correct the problem, simply export the certificate of the CA that issued the front-end server’s certificate and import it into the Trusted Root Certification Authorities store on the Edge server:
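To see exactly what the Edge server sees before and after the CA certificate is imported, the check Schannel performs can be reproduced from a PowerShell prompt on the Edge. The following is an added example of mine, not code from the original post: it connects to the Front-End on TCP 5061, captures the certificate the peer presents and asks the local machine to build a chain for it, reporting the chain status (CERT_E_UNTRUSTEDROOT shows up as UntrustedRoot) and whether the name matches. The host name and port are taken from the event text above; the function name is my own.

```powershell
# Added example, not code from the original post.
# Connects from the Edge server to the Front-End on the SIP MTLS port, captures the
# certificate the peer presents and checks whether this machine can build a trusted
# chain for it, which is the check Schannel fails with CERT_E_UNTRUSTEDROOT.
# The host name and port below are taken from the event text in the post.

function Test-PeerCertificateTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TargetHost,
        [int] $Port = 5061
    )

    # Capture the peer certificate inside the validation callback: it fires as soon as the
    # server's certificate arrives, so we still get it if the MTLS handshake is later
    # aborted because this client sends no certificate of its own.
    $state    = @{ Cert = $null }
    $callback = {
        param($sender, $certificate, $chain, $errors)
        $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try     { $ssl.AuthenticateAsClient($TargetHost) }
    catch   { if (-not $state.Cert) { throw } }   # no certificate at all: real connectivity failure
    finally { $ssl.Dispose(); $tcp.Dispose() }

    $cert = $state.Cert
    # Build the chain against the local machine's stores, as Schannel does
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        NameMatches = ($cert.DnsNameList.Unicode -contains $TargetHost)
        Trusted     = $trusted
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        ChainTop    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
}

Test-PeerCertificateTrust -TargetHost 'contsfbstd01.contoso.com' | Format-List
```

Before the import, Trusted is False with UntrustedRoot in ChainStatus and ChainTop is the issuing CA rather than a certificate present in the Root store; after importing the CA certificate (and, per the event text, a reboot if it still fails), Trusted becomes True. Revocation checking is disabled here deliberately so that a CRL reachability problem does not mask the trust question.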

The following event will be logged in the Lync Server logs once replication succeeds:

Log Name: Lync Server

Source: LS Web Conferencing Edge Server

Event ID: 41999

Level: Information

User: N/A

Web Conferencing Server connected successfully

Web Conferencing Server with FQDN contsfbstd01.contoso.com connected successfully

Get-CsManagementStoreReplicationStatus should show that replication has succeeded:

Deploying Office Online Server 2019 on Windows Server 2016 for Skype for Business Server 2019


As some of you may know, the Office Online Server is the updated replacement for Office Web Apps Server to enable PowerPoint presentation sharing and I’ve recently had the opportunity to deploy Skype for Business Server 2019 and thought I’d write a quick post demonstrating the deployment process.

The following is the guide I used for the deployment:

Deploy Office Online Server
https://docs.microsoft.com/en-us/officeonlineserver/deploy-office-online-server

One of the common questions I’ve been asked in the past about the Office Web Apps server was where to actually download it.  It was once publicly available, but Microsoft changed that and now requires it to be obtained from portals such as the Microsoft Volume Licensing Service Center, where it is listed, where most people would probably never look, under the Office Professional Plus product.

Prerequisites

With the Office Online Server installation package downloaded, begin with installing the server roles and features with the following PowerShell cmdlet:

Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,NET-Framework-Features,NET-Framework-45-Features,NET-Framework-Core,NET-Framework-45-Core,NET-HTTP-Activation,NET-Non-HTTP-Activ,NET-WCF-HTTP-Activation45,Windows-Identity-Foundation,Server-Media-Foundation

Download the following packages and install them onto the Windows Server 2016 server:

.NET Framework 4.5.2
https://go.microsoft.com/fwlink/p/?LinkId=510096

Windows Server 2016 already has this package so attempting to install it as the deployment guide suggests will indicate it is already installed.

Visual C++ Redistributable Packages for Visual Studio 2013
https://www.microsoft.com/download/details.aspx?id=40784

Visual C++ Redistributable for Visual Studio 2015
https://go.microsoft.com/fwlink/p/?LinkId=620071

This package also appears to already exist on a Windows Server 2016 server so the installation will fail.

Microsoft.IdentityModel.Extention.dll
https://go.microsoft.com/fwlink/p/?LinkId=620072

Installing Office Online Server

Launch the Office Online Server installation by executing setup.exe:

Install the application:

Import Certificate for Office Online Server

Proceed by importing the certificate that will be used for the Office Online Server and make a note of the friendly name as you will need to reference that later:

Create Office Online Server (Office Web Apps) Farm

The command for creating the Office Online Server farm is the same as the one previously used for Office Web Apps.  Execute the following cmdlet while customizing the appropriate parameters:

New-OfficeWebAppsFarm -InternalUrl "https://oos.domain.com" -ExternalUrl "https://oos.domain.com" -CertificateName "OOS Certificate Friendly Name"

Note that I prefer to use the same URL for both external and internal URLs.

You should be able to navigate to the following URL and receive a similar output once the cmdlet has successfully completed:

https://oos.domain.com/hosting/discovery

Creating and Assigning Office Web Apps Server in Skype for Business Server 2019

Launch the Skype for Business Server 2019 Topology Builder, navigate to Shared Components > Office Web Apps Server, then right click and select New Office Web Apps Server…:

Enter the URL into the Office Web Apps Server FQDN and the field for Office Web Apps Server discovery URL will automatically be filled:

You should see the new Office Web Apps Servers object created:

Assign the new Office Web Apps Server object to the Skype for Business server:

Proceed to publish the topology:

You should see the following event logged on the Skype for Business server’s Lync Server logs after a few minutes:

Log Name: Lync Server

Source: LS Data MCU

Event ID: 41032

Level: Information

Web Conferencing Server Office Web Apps Server (WAC) discovery has succeeded

Office Web Apps Server internal presenter page: _https://oos.contoso.com/m/Presenter.aspx?a=0&e=true&
Office Web Apps Server internal attendee page: _https://oos.contoso.com/m/ParticipantFrame.aspx?a=0&e=true&
Office Web Apps Server external presenter page: _https://oos.contoso.com/m/Presenter.aspx?a=0&e=true&
Office Web Apps Server external attendee page: _https://oos.contoso.com/m/ParticipantFrame.aspx?a=0&e=true&

Build document for Dell Wyse 7020 thin client with VMware Horizon View client custom shell


As noted in one of my previous posts:

Configuring a custom shell launcher with VMware Horizon View Client on a Dell Wyse 7020 Windows 10 IoT device
http://terenceluk.blogspot.com/2019/03/configuring-custom-shell-launcher-with.html

I was recently involved with building a base image for a Dell Wyse 7020 Windows 10 IoT device that was non-domain joined and used a customized VMware Horizon View shell without access to the desktop for users to log into their virtual desktops.  The build is not quite complete in the way I want it to be due to the time constraint I had to work with but the steps outlined in this blog post should provide a good set of steps as a start.

Base Operating System Image

Windows 10 IoT Maintenance Release

Download the latest Dell provided Windows 10 IoT Enterprise Maintenance Release at the following URL:

https://www.dell.com/support/home/us/en/04/product-support/product/wyse-7020/drivers

Security Patches

Download and install the latest security patches from the following URL:

https://www.dell.com/support/home/us/en/04/product-support/product/wyse-7020/drivers

Base Applications

Remove Unused Applications

TightVNC

Remove the pre-installed TightVNC with the following commands:

cd\
"C:\Program Files\TightVNC\tvnserver.exe" -remove
rmdir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TightVNC" /s /q
rmdir "C:\Program Files\TightVNC" /s /q

Ericom Connect Client

Remove the pre-installed Ericom Connect Client software with the following command:

wmic product where name="Ericom Connect Client" call uninstall

Ericom PowerTerm InterConnect for Thin Clients

Remove the pre-installed Ericom PowerTerm InterConnect for Thin Clients software with the following command:

wmic product where name="Ericom PowerTerm InterConnect for Thin Clients" call uninstall

Lync VDI Plugin

VMware Horizon View now utilizes a gen 2 Skype for Business Server integration that is built directly into the Horizon View Client, so there is no need to have the Lync VDI plug-in installed on the thin client.  Remove the plug-in by creating the following XML file:

<Configuration Product="Lyncvdi">
<Display Level="none" CompletionNotice="no" SuppressModal="yes" AcceptEula="yes" />
<Setting Id="SETUP_REBOOT" Value="Never" />
</Configuration>

Then executing this command:

"C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Setup.exe" /UNINSTALL Lyncvdi /config D:\TMRUK-7020\UninstallLync.xml

Operating System Customizations

Remove Unused

Enable Firewall

Enable the Windows firewall on the Windows 10 IoT operating system.

Disable Display Last User Name

Disable remembering credentials in Windows, which also causes the Horizon View client to not remember the previous login, via the following registry key:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000001

Disable VMware Horizon View Client Shade

Disable the shade of the VMware Horizon View client via the registry key for the User account:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\VMware, Inc.\VMware VDM\Client]
"EnableShade"="false"

**Note that this is added to the local user account’s HKCU.  The HKLM configuration never worked during my testing.

Force Num Lock On

Create the following registry key file (.reg) and import the configuration to force Num Lock on for all profiles.

Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Control Panel\Keyboard]
"InitialKeyboardIndicators"="2"
"KeyboardDelay"="1"
"KeyboardSpeed"="31"

Configure Power Plan

The preparation of the image for capture does not retain the Power Plan settings but it is still good to configure them in case future versions of the script do.

Set Power Plan to High Performance

Execute the following command to configure the power plan as High performance:

powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

Turn off Display

Execute the following command to configure the high performance power plan to turn off the display after 15 minutes:

powercfg -x -monitor-timeout-ac 15

Computer Sleep Mode

Execute the following command to configure the high performance power plan to never put the computer to sleep:

powercfg -x -standby-timeout-ac 0

Change Admin and User account credentials

Change the default DellCCCvdi credentials for both the Admin and User account.

Update Credentials for Auto Logon

Update the credentials used for auto logging on the User account:

Configuring Custom Shell for User Account

Refer to one of my earlier posts here:

Configuring a custom shell launcher with VMware Horizon View Client on a Dell Wyse 7020 Windows 10 IoT device
http://terenceluk.blogspot.com/2019/03/configuring-custom-shell-launcher-with.html

Preparing Image for Capture

Execute the Build_Master.cmd in the C:\Windows\Setup folder on the thin client to start the capture wizard:

Fill in the appropriate settings and select the Enable local account credential changes under the Configure local account credentials heading to configure the password for the admin and user account.

Note the following settings that do not end up getting retained after the image preparation:

  1. The name of the Windows OS does not change
  2. The Power Scheme configuration will be reverted back to defaults (monitor and computer would go to sleep)

More information about the Custom Sysprep tool can be found here: https://www.dell.com/support/manuals/us/en/04/wyse-7020/wie10_th_mr4/running-custom-sysprep-tool?guid=guid-5bd77921-f2e6-4c84-b55f-dbffddc1a89f&lang=en-us

Post Image Operation

Customizations

Configure and reconfigure the following customizations, which are not retained after the image preparation.

Configure Computer Name

Configure a unique name for the Windows 10 IoT operating system.

Set Power Plan to High Performance

Execute the following command to configure the power plan as High performance:
powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

Turn off Display

Execute the following command to configure the high performance power plan to turn off the display after 15 minutes:

powercfg -x -monitor-timeout-ac 15

Computer Sleep Mode

Execute the following command to configure the high performance power plan to never put the computer to sleep:

powercfg -x -standby-timeout-ac 0

Prevent User from launching Internet Explorer

Configure the following AppLocker rules in the local computer policy to prevent the user from launching Internet Explorer.  Note that it may be possible to bundle this into the prebuild but I was not able to test whether it is retained after the image prep process.

Launch GPEdit.msc and navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules > Create New Rule…:

Configure the local User with the Action as Deny:

I haven’t had any luck using Path as the Condition so select Publisher:

Click on the Browse button and locate the 32 or 64-bit version of Internet Explorer:

There will not be a need for Exceptions so proceed to the next page:

Leave the name as the default and complete the creation:

Select Yes to create the default rules:

**Repeat the same for the other (32 or 64-bit) version of Internet Explorer.

Proceed and create the default rules for the Packaged app Rules:

Force the Application Identity service to start automatically by editing the following registry key (if this service isn’t started then AppLocker will not work):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppIDSvc]
"Start"=dword:00000002

Note that you would receive an Access is denied error if you attempt to manually configure this in the services console:

Having the above configured will prevent users from launching IE via the About VMware Horizon Client window:

Notes

Limitations

The following are items that need to be highlighted as the build can be improved on but were left out due to the amount of time available for the initial build.

Host name generation

The feature Host Name calculation is supposed to generate a new name for the Windows 10 IoT OS but it does not:

Power Scheme Settings

It should be possible to place the power scheme commands in the scripts that are executed at the end of the preparation but this requires time to identify and test.

Preparation Finalization

The initial build of the image does not complete automatically because the final steps require the Windows shell, but the customization of the User account to be shell-less means the administrator needs to manually log into the thin client as the admin account so the finalization can complete.

AppLocker Configuration

The AppLocker configuration can be included into the base image but due to time constraints, it was not added in.

Further Security Lockdown

AppLocker can be further configured to disable other applications that may be able to be launched within the shell but will require additional time.
