• mcbsys

    mcbsys

    @mcbsys

    Viewing 15 replies - 1 through 15 (of 200 total)
    Author
    Replies
    • in reply to: MS-DEFCON 3: Cleanup time #2766038

      When I did my (granted single box test) where I had installed March removed the inetpub and then installed the April updates, it didn’t put the inetpub folder back.  I need to test more. At least the preview to release behavior was confusing.

      I see both Windows Central and Bleeping Computer providing this workaround to recreate a mistakenly deleted inetpub folder:  enable IIS, reboot, disable IIS (if you don’t need it):

      https://www.bleepingcomputer.com/news/security/microsoft-windows-inetpub-folder-created-by-security-fix-dont-delete/

      I would think that a short script could recreate the folder with proper permissions, but IIS is the “official” way to fix it.

       

    • in reply to: MS-DEFCON 3: Cleanup time #2766018

      I’ve seen domain-recognition NLA issues for many years. A registry fix for Server 2022 no longer works with Server 2025. There is some indication that Microsoft is working on a fix (see this thread).

      I found “Restart-NetAdapter *” a bit of a sledgehammer, so with help from Google Gemini, I wrote a script to only restart adapters with a Public policy, and to document the change in the Event Viewer. I use a scheduled task to run that one minute after reboot on my Server 2025 machines. Blogged here:

      Server 2025 Domain Controller Not on Domain
      https://www.mcbsys.com/blog/2025/03/server-2025-domain-controller-not-on-domain/

    • in reply to: 7000002 Blocking new Outlook from installing #2756491

      I installed the linked ADMX files. The group policy setting you show is under User Configuration > Administrative Templates > Microsoft Outlook 2016 > Miscellanous > Disable web add-in installation on migration to new Outlook for Windows. The description says in part, “This policy setting allows you to disable installation of web add-in equivalents of COM add-ins on the switch to new Outlook… COM add-ins do not work in new Outlook for Windows. By default, users in the organization will get the option to install available web add-ins, in place of COM add-ins, when they move from classic Outlook for Windows.” So, this setting is about add-in migration, not about blocking New Outlook.

      There is a group policy to hide the new Outlook toggle switch (HideNewOutlookToggle):

      User Configuration > Administrative Templates > Microsoft Outlook 2016 > Outlook Options > Other, Hide the ‘Try the new Outlook’ toggle in Outlook

      I am not seeing a way in group policy to implement the equivalent of the BlockedOobeUpdaters registry key.

      I see that I have New Outlook installed on most machines now. I’m going to block the toggle so users don’t accidentally migrate. I did load it on one of my machines. I could probably adjust to the UI, but am worried about limitations on PST files, which are an important migration/management tool.

    • in reply to: Unvoluntary update to Windows 11 24H2 #2756419

      If they installed N-able N-sight Patch Management (an optional feature) and their patch policy approved the Win11 upgrade, I would say it could be related. I went through an extensive support case last fall trying to track down a Win11 upgrade that I did NOT approve in policy. In the end, N-able said the logs were inconclusive and I would need to duplicate the issue.

      The almost-smoking gun IMO are entries in QueryManager.log like this showing that N-able N-sight manipulates the registry keys I mentioned in my previous post. In other words, they intentionally override the group policy settings so they can control the updates:

      [11] 2024-09-11 03:26:30,573 DEBUG RestoreRegKey => restoring registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ProductVersion] with data [Windows 10]
      [11] 2024-09-11 03:26:30,573 DEBUG RestoreRegKey => restoring registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetReleaseVersion] with data [1]
      [11] 2024-09-11 03:26:30,573 DEBUG RestoreRegKey => restoring registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetReleaseVersionInfo] with data [22H2]

      1 user thanked author for this post.
    • in reply to: Unvoluntary update to Windows 11 24H2 #2753472

      1. The group policy should appear like this in the registry of each desktop.

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

      WUTarget

      How does it look in the machines that did and didn’t upgrade?

      2. Are you using a third-party patching tool? I had this happen on one machine when N-able RMM incorrectly overrode those registry settings and forced an upgrade.

    • in reply to: Epson EcoTank update #2745101

      Thanks for the follow-up article and for citing my “deal-breaker” re. two-sided scanning.

      I’m curious if others will echo your comment, “it’s an upscale feature that most people don’t need.”

      I’m 99% paperless, which in practical terms means that I have to scan all the paper I receive before I recycle it. Most vendors, insurers, and governments these days, if they still mail paper, are sending two-sided paper to save trees and postage. When was the last time you received a single-sided Explanation of Benefits or cable TV bill? IMHO, two-sided scanning is a requirement because two-sided documents are ubiquitous. It’s an essential feature that most people need.

      BTW in part because of this article, I bought an Epson EP-2850 with only a flatbed scanner. Then I bought a standalone duplex desktop scanner.

    • in reply to: KB5048239 for WinRE – here we go again #2739145

      I just bumped “I have the same question” to 201. Apparently an endless loop:  I watched it download and install successfully twice in a row on a Win10 22H2 machine with the WinRE already at build 5125, which according to the KB article means it will not be offered.

    • in reply to: Am I part of the attack bot? #2729926

      Such a meaty article. THIS is why AskWoody is so worth it–detailed, actionable info on small business computing.

      I ran the PowerShell command on my Exchange mailbox. The “-IncludeHidden” flag only adds the (default and expected) “Junk E-mail Rule”, Priority 0. If this Compass Security blog post from 2018 is correct, hiding a rule requires using a MAPI client, so maybe not too common. They report that -IncludeHidden is only for MS internal use. That verbiage in the Help has been replaced with “This parameter works only in on-premises Exchange.” Huh.

      I like Michael Horowitz’s links to check your IP’s open ports. You can also test common ports, or specific ports, on-demand using Steve Gibson’s Shields Up! https://www.grc.com/shieldsup. And MXToolBox can check if your IP is acting as an SMTP server or open relay, which it shouldn’t be unless you host your own mail server https://mxtoolbox.com/SuperTool.aspx?action=smtp.

      Re. router brands and updates, I’ve switched all businesses to UniFi. Updates are almost too frequent. If I had a home network to configure, I’d probably want to try their new-ish Cloud Gateway Ultra (no Wi-Fi built in) or UniFi Express (includes a Wi-Fi 6 AP). That said, if these use the same interface as the Dream Machine, that’s a pretty advanced setup. I have a colleague here that uses Synology routers even for small businesses.

      UniFi is made in China, Vietnam and Taiwan. Synology is made in Taiwan. We’ll see if either comes onto the naughty list.

      1 user thanked author for this post.
    • in reply to: Windows file systems #2722192

      I had a Win10 23H2 machine happily managing a secondary ReFS drive. After upgrading to Windows 11 24H2, the ReFS drive was no longer accessible. Apparently Windows 11 can’t read ReFS version 3.4, although Windows 2022 can, and will update it to version 3.7.

      I booted from a Win10 ISO to retrieve the data (RoboCopy to another drive), then reformatted the “bad” ReFS drive as NTFS.

      More details:

      https://techcommunity.microsoft.com/discussions/windows11/refs-volume-inaccessible-after-update-from-windows-10-22h2-to-windows-11-23h2/3999414

    • in reply to: MS-DEFCON 4: Holiday patching #2720545

      A small client had five older Windows 10 PCs in what I call “secondary uses,” little used but still needed. I had already upgraded all of them to use SSDs, so they run Windows 10 fine. I was worried about having to replace all of these next year—a budget strain loomed. This Ars Technica article inspired me to try upgrading them:

      What I learned from 3 years of running Windows 11 on “unsupported” PCs

      All of them support Secure Boot and all have a TPM, so it was mostly the older i5 processors that were incompatible with the upgrade. Long story short, with the registry workaround, I was able to upgrade all of them in place to Windows 11. I did have an odd problem with one machine, a Lenovo TS140 server:  the Win11 23H2 media kept causing a blue screen, but Win11 24H2 worked.

      Bottom line, if your PC was made in the last 7 years or so, there’s a good chance you can upgrade it to Windows 11.

      1 user thanked author for this post.
    • in reply to: Epson EcoTank printers #2718535

      Even better: I also got an Epson ES-400 II color document scanner for under $300.

      Nice tip. I’d like to replace my bulky B&W Brother MFC with something that does color. Maybe instead of looking for a single replacement, I should add an ES-400 for bulk scanning + an inexpensive ink tank printer for the 10 pages I print per week. I already have an Epson V600 scanner for those rare times I need a large flatbed.

    • in reply to: Patching that video card #2718387

      I hit the SSH issue on a couple servers. My solution was to adjust permissions from the GUI. The thing to keep in mind is that if you double-click on the C:\ProgramData\ssh\logs folder from Windows Explorer, you’ll be asked if you want to “permanently get access to this folder.” Of course you do, because you’re trying to read the logs! But that will add your user to the ACL and break SSH. I posted this with a screen shot here:

      https://serverfault.com/a/1166891/166311

    • in reply to: Epson EcoTank printers #2718386

      I did quite a bit of research on laser and ink  tank printers last year for a business client. Although they wound up going with HP LaserJets, the ink tank printers were an attractive option. I appreciate this deep dive on the ET-5150.

      As I said, I wish that HP would adopt the refillable ink bottle model.

      HP’s ink bottle printers are called “Smart Tank.” Haven’t tried them but perhaps worth a look. I believe the $420 HP 7301 is close to the Epson ET-5150 in specs, but the higher-end HP 7602 with Wi-Fi and fax is currently on sale for $350:

      https://www.hp.com/us-en/shop/mdp/printers/smart-tank-plus

      I do a lot more scanning than printing to maintain a “paperless office.” A deal-breaker for me on the ET-5150 would be the lack of duplex scanning. For that, you have to go to the ET-5800. And even that higher-end model only has letter-size scanner glass. The ADF accepts legal size, so probably it can scan legal if it fits in the feeder.

      Current U.S. price on the ET-5150 is $400 (on sale). The ET-5800 is $800 (not on sale).

      1 user thanked author for this post.
    • in reply to: Servers getting upgraded to 2025? #2715724

      Well that would be a nasty surprise. @AndrewMRQuinn posted a follow-up early this morning. It looks like MS has removed 2025 as an optional update, at least for now. I checked for updates today on a 2022 machine and no upgrade was offered.

      https://x.com/AndrewMRQuinn/status/1854457797699686671

      Has there ever been an update ever offered through Windows Update, on any OS, that was a chargeable event, i.e. one that breaks your current license? I am certainly conditioned to expect patches on the Windows Updates screen to be free.

    • Microsoft’s Samriddhi Chaturvedi has replied in the Microsoft thread. His advice is to find alternatives to Essentials RWA.

    Viewing 15 replies - 1 through 15 (of 200 total)