Error 0x803100B7 Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device

I Purchased few weeks ago the Microsoft Surface Pro tablet, its a very nice production tablet that really enables remote users to run their production applications and workloads. There are still some room of improvement to get promoted as the number one choice of tablets for business users. From my point of view the three main things that need improvement are the Battery Life, 3G/4G connectivity option and better Camera.

Surface Pro comes with windows 8 Professional which is very nice and allows you to join your corporate network however it lacks a great feature which is Direct Access ! So I decided to turn it to fully productive device and install windows Enterprise on it. Its very simple as if you are building a new normal fresh computer.

I formatted the Surface drive however I kept the recovery image (for any future need), after finishing Windows Enterprise I installed the latest Surface Pro Firmware and Driver Pack http://www.microsoft.com/en-eg/download/details.aspx?id=38826

Finally I got my DirectAccess working on my Surface. That was really an exciting moment. Th next challenge was joining my domain MBAM/Bitlocker policy. Our MBAM / Bitlocker policy requires the use of a PIN while booting the computer. When the MBAM encryption wizard started I got the error 0x803100B7 Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device and by checking the event viewer the following details were provided as per attached image

To Fix this issue we need to change/enable few settings in the Surface Local Policy.

Note: In order to use the Pre-authentication you need to have a Keyboard attached to the surface during the boot, You may use the Surface Touch/Type Keyboard or any external Keyboard connected to the USB port.

1. Type GPEDIT.MSC in the Run bar to access the local Group Policy Editor
2. Drill down to Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives
3. Enable both "Require Additional Authentication at Startup" and "Enable use of BitLocker authentication requiring preboot keyboard input" - Check below image.

After that restart the Bitlocker Management Client Service to kick in back the MBAM wizard which should complete normally without any problem. 







Read More

Enable Auto Enrollment to Avoid Expiring Certificates

Its common that sometimes few admins miss the renewal of some key certificates in their Microsoft internal PKI (Public Key Infrastructure), this is due to the fact that its a bit of manual task and you need to set manually some Outlook reminders (My favorite method) or run schedules tasks to remind you before the Certificate expiration date.

However if you a user that logs frequently on this CA (Certificate Authority) server we can enable Auto Enrollment for this user. After configuring it, we don’t need to worry about the expiring certificates as long as the specific user still logs onto the CA.

To Enable Auto Enrollment you need to do the following:

1. Right click on the Certificate Template where you need to enable the Auto Enrollment feature
2. On the Security Tab (Check below image), add a specific user or grant an existing user the Auto Enroll permission (In my case i picked a normal low privileged service account that connects periodically on the server at least each month for maintenance and installing latest windows updates.)                                                                                                                                                                                                                                                                      
   
                                                                                                                                                            
3. Publish the Template and issue the needed certificate.
4. Open the Group Policy Management (On your Domain Controller) and either create a new Group policy or simply edit the Default Domain Policy
5. Navigate to User Configuration - Policies - Windows Settings - Security Settings - Public Key Policy and enable Autoenrollment as shown below. 

This user with the Autoenroll feature enabled when logged in on the CA server will get notified and the certificate will get enrolled and the Certificate won't get expired.

Read More

The Validity Period of an Issued Certificate is Shorter than Configured

I recently passed with couple of scenarios where one of the issued Certificates in Microsoft PKI infrastructure solution has validity period shorter than the period already configured on the template of this certificate. The main reason of changing and increasing the validity period/years for several specific certificates is to avoid frequent renewal process. 

The scenario i passed by recently was when a user duplicated one of the templates and changed the Validity from the default 2 Years to 4 Years and issued the new Certificate however the issued certificate still reads 2 Years. This can be due to one of two reasons

1. The CA certificate period /Remaining Period (CA cannot issue a certificate that is longer than its own CA certificate) is less than the user certificate period. You cannot issue a user certificate which is 10 Years valid if your Root CA is 5 years only.
2. The default Validity Period that is allowed by CA (defined in CA reg)

To check for the CA Certificate period/Duration, you need to do the following

1. Open the CA Console
2. Right Click on the CA - Properties
3. From the General TAB click View Certificate and check the duration.

If the CA Remaining duration is less than the required user certificate duration then you need to increase the CA value and renew the CA certificate as follows:

1. Configure CAPolicy.inf that directly controls CA certificate.
2. Go to C:\Windows Folder, find the file CAPolicy.inf
3. Change the "RenewalValidityPeriodUnits" value to the appropriate period (10 or 15 Years)
4. Restart the CA Service
5. Renew the CA Certificate (Right Click on the CA - All Tasks - Renew CA Certificate)

If the CA Period/Duration is fine and longer than the user certificate need then we need to check the default Validity Period in the CA Registry by doing the following:

1. Open Admin CMD on the CA server and type certutil -getreg ca                                                                                                                                                                                    
2. Check the ValidityPeriodUnits which refers to the maximum period that this CA can issue. You can define this value according to your own requirements, but it won’t exceed the lifetime of CA.
3. From the Same CMD run certutil -setreg ca\ValidityPeriodUnits 5 (This will increase the validity to 5 years)
4. Stop and restart CA service.

Now try again to Enroll certificate again from client to check the validity period.

Read More

How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub

Its highly recommended when building your Microsoft PKI (Public Key Infrastructure) to have your Root CA offline after issuing the Enterprise Sub CA certificates. Its recommended to minimize the access to the Offline Root CA as possible. The Root CA is not a domain joined machine and can be turned off without any problem.

One of the Key issue is the CRL generated from the Root CA, you need to set the CRL interval for a large value so that we don’t need to copy the CRL to an online location frequently and do not implement delta CRLs, because the publication of each delta CRL would require access to the offline root CA in order to copy the delta CRL to an online publication location. In order to change the CRL interval you need to:

1. Turn on the Offline Root CA and login with Admin account
2. Open the Certification Authority Console
3. Right Click on the "Revoked Certificates" and click Properties.
4. Set “CRL Publish interval” to a large value (Default is 26 Weeks) and  uncheck “Publish Delta CRL” check-box.

In order to Publish a new CRL from the offline Root CA to the Enterprise Sub CA you need to do the following:

1. Publish a new CRL on the Root CA, this can be done by Right Click the "Revoked Certificates" - All Tasks - Publish                                                                                                                                                                                                                                                          
   
                                                                                                                                                                    
2. Copy the CRL file from the Root CA located under %systemroot%\system32\certsrv\certenroll to the Sub CA Server
3. Turn off the Root CA
4. Copy the above file to the InetPub folder (HTTP Path) in the Sub CA server which is by default located under the C:\inetpub\wwwroot\Certdata
5. Open an Admin Command Prompt and run the following command to publish it to the Active Directory (LDAP Path).                                                                                           certutil -f -dspublish " C:\Inetpub\wwwroot\certdata\RootCA.crl

This process of renewing the CRL and publishing a new one is manually done since the Root CA is offline and thats why its better to make the CRL publish interval more than the default value so you won't do it frequently. You may also want to set an automated reminder before the next renewal date.

Read More

How to Manually Delete Old/Empty WSUS computer Group from Database

Recently i was trying to delete/Remove one of the old computer groups under WSUS Console - Computers - All Computers. This Group was an old group with no members/Clients or any pending approvals any more. I tried removing it from the GUI by Right licking the object and Delete but the server hanged and i got connection error as shown below.

This problem might occur in WSUS servers utilizing the internal DB which has several limits and with the huge number of updates and many groups you can face such issue.

To solve this problem and manually remove this Group you will need to work it from the database and edit couple of tables as follows:

1. Make Sure to take a backup from your WSUS server and WSUS DB.
2. Use SQL Management Studio to connect to Windows internal database \\.\pipe\MSSQL$Microsoft##SSEE\sql\query
3. We will mainly remove the old records from tbtargetgroupand tbflattenedtargetgroup tables
4. Run “select * from tbtargetgroup” to get the list of groups.
5. Identify the TargetGroupID of one of the groups that you want to delete
6. Run delete from tbflattenedtargetgroup where TargetGroupID = ‘<TargetGroupID for the group which is to be removed>’
7. Run delete from tbdeployment where targetgroupid = ‘<Previous step ID>’
8. Run delete from tbtargetgroup where TargetGroupID = ‘<Previous same ID>’

This should take care of the deletion of these groups. Again its always required to ensure you have full backup from your DB.

Read More

How to Clean Microsoft WSUS Content Folder from Old and unneeded Products

Microsoft WSUS administrators sometimes tend to select all given Products (Options - Products and Classifications) and by time the WSUS content folder grows dramatically till it fill all disk space. If the WSUS administrator tries to uncheck or deselect unneeded products later on, this won't save or minimize the current space.

So how do the WSUS updates gets downloaded/Propagated on the WSUS server ?

1. WSUS server contacts the Microsoft Update servers and will only downloads the metadata (Not complete Full Update Package)
2. The Binaries or the actual downloads are only downloaded when you approve them manually or if there is an Auto approval rule configured.

In order to clean the WSUS content folder from old/unneeded  or unused products you have to do the following:

1. Under Options - Update Files and Languages, Remove the check box for download Express Installation files (This is optional recommendation depending on your environment).
2. In the Options - Products and Classifications, select only the needed products.
3. On WSUS console- decline all approved updated which were either installed or not applicable.
4. Delete the WsusContent Folder.
5. Navigate to the C:/program files/updates services/tools on the WSUS server
6. Run WSUSutil.exe Reset

On the next download cycle it will download only the updates which have been listed in products and classifications and which have not been declined.

Also Its recommended to install all Latest WSUS updates and hotfixes.

Read More

Windows 7 UAG Direct Access Clients Cannot RDP Server 2012 Domain Controllers

After upgrading our domain Controllers, DNS and DHCP servers to the latest Windows Server 2012, I noticed that our Windows 7 UAG DirectAccess clients are not able to RDP (Remote Desktop/MSTSC) to the new Server 2012 Domain Controllers. The same client can ping the 2012 Domain Controller and 2012 DNS server without any problem however all RDP traffic fails.


The weird thing was that at the same time these clients (Windows 7 DirectAccess UAG clients) can ping and RDP/MSTSC any other Windows 2012 member server without any problem at all.

I did some intensive checks and research on the Internet but could not find anything regarding Server 2012 domain controllers issues with UAG based Direct Access, As per Microsoft Escalation team recommendation we did a full tracing scenario on both the UAG and Windows 7 client. 

I tried to reproduce the problem while turning simultaneous capture on both the client and the UAG server using the below Scenario

Netsh wfp capture start

netsh trace start scenario=directaccess capture=yes report=yes

Tried both RDP and Ping to the Problematic Windows server 2012 domain Controller

Netsh trace stop

Netsh wfp capture stop

After Analyzing the captured logs, it was noticed that the DA client is using an Expired Security Association when it cannot access the 2012 server. Tracing from UAG server showing the RDP traffic dropped on UAG Server due to the following error. 

“STATUS_IPSEC_WRONG_SA”

Resolution:

This problem was fixed by installing the hotfix for IKEEXT.dll on the UAG 2010 DA server and on the Windows 7 DA client. It should be noted that this fix is only for 2008R2 servers and Windows 7 Clients

2801453-Delay during IPsec renegotiation on a computer that is running Windows 7 or Windows Server 2008 R2

http://support.microsoft.com/kb/2801453/EN-US

After installing this fix on both the UAG server and Windows 7 client, i was able to RDP/MSTSC the 2012 Domain Controller/DNS without any problems.

Read More