Markus Lassfolk – A Geeks World

RemoteFX Warning – how to disable RemoteFX in Windows 10

If you get this Dialog box on your Windows 10 client(s).

RemoteFX Warning

You are currently using the RemoteFX 3D Video Adapter. We no longer support this adapter and continued use may expose your machine to security risks. Learn more (https://go.microsoft.com/fwlink/?linkid=2131976)

You can see in the linked KB article that RemoteFX has been deprecated due to some security flaws and that there are better features that can be used. But it doesn’t really say how to disable RemoteFX.

To disable RemoteFx;

Open a Powershell Prompt as Administrator (elevated).
Run this command

Get-VMRemoteFXPhysicalVideoAdapter | Disable-VMRemoteFXPhysicalVideoAdapter

All in one line. Easy as that.

How to disable NVIDIA Display Port High Definition Audio

Edit 2018-07-15: Updated Script at the bottom:

Each time I update my NVIDIA Graphics drivers no matter if it’s via Windows Update or via Geforce Experience or manually (ok, manually I’m able to choose to NOT install the audio driver so a kind of workaround), it’s also reinstalling the NVIDIA Audio Driver so randomly one of my displayport connected monitors will be the new and default audio output rather than my Headphones.

Making it look like this, a long list with monitors (I’ve got 5 connected) and audio playback devices I don’t want to use.

nvidia audio driver showing all monitors as playback devices.

I’m then manually selecting the Headset and making it the default device for Playback and Communication. And most of the times also disabling all the other playback devices by right clicking them. It works but feels a bit annoying.

It’s also possible to disable the NVIDIA High Definition Drivers in Device Manager, which is once again manual work.

And next time the Graphics Driver is updated, the audio driver is reinstalled so the devices that were previously disabled are now enabled again.

Luckily, it’s possible to automate the task with Powershell.

Get-PnpDevice -Class Media | where FriendlyName -like "*NVIDIA High Definition Audio*" | where Status -eq "OK" | ForEach-Object { 
    Disable-PnpDevice -instanceid $_.instanceid -Confirm:$false 
}

Get-PnpDevice -Class Media | where FriendlyName -like "*NVIDIA High Definition Audio*" | where Status -eq "OK" | ForEach-Object {

Disable-PnpDevice -instanceid $_.instanceid -Confirm:$false

}

Easy as that, we use Powershell to disable the NVIDIA High Definition Audio driver so the result is like this;

And my headphones are now the default device again.

To take this one step further I’ve also automated the script to be executed automatically at computer startup with the help of a Scheduled Task. So each time the driver is updated and I reboot, the audio settings are back to how I want them to be.

Save the above Powershell script in a file called “C:\temp\disablenvidiaudio.ps1”
Download and unpack this file: Disable Nvidia Audio (It’s my Exported Scheduled Task settings).
Important Settings if you want to create the task manually else ignore step 3 and go to step 4.
Optional, manually create the scheduled task.
1. run as System (an Admin Account will work too but as I wanted it to be easy for anyone to import it, i choose System).
2. Run whether user is logged on or not
3. Triggers: At Startup
4. Action: Start Program
  1. program: cmd
  2. argument: /c powershell.exe -executionpolicy bypass -file C:\temp\disablenvidiaudio.ps1
Open ‘Task Scheduler’ from Windows Start Menu (search for it if needed).
Select menu item “Action” and then “Import Task…”
Select the extracted file from Step 2.
Modify any settings as you see fit.
Click OK
Problem Solved

Edit 2018-07-15

After writing this post I did find a very useful Powershell Module here: https://github.com/frgnca/AudioDeviceCmdlets it gives us some options to work with the Audio Devices, so I’ve modified my disablenvidiaudio.ps1 script to look like this;

# Need to be run as Administrator (Elevated) 

Get-PnpDevice -Class Media | where FriendlyName -like "*NVIDIA High Definition Audio*" | where Status -eq "OK" | ForEach-Object { 
    Disable-PnpDevice -instanceid $_.instanceid -Confirm:$false 
}


If (! (Get-Module -Name "AudioDeviceCmdlets" -ListAvailable)) {
#    The version in Powershell Gallery is currently Broken so need to do a manual download/install

#    Install-Module -Name AudioDeviceCmdlets -Force -Verbose  
#    get-module -Name "AudioDeviceCmdlets" -ListAvailable | Sort-Object Version | select -last 1 | Import-Module -Verbose

    $url='https://github.com/frgnca/AudioDeviceCmdlets/releases/download/v3.0/AudioDeviceCmdlets.dll'
    $location = ($profile | split-path)+ "\Modules\AudioDeviceCmdlets\AudioDeviceCmdlets.dll"
    New-Item "$($profile | split-path)\Modules\AudioDeviceCmdlets" -Type directory -Force

    [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
    (New-Object System.Net.WebClient).DownloadFile($url, $location)
}

If (! (Get-Module -Name "AudioDeviceCmdlets")) {
    get-module -Name "AudioDeviceCmdlets" -ListAvailable | Sort-Object Version | select -last 1 | Import-Module -Verbose
}

# Set my "Logitech G933 as Default Playback and Recording Device in Windows" 
if ( (Get-Module -Name "AudioDeviceCmdlets") ) {
    Get-AudioDevice -List | where Type -like "Playback" | where name -like "*Logitech G933*"  | Set-AudioDevice -Verbose
    Get-AudioDevice -List | where Type -like "Recording" | where name -like "*Logitech G933*"  | Set-AudioDevice -Verbose
}

# Need to be run as Administrator (Elevated)

Get-PnpDevice -Class Media | where FriendlyName -like "*NVIDIA High Definition Audio*" | where Status -eq "OK" | ForEach-Object {

Disable-PnpDevice -instanceid $_.instanceid -Confirm:$false

}

If (! (Get-Module -Name "AudioDeviceCmdlets" -ListAvailable)) {

# The version in Powershell Gallery is currently Broken so need to do a manual download/install

# Install-Module -Name AudioDeviceCmdlets -Force -Verbose

# get-module -Name "AudioDeviceCmdlets" -ListAvailable | Sort-Object Version | select -last 1 | Import-Module -Verbose

$url='https://github.com/frgnca/AudioDeviceCmdlets/releases/download/v3.0/AudioDeviceCmdlets.dll'

$location = ($profile | split-path)+ "\Modules\AudioDeviceCmdlets\AudioDeviceCmdlets.dll"

New-Item "$($profile | split-path)\Modules\AudioDeviceCmdlets" -Type directory -Force

[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"

(New-Object System.Net.WebClient).DownloadFile($url, $location)

}

If (! (Get-Module -Name "AudioDeviceCmdlets")) {

get-module -Name "AudioDeviceCmdlets" -ListAvailable | Sort-Object Version | select -last 1 | Import-Module -Verbose

}

# Set my "Logitech G933 as Default Playback and Recording Device in Windows"

if ( (Get-Module -Name "AudioDeviceCmdlets") ) {

Get-AudioDevice -List | where Type -like "Playback" | where name -like "*Logitech G933*" | Set-AudioDevice -Verbose

Get-AudioDevice -List | where Type -like "Recording" | where name -like "*Logitech G933*" | Set-AudioDevice -Verbose

}

How to set DPM Azure Throttling with Powershell

When you set the System Center DPM setting for Azure throttling via GUI, you have to do the full wizard and also enter the azure passphrase to save the settings.

If you happen to not have the key handy or for some other reason want to do it via Powershell, here is the command.

$Cloud = get-DPMCloudSubscriptionSetting
$Cloud.ThrottlingSetting
Set-DPMCloudSubscriptionSetting -WorkDay Monday, Tuesday, Wednesday, Thursday, Friday -StartWorkHour "07:00:00" -EndWorkHour "19:00:00" -WorkHourBandwidth (256*1024) -NonWorkHourBandwidth (1024*1024*500) -SubscriptionSetting $Cloud 
Set-DPMCloudSubscriptionSetting -SubscriptionSetting $Cloud -Commit -Verbose
(get-DPMCloudSubscriptionSetting).ThrottlingSetting

$Cloud = get-DPMCloudSubscriptionSetting

$Cloud.ThrottlingSetting

Set-DPMCloudSubscriptionSetting -WorkDay Monday, Tuesday, Wednesday, Thursday, Friday -StartWorkHour "07:00:00" -EndWorkHour "19:00:00" -WorkHourBandwidth (256*1024) -NonWorkHourBandwidth (1024*1024*500) -SubscriptionSetting $Cloud

Set-DPMCloudSubscriptionSetting -SubscriptionSetting $Cloud -Commit -Verbose

(get-DPMCloudSubscriptionSetting).ThrottlingSetting

Easy as that, but I couldn’t find any examples on Microsoft Docs, just how to disable throttling. The script sets the settings as in the screenshot above, you might want to adjust the bandwidth etc, it’s defined in bits.

Use DHCP Scope info to build DNS Reverse Lookup Zones and configure DNS with Powershell

I had a customer with more than 60 DHCP Scopes but all DNS Reverse Lookup Zones were unfortunately not created, configured and/or consisted of a lot of old invalid static records. And in addition both the Primary and Reverse Zones were containing a lot of old Name Servers.

Here is the scripts I ran to fix the issues. Just remove the -whatif to actually make it do stuff.

In this case, our Name Servers had the name standard ADM-V-ADDS…. so the script will remove all other name servers. Obviously, modify to fit your environment!

# Create Reverse Lookup Zones for all DHCP Scopes 
foreach ($scopeid in Get-DhcpServerv4Scope | where subnetmask -eq "255.255.255.0" | select -ExpandProperty scopeid)
{
    Try {
        Add-DnsServerPrimaryZone -NetworkId "$scopeid/24" -ReplicationScope Domain -ErrorAction Stop
        Write-Output "Reverse zone $scopeid created"
        }
    Catch [Microsoft.Management.Infrastructure.CimException]
        {
        Write-Warning "Reverse zone for $scopeid already exists"
        }
}


# Make all Reverse Lookup Zones configured the same way and remove all Static Records (devices will simply re-register themselves). 
Get-DnsServerZone | where ZoneName -like "*.arpa" | where ZoneName -notlike "127.in-*" | where ZoneName -notlike "0.in-addr.arpa" | where ZoneName -notlike "255.in-addr.arpa" | %  {

    $Name = $_.zonename ; 

    Set-DnsServerZoneAging -Name $_.ZoneName -Aging $true -NoRefreshInterval "7.00:00:00" -RefreshInterval "7.00:00:00" -WhatIf
    Set-DnsServerPrimaryZone -Name $_.ZoneName -ReplicationScope Domain -WhatIf
    Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure -WhatIf

    Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "NS" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf 
    Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "WINS" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf
    Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "WinsR" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf
    Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "Ptr" | ? { $_.Timestamp -eq $null } | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf

}


# Set some settings on the normal Zones too plus fix Name Servers. 
Get-DnsServerZone | where ZoneName -notlike "*.arpa" | where ZoneName -notlike "TrustAnchors" | %  {

    $Name = $_.zonename ; 

    Set-DnsServerZoneAging -Name $_.ZoneName -Aging $true -NoRefreshInterval "7.00:00:00" -RefreshInterval "7.00:00:00" -WhatIf
    Set-DnsServerPrimaryZone -Name $_.ZoneName -ReplicationScope Domain  -WhatIf
    Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure  -WhatIf
    Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "NS" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf
}

# Create Reverse Lookup Zones for all DHCP Scopes

foreach ($scopeid in Get-DhcpServerv4Scope | where subnetmask -eq "255.255.255.0" | select -ExpandProperty scopeid)

{

Try {

Add-DnsServerPrimaryZone -NetworkId "$scopeid/24" -ReplicationScope Domain -ErrorAction Stop

Write-Output "Reverse zone $scopeid created"

}

Catch [Microsoft.Management.Infrastructure.CimException]

{

Write-Warning "Reverse zone for $scopeid already exists"

}

# Make all Reverse Lookup Zones configured the same way and remove all Static Records (devices will simply re-register themselves).

Get-DnsServerZone | where ZoneName -like "*.arpa" | where ZoneName -notlike "127.in-*" | where ZoneName -notlike "0.in-addr.arpa" | where ZoneName -notlike "255.in-addr.arpa" | % {

$Name = $_.zonename ;

Set-DnsServerZoneAging -Name $_.ZoneName -Aging $true -NoRefreshInterval "7.00:00:00" -RefreshInterval "7.00:00:00" -WhatIf

Set-DnsServerPrimaryZone -Name $_.ZoneName -ReplicationScope Domain -WhatIf

Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure -WhatIf

Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "NS" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf

Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "WINS" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf

Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "WinsR" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf

Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "Ptr" | ? { $_.Timestamp -eq $null } | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf

}

# Set some settings on the normal Zones too plus fix Name Servers.

Get-DnsServerZone | where ZoneName -notlike "*.arpa" | where ZoneName -notlike "TrustAnchors" | % {

$Name = $_.zonename ;

Set-DnsServerZoneAging -Name $_.ZoneName -Aging $true -NoRefreshInterval "7.00:00:00" -RefreshInterval "7.00:00:00" -WhatIf

Set-DnsServerPrimaryZone -Name $_.ZoneName -ReplicationScope Domain -WhatIf

Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure -WhatIf

}

Failover Cluster – An error was encountered while loading the network topology

Sharing and friendly reminder for myself as I will for sure run into this problem again in the future.

When creating a Windows Failover Cluster, you get this error message (btw, did you know you can Ctrl+C copy the text from a dialog box and paste like this);

[Window Title]
Error

[Main Instruction]
The operation has failed.

[Content]
An error was encountered while loading the network topology.

[Expanded Information]
Error Code: 0x80070005
Access is denied

[Window Title]

Error

[Main Instruction]

The operation has failed.

[Content]

An error was encountered while loading the network topology.

[Expanded Information]

Error Code: 0x80070005

Access is denied

Solution: In this case I had to remove the User Account from AD’s “Protected Users” group because Failover Cluster is still using NTLM and CredSSP. Relogon and it’s now possible to create the cluster, and then just add the user back into the Protected Users Group.

Using Azure DNS for Dynamic DNS with PowerShell

I’ve been using DynDNS and other Free DNS Services for some time, but as they are getting harder and harder to use for free. Like you need to remember to logon and click a button once a month and what not. I figured it was time to migrate to Azure DNS instead. Being able to use PowerShell to handle my DNS together with everything I’ve already automated makes my life so much easier. And as I’ve already got a couple of domains and some Azure subscriptions there was more or less no increased cost for me. As you can see in the picture, Azure DNS Pricing is really cheap.

I’ve used Task Scheduler to scheduled the script below to run at Computer Startup on one of my Hyper-V Hosts at home, and then every hour. That guarantees that if there is a power failure and I get a new IP from my ISP, when the server boots, the external DNS pointers will be updated at once and just to be sure check every hour.

In short, the script checks your External IP and compares that to the IP of the hostname you want updated. If they are not identical, it will logon to Azure and update the hostname with your current IP.
Simple as that.

In my case, I’ve setup a UserName in AzureDNS who has access to just that DNSZone and are using that UserName in the script.

# Author Markus Lassfolk @ TrueSec 
# www.isolation.se   
# with some 'inspiration' from other scripts. 
#
# You need to have AzureRM modules installed to run this script
# https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps
# install-module AzureRM 
#
# Set your ZoneInfo and Azure settings 
$ZoneName = "isolation.se"
$HostName = "home" 

$azurelogin ="username@azureAD.onmicrosoft.com"
$azurepassword = "password"
$azureResourceGroup = "ResourceGroup"


# Don't modify below this
#
Import-Module AzureRM 
Import-Module AzureRM.Dns 

function get-myexternalip() {   
    $urls = "http://whatismyip.akamai.com",  
            "http://b10m.swal.org/cgi-bin/whatsmyip.cgi?just-ip",  
            "http://icanhazip.com",  
            "http://www.whatismyip.org/"; 
 
           $RxIP = "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"; 
           $ip = "Unknown"; 
           Foreach ($address in $urls) { 
               try { 
                    $temp = wget $address; 
                    $www_content = $temp.Content; 
                    if ( $www_content -match $RxIP ) { 
                        $ip = ([regex]($rxip)).match($www_content).Value 
                        break 
                    } 
               } catch { continue } 
           } 
    return $ip 
}
 

# Set the expected IP Address. Obtain this from a DNS query or set it statically.
$EI = [System.Net.Dns]::GetHostAddresses($HostName +"."+ $ZoneName) | Select-Object -ExpandProperty IPAddressToString

# Obtain the IP Address of the Internet connection.
$CheckNetwork = Test-NetConnection -CommonTCPPort HTTP freegeoip.net
if ($CheckNetwork.TcpTestSucceeded -eq $True) { 
    $ExternalIP = get-myexternalip
$IP = $ExternalIP


# If the external IP is not the same as for the HostName 
If ($IP -ne $EI) {

    $accountName = $azurelogin
    $password = ConvertTo-SecureString $azurepassword -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($accountName, $password)

    # Login to Azure
    Login-AzureRmAccount -Credential $credential 
    Select-AzureRmSubscription -SubscriptionObject $(Get-AzureRmSubscription)

    # Set IP for the HostName 
    New-AzureRmDnsRecordSet -Name $HostName -RecordType A -ZoneName $ZoneName -ResourceGroupName $azureResourceGroup -Ttl 600 -DnsRecords (New-AzureRmDnsRecordConfig -IPv4Address "$($IP)") -Overwrite -Confirm:$false

}
Else {
    Write-Output "Dynamic address ($IP) and DNS address ($EI) match."
}

}

# Author Markus Lassfolk @ TrueSec

# www.isolation.se

# with some 'inspiration' from other scripts.

# You need to have AzureRM modules installed to run this script

# https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps

# install-module AzureRM

# Set your ZoneInfo and Azure settings

$ZoneName = "isolation.se"

$HostName = "home"

$azurelogin ="username@azureAD.onmicrosoft.com"

$azurepassword = "password"

$azureResourceGroup = "ResourceGroup"

# Don't modify below this

Import-Module AzureRM

Import-Module AzureRM.Dns

function get-myexternalip() {

$urls = "http://whatismyip.akamai.com",

"http://b10m.swal.org/cgi-bin/whatsmyip.cgi?just-ip",

"http://icanhazip.com",

"http://www.whatismyip.org/";

$RxIP = "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})";

$ip = "Unknown";

Foreach ($address in $urls) {

try {

$temp = wget $address;

$www_content = $temp.Content;

if ( $www_content -match $RxIP ) {

$ip = ([regex]($rxip)).match($www_content).Value

break

}

} catch { continue }

}

return $ip

}

# Set the expected IP Address. Obtain this from a DNS query or set it statically.

$EI = [System.Net.Dns]::GetHostAddresses($HostName +"."+ $ZoneName) | Select-Object -ExpandProperty IPAddressToString

# Obtain the IP Address of the Internet connection.

$CheckNetwork = Test-NetConnection -CommonTCPPort HTTP freegeoip.net

if ($CheckNetwork.TcpTestSucceeded -eq $True) {

$ExternalIP = get-myexternalip

$IP = $ExternalIP

# If the external IP is not the same as for the HostName

If ($IP -ne $EI) {

$accountName = $azurelogin

$password = ConvertTo-SecureString $azurepassword -AsPlainText -Force

$credential = New-Object System.Management.Automation.PSCredential($accountName, $password)

# Login to Azure

Select-AzureRmSubscription -SubscriptionObject $(Get-AzureRmSubscription)

# Set IP for the HostName

New-AzureRmDnsRecordSet -Name $HostName -RecordType A -ZoneName $ZoneName -ResourceGroupName $azureResourceGroup -Ttl 600 -DnsRecords (New-AzureRmDnsRecordConfig -IPv4Address "$($IP)") -Overwrite -Confirm:$false

}

Else {

Write-Output "Dynamic address ($IP) and DNS address ($EI) match."

}

You obviously need to migrate an existing or register a new DNS Zone to Azure and use Microsoft’s NameServers for this to work.

How to solve EVENT ID 1202 SceCli 0x57 Parameter is incorrect

Customer is repeatedly getting this Event ID on all Servers and Clients, especially on the Domain Controllers being logged every 5 minute.

Warning	1/26/2018 3:08:15 PM	SceCli	1202	None

Log Name:      Application
Source:        SceCli
Date:          1/26/2018 3:08:15 PM
Event ID:      1202
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SERVERNAME
Description:
Security policies were propagated with warning. 0x57 : The parameter is incorrect.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="SceCli" />
    <EventID Qualifiers="32768">1202</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-01-26T14:08:15.607182700Z" />
    <EventRecordID>147038</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SERVERNAME</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0x57 : The parameter is incorrect.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".</Data>
  </EventData>
</Event>

Warning 1/26/2018 3:08:15 PM SceCli 1202 None

Log Name: Application

Source: SceCli

Date: 1/26/2018 3:08:15 PM

Event ID: 1202

Task Category: None

Level: Warning

Keywords: Classic

User: N/A

Computer: SERVERNAME

Description:

Security policies were propagated with warning. 0x57 : The parameter is incorrect.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Event Xml:

<Channel>Application</Channel>

<Computer>SERVERNAME</Computer>

</System>

<Data>0x57 : The parameter is incorrect.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".</Data>

</EventData>

</Event>

Searching for that Error gives thousands of results, most less helpful.The way I solved this problem was like this.

On one of the servers having the problem, run RSOP.MSC
Resultant Set of Policies showed a Warning on the Computer policies. Selecting properties there showed the same error as in our Event Log.
Browsing the Tree showed that there were a problem in the Password Policy section, from the Default Domain Policy.
Which were also visible in GPMC (Group Policy Management Console)
By modifying the Default Domain Policy and fixing the bad entries (no clue how they got there). The Error message (and problem) is now gone.

KB4048953 and KB4049065 fails to install (hungs). How to fix it.

We had a server which failed to install Windows Server / Windows 10 Service Update and November 2017 updates with the names KB4049065 and KB4048953 through Windows Update. The installation simply never completed and it looked like it hung.

Rather than go through all the various (failed) steps I did to troubleshoot it, I’ll just tell how to solve it.

Start by downloading the packages from Microsoft Update Catalog to c:\temp;
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4049065 http://www.catalog.update.microsoft.com/Search.aspx?q=KB4048953 (Cumulative Update)

Then expand the MSU files (using wusa.exe to install them failed for me) by doing this in a command prompt:

C:\Temp>md kb4048953

C:\Temp>expand -f:* windows10.0-kb4048953-x64_6fccbf0ed11c9dfbc8d13e50d81ccfe97d1e2b82.msu .\kb4048953
Microsoft (R) File Expansion Utility
Copyright (c) Microsoft Corporation. All rights reserved.

Adding .\kb4048953\WSUSSCAN.cab to Extraction Queue
Adding .\kb4048953\Windows10.0-KB4048953-x64.cab to Extraction Queue
Adding .\kb4048953\Windows10.0-KB4048953-x64-pkgProperties.txt to Extraction Queue
Adding .\kb4048953\Windows10.0-KB4048953-x64.xml to Extraction Queue

Expanding Files ....
Progress: 1 out of 4 files
Expanding Files Complete ...
4 files total.

C:\Temp>md KB4049065

C:\Temp>expand -f:* windows10.0-kb4049065-x64_f92abbe03d011154d52cf13be7fb60e2c6feb35b.msu .\KB4049065
Microsoft (R) File Expansion Utility
Copyright (c) Microsoft Corporation. All rights reserved.

Adding .\KB4049065\WSUSSCAN.cab to Extraction Queue
Adding .\KB4049065\Windows10.0-KB4049065-x64.cab to Extraction Queue
Adding .\KB4049065\Windows10.0-KB4049065-x64-pkgProperties.txt to Extraction Queue
Adding .\KB4049065\Windows10.0-KB4049065-x64.xml to Extraction Queue

Expanding Files ....

Expanding Files Complete ...
4 files total.

C:\Temp>

C:\Temp>md kb4048953

C:\Temp>expand -f:* windows10.0-kb4048953-x64_6fccbf0ed11c9dfbc8d13e50d81ccfe97d1e2b82.msu .\kb4048953

Microsoft (R) File Expansion Utility

Adding .\kb4048953\WSUSSCAN.cab to Extraction Queue

Adding .\kb4048953\Windows10.0-KB4048953-x64.cab to Extraction Queue

Adding .\kb4048953\Windows10.0-KB4048953-x64-pkgProperties.txt to Extraction Queue

Adding .\kb4048953\Windows10.0-KB4048953-x64.xml to Extraction Queue

Expanding Files ....

Progress: 1 out of 4 files

Expanding Files Complete ...

4 files total.

C:\Temp>md KB4049065

C:\Temp>expand -f:* windows10.0-kb4049065-x64_f92abbe03d011154d52cf13be7fb60e2c6feb35b.msu .\KB4049065

Microsoft (R) File Expansion Utility

Adding .\KB4049065\WSUSSCAN.cab to Extraction Queue

Adding .\KB4049065\Windows10.0-KB4049065-x64.cab to Extraction Queue

Adding .\KB4049065\Windows10.0-KB4049065-x64-pkgProperties.txt to Extraction Queue

Adding .\KB4049065\Windows10.0-KB4049065-x64.xml to Extraction Queue

Expanding Files ....

Expanding Files Complete ...

4 files total.

C:\Temp>

You should now have two folders with files like this;
As this is a Windows Server 2016 (or Windows 10) we can use Powershell rather than Dism to install the cab files into Windows.
Open Powershell with elevated permissions (as Admin).

To install both packages do this, and have patience. It took more than 4 hours for them to install on my server and it looked like the installation hung for a long time around 15%.

cd C:\temp\KB4049065
Add-WindowsPackage -Online -PackagePath "Windows10.0-KB4049065-x64.cab" -norestart -Verbose -LogLevel WarningsInfo
cd C:\temp\kb4048953
Add-WindowsPackage -Online -PackagePath "Windows10.0-KB4048953-x64.cab" -norestart -Verbose -LogLevel WarningsInfo

cd C:\temp\KB4049065

Add-WindowsPackage -Online -PackagePath "Windows10.0-KB4049065-x64.cab" -norestart -Verbose -LogLevel WarningsInfo

cd C:\temp\kb4048953

Add-WindowsPackage -Online -PackagePath "Windows10.0-KB4048953-x64.cab" -norestart -Verbose -LogLevel WarningsInfo

When the installation has completed reboot the server and you are done!

WSUS Maintenance script for TechDays audience

Function Invoke-Exe{
    [CmdletBinding(SupportsShouldProcess=$true)]

    param(
        [parameter(mandatory=$true,position=0)]
        [ValidateNotNullOrEmpty()]
        [string]
        $Executable,

        [parameter(mandatory=$false,position=1)]
        [string]
        $Arguments
    )

    if($Arguments -eq "")
    {
        Write-Verbose "Running $ReturnFromEXE = Start-Process -FilePath $Executable -ArgumentList $Arguments -NoNewWindow -Wait -Passthru"
        $ReturnFromEXE = Start-Process -FilePath $Executable -NoNewWindow -Wait -Passthru
    }else{
        Write-Verbose "Running $ReturnFromEXE = Start-Process -FilePath $Executable -ArgumentList $Arguments -NoNewWindow -Wait -Passthru"
        $ReturnFromEXE = Start-Process -FilePath $Executable -ArgumentList $Arguments -NoNewWindow -Wait -Passthru
    }
    Write-Verbose "Returncode is $($ReturnFromEXE.ExitCode)"
    Return $ReturnFromEXE.ExitCode
}

#Setup
$RunningFromFolder = $MyInvocation.MyCommand.Path | Split-Path -Parent 
$WsusDBMaintenanceFile = "$RunningFromFolder\WsusDBMaintenance.sql"
#Connect to DB
#For Windows Internal Database, use $WSUSDB = '\\.\pipe\MICROSOFT##WID\tsql\query'
#For SQL Express, use $WSUSDB = '\\.\pipe\MSSQL$SQLEXPRESS\sql\query'
$WSUSDB = '\\.\pipe\MICROSOFT##WID\tsql\query'

if(!(Test-Path $WSUSDB) -eq $true){Write-Warning "Could not access the DB";BREAK}
if(!(Test-Path $WsusDBMaintenanceFile) -eq $true){Write-Warning "Could not access the WsusDBMaintenance.sql, make sure you have downloaed the file from https://gallery.technet.microsoft.com/scriptcenter/6f8cde49-5c52-4abd-9820-f1d270ddea61#content";BREAK}

Write-Output "Running from: $RunningFromFolder"
Write-Output "Using SQL FIle: $WsusDBMaintenanceFile"
Write-Output "Using DB: $WSUSDB"

#Get and Set the WSUS Server target
$WSUSSrv = Get-WsusServer -Name $env:COMPUTERNAME -PortNumber 8530
Write-Output "Working on $($WSUSSrv.name)"

# Choose Languages
$WSUSSrvCFG = $WSUSSrv.GetConfiguration()




# Synchronization
$WSUSSrvSubScrip = $WSUSSrv.GetSubscription()
$WSUSSrvSubScrip.StartSynchronization()
While($WSUSSrvSubScrip.GetSynchronizationStatus() -ne 'NotProcessing') 
{            
    Write-Host "Still syncing"            
    Start-Sleep -Seconds 5            
} 


#$SuperSeededUpdates = Get-WsusUpdate -Approval Declined -Classification All -Status Any | Where-Object -Property UpdatesSupersedingThisUpdate -EQ -Value 'None' -Verbose
#$SuperSeededUpdates | Approve-WsusUpdate -Verbose
#$SuperSeededUpdates | where Classification -ne "Drivrutiner" | Approve-WsusUpdate -Verbose -Action Install -TargetGroupName "All Computers"

Write-Output "Deny SuperSeeded Updates"
$SuperSeededUpdates = Get-WsusUpdate -Approval AnyExceptDeclined -Classification All -Status Any | Where-Object -Property UpdatesSupersedingThisUpdate -NE -Value 'None' -Verbose
$SuperSeededUpdates | Deny-WsusUpdate -Verbose

Write-Output "Get All Updates except Declined"
$AllUpdates = Get-WsusUpdate -Approval AnyExceptDeclined -Classification All -Status Any
Write-Output "Decline Itanium Updates"
$ItaniumUpdates = $AllUpdates | where { $_.update.Title -like "*Itanium*" -or $_.update.Title -like "*IA64*"} 
$ItaniumUpdates | Deny-WsusUpdate -Verbose

Write-Output "Decline ARM64 Updates"
$ARMUpdates = $AllUpdates | where { $_.update.Title -like "*ARM64*" } 
$ARMUpdates | Deny-WsusUpdate -Verbose

Write-Output "Decline Windowx XP-Windows 8.1 Client Updates and Windows Server 2008 + 2012 Updates"
$WinClientUpdates = $AllUpdates | where { $_.update.Title -like "*Windows 7*" -or $_.Update.Title -like "*Windows 8*" -or $_.Update.Title -like "*Windows XP*" -or $_.Update.Title -like "*Windows Vista*" -or $_.Update.Title -like "*Windows Server 2008*" -or $_.Update.Title -like "*Windows Server 2012*" } | where { $_.update.Title -notlike "*Windows Server 2012 R2*" } | where { $_.Update.Title -notlike "*Windows Server 2016*" } | where { $_.Update.ProductTitles -notcontains "Windows Server 2016" -and $_.Update.ProductTitles -notcontains "Windows Server 2012 R2" -and $_.Update.ProductTitles -notcontains "Windows 10" }
$WinClientUpdates | Deny-WsusUpdate -Verbose

Write-Output "Decline Preview Updates"
$PreviewUpdates = $AllUpdates | where { $_.update.Title -like "*förhandsversion*" -or $_.update.Title -like "*preview*"} 
$PreviewUpdates | Deny-WsusUpdate -Verbose

Write-Output "Decline Wind0 x86 and Feature on Demand Updates"
$Otherupdates = $AllUpdates | where { $_.update.Title -like "*Windows 10 Version * for x86-based Systems*" -or $_.update.Title -like "*Feature*On*Demand*"} | where { $_.update.Title -notlike "*X64*" } | where { $_.update.Title -notlike "*AMD64*" } 
$Otherupdates | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.Title -like "*Language*Feature*On*Demand*" } | Deny-WsusUpdate -Verbose

Write-Output "Decline Beta Updates"
$AllUpdates | where { $_.update.Title -like "*Beta*" } | Deny-WsusUpdate -Verbose

Write-Output "Decline Other Updates"
$AllUpdates | where { $_.update.PublicationState -like "Expired" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.Title -like "*Sharepoint*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.Title -like "*Multipoint*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.Title -like "*Windows 10*N,*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.Title -like "*Windows 10*N version*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.Title -like "*Windows 10 Education,*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.Title -like "*InfoPath*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.UpdateClassificationTitle -like "*Upgrades*" -and $_.Update.Title -like "*Windows 10*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.ProductTitles -like "*MS Security Essentials*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.ProductTitles -like "*Security Essentials*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.ProductTitles -like "*Forefront Endpoint Protection*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.ProductTitles -like "*Forefront Client Security*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.ProductTitles -like "*SQL Server*" -and $_.Update.Title -like "*Books*"} | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.ProductTitles -like "*Silverlight*" }| Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.ProductTitles -like "*Dictionary*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.ProductTitles -like "*Windows Embedded*" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.ProductFamilyTitles -eq "Forefront" }| Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.ProductFamilyTitles -like "Windows" } | where { $_.Update.ProductTitles -contains "Windows XP" -or $_.Update.ProductTitles -contains "Windows Server 2008" -or $_.Update.ProductTitles -contains "Windows Vista" -or $_.Update.ProductTitles -contains "Windows 7" -or $_.Update.ProductTitles -contains "Windows 8.1" -or $_.Update.ProductTitles -contains "Windows 8" } | where { $_.Update.ProductTitles -notcontains "Windows Server 2016" -and $_.Update.ProductTitles -notcontains "Windows Server 2012 R2" -and $_.Update.ProductTitles -notcontains "Windows 10" } | Deny-WsusUpdate -Verbose
$AllUpdates | where { $_.Update.ProductFamilyTitles -eq "Microsoft Application Virtualization" } | Deny-WsusUpdate -Verbose





#Cleanup WSUS
Write-Output "Cleanup Obsolete Computers"
$CleanupObsoleteComputers = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -CleanupObsoleteComputers
Write-Output $CleanupObsoleteComputers

Write-Output "Decline Expired Updates"
$DeclineExpiredUpdates = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -DeclineExpiredUpdates
Write-Output $DeclineExpiredUpdates

Write-Output "Decline Superseded Updates"
$DeclineSupersededUpdates = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -DeclineSupersededUpdates
Write-Output $DeclineSupersededUpdates

Write-Output "Cleanup Obsolete Updates"
$CleanupObsoleteUpdates = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -CleanupObsoleteUpdates
Write-Output $CleanupObsoleteUpdates

Write-Output "Cleanup Unneeded Content Files"
$CleanupUnneededContentFiles = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -CleanupUnneededContentFiles
Write-Output "Diskspace Freed: $([Math]::Round($(($CleanupUnneededContentFiles).Split(":")[1]/1GB),2)) GB"


Write-Output "Compress Updates"
$CompressUpdates = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -CompressUpdates
Write-Output $CompressUpdates


[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer("$ENV:ComputerName",$False,8530)
$updates = $wsus.GetUpdates()
$license = $updates | Where {$_.RequiresLicenseAgreementAcceptance}
$license | Select Title
$license | ForEach {$_.AcceptLicenseAgreement()} 



#Cleanup the SUDB
Write-Output "Defrag and Cleanup DB"
$Command = "sqlcmd.exe"
$Arguments = "-E -S $WSUSDB /i $WsusDBMaintenanceFile"
Invoke-Exe -Executable $Command -Arguments $Arguments

Write-Output "Done"

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

Function Invoke-Exe{

[CmdletBinding(SupportsShouldProcess=$true)]

param(

[parameter(mandatory=$true,position=0)]

[ValidateNotNullOrEmpty()]

[string]

$Executable,

[parameter(mandatory=$false,position=1)]

[string]

$Arguments

)

if($Arguments -eq "")

{

Write-Verbose "Running $ReturnFromEXE = Start-Process -FilePath $Executable -ArgumentList $Arguments -NoNewWindow -Wait -Passthru"

$ReturnFromEXE = Start-Process -FilePath $Executable -NoNewWindow -Wait -Passthru

}else{

Write-Verbose "Running $ReturnFromEXE = Start-Process -FilePath $Executable -ArgumentList $Arguments -NoNewWindow -Wait -Passthru"

$ReturnFromEXE = Start-Process -FilePath $Executable -ArgumentList $Arguments -NoNewWindow -Wait -Passthru

}

Write-Verbose "Returncode is $($ReturnFromEXE.ExitCode)"

Return $ReturnFromEXE.ExitCode

}

#Setup

$RunningFromFolder = $MyInvocation.MyCommand.Path | Split-Path -Parent

$WsusDBMaintenanceFile = "$RunningFromFolder\WsusDBMaintenance.sql"

#Connect to DB

#For Windows Internal Database, use $WSUSDB = '\\.\pipe\MICROSOFT##WID\tsql\query'

#For SQL Express, use $WSUSDB = '\\.\pipe\MSSQL$SQLEXPRESS\sql\query'

$WSUSDB = '\\.\pipe\MICROSOFT##WID\tsql\query'

if(!(Test-Path $WSUSDB) -eq $true){Write-Warning "Could not access the DB";BREAK}

if(!(Test-Path $WsusDBMaintenanceFile) -eq $true){Write-Warning "Could not access the WsusDBMaintenance.sql, make sure you have downloaed the file from https://gallery.technet.microsoft.com/scriptcenter/6f8cde49-5c52-4abd-9820-f1d270ddea61#content";BREAK}

Write-Output "Running from: $RunningFromFolder"

Write-Output "Using SQL FIle: $WsusDBMaintenanceFile"

Write-Output "Using DB: $WSUSDB"

#Get and Set the WSUS Server target

$WSUSSrv = Get-WsusServer -Name $env:COMPUTERNAME -PortNumber 8530

Write-Output "Working on $($WSUSSrv.name)"

# Choose Languages

$WSUSSrvCFG = $WSUSSrv.GetConfiguration()

# Synchronization

$WSUSSrvSubScrip = $WSUSSrv.GetSubscription()

$WSUSSrvSubScrip.StartSynchronization()

While($WSUSSrvSubScrip.GetSynchronizationStatus() -ne 'NotProcessing')

{

Write-Host "Still syncing"

Start-Sleep -Seconds 5

}

#$SuperSeededUpdates = Get-WsusUpdate -Approval Declined -Classification All -Status Any | Where-Object -Property UpdatesSupersedingThisUpdate -EQ -Value 'None' -Verbose

#$SuperSeededUpdates | Approve-WsusUpdate -Verbose

#$SuperSeededUpdates | where Classification -ne "Drivrutiner" | Approve-WsusUpdate -Verbose -Action Install -TargetGroupName "All Computers"

Write-Output "Deny SuperSeeded Updates"

$SuperSeededUpdates = Get-WsusUpdate -Approval AnyExceptDeclined -Classification All -Status Any | Where-Object -Property UpdatesSupersedingThisUpdate -NE -Value 'None' -Verbose

$SuperSeededUpdates | Deny-WsusUpdate -Verbose

Write-Output "Get All Updates except Declined"

$AllUpdates = Get-WsusUpdate -Approval AnyExceptDeclined -Classification All -Status Any

Write-Output "Decline Itanium Updates"

$ItaniumUpdates = $AllUpdates | where { $_.update.Title -like "*Itanium*" -or $_.update.Title -like "*IA64*"}

$ItaniumUpdates | Deny-WsusUpdate -Verbose

Write-Output "Decline ARM64 Updates"

$ARMUpdates = $AllUpdates | where { $_.update.Title -like "*ARM64*" }

$ARMUpdates | Deny-WsusUpdate -Verbose

Write-Output "Decline Windowx XP-Windows 8.1 Client Updates and Windows Server 2008 + 2012 Updates"

$WinClientUpdates = $AllUpdates | where { $_.update.Title -like "*Windows 7*" -or $_.Update.Title -like "*Windows 8*" -or $_.Update.Title -like "*Windows XP*" -or $_.Update.Title -like "*Windows Vista*" -or $_.Update.Title -like "*Windows Server 2008*" -or $_.Update.Title -like "*Windows Server 2012*" } | where { $_.update.Title -notlike "*Windows Server 2012 R2*" } | where { $_.Update.Title -notlike "*Windows Server 2016*" } | where { $_.Update.ProductTitles -notcontains "Windows Server 2016" -and $_.Update.ProductTitles -notcontains "Windows Server 2012 R2" -and $_.Update.ProductTitles -notcontains "Windows 10" }

$WinClientUpdates | Deny-WsusUpdate -Verbose

Write-Output "Decline Preview Updates"

$PreviewUpdates = $AllUpdates | where { $_.update.Title -like "*förhandsversion*" -or $_.update.Title -like "*preview*"}

$PreviewUpdates | Deny-WsusUpdate -Verbose

Write-Output "Decline Wind0 x86 and Feature on Demand Updates"

$Otherupdates = $AllUpdates | where { $_.update.Title -like "*Windows 10 Version * for x86-based Systems*" -or $_.update.Title -like "*Feature*On*Demand*"} | where { $_.update.Title -notlike "*X64*" } | where { $_.update.Title -notlike "*AMD64*" }

$Otherupdates | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.Title -like "*Language*Feature*On*Demand*" } | Deny-WsusUpdate -Verbose

Write-Output "Decline Beta Updates"

$AllUpdates | where { $_.update.Title -like "*Beta*" } | Deny-WsusUpdate -Verbose

Write-Output "Decline Other Updates"

$AllUpdates | where { $_.update.PublicationState -like "Expired" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.Title -like "*Sharepoint*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.Title -like "*Multipoint*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.Title -like "*Windows 10*N,*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.Title -like "*Windows 10*N version*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.Title -like "*Windows 10 Education,*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.Title -like "*InfoPath*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.UpdateClassificationTitle -like "*Upgrades*" -and $_.Update.Title -like "*Windows 10*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.ProductTitles -like "*MS Security Essentials*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.ProductTitles -like "*Security Essentials*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.ProductTitles -like "*Forefront Endpoint Protection*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.ProductTitles -like "*Forefront Client Security*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.ProductTitles -like "*SQL Server*" -and $_.Update.Title -like "*Books*"} | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.ProductTitles -like "*Silverlight*" }| Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.ProductTitles -like "*Dictionary*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.ProductTitles -like "*Windows Embedded*" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.ProductFamilyTitles -eq "Forefront" }| Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.ProductFamilyTitles -like "Windows" } | where { $_.Update.ProductTitles -contains "Windows XP" -or $_.Update.ProductTitles -contains "Windows Server 2008" -or $_.Update.ProductTitles -contains "Windows Vista" -or $_.Update.ProductTitles -contains "Windows 7" -or $_.Update.ProductTitles -contains "Windows 8.1" -or $_.Update.ProductTitles -contains "Windows 8" } | where { $_.Update.ProductTitles -notcontains "Windows Server 2016" -and $_.Update.ProductTitles -notcontains "Windows Server 2012 R2" -and $_.Update.ProductTitles -notcontains "Windows 10" } | Deny-WsusUpdate -Verbose

$AllUpdates | where { $_.Update.ProductFamilyTitles -eq "Microsoft Application Virtualization" } | Deny-WsusUpdate -Verbose

#Cleanup WSUS

Write-Output "Cleanup Obsolete Computers"

$CleanupObsoleteComputers = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -CleanupObsoleteComputers

Write-Output $CleanupObsoleteComputers

Write-Output "Decline Expired Updates"

$DeclineExpiredUpdates = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -DeclineExpiredUpdates

Write-Output $DeclineExpiredUpdates

Write-Output "Decline Superseded Updates"

$DeclineSupersededUpdates = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -DeclineSupersededUpdates

Write-Output $DeclineSupersededUpdates

Write-Output "Cleanup Obsolete Updates"

$CleanupObsoleteUpdates = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -CleanupObsoleteUpdates

Write-Output $CleanupObsoleteUpdates

Write-Output "Cleanup Unneeded Content Files"

$CleanupUnneededContentFiles = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -CleanupUnneededContentFiles

Write-Output "Diskspace Freed: $([Math]::Round($(($CleanupUnneededContentFiles).Split(":")[1]/1GB),2)) GB"

Write-Output "Compress Updates"

$CompressUpdates = Invoke-WsusServerCleanup -UpdateServer $WSUSSrv -CompressUpdates

Write-Output $CompressUpdates

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer("$ENV:ComputerName",$False,8530)

$updates = $wsus.GetUpdates()

$license = $updates | Where {$_.RequiresLicenseAgreementAcceptance}

$license | Select Title

$license | ForEach {$_.AcceptLicenseAgreement()}

#Cleanup the SUDB

Write-Output "Defrag and Cleanup DB"

$Command = "sqlcmd.exe"

$Arguments = "-E -S $WSUSDB /i $WsusDBMaintenanceFile"

Invoke-Exe -Executable $Command -Arguments $Arguments

Write-Output "Done"

Get GeoLocation with PowerShell and set NTP Server in a GPO

Using Powershell to locate your Geographical Location with the help of GeoLocation (IP-Address) is quite easy, cool and useful!

When we build Private and Hybrid Clouds across the globe in various countries and continents I want to make sure the Active Directory PDC Emulator is using a valid time source based on that location.

So with this small script (it’s using multiple WebServices to cycle through until it gets an answer) we can get a rough location for where we are and in my case it’s usually enough to know what country the datacenter is in.

function get-myexternalip() {   
    $urls = "http://whatismyip.akamai.com",  
            "http://b10m.swal.org/cgi-bin/whatsmyip.cgi?just-ip",  
            "http://icanhazip.com",  
            "http://www.whatismyip.org/"; 
 
           $RxIP = "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"; 
           $ip = "Unknown"; 
           Foreach ($address in $urls) { 
               try { 
                    $temp = wget $address; 
                    $www_content = $temp.Content; 
                    if ( $www_content -match $RxIP ) { 
                        $ip = ([regex]($rxip)).match($www_content).Value 
                        break 
                    } 
               } catch { continue } 
           } 
    return $ip 
}


$CheckNetwork = Test-NetConnection -CommonTCPPort HTTP freegeoip.net
if ($CheckNetwork.TcpTestSucceeded -eq $True) { 
    $ExternalIP = get-myexternalip
    [XML]$GeoLocation = Invoke-RestMethod -Method Get -Uri http://freegeoip.net/xml/$ExternalIP 
    $NTPGeolocation = $GeoLocation.Response.CountryCode.ToLower()
}
$GeoLocation.Response

function get-myexternalip() {

$urls = "http://whatismyip.akamai.com",

"http://b10m.swal.org/cgi-bin/whatsmyip.cgi?just-ip",

"http://icanhazip.com",

"http://www.whatismyip.org/";

$RxIP = "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})";

$ip = "Unknown";

Foreach ($address in $urls) {

try {

$temp = wget $address;

$www_content = $temp.Content;

if ( $www_content -match $RxIP ) {

$ip = ([regex]($rxip)).match($www_content).Value

break

}

} catch { continue }

}

return $ip

}

$CheckNetwork = Test-NetConnection -CommonTCPPort HTTP freegeoip.net

if ($CheckNetwork.TcpTestSucceeded -eq $True) {

$ExternalIP = get-myexternalip

[XML]$GeoLocation = Invoke-RestMethod -Method Get -Uri http://freegeoip.net/xml/$ExternalIP

$NTPGeolocation = $GeoLocation.Response.CountryCode.ToLower()

}

$GeoLocation.Response

That can then be used as you see fit. Though for me, I’m using it to update the Group Policy being applied to the PDC Emulator to point to the country specific NTP Pool with the generic pool as backup value.

$NTPPool = "pool.ntp.org"
if ($NTPGeolocation -ne $Null) { $NTPPool = "$NTPGeolocation"+".pool.ntp.org,0x09 "+"$NTPPool"+",0x0a" } 
get-gpo -all | where DisplayName -like "*PDC*" | set-GPRegistryValue -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\Parameters" -ValueName NTPServer -Value "$NTPPool" -Type String

$NTPPool = "pool.ntp.org"

if ($NTPGeolocation -ne $Null) { $NTPPool = "$NTPGeolocation"+".pool.ntp.org,0x09 "+"$NTPPool"+",0x0a" }

get-gpo -all | where DisplayName -like "*PDC*" | set-GPRegistryValue -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\Parameters" -ValueName NTPServer -Value "$NTPPool" -Type String

That’s how easy it’s to modify a Group Policy object.

Please share any solutions using GeoLocation in the comments. It might give me some nice new ideas too!