Archive for the ‘Consulting’ Category

Procedures for joining workgroup PCs to remote Server Essentials domain

First step with new computer setup: Create Local user on workstation – skip the OOBE, do not use Hotmail account to create user, instead select limited or no internet and then create local user account – say pcadmin.  Set password and continue on till you get to the desktop.

Connecting PC to the Essentials Server:

  1. Go to to download the connector tool to the workstation PC1
  2. Run connector software – what this does is install the certificate and the VPN connection to site which connects to the foo.local domain.
  3. The connector then joins the domain or at least once you’re connected, you can open: sysdm.cpl and join the domain manually.
  4. After joining the domain manually, DO NOT REBOOT.  The reason is that you want to cache the new user1 credentials onto the workstation before rebooting and “losing” the remote connection.  So you do two things: 1) add user1 to local administrators group and 2) logon with user1 to workstation before you reboot – yes it will work.
    1. Open elevated cmd prompt.
    2. Type:  net localgroup administrators foo\user1 /add   – this adds user1 to Administrators group on PC1
    3. Type: runas /user:foo\user1 cmd.exe  <enter key>  – then type in password for user1
    4. This opens CMD prompt under user1 credentials which thereby creates user1 profile.
  5. Now you’re still connected to the VPN network so you can switch user and logon to PC1 with user1 creds
  6. Click start, then go to admin account and choose switch user.
  7. At logon prompt type foo\user1 with password – this will finish with user profile creation and cache password.  Also, best once at desktop to lock workstation and unlock again with password.
  8. Then reboot computer
  9. Try logging on with user1 to foo domain.
  10. If it fails, then go back to local Admin account on PC1 and reconnect the remotewebaccess VPN
  11. Then switch user again and proceed to setup rest of items – like outlook, files etc.

    Error code 80090016 TPM has malfunctioned

    Every once in a while you will encounter this error message when trying to activate a user’s Office 365 license. The window that pops up doesn’t always point you in the right direction.

    Typical Error message when entering creds to activate o365 license.

    Researched many sites and each had many different solutions. However it seems one hit the nail on the head. First though here are other options I tried:

    1. Rename this folder to something else – have to first logon (after reboot) with admin account to machine. Rename C:\users\$dir\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy to same folder with .old at end of it. Note – doing this didn’t work for me but it did for others.
    2. Get access to this folder and clear the NGC folder: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\; Link for this:; However in my case, there wasn’t anything in NGC folder – so yeah well not a solution.
    3. Reset – and or Clear TPM from windows. Did this and while it didn’t fix, for a time I couldn’t reboot the computer into windows. Removed UEFI boot/set to legacy boot – No joy. Multiple tries, shutdowns, unplug device, drain all power from system and then booting back and setting UEFI boot back and boom goes the dynamite!! – it booted back into Windows. Some days… Link for doing this procedure:
    4. Last and final attempt which happened to solve this riddle. Tried this one after performing #3. This link – under 3 post by Binod Shrestha, he shows to just open Device Manager, open Security Devices and Uninstall the “Trusted Platform Module 2.0” (or 1.1.2) from the PC.

    After that reboot, log back in as the user with o365 issues, try opening up any Office app and now it just works, Office is activated and user config for OneDrive is all correct and no further problems. That’s just crazy!!

    Hope this helps you the next time you run into such an error. Frustrating!!! Again, thank you Microsoft!! <Rant>Seriously have to disconnect Office licensing from TPM and from Hotmail/live accounts</Rant>.

    Datto (Autotask) RMM Agents showing previous AV endpoint after removing from Agent endpoint.

    Recently I switched from using two separate endpoint AV solutions (ESET and Webroot) to using Windows 10 Defender and Huntress labs scanning agent. The cost difference was significant enough and have found that Huntress has found infections that previous AV software missed/didn’t report on.

    In order to make this all happen successfully, one needs to uninstall the AV endpoints (ESET/Webroot/Sentinel1,others) first. My Datto RMM had several uninstallers built-in and I even added some that went through and purged the Endpoint from registry after doing a manual uninstall of the endpoint using the MSI file on the systems. The problem arose when looking at the devices in my RMM console, the display still showed either Endpoint as the primary AV product. Subsequent calls to ESET, Webroot and others, proved that re-installing and re-uninstalling had no effect.

    I even tried deleting the RMM agent from system and re-installing figuring it as something in the RMM agent software – NOPE!

    I connected via Chat to Datto community and the engineer there suggested I run this powershell command: Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

    Results showed this:

    __GENUS : 2
    __CLASS : AntiVirusProduct
    __DYNASTY : AntiVirusProduct
    __RELPATH : AntiVirusProduct.instanceGuid=”{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}”
    __DERIVATION : {}
    __NAMESPACE : ROOT\SecurityCenter2
    __PATH : \ODIN\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid=”{D68DDC3A-831F-4fae-9E44-DA132C1A
    displayName : Windows Defender
    instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    pathToSignedProductExe : windowsdefender://
    pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
    productState : 397568
    timestamp : Thu, 17 Mar 2022 18:24:07 GMT
    PSComputerName : XXXXX

    __GENUS : 2
    __CLASS : AntiVirusProduct
    __DYNASTY : AntiVirusProduct
    __RELPATH : AntiVirusProduct.instanceGuid=”{885D845F-AF19-0124-FECE-FFF49D00F440}”
    __DERIVATION : {}
    __NAMESPACE : ROOT\SecurityCenter2
    __PATH : \ODIN\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid=”{885D845F-AF19-0124-FECE-FFF49D00
    displayName : ESET Security = > this is what showed in the RMM Console.
    instanceGuid : {885D845F-AF19-0124-FECE-FFF49D00F440}
    pathToSignedProductExe : C:\Program Files\ESET\ESET Security\ecmds.exe
    pathToSignedReportingExe : C:\Program Files\ESET\ESET Security\ekrn.exe
    productState : 266240
    timestamp : Tue, 14 Sep 2021 19:43:46 GMT
    PSComputerName : XXXXXX

    The Datto support tech then said to run same powershell command but with delete option to delete all wmi objects for the Security Center:

    Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object{$_.Delete()}

    The result cleared all objects for Security Center and in the RMM console, the computers showed Windows Defender – the required result. No reboots necessary.
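A narrower variant of the cleanup above, as an added example that is not from the original post or from Datto: instead of deleting every AntiVirusProduct instance, it deletes only entries whose registered reporting executable is no longer on disk. The function name Remove-StaleAvRegistration is hypothetical; it assumes an elevated 64-bit Windows PowerShell 5.1 session, where Get-WmiObject is available.

```powershell
# Added example (not from the original post). Hypothetical helper name.
# Assumes elevated, 64-bit Windows PowerShell 5.1 so that Get-WmiObject exists
# and %ProgramFiles% expands to the same folder the product registered.
function Remove-StaleAvRegistration {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $products = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

    foreach ($p in $products) {
        # Registered paths may contain variables such as %ProgramFiles%.
        $raw = [string]$p.pathToSignedReportingExe
        $exe = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')

        # An entry is stale only when it names a file that is gone.
        # Entries with an empty path are reported but never deleted.
        $hasPath = -not [string]::IsNullOrWhiteSpace($exe)
        $onDisk  = $hasPath -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $stale   = $hasPath -and -not $onDisk

        # Emit one row per registration so the decision can be reviewed.
        [pscustomobject]@{
            DisplayName  = $p.displayName
            InstanceGuid = $p.instanceGuid
            ReportingExe = $exe
            Timestamp    = $p.timestamp
            Stale        = $stale
        }

        # Same Delete() call as the one-liner above, but per stale entry
        # and gated by -WhatIf / -Confirm.
        if ($stale -and $PSCmdlet.ShouldProcess($p.displayName, 'Delete SecurityCenter2 registration')) {
            $p.Delete()
        }
    }
}

# Dry run: lists every registration and reports what would be removed.
Remove-StaleAvRegistration -WhatIf | Format-Table -AutoSize
```

Drop -WhatIf after reviewing the list; the function then prompts before each deletion, and the registration of the product that is still installed is left alone.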

    Hope this proves helpful for those with similar types of RMM console trouble when switching AV products.

    Categories: Remote Monitoring

    Remotewebaccess VPN disconnects (Error 829)

    Client told me he couldn’t access the vpn to the office.  Would connect and disconnect and or any connection would only last a few seconds before disconnecting. Event log errors include Error 829.

    At first I thought it could be the server needed a reboot. Nope, wasn’t it.

    Looked at the RWA certificates on the server and did notice that the one that was being used expired today. Hmmm. So I checked IIS and looked at the Bindings for the Default Website – but the server had already bound the new RWA certificate to it. Still clients couldn’t connect.

    Looking further at the client event logs this is example of one of error messages:

    CoId={3AE1BD1D-CF91-4B7B-A93F-7A59705A1EF5}: The user WIN10TEST\username dialed a connection named which has terminated. The reason code returned on termination is 829. All this means is a disconnected session. Great no help there.

    Searched the web and found this bit of information:

    The RWA certificate set in IIS is also used by Routing and Remote Access Server Configuration – not for authentication but for maintaining secure TLS connection. So even though the IIS cert was updated, RRAS console doesn’t upgrade it automatically :(.

    Solution: Go to Routing and Remote Access snap-in, right-click on the properties of your router (MACHINE-NAME (local) properties in the tree-view to the left) select the Security Tab; you will be warned that there’s no TLS certificate selected (the previous has expired in my case) and select the certificate that has the next year’s expiration date – can select and then view them prior to saving. This will force a RRAS service restart. Thereafter clients can connect and remain connected :).
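A check for the mismatch described above, as an added example that is not from the original post: it compares the certificate RRAS presents with the one on the IIS HTTPS binding and flags an expired or soon-to-expire RRAS certificate. The function name Test-RrasCertificateDrift is hypothetical; it assumes the RemoteAccess and WebAdministration modules are present and that the RWA site is named 'Default Web Site'.

```powershell
# Added example (not from the original post). Run elevated on the server.
# Assumptions: RemoteAccess and WebAdministration modules are installed and
# the RWA site is named 'Default Web Site'; the function name is hypothetical.
Import-Module RemoteAccess, WebAdministration

function Test-RrasCertificateDrift {
    param(
        [string]$SiteName = 'Default Web Site',
        [int]$WarnDays    = 30
    )

    # Certificate RRAS uses for the TLS (SSTP) listener; $null if none is selected.
    $rrasCert = (Get-RemoteAccess).SslCertificate

    # Certificate referenced by the site's HTTPS binding.
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    $iisCert = $null
    if ($binding -and $binding.certificateHash) {
        $store   = $binding.certificateStoreName
        $iisCert = Get-Item -Path "Cert:\LocalMachine\$store\$($binding.certificateHash)" -ErrorAction SilentlyContinue
    }

    $now = Get-Date
    $rrasThumb = $null; $rrasEnd = $null
    if ($rrasCert) { $rrasThumb = $rrasCert.Thumbprint; $rrasEnd = $rrasCert.NotAfter }
    $iisThumb = $null; $iisEnd = $null
    if ($iisCert) { $iisThumb = $iisCert.Thumbprint; $iisEnd = $iisCert.NotAfter }

    [pscustomobject]@{
        RrasThumbprint  = $rrasThumb
        RrasNotAfter    = $rrasEnd
        IisThumbprint   = $iisThumb
        IisNotAfter     = $iisEnd
        # IIS renewed but RRAS still on the old certificate: the case in this post.
        SameCertificate = [bool]($rrasThumb -and ($rrasThumb -eq $iisThumb))
        RrasExpired     = [bool]($rrasEnd -and ($rrasEnd -lt $now))
        RrasExpiresSoon = [bool]($rrasEnd -and ($rrasEnd -lt $now.AddDays($WarnDays)))
        RrasCertMissing = -not $rrasCert
    }
}

$result = Test-RrasCertificateDrift
$result | Format-List
if ($result.RrasCertMissing -or $result.RrasExpired -or -not $result.SameCertificate) {
    Write-Warning 'RRAS is not using the certificate bound in IIS, or its certificate has expired. Select the current certificate on the RRAS Security tab.'
}
```

Run as a scheduled check, the RrasExpiresSoon flag gives advance notice before clients start dropping with error 829.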

    Datto RMM Agent Browser lost in Chrome extensions

    A few days ago I noticed that after some updates or whatever on my laptop, that the Agent Browser for Datto (Autotask) RMM wasn’t opening when trying to access a client’s machine. I could do the web access but anything requiring the Agent Browser to open, failed. Rather than uninstalling I dug into what was going on between a working machine and a non working machine. Plus found something on the web that described similar issue with other application.

    Long story short, this is because the Agent Browser setting got lost in the Chrome Setting Preferences file. The file is located here:
    c:\users\\appdata\local\google\chrome\user data\default\preferences

    Look for Excluded_Schemes and if not found, add the information below back to the preferences file and save. Then close out of Chrome and re-open. Thereafter when you want to connect to client’s desktop using the Agent Browser, it will be called upon.

    Look for this area of preferences:

    Add section in italics to the file, hit save and reopen chrome.

    Hope this helps MSPs out there in need of this relief!

    You cannot turn on Network Discovery in Network and Sharing Center in Windows Server

    Assume that you try to turn on Network Discovery on a computer that is running any version of Windows Server. To do this, you change the Advanced sharing settings in Network and Sharing Center. However, the changes are not saved. Therefore, you cannot turn on Network Discovery, and you experience the following issues:

    • You cannot browse or find any network share.
    • You cannot view shared folders on a local network.

    This issue occurs for one of the following reasons:

    • The dependency services for Network Discovery are not running.
    • The Windows firewall or other firewalls do not allow Network Discovery.

    To resolve the issue, follow these steps:

    1. Make sure that the following dependency services are started:
       • DNS Client
       • Function Discovery Resource Publication
       • SSDP Discovery
       • UPnP Device Host
    2. Configure the Windows firewall to allow Network Discovery. To do this, follow these steps:
       1. Open Control Panel, click System and Security, and then click Windows Firewall.
       2. In the left pane, click Allow an app or feature through Windows Firewall if you are running Windows Server 2012. Or, click Allow a program or feature through Windows Firewall if you are running Windows Server 2008 or Windows Server 2008 R2.
       3. Click Change settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
       4. Select Network discovery, and then click OK.
    3. Configure other firewalls in the network to allow Network Discovery.
    4. Turn on Network Discovery in Network and Sharing Center.

    Deleting directory with long names inside

    When you want to completely delete a directory and it has files with long names inside it, Robocopy does a VERY good job.  The type of folders in this case could be Favorites with URLs that are really long.  When this happens the folder/file path becomes too long for Windows to delete properly.

    Open Cmd.exe prompt as administrator.

    Type the following commands:

    1. mkdir "empty_dir"
    2. robocopy "empty_dir" "the_dir_to_delete" /s /mir
    3. rmdir "empty_dir"
    4. rmdir "the_dir_to_delete"



    Windows Server 20xx Essentials cannot connect to O365.

    I found this cheat to reset the connection between the Essentials Server Dashboard and O365.

    First check the log to find out why it’s failing.  Log file is found here:

    C:\ProgramData\Microsoft\Windows Server\Logs\SharedServiceHost-EmailProviderServiceConfig.log

    If log looks something like the below, then follow steps to fix:

    BecWebServiceAdapter: Connect to BECWS failed due to known exception : System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. —> System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused


    To fix:

    Open Regedit and navigate to the following key:

    HKEY_Local_Machine\Software\Microsoft\Windows Server\Productivity\O365Integration\Settings

    Delete the BecEndPointAddress key.

    Close Regedit and re-open the Essentials Dashboard.  Re-attempt to integrate with O365 and this time it should work.


    Resetting local Admin password for any Windows machine.

    It’s kinda crazy how easy it is to crack a user’s workstation without ever logging onto the machine.  It really means we should keep track of our local Admin passwords on our workstations and servers and after that lock down the BIOS so no one can re-arrange the boot order to be able to boot off a USB stick.  When I worked at Microsoft, we developed a secured workstation that severely locked down the BIOS such that only the hard drive could boot – the key here was putting a password in the BIOS to prevent unauthorized changes.

    However, there is at times a need to crack/reset the local Admin account password.  This happened to me this week when I took over a client from another colleague of mine but the passwords for the Admin accounts were lost and since the users were just users (not admins) they couldn’t install anything nor make any system changes.

    This procedure is out on the web too but thought I’d add my two cents.

    1.  Bootable USB stick – with Windows OS install or something else that will at least get you to a cmd prompt.
    2.  Access to BIOS to change boot order and allow USB to boot first prior to Operating System.

    Setup BIOS to boot from USB first:
    1.  Boot up computer/server and use whatever Function keys to access the Bios.
    2.  Change menu option till you select BOOT.  Then use keys to move USB boot to top of the line.
    3.  Save and reboot computer.

    Change SETHC application to open cmd.exe application:
    1.  Insert bootable USB tool into port in computer.
    2.  System should select USB to boot first – if it didn’t try again and if still not, recheck BIOS settings to ensure Boot order has right USB set at top.
    3.  When setup screen comes up from USB, hit Shift+F10 to open cmd.exe prompt.
    4.  Locate the Drive C: or whichever drive letter has the operating system on it.
    5.  Change directories to get to c:\windows\system32 directory.
    6.  Type: copy c:\windows\system32\sethc.exe c:\sethc.exe  * Note this makes a copy of executable file so you can copy it back after procedure is done.
    7. Type: Copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe – This copies cmd prompt exe on top of sethc.exe (sticky keys application).
    8. Reboot computer and remove USB from computer.

    Change Admin Password:
    1. At logon screen of computer, hit the Shift key a bunch of times, sometimes holding it down will do the same.   The result will be a cmd.exe prompt running under the system context which gives access to reset passwords and do a host of other things.
    2. To look for users type:  net user  – this will dump out list of users.
    3. To reset password for say Admin account type:  net user Admin password (substitute password for the real password).  Should get a result of completed successfully.
    4. Make sure the account you just reset password is active, to check type: net user Admin – it will show full status of account – look for attribute: Active  – if says No… then you need to activate/enable it in order to use it.
    5.  To make active: net user Admin /Active:yes;  Then check attributes again to ensure it’s active.
    6.  Now you can reboot back and access the machine using the admin account with password you just set,  but you also have to go back with the USB utility to change the exe of sethc.exe back to its original function.

    Reset System back to normal:
    1. Reboot computer with USB inserted.
    2. At setup screen, hit Shift+F10 to open cmd.exe prompt.
    3. Change directory to c:\windows\system32
    4. type: Copy c:\sethc.exe c:\windows\system32\sethc.exe  – This returns original sethc.exe to copy over cmd application named sethc.exe.
    5.  exit and reboot computer and go back into BIOS to change boot order again to where Drive is primary (or whatever you would like).
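A defender-side check for the swap described above, as an added example that is not from the original post: it reports whether sethc.exe is byte-identical to cmd.exe and whether a parked copy of sethc.exe sits at the root of the system drive, as the procedure leaves it. The function name Test-StickyKeysTamper and its parameters are hypothetical; point the two path parameters at a mounted offline image to check a disk without booting it.

```powershell
# Added example (not from the original post). Hypothetical function and
# parameter names. Run elevated, or against a mounted offline image.
function Test-StickyKeysTamper {
    [CmdletBinding()]
    param(
        [string]$WindowsDir  = $env:SystemRoot,   # e.g. C:\Windows or E:\Windows
        [string]$SystemDrive = $env:SystemDrive,  # e.g. C: or E:
        [string[]]$Binaries  = @('sethc.exe')     # the binary this post replaces
    )

    $sys32   = Join-Path $WindowsDir 'System32'
    $cmdPath = Join-Path $sys32 'cmd.exe'
    $cmdHash = (Get-FileHash -LiteralPath $cmdPath -Algorithm SHA256).Hash

    foreach ($name in $Binaries) {
        $path    = Join-Path $sys32 $name
        $inPlace = Test-Path -LiteralPath $path -PathType Leaf
        $hash    = $null
        if ($inPlace) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }

        # The procedure parks the original at the root of the system drive
        # (c:\sethc.exe) until it is copied back.
        $backup    = Join-Path ($SystemDrive + '\') $name
        $hasBackup = Test-Path -LiteralPath $backup -PathType Leaf

        [pscustomobject]@{
            Binary      = $path
            Present     = $inPlace
            SHA256      = $hash
            # Same hash as cmd.exe means the Shift-key shortcut at the logon
            # screen opens a SYSTEM command prompt.
            IsCopyOfCmd = [bool]($inPlace -and ($hash -eq $cmdHash))
            RootBackup  = if ($hasBackup) { $backup } else { $null }
        }
    }
}

$findings = Test-StickyKeysTamper
$findings | Format-List
if ($findings | Where-Object { $_.IsCopyOfCmd -or $_.RootBackup }) {
    Write-Warning 'sethc.exe matches cmd.exe, or a parked copy was left at the drive root. Assume local account passwords were reset by someone with physical access.'
}
```

A clean result after the fact does not prove the swap never happened, since the last section of the procedure restores the original file; the BIOS password and boot-order lock described at the top of this post remain the actual control.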



    Autotask Endpoint Mgmt splashtop remote tool fails to open from Agent Browser

    I’ve been using Autotask Endpoint Management to monitor and manage my clients’ systems. Today I had a problem where my laptop was actually a part of another Autotask account and the change over to my account was pretty gnarly!

    There should be a procedure for how to do such things but so far there isn’t.
    Steps to take:
    1. Remove account from instance of Autotask (one you’re leaving) delete the account and let it take its course in uninstalling on the client machine.
    2. Should the second part not work, go to appwiz.cpl (short for Programs and Features) old Win95 reference to Add/remove programs. From there remove the Centrastage application.
    3. Once all that is cleared up you should be able to install the new client agent from the new AEM Site.
    Here’s where things went amiss.

    I did all the above, not necessarily in the same order but got it done.
    However upon step #3, the agent (system tray) would not start. Took a while to figure out that my AV/Firewall was blocking the application from starting. Or another option is access to the c:\programdata\centrastage folder – but after checking Perms – they all seemed good and my account and System had Full Control.

    Found a tidbit to run C:\Program Files (x86)\CentraStage\Gui.exe from a command prompt to let it run through its paces to get the Centrastage Tray working. With FW turned off and after running this the tray application could start.

    However even with it running, I could not manage my client machines – the tool wouldn’t start the agent browser where you can then look at and open remote console tools…ugh
    So decided to uninstall again and rip out all other parts of Centrastage application:
    rmdir or just type: rd /S /Q "C:\Program Files (x86)\CentraStage"
    rd /S /Q "C:\Windows\System32\config\systemprofile\AppData\Local\CentraStage"
    rmdir /S /Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\CentraStage"
    for /d %%f in ("C:\Users\*") do rd /S /Q "%%f\AppData\Local\CentraStage"
    rmdir /S /Q "%ALLUSERSPROFILE%\CentraStage"
    reg delete "HKCR\cag" /f
    reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v CentraStage /f

    After, reinstalled everything and still not able to manage my client systems from the laptop.

    Next decided to remove all the above again, and then remove all instances of Splashtop remote agents.
    – Uninstalled Splashtop Streamer
    – Uninstalled Splashtop Business Tool
    Manually removed all splashtop folders found:
    rd /q /s "C:\Program Files (x86)\Splashtop"
    rd /q /s C:\programdata\splashtop
    rd /q /s "%userprofile%\appdata\local\splashtop"

    Searched Registry for Splashtop items and removed things there as well (too many to list).

    Did all that, and re-installed CentraStage application which in turn installed splashtop…
    From there I was able to run the Agent Browser to connect to a device but when connecting to said machine using the splashtop plugin, Received a prompt asking which application to use to open the ST-Centrastage application… uh What? The only choice it gave you was to search the Microsoft Store… again What? What did I do to cause this behavior.

    See picture:

    The prompt states: You’ll need a new app to open this st-centrastage
    with option to only look in the Store…

    After much searching for st-centrastage and other… I was stumped and filed a ticket with Autotask folks.

    Later in the day, decided to take a clean machine, join it to my AEM account and try to connect to a device using Splashtop. Before it could connect it prompted me stating it was missing the Splashtop Remote agent.. hmmm, said yes install it and then watched appwiz.cpl to see what application got installed – Sure enough MSP Remote Support by Splashtop was installed.
    Went back to laptop and found the application was there but it couldn’t be uninstalled because I previously deleted all the Splashtop folders. Doh!

    There are very few references on line for how to install this tool, there are plenty for uninstalling it but that doesn’t help when all the files are gone.

    Ended up searching the registry for “MSP Remote” – started to delete all instances here as well so the connection program would later prompt me to re-install like on clean system above. As I ran through and found all the instances and deleted them, I came across one that showed the installer msi file used to install the application: LocalPackage – C:\windows\installer\43aee708.msi (different for every machine). So on laptop, went to that directory and ran the install. Rebooted and whoo hoo! success!

    In a nutshell, to resolve transitioning from one AEM Instance to another
    – Remove everything
    – including the MSP application,
    – then go back and remove the directories like above.
    – then install the new AEM agent and attempt a remote connection (splashtop). If it fails with attached picture, search for the MSP Remote Support by Splashtop in registry to find the msi installer file to run and re-install this. Without it you’ll go crazy looking for the solution. :)

    Hope this helps.