Recent Discussions
Turning Off Tamper Protection on Workstations
How do I turn off Tamper Protection on a domain-joined Windows 11 workstation? The problem is a workstation has Windows Defender in Passive Mode instead of being in Not Running mode after installing a 3rd party antivirus. Windows Defender is making running network applications from the servers much slower because it's still real-time scanning. I also suspect Tamper Protection is also preventing network drive exclusions from working on this workstation and on the ones that use Windows Defender without a 3rd party antivirus. I've tried adding every registry entry, Group Policy, and PowerShell command on the local workstation I could find to disable Windows Defender, but nothing works. I'm assuming this is due to Tamper Protection ignoring everything? This is an on-premises domain and doesn't use Microsoft Intune or Microsoft Endpoint Configuration Manager.
AOVPN / Reasoncode 16
We have an always on vpn configuration. This worked fine till few months ago, users can't get connected anymore. After reboot of NPS server, all works fine for some time (random, sometimes 1 day, 2 days, 1 week), till the users can't get connected again. Reboot of nps server solves it. When users can't connect, I see an event on NPS server with reason code 16 Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information. User: Security ID: xxx Account Name:xxx Account Domain: xxx Fully Qualified Account Name: xx Client Machine: Security ID: NULL SID Account Name: - Fully Qualified Account Name: - Called Station Identifier: x.x.x.x Calling Station Identifier: x.x.x.x NAS: NAS IPv4 Address: x.x.x.x NAS IPv6 Address: - NAS Identifier: server-VPN01 NAS Port-Type: Virtual NAS Port: 14 RADIUS Client: Client Friendly Name: server-VPN01 Client IP Address: x.x.x.x Authentication Details: Connection Request Policy Name: Virtual Private Network (VPN) Connections Network Policy Name: Virtual Private Network (VPN) Connections Authentication Provider: Windows Authentication Server: server-NPS01 Authentication Type: PEAP EAP Type: Microsoft: Smart Card or other certificate (EAP-TLS) Account Session Identifier: 33373834 Logging Results: Accounting information was written to the local log file. Reason Code: 16 Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect. As said, reboot of nps solves issues temporary. Already installed new nps server but same issue. Any suggestions where to check ?
Cache drive reconfiguration in Server 2025 Storage Spaces Direct cluster
We have a three node S2D cluster running Server 2025, with the storage in a 3 way mirror, running Hyper-V VMs. Each node has 4 x NVMe drives that are currently being used as cache drives, but which are connected to a RAID controller (in HBA mode), so in the S2D configuration they appear as SSD drives rather than NVMe drives. We've purchased the required cables and drive bays to be able to reconfigure the NVMe drives so that they're attached directly to the PCIe bus, so they'll show up as NVMe drives and hopefully give us a performance boost, so I'm just trying to plan the reconfiguration. I was hoping it would be a relatively simple process of shutting everything down, reconfiguring the storage and bringing everything back online, but ChatGPT suggests things won't be that easy and that a complete reconfiguration of the storage would be required. So in a nutshell, can the cache drives be reconfigured without a complete rebuild of the S2D storage ? Cheers, Rob
Unable to use a certificate from my Windows CA
I am trying to use my own certificate signed by my CA, instead of the self-signed SSL certificate it offers by default. In fact, with the self-signed SSL certificate, WAC runs on HTTPS: However, when I switch to the certificate I have generated in my CA: When I try to access the link, it returns me: So if I switch back to self-signed SSL certificate: The WAC console is working properly again: What I doing wrong when I generate that certificate?
Unable installing extensions from a different feed
I added a new feed from a path, and WAC is telling me it can't read the feed or update the corresponding catalog. I followed the instructions in this link: "https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/using-extensions#installing-extensions-from-a-different-feed". In fact, since my network isn't connected to the internet, I also followed the instructions in this other link: "https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/using-extensions#installing-extensions-on-a-computer-without-internet-connectivity". Regarding adding a file share as a source, it must meet the criteria outlined in this link: "https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/using-extensions#installing-extensions-from-a-different-feed". However, I'm getting these error messages and therefore don't have any extensions available to add:
SystemSettings. exe on Windows server 2025 crashes after installing Xbox game
I installed the Microsoft App Store on Windows Server and installed Minecraft. However, entering the system>display>graphics tab in the settings will cause the settings to crash.I tested both Bedrock and Java and found this issue. I think any Xbox game in the Microsoft Store should be able to reproduce this issue. + System - Provider [ Name] Application Error [ Guid] {a0e9b465-b939-57d7-b27d-95d8e925ff57} EventID 1000 Version 0 Level 2 Task 100 Opcode 0 Keywords 0x8000000000000000 - TimeCreated [ SystemTime] 2025-12-04T08:55:23.2042032Z EventRecordID 27146 Correlation - Execution [ ProcessID] 10988 [ ThreadID] 20000 Channel Application Computer WIN-JSD290TH0EL - Security [ UserID] S-1-5-21-868965638-952098041-1598110278-1002 - EventData AppName SystemSettings.exe AppVersion 10.0.26100.7019 AppTimeStamp f88449de ModuleName Windows.Gaming.Preview.dll ModuleVersion 10.0.26100.7019 ModuleTimeStamp 8e7f4dfa ExceptionCode c0000005 FaultingOffset 000000000003aadd ProcessId 0x1230 ProcessCreationTime 0x1dc64fbb631455a AppPath C:\Windows\ImmersiveControlPanel\SystemSettings.exe ModulePath C:\Windows\System32\Windows.Gaming.Preview.dll IntegratorReportId f2340132-82be-40d6-9c76-ec8fcbb9d19e PackageFullName windows.immersivecontrolpanel_10.0.8.1000_neutral_neutral_cw5n1h2txyewy PackageRelativeAppId microsoft.windows.immersivecontrolpanelWindows 11 automatically restarting after install security Update — With GPO and WSUS.
Hi everyone, I’m facing a strange behavior with Windows 11 devices that receive updates through WSUS and are fully managed via Group Policy. Here’s the scenario: We have a GPO configured as follows: -Configure Automatic Updates → 4 (Auto download and schedule the install) -Scheduled installation every day at 10:00 -Install during automatic maintenance → disabled -Active Hours configured -Turn off auto-restart for updates during active hours → Enabled -Update deadlines set to 0 (to avoid any forced restart) -No other restart-related policies set in the domain Even with this configuration, after updates are installed, Windows 11 shows the following message: “Your organization manages update settings. We will restart and install this update at X minutes.” And then the device automatically restarts, even when: -a user is logged in -it is outside Active Hours -deadlines are disabled -no-auto-restart is enabled This behavior does not happen on Windows 10 — only on Windows 11.
Windows Admin Center Preview - 2511 English [MSI Corrupt]
When attempting to launch the WindowsAdminCenterPreview_2511.msi, I received an error message (See Below). In addition, when I test the MSI using 7zip, the archive fails to validate. This occurred downloading the installer package twice over a two-day period. My system info is below.Allow VMs attached to internal switch on hyper-V win2k19 access Internet
Hi, I have 4 VMs attached to an internal switch with IPs 10.10.0.*, assigned 10.10.0.1 to the switch. One of the NICs on the host has the 192.168.1.70 which I shared its connection with the internal switch but I am not able to browse internet from the VMs. What can be missing? ThanksWINGET is not recognized as a commandlet on win 2k19 server fresh setup
I have setup a new win2k19, I followed the instructions Install-PackageProvider -Name NuGet -Force | Out-Null Install-Module -Name Microsoft.WinGet.Client -Force -Repository PSGallery | Out-Null Repair-WinGetPackageManager When I try anu winget command I get winget is not recognized as a commandletAllow Hyper-V VM attached to Internal Switch access internet and host folders
I have Created an internal switch and attached it to 4 VMs (for a lab setup) on a win2k19 hyper-V host. The hyper-V is in the my local home subnet 192.168.0.1. The 4 VMs are configured with following IPs and gateway. VM1 10.10.0.10 -DefaultGateway 10.10.0.1 VM2 10.10.0.11 -DefaultGateway 10.10.0.1 VM3 10.10.0.12 -DefaultGateway 10.10.0.1 VM4 10.10.0.13 -DefaultGateway 10.10.0.1 In the lab document, it is not indicated how/where to assign the 10.10.0..1 IP? When I check the vEthernet (Private Network), It has "DHCP" for IP and got my local DNS IP. Checking its status, I see DHCP Enabled: Yes Autoconfiguration IPv4 Address: 169.254.32.39 IPv4 Subnet Mask: 255.255.0.0 IPv4 Default Gateway: Not sure where this 169.254.... IP comes from? I tried assigning the IP 10.10.0.1 to this but it fails. In fact I need to allow VMs to access some host folders as well as internet to download some Microsoft tools. Thanks for your help
Securing ldap in WIndows AD
Hello everyone. I would like to secure the use of LDAP within an Active Directory domain. My domain has three Windows 2022 DCs. Searching online, I found these suggestions: Enforce LDAPS (LDAP over SSL/TLS) Disable Plain-text LDAP Bindings Block or Restrict Port 389 (Optional but Recommended) Enable Channel Binding Tokens (CBT) Does it make sense to only allow certain users to browse LDAP? Could limiting LDAP browsing to certain users cause problems? ThanksBreaking Certutil changes in WS2025
I noticed yesterday that a certutil command I thought I could always rely on no longer works in Server 2025: >certutil -cainfo xchg CertUtil: -CAInfo command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER) CertUtil: The parameter is incorrect. Executing certutil -cainfo xchg was a handy command which would ask the local certificate authority to output it's current CA Exchange certificate in Base64 format. If the CA didn't have a valid exchange cert at the time, it would immediately create a new one. Think of a CA Exchange certificate as a short-lived TLS cert which the CA provides clients when they need to upload private key material for archival. Anyway, looking at the help for certutil, the command still exists, however, it requires a new parameter: xchg [Index] -- CA exchange cert So, I figured [Index] had to refer to the CA certificate index. When you initially deploy an ADCS certification authority, the CA's initial certificate is at index 0. When you renew/re-key the CA, the new CA cert is at index 1. I tried using 0 for the [Index] parameter. No dice: >certutil -cainfo xchg 0 CertUtil: -CAInfo command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER) CertUtil: The parameter is incorrect. I can't think of what else that parameter would be. Has anyone been able to successfully used this command on WS2025? If so, please share how!
Question About MAK Windows Activation
Hello everyone. The question is the following. We have a customer with a subscription for Windows Server 2025 Standard - 8 Core License Pack 1 Year quantity 3 (from partner portal). From the servers that the key have been assign i see that the key is on MAK channel. The question is, if i remove the key with dism i will get back a activation? I mean at this time we have 0 activation remaining, if i remove the key the remaining activation number will increase to 1 from 0? I cant found a solid answer on the web so please help. Thanks. Best Regards SGVolume Activation role questions
We have a DC, running Server 2016 to decommission (call it old server). One of the roles it had was Volume Activation (VA). This is Active Directory based and the keys AD holds are both for clients (Win11) and servers (2016/19/22/25). I have removed the VA role from the server and tested with a server which I added to the domain and the OS activated successfully, so it looks like it is working. I noticed the _vlmcs SRV DNS record was not deleted and is still pointing to the old server. Since the old server is no longer having the VA role, is it safe to delete the DNS record for the _vlmcs SRV record? What else do I need to take into account? Thanks in advanceLAPS: Meaning of Setting - Short words with unique prefixes
The update to LAPS for Windows 11 24H2 and Windows Server 2025 introduced new configuration options including the ability to use passphrases rather than passwords. Operationally this is add some benefits. However, the official documentation - https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts-passwords-passphrases#passphrase-word-lists doesn't provide a very good explanation for the setting "Short words with unique prefixes" The examples in the documentation and observations from implementation do not align with the short description. For example, from implementation: IodineIslandNectarRagweedCivilianZillion The word phrases are not exactly short; 6+6+6+7+8+7 = 40 characters, and nor is their a unique prefix. Does anyone have a better explanation as to the meaning of passwordcomplexity setting 8 in LAPS (post 24H2)? Cheers Paul P.S. the LAPS password above is no longer valid as it has been rotated.
Recent Blogs
- 5 MIN READWe’re thrilled to announce the arrival of Native NVMe support in Windows Server 2025—a leap forward in storage innovation that will redefine what’s possible for your most demanding workloads. Modern ...Dec 15, 2025
- Great news for IT pros managing the next generation of Windows devices! Windows Admin Center now supports Arm-based Copilot+ PCs, bringing the powerful, browser-based management experience you rely o...Dec 12, 2025
