Management
355 Topics

Server 2025 - Forced Upgrade
There have been reports in the IT press in the past week about Server 2022 being forcibly upgraded to 2025 without the user knowing or agreeing to it. However, these reports indicated that it only happened with third party updating services and was because Microsoft had misclassified the upgrade as a security update.

I manage a number of 2022 servers (mostly VMs plus a few physical installs). Most of these use WSUS for updating, but there is one physical server which has local accounts and isn't domain joined, and updates directly from the Windows Update service (no update management system is in use). I logged into this one to check something yesterday, and while I was in there checked that it wasn't showing Server 2025 as pending, which it wasn't. It also wasn't even showing it as optional. Logged into it again this morning, and it has forcibly upgraded itself to Server 2025. So it's now unlicensed, and I don't know whether the software on it will work properly on Server 2025 (the server was well down my list for an upgrade, so I've not even researched it yet).

There doesn't seem to be a roll back option. I could reinstall it, but there seems little point when it will probably just upgrade itself again. I have tried to replicate the unwanted upgrade behaviour using a test VM, and I can't - that stays on 2022, and doesn't offer 2025 as even an optional upgrade. And I've just received a response from the supplier of the main software installed on this server, saying that Server 2025 is not yet supported. Great. Anyone else experienced this?

2.2K Views, 2 likes, 2 Comments

Server 2019 reporting wrong build via PowerShell
Hi, I've had this issue both this month and also in September. Both times, after installing the patch Tuesday update, my management tool is providing the wrong build for Windows Server 2019 due to a very strange issue. When manually looking in the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" I see that the build (for November) is 6532. However, when I retrieve the exact same data using PowerShell, it reports back with build 6530? Does anyone know why these builds are different? Is this just a Microsoft issue? I've only ever had this issue these two specific months, never before...

26 Views, 0 likes, 0 Comments

Frequent Event Log errors related to GPO
We currently have 3 different versions of Server in our environment:
- 2016
- 2019
- 2022

All the 2016's and 2019's have multiple Application event log errors with the following: "Security policies were propagated with warning. 0x57 : The parameter is incorrect."

When I launch RSOP.MSC on the system with the error, I can see that there is a warning under “Computer Configuration”. Going into the properties it tells me that the Warning is within the Security Settings. Drilling down into Security Settings, I can see that the Password Policy has some issues.

The 2022's don't have this issue. All systems use the same "Default Domain Policy".

When I enable winlogon.log via the registry settings, I can see it's logging an error but it's not really giving me a clear indication what the actual problem is. Any advice how to proceed next would be greatly appreciated. Thanks!

225 Views, 0 likes, 1 Comment

Strange problem on windows 2022 server standard
Hi all, we have 2 administrators in our server 2022 with IIS. One of them is the default user administrator, which is used by me. The other one is my padawan's account. In this configuration we created some web sites under different domains. Every site is using a different NT user. Everything seems ok. But with this configuration, when I test the user settings of a site under basic settings, I got the error below, but the site is working.

The user name or password is incorrect. (Exception from HRESULT: 0x8007052E)

My padawan does the same .. now it says ok. Why is this happening in a 2 admin setting? We've another server with the exact same configuration but only with the default admin; everything works as it should. I tested the issue with another server ... everything was perfect until I created the second admin and started doing things with it. The same thing replicated with Windows 2019 too. While I'm getting these errors, websites are working flawlessly on all occasions. Anyone has an idea about what's going on... ???

222 Views, 0 likes, 1 Comment

Force a specific default lock screen and logon image
Dear, I currently have a DC deployed on Windows Server 2019. I want to configure a specific default image on lock screens on Windows 10 Pro clients via group policy. Is this possible or is it only compatible with Enterprise or Education editions? Thanks in advance,

159 Views, 0 likes, 2 Comments

BLOG: Windows Server Installation guidance / M365 Support on Windows Server
Windows Server 2025 will probably be released later this year. At least signs / stars seem to align. 🙂

Starting with this Windows Server release, Microsoft 365 Apps for Enterprise are supported within the mainstream support of the OS. That means 5 years peace of mind, after the release of the next Windows Server OS. For more information review the official matrix. Windows Server 2025 should be included after release. The latest Office Support Matrix can be obtained here

Windows Server 2025 will be released this year with loads of significant improvements over 2022 or earlier versions. Please check this announcement + comments, and find more here in the Windows Server 2025 AMA. Feel invited to join the Windows Server Summit and if you cannot attend, learn what's new watching the recorded sessions. This announcement and rich improvements will make any migration plans worthwhile, noted Windows Server 2016 is already in Extended Support. Will outline later why this isn't a good thing for most. Windows Server 2019 just entered Extended Support this month.

Obtaining and maintaining Software Assurance for Windows Server through Volume Licensing or CSP Subscription (SA equivalency) makes sense for you this year in several ways for the adoption of the new Windows Server 2025 release

- Significant cost reduction through Azure Hybrid Benefits, among others for all licensed cores under SA or SA equivalency. This is not a licensing advice post, rather presents you common examples. For details hold on to Product Terms, as conditions may change.
- free Windows Server Datacenter OS licenses (even if on-prem only Standard licensed) in Azure. For details hold on to Product Terms, conditions may change.
- free Azure Stack HCI usage for licensed cores
- free of charge access to the Windows Server Datacenter Azure Edition VM or ISO within Azure and when running on Azure Stack HCI, granting you exclusive features, but will also appear with Windows Server 2025.
- Hotpatching
- SMB over QUIC (fast and VPN-free access to on-prem authorized SMB shares / file server shares).
- per VM licensing on-premises on Azure Stack HCI and in Azure (currently with a minimum 8 cores per VM (vOSE))
- dynamic licensing with Windows Server 2025*

*SA or equivalent not required

Use Microsoft (server) products within mainstream support wherever possible, especially when production critical.

Some (German) software manufacturers also specify that the Windows Server OS must be in mainstream support in order for their software to be supported. Microsoft 365 joins this chorus now.

Caveat: Microsoft Exchange Server on-premises is currently only available in Extended Support (MS Exchange Server 2016 / 2019). So only the OS (WS 2022) can be kept in Mainstream support at the moment.

Reasons against operating products in Microsoft Extended Support:
- support comes at extra costs
- hard to obtain / not immediately available, especially in emergencies
- there is no guarantee of solution or workaround
- Microsoft sometimes removes or replaces documentation of products outside of mainstream support
- Extended Security Updates are costly (free on Azure Stack HCI on-prem / and when running in Azure)

Install Windows Server always in English language (en-us), if necessary use Language Packs (LP) / LIPs

Reasons and pain points from the field:
- Microsoft’s / own PowerShell scripts or modules may be language dependent, e.g. Windows Features, local security groups etc.
- mass evaluation in Server Manager or PowerShell is hindered, as Eventlogs, Roles & Features and Windows services descriptions are language dependent. For example this renders full text search in Server Manager unhelpful.
- some roles are language dependent and therefore cannot be (easily) migrated (e.g. DHCP, AD CS)
- Documentation and error messages are easier to find and understand in English (crude translation) + operational bonus for Microsoft CoPilot in Edge, possibly replacing Dr. Google (Mechanical Doctor) when searching for solutions 🙂
- way easier collaboration with Microsoft Support
- proven fewer problems with Windows Admin Center
- GPO Search Engine only exists in English. The translation of GPOs is very arbitrary.
- Direct in-place upgrade to Windows Server Azure Edition possible, when switching to Azure Stack HCI
- Windows Server 2022 and 2025 support dynamic user based language packs (LIPs). Internet connection is required for download and updates.
- Bonus: You can leverage group policy to assign OS language, keyboard and regional settings based on user, or AD group membership.

Choose / prefer to install Windows Server as Core option where possible

This will enhance your "need" to adopt RBAC and Remote Management without RDP.

Possible use cases: Domain Controller, Exchange, SQL (GUI Setup exists), FileServer etc.

Remote Management via Privileged Admin Workstation (PAWS 🐾) / Windows Server VM (RDSH) + Tools
- Windows Admin Center
- Server Manager
- DSAC and other RSAT tools
- sconfig

Install Windows Server only as UEFI / GPT

- Windows Server 2022 and 2025 support VBS and Secured Core settings. GPT / UEFI is a prerequisite for this.
- Windows Server 2022 / 2025 can use vTPM for Bitlocker and other things like Windows 11. GPT / UEFI is a prerequisite for this.
- easier migration paths VMware <> Hyper-V / Azure Stack HCI. These VMs are deployed as Gen 2 Hyper-V. Gen 1 VMs or VMware BIOS VMs are no longer preferred, see above.

Keep the WinRE partition behind the OS partition

- easier maintenance of the OS in an emergency
- Uninstall of defective Windows Updates before the boot process (starting with Windows 2022)
- Re-Partitioning / Resizing using 3rd party tools possible via VHD(X) / VMDK mounting in another VM if required.

You can find more information on WinRE and WinRE patching considerations in this guidance.
As you've made it to the end of this lengthy and hopefully helpful post, here's your bonus material / extended edition: Windows Server Upgrade guidance. Thanks for reading and adopting changes to your environment and strategy!

2.2K Views, 2 likes, 1 Comment

BLOG: Guidance for Windows Recovery partition (WinRE) patching and why you would need it
This is an extended blog, which continues in comments. Pardon the inconvenience.

Windows Client and Server should have this WinRE Partition. You want to enlarge the C (OS Partition) in a VM and the WinRE partition is in the way. The most common advice is to delete the WinRE partition. And this is bad advice imho.

The WinRE partition enables you to access different options including uninstalling Updates *pre-boot* that prevent a system startup. This doesn't happen very often but it can happen. This feature has been added to WinRE starting with Windows Server 2022, and Windows 10 22H2 / Windows 11 22H2, or newer. It is quite unknown, though. You can do more like direct UEFI access, and troubleshooting GPT / UEFI required and recommended anyway for both Windows Server and Client.

Proper location and number of WinRE partitions on a physical disk

1. WinRE should be located to the right hand side of the C partition

If you find that your WinRE is located left of the OS boot drive (C), it has been installed by a bugged release (old ISO). I am sure it was Windows Server 2019 when we noticed that. Aka Windows 10 1809. See below why the certainty. When installing Windows or especially Windows Server always use the latest ISO for fixes like this or for in-place upgrades. There is no such updated ISO for Windows Server 2016, very unfortunately. They started patching them on a monthly basis with Windows Server 2019. You can access your latest ISOs either via my.visualstudio.com (Dev / Test use only), or admin.microsoft.com for VLSC or CSP production use.

2. There could be more than two WinRE partitions to the right hand side of the C partition

This often happened when the existing one could not be enlarged during in-place upgrade. Maybe also a bug. Haven't seen this for a long time. It was common before Windows 10 1809. It is common though if you are using more than one Windows Installation on one physical disk.
This is known as side-by-side installation or more commonly "Windows OS multi-boot". Each OS will create and maintain its own WinRE Partition (by design). Multi-boot is common for people that use designated Windows Installation for specific use cases, like Windows Insiders to test different Insider branches on one physical machine and disk. More information can be found in the comment below.

Patching Windows RE is important

There is a 2024 CVE that needs to be addressed. Please find more information in the comments below on the "How-to" of patching the WinRE CVE and remediating the 01-2024 LCU failing. More information on how to actually fix this can be found in this comment below

Relocate WinRE partition

A WinRE Partition left of C (OS Partition) makes no sense as Windows still may not move partitions to the right or left (while technically possible). Windows can only shrink Partitions. As such I don't get how one can at all shrink C (to the right only). Mind that if you change / delete WinRE partitions you need to inform Windows about it via reagentc.exe

These are tools you have at hand:
- Windows Diskpart
- Settings App > Storage Settings > Advanced Storage Settings > Disks and Volumes: Windows 10 22H2 / Windows 11 22H2 / Windows Server 2022 or newer.
- diskmgr.mmc: all legacy OS, Windows Key + X > Disk Management
- Trusted 3rd party tool for Home Use (Windows 10 / 11) or paid for Windows Server use: Minitools Partition Wizard (Free). Formerly recommended Minitools Partition Wizard but they now have a paywall. If you are ok I would still recommend it. These can do everything! Acronis Partition Wizard isn't nice, too old code and slow. Not optimized for SSD / NVMe. Both recommendable tools are available through winget.

Bonus: Use Partitioning tools for Windows Server / Expanding WinRE / Resize OS Drive

- Create a PAWS VM Client or Server on Azure Stack HCI, Azure, Hyper-V, VMware etc.
- Buy the Tool (acquire a license, required for Windows Server)
- Install the license on the PAWS
- Shutdown affected VM
- Attach affected virtual disk to the PAWS VM, do the resize job
- Attach modified disks back to the original VM

Pro: easy and licensing costs savvy
Cons: Downtime and manual task

Hope this is helpful to you. Appreciate your likes, spreading the word.

16K Views, 2 likes, 5 Comments

Why can't I run Enable-ClusterS2D more than once per windows installation?
I have been trying to set up this bloody cluster storage spaces direct configuration for over a month and have re-installed everything on the server more than a dozen times. Every time I get to running the command for the first time, it makes some configuration that is not what I want and there is absolutely no way that I can undo the changes or fix them in any way, shape, or form except by completely wiping the server and reinstalling the entire operating system.

I have tried to run Disable-ClusterS2D and then re-run the Enable-ClusterS2D and it will hang on "Waiting until all physical disks are reported by clustered storage subsystem". I try to completely detach the entire pool and wipe it manually and reclaim the disks and recreate the pool, and guess what, "Waiting until all physical disks are reported by clustered storage subsystem". I wipe the entire cluster configuration and recreate the cluster from scratch. Did that work? Of course not, "Waiting until all physical disks are reported by clustered storage subsystem".

This has happened on both Windows Server 2022 and 2025, Datacenter editions. Why can I not run the command more than once per operating system??? If I need to replace a disk, am I just supposed to wipe the whole operating system??? Isn't this **bleep** thing supposed to be enterprise grade and just work???

695 Views, 0 likes, 0 Comments

Active directory security remediation items - seeking advise
Hi Active Directory Brain Trust,

We're aiming to implement the following security restrictions as part of an AD security remediation. If anyone has implemented or consulted on these in the past, could I please seek your advice on how to implement these (which objects to target to begin with, what implications they may introduce for operations, how to phase out the implementation etc.). Some useful info to read plus your advice is highly appreciated!!

- Deny Log On Through Remote Desktop Services
- Deny Log On Locally
- Deny log on as a service
- Deny access to this computer from the network

359 Views, 0 likes, 1 Comment

BLOG: Volume Licensing Center is silently gone - welcome admin.cloud.microsoft
Trivia

After an unexpected extended time of transition, severely delayed by COVID-19, the old VLSC portal is gone and replaced by admin.cloud.microsoft for most of all Volume Licensing customers. I've noticed this final change today, when I was looking to edit permissions on licensing contracts for a customer.

*.cloud.microsoft is the new domain for portals formerly on microsoft.com. Find more unofficial guidance here: https://msportals.io/
Credits: Adam Fowler and community, for this amazing Portals overview

Where to find VLSC now?

The old webpage is still around and some few customer types are not moved yet. It also gives you brief pointers where you are heading to.

[Image: View on VLSC webpage - no longer giving you access to a Vista like User Experience]

The new and vastly improved experience of VLSC is to be found in: admin.cloud.microsoft > Billing > Your Products

[Image: example in admin.cloud.microsoft for permissions on contracts]

Understanding "products" and "licenses". Aren't they the same?!

These products include access to the following licensing programs: MPSA, EA, Open Value, Open, Open Value subscription, commonly known as "VL" or Volume Licensing.

While there is also Licenses: admin.cloud.microsoft > Billing > Licenses

The Licenses, in contrary to products, contains all MCA licenses. This program is called Microsoft Customer Agreement or more commonly known as CSP. These can be subscription licenses or CSP based perpetual licenses. Mind this, in case you have or will be buying such.

I cannot see any licenses there, while I used VLSC in the past - and a small rant

You will see your licenses in admin.cloud.microsoft, granted you did the VLSC to Azure Portal transition in time, around 2022 through late 2023 and have obtained your permissions correctly.
Very often, this included a process to transfer permissions from personal accounts, so called "Microsoft Accounts" (MSA), which are the ones you are using to login into home services, including Windows 11, Office 365 for Home, OneDrive, Skype, Xbox, to a Microsoft Business or School account (MBA), which is Entra AD and Azure powered.

To make things worse, Microsoft initially allowed creation of a MSA with your business email back then in VLSC. Later, if your business went on with M365, Exchange Online, good luck to distinguish both having the "visually same UPN", while no longer being technically the same account. Many customers failed to realize they were using a home MSA for a business use case (here licenses), eventually when they changed their passwords for one of each.

If you have not made this transition (properly), you need to call the Microsoft VLSC support for assistance. To make this super clear: I will NOT grant support in this thread. This is purely a community contribution and informational.

What I can share is that this transition was not simple and consumed hours of my lifetime with customers. Some of them had one or even more so called "shadow tenants" in Azure. No fun to eliminate them and permissions in VLSC. But if you eventually mastered this maze, fueled with unclear documentation back then, you are good to go. Remember: Only Microsoft Business or School accounts are allowed.

Does every customer with former volume licensing now have an Entra AD / Azure tenant? - A friendly security advice!

A clear yes! The new portal works only with Business or School accounts. These are powered by Entra AD, which includes an Azure Tenant, no matter you are using Azure or even M365 services or not.

Security considerations with the VLSC move

Clearly this does not mean you have to own an Azure Subscription, but the framework is the same and requires and deserves to be well protected! (MFA enforcement incoming!)
In worst case the main user of former VLSC Business or School account used for VLSC is now a Global Administrator of your tenant or still a shadow tenant. Every shadow tenant takeover will inherit the first user as a Global Administrator. With all its consequences for security.

What's improved with the new portal experience? Any downsides?

Pros:
- it is fast, fast, and fast
- we got rid of a clunky UX in a vista theme, that did not match with any design language and UX of Microsoft at all. It was always like a time travel, including the performance
- you can search for items / contracts / licenses full text
- ISO downloads are no longer clunky and slow
- Easy access to licensing keys
- it is so much easier to handle Software Assurance and expiration
- you can easily export license information and dependency reports. Dependency reports are useful if you know you have a product or a contract but not where they fit together.
- setting up permissions does not eventually take up to 24 hours or days to be effective
- permission editor has multiple steps, so mind the warnings like "not completed" but then it is also super easy and way smarter. You can add permissions independently from contracts and bulk actions are a breeze
- Microsoft teams must be happy to have nearly eliminated one of their legacy systems without compromising the whole "on-premises" licensing. And from all talks with Licensing support, it was highly anticipated, too.

Cons:
- Requires more thinking about security now that it is interwoven with Entra ID identities
- MFA is required for good
- communication for this transition and finish was everything but good and transparent. Also communication in VLSC portal was not sufficient, as users / admins don't hang around there often. Unfortunately ppl once DL an ISO for a Windows Server version and then do not open this for next 5-10 years, instead of grabbing a patched ISO every time they need it (this is highly recommended).

Feedback time

The new experience and permission editor is a breeze!
Hats off to the Microsoft teams working on this. It must be nothing but stressful to migrate these legacy bits of code into something useful.

As per customer reports, most of this change went unnoticed. While there was communication via email for the beginning of transition and "to do" to setup "marry" VLSC with a business account, nothing less than Entra and Azure, this change of the end of service was not communicated. Later found it was quite well known in the licensing community (SAM), but didn't catch much attention at customers or IT pros outside this bubble.

FAQs provided by Microsoft Volume Licensing Team
https://learn.microsoft.com/en-us/licensing/vlsc-faqs-home-page
https://learn.microsoft.com/en-us/licensing/work-school-accounts-migration-faq

Appreciate your like if you found this guidance helpful.

1.7K Views, 1 like, 2 Comments