WSUS console fails to launch after Windows updates / Event ID 7053 / The WSUS administration console has encountered an unexpected error. This may be a transient error, try restarting the administration console.

I recently encountered an error on a WSUS server running on OS 2012 R2. KB3159706 was the culprit. There is some manual configuration after installing this update.

Go to c:\program files\update services\tools\ and run wsusutil.exe postinstall /servicing. Wait for a few minutes.

Restart wsus service

Remove wsus from %appdata%\microsoft\mmc

The wsus console should now be working.

This solved the issue for me. Hope this helps someone. 

Installing & Configuring URLScan on windows servers

Download and install URLScan. Installation is straightforward. You do not need to consult any document.

The two main files that we need for configuring URLScan (Urlscan.dll and Urlscan.ini) are by default located in the folder C:\Windows\System32\Inetsrv\urlscan\

By default after installation, URLScan is configured as a global filter, i.e. at the top level in IIS, so the filter is applied to all sites created in IIS.

The other way is to apply URLScan 3.1 filter on individual site level. In that way you can configure urlscan filter for individual sites. 

For example you have 2 sites, site1 and site2 under IIS.

Open IIS and on the right hand side, open feature “ISAPI Filters”. You will see URLScan 3.1. Remove the filter.

Copy URLScan.ini and URLScan.dll from c:\windows\system32\inetsrv\urlscan\

Now right click site1 and select “browse” and paste URLScan.ini and URLScan.dll. Edit URLScan.ini according to your hardening requirements.
Now open ISAPI Filters for site1 and add the URLScan filter. Name: URLScan and path: path-to-site1, and move it to the top of the list. You can select the ordered list view and use the up arrow to move URLScan to the top of the list.

Restart IIS. 

Similarly you can do it for site2.

You can edit URLScan.ini to point to a log directory, so that any failed URLs will be registered.

Advanced audit policy in windows using auditpol.exe

It's preferred to set the advanced audit policy through the command prompt/PowerShell rather than the GUI. It has to be noted that even after you apply the settings through the command line, the GUI might not reflect them. But that is not an issue. That's as far as I know.

Open gpedit.msc/secpol.msc 

  • Computer configuration-security settings-security options
  • Set the policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to “Enabled”.

To get full information of advanced audit policy on a server, use the command

  • Auditpol.exe /get /category:*

In that you can see categories and sub categories listed with the status success/failure/not configured.

A few examples below:

  • Auditpol.exe /set /subcategory:"credential validation" /success:enable /failure:enable

The below command will enable only success

  • Auditpol.exe /set /subcategory:"credential validation" /success:enable

The below command will set credential validation to “no auditing”

  • Auditpol.exe /set /subcategory:"credential validation" /success:disable /failure:disable

You can group all of them and save them as a PowerShell script or a batch file and run it on the required machines.
Please refer to the microsoft link for detailed info : https://technet.microsoft.com/en-us/library//dd408940(v=ws.10).aspx
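
One way to group the commands into a script and confirm the result from the command line rather than the GUI. This is an added example, not part of the original post; the baseline list is constructed for illustration and the subcategory names assume an English-language OS.

```powershell
# Constructed baseline for illustration; replace with your own hardening standard.
# Names must match the subcategories printed by "auditpol /get /category:*".
$baseline = @(
    @{ Name = 'Credential Validation';     Success = 'enable'; Failure = 'enable'  },
    @{ Name = 'Logon';                     Success = 'enable'; Failure = 'enable'  },
    @{ Name = 'User Account Management';   Success = 'enable'; Failure = 'enable'  },
    @{ Name = 'Security Group Management'; Success = 'enable'; Failure = 'disable' }
)

# Map a success/failure pair to the text auditpol reports as "Inclusion Setting".
function Get-ExpectedSetting($Success, $Failure) {
    if ($Success -eq 'enable' -and $Failure -eq 'enable') { return 'Success and Failure' }
    if ($Success -eq 'enable') { return 'Success' }
    if ($Failure -eq 'enable') { return 'Failure' }
    return 'No Auditing'
}

# The "Force audit policy subcategory settings" option is stored in this value.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Subcategory override is not set to 1; category-level policy may overwrite these settings.'
}

# Apply each entry; auditpol needs an elevated session.
foreach ($item in $baseline) {
    & auditpol.exe /set "/subcategory:$($item.Name)" "/success:$($item.Success)" "/failure:$($item.Failure)" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$($item.Name)' (exit $LASTEXITCODE)" }
}

# Read back the effective policy as CSV (/r) and compare it with the baseline.
$report = & auditpol.exe /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
$results = foreach ($item in $baseline) {
    $row      = $report | Where-Object { $_.Subcategory -eq $item.Name }
    $expected = Get-ExpectedSetting $item.Success $item.Failure
    [pscustomobject]@{
        Subcategory = $item.Name
        Expected    = $expected
        Actual      = $row.'Inclusion Setting'
        Match       = ($row.'Inclusion Setting' -eq $expected)
    }
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Match }) { Write-Warning 'One or more subcategories differ from the baseline.' }
```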

Windows Server update services – Troubleshooting

  1. Telnet wsus server on port 80 (default) or other as per your environment.
  2. Check windows update log in the location c:\windows\windowsupdate.log
  3. Check if the group policy is correct: gpedit.msc – Local Computer Policy – Computer Configuration – Administrative Templates – Windows Components – Windows Update – a) check “Specify intranet Microsoft update service location”: it should point to your WSUS server and the port number should be correct; b) check if “client-side targeting” is enabled (if enabled, the computer will appear under the group name mentioned in the WSUS server; if not enabled, ignore).
  4. Check the proxy settings.
  5. Check firewall.
  6. Delete the software distribution folder from the location c:\Windows\SoftwareDistribution and run the command wuauclt.exe /detectnow.
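
Steps 1 and 3 can be checked together from PowerShell on the client. The script below is an added example, not part of the original post; it only reads the Windows Update policy values from the registry and tests the TCP port that the configured server URL points to.

```powershell
# Read-only check of the WSUS client policy and server reachability.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

if (-not $wu.WUServer) {
    Write-Warning 'No intranet update service location is set by policy on this machine.'
    return
}

# Step 3: show what group policy actually wrote to the registry.
[pscustomobject]@{
    WUServer           = $wu.WUServer
    WUStatusServer     = $wu.WUStatusServer
    UseWUServer        = $au.UseWUServer          # 1 = client uses the intranet server
    TargetGroupEnabled = $wu.TargetGroupEnabled   # 1 = client-side targeting is on
    TargetGroup        = $wu.TargetGroup
} | Format-List

# Step 1: the port comes from the policy URL (80 when the URL has no explicit port).
$uri    = [Uri]$wu.WUServer
$client = New-Object System.Net.Sockets.TcpClient
try {
    $async     = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
    $reachable = $async.AsyncWaitHandle.WaitOne(5000) -and $client.Connected
} catch {
    $reachable = $false
} finally {
    $client.Close()
}

if ($reachable) {
    Write-Output "TCP connection to $($uri.Host):$($uri.Port) succeeded."
} else {
    Write-Warning "Cannot reach $($uri.Host):$($uri.Port). Check proxy and firewall (steps 4 and 5)."
}
```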

Move local users from Windows Server 2003 to windows server 2008R2/Windows Server 2012R2

Unfortunately to move local user accounts from windows server, we cannot use USMT.

AIM: 

To move local user accounts and the groups associated with each user account.
Source : Windows server 2003 sp2
Destination : Windows Server 2012 R2

HOW TO:

In the 2012 server, install the feature “Windows Server Migration Tools”
browse to c:\windows\system32\servermigrationtools\
Execute the below command
.\smigdeploy.exe /package /architecture x86 /os WS03 /path c:\deploy

Now copy the c:\deploy to 2003 server

In the 2003server, open command prompt, browse to c:\smt_ws03_x86 and execute the below command
smigdeploy.exe
Wait till it opens a powershell window.

In the powershell window, run the below command
export-smigserversetting -user all -group -path c:\win2k3users

Copy c:\win2k3users folder to 2012 server.

In 2012 Server
Open server manager – Tools – Windows Server Migration Tools – Windows Server Migration Tools – This will open a powershell window

Run the below command
Import-SmigServerSetting -User All -Group -Path c:\win2k3users -Verbose

Now all users are imported.
After import, all user accounts will be disabled. All the migrated user accounts will have no password associated. You can log in without any password. Remember to enable password for all required accounts.
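
To see exactly which accounts the import created and what state they are in before enabling any of them, the following added example (not part of the original post) snapshots the local accounts on the destination server before the import and reports the new ones afterwards. It uses WMI, which is available on Windows Server 2012 R2 without extra modules; `$SnapshotPath` is a hypothetical location chosen for this example.

```powershell
# Run once BEFORE Import-SmigServerSetting (writes the snapshot),
# then again AFTER the import (reports the accounts that were added).
$SnapshotPath = 'C:\Temp\pre-import-accounts.csv'   # hypothetical path

function Get-LocalAccountState {
    # Local accounts only, with the flags that matter after a migration.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object Name, SID, Disabled, PasswordRequired, PasswordExpires
}

if (-not (Test-Path $SnapshotPath)) {
    New-Item -ItemType Directory -Path (Split-Path $SnapshotPath) -Force | Out-Null
    Get-LocalAccountState | Export-Csv -Path $SnapshotPath -NoTypeInformation
    Write-Output "Snapshot written to $SnapshotPath. Run the import, then run this script again."
    return
}

# Accounts whose SID was not present before the import are the migrated ones.
$knownSids = (Import-Csv $SnapshotPath).SID
$imported  = Get-LocalAccountState | Where-Object { $knownSids -notcontains $_.SID }

$imported | Sort-Object Name |
    Format-Table Name, Disabled, PasswordRequired, PasswordExpires -AutoSize

# Flag anything already enabled that does not require a password.
$exposed = $imported | Where-Object { -not $_.Disabled -and -not $_.PasswordRequired }
if ($exposed) {
    Write-Warning ("Enabled accounts without a required password: " + (($exposed | ForEach-Object { $_.Name }) -join ', '))
} else {
    Write-Output "No imported account is both enabled and missing a password requirement."
}
```

Set a password on each required account first and enable it only afterwards, then re-run the script to confirm nothing is flagged.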

Find serial number of windows PC

To find the serial number of a PC running Windows, just open PowerShell and run the below command

get-wmiobject win32_bios

OR

gwmi win32_bios