• DST Reminder for this weekend…

    Hello Folks!  This morning's post is a friendly reminder that DST (spring forward) kicks in this weekend (March 8th at 2:00 AM, US).  Hopefully by now you are prepared and have the latest DST cumulative update installed:

    December 2014 cumulative time zone update for Windows operating systems

    This particular update includes changes for Russia time zones, Fiji Standard time, and Cape Verde Standard time.  Per the More information section, “This is a cumulative update rollup that includes all previous Windows time zone changes.”


    Additional Resources


  • Step by Step instructions for installing RDS Session Deployment using PowerShell in Windows Server 2012 R2

    Hello AskPerf Readers! Dhiraj here from the Windows Performance team to talk about deploying RDS using Windows PowerShell on Windows Server 2012 R2.

    As you know, PowerShell has been around for quite a few years now (November 2006 to be exact). Over the past 8 years, we have seen PowerShell become an integral part of Windows. One such example is deploying RDS within your environment. In this blog, we are going to walk you through setting this up. With that, let’s get rolling!

    Before we begin though, we need to import the RDS module using the Import-Module cmdlet:

    Import-Module RemoteDesktop


    We will use the New-SessionDeployment cmdlet to begin with the installation. Below is the syntax for this cmdlet:

    New-SessionDeployment [-ConnectionBroker] <string> [-WebAccessServer] <string> [-SessionHost] <string[]>

    Note: If you are installing the Session Host on the Connection Broker, you need to run this cmdlet from a remote server. Running it on the Connection Broker itself produces the following error:


    The Session Host role requires a reboot after installation, and the error above appears because PowerShell cannot resume the deployment after that reboot. The same steps do work from the Server Manager GUI.

    We will use three servers for this deployment:

    • – RD Connection Broker, RD Web Access, and RD Session Host
    • – Second RD Session Host
    • – RD license server

    We will need to add RDSH01 and DC01 to the All Servers pool in Server Manager on RDCBWA before we start the deployment.


    Now we run the below cmdlet on RDSH01 to install RD Connection Broker, RD Web Access and RD Session Host on RDCBWA:

    New-SessionDeployment –ConnectionBroker –WebAccessServer –SessionHost

    During the install, we’ll see the following progress meters:

    1. Validation begins:


    2. Deployment begins:


    3. Connection Broker is installed:


    4. RD Web Access role is installed:


    5. RD Session Host role is installed:


    6. After all roles are installed, the server is restarted:


    Once the PowerShell setup finishes, we verify the installation. As you can see from the screenshot below, everything except the RD Gateway and the Licensing server has been installed. We will now add another session host and a Licensing server.


    First, let’s add the second RD Session Host server to our deployment. We will use the Add-RDServer cmdlet and run it on the Connection Broker this time.

    Add-RDServer -Server -Role RDS-RD-SERVER -ConnectionBroker

    When you run the above command, you will see the following progress:




    The new Session Host is now rebooted:


    We can now verify the addition of the second Session Host server in Server Manager:


    Before proceeding, let's configure the RD Licensing server for our deployment. To install the RD Licensing role, we use the cmdlet below:

    Add-RDServer -Server -Role RDS-LICENSING -ConnectionBroker

    You will now see the below progress messages:





    We now need to activate our License server and install CALs via the Licensing Manager GUI on the License server. I have activated the License Server and installed PerUser CALs.

    Let’s configure our deployment for licensing. We use the below cmdlet for this:

    Set-RDLicenseConfiguration -LicenseServer -Mode PerUser -ConnectionBroker

    Running the above cmdlet requires confirmation:


    Select yes and continue.

    When finished, it simply returns to the prompt:


    To confirm that licensing is configured, run the following cmdlet:



    We can now confirm everything in Server Manager:



    We are halfway done here and have completed the installation of our roles. We now need to configure RDS to make Desktop Sessions and RemoteApps available to users.

    This takes us to the next step: creating a new collection using PowerShell.

    We will create two collections, one on each RDSH server: one for Desktop Sessions and the other for RemoteApps.

    To create a new collection, we use the below cmdlet:

    New-RDSessionCollection –CollectionName SessionCollection –SessionHost –CollectionDescription “This Collection is for Desktop Sessions” –ConnectionBroker

    This also shows a progress bar and summary when it finishes:



    We can verify this set up in Server Manager. As this collection is for Desktop Sessions, nothing else needs to be done.


    Let’s go ahead with creating the second collection for RemoteApps:

    New-RDSessionCollection –CollectionName RemoteAppCollection –SessionHost –CollectionDescription “This Collection is for RemoteApps” –ConnectionBroker

    When it completes, we see the summary and collection in Server Manager:



    As we will use this collection for publishing RemoteApps, let's go ahead and add a RemoteApp to it:

    New-RDRemoteApp -Alias Wordpad -DisplayName WordPad -FilePath "C:\Program Files\Windows NT\Accessories\wordpad.exe" -ShowInWebAccess 1 -CollectionName "RemoteAppCollection" -ConnectionBroker

    Summary progress below:



    Server Manager shows the RemoteApp added:


    And with that, you are done! Users can now access the Desktop Session and Remote App Collections.
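    Pulling the walkthrough together, here is the whole deployment as a single script. It is an added example, not code from the original post: the server FQDNs, the domain and the CONTOSO\RDS Users group are assumptions, and step 6 goes beyond the post by locking the collections down (an explicit user group, Network Level Authentication, the TLS security layer and high encryption) before any user connects. Because New-SessionDeployment and Add-RDServer reboot the server that receives the RD Session Host role, run the script from a management server in the Server Manager pool that gets no RDSH role (the post avoids the problem by running New-SessionDeployment from RDSH01 and the later cmdlets from the broker).

```powershell
# Added example, not from the original post. Names below are assumptions.
Import-Module RemoteDesktop

$Broker = 'RDCBWA.contoso.com'   # RD Connection Broker + RD Web Access + first RD Session Host
$Rdsh2  = 'RDSH01.contoso.com'   # second RD Session Host
$LicSrv = 'DC01.contoso.com'     # RD Licensing server

# 1. Standard session deployment: broker, web access and the first session host.
New-SessionDeployment -ConnectionBroker $Broker -WebAccessServer $Broker -SessionHost $Broker

# 2. Add the second session host and the licensing role.
Add-RDServer -Server $Rdsh2  -Role RDS-RD-SERVER -ConnectionBroker $Broker
Add-RDServer -Server $LicSrv -Role RDS-LICENSING -ConnectionBroker $Broker

# 3. Point the deployment at the license server. The server itself still has to be
#    activated and have CALs installed through RD Licensing Manager. -Force skips the prompt.
Set-RDLicenseConfiguration -LicenseServer $LicSrv -Mode PerUser -ConnectionBroker $Broker -Force
Get-RDLicenseConfiguration -ConnectionBroker $Broker

# 4. Collections: full desktops on the first host, RemoteApps on the second.
New-RDSessionCollection -CollectionName 'SessionCollection' -SessionHost $Broker `
    -CollectionDescription 'This Collection is for Desktop Sessions' -ConnectionBroker $Broker
New-RDSessionCollection -CollectionName 'RemoteAppCollection' -SessionHost $Rdsh2 `
    -CollectionDescription 'This Collection is for RemoteApps' -ConnectionBroker $Broker

# 5. Publish WordPad into the RemoteApp collection.
New-RDRemoteApp -Alias Wordpad -DisplayName WordPad `
    -FilePath 'C:\Program Files\Windows NT\Accessories\wordpad.exe' `
    -ShowInWebAccess $true -CollectionName 'RemoteAppCollection' -ConnectionBroker $Broker

# 6. Not in the original walkthrough: harden both collections before users arrive.
#    A new collection grants Domain Users by default; replace that with a dedicated group,
#    require NLA (authenticate before a session is created), force the TLS security layer
#    and refuse anything below high encryption.
foreach ($c in 'SessionCollection', 'RemoteAppCollection') {
    Set-RDSessionCollectionConfiguration -CollectionName $c -ConnectionBroker $Broker `
        -UserGroup 'CONTOSO\RDS Users' `
        -AuthenticateUsingNLA $true -SecurityLayer SSL -EncryptionLevel High
}

# 7. Verify what the broker believes is deployed.
Get-RDServer -ConnectionBroker $Broker | Format-Table Server, Roles -AutoSize
```

    -AuthenticateUsingNLA $true rejects clients that cannot do CredSSP (for example very old mstsc builds), so test one client from each platform you support before rolling it out; Get-RDSessionCollectionConfiguration -CollectionName <name> -Security shows what is in effect.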


    Windows Server 2012 R2 ships with an enormous number of PowerShell cmdlets, and this article has covered only a few of them. We may dive deeper into managing RDS with PowerShell on Server 2012 R2 in future posts.

    If you are interested in setting up a VDI deployment using PowerShell, please check the link below:

    Setting up a new Remote Desktop Services deployment using Windows PowerShell


  • KMS Activation High Level Overview

    Hello, folks!

    This blog is aimed to provide a high level overview of the Key Management Server (KMS) technology.

    You may have found a lot of dispersed activation information available elsewhere on the Internet, but I’m going to try and pull it all together for you in a concise format that I hope you’ll find is easy to digest.

    First, make sure you can meet the initial KMS requirements for deployment:

    1. By default, the following ports are required for activation:

    • 80
    • 443
    • 1688

    2. Activation requests are fulfilled after meeting the corresponding product count minimum.

    • Workstation OS: 25
    • Server OS: 5
    • Office: 5

    3. Activated products require a connection to the corporate network at least once every 180 days.

    Next, let’s take a look at the basic KMS infrastructure:


    KMS host machines answer activation requests, whereas KMS clients are the machines that need to be activated (they can be either servers or workstations).

    Whether a machine acts as a KMS host or a KMS client is determined by the type of key installed on it. A KMS host key causes the host to publish a SRV record (_VLMCS) in DNS; to obtain a host key, visit here. A KMS client setup key causes clients to look up that SRV record in DNS to find the KMS host; obtain a client setup key here.


    Office Volume Activation:

    The Microsoft Office Volume License Pack is required on Office KMS host. Obtain the license packs here:

    Microsoft Office 2013 Volume License Pack
    Microsoft Office 2010 KMS Host License Pack

    Installing the license pack prompts you for the Office KMS host key. If that completes without error, your Office KMS host is all set.


    For your reference, here are TechNet guides for setting up Office KMS activation.

    Prepare and set up the Office 2013 KMS host
    Set Up an Office 2010 KMS Host


    Additional Tool:

    Volume Activation Management Tool (VAMT) is a free utility that is very helpful for applying product keys and managing activation status.

    Download and Installation

    • This tool is part of the Windows Assessment and Deployment Kit (ADK), available here.
    • The latest version of VAMT is 3.1 as of this writing, and supports OSs up to Windows 8.1 and Server 2012 R2.
    • VAMT requirements:
      • The .NET Framework is required and is installed automatically with the ADK.
      • SQL Server Express is required; choose to install it as a feature in the ADK setup wizard.
    • More information:

    There are a couple of best practices to keep in mind when using KMS, and a few common mistakes you’ll want to avoid.


    Best Practices

    1. The Windows KMS host and the Office KMS host can be the same server.
    2. Keep roaming users on MAK keys (roaming users are those who will not connect to the company network at least once every 180 days).


    Common KMS Mistakes

    1. Installing a KMS host key on clients.
    2. The KMS host key does not match the host machine's OS.
    3. The latest patches have not been applied to the host machine.


    And now on to some common KMS commands you’ll want to keep on tap.

    Install a product key on the KMS Host

    • slmgr /ipk <KMS Host Key>

    Activate a product key:

    • slmgr /ato

    Display OS License Information:

    • slmgr /dlv

    Display All License Information (including office activation status):

    • slmgr /dlv all

    Note: The popup window for this command doesn’t scroll, so run the following command to write the output to a text file.

    cscript.exe c:\windows\system32\slmgr.vbs /dlv all > c:\temp\dlv.txt
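    As an added example that is not part of the original post, the following script checks the requirements above from the client side (SRV discovery, TCP 1688 reachability, which kind of key is installed) and, when run on the host, reports the current activation count against the minimums listed earlier. The domain name is an assumption. The key-type check catches the first of the common mistakes above: a KMS host key installed on an ordinary client, which shows up as a VOLUME_KMS channel instead of VOLUME_KMSCLIENT.

```powershell
# Added example, not from the original post. Domain name is an assumption.
$Domain = 'contoso.com'

# 1. Discovery: KMS clients locate the host through the _VLMCS SRV record.
$srv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$srv | Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize

# 2. Reachability: the client talks to the host on TCP 1688 (the port published in the SRV record).
foreach ($rec in $srv) {
    $t = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $rec.NameTarget, $rec.Port, $t.TcpTestSucceeded
}

# 3. Which kind of key is installed here? slmgr.vbs /dlv reads these same WMI classes.
#    LicenseStatus 1 = Licensed. A VOLUME_KMS* channel on a workstation is the
#    "host key on a client" mistake.
Get-CimInstance SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL" |
    Select-Object Name, LicenseStatus, GracePeriodRemaining,
        KeyManagementServiceMachine, KeyManagementServicePort,
        @{ n = 'KeyType'; e = {
            if     ($_.Description -match 'VOLUME_KMSCLIENT') { 'KMS client setup key' }
            elseif ($_.Description -match 'VOLUME_KMS')       { 'KMS HOST key (wrong on a client)' }
            elseif ($_.Description -match 'VOLUME_MAK')       { 'MAK' }
            else                                              { 'retail/OEM/other' } } } |
    Format-List

# 4. On the KMS host itself: has the activation threshold been reached?
#    (25 for a workstation OS, 5 for a server OS or Office, per the requirements above.)
$svc = Get-CimInstance SoftwareLicensingService
if ($svc.IsKeyManagementServiceMachine) {
    'KMS host listening on {0}; current count = {1}' -f `
        $svc.KeyManagementServiceListeningPort, $svc.KeyManagementServiceCurrentCount
}
```

    Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later; on older clients use nslookup -type=srv _vlmcs._tcp.<domain> and the slmgr commands above instead.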

    I hope this has been a helpful high-level overview of our KMS technology and wish you all the best!

    Kind regards,
    Sophie Fei Xu
    Support Escalation Engineer
    Microsoft Global Business Support

  • Highly Available RDS 2008 R2 License Servers

    Hello AskPerf! My name is Matt Graham and today I want to address some questions surrounding the setup of highly available licensing servers. Anyone setting up an RDS infrastructure wants to ensure that it will keep working if a license server goes down. In Terminal Services (2003) the recommended way of setting up highly available license servers was as follows:

    1. Deploy two activated license servers
    2. Either place all active licenses on single server or split between two servers. Typically you would install all licenses on a single license server in the case of a user-mode license scenario.
    3. Ensure that both license servers are discoverable

    In the scenario where you place all licenses on a single license server, when that license server goes down, the secondary server will hand out temporary licenses until you are able to build another license server or install licenses on the secondary server. This, however could be complicated depending how you have your session hosts discover your license servers.

    Server 2008 R2

    Server 2008 R2 is similar, but some features work differently. For example, the automatic discovery that helped TS servers find the license server is no longer available in 2008 R2. By design, you tell your session hosts how to find your license server via RD Licensing Manager, GPO, or the registry.

    It's important to keep in mind that the session host checks to see if a license is even needed before making a request to the license server for a CAL. So in most cases, even if your license server fails, most clients should still be able to connect to your session hosts. A new license will not be requested unless a new client tries to connect or a license has expired on a specific client. What that means is that in most environments, the failure of a license server does not mean that all of your clients that try to connect will be unable to connect.

    With that in mind, some people will still want to setup a backup license server in case their main license server fails.

    Configuration for Multiple License Servers (Per User Licensing)


    As before, you set up two license servers. In most cases, you install some of your CALs on one license server and the rest on the other. You then configure half of your session hosts to point first to license server 1 and secondarily to license server 2, and the other half to point to license server 2 as the primary and license server 1 as the secondary.

    In this scenario, RDSH01 first tries to pull licenses from RDSL01 and, if none are available there, falls back to RDSL02. Likewise, RDSH02 first tries RDSL02 and, if it has no available licenses, falls back to RDSL01. You can therefore use all of your licenses even though different session hosts point to different primary license servers.

    NOTE: You will need to take into consideration how many users / computers will be connecting to which session hosts. For example, if RDSH02 is going to have twice as many users connecting to it, you will want to install more CALs on RDSL02, as it is the primary licensing server for that session host.

    Configuring Session Hosts to Point to License Servers

    If you configure your session hosts through GPO, you go to the following:

    Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing


    In this case, the session host will first look to RDSL01 for licenses and, if it can't find a license there, will look to RDSL02. You can also set this via Remote Desktop Session Host Configuration, as follows.

    1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
    3. In the Edit settings area, under Licensing, double-click Remote Desktop license servers.
    4. On the Licensing tab of the Properties dialog box, click Add.
    5. In the Add License Server dialog box, select a license server from the list of known license servers, and then click Add. If the license server that you want to add is not listed, in the License server name or IP address box, type the name or IP address of the license server that you want to add, and then click Add.
      You can add more than one license server for the RD Session Host server to use. The RD Session Host server contacts the license servers in the order in which they appear in the Specified license servers box.
    6. Click OK to close the Add License Server dialog box, and then click OK to save your changes to the licensing settings.
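    To make the primary/secondary split concrete, here is an added example (not from the original post) that configures both session hosts from a management workstation through WMI, which is the interface behind the Remote Desktop Session Host Configuration steps above on 2008 R2. The host names are the post's RDSH01/RDSH02 and RDSL01/RDSL02, and Per User mode matches its scenario.

```powershell
# Added example, not from the original post. Host names follow the post's scenario.
# Each session host gets its own preference order; the RDSH contacts the servers in that order.
$plan = @{
    'RDSH01' = @('RDSL01', 'RDSL02')
    'RDSH02' = @('RDSL02', 'RDSL01')
}

foreach ($rdsh in $plan.Keys) {
    # Win32_TerminalServiceSetting is the class RD Session Host Configuration writes through.
    # Remote access to the TerminalServices namespace requires packet-privacy authentication.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TerminalServiceSetting `
                        -ComputerName $rdsh -Authentication PacketPrivacy

    # Licensing mode: 4 = Per User, 2 = Per Device.
    [void]$ts.ChangeMode(4)

    # Comma-separated list, in preference order.
    [void]$ts.SetSpecifiedLicenseServerList(($plan[$rdsh] -join ','))

    # Read back what the host will actually use.
    $list = $ts.GetSpecifiedLicenseServerList().SpecifiedLSList
    '{0}: LicensingType={1} license servers={2}' -f $rdsh, $ts.LicensingType, ($list -join ' then ')
}
```

    If the "Use the specified Remote Desktop license servers" policy from the GPO path above is applied, it writes HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\LicenseServers and takes precedence over anything set here or in the configuration tool, so pick one mechanism per host rather than mixing them.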

    This is a basic setup for a highly available license server in Server 2008 R2.


  • MS15-010 causing font/text issues…

    Hello Folks.  Wanted to send out a quick note on an emerging issue we are seeing in Support after installing MS15-010.  If your fonts/text are distorted on the following Operating Systems…

    • Windows Server 2008 Service Pack 2 (SP2)
    • Windows Server 2003 SP2
    • Windows Vista SP2

    …then you can download/install the following fix:

    Fix for text quality degradation after security update 3013455 (MS15-010) is installed

    Please see this link for more information.

    Additionally, this fix will be included in March's patch cycle.

    -Krishnan Ayyer & Susan Buchanan

  • Help! My Scheduled Task does not run…

    Good morning/afternoon/evening AskPerf! Blake here with a post I've been meaning to write and publish for a year or so now. Here on the Performance Team we support a wide range of technologies, Task Scheduler being one of them. More often than not, the number one Scheduled Task issue we encounter is as follows:

    “In Windows 2003/XP, my scheduled tasks ran with no problems. Since we’ve upgraded to Windows 2008/2008-R2/Win7/Win8/2012/2012-R2, our tasks no longer run.”

    With that, we explain that Task Scheduler was completely re-written in 2008/Vista, with one of the main changes being in Security. Here is a snippet from a Technet Article published back on March 3, 2006:

    Windows Vista Task Scheduler

    Security. In the Windows Vista Task Scheduler, security is vastly improved. Task Scheduler supports a security isolation model in which each set of tasks running in a specific security context starts in a separate session. Tasks executed for different users are launched in separate window sessions, in complete isolation from one another and from tasks running in the machine (system) context. Passwords are stored (when needed) in the Credentials Manager (CredMan) service using encryption interfaces. Using CredMan prevents malware from retrieving the stored password, tightening security further.

    In Windows Vista, the burden of credentials management in Task Scheduler has lessened. Credentials are no longer stored locally for the majority of scenarios, so tasks do not "break" when a password changes. Administrators can configure security services such as Service for Users (S4U) and CredMan, depending on whether the task requires remote or local resources. S4U relieves the need to store passwords locally on the computer, and CredMan, though it requires that passwords be updated once per computer, automatically updates scheduled tasks configured to run for the specific user with the new password.

    Enter the new world of Session 0 Isolation.

    Prior to Vista/2008, all services ran in the same session as the first user who logged on at the console: Session 0. Running user applications alongside services in one session was a security risk, because services run with elevated privileges and were reachable from any code running as the user in that session.

    Enter the new and improved Task Scheduler, which lives alongside Session 0 isolation. Vista/2008 and later mitigate this risk by reserving Session 0 for services and system processes and making it non-interactive. The first user who logs onto a machine lands in Session 1, subsequent users in Sessions 2, 3, 4, and so on. That isolation protects services and system processes from anything run in an interactive session, and it also means a task started in Session 0 has no desktop to draw on.

    So, how does this isolation prevent my task from running?

    • There is no active Shell (explorer.exe)
    • If a process/service tries to display a message box, the task will not complete
    • Non-interactive
    • Apps creating globally named objects
    • Possible network communication failures

    For more information about Session 0 Isolation, please see the link above.

    At this point, we need to determine if there is a simple workaround to get your task to run, or determine if the application vendor needs to be engaged.

    Typically, I start with making the following Security changes to my Scheduled Task:

    “Run only when user is logged on”


    With this option selected, my task will only run if I am logged on with my WillyP account. I can now test and confirm that Task Scheduler launches my task. Selecting this option also runs my task interactively in my session.

    You will see notepad.exe running in the same session as my logged on user – Session ID 2.


    Now, let’s look at the behavior when I have the other Security option selected.

    “Run whether user is logged on or not”

    With this option selected, I am telling Task Scheduler to run my task whether I am logged on or not, that is, in isolated Session 0. Let's see how this looks when my WillyP user is logged off and I schedule a task to run.


    As you can see, notepad.exe is running in Session 0. The other process, taskeng.exe, is the Task Scheduler Engine process that started my task.

    So, you may be asking yourself, what if I am logged on with this account and "Run whether user is logged on or not" is selected: will it be interactive? No. Session 0 is a non-interactive session, so you will not see your Action even if you are logged on as the account the task runs under.

    Now, how do we troubleshoot this and get your task to run? Well, in troubleshooting these issues, I’ve come across multiple ways to fix them. You may have to experiment to see which of the following works for you in your scenario.

    • If your Task requires UAC Elevation, select the “Run with highest privileges” option under Security on the General tab
    • If you are launching a script (.vbs/.cmd/.bat/.ps1), add some type of logging to it so you can see where it fails; see the following blog for examples: Two Minute Drill: Quickly test Task Scheduler
    • Try creating a new task, but select the Configure for: option to be “Windows Server 2003, Windows XP, or Windows 2000” – this will create an XP/2003 fashioned task
    • If running a .vbs / .ps1 script, try launching it from a .cmd / .bat script – for example: “cscript.exe myscript.vbs” would be in my .cmd/.bat script, and I would then launch it from my Scheduled Task
    • Check your scripts for environment assumptions: a task's working directory defaults to %SystemRoot%\System32 unless the task's "Start in" field or the script itself sets it (e.g. CD C:\Scripts\Test)
    • If you are running nested scripts/programs within one script, try breaking them out as multiple Actions – for example:


    So, when script1.cmd finishes, script2.cmd will be launched. Then when script2.cmd completes, script3.cmd will run.

    • If running a 3rd party app/script, engage the app vendor to check if their app/process will run correctly in a non-interactive session
    • Try running your script as the SYSTEM account, as a diagnostic step only; SYSTEM gives the script full control of the machine, so do not leave a task running that way just because it happens to work
    • Check the History tab for clues as to why your task is not running
    • If all else fails, your only choice may be to “Run only when user is logged on”
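    The security options above map directly onto the ScheduledTasks cmdlets on Windows 8 / Server 2012 and later, and scripting them makes the Session 0 behaviour easy to reproduce. The following is an added example, not code from the original post; the script path, log path and the CONTOSO\WillyP account are assumptions. It registers the same action twice, once with "Run whether user is logged on or not" and no stored password (the S4U logon type, so nothing goes into CredMan, and the task runs in Session 0 with no desktop and no access to remote resources that need the user's credentials) and once with "Run only when user is logged on" (Interactive), then shows the result code and the session the child process landed in.

```powershell
# Added example, not from the original post. Paths and account are assumptions.
$workDir = 'C:\Scripts\Test'
$script  = Join-Path $workDir 'script1.cmd'
$log     = Join-Path $workDir 'task.log'
$user    = 'CONTOSO\WillyP'

# Wrap the script in cmd.exe so stdout/stderr go to a log file: nothing a Session 0
# task prints or pops up is visible to anyone. Set the working directory too, since
# a task otherwise starts in %SystemRoot%\System32.
$action  = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument "/c `"$script`" >> `"$log`" 2>&1" `
    -WorkingDirectory $workDir
$trigger = New-ScheduledTaskTrigger -Daily -At '2:00AM'

# "Run whether user is logged on or not" + "Do not store password" = S4U logon.
# "Run with highest privileges" = RunLevel Highest (the UAC-elevated token).
$isolated    = New-ScheduledTaskPrincipal -UserId $user -LogonType S4U -RunLevel Highest
# "Run only when user is logged on" = Interactive logon; runs inside the user's own session.
$interactive = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Highest

# -Compatibility V1 is the "Windows Server 2003, Windows XP, or Windows 2000" option from the list above.
$settings = New-ScheduledTaskSettingsSet -Compatibility Win7 -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName 'Nightly-Session0'    -Action $action -Trigger $trigger -Principal $isolated    -Settings $settings -Force
Register-ScheduledTask -TaskName 'Nightly-Interactive' -Action $action -Trigger $trigger -Principal $interactive -Settings $settings -Force

# Kick the isolated one off and read the result code the History tab would show (0 = success).
Start-ScheduledTask -TaskName 'Nightly-Session0'
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName 'Nightly-Session0' | Select-Object TaskName, LastRunTime, LastTaskResult

# While it runs, SessionId shows where it landed: 0 is the isolated services session,
# 1 or higher is an interactive user session.
Get-Process -Name cmd, taskeng -ErrorAction SilentlyContinue | Select-Object Name, Id, SessionId
```

    To get the third variant from the post, a stored password, drop -LogonType S4U and pass -User and -Password to Register-ScheduledTask instead; that is the Password logon type, whose secret goes into CredMan and has to be refreshed whenever the account's password changes.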

    As we come across different issues/fixes, I will add them to the bulleted list above.

    Play around with the options above and see if you can get your Scheduled Task to run. If you come across a different fix not mentioned above, let us know in the comments below.


  • DFSR: Limiting the Number of Imported Replicated Folders when using DB cloning

    Hello! Warren here to talk about a very specific scenario involving the new DB cloning feature added to DFSR in Windows Server 2012 R2. The topic is how to limit or control which RFs you import on the import server in a DB cloning scenario. Ned Pyle has more
  • Loss of "ssh" via VIP following the assignment of IP addresses to Linux VM's with multi-nic

    Problem: When creating a VM with multiple NICs and multiple subnets, the guest's default gateway is not set automatically. This can cause loss of "ssh" connectivity, because the default gateway is not assigned to the correct NIC more
  • How to use Dumpchk.exe to check your dump files…

    Hello AskPerf!  Today's post is a quick one that points to one of Bob Golding's Windows Troubleshooting videos.  He talks about how to download and run Dumpchk.exe against your dump files to check them for corruption.  Check it out below:

    DumpCheck – youtube video

    DumpChk – MSDN Link to more info



  • Free Webcasts from Microsoft’s US Central Marketing Organization (USCMO)

    The US Central Marketing Organization (USCMO) here at Microsoft is putting on a new and improved series of webcasts, and I wanted to list them for those who wish to view them.  Each webcast streams live with interactive Q&A and is made available on demand afterwards.  These webcasts run for about 30-60 minutes.  Please feel free to register at any time.

    Protect Your Business Against Online Fraud
    January 20, 2015
    In recent years the online fraud epidemic has become a reality.  Is your business secure?

    Social in the Enterprise
    January 21, 2015
    FOX Business Network anchor Maria Bartiromo, the first journalist ever to report live from the floor of the NY Stock Exchange, shares why a good social strategy is crucial. Social networking expert and best-selling author Gary Vaynerchuk shares the secrets to social success in the enterprise. Charlene Li, renowned author and leadership and social consultant, provides concrete recommendations for how organizations can build effective networks to become leaders in the digital era. Andy Sernovitz, leader of the word of mouth movement, explains how building internal communities increases productivity and effectiveness. And host Alex Bradley, Microsoft Office, presents new, innovative social solutions. 

    Windows Server 2003 Migration: Hardware Modernization
    January 22, 2015
    With end of support pending in July 2015, organizations must understand their rationale for migrating from WS03.  This is not just a support issue but, importantly, an opportunity to enlist the power and flexibility of modern infrastructure running platforms like Windows Server 2012 and Azure.  Migrating sets your infrastructure up to harness your Enterprise Cloud strategy both on and off premises.  You want to make sure that your hardware keeps pace with these dynamic technologies.  This webcast covers some of the most important aspects of running upgraded workloads on modern hardware.

    It’s a New Year, Be Ready to Adapt
    January 22, 2015
    Every new year brings both the promise and the challenge of a quickly changing business environment. Staying ahead of the curve matters whether it is your customers' needs, security risks or compliance obligations that require instant access to the data that supports good decisions.

    HIPAA Compliant Cloud Solutions with Microsoft BAA
    January 23, 2015
    Join us for this important webcast on January 23rd at 11:00AM PST to learn about Microsoft’s HIPAA Business Associate Agreement (BAA). This discussion will help you to better understand how healthcare organizations with a Microsoft BAA can move toward a contemporary plan for using Microsoft’s cloud services. This webcast will show how the Microsoft BAA provides healthcare organizations with the opportunity to use cloud solutions to improve patient outcomes while maintaining compliance with the privacy and security regulations that are outlined in HIPAA.

    Announcing the Enterprise Cloud Suite
    January 26, 2015
    With Enterprise Cloud Suite (ECS), Microsoft is now able to offer a comprehensive solution to customers that provides:
    • End-to-End Productivity: provide users with tools to collaborate and stay in sync anytime, anywhere
    • Data Protection: enable strong authentication, encryption and access controls across devices
    • Device Management: manage devices and applications across PCs, smartphones and tablets
    • Unified IT environment: leverage existing investments for identity and device management across on-premises software and cloud services
    • Pricing: ECS provides the best pricing through built-in suite discounts vs. buying components separately

    Get a fresh start in 2015 with new Windows devices
    January 28, 2015
    Celebrate the New Year and get more productive in 2015 with the latest technology powered by Windows 8.1. Whether you're looking for laptops, 2-in-1 devices, or tablets, there is a lot to choose from. Join us on January 28th to check out a broad range of Windows 8.1 devices and special offers. In the meantime, visit the Windows for Business website to stay up to date!

    Need fast AND affordable? Why not try SQL Server?
    January 29, 2015
    Why did RSI Retail Solutions, Lifetime Products, and Havas Media migrate to SQL Server? SQL Server runs mission critical workloads, provides top-of-the-line security features, and enables customers to leverage existing assets and knowledge base – without costing a fortune. By switching or adding new workloads to SQL Server 2014, you can improve your data platform performance and your bottom line on your terms.  Join Marcello Benati, Microsoft Solution Specialist, to learn how to easily migrate existing and new mission-critical workloads to SQL Server 2014.

    Mobile Productivity in the Modern Workplace
    February 4, 2015
    Mobility is changing our personal and professional lives.  People are bringing their personal devices and apps to work. Employees expect more dynamic work environments to take advantage of mobile capabilities and work from anywhere. Apps, including productivity tools, need to work well on mobile devices and in the business scenarios these devices are used. To get work done from anywhere, mobile devices with basic services, like email, aren’t enough. In this webcast you will learn how Microsoft provides the richest productivity solution across any device, for any type of worker, in a secure, enterprise-grade way.

    Windows Server 2003: Most Common Application Migration Concerns
    February 5, 2015
    Build your migration plan: do it yourself, collaborate with a partner, or use a service.  Find out about your options, whether you are moving your applications to the cloud or keeping them in your own infrastructure.

    Enabling Customer Insights Using Business Analytics
    February 12, 2015
    Business analytics is about capturing that information in real-time and empowering people to put it to use, by combining data in new ways, to generate new insights. Hear from Pier 1 on how they use business analytics to drive their business.

    Windows Server 2003: Security Risk and Remediation
    February 18, 2015
    With Windows Server 2003 support ending on July 14, 2015, many organizations find themselves with legacy, mission-critical workloads and applications running on a soon to be unsupported platform. Some organizations may be considering alternate security strategies, like ring-fencing their existing Windows Server 2003 servers, as a way to delay migration. This webinar examines the viability of common risk remediation tactics for Windows Server 2003 and makes the case that migration is ultimately the best option.

    The Connected Workforce
    February 18, 2015
    The world has become a giant network, with people connecting in new ways using social and mobile technologies. Has your company adapted to this networked world? By delivering seamless social experiences across familiar work applications on an enterprise-grade platform, Microsoft helps over 400,000 companies worldwide engage, inform and connect employees. During this webcast you will learn how Microsoft can help your company connect, inform, and engage employees using enterprise social technologies.

  • We Are Hiring Windows Escalation Engineers in Munich, Germany

    Would you like to join the world's best and most elite debuggers to enable the success of Microsoft solutions?   As a trusted advisor to our top customers you will be working with the most experienced IT professionals and developers in the industry more
  • Case of the blank print jobs

    Hello Askperf! Anshuman here again with an interesting issue I worked a few weeks ago.

    The following pop-up appeared on my workstation intermittently:


    I then realized that I had the Send To OneNote printer set as my default printer.

    The next time this occurred, I paused the print queue and noticed that a "Remote Desktop Redirected Printer Doc" document was being spooled under my account. This was interesting because I had several remote desktop sessions open to different machines from my workstation, and I had not sent any print jobs from them.


    So two questions came to mind:

    1. Which RDS session is this coming from?

    2. What was sending this print job?

    I then thought to myself, “when in doubt, run Process Monitor!”

    My first challenge was to figure out which server session this job was generated from. For this, I ensured that all the RDS sessions I established were using the command line option of mstsc.exe (mstsc /v:servername). Next, I started Process Monitor on my workstation with a specific filter of “Process Name is mstsc.exe” and “Path contains .spl”. Since this issue was intermittent, I checked the “Drop filtered events” option. I also ensured that the Backing File option under the File menu was pointing to a file, instead of Virtual Memory (pagefile). After a while the issue occurred, and procmon captured the following events:


    One of the first things I noticed was the CloseFile operation immediately after the CreateFile operation. Typically, you will see a WriteFile operation between these two operations. So which server was mstsc connecting to? That was easily found by examining the Command Line entry of mstsc captured in the .pml file:


    I logged into the problem server and launched procmon, ensuring that the Backing File option was set to point to a .pml file on a drive with enough space, and “Drop filtered events” was selected. Next I set up a filter “Path Contains tsclient” as well as “Path Contains RdpDr”. I then established an RDS session to the server from my workstation and waited for the mysterious 0 KB print job. Once it happened, I had the following events in the .pml file from the ProblemServer:


    So there was an add-on service that had been installed on the print server together with a print driver. Disabling it ensured that those mysterious 0 KB jobs ceased to occur.
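    The first of the two questions above (which RDS session is the job coming from?) can also be narrowed down from the workstation's own spooler, as an added example that is not part of the original post: it watches the default printer for the redirected-printer document and lists the mstsc.exe sessions (with their /v: targets) that were open when it was spooled. It assumes Windows 8 / Server 2012 or later on the workstation, for Get-PrintJob; the poll interval and watch duration are arbitrary.

```powershell
# Added example, not code from the original post: correlate 0 KB
# "Remote Desktop Redirected Printer Doc" jobs on the default printer with the
# mstsc.exe sessions open on this workstation. Assumes Windows 8 / Server 2012
# or later on the workstation (Get-PrintJob from the PrintManagement module);
# poll interval and watch duration are arbitrary choices.
param(
    [string]$DocumentName    = 'Remote Desktop Redirected Printer Doc',
    [int]   $PollSeconds     = 5,
    [int]   $DurationMinutes = 30
)

# Which server is each mstsc.exe connected to? As in the post, this relies on
# the sessions having been started with "mstsc /v:servername" so the target is
# visible on the command line.
function Get-MstscTargets {
    Get-CimInstance Win32_Process -Filter "Name = 'mstsc.exe'" | ForEach-Object {
        $target = if ($_.CommandLine -match '/v:\s*"?([^\s"]+)') { $Matches[1] } else { '<no /v: argument>' }
        [pscustomobject]@{ ProcessId = $_.ProcessId; Target = $target; Started = $_.CreationDate }
    }
}

# Default printer as the spooler sees it (in the post it was "Send To OneNote").
$defaultPrinter = (Get-CimInstance Win32_Printer -Filter 'Default = TRUE').Name
if (-not $defaultPrinter) { throw 'No default printer is configured.' }

$deadline = (Get-Date).AddMinutes($DurationMinutes)
$seen = @{}   # job IDs already reported, so each job is listed once

"Watching '$defaultPrinter' for '$DocumentName' jobs until $deadline"
while ((Get-Date) -lt $deadline) {
    # A 0 KB job can leave the queue quickly; a short poll interval helps catch it.
    $jobs = Get-PrintJob -PrinterName $defaultPrinter -ErrorAction SilentlyContinue |
        Where-Object { $_.DocumentName -eq $DocumentName -and -not $seen.ContainsKey($_.Id) }

    foreach ($job in $jobs) {
        $seen[$job.Id] = $true
        '{0:HH:mm:ss}  job {1}  {2} bytes  user {3}' -f $job.SubmittedTime, $job.Id, $job.Size, $job.UserName
        # Sessions that were already open when the job was spooled are the
        # candidates; the post then confirms the culprit with Procmon on that server.
        Get-MstscTargets |
            Where-Object { $_.Started -le $job.SubmittedTime } |
            Sort-Object Started -Descending |
            Format-Table ProcessId, Target, Started -AutoSize | Out-String
    }
    Start-Sleep -Seconds $PollSeconds
}
```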


  • How to migrate local ports when doing print migration

    Hello Askperf! My name is Tingu, and today I’m going to talk about an interesting print migration issue I had a few weeks ago.

    We had a case where an application server running Windows 2003 had more than 400 print queues. Each port was created as a local port to forward the print job in case of a failure, as described in the “Transfer documents to another printer” TechNet article.

    The port was configured as \\printservername\printer.  See example screenshot below:


    Here, we were trying to move the application to a 2012 R2 server and wanted to migrate all the print queues to the new server. We used printbrm to migrate all of the local printers. But the problem we ran into is that it did not migrate the local ports.

    When we started the migration, we did not see the local ports listed:


    Additionally after the migration, the port was not present:


    We tried to add the port manually, but it gave us the error “port already exists”. Additionally, the registry showed that the printer was set to use the forwarder.


    We really needed to get the local ports migrated as it can be a tedious task to re-create all the ports and map to their respective print queue. 

    We created a test lab and saw the same issue while migrating. It did not matter which OS we were migrating from or to. During the migration, we saw event ID 81 on the 2012 R2 server (this event is not triggered if you are migrating to 2003 or 2008 R2):

    Log Name:      Microsoft-Windows-PrintBRM/Admin
    Source:        Microsoft-Windows-PrintBRM
    Date:          12/25/2014
    Event ID:      81
    Task Category: Restore
    Level:         Error
    Keywords:      Print Queue
    User:          Joe
    Computer:      12345

    Printbrm.exe (the Printer Migration Wizard or the command-line tool) failed to restore print queue test. The restore process will continue, skipping this queue. Error: 0x80070057

    Error 0x80070057 translates to “invalid parameter”.

    So what we determined is that when you use printbrm for migration, it will not migrate local ports. The reason is that a local port is specific to the server, and it may cause conflicts or not work if migrated to a different server. But in our case it’s a forwarder, and we need it to be migrated.

    Further testing revealed that if a local port to which the printer is mapped is already present on the destination server, then the migrated printers will use that local port.

    For example: on the source server you have a printer mapped to LPT1, and the destination server has an LPT1 port available; then after the migration, the printer will be set to use that port. We created a forwarder on the destination server for a test printer before migration, and after importing the printer, we saw that the port was mapped accordingly.

    Now the question is, how do we migrate multiple local ports at a time?

    Here is what we did…

    From the print management on a 2012 R2 server, we added the 2003 server.  Then we exported the list of ports to a .csv file:


    This gave us the list of all ports needing to be migrated. We then created a script to add the ports to the destination server. Since in our case the destination was a Windows Server 2012 R2 server, we used the PowerShell cmdlet Add-PrinterPort.

    We copied all of the required ports into Notepad and saved it as a .ps1 file:


    We ran the .ps1 file as admin, and all of the ports got created on the destination server!


    Note If you have already tried the migration before creating the ports on the destination server, the PowerShell command may give you the error ‘port already exists’. You may need to delete the migrated printers, restart the spooler, and then retry the PowerShell command to complete the port creation.

    After that, we followed the normal migration procedure and all printers got mapped to the correct port.
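    The script the post describes, written out as an added example (this is not the post's own .ps1): it reads the port list exported from Print Management, recreates only the \\printserver\printer forwarders with Add-PrinterPort, skips ports that already exist (the ‘port already exists’ case above), and after the printbrm restore lists any queue whose port is still missing. The CSV path and the column name ‘Port Name’ are assumptions.

```powershell
# Added example, not the post's own script: recreate the source server's
# forwarder-style local ports on the destination (Windows Server 2012 R2) from
# the .csv exported by Print Management, then verify the restored queues.
# Assumptions: the CSV has a column named 'Port Name' and lives at $CsvPath.
param(
    [string]$CsvPath    = 'C:\PrintMigration\ports.csv',
    [string]$PortColumn = 'Port Name'
)

function Import-ForwarderPorts([string]$Path, [string]$Column) {
    $existing = @{}
    Get-PrinterPort | ForEach-Object { $existing[$_.Name.ToLower()] = $true }

    $created = 0; $skipped = 0; $failed = @()
    foreach ($row in Import-Csv -Path $Path) {
        $name = ([string]$row.$Column).Trim()
        # Only \\printserver\printer forwarders are recreated: LPT/COM/FILE:
        # ports already exist on the destination, and Standard TCP/IP ports
        # are carried over by printbrm itself.
        if ($name -notmatch '^\\\\[^\\]+\\[^\\]+$') { $skipped++; continue }
        # Skipping ports that already exist avoids the "port already exists"
        # error the post mentions when the migration was attempted first.
        if ($existing.ContainsKey($name.ToLower())) { $skipped++; continue }
        try {
            # Add-PrinterPort with only -Name creates a Local Port, which is
            # what the "Transfer documents to another printer" setup uses.
            Add-PrinterPort -Name $name -ErrorAction Stop
            $existing[$name.ToLower()] = $true
            $created++
        } catch {
            $failed += [pscustomobject]@{ Port = $name; Error = $_.Exception.Message }
        }
    }
    [pscustomobject]@{ Created = $created; Skipped = $skipped; Failed = $failed }
}

# After "printbrm -r" has restored the queues, any queue whose port does not
# exist on this server still needs its local port created (or was mis-mapped).
function Get-QueuesWithMissingPort {
    $ports = @{}
    Get-PrinterPort | ForEach-Object { $ports[$_.Name.ToLower()] = $true }
    Get-Printer | Where-Object { -not $ports.ContainsKey($_.PortName.ToLower()) } |
        Select-Object Name, PortName
}

$result = Import-ForwarderPorts -Path $CsvPath -Column $PortColumn
"Ports created: $($result.Created), skipped: $($result.Skipped), failed: $($result.Failed.Count)"
$result.Failed | Format-Table -AutoSize
'Queues whose port is still missing (meaningful after the printbrm restore):'
Get-QueuesWithMissingPort | Format-Table -AutoSize
```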

    I hope this information will come in handy the next time you are working through a printer migration. 


  • How to make your existing BitLocker encrypted environment FIPS compliant

    Hello, my name is Mayank Sharma and I am a Technical Advisor here at Microsoft. In this blog, I will discuss FIPS compliance with BitLocker, Microsoft's solution for completely encrypting data on laptops, desktops and removable drives. So let’s get started...

    FIPS stands for Federal Information Processing Standard and is a set of United States Government standards that provide a benchmark for implementing cryptographic software. It basically means that if a piece of software is approved by one of the labs that do the testing for FIPS compliance, the software meets the government standard for cryptography and can therefore be used by the US Federal government and organizations around the world. There is a lot that can be written about FIPS, so it is better that I route you to the following link:

    FIPS Compliance

    To enable FIPS on a computer, i.e. tell it that it has to be compliant with the government policies, we need to alter the following group policy:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    The name of the policy is the following:

    System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

    Now that we know what FIPS is and what it does, let’s focus our attention back on BitLocker, Microsoft’s security solution for protecting data across laptops and desktops. BitLocker uses multifactor authentication to ensure BitLocker-encrypted drive(s) will always remain in good hands. To accomplish this, it uses multiple protectors to protect a volume. Some are ‘primary’ protectors which are used most of the time, namely TPM, TPM and PIN, Password, etc.; others are used when BitLocker senses something has changed and goes into lockdown mode. During lockdown, it asks the user to prove that they are genuine. Examples of these recovery protectors include the recovery password, recovery key, Data Recovery Agent, etc.

    Now here comes the tricky part. Whether or not BitLocker is FIPS compliant depends on whether the cryptographic keys each protector uses are themselves FIPS compliant. Password protectors for the operating system drive/fixed data drive are not compliant with the FIPS specification, and neither is the recovery password before Windows 8. The article below discusses this in more detail:

    The recovery password for Windows BitLocker is not available when FIPS
    compliant policy is set in Windows Vista, Windows Server 2008, Windows 7
    and Windows Server 2008 R2

    Let’s say there is a ‘happy go lucky’ organization that uses TPM+PIN protectors to authenticate the OS drive of users’ laptops running Windows 7 and stores recovery passwords in an MBAM database. If a user gets locked out, the Helpdesk provides the recovery password to the user to unlock the machine. This is the happy ending of the story, until one day FIPS compliance becomes mandatory.

    a. Will this happy go lucky organization be FIPS compliant? No, as it is using the recovery password as a protector, which is not FIPS compliant.
    b. Does this mean the whole infrastructure needs to be rebuilt from scratch? Of course not!

    Steps to make this environment FIPS compliant:

    Step 1:

    We need to get rid of the recovery password which is making the infrastructure non-FIPS-compliant. The first thing would be to delete the recovery password associated with this Windows 7 machine. Run the following from an elevated command prompt:

    manage-bde -protectors -get c:

    This lists all the protectors:

    Volume C: [OSDisk]
    All Key Protectors

        TPM And PIN:
          ID: {161941A3-8CB3-439C-8FC6-1642D0C97C8D}
          PCR Validation Profile:
            0, 2, 4, 11

        Numerical Password:
          ID: {C6DF1E74-467F-4BE8-9C59-C9A9F345B9A0}

    Note the ID of the Numerical Password protector, and to delete it run the following command:

    manage-bde -protectors -delete c: -id {C6DF1E74-467F-4BE8-9C59-C9A9F345B9A0}

    This will delete the recovery password protector.

    Step 2:

    Now, imagine the user forgets the PIN or gets locked out for any other reason. We need a way to get back into the machine, so we need to add some protectors that will help us in lockdown situations. Fortunately, we still have a choice to make here. We can add either of the two protectors that are FIPS compliant:

    a. Data recovery agent

    How to use Bitlocker Data Recovery Agent to unlock Bitlocker Protected Drives

    b. Add a recovery key to the volume. This is as simple as running the following command, where e: is the destination drive where you want to store the .BEK file:

    manage-bde -protectors -add c: -rk e:

    Just save this file in a safe place. If a machine gets locked out, copy it over to a USB drive. More information can be found here:

    What is a BitLocker recovery key?

    Step 3:

    Though not mandatory (once we enable the group policy for FIPS, it will not allow creation of recovery passwords anyway), we can additionally disable the creation of any more recovery passwords. Just disable the policy like I did below under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.


    As "Password" is not a FIPS compliant protector, you cannot use it with fixed data drives either. We can either use a smart card protector or a DRA… And happy go lucky should be happy again!
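    Steps 1 and 2 above, as an added example that is not the post's own code, in the order a cautious admin would run them: add the FIPS-compliant recovery key first, confirm it is present, and only then delete the Numerical Password protector, so the volume is never left with no recovery protector at all. It wraps manage-bde.exe (the BitLocker PowerShell module does not exist on Windows 7), parses the protector listing shown above, and assumes E:\ as the .BEK destination.

```powershell
# Added example, not code from the original post: replace the recovery password
# protector on a Windows 7 OS volume with a FIPS-compliant recovery key (.BEK),
# adding the key FIRST so the volume is never left without a recovery protector.
# It wraps manage-bde.exe because the BitLocker PowerShell module is not
# available on Windows 7 (PowerShell 2.0 compatible). Run from an elevated
# PowerShell prompt; the .BEK destination drive (E:\) is the post's choice.
param(
    [string]$Volume          = 'C:',
    [string]$RecoveryKeyPath = 'E:\'
)

function Get-BdeProtectors([string]$Vol) {
    # Parse the "<Type>:" / "ID: {GUID}" pairs from "manage-bde -protectors -get",
    # e.g. "TPM And PIN:" or "Numerical Password:" followed by an "ID:" line.
    $text = (& manage-bde -protectors -get $Vol 2>&1) | Out-String
    $pattern = '(?m)^\s*([A-Za-z ]+?):\s*$\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        New-Object PSObject -Property @{ Type = $m.Groups[1].Value.Trim(); Id = $m.Groups[2].Value }
    }
}

function Test-FipsPolicyEnabled {
    # The "Use FIPS compliant algorithms" policy from the post lands in this value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($v -ne $null -and $v.Enabled -eq 1)
}

$before = @(Get-BdeProtectors $Volume)
'Protectors before:'; $before | Format-Table Type, Id -AutoSize

$recoveryPasswords = @($before | Where-Object { $_.Type -eq 'Numerical Password' })
if ($recoveryPasswords.Count -eq 0) {
    "No recovery password protector on $Volume; nothing to do."
    return
}

# Step 2 of the post, done first: add the recovery key unless one already exists
# (manage-bde lists a recovery key as "External Key").
if (-not ($before | Where-Object { $_.Type -eq 'External Key' })) {
    & manage-bde -protectors -add $Volume -rk $RecoveryKeyPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde could not add a recovery key (exit code $LASTEXITCODE)" }
}
$after = @(Get-BdeProtectors $Volume)
if (-not ($after | Where-Object { $_.Type -eq 'External Key' })) {
    throw 'No recovery key protector present; refusing to delete the recovery password.'
}

# Step 1 of the post: now it is safe to delete the recovery password protector(s).
foreach ($p in $recoveryPasswords) {
    & manage-bde -protectors -delete $Volume -id $p.Id | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not delete protector $($p.Id) (exit code $LASTEXITCODE)" }
    "Deleted recovery password protector $($p.Id)"
}

'Protectors after:'; Get-BdeProtectors $Volume | Format-Table Type, Id -AutoSize
if (-not (Test-FipsPolicyEnabled)) {
    'Reminder: the FIPS security policy is not yet enabled on this machine.'
}
```

    Back up the .BEK file written to E:\ before running this in production, since after the run it is the only way back into a locked-out machine that has no DRA.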

    As stated above, this is specifically meant for Windows 7/Vista and Windows Server 2008/2008 R2. Had the company been proactive in moving to a newer version of Windows (i.e. Windows 8/8.1, Windows Server 2012/2012 R2), it would not have had any effect on them. The recovery password is FIPS compliant on Windows 8 and later operating systems.

    So this is pretty much it. Keep your machines encrypted until next time.

    I thank Himanshu Singh for taking time out to go through this blog.

    Mayank Sharma
    Technical Advisor
    Windows Deployment Services

  • Troubleshooting Windows activation failures on Azure VMs

    If you are experiencing Windows activation failures on an Azure VM, please try the following steps to resolve the issue. An example of an error message you may see is: Error(s): Activating Windows(R), ServerDatacenter edition Error: 0xC004F074 The Software more
  • Disk Performance Internals

    Abstract: Storage is the slowest component of most computer systems. As such, storage is often a performance bottleneck. This article discusses the disk performance kernel provider, partition manager.  By understanding how the disk performance provider more
  • Driver Object Corruption Triggers Bugcheck 109

    My name is Victor Mei, I am an Escalation Engineer in Platforms Global Escalation Services in GCR.  Some customers I worked with have strong interests in debugging; but usually they got frustrated when I told them “To find the cause from this dump more
  • Recovering Azure VM by attaching OS disk to another Azure VM

    If you are unable to administer an Azure VM because of RDP or SSH failures, in many cases rebooting or resizing the VM may resolve the issue. You can troubleshoot the VM by attaching the OS disk as a data disk to a different Azure VM using the steps more
  • Surface Pro 3 Hibernation Doesn’t Occur on Enterprise Install

    Hi my name is Scott McArthur and I want to call out a recently published KB article:

    Surface Pro 3 doesn't hibernate after four hours in connected standby

    If you are deploying an image to Surface Pro 3, you are missing out on the feature where the device hibernates after 4 hours in Connected Standby. This is a key feature related to battery life, so I would recommend that all Enterprise customers install KB2955769 and incorporate these PowerCfg commands into their deployment.

    If you use Microsoft Deployment Toolkit 2013 for your deployments, this is super easy. Here are the steps:

    1. Under Packages, import KB2955769


    2. Create PowerCfg_Sp3.bat that contains the following commands:

    REM sets CS battery saver time-out to four hours:
    powercfg /setdcvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 7398e821-3937-4469-b07b-33eb785aaca1 14400
    powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 7398e821-3937-4469-b07b-33eb785aaca1 14400

    REM sets CS battery saver trip point to 100:
    powercfg /setdcvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 1e133d45-a325-48da-8769-14ae6dc1170b 100
    powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 1e133d45-a325-48da-8769-14ae6dc1170b 100

    REM sets the CS battery saver action to hibernate:
    powercfg /setdcvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f c10ce532-2eb1-4b3c-b3fe-374623cdcf07 001
    powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f c10ce532-2eb1-4b3c-b3fe-374623cdcf07 001

    powercfg /setactive SCHEME_CURRENT

    3. Save PowerCfg_Sp3.bat to your DeploymentShare\Scripts folder

    4. Open up the task sequence you use to deploy Windows and add a custom task in the state restore phase called PowerCfg-SP3


    5. In the properties of this task sequence step, edit the following:


    6. Click the Options tab and add conditional for “Task Sequence variable model equals Surface Pro 3”


    Note: This ensures this only runs on Surface Pro 3 devices, using the model variable.
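    A check that the three settings from PowerCfg_Sp3.bat actually took effect, for example as a follow-up task sequence step or a post-deployment audit, added here as an example and not part of the original post. The subgroup and setting GUIDs and the expected values are the ones in the batch file above; the parsing of the "powercfg /query" output lines is an assumption about that tool's output format.

```powershell
# Added example, not code from the original post: verify that the Connected
# Standby battery-saver settings from PowerCfg_Sp3.bat were applied to the
# active scheme (AC and DC). GUIDs and values are the post's; the parsing of
# "Current AC/DC Power Setting Index: 0x..." lines assumes powercfg's output format.
$subgroup = 'e73a048d-bf27-4f12-9731-8b2076e8891f'   # battery saver subgroup (from the post)
$expected = @(
    @{ Name = 'CS battery saver time-out (seconds)'; Setting = '7398e821-3937-4469-b07b-33eb785aaca1'; Value = 14400 },
    @{ Name = 'CS battery saver trip point (%)';     Setting = '1e133d45-a325-48da-8769-14ae6dc1170b'; Value = 100 },
    @{ Name = 'CS battery saver action (1=hibernate)'; Setting = 'c10ce532-2eb1-4b3c-b3fe-374623cdcf07'; Value = 1 }
)

function Get-PowerSettingIndex([string]$Sub, [string]$Setting) {
    # Query one setting in the active scheme and pull the AC and DC indexes.
    $text = (& powercfg /query SCHEME_CURRENT $Sub $Setting) | Out-String
    $ac = $null; $dc = $null
    if ($text -match 'Current AC Power Setting Index:\s*0x([0-9A-Fa-f]+)') { $ac = [Convert]::ToInt64($Matches[1], 16) }
    if ($text -match 'Current DC Power Setting Index:\s*0x([0-9A-Fa-f]+)') { $dc = [Convert]::ToInt64($Matches[1], 16) }
    New-Object PSObject -Property @{ AC = $ac; DC = $dc }
}

# Same gate as the task sequence condition: only meaningful on a Surface Pro 3.
$model = (Get-WmiObject Win32_ComputerSystem).Model
if ($model -ne 'Surface Pro 3') { "Model is '$model', not Surface Pro 3; skipping check."; exit 0 }

$allOk = $true
foreach ($e in $expected) {
    $idx  = Get-PowerSettingIndex $subgroup $e.Setting
    $pass = ($idx.AC -eq $e.Value) -and ($idx.DC -eq $e.Value)
    if (-not $pass) { $allOk = $false }
    '{0,-42} AC={1,-6} DC={2,-6} expected={3,-6} {4}' -f $e.Name, $idx.AC, $idx.DC, $e.Value, $(if ($pass) { 'OK' } else { 'MISMATCH' })
}

# Non-zero exit lets MDT (or any scheduler) flag the device for attention.
if (-not $allOk) { exit 1 }
```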

    Hope this helps with your Surface deployments, and keep an eye on this blog for more tips and tricks for Surface.

    Scott McArthur
    Senior Support Escalation Engineer

  • Your technical answers and automated solutions via

    Hello folks,

    One of our Engineering PMs that supports our Diagnostics and Automated solutions published a blog regarding Bing and how you can use it to answer your technical questions and provide automated solutions.  Here is a brief overview:

    Bing Technical Instant Answers provide concise answers to technical questions directly within search results and hopefully answer your question (or help you solve an issue) without you having to actually visit the web pages linked within the answer. The answers are triggered by specific search phrases, and they try to provide a unique benefit either by precisely matching your intent or by providing additional content related to your intent. In some cases, the instant answer will link to an automated fix or troubleshooter that you can run directly from the Bing search results. Microsoft will constantly be adding new technical answers, so if you have a technical problem with a Microsoft product or service try asking Bing to see if we have an instant answer for you!

    Go check out his blog via the link below:

    Using Bing for technical instant answers and automated solutions


  • Cross Post: Using Bing for technical instant answers and automated solutions

    This is a cross post from William Keener’s Support Diagnostics and Automated Solutions blog that we wanted to add to our site.  It relates to Bing and instant answers about Microsoft Products/Technologies/Support issues and here on the AskCore site, we are all about getting this type of information out there.  Any comments made should be made on the originating post so it can be properly seen, heard, or answered.


    Using Bing for technical instant answers and automated solutions

    Bing has been providing factual instant answers (and translation instant answers) for some time now, but recently they added "technical" instant answers for questions about Microsoft products and technologies or technical support issues. My previous team built the content management system that our internal content delivery teams are now using to add technical instant answers to Bing. Here's an example technical instant answer for the "Cortana" search term: 

    Now that I'm working on support diagnostics and automated solutions again, I have been working with the Bing and content delivery teams to get some instant answers created with links to some of our automated solutions.

    And I'm happy to announce that the first one is live! So you can now search for "Windows Update Troubleshooter" (or a variety of related terms and error messages) and the first result will be a technical instant answer with a link to download and run our automated troubleshooter to fix problems with Windows Update.

    When you click the link in step 3, you will be prompted to open (or run) or save the troubleshooter.

    Just click Open (or Run) to launch the troubleshooter.

    The content delivery teams will be constantly adding more technical instant answers, and we hope to have more live with automated solutions soon!

    Note that technical instant answers are also available in the Bing app on Windows Phone. To see the phone experience, tap Search and then type or say "cortana" on your Windows Phone. Then click the "See More" link at the bottom of the second result (after the ad - "Meet Cortana on Windows Phone 8.1") and swipe left or right to view the content on each of the tabs.

  • Understanding ATQ performance counters, yet another twist in the world of TLAs

    Hello again, this is guest author Herbert from Germany. If you worked an Active Directory performance issue, you might have noticed a number of AD Performance counters for NTDS and “Directory Services” objects including some ATQ related counters. In this more
  • Unable to restart server due to registry bloat over 2GB

    Hello AskPerf!  Pushing up a blog today to discuss the registry bloat issue that has been recently addressed in the following KB:

    Computer cannot be restarted if the registry hives are larger than 2 GB


    • You have a computer that is running the x64-based version of Windows 8.1, Windows Server 2012 R2, Windows 8, or Windows Server 2012.
    • The registry hives for the computer are larger than 2 gigabytes (GB).

    This problem occurs because of the 2 GB size limit of the registry hives in x64-based versions of Windows.

    Install this patch to resolve the issue.


    When you get into this state, you may experience one of the following issues:

    1. You can boot to a stop error.
    2. You can boot and not be able to log in due to the RQL (Registry Quota Limit).
    3. You can boot and be logged in with a temp profile and not be able to install any software due to the RQL.

    If this happens, KB2978366 should be installed.

    With that, the following questions may come to mind:

    • How does this issue occur?
    • How do I prevent this issue in the first place?
    • How do I fix this issue once the hotfix is installed?
    • What happens if I see this problem on another OS version?
    • Are there any tools I can use to troubleshoot this issue?

    Question: How does this issue occur?

    Answer: There are many reasons that cause registry hives/keys to bloat.  Some of the ones we have seen are related to KB2871131, which refers to the “..\Printers\DevModes2” key bloat.  This hotfix does not “fix” the issue, but prevents it from occurring in the first place.  You still have to clean the keys first.  Additionally, there is a known issue with SQL Server 2012 SP1 that can cause the registry to hit the 2GB limit and put the machine in a no-boot state.  Please see KB2793634 for more details on this.

    Question: How do I prevent this issue in the first place?

    Answer: There really is no good answer for this outside of installing the hotfixes noted above and keeping a close eye on your registry hives. You can, however, use Performance Monitor to monitor the “System\% Registry Quota In Use” counter. If this counter gets over 50%, then you should start investigating which registry keys/hives are growing.


    % Registry Quota In Use is the percentage of the Total Registry Quota Allowed that is currently being used by the system.  This counter displays the current percentage value only; it is not an average.

    NOTE The following Registry hives point to their corresponding files:

    • HKLM\BCD00000000 - \Boot\BCD
    • HKLM\COMPONENTS - %windir%\System32\config\Components
    • HKLM\SAM - %windir%\System32\config\SAM
    • HKLM\SECURITY - %windir%\System32\config\SECURITY
    • HKLM\SOFTWARE - %windir%\System32\config\SOFTWARE
    • HKLM\SYSTEM - %windir%\System32\config\SYSTEM
    • HKU\.DEFAULT - %windir%\System32\config\DEFAULT
    • HKCU - %userprofile%\NTUSER.DAT
    • HKLM\HARDWARE - This is dynamic and gets built when the OS boots (volatile hive)
    • HKLM\CLUSTER - %windir%\Cluster\CLUSDB
    • HKU\<SID of local service account> - %systemroot%\ServiceProfiles\LocalService\Ntuser.dat
    • HKU\<SID of network service account> - %systemroot%\ServiceProfiles\NetworkService\Ntuser.dat
    • HKU\<SID of username> - \Users\<username>\Ntuser.dat
    • HKU\<SID of username>\Classes - \Users\<username>\AppData\Local\Microsoft\Windows\Usrclass.dat
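    The monitoring suggested in the answer above, as an added example that is not part of the original post: it samples the “% Registry Quota In Use” counter, applies the 50% warning level from the post, and reports the on-disk size of every hive file in the mapping above against the 2 GB limit. The 1 GB (50% of the limit) per-hive "GROWING" threshold is this example's choice; run it elevated so the files under System32\config are readable.

```powershell
# Added example, not code from the original post: report "% Registry Quota In
# Use" and the on-disk size of each hive file listed in the post, flagging the
# post's 50% warning level and hives approaching the 2 GB limit on x64
# Windows 8 / Server 2012. Run elevated so System32\config can be read.
$counter     = '\System\% Registry Quota In Use'
$warnPercent = 50        # from the post
$limitBytes  = 2GB       # x64 hive limit from the KB
$hiveWarn    = $limitBytes / 2   # this example's threshold for a single hive

$quota = (Get-Counter -Counter $counter).CounterSamples[0].CookedValue
'{0}: {1:N1}%  {2}' -f $counter, $quota, $(if ($quota -gt $warnPercent) { 'INVESTIGATE' } else { 'ok' })

# Hive-to-file mapping from the post (HARDWARE is volatile and has no file).
$hives = @(
    @{ Hive = 'HKLM\SYSTEM';        File = "$env:windir\System32\config\SYSTEM" },
    @{ Hive = 'HKLM\SOFTWARE';      File = "$env:windir\System32\config\SOFTWARE" },
    @{ Hive = 'HKLM\SAM';           File = "$env:windir\System32\config\SAM" },
    @{ Hive = 'HKLM\SECURITY';      File = "$env:windir\System32\config\SECURITY" },
    @{ Hive = 'HKLM\COMPONENTS';    File = "$env:windir\System32\config\COMPONENTS" },
    @{ Hive = 'HKU\.DEFAULT';       File = "$env:windir\System32\config\DEFAULT" },
    @{ Hive = 'HKLM\BCD00000000';   File = "$env:SystemDrive\Boot\BCD" },
    @{ Hive = 'HKLM\CLUSTER';       File = "$env:windir\Cluster\CLUSDB" },
    @{ Hive = 'HKU\LocalService';   File = "$env:SystemRoot\ServiceProfiles\LocalService\Ntuser.dat" },
    @{ Hive = 'HKU\NetworkService'; File = "$env:SystemRoot\ServiceProfiles\NetworkService\Ntuser.dat" }
)
# Per-user hives under \Users\<username> (NTUSER.DAT and the Classes hive).
foreach ($dir in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    $hives += @{ Hive = "HKU\<SID of $($dir.Name)>";         File = Join-Path $dir.FullName 'NTUSER.DAT' }
    $hives += @{ Hive = "HKU\<SID of $($dir.Name)>\Classes"; File = Join-Path $dir.FullName 'AppData\Local\Microsoft\Windows\UsrClass.dat' }
}

$report = foreach ($h in $hives) {
    # -Force is needed because the hive files are hidden/system files.
    $f = Get-Item -LiteralPath $h.File -Force -ErrorAction SilentlyContinue
    if (-not $f) { continue }   # hive not present on this machine (e.g. CLUSDB, or BCD without a drive letter)
    New-Object PSObject -Property @{
        Hive     = $h.Hive
        SizeMB   = [math]::Round($f.Length / 1MB, 1)
        PctOf2GB = [math]::Round(100 * $f.Length / $limitBytes, 1)
        Status   = if ($f.Length -gt $hiveWarn) { 'GROWING' } else { 'ok' }
    }
}
$report | Sort-Object SizeMB -Descending | Format-Table Hive, SizeMB, PctOf2GB, Status -AutoSize
```

    Note that file size is only an approximation of in-memory hive size (a hive that has been cleaned but not yet reloaded still shows its bloated size on disk, as the answer below describes).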

    Question: How do I fix this issue once the hotfix is installed?

    Answer: After installing the hotfix, you may need to copy your registry file to another machine that has the hotfix installed. After you have cleared out the bloated entries (whitespace will remain), simply load the hive and then unload it. This process will shrink the registry hive back down to its pre-bloat size. If a system is unbootable due to registry bloat, install the hotfix on another system. Boot the problem system from DVD, copy the bloated registry hive to external storage, put it on the system with the hotfix, and use regedit to remove the bloated registry info and whitespace. The hive can then be copied back to the problem system to allow it to boot normally.

    Question: What happens if I see this problem on another OS version?

    Answer:  Simply copy your hive over to a Win 8/ Server 2012 machine that has this hotfix installed, then follow the steps above.

    Question: Are there any tools I can use to troubleshoot this issue?

    Answer:  Coming Soon


    How to Compress "Bloated" Registry Hives


  • RDP Fails with Event ID 1058 & Event 36870 with Remote Desktop Session Host Certificate & SSL Communication

    Hello AskPerf!  Sanket here from the Windows Platforms team here to discuss an issue with Remote Desktop Services where RDP does not work when you try to connect from a remote machine.  With that, let’s get started!

    I’m sure most of you have come across the following message when connecting to a machine via RDP:

    Remote Desktop Connection

    This computer can't connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.

    This is a generic error that can be caused by numerous reasons. We have a fairly detailed troubleshooting KB article that talks about this error and what to do to fix it:

    Remote Desktop disconnected or can’t connect to remote computer or to Remote Desktop server (Terminal Server) that is running Windows Server 2008 R2

    Our assumption is that most of you have followed this KB and resolved your issue. However, there could be other reasons that could cause RDP to fail as well.

    I recently worked an issue with same error where RDP from a remote machine was not connecting to a Windows 2012 Server.  NOTE the same error can occur on previous OS versions as well.

    It was a mystery what had changed on the server to cause this to start. Possible assumptions were user intervention, or some application may have changed/removed certain permissions.

    During the course of troubleshooting, we double-checked the KB article noted above, and noted the following Error events in the System Log:

    Log Name:      System
    Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
    Date:          7/27/2014 12:16:59 AM
    Event ID:      1058
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      XXXXXXX
    Description: The RD Session Host Server has failed to replace the expired self-signed certificate used for RD Session Host Server authentication on SSL connections.
    The relevant status code was Access is denied.

    This error indicates that there is already a certificate in place; however, there are insufficient permissions, and/or the default permissions on “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys” may have been modified.

    Log Name:      System
    Source:        Schannel
    Date:          --
    Event ID:      36870
    Task Category: None
    Level:         Error
    User:          SYSTEM
    Computer:      XXXXX
    Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D.
    The internal error state is 10001.

    There was a fatal error accessing the Private Key for secure communications.

    At this point, I decided to capture a Process Monitor (Procmon) log on the destination server where the connection was going to.  As you may already know, Procmon allows us to monitor/record real-time file system, Registry and process/thread activity on Windows Workstations/Servers.

    Per the Procmon log, we found an “Access Denied” error to the following path:


    The above cert key f686aace6942fb7f7ceb231212eef4a4_xxx is associated with RDS, and this GUID-like number is the key pair for both the computer and user.

    If you use the certutil -key command, you would see this Cert key with TSSecKeySet1:

    f686aace6942fb7f7ceb231212eef4a4_xxxxxxxxxx: AT_KEYEXCHANGE

    From the Procmon Logs:
    12:39:53.5364585 AM lsass.exe 588 CreateFile C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_xxxx ACCESS DENIED Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N/A, Share Mode: Read, Allocation Size: N/A,
    12:40:24.3692803 AM lsass.exe 588 CreateFile C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_xxxx ACCESS DENIED
    Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, Share Mode: Read, Allocation Size: n/a, Impersonating: NT AUTHORITY\SYSTEM
    12:40:23.9265708 AM svchost.exe 1012 CreateFile C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_xxxx ACCESS DENIED
    Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, Share Mode: Read, Allocation Size: n/a

    So, what are the default permissions? Well, you can use icacls to find this:

    C:\>icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
    Everyone :(R,W)
    BUILTIN\Administrators :(F)
    BUILTIN\Administrators ::(R)

    If you want to grant the permissions using icacls, you can do so with the following commands:

    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_xxxxx /grant "NT AUTHORITY\NETWORK SERVICE:(R)"
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_xxxxx /grant "NT AUTHORITY\SYSTEM:(F)"

    Fig 1.1 (Permission in Windows Explorer)

    As you can see above, the SYSTEM account needs the proper permissions. If these permissions have been changed, then they need to be put back to the defaults. The keys under this folder should be inheriting the above permissions from the parent folder MachineKeys.

    You can restore the permissions by granting them back using icacls, or by using the Windows Explorer GUI. Correcting the default permissions on the key should allow RDP to work correctly again.

    If the issue is easily reproducible, there is also the option to enable auditing on the cert key f686aace6942fb7f7ceb231212eef4a4_xxxxx under “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys”. This can be done using the Security tab of the Properties dialog of the key, as seen in the screenshot below:

    NOTE Adding auditing on this object will log events to the Security event log. You will want to keep this enabled until you are able to reproduce the connection issue.
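    A read-only check for the scenario above, added here as an example and not code from the original post: it pulls the 1058 and 36870 events from the System log, prints the DACL on MachineKeys for comparison with the icacls output above, and reports whether SYSTEM still has Full Control on the RDS key file and whether that file inherits from the folder (Fig 1.1). The key file prefix is the one shown in the post; the _xxxxx suffix is machine-specific, so the file is located by prefix.

```powershell
# Added example, not code from the original post: pull the two events described
# above from the System log and report the DACL on MachineKeys and on the RDS
# key file so it can be compared with the defaults in the post (Fig 1.1).
# Read-only; it changes nothing. The key file prefix is the one shown in the
# post; the "_xxxxx" suffix is machine-specific, so the file is found by prefix.
param(
    [string]$KeyPrefix = 'f686aace6942fb7f7ceb231212eef4a4',
    [int]   $Days      = 7
)
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$since = (Get-Date).AddDays(-$Days)

# 1. Events: RD Session Host certificate replacement failure (1058) and Schannel
#    private key access failure (36870). Either one points at the key file ACL.
$filters = @(
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'; Id = 1058; StartTime = $since },
    @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36870; StartTime = $since }
)
foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = {
            $m = $_.Message -replace '\s+', ' '
            $m.Substring(0, [Math]::Min(120, $m.Length))
        } }
}

# 2. ACLs. SYSTEM (which lsass.exe was impersonating in the Procmon output
#    above) must be able to read the key file; Full Control is the default.
function Test-SystemFullControl([string]$Path) {
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $rules = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    return [bool]$rules
}

'MachineKeys folder DACL (compare with the icacls output above):'
(Get-Acl -Path $machineKeys).Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

$keyFiles = @(Get-ChildItem -Path $machineKeys -Filter "$KeyPrefix*" -Force -ErrorAction SilentlyContinue)
if ($keyFiles.Count -eq 0) { "No key file starting with $KeyPrefix under $machineKeys (the container name may differ on this machine)." }
foreach ($kf in $keyFiles) {
    $acl   = Get-Acl -Path $kf.FullName
    $sysOk = Test-SystemFullControl $kf.FullName
    '{0}: SYSTEM Full Control = {1}, inherits from MachineKeys = {2}' -f $kf.Name, $sysOk, (-not $acl.AreAccessRulesProtected)
    if (-not $sysOk) {
        # Dump the DACL so the missing entry can be restored with icacls or Explorer.
        $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
    }
}
```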

    Hope you find this information helpful.

    Additional Resources

  • Updating Surface Pro 3 firmware (Cross Post)

    Hi this is Scott McArthur and I just wanted to call attention to a blog that I worked on with some of our PFE engineers that just posted related to Surface. 

    How to Update the Surface Pro 3 Firmware Offline using a USB Drive

    This blog shows you how you can update firmware from a bootable Windows PE USB flash drive. This is useful for scenarios where you need updated firmware BEFORE you do a deployment to the device. Hope it helps with your Surface deployments.

    Scott McArthur
    Senior Support Escalation Engineer