Hyper-V and Windows Server 2012 R2 with Update – Cannot find License Terms Error

I thought 512 Mbyte is enough for an IIS web server on a Windows 2012 R2 with Update Server Core, so I chose that amount of memory and started up the VM to install the OS. But then I got the following error: “Windows cannot find the Microsoft Software License Terms. Make sure the installation sources are valid and restart the installation.”


So firstly I checked the hash value of the ISO, but that wasn’t the problem. Furthermore, I followed some guides from the internet that suggest not selecting the ISO while setting up the VM and attaching it afterwards (Parallels and VMware issues), but that wasn’t the solution either.

After some research I came to the conclusion that you need to assign a minimum of 576 Mbyte to the VM to bypass this error.


Hardening Internet Explorer and Java 6 #infosec


As an IT guy you would always like to upgrade to the latest patched version of an OS/Framework/App etc. to be more secure in this Wild Wild West Internet thing. But what if your business still uses Internet Explorer 8 or 9 and your business apps are stuck at Java 6, so Java 6 Update 45 is your highest possible version (insecure, really insecure –> Hackers target Java 6 with Security Exploits)? I did some research, and these Registry settings should reduce the attack surface of Internet Explorer in combination with Java 6 Update 45 on the Internet while still being able to run Java on INTRANET sites:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1C00"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1C00"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA}\iexplore\AllowedDomains\*]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8AD9C840-044E-11D1-B3E9-00805F499D93}\iexplore\AllowedDomains\*]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]
"iexplore.exe"=dword:00000000

The first two entries prevent IE from starting Java applets in the Internet Zone but still keep Java applets in the Intranet Zone working.

Internet Zone Java Applet example: http://www.natice.noaa.gov/ims/loop/nhem-1mo-loop.html

The last three entries remove the trusted domains for Internet Java object calls and prevent users from adding domains to the “Allowed” list, but still keep Intranet Zone Java object calls working:

Internet Zone Java Object example: http://deletethis.net/dave/qbp/

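The first two entries live under HKEY_LOCAL_MACHINE, so they are easy to embed into an OS image process. The last three live under HKEY_CURRENT_USER, so they can only be applied per user through a user GPO or script.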
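To confirm that a machine and user profile actually carry these settings, a read-only audit can be run in the user's session. This is an added example, not part of the original post; the function name Test-DwordValue and the output layout are made up for illustration.

```powershell
# Added example: read-only audit of the five settings in the .reg file above.
# Run as the logged-on user (the HKCU checks are per user), in 64-bit PowerShell.
$zone3  = 'Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$stats  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'
$band   = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND'
$clsids = '{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA}',
          '{8AD9C840-044E-11D1-B3E9-00805F499D93}'

function Test-DwordValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    # A missing key or value is a failure: the setting was never applied.
    return ($null -ne $item) -and ($item.$Name -eq $Expected)
}

$results = @()

# Machine-wide: 1C00 = 0 in zone 3 (Internet), native and 32-bit registry views.
# On 32-bit Windows there is no Wow6432Node, so that row reports False.
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $path = "$root\$zone3"
    $results += New-Object psobject -Property @{
        Check = "1C00 = 0 in $path"
        Pass  = Test-DwordValue -Path $path -Name '1C00' -Expected 0
    }
}

# Per user: the key is literally named "*", so -LiteralPath is required;
# with -Path the asterisk would be expanded as a wildcard.
foreach ($clsid in $clsids) {
    $key = "$stats\$clsid\iexplore\AllowedDomains\*"
    $results += New-Object psobject -Property @{
        Check = "No AllowedDomains\* key for $clsid"
        Pass  = -not (Test-Path -LiteralPath $key)
    }
}

$results += New-Object psobject -Property @{
    Check = 'FEATURE_SECURITYBAND: iexplore.exe = 0'
    Pass  = Test-DwordValue -Path $band -Name 'iexplore.exe' -Expected 0
}

$results | Select-Object Check, Pass | Format-Table -AutoSize -Wrap
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

The non-zero exit code makes the script usable as a logon-script or inventory compliance check.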

Some sites that helped me out, and interesting material for further reading:

Controlling Java in Internet Explorer, Securing the Java plug-in in Internet Explorer, How to use Java in the Enterprise while Limiting Exposure with IE Trusted Sites


VMware ESXi 5.x onto a Dell OptiPlex 9020 (Intel I217-LM)

You would like to set up a VMware lab but don’t have the budget for a real server? What about using a desktop like a Dell OptiPlex 9020? “I would”, you say, “but I know that standard desktops are not supported by VMware and that there are mostly issues with the NIC drivers.” You are right, the NIC and SATA drivers can cause issues on so-called ‘white boxes’. But luckily, someone on the wide, wide Internet has already done all the hard work and created some great tools/resources to help out.

Every ‘white box’ is different, but I will show you here how to get ESXi (in this case ESXi 5.1.0) running on the Dell OptiPlex 9020:

1.) Download the ESXi-Customizer

2.) Download the net-e1000e-2.3.2.x86_64.vib file for the onboard Intel NIC card here (see also here)

3.) Start the ESXi-Customizer and choose the options like here:

image

4.) You will get a message that existing drivers will be replaced. This is OK; it is what we want.

5.) Check the ESXi-Customizer.log (it’s in the working directory, in my example C:\VMware\Work) to see whether everything went fine.

6.) Burn the ISO ESXi-5.x-Custom.iso (it’s in the working directory, in my example C:\VMware\Work) onto a CD or create a USB stick with a tool like UNetbootin.

DONE!

Some additional resources which helped me here: vm-help.com, Home IT Lab, ivobeerens.nl, VMware Front Experience


Microsoft Lync 2010: Unable to search for contacts

Sometimes the contact list gets corrupted (example: an invalid character in an “out of office” message). You then cannot search for contacts within Lync 2010, and restarting the application or the whole PC doesn’t help either.

So what can you do?

Firstly close Lync and Outlook!

Then delete the following per-user Lync 2010 databases and caches in the folder %localappdata%\Microsoft\Communicator\sip_<sign-in name>:

  • Galcontacts.DB
  • galcontacts.DB.IDX
  • CoreContact.cache
  • ABS_<sign-in name>.Cache
  • Mfugroup.Cache
  • PersonalLISDB.cache
  • PresencePhoto.cache

After Lync 2010 starts, it usually waits a random amount of time before it syncs the address book. Add this registry entry and it will start syncing immediately:

reg add HKLM\Software\Policies\Microsoft\Communicator /v GalDownloadInitialDelay /t REG_DWORD /d 0 /f

Start Lync 2010 now and you should be able to search for contacts nearly immediately.

You can find some more insights about “Updating the Lync 2010 Address Book” here.

Sources: (1), (2)


BitLocker–MBAM–Error

Here are some errors and solutions I found while rolling out the MBAM (Microsoft BitLocker Administration and Monitoring) Agent.

Problem 1 – “Error checking whether TPM chip is ready”:


Solution 1:

Check whether the driver for the TPM chip is loaded correctly. If the driver couldn’t be loaded, uninstall the device (incl. the existing drivers) from the Device Manager and reboot. After the reboot the TPM chip device should be loaded correctly.

Problem 2 – “Error taking ownership of the TPM”:


Solution 2:

This issue occurs when the TPM Endorsement Key is missing. The following VBS code checks for the TPM Endorsement Key pair and creates it if it is not present:

=============== Script Text ===============

' Connect to the TPM WMI provider on the local machine
Set objWMIService = GetObject("WinMgmts:{impersonationLevel=impersonate,AuthenticationLevel=pktprivacy}//" & "." & "\root\CIMV2\Security\MicrosoftTpm")
Set objItems = objWMIService.InstancesOf("Win32_Tpm")

For Each objItem In objItems
    'rvaluea = objItem.IsEnabled(A)
    'rvalueb = objItem.IsActivated(B)
    'rvaluec = objItem.IsOwned(C)
    ' D receives True when an endorsement key pair already exists
    rvalued = objItem.IsEndorsementKeyPairPresent(D)

    'If A Then
    'WScript.Echo "TPM Is Enabled: " & A
    'Else
    'WScript.Echo "TPM Is Enabled: " & A
    'End If

    'If B Then
    'WScript.Echo "TPM Is Activated: " & B
    'Else
    'WScript.Echo "TPM Is Activated: " & B
    'End If

    'If C Then
    'WScript.Echo "TPM Is Owned: " & C
    'Else
    'WScript.Echo "TPM Is Owned: " & C
    'End If

    'If D Then
    'WScript.Echo "TPM Is EndorsementKeyPairPresent: " & D
    'Else
    If Not D Then
        'WScript.Echo "TPM Is EndorsementKeyPairPresent: " & D
        'WScript.Echo "CreateEndorsementKeyPair... Please Wait"
        ' Create the missing key pair; a non-zero return value means failure
        rvaluee = objItem.CreateEndorsementKeyPair(E)
        'WScript.Echo "CreateEndorsementKeyPair... Returns:" & rvaluee & " and E=" & E
        If (rvaluee <> 0) Then
            WScript.Quit -1
        End If
    End If
Next
WScript.Quit 0

=============== Script Text ===============

Source: http://support.microsoft.com/kb/2640178


Problem 3 – “Encryption failed – BitLocker could not encrypt one or more drives on this computer”

manage-bde -on c: fails with error code 0x80310004.

Solution 3:

Sometimes Acronis (and maybe other imaging tools too) modifies the MBR, and that stops BitLocker from proceeding.

So you need a Windows 7 DVD or a System Repair Disc to get into the Windows Recovery Environment, open the Command Prompt repair console and execute these commands:

bootrec.exe /fixmbr

bootrec.exe /fixboot

See also: http://support.microsoft.com/kb/927392/en-us


Problem 4 – “Error code 0x80310018”

manage-bde -on c: fails with error code 0x80310018 (Not Owned).

Solution 4:

manage-bde -tpm -o Test_Password (<- choose something random)

See also: COM Error Codes (TPM, PLA, FVE)
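Problems 1, 2 and 4 can be spotted before the MBAM agent is rolled out by querying the same Win32_Tpm methods that the VBScript above uses. This is an added example, not part of the original post or the Microsoft KB article; it only reads the TPM state and changes nothing, and the finding texts are my own wording.

```powershell
# Added example: read-only TPM pre-flight for an MBAM/BitLocker rollout.
# Run elevated. Uses the same Win32_Tpm methods as the VBScript above.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue

if (-not $tpm) {
    # No Win32_Tpm instance is visible, for example because the TPM driver is not loaded.
    Write-Warning 'No TPM instance visible to Windows (see Problem 1: check the TPM driver).'
    exit 2
}

# Each method returns an object carrying ReturnValue plus the named out-parameter.
$state = New-Object psobject -Property @{
    Enabled   = $tpm.IsEnabled().IsEnabled
    Activated = $tpm.IsActivated().IsActivated
    Owned     = $tpm.IsOwned().IsOwned
    EkPresent = $tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent
}
$state | Format-List Enabled, Activated, Owned, EkPresent

$findings = @()
if (-not $state.Enabled -or -not $state.Activated) {
    $findings += 'TPM is not enabled and activated.'
}
if (-not $state.EkPresent) {
    $findings += 'Endorsement key pair missing: expect Problem 2 (taking ownership fails).'
}
if (-not $state.Owned) {
    $findings += 'TPM has no owner: manage-bde -on reports 0x80310018 (Problem 4) until ownership is taken.'
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'TPM is enabled, activated, owned and has an endorsement key pair.'
```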


Windows KMS/Volume Activation troubleshooting

What to do when Windows 7 comes up with a message that the Windows Activation Status is ‘not available’ (START->RUN..-> control /name Microsoft.System) or not genuine (text at the bottom right corner of your desktop background), or a key icon comes up in the bottom right notification area? Maybe you say: “What? I have a KMS/Volume Activation setup! I shouldn’t care…”.

But also in a KMS/Volume Activation environment this error can occur!

So what to do now?

Firstly, check whether you have an intranet connection and are able to reach the Volume License Server: ping the system listed in DNS under “Forward Lookup Zones/Domain name/_tcp/_VLMCS” (see also –> http://technet.microsoft.com/en-us/library/ff793405.aspx).

Secondly, check whether the Software Protection Service is running –> START->RUN..-> services.msc

If that is the case but you still have no correct Activation status, do the following:

1.) Open a Command Prompt with administrative rights

2.) Type slmgr.vbs /dli and see if you get a product ID

If you get an error that a product cannot be listed, you need to provide a KMS setup key first and activate the KMS client manually (http://technet.microsoft.com/en-us/library/ff793409.aspx):

Setup key: slmgr.vbs /ipk 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH (example for Windows 7 Enterprise)

Activate manually: slmgr.vbs /ato
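The checks above can be collected into one read-only script. This is an added example, not part of the original post; it assumes English nslookup output and a domain-joined client, and it tests the TCP port from the SRV record instead of sending a ping, which goes slightly beyond the steps described.

```powershell
# Added example: the connectivity, service and licence checks from the post (read-only).
# Assumes English nslookup output; $Domain defaults to the user's AD DNS domain.
param([string]$Domain = $env:USERDNSDOMAIN)

if (-not $Domain) {
    Write-Warning 'No DNS domain known; pass -Domain explicitly.'
    exit 1
}

# 1. Find the KMS host through its SRV record, _VLMCS._tcp.<domain>.
$out      = & nslookup.exe -type=srv "_vlmcs._tcp.$Domain" 2>$null
$hostLine = $out | Select-String -Pattern 'svr hostname\s*=\s*(\S+)' | Select-Object -First 1
$portLine = $out | Select-String -Pattern 'port\s*=\s*(\d+)' | Select-Object -First 1
if (-not $hostLine -or -not $portLine) {
    Write-Warning "No _VLMCS SRV record found for '$Domain'; check DNS and the intranet link."
    exit 1
}
$kmsHost = $hostLine.Matches[0].Groups[1].Value
$kmsPort = [int]$portLine.Matches[0].Groups[1].Value

# 2. Test the TCP port from the SRV record; ping can be filtered even when KMS is reachable.
$client = New-Object System.Net.Sockets.TcpClient
try     { $client.Connect($kmsHost, $kmsPort); $reachable = $true }
catch   { $reachable = $false }
finally { $client.Close() }

# 3. Software Protection service state, then the licence summary from slmgr.vbs /dli.
$svc = Get-Service -Name sppsvc -ErrorAction SilentlyContinue

"KMS host            : ${kmsHost}:$kmsPort"
"TCP reachable       : $reachable"
"Software Protection : $(if ($svc) { $svc.Status } else { 'service not found' })"
& cscript.exe //nologo "$env:windir\System32\slmgr.vbs" /dli
```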

Here are some additional resources/tools for more help or to get a better background understanding:

Windows Volume Activation (Microsoft Main Page)–> http://technet.microsoft.com/en-us/windows/dd197314.aspx

Troubleshooting Activation Issues with Windows 7 and Windows Server 2008 R2 (Webcast) –> http://bit.ly/yrlHDC

Genuine Diagnostics tool –> http://go.microsoft.com/fwlink/?linkid=52012

How to troubleshoot Volume Activation error codes on Windows 7, Windows Server 2008 and Windows Vista-based computers –> http://support.microsoft.com/kb/938450/en-us

Windows Volume Activation in Cambridge –> http://www.ucs.cam.ac.uk/support/winsuptech/volact/windowsva


Beyond Google Reader

Google Reader ends today and you need to switch to another cloud RSS service.

So what can (should) you do?

1.) Download your RSS data through Takeout:


2.) Save ALL your data with this Python tool called ‘Reader is Dead’ to back up everything you have/had within your Google Reader account:

Reader is Dead

So now that you have backed up your data, what now?

There are several RSS cloud alternatives out there, but I looked only at the ones with good ‘backbones’, i.e. the ones that will most likely survive the current RSS rush.

Here are my findings:

I tested AOL, Digg and Feedly and I need to say that each of them is worth trying.

AOL and Digg are still in BETA, and it’s a shame that they didn’t bring out the final setup/versions before Google Reader ends, because users who have switched once from one RSS cloud service to another will most likely not do it again often….

So what is the current status of each service (1st July 2013)?

AOL Reader (BETA)

Pro: As a web app it supports responsive web design and looks good, has tag support and keyboard shortcuts, and you are able to share your posts to external social platforms.

Contra: No feed search, advertisements in the right pane, no native iOS/Android apps, and you can’t export your data.

Digg Reader (BETA)

Pro: iOS 6 app available, keyboard shortcuts, supports Read Later services.

Contra: No feed search, doesn’t support every web browser/platform, no Android app, no tags, no export, and you can only share to Facebook and Twitter.

Feedly

Pro: native apps and extensions for several platforms/browsers, tags, keyboard shortcuts, basic export capabilities, sharing to many social platforms.

Contra: No feed search.

Out of these three Google Reader alternatives, Feedly is the fully matured one, but it still lacks feed search, and that was THE FEATURE of Google Reader…