How To Fix “CredSSP” Error When Remoting into Windows Server 2012 R2 and Other Versions

Had to set up a new Windows Server 2012 R2 virtual machine. I’d run into this problem before but it cleared up on its own after updates. This fix works on other versions of Windows as well. I won’t go into specific details because the firewall configuration varies for each version of Windows whether it is Server or a Desktop version.

The issue is that at least on virtual machines, Server 2012 won’t let you RDP into the box. This is true even if Remote Desktop access is enabled either manually or by group policy. Your first step is to let RDP through the firewall.

Allow Remote Desktop Access Through Windows Firewall

I don’t have steps for this yet, but it’s fairly simple. Get into Windows Firewall through the control panel. Under whatever sort of network you’re connected to there are rules for letting applications and protocols though the firewall. Just enable all of them labeled “Remote Desktop”. There were two on my Server 2012 R2 box.

Fix CredSSP Error After Enabling Firewall Access

I’ve had this happen a few times. The specific error is something like this (I copied from Microsoft).

An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. 

https://support.microsoft.com/en-us/help/4295591/credssp-encryption-oracle-remediation-error-when-to-rdp-to-azure-vm

The problem usually clears up on its own after updates. The specific update you need to install is KB4103725 to fix the issue. You can get this update through Microsoft’s Update Catalog.

If you aren’t trying to fix Server 2012 R2, here’s a link to a Microsoft article with the version of the update you need. It’s very specific and I tried installing the 2012 non-R2 version on mine twice before realizing there was a separate update for R2.

https://support.microsoft.com/en-us/help/4295591/credssp-encryption-oracle-remediation-error-when-to-rdp-to-azure-vm

How to Fix Windows Cannot Check For Updates Because Service is Not Running

No screenshots for this one. If anyone has a screen shot for this particular error, send it over, I’ll credit you in the notes. Just fill out the contact form and I’ll get in touch with you.

Had a customer with some machines that needed re-imaged. Image was kind of old and had this problem. There’s a lot of information about the .NET Framework service not running information on the Microsoft Forums. There’s also some information about a particular hotfix that needs installed. After doing some digging I found that this isn’t the issue at least after a re-image, or OS corruption.

Microsoft has quick fix for this issue, but it’s so easy to fix I am not going to both to link to it. This applies to Windows 7 but I suspect the fix applies to other versions of Windows as well.

How to Fix Windows Update Error: Cannot Check for Updates Because Windows Update Service is Not Running

Step 1: Log into Windows as an Administrator. Preferably as a local administrator.

Step 2: Open Services. The easiest way is to click the Start Button and type “services.msc”. You can also just type “services” and click the option that is labeled “Services” with an icon that looks like gears.

Step 3: Scroll down the list of services until you find “Windows Update”. Click on it.

Step 4: On the left side of the screen click the “Stop” link. You can also right click on Windows Update and click “Stop” or it might be under “All Tasks” then click “Stop”.

Step 5: Open File Explorer and navigate to C:\Windows

Step 6: Rename the folder “SoftwareDistribution” to “SoftwareDistributionOLD”. You can also just delete it. I’ve done it both ways with no ill effects.

Step 7: Reboot the computer.

Notes: For step 7, Microsoft seems to imply you can just start the Windows Update service and it will work. I’ve done this on five or six machines now and it has not worked until after a reboot. I have also been able to reboot without starting the service and it has worked just fine. It still gives the red error indicating your computer needs security updates, but when you click the check for update button it works just fine.

Outlook Shared Calendars Showing “Cannot Be Updated”

This is a running issue in certain places where Microsoft Exchange is hosted on site.  A user will share their calendar and the recipient won’t be able to see it because the calendar will show “cannot be updated” or some similar message on the Calendar tab.

There are a lot of fixes for this out there that might work. One is to set Outlook in Cached Mode, or take it out of Cached Mode and put it back. Sometimes this works, sometimes it doesn’t.

What I was able to track down was that the account doing the sharing sometimes gets corrupted on the Exchange server itself. The default calendar’s sharing permissions get messed up somehow and must be set back to defaults.

How to Fix Outlook Shared Calendars Showing “Cannot Be Updated”

Step 1 – Log into your Exchange Server and Open the Exchange Management Shell. It’s the Powershell with the orange icon behind it.

Step 2 – Enter the following command:

Get-MailboxFolderPermission -Identity username:\calendar

You should get a readout that looks something like this:

RunspaceId : 18b6bb25-14bf-40cc-9843-c76c4d2f5116
FolderName : Calendar
User : Default
AccessRights : {AvailabilityOnly}
Identity : Default
IsValid : True

There might be a bunch of other stuff on there but the first group should be the default. What you’re looking for is the “Access Rights” row. If it says {None}, there’s a good chance that’s part of your problem. If it says LimitedDetails or AvailabilityOnly, you probably have another problem.

Note – username could be the person’s windows login name, an email address or an alias, you might need to experiment a little to figure out what it is for your environment.

Step 4 – Once you’ve determined whether this is your problem or not type the following:

Set-MailboxFolderPermission -Identity username:\calendar  -User Default -AccessRights AvailabilityOnly

Note- I noticed that on Microsoft’s site there was a space between :\ and calendar. I was given an error when I typed it like that, but not when I excluded the space. The article was for Exchange 2010, so I’m not sure what the problem was. Also the article I referenced this code from used an email address as the Identity, that did not work for me with either Get or Set Mailbox Folder Permissions. I suspect it is different depending on environment. I also do not know if “Default” should be capitalized, I suspect not.

You can also change the “AvailabilityOnly” to “LimitedDetails”, that’s just the default on all the Exchange Servers I work with.

This seems to fix some of the weirder cases of this problem. The recipient user may need to close Outlook, re-add the calendar, wait a while, or reboot but it does seem to work.

If this doesn’t correct the problem, it will at least correct a permission issue that isn’t obvious on your server.

 

How To Fix Outlook 2016 Freezing on Loading Profile

I haven’t found a permanent fix for this problem in all cases. So consider this article “ongoing” for now. I’ve noticed that sometimes that Outlook 2016 will freeze on the “Loading Profile” screen on Windows 10 computers. This seems fairly specific to machines connected to an Exchange account of some kind.

The first few times I encountered it the below fix resolved it completely after one time. I have seen a few computers where, it still does this despite a local profile wipe (which on Windows 10 is not the best idea apparently). It usually happens after the user reboots. If anyone knows what actually causes this problem, and an actual fix, rather than the below “band-aid” I’d love to hear it and will give credit in an addendum to the article.

Fix Outlook 2016 Freeze on “Loading Profile” Screen

Step 1 – Either close Outlook or have the user do it. You can kill the task remotely or just close the load screen window. It isn’t really frozen, it’s just stuck most of the time.

Step 2 – Navigate to the following directory on the user’s machine: C:\Users\[user profile name]\AppData\Local\Microsoft\Outlook

Tip: You can do this remotely by navigating to \\[user’s PC hostname]\C$\Users\[user profile name]\AppData\Local\Microsoft\Outlook

Step 3 – Look for a file in that directory called “useremailaddress@domain.com.ost”. Delete it.

Step 4 – Have the user re-open Outlook.

This seems to resolve the problem. The issue seems to stem from a corrupted OST file or something. Sometimes this will keep happening when the user reboots the computer or the computer updates. Most of the time not though.  I’ve tried the following to fix the issue on the machines where this recurs with no luck:

  • Making a new Mail Profile and re-setting up Outlook
  • Doing a full Profile Wipe on the local computer
  • Doing a Windows 10 “restore”
  • Repairing Office.

I haven’t tried taking Office completely off and putting it back on, may try that next and see if it’s just a corrupted Office installation, nor have I tried removing the affected user’s Inbox at the Exchange level and see if that fixes it. I tend to think it’s a problem on the local machine as only certain PC’s have the problem.

I’ve read a few Technet articles and had very little luck with that either.

It could, in theory be some other file that’s corrupted, I have a hard time believing Outlook would repeatedly corrupt an OST file, I have not tried removing the entire Outlook Folder to see if that fixes the issue.

If anyone has any ideas please let me know!

How To Schedule Remote Restarts For Windows PC’s In A Specific OU – Server Basics

Restarting a local server once after hours is a pretty neat trick but sometimes you need to restart an entire Organizational Unit of computers. There’s a few ways to do this. You can do it with the shutdown command by hostname and keep a little batch script updated. Or you can use a PowerShell Script.

I’d like to credit Jack McCarty for this command. He came up with most of this either on his own or from stuff he found various places on the internet.

 

How To Remotely Restart Computers In A Specific OU With Powershell

This is one of several methods and, honestly it’s pretty slow but it works pretty well, and the advantage is you can just add machines to the OU you want to restart. This is a pretty flexible command/script and can be modified to do other things instead of restarting computers. Also, please note this forces the restart.

Step 1 – Open up your favorite script editor on your server. I like Notepad++ personally. The Powershell ISE is pretty good as well.

Step 2 – Copy and paste the code snippet below into your code editor and change it. The appropriate place to modify is the string after -searchbase. You’ll need to change “OU=Lab, OU=Workstations, DC=workendtech, DC=local” to fit your environment. If your domain is say, Example.com and you wanted to reboot everything in the Computers CN you’d change it to something like “CN=Computers, DC=Example, DC=com”.

get-adcomputer -filter * -searchbase "OU=Lab, OU=Workstations, DC=workendtech, DC=local"|Select * ,@{n='computername';e={$_.name}} |restart-computer -force

Step 3 – Save the file as a plain text file with a .ps1 file extension. Some code editors will have a Save As “PowerShell Script” file type that will do this do you.

Step 4 – Run the script through Powershell. You can also run the command directly without saving it as a script.

Scheduling A Powershell Script in Task Manager

There’s not much to scheduling a powershell script in task manager.

Step 1 – Create your Task as normal

Step 2 – In the Actions Window/Tab type “powershell” (without the quotes) in the ‘program/script’ box. In the arguments type “-file ” in the arguments box. You can also add the path to your script in the “Start In”  box.

Note: Some scripts may need a few extra arguments. Testing the command in your command prompt will usually help you figure that out. The one above seems to work just fine with just “-file”.