Channel: Security forum

Can't install updates KB2807986, KB2748349 and KB2636573, HRESULT = 0x80070005 - E_ACCESSDENIED, Windows Server 2008 R2


All other updates apply. 

Readiness tool shows no errors, only access denied as below. Does anybody have any suggestions on what to do or what else I could check? Help please.

2019-07-29 00:01:20, Info                  CBS            INSTALL index: 0, phase: 1, result 5, inf: netrndis.inf
2019-07-29 00:01:20, Info                  CBS    DriverUpdateInstallUpdates failed [HRESULT = 0x80070005 - E_ACCESSDENIED]
2019-07-29 00:01:20, Error                 CBS    Doqe: Failed installing driver updates [HRESULT = 0x80070005 - E_ACCESSDENIED]
2019-07-29 00:01:20, Info                  CBS    Perf: Doqe: Install ended.
2019-07-29 00:01:20, Info                  CBS    Failed installing driver updates [HRESULT = 0x80070005 - E_ACCESSDENIED]
2019-07-29 00:01:20, Error                 CBS    Startup: Failed while processing non-critical driver operations queue. [HRESULT = 0x80070005 - E_ACCESSDENIED]
2019-07-29 00:01:20, Info                  CBS    Startup: Rolling back KTM, because drivers failed.
2019-07-29 00:01:20, Info                  CBS    Setting ExecuteState key to: CbsExecuteStateStageDrivers | CbsExecuteStateFlagRollback | CbsExecuteStateFlagDriversFailed
2019-07-29 00:01:20, Info                  CBS    Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Rollback.
2019-07-29 00:01:20, Info                  CBS    Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Rollback.
2019-07-29 00:01:20, Info                  CBS    Doqe:   q-unstage: Inf: netrndis.inf, Ranking: 2, Device-Install: 0, Key: 1, Identity: netrndis.inf, Culture=neutral, Type=driverUpdate, Version=6.1.7600.17233, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS
2019-07-29 00:01:20, Info                  CBS    Perf: Doqe: Unstaging started.
2019-07-29 00:01:20, Info                  CBS    Doqe: [Rollback] Unstaging driver updates, Count 1
2019-07-29 00:01:20, Info                  CBS            UNSTAGE index: 0, phase: 1, result 0, inf: netrndis.inf
2019-07-29 00:01:20, Info                  CBS    Perf: Doqe: Unstaging ended.
2019-07-29 00:01:20, Info                  CBS    Setting ExecuteState key to: CbsExecuteStateFailed
2019-07-29 00:01:20, Info                  CBS    Removed poqexec from Cbs key.
2019-07-29 00:01:20, Info                  CBS    Removed CCP impactful-commit disabling value.
2019-07-29 00:01:20, Info                  CBS    Doqe: Enabling Device installs
2019-07-29 00:01:20, Info                  CSI    00000006 Cancelling transactions: [1:[79]"TI4.30754199_3348658021:3/Package_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2"[1]"]"

2019-07-29 00:01:20, Info                  CSI    00000007 Creating NT transaction (seq 1), objectname [6]"(null)"
2019-07-29 00:01:20, Info                  CSI    00000008 Created NT transaction (seq 1) result 0x00000000, handle @0x22c
2019-07-29 00:01:20, Info                  CSI    00000009@2019/7/28:23:01:20.638 CSI perf trace:
CSIPERF:TXCOMMIT;57287
2019-07-29 00:01:20, Error                 CBS    Doqe: Marked package Package_6_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2 as failed. [HRESULT = 0x00000000 - S_OK]
2019-07-29 00:01:20, Info                  CBS    Clearing HangDetect value
2019-07-29 00:01:20, Info                  CBS    Saved last global progress. Current: 1, Limit: 1, ExecuteState: CbsExecuteStateFailed
2019-07-29 00:01:20, Info                  CBS    Doqe: Unlocking driver updates, Count 1
2019-07-29 00:01:20, Info                  CBS    WER: Generating failure report for package: Package_6_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2, status: 0x80070005, failure source: DOQ, start state: Staged, target state: Installed, client id: WindowsUpdateAgent
2019-07-29 00:01:20, Info                  CBS    Failed to query DisableWerReporting flag.  Assuming not set... [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2019-07-29 00:01:20, Info                  CBS    Failed to add %windir%\winsxs\pending.xml to WER report because it is missing.  Continuing without it...
2019-07-29 00:01:20, Info                  CBS    Failed to add %windir%\winsxs\pending.xml.bad to WER report because it is missing.  Continuing without it...
2019-07-29 00:01:20, Info                  CBS    Startup: Changing logon timeout to a static timeout: 10800000
2019-07-29 00:01:21, Info                  CBS    Failed to parse CSI error string. [HRESULT = 0x80070057 - E_INVALIDARG]
2019-07-29 00:01:21, Info                  CBS    Failed to get AI/GC error details from raw error details. [HRESULT = 0x80070057 - E_INVALIDARG]
2019-07-29 00:01:21, Info                  CBS    Did not send SQM reports for pending package: Package_6_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2 [HRESULT = 0x80070057 - E_INVALIDARG]
2019-07-29 00:01:21, Info                  CBS    Startup: Package: Package_6_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2 completed startup processing, new state: Staged, original: Staged, targeted: Installed.  hr = 0x80070005
2019-07-29 00:01:21, Info                  CBS    WER: Generating failure report for package: Package_for_KB2807986_RTM~31bf3856ad364e35~amd64~~6.1.1.2, status: 0x80070005, failure source: DOQ, start state: Staged, target state: Installed, client id: WindowsUpdateAgent
2019-07-29 00:01:21, Info                  CBS    Failed to query DisableWerReporting flag.  Assuming not set... [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2019-07-29 00:01:21, Info                  CBS    Failed to add %windir%\winsxs\pending.xml to WER report because it is missing.  Continuing without it...
2019-07-29 00:01:21, Info                  CBS    Failed to add %windir%\winsxs\pending.xml.bad to WER report because it is missing.  Continuing without it...
2019-07-29 00:01:21, Info                  CBS    Failed to parse CSI error string. [HRESULT = 0x80070057 - E_INVALIDARG]
2019-07-29 00:01:21, Info                  CBS    Failed to get AI/GC error details from raw error details. [HRESULT = 0x80070057 - E_INVALIDARG]
2019-07-29 00:01:21, Info                  CBS    Did not send SQM reports for pending package: Package_for_KB2807986_RTM~31bf3856ad364e35~amd64~~6.1.1.2 [HRESULT = 0x80070057 - E_INVALIDARG]
2019-07-29 00:01:21, Info                  CBS    Startup: Package: Package_for_KB2807986_RTM~31bf3856ad364e35~amd64~~6.1.1.2 completed startup processing, new state: Staged, original: Staged, targeted: Installed.  hr = 0x80070005
2019-07-29 00:01:21, Info                  CBS    WER: Generating failure report for package: Package_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2, status: 0x80070005, failure source: DOQ, start state: Staged, target state: Installed, client id: WindowsUpdateAgent
2019-07-29 00:01:21, Info                  CBS    Failed to query DisableWerReporting flag.  Assuming not set... [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2019-07-29 00:01:21, Info                  CBS    Failed to add %windir%\winsxs\pending.xml to WER report because it is missing.  Continuing without it...
2019-07-29 00:01:21, Info                  CBS    Failed to add %windir%\winsxs\pending.xml.bad to WER report because it is missing.  Continuing without it...
2019-07-29 00:01:21, Info                  CBS    Failed to parse CSI error string. [HRESULT = 0x80070057 - E_INVALIDARG]
2019-07-29 00:01:21, Info                  CBS    Failed to get AI/GC error details from raw error details. [HRESULT = 0x80070057 - E_INVALIDARG]
2019-07-29 00:01:21, Info                  CBS    Did not send SQM reports for pending package: Package_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2 [HRESULT = 0x80070057 - E_INVALIDARG]
2019-07-29 00:01:21, Info                  CBS    Startup: Package: Package_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2 completed startup processing, new state: Staged, original: Staged, targeted: Installed.  hr = 0x80070005
2019-07-29 00:01:21, Info                  CBS    Startup: Package: Package_2_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2 completed startup processing, new state: Staged, original: Staged, targeted: Staged.  hr = 0x800f0826
2019-07-29 00:01:21, Info                  CBS    Startup: Package: Package_3_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2 completed startup processing, new state: Staged, original: Staged, targeted: Staged.  hr = 0x800f0826
2019-07-29 00:01:21, Info                  CBS    Startup: Package: Package_5_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2 completed startup processing, new state: Staged, original: Staged, targeted: Staged.  hr = 0x800f0826
2019-07-29 00:01:21, Info                  CBS    Startup: Package: Package_7_for_KB2807986~31bf3856ad364e35~amd64~~6.1.1.2 completed startup processing, new state: Staged, original: Staged, targeted: Installed.  hr = 0x800f0826
2019-07-29 00:01:21, Info                  CBS    Startup: Package: Package_for_KB2807986_SP1~31bf3856ad364e35~amd64~~6.1.1.2 completed startup processing, new state: Staged, original: Staged, targeted: Staged.  hr = 0x800f0826
2019-07-29 00:01:21, Info                  CBS    Setting ExecuteState key to: ExecuteStateNone
2019-07-29 00:01:21, Info                  CBS    Setting RollbackFailed flag to 0
2019-07-29 00:01:21, Info                  CBS    Clearing HangDetect value
2019-07-29 00:01:21, Info                  CBS    Saved last global progress. Current: 0, Limit: 1, ExecuteState: ExecuteStateNone
2019-07-29 00:01:21, Info                  CBS    CBS has signaled TrustedInstaller that a reboot is required.
2019-07-29 00:01:21, Info                  CBS    Startup: Retry delayed by pending reboot; making sure we remain auto-start and don't clean up the package store.
2019-07-29 00:01:21, Info                  CBS    Startup: received notification that startup processing completed and a restart has been initiated.
2019-07-29 00:01:21, Info                  CBS    Startup: Processing complete. [HRESULT = 0x80070bc2 - ERROR_SUCCESS_REBOOT_REQUIRED]
2019-07-29 00:01:21, Info                  CBS    Restored system sleep block state: 0x80000000


BitLocker Network Unlock - event ID 24645 on client


Hi,

I am trying to get the BitLocker Network Unlock feature to work, but with no luck. The client computer always asks for a PIN.

Symptoms on the client side are simple: an event with ID 24645, saying Bootmgr failed to obtain the BitLocker volume master key from the network key protector, occurs on every boot.

Symptoms on server side (WDS) are more specific:

When the server starts, it logs several events with ID 24577 covering NKPPROV initialization that is successful. There is only one warning with ID 32770

[WDSServer/WDSPXE/NKPPROV] Could not find the configuration file section corresponding to the specified certificate thumbprint. No subnet restrictions will apply to this certificate. Certificate thumbprint = 59FAB93B3986D7CBCB848CAFB720C608097F583C, HRESULT = 0x80070002.

Then WDS repeatedly logs an event with ID 32769: [WDSServer/WDSPXE/NKPPROV] Change notification callback found no NKP configuration file changes

When client boots, WDS logs two events with ID 32769

[WDSServer/WDSPXE/NKPPROV] Received NKP IPv4 request. Remote address: 10.10.64.100:68, Packet length: 573.

followed by

[WDSServer/WDSPXE/NKPPROV] NKP request processing succeeded. Remote address: 10.10.64.100:68, Reply packet length: 316.

There is nothing more related to BitLocker Network Unlock in WDS logs.

I've set up the whole thing with the help of this TechNet article: https://technet.microsoft.com/en-GB/library/jj574173.aspx

As mentioned in that article, or in other discussions, I've checked:

UEFI Network stack on client is enabled

Client can boot to UEFI PXE to the same WDS (pressing F12 during boot and enter into WDS menu)

SecureBoot is enabled and CSM is disabled - client can boot only by UEFI

Manage-bde -protectors -get C: on the client with result:

Volume C: []
All Key Protectors

    Numerical Password:
      ID: {5FD95464-29ED-4B04-9EB0-8B2C3D5758F4}
      Password:
        {PASSWORD}

    TPM And PIN:
      ID: {34405DBF-B49E-4836-9898-1FAFEF7B962F}
      PCR Validation Profile:
        0, 2, 4, 11

    External Key:
      ID: {C4B47A8F-FC53-485E-98D4-A3C9B0D216CD}
      External Key File Name:
        C4B47A8F-FC53-485E-98D4-A3C9B0D216CD.BEK

    Network (Certificate Based):
      ID: {69EC0722-A8F9-4185-9315-DAAC4D0386DF}
      PCR Validation Profile:
        0, 2, 4, 11
      Certificate Thumbprint:
        59fab93b3986d7cbcb848cafb720c608097f583c

BitLocker also logs in the API log on the client a warning with ID 813: BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid. And an event with ID 834: BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

Certutil -verifystore FVENKP on WDS server with result

FVENKP "BitLocker Drive Encryption Network Unlock"
================ Certificate 0 ================
Serial Number: 3e00000003db4cae7e034cbb0b000000000003
Issuer: CN=Internal CA
 NotBefore: 14.02.2017 15:50
 NotAfter: 14.02.2019 15:50
Subject: CN=BitLocker Network Unlock Certificate for domain
Non-root Certificate
Template: BitLockerNetworkUnlock, BitLocker Network Unlock
Cert Hash(sha1): 59 fa b9 3b 39 86 d7 cb cb 84 8c af b7 20 c6 08 09 7f 58 3c
No key provider information
  Provider = Microsoft Software Key Storage Provider
  Simple container name: te-BitLockerNetworkUnlock-c393e00f-96dc-46b8-8d7b-e4a13a8a7eba
  Unique container name: 7b916d8b5ba7dd1d829dda5fcd7f0e11_e7b28bda-a4b3-4265-bf49-b1de94b42c9d
  ERROR: missing key association property: CERT_KEY_IDENTIFIER_PROP_ID
Encryption test passed
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.4.1.311.67.1.1 BitLocker Network Unlock
Certificate is valid
CertUtil: -verifystore command completed successfully.

So I cannot figure out why network unlock fails. The WDS logs say it successfully processed the request, but I can't find why the client doesn't use it.

George

Creating a custom Event Log to log when an Attribute is changed in AD


Trying to find out how I would go about creating a custom event log for when the employeeNumber attribute is changed in AD so it would log who, when, where it was changed.


SSL 2.0, SSL 3.0 and TLS 1.0

Communications on port 636 and port 3269 TCP use LDAP for SSL communications - can SSL be turned off\disabled? If so, will LDAP automatically use TLS 1.1 or higher, or can this be turned off since SSL shows as a vulnerability?

How Windows decides if a network interface is public, private or domain


I have tried to find out the reason behind 'Windows automatically assigns a network interface to public even after I explicitly change it to private' but with no success.

Can anyone tell me why Windows changes a network interface to Public even though I had explicitly set it to Private, always after a restart?

I checked many domain-joined computers; even on the same subnet, they have different network locations: some are 'domain', many are 'public'. The problem with this inconsistency is that the Windows Firewall is always set to block all incoming on 'public' and allow SMB on 'private' or 'domain', so whenever some computer changes its network to 'public' after a restart, it becomes inaccessible through SMB.

Our environment is a 'closed network' there is no Internet connection, so I believe it is not possible that Windows detects Internet and decides to turn the network into 'Public.'


Valuable skills are not learned, learned skills aren't valuable.

Identifying shadow domains

I work for a fairly large organisation with multiple remote offices. I am trying to find out if there are users setting up their own small shadow domains not connected to Corp domains. How could I go about identifying these domains? And what tools do I need to use to identify them, either through LDAP/DNS queries etc.?

adding a new attribute to subject in digital certificates


Hi everybody

While studying PKI, I am now working on a scenario in which every subscriber has to pay for his/her digital certificate, and each time a subscriber pays for the certificate, a unique number is generated for the payment by the bank. I want to use this number as part of the subject distinguished name, but I do not know which attribute is the most appropriate one for this purpose. Could you please help me?


Prompt to Insert smart card when running Certutil -Repairstore


Hi,

Recently got an SSL certificate from a Windows 2012 R2 Enterprise CA. I don't see the private key in the certificate. I generated the CSR on the same server where I am importing the certificate.

So to bring back the private key, I tried running certutil -repairstore my 'serial number' in an elevated command prompt and it prompts me to insert a smart card. There is no smart card as such.

If I cancel that, the command fails with an Access denied error.

Did a lot of online searching but I don't see a valid solution.

Please help!



How to get S/MIME certificate from Windows CA (Standalone or Enterprise)


Hi

I need an S/MIME certificate for email signing/encryption in my organization. My question is:

1- How do we get an S/MIME certificate from our Microsoft CA?

2- How do we create a CSR file for this scenario?

Thanks



Understanding PASSWD_NOTREQD set @ TRUE


Hi to everyone

I'm trying to understand what actually involves setting PASSWD_NOTREQD @ True in a computer object in AD; can someone explain it to me and what are the safety hazards involved?

Thanks

Diego

I'm trying to understand what actually involves setting PASSWD_NOTREQD in computer objects in AD

disable password set option in LAPS UI Tool


Hi,

Password expiry date can be changed using the Reset-AdmPwdPassword and using LAPS UI Tool.

Reset Admin Password has to be restricted for certain users. Please help on how this can be restricted


Regards, Boopathi

Event Log 4662 : LAPS


Hi,

1. Event logs 4662 are generated about who read the password when the LAPS password of the computer is read from the DC. But event logs are not captured on the DC if it is read from a workstation.

Example: I installed the LAPS UI tool on my computer and I read the password of a computer in LAPS UI and PowerShell. But it is not captured in event logs.

Please help if anything is to be done.

2. I am asked for a report about who has read the password. How can the report be generated from the DC? Is there any report builder?


Regards, Boopathi

How to renew or change the CA certificate containing a different DN


Hi!

An application is having compatibility problems with the subject of the CA certificate. The issue seems to be because the subject of the CA certificate is containing an email attribute E that the application doesn't like.

I know that is possible to renew the CA certificate, but the renew procedure always takes the same Distinguished Name that was set during role installation.

Is there any way to renew or issue a new CA certificate, containing a different Distinguished Name, without the need of reinstalling the CA role? 

The CA is running on Windows Server 2012 R2, and the PKI infrastructure is not fully used yet, but it has root and 3 subordinates for different purposes.


Cristian L Ruiz




How to set keyusage to critical for a subordinate CA.


I have a CSR for an MS subca that has keyusage marked as critical however the MS root CA does not set the CA cert to have keyusage as critical once issued.

I have tried "certutil -setextension 5 2.5.29.15 1 long" which appears to work when I look at the pending request, however the certificate once issued again does not have the keyusage set to critical. What is going on here? Anyone know?

Subordinate CA certificate renewal


Greetings,

I'm trying to renew certificate for my Enterprise Issuing CA (I have offline standalone root CA). I create new certificate request from issuing CA, import it to root, issue new certificate and then export it to .cer file. After that I'm importing it to my issuing CA. Everything works perfect but one thing: new issuing CA certificate's private key is not exportable any more (initially, when I've installed subordinate CA there was a checkbox on the installation process to make key exportable). I do really need to renew subordinate CA certificate leaving option to export private key. Do you have any ideas?


Microsoft account

How can I add my Windows Server 2012 machine to my Microsoft account?

LDAP use - will it auto use TLS 1.1 or higher if SSL is disabled on servers

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws, including:

- An insecure padding scheme with CBC ciphers.

- Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so that these versions will be used only if the client or server support nothing better), many web browsers implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE). Therefore, it is recommended that these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.
Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.1 (with approved cipher suites) or higher instead.

Expired CA certificates


My Certificate Authority server has stopped issuing certificates and all of the existing certificates have expired. I presume this is because the main certificate has expired? I am new to managing this system as the previous technician left. Could someone please give me an idiot's guide to renewing this certificate? Preferably using the command line or RSAT tools, as the server is running 2016 core edition.

External CA certificate mapping to domain user

I'm struggling with a solution for the following case. Maybe someone can help me with that:

I have a certificate issued by an external CA and I would like to map a domain user to that certificate, to be able to log on to an application with authentication by this certificate only (in the solution lab there is a federated claims application through ADFS).

The certificate (externally issued) has a different Subject and SAN to match the user's UPN, so I need to force it in some way (like rewriting attributes from the certificate to domain user attributes, etc.), because as far as I know the default settings compare the SAN value for UPN mapping and it won't work with that scenario.

I've tried to disable UseSubjectAltName on the KDC and started managing using the altSecurityIdentities attribute, but still no progress with that. Is it possible that is still not enough? What else should I change or add to the user's attributes?

The environment is Windows Server 2012 R2. Many of the descriptions concern 2008 or earlier (I'm guessing something changed in 2012).

Event Log Forwarding - View Subscriptions at Source

At the source system how does one view the configured events being forwarded (be they configured using GPO or collector initiated) ? I understand the push/pull options to get the subscription to the source but where are those subscriptions stored/defined once the subscription definitions are set? 