ISATAP failing with error 0x490

ISATAP can be very useful if you need to manage out from a machine with an IPv4 address to a machine with an IPv6 address. This is commonly used where DirectAccess has been deployed as all DA clients will be using IPv6. Being able to RDP to them or use the SCCM Remote Control feature from a machine inside your network is very helpful for the IT support staff – it’s as if the user was just working from their desk like usual!

One time I was configuring an ISATAP interface on a server and I got the follow error in the event log:

Unable to update the IP address on ISATAP.yourdomain.com. Update type: 1. Error Code: 0x490

I scratched my head over this for quite a while – setting up an ISATAP interface should be easy! After a while I remembered that there was a history of disabling the IPv6 components on servers via GPO. It turns out that even though the GPO had been removed, the setting to disable IPv6 had been tattooed on the servers it had once been applied to.

To check this I had a look in the following location in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters\DisabledComponents

The value was set to 0xFFFFFFFF (it may instead be set to 0xFF). This disables enough of the IPv6 components to prevent an ISATAP interface from being able to be created.

Simply delete the DisabledComponents key and restart the server. So long as everything else is set up correctly you will have your ISATAP interface when you next log in.

Automatically enable BitLocker and set a PIN during an SCCM Task Sequence

Getting your operating system deployment one step closer to being zero touch is always a good goal, so with that in mind here is how to automatically enable BitLocker during OSD using a PIN that you define in a variable at the beginning of the Task Sequence.

The first thing to do is add the OSDBitlockerPIN variable to the collection you advertise your OSD Task Sequences too. This is very likely the All Unknown Computers collection. Right click on it and select Properties. Navigate to the Collection Variable tab and click New. The name is OSDBitlockerPIN and you should untick “Do not display this value in the Configuration Manager console”.

Capture

Next up open your Task Sequence and add the Enable BitLocker step. This can be placed anywhere after the Setup Windows and ConfigMgr step.1 Make sure Current operating system drive is selected and then select TPM and PIN. You can then enter anything into this field as it will be overwritten by what you enter into the OSDBitlockerPIN variable when you start the Task Sequence.

Capture

Finally, go ahead boot your client into the WinPE environment. Select your Task Sequence and click next and you will be presented with the Edit Task Sequence Variables step. You may already use the OSDComputerName variable in which case you will already be familiar with this! Double click on OSDBitlockerPIN and enter the PIN you wish to use for this machine.

Capture

Click Next and the Task Sequence will run and complete. BitLocker will be enabled and the PIN will be set. Now you don’t have to configure BitLocker after the operating system has been deployed!

1I would add the Enable BitLocker step at the very end of your Task Sequence, otherwise you will have to enter the PIN each time the machine reboots after applications or updates are installed. You could suspend BitLocker before each reboot, but why go to the extra effort.

Windows 7 client failing to connect to RD Web resources

Here is an issue you might encounter on Windows 7 if you are trying to connect to Remote Desktop Web Access (RD Web) or use Remote Desktop Connection with a gateway that is hosted by a Windows Server 2012 (R2) server.

You browse to the RD Web URL, log in and click on the application you want to launch. It appears to start connecting, but then prompts you for credentials. You put them in, click OK and wait a while… it appears to be connecting… and then the credentials box appears again. This continues forever in a loop.

Similarly if you try to RDP to a machine inside your corporate network with a RD Gateway server set, you enter the computer name and your username and click Connect. You are prompted for a password, enter it and click OK, but a few moments later the credentials box appears again.

This is likely being caused by the version of the Remote Desktop Protocol you are running being version 7.0 (Windows 7 RTM) or 7.1 (SP1 onwards). To connect to RD Web or use a gateway being hosted by a Windows Server 2012 (R2) server you must be running Remote Desktop Protocol 8.0 or 8.1. This is achieved by installing the following three updates (in order):

KB2574819
KB2592687
KB2830477

To check what version of the Remote Desktop Protocol you are running open up an Remote Desktop Connection window and click on the title bar icon, select About and the version is presented in the last line (mine says “Remote Desktop Protocol 8.1 supported.”)

Scan failed with error 0x80244021 with WinHTTP proxy configured

While trying to update one particular server using SCCM 2012 R2 I discovered that it was not updating, with the following error was appearing in WindowsUpdate.log and UpdatesHandler.log:

Scan failed with error = 0x80244021

In my case this issue was occurring because a proxy server was configured but no exception was in place for the WSUS / SCCM server. This meant that the server was trying to access the WSUS server through the proxy! To see what my proxy settings were I opened an elevated CMD prompt and entered the following command:

netsh winhttp show proxy

The following information was returned:

Proxy Server(s): ProxyServer.local
Bypass List :

As you can see, the bypass list is empty. In order to create an exception for the WSUS server, enter the following command:

netsh winhttp set proxy ProxyServer.local "https://WSUSServer.local" 1, 2

This sets the proxy and sets the WSUS server as an exception. Re-running netsh winhttp show proxy will now show you the following output:

Proxy Server(s): ProxyServer.local
Bypass List : https://WSUSServer.local

As you can see the WSUS server is now part of the bypass list, meaning that attempts to access this website will not go through the proxy.

Restart the WindowsUpdate service and re-run the Windows Update scan. You should no longer see scan error 0x80244021.

1Whether you use HTTP or HTTPS for your WSUS server depends on your WSUS or SCCM configuration.

2If you need to add multiple exceptions enter the first one, followed by a comma, followed by the next one and so on.

The clients that didn’t know they were on the corporate LAN

I recently came across an issue where all of the Windows 10 clients in a particular remote site were unable to access network resources when connected to the local LAN. The strange thing? This LAN was part of the corporate network.

After searching around I found a number of people reporting similar issues with clients configured to use DirectAccess, usually being caused by things such as a corrupt Name Resolution Policy Table (NRPT) or other issues with the DirectAccess configuration. This led me to try exporting the NRPT registry keys  from a working client and importing them on one of these clients that was not working. But… that did not fix the problem. And anyway, there were devices in other offices that worked when they were connected to DA and the corporate LAN. This problem was limited to this particular office, so I started to dismiss DirectAccess as being the problem.

A little more troubleshooting and I discovered something else. When connected to the LAN these clients could not ping the IP address of any internal server hostname I tried pinging. Any time I tried to use ping on an internal server I just got back "Ping request could not find host hostname.local. Please check the name and try again." They could be pinged by IP address though. So perhaps a DNS issue? Perhaps not, as I discovered that nslookup did work.

Checking the Application log in Event Viewer I found the following three critical errors repeating every minute or so:

NETLOGON | Event ID 5719
There are currently no logon servers available to service the logon request.

DNS Client Events | Event ID 8015
The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

The reason the system could not register these RRs was because the update request it sent to the DNS server timed out. The most likely cause of this is that the DNS server authoritative for the name it was attempting to register or update is not running at this time.

Time-Service | Event ID 129
NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

This led me to think there was something wrong with these clients ability to contact DNS, which eventually led me back to DirectAccess. As noted previously, these clients did work when connected via DirectAccess. So I thought, if I remove the DirectAccess configuration, will that make any difference to this broken-when-on-the-corporate-LAN situation? As I couldn’t just remove the DirectAccess client from the DirectAccess security group (because the client could not contact the domain controller to receive the policy change) I had to find the DirectAccess configuration in the registry and delete it there. It resides under HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DNSPolicyConfig. I my case there were 4 entries underneath this key, composed of DA-{GUID}. I deleted these keys,  restarted the client and found, to my delight, that it was now functioning correctly on the LAN. For good measure I re-added the DirectAccess configuration (this time by simply adding the client back into the DirectAccess security group) and confirmed that with the DirectAccess configuration back in place, the client was broken again on the LAN.

So what was going on? Eventually the following article from Microsoft led me to the answer: Network Location Detection. This article details the process Windows goes through to determine whether or not it is on the corporate network. When a network adapter status change is detected Windows attempts to access the URL that is stored in the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity\DomainLocationDeterminationUrl. The URL in this key will have been configured by whoever originally set up DirectAccess in your organisation. If Windows does not receive a valid HTTP response (HTTP status 200 OK) it believes you are not connected to the corporate LAN and attempts to connect to DirectAccess. During this process the entry in the NRPT table that governs what DNS server to use when connected to DirectAccess is used and, because you are not actually connected to DirectAccess, name resolution problems start to occur.

What about a fix? Why couldn’t the client access the network location detection URL? This goes back to the way DirectAccess is configured. Best practise states that your DirectAccess servers should have two network adapters; one internal and one external. Only the external adapter should be configured with a default gateway to prevent routing issues. Internal routing has to be done via static routes.

And that was the key. This was a small remote site that had only recently been connected to the corporate network and there was no static route between the DirectAccess server and the IP subnet being used by this site. After hours of investigating, this issue was resolved in a single moment by issuing the following Powershell command:

New-NetRoute -InterfaceAlias InternalAdapterName -DestinationPrefix Subnet/Mask -NextHop GatewayAddress

I went back to my broken client, opened my browser and entered the network location detection URL and was presented with the Microsoft IIS splash page. I restarted all the clients onsite and they correctly detected that they were on the corporate LAN.