Chris Stauffer at

You want me to do What?
I am happy to announce that version 2.0 of my deployment wizard is released. I also put out new directions and setup instructions. Hope this tool is as helpful to others as it has been for me. After releasing this tool at work about 3 weeks ago, my call volume and email volume for Windows 7 deployments and domain cleanup have drastically dropped.


Here is what the new site can do:


This site was created to allow any system admin to deploy the Windows 7 image at their own speed.

This website is still a work in progress, so new features will be added as I have time. New features will be released with new version numbers.

Windows Deployment Wizard 2.0 has the following features:

  1. Deploy Windows 7 to an existing SCCM client
    1. Deploy x86 with data recovery (USMT)
    2. Deploy x64 with data recovery (USMT)
    3. Deploy x86 without data recovery
    4. Deploy x64 without data recovery
  2. Deploy Windows 7 to a bare-metal machine or a machine that does NOT exist in SCCM
    1. Deploy x86 without data recovery
    2. Deploy x64 without data recovery
  3. Delete a machine from AD and SCCM
    1. This will check AD and SCCM, then let you know where it exists
    2. Once you click delete it will email you that the machine is deleted, along with the Domain Cleanup Exchange group of your choosing.
      1. We use this as a way to let our other security teams know that a machine has been removed and they need to clean up their assets as well.

The whole site was recoded in ASP.NET 2.0 with HTML 4/5 and CSS3. This gives us the ability to use tracing and email for audit trails. It also allows for more code growth in the future.



Note: I've also maintained version 1.0 for anybody that didn't want all this new power.

I've been doing a lot of work with the client install lately. At MMS 2011 Mike Schultz did a presentation on MCS secrets and tips. During that presentation he released a spreadsheet and pivot table to parse the ccr.retry inbox. Below is a list of common error codes that he provided. I've updated and/or added about 8-10 errors that I was seeing.

Hope this helps others. You can find the scripts that Mike uses on the MMS 2011 DVDs.


Note: Error 53 has lots of reasons. The reasons I provided below are based on the machine being turned on. You can also get an error 53 if you run an AD system discovery and a machine no longer exists but is still in AD and DNS. To remedy this, turn on DNS scavenging.

Error Code - Reason

  • 2 - The system cannot find the file specified.
  • 5 - Access denied.
  • 52 - You were not connected because a duplicate name exists on the network. Make sure there is not a duplicate name in DNS and that two machines don't have the same IP in DNS.
  • 53 - Unable to locate / cannot connect to admin$ - Computer Browser not started - add File and Printer Sharing to the exceptions in the firewall and turn file and print sharing on.
  • 58 - The specified server cannot perform the requested operation.
  • 64 - The specified network name is no longer available. Source: Windows
  • 67 - The network name cannot be found.
  • 86 - The network password is not correct (machine name <> resolved name).
  • 112 - Not enough disk space.
  • 1003 - Cannot complete this function.
  • 1053 - The service did not respond to the start or control request in a timely fashion.
  • 1068 - The dependency service or group failed to start.
  • 1130 - Not enough server storage is available to process this command. Source: Windows
  • 1203 - The network path was either typed incorrectly, does not exist, or the network provider is not currently available. Please try retyping the path or contact your network administrator.
  • 1208 - An extended error has occurred. Source: Windows
  • 1396 - Logon failure: the target account name is incorrect (NBTSTAT -a reverse lookup, duplicate IP address).
  • 1450 - Insufficient system resources exist to complete the requested service. Source: Windows
  • 2147749889 - Generic WMI failure (broken WMI)
  • 2147749890 - Not found - Source: Windows Management (WMI) - try repairing WMI
  • 2147749904 - Invalid class - Source: Windows Management (WMI)
  • 2147749908 - Initialization failure - Source: Windows Management (WMI)
  • 2147942405 - Access is denied (firewall rule? McAfee HIPS?)
  • 2147944122 - The RPC server is unavailable (DCOM security is misconfigured).
  • 2148007941 - Server execution failed
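The counting that Mike's spreadsheet does can also be scripted. The PowerShell below is an added example, not code from this post or from the MMS spreadsheet: it walks a ccr.retry folder, pulls the error code out of each CCR and counts by code against the reason list above, so the most common failure floats to the top. The "Last Error Code=" line format, the folder path and the three sample CCRs are assumptions I constructed for a dry run; change -ErrorPattern to match the field your CCRs actually carry and point -RetryBox at the real inbox. Needs PowerShell 3 or later.

```powershell
# Added example (not from the post or the MMS spreadsheet): summarise a ccr.retry
# inbox by error code. ASSUMPTION: each .ccr has a line like "Last Error Code=53".

# Reason table transcribed from the list above (string keys so the 10-digit WMI codes fit).
$CcrErrorReasons = @{
    '2'          = 'The system cannot find the file specified.'
    '5'          = 'Access denied.'
    '52'         = 'Duplicate name on the network (check DNS for duplicate names / IPs).'
    '53'         = 'Cannot connect to admin$ (Computer Browser, firewall, file and print sharing; stale DNS record if the machine is gone).'
    '58'         = 'The specified server cannot perform the requested operation.'
    '64'         = 'The specified network name is no longer available.'
    '67'         = 'The network name cannot be found.'
    '86'         = 'The network password is not correct (machine name <> resolved name).'
    '112'        = 'Not enough disk space.'
    '1003'       = 'Cannot complete this function.'
    '1053'       = 'Service did not respond to the start or control request in time.'
    '1068'       = 'The dependency service or group failed to start.'
    '1130'       = 'Not enough server storage to process this command.'
    '1203'       = 'Network path typed incorrectly, does not exist, or provider unavailable.'
    '1208'       = 'An extended error has occurred.'
    '1396'       = 'Logon failure: target account name is incorrect (duplicate IP / reverse lookup).'
    '1450'       = 'Insufficient system resources to complete the requested service.'
    '2147749889' = 'Generic WMI failure (broken WMI).'
    '2147749890' = 'WMI: not found (try repairing WMI).'
    '2147749904' = 'WMI: invalid class.'
    '2147749908' = 'WMI: initialization failure.'
    '2147942405' = 'Access is denied (firewall rule? McAfee HIPS?).'
    '2147944122' = 'The RPC server is unavailable (DCOM security misconfigured).'
    '2148007941' = 'Server execution failed.'
}

function Get-CcrErrorSummary {
    param(
        [Parameter(Mandatory = $true)][string]$RetryBox,
        [string]$ErrorPattern = '^\s*Last Error Code\s*=\s*(\d+)'   # assumed key name, adjust to taste
    )
    # One row per CCR that carries a recognisable error line
    $hits = foreach ($file in Get-ChildItem -Path $RetryBox -Filter *.ccr | Where-Object { -not $_.PSIsContainer }) {
        $m = Select-String -Path $file.FullName -Pattern $ErrorPattern | Select-Object -First 1
        if ($m) {
            [pscustomobject]@{ File = $file.Name; Code = $m.Matches[0].Groups[1].Value }
        } else {
            Write-Warning "$($file.Name): no line matched '$ErrorPattern'"
        }
    }
    # Count per code, most frequent first, with the reason and a few example machines
    $hits | Group-Object -Property Code | Sort-Object -Property Count -Descending | ForEach-Object {
        $reason = $CcrErrorReasons[$_.Name]
        if (-not $reason) { $reason = 'Unknown - add it to the table' }
        [pscustomobject]@{
            Code     = $_.Name
            Count    = $_.Count
            Reason   = $reason
            Examples = ($_.Group | Select-Object -First 3 | ForEach-Object { $_.File }) -join ', '
        }
    }
}

# Constructed sample inbox (three fake CCRs in a temp folder) for a dry run that never
# touches the site server; replace $sampleBox with the real ccr.retry folder in production.
$sampleBox = Join-Path $env:TEMP 'ccr-retry-sample'
New-Item -ItemType Directory -Path $sampleBox -Force | Out-Null
$sampleCodes = @{ 'WKS01.ccr' = '53'; 'WKS02.ccr' = '53'; 'WKS03.ccr' = '2147749889' }
foreach ($name in $sampleCodes.Keys) {
    @('[NT Client Configuration Request]',
      "Machine Name=$($name -replace '\.ccr$', '')",
      "Last Error Code=$($sampleCodes[$name])") | Set-Content -Path (Join-Path $sampleBox $name)
}
Get-CcrErrorSummary -RetryBox $sampleBox | Format-Table -AutoSize
```

With the sample inbox the table shows 53 twice (the DNS / firewall bucket) and the generic WMI failure once, which is the order you would work the real inbox in: fix the one cause that accounts for the most CCRs, let the retry cycle run, and re-run the summary.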

I've been working on a way to deploy an OS with SCCM and Maik Koster's web services. I decided to post it to CodePlex so that I could track it better. Please feel free to use this new tool and provide as much feedback as possible. I am not a web developer, so this code isn't perfect, but it is working.


Let me know what you think:



I put this presentation together a few years ago, and the topic of rebooting came up the other day, so I thought I would post it to better explain what happens when management decides "WE CAN'T REBOOT MACHINES". I hope this helps others explain to management what happens when we patch and don't reboot as needed.



Chris Stauffer <><

I'm finally getting back into ConfigMgr 2007 and patch management again, so I wanted to update some of my existing reports and try to come up with some better ways to control my patches. Here is the first updated report. Thanks to Matt Broadstock for assisting with the code where I got stuck.

Each report has to be hard-coded, so I created several of them, but basically you enter the ScopeID and the collection for the machines you want a status on.
In this example I want to see all XP workstations and compare them against the patch list I created for XP security patches.

This report is broken into 4 parts:

Part 1: Show the title of the Scope ID

Part 2: Show the collection ID for an OS and give me the headcounts

Part 3: Show the total compliance state for the machines in part 2

Part 4: Show me the total compliance state for each machine in each of the sub collections I want to know more about


Presently I have to report on multiple office groups, and each office group has its own IT staff, so I needed a report that would show management what things look like as a whole but at the same time tell us where the issues are so we can address them separately. So I created a master collection and sub collections for each office group that contain only the machines from that office group's OU in AD.

This could probably be automated further or even be set up with variables, but it has been 18+ months since I worked on SQL like this so I need to get my head wet again :-)
Not as fancy as the new SRS, but my boss is just as happy with the ASP reports still :-P



--The first two lines are just for quick reference so I know what Scopeid and collection I am using in the report

-- AuthListID=ScopeId_07303A0F-140E-4EB7-9D23-A333E0D085FC/AuthList_1BAE5B91-C218-4817-8CEC-13019EA83518

declare @CI_ID int; select @CI_ID=CI_ID from v_ConfigurationItems
where CIType_ID=9 and CI_UniqueID='ScopeId_07303A0F-140E-4EB7-9D23-A333E0D085FC/AuthList_1BAE5B91-C218-4817-8CEC-13019EA83518'
declare @CollCount int, @NumClients int; select @CollCount = count(*), @NumClients=isnull(sum(cast(IsClient as int)), 0)
from v_ClientCollectionMembers ccm
where ccm.CollectionID='SMS000ES'

-- Part 1

select distinct Title as Title
--, CI_UniqueID as AuthListID
  from v_AuthListInfo
  where CI_UniqueID ='ScopeId_07303A0F-140E-4EB7-9D23-A333E0D085FC/AuthList_1BAE5B91-C218-4817-8CEC-13019EA83518'

-- Part 2 (the select list was truncated on the page; the headcount columns here are reconstructed, PComputers is the original)

select vc.Name as Collection
, @CollCount as TotalMembers
, @NumClients as Clients
, @CollCount-@NumClients as NonClients
, PComputers=convert(numeric(5,2), (@CollCount-@NumClients)*100.00 / isnull(nullif(@CollCount, 0), 1))
from v_Collection vc
where vc.CollectionID='SMS000ES'

-- Part 3

SELECT   v_Collection.Name
, sn.StateName AS Status, COUNT(*) AS "Number Of Computers"
, CONVERT(numeric(5, 2)
, ISNULL(COUNT(*), 0)* 100.00 / ISNULL(NULLIF (@CollCount, 0), 1)) AS "Percentage of Computers"
FROM         v_ClientCollectionMembers AS cm INNER JOIN
                      v_UpdateListStatus_Live AS cs ON cs.CI_ID = @CI_ID AND cs.ResourceID = cm.ResourceID INNER JOIN
                      v_Collection ON cm.CollectionID = v_Collection.CollectionID LEFT OUTER JOIN
                      v_StateNames AS sn ON sn.TopicType = 300 AND sn.StateID = ISNULL(cs.Status, 0)
WHERE     (cm.CollectionID = 'SMS000ES')
GROUP BY sn.StateName, v_Collection.Name
ORDER BY "Number Of Computers" DESC

-- Part 4

SELECT     v_Collection.Name
, sn.StateName AS Status
, COUNT(*) AS "Number Of Computers"
, CONVERT(numeric(5, 2)
, ISNULL(COUNT(*), 0)* 100.00 / ISNULL(NULLIF (@CollCount, 0), 1)) AS "Percentage of Computers"
FROM         v_ClientCollectionMembers AS cm
INNER JOIN v_UpdateListStatus_Live AS cs ON cs.CI_ID = @CI_ID AND cs.ResourceID = cm.ResourceID
INNER JOIN v_Collection ON cm.CollectionID = v_Collection.CollectionID
INNER JOIN v_StateNames AS sn ON sn.TopicType = 300 AND sn.StateID = ISNULL(cs.Status, 0)
-- only the sub collections of the master collection, and only machines that are members of it
WHERE cm.CollectionID IN
    (SELECT subCollectionID
     FROM v_CollectToSubCollect
     WHERE parentCollectionID = '00100030')
AND cm.ResourceID IN
    (SELECT ResourceID FROM v_ClientCollectionMembers WHERE CollectionID = 'SMS000ES')
GROUP BY sn.StateName, v_Collection.Name
ORDER BY v_Collection.Name Asc, Status Desc



More to come as I get more into reports again.

Posted by cstauffer | with no comments

Update: This also affects SP1 installs. MS has actually published an article for it.


It was discovered this morning that KB982018 is causing an issue and making other patches installed with it fail to install.

According to the KB this patch is only for Server 2008 R2 and Windows 7.

Apparently, from what we are seeing, the following patches are failing on Server 2008 R2 and Windows 7.

The cause of the problem is KB982018. If you install the other 3 patches individually they install fine.

This is also causing SP1 to fail on install on Server 2008 R2 and Windows 7.




KB982018 updates usbstor.inf and usbstor.PNF.

If you are locking down USB devices then these 2 files are explicitly denied access for the following groups:

If you change all of these to Full Control then the patch will install.

The best solution is to apply a GPO to reverse the explicit deny security and give full control back to the above groups, then apply the patch, then re-apply the original GPO to lock things back down.
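A quick way to confirm where a machine is in that unlock / patch / re-lock cycle is to look at the ACLs on the two files directly. The PowerShell below is an added example and not part of the original post: it lists any explicit Deny entries on usbstor.inf and usbstor.PNF, so you can check that the unlock GPO has actually landed before pushing KB982018 or SP1, and that the lockdown is back afterwards. The %windir%\inf location of the files is my assumption; the post does not give the path.

```powershell
# Added example, not part of the post: show explicit Deny ACEs on the files KB982018 replaces.
# ASSUMPTION: the files live in %windir%\inf (the post does not state the path).
function Get-UsbstorDenyAces {
    param(
        [string[]]$Path = @("$env:windir\inf\usbstor.inf", "$env:windir\inf\usbstor.pnf")
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found: $p"
            continue
        }
        (Get-Acl -LiteralPath $p).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object {
                [pscustomobject]@{
                    File      = Split-Path -Leaf $p
                    Identity  = $_.IdentityReference.Value   # the group the lockdown GPO denied
                    Rights    = $_.FileSystemRights
                    Inherited = $_.IsInherited               # ACEs set by file-system policy are normally explicit
                }
            }
    }
}

# Pre-flight check before the patch goes out (run elevated on the target machine)
$deny = @(Get-UsbstorDenyAces)
if ($deny.Count -eq 0) {
    Write-Output 'No Deny entries on usbstor.inf / usbstor.pnf: KB982018 should install.'
} else {
    $deny | Format-Table -AutoSize
    Write-Output 'Deny entries present: expect KB982018 (and SP1) to fail until the GPO lifts them.'
}
```

Run it once after the unlock GPO refreshes (gpupdate /force, then the check) and once after the original GPO is re-applied; an empty result in the first run and the Deny rows back in the second is the state you want to see before and after the patch.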


Hope this helps others

Thanks <><

Chris Stauffer

Wow, what a week. I learned so much that my brain is tired. I picked up a lot of new theories that I will be writing updated scripts and new automations for. Can't wait to dive in.

One of the best sessions was by Mike Schultz from Microsoft. He gave some great hints and tips and some suggestions (wink wink) in case you are not ready to head to Configuration Manager 2012 just yet.

More to come from that session.

I was part of the Twitter Army, and well, let's just say that with a Zune HD (even though I love my Zune HD and would never get a crap pod) it was almost impossible to stay connected to Twitter, so my account is now deleted. But it was nice to have to know what was happening during the conference. Wish there was a way to just watch the Twitter threads without actually having an account.

There were so many great sessions by MyITForum members like Sherry Kissinger, Paul Thomson, Steve Thomson and many others that I got a lot out of. I am so glad that we have so many MVPs in this community that are willing to share.

Anyway. Sitting in the airport waiting to head home, been a long week.

To the Cloud..

No really I am almost ready to fly hehe..


Here are the party details

Incidentally, if you are even a tad bit frightened of crowds you still have until the end of this week to "donate" to have a ticket reserved. Donations for tickets will end March 11, 2011.


I just spent the last 5 hours troubleshooting a new AD error, new for me anyway…

The problem was that when a user tried to log on they got the following error on Windows XP SP3:


“The system could not log you on.  The server authenticating you reported an error (0xC00000BB).”


This error isn't very helpful; it points to the Server 2008 R2 DC certificate having an issue, but that is about it.

I reviewed the certificate and it appeared to be fine. The interesting thing is that the certificate was fine when everybody came into work at 8am, but by lunch time everybody was getting the above error as they returned from lunch.

I spent 4 hours going over the DC and not finding anything wrong. Everything seemed to check out OK, and anybody that logged in with a username and password was OK.

But if you used a smart card and a PIN you failed with the above error code.

I finally stumbled upon an event ID 19 for Kerberos on the DC. Interestingly enough, this error was only showing up once an hour, so we missed it the first few times it popped up.


Event details (Windows Operating System, Kerberos event ID 19):

This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.

It turns out that something corrupted the certificate in such a way that it removed the smart card portion of the cert but left the rest of it intact. The cert even passed a verification check when I ran this command: certutil -dcinfo verify

We finally found this TechNet article and fixed the problem in about 2 minutes.


Hope this helps someone else out.

** Update **

After further inspection we found an error, event ID 29.

This points to the same process to fix the issue we had.

** Update **

After a few weeks of this issue it was discovered that if we restart the "Kerberos Key Distribution Center" service this fixes the issue without the need to replace the server certificate. This works 99% of the time.

Simply run:

Rem Certificate fix bat
net stop kdc && net start kdc

Even better, you can just create a shortcut on the desktop to run the same command line.

Still no root cause for this issue, but this will get you working again.
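Because event 19 only shows up about once an hour, it is easy to miss while you are staring at the certificate, so it is worth having the DC check for it rather than a person. The PowerShell below is an added example, not part of the post: it looks in the System log for the two KDC events described here (19, and 29 from the first update) within the last hour and, if any are present, applies the workaround from the second update by restarting the KDC service. The provider name is my assumption of the Server 2008 R2 one; confirm it with Get-WinEvent -ListProvider '*Kerberos-Key-Distribution-Center*'. Run it elevated on the DC.

```powershell
# Added example, not part of the post: detect the KDC PKINIT certificate events and
# apply the service-restart workaround. ASSUMPTION: provider name as registered on 2008 R2.
function Test-KdcPkinitCertificate {
    param([int]$LookbackMinutes = 60)   # event 19 fires roughly hourly, so look back one hour
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 19, 29
        StartTime    = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    # Get-WinEvent reports an error when nothing matches; here "nothing" means healthy.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Healthy = ($events.Count -eq 0)
        Events  = $events | Select-Object TimeCreated, Id, Message
    }
}

function Repair-KdcService {
    # Same effect as "net stop kdc && net start kdc" from the update above
    Restart-Service -Name kdc -ErrorAction Stop
    Get-Service -Name kdc | Select-Object Name, Status
}

$check = Test-KdcPkinitCertificate
if ($check.Healthy) {
    Write-Output 'No KDC PKINIT certificate events in the last hour.'
} else {
    $check.Events | Format-Table -AutoSize -Wrap
    Repair-KdcService
    # If the events return after the restart, the cert itself needs replacing as the
    # TechNet article in the post describes; the restart is the 99% case, not the fix.
}
```

Scheduled hourly, this turns the "everybody was fine at 8am and locked out by lunch" pattern into a restart that happens before the help desk notices; keep the output from the $check.Events table, since a DC that needs the restart every day is one whose certificate should be replaced rather than worked around.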


Chris Stauffer <><


In order for systems to be accepted on our network they must be locked down very tight. This means that the security needs to be locked down to a certain level. This also means that sometimes things are set that should not be, and a waiver should be submitted because some settings actually break the OS.

Over the last 3 weeks I have been trying to get over 500 systems to install the client. These 500 have been real stubborn. In most cases what I have found is that someone (with good intent) attempted to make sure a system was up to the security standards and over-secured it. The script below needs to be run on a system with admin rights. At this point I am down to about 170 systems that still need to be fixed, but this script seems to be doing the trick.

Note: This should only be done if someone created a good (FDCC standards) GPO that will be reapplied once everything is cleared out.

The problem I found is that I cannot get it (the script) to run as a startup script, and since the admin shares are missing in most cases PsExec does not work to get this script run remotely. I also found that because of how these machines have been secured I cannot remote desktop or use DameWare to reach these machines.

But direct access to the PC and then running this script fixes about 90% of the issues. Then I reboot the system and let the Health Check script I am running do the rest.

We still see some machines that are so messed up that they are better off being reimaged, but this is worth a shot.

Hope this helps others out.



@echo off
Rem This script will fix some common problems found on systems that have been over-STIGed.
Echo Fix Admin Shares

Rem Remove the values that suppress the admin shares, then restart the Server service so they are recreated
reg Delete hklm\System\CurrentControlSet\Services\LanmanServer\Parameters\ /v autoshareserver /f
reg Delete hklm\System\CurrentControlSet\Services\LanmanServer\Parameters\ /v AutoShareWks /f
net stop Server /y
net start Server

Echo Fix Firewalls


echo Fix Dcom

Rem Reset the MSDTC log
Net stop msdtc
Msdtc -resetlog
Net start msdtc

Echo Fix WMI

Rem Stop WMI, set the old repository aside, re-register the WMI binaries and recompile the MOFs
net stop winmgmt /y
if exist %windir%\system32\wbem\repository.001 rmdir /s /q %windir%\system32\wbem\repository.001
rename %windir%\system32\wbem\repository repository.001
%windir%\system32\wbem\winmgmt /clearadap
%windir%\system32\wbem\winmgmt /kill
%windir%\system32\wbem\winmgmt /unregserver
%windir%\system32\wbem\winmgmt /regserver
%windir%\system32\wbem\winmgmt /resyncperf
regsvr32 /s %systemroot%\system32\scecli.dll
regsvr32 /s %systemroot%\system32\userenv.dll
mofcomp %windir%\system32\wbem\cimwin32.mof
mofcomp %windir%\system32\wbem\cimwin32.mfl
mofcomp %windir%\system32\wbem\rsop.mof
mofcomp %windir%\system32\wbem\rsop.mfl
cd /d %windir%\system32\wbem
for /f %%s in ('dir /b /s %windir%\system32\wbem\*.dll') do regsvr32 /s %%s
for /f %%s in ('dir /b /s %windir%\system32\wbem\*.mof') do mofcomp %%s
for /f %%s in ('dir /b %windir%\system32\wbem\*.mfl') do mofcomp %%s
net start winmgmt
%windir%\system32\wbem\wmiprvse /regserver

Echo Re-register the MSI service
msiexec /regserver

Echo Reset GPO's
Rem Reapply the default security template (Windows XP); the proper GPO is reapplied afterwards
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose



Chris Stauffer <><

In ConfigMgr 2007 you may get an error when you run web reports because the default values are too small. You can follow this blog to get them working, but if you are running Server 2008 (64-bit) or Server 2008 R2 (64-bit) the locations have changed.

Yes, I realize that SSRS is better and removes the limitations, but my brain can only hold so much info at one time... (this is next on my list to learn)

Here are the things that need to be edited for the ConfigMgr 2007 web reports buffers when running Server 2008 and Server 2008 R2:

1. Change the following registry key

  a. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Reporting

    i. Add a DWORD called Rowcount

      1. The maximum row count in decimal is 32767.

      2. If you need to return more than 32,767 records, you can set the row count to 0xffffffff hexadecimal, which will return all rows. However, this significantly increases the workload on the SMS site database.

2. Open IIS Manager, go to your site, open the ASP section and find Limits Properties > Response Buffering Limit.

  a. The ASPBufferingLimit defaults to 4 MB

    i. That is 4 x 1024 x 1024 = 4194304

  b. You want to have at least 1 MB per 1000 entries

    i. To increase it to, say, 20 MB:

      1. 20 x 1024 x 1024 = 20971520

3. Finally, you'll likely need to adjust the timeout values for running ASP scripts.

  a. Open IIS Manager, go to your site, open the ASP section and find Script Timeout.

    i. Default is 90 sec or 00:01:30

    ii. Change to a higher value, maybe 00:03:00

Note: make sure you choose to apply your settings.
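The same three changes can be made from PowerShell, which also makes the "did I actually apply it" check trivial. The script below is an added example and not part of the original post: it writes the Rowcount DWORD, sets the ASP buffering limit and script timeout through the WebAdministration module on Server 2008 / 2008 R2, and reads all three back. The site name 'Default Web Site' and the 20 MB / 3 minute values are the post's examples and are assumptions for your environment; run it elevated on the reporting point.

```powershell
# Added example, not part of the post: apply the ConfigMgr 2007 web report limits and read them back.
# ASSUMPTIONS: site name 'Default Web Site'; 20 MB buffer and 3 minute timeout as in the post.
Import-Module WebAdministration

$regPath = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SMS\Reporting'
$site    = 'IIS:\Sites\Default Web Site'
$limits  = 'system.webServer/asp/limits'

# 1. Rowcount DWORD: 32767 is the decimal maximum; 0xFFFFFFFF returns all rows but loads the site database.
if (-not (Test-Path -Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name Rowcount -Value 32767 -PropertyType DWord -Force | Out-Null

# 2. Response buffering limit: 1 MB per 1000 rows, so 20 MB covers about 20,000 rows.
$bufferBytes = 20 * 1024 * 1024    # 20971520 (the default is 4 * 1024 * 1024 = 4194304)
Set-WebConfigurationProperty -PSPath $site -Filter $limits -Name bufferingLimit -Value $bufferBytes

# 3. Script timeout: from the 00:01:30 default to 00:03:00.
Set-WebConfigurationProperty -PSPath $site -Filter $limits -Name scriptTimeout -Value '00:03:00'

# Read everything back; this is the "make sure you apply your settings" check from the note above.
Get-ItemProperty -Path $regPath -Name Rowcount | Select-Object Rowcount
Get-WebConfiguration -PSPath $site -Filter $limits | Select-Object bufferingLimit, scriptTimeout
```

The read-back at the end is the part worth keeping: if bufferingLimit still shows 4194304 after the run, the setting went into a different scope than the reports are served from (site vs. the SMSReporting application), and the report will keep failing at the old 4 MB.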

What a tiring week. I just spent the last 8 days at CED Solutions training for the MCITP: Server Administrator.

These guys do a great job getting you ready for an exam.

After 2 days stuck in a hotel in Atlanta because they have no clue how to get ice off the roads, and using brain cells I thought I killed off in the Army, I sat 3 exams:

Exam 70-640

Exam 70-642

Exam 70-646

Wow, boot camps are a crazy way to spend a week or 2…

But I am now certified as an MCITP: Server Administrator.

What certs will be next? Unknown…

Glad to be going home tomorrow.


Chris Stauffer <><


I saw this video today and just had to share it. It speaks volumes to our men and women in the military.

Be safe and stay strong.

To thank a soldier click the “Soldiers Angels” link on the left side of my blog.

Thank you,

Chris Stauffer <><


Joe Brucato - Thank You soldier



Wow, I just spent the last week at CED Solutions training for the CompTIA Security+ certification.

My brain hurts.

BUT I PASSED.

Got in under the radar, so one less exam to have to repeat every 3 years.

Doing the happy dance!!!


Last week was a nightmare for me with problems. I have a major security inspection coming soon and we have certain standards that are required on our domain controllers. So I spent the last month building a GPO for the domain controllers that was based on the security settings. The old policy was not put together very well and wasn't secure by any means.

Anyway, on May 1st 2010 I applied the policy to my first of many DCs and everything went well. So 7 days later I added a few more DCs. Everything was going well and I was about 10 days into the new policy without issues. We did a Retina scan and found a few patches and a few other security issues, so I fixed them and rebooted the server. After rebooting the server I was not able to get to the network or the internet. My first thought was that maybe something happened to the NIC or the port on the switch, so we did the following:

  • Replaced the network cable
  • changed the nic card the server was using
  • changed the switch port the server was using

We even checked the firewall logs and tried pinging it from the switch. Nothing worked; no response in or out of the server.

Next I rolled back all of the patches and fixes that I had applied, and still nothing.

Next we disabled McAfee AV and HIPS, and still nothing. The weird thing was that we could ping the machine while it rebooted, but as soon as it said "applying policies" the ping would stop. I reviewed the event logs and had several error codes 1085 and 8194 every 5 min, but the error didn't make any sense so I didn't know what to do. I thought there was a policy issue but I had nothing to prove it; I even rolled the machine back to the old policy. There were NO IPsec errors of any kind so I didn't mess with that. As far as I knew it was still disabled.

Nothing worked.

Oh, and the other DCs with the new policy are all still running without issue. So I didn't think it was something in the new GPO, but I rolled it back just in case.

After 5 hours of troubleshooting I went home for the night because Daddy needed to watch the kids so my wife could go to work, and came in bright and early the next morning. I did some research from home that evening, but I couldn't work on the DC because I couldn't connect to it. I posted to the guys on the SMS and AD GPO lists to see if any of the awesome minds there had any clue as to what the heck I did. I got to work at 6am and started working again; by 8am my boss was in, so I asked if we could contact MS because I was clearly over my head and drowning fast. He approved the request, so I put in the ticket and waited in the call-back queue. But like any good tech I continued to try and figure out if I could fix the issue, and noted every step that I took, in hopes that I could somehow fix this mess before the 6 hour call-back wait.

Michael Hennessy on the SMS list suggested that it sounded like an IPsec issue and that I should have some error codes for the issue, but I did not. He suggested several KB articles including this one. I reviewed it and thought, aw, what the heck, I don't have the error but at this point I have nothing to lose, so I will give it a shot. First thing it says is to delete the registry keys associated with the policy; well, the keys were missing. That made me suspicious, so I continued on. It had me re-register polstore.dll. As soon as I did, the internet and network started to work again. (FYI, I am now 10 hours into troubleshooting and 3 hours into an MS ticket call queue.) So I am ecstatic that I got the network working again, but I needed to fix my policies that were now corrupt, and I could not get GPUPDATE /force to work. I just kept getting error codes 1085 and 8194 every 5 min. So back to Google, where I found an entry that stated to delete

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History

So I backed it up and deleted it. Then I ran GPUPDATE /force again and the errors stopped.

So now it is about 24 hours after the issue and I got all of my issues fixed, but still don't know what went wrong. I reapplied the patches and re-enabled McAfee and HIPS. Everything is still working. So we contacted MS, who had not gotten to our call back yet (7 hours into the queue), and asked for a root cause analysis.

Well, I finally got a call back yesterday (6 days after the issue). I would say that is bad CS, but we just had a problem matching up with MS, and frankly I was fixed so I wasn't in a hurry at that point.


Anyway, I spoke with an MS tech yesterday and here is the conclusion:

Something interrupted Server 2003 from writing the GPO settings to the registry during a GPO refresh (happens every 90 min). Our best guess would be HIPS protecting the registry, but we have no way to prove or disprove it. So I am not going to blame it, but I still despise the product…

Something I didn't know was that every time your GPO is applied the system deletes all of the registry entries from the previous policies and reapplies all the settings with fresh keys, but it happens so fast that you don't see the keys being erased and re-written.

When this corruption occurred it caused the IPsec policy to be erased and put the server into an IPsec (built-in firewall) LOCKDOWN (nothing in / nothing out). This is by design, and this is why KB912023 fixed the disconnection issue.

Apparently this corruption is a known issue, and the MS tech provided a hotfix that we should apply to all the DCs so it doesn't happen again. This is a post-Server 2003 SP2 hotfix. Installing hotfix 951059 will cause the system to back up the registry and replay it if the policy wipe / re-write process is interrupted.


So in conclusion, I hope this blog entry helps someone else if they get locked out by IPsec and have no clue what is happening.


Chris Stauffer <><
