Windows Server Broken Update Fix

Updates can break on Windows Server for a number of reasons, so this is not an all-encompassing fix. But over the years I have seen this occasionally. What happens is that the server does not update, and when you attempt a manual update via the Windows Update settings screen, the updates never download: the downloads are typically stuck at 0% complete. This is apparently due to a corruption of the files within the “C:\Windows\SoftwareDistribution” folder. Because the update process is hung, the Windows Update service also appears to be hung, so the process to repair the problem is slightly more involved than one would expect.

First, open the services control applet:

-Click the "Start" Button
-Type "services.msc"
-Set Windows Update to "disabled"
-Reboot the server

Once the server has re-started, verify that the Windows Update service is not running:

-Click the "Start" Button
-Type "services.msc"

Rename the SoftwareDistribution folder:

Rename C:\Windows\SoftwareDistribution to SoftwareDistribution.old

Reset the update service:

-Click the "Start" Button
-Type "services.msc"
-Set Windows Update to "manual"
-Start the service

Now manually run the updates and make sure they are downloaded and installed. Then perform the required server reboot.

Red Hat Registration and Subscriptions

I recently decided to spend some time refreshing my Red Hat knowledge because it has been a while since I have supported production Red Hat-based servers. A lot has changed. You can sign up for a developer license for free and get limited access to Red Hat products.

Registration, among other things, controls the repos that the server can use. For instance, you cannot run ‘dnf update’ until the system is registered and attached to the desired software repositories. The ‘subscription-manager’ command exists to handle the various subscription configuration situations.

For a basic free developer subscription, the following will get things started from the command line.

Show the various commands available to the subscription manager command:

subscription-manager

Subscribe and configure the available repos. This can apparently be used with kickstart as well:

subscription-manager register --username <username> --password <password> --auto-attach

Update the system:

dnf update

There is a lot more to subscription manager based on workflows, hosted repositories, configurations, etc. Because of different workflows, registration can also be performed via the GUI, web console, automation, etc.

BitLocker – AD setup for BitLocker Recovery Key Management

Like most other posts in this blog, this is pieced together to make sense to me.

Especially in older domains, verify that the AD schema has the appropriate attributes using PowerShell window as administrator:

Get-ADObject -SearchBase ((GET-ADRootDSE).SchemaNamingContext) -Filter {name -like 'ms-FVE-*'}

On a domain controller, install the BitLocker Feature to display the BitLocker recovery information:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

To see the BitLocker tab containing the BitLocker recovery key from an admin workstation, the RSAT “BitLocker Drive Encryption Administration Utilities” needs to be installed on the workstation.

GPO Settings

On a domain controller: Server Manager>Tools>Group Policy Management

Edit the following:

Computer Configuration>Policies>Administrative Templates>Windows Components>BitLocker Drive Encryption

"Store BitLocker recovery information in Active Directory":
        Select "Enabled"
        Check "Require BitLocker backup to AD DS"
        Select "Recovery passwords and key packages"

NOTE – At the bottom of the GPO “Help” it states that the TPM information also needs to be backed up. This, however, no longer appears to be the case after Windows 10 version 1607.

"Choose how users can recover BitLocker-protected drives":
        Select "Enabled"

Select "Operating System Drives"

"Choose how BitLocker-protected operating system drives can be recovered":
        Select "Enabled"
        Check "Save BitLocker recovery information to AD DS for operating system drives"
        Select "Store Recovery passwords and key packages"
        Check "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"

Select "Fixed Data Drives"

"Choose how BitLocker-protected fixed data drives can be recovered":
        Select "Enabled"
        Check "Save BitLocker recovery information to AD DS for fixed data drives"
        Select "Backup recovery passwords and key packages"
        Check "Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives"
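As an added example that is not part of the original post: a PowerShell script that checks whether the recovery information the GPO settings above are supposed to escrow actually exists under the computer object in AD, and, when run on the client itself, backs up any recovery password protector that is still missing. It assumes the ActiveDirectory RSAT module on the machine running it and the BitLocker module on the client; $ComputerName is an assumed parameter, not something from the post.

```powershell
# Added example, not from the original post. Verifies that BitLocker recovery
# passwords for a computer have been escrowed to AD DS and, on the client,
# pushes any protector that is not yet in AD. $ComputerName is an assumed
# parameter; defaults to the local machine.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

Import-Module ActiveDirectory

# 1. The same schema check as earlier in the post: the ms-FVE-* attributes
#    must exist or the GPO has nowhere to write.
$schema = Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -Filter { name -like 'ms-FVE-*' }
if (-not $schema) { throw "ms-FVE-* schema attributes not found; the AD schema is too old for BitLocker escrow" }

# 2. Escrowed recovery information lives as msFVE-RecoveryInformation child
#    objects directly under the computer account, one object per recovery
#    password. The object's CN is "<timestamp>{<recovery password ID>}".
$computer = Get-ADComputer -Identity $ComputerName
$escrowed = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties whenCreated)

"{0}: {1} recovery password(s) escrowed in AD" -f $ComputerName, $escrowed.Count
$escrowed | Select-Object Name, whenCreated | Format-Table -AutoSize

# 3. When run on the client, compare AD against the local protectors and back
#    up anything missing. Backup-BitLockerKeyProtector writes to AD DS through
#    the same mechanism the GPO relies on, so a failure here usually means the
#    policy or the computer's write permission to its own object is wrong.
if ($ComputerName -eq $env:COMPUTERNAME -and (Get-Module -ListAvailable BitLocker)) {
    # Pull the {GUID} out of each CN; KeyProtectorId on the client uses the same braces/uppercase form.
    $adIds = $escrowed | ForEach-Object {
        if ($_.Name -match '\{[0-9A-Fa-f-]+\}') { $Matches[0].ToUpper() }
    }
    foreach ($vol in Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On') {
        foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
            if ($adIds -notcontains $kp.KeyProtectorId.ToUpper()) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
                "Backed up protector $($kp.KeyProtectorId) for $($vol.MountPoint) to AD DS"
            }
        }
    }
}
```

Run it from an admin workstation with a computer name to audit escrow, or locally on a client to both audit and repair it.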