Windowsupdate.log is filled with GUIDs

Good afternoon. I found an interesting solution I wanted to share. I needed to collect the Windowsupdate.log file on a Windows 2016 server today. To do this I needed to run the PowerShell command Get-WindowsUpdateLog. The file is no longer continuously created as with previous Windows versions. This would be all well and good if the command worked 100% of the time. There have been some instances, though, where I ran that command and just got a file filled with GUIDs. See the example below.

1600/12/31 18:00:00.0000000 824 1056 Unknown( 10): GUID=638e22b1-a858-3f40-8a43-af2c2ff651a4 (No Format Information found).
1600/12/31 18:00:00.0000000 824 1056 Unknown( 11): GUID=bce7cceb-de62-3b09-7f4f-c69b1344a134 (No Format Information found).
1600/12/31 18:00:00.0000000 824 1056 Unknown( 11): GUID=638e22b1-a858-3f40-8a43-af2c2ff651a4 (No Format Information found).
1600/12/31 18:00:00.0000000 824 1056 Unknown( 50): GUID=6ffec797-f4d0-3bda-288a-dbf55dc91e0b (No Format Information found).
1600/12/31 18:00:00.0000000 824 1056 Unknown( 12): GUID=00497b4f-20f7-3ec8-96ab-8a593aa9824d (No Format Information found).

I have always wondered why this happened. I finally discovered the answer today. When I ran the PowerShell command I kept getting a popup about website security. I checked the box to not ask again and clicked OK. I then received a file full of nothing useful. I had a hunch that the command needed to grab information from the Internet to decode the GUIDs. Perhaps IE ESC (Internet Explorer Enhanced Security) was causing an issue with that process. I disabled IE ESC and re-ran Get-WindowsUpdateLog. Sure enough the file was created correctly.

So now you know. If you get a Windowsupdate.log file full of GUIDs there are two items to check. Verify the server has Internet connectivity and that IE ESC is turned off.
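
The two checks above can be scripted together with a test of whether the log actually came back undecoded. This is an added example, not part of the original post. It assumes the default Desktop output path of Get-WindowsUpdateLog, that the Internet resource needed for decoding is the Microsoft public symbol server (msdl.microsoft.com), and the standard IE ESC registry locations; none of these appear in the post.

```powershell
# Added example: triage a WindowsUpdate.log that came back as bare GUIDs.
# Assumptions: default Desktop output path, the Microsoft public symbol
# server host, and the IE ESC registry locations.
param([string]$LogPath = "$env:USERPROFILE\Desktop\WindowsUpdate.log")

function Get-UndecodedRatio {
    param([string[]]$Lines)
    $entries = @($Lines | Where-Object { $_.Trim() })
    if ($entries.Count -eq 0) { return 0 }
    $bad = @($entries | Where-Object {
        $_ -match 'GUID=[0-9a-f-]{36} \(No Format Information found\)'
    })
    [math]::Round($bad.Count / $entries.Count, 2)
}

# Constructed sample in the shape shown in the article, used when no log exists.
$sample = @(
    '1600/12/31 18:00:00.0000000 824 1056 Unknown( 10): GUID=638e22b1-a858-3f40-8a43-af2c2ff651a4 (No Format Information found).'
    '2024/01/01 09:00:00.0000000 824 1056 Agent (constructed) decoded line'
)
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
$ratio = Get-UndecodedRatio -Lines $lines

# IE ESC state per role: IsInstalled = 1 means enabled.
$base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$esc = [ordered]@{
    Administrators = "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
    Users          = "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
}
$escState = foreach ($role in $esc.Keys) {
    $p = Get-ItemProperty -Path $esc[$role] -Name IsInstalled -ErrorAction SilentlyContinue
    [pscustomobject]@{ Role = $role; Enabled = ($p.IsInstalled -eq 1) }
}

# Outbound HTTPS to the symbol server (assumed decode dependency).
$online = Test-NetConnection -ComputerName 'msdl.microsoft.com' -Port 443 -InformationLevel Quiet

[pscustomobject]@{
    UndecodedRatio  = $ratio
    LooksUndecoded  = ($ratio -gt 0.5)
    IeEscAdmins     = ($escState | Where-Object Role -eq 'Administrators').Enabled
    IeEscUsers      = ($escState | Where-Object Role -eq 'Users').Enabled
    SymbolServer443 = $online
}
```

Recording the IE ESC values before changing them makes it straightforward to restore the original setting once the log has been collected.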

I hope you found this article informative. If you have anything to suggest or add to the content, please leave it in the comments below.

How to re-deploy VPN in 2016 Essentials with PowerShell

In my previous article I discussed an issue I see commonly with VPN in Essentials.  In that article I gave the fix for all versions of Essentials except 2016.  In this article I will cover the fix for 2016 Essentials.

As stated previously, 2016 Essentials uses PowerShell to configure the VPN.  Here is what the default configuration looks like:

[Screenshot: RemoteAccess Default]

If you try to manage it in the RRAS (Routing and Remote Access Server) console, you will see this:

[Screenshot: legacy mode]

The message would imply that you could turn on legacy mode.  This is true, but turning on legacy mode requires clearing the configuration from RRAS.  Clearing the configuration must be done with PowerShell.  Re-deploying the VPN can be done with either PowerShell or the RRAS console.  Below are the PowerShell commands.

  1. Launch a PowerShell session as administrator.
  2. Run Uninstall-RemoteAccess.  Hit Enter when prompted.
  3. Run Install-RemoteAccess -VpnType Vpn -IPAddressRange 192.168.16.100,192.168.16.120
    Change the IP addresses to match the range you want to use.  In the command above the start IP address is 192.168.16.100 and the end IP is 192.168.16.120.
  4. It may be necessary to modify the SSL certificate.  To check this run Get-RemoteAccess.  If the SSL certificate matches the one installed by the Essentials Anywhere Access wizard, then you are done.  If not, please proceed to the next step.
  5. Run Set-Location Cert:\LocalMachine\My; Get-ChildItem | Select-Object Subject,Thumbprint
    You should see output similar to the following:
    [Screenshot: certificate 1]
  6. Make note of the Thumbprint for the certificate that was created in the Anywhere Access wizard.
  7. Next assign the certificate to the VPN with the following command (run from the Cert:\LocalMachine\My location set in step 5):
    Get-ChildItem | ? Thumbprint -eq "C39ED8D5ADC2F73A05A909BE9C4692B43B963FB2" | Set-RemoteAccess
  8. Finally verify the correct certificate is assigned to the VPN with the command:
    Get-RemoteAccess
    [Screenshot: RemoteAccess fixed]

Clients should be able to connect and access resources via the VPN now.
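
Steps 4 through 8 can be combined into one guarded script that validates the certificate before binding it to the VPN. This is an added example, not part of the original article. It reuses the thumbprint shown in step 7 as a stand-in for your own, and assumes the object returned by Get-RemoteAccess exposes the bound certificate as SslCertificate.

```powershell
# Added example: validate the Anywhere Access certificate, then assign it.
# Assumption: $Thumbprint is the value noted in step 6 (article's sample shown).
$Thumbprint    = 'C39ED8D5ADC2F73A05A909BE9C4692B43B963FB2'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# Refuse certificates an SSTP listener could not use safely.
$problems = @()
$now = Get-Date
if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += 'outside validity period'
}
# An empty EKU list means "any purpose"; only reject an explicit mismatch.
$ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
if ($ekus.Count -gt 0 -and $ekus -notcontains $serverAuthOid) {
    $problems += 'missing Server Authentication EKU'
}
if ($problems) { throw "Refusing to assign certificate: $($problems -join ', ')" }

# Step 4: compare with what the VPN currently uses.
$current = (Get-RemoteAccess).SslCertificate
if ($current -and $current.Thumbprint -eq $cert.Thumbprint) {
    'VPN already uses the expected certificate.'
} else {
    # Step 7: bind the certificate, then step 8: confirm it took effect.
    $cert | Set-RemoteAccess
    $after = (Get-RemoteAccess).SslCertificate
    if (-not $after -or $after.Thumbprint -ne $cert.Thumbprint) {
        throw 'Certificate assignment did not take effect.'
    }
    "Assigned $($cert.Subject) ($($cert.Thumbprint))"
}
```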

I hope you found this article informative.  If you have any suggestions or comments please leave them below.

Using PowerShell to create a self signed certificate for longer than 1 year

Good morning.  It has been quite some time since I last posted.  I ran across this little gem this morning and figured I would share.

So you want to use a self-signed certificate for Remote Desktop Services (RDS) or maybe a custom website, but you want the certificate to be valid for longer than a year.  You can now use PowerShell to create a certificate that is valid for as long as you like.  Before we get into how to do this, let me emphasize this is not recommended by Microsoft.  It is much preferred to use a 3rd party trusted certificate.  Also, the command below will only work in Windows Server 2016/Windows 10 and higher.

To create a self-signed certificate for a web server that is valid for 5 years:
New-SelfSignedCertificate -Subject "RDS.Contoso.local" -DnsName "RDS.Contoso.com", "www.contoso.com" -CertStoreLocation "cert:\LocalMachine\My" -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(5)
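
Long-lived self-signed certificates are easy to lose track of, so it helps to inventory them after creating one. The following is an added example, not part of the original post; it goes beyond the single certificate above and lists every self-signed certificate in LocalMachine\My, and the 398-day threshold is an assumed policy value.

```powershell
# Added example: list self-signed certificates in LocalMachine\My and flag
# those with long validity periods. $MaxDays is an assumed policy threshold.
$MaxDays = 398
$now     = Get-Date

# Self-signed is approximated here as Subject equal to Issuer.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer } |
    ForEach-Object {
        $lifetime = [int]($_.NotAfter - $_.NotBefore).TotalDays
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            DnsNames      = ($_.DnsNameList.Unicode -join ', ')
            NotAfter      = $_.NotAfter
            LifetimeDays  = $lifetime
            DaysLeft      = [int]($_.NotAfter - $now).TotalDays
            HasPrivateKey = $_.HasPrivateKey
            SignatureAlg  = $_.SignatureAlgorithm.FriendlyName
            LongLived     = ($lifetime -gt $MaxDays)
        }
    } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```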