
Ondrej Sevecek's English Pages


Engineering and troubleshooting by Directory Master!
April 20
Very slow RDP remote app start over Remote Desktop Gateway connections

I have just solved one interesting case. The customer has a large, powerful RDP session-based application farm built on Windows 2012 R2. The farm runs several session collections with RemoteApps. The RemoteApps are published through RDWeb and, when accessed from the internet, connected over an RD Gateway. Everything uses trusted TLS/SSL certificates bought from a public CA such as GlobalSign or Symantec.

Everything worked smoothly and fast except for the application startup time when accessed from the internet. RDWeb itself was fast enough. But once you clicked an application, it sometimes took up to three minutes to start. After that, smooth sailing, no delays any more. Apparently the RD Gateway was the problem, because this did not happen from the LAN where the RD Gateway is bypassed, at least not that severely.

Digging deeper into the problem, it turned out that both the RD Gateway and the RD Connection Broker had their own share in it.

The cause: certificate revocation checking that timed out

The cause revealed itself when I enabled auditing of Windows Firewall connections (the Filtering Platform Connection audit subcategory) and correlated those events with the TerminalServices-Gateway/Operational event log. The Security event log showed repeated and frequent TCP connections to remote port 80 (HTTP, apparently) started by system processes such as lsass.exe or svchost.exe. Strangely, the connections were going to public internet IP addresses.

And yes, when I checked the CRL distribution point URLs in the TLS/SSL certificates, these IP addresses turned out to be the CRL distribution points of the public CAs which issued the RDP certificates.

So the system was trying to verify the revocation status of its own server certificates (why the hell?) by downloading their respective CRL files. The problem was that the farm servers had no internet access at all. So every connection only got as far as SYN-SENT, timed out after 21 seconds (the default Windows TCP connection establishment timeout: the initial SYN plus two retransmissions) and failed. And this repeated again and again, with every client connection being established.

As it appears, the RD Gateway and sometimes even the RD Connection Broker servers try to verify the revocation status of their own server certificates by downloading CRLs.

The solution

One solution is to allow the servers to download the public CRL files from the internet over HTTP (TCP 80); if needed, you can point them at an HTTP proxy server with the netsh winhttp set proxy command. CRLs are signed by the CA, so fetching them over plain HTTP through a proxy is fine.

Another is to make sure that the servers cannot resolve the public DNS names of the CRL hosts at all, so that the attempt fails with a negative DNS answer instead of a TCP timeout.

Or, if the servers must be able to resolve the public DNS names, make sure that the subsequent TCP connection fails immediately instead of waiting for the 21-second timeout.

If you have a network firewall in place, you must change its handling of the blocked port from stealth or drop to reject, so that the server receives a TCP RST or an ICMP unreachable at once. Or you can configure an explicit blocking Outbound Rule in the servers' Windows Firewall. Outbound blocking rules are good in this regard, as they fail the blocked TCP connection immediately and do not let the applications time out.
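The following is an added example, not code from the original post: it lists the CRL distribution points of the RD Gateway (or Connection Broker) server certificate, shows how each connection attempt ends and how long it takes (the ~21 s TimedOut is the symptom described above), and optionally creates the outbound block rule. It assumes the certificate sits in Cert:\LocalMachine\My and is picked by thumbprint; the firewall rule name is made up for the example.

```powershell
# Added example, not code from the original post. Assumptions: the server
# certificate is in Cert:\LocalMachine\My and is chosen by thumbprint; the
# firewall rule name below is invented for this example.

function Get-CrlUrl {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # CRL Distribution Points extension (OID 2.5.29.31). Format($true) renders it
    # as multi-line text with "URL=http://..." entries, from which we take the URLs.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'https?://[^\s,;]+') | ForEach-Object { $_.Value } | Sort-Object -Unique
}

function Test-CrlEndpoint {
    # Opens a raw TCP connection to the CRL host, like the SYN-SENT attempts seen in
    # the Filtering Platform Connection audit, and reports how it ended and how long
    # it took. The OS-level connect timeout (21 s by default) shows up as TimedOut;
    # after the fix you want ConnectionRefused or HostNotFound within milliseconds.
    param([Parameter(Mandatory)][string] $Url, [int] $MaxWaitMs = 30000)
    $uri    = [uri] $Url
    $client = New-Object System.Net.Sockets.TcpClient
    $watch  = [System.Diagnostics.Stopwatch]::StartNew()
    $result = 'Connected'
    try {
        $async = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($MaxWaitMs)) { $client.EndConnect($async) } else { $result = 'StillWaiting' }
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        $result = if ($ex -is [System.Net.Sockets.SocketException]) { [string] $ex.SocketErrorCode } else { $ex.Message }
    } finally {
        $client.Close()
    }
    [pscustomobject] @{ Url = $Url; Host = $uri.Host; Result = $result; Milliseconds = $watch.ElapsedMilliseconds }
}

function Block-CrlFetch {
    # The post's last option: an explicit outbound block rule in Windows Firewall,
    # which makes the connection fail immediately instead of timing out.
    # Caveat: public CRL hosts often sit behind CDNs whose addresses change, so a
    # broader rule (all outbound TCP/80 except your proxy) may hold up better.
    param([Parameter(Mandatory)][string[]] $Url,
          [string] $RuleName = 'Block CRL download from RD farm (example rule)')
    $addresses = $Url | ForEach-Object { ([uri] $_).Host } | Sort-Object -Unique | ForEach-Object {
        [System.Net.Dns]::GetHostAddresses($_) | ForEach-Object { $_.IPAddressToString }
    }
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block -Profile Any `
        -Protocol TCP -RemotePort 80 -RemoteAddress $addresses
}

# Usage: replace <thumbprint> with the thumbprint of the RD Gateway certificate.
# $cert = Get-Item 'Cert:\LocalMachine\My\<thumbprint>'
# $urls = Get-CrlUrl -Certificate $cert
# $urls | ForEach-Object { Test-CrlEndpoint -Url $_ } | Format-Table -AutoSize
# Block-CrlFetch -Url $urls      # then run the Test-CrlEndpoint line again
```

Before the fix, every row should come back as TimedOut after roughly 21000 ms; afterwards it should be ConnectionRefused (reject or outbound block rule) or HostNotFound (no public name resolution) within a few milliseconds. The same revocation check can also be driven through CryptoAPI itself with certutil -verify -urlfetch on an exported copy of the certificate.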

March 31
Windows registry values (NoAutoMount) for forensic disk imaging

You may want to use disk imaging tools such as my favourite WinHex to capture forensically sound disk images from arbitrarily attached USB/SATA/mSATA/M.2/SAS/etc. hard drives even if you do not have a hardware write-blocker. In order to prevent the operating system from switching the just-attached disks to Online mode and mounting any file systems, you should configure the following registry values:

  NoAutoMount = REG_DWORD = 1

  SanPolicy = REG_DWORD = 3

Note that the NoAutoMount value goes directly into the mountmgr registry key (HKLM\SYSTEM\CurrentControlSet\Services\mountmgr), while the SanPolicy value must be set in the Parameters subkey of the partmgr driver (HKLM\SYSTEM\CurrentControlSet\Services\partmgr\Parameters). The value 3 means OfflineAll, the same thing that diskpart's san policy=OfflineAll command sets.

With the registry configured this way, newly attached disks remain in the default Offline mode, in which the system neither mounts their file systems nor writes to them, so they are effectively read-only.

If you want to switch a disk to the writable Online mode, you can always do so with diskpart's online disk command. Note, however, that making a disk Online means that its file systems get mounted immediately, even if no drive letter has been assigned yet.

If you want to mount a file system while keeping the disk read-only, you can achieve this with diskpart's attributes disk set readonly command, issued before switching the disk online.

Thus an offline disk is always read-only, while an online disk may be read-only or writable, depending on the disk attribute, which you can change before bringing the disk online.

A sample DISKPART transaction may look like this:


  list disk
  REM :the previous command listed your disks, the newly attached disk should be offline, note its number

  select disk XX
  REM :select the number of your offline attached disk instead of typing XX

  attributes disk
  REM :the previous command should have displayed some attributes, mainly that the disk currently is in read/only state

  attributes disk set readonly
  REM :we make the read/only setting permanent for the selected disk by storing this information in the local computer registry
  REM :note that this does not modify anything on the disk yet and note also that the setting stays in the local computer registry
  REM :and does not roam with the disk if unplugged and moved to another computer

  online disk
  REM :makes the disk online allowing file systems to be mounted, although the disk remains in read/only mode and thus the file systems
  REM :are read only as well. No drive letters assigned yet due to the NoAutoMount registry value

  list volume
  REM :find the volume(s) on the disk you just brought online and note the volume number

  select volume YY
  assign
  REM :only now a drive letter is assigned, the disk and its file systems still remain in read/only mode
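The same thing done from PowerShell, as an added example that is not part of the original post: the first function applies the two registry values, the second brings an evidence disk online while keeping it read-only and aborts if the protection did not take. It assumes an elevated PowerShell with the Storage module (Windows 8 / Server 2012 or later); the full registry paths are the ones I know for these values, the post itself only names the keys.

```powershell
# Added example, not code from the original post. Assumptions: elevated
# PowerShell, Storage module (Windows 8 / 2012 or later). Registry paths as I
# know them (the post only names the keys):
#   HKLM\SYSTEM\CurrentControlSet\Services\mountmgr            NoAutoMount = 1
#   HKLM\SYSTEM\CurrentControlSet\Services\partmgr\Parameters  SanPolicy   = 3 (OfflineAll)

function Set-ForensicDiskPolicy {
    $mountMgr = 'HKLM:\SYSTEM\CurrentControlSet\Services\mountmgr'
    $partMgr  = 'HKLM:\SYSTEM\CurrentControlSet\Services\partmgr\Parameters'
    foreach ($key in $mountMgr, $partMgr) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $mountMgr -Name NoAutoMount -Value 1 -Type DWord
    Set-ItemProperty -Path $partMgr  -Name SanPolicy   -Value 3 -Type DWord
    # Read the values back so the caller sees what is in effect for disks attached from now on.
    [pscustomobject] @{
        NoAutoMount = (Get-ItemProperty -Path $mountMgr -Name NoAutoMount).NoAutoMount
        SanPolicy   = (Get-ItemProperty -Path $partMgr  -Name SanPolicy).SanPolicy
    }
}

function Mount-EvidenceDiskReadOnly {
    # Equivalent of the DISKPART transaction above: attributes disk set readonly, online disk, assign.
    param([Parameter(Mandatory)][int] $DiskNumber)
    $disk = Get-Disk -Number $DiskNumber
    if (-not $disk.IsOffline) {
        throw "Disk $DiskNumber is already online, so SanPolicy=3 did not protect it; check the registry (and reboot after changing it) before touching the disk."
    }
    # The persistent read-only attribute is stored in this computer's registry, not on the disk.
    Set-Disk -Number $DiskNumber -IsReadOnly $true
    Set-Disk -Number $DiskNumber -IsOffline $false
    $disk = Get-Disk -Number $DiskNumber
    if (-not $disk.IsReadOnly) {
        Set-Disk -Number $DiskNumber -IsOffline $true
        throw "Disk $DiskNumber came online writable; it has been taken offline again."
    }
    # File systems are mounted now but, because of NoAutoMount, have no drive letters: add them explicitly.
    Get-Partition -DiskNumber $DiskNumber |
        Where-Object { $_.Type -ne 'Reserved' -and [int] $_.DriveLetter -eq 0 } |
        Add-PartitionAccessPath -AssignDriveLetter
    Get-Partition -DiskNumber $DiskNumber | Get-Volume | Select-Object DriveLetter, FileSystemLabel, FileSystem, Size
}

# Usage (set the policy before plugging in the evidence disk; replace 1 with the number from Get-Disk):
# Set-ForensicDiskPolicy
# Get-Disk | Format-Table Number, FriendlyName, IsOffline, IsReadOnly, PartitionStyle
# Mount-EvidenceDiskReadOnly -DiskNumber 1
```

The second function deliberately refuses to proceed when the disk is already online: at that point the operating system may already have touched it, and the read-only attribute set afterwards no longer proves anything about what happened before. As the post says, this protection lives in the local registry and is software-only; a hardware write-blocker remains the safer choice where available.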

February 05
Once again, how to enable Secure Boot in UEFI BIOS configuration

I have already covered all the steps in a previous article about UEFI Secure Boot configuration and Windows 2016 installation from a USB flash drive. Here I will just repeat the necessary steps to undertake in the UEFI BIOS in order to have Secure Boot enabled for Windows 2016 or Windows 10. I have just met another motherboard which taught me the lesson once again (it was a Gigabyte H170-D3H motherboard with the original F4 BIOS and later with the F20 and F21 BIOS updates):

Basic requirements

  • CSM disabled - the Compatibility Support Module (CSM) must be disabled, otherwise it allows non-UEFI boot media and boot loaders to start, which makes Secure Boot meaningless
  • require Administrator password to enter BIOS - this is another requirement. Without the BIOS configuration being password protected, Secure Boot is again pointless, as anyone at the console could simply switch it off
  • Windows 8/10 Features setting enabled - you have to set the Windows 8/10 Features configuration option (you will find it on the BIOS tab) to either Windows 8/10 or Windows 8/10 WHQL. For me, both options worked to boot with Secure Boot. I was not able to find any documentation about the difference between the two, so select whichever you like more :-)
  • Secure Boot enabled - sure, you have to change the setting to Enabled :-) it is not enabled by default
  • Intel TXT - if the option is not present in the BIOS at all, it seems to be supported automatically. I did not need to do anything regarding this so-called Trusted Execution Technology.

The crucial thing to enable the Secure Boot

You must always Provision Factory Default Keys! Even if you have just received your machine from the manufacturer, you have to do it yourself. This cannot be done while the Secure Boot Mode is set to Standard. So the crucial technique is to first enable the Customized mode for Secure Boot, then provision the factory default keys manually and only then switch back to the Standard mode:

  1. switch the Attempt Secure Boot to Enabled
  2. switch the Secure Boot Mode to Customized - it enables the Key Management submenu
  3. go into the Key Management sub menu
  4. switch the Provision Factory Default keys to Enabled
  5. go back up
  6. switch the Secure Boot Mode to Standard

And you are all done.
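To check from the installed Windows that the steps actually took, here is an added example (not code from the original post) that confirms Secure Boot is on and lists what the firmware now trusts in PK, KEK, db and dbx, i.e. whether the factory default keys really got provisioned. It assumes an elevated PowerShell on a UEFI-booted Windows 8 / Server 2012 or later (the SecureBoot module); the EFI_SIGNATURE_LIST layout and the two signature type GUIDs are taken from the UEFI specification.

```powershell
# Added example, not code from the original post. Assumes an elevated PowerShell
# on UEFI-booted Windows 8 / 2012 or later (Confirm-SecureBootUEFI, Get-SecureBootUEFI).

$EFI_CERT_X509_GUID   = [guid] 'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid] 'c1c41626-504c-4092-aca9-41f936934328'

function ConvertFrom-EfiSignatureList {
    # Parses one or more concatenated EFI_SIGNATURE_LIST structures (UEFI spec):
    #   SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
    #   | SignatureHeader (SignatureHeaderSize bytes) | N x { SignatureOwner GUID (16) | SignatureData }
    param([Parameter(Mandatory)][byte[]] $Bytes, [string] $Variable = '')
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = New-Object System.Guid -ArgumentList (, [byte[]] $Bytes[$offset..($offset + 15)])
        $listSize   = [int] [System.BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int] [System.BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int] [System.BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 + $headerSize -or $offset + $listSize -gt $Bytes.Length -or $sigSize -lt 16) {
            throw "Corrupt EFI_SIGNATURE_LIST in $Variable at offset $offset"
        }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            $owner = New-Object System.Guid -ArgumentList (, [byte[]] $Bytes[$pos..($pos + 15)])
            $data  = [byte[]] $Bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [ordered] @{ Variable = $Variable; Kind = 'unknown ' + $type; Subject = $null; Thumbprint = $null; NotAfter = $null; Owner = $owner }
            if ($type -eq $EFI_CERT_X509_GUID) {
                # DER-encoded X.509 certificate: what PK, KEK and db normally hold
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $data)
                $entry.Kind = 'X509'; $entry.Subject = $cert.Subject; $entry.Thumbprint = $cert.Thumbprint; $entry.NotAfter = $cert.NotAfter
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                # SHA-256 hash of a forbidden binary: what dbx is mostly made of
                $entry.Kind = 'SHA256'; $entry.Thumbprint = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            [pscustomobject] $entry
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

function Get-SecureBootTrust {
    # One object per signature entry in all four databases; warns if Secure Boot is off.
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Firmware reports Secure Boot as disabled.' }
    foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
        $var = Get-SecureBootUEFI -Name $name -ErrorAction SilentlyContinue   # absent while in Setup Mode
        if ($var) { ConvertFrom-EfiSignatureList -Bytes $var.Bytes -Variable $name }
    }
}

# Usage:
# $trust = Get-SecureBootTrust
# $trust | Where-Object Kind -eq 'X509' | Format-Table Variable, Subject, NotAfter -AutoSize
# $trust | Group-Object Variable, Kind | Select-Object Name, Count
```

With the factory default keys provisioned you should see the board vendor's certificate in PK, the vendor's and Microsoft's KEK certificates, Microsoft's Windows Production PCA and UEFI CA certificates in db, and a long list of SHA256 entries in dbx. An empty PK means the firmware is still in Setup Mode and will not enforce anything, whatever the Secure Boot switch says.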

January 05
Display password (password reveal button) keyboard shortcut

We have had the password reveal button (aka show password button) in most password entry GUIs since Windows 8. It is the small eye icon at the end of password edit boxes which, when you click on it with the mouse, reveals the currently typed password that would normally be hidden under stars or dots. People like to look at the value in order to prevent failed password attempts, especially when the computer is configured with several national keyboard layouts, or just to be sure. Internet Explorer has had the button since version 8 regardless of the Windows version.

Is there a keyboard shortcut that would let you display the password as you type instead of leaving the keyboard and scrabbling around for the mouse? Moreover, we server-oriented geeks sometimes do not even have a mouse available at all.

How to display the password using a keyboard shortcut

Yes, there is, but only since Windows 10 and Windows Server 2016. Better late than never.


On the other hand, secure corporate environments may need to disable the password reveal button completely, for instance to comply with information security standards such as ISO/IEC/EN/CSN 27001/27002. As people get used to always showing their password for confirmation, they may forget about others watching; there are surveillance cameras as well.

How to disable the password reveal button

There is a Group Policy setting to disable this option, available ever since the button exists (Windows 8 and later). You will find it in a GPO (Group Policy Object) exactly here:

Computer Configuration
    Administrative Templates
      Windows Components
        Credential User Interface
          Do not display the password reveal button


Computer Configuration
    Administrative Templates
      Windows Components
        Internet Explorer
          Security Features
            Do not display the password reveal button

If you want to disable the show password button both in the general user interface and in Internet Explorer, you simply Enable both settings. It applies to the new Edge browser as well.

December 29
How to create UEFI bootable flash drive with installation media of Windows Server 2016

You may want to install Windows Server 2016 directly on a fully UEFI-enabled system in order to be able to enforce Secure Boot and make use of features such as Device Guard, Credential Guard, Hyper-V based isolation and TPM-backed virtual smart cards.

To have Secure Boot carried the whole way up to a fully booted operating system, you have to clean-install with all the UEFI support enabled (I have already covered some of it in a previous post about Secure Boot in Windows 10). On my current platform it does not work even if I only leave the CSM (Compatibility Support Module) enabled, so what I need is a fully UEFI and Secure Boot enabled installation medium, which was not required in my previous trials on older hardware with Windows 10. I plan to install from a USB flash drive. As it turns out, there are some challenges though.

Requirements and challenges

Go into your BIOS (now called UEFI) and make sure you have:

  • CSM (Compatibility Support Module) disabled - this prevents legacy BIOS-style booting; together with Secure Boot, only correctly signed UEFI boot loaders can start, in our case the Windows 2016 setup from the installation media.
  • all legacy OpROMs disabled
  • Administrator password for entering the BIOS enforced - without an admin password Secure Boot does not work (and anyone at the console could switch it off anyway)
  • Secure Boot enabled

The installation medium on a USB flash drive must meet the following criteria:

  • be GPT (GUID partition table) formatted - we cannot use the MBR style partition table, UEFI requires the newer GPT format
  • have a single partition formatted with FAT32 - unless you are extremely lucky, you cannot use NTFS. The UEFI firmware needs to be able to read the contents of the partition and, logically enough, it understands FAT32 only. You cannot create more partitions on the USB flash drive, because it advertises itself to the operating system as removable media and Windows then prevents you from creating more than a single partition. Some USB flash drives may have the option to flip the "removable bit" (also called RMB), but it is always kind of a hack, good for hours of fun during long winter nights.

And here comes the problem. The Windows 2016 installation contains the INSTALL.WIM file in the sources folder, which is more than 4.3 GB in size. Unfortunately, the FAT32 file system can only accommodate files smaller than 4 GiB (the limit is 2^32 - 1 bytes). So you cannot put such a big file on FAT32, while you cannot use NTFS for the source partition.

So we have to split the install.wim file into two or more .swm files with the DISM command-line utility and that does the trick.

The procedure

  1. Obtain the Windows 2016 installation ISO and extract the files from it.
  2. Split the sources\install.wim file into several .swm files using the now built-in DISM tool (run from the folder with the extracted files):
    dism /Split-Image /ImageFile:sources\install.wim /SWMFile:sources\install.swm /FileSize:4000
  3. It will create at least two files, install.swm and install2.swm, or even more of them if you specified a smaller file size or had a bigger original install.wim image.
  4. Delete the original sources\install.wim file from the sources folder and keep (or copy) the .swm files you just produced in there.
  5. Obtain a pen USB flash drive that you want to use for the installation media
  6. Start DISKPART command line as Administrator
  7. Identify your flash drive with the following command (in my case it showed as disk number 3):
    list disk
  8. Select the disk, clean it, convert to GPT and create the empty partition:
    list disk
    select disk 3
    convert gpt
    create partition primary
    format fs=fat32 quick
  9. Copy all the installation source files, including the split .swm files you prepared previously, onto the newly formatted flash drive. You have to copy all the files from the ISO, including the sources, boot and efi folders.

Now go and install, it should work :-) Note that such a drive should be displayed in the UEFI BIOS as a boot option. If it is not, the UEFI firmware either did not recognize the drive or did not recognize it as bootable, and it will not boot from it.
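The whole procedure as one PowerShell function, added here as an example that is not part of the original post, with the checks I would want before wiping a disk: it refuses anything not attached over USB, verifies that no file on the stick would exceed the FAT32 limit after the split, and confirms that the boot loader the firmware looks for is really there. Assumptions: Windows 8.1 / Server 2012 R2 or later (Storage module, DISM), an elevated session, enough free space in %TEMP% to stage the ISO contents, and a stick of at most 32 GB (Windows refuses to format larger FAT32 volumes). The ISO path in the usage line is an invented example.

```powershell
# Added example, not code from the original post. Assumptions: Windows 8.1 / 2012 R2
# or later (Storage module, DISM), elevation, free space in %TEMP% for a staging copy,
# a USB stick of at most 32 GB. The ISO path in the usage comment is invented.

function New-UefiInstallUsb {
    param(
        [Parameter(Mandatory)][string] $IsoPath,      # path to the Windows Server 2016 ISO
        [Parameter(Mandatory)][int]    $DiskNumber,   # from Get-Disk; this disk gets WIPED
        [string] $Label = 'WS2016'
    )
    $disk = Get-Disk -Number $DiskNumber
    # Clear-Disk is destructive: refuse anything that is not USB-attached.
    if ($disk.BusType -ne 'USB') { throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB; refusing to wipe it." }
    if ($disk.Size -gt 32GB) { throw 'Windows formats FAT32 volumes only up to 32 GB; use a smaller stick.' }

    $staging = Join-Path $env:TEMP ('uefi-usb-' + [guid]::NewGuid().ToString())
    $image   = Mount-DiskImage -ImagePath $IsoPath -PassThru
    try {
        $vol = $null
        for ($i = 0; -not $vol -and $i -lt 10; $i++) { Start-Sleep -Seconds 1; $vol = $image | Get-Volume }
        if (-not $vol) { throw 'Mounted ISO did not expose a volume.' }
        $src = "$($vol.DriveLetter):\"

        # 1. Stage the ISO contents on the hard disk so install.wim can be split there.
        robocopy $src $staging /E /NFL /NDL /NJH /NJS | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy from ISO failed with exit code $LASTEXITCODE" }

        # 2. FAT32 cannot hold a file of 4 GiB or more: split install.wim into .swm pieces.
        $wim = Join-Path $staging 'sources\install.wim'
        $swm = Join-Path $staging 'sources\install.swm'
        if ((Get-Item $wim).Length -ge 4GB) {
            dism /Split-Image "/ImageFile:$wim" "/SWMFile:$swm" /FileSize:4000 | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "dism /Split-Image failed with exit code $LASTEXITCODE" }
            Remove-Item $wim
        }
        $tooBig = Get-ChildItem $staging -Recurse -File | Where-Object { $_.Length -ge 4GB }
        if ($tooBig) { throw ('Still too large for FAT32: ' + (($tooBig | ForEach-Object FullName) -join ', ')) }

        # 3. GPT with a single FAT32 partition (diskpart: clean, convert gpt, create partition primary, format fs=fat32 quick).
        if ($disk.PartitionStyle -ne 'RAW') { Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false }
        Initialize-Disk -Number $DiskNumber -PartitionStyle GPT
        $part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter
        Format-Volume -Partition $part -FileSystem FAT32 -NewFileSystemLabel $Label -Confirm:$false | Out-Null
        $dst = "$($part.DriveLetter):\"

        # 4. Copy everything, then make sure the file the firmware boots is really there.
        robocopy $staging $dst /E /NFL /NDL /NJH /NJS | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy to the stick failed with exit code $LASTEXITCODE" }
        if (-not (Test-Path (Join-Path $dst 'efi\boot\bootx64.efi'))) { throw 'efi\boot\bootx64.efi is missing from the stick' }
        Get-Volume -DriveLetter $part.DriveLetter
    } finally {
        Dismount-DiskImage -ImagePath $IsoPath | Out-Null
        if (Test-Path $staging) { Remove-Item $staging -Recurse -Force }
    }
}

# Usage:
# Get-Disk | Format-Table Number, FriendlyName, BusType, Size
# New-UefiInstallUsb -IsoPath 'C:\iso\SERVER_2016.iso' -DiskNumber 3
```

The USB bus check is the one line I would never drop: a typo in the disk number otherwise wipes a data disk without any further prompt, because Clear-Disk is called with confirmation suppressed.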

December 18
The best way how to start PowerShell PS1 scripts

If you have a PS1 script file, it is sometimes difficult to start it. You can always right-click it and select Run with PowerShell, but this may fail without much information displayed if the computer's effective execution policy prevents the script from running. When you create a scheduled task or another kind of scheduled job, you also have to explicitly call powershell.exe with the script file as a parameter instead of just typing the name of the PS1 file.

This is the reason why I always create and distribute an accompanying BAT file with all my PS1 scripts. I always create the two files with the same base name, because then you do not need to specify the exact name of the PS1 file inside the calling BAT file:

powershell -NoLogo -ExecutionPolicy Bypass -File "%~d0%~p0%~n0.ps1" %*
exit /B %errorlevel%

The batch file calls the PS1 script with the same base name as its own file name (%~d0%~p0 is the drive and path of the batch file, %~n0 its name without extension). It also passes all its own command line parameters down to the PowerShell script. Finally, it returns the exit code obtained from the PowerShell script. Note that -ExecutionPolicy Bypass only overrides the policy for this one process and does not change the policy configured on the machine; the execution policy is a safety belt against running scripts by accident, not a security boundary, so nothing that really protected you is circumvented here.

I usually do not need to set the current directory to the folder of the script files, but if you like that, you can improve the batch file slightly like this:

cd /D "%~d0%~p0"
powershell -NoLogo -ExecutionPolicy Bypass -File "%~d0%~p0%~n0.ps1" %*
exit /B %errorlevel%

December 18
PowerShell script to automatically correct the client list of DNS servers configured on network interfaces

Sometimes you have a requirement to change the statically configured IP addresses of DNS servers (DNS resolvers) on the network interfaces (NICs) of your computers. If your servers or even workstations are configured with a static list of DNS server addresses, you would have to go to all of them manually and change the IP addresses one by one. I have just hit an environment where all machines are configured statically, so why not change the hundreds of configurations automatically?

I created a simple PowerShell script which detects the network adapters that need repair and sets the correct DNS server search order:

# Note: we will reconfigure all the NICs that currently
#       contain at least one of the $currentPossibleDNSs DNS server IPs
#       among the list of their configured DNS servers. We do not touch
#       any other NICs, to be on the safe side against WiFis and VPNs.
#       Fill in the old DNS server IP addresses as strings.
$currentPossibleDNSs = @('', '')

# Note: we will configure the NICs with exactly the following
#       list of DNS server IPs, which in effect resets the list to this one.
#       Fill in the new DNS server IP addresses as strings.
$newDNS = @('', '', '')


# Only adapters that have at least one DNS server configured are candidates
[object[]] $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.DNSServerSearchOrder -and $_.DNSServerSearchOrder.Count -gt 0 })

foreach ($oneNic in $nics) {

  # ($matches is an automatic variable in PowerShell, hence a different name here)
  [bool] $needsRepair = $false

  foreach ($oneCurrentDNS in $currentPossibleDNSs) {
    if ($oneNic.DNSServerSearchOrder -contains $oneCurrentDNS) {
      $needsRepair = $true
    }
  }

  if ($needsRepair) {

    Write-Host ('One found NIC: ip = {0} | {1} | dns = {2}' -f ($oneNic.IPAddress -join ','), $oneNic.Description, ($oneNic.DNSServerSearchOrder -join ','))

    # SetDNSServerSearchOrder replaces the whole list; ReturnValue 0 means success
    $res = $oneNic.SetDNSServerSearchOrder($newDNS)
    Write-Host ('Reconfigured: {0}' -f $res.ReturnValue)

    if ($res.ReturnValue -ne 0) {

      throw ('Cannot reconfigure search order on NIC: #{0} | error = {1}' -f $oneNic.InterfaceIndex, $res.ReturnValue)
    }
  }
}
You can either run the script from the PowerShell command line manually, or you can assign it to the computers as an Immediate Task using the Group Policy Preferences - Scheduled Tasks feature.

December 17
How to match domain names in NPS logins

If you implement a custom Connection Request Policy on an NPS server (Network Policy Server), you may want to forward authentication requests to a remote RADIUS server group. You may base the forwarding decision on a number of request attributes coming from the RADIUS client (such as a VPN gateway or a WiFi access point) as well as those passed through from its access client (the actual VPN client or WiFi client).

One of the attributes that you can check is the user name (user login). You may want to match user login names against domain names and forward the RADIUS requests to different remote RADIUS server groups for authentication. When using the User-Name attribute for connection request policy matching, you specify a regular expression (regex) to match the domain name. The following are examples of how to do it depending on the format of the login used:

  What to match                                  Example login                          Regex
  NetBIOS domain name followed by a backslash    domainA\kamil                          ^domainA\\.+
  FQDN domain name preceded by the @ sign        (none given)                           .+@domainB\.com$
  longer fully qualified domain name             kamil@ad.domainB.local                 .+@ad\.domainB\.local$
  both NetBIOS and DNS domain names              domainA\kamil or kamil@domainA.local   (^domainA\\.+)|(.+@domainA\.local$)

Note that the caret ^ character means the beginning of the string, while the dollar sign $ means the end of the string, dot-plus .+ means at least a single character, and a literal dot or backslash must be escaped with another backslash. The anchors matter: without ^ the first pattern would also match a login such as evildomainA\kamil, and without $ a UPN ending in an unexpected suffix would still be forwarded. You can always verify the behaviour from PowerShell, just like in the following examples:

'domainA\kamil' -match '^domainA\\.+'
'domainXXX\kamil' -match '^domainA\\.+'
'' -match '.+@domainB\.com$'   # put a login of the user@domain form between the first pair of quotes

Wish you happy time with your NPS :-)
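As an added example that is not part of the original post, the following script applies the regexes from the table above to sample User-Name values the way a Connection Request Policy would (policies are evaluated in order, the first match wins) and shows which remote RADIUS server group each login would be forwarded to. The group names, the local fallback and the sample logins are constructed for this example.

```powershell
# Added example, not code from the original post. Group names, the 'local'
# fallback and the sample logins are constructed for illustration.

$forwardingRules = @(
    @{ Pattern = '^domainA\\.+';            Target = 'RADIUS group for domainA' }
    @{ Pattern = '.+@domainB\.com$';        Target = 'RADIUS group for domainB' }
    @{ Pattern = '.+@ad\.domainB\.local$';  Target = 'RADIUS group for domainB' }
)

function Resolve-RadiusTarget {
    param([Parameter(Mandatory)][string] $UserName)
    foreach ($rule in $forwardingRules) {
        # -match is case-insensitive and, like NPS, matches anywhere in the
        # string unless the pattern is anchored with ^ and $.
        if ($UserName -match $rule.Pattern) {
            return [pscustomobject] @{ UserName = $UserName; Pattern = $rule.Pattern; Target = $rule.Target }
        }
    }
    [pscustomobject] @{ UserName = $UserName; Pattern = $null; Target = 'local (no policy matched)' }
}

# Constructed sample logins, including the ones a sloppy regex gets wrong.
$samples = @(
    'domainA\kamil',                  # NetBIOS form, rule 1
    'DOMAINA\kamil',                  # same, case does not matter to -match
    'domainAB\kamil',                 # other domain: rule 1 wants the backslash right after domainA
    'kamil@domainB.com',              # UPN form, rule 2
    'kamil@domainB.com.attacker.net', # the $ anchor stops this one
    'kamil@evil.domainB.com',         # @ has to be followed directly by domainB.com
    'kamil@ad.domainB.local'          # rule 3
)
$samples | ForEach-Object { Resolve-RadiusTarget -UserName $_ } | Format-Table -AutoSize

# Why the anchors matter: the same pattern without ^ also accepts a foreign
# NetBIOS domain that merely ends in "domainA".
'evildomainA\kamil' -match '^domainA\\.+'   # anchored
'evildomainA\kamil' -match 'domainA\\.+'    # unanchored
```

Run it before putting the patterns into NPS; the table it prints is exactly the routing decision the Connection Request Policies will make, and the last two lines show why a missing anchor lets a user choose which RADIUS backend authenticates them.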

November 30
Two different Azure/Office365 PowerShell modules for IT professionals

I was just trying Connect-MsolService, which requires the installation of some PowerShell module. There is widespread confusion, even on Google, about which of the modules or which of their versions should be downloaded. It took me some time, so to clarify it for others, here it goes:

If you want to use the Connect-MsolService cmdlet to connect to Office 365 (aka Microsoft Online Services, MSOL) and manage Office 365 accounts and domains, you need the following two downloads:

  • Microsoft Online Services Sign-in Assistant for IT Professionals RTW:
    • which is in fact the msoidcli_64.msi package
    • after installation it appears as Microsoft Online Services Sign-In Assistant in the Programs and Features control panel
    • and shows up as a Windows service called msoidsvc aka Microsoft Online Services Sign-In Assistant
  • Windows Azure Active Directory Module for Windows PowerShell version 1.0:
    • which is in fact the AdministrationConfig.msi package
    • also called Azure AD Module for PowerShell aka Office 365 Module for PowerShell aka Msol Module for PowerShell aka AAD PowerShell aka Azure Active Directory Connection
    • after installation it appears as Windows Azure Active Directory Module for Windows PowerShell in the Programs and Features control panel
    • this one already has some newer versions available ( as the newest release version and 2.0 as a public preview). They are listed in the article Microsoft Azure Active Directory PowerShell Module Version Release History, but do not bother

This is the only method currently available for direct download which can be used to manage Office 365 with the MSOL cmdlets.

If you want to manage other Azure services, you will need to download Azure PowerShell from GitHub. It comes in various versions, such as 1.7.0, 2.2.0 or 3.2.0. It does NOT need the Microsoft Online Services Sign-In Assistant and does NOT contain the Connect-MsolService cmdlet, so I assume it cannot manage Office 365 at all.

October 23
Error 314 when creating new NLB cluster

If you get error 314 or the error message "Provider load failure" on Windows Server 2016 when creating a new NLB cluster, either in the GUI or with the New-NlbCluster cmdlet, note that you must have IPv6 enabled in order to create the cluster. You cannot even disable just the IPv6 tunnel adapters with the registry value DisabledComponents = 0x1 (under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters). According to my testing, the DisabledComponents value must not be present in the registry with any value at all.


 About this blog

Ondrej Sevecek 

Ondrej Sevecek is a technical consultant, writer and speaker specialising in network security, PKI, identity management and Active Directory on the Microsoft Windows platform. Ondrej is a Microsoft Certified Master (MCM:Directory and MCSM:Directory) and a Most Valuable Professional (MVP: Enterprise Security). He also maintains his CISA, CHFI (Computer Hacking Forensic Investigator) and CEH (Certified Ethical Hacker) certifications.

Ondrej is also an MCT and gives lectures at GOPAS, the greatest of the European training centers.