Space Invaders Part I

I am not a developer by trade and any experience I have is of using C# and various iterations of Visual Basic in the distant (7+ years) past. I use PowerShell in my day-to-day but this can’t really be described as a genuine programming language. One of my ‘bucket list’ items for 2025 was to figure out how to write a Space Invaders game, something I have been procrastinating over for months. This was mainly a project in how to write it, but it also served as a great way to learn, or at least re-acquaint myself with, a programming language I’d lost touch with. Since this was to be a fairly steep learning curve, I figured I should give myself a fighting chance by choosing a language that:

  1. I am somewhat familiar with
  2. Is suitable for such a project.

So for part 1, C# it was. I say part 1 because now I have a good idea of how to put the game together, I would like to take this further and write a version in another language and possibly even a recognizable version in PowerShell. This should give me some exposure to other languages I currently have little to no knowledge of (I’m looking at you, C++ and Python).

But you can get AI to write the whole thing, surely? Well, yes, true and I’m not going to lie, to some extent, using AI is almost unavoidable. When starting on a particular subroutine I almost fell out my chair with the way it read my mind about what I wanted to do next. Really. It’s not like I’m new to this (AI in general or looking for fixes to programming issues) but I’d start to type the name of a routine to make the saucer fly across the screen and it would largely write the thing for me before I’d finished typing the name of the sub. Blown away. That said, not everything was quite right and many times its assumptions weren’t what I wanted so going through the code to fix these issues wasn’t just ‘satisfying’ but necessary.

Then there were annoyances which I genuinely wanted AI to solve but try as it might, it just couldn’t. First versions occasionally left artifacts of the laser fire on the screen that wouldn’t go away. Co-Pilot kept making suggestions but either these didn’t work or worse still, broke the code. And it was during these frustrating times that my free access ran out and I was left to fend for myself (more or less). Back to Stack Overflow for fixes (in the end this solved itself when I was forced to adopt the OnPaint method for sprites – more on this later).

Eventually I had a working game on my desktop development machine which I was quite proud of. It looked just like the real thing and although I’d furnished it with a few more flourishes than I’d originally planned (my starting goal was to make a very basic game that could be ported easily from language to language) I was happy with it. Then I tried it on my laptop. Oh dear. Every time I fired a laser it slowed the game down. Sound was also hogging the UI thread too…my God, this computer must be several million times the speed (and memory) of my old Beeb that used to run this game, so why is it having such a hard time?

This called for a re-write to some extent. Quite a large extent, in fact. I had to put the main game loop on a background thread; the sound had to be pushed out onto a background thread too (this helped a lot but still isn’t perfect by any stretch). However the really big change was to replace the way the sprites were presented. My initial version had all graphics as a separate PictureBox – this was ideal as it was simple and would potentially make future versions eas(ier) to write. Unfortunately this proved incredibly resource-intensive and although it ran OK on my desktop machine, it really struggled on my laptop. Begrudgingly I had to bite the bullet and swap this for the OnPaint Method. Although the learning curve for this increased (dramatically in fact), this did have two main advantages:

  1. The OnPaint method is significantly more performant. Each PictureBox is a full windowed control, which means it has its own window handle (HWND) and processes system messages. For a game with lots of objects like aliens, bullets, and lasers, creating and managing a PictureBox for each one consumes substantial system resources, and this led to poor performance and noticeable lag, especially on my laptop. In contrast, OnPaint performs a single, highly optimized drawing operation directly onto the form.
  2. Smooth Animation (Double Buffering): The OnPaint method works seamlessly with the form’s DoubleBuffered property. By setting this.DoubleBuffered = true;, all drawing operations within OnPaint are first rendered to an off-screen buffer and then drawn to the screen in a single operation. This improved animation noticeably.

There are other benefits to this too which I’ll leave out here for brevity’s sake, and ultimately it was worth the effort to get the game working with this method instead. The PictureBox version can be found here and the OnPaint version here. Links to the full project are also at the end. I still think there is value in the PictureBox (and single-threaded) version, if only as the academic exercise of creating the game in its simplest* form.

*It’s not in its simplest form. I could have made it a lot simpler. As I said, I got a little carried away.

GAME FLOW

Although I won’t pretend I started out with a ‘design’ in mind, this is something that kind of presented itself as I got further into the project. I have used VS2022’s Mermaid Editor extension to help create a flow diagram of how the whole thing works:

Flowchart illustrating the game loop and events for a Space Invaders game, including game setup, player actions, collision checks, and game over sequences.

I have, somewhat lazily, embedded the flying saucer as a project resource and this is the only graphic in the project that remains as a PictureBox. So in short, this is on the form and not ‘created’ in code. The same can be said for the hi-score form which I have designed in the editor rather than created in code. I make no apologies for this and feel free to change and use what you like for your own project, should you wish to. All the graphic and sound files will, as a result, need to be in the same directory as the exe file (“EalingAttack.exe”). Oh yes and on that subject, I had various names for it throughout the project. It started with a reference to my road (BirkbeckInvaders) before eventually settling for EalingAttack (my borough in London). As such you’ll see references to these and they could do with cleaning up in an ideal world. Finally, I have added descriptions of what everything does throughout the code for anyone who’s interested.

I haven’t decided when the next installment will be yet but don’t hold your breath. Ideally I need to start spending some time with the family again :-). I promised a follow-up article on 6502 assembly as well which I still haven’t got round to yet. I’ll probably tackle that first though as it will be a shorter project but again, in my own time which could be whenever.

CONTROLS:

Oh and I forgot to add a controls screen so it’s:

Left/Right arrow for the turret movement and spacebar to fire. As alluded to above, sound is still an issue on some machines, particularly the background sound. If this noticeably affects gameplay, you can toggle it by pressing ‘S’.

Finally – feel free to create your own upgrades and leave links in the comments.

GITHUB :

bondy666/Space-Invaders: Learn to program Space Invaders in multiple languages

Either clone it or for those who just want to play the game go to Code > Download zip, unpack and run the exe. I promise, there are no nasty surprises (apart from the bad coding).

Fixing BitLocker Recovery Mode on HP Workstations

I recently had an issue at work where we saw a not-insignificant number of our Z4G5 workstations regularly going into recovery mode after the weekly reboot. As far as we were aware at the time, they were configured no differently to any of our other computers, laptop desktop or mini-workstation, so this was confusing. What follows is what worked for us and depending on your environment, you might have other restrictions or security settings.

Following some digging, we discovered that these machines had a different PCR Validation Profile. Most of our machines are set to 7,11 whereas these were set to 0,2,4,11. You can check the validation profile of a machine with the following command:

Manage-bde -protectors -get C:

Where C: is the drive letter.

SOLUTION:

We also noticed that Pre-Boot DMA Protection was turned off in the BIOS on these workstations. We turned this setting back on, cleared the TPM and restarted the machine. This reset the protectors back to 7,11 and the machines now continue to boot normally.

I appreciate there is an element missing here – why was it entering recovery mode in the first place? In many instances, 0,2,4,11 is a perfectly acceptable default. Truth is at the moment, this is still unclear and HP weren’t able to provide a good explanation here either but a clue might lie in the last paragraph in the link below (re ‘Secure Boot validation’).

FURTHER INFO:

Indices can be configured via registry/GPO policy. Briefly, the default PCRs used by BitLocker in the BIOS are 0, 2, 4, 8, 9, 10, 11:

  • PCR0: Dynamic Root of Trust, BIOS Code, Platform Extensions
  • PCR2: ROM Code
  • PCR4: MBR Code
  • PCR8: NTFS Boot Sector
  • PCR9: NTFS Boot Block
  • PCR10: NTFS Boot Manager
  • PCR11: BitLocker’s Volume Master Key (VMK) and its critical components

For a more detailed explanation of this and what the different indices relate to, see Configure TPM platform validation profile for native UEFI firmware configurations.
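As an added example (not part of the original post), the check above turned into a script: it parses the "PCR Validation Profile" block out of the text that manage-bde prints, compares it with the profile the fleet is meant to have (7,11, as in the post), and reads back whether the policy named above pins a profile. The sample manage-bde text is constructed, and the registry path is where I understand the "Configure TPM platform validation profile for native UEFI firmware configurations" policy stores its values; both are assumptions, not something the post states.

```powershell
# Added example, not code from the post. Parses 'manage-bde -protectors -get <drive>'
# output, compares the TPM protector's PCR profile with the expected 7,11 and reads the
# policy override. Sample text below is constructed; the policy path is assumed.

# Constructed sample shaped like the relevant part of manage-bde output (IDs are placeholders).
$SampleManageBdeOutput = @"
Volume C: [OS]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR Validation Profile:
        0, 2, 4, 11

    Numerical Password:
      ID: {11111111-1111-1111-1111-111111111111}
"@

function Get-PcrValidationProfile {
    # Returns the PCR indices listed under "PCR Validation Profile:" as [int[]] (empty if absent).
    param([Parameter(Mandatory)] [string] $ManageBdeOutput)
    $lines = $ManageBdeOutput -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:') {
            # The indices are on the following line, comma separated, e.g. "7, 11".
            $found = @([regex]::Matches($lines[$i + 1], '\d+') | ForEach-Object { [int]$_.Value })
            return ,[int[]]$found
        }
    }
    return ,[int[]]@()
}

function Test-PcrValidationProfile {
    # $true when the protector's profile is exactly the expected set (order ignored).
    param([int[]] $Profile, [int[]] $Expected = @(7, 11))
    if (-not $Profile -or $Profile.Count -ne $Expected.Count) { return $false }
    $null -eq (Compare-Object -ReferenceObject $Expected -DifferenceObject $Profile)
}

function Get-PcrPolicyFromRegistry {
    # PCR indices enabled by policy, or $null when the policy is not configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'   # assumed path
    if (-not (Test-Path -Path $key -ErrorAction SilentlyContinue)) { return $null }
    $props = Get-ItemProperty -Path $key
    if ($props.Enabled -ne 1) { return $null }
    [int[]]@(0..23 | Where-Object { $name = "$_"; $props.PSObject.Properties[$name] -and $props.$name -eq 1 })
}

function Invoke-PcrProfileCheck {
    # Live check against the given drive, or -UseSample to run against the constructed text.
    param([string] $Drive = 'C:', [switch] $UseSample)
    $text = if ($UseSample) { $SampleManageBdeOutput }
            else { (& manage-bde -protectors -get $Drive 2>&1) -join "`n" }
    $pcrs = Get-PcrValidationProfile -ManageBdeOutput $text
    [pscustomobject]@{
        Drive           = $Drive
        Profile         = ($pcrs -join ',')
        MatchesStandard = Test-PcrValidationProfile -Profile $pcrs
        PolicyProfile   = ((Get-PcrPolicyFromRegistry) -join ',')
    }
}

# The constructed sample reports 0,2,4,11, so MatchesStandard comes back False, as it would
# have on the post's Z4G5 workstations.
Invoke-PcrProfileCheck -UseSample
```

Run it without -UseSample (elevated) to check the real machine; a non-empty PolicyProfile alongside a mismatching Profile tells you the firmware reset the protector rather than policy having changed.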

Retro Computing – Writing ‘Hello World’ in BBC Micro 6502 Assembly Language

I anticipate writing occasional posts about BBC Micro machine code as I do harbour a fascination with this from all those years back as a 12 year old. Let’s start with something basic (or rather machine code, ho ho).

I think I probably speak for everyone when I say my first introduction to BASIC was writing something along the lines of:

10 PRINT "Simon Rules!"
20 GOTO 10

…to be greeted with my message endlessly scrolling down the screen. Happy days. It makes sense then to create the same in assembly language as an introduction then, surely? 🙂

In the traditions of this site, I will try to keep it concise and to the point, but as you can see below, in ASM you really have to tell the machine exactly what you need it to do – no simple instructions to simply write what you choose. Don’t worry though, explanations will follow. Here is the exact equivalent in ASM of what we just did above in BASIC:

20 P%=&2000
30 [
35 .helloworld
36 EQUS "Hello World!"
37 EQUB &A
38 EQUB &D
40 .print
50 LDX #0
60 .loop
70 LDA helloworld,X
80 JSR &FFEE
90 INX
100 CMP #&D
110 BNE loop
115 LDX #0
116 JMP loop
120 RTS
130 ]
140 CALL print

EXPLANATION

Line 20: P% represents the place in memory where the program will be run from and refers to the ‘stack pointer’. This is a built in variable and we will be running the program from &2000 in this case. Note: ‘&’ is used to denote hexadecimal notation will follow – many other machines at the time (and to this day for that matter) use the ‘$’ for this.

Line 30 and 130: All assembly code on the Beeb needs to be encased in square brackets.

Line 35: .helloworld marks the start of the function we use to define our output.

Line 36: On the BBC Micro, EQUS stands for Equate String and essentially reserves a piece of memory containing the string specified.

Line 37: On the BBC Micro EQUB stands for Equate Byte and essentially reserves a piece of memory containing the byte specified. So what’s &A ? This translates to decimal ’10’ and is the ASCII for the newline character. This will be processed after ‘Hello World!’

Line 38: As above but what’s &D ? This translates to decimal ’13’ and is the ASCII for the Carriage Return character. This will be processed after newline above and these two additions ensure anything printed subsequently is on a new line.

Line 40: .print marks the start of the routine we use to loop through and print our output.

Line 50: This loads the X register with zero. In practice, this marks the start of a loop, like a FOR loop at character 0 “H” in ‘Hello World!’

Line 60: .loop – marks the start of the loop we will use to cycle through the ‘Hello World!’ string we defined from line 36.

Line 70: Loads the accumulator by referencing the helloworld function at line 34. The X reference is keeping track of where we are in the loop as we’re displaying the characters one by one (starting at 0 as mentioned in line 50).

Line 80: JSR stands for ‘Jump to SubRoutine’ and is used to jump to an in-built machine code routine to OSWRCH (Operating System Write Character). This is used, as you might imagine, to write characters to the screen and is found on the BBC Micro at &FFEE.

Line 90: INX is ‘Increment X register’ and increments this by one on each pass. This is part of our loop which is printing each of the characters in the string.

Line 100: CMP stands for ‘Compare’ and we are comparing the character we are on in the string with that here. ‘&D’ is decimal 13 and equates to the CR we mentioned in line 38. Since this is the last ASCII ‘character’ to be printed we know that if this is found, the full string has now been displayed.

Line 110: BNE stands for Branch if Not Equal and will continue the loop if &D hasn’t been found, above.

Line 115: Reset the X register back to 0. We need to do this as we will be re-running the whole code again in an endless loop and need to reset to the start of the string.

Line 116: Jump back into the loop. This is effectively ‘GOTO 10’ in the above BASIC version.

Line 120: Return From Subroutine (RTS) because &D has been found by the Compare above and we’re happy that the string we’ve printed is now complete. In practice, this is never reached as we are in a continuous loop but this is where it should go! If we were to remove lines 115 and 116 the program would complete here (and ‘Hello World!’ would be displayed once and finish).

Line 140: Finally we use the BASIC command CALL to execute the machine code routine to print the message.

That’s it…relatively straightforward although the BASIC equivalent is obviously somewhat easier to understand! I will hopefully do something a little more interesting next time, maybe draw a square on the screen or something. Let’s see.

KB5025885 (Black Lotus) – Making Everything Work After It Breaks

The rumours about Microsoft’s enforcement of the Black Lotus boot kit mitigations have been around since May 2023 but so far Microsoft have (sensibly) held back enforcement. And with good reason – the mitigations, once applied, are known to cause all sorts of problems with booting, PXE boot, USB boot, CD, even SecureBoot. As you can imagine, this could become a support headache, especially when applied at enterprise level customers.

I have recently had the dubious pleasure of investigating this and assessing what impact this might have when it’s forcibly imposed in some future KB (incidentally, no concrete date set from what I have heard so far, but possibly Q1 2025 although this date keeps getting shunted forward).

In any case, I thought I’d share the benefit of my knowledge for those struggling to get stuff working, particularly PXE booting via WDS. In all likelihood, any machines you’re preparing for have already got the ‘payload’ in place – that is, it’s already present on your machines but just needs activation. This is achieved via several registry updates and reboots, the process of which can take the best part of half an hour. Quite a pain, but as I say, I would expect this to be taken care of in a more streamlined way in a future KB. Once the mitigations have been applied, there shouldn’t be any immediately noticeable issues with the machine, although there are reports by some of being unable to boot into the OS. If this happens, you may wish to temporarily disable SecureBoot or alternatively, apply a workaround in the linked article above. However I wouldn’t expect this to happen and I haven’t personally come across it yet.

However, you will start to notice problems when you attempt to PXE boot or boot off some other media. The reason for this is that the certificates in the UEFI BIOS have now been updated to 2023 from 2011 and fail the integrity check when booting using binaries with unmatched certs. There are three areas we have to update:

  • The Boot Image
  • The WDS/Native SCCM PXE Binaries
  • The OS Media

Boot Image

This should be the first port of call. When creating the image, make sure you have installed the ADK 10.1.26100.1 (May 2024) and in particular, the WinPE Add-On. This version contains all the latest certificates within the winpe.wim file and will ensure compatibility/bootability(!).

Windows Deployment Server

  1. Ensure the server has a recent (at least June 2024) KB update. This will ensure it has a copy of the binaries required to PXE boot containing the new certs available.
  2. Copy C:\Windows\System32\RemInst\boot_EX\x64\wdsmgfw_EX.efi E:\RemoteInstall\Boot\x64\wdsmgfw.efi
  3. Copy C:\Windows\System32\RemInst\boot_EX\x64\en-US\wdsmgfw_EX.efi.mui E:\RemoteInstall\Boot\x64\en-US\wdsmgfw.efi.mui
  4. Copy C:\Windows\System32\RemInst\boot_EX\x64\en-US\bootmgfw_EX.efi.mui E:\RemoteInstall\Boot\x64\en-US\bootmgfw.efi.mui
  5. Copy C:\Windows\System32\RemInst\boot_EX\x64\bootmgfw_EX.efi E:\RemoteInstall\Boot\x64\bootmgfw.efi

Strictly speaking, the mui’s aren’t necessary but…belt and braces. What we’re doing here is replacing the old binaries with the new 2023 binaries which were supplied in the latest KB. If you have more than one WDS server, obviously ensure all are updated appropriately. In our environment, we also had one or two hard-coded boot paths which caused further confusion but I wouldn’t expect that normally.
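As an added example (not the post's own code), steps 2 to 5 of the WDS list as a script: it backs up the existing file, checks that each replacement .efi is signed by the 2023 CA (the whole point of the exercise is 2011 versus 2023 certificates), and only then copies it into place. The RemInst and RemoteInstall paths from the post are parameters; the function names are mine; the .mui files are copied without the signer check because they are not what UEFI validates. The same signer check generalizes to the _EX binaries pulled from the 24H2 boot.wim for the native SCCM PXE responder described in the next section.

```powershell
# Added example, not code from the post. Replaces the WDS PXE/boot binaries with the
# 2023-signed _EX versions from RemInst, verifying the Authenticode signer first.
# Assumed: default paths below match the post; adjust for your RemoteInstall drive.

function Get-BootBinarySigner {
    # Authenticode signer of a PE file (.efi is PE) with a flag for the 2023 CA.
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = $subject
        Issuer = $issuer
        Is2023 = ($subject -match '2023' -or $issuer -match '2023')
    }
}

function Update-WdsBootBinaries {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $RemInst       = 'C:\Windows\System32\RemInst',
        [string] $RemoteInstall = 'E:\RemoteInstall'
    )
    # Source (relative to RemInst) -> destination (relative to RemoteInstall), as in the post.
    $map = [ordered]@{
        'boot_EX\x64\wdsmgfw_EX.efi'            = 'Boot\x64\wdsmgfw.efi'
        'boot_EX\x64\en-US\wdsmgfw_EX.efi.mui'  = 'Boot\x64\en-US\wdsmgfw.efi.mui'
        'boot_EX\x64\en-US\bootmgfw_EX.efi.mui' = 'Boot\x64\en-US\bootmgfw.efi.mui'
        'boot_EX\x64\bootmgfw_EX.efi'           = 'Boot\x64\bootmgfw.efi'
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($entry in $map.GetEnumerator()) {
        $src = Join-Path $RemInst $entry.Key
        $dst = Join-Path $RemoteInstall $entry.Value
        if (-not (Test-Path $src)) {
            Write-Warning "Missing $src - the server probably lacks the June 2024 or later update"
            continue
        }
        if ($src -like '*.efi') {
            $info = Get-BootBinarySigner -Path $src
            if (-not $info.Is2023) {
                Write-Warning "Skipping $src : signer '$($info.Signer)' is not the 2023 CA"
                continue
            }
        }
        if ($PSCmdlet.ShouldProcess($dst, "replace with $src")) {
            if (Test-Path $dst) { Copy-Item $dst "$dst.$stamp.bak" }   # keep the 2011-signed original
            Copy-Item $src $dst -Force
        }
        [pscustomobject]@{ Source = $src; Destination = $dst; Present = (Test-Path $dst) }
    }
}

# Dry run first; drop -WhatIf to actually replace the files.
Update-WdsBootBinaries -WhatIf
```

Run Get-BootBinarySigner against the files already in RemoteInstall\Boot\x64 before and after: the before picture should show the 2011 signer chain, the after picture the 2023 one, which is a quicker confirmation than waiting for a client to PXE boot.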

PXE via Native SCCM

If you use the native PXE responder in SCCM rather than WDS, follow the steps below:

  1. Download the Windows 11 24H2 Enterprise ISO and mount it. This contains the new binaries we need.
  2. Browse to <MOUNTPOINT>\sources and copy boot.wim to a new folder (D:\Updates).
  3. Mount the boot image, eg Dism /mount-wim /wimfile:D:\Updates\boot.wim /index:1 /mountdir:D:\Updates\MOUNT
  4. Copy the following files to your update directory: D:\Updates\MOUNT\Windows\Boot\EFI_EX\bootmgfw_EX.efi D:\Updates\MOUNT\Windows\Boot\PXE_EX\wdsmgfw_EX.efi
  5. Rename bootmgfw_EX.efi to bootmgfw.efi and wdsmgfw_EX.efi to wdsmgfw.efi
  6. Copy the renamed files to D:\SMS_DP$\sms\bin\SMSBoot\<PkgID>\x64 on your PXE server (substitute for C: if necessary)
  7. You should be able to boot an updated machine now.

NOTE: wdsmgfw_EX.efi and bootmgfw_EX.efi can also be found on the boot image in the May 24 ADK. I had no luck trying to get the versions included there working correctly even though the certificates stated 2023, so it’s recommended you stick with the versions in the latest 24H2 ISO.

OS Media (Task Sequence)

So….we should now be working, right? Not so fast. You should now be in a position to be able to boot from WDS. However, if your OS media is out of date you will also be in trouble. If this is the case, you’ll find your task sequence failing once the OS has been laid down with bcdboot.exe failing to find the appropriate files it needs. From an OS media perspective you will need a minimum of the following:

  1. Windows 11 23H2 OS 22621.3737
  2. Windows 10 22H2 OS 19044.4529

If you ensure these or later versions are part of your task sequence, everything should be rosy.

OS Media (ISO Image)

Sometimes we need an ISO image to boot off. The instructions below should help when updating an ISO with the mitigations:

On SCCM – Upgrade to latest ADK and create a bootable ISO

Pre-requisites on client machine (eg Win 11)
Install Windows latest ADK (ADK 10.1.26100.1 (May 2024)) on your system, ensuring you include Deployment Tools.
Obtain the most recent Windows 11 23H2/24H2 installation media through your preferred distribution channel, such as the Volume Licensing portal.
This latest installation media contains the UEFI 2023 CA signed boot managers within the boot.wim file.

Once you have installed ADK, open Deployment and Imaging Tools Environment with administrative privileges.
Create the following directories:
mkdir C:\UpdateWinMedia\DVD
mkdir C:\UpdateWinMedia\Boot
mkdir C:\UpdateWinMedia\Mount

Mount the Windows installation ISO media on your system. In this example, the drive letter is F:

Copy the contents of the Windows installation media (F:) to C:\UpdateWinMedia\DVD
xcopy /s /h F:\ C:\UpdateWinMedia\DVD

Mount the Boot.wim file to extract updated boot files
Dism /mount-wim /wimfile:C:\UpdateWinMedia\DVD\sources\boot.wim /index:1 /mountdir:C:\UpdateWinMedia\Mount

xcopy /s /h C:\UpdateWinMedia\Mount\Windows\Boot C:\UpdateWinMedia\Boot
Dism /unmount-wim /discard /mountdir:C:\UpdateWinMedia\Mount

Create bootable DVD using oscdimg tool with the UEFI 2023 CA signed efisys.bin
oscdimg -m -o -u2 -udfver102 -pEF -b"C:\UpdateWinMedia\Boot\DVD_EX\EFI\en-US\efisys_EX.bin" C:\UpdateWinMedia\DVD C:\UpdateWinMedia\Windows11_UEFI2023.iso

Boot using the updated ISO and install Windows 11.

Hope the above is useful to someone, certainly cost me a good few hours of my life!

Azure Site-To-Site VPN – Lab Setup

In the fine traditions of this site, I am not going to go into the minutiae of every aspect of this or why we do it. The goal here is to get it up and running as quickly as possible with as few steps as possible. Whether I achieve this or not, you’ll have to be the judge, suffice to say there will be some basic steps I assume you will be able to do. So let’s get cracking.

1. Create a resource Group (eg RG_S2SVPN)
2. Create a VNet (eg vnet_s2svpn – 10.0.0.0/16)
3. Create a Subnet (eg Subnet1, 10.0.0.0/24)
4. Create a VM on the subnet you just created (this will be used for testing connectivity later)
5. Create a Gateway Subnet (eg GatewaySubnet, 10.0.1.0/29)
6. Create a VirtualNetworkGateway. This can be done manually in the portal as with anything else but it can no longer be done this way if you wish to use the basic SKU. If you wish to use the basic SKU update the code below if necessary and run this in Cloud Shell:

$location = "east us"                 # Azure region the VNet lives in
$resourceGroup = "RG_S2SVPN"
$VNetName = "vnet_s2svpn"
$VNGWPIPName = "s2svnetgw-ip"         # public IP the on-prem router will dial
$vnetgwipconfig = "vnetgwipconfig1"
$VNetGWName = "s2svnetgw-gw"
# Look up the VNet and the GatewaySubnet created in steps 2 and 5
$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $resourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet
# A Basic SKU gateway needs a Basic, dynamically allocated public IP
$vnetgwPIP = New-AzPublicIpAddress -Name $VNGWPIPName -ResourceGroupName $resourceGroup -Location $location -Sku Basic -AllocationMethod Dynamic
$vnetgwIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name $vnetgwipconfig -SubnetId $subnet.Id -PublicIpAddressId $vnetgwPIP.Id
# Gateway creation takes a while; the cmdlet blocks until it is done
New-AzVirtualNetworkGateway -Name $VNetGWName -ResourceGroupName $resourceGroup -Location $location -IpConfigurations $vnetgwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic

  7. Create a Local Network Gateway (eg OnPremGateway, IP = <Physical Internet Router IP> – hint: search ‘What’s my IP’ in Google, Address Space = your lab network, eg 192.168.0.0/24)
  8. Create a local VPN router (typically on a server OS VM on your home network):
     – ‘Configure and enable Routing and Remote Access’
     – Custom Configuration
     – Select ‘VPN’ and ‘LAN routing’
     – Start Service
     – Click Network Interfaces | New Demand-Dial Interface
     – Configure:
       Name (‘AzureS2S’)
       Connect using VPN
       IKEv2
       Public IP of your VPNGW in Azure
       Route IP packets on this Interface
       Static route w/metric of your Azure subnet, eg 10.0.0.0 / 255.255.255.0 / Metric (eg 5)
       No need to specify any credentials
     – Click new connection (AzureS2S) | Options | Persistent Connection
     – Security | Specify a password for the Pre-shared Key
  9. You will need to create a static route on your physical network/broadband router, pointing to the software router you created in (8). Different routers will have slightly different options but you should aim to provide the information below:
     – On WAN options, you will need to select port forwarding
     – Enable this, add ports 500/1701/4500 (UDP)
     – For the internal IP address, give the IP of the router you created in (8)
  10. In the portal, search for ‘connections’
     – Basics: Create Site to Site (IPSec), bi-directional connectivity, name and region
     – Settings: Select the virtual and on-prem gateways and pre-shared key from above. Leave defaults, Create
  11. From the local VPN router you set up in (8), right-click the connection you created and click ‘connect’. If all is well, ‘connection state’ should change to ‘connected’ after a few seconds. The Azure portal connection should also show a ‘connected’ status after a refresh.
  12. Now you have the connection in place, log into your Azure VM. For the purposes of testing, turn off the firewall (or at least let ICMP traffic through). You should be able to ping the VM on its local network IP (eg 10.0.0.4) from the router computer.
  13. In order to be able to communicate with your Azure VM from other machines on your local (‘on prem’/lab) network you will need to create a static route on those machine(s):
     • On the local machine in question, get an admin cmd prompt up
     • ROUTE ADD 10.0.0.0 MASK 255.255.255.0 <LAN IP of the VPN router from (8)> METRIC 5

Try pinging the VM again…it should now be able to communicate to your azure VM. You can browse shares on it if you want, drop files etc just as you would on a machine on your local network/lab (you’ll need to provide the appropriate credentials, obvs).
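As an added example (not from the post), the last step and the ping test as a script to run on a lab machine. The Azure subnet 10.0.0.0/24 and test VM 10.0.0.4 are the post's values; the RRAS VM's LAN address is a parameter (192.168.0.10 below is a placeholder) because the post leaves that to your own network; the function names are mine.

```powershell
# Added example, not code from the post. Adds the on-prem static route towards the Azure
# subnet via the RRAS VM (idempotently) and checks reachability of the test VM.
# Assumed: subnet and VM IP from the post; the router address is a placeholder.

function Add-LabRouteToAzure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VpnRouterIp,
        [string] $AzurePrefix = '10.0.0.0/24',
        [int]    $Metric      = 5
    )
    # Do nothing if a route for the prefix is already present.
    $existing = Get-NetRoute -DestinationPrefix $AzurePrefix -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    # Put the route on whichever adapter already reaches the RRAS VM (the LAN adapter).
    $ifIndex = (Find-NetRoute -RemoteIPAddress $VpnRouterIp | Select-Object -First 1).InterfaceIndex
    if ($PSCmdlet.ShouldProcess($AzurePrefix, "route via $VpnRouterIp (metric $Metric)")) {
        New-NetRoute -DestinationPrefix $AzurePrefix -NextHop $VpnRouterIp -InterfaceIndex $ifIndex -RouteMetric $Metric
    }
}

function Test-AzureVmReachable {
    # ICMP first, then SMB (445) since the post goes on to browse shares. On the VM side,
    # enabling only the inbound "Echo Request - ICMPv4-In" rule is enough for the ping
    # test; the whole firewall does not need to come off.
    param([string] $VmIp = '10.0.0.4', [string] $AzurePrefix = '10.0.0.0/24')
    [pscustomobject]@{
        Vm      = $VmIp
        NextHop = (Get-NetRoute -DestinationPrefix $AzurePrefix -ErrorAction SilentlyContinue).NextHop
        Ping    = Test-NetConnection -ComputerName $VmIp -InformationLevel Quiet
        Smb445  = Test-NetConnection -ComputerName $VmIp -Port 445 -InformationLevel Quiet
    }
}

# 192.168.0.10 is a placeholder for your RRAS VM's LAN address; drop -WhatIf to add the route.
Add-LabRouteToAzure -VpnRouterIp '192.168.0.10' -WhatIf
Test-AzureVmReachable
```

If Ping is False but NextHop shows the RRAS VM, the problem is on the RRAS VM or in Azure (demand-dial interface down, NSG, VM firewall), not on the lab machine's routing table.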

Relaxing Intune BitLocker policy for removable disks

A quick post about an issue I ran into today whilst trying to create an OSDCloud USB stick (BTW anyone interested in cloud imaging, I thoroughly recommend checking out David Segura’s site: OSDCloud.com).

Anyway I created a new image on my Intune-managed laptop and as you might typically expect, we have BitLocker policies for drive encryption. However by default, this will also ask the user to either encrypt the drive to allow writing to it or not do so but open it in a read-only mode. Given that I needed a bootable USB drive, the encryption option wasn’t going to work for me. Digging through the policy settings, I eventually came to a setting called Deny write access to removable drives not protected by BitLocker which needed to be set to disabled. After several minutes/syncs and a few restarts later (yes, I’m impatient) the previously greyed out ‘paste’ option when I selected the drive appeared and for all intents and purposes I figured all would now be well. Unfortunately not.

At this point I was scratching my head a bit until I noticed a file on my desktop called WriteAccessUSB.reg. I guess I must have run into a similar issue in the past and this did the trick. Open regedit and browse to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE

Add/change the following setting:

"RDVDenyWriteAccess"=dword:00000000

Finally just remove and replace your USB drive (no need to restart) and it should be readable.

Generic exception : ImportUpdateFromCatalogSite failed. Arg = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. Error =The underlying connection was closed: An unexpected error occurred on a send.

I recently rebuilt my WSUS/SUP server and after running a sync, was presented with a sea of red giving me an error for each and every update it tried to sync.

Transpires this is a result of the (relatively) recent enforced strengthening of the TLS protocol by Microsoft. The fix is pretty simple though. Jump onto your WSUS server and just run the commandline below to configure .NET Framework to support strong cryptography:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1

Now resync your updates and all should be well.

NB

I also ran into an issue after this whereby the wsyncmgr.log ‘synchronized’ all the updates (well appeared to do so) but no meta data appeared in the console. To fix this I unchecked all products and categories, sync’d again, then rechecked those I needed. I ran the sync once again and they all appeared.

SCCM Content Distribution Broken – WMI?

There can of course be many reasons for broken ConfigMgr content distribution – lack of space, physical security on disks and many, many others. This is one possibility though – can the site server actually reach the DP through WMI? If not, then this will undoubtedly cause problems.

This happened to my infrastructure, I suspect, through a patch deployment. See here for more information. Anyway, to test if this is an issue, run up a session of WBEMTEST and connect to the DP in question from your site server via:

\\<ConfigMgr DP>\root\CimV2

Assuming you’re getting ‘Access Denied’ (typically with an 80004005 error) this may well be the fix you’re looking for. You will also see the following in the SYSTEM eventlog of the DP:

The server-side authentication level policy does not allow the user XXX from address XXX to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

You’ll likely see the following in Distribution Manager status messages:

SOLUTION:

In REGEDIT, browse to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat

Create a DWORD value:

RequireIntegrityActivationAuthenticationLevel

Give this a value of 0, then restart the machine.

You should now be able to successfully connect via WMI, as will your site server.
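As an added example (not the post's own code), the three things described above as one diagnostic run from the site server: (1) whether the DP answers WMI over DCOM, the transport WBEMTEST and the site server actually use rather than WinRM; (2) whether the DP's System log holds the DistributedCOM event quoted above (Event ID 10036 is the server-side hardening event); and (3) what the AppCompat override is set to. The DP name is a parameter, and reading the remote registry goes through Invoke-Command, so WinRM to the DP is assumed for that last step only.

```powershell
# Added example, not code from the post. Diagnoses "Access Denied" from site server to
# DP over DCOM/WMI. Assumed: DP name supplied by the caller; WinRM available for step 3.

function Test-DpDcomAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $DistributionPoint)

    $r = [ordered]@{
        DP          = $DistributionPoint
        WmiOverDcom = $false
        DcomError   = $null
        Event10036  = 0
        Override    = 'not set'
    }

    # (1) root\cimv2 over DCOM, the same path as WBEMTEST and the site server.
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $cs  = New-CimSession -ComputerName $DistributionPoint -SessionOption $opt -ErrorAction Stop
        $null = Get-CimInstance -CimSession $cs -Namespace 'root\cimv2' -ClassName Win32_OperatingSystem -ErrorAction Stop
        $r.WmiOverDcom = $true
        Remove-CimSession -CimSession $cs
    } catch {
        # "Access denied" (0x80070005) here is the symptom the post describes.
        $r.DcomError = $_.Exception.Message
    }

    # (2) Server-side DCOM hardening rejections are logged on the DP as DistributedCOM 10036.
    try {
        $ev = Get-WinEvent -ComputerName $DistributionPoint -MaxEvents 100 -ErrorAction Stop -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10036 }
        $r.Event10036 = @($ev).Count
    } catch { }   # "No events were found" lands here and leaves the count at 0

    # (3) The override the post sets. A value of 0 lowers the DP's activation requirement;
    #     later Windows updates enforce the raised level regardless of this value, so the
    #     durable fix is a site server patched to activate at PKT_INTEGRITY.
    try {
        $r.Override = Invoke-Command -ComputerName $DistributionPoint -ErrorAction Stop -ScriptBlock {
            $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' -ErrorAction SilentlyContinue
            if ($null -ne $p.RequireIntegrityActivationAuthenticationLevel) {
                $p.RequireIntegrityActivationAuthenticationLevel
            } else { 'not set' }
        }
    } catch { $r.Override = "unreadable: $($_.Exception.Message)" }

    [pscustomobject]$r
}

# Usage (placeholder DP name):
# Test-DpDcomAccess -DistributionPoint 'dp01.contoso.local'
```

WmiOverDcom False together with a rising Event10036 count is the exact combination the post describes; WmiOverDcom False with no 10036 events points somewhere else (firewall, DCOM permissions, the DP's WMI repository).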

Configuration Manager can’t connect to the administration service

The configuration manager console can’t connect to the site database through the administration service on server

I am looking to test out one or two features which rely on MECM’s Administration Service so was somewhat disappointed when I got the error above whenever I clicked on the respective nodes. Mine is a fully PKI environment and my initial suspicion was that it was certificate-related. Having spent several hours tinkering with the certificates and messing with IIS and getting nowhere I decided to sleep on it…

The first thing I noticed was that the SMS_REST_PROVIDER.log hadn’t logged anything for over a month so something must be broken. I went to the SMS_REST_PROVIDER component on the server with the SMS Provider role and noticed I was unable to query/start the component. Looking at the status messages, it was constantly trying to reinstall and failing. A little more detective work and I found a possible lead to DCOM security, so I opened DCOMCNFG, expanded Component Services, expanded Computers, and then expanded My Computer. First red flag I saw was that there was clearly an error ‘bang’ on the My Computer icon. Anyway, I persevered and right-clicked it and selected MSDTC whereby I got an error:

“The remote server has been paused or is in the process of being started.”

This led me to another post which was talking about a cluster configuration which was receiving the same error message. This got me thinking…I don’t have a cluster, what’s this on about? Anyway, I went back and checked the MECM box and it transpired I did have an old cluster I’d set up ages ago which I’d forgotten about and had since deleted one of the nodes! This was no longer required, so I simply ran a couple of PowerShell commands:

Remove-Cluster -force

Remove-WindowsFeature failover-clustering -Restart

After restarting, I checked DCOMCNFG and the My Computer icon no longer had the bang in place. Nice. Looked at the console but still no joy. It was still telling me the Admin Service was unavailable 🙁

I nonetheless sensed I was close. I went back to the DCOMCNFG applet and went down to the Distributed Transaction Coordinator node, under which there is another node called Local DTC. I right-clicked this and went to the security tab. I was interested to see whether the DTC logon account was correct. Unfortunately, it was (it should be NT AUTHORITY\NetworkService by the way). Another dead end. This time however I tried selecting the Network DTC Access check box and opened up the MECM console again. I clicked on the Console extensions node and this time there was a short pause and everything appeared!

One weird thing I noticed. I was able to uncheck the Network DTC Access check box and my admin service seems to remain in place without error. I will monitor this but seems that it just needed temporary access here from my observations at present.

UPDATE:

Following the above, I found that a remote console I was using kept crashing. I had to add the Network DTC Access check box before it would load correctly. Further, it appears this checkbox should be kept checked as the console will begin to crash again when opened without it over time.

XML Parsing Error at line XXXXX char : Operation Aborted: MaxXMLSize constraint violated

Been a while since I last posted but ran into an issue today that had everyone confused as it was quite a tricky one to track down. There had been a number of changes in the environment over the last few weeks so each and every one of them was examined in microscopic detail. Let me explain…

We started to see a few hundred or so machines start to fail on a certain application (actually it was just a simple Powershell script packaged as an application) during the OSD build task sequence. As it happens this app was part of a nested TS but this is probably irrelevant. In any case, some machines were fine, others were failing. Nobody had touched the app in any way for several months.

After much digging and many red herrings, tucked away in the SMSTSLOG.log was the following message :

XML Parsing Error at line 473689 char 52: Operation Aborted: MaxXMLSize constraint violated.

The cause of this error was down to ‘too much policy’. Basically the affected machines had a lot of Defender Updates deployed to them and it was essentially too much for the machines to handle. Once removed everything started to work again.

If you’re pulling your hair out and can’t figure out why something is failing, then there are thousands of possibilities, admittedly. But it might be worth a quick search for the words XML Parsing Error.

Headaches of an SCCM Admin.