How to fix error 80240016 while Upgrading to Windows 10

While upgrading to Windows 10, if you ever got the famous 80240016 Windows update error message saying that “Windows 10 couldn’t be installed” (as the screnshot below shows), don’t worry at all as it needs a small fix:1

All you need to do is to open Windows Defender by searching for it in Control Panel (on Windows 7) or in the start screen (on Windows 8/8.1) -> open the Settings tab -> uncheck “Turn on real-time protection (recommended)”

2

The rest is a piece of cake then. Just re-try the upgrade process and you will see it will never fail on you again:

3

If you still had issues upgrading to Windows 10, please let me know in the comments section and I will try my best to help you.

Step-by-Step Guide to Configure Group Managed Service Accounts

Important Points about Group Managed Service Accounts

Group Managed Service accounts are perfect identity solutions for services running on multiple hosts and using group them password management requires no administration overhead as password management is handled automatically using Windows Server 2012/2012 R2 across multiple hosts. It also supports offline hosts which are not connected to network for a period of time, and when they go back online, the password is synchronized on the service running on them and the service can start successfully. It is also important to take note that failover clusters currently do not support gMSAs but the services running on top of clusters can support them if they are a Windows service, an App pool, a scheduled task or they natively support gMSA.

Please also take note that you can only configure and administer group managed service accounts on Windows Server 2012/2012 R2 but you can still have other domain controllers running earlier versions of Windows Server operating system. There are very important points to take into consideration when configuring managed service accounts:

  • Managed service accounts can work across domain boundaries as long as the required domain trusts exist.
  • A managed service account can be placed in a security group.
  • Managed service accounts can be stored anywhere in Active Directory, nevertheless there is also a specific container for them.
  • Passwords are automatically created for managed service accounts and are refreshed every 30 days. You can change a password manually.

Continue reading

A Complete Guide on Active Directory Certificate Services in Windows Server 2008 R2

Windows Server 2008 R2 includes a built-in Certificate Authority (CA) technology that is known as Active Directory Certificate Services (AD CS). The first iteration of AD CS emerged with Windows Server 2008, though previous versions of the technology were simply known as Certificate Services. AD CS can be used to create certificates and subsequently manage them; it is responsible for ensuring their validity. AD CS is often used in Windows Server 2008 R2 if there is no particular need to have a third-party verify an organization’s certificates. It is common practice to set up a standalone CA for network encryption that requires certificates only for internal parties. Third-party certificate authorities such as VeriSign are also extensively used but require an investment in individual certificates.
Note

Although the term Active Directory has been incorporated into the name of the Windows Certificate Services function, it should be understood that AD CS does not necessarily require integration with an existing Active Directory Domain Services (AD DS) forest environment. Although this is commonly the case, it is important to understand that AD CS has independence over AD DS forest design.
Windows Server 2008 R2 introduced a few additions to AD CS features, including the following:

Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service— This is the most significant improvement, essentially allowing certificates to be enrolled directly over HTTP, enabling non-domain or Internet-connected clients to connect and request certificates from a CA server.

Improved support for high-volume CAs used for NAP— AD CS in Windows Server 2008 R2 improves the database performance when high-volume scenarios such as NAP are utilized.

Support for cross-forest certificate enrollment— AD CS in Windows Server 2008 R2 allows for CA consolidation across multiple forests.

Continue reading

Securing Registry by using Permissions

In this short note, I’d like to talk a little about Windows registry and how you can secure it using permissions. Basically registry is composed of six hives that are described as below:

HKEY_CURRENT_USER = It stores information about the profile of the user who is logged into the system now.

HKEY_USERS = It has subkeys about all the users’ local profiles.

HKEY_CLASSES_ROOT = It contains file associations and information about COM registration

HKEY_LOCAL_MACHINE = It contains the configuration of the operating system and applications

HKEY_CURRENT_CONFIG = It includes the current hardware profile used now

HKEY_PERFORMANCE_DATA = It has information about performance counters

 

When the system is up and running, the registry is loaded into memory and when the system is shut down, the values in the registry are written into the hard disk. Below is the location for some registry hives:

HKEY_LOCAL_MACHINESYSTEM =          %systemroot%system32ConfigSystem

HKEY_LOCAL_MACHINESAM =                %systemroot%system32ConfigSam

HKEY_LOCAL_MACHINESECURITY =      %systemroot%system32ConfigSecurity

HKEY_LOCAL_MACHINESOFTWARE =   %systemroot%system32ConfigSoftware

HKEY_CURRENT_USER =               %systemdrive%Documents and Settings<username>Ntuser.dat

HKEY_USERS =  %systemdrive%Documents and Settings<username>Local SettingsApplication DataMicrosoftWindowsUsrclass.dat

HKEY_USERSDEFAULT =              %systemroot%system32ConfigDefault

 

Just like NTFS permissions on files and folders, we also have permissions on registry container objects. Individual registry value inherits its security permissions from its parent object. We generally have two types of permissions for registry objects: Read and Full-Control permissions. Apart from that, we also have special permissions on registry objects which are as follows:

Permission Description
Query Value Allows the value of the registry key to be read
Set Value Allows the value of an existing key to be written
Create Subkey Allows the creation of subkeys
Enumerate Subkeys Allows the enumeration of subkeys
Notify Required to request change notifications for a registry key or for subkeys of a registry key
Create Link Reserved for use by the operating system
Delete Allows the key to be deleted
Write DACL Allows the modification of the DACL
Write Owner Allows the modification of the owner
Read Control Allows the SACL to be read

In order to set permissions on a container in registry, you just need to right click on that and click Permissions:

That’s it for today friends 🙂

All the best 🙂