“You need to install additional updates” error message when you try to start Lync 2013

The above error is fairly well documented by Microsoft, but I thought I would post about it anyway just in case someone comes across the same issue as me. I had pushed updates out to machines through SCCM and then started getting a handful of machines where Lync/Skype for Business reported that Lync had become Skype for Business and that KB3039779 needed to be installed. Evidently, a few machines had received a newer update which upgraded them but didn’t have this older update. Simply pushing out the missing KB3039779 to the machines missing the update resolved the issue. The update is located here for anyone curious: https://www.microsoft.com/en-us/download/details.aspx?id=47056

Filtered GPO’s are broken

I was updating a logon script today and realized that for some reason it wasn’t applying to the machine. I ran rsop and gpresult, but neither one showed the policy or the logon script. The GPO was filtered to a specific group of users and the user was clearly a member of the group, so I was befuddled as to what was going on. I finally found a security update, KB 3159398 for Group Policy, that came out in June and that, while fixing a dangerous man-in-the-middle attack, breaks filtering if the Domain Computers group does not have read permissions to the OU. Follow the steps below to fix it and your GPO will be working like normal.

  1. Open up the GPO in Group Policy Management and click the Delegation tab.
  2. Click Add and type in Domain Computers.
  3. Set permissions to Read, as is the default.
  4. Enjoy your fixed GPOs!
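
An audit for the condition described above, as an added example that is not part of the original post: it lists every GPO that neither Authenticated Users nor Domain Computers can read, and only when run with `-Fix` grants Domain Computers Read on those GPOs. The `-Fix` switch and the variable names are this example's own; it assumes the GroupPolicy RSAT module and the English group name.

```powershell
# Added example: find GPOs that computer accounts cannot read.
# Run with an account that can read GPO permissions in the domain.
param(
    [switch]$Fix   # hypothetical switch for this example: also grant the missing Read
)
Import-Module GroupPolicy

# Permission levels that include Read on the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$broken = foreach ($gpo in Get-GPO -All) {
    $acl = Get-GPPermission -Guid $gpo.Id -All

    # Computers can read the GPO if Authenticated Users (S-1-5-11) or
    # Domain Computers (domain RID 515) holds a non-denied, read-capable entry.
    $computerRead = $acl | Where-Object {
        -not $_.Denied -and
        $readLevels -contains $_.Permission.ToString() -and
        ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or
         $_.Trustee.Sid.Value -like 'S-1-5-21-*-515')
    }

    if (-not $computerRead) {
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            # Who the GPO is security-filtered to (Apply permission).
            FilteredTo  = ($acl | Where-Object { $_.Permission -eq 'GpoApply' } |
                           ForEach-Object { $_.Trustee.Name }) -join ', '
        }
    }
}

$broken | Format-Table -AutoSize

if ($Fix) {
    foreach ($item in $broken) {
        # Read only, not Apply: the security filter itself stays unchanged.
        Set-GPPermission -Guid $item.Id -TargetName 'Domain Computers' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
    }
}
```

Run it without `-Fix` first and review the `FilteredTo` column, since a GPO filtered to a user group with no computer read entry is the case this post describes.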

Link to Microsoft Security update and known issues below.

https://support.microsoft.com/en-us/kb/3159398

 

 

 

NVMe drivers

Just a quick note in case someone else is having this issue. I was working on using SCCM to image a Dell 7710 laptop, and it has a Samsung M.2 PCIe NVMe SSD for which I couldn’t seem to ever find the right storage drivers to get it to see the hard disk. It was a one-time deal, so I resorted to having the onsite tech manually load the machine (which was an endeavor in itself, as he had to find the right storage driver to load Windows 10, and if you wanted to do Windows 7 you had to have USB 3.0 drivers slipstreamed into the Windows installer). Upon trying to image another machine, PXE would stop part way and display the error message below.

File: \Windows\system32\DRIVERS\nvme.sys

Status: 0xc0000359

Info: Windows failed to load because a critical system driver is missing, or corrupt

It turned out, just like it says, that the NVMe drivers I had loaded caused the PXE boot image to not load at all, which I hadn’t seen occur before when adding drivers to a boot image. Pretty straightforward, but I figured it might help someone who gets this error, especially if you didn’t add the drivers or forgot that you had added them.

Mail-enable already created distribution group.

Today I had an AD administrator create a distribution group and add all the members to it in Active Directory. They needed it enabled in Exchange, so I thought, easy, just go into the EAC (Exchange Administrative Center) and add an existing group. This was the case in Exchange 2007 and 2010 but not in 2013. In order to add an existing group so you don’t have to recreate it from the EAC and add all the users back, you go into EMC (Exchange Management Console). Then, once in PowerShell, type in the command below.

Enable-DistributionGroup -Identity "groupnameinAD" -Alias "groupname" -DisplayName "displayname"

 

 

Creating a scheduled task without being administrator

Good morning, I was working on a scheduled task that would run on a user’s PC and start a particular application when the user logged into their machine, and it had to run as the particular user logging in. What I discovered was that if the user wasn’t an administrator on the box I would get an access denied in both PowerShell and schtasks.


What I figured out was that if you choose to run the task at logon (I assume this probably applies to at startup as well) it requires administrative rights but if you schedule the task as an hourly, daily, weekly, etc. task it doesn’t require administrative rights to create it.  Now this requires that what the task is running itself doesn’t need administrative rights but in my case it does not.


Now you may be asking yourself why didn’t he simply create a scheduled task through group policy.  Well, the reason for that is I wanted it to target a specific computer collection in SCCM that targeted only laptops.  I could have done it with a GPO and even filtered the GPO with WMI filtering and accomplished the same thing but the application is pushed out through SCCM and I wanted everything that went with it targeted to that collection.  Maybe slightly more work on my part but good to know nonetheless.

Quickly fix Windows is not Genuine from different Windows versions.

I had an issue today with an old KMS server that some machines had been talking to getting shut down, and then the machines months later complaining that they couldn’t find the KMS server. I then removed the KMS server’s DNS entries and prevented it from publishing them to DNS, which had been missed before. That isn’t the purpose of this post though, so if you need more info the two links below help out a lot.

How to remove a KMS Server from your Infrastructure

Additional info for Server 2008 only.

Back to the purpose of my post: when I get tickets for activations (as I have over the past few days), I wanted an easy script to run slmgr, remove the product key, then input and activate the new key. We use MAK keys in our environment, so for just the few machines that were set up for KMS a simple script sounded like an easy way to take care of them. The problem is I run Windows 10 and the machines I was trying to fix were Windows 7. SLMGR.vbs is version specific, so although I probably could have copied one off a Windows 7 machine, I came up with the solution below to work on any version of Windows. To accomplish this I used our old friend psexec: after prompting for a machine name, the script creates a session, runs each slmgr command locally on that machine, and outputs the result. A really simple script, but maybe someone will find this useful. Don’t forget to put psexec in the same directory you run the script from. Happy Friday 🙂

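REM Prompt for the target PC, then run that machine's own slmgr.vbs through PsExec.
set /p machinename=Input the PC Name:%=%
REM Uninstall the current product key.
PsExec.exe \\%machinename% cscript %SystemRoot%\System32\slmgr.vbs /upk
REM Install the new key (replace the placeholder with your MAK key).
PsExec.exe \\%machinename% cscript %SystemRoot%\System32\slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
REM Activate Windows with the newly installed key.
PsExec.exe \\%machinename% cscript %SystemRoot%\System32\slmgr.vbs /ato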

 

 

Outlook additional mailboxes and from functionality

This is an old issue that I haven’t encountered lately, but I was reminded of it the other day when adding a shared mailbox for a user and felt a post might help someone else out. Previously I got a request about sending from a mailbox that had been added as an additional mailbox: the message is always sent from the default mailbox, not from the additional mailbox, unless you go up to Options and click the From button to enable the From field and change the from address.

As it is easy to forget to change the From field, and kind of a pain to change it every time, I went on the hunt for an answer to my dilemma. I can’t seem to find this functionality in Microsoft’s documentation anywhere, but if you add the mailbox as a new email account instead of an additional mailbox, the from address will change based on which mailbox you are in when you click New Email. You can accomplish this by going to the File tab and Account Settings.


To add the mailbox, click New on the Email tab, then click Next. Then type in the mailbox name and the email address. The password can be left blank as long as you have Full Access and Send As permissions delegated to the user in Exchange. Then just click Next through the rest of the prompts and finally click Finish.


The only caveat to this is that automapping in Exchange adds the mailbox as an additional mailbox, so you might end up with duplicate entries of the same mailbox. To fix this you will need to add the mailbox permissions through EMC (Exchange Management Console). Microsoft has instructions on how to add the permissions without automapping in this TechNet article, but the command for the EMC is also below.

Add-MailboxPermission -Identity JeroenC -User 'Mark Steele' -AccessRights FullAccess -InheritanceType All -AutoMapping $false

If you want to fix existing auto-mapping behavior for all the permissions on a particular mailbox the below commands will do the trick.

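# Collect the explicit (non-inherited) FullAccess grants; Deny entries are skipped so they are not re-added as Allow.
$FixAutoMapping = Get-MailboxPermission sharedmailbox | where {$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false -and -not $_.Deny}
# Remove those grants, then re-add each one with auto-mapping turned off.
$FixAutoMapping | Remove-MailboxPermission
$FixAutoMapping | ForEach {Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights:FullAccess -AutoMapping $false}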

So there you have it, a simple fix for someone using a shared mailbox that needs to be able to send from the shared mailbox.
The articles I posted are from Exchange 2010 and Outlook 2010 but I have confirmed the functionality is the same in Outlook 2013 and Exchange 2013.