deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #5840 from MicrosoftDocs/v-gmoor-fix-pr-5593

Browse Source 
Multiple fixes for layout and presentation
This commit is contained in:
Gary Moore 2021-10-14 20:35:16 -07:00 committed by GitHub
commit 00a063d0c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
windows/client-management/manage-device-installation-with-group-policy.md
View File

@ -342,8 +342,8 @@ Getting the right device identifier to prevent it from being installed:
> ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}\ > ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}\
> This class includes printers. > This class includes printers.
> [!NOTE] > [!NOTE]
> As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system. > As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system.
Creating the policy to prevent all printers from being installed: Creating the policy to prevent all printers from being installed:
@ -376,9 +376,9 @@ Creating the policy to prevent all printers from being installed:
1. If you have not completed step #9 follow these steps: 1. If you have not completed step #9 follow these steps:
- Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
- For USB printer unplug and plug back the cable; for network device make a search for the printer in the Windows Settings app. 1. For USB printer unplug and plug back the cable; for network device make a search for the printer in the Windows Settings app.
- You should not be able to reinstall the printer. 1. You should not be able to reinstall the printer.
2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use. 2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use.

6
windows/client-management/mandatory-user-profile.md
View File

@ -68,7 +68,7 @@ First, you create a default user profile with the customizations that you want,
1. At a command prompt, type the following command and press **ENTER**. 1. At a command prompt, type the following command and press **ENTER**.
```dos ```console
sysprep /oobe /reboot /generalize /unattend:unattend.xml sysprep /oobe /reboot /generalize /unattend:unattend.xml
``` ```
@ -100,11 +100,11 @@ First, you create a default user profile with the customizations that you want,
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
![Example of Copy profile to.](images/copy-to-path.png) ![Example of Copy profile to.](images/copy-to-path.png)
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
![Example of Copy To UI with UNC path.](images/copy-to-path.png) ![Example of Copy To UI with UNC path.](images/copy-to-path.png)
1. Click **OK** to copy the default user profile. 1. Click **OK** to copy the default user profile.

42
windows/client-management/troubleshoot-tcpip-port-exhaust.md
View File

@ -39,7 +39,7 @@ You can view the dynamic port range on a computer by using the following netsh c
The range is set separately for each transport (TCP or UDP). The port range is now a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of **49152** through **65535**. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server. You adjust this range by using the netsh command, as follows. The above command sets the dynamic port range for TCP. The range is set separately for each transport (TCP or UDP). The port range is now a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of **49152** through **65535**. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server. You adjust this range by using the netsh command, as follows. The above command sets the dynamic port range for TCP.
```cmd ```console
netsh int <ipv4|ipv6> set dynamic <tcp|udp> start=number num=range netsh int <ipv4|ipv6> set dynamic <tcp|udp> start=number num=range
``` ```
@ -58,7 +58,7 @@ Since outbound connections start to fail, you will see a lot of the below behavi
- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work. - Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
![Screenshot of error for NETLOGON in Event Viewer.](images/tcp-ts-14.png) :::image type="content" alt-text="Screenshot of error for NETLOGON in Event Viewer." source="images/tcp-ts-14.png" lightbox="images/tcp-ts-14.png":::
- Group Policy update failures: - Group Policy update failures:
@ -82,32 +82,32 @@ If you suspect that the machine is in a state of port exhaustion:
2. Open event viewer and under the system logs, look for the events which clearly indicate the current state: 2. Open event viewer and under the system logs, look for the events which clearly indicate the current state:
a. **Event ID 4227** 1. **Event ID 4227**
![Screenshot of event id 4227 in Event Viewer.](images/tcp-ts-18.png) :::image type="content" alt-text="Screenshot of event ID 4227 in Event Viewer." source="images/tcp-ts-18.png" lightbox="images/tcp-ts-18.png":::
b. **Event ID 4231** 1. **Event ID 4231**
![Screenshot of event id 4231 in Event Viewer.](images/tcp-ts-19.png) :::image type="content" alt-text="Screenshot of event ID 4231 in Event Viewer." source="images/tcp-ts-19.png" lightbox="images/tcp-ts-19.png":::
3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. 3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
![Screenshot of netstate command output.](images/tcp-ts-20.png) ![Screenshot of netstate command output.](images/tcp-ts-20.png)
After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion.
>[!Note] >[!Note]
>Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. >Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
> >
>Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. >Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
> >
>Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. >Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more.
4. Open a command prompt in admin mode and run the below command 4. Open a command prompt in admin mode and run the below command
```cmd ```console
Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl
``` ```
@ -119,15 +119,15 @@ The key is to identify which process or application is using all the ports. Belo
### Method 1 ### Method 1
Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below Powershell command to identify the process: Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below PowerShell command to identify the process:
```Powershell ```powershell
Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending
``` ```
Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports. Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports.
For Windows 7 and Windows Server 2008 R2, you can update your Powershell version to include the above cmdlet. For Windows 7 and Windows Server 2008 R2, you can update your PowerShell version to include the above cmdlet.
### Method 2 ### Method 2
@ -157,7 +157,7 @@ Steps to use Process explorer:
File \Device\AFD File \Device\AFD
![Screenshot of Process Explorer.](images/tcp-ts-22.png) :::image type="content" alt-text="Screenshot of Process Explorer." source="images/tcp-ts-22.png" lightbox="images/tcp-ts-22.png":::
10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app. 10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
@ -165,7 +165,7 @@ Finally, if the above methods did not help you isolate the process, we suggest y
As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands: As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands:
```cmd ```console
netsh int ipv4 set dynamicport tcp start=10000 num=1000 netsh int ipv4 set dynamicport tcp start=10000 num=1000
``` ```
@ -176,7 +176,7 @@ This will set the dynamic port range to start at port 10000 and to end at port 1
For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend. For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend.
``` ```console
@ECHO ON @ECHO ON
set v=%1 set v=%1
:loop :loop