Quick tip: subnet and ConfigMgr boundary for Direct Access clients

This morning I saw the following blog post about boundaries in Configuration Manager for Direct Access clients.

I’d like to add more info on this topic because I did the same in my environment a few days ago.

Gerry Hampson shows that he gets the IPv6 prefix directly in the properties of a Configuration Manager client in the ConfigMgr Admin console.
He made an assumption here. Having IPv6 addresses reported in Configuration Manager assumes that you have an IPv6 based DNS server where AAAA records are created for your Direct Access clients.
When you don’t have an IPv6 DNS server, you don’t have this info in the ConfigMgr client properties:

Where do I get the client IPv6 prefix?

You can get it on your Direct Access server(s) with the following cmdlet:

Get-RemoteAccess | select ClientIPv6Prefix

Easy, isn’t it? 😎

Don’t forget! It may seem pretty obvious but…
Before adding the IPv6 prefix as a ConfigMgr boundary, add it first to your Active Directory Sites and Services subnets.
This way your Direct Access clients will immediately know which Global Catalog and domain controllers they should talk to.

Fix the infamous 0x800f0906 or ‘the source files could not be downloaded’ error

In September 2014, Microsoft released MS14-046, which would prevent you from enabling the .Net Framework 3.5 on Windows Server 2012 R2, 2012, Windows 8 and 8.1.

It was reported by this blog post:

…and was recently updated to tell us that there’s a hotfix available now on http://support2.microsoft.com/kb/3005628

What’s the problem?

You cannot enable the .Net Framework from the Windows Update source or from any local source (WSUS, the Sources\SXS folder of your Windows ISO image).
And you get the infamous 0x800f0906 or ‘the source files could not be downloaded’ error 😦

What caused it

How to fix the problem (official guidance)

At the end of the blog post, there’s an extra recommendation you could follow. (Remember, it’s not the first time that we get the 0x800f0906 error when enabling .Net Framework 3.5)

Let’s see some PowerShell based tips to see how to troubleshoot and fix this 🙂

Is .Net 3.5 installed on Windows Server 2012 R2 ?

Get-WindowsFeature | Where Name -match "Net-Frame"

Is .Net 3.5 installed on Windows 8.1 ?

Get-WindowsOptionalFeature -Online | 
Where FeatureName -match "^NetFx(3|4-)"

Is the offending MS14-046 update installed on my system ?

# For Windows 2012R2 and Windows 8.1
Get-HotFix | Where HotfixID -match  "2966828"
# For Windows 2012 and Windows 8
Get-HotFix | Where HotfixID -match  "2966827"

If there’s no result, it means that it’s not installed (good news).

How can I reproduce the issue on my Windows Server 2012 R2 ?

# Either install from local sources\sxs folder
Mount-DiskImage -ImagePath .\en_windows_server_2012_r2_vl_with_update_x64_dvd_4065221.iso
dir D:\
Install-WindowsFeature -Name NET-Framework-Core -Source D:\sources\sxs -Restart:$false -Verbose
# or from Windows Update
Install-WindowsFeature -Name NET-Framework-Core -Source "Windows Update" -Restart:$false -Verbose

What can I see in the logs

# Search the DISM and CBS logs for the two error codes
"dism","cbs" | foreach {
 sls -Pattern "0x800f090(e|6)" -Path "$($env:systemroot)\logs\$($_)\$($_).log"
}

NB: sls is the alias of the select-string cmdlet (grep for Windows 😀 )

Uninstall the offending update using wusa.exe

wusa /uninstall /kb:2966828 /quiet /norestart
Get-WinEvent -MaxEvents 3 -LogName Setup |
Select -Expand Message

NB: no reboot is required 🙂

Uninstall the offending update using DISM cmdlets

Get-WindowsPackage -Online |
Where 'PackageName' -match "2966828" |
Remove-WindowsPackage -Online -Verbose -NoRestart

Next steps?

  • Enable the .Net Framework 3.5 feature

    # Install from local sources\sxs folder
    Install-WindowsFeature -Name NET-Framework-Core -Source D:\sources\sxs -Restart:$false -Verbose

  • Install all security updates required for .Net Framework 3.5, including the offending update previously uninstalled

    $UpdatesFromMU = Get-WindowsUpdate -FromMU:$true
    $UpdatesFromMU | Select Title,@{
        l='Category';e={$_.Categories | Where { -not($_.Parent) } | Select -Expand Name}
    } | Where Category -match "Security" | Out-GridView

    NB: I’ve used the Get-WindowsUpdate function from this post
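
The checks and fixes above combined into one function, as an added example that is not code from the original post: it removes the update only when the feature is not yet enabled and the package is present, then reports whether the security update still has to be reinstalled. The function name and the D:\sources\sxs default are assumptions, and it uses Enable-WindowsOptionalFeature instead of Install-WindowsFeature so the same code runs on client and server editions.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
# Repair-NetFx3Enable and the -SxsSource default are assumptions made for illustration.
function Repair-NetFx3Enable {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # sources\sxs folder of the mounted installation media
        [string]$SxsSource = 'D:\sources\sxs'
    )

    # Pick the MS14-046 KB number the post gives for this OS family
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $kb = switch -Regex ($os.Version) {
        '^6\.3\.' { '2966828' }   # Windows Server 2012 R2 / Windows 8.1
        '^6\.2\.' { '2966827' }   # Windows Server 2012 / Windows 8
        default   { throw "OS version $($os.Version) is not covered by this post" }
    }

    $feature = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
    if ($feature.State -eq 'Enabled') {
        Write-Verbose '.NET Framework 3.5 is already enabled; no update is removed.'
    }
    else {
        # Remove the update only when its package is actually present
        $package = Get-WindowsPackage -Online | Where-Object PackageName -match $kb
        if ($package -and $PSCmdlet.ShouldProcess("KB$kb", 'Uninstall update')) {
            $package | Remove-WindowsPackage -Online -NoRestart | Out-Null
        }
        if ($PSCmdlet.ShouldProcess('NetFx3', "Enable feature from $SxsSource")) {
            Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All `
                -Source $SxsSource -LimitAccess -NoRestart | Out-Null
        }
    }

    # Report the end state: KBInstalled = False means the security update
    # still has to be reinstalled, as the last step above requires
    [pscustomobject]@{
        OSVersion   = $os.Version
        NetFx3State = (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State
        KB          = "KB$kb"
        KBInstalled = [bool](Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue)
    }
}

# Dry run: shows which changes would be made without making them
Repair-NetFx3Enable -WhatIf
```

Run it again after patching: a KBInstalled value of True in the returned object confirms that the MS14-046 update is back on the machine.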