Troubleshooting Palo Alto Firewall blocks a website

Situation: A user reports that he can’t access www.evernote.com and gets one of these messages: “This site can’t be reached” or “Web Page Blocked”.

Troubleshooting: Log in to the PA firewall and check MONITOR > URL Filtering. We find that the block-url policy blocks www.evernote.com because of the medium-risk category.

This is the Palo Alto Networks definition of medium-risk.

If the user really needs it, he can download it from his home computer or over a WiFi network that does not go through the PA firewall.

Corrected User information isn’t updated in Microsoft Teams

Situation: The domain administrator has corrected one user’s first name. Everything, including Outlook, shows the correct first name except Teams. Signing out of Teams and signing back in doesn’t fix the problem.

Resolution: Quoted from Microsoft:

This behavior is by design.
Teams has a caching scheme that is designed for capacity and performance optimization. The Teams service caches general user information for up to three days. The Teams client also caches general user information locally. Some data, such as display name and telephone number, can be cached up to 28 days in the client. Profile photos can be cached up to 60 days.

To clear the cache and receive updated information, sign out of Teams, and then sign back in. Or, manually Clear Teams cache
Clear Teams cache in Windows
1. If Teams is still running, right-click the Teams icon in the taskbar, and then select Quit.
2. Open the Run dialog box by pressing the Windows logo key +R.
3. In the Run dialog box, enter %appdata%\Microsoft\Teams, and then select OK.
4. Delete all files and folders in the %appdata%\Microsoft\Teams directory.
5. Restart Teams.

Can’t ping a remote server after Windows Update with Event ID 7001

Situation: The client can’t ping their remote server after a Windows update (2023-01 Cumulative Update KB5022286).

Troubleshooting: We find Event ID 7001 related to this issue.
Event ID: 7001
Description:
The Windows Defender Antivirus Network Inspection Service service depends on the Windows Defender Antivirus Network Inspection System Driver service which failed to start because of the following error:
The dependency service or group failed to start.

Resolution 1: Start the Windows Defender Antivirus Firewall Service.

Resolution 2: In one case, we saw Windows Defender Antivirus stop every one or two hours. Uninstall KB5022286 and wait for the next update. Uninstalling it also removes the security fixes it contains, so install the next cumulative update once it is available. To uninstall it, use this command: wusa /uninstall /kb:5022286

Resolution 3: Installing Security Intelligence Update for Microsoft Defender Antivirus – KB2267602 (Version 1.381.2465.9) fixes the problem.

Resolution 4: In another case, we find Event ID 7001 with this description:
The Network Connectivity Assistant service depends on the Base Filtering Engine service which failed to start because of the following error:
After starting, the service hung in a start-pending state.
And then we find:

Event ID: 7022 – Description:
The Network Connectivity Assistant service depends on the Base Filtering Engine service which failed to start because of the following error:
After starting, the service hung in a start-pending state.

How to Fix Base Filtering Engine Service Startup Problems – https://www.winhelponline.com/blog/fix-base-filtering-engine-service-startup-problems/

Can’t login remote server with Event ID 7001 – Windows Defender Antivirus Firewall stops

Situation: The client can’t log in to their remote server after a Windows update (2023-01 Cumulative Update KB5022286).

Troubleshooting: We find Event ID 7001 related to this issue.
Event ID: 7001
Description:
The Windows Defender Antivirus Network Inspection Service service depends on the Windows Defender Antivirus Network Inspection System Driver service which failed to start because of the following error:
The dependency service or group failed to start.

Resolution 1: Start the Windows Defender Antivirus Firewall Service.

Resolution 2: In one case, we saw the Windows Defender Antivirus Firewall Service keep stopping. You can uninstall KB5022286 and wait for the next update. To uninstall it, use this command: wusa /uninstall /kb:5022286

Resolution 3: We find that Microsoft has released another update which may fix this problem: Security Intelligence for Microsoft Defender Antivirus – KB2267602 (Version 1.381.2465.0)
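
A triage script for the two Event ID 7001 cases above, added here as an example and not taken from the original posts. It checks whether KB5022286 is installed, shows the state of each service in the dependency chains named in the event descriptions, and lists recent 7001/7022 entries. The short service names (WdNisSvc, mpssvc, NcaSvc, BFE) are the standard Windows names for those services and are an assumption, since the posts give only the display names.

```powershell
# Added triage example, not from the original post. Run from an elevated prompt.
$kb       = 'KB5022286'                            # update named in both posts
$services = 'WdNisSvc', 'mpssvc', 'NcaSvc', 'BFE'  # short names assumed, see lead-in

# 1. Is the cumulative update installed on this machine?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) { "$kb installed on $($hotfix.InstalledOn)" } else { "$kb is not installed" }

# 2. State of each service and of everything it depends on.
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "${name}: not present"; continue }
    "{0} ({1}): {2}, StartType={3}" -f $svc.Name, $svc.DisplayName, $svc.Status, $svc.StartType
    foreach ($dep in $svc.ServicesDependedOn) {
        "    depends on {0} ({1}): {2}" -f $dep.Name, $dep.DisplayName, $dep.Status
    }
}

# 3. Event ID 7001 and 7022 entries from the last 7 days, oldest first.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7001, 7022
    StartTime    = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Id, Message
```

A dependency that step 2 reports as Stopped or StartPending is the one to look at first, before the service that depends on it.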

Add-ins in Outlook don’t work

Situation: The user has a problem adding the CRM add-in. Whenever she enables it, it disappears when she goes back to File > Options > Add-ins.

Troubleshooting: We ask her to check Windows Update. She comes back saying it is up to date. However, when we check Windows Update, it shows there is a Windows update for version 22H2.

After installing the update and restarting, she can add the CRM add-ins.

Dell Desktop can’t start with error code: 0161

Situation: The client can’t start his Dell Desktop. Diagnostics find error code 0161.

Troubleshooting: We can see the hard disk in the BIOS by pressing F2.

Resolution 1: Take the hard disk to a different desktop to test it.

Resolution 2: Remove Optane Module

I was able to resolve it. And it seems that Optane module was the one that failed because after I removed it I was able to use the disk.

So here are the steps:
1) Remove Optane Module
2) Set disk working as AHCI in BIOS (was set to RAID).
3) Format the HDD. I was not able to do that from the Windows boot USB, but once I put it in an external box, another laptop could do that from an admin command line using the diskpart tool.
4) After that HDD is recognized by Windows boot USB and Windows can be installed back.

Step 3: Add a Hard Drive and install Windows OS. Then check the original hard disk.

User forgot his domain password and can’t login remotely

Situation: A WFH user can’t log in remotely to his domain-joined computer because the password has expired.

Troubleshooting: We need to reset the password and re-sync the laptop with the DC over the VPN.

  1. Log in with the local admin account on the laptop.
  2. Establish the VPN to connect to the Office DC.
  3. To test and force the new password to sync, you can use the net use command, for example net use \\sharedservername. Then enter the username and password. If it is successful, you are good to log in remotely.

Can’t login domain user because of incorrect password remotely

Situation: The client sends a new laptop to their new user. However, the user can’t log in with the preset domain credentials because the password is rejected as incorrect (we tested it by logging in to office.com and on a local network PC).

Troubleshooting: We need to reset the password and re-sync the laptop with the DC over the VPN.

  1. Log in with the local admin account on the laptop.
  2. Establish the VPN to connect to the Office DC.
  3. To test and force the new password to sync, you can use the net use command, for example net use \\sharedservername. Then enter the username and password. If it is successful, you are good to log in remotely.

Can’t login Palo Alto Firewall because MFA doesn’t work

In some cases, you can’t log in to the PA firewall because MFA doesn’t work. What can you do, and how do you disable MFA?

Resolution 1: Disable or change Authentication Profile on PA Firewall

  1. Log in to the PA firewall through a back door (a local user account without MFA enabled).
  2. Go to DEVICE > Administration. Disable or change the Authentication Profile.

Resolution 2: Disable MFA (multi-factor authentication) and 2FA (two-factor authentication) on your security app or access tools

In this post we use DUO as an example.

  1. Log in to duo.com.
  2. Click Users on the left pane.
  3. Click on the user who has a problem logging in to the PA firewall.
  4. Switch from Active to Bypass.
  5. Click Save Change. Now, try to log in again.

Failed authentication for user to login PA firewall – Reason: Invalid username/password

Situation: After the client configures DUO MFA on their Palo Alto Firewall, one of the users has a problem logging in to the firewall and gets this message:

Failed authentication for user ‘username’.
Reason: Invalid username/password. auth profile
‘DUO Authentication’, vsys ‘shared’, server profile
‘DUO Radius Profile’, server address ‘10.0.0.11’,
auth protocol ‘PAP’, reply message
‘Invalid username or password’ From: 10.0.0.11.

Troubleshooting: Make sure the Duo Mobile app is not deactivated. Also make sure the DUO-PROTECTED account has not been disabled in the DUO app.
