iOS Accounts needs permission to access resources

Situation: When you set up an iPhone to use Office 365 email with MFA enabled, you may receive this message:

iOS Accounts

You can’t access this application

iOS Accounts needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

Resolutions: 1. The best way to access Microsoft Office 365 email is to use the Outlook app. You can download it from the Apple store.

2. If you want to use both business email and personal email in the Apple mail app, you may download the Microsoft Authentication app.

3. Or set it up using the Configure Manually option. You will see this option after you enter the domain account password. You have two options: Login admin or Configure Manually. When using Configure Manually, you enter all information manually, including the server: outlook.office365.com.

4. Enable user access to Enterprise apps. From your Office 365 Admin portal, go to Admin Centers > Azure AD > Users and Groups > User Settings, then make sure “Users can consent to apps accessing company data on their behalf” is enabled.

5. admin_consent

You will then be redirected to a Microsoft login page where the user should enter a password. At the bottom of that page you have the option to send the URL to a user. Instruct the user to send that URL to an Office 365 administrator. The URL should look like the following:

3g.) Once you get the URL, open a browser (and log in to the Office Admin Center with a global admin account). Now you need to modify the URL you got.

3h.) Change the section “prompt=login” to “prompt=admin_consent”

3i.) Remove the “login_hint=blocks@contoso.onmicrosoft.com&” section

3j.) Now copy the modified URL and paste it into the browser you have open

3k.) You will now be prompted to accept that.

3l.) Once done, the browser tries to redirect you to the iOS device. On your PC this will fail, but the needed action has been performed.

6. Users or groups may be assigned access to the Read&Write application

  • Navigate to Azure Admin Settings -> Azure Active Directory -> Enterprise Applications -> All Applications -> Read&Write.

  • Select Users and Groups -> Add User/Group.

7. A Global Administrator must give consent on behalf of users

  • Using an administrator account, use this consent link to sign in to Office 365.
  • You will be prompted to consent to the read permissions that the Read&Write application needs.
  • After consenting, you’ll be directed to the Read&Write login page https://www.login.texthelp.com. Please allow a short period of time for the Read&Write application to be added to your catalog.

After completing these steps, non-admin users should be able to access Read&Write for Windows!
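The URL edit from steps 3h and 3i of the iOS Accounts procedure, as an added PowerShell example (not from the original post). Admin consent applies to the whole tenant, so the function also surfaces the client_id and redirect_uri for review before the URL is opened; the allowed host, the endpoint path and the sample URL are assumptions, since the page does not show the real URL.

```powershell
# Added example: apply steps 3h and 3i to a sign-in URL and show what is being consented to.
function Convert-ToAdminConsentUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        # Assumption: the Microsoft sign-in page is served from this host.
        [string[]]$AllowedHosts = @('login.microsoftonline.com')
    )
    $uri = [uri]$Url
    if ($uri.Scheme -ne 'https' -or $AllowedHosts -notcontains $uri.Host) {
        throw "Refusing to rewrite a URL for unexpected host '$($uri.Host)'"
    }
    $seen = @{}
    $sawPrompt = $false
    $kept = foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        if ($name -eq 'login_hint') { continue }      # step 3i: drop login_hint
        if ($name -eq 'prompt') {                     # step 3h: prompt=admin_consent
            $value = 'admin_consent'
            $sawPrompt = $true
        }
        $seen[$name] = [uri]::UnescapeDataString("$value")
        "$name=$value"
    }
    # If the URL carried no prompt parameter at all, add it.
    if (-not $sawPrompt) { $kept = @($kept) + 'prompt=admin_consent' }
    [pscustomobject]@{
        ClientId    = $seen['client_id']      # which application is asking for consent
        RedirectUri = $seen['redirect_uri']   # where the browser is sent afterwards
        ConsentUrl  = $uri.GetLeftPart([System.UriPartial]::Path) + '?' + ($kept -join '&')
    }
}

# Constructed sample URL; client_id and redirect_uri are placeholders.
$sample = 'https://login.microsoftonline.com/common/oauth2/authorize' +
    '?client_id=00000000-0000-0000-0000-000000000000&response_type=code' +
    '&redirect_uri=placeholder-app%3A%2F%2Fcallback&prompt=login' +
    '&login_hint=blocks@contoso.onmicrosoft.com&state=constructed'
Convert-ToAdminConsentUrl -Url $sample | Format-List
```

Compare ClientId with the application named in the consent prompt before accepting in step 3k.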

WSUS client has a problem installing Windows updates

Situation: 1. A WSUS server within your network may have been decommissioned.

2. A WSUS client has a problem syncing with the WSUS server.

3. WSUS has a problem pushing updates to a WSUS client.

Resolution: Remove the registry entries on the WSUS client and reset Windows Update to its defaults. Please refer to this how-to:

How to remove a computer from WSUS

SEP: [APPLICATION] has changed since the last time you used it

Situation: The client has SEP on his Windows 10 machine. He keeps receiving this message:

[APPLICATION] has changed since the last time you used it

Troubleshooting: Upgrading SEP to the latest version may fix the problem.

Or use this workaround:

1. Open the SEP client GUI.
2. Choose [Change Settings].
3. Click [Configure Settings] for Network and Host Exploit Mitigation.
4. In the [Firewall] tab, enable [Enable network application monitoring] once, then push OK.
5. Click [Configure Settings] for Network and Host Exploit Mitigation again.
6. Disable [Enable network application monitoring], then push OK.
7. Close the SEP client GUI.

Can’t print when using WiFi

Situation: The client has two WiFi networks in his home. Randomly, he has problems printing.

Cause: The two WiFi routers create two different networks. When the computer and the printer are on different networks, he can’t print.

Resolution:

The resolution is to keep only one WiFi network. We have these options:

  1. Get rid of the D-link router and use ARRIS only.
  2. Get rid of ARRIS and use D-link only.
  3. Combine ARRIS and D-link into one WiFi.
  4. Or set up the WiFi networks with different passwords so that the printer always connects to one WiFi.

Symantec Endpoint Protection blocks network access

Situation: The client has a Windows 10 computer with SEP. He can’t access the network shared drives. If he uninstalls SEP, he can access those network drives.

Cause: The SEP firewall may block network traffic that the network application requires to function properly.

Resolution: 1. Re-configure the SEP firewall.

2. Disable the SEP firewall.

3. Create an allow rule in SEP.

WSUS: Unable to Find Resource

Situation: The client is running WSUS on their Windows 2012 R2 server. Many computers fail with this message: Unable to Find Resource

Troubleshooting: 1. Try adding the MIME type:

• Check that KB3159706 for decryption of ESD content is installed

• Checked that the prerequisites for KB3095113 are all installed

• Checked that KB3095113 for WSUS support for Windows 10 feature upgrades is installed.

• Set the MIME type on the IIS Server for the .esd file and .msu file types (which the above update should have sorted).

• Removed the Windows Update cache from the machines, stopped the BITS/Windows Update services and restarted.

• Restarted IIS Website

• Rebooted WSUS server

• Checked Windows Firewall status (disabled on Server)

• Asked the Windows 10 machine to get updates from Windows Updates rather than WSUS (this appeared to download and install OK) so this makes me think it’s an issue with our WSUS server.

• Installed the Windows 10 ADMX templates and set the “Download Mode” in GPO to both “Bypass” and “HTTP only”.

• Set WSUS to download express installation files

2. If the 1703 upgrade was synced into WSUS before KB3159706 was installed, then after performing the necessary update of KB3159706 and its post-installation servicing (link), we still need to follow the instructions here: https://social.technet.microsoft.com/Forums/en-US/b1165b9d-bad3-4ce3-9fc1-0fe3876df5c6/0xc1800118-with-1506301703171834rs2esd-after-kb3159706-manual-steps-the-decryptionkey-in?forum=winserverwsus.

There are basically 4 steps to be performed:

1 – Remove the packages synced before KB3159706 was installed. From PowerShell on the WSUS server:

    # Disable the Upgrades classification
    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification -Disable
    $s = Get-WsusServer
    # Decline, then delete, every update matching "version 1703"
    $1703Updates = $s.SearchUpdates("version 1703")
    $1703Updates | foreach { $_.Decline() }
    $1703Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }
    # Re-enable the Upgrades classification
    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification

2 – Delete the bad content for upgrade 1703 from the WSUS database; run this against the database. Mind: remove the trailing semi-colon from the SQL script in the post. They might result in the error “table variable not declared”.

    -- Collect the digests of 15063 .esd files that no revision references
    declare @NotNeededFiles table (FileDigest binary(20) UNIQUE)
    insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like '%15063%.esd' except select FileDigest from tbFileForRevision)
    -- Remove those files from the server mapping and from the file table
    delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)
    delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)

3 – Restart syncing from the WSUS GUI or with PowerShell commands on the WSUS server:

    $s = Get-WsusServer
    $sub = $s.GetSubscription()
    $sub.StartSynchronization()

4 – Repair client computers that have the error. On the client computer: Control Panel -> Troubleshooting -> Windows Update -> Try troubleshooting as an administrator

During all these activities, no reboot is required. Then, retry and good luck!

• Built a different Windows Server 2012 R2 machine, updated Windows Update GPO policy and got machines checking in, but download of this one update still does not happen.

3. Modify Group Policy

It sounds like you need to change Group Policy settings; that’s usually how clients are pointed at the WSUS server in the first place, instead of Microsoft for updates.

Edit GP and look in Comp Config -> Admin Temp -> Win Comp -> Win Update. Start by making sure Specify Intranet… is disabled. Disabled == clients will look to MS for updates.

If GP isn’t specifying an intranet updates server, then perhaps someone manually configured the clients’ reg keys. Check a client’s HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate to confirm.

4. Add .esd

1. In Products/Classifications, make sure to check off the Upgrades box or Windows 10 will not be available to deploy.

2. You will also need to add a MIME type for *.esd as application/octet-stream at the top level in IIS. To do this: Open IIS Manager > Select the server name > From the “IIS” section in the centre of IIS Manager, open “MIME Types” > Click “Add…” > File name extension: .esd, MIME type: application/octet-stream
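The registry check from item 3 (Modify Group Policy), as an added PowerShell example that is not from the original post. WUServer, WUStatusServer and AU\UseWUServer are the standard Windows Update policy value names under that key; the function name and the DNS lookup, which covers a client still pointed at a decommissioned server, are additions.

```powershell
# Added example: report where this client looks for updates, from the policy key named above.
function Get-WsusClientTarget {
    $base = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $keyPresent = Test-Path -Path $base
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue

    $server  = $wu.WUServer               # intranet update service URL, if set
    $useWsus = ($au.UseWUServer -eq 1)    # 1 = the client honours WUServer

    # Added check: does the configured server name still resolve?
    $resolves = $null
    if ($server) {
        try {
            $serverHost = ([uri]$server).Host
            [void][System.Net.Dns]::GetHostAddresses($serverHost)
            $resolves = $true
        } catch {
            $resolves = $false
        }
    }

    $verdict = if (-not $keyPresent) {
        'No WindowsUpdate policy key: client looks to Microsoft for updates'
    } elseif (-not $server -or -not $useWsus) {
        'Policy key present, but no intranet update server is in effect'
    } elseif (-not $resolves) {
        'Pointed at a WSUS server name that does not resolve'
    } else {
        'Pointed at WSUS'
    }

    [pscustomobject]@{
        WUServer       = $server
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        ServerResolves = $resolves
        Verdict        = $verdict
    }
}

Get-WsusClientTarget | Format-List
```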

What’s the difference between a Windows black screen and a blue screen

Q: What’s the difference between a Windows black screen and a blue screen?

A: In most cases, a Windows blue screen is caused by hardware, driver or system file issues. The resolutions could be: 1) unplug the hardware; 2) upgrade the drivers; 3) restore system files.

A Windows black screen could be a registry issue, for example the registry files or settings have been damaged or modified. Please refer to this article to troubleshoot it.

Windows OS goes to black screen after Windows update