Category Archives: Uncategorized

Error: DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.

Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.

Severity: Error
DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.
BPA - Error DHCP Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server

What does this mean?

If you have the DHCP service installed on your domain controller without a service account configured, by default, DNS registrations from DHCP clients will be prevented from being registered and will log event 1056 in event viewer.

Solution: Complete the following steps below to change the credentials of the service account used for DHCP.

  1. Before beginning, make sure you have a service account you can use to set the DHCP Server to run as.  This account should be a domain account (not a local account) and should not have any fancy privileges (standard user account, not an administrator).
  2. Open up Server Manager
    Server 2012 R2 - Server Manager
  3. Click Tools and select DHCP
    Server Manager - Tools - DHCP
  4. Expand your DHCP server and right click on the IPv4 service and select Properties
    DHCP - IPv4 - Properties
  5. Select the Advanced tab and then click the Credentials... button
    DHCP - IPv4 Properties - Advanced - Credentials...
  6. Enter in the User name, domain, password, and confirmation password to the user and click OK
    DNS dynamic update credentials
  7. Click OK on the IPv4 Properties screen
  8. Repeat this step on each of the DHCP servers in your domain.  It is recommended to use the same service account on each of the machines.

Notes: The official KB article from Microsoft on this subject can be found here: http://technet.microsoft.com/en-us/library/ee941181(v=ws.10).aspx
Another very good Technet article written by karammasri on this subject can be found here: http://blogs.technet.com/b/stdqry/archive/2012/04/03/dhcp-server-in-dcs-and-dns-registrations.aspx

Warning: Short file name creation should be disabled

Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.

Severity: Warning
Short file name creation should be disabled
Short file name creation should be disabled

What is short file name creation?

Back in the good ol' days of windows, filenames were limited to a format of 8 characters for the name, a period, and then 3 characters for a file extension.  The filename was limited by FAT formatted partitions.  Unless running very old legacy applications, this can be safely turned off to help with performance.

Solution: Complete the following steps below to disable short file name creation.

  1. Open up an elevated powershell console
    Server 2012 - PowerShell - Run as Administrator
  2. Execute the following command
    1. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name NtfsDisable8dot3NameCreation -Value 1
      Set-ItemProperty HKLM-SYSTEM-CurrentControlSet-Control-FileSystem
  3. Optionally, you can open up registry viewer and confirm the value has been changed.
    Registry Editor - HKLM-SYSTEM-CurrentControlSet-Control-FileSystem

Notes: An official KB article from Microsoft on this topic can be found here: http://technet.microsoft.com/en-us/library/ff633453(v=ws.10).aspx

Warning: Enable Receive Side Scaling (RSS) on a network adapter

Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.

Severity: Warning
Enable Receive Side Scaling (RSS) on a network adapter
Server Manager - Best Practices Analyzer - Warning - Enable Receive Side Scaling RSS on a network adapter

What is Receive Side Scaling (RSS)?

Per Microsoft's website, Virtual Receive-side scaling (RSS) is a feature in Windows Server® 2012 R2 that allows the load from a virtual network adapter to be distributed across multiple virtual processors in a virtual machine.

Solution: Complete the following steps below to enable Receive-side scaling (RSS) on a network adapter.

  1. Open up an elevated command prompt
    Elevated Command Prompt
  2. Execute the following command
    1. netsh interface tcp set global rss=enabled
      command prompt - netsh interface tcp set global rss enabled
  3. At this point, Receive Side Scaling should be enabled.  Optionally, you can verify this in the Windows GUI.  Follow the steps below for verification.
    1. Execute the following command to open up device manager
      1. DEVMGMT.msc
        command prompt - devmgmt
    2. Expand Network adapters, right click on your adapter and select Properties
      device manager - network adapters - properties
    3. Select the Advanced tab and find Receive Side Scaling.  Set this to Enabled if it isn't already.
      Network Adapter Properties - Advanced - Receive Side Scaling

Notes:
An official KB article on this issue can be found here: http://technet.microsoft.com/en-us/library/gg162712(v=ws.10).aspx
An official KB article about Receive Side Scaling can be found here: http://technet.microsoft.com/en-us/library/dn383582.aspx

Warning: All OUs in this domain should be protected from accidental deletion

Symptom: When running the Microsoft Best Practices Analyzer on Server 2008 - Server 2012 R2, you receive the following warning:

Severity: Warning
All OUs in this domain should be protected from accidental deletion
Server Manager - Best Practices Analyzer - Warning - All OUs in this domain should be protected from accidental deletion

What is accidental deletion?

By protecting all OUs in the domain from accidental deletion, you will prevent yourself from being able to simply right click and delete an organizational unit in Active Directory Users and Groups.  By enabling accidental deletion on all OUs, you will have to take an extra step to delete the OU (which can be nice, as you don't want to accidentally delete an OU with important users or groups in it).

Solution:

Complete the steps below to enable protect all OUs in the domain from accidental deletion.

  1. Open up Server Manager
    Server 2012 R2 - Server Manager
  2. Click Tools and select Active Directory Module for Windows PowerShell
    Server Manager - Tools - Active Directory Module for Windows PowerShell
  3. Optional Step: Execute the following command to see which OUs are not currently protected from accidental deletion
    1. Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft DistinguishedNameList unprotected OUs from Accidental Deletion PowerShell
  4. Execute the following command to protect all OUs in the domain from accidental deletion
    1. Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $trueProtect OUs from Accidental Deletion PowerShell

Notes: An official KB article from Microsoft on this subject can be found here: http://technet.microsoft.com/en-us/library/dd723677(v=ws.10).aspx

Warning: DNS: The DNS server should have scavenging enabled

Symptom: When running the Microsoft Best Practice Analyzer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2, you receive the following recommendation/warning:

Severity: Warning
DNS: The DNS server should have scavenging enabled.
Server 2012 - BPA - The DNS server should have scavenging enabled

What is DNS scavenging?

Per Microsoft: Scavenging automates the deletion of old records. When scavenging is disabled, these records must be deleted manually or the size of the DNS database can become large and have an adverse effect on performance.

Solution: Complete the following steps below to enable scavenging of DNS records.

  1. Click Start (right click Start if in Server 2012), and select Run
    Server 2012 - Run
  2. Type dnsmgmt.msc and click OK
    Run - dnsmgmt-msc
  3. Right click on your server and select Properties
    DNS Manager - Properties
  4. Click on the Advanced tab and check Enable automatic scavenging of stale records
    DNS Manager - Properties - Advanced - Enable automatic scavenging of stale records
  5.  Click OK

Notes: The official KB article from Microsoft can be found here: http://technet.microsoft.com/en-us/library/ff807390(v=ws.10).aspx

Enabling SSL on Windows Server Update Services (WSUS)

Here are the steps to configure SSL on your servers running the Windows Server Update Services.  This guide was written using Server 2012 R2, however it should be the same steps for Windows Server 2008 R2 as well.  This guide also assumes you have a working instance of WSUS installed and configured, using default ports.

  1. Login to your WSUS server
  2. Open up Server Manager
    Server 2012 R2 - Server Manager
  3. Select Tools -> Internet Information Services (IIS) Manager
    Server Manager - Tools - Internet Information Services IIS Manager
  4. Generate a SSL certificate
    1. Click on your Server and select Server Certificates
      Internet Information Services (IIS) Manager - Server Certificates
    2. If you have your own PKI environment, follow these steps, if not, jump to step three
      1. Click Create Domain Certificate on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Create Domain Certificate
      2. Fill in the requested information on the Distinguished Name Properties page and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Distinguished Name Properties
      3. Select your certificate authority and enter a friendly name (this can be anything), and then click Finish
      4. Internet Information Services (IIS) Manager - Server Certificates - Create Domain Certificate - Online Certification Authority
    3. If you need to submit a certificate request to an external certificate authority like Goaddy, Verisgn, Comodo; follow these steps
      1. Click Create Certificate Request on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Create Certificate Request
      2. Fill out the Distinguished Name Properties and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Distinguished Name Properties
      3. Change the Bit length to 2048 and click Next
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Crytographic Service Provider Properties
      4. Select a location on where to place the CSR file that will be generated by the wizard and click Finish
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - File Name
      5. At this point, send the request to your certificate authority (like GoDaddy, Verisign, or your own internal certificate authority). You should receive back a .cer file once the claim has been fulfilled.
      6. Click on Complete Certificate Request on the right side
        Internet Information Services (IIS) Manager - Server Certificates - Complete Certificate Request
      7. Select the .cer file that your public certificate authority provided you, type in a friendly name (this can be anything), select Web Hosting for the certificate store, and click OK
        Internet Information Services (IIS) Manager - Server Certificates - Request Certificate - Specify Certificate Authority Response
  5. Next, we need to bind the SSL certificate to your network adapter.
    1. Expand your server, expand Sites, and select WSUS Administration
      IIS - Sites - WSUS Administration
    2. Select Bindings... on the right side
      IIS - Bindings
    3. Select the https site and hit the Edit... button
      Site Bindings - Port 8531
    4. Select https for the type, select the SSL certificate you created above, and click OK
      IIS - Edit Site Binding - WSUS
    5. Click Close on the Site Bindings window
      IIS - Site Bindings - https
  6. Next, we need to enforce SSL encryption on the following virtual roots
    • ApiRemoting30
    • ClientWebService
    • DSSAuthWebService
    • ServerSyncWebService
    • SimpleAuthWebService

    1. Expand WSUS Administration and foreach of the directories above, complete the following steps
      1. Select the virtual site
        IIS - WSUS Administration
      2. Double click on SSL Settings
        IIS - WSUS Administration - SSL Settings
      3. Check Require SSL and leave client certificates to ignore
        IIS - WSUS Administration - SSL Settings - Require SSL
      4. Click Apply in the top right corner
        IIS - SSL Settings - Apply
  7. Next, we need to execute a command to tell WSUS to use ssl
    1. Open up an elevated command prompt
      Server 2012 - Administrative Command Prompt
    2. Navigate to your WSUS installation folder
      1. cd "c:\Program Files\Update Services\Tools"
        cmd - program files - update services - tools
    3. Execute the following command (replace your server with the correct FQDN)
      1. WSUSUtil.exe configuressl myserver.mydomain.local
        wsusutil configuressl
  8. Restart the WSUS server to make sure all changes take effect.  You should be able to bring up the WSUS management console if all went well.
  9. Configure your clients to connect via SSL to the WSUS server via Group Policy
    1. Login to your domain controller
    2. Open up Server Manager
      Server 2012 R2 - Server Manager
    3. Open up Group Policy Management
      Server Manager - Tools - Group Policy Management
    4. Right click on the policy you want to edit and select Edit
      Edit GPO
    5. Expand Computer Configuration -> Polices -> Administrative Templates -> Windows Components -> Windows Update
    6. Double click on Specify intranet Microsoft update service location
      Specify intranet Microsoft update service location
    7. Change the intranet update service url to https and specify port 8531 and then click Apply.
      Specify intranet Microsoft update service location - options

That should do it!  Try doing a gpupdate /force on your local machine and the check for windows updates.  If windows successfully completes checking for updates, you should be good to go! 🙂

Notes: Official documentation from Microsoft in regards to using SSL and WSUS can be found here: http://technet.microsoft.com/en-us/library/hh852346.aspx#consswsus

Windows Update Services - Multiple Errors in Event Viewer - Event ID 12052,12042, 12022, 12032, 12012, 12002,13042

Symptom: When browsing through the event viewer logs on your Windows Update Services server, you notice the following Event IDs with a Level of Error in the following order: 12052, 12042, 12022, 12032, 12012, 12002, 13042.

Event Viewer - WSUS Errors

Log Name: Application
Source: Windows Server Update Services
Event ID: 12052
Task Category: 9
Level: Error
Description: The DSS Authentication Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 12042
Task Category: 9
Level: Error
Description: The SimpleAuth Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 12022
Task Category: 9
Level: Error
Description: The Client Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 12032
Task Category: 9
Level: Error
Description: The Server Synchronization Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 12012
Task Category: 9
Level: Error
Description: The API Remoting Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 12002
Task Category: 9
Level: Error
Description: The Reporting Web Service is not working.

Log Name: Application
Source: Windows Server Update Services
Date: 10/3/2013 4:53:26 AM
Event ID: 13042
Task Category: 6
Level: Error
Description: Self-update is not working.

Additionally, you can recreate these events by running the following command: wsusutil.exe checkhealth

Solution: Reconfigure the WSUS server via the wsusutil.exe command.

  1. Login to the WSUS server
  2. Open up a command prompt with Administrative rights
    cmd as Administrator
  3. Navigate to the Update Services\Tools directory.
    1. By default you can find it on your C drive by executing the following command
      1. cd "c:\Program Files\Update Services\Tools"
        cmd Update Services - Tools
  4. Execute one of the following commands
    1. If updates are configured for port 80 execute this command
      1. wsusutil.exe usecustomwebsite false
    2. If updates are configured for port 8530 execute this command
      1. wsusutil.exe usecustomwebsite true
    3. wsusutil usecustomwebsite
  5. Execute the following command to verify the WSUS service is running correctly
    1. wsusutil.exe checkhealth
      wsusutil checkhealth
  6. You should see Event ID 10000 in event viewer confirming all is wellWSUS is working correctly

Tutorial - How to setup a KMS server for a Windows Domain

Copied from Microsoft, here is what we can achieve by configuring a KMS server on our local network for a windows domain: http://technet.microsoft.com/en-us/library/ff793434.aspx

KMS activates computers on a local network, eliminating the need for individual computers to connect to Microsoft. To do this, KMS uses a client–server topology. KMS client computers can locate KMS host computers by using Domain Name System (DNS) or a static configuration. KMS clients contact the KMS host by using remote procedure call (RPC). KMS can be hosted on computers that are running the Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 operating systems.

  1. Go to the volume licensing center and grab a copy of the KMS key for your server OS
    1. Navigate to https://www.microsoft.com/Licensing/servicecenter/home.aspx
    2. Login
    3. Select Downloads and Keys
      Volume Licensing Service Center - Downloads and Keys
    4. Select Windows Server
      Volume Licensing Service Center - Windows Server
    5. Finder your server version and click Key
      Volume Licensing Service Center - Windows Server - Key
    6. Copy the KMS type key
  2. Login to the server you want to setup as the KMS server.
  3. Open up a command prompt as an administrator.
  4. Ensure you are in the system32 folder of Windows
    1. cd c:\Windows\System32
      windows - System 32
  5. Execute the following command to setup your license key
    1. cscript slmgr.vbs /ipk WINDOWS-KMS-LICENSE-KEY-HERE
      cscript slmgr ipk
  6. Execute the following command to activate the host
    1. cscript slmgr.vbs /ato
      Activating Windows
  7. Execute the following command to verify the host has the Key Management Service enabled
    1. cscript slmgr.vbs /dlv
      cscript slmgr dlv
  8. Next, we need to open the firewall for the server to accept activation requests
    1. Open up Windows Firewall with Advanced Security
      Windows 8 - Windows Firewall with Advanced Security
    2. Right click on Inbound Rules and select New Rule...
      Windows Firewall with Advanced Security - New Rule
    3. Select Port and click Next >
      New Inboud Rule Wizard - Port
    4. Check TCP, check Specific Local Ports and enter port 1688, click Next >
      New Inboud Rule Wizard - Specific local ports
    5. Check Allow the connection and click Next >
      New Inboud Rule Wizard - Allow the connection
    6. Check Domain and click Next >
      New Inboud Rule Wizard - Domain
    7. Enter a name for the rule and click Finish
      New Inboud Rule Wizard - Rule Name

Congrats!  Your KMS server should now be ready to accept activation requests!

Notes: Here is a full listing of the commands/switches you can execute using the Software Licensing Management Tool.

C:\Windows\System32>cscript slmgr.vbs
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Invalid combination of command parameters.

Windows Software Licensing Management Tool
Usage: slmgr.vbs [MachineName [User Password]] [<Option>]
MachineName: Name of remote machine (default is local machine)
User: Account with required privilege on remote machine
Password: password for the previous account

Global Options:
/ipk <Product Key>
Install product key (replaces existing key)
/ato [Activation ID]
Activate Windows
/dli [Activation ID | All]
Display license information (default: current license)
/dlv [Activation ID | All]
Display detailed license information (default: current license)
/xpr [Activation ID]
Expiration date for current license state

Advanced Options:
/cpky
Clear product key from the registry (prevents disclosure attacks)
/ilc <License file>
Install license
/rilc
Re-install system license files
/rearm
Reset the licensing status of the machine
/upk [Activation ID]
Uninstall product key

/dti [Activation ID]
Display Installation ID for offline activation
/atp <Confirmation ID> [Activation ID]
Activate product with user-provided Confirmation ID

Volume Licensing: Key Management Service (KMS) Client Options:
/skms <Name[:Port] | : port> [Activation ID]
Set the name and/or the port for the KMS computer this machine will use. IPv6 address must be specified in the format [hostname]:port
/ckms [Activation ID]
Clear name of KMS computer used (sets the port to the default)
/skms-domain <FQDN> [Activation ID]
Set the specific DNS domain in which all KMS SRV records can be found. This setting has no effect if the specific single KMS host is set via /skms option.
/ckms-domain [Activation ID]
Clear the specific DNS domain in which all KMS SRV records can be found. The specific KMS host will be used if set via /skms. Otherwise default KMS auto-discovery will be used.
/skhc
Enable KMS host caching
/ckhc
Disable KMS host caching

Volume Licensing: Token-based Activation Options:
/lil
List installed Token-based Activation Issuance Licenses
/ril <ILID> <ILvID>
Remove installed Token-based Activation Issuance License
/ltc
List Token-based Activation Certificates
/fta <Certificate Thumbprint> [<PIN>]
Force Token-based Activation

Volume Licensing: Key Management Service (KMS) Options:
/sprt <Port>
Set TCP port KMS will use to communicate with clients
/sai <Activation Interval>
Set interval (minutes) for unactivated clients to attempt KMS connection. The activation interval must be between 15 minutes (min) and 30 days (max) although the default (2 hours) is recommended.
/sri <Renewal Interval>
Set renewal interval (minutes) for activated clients to attempt KMS connection. The renewal interval must be between 15 minutes (min) and 30 days (max) although the default (7 days) is recommended.
/sdns
Enable DNS publishing by KMS (default)
/cdns
Disable DNS publishing by KMS
/spri
Set KMS priority to normal (default)
/cpri
Set KMS priority to low
/act-type [Activation-Type] [Activation ID]
Set activation type to 1 (for AD) or 2 (for KMS) or 3 (for Token) or 0 (for all).

Volume Licensing: Active Directory (AD) Activation Options:
/ad-activation-online <Product Key> [Activation Object name]
Activate AD (Active Directory) forest with user-provided product key
/ad-activation-get-iid <Product Key>
Display Installation ID for AD (Active Directory) forest
/ad-activation-apply-cid <Product Key> <Confirmation ID> [Activation Object name]
Activate AD (Active Directory) forest with user-provided product key and Confirmation ID
/ao-list
Display Activation Objects in AD (Active Directory)
/del-ao <Activation Object DN | Activation Object RDN>
Delete Activation Objects in AD (Active Directory) for user-provided Activation Object

Enabling TLS 1.2 on IIS 7.5 for 256-bit cipher strength

So strangely enough, I always thought submitting a 2048bit CSR to my CA and receiving a 256-bit SSL cert would automatically force connections to use a 256-bit cipher strength over the established SSL connection, however it turns out that most connections will stay at 128-bit unless you tell your server to utilize TLS 1.2.  In this tutorial, we will go over how to enable TLS v1.2 for IIS to increase the cipher strength to 256-bits.

Here is what a certificate's connection info looked like before the tutorial

SSL Cert Info - 128-bit

Here is what a certificate's connection info looks like after the tutorial

SSL Cert Info - 256-bit

  1. Execute the following commands via an elevated PowerShell command prompt to enable TLS v1.2:
    Elevated Powershell

    1. # Create keys in registry (not created by Windows out of the box)
      md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
      md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
      md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
      # Enable TLS 1.2 for client and server SCHANNEL communications
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"
      new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
      PowerShell TLS 1.2 Registry Edits
    2. Registry before powershell commands
      Registry - Before TLS v1.2
    3. Registry after powershell commands
      Registry - After TLS v1.2
  2. Next, we need to edit the server to default the use of the 256-bit ciphers
    1. Click Start->gpedit.msc
      Start -> gpedit.msc
    2. Expand Computer Configuration -> Administrative Templates -> Network and select SSL Configuration Settings
      Group Policy Editor - SSL Configuration Settings
    3. Double click SSL Cipher Suite Order and check Enabled
      SSL Cipher Suite Order 128-bit
    4. Copy the text from the SSL Cipher Suites and paste it into notepad.
      SSL Cipher Suite Order
    5. Move the following to the beginning of the text document: TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA (Note: here you could remove lower strength ciphers from the order to prevent the server from accepting those connections).
      TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA Cipher Suite order
    6. Paste the Cipher Suites back into the SSL Cipher Suites box in Group Policy and click OK
      SSL Cipher Suite Order 256-bit
    7. Restart the server for the changes to take effect

References:

Changing the order of the Cipher Strengths:
http://social.technet.microsoft.com/Forums/forefront/en-US/ec033ff6-091d-441d-8ad3-7ea411100009/ssl-with-256bit-strength

Original source I found for the quick powershell commands to enable TLS v1.2:
http://www.derekseaman.com/2010/06/enable-tls-12-aes-256-and-sha-256-in.html

Code 80243004 - Windows Update encountered an unknown error.

When trying to install Windows Updates, you receive the following error:

Code 80243004 - Windows Update encountered an unknown error.

Code 80243004 - Windows Update encountered an unknown error

This used to be a documented issue by Microsoft prior to them replacing the page with a fixit installer.  The solution is a super weird workaround.  Please follow the steps below for updates to continue installing.

  1. Right click on the taskbar and select Properties.
    Code 80243004 - Properties
  2. Click the Customize... button on the Taskbar and Start Menu Properties window.
    Code 80243004 - Customize
  3. On the Notification Area Icons window, make sure Always show all icons and notifications on the taskbar is checked and click OK.
    Always show all icons and notifications on the taskbar
  4. At this point, try running Windows Update again and the updates should begin to install properly.

Not sure why this fixes the issue, but it worked for me on a couple of virtual machines running in a VMware environment.  An additional thing I noticed is you can see the tray has "null icons", where they are blanks of open applications; once you hover over them, they disappear/close.  Not sure if this is a bug with Windows and VMware VMs, but just thought it was a weird coincidence.  If you have had this same issue, could you please drop a comment below stating whether or not you received the same issue in a virtual environment?