Kent Autrand

After 24H2 Update Client PCs Show Offline in Server Essentials Dashboard

Server 2016 Essentials and 2016 Standard.  Both have Essentials Dashboard.

Windows 11 clients updated automatically to 24H2.  Once done all showed Offline under Devices.  Checked the clients and they all showed they had connection to server, but Network no longer showed any of the other PCs on the Network.  Network files were still available from each client.

Searched for a solution and found a number of users having similar issues with Network connection.  Only solution was to Roll Back each client to 23H2 and set Group Policy to only allow updates to 23H2.  This worked, but Devices now show Updates needed for each.  When running Updates manually on the clients, no updates are found.

Not a long-term solution, as we should be able to update to 24H2, since any new clients will have that version.


asked 11/25/2024 17:01
Mariette Knap

Hello Kent,

This issue likely pertains to TLS. I've attached a zipped PowerShell script. Running it from an elevated PowerShell prompt will provide an overview of the TLS settings on your server. Could you share the output here?

Kent Autrand
PS C:\Users\Admin\Desktop\Get-TLS1> C:\Users\Admin\Desktop\Get-TLS1\Get-TLS.ps1

Path                                                                                       Name                         Value
----                                                                                       ----                         -----
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                          SystemDefaultTlsVersions         1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                          SchUseStrongCrypto               1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319                              SystemDefaultTlsVersions         1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319                              SchUseStrongCrypto               1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                          SystemDefaultTlsVersions         1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                          SchUseStrongCrypto               1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727                              SystemDefaultTlsVersions         1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727                              SchUseStrongCrypto               1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client Enabled                          1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault                0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server DisabledByDefault        Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client Enabled                  Not Found
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client DisabledByDefault        Not Found

PS C:\Users\Admin\Desktop\Get-TLS1> 
replied 11/25/2024 18:17
Mariette Knap

It's unusual to find that 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' is set to 1 while the others are not configured. I suggest downloading Nartac Software - IIS Crypto and following the steps shown in the screenshots. Start by creating a backup, then reset to defaults. Afterwards, you'll need to reboot the server. Revisit the Dashboard to see if there's any improvement. If not, open a browser and navigate to 'http://servername/connect' to reinstall the Connector.


replied 11/25/2024 18:45
Kent Autrand

Thank you.  Will try this tonight after business hours and let you know.


replied 11/25/2024 18:53
Kent Autrand

Ran the program twice and rebooted.  No change in the values other than Not Found changed to und.

Path                                                                                       Name                     Value
----                                                                                       ----                     -----
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                          SystemDefaultTlsVersions   1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                          SchUseStrongCrypto         1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319                              SystemDefaultTlsVersions   1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319                              SchUseStrongCrypto         1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                          SystemDefaultTlsVersions   1
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                          SchUseStrongCrypto         1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727                              SystemDefaultTlsVersions   1
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727                              SchUseStrongCrypto         1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled                  und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisabledByDefault        und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled                  und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisabledByDefault        und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Enabled                  und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server DisabledByDefault        und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client Enabled                    1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault          0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled                  und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisabledByDefault        und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled                  und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisabledByDefault        und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server Enabled                  und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server DisabledByDefault        und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client Enabled                  und
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client DisabledByDefault        und
replied 11/26/2024 03:26
Mariette Knap

I have attached a zipped registry file containing the default settings for Windows Server 2016 Essentials. While I am skeptical it will resolve the issue, feel free to attempt it. Alternatively, execute the following script to temporarily disable TLS 1.2, then proceed to reinstall the Connector software. Keep in mind, should you choose to reinstall the Connector, a reboot is required after uninstallation before attempting a new installation.

# .NET Framework (64-bit and 32-bit hives): stop .NET from following the OS default TLS
# version and from forcing strong crypto, so legacy components negotiate as before.
If (-Not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'))
{
    New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '0' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'))
{
    New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '0' -PropertyType 'DWord' -Force | Out-Null

# SCHANNEL: explicitly disable TLS 1.2 for both the server and client side of the stack.
# Enabled = 0 turns the protocol off; DisabledByDefault = 1 keeps it out of default negotiation.
If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'))
{
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '1' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'))
{
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '1' -PropertyType 'DWord' -Force | Out-Null

# SCHANNEL settings are read at boot, so a restart is required.
Write-Host 'TLS 1.2 has been disabled. You must restart the Windows Server for the changes to take effect.' -ForegroundColor Cyan

The issues with the Dashboard, the Anywhere Access wizard, and Windows 11 clients using the Connector software are all related to a mismatch in the expected TLS versions. At present, it is necessary to completely disable TLS 1.0 and 1.1 and enforce TLS 1.2 to successfully run the Access Anywhere wizard, as it connects to a Microsoft server that only permits TLS 1.2. However, this action causes client computers to encounter failures when installing the Connector or appearing in the dashboard, as the Connector requires TLS 1.0 or 1.1 to be enabled.

However, I have the Essentials dashboard and the latest version of Windows 11 operating in my lab, so there is a solution to this issue; we just need to discover it.

replied 11/26/2024 07:05
Kent Autrand

Thank you.  I'll be waiting for weekend to do this.  Will keep you posted.


replied 11/26/2024 15:31
Kent Autrand

Found a solution.  Did the following on each Win 11 PC.  After making the changes, uninstalled the Connector and left the domain (back to Workgroup).  Updated to Win 11 24H2.  Once updated, reran the Connector and rejoined the Domain.  Before doing this, I did set up a test client with the Policy fix in place.  It connected without an issue.

From another source:

 "What we found was an Encryption policy during GPO assignment was not deploying to devices.

The policy in question is located under the following location:

Local Computer Policy - Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options.

Policy is called Network Security: Configure Encryption types allowed for Kerberos. And we then enabled the following options to be applied from GPO:

RC4_HMAC_MD5

AES128_HMAC_SHA1

AES256_HMAC_SHA1

Future encryption types

Also, a good idea to check the following on the client side that is not joining and updating the reg key provided for it to receive the policy.

Also, a good idea to test this policy first before deploying to all devices.

On the client side

  1. If a policy is specifying a Kerberos encryption key, then you will need to change the following in the registry
  2. The key will not be present if a policy is not applied
  3. Faulty entry in registry

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\

Value Name: SupportedEncryptionTypes

Type: REG_DWORD
Value: 1, 2, or 3 are a finding.

  1. Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\

      change to Value Name: SupportedEncryptionTypes       7ffffffc
  2. PC will need to be restarted.
  3. Run a gpupdate /force to enforce the new policies"
Our functional Domain Level is Server 2016
Only one PC did not have the correct Registry Value.

replied 11/30/2024 17:29
Mariette Knap

I will look into this, but at first thought I see security-related issues.


replied 11/30/2024 18:17
Mariette Knap

Local Policy and Kerberos Encryption Types

When you configure local policies related to Kerberos encryption types, you are setting parameters that affect which encryption algorithms are supported for Kerberos authentication. This can be done by modifying registry settings directly or using tools like secpol.msc to manage the local security policy.

  • Local Policy Change (Enabling RC4): If a local policy has been set to enable RC4, it will enable the RC4-HMAC encryption type for Kerberos on that machine. This means that Kerberos authentication can use RC4 (a weaker encryption type) as one of the options for encrypting tickets and communications.

Modifying the SupportedEncryptionTypes Registry Value

When you change the SupportedEncryptionTypes registry value to 7FFFFFFC, you are directly modifying the Kerberos encryption types that are allowed. The specific value 7FFFFFFC corresponds to a bitmask that:

  • Enables AES128 (0x10) and AES256 (0x80).
  • Disables RC4 and other weak encryption algorithms.

What Happens with These Changes?

  1. Local Policy Change Enabling RC4:

    • If the local policy was set to allow RC4 for Kerberos encryption, it would typically modify the SupportedEncryptionTypes registry value (among other things) to enable RC4. In this case, RC4-HMAC would be enabled as one of the encryption options.
       
  2. Registry Change to 7FFFFFFC:

    • When you manually modify the SupportedEncryptionTypes registry value to 7FFFFFFC, this overrides the local policy setting for Kerberos encryption types.
    • The value 7FFFFFFC explicitly disables RC4 and RC4-HMAC, and only enables AES128 and AES256 as the supported encryption types for Kerberos.
       
    Breakdown of the 7FFFFFFC Bitmask:
     
    • RC4 (0x1): Disabled
    • AES128 (0x10): Enabled
    • AES256 (0x80): Enabled
    • Other weak ciphers (like DES and DES3) are also disabled.
       
  3. Effect of the Registry Change:

    • The registry change to 7FFFFFFC will immediately disable RC4 and enforce the use of AES128 and AES256 for Kerberos authentication.
    • RC4 will no longer be available as an encryption method, and the system will use only the stronger AES algorithms.
       
  4. What Happens Next:

    • No further changes will be made by Group Policy, as you are modifying local policy and directly adjusting the registry. However, if any Group Policy is applied later on, it would take precedence over local settings, but since you are dealing with a local policy, this won't be an issue unless there's something else in the domain that is forcing a policy update.

Conclusion: What Do These Changes Cause?

  • The first change (local policy enabling RC4) would allow RC4 encryption for Kerberos.
  • The second change (modifying SupportedEncryptionTypes to 7FFFFFFC) overrides the local policy setting and disables RC4, while enabling only the more secure AES encryption types (AES128 and AES256).

In short, RC4 will no longer be used after the registry change to 7FFFFFFC, and only AES128 and AES256 will be allowed for Kerberos authentication. This is generally a good idea since RC4 is considered weak and vulnerable to cryptographic attacks.

I find it hard to believe that this alone will resolve the issue. It's far more likely that applying the changes I suggested earlier, along with uninstalling and reinstalling the connector, will actually fix it.


replied 11/30/2024 18:37
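Added example, not code from the thread or from either poster: a PowerShell decoder for the SupportedEncryptionTypes bitmask discussed above, using Microsoft's documented bit assignments for that value (DES-CBC-CRC 0x1, DES-CBC-MD5 0x2, RC4-HMAC 0x4, AES128 0x8, AES256 0x10, remaining bits "Future encryption types"). Decoding 0x7FFFFFFC with it shows exactly which types that value leaves enabled on a client, and Get-KerberosEtypeSetting (a name assumed here) reads the live value from the policy path quoted earlier or from the LSA path.

```powershell
# Added example, not code from the thread or its posters: decode the Kerberos
# SupportedEncryptionTypes DWORD. Bit assignments are Microsoft's documented ones.
$KerberosEtypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_CTS_HMAC_SHA1_96' = 0x8
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}
# Everything above bit 0x10 is what secpol.msc calls "Future encryption types".
$FutureTypesMask = 0x7FFFFFE0

function ConvertFrom-KerberosEtypes {
    [CmdletBinding()]
    param([Parameter(Mandatory)][uint32]$Value)
    $enabled  = New-Object System.Collections.Generic.List[string]
    $disabled = New-Object System.Collections.Generic.List[string]
    foreach ($name in $KerberosEtypeBits.Keys) {
        if ($Value -band $KerberosEtypeBits[$name]) { $enabled.Add($name) }
        else                                         { $disabled.Add($name) }
    }
    if ($Value -band $FutureTypesMask) { $enabled.Add('Future encryption types') }
    [pscustomobject]@{
        Value      = '0x{0:X8}' -f $Value
        Enabled    = $enabled  -join ', '
        Disabled   = $disabled -join ', '
        # RC4 is bit 0x4; it is the weak type this thread is concerned with
        RC4Allowed = [bool]($Value -band 0x4)
    }
}

function Get-KerberosEtypeSetting {
    # Assumed helper name. Checks the policy path quoted in the thread first, then the
    # LSA path; if neither holds the value, the OS default applies.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # Registry DWORDs come back as Int32; mask first so high values do not cast negative
            $raw = [uint32]([int64]$item.SupportedEncryptionTypes -band 0xFFFFFFFF)
            return (ConvertFrom-KerberosEtypes -Value $raw |
                    Add-Member -NotePropertyName Path -NotePropertyValue $p -PassThru)
        }
    }
    Write-Warning 'SupportedEncryptionTypes is not set in either path; the OS default applies.'
}

# The value the thread's fix writes, beside a constructed comparison value whose RC4 bit is clear
ConvertFrom-KerberosEtypes -Value 0x7FFFFFFC | Format-List
ConvertFrom-KerberosEtypes -Value 0x7FFFFFF8 | Format-List
Get-KerberosEtypeSetting | Format-List
```

Run it from an elevated prompt on a client that did or did not rejoin the dashboard and compare the RC4Allowed and Enabled fields rather than the raw hex value.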
Kent Autrand

There were 5 Win 11 PCs that no longer showed Online in the Dashboard once they originally updated to 24H2.  During my new upgrade process only 1 did not already have \Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ set to SupportedEncryptionTypes       7ffffffc.

I do have another server running 2016.  It was updated from Essentials to Standard so the Dashboard is still active.  

If I use your Default Registry file on this server will that be OK?

Is the Script to be run on the Server or Clients?  If on the Server do I uninstall the Connector on all the affected PCs first or ok to do after.

Thanks for all this.  I know I'm not the only one having issues.


replied 11/30/2024 23:38
Mariette Knap

The default registry file contains the default settings on each hive, but it does not remove settings that were added manually. IISCrypto from Nartac Software - Download has an option to restore defaults on your server(s); that is what I would do. After resetting defaults I would uninstall the Connector, reboot and install the Connector. Please do not unjoin, because that is not needed.

I never have these issues with the Connector.


replied 12/02/2024 05:44
Giorgio Rosati

Hello, I tried all of this, but still no luck. Windows 11 24H2 is not correctly connecting to SBS 2016; I can't see it in the dashboard, nor can I connect with Anywhere Access.

replied 03/19/2025 17:22
Mariette Knap

Giorgio, Windows Server 2016 Essentials is no longer supported since Jan 11, 2022. I think something has changed in Windows 11 24H2 that makes this fail. I would migrate to Windows Server 2022 or 2025. Anything that could be done with the Essentials dashboard can be done with the native tools or Windows Admin Center. All our technician migration kits include a chapter on Windows Admin Center.


replied 03/19/2025 19:11
Last Activity 03/19/2025 19:11