LS Data MCU error on Lync 201x & SfB 2015 after May 2017 OS patching

Update 23/05/2017 23:12 - Official confirmation should appear under https://support.microsoft.com/en-gb/help/4023993 within 24 hours. Product Group have Development Resource assigned so looks like a CU will be coming to fix this.

Seeing this at multiple customers on Lync 2010, Lync 2013 and Skype for Business Server 2015 Front Ends:

Front End event log every minute, Event ID 41026 followed by 41025:




"No connectivity with any of Web Conferencing Edge Server, External Skype for Business clients cannot use Web Conferencing modality

On the Edge server seeing the following:


"Web Conferencing Server connection failed to establish

Over the past 3 minutes Skype for Business Server has experienced incoming TLS connection failures 1 times(s). The error code of the last failure is 0x80072746 and the last connection was from the host ""."

After trying disabling IPv6 on FE and Edge:

and “On FE you can change IIS Web sites bindings to IPv4 IP address instead of all unassigned.”


The fix so far was to uninstall the May Security and Quality Rollup for the .NET Framework 4.5.2. Reading the release notes, this rollup hardens TLS communications for EKU, so it seems to fit with the error messages being shown.

Server 2012: https://support.microsoft.com/en-gb/help/4014513

Server 2012 R2: https://support.microsoft.com/en-gb/help/4014597

Logged with Microsoft as ticket 117051115723411

Update 21:54 (changed title as well):

Confirmed by Microsoft as known issue and public KB is being prepared:

"This update adds an additional check on Enhanced Key Usage (EKU), since all Lync/ SfB Server usually use the Web Server template they will only have the Server Authentication in the EKU."

Issue has been reproduced on Lync 2010, Lync 2013 and Skype for Business 2015 on all supported server versions (2008r2, 2012, 2012r2).

Current Workarounds:

1 - Request new Edge Internal certificate with the Client and Server Authentication.

OR

2 - On the Front Ends disable the check for the Web Conferencing Service. Please note that these registry keys are for the default install locations.

Lync Server 2010:

reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\System.Net.ServicePointManager.RequireCertificateEKUs /v "C:\Program Files\Microsoft Lync Server 2010\Web Conferencing\DataMCUSvc.exe" /t REG_DWORD /d 0 /f

Note: Lync Server 2010 still uses .NET 3.5, which is why the key is under v2.0.50727.

Lync Server 2013:

reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs /v "C:\Program Files\Microsoft Lync Server 2013\Web Conferencing\DataMCUSvc.exe" /t REG_DWORD /d 0 /f

Skype for Business Server 2015:

reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs /v "C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe" /t REG_DWORD /d 0 /f

After adding the registry key simply restart the Web Conferencing service
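Both workarounds can be audited with a short script. This is an added example, not from the original post or from Microsoft: it lists certificates in the local machine store whose EKU extension lacks Client Authentication (run it on the Edge server for workaround 1) and reports any per-process RequireCertificateEKUs values under the registry paths quoted above (run it on the Front Ends for workaround 2). The function names are made up for this example.

```powershell
# Added example: audit certificate EKUs and the per-process EKU check override.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Get-CertEkuReport {
    # Hypothetical helper: one row per certificate in the given store.
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        [pscustomobject]@{
            Subject           = $_.Subject
            Thumbprint        = $_.Thumbprint
            NotAfter          = $_.NotAfter
            HasEkuExtension   = [bool]$ekuExt
            ServerAuth        = $oids -contains $ServerAuthOid
            ClientAuth        = $oids -contains $ClientAuthOid
            # Web Server template certificates land here: EKU present, Client Authentication absent.
            MissingClientAuth = [bool]$ekuExt -and ($oids -notcontains $ClientAuthOid)
        }
    }
}

function Get-EkuCheckOverride {
    # Hypothetical helper: lists every executable that has a RequireCertificateEKUs value.
    $base = 'HKLM:\SOFTWARE\Microsoft\.NETFramework'
    foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
        $key = Join-Path $base "$ver\System.Net.ServicePointManager.RequireCertificateEKUs"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Framework = $ver
                Process   = $name
                EkuCheck  = if ($item.GetValue($name) -eq 0) { 'Disabled' } else { 'Enabled' }
            }
        }
    }
}

# Edge server: certificates that would need reissuing with both EKUs (workaround 1).
Get-CertEkuReport | Where-Object MissingClientAuth |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize

# Front End: processes for which the EKU check has been switched off (workaround 2).
Get-EkuCheckOverride | Format-Table -AutoSize
```

The second function also gives a list of overrides to revisit once the CU mentioned at the top of this post is installed.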

Thanks to David Paulino (Twitter) at Microsoft for the update.

Update 22nd May 2017 11:07
Seeing different items broken in different environments from the following list: Q and A, Screen Share, Whiteboard, PowerPoint sharing via OWAS/WAK/OOS (Thanks Py7h0n and others for reporting).

Windows Server 2012 Windows Update taking ages

There's a known issue at the moment with server patching when you have the Desktop Experience feature installed (which means Lync/Skype for Business FE's).

Running check now results in the never ending progress bar:



and looking in the WindowsUpdate.log file we never see any progress.

Speaking to Microsoft support, this is due to a bug in Adobe Flash and its interaction with the WU client. If you look at your processor usage you can see that the Windows Update process is running; it's just that you are getting no feedback.

On one server I started this process running on 23rd April and it finally finished with patches available on the 6th May:


So if you have the time to wait then this does work (no need to try to kick it by deleting stuff, re-registering DLLs, or performing any of the voodoo that you can find suggested in the TechNet forums!).

If you don't have this time then the advice I had from Microsoft was:
  1. Install MS17-005: Security update for Adobe Flash Player: February 21, 2017 (Use the Microsoft Update Catalog) :-
    https://support.microsoft.com/en-us/help/4010250
    Reboot
  2. Install MS17-023: Security update for Adobe Flash Player: March 14, 2017 (Use the Microsoft Update Catalog) :-
    https://support.microsoft.com/en-us/help/4014329
    Reboot
  3. Check for updates (should be back to normal speed).
If that doesn't work then:

Remove the Desktop experience feature and then check for updates. To remove do the following:

  1. Open Server Manager on the machine.
  2. Click on Manage>> Remove Roles and Features.
  3. On the Features tab, under "User Interfaces and Infrastructure", uncheck "Desktop Experience" and then click Next and Finish.











Modality Systems CustomInvite tool AD/GPO deployment an (almost) step by step

Working for Modality Systems has been a blast for the last 18 months and for the last few I was helping to look after internal IT while we recruited for a new IT Manager (Welcome Dan!) PS - we're always on the look out for top talent to join us.

One of the reasons that we are Partner of Year (Communications) is our vibrant dev team who have publicly released some brilliant tools over the years such as SuperToast (which I was pushing back in 2012!!), and the Business Applications suite. This is alongside the tons of custom development work that they do for customers (I'd love to blog about this but our Dev MVP Tom Morgan will have beaten me to it!).

Our newest public release is CustomInvite. This is not a post about how good the software is (it is very cool), instead this is about how I deploy versions to staff machines so we can dogfood drink the champagne of our award winning tool.

As yet we are not using System Center Configuration Manager to deploy software through the Modality estate so I had to go back to good old system startup scripts (advantage - FREE!). Our users have domain joined machines in the main with Direct Access back to the corp network so this method would work for the majority of users. We have a mixed estate of both Office 2013 and 2016 and a mixed "bitness" of Office of both 32 and 64 bit. Most third party add-ins like CustomInvite are only designed for 32 bit Office but our dev team have made sure 64 bit is treated like a first class citizen too!

First part of the deployment is to get the files into AD. We have 4 files that come from CustomInvite and then another two files that we are going to create manually.

The first two files to deploy are the Group Policy template files that need to be dropped onto a domain controller:

File               Location
CustomInvite.admx  C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
CustomInvite.adml  C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US


Now we have these files in AD (wait for replication) it's time to set up your policy for your templates. The prerequisite for this is that you have your RTF templates stored on a UNC share somewhere (or you know where that will be). Now you can create a Group Policy Object like so:


  1. The name of the default template that CustomInvite should load
  2. Your license code
  3. How often CustomInvite should look for new templates in.....
  4. ......this UNC location
Note that this is a Computer Configuration and that the User Configuration is disabled.

Next part is to create the GPO that installs CustomInvite. I separate this out into a second GPO so that I can have multiple versions of the GPO to target different teams with different installs.

This GPO simply has a Computer Startup Script that does the actual install:

  1. The script file that will run
  2. Forcing the PC to wait for the network (otherwise the script may not be found).
Note that this is a Computer Configuration and that the User Configuration is again disabled.

Note that the script is a simple batch file and the run time for a PC connected over home broadband is about 5 seconds:


The contents of the batch file are as follows:

------------

REM --------------------------------------------------------------------------------------------------------------------
REM  Installs CustomInvite
REM --------------------------------------------------------------------------------------------------------------------

REM --------------------------------------------------------------------------------------------------------------------
REM  Changelog
REM
REM 20170130 - DLL looked for changed from "Modality.LyncAppointmentAddin.dll" to "Modality.CustomInvite.dll"
REM 20170207 - Added in variable names to make future updates easier
REM --------------------------------------------------------------------------------------------------------------------

REM --------------------------------------------------------------------------------------------------------------------
REM  How to use
REM  Ensure you have the two install files in the same directory as this script file.
REM  Install files need to have the name "CustomInvite_Outlookx##_?.??.msi"
REM  Where "#" is the bitness of the version file (86 or 64)
REM  and ?.?? is the version number.
REM  Once you have these then you can amend the variables below

REM --------------------------------------------------------------------------------------------------------------------
REM  Variables
REM

Set _CustomInviteVersion=2.20
Set _32BitCustomInviteVersion=2.20.6247.28084
Set _64BitCustomInviteVersion=2.20.6247.28179
Set _OUFolderName={C0B66EA0-1F62-4977-A716-8AAEE5996CF8}

REM --------------------------------------------------------------------------------------------------------------------
REM  SHOULDN'T NEED TO AMEND ANYTHING PAST THIS LINE
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM 
REM   Seriously - here be dragons!
REM --------------------------------------------------------------------------------------------------------------------

SET WMICCommand="WMIC Path CIM_DataFile WHERE Name='C:\\Program Files (x86)\\Modality Systems\\CustomInvite\\Modality.CustomInvite.dll' Get Version"
FOR /F "skip=1" %%X IN ('%WMICCommand%') DO (
IF %%X == %_32BitCustomInviteVersion% GOTO :foundCustomInviteX86
)


SET WMICCommand="WMIC Path CIM_DataFile WHERE Name='C:\\Program Files\\Modality Systems\\CustomInvite\\Modality.CustomInvite.dll' Get Version"
FOR /F "skip=1" %%X IN ('%WMICCommand%') DO (
IF %%X == %_64BitCustomInviteVersion% GOTO :foundCustomInviteX64
)
echo %date% %time% - WARN - CustomInvite %_CustomInviteVersion% NOT found on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt


REM --------------------------------------------------------------------------------------------------------------------
REM  Check Registry for Outlook Bitness
REM --------------------------------------------------------------------------------------------------------------------

SET BN_VALUE="?"
FOR /F "TOKENS=3 SKIP=2" %%A IN ('REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\ClickToRun\Configuration" /v Platform') DO (SET BN_VALUE=%%A)
if %BN_VALUE% EQU x64 goto x64CTR
if %BN_VALUE% EQU x86 goto x86CTR

FOR /F "TOKENS=3 SKIP=2" %%A IN ('REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook" /v Bitness') DO (SET BN_VALUE=%%A)
if %BN_VALUE% EQU x64 goto x64Office2016
if %BN_VALUE% EQU x86 goto x86Office2016

FOR /F "TOKENS=3 SKIP=2" %%A IN ('REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\15.0\Outlook" /v Bitness') DO (SET BN_VALUE=%%A)
if %BN_VALUE% EQU x64 goto x64Office2013
if %BN_VALUE% EQU x86 goto x86Office2013

REM No supported Outlook bitness matched above, so never fall through into the install labels
goto OutlookNotFound


REM --------------------------------------------------------------------------------------------------------------------
REM  Log Outlook Bitness
REM --------------------------------------------------------------------------------------------------------------------

:x86CTR
echo %date% %time% - INFO - Office ClickToRun x86 found on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto InstallX86

:x64CTR
echo %date% %time% - INFO - Office ClickToRun x64 found on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto InstallX64

:x86Office2016
echo %date% %time% - INFO - Office 2016 x86 found on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto InstallX86

:x64Office2016
echo %date% %time% - INFO - Office 2016 x64 found on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto InstallX64

:x86Office2013
echo %date% %time% - INFO - Office 2013 x86 found on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto InstallX86

:x64Office2013
echo %date% %time% - INFO - Office 2013 x64 found on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto InstallX64




REM --------------------------------------------------------------------------------------------------------------------
REM  Install X86 Version
REM --------------------------------------------------------------------------------------------------------------------

:InstallX86
Echo %date% %time% - INFO - Attempting install of CustomInvite %_CustomInviteVersion% x86 on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
C:
MD c:\ModalityCustomInvite
CD c:\ModalityCustomInvite
Copy \\DOMAINNAME\SysVol\DOMAINNAME\Policies\%_OUFolderName%\Machine\Scripts\Startup\CustomInvite_Outlookx86_%_CustomInviteVersion%.msi c:\ModalityCustomInvite
MSIEXEC /passive /i CustomInvite_Outlookx86_%_CustomInviteVersion%.msi 
del CustomInvite_Outlookx86_%_CustomInviteVersion%.msi
SET WMICCommand="WMIC Path CIM_DataFile WHERE Name='C:\\Program Files (x86)\\Modality Systems\\CustomInvite\\Modality.CustomInvite.dll' Get Version"
FOR /F "skip=1" %%X IN ('%WMICCommand%') DO (
IF %%X == %_32BitCustomInviteVersion% GOTO :InstalledCustomInviteX86 
)
Echo %date% %time% - FAIL - CustomInvite %_CustomInviteVersion% x86 Failed to install on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto End


REM --------------------------------------------------------------------------------------------------------------------
REM  Install X64 Version
REM --------------------------------------------------------------------------------------------------------------------

:InstallX64
Echo %date% %time% - INFO - Attempting install of CustomInvite %_CustomInviteVersion% x64 on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
C:
MD c:\ModalityCustomInvite
CD c:\ModalityCustomInvite
Copy \\DOMAINNAME\SysVol\DOMAINNAME\Policies\%_OUFolderName%\Machine\Scripts\Startup\CustomInvite_Outlookx64_%_CustomInviteVersion%.msi c:\ModalityCustomInvite
MSIEXEC /passive /i CustomInvite_Outlookx64_%_CustomInviteVersion%.msi 
del CustomInvite_Outlookx64_%_CustomInviteVersion%.msi
SET WMICCommand="WMIC Path CIM_DataFile WHERE Name='C:\\Program Files\\Modality Systems\\CustomInvite\\Modality.CustomInvite.dll' Get Version"
FOR /F "skip=1" %%X IN ('%WMICCommand%') DO (
IF %%X == %_64BitCustomInviteVersion% GOTO :InstalledCustomInviteX64
)
Echo %date% %time% - FAIL - CustomInvite %_CustomInviteVersion% x64 Failed to install on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto End


REM --------------------------------------------------------------------------------------------------------------------
REM  Found Correct Custom Invite x86 Version
REM --------------------------------------------------------------------------------------------------------------------
:FoundCustomInvitex86
echo %date% %time% - INFO - CustomInvite %_CustomInviteVersion% x86 found on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto end

REM --------------------------------------------------------------------------------------------------------------------
REM  Found Correct Custom Invite x64 Version
REM --------------------------------------------------------------------------------------------------------------------
:FoundCustomInvitex64
echo %date% %time% - INFO - CustomInvite %_CustomInviteVersion% x64 found on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto end


REM --------------------------------------------------------------------------------------------------------------------
REM  Installed Correct Custom Invite X86 Version
REM --------------------------------------------------------------------------------------------------------------------
:InstalledCustomInviteX86
echo %date% %time% - GOOD - CustomInvite %_CustomInviteVersion% X86 Installed on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto end

REM --------------------------------------------------------------------------------------------------------------------
REM  Installed Correct Custom Invite X64 Version
REM --------------------------------------------------------------------------------------------------------------------
:InstalledCustomInviteX64
echo %date% %time% - GOOD - CustomInvite %_CustomInviteVersion% X64 Installed on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto end

REM --------------------------------------------------------------------------------------------------------------------
REM  Outlook not found
REM --------------------------------------------------------------------------------------------------------------------
:OutlookNotFound
echo %date% %time% - FAIL - Outlook not found on %computername% >> \\SERVERNAME\SoftwareDistribution\CustomInvite\log\Install.txt
goto end


REM --------------------------------------------------------------------------------------------------------------------
REM  Finish
REM --------------------------------------------------------------------------------------------------------------------
:end



-----------

NOTE: Even though the script says "SHOULDN'T NEED TO AMEND ANYTHING PAST THIS LINE" you'll need to change "DOMAINNAME" to your domain name and "SERVERNAME" to the server name where the log file is going to be written to.

In essence the script does the following:

  1. Sets some variables for the version of CustomInvite we are installing
  2. Checks to see if that version is installed (first 32 then 64 bit) - if found > LOG > END
  3. Checks the bitness of the installed version of Outlook > LOG (if not found LOG > END)
  4. Installs (or updates) the correct bitness of CustomInvite and tests if installed > LOG (if install fails LOG > END)

In future when a new version of CustomInvite is released you can simply update this one script file or copy the GPO and create a new version for each install (that's the "Variables" bit in the script!)

A copy of the script file is hosted here too.

Once you have amended the file to fit your environment and downloaded the files you should end up with a Group Policy Object folder that looks like the following:



You'll also need a network share that has READ/WRITE access for the log file to be written to:


Hopefully this is enough to help you get up and running with CustomInvite. If you would like some ad hoc support on this process please comment and I'll do my best to reply :-)