PowerShell failed to invoke ‘New-FederationTrust’: Unable to access the Federation Metadata document from the federation partner

We were migrating mailboxes from an on-premises Exchange 2013 server (running on Windows Server 2012) to Office 365, and while running the Hybrid Configuration Wizard we got the following error.

PowerShell failed to invoke ‘New-FederationTrust’: Unable to access the Federation Metadata document from the federation partner. Detailed information: “The underlying connection was closed: An unexpected error occurred on a receive”

After some troubleshooting and log collection, we found the cause: a few years ago, to comply with PCI requirements, we had disabled SSL and the weaker TLS versions on the Exchange server and enabled TLS 1.1 and 1.2, but we had only done the HTTPS part. The Hybrid Configuration Wizard invokes .NET, which was still trying to use the disabled protocols, so the wizard failed. In the registry we forced .NET to use the newer TLS protocols instead of the disabled ones.

Added the following Registry values
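The post's own registry listing is not reproduced above. As an added example (not the author's listing), the following PowerShell sets the .NET Framework 4.x values that Microsoft documents for making .NET follow the system TLS settings, SchUseStrongCrypto and SystemDefaultTlsVersions under both the 64-bit and Wow6432Node keys; it is an assumption that these match what the author set.

```powershell
# Added example, not the original post's code. Run in an elevated PowerShell on the
# Exchange server. Assumption: .NET Framework 4.x is installed (v4.0.30319 key).
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit .NET on a 64-bit OS
)
$values = @{
    'SchUseStrongCrypto'       = 1   # prefer TLS 1.1/1.2 instead of SSL 3.0/TLS 1.0 (.NET 4.5+)
    'SystemDefaultTlsVersions' = 1   # defer to the SCHANNEL protocol list of the OS (.NET 4.6+)
}

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $p -Name $name -Value $values[$name] -Type DWord
    }
}

# Read back: both values should report 1 under both keys.
foreach ($p in $paths) {
    Get-ItemProperty -Path $p | Select-Object PSPath, SchUseStrongCrypto, SystemDefaultTlsVersions
}
```

The values only affect .NET processes started after the change, so restart the Hybrid Configuration Wizard (and any affected Exchange services) before retrying.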






Exchange mailbox move – Unable to open message store. hr=0x80040111, ec=-2147221231

When trying to move a mailbox from one Exchange 2008/2010/2013 server to another, or from one database to another, you get the error message below. Fixing it is easy if you have used ADSI Edit before. Basically you are going to reset the Exchange mailbox-move values…

Sample Error:

Data migrated:
Migration rate:
Error: MigrationTransientException: Failed to communicate with the mailbox database. –> Failed to communicate with the mailbox database. –> MapiExceptionLogonFailed: Unable to open message store. ‎(hr=0x80040111, ec=-2147221231)‎

Diagnostic context: Lid: 55847 EMSMDBPOOL.EcPoolSessionDoRpc called [length=132] Lid: 43559 EMSMDBPOOL.EcPoolSessionDoRpc returned [ec=0x0][length=272][latency=0] Lid: 52176 ClientVersion: 15.0.1395.10 Lid: 50032 ServerVersion: 14.3.442.0 Lid: 23226 — ROP Parse Start — Lid: 27962 ROP: ropLogon [254] Lid: 17082 ROP Error: 0x80040111 Lid: 26937 Lid: 21921 StoreEc: 0x80040111 Lid: 27962 ROP: ropExtendedError [250] Lid: 1494 —- Remote Context Beg —- Lid: 26426 ROP: ropLogon [254] Lid: 44215 Lid: 60049 StoreEc: 0x8004010F Lid: 49469 Lid: 65341 StoreEc: 0x8004010F Lid: 56125 Lid: 47933 StoreEc: 0x8004010F Lid: 32829 Lid: 49213 StoreEc: 0x8004010F Lid: 48573 Lid: 64957 StoreEc: 0x8004010F Lid: 59409 Lid: 45073 Lid: 11173 StoreEc: 0x80040111 Lid: 22970 Lid: 8620 StoreEc: 0x80040111 Lid: 1750 —- Remote Context End —- Lid: 26849 Lid: 21817 ROP Failure: 0x80040111 Lid: 26297 Lid: 16585 StoreEc: 0x80040111 Lid: 32441 Lid: 1706 StoreEc: 0x80040111 Lid: 24761 Lid: 20665 StoreEc: 0x80040111 Lid: 25785 Lid: 29881 StoreEc: 0x80040111




Launch ADSI Edit. Right-click on ADSI Edit in the left pane and choose “Connect to”; when the “Connection Settings” dialog opens, click OK, which opens the default naming context.

On the left, double-click on the default naming context; that drills down into the sub-items (which would otherwise stay hidden). Double-click on the domain. You should see the same OU structure as in AD.

Find the user, right-click it and choose Properties.

Under Attribute Editor, click on Filter and check the option “Show only attributes that have values” (this filters out the empty fields).

Find all msExchMailboxMoveXXXXXXX values and reset them to blank. In my case I had:


To reset them to blank you can’t just remove the values; highlight the value, click Edit and then Clear. I would write down what those values are before clearing them (I don’t believe you need them going forward, but it doesn't hurt to record them).

Click OK then try moving that mailbox again.
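The same reset can be done from PowerShell with the ActiveDirectory module instead of clicking through ADSI Edit. This is an added example, not the post's own procedure; 'jdoe' and the backup path are placeholders, and the attribute prefix msExchMailboxMove is the one Exchange stamps on the user object.

```powershell
# Added example (not from the original post). Records, then clears, every populated
# msExchMailboxMove* attribute on a user, the equivalent of Edit -> Clear in ADSI Edit.
Import-Module ActiveDirectory
$sam    = 'jdoe'                                          # placeholder user
$backup = "C:\Temp\$sam-msExchMailboxMove-backup.json"    # placeholder path

$user = Get-ADUser -Identity $sam -Properties *
# Same set ADSI Edit shows with "Show only attributes that have values" enabled.
$moveAttrs = @($user.PSObject.Properties |
    Where-Object { $_.Name -like 'msExchMailboxMove*' -and $null -ne $_.Value } |
    Select-Object -ExpandProperty Name)
if ($moveAttrs.Count -eq 0) { Write-Host "No mailbox-move attributes set on $sam"; return }

# Write the current values down before clearing them, as the post recommends.
$snapshot = @{}
foreach ($a in $moveAttrs) { $snapshot[$a] = (@($user.$a) -join ';') }
$snapshot | ConvertTo-Json | Set-Content -Path $backup
Write-Host "Saved $($moveAttrs.Count) attribute(s) to $backup"

# Clear (not delete) the attributes.
Set-ADUser -Identity $sam -Clear $moveAttrs

# Verify nothing is left behind before retrying the move.
$after = Get-ADUser -Identity $sam -Properties *
$left  = @($after.PSObject.Properties |
    Where-Object { $_.Name -like 'msExchMailboxMove*' -and $null -ne $_.Value } |
    Select-Object -ExpandProperty Name)
if ($left.Count) { Write-Warning "Still set: $($left -join ', ')" }
else             { Write-Host "Cleared; retry the mailbox move." }
```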

--use-spdy%3Doff’s server IP address could not be found --disable-http2

When you click on a web/HTML link in an email, Google Chrome (or the default browser) opens the link plus two extra tabs. The two tabs say:

“--use-spdy%3Doff’s server IP address could not be found”


“--disable-http2’s server IP address could not be found”



Your Windows PC is infected with malware.

Download MalwareBytes and run it.


Then download and run AdwCleaner from the same site.

That should clean it up and remove it.

There are blocking issues for the physical-to-virtual conversion, there is no BCD boot…

There are two traditional ways to move a physical machine to a Hyper-V virtual machine using Microsoft tools.

1- Microsoft Virtual Machine Converter

When you try to convert, for example, a Windows Server 2012 machine from physical to a VM, you might get the following error:

Microsoft Virtual machine Converter encountered an error while attempting to convert the virtual machine

There are blocking issues for the physical-to-virtual conversion, there is no BCD boot device found in the source machine, noticing that conversion of an EFI boot machine is currently not supported.

2- Disk2VHD

Another tool is Disk2VHD. If you convert the physical machine with Disk2VHD and then try to boot the VHD in Hyper-V Manager, you get the following error:

Boot Failed.  EFI SCSI Device

Boot Failed.  EFI Network

No Operating System was loaded.  Press a key to retry boot sequence



Use Disk2VHD to convert the physical machine to a disk. Before you do that, map the boot partition on the source machine to a drive letter so that the partition is captured when you run Disk2VHD.

To do that, open a command prompt and type:

mountvol V: /S

That mounts the boot partition as drive V: (any other available drive letter works too). Now run Disk2VHD. It converts the server’s partitions and disks, including the boot partition, to a VHD. Copy it to the Hyper-V host and boot the new VM from that disk.


The ACE doesn’t exist on the object

When attempting to remove permissions from an Exchange mailbox using the Exchange Management Shell (PowerShell)…

Remove-MailboxPermission -identity….

you get the following error:

WARNING: Can’t remove the access control entry on the object… because the ACE doesn’t exist on the object.

There is an abundance of articles on the Internet on how to deal with this, mostly confusing and convoluted.

The easiest way we’ve succeeded in resolving this issue is by removing the mailbox from the user and adding it again. That doesn’t mean you will delete anything.

In the Exchange 2013 Admin Center, go to that user under Recipients > Mailboxes and disable the user (that removes the mailbox from the user profile). You can then go back, select “connect a mailbox” and connect that mailbox back to the same user account. This resets the permissions on the mailbox to the defaults. The issue was resolved for us this easy way.
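The same disable/reconnect cycle can be run from the Exchange Management Shell, listing the mailbox's explicit ACEs before and after so you can see what was reset. This is an added example, not the post's own steps; 'jdoe' is a placeholder and it assumes Exchange 2013 (for Update-StoreMailboxState).

```powershell
# Added example (not from the original post). Placeholder user: jdoe.
$user = 'jdoe'

# Explicit (non-inherited) entries, the ones Remove-MailboxPermission would act on.
function Get-ExplicitAces($mbx) {
    Get-MailboxPermission -Identity $mbx |
        Where-Object { -not $_.IsInherited -and "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
        Select-Object User, AccessRights, Deny
}
Write-Host "Explicit ACEs before:"; Get-ExplicitAces $user | Format-Table -AutoSize

$mbx  = Get-Mailbox -Identity $user
$db   = $mbx.Database
$guid = $mbx.ExchangeGuid          # needed to find the disconnected mailbox afterwards

# Disable = disconnect the mailbox from the AD account; the data stays in the database.
Disable-Mailbox -Identity $user -Confirm:$false
# The store may not flag it as disconnected right away; force the state update (Exchange 2013+).
Update-StoreMailboxState -Database $db -Identity $guid
# Reconnect the same mailbox to the same account; this rebuilds the default permissions.
Connect-Mailbox -Identity $guid -Database $db -User $user -Confirm:$false

Write-Host "Explicit ACEs after:"; Get-ExplicitAces $user | Format-Table -AutoSize
```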


Windows Server 2016 Evaluation fails to activate 0xc004f050

If you are running a Windows Server 2016 Standard 180-day evaluation copy downloaded from the Microsoft website and try to activate it with a product key you purchased for Windows Server 2016, you might get an error saying it can’t activate, or that you entered a product key that can’t be used to activate Windows (error 0xc004f050). Here is how you can activate it.

Go to Command Line and type:

Dism /online /Set-Edition:ServerStandard /AcceptEula /ProductKey:xxxxx-xxxxx-xxxxx-xxxx-xxxxx

Where xxxxx-xxxxx-xxxxx-xxxx-xxxxx is the product key you purchased

Press Enter.

The process might get stuck at 10% for a little while; give it time. After it is done you will be asked to reboot. Windows will be permanently activated after it comes back up.

SonicWALL – Can not access the appliance for Security. Please contact administrator

When you try to access a SonicWALL SMA (Secure Mobile Appliance) using NetExtender you get:

“SonicWALL – Can not access the appliance for Security. Please contact administrator”


Make sure you type the domain in NetExtender correctly and with the right case.

The domain is case sensitive. So if the domain on the SMA is configured as Domain1.com, you need to enter it exactly as Domain1.com, not domain1.com or Domain1.Com.

Can’t RDP to Windows 7 machine – Remote Desktop

Can’t remote desktop into a Windows 7 machine – RDP

Run the registry editor (regedit) and make sure PortNumber under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP

is 3389 (decimal).


httpCookies httpOnlyCookies="true" requireSSL="true" – PCI vulnerability

If you have a Microsoft Exchange server running OWA that failed a PCI vulnerability scan because of the following setting:

<httpCookies httpOnlyCookies="true" requireSSL="true"/>

here is what we can do to remediate it on the Windows server.

Schedule brief downtime for the Exchange server, since IIS is restarted below.

Launch IIS Manager on the Exchange server, go to Default Web Site, expand it and click on the “owa” virtual directory.

On the right, under Management, double-click on Configuration Editor.

At the bottom make sure you click on “Features View” as opposed to “Content View”. At the top, click on the drop-down after “Section”, select “system.web”, expand it and then select “httpCookies”.

Change both httpOnlyCookies and requireSSL to True.

Restart IIS by going to the command line and typing IISReset.
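The same change can be made with the IIS WebAdministration module instead of the Configuration Editor UI, with a read-back check before the restart. This is an added example, not the post's own steps; it assumes the owa virtual directory lives under Default Web Site as the post describes.

```powershell
# Added example (not from the original post). Run elevated on the Exchange server.
Import-Module WebAdministration
$owa    = 'IIS:\Sites\Default Web Site\owa'     # the owa virtual directory from the post
$filter = 'system.web/httpCookies'

# Current values: a failed scan normally means at least one of these is False.
Get-WebConfigurationProperty -PSPath $owa -Filter $filter -Name 'httpOnlyCookies'
Get-WebConfigurationProperty -PSPath $owa -Filter $filter -Name 'requireSSL'

# Writes <httpCookies httpOnlyCookies="true" requireSSL="true" /> into the owa web.config.
Set-WebConfigurationProperty -PSPath $owa -Filter $filter -Name 'httpOnlyCookies' -Value $true
Set-WebConfigurationProperty -PSPath $owa -Filter $filter -Name 'requireSSL'      -Value $true

# Verify, then restart IIS (this is the brief downtime the post schedules).
$h = (Get-WebConfigurationProperty -PSPath $owa -Filter $filter -Name 'httpOnlyCookies').Value
$s = (Get-WebConfigurationProperty -PSPath $owa -Filter $filter -Name 'requireSSL').Value
if ($h -and $s) { iisreset }
else            { Write-Warning "httpCookies not applied: httpOnlyCookies=$h requireSSL=$s" }
```

Exchange cumulative updates rewrite the virtual-directory web.config files, so re-run the read-back after each CU.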

Disabling TLS 1.0 Windows Server 2008-2012 – Exchange – PCI 3.1 Scan


If you have to comply with recent PCI standards, a PCI scan on your Exchange server might reveal that it is no longer compliant because TLS 1.0 is still enabled, and you need to disable TLS 1.0 to pass the test. This applies to Exchange 2010, 2013 and 2016. Not sure about 2007…

We tried the following on two implementations and had no issues; it has been running fine for a while.

To pass the PCI 3.1 test you need to disable TLS 1.0 on the Windows server. Once you disable it, Outlook on Windows 7/8 machines will stop working: it shows disconnected, you might not be able to delete items, Autodiscover won’t work, and so on. This applies to Outlook on Windows Server 2008, 2008 R2 and 2012 as well.

In short, this article will have you do three things: disable TLS 1.0 on the Windows server running Exchange (done through registry settings; the tool below does it for you); make sure your Windows 7/8 machines have a certain update installed, which came out in 2016 (obtained through Windows Update) and also applies to Server 2008 and 2012 (the update adds support for TLS 1.1 and 1.2 but doesn’t enable them automatically); and lastly, change the registry on those client machines to enable TLS 1.1 and 1.2. Very straightforward, as explained below.

Windows 10 clients don’t need any updates or changes, since TLS 1.1 and 1.2 are supported and enabled out of the box.

Here are the details:

Before you start:

1- Apply the latest Windows updates to the Windows server, including updates for Exchange. As of this article, Cumulative Update 20 (CU 20) for Exchange 2013 is available. You don’t need to be at CU 20, but I usually cover all bases in case I overlooked updates.

2- Update the Windows 7/8 machines and Server 2008, 2008 R2 and Server 2012 through Windows Update. There is an update that came out in 2016 that added support for TLS 1.1 and TLS 1.2; chances are you already have it unless you never updated Windows or never checked.


3- As always, have a good backup of your server.


Disable TLS 1.0 on the Windows server running Exchange. There is a tool called IIS Crypto; download it.


Run it on the Exchange server. Under Templates choose PCI 3.1. Apply and reboot the Exchange server. Now Exchange has TLS 1.0 disabled, and if you run the PCI 3.1 scan you should pass on TLS 1.0.

BUT with TLS 1.0 disabled on that server, you won’t be able to RDP into it from Windows 7/8 machines (you will still be able to from Windows 10 machines), and Outlook on Windows 7/8 machines won’t connect. To make it work, do the following:

Copy the following text into Notepad and save it as something like “EnableTLS1.1-1.2.reg”.


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]


Double-click this file on the Windows 7/8 machines; it adds all the registry keys necessary to enable TLS 1.1 and 1.2.

Reboot the Windows 7/8 machines. Outlook should work normally now.

You don’t need to do anything for Windows 10 machines.

You might have issues with older smartphones and email.

Make sure you don’t have any third-party applications that communicate with Exchange over TLS 1.0. Look for application updates and consult the third-party vendor's support.
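The .reg listing above shows the key names but not the values under them. As an added example (not the author's file), the following PowerShell writes the same keys on a Windows 7/8 client with the values Microsoft documents: Enabled/DisabledByDefault under the SCHANNEL client keys, and DefaultSecureProtocols = 0xA00 (TLS 1.1 + TLS 1.2) for WinHTTP, which needs the 2016 update (KB3140245) to take effect. It is an assumption that these match what the author's file contained, including the SSL 2.0 client key being used to keep SSL 2.0 disabled.

```powershell
# Added example (not from the original post). Run elevated on the Windows 7/8 client, then reboot.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$settings = @{
    'SSL 2.0\Client' = @{ Enabled = 0; DisabledByDefault = 1 }   # assumption: keep SSL 2.0 off
    'TLS 1.1\Client' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.2\Client' = @{ Enabled = 1; DisabledByDefault = 0 }
}
foreach ($sub in $settings.Keys) {
    $key = Join-Path $schannel $sub
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $settings[$sub].Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $settings[$sub][$name] -Type DWord
    }
}

# WinHTTP (used by Outlook Autodiscover among others): 0x200 = TLS 1.1, 0x800 = TLS 1.2.
$winhttp = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
foreach ($key in $winhttp) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DefaultSecureProtocols' -Value 0xA00 -Type DWord
}

# Read back what was written.
foreach ($sub in $settings.Keys) {
    Get-ItemProperty -Path (Join-Path $schannel $sub) | Select-Object PSChildName, Enabled, DisabledByDefault
}
foreach ($key in $winhttp) {
    Get-ItemProperty -Path $key | Select-Object PSPath, DefaultSecureProtocols
}
```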