Frequently Asked Questions (FAQ)

SCCM Deployment: The computer restarted unexpectedly or encountered an unexpected error


Operating system deployment fails with the following error:

 "The Computer Restarted unexpectedly or encountered an unexpected error. Windows Installation cannot proceed. To install Windows, click "OK" to restart the computer, and then restart the installation."


On the screen with the error message above try the following steps:

  1. Hold down "Shift + F10" to open the command prompt
  2. On the command prompt type "regedit" with no quotes to open the Registry Editor
  3. Go to:- HKLocal machine -> System ->Setup ->Status -> ChildCompletion
  4. Highlight ChildCompletion and on the right you will see "setup.exe"
  5. Double click "setup.exe" and verify the value is set to "1"
  6. Change the value to "3"
  7. Close the registry editor and close the command prompt.
  8. Click OK on the error message and now the installation process should complete.

Applies to:

How to push out Proxy Settings for Windows XP Clients

The Problem

Legacy Windows XP clients run at best Internet Explorer 8. You may experience problems when trying to push out Proxy and Homepage settings through Internet Explorer Group Policy Preferences, or Internet Explorer Maintenance (Policies > Windows Settings > Internet Explorer Maintenance). The settings may not apply and an error message may not be logged in the system event log.

This can be caused by:

Reminder: The Group Policy Preferences client is an optional extra for Windows XP SP2 and Windows XP SP3. If this client is not installed on Windows XP all Group Policy preferences are automatically ignored.


A sample registry file and script is attached. Edit the registry file with Notepad to add your proxy settings and change your Homepage.

Note: Always test Policy changes against a test OU and a test user account first. When confident that the setting is working as desired, then gradually roll out the change, ensuring that you test that the setting is working as desired with no detrimental effects.

This method is designed for Windows XP however it may also work for Windows 7 clients. If attempting to use this with Windows 7, please test thoroughly and again ensure that you have only one method applied to make the change (including both user and computer settings).

If you need to use separate methods for Windows XP and Windows 7 machines for this user based method, then you will need two policies, one for Windows XP and one for Windows 7. Each policy will then need a WMI filter applied to filter the right policy to the right machines.

Applies to:

How Do I Configure my Server to use an Internet Time Service?

Using a Reliable Time Source

A reliable time source is especially important if you use Windows Servers with Active Directory (AD). All servers and systems in an AD environment should be running on exactly the same time.

We recommend that you use an internet time source on your first Domain Controller, otherwise known as the PDC emulator. You can also use this setting on additional domain controllers.

Sections in this article:

Tip: One common mistake in a virtual server environment is for your virtual servers to get the time from the physical Host servers. In this situation, we recommend that your domain controllers are NOT configured to get time from the hosts but are instead configured to use an internet time source. You may need to edit the virtual domain controllers settings on the host to stop time services being presented.

How To Configure Time Services to Use an Internet Time Server

Run the following command from an Administrative command prompt, on your Domain Controller(s).

net stop w32time

w32tm /config /syncfromflags:manual /manualpeerlist:""

w32tm /config /reliable:yes

net start w32time

w32tm /resync

Note: The commands above tell Windows to use two public NTP time servers from Your internet service provider may have their own NTP servers and may prefer that you use those. Use the w32tm /resync command to make sure the new settings are work - ensure that you get a message that this completed successfully.

How to Configure Time Services to Use Domain Controller Time

PCs and member servers in a domain should automatically use time from domain controllers. If they do not, and appear to be using or other default time settings, use the commands below.

net stop w32time
w32tm /config /syncfromflags:DOMHIER
net start w32time
w32tm /resync /nowait

How To Check the Time Server Settings

Use the following commands:

w32tm /query /configuration - This enables you to see what NTP settings you are using.

w32tm /query /status - This enables you to see the current performance of the time service, including its connection to the NTP server.

Troubleshooting Steps

If the w32tm /resync command faults, or the w32tm /query /status shows that the system is still using a CMOS clock, then the NTP server is likely blocked.


How to Turn off Virtual Machine Host Time Integration / Synchronisation Under Hyper-V

Untick the Time Synchronisation option under Integration Services, in the virtual machines settings.

Applies to:

Outlook clients report a Certificate name Mismatch after an SSL Certificate is added to an Exchange Server


"The name on the security certificate is invalid or does not match the name of the site"

This message appears frequently, usually within a few moments of opening Outlook.


The cause is that Outlook clients are passed the certificate by the server, and have noted that the webmail address of the certificate does not match the internal name of the server.

For example:

Internal Server name: exchange.local

Webmail address:


Certificates are now usually not available which reference domains which companies do not own. For example, you will likely not be able to purchase a certificate that contains your webmail address (a domain which you own) and your internal addressing scheme (for example, .local) which you do not own.

One solution to this is to use an internal addressing scheme which matches the domain that you own. For many companies, this is not practical without an entire forest migration.


The solution is to modify settings within the Exchange server so that Outlook clients reach the resources that they need to using the external address.


Tip: You can use the "get" version of the commands, for example get-ClientAccessServer -Identity exchange to see what the current setting is, and make a note of it first.

Set-ClientAccessServer -Identity exchange -AutodiscoverServiceInternalUri 

Set-WebServicesVirtualDirectory -Identity "exchange\EWS (Default Web Site)" -InternalUrl

Set-OABVirtualDirectory -Identity "exchange\oab (Default Web Site)" -InternalUrl

This last command is not required on Exchange 2010:

Set-UMVirtualDirectory -Identity "exchange\unifiedmessaging (Default Web Site)" -InternalUrl


Always test changes immediately, ensuring that both Outlook clients and webmail clients function correctly.

If you require additional informatin please contact Stone support. A range of support services are available to assist customers.

Applies to:

How Do I Update Hyper-V Integration Services?


When you run Windows Update on a Microsoft Windows Server with Hyper-V - the "host" - this may update the virtual server components within Windows. This may then require that you update the virtual tools, software and drivers that run inside the Virtual machines running on that Host. These tools, software and drivers are known as the "Integration Services".

In this article:


​Considerations Before Updating Hyper-V Integration Services

How to Check If an Update is Required

How to Upgrade the Integration Services

Note: Upgrading the Integration Services inside a virtual machine requires that the virtual machine is rebooted afterwards. This means that you need to plan for downtime or a maintenance window for each virtual machine.


Applies to:

How to Deploy a Computer Startup Script via Group Policy

Use the method below to push out a computer startup script via Group Policy. Computer startup scripts are a useful way of making changes that need to happen regardless of which user is logged on.

This article is intended for system administrators who are new to using group policies.

The example below deploys the LANPWR.VBS script to disable a LAN or wireless LAN adapter's power management.

Recommendation: Always test network changes on a small group of machines before deploying the improvement. Where possible, implement the change room by room or department for department and monitor the situation for any unexpected side effects.

Things to Remember

Applies to:

How to Delete Old User Profiles on Workstations Across a Network

How to Delete Old User Profiles on Workstations Across a Network

Old user profiles can consume large amount of space on shared network computers. This can be critical on some machines with relatively small Solid State hard drives.

Its a good idea to delete old user profiles from shared network Windows PCs to ensure that the drives do not run out of space. A number of methods have been around for some time, however recent changes to Windows 10 have broken a lot of these.

The attached Powershell script can be deployed via Group Policy as either a scheduled task, or a Computer Startup script.

# Delete old User Profiles
# Andrew Sharrad 14/5/2020, 17/5/2021, 09/03/2022

# Please test before widescale deployment

#The list of accounts, for which profiles must not be deleted
$ExcludedUsers ="Public","Default","itadmin"
$RunOnServers = $false
[int]$MaximumProfileAge = 120 # Profiles older than this will be deleted

$osInfo = Get-CimInstance -ClassName Win32_OperatingSystem

if ($RunOnServers -eq $true -or $osInfo.ProductType -eq 1) {
    New-EventLog -LogName Application -Source "Stone Profile Cleanup" -ErrorAction SilentlyContinue

    $obj = Get-WMIObject -class Win32_UserProfile | Where {(!$_.Special -and $_.Loaded -eq $false )}
    #$output = @()

    foreach ($littleobj in $obj) {
        if (!($ExcludedUsers -like $littleobj.LocalPath.Replace("C:\Users\",""))) {
            $lastwritetime = (Get-ChildItem -Path "$($littleobj.localpath)\AppData\Local\Microsoft\Windows\UsrClass.dat" -Force ).LastWriteTime
            if ($lastwritetime -lt (Get-Date).AddDays(-$MaximumProfileAge)) {
                $littleobj | Remove-WmiObject
              #  $output += [PSCustomObject]@{
              #      'RemovedSID' = $littleobj.SID
              #      'LastUseTime' = $litteobj.LastUseTime
              #      'LastWriteTime' = $lastwritetime
              #      'LocalPath' = $littleobj.LocalPath
              #  }

#$output | Sort LocalPath | ft
#$output | Sort LocalPath | ft * -AutoSize | Out-String -Width 4096 | Out-File -filepath "C:\MyOutput.TXT" -append -Encoding Unicode
    Write-EventLog –LogName Application –Source "Stone Profile Cleanup" –EntryType Information –EventID 1701 -Category 2 -Message ("Profiles older than $MaximumProfileAge days have been cleaned up")

Note: Always test this script before wide-scale deployment.

Applies to:

Windows 8.1 / Windows Server 2012 R2 - Group Policy User Login Scripts are Delayed by Default

Group Policy User Login Scripts

This type of login script has long been used to assign resources or settings to users which cannot easily be deployed through other group policy settings. Traditionally, group policy user login scripts are run as soon as the user logs in.

User Login Script Example

Starting with Windows 8.1 and Server 2012 R2, Group Policy login scripts run at default 5 minutes after login. This means that if your login script carries out essential user environment preparation work, the client may be unable to use their session as intended for 5 minutes.


Deploy a Group Policy Computer setting to override the delay. You will need to be running Server 2012 R2 to easily deploy this policy.

The policy is located in: Computer Configuration > Policies > Administrative Templates > System > Group Policy - Configure Login Script Delay. Set this to Disabled to eliminate the delay.

Example below.

Note: This problem does not apply to user login scripts defined on the users active directory account Profile tab.

Applies to:

How to Create a PFX Certificate File from a PEM File

How to Create a PFX Certificate File from a PEM File


Some certificate authorities (such as Let's Encrypt) only supply certificate in the form of a PEM file, which is not usable by many Windows services.

In the case of Let's Encrypt, the PEM file may not have been generated as a part of a certificate signing request.

How to Convert PEM to PFX

.\openssl pkcs12 -export -out result.pfx -inkey mypemfile.pem -in mypemfile.pem

.\openssl pkcs12 -export -out result.pfx -inkey mycsrkeyfile.crt -in mypemfile.cer

Also see here.

Applies to:

How Do I Remove a User's Profile from the PC and the Server?

The User Profile

In some situations it may be necessary to delete a user's network profile. This may be required when the profile has been corrupted. When roaming profiles are used, when a user logs onto a machine, their profile is downloaded from the server to the local machine. This means that when the profile needs to be deleted, it is recommended to delete the profile from the network server and the local machine. Otherwise, on the next login, the user will may be given the cached local copy of the profile and this will be copied back up to the server when the log out.

Deleting the Profile from the Server

The user profile path above shows that the profile is stored on the server "master" and the share name is profile$.

Note: If you have multiple users sharing the same profile, this is likely a mandatory profile and not a roaming profile. You should not need to delete a mandatory profile and should seek further advice if you are experiencing profile corruption.

Deleting the Profile from the User's PC

We recommend that after deleting the profile from the server that you delete the users cached profile on their PC.

Applies to:

How to Remove Public Libraries from User Profiles


Libraries are a feature of Windows 7 and later which allow multiple locations to be grouped together for the user to save or find documents.

On a managed networks some of the default library locations allow users to save content to the local machine's C drive even when the Document folders have been redirected, and even when access to the local C drive has been hidden. The default library locations include the user's redirected document locations etc., and also the machines Public library locations such as C:\Users\Public.

Users could inadvertently save content to the local machine's C drive if either the network location becomes unavailable, or by selecting the incorrect library as the default save location. If the users then switches machine, the content they saved will become unavailable to them. Additionally, the content they saved may become available to other users.

Typical Default Library Results

How to Remove Public Libraries

To prevent users from saving to Public library folders, some system administrators have used group policy registry hacks to turn off Windows 7 library features altogether. This is not recommended as Windows needs library features to use search and indexing properly, and also turning Public libraries back on after using this method is not easy.

Instead, a better method is to use the Microsoft SHLIB utility to remove the Public library from the users profile, using a user login script deployed using group policy.

An example script is attached to this article; you will need to modify the batch file to show where you have placed a copy of SHLIB on the network.

The public library location may be available on the users first logon only, until the setting is removed from their profile. Subsequent logons shouldn’t have the public library locations.

The file is also available here.


Note: This solution has not been tested on Windows 8 / Windows 8.1


Applies to:

Third Party Products -> Windows Server -> Frequently Asked Questions (FAQ)