Azure AD and Windows Hello: SSO to on-premise resources

One of the main reasons people might choose a hybrid Azure AD joined configuration for their devices is that they still want to be able to access on-premises resources, for example a file server, or printers. In my opinion, hybrid join should be avoided and it is usually worth the extra work required on the infrastructure to support your devices being Azure AD joined and having no relationship to the AD domain.

In this post I’ll look at how SSO to on-premise resources actually works, when you are logged on to an Azure AD joined device, with a user account which is synced from your on-premise AD. I’ll also look at how you can configure this so that users logging on using Windows Hello for Business can also SSO. Continue reading “Azure AD and Windows Hello: SSO to on-premise resources”

PS: Remotely updating devices

I recently had to force a collection of PCs to update – they were configured using Windows Update for Business, all the policies and settings were telling them when to update and how, yet they just hadn’t – whether there was something on the UI that the primary user was just ignoring, I’m not sure. Anyway they were stuck on Windows 10 2004, and on the July update.

As they’re all configured for WUfB there wasn’t anything I could realistically do through Config Manager, besides maybe run these steps as a PowerShell Script and push out that way. Instead I decided to look at PSWindowsUpdate. In this post I’ll go through what I did, and share the scripts I used. My aim here was to get the rogue devices patched and updated to 21H1. I did still use Config Manager to help with this task – to wake devices using either the Client Notification > Wake, or the Recast Right Click Tools Wake on LAN feature. I’m not going to go into all the features of PSWindowsUpdate in any detail, there are plenty of good posts on the Internet about this already which can be found with a quick search.

The first step here was installing the PSWindowsUpdate module on the device I wanted to manage things from. While you can pass a Credentials parameter to these commands I found it much easier to just run the PowerShell window as an admin user (which has admin privileges on all target devices). I’ve assumed that in the scripts and not included a Credential parameter. We also need an array of computers that we wish to update. Continue reading “PS: Remotely updating devices”

Intune: 802.1x Wi-Fi, NPS and user PKCS certificates

One of the things I dislike the most about Azure AD joined devices on our enterprise wireless (using NPS on Windows Server for authentication) is that having to put my credentials in whenever I connect is poor usability compared to, say, a traditional domain joined device which can authenticate by device, or user, seamlessly. While there isn’t really a way to replicate device based authentication with Azure AD joined devices (to cut a long story short – there is no computer object in AD for NPS to look for), you can configure things so that you can use a user certificate.

There’s a few pre-requisites for this:

  • Wireless network using WPA2-Enterprise (or any flavour that uses 802.1x)
  • Active Directory domain already set up
  • AD Certification Authority already set up (Enterprise CA)
  • User accounts synced to Azure AD
  • NPS installed and configured
  • Devices Azure AD joined and enrolled in Intune

As part of this process we will be configuring a certificate template, installing the Intune Certificate Connector for Intune onto a server of your choosing and creating some configuration profiles. Continue reading “Intune: 802.1x Wi-Fi, NPS and user PKCS certificates”

Teams: Recover deleted team memberships

We recently had to perform the year-end tasks in Teams/SchoolDataSync which should be easy really – run through the cleanup process to archive all of last year’s teams, then update the SDS profiles with the new term dates, and resume syncing with the new data. Unfortunately ours messed up and removed all members from the archived teams – presumably as I forgot to hit “Reset Sync” before feeding it the new year’s data.

Luckily there’s a solution to get these memberships back – we need to go and search the Azure AD audit log for group membership removal events. Head to theĀ Compliance Admin Centre > Audit > Audit Search, and search for the activity “Azure AD group administration: Removed member from group”. Put the date range in, and click Search. You should hopefully get some results, all performed by the ServicePrincipal account. If you click onto one of these results and examine the data, you’ll notice we can discover the username, team name and the team’s group ID, which is all contained in the JSON formatted data associated with the log entry. Continue reading “Teams: Recover deleted team memberships”

PHP: Implement Azure AD login to your site

A while ago I wrote some code to enable one of my PHP projects to log in via authentication with ADFS. I’ve recently updated this to talk directly with Azure AD, and have split this off into a separate project which I’ll share here.

Basically this works using oAuth2, browser sessions, a database and a couple of scripts, and on the Azure AD side you need to create an App Registration. Within this sample project the following flow happens:

  • User lands on index.php. If they do not have a session key cookie, one is generated, and this is stored in the database along with the page the user was attempting to access. They are redirected to login.microsoftonline.com to authenticate.
  • If you allowed authentication from any tenant, and used the common endpoint (rather than your specific tenant ID), the user may be asked to allow your app to access their account. If they are on their home tenancy, you will have already approved this for all users.
  • The user is redirected to the oauth.php file, where a background request is made back to login.microsoftonline.com to obtain a token. Once this has been successful, the user is redirected back to their original destination.
  • If the user lands on index.php and their session key cookie already exists, and exists in the database, and has not expired, they will be allocated that token’s data.
  • If the user lands on index.php with a session key cookie, but it is going to expire in the next 10 minutes, we will perform a refresh request in the background.
  • If the user lands on index.php with a session key cookie, but it’s expired, they are redirected back to login.microsoftonline.com – which may automatically log them back in, or may prompt, depending on their settings.

Continue reading “PHP: Implement Azure AD login to your site”

Windows 365 Cloud PC

Windows 365 Cloud PC

Windows 365 Cloud PC is Microsoft’s latest addition to the VDI scene. Announced at Inspire back in July, and then released General Availability on 2nd August 2021. On a basic level, you provision a Windows 10 (or 11) VM to a user, and it’s dedicated to that user – so effectively the same as a standard PC in that you’re not sharing resources in a multi-user environment as you may do with Azure Virtual Desktop. Licensing is made simple as it’s a fixed price per user, per month, regardless of how much usage they make. There’s a variety of different SKUs which correspond to different VM specifications.

Windows 365 comes in two versions – Business and Enterprise. Business is limited to 300 users and designed to be much simpler to set up and configure. Enterprise does not have a user limit and integrates with Endpoint Manager (Intune). The core difference here is Business could be implemented by anyone at the company, Enterprise will most likely require an IT department to manage it.

This does not replace Azure Virtual Desktop – it runs along side it. Azure Virtual Desktop requires more technical expertise to set up and manage, and can be more expensive or less expensive than Windows 365 depending on your host sizes, whether you share devices with Windows 10 multi-user, and whether you shut them down or not. Windows 365 is a fixed price with no knowledge of Azure Virtual Desktop and RDS required.

I’m going to look at the setup process for Business and Enterprise and give my thoughts.

Continue reading “Windows 365 Cloud PC”

CM: Deployment Requirements

I was recently asked about how to deploy a single application but with varying installation command line parameters, using Configuration Manager. Luckily we can do this fairly easily using the Requirements screen on your Application Deployment Type.

In this scenario we were installing a school classroom management program, and needed to provide a different string in the install command line depending upon what kind of PC it was going to – e.g. setup.exe /template=TEACHER or setup.exe /template=TECHNICIAN. The PCs were already organised by Organisational Unit in Active Directory so that was the obvious target. The other way we could have done this was to create multiple device collections in Config Manager, and then multiple applications, and deploy to each of them – but we wanted to keep all this within a single application.

The basic concept behind this is to create multiple deployment types within the single application, and optionally a fallback entry at the end if you want the software installing where none of the requirements have been met, perhaps with a generic template passed via command line.

In this example I’ve created a simple program which just drops a text file onto the C drive, with the content of the command line string, as proof of concept but this technique should work for most use cases – depending on device OU, registry setting values, or even CPU speed, RAM, Disk space. I’ve targeted device OU here, and split my VMs into two OUs – Azure and Garage (for Azure hosted VMs, and those running off a Hyper-V server in my garage).

Continue reading “CM: Deployment Requirements”

Fixing a broken Windows Recovery partition

We’ve got a few Surface Go which I re-imaged using a Config Manager task sequence – this deletes all partitions and just sets up a basic recovery partition along with a big C partition, and installs Windows 10 Education. This is fine for our desktops and shared devices which can come in for another go through the task sequence if they need resetting. Moving forwards to personal devices, managed by Intune only and Azure AD joined (not hybrid, therefore no relationship with the Active Directory domain) I like features such as Wipe in Intune/Autopilot to work (along with the equivalent screen in Settings – Reset This PC). In this setup, Reset This PC does not work as the recovery partition doesn’t contain the correct files.

I had a look at how to fix this, and getting the re-built devices to reset into their original Windows 10 edition (Pro) with their original device embedded key. This worked quite well and I’ll go through what I had to do in this post.

You’ll need a second device where you’ve not messed up the recovery partition – in my case this was an identical Surface Go – and a way to copy files from one to another.

Continue reading “Fixing a broken Windows Recovery partition”

WUfB and Update Compliance

Windows Update for Business (WUfB) is a free service which allows you a level of control over Windows Update on certain SKU of Windows 10 – Pro/Enterprise/Education/Pro for Workstation – basically everything except Home edition. You can select which types of updates you would like – Feature updates, Quality (security) updates, Driver updates and Microsoft Product updates. Product updates are for other Microsoft products, but not Office if you used the Click-to-Run installer.

Whilst you don’t approve/deny each update as you’d have done in the past with WSUS, you can specify update deferral periods. For Quality updates this is 30 days or less, and for Feature updates it’s 365 days or less. You can create multiple policies, for example one targeting a pilot group with 0 day deferral, one with 5 day for a wider group, and a 10 day deferral for the rest of your devices. If you find an issue with an update installed by the pilot group, you can pause updates for up to 35 days on the other policies. The devices should then resume at the end of the 35 days and skip the missed update, moving on to the next cumulative update.

Device driver updates are enabled by default, but can be turned off, and Microsoft Product updates are disabled by default, but can be turned on. I tend to leave these at the default settings – as the trend with recent Microsoft products has been for them to look after the updating process themselves (e.g. Office 365 Click-to-Run, Edge etc) rather than using Windows Update.

You don’t need Intune or Config Manager for this, and you don’t need your devices to be Azure AD joined – it can even be a PC in a workgroup – although it’s a lot easier to manage if you have some central control over the client side settings.

Continue reading “WUfB and Update Compliance”

Azure Cloud Shell

Azure Cloud Shell is a great feature which gives you a PowerShell (or Bash) window in the browser. Whilst you can’t access on-premise resources from the shell you can manage anything cloud based. By default there’s a huge selection of Azure modules loaded, plus things like Teams.

There’s no specific licensing for using the Cloud Shell – however you will need an Azure subscription and a storage account. This is required for it to store any settings, plus you can store your own scripts in this storage if you like.

The Cloud Shell is available from some of the admin portals, including:

  • Azure Portal
  • Office 365 Admin Centre
  • Exchange Admin Centre (new version)

Continue reading “Azure Cloud Shell”