All Posts
Certificate mapping for AAD Devices with AD accounts
Katy Nicholson, 31 August, 2024
Device certificate authentication to NPS (e.g. an 802.1x wireless network) requires the device to have a computer object in the on-premises Active Directory. This can be done using a script to get all Autopilot registered devices and create an account in the local AD (see SysManSquad - Working around NPS limitations for AADJ Windows Devices); however, the thumbprint of the device certificate needs to be added to the computer object's altSecurityIdentities attribute. While this can be run as an hourly task, there is the risk of a device being unable to connect for up to an hour. Luckily, through configuring auditing and a scheduled task triggered by an event being raised, we can perform this mapping immediately after certificate issue.
Intune: Managing Promethean OPS-A (Android) Devices
Katy Nicholson, 28 August, 2024
Newer Promethean screens can be fitted with compute devices, OPS-M (Windows) and OPS-A (Android). There is very little documentation around configuring these Android devices with Intune in order to restrict access to settings. In this post I go through how to enrol these as corporate-owned dedicated devices while retaining the pre-installed Promethean apps.
Restricting printing to specific devices or device types
Katy Nicholson, 13 October, 2023
Device Control Printer Restriction has been around for a while and can be configured using a couple of CSP entries to block the use of "non-corporate printers", and a list of USB hardware IDs can be specified to be allowed through the block. This has been a good solution for locking down printing on devices which leave the office; however, the definition of "corporate printers" does not include Universal Print. Luckily there is a new version of this policy; confusingly, it's got the same name but uses Defender's device restriction mechanism. Using this new method we can define groups of devices and create a list of rules to apply.
Silently enable BitLocker with PIN during Autopilot
Katy Nicholson, 24 September, 2022
BitLocker is Microsoft's disk encryption system and the only supported silent configuration involves the TPM only. There are other options such as also requiring a start-up PIN or a physical key (USB drive containing the key), or both - whether you think you need the extra security at the risk of PIN re-use/being written down is an exercise left to the reader. However I wanted to find a way to enable BitLocker with a PIN required at start-up on a device deployed through Autopilot, without the user having to do anything to enable the protection. While there are configuration profiles which can configure BitLocker to require a PIN and to require the device encryption, this won't actually prompt the user to encrypt the device if you're requiring additional authentication to unlock the drive. Looking forward it would be nice to see this supported - as a step in the OOBE process or on the Enrolment Status Page, asking the user for a PIN and enabling the encryption. But for now, we have to come up with our own solutions - my solution involves a PowerShell script which enables the encryption using the device serial as the key. The user can then be given instructions to change this once logged on.
Windows Autopatch
Katy Nicholson, 12 August, 2022
Windows Autopatch is a service which takes care of updates to Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams across your devices. It is marketed as taking the mundane tasks of managing updates away from IT staff, leaving them free to work on other things. Autopatch uses various policies and profiles through Intune to set the update configuration on the client devices, Windows Update for Business to deliver the updates, and reporting is also done through Intune (or the Update Compliance Log Analytics solution). Autopatch uses four rings to phase updates across your devices - test, first, fast and broad - where test gets the updates as soon as they become available, broad gets them with a 9 day delay, so that any issues are caught in the test or first rings and further deployment can be paused.
App Protection Policies
Katy Nicholson, 31 July, 2022
Corporate devices can be fully managed and secured using Mobile Device Management (MDM) such as Intune. But what about securing personally owned devices? This is where Mobile Application Management (MAM) steps in. For iOS and Android devices, MAM in Intune is implemented through App Protection Policies. With these policies, we can segregate corporate data on personal devices and also put restrictions in place - for example, disallowing copy/paste between the corporate apps and the rest of the device, or requiring PIN or biometric unlock before the data can be accessed. In this post I'm going to go through how to create an App Protection Policy and cover the differences between iOS and Android.
Azure AD Terms of Use
Katy Nicholson, 23 July, 2022
Azure AD's terms of use feature allows us to present information to users which they need to accept/acknowledge before being permitted access to a service. The feature supports multiple languages and essentially you upload a PDF for each supported language for your Terms of Use policy. You can create multiple policies if needed. Possible use cases for this include for users enrolling their personal Windows device through Access work or school, where they can be presented with some rules before their device will give them access, or even when accessing specific services such as Microsoft Forms in the browser, if you wanted to display some usage guidance for using Forms in your organisation.
MFA - Why should I use it?
Katy Nicholson, 21 May, 2022
Surely by now everyone has turned on Multi-Factor Authentication (MFA) as part of their identity protection strategy. Not necessarily - I regularly come across people who have not enabled this crucial feature, usually through the company/institution's management thinking it is not necessary or not worth the hassle. Usually this is followed up with a compromised account sending thousands of emails in an attempt to gather credentials from contacts of the compromised user. I've previously written about Azure Conditional Access and MFA, this post is a more general look at MFA and also covers some of the new Azure MFA features.
Importing Group Policy Objects into Intune
Katy Nicholson, 23 April, 2022
This has to be one of the most requested features for Intune - importing Group Policy Objects. It's now a feature! Currently in public preview, so it should be available on most tenants. The way this works is that you export your GPOs from Group Policy Management Console and import them into Group Policy Analytics, which will determine whether they will work as Intune configuration profiles by trying to map the GPO settings to the corresponding Configuration Service Provider (CSP) setting, if one exists. You'll be shown a report detailing how much of your policies will be transferable, and which individual settings will or won't work.
Moving the Blog to Azure App Service
Katy Nicholson, 27 February, 2022
I recently moved this blog from WordPress to its current form - a custom PHP site running on Azure App Service. At the back end I decided to store the blog posts as Markdown, as it's relatively easy to edit in any text editor, and I did not want to re-create a rich editor like WordPress has. I also wanted the site to be easy to deploy, if I need to move it or scale up multiple servers, so I decided it should be a (private, for now) GitHub repository. I've already created a template site which is used with my Redirect Tool and Certificate Expiry Tool projects, so it would make sense to extend this.
Intune Remote Help
Katy Nicholson, 21 February, 2022
Remote Help is a new feature of Intune which allows you to remotely help a user. It is based on the Quick Assist tool found in Windows 10 and 11, but with several improvements - both parties need to be logged in with an Azure AD account in your tenant, and the helper can run elevated commands. There is also an RBAC role for controlling what level of access helpers have - e.g. view only or full control, and whether they can interact with elevated windows.
Analysing Azure AD Logs with Log Analytics
Katy Nicholson, 14 February, 2022
Log Analytics is part of Azure and is a great solution for analysing and interrogating logs across a huge assortment of Azure services. In this post I am going to demonstrate redirecting Azure AD logs to Log Analytics, and then build a dashboard showing various data from those logs. You will need to have Azure AD P1 or P2 licensing in order to redirect the Azure AD logs, and an Azure subscription to create the workspace.
Microsoft Certification Exams
Katy Nicholson, 29 January, 2022
Certifications are an essential way of proving your abilities and there are plenty of Microsoft certifications to aim for. In this post I will be talking through what resources are available, the method I use when studying for a certification exam, and also what the exam process is like.
AVD: Applications
Katy Nicholson, 27 January, 2022
Applications can be installed onto Azure Virtual Desktop Session Hosts in multiple ways. In this post I briefly look at the traditional methods, and have a detailed look at MSIX App Attach.
MSIX: Packaging
Katy Nicholson, 16 January, 2022
MSIX is a modern packaging solution designed to separate application and system states, and to be easy to cleanly uninstall. Some of this is performed by redirecting read/write to certain locations to a per-user/per-package folder, which can then cleanly be removed. In this post I will go through creating an MSIX package and how it can be deployed.
Intune: Bypassing iOS activation lock on supervised devices
Katy Nicholson, 6 January, 2022
Occasionally while working with MDM and iOS devices you'll reset a device and discover the user left an activation lock. I look at how to bypass that for devices which have, at one point in their life, been attached to MDM.
MSIX: Creating a Code Signing certificate on AD CA
Katy Nicholson, 2 January, 2022
MSIX packages need to be signed for them to be any use. You can get a code signing certificate from various certificate vendors, but if your package is only going to be used on company-managed devices you could use your Active Directory Certification Authority instead. The pre-requisites for this are that you already have AD CA set up, and your CA root certificate is present as a trusted root certificate on all the devices you want to use your MSIX packages on.
Project: Short Link Creator
Katy Nicholson, 25 December, 2021
A PHP based web project for creating and managing short links on custom domains.
AVD: Getting Started with Azure Virtual Desktop
Katy Nicholson, 24 December, 2021
Azure Virtual Desktop (previously named Windows Virtual Desktop) is exactly as it sounds - a Virtual Desktop solution in Azure! While many of us are familiar with Windows Server Remote Desktop roles, and if we think back far enough - Terminal Services, AVD is an exciting cloud based take on this. So the first question I think we should tackle is "Why do I need this?" - Why can't we just use some Server 2022 VMs in Azure running the standard RDS roles - Session hosts, brokers, gateway etc? Well - you can do that if you want, but you're then paying compute costs for your session hosts, brokers and gateways, setting up a public IP address and opening ports. With AVD the broker and gateway are provided on Azure and they're free - all you pay is the cost of the Session Host VMs. Another point here is that with AVD you can use Windows 10 (or 11) Multi-session edition, designed for virtual desktops. No more trying to shoehorn Server with Desktop Experience into place.
Removing Teams Chat from Windows 11
Katy Nicholson, 16 December, 2021
As you've probably already noticed, Windows 11 comes with a Teams client baked in. It's the shiny new Edge WebView2 client! Hooray no more Electron! Unfortunately it only supports personal accounts at the moment - so it's anything from a nuisance to added confusion on any sort of managed desktop. Luckily there are a few ways to get rid of it and I'll run through them here. It doesn't matter if you're on-prem, hybrid or pure Azure AD as there's a GPO setting and Intune policy setting to achieve this, as well as a Policy CSP/OMA URI if you want to use that instead.
Intune: Setting Client Registry Keys
Katy Nicholson, 9 December, 2021
Traditionally you would use something like Group Policy Preferences or use Config Mgr to set registry keys on a client device. In this post I look at a way to do this using Intune.
Intune: Updating to Windows 11
Katy Nicholson, 4 December, 2021
A look at how we can force our devices to update to Windows 11 using Intune.
Project: Certificate Expiry Notification Tool
Katy Nicholson, 18 November, 2021
A PHP web based system to notify you of expiring certificates. This project automatically monitors Azure AD App Registration certificates and secrets, along with Intune enrolment tokens and associated certificates, and allows the user to add custom items to monitor, e.g. a website SSL certificate.
Intune: Managing Android Devices
Katy Nicholson, 31 October, 2021
Love them or hate them, you will probably have to manage Android devices at some point. In this post I look at the enrolment profile types for Android devices on Intune.
Azure AD and Windows Hello: SSO to on-premises resources
Katy Nicholson, 10 October, 2021
A look at how a hybrid user logged into an Azure AD Joined device can SSO to on-premises resources, whether they logged on with a password or using Windows Hello for Business.
PS: Remotely updating devices
Katy Nicholson, 5 October, 2021
Remotely updating devices using PowerShell and the PSWindowsUpdate module
Intune: 802.1x Wi-Fi, NPS and user PKCS certificates
Katy Nicholson, 23 September, 2021
It's annoying having to enter your credentials whenever you connect to an 802.1x wireless network. We can use Intune to push out certificates to enable password-free network connection. This post looks at Intune managed Azure AD joined devices, an 802.1x wireless network using NPS for authentication, and Active Directory Certificate Services to issue the certificates to the users.
Teams: Recover deleted team memberships
Katy Nicholson, 27 August, 2021
How to bulk recover deleted team memberships using PowerShell. I had over 8,000 group membership actions to undo and luckily this is possible through examining the Azure AD Audit log export and some PowerShell.
PHP: Implement Azure AD login to your site
Katy Nicholson, 8 August, 2021
A PHP Project for integrating Azure AD login to your website/project.
Windows 365 Cloud PC
Katy Nicholson, 4 August, 2021
Windows 365 Cloud PC is an exciting new product from Microsoft. Split into two SKUs, Business and Enterprise, I have a look at the differences and how to configure Windows 365.
CM: Deployment Requirements
Katy Nicholson, 29 July, 2021
I was recently asked about how to deploy a single application but with varying installation command line parameters, using Configuration Manager. Luckily we can do this fairly easily using the Requirements screen on your Application Deployment Type.
Fixing a broken Windows Recovery partition
Katy Nicholson, 3 July, 2021
We've got a few Surface Go which I re-imaged using a Config Manager task sequence - this deletes all partitions and just sets up a basic recovery partition along with a big C partition, and installs Windows 10 Education. This is fine for our desktops and shared devices which can come in for another go through the task sequence if they need resetting. Moving forwards to personal devices, managed by Intune only and Azure AD joined (not hybrid, therefore no relationship with the Active Directory domain) I like features such as Wipe in Intune/Autopilot to work (along with the equivalent screen in Settings - Reset This PC). In this setup, Reset This PC does not work as the recovery partition doesn't contain the correct files. I had a look at how to fix this, and getting the re-built devices to reset into their original Windows 10 edition (Pro) with their original device embedded key. This worked quite well and I'll go through what I had to do in this post.
Windows Update for Business (WUfB) and Update Compliance
Katy Nicholson, 23 June, 2021
Windows Update for Business (WUfB) is a free service which allows you a level of control over Windows Update on certain SKUs of Windows 10 - Pro/Enterprise/Education/Pro for Workstation - basically everything except Home edition. You can select which types of updates you would like - Feature updates, Quality (security) updates, Driver updates and Microsoft Product updates. Product updates are for other Microsoft products, but not Office if you used the Click-to-Run installer.
Azure Cloud Shell
Katy Nicholson, 18 June, 2021
Azure Cloud Shell is a great feature which gives you a PowerShell (or Bash) window in the browser. Whilst you can't access on-premise resources from the shell you can manage anything cloud based. By default there's a huge selection of Azure modules loaded, plus things like Teams.
Intune: Introducing Filters
Katy Nicholson, 9 June, 2021
Endpoint Manager/Intune Filters is a new feature which gives you advanced targeting for things like compliance policies, configuration profiles and app assignment by adding filters.
Endpoint Analytics
Katy Nicholson, 19 May, 2021
Endpoint Analytics is a component of Intune and is used to provide you with insights as to how your devices are performing. Which take forever to log on? Which apps crash frequently? You can also run proactive remediation scripts to enforce settings or fix issues.
Intune: Manage non-DEP iOS devices via AC2 DEP enrolment
Katy Nicholson, 31 March, 2021
Sometimes you may be given iOS devices which have been purchased by another department - or ad-hoc - and thus you do not have the details to have the supplier add these to DEP/Apple School/Business Manager. In this post I look at how we can add these devices using Apple Configurator 2, and pull these into Intune.
Raspberry Pi Server Temperature Monitor
Katy Nicholson, 25 March, 2021
Back in 2015 I was looking for a cheap way to monitor the temperature in our server racks and also for a project with my new Raspberry Pi Model B. I've recently had a photo from this pop up in my Facebook memories so decided I'd dig out the write-up I did and post it on my blog.
Intune: Windows Hello for Business
Katy Nicholson, 12 March, 2021
Windows Hello is Windows 10's biometric authentication system which allows users to sign into their device using facial recognition (if the device has an IR camera), fingerprint (if the device has a fingerprint reader) and PIN. The data for these is stored on the device itself rather than transmitted to the authentication provider (i.e. Azure AD) so is more secure than a password as an attacker would need the device as well as the face/finger/PIN of the person they are trying to impersonate. In this case a PIN is more like a password, as we can define the minimum and maximum length, and allow/forbid/require lower case, upper case and special characters. The default setting permits numbers, lower and upper case letters but does not allow special characters.
Azure: Conditional Access and MFA
Katy Nicholson, 5 March, 2021
Multi-factor authentication is a must in this day and age, with phishing techniques becoming more and more sophisticated and more difficult to detect/block. Azure MFA can be used to secure your Office 365 workload (and, if you're using it as the authentication method for other services, they can be secured too).
Shift to the Cloud: Moving a school to OneDrive and Teams
Katy Nicholson, 1 March, 2021
I tell the story of how we moved a school from traditional on-premises file storage and e-mail to Office 365, Exchange Online, SharePoint and Teams.
Intune: Endpoint Protection
Katy Nicholson, 26 February, 2021
Whilst Endpoint Protection can be suitably managed for traditional Active Directory-joined devices using Group Policies, you'll need an alternative to protect your Azure AD joined devices. Luckily Intune can do this for us by way of a device configuration profile.
Azure AD password protection
Katy Nicholson, 19 February, 2021
Azure AD Password Protection is part of Azure Active Directory and helps prevent users from picking poor/easily guessable/compromised passwords. Microsoft maintain a "global banned passwords" list which stores passwords which are "deemed too common". Obviously this list is not published, but by using Azure AD Password Protection you can have password changes run against it for both cloud and on-premises users. You can also create a custom banned password list, of up to 1000 entries, containing easily guessable things about your organisation, e.g. product names.
Backing up my Azure workload to Azure
Katy Nicholson, 13 February, 2021
I've looked at using Azure to back up on-premises workloads in a previous post (Azure Backup); I think it's time I looked at backing up workloads that are already running from Azure. I'm going to look at backing up Virtual Machines and storage accounts - there's not much more I store in Azure that would need backing up. I'm going to take a quick look at the options for storage accounts, virtual machines and databases. So the first question must be "Where do we back this up to?" - you could make a case for backing it up to an on-premise backup server, or even to a competing cloud provider, using one of many products designed for "backing up your Azure and Office 365 data". I see backups as having three purposes really - to get you up and running again after a disaster (such as losing your on-premise servers, or in this case your Azure workload being irreversibly lost), to recover from user error, and finally (becoming more and more important these days) to recover from ransomware/encryption based attacks. I back up my Azure workload to Azure because I feel the way it is configured - with availability zones, geo-redundant data etc - that it's highly unlikely that my backup will disappear along with my workload. I'd also think there's much more chance of something going wrong with my backup if it was stored on-premise rather than in Azure.
Automatically syncing Teams/SharePoint libraries
Katy Nicholson, 9 February, 2021
There's been a Group Policy setting to sync Team/SharePoint libraries for a while although last time I looked at it the functionality didn't actually work yet - I think it was meant to be available from Windows 10 1909 but didn't quite make it. Besides the fact that the setting didn't do anything, all the documentation claimed it could take "up to 8 hours" for the library to appear in the user's sync client/Explorer - clearly this is no use especially if you're in an environment where people hot desk and share machines. I've had another look at it to see if it's any better now, and also demonstrate a method to sync libraries using PowerShell logon scripts.
MEM: iOS Wireless Profile with embedded credentials
Katy Nicholson, 5 February, 2021
Sometimes you have no option but to use a wireless network with a username and password, which you want to set on devices with a Configuration Profile. While there is no option to do this with the built in Wi-Fi profile, you can create a custom one on Apple Configurator 2 and import this into Intune.
Cool Edge features
Katy Nicholson, 3 February, 2021
You must have heard about the new Edge by now - based on Chromium, replacing legacy Edge (and IE11). If not, have you been living under a rock?! I'm going to take a look at some of the neat features in Edge, at time of writing v89 is current. (Updated April 2021)
Azure AD Application Proxy
Katy Nicholson, 29 January, 2021
Azure AD Application Proxy is a really neat tool for publishing internal applications without exposing your servers to the Internet. If your applications require authentication for users to access them you can get Azure to handle all this for you, and it supports single sign on. Alternatively if you've got an old or obscure application that can't cope with Azure SSO you can configure it to use passthrough authentication, where the internal application remains responsible for this task.
WAC: Hyperconverged Hyper-V Cluster with S2D
Katy Nicholson, 23 January, 2021
Last year I replaced a 3 node VMware+SAN cluster with a 2 node hyperconverged Hyper-V cluster. I've been quite impressed with it so far so thought I'd write up how I did it - especially considering I did the bulk of the work through Windows Admin Centre.
WAC: Azure Backup
Katy Nicholson, 22 January, 2021
If you've connected Windows Admin Centre to Azure you'll find a section called Azure Backup. This will allow you to back up your on-site workloads to Azure using the Microsoft Azure Recovery Services agent. It's ideal for backing up physical servers or individual virtual machines. In this post I'm going to look at configuring and backing up a server through Windows Admin Centre, and then at how to recover the data - both for a partial failure (such as some files being deleted but the server still boots) and a total failure.
Getting the thumbprint of an installed SSL certificate
Katy Nicholson, 16 January, 2021
If you're installing something that won't let you browse for certificates and instead asks for a thumbprint - e.g. Windows Admin Centre - you can get this using either the management console or PowerShell.
Windows Admin Centre
Katy Nicholson, 16 January, 2021
Windows Admin Centre is a web based server (and desktop) administration package which, eventually, should replace the majority of the work currently done through MMC consoles and snap-ins. If you've ever opened Server Manager on a Windows 2019 machine you'll have seen the popup telling you to "Go get Windows Admin Centre!". Whilst it's not there yet, it is constantly being updated and improved and I find it really useful. It's a lot more than just managing a couple of systems - when I set up our hyperconverged Hyper-V cluster I primarily did this from within WAC (post to follow on this if I get chance to write it up) - and it integrates nicely with a lot of Azure services (including any Azure VMs you might have).
Intune: Managing iOS devices
Katy Nicholson, 13 January, 2021
In this part of the Intune series of posts I'm looking at getting iPads enrolled and managed, and deploying apps. In my case I'm looking to migrate some iPads from an existing MDM into Intune, so I'm assuming you already have an Apple ID set up to create the push certificates and already have Apple School Manager (or Business Manager) set up.
Hybrid Cloud Print
Katy Nicholson, 8 January, 2021
Hybrid Cloud Print is a solution to allow users to print to on-premise printers from their devices without needing to be on site or even have VPN connectivity - they just need Internet access. It is however fairly complicated to set up and requires multiple app registrations in Azure, and an Application Proxy server setting up. In this post I go through the steps on how to set it up and print from an Intune managed device. It has been replaced with Universal Print, however you can still set it up and use it if needed.
Universal Print
Katy Nicholson, 8 January, 2021
Universal Print is the new way to cloud print from your devices. It replaces Hybrid Cloud Print and is a lot easier to set up and manage. You'll need your devices to be connected to Azure AD (either domain joined or hybrid joined, or registered).
Intune: Deploying Applications
Katy Nicholson, 6 January, 2021
In this post I cover deploying applications to devices through Intune - Microsoft 365 Apps, Microsoft Store apps, Web Apps and Win32 Applications.
Intune: Getting Started with Autopilot
Katy Nicholson, 20 December, 2020
In this post I take a first look at Intune and Autopilot and go through importing devices, creating enrolment profiles, configuration profiles and deploying the device.
FTTC VDSL on a Cisco 897VA
Katy Nicholson, 9 December, 2020
I've recently changed broadband to Fibre-to-the-cab (FTTC) VDSL connection. As I have a small data cab in the house I wanted a rack mount router instead of the ISP provided one, and I had a spare Cisco 897VA hanging around which is perfect for the job. Unfortunately there isn't a web based config on this router so I've had to configure via terminal/SSH but it's not too difficult to get running on your VDSL connection.
Active Directory CA certificates for HPE iLO
Katy Nicholson, 19 October, 2020
I've recently replaced my servers with some nice HPE ProLiants with iLO 4 Advanced. One of the first steps I wanted to get sorted was replacing the self-signed SSL certificates so I don't have to sit through the warning messages every time I open the web interface. I've already got an Active Directory Certification Authority set up so thought I'd use that, given that the root CA certificate is already installed and trusted on all devices.
Active Directory: Recovering Deleted Items
Katy Nicholson, 7 September, 2020
A while ago we accidentally deleted a leaving staff member's account instead of disabling it - and pure bad luck means this particular member of staff came back a week later to cover a staff illness. Not wanting to have to re-create the account I discovered that the Active Directory Recycle Bin had not been enabled in the forest - oh no! Luckily we can still get the account back. Objects deleted in AD are tombstoned for 180 days (by default).
Analysing BSOD Memory Dumps
Katy Nicholson, 5 September, 2020
We had re-imaged all devices to Win 10 Edu 2004, after testing everything worked in a couple of rooms. All good, then the first day with teachers back and we get multiple calls about computers crashing with BSOD while the interactive whiteboards are being used. Whilst the user reported multiple crashes, when I went in person I wasn't able to cause it to crash so couldn't just look at the "What failed" bit on the Win 10 BSOD screen. A quick look at the system event log on one of the computers in question shows nothing useful - just "the computer has rebooted from a bugcheck". You can get the error code here too but no pointer as to what actually caused this.
CM: Deploying Apps from the Windows Store
Katy Nicholson, 31 August, 2020
There's a lot of apps in the Windows Store, and one of the best bits about them is we don't have to worry about managing their updates. Luckily we can deploy these through Config Mgr and it is fairly easy to do. You will need a subscription which creates an Azure tenancy (e.g. Office 365) to link Config Mgr with the Microsoft Store for Business (or Microsoft Store for Education) - the Business and Education versions are pretty much the same just with different phrasing in places.
Automating Teams School Data Sync - iSAMS
Katy Nicholson, 29 August, 2020
I don't like things that can't be automated. I started looking at School Data Sync (SDS) last year, however the templates provided by iSAMS, which is our school Management Information System, just gave a set of CSVs and you had to manually click to get them, then click to upload them into SDS. Since iSAMS has an API, I thought this was a bit of a silly way of doing things - who wants to go through a manual process every time a pupil changes class? So instead I wrote my own PowerShell to pull the data through the iSAMS API, then run through the New-Team cmdlet to create a team per class, and populate it with teachers and students. As we're a school we need our new teams to be running the Edu_Class template, but the template parameter on New-Team only exists in the preview (and in Graph, on the beta endpoint) where it has much harsher limitations on how often and fast you can call it - a nightmare trying to call it in a loop. Anyway, with the addition of "Start-Sleep 30" in the loop I eventually got them all created. However this time I am having another look at SDS and using Power Automate (previously known as Flow) to make the process completely automatic.
Creating a VPN from your on-site network to Azure
Katy Nicholson, 26 August, 2020
If you are moving any of your local network services into Azure it's likely you don't want to have to access them over the Internet and would rather have a VPN, and "private" IP addresses assigned to each of your Azure Virtual Machines. Here I go through how to set this up using my home lab and Azure tenancy as an example.
In-place OS upgrade of Azure Virtual Machines
Katy Nicholson, 24 August, 2020
In-place upgrade of Windows 2016 Azure VMs to Windows 2019 is not officially supported but still something we occasionally need to do. While I'd recommend you spin up a new 2019 VM and migrate your workload if at all possible, it's a bit long winded but you can do an in-place upgrade. If you're lucky it's as simple as copying the files off the ISO and running through the upgrade wizard, however if it brings up any prompts or messages you need to connect to the console to view you'd not get very far with a service like Azure where you cannot view the console, and this is one of the reasons why it is unsupported directly on Azure.
Wireless Guest Account Management
Katy Nicholson, 24 August, 2020
One of my C# projects is an application to create guest accounts for the school wireless network. The wireless network is set up with 802.1X authentication, so we can log in using Active Directory user accounts.
Edge Chromium perfect configuration
Katy Nicholson, 21 August, 2020
So I've been trying to get the new Edge to open, sign in automatically with the current user's Azure AD credentials and then turn on sync, without any screens to click through or anything like that. I had got about as close as is possible - user opens the browser, it signs them in and asks if they want to sync or not. From version 86 there is a new GPO setting to force sync without prompting the user. Hooray!
Hybrid Azure AD Domain Join using Client-side targeting
Katy Nicholson, 20 August, 2020
The standard method to configure hybrid domain join is to open up Azure AD Connector and follow the wizard. However this isn't suitable for every environment - for a start it needs to write forest-level configuration data, create a Service Connection Point (SCP), and if you want to link multiple tenancies to a single AD forest you're in for a hard time. Luckily we can hybrid join with some registry settings on the client devices, and don't need to set up the forest level SCP. Here's how I've managed it on my network.
CM: Enabling BitLocker
Katy Nicholson, 19 August, 2020
Config Mgr comes with a Bitlocker Management section (under Endpoint Protection), however as far as I can tell this just allows you to set the Bitlocker policy but not force drives to be encrypted - at least I couldn't get it to do anything on devices it claimed were compliant. I've got an OS deployment task sequence which installs Windows, and has a few BitLocker steps - however I forgot to set a variable telling it to use the TPM chips without additional PIN/password/keys for Bitlocker - so my computers built without Bitlocker being enabled.
CM: Delving into the "Last PXE Advertisement" flag
Katy Nicholson, 17 August, 2020
This post has actually come from having a look at the search queries coming up in my blog visit stats - "all active pxe flag deployements" - which seems like a good thing to look into. If you're trying to make a device collection you'll find the LastPXEAdvertisement doesn't appear to be available through the query builder UI. Here I'll look into getting the data through PowerShell and then also putting it into a Device Collection within MEMCM.
PHP: Mailing through Office 365 using the Graph API
Katy Nicholson, 17 August, 2020
A while ago I needed to update my PHP applications' mail handling scripts, as Microsoft are disabling basic authentication and they connected using EWS with basic authentication. I took the opportunity to update them to use the Microsoft Graph API instead. My systems generally run mail as a background process, e.g. sending/receiving mail to the helpdesk mailbox, so this article is written in that vein. If you wanted to access mail in an interactive way (so the user is sat in front of the browser at the time mail is accessed) you'd need to switch to Delegated rights, rather than Application, and the user would log in rather than the script logging in. I've not looked at this so I'm not able to say much more about it.
UEFI Network Boot Across Subnets
Katy Nicholson, 15 August, 2020
A few years ago when UEFI became much more common on new PCs I wanted to use the UEFI network boot, rather than the old style PXE boot, for imaging machines. This worked fine for computers sat on the same subnet and VLAN as the server, but getting this to work when the client device is in a different subnet took a bit of work.
Wake on LAN revisited
Katy Nicholson, 15 August, 2020
A couple of years ago I wrote about the pain of getting Wake on LAN to work on HP switches. While this got some of my machines to work, there was still quite a large proportion (about 60%) that weren't playing ball. I've finally had a bit of time to look into this, so here's everything I've gone through to get a lot more of the PCs powering up on command. Of course there will always be some PCs which just refuse to work (we have some Gigabyte H81M based machines where they just don't Wake on LAN - whatever you do the LAN link drops when the power is turned off), and some older H61M based machines that are a bit hit and miss.
Environment variables
Katy Nicholson, 14 August, 2020
As I've been configuring a bit of folder redirection in group policies, I often forget what environment variables there are (there are a lot more than you ever realise!). So I thought I'd list some environment variables that may be useful when editing GPOs or registry settings, and what they resolve to by default (assuming I'm logged in to the domain contoso.com as CONTOSO\Katy from contoso-wk-1), with my home drive set to map N: to \\file.contoso.com\users\katy.
Automated shutdown of devices
Katy Nicholson, 11 August, 2020
In a drive to reduce power usage, I've tried a few times over the years to find a way to shut down computers, but not if they are in use. I've tried using scheduled tasks set to only run when idle - in reality this doesn't really work as we tend to have quite a lot of mice that move ever so slightly on their own, so the PCs never think they are idle. I even wrote a client/server application where the client reports when someone logs on, logs off, or switches user and, when prompted to shut down by the server, the client asks the logged on user if they want to go ahead or cancel. This worked fine for a while but when we updated to Windows 10 it stopped working and needed a lot of time spent on working out what had changed. So I moved away from that method. My current method is two scheduled tasks. It'd be easy to just do a scheduled task that shuts down the computer, but what if somebody is working on it? Equally we could do a script which only shuts down if there are no active sessions, running if the computer has been idle for 10 minutes - but does a locked (but not switch user) screen count as active? (Yes it does.) What if the mouse moves itself? With just this method a lot of PCs were never shutting down.
CM: Support Centre
Katy Nicholson, 10 August, 2020
I'm not sure how long it's been around, but one of the neat things I discovered lately is the Support Centre. The installer for this can be found on your Config Mgr server, in the installation directory\tools\SupportCenter. The Support Centre contains a variety of tools to help troubleshoot all things Config Mgr. I'm just going to do a very brief look at it here so the best thing to do is install it and have a look for yourself!
CM: Run Task Sequences using bootable USB media
Katy Nicholson, 7 August, 2020
If you've had to deploy any laptops recently you'll have noticed that it's very difficult to find smaller (lower budget) devices with onboard LAN any more. We recently replaced two trolleys of laptops and the only choice to keep within budget was to sacrifice the network port. While this isn't a problem for their day to day use (as we have full site wireless coverage), when it comes to deploying and updating them... not so great. Well, it's MEMCM to the rescue again with bootable media. If you have a look in Software Library\Operating Systems\Task Sequences, you may have noticed a button called "Create Task Sequence Media". This will let us pick from a range of media types; in this case we are interested in the first two - Stand-alone media, and Bootable media. You'll need a few USB pen drives handy, and make sure you insert the drive before launching the wizard or it'll not appear as an available device.
PaperCut Print Release using RFID cards
Katy Nicholson, 7 August, 2020
A couple of years ago we replaced our copier fleet and moved to PaperCut MF, with a single print queue for the entire site and users had to go to their nearest copier and enter their code to release their printing. Almost perfect setup but people struggle to remember 5 digit codes, so I had a look at using their existing student/staff ID cards instead. We already sync Active Directory to PaperCut so the ideal solution would be storing the RFID codes in Active Directory, and using that data as the user's login code in PaperCut.
Locking down the Win+X menu
Katy Nicholson, 5 August, 2020
Whilst the Win+X menu is really useful for sys admins, there's quite a lot of items on there that I'd rather not have pupils clicking on (even if they'd not get anywhere due to not having access rights). It's possible to customise this menu and remove items you don't want from it. The shortcuts are stored (per user) in %LOCALAPPDATA%\Microsoft\Windows\WinX in three folders - Group1, Group2 and Group3. I don't think it's possible to add custom shortcuts however deleting them will remove the corresponding item from the WinX menu.
CM: Deploying the new Edge (Edgium!)
Katy Nicholson, 4 August, 2020
I've been following the new Edge browser for a while, using the Dev version as my main browser for almost a year now. Now that it's been released I want to update my network to replace the old Edge with the new one - which I call Edgium. What better way to do this than using the built in Edge management section which appeared recently when I updated my Config Mgr installation?
Powershell Printer Script
Katy Nicholson, 4 August, 2020
Over the last 15 years I've tried pretty much every method of adding printers at logon there is - KIXTART script, VBS, Group Policy Preferences and Powershell. As part of speeding up logon, and investigating a weird issue with Windows 10 printers, I moved away from GPP and to Powershell shortly after we upgraded from Windows 8.1 to Windows 10. The issue being - roughly 5% of the time, on random user/computer combinations, printers would take a long time adding and then fail to add, with a non-specific error message. My first go at this was a basic powershell script which had a hard coded list of location/printer mapping, and it would run the "add printer" command repeatedly until the error went away. (It always added fine on the 2nd go). The problem with this is that it's a complicated script for technicians to update, and being a single threaded script the nice form it displays showing people what's happening would freeze while it was working in the background. My new script does the bulk of the work in background jobs - so printers add quicker (as it can do more than one at once), and the UI doesn't lock up and freeze. More importantly, it uses Group Policy Preferences by reading the XML file generated and applies that - so technicians have the familiar interface for adding/removing printers from the script.
CM: Scripts and updating the client Windows edition
Katy Nicholson, 2 August, 2020
We took delivery of 5 Surface Go tablets a while ago, as we are trialling a Surface Go paired up with a Microsoft Wireless Display adapter on the projector, to replace the traditional PC + interactive whiteboard. They came with Win 10 Pro pre-installed and I didn't fancy re-imaging them (given at the time I didn't have any Surface Docks, so no way to plug into the network). This post covers creating and running Powershell scripts through MEMCM as well as the script required to bump up the Windows edition.
Windows 10 and Super fast logon times
Katy Nicholson, 31 July, 2020
I've been working at really cutting down the initial logon times - I started last year, and again with me rolling out Windows 10 2004 I've had to struggle to remember what I actually did; one of the main reasons for my blog is helping out future Katy as she is very forgetful :) This has always been something that has bugged me, as I remember in 2003 at university there was a Windows 2000/XP network with some sort of NetWare back end. The Windows 2000 PCs (libraries etc. mostly) logged on in about 2 minutes, nice and speedy, but in the computing labs they ran XP and it was a 13 minute logon (literally 13 minutes as I timed it). Subsequent logons were also 13 minutes. Extremely frustrating, yet it means I've always been dismissive of people complaining of a 90 second logon time.
Removing Windows User Profiles
Katy Nicholson, 13 July, 2020
Just a quick one for today. I'm going through a bunch of laptops which have loads of old directories in C:\Users, in the form of Username, Username.Domain, Username.Domain.000, 001 etc. Most of these don't exist as profiles if you query CIM for win32_userprofile (and aren't in the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList). So I've knocked up a script which goes through the "official" profile list, deletes everything that isn't System/LocalService/NetworkService or the user running the script, and then goes through clearing anything that is left on disk (excluding the above plus the Public folder).
Hive Active Heating and a "proper" network
Katy Nicholson, 18 March, 2020
So I received a 35% off code from British Gas to get Hive Active Heating. As my boiler works off a time clock only (no thermostat) I decided this'd be great as I'd no longer have to guess how long I need to turn it on to get the temperature up on a weekend, and then forget to turn it off and have it wasting gas while I'm at work during the week. They say it has to plug directly into the router, etc. etc. Well, as my ISP provided router is in modem mode, this wouldn't work... it'd either not get an IP address, or take the IP address assigned to my actual router and break the rest of the network.
Schrodinger's Network Location - Direct Access client is both inside and outside corporate network at the same time?!
Katy Nicholson, 18 March, 2020
I'm currently working from home and managed to get myself locked out of a PC (Long story involving Bitlocker). Only way out from this was to re-install Windows and then rejoin to the domain. Re-install is easy as I have WDS configured on my home network. Re-joining the domain is easy, I could either do an offline domain join with Direct Access policies embedded, or just connect the FortiGate VPN and join the domain and run gpupdate. I went with the latter as it seemed like it'd be the easier option. As I'd used WDS, the PC was now part of my home network domain, so I removed it from the domain, renamed and rebooted. I then went and connected it to the work domain and ran gpupdate, all fine, and restarted the PC. That's when it got weird.
Applying Teams Policies to a group
Katy Nicholson, 13 March, 2020
I've recently needed to apply a PolicyPackage to a group of users (well, 2 packages to 2 groups) using PowerShell - as the Teams Admin centre only allows you to apply to users by typing in all the names one at a time and pressing Add - and discovered the New-CsGroupPolicyAssignment cmdlet, which looks good. However, this applies a policy to a group, but I want to apply a policy package.
OneDrive - "The Specified View is Invalid" Error
Katy Nicholson, 10 June, 2019
So I had a user whose OneDrive for Business had stopped working in the browser (but worked OK via the sync client). They were receiving an error 'The Specified View is Invalid'.
Powershell Remoting
Katy Nicholson, 28 February, 2019
I recently discovered one of my deployment scripts does not work on Win 10 1809 any more (it ran dism to install the .NET Framework 3.5 - it just errors out); however, the PowerShell version (Add-WindowsCapability) works fine. I had to get this rolled out to a handful of PCs ASAP in order for a legacy application to successfully run. As time was of the essence, I ended up running round the 24 PCs like an idiot, logging on and running the command, but I thought "Why don't I just enable PS Remoting, then I could at least do this from my desk scripted". Obviously the ideal solution would be to deploy the Netfx3 install via SCCM but PS Remoting will still be handy.
The Missing PXE Advertisement
Katy Nicholson, 19 February, 2019
Today I had "The Case of the Missing PXE Advertisement" with a PC. Bit of background - I've an OSDeploy device collection which has a zero touch MDT Task Sequence deployed to it, advertised to PXE and Media only, and set to always rerun program. So anything in this collection will automatically get the deployment. Infinite loops are prevented by the "PXE Deployments" flag that is automatically set on computer objects once they have started a PXE deployment. To re-image a PC I just drop it back in the collection and clear the flag. I've also got one which prompts for the computer name, advertised as optional to all Unknown Computers. New kit I boot to this and put the name in and off it goes.
Classroom Queue in Papercut MF
Katy Nicholson, 13 September, 2018
We've recently switched from Ringdale FollowMe to PaperCut MF and I wanted to bring over our classroom queues. Unfortunately the supplier said this couldn't be done, so I did some experimenting and worked out how myself. The idea behind the classroom queue is that a second printer is listed on each PC in the room, so for room 10 the PCs would all show the "PaperCut" printer and also "Room 10". Print to PaperCut and you use your personal code to release, print to Room 10 and you use the room code. This way a class of 24 pupils can all print their work to the Room 10 queue, then the teacher (or a single pupil) can go and release all 24 documents in one go. Loads quicker than a queue forming at the device. To do this I did the following:
Wake on LAN across subnets with HP switches
Katy Nicholson, 10 June, 2018
As part of setting up Config Mgr I wanted to get all PCs to wake-on-LAN to enable truly zero touch deployment. I'm using mostly HP v1910/1920 edge switches with a HP 5406zl core switch. To send WoL packets while testing I'm using a tool from http://magicpacket.free.fr/ (once all set up Config Mgr will be doing the wake on LAN packets).
Office 365 Automated Signature Generator
Katy Nicholson, 9 June, 2018
I've been looking for a while at a way to automate email signatures for everybody using OWA on Office 365. The new layout we want for our signatures includes images and everywhere I've read says it's impossible to embed images in a signature set using PowerShell. (Note I want them embedded rather than hotlinked). The solution I came up with takes details from the Active Directory user account - I'm using the description field to insert the person's name (to allow things like "Mrs Blah" rather than just outputting firstname surname), fields like title (job title), telephone, mobile and also using a few of the extensionAttributes for the Twitter/Facebook links. All of these are standard fields so no need to mess with the AD schema.
Windows 10, UEFI and PXE booting
Katy Nicholson, 8 June, 2018
I recently set up System Centre Configuration Manager to take over from MDT for imaging PCs. The end result I'm after is that all PCs attempt PXE boot when powered up, and then automatically image if there's a task deployment waiting for them. (Bonus points for getting wake-on-LAN to work with Win 10 so they'll power themselves up too.) I thought this would be easy - surely just set network as the first boot device - only to discover that (on a UEFI booted system) part of Windows setup adds "Windows Boot Manager" and sets it as the first device in the boot list, with no way to stop it. I've come up with a PowerShell script which uses bcdedit to mess with the boot order - first it looks for an entry containing "IP4", grabs its ID then sets this as the default. For some reason just being default doesn't mean it's the first in the list - so it then changes the boot order to network followed by Boot Manager.