This device cannot use a Trusted Platform Module – Windows 10 1909 Virtual Machines

When testing BitLocker encryption on the new Windows 10 1909 release in my VMware environment, I ran into the following error:

This device cannot use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at start-up” policy for OS volumes.

Open your Local Group Policy editor.

Locate the following setting under Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption –> Operating System Drives:

Require additional authentication at startup

We now need to edit this policy to enable the required settings; please use the screenshot below as your guide.

Once the policy has been enabled with the required settings, re-run BitLocker Drive Encryption and this time it will succeed.
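The following is an added example, not code from the original post: a quick check you can run on the VM before re-running BitLocker. It reports whether a usable TPM is present and whether the policy above has been applied. It assumes the policy is represented in the registry as UseAdvancedStartup=1 and EnableBDEWithNoTPM=1 under HKLM:\SOFTWARE\Policies\Microsoft\FVE (the registry-backed form of the GPO setting) and that it is run from an elevated session.

```powershell
# Added example (not from the original post): is this machine ready for BitLocker on the OS volume?
# Assumptions: "Require additional authentication at startup" with "Allow BitLocker without a
# compatible TPM" writes UseAdvancedStartup=1 and EnableBDEWithNoTPM=1 under the FVE policy key.
# Run in an elevated PowerShell session.

function Get-BitLockerTpmReadiness {
    [CmdletBinding()]
    param()

    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    # Get-Tpm comes from the TrustedPlatformModule module; on a VM without a virtual TPM
    # it reports TpmPresent = $false (or fails), which is exactly the case from the post.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }

    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $tpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # Missing values (no policy applied) cast to 0
    $advancedStartup = [int]$policy.UseAdvancedStartup
    $allowNoTpm      = [int]$policy.EnableBDEWithNoTPM
    $policyAllowsNoTpm = ($advancedStartup -eq 1) -and ($allowNoTpm -eq 1)

    [PSCustomObject]@{
        TpmPresent               = $tpmPresent
        TpmReady                 = $tpmReady
        PolicyUseAdvancedStartup = $advancedStartup
        PolicyAllowNoTpm         = $allowNoTpm
        # BitLocker can be enabled when a ready TPM exists, or the policy allows running without one
        CanEnableBitLocker       = $tpmReady -or $policyAllowsNoTpm
        # Without a TPM the OS volume key is protected by a startup key or password only,
        # so the protection is not hardware-rooted; fine for a test VM, not for production
        HardwareRooted           = $tpmReady
    }
}

Get-BitLockerTpmReadiness | Format-List
```

If CanEnableBitLocker is False and PolicyAllowNoTpm is 0, the policy has not been applied yet (run gpupdate or re-check the setting); if it is True but HardwareRooted is False, you are relying on the no-TPM exception the post enables.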

Regards
The Author – Blogabout.Cloud

Install-Module : The term ‘Install-Module’ is not recognized as the name of a cmdlet, function, script file, or operable program

Recently, I was trying to use the Install-Module cmdlet to install a required module for some testing on a client machine; however, I ran into the following error:

Install-Module : The term 'Install-Module' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Install-Module MSOnline
    + CategoryInfo          : ObjectNotFound: (Install-Module:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

This error usually occurs if your PowerShell is not up to date: the PowerShell major version must be 5 or greater. Run the following to check your PowerShell version.


$PSVersionTable.PSVersion

My PowerShell major version was 4.

To resolve the error, I took the following steps.

Download Windows Management Framework 5.1

Here, make sure to choose Win8.1AndW2K12R2-KB3191564-x64.msu if you have a Windows Server 2012 or 2012 R2 machine.


Download and install Windows Management Framework 5.1; the installer will then ask you to restart the machine.
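As an added example (not part of the original post), the check below runs on the affected machine before you reach for Install-Module: it reports the PowerShell version, whether the cmdlet resolves at all, and which PowerShellGet version (the module that ships Install-Module) is on the module path, so the "not recognized" error is explained rather than guessed at. The function name is chosen here and is not a built-in cmdlet.

```powershell
# Added example (not from the original post): check the prerequisites Install-Module depends on.
# Install-Module is part of the PowerShellGet module, which first shipped with WMF / PowerShell 5.0.

function Test-InstallModulePrerequisites {
    [CmdletBinding()]
    param(
        # Minimum major version the post calls for
        [int]$MinimumMajorVersion = 5
    )

    $psVersion = $PSVersionTable.PSVersion
    $versionOk = $psVersion.Major -ge $MinimumMajorVersion

    # Does the cmdlet resolve at all? SilentlyContinue avoids the CommandNotFoundException seen in the post
    $cmd = Get-Command -Name Install-Module -ErrorAction SilentlyContinue

    # Highest PowerShellGet version on the module path, if any
    $psGet = Get-Module -Name PowerShellGet -ListAvailable |
             Sort-Object Version -Descending | Select-Object -First 1

    $advice = if (-not $versionOk) {
        "PowerShell $psVersion is older than $MinimumMajorVersion.0: install Windows Management Framework 5.1 and reboot."
    } elseif (-not $cmd) {
        "PowerShell version is fine but PowerShellGet is missing from the module path; check `$env:PSModulePath."
    } else {
        "Install-Module is available (PowerShellGet $($psGet.Version))."
    }

    [PSCustomObject]@{
        PowerShellVersion      = $psVersion.ToString()
        VersionMeetsMinimum    = $versionOk
        InstallModuleAvailable = [bool]$cmd
        PowerShellGetVersion   = if ($psGet) { $psGet.Version.ToString() } else { $null }
        Advice                 = $advice
    }
}

Test-InstallModulePrerequisites | Format-List
```

On the Windows Server 2012 R2 box from the post this reports PowerShellVersion 4.x and VersionMeetsMinimum False, which points straight at the WMF 5.1 install; after the reboot, rerun it to confirm InstallModuleAvailable is True.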

Regards
The Author – Blogabout.Cloud

Merging on-premise AD User Objects with existing Azure AD user Objects.

This post explains how to merge an on-premises AD user object with an already existing Azure AD user by hard-matching on the sourceAnchor/immutableID property. I recently experienced this with a customer who was merging their contoso.com addresses into their fabrikam.com Azure AD accounts.

As you can imagine this isn't a simple process, but with the power of PowerShell and a good old-fashioned “I can” attitude, this merger was a complete success.

Before we continue I would like to state that there are two methods Azure AD Connect uses to match existing users:
– Soft-Match
– Hard-Match

When you install Azure AD Connect and start synchronizing, the Azure AD sync service (in Azure AD) checks every new object and tries to find an existing object to match. Three attributes are used for this process: userPrincipalName, proxyAddresses, and sourceAnchor/immutableID.

Soft-Match

Soft-Match uses the userPrincipalName and proxyAddresses properties to match existing users.

Hard-Match

Hard-Match uses the sourceAnchor/immutableID property. You can only select which property is used as sourceAnchor during the installation of Azure AD Connect, as described in Microsoft's documentation.

If the selected sourceAnchor is not of type string, Azure AD Connect Base64-encodes the attribute value to ensure no special characters appear.

Important Note

By default, Azure AD Connect (version 1.1.486.0 and older) uses objectGUID as the sourceAnchor attribute. objectGUID is system-generated.

So we only have to set the immutableID property of the existing user in Azure AD to the Base64-encoded string of the objectGUID of the user in our on-premises AD. If you have already synchronized your Active Directory, you probably have two users with the same name in your Azure AD. Follow these steps to finally merge those users:

Execute the following PowerShell commands on the machine with your on-premises AD, and the Azure PowerShell commands via the Azure Cloud Shell.

In my scenario, the customer's Email Address on the Active Directory account didn't match the PrimarySMTPAddress in Azure AD; however, the PrimarySMTPAddress in Exchange was correct. So I needed to match both objects using the PrimarySMTPAddress from Exchange and Azure AD in order to set the ImmutableID. I wrote a PowerShell script to gather the PrimarySMTPAddress from Exchange along with the required information from Active Directory.

1. Get ObjectId from All AD Users


# Requires the ActiveDirectory module and an Exchange management session (for Get-Mailbox)
$reportoutput = @()
$users = Get-ADUser -Filter * -Properties *
$users | ForEach-Object {

    $user = $_
    # The mailbox carries the authoritative PrimarySMTPAddress; Name is used as the mailbox identity
    $exchange = Get-Mailbox -Identity $user.Name -ErrorAction SilentlyContinue
    # ImmutableID = Base64 of the 16 objectGUID bytes, which is what Azure AD Connect writes as sourceAnchor
    $immutableid = [System.Convert]::ToBase64String($user.ObjectGUID.ToByteArray())

    $report = New-Object -TypeName PSObject
    $report | Add-Member -MemberType NoteProperty -Name 'DisplayName' -Value $user.DisplayName
    $report | Add-Member -MemberType NoteProperty -Name 'PrimarySMTPAddress' -Value $exchange.PrimarySMTPAddress
    $report | Add-Member -MemberType NoteProperty -Name 'UserPrincipalName' -Value $user.UserPrincipalName
    $report | Add-Member -MemberType NoteProperty -Name 'ImmutableID' -Value $immutableid
    Write-Host ('INFO: The following user {0} has the ImmutableID of {1}' -f $user.Name, $immutableid)
    $reportoutput += $report
}
# Report
$reportoutput | Export-Csv -Path "$env:USERPROFILE\desktop\immutableid.csv" -NoTypeInformation -Encoding UTF8

2. Remove duplicated Azure AD User

If you have synced users and now have duplicate accounts, you will need to remove these before continuing. A simple way of doing this is changing the OU you have synced which caused the duplicates, or you can use the Azure Portal.

Deleted Users

But if you love PowerShell, the following command is also possible:


Remove-AzureADUser -ObjectId <objectid>

3. Get Azure AD User ObjectID

One of the key requirements for this post is the ObjectID of the Azure Active Directory account we want to match against. The following PowerShell command lists all users with their ObjectId and exports them to your desktop.


# -All $true is needed, otherwise only the first page of users is returned
Get-AzureADUser -All $true | Export-Csv -Path "$env:USERPROFILE\desktop\AzureADUser.csv" -NoTypeInformation

4. Matching my CSV Files

So I ended up with two CSV files:

– Export of AD with PrimarySMTPAddress from Exchange
– Export of Azure AD with ObjectID and PrimarySMTPAddress.

A few months ago I came across a little gem in the PowerShell world called ImportExcel, a PowerShell module I have discussed in the past.

Once you have a single pane of glass with ObjectID and ImmutableID matched in a CSV, you can set the ImmutableID for all your Azure AD objects.
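The post does not show the matching itself, so here is an added example (not the author's code) of joining the two exports from steps 1 and 3 on the PrimarySMTPAddress, plus a round-trip check of the ImmutableID derivation from step 1. The sample rows are constructed for the example; in practice replace them with Import-Csv of immutableid.csv and AzureADUser.csv. It assumes the Azure AD export carries the primary address in its Mail column (a column choice made for this example) and that matching must be case-insensitive, which is why addresses are lower-cased before lookup.

```powershell
# Added example (not from the original post): match on-premises ImmutableIDs to Azure AD ObjectIds
# by PrimarySMTPAddress, and verify the Base64 ImmutableID really encodes one GUID.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Same derivation as step 1: Base64 of the 16 GUID bytes
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse check: a valid ImmutableID decodes to exactly 16 bytes, i.e. one GUID
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableID '$ImmutableId' does not decode to a GUID" }
    [guid]::new($bytes)
}

function Join-ImmutableIdToAzureAdUser {
    param(
        [Parameter(Mandatory)][object[]]$OnPremExport,   # rows with PrimarySMTPAddress, ImmutableID
        [Parameter(Mandatory)][object[]]$AzureAdExport   # rows with ObjectId, Mail (assumed column)
    )
    # Index Azure AD users by lower-cased mail so the match is case-insensitive and O(1) per lookup
    $byMail = @{}
    foreach ($u in $AzureAdExport) {
        if ($u.Mail) { $byMail[$u.Mail.ToLowerInvariant()] = $u }
    }

    foreach ($row in $OnPremExport) {
        $key   = if ($row.PrimarySMTPAddress) { $row.PrimarySMTPAddress.ToLowerInvariant() } else { $null }
        $match = if ($key) { $byMail[$key] } else { $null }
        [PSCustomObject]@{
            PrimarySMTPAddress = $row.PrimarySMTPAddress
            ObjectId           = if ($match) { $match.ObjectId } else { $null }
            ImmutableID        = $row.ImmutableID
            # Unmatched rows must be reviewed by hand, never pushed with Set-AzureADUser
            Status             = if ($match) { 'Matched' } else { 'NoAzureAdMatch' }
        }
    }
}

# Constructed sample data (not real tenants, users or GUIDs)
$onPrem = @(
    [PSCustomObject]@{ DisplayName = 'Alice Example'; PrimarySMTPAddress = 'alice@fabrikam.com'
                       ImmutableID = ConvertTo-ImmutableId '11111111-2222-3333-4444-555555555555' }
    [PSCustomObject]@{ DisplayName = 'Bob Example';   PrimarySMTPAddress = 'bob@fabrikam.com'
                       ImmutableID = ConvertTo-ImmutableId '66666666-7777-8888-9999-aaaaaaaaaaaa' }
)
$azureAd = @(
    [PSCustomObject]@{ ObjectId = '00000000-0000-0000-0000-000000000001'; Mail = 'Alice@fabrikam.com' }
    [PSCustomObject]@{ ObjectId = '00000000-0000-0000-0000-000000000002'; Mail = 'carol@fabrikam.com' }
)

$matched = Join-ImmutableIdToAzureAdUser -OnPremExport $onPrem -AzureAdExport $azureAd
$matched | Format-Table -AutoSize
# Alice is Matched (case-insensitive), Bob is NoAzureAdMatch and must be investigated before step 5

# Sanity check on the round trip before writing anything to Azure AD
ConvertFrom-ImmutableId -ImmutableId $onPrem[0].ImmutableID   # -> 11111111-2222-3333-4444-555555555555

# Only matched rows go on to step 5
$matched | Where-Object Status -eq 'Matched' |
    Export-Csv -Path "$env:USERPROFILE\desktop\immutableid-matched.csv" -NoTypeInformation -Encoding UTF8
```

The Status column is the important part: a row with no Azure AD match usually means the mailbox address and the cloud account disagree (the exact situation the post describes), and setting an ImmutableID on the wrong cloud object would hard-match the wrong user, so those rows are excluded from the bulk step.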

5. Set immutableId for Azure AD User in Bulk

Run the following script against Azure AD using PowerShell.


#region Import the matched CSV (ObjectId + ImmutableID columns from step 4)
$Filepath1 = "$env:USERPROFILE\desktop\immutableid.csv"
$csv1 = Import-Csv -Path $Filepath1
#endregion

# Record every change; a transcript is plain text, so it is written as .txt rather than .csv
Start-Transcript -Path "$env:USERPROFILE\desktop\PilotUser.txt"

foreach ($user in $csv1) {
    # Hard-match: Azure AD will pair this cloud object with the on-premises user whose objectGUID encodes to this value
    Set-AzureADUser -ObjectId $user.ObjectId -ImmutableId $user.ImmutableID
    Write-Host $user.PrimarySMTPAddress, "with ObjectID", $user.ObjectId, "has been set with ImmutableID", $user.ImmutableID
}
Stop-Transcript

6. Start AD Sync

You can now resync the OUs that hold the user accounts, and hard matching will complete using the newly set ImmutableID.


Start-ADSyncSyncCycle -PolicyType Delta

Regards
The Author – Blogabout.Cloud

Microsoft Teams Roadmap Announcements for October 2019

The following post contains the new and updated features from October 2019. It enables you to quickly glance at the Microsoft Teams Roadmap based on the latest information provided by Microsoft.

One thing I have included in this month's round-up is Microsoft Bookings, as it now integrates with Skype and Teams.

New Features

New Feature                                                     Current Status
Users can pin apps to the Teams left rail                       In Development
Microsoft Teams – teams auto-renewal                            In Development
Microsoft Teams – Phone System Administration Enhancements      In Development
Microsoft Teams – Silent Login                                  In Development
Microsoft Teams – Support for Google as an Identity Provider    In Development

Updated Features

Updated Feature                                                                     Current Status
Microsoft Teams: Music on Hold                                                      Launched
Microsoft Teams – Secondary Ringer and Answer From Anywhere                         Launched
Microsoft Teams – Reverse Number Lookup                                             Rolling Out
Microsoft Teams – Dynamic Emergency Calling for Calling Plans                       Launched
Microsoft Teams – Cloud Voicemail Enhancements                                      Launched
Microsoft Teams – Location Based Routing                                            Rolling Out
Microsoft Teams – Direct Routing Enhancements                                       In Development
Microsoft Teams desktop app rolls to existing installs of Office 365 ProPlus and
Microsoft/Office 365 Business/Business Premium (for the monthly channel only)       Launched
Microsoft Teams – Delegation Enhancements                                           Launched
Microsoft Teams – Channel Cross Posting                                             Launched
Microsoft Teams – Dynamic Emergency Calling for Direct Routing                      In Development

Remember if you would like to receive all the Microsoft Roadmaps updates to your Teams Client, check out this post.

Regards
The Author – Blogabout.Cloud

Microsoft Intune Developments from the Office 365 Roadmap for October 2019

The following post contains the new and updated features from October 2019. It enables you to quickly glance at the Office 365 Roadmap items that directly target Microsoft Intune, based on the latest information provided by Microsoft.

New Features

No new features were announced this month.

Updated Features

Updated Feature                                                                                   Current Status
Microsoft Intune management of Windows Defender Firewall rules                                    Launched
Outlook for Android: App configuration support without Microsoft Intune integration with
Apple’s volume purchase program (VPP) for macOS                                                   Launched
Microsoft Intune support for Managed Home Screen app on kiosks                                    Launched
Microsoft Intune support for fully managed Android Enterprise devices                             Launched
Microsoft Intune support for derived credentials on iOS                                           Launched
Microsoft Intune administration evolves with Microsoft 365 Device Management center               Launched
Microsoft Intune mobile threat defense for applications without enrollment                        Launched

Remember if you would like to receive all the Microsoft Roadmaps updates to your Teams Client, check out this post.

Regards
The Author – Blogabout.Cloud

Using Azure Blob Storage for your Intune applied Lock Screen and Desktop Background

Leveraging your Azure subscription for Microsoft Intune massively reduces the requirement for on-premises infrastructure. In this post I will show you how to use Azure Blob Storage to provide the Lock Screen and Desktop background, all with the power of the Microsoft Cloud.

First up you will need to create a storage account within your Azure subscription.

Create Storage Account

Specify the following;
– Resource Group
– Storage Account Name
– Location (Europe) UK South

Specify settings

Once the storage account has been created successfully, you will need to go to the resource.

Go to resource

– Go to “Containers”
– Create a new “Container”
– Specify the name of the Container
– Specify the Public Access level as “Blob”
– Then click OK

Specify settings

Click on your new “Container”

Created Container

Click Upload and upload your required .jpg file.

Click on the uploaded file and you will be provided with a URL which can be used.

Provide the URL in your required destination, for example Lock Screen, as shown below.

As you can see below, my Lock Screen and Desktop backgrounds are what I have specified.

Image for Lockscreen
Lockscreen
Image for Desktop
Desktop
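The same steps scripted with the Az PowerShell module, as an added example that is not part of the original post. It assumes Az.Accounts and Az.Storage are installed and Connect-AzAccount has been run; the resource group, account and container names and the local file path are placeholders chosen for this example. The -AllowBlobPublicAccess and -MinimumTlsVersion parameters are the ones current Az.Storage versions use, since newer accounts block anonymous access unless it is explicitly allowed. Because the container is readable by anyone with the URL (that is what the “Blob” access level means), the upload function refuses anything that is not an image.

```powershell
# Added example (not from the original post): create the storage account and a Blob-public
# container, upload the wallpaper and return the URL Intune needs. All names are placeholders.

$ResourceGroup = 'rg-intune-branding'          # placeholder
$Location      = 'uksouth'                      # UK South, as in the post
$AccountName   = 'stintunebranding01'           # placeholder; must be globally unique, 3-24 lowercase alphanumerics
$ContainerName = 'wallpapers'                   # placeholder
$ImagePath     = 'C:\Branding\lockscreen.jpg'   # placeholder

function New-WallpaperContainer {
    param($ResourceGroup, $Location, $AccountName, $ContainerName)

    if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
    }

    $account = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $account) {
        # Anonymous blob reads must be allowed at account level before a container can be made public
        $account = New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName `
            -Location $Location -SkuName Standard_LRS -Kind StorageV2 `
            -AllowBlobPublicAccess $true -MinimumTlsVersion TLS1_2
    }

    $ctx = $account.Context
    if (-not (Get-AzStorageContainer -Name $ContainerName -Context $ctx -ErrorAction SilentlyContinue)) {
        # -Permission Blob: anonymous read of individual blobs only, no container listing
        # (the same as choosing "Blob" for the Public Access level in the portal)
        New-AzStorageContainer -Name $ContainerName -Context $ctx -Permission Blob | Out-Null
    }
    return $account
}

function Publish-WallpaperImage {
    param($Account, $ContainerName, $ImagePath)

    $ext = [System.IO.Path]::GetExtension($ImagePath).ToLowerInvariant()
    if ($ext -notin '.jpg', '.jpeg', '.png') {
        throw "Refusing to upload $($ImagePath): only image files belong in a publicly readable container"
    }
    $contentType = if ($ext -eq '.png') { 'image/png' } else { 'image/jpeg' }
    $blobName = [System.IO.Path]::GetFileName($ImagePath)

    Set-AzStorageBlobContent -File $ImagePath -Container $ContainerName -Blob $blobName `
        -Context $Account.Context -Properties @{ ContentType = $contentType } -Force | Out-Null

    # Build the URL for the Intune setting from the account's primary blob endpoint
    return "$($Account.PrimaryEndpoints.Blob)$ContainerName/$blobName"
}

$account = New-WallpaperContainer -ResourceGroup $ResourceGroup -Location $Location `
    -AccountName $AccountName -ContainerName $ContainerName
$url = Publish-WallpaperImage -Account $account -ContainerName $ContainerName -ImagePath $ImagePath
Write-Host "Use this URL in the Intune Lock Screen / Desktop background setting: $url"
```

Keep this container for wallpaper images only: anything else placed in it is readable by anyone who learns the URL, and a separate, private container (or account) should hold any other Intune artefacts.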

Regards
The Author – Blogabout.Cloud

Enabling Windows Information Protection

Enterprise organizations today are becoming more and more security conscious about where corporate data resides. If you haven't come across Windows Information Protection yet, check out the video from Microsoft below.

Right, let's jump right into it.

Windows Information Protection is configured via the Microsoft Intune portal. Browse to Client Apps –> App protection policies –> Required settings

Windows Information Protection mode

  • Block: Block enterprise data from leaving protected apps
  • Allow overrides: User is prompted when attempting to relocate data from a protected to a non-protected app. If they choose to override this prompt, the action will be logged.
  • Silent: User is free to relocate data off of protected apps. No actions are logged.
  • Off: User is free to relocate data off of protected apps. No actions are logged.

You will need to specify your corporate identity; if you have multiple identities you will need to add them under “Protected Domains” in “Advanced settings” –> “Add network boundary”.

Protected domains

Once you have selected the Windows Information Protection mode, we need some applications to protect.

Protected Apps

This step is definitely one of the easiest, as Microsoft has already generated a list of all the default applications; all you need to do is go to “Protected Apps” and “Add apps”.

For the purpose of this blog, I have left out the Cloud Resources, as shown below.

This detail can be found via the following URL

Now you are good to go to protect your corporate information.

Regards
The Author – Blogabout.Cloud

Autopilot – Provisioning information could not be located. Contact the customer IT admin to troubleshoot

I have recently been running into the following issue when using the white glove experience for Windows Autopilot. The error occurs around the 14-minute mark, when “Registering the device for mobile management”.

Device preparation
Windows Autopilot Configuration

This issue is caused by multiple MDM enrollment applications being defined within the Mobility (MDM and MAM) blade of your Azure Active Directory.

Once I had removed the Microsoft Intune Enrollment application, Windows Autopilot provisioning was able to complete successfully.

Regards
The Author – Blogabout.Cloud

Deploying Cloud App Security

I have recently been investigating Cloud App Security and how it can benefit organizations that are already paying for this functionality without even knowing it. Do you already pay for any of the following Microsoft licenses?

  • Microsoft Cloud App Security
  • Microsoft Cloud App Security + Enterprise Mobility & Security E3 (EMS E3)
  • Enterprise Mobility & Security E5 (EMS E5)
  • Microsoft 365 E5 Security
  • Microsoft 365 E5
  • Microsoft 365 Education A5
  • Office 365 E5
  • Azure AD Premium 1

If yes, you are licensed to enable Cloud App Security for your organization.

For more information about the licensing requirements, click on the following URL:
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2NXYO

Starting with Cloud App Security

Cloud App Security – Dashboard

Getting started with Cloud App Security

Log process flow: From raw data to risk assessment

The process of understanding the risk within your organisation from a cloud security perspective starts here. You can upload data to Cloud App Security; processing takes between a few minutes and several hours depending on the amount of data.

  • Upload – Web traffic logs from your network are uploaded to the portal.
  • Parse – Cloud App Security parses and extracts traffic data from the traffic logs with a dedicated parser for each data source.
  • Analyze – Traffic data is analyzed against the Cloud App Catalog to identify more than 16,000 cloud apps and to assess their risk score. Active users and IP addresses are also identified as part of the analysis.
  • Generate report – A risk assessment report of the data extracted from log files is generated.

Note

Continuous report data is analyzed twice a day.

Supported firewalls and proxies

Cloud App Security supports data uploads from the following firewalls and proxies.

  • Barracuda – Web App Firewall (W3C)
  • Blue Coat Proxy SG – Access log (W3C)
  • Check Point
  • Cisco ASA with FirePOWER
  • Cisco ASA Firewall (For Cisco ASA firewalls, it’s necessary to set the information level to 6)
  • Cisco Cloud Web Security
  • Cisco FWSM
  • Cisco IronPort WSA
  • Cisco Meraki – URLs log
  • Clavister NGFW (Syslog)
  • Digital Arts i-FILTER
  • Forcepoint
  • Fortinet Fortigate
  • iboss Secure Cloud Gateway
  • Juniper SRX
  • Juniper SSG
  • McAfee Secure Web Gateway
  • Microsoft Forefront Threat Management Gateway (W3C)
  • Palo Alto series Firewall
  • Sonicwall (formerly Dell)
  • Sophos SG
  • Sophos XG
  • Sophos Cyberoam
  • Squid (Common)
  • Squid (Native)
  • Stormshield
  • Websense – Web Security Solutions – Investigative detail report (CSV)
  • Websense – Web Security Solutions – Internet activity log (CEF)
  • Zscaler

Create Cloud Discovery snapshot report
Sample Report

Automatic Risk Assessment

Cloud App Security also enables organizations to automatically discover the cloud apps in use from the activity in your firewall logs. This is done via Log Collectors, which allow organizations to upload logs to Cloud App Security. Every single log is automatically transferred to the portal; the behaviour differs depending on whether you use FTP or Syslog.

FTP Uploads

FTP logs are uploaded to Microsoft Cloud App Security after the file has finished its FTP transfer to the Log Collector.

SysLog Uploads

The Log Collector writes the received logs to disk. The collector then uploads the file to Cloud App Security once the file size is larger than 40 KB.

However, you may want to check that the data being used for automatic upload is in a valid format. Check out this link for more information: https://docs.microsoft.com/en-us/cloud-app-security/create-snapshot-cloud-discovery-reports#using-traffic-logs-for-cloud-discovery-
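Before pointing a Log Collector at a firewall or proxy, it helps to confirm the log actually carries what the Parse and Analyze stages above need. The following is an added example, not the author's code or Microsoft's parser: a small validator for the W3C extended log format that several sources in the list emit. It checks that the #Fields: header names a timestamp, a client identity (IP or user name), a destination host and byte counts, skips malformed rows, and sums upload/download bytes per host, which is the unit Cloud Discovery scores against the app catalog. The required-field groups and the sample lines are constructed for this example; verify them against the linked documentation for your source.

```powershell
# Added example (not from the original post): validate a W3C extended log for Cloud Discovery upload.
# Assumption: a usable log needs a time, a client (IP or user), a destination host and byte counts.

function Test-CloudDiscoveryW3CLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Any one field per group is enough
    $requiredGroups = @{
        Time        = @('date', 'time')
        Client      = @('c-ip', 'cs-username')
        Destination = @('cs-host', 'cs-uri', 'r-host')
        Bytes       = @('sc-bytes', 'cs-bytes')
    }

    # The #Fields: directive names the columns; other '#' lines are comments
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) {
        return [PSCustomObject]@{ Valid = $false; Reason = 'No #Fields: directive'; Rows = 0; Hosts = @() }
    }
    $fields = ($fieldsLine -replace '^#Fields:\s*', '') -split '\s+'

    $missing = foreach ($group in $requiredGroups.Keys) {
        if (-not ($requiredGroups[$group] | Where-Object { $fields -contains $_ })) { $group }
    }

    $rows = foreach ($line in $Lines) {
        if ($line -match '^\s*#' -or $line -match '^\s*$') { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed row: column count mismatch
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [PSCustomObject]$row
    }
    $rows = @($rows)

    # Per-host totals: sc-bytes is server-to-client (download), cs-bytes client-to-server (upload)
    $hosts = $rows | Where-Object { $_.'cs-host' -and $_.'cs-host' -ne '-' } |
        Group-Object -Property 'cs-host' | ForEach-Object {
            [PSCustomObject]@{
                Host          = $_.Name
                Hits          = $_.Count
                DownloadBytes = ($_.Group | ForEach-Object { [long]$_.'sc-bytes' } | Measure-Object -Sum).Sum
                UploadBytes   = ($_.Group | ForEach-Object { [long]$_.'cs-bytes' } | Measure-Object -Sum).Sum
            }
        }

    [PSCustomObject]@{
        Valid  = ($missing.Count -eq 0) -and ($rows.Count -gt 0)
        Reason = if ($missing) { "Missing field groups: $($missing -join ', ')" } else { 'OK' }
        Rows   = $rows.Count
        Hosts  = @($hosts)
    }
}

# Constructed sample log (not a real capture): one user, two destinations, one truncated row
$sampleLog = @'
#Software: Example Proxy
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-host cs-uri sc-status sc-bytes cs-bytes
2019-10-01 08:00:01 10.0.0.5 DOMAIN\alice GET contoso.sharepoint.com /sites/hr 200 48213 512
2019-10-01 08:00:07 10.0.0.5 DOMAIN\alice POST www.example-filesharing.test /upload 200 312 9981234
2019-10-01 08:00:09 10.0.0.5 DOMAIN\alice GET contoso.sharepoint.com /sites/hr/doc.docx 200 120044 488
2019-10-01 08:00:11 10.0.0.5 DOMAIN\alice
'@ -split "`r?`n"

$result = Test-CloudDiscoveryW3CLog -Lines $sampleLog
$result | Select-Object Valid, Reason, Rows | Format-List
$result.Hosts | Sort-Object UploadBytes -Descending | Format-Table -AutoSize
# Valid is True with 3 rows (the truncated last line is skipped); the file-sharing host stands out by upload bytes,
# which is the kind of signal the risk assessment report surfaces once the real logs are uploaded
```

A log that fails this check (for example a Cisco ASA export at the wrong information level, as the list above notes) would still upload, but the Analyze stage could not attribute traffic to users or apps, so the resulting report would be hollow.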

App connectors

App connectors use APIs from cloud app providers to integrate the Cloud App Security cloud with other cloud apps. App connectors extend control and protection. They also give you access to information directly from cloud apps, for Cloud App Security analysis.

To connect an app and extend protection, the app administrator authorizes Cloud App Security to access the app. Then Cloud App Security queries the app for activity logs, and it scans data, accounts, and cloud content. Cloud App Security can enforce policies, detect threats, and provide governance actions for resolving issues.

So how does this look from the portal?

List of Connected Apps available today

Let's connect Office 365 for the purpose of this post.

Connect Office 365
Select the components you would like to monitor and connect the app
Success

Conditional Access App Control protection

Microsoft Cloud App Security Conditional Access App Control uses a reverse proxy architecture to give you the tools you need for real-time visibility and control over access to, and activities performed within, your cloud environment. With Conditional Access App Control, you can protect your organization by:

  • Avoid data leaks by blocking downloads before they happen
  • Set rules that force data stored in and downloaded from the cloud to be protected with encryption
  • Gain visibility into unprotected endpoints so you can monitor what’s being done on unmanaged devices
  • Control access from non-corporate networks or risky IP addresses

Conditional Access App Control protection

With Conditional Access App Control protection you can define whether you want to monitor what is being accessed or block it.

Conditional Access Policies

When configured, you will notice the below appear for all access-controlled applications.

Policies

Once you have configured the basics above, the next step is to enable the policies you would like to run within your environment. Out of the box you receive a number of policies deemed appropriate by Microsoft, but there may be additional ones you would like; for example:

In my environment I have created a policy that checks for OneDrive documents shared outside my business to specific domains.

This policy also has the power to remove the external user to prevent access, and this is where Cloud App Security really comes into its own, as it gives organisations and IT administrators the power to really take control of corporate data.

I hope you found this run-through helpful.

Regards,
The Author – Blogabout.Cloud

Windows Information Protection with Enrollment

After a bit of recent investigation into App Protection policies, I have noticed a large chunk of information missing from Microsoft resources and other blog posts. I recently experienced an issue where network boundaries were not configured correctly, and I had to ensure that all applications being protected did not experience any issues accessing corporate resources.

It is recommended to use the following when adding a network boundary.

Type                Name             Value
Cloud Resources     Office 365       portal.office.com|tasks.office.com|protection.office.com|meet.lync.com|teams.microsoft.com
Cloud Resources     Outlook Online   outlook.office.com|outlook.office365.com
Cloud Resources     AppCompat        /*AppCompat*/
Cloud Resources     SharePoint       contoso.sharepoint.com|contoso-my.sharepoint.com|contoso-files.sharepoint.com
Neutral Resources   Neutral          login.windows.net,login.microsoftonline.com
Cloud Resources     Yammer           www.yammer.com|yammer.com|persona.yammer.com

Intune App Protection – Advanced settings

This will provide all the required boundaries relevant to most Microsoft deployments.
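Added example, not code from the original post: it turns the boundary table above into objects and answers, for a given hostname, which boundary (if any) covers it, so you can test a protected app's endpoints before users hit the access problem described here and in the “Add network boundary” step of the earlier Windows Information Protection post. It assumes, for this example, that Cloud Resources entries are '|'-separated hostnames, Neutral Resources entries are ','-separated, that a listed host also covers its subdomains, and that '/*AppCompat*/' is a special token rather than a host; the contoso.* names are placeholders from the table.

```powershell
# Added example (not from the original post): parse WIP network boundaries and check hostname coverage.

$boundaryTable = @(
    @{ Type = 'Cloud Resources';   Name = 'Office 365';     Value = 'portal.office.com|tasks.office.com|protection.office.com|meet.lync.com|teams.microsoft.com' }
    @{ Type = 'Cloud Resources';   Name = 'Outlook Online'; Value = 'outlook.office.com|outlook.office365.com' }
    @{ Type = 'Cloud Resources';   Name = 'AppCompat';      Value = '/*AppCompat*/' }
    @{ Type = 'Cloud Resources';   Name = 'SharePoint';     Value = 'contoso.sharepoint.com|contoso-my.sharepoint.com|contoso-files.sharepoint.com' }
    @{ Type = 'Neutral Resources'; Name = 'Neutral';        Value = 'login.windows.net,login.microsoftonline.com' }
    @{ Type = 'Cloud Resources';   Name = 'Yammer';         Value = 'www.yammer.com|yammer.com|persona.yammer.com' }
)

function ConvertTo-WipBoundary {
    param([Parameter(Mandatory)][hashtable[]]$Table)
    foreach ($row in $Table) {
        # Assumption: Cloud Resources use '|' between hosts, Neutral Resources use ','
        $separator      = if ($row.Type -eq 'Neutral Resources') { ',' } else { '|' }
        $wrongSeparator = if ($separator -eq ',') { '|' } else { ',' }
        # The wrong separator silently turns two hosts into one unmatchable string,
        # which is exactly the kind of misconfiguration that breaks app access
        if ($row.Value -ne '/*AppCompat*/' -and $row.Value.Contains($wrongSeparator)) {
            Write-Warning "$($row.Name): '$wrongSeparator' found but $($row.Type) uses '$separator'"
        }
        [PSCustomObject]@{
            Type  = $row.Type
            Name  = $row.Name
            Hosts = if ($row.Value -eq '/*AppCompat*/') { @() }
                    else { $row.Value.Split($separator) | ForEach-Object { $_.Trim().ToLowerInvariant() } }
        }
    }
}

function Find-WipBoundary {
    param(
        [Parameter(Mandatory)][object[]]$Boundaries,
        [Parameter(Mandatory)][string]$HostName
    )
    $h = $HostName.ToLowerInvariant()
    foreach ($b in $Boundaries) {
        foreach ($listed in $b.Hosts) {
            # Exact host, or a subdomain of a listed host (assumption for this example)
            if ($h -eq $listed -or $h.EndsWith('.' + $listed)) {
                return [PSCustomObject]@{ HostName = $HostName; Type = $b.Type; Boundary = $b.Name }
            }
        }
    }
    # Not covered: the destination is not treated as a corporate resource by WIP
    [PSCustomObject]@{ HostName = $HostName; Type = 'Not covered'; Boundary = $null }
}

$boundaries = ConvertTo-WipBoundary -Table $boundaryTable
'teams.microsoft.com', 'contoso-my.sharepoint.com', 'login.microsoftonline.com', 'contoso.example' |
    ForEach-Object { Find-WipBoundary -Boundaries $boundaries -HostName $_ } |
    Format-Table -AutoSize
# teams.microsoft.com -> Office 365, contoso-my.sharepoint.com -> SharePoint,
# login.microsoftonline.com -> Neutral, contoso.example -> Not covered
```

Feed the function the hostnames a protected app actually contacts (from its documentation or from proxy logs) and any "Not covered" result is a boundary you are missing; the separator warning catches the other common mistake, a comma in a Cloud Resources entry or a pipe in a Neutral Resources one.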

Regards
The Author – Blogabout.Cloud