Testing Device Registration Connectivity for Microsoft Intune

I have recently been working with a customer who was experiencing connectivity problems to the Microsoft URLs that device registration depends on. While looking at potential solutions I came across a PowerShell script that tested the following URLs:

login.microsoftonline.com
device.login.microsoftonline.com
enterpriseregistration.windows.net

However, the script did not take Seamless Single Sign-On into account, which has a URL of its own:
autologon.microsoftazuread-sso.com

I have made the necessary modifications so that the script also tests autologon.microsoftazuread-sso.com, as listed above.
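As an added illustration (this is not the Test-DeviceRegConnectivity script from the post, and the function name is my own), the probe below checks each of the four hosts in three stages: DNS resolution, a TCP connect on 443 with a timeout, and a TLS handshake. It deliberately reports the subject and issuer of whatever certificate is presented, because the most common cause of device-registration failures behind a corporate proxy is TLS break-and-inspect, and device.login.microsoftonline.com in particular must see the device certificate end to end.

```powershell
# Added example, not the Test-DeviceRegConnectivity script from the post.
# For each device-registration endpoint it checks DNS, a TCP connect on 443
# and the TLS handshake, and reports the certificate issuer so that a
# break-and-inspect proxy (which re-signs the certificate) is visible.
$Endpoints = @(
    'login.microsoftonline.com'
    'device.login.microsoftonline.com'
    'enterpriseregistration.windows.net'
    'autologon.microsoftazuread-sso.com'   # Seamless SSO, missing from the original script
)

function Test-DeviceRegEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )
    $result = [ordered]@{
        Host = $HostName; DnsResolves = $false; TcpConnect = $false
        TlsOk = $false; CertSubject = $null; CertIssuer = $null; Error = $null
    }

    try {
        $result.DnsResolves = ([System.Net.Dns]::GetHostAddresses($HostName)).Count -gt 0
    } catch {
        $result.Error = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Error = "TCP connect to port $Port timed out after $TimeoutMs ms"
            return [pscustomobject]$result
        }
        $client.EndConnect($async)
        $result.TcpConnect = $true

        # Accept any certificate here so that an intercepted connection is
        # reported (subject/issuer) instead of throwing; the point is to see
        # who actually terminates TLS for this host.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)
        $result.TlsOk = $ssl.IsAuthenticated
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $result.CertSubject = $cert.Subject
        $result.CertIssuer  = $cert.Issuer
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$Endpoints | ForEach-Object { Test-DeviceRegEndpoint -HostName $_ } | Format-Table -AutoSize
```

Run it on the affected workstation rather than from a server: it tests direct egress from that machine, so a host that only has outbound access through an explicit proxy will show TcpConnect as false even though a browser works. An issuer that is your proxy vendor's CA rather than Microsoft's public CA chain tells you the traffic is being intercepted and the host needs a bypass.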

Download the script

Test-DeviceRegConnectivity

Regards
The Author – Blogabout.Cloud

Microsoft Teams Roadmap Announcements for November 2019

The following post contains the new features and updated features from November 2019. This post enables you to quickly glance at the Microsoft Teams Roadmap based on the latest information provided by Microsoft.

New Features

New Feature | Current Status
Teams Sharing Integration with OneDrive | In Development
Pending teams | In Development
Microsoft Whiteboard integration in Microsoft Teams | In Development
Sensitivity labels for Teams, Office 365 Groups, and SharePoint Sites (public preview) | In Development
SharePoint and Teams – pages and lists improvements | Launched
SharePoint – OneDrive – Teams – file upload limit up to 50GB | In Development
Microsoft Teams – “Colleague joined Teams” notifications | In Development
Microsoft Teams – New location for New Chat button, Recent, and Contacts tabs in Chat app | In Development
Teams for Linux client | In Development
Class Insights in Teams | In Development
Mute meeting chats in Teams | In Development
Media optimization for Microsoft Teams Calling and Meetings for Citrix VDI | In Development

Updated Features

Updated Feature | Current Status
Microsoft Teams – Sensitivity Labels | In Development
Microsoft Teams – Private channels | Rolling Out
SharePoint and Microsoft Teams: new Files experience | In Development
Microsoft Teams – Secure private channels | In Development
Microsoft Teams – Presenter and Attendee roles for Meetings | In Development
Microsoft Teams – Meet now | Rolling Out
Pending teams | In Development
SharePoint – OneDrive – Teams – file upload limit up to 100GB | In Development
New Calendar App replaces Meetings App in Teams | Launched
Microsoft Teams – Meet now | Launched
Microsoft Teams – Screen sharing in Teams/Skype for Business interop | Launched

Remember if you would like to receive all the Microsoft Roadmaps updates to your Teams Client, check out this post.

Regards
The Author – Blogabout.Cloud

Making your PowerShell script require a particular version of PowerShell to be installed.

A common mistake in a lot of PowerShell scripts is to assume that every cmdlet is supported by every installed version of PowerShell.

So how do you ensure that the script you have created can only be executed on a machine that supports the cmdlets it uses? Simple!

Adding one of the lines below ensures that the client must meet that version or higher:
#Requires -Version 3.0
#Requires -Version 4.0
#Requires -Version 5.0

So here is an example of a cmdlet that is only supported in version 5; it produces an unhelpful error message that tells the end user nothing about why it failed.

And here is an example of the same cmdlet, but with #Requires -Version 5.0 at the top of the script.

With this simple line you can prevent your scripts from being executed on machines that don't have the required PowerShell version installed. The check happens before any of the script runs, so a user never sees a half-completed script fail part-way through.
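As an added example (not the post's script), here is a small script that genuinely needs PowerShell 5.0, because it uses the class keyword, together with a runtime equivalent of the same checks for code that cannot carry a #Requires line of its own. The function and class names are my own; #Requires -Modules and #Requires -RunAsAdministrator mentioned in the comment are real directives that work the same way.

```powershell
#Requires -Version 5.0
# Added example, not the post's script: the "class" keyword below only parses
# on PowerShell 5.0 and later. Without the #Requires line, PowerShell 4 would
# reach the class definition and fail with a parse error that says nothing
# about versions; with it, the script is refused before anything runs, with a
# message naming the required version. #Requires must be the first item on
# its line, can appear anywhere in a .ps1, and is ignored at the interactive
# prompt. Other useful forms: #Requires -Modules <name>, #Requires -RunAsAdministrator.

class PrerequisiteResult {
    [string] $Check
    [bool]   $Passed
    [string] $Detail
}

function Test-ScriptPrerequisites {
    # Runtime version of the same checks, for module functions and snippets
    # that cannot carry a #Requires line of their own.
    [CmdletBinding()]
    param(
        [version]  $MinimumVersion  = '5.0',
        [string[]] $RequiredModules = @()
    )
    $results = @()

    $r = [PrerequisiteResult]::new()
    $r.Check  = 'PowerShell engine'
    $r.Passed = $PSVersionTable.PSVersion -ge $MinimumVersion
    $r.Detail = "running $($PSVersionTable.PSVersion), need $MinimumVersion or later"
    $results += $r

    foreach ($name in $RequiredModules) {
        $r = [PrerequisiteResult]::new()
        $r.Check  = "module $name"
        $r.Passed = [bool](Get-Module -ListAvailable -Name $name)
        $r.Detail = if ($r.Passed) { 'available' } else { 'not installed on this machine' }
        $results += $r
    }
    $results
}

$checks = Test-ScriptPrerequisites -RequiredModules 'ActiveDirectory', 'AzureAD'
$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Passed }) {
    throw 'Prerequisites not met; see the table above.'
}
```

Save it as a .ps1 and run it on a PowerShell 4 host to see the difference: the engine reports that the script requires a minimum version of 5.0 and never gets as far as the class definition.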

Regards
The Author @ Blogabout.Cloud

Hybrid Azure AD Tip – The device object by the given id (ID of machine) is not found.

Recently I was troubleshooting for a customer why their devices showed up as Azure AD registered in Azure Active Directory in the Azure portal when they should have been Hybrid Azure AD joined. These were Windows 10 1809 devices. The distinction matters: a Conditional Access policy that requires a Hybrid Azure AD joined device is not satisfied by a device that is merely registered.

Running “dsregcmd /status” on one of the machines showed AzureAdJoined : NO. On a Hybrid Azure AD joined device, DomainJoined and AzureAdJoined should both be YES.

If you run the command from an elevated prompt, a Diagnostic Data section is included. On my devices it said:

Client ErrorCode : 0x801c03f2
Server ErrorCode : DirectoryError
Server Message: The device object by the given id (guid) is not found.

This means the computer object has not been synced to Azure AD by Azure AD Connect. Hybrid join relies on Azure AD Connect creating the device object first; the device then registers against it, and if the object is missing the registration is rejected with this error. Make sure the OUs that the computer objects are in are in scope for synchronisation. In my customer's configuration there was additional filtering, whereby user and computer objects had to be members of a security group to be synced to Azure AD.

Once the Azure AD Connect sync had completed successfully, and the device registration task had run again on the client, the machine now shows as Hybrid Azure AD joined in the Azure portal.
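As an added example (not from the post), the script below parses the output of dsregcmd /status into an object and turns the symptom described above into a plain diagnosis. The function names are mine; the sample output is constructed to resemble an affected 1809 device and lets the parser run without a domain-joined machine.

```powershell
# Added example (not from the post): parse "dsregcmd /status" output into an
# object and flag the symptoms described above. Run it elevated on a real
# device so the Diagnostic Data section is present; the constructed sample at
# the bottom exercises the logic offline.
function Get-DsregStatus {
    param([string[]] $Lines = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $Lines) {
        # Value lines look like "   AzureAdJoined : YES"; section banners do not match
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        DomainJoined    = $state['DomainJoined'] -eq 'YES'
        AzureAdJoined   = $state['AzureAdJoined'] -eq 'YES'
        WorkplaceJoined = $state['WorkplaceJoined'] -eq 'YES'
        DomainName      = $state['DomainName']
        ClientErrorCode = $state['Client ErrorCode']
        ServerErrorCode = $state['Server ErrorCode']
        ServerMessage   = $state['Server Message']
    }
}

function Test-HybridJoinHealth {
    param([Parameter(Mandatory)] $Status)
    if ($Status.DomainJoined -and $Status.AzureAdJoined) {
        return 'Hybrid Azure AD joined'
    }
    $hint = if ($Status.DomainJoined -and $Status.WorkplaceJoined) {
        'Device is domain joined but only Azure AD registered, not hybrid joined.'
    } else {
        'Device is not hybrid joined.'
    }
    if ($Status.ClientErrorCode -eq '0x801c03f2') {
        $hint += ' Azure AD has no device object for this computer: check the Azure AD Connect OU/group filter,' +
                 ' run a sync, then re-run the Workplace Join\Automatic-Device-Join scheduled task.'
    }
    $hint
}

# Constructed sample resembling the output on an affected 1809 device
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : YES
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
          Client ErrorCode : 0x801c03f2
          Server ErrorCode : DirectoryError
            Server Message : The device object by the given id (00000000-0000-0000-0000-000000000000) is not found.
'@ -split "`r?`n"

$status = Get-DsregStatus -Lines $sample
$status | Format-List
Test-HybridJoinHealth -Status $status
```

On a live machine call Get-DsregStatus with no arguments; the Automatic-Device-Join task named in the hint lives under Task Scheduler Library\Microsoft\Windows\Workplace Join and is what re-attempts registration once the device object exists.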

Regards,
Author @ Blogabout.Cloud

This device cannot use a Trusted Platform Module – Windows 10 1909 Virtual Machines

When testing BitLocker encryption on the new Windows 10 1909 release in my VMware environment, I ran into the following error:

This device cannot use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at start-up” policy for OS volumes.

Go to your Local Group Policy

Locate the following setting under Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption –> Operating System Drives

Require additional authentication at startup

Edit this policy, set it to Enabled and tick “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)”; the remaining options can stay at their defaults.

Once the policy has been applied (run gpupdate /force or reboot), re-run BitLocker Drive Encryption and this time it will proceed. Bear in mind what you have traded away: without a TPM there is no measured boot, and the startup password or USB key is the only thing protecting the volume key, so this is acceptable for a lab but not a substitute for a TPM in production. Where the hypervisor can present a virtual TPM to the guest (VMware does so for encrypted virtual machines), that is the better fix.
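The same change from PowerShell, as an added example that is not part of the post: these are the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE that the “Require additional authentication at startup” policy writes, followed by a check of the TPM and volume state and the password-protector enablement that the lab VM can actually use. Nothing here is specific to VMware.

```powershell
# Added example (not from the post): the registry values behind the
# "Require additional authentication at startup" policy, so a lab VM can be
# configured without the Group Policy editor, followed by a check of the result.
# Run elevated. Local-policy values live under HKLM:\SOFTWARE\Policies\Microsoft\FVE.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# UseAdvancedStartup = 1 enables the policy; EnableBDEWithNoTPM = 1 is the
# "Allow BitLocker without a compatible TPM" tick box. The Use* values keep
# the policy's defaults (2 = Allow) so TPM-capable machines behave as before.
$settings = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $settings[$name] -PropertyType DWord -Force | Out-Null
}

# Verify the starting point: no TPM, and the OS volume still unprotected
$tpm = Get-Tpm -ErrorAction SilentlyContinue
"TPM present: $($tpm.TpmPresent)"
Get-BitLockerVolume -MountPoint 'C:' | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# With the policy in place the OS drive can be protected by a startup password,
# the only option that makes sense on a VM without a TPM. Prompt for it rather
# than hard-coding it: it is the sole secret between an attacker holding the
# VMDK and the data. Add a recovery password as well and escrow it.
$pw = Read-Host -AsSecureString -Prompt 'BitLocker startup password'
Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $pw -EncryptionMethod XtsAes256 -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword
```

If the machine is domain joined and a GPO sets the same policy, the GPO value wins on the next refresh; on a standalone lab VM the registry values are the local policy and take effect immediately.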

Regards
The Author – Blogabout.Cloud

Install-Module : The term ‘Install-Module’ is not recognized as the name of a cmdlet, function, script file, or operable program

Recently, I was trying to use the Install-Module cmdlet to install a module I needed for some testing on a client machine, but ran into the following error:

Install-Module : The term ‘Install-Module’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Install-Module MSOnline
    + CategoryInfo          : ObjectNotFound: (Install-Module:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

This error usually means PowerShell is not up to date: Install-Module comes from the PowerShellGet module, which first shipped with PowerShell 5.0, so the major version of PowerShell needs to be 5 or greater. You can check the version with:

$PSVersionTable.PSVersion

My PowerShell major version was 4.

To resolve the issue I took the following steps.

Download Windows Management Framework 5.1

Make sure to choose the right package for the operating system: Win8.1AndW2K12R2-KB3191564-x64.msu for Windows 8.1 and Windows Server 2012 R2, W2K12-KB3191565-x64.msu for Windows Server 2012, and the Win7AndW2K8R2-KB3191566-x64.zip package for Windows 7 SP1 and Windows Server 2008 R2 (which also needs .NET Framework 4.5.2 or later installed first).

Install the Windows Management Framework 5.1 package; it will then ask you to restart the machine, and after the reboot Install-Module is available.
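Beyond the engine version, Install-Module depends on two more things that fail in equally unhelpful ways: the NuGet package provider and TLS 1.2, which the PowerShell Gallery requires. The added check below (my own function, not from the post) reports which piece is missing and is written to run on PowerShell 4, since that is where the problem shows up.

```powershell
# Added example, not code from the post: checks each thing Install-Module
# depends on and says which is missing, instead of the bare CommandNotFound.
# Written to run on PowerShell 4 as well, which is where the problem shows up.
function Test-PowerShellGetReady {
    $findings = @()
    $ver = $PSVersionTable.PSVersion

    if ($ver.Major -lt 5) {
        # PowerShellGet (and with it Install-Module) first shipped in WMF 5.0
        $os = (Get-WmiObject -Class Win32_OperatingSystem).Caption
        $findings += "PowerShell $ver on '$os': install WMF 5.1. Windows 8.1/Server 2012 R2 use " +
                     'Win8.1AndW2K12R2-KB3191564-x64.msu, Server 2012 uses W2K12-KB3191565-x64.msu, ' +
                     'Windows 7 SP1/Server 2008 R2 use the Win7AndW2K8R2-KB3191566-x64.zip package (needs .NET 4.5.2 or later).'
    }
    if (-not (Get-Module -ListAvailable -Name PowerShellGet)) {
        $findings += 'PowerShellGet module not found; it ships with WMF 5.1 and Windows 10.'
    }
    # Get-PackageProvider itself only exists on 5.0+, so probe for it first
    if ((Get-Command Get-PackageProvider -ErrorAction SilentlyContinue) -and
        -not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
        $findings += 'NuGet provider missing: Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'
    }
    # The PowerShell Gallery only accepts TLS 1.2; older .NET defaults negotiate lower
    $tls = [Net.ServicePointManager]::SecurityProtocol
    if (($tls -band [Net.SecurityProtocolType]::Tls12) -eq 0) {
        $findings += 'TLS 1.2 not enabled in this session: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12'
    }

    if ($findings.Count -eq 0) { 'Ready: Install-Module can reach the PowerShell Gallery.' } else { $findings }
}

Test-PowerShellGetReady
```

The TLS setting is per session; put it in your profile, or better, enable strong crypto for .NET system-wide via the SchUseStrongCrypto registry value, so that every PowerShell host on the machine negotiates TLS 1.2 without needing the one-liner.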

Regards
The Author – Blogabout.Cloud

Merging on-premise AD User Objects with existing Azure AD user Objects.

This post explains how to merge on-premises AD user objects with already existing Azure AD users using a hard match on the sourceAnchor/immutableID property. I recently worked through this with a customer who was merging their contoso.com accounts into their fabrikam.com Azure AD accounts.

As you can imagine this is not a simple process, but with the power of PowerShell and a good old-fashioned “I can” attitude, the merge was a complete success.

Before we continue I would like to state that there are two methods that Azure AD Connect will use to match existing users;
– Soft-Match
– Hard-Match

When you install Azure AD Connect and you start synchronizing, the Azure AD sync service (in Azure AD) does a check on every new object and try to find an existing object to match. There are three attributes used for this process: userPrincipalName, proxyAddresses, and sourceAnchor/immutableID.

Soft-Match

Soft-Match will use the properties userPrincipalName and proxyAddresses to match existing users.

Hard-Match

Hard-Match will use the property sourceAnchor/immutableID. You can only select which property is used as sourceAnchor during the installation of Azure AD Connect as described in their documentation.

If the selected sourceAnchor is not of type string, then Azure AD Connect Base64Encode the attribute value to ensure no special characters appear.

Important Note

By default, Azure AD Connect version 1.1.486.0 and older uses objectGUID as the sourceAnchor attribute. objectGUID is system-generated. Newer versions default to ms-DS-ConsistencyGuid, which Azure AD Connect populates with the objectGUID value the first time it syncs a user whose ms-DS-ConsistencyGuid is empty. Either way, a user that has never been synced ends up with an ImmutableID equal to the Base64 encoding of its objectGUID, but check which sourceAnchor your installation actually uses before computing anything.

So we only have to set the immutableID property of the existing user in Azure AD to the Base64 encoded string of the objectGUID of the user in our on-premises AD. If you have already synchronized your Active Directory, you probably have two users with the same name in your Azure AD. Follow these steps to merge them:

Run the Active Directory and Exchange commands below on a domain-joined machine that has the ActiveDirectory module and the Exchange Management Shell; run the AzureAD commands from Azure Cloud Shell, or from any machine with the AzureAD module after Connect-AzureAD.

In my scenario, the customer's Active Directory e-mail address did not match the PrimarySMTPAddress in Azure AD, but the PrimarySMTPAddress in Exchange was correct. So I matched the objects using the PrimarySMTPAddress from Exchange and from Azure AD in order to set the ImmutableID. I wrote a PowerShell script to gather the PrimarySMTPAddress from Exchange along with the required information from Active Directory.

1. Get ObjectId from All AD Users

# Run in the Exchange Management Shell (or a session where Get-Mailbox is available)
# on a domain-joined machine with the ActiveDirectory module.
Import-Module ActiveDirectory

$reportoutput = @()
# Pull only the attributes used rather than -Properties *
$users = Get-ADUser -Filter * -Properties DisplayName, ObjectGUID
foreach ($user in $users) {

    # Look the mailbox up by UPN rather than Name, which is not guaranteed unique
    $exchange = Get-Mailbox -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue
    $primarySmtp = if ($exchange) { $exchange.PrimarySMTPAddress.ToString() } else { $null }

    # sourceAnchor = objectGUID, so the ImmutableID is its Base64-encoded byte array
    $immutableid = [System.Convert]::ToBase64String($user.ObjectGUID.ToByteArray())

    $reportoutput += [PSCustomObject]@{
        DisplayName        = $user.DisplayName
        PrimarySMTPAddress = $primarySmtp
        UserPrincipalName  = $user.UserPrincipalName
        ImmutableID        = $immutableid
    }
    Write-Host ('INFO: The following user {0} has the ImmutableID of {1}' -f $user.Name, $immutableid)
}
# Report
$reportoutput | Export-Csv -Path "$env:USERPROFILE\desktop\immutableid.csv" -NoTypeInformation -Encoding UTF8

2. Remove duplicated Azure AD User

If you have already synced users and ended up with duplicate accounts, remove the duplicates before continuing. The simplest way is to take the OU that caused the duplicates out of the sync scope (Azure AD Connect then deletes the synced copies), or you can delete them in the Azure portal. Note that deleted users sit in the recycle bin for 30 days; if a later sync soft-matches on the same UPN or proxyAddresses it can restore them, so purge them with Remove-AzureADMSDeletedDirectoryObject if that is a risk.

Deleted Users

But if you love PowerShell the following command is also possible as well.

Remove-AzureADUser -ObjectId <objectid>

3. Get Azure AD User ObjectID

One of the key requirements for this post is the ObjectId of the Azure Active Directory account we are looking to match against. The following command exports all users with their ObjectId, mail address and current ImmutableId to your desktop. Get-AzureADUser returns only the first 100 users unless -All $true is specified, which is an easy way to silently miss accounts.

Connect-AzureAD
# -All $true is required, otherwise only the first 100 users come back
Get-AzureADUser -All $true |
    Select-Object ObjectId, UserPrincipalName, Mail, ImmutableId, DirSyncEnabled |
    Export-Csv -Path "$env:USERPROFILE\desktop\AzureADUser.csv" -NoTypeInformation -Encoding UTF8

4. Matching my CSV Files

So I ended up with two CSV files:

– Export of AD with the PrimarySMTPAddress from Exchange
– Export of Azure AD with the ObjectId and mail address

A few months ago I came across a little gem in the PowerShell world called ImportExcel, a PowerShell module I have discussed in the past, which makes it easy to line the two files up side by side on the e-mail address.

Once you have a single pane of glass with each ObjectId matched to its ImmutableID in a CSV, you will be able to set the ImmutableID for all of your Azure AD objects in bulk. Check before you do that none of the matched cloud accounts are already synced (DirSyncEnabled is true), because Azure AD refuses to change the ImmutableId of a synced object.
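If you would rather do the matching in plain PowerShell than in Excel, the added example below (my own code, not the post's) joins the step 1 and step 3 exports on the e-mail address and classifies each row before anything is written to Azure AD. The column names are those of the two exports above; the sample rows are constructed so the logic can be exercised offline, and the output file name immutableid-matched.csv is my choice.

```powershell
# Added example, not code from the post: joins the Active Directory export
# from step 1 with the Azure AD export from step 3 on the e-mail address,
# which in the scenario above was the only reliable key, and writes the
# ObjectId/ImmutableID pairs that the bulk update consumes. Column names are
# those of the two exports; the sample rows are constructed so it runs offline.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction, useful when checking what an existing ImmutableId points at
    param([Parameter(Mandatory)] [string] $ImmutableId)
    New-Object -TypeName System.Guid -ArgumentList (,[Convert]::FromBase64String($ImmutableId))
}

function Merge-ImmutableIdMap {
    param(
        [Parameter(Mandatory)] [object[]] $OnPremRows,   # DisplayName, PrimarySMTPAddress, UserPrincipalName, ImmutableID
        [Parameter(Mandatory)] [object[]] $CloudRows     # ObjectId, UserPrincipalName, Mail, ImmutableId, DirSyncEnabled
    )
    # Index cloud users by mail address, case-insensitively
    $byMail = @{}
    foreach ($c in $CloudRows) {
        if ($c.Mail) { $byMail[([string]$c.Mail).Trim().ToLowerInvariant()] = $c }
    }
    foreach ($o in $OnPremRows) {
        $key   = ([string]$o.PrimarySMTPAddress).Trim().ToLowerInvariant()
        $cloud = if ($key) { $byMail[$key] } else { $null }
        if (-not $cloud) {
            $status = 'NoCloudMatch'          # nothing to hard-match against
        } elseif ([string]$cloud.DirSyncEnabled -eq 'True') {
            $status = 'AlreadySynced'         # Set-AzureADUser -ImmutableId is refused on synced objects
        } elseif ($cloud.ImmutableId -and $cloud.ImmutableId -ne $o.ImmutableID) {
            $status = 'ImmutableIdConflict'   # already points at a different on-prem object; investigate first
        } else {
            $status = 'Ready'
        }
        [pscustomobject]@{
            PrimarySMTPAddress = $o.PrimarySMTPAddress
            OnPremUPN          = $o.UserPrincipalName
            CloudUPN           = $cloud.UserPrincipalName
            ObjectId           = $cloud.ObjectId
            ImmutableID        = $o.ImmutableID
            Status             = $status
        }
    }
}

# Constructed sample rows; for real data use Import-Csv on the two exports
$onPrem = @(
    [pscustomobject]@{ DisplayName = 'Alice Example'; PrimarySMTPAddress = 'alice@fabrikam.com'; UserPrincipalName = 'alice@contoso.com'; ImmutableID = (ConvertTo-ImmutableId '11111111-1111-1111-1111-111111111111') }
    [pscustomobject]@{ DisplayName = 'Bob Example';   PrimarySMTPAddress = 'Bob@Fabrikam.com';   UserPrincipalName = 'bob@contoso.com';   ImmutableID = (ConvertTo-ImmutableId '22222222-2222-2222-2222-222222222222') }
    [pscustomobject]@{ DisplayName = 'Carol Example'; PrimarySMTPAddress = 'carol@contoso.com';  UserPrincipalName = 'carol@contoso.com'; ImmutableID = (ConvertTo-ImmutableId '33333333-3333-3333-3333-333333333333') }
)
$cloud = @(
    [pscustomobject]@{ ObjectId = 'aaaaaaaa-0000-0000-0000-000000000001'; UserPrincipalName = 'alice@fabrikam.com'; Mail = 'alice@fabrikam.com'; ImmutableId = $null; DirSyncEnabled = $null }
    [pscustomobject]@{ ObjectId = 'aaaaaaaa-0000-0000-0000-000000000002'; UserPrincipalName = 'bob@fabrikam.com';   Mail = 'bob@fabrikam.com';   ImmutableId = (ConvertTo-ImmutableId '22222222-2222-2222-2222-222222222222'); DirSyncEnabled = 'True' }
)

$map = Merge-ImmutableIdMap -OnPremRows $onPrem -CloudRows $cloud
$map | Format-Table -AutoSize
$map | Where-Object Status -eq 'Ready' |
    Export-Csv -Path "$env:USERPROFILE\desktop\immutableid-matched.csv" -NoTypeInformation -Encoding UTF8
```

Only rows with Status Ready are written out; the other three statuses are the cases that otherwise surface as errors (or worse, as a silent wrong match) during the bulk update, so review them by hand before proceeding.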

5. Set immutableId for Azure AD User in Bulk

Run the following script against Azure AD using PowerShell, after Connect-AzureAD. The input is the CSV of matched ObjectId/ImmutableID pairs from step 4. Set-AzureADUser refuses to change the ImmutableId of an account that is already synced from on-premises, so every account in the file must still be cloud-only at this point.

# Input is the matched CSV from step 4 (columns: ObjectId, ImmutableID, PrimarySMTPAddress)
$Filepath1 = "$env:USERPROFILE\desktop\immutableid-matched.csv"
$csv1 = Import-Csv -Path $Filepath1

Start-Transcript -Path "$env:USERPROFILE\desktop\PilotUser.log"

foreach ($user in $csv1) {
    try {
        # Fails with "Unable to update the specified properties for on-premises mastered
        # Directory Sync objects" if the cloud account is already synced (see step 2)
        Set-AzureADUser -ObjectId $user.ObjectId -ImmutableId $user.ImmutableID -ErrorAction Stop
        Write-Host ('{0} with ObjectID {1} has been set with ImmutableID {2}' -f $user.PrimarySMTPAddress, $user.ObjectId, $user.ImmutableID)
    } catch {
        Write-Warning ('Failed for {0} ({1}): {2}' -f $user.PrimarySMTPAddress, $user.ObjectId, $_.Exception.Message)
    }
}
Stop-Transcript

6. Start AD Sync

You can now bring the OUs containing the user accounts back into scope and run a delta sync on the Azure AD Connect server; hard matching on the newly set ImmutableID merges each on-premises user into its cloud account.

# Run on the Azure AD Connect server
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
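To confirm the merge actually happened rather than a fresh duplicate being created, the added check below (not from the post) compares each cloud account with its on-premises object after the sync. It assumes the ActiveDirectory and AzureAD modules are loaded, Connect-AzureAD has been run, and a matched CSV from step 4 exists with the columns OnPremUPN and ObjectId; the function name is mine.

```powershell
# Added example, not code from the post: after the delta sync, confirm each
# matched user is now a synced object whose ImmutableId equals the Base64
# form of its on-premises objectGUID. Assumes the ActiveDirectory and AzureAD
# modules are loaded, Connect-AzureAD has been run, and the matched CSV from
# step 4 exists with the columns OnPremUPN and ObjectId.
function Test-HardMatch {
    param([Parameter(Mandatory)] [string] $MatchedCsv)

    foreach ($row in (Import-Csv -Path $MatchedCsv)) {
        $upn = $row.OnPremUPN
        $ad  = Get-ADUser -Filter { UserPrincipalName -eq $upn } -Properties ObjectGUID, 'mS-DS-ConsistencyGuid'
        $aad = Get-AzureADUser -ObjectId $row.ObjectId

        $expected = if ($ad) { [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray()) } else { $null }
        # A populated mS-DS-ConsistencyGuid that differs from objectGUID means the
        # sourceAnchor is not objectGUID and the expected value must come from it instead.
        $consistency = if ($ad.'mS-DS-ConsistencyGuid') {
            [Convert]::ToBase64String([byte[]]$ad.'mS-DS-ConsistencyGuid')
        } else { $null }

        [pscustomobject]@{
            UPN                 = $upn
            DirSyncEnabled      = $aad.DirSyncEnabled
            LastDirSyncTime     = $aad.LastDirSyncTime
            ImmutableIdMatch    = ($aad.ImmutableId -eq $expected)
            ConsistencyGuidSame = (-not $consistency) -or ($consistency -eq $expected)
        }
    }
}

Test-HardMatch -MatchedCsv "$env:USERPROFILE\desktop\immutableid-matched.csv" | Format-Table -AutoSize
```

A healthy row shows DirSyncEnabled true, a recent LastDirSyncTime and ImmutableIdMatch true. A false ConsistencyGuidSame means the installation is using ms-DS-ConsistencyGuid as the sourceAnchor with a value other than objectGUID, in which case the ImmutableID should have been computed from that attribute.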

Regards
The Author – Blogabout.Cloud

Microsoft Teams Roadmap Announcements for October 2019

The following post contains the new features and updated features from October 2019. This post enables you to quickly glance at the Microsoft Teams Roadmap based on the latest information provided by Microsoft.

One thing I have included in this month’s round-up is Microsoft Bookings as it now integrates with Skype and Teams.

New Features

New Feature | Current Status
Users can pin apps to the Teams left rail | In Development
Microsoft Teams – teams auto-renewal | In Development
Microsoft Teams – Phone System Administration Enhancements | In Development
Microsoft Teams – Silent Login | In Development
Microsoft Teams – Support for Google as an Identity Provider | In Development

Updated Features

Updated Feature | Current Status
Microsoft Teams: Music on Hold | Launched
Microsoft Teams – Secondary Ringer and Answer From Anywhere | Launched
Microsoft Teams – Reverse Number Lookup | Rolling Out
Microsoft Teams – Dynamic Emergency Calling for Calling Plans | Launched
Microsoft Teams – Cloud Voicemail Enhancements | Launched
Microsoft Teams – Location Based Routing | Rolling Out
Microsoft Teams – Direct Routing Enhancements | In Development
Microsoft Teams desktop app rolls to existing installs of Office 365 ProPlus and Microsoft/Office 365 Business/Business Premium (monthly channel only) | Launched
Microsoft Teams – Delegation Enhancements | Launched
Microsoft Teams – Channel Cross Posting | Launched
Microsoft Teams – Dynamic Emergency Calling for Direct Routing | In Development

Remember if you would like to receive all the Microsoft Roadmaps updates to your Teams Client, check out this post.

Regards
The Author – Blogabout.Cloud

Microsoft Intune Developments from the Office 365 Roadmap for October 2019

The following post contains the new features and updated features from October 2019. This post enables you to quickly glance at the Office 365 Roadmap that directly targets Microsoft Intune based on the latest information provided from Microsoft.

New Features

No new features announced this month

Updated Features

Updated Feature | Current Status
Microsoft Intune management of Windows Defender Firewall rules | Launched
Outlook for Android: App configuration support without Microsoft Intune | 
Intune integration with Apple’s volume purchase program (VPP) for macOS | Launched
Microsoft Intune support for Managed Home Screen app on kiosks | Launched
Microsoft Intune support for fully managed Android Enterprise devices | Launched
Microsoft Intune support for derived credentials on iOS | Launched
Microsoft Intune administration evolves with Microsoft 365 Device Management center | Launched
Microsoft Intune mobile threat defense for applications without enrollment | Launched

Remember if you would like to receive all the Microsoft Roadmaps updates to your Teams Client, check out this post.

Regards
The Author – Blogabout.Cloud

Using Azure Blob Storage for your Intune applied Lock Screen and Desktop Background

Leveraging your Azure subscription for Microsoft Intune massively reduces the requirements for on-premises infrastructure. In this post I will show you how to use Azure Blob Storage to provide the Lock Screen and Desktop background all with the power of the Microsoft Cloud.

First up you will need to create a storage account within your Azure subscription.

Create Storage Account

Specify the following;
– Resource Group
– Storage Account Name
– Location (Europe) UK South

Specify settings

Once the storage account has been created successfully, go to the resource.

Go to resource

Go to “Containers”
Create new “Container”
Specify the name of the Container
Specify the Public Access level as “Blob”
Then click ok

Specify settings

Click on your new “Container”

Created Container

Click Upload
You will need to upload your required .jpg file

Click on the uploaded file and you will be shown its URL, which is what Intune needs.

Paste the URL into the required setting, for example Lock Screen, as shown below. Because the container allows anonymous blob reads, anyone who knows the URL can download the image: that is fine for a wallpaper, but nothing else should be stored in this container.

As you can see below, my Lock Screen and Desktop backgrounds are now the images I specified.

[Screenshot: Lock Screen]
[Screenshot: Desktop]
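The same steps from PowerShell with the Az.Storage module, as an added example that is not part of the post: it creates the container with anonymous blob-level read (the same “Blob” access level chosen in the portal, so nobody can list the container), uploads the two images with the correct content type, builds the HTTPS URLs, and fetches each one anonymously to prove it works before it goes into the Intune profile. The resource group, account, container and file names are placeholders.

```powershell
# Added example (not from the post): the portal steps above via the Az.Storage
# module, ending with the HTTPS URLs to paste into the Intune Personalization
# settings. Names are placeholders; the account name must be globally unique.
$resourceGroup = 'rg-intune-branding'
$accountName   = 'stintunebranding01'
$container     = 'wallpapers'
$files         = @('C:\branding\lockscreen.jpg', 'C:\branding\desktop.jpg')

Connect-AzAccount | Out-Null
$ctx = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $accountName).Context

# -Permission Blob = anonymous read of individual blobs only, no container listing.
# Anyone with the exact URL can fetch an image, so keep only public artefacts here.
if (-not (Get-AzStorageContainer -Name $container -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $container -Context $ctx -Permission Blob | Out-Null
}

$urls = foreach ($file in $files) {
    $blobName = [IO.Path]::GetFileName($file)
    Set-AzStorageBlobContent -File $file -Container $container -Blob $blobName -Context $ctx `
        -Properties @{ ContentType = 'image/jpeg' } -Force | Out-Null
    "https://$accountName.blob.core.windows.net/$container/$blobName"
}

# Prove each URL works without credentials before putting it in the profile
foreach ($url in $urls) {
    $r = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing
    '{0}  {1}  {2}' -f $r.StatusCode, $r.Headers['Content-Type'], $url
}
```

Two things to check if the anonymous HEAD request returns 409 or 404: the storage account itself must have “Allow Blob public access” enabled (newer accounts default it to disabled, which overrides the container setting), and the Intune Personalization settings that consume these URLs only apply to Windows 10 Enterprise and Education editions.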

Regards
The Author – Blogabout.Cloud