Hybrid Azure AD Tip – The device object by the given id (ID of machine) is not found.

Hybrid Azure AD Tip – The device object by the given id (ID of machine) is not found.

Recently when working with a customer I was troubleshooting why their devices were showing up as Azure AD Registered in the Azure portal in Azure Active Directory when they should be Hybrid Azure AD joined. These were Windows 10 1809 devices.

When running “dsregcmd /status” on one of the machines, it would show as AzureAdJoined : NO. When it is Hybrid Azure AD joined, it should still say Yes.

If you run the command as admin, you will see there is Diagnostic Data section. On my devices, it said:

Client ErrorCode : 0x801c03f2
Server ErrorCode : DirectoryError
Server Message: The device object by the given id (guid) is not found.

This is because the device(s) has not been synced to Azure AD by Azure AD Connect. Make sure that the OU’s that the computer objects are in is set to sync to Azure AD. In my customer’s configuration, they had additional filtering where the users and computer objects needed to be in a Security Group to be synced to Azure AD.

Once the Azure AD Connect sync had completed successfully, and the device registration task had run again on the client, the machine now shows as Hybrid Azure AD joined in the Azure portal.

Regards,
Author @ Blogabout.Cloud

This device cannot use a Trusted Platform Module – Windows 10 1909 Virtual Machines

This device cannot use a Trusted Platform Module – Windows 10 1909 Virtual Machines

When testing BitLocker encryption on the new Windows 10 1909 release using my VMWare environment. I ran into the following error;

This device cannot use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at start-up” policy for OS volumes.

Go to your Local Group Policy

Locate the following setting under Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption –> Operating System Drives

Require additional authentication at startup

We will now need to edit this policy to enable the required settings, please use the below screenshot as your guide.

Once the policy has been enabled with the required settings, re-run BitLocker Drive Encryption and this time it’ll be more successful.

Regards
The Author – Blogabout.Cloud

Windows 10 Azure AD – Something went wrong

Windows 10 Azure AD – Something went wrong

So I have been recently cleaning up my test lab Azure Active Directory and accidentally removed a device which I was still actively using within my tenant. I received the following error;

“Your organization has deleted this device. To fix this, contact your system administrator and provide error code 700003”

When trying to access organizational resources

In order to resolve this issue, you need to complete the following steps

– Remove the Work account from the Windows 10 device under your account –> Access Work or School and remove the account
– Open command line or PowerShell windows with Admin rights
– Enter the following command;
dsregcmd /leave

dsregcmd /leave

Enter command: “dsregcmd /status” to check if the system is now left the Azure AD

dsregcmd /status

You will now been able to register your device and access your organisation once again.

Regards
The Author – Blogabout.Cloud

Applying your Windows 10 Start Layout using Microsoft Intune.

Applying your Windows 10 Start Layout using Microsoft Intune.

One of the many cool things about Microsoft Intune is the granular configuration of Windows 10 devices using the native functions available us today. In this little post we will look at just how easy is it to create a corporate Windows 10 layout and publish to all of your client desktops automatically.

The general prerequisites for this feature is that your Windows 10 desktops are synchronized and present in Azure Active Directory.

Export the Start Layout

When you have the Start screen layout that you want your users to see, use the Export-StartLayout cmdlet in Windows PowerShell to export the Start screen to an .xml file.

  1. From Start, open Windows PowerShell.
  2. At the Windows PowerShell command prompt, enter the following command:

1
Export-StartLayout –path $env:userprofile\desktop\StartLayout.xml

PowerShell Cmd

Applying a Start layout

Once you have an exported Start Layout you can use the XML file to apply this start layout to your entire organization using Microsoft Intune. Browse to your Intune Portal and go to Device Configuration –> Profile

Hopefully you may already have a Windows 10 – Device Restriction Profile.

If not, dont worry you will just have to create a new profile for Windows 10 and Device Restrictions.

Device Configuration Profiles

Once in the profile properties, go to Settings and look for “Start” as at this point you can upload your Windows 10 start menu layout. If you may chose you will also be able to affect the look of the start menu by blocking or hide elements on the menu. For example you can block Fast Switching and hide File Explorer from the Start.

Device Restriction Profile for Start Menu Settings

Once you have saved your configured and your Windows 10 device has checked in, it will receive your new and improved Start Menu

New Windows 10 Start Menu

Regards
The Author – Blogabout.Cloud

Installing and Managing Google Chrome with Microsoft Intune

Installing and Managing Google Chrome with Microsoft Intune

As the power of Microsoft Intune grows with great force, in this blog post we are going to look at how to install Google Chrome and manage via Microsoft Intune. I have been recently looking how to leverage Microsoft Intune for more than just Microsoft based tooling and Google Chrome can be installed and managed for Windows 10 desktop estate.

Installing Google Chrome

Download Google Chrome Package

Visit the following url to download Google Chrome for Enterprise
https://cloud.google.com/chrome-enterprise/browser/download/

Microsoft Intune

First of all, we need to log into your Azure Portal and go to the following location;

  • Microsoft Intune
  • Client Apps
  • Add
Microsoft Intune –> Client Apps –> Add
  • Line-of-business app
App Type

Now we need to select the GoogleChromeStandaloneEnterprise msi located within the zip file package

Google Chrome Enterprise Package
App package file

You will now need to populate a bit of information under App information field below App package files before being able to assign Google Chrome to all your enterprise or selected security groups.

As you can see from the image below I have targeted several security groups within my personal tenant and make the app required for all users / all devices.

Make sure you save you configured as you exit this configuration.

Managing Google Chrome

Import Google Chrome ADMX Templates

  • Download the Chrome ADMX templates.
    • You would have already completed this step when downloading the Google Chrome Msi.
  • Sign in to the Microsoft Azure portal.
  • Go to Intune  Device configuration  Profiles.
  • Next to Devices configuration – Profiles, click Create profile.
  • Enter the following text in these fields:
FieldText to enter
Name Windows 10 – Chrome configuration (or use any descriptive name)
Description Enter a description (optional)
Platform Windows 10 and later
Profile type Custom
Settings Custom (select from drop-down list)

Selecting Custom in the step above opens a new menu for OMA-URI settings. Click Add to add specific policies you can configure and enter the following text:

FieldText to enter
Name Chrome ADMX Ingestion
Description Enter a description (optional)
OMA-URI /Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data type Profile type String (select from drop-down list)
  • Once you select String, a Value text field opens below. On your computer, go to
  • Copy the text from chrome.admx.
  • In the Value field, paste the chrome.admx text.
  • Click OK and OK again to save the Custom OMA-URI settings.
  • Click Create to create a new profile.

Configure Google Chrome Policy

  • Go to Intune –> Device Configuration –> Profile
  • Click the Windows 10 – Chrome configuration profile you created previous
  • Select Properties –> Settings –> Configure to open Custom OMA-URI setting
  • Click Add to a row
  • Enter text into the fields, following the examples below for the type of policy you’re implementing.

Example A: Disable Password Manager

FieldText to enter
Name Chrome – ADMX – PasswordManagerEnabled
DescriptionDisable Password Manager
OMA-URI ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabled
Data typeString
Value
1
<disabled/>

List of all Google Chrome Configurations

The below tables provides all the settings that are available for delivery using Microsoft Intune

PolicyOMA-URIData typeExample value
Chrome – ADMX – AllowOutdatedPlugins./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/AllowOutdatedPluginsstring<disabled/>
Chrome – ADMX – AudioCaptureAllowedUrls./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/AudioCaptureAllowedUrlsstring<enabled/> <data id=”AudioCaptureAllowedUrlsDesc” value=”1&#xF000;[*.]example.com“/>
Chrome – ADMX – AutoFillEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/AutoFillEnabledstring<disabled/>
Chrome – ADMX – CloudPrintSubmitEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/CloudPrintSubmitEnabledstring<disabled/>
Chrome – ADMX – DefaultBrowserSettingEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/DefaultBrowserSettingEnabledstring<enabled/>
Chrome – ADMX – DefaultPopupsSetting./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~ContentSettings/DefaultPopupsSettingstring<enabled/> <data id=”DefaultPopupsSetting” value=”1″/>
Chrome – ADMX – DefaultSearchProviderEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~DefaultSearchProvider/DefaultSearchProviderEnabledstring<enabled/>
Chrome – ADMX – DefaultSearchProviderName./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~DefaultSearchProvider/DefaultSearchProviderNamestring<enabled/> <data id=”DefaultSearchProviderName” value=”Google Encrypted Search”/>
Chrome – ADMX – DefaultSearchProviderSearchURL./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~DefaultSearchProvider/DefaultSearchProviderSearchURLstring<enabled/> <data id=”DefaultSearchProviderSearchURL” value=”https://www.google.com/search?q={searchTerms}”/>
Chrome – ADMX – DisableSafeBrowsingProceedAnyway./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/DisableSafeBrowsingProceedAnywaystring<enabled/>
Chrome – ADMX – ExtensionInstallForcelist./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForceliststring<enabled/> <data id=”ExtensionInstallForcelistDesc” value=”1&#xF000;heildphpnddilhkemkielfhnkaagiabh;https://clients2.google.com/service/update2/crx”/>
Chrome – ADMX – ForceGoogleSafeSearch./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ForceGoogleSafeSearchstring<enabled/>
Chrome – ADMX – ImportAutofillFormData./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportAutofillFormDatastring<disabled/>
Chrome – ADMX – ImportBookmarks./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportBookmarksstring<enabled/>
Chrome – ADMX – ImportHistory./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportHistorystring<disabled/>
Chrome – ADMX – ImportHomepage./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportHomepagestring<enabled/>
Chrome – ADMX – ImportSavedPasswords./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportSavedPasswordsstring<disabled/>
Chrome – ADMX – ImportSearchEngine./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportSearchEnginestring<disabled/>
Chrome – ADMX – NotificationsAllowedForUrls./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~ContentSettings/NotificationsAllowedForUrlsstring<enabled/> <data id=”NotificationsAllowedForUrlsDesc” value=”1&#xF000;[*.]example.com“/>
Chrome – ADMX – PasswordManagerEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabledstring<disabled/>
Chrome – ADMX – PluginsAllowedForUrls./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~ContentSettings/PluginsAllowedForUrlsstring<enabled/> <data id=”PluginsAllowedForUrlsDesc” value=”1&#xF000;[*.]example1.com&#xF000;2&#xF000;[*.]example2.com“/>
Chrome – ADMX – SafeBrowsingEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~SafeBrowsing/SafeBrowsingEnabledstring<enabled/>
Chrome – ADMX – VideoCaptureAllowedUrls./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/VideoCaptureAllowedUrlsstring<enabled/> <data id=”VideoCaptureAllowedUrlsDesc” value=”1&#xF000;[*.]example.com“/>

This concludes this post.

Regards,
The Author – Blogabout.Cloud

Creating/Managing Local User Account in Windows 10 using PowerShell

Creating/Managing Local User Account in Windows 10 using PowerShell

Sometimes a GUI just isnt enough and PowerShell wins overall..

I have been recently scripting the creation of several Windows 10 Local Users accounts and assigning them to Local Groups but discovered some machines didn’t have the New-LocalUser cmdlet available. Which is very annoying so in order to get around this issue I have created the following if statement to check if the module exists and install if required.

$LocalAccountModule = Get-module Microsoft.PowerShell.LocalAccounts
if ($LocalAccountModule)
{
Write-Host "Detected: Microsoft.PowerShell.LocalAccounts PowerShell Module" -BackgroundColor DarkGreen -ForegroundColor White
}
else
{
Write-Host "Not Detected: Microsoft.PowerShell.LocalAccounts PowerShell Module" -BackgroundColor DarkRed -ForegroundColor White
Install-Module  LocalAccount -Force
}

Once you have this module on your local Windows 10 client you can use the following Microsoft doc and create/manage any local accounts/group on your client desktop using PowerShell

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1

Regards

The Author – Blogabout.Cloud

Goodbye OneNote 2016 from Office Portal

Goodbye OneNote 2016 from Office Portal

Image result for the end is near

Back in September 2018, Microsoft announced it would be removing OneNote from its Office installation and OneNote for Windows 10 will be the default going forward. Microsoft has now announced (12th Feb) that OneNote 2016 will be removed from the Office Portal for installation using Semi-Annual channel.

So all installations from this post forward will not include OneNote 2016 by default when a user on the Semi-Annual channel using Office 365 on Windows 10 from the Office Portal.

So what now?

OneNote is available to download from the following url it is important to note that Microsoft are no longer developing new features for OneNote 2016. If you want to take advantage of the latest that OneNote has to offer, Microsoft state you should consider switching to OneNote for Windows 10

Regards
The Author – Blogabout.Cloud

Big news in the world of the modern desktop: Office 2016 supported extended

Big news in the world of the modern desktop: Office 2016 supported extended

Microsoft announced in April 2017 that they be ceasing support for legacy Office clients into Office 365 services, however this stance has now changed based on customer feedback to Microsoft

  • Office 2013 and below will cease as expected on 13th October 2020
  • Office 2016 will now be extended until October 2023

 

With this announcement it also includes a number of changes to the supported operating system versions of Windows.

Office 365 ProPlus delivers cloud-connected and always up-to-date versions of the Office desktop apps. To support customers already on Office 365 ProPlus through their operating system transitions, we are updating the Windows system requirements for Office 365 ProPlus and revising some announcements that were made in February. We are pleased to announce the following updates to our Office 365 ProPlus system requirements:

  • Office 365 ProPlus will continue to be supported on Windows 8.1 through January 2023, which is the end of support date for Windows 8.1.
  • Office 365 ProPlus will also continue to be supported on Windows Server 2016 until October 2025.
  • Office 365 Pro Plus will also continue to be supported on Windows 7 (ESU) Extended Security Updates through Janaury 2023. Windows 7 ESU will only be available for Windows 7 Pro/Enterprise customers with Volume Licensing.

Other big news is four changes Microsoft have also announced (Longer support windows for Windows 10):

  • All currently supported feature updates of Windows 10 Enterprise and Education editions (versions 1607, 1703, 1709, and 1803) will be supported for 30 months from their original release date. This will give customers on those versions more time for change management as they move to a faster update cycle.
  • All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of September (starting with 1809) will be supported for 30 months from their release date. This will give customers with longer deployment cycles the time they need to plan, test, and deploy.
  • All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of March (starting with 1903) will continue to be supported for 18 months from their release date. This maintains the semi-annual update cadence as our north star and retains the option for customers that want to update twice a year.
  • All feature releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (this applies to feature updates targeting both March and September).

In summary, our new modern desktop support policies—starting in September 2018—are:

Windows 10 Fall Creator Update 1709 – Sysprep was not able to validate your Windows installation

Windows 10 Fall Creator Update 1709 – Sysprep was not able to validate your Windows installation

Hello Reader,

In this post, we will look at a known bug within the Windows 10 Fall Creators Update 1709, where you are unable to perform a sysprep of a Windows 10 workstation running update 1709. This is a little annoying bug which prevents sysprep from running.

The error messages as shown below provides you with a bit of detail and a UNC Folder to check the log file for more information.
Sysprep was not able to validate your Windows installation.
Review the log file at:
%WINDIR%\Systems32\Sysprep\Panther\setupact.log for details. After resolving this issue, use sysprep to valiate your installation again.

This error seems to be caused by Windows 10 Store Apps updating within the background, we can prevent this from happening by adding the following reg key either by using regedit or Powershell. As I am a big avodate of PowerShell I will using show the deployment and removal of this key using PowerShell.

Identifiying the Windows 10 Applications.

Using the path provided within the sysprep error message you will be able to easily identify the problem application, this is case the problem was being caused by the SketchBook application. Once removing SketchBook app the problem persisted as a number of other apps needs to be removed also.

Video demostration.

You can find a video of each application being removed until sysprep was able to successfully execute.

We hope that this post has helped your issue.

Regards
Author