Intune – Deploy required user settings to Windows 10 with PowerShell

In this blog post I would like to describe how I managed to deploy the required user settings to Windows 10.
Since I still have an on-premises environment, in which file servers reside and a DFS namespace is still up and running, I wanted to make sure the clients get the advantages of using the local network.
So here are my two use-cases to solve:
1. Add a Network Location for the DFS path if the user is logged on on-premises
2. Modify the local “hosts” file to redirect the Work Folders clients to the file server internally
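The following script is an added example of how the two use-cases above can be implemented; it is my own code, not the script from the blog post. It is written to be deployed twice as an Intune PowerShell script: once in the SYSTEM context (`-Context System`, required to write the hosts file) and once with "run using the logged-on credentials" (`-Context User`, because a Network Location lives in the user's profile). The domain name `hosebei.local`, the DFS namespace `\\hosebei.local\dfs`, the Work Folders name `workfolders.hosebei.ch` and the internal IP `10.0.0.21` are assumptions.

```powershell
# Added example (my code, not the blog's script) for the two use-cases above.
# -Context System : maintain the hosts override (needs SYSTEM / admin rights)
# -Context User   : create the per-user Network Location for the DFS path
# All names and addresses below are assumptions for the sake of the example.
param([ValidateSet('System', 'User')][string]$Context = 'System')

$DomainFqdn      = 'hosebei.local'            # assumption: AD DNS name
$DfsPath         = '\\hosebei.local\dfs'      # assumption: DFS namespace
$WorkFoldersHost = 'workfolders.hosebei.ch'   # assumption: public Work Folders name
$InternalFsIp    = '10.0.0.21'                # assumption: internal file server IP
$Marker          = '# managed by Intune: work folders override'

function Test-OnPremises {
    # On-prem = a domain-authenticated network profile AND the DC SRV record resolves
    # through the current DNS servers; a plain VPN client normally fails the first test.
    $domainNet = Get-NetConnectionProfile -ErrorAction SilentlyContinue |
                 Where-Object NetworkCategory -eq 'DomainAuthenticated'
    if (-not $domainNet) { return $false }
    try {
        $null = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -DnsOnly -ErrorAction Stop
        return $true
    } catch { return $false }
}

function Set-HostsEntry {
    param([string]$HostName, [string]$IpAddress, [switch]$Remove)
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # Only lines carrying our marker are ever rewritten; any other entry (including
    # something an attacker may have planted) is left untouched and therefore visible.
    $kept = @(Get-Content -Path $hostsFile -ErrorAction Stop | Where-Object { $_ -notlike "*$Marker*" })
    if (-not $Remove) { $kept += "$IpAddress`t$HostName`t$Marker" }
    Copy-Item -Path $hostsFile -Destination "$hostsFile.bak" -Force     # rollback copy
    Set-Content -Path $hostsFile -Value $kept -Encoding Ascii -Force
    Clear-DnsClientCache
}

function New-NetworkLocation {
    param([string]$Name, [string]$TargetPath)
    # A Network Location is a folder below the user's "Network Shortcuts" directory that
    # holds a desktop.ini naming the shell "folder shortcut" CLSID plus a target.lnk to the UNC path.
    $folder = Join-Path $env:APPDATA "Microsoft\Windows\Network Shortcuts\$Name"
    if (-not (Test-Path $folder)) { $null = New-Item -Path $folder -ItemType Directory }
    $iniPath = Join-Path $folder 'desktop.ini'
    $ini = '[.ShellClassInfo]', 'CLSID2={0AFACED1-E828-11D1-9187-B532F1E9575D}', 'Flags=2'
    Set-Content -Path $iniPath -Value $ini -Encoding Ascii -Force
    (Get-Item -Path $iniPath -Force).Attributes = 'Hidden, System'
    (Get-Item -Path $folder).Attributes = 'ReadOnly'
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut((Join-Path $folder 'target.lnk'))
    $lnk.TargetPath = $TargetPath
    $lnk.Save()
}

$onPrem = Test-OnPremises
switch ($Context) {
    'System' {
        # Keep the hosts override only while on-prem; off-site it is removed so Work Folders
        # goes back through the public endpoint and the stale entry cannot misdirect anything.
        Set-HostsEntry -HostName $WorkFoldersHost -IpAddress $InternalFsIp -Remove:(-not $onPrem)
    }
    'User' {
        if ($onPrem) { New-NetworkLocation -Name 'Company DFS' -TargetPath $DfsPath }
    }
}
```

Two design choices are worth spelling out: the hosts entry is tagged with a marker so the script stays idempotent and never touches lines it did not write, and it is removed again as soon as the device is no longer on-premises, so a hosts override for an HTTPS name never outlives the network it was meant for. The Work Folders certificate still has to carry `workfolders.hosebei.ch`, since the client keeps using the same name and only the address changes.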

Intune Autopilot – Prepopulate the Start menu

It might not be that popular with Windows 10, but every company wants a well-curated Start menu rather than the default delivered by Microsoft:

We have multiple options to configure the Start menu; I'm sure I don't know them all. But when it comes to Windows 10 and Intune Autopilot, we do not really have the option I had in mind. This blog post tries to cover the options we currently have with Intune and Autopilot.

I configured “Network Security: Restrict NTLM: NTLM authentication in this domain” months ago; here is why it caught me

Today I would like to share my experience with troubleshooting an overcommitted security admin with less knowledge than would be required (in fact, I am talking about myself here). Some months ago I read about NTLM (v2 as well), and I decided to restrict NTLM in my LAB to check what would still work afterwards and what would stop working. To my surprise, everything went smoothly, and I could not find an issue. So I forgot about this setting; everything seemed to work, and it did.

Lately I decided to cut off DirectAccess, since Microsoft does not invest in its future, and for other reasons: I do not need a permanent connection to the LAB from remote, a VPN would be sufficient. I'm using Work Folders as well and secured it with Azure MFA; the same should apply to my VPN connection, where authentication should not only be covered by username and password. With this, the goal was set, and I built up the LAB. Everything went nicely until the first VPN client wanted to connect. The NPS server gave me the error:
“The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.”

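Because a forgotten NTLM restriction tends to surface somewhere unrelated, as in the NPS/EAP error above, the first thing a practitioner wants is an inventory of which "Restrict NTLM" policies are actually in force and which clients or servers are still being audited or blocked. The script below is an added example of mine, not from the blog post. It reads the policies' documented registry values (run it on a domain controller to see the "in this domain" settings) and pulls the NTLM audit/block events from the `Microsoft-Windows-NTLM/Operational` log. The value-to-text maps are my transcription of the GPO option order and should be verified against your OS build.

```powershell
# Added example (not the blog's code): show the local NTLM restriction policy state and
# the recent NTLM audit/block events. Registry locations are the documented backing keys
# of the "Network security: Restrict NTLM" policies; the meaning tables are my transcription.

$Msv1     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$NtlmPolicies = @(
    @{ Setting = 'Outgoing NTLM traffic to remote servers';  Path = $Msv1;     Value = 'RestrictSendingNTLMTraffic'
       Map = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } }
    @{ Setting = 'Incoming NTLM traffic';                    Path = $Msv1;     Value = 'RestrictReceivingNTLMTraffic'
       Map = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' } }
    @{ Setting = 'Audit incoming NTLM traffic';              Path = $Msv1;     Value = 'AuditReceivingNTLMTraffic'
       Map = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' } }
    @{ Setting = 'NTLM authentication in this domain';       Path = $Netlogon; Value = 'RestrictNTLMInDomain'
       Map = @{ 0 = 'Disable'; 1 = 'Deny for domain accounts to domain servers'; 3 = 'Deny for domain accounts'
                5 = 'Deny for domain servers'; 7 = 'Deny all' } }
    @{ Setting = 'Audit NTLM authentication in this domain'; Path = $Netlogon; Value = 'AuditNTLMInDomain'
       Map = @{ 0 = 'Disable'; 1 = 'Enable for domain accounts to domain servers'; 3 = 'Enable for domain accounts'
                5 = 'Enable for domain servers'; 7 = 'Enable all' } }
    # Exception lists: the documented way to keep one legacy server working without
    # switching the whole policy back off.
    @{ Setting = 'Add server exceptions in this domain';     Path = $Netlogon; Value = 'DCAllowedNTLMServers';     Map = $null }
    @{ Setting = 'Add remote server exceptions';             Path = $Msv1;     Value = 'ClientAllowedNTLMServers'; Map = $null }
)

function Get-NtlmPolicyState {
    foreach ($p in $NtlmPolicies) {
        $raw = (Get-ItemProperty -Path $p.Path -Name $p.Value -ErrorAction SilentlyContinue).($p.Value)
        if ($null -eq $raw)  { $meaning = 'Not configured' }
        elseif ($p.Map)      { $meaning = $p.Map[[int]$raw] }
        else                 { $meaning = (@($raw) -join ', ') }      # exception list (multi-string)
        [pscustomobject]@{
            Setting = "Network security: Restrict NTLM: $($p.Setting)"
            Raw     = $raw
            Meaning = $meaning
        }
    }
}

function Get-NtlmBlockEvent {
    param([int]$Hours = 24)
    # 8001/8002: client/server audit or block on this machine; 8003/8004: domain-level
    # audit/block logged by the DC. The audit policies above must be enabled for the
    # audit variants to appear at all.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-NtlmPolicyState | Format-Table -AutoSize
$events = Get-NtlmBlockEvent -Hours 72
$events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
$events | Select-Object -First 20 | Format-Table -AutoSize
```

The sensible order when introducing this policy is the one the author skipped: run with the audit variants for a few weeks, review the 800x events for every client and server that still shows up, add the ones that genuinely need NTLM to the exception lists, and only then move the restriction to a deny value. Checking the policy state on the DC rather than on a member server matters, because the "in this domain" setting is evaluated by the domain controller, not by the machine that reports the error.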

SCCM – Configure a pointer record for your Cloud Management Gateway

Let's assume you want to set a pointer record (PTR) for your System Center Configuration Manager Cloud Management Gateway (CMG).

First of all, you will need to install the “Azure PowerShell Service Management module” and log in to your tenant. This process is documented on the Microsoft website:
Installing the Azure PowerShell Service Management module

When this is done, you may want to change the subscription; in my case it was necessary. To do so, simply show all of your subscriptions with “Get-AzureSubscription” and select the appropriate subscription with “Select-AzureSubscription” afterwards:

When you have selected the correct subscription, you can list the Azure Services with “Get-AzureService”.
With the following command, you can set the Pointer record for your CMG:
Set-AzureService -ServiceName "YOURSERVICENAME" -ReverseDnsFqdn "HOSEBECMG01.hosebei.ch."
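The three commands above work, but a PTR change is easy to get wrong silently: Azure only accepts a reverse FQDN that already forward-resolves to that cloud service, and nothing tells you afterwards whether the PTR is actually visible. The following script is an added example of mine, not the blog's own commands, that wraps the procedure with that check and a verification query. `YOURSERVICENAME` and `HOSEBECMG01.hosebei.ch.` are the placeholders from the post; the subscription name is an assumption. The classic Service Management module and classic cloud services have since been deprecated by Microsoft; the example keeps the module the post uses.

```powershell
# Added example (not the blog's code): set the reverse DNS name of a classic cloud
# service (here a CMG) with the Azure Service Management module, after checking the
# forward resolution Azure requires, and then verify the PTR record.
param(
    [string]$SubscriptionName = 'My Lab Subscription',         # assumption
    [string]$ServiceName      = 'YOURSERVICENAME',             # placeholder from the post
    [string]$ReverseFqdn      = 'HOSEBECMG01.hosebei.ch.'      # placeholder from the post
)

# Azure expects the reverse FQDN with a trailing dot; normalise instead of failing later.
if (-not $ReverseFqdn.EndsWith('.')) { $ReverseFqdn += '.' }
$fqdnNoDot  = $ReverseFqdn.TrimEnd('.')
$serviceDns = "$ServiceName.cloudapp.net"

Select-AzureSubscription -SubscriptionName $SubscriptionName -ErrorAction Stop
$svc = Get-AzureService -ServiceName $ServiceName -ErrorAction Stop
Write-Output "Cloud service '$($svc.ServiceName)' found in $($svc.Location)"

# The service's public VIP, as seen from the outside.
$vip = (Resolve-DnsName -Name $serviceDns -Type A -ErrorAction Stop |
        Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress

# Azure only accepts a reverse name that forward-resolves to this service: either an A
# record with the VIP or a CNAME to <service>.cloudapp.net. Check before calling Azure.
$forward   = Resolve-DnsName -Name $fqdnNoDot -ErrorAction Stop
$forwardOk = (($forward | Where-Object Type -eq 'A').IPAddress -contains $vip) -or
             (($forward | Where-Object Type -eq 'CNAME').NameHost -contains $serviceDns)
if (-not $forwardOk) {
    throw "$fqdnNoDot does not resolve to $serviceDns ($vip); Azure will reject this reverse FQDN."
}

Set-AzureService -ServiceName $ServiceName -ReverseDnsFqdn $ReverseFqdn -ErrorAction Stop

# Verify from the DNS side: build the in-addr.arpa name from the VIP and ask for the PTR.
$octets = $vip.Split('.')
[array]::Reverse($octets)
$ptrName = ($octets -join '.') + '.in-addr.arpa'
$ptr = Resolve-DnsName -Name $ptrName -Type PTR -DnsOnly -ErrorAction SilentlyContinue
if ($ptr -and ($ptr.NameHost -contains $fqdnNoDot)) {
    Write-Output "PTR for $vip is $($ptr.NameHost): OK"
} else {
    Write-Warning "PTR for $vip currently returns '$($ptr.NameHost)'; Azure may still be propagating the change."
}
```

Reverse DNS is served by Microsoft for the VIP, so the only part you control is the forward record; if the forward check fails, fix your own zone first. The PTR lookup is done with `-DnsOnly` so a cached negative answer on your workstation does not mask a successful change.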

ADFS – Install Web Application Proxy fails with 401: Unauthorized

Hi,

today I faced the issue that when I tried to install my Web Application Proxy for AD FS, it permanently failed with Event ID 422:
AD FS Event ID 422
With the text:
Unable to retrieve proxy configuration data from the Federation Service.
Additional Data
Trust Certificate Thumbprint:
3CD8F7C4697ED510546F74C25B4FD4F8C183CE34

Status Code:
Unauthorized
Exception details:
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()
---- End Snip ----
I was quite sure that I had everything configured quite well and that I was using the correct certificate.
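Before re-running the installation, it pays to verify on the proxy server the three things the proxy trust actually depends on: the certificate behind the thumbprint in the event, name resolution of the federation service name to the internal AD FS farm (on a WAP server this normally requires a hosts entry, because public DNS points the name at the proxy itself), and plain TCP/TLS reachability. The script below is an added example of mine, not from the blog post. The thumbprint is the one from the event above; `sts.hosebei.ch` and the internal address `10.0.0.10` are assumptions.

```powershell
# Added example (not the blog's code): pre-flight checks for Install-WebApplicationProxy,
# to be run on the WAP server. Thumbprint from the event above; the federation service
# name and the internal AD FS address are assumptions.
param(
    [string]$FederationServiceName = 'sts.hosebei.ch',                        # assumption
    [string]$InternalAdfsIp        = '10.0.0.10',                             # assumption
    [string]$Thumbprint            = '3CD8F7C4697ED510546F74C25B4FD4F8C183CE34'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Certificate: present in LocalMachine\My, private key available, name covered
#    (SAN or subject CN, including a wildcard).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) {
    $findings.Add("Certificate $Thumbprint not found in LocalMachine\My")
} elseif (-not $cert.HasPrivateKey) {
    $findings.Add("Certificate $Thumbprint has no private key on this machine")
} else {
    $names   = @($cert.DnsNameList | ForEach-Object Unicode)
    $covered = @($names | Where-Object {
        $_ -ieq $FederationServiceName -or ($_.StartsWith('*.') -and $FederationServiceName -like $_)
    })
    if (-not $covered) {
        $findings.Add("Certificate does not cover $FederationServiceName (names: $($names -join ', '))")
    }
}

# 2. Name resolution: the proxy must reach the internal farm under the federation service
#    name, not itself. System.Net.Dns honours the hosts file, which is where the override lives.
$resolved = @([System.Net.Dns]::GetHostAddresses($FederationServiceName) | ForEach-Object IPAddressToString)
if ($resolved -notcontains $InternalAdfsIp) {
    $findings.Add("$FederationServiceName resolves to '$($resolved -join ', ')' here, expected $InternalAdfsIp (hosts entry?)")
}

# 3. Reachability: TCP 443 and an HTTPS request for the federation metadata.
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    $findings.Add("TCP 443 to $FederationServiceName ($InternalAdfsIp) failed")
} else {
    try {
        $uri  = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
        $meta = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
        if ($meta.StatusCode -ne 200) { $findings.Add("Federation metadata returned HTTP $($meta.StatusCode)") }
    } catch {
        $findings.Add("Federation metadata request failed: $($_.Exception.Message)")
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight checks failed; fix the findings above before installing the proxy.'
}

# 4. All checks passed: establish the proxy trust. The account must be a local
#    administrator on the AD FS server for the trust to be created.
$cred = Get-Credential -Message 'Account that is local admin on the AD FS server'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
                            -FederationServiceTrustCredential $cred `
                            -CertificateThumbprint $Thumbprint
```

The metadata request is deliberately made with the federation service name rather than the IP, so it exercises the same path (hosts entry, SNI, certificate) the proxy trust will use.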

ConfigMgr 1511 – Service connection point issues

Hi reader,

I was running ConfigMgr 1511, upgraded from a System Center 2012 Configuration Manager R2 SP1 infrastructure with a configured Intune subscription, without a problem for more than a month. But due to my Azure tenant name selection more than two years ago, I wanted to change the tenant name from uncoolname.onmicrosoft.com to hosebei.onmicrosoft.com, because, as you might already guess: the SharePoint URL.
Exchange Hybrid and all the other services were not easy, but worked as I had planned. But unfortunately the Service Connector did not work after this change, even after changing the Intune subscription to my new tenant.