User Profile
isotonic_uk
Brass Contributor
Joined Jun 23, 2020
Recent Discussions
Re: Source image is not created for trusted boot but it is turned on the VM.
Thought I would add, managed to resolve in the end. I needed to add features into the deploy-shared-image-gallery.bicep file:

    features: [
      {
        name: 'SecurityType'
        value: 'TrustedLaunch'
      }
    ]

at the point where it creates the resource galleryDefinition, after it declares the hyperVGeneration. What I found is it's not well documented at the moment.

isotonic_uk

Source image is not created for trusted boot but it is turned on the VM.
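Putting the reply above into a complete gallery image definition, as an added example that is not code from the original post or from the rozemuller.com blog it is based on. The gallery name, the imageDefinitionName parameter, the publisher/offer/sku identifier and the source VM resource ID are assumed placeholders. The point it shows is that a generalised source VM created with securityType 'TrustedLaunch' can only be captured into an image definition whose SecurityType feature is also 'TrustedLaunch'; with no features block the definition defaults to 'None' and the version deployment fails with the Conflict error quoted in the question. Trusted Launch also requires hyperVGeneration 'V2'.

```bicep
// Added example, not the original post's code. Names below are assumptions.
param location string = resourceGroup().location
param galleryName string = 'uksbldglbssvgal01'
param imageDefinitionName string = 'uks-img-Windows-desktop-11-gen2-22h2-priv-tl-001'
param imageVersionName string = '2023.09.26'

// Resource ID of the generalised source VM that was built with securityType 'TrustedLaunch'.
// Assumed value; substitute the ID of your own template VM.
param sourceVmId string

resource gallery 'Microsoft.Compute/galleries@2022-03-03' = {
  name: galleryName
  location: location
}

resource galleryDefinition 'Microsoft.Compute/galleries/images@2022-03-03' = {
  parent: gallery
  name: imageDefinitionName
  location: location
  properties: {
    osType: 'Windows'
    osState: 'Generalized'
    // Trusted Launch images must be generation 2.
    hyperVGeneration: 'V2'
    identifier: {
      publisher: 'MicrosoftWindowsDesktop' // assumed
      offer: 'windows-11'                  // assumed
      sku: 'win11-22h2-avd-tl'             // assumed
    }
    // Without this block the definition's SecurityType is 'None' and a
    // TrustedLaunch source VM is rejected when the version is created.
    features: [
      {
        name: 'SecurityType'
        value: 'TrustedLaunch'
      }
    ]
  }
}

resource galleryVersion 'Microsoft.Compute/galleries/images/versions@2022-03-03' = {
  parent: galleryDefinition
  name: imageVersionName
  location: location
  properties: {
    storageProfile: {
      source: {
        id: sourceVmId
      }
    }
    publishingProfile: {
      targetRegions: [
        {
          name: location
        }
      ]
    }
  }
}
```

The SecurityType feature is set on the image definition, not on the version or the VM; the VM keeps its own securityProfile block under properties, as in the question below. A Trusted Launch VM built later from this image should then be deployed with the same securityProfile (secureBootEnabled, vTpmEnabled, securityType 'TrustedLaunch') so the image feature and the VM setting agree.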
Hi

New to Bicep and learning it by deploying a mini environment in my lab. I am using the same code base as defined here: https://rozemuller.com/avd-automation-cocktail-avd-with-bicep-and-azure-cli/#azure-compute-gallery but I have made some alterations to it, as I am trying to create a gen2 Trusted Launch VM to be used instead of a standard SecurityType defined in this blog.

I create my initial image version of Windows 11 using SecurityType Trusted Launch. This was just a standard Microsoft gallery image, which I then sysprep and generalise. That all seems to go well and my base image has the security type that I want. Defined in my Bicep file under resource vm:

    resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
      // Security profile properties...
      properties: {
        // ...
        securityProfile: {
          uefiSettings: {
            secureBootEnabled: true
            vTpmEnabled: true
          }
          securityType: 'TrustedLaunch'
        }
        diagnosticsProfile: {
          bootDiagnostics: {
            enabled: true
          }
        }
      }
    }

When I come to run the main.bicep file alongside the parameters, which then pulls the various modules depending on where it is in the build, it goes through the process of deploying the gallery image but fails with the error:

    The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure, Target: /subscriptions/<mysubscriptionID>/resourceGroups/uks-rb81-vdi-avd-hpl-priv-001-01/providers/Microsoft.Compute/galleries/uksbldglbssvgal01/images/uks-img-Windows-desktop-11-gen2-22h2-priv-tl-001/versions/2023.09.26)
    The source 'subscriptions/<mysubscriptionID>/resourceGroups/rg-Win11-template/providers/Microsoft.Compute/virtualMachines/i4xsd3rrtnobm-vm' has security type 'TrustedLaunch' and cannot be used as a source for an image definition with SecurityType feature set to 'None'. (Code: Conflict)

I am really confused where I need to set this. I thought it would be under the Bicep file deploy-shared-image-gallery.bicep, but then when I declare the params and resource as:

    }
    // Create VM with Security type
    resource virtualMachine 'Microsoft.Compute/virtualMachines@2023-07-01' = {
      name: imageDefinitionName
      location: location
      securityType: 'TrustedLaunch'
    }

it just says:

    The property "securityType" is not allowed on objects of type "Microsoft.Compute/virtualMachines". Permissible properties include "asserts", "dependsOn", "extendedLocation", "identity", "plan", "properties", "tags", "zones". If this is an inaccuracy in the documentation, please report it to the Bicep Team.

Could it be an expression that I need to define? Param and var value? Any help on this would be most appreciated.

Thanks

Intune deployment of OneDrive only
Hi

I think what I am asking is possible but just looking for validation. We are looking at implementing a Privileged Access Workstation (PAW) using the zero trust principles we have with our AVD standard build, which is modern managed; however, we do not want to allow use of the productivity suite like Microsoft 365. There is a need, though, that a user using a PAW may need to retrieve logs and needs a way to send these via the internet. We currently deploy the full M365 Office via Intune deployment. Is there a way we can just deploy OneDrive only?

The AVD VM will also not have internet access except for the mandatory URLs and ports to run the AVD service, as well as any service endpoints we want to allow for the PAW to function as intended. Microsoft have a list of IPs that we would need to allow. I am aware that if we allow OneDrive, by default it will also allow SharePoint Online as it uses the same URLs, considering it uses the same backend. Would my understanding of this be correct?

Thank you

Does AVD support OATH for authentication?
Hi

Just wanted to ask if we wanted to use OATH authentication for a certain population of our users who don't have access to a mobile, does AVD support this method? I am aware it can support FIDO from at least the host device and not within the session host, which is fine. The reason I ask is we have Conditional Access policies which require a compliant device, and we are finding registration of FIDO is not possible without the use of Temporary Access Pass (for situations where the user does not have a mobile). So I want to explore OATH as another option. One benefit of that is the ability for the administrator to manage the onboarding of the OATH keys.

Thanks

Re: User actions - Register Security Information from unmanaged devices.
Hi

Yes, I have looked at TAP; however, the administration to set this up is quite overburdening for a very large organisation where every hour we may get many password resets, and it counteracts the benefit of using combined registration and of the user being able to self-serve. As far as I know, TAP can only be administered in the portal, and as lots of our processes wish to be automated I don't believe TAP is a suitable option for us. Correct me if I am wrong though.

User actions - Register Security Information from unmanaged devices.
Hi fellow members

I work in a highly regulated organisation where we DO NOT allow unmanaged devices access to any of our Azure/M365 services. We use both Azure Conditional Access and tenant restrictions and other methods to secure our environment this way. However, we are in the process of enabling Azure Virtual Desktop (AVD) and we DO want some users to be able to use this from an unmanaged device, and only in this scenario.

Our tenant is pre August 2020, so currently we still use the old MFA/SSPR workflows. We cannot enable combined registration for all, so are using the scoped combined registration user feature in AAD. We find that since enabling combined registration one of our CA policies is blocking access for a user to register their security information, either from the legacy workflows or using the combined registration experience. Using the user action "Register security information" to allow from all locations also doesn't seem to work. We cannot make any exceptions or remove the Conditional Access policy, which BTW prevents unmanaged devices from accessing.

We do have another CA policy which does allow AVD from an unmanaged device but mandates MFA. That works great until we force the user to register SSPR security information. Is anyone aware of any other options that could help address this in this scenario?

Many Thanks

Windows Hello hybrid key trust checking
Hi Everyone

I am working with a client on a WHfB implementation using the hybrid key trust deployment method. The customer has opted to use GPO as they are not quite ready yet for Intune policies. The machines tested are using 1909 of Windows 10 and are hybrid joined, with much of the policy being deployed using GPO; however, I noticed when the device is in MEM it has Intune workloads set for device configuration. With this model, can I ask if it's OK to use GPO WHfB policies over Intune, or would I need to use Intune policies? When reviewing the configuration it seems that it is applying the policies. The dsregcmd command shows the policy enabled as "no"; would I expect this if the policy is not delivered by Intune?

Also I want to confirm that the machine is using WHfB rather than just regular Windows Hello. Is there a way I can confirm this?

Many thanks in advance for advice on this.

SSPR forced registration
Hi All

I am looking for some pointers on a question I have on SSPR forced registration. Over 100,000 employees, global organisation. Due to a technical and political issue around MFA forced registration we have not enabled the Combined Registration feature, but we wish to use forced SSPR. We have about a 50/50 split of users on Win7 or Mac devices and Windows 10, and there is already a migration in place to migrate users, but the sheer size means this is taking some time. Due to legacy requirements a sizeable number of users won't be able to use SSPR due to use of Win7/macOS devices, so these are out of scope.

We have tried using the approach where users can self-register, but the uptake has been low, and so our intention is to enable forced registration in SSPR but stage this deployment over a period of weeks/months. The issue is in the current config of SSPR a dynamic Azure AD group is in place, and due to the number of domains the plan is to create a master AAD static group and add nested synced AD groups into this master AAD group. However, we don't want existing users (approx. 20,000 registered users) to be affected by the group changes.

We use a tool called Migration Studio (https://migrationstudio.com/) as our source of truth for data, and so the intention is to extract information from a variety of sources to determine who is in scope to be included in the respective nested groups for SSPR forced registration. We can leverage the Graph API (https://docs.microsoft.com/en-us/graph/api/resources/credentialuserregistrationdetails?view=graph-rest-beta) and so can understand who is currently registered for the service. We will use this data to populate those nested groups and then make the change on the SSPR group configuration, so existing users can continue to use SSPR and don't need to re-register.

My question is understanding and confirming whether the data from credentialUserRegistrationDetails is enough to ensure we capture all the correct users from the export we perform from Migration Studio. There are other criteria we need to consider, e.g. excluding the Windows 7/Mac users which we collate. We also considered excluding service accounts and other operational accounts not suited for SSPR. Would there be anything else we would need to consider with us doing a staged approach?

Many Thanks

SSPR and Mac OSX using Jamf Connect 1.11 - Is it supported?
Hi All

Just wondering if there are users who use Mac OSX with Jamf Connect and have attempted to use Microsoft Azure Self Service Password Reset (SSPR) to enable Mac users to register for the service to reset or unlock their Azure AD account. Is this a supported scenario or are there issues with this approach? When we have tested this we seem to be seeing issues once a user is set up with enforced registration. When connecting via the Jamf Connect login, they receive the 'more information required' message but then go into a loop with the security details not showing correctly.

Any help if anyone has seen similar issues would be greatly appreciated.

Thanks

Device isn't showing as registered in ATP.
Hi

Was wondering if anyone can advise. Onboarding our devices to ATP. We use the onboarding file and deploy the file using Microsoft Endpoint Manager. I can see the file is installed successfully; however, the device is not showing in ATP. Have used this URL to help troubleshoot but to no avail: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding

I think it may be a networking/firewall issue. Is there a way for me to easily identify whether the endpoint can reach the ATP URLs? ICMP is blocked. What is odd is the issue only occurs on a domain machine; on a non domain joined machine it works and registers into ATP.

If anyone can advise it would be greatly appreciated.

Thanks

Source hierarchy migration to new domain, DP considerations.
Hi fellow professionals.

I am currently doing a source hierarchy migration from 2002 CB to 2002 CB in one forest trust with two domains. I have done it in a way so that the new site server mirrors the old one as much as possible, apart from the server OS, which is 2016 as opposed to 2012 in the old environment. There are 4 DPs in the source and I can see they are all eligible for re-assignment; however, my question is, if those servers sit in the old domain but I need to move those servers to the new domain, what would be the best approach? I assume the only way would be to recreate those DPs in the new domain against the new site code? Is there a way to migrate DPs from source to new destination DP, or is it a case of introducing the new DPs in the destination hierarchy, then just ensuring they have the DP role, and then ensuring the content is populated onto that DP before the old is decommissioned?

Also, currently the old DPs are serving PXE for OSD deployment, so I believe before that is done the DHCP or switch helpers will need to point to the new DPs so that process can continue. Would that be correct?

I look forward to any responses.

Thanks

WDAC deployment guidance and questions.
Hi

I am currently working with a client who currently use AppLocker and will soon be mandated to use WDAC. I am currently setting it up in audit mode in the short term; however, I will be configuring it with the intention of enabling it. I am looking for some WDAC deployment assistance. A few questions I had were:

- Does WDAC use 'allow' and 'deny' rules, or is it just a whitelist or blacklist control?
- AppLocker has rules based on multiple conditions (path, publisher, hash etc.); how would these transfer to WDAC?
- When merging WDAC policies, is there an order of precedence, or are they just grouped together (in block/allow)?
- Can AppLocker and WDAC co-exist on the same machine at the same time? If so, can AppLocker allow something WDAC doesn't? Or can AppLocker only block what WDAC has allowed?

Some of the scenarios the client does with AppLocker:

- Certain IT tools are only allowed for an IT AD group.
- C:\Program Files\* is allowed, with exceptions for applications that require users to have modify rights on the directory.
- C:\Windows\* is allowed, with exceptions for directories/applications that we don't want to be run by a standard user (exclusion example C:\windows\temp).
- App1.exe is hashed and allowed for all users.
- App2.exe is signed and allowed for all users.

Domain joined BitLocker recovery ID not updating in AD but is in MECM
Hi fellow professionals.

I have a question regarding BitLocker key recovery in AD. On-premises AD is based on 2008 R2, the MECM environment is 1910 and Windows 10 is on 1909. I am working with a client who is seeing inconsistent recovery keys being updated into AD, and it seems to be intermittent. Devices can be either on the corporate network or using a VPN. What they are finding is if they need to recover the key it won't always update the value in AD. The devices are also managed by ConfigMgr (MECM), and recovery can also be performed by Microsoft BitLocker Administration and Monitoring. If the recovery is performed here it successfully writes the drive recovery key into the MECM database.

During the OSD build there is a MECM task sequence to enable BitLocker and enable the key recovery into AD. This first key after the OSD build seems to always appear in AD; it's the subsequent ones where it changes. My understanding is once you set up MECM BitLocker, and following the post-build of Windows 10 where the ConfigMgr client is installed and receiving MECM policies, the MECM BitLocker feature then takes over. I am just puzzled why the recovery key writes successfully for some devices and not others. I thought it may be because the client doesn't have a CMG and it is unable to write the keys to AD over VPN; however, it appears to occur for corporate devices as well.

If anyone could clarify this it would be greatly appreciated.

Thanks

Re: Windows 10 UE-V synced settings don't always apply, DesktopSettings never apply.
sethbest I am also seeing similar issues with 1909. It seems to save settings for one machine and I can see the profiles in the share, but they don't seem to apply on the secondary machine.

Thanks

Re: Troubleshooting Autopilot Hybrid Azure Build
Hi

Just an update. I think we know what the issue is: we are seeing errors 304/307 in the event viewer of a failed AP build. It seems to be related to the service connection point configuration, so we are looking into that. The environment does already have an SCP configured but it doesn't match up with the tenant name, so we are making changes to reflect the correct details. Plan to re-run the Azure AD Connect wizard again to update the SCP config.

Troubleshooting Autopilot Hybrid Azure Build
Hi Everyone

I'm having some trouble with an Autopilot deployment. I am pretty new to this too. I am seeing errors with app deployments as part of an Autopilot profile which is Hybrid Azure AD joined. The environment is configured with co-management, but the devices are new Autopilot builds which have their hashes uploaded by the vendor. Can confirm all the prerequisites are set up in the environment for HAADJ Autopilot. Automatic enrolment is set up and the user provisioning the device is within the scope and has an M365 E3 license. Testing with a number of devices and all are failing at App 14 to 16. When collecting the logs and reviewing we are seeing the following in the IntuneManagementExtension.log; I have extracted a few lines from it:

    <![LOG[AAD User check is failed, exception is Intune Management Extension Error. Exception: Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.TokenAquireException: Attempt to get token, but failed. at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneTokenManager.<GetTokenInternalAsync>d__41.MoveNext()

I have reviewed the event viewer logs and IntuneManagementExtension.log where the above is taken from. Are there any other logs that I should review to help me troubleshoot, or, even better, does anyone know what this issue could relate to?

Many Thanks

BitLocker encryption not working on newly created Autopilot device
Hi Community

I am currently setting up Autopilot and want to enable BitLocker security at the point when the device is built, or as a last resort could do it post build. Unfortunately I am unable to get my device to enable BitLocker for a start. The device is co-managed and I have created a policy in Intune. When the device is built from an Autopilot reset, it doesn't seem to be enforcing BitLocker. I also get an error in the Intune device profile settings targeted for the device:

    -2016281112 (Remediation failed)

The error code is 0x87d1fde8. I include a screenshot of the settings defined in Intune. Ideally I want to set 256-bit encryption with a start-up PIN and the PIN stored in Azure AD. Any advice on what I am doing wrong would be greatly appreciated.

On a side note, should I be attaching this policy through Endpoint security now going forward? I hear the older methods will become deprecated in the future.

Many Thanks for members' support.

Prompts for MFA across OneDrive, Teams, Outlook
Hi All

Got a weird issue here. A customer I am working with has mentioned that after 60 days, when users are prompted for MFA, they are getting prompted not once but once when they sign in to OneDrive, then into Teams and then into Outlook. It only seems to be these three apps, and they will be OK for 60 days and then the same behaviour will be seen. I have checked trusted locations and the MFA settings and also reviewed the Conditional Access settings set up, but am stuck. As an example, for one user, looking at the sign-ins for the user all seems to be normal. There are many Conditional Access policies; however, most are not applied and they are either successes or disabled. Has anyone else seen this behaviour?

Thanks

Collocating SQL or remote SQL
Hi All

Wanted to bounce my thoughts with fellow members. I am about to embark on a mini project for a customer. It's for a small experiment, and a new network and infrastructure environment will be created on-premises. Unfortunately for this piece of work cloud is not an option. So a virtualisation environment, SAN, networking and firewalls will all be procured. I need to build MECM to help deploy a gold image to approx. 100 workstations; there are 2 variants of laptops I need to consider. As it's an experiment it is also not going to grow. I also need to ensure patching is configured for both clients and the small server estate being built.

So my thoughts are to build a new VM with MECM 2006 with the SUP role for WSUS and then use the OSD techniques with a TS to build the Windows 10 image using PXE. They will be building a SQL server to host a database for a third party application. My question is, as it's such a small environment, should I put SQL on the same standalone server which will host the primary site MECM server and SUP, or is it doing a lot already and I should move the SQL stuff to a remote SQL rather than collocate? From reading the docs I understand some considerations need to be taken into account to host both the WSUS and ConfigMgr DBs within SQL (different instances?), but because the environment will be so small my personal preference would be to keep it on the same box: easier for me to deploy and easier for the customer to manage. The security of the environment is high due to the nature of the customer. What would others recommend and what would your approach be?

Many thanks