User Profile
NidalT
Brass Contributor
Joined 9 years ago
Recent Discussions
Android - Corporate-owned devices with work profile - Screen lockout time
Hi, I have an issue with some Android devices managed via Intune. These devices are enrolled as "Corporate-owned devices with work profile". Initially, the devices have been enrolled with a specific set of settings. We now have a need to change the screen lock timeout of those devices to allow for different screen lock timeouts. The issue is that the new settings are not applied on the devices. We have set everything to our needs, but the new policy is just not applied. The initial set of settings is still in effect. Reboot, Sync, waiting for a couple of days, etc... nothing changes the settings. I have created a new enrollment profile with the desired settings as a matter of test. When enrolling new devices, these settings are correctly applied. It does what we want it to do. However, setting these settings on devices already enrolled doesn't seem to do much. We would very much like to avoid having to enroll all those devices again. Logistically it is almost impossible to get them to do that, as those particular users are not very IT-minded. Does anyone have any idea on what to do here? The devices with this issue are CAT phones which run on stock Android (v12). I have tested this with a Samsung Galaxy phone and have the exact same issue. Am I missing something here? This should be possible, right? Thank you for your time.
Windows Virtual Desktop Client can't connect
Hi, We're in the process of rolling out WVD to some users, one of which is me. I can connect via the Web Client without problems. I can connect to a full desktop and start apps only. So no issues there. However, with the Remote Desktop Client I receive the following error (screenshot attached): "Your computer can't connect to the remote computer because a security package error occurred in the transport layer. Retry the connection or contact your network administrator for assistance". Other colleagues can also connect without problems with the RD Client. I also can connect from other devices with my account. So it's clearly something on my own device. Important to note is that I can see all the WVDs and apps in the client. It's when I try to connect to it that it throws the error.
What I've done:
- Cleared all entries from the Credential Manager
- No proxy
- Not blocked on firewall
- Created this registry entry: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client, Name: RDGClientTransport, Type: DWORD, Data: 1
- Created this registry key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa, Name: LMCompatilityLevel, Type: REG_DWORD, Value: 3
Honestly no idea why it doesn't work. I don't think that my device differs in anything from those of my colleagues and from other domain-joined devices. Btw... Normal RDP to on-prem servers is working just fine. Any thoughts?
Report on MFA Status with Conditional Access
Is there any effective way to get a report of the actual MFA state of your users? I mean, the individual MFA state as well as MFA enabled via Conditional Access. It's easy to report on the individual MFA state. You get nice results: Enabled, Disabled, Enforced... However, if MFA is enabled via Conditional Access I can't seem to find an effective way to report on them. The PowerShell snippet below is the closest I can get. It will check if MFA is enabled individually. If not, it will check the "StrongAuthenticationMethods.IsDefault" attribute and report on that. But this is not always accurate, because if the "Phone" or "Alternate Phone" are configured in the Azure user object, it will still report it here even if the user is not a member of a Conditional Access policy. There is a built-in Azure report for this, but it is completely incorrect. It says that, for instance, I'm not enabled for MFA even though I've been enabled for the last 6 years. Report: https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthMethodsOverviewBlade Has anyone figured this out yet?
# Requires the MSOnline module; run Connect-MsolService first
$user = Get-MsolUser -UserPrincipalName yourUserName@contoso.com

# Registered strong-authentication methods for the user and which one is the default
$StrongAuthenticationMethodsresult = $user.StrongAuthenticationMethods | Select-Object MethodType, IsDefault

# Returns $true when the given method type is registered for the user
function Test-MfaMethod ($MethodType) {
    [bool]($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq $MethodType })
}

# Returns $true when the given method type is the user's default method
# (the original compared MethodType against names like "OneWaySMSIsDefault", which never match)
function Test-MfaMethodDefault ($MethodType) {
    [bool](($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq $MethodType }).IsDefault)
}

[PSCustomObject]@{
    UserPrincipalName = $user.UserPrincipalName
    ObjectID          = $user.ObjectId
    DisplayName       = $user.DisplayName
    AuthEmail         = $user.StrongAuthenticationUserDetails.Email
    AuthPhoneNumber   = $user.StrongAuthenticationUserDetails.PhoneNumber
    PhoneDeviceName   = $user.StrongAuthenticationPhoneAppDetails.DeviceName
    AuthAltPhone      = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    # Per-user state (Enabled/Enforced) wins; otherwise a registered default method is taken
    # as a hint that MFA comes via Conditional Access; otherwise report Disabled
    State = if ($null -ne $user.StrongAuthenticationRequirements.State) {
                $user.StrongAuthenticationRequirements.State
            } elseif ($StrongAuthenticationMethodsresult.IsDefault -contains $true) {
                "ConditionalAccess ($(($StrongAuthenticationMethodsresult | Where-Object IsDefault -eq $true).MethodType))"
            } else {
                "Disabled"
            }
    PhoneAppNotification          = Test-MfaMethod 'PhoneAppNotification'
    PhoneAppNotificationIsDefault = Test-MfaMethodDefault 'PhoneAppNotification'
    PhoneAppOTP                   = Test-MfaMethod 'PhoneAppOTP'
    PhoneAppOTPIsDefault          = Test-MfaMethodDefault 'PhoneAppOTP'
    TwoWayVoiceMobile             = Test-MfaMethod 'TwoWayVoiceMobile'
    TwoWayVoiceMobileIsDefault    = Test-MfaMethodDefault 'TwoWayVoiceMobile'
    OneWaySMS                     = Test-MfaMethod 'OneWaySMS'
    OneWaySMSIsDefault            = Test-MfaMethodDefault 'OneWaySMS'
}
Enable MFA with AzureAD Module V2
Hi there, I have written a lot of PowerShell scripts to automate and report on Office 365/Azure in the last couple of years. Now I'm in the process of re-writing some of them to utilize the new AzureAD v2 module instead of the old MSOL module. Which, I think, will be deprecated soon? One of the benefits of this will be that we will be able to enable MFA on ALL admin accounts. The only thing that's holding me back is the fact that I can't figure out how to enable MFA with the new AzureAD module. Our user provisioning script will enable MFA for all new users. With the old MSOL cmdlets it is a piece of cake. But how to do it with the AzureAD Module? Thanks
BitLocker/MBAM Question
Hi, Not really sure where to put this question, so I'll try here. In my LAB I have installed the MBAM server and SQL DBs on a cluster. Reporting services also installed... I can access the MBAM web page without problems. GPOs configured as well. All according to the official documentation. However, after noticing that I can't find any recovery info of my test devices on the MBAM recovery page I wanted to check directly in the database. There are no tables in the Recovery DB at all. I then dropped the Recovery DB and created it again. No errors whatsoever, but the DB still doesn't contain any tables. Nothing in the Event Viewer either. It all looks fine. But the DB remains empty. The Compliance Status DB does contain tables, but also no data yet. Any ideas?
The newest Windows features update is here popup - How to turn off
Hi, Our users are starting to see these popups on their devices: Our devices are managed with SCCM. Why are these popups suddenly appearing? Our users cannot perform this upgrade themselves. Now it's very persistent and it cannot be snoozed anymore. It is incredibly intrusive and unacceptable that Microsoft does this. We have policies in place to get updates from SCCM but this somehow still goes through. Can this be turned off via GPO or reg key? Thanks
Turning on Modern Authentication with mixed Outlook versions
Hi, We have not yet turned on Modern Authentication in our tenant. Our scenario: Hybrid environment with Exchange 2010 and Office 365 without ADFS.
- We have approximately 1.5k users with Enterprise E3 licenses and Office 365 ProPlus 2016
- Another 1.5k users with Enterprise E1 licenses and Office 2010 (we still have a lot of licenses for Office 2010, and E3 is quite expensive)
- And another 2k users with Enterprise F1 (formerly K1) licenses.
Multi-Factor Authentication is enforced on all our users. All Outlook and Skype for Business profiles have been set up with an App Password because of MFA. If we enable Modern Authentication, what would happen with all those configured accounts? Would they get another login prompt or would it just continue to work? There is no way to enable it for a couple of users and see what would happen. Also, what about the users who still have Office 2010? Would they be able to continue working with the App Passwords? Or would we render them unable to log in to Outlook anymore? It's hard for us to know what the consequences are. The last thing we want is to cause issues with users' Outlook and Skype for Business. It took us a lot of effort to teach them about MFA and App Passwords.
How does Microsoft distribute the data between all their data centers?
Hi, I'm wondering how Microsoft decides to distribute the data between all of their data centers. The reason I'm asking this is because we are an international company with over 5500 mailboxes and sites all over the world. However, all of our mailboxes are located in datacenters in Europe:
- Dublin, Ireland
- Austria
- Amsterdam, Netherlands
- Finland
We have, for instance, a lot of users in Singapore, India, South America, Australia, etc... I imagine that the performance would be much better if the mailbox is actually stored in the region the user resides in. On this page you can find all the data centers. I've used this script to determine the Exchange Online mailbox locations in our environment. Thanks for your input.