User Profile
isotonic_uk
Brass Contributor
Joined 5 years ago
Recent Discussions
Source image is not created for trusted boot but it is turned on the VM.
Hi, new to Bicep and learning it by deploying a mini environment in my lab. I am using the same code base as defined here: https://rozemuller.com/avd-automation-cocktail-avd-with-bicep-and-azure-cli/#azure-compute-gallery but I have made some alterations to it as I am trying to create a gen2 Trusted Launch VM to be used instead of the standard SecurityType defined in this blog. I create my initial image version of Windows 11 using SecurityType trusted launch. This was just a standard Microsoft gallery image, which I then sysprep and generalise. That all seems to work well and my base image has the security type that I want. Defined in my Bicep file under:

    resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
      // ... name, location and the rest of the VM definition elided ...
      properties: {
        // ... other VM properties ...
        securityProfile: {
          uefiSettings: {
            secureBootEnabled: true
            vTpmEnabled: true
          }
          securityType: 'TrustedLaunch'
        }
        diagnosticsProfile: {
          bootDiagnostics: {
            enabled: true
          }
        }
      }
    }

When I come to run the main.bicep file alongside the parameters, which then pulls the various modules depending on where it is in the build, it goes through the process of deploying the gallery image but fails with the error:

    The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure, Target: /subscriptions/<mysubscriptionID>/resourceGroups/uks-rb81-vdi-avd-hpl-priv-001-01/providers/Microsoft.Compute/galleries/uksbldglbssvgal01/images/uks-img-Windows-desktop-11-gen2-22h2-priv-tl-001/versions/2023.09.26) The source 'subscriptions/<mysubscriptionID>/resourceGroups/rg-Win11-template/providers/Microsoft.Compute/virtualMachines/i4xsd3rrtnobm-vm' has security type 'TrustedLaunch' and cannot be used as a source for an image definition with SecurityType feature set to 'None'.
    (Code: Conflict)

I am really confused where I need to set this. I thought it would be under the Bicep file deploy-shared-image-gallery.bicep, but then when I declare the params and resource as:

    //Create VM with Security type
    resource virtualMachine 'Microsoft.Compute/virtualMachines@2023-07-01' = {
      name: imageDefinitionName
      location: location
      securityType: 'TrustedLaunch'
    }

It just says: The property "securityType" is not allowed on objects of type "Microsoft.Compute/virtualMachines". Permissible properties include "asserts", "dependsOn", "extendedLocation", "identity", "plan", "properties", "tags", "zones". If this is an inaccuracy in the documentation, please report it to the Bicep Team.

Could it be an expression that I need to define? Param and var value? Any help on this would be most appreciated. Thanks

Solved · 1.1K Views · 0 likes · 1 Comment

Intune deployment of OneDrive only
Hi, I think what I am asking is possible but I am just looking for validation. We are looking at implementing a Privileged Access Workstation (PAW) using the zero trust principles we have with our AVD standard build, which is modern managed; however, we do not want to allow use of the productivity suite like Microsoft 365. However, there is a need that a user using a PAW may need to retrieve logs and needs a way to send these via the internet. We currently deploy the full M365 Office via Intune deployment. Is there a way we can just deploy OneDrive only? The AVD VM will also not have internet access except for the mandatory URLs and ports to run the AVD service, as well as any service endpoints we want to allow for the PAW to function as intended. Microsoft have a list of IPs that we would need to allow. I am aware that if we allow OneDrive, by default it will also allow SharePoint Online as it uses the same URLs, considering it uses the same backend. Would my understanding of this be correct? Thank you

2K Views · 0 likes · 1 Comment

Does AVD support OATH for authentication?
Hi, just wanted to ask if we wanted to use OATH authentication for a certain population of our users who don't have access to a mobile, does AVD support this method? I am aware it can support FIDO from at least the host device and not within the session host, which is fine. The reason I ask is we have Conditional Access policies which require a compliant device, and we are finding registration of FIDO is not possible without the use of a temporary access pass (for situations where the user does not have a mobile). So I want to explore OATH as another option. One benefit of that is the ability for the administrator to manage the onboarding of the OATH keys. Thanks

Solved · 952 Views · 0 likes · 1 Comment

User actions - Register Security Information from unmanaged devices.
Hi fellow members, I work in a highly regulated organisation where we DO NOT allow unmanaged devices access to any of our Azure/M365 services. We use both Azure Conditional Access and tenant restrictions and other methods to secure our environment this way. However, we are in the process of enabling Azure Virtual Desktop (AVD) and we DO want some users to be able to use this from an unmanaged device, and only in this scenario. Our tenant is pre August 2020, so currently we still use the old MFA/SSPR workflows; we cannot enable combined registration for all, so we are using the scoped combined registration user feature in AAD. We find that since enabling combined registration, one of our CA policies is blocking access for a user to register their security information, either from the legacy workflows or using the combined registration experience. Using the user action "register security information" to allow from all locations also doesn't seem to work. We cannot make any exceptions or remove the Conditional Access policy, which BTW prevents unmanaged devices from accessing. We do have another CA policy which does allow AVD from an unmanaged device but mandates MFA. That works great until we force the user to register SSPR security information. Is anyone aware of any other options that could help address this scenario? Many Thanks

SSPR and Mac OSX using Jamf Connect 1.11 - Is it supported?
Hi All, just wondering if there are users who use Mac OSX with Jamf Connect and have attempted to use Microsoft Azure Self Service Password Reset (SSPR) to enable Mac users to register for the service to reset or unlock their Azure AD account. Is this a supported scenario, or are there issues with this approach? When we have tested this we seem to be seeing issues once a user is set up with enforced registration. When connecting via the Jamf Connect login, they receive the 'more information required' message but then go into a loop with the security details not showing correctly. Any help if anyone has seen similar issues would be greatly appreciated. Thanks

1.1K Views · 0 likes · 0 Comments

SSPR forced registration
Hi All, I am looking for some pointers on a question I have on SSPR forced registration. Over 100,000 employees, global organisation. Due to a technical and political issue around MFA forced registration we have not enabled the Combined Registration feature, but we wish to use forced SSPR. We have about a 50/50 split of users on Win7 or Mac devices and Windows 10, and there is already a migration in place to migrate users, but the sheer size means this is taking some time. Due to legacy requirements a sizeable number of users won't be able to use SSPR due to use of Win7/macOS devices, so these are out of scope. We have tried using the approach where users can self register, but the uptake has been low, and so our intention is to enable forced registration in SSPR but stage this deployment over a period of weeks/months. The issue is that in the current config of SSPR a dynamic Azure AD group is in place, and due to the number of domains the plan is to create a master AAD static group and add nested synced AD groups into this master AAD group. However, we don't want existing users (approx. 20,000 registered users) to be affected by the group changes. We use a tool called MigrationStudio as our source of truth for data, and so the intention is to extract information from a variety of sources to determine who is in scope to be included in the respective nested groups for SSPR forced registration. We can leverage the Graph API (credentialUserRegistrationDetails resource type - Microsoft Graph beta | Microsoft Docs) and so can understand who is currently registered for the service. We will use this data to populate those nested groups and then make the change on the SSPR group configuration, so existing users can continue to use SSPR and they don't need to re-register. My question is understanding and confirming whether the data from credentialUserRegistrationDetails is enough to ensure we capture all the correct users from the export we perform from MigrationStudio.

There are other criteria we need to consider, e.g. exclude Windows 7/Mac users, which we collate. We also considered excluding service accounts and other operational accounts not suited for SSPR. Would there be anything else we would need to consider with us doing a staged approach? Many Thanks

Source hierarchy migration to new domain, DP considerations.
Hi fellow professionals. I am currently doing a source hierarchy migration from 2002CB to 2002CB in one forest trust with two domains. I have done it in a way so that the new site server mirrors the old one as much as possible, apart from the server OS, which is 2016 as opposed to 2012 in the old environment. There are 4 DPs in the source and I can see they are all eligible for re-assignment; however, my question is, if those servers sit in the old domain but I need to move those servers into the new domain, what would be the best approach? I assume the only way would be to recreate those DPs in the new domain against the new site code? Is there a way to migrate DPs from source to new destination DP, or is it a case of introducing the new DPs in the destination hierarchy and then just ensuring they have the DP role and then ensuring the content is populated onto that DP before the old is decommissioned? Also, currently the old DPs are serving PXE for OSD deployment, so I believe before that is done the DHCP or switch helpers will need to point to the new DPs so that process can continue; would that be correct? I look forward to any responses. Thanks

505 Views · 0 likes · 0 Comments

SQL and MECM install media question
Hi All, am I right in thinking that MECM 2002 does come with a flavour of SQL Express on the same media, or does this need to be downloaded separately? In the past I have downloaded and installed SQL on a separate server, but for the life of me can't remember the process when co-locating SQL on the same primary site server. Is anyone able to advise, please? Thanks

WDAC deployment guidance and questions.
Hi, I am currently working with a client who currently uses AppLocker and will soon be mandated to use WDAC. I am currently setting it up in audit mode in the short term; however, I will be configuring it with the intention of enabling it. I am looking for some WDAC deployment assistance. A few questions I had were:

Does WDAC use 'allow' and 'deny' rules, or is it just a whitelist or blacklist control?
AppLocker has rules based on multiple conditions (path, publisher, hash etc.); how would these transfer to WDAC?
When merging WDAC policies, is there an order of precedence, or are they just grouped together (in block/allow)?
Can AppLocker and WDAC co-exist on the same machine at the same time? If so, can AppLocker allow something WDAC doesn't? Or can AppLocker only block what WDAC has allowed?

Some of the scenarios the client does with AppLocker:

Using certain IT tools is only allowed for an IT AD group.
C:\Program Files\* is allowed, with exceptions for applications that require users to have modify rights on the directory.
C:\Windows\* is allowed, with exceptions for dirs/applications that we don't want to be run by a standard user (exclusion example: C:\windows\temp).
App1.exe is hashed and allowed for all users.
App2.exe is signed and allowed for all users.

1.1K Views · 0 likes · 0 Comments

Windows Hello hybrid key trust checking
Hi Everyone, I am working with a client on a WHfB implementation using the hybrid key trust deployment method. The customer has opted to use GPO as they are not quite ready yet for Intune policies. The machines tested are using 1909 of Windows 10 and are Hybrid joined, with much of the policies being deployed using GPO; however, I noticed when the device is in MEM it has Intune workloads set for device configuration. With this model, can I ask if it's OK to use GPO WHfB policies over Intune, or would I need to use Intune policies? When reviewing the configuration it seems that it is applying the policies. The dsregcmd command shows the policy enabled as no; would I expect this if the policy is not delivered by Intune? Also, I want to confirm that the machine is using WHfB rather than just regular Windows Hello. Is there a way I can confirm this? Many thanks in advance for advice on this.
Recent Blog Articles
Re: Conditional access for the Azure AD combined MFA and password reset registration experience
What will happen when the new combined registration workflow takes effect on Sept 30th 2022? Will this still work? Enable combined security information registration - Azure Active Directory | Microsoft Docs ...

0 likes · 0 Comments