Latest posts

Intune Silently Enable BitLocker

When you are managing devices with Microsoft Intune (aka Microsoft Endpoint Manager), it’s great to control BitLocker, but silently enabling BitLocker for all devices is even better.

Here is everything you need to know to silently enable BitLocker with Intune.

Disk Encryption Policy Profile

First up, we need to create a disk encryption policy profile that we can use later on with our configuration profile. The Disk Encryption Policy Profile by itself really does nothing other than define the settings that will apply when it is referenced by a configuration profile.

  • Log in to Microsoft Intune admin center
  • Click on Endpoint Security
  • Click on Disk encryption
  • Click on Create Policy

VMware Horizon Customize Web Portal

VMware Horizon’s web portal has a decent appearance out of the box. However, I wanted to customize it to make it look like my own.

If you have a customized login background on your Microsoft 365, it could be beneficial to create a consistent end-user experience by making them look similar.

I couldn’t find any official documentation from VMware about this. I suspect the customizations might break when you upgrade to a new version of VMware Horizon. With all of that aside, altering the images on the HTML portal is actually really straightforward.

Here’s how to change the default background and the default logo on the VMware Horizon HTML web portal.

  • Go to your current VMware Horizon web portal, right click on the VMware Horizon logo and select Open image in new tab
  • You will now have a new tab with a URL that looks something like this: horizon.yourwebsite.com/portal/webclient/icons-21414280/logo.png

ESXi Config Restore

Having a backup is great, but it only helps if you know how to restore it. Previously I showed you how to take an ESXi Config Backup. Now let me show you the process to restore that ESXi config backup.

The Process

  • Make a note of your current ESXi build number and the build number of the ESXi config backup file.

If you aren’t sure how, here’s a post I made about how to get your ESXi Build Number without vCenter for your current ESXi and your ESXi config backup file.

Your current ESXi build number and the ESXi build number in the ESXi config backup file must match.

Technically you can still restore with mismatching build numbers; however, that is a bug and it could cause unexpected behavior, and based on VMware’s documentation it would likely not be supported if something goes wrong later on.

You can read more about this bug on my post called ESXi Config Restore Bug.

  • Rename the ESXi config backup file you want to restore to configBundle.tgz
  • Enable SSH by right clicking on the host and selecting Services > Enable Secure Shell (SSH)

Onyx (MLNX-OS) BIOS Password Reset

Recently I’ve been playing with some Nvidia/Mellanox switches, specifically the SN2410. An issue that I ran into was that I didn’t have the BIOS password.

All of the documentation says that the default BIOS password is admin. That password did not work on my switch.

You can absolutely use the switch even without the BIOS password; however, it may limit some of your options in the future, specifically recovery options if needed.

The documentation that I found says that if the default password doesn’t work you need to contact Mellanox/Nvidia support. The issue with that is I’m playing with this switch in my home lab, so I don’t exactly have a support contract to contact support.

I took the switch apart and there doesn’t appear to be a CMOS battery to pull to clear the BIOS either. There might be a jumper for it, but it wasn’t obvious which one it might be and I didn’t want to risk breaking it.

Inside the SN2410 switch

In the end I ended up figuring out a way to reset the BIOS password back to default.

Here’s how to do it.

Intune Dynamic Device Groups

Intune (aka Microsoft Endpoint Manager) can be extremely powerful, but as it always goes, with great power comes great responsibility.

To make sure I’m only targeting the devices I want, I like to make a few dynamic device groups that I’ll use for various Intune policy targeting.

The dynamic device groups I create are:

  • Windows AAD Joined for all the Windows devices joined to Azure AD.
  • Windows Hybrid AAD Joined for all the Windows devices that are hybrid joined to Azure AD.
  • Windows AAD Registered for all the Windows devices that are registered to Azure AD; this is typically BYOD (Bring Your Own Device).
  • Windows Personal for all the personal Windows devices.

By creating these groups I can correctly target my Intune policies to always have the intended outcome.

Here are the dynamic membership rules I use for the dynamic device groups.

Lenovo Remote Physical Presence

On Lenovo servers the default configuration has a physical presence policy enabled. When a physical presence policy is enabled, it prevents you from doing a few tasks on the system, either in BIOS or IPMI. Lenovo calls their IPMI XClarity Controller (XCC).

With an enabled physical presence policy, your only options to do some of those tasks are either to physically move a jumper on the motherboard or to make some tweaks in XCC or BIOS to assert your physical presence even if you are remote.

Here’s how to do it in IPMI or BIOS.

Upgrading Duo Authentication for Windows Logon

Duo Authentication for Windows Logon and RDP is a great tool that I like to use to add MFA to Windows systems, specifically servers, as it could help prevent lateral movement in the network.

When you only have a few systems running Duo Authentication for Windows Logon and RDP, upgrading it is short and painless. When you have many systems it can be a bit of a painful process, as the only method seems to be to do it manually.

Naturally, to solve this I wrote a PowerShell script to do the work.

PowerShell Script

The PowerShell script will check if Duo Authentication for Windows Logon is installed. If no Duo Authentication for Windows Logon install is found it will just exit.

ESXi Config Restore Bug

While I was looking into various ways to restore an ESXi config backup, I came across a bug.

If you read VMware’s documentation about how to restore an ESXi config backup (you can find that here), you will see that it is full of references saying the build numbers must match.

The bug is that you can restore an ESXi config backup even if the build numbers don’t match, which according to the VMware documentation should not be possible.

Even though it is possible to restore an ESXi config backup when the build numbers don’t match, I do not recommend doing this, as there has to be a reason why VMware says that the build numbers must match.

In my testing I was able to replicate the bug in ESXi 7 and ESXi 8. I even went all the way back to ESXi 6.7, which had some interesting findings. I didn’t fully test everything in ESXi 6.7 as general support has ended on that version.

Here are my findings and how to replicate the bug.

ESXi Build Number without vCenter

Knowing your ESXi Build Number can be very useful. It’s really easy to do with vCenter. Without vCenter it’s not as straightforward. Here are a few ways to get your build number when you don’t have vCenter.

Console

If you have access to the console of the ESXi host via IPMI, iLO, iDRAC or physical access, you can get your ESXi build number right from there; you don’t even need to log in.

Help Menu

You can also get your ESXi build number right from the Help menu in the Web UI.

  • Log in to the Web UI of your ESXi host
  • Click on Help > About

You will now get a screen that shows you your ESXi build number.

It should look something like this:

In this example we know that my ESXi build number is 19482537.

SSH

  • Enable SSH on your ESXi host by right clicking on the host and selecting Services > Enable Secure Shell
  • Log in to your ESXi host with SSH
  • Enter the following command: vmware -v

You will get output that looks something like this:

VMware ESXi 7.0.3 build-19482537

In this example we know that my ESXi build number is 19482537.

ESXi Config Backup File

You can also get your ESXi build number from an ESXi config backup file, which can be helpful if you want to know which ESXi build number was installed when a backup was taken.

To do this we will need something that can open a tgz archive. I like to use 7-Zip.

Cisco Aironet Won’t Connect to Wireless LAN Controller

I ran into an issue where some older Cisco Aironet APs (Access Points) stopped connecting to a Cisco WLC (Wireless LAN Controller). No config changes had been made, and some of the Cisco Aironet APs would connect and some wouldn’t. All of them were the same model, and the Cisco Aironet APs were able to ping the Cisco WLC and vice versa.

What happened is the Cisco MIC (Manufacturer Installed Certificate) expired, and the default setup of a Cisco WLC is to reject any Cisco Aironet AP with an expired MIC.

It looks like this could impact every Cisco WLC when used with older Cisco Aironet APs that have an expired Cisco MIC. Cisco has a Field Notice about this issue; you can read it here: FN63942.

Any Cisco Aironet AP that was manufactured from July 18, 2005 until 2017 will have a Cisco MIC that expires 10 years after the manufacture date. There seems to be no way to replace or renew that Cisco MIC, so this will keep being an issue that could randomly show up until 2027, when all of them should be broken.

The reason some of my Cisco Aironet APs worked and some didn’t is that they were manufactured at different times, even though they have the same model number.

The fix is super quick; we just need to tell the Cisco WLC to ignore expired Cisco MICs.