Latest posts

VMware Unified Access Gateway Certificate Install

Installing your own certificate is one of the first things you’ll need to do when setting up the VMware Unified Access Gateway appliance.

In this post, I will detail step-by-step how to install a certificate on the VMware UAG.

Prerequisites

The Process

  • Login to the UAG
  • Select Configure Manually.
  • Under Advanced Settings, click on TLS Server Certificate Settings.

Exporting a Certificate with MMC

If you work with wild card certificates, it’s common to need to deploy them to more than one server. You will need to export the certificate to install it on other systems.

In this post, I will show you step-by-step how to export a certificate using MMC (Microsoft Management Console).

The Process

  • Connect to the system that has the certificate you want to export.
  • Open MMC.
  • Add theĀ CertificatesĀ Snap-in.
  • Select Computer account and click Next.
  • Select Local computer and click Finish.
  • Click OK to close the Add or Remove Snap-ins window.
  • Right-click on the Certificate you want to export and click Export.

Complete a CSR

When you create a CSR and provide it to your certificate vendor or CA (Certificate Authority), you must complete the CSR (Certificate Signing Request).

In this post, I will show you step-by-step how to complete a CSR.

Prerequisites

  • CSR generated on a system that you want to complete the CSR on. If you don’t know how my post Generate CSR with MMC details all the steps.

You can check which system has the pending certificate by checking the Certificate Enrollment Requests in MMC (Microsoft Management Console).

Certificate Pending completion of CSR

The Process

  • Connect to the system you used to generate the CSR.
  • Download the certificate files from your certificate vendor or CA.
  • Right-click on the certificate file and select Install Certificate.

VMware Horizon Desktop Pool without vCenter

You usually want to connect VMware Horizon directly to VMware vCenter, but it can make sense to leave them disconnected from each other in some situations.

In this post, I’ll show you step-by-step how to install the VMware Horizon Agent without using the VMware vCenter integration. You can do this on persistent VDIs and Physical Machines.

The Process

The configuration will be divided into two sections. The first section covers the steps needed on the system that you will install the VMware Horizon agent on, and the second section covers the steps needed on the VMware Horizon Connection Server.

VMware Horizon Agent

  • Launch the VMware Horizon agent install with the command line argument /v VDM_VC_MANAGED_AGENT=0
  • Click Next
  • Agree to the general terms and click Next.
  • Select IPv4 and click Next.

Microsoft 365 Sign-in Page Branding

A custom-themed Microsoft 365 sign-in page can augment the user experience by making it easier to tell if it is a phishing sign-in page, as it will help users recognize whether the login page is legitimate or not. It also adds a nice custom tweak to your Microsoft 365 tenant.

Microsoft 365 Sign-in Page before and after Company Branding

In this post, I will show you step-by-step how to customize your Microsoft 365 sign-in page.

The Process

  • Log in to the Microsoft Entra admin center
  • Click on User Experiences > Company branding
  • Under Default sign-in experience, click on Customize
  • Upload a Favicon that is 32 x 32 pixels and less than 5 KB in size.
  • Upload a Background image that is 1920 x 1080 pixels and less than 300 KB in size.

The background image will be darkened by a black overlay with an opacity of 0.5.

Cloudflare Access IdP with Entra ID

Cloudflare Access is a wonderful tool that can add MFA (Multi-Factor Authentication) to applications that don’t support it.

I’ve previously covered Setting Up Cloudflare Access using email OTP (One-time PIN). What I didn’t cover in that post was how to set up Cloudflare Access with an IdP (Identity Provider).

In this post, I will show step-by-step how to set up Cloudflare Access to use Microsoft Entra ID (formerly Microsoft Azure Active Directory) as the IdP and use Microsoft 365 SSO (Single sign-on) to make everything very transparent to the user.

Prerequisites

  • DNS for the web application in Cloudflare with Cloudflare Proxy enabled on the DNS record. (or a Cloudflare Tunnel)

The Process

  • Click on Custom Pages.
  • Make a note of your Team domain.

For this example, I will be using the team domain test.cloudflareaccess.com

Microsoft Entra ID Configuration

  • Login to Microsoft Entra admin center.
  • Click on Applications > App registrations.
  • Click on New registration.
  • Name your application. I will use the name Cloudflare Access.
  • Select Accounts in this organizational directory only (Single tenant)
  • Set the Redirect URI platform to Web.
  • Set the Redirect URI to the URL of the Team domain you noted down earlier. Add https:// to the front of it and add /cdn-cgi/access/callback to the end of it.

Palo Alto Private Data Reset with HA (Active/Passive)

Sometimes, you need to do a quick factory reset on a Palo Alto Networks firewall. If you aren’t decommissioning the firewall, a Private Data Reset can be a faster way to accomplish similar results as a factory reset and can be done via CLI directly and could technically be done remotely with some coordination.

In this post, I will show you step-by-step instructions on how to perform a private data reset on a primary Palo Alto Networks firewall in an Active/Passive High Availability Pair using the GUI and the CLI.

The Process

HA Election Settings

If the HA election settings are set to preemptive, we need to disable that.

HA Election Settings GUI

  • On the Primary firewall, click on Device.
  • Click on High Availability
  • Uncheck Preemptive (if it isn’t selected, you don’t need to do anything)
  • Commit the changes

HA Election Settings CLI

  • SSH into the Primary firewall
  • Enter the configuration mode by running the command configure
  • Run the following command to output your HA election settings show deviceconfig high-availability group election-option

If preemptive is set to yes, make a note of that (if it isn’t selected, you don’t need to do anything)

Intune Deploy Windows 10 Default Start Menu

I recently discovered that I caused an unintended side effect on Windows 10 when deploying a default taskbar for all users.

In my post Intune Deploy Default Taskbar I inadvertently introduced a bug to the Windows 10 Start Menu making it so users can’t customize anything.

The bug is that users can pin programs to the taskbar but they can’t pin anything to the Start Menu and they also can’t change anything in the Start Menu.

Can’t pin Microsoft Access to the Start Menu on Windows 10

The issue does not impact Windows 11 as the way the Windows 11 Start Menu layout uses JSON and the Windows 10 Start Menu layout uses XML, the same XML file that is used for the default taskbar.

I am happy to allow users to customize their Start Menu as much as they want but I do want a consistent user experience for all. Most users likely won’t change anything, but the ones that do want to customize their Start Menu would be blocked.

In this post, I will show you step-by-step how to fix the bug and how to deploy a partial custom Start Menu for Windows 10 using Microsoft Intune.

The Process

  • On a source system configure an application group in your start menu and pin the applications in the order you want.

The application group name will also be deployed. I named my application group Company Name for this example but you can make it whatever you want.

I don’t want the custom Start Menu application group to be very intrusive so I will use 1×1 icons for all the common Microsoft applications and I will use 2×2 icon for Company Portal as Company Portal is still new for a lot of people.

Source Windows 10 Start Menu application group
  • Export the Start Menu layout by running the following PowerShell command Export-StartLayout -UseDesktopApplicationID -path C:\temp\start-menu.xml
  • Open the Start Menu XML file as we will need to make changes to it.

Securing GlobalProtect

Out of the box, you can’t just add a Security Profile to the interface that runs GlobalProtect fortunately there’s a relatively easy way to do it with minimal impact to your existing GlobalProtect setup.

In this post, I will show you step-by-step how to secure GlobalProtect by adding protection with a Vulnerability Protection Profile or a Security Profile Group to an already existing GlobalProtect setup by using a loopback interface.

The Process

  • Log in to the Palo Alto Networks Firewall
  • Click on Objects
  • Click on Addresses
  • Add a new address for your loopback address

I will be using the address 192.168.187.2 for this example.

  • Click on Network
  • Click on Zones
  • Add a new Zone. I will be using the name GP-WAN. (This zone will be the zone allocated to the GlobalProtect loopback interface later on.)
    • Set the Type to Layer3
    • Select your Zone Protection Profile. In my case, I will use the one called Recommended_Zone_Protection
    • Select the option to Enable Packet Buffer Protection.
  • Click on Interfaces
  • Click on Loopback

Registry Check Setter

In the past, I’ve made a few one-off PowerShell scripts to set various registry settings. I find myself needing to do this more and more. I’ve always just forced my registry settings with no regard to whether the settings were already correct.

A perfect example of this is my PowerShell script to Disable Auto Windows Updates

While this method works I felt like it could be better. I decided to make a brand new script that would be less forceful and more modular and use functions and parameters.

This resulted in the creation of the PowerShell script that I call the Registry Check Setter.

The PowerShell script enables you to set multiple registry settings very easily while checking if the settings are already correct or not.

You can find the script on my GitHub https://github.com/thedxt/Registry-Check-Setter

How It Works

The script starts by checking if the registry key path exists, if the key path doesn’t exist the script considers it safe to just set the settings and sets them. If the key path does exist the script then moves on to checking if the registry value name exists.

If the registry value name is not found in the registry key path the script then creates the value with the needed setting and exists. If the registry value name exists the script then checks if the registry value name setting is correct.

If the registry value name setting is not correct the script then changes the setting to make it correct and then exits.

An example of this would be if I was trying to prevent a Windows 10 system from upgrading to Windows 11 and I wanted to turn off auto updates.

To lock the system to Windows 10 the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate needs a registry value named ProductVersion that is a String with a setting of Windows 10.

To lock the system to a specific feature update of Windows 10 the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate needs a registry value named TargetReleaseVersionInfo that is a String with a setting of 22H2.

To enable locking the system to Windows 10 22H2 the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate needs a registry value named TargetReleaseVersion that is a DWord with a setting of 1.

To turn off auto updates the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU needs a registry value named NoAutoUpdate that is a DWord with a setting of 1.

Yes, I could just force the settings to be correct but if I run the script multiple times it constantly changes the settings and doesn’t take into account if the Windows Update service is running. If the Windows Update service is already running these settings won’t properly take effect until the Windows Update service is restarted or the whole system is rebooted.

My thought process is you could combine the results of the Registry Check Setter to have another script take action.