Latest posts

New Teams Desktop Shortcut

Microsoft has stopped deploying the original version of Microsoft Teams (now called Microsoft Teams Classic) with new Microsoft 365 apps installs. I’ve been using New Microsoft Teams for quite a while now and I honestly can’t tell the difference between the two anymore.

An issue I do have with New Teams is that it doesn’t seem to place a shortcut on the desktop. Having a desktop shortcut for Microsoft Teams is great for shared computers like meeting rooms.

In this post, I’ll show you step-by-step how to deploy a desktop shortcut for New Teams, and I will also show how I figured it out, as there seems to be very little documentation about this.

The Discovery

If you search around for how to make a desktop shortcut for New Teams, you will find a large number of posts saying to run shell:AppsFolder and just drag the New Teams icon to the desktop. While this process does technically work, I don’t like it. It looks ugly and always seems to use your account’s accent color as the background color.

If you look at the details of the shortcut created via the shell apps folder method, it points to the UWP ID of New Teams and thankfully not to a specific version. I suspect this method is perfectly fine. However, I don’t like it.

A neat thing with UWP apps is that they sometimes have a URI (Uniform Resource Identifier) scheme defined. When CVE-2022-30190, the Microsoft Support Diagnostic Tool vulnerability aka the Follina exploit, was very active, one of the early mitigations was to disable the ms-msdt URI scheme by deleting its registry key, which is located at HKEY_CLASSES_ROOT\ms-msdt. If you go digging around in HKEY_CLASSES_ROOT, there are a lot of interesting things in there, such as other applications that also register URI schemes. Both versions of Microsoft Teams do.

If you’ve used the web version of Microsoft Teams, or clicked on a Teams meeting link and ended up opening it in a web browser, then you’ve run into the Teams web launcher.

New Teams Bulk Install Script

New Teams is a UWP (Universal Windows Platform) app and that presents its own challenges when it comes to system-wide mass installs.

If you download the MSIX directly and install it, it tricks you into thinking it’s installed for all users. In reality, it is only installed for the user that downloaded and installed it, which is why no local admin rights are needed to install it.

In this post, I will show how my new Teams mass install PowerShell script works.

Microsoft has provided a way to bulk install new Teams for all users and I’ve adapted the Microsoft method to be a bit more modular and make it always current.

The official method to bulk install new Teams is to use the Teams bootstrapper and run teamsbootstrapper.exe -p which will download the latest version of the new Teams MSIX and install it for all users. This used to be the only method for deployment.

Microsoft has since updated the new Teams bootstrapper to support an offline install, allowing you to specify the location of the new Teams MSIX instead of downloading it. This is done with the -o argument.

Rather than just using the new Teams bootstrapper to download and install the latest version of new Teams, I decided to make the script download the latest version of the new Teams MSIX itself, as this allows for more verbosity. You could also adapt the script to use a UNC path or an alternate location instead.

The goal of the script is to always be current and to be used with various deployment methods such as RMMs.

For the new Teams toggle in classic Teams to work correctly, you need to make sure you have a compatible version of classic Teams installed. An easy way to do that is to use my Teams Machine Wide Install update script. Doing so will make sure everyone has a version of classic Teams that allows toggling to new Teams.

The Script

The script is only intended to be run on Windows 10 or Windows 11 systems. It is not intended to be run on Windows Server, as some versions have very different install methods for new Teams.

Delete Microsoft 365 Tenant

There are various reasons why you may need to delete a Microsoft 365 tenant. The most common one I run into is after a corporate merger or acquisition. In this post, I will show step-by-step how to delete a Microsoft 365 tenant.

Prerequisites

  • All invoices are paid.
  • All domains are removed other than the CompanyName.onmicrosoft.com domain name.
  • All users are deleted and also purged from Deleted users, except for one Global Admin.
  • All App registrations and Enterprise applications are deleted.
  • No Azure subscriptions remain.
  • All licenses are deleted and removed.

Completing all of those prerequisites will take time, and sometimes things get stuck, but it is possible to complete all of them.

The Process

  • Log in to the Entra admin center.
  • Click on Identity > Overview.
  • Click on Manage tenants.
  • Select the tenant and click Delete.
  • It will check whether the tenant can be deleted.

Saved Browser Passwords

It’s super convenient to save your passwords to your web browser but it isn’t very secure. In this post, I will show you step-by-step how to easily reveal a saved browser password.

Normally, if you want to view a saved password, you need to go into settings and click on it, then enter the password of the logged-in user account to view it. This isn’t always true; let me show you how to get around this.

The Process

  • Go to any website that has the login credentials saved.
  • Right-click on the password field and select Inspect, or just inspect the whole page.
  • Find the line for the password field; it should show up as type="password".

Control Microsoft 365 Group Creation

Controlling who can and can’t create Microsoft 365 groups can be a very powerful tool. In this post, I will detail step-by-step how to prevent users from creating Microsoft 365 groups unless they are members of a specific security group.

Prerequisites

  • Microsoft Entra ID P1 or P2 is needed for the users who are allowed to create groups. (The old name was Azure Active Directory Premium P1 or P2.)
  • The Microsoft Graph Beta PowerShell module is installed.

The Process

  • Log in to the Microsoft Entra admin center.
  • Click on Groups > All groups.
  • Click on New group.
  • Make sure the Group type is set to Security.
  • Give your group a name. In my example, I will use the name Group Creators.
  • Add anyone that you want to have the power to create Microsoft 365 Groups to the security group you just created.
  • Open PowerShell ISE.
  • Copy the script from Microsoft here.
  • On line 6, enter the name of the security group you just created. In my case, that group is called Group Creators.

The beginning of the script should look something like this.

Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

$GroupName = "Group Creators"
$AllowGroupCreation = "False"

$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

VMware Tools on Windows Server Core

I’m a fan of using Microsoft Windows Server Core for as many things as possible when it makes sense. In this post, I’ll cover step-by-step how to install VMware Tools on Windows Server Core via the GUI and PowerShell.

The GUI Way

  • From ESXi or vCenter, mount the VMware Tools ISO to the VM.
  • Log in to the Windows Server Core VM.
  • Change to the D drive (or whichever drive letter the mounted ISO has on your install).
  • Enter the following command to begin the install: .\setup64.exe

Sometimes the VMware Tools install window hides behind the command line window.

  • Click Next
  • Select Typical and click Next.
  • Click Install.

Policy Based Forwarding

I needed to route an FQDN (Fully Qualified Domain Name) down an IPSEC VPN tunnel but couldn’t, because it was an external address whose IP is dynamic, so I wasn’t able to just create a static route to force it down the IPSEC VPN tunnel. To solve this, I discovered something called policy based forwarding.

In this post, I will explain the setup and the reason why I used policy-based forwarding to solve my problem, and I will show step-by-step how to do all of this with a Palo Alto Networks firewall.

The Background

For the setup, Palo Alto Networks firewalls are being used. There are two sites, the Head Office and the Data Center. There is an IPSEC VPN tunnel between both sites. The Data Center firewall also has various vendor IPSEC VPN tunnels.

The Head Office firewall has its own internet connection as does the Data Center firewall. The Head Office firewall is configured with static routes to only send traffic for the Data Center down the Data Center IPSEC tunnel. All other traffic goes out the Head Office WAN.

Configuring it this way allows for a very simple and basic SD-WAN type configuration: only essential traffic is sent down the Data Center IPSEC VPN tunnel, freeing the IPSEC tunnel from normal internet traffic that does not need to be routed to the Data Center.

The Problem

There are two vendors, which we’ll call Vendor1 and Vendor2. Both of them have an Oracle database that users at the Head Office site need to connect to.

Vendor1 has an IPSEC VPN tunnel from the Data Center firewall to the firewall at Vendor1. The Oracle database on their end is on a private IP. All traffic from the Data Center to Vendor1 is NATed behind a specific IP. Vendor1 only allows connections that are from that NATed IP over the IPSEC VPN tunnel.

Vendor2 won’t set up an IPSEC VPN tunnel. The Oracle database for Vendor2 is an FQDN; we’ll say that the FQDN is Oracle.Vendor2.com. The IP that FQDN resolves to can and will change without notice. The only way users can connect to the Oracle database at Vendor2 is for Vendor2 to add our WAN IP to an allow list on their side. This process is slow and doesn’t scale well. To help with this, we can have Vendor2 add one specific WAN IP to their allow list and NAT our traffic to them behind that IP.

Now, this works for the most part when you tunnel all traffic from the Head Office to the Data Center firewall. The problem with this solution is that it can be very costly, as you may need an E-Line/MPLS/VPLS connection back to the Data Center, and depending on the location they can be very expensive. If the Head Office moves to a new physical location, coordinating an E-Line/MPLS/VPLS move is not always the quickest option. Ideally, we want a solution that allows for flexibility.

Yes, you could IPSEC tunnel all the Head Office traffic back to the Data Center but why? Why would you want Microsoft 365 traffic and other normal internet traffic going down your Data Center IPSEC tunnel? This just adds unnecessary overhead and can cause slowness, especially today as so many applications are web-based.

The overarching problem in all of this is how to scale it without needing to reach out to the vendors to add a new IP to the allow list or to build a new IPSEC VPN tunnel.

The Solutions

The solution for Vendor1 is simple because it’s a private IP. We can just add a static route on the Head Office firewall telling it to send that traffic down the Data Center IPSEC VPN tunnel, and from the Data Center it goes out the Vendor1 IPSEC tunnel.

ONIE Partition Exists Fix

I recently ran into an issue where I had uninstalled Onyx on my switch and was trying to reinstall it, but couldn’t because I was getting an error. Below is an example of the error.

partition exists - please uninstall first
EXT4-fs (sda3): couldn't mount as ext3 due to feature incompatibilities
cp: write error: No space left on device

There is also another variation of this error that I ran into. Below is an example of that error too.

umount: can't unmount /mnt/onie-boot: Invalid argument
/mnt/onie-boot not mounted
Error: You requested a partition from 1000MiB to 2000MiB (sectors 2048000..4095999).
The closest location we can manage is 1000MiB to 1000MiB (sectors 2047999..2047999).

The issue seems to be that somewhere along the line the NOS uninstall process left behind a partition or two. To fix this, we need to delete them. In this post, I’ll show you step-by-step how to delete the leftover partitions from within ONIE.

The Fix

This fix works for Nvidia/Mellanox switches and will likely work on other ONIE switches; however, I’ve only tested it on Nvidia/Mellanox switches.

  • Connect to ONIE. I’ll be using a console connection and PuTTY.
  • Open GNU Parted on the disk by running the command parted /dev/sda

In my case the disk was sda; it’s likely the same in most setups.

Upgrade Palo Alto HA Pair (Active/Passive) with CLI

I’m a big fan of the CLI. I love to use it when I can; it always feels more complete and absolute. A while back I posted how to Upgrade Palo Alto Firewall HA Pair (Active/Passive). In that post I only covered the GUI method; this post will detail how to complete everything with the CLI only.

Here is, step-by-step, how to upgrade a Palo Alto Networks firewall in an Active/Passive High Availability pair with the CLI only.

In my example, I am running a Palo Alto Active/Passive HA pair. The firewall named DXT-FW-PA01 is the primary firewall and is currently the Active firewall. The firewall named DXT-FW-PA02 is the secondary and Passive firewall. Both are running PAN-OS 10.2, version 10.2.3. I will be upgrading them to PAN-OS 11.0, version 11.0.2-h2, which is the current preferred release for that version.

The Process

Confirm Upgrade Path

  • You always need to do every PAN-OS feature release in order. You can’t jump from 9.1 to 11.0; you need to do 10.0, then 10.1, then 10.2, then 11.0.
  • Check your upgrade path with Palo Alto’s documentation. Here is the upgrade path to PAN-OS 11.0.
  • Check what the preferred releases are for your upgrade path. You can do that here. (You will need a Palo Alto support account to access the link.)

Review Release Notes

Review Upgrade/Downgrade Considerations

Upgrade Checklist

Check Content Updates

  • Connect to the currently Active firewall with SSH.
  • Run the following command to list the PAN-OS version you are running, along with the hostname and the application and threat content versions: show system info | match sw\|hostname\|app\|threat

TrueNAS Install Tweaks

I’m a long-time user of TrueNAS, going back to the days when it was still called FreeNAS. I’ll always love the FreeNAS logo. In this post, I’ll go over, step-by-step, some of the tweaks that I like to make on a fresh install of TrueNAS, specifically TrueNAS Core or TrueNAS Enterprise.

The Tweaks

HTTPS Redirection

HTTPS is always a good idea. Here is how to enable HTTP to HTTPS redirection.

  • Click on System > General.
  • Select Web Interface HTTP -> HTTPS Redirect and click Save.
  • Confirm that you are restarting the web service by selecting Confirm and clicking Continue.

Now, if you try to access your TrueNAS over HTTP, it will automatically send you over to HTTPS.

Autotune

Autotune is a Python script created by iXsystems that will automatically optimize your TrueNAS. If you want to see what the script is doing, its location is /usr/local/bin/autotune. It is on by default on systems purchased from iXsystems.

  • Click on System > Advanced