Intune Device Filters

Intune Device Filters

As the end of Windows 10 starts creeping up we have to adapt some of our methods to support mixed environments with Windows 10 and Windows 11.

Most settings in Microsoft Intune aren’t specific to Windows 10 or Windows 11 some settings are specific to the version. For example, one of them is the Windows Start Menu. Windows 10 uses an XML file and Windows 11 uses a JSON file. Technically there’s no impact if you deploy those settings to either version of Windows but that might not always be the case. It’s a better idea to only target the intended version of Windows.

A way that I like to handle this is with Intune Device Filters. In this post, I’ll show you step-by-step how to create Device Filters for Windows 10 and Windows 11 in Microsoft Intune.

The Process

  • Login to Microsoft Intune admin center
  • Click on Devices
  • Click on Filters
  • Click on Create > Managed devices
  • Give your Filter a name. Like Windows 10 or Windows 11.
  • Set the Platform as Windows 10 and later

Read More Read More

Install VMware vCenter

Install VMware vCenter

VMware vCenter is a wonderful application that lets you take full advantage of your ESXi hosts. If you have more than one ESXi host you should look at vCenter. The full name of vCenter is vCenter Server Appliance or VCSA.

In this post, I will show you step-by-step how to install vCenter 8. The process is broken up into two stages. Stage 1 is the deployment on the vCenter VM and Stage 2 is the final settings to the vCenter VM.

The Process

Stage 1

  • Using a system that has access to the ESXi host you plan to use to create the vCenter VM download the vCenter ISO from VMware.
  • Mount or extract the ISO. I’m going to mount it.
  • Browse to \vcsa-ui-installer\win32 and run Installer.exe
  • Select Install

The next screen is the intro screen which lets you know that the process will be in two stages. The first stage is deploying the VM and the second stage is the final settings for the vCenter VM.

Read More Read More

HPE iLO Firmware Upgrade

HPE iLO Firmware Upgrade

HPE iLO (Hewlett Packard Enterprise Integrated Lights-Out) is a wonderful tool when your servers are remote. It’s important to keep it up to date as if not properly secured it could be a risk of compromise to your environment.

In this post, I’ll show step-by-step how to update the HPE iLO firmware on your server. This will cover iLO 5 specifically however, older versions of iLO will follow a similar process.

The Process

  • Download the latest iLO firmware from HPE.
  • Login to iLO.
  • Click on Firmware & OS Software
  • Click Update Firmware
  • Select the iLO firmware file you downloaded from HPE.

If you have a TPM you will see a warning saying CAUTION: Suspend or back up any software that uses the installed TPM or TM, or risk losing your data. Select the Confirm TPM override check box to proceed.

Double-check your OS documentation to see if there is a risk of data loss and if you should be disabling items like BitLocker first.

It’s normal to not see this if you don’t have a TPM. If all is safe then select Confirm TPM override.

Read More Read More

New Teams Desktop Shortcut

New Teams Desktop Shortcut

Microsoft has stopped deploying the original version of Microsoft Teams (now called Microsoft Teams Classic) with new Microsoft 365 apps installs. I’ve been using New Microsoft Teams for quite a while now and I honestly can’t tell the difference between the two anymore.

An issue I do have with New Teams is that it doesn’t seem to place a shortcut on the desktop. Having a desktop shortcut for Microsoft Teams is great for shared computers like meeting rooms.

In this post, I’ll show you step-by-step how to deploy a desktop shortcut for New Teams and I will show you how I figured it out as there seems to be very little documentation about this.

The Discovery

If you search around for how to make a desktop shortcut for New Teams you will find a large number of posts saying to run shell:AppsFolder and just drag the New Teams Icon to the desktop. While this process does technically work, I don’t like it. It looks ugly and always seems to use your account’s accent color as the background color.

Shortcut to New Teams via shell:AppsFolder and the normal shortcut to Teams Classic

If you look at the details of the shortcut created via the shell apps folder way, it points to the UWP ID of New Teams and thankfully not just the version. I suspect this method is perfectly fine. However, I don’t like it.

Details of the shortcut for New Teams via shell:AppsFolder method

A neat thing with UWP apps is that they sometimes have a URI (Uniform Resource Identifier) defined. When CVE-2022-30190 for the Microsoft Support Diagnostic Tool Vulnerability aka the Follina exploit was very active, one of the early mitigations was to disable the URI for ms-msdt by deleting the registry key for it which is located at HKEY_CLASSES_ROOT\ms-msdt if you go digging around in HKEY_CLASSES_ROOT there are a lot of interesting things in there like other applications that also use URIs. Such as both versions of Microsoft Teams.

Registry entries for the URIs for Teams

If you’ve used the web version of Microsoft Teams or clicked on a Teams meeting link and ended up opening it in a web browser then you’ve run into the Teams web launcher.

Read More Read More

New Teams Mass Install Script

New Teams Mass Install Script

New Teams is a UWP (Universal Windows Platform) app and that presents its own challenges when it comes to system-wide mass installs.

If you download the MSIX directly and install it, it actually tricks you into thinking it’s installed for all users but in reality, it is only installed for the user that downloaded and installed it, this is why no local admin is needed to install it.

In this post, I will show how my new Teams mass install PowerShell script works.

Microsoft has provided a way to bulk install new Teams for all users and I’ve adapted the Microsoft method to be a bit more modular and make it always current.

The official method to bulk install new Teams is to use the Teams bootstrapper and run teamsbootstrapper.exe -p which will download the latest version of the new Teams MSIX and install it for all users. This used to be the only method for deployment.

Microsoft has since updated the new Teams bootstrapper to support an offline install allowing you to specify the location of the new Teams MSIX instead of downloading it. This is done with the argument -o

Rather than just using the new Teams bootstrapper to download and install the latest version of new Teams I decided to make the script download the latest version of the new Teams MSXI as this allows for more verbosity. You could also adapt the script to use a UNC path or an alternate location instead.

The goal of the script is to always be current and to be used with various deployment methods such as RMMs.

For the toggle for new Teams to work correctly in classic Teams, you need to make sure you have a compatible version of classic Teams installed. An easy way to do that is to use my Teams Machine Wide Install update script. Doing so will make sure everyone has a version of classic Teams that allows for toggling to new Teams.

The Script

The script is only intended to be run on Windows 10 or Windows 11 systems. It is not intended to be run on Windows Servers as some versions have very different install methods for new Teams.

Read More Read More

Delete Microsoft 365 Tenant

Delete Microsoft 365 Tenant

There are various reasons why you may need to delete a Microsoft 365 tenant. The most common one I run into is after a corporate merger or acquisition. In this post, I will show step-by-step how to delete a Microsoft 365 tenant.

Prerequisites

  • All invoices are paid
  • All domains are removed other than the CompanyName.onmicrosoft.com domain name
  • All users are deleted and deleted from deleted users except for one Global Admin.
  • All App registration and Enterprise applications are deleted.
  • No Azure subscriptions.
  • All licenses are deleted and removed.

Completing all of those perquisites will take time and sometimes things are stuck but it is possible to complete all of them.

The Process

  • Login to Entra admin center
  • Click on Identity > Overview
  • Click on Manage tenants
  • Select the tenant and click Delete
  • It will check if the tenant can be deleted.

Read More Read More

Saved Browser Passwords

Saved Browser Passwords

It’s super convenient to save your passwords to your web browser but it isn’t very secure. In this post, I will show you step-by-step how to easily reveal a saved browser password.

Normally if you want to view a saved password you need to go into settings and click on it, then enter the password of the logged-in user account to view it. This isn’t always true, let me show you how to get around this.

The Process

  • Go to any website that has the login credentials saved.
  • Right-click on the password field and select inspect or just inspect the whole page.
  • Find the line for the password field this should show up as type="password"

Read More Read More

Control Microsoft 365 Group Creation

Control Microsoft 365 Group Creation

Controlling who can and can’t create Microsoft 365 groups can be a very powerful tool. In this post, I will detail step-by-step how to prevent users from creating Microsoft 365 groups unless they are members of a specific security group.

Prerequisites

  • Microsoft Entra ID P1 or P2 is needed for the users who are allowed to create groups. (The old name was Azure Active Directory Premium P1 or P2)
  • Microsoft Graph Beta Installed.

The Process

  • Login to Microsoft Entra admin center
  • Click on Groups > All Groups
  • Click on New group
  • Make sure the Group type is set to Security.
  • Give your group a name. In my example, I will use the name Group Creators.
  • Add anyone that you want to have the power to create Microsoft 365 Groups to the security group you just created.
  • Open PowerShell ISE.
  • Copy the script from Microsoft here.
  • On line 6 enter the name of the security group you just created. In my case, that group is called Group Creators.

The beginning of the script should look something like this.

Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

$GroupName = "Group Creators"
$AllowGroupCreation = "False"

$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
Code language: PowerShell (powershell)

Read More Read More

VMware Tools on Windows Server Core

VMware Tools on Windows Server Core

I’m a fan of using Microsoft Windows Server Core for as many things as possible when it makes sense. In this post, I’ll cover step-by-step how to install VMware Tools on Windows Server Core via the GUI and PowerShell.

The GUI Way

  • From ESXi or vCenter mount VMware tools to the VM.
  • Login to the Windows Server Core VM.
  • Change to the D drive (or whichever drive your disk drive is on your install)
  • Enter the following command to being the install .\setup64.exe

Sometimes the VMware tools install screen hides behind the command line window.

  • Click Next
  • Select Typical and click Next.
  • Click Install.

Read More Read More

Policy Based Forwarding

Policy Based Forwarding

I needed to route an FQDN (Fully Qualified Domain Name) down an IPSEC VPN tunnel but couldn’t because it was an external address and the IP is dynamic so I wasn’t able to just make a static route to force it down the IPSEC VPN tunnel. To solve this I discovered something called policy based forwarding.

In this post, I will explain the setup and the reason for why I used policy-based forwarding to solve my problem and I will show step-by-step how to do all of this with a Palo Alto Networks firewall.

The Background

For the setup, Palo Alto Networks firewalls are being used. There are two sites the Head Office and the Data Center. There is an IPSEC VPN tunnel between both sites. The Data Center firewall also has various vendor IPSEC VPN tunnels.

The Head Office firewall has its own internet connection as does the Data Center firewall. The Head Office firewall is configured with static routes to only send traffic for the Data Center down the Data Center IPSEC tunnel. All other traffic goes out the Head Office WAN.

Configuring it this way allows for a very simple and basic SD-WAN type configuration, only essential traffic is sent down the Data Center IPSEC VPN tunnel freeing up the IPSEC tunnel from normal internet traffic that does not need to be routed to the Data Center.

The Problem

There are two vendors we’ll call them Vendor1 and Vendor2. Both of them have an Oracle database that users at the Head Office site need to connect to.

Vendor1 has an IPSEC VPN tunnel from the Data Center firewall to the firewall at Vendor1. The Oracle database on their end is on a private IP. All traffic from the Data Center to Vendor1 is NATed behind a specific IP. Vendor1 only allows connections that are from that NATed IP over the IPSEC VPN tunnel.

Vendor2 won’t set up an IPSEC VPN tunnel. The Oracle database for Vendor2 is an FQDN we’ll say that the FQDN is Oracle.Vendor2.com the resolving IP of that FQDN can and will change without notice. The only way users can connect to the Oracle database at Vendor2 is for Vendor2 to add the WAN IP to an allowed list on their side. This process is slow and doesn’t scale well. To help with this we can have Vendor2 add a specific WAN IP to their allow list that we can NAT our traffic to them behind.

Now this works for the most part when you tunnel all traffic from the Head Office to the Data Center firewall. The problem with this solution is that it can be very costly as you may need an E-Line/MPLS/VPLS connection back to the Data Center and depending on the location they can be very expensive. If the Head Office moves to a new physical location coordinating an E-Line/MPLS/VPLS move is not always the quickest option. Ideally, we want a solution that allows for flexibility.

Yes, you could IPSEC tunnel all the Head Office traffic back to the Data Center but why? Why would you want Microsoft 365 traffic and other normal internet traffic going down your Data Center IPSEC tunnel? This just adds unnecessary overhead and can cause slowness, especially today as so many applications are web-based.

The overarching problem in all of this is how to scale it without needing to reach out to the vendors to add a new IP to the allow list or to build a new IPSEC VPN tunnel.

The Solutions

The solution for Vendor1 is simple because it’s a private IP. We can just add a static route on the Head Office firewall telling it to go down the Data Center IPSEC VPN tunnel and out the Vendor1 IPSEC tunnel from the Data Center.

Read More Read More