Microsoft Configuration Manager Backup

Microsoft Configuration Manager Backup

Backups are a good thing to have. Within Microsoft Configuration Manager you can set up a backup maintenance task, but what if you need to run a backup on demand how do you do that?

Microsoft Configuration Manager (ConfigMgr) has had a few names the longest-standing name was SCCM (System Center Configuration Manager) it also used to go by the name SMS (Systems Management Server) you will still find references to SMS even on the current version of ConfigMgr. For simplicity, I’m going to refer to it as ConfigMgr.

In this post, I will detail step-by-step how to configure backups for ConfigMgr and how to run an on-demand backup of ConfigMgr.

Configuring Backup Task

  • Open Configuration Manager Console
  • Click on Administration
  • Click on Site Configuration > Sites

Read More Read More

Swap Microsoft 365 Licenses with Microsoft Graph

Swap Microsoft 365 Licenses with Microsoft Graph

A few years ago I wrote a post about how to Swap Office 365 Licenses. Microsoft has deprecated the cmdlets that were used in that post specifically Set-MsolUserLicense and has replaced them with Microsoft Graph cmdlets specifically Set-MgUserLicense.

In this post, I will show step-by-step how to swap Microsoft 365 licenses using Microsoft Graph and PowerShell.

Prerequisites

The Process

We need a few more permissions than the default permissions for Microsoft Graph.

  • Run the following command to connect Microsoft Graph to your Microsoft 365 tenant with the necessary permissions Connect-MgGraph -Scopes User.ReadWrite.All, Organization.Read.All

Now let’s find out what SKUs we have to work with.

  • Run the following command to get the list of SKUs in your Microsoft 365 tenant Get-MgSubscribedSku -All | select SkuPartNumber

If you aren’t sure what product the SKU correlates to Microsoft has made a decoder ring, you can find that here.

Now for the license swap part, I’ve created a PowerShell script to do it.

Read More Read More

Windows Verbose Status

Windows Verbose Status

By default, Windows servers display lots of details when you logon to them and rarely leave you wondering what it’s doing. A while back I ran into an issue that was causing 15 minute login times when a user would log in to the computer for the first time. This was particularly a problem with shared systems like meeting room computers as many users may have never logged into that computer before. The problem scales with the more meeting rooms you have and the more users you have, and typically people are rushing for meetings and don’t have time to wait for a long Windows login process.

From the user’s perspective, it looks like the computer would just sit at Welcome for 15 minutes. Yes, you can go dig into the event logs and see what’s causing that or you could make it so the computer can output what it’s doing, making it so the users can provide you with more useful information.

To do this you need to enable verbose statuses. This is enabled by default on Windows servers but not regular Windows devices. When a regular Windows device logins in and sits at the Welcome message it is doing stuff but not telling you what it’s doing.

In this post, I will detail step-by-step how to enable the Windows verbose login status with a GPO or Intune.

The Process

GPO

  • Make a new GPO
  • Go to Computer Configuration > Policies > Administrative Templates > System
  • Set Display highly detailed status messages to Enabled.
  • Link the GPO to the OU of the devices you want to enable Verbose Status on.

Intune

  • Login to Microsoft Intune admin center.
  • Click on Devices
  • Click on Configuration profiles

Read More Read More

Microsoft 365 Setup Microsoft Graph PowerShell SDK

Microsoft 365 Setup Microsoft Graph PowerShell SDK

Microsoft has been warning about the deprecation of the MS Online and Azure AD PowerShell cmdlets for a while now; the end date is fast approaching, and some of the commands have stopped working. You can read the Microsoft post about the deprecation here.

Microsoft Graph is becoming a day-to-day reality and a tool we’ll need to use to manage items in Microsoft 365 with PowerShell.

In this post, I’ll cover step-by-step how to setup the Microsoft Graph PowerShell SDK to connect to a Microsoft 365 tenant and show how it works and how to secure it.

Installing

To get started with Microsoft Graph we first need to install it.

  • Open PowerShell as Admin
  • Install Microsoft Graph PowerShell SDK by running the command Install-Module Microsoft.Graph

Connecting

Now that the Microsoft Graph is installed we can connect to a Microsoft 365 tenant.

  • Run the following PowerShell command to connect to a Microsoft 365 tenant Connect-MgGraph
  • Login with a Global Admin account.

You will now see a screen that lists the permissions that Microsoft Graph needs to function.

Microsoft Graph permissions
  • Select Consent on behalf of your organization and click Accept

It is normal that the Microsoft Graph Command Line Tools shows up as unverified, there is a long-standing issue on GitHub about it. You can read more about Issue #482 on GitHub.

Now you are connected to the Microsoft 365 tenant and can run Microsoft Graph cmdlets.

How it works

I got curious about why the application permissions are needed and what is happening. Here’s what I found out.

When you click Accept it creates an enterprise application in Microsoft Entra ID (Azure AD) named Microsoft Graph Command Line Tools and has an Application ID of 14d82eec-204b-4c2f-b7e8-296a70dab67e and grants the app delegate permission to the permissions that were listed. By selecting Consent on behalf of your organization allows the app to not have to ask for the permissions every time you use it.

Read More Read More

Windows Search Box Company Branding

Windows Search Box Company Branding

A while back I saw someone’s computer that had a company logo in the Windows taskbar; it looked super slick. I wanted to duplicate the same thing in my setup.

The documentation on what causes a company logo to show up in the search box in the Windows taskbar and the Windows start menu is kind of lacking however, after playing around I figured it out. It’s the custom default theme in Microsoft 365 that will cause the organization logo to show up on Windows devices connected to a Microsoft 365 tenant be it joined or just registered devices.

Before and after adding the company logo branding

In this post, I will show step-by-step how to add a custom default theme to your Microsoft 365 tenant that will also apply to the search box in the taskbar of Windows devices. This works on Windows 10 and Windows 11.

The Process

  • Login to the Microsoft 365 admin center
  • Click on Settings > Org settings
  • Click Organization profile

Read More Read More

Microsoft 365 Enable DKIM

Microsoft 365 Enable DKIM

DKIM (DomainKeys Identified Mail) is a way to help validate the authenticity of the emails you send.

DKIM adds a signature to your email by using a private key and a public key. Your public key is your DKIM DNS record and only your email server knows your private key. When you have DKIM setup every email you send gets signed with DKIM.

A DKIM signature is built from the hashed values of some of the email headers, one of which is the hash of the email body itself. With the hashed value of the email headers, DKIM encrypts it by using a private key and a public key and adds the encrypted result to the email as a DKIM header signature. This is similar to how PGP works. If you want to know more about PGP you can read more in my post about PGP.

When the recipient receives an email that was signed with DKIM, the recipient’s email server can validate that the email hasn’t been tampered with by decrypting the DKIM header signature using the sender’s public key. If the message was altered the DKIM header signature wouldn’t exist or the decrypted result wouldn’t match.

In this post, I will detail step-by-step how to enable DKIM on a Microsoft 365 tenant by using the GUI and PowerShell.

GUI Way

  • Login to Microsoft 365 admin center
  • Click on Security
  • Click on Policies & rules
  • Click on Threat policies

Read More Read More

VMware Horizon Enable Copy Paste

VMware Horizon Enable Copy Paste

I’m a big fan of using copy paste as it helps me reduce typos and allows me to paste links or other information quickly between systems. Previously I wrote a post that covers how to enable copy paste with VMRC (VMware Remote Console) however that’s not super useful for the users that are using Omnissa Horizon (formerly VMware Horizon). If you want to know how to enable copy paste with VMRC you can read my post about it called VMware Copy Paste Enabler.

The default configuration of VMware Horizon is that copy paste only works in one direction. You can paste items into VMware Horizon but you can’t copy items out, from an end-user perspective they may report that as broken. Thankfully there’s an easy way to enable full copy paste in both directions in Omnissa Horizon.

In this post, I will detail step-by-step how to enable copy paste in both directions in VMware Horizon.

Perquisites

  • Have the Horizon GPO templates deployed to your Central Store.

Here’s how to deploy the VMware Horizon GPO Templates.

The Process

  • Create a new GPO.
  • Go to Computer Configuration > Policies > Administrative Templates > VMware View Agent Configuration > Clipboard Redirection

Read More Read More

PGP

PGP

PGP (Pretty Good Privacy) has been around for a long time. PGP is a system that allows you to encrypt a message using a key pair. A key pair consists of a public key and a private key. The public and private key pair are created at the same time and are permanently linked; one can not work without the other.

The basics of PGP are that the private key has a passphrase on it that only the creator knows. When you encrypt a message with PGP you encrypt it with your private key and a public key you specify, be that your public key or someone else’s public key. This makes it so the PGP encrypted message can only be decrypted using the public key you specified.

Here is a step-by-step example of using PGP.

Setup

For this example I will use an online PGP Tool.

First we need to generate our key pair to get our public and private key.

  • Fill in the options and click Generate keys
PGP key pair options
  • Download the public and private key.
My example public and private keys

Below is my full PGP public key for this example.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Keybase OpenPGP v2.0.76
Comment: https://keybase.io/crypto

xo0EZSHBoAEEAOgwPyzB0SK3qTcMm4qAdPy5v3uB+pEydKIypNMW+aDPc4ybYAYy
lPgKXmLqAEFE7QkE6zkvOJwUAoqZLOHinAD41f66pxZfEGCcdfPF5X7PPJHyr5/y
znNZLs28O54yZ2lLbsecTR+znyADMK3oebSDnuiJURlqC8L0Y8xekwm9ABEBAAHN
GW15IG5hbWUgPGVtYWlsQGdtYWlsLmNvbT7CugQTAQoAJAUCZSHBoAIbLwMLCQcD
FQoIAh4BAheAAxYCAQIZAQUJAAAAAAAKCRAZDnvqP9lqifE8A/4ytKWOSQJLSVzY
p2K0gtSLmFOfgD+kaMQ+CdtUEBbU/V6UoMu8w1/eRS9XMX4eDTY5n+paT0r6+Vis
ej9tFhTR1O0iZ+6Bose/MBIiSElZrw38rqmlh3tJd7iL1J3/THTM58+hjj2Ld4QZ
oomr1U4ORvLRF8vUNpTlxrOKRcyiz86NBGUhwaABBADiTMFd/AcihKHreVmHpxxW
buZHdtyj7sk6j7eEWAv40LnnhtZWASiW0BR07DRQzFMQmOrHaSqwdI5Ey/B/XBIl
el5+fIp/9/wEuAL7i3/fc8ugGJoEMuW4NLSNLjzHHasd8b9QT4mxD/F96JLx1ewF
masTU56csW2UqJnrUA5LTwARAQABwsCDBBgBCgAPBQJlIcGgBQkAAAAAAhsuAKgJ
EBkOe+o/2WqJnSAEGQEKAAYFAmUhwaAACgkQ0I8cDT2aUH6QjgQAikUt4cpoaGMO
ZmuqKytMDNk8WNbcCNjuMvJFEWa5UrSlhPv//7TP/8d7fxVeQzMn1I/Z4xmbtoz9
Yg6B0opMD0BV/FO1HOkYZ+9s1CqCQTy5frKrFppf1EC176FunBXAZtenUzBpCDxb
80SVarDHo6JFF9pkuf1b6Yixp7VGzaU2DAQAvfofR3/dZ15B0eLp1kVfq49b/9uj
g/yJjG8/86xUMTh6IoHEWuWOedVo3PHiAObYTNkv8IDWxLKBJDZcDE8STpF1kWO7
lVBP2JM2VSyUPqbH/A78Its00DiEeDH1n9PyTta2SJHrRPpneTUzuCQns6KarEfn
8bxBYJMxYAyf1SXOjQRlIcGgAQQAv1rfDxtbuhBzRtzrIYC8w9O5SH34HNDiZi9d
Zdhryku358l8sQhnSnQgeHO4v0s3yk1mdCFLNBZmeBgZ0UgDH0Kw+P1S96Qj6RKs
H26e0PkUgSTtfx2KpNx/QuYLRYJJtsULyTWmT8jUvapjcNggb8rhrAtmXDwrBD0g
EK1ZkoEAEQEAAcLAgwQYAQoADwUCZSHBoAUJAAAAAAIbLgCoCRAZDnvqP9lqiZ0g
BBkBCgAGBQJlIcGgAAoJEE4F+cdvR1VK9mED/0AvioatNTUcTQyuZ6d5+/ZRRiQL
3Oxtxbn9TmHmSO8F7h7qujsTNLz17D7bPUl4V7+spWpP30sjSYu7EzFJdv0VnEUZ
c7NcGlMM3krDbgK0QnV6iX65iQ1mWFlnatXl0OVzaTYHhZZ5EAimz2HbHSeW7PTW
I/X/WfruK6LfrObQBpgD/1l20D/5yPmp7hc/CxHYQewhhg6XsO+NoE2clpyRmPg+
dqFqwMQ31gLF0z5Ob9OOnzH+dB9W7r/T5whG/VKuJMctF7URCvWJn0DA/aRs0px5
5v0gvzo6TJekLPqfajK2TRqk8ZQdZ5iM+GIYLjnstooYVJ40Hl5B9N7m6ZPBvpiv
=vnvb
-----END PGP PUBLIC KEY BLOCK-----
Code language: plaintext (plaintext)

Encrypting

Now lets encrypt a message.

Read More Read More

Log PuTTY Output

Log PuTTY Output

I use PuTTY a lot and sometimes I want to log my changes as I make them or I want a quick and dirty way to get a config file off a device. In this post, I will show step-by-step how to log the PuTTY output to a log file.

  • Open PuTTY
  • Click on Session > Logging
Selecting Logging
  • Select Printable output
Selecting Printable output
  • Select the location where you want the log file to be saved. I’m going to save mine in C:\temp
Set the save location for the log file

Read More Read More

Intune Deploy Default Taskbar

Intune Deploy Default Taskbar

Update

The process detailed below works perfectly on Windows 11 however, on Windows 10 the process below will lock the Start Menu layout preventing users from being able to pin anything to the Windows 10 Start Menu or change anything in the Start Menu. The process to fix this is to also deploy a default Windows 10 Start Menu the process for the fix is detailed in my post Intune Deploy Windows 10 Default Start Menu.

Deploying the same taskbar to all users is a very nice quality of life improvement, as it can help eliminate the problems of users using Windows Mail instead of the already installed Microsoft Outlook.

I opted to deploy a standard default taskbar using Microsoft Intune as Microsoft Office is a required application on all Intune systems in my setup so I didn’t need to worry about a system trying to pin Microsoft Outlook when it wasn’t installed.

In this post, I’ll show you step-by-step how to create the taskbar XML file and how to deploy it to Windows 10 and Windows 11 using Microsoft Intune.

Create the XML

<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <CustomTaskbarLayoutCollection>
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
 </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
Code language: HTML, XML (xml)

We will need to make some changes as it isn’t perfect. We will start by telling Windows to unpin all the default pinned apps.

  • To remove all the default pinned apps we need to change <CustomTaskbarLayoutCollection> to be   <CustomTaskbarLayoutCollection PinListPlacement="Replace">

Even though we configure the taskbar XML to replace the default pinned apps this has no impact on the apps the user has pinned, it may move the items to the start of the taskbar if they have them pinned further down but that’s it.

Now we can start adding the pinned apps we want. I like to have Edge, File Explorer, and Outlook pinned.

Read More Read More