Latest posts

Omnissa Horizon Term License Expiry

There’s not a lot of information about what happens when an Omnissa Horizon (formerly VMware Horizon) term license expires, specifically what end users will and won’t see.

In this post, I will detail what happens when an Omnissa Horizon Term License expires and the messaging that administrators and end users will see.

Starting with Omnissa Horizon 8 release 2111, all term licenses have a 30-day grace period. During the grace period, everything works normally.

Administrator Messaging

During the 30-day grace period, the Horizon Administrator Console presents an orange banner message to administrators. The message says, “Your license has expired and your service may be disrupted as a result. To renew, contact your sales representative.”

Messaging to administrators when Horizon is expired and the grace period is active

Things become disruptive after the 30-day grace period, as end users can no longer use Horizon.

The orange banner message in the Horizon Administrator Console changes to red and now says, “Your license has expired and your service has been disrupted. To renew, contact your sales representative.”

If you browse to Settings > Product Licensing and Usage in the Horizon Administrator Console, you will see that the license has been removed.

Messaging to administrators when Horizon is fully expired

End User Messaging

During the grace period, end users see no indication that the Horizon license has expired and is in the 30-day grace period. After the 30-day grace period ends, end users start seeing messages after they log in that Horizon has expired and can’t be used. The exact wording differs slightly depending on which Horizon client they are using.

Palo Alto Device Certificate

Palo Alto Networks firewalls often require a device certificate. A device certificate is needed for items like device telemetry and for some of the CDSS (Cloud-Delivered Security Services) items, such as WildFire, DNS and URL filtering, and others.

In this post, I show you step-by-step how to check if a device certificate is installed and how to install a device certificate on a Palo Alto Networks firewall.

Before we proceed with installing the device certificate, we should double-check whether the firewall already has one.

Checking Device Certificate

  • Log in to the Palo Alto Networks Firewall

CLI

  • To check if a device certificate is installed, run the following command: show device-certificate status

If the result is No device certificate found, move ahead with installing the device certificate.

GUI

  • Click on Dashboard
  • The General Information widget will display the Device Certificate Status.

With the GUI, you can also check if a device certificate exists in another place.

  • Click on the Device tab.
  • Click on Setup.
  • The Management tab will have a widget about the Device Certificate.

If there is no device certificate installed, we can move ahead with installing the device certificate.
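The two checks above are per firewall. The following is an added example (not part of the original post) that runs the same status check across a list of firewalls through the PAN-OS XML API, which is how you would inventory device-certificate status before a CDSS rollout. Assumptions: an API key has already been generated (type=keygen), the hostnames are placeholders, and the XML form of the CLI command, <show><device-certificate><status/></device-certificate></show>, is derived from the CLI syntax rather than taken from the post; confirm it on your own firewall (for example with "debug cli on") before relying on it.

```powershell
# Added example, not from the original post: fleet-wide device-certificate status check.
# Assumes: API key already generated, placeholder hostnames, and the XML op command below
# (derived from the CLI syntax "show device-certificate status"; verify on your firewall).

$firewalls = @('fw-branch01.example.com', 'fw-branch02.example.com')   # placeholders
$apiKey    = Read-Host -Prompt 'PAN-OS API key' -AsSecureString
$plainKey  = [System.Net.NetworkCredential]::new('', $apiKey).Password

# Assumed XML equivalent of: show device-certificate status
$cmd = '<show><device-certificate><status/></device-certificate></show>'

foreach ($fw in $firewalls) {
    $uri = "https://$fw/api/?type=op&cmd=$([uri]::EscapeDataString($cmd))"
    try {
        # Send the key in the X-PAN-KEY header rather than the query string so it is not
        # written into proxy or web-server logs. Invoke-RestMethod parses the XML reply.
        [xml]$resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'X-PAN-KEY' = $plainKey }
        $text  = $resp.response.result.InnerText
        # The post documents the "No device certificate found" result for a missing cert.
        $state = if ($text -match 'No device certificate found') { 'MISSING' } else { 'present' }
        [pscustomobject]@{ Firewall = $fw; DeviceCert = $state; Raw = ($text -replace '\s+', ' ').Trim() }
    } catch {
        [pscustomobject]@{ Firewall = $fw; DeviceCert = 'ERROR'; Raw = $_.Exception.Message }
    }
}
```

Firewalls still using the default self-signed management certificate will fail the TLS check; either trust your management certificate or, on PowerShell 7, add -SkipCertificateCheck to Invoke-RestMethod for the inventory run only.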

Installing Device Certificate

  • Log in to the Palo Alto Networks Customer Support Portal.
  • Click on Products > Device Certificates.
  • Under the One Time Password section, click on Generate OTP.

Entra ID External Authentication Methods with Duo

Microsoft recently introduced the public preview of External Authentication Methods in Microsoft Entra ID. I am very excited about External Authentication Methods as they finally allow third-party MFA providers like Cisco Duo to integrate better with Microsoft Entra ID (formerly Microsoft Azure AD).

Microsoft has supported third-party MFA providers for years. The original method for adding external MFA providers is Custom Controls, which was introduced in 2017 as a public preview.

As MFA grew in necessity, the limitations of Custom Controls became apparent. In 2020, Microsoft announced that Custom Controls would not leave public preview but a new solution that addressed its limitations would be created. In May of 2024, the replacement solution External Authentication Methods (EAM) was released as a public preview.

EAM addresses the limitations of Custom Controls, such as satisfying the Multifactor authentication requirement in a conditional access policy rather than relying on a custom control. EAM is a big deal because, with Custom Controls, the Entra sign-in logs record the sign-in as single-factor authentication even though MFA was performed. I suspect this is because Microsoft has no way of validating whether MFA was completed or not.

Here’s an example of the Entra ID Sign-in logs with Duo using a Custom Control that reports as a Single-factor authentication.

Entra sign-in logs for Duo with custom control grant

If we drill into more details under the Basic info tab, we will still see that the login is reporting as single-factor authentication.

Sign-in log basic info for Duo when using a custom control grant

If we look at the Authentication Details tab, we will see nothing. I suspect this is because Entra has no way of knowing what happened on the Duo side of things, only that Duo said, “yup, this user is good, move along.”

Sign-in log Authentication Details when Duo uses a custom control grant

If we look at the Conditional Access tab, we finally see that Duo was applied with the custom control and that the result was a success.

Sign-in log conditional access using Duo custom control

The issue of Custom Controls reporting as single-factor authentication in the sign-in logs is resolved with EAM.
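To check this for yourself rather than clicking through each sign-in, here is an added example (not from the original post) that pulls recent sign-ins for one user with the Microsoft Graph PowerShell SDK and shows the AuthenticationRequirement value the log recorded, the authentication methods listed under Authentication Details, and the Conditional Access policies that were applied with their grant controls. It assumes the Microsoft.Graph.Reports module is installed, that you can consent to AuditLog.Read.All, and uses a placeholder UPN; the function name is mine.

```powershell
# Added example, not from the original post. Requires Microsoft.Graph.Reports and
# AuditLog.Read.All. The UPN is a placeholder.

function Get-SignInMfaRecording {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Top = 25
    )

    Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName'" -Top $Top |
        Select-Object CreatedDateTime,
            AppDisplayName,
            # 'singleFactorAuthentication' for a custom-control sign-in, 'multiFactorAuthentication'
            # once the MFA requirement is satisfied (Entra methods or EAM).
            AuthenticationRequirement,
            @{ Name = 'Methods'; Expression = {
                ($_.AuthenticationDetails | ForEach-Object { $_.AuthenticationMethod }) -join ', ' } },
            @{ Name = 'CAPolicies'; Expression = {
                ($_.AppliedConditionalAccessPolicies |
                    Where-Object { $_.Result -eq 'success' } |
                    ForEach-Object { "$($_.DisplayName) [$($_.EnforcedGrantControls -join '+')]" }) -join '; ' } }
}

$signIns = Get-SignInMfaRecording -UserPrincipalName 'user@contoso.com'   # placeholder UPN
$signIns | Format-Table -AutoSize

# Quick tally: how many recent sign-ins the logs count as MFA versus single factor.
$signIns | Group-Object AuthenticationRequirement | Select-Object Name, Count
```

With a custom-control grant you should see the pattern the screenshots show: AuthenticationRequirement is singleFactorAuthentication, Methods is empty, and the Duo policy appears under CAPolicies with its custom control. After the switch to EAM the same query is the quickest way to confirm the sign-ins now record as multiFactorAuthentication.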

Using EAM, we can now register third-party MFA solutions like Cisco Duo directly as an MFA option under Microsoft Entra Authentication methods, which lets us use the MFA grant in a conditional access policy instead of a custom control. This also allows more granular control over the accepted forms of MFA, such as allowing Windows Hello as well as Duo to satisfy the MFA requirement.

External Authentication Methods is currently in preview. However, everything seems to be working correctly in my testing.

In this post, I will show you step-by-step how to set up Cisco Duo with External Authentication Methods in Microsoft Entra ID.

The Process

Initial Setup

  • Log in to the Duo Admin console.
  • Click on Applications > Protect an Application.
  • Search for External Authentication Methods and click on Protect beside Microsoft Entra ID: External Authentication Methods.
  • Click on Authorize to start the process for Duo to create the needed Enterprise application in your Microsoft 365 tenant.

Microsoft 365 Remove Stay Signed In Option

Microsoft 365’s Stay signed in option is designed for user convenience but increases risk when used on public or non-corporately owned devices, because the persistent sign-in gives anyone who later uses that device a path to the user’s account and the resources the user can access.

The Stay signed in option presented to users

The stay signed in option, also known as KMSI (Keep Me Signed In), stores a persistent cookie on the device for around 90 days when the user selects Yes. While the cookie is valid, users see fewer prompts to log in with their Microsoft 365 account and fewer MFA prompts, which is a security risk on shared or public devices.

For corporate devices that are Microsoft Entra joined or Microsoft Entra Hybrid joined, the impact of removing the stay signed in option is minimal, as these devices already participate in Microsoft Entra SSO, which reduces the number of times users need to log in with their Microsoft 365 account when accessing Microsoft 365 web resources.

Turning off the stay signed in option in Microsoft 365 can help reduce your attack surface. This helps prevent users from accidentally selecting Yes to KMSI and can positively impact an audit or penetration test.

In this post, I will show you step-by-step how to remove the Stay signed in? option in Microsoft 365.

The Process

  • Log in to the Microsoft Entra admin center.
  • Click on Identity > Users > User settings.

Palo Alto User-ID Agent Upgrade

Palo Alto Networks has this awesome program called the User Identification Agent, aka the User-ID Agent. It maps users to the IP addresses of the devices they are logged in to, allowing you to craft security policy rules based on the users themselves rather than on addresses.

In this post, I will show you step-by-step how to upgrade the Palo Alto Networks User-ID Agent.

Prerequisites

  • Verify that the new User-ID agent version is compatible with your current PAN-OS.

The User-ID Agent is typically compatible with the same release number along with earlier still-supported PAN-OS versions. For example, User-ID agent 11.0 works with PAN-OS 11.0 and earlier. You can confirm this by reading the OS Compatibility section in the release notes.

The Process

  • Log in to the Palo Alto Networks Customer Support Portal.
  • Click on Updates.
  • Click on Software Updates.
  • Select the User Identification Agent.
  • Click on the version you need to start the download.
  • Connect to the server that is running the Palo Alto User-ID Agent.
  • Open Services.
  • Stop the User-ID Agent service.

Active Directory Schema

Active Directory is very much a database. It even has a schema to define what can and can’t be created and how everything is related and linked. An oversimplification is that the Active Directory schema is the rules about the types of items you can make in Active Directory, and this also includes the available attributes for each item.

Your schema level (or schema version) is not your domain functional level or forest functional level. The schema level doesn’t always match the domain functional level or the forest functional level.

Windows Server 2019 and Windows Server 2022 both operate at the domain and forest functional level of Windows Server 2016. Even though a server running Windows Server 2019 or Windows Server 2022 has a functional level of Windows Server 2016, its schema version is higher than Windows Server 2016.

In this post, I will show you step-by-step how to check your AD schema level using the GUI or PowerShell and how to translate the output to the corresponding Windows Server version.

GUI Way

  • Open ADSI Edit.
  • Click on Action > Connect to…
  • In the Connection Point section, click on Select a well known Naming Context option and select Schema.
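As an added example (not the post’s own steps), the same check done in PowerShell: read objectVersion from the schema naming context, translate it to the Windows Server release that introduced that schema, and print the forest and domain functional levels next to it so the difference the post describes is visible in one place. It needs the ActiveDirectory module (RSAT) on a domain-joined machine; the function name is mine, and the version table is Microsoft’s published objectVersion list (2019 and 2022 share 88).

```powershell
# Added example, not from the original post. Requires the ActiveDirectory (RSAT) module.

function Get-ADSchemaVersion {
    [CmdletBinding()]
    param([string]$Server)   # optional: a specific DC, otherwise the default discovery is used

    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $rootDse = Get-ADRootDSE @common
    # objectVersion on the schema container is the "schema level" the post talks about.
    $schema  = Get-ADObject @common -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $version = [int]$schema.objectVersion

    # objectVersion -> first Windows Server release shipping that schema (Microsoft's published table).
    # 2019 and 2022 both use 88 even though their maximum functional level is Windows Server 2016.
    $map = @{
        13 = 'Windows 2000 Server'
        30 = 'Windows Server 2003'
        31 = 'Windows Server 2003 R2'
        44 = 'Windows Server 2008'
        47 = 'Windows Server 2008 R2'
        56 = 'Windows Server 2012'
        69 = 'Windows Server 2012 R2'
        87 = 'Windows Server 2016'
        88 = 'Windows Server 2019 / 2022'
        91 = 'Windows Server 2025'
    }
    $release = if ($map.ContainsKey($version)) { $map[$version] } else { "unknown (objectVersion $version)" }

    [pscustomobject]@{
        SchemaNamingContext   = $rootDse.schemaNamingContext
        ObjectVersion         = $version
        SchemaRelease         = $release
        ForestFunctionalLevel = (Get-ADForest @common).ForestMode
        DomainFunctionalLevel = (Get-ADDomain @common).DomainMode
    }
}

Get-ADSchemaVersion
```

On a forest whose DCs run Windows Server 2022 at the 2016 functional level, ObjectVersion reports 88 while both functional levels report Windows2016Forest and Windows2016Domain, which is exactly the mismatch the post warns about.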

OneDrive Shortcuts

A while back, Microsoft added a feature to SharePoint Online called Add shortcut to OneDrive. This feature adds a shortcut to the file or folder in another SharePoint site directly in your OneDrive. The Add shortcut to OneDrive feature is on by default.

Depending on your setup, you may want to turn the Add shortcut to OneDrive option on or off for your SharePoint sites.

Enabling or disabling the Add shortcut to OneDrive setting isn’t a per-site option; it is a tenant-wide option. If you turn it off, it won’t break any existing OneDrive shortcuts; it only prevents the creation of new ones.

In this post, I will show you step-by-step how to check the status of the Add shortcut to OneDrive feature and how to turn it off or on.

Prerequisites

The Process

  • Connect to SharePoint Online using the Connect-SPOService command with the URL for your SharePoint admin center.

The command should look something like this Connect-SPOService -Url https://contoso-admin.sharepoint.com

  • Run the following command to check the status of the Add shortcut to OneDrive feature: Get-SPOTenant | format-list DisableAddShortCutsToOneDrive

Add shortcut to OneDrive feature status

If the returned value is False, then OneDrive shortcuts can be created. If the returned value is True, then OneDrive shortcuts cannot be created.
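The following is an added example (not the post’s own commands) that wraps the check above in a function and adds the matching Set-SPOTenant call to turn the feature off or back on, with a confirmation prompt and an idempotency check so it does nothing when the tenant is already in the requested state. The admin-center URL is a placeholder and the function name is mine; it needs the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator account.

```powershell
# Added example, not from the original post. Requires Microsoft.Online.SharePoint.PowerShell.

function Set-OneDriveShortcutFeature {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AdminUrl,                         # e.g. https://contoso-admin.sharepoint.com (placeholder)
        [ValidateSet('Report', 'Disable', 'Enable')][string]$Action = 'Report'
    )

    Connect-SPOService -Url $AdminUrl

    # True means shortcuts are blocked; False means users can still create them.
    $before = (Get-SPOTenant).DisableAddShortcutsToOneDrive
    $state  = if ($before) { 'OFF (DisableAddShortcutsToOneDrive = True)' } else { 'ON (DisableAddShortcutsToOneDrive = False)' }
    Write-Host "Add shortcut to OneDrive is currently $state"

    if ($Action -eq 'Report') { return }

    $wantDisabled = ($Action -eq 'Disable')
    if ($wantDisabled -eq $before) {
        Write-Host 'Tenant is already in the requested state; nothing changed.'
        return
    }

    # -WhatIf / -Confirm are honoured here because of SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($AdminUrl, "Set DisableAddShortcutsToOneDrive to $wantDisabled")) {
        Set-SPOTenant -DisableAddShortcutsToOneDrive $wantDisabled
        $after = (Get-SPOTenant).DisableAddShortcutsToOneDrive
        Write-Host "DisableAddShortcutsToOneDrive is now $after"
    }
}

# Usage: report only, then turn the feature off with a confirmation prompt.
Set-OneDriveShortcutFeature -AdminUrl 'https://contoso-admin.sharepoint.com'
Set-OneDriveShortcutFeature -AdminUrl 'https://contoso-admin.sharepoint.com' -Action Disable -Confirm
```

Because the setting is tenant-wide, run it with -WhatIf first in a production tenant; existing shortcuts keep working either way, as the post notes.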

VMware vCenter Reduced Downtime Upgrade with Automatic Switchover

VMware vCenter Reduced Downtime Upgrade (or Update), RDU for short, is a relatively new feature that allows you to update your vCenter to the next version with limited downtime, just as the name indicates. It works similarly to the process for upgrading from vCenter 7 to vCenter 8, which in turn is very similar to doing a fresh install of VMware vCenter.

In October 2021, VMware introduced the vCenter Reduced Downtime Upgrade feature. However, the feature was not available for on-premises vCenters. In September 2023, vSphere 8 Update 2 introduced the feature for on-premises vCenters. With the release of vSphere 8 Update 3 in June 2024, more features have been added, including one called automatic switchover, allowing the whole process to be even more seamless.

The magic that makes vCenter RDU work is the vCenter installer ISO. When you mount the ISO to your existing vCenter, the RDU process will create a new upgraded vCenter VM. Once that part is completed, it will transfer the settings from your current vCenter to the newly upgraded vCenter VM and cut you over. This process reduces the time that VMware vCenter is down and can also reduce some risks of in-place upgrades.

My blog post, Install VCSA Updates, covers the traditional method of upgrading VMware vCenter in-place.

In this post, I will show you step-by-step how to upgrade VMware vCenter using the Reduced Downtime Upgrade with Automatic Switchover.

Prerequisites

  • Backup of vCenter.
  • VMware vCenter ISO.
  • Temporary IP for the new upgraded vCenter VM.
  • Temporary root password for the new upgraded vCenter VM.

The Process

  • Upload the VMware vCenter Server Appliance ISO to a datastore in vCenter.
  • Attach the VCSA ISO to your current vCenter VM.
  • Click on your vCenter and select the Updates tab.
  • Under the vCenter Server section, click on Upgrade.
  • The process will check and confirm that your upgrade path is supported. If all is good, click Next.

In my example, I am upgrading from vCenter 8 Update 2b to vCenter 8 Update 3.

  • Confirm that you have a backup and click Next.
  • Click on Upgrade Plug-in to upgrade the vCenter Server Lifecycle Manager plug-in.

I’m Going to VMware Explore

I am very excited about VMware Explore this year, as it will be my first time at VMware Explore and the first large tech conference I’ve attended in person.

VMware Explore is a conference about VMware products that VMware (technically Broadcom now) organizes. It used to be known as VMworld, but in 2022, it was renamed VMware Explore. VMware Explore usually takes place in Las Vegas and Barcelona.

The VMware Explore event that I am attending takes place from August 26th to August 29th in Las Vegas. What’s really cool about VMware Explore is that it covers a wide range of topics, from entry-level to very technical. One of the items at VMware Explore that I’m excited about is the hands-on labs, which will allow me to play with some of the VMware products I’ve only read about.

I’m eager to learn more about VMware Cloud Foundation, Tanzu Kubernetes, NSX, and so much more. I’m also very excited to network with other like-minded people and nerd out about all the technical things. I will also be able to meet other vExperts with whom I’ve only spoken with online.

There are over 400 sessions at VMware Explore, and here are a few of the sessions I plan on attending.

vCenter ESXi Config Backup Script

When using VMware vCenter, you may only occasionally need a configuration backup of each VMware ESXi host. However, there are some situations where having a config backup of each ESXi host is nice to have.

I didn’t want to back up each ESXi host manually, as it doesn’t scale well. Instead, I created a PowerShell script called vCenter ESXi Config Backup to do everything for me.

You can find the script on my GitHub. https://github.com/thedxt/VMware#vcenter-esxi-config-backup

Prerequisites

How It Works

The vCenter ESXi config backup script connects to VMware vCenter, uses vCenter to connect to each ESXi host, and takes a configuration backup for each host. Because the script uses vCenter, you don’t need to enable SSH on any of the ESXi hosts for the backup to work.

By default, the vCenter ESXi config backup script assumes you are not connected to vCenter and will prompt you to connect to vCenter. You can suppress this behavior if you are already connected to vCenter by setting the optional parameter named connected to the value of Yes.

The script checks to see if the backup folder you defined exists. If the folder does not exist, the script will create it.

Next, the vCenter ESXi config backup script enumerates all of the ESXi hosts in vCenter, it connects to each one and takes a configuration backup. The script outputs the backup into the folder you defined.
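As an added example, here is a minimal PowerCLI implementation of the flow just described. It is not the author’s vCenter ESXi Config Backup script from GitHub, only an illustration of the same steps: optionally connect to vCenter, create the backup folder if it is missing, enumerate the hosts, and pull each host’s configuration bundle through vCenter with Get-VMHostFirmware -BackupConfiguration, which is why SSH on the hosts is not required. It assumes VMware.PowerCLI is installed and that the account has the Host.Configuration.Firmware permission; the function name, parameter names, server name and folder are placeholders.

```powershell
# Added example, not the author's script. Requires VMware.PowerCLI.

function Backup-ESXiConfigViaVCenter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VCenter,
        [Parameter(Mandatory)][string]$BackupFolder,
        [ValidateSet('Yes', 'No')][string]$Connected = 'No'   # 'Yes' = reuse an existing PowerCLI session
    )

    if ($Connected -eq 'No') {
        # Prompt for credentials rather than embedding them in the script.
        Connect-VIServer -Server $VCenter -Credential (Get-Credential -Message "vCenter $VCenter") | Out-Null
    }

    # One dated subfolder per run; created if it does not exist.
    $dest = Join-Path $BackupFolder (Get-Date -Format 'yyyy-MM-dd')
    if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }

    $results = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
        try {
            # The backup is requested through vCenter's host-management channel, so the
            # host's SSH service can stay disabled. The bundle lands in $dest.
            Get-VMHostFirmware -VMHost $vmhost -BackupConfiguration -DestinationPath $dest | Out-Null
            [pscustomobject]@{ Host = $vmhost.Name; Status = 'ok' }
        } catch {
            [pscustomobject]@{ Host = $vmhost.Name; Status = "failed: $($_.Exception.Message)" }
        }
    }

    $results | Format-Table -AutoSize
    Write-Host "Bundles written to $dest :"
    Get-ChildItem -Path $dest | Select-Object Name, Length, LastWriteTime
}

# Usage (placeholders): prompt for vCenter credentials and back up every host.
Backup-ESXiConfigViaVCenter -VCenter 'vcenter.example.com' -BackupFolder 'D:\ESXiConfigBackups'
```

The try/catch keeps one host in maintenance or a transient error from aborting the run for the rest of the cluster, and the per-run folder makes it easy to age out old bundles with a scheduled task.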