Latest posts

Cloudflare Access IdP with Entra ID

Cloudflare Access is a wonderful tool that can add MFA (Multi-Factor Authentication) to applications that don’t support it.

I’ve previously covered Setting Up Cloudflare Access using email OTP (One-time PIN). What I didn’t cover in that post was how to set up Cloudflare Access with an IdP (Identity Provider).

In this post, I will show step-by-step how to set up Cloudflare Access to use Microsoft Entra ID (formerly Microsoft Azure Active Directory) as the IdP and use Microsoft 365 SSO (Single sign-on) to make everything very transparent to the user.

Prerequisites

  • DNS for the web application in Cloudflare with Cloudflare Proxy enabled on the DNS record. (or a Cloudflare Tunnel)

The Process

  • Click on Custom Pages.
  • Make a note of your Team domain.

For this example, I will be using the team domain test.cloudflareaccess.com

Microsoft Entra ID Configuration

  • Login to Microsoft Entra admin center.
  • Click on Applications > App registrations.
  • Click on New registration.
  • Name your application. I will use the name Cloudflare Access.
  • Select Accounts in this organizational directory only (Single tenant)
  • Set the Redirect URI platform to Web.
  • Set the Redirect URI to the URL of the Team domain you noted down earlier. Add https:// to the front of it and add /cdn-cgi/access/callback to the end of it.

Palo Alto Private Data Reset with HA (Active/Passive)

Sometimes, you need to do a quick factory reset on a Palo Alto Networks firewall. If you aren’t decommissioning the firewall, a Private Data Reset can be a faster way to accomplish similar results as a factory reset and can be done via CLI directly and could technically be done remotely with some coordination.

In this post, I will show you step-by-step instructions on how to perform a private data reset on a primary Palo Alto Networks firewall in an Active/Passive High Availability Pair using the GUI and the CLI.

The Process

HA Election Settings

If the HA election settings are set to preemptive, we need to disable that.

HA Election Settings GUI

  • On the Primary firewall, click on Device.
  • Click on High Availability
  • Uncheck Preemptive (if it isn’t selected, you don’t need to do anything)
  • Commit the changes

HA Election Settings CLI

  • SSH into the Primary firewall
  • Enter the configuration mode by running the command configure
  • Run the following command to output your HA election settings show deviceconfig high-availability group election-option

If preemptive is set to yes, make a note of that (if it isn’t selected, you don’t need to do anything)

Intune Deploy Windows 10 Default Start Menu

I recently discovered that I caused an unintended side effect on Windows 10 when deploying a default taskbar for all users.

In my post Intune Deploy Default Taskbar I inadvertently introduced a bug to the Windows 10 Start Menu making it so users can’t customize anything.

The bug is that users can pin programs to the taskbar but they can’t pin anything to the Start Menu and they also can’t change anything in the Start Menu.

Can’t pin Microsoft Access to the Start Menu on Windows 10

The issue does not impact Windows 11 as the way the Windows 11 Start Menu layout uses JSON and the Windows 10 Start Menu layout uses XML, the same XML file that is used for the default taskbar.

I am happy to allow users to customize their Start Menu as much as they want but I do want a consistent user experience for all. Most users likely won’t change anything, but the ones that do want to customize their Start Menu would be blocked.

In this post, I will show you step-by-step how to fix the bug and how to deploy a partial custom Start Menu for Windows 10 using Microsoft Intune.

The Process

  • On a source system configure an application group in your start menu and pin the applications in the order you want.

The application group name will also be deployed. I named my application group Company Name for this example but you can make it whatever you want.

I don’t want the custom Start Menu application group to be very intrusive so I will use 1×1 icons for all the common Microsoft applications and I will use 2×2 icon for Company Portal as Company Portal is still new for a lot of people.

Source Windows 10 Start Menu application group
  • Export the Start Menu layout by running the following PowerShell command Export-StartLayout -UseDesktopApplicationID -path C:\temp\start-menu.xml
  • Open the Start Menu XML file as we will need to make changes to it.

Securing GlobalProtect

Out of the box, you can’t just add a Security Profile to the interface that runs GlobalProtect fortunately there’s a relatively easy way to do it with minimal impact to your existing GlobalProtect setup.

In this post, I will show you step-by-step how to secure GlobalProtect by adding protection with a Vulnerability Protection Profile or a Security Profile Group to an already existing GlobalProtect setup by using a loopback interface.

The Process

  • Log in to the Palo Alto Networks Firewall
  • Click on Objects
  • Click on Addresses
  • Add a new address for your loopback address

I will be using the address 192.168.187.2 for this example.

  • Click on Network
  • Click on Zones
  • Add a new Zone. I will be using the name GP-WAN. (This zone will be the zone allocated to the GlobalProtect loopback interface later on.)
    • Set the Type to Layer3
    • Select your Zone Protection Profile. In my case, I will use the one called Recommended_Zone_Protection
    • Select the option to Enable Packet Buffer Protection.
  • Click on Interfaces
  • Click on Loopback

Registry Check Setter

In the past, I’ve made a few one-off PowerShell scripts to set various registry settings. I find myself needing to do this more and more. I’ve always just forced my registry settings with no regard to whether the settings were already correct.

A perfect example of this is my PowerShell script to Disable Auto Windows Updates

While this method works I felt like it could be better. I decided to make a brand new script that would be less forceful and more modular and use functions and parameters.

This resulted in the creation of the PowerShell script that I call the Registry Check Setter.

The PowerShell script enables you to set multiple registry settings very easily while checking if the settings are already correct or not.

You can find the script on my GitHub https://github.com/thedxt/Registry-Check-Setter

How It Works

The script starts by checking if the registry key path exists, if the key path doesn’t exist the script considers it safe to just set the settings and sets them. If the key path does exist the script then moves on to checking if the registry value name exists.

If the registry value name is not found in the registry key path the script then creates the value with the needed setting and exists. If the registry value name exists the script then checks if the registry value name setting is correct.

If the registry value name setting is not correct the script then changes the setting to make it correct and then exits.

An example of this would be if I was trying to prevent a Windows 10 system from upgrading to Windows 11 and I wanted to turn off auto updates.

To lock the system to Windows 10 the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate needs a registry value named ProductVersion that is a String with a setting of Windows 10.

To lock the system to a specific feature update of Windows 10 the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate needs a registry value named TargetReleaseVersionInfo that is a String with a setting of 22H2.

To enable locking the system to Windows 10 22H2 the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate needs a registry value named TargetReleaseVersion that is a DWord with a setting of 1.

To turn off auto updates the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU needs a registry value named NoAutoUpdate that is a DWord with a setting of 1.

Yes, I could just force the settings to be correct but if I run the script multiple times it constantly changes the settings and doesn’t take into account if the Windows Update service is running. If the Windows Update service is already running these settings won’t properly take effect until the Windows Update service is restarted or the whole system is rebooted.

My thought process is you could combine the results of the Registry Check Setter to have another script take action.

Intune Device Filters

As the end of Windows 10 starts creeping up we have to adapt some of our methods to support mixed environments with Windows 10 and Windows 11.

Most settings in Microsoft Intune aren’t specific to Windows 10 or Windows 11 some settings are specific to the version. For example, one of them is the Windows Start Menu. Windows 10 uses an XML file and Windows 11 uses a JSON file. Technically there’s no impact if you deploy those settings to either version of Windows but that might not always be the case. It’s a better idea to only target the intended version of Windows.

A way that I like to handle this is with Intune Device Filters. In this post, I’ll show you step-by-step how to create Device Filters for Windows 10 and Windows 11 in Microsoft Intune.

The Process

  • Login to Microsoft Intune admin center
  • Click onĀ Devices
  • Click on Filters
  • Click on Create > Managed devices
  • Give your Filter a name. Like Windows 10 or Windows 11.
  • Set the Platform as Windows 10 and later

Install VMware vCenter

VMware vCenter is a wonderful application that lets you take full advantage of your ESXi hosts. If you have more than one ESXi host you should look at vCenter. The full name of vCenter is vCenter Server Appliance or VCSA.

In this post, I will show you step-by-step how to install vCenter 8. The process is broken up into two stages. Stage 1 is the deployment on the vCenter VM and Stage 2 is the final settings to the vCenter VM.

The Process

Stage 1

  • Using a system that has access to the ESXi host you plan to use to create the vCenter VM download the vCenter ISO from VMware.
  • Mount or extract the ISO. I’m going to mount it.
  • Browse to \vcsa-ui-installer\win32 and run Installer.exe
  • Select Install

The next screen is the intro screen which lets you know that the process will be in two stages. The first stage is deploying the VM and the second stage is the final settings for the vCenter VM.

HPE iLO Firmware Upgrade

HPE iLO (Hewlett Packard Enterprise Integrated Lights-Out) is a wonderful tool when your servers are remote. It’s important to keep it up to date as if not properly secured it could be a risk of compromise to your environment.

In this post, I’ll show step-by-step how to update the HPE iLO firmware on your server. This will cover iLO 5 specifically however, older versions of iLO will follow a similar process.

The Process

  • Download the latest iLO firmware from HPE.
  • Login to iLO.
  • Click on Firmware & OS Software
  • Click Update Firmware
  • Select the iLO firmware file you downloaded from HPE.

If you have a TPM you will see a warning saying CAUTION: Suspend or back up any software that uses the installed TPM or TM, or risk losing your data. Select the Confirm TPM override check box to proceed.

Double-check your OS documentation to see if there is a risk of data loss and if you should be disabling items like BitLocker first.

It’s normal to not see this if you don’t have a TPM. If all is safe then select Confirm TPM override.

New Teams Desktop Shortcut

Microsoft has stopped deploying the original version of Microsoft Teams (now called Microsoft Teams Classic) with new Microsoft 365 apps installs. I’ve been using New Microsoft Teams for quite a while now and I honestly can’t tell the difference between the two anymore.

An issue I do have with New Teams is that it doesn’t seem to place a shortcut on the desktop. Having a desktop shortcut for Microsoft Teams is great for shared computers like meeting rooms.

In this post, I’ll show you step-by-step how to deploy a desktop shortcut for New Teams and I will show you how I figured it out as there seems to be very little documentation about this.

The Discovery

If you search around for how to make a desktop shortcut for New Teams you will find a large number of posts saying to run shell:AppsFolder and just drag the New Teams Icon to the desktop. While this process does technically work, I don’t like it. It looks ugly and always seems to use your account’s accent color as the background color.

Shortcut to New Teams via shell:AppsFolder and the normal shortcut to Teams Classic

If you look at the details of the shortcut created via the shell apps folder way, it points to the UWP ID of New Teams and thankfully not just the version. I suspect this method is perfectly fine. However, I don’t like it.

Details of the shortcut for New Teams via shell:AppsFolder method

A neat thing with UWP apps is that they sometimes have a URI (Uniform Resource Identifier) defined. When CVE-2022-30190 for the Microsoft Support Diagnostic Tool Vulnerability aka the Follina exploit was very active, one of the early mitigations was to disable the URI for ms-msdt by deleting the registry key for it which is located at HKEY_CLASSES_ROOT\ms-msdt if you go digging around in HKEY_CLASSES_ROOT there are a lot of interesting things in there like other applications that also use URIs. Such as both versions of Microsoft Teams.

Registry entries for the URIs for Teams

If you’ve used the web version of Microsoft Teams or clicked on a Teams meeting link and ended up opening it in a web browser then you’ve run into the Teams web launcher.

New Teams Mass Install Script

New Teams is a UWP (Universal Windows Platform) app and that presents its own challenges when it comes to system-wide mass installs.

If you download the MSIX directly and install it, it actually tricks you into thinking it’s installed for all users but in reality, it is only installed for the user that downloaded and installed it, this is why no local admin is needed to install it.

In this post, I will show how my new Teams mass install PowerShell script works.

Microsoft has provided a way to bulk install new Teams for all users and I’ve adapted the Microsoft method to be a bit more modular and make it always current.

The official method to bulk install new Teams is to use the Teams bootstrapper and run teamsbootstrapper.exe -p which will download the latest version of the new Teams MSIX and install it for all users. This used to be the only method for deployment.

Microsoft has since updated the new Teams bootstrapper to support an offline install allowing you to specify the location of the new Teams MSIX instead of downloading it. This is done with the argument -o

Rather than just using the new Teams bootstrapper to download and install the latest version of new Teams I decided to make the script download the latest version of the new Teams MSXI as this allows for more verbosity. You could also adapt the script to use a UNC path or an alternate location instead.

The goal of the script is to always be current and to be used with various deployment methods such as RMMs.

For the toggle for new Teams to work correctly in classic Teams, you need to make sure you have a compatible version of classic Teams installed. An easy way to do that is to use my Teams Machine Wide Install update script. Doing so will make sure everyone has a version of classic Teams that allows for toggling to new Teams.

The Script

The script is only intended to be run on Windows 10 or Windows 11 systems. It is not intended to be run on Windows Servers as some versions have very different install methods for new Teams.