Installing your own certificate is one of the first things you’ll need to do when setting up the Omnissa Unified Access Gateway appliance (formerly the VMware Unified Access Gateway appliance).
In this post, I will detail step-by-step how to install a certificate on the VMware UAG.
If you work with wild card certificates, it’s common to need to deploy them to more than one server. You will need to export the certificate to install it on other systems.
In this post, I will show you step-by-step how to export a certificate using MMC (Microsoft Management Console).
The Process
Connect to the system that has the certificate you want to export.
Open MMC.
Add theĀ CertificatesĀ Snap-in.
Select Computer account and click Next.
Select Local computer and click Finish.
Click OK to close the Add or Remove Snap-ins window.
Right-click on the Certificate you want to export and click Export.
When you create a CSR and provide it to your certificate vendor or CA (Certificate Authority), you must complete the CSR (Certificate Signing Request).
In this post, I will show you step-by-step how to complete a CSR.
Prerequisites
CSR generated on a system that you want to complete the CSR on. If you don’t know how my post Generate CSR with MMC details all the steps.
You can check which system has the pending certificate by checking the Certificate Enrollment Requests in MMC (Microsoft Management Console).
Certificate Pending completion of CSR
The Process
Connect to the system you used to generate the CSR.
Download the certificate files from your certificate vendor or CA.
Right-click on the certificate file and select Install Certificate.
You usually want to connect Omnissa Horizon (formerly VMware Horizon) directly to VMware vCenter, but it can make sense to leave them disconnected from each other in some situations.
In this post, I’ll show you step-by-step how to install the VMware Horizon Agent without using the VMware vCenter integration. You can do this on persistent VDIs and Physical Machines.
The Process
The configuration will be divided into two sections. The first section covers the steps needed on the system that you will install the VMware Horizon agent on, and the second section covers the steps needed on the VMware Horizon Connection Server.
VMware Horizon Agent
Launch the VMware Horizon agent install with the command line argument /v VDM_VC_MANAGED_AGENT=0
A custom-themed Microsoft 365 sign-in page can augment the user experience by making it easier to tell if it is a phishing sign-in page, as it will help users recognize whether the login page is legitimate or not. It also adds a nice custom tweak to your Microsoft 365 tenant.
Microsoft 365 Sign-in Page before and after Company Branding
In this post, I will show you step-by-step how to customize your Microsoft 365 sign-in page.
The Process
Log in to the Microsoft Entra admin center
Click on User Experiences > Company branding
Under Default sign-in experience, click on Customize
Upload a Favicon that is 32 x 32 pixels and less than 5 KB in size.
Upload a Background image that is 1920 x 1080 pixels and less than 300 KB in size.
The background image will be darkened by a black overlay with an opacity of 0.5.
Cloudflare Access is a wonderful tool that can add MFA (Multi-Factor Authentication) to applications that don’t support it.
I’ve previously covered Setting Up Cloudflare Access using email OTP (One-time PIN). What I didn’t cover in that post was how to set up Cloudflare Access with an IdP (Identity Provider).
In this post, I will show step-by-step how to set up Cloudflare Access to use Microsoft Entra ID (formerly Microsoft Azure Active Directory) as the IdP and use Microsoft 365 SSO (Single sign-on) to make everything very transparent to the user.
Prerequisites
DNS for the web application in Cloudflare with Cloudflare Proxy enabled on the DNS record. (or a Cloudflare Tunnel)
For this example, I will be using the team domain test.cloudflareaccess.com
Microsoft Entra ID Configuration
Login to Microsoft Entra admin center.
Click on Applications > App registrations.
Click on New registration.
Name your application. I will use the name Cloudflare Access.
Select Accounts in this organizational directory only (Single tenant)
Set the Redirect URI platform to Web.
Set the Redirect URI to the URL of the Team domain you noted down earlier. Add https:// to the front of it and add /cdn-cgi/access/callback to the end of it.
Sometimes, you need to do a quick factory reset on a Palo Alto Networks firewall. If you aren’t decommissioning the firewall, a Private Data Reset can be a faster way to accomplish similar results as a factory reset and can be done via CLI directly and could technically be done remotely with some coordination.
In this post, I will show you step-by-step instructions on how to perform a private data reset on a primary Palo Alto Networks firewall in an Active/Passive High Availability Pair using the GUI and the CLI.
I recently discovered that I caused an unintended side effect on Windows 10 when deploying a default taskbar for all users.
In my post Intune Deploy Default Taskbar I inadvertently introduced a bug to the Windows 10 Start Menu making it so users can’t customize anything.
The bug is that users can pin programs to the taskbar but they can’t pin anything to the Start Menu and they also can’t change anything in the Start Menu.
Can’t pin Microsoft Access to the Start Menu on Windows 10
The issue does not impact Windows 11 as the way the Windows 11 Start Menu layout uses JSON and the Windows 10 Start Menu layout uses XML, the same XML file that is used for the default taskbar.
I am happy to allow users to customize their Start Menu as much as they want but I do want a consistent user experience for all. Most users likely won’t change anything, but the ones that do want to customize their Start Menu would be blocked.
In this post, I will show you step-by-step how to fix the bug and how to deploy a partial custom Start Menu for Windows 10 using Microsoft Intune.
The Process
On a source system configure an application group in your start menu and pin the applications in the order you want.
The application group name will also be deployed. I named my application group Company Name for this example but you can make it whatever you want.
I don’t want the custom Start Menu application group to be very intrusive so I will use 1×1 icons for all the common Microsoft applications and I will use 2×2 icon for Company Portal as Company Portal is still new for a lot of people.
Source Windows 10 Start Menu application group
Export the Start Menu layout by running the following PowerShell command Export-StartLayout -UseDesktopApplicationID -path C:\temp\start-menu.xml
Open the Start Menu XML file as we will need to make changes to it.
Out of the box, you can’t just add a Security Profile to the interface that runs GlobalProtect fortunately there’s a relatively easy way to do it with minimal impact to your existing GlobalProtect setup.
In this post, I will show you step-by-step how to secure GlobalProtect by adding protection with a Vulnerability Protection Profile or a Security Profile Group to an already existing GlobalProtect setup by using a loopback interface.
The Process
Log in to the Palo Alto Networks Firewall
Click on Objects
Click on Addresses
Add a new address for your loopback address
I will be using the address 192.168.187.2 for this example.
Click on Network
Click on Zones
Add a new Zone. I will be using the name GP-WAN. (This zone will be the zone allocated to the GlobalProtect loopback interface later on.)
Set the Type to Layer3
Select your Zone Protection Profile. In my case, I will use the one called Recommended_Zone_Protection
Select the option to Enable Packet Buffer Protection.
