How to Find Azure AD Connect Server

I will show you how to find Azure AD Connect in your environment using Active Directory Users and Computers. I visited a customer who needed to force a delta sync using Azure AD Connect. The person responsible was absent, which meant that nobody knew where it was installed. I found a simple method of finding the server after some research, but it depends on the service account. It turns out that the installer writes the server name to the description field of the gMSA account during installation. Azure AD Connect is the engine that synchronizes the identities from your Active Directory…

Server Missing in WSUS Console

In this post I will explain how I solved my problem when I had a server missing in the WSUS console. I had just set up a new WSUS server for a customer and deployed the GPO settings. The GPO contained the basic settings required to configure the clients, like server name, computer group and what update schedule to follow. Even though all settings were correct, only some servers appeared in the console. After some thorough troubleshooting I was sure that the GPO settings were correct, but I still had the same issue. I had a feeling that something was wrong when…

Configuring Local Administrator Password Solution (LAPS)

Introduction

Local Administrator Password Solution (LAPS) is a technology from Microsoft that allows you to secure the passwords for local administrators and store them in Active Directory, in a similar way to BitLocker recovery keys. This technology allows you to randomize a password for each computer you enable it on and to enforce complexity policies to make sure they stay secure. With all the new security features coming around lately you should definitely configure LAPS for Windows 10 to use it as a great supplement. Local administrator accounts have always been an issue to manage in large environments and especially when there are multiple…

How to Enable BitLocker on Existing Devices Using SCCM

All businesses want to protect their data to make sure it is safe from unauthorized users. A big part of this is to encrypt the disks of their devices using BitLocker. This can easily be done during OS installation for all new computers, but it might be troublesome to enable BitLocker on existing devices. BitLocker can use multiple key information methods, but in this case I will focus on TPM. TPM is a hardware component that is installed by the manufacturer and can be used to ensure that the computers have not been tampered with while the computer was powered…

How to Use Geofencing for Intune Managed Devices

Background

While using Microsoft Intune you might want to limit access to apps depending on where the device is located. You can now use geofencing for Intune-managed devices by using Named locations in Azure Active Directory. In previous versions of Intune you had access to locations for Compliance Policies but were limited to network details, such as the following list.

- IPv4 Range (e.g. 192.168.1.0/24)
- IPv4 Gateway
- IPv4 DHCP server
- IPv4 DNS Servers
- DNS suffixes

You can now use the physical location of the device as a condition for Conditional Access (CA) by creating a Named Location and selecting the country you want to…

How to create SCCM collection based on Configuration Baseline compliance

Background

I was looking at how to create an SCCM collection based on a configuration baseline as a validation step before running upgrades on Windows 10 devices. During this process I wanted to automate collection memberships based on the results of the validation. It turns out that you can quite easily create an SCCM collection based on a configuration baseline. I'm using this method to verify that our devices fulfill the requirements before assigning the Feature Upgrade.

Solution

All you need to do is navigate to Configuration Baselines to select the baseline you want to use. Click the Deployments tab and right-click on the deployment…

How to execute powershell.exe with script and parameters

Background

I had some problems today with powershell.exe and the syntax. My goal was to use an application that executes a script together with a parameter to start an installation. This is how to execute powershell.exe properly using the command prompt.

What I tried to do

I wanted to run powershell.exe from the command line and supply it with arguments, a file and parameters. First I was trying to use something like this:

    powershell.exe -ExecutionPolicy Bypass -File "Install-Application.ps1 -Mode Install" -WindowStyle Hidden -NoProfile

I couldn't get this to work and the CM logs didn't tell me what the issue was. What the issue…

GPO Inaccessible, Empty or Disabled due to delegations

Introduction

During a project a customer of mine found that a new policy didn't work as intended due to the GPO being inaccessible. The GPOs were verified multiple times and there was nothing wrong with either the settings, the scope or the security filtering. After some troubleshooting I found that gpresult /h indicated that the reason was "GPO Inaccessible, Empty or Disabled".

Issue

Because of vulnerabilities in GPOs, Microsoft implemented a design change in Security Update for Group Policy (3163622). The update changes how the policies are retrieved by using the computer's security context instead of the user's. The reason for this…

Application Catalog is still required when deployed as available for users

Background

I was recently asked what the prerequisites were for deploying applications to users as Available. It turns out the customer was interested in moving from Application Catalog to the new Software Center, which in turn made them ask some questions. Previously, in the Silverlight-based Software Center, users were unable to install applications that were Available to them. They had to open Application Catalog to see those applications.

Solution

It turns out that while you can install available applications through the new Software Center, you still need Application Catalog installed and configured in ConfigMgr even though you don't have…

Deploy App With Intune to All Users With Enrolled Devices

Deploy an app to all users with enrolled devices

Today I noticed a new option when it comes to assignment of applications in Intune. Earlier, you had to select an Assignment Type and then a targeted group to include in the assignment. Now you can select the assignment type Available for enrolled devices or Available with or without enrollment, and when you press Included Groups you will have an option to deploy the app to all eligible users instead of including a specific group. I hope this is new for you as well and will help you with your deployments. How…
