All Activity

To renew an expired secret in an Azure Function app, you will need to follow these steps: Log in to the Azure portal and navigate to your Function app. In the Function app menu, select "Platform features" and then click on "Managed service identity" under the Security section. Turn on the "System-assigned" managed identity if it is not already on. Go back to the Function app menu and select "Application settings". Locate the key or connection string that contains the expired secret and click on it. Update the value of the key or connection string with the new secret. Save the changes. Navigate back to the "Managed service identity" page and grant the Function app the necessary permissions to access the resource that the secret is used for. Finally, update your Function app code to use the new secret instead of the expired one. By following these steps, you should be able to renew an expired secret in your Azure Function app. Regards, Peter

To use Windows AutoPilot with a proxy, you need to ensure that your device can communicate with the required endpoints over the network. Here are the steps to follow: Determine the URLs or IP addresses that your device needs to communicate with to use Windows AutoPilot. These include the Microsoft Endpoint Configuration Manager service, the Microsoft Store for Business and Education, and the Microsoft Intune service. Configure your proxy server to allow traffic to these URLs or IP addresses. Configure your device to use the proxy server. You can do this either during device setup or by modifying the device's network settings later on. If you're using a web proxy, ensure that it supports SSL interception and decryption, as Windows AutoPilot requires SSL inspection. Verify that your device can communicate with the required endpoints over the network. You can use tools like telnet, ping, or nslookup to test connectivity. Once you've completed these steps, you should be able to use Windows AutoPilot with a proxy. Note that some proxy servers may require additional configuration, such as authentication or SSL certificate installation. Consult your proxy server documentation for more information. Regards, Peter

To move devices from non-compliant to compliant in Microsoft Intune, you can follow these steps: 1. Identify the non-compliant devices: First, you need to identify the non-compliant devices in your Intune portal. You can do this by going to Devices > All devices and filtering the list to show only the devices that are currently marked as non-compliant. 2. Identify the compliance issue: Once you have identified the non-compliant devices, you need to identify the compliance issue. Check the device's compliance policy to see which policy rule the device is failing to meet. 3. Resolve the compliance issue: To move the device from non-compliant to compliant, you need to resolve the compliance issue. Depending on the specific issue, you may need to perform one or more of the following actions: Update the device: Make sure that the device is up-to-date with the latest operating system and app updates. Install required apps: Make sure that any required apps are installed on the device. Configure settings: Make sure that any required device settings are configured correctly. Remove non-compliant apps: If the device has non-compliant apps installed, you may need to remove them from the device. 4. Check compliance again: Once you have resolved the compliance issue, go back to the device's compliance policy and check if the device is now marked as compliant. If the device is still non-compliant, double-check that you have resolved the compliance issue correctly. 5. Re-evaluate the compliance status: If the device is now compliant, you may need to wait for the compliance status to be re-evaluated. This can take up to 24 hours, but you can manually trigger a compliance evaluation by selecting the device and clicking on "Check compliance" in the device details pane. 6. Confirm the device is now marked as compliant: After the compliance evaluation is complete, confirm that the device is now marked as compliant in the Intune portal. By following these steps, you can move devices from non-compliant to compliant in Microsoft Intune. Greetings, Peter

You can enable MDM auto-enrollment for Microsoft Intune in Azure by following these steps: Sign in to the Azure portal with an account that has the necessary permissions to manage Intune. Navigate to Intune by searching for it in the search bar at the top of the Azure portal. In the Intune pane, select "Device enrollment" from the menu on the left. Click on "Windows enrollment" and then select "Automatic enrollment". In the Automatic enrollment blade, select "Intune MDM user scope" from the options at the top of the page. Choose the user groups that you want to enable auto-enrollment for by selecting them from the list of available groups. Under the "Device enrollment type" section, select "Managed devices" if you want to allow users to enroll their personal devices, or select "Corporate-owned devices" if you want to restrict enrollment to company-owned devices only. Under the "Credentials" section, choose the type of credentials that will be used for auto-enrollment. You can choose from Azure AD, Microsoft accounts, or Google accounts. Save your changes by clicking on the "Save" button at the top of the blade. Once you have completed these steps, MDM auto-enrollment will be enabled for the selected user groups, and their devices will automatically enroll in Intune MDM when they sign in with their Azure AD credentials. You can monitor the enrollment status of devices in the Intune portal under "Devices > All devices". Greetings, Peter

To deploy Microsoft Visio 2021 Standard from Intune, you can follow these steps: First, you need to have a Microsoft 365 subscription and access to the Microsoft Endpoint Manager portal. Once you are in the Endpoint Manager portal, go to Devices > Windows > Windows enrollment > Automatic enrollment. Ensure that automatic enrollment is enabled, and then go to Devices > All devices > Add. Select Windows 10 and later for the platform and select the appropriate profile type. Fill in the necessary details and create a profile. After creating the profile, go to Apps > All apps > Add. Select the "Line-of-business app" option and upload the Visio 2021 Standard app package. Fill in the required details such as the name, publisher, and version of the app. In the App information section, select the appropriate architecture and operating system. In the App package file section, select the app package file that you uploaded in step 7. Configure the rest of the app settings as per your requirements. Click on the Assignments tab, select the appropriate group or user, and then click on Save. Once you have completed these steps, Intune will start deploying Microsoft Visio 2021 Standard to the selected devices. You can track the deployment status in the Endpoint Manager portal. Regards, Peter

hi @Wizu I've now finished updating the changes and testing to the new release (1.5.28) I plan on blogging about the changes shortly, if you'd like to try it before I blog it then please pm me and i'll make the code available,

Microsoft Outlook users advised to urgently apply the security patches provided by Microsoft Hannover, Germany – 16 March 2023 – A severe security vulnerability has been discovered in Microsoft Outlook, which is currently being exploited by cybercriminals. The vulnerability, identified as CVE-2023-23397 with a CVSS score of 9.8, permits a remote, unauthorized attacker to compromise systems simply by transmitting a specifically crafted email. This malicious email enables the attacker to gain unauthorized access to the recipient’s credentials. More widespread attacks that target this vulnerability are expected Umut Alemdar, Head of the Security Lab at Hornetsecurity, said, “We expect that the likelihood of more widespread attacks targeting the CVE-2023-23397 vulnerability to increase, as public proof-of-concepts have already been released. We therefore highly recommend that all users of Microsoft Outlook apply the security patches provided by Microsoft as soon as possible.” He confirmed that Hornetsecurity detects emails that exploit the vulnerability and quarantines them to prevent emails from reaching the victim’s inbox, and added, “The Security Lab at Hornetsecurity is continuing to monitor the threat landscape to ensure that customers are protected from the latest cyber threats.” Exploitation occurs even before the email is displayed in the preview pane The exploit is initiated by fetching and processing a malicious email by the Outlook client, potentially leading to exploitation even before the email is displayed in the preview pane. It triggers a connection from the victim to a location controlled by the attacker. This results in the leakage of the victim’s Net-NTLMv2 hash, a challenge-response protocol used for authentication in Windows environments. The attacker can then relay this information to another service and authenticate as the victim, further compromising the system. The complexity of the attack is low, and it has been seen in the wild according to Microsoft, with the exploit being used to target the European government, military, energy, and transportation organisations. It was initially reported to Microsoft by CERT-UA (the Computer Emergency Response Team for Ukraine). A proof-of-concept created by the Hornetsecurity’s Security Lab team demonstrates that the exploit is hard-to-detect since all anti-malware and sandbox services incorporated into VirusTotal were unable to recognize it as malicious. Recommended actions For a list of affected versions, and recommended action to secure your organization, please click here.

Introduction If you are new to Windows 365 Cloud PC's please check out our series about Getting Started with Windows 365. Microsoft recently blogged about the ability to use alternate ANCs (Azure Network Connection) when Provisioning Cloud PCs so that if one ANC goes down it can fall over to the next in line according to priority. You can read that blog post here. Lets look at the new feature in detail. But first, what is a provisioning policy. This policy defines what settings you will apply to new Cloud PCs when they are provisioned for your users. When creating a new provisioning policy you have to enter some details, such as join type, network type, and so on. In this case we are interested in the type of network we'll use, it can be Microsoft hosted network Azure network connection as you can see here The reason there are two types of network depends entirely on your needs. If you want minimum fuss and minimum requirements when creating the policy choose the Microsoft hosted network, that way you don't have to create a virtual network or have an Azure subscription tied to your Cloud PCs connectivity. If on the other hand you want to have more control over the type of network settings such as specifying individual DNS servers, IP ranges or address spaces then you need to choose Azure network connection and create those separate virtual networks (vnet) in your Azure subscription. Once you've decided which network join type to use, you are shown active working ANCs in your environment at the time you started creating the provisioning policy. Those ANC's listed are based on the list of healthy ANC's you have at time of creation of the provisioning policy, so at the time I created this provisioning policy, the following ANCs were healthy. Note that it will only list those ANCs based on the join type you select. Note: You should only add an alternate ANC if you fully understand the implications of provisioning Cloud PCs in a different ANC. If any of the above are unhealthy, they won't appear in the drop down list. Select those that you want included in this provisioning policy. You'll notice that a new Network prioritization UI appears behind your choices. Clicking away from the drop down menu allows you to sort your ANCs by your chosen priority. You can click and drag the ANC from one priority to another within your list. After sorting your ANCs by priority your new list is shown UI note: It would be nice if all the information in each of the columns for each ANC was shown, right now you need to scroll right to see what's what. Continue through the wizard to complete your Alternate ANC provisioning policy. The policy is listed below, note how the Azure network connection column shows a + What about existing provisioning policies ? You can also edit existing provisioning policies to add alternate ANCs, however it's not that intuative. To do so, open the properties of an existing policy and click Edit at the General settings. in the Azure network connection section, click the drop down menu to show other healthy ANC's next, make your selection and change priority as shown earlier Verifying alternate ANCs in your provisioning policy Now that I've created an Alternate ANC provisioning policy with three healthy ANCs (listed below), I decided it was time to see this working in a lab. W365Demo1_anc W365Demo2_anc W365 North Europe HAAD ANC For this test I forced one of the three Routing and Remote Access Service (RRAS) servers which host services used in the hybrid azure network connections into an unhealthy state by shutting down the corresponding on premises server. By doing this I basically forced the following ANC offline. W365Demo1_anc Once that ANC was offline I retried the network tests in each respective ANC and then refreshed to see the latest status. You can clearly see that W365Demo1_anc is listed with a status of Checks failed. The next logical step is to provision a Cloud PC for a user targeted with the Alternate networks in windows 365 provisioning policy. I then added a user to the group targeted with the this provisioning policy and waited for it to provision. The provisioning started after a few minutes, but strangely it listed the very ANC that i took offline in the Azure network connection status column. This was not what I expected, but maybe just a UI glitch. According to the priority I specified in my alternate ANC list, I expected W365Demo2_anc to be the ANC used during provisioning as W365Demo1_anc was already offline and marked unhealthy. I've made the Product Group aware of this. I'll update this blog post once they reply back. After completing the provisioning process I could see that it correctly listed the second of three available ANC's from my list (as the first was offline). That's a result ! Great job Microsoft ! Recommended reading Using Alternate ANCs in Windows 365 - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-alternate-ancs-in-windows-365/ba-p/3780384 Getting started with Windows 365 - https://www.windows-noob.com/forums/topic/23040-getting-started-with-windows-365-part-1-introduction/ Configuring alerts for Windows 365 Cloud PC's - https://www.windows-noob.com/forums/topic/23164-how-can-i-configure-alerts-for-windows-365-activity-in-intune/ Create and assign provisioning policy - https://learn.microsoft.com/en-us/windows-365/enterprise/create-provisioning-policy#continue-creating-a-provisioning-policy Summary Providing the ability to use multiple/alternate ANC's during provisioning of a new Windows 365 Cloud PC is an important step forward in reducing downtime when provisioning new Cloud PC's. The recommended actions in Matt's blog post do point out that you should keep an eye on the health of your ANC's and while that is nice in theory, the existing methods of doing that are to look at the ANC health in the Azure Network Connections view directly, or read the emails generated by the alerting feature. I'd like to see a report that shows the reliability/health of your ANC's over time, so that it's easy for the admin to pinpoint problem locations (during specific time periods) and fix them. This new feature only applies to the actual provisioning of the new Cloud PC. It does not apply to existing Cloud PC's that may be affected if an ANC goes unhealthy.

I created the driver package and added it as an install during the imaging process and it seems to have run successfully (checked the logs) but the driver does not show up in Print Management. I'm guessing it's because the printer is a network one and therefore not attached to the device but I'm wondering if it's possible to put the driver on the device so that the user doesn't have to download/install the driver when they go to add printers the first time. Thanks!

Hi. I'm testing the roll out of Windows 10 22H2, and have encountered some odd problems. Most computers in the company are currently on Windows 10 20H2, and we have no problems with them. I've updated a handful to 22H2 - some with an enablement package, and others have been re-imaged with a task sequence. All 22H2 machines are facing the same problems. First of all, driver installation always fails during the task sequence. The only difference between the 20H2 and 22H2 task sequences is the choice of OS image and Unattend.xml. This is a status message from one of the driver installation steps: The other problem is that no updates are showing up in Software Center (on 22H2). All the applications are there, though. I've looked through a bunch of logs, and can't see anything obvious, so am not sure of the next step. Any suggestions? Thanks.

FYI...it is on the left side, as well as the up/downvote on my MAC. All good now

Ok. That checkmark for me is on the right side...at least on my phone it is. I think we're good. I have the upvote/downvote on the left side but again... I think it's good now. Thanks for the assist

Click on the area I marked in yellow

Is it the checkmark button? Didn't notice that before.

nevermind i figured it out, it was a forum setting you should be able to mark it as solved now

I don't today (I'm now away from my Mac), but can tomorrow.

i admit i'm stumped, do you have time to do a remote session with me so I can see exactly what you see ?

hmm i'll keep digging, I've not found the answer yet, but i'll try !

And, if it's this difficult to close a post/mark best answer, then obviously changes should be made to the UI

I assume you mean "Moderation Actions"? No... I do not have that. The attached pic shows what I see

does this help ? https://invisioncommunity.com/news/invision-community/45-marking-as-solved-r1187/ do you see the option by clicking in the top right of a post ?

Thanks! 😊

heh good question, let me try and figure it out, it could be a forum setting that i need to enable, i'll take a look and report back later

@anyweb How do I mark my comment as the 'correct answer'? I received an email to do so, which I'm more than happy to do, but there are no options next to a comment saying 'best answer' or 'mark as answer', etc. ....at least, none I can see. Thanks!

SELECT sys.Name0 'Name', sys.Operating_System_Name_and0 'Operating System' FROM v_ServiceWindow AS sw INNER JOIN v_FullCollectionMembership AS fcm ON sw.CollectionID = fcm.CollectionID RIGHT JOIN v_R_System AS sys ON fcm.ResourceID = sys.ResourceID WHERE sw.Name is NULL AND sys.Client0 = 1 ORDER BY sys.Name0