System Center Service Manager 2022 and create incident through e-mail
Joe13 replied to keywan's question in System Center Service Manager
Howsit, on your Exchange server, did you allow the SCSM server to relay? Haven't worked on this in ages, cannot recall if it still works this way.
Ok, fixed it. In case anyone else ends up with this issue: the problem in this case was trusted site settings. For some reason the "include all local (intranet) sites" option was not being respected and the FQDN of the primary site, cmserver.corp.com, had to be added to the local intranet zone. The Company Portal logs show that an exception occurred when calling the Config Manager user service: "Exception of type MessageSecurityException has been thrown. Detailed message: MessageSecurityException handled when trying to query the User Service with using..." and that the Config Manager user service is using Windows Authentication: "76xxxxxa-0xxa-4a6e-911f-fxxxxxxx9 2-1-1 Configuration Manager User Service is using Windows Auth". IIS logs on the site server show no authenticating users but a series of 401 returns to the requesting client. When the client is on the Internet, the Company Portal logs show that the user service is contacted using AAD Auth instead of Windows auth, so in that case no Integrated authentication was attempted. After adding the site server to the local intranet zone and re-launching Company Portal, all apps were displayed and no auth failures were logged.
Clients not getting self signed certs
WinDoozer replied to TeachMeSCCM's topic in Configuration Manager 2012
Hi there, I know this is an old post but I was wondering if you could clarify a bit. Did you end up reinstalling the MP on the primary site? I am experiencing the same thing right now and I am unable to pinpoint the issue. I've pretty much gone down the same log dive as you did and I am receiving a lot of the same errors. The properties on SMS_MP seem to be correct on our MP. We have a pretty flat hierarchy, 1 primary site and 5 DPs.
Changed the WSUS directory during installation via PowerShell. The C drive doesn't have enough space, so I created an E drive for WSUS specifically. Getting error alerts as below:

Log file is located at :\users\name.domain name\appdata\local\temp\wsuspostinstallation is starting Fatal Error: Time out has expired and the operation has not been completed.

Note that I never used SQL data for this, I've just been using WID and the internal directory, and deleted it during removal. Would appreciate any help please. Thanks. RK
I'm having an issue with Company Portal only showing some of the apps deployed from ConfigMgr (Intune apps show up fine). On a closer look, apps assigned to device collections show up in both Software Center and in Company Portal, while apps assigned to users only show up in Software Center. This issue only occurs while I am on-prem and only on hybrid joined devices. If I move the device to an Internet connection or force the client into alwaysOnInternet via the registry (or use a co-managed Entra ID joined device) all apps show up in Company Portal. I tried a few different types of deployments: packages, applications, custom, msi, weblinks, deployed as required, deployed as available. No difference noted. Is this the expected behaviour? I'm seeing this both in a prod environment and in lab.

Setup (both in prod and lab):
- ConfigMgr 2403
- Entra ID hybrid joined devices
- CMG in place
- Client apps workload moved to Intune
- Client setting deployed to use Company Portal instead of Software Center
- User / device allowed to retrieve policies from Internet
- MP allows CMG traffic
- ConfigMgr in HTTPS only mode
- policyAgent.log shows device receiving user and device policies
- Win10 (22H2) and Win11 (23H2) clients
Hi there, I hope you are doing well. I have a question, how can we automate updating the domain profile GUID on remote Windows 10 devices for users who connect to VPN post logon? Thank You, Mike Taku.
Hey there, welcome to the forum. If you need any kind of help from me I am here to assist you, feel free to ask me. Thanks, Mike Taku.
Hello Everyone! Excited to join this tech forum! I’m new here, so I’m still figuring things out, but I’m eager to dive into discussions. If I get stuck or need help navigating, I'd appreciate any pointers. Looking forward to learning from and contributing to this community! Thanks for the warm welcome! Mike Taku.
Surface Laptop 7 (ARM)
anyweb replied to RobDrizz's topic in System Center Configuration Manager (Current Branch)
here's some info to assist you https://www.niallbrady.com/2023/12/03/arm64-support-for-osd-added-to-configuration-manager/
Surface Laptop 7 (ARM)
RobDrizz replied to RobDrizz's topic in System Center Configuration Manager (Current Branch)
We're just updating the ADK, I think we were a couple of versions out of date (22H2). Waiting to do some testing, will keep you updated.
Surface Laptop 7 (ARM)
anyweb replied to RobDrizz's topic in System Center Configuration Manager (Current Branch)
did you add support for ARM PXE?
Introduction

This is Part 3 of a new series of guides which will cover managing Windows 365 Cloud PCs using PowerShell and Microsoft Graph. This mini series should help you get started with automating and managing your Cloud PCs using PowerShell via Microsoft Graph. If you are new to Windows 365 Cloud PCs then please read our previous series called Getting started with Windows 365, available here. At the time of writing, Paul is an 8 times Enterprise Mobility MVP based in the UK and Niall is a 14 times Enterprise Mobility & Windows and Devices MVP based in Sweden.

Below you can find all parts in this series:

Automating Windows 365 part 1 - Introducing Graph and setting up Visual Studio Code
Automating Windows 365 part 2 - Using Graph X-Ray
Automating Windows 365 part 3 - Provisioning Cloud PCs <- you are here
Automating Windows 365 part 4 - Managing your Cloud PC
Automating Windows 365 part 5 - Cloud PC reports

The automation used in this part is based upon the manual actions we took in a previous series on Windows 365 here. In this part we'll cover the following:

Install PowerShell 7
Assigning Licenses to Users
Adding licensed users to an Entra ID Group
Decide which network your Azure AD Joined Cloud PCs will use
Create or reuse a Resource Group (optional)
Create or reuse a Virtual Network (optional)
Create an Azure Network Connection (optional)
Create a Provisioning Policy
Summary

Install PowerShell 7

To avoid errors later on, and in order to get the full benefit of PowerShell, we'll install PowerShell version 7. You can determine your PowerShell version using the following code in Visual Studio Code:

$PSVersionTable

As you can see here, our PC is running an older version of PowerShell so it's time to update it. You can download PowerShell 7 from here. Once installed, restart Visual Studio Code and check the version again; it should reflect PowerShell version 7.4.6 as below.
Assigning Licenses to Users

You need to assign a Windows 365 license to your users in order for them to use the service, much as you would with any Microsoft 365 product. To do this manually, open the Microsoft 365 admin center, expand the Billing node, select Licenses, and choose the appropriate Windows 365 product from those you've purchased. When it comes to automation however, we first need to know what SKUs are available in our tenant. Using the following code we can list all of those SKUs; it uses the Get-MgSubscribedSku cmdlet documented here.

# 1. Get the SKUs
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Force -AllowClobber
Connect-MgGraph -Scopes "Organization.Read.All"
Get-MgSubscribedSku | Select-Object SkuId, SkuPartNumber

Launch Visual Studio Code as Administrator and give it a whirl. The results will be displayed similar to the output below, and here are the corresponding licenses in admin.microsoft.com.

Now that we know the SKU ID of our available licenses, we will assign users to the Windows 365 Enterprise 2 vCPU, 8 GB, 128 GB license, shown as e2aebe6c-897d-480f-9d62-fff1381581f7 CPC_E_2C_8GB_128GB in the PowerShell output. In order to do so, drop a file called userId.txt in C:\temp containing the UPNs of the users you wish to assign licenses to (one per line):

# 2. Assign Users to SKU
# The assignLicense call needs User.ReadWrite.All; Group.ReadWrite.All does not cover it
Connect-MgGraph -Scopes "User.ReadWrite.All"
# The SKU ID for the license you want to assign
$skuId = "e2aebe6c-897d-480f-9d62-fff1381581f7"
# Path to the text file containing UPNs (one per line)
$userIdsFilePath = "C:\temp\userId.txt"
# Read UPNs from the text file, skipping blank lines
$userIds = Get-Content -Path $userIdsFilePath | Where-Object { $_.Trim() -ne "" }
# Loop through each UPN and assign the license
foreach ($userId in $userIds) {
    $body = @{
        addLicenses    = @(@{ skuId = $skuId })
        removeLicenses = @()
    } | ConvertTo-Json -Depth 5
    # Discard the returned user object (a bare "> Null" would write it to a file named Null)
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$userId/assignLicense" -Body $body | Out-Null
    Write-Host "License assigned to $userId"
}

After running the code above the result is revealed, which can be confirmed in the admin portal. Ok, now that we know how to assign licenses to users, let's automate the creation of an Entra ID group and populate it with users.

Adding licensed users to an Entra ID group

Next, you need to add the licensed user(s) to an Entra ID group. You can name the group whatever you want, but it would be a good idea to match the name of your Entra ID group to the provisioning policy that we will create later in this guide by using a naming convention. In this example the script will create an Entra ID group called W365 North Europe AAD W11 users via Graph and it will add the licensed user(s) to that group. By using this naming convention we can quickly determine that members of this group will get a Windows 365 Cloud PC configured for Northern Europe, using Azure AD Join and running Windows 11. To accomplish this we'll use the following code:

# 3. Add Users to Entra ID Group
# Install and connect to Microsoft Graph
Install-Module Microsoft.Graph.Beta.Groups -Force -AllowClobber
Install-Module Microsoft.Graph.Beta.Users -Force -AllowClobber
# User.Read.All is needed to look up each user's object ID
Connect-MgGraph -Scopes "Group.ReadWrite.All","User.Read.All"
# group name
$groupName = "W365 North Europe AAD W11 users via Graph"
# Reuse the group if it already exists, otherwise create it
$group = Get-MgBetaGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $GroupParam = @{
        DisplayName     = $groupName
        GroupTypes      = @()
        SecurityEnabled = $true
        MailEnabled     = $false
        MailNickname    = (New-Guid).Guid.Substring(0,10)
    }
    $group = New-MgBetaGroup -BodyParameter $GroupParam
    Write-Host "Group '$groupName' created"
}
# Path to the text file containing UPNs (one per line)
$userIdsFilePath = "C:\temp\userId.txt"
# Read UPNs from the text file, skipping blank lines
$userUPNs = Get-Content -Path $userIdsFilePath | Where-Object { $_.Trim() -ne "" }
# Loop through each UPN and add the user to the group
foreach ($upn in $userUPNs) {
    # Add the user to the group using their object ID
    $user = Get-MgBetaUser -UserId $upn
    New-MgBetaGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    Write-Host "User $upn added to group"
}

The code above creates the Entra ID group (or reuses it if a group with that name already exists) and then populates it with all users found in the text file. Note: adding a user who is already a member of the group will still return an error from Graph, so a second run is not completely silent.

Decide which network your Azure AD joined Cloud PCs will use

You need to decide which network type your Cloud PCs will use for the Azure AD Join scenario. There are 2 choices, listed below.

• A Microsoft-hosted network
• Your own network (using an Azure network connection)

Tip: If you want your Azure AD Joined Windows 365 Cloud PCs to be 100% cloud only then select the built-in Microsoft-hosted network. If you select that choice then you can skip the next three optional steps.
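To check the outcome of the two scripts above, here is an added example (it is not part of the original guide) that audits the users listed in C:\temp\userId.txt: for each one it reports whether the Windows 365 SKU is actually held, whether Graph recorded a license assignment error (for example when the tenant has no free licenses left, the state is ActiveWithError or Error rather than Active), and whether the user ended up in the group. It uses the v1.0 Microsoft.Graph.Users and Microsoft.Graph.Groups modules with read-only scopes; the SKU ID, file path and group name are the ones used in the guide.

```powershell
# Added example: audit license state and group membership for the users in the text file.
# Read-only scopes are enough here; nothing is changed in the tenant.
Install-Module Microsoft.Graph.Users -Force -AllowClobber
Install-Module Microsoft.Graph.Groups -Force -AllowClobber
Connect-MgGraph -NoWelcome -Scopes "User.Read.All","Group.Read.All"

$skuId     = "e2aebe6c-897d-480f-9d62-fff1381581f7"   # CPC_E_2C_8GB_128GB, as in the guide
$groupName = "W365 North Europe AAD W11 users via Graph"
$userIds   = Get-Content -Path "C:\temp\userId.txt" | Where-Object { $_.Trim() -ne "" }

# Build a lookup of current group member object IDs (empty if the group does not exist yet)
$group   = Get-MgGroup -Filter "displayName eq '$groupName'"
$members = @{}
if ($group) {
    Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $members[$_.Id] = $true }
}

$report = foreach ($upn in $userIds) {
    try {
        # licenseAssignmentStates is only populated when explicitly selected
        $user = Get-MgUser -UserId $upn -Property "id,userPrincipalName,accountEnabled,licenseAssignmentStates" -ErrorAction Stop
    } catch {
        [pscustomobject]@{ User = $upn; AccountEnabled = $null; LicenseState = "user not found"; Error = $_.Exception.Message; InGroup = $false }
        continue
    }
    # Pick the assignment state entry for the Windows 365 SKU, if any
    $state = $user.LicenseAssignmentStates | Where-Object { $_.SkuId -eq $skuId }
    [pscustomobject]@{
        User           = $user.UserPrincipalName
        AccountEnabled = $user.AccountEnabled
        LicenseState   = if ($state) { $state.State } else { "not assigned" }
        Error          = if ($state -and $state.Error -and $state.Error -ne "None") { $state.Error } else { "" }
        InGroup        = $members.ContainsKey($user.Id)
    }
}

$report | Format-Table -AutoSize
# Anything other than an Active license with no error and group membership needs attention
$needsAttention = $report | Where-Object { $_.LicenseState -ne "Active" -or $_.Error -ne "" -or -not $_.InGroup }
if ($needsAttention) {
    Write-Host "Users needing attention:" -ForegroundColor Yellow
    $needsAttention | Format-Table -AutoSize
} else {
    Write-Host "All users are licensed and in the group." -ForegroundColor Green
}
```

Running this after the assignment script is a cheap way to catch the silent cases: a UPN typo in the text file, a disabled account, or a tenant that has run out of the SKU, none of which the "License assigned to ..." message in the guide's loop would reveal.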
If however you want to control the region where your network is located (in relation to your users) and which DNS settings your Cloud PCs will use, plus many other additional network settings, then you should configure the next three steps.

Create or reuse a Resource Group (optional)

Windows 365 uses Resource Groups in Azure to store certain resources, such as virtual networking. When creating a provisioning policy for a Cloud PC you can select to use the Microsoft hosted network (cloud only) or use a previously created Azure network connection (ANC). If you choose the option to use your own network via an Azure network connection, that ANC needs to be in a Resource Group. To prepare for that, we'll create a new Resource Group in Azure. We need to run the following code:

# 4. Create or reuse a Resource Group (optional)
# Install Az.Resources and connect to Azure account
Install-Module Az.Resources -Force -AllowClobber
Connect-AzAccount
# Define resource group name and location
$resourceGroupName = "W365ResourceGroupviaGraph"
$location = "NorthEurope"
# Reuse the resource group if it already exists, otherwise create it
$resourceGroup = Get-AzResourceGroup -Name $resourceGroupName -ErrorAction SilentlyContinue
if ($resourceGroup) {
    Write-Host "Resource group '$resourceGroupName' already exists in location '$($resourceGroup.Location)', reusing it."
} else {
    New-AzResourceGroup -Name $resourceGroupName -Location $location
    Write-Host "Resource group '$resourceGroupName' created in location '$location'."
}

After running, it should prompt you for an account to use, and next it'll prompt you for which tenant and subscription to use. After that, it should create the resource group, which can be confirmed in Azure under Resource Groups.

Create or reuse a Virtual Network (optional)

Windows 365 in an Azure AD Join scenario can use a Microsoft Hosted Network to be completely cloud only, or can use Virtual Networks to allow your Cloud PCs to use specific network settings that you define.

Note: If you want your Azure AD Join based Windows 365 Cloud PCs to be cloud only you can skip this step.
To use your own network and provision Azure AD joined Cloud PCs, you must meet the following requirements:

• Azure virtual network: You must have a virtual network (vNet) in your Azure subscription in the same region as where the Windows 365 desktops are created.
• Network bandwidth: See Azure's network guidelines.
• A subnet within the vNet and available IP address space.

In your newly created Resource Group, click on Create and select Virtual Network. Here you can define the IP addresses to use if that's your preference.

# 5. Create or reuse a Virtual Network (optional)
# Install Az.Network and connect to Azure account
Install-Module Az.Network -Force -AllowClobber
Connect-AzAccount
# Define hardcoded values for resource group, location, virtual network, and subnet
$resourceGroupName = "W365ResourceGroupviaGraph"
$location = "NorthEurope"
$vnetName = "W365VirtualNetworkviaGraph"
$addressPrefix = "10.0.0.0/16"
$subnetName = "W365SubnetviaGraph"
$subnetPrefix = "10.0.1.0/24"
# Reuse the virtual network if it already exists, otherwise create it with its subnet
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue
if ($vnet) {
    Write-Host "Virtual network '$vnetName' already exists, reusing it."
} else {
    $subnetConfig = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix $subnetPrefix
    New-AzVirtualNetwork -ResourceGroupName $resourceGroupName -Location $location -Name $vnetName -AddressPrefix $addressPrefix -Subnet $subnetConfig
    Write-Host "Virtual network '$vnetName' and subnet '$subnetName' created successfully."
}

After running, it will prompt you which account to use and once again prompt you which tenant and subscription to use; pressing Enter will keep your previous choice. If everything went ok, your virtual network and subnet will be created successfully, and that virtual network will be in your chosen resource group in Azure.

Create an Azure network connection (optional)

Windows 365 in an Azure AD Join scenario can use a Microsoft Hosted Network to be completely cloud only, or can use an Azure network connection to allow your Cloud PCs to access your on-premises network resources.
Note: If you want your Azure AD Join based Windows 365 Cloud PCs to be cloud only you can skip this step.

The following code will create the ANC for you, using the details of the Resource Group, virtual network and subnet which were created in the previous code. Keep in mind that each tenant has a limit of 10 Azure network connections; if you need more than that you must contact Microsoft support.

# 6. Create an ANC
# Install required modules with -Force and -AllowClobber
Install-Module -Name Az.Accounts -Force -AllowClobber
Install-Module -Name Az.Resources -Force -AllowClobber
Install-Module -Name Az.Network -Force -AllowClobber
Install-Module -Name Microsoft.Graph.Beta.DeviceManagement.Administration -Force -AllowClobber
# Connect to Azure and Microsoft Graph accounts
# For permissions required see - https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.beta.devicemanagement.administration/new-mgbetadevicemanagementvirtualendpointonpremiseconnection?view=graph-powershell-beta
Connect-AzAccount
# Capture the subscription ID selected by the user
$subscription = (Get-AzContext).Subscription.Id
Write-Host "Using Subscription ID: $subscription"
Connect-MgGraph -NoWelcome -Scopes "CloudPC.ReadWrite.All"
Import-Module Microsoft.Graph.Beta.DeviceManagement.Administration
# Static variables (using values from previous examples)
$resourceGroupName = "W365ResourceGroupviaGraph"
$location = "NorthEurope"
$vnetName = "W365VirtualNetworkviaGraph"
$subnetName = "W365SubnetviaGraph"
$connectionName = "W365 North Europe EntraID via Graph" # Azure Network Connection name
# Get the Virtual Network and Subnet resource IDs
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $subnetName }
if (-not $subnet) { throw "Subnet '$subnetName' was not found in virtual network '$vnetName'." }
# Define parameters for ANC creation
$params = @{
    DisplayName      = $connectionName
    Type             = "azureADJoin"
    SubscriptionId   = $subscription
    ResourceGroupId  = "/subscriptions/$subscription/resourceGroups/$resourceGroupName"
    VirtualNetworkId = "/subscriptions/$subscription/resourceGroups/$resourceGroupName/providers/Microsoft.Network/virtualNetworks/$vnetName"
    SubnetId         = "/subscriptions/$subscription/resourceGroups/$resourceGroupName/providers/Microsoft.Network/virtualNetworks/$vnetName/subnets/$subnetName"
    scopeIds         = @("0")
}
# Create Azure Network Connection
$ancProfile = New-MgBetaDeviceManagementVirtualEndpointOnPremiseConnection -BodyParameter $params
# Monitor the creation process; the health checks start as pending and then run for a few minutes
do {
    Write-Output "Azure Network Connection is being created... Running checks, please wait."
    Start-Sleep -Seconds 60
    $policyState = Get-MgBetaDeviceManagementVirtualEndpointOnPremiseConnection -CloudPcOnPremisesConnectionId $ancProfile.Id
} while ($policyState.HealthCheckStatus -in "pending","running")
# Check the health status of the ANC
switch ($policyState.HealthCheckStatus) {
    "passed"  { Write-Output "The Azure Network Connection was created successfully." }
    "warning" { Write-Warning "The Azure Network Connection was created but the health checks reported warnings; review them in the Intune portal." }
    default   { throw "ANC creation failed (status: $($policyState.HealthCheckStatus)). Review errors at: https://endpoint.microsoft.com/#view/Microsoft_Azure_CloudPC/EditAzureConnectionWizardBlade/connectionId/$($policyState.Id)/tabIndexToActive~/0" }
}
Write-Host "Azure Network Connection '$connectionName' created successfully." -ForegroundColor Green

When executed, it'll once again prompt for a username before asking you to confirm the subscription. Next it'll probably launch a web browser asking you to log in, and once logged in you'll have to confirm the scoped permissions. This permission request (shown below) will only happen as needed. After it's got the permissions needed, it will check the health status every 60 seconds to see if it has completed.

Side note: while you are waiting for your ANC to be built, keep in mind that all of the PowerShell examples we are using here are coming via help from Graph X-Ray; here's an example of the Graph X-Ray snippet used for this section. And after some time, the ANC should be created successfully, as we can see here in Visual Studio Code.
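When the monitoring loop above ends in the throw, the summary status alone doesn't tell you which of the ANC health checks (DNS resolution, subnet availability, required endpoint connectivity and so on) failed. The following is an added example, not the guide's own code, that fetches the per-check details for the connection by name. It calls the beta REST endpoint through Invoke-MgGraphRequest because the healthCheckStatusDetails property is only returned when it is explicitly requested with $select; the property names inside it (healthChecks, displayName, status, errorType) are taken from the beta cloudPcOnPremisesConnection resource, and the connection name is the one used above.

```powershell
# Added example: list the individual health checks of an Azure network connection.
# Assumes a Graph session with at least CloudPC.Read.All (read-only is enough to inspect).
Connect-MgGraph -NoWelcome -Scopes "CloudPC.Read.All"

function Get-AncHealthReport {
    param([Parameter(Mandatory)][string]$DisplayName)

    $base = "https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/onPremisesConnections"

    # Look the connection up by display name (filter value URL-encoded; backtick keeps $filter literal)
    $filter = [uri]::EscapeDataString("displayName eq '$DisplayName'")
    $list   = Invoke-MgGraphRequest -Method GET -Uri ($base + "?`$filter=" + $filter)
    $anc    = $list.value | Select-Object -First 1
    if (-not $anc) { throw "No Azure network connection named '$DisplayName' was found." }

    # healthCheckStatusDetails is only returned when selected explicitly on the single-item GET
    $detail = Invoke-MgGraphRequest -Method GET -Uri ($base + "/" + $anc.id + "?`$select=id,displayName,healthCheckStatus,healthCheckStatusDetails")

    $checks = foreach ($c in $detail.healthCheckStatusDetails.healthChecks) {
        [pscustomobject]@{
            Check     = $c.displayName
            Status    = $c.status
            ErrorType = $c.errorType
        }
    }
    [pscustomobject]@{
        Id      = $detail.id
        Name    = $detail.displayName
        Overall = $detail.healthCheckStatus
        Checks  = $checks
    }
}

$report = Get-AncHealthReport -DisplayName "W365 North Europe EntraID via Graph"
Write-Host "ANC '$($report.Name)' overall status: $($report.Overall)"
$report.Checks | Format-Table -AutoSize

# Show only the checks that did not pass, so the cause of a failed/warning ANC is visible at a glance
$notPassed = $report.Checks | Where-Object { $_.Status -ne "passed" }
if ($notPassed) {
    Write-Host "Checks that did not pass:" -ForegroundColor Yellow
    $notPassed | Format-Table -AutoSize
}
```

The same function can be pasted into the default branch of the switch statement in the guide's script, so that a failed ANC prints the failing checks before throwing instead of only the portal URL.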
And it should appear in the Intune portal.

Create a provisioning policy

Next you need to create a provisioning policy. To create the provisioning policy using Graph we'll use the following script. This code will create the provisioning policy with the optional Azure Network Connection details added, so if you have used all the optional steps when executing the previous code then we recommend using this code to create a provisioning policy with an ANC.

# 7. Create a Cloud PC Provisioning Policy (with an ANC)
# Install required modules with -Force and -AllowClobber
Install-Module -Name Microsoft.Graph.Beta.DeviceManagement.Administration -Force -AllowClobber
Install-Module -Name Microsoft.Graph.Groups -Force -AllowClobber
Install-Module -Name Microsoft.Graph.Beta.DeviceManagement.Actions -Force -AllowClobber
# Connect to Microsoft Graph
Connect-MgGraph -NoWelcome -Scopes "CloudPC.ReadWrite.All","Group.ReadWrite.All"
# Static values for provisioning policy
$policyName = "W365 North Europe Entra ID W11 Via Graph"
$description = "Provisioning policy for W365 North Europe Entra ID W11 Via Graph"
$provisioningType = "dedicated" # Enterprise license (dedicated provisioning)
$ancName = "W365 North Europe EntraID via Graph" # ANC name
$imageName = "Windows 11 Enterprise + Microsoft 365 Apps 24H2" # Gallery image name
$groupName = "W365 North Europe AAD W11 users via Graph" # Group name
$selectedLanguageCode = "en-US" # Language set to en-US
# Query for the ANC ID based on the ANC name
$ancId = (Get-MgBetaDeviceManagementVirtualEndpointOnPremiseConnection -Filter "displayName eq '$ancName'").Id
# Query for the gallery image ID based on the image name
$imageId = (Get-MgBetaDeviceManagementVirtualEndpointGalleryImage -Filter "displayName eq '$imageName'").Id
# Query for the group ID based on the group name
$groupId = (Get-MgGroup -Filter "displayName eq '$groupName'").Id
# Stop early if any lookup came back empty, rather than creating a half-configured policy
if (-not $ancId)   { throw "ANC '$ancName' was not found." }
if (-not $imageId) { throw "Gallery image '$imageName' was not found." }
if (-not $groupId) { throw "Group '$groupName' was not found." }
# Define the body for the provisioning policy creation following the correct formatting
$params = @{
    "@odata.type" = "#microsoft.graph.cloudPcProvisioningPolicy"
    description = $description
    displayName = $policyName
    domainJoinConfigurations = @(
        @{
            onPremisesConnectionId = $ancId
            type = "azureADJoin"
        }
    )
    enableSingleSignOn = $false # Single Sign-On is disabled
    imageDisplayName = $imageName
    imageId = $imageId
    imageType = "gallery"
    windowsSettings = @{
        language = $selectedLanguageCode
    }
    provisioningType = $provisioningType
}
# Create the provisioning policy
$provisioningPolicy = New-MgBetaDeviceManagementVirtualEndpointProvisioningPolicy -BodyParameter $params
# Assign the provisioning policy to the group "W365 North Europe AAD W11 users via Graph"
$assignmentParams = @{
    assignments = @(
        @{
            target = @{
                groupId = $groupId # Group ID of "W365 North Europe AAD W11 users via Graph"
            }
        }
    )
}
# Assign the policy to the group (-ErrorAction Stop so that a failed call actually reaches the catch block)
try {
    Set-MgBetaDeviceManagementVirtualEndpointProvisioningPolicy -CloudPcProvisioningPolicyId $provisioningPolicy.Id -BodyParameter $assignmentParams -ErrorAction Stop
    Write-Host "Provisioning Policy '$policyName' created and assigned to group '$groupName' successfully." -ForegroundColor Green
} catch {
    Write-Host "Provisioning Policy '$policyName' failed to assign to group '$groupName': $($_.Exception.Message)" -ForegroundColor Red
}

Here you can see the successful creation of the policy in Intune with the Azure network connection that we specified.

If you are not doing the optional steps above and are going to use the Microsoft Hosted Network, then use the following code instead. Don't forget to adjust the variables as appropriate for your environment, e.g. $regionGroup.

# 7. Create a Cloud PC Provisioning Policy (Microsoft Hosted Network)
# Install required modules with -Force and -AllowClobber
Install-Module -Name Microsoft.Graph.Beta.DeviceManagement.Administration -Force -AllowClobber
Install-Module -Name Microsoft.Graph.Groups -Force -AllowClobber
Install-Module -Name Microsoft.Graph.Beta.DeviceManagement.Actions -Force -AllowClobber
# Connect to Microsoft Graph
Connect-MgGraph -NoWelcome -Scopes "CloudPC.ReadWrite.All","Group.ReadWrite.All"
# Static values for provisioning policy
$policyName = "W365 North Europe Entra ID W11 Via Graph"
$description = "Provisioning policy for W365 North Europe Entra ID W11 Via Graph"
$provisioningType = "dedicated" # Enterprise license (dedicated provisioning)
$regionGroup = "europeUnion"
$imageName = "Windows 11 Enterprise + Microsoft 365 Apps 24H2" # Gallery image name
$groupName = "W365 North Europe AAD W11 users via Graph" # Group name
$selectedLanguageCode = "en-US" # Language set to en-US
# Query for the gallery image ID based on the image name
$imageId = (Get-MgBetaDeviceManagementVirtualEndpointGalleryImage -Filter "displayName eq '$imageName'").Id
# Query for the group ID based on the group name
$groupId = (Get-MgGroup -Filter "displayName eq '$groupName'").Id
# Stop early if any lookup came back empty
if (-not $imageId) { throw "Gallery image '$imageName' was not found." }
if (-not $groupId) { throw "Group '$groupName' was not found." }
# Define the body for the provisioning policy creation following the correct formatting
$params = @{
    "@odata.type" = "#microsoft.graph.cloudPcProvisioningPolicy"
    description = $description
    displayName = $policyName
    domainJoinConfigurations = @(
        @{
            type = "azureADJoin"
            regionGroup = $regionGroup
            regionName = "automatic"
        }
    )
    enableSingleSignOn = $false # Single Sign-On is disabled
    imageDisplayName = $imageName
    imageId = $imageId
    imageType = "gallery"
    windowsSettings = @{
        language = $selectedLanguageCode
    }
    provisioningType = $provisioningType
}
# Create the provisioning policy
$provisioningPolicy = New-MgBetaDeviceManagementVirtualEndpointProvisioningPolicy -BodyParameter $params
# Assign the provisioning policy to the group "W365 North Europe AAD W11 users via Graph"
$assignmentParams = @{
    assignments = @(
        @{
            target = @{
                groupId = $groupId # Group ID of "W365 North Europe AAD W11 users via Graph"
            }
        }
    )
}
# Assign the policy to the group (-ErrorAction Stop so that a failed call actually reaches the catch block)
try {
    Set-MgBetaDeviceManagementVirtualEndpointProvisioningPolicy -CloudPcProvisioningPolicyId $provisioningPolicy.Id -BodyParameter $assignmentParams -ErrorAction Stop
    Write-Host "Provisioning Policy '$policyName' created and assigned to group '$groupName' successfully." -ForegroundColor Green
} catch {
    Write-Host "Provisioning Policy '$policyName' failed to assign to group '$groupName': $($_.Exception.Message)" -ForegroundColor Red
}

Here's the output. Job done! Your newly provisioned Cloud PC is now available to the targeted user(s).

Summary

Automating tasks for your Cloud PC users is doable with PowerShell and Microsoft Graph. Using the Graph X-Ray web browser extension and Copilot to assist with your scripts makes your job a whole lot easier, as now you can automate repetitive tasks instead of manually doing them in the various portals.
Hi All, we took receipt of a new Surface Laptop 7 to try from Microsoft, but for the life of me I can't get it to PXE boot (waiting for approval) or boot from a standalone stick (loops). I am assuming I need to put some additional drivers in from the Microsoft pack, but the extracted pack has some 174 folders...... Also our ADK is a couple of versions out of date, but within the version supported 'I think'. Anybody had any joy with these?
Migrate to the cloud - Part 1. Setup
anyweb replied to anyweb's topic in System Center Configuration Manager (Current Branch)
hi @RobsonM, thanks! This tool does not migrate any of the users' data, but... it also doesn't delete anything, so the users' data (files, apps etc) is still stored and hidden in their old profile located in C:\Users\<username.old>. If you really want to migrate their data then you'll need to customize the scripts and/or use a 3rd party tool for that. cheers niall
Hi Niall, hope you are doing well and thank you for the great stuff you put together 😉 I have a small question: would it be possible to migrate the data from the old profile to the new one created after the migration of the machine? I know all the data will be on OneDrive, but just in case users start to download all the data again and end up facing storage problems.
Introduction

In previous blog posts such as this one, I've shown you how to create http triggers within Function apps in Azure to do magic with Intune managed devices; however, in my examples, for brevity, I used secrets and pointed out that the more secure method is to use Azure Key Vault. In this blog post I'll show you how to set that up so that your triggers are more secure. But first, let's see how Microsoft describes Azure Key Vault and explains why it's important.

In this blog post the scenario we are going to use is basically how to replace previously created app registration secrets used within your http triggers with Azure Key Vault secrets.

Note: After spending a few days at MMS it was clear that there's an even better way of doing this, and that is to use managed identities (step 5 onwards in this post) instead of app registrations, which removes the need for expired secret renewals. I'll post an update as soon as I get a chance.

Step 1. Create or reuse a resource group

As we'll base this guide upon a previously created solution, we'll reuse our previously created resource group, but if you want you can go ahead and create a new one for this purpose. Resource groups are a way of grouping resources within Azure, and to protect secrets within that resource group you'll use Key Vault. Below I'm highlighting the previously created PC Buyback resource group which we will reuse in the next step.

Step 2. Create a key vault

Now that we have a resource group, let's go ahead and create our Key Vault. In https://portal.azure.com search for key vaults and select the service from the list of services displayed. Next, click on + Create to create a key vault. In the UI that appears, the first screen is dedicated to the Basics, or general information about your key vault. You'll need to select a valid Azure subscription and then select a previously created resource group (or create a new one). In this example we'll reuse the PC Buyback resource group.

You also need to assign the key vault a name, so give it something descriptive (you cannot use spaces). Next select the region where this will be used, which should match your resource group's region. Finally select the pricing tier; in my example Standard is fine, you'll only need Premium if you need HSM (Hardware Security Module) capabilities. For more info on the pricing plans see here. There are some additional options available relating to how long to keep key vaults after they are deleted, and the default settings are good enough for us here.

Click Next to see the Access Configuration screen. Here you can once again choose the defaults, as we'll be using RBAC (role based access control) in a later step.

Click Next to proceed to the Networking screen. In the Networking screen you have the option to use All networks to allow access from your PowerShell scripts and more, or, if you are in a locked down environment, you can select Selected networks, which may involve you setting up a virtual network with its own private endpoint connection. In this example however we'll use the All networks setting.

Note: These settings can be changed later in the key vault's Networking settings, and some of the settings may be disallowed by your own internal policy if an initiative such as "Public network access should be disabled for PaaS services" is enabled in your ARM policy.

Click Next through the Tags screen, then review and create your key vault. After the deployment is complete, select it to see the properties.

Step 3. Assign role permissions

In your newly completed key vault, click on the Secrets section highlighted below and take note of the permissions error. So even though I'm a Global Admin in Azure, I'm not authorized to view those secrets. To resolve this we need to click on Access control (IAM) and assign some roles.

You could simplify things and assign the Key Vault Administrator role to your chosen user or group, which would give you the access you need to create secrets, keys and certificates, but as we only care about secrets in this blog post we'll assign the following role:

Key Vault Secrets Officer

To assign this role, in Access control (IAM) click on + Add and select Add role assignment from the drop down. Next search for key vault in the search field and select Key Vault Secrets Officer from the list. Click Next, then click on + Select Members and browse to your chosen user. Finally click on Select and then Review and Assign. At this point you can select the Secrets option in your key vault's Objects node and no longer get permission errors. It will state that there are no secrets available, but we'll get to that shortly. Next select Key Vault Security User from the list and repeat as above (add role assignment).

Step 4. Create a key, secret or certificate

Now that you've configured your key vault, it's time to create your first resource; this can be a key, secret or certificate.

Note: As we are replacing previously created app registration secrets with Azure Key Vault secrets, we'll select that option for this blog post. Therefore, you'll need to know the secrets you previously created back in the PC Buyback tutorial, steps 7 and 8 here.

In the key vault's Secrets, click on + Generate/Import to start that process. Give the secret a suitable name and paste in the value from the previously created app registration secret. We can see that secret taken from a http trigger within my PC Buyback function app (the contents are blurred); paste that value into your key vault secret creation. You should also configure the activation and expiration date, and set the expiration date to one day before the actual secret expires to allow you time to create a new one. Below you can see the app registration secret's expiry details,
and that is reflected (minus 1 day) in the key vault secret creation. after creation, your secret is listed in the key vault. Step 5. Grant functionapp permissions to consume the key vault Next we'll grant permissions to our previously create functionapp to allow it to consume the key vault. To do that, open up the PC Buyback functionapp and click on the Settings drop down, select Identity and change the Status to On. After clicking Save you'll get the following message. Click Yes to proceed. After clicking Yes the results are displayed. Step 6. Grant the key vault permission Next open your key vault and browse again to Access control (IAM). In the role assignments click on Add and add the Key Vault Secrets User role. Click Next and select Managed identity, then in the wizard that appears select function app from the managed identity field and select your PC Buyback function app. once done, click Select and your PC Buyback function app is added. Don't forget to click on Review + Assign. Step 7. Configure function app environment variables Open up the previously created PC Buyback function app and expand Settings, select Environment variables and click on + Add, give it a suitable name such as var_pcbuybackappregistration. paste in the following string in the value line @Microsoft.KeyVault(VaultName=mykeyvault;SecretName=mysecret) edit the VaultName and SecretName values to match your environment... click on Apply when done. and click Apply again once the environment variable is added. At this point you'll need to confirm the change as it needs to restart the function app. Step 8. edit the http triggers Now you are finally ready to apply the key vault secret variable to your previously created http triggers, so let's do that. Select a trigger and review the contents, find the line that pointed to the Access Secret and replace the with the new environment variable, like so: $env:var_pcbuybackappregistration when $env:var... is your environment variable created above. 
Below is the result, and after saving the code and doing a Test/Run we can see it's working just fine using Azure Key Vault, Summary Using app registration secrets in your http triggers is a bad idea, use Azure key vault to protect those resources, this blog post helps you to to just that. See you in the next one !
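The portal clicks in Steps 2 to 7 can be reproduced as one Az PowerShell script, which also makes the two least-privilege decisions in the post explicit: the human operator gets Key Vault Secrets Officer, the function app's managed identity gets only Key Vault Secrets User, and the vault copy of the secret expires one day before the app registration secret. This is an added example and not code from the blog post or the PC Buyback project; the resource group, location, function app name, operator UPN and parameter names are placeholders, while the vault and secret names reuse the `mykeyvault`/`mysecret` values from the post's Key Vault reference. It assumes the Az.KeyVault, Az.Resources and Az.Functions modules and an account that can assign roles on the vault.

```powershell
# Added example (not from the blog post): scripted equivalent of Steps 2-7.
# Placeholder values are marked; the Key Vault reference format is the one from Step 7.
#Requires -Modules Az.KeyVault, Az.Resources, Az.Functions

param(
    [string]$ResourceGroup   = 'rg-pcbuyback',            # placeholder
    [string]$Location        = 'westeurope',              # placeholder, match your Resource Group region
    [string]$VaultName       = 'mykeyvault',              # name used in the post's example reference
    [string]$SecretName      = 'mysecret',                # name used in the post's example reference
    [string]$FunctionAppName = 'pcbuyback-functionapp',   # placeholder
    [string]$OperatorUpn     = 'admin@corp.example',      # placeholder: the human who manages secrets
    [string]$AppSettingName  = 'var_pcbuybackappregistration',
    [Parameter(Mandatory)][datetime]$AppRegSecretExpires  # expiry shown on the app registration secret
)

Connect-AzAccount | Out-Null

# Step 2: Standard tier, RBAC permission model (the default access configuration in the post).
$kv = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location `
        -Sku Standard -EnableRbacAuthorization

# Step 3: the operator manages secrets only, not keys or certificates.
New-AzRoleAssignment -SignInName $OperatorUpn -RoleDefinitionName 'Key Vault Secrets Officer' `
    -Scope $kv.ResourceId | Out-Null

# Step 4: read the app registration secret interactively so it never lands in shell history
# or a script file; expire the vault copy one day before the real secret, as in the post.
$secretValue = Read-Host -Prompt 'Paste the app registration client secret' -AsSecureString
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secretValue `
    -NotBefore (Get-Date) -Expires $AppRegSecretExpires.AddDays(-1) | Out-Null

# Step 5: turn on the system-assigned managed identity of the function app.
Update-AzFunctionApp -Name $FunctionAppName -ResourceGroupName $ResourceGroup `
    -IdentityType SystemAssigned -Force
$app = Get-AzFunctionApp -Name $FunctionAppName -ResourceGroupName $ResourceGroup

# Step 6: the identity may only read secret values (no list, write or delete).
New-AzRoleAssignment -ObjectId $app.IdentityPrincipalId -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope $kv.ResourceId | Out-Null

# Step 7: the app setting holds a Key Vault reference, never the secret itself.
$reference = "@Microsoft.KeyVault(VaultName=$VaultName;SecretName=$SecretName)"
Update-AzFunctionAppSetting -Name $FunctionAppName -ResourceGroupName $ResourceGroup `
    -AppSetting @{ $AppSettingName = $reference } | Out-Null

Write-Host "Vault '$VaultName' configured; app setting '$AppSettingName' = $reference"
```

Run it as `.\Setup-PcBuybackVault.ps1 -AppRegSecretExpires '2025-06-30'` with the real expiry from the app registration. Role assignments can take a few minutes to propagate, so if the function app still reports an unresolved reference immediately afterwards, wait and restart it rather than widening the role.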
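On the consuming side, the failure mode worth handling in the http trigger is a Key Vault reference that did not resolve: when App Service cannot fetch the secret (identity not enabled, the Key Vault Secrets User role missing, vault firewall, or an expired secret), the app setting keeps the literal `@Microsoft.KeyVault(...)` text, and a trigger that uses `$env:var_pcbuybackappregistration` blindly would send that string as a client secret. This is an added example of a PowerShell Azure Functions `run.ps1` that checks for that case and fails closed; it is not the PC Buyback project's trigger code, and the helper name `Get-ResolvedAppSecret` is an assumption. Only the environment variable name comes from Step 7.

```powershell
# Added example (not from the blog post): HTTP trigger that consumes the Step 7 app setting
# and refuses to run with an unresolved Key Vault reference. Helper name is hypothetical.
using namespace System.Net

param($Request, $TriggerMetadata)

function Get-ResolvedAppSecret {
    param([Parameter(Mandatory)][string]$SettingName)

    $value = [Environment]::GetEnvironmentVariable($SettingName)

    if ([string]::IsNullOrWhiteSpace($value)) {
        throw "App setting '$SettingName' is missing; check the function app environment variables."
    }
    # App Service leaves the raw reference text in place when it cannot resolve the secret,
    # so the presence of the reference prefix at runtime means the vault lookup failed.
    if ($value -like '@Microsoft.KeyVault(*') {
        $hint = 'verify the managed identity is enabled and holds Key Vault Secrets User on the vault'
        throw "App setting '$SettingName' is an unresolved Key Vault reference; $hint."
    }
    return $value
}

try {
    # Replaces the hard-coded Access Secret line the post refers to in Step 8.
    $clientSecret = Get-ResolvedAppSecret -SettingName 'var_pcbuybackappregistration'

    # $clientSecret is used for the client-credentials token request exactly as before.
    # It is never written to the log or returned in the response body.
    $body   = @{ status = 'ok' } | ConvertTo-Json
    $status = [HttpStatusCode]::OK
}
catch {
    # Write-Warning keeps the message in the invocation log without leaking any secret.
    Write-Warning $_.Exception.Message
    $body   = @{ status = 'configuration error' } | ConvertTo-Json
    $status = [HttpStatusCode]::InternalServerError
}

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $status
    Body       = $body
})
```

A 500 with "configuration error" from the Test/Run in the portal points straight at the identity or role assignment from Steps 5 and 6, which is easier to diagnose than an authentication failure from Microsoft Graph caused by a literal reference string being sent as the secret.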
-
Invalid namespace in WMI, I would do a manual uninstall of the CCM client, and do a software updates reset using WURESET ("should be on GitHub", "Manuel Gil" I believe). After WURESET, reboot, reinstall the client, and view logs while it installs. Keep a copy of CMTrace on your desktop before deleting the CCM client.
-
I have followed all steps, but when the script runs it keeps saying: "Precentage Encrypted 0%." and the Autopilot will timeout. This is on a Microsoft Surface device (Surface Laptop 5). Also I tried to run the PowerShell command Clear-Tpm at the beginning of the script but it didn't make any difference. Great job btw, thanks for all your work!
-
Hi, can anyone help here? I have tried with this command to install locally: .\ccmsetup.exe /AllowMetered /MP:XXX SMSSITECODE=XX The installation starts but then performs a rollback. Now I see that the computer shows a green tick but inactive, however ping and c$ do work from the server. Please find the log attached: ccmsetup-20241010-153416.log
-
Hi, did anyone solve this? Getting the same error after migrating to new hardware (new hardware created with the same hostname and IP address).
-
Bumping back up as I'm trying this again. Imaged fresh computers and am no longer receiving that error pop up saying BitLocker could not be enabled. It's all silent now... so I've got that going for me. I am however still getting the BitLocker "unable to connect to the MBAM recovery and hardware service" under Microsoft Windows > MBAM / Admin in Event Viewer. Anyone else got any ideas? HTTPS is enabled and the cert is bound on the IIS site on the MP.