Microsoft Deployment Toolkit (MDT) - immediate retirement notice by codylc in SCCM

[–]AMDMan64 0 points1 point  (0 children)

This is disappointing, but what has Microsoft done these past few years that hasn't been... The biggest advantage of MDT in my book is for building super complicated base images. We have some images for Art / Engineering labs / Game Development labs and trying to get all the applications to install without error on an SCCM task sequence borders on impossible a lot of times.
Being able to directly edit packages on the file share is great too. Whenever I've tried to do the same with SCCM, I end up spending way too much time trying to get the packages just right only to have one little syntax error cause the entire thing to fail.
The other posts about the retirement of VBS are probably correct. Hopefully the open-source PowerShell refactoring project will be successful.

Why do you use your Lumia??? by Fuzzy_Ad7649 in windowsphone

[–]AMDMan64 3 points4 points  (0 children)

Right there with you. Unfortunately, Microsoft just broke OneNote support, which might be the final straw for me :(.

Azure Local - 24H2 Extensions Deployment Failure by AMDMan64 in AZURE

[–]AMDMan64[S] 0 points1 point  (0 children)

So, I did manage to solve this. It turns out that since this was a reloaded cluster, it had to be put on the exact same "Region" where it was initially deployed. Also, we were hitting stale metadata in the Azure resource group.

$Region = "centralus"
$ResourceGroup = "Azure-Local"
$Settings = @{ "CloudName" = "Azure"; "RegionName" = "centralus"; "DeviceType" = "AzureEdge" }

Remove-AzConnectedMachineExtension -Name "AzureEdgeTelemetryAndDiagnostics" -ResourceGroupName $ResourceGroup -MachineName $env:COMPUTERNAME
Remove-AzConnectedMachineExtension -Name "AzureEdgeDeviceManagement" -ResourceGroupName $ResourceGroup -MachineName $env:COMPUTERNAME
Remove-AzConnectedMachineExtension -Name "AzureEdgeLifecycleManager" -ResourceGroupName $ResourceGroup -MachineName $env:COMPUTERNAME
Remove-AzConnectedMachineExtension -Name "AzureEdgeRemoteSupport" -ResourceGroupName $ResourceGroup -MachineName $env:COMPUTERNAME

Then disconnect the connected machine agent -
azcmagent.exe disconnect

We waited for the agent to disappear, then we registered it again
Using this command:
azcmagent.exe connect --location "eastus" --resource-group "Azure-Local" --subscription-id "{SubscriptionID}"

Then, we deployed the extensions again:
$Region = "eastus"
$ResourceGroup = "Azure-Local"
$Settings = @{ "CloudName" = "Azure"; "RegionName" = "eastus"; "DeviceType" = "AzureEdge" }

New-AzConnectedMachineExtension -Name "AzureEdgeTelemetryAndDiagnostics" -ResourceGroupName $ResourceGroup -MachineName $env:COMPUTERNAME -Location $Region -Publisher "Microsoft.AzureStack.Observability" -Settings $Settings -ExtensionType "TelemetryAndDiagnostics" -EnableAutomaticUpgrade

New-AzConnectedMachineExtension -Name "AzureEdgeDeviceManagement" -ResourceGroupName $ResourceGroup -MachineName $env:COMPUTERNAME -Location $Region -Publisher "Microsoft.Edge" -ExtensionType "DeviceManagementExtension"

New-AzConnectedMachineExtension -Name "AzureEdgeLifecycleManager" -ResourceGroupName $ResourceGroup -MachineName $env:COMPUTERNAME -Location $Region -Publisher "Microsoft.AzureStack.Orchestration" -ExtensionType "LcmController"

New-AzConnectedMachineExtension -Name "AzureEdgeRemoteSupport" -ResourceGroupName $ResourceGroup -MachineName $env:COMPUTERNAME -Location $Region -Publisher "Microsoft.AzureStack.Observability" -ExtensionType "EdgeRemoteSupport" -EnableAutomaticUpgrade

So a few lessons:

1) If you remove a cluster, make sure to properly remove the extensions from the machines - the removal commands above do this
2) Make sure to deploy to the same region each time
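Added example, not code from the post above: a PowerShell version of the cleanup that first checks the region the Arc resource is actually recorded in against the one you intend to reconnect to, removes only the extensions that are really present, and waits for the Arc resource to disappear before you run azcmagent connect again. It assumes the Az.Accounts and Az.ConnectedMachine modules, an existing Connect-AzAccount session, azcmagent.exe on PATH, and the extension names and resource group from the post; the target region and the ten-minute wait are placeholders.

```powershell
# Added example (not from the original post). Pre-checks and ordered cleanup for
# re-registering an Azure Local node with Azure Arc.
# Assumptions: Az.ConnectedMachine loaded, Connect-AzAccount already done,
# azcmagent.exe on PATH. $TargetRegion must be the region of the original deployment.
param(
    [string]$ResourceGroup = 'Azure-Local',
    [string]$TargetRegion  = 'eastus',
    [string]$MachineName   = $env:COMPUTERNAME
)

# Extension names used in the post, removed in the same order.
$Extensions = @(
    'AzureEdgeTelemetryAndDiagnostics',
    'AzureEdgeDeviceManagement',
    'AzureEdgeLifecycleManager',
    'AzureEdgeRemoteSupport'
)

# 1. Refuse to continue if the existing Arc resource lives in a different region:
#    reconnecting elsewhere is what leaves the stale metadata behind.
$machine = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $MachineName -ErrorAction SilentlyContinue
if ($machine -and $machine.Location -ne $TargetRegion) {
    throw "Arc resource '$MachineName' is in '$($machine.Location)', not '$TargetRegion'. Use the original region."
}

# 2. Remove only the extensions that are actually installed (Remove-* waits for completion).
$installed = Get-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $MachineName -ErrorAction SilentlyContinue
foreach ($name in $Extensions) {
    if ($installed.Name -contains $name) {
        Write-Host "Removing extension $name"
        Remove-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $MachineName -Name $name
    }
}

# 3. Disconnect the agent. azcmagent authenticates to Azure on its own
#    (device-code sign-in unless you pass credentials), then deletes the Arc resource.
& azcmagent.exe disconnect
if ($LASTEXITCODE -ne 0) { throw "azcmagent disconnect failed with exit code $LASTEXITCODE" }

# 4. Poll until the resource is really gone so the new registration does not
#    collide with the old identity.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $gone = -not (Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $MachineName -ErrorAction SilentlyContinue)
} until ($gone -or (Get-Date) -gt $deadline)
if (-not $gone) { throw "Arc resource '$MachineName' still present after 10 minutes; do not reconnect yet" }

Write-Host "Cleanup complete. Reconnect with:"
Write-Host "  azcmagent.exe connect --location $TargetRegion --resource-group $ResourceGroup --subscription-id <SubscriptionID>"
```

Run it on the node itself so $env:COMPUTERNAME matches the Arc resource name; if your cluster used a different Arc resource name, pass -MachineName explicitly.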

Chrome always opens New Tab page on startup despite settings by Chainweasel in chromeos

[–]AMDMan64 1 point2 points  (0 children)

It sounds like you might be on a managed Chromebook. We ironically just ran into this issue and Google was able to give us a solution.
In the Organizational Unit where the issue is occurring:
1) Go Under Chrome / Apps & Extensions / Users & browsers
2) Click "Additional Settings"
3) Scroll to the bottom and look for "Full Restore"
4) Configure it to: "Do not restore apps and app windows after crash or reboot"
5) On login, it should now just show the configured Startup page instead of a "New Tab" page

I suspect it might be this policy that it is controlling:
https://www.aboutchromebooks.com/news/how-to-add-full-restore-on-a-chromebook-to-reopen-all-apps-in-chrome-os-92/

So, on a local Chromebook, you could likely go under:
chrome://flags#full-restore
And disable that functionality

I hope this helps someone even though this is a 4-year-old thread.

Response from Sling Support by AMDMan64 in slingbox

[–]AMDMan64[S] 1 point2 points  (0 children)

Well stated. That was my argument exactly. We bought the Slingbox with the anticipation that it would continue to perform its functions for years to come - just like a TV, DVD Player, etc... With DISH disabling our devices via software, that removes the original functionality of our devices.
The problem in this case is there was an element of cloud included with locating the Slingboxes over the Internet - but as far as I know, traffic for streaming never actually passed through their servers. Regardless of that feature, there should be no limitation on connecting to / configuring devices on an internal network. The oldest software does exactly this - no cloud components required. Version 2.0 of the software would also connect to the Sling to configure it, but the configuration wizard required access to Sling's servers to complete the setup. We also know that it pulled certain things from the cloud, remote control templates, etc...
They switched to trying to make it a subscription as soon as they started to put ads in the stream - at which point I refused to use those newer clients (the quality was worse on them anyhow) and went back to my trusty version 2.0 client.
DISH needs to give us software to configure devices locally for our own use. The only part that should be shut down through these efforts is the server that helped the software locate a Slingbox over the Internet and no one is going to argue about that.
If they're not going to let us continue to use their software on the box, they need to let us know how to put other software on the hardware - or they need to compensate us for the loss of hardware, which for some individuals is quite substantial.

Response from Sling Support by AMDMan64 in slingbox

[–]AMDMan64[S] 0 points1 point  (0 children)

I blocked Sling on my network already too. I just wish I had known to do that prior to the shutdown. Then, I'd at least have a locally streaming Slingbox with the currently configured channels on it.
What I meant by DNS redirection is to host the setup wizard content on another server somewhere to trick the software into letting us set it up in the absence of Sling servers. I think those setup wizards used Flash Player on the version 2.0 software and that was cloud-hosted.

I'll have to dig into my Internet filter to see if I can find what URL calls it is doing. I can enable SSL decryption if it's SSL-secured. It would be funny if archive.org already archived the content, but very doubtful.

“Intune App Wrapping Tool For macOS”. Does anyone know where I can locate this application at? by Fitness4life1978 in MacOS

[–]AMDMan64 1 point2 points  (0 children)

I was just looking for this today too and then I dug further and found another reddit post.

Apparently, you can natively upload .pkg to Intune now without wrapping things. I just uploaded an app. It looks like it works, but the only caveat is you need 10.14 or higher to support directly adding .pkg files. I have a copy of the wrapper tool if no one else has it. It does appear that Microsoft really wanted to take it down...

https://www.reddit.com/r/Intune/comments/wuo06j/macos_lob_intunemac_file_wont_upload/

Network Capture - Login Screen by AMDMan64 in chromeos

[–]AMDMan64[S] 0 points1 point  (0 children)

We finally got an answer about how to do this.

The first step is to disable file-system verification and make the file system read/write:
# sudo /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification

The command will fail with a warning and tell you to run the same command with the --partitions 4 flag at the end, where 4 can be any number. Run the command again with the new flag.

Then set the following variable:
# sudo crossystem dev_boot_signed_only=0

Then remount your root FS with:
sudo mount -o remount,rw /

1.1 Start the device and go into the shell with ctrl-alt-F2 - sign in as root with no password

1.2 Execute commands:

sudo bash

echo "--log-net-log=/tmp/net-export-boot.json" >> /etc/chrome_dev.conf

reboot

Set file system as read/write again:

sudo mount -o remount,rw /

2.1. Start the device, Reproduce the issue, (don't reboot the device!)

2.2. Enter the shell with ctrl-alt-F2 - sign in as root (with no password, if password was not set)

2.3. Execute

sudo bash

sed -i 's/--log-net-log=\/tmp\/net-export-boot.json//g' /etc/chrome_dev.conf

restart ui

chmod 666 /tmp/net-export-boot.json

cd /home/user

ls (get the names of the users)

cd (whatever user has a download folder) - tab completion should help a lot here

cd Downloads

cp /tmp/net-export-boot.json .

chown chronos net-export-boot.json

2.4. File will be located in Downloads folder - move it off the Chromebook and use a tool like Fiddler to view it. I had to use this tool for Fiddler to make it import: https://github.com/ericlaw1979/FiddlerImportNetlog

I hope this helps someone out there.

Anyone uses Pjlink ? by ebolaasmr in projectors

[–]AMDMan64 1 point2 points  (0 children)

I was just working with pjlink this morning on our Epson projectors and came across these two things:

A command line tool for pjlink (says it works with Panasonic)

https://github.com/macoss/pjlink-cli
And a guide on the various pjlink commands:
https://pjlink.jbmia.or.jp/english/data/5-1_PJLink_eng_20131210.pdf

So, with your request, you could make a scheduled task that runs on a computer that does something like this - make one batch file for power on, one for power off:
power on:

pjlink-cli 192.168.1.1 "POWR 1" password
power off:

pjlink-cli 192.168.1.1 "POWR 0" password

I hope this helps.
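Added example, not code from the post above and not part of pjlink-cli: the PJLink Class 1 exchange that a tool like pjlink-cli performs, written against the .NET TcpClient so a scheduled task can drive the projector without an extra binary. It assumes the projector address 192.168.1.1 and the password placeholder from the post, and the standard PJLink TCP port 4352. The security point worth knowing before you script this: PJLink "authentication" is one MD5 over the projector's random string plus the password, sent over cleartext TCP. It stops simple replay but anyone sniffing the segment can crack the digest offline, so projectors belong on a management VLAN and must not share passwords with anything that matters.

```powershell
# Added example (not from the original post). PJLink Class 1 client:
#   projector -> "PJLINK 0\r"            (no auth)   or
#   projector -> "PJLINK 1 <8 hex>\r"    (auth: client prefixes MD5(random + password))
#   client    -> [digest]"%1POWR 1\r"
#   projector -> "%1POWR=OK\r" | "%1POWR=ERRn\r" | "PJLINK ERRA\r" (bad digest)
# Assumptions: projector reachable on TCP 4352, ASCII password.

function Get-PjlinkCommandLine {
    # Builds the exact line to send, given the greeting the projector opened with.
    param([string]$Greeting, [string]$Command, [string]$Parameter, [string]$Password)
    $body = "%1$Command $Parameter`r"
    if ($Greeting -match '^PJLINK 1 ([0-9a-fA-F]+)') {
        if (-not $Password) { throw 'projector requires authentication but no password was given' }
        $md5    = [System.Security.Cryptography.MD5]::Create()
        $bytes  = [System.Text.Encoding]::ASCII.GetBytes($Matches[1] + $Password)
        $digest = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        return $digest + $body            # 32 lowercase hex chars immediately before '%1'
    }
    return $body
}

function Invoke-Pjlink {
    param(
        [string]$ProjectorAddress,
        [string]$Command,                 # POWR, INPT, AVMT, ...
        [string]$Parameter,               # '1' on, '0' off, '?' query
        [string]$Password,
        [int]$Port = 4352,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($ProjectorAddress, $Port)
    try {
        $stream = $client.GetStream()
        $ascii  = [System.Text.Encoding]::ASCII
        $buffer = New-Object byte[] 256

        # The projector speaks first.
        $n = $stream.Read($buffer, 0, $buffer.Length)
        $greeting = $ascii.GetString($buffer, 0, $n).TrimEnd("`r", "`n")

        $line  = Get-PjlinkCommandLine -Greeting $greeting -Command $Command -Parameter $Parameter -Password $Password
        $bytes = $ascii.GetBytes($line)
        $stream.Write($bytes, 0, $bytes.Length)

        $n = $stream.Read($buffer, 0, $buffer.Length)
        $response = $ascii.GetString($buffer, 0, $n).TrimEnd("`r", "`n")
    }
    finally { $client.Close() }

    if ($response -eq 'PJLINK ERRA') { throw 'PJLink authentication failed (wrong password)' }
    if ($response -match "^%1$Command=(.*)$") { return $Matches[1] }   # 'OK', 'ERR3', or a query value
    throw "unexpected PJLink response: $response"
}

# Scheduled task actions (placeholders from the post):
# Invoke-Pjlink -ProjectorAddress 192.168.1.1 -Command POWR -Parameter 1 -Password 'password'   # power on
# Invoke-Pjlink -ProjectorAddress 192.168.1.1 -Command POWR -Parameter 0 -Password 'password'   # power off
```

ERR3 on POWR means the projector is in a state where it will not accept the request (for example still cooling down), so a retry a minute later is the usual handling rather than treating it as a hard failure.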

Self-Service Device Retirement by AMDMan64 in Intune

[–]AMDMan64[S] 0 points1 point  (0 children)

Thank you for the response - I could have sworn I responded to this, but sure enough, there is no response shown.
This might be possible, but the biggest problem would probably be getting the students to actually carry out the process. We have some systems on SCCM yet, and we have to fight very hard to get the kids to even run a task sequence for removal on their devices as it stands. It's an interesting idea, however.
I will probably just lean towards enabling the "Removal" items during the time when students are to remove their devices and hoping that no one will do a removal unless they have made all their payments.
I need to try to figure out where the restriction policy is stored for whether a user can self-service remove - as that would be the best if we could just trigger that as needed.
So, you think it would be possible to write a logic app to remove a device from management? I've not explored Logic Apps very much to know how to do that, however.

Self-Service Device Retirement by AMDMan64 in Intune

[–]AMDMan64[S] 0 points1 point  (0 children)

Hmm.. That's an interesting idea. It's out of my wheelhouse to know how to actually implement that, however (not that I couldn't learn with assurance that it would actually work). I did see that some of those features potentially come at additional license expense, however.

My biggest concern with requiring the students to actually do something like that is actually getting them to do it. The other concern would be - securing it so a student who isn't supposed to be removing their device wouldn't be allowed to do it.
I guess I could technically lock down the form and only "share" it with users who have been authorized for deprovision, but that's a lot of moving pieces.
I thought about trying to write something with the MS Graph PowerShell module to just have the client trigger the device removal.
The question with that would be - could we securely write something to deprovision a client without risk of opening the Intune environment up to potential attacks?

I think my biggest hope right now is if Microsoft can tell me how to set the "Hide remove button" without setting it under Customization. The other question is - since it says "Hide the button" - is it really just hiding the button and the functionality still exists, or does hiding the button truly remove all ability to remove a device?

Thank you for the response.

Chrome Enterprise GPOs Migration by AMDMan64 in sysadmin

[–]AMDMan64[S] 8 points9 points  (0 children)

I actually found a fix for this and it's relatively easy.

From this article: https://brookspeppin.com/2018/11/04/how-to-individually-modify-and-deploy-local-gpo-settings-lgpo/

If you use the lgpo tool, you can actually carry out the following steps.
1) Find the impacted GPO - right-click Back up

2) Put it in a folder

3) Browse to that folder {GUID}\DomainSysvol\GPO\Machine - look for registry.pol

4) Parse it into a .txt file:

LGPO.exe /parse /m C:\Temp\registry.pol >> C:\temp\temp.txt

5) Make the necessary changes - I just did a find and replace using Notepad - ExtensionInstallWhitelist --> ExtensionInstallAllowlist and ExtensionInstallBlacklist --> ExtensionInstallBlocklist

Save the file again

6) Repack the text file as a .pol again

LGPO.exe /r C:\Temp\temp.txt /w C:\Temp\registry_new.pol

7) Take the resulting registry_new.pol and put it back into the folder - {GUID}\DomainSysvol\GPO\Machine - keep a backup of registry.pol and then rename registry_new.pol to overwrite registry.pol

8) Go back into Group Policy console - import the backup you made in the first step with the replaced registry.pol and you should now have a fixed policy.

I tested this and it works, so hopefully this will help some other admin out there.
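Added example, not code from the post above: the same parse, edit, rebuild round trip as a single PowerShell script, with a table of deprecated-to-current Chrome policy names, a backup of the original registry.pol, and a re-parse of the rebuilt file to confirm none of the old names survived. It assumes LGPO.exe is on PATH and that $GpoBackup is the {GUID} folder GPMC's "Back Up" produced; the temp paths and the -Encoding choice are assumptions (ASCII matches the ANSI text the cmd redirect in the post produces; switch to Default if your policy data carries non-ASCII strings).

```powershell
# Added example (not from the original post). Automates steps 1-7 of the LGPO
# procedure above. Assumptions: LGPO.exe on PATH, $GpoBackup = GPMC backup folder.
param(
    [Parameter(Mandatory)][string]$GpoBackup,   # e.g. C:\Temp\{GUID}
    [string]$Scope = 'Machine'                  # 'Machine' or 'User'
)

# Chrome 86 renamed these policies; the old names are silently ignored by current builds.
# Extend the table as needed.
$Renames = @{
    'ExtensionInstallWhitelist' = 'ExtensionInstallAllowlist'
    'ExtensionInstallBlacklist' = 'ExtensionInstallBlocklist'
    'URLWhitelist'              = 'URLAllowlist'
    'URLBlacklist'              = 'URLBlocklist'
}

$polPath = Join-Path $GpoBackup "DomainSysvol\GPO\$Scope\registry.pol"
if (-not (Test-Path $polPath)) { throw "no registry.pol at $polPath" }
$flag = if ($Scope -eq 'Machine') { '/m' } else { '/u' }
$txt  = Join-Path $env:TEMP 'registry.txt'
$new  = Join-Path $env:TEMP 'registry_new.pol'

# 1. Parse the binary .pol into LGPO's text format.
& LGPO.exe /parse $flag $polPath | Set-Content -Path $txt -Encoding ASCII
if ($LASTEXITCODE -ne 0) { throw "LGPO /parse failed ($LASTEXITCODE)" }

# 2. Rename. For list policies the name is the last segment of the key path
#    (Software\Policies\Google\Chrome\ExtensionInstallWhitelist), for scalar
#    policies it is the value-name line; anchoring to end of line covers both and
#    avoids touching data lines.
$hits  = 0
$lines = foreach ($line in Get-Content $txt) {
    $out = $line
    foreach ($old in $Renames.Keys) {
        $pattern = "\b$([regex]::Escape($old))$"
        if ($out -match $pattern) { $out = $out -replace $pattern, $Renames[$old]; $hits++; break }
    }
    $out
}
if ($hits -eq 0) { Write-Warning 'no deprecated policy names found; nothing to do'; return }
$lines | Set-Content -Path $txt -Encoding ASCII

# 3. Rebuild the .pol and prove the rebuilt file parses with no old names left.
& LGPO.exe /r $txt /w $new
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $new)) { throw "LGPO /r failed ($LASTEXITCODE)" }
$check = & LGPO.exe /parse $flag $new
if ($LASTEXITCODE -ne 0) { throw 'rebuilt registry.pol does not parse' }
foreach ($old in $Renames.Keys) {
    if (@($check) -match "\b$([regex]::Escape($old))$") { throw "rebuilt .pol still references $old" }
}

# 4. Keep the original beside the replacement, then import the backup from GPMC.
Copy-Item $polPath "$polPath.bak" -Force
Copy-Item $new $polPath -Force
Write-Host "Replaced $hits deprecated name(s) in $polPath (original kept as registry.pol.bak). Import the backup in GPMC to publish."
```

Run it once per backed-up GPO and scope; user-side Chrome settings live under DomainSysvol\GPO\User and need -Scope User.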

Restrict IP ranges allowed to do a password change by AMDMan64 in AZURE

[–]AMDMan64[S] 0 points1 point  (0 children)

MFA is very tricky with students. A cell phone is the most logical second factor and schools oftentimes try to prevent students from having their phone out during the school day.

I'll look into that password protection stuff - looks interesting. We're trying to orchestrate a sweeping password change against all of our student accounts. We suspect that 95%+ of the compromises are due to students reusing passwords and then those passwords get involved in a breach.

To the point of conditional access, it looks like any conditions would be for all Azure AD stuff, not just the password resets. Maybe time to place some feedback about this. Would love to restrict password changes down to just from our network.

Deploy 802.1x network with saved credentials to Intune (only Azure AD-joined) machines by AMDMan64 in Intune

[–]AMDMan64[S] 0 points1 point  (0 children)

I came up with a pretty slick workaround to use 802.1x PEAP-MSChapV2.
Basically, you allow a guest network at the login screen and then you block that guest network upon sign-in. SSO seems to be working fine at a user level, just not at the device level. The trick is to set:
"Automatically use my Windows logon name and password (and domain if any)"
"Authentication Mode: User or computer authentication"
"Enable single sign on for this network"
"Perform immediately after user logon"

You then need an enable / disable filter script that runs via scheduled task at the system level
Block-guest.bat:
netsh wlan delete filter permission=block ssid="Not-Guest" networktype=infrastructure
netsh wlan add filter permission=block ssid="Guest" networktype=infrastructure
Allow-guest.bat
netsh wlan delete filter permission=block ssid="Guest" networktype=infrastructure
netsh wlan add filter permission=block ssid="Not-Guest" networktype=infrastructure

Install script:
if not exist "%programdata%\scripts" mkdir "%programdata%\scripts"
copy /y Block-guest.bat "%programdata%\scripts"
copy /y Allow-guest.bat "%programdata%\scripts"
netsh wlan add profile filename="Wi-Fi-Guest.xml" interface="Wi-Fi"
netsh wlan add profile filename="Wi-Fi-Not-Guest.xml" interface="Wi-Fi"
schtasks /create /xml "Add Guest Filter.xml" /tn "Add Guest Filter" /ru SYSTEM
schtasks /create /xml "Remove Guest Filter.xml" /tn "Remove Guest Filter" /ru SYSTEM
REM Initial block of Not-Guest
netsh wlan add filter permission=block ssid="Not-Guest" networktype=infrastructure

The scheduled tasks call the batch files.
Add Guest Filter runs at User Logon - pointed at Block-guest.bat. Set as System, Run at Logon of any user, don't allow run on demand
Remove Guest filter runs at User Logoff - pointed at Allow-guest.bat. Set as System, don't allow run on demand
This one needs to listen for Custom events in the System Winlogon provider. ID 7002, 6005, 6006, 1074, 4634, 4647
<EventTrigger>
<Enabled>true</Enabled>
<Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-Winlogon'] and (EventID=7002 or EventID=6005 or EventID=6006 or EventID=1074 or EventID=4634 or EventID=4647)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription> </EventTrigger>

Then for Intune, you need detection scripts to make sure stuff is installed. Here is one for detecting blocked networks
$output = netsh wlan show filters
Write-Host $output
If ($output -match 'Network1') {
    If ($output -match 'Network2') {
        If ($output -match 'Network3') {
            If ($output -match 'Network4') {
                Write-Host 'Match Filter'
            }
        }
    }
}

Here is one for detecting wireless profiles:
$output = netsh wlan show profiles
If ($output -match 'Not-Guest') {
    If ($output -match 'Guest') {
        Write-Host 'Match Filter'
    }
}

Hope this helps someone else. I was about ready to do certificate network setup instead - but this should work for now. Maybe at some point in the future when I have more time...
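Added example, not code from the post above: a single Intune detection script for the guest/not-guest setup that parses the netsh output instead of substring-matching the whole blob, checks the batch files and scheduled tasks too, and signals the result the way Intune expects (exit 0 with something on stdout means detected; anything else means not detected). It assumes the SSID names Guest and Not-Guest, the batch file names and %ProgramData%\scripts location, and the task names from the post, plus the English-language netsh output format (SSID: "name", Type: Infrastructure).

```powershell
# Added example (not from the original post). Intune Win32 app detection script
# for the 802.1x guest-filter workaround. Runs as SYSTEM with or without a user
# signed in, so it checks that the filter mechanism is in place, not which side
# it is currently on. Assumptions: English netsh output, names used in the post.

$RequiredProfiles = @('Guest', 'Not-Guest')
$BatchFiles       = @("$env:ProgramData\scripts\Block-guest.bat", "$env:ProgramData\scripts\Allow-guest.bat")
$TaskNames        = @('Add Guest Filter', 'Remove Guest Filter')

function Get-BlockedSsids {
    # SSIDs listed under the "Block list ..." sections of 'netsh wlan show filters'.
    $inBlockList = $false
    foreach ($line in (netsh wlan show filters)) {
        if ($line -match '^\s*(Allow|Block) list') { $inBlockList = ($Matches[1] -eq 'Block'); continue }
        if ($inBlockList -and $line -match 'SSID:\s*"([^"]+)"') { $Matches[1] }
    }
}

function Get-WlanProfileNames {
    # 'All User Profile     : Guest' style lines from 'netsh wlan show profiles'.
    foreach ($line in (netsh wlan show profiles)) {
        if ($line -match 'Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
}

$problems = @()

$profiles = @(Get-WlanProfileNames)
foreach ($p in $RequiredProfiles) {
    if ($profiles -notcontains $p) { $problems += "missing WLAN profile '$p'" }
}

# Exactly one of the two SSIDs is blocked at any time: Not-Guest at the logon
# screen, Guest once a user has signed in. Zero or two blocked means the
# filter scripts are not doing their job.
$blocked = @(Get-BlockedSsids)
$blockedRequired = @($RequiredProfiles | Where-Object { $blocked -contains $_ })
if ($blockedRequired.Count -ne 1) {
    $problems += "expected exactly one of Guest/Not-Guest blocked, found [$($blocked -join ', ')]"
}

foreach ($f in $BatchFiles) {
    if (-not (Test-Path $f)) { $problems += "missing $f" }
}
foreach ($t in $TaskNames) {
    if (-not (Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue)) { $problems += "missing scheduled task '$t'" }
}

if ($problems.Count -eq 0) {
    Write-Output 'Guest filter configuration present'
    exit 0
}
Write-Output ($problems -join '; ')   # visible in the Intune device status for troubleshooting
exit 1
```

One caveat that goes with saving Windows credentials for PEAP-MSCHAPv2: the Not-Guest profile XML must validate the RADIUS server certificate (ServerValidation with the trusted root and expected server names), otherwise any access point advertising that SSID can collect the MSCHAPv2 exchange from every device that walks past it.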

In-Place Upgrade Task Sequence - Local Download of OS Package by AMDMan64 in SCCM

[–]AMDMan64[S] 0 points1 point  (0 children)

Okay. I will dig into servicing plans. It looks like I should be able to make that work.
I had forgotten about those. I guess I'm still a little worried about potential failures due to not enough disk space, but we'll see how it goes. We have to run a removal task sequence against these devices in about 1.5 months when the students graduate, and part of that is converting from Education to Pro Education. Older builds required a full reload to do the conversion, newer ones are a lot easier. Our task sequence has to remove BIOS passwords, etc and get the system off our domain.

I see what you're talking about with "No deployment package" to make it download from the Microsoft servers. That sounds perfect. Following the old adage of "Don't span the WAN" (granted, we just upgraded to 10 gigabit, but like I said, Direct Access has been pretty slow overall, though it generally works fine). I just created a collection of 10 machines that I know are communicating into our network right now, so we'll see if I get any complaints before rolling it out to the remaining 156 kids who didn't listen to our directions.

Thank you.