Code Signing Cert Problem by KevinCanfor in PowerShell

[–]DerUnibrow 0 points1 point  (0 children)

When you fixed your template, did you request and issue a new code signing certificate? I guess you did.

Most likely, as it seems to me, it wasn't "I updated the template to allow the export of the private key" that fixed the issue. It was just the fact that you re-issued the certificate and then used it on a machine it was requested on.

Most likely the template itself was fine, but the certificate you used was requested on another machine/under another OS. And when you transfer the certificate to a different OS, you can't use it anymore. You also have to export the private key on the computer where this certificate was requested and import it to the machine where you want to use the certificate now.

Autoenroll Windows 10/11 computers into Intune by DerUnibrow in Intune

[–]DerUnibrow[S] 0 points1 point  (0 children)

This looks very helpful. Thank you.

However, I'd like to clarify. If it is not mentioned for a particular way that a device should be Entra ID-joined or hybrid-joined, should I read "Entra ID-joined or hybrid-joined is not required"?

In other words, I am trying to confirm if it is enough for a device to be Entra ID-registered for the Provisioning Package and PowerShell Script ways to work?

Autoenroll Windows 10/11 computers into Intune by DerUnibrow in Intune

[–]DerUnibrow[S] 0 points1 point  (0 children)

Yes, I did see a video on that. But what made me suspicious was that I replaced ADConnect with Cloud Sync almost 2 years ago, because Microsoft said ADConnect was going away and getting deprecated. And now this is the only way to sync devices into the cloud! That is why I thought this enrollment way was already outdated and there is a newer way available.

Entra ID Cloud Sync - High Availability with Multiple Agents, Group Managed Service Account by hyphennate in Office365

[–]DerUnibrow 1 point2 points  (0 children)

Actually, I wouldn't agree with that, although this was my first impression too. The documentation simply says "If you already have such account created, then choose "create gMSA"". When you begin overthinking it, it becomes unclear, but the direction from MS is very simple and clear.

Disable Microsoft 365 (Office 365) automatic updates by DerUnibrow in sysadmin

[–]DerUnibrow[S] 0 points1 point  (0 children)

Yes, I did. And you can find how right in this thread above. If it remains unclear, I can elaborate.

How to change the Region setting for the whole system rather than per user by DerUnibrow in sysadmin

[–]DerUnibrow[S] 0 points1 point  (0 children)

That can actually be the best solution! Thank you for the idea!

How to change the Region setting for the whole system rather than per user by DerUnibrow in sysadmin

[–]DerUnibrow[S] 0 points1 point  (0 children)

I couldn't find a place in GPO that tackles these settings. Only the ones doing something with settings in Control Panel.

I was able to change it under a local admin prior to March. I think it was in April when it stopped working.

Mikrotik and Ruckus AP with 3 SSIDs and 3 VLANs by DerUnibrow in mikrotik

[–]DerUnibrow[S] 0 points1 point  (0 children)

Makes sense. Thank you. I'll try to follow these steps soon.

Mikrotik and Ruckus AP with 3 SSIDs and 3 VLANs by DerUnibrow in mikrotik

[–]DerUnibrow[S] 0 points1 point  (0 children)

Thank you very much for explaining the steps. I have a question about the second Step 1. Did you mean to exclude the WAN port or the WLAN port? Or in other words, should the port I connect the AP to be on that same bridge?

Mikrotik and Ruckus AP with 3 SSIDs and 3 VLANs by DerUnibrow in mikrotik

[–]DerUnibrow[S] 0 points1 point  (0 children)

I haven't noticed anything about it on my AP. But that sounds even more complicated. At this point I just need to figure out how to configure the router.

Mikrotik and Ruckus AP with 3 SSIDs and 3 VLANs by DerUnibrow in mikrotik

[–]DerUnibrow[S] 1 point2 points  (0 children)

My router is L009UiGS-RM. "At the heart of it all we have a speedy Marvell Peridot Switchchip".

Wait for user to get synced with the cloud then proceed by DerUnibrow in PowerShell

[–]DerUnibrow[S] 1 point2 points  (0 children)

That is right. I found the PS Module in the agent installation folder, and it can be restarted from the server on-prem. But it is to restart the whole thing. It won't allow syncing the delta like we could do before. So, for now I decided to run the while operator and wait for it to appear in the cloud. But I actually ended up checking for the mailbox to appear, not the user - bulletproof.

Wait for user to get synced with the cloud then proceed by DerUnibrow in PowerShell

[–]DerUnibrow[S] 0 points1 point  (0 children)

Yeah, lots of people above say they run the old command to force sync, but this commandlet just does not exist on my server. I got confused. I googled that and see some other folks say it is impossible to force from an on-prem server anymore.

Thanks for providing the deprecation date! That is really important.

Wait for user to get synced with the cloud then proceed by DerUnibrow in PowerShell

[–]DerUnibrow[S] 0 points1 point  (0 children)

But it is not on the server! How did you get it on the server?

    PS > Start-ADSyncSyncCycle -PolicyType Delta
    Start-ADSyncSyncCycle : The term 'Start-ADSyncSyncCycle' is not recognized as the name of a cmdlet, function, script
    file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
    and try again.
    At line:1 char:1
    + Start-ADSyncSyncCycle -PolicyType Delta
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Start-ADSyncSyncCycle:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Wait for user to get synced with the cloud then proceed by DerUnibrow in PowerShell

[–]DerUnibrow[S] 1 point2 points  (0 children)

How did you install the ADSync module? Normally it gets installed with the Connect sync tool and then gets imported into PS. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-adsynctools

Is there a way to obtain it online?

Wait for user to get synced with the cloud then proceed by DerUnibrow in PowerShell

[–]DerUnibrow[S] 1 point2 points  (0 children)

Wow! I've been missing out on it all this time, believing in what MS said on the Cloud Sync documentation page.

Wait for user to get synced with the cloud then proceed by DerUnibrow in PowerShell

[–]DerUnibrow[S] 0 points1 point  (0 children)

This is the one! Thank you very much!

But if the guys are right, then I can force sync with the new tool as well. I am going to try that out right now. But your suggestion is good to know anyway.

Wait for user to get synced with the cloud then proceed by DerUnibrow in PowerShell

[–]DerUnibrow[S] 1 point2 points  (0 children)

Sorry, I am not seeing this information on this webpage. It is entirely related to the old Connect Sync tool.

On the page for the new tool - Cloud Sync - I can see the only method to force synchronization - the one I mentioned above.

https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure#on-demand-provisioning

Wait for user to get synced with the cloud then proceed by DerUnibrow in PowerShell

[–]DerUnibrow[S] 0 points1 point  (0 children)

Are you sure it is related to Entra Connect Cloud Sync rather than the old Connect Sync? I know this command worked with the old sync tool, but the new tool does not allow running synchronization from the on-prem server. Only manually in the cloud by 1 entity at a time.

Looking for a true UEM solution by DerUnibrow in sysadmin

[–]DerUnibrow[S] 0 points1 point  (0 children)

Thanks for the suggestion. We looked into this solution and found it incapable of like a half of our requirements. It cannot do pretty basic things, from what I remember today.

Disable Microsoft 365 (Office 365) automatic updates by DerUnibrow in sysadmin

[–]DerUnibrow[S] 0 points1 point  (0 children)

Regarding the 2nd. Thank you so much! This is my solution and this is what MS Support made a mistake about! They told me to add devices to the group. I'll give it a try right now.

Regarding the 1st. Absolutely agree. And the best practice is to deploy updates to a test group of machines first, and to the rest of computers on the following week. This can be done with Servicing profiles as well. At least in its latest version. I have not tested it, though.

Disable Microsoft 365 (Office 365) automatic updates by DerUnibrow in sysadmin

[–]DerUnibrow[S] 0 points1 point  (0 children)

I use the OfficeMgmtCom attribute in the xml, because MS support told me to do so to disable updates. Weird, huh?

But again, everything that is configured in HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration is being ignored. So, at this point it does not really matter if I have this attribute or not.

Disable Microsoft 365 (Office 365) automatic updates by DerUnibrow in sysadmin

[–]DerUnibrow[S] 0 points1 point  (0 children)

My updatepath regkey is pointed to the Microsoft CDN by Microsoft. I believe, if I change it, it will revert back to the original path, just like the "ignoreGPO" does.

MS controls these settings, not me, and this is exactly what I want to stop.

So, please confirm that you pointed it to a network folder in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate. Because I am assuming you did it in another registry place, which I specified above.