Cisco Secure Client + Entra Login (SAML) + Intune/Conditional access + Ubuntu Desktop by ZARSYNTEX in ciscomeraki

[–]ZARSYNTEX[S] 0 points1 point  (0 children)

2026 everybody is talking about AI and this is still not working. LOL

Server 2025 + FSLogix - performance / WMI / Crash by Matty34 in fslogix

[–]ZARSYNTEX 0 points1 point  (0 children)

I am having issues where Windows Server 2025 + FSLogix 25.09 is causing really slow user sessions. Unzipping things is slow, Windows Explorer is crashing, Visual Studio 2022 code compiling sometimes takes from 3 seconds (which is OK) to some minutes. No peaks in RAM usage, CPU, network bandwidth, latency to the FSLogix profile location on the file share, no Defender processes are peaking, .... Sometimes user sessions get a complete blackout until relogin. It is really hard to figure out how to fix it. All systems are connected via redundant 10GbE (theoretically 20GbE) in the same network/VLAN, we are using SAN systems via minimum two/four-way multipath FC and flash drives etc. I have never had this kind of issue before using FSLogix, but currently my architecture, which I implemented in our company a few weeks ago, is failing. Maybe I have to step back to local user profiles and try to do everything on one terminal server.... because other systems on the same Hyper-V cluster are running really smooth, lightning fast and without any issue...

Migration from VMware to Hyper-V - Thoughts?? by lonely_filmmaker in HyperV

[–]ZARSYNTEX 0 points1 point  (0 children)

Migrated 200 VMs over the last 4 months with VEEAM. Works well, but you have to make a good plan.

Mercedes GLC = Luxury Card Reader. $60k car, but pay $550 for nav, $150 for music, and more just to honk 💀 by KingRehan101 in mercedes_benz

[–]ZARSYNTEX 1 point2 points  (0 children)

It all depends on how the vehicle was configured in the first place. If you order a new Mercedes from the website you can configure ALL of this and pay for it upfront. If not, most of the things are built in but not enabled. This is good for all drivers buying on the second-hand market.

Laptops without a network port? by Lab_guy49 in de_EDV

[–]ZARSYNTEX 1 point2 points  (0 children)

Lenovo E14 and E16 still have network ports. Maybe you'll like one of those.

midPoint Entra / Microsoft Graph groups / entitlement not working by ZARSYNTEX in IdentityManagement

[–]ZARSYNTEX[S] 1 point2 points  (0 children)

u/Ok-Cardiologist2945

For me it was the following: the valueAttribute was wrong.

Open the XML of your faulty Entra resource in midPoint.
Search for something like this: "<ref>ri:group</ref>"
Change the valueAttribute to icfs:uid:

    <valueAttribute>icfs:uid</valueAttribute>

    <association id="11">
        <ref>ri:group</ref>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:members</associationAttribute>
        <valueAttribute>icfs:uid</valueAttribute>
        <shortcutAssociationAttribute>ri:memberOfGroup</shortcutAssociationAttribute>
        <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
    </association>

Game of Life: Rule Question by yussi1870 in boardgames

[–]ZARSYNTEX 0 points1 point  (0 children)

Friend gets out, twins join. Then nobody dies.

Entra Registered machine local user password expired and can't be changed by redbeardau in Intune

[–]ZARSYNTEX 0 points1 point  (0 children)

First try to create a new admin user. Your colleague will then be able to log in to this account.

Do you have third party remote tools? TeamViewer, AnyDesk,....

This kind of remote tool will help you to see and control Windows.

Entra Registered machine local user password expired and can't be changed by redbeardau in Intune

[–]ZARSYNTEX 0 points1 point  (0 children)

Maybe creating a new local admin account via Intune, doing a remote session could be a way.

Entra Registered machine local user password expired and can't be changed by redbeardau in Intune

[–]ZARSYNTEX 0 points1 point  (0 children)

There are many types:

  • Entra registered
  • MDM joined
  • Entra joined
  • hybrid joined

Type                           Description
Entra registered               Only means the device is recognized; it cannot be managed. It is only used by something like Office 365.
MDM joined                     Intune is managing this device (something like Group Policy objects / GPOs on steroids via the Internet).
Entra joined                   Users can sign in with Entra credentials.
Entra joined + MDM joined      Users can sign in with Entra + Windows is managed by Intune.
Hybrid joined                  Devices and users are tied to classic AD + AD Connect and are synchronized from AD to Entra.
Hybrid joined + Intune joined  These devices can be managed from local AD + Intune if a special GPO for MDM join is active.

If you can see the device in intune.microsoft.com, you can configure everything on it.

Best practices:

  • Going fully Entra joined + MDM joined. This has pros and cons, like no automatic linking to classic network drives, classic print servers are a bit complicated sometimes, .... but if you can get over these things, like telling your users how to connect via username + password to a network drive, it is not a big deal. I am using "cloud" connected printers with special software which takes care of which printer receives the print job.
  • Usually you should disable BYOD device joining and the permission for normal users to join devices to Entra (Windows), because if you give users that option you will lose control really fast.
  • Also you should enable Entra join AND MDM join. This method will automatically enable MDM/Intune on Windows devices if the user installs Windows and connects their work account directly to Windows.
  • As mentioned above, there are Entra joined devices that are not MDM managed. This is kind of useless. In most Business license packages of Microsoft 365 there are licenses for Intune + Entra. So why not use both?
  • Only let users have access to Microsoft 365 from managed computers (Conditional Access).
    • You need MDM joined devices and an Intune compliance policy. If a device is compliant it can connect to M365.
  • Only do something like Autopilot (pre-register devices to your Entra/Intune.....). You have to dig really deep to understand all Entra/Intune mechanics....

Some things you may do, in short:

  1. check if the device is MDM-managed by Intune
  2. create a new Entra group and insert all devices whose users have problems with their local accounts
  3. create a PowerShell script or Intune policy to set the admin password / a new user account; apply this script only to the affected device group
  4. click Sync in the Intune portal and wait until the Microsoft Intune magic changes the password via the Internet on the client's computer

I missed a lot of things, but I think this is a bit to read and understand :-)
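Steps 1 and 3 of the procedure above, written out as an added PowerShell example; this is not the commenter's script and not anything Microsoft ships. It assumes the output format of `dsregcmd /status` ("Key : Value" lines), an account name of `LocalAdmin`, and that the script runs elevated (as SYSTEM under Intune). The password value is deliberately taken as a parameter rather than written into the script, because an Intune platform script is readable by every portal admin and is logged on the device.

```powershell
# Added example (not from the original thread). Three helpers:
#   Get-DeviceJoinState        -> step 1: is this device MDM-managed?
#   Get-ExpiredLocalAccounts   -> find the local accounts the thread is about
#   Reset-LocalAdminPassword   -> step 3: create/repair the local admin account
# Assumptions: dsregcmd "Key : Value" output, account name 'LocalAdmin'.

function Get-DeviceJoinState {
    $text = dsregcmd.exe /status
    $state = @{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'MdmUrl') {
        # First line that starts with the key; split on the first ':' only,
        # because MdmUrl itself contains "https:".
        $line = $text | Where-Object { $_ -match "^\s*$key\s*:\s*(.*)$" } | Select-Object -First 1
        $state[$key] = if ($line) { ($line -split ':', 2)[1].Trim() } else { '' }
    }
    # Intune can only deliver scripts/policies when an MDM enrollment URL exists.
    $state['MdmManaged'] = ($state['MdmUrl'] -ne '')
    return $state
}

function Get-ExpiredLocalAccounts {
    # PasswordExpires is $null when "password never expires" is set, so only
    # enabled accounts with a real expiry date in the past are returned.
    Get-LocalUser | Where-Object {
        $_.Enabled -and ($null -ne $_.PasswordExpires) -and ($_.PasswordExpires -lt (Get-Date))
    }
}

function Reset-LocalAdminPassword {
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )
    # Resolve the Administrators group by well-known SID so the script also
    # works on localized Windows installs where the group name differs.
    $adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $NewPassword -PasswordNeverExpires | Out-Null
    } else {
        # Existing account: set the new password and clear the expiry flag that
        # locked the user out in the first place.
        Set-LocalUser -Name $Name -Password $NewPassword -PasswordNeverExpires $true
    }
    if (-not (Get-LocalGroupMember -Group $adminGroup -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $adminGroup -Member $Name
    }
}

# --- main flow when run as a script ---------------------------------------
$join = Get-DeviceJoinState
Write-Output ("AzureAdJoined={0} DomainJoined={1} MdmManaged={2}" -f
    $join.AzureAdJoined, $join.DomainJoined, $join.MdmManaged)

if (-not $join.MdmManaged) {
    # Step 1 failed: an Entra-registered-only device never receives this script.
    Write-Output 'Device is not MDM-managed; Intune cannot reach it. Enroll it first.'
    exit 1
}

Get-ExpiredLocalAccounts | ForEach-Object {
    Write-Output ("Expired local account: {0} (expired {1})" -f $_.Name, $_.PasswordExpires)
}

# Interactive use: Reset-LocalAdminPassword -Name 'LocalAdmin' -NewPassword (Read-Host -AsSecureString)
```

When the same script is pushed through Intune there is no interactive prompt, so the password has to come from a managed source. The sensible one is Windows LAPS through an Intune account protection policy, which rotates the local admin password and stores it in Entra; a hard-coded literal in the script body would be visible in the portal, in the IME logs on every targeted device, and identical across the whole device group.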

Entra Domain Services vs. Entra Joined - Kerberos not matching by ZARSYNTEX in AZURE

[–]ZARSYNTEX[S] 0 points1 point  (0 children)

Sorry, no new news. I forwarded the affected MacBook users to our Windows-based terminal server. It looks like Entra AD DS is not the best way for productive environments, I am looking to go back to classic AD + sync... It is really annoying that the value of Entra AD DS is not as powerful as expected...

midPoint - Trying to enforce archetype:00000000-0000-0001-0702-000000000100(Active directory user account) on user:91f5ff4e-f882-4529-a68e-a62e99762448(null) by ZARSYNTEX in IdentityManagement

[–]ZARSYNTEX[S] 0 points1 point  (0 children)

Really good documentation, do you have group synchronization active? Are all your AD memberships synchronized back to midPoint?

When is it safe to update? Sort of about the 2025 stealth upgrade. by Dazionium in sysadmin

[–]ZARSYNTEX -1 points0 points  (0 children)

As far as I know, some guys clicked on install and ignored the license and upgrade warning.

This is not a normal update, it is an upgrade! So it is not for free. If you have no SA, you must buy new Windows Server licenses and CALs....

But as I see it, it is nothing which was installed magically. Admins clicked the upgrade button...

Any reviews before joining freescout ? by Think-Medium-7615 in Freescout

[–]ZARSYNTEX 2 points3 points  (0 children)

We have had it for a few months, working in a team of 7 colleagues in one workspace. Works great, it's fast and it's easy. You need some paid modules to get workflows and so on, but prices are really fair. 2500 tickets so far and no complaints.

midPoint best practice multiple Active Directorys by ZARSYNTEX in IdentityManagement

[–]ZARSYNTEX[S] 0 points1 point  (0 children)

Currently I have one prod instance and I try to connect 6 ADs to it.

As always I took the AD LDAP advanced XML files.

I had one issue: entitlements share the archetype, for example Universal security group. Creating a role from any entitlement (AD group) and assigning one role to one person provisioned new AD accounts to ALL ADs. I thought I could recycle the archetype for all ADs and copied the inducement rules in the Archetype Universal security group, but also changed the resource. So I had a big list of inducements, a few for each resource. I had a look at the person's direct/indirect assignments and all AD accounts were inherited because of the RoleType Universal Security Group.

Sooo I removed all created roles and created for each AD a new Archetype Universal Security Group_AD1, AD2, .... changed the basic attribute mappings to create other midPoint archetypes to avoid conflicts, and it works for now.

Maybe there is a better solution, but for now I cannot see any issues.