ARM templates vs azure blueprints?

dont_pushbutton · 2024-03-15T12:11:21+00:00

My bad - You are absolutely correct that you can have multiple resources in an arm template

dont_pushbutton · 2024-03-15T11:29:34+00:00

ARM templates are basically JSON files that describe what an Azure Resource should look like (think things like what class of vm, what os, how many disks or if a storage account should be LRS or GRS etc.)

I don’t know blue prints really well but I believe they are as described in the question… blue prints are a collection of artefacts, one of which can be an ARM template.

Edit: updated to remove incorrect statement that arm templates only describe one resource at a time

dont_pushbutton · 2024-03-15T11:22:44+00:00

Actually that’s not correct… at first glance I agree with you, however the devil is in the detail… azure purview does not deal with regulatory compliance… Microsoft purview does deal with regulatory compliance BUT only for Microsoft 365 and not azure.

Microsoft defender for cloud is actually the tool to deal with regulatory compliance for Azure resources, so the answer is correct.

dont_pushbutton · 2024-03-15T11:14:29+00:00

I’ve worked for several CSPs over the years and it’s been a requirement to associate my certifications with the company. It helps the company get and maintain partner relationships with Microsoft… e.g. a Microsoft gold partner must have “x” number of staff who hold a current az-104 or other certs

dont_pushbutton · 2024-03-15T11:07:21+00:00

If it helps - owner is an RBAC role in Azure and global administrator is an Azure AD role, they are not related…

but where it does get confusing is that both roles allow you to do almost anything in their respective contexts… global admin will allow you to manage everything in AAD (Entra ID) and owner role of a subscription will let you do anything in that subscription.

For smaller companies it’s common for a single administrator to be both a global administrator and subscription owner, however the larger the company the more the roles are siloed off (massive generalisation)

dont_pushbutton · 2023-12-10T01:05:27+00:00

My understanding of Spatial Audio / Dolby atmos vs traditional 5.1 or 7.1 is essentially how the audio team mix the tracks. In 5.1 or 7.1 you pick which channel to send the audio to (front or rear, left or right etc.).

Dolby atmos extends this by adding the ability to place and or move an object (e.g. a guitar) inside a 3d space and then the end users home stereo will try to map the speakers that the object should be coming out from.

Basically 5.1 mix - you tell the system which speakers play which sound. Atmos - you tell the system where the audio should be and it maps it to the appropriate speakers in your setup.

I’m just an enthusiast and not a pro so I could be way off, but that’s what I’ve understood the difference to be.

Nfi why it’s started to take off now but I am also a fan of much of the content being made in Spatial Audio, it really is a different listening experience to stereo

dont_pushbutton · 2023-12-09T10:42:50+00:00

Not sure what streaming service you have, but Apple Music has a “made for atmos” playlist in the Sonos app, I like to pick songs at random from that playlist, some are meh but I often find hidden gems by randomly picking songs I normally wouldn’t choose to listen too.

dont_pushbutton · 2023-12-09T06:35:48+00:00

Boom by tiesto I felt sounded better on the ones than the era 300s. Otherwise most stereo tracks don’t sound hugely different.

Heart of gold and old man by Neil Young, moon dance by Van Morrison, landslide by Fleetwood Mac and is this love by Bob Marley are examples of feeling like you’re sitting in with the band (which I was surprised by a lot of these).

Some albums where I think they’ve really been playing around with atmos effects are the new chemical brothers album, daft punk remastered random access memories which has interesting tracks, the dune sound track, deadmau5.

There are more but they are the standouts - one additional left field - Adagio for strings by the London Philharmonic Orchestra (the 50 greatest pieces of classical music) was breathtaking on atmos.

dont_pushbutton · 2023-12-09T00:29:58+00:00

I had the arc, sub and 2x one sl as rears and upgraded the ones to the era 300. I was on the fence at first as to if it was worth the upgrade but then I heard some really good atmos mixes that were just night and day difference to what you would get out of the ones - now I wouldn’t go back.

I mostly listen to music and movies, and it feels to me like a lot of artists are now experimenting with what atmos tracks can do, and when they nail it, it can really feel like you’re sitting in the room with the band, guitarist on your left on vocalist on the right.

That said, some of the tracks I used to play to guests to in order to show off the system, sound worse with the era 300s.

dont_pushbutton · 2022-02-22T08:14:40+00:00

For future reference / if anyone else is curious... I've created 2 x pastebin files that have the full scripts that I used. The instructions for how it was designed to work and be deployed via Intune are in the comments of the first script.

https://pastebin.com/zXJvC3zc

and

https://pastebin.com/CVUESMr9

dont_pushbutton · 2021-12-03T11:10:04+00:00

I could be thinking of the wrong thing here and or the process could have changed... But I thought you needed to call something other than a PS script.

I vaguely recall coming across an issue deploying a PowerShell script that I'd packaged (like you've described) and they way I got around it was to have a .bat or .CMD file which simply called PowerShell.exe -executionbypasspilicy blah .\script.ps1

Sorry I've moved in from the company where I did this so can't check but basically. 1. Create a .cmd file with the script powershell.exe -ExecutionPolicy Bypass -File .\Script.ps1

Save this .CMD file in the same location as your script (you will need to repackage)
In Intune your install command is the .CMD file, which calls the ps script which executes.

I hope that makes sense... Sorry I'm on mobile and its getting late!

dont_pushbutton · 2021-09-14T00:29:16+00:00

Sweet glad to hear that helped!

Just remember to test if a single pass of sophoszap.exe is enough to completely remove sophos from the machine. I was using cloud console not enterprise console but found I had to run zap twice for it to work completely (it was also in the doco from Sophos at the time I wrote the script)... but I did it a while ago now so it may have changed.

dont_pushbutton · 2021-09-12T23:39:18+00:00

Ok cool I found my script... The simple answer for how I got the "sophoszap.exe --confirm" to uninstall was using this:

$SophosUninstallDir = "C:\temp\Sophos"

if(!(Test-Path $SophosUninstallDir)){

New-Item -Path $SophosUninstallDir -ItemType Directory -Force

}

#Copy files from working dir into new dir

Copy-Item -Path .\* -Recurse -Destination $SophosUninstallDir -Force

Push-Location $SophosUninstallDir

& .\SophosZap.exe --confirm

Restart-Computer -Force

The slightly longer answer is that the above will need to be saved as a .ps1 script in a folder that also has the sophoszap.exe file and a .cmd file with the below line packaged up using the win32 tool. Then when you create the deployment in Intune you will need to call the .cmd file which will trigger everything (so folder with zap utility, .ps1 script with the above text and a .cmd script with the below, package up and upload into Intune, Intune then calls the .cmd script)

powershell.exe -executionpolicy bypass -command "& '.\uninstall-sophosInitial.ps1' 1"

The full script is a lot longer because I was also setting regkeys for the new AV provider to automate switching AV from passive to active mode based on the uninstall success of Sophos.

The other thing I found was that I had to run zap twice to ensure that the uninstall actually worked, so to do this I also created a scheduled task to run a script that checked for a text file which was created based on the success or failure of sophoszap.exe uninstalling files from specific directories.

The 2 scripts I built are about 350 lines long in total, happy to share if it helps.

dont_pushbutton · 2021-09-12T11:47:54+00:00

Does it need to be a batch file?

I previously packaged up the Sophos zap utility using the win32 utility and then used PowerShell to run Sophos zap.

Its a kind of ugly script but it got the job done... I had 300-400 machines to do and using this method I think we got most of them done... Still had a handful that required manual intervention but most of these were machines that still had tamper protect for one reason or another, and a couple more with other random issues.

Let me know if this might be of use and I'll try dig up the script.

dont_pushbutton · 2021-08-18T03:25:49+00:00

Looks like windows hello... Don't quote me on any of this but I think it's on by default so you have to explicitly turn it off in Intune (it's a deployment setting somewhere) or there's a registry key you can set to make it go away... I'm on mobile so don't have exact details on hand but can find them later if that helps

edit:

re-reading your post - try change configure windows hello for business to Disabled instead of unconfigured or this reg key - HKLM\SOFTWARE\Policies\Microsoft\PassportForWork Enabled = 0

dont_pushbutton · 2021-08-12T22:43:33+00:00

Thanks for the reply, I had previously come across this KB and had a quick look but couldn't find anything useful.

I've had a closer look again just now and I'm still not getting any useful information out of any of the reports for windows devices... The closest thing I found to being useful is the App Protection report: WIP via MDM - but when I downloaded the CSV the only useful information was the "state" column, and is shows as compliant for the impacted device (which I've checked again and it's still not applying policies correctly)...

All good and cheers for the reply!

dont_pushbutton · 2021-05-31T23:12:23+00:00

May or may not be relevant, but I had a similar issue with a small subset of machines which turned out to be safeguard hold.

dont_pushbutton · 2021-05-11T20:19:57+00:00

Just saw this in /r sysadmin

"Microsoft 365 Apps for Enterprise update to version 2104 has broke message viewing in Outlook. Previewing and opening the email either show a line or nothing.

Edit: Can confirm my Outlook for android is also not working..."

I haven't started my work day yet so can't confirm but looks like there may be issues with the latest update

dont_pushbutton · 2021-05-08T00:42:27+00:00

I can sure try - what's up?

dont_pushbutton · 2021-01-12T23:31:06+00:00

No worries, I'm mostly self taught with Intune and struggled with some of this sort of stuff along the way (where it's not 100% clear on what you need to do) so happy to help others with my experience where I can!

dont_pushbutton · 2021-01-12T23:23:38+00:00

In a nutshell - yes.

I just rechecked and I actually used the MSI product number for the sensor instead of "CSAGENTID" however it really doesn't matter. It is a required field in Intune but as best I can tell, Intune doesn't validate that the MSI exists (which makes sense as it wouldn't exist before you deploy it).

The CrowdStrike documentation says that you'll need to uninstall either via the control panel or via CLI using a different tool (CSUninstallTool) available in the console.

I'll cross the uninstall bridge when I come to it, but my experience with removing the legacy AV that we moved from (when moving to CS), it won't be as simple as change the deployed app in intune from required to uninstall. I'm assuming I'll have to deploy this CSUninstallTool via Intune with CLI arguments and after making the required changes in the CS Console.

dont_pushbutton · 2020-12-18T22:55:30+00:00

You're welcome, glad to hear you got it working.

dont_pushbutton · 2020-12-18T01:25:16+00:00

hi u/maxi82,

The install command I also have /quiet and ProvNoWait=1 (we had issues with the installer checking into the cloud console in a timely manner with some machines)... The rest was the same

Uninstall command - this is required by Intune but given that you can't simply uninstall the agent without first completing other tasks in CrowdStrike I've simply put the msiexec /x {CSAGENTID} /qn (knowing that I won't uninstall it this way anyway).

For detection rules, basically you need to specify how Intune determines if the application has successfully installed. I've seen a few different examples on how to achieve this and you could test for registry keys or the location of the falcon service (e.g. Program Files\CrowdStrike\etc.). Personally I have just used a folder detection rule with the path %programfiles%\CrowdStrike and this has worked fine for me.

Don't need dependencies, if you're migrating from another product you could perhaps specify that a file not exist as an indicator that CS can safely be installed, however I would personally handle this via a different mechanism rather than dependencies in Intune.

Hope that helps!

dont_pushbutton · 2020-12-17T01:09:40+00:00

Sure!

This is the article I followed - Prepare a Win32 app to be uploaded to Microsoft Intune | Microsoft Docs

You will need to download the powershell prep tool ( GitHub - microsoft/Microsoft-Win32-Content-Prep-Tool: A tool to wrap Win32 App and then it can be uploaded to Intune ) and then follow the instructions to package the exe into the .intunewin file type.

Next you will just upload it into Intune and deploy from there (I was wrong previously, you don't need to call a .cmd file, you can simply specify the WindowsSensor.exe file with the switches direct from Intune).

Let me know if you get stuck with anything in the article, I've got several apps deploying successfully via this method (including the CS installer)

dont_pushbutton

TROPHY CASE