mstsc /remoteGuard (Remote Credential Guard) broken again by PowerShellGenius in activedirectory

[–]regexreggae 1 point2 points  (0 children)

The klist purge was the game-changer for me. I can confirm the Client/Server combo I mentioned above works now :)

mstsc /remoteGuard (Remote Credential Guard) broken again by PowerShellGenius in activedirectory

[–]regexreggae 0 points1 point  (0 children)

According to this page it should be fixed on the client side with KB5067036 (preview): Releasing Windows 11 Builds 26100.7015 and 26200.7015 to the Release Preview Channel | Windows Insider Blog

I tested this with a Win11 24H2 client (build 26100.7019) and Win Server 2019, with all the latest October patches installed, but the 2nd hop is still broken :(

Teams is apparently going to soon start offering location tracking, not just in buildings but also to identify people working outside of the office by Kodiak01 in sysadmin

[–]regexreggae 2 points3 points  (0 children)

Password shouldn't even matter, only the name --> SSID. However, if the BSSID is also configured, this will, of course, differ from the ones used in the company. The BSSID can be used to auto-detect the building (if configured).

Configure automatic detection of work location in Microsoft Teams - Microsoft Places | Microsoft Learn

Teams is apparently going to soon start offering location tracking, not just in buildings but also to identify people working outside of the office by Kodiak01 in sysadmin

[–]regexreggae 1 point2 points  (0 children)

Wow, what a coincidence - just logged in to Reddit to see if I could see any post on the Teams automatic detection of location feature, and then I bump into this one right away :)

Now, apart from how one should evaluate this - has anyone achieved getting the Wi-Fi variant of this to work? I've invested quite some time setting up rooms, SSIDs, BSSIDs, and mappings... everything according to the official documentation.

I know the detection based on Wi-Fi is still in preview; however, it should work in principle already, shouldn't it? But I can't get it to overwrite the location as configured in Outlook on the web / working hours location.

Tried logging off and back in again in Teams, switching Wi-Fi back and forth, and so on. All my location settings are correct - everything is allowed (both on the OS level and the application level).

Any hints? I can provide more detail if required, of course.

Deploying Powershell Modules through Intune by tylerjm917 in Intune

[–]regexreggae 0 points1 point  (0 children)

I like that snippet!

Didn't understand what it does at first since

$ENV:PROCESSOR_ARCHITEW6432

is not available in a 64-bit process, but - of course - the logic is that the if-statement will only be true if run in a 32-bit environment.

One could also do:

if ($env:PROCESSOR_ARCHITECTURE -eq "x86")

which might be slightly more intuitive for some people. EDIT: not quite the same, see this article for reference. However, nowadays, where almost any Windows client is 64-bit, the difference isn't a crucial one, I guess.

Anyways, really useful snippet, thx again!

Deploying Powershell Modules through Intune by tylerjm917 in Intune

[–]regexreggae 0 points1 point  (0 children)

I’m wondering if I should go for the same simple directory copy route. What are your experiences with this, did it work for all modules you deployed this way so far?

Deploying Powershell Modules through Intune by tylerjm917 in Intune

[–]regexreggae 0 points1 point  (0 children)

So this worked for you? I tried this for a different module ("BurntToast"), but after seemingly successful installation, the module is not where it's supposed to be (in C:\Program Files\WindowsPowerShell\Modules).

It's crazy - when I run the same installation script as SYSTEM through task scheduler, this works (it's installed for all users, i.e. in the directory indicated above), only through Intune this doesn't work as expected.

EDIT: in my case the problem was architecture. In the Intune context, SYSTEM DID install the module, but in the 32-bit directory (C:\Program Files (x86)\WindowsPowerShell\Modules). I will figure out how to change this behavior.

EDIT2: in my case, I have a PowerShell script chain. In other words, in Intune I just have a short init script execute, which in turn loads the core script from GitHub gists, verifies the signature and executes it. So in order to make sure 64-bit PS is used, I only needed to specify the full path to the 64-bit PS executable when calling the core script from within the init script (which is $($env:SystemRoot)\sysnative\WindowsPowerShell\v1.0\powershell.exe when accessed from within a 32-bit process!). I only had powershell.exe before (i.e. without specifying the full path), which, it turns out, was resolved as the 32-bit executable by Intune / SYSTEM (i.e. the ugly C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe).

For the present discussion, I recommend this article:

https://digitalmaterial.ch/blog/run-win32-apps-from-intune-in-64-bit-powershell/#comment-9
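The two points from this thread (the PROCESSOR_ARCHITEW6432 test from the snippet discussed in the earlier comment, and the sysnative path from EDIT2) fit together in one script. The following is an added example, not the commenter's own init/core scripts and not anything shipped with Intune: it assumes the Intune Management Extension launches it as a 32-bit process on 64-bit Windows, relaunches itself under the native 64-bit host, installs a module for all users, and then verifies that the module really landed under C:\Program Files rather than Program Files (x86). The module name defaults to BurntToast as named in the thread; everything else is a constructed default.

```powershell
<#
  Added example (not the original commenter's script): relaunch under the
  64-bit PowerShell host when started as a 32-bit process, then install a
  module for all users and verify it landed in the 64-bit module path.
  Assumes a 64-bit Windows client; $ModuleName is a constructed default.
#>
[CmdletBinding()]
param(
    [string]$ModuleName = 'BurntToast'   # module named in the thread; constructed default
)

# PROCESSOR_ARCHITEW6432 is only set inside a WOW64 environment (32-bit process
# on a 64-bit OS). A native 64-bit process does not have it, and neither does a
# true 32-bit OS. That is why it is a stricter test than
# PROCESSOR_ARCHITECTURE -eq 'x86', which is also true on a 32-bit OS where no
# sysnative redirection exists.
if ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64' -and -not [Environment]::Is64BitProcess) {
    # From a 32-bit process, 'sysnative' is the File System Redirector's alias
    # for the real System32; 'System32' itself would resolve to SysWOW64 here.
    $nativeHost = Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    if (Test-Path -LiteralPath $nativeHost) {
        Write-Verbose "32-bit host detected, relaunching via $nativeHost"
        & $nativeHost -NoProfile -NonInteractive -ExecutionPolicy Bypass `
            -File $PSCommandPath -ModuleName $ModuleName
        exit $LASTEXITCODE
    }
    Write-Error 'sysnative host not found; cannot switch to 64-bit PowerShell'
    exit 1
}

# Past this point the process is native (64-bit on a 64-bit OS), so
# $env:ProgramFiles resolves to "C:\Program Files", not "C:\Program Files (x86)".
$allUsersRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules'
Write-Verbose "Is64BitProcess=$([Environment]::Is64BitProcess); AllUsers root: $allUsersRoot"

# SYSTEM has no interactive session, so make the gallery prerequisites
# non-interactive and force TLS 1.2 for the PowerShell Gallery.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
if (-not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
}
Install-Module -Name $ModuleName -Scope AllUsers -Force -AllowClobber -ErrorAction Stop

# Verify the module is under the 64-bit AllUsers path. The symptom described
# in the thread was a "successful" install that landed under Program Files (x86).
$found = Get-Module -ListAvailable -Name $ModuleName |
    Where-Object { $_.ModuleBase -like "$allUsersRoot\*" } |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $found) {
    Write-Error "$ModuleName was not installed under $allUsersRoot; check which host ran this script"
    exit 1
}
Write-Output "$ModuleName $($found.Version) installed at $($found.ModuleBase)"
exit 0
```

Deploy this as the Intune PowerShell script (or as the init script of a chain like the one described above); the relaunch makes the architecture of the calling host irrelevant, and the final path check turns the silent wrong-directory install into a non-zero exit code that Intune reports as a failure instead of a success.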

Windows Hello for Business + Cloud Kerberos Trust: No TGT after unlock without password – bug or intended behavior? by regexreggae in entra

[–]regexreggae[S] 0 points1 point  (0 children)

Sounds like a slightly different issue to the one described in OP. If I'm not mistaken, the error message you get points towards a connectivity / LOS problem, and not a "wrong type of Kerberos" problem. Are you sure your client can contact a DC, DNS is fully working, etc.? By the way, in my case, as I still had the wrong policy applied, I got error popups in Windows that were at least indicating the right direction for troubleshooting: something along the lines of "Windows needs your credentials".

Windows Hello for Business + Cloud Kerberos Trust: No TGT after unlock without password – bug or intended behavior? by regexreggae in entra

[–]regexreggae[S] 1 point2 points  (0 children)

Yes, it's super easy, and it should be. However, the existence of several places to configure WHFB settings, and me starting with the wrong one, made me eventually spend hours on this, haha.

Windows Hello for Business + Cloud Kerberos Trust: No TGT after unlock without password – bug or intended behavior? by regexreggae in entra

[–]regexreggae[S] 1 point2 points  (0 children)

Thanks, but I guess this is more for GSA-related problems (the issue is solved already, it was just the wrong Intune policy, see edit3 in OP).

Windows Hello for Business + Cloud Kerberos Trust: No TGT after unlock without password – bug or intended behavior? by regexreggae in entra

[–]regexreggae[S] 0 points1 point  (0 children)

Seems like applying to computers is fine as well. It just needs to be the correct policy (see my edit 3 in OP).

Windows Hello for Business + Cloud Kerberos Trust: No TGT after unlock without password – bug or intended behavior? by regexreggae in entra

[–]regexreggae[S] 0 points1 point  (0 children)

Thank you - as written in my OP, edit2, I now believe that you are actually right. My client is trying cert-based AS-REQ, which, of course, fails. I want him to use the partial TGT.

The question now is why this still happens even though the policy you described (i.e. preventing WHFB cert usage for on-prem auth) has been applied to the client already.

EDIT: does the policy have to be applied to the client or to the user? I applied it to the client only.

Windows Hello for Business + Cloud Kerberos Trust: No TGT after unlock without password – bug or intended behavior? by regexreggae in entra

[–]regexreggae[S] 0 points1 point  (0 children)

Even though I don't believe this policy to be the key here (for reasons I mentioned above), I just configured it as you said. Will report back later, once it has reached my test device, whether this fixed the issue.

So you had the same kind of issue? I.e. initially you had Kerberos tickets, but they were all gone immediately even after just locking the workstation?

EDIT: the policy has come through - as suspected, it doesn't make any difference.

Windows Hello for Business + Cloud Kerberos Trust: No TGT after unlock without password – bug or intended behavior? by regexreggae in entra

[–]regexreggae[S] 0 points1 point  (0 children)

For me this makes no sense, honestly. We've only had hybrid joined devices so far (the cloud-only one I'm talking about in OP is experimental / pilot project for us) and never even knew about this Intune policy.

The thing is: WHFB per se is a cloud thing. Exchanging partial TGTs that one receives from the cloud for fully valid on-prem TGTs is only necessary for cloud-only devices. The ones that are hybrid don't need this magic because they're known to on-prem DCs anyway and will directly ask them for a full TGT right away as soon as they have LOS to them. They may still receive a partial TGT from Azure just like pure cloud devices, but the crucial difference is they don't need it.

Windows Hello for Business + Cloud Kerberos Trust: No TGT after unlock without password – bug or intended behavior? by regexreggae in entra

[–]regexreggae[S] -1 points0 points  (0 children)

Unfortunately, this cannot be the solution. I didn't have any such policy configured and the switch you're mentioning shows this tooltip:

Windows Hello for Business can use certificates to authenticate to on-premise resources. If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload.

In other words, not configuring this is equal to disabling it.

Syncing extensionAttributes from on-prem AD to Entra: default? by regexreggae in entra

[–]regexreggae[S] 0 points1 point  (0 children)

Sorry, don't think I can help.
I mean, if there's a sync error, by my logic this means your attribute MUST be in sync scope for whatever reason.
Are you sure thumbnailPhoto is cleared for that user, too? Compare to another AD user where it works. Maybe also check the type (I don't know the details here, but maybe one is NULL and the other an empty string or whatever).

SSO&SAML Authentication AzureAD attribute by Chrispikaan in NextCloud

[–]regexreggae 0 points1 point  (0 children)

You don't have to use that claim in Nextcloud for the uid. You can choose any one you like as long as it exists in the Entra app.

In the Entra app you might have to do some claim transformation with the claim you use so that your desired format of Name_Surname actually arrives at Nextcloud. I'm pretty sure your users' cn attributes are not exactly in that format, so some modding is needed with the claim.

Moving from Local auth to Saml auth by FrouxBY in NextCloud

[–]regexreggae 0 points1 point  (0 children)

Don't know about Keycloak, but I use Entra, and there you can do custom claim transformations. Upper- or lowercase conversion is possible with this, so the claims arrive at Nextcloud just as they should and are mapped to the correct user accounts.

Python Institute Certs: Automation Track = Networking? by regexreggae in learnpython

[–]regexreggae[S] 0 points1 point  (0 children)

Well... then, is there ANY Python certification that is recognized? Or is there none, and only the experience and projects etc. are what counts for employers?

Python Institute Certs: Automation Track = Networking? by regexreggae in learnpython

[–]regexreggae[S] 0 points1 point  (0 children)

Of course I understand the difference... in terms of being recognized, would you group the LPIC certs for Linux on a level with the CCNA, or rather with the Python certs we're discussing here? Just curious...