Monday, August 8, 2022

Automating Teams voice assignment for users (1:2)

In order to manage voice and phone number assignments in Microsoft Teams, you need at least the Teams Communications Administrator role. This role does however have more privileges than most organizations want to assign to their first line staff. This blog post will cover a way for first line to automate voice activation of users with the granularity necessary to cover several technologies such as Direct Routing and Operator Connect.

The main idea is to let first line operators use the tools they have access to when managing users without the demand of acquiring extra privileges.


By adding the Teams phone number in E.164 format to the user's telephoneNumber field in AD/AAD and assigning the user as a member of a defined security group, I have enough information to automate the Teams voice assignment for the user. This could also include license assignment through the group membership.

Monday, August 1, 2022

Find where your colleagues are on a floor plan

Microsoft Search helps users find relevant content, the right answers or people. Search administrators use their knowledge of the organization and its users to make it easy for users to find the relevant content. This blog post will cover how you can prepare information about employees in order to place them on a floor plan for the office buildings. 

This type of setup is part of my mindset of using as many features as possible from the Microsoft 365 licenses, often triggered through configuration and maintenance of information which provides value throughout the product line.


This kind of functionality will add value when searching for colleagues in the office landscape, or even when searching for the closest meeting room.

Monday, July 25, 2022

Autopilot - Device deadlock between two tenants

After wiping a Windows 10 Autopilot device from Microsoft Endpoint Manager, we got welcomed to the correct tenant by name and logo. When signing in with a currently licensed user, we got the message saying "That username looks like it belongs to another organization. try signing in again or start over with a different account". Time to troubleshoot!

The background for the wipe was to repurpose the device for a new user. 


Windows Autopilot is managed and maintained by Microsoft in a backend database that associates hashes with customer tenants. This time I got a schizophrenic device dealing with two tenants.

Monday, July 18, 2022

Disable "Do Not Send a Response" option in Outlook with MDM

When users select the option to not send a response when accepting a meeting invite in Microsoft Outlook, their response is not visible for the invitee. This makes it troublesome to keep track of attendees for the meeting. This is why many organizations want to disable this option. 

If someone replies to a meeting invite by using the "Do Not Send a Response" option, the action is marked in the users calendar, but it will not reflect in the meeting tracking visible for invitees.


The problem has been present for a long time, and there has been some information available on how this can be solved by use of Group Policies in legacy Active Directory environments. Here's how to remove the option to not send a response on meeting invites using Configuration Policies in Microsoft Endpoint Manager and a Settings Catalog profile type.

Configuration Profile

Create a new Configuration Profile for Windows 10 and later of the Settings catalog type


In the Configurations Settings for the new Configuration profile, you should "Add Settings" and search for "disable command bar". Select the category "Microsoft Outlook 2016\Disable items in User interface\Custom" and push the button "Select all these settings".


The settings are now added to the profile, and you can enter command bar IDs to be disabled. The picture above shows three IDs (19987, 19995, 19991). These are the IDs for disabling the options of "Do Not Send a Response" when opening a calendar item in a separate window. The following list of IDs should be added to remove these options from other places of the Outlook graphical user interface (19987, 19995, 19991, 25507, 25510, 25513, 25514, 25515, 25516, 18273, 25519, 25520, 25517, 25518, 25521, 25522):

The IDs are listed in the Office 2016 Help Files for Office Fluent User Interface Control Identifiers from the Official Microsoft Download Center. This download contains several Excel files. You can extract these files to a folder and search for "AcceptInvitationNoResponse" in order to find the correct file to investigate. You can find even more Office Fluent User Interface Control Identifiers targeted to several Office versions at OfficeDev/office-fluent-ui-command-identifiers on GitHub.

When opening this file in Excel, you will find a long list of available Policy IDs to use in your MEM Configuration profile. This time we are interested in policies regarding "NoResponse", and a search in the file gives the list of IDs included in my list above.


Finish up the Configuration profile and assign it to a group.

Once this policy has synced out to the members of the group assigned to the policy, the option to respond to a meeting invite with "Do Not Send a Response" has been disabled.


Summing up

By removing the option to not send response to meeting invites, you will force responses to invitations that are visible to meeting participants. This will make it more predictable for those planning and attending meetings.

Please note: This will only apply for Outlook on Microsoft Windows. 

New RSVP responses to come?

The modern hybrid work drives the development, and Microsoft is now adding additional options for more detailed RSVP responses. This planned feature will let you inform how you plan to attend a meeting - in person or virtually. 

This will start to roll out to Outlook pretty soon (associated with Microsoft 365 Roadmap ID 88535). Once the feature is deployed, you will have 3 options for accepting a meeting:
  • Yes
  • Yes in-person
  • Yes virtually

Early screenshots of this functionality do not have any option for answering without sending a response. Could it be that this option is being removed as well...?

source https://supersimple365.com/outlook-additional-rsvp-options/


Tuesday, July 12, 2022

Getting Posten into Homey

Inspired by the lessons from the project of getting Min renovasjon into Homey, I have thrown myself at Posten's solution to see if I can read the mail carrier's route into my Homey as variables.

Posten.no

Posten now delivers mail every other day. This means mail delivery on Monday, Wednesday and Friday one week, and Tuesday and Thursday the next week. It would of course be possible to reproduce this cadence simply by using odd and even week numbers. But Posten has made its own web page where you can look up when to expect mail to be delivered: https://www.posten.no/levering-av-post. This may mean that irregularities can occur here, and a smart home should of course catch those.

Monday, July 11, 2022

Automatic file upload from legacy server to Microsoft 365

Companies that have gone through several generations of IT systems will have to make their cloud journey in small steps - system by system. Devices and document storage are quickly moved to Microsoft 365. Special Line of Business systems may take longer to cloudify. This can present challenges in making data from dinosaur systems available to users of the modern Microsoft 365 platform.

The challenge from a real world scenario

I was challenged by a customer with a production environment running in an old on premises environment while all users and endpoints had converted to Microsoft 365. They had challenges in reaching reports that were produced on premises and needed a solution to have this data automatically uploaded to Sharepoint for easy and modern access. Challenge accepted!

Solution

Read on to get a detailed insight into the solution that made the desired elasticity in the migration to the cloud. 

Sharepoint Site

We started out by creating a separate Sharepoint site for the purpose.

We planned to create an Azure App registration with limited rights for the SharePoint site, where authentication will be done with a private certificate between the server on premises and the online Azure/Sharepoint environment.

Private Certificate

The private certificate is created in Powershell on the server on premises which will upload the data. The PFX private key of the certificate will be installed on the server, while the CER public key of the certificate will be installed in Azure.
$cert = New-PnPAzureCertificate -OutPfx .\pnp.pfx -OutCert .\pnp.cer -CommonName "SP Upload" -ValidYears 5

The PFX private key certificate is installed on the server from an elevated powershell.
Import-PfxCertificate -Exportable -CertStoreLocation Cert:\LocalMachine\My -FilePath .\pnp.pfx

The certificate can now be verified in the Microsoft Management Console (MMC) within the Certificates Snap-in for Local Computer.

Azure App Registration

Inside Microsoft Azure Admin Portal - Azure Active Directory we find App Registrations where a new registration is added.

The registration will be given a name, and it will be set as a Single tenant type.

Once the App Registration has finished, take a note of the Application Client ID.

Assign Sharepoint permissions

Inside the Application Registration, we find the API Permissions which now should be assigned for Sharepoint.

Located under Application permissions, the "Sites.Selected" permission is added.

Admin consent is given.

With the "Sites.Selected" permission set, I am now able to give rights for this App Registration to specific Sharepoint sites. This is done with Microsoft Graph API, and for this tutorial I will be using Graph Explorer. First I run a GET in order to receive the ID for the Sharepoint site:
https://graph.microsoft.com/v1.0/sites/tenantname.sharepoint.com:/sites/SPSiteName?$select=id

The number in the middle from the response will be the ID we need. Test this by running a query for permissions on this ID in Graph Explorer: https://graph.microsoft.com/v1.0/sites/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/permissions

You might get an error at this point which you can get past by giving consent to the site.

Now it's time to give write access to the actual site for the current app registration. This is done by the following code as a Post operation:
{
    "roles": [
    "write"
    ],
    "grantedToIdentities": [
    {
        "application": {
            "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
            "displayName": "SP SITE NAME"
        }
    }
    ]
}

Add the code to Microsoft Graph Explorer as Post and run the query.

At this point, the Azure App Registration has rights to write to the specified Sharepoint site.

Assign Certificate for authentication from the on premises server

I am now uploading my public key certificate created on the on premises server to prepare for the authentication. This is done from Manage - Certificate & Secrets - Certificates - Upload Certificate:


Script for upload of data

Access to the site by use of the certificate can now be tested in Powershell with the PnP.Powershell module from the actual server.
# Install-Module PnP.Powershell
Import-Module PnP.Powershell

# Certificate-based sign-in as the App Registration; the tenant, client ID and thumbprint below are placeholders
Connect-PnPOnline -Tenant XXXXXXXXX.onmicrosoft.com -ClientId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX -Thumbprint XYXYXYXYXYXYXYXYXYXYXYXYXYX -Url https://TENANTNAME.sharepoint.com/sites/SITENAME


The command Get-PnPList will now list all content on the site. Take note of the last part of the URL for the Document library. This is used in the $SPFolder variable in the following script.

I have now created a short script which will upload all files from a defined folder on the on premises server to the Sharepoint site. Uploaded files are then moved to a separate folder on premises.
# Install-Module PnP.Powershell
Import-Module PnP.Powershell

# Certificate-based sign-in as the App Registration; replace the placeholder values with your own
Connect-PnPOnline -Tenant tenantname.onmicrosoft.com -ClientId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -Thumbprint <your-certificate-thumbprint-goes here> -Url https://tenantname.sharepoint.com/sites/SharePointSiteName

# Target document library (last part of its URL) and the local pickup folder
$SPFolder = "Shared Documents"
$Files = Get-ChildItem "C:\Simon\ToImport"
foreach ($File in $Files) {
    # Only files are uploaded; subfolders are skipped
    if ($File.PSIsContainer -ne $true) {
        Write-Host $File.FullName
        $Upload = Add-PnPFile -Folder $SPFolder -Path $File.FullName
        # Move the local copy out of the pickup folder once it has been uploaded
        Move-Item -Path $File.FullName -Destination "C:\Simon\Imported"
    }
}

A test-drive of this script verifies that the file is uploaded to the Sharepoint site and the document is moved to the defined subfolder on the on premises server.

The script can now be added as a scheduled task on the on premises server with powershell as the program/script, and "-ExecutionPolicy Bypass -File C:\Simon\UploadFilesToSharePointLibrary.ps1" as the argument. Note that -File has to come last, since everything after it is passed to the script as arguments.
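As an added example (not the blog post's own script), a hardened version of the upload loop above: it checks that the private key is in the machine store, only moves a file after SharePoint has confirmed the upload, logs every run, and returns a non-zero exit code so failures show up in the scheduled task. Tenant, client ID, thumbprint and paths are placeholders to be replaced with your own values.

```powershell
<#
  Added example, not the blog post's own script. Same App Registration and
  certificate as above; tenant, client ID, thumbprint and paths are placeholders.
#>
param(
    [string]$Tenant     = "tenantname.onmicrosoft.com",
    [string]$ClientId   = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    [string]$Thumbprint = "<your-certificate-thumbprint>",
    [string]$SiteUrl    = "https://tenantname.sharepoint.com/sites/SharePointSiteName",
    [string]$SPFolder   = "Shared Documents",
    [string]$ImportDir  = "C:\Simon\ToImport",
    [string]$DoneDir    = "C:\Simon\Imported",
    [string]$LogFile    = "C:\Simon\UploadFilesToSharePointLibrary.log"
)

Import-Module PnP.PowerShell -ErrorAction Stop

function Write-Log([string]$Message) {
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# The task runs without an interactive user, so the private key must live in the
# machine store (where Import-PfxCertificate above put it), not in a user store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert -or -not $cert.HasPrivateKey) {
    Write-Log "No usable private key for thumbprint $Thumbprint in LocalMachine\My"
    exit 1
}

try {
    Connect-PnPOnline -Tenant $Tenant -ClientId $ClientId -Thumbprint $Thumbprint `
        -Url $SiteUrl -ErrorAction Stop
} catch {
    Write-Log "Connect-PnPOnline failed: $($_.Exception.Message)"
    exit 1
}

New-Item -ItemType Directory -Path $DoneDir -Force | Out-Null

$failed = 0
foreach ($File in Get-ChildItem -Path $ImportDir -File) {
    try {
        # Add-PnPFile returns the uploaded SharePoint file object; no object means no upload
        $uploaded = Add-PnPFile -Folder $SPFolder -Path $File.FullName -ErrorAction Stop
        if (-not $uploaded) { throw "Add-PnPFile returned nothing" }
        # Move the local copy only after SharePoint has confirmed the upload
        Move-Item -Path $File.FullName -Destination (Join-Path $DoneDir $File.Name) -ErrorAction Stop
        Write-Log "Uploaded $($File.Name) to $SPFolder"
    } catch {
        $failed++
        # The file stays in $ImportDir and is retried on the next scheduled run
        Write-Log "FAILED $($File.Name): $($_.Exception.Message)"
    }
}

Disconnect-PnPOnline

# A non-zero exit makes the failure visible in Task Scheduler's "Last Run Result"
if ($failed -gt 0) { exit 1 } else { exit 0 }
```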

Complementary information

Desmond Tutu once wisely said that "there is only one way to eat an elephant: a bite at a time." What he meant by this is that everything in life that seems daunting, overwhelming, and even impossible can be accomplished gradually by taking on just a little at a time. 

You can't migrate a complex environment in a weekend. You need to do it step by step. I hope this can inspire someone to find smart ways to automate a way from ground to the cloud. 

The following sources were used for inspiration while figuring out this routine:

Wednesday, July 6, 2022

HP Connect for Microsoft Endpoint Manager

To be certain we have a secure system from chip to cloud, it is fundamental to boot the device from a trusted BIOS, often referred to as Secure Boot. HP Connect for Microsoft Endpoint Manager is a cloud application designed to ease the management of UEFI BIOS on supported HP systems. This blog post will cover updating the BIOS on HP devices using MEM.

We need to have control of the boot environment of our managed devices

Please note: This is not a sponsored post!

In May 2022, I delivered 2 speeches in Molde at HP and Microsoft's roadshow along the Norwegian coast. Here, HP Connect for MEM was presented by Tor Petter Abrahamsen from HP. This received attention from many in the audience, and I have set this solution up with several customers after this event.
 

HP Connect for MEM

HP Connect for MEM has a framework to develop BIOS management policies that are published to Microsoft Endpoint Manager device groups. While HP Connect creates the policies, Microsoft Endpoint Manager (Intune) executes them as compliance proactive remediations. No additional software is required to be downloaded or installed in each device. 

HP Connect for Microsoft Endpoint Manager supports the following policy features: 
  • BIOS Updates 
    • Always up to date 
    • Critical versions only 
    • specific version 

  • BIOS Settings 
    • Supported on a per platform basis 

  • BIOS Authentication 
    • HP Sure Admin (HP Sure Admin Infosheet)
    • Passwords

The requirements for using HP Connect for Microsoft Endpoint Manager are:
  • Administrative access to Microsoft Azure
  • An appropriate subscription for Microsoft Endpoint Manager which allows the use of Proactive Remediations

HP Connect is a cloud application free of use, and it interacts directly with an Azure Active Directory tenant to access device groups and to publish BIOS policies to these groups.

Onboarding to HP Connect

  1. Log in to https://admin.hp.com as a Global Administrator for the tenant.
  2. Accept the permissions for the organization. 
After this initial process, an Intune Administrator will be able to log in and use HP Connect for the organization.
The Home page for HP Connect for Microsoft Endpoint Manager

Groups

Under the Groups menu on the left hand menu, you will find security groups imported from Azure Active Directory (AAD). We will create a dynamic device security group in AAD containing all HP devices for this demo.

(device.deviceManufacturer -eq "HP")

The values can be queried directly on the devices if you want to verify the accuracy:
wmic computersystem get manufacturer

After a while, the security group will be populated with devices, and a refresh in the HP Connect portal will reveal the group.


HP Connect Policies

This blog post will concentrate on making sure all BIOSes are up to date. I will not address policies applying settings or controlling authentication in the BIOS this time.

Bios Update Policies

There are 3 types of BIOS update policies supported by HP Connect:
  • Keep BIOS of all devices always updated
  • Deploy only critical BIOS updates
  • Establish a rule for a specific device model

Policy to keep all devices always updated

This time I will create a policy that, when applied to a group of supported devices, makes Microsoft Endpoint Manager (MEM) use the policy as a compliance item to monitor and update every device in the selected group whenever a BIOS release matches a device.

  1. Navigate to Policies in the left hand menu of HP Connect for MEM and create a new policy

  2. Define a Policy Name which will be shown in MEM. Set the policy type to be Bios Update

  3. As BIOS update method, select to "Keep BIOS of all devices always updated".

  4. The new policy will now be created, and it can be applied to Azure AD Groups and published to AAD.




  5. The new proactive remediation policy is now published to MEM.


How is the policy applied?

When the policy is added to Microsoft Endpoint Manager, Intune will use its native Windows 10/11 agent to send the policy action to all devices in the collection at scheduled times. By default, the policy is checked and applied every 60 minutes. This schedule can be modified to run once, every hour or on a daily basis.
The Intune agent sends a task to each device assigned the policy as an action to be performed. The HP action queries the HP cloud for BIOS versions newer than the one installed on the device. If a newer one exists, the signed version is downloaded and applied to the device. This follows these steps:
  • BIOS UEFI capsule bin file is downloaded 
  • The capsule file components are hosted on the UEFI System partition 
  • UEFI BIOS in device is made aware of the pending update 
  • On next reboot, UEFI BIOS performs the update 

A BIOS update policy will not automatically restart the device; therefore, the update will not occur until such action is taken. Once a BIOS update policy is applied, the device will display a toast notification message like the following:


The BIOS update will occur once the device is rebooted.


The overview for the configured proactive remediation gives information about how the script package is performing on the targeted devices.

Note the change in the graphs as a new BIOS version is available and updated

BitLocker recovery key?

Please be aware that some devices will require the user to enter the BitLocker Recovery Key after BIOS and firmware upgrades.

Windows will require a recovery key for BitLocker when it detects a possible unauthorized attempt to access data. This can also happen on changes in hardware, firmware or software which BitLocker finds suspicious and can't distinguish from a possible attack. In such situations the end user can often find the BitLocker recovery keys for their own devices on the device list in My Account (microsoft.com). If not, please refer to the article Finding your BitLocker recovery key in Windows (microsoft.com).

A BitLocker recovery key can be found in My Account if integrated with Microsoft Azure AD
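As an added example (not from the blog post or HP Connect), a proactive remediation script that can run before BIOS policies roll out: it makes sure the OS drive has a BitLocker recovery password protector and escrows it to Azure AD, which is where the text above says users will look for the key. It assumes Windows 10/11 with the BitLocker PowerShell module and an Azure AD joined device; event IDs 845 and 846 in the BitLocker Management log are the documented success and failure events for Azure AD backup.

```powershell
<#
  Added example, not part of the blog post or HP Connect. Remediation side of a
  proactive remediation: ensure a recovery password exists for the OS drive and
  escrow it to Azure AD before firmware updates can trigger a recovery prompt.
  Assumes Windows 10/11 (BitLocker module) on an Azure AD joined device.
#>

$MountPoint = $env:SystemDrive   # normally "C:"

try {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
} catch {
    Write-Host "Cannot read BitLocker status for ${MountPoint}: $($_.Exception.Message)"
    exit 1
}

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Nothing to escrow; unencrypted drives are a finding for a separate compliance policy
    Write-Host "$MountPoint is not BitLocker encrypted"
    exit 1
}

# The recovery password is what the user is prompted for after a firmware change
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    try {
        Write-Host "Adding a recovery password protector to $MountPoint"
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    } catch {
        Write-Host "Could not add recovery password protector: $($_.Exception.Message)"
        exit 1
    }
}

# Escrow every recovery password to Azure AD. Re-running this on each remediation
# cycle is safe and also covers keys that were rotated since the last run.
$failed = 0
foreach ($kp in $recovery) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
        Write-Host "Escrowed protector $($kp.KeyProtectorId) to Azure AD"
    } catch {
        $failed++
        Write-Host "Escrow failed for $($kp.KeyProtectorId): $($_.Exception.Message)"
    }
}

# Event 845 confirms a successful Azure AD backup, 846 a failed one; report the
# most recent so it ends up in the remediation output shown in MEM.
$evt = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846
} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) { Write-Host "Last escrow event: $($evt.Id) at $($evt.TimeCreated)" }

if ($failed -gt 0) { exit 1 } else { exit 0 }
```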


Next step: Bios Authentication Policies

BIOS Authentication is an important aspect of managing, controlling, and securing Windows devices. The BIOS contains the start-up code for the hardware, including settings that should be secured prior to booting into Windows. If the BIOS can be accessed without authentication, a local or remote user may be able to disable basic security features, or introduce malware early into the startup process that Windows may not protect against. 

Now as the BIOS versions are up to date with the newest security and vulnerability updates, the next step should include getting control over the BIOS authentication. That will be the topic of a follow-up blog post.


Tuesday, July 5, 2022

Fortinet VPN Profile distribution with MDM

Fortinet Document Library has a documented routine for distributing the FortiClient application with Intune to Microsoft Windows. This routine works OK, but it is missing information on how to distribute the VPN profiles to the client. This will be the topic for this post.

Installation of the FortiClient application

Please read and follow the document in Fortinet Document Library covering the topic of configuring the FortiClient application in Intune. During this routine you need to download the current FortiClient VPN client and start the downloaded EXE file to download the actual MSI installation. It can be wise to do this in a Windows Sandbox environment. You will find the MSI file in the newest folder with a {randomguid} name under %localappdata%\Temp\.


After this routine has been setup and you have the app distributed to a group and installed, you will find the application available in the system tray on the devices.
FortiClient without VPN profile

Installation of FortiClient VPN Profile

I am using proactive remediations to distribute the VPN profile to the Windows devices. This means an appropriate license SKU is a prerequisite.

The scripts used for detection and remediation are located in my GitHub account.

The detection script checks if a defined VPN profile folder exists in the local Registry.
<#
  .NOTES
  ===========================================================================
   Created on:    27.06.2022
   Created by:    Simon Skotheimsvik
   Filename:      FortinetVPNProfile-Detect.ps1
   Instructions:    https://skotheimsvik.blogspot.com/
  ===========================================================================
 
  .DESCRIPTION
    This script will detect if VPN profile is present
#>

# Defining variables for the VPN connection
$VPNName = "Simons VPN"

# FortiClient stores SSL VPN tunnels as registry keys; a missing key means the profile is absent
if ((Test-Path -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName") -ne $true) {
  Write-Host "Not existing"
  Exit 1   # non-zero exit tells MEM to run the remediation script
}
else {
  Write-Host "OK"
  Exit 0
}

The remediation script will kick in if the detection script finds the profile to be missing.
<#
  .NOTES
  ===========================================================================
   Created on:      27.06.2022
   Created by:      Simon Skotheimsvik
   Filename:        FortinetVPNProfile-Remediation.ps1
   Instructions:    https://skotheimsvik.blogspot.com/
  ===========================================================================
 
  .DESCRIPTION
    This script will create a VPN profile
#>

# Defining variables for the VPN connection
$VPNName = "Simons VPN"
$Server = "vpn.skotheimsvik.no:443"

# Install VPN Profiles
New-Item "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -force -ea SilentlyContinue;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -Name 'Description' -Value $VPNName -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -Name 'Server' -Value $Server -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -Name 'promptusername' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -Name 'promptcertificate' -Value 0 -PropertyType DWord -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName" -Name 'ServerCert' -Value '1' -PropertyType String -Force -ea SilentlyContinue;

if ((Test-Path -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName") -ne $true) {
    $exitCode = -1
}
else {
    $exitCode = 0
}

exit $exitCode

This script package should now be added as a proactive remediation package under Microsoft Endpoint Manager. Assign the package to the same group of computers as the FortiClient installation and set an appropriate schedule.





As soon as the remediation script hits your Windows devices, the FortiClient will get updated with the assigned VPN profiles.

Complementary information

You can find a routine from Alex Durrant in letsconfigmgr.com describing a complete routine deploying FortiClient VPN and Profiles in one run. This has been tested as a good routine! If you have however followed the documentation from Fortinet Document Library or you need to change or add VPN profiles, you need my proactive remediation routine to automate the VPN profiles for your environment.