Author: Julian Rasmussen

BitLocker issues after upgrading to Windows 11

After upgrading my machine from Windows 10 to Windows 11 (Insider) i stumbled onto an issue with BitLocker witch was not enabled anymore on my machine.

I have compliance policies in Microsoft Endrpoint Manager (Intune) witch need`s BitLocker enabled to give the machines the “Compliant” stamp.

When trying to enable BitLocker we got the error message:

So a work-arround to fix this is to delete some registry entries from this location

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

In my system I deleted all marked entries and rebootet the machine.
After the reboot I could enable BitLocker as normal.

CosmosDB access keys

From when ever there is need to rotate access keys to your CosmosDB or any other storage service using Access keys this is the best practis method to do so.

So for CosmosDB these are the steps needed to be used.

  1. Head into Azure portal and navigate to your CosmosDB and select “keys” from the menu.
  2. rotate the “Secondary Access key” by selecting the “Regenerate Secondary Key” from the ellipsis menu
  3. Change the key used within your application to use the newly generated “Secondary Access key
  4. Head back to the Azure portal and rotate the “Primary Access key
Screenshot of the Azure portal showing how to regenerate the secondary key

After these four steps you have rotated both keys within your services and your application is now running on the secondary key. No need to switch to the primary key at this point.

Windows365 – So easy!

Windows365

Windows365 is a Cloud pc for all users and it`s so easy to start using!
In this post I will go through a setup of Windows365 Business in a cloud only tenant and show you how fantasticly easy this is!

There are some pre-requisites that need to be taken in considiration and I`l list them here

  • Azure AD – IAM
  • Maximum 300 users in your tenant
  • Microsoft Endpoint Manager (Intune) for admin/config

So with that “short” list the joker here is that you should have Intune configured allaready as that makes the Windows365 deployment soooo super easy.

Let`s first talk about licenses.

There are Windows365 Business and there is Windows365 Enterprise, as mentioned I will cover the Business version here – so let`s have a look at the different machine sizes.

The pricing is ranged between $24 for the cheapes one and $162 for the most expensive one with most vCPU`s, most RAM and biggest Storage.

  • 1 vCPU and 2GB RAM + 64 GB Storage
  • 2 vCPU and 4GB/8GB RAM + 64GB/128GB/256GB Storage
  • 4 vCPU and 16GB RAM + 128GB/256GB/512GB Storage
  • 8 vCPU and 32GB RAM + 128GB/256GB/512GB Storage

So there are some different licenses to choose from as you see. 12 of them to be exact and i`m guessing everyone can find a license fitting their needs.

In my scenario I`m using the $45 machine with the spec`s “2 vCPU, 8GB RAM and 128GB Storage” this is a machine that run`s the most of my regular work tools.

Provisioning the beauty!

So to the easy part! First off is to buy the license that you need based on your machine size – and when that`s done just simply add the licence to the user you are going to provition a cloud PC for.

That easy!

The user (maybe your own..) can simply logon to https://windows365.microsoft.com/ and access the machine πŸ™‚ First time when you click the to connect the machine it will provition and get ready – in my case this took about 30 minutes – but after that the machine was ready for me to connect to.

about 1 hour later the machine was reporting into Intune that it`s a Compliant computer just like any other physical machine out there!

From the management pane of your cloud pc you can do actions like Restart, Reset, Rename and Troubleshoot.

De-provisioning and cleanup

This is even easier! Just remove the license from the user and the Cloud PC is removed after approximently 30 minutes.

I`m back!

So! I`m back again after not blogging, speaking or “anything” for the community for the last one and half year (since the pandemic started in Norway 12.03.2020)!

I have been spending the summer in paternity leave at home with my 1 year old son and been been recharging my batteries to full and from now on I will be starting with community work again as I feel ready to meet, great and have fun with all you fellow community people again.

The pandemic has physically drawn me down to a place where i have not been able to contribute to the community at all. I used all my energy on delivering my hours at work and spending time with my family at home.

Now that we see the end of the pandemic i feel energized and ready to work hard both from our company offices and from home when that`s needed!

Next community talk is our “Office 365 User Group Agder” meetup in Kristiansand Norway where I will be delivering the “What`s new” section. This will be a in-person event with both food and drinks complimented to our guests! SO EXITED!!

I will also work hard on getting back on stage on other conferences and meetups moving forward!

See you guys arroud – Cheers

List all users and their manager

Sometime we need to gain a list of all users and their managers so the managers can get a review of “their” staff!

An easy oneliner within PowerShell using AzureAD ps module is this one. this takes the first 4000 users and export them to CSV


Get-AzureADUser -Top 4000 | select UserPrincipalName,@{n="Manager";e={(Get-AzureADUser -ObjectId (Get-AzureADUserManager -ObjectId $_.ObjectId).ObjectId).UserPrincipalName}} | Export-Csv C:\Temp\YOURUSERS_usr_with_manager.csv -Encoding UTF8

EO Archive issue

So! Today I got an issue from a client of mine! One of his mailboxes where full! meaning that 99GB of emails was in that mailbox. So! We need archiving.

Wen`t on it and created a Archive mailbox for that mailbox and wanted to start the Folder assistant to actually do some archiving for me!

For the record I created a Retention tag that should archive emails older that 1 year and then added that to a Retention Policy witch i added to the user, then runned the Foler assistand! BOOOOM! Error..

After checkin a bit and tried several commands i went for the last option by using GUID while running the command and you know what? That works!

Why? Yes because when you run it against the UPN or Identity the command just picks the first and best GUID for that user and that`s the Archive mailbox (facepalm).

So by manually adding the right GUID everything works fine and the mailbox was “fixed” πŸ™‚

get-mailboxLocation –user username@domain.no | fl mailboxGuid,mailboxLocationType

MailboxGuid         : 636aad27-xxxx-463c-xxxx-d256c8c18716
MailboxLocationType : Primary

MailboxGuid         : cd4dbe38-xxxx-4d2b-xxxx-0237bf1a2f78
MailboxLocationType : MainArchive

Start-ManagedFolderAssistant 636aad27-xxxx-463c-xxxx-d256c8c18716

Enterprise application – Admin consent workflow

The new built-in admin consent workflow within AzureAD Enterprise Application is amazing!

This feature will give you the control that you need to take care of your companies sensitive information like user id`s, files, email accounts etc.

Did you know that malicious applications is often a start of a sophisticated phising attack?

If a malicious application get`s the right permissions it could be a bad situation for your company!

Just have a look at this random application and what that app can retreive, other also gives a complete user list of all the employees back to the app developers.

In this case ALL files that this user has access to does this app now have access to read – meaning that`s there is no secrets anymore.. 

So to be able to block and and have controll over the applications that get`s granted to your AzureAD tenant you should use the new “Admin Consent Workflow” within AzureAD. This feature is in preview at the moment but I highly recomend using it.

It takes two minute to configure and after it`s configured the users see`s this when trying to connect a thirdparty application to your tenant

Admin consent user request and justification

After this request is sent – the admin that is configured within the workflow get`s an approval email and can easlly approve consents πŸ™‚

The configuration looks like this:

Please have a look at the official documentation and enable it for your deployment!

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow#enable-the-admin-consent-workflow

Get your data to your home country!

If your Microsoft 365 tenant like mine is located in a region that not`s include your country then this is how you should configure your tenant to get the data as close to you as posible!

(if Microsoft has opened a Datacenter in your country of course :))

Why move your data?

There are several improvements by getting your data moved to a closer datacenter.

  • Improved latency to the services
  • Data stored in your own country
  • Still have DR capabilities outside of your country if infrastructure failes
  • Multi-geo capabilities to many more closeby countries for your staff

The latency improvements are incredible! I have noticed this when using a SharePoint Online site located in Europe vs. In my home country Norway. The latency against Norway was much much better and when using the service it feels much more “snappy”.

Creating a new Microsoft 365 tenant for everyone living in Norway will create the data store in Norway aswel for the services

  • Exchage Online
  • SharePoint Online
  • Microsof Teams

When to do it?

Microsoft has released a table of when the Request period for requesting a move of data, take a look here to have a look for your country!

https://docs.microsoft.com/nb-no/Office365/Enterprise/request-your-data-move#when-can-i-request-a-move

For us in Norway this means that we need to opt-in by the end of October to be migrated and get our core customer data at rest in Norway.

When will your data be moved?

A catch with all this is that Microsoft says that they may use 24 months to move your data! TWO years for migrating it to new datacenters.. But that said, it can happend faster. After you request a move of data, Microsoft will plan to move your company data as soon as operational constraints allow.

How to request a move of data?

It`s quite easy to request a move of data!

Head in to “Settings -> Organization profile -> Data residency” and check the checkmark and “Save changes” then wait πŸ™‚

To look at where your data is at the moment head into the “Data location” in the same menu under Organization profile and have a look πŸ™‚

Get started with Microsoft Endpoint Manager

In this post I want to go through some steps that I think is quickest method to get started with Microsoft Endpoint Manager. This will not cover ALL the features but it will give you an quickstart to the service.

For instance, what shold you start with?

To be honest, start with something easy and creates quick ROI (Return of investment) and that could be more than just how to get my money back – rather it could mean that your infrastructure is getting more secure.

So to start with something “easy” let`s kick it of with mobile devices. Many companies does not have any Mobile device management in place and their Cloud services is available for EVERYONE to attache to. So let`s start with demanding compliant devices and closing the door for others!

Requirements:
Microsoft 365 E3 / E5
or
EMS E3 / E5
or
Intune licenses

Devices
Android devices will work straight “out of the box” with Intune but to be able to join iOS/iPadOS Devices to Intune we need to generate and apply a “Apple MDM Push certificate”.

Let`s start with the Certificate for Apple devices (this certificate is also needed for MacOS devices). The only thing you need here is an Apple ID and follow the guide from “Devices -> iOS enrollment -> Apple MDM Push Certificate”. When this is in plnace we can procede.

When it`s created you have a valid Certificate for the next 365 days. That means that you need to remind your self to renew the certificate every year! When the certificate expires your intune services will stop against Apple devices.

So what is a compliant device?

A compliant device is a device registred to Intune and has passed the Compliance policy that you have created.

The policy can contain several “settings” that must be enabled or set on your device for it to be marked as “Compliant Device”. For iOS/iPadOS we have at the moment (04.04.2020) 17 settings we can check to validate the device and for Android 19 settings (04.04.2020).

Here is a simple set of compliant device policies for Android and iOS.

iOS/iPadOS Comliance.

Navigate to “Devices -> iOS -> Compliance policies” and create a new policy. Give it a name, set some settings and click create. In this policy i have just put on two settings, “block Jailbroken devices” and “Require password to unlock device”

Hit Create and go to “Assignments”, in this menu we will assign the policy to all users so that everyone that tries to enroll their device will get the policy.  (this is the same step for both iOS and Android).

Android Compliance

Navigate to “Devices -> Android -> Compliance policies” and create a new policy. Give it a name, set some settings and click create. In this policy i have just put on two settings, “block Rooted devices” and “Require password to unlock device”

And like the iOS policy we need to assign it to all users, so head in to Assignents after creating the policy and assign it to all users.

Block devices that are not compliant

To block users from connecting with other devices we will use Conditional Access to prevent devices that are not enrolled in your organization. The policy is created from the Microsoft Endpoint Manager portal under “Endpoint security -> Conditional Access. Create a new policy and name it “Require compliant devices”

The policy looks like this and will of course not block the Intune enrollment portal 😊

  • Users and groups
    • Include all users and create exclution for users you want to exclude from the policy
  • Cloud Apps or actions
    • Include “All cloud apps” and click on “Exclude” and search after “Microsoft Intune Enrollment”
  • Conditions
    • Device platforms, configure it and choose Android and iOS from the list.
  • Access controls
    • Grant access and choose “Require device to be marked as compliant”

Now you can enroll your first device, i`ll show it with an iPad her, but first you need to downlod the Company Portal to your iPad.

Then you stat the application and sign in – then starts the enrollment of the device.

Sign-in

setup device

Apply profile

Enrolled!

When that`s completed the device is registred in the Device pane in Microsoft Endpoint Manager Admin Center and you`ll see complance status on it.

That`s it! Now you have a new requirement for all users, they need to enroll their devices (mobile devices) within Microsoft Endpoint Manager to gain access to cloud resources!

Until next time – stay safe and secure!

What is Microsoft Endpoint Manager?

Many people wonder what Microsoft Endpoint Manager is and how to quickly gain value to their company by using it.

In this post i will give you some quick information on what it is and later on create a how to get started quckly with Microsoft Endpoint Manager!

So what is Microsoft Endpoint Manager?

Some people are saying “It`s the new name of Intune” and that`s not what it is at all! or Intune is in there, but it`s so much more.

MS Endpoint Manager is a tool set witch are combining several solutions and gives you “One place to manage” several infrastructure services. To name them:

  • Microsoft Intune (ofcourse :))
  • Microsoft Endpoint Configuration Manager (SCCM)
  • Windows Autopilot
  • Desktop Analytics
  • Microsoft Defender ATP
  • Azure Active Directory

By doing this Microsoft achieves a ground breaking new management solution for us that gives us ability to manage all major platforms like Windows devices, Apple devices, Linux distros and Android devices.

So to be clear, Microsoft Intune or Microsoft Endpoint Configuration Manager (SCCM) will not be discontinued! They both will live their life but be combined with Microsoft Endpoint Manager.

So what do you need to start using Microsoft Endpoint Manager?

You need to have either Intune licenses or SCCM licenses and you also need to have Azure Active Directory Premium P1 to utilize Azure AD Conditional Access.

I will in the next blogpost come up with a brief guide om how to get started using Microsoft Endpoint Manager and quickly gain usage of yours EMS package!

Stay tuned for more secure devices!