Tim D'Annecy

#Windows #Azure #AVD

Recently, a company I work with requested a way for users to access a web app that they were hosting on-premises, but didn't want to open up connections to the app to the internet. The app is out of support from the vendor and can't be opened outside of their secure network.

We planned to allow access to the app by instructing users to connect over a VPN, but we found this would be a hassle for users, as they would need to install the VPN client, connect to the VPN, and then launch a browser to access the app. In this case, the site also requires IE11 with a custom extension to be installed. These requirements just to access a single site really made it a headache for users and the Helpdesk received regular tickets from staff who had issues accessing the site.

Instead of the VPN approach, we deployed a Microsoft Edge shortcut in Azure Virtual Desktop. This approach has advantages because it allows users to launch a browser window and jump onto the network that the Host Pool is connected to. If you have your networking configured correctly in Azure, you can access internal sites and apps without going over the internet directly from the client PC. This also allows you to control the browser version and other settings that are configured in the Host Pool. If paired with Intune policies, you can define the browser settings and extensions that are available to users and require certain sites to open in Internet Explorer Compatibility Mode. This could be helpful if you have a legacy app that only works in IE11 and requires a specific extension to be installed.

In this post, I'll show you how to deploy a Microsoft Edge shortcut in Azure Virtual Desktop.

To start, you must have an existing Azure Virtual Desktop deployment set up with Host Pools and a Workspace. You'll also need at least Contributor access to the Resource Group you're working in.

Create a new Application Group in Azure Virtual Desktop.

On the Basics tab, make the following changes:

• Subscription and Resource group – Set for your AVD environment.
• Host Pool – Select the Host Pool you want to deploy the shortcut to.
• Application group type – Remote App (RAIL)
• Application Group name – Something like BrowserShortcuts

On the Applications tab, click the “Add applications” button and set the following properties:

• Application source: File path
• Application path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
• Application name: Your shortcut name
• Display name: Your shortcut name
• Icon path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
• Icon index: 0
• Description:
• Require command line: Yes
• Command line: http://google.com/

If you want multiple tabs to open, separate the URLs with a space. For example, http://google.com/ http://bing.com/

On the Assignments tab, select your user or group:

On the Workspace tab, change the “Register application group” to “Yes” and you should already have an application group assigned.

You can leave the Advanced and Tags tabs as default.

After saving the Application Group, you should see the shortcut in the Azure Virtual Desktop client in a few minutes. You may need to click the Refresh button to force it to update:

These steps allow you to deploy secure web apps inside your AVD deployment. Whether you're connecting to a legacy web app that you're hosting on prem or you have specific application or environment requirements that you need to meet, this is a great way to provide access to your users without having to jump through hoops.

If you combine this Edge shortcut with Intune policies that require Edge to open certain sites in Internet Explorer Compatibility Mode, you can ensure your users can easily access apps and sites quickly without compromising your secure internal network.

Discuss...

#Windows #Azure #AVD #Intune

I recently had an issue with an Azure AD Joined host pool in Azure Virtual Desktop where users could not successfully login using their Azure AD credentials.

In our environment, both the client computer and the Azure Virtual Desktop host computer are Azure AD Joined. The user was able to log in to their Azure AD Joined computer, but when they tried to log in to the Azure Virtual Desktop host computer, they would get an error message:

Couldn't connect. Something went wrong when we tried to connect. If this keeps happening, ask your admin or tech support for help. Error code: 0x9735 Extended error code: 0x0 Activity ID: {e194ae11-b2ed-4d33-9520-c1d5ed140000}

The error message the users received came after a loop of unsuccessful logins using a combo of azuread\user or user@domain.com that would say “Establishing Connection”, “Configuring Gateway”, “Securing connection to remote PC” and then fail with the following error: “The username and password used to connect to the remote resource didn't work. Enter a different account and try again.”

As a note: Connections to Host Pools in a different AVD environment that are joined to Active Directory work fine. The issue seems to occur when the client computer and the AVD host computer are Azure AD Joined.

Currently, as of February 2023, the official Microsoft package for the Remote Desktop app in the Microsoft Store installs an old version of 10.2.3000.0 that has bugs connecting to Azure AD Joined Azure Virtual Desktop Host Pools. This buggy version impacted our organization because we deploy the Microsoft Remote Desktop app using an Application Deployment in Intune. We've tested this issue using the Microsoft Store for Business, Microsoft Store (Legacy), and the new Microsoft Store (WinGet) deployments and all of them have the same issue and run the same version:

The workaround for this error is to uninstall the Microsoft Store version of the application and install the latest version of the Remote Desktop app from the Microsoft website at this link: https://learn.microsoft.com/en-us/azure/virtual-desktop/whats-new-client-windows

I manually installed Public Release version 1.2.3918.0 and it fixed my connectivity issues. To get this rolled out to your Intune devices, you will need to package the MSI file from the Microsoft website and deploy it using an Application Deployment in Intune.

I hope this helps someone else who is having this issue. Microsoft should really update the Microsoft Store version of the Remote Desktop app to the latest version to avoid this issue.

References

• https://www.anoopcnair.com/avd-azure-ad-joined-vm-login-issue-error-0x9735/
• https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows

Discuss...

#Netsuite

I recently had a request to make expense reporting easier for a finance department. They wanted an easier way to get their employees' reported expenses into Netsuite and associate them to an expense report without a lot of manual entry. The process they were using required the employee to email receipts to the finance department, then someone would take time out of their day to manually enter the expenses one-by-one into Netsuite. This was a time consuming process and prone to errors.

To make things easier, I created a CSV import that would allow them to import expenses in bulk and then review them before submitting the expense report.

CSV file template

The process begins by creating a CSV file with the following columns:

EXTERNAL ID	EMPLOYEE	STATUS	DATE	AMOUNT	FOREIGN AMOUNT	CURRENCY	EXCHANGE RATE	EXPENSE CATEGORY	MEMO	SOURCE TYPE	IMPORT TYPE	CARD CURRENCY	CORPORATE CARD
20230202-01	Jane Doe	Ready	1/31/2023	12345.67		USD		CC – Printing and Copying	Test	Visa		USD
20230202-02	Guy Person	Ready	2/1/2023	5555.11		USD		CC – Postage and Delivery	Test 2	American Express		USD	TRUE
20230202-03	Tim Kavaklian-D'Annecy	Ready	2/2/2023	987.65		USD		CC – Travel-Airfare	Test 3	Mastercard		USD

Save the CSV somewhere on your computer and open it in Excel. The first row is the header row and the second row is an example of the data that needs to be entered. The columns are as follows:

The values for these columns come from Netsuite and you will need to copy and paste the valid entries into the CSV for it to be imported correctly:

• External ID – This needs to be a unique value. I recommend using the date with a number (e.g. 20230202-01).
• Employee – This needs to be a name from the “Employees” page.
• Status – For you to add it to an Expense Report, this value needs to be set to “Ready”.
• Date – Format is mm/dd/yyyy (e.g. 02/02/2023).
• Amount – No currency indicator, just raw number (e.g. 123.45)
• Foreign amount – I left this value blank.
• Currency – This needs to be set as a valid currency. In the Sandbox, USA is the currency. This is found under Lists > Accounting > Currencies.
• Exchange rate – I left this value blank.
• Expense category – This value needs to be set as one of the named categories under Setup > Accounting > Expense Categories (e.g. CC – Printing and Copying).
• Memo – This field can be blank or a short description.
• Source Type – This needs to be set as a value from Setup > Accounting > Accounting Lists > Type: Payment Method (e.g. American Express, Visa)
• Import Type – I left this field blank.
• Card Currency – This needs to be set as a valid currency. In the Sandbox, USA is the currency. This is found under Lists > Accounting > Currencies.

• Corporate Card – This can be set as “True” or “False”.

  CSV Import setup

After filling in the information in the CSV file, navigate in Netsuite to Setup > Import/Export > Import CSV Records.

In the Import Assistant, set the “Import Type” to Employees and the “Record Type” to Imported Employee Expenses. Change the CSV file location to your imported file then click the Next button:

If you don't have a “Imported Employee Expenses” item, you will need to enable this feature first.

Leave the Import Option as “Add” and click the Next button:

On the Field Mapping page, leave the values as default and click the Next button:

On the “Save mapping…” page, hover over the dropdown arrow and click “Run”:

The job will begin to import. Click on the “Import Job Status” link to view the progress:

The MESSAGE column will indicate any issues with your import. Click the “CSV Response” link to download a report:

These records will need to be re-imported once remediated:

Associating Employee Expenses with Expense Reports

Back in Netsuite, once you have all of the records re-imported, navigate to Transactions > Employees > Imported Employee Expenses. Choose the Employee from the dropdown or select “-All-” and add more filters. Select the items you want to import, then click the “Add to New Expense Report” button:

From there, you can see the imported Expenses at the bottom of the page and submit the report:

A note about permissions

I created this report and can run it with the Administrator Role.

If you want to allow your users to access this report, you will need to make the visibility “Public”.

Additionally, update each users' Employee page under Access > Global Permissions > Imported Employee Expenses. I set this value to “Full”, but you might be able to just set to “Create”:

Conclusion

I wanted to write this up as a blog post because I think it's a good example of how you can use the CSV import feature to make your life easier.

I also wanted to write this down because Netsuite is overly complicated and there is no free training available. I'm sure someone else has had this same issue and is looking for a solution.

Discuss...

#Exchange #AzureAD

Microsoft has announced several times that they are depreciating Basic Authentication for Exchange Online soon, possibly this month (January 2023).

A recent post has information about the deprecation and how to prepare for it.

I wanted to write down how to identify any Basic Authentication usage in your environment from that post and simplify it to just a few clicks. This is a good way to identify any applications that are using Basic Authentication and need to be updated before they get blocked.

Navigate to the Azure AD portal sign in to Azure AD with an account that has Global Administrator permissions.

Select Azure Active Directory > Sign-in logs:

Add some filters in the top bar, specifying the time range you want to search. For Client app select all options that are under the “Legacy Authentication Clients” section of the dropdown:

To filter out the brute force login attempts, change Result type to Success.

This list will give you all of the sign in attempts that are using Basic Authentication. You can then use this list to identify the applications that are using Basic Authentication and update them before they get blocked:

The easiest way to get these logins remediated is to implement an Azure AD Conditional Access policy that blocks or audits Basic Authentication. You can then use this information and contact the application owners or users to get these methods updated.

Discuss...

#Azure

After setting up RedCap in Azure in a previous post, I got a request to add an external person to your RedCap installation. I wanted to document what I did to make it easier for others.

To make user management easier, I created an Assigned Security Group in Azure AD titled “RedCap Users”. I then added the Group assignment to the RedCap app in Azure AD at Enterprise applications > RedCap > Users and groups > Add user/group:

After I assigned the Group to the app, I invited my external Gmail account to the Azure AD tenant at Users > New user > Invite external user:

I added my user information, then added the account to the RedCap users group:

After I added the account, I needed to change the setting in Azure AD to allow external Microsoft accounts to access Redcap. To do this, I needed to change the App Registration Manifest, found in Azure AD > App registrations > RedCap > Manifest.

I changed 2 values from the default:

• "accessTokenAcceptedVersion": Null, ↪ "accessTokenAcceptedVersion": 2,
• "signInAudience": "AzureADMyOrg", ↪ "signInAudience": "AzureADandPersonalMicrosoftAccount",

After making these changes, I checked my email and completed the invitation to the Azure AD tenant:

After going through the signup process, I see the App listed in the My Apps page for my Guest account:

After clicking through, I was able to setup my RedCap account and was authorized to login:

My RedCap user account shows up as my email at tdannecy_gmail.com#ext#@DOMAIN.onmicrosoft.com, indicating that I am a Guest/External account in the tenant:

When I login as a RedCap administrator, I can see my Guest account has been added to the Browse Users list:

I hope this was helpful to others. It took me a bit to find the attribute I needed to change in the Manifest to get it working.

Discuss...

#Windows #Intune

A company I'm working with requested an Application Deployment of Word LTSC using a Multiple Activation Key (MAK) purchased through Volume Licensing in their Intune/Endpoint environment.

To deploy Office LTSC, I needed to have the MAK key in hand before starting this process, as you'll need it when zipping up the .intunewin package.

To keep things clean, I'm building my package at C:\temp\package

Create an XML configuration for installation using the Office Customization Tool

Open the Office Customization Tool page and begin defining your settings for deployment:

• Products and releases
  • Architecture: 64-bit
  • Products: Select the products that you want to deploy.
  • Office Suites: I selected Office LTSC Standard 2021 - Volume License
  • Update Channel:
  • Select the update channel: Office LTSC 2021 Perpetual Enterprise
• Language
• Installation
  • Installation options
  • Where do you want to deploy Office from? Office Content Delivery Network (CDN)
  • Show installation to user: Off
  • Shut down running applications: Off
• Update and upgrade
  • Update and upgrade options
  • Where do you want to deploy updates from? Office Content Delivery Network (CDN)
  • Automatically check for updates On
  • Upgrade options
  • Uninstall any MSI versions of Office, including Visio and Project Off
  • For uninstalled MSI versions of Office, install the same languages Off
  • Automatically upgrade to the selected architecture On
• Licensing and activation
  • Automatically accept the EULA On
  • Product Key
  • Office LTSC Standard 2021 – Volume License MAK and paste in your 25-character key value here.
  • Product activation
  • User based
• General
  • Customize as needed.
• Application preferences
  • Customize as needed.

Save this XML file at C:\temp\package\install.xml

Here is the contents of my file to just install Word and allow regular updating:

<Configuration ID="f42ea3d0-d7a4-46bf-8a49-594df9549b6f">
  <Add OfficeClientEdition="64" Channel="PerpetualVL2021" MigrateArch="TRUE">
    <Product ID="Standard2021Volume" PIDKEY="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX">
      <Language ID="en-us" />
      <ExcludeApp ID="Excel" />
      <ExcludeApp ID="OneDrive" />
      <ExcludeApp ID="OneNote" />
      <ExcludeApp ID="Outlook" />
      <ExcludeApp ID="PowerPoint" />
      <ExcludeApp ID="Publisher" />
      <ExcludeApp ID="Teams" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="0" />
  <Property Name="FORCEAPPSHUTDOWN" Value="FALSE" />
  <Property Name="DeviceBasedLicensing" Value="0" />
  <Property Name="SCLCacheOverride" Value="0" />
  <Property Name="AUTOACTIVATE" Value="1" />
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>

Create an XML configuration for uninstallation

Open Notepad or another text editor like VS Code and create an XML file at the location C:\temp\package\uninstall.xml

Add the following information:

<Configuration>
    <Display Level="None" AcceptEULA="True"/>
    <Property Name=""FORCEAPPSHUTDOWN" Value="True"/>
    <Remove>
        <Product ID="Standard2021Volume"> </Product>
    </Remove>
</Configuration>

Be sure to change your Product ID to match what you have in your install.xml file that was generated by the Office Customization Tool:

Create an .intunewin package

To perform the next steps, you will need to download two apps, the Office Deployment Tool (ODT) and the Microsoft Win32 Content Prep Tool.

Install the Office Deployment Tool (ODT)

1. Download the ODT from Microsoft's website and run the application: https://www.microsoft.com/en-us/download/details.aspx?id=49117
2. You will need to select a destination to extract the files. I'm using C:\temp\
3. When the extraction is complete, you should have 5 files in the folder:
4. Move the setup.exe file to C:\temp\package\setup.exe

Use the Win32 Content Prep Tool

1. Navigate to the Microsoft Win32 Content Prep Tool from Microsoft's Github site: https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool
2. Click on the Code icon and select “Download Zip”:
3. Unzip the file in a location like C:\temp
4. Open Powershell or the Windows Terminal and navigate to the location by typing: cd C:\temp\Microsoft-Win32-Content-Prep-Tool-master
5. Run the app “IntuneWinAppUtil.exe”
6. Make sure you have the 3 files in your C:\temp\package directory before proceeding:
   • setup.exe
   • install.xml
   • uninstall.xml
7. Fill in the prompts with the following information:
   • Please specify the source folder: C:\temp\package
   • Please specify the setup file: C:\temp\package\setup.exe
   • Please specify the output folder: C:\temp\package
   • Do you want to specify catalog folder (Y/N)? N
8. The package will begin to build and you'll see a file created at C:\temp\package\setup.intunewin :

When the process is complete, you are ready to upload the package to Intune and configure your Application Deployment.

Create an Application Deployment in Intune

1. Navigate to the Intune/Endpoint dashboard: https://endpoint.microsoft.com/

2. Navigate to Apps > Windows and click the “Add” button. Select “Windows app (Win 32)” from the dropdown list and click the “Select” button:

3. On the App Information tab, click “Select app package file” and upload your setup.intunewin file from C:\temp\package. Click the OK button:

4. Back on the App Information tab, begin by filling in some basic information about the package and click the “Next” button when finished:

5. On the “Program” tab, configure the Install Command and Uninstall Command fields and leave the rest default. Click “Next” to continue:

   • Install command: setup.exe /configure install.xml
   • Uninstall command: setup.exe /configure uninstall.xml
   • Install behavior: System
   • Device restart behavior: App install may force a device restart

6. On the “Requirements” tab, set the following options and click Next to continue:

   • Operating system architecture: Set this value based on your Office Customization Tool setting.
   • Minimum operating system: Windows 10 1607

7. On the “Detection rules” tab, set the following options and click Next to continue:

   • Rules format: Manually configure detection rules
   • Rule type: Registry
   • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\
   • Value name: 16.0
   • Detection method: Key exists
   • Assocated with a 32-bit app on 64-bit clients No

8. Leave the “Dependencies” and “Supersedence” tabs unconfigured.

9. On the “Assignments” tab, select the group you want to target for deployment or uninstallation.

10. Double check the options on the “Review + create” tab and then click “Create” to begin uploading your package.

After the application is uploaded, your deployment will begin:

The setup.exe package will always pull the latest version of Office from Microsoft, but your install.xml file determines whether the applications will be automatically updated. If you need to push a new version or a different version (e.g. Standard or ProPlus), you may need to repackage and deploy again.

I hope this is helpful to someone and I wanted to write my steps down in case I have to go back and fix something later.

Discuss...

#Azure

I recently got a trial of Lucidscale, a tool that can ingest your Azure environment and automatically create a resource visualization diagram.

I am pretty happy with the product and will recommend that my company purchase it for client work.

I wanted to detail the setup process in Azure so it's easy to use.

To get Lucidscale to interact with your Azure subscription, you will need to be a Global Administrator. To try Lucidscale, you will need a trial. Once you get that setup, you can continue to configure it.

First, navigate to the main Lucid website and click New > Lucidscale > Azure Model:

We will need to configure the subscription information to connect into Azure. Click “Open Data hub to Import Subscriptions”:

Click “New Subscription”:

You can automate using an Azure CLI script, but for now let's set it up manually. Click “Azure AD Application”:

Now, we are ready to configure your Azure environment to allow access to the tool. Open a new tab and navigate to Azure Active Directory. Click “App registrations” and then click “New registration”

Inside the wizard, type the name you want to use and then click “Register”. Leave the other options on the default setting:

After registering the app, open the configuration settings inside Azure AD. Navigate to the “Overview” blade and copy and paste the Application (client) ID and Directory (tenant) ID over into the Lucidscale setup page:

After pasting in that info, navigate to the “Certificates & secrets” blade in Azure AD and click the “Client secrets” tab. Click “New client secret”. Fill in a name and click “Add”:

Once you've created the secret, copy and paste the “Value” of the client secret from the Azure AD page into the “Client Secret” box in Lucid:

After pasting in the three required values, enter an Application name in Lucid. I named mine after the client company.

Now, we will need to give permissions to the App Registration so that it can read the Azure environment. Navigate to the Subscription blade in Azure and click on the one you want to use. Click on the “Access control (IAM)” blade, then click “Add > Add custom role”:

On the “Basics” tab, type a Custom role name. I used “Lucidscale import”. Under “Baseline permissions”, select “Start from JSON” and upload the following file:

{
    "properties": {
        "roleName": "Lucidscale import",
        "description": "Role that gives Lucidscale read access to import resources",
        "assignableScopes": [],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.ApiManagement/service/read",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachineScaleSets/read",
                    "Microsoft.Databricks/workspaces/read",
                    "Microsoft.DBforMySQL/servers/databases/read",
                    "Microsoft.DBforMySQL/servers/read",
                    "Microsoft.DBforPostgreSQL/servers/databases/read",
                    "Microsoft.DBforPostgreSQL/servers/read",
                    "Microsoft.DocumentDB/databaseAccounts/read",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.Network/applicationGateways/read",
                    "Microsoft.Network/azurefirewalls/read",
                    "Microsoft.Network/connections/read",
                    "Microsoft.Network/dnszones/read",
                    "Microsoft.Network/dnszones/recordsets/read",
                    "Microsoft.Network/frontDoors/read",
                    "Microsoft.Network/loadBalancers/read",
                    "Microsoft.Network/localnetworkgateways/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Network/privateDnsZones/read",
                    "Microsoft.Network/privateDnsZones/ALL/read",
                    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
                    "Microsoft.Network/privateEndpoints/read",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/routeTables/read",
                    "Microsoft.Network/trafficManagerProfiles/read",
                    "Microsoft.Network/virtualNetworkGateways/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.ServiceBus/namespaces/read",
                    "Microsoft.ServiceBus/namespaces/queues/read",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Web/serverfarms/Read",
                    "microsoft.web/sites/functions/read",
                    "Microsoft.Web/sites/Read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Navigate to the Permissions tab. The JSON is not complete and you will need to add an additional role to this list. Click the “Add permissions” button, then search for “managed”. Check the box for Microsoft.ManagedIdentity/userAssignedIdentities > Read : Get User Assigned Identity. Click the “Add” button when you're finished.

Navigate to the “Assignable scopes” tab and click the “Add assignable scopes” button. Change the Type field to “Subscription”, then click on your subscription in the right column. Click “Select” when you're finished:

Leave the JSON tab as default and complete the wizard to Create the role.

Once you've created the role, return to Azure Active Directory and open Subscriptions. Select the subscription you want to use.

Navigate to the “Access control (IAM)” blade and navigate to the “Roles” tab. Search for “Lucid” and locate your newly created role. Click the “View” link:

In the new popup, click on the Assignments tab, then click “Add assignment”:

Navigate to the “Members” tab. Check the radio button for “Assign access to” as “User, group, or service principal” and click the “Select members” button. Search for “Lucid” in the popup window and click on your app. Click the “Select” button when you're finished:

After you've completed this part, complete the wizard to add the role assignment in Azure AD.

Now that we've configured the environment, return to Lucidscale to complete the configuration. Move to the “Select Subscriptions” page and check the box next to the correct subscription:

On the “Subscription configuration” tab, leave all options as default and click the “Import Azure subscriptions” button:

After completing the wizard, data import will begin. This process could take a while, depending on the size of your environment.

When it's complete, select your subscription and click the “Create new Model” button:

Check the box next to the subscription you want to diagram, then click the “Choose subscriptions” button at the bottom right.

Review your selection and then click “Create Azure Model”.

Now, Lucidscale will build your model in the background. It could take a while, depending on the size of your environment:

After it's complete, your diagram will be generated:

Discuss...

#Azure #PowerShell #Windows

If you’ve added a new session host to an existing Azure Virtual Desktop host pool, you might get a Windows Activation error watermark notifying you that the Windows license wasn’t found:

Activate Windows. Go to Settings to activate Windows.

When I got the ticket from users complaining about the watermark, I started brainstorming. I thought I might be able to fix this issue several ways:

1. License users with Microsoft 365 E5.

2. Manually add an existing Windows license (only possible if you’re running a stock image of Windows, not the Azure-specific Windows Enterprise Multi-Session).

Since I don’t have those E5 licenses already and I’m running the multi-session OS, it would add cost to purchase and I would need to get approval.

Instead, I found that you can check the VM license by running this command in PowerShell (change the XXX values to match your Resource Group and VM name):

Import-Module AzCLI 
Connect-AzAccount
Get-AzVM -ResourceGroupName XXXresourcegroupXXX -Name XXXvirtualmachineXXX

After running that command, the string that you want to focus on is LicenseType. If it says Windows_Client, you are good to go and Azure will apply the license on the OS-level.

If it is null or displays as {}, that could be a cause for the Activation error. You can run this PowerShell command in the AzCLI (edit the XXX values to match your environment):

$rg = XXXresourcegroupXXX
$vm = XXXvirtualmachineXXX
$vm.LicenseType = ‘Windows_Client’

Get-AzVM -ResourceGroupName $rg -Name $vm | Update-AzVM 

I wish Azure had a built in Troubleshooting function or feature to “quick fix” this issue, but I couldn’t find one.

Putting this here for my notes when I have to fix this issue again.

Discuss...

#Intune #Windows

A company I'm working with requested an Intune deployment of Adobe Acrobat Pro DC to users on machines running Windows 10 or 11.

I wasn't able to find great documentation about how to deploy this using Intune, so I wanted to write all of this down. There are some guides going around about MSP transforms, but that's not necessary for a simple deployment.

1. First, download the Adobe Acrobat Pro single app package and select the 64 bit Windows installer:

1. Then, download the Microsoft Win32 Content Prep Tool.

2. Unzip all of the files to that they're in a format as follows:

   • C:\temp\Microsoft-Win32-Content-Prep-Tool-Master
   • C:\temp\Adobe Acrobat

3. Now that you have the prereqs, we need to build the .intunewin package for Intune. Open Command Prompt and cd into the C:\temp\Microsoft-Win32-Content-Prep-Tool-Master folder and run .\IntuneWinAppUtil.exe

4. Step through the prompts to build the package:

   • Please specify the source folder: C:\temp\Adobe Acrobat
   • Please specify the setup file: C:\temp\Adobe Acrobat\setup.exe
   • Please specify the output folder: C:\temp\Adobe Acrobat
   • Do you want to specify catalog folder (Y/N)? n

Now that the intunewin package is built, it's time to upload it on the Microsoft Endpoint and create an app package. You can close the Win32 Content Prep tool.

1. Log into the Intune/Endpoint dashboard and navigate to Apps > Windows > Add. Set the “App type” to Windows app (Win32):

1. On the “App information” tab, upload the file you created at C:\temp\Adobe Acrobat\setup.intunewin and fill out the required fields to continue:

1. On the “Program” tab, enter the following values:
   • Install command: setup.exe /sAll
   • Uninstall command: msiexec /x "{AC76BA86-1033-FFFF-7760-BC15014EA700}" /q
   • Install behavior: System
   • Device restart behavior: App install may force a device restart
   • Specify return codes to indicate post-installation behavior: Leave as default.

1. On the “Requirements” tab, enter the following values:
   • Operating system architecture: 64-bit
   • Minimum operating system: Windows 10 1607

1. On the “Detection rules” tab, set “Rules format” to Manually configure detection rules, then click the “+ Add” button. Change the “Rule type” to MSI and set the “MSI product code” field to {AC76BA86-1033-FFFF-7760-BC15014EA700}. Set the “MSI product version check” to No:

1. On the “Dependencies” and “Supersedence” tabs, just leave the defaults.

2. On the “Assignments” tab, target your deployment group or users for installation. You may want to hide the “End user notifications” so that it's completely silent, but this is optional:

After uploading the file, your application deployment will be complete:

Machines will begin to check in and pick up the app assignment. I find that installation can take up to 30 minutes, so be patient!

Discuss...

#Sharepoint #Windows

One of the companies that I'm working with wants to migrate all of their files on a local file share and move them into a Sharepoint site.

To do this, I ran the official Microsoft Sharepoint Migration Tool from the file server. I set my source as the shared folder containing 1.8 TB of files and the target destination as the Documents library in a newly created Sharepoint site.

After letting the tool run for a few hours, the migration tool completed and reported that it had successfully moved 209,726 files, but 500 were not moved because the scanner has issues with special characters:

They're an international organization and has French, Spanish, and Portuguese workers that connect into the shared drive. They're also using a mix of MacOS and Windows PCs, so the folders can get pretty cluttered with UTF and non-Windows character sets.

From the logs, the Sharepoint Migration Tool seems to only allow ANSI characters, probably for URLs and other internal compatibility. I needed to rename all of the non-migrated files from the accented characters into the ANSI equivalents and then run an incremental sync.

To fix the accent characters, I could go in manually an rename all of the files, but I needed an easier way to automate this.

Instead of figuring out the right regex command and running a rename command in Powershell, I decided to keep it simple and use the Bulk Rename Utility app that I've used for other projects, including the project I wrote about to redact Microsoft Word files quickly.

After downloading and installing the app on the file server, open it and target the share location on the local drive.

Inside the app, click on the option at Special > Character Translations.

I copied and pasted all of the accented characters and their ANSI equivalents into Excel and formatted it for Bulk Rename Utility to be able to use the list. Copy and paste this list into this Character Translation popup window:

Á=A
á=a
À=A
à=a
Â=A
â=a
Ã=A
ã=a
Ä=A
ä=a
Å=A
å=a
ç=c
Ç=C
É=E
é=e
È=E
è=e
Ê=E
ê=e
Ë=E
ë=e
Í=I
í=i
Ì=I
ì=i
Î=I
î=i
Ï=I
ï=i
Ó=O
ó=o
Ò=O
ò=o
Ô=O
ô=o
Ö=O
ö=o
Õ=O
õ=o
Ú=U
ú=u
Ù=U
ù=u
Û=U
û=u
Ü=U
ü=u

After pasting in the info, press OK and return to the main window:

Make sure that you have the following options checked:

✓ Files > Files

✓ Files > Folders

✓ Files > Subfolders

✓ Special > Character Translations

After checking those boxes, click into the file list at the top right of the window and press the Ctrl + A keys on the keyboard to select all items. This could take a few seconds, depending on the number of files that you have.

To verify, click the “Preview” button, then press “Rename” if the renaming task looks correct:

After renaming these files, I returned to the Sharepoint Migration Tool and started the Incremental sync. The sync completed successfully without any file scan issues or unrecognized characters.

Discuss...