#Windows #Azure #AVD #Intune

I recently had an issue with an Azure AD Joined host pool in Azure Virtual Desktop where users could not successfully login using their Azure AD credentials.

In our environment, both the client computer and the Azure Virtual Desktop host computer are Azure AD Joined. The user was able to log in to their Azure AD Joined computer, but when they tried to log in to the Azure Virtual Desktop host computer, they would get an error message:

Couldn't connect. Something went wrong when we tried to connect. If this keeps happening, ask your admin or tech support for help. Error code: 0x9735 Extended error code: 0x0 Activity ID: {e194ae11-b2ed-4d33-9520-c1d5ed140000}

The error message the users received came after a loop of unsuccessful logins using a combo of azuread\user or user@domain.com that would say “Establishing Connection”, “Configuring Gateway”, “Securing connection to remote PC” and then fail with the following error: “The username and password used to connect to the remote resource didn't work. Enter a different account and try again.”

As a note: Connections to Host Pools in a different AVD environment that are joined to Active Directory work fine. The issue seems to occur when the client computer and the AVD host computer are Azure AD Joined.

Currently, as of February 2023, the official Microsoft package for the Remote Desktop app in the Microsoft Store installs an old version of 10.2.3000.0 that has bugs connecting to Azure AD Joined Azure Virtual Desktop Host Pools. This buggy version impacted our organization because we deploy the Microsoft Remote Desktop app using an Application Deployment in Intune. We've tested this issue using the Microsoft Store for Business, Microsoft Store (Legacy), and the new Microsoft Store (WinGet) deployments and all of them have the same issue and run the same version:

The workaround for this error is to uninstall the Microsoft Store version of the application and install the latest version of the Remote Desktop app from the Microsoft website at this link: https://learn.microsoft.com/en-us/azure/virtual-desktop/whats-new-client-windows

I manually installed Public Release version 1.2.3918.0 and it fixed my connectivity issues. To get this rolled out to your Intune devices, you will need to package the MSI file from the Microsoft website and deploy it using an Application Deployment in Intune.

I hope this helps someone else who is having this issue. Microsoft should really update the Microsoft Store version of the Remote Desktop app to the latest version to avoid this issue.

References

• https://www.anoopcnair.com/avd-azure-ad-joined-vm-login-issue-error-0x9735/
• https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows

Discuss...

#Windows #Intune

A company I'm working with requested an Application Deployment of Word LTSC using a Multiple Activation Key (MAK) purchased through Volume Licensing in their Intune/Endpoint environment.

To deploy Office LTSC, I needed to have the MAK key in hand before starting this process, as you'll need it when zipping up the .intunewin package.

To keep things clean, I'm building my package at C:\temp\package

Create an XML configuration for installation using the Office Customization Tool

Open the Office Customization Tool page and begin defining your settings for deployment:

• Products and releases
  • Architecture: 64-bit
  • Products: Select the products that you want to deploy.
  • Office Suites: I selected Office LTSC Standard 2021 - Volume License
  • Update Channel:
  • Select the update channel: Office LTSC 2021 Perpetual Enterprise
• Language
• Installation
  • Installation options
  • Where do you want to deploy Office from? Office Content Delivery Network (CDN)
  • Show installation to user: Off
  • Shut down running applications: Off
• Update and upgrade
  • Update and upgrade options
  • Where do you want to deploy updates from? Office Content Delivery Network (CDN)
  • Automatically check for updates On
  • Upgrade options
  • Uninstall any MSI versions of Office, including Visio and Project Off
  • For uninstalled MSI versions of Office, install the same languages Off
  • Automatically upgrade to the selected architecture On
• Licensing and activation
  • Automatically accept the EULA On
  • Product Key
  • Office LTSC Standard 2021 – Volume License MAK and paste in your 25-character key value here.
  • Product activation
  • User based
• General
  • Customize as needed.
• Application preferences
  • Customize as needed.

Save this XML file at C:\temp\package\install.xml

Here is the contents of my file to just install Word and allow regular updating:

<Configuration ID="f42ea3d0-d7a4-46bf-8a49-594df9549b6f">
  <Add OfficeClientEdition="64" Channel="PerpetualVL2021" MigrateArch="TRUE">
    <Product ID="Standard2021Volume" PIDKEY="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX">
      <Language ID="en-us" />
      <ExcludeApp ID="Excel" />
      <ExcludeApp ID="OneDrive" />
      <ExcludeApp ID="OneNote" />
      <ExcludeApp ID="Outlook" />
      <ExcludeApp ID="PowerPoint" />
      <ExcludeApp ID="Publisher" />
      <ExcludeApp ID="Teams" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="0" />
  <Property Name="FORCEAPPSHUTDOWN" Value="FALSE" />
  <Property Name="DeviceBasedLicensing" Value="0" />
  <Property Name="SCLCacheOverride" Value="0" />
  <Property Name="AUTOACTIVATE" Value="1" />
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>

Create an XML configuration for uninstallation

Open Notepad or another text editor like VS Code and create an XML file at the location C:\temp\package\uninstall.xml

Add the following information:

<Configuration>
    <Display Level="None" AcceptEULA="True"/>
    <Property Name=""FORCEAPPSHUTDOWN" Value="True"/>
    <Remove>
        <Product ID="Standard2021Volume"> </Product>
    </Remove>
</Configuration>

Be sure to change your Product ID to match what you have in your install.xml file that was generated by the Office Customization Tool:

Create an .intunewin package

To perform the next steps, you will need to download two apps, the Office Deployment Tool (ODT) and the Microsoft Win32 Content Prep Tool.

Install the Office Deployment Tool (ODT)

1. Download the ODT from Microsoft's website and run the application: https://www.microsoft.com/en-us/download/details.aspx?id=49117
2. You will need to select a destination to extract the files. I'm using C:\temp\
3. When the extraction is complete, you should have 5 files in the folder:
4. Move the setup.exe file to C:\temp\package\setup.exe

Use the Win32 Content Prep Tool

1. Navigate to the Microsoft Win32 Content Prep Tool from Microsoft's Github site: https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool
2. Click on the Code icon and select “Download Zip”:
3. Unzip the file in a location like C:\temp
4. Open Powershell or the Windows Terminal and navigate to the location by typing: cd C:\temp\Microsoft-Win32-Content-Prep-Tool-master
5. Run the app “IntuneWinAppUtil.exe”
6. Make sure you have the 3 files in your C:\temp\package directory before proceeding:
   • setup.exe
   • install.xml
   • uninstall.xml
7. Fill in the prompts with the following information:
   • Please specify the source folder: C:\temp\package
   • Please specify the setup file: C:\temp\package\setup.exe
   • Please specify the output folder: C:\temp\package
   • Do you want to specify catalog folder (Y/N)? N
8. The package will begin to build and you'll see a file created at C:\temp\package\setup.intunewin :

When the process is complete, you are ready to upload the package to Intune and configure your Application Deployment.

Create an Application Deployment in Intune

1. Navigate to the Intune/Endpoint dashboard: https://endpoint.microsoft.com/

2. Navigate to Apps > Windows and click the “Add” button. Select “Windows app (Win 32)” from the dropdown list and click the “Select” button:

3. On the App Information tab, click “Select app package file” and upload your setup.intunewin file from C:\temp\package. Click the OK button:

4. Back on the App Information tab, begin by filling in some basic information about the package and click the “Next” button when finished:

5. On the “Program” tab, configure the Install Command and Uninstall Command fields and leave the rest default. Click “Next” to continue:

   • Install command: setup.exe /configure install.xml
   • Uninstall command: setup.exe /configure uninstall.xml
   • Install behavior: System
   • Device restart behavior: App install may force a device restart

6. On the “Requirements” tab, set the following options and click Next to continue:

   • Operating system architecture: Set this value based on your Office Customization Tool setting.
   • Minimum operating system: Windows 10 1607

7. On the “Detection rules” tab, set the following options and click Next to continue:

   • Rules format: Manually configure detection rules
   • Rule type: Registry
   • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\
   • Value name: 16.0
   • Detection method: Key exists
   • Assocated with a 32-bit app on 64-bit clients No

8. Leave the “Dependencies” and “Supersedence” tabs unconfigured.

9. On the “Assignments” tab, select the group you want to target for deployment or uninstallation.

10. Double check the options on the “Review + create” tab and then click “Create” to begin uploading your package.

After the application is uploaded, your deployment will begin:

The setup.exe package will always pull the latest version of Office from Microsoft, but your install.xml file determines whether the applications will be automatically updated. If you need to push a new version or a different version (e.g. Standard or ProPlus), you may need to repackage and deploy again.

I hope this is helpful to someone and I wanted to write my steps down in case I have to go back and fix something later.

Discuss...

#Intune #Windows

A company I'm working with requested an Intune deployment of Adobe Acrobat Pro DC to users on machines running Windows 10 or 11.

I wasn't able to find great documentation about how to deploy this using Intune, so I wanted to write all of this down. There are some guides going around about MSP transforms, but that's not necessary for a simple deployment.

1. First, download the Adobe Acrobat Pro single app package and select the 64 bit Windows installer:

1. Then, download the Microsoft Win32 Content Prep Tool.

2. Unzip all of the files to that they're in a format as follows:

   • C:\temp\Microsoft-Win32-Content-Prep-Tool-Master
   • C:\temp\Adobe Acrobat

3. Now that you have the prereqs, we need to build the .intunewin package for Intune. Open Command Prompt and cd into the C:\temp\Microsoft-Win32-Content-Prep-Tool-Master folder and run .\IntuneWinAppUtil.exe

4. Step through the prompts to build the package:

   • Please specify the source folder: C:\temp\Adobe Acrobat
   • Please specify the setup file: C:\temp\Adobe Acrobat\setup.exe
   • Please specify the output folder: C:\temp\Adobe Acrobat
   • Do you want to specify catalog folder (Y/N)? n

Now that the intunewin package is built, it's time to upload it on the Microsoft Endpoint and create an app package. You can close the Win32 Content Prep tool.

1. Log into the Intune/Endpoint dashboard and navigate to Apps > Windows > Add. Set the “App type” to Windows app (Win32):

1. On the “App information” tab, upload the file you created at C:\temp\Adobe Acrobat\setup.intunewin and fill out the required fields to continue:

1. On the “Program” tab, enter the following values:
   • Install command: setup.exe /sAll
   • Uninstall command: msiexec /x "{AC76BA86-1033-FFFF-7760-BC15014EA700}" /q
   • Install behavior: System
   • Device restart behavior: App install may force a device restart
   • Specify return codes to indicate post-installation behavior: Leave as default.

1. On the “Requirements” tab, enter the following values:
   • Operating system architecture: 64-bit
   • Minimum operating system: Windows 10 1607

1. On the “Detection rules” tab, set “Rules format” to Manually configure detection rules, then click the “+ Add” button. Change the “Rule type” to MSI and set the “MSI product code” field to {AC76BA86-1033-FFFF-7760-BC15014EA700}. Set the “MSI product version check” to No:

1. On the “Dependencies” and “Supersedence” tabs, just leave the defaults.

2. On the “Assignments” tab, target your deployment group or users for installation. You may want to hide the “End user notifications” so that it's completely silent, but this is optional:

After uploading the file, your application deployment will be complete:

Machines will begin to check in and pick up the app assignment. I find that installation can take up to 30 minutes, so be patient!

Discuss...

#Windows #Intune

On Windows, to allow Quick Assist to display UAC prompts to a remote user, you need to make a few quick changes.

Microsoft Endpoint (Intune)

Older instructions are here: https://www.cloud-boy.be/portfolio/run-as-admin-gives-black-screen-in-quick-assist-teamviewer-intune-fix/ [A]

New instructions are:

1. Open the Endpoint management dashboard

2. Click on “Devices” and select “Configuration profiles”. Click on “Create profile”. Change Platform to “Windows 10 and later” and the Profile type field to “Settings catalog (preview)”. Click the “Create” button.

3. Give it a basic name and navigate to the “Configuration settings” page.

4. Click the “Add settings” button. Double click on the “Local Policies Security Options” entry in the Settings picker pane on the right. Check the box for the option “User Account Control Switch To The Secure Desktop When Prompting For Elevation”. Back on the main settings area to the left, change the dropdown to “Disabled” and click the “Next” button.

5. Enable the policy to all devices (as needed) and then test.

Discuss...