Here's a script that I'm using to roll out the Quest ODM agent on PCs in my environment that do not have access to the LAN. I used Atera Service Desk to deploy it for internet-only installation.
Once that's complete, you will need to upload the file to a publicly accessible file share. I used Azure Files to create a storage container and provide direct access to the file. This URI will be pointed to in the script, so you cannot use something like OneDrive or SharePoint without special configuration.
Script
Before running this script, you will need to change the following XXX values:
$QuestODMMSIURI – This will be the publicly accessible MSI that you uploaded to your file share.
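Because the MSI is fetched from a publicly accessible URI, the deployment can confirm that the downloaded file is the one that was uploaded before installing it. The following is an added example, not part of the original script: `Test-InstallerIntegrity`, `$ExpectedSha256` and `$msi` are hypothetical names, and the sample file is constructed so the check can be tried offline.

```powershell
# Added example (not the original post's script).
# $ExpectedSha256 is an assumed value: the SHA-256 you record when uploading the MSI.
function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [switch] $RequireValidSignature   # also demand a valid Authenticode signature
    )

    # Compare the file's hash with the pinned value (-ne ignores case for strings)
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Warning "Hash mismatch for $Path (got $actual)"
        return $false
    }

    # Optionally require that the publisher's signature verifies on this machine
    if ($RequireValidSignature) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Signature status is $($sig.Status) for $Path"
            return $false
        }
    }
    return $true
}

# Offline demonstration on a constructed file standing in for the MSI
$sample = Join-Path $env:TEMP 'constructed-sample.msi'
Set-Content -Path $sample -Value 'constructed installer bytes' -NoNewline
$pinned = (Get-FileHash -Path $sample -Algorithm SHA256).Hash

$untouched = Test-InstallerIntegrity -Path $sample -ExpectedSha256 $pinned
Add-Content -Path $sample -Value 'tampered'   # simulate the hosted file being replaced
$modified = Test-InstallerIntegrity -Path $sample -ExpectedSha256 $pinned
Remove-Item $sample
"Untouched file accepted: $untouched; modified file accepted: $modified"

# In the deployment script, gate the install step on the check:
# Invoke-WebRequest -Uri $QuestODMMSIURI -OutFile $msi -UseBasicParsing
# if (-not (Test-InstallerIntegrity -Path $msi -ExpectedSha256 $ExpectedSha256)) { exit 1 }
# ...then run the script's existing install step against $msi
```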
RingCentral requires audio files to be saved as .mp3 files.
To do this, you'll need to convert your audio that you recorded in the Voice Recorder from .m4a into .mp3 using the app Audacity and the ffmpeg plugin. Audacity and ffmpeg are open source programs that can convert audio into different formats. Audacity is the main program and ffmpeg is an extension that Audacity uses to open .m4a files.
Install Audacity and the ffmpeg extension
Before you'll be able to convert the file, follow these steps to get Audacity and ffmpeg set up on your computer:
If you've deployed an Azure VM and did not enable the “Login with AAD credentials” option, you can enable sign-in using Azure Active Directory credentials later by running this Azure CLI command in Cloud Shell:
az vm extension set \
    --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows \
    --resource-group ResourceGroup \
    --vm-name VMName
After running that command, you'll need to add an entry to the local group to allow interactive sign-in using RDP. The extension doesn't add this permission, so you will need to do it manually by running this command in a remote PowerShell session:
net localgroup "remote desktop users" /add "AzureAD\user@domain.com"
You will also need to add 2 lines to the RDP file downloaded from the “Connect” tab so that you can connect without issues:
enablecredsspsupport:i:0
authentication level:i:2
After connecting to the VM using RDP, you will also need to disable network-level authentication from Control Panel.
In the background, the extension will change the Join Type of the VM to “Azure AD Joined” and your Devices blade will update with that information after a couple of minutes.
I wrote up a quick and dirty PowerShell script today that adds a split-tunnel VPN connection, asks the user for connection info, dials the connection, then configures static routes.
# Add-MerakiVPN.ps1
# Creates a split-tunnel VPN connection and adds static routes.
# Tim D'Annecy 2021-09-08
function Add-MerakiVPN {
    $ServerAddress = 'blahblahblah.dynamic-m.com' # Change this value to match your Meraki hostname
    $ConnectionName = 'Meraki VPN'
    $PresharedKey = 'blah' # Change this value

    # Create the L2TP connection for all users; -Force suppresses the confirmation prompts
    Add-VpnConnection `
        -Name $ConnectionName `
        -ServerAddress $ServerAddress `
        -TunnelType L2tp `
        -EncryptionLevel Optional `
        -SplitTunneling `
        -AllUserConnection `
        -L2tpPsk $PresharedKey `
        -AuthenticationMethod Pap, MSChapv2 `
        -Force

    $StaticRoutes = @(
        '10.0.13.0/24', # Change these to match your internal subnets
        '10.0.12.0/24',
        '172.16.0.0/16'
    )

    try {
        # Open the dial dialog so the user can enter credentials, then wait for the tunnel to come up
        rasphone.exe -d $ConnectionName
        Start-Sleep -Seconds 30
        # -ErrorAction Stop makes a failed route a terminating error so the catch block runs
        $StaticRoutes | ForEach-Object {
            New-NetRoute -DestinationPrefix $_ -InterfaceAlias $ConnectionName -ErrorAction Stop
        }
    }
    catch {
        Write-Error 'There was an error dialing the VPN connection or adding the static routes'
        exit
    }
}
Add-MerakiVPN
This one-liner imports a CSV formatted with at least the header Name and a list of user names. It outputs to a CSV with the SamAccountName and Enabled properties.
I found this post on Reddit and wanted to save the command for my notes.
Running this command in PowerShell will give you the PC's currently connected SSID. This is handy for troubleshooting network issues when connected remotely through a PSSession.
Change entry at Computer Configuration > Administrative Templates > System > Specify settings for optional component installation and component repair to “Enabled” and check the box for “Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)”
Run gpupdate in Command Prompt.
Open Settings > Apps > Apps & features > Optional features and click “Add a feature”. Search for and install “RSAT: Active Directory Domain Services and Lightweight Directory Services Tools”
Click on “Devices” and select “Configuration profiles”. Click on “Create profile”. Change Platform to “Windows 10 and later” and the Profile type field to “Settings catalog (preview)”. Click the “Create” button.
Give it a basic name and navigate to the “Configuration settings” page.
Click the “Add settings” button. Double click on the “Local Policies Security Options” entry in the Settings picker pane on the right. Check the box for the option “User Account Control Switch To The Secure Desktop When Prompting For Elevation”. Back on the main settings area to the left, change the dropdown to “Disabled” and click the “Next” button.
Enable the policy for all devices (as needed) and then test.