Add your own local admin users on Azure AD devices

Do you have issues when trying to add an account as local admin on your Azure AD joined device? Maybe you have specific requirements for which accounts should be admins on your client machines, and the Azure AD solution (additional local administrators on Azure AD joined devices) is not enough to satisfy your needs.

There are a couple of alternatives out there, for example the RestrictedGroups policy (minimum Windows 10 version 1803), where you define which users should be members of your local groups via a policy. Unfortunately, this is not a great solution if you want different users on each computer.

So how do we solve this?

We developed a PowerShell script that will help you automate this process. It can add multiple users to different local groups on your Azure AD joined devices. It is based on the Add-LocalGroupMember cmdlet, which lets you add members from multiple sources (including Azure AD). Just copy the script, adapt it to your environment, verify that it works, upload it in the PowerShell scripts section of the Intune portal and deploy it to the users/devices of your choice.

The script is highly adaptable and can be changed in a lot of ways to fit your environment, so feel free to use it as you want.
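The script itself is not reproduced on this page, so here is an added example of what such an Intune script can look like. It is not the original script and not Microsoft's code; the UPNs, group names and the Azure AD group object ID are placeholders. It goes one step beyond the post by also adding an Azure AD group, which Windows addresses by a SID derived from the group's object ID (S-1-12-1 followed by four 32-bit values), so the group can be referenced before any of its members has signed in. Deploy it with "Run script in 64 bit PowerShell Host" set to Yes, since the Microsoft.PowerShell.LocalAccounts module is not available to 32-bit PowerShell on 64-bit Windows.

```powershell
# Added example (not the script from the original post). Intune PowerShell script that
# adds Azure AD users, and Azure AD groups by SID, to local groups on an Azure AD joined
# device. Runs as SYSTEM under Intune. All UPNs, names and the object ID are placeholders.

$LogPath = Join-Path $env:ProgramData 'LocalGroupMembership.log'

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# Windows represents an Azure AD group as S-1-12-1-<four 32-bit values taken from the
# group's object ID>, so a group can be referenced before any member has signed in.
function ConvertTo-AzureAdGroupSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $parts = foreach ($i in 0..3) { [BitConverter]::ToUInt32($bytes, $i * 4) }
    return 'S-1-12-1-' + ($parts -join '-')
}

function Add-MemberWithFallback {
    param([string]$Group, [string]$Member)
    try {
        Add-LocalGroupMember -Group $Group -Member $Member -ErrorAction Stop
        Write-Log "Added '$Member' to '$Group'"
        return $true
    }
    catch {
        $err = $_
        if ($err.FullyQualifiedErrorId -like 'MemberExists*') {
            Write-Log "'$Member' is already a member of '$Group'"
            return $true
        }
        # The cmdlet only accepts principals it can resolve locally; net.exe accepts an
        # AzureAD\UPN that has never signed in on this device, so try it before giving up.
        $null = & net.exe localgroup $Group $Member /add 2>&1
        if ($LASTEXITCODE -eq 0) {
            Write-Log "Added '$Member' to '$Group' via net.exe"
            return $true
        }
        Write-Log "FAILED to add '$Member' to '$Group': $($err.Exception.Message)"
        return $false
    }
}

# Desired membership per local group; replace with your own accounts.
$Memberships = @{
    'Administrators'       = @(
        'AzureAD\alice.admin@contoso.com'
        (ConvertTo-AzureAdGroupSid '00000000-0000-0000-0000-000000000000')  # placeholder: object ID of an Azure AD group
    )
    'Remote Desktop Users' = @('AzureAD\helpdesk@contoso.com')
}

$failed = 0
foreach ($group in $Memberships.Keys) {
    foreach ($member in $Memberships[$group]) {
        if (-not (Add-MemberWithFallback -Group $group -Member $member)) { $failed++ }
    }
}

# A non-zero exit code makes Intune report the script as failed for this device.
exit $failed
```

The exit code and the log file under ProgramData are what you check when Intune shows a device as failed: every principal that could not be added is listed there with the error text. Membership of an Azure AD group added this way is evaluated from the user's sign-in token, so a user added to the Azure AD group after their last sign-in gets the local rights only after signing in again.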

If you have any questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.

 



Citrix Hypervisor 8.0

On the 25th of April 2019 Citrix published the new major release 8.0 of XenServer, which now officially becomes Citrix Hypervisor. The release is on the Current Release (CR) track and arrives just ahead of the upcoming end of life for the previous Current Release, XenServer 7.6.

Below I will briefly cover the most exciting news.

Name change

As touched on above, with this release XenServer officially changes name to Citrix Hypervisor. Along with Citrix renaming most of the products in their portfolio, the naming of the editions has also been updated. Citrix Hypervisor 8.0 is released in the three editions below:

  • Premium Edition (previously Enterprise Edition)
  • Standard Edition
  • Express Edition (previously Free Edition)

New features

  • “Platform refresh”: version updates for the kernel, the Xen hypervisor and the control domain OS.
  • Full support for Windows Server 2019 VMs.
  • Web-based help in XenCenter and Conversion Manager
    • Pressing F1 opens the relevant article in your default browser
  • Disk and memory snapshots on vGPU-enabled VMs now maintain the vGPU state, which is restored when the snapshot is reverted.
    • Note: This requires the Premium edition of Citrix Hypervisor
  • Ability to create virtual disk images larger than 2 TB on GFS2 storage repositories
    • Note: This requires the Premium edition of Citrix Hypervisor

Experimental features

Citrix also included an experimental feature in the boot mode section: UEFI boot mode for guest VMs, intended to provide a richer interface for guest operating systems. Support is limited to Windows 10, Server 2016 and Server 2019.

As this is an experimental feature, Citrix added a lot of support disclaimers regarding provisioning technologies such as MCS and PVS in combination with guest UEFI boot mode.

Read more

For a full walk-through of changes, requirements and support, read more about Citrix Hypervisor 8.0 here:

https://www.citrix.com/blogs/2019/04/25/citrix-hypervisor-8-0-is-here/

https://docs.citrix.com/en-us/citrix-hypervisor.html

https://www.citrix.com/blogs/2018/10/03/major-platform-changes-to-xenserver-what-you-need-to-know/



How to create custom Address Lists in Exchange Online

Introduction

A lot of people use the Address Book in Outlook or in their web mail to find people, but filtering on company or department can be hard.
Therefore we will go through how to create custom Address Lists. In this case only users with a mailbox that have something in the Office attribute will appear in these lists.
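The walk-through itself is not on this page, so here is an added example (not the author's own commands) of how such lists are created from Exchange Online PowerShell. It goes a little beyond the description above: besides one combined list of every user mailbox with an Office value, it creates one list per distinct Office value, so users can browse by office directly. It assumes the Exchange Online PowerShell module (Connect-ExchangeOnline); the list names, prefix and container are placeholders.

```powershell
# Added example, not from the original post. Creates one address list per distinct
# Office value (user mailboxes only) plus a combined list of everyone whose Office
# attribute is populated. Assumes an existing Exchange Online PowerShell session.

function Assert-AddressListRole {
    # In Exchange Online the "Address Lists" role is not assigned to any role group by
    # default, so New-AddressList is not even recognized until the role is granted.
    if (-not (Get-ManagementRoleAssignment -Role 'Address Lists' -ErrorAction SilentlyContinue)) {
        throw 'Grant the role first, e.g. New-ManagementRoleAssignment -Role "Address Lists" -SecurityGroup "Organization Management", then reconnect.'
    }
}

function ConvertTo-OpathLiteral {
    # OPATH string literals are single-quoted; an embedded single quote is doubled.
    param([Parameter(Mandatory)][string]$Value)
    return "'" + ($Value -replace "'", "''") + "'"
}

function New-OfficeAddressLists {
    param(
        [string]$Container = '\',        # root of the address list hierarchy (placeholder)
        [string]$Prefix    = 'Office - ' # placeholder naming convention
    )
    Assert-AddressListRole

    # Distinct, non-empty Office values across all mailboxes; the filter runs server-side.
    $offices = Get-Mailbox -ResultSize Unlimited -Filter 'Office -ne $null' |
        Select-Object -ExpandProperty Office |
        Where-Object { $_ -and $_.Trim() } |
        Sort-Object -Unique

    foreach ($office in $offices) {
        $name   = "$Prefix$office"
        $filter = "((RecipientTypeDetails -eq 'UserMailbox') -and (Office -eq $(ConvertTo-OpathLiteral $office)))"
        if (Get-AddressList -Identity $name -ErrorAction SilentlyContinue) {
            # Re-running the function keeps the filter in sync instead of failing on duplicates.
            Set-AddressList -Identity $name -RecipientFilter $filter
        }
        else {
            New-AddressList -Name $name -Container $Container -RecipientFilter $filter
        }
    }

    # One combined list of every user mailbox that has an Office value at all.
    $allName   = "${Prefix}All"
    $allFilter = "((RecipientTypeDetails -eq 'UserMailbox') -and (Office -ne `$null))"
    if (-not (Get-AddressList -Identity $allName -ErrorAction SilentlyContinue)) {
        New-AddressList -Name $allName -Container $Container -RecipientFilter $allFilter
    }
}

# Connect-ExchangeOnline
# New-OfficeAddressLists
```

Two things to keep in mind: Update-AddressList is an on-premises-only cmdlet, so in Exchange Online a newly created list only picks up existing mailboxes as they are modified (changing an attribute on the affected mailboxes is the usual way to force a recalculation), and the RecipientTypeDetails condition is what keeps shared mailboxes, rooms and contacts out of the lists even when their Office attribute happens to be set.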



Deploy separate Intune workloads to different collections (Co-management)

I was looking for a way to deploy a Co-management policy with only the Windows Update policies workload to a specific collection, in order to transition a smaller number of computers (which are not members of the already existing Pilot group) to Intune control. In the Configuration Manager console I was not able to create multiple Co-management policies, so I thought this was not possible. But then I found this great article describing exactly my scenario, tried it in my environment, and it worked like a charm.

All credit goes to Cody Mathis and his original article on this topic.

Co-management – Multiple Pilot Policies


So what do I need to make this possible?

We need to use PowerShell to create a new Co-management policy with the cmdlet New-CMCoManagementPolicy. We can then rename the policy and deploy it to whatever collection we want. Isn't that awesome?

In this example we will create a policy with WufbWorkloadEnabled, which activates only the Windows Update policies workload on the collection of our choice.

Other workloads can be set using the following parameters.

  • CAWorkloadEnabled = Compliance policies
  • RAWorkloadEnabled = Resource access policies
  • WufbWorkloadEnabled = Windows Update policies
  • EPWorkloadEnabled = Endpoint Protection
  • Office Click-to-Run apps = does not have its own parameter, so you need to set that via XML instead. This is very well described in Cody's article (link above), so I won't write about it in this post.

Start PowerShell from within the console and run the following commands (please note that the commands differ depending on the version you are running):


If done correctly, the policy should now be deployed to the collection you defined in the commands above, and you should see it as in the picture below.

On the computer you can now see that the new Co-management policy (CoMgmtSettingsPilot-WUFB) has been applied in the Configurations tab of the Configuration Manager control panel applet (control smscfgrc). Note that you may see multiple CoMgmtSettings entries depending on your configuration.

We can also see that the Intune policies have been applied to the computer (Settings > Update & Security > View configured update policies > Policies set on your device).
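The steps above, as an added example that is neither the commands from the original post nor from Cody Mathis's article: it creates the policy, renames it and deploys it, and is safe to re-run because it looks the policy up by name first. The policy and collection names are placeholders, the collection must already exist, and, as the post notes, cmdlet parameter sets differ between Configuration Manager versions, so confirm the deployment cmdlet's parameters with Get-Help in your own console before running it.

```powershell
# Added example (not from the original post or the linked article). Run from the
# PowerShell prompt opened from the Configuration Manager console, so the site drive
# is already the current location. Names are placeholders.

$PolicyName     = 'CoMgmtSettingsPilot-WUFB'
$CollectionName = 'CoMgmt Pilot - WUFB'   # assumption: this device collection already exists

function New-WufbOnlyCoManagementPolicy {
    param([string]$Name)

    # Reuse an existing policy with this name instead of creating a duplicate.
    $existing = Get-CMConfigurationPolicy -Name $Name
    if ($existing) { return $existing }

    # AutoEnroll is required. Only the Windows Update workload is switched to Intune;
    # every workload not listed stays with Configuration Manager for this collection.
    $policy = New-CMCoManagementPolicy -AutoEnroll $true -WufbWorkloadEnabled $true
    $policy.LocalizedDisplayName = $Name    # the name shown in the console and on the client
    $policy.Put()
    return Get-CMConfigurationPolicy -Name $Name
}

$policy = New-WufbOnlyCoManagementPolicy -Name $PolicyName

# Assumption: Start-CMConfigurationPolicyDeployment with -ConfigurationPolicyName and
# -CollectionName; check Get-Help for the parameter set your version exposes.
Start-CMConfigurationPolicyDeployment -ConfigurationPolicyName $PolicyName `
    -CollectionName $CollectionName

# Show what was deployed, so a typo in the workload flags is caught before the
# next policy cycle reaches the clients.
$policy | Select-Object LocalizedDisplayName, CI_ID
```

Devices in the target collection must still meet the usual co-management prerequisites (hybrid Azure AD joined and enrolled in Intune); the policy itself only moves the workload, it does not enrol anything.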


If you have any questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.


Other articles about Configuration Manager and Intune.

Move Software Updates to Intune with Co-management

Device cleanup rules for Microsoft Intune

Intune – Administrative Templates (Preview) are here

App Protection Policies for managed and unmanaged devices in Intune

 



Palo Alto VM-Series with active/passive HA support in Azure

Since the release of Palo Alto Networks PAN-OS 9.0.0, the VM-Series firewall supports the VM-Series plugin, a built-in plugin architecture for integration with public clouds and private cloud hypervisors. With the plugin you can now configure VM-Series firewalls with active/passive high availability (HA) in Azure. I will briefly cover some of the requirements needed to set up HA in Azure.



Windows 7 license key is “not genuine” and activation fails after installing KB971033

INTRODUCTION

After installing the KB971033 update, some clients have an issue where the KMS license key is reported as not genuine. It is a known issue at Microsoft; you can find more information here: https://support.microsoft.com/en-us/help/4480970/windows-7-update-kb4480970

SOLUTION

Microsoft's solution to be able to activate Windows again is to uninstall the update, rebuild the activation-related files and then activate Windows.

  1. Start by uninstalling the update from Control Panel > Windows Update > View update history > Installed Updates; right-click Update (KB971033) and select Uninstall.
  2. Restart the computer.
  3. Now that the update is no longer installed, rebuild the activation-related files and activate Windows. Start CMD as administrator and run the following commands:

REM Stop the activation notification service and keep it from restarting while the store is rebuilt
net stop sppuinotify
sc config sppuinotify start= disabled
net stop sppsvc
REM Delete the Software Protection Platform license store (hidden files, hence /ah), token file and cache
del %windir%\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 /ah
del %windir%\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 /ah
del %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
del %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\cache\cache.dat
net start sppsvc
REM Re-install the KMS client setup key for your Windows edition, then activate against the KMS host
cscript c:\windows\system32\slmgr.vbs /ipk <edition-specific KMS client key>
cscript c:\windows\system32\slmgr.vbs /ato
REM Restore the notification service to its default start type
sc config sppuinotify start= demand

 

You can find the KMS client setup keys at the following link: https://docs.microsoft.com/sv-se/windows-server/get-started/kmsclientkeys
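When more than a handful of clients are affected, it helps to check first whether a given machine actually has the update installed and an unlicensed status, and only then run the repair. The following is an added example that wraps the manual steps above into two PowerShell functions; it is not part of Microsoft's published guidance. It assumes Windows PowerShell 3.0 or later on the Windows 7 client, an elevated prompt, and that you pass your edition's KMS client setup key in place of the placeholder.

```powershell
# Added example (not Microsoft's published procedure): check whether a Windows 7 client
# is affected, remove KB971033 silently, rebuild the activation store and re-activate.
# Requires Windows PowerShell 3.0+ and an elevated session. The key is a placeholder.

function Get-ActivationState {
    # SoftwareLicensingProduct is what slmgr.vbs /dlv reads. LicenseStatus: 1 = Licensed,
    # 4 = Non-genuine grace, 5 = Notification. The ApplicationId below is the Windows OS product.
    $windows = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.ApplicationId -eq '55c92734-d682-4d71-983e-d6ec3f16059f' } |
        Select-Object -First 1
    [pscustomobject]@{
        KB971033Installed = [bool](Get-HotFix -Id 'KB971033' -ErrorAction SilentlyContinue)
        LicenseStatus     = $windows.LicenseStatus
        Edition           = $windows.Name
    }
}

function Repair-KmsActivation {
    param([Parameter(Mandatory)][string]$KmsClientKey)   # edition-specific KMS client setup key
    $state = Get-ActivationState

    if ($state.KB971033Installed) {
        # Silent uninstall; wusa returns 3010 when a reboot is pending, which is expected here.
        $p = Start-Process -FilePath wusa.exe -ArgumentList '/uninstall', '/kb:971033', '/quiet', '/norestart' -Wait -PassThru
        if ($p.ExitCode -notin @(0, 3010)) { throw "wusa.exe failed with exit code $($p.ExitCode)" }
        Write-Warning 'KB971033 removed. Reboot, then run Repair-KmsActivation again to rebuild the store.'
        return $state
    }
    if ($state.LicenseStatus -eq 1) {
        Write-Output 'Windows is already licensed; nothing to do.'
        return $state
    }

    # Same sequence as the manual CMD steps in the post.
    Stop-Service -Name sppuinotify -Force -ErrorAction SilentlyContinue
    Set-Service  -Name sppuinotify -StartupType Disabled
    Stop-Service -Name sppsvc -Force

    $spp   = "$env:windir\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform"
    $files = @(
        "$env:windir\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0",
        "$env:windir\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0",
        "$spp\tokens.dat",
        "$spp\cache\cache.dat"
    )
    foreach ($f in $files) {
        # -Force is needed because the store files are hidden (the /ah in the manual steps).
        Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    }

    Start-Service -Name sppsvc
    & cscript.exe //nologo "$env:windir\system32\slmgr.vbs" /ipk $KmsClientKey
    & cscript.exe //nologo "$env:windir\system32\slmgr.vbs" /ato
    Set-Service -Name sppuinotify -StartupType Manual

    # Return the state after activation so the caller can verify LicenseStatus is 1.
    return Get-ActivationState
}

# Repair-KmsActivation -KmsClientKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder key
```

Because Get-ActivationState returns an object, the same function can be run over a list of clients with Invoke-Command to find which ones still report LicenseStatus other than 1 before and after the fix, instead of opening slmgr on each machine.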

 



Mixed authentication methods added for GlobalProtect

In Palo Alto Networks' latest release, PAN-OS 9.0.0, a new feature was added that allows mixed authentication methods on the same GlobalProtect portal and/or gateway.

When this feature is enabled, your users can authenticate with user credentials and/or client certificates. The options are either to require both user credentials and client certificates, or to allow user credentials or client certificates.

On top of this you can set different requirements depending on which OS the user connects from. Below is the current list of operating systems you can set policies on:

  • Android
  • Chrome
  • iOS
  • Linux
  • Mac
  • Satellite
  • Windows
  • WindowsUWP
  • X-Auth

With this you could create an authentication profile that requires Windows users to authenticate with both user credentials and client certificates.

Then create another that allows your Android users to authenticate with either user credentials or client certificates.

This feature could be used in a number of cases, for example if you already have two different portals and one of them only requires user credentials for authentication. In that case you could merge the two configurations and free up the public IP that was used for the other portal/gateway. Bear in mind that a profile allowing either credentials or a certificate is only as strong as the weaker of the two, so reserve that option for the client OS types that genuinely cannot present a certificate.

More information can be found on: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/globalprotect-features/mixed-authentication-method-support-for-certificates-or-user-credentials.html 

If you have any questions, feel free to email me at petter.vikstrom@xenit.se or comment down below.



Citrix Virtual Apps and Desktops 1903

Citrix announced their new release, Virtual Apps and Desktops 1903, on the 28th of March, and it contains a lot of interesting changes in all categories along with a long list of fixed issues. I will cover two of the changes that I found extra interesting in this blog post, and that I would recommend you look into as well!

Director

Citrix Director has been given some love and has received a few changes in the user interface. Citrix has also announced that similar changes to improve the user experience are to be expected in coming releases.

A profile processing duration counter has also been added to the logon duration chart, to make troubleshooting of profile-related issues easier.

Virtual Delivery Agent

DPI matching on Windows Server 2016/2019, which allows your session to match your client's DPI. Requires a minimum version of Citrix Workspace app on your client.

Pen functionality support with Windows Ink-based applications on Microsoft Surface devices. Requires Windows 10 and Citrix Workspace app 1902 at minimum.

Deprecation and removal

With change comes deprecation, and Virtual Apps and Desktops 1903 is no exception. In this release Citrix announced and removed the following components:

  • Announced in 1903 (to be removed)
    • Smart Check for Virtual Apps and Desktops
  • Removed in 1903
    • Linux VDA: support for Red Hat Enterprise Linux/CentOS 7.5
    • Citrix Receiver for Web classic experience
    • Support for Framehawk (the option to enable it has also been removed from the VDA installer)
    • Delivery Controller options for end-of-life products (VDI-in-a-Box and XenMobile < 9.0)

A full list of changes can be found here:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/whats-new.html

If you have any questions regarding Citrix Virtual Apps and Desktops, feel free to email me at robert.skyllberg@xenit.se or comment down below.



Microsoft Teams devices

So maybe you've read my article on Microsoft Teams Rooms? Those solutions are just one part of the Teams devices family, which offers smarter ways to connect and work together in the ever-changing workplace.

First of all, Teams devices are certified to work with Teams (and Skype for Business, for that matter). They also offer the best-in-class performance and the crisp sound and picture that the certification requires.

Room Systems – check this article out.

Room phones – These are for smaller rooms that don't need a complete Room System. These devices run Android with the Teams client installed, so essentially the device is signed in as the room. This way you can quickly book the room and join the meeting from the room phone. You don't have to sign in with your personal credentials; it can also be a shared room device that is always signed in. Here's a sneak peek at how it looks:

Personal devices – these devices are your own. For example the Jabra 710, which has a Teams button/LED that flashes if you have a missed call; when you press it, it takes you to the missed calls list in the Teams client.

Desk phones are still used by many. For example, the left one below is the Plantronics Elara 60, which is a mobile dock. Just put your mobile phone in the dock for wireless charging and it will pair itself with the dock. You get hard buttons for calling and a Teams button, which flashes if you have missed calls in Teams, brings you to the missed calls list on your mobile phone and reminds you when you have meetings.

The right one is a Yealink phone with a large touchscreen, running Android and the Teams app. This means you can easily make and receive Teams calls directly on the phone. You can have it as a companion to your computer, with your daily meeting schedule open on the device at all times. For the IT pro, this also means you can manage these phones from the Teams admin center, since the device itself is enrolled in Azure AD as Azure AD registered.

And of course the headsets, which come in various models and sizes. At Xenit we use Jabra, who have a large portfolio of different models.

But seriously, what's wrong with any high-quality Bluetooth headset out there, won't it work? Well, to be honest, it might. My personal experience is that you can definitely pair your headset to your phone and your Windows 10 client. You might miss out on some special functionality like the busy light and call control, and you might not get the crisp sound quality you otherwise get, because the built-in Bluetooth in some laptops is simply not designed with sound quality in mind. When I tried a high-quality Jabra Bluetooth headset with the built-in Bluetooth in my laptop, it did not work well: it worked 9 times out of 10, but I experienced some unplanned disconnections during meetings that I did not get with the Jabra dongle. That's sad, since the USB dongle really annoys me.

So before you go shopping, make sure you check out the list of certified devices at http://office.com/teamsdevices.



Printix – The Secure Cloud Print Management Solution

Are you looking for a new print solution that will work for a modern workplace? A solution that lets you get rid of those nasty on-premise print servers? A solution that makes print management easier and more fun? Look no further, you just found one!

With Printix you get a serverless, simple cloud service that integrates with Microsoft or Google, giving you a single sign-on experience. Printix provides a centralized management portal with support for all USB and network printers, mobile and secure printing, high document security and Print Anywhere at any time. The setup is easy and you will be able to use it almost instantly.

So how does this work?

Instead of dedicated print servers, you use the Printix Cloud together with the Printix Client on a device of your choice (Windows, Mac, Chrome OS, Android, iOS). Once you have installed the Printix Client it detects the existing printers on your network, automatically configures them in the Printix Cloud and even uploads the current drivers(!). You can also add printers manually from the Printix dashboard. Once your printers are configured in the Printix Cloud you no longer need your on-premise servers, since documents are directed either straight to the printer on your network or via the Printix Cloud through the Printix Clients installed on your computers.

There are a number of ways to print your documents.

From the Printix dashboard you can configure everything related to your printing environment: print queues, user settings, network settings, cloud storage, analytics, downloading the Printix Client and much more.

Licensing is per user and can be set up as a monthly or annual subscription. An active user is any user that has logged into Printix (client or admin interface) at least once during the monthly billing cycle.

Please note that this solution also works with Citrix and RDS environments.


Does this sound interesting for your organisation? Maybe you want to try it out and see how easy it is to set up and get going? If so, let me know at tobias.sandberg@xenit.se and I will get you a trial right away, since Xenit is a Printix partner.

If you have any other questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.