InTune - Don't forget this important e-mail setting!

December 10, 2015 FoxDeploy

On a recent InTune deployment, we had a requirement to enforce encryption and security on mobile devices and also provision mail profiles.

During the pilot, we heard informal reports that a user thought they couldn’t send a photo using their company e-mail after migration, but we found this hard to reproduce.

However, during the production roll-out, we discovered that users were unable to add attachments using their InTune configured mail account.

Note that this was a ConfigMgr w/ InTune deployment, and the affected devices were mostly iOS and Android devices.

How do I fix this?

You control this setting from ConfigMgr, so launch the console.

Browse to Assets\Compliance Settings\Company Resource Access\E-mail Profiles

Open Mail Profile

Check the Synchronization Settings tab and ensure the ‘Allow email to be sent from third-party applications’ checkbox is checked.


Will mobile devices reflect this change?

YES!  The next time your devices check in for policy, they will note the change and the InTune MDM agent will allow your users to add attachments and send e-mail from other applications again.

How do I force update of my iOS and Android Devices?

If you’re reading this, chances are that you forgot to make this change, and are wondering precisely how screwed you might be.

You’re OK!

Mobile Devices refresh their policy in accordance with the Default Device Policy setting in SCCM itself, and respect no other client setting.  You can alter this setting under Administration\Client Settings\Default Settings.

The value you want is under Client Policy\Client policy polling interval (minutes)

The default setting is 60 minutes, meaning that the device will phone home every hour.  You could ratchet this setting down to 5 minutes, but your devices in the field will still only check in once an hour or so.

Once they note the change, devices will automatically remediate themselves. So you’re OK!

How do I force a single device to update policy?

You can force a single Device by launching the Company Portal application.  In the app, click on ‘devices’ and then click Sync.  Assuming good data coverage, this process takes roughly five minutes.

References

http://www.theexperienceblog.com/2014/03/18/bug-deploying-email-profiles-to-ios-using-intuneconfigmgr/

http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/12/12/force-a-refresh-of-microsoft-intune-policies-on-ios.aspx

http://blogs.msdn.com/b/beanexpert/archive/2015/07/07/microsoft-intune-standalone-device-policy-refresh-interval.aspx


ATLPUG meetup, TONIGHT!

December 08, 2015 FoxDeploy

Just a reminder, the new venue will not be ready until next month’s meeting, so please meet us instead at the Microsoft office in Alpharetta: Microsoft Corporation, 1125 Sanctuary Pkwy Ste 300, Alpharetta.

Join us TONIGHT, December 8th when June Blender will be giving a talk on PowerShell Events!  This will be in the Microsoft office in Alpharetta, near the mall!  Wear your Santa hats for a special door prize!

About June Blender

June Blender is a technology evangelist for SAPIEN Technologies, Inc. Formerly a Senior Programming Writer at Microsoft Corporation, she is best known for her work with the Windows PowerShell product team from 2006-2012, developing the help system and writing the Get-Help help topics for PowerShell 1.0 – 3.0. In other roles, June wrote content for the Azure Active Directory SDK and Azure PowerShell Help, Windows Driver Kits, Windows Support Tools, and Windows Resource Kits. She lives in magnificent Escalante, Utah, where she works remotely when she’s not out hiking, canyoneering, or convincing lost tourists to try Windows PowerShell. She is a Windows PowerShell MVP, a PowerShell Hero, an Honorary Scripting Guy, and a frequent contributor to PowerShell.org. Contact her at  juneb@sapien.com and follow her on the SAPIEN Blog and on Twitter at @juneb_get_help

Register now on Meetup!


DSC - The Simplest Domain Controller config, ever

December 02, 2015 FoxDeploy

IntroToDsc

This post is part of the Learning PowerShell DSC Series, here on FoxDeploy. Click the banner to return to the series jump page!


I’ve been pointing people to my series on DSC for a while now, and noticed that my instructions were not 100% accurate, plus I was sending people all over the web to download the needed files to build a Domain Controller using DSC. So, in this post, I’ll provide much simpler instructions to deploying a one-click domain controller.

I’ve also provided some custom versions of the DSC Resources used in this post, which include some code fixes not yet available on the PowerShell Gallery today.

To avoid heart-ache, I would strongly encourage you to use the copies I’m providing with this post.


  • First and foremost, download a .zip of the full repo here
  • Now, make sure you have a Windows Server machine ready, running WMF 5.0. If you need it, download it here
  • VM Configuration: The VM should have two network adapters.
  • The first one should be internal (that is to say facing the VMs where you’d like this DC to be accessible) and once the script completes, you’ll have working DHCP and DNS on this vSwitch.
  • The second vNic should be external, if desired. DNS and DHCP will not be provided on this connection.
  • Create a new Administrator on this machine. The Admin which you use to run this process becomes the first Domain Administrator in your new Domain.
  • Next, extract this to your new Domain Controller to be, under C:\temp.
  • Copy all of the xModuleName folders into $env:ProgramFiles\WindowsPowerShell\Modules on your VM
  • From an Administrative PowerShell prompt, run the below command to unblock all files downloaded.
```powershell
dir -recurse -path $env:ProgramFiles\WindowsPowerShell\Modules | Unblock-File
```
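The copy and unblock steps above as one script, an added example that is not part of the original post or its repo. `$RepoRoot` is an assumption (the folder that directly contains the x* module folders after extraction); the script lists which files carry the downloaded-from-the-internet mark before clearing it, and unblocks only the modules it copied rather than the whole Modules tree.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the repo. $RepoRoot is an assumption: the folder under
# C:\temp that directly contains the x* module folders after extracting the .zip.
param(
    [string]$RepoRoot   = 'C:\temp',
    [string]$ModuleRoot = (Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules')
)

# The post calls for WMF 5.0; stop early on anything older.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "WMF 5.0 or later is required; found $($PSVersionTable.PSVersion)."
}

# Assumes the DSC resource modules are the top-level folders whose names start with 'x'.
$modules = @(Get-ChildItem -Path $RepoRoot -Directory -Filter 'x*')
if ($modules.Count -eq 0) { throw "No x* module folders found under $RepoRoot." }

foreach ($m in $modules) {
    Copy-Item -Path $m.FullName -Destination $ModuleRoot -Recurse -Force
}

# Downloaded files carry a Zone.Identifier alternate data stream (the "blocked" mark).
# List the marked files first, limited to the modules just copied.
$copied  = $modules | ForEach-Object { Join-Path $ModuleRoot $_.Name }
$blocked = @(Get-ChildItem -Path $copied -Recurse -File | Where-Object {
    Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
})
"{0} blocked file(s) in {1} module(s):" -f $blocked.Count, $modules.Count
$blocked.FullName

# Clear the mark on those files only, then confirm PowerShell can see the modules.
$blocked | Unblock-File
Get-Module -ListAvailable -Name $modules.Name | Select-Object Name, Version, ModuleBase
```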

Now, simply launch OneClickDSC.ps1 in PowerShell, and click the Play button (or hit F5), to launch the GUI.

You only have to provide two values.  On the left, if you choose to, you can rename your computer.  If you choose to do so, you’ll have to reboot before you can complete DSC Application.  But DSC will continue after the reboot, so there’s really no worry.

On the right side of the screen, simply type in the domain name for your new Domain.  You’ll then be prompted for credentials.


This prompt is a little bit nonstandard. See, DSC will run a check for DSC consistency regularly, and it will do so using the values you type in on the credentials prompt as the DSC Admin account.

What’s going to happen is that our current account will be elevated to domain admin and when DSC runs this check again for consistency, it will use the credentials we specify here.

Important warning!!!! Make sure to specify your username as NewDomainName\CurrentUserName.

So, if you’re making Domain Ham, and your name is Bacon, then login as Ham\Bacon.


That’s it

The first step of application is to change the computer’s name. This requires a reboot. So…reboot.

On restart, we can run the following commands to watch the rest of the DSC Application

```powershell
# Pause the last application
Stop-DSCConfiguration -Force
# Resume so we can watch it
Start-DscConfiguration -ComputerName localhost -Wait -Force -Verbose -UseExisting
```

Now, if you diverged from using my copy of the DSC resources, you may run into an error, specifically w/ the computername module, around specifying a name for a Computer, without specifying a domain name. This is an open issue in GitHub right now, so hopefully the problem will be resolved soon, but for now, the copy you’ll get w/ this blog post has the proposed fix to the issue.

And…we’re done when we see this screen!

IntroToDsc

So, I hope this clears up the questions people were asking about how to use this ‘OneClick Domain Controller’.


Solved: Ubuntu install hangs on Hyper-V

November 29, 2015 FoxDeploy

Recently, I’ve been getting more and more interested in Chef, and decided it was time to build out a testlab in my Hyper-V.

I started imaging a new VM using the 14.10 LTS release of Ubuntu, one of the supported environments for Chef Server.

However, during install, my VM would freeze here:

chefUbuntuwtf01

 

At the same time, I noticed a critical level event from Hyper-V.

‘VMName’ was faulted because the guest executed an intercepting instruction not supported by Hyper-V instruction emulation. If the problem persists, contact Product Support. (Virtual machine ID 8895146E-C175-4CA5-B7A6-57E1D6E48290)


I did a bunch of googling and found…almost no one with this same issue, and I thought it was related to Hyper-V on Windows 10 Tech Preview.  As it turns out, this is caused by some generation 2 Virtual Machine features, namely Dynamic Memory.

Symptom

Install of Ubuntu or other *Nix distro freezes during install on Hyper-V, as a Gen 2 VM

Cause

Dynamic Memory does not appear to be supported during install of Ubuntu, and will manifest as errors during OS install and partitioning.

Resolution

Disable Dynamic Memory until install is completed.  After installing, run ‘sudo apt-get update’ to ensure drivers are up to date, for optimum VM svelteness.

Quicky: How to use Server Nano TP4 in Hyper-V

November 25, 2015 FoxDeploy

Hey guys,

Super quicky here.  With Windows Server Tech preview 4 shipping now, we have a new release of Server Nano to play with.  Ben Armstrong wrote a guide for tech preview 3, but the cmdlets have changed since then, so I figured I’d write this out to help you as well!

Step 1: Get the Server tech preview 4 media here

Step 2: Launch PowerShell, browse to the media\NanoServer folder.  (In my case, Drive F:)

Step 3: In PowerShell run the following:

```powershell
New-NanoServerImage -MediaPath F:\ -BasePath X:\Nano -TargetPath 'X:\Nano\VHD\NanoServer.vhd' -GuestDrivers -Containers -EnableEMS -ComputerName Nano
```

Let’s break down those parameters:

  • MediaPath - the Server TP 4 drive, in my case F:\
  • BasePath - the staging directory, this cmdlet will dump a lot of stuff here to do its magic to convert the WIM into a VHD
  • TargetPath - where to put the completed VHD
  • GuestDrivers - this switch injects the Hyper-V guest Drivers
  • Containers - want to try Docker Containers?  Put this param in!
  • EnableEms - want to play with the new Emergency Management Console for Nano?  Sure you do, include this one too!
  • ComputerName - Whatcha wanna call this new computer?

These are probably the most important params.

If it worked, you’ll see something like the following:

Now, be warned that this will create a .vhd, so you’re stuck with a Gen 1 VM, which really isn’t so bad, given how little Nano can do today :p

To boot her up:

NanoServer

My next step is to do domain join, and see what all we can load up on her!


Solved: Cisco AnyConnect 'Session Ended' error

November 20, 2015 FoxDeploy

This was kicking my butt today, but it turns out that it had an easy workaround.

I learned a long time ago that if you’re running Hyper-V on your device, you should not install a VPN client on the host, but rather should be doing this within child VMs.  The reason for this is that sometimes the drivers associated with a VPN adapter don’t play nicely with a hypervisor, and can often result in a blue screen error when they attempt to make changes to the virtual adapters displayed to the parent partition.

So, I made a Windows 10 VM to run my VPN client…however, I was getting errors of ‘Session Ended’, along with tons of murky stuff in my Event Viewer, related to missing devices, etc.  It looked pretty scary.

As it turns out this is a simple resolution.

Symptom

A VPN connection is immediately dropped when connecting on a Windows 8 or higher VM


Validation

Launch AnyConnect and click the cog icon, then click the Message History tab.

Look for an error of “VPN establishment capability from a remote desktop is disabled.  A VPN connection will not be established”.


Cause

When connecting to Windows 8.1 and newer child OSes in Hyper-V, Virtual Machine Connection will actually attempt to connect via RDP, rather than through the secured backchannel that VMC normally offers.  This will appear as an RDP session on the remote machine, and AnyConnect is often configured to prohibit this behavior.

Resolution

While connecting to the VPN, use a basic connection instead of ‘Enhanced Session’.  You can use the button in the Virtual Machine Connection window to toggle between the two, and it’s okay to jump back into Enhanced Session after the VPN connection is completed.
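To confirm the cause from inside the guest, the check below (an added example, not from the original post) reads the setting that produces this message and tests whether the current session is a remote one. The element name `WindowsVPNEstablishment` and its values come from Cisco's AnyConnect client profile format rather than from the post, and the profile XML here is a constructed sample.

```powershell
# Added example. The XML below is a constructed sample, not a real deployment's profile.
$sampleProfile = @'
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>
'@

function Get-VpnEstablishmentPolicy {
    param([Parameter(Mandatory)][string]$ProfileXml)
    $doc  = [xml]$ProfileXml
    # local-name() sidesteps the profile's default XML namespace.
    $node = $doc.SelectSingleNode("//*[local-name()='WindowsVPNEstablishment']")
    if ($node) { $node.InnerText.Trim() } else { 'NotSet' }
}

function Test-RemoteSession {
    # True for RDP sessions, which is how an Enhanced Session appears to the guest.
    Add-Type -AssemblyName System.Windows.Forms
    [System.Windows.Forms.SystemInformation]::TerminalServerSession
}

$policy = Get-VpnEstablishmentPolicy -ProfileXml $sampleProfile
$remote = Test-RemoteSession

switch ($policy) {
    'LocalUsersOnly' {
        if ($remote) {
            'LocalUsersOnly + remote session: the VPN will be refused. Switch to a basic session, then connect.'
        } else {
            'LocalUsersOnly + local session: VPN establishment is permitted.'
        }
    }
    'AllowRemoteUsers' { 'Profile allows remote users: this restriction is not what ended the session.' }
    default            { "Profile value is '$policy': no explicit setting found, so the client default applies." }
}
```

To check a real guest, pass the contents of the deployed profile (read with `Get-Content -Raw`) to `Get-VpnEstablishmentPolicy` instead of the sample.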
