azure, IT Cyber Security Technical Knowledge, licensing, m365, microsoft, o365
When you install Office 365 ProPlus / Microsoft 365 Apps and sign in with a work or school account, users may be presented with a screen that says ‘Use this account everywhere on your device’.
Below is how to prevent that screen appearing, and with it the Azure AD device registration that results from pressing Yes.
Everything goes well until users hit this prompt; in a state of confusion they will most likely just press Yes, or possibly one of the other options, and their domain-joined PC ends up Azure AD registered alongside its existing domain join.
Hide this screen by preventing Azure AD registration
This screen can be hidden by editing the registry, as documented at https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-things-you-should-know:
You can prevent your domain-joined device from being Azure AD registered by adding this registry value: HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, “BlockAADWorkplaceJoin”=dword:00000001
The value takes effect immediately and does not require a reboot; you will not see the screen again. It blocks only new workplace registrations: a device that was already registered stays registered until the work or school account is removed from it. Hybrid Azure AD join via Azure AD Connect is not affected and still works.
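The same change as a script, for example as a GPO startup script, with a check that the value applied and a readout of the device’s current join state. This is an added example, not code from the original post; the WorkplaceJoin key and value are the ones quoted above, and dsregcmd /status is the built-in tool for reporting the join state.

```powershell
# Added example, not from the original post: set the BlockAADWorkplaceJoin policy value
# from a script, confirm it stuck, and report the device's current join state. The key
# only blocks NEW registrations; a device that was already registered stays registered
# until the work/school account is removed under Settings > Accounts.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$Name    = 'BlockAADWorkplaceJoin'

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null

$applied = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
if ($applied -ne 1) { throw "Could not set $KeyPath\$Name" }
Write-Host "$Name = $applied : prompt suppressed, new Azure AD registrations blocked"

# dsregcmd /status prints 'Field : VALUE' lines; pull out the ones that matter here.
function Get-DsregValue([string[]]$Status, [string]$Field) {
    $m = $Status | Select-String -Pattern "^\s*$Field\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}

$status = dsregcmd /status
[pscustomobject]@{
    DomainJoined    = Get-DsregValue $status 'DomainJoined'
    AzureAdJoined   = Get-DsregValue $status 'AzureAdJoined'     # hybrid join; still allowed by this key
    WorkplaceJoined = Get-DsregValue $status 'WorkplaceJoined'   # YES means a registration already exists
}
```

A WorkplaceJoined value of YES after deploying the key means the device was registered before the policy arrived; the key will not undo it, so remove the work or school account on that device as well.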
microsoft, networking, windows 10, windows 11
Bypass Windows 11 Network Setup to create a local user account.
Whether you are turning on a new device for the first time or have performed a clean installation of Windows 11, you are always prompted to join a Wi-Fi network if no Ethernet cable is connected. Follow the steps below to bypass this network setup so you can create a local account without needing a Microsoft account.
On the “Let’s connect you to a network” page, press Shift + F10 to open a Command Prompt.
In the Command Prompt, type OOBE\BYPASSNRO and press Enter. This sets the BypassNRO flag under the OOBE registry key and reboots the machine.
The computer will restart automatically and the out-of-box experience (OOBE) will start again.
Quick note: you will need to select the region and keyboard settings one more time to get back to the network connection page.
Click the “I don’t have internet” option.
Click the “Continue with limited setup” option.
You have now bypassed the Windows 11 network setup and can create a local user account.
azure, compliance, IT Cyber Security Technical Knowledge, m365, microsoft, o365
Microsoft has been turning on security defaults for existing M365 tenants, which forces MFA registration for all users.
You can check by going into Azure AD > Properties > Manage security defaults.
If security defaults are set to “Yes”, that is why MFA has turned on. Setting it to “No” removes the new defaults and turns MFA off again. Be aware that this leaves every account protected by its password alone unless you replace the defaults with Conditional Access policies (which need Azure AD P1/P2 licensing); MFA is strongly recommended for all accounts, administrators first.
active directory, Exchange, microsoft, Windows Server
Sometimes, when rebooting an Exchange server after installing updates, it hangs on ‘Getting Windows Ready’; even when you do get to log in, it may lock up again and become unresponsive.
This is a common issue with Exchange 2013 on Windows Server 2012 R2.
Follow the guide below to resolve it.
Restarting the VM a few times does not help; the Exchange Server VM stays unusable.
The fix is to boot the VM into Safe Mode via the boot menu.
To get there, boot the VM from the Windows Server 2012 R2 ISO and, instead of Install, select Repair your computer.
Select Troubleshoot, then Command Prompt.
Enable the boot menu on the VM’s Windows Server 2012 R2 installation with these commands:
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 15
After rebooting the VM, press F8 at the boot menu and select Safe Mode.
In Safe Mode the Exchange Server VM starts without problems.
Open Services and set the Start-up Type of all Microsoft Exchange services to Manual, so that they do not start on the next boot. Then reboot the VM normally; the machine will start.
Set the Exchange services back to Automatic (note their original start-up types first; a few, such as POP3 and IMAP4, are Manual by default) and reboot the VM once more.
The Exchange Server should now boot straight away without getting stuck at the ‘Getting Windows Ready’ screen.
active directory, compliance, gpo, group policy, IT Cyber Security Technical Knowledge, microsoft, networking, ransomware, Windows Server
Create Group Policy to Whitelist Applications – Ransomware prevention
Test these rules in a test environment before deploying them to production. Their purpose is to block ransomware launched from user-writable locations. Note that they also block the Java web installer, which runs from %LocalAppData%\Temp, so you will need to add an allow entry for each new Java update you wish to install (second GPO below). These are path-based Software Restriction Policy rules: they deny a fixed set of locations rather than whitelisting known-good software, and the allow rule matches on path and file name only, so any executable with that name in that folder will be permitted.
Go to https://java.com/en/download/
Take note of the latest Java Version (eg, 8u301)
Log in to a server that can access, create and edit Group Policy objects
Open the run command, type in gpmc.msc – Click OK
Right click on the Organizational Unit you wish to add the rules to and select the first option, Create a GPO in this domain, and Link it here…
Enter a name for the GPO, then click OK (e.g. CryptoLocker/Ransomware Prevention)
Link the newly created GPO to any other Organizational Units you want it to apply to.
(e.g. right click on the Computers OU, select ‘Link an Existing GPO…’ then select the new GPO)
Right click on the GPO, click Edit…
Drill down in; Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Software Restriction Policies
Right click on Software Restriction Policies and select the first option, New Software Restriction Policies
Right click on Additional Rules, Select New Path Rule…
Enter the following path: %localAppData%\*\*.exe
Security Level = Disallowed
Click OK
Create Additional Path Rules for the following paths:
%localAppData%\*.exe
%AppData%\*.exe
%AppData%\*\*.exe
%Temp%\*.zip\*.exe
%Temp%\7z*\*.exe
%Temp%\Rar*\*.exe
%Temp%\wz*\*.exe
Your Additional Rules list should now contain these eight Disallowed path rules.
Exit out of Group Policy Editor.
Create another GPO called Cryptolocker/Ransomware – Whitelist Allow (Link to same OU’s as previous GPO)
Right click on the GPO, click Edit…
Drill down in; – Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Software Restriction Policies
Right click on Software Restriction Policies, Select the first option
Right click on Additional Rules, Select New Path Rule…
Under ‘Path:’ enter the path of the Java installer you wish to allow:
%localappData%\temp\jre-8u301-windows-i586-iftw.exe
Depending on which version of Java you are updating, replace ‘8u301’ with the version you want to allow (the file name must match the installer you download exactly, including the i586/x64 architecture).
Set Security Level to ‘Unrestricted’
Enter an appropriate description.
Click OK.
Verify that the new path rule has been added to the allow GPO.
Close GPO Editor.
Refresh Group policy Management
Go down to the Cryptolocker/Ransomware – Whitelist Allow GPO and click on it once
In the window on the right select ‘Settings’ from the tabs.
Drill down to; Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Software Restriction Policies/Additional Rules
Verify that new Path rule is shown in Policy List.
Exit Group Policy Management.
Go to a machine that is linked to the GPOs to test the rules.
Run the Java updater/installer.
Note the successful installation of Java. Also confirm that the deny rules work by trying to run an unrelated executable copied into %LocalAppData%\Temp; it should be blocked with a Software Restriction Policies message.
If the installer is blocked, force a Group Policy refresh on the client:
From an administrative Command Prompt,
gpupdate /force
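To review what actually landed on a client after gpupdate, the applied SRP rules can be read back from the registry and a candidate file path checked against them. This is an added example and not part of the original guide: the CodeIdentifiers\<level>\Paths\<guid> layout with ItemData/Description values is the documented SRP policy store, but the matching logic is an approximation of the SRP engine (a ‘*’ is treated as not crossing a backslash, and the most specific matching rule wins) and is meant for reviewing a policy, not as a substitute for testing on a real machine.

```powershell
# Added example, not from the original article: list the Software Restriction Policy path
# rules Group Policy applied to this client and show which one would catch a given file.
# Registry layout is the documented SRP store; the matching below is an APPROXIMATION of
# the SRP engine ('*' does not cross a backslash, most specific matching rule wins).
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels  = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpPathRule {
    if (-not (Test-Path $SrpRoot)) { Write-Warning 'No SRP policy is applied on this machine'; return }
    foreach ($lvl in $Levels.Keys) {
        $pathsKey = Join-Path $SrpRoot "$lvl\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $v = Get-ItemProperty -Path $ruleKey.PSPath
            if (-not $v.ItemData) { continue }
            [pscustomobject]@{
                Level       = $Levels[$lvl]
                Pattern     = $v.ItemData
                Expanded    = [Environment]::ExpandEnvironmentVariables($v.ItemData)  # current user's %AppData% etc.
                Description = $v.Description
            }
        }
    }
}

function ConvertTo-SrpRegex([string]$Pattern) {
    # Escape everything, then turn the SRP wildcards back into regex that stops at '\'.
    $re = [regex]::Escape($Pattern) -replace '\\\*', '[^\\]*' -replace '\\\?', '[^\\]'
    return "^$re$"
}

function Test-SrpPath([string]$FilePath) {
    $hits = Get-SrpPathRule | Where-Object {
        [regex]::IsMatch($FilePath, (ConvertTo-SrpRegex $_.Expanded), 'IgnoreCase')
    }
    if (-not $hits) {
        $default = (Get-ItemProperty -Path $SrpRoot -ErrorAction SilentlyContinue).DefaultLevel
        return [pscustomobject]@{ File = $FilePath; Result = 'no path rule matched'; DefaultLevel = $default }
    }
    # Fewest wildcard characters, then longest pattern, approximates "most specific rule wins".
    $winner = $hits |
        Sort-Object @{ Expression = { ($_.Expanded -replace '[^*?]', '').Length } },
                    @{ Expression = { $_.Expanded.Length }; Descending = $true } |
        Select-Object -First 1
    [pscustomobject]@{ File = $FilePath; Result = $winner.Level; MatchedRule = $winner.Pattern }
}

# Review the whole policy, then check the two cases from the article: the allowed Java
# installer and an arbitrary dropper in the same Temp folder.
Get-SrpPathRule | Sort-Object Level, Pattern | Format-Table Level, Pattern, Description -AutoSize
Test-SrpPath "$env:LOCALAPPDATA\Temp\jre-8u301-windows-i586-iftw.exe"
Test-SrpPath "$env:LOCALAPPDATA\Temp\dropper.exe"
```

Run it as the user whose profile you care about, because %LocalAppData% and %AppData% expand differently per user. The dropper case should report Disallowed and the Java installer Unrestricted; if the second check also reports Unrestricted for a renamed dropper, that illustrates why the allow rule should be replaced with a hash or certificate rule where the installer changes infrequently.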
active directory, auditing, compliance, microsoft, networking, shared folder, windows 10, Windows Server
Audit all access to folders and/or files on a server or workstation.
Log on to the server/workstation on which you wish to enable auditing.
Open the Local Group Policy Editor:
Win + R
gpedit.msc
Browse to the following location: Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Double click ‘Audit object access’
Select Success and Failure
Click Apply then OK
Exit Local Group Policy Editor
Navigate to the folder or file whose permission changes you wish to track.
Right click the folder/file then select Properties.
Select the Security tab then select Advanced
Select the Auditing tab then select Continue (if prompted)
Click Add
Click Select a principal
Type ‘everyone’ then select Check Names. Click OK.
Set Type: to All (both Success and Failure).
Untick the default auditing permissions and select only ‘Change permissions’. Click OK.
Click OK twice more.
Open up cmd or powershell as ADMIN
Execute the command: gpupdate /force
Auditing is now in place on the selected folders/files. As configured, it records permission changes only; to also record reads and writes, tick the corresponding permissions (e.g. List folder / read data, Create files / write data) in the audit entry and expect a much higher event volume.
To check the audit log, open Event Viewer.
Select Windows Logs > Security.
Filter the log on Event ID 4670 (Permissions on an object were changed). Read and write access audited through additional permissions appears as Event ID 4663.
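The same SACL can be applied from PowerShell and the resulting events pulled apart for review without clicking through Event Viewer. This is an added example, not code from the original guide; D:\Finance stands in for the folder being audited, and the auditpol call is the command-line equivalent of the “Audit object access” policy setting above.

```powershell
# Added example (not part of the original guide): apply the same SACL from PowerShell and
# read the 4670 events it produces, with the fields an analyst needs pulled from the XML.
# 'D:\Finance' is a placeholder for the folder you are auditing. Run elevated.
$Target = 'D:\Finance'

# Equivalent of "Audit object access: Success, Failure" in gpedit, on the Advanced Audit
# Policy subcategory that file and folder SACLs actually use.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Everyone / Change permissions / This folder, subfolders and files / Success and Failure
$acl  = Get-Acl -Path $Target -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

function Get-PermissionChangeEvent {
    # Returns one object per 4670 event under $PathPrefix: who changed which object's
    # permissions, from which process, and the old and new security descriptors (SDDL).
    param([string]$PathPrefix = $Target, [int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Process = $d['ProcessName']
                OldSddl = $d['OldSd']
                NewSddl = $d['NewSd']
            }
        } |
        Where-Object { $_.Object -like "$PathPrefix*" }
}

Get-PermissionChangeEvent | Format-List
```

Diffing OldSddl against NewSddl is what tells you whether an ACE was added for a new principal or an existing one was widened; the event alone only says that the descriptor changed. To extend the rule to reads and writes, add ReadData and WriteData to the FileSystemRights and query Event ID 4663 with the same parsing loop.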
active directory, licensing, microsoft, rds, rwa, Windows Server
You may want to move existing RDS licenses to a new server, either to take an old operating system out of production or simply as part of an upgrade.
Log in to the new server as an administrator.
Install the Remote Desktop Licensing (and, if required, Remote Desktop Gateway) role via Server Manager.
Once installed, open Remote Desktop Licensing Manager from Server Manager.
Add the new server to the Terminal Server License Servers group in Active Directory from the licensing manager’s review screen.
Select Add to group.
Right click on the server name and select Activate Server
Select Next at the Connection Method screen (Automatic connection (recommended) is the default).
Enter the relevant company information, then select Next.
On the next page, fill in the optional additional information (or leave it blank) and click Next; the server will activate.
On the new licensing server, add the old server to the console by selecting Action > Connect.
Enter the IP address or host name of the old licensing server.
The old server should now be visible on the new server.
To get the licensing ID right click on the old server and select properties
Select the new licensing server, then go to Action > Manage licenses
Once the window opens select Next
Select the first option, migrating licenses from another license server to this one.
Tick the checkbox and select the operating system the old licensing server is running.
Enter the license server ID you copied earlier, then select Next.
Tick the checkbox to confirm that you will manually remove the licenses from the source server, then select Next.
If the old licensing server is running Windows Server 2008 (not 2008 R2), you will need the original RDS CAL license information (refer to your purchase documentation) to install the CALs on the new licensing server, because a 2008 server cannot migrate RDS CALs automatically; only 2008 R2 and above can.
If the old licensing server is running 2008 R2 or above, proceed through the wizard to migrate the RDS CALs.
Once you have verified that the licenses are activated and working on the new server, deactivate the old RDS licensing server.
Once it is deactivated, uninstall the RD Licensing role from the old server via Server Manager.
Exchange, microsoft, networking, Windows Server
After Windows updates you may notice that the Microsoft Exchange services, and other services that depend on them, have been left disabled; you can check this in services.msc.
Run the PowerShell commands below on the Exchange Server to get the services up and running.
First, find out which services exist and which need their startup type changed. Get-Service lists them; to see only the Exchange services, filter on the display name:
Get-Service | Where-Object { $_.DisplayName -like "Microsoft Exchange *" } | Format-Table Name, Status, StartType
(The StartType column needs PowerShell 5 or later; drop it on older hosts.)
The output shows which services need their startup type changed. To change it, replace the part after the last pipe: instead of displaying the services, pass them to Set-Service:
Get-Service | Where-Object { $_.DisplayName -like "Microsoft Exchange *" } | Set-Service -StartupType Automatic
Note that this sets every Exchange service to Automatic, including a few that Exchange installs as Manual by default (for example POP3, IMAP4 and the Windows Server Backup extension). If you want to keep those as they were, exclude them from the filter or record the original startup types before changing anything.
The startup type has now changed from Disabled to Automatic, but the services are still stopped. Start them with:
Get-Service | Where-Object { $_.DisplayName -like "Microsoft Exchange *" } | Start-Service
Next step, IIS
Once the Exchange services have their startup type and status back, there is one more service to think about: IIS.
The IIS Admin Service is handled the same way. First identify it and set its startup type to Automatic:
Get-Service | Where-Object { $_.DisplayName -eq "IIS Admin Service" } | Set-Service -StartupType Automatic
Last but not least, start the IIS Admin Service:
Get-Service | Where-Object { $_.DisplayName -eq "IIS Admin Service" } | Start-Service
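Both Exchange posts above (the Safe Mode workaround that sets every Exchange service to Manual and back, and this post-update repair) end with a blanket Set-Service to Automatic. The following is an added example, not code from either post: it records the current start-up types to a CSV before changing them, flips them all to one type, and later restores exactly what was recorded, so services that Exchange ships as Manual stay Manual. The snapshot path C:\Temp\ExchangeServiceStartup.csv is an assumption.

```powershell
# Added example, not from either Exchange post above: instead of setting every
# "Microsoft Exchange *" service to Automatic, record the current start-up types first,
# switch them all to one type (Manual for the 'Getting Windows Ready' safe-mode fix)
# and later restore exactly what was recorded. Exchange installs a few services as
# Manual by default (POP3, IMAP4, the Windows Server Backup extension); forcing them to
# Automatic changes your listening services and your alerting baseline.
# C:\Temp\ExchangeServiceStartup.csv is an assumed location for the snapshot.
$Snapshot = 'C:\Temp\ExchangeServiceStartup.csv'

function Get-ExchangeServiceInfo {
    # Win32_Service exposes StartMode on every PowerShell version (Get-Service gained StartType in 5.0).
    Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'Microsoft Exchange %'" |
        Select-Object Name, DisplayName, StartMode, State
}

function Save-ExchangeServiceStartup {
    $dir = Split-Path -Path $Snapshot -Parent
    if (-not (Test-Path $dir)) { New-Item -Path $dir -ItemType Directory | Out-Null }
    $services = Get-ExchangeServiceInfo
    $services | Export-Csv -Path $Snapshot -NoTypeInformation
    Write-Host "Recorded start-up types of $($services.Count) Exchange services in $Snapshot"
}

function Set-ExchangeServiceStartup {
    param([ValidateSet('Automatic', 'Manual', 'Disabled')][string]$StartupType)
    foreach ($svc in Get-ExchangeServiceInfo) {
        Set-Service -Name $svc.Name -StartupType $StartupType
    }
}

function Restore-ExchangeServiceStartup {
    if (-not (Test-Path $Snapshot)) { throw "No snapshot at $Snapshot; refusing to guess the original start-up types" }
    foreach ($row in Import-Csv -Path $Snapshot) {
        # Win32_Service reports 'Auto' where Set-Service expects 'Automatic'.
        $type = if ($row.StartMode -eq 'Auto') { 'Automatic' } else { $row.StartMode }
        Set-Service -Name $row.Name -StartupType $type
        # Start-Service starts dependencies first, so plain iteration order is fine.
        if ($type -eq 'Automatic' -and $row.State -eq 'Running') {
            Start-Service -Name $row.Name -ErrorAction Continue
        }
    }
    Get-ExchangeServiceInfo | Format-Table Name, StartMode, State -AutoSize
}

# Before the safe-mode workaround:   Save-ExchangeServiceStartup; Set-ExchangeServiceStartup -StartupType Manual
# After the server boots normally:   Restore-ExchangeServiceStartup
```

For the post-update case, where the services are already Disabled and no snapshot exists, the one-liners in the post are the fallback; take a snapshot once the server is healthy again so the next repair can restore the real baseline.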
microsoft, networking, openssl, ssl, Windows Server
Convert SSL Certificate to .pfx format (Microsoft IIS)
Obtain an SSL certificate from a trusted CA (Certificate Authority).
You will usually have three items: the SSL certificate itself, the CA bundle (the intermediate certificates) and the private key. The private key is the one you generated together with the CSR; it only comes from the CA if you let the CA generate the key pair for you.
In this tutorial we use the SSL certificate and the private key; the CA bundle can be included as well so that the .pfx carries the full chain.
Create a new text document on your local machine called private_key.key and paste the contents of the private key into the file.
Save the file (make sure it is saved as .key, not .key.txt).
Repeat the same process for the SSL certificate:
Copy the PEM text of the SSL certificate (the block from BEGIN CERTIFICATE to END CERTIFICATE).
Create a new text document on your local machine called public_ssl_key.cer and paste the contents of the SSL certificate into the file.
Save the file (make sure it is saved as .cer).
You will end up with two files: private_key.key and public_ssl_key.cer.
To bind the public/private key pair and set a password on the .PFX file you will need OpenSSL.
Download OpenSSL: https://sourceforge.net/projects/openssl/files/latest/download?source=files (the 1.0.2 build used in the example below is out of support; prefer a current 3.x build, and remember that the machine you run this on handles the private key.)
Once downloaded extract the contents of the OpenSSL folder and browse to the bin folder.
Open PowerShell as Administrator and change to the bin directory.
Example: cd C:\openssl-1.0.2j-fips-x86_64\OpenSSL\bin
Copy the previously created .key and .cer files into this directory (or use full paths).
Execute the following command to generate a password-protected .PFX file:
.\openssl.exe pkcs12 -export -inkey private_key.key -in public_ssl_key.cer -out ssl_cert.pfx
(This creates a .pfx called ssl_cert.pfx in the bin directory.)
You will be prompted to enter, and confirm, an export password for the .PFX file.
The .PFX file is then generated with that password attached.
You can now import this certificate into IIS on Windows Server, or via the Certificates MMC snap-in. Once the .pfx is stored safely, delete the loose private_key.key; the .pfx holds the same private key.
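An added example, not from the original post, that does the same export with the checks a practitioner wants before importing anything on a server: it confirms the key actually belongs to the certificate, includes the CA bundle so the chain travels with the .pfx, passes the password via the environment rather than the command line, and loads the result the way Windows will. File names follow the post; ca_bundle.cer is the intermediate bundle from the CA, and -LegacyWindowsTarget is an assumed switch for servers older than Windows Server 2019.

```powershell
# Added example, not from the original post. Builds the .pfx with the CA bundle included
# and verifies the result before it goes near a server. ca_bundle.cer and the
# -LegacyWindowsTarget switch are assumptions, not part of the original procedure.
param([switch]$LegacyWindowsTarget)

$Key   = 'private_key.key'
$Cert  = 'public_ssl_key.cer'
$Chain = 'ca_bundle.cer'
$Out   = 'ssl_cert.pfx'

# 1. Prove the key belongs to the certificate: the SHA-256 of both public keys must match.
$certPub = ((& openssl x509 -in $Cert -noout -pubkey | & openssl sha256) -replace '^.*=\s*', '')
$keyPub  = ((& openssl pkey -in $Key -pubout       | & openssl sha256) -replace '^.*=\s*', '')
if (-not $certPub -or $certPub -ne $keyPub) { throw 'Private key does not match the certificate' }

# 2. Take the password once and hand it to OpenSSL through the environment, not argv.
$secure = Read-Host -AsSecureString 'PFX password'
$env:PFXPASS = [System.Net.NetworkCredential]::new('', $secure).Password

$opensslArgs = @('pkcs12', '-export', '-inkey', $Key, '-in', $Cert, '-certfile', $Chain,
                 '-out', $Out, '-passout', 'env:PFXPASS')
# OpenSSL 3.x defaults to AES-256/PBKDF2 inside the PKCS#12, which Windows Server 2016 and
# older cannot import; -legacy falls back to the RC2/3DES encoding they understand.
if ($LegacyWindowsTarget -and ((& openssl version) -match '^OpenSSL 3')) { $opensslArgs += '-legacy' }
& openssl @opensslArgs
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 exited with $LASTEXITCODE" }

# 3. Count the certificates that made it into the bundle (leaf + intermediates).
$certCount = (& openssl pkcs12 -in $Out -nokeys -passin env:PFXPASS | Select-String 'BEGIN CERTIFICATE').Count

# 4. Load the file the way Windows will. EphemeralKeySet keeps the key out of the local
#    key store during the check (needs .NET 4.7.2 or newer).
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$pfx   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Out, $env:PFXPASS, $flags)
Remove-Item -Path Env:\PFXPASS

if (-not $pfx.HasPrivateKey) { throw "$Out contains no private key; IIS will not be able to bind it" }
[pscustomobject]@{
    Subject      = $pfx.Subject
    Thumbprint   = $pfx.Thumbprint
    NotAfter     = $pfx.NotAfter
    Certificates = $certCount   # 1 means the chain was not included
}
```

A Certificates value of 1 means only the leaf was packed; IIS will then rely on the server already trusting the intermediate, which is the usual cause of “certificate chain incomplete” findings from external scanners.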
active directory, hyper-v, microsoft, networking, rds, rwa, Windows Server, windows update
Remote Web Access (RWA) SSL Gateway not working after Windows Update
After installing Windows updates you may get an error when trying to log on to RDS via RWA (Remote Web Access). The steps below re-enable the Remote Desktop Gateway feature and re-bind its SSL certificate.
Log in to the server hosting the Remote Desktop Gateway (the domain controller in this setup)
Open PowerShell as Administrator
Run the following command:
dism /online /Enable-Feature:Gateway-U
Open the Remote Desktop Gateway Manager from Administrative Tools > Remote Desktop Services.
Right click the server name then select Properties
Select the SSL Certificate tab then select Import Certificate…
Select the correct SSL certificate for the Remote Desktop Gateway then select Import
Click Apply then OK
Close Remote Desktop Gateway Manager
Test connectivity via RWA
microsoft, networking, rds, teams, windows 10, Windows Server
Launch PowerShell on the workstation or RDS server where Microsoft Teams runs at start-up. Run it as the user whose Teams auto-start you want to remove: the Run key below lives in HKCU, so running it as a different administrator changes that administrator’s profile, not the user’s.
Execute the following command:
Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name "com.squirrel.Teams.Teams"
Log off and back on, or reboot the server/workstation.
If Teams still starts, log in as an administrator and remove Microsoft Teams via Programs and Features.
active directory, microsoft, networking, Windows Server
NOTE: Take a backup and/or snapshot of the VM before making any changes.
When setting up Active Directory, the administrator is given the option to choose the folder the Active Directory database files are written to. It is advisable to place them on a separate partition rather than in the default C:\Windows\NTDS\ folder; this also makes it easier to move the database later should the server run out of disk space.
In this step-by-step, the lab DC currently stores its AD database files in the default C:\Windows\NTDS\ folder. The steps below move them to a new disk added to the server, at E:\ADDB.
Step 1: Preparing Active Directory to be moved
1. Log in to the primary domain controller as a domain or enterprise administrator.
2. In Server Manager, navigate to Tools > Services.
3. Once the Services console loads, right click Active Directory Domain Services and click Stop.
4. When asked whether it is okay to stop the associated services (Kerberos Key Distribution Center, DNS Server and others that depend on AD DS), click Yes to continue.
Step 2: Moving the Active Directory database
1. Right click the Start button and click Command Prompt (Admin).
2. Once the command prompt is visible, type ntdsutil and press Enter.
3. Next type activate instance ntds and press Enter.
4. Then type files and press Enter.
5. In file maintenance, move the database to E:\ADDB by typing: move db to E:\ADDB
Note: enclose the path in quotation marks (“”) if it contains a space.
6. Once the database files have moved successfully, move the logs by typing: move logs to E:\ADDB
7. Optionally type integrity to check the moved database, then type quit twice to leave ntdsutil.
8. Return to the Services console and start Active Directory Domain Services, which you stopped in Step 1.
Browse to the new directory to confirm the database (ntds.dit) and log files (edb*.log) are there.
Restart the system.
Test logging in as an AD user.
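The same move, scripted, with verification against the paths the NTDS service actually reads from its Parameters registry key. This is an added example and not code from the original post; E:\ADDB is the destination used in the post, and it assumes the snapshot or system-state backup from the note at the top has already been taken.

```powershell
# Added example, not from the original post: the ntdsutil steps above run non-interactively,
# with the result verified against the paths the NTDS service reads from the registry.
# E:\ADDB is the destination used in the post. Take the snapshot/system-state backup first.
$Dest   = 'E:\ADDB'
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsPath {
    $p = Get-ItemProperty -Path $Params
    [pscustomobject]@{
        Database = $p.'DSA Database file'         # full path to ntds.dit
        Logs     = $p.'Database log files path'   # directory holding edb.log / edb*.log
        Working  = $p.'DSA Working Directory'
    }
}

if (-not (Test-Path $Dest)) { New-Item -Path $Dest -ItemType Directory | Out-Null }
$before = Get-NtdsPath
Write-Host "Current database: $($before.Database)`nCurrent logs:     $($before.Logs)"

# Step 1 of the post: stopping NTDS also stops its dependents (KDC, DNS, DFSR, ISTG ...).
Stop-Service -Name NTDS -Force

# Step 2: ntdsutil accepts its menu commands as arguments. Quote a destination that contains
# spaces as "move db to \"E:\My Path\"". 'integrity' checks the moved database before restart.
& ntdsutil "activate instance ntds" "files" "move db to $Dest" "move logs to $Dest" "integrity" "q" "q"
if ($LASTEXITCODE -ne 0) { Write-Warning "ntdsutil returned $LASTEXITCODE; read its output before starting NTDS" }

# Verify: the registry must point at the new location and the files must actually be there.
$after  = Get-NtdsPath
$checks = @(
    ($after.Database -like "$Dest\*"),
    ($after.Logs -eq $Dest),
    (Test-Path $after.Database),
    (Test-Path (Join-Path $Dest 'edb.log'))
)
if ($checks -contains $false) {
    Write-Warning "Move not fully verified: DB=$($after.Database) Logs=$($after.Logs)"
} else {
    Write-Host "Database and logs now under $Dest"
}

# Starting NTDS alone does not restart the services that stopped with it; reboot as the
# post does so everything comes back in dependency order.
Start-Service -Name NTDS
```

If the verification warns, do not reboot yet: read the ntdsutil output, and if the registry still points at C:\Windows\NTDS while the files are in E:\ADDB (or vice versa), restore from the snapshot rather than editing the Parameters key by hand.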