index.json
[{"content":"","date":"2025-02-03","externalUrl":null,"permalink":"/","section":"AJF8729","summary":"","title":"AJF8729","type":"page"},{"content":"","date":"2025-02-03","externalUrl":null,"permalink":"/tags/autopilot/","section":"Tags","summary":"","title":"Autopilot","type":"tags"},{"content":" Use this script to quickly register a device with Autopilot, such as a new VM for testing:\nWrite-Host \u0026#39;Setting execution policy to Unrestricted...\u0026#39; -ForegroundColor Green Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force | Out-Null Write-Host \u0026#39;Installing NuGet package provider...\u0026#39; -ForegroundColor Green Install-PackageProvider -Name NuGet -Force | Out-Null Write-Host \u0026#39;Installing Get-WindowsAutoPilotInfo script...\u0026#39; -ForegroundColor Green Install-Script -Name Get-WindowsAutoPilotInfo -Force | Out-Null Write-Host \u0026#39;Installing WindowsAutopilotIntune module...\u0026#39; -ForegroundColor Green Install-Module -Name WindowsAutopilotIntune -Force | Out-Null Write-Host \u0026#39;Executing \u0026#34;Get-WindowsAutoPilotInfo -Online -Assign\u0026#34;...\u0026#39; -ForegroundColor Green Get-WindowsAutoPilotInfo -Online -Assign I have this script stored within this GitHub Pages site at https://ajf8729.com/ap.ps1, with the Bitly link http://bit.ly/getwapi pointed at it, so for complete ease of use, you can execute the script at the OOBE screen in PowerShell via:\niex (irm bit.ly/getwapi) After running the above one-liner, come back in a minute or two and all of the necessary modules/scripts will be installed, without any prompts, and you should be at an authentication prompt to complete Autopilot registration!\n","date":"2025-02-03","externalUrl":null,"permalink":"/posts/get-wapi/","section":"Posts","summary":"How to quickly register a new device with Autopilot for testing 
purposes","title":"Get-WAPI","type":"posts"},{"content":"","date":"2025-02-03","externalUrl":null,"permalink":"/tags/intune/","section":"Tags","summary":"","title":"Intune","type":"tags"},{"content":"","date":"2025-02-03","externalUrl":null,"permalink":"/tags/powershell/","section":"Tags","summary":"","title":"PowerShell","type":"tags"},{"content":"","date":"2025-02-03","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"2024-09-16","externalUrl":null,"permalink":"/tags/sql/","section":"Tags","summary":"","title":"SQL","type":"tags"},{"content":" Here\u0026rsquo;s a simple SQL query you can run against your ConfigMgr site database to return hardware hashes for all devices running a client OS:\nSELECT S.Name0, B.SerialNumber0, M.DeviceHardwareData0 FROM v_R_System S JOIN v_GS_PC_BIOS B ON S.ResourceID = B.ResourceID JOIN v_GS_MDM_DEVDETAIL_EXT01 M ON S.ResourceID = M.ResourceID JOIN v_GS_OPERATING_SYSTEM OS ON S.ResourceID = OS.ResourceID WHERE OS.ProductType0 = 1 ORDER BY S.Name0 Source\n","date":"2024-09-16","externalUrl":null,"permalink":"/posts/exporting-hardware-hashes-from-configmgr/","section":"Posts","summary":"A quick SQL query to get all hardware hashes out of your ConfigMgr site database","title":"SQL query to get hardware hashes from your ConfigMgr site database","type":"posts"},{"content":" I wanted a quick way to determine when this month\u0026rsquo;s Patch Tuesday was without having to look at a calendar, so I came up with this silly thing. 
Toss it in your PS profile and never forget when Patch Tuesday is again!\nfunction Get-PatchTuesday { $Month = Get-Date -Format \u0026#39;MMMM\u0026#39; switch ((Get-Date -Day 1).DayOfWeek) { \u0026#39;Tuesday\u0026#39; {return \u0026#34;Patch Tuesday is on $Month 8th\u0026#34;} \u0026#39;Monday\u0026#39; {return \u0026#34;Patch Tuesday is on $Month 9th\u0026#34;} \u0026#39;Sunday\u0026#39; {return \u0026#34;Patch Tuesday is on $Month 10th\u0026#34;} \u0026#39;Saturday\u0026#39; {return \u0026#34;Patch Tuesday is on $Month 11th\u0026#34;} \u0026#39;Friday\u0026#39; {return \u0026#34;Patch Tuesday is on $Month 12th\u0026#34;} \u0026#39;Thursday\u0026#39; {return \u0026#34;Patch Tuesday is on $Month 13th\u0026#34;} \u0026#39;Wednesday\u0026#39; {return \u0026#34;Patch Tuesday is on $Month 14th\u0026#34;} } } New-Alias -Name gpt -Value Get-PatchTuesday ","date":"2024-02-01","externalUrl":null,"permalink":"/posts/get-patchtuesday/","section":"Posts","summary":"A silly PowerShell function to determine when this month\u0026rsquo;s Patch Tuesday is","title":"A silly PowerShell function to determine when this month's Patch Tuesday is","type":"posts"},{"content":" Here\u0026rsquo;s a neat trick to make it easier to launch CMTrace (and smscfgrc.cpl) from the Run box and command line: Add the ConfigMgr client path to the PATH variable! 
Let\u0026rsquo;s do it via a configuration item:\nDetection Script: To detect if it is already present, we get the existing contents of the PATH variable, break it down into an array, and then loop through all of the entries, looking for a match.\n$Compliant = $False $CCMPath = \u0026#39;C:\\Windows\\CCM\u0026#39; $Paths = (Get-Item \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\u0026#39;).GetValue(\u0026#39;PATH\u0026#39;, $null, \u0026#39;DoNotExpandEnvironmentNames\u0026#39;) -split \u0026#39;;\u0026#39; foreach ($Path in $Paths) { if ($Path -eq $CCMPath) { $Compliant = $True } } return $Compliant Remediation Script: To remediate the configuration, we combine the contents of the current PATH variable, add the CCM directory to it, and use the SetEnvironmentVariable method to save the changes.\nWe need to use SetEnvironmentVariable here instead of just setting $env:Path directly so the changes are persisted beyond the current session.\n$CCMPath = \u0026#39;C:\\Windows\\CCM\u0026#39; $Paths = (Get-Item \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\u0026#39;).GetValue(\u0026#39;PATH\u0026#39;, $null, \u0026#39;DoNotExpandEnvironmentNames\u0026#39;) -split \u0026#39;;\u0026#39; $NewPath = ($Paths + $CCMPath) -join \u0026#39;;\u0026#39; [System.Environment]::SetEnvironmentVariable(\u0026#39;PATH\u0026#39;, $NewPath, [System.EnvironmentVariableTarget]::Machine) Now you can do stuff like this without having to fully qualify the path or browsing to it!\n","date":"2023-07-07","externalUrl":null,"permalink":"/posts/add-ccm-to-path/","section":"Posts","summary":"How to add the CCM directory to the PATH variable to make it easier to run CMTrace","title":"Adding the CCM directory to the PATH variable via ConfigMgr DCM","type":"posts"},{"content":"","date":"2023-07-07","externalUrl":null,"permalink":"/tags/configmgr/","section":"Tags","summary":"","title":"ConfigMgr","type":"tags"},{"content":" In order to 
fully enable the fix for CVE-2023-32019 as part of the 2023-06 CU, a specific registry value must be configured, depending on OS version. More info can be found here: KB5028407: How to manage the vulnerability associated with CVE-2023-32019.\nI\u0026rsquo;ve put together the following PowerShell scripts that can be used to detect/remediate the registry setting via ConfigMgr DCM, which are also available in my GitHub. These could easily be retrofitted to be used via Intune Remediation as well, which I hope to also have available soon.\n2023-06-22 Update: I converted the scripts to be utilized as a [Proactive] Remediation via Intune by modifying the detection script a bit; the remediation script is the same. These scripts are also now in my GitHub.\nDetection Script: This script will get the OS build number and patch level, then check to see if the necessary registry path exists and if the required registry value is configured correctly. If the path does not exist, or the value is not set correctly, it will return false, otherwise it will return true.\nNOTE: If the OS is unsupported (e.g. 
Server 2012 R2), or the OS is not at the correct patch level, the script will still return true/compliant.\n$Compliant = $true $BuildNumber = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber $UBR = (Get-ItemProperty -Path \u0026#39;HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\u0026#39; -Name \u0026#39;UBR\u0026#39;).UBR switch ($BuildNumber) { # Windows 10 21H2/22H2 {$_ -in \u0026#39;19044\u0026#39;, \u0026#39;19045\u0026#39;} { if ($UBR -ge 3086) { $Value = Get-ItemProperty -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Name \u0026#39;4103588492\u0026#39; -ErrorAction Ignore if ($Value) { if ($Value.4103588492 -ne 1) { $Compliant = $false } } else { $Compliant = $false } } } # Windows 11 21H2 \u0026#39;22000\u0026#39; { if ($UBR -ge 2057) { $Value = Get-ItemProperty -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Name \u0026#39;4204251788\u0026#39; -ErrorAction Ignore if ($Value) { if ($Value.4204251788 -ne 1) { $Compliant = $false } } else { $Compliant = $false } } } # Windows 11 22H2 \u0026#39;22621\u0026#39; { if ($UBR -ge 1848) { $Value = Get-ItemProperty -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Name \u0026#39;4237806220\u0026#39; -ErrorAction Ignore if ($Value) { if ($Value.4237806220 -ne 1) { $Compliant = $false } } else { $Compliant = $false } } } # Server 2016 \u0026#39;14393\u0026#39; { if ($UBR -ge 5989) { $Value = Get-ItemProperty -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager\u0026#39; -Name \u0026#39;LazyRetryOnCommitFailure\u0026#39; -ErrorAction Ignore if ($Value) { if ($Value.LazyRetryOnCommitFailure -ne 0) { $Compliant = $false } } else { $Compliant = $false } } } # Server 2019 \u0026#39;17763\u0026#39; { if ($UBR -ge 4499) { $Value = Get-ItemProperty -Path 
\u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager\u0026#39; -Name \u0026#39;LazyRetryOnCommitFailure\u0026#39; -ErrorAction Ignore if ($Value) { if ($Value.LazyRetryOnCommitFailure -ne 0) { $Compliant = $false } } else { $Compliant = $false } } } # Server 2022 \u0026#39;20348\u0026#39; { if ($UBR -ge 1787) { $Value = Get-ItemProperty -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Name \u0026#39;4137142924\u0026#39; -ErrorAction Ignore if ($Value) { if ($Value.4137142924 -ne 1) { $Compliant = $false } } else { $Compliant = $false } } } } return $Compliant Remediation Script: This script will get the OS build number and patch level, then if necessary, create the required registry path, and configure the required value.\n$BuildNumber = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber $UBR = (Get-ItemProperty -Path \u0026#39;HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\u0026#39; -Name \u0026#39;UBR\u0026#39;).UBR switch ($BuildNumber) { # Windows 10 21H2/22H2 {$_ -in \u0026#39;19044\u0026#39;, \u0026#39;19045\u0026#39;} { if ($UBR -ge 3086) { if (-not (Test-Path -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39;)) { New-Item -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Force } New-ItemProperty -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Name \u0026#39;4103588492\u0026#39; -PropertyType DWord -Value 1 -Force } } # Windows 11 21H2 \u0026#39;22000\u0026#39; { if ($UBR -ge 2057) { if (-not (Test-Path -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39;)) { New-Item -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Force } New-ItemProperty 
-Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Name \u0026#39;4204251788\u0026#39; -PropertyType DWord -Value 1 -Force } } # Windows 11 22H2 \u0026#39;22621\u0026#39; { if ($UBR -ge 1848) { if (-not (Test-Path -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39;)) { New-Item -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Force } New-ItemProperty -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Name \u0026#39;4237806220\u0026#39; -PropertyType DWord -Value 1 -Force } } # Server 2016 \u0026#39;14393\u0026#39; { if ($UBR -ge 5989) { if (-not (Test-Path -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager\u0026#39;)) { New-Item -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager\u0026#39; -Force } New-ItemProperty -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager\u0026#39; -Name \u0026#39;LazyRetryOnCommitFailure\u0026#39; -PropertyType DWord -Value 0 -Force } } # Server 2019 \u0026#39;17763\u0026#39; { if ($UBR -ge 4499) { if (-not (Test-Path -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager\u0026#39;)) { New-Item -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager\u0026#39; -Force } New-ItemProperty -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager\u0026#39; -Name \u0026#39;LazyRetryOnCommitFailure\u0026#39; -PropertyType DWord -Value 0 -Force } } # Server 2022 \u0026#39;20348\u0026#39; { if ($UBR -ge 1787) { if (-not (Test-Path -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39;)) { New-Item 
-Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Force } New-ItemProperty -Path \u0026#39;HKLM:\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FeatureManagement\\Overrides\u0026#39; -Name \u0026#39;4137142924\u0026#39; -PropertyType DWord -Value 1 -Force } } } ","date":"2023-06-14","externalUrl":null,"permalink":"/posts/cve-2023-32019-kb5028407-registry-settings/","section":"Posts","summary":"How to configure the necessary registry settings for CVE-2023-32019 - KB5028407 via PowerShell, ConfigMgr DCM, and Intune","title":"Managing the Registry Settings for CVE-2023-32019 (KB5028407)","type":"posts"},{"content":" SSMS Full Download\nWiX Toolset\nC:\\CORP\\SSMS\u0026gt;\u0026#34;C:\\Program Files (x86)\\WiX Toolset v3.11\\bin\\dark.exe\u0026#34; -x C:\\CORP\\SSMS\\Extracted SSMS-Setup-ENU.exe Windows Installer XML Toolset Decompiler version 3.11.2.4516 Copyright (c) .NET Foundation and contributors. All rights reserved. SSMS-Setup-ENU.exe C:\\CORP\\SSMS\u0026gt; ","date":"2022-12-15","externalUrl":null,"permalink":"/posts/sql-native-client/","section":"Posts","summary":"How to acquire the latest version of the SQL Native Client for your ConfigMgr servers","title":"Acquiring the Latest Version of the SQL Native Client","type":"posts"},{"content":" If you maintain a large number of Client Settings profiles in your ConfigMgr environment, it can get annoying when you need to create new profiles and shift them high up in the priority list. A good example of this is creating a new profile to test a settings change on a subset of clients and it needs to be above the profile it is overriding. 
For example, I just added two new profiles in my lab for testing:\nPS CAS:\\\u0026gt; Get-CMClientSetting | Select-Object -Property Name,Priority | Sort-Object -Property Priority | Format-Table -AutoSize Name Priority ---- -------- Site Settings - PSA 1 Site Settings - PSB 2 Default Settings - Server 3 Default Settings - Workstation 4 Test Settings - Server 5 Test Settings - Workstation 6 Default Client Agent Settings 10000 I need the two new profiles that are currently set to 5 and 6 to be moved to 1 and 2. Doing this in the console can get really annoying, as you can\u0026rsquo;t set the priority directly; instead, you need to select the profile, click \u0026ldquo;Increase Priority\u0026rdquo; or \u0026ldquo;Decrease Priority\u0026rdquo; in the ribbon, and repeat. Who has time for that?\nInstead, let\u0026rsquo;s move to our best friend PowerShell!\nPS CAS:\\\u0026gt; Set-CMClientSetting -Name \u0026#39;Test Settings - Server\u0026#39; -Priority 1 WARNING: The cmdlet \u0026#39;Set-CMClientSetting\u0026#39; has been deprecated and may be removed in a future release. The cmdlet \u0026#39;Set-CMClientSettingGeneral\u0026#39; may be used as a replacement. OK, that\u0026rsquo;s fine, we should use the newer cmdlet, but let\u0026rsquo;s check what happened:\nPS CAS:\\\u0026gt; Get-CMClientSetting | Select-Object -Property Name,Priority | Sort-Object -Property Priority | Format-Table -AutoSize Name Priority ---- -------- Site Settings - PSA 1 Site Settings - PSB 2 Default Settings - Server 3 Default Settings - Workstation 4 Test Settings - Workstation 5 Test Settings - Server 6 Default Client Agent Settings 10000 Huh, the priority for Test Settings - Server changed from 5 to 6. What happened? Well, if you go back and tab-complete the options for the Priority parameter, you\u0026rsquo;ll find that the available options are actually Increase and Decrease. Entering 1 was converted to the second possible value of Decrease. 
If I go back and run the same command, but using 0 this time, it will revert to priority 5:\nPS CAS:\\\u0026gt; Set-CMClientSetting -Name \u0026#39;Test Settings - Server\u0026#39; -Priority 0 WARNING: The cmdlet \u0026#39;Set-CMClientSetting\u0026#39; has been deprecated and may be removed in a future release. The cmdlet \u0026#39;Set-CMClientSettingGeneral\u0026#39; may be used as a replacement. PS CAS:\\\u0026gt; Get-CMClientSetting | Select-Object -Property Name,Priority | Sort-Object -Property Priority | Format-Table -AutoSize Name Priority ---- -------- Site Settings - PSA 1 Site Settings - PSB 2 Default Settings - Server 3 Default Settings - Workstation 4 Test Settings - Server 5 Test Settings - Workstation 6 Default Client Agent Settings 10000 Well that\u0026rsquo;s mildly inconvenient. Let\u0026rsquo;s look at that newer cmdlet:\nPS CAS:\\\u0026gt; Set-CMClientSettingGeneral -Name \u0026#39;Test Settings - Server\u0026#39; -PriorityValue 1 PS CAS:\\\u0026gt; Set-CMClientSettingGeneral -Name \u0026#39;Test Settings - Workstation\u0026#39; -PriorityValue 2 PS CAS:\\\u0026gt; Get-CMClientSetting | Select-Object -Property Name,Priority | Sort-Object -Property Priority | Format-Table -AutoSize Name Priority ---- -------- Test Settings - Server 1 Test Settings - Workstation 2 Site Settings - PSA 3 Site Settings - PSB 4 Default Settings - Server 5 Default Settings - Workstation 6 Default Client Agent Settings 10000 Awesome! Set-CMClientSettingGeneral has a parameter named PriorityValue that accepts a number and shifts the rest of the profiles down! Interestingly, I only discovered this parameter via trial and error; it is not listed in the cmdlet documentation.\nI have created an issue on GitHub mentioning this, so hopefully that gets updated. 
Until then, I hope this post helps!\n","date":"2022-12-07","externalUrl":null,"permalink":"/posts/modifying-client-settings-priorities/","section":"Posts","summary":"How to easily modify ConfigMgr Client Settings priorities with PowerShell","title":"Modifying Client Settings Priorities With PowerShell","type":"posts"},{"content":" In case you\u0026rsquo;ve been living under a rock, Desktop Analytics has been deprecated for a while, and is finally being retired on November 30th (in one week!).\nDesktop Analytics is easy enough to remove by following the instructions, but after completing these steps, I noticed one item left behind:\nIf you try to right-click this item, there will be no menu and no delete option anywhere in the console. In order to remove this, it must be deleted via WMI:\n# Listing all AAD app names Get-CimInstance -Namespace root/SMS/site_CAS -ClassName SMS_AAD_Application_Ex | select Name # Removing the Desktop Analytics app Get-CimInstance -Namespace root/SMS/site_CAS -ClassName SMS_AAD_Application_Ex -Filter \u0026#34;Name = \u0026#39;Desktop Analytics Server App\u0026#39;\u0026#34; | Remove-CimInstance The above commands reference information about my lab site; be sure to change the namespace name to match your site code, and select the correct AAD application name.\nAfter running the above commands and refreshing the console, the Desktop Analytics app should no longer be listed:\nHooray! Happy Thanksgiving! 
🦃\n","date":"2022-11-23","externalUrl":null,"permalink":"/posts/removing-desktop-analytics/","section":"Posts","summary":"How to remove Desktop Analytics and clean up everything left behind","title":"Removing Desktop Analytics from your ConfigMgr Site","type":"posts"},{"content":" Problem: You\u0026rsquo;ve shifted the \u0026ldquo;Device Configuration\u0026rdquo; workload in your ConfigMgr site to Intune, and your existing Configuration Baselines are no longer applying, and there\u0026rsquo;s a lot of them.\nSolution: Spend the next two hours clicking away in the console? PowerShell, of course!\nGet-CMBaseline -Fast | Set-CMBaseline -AllowComanagedClients $true Running the above one-liner will enable all of your existing baselines to be run on co-managed clients even when the workload has been shifted to Intune. For reference, we are setting the following property on each baseline:\n","date":"2022-11-21","externalUrl":null,"permalink":"/posts/enabling-baselines-for-comanaged-devices/","section":"Posts","summary":"How to quickly enable all of your configuration baselines to run on co-managed devices","title":"Enabling Configuration Baselines for Co-managed Clients","type":"posts"},{"content":"","date":"2022-11-16","externalUrl":null,"permalink":"/tags/active-directory/","section":"Tags","summary":"","title":"Active Directory","type":"tags"},{"content":" If you choose to run services such as SQL Server under a service account (not a domain user called a \u0026ldquo;service\u0026rdquo; account, but a \u0026ldquo;real\u0026rdquo; managed/group managed service account), one thing you will need to do manually is register necessary service principal names (SPNs) under this account to allow for Kerberos authentication.\nIf the service were running as NT AUTHORITY\\SYSTEM, this would occur automatically, as the computer account already has the necessary permissions.\nHere\u0026rsquo;s how you can achieve the same behavior by granting NT AUTHORITY\\SELF the same permission, 
which will allow a gMSA to write SPNs on itself:\n$gMSA = Get-ADServiceAccount -Identity \u0026#39;gMSA_Name$\u0026#39; dsacls $gMSA.DistinguishedName /G \u0026#39;SELF:RPWP;servicePrincipalName\u0026#39; After setting the above permission, simply restarting the SQL Server service will cause the SPNs to be registered, which you can confirm by running setspn -L gMSA_Name$.\nTo easily handle this for more than one gMSA, you can also delegate permissions to an OU that contains your gMSAs the same permission via the \u0026ldquo;Delegate Control\u0026rdquo; wizard:\nSelect NT AUTHORITY\\SELF as the identity to delegate permissions to. Select custom task to delegate. Select only group managed service account objects to apply the delegated permissions to. Select the \u0026ldquo;Write servicePrincipalName\u0026rdquo; property-specific permission to delegate. Click Finish to complete the permissions delegation. The full output text in the last window should look similar to the following:\nYou chose to delegate control of objects in the following Active Directory folder: corp.ajf.one/TEST The groups, users, or computers to which you have given control are: SELF (NT AUTHORITY\\SELF) They have the following permissions: Write servicePrincipalName For the following object types: msDS-GroupManagedServiceAccount ","date":"2022-11-16","externalUrl":null,"permalink":"/posts/gmsa-autospn/","section":"Posts","summary":"Configuring permissions for group managed service accounts (gMSAs) to self-register service principal names (SPNs)","title":"gMSA AutoSPN","type":"posts"},{"content":" The following PowerShell will test functionality of an HTTPS-enabled Management Point by using a locally installed client authentication certificate and testing the MPCert and MPList URLs:\n[CmdletBinding()] Param( [Parameter(Mandatory = $true)] [string]$ManagementPointFqdn, [Parameter(Mandatory = $true)] [string]$CAName ) $Certificate = Get-ChildItem -Path Cert:\\LocalMachine\\My\\ | Where-Object 
-FilterScript {$_.EnhancedKeyUsageList -like \u0026#39;Client Authentication (1.3.6.1.5.5.7.3.2)\u0026#39; -and $_.Issuer -like \u0026#34;*$CAName*\u0026#34;} | Select-Object -First 1 Write-Host \u0026#34;MPCert Results:\u0026#34; Invoke-WebRequest -Uri \u0026#34;https://$ManagementPointFqdn/sms_mp/.sms_aut?mpcert\u0026#34; -Certificate $Certificate -UseBasicParsing | Select-Object -ExpandProperty Content Write-Host \u0026#34;MPList Results:\u0026#34; Invoke-WebRequest -Uri \u0026#34;https://$ManagementPointFqdn/sms_mp/.sms_aut?mplist\u0026#34; -Certificate $Certificate -UseBasicParsing | Select-Object -ExpandProperty Content Sample output from my lab:\nPS C:\\CORP\u0026gt; .\\Test-HTTPSManagementPoint.ps1 -ManagementPointFqdn cmpsb01.corp.ajf.one -CAName \u0026#34;AJF.ONE CORP SIGNING CA\u0026#34; MPCert Results: \u0026lt;MPCertificate\u0026gt;\u0026lt;Certificate\u0026gt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u0026lt;/Certificate\u0026gt;\u0026lt;/MPCertificate\u0026gt; MPList Results: \u0026lt;MPList\u0026gt;\u0026lt;MP Name=\u0026#34;CMPSB01.CORP.AJF.ONE\u0026#34; FQDN=\u0026#34;CMPSB01.corp.ajf.one\u0026#34;\u0026gt;\u0026lt;Version\u0026gt;9088\u0026lt;/Version\u0026gt;\u0026lt;Capabilities SchemaVersion=\u0026#34;1.0\u0026#34;\u0026gt;\u0026lt;Property Name=\u0026#34;SSL\u0026#34; Version=\u0026#34;1\u0026#34;/\u0026gt;\u0026lt;Property Name=\u0026#34;SSLState\u0026#34; Value=\u0026#34;63\u0026#34;/\u0026gt;\u0026lt;/Capabilities\u0026gt;\u0026lt;/MP\u0026gt;\u0026lt;/MPList\u0026gt; The above script is also available in my GitHub.\n","date":"2022-11-15","externalUrl":null,"permalink":"/posts/testing-cm-https-mps/","section":"Posts","summary":"How to test ConfigMgr HTTPS Management Points using PowerShell","title":"Testing ConfigMgr HTTPS Management Points","type":"posts"},{"content":" I\u0026rsquo;m AJ, an IT professional in the Microsoft space for over fifteen years. 
I\u0026rsquo;m originally from the South Shore region of Massachusetts, and currently reside in the Rochester, New York area.\nI am currently a Cloud Solution Architect for Microsoft as a vendor. I primarily work with ConfigMgr, but also am heavily involved with Intune, Active Directory, Entra ID, and Azure Arc. Previously, I was a systems administrator/engineer for a private university, focused on endpoint management, ConfigMgr, Active Directory, and other various services/applications.\nI\u0026rsquo;m also one of the admins of the WinAdmins Community on Discord.\nMy main tech interests include endpoint management, AuthN/AuthZ, and security/infosec. Ask me about deploying internet-accessible domain controllers!\nIn my free time, I enjoy learning and helping others with tech-related stuff on various social media platforms, tinkering in my homelab, and writing the occasional technical blog post about stuff I do or find interesting. Beyond that, a bit of gaming to fry the last few remaining brain cells for the day.\nFeel free to hit me up any time if you\u0026rsquo;ve got a question or comment about something I\u0026rsquo;ve posted or shared, feedback is always welcome! 
You can usually find me in most places on the internet using the handle ajf8729, or via the following links:\nBlog\nBluesky\nGitHub\nLinkedIn\nMastodon\nWinAdmins Community\nEmail\n","date":"2022-11-13","externalUrl":null,"permalink":"/about/","section":"AJF8729","summary":"","title":"About","type":"page"},{"content":" In response to CVE-2022-37966, the following PowerShell will find all accounts (users, computers, managed service accounts, and group managed service accounts) explicitly configured to use RC4 Kerberos encryption only:\nGet-ADObject -Filter \u0026#34;objectClass -eq \u0026#39;user\u0026#39;\u0026#34; -Properties msDS-SupportedEncryptionTypes | Where-Object -FilterScript { (($_.\u0026#34;msDS-SupportedEncryptionTypes\u0026#34; -band 0x3f) -ne 0) -and (($_.\u0026#34;msDS-SupportedEncryptionTypes\u0026#34; -band 0x38) -eq 0) } The above script is also available in my GitHub.\n","date":"2022-11-13","externalUrl":null,"permalink":"/posts/finding-rc4-accounts/","section":"Posts","summary":"Tracking down AD accounts configured to use only RC4 Kerberos encryption with PowerShell","title":"Finding AD Accounts Explicitly Configured To Use RC4 Kerberos","type":"posts"},{"content":"","date":"2022-11-13","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":" Summary # An enthusiastic and highly skilled IT professional in the Microsoft ecosystem, with excellent technical abilities and communication skills. Highly experienced in managing client and server operating systems via Microsoft Endpoint Configuration Manager, Active Directory/Group Policy, and PowerShell. 
Moderately experienced with Azure Active Directory and Intune.\nExperience # Customer Engineer # JDA Technical Services Group\n2021-11 - Present\nStandard Product Work Shops - Training In-Depth Product Reviews - White Board (Chalk Talk) Sessions Health Checks / Assessments Post Operational Review of Product Implementations Product Upgrade / Migration Assessments Systems Performance Reviews Windows System Administrator/Engineer # Rochester Institute of Technology\n2012-09 - 2020-04\nManaged ~5,000 Windows client endpoints and ~300 Windows server endpoints across 1 main campus, and 2 remote campuses, via Microsoft Endpoint Configuration Manager (ConfigMgr). Maintained ~800 applications within ConfigMgr, including automating packaging and deployment of new applications, and updates to existing applications. Maintained the OSD process, including dynamically installing applications depending on department, and maintaining base images with updates to decrease OSD runtime. Maintained client endpoint AD/GPO structure across 2 forests and 3 domains, including baseline policies, firewall/IPSec policies, and security policies. Utilized Advanced Group Policy Management (AGPM) to control GPOs and maintain a change history. Utilized PowerShell and GitLab to source control and automate updating various configurations. Worked with external IT groups that utilized central IT resources to provide assistance and new features. Managed multiple Windows file servers containing ~50 TB of data across ~1,200 shares, as well as home directory shares, and Work Folders. Managed multiple Windows print servers, totaling ~350 print queues, along with multiple PaperCut installations, totaling ~1,000,000+ pages per month. 
Managed a project to migrate ~900 clients and ~15 servers from a legacy AD forest/domain to a new AD forest/domain, including building out new AD/GPO structures, a newer, more secure baseline, new ConfigMgr collections and deployments, and migrating user profiles between domains using PowerShell scripts and User State Migration Tool (USMT). Managed ConfigMgr site upgrades from 2012 R2 to Current Branch versions up to 1910, including building/documenting an upgrade, testing, and verification process. Maintained a Remote Desktop Services (RDS) infrastructure utilized by ~100 users to provide various Windows-based applications to macOS/BYOD users. Assisted with implementing IPSec within the Windows Firewall across all services, in order to increase security of applications. Assisted with a project to implement certificate-based authentication with IPSec to make Domain Controllers available from remote clients, along with making other various services/applications internet-facing, to eliminate the need for a traditional VPN. Education # Rochester Institute of Technology BS, Applied Networking \u0026amp; System Administration 2006 - 2012\nCompleted 152 credits towards a BS in Applied Networking \u0026amp; Systems Administration Certifications # ITIL Foundation - 2019-06-11 Skills # Microsoft Intune Product Family (formerly Microsoft Endpoint Manager) Configuration Manager Intune Active Directory Group Policy PowerShell Windows Firewall/IPSec File/Print Services Remote Desktop Services Personal Development # Admin team member of the Windows Admins Discord community. Founded community in July 2015 on Slack as a ConfigMgr community, merging together a few other Slack communities and a Google Hangout. Rebranded as the WinAdmins community in July 2016. Began the move to Discord in September 2019, utilizing a bot to bridge the two platforms. Completed migration to Discord and shut down Slack in October 2020. 
Manage the community Twitter account, GitHub organization, and website. Perform future planning and changes for the community. Launched a Wiki in September 2022, with the idea of capturing some of the useful information talked about regularly within our Discord channels for ease of sharing. Broke 10,000 members in November 2022. Home Lab Manage/maintain a small homelab consisting of Active Directory, ConfigMgr, Azure AD, and Intune in order to stay current with new technologies. Blog Manage my own blog running on WordPress in DigitalOcean, writing about things I\u0026rsquo;ve worked with in the past. ","date":"2022-11-13","externalUrl":null,"permalink":"/resume/","section":"AJF8729","summary":"","title":"Resume","type":"page"},{"content":" Subject: CN=AJF8729 ROOT CA 02 Thumbprint: 2C:BF:66:D7:61:BB:A7:E7:05:A5:9B:FA:F6:18:AA:37:34:85:44:B9 Valid From: 2022-02-03 00:10:41 UTC Valid To: 2042-02-03 00:20:40 UTC AIA: http://pki.ajf8729.com/AJF8729-ROOT-CA-02.crt CDP: http://pki.ajf8729.com/AJF8729-ROOT-CA-02.crl ","date":"2022-02-03","externalUrl":null,"permalink":"/certificate-authority/","section":"AJF8729","summary":"","title":"Certificate Authority","type":"page"},{"content":" The following will show you how to upgrade a ConfigMgr site to the latest available update.\n# Import the ConfigurationManager module Import-Module -Name ConfigurationManager # Get the site code $SiteCode = (Get-CimInstance -Namespace ROOT/SMS -ClassName SMS_ProviderLocation).SiteCode # Change to the site psdrive Set-Location -Path \u0026#34;$($SiteCode):\u0026#34; # Find the latest update $LatestSiteUpdate = (Get-CMSiteUpdate -Fast | Sort-Object -Descending -Property LastUpdateTime | Select-Object -First 1).Name # Install the update Install-CMSiteUpdate -Name $LatestSiteUpdate -Confirm:$false -Force The above script is also available in my GitHub.\n","date":"2021-09-07","externalUrl":null,"permalink":"/posts/how-to-upgrade-configmgr/","section":"Posts","summary":"How to upgrade a ConfigMgr 
site using the least amount of PowerShell as possible!","title":"How to Upgrade ConfigMgr via PowerShell","type":"posts"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"}]
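The Get-WAPI post in the index above bootstraps a test VM with `iex (irm bit.ly/getwapi)`: whatever the shortlink resolves to at that moment is executed, with no record afterwards of what actually ran. The wrapper below is an added example, not code from the original post. It downloads the script over HTTPS, compares its SHA-256 with the hash of the copy you reviewed, and executes it only on a match. `Invoke-VerifiedRemoteScript` is a hypothetical name, and the hash in the usage comment is a placeholder to be replaced with `Get-FileHash` output for the reviewed revision of ap.ps1.

```powershell
# Added example (not from the original post): fetch a bootstrap script over HTTPS, verify its SHA-256
# against a hash recorded after review, and only then run it. URL and hash in the usage line are placeholders.
function Invoke-VerifiedRemoteScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri]$Uri,
        [Parameter(Mandatory)] [ValidatePattern('^[0-9A-Fa-f]{64}$')] [string]$ExpectedSha256,
        [object[]]$ArgumentList = @()
    )

    if ($Uri.Scheme -ne 'https') {
        throw "Refusing '$Uri': fetch the script over https so the transport is authenticated as well as the content."
    }

    $tempFile = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath ("bootstrap-{0}.ps1" -f [guid]::NewGuid())
    try {
        # Save the bytes exactly as served, so the hash is comparable with Get-FileHash on the reviewed copy.
        Invoke-WebRequest -Uri $Uri -OutFile $tempFile -UseBasicParsing
        $actualSha256 = (Get-FileHash -Path $tempFile -Algorithm SHA256).Hash
        if ($actualSha256 -ne $ExpectedSha256) {
            throw "Hash mismatch for '$Uri': expected $ExpectedSha256, got $actualSha256. Script not executed."
        }
        Write-Verbose "SHA-256 verified ($actualSha256); executing."
        # Run the verified text as a script block in its own scope rather than iex in the caller's scope.
        $script = [scriptblock]::Create((Get-Content -Path $tempFile -Raw))
        & $script @ArgumentList
    }
    finally {
        Remove-Item -Path $tempFile -Force -ErrorAction SilentlyContinue
    }
}

# Usage at the OOBE PowerShell prompt. The hash is a placeholder: replace it with the output of
# Get-FileHash for the ap.ps1 revision you reviewed, and re-pin it whenever the script changes.
# Invoke-VerifiedRemoteScript -Uri 'https://ajf8729.com/ap.ps1' -ExpectedSha256 '<sha256-of-reviewed-copy>' -Verbose
```

The wrapper itself needs no execution-policy change, because a script block built from text is not subject to it. The downloaded script still calls `Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force`, which without `-Scope` changes the LocalMachine policy; `-Scope Process` would cover the `Install-Script` output it runs and last only for the OOBE session.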
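The `switch` in the Patch Tuesday post enumerates the seven possible weekdays of the 1st. The general rule is that the second Tuesday falls seven days after the first Tuesday, which can be computed for any month. This added example, not code from the original post, does that and also reports how many days remain, so the same function covers planning next month's maintenance window; `Get-PatchTuesday` keeps the post's function name but takes optional `-Month` and `-Year` parameters.

```powershell
# Added example (not from the original post): the second Tuesday of any month by date arithmetic,
# generalising the post's seven-case switch and reporting how far away it is.
function Get-PatchTuesday {
    [CmdletBinding()]
    param(
        [ValidateRange(1, 12)]      [int]$Month = (Get-Date).Month,
        [ValidateRange(1970, 9999)] [int]$Year  = (Get-Date).Year
    )
    $firstOfMonth = [datetime]::new($Year, $Month, 1)
    # 0..6 days from the 1st to the first Tuesday, then one more week for the second Tuesday.
    $daysToFirstTuesday = ([int][DayOfWeek]::Tuesday - [int]$firstOfMonth.DayOfWeek + 7) % 7
    $patchTuesday = $firstOfMonth.AddDays($daysToFirstTuesday + 7)

    [pscustomobject]@{
        Month         = $firstOfMonth.ToString('MMMM yyyy')
        PatchTuesday  = $patchTuesday.ToString('yyyy-MM-dd (dddd)')
        DaysFromToday = ($patchTuesday - (Get-Date).Date).Days
    }
}

# Get-PatchTuesday                       # this month, same answer as the post's switch
# Get-PatchTuesday -Month 2 -Year 2025   # any month: 1 Feb 2025 is a Saturday, so the result is 2025-02-11
```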
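The "Adding the CCM directory to the PATH variable" post appends the directory through `[System.Environment]::SetEnvironmentVariable`, which has no parameter for the registry value kind. The following added example, not code from the original post, writes through the registry key instead so PATH keeps its existing `REG_EXPAND_SZ` type (the `%SystemRoot%` entries rely on expansion), skips the write when the entry is already present, and first checks that the directory is not writable by Everyone, Authenticated Users or BUILTIN\Users: a user-writable PATH entry lets a standard user plant a binary that shadows any command typed without a full path. `Add-MachinePathEntry` is a hypothetical name; the WM_SETTINGCHANGE broadcast at the end is what lets windows in the current session pick the change up without a logoff.

```powershell
# Added example (not from the original post): append a directory to the machine PATH idempotently,
# keeping the value's current registry type (REG_EXPAND_SZ by default), after checking that
# no low-privilege principal can write into the directory.
function Add-MachinePathEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Directory
    )

    $Directory = $Directory.TrimEnd('\')
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        throw "'$Directory' does not exist; refusing to add a dangling PATH entry."
    }

    # A PATH entry writable by non-administrators lets them plant binaries that shadow commands
    # typed without a full path. Refuse well-known low-privilege SIDs holding any write right.
    $lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'              # Everyone, Authenticated Users, BUILTIN\Users
    $writeBits   = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000         # WriteData, AppendData, GENERIC_ALL, GENERIC_WRITE
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        if (($lowPrivSids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
            throw "'$Directory' grants write access to $($ace.IdentityReference); fix the ACL before adding it to PATH."
        }
    }

    $envKeyPath = 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($envKeyPath, $true)
    try {
        $kind    = $key.GetValueKind('Path')
        $current = $key.GetValue('Path', '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $entries = @($current -split ';' | Where-Object { $_ -ne '' })
        if ($entries | Where-Object { $_.TrimEnd('\') -eq $Directory }) {
            Write-Verbose "'$Directory' is already in the machine PATH."
            return $false
        }
        if ($PSCmdlet.ShouldProcess("HKLM:\$envKeyPath\Path", "append $Directory")) {
            # Append rather than prepend so the new entry cannot shadow system binaries, and pass the
            # original kind so a REG_EXPAND_SZ value is not silently rewritten as REG_SZ.
            $key.SetValue('Path', (($entries + $Directory) -join ';'), $kind)
        }
    }
    finally { $key.Close() }

    # Tell windows in this session (Explorer, the Run box) to reload the environment. Windows in other
    # sessions are not reached, so after a DCM run under SYSTEM users still need to log off and on.
    if (-not ('Win32.NativeMethods' -as [type])) {
        Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern IntPtr SendMessageTimeout(IntPtr hWnd, uint Msg, UIntPtr wParam, string lParam, uint fuFlags, uint uTimeout, out UIntPtr lpdwResult);
'@
    }
    $result = [UIntPtr]::Zero
    # HWND_BROADCAST = 0xFFFF, WM_SETTINGCHANGE = 0x1A, SMTO_ABORTIFHUNG = 0x2, 5 s timeout
    [Win32.NativeMethods]::SendMessageTimeout([IntPtr]0xFFFF, 0x1A, [UIntPtr]::Zero, 'Environment', 0x2, 5000, [ref]$result) | Out-Null
    return $true
}

# Add-MachinePathEntry -Directory 'C:\Windows\CCM' -WhatIf     # dry run
# Add-MachinePathEntry -Directory 'C:\Windows\CCM' -Verbose    # returns $true when added, $false when already present
```

The post's detection script still works unchanged as the DCM detection side; this function replaces only the remediation step.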
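The CVE-2023-32019 post carries one `switch` branch per build in both the detection and the remediation script, and its NOTE explains that an unsupported or unpatched OS is reported as compliant. The following added example, not code from the original post, keeps the same build, UBR, key and value data (copied from the post's scripts) in a single table so one code path serves every build, reports "not applicable" separately from "compliant" for anyone collecting the output, and supports `-WhatIf` on the remediation. `Get-Kb5028407State` and `Set-Kb5028407Value` are hypothetical names; build and UBR default to the local machine but can be passed in to exercise the logic on a test box.

```powershell
# Added example (not from the original post): the KB5028407 settings from the post's scripts as one
# table, with detection that distinguishes "not applicable" from "compliant" and a remediation
# that supports -WhatIf. Build and UBR default to the local machine but can be passed in.
$Overrides    = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
$ConfigMgrKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'
$Kb5028407Settings = @(
    [pscustomobject]@{ Builds = @('19044', '19045'); MinUbr = 3086; Path = $Overrides;    Name = '4103588492';               Value = 1 }  # Windows 10 21H2/22H2
    [pscustomobject]@{ Builds = @('22000');          MinUbr = 2057; Path = $Overrides;    Name = '4204251788';               Value = 1 }  # Windows 11 21H2
    [pscustomobject]@{ Builds = @('22621');          MinUbr = 1848; Path = $Overrides;    Name = '4237806220';               Value = 1 }  # Windows 11 22H2
    [pscustomobject]@{ Builds = @('14393');          MinUbr = 5989; Path = $ConfigMgrKey; Name = 'LazyRetryOnCommitFailure'; Value = 0 }  # Server 2016
    [pscustomobject]@{ Builds = @('17763');          MinUbr = 4499; Path = $ConfigMgrKey; Name = 'LazyRetryOnCommitFailure'; Value = 0 }  # Server 2019
    [pscustomobject]@{ Builds = @('20348');          MinUbr = 1787; Path = $Overrides;    Name = '4137142924';               Value = 1 }  # Server 2022
)

function Get-Kb5028407State {
    [CmdletBinding()]
    param(
        [string]$BuildNumber = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber,
        [int]$UBR = (Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name UBR)
    )
    $setting = $Kb5028407Settings | Where-Object { $_.Builds -contains $BuildNumber } | Select-Object -First 1
    $state = [ordered]@{ BuildNumber = $BuildNumber; UBR = $UBR; Status = ''; Path = $null; Name = $null; Expected = $null; Actual = $null }

    if (-not $setting) {
        $state.Status = 'NotApplicable (build not covered by KB5028407)'
    }
    elseif ($UBR -lt $setting.MinUbr) {
        $state.Status = "NotApplicable (UBR $UBR is below $($setting.MinUbr); 2023-06 CU not installed)"
    }
    else {
        $state.Path     = $setting.Path
        $state.Name     = $setting.Name
        $state.Expected = $setting.Value
        # A missing key or value yields $null here, which is treated as non-compliant below.
        $state.Actual   = Get-ItemPropertyValue -Path $setting.Path -Name $setting.Name -ErrorAction Ignore
        $state.Status   = if ($state.Actual -eq $setting.Value) { 'Compliant' } else { 'NonCompliant' }
    }
    [pscustomobject]$state
}

function Set-Kb5028407Value {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$State)
    process {
        if ($State.Status -ne 'NonCompliant') { return }
        if ($PSCmdlet.ShouldProcess("$($State.Path)\$($State.Name)", "set DWORD to $($State.Expected)")) {
            if (-not (Test-Path -Path $State.Path)) { New-Item -Path $State.Path -Force | Out-Null }
            New-ItemProperty -Path $State.Path -Name $State.Name -PropertyType DWord -Value $State.Expected -Force | Out-Null
        }
    }
}

# Detection for DCM/Intune: compliant unless explicitly NonCompliant, the same policy as the post's NOTE.
# (Get-Kb5028407State).Status -ne 'NonCompliant'
# Remediation, dry run first:
# Get-Kb5028407State | Set-Kb5028407Value -WhatIf
# Exercise the logic without touching the local build: Get-Kb5028407State -BuildNumber 19045 -UBR 3086
```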
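The RC4 post's filter keeps accounts whose `msDS-SupportedEncryptionTypes` has any of the six documented bits set (0x3f) but none of the three AES bits (0x38); that set includes DES-only accounts as well as RC4-only ones, which is the right thing to flag. This added example, not code from the original post, decodes the attribute into algorithm names, reproduces the post's test as a `MatchesPostFilter` column, and separates "not set" (where the KDC's defaults apply) from an explicit legacy-only configuration. The bit values are the ones Microsoft documents for the attribute; the sample rows at the bottom are constructed, not real directory data, and `Get-KerberosEncryptionTypeReport` is a hypothetical name.

```powershell
# Added example (not from the original post): decode msDS-SupportedEncryptionTypes into algorithm
# names and classify accounts the way the post's -band filter does. Bit values are those Microsoft
# documents for the attribute; the sample rows at the bottom are constructed, not real directory data.
$KerberosEncryptionTypes = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' }
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' }
    @{ Bit = 0x04; Name = 'RC4-HMAC' }
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x20; Name = 'AES256-CTS-HMAC-SHA1-96-SK' }
)
$KnownMask  = 0x3F   # all bits above (the post's first mask)
$AesMask    = 0x38   # AES128, AES256, AES256-SK: the bits the post requires to be clear
$LegacyMask = 0x07   # DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC

function Get-KerberosEncryptionTypeReport {
    [CmdletBinding()]
    param(
        # Anything with Name, ObjectClass and msDS-SupportedEncryptionTypes properties, e.g. the output of
        # Get-ADObject -Filter "objectClass -eq 'user'" -Properties msDS-SupportedEncryptionTypes
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$InputObject
    )
    process {
        $raw   = $InputObject.'msDS-SupportedEncryptionTypes'
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }    # absent attribute behaves like 0
        $names = foreach ($et in $KerberosEncryptionTypes) {
            if (($value -band $et.Bit) -ne 0) { $et.Name }
        }
        $hasKnown  = ($value -band $KnownMask)  -ne 0
        $hasAes    = ($value -band $AesMask)    -ne 0
        $hasLegacy = ($value -band $LegacyMask) -ne 0
        $category = if (-not $hasKnown) { 'NotSet (KDC/domain defaults apply)' }
                    elseif (-not $hasAes) { 'LegacyOnly (DES and/or RC4, no AES)' }
                    elseif ($hasLegacy) { 'Mixed (AES plus DES/RC4)' }
                    else { 'AesOnly' }

        [pscustomobject]@{
            Name              = $InputObject.Name
            ObjectClass       = $InputObject.ObjectClass
            Value             = '0x{0:X2}' -f $value
            EncryptionTypes   = ($names -join ', ')
            Category          = $category
            MatchesPostFilter = ($hasKnown -and -not $hasAes)     # identical to the post's Where-Object test
            UnknownBits       = '0x{0:X}' -f ($value -band (-bnot $KnownMask))
        }
    }
}

# Constructed sample rows covering each category (not real directory data):
$sample = @(
    [pscustomobject]@{ Name = 'svc-legacy'; ObjectClass = 'user';     'msDS-SupportedEncryptionTypes' = 0x04 }   # RC4 only: matched by the post's filter
    [pscustomobject]@{ Name = 'svc-des';    ObjectClass = 'user';     'msDS-SupportedEncryptionTypes' = 0x03 }   # DES only: also matched
    [pscustomobject]@{ Name = 'APP01$';     ObjectClass = 'computer'; 'msDS-SupportedEncryptionTypes' = 0x1C }   # RC4 + AES: not matched
    [pscustomobject]@{ Name = 'gmsa-sql$';  ObjectClass = 'msDS-GroupManagedServiceAccount'; 'msDS-SupportedEncryptionTypes' = 0x18 }   # AES only
    [pscustomobject]@{ Name = 'jdoe';       ObjectClass = 'user';     'msDS-SupportedEncryptionTypes' = $null }  # attribute absent
)
$sample | Get-KerberosEncryptionTypeReport | Format-Table -AutoSize

# Against a live domain, feed the post's query in the same way:
# Get-ADObject -Filter "objectClass -eq 'user'" -Properties msDS-SupportedEncryptionTypes | Get-KerberosEncryptionTypeReport
```

The `UnknownBits` column surfaces any value outside the six documented bits, which is worth a second look before bulk-changing accounts; the `NotSet` rows are not touched by the post's filter because the KDC's configured defaults, not the account, decide their encryption types.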