Channel: Paul Jones – Microsoft Corporation

SMS Installer

Download: http://technet.microsoft.com/en-us/systemcenter/dd408384.aspx

On your workstation, change the data value in the following key:

  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Setup
  Value name: Type
  Data: dword:00000001

On a workstation this is normally 00000004, meaning only the admin console is installed; 00000001 is the value for a primary site and 00000002 for a secondary site.


AppCompat VirtualRegistry

I created the following registry keys:

  HKLM\SOFTWARE\SHIM1
    Name: Version   Type: REG_SZ   Data: 1.0

  HKLM\SOFTWARE\SHIM2
    Name: Version   Type: REG_SZ   Data: 2.0

Then I created a quick SMS Installer package (SHIMVER.EXE) that reads the Version value under the SHIM1 key, expecting 1.0:

  Check Disk Space

  Get Registry Key Value
    Variable=VER
    Key=SOFTWARE\SHIM1
    Value Name=Version

  Display Message
    Title English=Version Check
    Text English=Version is %VER%

Then I ran the Application Compatibility Administrator and created the following VirtualRegistry shim for SHIMVER.EXE:

Selected VirtualRegistry – Parameter – Command Line: ADDREDIRECT(HKLM\SOFTWARE\SHIM1^HKLM\SOFTWARE\SHIM2)

Now when I run the SMS Installer package (SHIMVER.EXE) it reads 2.0. The ADDREDIRECT parameter makes the shimmed process's reads of HKLM\SOFTWARE\SHIM1 land in HKLM\SOFTWARE\SHIM2; neither the package nor the SHIM1 key itself is changed.

Thank You Chris Jackson…
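As an added example (not part of the original post), the following PowerShell recreates the test keys and then shows how an administrator can see that a custom shim database has been attached to SHIMVER.EXE, since the redirect leaves the package and the SHIM1 key untouched. It assumes an elevated prompt and the key, value and executable names used above.

```powershell
# Added example (not from the original post). Recreates the two test keys described
# above, reads SHIM1\Version as an unshimmed process sees it, then lists the custom
# shim database(s) registered for SHIMVER.EXE. Assumes an elevated prompt and the
# key, value and executable names used in the post.

$testKeys = @{
    'HKLM:\SOFTWARE\SHIM1' = '1.0'
    'HKLM:\SOFTWARE\SHIM2' = '2.0'
}
foreach ($path in $testKeys.Keys) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'Version' -PropertyType String `
        -Value $testKeys[$path] -Force | Out-Null
}

# This host is not a shim target, so it still sees 1.0: the redirect applies only
# inside processes the shim database names (SHIMVER.EXE), not to the key itself.
$direct = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\SHIM1' -Name 'Version').Version
"Unshimmed read of HKLM\SOFTWARE\SHIM1\Version: $direct"

# Installing the .sdb records the database under AppCompatFlags\InstalledSDB\{GUID}
# and, for each executable it targets, a value named {GUID}.sdb under
# AppCompatFlags\Custom\<exe name>. Cross-referencing the two shows which database
# is attached to SHIMVER.EXE and where its .sdb file lives.
$flags     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$customKey = Join-Path $flags 'Custom\SHIMVER.EXE'

if (-not (Test-Path $customKey)) {
    "No custom shim database is registered for SHIMVER.EXE."
    return
}

foreach ($sdbName in (Get-Item $customKey).GetValueNames()) {
    $guid = [System.IO.Path]::GetFileNameWithoutExtension($sdbName)   # "{GUID}.sdb" -> "{GUID}"
    $db   = Get-ItemProperty -Path (Join-Path $flags "InstalledSDB\$guid") -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Executable  = 'SHIMVER.EXE'
        Database    = $sdbName
        Description = $db.DatabaseDescription
        SdbPath     = $db.DatabasePath
    }
}
```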

How to Enable BitLocker with SCCM OSD

The hardware and software requirements for BitLocker are:

  • A computer running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2.
  • A TPM microchip, version 1.2, turned on for use with BitLocker on operating system drives is recommended for validation of early boot components and storage of the BitLocker master key. If the computer does not have a TPM, a USB flash drive may be used to store the BitLocker key.
  • A Trusted Computing Group (TCG)-compliant BIOS for use with BitLocker on operating system drives.
  • A BIOS setting to start up first from the hard drive, not the USB or CD drives.

Configuration Manager Task Sequence:

1. Create 2 Partitions under Partition Disk 0 Step:

1st Partition for BitLocker

    • Partition Name: BDE
    • Partition Type: Primary
    • Use specific size: 300 MB
    • Check Make this the boot partition
    • File system: NTFS (Quick Format)
    • Variable: BDEPART

2nd Partition for Operating System

    • Partition Name: OS
    • Partition Type: Primary
    • Use a percentage of remaining free space: 100%
    • File system: NTFS (Quick Format)
    • Variable: OSPART

2. Apply Operating System Step:

Select the location where you want to apply this operating system

    • Destination: Logical drive letter stored in a variable
    • Variable Name: OSPART

3. Add a Run Command Line step: a script to enable the TPM, set the BIOS password, etc.

4. Add a Restart Computer step.

5. Add the Enable BitLocker step.
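Added example, not from the original post: a PowerShell pre-flight check to run as a Run Command Line step after the restart and just before Enable BitLocker. It checks the TPM requirements listed above through the Win32_Tpm WMI class and reports the Windows drive's current protection state; the WMI class names are the standard ones on Windows 7 / Server 2008 R2 and are the only assumptions.

```powershell
# Added example, not from the original post. Pre-flight check for the task sequence:
# confirms a TPM 1.2 is present, enabled and activated (the requirements listed
# above) and reports the protection state of the Windows drive. Exits non-zero when
# a requirement is missing so the task sequence fails here with a clear reason in the
# step output, instead of at the Enable BitLocker step. Assumes the Windows 7 /
# Server 2008 R2 WMI classes Win32_Tpm and Win32_EncryptableVolume and that it runs
# as SYSTEM in the full OS, which is where command-line steps run at this point.

$failures = @()

# Win32_Tpm is absent altogether when the machine has no TPM.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    $failures += 'No TPM found; this task sequence relies on a TPM rather than a USB startup key.'
} else {
    if ($tpm.SpecVersion -notmatch '^1\.2') {
        $failures += "TPM spec version is '$($tpm.SpecVersion)'; version 1.2 is expected."
    }
    # IsEnabled()/IsActivated() reflect the BIOS state; both must be true before
    # BitLocker can use the TPM. IsOwned() is informational: the Enable BitLocker
    # step takes ownership itself when needed.
    if (-not $tpm.IsEnabled().IsEnabled)     { $failures += 'TPM is present but not enabled in the BIOS.' }
    if (-not $tpm.IsActivated().IsActivated) { $failures += 'TPM is enabled but not activated; a restart after enabling is usually required.' }
    Write-Output ("TPM owned: {0}" -f $tpm.IsOwned().IsOwned)
}

# Report whether the Windows drive already has protection on (0 = off, 1 = on, 2 = unknown).
$osDrive = $env:SystemDrive
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume `
        -Filter "DriveLetter='$osDrive'" -ErrorAction SilentlyContinue
if ($null -eq $vol) {
    $failures += "No Win32_EncryptableVolume instance for $osDrive; BitLocker components may be missing."
} else {
    Write-Output ("BitLocker protection status for {0}: {1}" -f $osDrive, $vol.ProtectionStatus)
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Output "PRECHECK FAILED: $_" }
    exit 1
}
Write-Output 'PRECHECK OK: TPM 1.2 enabled and activated; safe to run Enable BitLocker.'
exit 0
```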

Enable Hard Links with SCCM

Capture User Files and Settings

Add the following lines to the Task Sequence under Capture User Files and Settings (this is not needed if using MDT…):

Set Task Sequence Variable
  Name: Enable Hard Links Capture Command
  Task Sequence Variable: OSDMigrateAdditionalCaptureOptions
  Value: /nocompress /hardlink

Set Task Sequence Variable
  Name: Set Local State Location
  Task Sequence Variable: OSDStateStorePath
  Value: %_SMSTSUserStatePath%

Then run the Capture User Files and Settings step.

Restore User Files and Settings

Add the following lines to the Task Sequence under Restore User Files and Settings (this is not needed if using MDT…):

Set Task Sequence Variable
  Name: Enable Hard Links Restore Command
  Task Sequence Variable: OSDMigrateAdditionalRestoreOptions
  Value: /nocompress /hardlink

Steps to make USB Drive Bootable for SCCM

1) Attach the USB flash drive to a Windows Vista/7 computer.
2) As Administrator, open a command window and run 'DISKPART'.
3) At the DISKPART> prompt, type 'List disk'.
4) Determine which disk number corresponds to the USB flash drive (make sure you correctly make this determination!), then at the DISKPART> prompt type 'Select disk <x>', where <x> is the disk number of the USB flash drive.
5) At the DISKPART> prompt, type 'Clean'.
WARNING!: This will wipe all the contents from the drive you selected in step 4, so make sure that the correct drive is selected and that there is nothing on the drive that is needed.
6) At the DISKPART> prompt, type 'List Partition'. If there are no partitions, move on to step 7. If there is a partition, at the DISKPART> prompt type 'Select Partition 1', then type 'Clean'.
7) At the DISKPART> prompt, type 'Create Partition Primary'. If you receive an error at this stage about not being able to create a partition, the USB flash drive is not capable of being made bootable and will not work as SCCM 2007 bootable Task Sequence Media. Restart the process using a different USB flash drive.
8) At the DISKPART> prompt, type 'Select Partition 1'.
9) At the DISKPART> prompt, type 'Format FS=FAT32 QUICK'.
10) At the DISKPART> prompt, type 'Active'.
11) At the DISKPART> prompt, type 'Assign'.
12) At the DISKPART> prompt, type 'Exit'.
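As an added example (not part of the original post), here is a PowerShell wrapper for steps 2 to 12 that locates the flash drive by its USB interface, shows what it is about to wipe and asks for confirmation before handing the same commands to diskpart as a script. It assumes an elevated prompt on Windows Vista/7 and that only one USB disk is attached.

```powershell
# Added example, not from the original post. Wraps the DISKPART steps above in a script
# that identifies the disk by its USB interface, shows the disk it is about to wipe and
# refuses to continue unless exactly one USB disk is attached, it is flash-drive sized,
# and the operator types its disk number. Run from an elevated PowerShell prompt.

$usb = @(Get-WmiObject -Class Win32_DiskDrive -Filter "InterfaceType='USB'")
if ($usb.Count -ne 1) {
    throw "Expected exactly one USB disk, found $($usb.Count). Attach only the flash drive you intend to wipe."
}
$target = $usb[0]
$sizeGB = [math]::Round($target.Size / 1GB, 1)

# Refuse anything that does not look like a flash drive; a USB backup disk would
# otherwise be wiped just as readily (the 64 GB limit is an assumption, adjust it).
if ($target.Size -gt 64GB) {
    throw "Disk $($target.Index) ($($target.Model), $sizeGB GB) is larger than a typical flash drive; aborting."
}

Write-Host "About to WIPE disk $($target.Index): $($target.Model), $sizeGB GB, $($target.InterfaceType)" -ForegroundColor Yellow
$answer = Read-Host "Type the disk number ($($target.Index)) to confirm, anything else to abort"
if ($answer -ne "$($target.Index)") { Write-Host 'Aborted; nothing was changed.'; return }

# Same sequence as steps 4 to 12 above. After 'clean' no partitions remain, so the
# conditional 'Select Partition 1' / 'Clean' of step 6 is not needed here.
$script = @"
select disk $($target.Index)
clean
create partition primary
select partition 1
format fs=fat32 quick
active
assign
exit
"@
$scriptPath = Join-Path $env:TEMP 'make-usb-bootable.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII

# A non-zero exit here usually means 'create partition primary' failed, which per
# step 7 means this particular drive cannot be made bootable.
& diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart returned exit code $LASTEXITCODE; see its output above." }
Write-Host "Disk $($target.Index) is now a single active FAT32 partition; copy the Task Sequence Media files to it."
```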

Network Access Protection (NAP) with System Center 2012 Configuration Manager

I am going to document (with screen shots) how to integrate System Center 2012 Configuration Manager with Microsoft Network Access Protection (NAP). All servers are running Windows Server 2012 and clients are Windows 8.

There are different ways to implement NAP. I set up a basic NAP implementation using DHCP enforcement. The NAP DHCP server is running on a Windows Server 2012 Domain Controller with the DHCP Server role installed along with the Network Policy and Access Services role. The NAP DHCP server restricts noncompliant client access by providing a limited IP address configuration to computers that do not meet health requirements. A limited access configuration has a subnet mask of 255.255.255.255 and no default gateway.

I will not go into detail on how to set up NAP, but here is a screen shot of how to enable it on DHCP. I also set a DHCP policy to enable the User Class for NAP and a MAC filter so I can target only a couple of machines in my lab environment.

 

Now for Configuration Manager integration...

Step 1: Install the System Health Validator Point:

A System Health Validator point validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server. In my lab environment, I installed the System Health Validator Point on my Domain Controller, which is also my DHCP and Network Policy and Access Server.

There are no properties to configure for this site system role.  Configure the System Health Validator point component configuration for settings that apply to all System Health Validator points in the site.

 

Step 2: Enable Network Access Protection on clients:

I created a separate Client Agent Policy that enables NAP, then deployed it only to my Windows 8 Systems Collection. Here is a screen shot:

 

Step 3: Configure Site Component (optional)

There are a few Component properties that can be adjusted: Active Directory query interval (minutes), Statement of health time validation (hours) and Designate an Active Directory forest in different.  In my lab environment, I left the default settings.  Screen shot below:

 

 

Step 4 (Final Step): Enable Software Updates for NAP Evaluation

Select 1 or more Software Updates (hold down control key) from a Software Update Group and/or Software Update Deployment Package, click the NAP Evaluation Tab and select to enable NAP Evaluation.

I then deployed Software Updates to Windows 8 System Collection.  I marked the Deployment as Available to help with Screen Shots and Demos from the Client Side.

 

Windows 8 Client experience...

On the Windows client system, I set the Network Access Protection service to Automatic and started the service. I have enabled the Windows Security Health Agent (SHA) to check the following:

Firewall Settings

    • A firewall is enabled for all network connections

Antivirus Settings

    • An antivirus application is on
    • Antivirus is up to date

Spyware Protection Settings

    • An antispyware application is on
    • Antispyware is up to date

 

I did NOT enable the following (these will be handled by System Center 2012 Configuration Manager):

Automatic Updates Settings

Security Updates Settings

 

These settings are configured on the Network Policy Server, screen shot below:

 

I have enabled the Configuration Manager 2012 System Health Agent (SHA) to check the following:

Software Updates:

    • Security Update for Microsoft Windows (KB2830290)
    • Security Update for Microsoft Windows (KB2829361)
    • Adobe Reader 10.1.7 Update*
    • Adobe Flash Player 32-bit/64-bit ActiveX 11.7.700.202*

 *I have installed and configured System Center Updates Publisher 2011 to integrate with Configuration Manager.  Now I am able to add 3rd Party Updates to the NAP Policy (i.e. Adobe Reader, Flash, etc...)

The default settings for NAP Enforcement on Non-compliant systems is "Allow limited access". Non-compliant clients are allowed access only to a restricted network for updates.  I configured my Remediation Server Group to include Network Policy Server and Configuration Manager Server. This way, clients can still access Remediation Servers while having limited network access.

 

However, for demo purposes, I checked "Allow full network access" for Non-Compliant systems. That is why the screen shot below shows "You have full network access".

The Windows Security Health Agent is unsuccessful because I have disabled Windows Firewall. You can have NAP automatically remediate the firewall if it is not enforced by local or domain Group Policy.

Configuration Manager 2012 System Health Agent is unsuccessful (non-compliant) because I uninstalled Security Update KB2830290.  The first time I logged in with NAP enabled, Configuration Manager automatically installed the Security Updates to make the client Compliant. I went back and manually removed the Update so NAP will report Non-Compliant for this screen shot.

 

 

Monitoring

And finally, all Network Access Protection can be monitored from Configuration Manager Reporting.  You can sort by Category - Network Access Protection and there are 13 built-in reports.

Managing Mac OS X with System Center 2012 Configuration Manager

I am going to detail some of the scenarios on managing Mac computers with System Center 2012 R2 Configuration Manager.

Key links to get started:

  • The following Mac versions are supported in this release:

 

How to Install Clients on Mac Computers in Configuration Manager - http://technet.microsoft.com/en-us/library/jj591553.aspx which includes the following steps:

Steps to install and configure Site Server Roles to support Mac Clients

  • Management point
  • Distribution point
  • Enrollment point
  • Enrollment proxy point

Steps to install Client on Mac Computers

  • Installing the client
  • Enrolling the client
  • Upgrading the client
  • Uninstalling the client

Here is a screen shot of the Mac Client:

 

The Mac Client can be configured using Client Agents Settings: Enrollment (Default Client Settings), Computer Policy, Compliance Settings and Hardware Inventory.

Here are some of the features that Configuration Manager supports on Mac computers with screen shots:

Discovery – Discovers Mac OS X systems in Active Directory and through network discovery.

Hardware Inventory – Provides hardware inventory and auditing of computers running Mac OS X, including a list of installed software similar to Add/Remove Programs on Windows systems.

 

Settings Management – Ensures computers running Mac OS X comply with company policies using scripts and preference list management.

Here is an example, with screen shots, of detecting whether a security update is applied: create the necessary Configuration Items, add them to a Baseline, then deploy the Baseline to one or more Mac collections.

The image below is a screen shot of the Configuration Item setting that detects whether Security Update 2013-001 (Lion) is installed. You can get the Application ID from the package, or get the Application ID and Key from the installation XML file using the pkgutil command.

Configuration Item Rule to report if Security Update 2013-001 (Lion) is NOT installed and create a Noncompliance Severity Warning for Reporting.

I also created Compliance Settings to detect if System Center 2012 Endpoint Protection for Mac is installed and another to detect if it is running.  You can create Compliance for just about anything using a Shell Script and/or Preference List.

Application Deployment – Distributes required software via the application model.

To create an application, you have to run CMAppUtil on a Mac computer to create the .cmmac file. In my example, I created an Application package for System Center 2012 Endpoint Protection. Once the package is created, you can import it using the Application Model in the Configuration Manager Console.

Configuration Manager does not support the deployment of Mac applications to users; these deployments must be to a device. For more information on deploying software to Mac computers, please visit How to Create and Deploy Applications for Mac Computers in Configuration Manager - http://technet.microsoft.com/en-us/library/jj687950.aspx

You can create a Device Collection based on Operating System by using the following: Mac OS X%, Mac OS X 10.7%, or ClientEdition = 5 in your query.

Here is a picture of what the Mac User will see when deploying software:

 

Software Updates Management – Distributes patches using the Software Distribution and Settings Management features.

There are a couple of ways to accomplish this. Create the software update packages using CMAppUtil, import them into the Configuration Manager Application Model and then use Compliance Settings to detect if they are installed and remediate if desired.

Another option is to use the built-in softwareupdate command on Mac computers.

NOTE: I have not finished testing this, but this is what I am targeting...

You can use a discovery shell script that runs softwareupdate -l | grep 'update'. (Update: the script is taking too long and timing out; set the script to run on a set schedule and not during the client connect.)

Then use a remediation shell script that runs softwareupdate -i -a (or other appropriate switches).

Finally, set the Compliance Rule to look for "The value returned by the specified script: Contains 'No new software available'".

 

 

Reporting - You can report and monitor all the features listed above using standard reports and built-in monitoring tools in Configuration Manager Console.

 

Internet-Based Client Management - Internet-based client management allows you to manage Mac clients when they are not connected to your company network but have a standard Internet connection.

 

Log Files - The Configuration Manager client for Mac computers records information in the following locations:

  CCMClient-<date_time>.log
    Records activities that are related to the Mac client operations, which include application management, inventory, and error logging.
    Location: /Library/Application Support/Microsoft/CCM/Logs on the Mac computer.

  CCMAgent-<date_time>.log
    Records information that is related to client operations, which include user logon and logoff operations and Mac computer activity.
    Location: ~/Library/Logs on the Mac computer.

  CCMNotifications-<date_time>.log
    Records activities that are related to Configuration Manager notifications displayed on the Mac computer.
    Location: ~/Library/Logs on the Mac computer.

Additionally, the log file SMS_DM.log on the site system server records communication between Mac computers and the management point that is enabled for mobile devices and Mac computers.

 

Microsoft Desktop Optimization Pack (MDOP) 2013 overview by versions

The Microsoft Desktop Optimization Pack (MDOP) is a portfolio of technologies available as a subscription for Software Assurance customers. MDOP helps to improve compatibility and management, reduce support costs, improve asset management, and improve policy control.

Here is a list of the latest MDOP Technologies and supported client operating systems.  I am only listing the last two versions of each product and not defining the service pack level requirements for each client.

 

Microsoft BitLocker Administration and Monitoring (MBAM) provides an administrative interface to enterprise-wide BitLocker drive encryption.

Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 provides a simplified administrative interface that you can use to manage BitLocker drive encryption. In BitLocker Administration and Monitoring 2.0, you can select BitLocker drive encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes.

MBAM 2.0 supports Windows 7 and Windows 8

MBAM 1.0 supports Windows 7

 

 

Microsoft Application Virtualization (App-V) transforms applications into centrally managed services that are never installed and don’t conflict with other applications.

With App-V 5.0, virtual applications work more like traditionally installed applications. Virtual Applications leverage Windows standards for a consistent user experience. Businesses can connect separately packaged App-V applications, enabling them to communicate with each other and with traditionally installed applications. This gives businesses the best of both worlds, providing isolation – reducing conflict and time spent regression testing – yet allowing applications to interact and communicate when needed. App-V integrates with System Center Configuration Manager, so you can manage virtual and physical applications.

App-V 5.0 supports Windows 7 and Windows 8

App-V 4.6 supports Windows XP, Windows Vista and Windows 7 

 

 

Microsoft User Experience Virtualization (UE-V) captures and centralizes application settings and Windows operating system settings for the user. These settings are then applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.

UE-V roams the operating system experience for Windows 7 and Windows 8, providing the consistent look and feel that users expect. UE-V helps retain the application experience without having to reconfigure applications when a user logs in from a different Windows instance, regardless of how the application is delivered or whether it is a rich desktop or virtual desktop session. Smart synchronization policies determine when and where to sync application and OS settings, helping ensure seamless personalization and quick loading.

UE-V 1.0 supports Windows 7, Windows 8, Server 2008 R2 and Server 2012

 

 

Microsoft Diagnostics and Recovery Toolset (DaRT) helps troubleshoot and repair Windows-based desktops.

The toolset helps IT professionals quickly respond to and resolve user issues onsite or remotely. It also helps your IT staff work more quickly and simplifies helpdesk support, reducing your overall support costs as well as lost productivity caused by downtime.

The 14 tools in the toolset provide intuitive options for repair and recovery, even when the machine will not boot normally. The easy-to-use, offline boot environment helps IT teams quickly repair computers. They can recover deleted files, analyze crash dumps, and remove malware from infected systems while the operating system is offline. This helps protect other computers on the network and reduces the amount of time the computer is unavailable.

DaRT 8.0 supports Windows 8 and Windows Server 2012.

DaRT 7.0 supports Windows 7 and Windows Server 2008 R2.

 

 

Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of the Group Policy Management Console (GPMC) to provide change control and improved management.

AGPM provides a more secure archive for controlling changes to GPOs by letting IT develop, review, and modify GPOs without affecting employee desktops. By acting as an extension to the Active Directory management console and providing granular administration, AGPM enables your staff to have much greater control over how edits are made and applied, resulting in a much richer level of PC manageability.

Microsoft Advanced Group Policy Management helps you avoid the downtime that can result from improperly configured or conflicting GPOs. Its offline editing and workflow delegation capabilities allow IT to configure, test, and approve changes before they go live, and quickly roll back changes if needed. It also helps IT recover deleted GPOs and repair live GPOs, reducing the risk of widespread failures.

AGPM 4.0 supports Windows Vista, Windows 7, Windows 8, Server 2008, Server 2008 R2 and Server 2012

AGPM 3.0 supports Windows Vista and Windows Server 2008.

 

 

Microsoft Enterprise Desktop Virtualization (MED-V) uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization.

MED-V 2.0 supports Windows 7.

MED-V 1.0 supports Windows Vista and Windows XP.

 

 


Configuration Manager 2012 – Reporting on Visual Studio Licenses

Posted for Kevin Saye…

Reporting on Visual Studio License, via System Center Configuration Manager 2012

I recently had a request to report on the number of Visual Studio installs in a customer environment. Honestly, the customer did not have a full understanding of how many and where it was installed. Luckily, the customer had System Center Configuration Manager 2012 installed, so this was a snap.

I was asked "Kevin, how can I report on where it is installed?"

Answer: "Simple, write a report that shows only what you want. What do you want?"

Next question: "Umm, machine name, version of Visual Studio, User and OS".

Next Answer: "Great, do these 8 steps…."

 

Step 1.    Go to your Configuration Manager Reports site: http://servername/Reports and click "Report Builder"

Step 2.    Create a Table Report:

Step 3.    Choose the dataset that matches your Configuration Manager install:

Step 4.    Click the "Edit as Text" and type in the following query. (See appendix for a copy and paste of the query)

Step 5.    Set the "ProductName" as the Row Group and all others as Values.

Step 6.    Resize the report and title it as you like.

Step 7.    Save the report (rdl file). I saved mine directly in the "Software – Companies and Products" folder in the System Center directory.

Step 8.    Simply run the newly published report to see the results. You can also export to Excel here to slice and dice as you wish.

Appendix:

  -- One row per (product, computer) pair from Add/Remove Programs inventory joined to
  -- the system resource view; ORDER BY uses a column that is in the select list, as
  -- SELECT DISTINCT requires.
  select distinct P.DisplayName0 as ProductName,
      P.InstallDate0 as InstallDate,
      S.Netbios_Name0 as ComputerName,
      S.User_Name0 as LastUser,
      S.Operating_System_Name_and0 as OperatingSystem,
      S.Last_Logon_Timestamp0 as LastSeen
  from [dbo].[v_Add_Remove_Programs] as P
      inner join [dbo].[v_R_System] as S on S.ResourceID = P.ResourceID
  where
      (P.DisplayName0 like 'Microsoft Visual Studio %Premium%'
       or P.DisplayName0 like 'Microsoft Visual Studio %Ultimate%'
       or P.DisplayName0 like 'Microsoft Visual Studio %Professional%'
       or P.DisplayName0 like 'Microsoft Visual Studio %Express%')
      and P.InstallDate0 is not null
  order by S.Netbios_Name0

Deploying and Updating Office 2013 or Office 365 Click-to-Run with App-V 5.0 and Configuration Manager 2012

In this blog I will detail how to perform the following with screenshots:

  • Benefits of Deploying Office 2013 / 365 with App-V 5.0
  • Create an Office 2013 / 365 App-V 5.0 Package
  • Import Office Package in Configuration Manager
  • Deploy Office Package with Configuration Manager
  • Update Office Package with Configuration Manager

NOTE: Everything is running in Hyper-V on Windows Server 2012, with Configuration Manager 2012 and Windows 8 clients. This blog is for people who are experienced with Configuration Manager 2012 and Application Virtualization 5.0. All the steps are the same for creating an Office 2013 Volume License App-V Package or an Office 365 Click-To-Run App-V Package. You will choose which package to create when you run the Office Deployment Tool outlined later in this blog.

 

Benefits of Deploying Office 2013 / 365 with App-V 5.0 

Deploying Office 2013 or 365 with App-V 5.0 will provide the best experience for your enterprise.  With App-V 5.0, Office deploys more quickly and easily by providing on-demand access, co-existence with previous Office versions, integration with local applications, centralized add-in management and tighter integration with System Center 2012 Configuration Manager SP1 or R2.  Best of all... NO Sequencing is Required !!!!

  • Administrators can import Office 2013 / 365 Click-To-Run .APPV package right into App-V 5.0, no sequencing is required.
  • Administrators can control the Office 365 Click-To-Run updates. 
  • App-V 5.0 allows IT administrators to customize the components of the Office suite.  For example, if you do not want users to see Microsoft Access, Lync, InfoPath or other applications, you may control this using App-V.
  • Deliver Office 365 Click-To-Run applications dynamically by publishing Office application shortcuts to users' desktop before Office is cached on the local disk.
  • With App-V 5.0, customers can work with the Office package just as they would any other App-V application.  For example, App-V lets users run multiple versions of applications side-by-side and Office is no exception.

 

Step 1: Create Office 2013 / 365 App-V Package with the Office Deployment Tool

Office Deployment Tool for Click-to-Run can be downloaded from - http://www.microsoft.com/en-us/download/details.aspx?id=36778

The Office Deployment Tool allows the administrator to customize and manage Office 2013 Volume License or Office 365 Click-to-Run deployments. This tool will help administrators to manage installations sources, product/language combinations, and deployment configuration options for Office Click-to-Run.

Note: I am using Version 1; Date Published: 11/25/2013

When you download and run the Office Deployment Tool, it will ask you where to extract the files - I picked C:\Temp\Office\DeploymentTool

There will be 2 files in this directory: Configuration.xml and Setup.exe

Office Deployment Tool Setup runs the following tasks:

  • Setup /Download - Downloads files to create an Office 15 installation
  • Setup /Configure - Adds, removes, or configures an Office 15 installation
  • Setup /Packager  - Produces an Office 15 App-V package

I made the following changes to the default Configuration.xml file (the Add block is uncommented, the Updates element stays commented out):

  <Configuration>
    <Add SourcePath="C:\Temp\Office\Download" OfficeClientEdition="32" >
      <Product ID="O365ProPlusRetail">
        <Language ID="en-us" />
      </Product>
      <Product ID="VisioProRetail">
        <Language ID="en-us" />
      </Product>
    </Add>

    <!--  <Updates Enabled="TRUE" UpdatePath="\\Server\Share\Office\" /> -->

    <Display Level="None" AcceptEULA="TRUE" />
    <Logging Name="OfficeSetup.txt" Path="%temp%" />
    <Property Name="AUTOACTIVATE" Value="1" />
  </Configuration>

 

The following Product IDs are used for Office 365 Retail Activation:

  • "O365ProPlusRetail"
  • "VisioProRetail"
  • "ProjectProRetail"

The following Product IDs are used for Office 2013 Volume License Activation:

  • "ProPlusVolume"
  • "VisioProVolume"
  • "ProjectProVolume"

Download: From a Command Prompt (Admin), run the following command from the C:\Temp\Office\DeploymentTool\ folder: Setup /Download Configuration.xml

This will download the Click-To-Run source files for Office 365 to C:\Office\Download. We will then use these files to create an installation.

 

 

Configure: We are going to skip the Configure piece and go straight to creating the App-V Package.  We will do some Configuration once the App-V Package is imported into Configuration Manager.

 

Packager: Now that we have the source files downloaded, we can create the App-V package.

From a Command Prompt (Admin), run the following command from the C:\Temp\Office\DeploymentTool\ folder: Setup /Packager Configuration.xml C:\Office\App-V

This will create the App-V Package for Office 365 in the target folder C:\Office\App-V

This is a screenshot during the creation:

 

 

Now we have an App-V Package to import into Configuration Manager.
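Added example, not part of the original post: a PowerShell script that checks Configuration.xml against the Product ID lists above, catches the stray comment marker that is easy to leave behind when the Add block is uncommented, confirms Updates stays commented out as in this post, and then runs the /Download and /Packager steps with this post's paths. The folder C:\Temp\Office\DeploymentTool and the output folder C:\Office\App-V are taken from the post; the checks are an addition.

```powershell
# Added example, not from the original post. Validates Configuration.xml before the
# Office Deployment Tool runs, then performs the /Download and /Packager steps from
# this post. Paths are the ones used above; the checks are an addition.
$toolDir    = 'C:\Temp\Office\DeploymentTool'
$configPath = Join-Path $toolDir 'Configuration.xml'
$appvOut    = 'C:\Office\App-V'

# Product IDs from the two lists above (Office 365 retail and Office 2013 volume).
$validIds = @('O365ProPlusRetail', 'VisioProRetail', 'ProjectProRetail',
              'ProPlusVolume', 'VisioProVolume', 'ProjectProVolume')

[xml]$cfg = Get-Content -Path $configPath -Raw
$errors = @()

$add = $cfg.Configuration.Add
if ($null -eq $add) {
    $errors += 'No <Add> element: nothing would be downloaded.'
} else {
    if (@('32', '64') -notcontains $add.OfficeClientEdition) {
        $errors += "OfficeClientEdition is '$($add.OfficeClientEdition)'; expected 32 or 64."
    }
    foreach ($p in @($add.Product)) {
        if ($validIds -notcontains $p.ID) { $errors += "Unknown Product ID '$($p.ID)'." }
        if (-not $p.Language)             { $errors += "Product '$($p.ID)' has no <Language> element." }
    }
}

# A "-->" left behind when the <Add> block is uncommented in the default file does
# not break XML parsing; it survives as a text node, so look for any stray text.
$nodes = @($cfg.Configuration.ChildNodes)
if ($add) { $nodes += @($add.ChildNodes) }
$stray = $nodes | Where-Object { $_.NodeType -eq 'Text' -and $_.Value.Trim() }
if ($stray) { $errors += "Stray text outside any element: '$($stray[0].Value.Trim())'." }

# The post keeps <Updates> commented out so that Configuration Manager controls updates.
$updates = $cfg.Configuration.Updates
if ($updates -and $updates.Enabled -eq 'TRUE') {
    $errors += '<Updates Enabled="TRUE"> is set; leave it commented out when building the App-V package.'
}

if ($errors.Count -gt 0) {
    $errors | ForEach-Object { Write-Warning $_ }
    throw 'Fix Configuration.xml before running Setup.exe.'
}

Push-Location $toolDir
try {
    # Step "Download": pulls the Click-to-Run source files to SourcePath.
    & .\Setup.exe /Download Configuration.xml
    if ($LASTEXITCODE -ne 0) { throw "Setup /Download failed with exit code $LASTEXITCODE." }
    if (-not (Test-Path $add.SourcePath)) { throw "SourcePath '$($add.SourcePath)' was not created." }

    # Step "Packager": builds the .appv package from those files; no sequencing needed.
    & .\Setup.exe /Packager Configuration.xml $appvOut
    if ($LASTEXITCODE -ne 0) { throw "Setup /Packager failed with exit code $LASTEXITCODE." }
} finally {
    Pop-Location
}

# List what was produced so the .appv path can be used in the import step that follows.
Get-ChildItem -Path $appvOut -Filter '*.appv' -Recurse | Select-Object FullName, Length
```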

 

For more information on customizing Click-To-Run, please visit the following links:

Office Deployment Tool for Click-to-Run - http://technet.microsoft.com/en-us/library/jj219422(v=office.15)

Reference for Click-to-Run configuration.xml file - http://technet.microsoft.com/en-us/library/jj219426

 

Step 2: Import App-V Package into Configuration Manager 2012

Copy the App-V Package to the Configuration Manager server.  Launch Configuration Manager Console - Select Software Library - Right Click Applications Node and choose Create Application

 

I selected Microsoft Application Virtualization 5 as the Type and used a UNC path to the Office 365 .appv file.

This is a screenshot of the Imported Information

I named the Application: Office 365 ProPlus (April 2013) and filled in most of the other optional information.

You can complete the Wizard by Accepting the Defaults.

Now we have imported the Office 365 ProPlus Package into Configuration Manager Application Model.  Now it is time to Configure the Package.

 

Step 3: Configure Office App-V Application

I created two App-V 5 Deployment Types:

  • Primary Device(s) which Publishes all popular items: Excel, PowerPoint, Word, SkyDrive Pro, Lync, Access, Outlook, etc...
  • Non-Primary Devices which only Publishes Excel, PowerPoint and Word.

Note that Primary Device is 1st in the Priority List.

I set the Publishing and Requirements for Primary Device using the Tabs shown below:

 

I did not set Requirements for the Non-Primary Device Deployment Type since I only have 2 Deployment Types and it is last on the list. I did configure the Publishing Tab to include only Excel, Word and PowerPoint. During an installation, Configuration Manager checks the 1st Deployment Type to see if the machine meets its requirements; if not, it continues down the list. Therefore, if the machine is not a Primary Device, it falls back to the Priority 2 Deployment Type and publishes only the three applications listed.

You can be more elaborate with the Deployment Types / Publishing / Requirements. We could add another Deployment that only applies to Windows 7 or 8 Machines that are Primary Devices, and those can have a separate selection of Application to Publish.  We could make those Deployment Types Priority 1 and 2 and Push the Non-Primary Device Deployment to Priority 3. 

You can also set Dependencies where the Application Installation will check for the appropriate App-V 5.0 Client and Service Pack level and if desired, install any missing Dependencies.

Now our Application and Deployment Types are set and we are ready to Deploy Office 365 Click-to-Run...

 

Step 4: Deploy Office 2013 / 365 with Configuration Manager

From the Applications Node, Right Click Office 365 Application and Choose Deploy - see screen shot below

 

I want this application to show up on the Application Catalog Website, so I chose a User Collection and made the Purpose Available and Checked Require Administrator Approval if Users Request this Application, but this step is not necessary.

Now the Office 365 App-V Application will show up in the Application Catalog Website - it is the last one on the screen shot below:

 

I installed the Office Application to two separate machines - one is my Windows 8 Primary Device and the other is not. Here is a screenshot from App-V Client on one of my Windows 8 machines.

 

 

Here is a screenshot of my Start Screen on my Windows 8 Primary Device showing all the Office applications published.

Here is the same screenshot from my Windows 8 Non-Primary machine.

 

And now for the final step - How to Update Office 365 Click-to-Run Package.

 

Step 5: Updating Office 365 Click-to-Run App-V Package

Here are the "normal" steps for updating an App-V package.  However, not all of these steps apply to Office 365 Click-to-Run:

  1. Copy the existing virtual application package to a clean Sequencer workstation.
  2. Launch the Sequencer program and open the virtual application package for upgrade.
  3. Install the desired application updates.
  4. Save the new version of the package.
  5. Open the Configuration Manager Admin Console to update the existing package as follows:
  6. Select Software Library Applications.
  7. Select the copied version that has –copy and select Deployment Types at the bottom.
  8. Right-click the deployment type and choose Update content.
  9. Browse and point to the manifest.xml file in the new version of the App-V application and complete the wizard.
  10. Go to the properties of the application and from the Supersedence tab, Add a Supersedence relationship for the previous application.
  11. From the New Deployment Type drop-down, select the previous version of the application. Note: Do not select Uninstall check box.
  12. Deploy the new version of the application to the appropriate collections.

The steps are a little different for updating an Office 365 App-V Package.  Follow the steps outlined at the beginning of this blog and create a new Office 365 App-V Package.  The /download switch of the Office Deployment Tool will download the latest, updated source files.  Create a new package, but name it slightly differently.  I started adding the month and year to my Office 365 Packages in Configuration Manager: Office 365 ProPlus (April 2013) and Office 365 ProPlus (August 2013).  Once you have created your new package, follow the steps for configuring Supersedence above.

If you do not set Supersedence, the installation will remove your old package and all settings before updating.  Supersedence will retain each user's settings.  See screenshot below:

 

This blog post covered the following steps with screenshots:

  • Benefits of Deploying Office 365 with App-V 5.0
  • Create an Office 365 Click-to-Run App-V 5.0 Package
  • Import App-V Package into Configuration Manager
  • Configure App-V Package in Configuration Manager
  • Deploy App-V Package with Configuration Manager
  • Update App-V Package with Configuration Manager

 

Supported scenarios for deploying Microsoft Office as a sequenced App-V Package can be found here - http://support.microsoft.com/kb/2772509

Clarification Notes on Office 2013 / 365:

  • Office 2013 (Volume License Activation) is the traditional MSI-based installation where you buy Office and install it on one machine.
  • Office 365 (Retail Activation) is the Cloud Solution that enables Office to be installed on 5 different devices and includes the Click-to-Run installation.

I used the Office 365 solution for creating the App-V Package and Deployment with Configuration Manager that I detailed in this blog post.

More information on the differences can be found at - http://office.microsoft.com/en-us/business/microsoft-office-365-for-business-faq-FX103030232.aspx

 

 

How to setup Windows 8.1 Mail App without using a Microsoft Account


With the release of Windows 8.1, it is no longer required to have a Microsoft Account (aka Live ID) to run Windows Mail Client.  I will walk you through the steps (with Screenshots) on how to enable this new feature.

When you first launch the Mail Client, it will prompt you to "Switch to a Microsoft account on this PC" if you did not sign in with a Microsoft Account - see screenshot below. Customers that use domain accounts and do not use Microsoft Accounts are still able to use the Windows Mail Client with Windows 8.1.

 

 

To Turn this Feature Off, you have to Enable the following Group Policy:

Computer Configuration -> Administrative Templates -> Windows Components -> App runtime -> Allow Microsoft accounts to be optional

This does not only apply to the Windows Mail Client, but also to other Windows Store Apps that support the feature and previously required a Microsoft Account.

 

 

Once that policy is enabled, you will now be prompted and able to use an Enterprise Account instead - see screenshot below:

 

If you do not publish your Email Server settings, click on Show more details; you are then able to enter your Email Address, Server Address, Domain, Username and Password as shown below.

 

 

I hope you find this Blog Post helpful when trying to setup the Windows Mail App without using a Microsoft Account.

 

Backing up a file system to Azure Storage with PowerShell - 2


Backing up a file system to Azure Storage with PowerShell

Overview: As an IT Administrator, I value backups both in the datacenter and on personal devices.  While SkyDrive (or whatever it will be renamed to) is the answer for user data, some of us still maintain a lot of binary data and full installs that would simply fill up SkyDrive.  I have historically been a big fan of solutions like iDrive, but have never been a big fan of the agents provided.  This blog shows how to use your Azure benefits to safely store any data at an affordable price point.

Pricing: Azure storage is pretty affordable.  At today's prices, I can store my 100 GB of data (binaries, documents, etc.) for $9.50 per month and pay nothing for transferring data in (Azure does not charge for ingress).  If I did ever need to restore everything, the bandwidth charge would be just $11.40 for a complete restore.  This cost of $9.50 can be part of the $140 per month MSDN benefits I already get, so there is no additional charge.

How it works: Using the PowerShell script below, I simply run a monthly backup (scheduled task) of my main workstation and it compares the MD5 hash (see second script) of the local files to what is held in the cloud.  If the hash of the local file is different, it uploads the file, and it deletes any files from my cloud backup that are no longer on my local machine.  It is just that simple!

Setting up Azure: In Azure, simply create a Storage account (either local or Geo, your choice) and click "Manage Access Keys" to get the $storageAccount and the $storageKey.  Next create a container and be sure to mark it "Private", else you will be sharing with the world!

Script (version 1.0):

This version of the script works off of the Archive bit set on the local file system.  This is adequate for most usages, but can be affected if you have existing backup software, since that software also clears the Archive bit.  For this to work you will need to install the PowerShell cmdlets for Azure (http://www.windowsazure.com/en-us/manage/install-and-configure-windows-powershell/) and run the "Set-AzureSubscription" command to connect your Azure account to the local store on the machine.

# Import the modules
import-module "C:\Program Files (x86)\Microsoft SDKs\Windows Azure\PowerShell\Azure\Azure.psd1"

#### Set these parameters as you see fit
$logfile =           "C:\Temp\backup.log"
$storageAccount =    "your storage account here"
$storageKey =        "your storage key here"
$storageContainer =  "your storage container here"
$backupDirectories = "c:\data", "c:\users"
####

# Log into Azure.  You must first have run 'set-AzureSubscription' for this to work
$context = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey

$startTime = get-date
"$startTime => Starting Backup" | Out-File $logfile -Append

# get each item in the directories mentioned above that have the Archive bit set, a standard for backup technologies
foreach ($backupDirectory in $backupDirectories) {
    $files = get-childitem $backupDirectory *.* -rec | where-object {!($_.psiscontainer) -and ($_.attributes -match "Archive")}

    # upload each file, log it, then clear its Archive bit so it is skipped on the next run
    foreach ($file in $files) {
        Set-AzureStorageBlobContent -Blob $file.fullname -Container $storageContainer -File $file.fullname -Context $context -Force
        $endTime = get-date
        $fullname = $file.fullname
        "$endTime => Uploaded $fullname" | Out-File $logfile -Append
        attrib -a $file.fullname
    }
}

$startTime = get-date
"$startTime => Starting Removal of old files" | Out-File $logfile -Append

# Now we need to delete objects from Azure that no longer exist on the local computer
$existingFiles = Get-AzureStorageBlob -context $context -Container $storageContainer

foreach ($existingFile in $existingFiles) {
    # the blob name is the full local path, so Test-Path tells us whether the file still exists
    if ((Test-Path $existingFile.name) -ne $True) {
        Remove-AzureStorageBlob -context $context -Container $storageContainer -Blob $existingFile.name
        $deleteTime = get-date
        "$deleteTime => Deleted $($existingFile.name)" | Out-File $logfile -Append
    }
}

 

Script (version 2.0):

This version of the script:

  • performs an MD5 hash check of the files using a file stream
  • includes directory path skipping (to not upload .ost files and the like)
  • maintains multiple log files
  • has a debug mode
  • sets the power plan
  • URL encodes the file names, as certain NTFS file names do not work in URI formats, specifically the ]
  • includes summary information in the log files

It can incur more bandwidth retrieving the MD5 hash from Azure, but it is a more secure solution, as the integrity of each file is compared, which guarantees the files are the same.

 

# This script was written by Kevin Saye (ksaye@saye.org)
#
# This is a Powershell backup script that backs up entire directories to Azure Storage
# to get the Azure Powershell modules, you must install the following commandlets:
# http://www.windowsazure.com/en-us/manage/install-and-configure-windows-powershell/
# A special thanks to http://www.nikgupta.net/2013/09/azure-blob-storage-powershell/ for the tips!
#
# I am assuming you have one container for each machine you are backing up.

#### Set these parameters as you see fit
$logfile =            "C:\Temp\backup.log"
$storageAccount =     "your storage account here"
$storageKey =         "your storage key here"
$storageContainer =   "your storage container here"
$backupDirectories =  "c:\users", "c:\data"
$skipDirectoryMatch = "\Temp", "~", ".tmp", ".ost"
$debugLevel =         $False
$logfilelimit =       5
####

# Import the Azure modules
import-module "C:\Program Files (x86)\Microsoft SDKs\Windows Azure\PowerShell\Azure\Azure.psd1"
[Reflection.Assembly]::LoadWithPartialName("System.Web")

function SetPowerPlan([string]$PreferredPlan) {
    # look up the plan GUID by its display name and make it the active scheme
    $guid = (Get-WmiObject -Class win32_powerplan -Namespace root\cimv2\power -Filter "ElementName='$PreferredPlan'").InstanceID.tostring()
    $regex = [regex]"{(.*?)}$"
    $newpowerVal = $regex.Match($guid).groups[1].value
    powercfg -S $newpowerVal
}

# blob names must be URI safe, so the full local path is URL encoded on the way up
# and decoded again when the cloud listing is compared with the local disk
function escapeURL($escapeString) {
    [web.httputility]::urlencode($escapeString)
}

function unEscape($escapeString) {
    [web.httputility]::UrlDecode($escapeString)
}

$totalLocalFiles = 0
$totalLocalFileSize = 0
$totalCloudFileSize = 0
$totalCloudFileSizeOld = 0
$totalCloudFileCountOld = 0
$totalUploadedFiles = 0
$context = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
$md5 = [System.Security.Cryptography.MD5]::Create()

# rotate log files: backup.log.4 -> backup.log.5, ..., backup.log -> backup.log.1
do {
    if ($logfilelimit -eq 1) {
        $logfilebackupsource = "$logfile"
    } else {
        $logfilelimitbefore = $logfilelimit - 1
        $logfilebackupsource = "$logfile.$logfilelimitbefore"
    }
    $logfilebackuptarget = "$logfile.$logfilelimit"
    # older generations do not exist yet on the first runs, so a missing source is not an error
    Copy-Item $logfilebackupsource $logfilebackuptarget -Force -ErrorAction SilentlyContinue
    $logfilelimit--
} while ($logfilelimit -gt 0)

#set Preferred powerplan
SetPowerPlan "High Performance"

$startTime = get-date
"$startTime => Starting Backup" | Out-File $logfile
"$startTime => Backing up directories: $backupDirectories, skipping any path that matches: $skipDirectoryMatch" | Out-File $logfile -Append

#get each item in the directories mentioned above and compare the MD5 hash values with what is in the cloud
foreach ($backupDirectory in $backupDirectories) {
    $files = get-childitem $backupDirectory *.* -rec | where-object {!($_.psiscontainer)}

    #for each item in the directory
    foreach ($file in $files) {
        $totalLocalFiles++
        $fullnameEsc = escapeURL($file.fullname)
        $fullname = $file.fullname
        $startTime = get-date
        $totalLocalFileSize = $totalLocalFileSize + $file.Length
        $skipfile = $false
        $localFileSize = $file.Length / 1024

        # Get local MD5 hash as base64, the same form Azure keeps in the blob's Content-MD5;
        # the stream is closed even if hashing fails
        $localMD5 = $null
        $fileReader = new-object System.IO.FileStream $fullname, "Open"
        try {
            $localMD5 = [System.Convert]::ToBase64String($md5.ComputeHash($fileReader))
        } finally {
            $fileReader.Close()
        }

        # Get cloud MD5 hash; a blob that does not exist yet leaves $cloudMD5 empty instead of raising an error
        $cloudMD5 = $null
        $cloudfile = $null
        $blob = Get-AzureStorageBlob -Blob $fullnameEsc -Container $storageContainer -Context $context -ErrorAction SilentlyContinue
        if ($blob) {
            $cloudMD5 = $blob.ICloudBlob.Properties.ContentMD5
            $cloudfile = $blob.Name
        }

        if ($cloudMD5 -ne $localMD5) {
            foreach ($skipDirectory in $skipDirectoryMatch) {
                if ($fullname.ToLower().Contains($skipDirectory.ToLower())) {
                    $skipfile = $True
                }
            }

            if (!$skipfile) {
                if ($debugLevel) {"$startTime => Debug: $fullname ($localFileSize KB) local hash is '$localMD5'.  Cloud file $cloudfile cloud hash is '$cloudMD5', uploading file now." | Out-File $logfile -Append}
                Set-AzureStorageBlobContent -Blob $fullnameEsc -Container $storageContainer -File $fullname -Context $context -Force -ConcurrentTaskCount 1
                if ($debugLevel) {
                    $blob = Get-AzureStorageBlob -Blob $fullnameEsc -Container $storageContainer -Context $context
                    $cloudfile = $blob.Name
                    $cloudMD5 = $blob.ICloudBlob.Properties.ContentMD5
                    "$startTime => Debug: After upload cloud file $cloudfile, the cloud hash is '$cloudMD5'." | Out-File $logfile -Append
                }
                $startTime = get-date
                "$startTime => Uploaded $fullname as $fullnameEsc" | Out-File $logfile -Append
                $totalUploadedFiles++
            } else {
                if ($debugLevel) {"$startTime => Debug: we are skipping: $fullname, because the path matches: $skipDirectoryMatch." | Out-File $logfile -Append}
            }
        } else {
            if ($debugLevel) {"$startTime => Debug: Cloud and Local MD5 hash match for: $fullname, not uploading." | Out-File $logfile -Append}
        }
    }
}

$startTime = get-date
[int]$totalLocalFileSize = $totalLocalFileSize/1024/1024/1024
"$startTime => Completed Backup of files to the cloud. Processed $totalLocalFiles local files for a total size of $totalLocalFileSize GB. Uploaded $totalUploadedFiles file(s)." | Out-File $logfile -Append

# Now we need to delete objects from Azure that no longer exist on the local computer
$existingFiles = Get-AzureStorageBlob -context $context -Container $storageContainer

$startTime = get-date
$fileCount = $existingFiles.Count
"$startTime => Starting Removal of old files, if any. Found $fileCount item(s) in the cloud.  Processing now." | Out-File $logfile -Append

foreach ($existingFile in $existingFiles) {
    $fullname = $existingFile.Name
    $deleteTime = get-date
    $skipfile = $false

    # the blob name is the URL-encoded local path; decode it to test whether the file still exists locally
    $filenameUnEsc = unEscape($fullname)
    if ((Test-Path -LiteralPath $filenameUnEsc) -ne $True) {
        foreach ($skipDirectory in $skipDirectoryMatch) {
            if ($filenameUnEsc.ToLower().Contains($skipDirectory.ToLower())) {
                $skipfile = $True
            }
        }

        if (!$skipfile) {
            Remove-AzureStorageBlob -context $context -Container $storageContainer -Blob $fullname
            "$deleteTime => Deleted file $fullname from the cloud backup." | Out-File $logfile -Append
            $totalCloudFileSizeOld = $totalCloudFileSizeOld + $existingFile.Length
            $totalCloudFileCountOld++
        }
    } else {
        if ($debugLevel) {"$deleteTime => Debug: File $filenameUnEsc exists in cloud and on local machine, skipping." | Out-File $logfile -Append}
        $totalCloudFileSize = $totalCloudFileSize + $existingFile.Length
    }
}

[int]$totalCloudFileSize = $totalCloudFileSize/1024/1024/1024
[int]$totalCloudFileSizeOld = $totalCloudFileSizeOld/1024/1024/1024

$startTime = get-date
"$startTime => Completed Removal of unmatched cloud files. Processed $fileCount cloud files; $totalCloudFileSize GB remain in the cloud." | Out-File $logfile -Append
"$startTime => Completed Removal of unmatched cloud files. Deleted $totalCloudFileCountOld cloud files for a total size of $totalCloudFileSizeOld GB." | Out-File $logfile -Append

#set Preferred powerplan
SetPowerPlan "Balanced"

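Two changes a practitioner would make before scheduling the script above, shown as an added example that is not part of Kevin Saye's script: the storage key is read from a DPAPI-protected file instead of being written into the script, and the local hash is produced in the base64 form Azure keeps in Content-MD5 with the file opened for shared read, so a file that another program holds open (an Outlook .ost, for example) does not abort the run. The key file path, the helper names and the temporary demo file are assumptions constructed for this example.

```powershell
# Added example; not part of the original backup script.
# Assumed: $keyFile is a path only the backup account can read; the demo file below is constructed.

# --- 1. Keep the storage key out of the script file ---------------------------------
# Run once, interactively, as the account that will run the scheduled task:
#   Read-Host -AsSecureString "Storage key" | Export-Clixml $keyFile
# Export-Clixml stores the SecureString encrypted with DPAPI for that user on that machine,
# so the .ps1 itself no longer carries the key and can be checked into source control.
function Get-StorageKeyFromFile([string]$keyFile) {
    $secure = Import-Clixml -Path $keyFile          # rehydrated as a SecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}
# Then in the script: $storageKey = Get-StorageKeyFromFile "C:\Backup\storagekey.xml"

# --- 2. Local Content-MD5 in the form Azure stores it (base64 of the raw digest) -------
# FileShare.ReadWrite lets a file that is open elsewhere still be hashed; the stream is
# disposed on every path. MD5 here only detects change between local and cloud copies;
# it is not a tamper-proof integrity check.
function Get-LocalContentMD5([string]$path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::Open($path,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
    try     { [Convert]::ToBase64String($md5.ComputeHash($stream)) }
    finally { $stream.Dispose(); $md5.Dispose() }
}

# --- 3. The upload decision, isolated so it can be checked without an Azure account ----
# $cloudMD5 is $null when Get-AzureStorageBlob found no blob for this path yet.
function Test-NeedsUpload([string]$path, [string]$cloudMD5, [string[]]$skipPatterns) {
    foreach ($pattern in $skipPatterns) {
        if ($path.ToLower().Contains($pattern.ToLower())) { return $false }   # excluded path
    }
    if (-not $cloudMD5) { return $true }                                      # never uploaded
    return (Get-LocalContentMD5 $path) -ne $cloudMD5                           # changed?
}

# Demonstration on a constructed temporary file (no Azure connection needed)
$tmp = Join-Path $env:TEMP "backup-demo.txt"
[IO.File]::WriteAllText($tmp, "hello backup")
$localHash = Get-LocalContentMD5 $tmp
Test-NeedsUpload $tmp $null      @(".ost")   # True  : no blob recorded yet
Test-NeedsUpload $tmp $localHash @(".ost")   # False : cloud copy matches
Test-NeedsUpload $tmp "AAAA"     @(".ost")   # True  : cloud copy differs
Test-NeedsUpload "C:\Users\me\mail.ost" $null @(".ost")   # False : skipped by pattern
Remove-Item $tmp
```
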
Microsoft Desktop Optimization Pack (MDOP) 2013 R2 Overview


The Microsoft Desktop Optimization Pack (MDOP) is a portfolio of technologies available as a subscription for Software Assurance customers. MDOP helps to improve compatibility and management, reduce support costs, improve asset management, and improve policy control.

Here is a list of some of the new features added to MDOP 2013 R2 with either a new service pack level or new version.

 

Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of the Group Policy Management Console (GPMC) to provide change control and improved management.

  • AGPM 4.0 SP2 supports Windows 8.1, Windows 8, Windows 7, Windows Vista SP1, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2

 

Microsoft Application Virtualization (App-V) provides the administrative capability to make applications available to end user computers without installing the applications directly on those computers.

  • App-V 5.0 SP2 
    • Adds support for Windows 8.1 and Windows Server 2012 R2
    • Adds support for Virtualizing Microsoft Office 2013 and Microsoft Office 2010 using App-V 5.0

 

Microsoft BitLocker Administration and Monitoring (MBAM) provides an administrative interface to enterprise-wide BitLocker drive encryption.

  • MBAM 2.0 SP1
    • Adds support for Windows 8.1 and Windows Server 2012 R2
    • Adds support for System Center 2012 R2 Configuration Manager

 

Microsoft Diagnostics and Recovery Toolset (DaRT) helps troubleshoot and repair Windows-based computers.

  • DaRT 8.1 supports Windows 8.1 and Windows Server 2012 R2

 

Microsoft User Experience Virtualization (UE-V) captures settings to apply to computers accessed by the user including desktop computers, laptop computers, and VDI sessions.

  • UE-V 2.0 
    • Supports Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2008 R2
    • Adds support for Windows 8 Modern Apps
    • Adds Company Settings Center

Using Configuration Manager Operating Systems Deployment (OSD) with a Shared Network Adapter



Written by Wes Johns

With the proliferation of tablet devices, things have changed because most tablets do not have fixed network cards; rather, the network card comes in the form of a USB network adapter.  This leads to the desire to leverage a single adapter or docking station for Operating System Deployment (OSD).  Each adapter or docking station has a unique MAC address, yet the tablet itself does not (excluding the Wi-Fi adapter).  Configuration Manager requires uniqueness of devices during the OSD build process, so if we use a shared adapter we run into issues.

Configuration Manager supports both MAC and SMBIOS UUID.  The key to solving the issue is the fact that the SMBIOS UUID is device specific as opposed to adapter specific.  By using an identifier unique to the device we can get around the problem of “uniqueness” when a shared adapter is used. Some vendors may provide .csv files with bulk orders with the list of MAC and SMBIOS information to simplify the process.  Depending on the OEM, the SMBIOS UUID may be available to view in the BIOS.  In any case we want to automate the collection of the UUID using WMI.

How to Collect SMBIOS UUID

  1. Create Script to Collect SMBIOS UUID

Here is a VB Script that will collect the SMBIOS UUID and export it a .csv file:

 

strComputer = "."
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const ForAppending = 8
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_ComputerSystemProduct",,48)
' one row per instance: placeholder name, SMBIOS UUID, empty MAC column
For Each objItem in colItems
    outFile = "D:\UUID.csv"
    Set objFile = objFSO.OpenTextFile(outFile, ForAppending, True)
    ' WriteLine already terminates the line, so no extra vbCr is appended
    objFile.WriteLine "ComputerName" & "," & objItem.UUID & ","
    objFile.Close
Next
MsgBox "UUID gathering complete"

 

NOTE: Make sure outFile=D:\UUID.csv equals your USB Device in Windows PE.

 

2.  Save the file as GatherUUID.vbs and put it on a Bootable USB Device.

3.  Boot the Device from USB Stick that contains GatherUUID.vbs file.

4.  Once in Windows PE, run GatherUUID.vbs to populate UUID.csv file.
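
The same collection done in PowerShell, as an added example rather than the post's VBScript: it writes the row in the Name, SMBIOS GUID, MAC column order that the import wizard uses by default, records the MAC of the adapter that happens to be plugged in, and leaves the SMBIOS column empty when the firmware reports a filler UUID (all zeros or all Fs) that would not be unique. It assumes the boot image includes the WinPE-WMI and WinPE-PowerShell components; the CSV path and the name prefix are placeholders.

```powershell
# Added example; not the post's script. Assumed: WinPE has WMI and PowerShell components;
# "D:\UUID.csv" and the "Tablet" prefix are placeholders to change.

function Get-DeviceIdentity([string]$NamePrefix = "Tablet") {
    $uuid = (Get-WmiObject -Class Win32_ComputerSystemProduct).UUID

    # A UUID made only of 0s or only of Fs is a filler value shared by many devices, so it
    # cannot be the unique identifier; leave the SMBIOS column empty for that row and let
    # the MAC carry it (that device then cannot share an adapter during OSD).
    $hexOnly    = $uuid -replace '[^0-9A-Fa-f]', ''
    $uuidUsable = -not ($hexOnly -match '^(0+|[Ff]+)$')

    # MAC of the adapter currently up. With a shared USB adapter or dock this is the
    # dock's MAC, which is exactly why the SMBIOS UUID is preferred for uniqueness.
    $mac = (Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
            Where-Object { $_.IPEnabled -and $_.MACAddress } |
            Select-Object -First 1).MACAddress

    [pscustomobject]@{
        Name       = "$NamePrefix-" + $hexOnly.Substring(0, 6)   # temporary name; rename in Excel before import
        SmbiosGuid = if ($uuidUsable) { $uuid } else { "" }
        Mac        = $mac
    }
}

# Appends one "Name,SMBIOS GUID,MAC" row (no header line, like the VBScript) and returns it.
function Export-DeviceIdentity([string]$CsvPath) {
    $row  = Get-DeviceIdentity
    $line = "{0},{1},{2}" -f $row.Name, $row.SmbiosGuid, $row.Mac
    Add-Content -Path $CsvPath -Value $line
    return $line
}

Export-DeviceIdentity -CsvPath "D:\UUID.csv"   # same USB path the VBScript writes to
```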

 

How to Import Machines into Configuration Manager

After running the script against all the desired devices, you will need to open the file and modify the computer names so they are unique.  It may be desirable to use Excel so auto fill can be used for naming structures such as Tablet1, Tablet2 and so on.

Leverage the standard device import process SCCM Console\Devices\Import computer information.  Since we have a file, select “Import computers using a file”.  The default field mapping should work fine because the file we previously created matched the defaults of Name, SMBIOS GUID, MAC.  It should look something like the below screen capture.

 

It may also be necessary to import some drivers into the Windows PE boot image used by OSD to ensure network connectivity is available for the build process.

 

How to enable password + user certificate authentication in ADFS 3.0



posted for Kevin Saye

 

Overview:

With the large usage of consumer and enterprise devices from inside and outside the organization, many customers are asking what Microsoft's native MFA (Multi Factor Authentication) options are.

This blog discusses how to architect, implement and troubleshoot MFA for ADFS-aware applications across internal and external devices, passwords and/or certificates, and users and/or groups.

What is Multi Factor Authentication and what does Microsoft offer?

While different people have different interpretations of MFA, most will agree it is generally viewed and accomplished by combining 2 different factors to identify the user.  The most common are what you know (a password) and what you have (some artifact that cannot be in 2 places at once).

The most common deployments are password + hard token.  More cost effective are “soft” tokens, which are forms of software running on a device that cannot be cloned.

Microsoft offers 2 forms of “MFA” out of the box: certificates and software such as PhoneFactor.  ADFS 3.0 supports both for passive profile applications.

Architecting ADFS for MFA:

Out of the box, ADFS 3.0 can determine:

  1. internal or external access networks

  2. Registered or non-registered devices

  3. User / group membership

  4. Devices with and without user certificates

ADFS also has a pluggable ecosystem for third party solutions.  Microsoft maintains a “step by step” list of ADFS solutions here: http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=WS.10).aspx.

Using the above 4 options we can construct enforcement policies such as:

  1. You can access all “non-sensitive” applications without MFA

  2. If not on the corporate network, you must have MFA to access a specific application

  3. If not on the network and not on a registered device, you must have MFA

  4. If not on the corporate network, you can’t use Outlook, but you can use ActiveSync

  5. If a privileged user, must always have MFA

  6. On a non-standard device, must always use MFA

  7. If not accessing from in country locations (need: http://www.ip2location.com/ database) must use MFA

As you can see from above, we can combine many forms of policy and enforce it at ADFS.

Implementing a MFA restriction:

Implementing MFA takes 3 core steps, plus one optional step:

  1. Enable Certificates as an authentication method

  2. Defining MFA at the Global Policy

  3. Requiring MFA on a “Relying Party Trust” basis

  4. [Optional] Defining Issuance Authorization Rules for each “Relying Party Trust”

Enable Certificates as an authentication method:

Configure AD FS -> Authentication Policies -> Edit Global Primary Authentication to allow Certificate Authentication on the location you desire.

Defining MFA at the Global Policy

Configure AD FS -> Authentication Policies -> Edit Global Multi Factor Authentication Policy to determine what other options qualify as MFA.  Below you see I have selected certificates, which will qualify user certificates as MFA.

Requiring MFA on a “Relying Party Trust” basis

Configure AD FS -> Authentication Policies -> Per Relying Party Trust to determine when and to whom MFA is required.

[Optional] Defining Issuance Authorization Rules for each “Relying Party Trust”

To require a specific “Relying Party Trust” to use certificate type or to deny/allow based on device and or protocol, you can define an Issuance Authorization Rule to allow / disallow based on any claim you choose.  Example below says “must be cert” but the options are endless.
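
The same three core steps driven from the ADFS PowerShell module, as an added example that is not part of the post: enforcement policies 2 and 5 from the list above are written as additional-authentication rules and attached to one relying party, after certificates have been allowed as a primary method and counted as MFA. The relying party name and the group SID are placeholders, and the authentication provider names are assumed; confirm them on your farm with Get-AdfsAuthenticationProvider.

```powershell
# Added example; not the post's own configuration. Run on an ADFS 3.0 (Windows Server 2012 R2) server.
Import-Module ADFS

# Standard ADFS claim URIs used by the rules
$authMethodClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$mfaValue        = "http://schemas.microsoft.com/claims/multipleauthn"
$insideCorpNet   = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$groupSidClaim   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"

# Placeholders: your relying party's display name and the SID of the privileged group
$relyingParty    = "Claims Aware App (placeholder)"
$privilegedGroup = "S-1-5-21-PLACEHOLDER-512"

# Policy 2: a request that did not come from the corporate network must complete MFA.
# insidecorporatenetwork is "false" for requests that arrive through the Web Application Proxy.
$requireMfaExternal = @"
c:[Type == "$insideCorpNet", Value == "false"]
 => issue(Type = "$authMethodClaim", Value = "$mfaValue");
"@

# Policy 5: members of the privileged group must always complete MFA, wherever they are.
$requireMfaPrivileged = @"
c:[Type == "$groupSidClaim", Value == "$privilegedGroup"]
 => issue(Type = "$authMethodClaim", Value = "$mfaValue");
"@

# Step 1 and 2 (GUI: Edit Global Primary / Multi Factor Authentication Policy):
# allow certificate logon from the extranet and count a user certificate as an MFA method.
# Provider names are assumed; check Get-AdfsAuthenticationProvider before running.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider @("FormsAuthentication", "CertificateAuthentication") `
    -AdditionalAuthenticationProvider @("CertificateAuthentication")

# Step 3 (GUI: Per Relying Party Trust): MFA is demanded for this application only when
# at least one of the rules above issues the multipleauthn claim.
Set-AdfsRelyingPartyTrust -TargetName $relyingParty `
    -AdditionalAuthenticationRules ($requireMfaExternal + "`n" + $requireMfaPrivileged)

# Review what is now enforced for that relying party
(Get-AdfsRelyingPartyTrust -Name $relyingParty).AdditionalAuthenticationRules
```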

Troubleshooting / Logging MFA Access:

Enable Auditing in the Federation Services Properties.

When your user logs in with multiple factors, you will see:

If they log in with forms based authentication and a certificate you will see:

If they log in with integrated authentication:

If the user logs in from the intranet, you will see:

To see what the application is and if it came through a proxy:


ADFS needs port 49443


ADFS 2.1 User Certificate Authentication and/or Device Registration Authentication Fails with Server 2012 R2

Problem: Using Certificate Authentication or Device Registration with ADFS on Server 2012 R2 fails when published externally.  Internally it works, externally it fails.

Cause: Changes were made in ADFS on Windows Server 2012 R2 to support Device Registration.  These same changes apply to certificate authentication, where the client (machine and/or web browser) initiates a TCP connection to the ADFS or WAP server on destination port 49443.  This design change is documented here: http://technet.microsoft.com/en-us/library/dn486819.aspx.

Solution: On your external firewall, in addition to TCP port 443, publish TCP port 49443 for ADFS or for the WAP (the preferred method).


Managing Encryption on Mobile Devices with Configuration Manager and Intune


Managing Mobile Devices Encryption with Configuration Manager and Windows Intune

In this blog I will detail the steps (with screenshots) on how to implement and monitor Mobile Device Encryption using Configuration Manager 2012 R2 and Windows InTune.  I will outline the following:

  1. Enroll a Windows Phone 8.1 Device to be managed by Configuration Manager and Windows Intune
  2. Create Windows Intune Collections (Users and Devices)
  3. Create Compliance Settings - Configuration Item with Encryption Policy
  4. Create Compliance Settings - Configuration Baseline with Configuration Item
  5. Deploy Configuration Baseline to Collections
  6. Monitor Configuration Baseline Deployment

This blog post assumes that you already have Configuration Manager and Windows Intune up and running and are knowledgeable in operating and managing devices with Configuration Manager.


Enroll a Device

These are the steps to enroll a Windows Phone 8.1 Device to be managed by Configuration Manager and Windows InTune.

Go into Settings on the Windows Phone 8.1 Device and select Workplace. Click on Add Account and then enter your email address and select Sign In.

 

Enter your Password and click Sign In to Enroll. Finally, select Install Company App and click Done.

Once you Enroll your phone, you can expect policy and changes to take effect within an hour.  You can also force a policy refresh by clicking on the Refresh Button.


Create Configuration Manager Collections


I created User and Device Collections.  I have a User Collection called All Windows Intune Users and multiple Device Collections.  I will focus on creating the Device Collections below:

All Mobile Devices

Built-In Collection.  All Mobile Device Collections below are limited to this Collection

All Mobile Windows Phone Devices

Criteria: System Resource.Agent Edition is equal to 4

All Mobile iPhone Devices

Criteria: System Resource.Agent Edition is equal to 8

All Mobile Android Devices

Criteria: System Resource.Agent Edition is equal to 11

I only have one Windows InTune Users Collection, which queries an AD Group.  This collection defines which users will be able to enroll their devices for management.

All Windows InTune Users

Criteria: User Resource.User Group Name is equal to "CONTOSO\Windows Intune Users"


 

Create Configuration Item - Encryption Policy


From the Configuration Manager Console, Navigate to Assets and Compliance Node.  Select Configuration Items and Right Click to Create Configuration Item.


 

Select Encryption under the Select the mobile device setting groups to configure. Click Next.

Change File encryption on mobile device from Not Configured to On.  You can select Remediate noncompliant settings to force Encryption on devices that support that feature.  I changed Noncompliance severity for reports to Critical.

Under the Supported Platforms screen, uncheck Select All and then only select Windows Phone 8.1.



The following page is the Platform Applicability.  If any settings are not supported by all platforms, they will be listed on the following screen.  Encryption is supported on Windows Phone 8.1, so nothing to show here. I just clicked Next.

Next is the Summary Page.

Completion Page.


Create and Deploy Configuration Baseline

Navigate to Assets and Compliance Node in Configuration Manager Admin Console.  Select Configuration Baselines, Right Click and Select Create Configuration Baseline.


Enter a Name: All Windows Phone 8.1 Encryption Baseline and a Description if desired.

From the Configuration Data section, click on Add and Choose Configuration Items.


Select All Windows Phone 8.1 Encryption Policy Configuration Item that was created in the previous step and Click Add then OK. You can add multiple Configuration Items if desired.




Now that the Configuration Baseline is created, the next step is to deploy the Baseline to a Collection.

Right Click Configuration Baseline and Select Deploy. You can select multiple options for Remediation and Generating an Alert.  I chose the All Windows InTune Users Collection and a Simple Schedule to Run Every 4 Hours.

Click OK to Complete the Deployment.


Monitoring Baseline Deployment

There are multiple ways to monitor and report on the Encryption Status of the devices in our Deployment.  Navigate to Monitoring Node in Configuration Manager Console.  From here, we can utilize Alerts Node, Reporting Node and Deployments Node to monitor and track Encryption Status of the devices.

Here are screenshots from the Deployment Status:

Each Deployment Status will show Compliant, Error (if a Configuration Item does not apply), Non-Compliant and Unknown (if a device has not gotten the policy).

This screen shows that Andrew's Windows Phone is Encrypted and therefore Compliant. 

The Non-Compliant Tab shows that Dawn and Madison's Windows Phones are not Encrypted and therefore Non-Compliant.

There are also 17 Built-In Compliance and Settings Reports.

And finally, we have Alerts that can be configured when deploying each Baseline.

This concludes a high-level overview of how to monitor the Encryption Status (or any other Mobile Device Setting).


How To Update Azure Rights Management Template(s) using PowerShell


Step 1: Connect to Exchange Online using remote PowerShell - http://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx

Launch Windows PowerShell from a Windows 7, 8 or 8.1 computer with .NET Framework 4.5 or higher and Windows Management Framework 3.0 or higher

Run the following command: $UserCredential = Get-Credential

Type your Exchange Online user name and password, and then click OK

Run the following command: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

 Run the following command: Import-PSSession $Session



Step 2: Updates Templates for Exchange Online - http://technet.microsoft.com/en-us/library/dn642472.aspx

Using Windows PowerShell in Exchange Online from Step 1

Run the following command: Import-RMSTrustedPublishingDomain -Name "RMS Online - 1" -RefreshTemplates -RMSOnline

To confirm that the templates have imported successfully, wait a few minutes

Run the following command: Get-RMSTemplate


Note: I used the default TPD Name "RMS Online - 1".  To verify your TPD name, you can run the following command: Get-RMSTrustedPublishingDomain


Azure Rights Management enables implicit trust between organizations and users in any organization. This means that protected content can be shared between users within the same organization or across organizations when users have Microsoft Office 365 or Azure Rights Management, or when users sign up for RMS for individuals. There is a default Do Not Forward template that can be used across organizations.  The Do Not Forward Template allows recipients to read the message, but they cannot Forward, Print or Copy content. For additional settings and templates to use across organizations, you must create a new Rights Management Template using PowerShell.

I will detail the steps in this blog to show how to create an Azure Rights Management Template for Users Across an Organization.


Step 1: Connect to Azure Rights Management using Windows PowerShell

Run the following command: $AdminCredentials = Get-Credential

Type your Azure user name and password, and then click OK

Run the following command: Connect-AadrmService -Credential $AdminCredentials


Step 2: Create Azure Rights Management Template

Run the following commands to create a Template for Marketing where joe@company123.com only has View and Export rights and the Marketing Department has Co-Author rights:

Specify Name Variable (a hashtable keyed by locale ID): $names = @{}

Specify Name for locale 1033 (English - United States): $names[1033] = "Company123 - External Company Confidential"

Specify Description Variable: $descriptions = @{}

Specify Description: $descriptions[1033] = "This content is confidential and should only be Viewed by Joe at Company 123"

Specify Rights for Joe at Company 123: $r1 = New-AadrmRightsDefinition -EmailAddress joe@company123.com -Rights "VIEW","EXPORT"

Specify Rights for Marketing Department: $r2 = New-AadrmRightsDefinition -EmailAddress marketing@contoso.com -Rights "Co-Author"

Create and Publish Template: Add-AadrmTemplate -Names $names -Descriptions $descriptions -RightsDefinitions $r1, $r2 -Status Published


Step 3: Connect to Exchange Online using remote PowerShell

Launch Windows PowerShell from a Windows 7, 8 or 8.1 computer with .NET Framework 4.5 or higher and Windows Management Framework 3.0 or higher

Run the following command: $UserCredential = Get-Credential

Type your Exchange Online user name and password, and then click OK

Run the following command: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

 Run the following command: Import-PSSession $Session 


Step 4: Updates Templates for Exchange Online

Using Windows PowerShell in Exchange Online from Step 3

Run the following command: Import-RMSTrustedPublishingDomain -Name "RMS Online - 1" -RefreshTemplates -RMSOnline

To confirm that the templates have imported successfully, wait a few minutes

Run the following command: Get-RMSTemplate

Note: I used the default TPD Name "RMS Online - 1".  To verify your TPD name, you can run the following command: Get-RMSTrustedPublishingDomain
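The template creation from Step 2, written as an added example (not code from the original post) that generalizes it to several locales and any number of rights definitions, with a check that every locale has both a name and a description before anything is published. It assumes Connect-AadrmService has already been run; the French locale (1036), the second description and the addresses are constructed values.

```powershell
# Added example, not from the original post.  Builds an Azure RMS template from
# locale-keyed names/descriptions and a map of recipient -> rights, then
# publishes it.  Assumes the AADRM module is loaded and Connect-AadrmService ran.
function New-CrossOrgRmsTemplate {
    param(
        [Parameter(Mandatory)] [hashtable] $Names,         # LCID -> template name
        [Parameter(Mandatory)] [hashtable] $Descriptions,  # LCID -> description
        [Parameter(Mandatory)] [hashtable] $RightsByUser,  # e-mail -> array of rights
        [string] $Status = 'Published'                     # 'Published' or 'Archived'
    )

    # Every locale with a name needs a matching description, and vice versa,
    # otherwise the template shows up half-localized in Office clients.
    foreach ($lcid in $Names.Keys) {
        if (-not $Descriptions.ContainsKey($lcid)) { throw "No description for LCID $lcid" }
    }
    foreach ($lcid in $Descriptions.Keys) {
        if (-not $Names.ContainsKey($lcid)) { throw "No name for LCID $lcid" }
    }
    if ($RightsByUser.Count -eq 0) { throw "At least one rights definition is required" }

    # One New-AadrmRightsDefinition per recipient, exactly as Step 2 does by hand.
    $rights = foreach ($entry in $RightsByUser.GetEnumerator()) {
        New-AadrmRightsDefinition -EmailAddress $entry.Key -Rights $entry.Value
    }

    Add-AadrmTemplate -Names $Names -Descriptions $Descriptions `
        -RightsDefinitions $rights -Status $Status
}

# Constructed sample input: the post's English entries plus a French locale (1036).
$names = @{
    1033 = 'Company123 - External Company Confidential'
    1036 = 'Company123 - Confidentiel externe'
}
$descriptions = @{
    1033 = 'This content is confidential and should only be Viewed by Joe at Company 123'
    1036 = 'Ce contenu est confidentiel et reserve a Joe chez Company 123'
}
$rightsByUser = @{
    'joe@company123.com'    = @('VIEW', 'EXPORT')
    'marketing@contoso.com' = @('Co-Author')
}

New-CrossOrgRmsTemplate -Names $names -Descriptions $descriptions -RightsByUser $rightsByUser
# Exchange Online still has to pull the new template: run Step 4 afterwards.
```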


MSDN Links:

Azure Rights Management Cmdlets - http://msdn.microsoft.com/en-us/library/azure/dn629398.aspx

Connect-AadrmService - http://msdn.microsoft.com/en-us/library/azure/dn629415.aspx

Add-AadrmTemplate - http://msdn.microsoft.com/en-us/library/azure/dn727075.aspx


Advanced Customization of ADFS for Cloud Usage (Part 1 of 4)


This blog is part 1 of 4 blogs about customizing Microsoft's ADFS for advanced user scenarios by Kevin Saye (Azure TSP).

I will break down this series into the following parts:

Part 1 – Customizing the Login Page

Customizing the Login Page for advanced features.  We will add icons and have automated presentation logic.

Part 2 – Using Cloud or on Premises MFA

What changes happen in the claims and how to control where MFA takes place.

Part 3 – User Certificates

Enabling enrollment and usage of user certificates for ADFS.

Part 4 – Expired Passwords

How to detect and address users with expired passwords.


Part 1 – Customizing the Login Page:

Our goal is to customize the end user login page for simplicity and usability.  Our end state will look something like this:



I have added:

  • Change Password / Reset Password capability

  • User Certificate registration

  • Mobile device registration

  • Company Policy Information

  • Renamed x.509 certificate to User Certificate

  • (inherit) Multi-Factor integration and registration (part 2)

  • (inherit) Expired Password detection (part 4)

Most of these customizations are via HTML (and JavaScript) with a few PowerShell commands.

Button Bar:

The 4 core buttons (aka Button Bar) are simple HTML that redirect to other URLs.  They are both touch and click enabled with a nice color scheme.  The HTML to make this happen is:

<table cellspacing="6" cellpadding="8">
<tr>
<td width="50%" onclick="location.href='https://passwordreset.microsoftonline.com/?whr=kevinsay.scd365.net'" style='background:#0072c6;padding: 8px'><span style='color:white'>Change or Reset Password</span></td>
<td width="50%" onclick="location.href='https://multifactor.kevinsay.scd365.net/certsrv/certrqus.asp'" style='background:#00BCF2;padding: 8px'><span style='color:white'>Request new User Cert (requires phone)</span></td>
</tr>
<tr>
<td width="50%" onclick="location.href='http://device.kevinsay.scd365.net'" style='background:#DC3C00;padding: 8px'><span style='color:white'>Register mobile OS: iOS, Windows, Android</span></td>
<td width="50%" onclick="location.href='http://policy.kevinsay.scd365.net/remote'" style='background:#00188F;padding: 8px'><span style='color:white'>Read Remote Access Policy</span></td>
</tr>
</table>

Based on the limited formatting, this button bar resizes nicely and is cross browser. 

To apply this button bar, as is (you will need to change the URLs), simply run this PowerShell command on your ADFS Server:

Set-AdfsGlobalWebContent -SigninPageDescriptionText "<table cellspacing=""6"" cellpadding=""8""><tr><td width=""50%"" onclick=""location.href='https://passwordreset.microsoftonline.com/?whr=kevinsay.scd365.net'"" style='background:#0072c6;padding: 8px'><span style='color:white'>Change or Reset Password</span></td><td width=""50%"" onclick=""location.href='https://multifactor.kevinsay.scd365.net/certsrv/certrqus.asp'"" style='background:#00BCF2;padding: 8px'><span style='color:white'>Request new User Cert (requires phone)</span></td></tr><tr><td width=""50%"" onclick=""location.href='http://device.kevinsay.scd365.net'"" style='background:#DC3C00;padding: 8px'><span style='color:white'>Register mobile OS: iOS, Windows, Android</span></td><td width=""50%"" onclick=""location.href='http://policy.kevinsay.scd365.net/remote'"" style='background:#00188F;padding: 8px'><span style='color:white'>Read Remote Access Policy</span></td></tr></table>"

Notice, based on the PowerShell command, we have replaced double quotes (") with 2 double quotes ("") and then opened and closed the string with a double quote (").  Because registering a mobile device is unique to each device, or if you want to require Intune, this button simply redirects to a documentation page.

Button Bar with JavaScript hiding logic:

Sometimes having the button bar on the screen can be confusing.  For example, if we are performing a Multi-Factor authentication, we should eliminate the button bar and just focus on the MFA technology.  The graphic below should focus on MFA, but instead the button bar seems to take away the focus.

To resolve this, we use simple JavaScript that will "hide" the button bar if we are doing an MFA login.  We know we are doing an MFA login if the element with id "WindowsAzureMultiFactorAuthentication" is present in the HTML.  Knowing that, we simply write JavaScript that hides the button bar, now wrapped in a div, when that element exists.

Now our simple HTML looks like:

<script>
function hideBar() {
  // The MFA provider renders an element with this id; if it is present, we are in an MFA step.
  // getElementById returns null when the element is absent, so test for null rather than reading a property off it.
  if (document.getElementById("WindowsAzureMultiFactorAuthentication") !== null) {
    document.getElementById("buttonBar").style.display = 'none';
  }
}
window.onload = hideBar;
</script>

<div id="buttonBar">
<table cellspacing="6" cellpadding="8">
<tr>
<td width="50%" onclick="location.href='https://passwordreset.microsoftonline.com/?whr=kevinsay.scd365.net'" style='background:#0072c6;padding: 8px'><span style='color:white'>Change or Reset Password</span></td>
<td width="50%" onclick="location.href='https://multifactor.kevinsay.scd365.net/certsrv/certrqus.asp'" style='background:#00BCF2;padding: 8px'><span style='color:white'>Request new User Cert (requires phone)</span></td>
</tr>
<tr>
<td width="50%" onclick="location.href='http://device.kevinsay.scd365.net'" style='background:#DC3C00;padding: 8px'><span style='color:white'>Register mobile OS: iOS, Windows, Android</span></td>
<td width="50%" onclick="location.href='http://policy.kevinsay.scd365.net/remote'" style='background:#00188F;padding: 8px'><span style='color:white'>Read Remote Access Policy</span></td>
</tr>
</table>
</div>

Now we get the following graphic (button bar missing when in Multi Factor mode):

To apply this button bar with JavaScript logic, as is (you will need to change the URLs), simply run this PowerShell command on your ADFS Server:

Set-AdfsGlobalWebContent -SigninPageDescriptionText "<script>function hideBar() { if (document.getElementById(""WindowsAzureMultiFactorAuthentication"") !== null) { document.getElementById(""buttonBar"").style.display = 'none'; } } window.onload = hideBar;</script><div id=""buttonBar""><table cellspacing=""6"" cellpadding=""8""><tr><td width=""50%"" onclick=""location.href='https://passwordreset.microsoftonline.com/?whr=kevinsay.scd365.net'"" style='background:#0072c6;padding: 8px'><span style='color:white'>Change or Reset Password</span></td><td width=""50%"" onclick=""location.href='https://multifactor.kevinsay.scd365.net/certsrv/certrqus.asp'"" style='background:#00BCF2;padding: 8px'><span style='color:white'>Request new User Cert (requires phone)</span></td></tr><tr><td width=""50%"" onclick=""location.href='http://www.msn.com'"" style='background:#DC3C00;padding: 8px'><span style='color:white'>Register mobile OS: iOS, Windows, Android</span></td><td width=""50%"" onclick=""location.href='http://www.msn.com'"" style='background:#00188F;padding: 8px'><span style='color:white'>Read Remote Access Policy</span></td></tr></table></div>"
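Hand-doubling every quote in a one-line command (as both Set-AdfsGlobalWebContent commands above require) is where the escaping mistakes creep in, so here is an added example, not from the original post, that keeps the HTML and JavaScript fragment in a file, lets PowerShell do the quoting, and reads the setting back from AD FS to confirm what was stored. It assumes the ADFS module is present on the AD FS server; the file path is an assumption, and the read-back takes the first (invariant-locale) entry returned by Get-AdfsGlobalWebContent.

```powershell
# Added example, not code from the original post.  Applies the sign-in page
# description from a file and verifies the stored value.  Assumes the ADFS
# module (Set-/Get-AdfsGlobalWebContent) is available; the path is an assumption.
function Set-SigninDescriptionFromFile {
    param([Parameter(Mandatory)] [string] $Path)

    # Read the fragment as a single string, exactly as saved (no line splitting).
    $html = Get-Content -Path $Path -Raw
    if ([string]::IsNullOrWhiteSpace($html)) {
        throw "No HTML found in $Path"
    }

    # Passing a variable avoids the doubled quotes ("") a literal needs and
    # avoids accidental $variable expansion inside the HTML/JavaScript.
    Set-AdfsGlobalWebContent -SigninPageDescriptionText $html

    # Read back what AD FS stored (first entry = invariant locale) and compare.
    $applied = (Get-AdfsGlobalWebContent | Select-Object -First 1).SigninPageDescriptionText
    if ($applied -ne $html) {
        throw "Stored sign-in description does not match $Path"
    }
    return $applied
}

# For anyone who still wants a single literal command like the ones in the post:
# wraps the text in double quotes and doubles every embedded double quote.
function ConvertTo-DoubleQuotedLiteral {
    param([Parameter(Mandatory)] [string] $Text)
    return '"' + ($Text -replace '"', '""') + '"'
}

# Usage (path is an assumption): keep buttonbar.html under source control so the
# exact HTML/JavaScript injected into the login page can be reviewed and diffed.
Set-SigninDescriptionFromFile -Path 'C:\adfs\buttonbar.html'

# Equivalent one-liner, generated rather than typed:
$literal = ConvertTo-DoubleQuotedLiteral -Text (Get-Content -Path 'C:\adfs\buttonbar.html' -Raw)
Write-Output "Set-AdfsGlobalWebContent -SigninPageDescriptionText $literal"
```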

Rename User Certificate and Multi-Factor:

The default UI asks the user if they want to sign in using an X.509 certificate.  While most of my business users don't know what that is, they might know what a user certificate is.

Running the following PowerShell command on the ADFS server can make this a more user friendly message:

set-AdfsAuthenticationProviderWebContent -Name certificateauthentication -DisplayName "Sign in using a user certificate."



If you want to rename “Multi-Factor Authentication”, you can run the following PowerShell command, giving you the following login screen:

set-AdfsAuthenticationProviderWebContent -Name WindowsAzureMultiFactorAuthentication -DisplayName "Sign in using your phone."


Other Customizations:

Other customizations are documented here: https://technet.microsoft.com/en-us/library/dn280950.aspx and here: https://technet.microsoft.com/en-us/library/dn636121.aspx.

