Intune is Group Policy Management

Hey guys and girls, sorry about not updating my blog because I have been occupied with work. I feel so bad to break this goal, which is to write every once a week.

So I think my title caught your attention right? You thought that this post is going to be talking nonsense? Hahaha…No! I do still receiving people having misunderstanding what is Intune, its capability and its limitations. I do see quite a lot of blogs are only talking about the wins and lose of Intune and Group Policy Management,  not many in explaining.

Familiar questions that I usually get;

“I thought Intune is a replacement of GPO?”

“Why do we still need to rely on GPO?”

“No,  you are wrong, I saw there is administrative templates in Intune”

I am here to explain it to you properly.

If you took your time to look closely on Intune’s Device configuration categories, you will notice their settings are actually not as complete as GPO for Windows. So seeing something half does not mean it gives you full understanding of Intune capability and limitations until you put yourself and it into experiment or lab testing.

The journey I had with Intune, I would say it was a roller-coaster, I experience its limitations, behavior and good part. Yes, technology keeps changing to ease our daily challenges.

Throughout my experience, I would say that Intune does their job but still not stable enough. I usually have to combine other technology to achieve the work. You might thought of this “Urgh…is lots of work and to keep track on.”, well, if you are creative person, these are your possibilities to your resolutions from stopping you to get that work done.

In conclusion, Intune is not Group Policy Management, but Intune and Group Policy Management can be one (combine) to get your work done.

 

 

 

Azure & PowerShell: Service Plan Information

Hey dudes and ladies! Malaysia Movement Control Order has announce extend till 12th May but with relax conditions. Before the announcement, there was a decrease in number of reported cases and we had hope that there won’t be another extend announcement. However, the reported cases increases. Anyway, hope you guys are doing good at home, to those are infected by Covid-19, hope rapid recovery and to those are getting racism attack or getting criticism from past infection, hope you don’t hurt yourself which is not your fault.

Have you ever have customers that wanting to disable certain service plans in subscription or license? Are you going to manually click person by person to disable? Of course not! Things like these is best to use PowerShell, you could even generate/export a report.

Note:

  1. Don’t call Microsoft Support to identify your service plans because they have no idea and they most likely don’t take your case. Trust me I been there.

 

There are 2 type of command library you could use to extract these information either Azure AD PowerShell or MSOnline PowerShell. Play around with the service get to know which is the service that it belongs to and which service has dependency.

Below the list of service plans for Office 365 Enterprise E3 and E5;

  • I grab the below information using MSOnline PowerShell, this was during the year 2017. I will post up a new update.
Office 365 Enterprise E3
-------------------------
Deskless
FLOW_O365_P3
POWERAPPS_O365_P3
TEAMS1
ADALLOM_S_O365
EQUIVIO_ANALYTICS
LOCKBOX_ENTERPRISE
EXCHANGE_ANALYTICS
SWAY
ATP_ENTERPRISE
MCOEV
MCOMEETADV
BI_AZURE_P2
INTUNE_O365
PROJECTWORKMANAGEMENT
RMS_S_ENTERPRISE
YAMMER_ENTERPRISE
OFFICESUBSCRIPTION
MCOSTANDARD
EXCHANGE_S_ENTERPRISE
SHAREPOINTENTERPRISE
SHAREPOINTWAC

Office 365 Enterprise E5
-------------------------
Deskless (StaffHub)
FLOW_O365_P2 (Flow)
POWERAPPS_O365_P2 (PowerAPPS)
TEAMS1 (MsTeams)
PROJECTWORKMANAGEMENT (Planner)
SWAY (Sway)
INTUNE_O365 (Mobile Device)
YAMMER_ENTERPRISE (Yammer)
RMS_S_ENTERPRISE (Azure Right management)
OFFICESUBSCRIPTION (O365ProPlus)
MCOSTANDARD (Skype For Business)
SHAREPOINTWAC (Office Online)
SHAREPOINTENTERPRISE (SharePoint Online)
EXCHANGE_S_ENTERPRISE (Exchange Online)

Below Microsoft 365 Enterprise E5 using Azure PowerShell;

*the list is too long so I’m just going to show partial only.

Capture

This below is using the MSOnline Powershell;

Capture

 

References:

  1. https://docs.microsoft.com/en-us/office365/enterprise/powershell/view-account-license-and-service-details-with-office-365-powershell
  2. https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolaccountsku?view=azureadps-1.0

 

 

Azure Storage & Office 365 Import PST: Troubleshoot Error “HttpStatusMessage: Bad request”

Hey guys and girls, just hope everyone are good during this Covid-19, movement control. Those that are hospitalize, hope that you recover. Those that have recovered, hope that you don’t face any criticism from others and not fall for Covid-19 again.

Well for IT field workers, our work still continues. In my lab environment, I was testing out Office 365 Import PST feature in Security and Compliance. Personally I feel this is a good feature but there is too much manual work on it.

Note:

Using network upload to import PST files is free.

Check out license plan to have this import feature at the reference below.

So just a brief explanation of what I was performing, in the Office 365 Import PST has 2 option for us on how we want to upload the PST, either network upload (free) or physical (Charges). I choose network upload to upload my PST, it require to use AzCopy command to run the upload. I have a PST that the size is more than 1 GB, and the upload failed with the following error message on the AzCopy console shows “HttpStatusMessage: This request is not authorized to perform this operation using this permission.

At first I thought that there could be limitation on the upload size, due to the given Azure Storage is temporary only. Looking through the documentation it didn’t state any upload limitation. Hence, further research.

The resolution to this was to disable the ATP agent that was in my lab PC, to prevent blocking the upload. Rerun the AzCopy command again to reupload the PST.

If you have any third party or applications that has network control or ATP functionality, would recommend that you disable to avoid this problem happen to you.

 

References:

  1. https://docs.microsoft.com/en-us/microsoft-365/compliance/faqimporting-pst-files-to-office-365?view=o365-worldwide
  2. https://www.microsoft.com/en-us/microsoft-365/business/compare-more-office-365-for-business-plans

Office 365: What to know about Data Investigation?

“A data spill occurs when a document containing confidential, sensitive, or malicious content is released into an untrusted environment. When a data spill is detected, it’s important to quickly contain the environment, assess the size and locations of the spillage, examine user activities around it, and then delete the spilled data from the service. “

If you would like to try this preview out, I highly recommend that you test it out in a new test tenant. Please review the reference below for further explore. 

There is one functionality in this that caught my attention, is it even investigate unsupported files, example, files that are password protected cannot be processed since the files are locked or encrypted. Using error remediation, investigators can download files with such errors, remove the password protection, and upload the remediated files.

How to get to this?

  1. Login to your https://protection.office.com
  2. Scroll to the bottom of the left taskbar
  3. Data Investigation is just after eDiscovery

Capture

Before you could start using this preview, you have to read the Terms of Service and either approve or cancel to proceed. If you cancel, the agreement it will redirect you back to Home tab.

Microsoft takes its preview seriously.

Capture

References:

  1. https://docs.microsoft.com/en-us/microsoft-365/compliance/overview-data-investigations?view=o365-worldwide

How to change Forest Functional Level and Domain Level?

Note:

Make sure you have Enterprise Admin account/permission to run this command and run the PowerShell as Admin. 

If you run into error that you can’t bring up a new Domain Controller due to Operating System is not in the suitable forest functional level, this solution could help you out. RODC is not accepted to run these commands.

I am not sure whether does this require FSMO roles to make the changes towards these functional levels. Hence, I run these commands on the Primary domain controller.

  1. Login to your existing domain controller using an enterprise admin account
  2. Run the Windows PowerShell as Admin
  3. Type in the following command to change the forest functional level
    • #Get Forest level Info
      Get-ADForest
      
      #To Set the forest level
      Set-ADForestMode -ForestMode <Operating System Name>
      
      #Example: Set-ADForestMode -ForestMode Windows2012R2Forest
  4. Type the following command to change the domain level
    • #Get Domain level Info
      Get-ADDomain
      
      #To Set the forest level
      Set-ADDomainMode -DomainMode <Operating System Name>
      
      #Example: Set-ADDomainMode -DomainMode Windows2012R2Forest

 

Would recommend that you study on the difference between Forest Functional Level and Domain level. I would write a blog post about it soon!

 

Azure AD Connect: Error 8344 Permission Issue Insufficient Access Rights to Perform the Operation

If your sync service completed with error and the error code is shown below;

Error 8344: Permission Issue Insufficient Access Rights to Perform the Operation

It means that the service account that you used to add the domain during the wizard setup does not have the correct/necessary permissions.

In the wizard, is this part

Capture

Capture

Note:

Please do take note that this is only for Password Synchronization and Password Writeback, for further extend permission please review the references below.

Step by step;

  1. Provide the necessary permission to the service account
    • Add the service account into the Administrators Group (Built-in OU)
    • At the forest level > Properties > Security > Add > service account
      • Next, select the service account, scroll to the permission and check “Replicate Directory Changes All” and “Replicate Directory Change
      • Due to password writeback will be turn on too, another permission you have to give to this service account is the “Change Password” and “Reset Password” under the Advanced
        • Select the service account > Advanced > Select Add > Select Principal > Service account > Descendent User Objects > Check the box for “Change Password” and “Reset Password”
    • Save your changes
    • Refresh
  2. Head to your AADC server and rerun the synchronization
  3. Check the Sync status whether it is completed without error
  4. The End

 

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions
  2. https://mstechtalk.com/step-by-step-azure-ad-sync-installation-guide-part-1/

 

Appendix:

  1. ADUC – Active Directory Users and Computers
  2. ADS – Active Directory Sync
  3. OU – Organization Unit
  4. AADC – Azure Active Directory Connect

What to take note when establishing trust between Domain Controllers?

Prerequisites to establish trust;

  1. Cannot be a Read-Only Domain Controller
  2. Both source and target domain controllers has to hold the PDC role to establish the trust.
    • Make sure you transfer the fsmo
  3. Both domain controllers must be able to ping each other
    • At target domain controller, Ping <source domain DNS>
    • Ping domain controller IP addresses
  4. Firewall are disable at both domain controllers
  5. Able to Nslookup each other domains

You will fail with an error if the prerequisites are not met;

“The secure channel verification on Active Directory Domain Controller <DC name> of domain <source domain> to <target domain> failed with error: The specified domain either does not exist or could not be contacted.”

 

Format not working. How to reformat USB to its original size?

The format from here doesn’t help to reformat the USB to its original size.

What I mean is this format here: File Explorer > Right click on the USB > Format

Capture

you will see that the format size allow is 32GB only, but your USB  is more than that.

The resolution to this is that you use Disk Management to reformat your USB.

  1. Open Disk Management
  2. You will notice that your USB’s volume has partial that is “Unallocated” and partial is “Used”
  3. Right click on the USB > Delete the Volume
    • Capture
  4. Then the Volume status will become “Unallocated”
  5. Right click on the USB > Select New Volume > Setup the new volume of your USB
  6. The End

Troubleshoot Virtual machines status off-critical problem in Hyper-V

In this case, it was my lab environment, I have an external SSD which is purely just for my lab. I faced this problem is because my laptop reads the external SSD and apply that drive with a different disk letter.

So at first all my virtual Hard Disk are located in disk letter E, this is their original location.

I have multiple USB and external drives so the laptop tends to have a cache of previous used drive. I recently created a bootable USB for another product and when I try to plug in my lab’s external drive, my laptop apply the driver letter as G, I didn’t notice it until I launch my Hyper-V console, the status of my virtual machines are still showing “Off-critical” for quite a long period, refresh also didn’t work. Thus, this causes unable to boot up my virtual machines.

Capture

After some thoughts, I connect one of the virtual machine and see the location/directory of my virtual hard disk and it is pointing to the driver letter E, next I go ahead and launch the file explorer and there my external drive is no longer listed as letter E instead of the letter G.

To resolve this, I launch the “Disk management” console, and change the letter of my external drive from G to E. Head back to my Hyper-V console, my virtual machines are able to boot up and the status “Off-critical” is no longer showing.

Note:

  • Do take note that it requires a requires a reboot of your laptop if you were trying to mimic/simulate this issue.

Capture

There are other reasons that you could face this issue, it could be corrupted drive, or drive is disconnected.

 

Difference of Hyper-V in Legacy Server and Non-Legacy Server (Backup)

To those that wants to perform Live backup or export (to a local drive or external drive) of your virtual machines via Hyper-V, before you jump into that there are few things that you need to take concern of;

  1. Where is your virtual machines located on what server operating system?
  2. Does the server support live backup or export?

What is live backup or export?

  • A live backup or export is where you could run your backup without having to shut down the virtual machines. This require minimal to zero impact or downtime.

 

If your virtual machines are hosted on a legacy server, such as Windows Server 2012 below, you are require to shut down the virtual machines and perform the backup or export. If the virtual machine is not shut down the export button will not be shown to you to perform the backup. However, please do take note that if you were to migrate virtual machines from legacy server to non-legacy server, is best to not use the export feature in the legacy server, please refer the reference below for full explanation and proper way to migrate.

 

If your virtual machines are hosted on a non-legacy server, such as Windows server 2012 and above, then you can perform live backup or export without the need to experiences total downtime. As technology getting more advance this is the benefit to IT admins to perform their tasks without the need to perform after hours, and end users will not experience total downtime.

 

Do also read up and understand when to use checkpoints and when not to use checkpoints. Is basically means snapshots.

 

References:

  1. https://sabrinaksy.wordpress.com/2020/02/20/how-to-migrate-or-import-vm-from-windows-server-2008-r2-to-windows-server-2012-r2/
  2. https://www.petri.com/live-exporting-windows-server-2012-r2-hyper-v-vms
  3. https://blog.workinghardinit.work/2016/06/16/live-export-a-running-virtual-machine-or-a-checkpoint/