AADSTS165000 after enabling Modern Auth in Exchange Online

June 23, 2017 Jos Leave a comment

If you enable Modern Auth in Exchange Online with Set-OrganizationConfig -OAuth2ClientProfileEnabled $true , and then start seeing this error in Office 2016 or 2013 clients:

AADSTS165000: Invalid request: the request tokens do not match the user context. One or more of the user context values (cookies; form fields; headers) were incorrect or invalid, these values should not be copied between requests or user sessions; always maintain ALL of the supplied values across a complete single user flow. Failure reasons:[Token is invalid;]

You need to re-activate Office.

Automation, EMS, Intune, Powershell, Security

Automatically bitlocker Windows 10 MDM Intune Azure AD Joined devices

June 14, 2017 Jos 2 Comments

I recently ran into an article by Pieter Wigleven, based on an original idea of Jan Van Meirvenne that I simply have to share, and expand upon.

When you go cloud first, and do light MDM management of your Azure AD Joined Windows 10 devices, you will likely enable a Bitlocker policy in Intune. What you’ll quickly discover, is that your policy will not automatically enforce/enable Bitlocker on non-InstantGo capable devices.

So, I expanded upon Jan and Pieter’s script to automatically enable Bitlocker on Windows 10; it has additional error handling, local logging and it will eject removable drives prior to immediately (vs reboot) encrypting your system drive. After this is started, it will register your recovery key in AzureAD. Of course all credit for the original idea goes to Jan van Meirvenne.

Powershell source file

enableBitlockerAndRegisterInAAD.ps1 (right click, save as)

MSI file

enableBitlockerAndRegisterInAAD_v0.2.msi(right click, save as)

As Intune won’t let you deploy a Powershell script, I’ve also wrapped the script in an MSI file with Advanced Installer for you. What this will do;

Deploy the PS1 file to the machine
Register a scheduled task to run this PS1 file at logon each time
Kick off the scheduled task once so a first reboot isn’t required

Advanced installer package (.aip)

enableBitlockerAndRegisterInAAD.zip (right click, save as)

Requirements

Windows 10, AzureAD Joined
TPM chip
User should be local admin

O365Migrator

O365Migrator v0.99 released!

May 30, 2017 Jos Leave a comment

An import bugfix and two new features:

bugfix: if a homedir fails to upload, the document library’s versioning setting would stay disabled
if you’re uploading homedirectories, the script will attempt to set the author/editor of all files to the owner of the homedirectory (thanks for the idea Sean!)
new ‘unAuthorize’ button, to remove admin permissions from homedirectories after the migration

Get it here

EMS, Intune, OneDrive for Business, Powershell

Deploying the new Onedrive Next Generation Sync client as MSI through Intune to Windows 10

May 29, 2017 Jos Leave a comment

Onedrive for Business’s client, the new Next Generation Sync client, is awesome. Obviously.

So you want it on your devices, but Microsoft distributes it as .exe. Nasty, because I want to manage Windows 10 as mobile devices through Intune, and that only allowes me to distribute as MSI.

I created an MSI for Onedrive for Business’s Next Generation Client using Advanced Installer. Because I’m not allowed to redistribute Microsoft’s .exe, this MSI downloads the .exe from Microsoft’s website, it uses /silent and /takeover as installation switches. Continue reading Deploying the new Onedrive Next Generation Sync client as MSI through Intune to Windows 10 →

Office 365, Security

SecureScore of your Office 365 environment

May 22, 2017 Jos Leave a comment

Have you tried https://securescore.office.com yet?

You should 🙂

Automation, O365GroupSync, Office 365, Powershell

GroupSync v0.56 available!

May 22, 2017 Jos Leave a comment

Version 0.56 is out, changes since v0.50:

prevent running twice (if scheduled task hangs for some reason)
send email notification if logfile is locked
replace add-adgroupmember and remove-adgroupmember with set-adgroup because of a known bug in these commands
multi-delete protection
auto reconnect to Exchange Online when the connection times out + longer timeout
additional filtering method for groups: extensionAttribute2
- If you want to use this instead of the displayName prefix filter, read up on how to switch

Get it here

OneDriveMapper

OnedriveMapper v3.08 released!

May 21, 2017 Jos 11 Comments

Version 3.08 of OneDriveMapper has been released!

Modified folder redirection into three seperate options (mydocs, favorites, desktop)
Fixed a onetime crash after the auto updater runs
redirectMyDocsTo renamed to redirectToSubfolderName
Minor bug/performance fixes

Get the new version here

Identity

Azure Active Directory Connect with Multiple Source Forests: The specified domain does not exist or cannot be contacted

May 15, 2017 Jos Leave a comment

Configuring a multi forest sync solution for a single Office 365 tenant is pretty straightforward, but there are a few small tiny gotcha’s:

1. DNS resolution is critical, adding a few host file entries won’t do the trick, use a (conditional) forwarder to a DC for each forest
2. Ensure the proper firewall ports are open
3. Ensure you type your login in the netbios format and include the suffix, e.g.: LIEBEN.NU\Admin, using LIEBEN\Admin will fail

If you don’t, you’ll probably run into this error:

[ERROR] Caught exception while validating the domain credentials and retrieving domain FQDN of the specified user XXXX.XXX\Admin.
Exception Data (Raw): System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The specified domain does not exist or cannot be contacted.
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at Microsoft.Online.Deployment.Framework.Providers.ActiveDirectoryProvider.ValidateUserCredentials(String domainName, String username, SecureString password, String& domainFqdn)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigSyncDirectoriesPageViewModel.ValidateADDirectoryConnection(DirectoryConnectionViewModel connection)

Office 365, OneDrive for Business, OneDriveMapper

Onedrive Files On Demand is finally coming!

May 15, 2017 Jos 9 Comments

I’ve been ‘mentioning’ it a few times here and there, wasn’t allowed to say too much….but now it is finally public, coming before the end of the year Onedrive will have a sync on demand feature, no longer requiring local storage on your device!

It will allow all of us OnedriveMapper users to switch to a fully supported Microsoft solution for Windows 10 users.

Quirky thing is, Windows 7 and 2008 / 2012 R2 are not in scope. Possibly another good one to vote on at uservoice 🙂

Azure

Azure Runbooks and Write-Progress

May 1, 2017 Jos Leave a comment

If you use Azure Runbooks, but develop scripts locally first…you may like to display progress indicators to yourself when handling large amounts of records / data with Write-Progress.

Be sure to parameterise this, because if you use Write-Progress in an Azure Runbook, it will seriously slow your runbook down, increasing the cost, and if there are over 4000 write-progress calls the runbook will hang and crash.

Liebensraum