AADSTS165000 after enabling Modern Auth in Exchange Online

If you enable Modern Auth in Exchange Online with Set-OrganizationConfig -OAuth2ClientProfileEnabled $true, and then start seeing this error in Office 2016 or 2013 clients:

AADSTS165000: Invalid request: the request tokens do not match the user context. One or more of the user context values (cookies; form fields; headers) were incorrect or invalid, these values should not be copied between requests or user sessions; always maintain ALL of the supplied values across a complete single user flow. Failure reasons:[Token is invalid;]

You need to re-activate Office.

Automatically bitlocker Windows 10 MDM Intune Azure AD Joined devices

I recently ran into an article by Pieter Wigleven, based on an original idea of Jan Van Meirvenne that I simply have to share, and expand upon.

When you go cloud first, and do light MDM management of your Azure AD Joined Windows 10 devices, you will likely enable a BitLocker policy in Intune. What you’ll quickly discover is that your policy will not automatically enforce/enable BitLocker on non-InstantGo capable devices.

So, I expanded upon Jan and Pieter’s script to automatically enable BitLocker on Windows 10; it has additional error handling and local logging, and it will eject removable drives before it starts encrypting your system drive immediately (rather than after a reboot). Once encryption has started, it will register your recovery key in Azure AD. Of course, all credit for the original idea goes to Jan van Meirvenne.

Powershell source file

enableBitlockerAndRegisterInAAD.ps1 (right click, save as)

MSI file

enableBitlockerAndRegisterInAAD_v0.2.msi (right click, save as)

As Intune won’t let you deploy a PowerShell script, I’ve also wrapped the script in an MSI file with Advanced Installer for you. What this will do:

  1. Deploy the PS1 file to the machine
  2. Register a scheduled task to run this PS1 file at each logon
  3. Kick off the scheduled task once so a first reboot isn’t required

Advanced installer package (.aip)

enableBitlockerAndRegisterInAAD.zip (right click, save as)

Requirements

  1. Windows 10, AzureAD Joined
  2. TPM chip
  3. User should be local admin
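
The core flow described above (check the TPM, start encryption without waiting for a reboot, then escrow the recovery key to Azure AD), as an added example; this is not the linked enableBitlockerAndRegisterInAAD.ps1. The log path and the Write-Log helper are hypothetical, and ejecting removable drives is left out.

```powershell
#Requires -RunAsAdministrator
# Added example, not the linked script. Assumes the BitLocker and TrustedPlatformModule
# modules that ship with Windows 10, on an Azure AD joined device.
$ErrorActionPreference = 'Stop'
$mount   = $env:SystemDrive
$logFile = Join-Path $env:ProgramData 'EnableBitLocker.log'   # hypothetical log path

function Write-Log([string]$Message) {
    # Log protector IDs and status only, never the recovery password itself.
    '{0:u} {1}' -f (Get-Date), $Message | Add-Content -Path $logFile
}

try {
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM is missing or not ready' }

    $volume = Get-BitLockerVolume -MountPoint $mount
    if ($volume.VolumeStatus -eq 'FullyDecrypted') {
        # -SkipHardwareTest starts encryption now instead of after a reboot-time hardware test.
        Enable-BitLocker -MountPoint $mount -TpmProtector -SkipHardwareTest -UsedSpaceOnly | Out-Null
        Write-Log "Encryption started on $mount"
    }

    # Make sure a recovery password exists; Out-Null keeps it off the console and out of transcripts.
    $volume = Get-BitLockerVolume -MountPoint $mount
    if (-not ($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
        $volume = Get-BitLockerVolume -MountPoint $mount
    }

    # Escrow every recovery password protector to Azure AD.
    $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $_.KeyProtectorId | Out-Null
        Write-Log "Recovery protector $($_.KeyProtectorId) backed up to Azure AD"
    }
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    throw
}
```

Because the scheduled task runs at every logon, the checks on volume status and existing protectors keep repeat runs from adding duplicate recovery passwords.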

O365Migrator v0.99 released!

An import bugfix and two new features:

  • bugfix: if a homedir fails to upload, the document library’s versioning setting would stay disabled
  • if you’re uploading homedirectories, the script will attempt to set the author/editor of all files to the owner of the homedirectory (thanks for the idea Sean!)
  • new ‘unAuthorize’ button, to remove admin permissions from homedirectories after the migration

Get it here

Deploying the new Onedrive Next Generation Sync client as MSI through Intune to Windows 10

Onedrive for Business’s client, the new Next Generation Sync client, is awesome. Obviously.

So you want it on your devices, but Microsoft distributes it as an .exe. Nasty, because I want to manage Windows 10 as mobile devices through Intune, and that only allows me to distribute as MSI.

I created an MSI for Onedrive for Business’s Next Generation Client using Advanced Installer. Because I’m not allowed to redistribute Microsoft’s .exe, this MSI downloads the .exe from Microsoft’s website and uses /silent and /takeover as installation switches.

GroupSync v0.56 available!

Version 0.56 is out, changes since v0.50:

  • prevent running twice (if scheduled task hangs for some reason)
  • send email notification if logfile is locked
  • replace add-adgroupmember and remove-adgroupmember with set-adgroup because of a known bug in these commands
  • multi-delete protection
  • auto reconnect to Exchange Online when the connection times out + longer timeout
  • additional filtering method for groups: extensionAttribute2
    • If you want to use this instead of the displayName prefix filter, read up on how to switch

Get it here

Azure Active Directory Connect with Multiple Source Forests: The specified domain does not exist or cannot be contacted

Configuring a multi forest sync solution for a single Office 365 tenant is pretty straightforward, but there are a few small gotchas:

1. DNS resolution is critical; adding a few hosts file entries won’t do the trick. Use a (conditional) forwarder to a DC for each forest
2. Ensure the proper firewall ports are open
3. Ensure you type your login in the NetBIOS format and include the suffix, e.g. LIEBEN.NU\Admin; using LIEBEN\Admin will fail

If you don’t, you’ll probably run into this error:

[ERROR] Caught exception while validating the domain credentials and retrieving domain FQDN of the specified user XXXX.XXX\Admin.
Exception Data (Raw): System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The specified domain does not exist or cannot be contacted.
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at Microsoft.Online.Deployment.Framework.Providers.ActiveDirectoryProvider.ValidateUserCredentials(String domainName, String username, SecureString password, String& domainFqdn)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigSyncDirectoriesPageViewModel.ValidateADDirectoryConnection(DirectoryConnectionViewModel connection)
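
A pre-flight check for the first two gotchas, run from the sync server before starting the wizard, as an added example (not part of Azure AD Connect). The forest names are constructed placeholders, Test-ForestReachability is a hypothetical helper, and the port list is an assumption based on the commonly documented domain controller ports, since the page does not list them.

```powershell
# Added example. Forest names are constructed placeholders; replace with your own.
$forests = 'forest-a.example', 'forest-b.example'
# Assumed port set: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, LDAPS.
# The dynamic RPC range is not covered here.
$ports   = 53, 88, 135, 389, 445, 636

function Test-ForestReachability {
    param([string[]]$Forest, [int[]]$Port)
    foreach ($f in $Forest) {
        # DC location relies on SRV records, which a hosts file cannot provide.
        $srvName = "_ldap._tcp.dc._msdcs.$f"
        $srv = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            [pscustomobject]@{ Forest = $f; Target = $srvName; Port = 53; Result = 'SRV lookup failed' }
            continue
        }
        foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
            foreach ($p in $Port) {
                # TCP only; DNS and Kerberos also use UDP, which this does not test.
                $open = Test-NetConnection -ComputerName $dc -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
                $result = if ($open) { 'open' } else { 'blocked or closed' }
                [pscustomobject]@{ Forest = $f; Target = $dc; Port = $p; Result = $result }
            }
        }
    }
}

Test-ForestReachability -Forest $forests -Port $ports | Format-Table -AutoSize
```

A forest that reports "SRV lookup failed" points at the missing (conditional) forwarder; any "blocked or closed" row points at the firewall.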

Onedrive Files On Demand is finally coming!

I’ve been ‘mentioning’ it a few times here and there, wasn’t allowed to say too much… but now it is finally public: coming before the end of the year, Onedrive will have a sync on demand feature, no longer requiring local storage on your device!

It will allow all of us OnedriveMapper users to switch to a fully supported Microsoft solution for Windows 10 users.

Quirky thing is, Windows 7 and 2008 / 2012 R2 are not in scope. Possibly another good one to vote on at uservoice 🙂

Azure Runbooks and Write-Progress

If you use Azure Runbooks, but develop scripts locally first, you may like to display progress indicators to yourself with Write-Progress when handling large amounts of records / data.

Be sure to parameterise this, because if you use Write-Progress in an Azure Runbook, it will seriously slow your runbook down, increasing the cost, and if there are over 4000 Write-Progress calls the runbook will hang and crash.
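
One way to parameterise it, as an added example: progress is opt-in through a switch, and the number of Write-Progress calls is capped well below 4000 even when the switch is on. Invoke-RecordProcessing, its parameters and the sample record range are hypothetical names for illustration.

```powershell
function Invoke-RecordProcessing {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [switch]$ShowProgress,          # off by default, so a runbook never calls Write-Progress
        [int]$MaxUpdates = 100          # cap on Write-Progress calls, far below 4000
    )
    $total   = $Records.Count
    # Update only every Nth record so the call count stays near $MaxUpdates.
    $every   = [math]::Max(1, [int][math]::Ceiling($total / $MaxUpdates))
    $updates = 0
    for ($i = 1; $i -le $total; $i++) {
        if ($ShowProgress -and ($i % $every -eq 0 -or $i -eq $total)) {
            $pct = [int][math]::Floor(100 * $i / $total)
            Write-Progress -Activity 'Processing records' -Status "$i of $total" -PercentComplete $pct
            $updates++
        }
        $null = $Records[$i - 1]        # placeholder for the real per-record work
    }
    if ($ShowProgress) { Write-Progress -Activity 'Processing records' -Completed }
    [pscustomobject]@{ Processed = $total; ProgressUpdates = $updates }
}

# Local development: Invoke-RecordProcessing -Records (1..25000) -ShowProgress
# In the runbook:    Invoke-RecordProcessing -Records (1..25000)
```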