Systems
-
Methods to reset an Autopilot device
There are a few different ways to remotely reset a Windows 10/11 device from Intune: wipe, fresh start and Autopilot reset.
The following table summarises the behaviours of each method.
| Method | Usage | OOBE | User data | Intune management | Azure AD enrollment |
|---|---|---|---|---|---|
| Retire/Delete | Get rid of outdated devices | Yes | Keep | Remove | Remove |
| Wipe (keep enrollment) | Reset device to default, remove apps | No | Keep | Keep | Keep |
| Wipe | Reset OS to default. Good for lost/stolen devices and device handover | Yes | Remove | Remove | Remove |
| Fresh Start (keep user data) | Reset device to Signature Edition, remove apps. Update to latest Windows version | No | Keep | Keep | Keep |
| Fresh Start | Reset device to latest Windows Signature Edition. Update to latest Windows version | Yes | Remove | Remove | Keep |
| Autopilot Reset | Reuse a device. Does not support Hybrid Azure AD joined devices | No | Remove | Keep | Keep |
Different Azure AD Join Types
It can take some research and testing to understand the differences between the Azure AD join types.
I summarised some key differences in the following table.
| Difference between | Azure AD registered | Azure AD joined | Hybrid Azure AD joined |
|---|---|---|---|
| Primary audience | Bring your own device (BYOD), mobile devices | Organizational computer | Organizational computer |
| OS | Windows 10, iOS, Android and macOS | Windows 10 devices (except Windows 10 Home); Windows Server 2019 virtual machines running in Azure (except Server Core) | Windows 10, 8.1 and 7; Windows Server 2008/R2, 2012/R2, 2016 and 2019 |
| Device sign-in options | Local account; Windows Hello | Organizational account in Azure AD; Windows Hello for Business | Organizational account in on-prem AD; Windows Hello for Business |
| Sign-in authenticates to | Local computer | Azure AD | On-prem domain controller |
| Device management | MDM (Intune) | MDM (Intune) | MDM (Intune) and Group Policy |
| SSO | SSO to cloud resources | SSO to both cloud and on-premises resources | SSO to both cloud and on-premises resources |
| Self-service password reset | Only for local account | For organizational account at login/lock screen | For organizational account at login/lock screen |

As more and more staff work from home, IT teams start to consider solutions that allow remote identity management without relying on line of sight to domain controllers. So:
- If you want to log in to a computer by authenticating to Azure AD, you will need to unbind the computer from on-prem AD and then bind it to Azure AD. A hybrid Azure AD joined computer will still authenticate to your domain controller.
- Microsoft recommends using the MDM-only approach to manage all Azure AD joined devices, instead of co-management with SCCM.
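The table above is easiest to apply when you can tell which join type a given machine actually has (for instance before attempting an Autopilot Reset, which the first post notes does not support hybrid-joined devices). As an added example that is not part of the original post, the following PowerShell classifies a device from the "Device State" and "User State" fields that dsregcmd /status prints; the function name and the sample output are constructed for illustration.

```powershell
# Added example (not from the post): classify a Windows device's Azure AD join type
# from the YES/NO fields in dsregcmd /status output. Function name is hypothetical.
function Get-JoinTypeFromDsregcmd {
    param([string[]]$StatusText)   # lines of dsregcmd /status output

    # Collect "Key : YES|NO" pairs into a hashtable
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(YES|NO)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aad    = $fields['AzureAdJoined']   -eq 'YES'   # Device State section
    $domain = $fields['DomainJoined']    -eq 'YES'   # Device State section
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'   # User State section

    if ($aad -and $domain) { return 'Hybrid Azure AD joined' }      # still authenticates to on-prem DC
    if ($aad)              { return 'Azure AD joined' }             # authenticates to Azure AD
    if ($wpj)              { return 'Azure AD registered' }         # BYOD, local account sign-in
    if ($domain)           { return 'On-prem domain joined only' }
    return 'Not joined'
}

# Constructed, abbreviated sample output standing in for a hybrid-joined machine
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-JoinTypeFromDsregcmd -StatusText $sample

# On a real Windows 10/11 machine, feed the live output instead
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    Get-JoinTypeFromDsregcmd -StatusText (dsregcmd /status)
}
```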
-
Auto-create Default Outbound NSG for Servers in Azure
Overview
In Azure, a Network Security Group (NSG) is a basic firewall containing a list of security rules.
An NSG can be associated with subnets, individual NICs or both.
By default the outbound rules of a subnet's NSG allow all outbound traffic, which is not secure for servers.
There are discussions [1] [2] on how to limit outbound traffic while still allowing traffic to the Azure infrastructure required by services such as Windows Update.
I found that the existing methods create hundreds of rules which are difficult to maintain. This post introduces a method to create a single rule that allows outbound traffic to all Azure IP ranges.
Implementation
Code – new
The following script uses the Azure PowerShell Az module.
As the Az module does not support a GUI selection (Out-GridView) yet, there are more parameters to set before running it.
# JZ 20190712
# This script creates a rule to allow outbound traffic to all Azure IPs in the selected regions
# Note: before running, delete any existing NSG rule named $ruleName or sitting at priority $priorityNumber

# Parameters
$subscriptionID = "00000000-aaaa-bbbb-cccc-0000000000"
$selectedRegions = "australiaeast","australiasoutheast","australiac","australiac2"
$rgName = "Resource-group-name"
$nsgName = "network-security-group-name"
$ruleName = "Allow_Outbound_to_Azure_IPs"
$priorityNumber = 200

# Sign in with Azure account credentials
Connect-AzAccount

# Select Azure subscription
Select-AzSubscription -SubscriptionId $subscriptionID

# Download current list of Azure public IP ranges
# See https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653 for latest list
$downloadUri = "https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653"
$downloadPage = Invoke-WebRequest -Uri $downloadUri
# The download page links to the current XML file; take the first link whose URL contains "PublicIps"
$xmlFileUri = ($downloadPage.RawContent.Split('"') -like "https://*PublicIps*")[0]
$response = Invoke-WebRequest -Uri $xmlFileUri

# Get list of regions & public IP ranges
[xml]$xmlResponse = [System.Text.Encoding]::UTF8.GetString($response.Content)
$regions = $xmlResponse.AzurePublicIpAddresses.Region
$ipRange = ( $regions | Where-Object Name -In $selectedRegions ).IpRange

# Combine all IPs
# They need to be in an array format to use NSG augmented security rules
$all_subnets = ""
ForEach ($subnet in $ipRange.Subnet) {
    $all_subnets += $subnet
    $all_subnets += ","
}
$all_subnets = $all_subnets.TrimEnd(",")
$test = $all_subnets.Split(",")

# Add the NSG rule (one augmented rule carrying every selected prefix)
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $ruleName `
    -Access Allow -Protocol * -Direction Outbound -Priority $priorityNumber `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $test -DestinationPortRange *
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
Code – old
The following script uses the Azure PowerShell AzureRM module.
Adjust the 3 parameters before running it.
# JZ 20180810
# This script creates a rule to allow outbound traffic to all Azure IPs
# Note: before running, delete any existing NSG rule named $ruleName or sitting at priority $priorityNumber

# Parameters
$nsgName = "VLAN-webDMZ-Security-Group"
$ruleName = "Allow_Outbound_to_Azure_IPs"
$priorityNumber = 200

# Sign in with Azure account credentials
Login-AzureRmAccount

# Select Azure subscription
$subscriptionId = (Get-AzureRmSubscription |
    Out-GridView -Title "Select an Azure Subscription ..." -PassThru).SubscriptionId
Select-AzureRmSubscription -SubscriptionId $subscriptionId

# Select Azure resource group
$rgName = (Get-AzureRmResourceGroup |
    Out-GridView -Title "Select an Azure Resource Group ..." -PassThru).ResourceGroupName

# Download current list of Azure public IP ranges
# See https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653 for latest list
$downloadUri = "https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653"
$downloadPage = Invoke-WebRequest -Uri $downloadUri
$xmlFileUri = ($downloadPage.RawContent.Split('"') -like "https://*PublicIps*")[0]
$response = Invoke-WebRequest -Uri $xmlFileUri

# Get list of regions & public IP ranges
[xml]$xmlResponse = [System.Text.Encoding]::UTF8.GetString($response.Content)
$regions = $xmlResponse.AzurePublicIpAddresses.Region

# Select Azure regions for which to define NSG rules
$selectedRegions = $regions.Name |
    Out-GridView -Title "Select Azure Datacenter Regions ..." -PassThru
$ipRange = ( $regions | Where-Object Name -In $selectedRegions ).IpRange

# Combine all IPs
# They need to be in an array format to use NSG augmented security rules
$all_subnets = ""
ForEach ($subnet in $ipRange.Subnet) {
    $all_subnets += $subnet
    $all_subnets += ","
}
$all_subnets = $all_subnets.TrimEnd(",")
$test = $all_subnets.Split(",")

# Add the NSG rule
$nsg = Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName
Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $ruleName `
    -Access Allow -Protocol * -Direction Outbound -Priority $priorityNumber `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $test -DestinationPortRange *
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
After running the code
After defining these Azure-related outbound rules, you may need to add some additional rules to permit outbound access to other legitimate non-Azure services, such as
- public DNS servers
- email services
- kms.core.windows.net:1688
- APIs
- any other endpoints that your applications need to access
Then create a rule at the end of the NSG (lowest priority) to deny all remaining outbound traffic.
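As an added example that is not the post's own script, the following Az PowerShell adds the follow-up rules described above (public DNS, KMS activation on port 1688) and the closing deny-all outbound rule, then prints the outbound rule order for review. It assumes Connect-AzAccount has already been run; the resource group and NSG names are placeholders and the two resolver addresses are example values to replace with your own.

```powershell
# Added example (not the post's script): follow-up rules after Allow_Outbound_to_Azure_IPs.
# Assumes the Az module is installed and Connect-AzAccount has already been run.
$rgName  = "Resource-group-name"          # placeholder
$nsgName = "network-security-group-name"  # placeholder

# Example resolvers; replace with the ones your servers actually use
$publicDnsServers = @("8.8.8.8", "1.1.1.1")

# NSG rules take IPs, CIDRs or service tags, never hostnames, so resolve the KMS
# endpoint at run time. Re-run this script if the resolved address changes.
$kmsAddresses = [System.Net.Dns]::GetHostAddresses("kms.core.windows.net") |
    Where-Object { $_.AddressFamily -eq "InterNetwork" } |
    ForEach-Object { $_.IPAddressToString }

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

# Allow rules sit above the deny; leave gaps in the priorities for later additions
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow_Outbound_DNS" `
    -Access Allow -Protocol * -Direction Outbound -Priority 300 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $publicDnsServers -DestinationPortRange 53 | Out-Null

$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow_Outbound_KMS" `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 310 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $kmsAddresses -DestinationPortRange 1688 | Out-Null

# Explicit deny at the lowest custom priority (4096). Custom rules are evaluated
# before the built-in AllowInternetOutBound default rule at 65001, so any
# destination not matched by an Allow rule above is now blocked.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Deny_All_Outbound" `
    -Access Deny -Protocol * -Direction Outbound -Priority 4096 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange * | Out-Null

# Commit, then show the effective outbound order before anything relies on it
$nsg = $nsg | Set-AzNetworkSecurityGroup
$nsg.SecurityRules |
    Where-Object Direction -eq "Outbound" |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, DestinationAddressPrefix, DestinationPortRange
```

Test from one VM in the subnet (name resolution, activation, an Azure endpoint and a non-Azure address) before associating the NSG with production subnets, because the deny rule also blocks anything you forgot to allow.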
Reference
[1] https://blogs.technet.microsoft.com/keithmayer/2016/01/12/step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell/
[2] https://serverfault.com/questions/888645/nsg-block-all-outbount-internet-traffic
-
Exchange – “send as” and “send on behalf” records
In Exchange 2010 and 2013, when you configure "send as" and "send on behalf" for a mailbox or shared mailbox, by default the sent emails are only copied to the sender's Sent Items folder, not to the mailbox they were sent from.
If multiple people have access to the same mailbox or shared mailbox, they may want to see the emails/replies sent by the others so that they are aware of the status of the conversation.
To copy sent emails to both the sender's mailbox and the From mailbox:
# Exchange 2010 (SP2 RU4 or later): per-mailbox sent-items configuration
Set-MailboxSentItemsConfiguration JZ@example.com -SendAsItemsCopiedTo SenderAndFrom
# Exchange 2013 (CU9 or later): the same setting lives on Set-Mailbox
Get-Mailbox JZShared | Set-Mailbox -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true