Need to Know podcast–Episode 190

Brenton and I take an opportunity to get you up to date ahead of Microsoft Ignite on all the latest news in the Microsoft Cloud. We have some news about SharePoint and Outlook as well as some changes to Windows 7 support. Brenton also suggests that maybe we need a dedicated episode on PowerShell. What do you think? Let us know.

Take a listen and let us know what you think –feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-190-cloud-updates/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

New Outlook on the web

Helping customers shift to a modern desktop

Microsoft Ignite

Microsoft Teams data residency

Windows 7 monthly update charge

PowerShell basics

Initial set up of an Office 365 PowerShell environment

CIAOPS Learn

CIAOPS Patron

Auditing Office 365 logins

Using Azure Automation to schedule mailbox checks

Introduction to Windows Autopilot

Microsoft has introduced a new technology called Windows Autopilot that allows you to deploy Windows 10 Professional and Enterprise machines with nothing more than an Internet connection and the user's credentials.

A good way to get a feel of how all this works in practice is to use a Virtual Machine (VM) as a test bed which is what I’ll show you here.

The first thing is that you are going to need to get some information about the machine so that it can be recognised by Windows Autopilot when it is provisioned. Normally, this information will be provided directly by the manufacturer of the PC, but here’s how it actually works behind the scenes.

For this test process we start by running up a new, clean virtual machine with Windows 10 Professional installed.

Once the machine is running (we don’t need to worry about connecting to Azure or a domain just yet), we need to run PowerShell as an administrator so we can extract the required information.

image

The first command to run is actually the legacy WMI command-line tool rather than a PowerShell cmdlet, but it runs fine from the elevated PowerShell prompt:

wmic bios get serialnumber

Record the serial number it produces. (The PowerShell equivalent, if wmic is not available on your build, is (Get-CimInstance Win32_BIOS).SerialNumber.)

image

Next, run the PowerShell command:

Get-ItemPropertyValue "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey\" "ProductId"

Once again, record the value that is output.

image

Finally, run these two commands:

$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"

$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"

This writes the device's hardware hash to a text file named after the computer. The "hash" is a base64-encoded blob of hardware identifiers that Autopilot uses to recognise the device when it boots; it is not a cryptographic digest you could reproduce by hand, and it only comes back when PowerShell is running as administrator.

image

This file will be written to the current directory of the PowerShell session. When PowerShell is started as administrator this is c:\windows\system32 by default; give Out-File a full path if you want it somewhere more convenient.

image

If you open the text file created (which has the name of the machine) it should appear like that shown above.

image

With all the information safely recorded, you can now run SYSPREP to generalise the machine (sysprep /generalize /oobe /shutdown) or simply blow away the installed copy of Windows. Keep the actual VM, and do not change its virtual hardware: the hardware hash you just captured is tied to that configuration and the machine will not be recognised during the coming provisioning process if it changes.

image

You now need to create a .CSV file to upload so that the machine can be identified at boot and provisioned. You can see the format of the file above.

The machine registration file has at least 2 lines. The first is a heading line with exactly three comma-separated columns, no spaces around the commas:

Device Serial Number,Windows Product ID,Hardware Hash

The second line holds the three results from your PowerShell commands above, in that order, separated by commas. Add one further line per device if you are registering several at once.

Ensure that you save the file as .CSV not .TXT, and that the header is spelt exactly as shown, otherwise the upload will be rejected!
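The whole collection step in one script, as an added example that is not part of the original post: it gathers the three values the steps above take one at a time, checks none of them is empty, and writes the CSV in the documented three-column format. The output path is a placeholder of my own choosing.

```powershell
# Added example (not from the original post): collect the serial number,
# product ID and hardware hash and write them as an Autopilot CSV in one step.
# Run from an elevated PowerShell prompt on the machine being registered.
# Assumption: $OutputFile is a placeholder path; change it to suit.

$OutputFile = Join-Path $env:TEMP "$($env:COMPUTERNAME)-autopilot.csv"

# 1. BIOS serial number. Same value as 'wmic bios get serialnumber', but wmic
#    is deprecated, so use the CIM cmdlet instead.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# 2. Windows product ID from the registry.
$productId = Get-ItemPropertyValue `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey' `
    -Name 'ProductId'

# 3. Hardware hash from the MDM bridge WMI provider (needs elevation).
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $devDetail.DeviceHardwareData

# Sanity checks: an empty field here means a rejected upload later.
if ([string]::IsNullOrWhiteSpace($serial))    { throw 'No BIOS serial number found.' }
if ([string]::IsNullOrWhiteSpace($productId)) { throw 'No Windows product ID found.' }
if ([string]::IsNullOrWhiteSpace($hash))      { throw 'No hardware hash returned. Is PowerShell running as administrator?' }

# Export-Csv would quote every field; the portal expects the plain
# three-column layout, so write the header and data line directly.
$lines = @(
    'Device Serial Number,Windows Product ID,Hardware Hash',
    ('{0},{1},{2}' -f $serial, $productId, $hash)
)
Set-Content -Path $OutputFile -Value $lines -Encoding ASCII

Write-Host "Autopilot registration file written to $OutputFile"
Write-Host ("Serial: {0}  ProductId: {1}  Hash length: {2} chars" -f $serial, $productId, $hash.Length)
```

The hash is several thousand characters long, which is normal; a very short or empty value is the usual sign that the provider was queried without elevation. Treat the finished file with some care: anyone who can upload it can register the device to their own tenant.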

You’ll now need to upload this file to the web. Navigate to:

https://businessstore.microsoft.com/

and sign in there with a global administrator account for your tenant. This will typically be a tenant with Microsoft 365 licenses assigned.

image

Once logged in the screen should appear like that shown above. Select the Manage option from the menu across the top of the page.

image

This should then take you to a screen like shown above. From the menu on the left hand side select Devices.

image

If this is the first device you’ve added to Windows Autopilot, you won’t see any existing devices.

Select the + Add devices menu option just under the Search devices box.

image

Navigate to the location of the .CSV file you created earlier that contains the information about your test VM. Select the file to upload it to the portal.

image

Since there are currently no deployment groups you’ll be asked to add a new one as shown above. Simply enter a group name and select Add.

image

The file should successfully upload to the portal and you’ll see a message telling you that it is being currently processed and you should refresh your screen to see the progress.

image

When the process is complete, you'll get a happy green bar across the top and you'll also see your machine listed below as shown above.

image

You’ll now need to create a profile for the deployment of Windows. Select the menu option AutoPilot deployment from the menu just above the list of devices as shown. From the menu that appears select Create new profile.

image

Give the new profile a name (here Test-Policy) and select any other desired settings.

Select the Create button when complete.

image

That will take you back to the list of devices. You’ll now need to apply the new profile you just created to the machine you have just added.

To do this, select the machine from the list.

image

Then select the option to Apply the appropriate profile.

Most of what we have just done will actually be done by the PC supplier down the track. They will basically get the details of each PC prior to shipment and upload that into the portal where you can then create and apply policies. We have stepped through the whole process here because we are using a virtual machine and to show you what actually happens.

The idea at this point is the new Windows 10 machine is shipped out to the end user. The only requirement the user needs to have is their Office 365 login details plus an Internet connection.

image

If we now boot the sysprepped VM again it will run through setup to a point and then ask the user to confirm their regional preference.

Make a selection and press Yes.

image

They will then be prompted for a keyboard layout.

Make a selection and press Yes.

image

The user will also be prompted for any additional keyboard configuration. In most cases the user will select Skip here.

At this point the new machine will check whether it is connected to the Internet. If it detects a wifi network it will prompt the user to connect. This means the machine can be provisioned ANYWHERE there is an Internet connection (e.g. at home, at a coffee shop, etc). It doesn't need to be connected to the corporate LAN.

image

The next prompt will ask the user to login with their Office 365 account. This is their Azure AD account which is the same as they use to login to the Office 365 portal.

image

The user will now be prompted for their password.

image

The machine will now add itself to the Office 365 Azure AD and apply any policies that have been configured. I’ll cover the deployment of custom policies and application deployment in another article.

image

After a few moments the user will be logged into the Windows 10 machine and the desktop will display the information from their Office 365 account as shown above.

image

You will also find that the machine has been joined to Azure AD as shown above.

image

If you dig into the user accounts on the machine you will find that no additional local accounts have been enabled and the user is not a local administrator, which is what we elected back when we set up the initial AutoPilot profile in the portal.

image

Now, thanks to Windows Autopilot, we have quickly and easily deployed a new Windows 10 machine without the need for administrative intervention (such as joining to a domain). This machine is now directly connected to Azure AD and any Office 365 user can now login.

Although this process has been done using a virtual machine it can be done with any Windows 10 Pro or Enterprise machine. The main requirement is to get the machine information into the web portal so that it can be identified and provisioned at boot. Obtaining that information is as simple as a few PowerShell commands so you can try it for yourself to get a feel of how well it works.

For more information on Windows Autopilot visit – https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot

Look Ma, SBS running on Azure

image

One of the challenges I set myself when I first started using Azure was to get Windows Small Business Server (SBS) working in Azure IaaS. Happily, I can announce that today I have achieved that goal, as the image above hopefully demonstrates.

Why did I do this? Apart from the technical challenge I wanted to have a typical on premises SMB ‘legacy’ environment in Azure for testing, labs, training and migration scenarios. I am not planning to use it in production and STRONGLY recommend that SBS should no longer be run in production for many reasons anywhere, including on premises. I appreciate this is bordering on heresy for some, but I stand by the fact that you need to be off SBS. 

That said, I do appreciate that there are people out there running it and some may even be considering moving SBS onto the cloud. Although I would never recommend you do that in production, I can tell you that it is 100% possible with Azure. This, to me, demonstrates the flexibility and power Azure provides as well as its ability to solve just about any IT challenge you throw at it.

So, if you wanna know how I did it, just ask me.

Azure Nested Virtualization

One of the things that Azure VMs currently don’t seem to allow is the ability to login to machines using just Azure AD credentials. So, how to overcome this issue but remain totally cloud based?

The solution is to use nested virtualisation in Azure which Microsoft recently announced here:

Nested Virtualization in Azure

Nested virtualization is only available on specific VM sizes (see the above link for details). One of these is the Ev3 series, which is currently not available in every region.

image image

Just for comparison, I looked at my usual ‘go to’ machine (a DS2_v2) and the supported E2S_V3. As you can see from the above the E2S_V3 is far better value, being cheaper and having more RAM.

This made me think that perhaps I should convert some of my stand alone test VMs into guest VMs in a nested arrangement. As long as I only use these machines together the compute cost would only be for the single host VM on which the multiple guests are running rather than multiple individual Azure VMs. Hmm…something to consider down the track.

image

So I ran up an E2s_v3 in the West US 2 region with Windows Server 2016 Datacenter in the standard manner.

Once the server was up I simply went in and added the Hyper-V role as you would with any Windows Server.

image

The feature installed and when complete I rebooted the server as required.

image

After the reboot I had access to Hyper-V Manager as you can see above, as with any Windows Server.

image

I now needed to create an internal Hyper-V virtual switch with NAT behind it, so that guests connected to the switch could reach the Internet through the host's own network connection.

To do this I needed to run 3 lines of PowerShell:

New-VMSwitch -SwitchName "NATSwitch" -SwitchType Internal

New-NetIPAddress -IPAddress 192.168.0.1 -PrefixLength 24 -InterfaceAlias "vEthernet (NATSwitch)"

New-NetNAT -Name "NATNetwork" -InternalIPInterfaceAddressPrefix 192.168.0.0/24

You can alter the IP addresses to suit. The host address (192.168.0.1 here) becomes the default gateway for the guests, and a host can only have one NAT object per address range.

image

Once this is complete, if I now look in Hyper-V Manager I see a new virtual switch as shown above. I'll connect the network cards of my VMs to this switch.

At this point I’ll need to assign the IP addresses to my virtual machines manually. I can configure an appropriate DHCP server if I want but I’ll leave that for a future article.

image

So now I just create a VM on this server as I would normally. In this case I chose a Windows 10 Preview edition.

image

When complete I need to set a static IP until I get the DHCP server operating.
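The host-side NAT setup and the guest's static address, combined into one re-runnable script, as an added example that is not part of the original post. It repeats the three NAT commands above but skips any step that has already been done, attaches the guest's adapter to the switch, and then sets the guest's static IP over PowerShell Direct so no guest networking is needed before the guest has an address. The VM name, guest credentials, DNS server and the 192.168.0.0/24 range are placeholders I chose.

```powershell
# Added example (not from the original post): idempotent NAT switch setup on
# the Azure host plus static IP configuration of the guest via PowerShell Direct.
# Assumptions: $VmName, $GuestDns and the 192.168.0.0/24 range are placeholders.

$SwitchName = 'NATSwitch'
$NatName    = 'NATNetwork'
$HostIp     = '192.168.0.1'      # host side of the switch; guests' default gateway
$Prefix     = '192.168.0.0/24'
$VmName     = 'Win10-Guest'      # hypothetical guest VM name
$GuestIp    = '192.168.0.10'
$GuestDns   = '8.8.8.8'          # any resolver reachable from the host

# 1. Internal switch, created only if it does not already exist.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -SwitchName $SwitchName -SwitchType Internal | Out-Null
}

# 2. Host address on the switch's vEthernet adapter.
$alias = "vEthernet ($SwitchName)"
if (-not (Get-NetIPAddress -InterfaceAlias $alias -IPAddress $HostIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -IPAddress $HostIp -PrefixLength 24 -InterfaceAlias $alias | Out-Null
}

# 3. NAT object for the range. Only one NAT may cover a given prefix on a host.
if (-not (Get-NetNat -Name $NatName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $Prefix | Out-Null
}

# 4. Plug the guest's network adapter into the NAT switch.
Get-VMNetworkAdapter -VMName $VmName | Connect-VMNetworkAdapter -SwitchName $SwitchName

# 5. Give the guest its static address over PowerShell Direct (host to guest
#    over the VMBus, so it works before the guest has any IP configuration).
$cred = Get-Credential -Message "Local administrator on $VmName"
Invoke-Command -VMName $VmName -Credential $cred -ArgumentList $GuestIp, $HostIp, $GuestDns -ScriptBlock {
    param($Ip, $Gateway, $Dns)
    $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    # Clear any previous address and default route so re-running is safe.
    Remove-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $Ip -PrefixLength 24 -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Dns
    # Prove the guest can get out through the host NAT.
    Test-NetConnection -ComputerName 'www.microsoft.com' -Port 443 | Select-Object ComputerName, TcpTestSucceeded
}
```

The NAT is outbound only: nothing on the Azure virtual network can initiate a connection to the guest unless you add a port forward with Add-NetNatStaticMapping, and even then the host VM's network security group still has to allow the traffic. That makes this a reasonably safe way to run test guests, but remember that the guests share the host's public IP for everything they do.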

image

Voila, a nested VM in Azure connected to the Internet and ready for further testing.

I can't tell you how much flexibility this is going to provide me. Not only can I now login to machines using an Azure AD account but I can run up things like Windows 10 S and (shock, horror) maybe even get SBS working as a guest. Now that would be really cool to achieve and I have added that to my 'to do' list. Watch for an article real soon!

Till then, all I can say is that Azure Nested Virtualization is super cool and really super cheap! Love the cloud!

In private browsing

I work across many different Office 365 (and Azure) tenants every day. Many times I need to be inside multiple tenants at the same time. How can I do that effectively? I use ‘private’ browsing modes inside each browser to keep login details isolated.

You can think of 'private' browsing as an isolated instance of surfing the web. When you start 'private' browsing you start with a 'clean' environment: none of the cookies, cached logins or stored credentials from your normal session are carried over, and when you close the session everything is forgotten. Note that all the private windows open in one browser share a single private session with each other, so each browser gives you one extra isolated login, not one per window. Private mode also does nothing to hide your traffic from the network; it only keeps the sessions apart on your own machine.

Here’s how you start ‘private’ browsing sessions across the major browsers.

Microsoft Edge

image

Right mouse click on the Microsoft Edge browser icon and select New InPrivate window from the menu that appears.

image

If you are already using Microsoft Edge, select the three dots in the upper right to display the above menu. Select the New InPrivate window option.

Google Chrome

image

Right mouse click on the Google Chrome browser icon and select New incognito window from the menu that appears.

image

If you are already using Google Chrome, select the three dots in the top right to display the menu shown above. From this menu select New incognito window.

Internet Explorer

image

Right mouse click on the Internet Explorer browser icon and select Start InPrivate browsing from the menu that appears.

image

If you are already using Internet Explorer, select the Cog icon in the top right, then from the menu that appears select Safety. From the fly out menu that then appears, select InPrivate Browsing.

Firefox

image

Right mouse click on the Firefox browser icon and select New private window from the menu that appears.

image

If you are already using Firefox, select the three lines in the top right to display the menu shown. From the menu that appears, select New Private Window.

Thus, between these four major browsers and their ‘private’ browsing modes, I can work with eight different tenants all at once. Barely enough, I’m telling you. Barely enough.

Need to Know Podcast–Episode 135

More interviews with speakers at the upcoming Microsoft Ignite Australia. This time we feature Gino Barletta and speak about his two sessions:

What you need to know about Windows Server 2016 Security

Windows Server 2016 introduces more security features than any previously released Microsoft server operating system. Making your organization more secure is one of the big benefits of Windows Server. In this demo heavy session you'll learn about new features including Credential Guard, Device Guard, Privileged Access Management (Just in Time Administration), Just Enough Administration, DNS policies, Guarded Fabrics, Shielded VMs as well as the security benefits of Nano Server, Windows Server and Hyper-V Containers. You'll also learn how you can integrate Advanced Threat Analytics into your on-premises Windows Server deployment.

and

Azure Financial Management, Reporting and Subscription Hygiene through Power BI

This session helps you understand your current Azure subscription, resources, billing and spend, and shows how to control spend through analytics by leveraging Microsoft Power BI to visualise your spend and consumption in GUI dashboards.

Don’t forget to send us your feedback at feedback@needtoknow.cloud

You can listen to this episode directly at:

https://ciaops.podbean.com/e/episode-135-gino-barletta/

or on Soundcloud here: 

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don't forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@ginobarletta

@marckean

@directorcia

gino.barletta@andeim.com.au


Need to Know Podcast–Episode 130

Marc and I have some brief news and cloud updates for you and then we are straight into our guest for this episode. I speak with MVP Alan Burchill all about his upcoming Microsoft Ignite presentations:

Using Edge in the Enterprise

Microsoft Edge is one of the most secure and web standards compatible browsers on the market. See how the new management features in Windows 10 can help IT professionals provide support for legacy web sites while still allowing users to access web sites with the latest web standards.

Don’t forget to send us your feedback at feedback@needtoknow.cloud

You can listen to this episode directly at:

https://ciaops.podbean.com/e/episode-130-alan-burchill/ 

or on Soundcloud here:

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@alanburchill

@marckean

@directorcia

www.grouppolicy.biz

Azure ready

Office 365 German datacenters

Microsoft tech days online

Microsoft tech summit – Birmingham

Enabling Azure AD Domain Services

One of the last remaining pieces of infrastructure that was required to either stay on premises or be virtualised was the Active Directory Domain Controller (DC). That is no longer the case as Microsoft has made its Directory Services as a Service available from Azure.

What that effectively now means is that you no longer need a dedicated box (physical or virtualised) for Active Directory, you can simply consume it as a service directly from Azure.

Given that this is a new Azure service there are some challenges. The main one is that Azure AD Domain Services is only available in the older Service Manager portal, not the newer Resource Manager model where everything should really be created these days. Azure AD Domain Services will be coming to Resource Manager, however at the moment we need to deploy it using the older Service Manager.

In preparation, I’ve used Azure AD Connect to synchronise users from an existing on-premises Active Directory to Office 365. This has also created accounts for those users in Azure AD. I’ve then added a paid Azure subscription to my free Office 365 Azure AD to enable all the services required.

Next, I created a Virtual Network in both Service Manager and Resource Manager. I then connected these together using a site to site VPN. The idea is that the Service Manager network will simply be used for Directory Services, while the Resource Manager network will hold all the other services such as member servers and so on.

Now, with the site to site VPN between Azure Service Manager (ASM) and Azure Resource Manager (ARM) in place, I navigate to the ASM portal.

image

Here I select my Active Directory option and then name of the Active Directory.

image

I select the Groups option at the top of the page and create a new security group called:

AAD DC Administrators

It is important to create the group named EXACTLY as it appears above, because the service looks for that name.

Into this new security group add all the users from your AD that you want to administer Azure AD Domain Services. Note that members of this group are not Domain Admins in the on-premises sense: they can join machines, manage Group Policy and use the AD tools, but the managed domain controllers themselves remain under Microsoft's control and are not accessible for direct administration.

image

Now select the Configure option at the top of the page.

image

Scroll down the page until you locate the Domain Services area as shown above.

Select the Yes option to enable the service.

image

You'll also need to check that the DNS Domain and Virtual Network options are correct. In this case I've selected the custom domain I have in Office 365 and synchronised from an on-premises AD.

Select Save at the bottom of the page to complete the configuration.

image

Azure will now hum away for about 35 minutes enabling the service for you.

image

When the enablement process is complete you should now see two IP addresses at the bottom of the domain services area as shown above.

You should update the virtual network on the ARM network to point to these DNS servers on the ASM network. You can think of it like the Domain Controller for the whole network is now on the ASM network which is reached by the ARM network across the VPN.

So let's say you now spin up a member server on the ARM network. You add this member server to the domain as you would normally. When you do, you'll be prompted for credentials to allow this. Here you'll need to use a member of the security group AAD DC Administrators you created earlier. One caveat: only accounts whose NTLM and Kerberos password hashes have reached Azure AD can authenticate to the managed domain. Cloud-only users need to change their password after Domain Services is enabled, and users synchronised from on-premises need Azure AD Connect configured to synchronise those legacy hashes. Apart from that everything is exactly the same as if there was a physical domain controller in the network.
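The member server join as a script, as an added example that is not part of the original post. It points the server's NIC at the two DNS addresses Domain Services displayed, confirms the domain name resolves and LDAP is reachable across the VPN before attempting the join, joins with an AAD DC Administrators member, and installs the AD management tools ready for the next step. The domain name, the two IP addresses and the account name are placeholders for the values from your own configuration page.

```powershell
# Added example (not from the original post): prepare and join a member server
# to the Azure AD Domain Services managed domain, then add the AD tools.
# Assumptions: $DomainName, $DomainDns and $JoinAccount are placeholders for the
# values shown on your own Domain Services configuration page.

$DomainName  = 'contoso.com'               # hypothetical managed domain
$DomainDns   = @('10.0.0.4', '10.0.0.5')    # the two IPs Domain Services displayed
$JoinAccount = 'contoso\aadadmin'           # a member of 'AAD DC Administrators'

# 1. Point the server's active NIC at the managed domain's DNS servers.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DomainDns

# 2. Check the domain is reachable across the VPN before trying to join:
#    the name must resolve, and LDAP (389) must answer on both addresses.
$dc = Resolve-DnsName -Name $DomainName -Type A -ErrorAction Stop
foreach ($ip in $DomainDns) {
    $probe = Test-NetConnection -ComputerName $ip -Port 389
    if (-not $probe.TcpTestSucceeded) {
        throw "Cannot reach LDAP on $ip. Check the site-to-site VPN and NSG rules."
    }
}
Write-Host ("Domain {0} resolves to {1}" -f $DomainName, ($dc.IPAddress -join ', '))

# 3. Join using an AAD DC Administrators member (hashes must already be synced).
$cred = Get-Credential -UserName $JoinAccount -Message 'AAD DC Administrators member'
Add-Computer -DomainName $DomainName -Credential $cred

# 4. Management tools so users and Group Policy can be managed from here.
Install-WindowsFeature -Name RSAT-AD-Tools, GPMC -IncludeManagementTools

# 5. A reboot completes the join.
Restart-Computer
```

If step 2 fails, nothing has been changed on the server except its DNS settings, which is deliberate: a join attempt against an unreachable domain only produces a confusing error, whereas the LDAP probe tells you straight away that the VPN or an NSG is the problem.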

image

So your next question is probably going to be about how to manage this 'DC as a service'. Easy. Simply add the AD management tools to any member server and, as you can see from the above, the domain appears exactly like it would if there was an on-premises server on the network. If you go in and look at the domain controllers on the network you'll see two, as shown above. They have random GUID-style names and obviously correlate to the two IP addresses provided by the Directory Service during configuration.

If you then elect to, say, remove the on-premises domain controller you'll have all your users and a fully functioning domain in Azure. You'll have your AD as a service rather than requiring dedicated equipment, which is far more flexible and easier to manage. You'll be able to manage your users, group policy and the like just as you could on premises, but now totally in the cloud.

At the moment there is some extra configuration because of the necessity of an ASM network for Directory Services but in time everything will move to ARM which will make it even easier to have your domain controllers as a service!

For more information on Azure AD Domain Services visit:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-getting-started/