550 – 5.7.64 TenantAttribution; Relay Access Denied

Research

Trying to setup a subdomain for iManage communication server in 365. I created a Connection from 365 to OnPrem server

Create a Connector

What I needed to do was also add the domain to 365 and change it to Internal Relay

Add the domain in below

Change the accepted Domain Type for the subdomain to internal relay

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

How to Enable Workspace Search in Worksite/iManage

Research

By default this is disabled , to Enable , open the registry key : 

SOFTWARE\Interwoven\WorkSite\imDmsSvc\Databases\%databasename%

“Workspace Index”

Set to Y

Then

Restart Worksite Service

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

How to cope with 3 Million Hits in 24 hours

Research

Recently had to help someone launch a site that was going to get significant traffic, estimates were 100,000 Global Visitors/hour. 

The site was going to be a simple one paralex site that redirected people to a newsletter for future communication. It was going to be written in wordpress with some plugins. After the developer showed me the site the page was loading at 3.3MB and took 10seconds network tools in chrome showed. This was actually mostly alot of JS files ( due to Plugins etc etc ) and a 400KB background image.

My first thought straight away was Cloudflare to help with the cache of this site around the world on their network and also for their awesome simple free tools e.g. Minify. Enabling Minify dropped the site down to 1.1mb and halved the load times. 

Next we installed Jetpack to help offload images to their CDN. 

The site was not actually going to be updated either so we enabled Static Content : https://support.cloudflare.com/hc/en-us/articles/200172256-How-do-I-cache-static-HTML-

The backend of the site ran on normal webhosting , and we enabled loadbalancing on Cloudflare just in case one server was overloaded

Results : 

 

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Bighand Client deploying via GPO – BighandUpdater.job Unable to establish existence of the account specified

Research

When trying to deploy BigHand Via GPO via the system account uses for Computer installations the below error comes up 

 

You will need to deploy the MSI with the MST Transform attached here : no updater

e.g. to test

msiexec /i “bighand install.msi” Transforms=”no updater.mst” /qb

 

VN:F [1.9.22_1171]
Rating: 10.0/10 (1 vote cast)
VN:F [1.9.22_1171]
Rating: +1 (from 1 vote)

Bighand – Could not write value AuthenticationType to key \Software\Bighand\TotalSpeech\v3

Research

Trying to deploy Bighand via GPO MSI , running the System App Via the Transform brings up the below error

 

That error relates AD authentication, but because you are using BigHand Professional, this should always be turned off.


Browse to – 
[HKEY_LOCAL_MACHINE\Software\Bighand\Totalspeech\v3] 
(on a 64 bit machine this will change to [HKEY_LOCAL_MACHINE\Software\Wow6432Node\BigHand\Totalspeech\v3]) 

The REG_DWORD to look for is called “AuthenticationType” This should be set to “0” 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

How to download Device Management powershell scripts from intune

InTune

There is no current way to download existing Powershell Scripts Uploaded to Intune Device Management. To do this you have to use the graph API. There is a Demo called : DeviceManagementScripts_Get.ps1 , however it wasn’t working for me , so I created the below

 

This downloads a Single Script for you , it asks you for the id ( shows you each linked to the file name ) 


#Function to get AuthToken for Azure GraphAPI
function Get-AuthToken {

<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>

[cmdletbinding()]

param
(
    [Parameter(Mandatory=$true)]
    $User

)

$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User

$tenant = $userUpn.Host

Write-Host "Checking for AzureAD module..."

    $AadModule = Get-Module -Name "AzureAD" -ListAvailable
    
    if ($AadModule -eq $null) {
        
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable

    }

    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version

    if($AadModule.count -gt 1){

        $Latest_Version = ($AadModule | select version | Sort-Object)[-1]

        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

    else {

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
 
# Client ID used for Intune scopes

$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"

$redirectUri = "urn:ietf:wg:oauth:2.0:oob"

$resourceAppIdURI = "https://graph.microsoft.com"

$authority = "https://login.microsoftonline.com/$Tenant"

    try {

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

    # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
    # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession

    $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"

    $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
            
    $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result

    # If the accesstoken is valid then create the authentication header

        if($authResult.AccessToken){

        # Creating header for Authorization token

        $authHeader = @{
            'Content-Type'='application/json'
            'Authorization'="Bearer " + $authResult.AccessToken
            'ExpiresOn'=$authResult.ExpiresOn
            }

        return $authHeader

        }

        else {

        Write-Host
        Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
        Write-Host

        break

        }

    }

    catch {

    write-host $_.Exception.Message -f Red
    write-host $_.Exception.ItemName -f Red
    write-host
    break

    }

}

#Get Admin Username

$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
 
#Get Auth Token
 
$authToken = Get-AuthToken -User $User

#Get Scripts

$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceManagementScripts"

$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource/"
$scriptarray = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value


foreach ($script in $scriptarray) {
	$script.fileName + " ( " + $script.id + " )"
}


$scriptid = Read-Host -Prompt "Enter ID you would like to download, number in brackets without spaces"
Write-Host


$detailuri = "https://graph.microsoft.com/$graphApiVersion/$Resource/" + $scriptid
Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get
$script64 = (Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get).scriptContent
#Decode Base64 into Scripts
$decodedscript = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($script64))
#output File
New-Item -Path . -Name $script.fileName -ItemType "file" -Value $decodedscript
DownloadSingleIntunepowershellScript.ps1 view raw

This downloads all the Scripts in your InTune Directory

#Function to get AuthToken for Azure GraphAPI
function Get-AuthToken {

<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>

[cmdletbinding()]

param
(
    [Parameter(Mandatory=$true)]
    $User

)

$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User

$tenant = $userUpn.Host

Write-Host "Checking for AzureAD module..."

    $AadModule = Get-Module -Name "AzureAD" -ListAvailable
    
    if ($AadModule -eq $null) {
        
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable

    }

    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version

    if($AadModule.count -gt 1){

        $Latest_Version = ($AadModule | select version | Sort-Object)[-1]

        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

    else {

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
 
# Client ID used for Intune scopes

$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"

$redirectUri = "urn:ietf:wg:oauth:2.0:oob"

$resourceAppIdURI = "https://graph.microsoft.com"

$authority = "https://login.microsoftonline.com/$Tenant"

    try {

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

    # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
    # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession

    $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"

    $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
            
    $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result

    # If the accesstoken is valid then create the authentication header

        if($authResult.AccessToken){

        # Creating header for Authorization token

        $authHeader = @{
            'Content-Type'='application/json'
            'Authorization'="Bearer " + $authResult.AccessToken
            'ExpiresOn'=$authResult.ExpiresOn
            }

        return $authHeader

        }

        else {

        Write-Host
        Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
        Write-Host

        break

        }

    }

    catch {

    write-host $_.Exception.Message -f Red
    write-host $_.Exception.ItemName -f Red
    write-host
    break

    }

}

#Get Admin Username

$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
 
#Get Auth Token
 
$authToken = Get-AuthToken -User $User

#Get Scripts

$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceManagementScripts"

$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource/"
$scriptarray = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value


foreach ($script in $scriptarray) {
	$detailuri = "https://graph.microsoft.com/$graphApiVersion/$Resource/" + $script.id
	#Show Scripts in Output
	Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get
	$script64 = (Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get).scriptContent
	#Decode Base64 into Scripts
    $decodedscript = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($script64))
	#output Files
	New-Item -Path . -Name $script.fileName -ItemType "file" -Value $decodedscript
}
DownloadAllInTunePowershellFiles.ps1 view raw
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

iManage Desksite – Register Server Connection Pop up on Opening PDF

Research

Recently we had deployed Desksite to a few users , however some of them when opening PDF would get a connection Dialog box opening up and clicking on Connect in the Server List would freeze the screen with 

“Not Responding” 

And the connection would stay disconnected, even though the user was connected fine to Desksite.

We made sure Adobe Protected Mode was disable and ran a Repair of Desksite.

In the End we had to remove and reinstall Desksite from Scratch to repair this

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

How to deploy trusteer rapport via Intune or GPO silently

Research

Download from 

http://download.trusteer.com/Gcur4Wtnu/RapportSetup-Full_x64.exe

Intune : 

RapportSetup-Full_x64.exe /s /p NOICONS=true NOBROWSER=true ACCEPTLICENSE=TRUE

GPO Powershell Computer Startup Script : 

If(!(Test-Path -path "C:\Program Files (x86)\Trusteer\Rapport\Console.ico"))

 {
 cd "\\local\to\installer\GroupPolicy\Trustee"
.\RapportSetup-Full_x64.exe /s /p NOICONS=true NOBROWSER=true ACCEPTLICENSE=TRUE

}
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

This device hasn’t been setup for corporate use yet – Company Portal

Research

Trying to open the Company Portal as a user after Intune Enrollment shows the below 

 

2019-02-19_10-28-51.jpg

 

When clicking continue to Enroll you then get the error

The device is already registered in Intune

 

You will need to re-enroll the device using the following method

Delete ( or as much as you can ) :  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments

Re-enroll PC as the correct User using the Access Work and School Method

 

If it asks you for the Server URL for MDM you can use this 

EnterpriseEnrollment-s.manage.microsoft.com

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Intune Management Extension Application / Service not installing after InTune deploy

InTune

Recently I found an InTune pc having issues deploying software and PowerShell 

In the “Company Portal” Store App it showed there was a: Delay in Downloading files error

I then found there was no Management Extension Application Service installed as all

This can be manually downloaded and installed from here : 

https://prodamsub0102data.azureedge.net/IntuneWindowsAgent.msi 

After installing , software started Deploying

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)