  1. Set up an Azure subscription if you haven't got one already; this will be used for billing. The storage is under $1/month for 1 GB of space.
  2. Create a Storage Container in the right Azure Region with the correct redundancy (Local Redundancy Storage is cheaper). Use General Purpose V2!
  3. Create a Blob Container in this Storage Resource
  4. Use Storage Explorer to upload files here
  5. Upload the file you would like to deploy
  6. Right click on the file and choose "Get Shared Access Signature"

I set a 100-year expiry and leave access as Read Only.

It will give you a URI and a query string.

Copy the URI ONLY up to the file name (nothing after it, as in the example below) and put it in $BlobUri

Copy the FULL query string and put it in $Sas

Change the Output Path, which needs to exist and end with a trailing \; in this example I have used the user's Desktop

#Variables
#Use Azure Storage Explorer to get the Shared Access Signature of the file.
#Copy the URI up to the file name into $BlobUri and the query string into $Sas.
#You will need a new Sas for each file

$BlobUri = 'https://xxxxx.blob.core.windows.net/xxxxx/1.jpg'
$Sas = '?sp=XXXXXXXXXXXXXXXXXXXXXXXXXXXX'
#Output Path with \ on the end
$OutputPath = 'C:\Users\' + $env:UserName + '\Desktop\'

#Builds the full Uri (blob Uri plus Sas query string)
$FullUri = "$BlobUri$Sas"
#Downloads the file to the output path, keeping the file name found at the end of $BlobUri
(New-Object System.Net.WebClient).DownloadFile($FullUri, $OutputPath + ($BlobUri -split '/')[-1])

Deploy this PowerShell file via Device Config Scripts.
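
A check to run on the $Sas value before the script is deployed, as an added example that is not part of the original post: it parses the query string and reports the granted permissions, allowed protocols and remaining lifetime without echoing the signature. The function name Test-SasToken and the $MaxDays limit are assumptions, and the token at the bottom is constructed sample input.

```powershell
# Added example, not from the original post. Test-SasToken and $MaxDays are
# hypothetical names; the token at the bottom is constructed sample input.
function Test-SasToken {
    param(
        [Parameter(Mandatory)][string]$Sas,
        [int]$MaxDays = 365          # assumed policy limit on token lifetime
    )
    # Split '?k=v&k=v' into a table of URL-decoded fields
    $fields = @{}
    foreach ($pair in $Sas.TrimStart('?') -split '&') {
        $name, $value = $pair -split '=', 2
        if ($null -ne $value) { $fields[$name] = [uri]::UnescapeDataString($value) }
    }

    $findings = @()
    # sp = granted permissions; a download script needs read ('r') only
    if ($fields['sp'] -cne 'r') {
        $findings += "sp='$($fields['sp'])' is not read-only"
    }
    # spr = allowed protocols; when absent the service accepts http as well
    if ($fields['spr'] -ne 'https') {
        $findings += 'spr is not https-only'
    }
    # se = expiry time in UTC
    $daysLeft = $null
    if ($fields.ContainsKey('se')) {
        $styles   = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
        $expiry   = [datetime]::Parse($fields['se'], [cultureinfo]::InvariantCulture, $styles)
        $daysLeft = [int]($expiry - [datetime]::UtcNow).TotalDays
        if ($daysLeft -lt 0)            { $findings += 'token has expired' }
        elseif ($daysLeft -gt $MaxDays) { $findings += "expires in $daysLeft days (limit $MaxDays)" }
    } else {
        $findings += 'no se field; expiry comes from a stored access policy, if any'
    }

    # The sig field is deliberately left out of the report
    [pscustomobject]@{
        Permissions = $fields['sp']
        Protocols   = $fields['spr']
        DaysLeft    = $daysLeft
        Findings    = $findings
    }
}

# Constructed token in the shape Storage Explorer produces (signature is a dummy)
$Sas = '?sv=2021-08-06&sp=r&se=2121-01-01T00:00:00Z&spr=https&sr=b&sig=CONSTRUCTED'
Test-SasToken -Sas $Sas | Format-List
```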


This will stop Windows from resetting your default file associations, and this will force your choice of application to stick. It works well for my org.

#Creates a "drive" to access HKCR (HKEY_CLASSES_ROOT)
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null

#This is the .pdf file association key
$PDF = 'HKCR:\.pdf'
If (Test-Path $PDF)
{
    New-ItemProperty $PDF -Name NoOpenWith -PropertyType String -Value '' -Force | Out-Null
    New-ItemProperty $PDF -Name NoStaticDefaultVerb -PropertyType String -Value '' -Force | Out-Null
}

#This is the OpenWithProgids subkey of the .pdf association
$Progids = 'HKCR:\.pdf\OpenWithProgids'
If (Test-Path $Progids)
{
    New-ItemProperty $Progids -Name NoOpenWith -PropertyType String -Value '' -Force | Out-Null
    New-ItemProperty $Progids -Name NoStaticDefaultVerb -PropertyType String -Value '' -Force | Out-Null
}

#Lists Hyper-V snapshots older than $Days days
$Days = $%id%Days%id%

$Days = (Get-Date).AddDays(-($Days))

$OverdueSnapshot = ''

$SnapshotList = Get-VM | Get-VMSnapshot | Where-Object { $_.CreationTime -lt $Days }

if ($null -eq $SnapshotList)
{
	$OverdueSnapshot = "NO Overdue Snapshot"
}
else
{
	foreach ($EachSS in $SnapshotList)
	{
		#Subexpressions are needed to expand object properties inside a string
		$OverdueSnapshot += "$($EachSS.VMName) : $($EachSS.Name) : $($EachSS.CreationTime) : "
	}
}

$%id%OverdueSnapshot%id% = $OverdueSnapshot

Download

Click here to Download the software

Install

Install the 32-bit or 64-bit version depending on the server, and install ALL the Management Tools

Open PowerShell as Administrator, with Domain Admin rights, and run

Import-Module AdmPwd.PS

Then

Update-AdmPwdADSchema

Make sure the above says Success

In the same PowerShell window you need to declare the OUs where the computers will live

Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>

Now you want to see who has access to look at the password in the OU

Find-AdmPwdExtendedRights -Identity "OU NAME"

Add or remove permissions via:

Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>

Group Policy

On the PC you installed the LAPS tool on, copy the following files:

C:\Windows\PolicyDefinitions\AdmPwd.admx to (on a domain controller) C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\

C:\Windows\PolicyDefinitions\en-US\AdmPwd.adml to (on a domain controller) C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US\AdmPwd.adml

Now create a Group Policy and apply it to the computers you would like to have a self-managed local Administrator password

 

Administering

How to find the password using the GUI

On the PC installed with LAPS, run C:\Program Files\LAPS\AdmPwd.UI.exe and enter the computer name to find the password

Use PowerShell:

Get-AdmPwdPassword -ComputerName <computername>

To reset the password immediately:

Reset-AdmPwdPassword -ComputerName <computername>
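
The Find-AdmPwdExtendedRights step above, turned into a repeatable audit (an added example, not part of the original post): it lists every principal that can read LAPS passwords on each delegated OU and flags any that are not on an approved list. The OU names, the CONTOSO domain and the group names are hypothetical; ObjectDN and ExtendedRightHolders are the properties shown in the cmdlet's default output.

```powershell
# Added example, not from the original post.
# $OrgUnits and $Approved hold hypothetical values; replace them with your own.
Import-Module AdmPwd.PS

# OUs that were delegated with Set-AdmPwdComputerSelfPermission
$OrgUnits = @('Workstations', 'Laptops')

# Principals that are expected to be able to read the stored passwords
$Approved = @(
    'NT AUTHORITY\SYSTEM',
    'CONTOSO\Domain Admins',
    'CONTOSO\Helpdesk-LAPS'
)

# One row per (object, principal) pair holding the extended right
$report = foreach ($ou in $OrgUnits) {
    foreach ($entry in Find-AdmPwdExtendedRights -Identity $ou) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            [pscustomobject]@{
                OrgUnit  = $ou
                ObjectDN = $entry.ObjectDN
                Holder   = $holder
                Approved = $Approved -contains $holder
            }
        }
    }
}

$report | Sort-Object Approved, ObjectDN | Format-Table -AutoSize

# Anything not on the approved list should be reviewed and, if unwanted,
# removed from the OU's permissions in Active Directory
$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unapproved principal(s) can read LAPS passwords"
    $unexpected | Select-Object ObjectDN, Holder
}
```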

 


 

The Autodiscover process checks a few records, one of which is the root domain A record. Once you have an SSL certificate on your web server under cPanel, it intercepts the Autodiscover request: cPanel believes it is hosting the email and, trying to be helpful, directs the request to its own email server (instead of your Exchange server or 365).

The email users are not set up on your cPanel, so no matter what you try, you will not be able to set up the user's Outlook profile. This is the error I was getting in Outlook 2016. The error will be different for other versions of Outlook or if you are setting up the profile from Control Panel, but essentially it will not let you complete the profile setup.

 

The fix is quite simple: you just need to change the setting in cPanel or WHM (also owned by cPanel) from the default setting of "Local Mail Exchanger" to "Remote Mail Exchanger" and that's it.


 

Check the user is connecting to Exchange via MAPI; I had a few setups where users were set to ActiveSync instead.

In this case, the solution was to run both commands on the Exchange server:

Set-AutodiscoverVirtualDirectory "SERVER\Autodiscover (Default Web Site)" -WSSecurityAuthentication $True

Set-WebServicesVirtualDirectory -Identity "EWS (default web site)" -WSSecurityAuthentication $true

These two commands solved my problem.


Recently, on a terminal server environment, we had a few users getting a black screen on login. The terminal server used User Profile Disks, so I thought it could be corruption.

The Terminal Server event log had a lot of NTFS 50, 51, 140 and 137 errors.

When the profile would eventually load, Outlook would come up with "ost is not valid".

Logging into the file server that shared the UPDs showed that the disk hosting the UPD files was full, and someone had not added it to monitoring!

 


Outlook 365 2016 Trusted Platform Module error code 80090016

Recently a user had their motherboard swapped out on their laptop. 2 days later they could not sign into Outlook.

The error was TPM

This is due to the laptop falling out of trust with Azure AD because of the TPM chip change.

  1. Reset the local admin password
  2. Go to Settings > Accounts > Work or School and disconnect
  3. Restart the PC
  4. Go to Settings > Accounts > Work or School and sign back in

If the device is managed by Intune, sign back into Azure AD.
