Social Networks

There are several ways to enroll a Windows 10 PC to Microsoft Intune:

Manually

  • During the Out-of-the-box Experience (OOBE), when starting a Windows 10 PC for the first time
  • In the Windows Settings, after the PC configuration

Manual enrollment will require that the user enters his Azure AD credentials.


Automatically

  • Using Azure AD Join + automatic Intune enrollment
  • Using Hybrid Azure AD Join + automatic Intune enrollment

Automatic enrollment can be triggered using a Group Policy, SCCM Co-Management or Windows AutoPilot.

Windows 10 automatic enrollment requires the creation of public DNS records enterpriseregistration and enterpriseenrollment. More info here.


However, sometimes it is possible that a Windows 10 PC is in an inconsistent enrollment state, with error "The sync could not be initiated".


This can happen because:

  • The PC was shut down during a long time, and the Microsoft Intune certificate is expired (located in Local Machine / Certificates / Personal)
  • Someone manually deleted the Microsoft Intune certificate
  • The PC is enrolled in another Intune tenant

Prerequisites: check Hybrid Azure AD Join status

Before re-enrolling your device to Microsoft Intune, you need to make sure that the certificates for Hybrid Azure AD Join are not expired as well.

Follow this procedure to Manually re-register a Windows 10 or Windows Server machine in Hybrid Azure AD Join.


Method 1: With data and configuration loss


The easiest way to unenroll a Windows 10 PC from Microsoft Intune is to disconnect the work or school account.


Just go to All settings > Accounts > Access work or school, select your corporate account and click Disconnect.



However, the problem with this is that all data and configuration pushed by Microsoft Intune will be deleted from the PC.


Method 2: Without data or configuration loss


There is a way to manually re-enroll your Windows 10 PC without loosing all the current configuration and apps deployed by Microsoft Intune.

This method is not officially supported by Microsoft


As you may know, automatic enrollment can be triggered either by a Group Policy Object or by the SCCM client on a co-managed device.

In both cases, the feature will basically create a scheduled task to enroll the PC at next logon.



This task will launch the following command in the SYSTEM context:

%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM

To manually re-enroll the PC, we will need to clean up the environment and relaunch this command in the SYSTEM context to re-enroll the PC.

Here are the steps that you need to follow to make it work:

  1. Delete stale scheduled tasks
  2. Delete stale registry keys
  3. Delete the Intune enrollment certificate
  4. Restart the enrollment process

Step 1: Delete stale scheduled tasks

Follow this procedure:

  • Run the Task Scheduler as an administrator.

  • Go to Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt. Write down the enrollment ID somewhere, you will need it for the cleanup.

  • Delete all the existing tasks the enrollment folder.

  • Delete the enrollment ID folder.

Step 2: delete stale registry keys

Use the previous enrollment ID to search the regitry:

  • Open the Registry Editor as an administrator.

  • Search for the enrollment ID you wrote in the following locations and if found, delete the key that is containing the ID:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\xxxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\xxxxxxxxxxxxx

DO NOT delete registry keys that are not in the list above. They will be overwritten after the new enrollment.


Step 3: delete the Intune enrollment certificate

Follow the procedure:

  • Search for the option "Manage computer certificates" or use the command certlm.msc as an administrator.

  • Go to Personal > Certificates and delete the certificate issued by either "Microsoft Intune MDM Device CA" or "SC_Online_Issuing" (depending on the date of the enrollment).

Step 4: Restart the enrollment process

To be properly executed, the enrollment command must be entered in a SYSTEM context. We will use the PSExec tool for that purpose.


  • Use PSExec to launch a Command Prompt as SYSTEM:
psexec /i /s cmd

  • In the Command Prompt, enter the following command:
%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM

  • In the computer certificate store, check that a new Intune certificate has been enrolled for the device:

  • You are now ready to start a policy sync from the Windows Settings, and check that the connection with the Intune service is now OK:

Tags: , , , , , , , ,

  

Hybrid Azure AD Join devices are machines under Windows 10 or Windows Server 2016+ that are:

  • Joined to an on-premises Active Directory domain
  • Registered in Azure AD as a hybrid device

Having a Hybrid Azure AD Joined device enables the following features:

  • Automatic device enrollment in Microsoft Intune
  • Device-based conditional access for corporate devices
  • Backup of the BitLocker recovery key in Azure AD
  • Sync of some Windows settings by the Enterprise State Roaming


Sometimes, a machine can be in an inconsistent registration state in Azure Active Directory. This can happen because:

  • The machine was shut down during a long time, and the Azure AD device registration certificate is expired (located in Local Machine / Certificates / Personal)
  • Someone manually deleted the device registration certificate
  • Someone manually deleted the device object in the Azure AD portal
  • The machine is registered in another Azure AD tenant

Please note that this method will only succeed if your organization meets all the prerequisites for Hybrid Azure AD Join. For more information, please refer to this documentation.


Step 1: Unregister the device from Azure AD

Follow this procedure:

  • On the machine to unregister, launch a Command Prompt as an administrator and type the following command:
dsregcmd /leave

  • Make sure the certificates issued by "MS-Organization-Access" and "MS-Organization-P2P-Access [xxxx]" have been deleted from the local machine Personal certificate store:

  • Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values:
dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
AzureAdJoined : NO  <-----
EnterpriseJoined : NO
DomainJoined : YES  <-----

Step 2: Re-register the device as a Hybrid Azure AD Join

Follow this procedure:

  • On the machine to re-register, run the Task Scheduler as an administrator.

  • Go to Task Scheduler Library > Microsoft > Windows > Workplace Join and manually start the task "Automatic-Device-Join".

  • Make sure the certificates issued by "MS-Organization-Access" and "MS-Organization-P2P-Access [xxxx]" have been created in the local machine Personal certificate store:

  • Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values:
dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
AzureAdJoined : YES  <-----
EnterpriseJoined : NO
DomainJoined : YES

  • Reboot the PC.

  • Start an Azure AD Connect delta synchronization.

Tags: , , , , , , , , ,

  

La communauté aOS (Azure Office 365 SharePoint) et le Monaco Microsoft User Group (MMUG) vous invitent à la 1ère édition de la journée aOS Monaco le 26 Septembre 2019.

Pendant une journée entière, vous pouvez rencontrer et échanger avec des experts des technologies Office 365 et Azure. Différentes sessions vous seront proposées où nous vous apporteront des retours terrain. Il vous sera ainsi possible de découvrir ou approfondir vos connaissances sur :

  • Azure
  • Office 365
  • Microsoft Teams, SharePoint
  • Power Platform : Power BI, PowerApps, Microsoft Flow

Ce sera aussi l’occasion de partager et échanger entre utilisateurs et professionnels, locaux, nationaux et internationaux, de l’offre Cloud Microsoft.

J'animerai un atelier deep-dive "Sécurisez votre SI et vos services Office 365", alors n'hésitez pas à réserver vos agendas 🙂

agenda aos monaco 2019

Tags: , , , , , ,

  

L'association Le Numérique Pour Tous organise plusieurs conférences sur le digital, de Février à Mai 2019.

Ces conférences gratuites se dérouleront à la Bibliothèque municipale Kateb Yacine du centre commercial Grand' Place, à Grenoble :

  • 7.02.2019 : S'équiper en appareils numériques
  • 7.03.2019 : Sécuriser et entretenir son environnement numérique
  • 4.04.2019 : Réseaux sociaux et communication
  • 2.05.2019 : Quels outils alternatifs libres ou gratuits ?

N'hésitez pas à y assister !

Tags: ,

  

Petite note car je vois pas mal de soucis chez nos clients.

Microsoft a changé le fonctionnement de l’authentification RDP entre clients / serveurs.

 

 

Le but de ce décalage de 2 mois était de patcher d’abord les serveurs (Mars), puis les clients (Mai) pour que ces derniers puissent s’y connecter 2 mois après.

Suite à ces modifications, la connexion RDP à des serveurs non-patchés depuis des clients patchés peut échouer (erreur CredSSP).

 

An authentication error has occured.
The function requested is not supported
This could be due to CredSSP encryption oracle remediation

 

Voici les scénarios possibles :

Ne fonctionne pas

  • Serveur non patché depuis Mars / client patché depuis Mai

Fonctionne

  • Serveur non patché depuis Mars / client non-patché
  • Serveur patché depuis Mars / client non-patché
  • Serveur patché depuis Mars / client patché depuis Mai

 

Workaround (fortement déconseillé)

Si un client a été patché alors que le serveur n’est pas à jour, il est possible de désactiver le Network Level Authentication côté serveur de manière temporaire pour s’y connecter.

 

 

 

Il est aussi possible de désactiver la fonctionnalité "Encryption Oracle Remediation" par GPO sur les serveurs non-patchés :

  1. Si pas encore fait, installez les ADMX pour Windows 10 build 1803 (ou supérieur)
  2. Allez dans Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
  3. Modifiez le paramètre Encryption Oracle Remediation en Enabled / Vulnerable

 

 

Note : La recommandation officielle reste toutefois de patcher serveurs et clients.

 

Tags: , , , , , , , , , , , , ,