How to disable XBOX and HomeGroup services with Workspace ONE UEM

Windows 10 ships with a lot of features, so some consumer features, such as the Xbox services and HomeGroup, are also available in the enterprise space. This article explains how to block these with UEM.

Since Windows 10 1803, we can change a service's start type using a CSP. This is available for any supported MDM-managed Windows Desktop edition (Pro, Business, Enterprise, Education).

Note: the Xbox Game Monitoring service is missing from the list, but this service depends on Xbox Live Auth Manager, which is going to be disabled, so the service itself won't be able to start even though its default start type is Manual.


ADMX Backed – The Office Case

This case comes from one of my customers. They followed the Chrome example available at code.vmware.com, but it didn't seem to work correctly for the Office ADMX available from Microsoft, as the profile said “Install Failed”.

Step 1 – Reproduce

Created a custom XML in the console in this format:

<Add>
 <CmdID>2</CmdID>
 <Item>
  <Target>
   <LocURI>./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OfficeADMX/Policy/Office16</LocURI>
  </Target>
  <Data>{ADMX DATA HERE converted from <value> to &lt;value&gt; }</Data>
 </Item>
</Add>


How to configure Workspace ONE UEM and mS-DS-ConsistencyGuid

When it comes to Azure AD integration within Workspace ONE UEM, the configuration is quite straightforward. However, in a complex environment with a lot of different Active Directories it can become complex, as the source anchor is going to change most of the time from objectGUID to mS-DS-ConsistencyGuid, which is also the best practice from Microsoft. If you are in this case, the mS-DS-ConsistencyGuid most likely won't equal the objectGUID, which is why it is important to configure it properly.

To check the immutable ID/source anchor in Azure AD, see this post: How to check the Immutable ID/Source Anchor


How to check the Immutable ID/Source Anchor

This article explains how to check which attribute is used as the source anchor for the synchronization between Active Directory and Azure Active Directory.

PowerShell

0 – Install necessary PowerShell Modules, if needed.

Install-Module MSOnline
Import-Module MSOnline

1 – Get User Immutable ID from Azure.

Connect-MSOLService
Get-MsolUser -UserPrincipalName user@domain.tld | select ImmutableID


Active Directory – Password Reset on a PDC

I had an issue in my lab where the PDC emulator changed its password while the IPv6 communication was not properly up and running, and so 2 different passwords were registered on my 2 DCs. This is a reminder that IPv6 is the preferred network in Windows and has been like that since Vista.

Nothing new in this article, just some clarifications, as the documentation can be confusing sometimes and we tend to forget things.

The architecture is the following:

DC1: Server 2012R2

DC2: Server 2016 (All FSMO hosted) – The culprit

The first thing to check is DNS: point the network card of DC2 to the working DC, as the DC2 DNS server might not be working properly. In my case DC2 didn't have IPv6 records while DC1 had them, and since the DNS zone is replicated via AD, we clearly see an issue here.


Encrypting File System

A lot of folks have the perception that EFS is complicated, as it may use PKI management (not mandatory) and messing around with the keys can result in data loss. In fact it's rather simple, and you only need to understand some concepts specific to EFS. Let's dive into it.

While EFS has been used in enterprises for quite some time, it came back into the spotlight with Windows Information Protection (WIP) (more info on WIP later).
