Rob Moir's questions

Not sure if I'm missing something obvious here but I'm having trouble getting Management Scopes in Exchange Online to work as expected.

I'm hoping to delegate admin rights for a group of users in a geographic area to accounts that are not Exchange Online / O365 admins in general, but who can do certain limited tasks for the target mailboxes.

So I've identified the users as a member of a MSOL group, tried to set up a Management scope based on that group (see below) and assigned a 'normal' user to be an admin of that scope. However, while this user can go to https://outlook.office365.com/ecp and see the Exchange Admin centre and can browse users, they cannot change any of the users I would expect to be in that management scope. Where am I going wrong?

DG = get-msolgroup -objectid <guid>

(note I've tried targetting a normal Distribution list and a dynamic DL with no change to the end result).

New-ManagementScope "robm's Exchange Management Scope" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DisplayName)'"

New-RoleGroup -Name “robm User Admins” -Roles “Mail Recipients”, “Distribution Groups”, “Mail Recipient Creation” -CustomRecipientWriteScope "robm's Exchange Management Scope"

Everything appears to run ok, everything appears to have been created... I'm just not able to administer the users afterwards.

Looking for a bit of help with the Intune Powershell/graph interface.

I'm trying to manipulate Intune Device Categories via Powershell, so that I can firstly correct devices that were placed into the wrong category during enrollment, and secondly, I'm in the middle of moving from Hybrid SCCM/Intune to Azure Intune and where we're not using Device Categories for devices already enrolled into SCCM Hybrid Intune, I want to use powershell to loop through a CSV file full of device serial numbers / IMEI numbers and place corporate devices into the right device category.

Investigating the powershell/graph interface for Intune, I can do something like

Get-IntuneManagedDevice -Filter "IMEI eq '01 012345 678910 1'" (Or -Filter "serialNumber eq 'DEADBEEF'" or whatever) and get my all my device's details output. This includes a field for "deviceCategoryDisplayName", which is the value I want to change.

I can even do Get-IntuneManagedDevice -Filter "serialNumber eq 'DEADBEEF'"| select manageddeviceid to get the managedDeviceID value as an output.

As far as I can tell, this should work with Update-IntuneManagedDevice (see below)

get-help Update-IntuneManagedDevice -detailed

NAME
Update-IntuneManagedDevice

SYNOPSIS
Updates a "microsoft.graph.managedDevice".

SYNTAX
Update-IntuneManagedDevice -managedDeviceId <string>

So I should be able to update a device by using its managed Device ID?

What I can't do is:

Get-IntuneManagedDevice -Filter "serialNumber eq 'deadbeef'"| select manageddeviceid | Update-IntuneManagedDevice -deviceCategoryDisplayName 'BYOD'

When I try, I get the error below. Clearly I'm doing something wrong but can anyone point me in the right direction? I don't think that what I'm trying to do is fundamentally unreasonable... is it?

(just to be clear, doing Get-IntuneManagedDevice -managedDeviceID deadbeef-aaaa-bbbb-cccc-0123456789ab returns my target device details ok, and running Update-IntuneManagedDevice -managedDeviceID deadbeef-aaaa-bbbb-cccc-0123456789ab -deviceCategoryDisplayName 'BYOD' gives me the same error)

Update-IntuneManagedDevice : 400 Bad Request
{
"error": {
"code": "InternalError",
"message": "{\r\n \"_version\": 3,\r\n \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 6f743002-b0e0-48ed-a25d-0cdd33870efd - Url:
https://fef.msub02.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDe... \"CustomApiErrorPhrase\":
\"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}",
"innerError": {
"request-id": "6f743002-b0e0-48ed-a25d-0cdd33870efd",
"date": "2019-03-06T14:08:02"
}
}
}
At line:1 char:92
+ ... ddeviceid | Update-IntuneManagedDevice -deviceCategoryDisplayName 'BY ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ConnectionError: (@{Request=; Response=}:PSObject) [Update-IntuneManagedDevice], HttpRequestException
+ FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.Update_IntuneManagedDevice

I’m looking at moving a MDM config from SCCM hybrid to Intune Standalone. I know I can migrate but right now I’m running down options for a fresh setup.

If all I have is an xml dump of an Apple Configuator plist/xml output, can I use that “as is” in an Intune custom profile? I know that ideally I’d generate a new file in Apple Configurator 2 but is it required?

I'm trying to install the Azure AD Connect ADFS health agent on the primary server in an ADFS 4.0 farm running on Windows Server 2016.

The installation completes successfully but I get an error on configuration:

Register-AzureADConnectHealthADFSAgent : Could not query the MEX on http ports: 443 in hosts: localhost
At line:1 char:190
+ ... gent\PowerShell\AdHealthAdfs; Register-AzureADConnectHealthADFSAgent}
+                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Register-AzureADConnectHealthADFSAgent], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Identity.Health.Adfs.PowerShell.Configuration
   Module.RegisterADHealthAdfsAgent

Now I've run that error through the google and it tells me that this could be a STS certificate issue so I've checked as per the article pointed at there, and there are no issues, no other unexpected or incorrect certificate thumbprint visible, and besides on ADFS 4.0 you can't change certificates on the secondary servers in an ADFS farm, so even simply trying to re-register the certs didn't help.

Running further diags as per maweeras' suggestions:

PS C:\Users\administrator.INTERNAL> $error[0] | fl * -f


PSMessageDetails      :
Exception             : System.InvalidOperationException: Could not query the MEX on http ports: 443 in hosts:
                        localhost
                           at Microsoft.Identity.Health.Adfs.PowerShell.ConfigurationModule.AdfsServiceExaminer.GetAdfs
                        FarmNameFromSts()
                           at Microsoft.Identity.Health.Adfs.PowerShell.ConfigurationModule.AdfsServiceExaminer.Compute
                        ServiceSignature()
                           at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthA
                        gent.ProcessRecord()
                           at System.Management.Automation.CommandProcessor.ProcessRecord()
TargetObject          :
CategoryInfo          : NotSpecified: (:) [Register-AzureADConnectHealthADFSAgent], InvalidOperationException
FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Identity.Health.Adfs.PowerShell.ConfigurationModule.
                        RegisterADHealthAdfsAgent
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}

The install/config log doesn't seem to tell us anything that isn't already here. I can browse to the MEX endpoint via its FQDN in a web browser.

I don't know if anyone has seen this issue or has any ideas?

We've recently migrated ADFS from ADFS 2.1 on W2008r2 to ADFS 4.0 on W2016.

Basic functionality seems fine but I'm seeing an issue with updating federation metadata with all of my relying party trusts; attempting to right-click and select "Update from Federation Metadata..." (or going to properties, monitoring, test URL) gives the following error:

"An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid metadata endpoint".

The error message associated is

Method not found: 'Microsoft.identitymodel.protocols.WSFederation.Metadata.MetadataBase Microsoft.Identity.Model.Protocols.WSFederation.Metadata.MetadataSerializer.ReadMetadata(System.IO.Stream)'.

There is no proxy server required and no proxy server defined. I can browse to the federation metadata URL just fine in IE on the ADFS server and get the expected XML page. I've checked that certificates are correctly defined, that the ADFS service account has read access to them, etc.

There are no error messages in the event log either at service start or when trying to test/update metadata. Trying to add a new relying party trust gives the same error.

I've run the ADFS diagnostics, and test-adfsserverhealth gives an error which I think is key, but I don't know where to go next.

Name             : PingFederationMetadata
Result           : Fail
Detail           : System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a
                   send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing
                   connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An
                   existing connection was forcibly closed by the remote host
                      at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags
                   socketFlags)
                      at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
                      --- End of inner exception stack trace ---
                      at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
                      at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
                      at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest
                   asyncRequest)
                      at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer,
                   AsyncProtocolRequest asyncRequest)
                      at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
                      at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext,
                   ContextCallback callback, Object state, Boolean preserveSyncCtx)
                      at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback
                   callback, Object state, Boolean preserveSyncCtx)
                      at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback
                   callback, Object state)
                      at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
                      at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
                      at System.Net.ConnectStream.WriteHeaders(Boolean async)
                      --- End of inner exception stack trace ---
                      at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
                      at System.Net.WebClient.DownloadData(Uri address)
                      at CallSite.Target(Closure , CallSite , Object , Object )
Output           : {PingFedmetadataException}
ExceptionMessage : 

I'm trying to work out a process that would allow my helpdesk to delete an individual user's profile from Office 365 sharepoint online using powershell.

It's easy to connect to our Sharepoint Online URL and see the sites we have:

Connect-MsolService
Connect-SPOService -url https://example-admin.sharepoint.com -Credential [email protected]

I can verify that I'm connected. get-sposite returns a list of our sharepoint online URLs, as you expect.

Running commands such as repair-sposite or remove-sposite work for the entire site collection, e.g. repair-sposite -identity https://example-my.sharepoint.com works on the whole site collection, so the last thing I want to be doing is running remove-sposite at this level, and running it at a deeper level (repair-sposite -identity https://example-my.sharepoint.com/personal/user_example_com) fails to locate a sharepoint site to work with.

There are a few sites out there that have all cut and pasted the same snippet of code to iterate all the users in a sharepoint mysites collection and remove all of them, but I'm not convinced that code works for sharepoint 2013 sites and it's trivial to remove a user's permissions from a site. But I don't want to do either of those things, I just want to remove one user's profile from mysites.

This is a Canonical Question about Redundant DHCP Servers.

Is it possible to have more than one DHCP server on the same LAN? What are the implications of doing this?

1. What happens if there is more than one DHCP server available? How do my clients know which one to use?
2. How can I have DHCP servers supplying addresses to more than one subnet\network segment?
3. How can I configure multiple DHCP servers to supply addresses for the same subnet.

I'm trying to add and remove Library locations from Windows 7's "Library" locations in for each of my users.

While its easy to do this from the desktop, and its easy to disable libraries appearing in explorer, how can I add or remove locations from a library location (e.g. remove c:\users\public\documents from the user's documents library)?

I don't need to 'lock' their list of library locations, I'm happy for them to add and remove their own locations as they wish, but I want to control the initial locations that they are offered.

Trying to configure RADIUS for a college network, and have run into the following frustration:

I can't set an "AND" condition for group membership of authenticated objects in the network policy rules, e.g. I'm trying to create a NPS rule that says, essentially "IF user is a member of [list of user groups] And is authenticating from a computer in [wireless computer group] then allow access.

The screenshot above is the rule I am having trouble with. It does not work as written. The rule underneath it, which is identical in every aspect except the conditions rule, does work.

I've tried changing the non-working rule to define each set of groups as "Windows group" rather than specifically as machine and user groups, with no change.

With the "faulty" rule enabled and the working one disabled, any attempt to login with a valid account from a machine that is in the wireless computers group gives a 6273 audit event in the windows event log: Reason code 66 - "the user attempted to use an authentication method that is not enabled on the matching network policy". Disabling the "faulty" rule, enabling the other rule and logging in with the same account and computer works just fine.

Having a problem with a SQL Server which was virtualised from a physical machine. The CPU mask was set on the physical SQL Server for some reason prior to virtualisation and now advanced options are not available in the machine now it's a VMware guest. So I need to reconfigure the CPU affinity mask settings - which are advanced options, so this is blocked because of the affinity mask issue.

I've tried doing this from the SQL server in single user command line mode, I've googled and found lots of people with similar problems but no real solution.

Sample commands and output from query analyser below.

sp_configure 'show advanced options', 1 
GO
RECONFIGURE WITH OVERRIDE
GO
sp_configure 'affinity mask', 0x00000000
GO
RECONFIGURE 
GO

-----------------------------------------

Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.

Msg 5832, Level 16, State 1, Line 1

The affinity mask specified does not match the CPU mask on this system.

Msg 15123, Level 16, State 1, Procedure sp_configure, Line 51

The configuration option 'affinity mask' does not exist, or it may be an advanced option.

I was wondering if anyone had seen and fixed this one:

We have a number of Windows 2003 SP2 based DCs which normally work well. However, sometimes after a warm reboot they fail to correctly initialise their network connections - the cards are enabled and appear to be working correctly but traffic does not flow over the cards. This is the case on both their LAN and iSCSI interfaces.

A subsequent warm reboot fixes the issue (e.g. they start up normally and work fine). Cold Reboots do not appear to cause the problem. We've seen this issue with different hardware, both in terms of the server platform (different models of Dell PowerEdge) and different network cards (broadcom & Intel based NICs). And of course we've tried different versions of drivers for all the network cards we have tried.

There are no windows or 3rd party firewalls running on the servers.