Windows | Alex Ø. T. Hansen

Alex Ø. T. Hansen

12/12/2018

Exam AZ-102: Microsoft Azure Administrator Certification Transition

Recently passed the 70-533 exam and earned a MCSE. Now I’m studying for the transition exam AZ-102 (expiring March 31, 2019), which would give me the Azure Administrator Associate badge. In this post I will give a short description on which methods I used to pass AZ-102.

The resources I used were:

Sharon Bennett’s LinkedIn course (30 days free trial)
Saw the videos on the Microsoft Learn portal
Tested my self through the official practice tests on mindhub
Used the official Azure documentation.
Hands-on labs in a Azure subscription (30 days free trial).

The exam is broken into 8 sections:

1. Manage Azure Subscriptions and Resources (5-10%)
  - May include but not limited to: Configure diagnostic settings on resources; create baseline for resources; create and rest alerts; analyze alerts across subscription; analyze metrics across subscription; create action groups; monitor for unused resources; monitor spend; report on spend; utilize Log Search query functions; view alerts in Log Analytics
2. Implement and Manage Storage (5-10%)
  - May include but not limited to: Create Azure file share; create Azure File Sync service; create Azure sync group; troubleshoot Azure File Sync
3. Configure and manage virtual networks (15-20%)
  - May include but not limited to: Create and configure VNET peering; create and configure VNET to VNET; verify virtual network connectivity; create virtual network gateway
  - May include but not limited to: Configure Azure DNS; configure custom DNS settings; configure DNS zones
4. Manage identities (15-20%)
  - May include but not limited to: Add custom domains; configure Azure AD Identity Protection, Azure AD Join, and Enterprise State Roaming; configure self-service password reset; implement conditional access policies; manage multiple directories; perform an access review
  - May include but not limited to: Install and configure Azure AD Connect; configure federation and single sign-on; manage Azure AD Connect; manage password sync and writeback
5. Evaluate and perform server migration to Azure (15-20%)
  - May include but not limited to: Discover and assess environment; identify workloads that can and cannot be deployed; identify ports to open; identify changes to network; identify if target environment is supported; setup domain accounts and credentials
  - May include but not limited to: Migrate by using Azure Site Recovery (ASR); migrate using P2V; configure storage; create a backup vault; prepare source and target environments; backup and restore data; deploy Azure Site Recovery (ASR) agent; prepare virtual network
6. Implement and manage application services (5-10%)
  - May include but not limited to: Create and manage objects; manage a Logic App resource; manage Azure Function app settings; manage Event Grid; manage Service Bus
7. Implement advanced virtual networking (5-10%)
  - May include but not limited to: Monitor on-premises connectivity; use network resource monitoring and Network Watcher; manage external networking and virtual network connectivity
8. Secure identities (5-10%)
  - May include but not limited to: Enable MFA for an Azure tenant; configure user accounts for MFA; configure fraud alerts; configure bypass options; configure trusted IPs; configure verification methods; manage role-based access control (RBAC); implement RBAC policies; assign RBAC Roles; create a custom role; configure access to Azure resources by assigning roles; configure management access to Azure

If you can answer (and know the reason behind the answer) the following questions regarding Azure, you should be ready to take the AZ-102 exam. For each question I will provide a link to the answer. There might be more than one correct answer to a question, but the questions link points to which tool or technology you should know about in order to pass.

Alex Ø. T. Hansen

01/12/2018

PowerShell – Set the account profile picture from Azure AD

If you ever need to set the local Windows user account profile pictures from Azure AD, you can use the following script.

The script leverages the Graph API through a service principal (app) in Azure AD. There is some requirements before running the script:

An Azure AD App with “read all users’ full profiles” Graph API permission. More information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
You must be able to get the object id (client id), key (client secret) and token endpoint (OAuth 2.0 Token Endpoint) from the Azure AD app.
The OS must be Windows 10.
The client must be able to contact the Azure AD.

You can run the script “manually” or deploy it with Azure Intune. You can run the script under your own or with the “nt authority\system” account. Just be sure that the account have access to write to the following registry path “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users” and it child objects.

The only thing you need to change in the script is three variables (line 43, 44 and 45) for the Azure AD app information.

Here is a basic walk through of what the script actually does:

Create folder structure in “C:\Scripts\ProfilePicture” to store pictures, script and logs. The folder path can be changed to your liking on line 33, 34 and 39.
Start transcript logs to “C:\Scripts\ProfilePicture\Logs\”.
Get the access token for Graph API.
Get user information (UPN, Username and SID) that have already logged in to the local device.
Download user profile photo for each user in “C:\Scripts\ProfilePicture\Data\”.
Sets registry keys to use the downloaded photo for each user.
Create a task schedule (if it doesn’t exist) so it updates any picture change in Azure AD.
Copy the script to location “C:\Scripts\ProfilePicture”.

You may need to compile the code into an executable, this will disguise the client secret used to retrieve the profile pictures. One way of turning a PowerShell script into an executable is to use this script, but remember to change the schedule task in the code to point to the .exe file instead of the .ps1 before compiling.

#requires -version 3
<#
.SYNOPSIS
  .

.DESCRIPTION
  .

.NOTES
  Version:        1.0
  Author:         Alex Ø. T. Hansen (ath@tofte-it.dk)
  Creation Date:  01-12-2018
  Purpose/Change: Initial script development
#>

#region begin boostrap
############### Bootstrap - Start ###############

#Clear the screen.
Clear-Host;

#Assemblies.
Add-Type -AssemblyName System.Web;

############### Bootstrap - End ###############
#endregion

#region begin input
############### Input - Start ###############

#Folders:
$Folders = @{
    Logs = ("C:\Scripts\ProfilePicture\Logs\");
    Data = ("C:\Scripts\ProfilePicture\Data\");
};

#Files:
$Files = @{
    Script = ("C:\Scripts\ProfilePicture\Set-AzureADProfilePicture.ps1");
};

#Azure AD Application.
$OauthTokenEndpoint = "https://login.microsoftonline.com/<GUID>/oauth2/token";
$ClientID = "<Client ID>";
$ClientSecret = "<Client Secret>";

############### Input - End ###############
#endregion

#region begin functions
############### Functions - Start ###############

#Write to the console.
Function Write-Console
{
    [cmdletbinding()]	
		
    Param
    (
        [Parameter(Mandatory=$false)][string]$Category,
        [Parameter(Mandatory=$false)][string]$Text
    )

    #If the input is empty.
    If([string]::IsNullOrEmpty($Text))
    {
        $Text = " ";
    }

    #If category is not present.
    If([string]::IsNullOrEmpty($Category))
    {
        #Write to the console.
        Write-Output("[" + (Get-Date).ToString("dd/MM-yyyy HH:mm:ss") + "]: " + $Text + ".");
    }
    Else
    {
        #Write to the console.
        Write-Output("[" + (Get-Date).ToString("dd/MM-yyyy HH:mm:ss") + "][" + $Category + "]: " + $Text + ".");
    }
}

#Sets a user profile picture.
Function Set-UserProfilePicture
{
    [cmdletbinding()]	
		
    Param
    (
        [Parameter(Mandatory=$true)]$SID,
        [Parameter(Mandatory=$true)]$FilePath
    )

    #Check if the profile picture exist.
    If(Test-Path -Path $FilePath)
    {
        #Create new image folder.
        $ImageBase = ($env:public + "\AccountPictures\" + $SID);
        $ImageBaseFolder = (New-Item -Path $ImageBase -ItemType Directory -Force) | Out-Null;

        #Create registry path.
        $RegistryPath = ("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\" + $SID);
        New-Item -Path $RegistryPath -Force | Out-Null;

        #Array of image sizes.
        $ImageSizes = @(32, 40, 48, 96, 192, 200, 240, 448);

        #Foreach image size.
        Foreach($ImageSize in $ImageSizes)
        {
            #Set photo filename.
            $PhotoFileName = ("Image" + $ImageSize + ".jpg");

            #Save the photo.
            Copy-Item -Path $FilePath -Destination ($ImageBase + "\" + $PhotoFileName) -Force;

            #Create new registry key.
            New-ItemProperty -Path $RegistryPath -Name ("Image" + $ImageSize) -Value ($ImageBase + "\" + $PhotoFileName) -Force | Out-Null;
        }
    }
}

#Get cache user information from the registry.
Function Get-CacheUserInformation
{
    #Array to store user information.
    $Users = @();

    #Get all identities except system users.
    $Identities = Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache" | Where-Object {$_.Name -notlike "*S-1-5*"};

    #Foreach identity found.
    Foreach($Identity in $Identities)
    {
        #Clear variables.
        $UPN = $null;
        $SID = $null;
        $SamAccountName = $null;
        $Domain = $null;

        #Set SID.
        $SID = $Identity.PSChildName;

        #Get key values.
        $KeyValues = Get-ItemProperty -Path ("HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\" + $SID + "\IdentityCache\" + $SID);

        #Set variables.
        $UPN = $KeyValues.UserName;
        $SamAccountName = $KeyValues.SAMName;
        $Domain = $KeyValues.ProviderName;

        #Create a new object.
        $User = New-Object -TypeName psobject;
    
        #Add data to the object.
        Add-Member -InputObject $User -MemberType NoteProperty -Name "UPN" -Value $UPN;
        Add-Member -InputObject $User -MemberType NoteProperty -Name "SID" -Value $SID;
        Add-Member -InputObject $User -MemberType NoteProperty -Name "SamAccountName" -Value $SamAccountName;
        Add-Member -InputObject $User -MemberType NoteProperty -Name "Domain" -Value $Domain;

        #Add object to array.
        $Users += $User;
    }

    #Return object array.
    Return $Users;
}

#Get access token from Graph API.
Function Get-GraphAccessToken
{
    [cmdletbinding()]	
		
    Param
    (
        [Parameter(Mandatory=$true)][string]$TokenEndpoint,
        [Parameter(Mandatory=$true)][string]$ClientID,
        [Parameter(Mandatory=$true)][string]$ClientSecret
    )

    #Encode the client secret so it removes any special characters.
    $ClientSecretEncoded = [System.Web.HttpUtility]::UrlEncode($ClientSecret);

    #Construct request body to Graph API.
    $AuthBody = ("grant_type=client_credentials" + "&client_id=$ClientID" + "&client_secret=$ClientSecretEncoded" + "&resource=https://graph.microsoft.com/");

    #Call the Graph API to get bearer token.
    $AuthReponse = Invoke-RestMethod -Method Post -Uri $OauthTokenEndpoint -body $AuthBody -ContentType "application/x-www-form-urlencoded";

    #Return access token.
    Return ($AuthReponse.access_token);
}

#Get the user profile picture from Azure AD.
Function Get-UserProfilePicture
{
    [cmdletbinding()]	
		
    Param
    (
        [Parameter(Mandatory=$true)][string]$AccessToken,
        [Parameter(Mandatory=$true)][string]$UPN,
        [Parameter(Mandatory=$true)][string]$Destination
    )

    #Invoke rest method to Graph API with access token.
    Invoke-RestMethod -Method Get -Uri ("https://graph.microsoft.com/v1.0/users/" + $UPN + '/photo/$value') -Headers @{"Authorization"="Bearer $($AccessToken)"} -OutFile $Destination;
}

#Create a schedule task.
Function New-ProfilePictureScheduleTask
{
    [cmdletbinding()]	
		
    Param
    (
        [Parameter(Mandatory=$true)][string]$Script
    )

    #Template to create the schedule task.
    $XML = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2018-12-01T00:00:00.0000000</Date>
    <Author>blog.tofte-it.dk</Author>
    <URI>\Set Profile Account Pictures</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2018-12-01T10:00:00+01:00</StartBoundary>
      <ExecutionTimeLimit>P1D</ExecutionTimeLimit>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P1D</ExecutionTimeLimit>
    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT15M</Interval>
      <Count>3</Count>
    </RestartOnFailure>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-ExecutionPolicy Bypass -File "$($Script)"</Arguments>
    </Exec>
  </Actions>
</Task>
"@;

    #Add schedule task.
    Register-ScheduledTask -Xml $XML -TaskName "Set Profile Account Pictures" | Out-Null;
}

#Check if the schedule task already exist.
Function Test-ScheduleTask
{
    [CmdletBinding()]
    
    Param
    (
        [parameter(Mandatory=$true)][string]$Name
    )
 
    #Create a new schedule object.
    $Schedule = New-Object -com Schedule.Service;
    
    #Connect to the store.
    $Schedule.Connect();
 
    #Get schedule tak folders.
    $Task = $Schedule.GetFolder("\").GetTasks(0) | Where-Object {$_.Name -eq $Name -and $_.Enabled -eq $true};
 
    #If the task exists and is enabled.
    If($Task)
    {
        #Return true.
        Return $true;
    }
    #If the task doesn't exist.
    Else
    {
        #Return false.
        Return $false;
    }
}

############### Functions - End ###############
#endregion

#region begin main
############### Main - Start ###############

#Create folders.
New-Item -Path $Folders.Logs -ItemType Directory -Force | Out-Null;
New-Item -Path $Folders.Data -ItemType Directory -Force | Out-Null;

#Start transcript.
Start-Transcript -Path ($Folders.Logs + "\" + (Get-Date).ToString("ddMMyyyy") + ".log") -Append -Force;

#Get access token to access Graph API.
Write-Console -Category "Access Token" -Text "Getting Graph API access token";
$AccessToken = Get-GraphAccessToken -TokenEndpoint $OauthTokenEndpoint -ClientID $ClientID -ClientSecret $ClientSecret;

#Get all cached users.
Write-Console -Category "Registry" -Text "Getting cached users from registry";
$Users = Get-CacheUserInformation;

#Foreach user cached.
Write-Console -Category "Users" -Text "Enumerating cached users";
Foreach($User in $Users)
{
    #Write to log.
    Write-Output "";
    Write-Console -Category $User.UPN -Text $User.UPN;
    Write-Console -Category $User.UPN -Text $User.SID;
    Write-Console -Category $User.UPN -Text $User.SamAccountName;
    Write-Console -Category $User.UPN -Text $User.Domain;

    #Download the profile picture.
    Write-Console -Category $User.UPN -Text ("Downloading profile picture to '" + ($Folders.Data + $User.UPN + ".jpeg") + "'");
    Get-UserProfilePicture -AccessToken $AccessToken -UPN $User.UPN -Destination ($Folders.Data + $User.UPN + ".jpeg");

    #Set the user profile picture.
    Write-Console -Category $User.UPN -Text ("Setting registry keys");
    Set-UserProfilePicture -SID $User.SID -FilePath ($Folders.Data + $User.UPN + ".jpeg");
}

#Output empty line.
Write-Output "";

#Check if the schedule task doesn't exist.
If(!(Test-ScheduleTask -Name "Set Profile Account Pictures"))
{
    #Create the schedule task.
    Write-Console -Category "Schedule Task" -Text ("Creating schedule task");
    New-ProfilePictureScheduleTask -Script $Files.Script;

    #Copy running script.
    Write-Console -Category "Schedule Task" -Text ("Copying running script to '" + $Files.Script + "'");
    Copy-Item -Path $PSCommandPath -Destination $Files.Script;
}

############### Main - End ###############
#endregion

#region begin finalize
############### Finalize - Start ###############

#Stop transcript.
Stop-Transcript;

############### Finalize - End ###############
#endregion

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

#requires -version 3

.SYNOPSIS

.DESCRIPTION

.NOTES

Version: 1.0

Author: Alex Ø. T. Hansen (ath@tofte-it.dk)

Creation Date: 01-12-2018

Purpose/Change: Initial script development

#region begin boostrap

############### Bootstrap - Start ###############

#Clear the screen.

Clear-Host;

#Assemblies.

Add-Type -AssemblyName System.Web;

############### Bootstrap - End ###############

#endregion

#region begin input

############### Input - Start ###############

#Folders:

$Folders = @{

Logs = ("C:\Scripts\ProfilePicture\Logs\");

Data = ("C:\Scripts\ProfilePicture\Data\");

};

#Files:

$Files = @{

Script = ("C:\Scripts\ProfilePicture\Set-AzureADProfilePicture.ps1");

};

#Azure AD Application.

$OauthTokenEndpoint = "https://login.microsoftonline.com/<GUID>/oauth2/token";

$ClientID = "<Client ID>";

$ClientSecret = "<Client Secret>";

############### Input - End ###############

#endregion

#region begin functions

############### Functions - Start ###############

#Write to the console.

Function Write-Console

{

[cmdletbinding()]

Param

(

[Parameter(Mandatory=$false)][string]$Category,

[Parameter(Mandatory=$false)][string]$Text

)

#If the input is empty.

If([string]::IsNullOrEmpty($Text))

{

$Text = " ";

}

#If category is not present.

If([string]::IsNullOrEmpty($Category))

{

#Write to the console.

Write-Output("[" + (Get-Date).ToString("dd/MM-yyyy HH:mm:ss") + "]: " + $Text + ".");

}

Else

{

#Write to the console.

Write-Output("[" + (Get-Date).ToString("dd/MM-yyyy HH:mm:ss") + "][" + $Category + "]: " + $Text + ".");

}

#Sets a user profile picture.

Function Set-UserProfilePicture

{

[cmdletbinding()]

Param

(

[Parameter(Mandatory=$true)]$SID,

[Parameter(Mandatory=$true)]$FilePath

)

#Check if the profile picture exist.

If(Test-Path -Path $FilePath)

{

#Create new image folder.

$ImageBase = ($env:public + "\AccountPictures\" + $SID);

$ImageBaseFolder = (New-Item -Path $ImageBase -ItemType Directory -Force) | Out-Null;

#Create registry path.

$RegistryPath = ("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\" + $SID);

New-Item -Path $RegistryPath -Force | Out-Null;

#Array of image sizes.

$ImageSizes = @(32, 40, 48, 96, 192, 200, 240, 448);

#Foreach image size.

Foreach($ImageSize in $ImageSizes)

{

#Set photo filename.

$PhotoFileName = ("Image" + $ImageSize + ".jpg");

#Save the photo.

Copy-Item -Path $FilePath -Destination ($ImageBase + "\" + $PhotoFileName) -Force;

#Create new registry key.

New-ItemProperty -Path $RegistryPath -Name ("Image" + $ImageSize) -Value ($ImageBase + "\" + $PhotoFileName) -Force | Out-Null;

}

#Get cache user information from the registry.

Function Get-CacheUserInformation

{

#Array to store user information.

$Users = @();

#Get all identities except system users.

$Identities = Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache" | Where-Object {$_.Name -notlike "*S-1-5*"};

#Foreach identity found.

Foreach($Identity in $Identities)

{

#Clear variables.

$UPN = $null;

$SID = $null;

$SamAccountName = $null;

$Domain = $null;

#Set SID.

$SID = $Identity.PSChildName;

#Get key values.

$KeyValues = Get-ItemProperty -Path ("HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\" + $SID + "\IdentityCache\" + $SID);

#Set variables.

$UPN = $KeyValues.UserName;

$SamAccountName = $KeyValues.SAMName;

$Domain = $KeyValues.ProviderName;

#Create a new object.

$User = New-Object -TypeName psobject;

#Add data to the object.

Add-Member -InputObject $User -MemberType NoteProperty -Name "UPN" -Value $UPN;

Add-Member -InputObject $User -MemberType NoteProperty -Name "SID" -Value $SID;

Add-Member -InputObject $User -MemberType NoteProperty -Name "SamAccountName" -Value $SamAccountName;

Add-Member -InputObject $User -MemberType NoteProperty -Name "Domain" -Value $Domain;

#Add object to array.

$Users += $User;

}

#Return object array.

Return $Users;

}

#Get access token from Graph API.

Function Get-GraphAccessToken

{

[cmdletbinding()]

Param

(

[Parameter(Mandatory=$true)][string]$TokenEndpoint,

[Parameter(Mandatory=$true)][string]$ClientID,

[Parameter(Mandatory=$true)][string]$ClientSecret

)

#Encode the client secret so it removes any special characters.

$ClientSecretEncoded = [System.Web.HttpUtility]::UrlEncode($ClientSecret);

#Construct request body to Graph API.

$AuthBody = ("grant_type=client_credentials" + "&client_id=$ClientID" + "&client_secret=$ClientSecretEncoded" + "&resource=https://graph.microsoft.com/");

#Call the Graph API to get bearer token.

$AuthReponse = Invoke-RestMethod -Method Post -Uri $OauthTokenEndpoint -body $AuthBody -ContentType "application/x-www-form-urlencoded";

#Return access token.

Return ($AuthReponse.access_token);

}

#Get the user profile picture from Azure AD.

Function Get-UserProfilePicture

{

[cmdletbinding()]

Param

(

[Parameter(Mandatory=$true)][string]$AccessToken,

[Parameter(Mandatory=$true)][string]$UPN,

[Parameter(Mandatory=$true)][string]$Destination

)

#Invoke rest method to Graph API with access token.

Invoke-RestMethod -Method Get -Uri ("https://graph.microsoft.com/v1.0/users/" + $UPN + '/photo/$value') -Headers @{"Authorization"="Bearer $($AccessToken)"} -OutFile $Destination;

}

#Create a schedule task.

Function New-ProfilePictureScheduleTask

{

[cmdletbinding()]

Param

(

[Parameter(Mandatory=$true)][string]$Script

)

#Template to create the schedule task.

$XML = @"

<?xml version="1.0" encoding="UTF-16"?>

<Author>blog.tofte-it.dk</Author>

<URI>\Set Profile Account Pictures</URI>

</RegistrationInfo>

</ScheduleByDay>

</CalendarTrigger>

</Triggers>

<RunLevel>HighestAvailable</RunLevel>

</Principal>

</Principals>

<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>

<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>

<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>

<RestartOnIdle>false</RestartOnIdle>

</IdleSettings>

<Hidden>false</Hidden>

<RunOnlyIfIdle>false</RunOnlyIfIdle>

<WakeToRun>false</WakeToRun>

</RestartOnFailure>

</Settings>

<Exec>

<Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>

<Arguments>-ExecutionPolicy Bypass -File "$($Script)"</Arguments>

</Exec>

</Actions>

</Task>

"@;

#Add schedule task.

}

#Check if the schedule task already exist.

Function Test-ScheduleTask

{

[CmdletBinding()]

Param

(

[parameter(Mandatory=$true)][string]$Name

)

#Create a new schedule object.

$Schedule = New-Object -com Schedule.Service;

#Connect to the store.

$Schedule.Connect();

#Get schedule tak folders.

$Task = $Schedule.GetFolder("\").GetTasks(0) | Where-Object {$_.Name -eq $Name -and $_.Enabled -eq $true};

#If the task exists and is enabled.

If($Task)

{

#Return true.

Return $true;

}

#If the task doesn't exist.

Else

{

#Return false.

Return $false;

}

############### Functions - End ###############

#endregion

#region begin main

############### Main - Start ###############

#Create folders.

New-Item -Path $Folders.Logs -ItemType Directory -Force | Out-Null;

New-Item -Path $Folders.Data -ItemType Directory -Force | Out-Null;

#Start transcript.

Start-Transcript -Path ($Folders.Logs + "\" + (Get-Date).ToString("ddMMyyyy") + ".log") -Append -Force;

#Get access token to access Graph API.

Write-Console -Category "Access Token" -Text "Getting Graph API access token";

$AccessToken = Get-GraphAccessToken -TokenEndpoint $OauthTokenEndpoint -ClientID $ClientID -ClientSecret $ClientSecret;

#Get all cached users.

Write-Console -Category "Registry" -Text "Getting cached users from registry";

$Users = Get-CacheUserInformation;

#Foreach user cached.

Write-Console -Category "Users" -Text "Enumerating cached users";

Foreach($User in $Users)

{

#Write to log.

Write-Output "";

Write-Console -Category $User.UPN -Text $User.UPN;

Write-Console -Category $User.UPN -Text $User.SID;

Write-Console -Category $User.UPN -Text $User.SamAccountName;

Write-Console -Category $User.UPN -Text $User.Domain;

#Download the profile picture.

Write-Console -Category $User.UPN -Text ("Downloading profile picture to '" + ($Folders.Data + $User.UPN + ".jpeg") + "'");

Get-UserProfilePicture -AccessToken $AccessToken -UPN $User.UPN -Destination ($Folders.Data + $User.UPN + ".jpeg");

#Set the user profile picture.

Write-Console -Category $User.UPN -Text ("Setting registry keys");

Set-UserProfilePicture -SID $User.SID -FilePath ($Folders.Data + $User.UPN + ".jpeg");

}

#Output empty line.

Write-Output "";

#Check if the schedule task doesn't exist.

If(!(Test-ScheduleTask -Name "Set Profile Account Pictures"))

{

#Create the schedule task.

Write-Console -Category "Schedule Task" -Text ("Creating schedule task");

New-ProfilePictureScheduleTask -Script $Files.Script;

#Copy running script.

Write-Console -Category "Schedule Task" -Text ("Copying running script to '" + $Files.Script + "'");

Copy-Item -Path $PSCommandPath -Destination $Files.Script;

}

############### Main - End ###############

#endregion

#region begin finalize

############### Finalize - Start ###############

#Stop transcript.

Stop-Transcript;

############### Finalize - End ###############

#endregion

Alex Ø. T. Hansen

20/11/2018

PowerShell – Get all nested groups for a user in Active Directory

Ever needed to get all nested groups a user belongs in Active Directory?

#Get all recursive groups a user belongs.
Function Get-ADUserNestedGroups
{
    Param
    (
        [string]$DistinguishedName,
        [array]$Groups = @()
    )

    #Get the AD object, and get group membership.
    $ADObject = Get-ADObject -Filter "DistinguishedName -eq '$DistinguishedName'" -Properties memberOf, DistinguishedName;
    
    #If object exists.
    If($ADObject)
    {
        #Enummurate through each of the groups.
        Foreach($GroupDistinguishedName in $ADObject.memberOf)
        {
            #Get member of groups from the enummerated group.
            $CurrentGroup = Get-ADObject -Filter "DistinguishedName -eq '$GroupDistinguishedName'" -Properties memberOf, DistinguishedName;
       
            #Check if the group is already in the array.
            If(($Groups | Where-Object {$_.DistinguishedName -eq $GroupDistinguishedName}).Count -eq 0)
            {
                #Add group to array.
                $Groups +=  $CurrentGroup;

                #Get recursive groups.      
                $Groups = Get-ADUserNestedGroups -DistinguishedName $GroupDistinguishedName -Groups $Groups;
            }
        }
    }

    #Return groups.
    Return $Groups;
}
 
#The user to check.
$User = "<SamAccountName/DN/UserPrincipal>";

#Get all groups.
$Groups = Get-ADUserNestedGroups -DistinguishedName (Get-ADUser -Identity $User).DistinguishedName;

#Output all groups.
$Groups | Select-Object Name | Sort-Object -Property Name;

#Get all recursive groups a user belongs.

Function Get-ADUserNestedGroups

{

Param

(

[string]$DistinguishedName,

[array]$Groups = @()

)

#Get the AD object, and get group membership.

$ADObject = Get-ADObject -Filter "DistinguishedName -eq '$DistinguishedName'" -Properties memberOf, DistinguishedName;

#If object exists.

If($ADObject)

{

#Enummurate through each of the groups.

Foreach($GroupDistinguishedName in $ADObject.memberOf)

{

#Get member of groups from the enummerated group.

$CurrentGroup = Get-ADObject -Filter "DistinguishedName -eq '$GroupDistinguishedName'" -Properties memberOf, DistinguishedName;

#Check if the group is already in the array.

If(($Groups | Where-Object {$_.DistinguishedName -eq $GroupDistinguishedName}).Count -eq 0)

{

#Add group to array.

$Groups += $CurrentGroup;

#Get recursive groups.

$Groups = Get-ADUserNestedGroups -DistinguishedName $GroupDistinguishedName -Groups $Groups;

}

#Return groups.

Return $Groups;

}

#The user to check.

$User = "<SamAccountName/DN/UserPrincipal>";

#Get all groups.

$Groups = Get-ADUserNestedGroups -DistinguishedName (Get-ADUser -Identity $User).DistinguishedName;

#Output all groups.

$Groups | Select-Object Name | Sort-Object -Property Name;

Alex Ø. T. Hansen

19/09/2018

Exchange – Add nested group recipients to parent resources

Do you have nested groups within Exchange resources such as distribution groups, shared mailboxes, rooms or equipment?

If you have, you have come to the right place. I have created a script that extracts all nested group members of a resource, and add it directly to the resource instead.

The script works in both on-premise and Exchange Online.

Before you can run the script, you need to have access to the following:

Access to on-premise and/or Office 365 environment as a administrator.
Have the AzureAD and Active Directory PowerShell module installed.

Alex Ø. T. Hansen

16/09/2018

Tutorial – Deploy Always On VPN

Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, non-domain-joined (workgroup), or Azure AD–joined devices, even personally owned devices. With Always On VPN, the connection type does not have to be exclusively user or device but can be a combination of both. For example, you could enable device authentication for remote device management, and then enable user authentication for connectivity to internal company sites and services.

The purpose for this guide is to demonstrate how to deploy the Always On feature easily. In this guide we will deploy the following platforms primarily using PowerShell where possible:

Active Directory (AD DS)
DNS
Certificate Authority (AD CS)
DHCP
Routing and Remote Access Service (RRAS)
Network Policy Server (RADIUS)

It will not be demonstrated how to install Windows Server or Windows 10 operating system.

Do not attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure. Using Remote Access in Microsoft Azure is not supported, including both Remote Access VPN and DirectAccess.

Alex Ø. T. Hansen

18/06/2018

SCCM – Cloud Management Gateway and Cloud Distribution Point

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional infrastructure. You also don’t need to expose your on-premises infrastructure to the internet.

A cloud-based distribution point is a System Center Configuration Manager distribution point that is hosted in Microsoft Azure. The following information is intended to help you learn about configurations and limitations for using a cloud-based distribution point.

In this step-by-step guide, I will demonstrate how to configure and establish a Cloud Management Gateway (CMG) and Cloud Distribution Point (CDP) in SCCM and Azure.

In order to walk you through the entire process of setting up the Cloud Management Gateway and Cloud Distribution Point features, I am going to break this down into 6 parts.

Overview
Certificates
Azure Service
Cloud Management Gateway
Cloud Distribution Point
Log Files

Alex Ø. T. Hansen

25/04/2018

Ethical Hacking – Tools for the 5 Phases of Hacking

After finishing two MCSA (Office 365 & Windows Server 2012 R2) certifications, I’m currently studying to take the CEH v10 certification, which is a valuable tool for any IT-professional.

This post is part of a series called “Ethical Hacking”.

While I’m studying for this certification, I’m going to update this post with variety of useful tools and websites. Only use these tools in your own environment for education purposes only.

Alex Ø. T. Hansen

08/08/2017

WSUS – High CPU due to “supersedence” updates.

Lately I have been seeing high CPU (90-100%) usage on servers where the Windows Server Updates Services (WSUS) is installed.

This is mainly caused by updates that is superseded, and is filling the database causing the CPU to spike.

Alex Ø. T. Hansen

03/08/2017

WSUS – Windows 10 Clients – Error 0x8024500c

Error

Just finished troubleshooting an error with Windows 10 clients (build 1607 and above) contacting WSUS server getting 0x8024500c like below while searching updates.

The client had an on-premise WSUS server which they wanted to push out Windows Updates, instead of using the internet (windowsupdate.microsoft.com).

Cause/Solution

They had configured the following group policy to enable:

Computer Configuration\Administrative Templates\Windows Components\Windows Update
- Do not connect to any Windows Update Internet location

This caused the Windows Update on the clients to break, instead they should disabled the above and configured the following instead:

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
- Turn off access to all Windows Update features

The above will allow users to download apps on the Windows Store, but still only allowing the users to use the on-premise WSUS server.

Unfortunately Microsoft introduced a new feature called “Dual Scan” (read more about it here) which allows the Windows clients to access both WSUS and the internet, which would potentially bypass the local WSUS.

To disable the dual scan, the client needs to have the following registry keys deleted.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update
- BranchReadinessLevel
- DeferFeatureUpdatesPeriodInDays
- DeferQualityUpdatesPeriodInDays
- DeferUpdatePeriod
- DeferUpgradePeriod
- ExcludeWUDriversInQualityUpdate
- PauseDeferrals
- PauseFeatureUpdates
- PauseQualityUpdates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
- BranchReadinessLevel
- DeferFeatureUpdatesPeriodInDays
- DeferQualityUpdatesPeriodInDays
- ExcludeWUDriversInQualityUpdate
- DeferUpgrade

If though you set the matching group policies to “Not Configured” or “Disable”, it will not delete the keys but only set them to zero (DWORD) in the registry.

For those clients that are running build 1607, you need to install kb4025334 which will add a local policy “Do not allow update deferral policies to cause scan against Windows Update” under “Computer Configuration\Administrative Templates\Windows Components\Windows Update“.

You can set this group policy on those 1607 clients by adding the following registry through group policy.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- Key: DisableDualScan
- Value: 0x1
- Type: DWORD

The WSUS server was also tuned a little, because all resources was used. This caused the clients to take a long time to talk and eventually timeout.

All superseded updates was declined in the WSUS management console.
The WSUS IIS application pool (“WsusPool“) was also tunned with the following settings (remember IISRESET afterwards):
- .NET Framework Version: v4.0
  - Already on Windows Server 2012 above, but this server was Windows Server 2008 R2
- Queue Length: 2000
- Private Memory Limit: 7843200

You can test the Windows Update by executing the following command in a elevated command prompt.

usoclient.exe StartScan

Troubleshooting

Registry Keys

If you want to see what registry keys you have on your client, you can run the following in a command prompt with elevated rights.

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
reg query HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update
reg query HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings

Windows Update Log

Check the Windows Update log by running the following command in PowerShell.

Get-WindowsUpdateLog

CBS Log

Check the Component-Based Servicing log here.

C:\Windows\Logs\CBS

That is my 2 cents, hope you can use it!

Alex Ø. T. Hansen

29/02/2016

SCCM – Image Capture – Error 0x00004005

I had to capture a Windows 7 image in SCCM. When I tried to capture the image, i was getting the following error.

Task Sequence: Image Capture Wizard has failed with the error code (0x00004005)

The solution was pretty easy. It turned out that it was the product key that couldn’t be activated.