Enable BitLocker on Azure AD Joined Windows 10 Device

Windows 10 devices will automatically encrypt the local drive when they are joined to Azure Active Directory (AAD). The device must be InstantGo capable.

InstantGo (formerly known as Connected Standby) is a very low power state that some devices support. It is much like your mobile phone: it is almost switched off but can still receive text messages and e-mails, and switches to a different power state when a call comes in.

How do you check this?

Open a command prompt, type powercfg /a

Devices that have InstantGo support will return “Network Connected”:


Where do I find the recovery key?

Users can retrieve their recovery key by going to http://myapps.microsoft.com, selecting Devices and then selecting the device for which they would like to get the recovery key:
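The following PowerShell is an added example (not from the original post) that performs the InstantGo check above on the device itself, reports the BitLocker state of the system drive and makes sure a recovery password protector exists and is escrowed to Azure AD, so that it actually shows up for the user under Devices. It assumes an elevated prompt on a Windows 10 device that is already Azure AD joined.

```powershell
# Added example: verify InstantGo support, BitLocker state, and that the recovery
# password is backed up to Azure AD. Run elevated on the AAD-joined device.

# powercfg /a lists "Standby (S0 Low Power Idle) Network Connected" on InstantGo devices
$instantGo = (powercfg /a) -match 'Network Connected'
if (-not $instantGo) {
    Write-Warning 'No InstantGo support reported: automatic encryption will not occur on join'
}

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Output ("{0} {1}, {2}% encrypted, protection {3}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus)

# A recovery password protector has to exist before it can be escrowed
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow each recovery password to Azure AD; this is what makes the key visible
# to the user under Devices at myapps.microsoft.com
foreach ($p in $rp) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
}
```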


PowerShell – Configure Active Directory Permissions to Join Computer to the Domain

In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.

These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample Set-OUPermissions.ps1 script and copied it to C:\Setup\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.

  1. On DC01, using Active Directory User and Computers, browse to contoso.com / Contoso / Service Accounts.
  2. Select the Service Accounts organizational unit (OU) and create the MDT_JD account using the following settings:
    1. Name: MDT_JD
    2. User logon name: MDT_JD
    3. Password: P@ssw0rd
    4. User must change password at next logon: Clear
    5. User cannot change password: Select
    6. Password never expires: Select
  3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press Enter after each command:
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
    Set-Location C:\Setup\Scripts
    .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
  4. The Set-OUPermissions.ps1 script grants the MDT_JD user account the permissions needed to manage computer accounts in the Contoso / Computers OU. Below is a list of the permissions being granted:
    1. Scope: This object and all descendant objects
      1. Create Computer objects
      2. Delete Computer objects
    2. Scope: Descendant Computer objects
      1. Read All Properties
      2. Write All Properties
      3. Read Permissions
      4. Modify Permissions
      5. Change Password
      6. Reset Password
      7. Validated write to DNS host name
      8. Validated write to service principal name
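If you do not have the sample Set-OUPermissions.ps1 script to hand, the following added PowerShell (my own example, not the script referenced above) applies exactly the permission list above to the target OU using the AD: drive from RSAT. The full distinguished name of the OU and the domain suffix are assumptions; the schema and extended-right GUIDs are the well-known values from the AD schema.

```powershell
# Added example: grant MDT_JD the join permissions listed above on one OU.
# Assumes the ActiveDirectory module (RSAT) is installed and you are a domain admin.
Import-Module ActiveDirectory

$Account  = 'MDT_JD'
$TargetOU = 'OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com'   # assumed full DN

# Well-known GUIDs referenced by the ACEs
$ComputerClass  = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$ValidatedDns   = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # validated write to DNS host name
$ValidatedSpn   = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # validated write to SPN
$ChangePassword = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # Change Password extended right
$ResetPassword  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password extended right

$sid = (Get-ADUser -Identity $Account).SID
$acl = Get-Acl -Path "AD:\$TargetOU"

function New-Ace {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [Guid]$InheritedObjectType = [Guid]::Empty
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, 'Allow', $ObjectType, $Inheritance, $InheritedObjectType)
}

# Scope: this object and all descendant objects -> Create / Delete Computer objects
$acl.AddAccessRule((New-Ace 'CreateChild' $ComputerClass 'All'))
$acl.AddAccessRule((New-Ace 'DeleteChild' $ComputerClass 'All'))

# Scope: descendant Computer objects only
$d = 'Descendents'   # enum spelling used by .NET
$acl.AddAccessRule((New-Ace 'ReadProperty, WriteProperty, ReadControl, WriteDacl' ([Guid]::Empty) $d $ComputerClass))
$acl.AddAccessRule((New-Ace 'ExtendedRight' $ChangePassword $d $ComputerClass))
$acl.AddAccessRule((New-Ace 'ExtendedRight' $ResetPassword  $d $ComputerClass))
$acl.AddAccessRule((New-Ace 'Self' $ValidatedDns $d $ComputerClass))   # validated write: DNS host name
$acl.AddAccessRule((New-Ace 'Self' $ValidatedSpn $d $ComputerClass))   # validated write: SPN

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
```

Because the account is limited to computer objects under that one OU, a leaked join password cannot be used to touch user accounts or other OUs, which is the reason for scoping it this way rather than using a domain admin in unattend.xml.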

Microsoft Local Administrator Password Solution (LAPS)

Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as help desk administrators, are authorized to read passwords.

LAPS simplifies password management while helping customers implement recommended defenses against cyber attacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.

LAPS stores the password for each computer’s local administrator account in Active Directory, in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.

The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration.
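As an added example (not part of the original post), the AdmPwd.PS module that ships with LAPS can be used to set up the two permissions described above on one OU and then audit who can actually read the stored passwords. The OU distinguished name and the helpdesk group name are assumptions.

```powershell
# Added example: configure and audit LAPS permissions on a single OU.
# Assumes the LAPS management tools (AdmPwd.PS) and RSAT are installed.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OU       = 'OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com'   # assumed
$Helpdesk = 'CONTOSO\Workstation Helpdesk'                                # assumed group

# 1. Let each computer in the OU write its own password and expiration time
Set-AdmPwdComputerSelfPermission -OrgUnit $OU

# 2. Allow only the helpdesk group to read the confidential password attribute
Set-AdmPwdReadPasswordPermission -OrgUnit $OU -AllowedPrincipals $Helpdesk

# 3. Audit: any principal holding "All extended rights" on the OU can read
#    ms-Mcs-AdmPwd too, regardless of what was granted in step 2.
Find-AdmPwdExtendedRights -Identity $OU | ForEach-Object {
    foreach ($holder in $_.ExtendedRightHolders) {
        Write-Output ("{0} -> {1}" -f $_.ObjectDN, $holder)
    }
}

# 4. Compliance check: computers with no expiration timestamp have never had
#    their password rotated by the LAPS client-side extension.
Get-ADComputer -SearchBase $OU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
    Select-Object Name, DistinguishedName
```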


Windows 10 Group Policy Settings

Microsoft has released the latest Windows 10 Group Policy settings. As usual there is a handy spreadsheet with all the settings, plus new filtering capabilities that make finding the new policies easier.

Download the spreadsheet: http://www.microsoft.com/en-us/download/details.aspx?id=25250

Get all the templates from any Windows 10 machine. They are located in the C:\Windows\PolicyDefinitions folder. Then copy them into your domain central store (C:\Windows\SYSVOL\sysvol\{domain}\Policies\PolicyDefinitions).

IT Camp: Extend your Datacenter with Microsoft Azure

Just finishing up an IT Camp with Microsoft. Great overview of Microsoft Azure. Good labs using virtual machines, SQL and a web frontend. Looking forward to getting stuck into Azure AD. It is nice to have time to complete this course and have some good food from Clifton’s kitchen. Thanks to Regan Murphy for leading a good MS event.

Enabling Group Policy Logging and Tracing

Need to debug what is happening with your group policy preferences? Then enable the logging and tracing setting under:

Computer Configuration\Policies\Administrative Templates\System\Group Policy

Enable one or more of the preference client-side extensions.

Reboot the machine and logon.

The logs will be written to:

  • User trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\User.log
  • Computer trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Computer.log
  • Planning trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Planning.log


Adding third-party or custom built services into a GPO

You can add any service at all, including third-party or custom built services.

To get it from another machine that doesn’t have ADUC/GPMC…

  1. Logon to the machine that has the service you want to manage.
  2. Run Start>Run>secpol.msc.
  3. Create a new template.
  4. Edit that template’s ‘System services’ node and you’ll see the services on that machine. Simply add the service you want to the policy by adding the default setting (Automatic/Everyone-FC). Don’t set any other policies, just the services you want. Note: Without knowing the OS and which GP editor you are running, leaving the defaults for this step is recommended, as there are some known issues.
  5. Save the file.
  6. Copy that file to the machine where you run the GP Editor.
  7. Edit your desired policy and go to the ‘Security’ node, right-click, choose import to import the file with the service you just grabbed.
  8. Your service is now in the policy. Just edit the service with the proper permissions and startup state as desired.

Debugging Domain Join Issues with NetSetup.LOG

One log file details the entire process of joining the domain: C:\Windows\debug\NetSetup.log. Look for the section with today’s date to watch the process from the beginning, or go to the bottom of the file to see the last attempt and why it failed. If an attempt fails, Windows makes another attempt every five seconds, up to 80 times. As a result, your log may contain many duplicate failure messages.

A successful domain join displays the following message:

05/01/2012 09:28:01:740 NetpDoDomainJoin: status: 0x0

This line appears at the bottom of the last attempt, and denotes that the domain join process succeeded.  Any return status other than 0x0 denotes a failure.  You may also see the following lines above it, which also show success:

05/01/2012 09:28:01:740 NetpCompleteOfflineDomainJoin: status: 0x0
05/01/2012 09:28:01:740 NetpJoinDomain: NetpCompleteOfflineDomainJoin SUCCESS: Requested a reboot :0x0

Failure, again, is a non-zero return code:

01/20/2012 10:53:01:232 NetpDoDomainJoin: status: 0x2

One of the most common failures is an error attempting to connect to the IPC$ share on the domain controller.  It will look like this:

05/02/2012 23:14:21:057 NetUseAdd to \\DC1.company.local\IPC$ returned XXXX

Get the returned code (XXXX) and run net helpmsg XXXX from a command prompt to see the specific error. The following are common domain join errors and solutions to those errors.

Failure 1326

05/02/2012 23:07:31:696 NetUseAdd to \\DC1.company.local\IPC$ returned 1326
05/02/2012 23:07:31:696 NetpJoinDomain: status of connecting to dc ‘\\DC1.company.local’: 0x52e
05/02/2012 23:07:31:696 NetpJoinDomainOnDs: Function exits with status of: 0x52e
05/02/2012 23:07:31:696 NetpDoDomainJoin: status: 0x52e

Failure 1326 is a straightforward password error, “Logon failure: unknown user name or bad password.”  Double-check the username and password in your unattend.xml file.

Failure 1909

05/02/2012 23:14:21:057 NetUseAdd to \\DC1.company.local\IPC$ returned 1909
05/02/2012 23:14:21:057 NetpJoinDomain: status of connecting to dc ‘\\DC1.company.local’: 0x775
05/02/2012 23:14:21:057 NetpJoinDomainOnDs: Function exits with status of: 0x775
05/02/2012 23:14:21:057 NetpDoDomainJoin: status: 0x775

A 1909 error means “The referenced account is currently locked out and may not be logged on to.”  Go to your Active Directory and unlock the account.  You should also determine how the account got locked.  Often the account becomes locked because the unattend.xml has an incorrect password.  Attempting to join a domain retries dozens of times. If the password is incorrect, you might get three password failures and dozens of “account locked” failures.

Bad OU specified

01/20/2012 10:53:01:232 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x2
01/20/2012 10:53:01:232 NetpProvisionComputerAccount: LDAP creation failed: 0x2
01/20/2012 10:53:01:232 NetpProvisionComputerAccount: Cannot retry downlevel, specifying OU is not supported
01/20/2012 10:53:01:232 ldap_unbind status: 0x0
01/20/2012 10:53:01:232 NetpJoinDomainOnDs: Function exits with status of: 0x2
01/20/2012 10:53:01:232 NetpJoinDomainOnDs: status of disconnecting from ‘\\DC1.company.local’: 0x0
01/20/2012 10:53:01:232 NetpDoDomainJoin: status: 0x2

The message “Cannot retry downlevel, specifying OU is not supported” means that the specified OU is invalid.  This error could indicate that the OU does not exist within the AD, or that you are attempting to specify the default Computers container.  Windows requires that the default OU be left unspecified, so if you want to put new desktops into the default Computers OU, you must delete the <MachineObjectOU> line entirely.  Look further up the log file for what the specified OU is:

01/20/2012 10:53:01:123    lpMachineAccountOU: OU=Computers,OU=VDI,DC=company,DC=local

Verify the existence of the specified OU and confirm that it is not the top-level Computers container.

Bad domain specified

If the domain name itself is invalid, a domain join makes no entries to NetSetup.log and does not create a log file.  In this situation, look in C:\Windows\Panther\UnattendGC\setupact.log for lines like this:

2012-07-13 16:11:15, Warning    [DJOIN.EXE] Unattended Join: DsGetDcName failed: 0x54b, last error is 0x0, will retry in 5 seconds…

The error text for 0x54b (1355) is “The specified domain either does not exist or could not be contacted.”  You can look further up in the setupact.log to see exactly what domain you were trying to join.  Note that this is an error with the “JoinDomain” tag, not the credentials.

Insufficient user rights

07/17/2012 13:26:47:524 NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error string: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
07/17/2012 13:26:47:524 NetpModifyComputerObjectInDs: ldap_add_s failed: 0x32 0x5
07/17/2012 13:26:47:524 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5
07/17/2012 13:26:47:524 NetpProvisionComputerAccount: LDAP creation failed: 0x5 …
07/17/2012 13:26:47:539 NetpDoDomainJoin: status: 0x5

The user account you specify must have rights to add machine accounts to the domain in the specified OU. This error appears when you have a valid account with insufficient privileges. Either try a different account or adjust the account privileges in the domain.
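To save scrolling through dozens of retries, the following added PowerShell (my own example, not from the original article) isolates the last join attempt in NetSetup.log, reports its NetpDoDomainJoin status against the failure cases walked through above, and pulls out the IPC$ error code and target OU from the same attempt. The embedded sample lines are constructed from the patterns shown in this article so the script runs offline; pass -Path to read a real log.

```powershell
# Added example: summarise the last domain join attempt recorded in NetSetup.log.
param([string]$Path)

# Constructed sample (two failed attempts) used when no -Path is given
$sample = @'
05/02/2012 23:07:31:696 NetUseAdd to \\DC1.company.local\IPC$ returned 1326
05/02/2012 23:07:31:696 NetpDoDomainJoin: status: 0x52e
05/02/2012 23:14:21:050    lpMachineAccountOU: OU=Computers,OU=VDI,DC=company,DC=local
05/02/2012 23:14:21:057 NetUseAdd to \\DC1.company.local\IPC$ returned 1909
05/02/2012 23:14:21:057 NetpDoDomainJoin: status: 0x775
'@
$lines = if ($Path) { Get-Content -Path $Path } else { $sample -split "`r?`n" }

# NetpDoDomainJoin status values covered by the article
$known = @{
    '0x0'   = 'success'
    '0x52e' = '1326: unknown user name or bad password (check unattend.xml credentials)'
    '0x775' = '1909: account locked out (unlock it, then fix whatever locked it)'
    '0x2'   = 'bad OU (check lpMachineAccountOU; remove MachineObjectOU for the default container)'
    '0x5'   = 'join account lacks rights to create computer objects in the target OU'
}

# Each attempt ends with a NetpDoDomainJoin line; the last attempt is everything after the previous one
$ends = @(0..($lines.Count - 1) | Where-Object { $lines[$_] -match 'NetpDoDomainJoin: status: 0x[0-9a-f]+' })
if (-not $ends) { Write-Output 'No completed join attempt found in log'; return }
$last    = $ends[-1]
$start   = if ($ends.Count -gt 1) { $ends[-2] + 1 } else { 0 }
$attempt = $lines[$start..$last]

$status  = [regex]::Match($lines[$last], 'status: (0x[0-9a-f]+)').Groups[1].Value
$meaning = if ($known.ContainsKey($status)) { $known[$status] }
           else { "not in table; run: net helpmsg $([Convert]::ToInt32($status, 16))" }
Write-Output ("Last attempt ended with {0} -> {1}" -f $status, $meaning)

# Supporting detail from the same attempt
foreach ($l in $attempt) {
    if ($l -match 'NetUseAdd to .* returned (\d+)') {
        Write-Output "  IPC`$ connect error $($Matches[1]) (net helpmsg $($Matches[1]))"
    }
    if ($l -match 'lpMachineAccountOU:\s*(.+)$') { Write-Output "  Target OU: $($Matches[1])" }
}
```

With the sample data the script reports the 0x775 attempt as the last one and attributes the 1909 lockout to it, which is the pattern to expect when an unattend.xml password has been wrong for several retries.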