How to customise ADFS on Server 2012 R2 to look like the Azure AD Experience (ADFS 3.0)


Last week, after almost 12 years of using the old logo and branding, we have undergone a full rebrand at Hallam Medical. Being an active part of the rebrand process was a great experience and it was a lot of fun working with the Marketing Team and the Web Developer, especially trying to keep things under wraps in an open plan office!

One of the things that IT were tasked with was to update the logos on all of the services that we use. Simple task to be honest, except that we underestimated the amount of areas and formats that the logo existed in. Off the top of my head, there was the Service Desk, Mailchimp, Office 365, Sharepoint, Geckoboard, Email signatures, Echosign…

Updating Branding in Azure Active Directory

Azure was pretty straightforward: just log on to the Azure Portal and go to Azure Active Directory > Company Branding. We only needed three different versions:

  • Banner Logo, 280x60px, 10KB Max Size, Transparent PNG Preferable
  • Square Logo (light theme), 240x240px, 10KB Max Size, Transparent PNG Preferable
  • Square Logo (dark theme), 240x240px, 10KB Max Size, Transparent PNG Preferable
Setting the logos for Azure AD

Once changed, don’t forget to hit Save at the top of the page.

Updating ADFS to look like the Azure AD Experience

In late 2017, Microsoft changed the way users experience the login interface of Office 365 and Azure to a more centred and consistent design. Initially this was a bit of a shock to users as it broke a few things, and I thought there was no real reasoning behind the update until I read the post on the Microsoft Blog a few months later.

The old ADFS sign in experience

Fast forward to now: in the process of updating the logo on our ADFS servers I thought to myself, surely there is a newer template that mimics the new sign-in experience? Luckily there is!

All you need are two files that Microsoft have kindly published in their GitHub repository – https://github.com/Microsoft/adfsWebCustomization/tree/master/centeredUi. Swing by the repository and download the stylesheet, ThemeCenterBrand.css, and the JavaScript file, paginatedOnload.js. Because that script is served to every user's browser from your sign-in page, read both files before deploying them, note the commit you took them from, and fetch them over HTTPS from that repository only, not from a mirror.

Save these two files along with your company logo and a background image to your ADFS server in some place such as “C:\ADFS\CenteredUI”

Now that you have the files saved, we can start to customise your ADFS sign in page.

  1. First we will make a new theme so that we can revert if needed and end users won’t see us tinkering until we switch to the new view.
  2. Set the Stylesheet and Javascript File
  3. Update the new logo to the template (24x256px Transparent PNG)
  4. Add a background image to the template
  5. Tell ADFS to start using the new theme

The Code

Log on to the ADFS server, open an administrative PowerShell window and run the following commands:

#Create new theme called "CenteredUI" and set stylesheet
New-AdfsWebTheme -Name CenteredUI -SourceName default -StyleSheet @{path="C:\ADFS\CenteredUI\ThemeCenterBrand.css"}
#Add javascript file as additional resource
Set-AdfsWebTheme -TargetName CenteredUI -AdditionalFileResource @{Uri="/adfs/portal/script/onload.js"; path="C:\ADFS\CenteredUI\paginatedOnload.js"}
#Set the new logo
Set-AdfsWebTheme -TargetName CenteredUI -Logo @{Path="C:\ADFS\CenteredUI\NewLogo.png"}
#Set the new background image
Set-AdfsWebTheme -TargetName CenteredUI -Illustration @{Path="C:\ADFS\CenteredUI\NewBackground.jpg"}
#Activate the theme
Set-AdfsWebConfig -ActiveThemeName CenteredUI

If you have SSO set up you might find it difficult to see the new theme working, as the sign-in and redirect are pretty snappy.

To see the theme, go to https://your.ADFSserver.com/adfs/ls/idpinitiatedsignon.aspx. On ADFS 2012 R2 this page is enabled by default; on ADFS 2016 and later it is off unless you enable it with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true, and it is worth turning off again afterwards if nothing relies on it.
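As an added example, not code from the original post or from Microsoft's repository, here is the same change wrapped with the checks I would want before touching a production sign-in page: export the live theme first so there is a file-for-file backup, refuse to run if any of the four files is missing, record each file's SHA-256 so it can be compared with the copy you reviewed on GitHub, create the theme only once so the script can be re-run, and keep the rollback command to hand. The paths under C:\ADFS and the theme name CenteredUI are the ones used above; C:\ADFS\Backup is an assumption.

```powershell
# Added example (not from the original post). Assumed paths: C:\ADFS\CenteredUI for
# the new files, C:\ADFS\Backup for theme exports. Run in an elevated PowerShell on the ADFS server.
$ThemeRoot  = 'C:\ADFS\CenteredUI'
$BackupRoot = 'C:\ADFS\Backup\{0:yyyyMMdd-HHmm}' -f (Get-Date)
$NewTheme   = 'CenteredUI'

# 1. Record what is live now and export it so it can be restored file-for-file.
$Current = (Get-AdfsWebConfig).ActiveThemeName
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
Export-AdfsWebTheme -Name $Current -DirectoryPath $BackupRoot
"Active theme '$Current' exported to $BackupRoot"

# 2. Refuse to proceed unless every file we are about to publish exists, and print
#    its SHA-256 so it can be checked against the copy reviewed on GitHub.
$Required = 'ThemeCenterBrand.css', 'paginatedOnload.js', 'NewLogo.png', 'NewBackground.jpg'
foreach ($f in $Required) {
    $p = Join-Path $ThemeRoot $f
    if (-not (Test-Path $p)) { throw "Missing theme file: $p" }
    '{0}  {1}' -f (Get-FileHash -Algorithm SHA256 -Path $p).Hash, $f
}

# 3. Create the theme only if it does not already exist, then set all resources in one call.
if (-not (Get-AdfsWebTheme -Name $NewTheme -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $NewTheme -SourceName default
}
Set-AdfsWebTheme -TargetName $NewTheme `
    -StyleSheet   @{ Path = (Join-Path $ThemeRoot 'ThemeCenterBrand.css') } `
    -Logo         @{ Path = (Join-Path $ThemeRoot 'NewLogo.png') } `
    -Illustration @{ Path = (Join-Path $ThemeRoot 'NewBackground.jpg') } `
    -AdditionalFileResource @{ Uri = '/adfs/portal/script/onload.js'; Path = (Join-Path $ThemeRoot 'paginatedOnload.js') }

# 4. Switch, then confirm ADFS agrees.
Set-AdfsWebConfig -ActiveThemeName $NewTheme
"Active theme is now: $((Get-AdfsWebConfig).ActiveThemeName)"

# Rollback, if the new page misbehaves (the exported files in $BackupRoot are there if the
# old theme itself has been edited):
#   Set-AdfsWebConfig -ActiveThemeName $Current
```

The hashes are printed rather than checked against a hard-coded value on purpose: compare them with the files you reviewed, and keep the list with the change record so a later edit to the sign-in page's script is noticeable.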

Our new sign in page with updated branding!

5 Ways To Make Your Commute More Productive

Although I only live 25 miles away from the office, unfortunately it averages between 45 minutes to an hour and 10 minutes to drive in.

For years I used to just listen to the radio or music on the way to and from work when one day it dawned on me, that’s 2 hours a day or 10 hours a week of dead time. That is like an extra working day!

I decided to find some things that I could do to safely fill this massive void of over 480 hours a year of dead time and this is what seems to work well for me:

  1. Podcasts
  2. Audiobooks
  3. Conference calls
  4. Keeping in touch with friends in different time zones
  5. Dictating notes and ideas to yourself

How to manage Exchange Online via Powershell with 2FA enabled (and a bit about AppLocker too)

2FA is a great upgrade to security and everyone should use it. Once you get over the slight inconvenience of having to pull out your phone every time you log in it is not really that big of an issue.

I did, however, find an issue when I needed to administer our Exchange Online instance on Office 365 via PowerShell. When you try to connect using the normal method as per the Microsoft Docs with 2FA enabled:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

You get an access denied error similar to the following:

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following
error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne …
+            ~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

The access denied message appears because the normal method uses Basic authentication with a username and password only: it has no way to carry the second factor between the user and the service, so the service refuses the password-only logon.

So how do you manage to connect with 2FA enabled?

There are a few things you can do:

  1. See if you can do the action using the GUI – This is not always possible and doesn’t help if you want to create something more automated. Also, this is a bit of a cop out!
  2. Turn off 2FA – No! No! No! No!
  3. Use the Exchange Online Remote PowerShell Module – This is what we are going to do.

The Exchange Online Remote PowerShell Module knows about 2FA and will allow you to connect whilst keeping the added benefits of 2FA. (Microsoft has since superseded it with the ExchangeOnlineManagement module and Connect-ExchangeOnline, which also supports MFA; the steps below are for the module as it was at the time.)

Downloading and Installing the Exchange Online Remote PowerShell Module

Annoyingly (or not depending on how you look at it) there is no direct download link to the tool. Instead it is served by a streaming installer from Microsoft which ensures that you will only ever install the latest version. This does mean that there is no need to remember links and such as the f

To download and install the file, you simply need to log into the Exchange Online Admin Center and go to the Hybrid section in the Side Menu.

Once there you should see an option to “configure” below the text “The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely.” Click the configure button to start the download and install of the software.

Click configure on the second box to start the download and install

After a brief moment an installer window should appear and prompt you to install. Click Install.

If all has worked correctly the module should launch and you will be presented with a nice new powershell window.

Connect to the Exchange Online by typing:

Connect-EXOPSSession -UserPrincipalName <enter your 365 admin UPN here>

A sign-in box will appear asking you to provide your 2FA credentials. Go through this as normal, and once authenticated, you will see the module pull down the commands and then drop you back to the prompt.

You can now administer Exchange online via Powershell with 2FA enabled!

Now that you have gone through all that once, you don’t have to do that again the next time you want to connect, simply go to your start menu and find the newly installed module.
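As an added example, not code from the original post, here is how I would wrap that connection in a script so the remote session is always torn down, even when the work in the middle throws; the UPN and the read-only Get-Mailbox query are placeholders.

```powershell
# Added example (not from the original post). Run from the module's own PowerShell
# window, where Connect-EXOPSSession is defined. Assumed UPN and query are illustrative.
param([string]$AdminUpn = 'admin@contoso.onmicrosoft.com')

# Connect-EXOPSSession is defined by the MFA module's launcher; if it is missing we are
# in a plain PowerShell window rather than the module's Start menu shortcut.
if (-not (Get-Command Connect-EXOPSSession -ErrorAction SilentlyContinue)) {
    throw 'Connect-EXOPSSession not found: start the Exchange Online PowerShell Module from the Start menu.'
}

try {
    # Triggers the interactive sign-in (password + second factor) and imports the proxied cmdlets.
    Connect-EXOPSSession -UserPrincipalName $AdminUpn

    # Confirm the cmdlets arrived before relying on them, then do the actual work.
    if (-not (Get-Command Get-Mailbox -ErrorAction SilentlyContinue)) {
        throw 'Exchange Online cmdlets were not imported; the session did not come up.'
    }
    Get-Mailbox -ResultSize 25 |
        Select-Object DisplayName, UserPrincipalName, WhenCreated |
        Format-Table -AutoSize
}
finally {
    # Each connect opens a remote runspace, and Exchange Online caps how many one account
    # may hold at a time, so always remove it rather than letting it idle out.
    Get-PSSession |
        Where-Object { $_.ComputerName -like '*outlook.office365.com*' } |
        Remove-PSSession
}
```

The finally block is the part that matters: a script that dies half-way through otherwise leaves a session open against your admin account until it times out, and a few of those in a row will stop you connecting at all.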

The AppLocker bit

If you have AppLocker enabled on your system, depending on your rules, you will probably fail at the installing part of this guide. This is most likely because the installer is not covered by your EXE allow rules.

To add it, you need to locate the file and then read its certificate information so you can build a publisher rule for it.

Fire up Event Viewer and navigate to “Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL”. In the list you should see an Error entry (event ID 8004) for the file Microsoft.Online.CSE.PSModule.Client.exe – make a note of this path (mine was “%localappdata%\Apps\2.0\9WG1O0DO.5E4\Y6BPMV80.E4N\micr..tion_1975b8453054a2b5_0010.0000_10d85008035862c6\Microsoft.Online.CSE.PSModule.Client.exe”) and then, within Group Policy Management, find the policy that controls AppLocker and add an allow rule for the exe. Make it a publisher rule, not a path rule: that ClickOnce folder under %localappdata% gets a new random name with every version, and it is writable by the user, so a path rule there would let anything dropped into that folder run.

Run gpupdate /force and then give it another go!
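The same steps in PowerShell, as an added example that is not part of the original post: read the blocked path out of the AppLocker event log, build a publisher rule from the file's signature, test it against the effective policy on this machine, and write the rule out as XML to import into the GPO. It assumes the block was logged as event 8004 (or 8003 in audit mode) and that the file is still on disk; the output path under C:\Temp is an assumption.

```powershell
# Added example (not from the original post). Assumes an 8004/8003 event exists for the
# installer and the file is still present; C:\Temp output path is an assumption.

# 1. Most recent block event for the installer (8004 = enforced block, 8003 = audit-mode would-block).
$Blocked = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004, 8003 } -MaxEvents 200 |
    Where-Object { $_.Message -match 'Microsoft\.Online\.CSE\.PSModule\.Client\.exe' } |
    Select-Object -First 1
if (-not $Blocked) { throw 'No AppLocker block event found for the EXO module installer.' }

# The event XML carries the path in AppLocker's own notation (%OSDRIVE%\..., %WINDIR%\...),
# so expand the common prefixes before touching the file system.
$Path = ([xml]$Blocked.ToXml()).Event.UserData.RuleAndFileData.FilePath
$Path = $Path -replace '^%OSDRIVE%', $env:SystemDrive `
              -replace '^%WINDIR%', $env:windir `
              -replace '^%PROGRAMFILES%', $env:ProgramFiles
"Blocked file: $Path"
if (-not (Test-Path $Path)) { throw "File no longer exists at $Path; re-run the installer to recreate it." }

# 2. Read publisher / product / binary name / version from the file's Authenticode signature.
$Info = Get-AppLockerFileInformation -Path $Path
if (-not $Info.Publisher) { throw "File is not signed; a publisher rule cannot be built for $Path" }
$Info.Publisher | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# 3. Build a publisher rule rather than a path rule: the ClickOnce folder under
#    %LOCALAPPDATA%\Apps\2.0 changes name with every version and is user-writable.
$Policy = New-AppLockerPolicy -FileInformation $Info -RuleType Publisher -User Everyone `
                              -RuleNamePrefix 'EXO PS module' -Optimize

# 4. Dry run: merge the new rule into this machine's effective policy and ask whether
#    the file would now be allowed, and by which rule.
$Merged = Get-AppLockerPolicy -Effective
$Merged.Merge($Policy)
Test-AppLockerPolicy -PolicyObject $Merged -Path $Path -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Export the rule for import into the AppLocker GPO
#    (or apply locally with Set-AppLockerPolicy -XmlPolicy <file> -Merge).
$Out = 'C:\Temp\EXO-PSModule-Publisher-Rule.xml'
$Policy.ToXml() | Out-File -Encoding UTF8 $Out
"Rule written to $Out"
```

If step 4 still reports Denied, the usual cause is a deny rule higher up the policy, which the MatchingRule column will name; fix that rather than adding a second, broader allow.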

How to Download and Extract Google Earth MSI

If you are trying to deploy software within a Windows Business Environment you are most likely using a deployment solution like SCCM, PDQ Deploy or plain old Active Directory.

Whilst the deployment tools make things really easy for getting the software out to the masses, they do create a new challenge (especially with SCCM) of finding a network-deployable package, with an MSI file being the Holy Grail.


Virtual disk could not be repaired because there is not enough free space in the storage pool. – Fun with storage spaces

Just a few fun notes with storage spaces:

I was trying to repair a failed Storage Spaces disk but didn’t have any spare disks or free slots available, and the system was due to be decommissioned so investment was not really wanted.

Genius here thought that adding an iSCSI disk and then repairing with that would work, and as the system was going to be migrated it wouldn’t be much of an issue.

So I added a 2TB iSCSI LUN and added the disk to the pool.

I set the faulty disk to Retired and then tried to repair the pool.

Error!:
Virtual disk could not be repaired because there is not enough free space in the storage pool.

But I have just added 2TB!?! What is going on? Free space for the pool is showing 2TB, yet I cannot use it to do the repair… Why?

Looking a bit harder I saw that the disk’s media type is showing as Unspecified under Physical Disks. Perhaps this is where the issue is: Storage Spaces only allocates repair capacity on disks of a known media type, and it doesn’t know what to do with the iSCSI disk.

Can I force it to be a supported media type?

I know that when the tiered settings came out we could pretend to have SSD disks, so why not give that a try?

Get-PhysicalDisk | Select-Object FriendlyName, MediaType, Size

Find the disk (PhysicalDisk9 in my case) and set its media type to HDD:

Set-PhysicalDisk –FriendlyName PhysicalDisk9 -MediaType HDD

The command completes with no confirmation, so re-run the previous command to verify that the disk has changed media type:

Get-PhysicalDisk | Select-Object FriendlyName, MediaType, Size

If all looks okay, try to start the repair.
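The whole repair as one script, as an added example that is not part of the original post. It checks the pool and disk state first, adds the iSCSI disk only if it is not already pooled, fixes the media type only when it is actually Unspecified, retires the faulty disk, kicks off the repair on every virtual disk in the pool and then watches the storage jobs until they finish. The pool name Pool1 and faulty disk PhysicalDisk3 are assumptions; PhysicalDisk9 is the iSCSI disk from the post.

```powershell
# Added example (not from the original post). Assumed names: pool 'Pool1', faulty disk
# 'PhysicalDisk3', iSCSI replacement 'PhysicalDisk9' (the name used in the post).
$Pool = 'Pool1'; $Faulty = 'PhysicalDisk3'; $Replacement = 'PhysicalDisk9'

$PoolObj = Get-StoragePool -FriendlyName $Pool
if (-not $PoolObj) { throw "Storage pool '$Pool' not found." }

# Where we are starting from: virtual disk health and every physical disk's media type/usage.
Get-VirtualDisk -StoragePool $PoolObj |
    Format-Table FriendlyName, HealthStatus, OperationalStatus, ResiliencySettingName, NumberOfDataCopies -AutoSize
Get-PhysicalDisk |
    Format-Table FriendlyName, MediaType, Usage, HealthStatus, OperationalStatus, Size -AutoSize

# 1. Add the iSCSI disk to the pool if it is still poolable (i.e. not already a member).
$NewDisk = Get-PhysicalDisk -FriendlyName $Replacement
if ($NewDisk.CanPool) {
    Add-PhysicalDisk -StoragePoolFriendlyName $Pool -PhysicalDisks $NewDisk
}

# 2. Storage Spaces will not allocate repair capacity on an 'Unspecified' disk; tell it what it is.
if ((Get-PhysicalDisk -FriendlyName $Replacement).MediaType -eq 'Unspecified') {
    Set-PhysicalDisk -FriendlyName $Replacement -MediaType HDD
}
"Replacement disk media type: $((Get-PhysicalDisk -FriendlyName $Replacement).MediaType)"

# 3. Retire the bad disk so no new allocations land on it, then repair each virtual disk.
Set-PhysicalDisk -FriendlyName $Faulty -Usage Retired
Get-VirtualDisk -StoragePool $PoolObj | Repair-VirtualDisk

# 4. Repair runs as background storage jobs; poll until none are left running.
do {
    $Jobs = Get-StorageJob | Where-Object { $_.JobState -ne 'Completed' }
    if ($Jobs) { $Jobs | Format-Table Name, JobState, PercentComplete -AutoSize }
    Start-Sleep -Seconds 30
} while ($Jobs)

# 5. Only once every virtual disk is Healthy is it safe to pull the retired disk from the pool.
Get-VirtualDisk -StoragePool $PoolObj | Format-Table FriendlyName, HealthStatus, OperationalStatus -AutoSize
# Remove-PhysicalDisk -StoragePoolFriendlyName $Pool -PhysicalDisks (Get-PhysicalDisk -FriendlyName $Faulty)
```

Setting the media type is a label, not a measurement: do this only where you know what the disk is, since on a tiered pool a mislabelled disk will end up holding the wrong tier's data.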

Group Policy not applying – Inaccessible, Empty or Disabled

This is affecting Windows 8.1

Group Policies that used to work are now not applying. A quick check on the failing PC using gpresult /h report.html shows that the policy is Inaccessible, Empty or Disabled.


No changes have been made to Group Policy.

Quick Solution

This is due to a Microsoft security update, MS16-072 / KB3159398 ( https://support.microsoft.com/en-gb/kb/3159398 ), which changes how Group Policy is retrieved: user policies are now fetched in the computer account’s security context rather than the user’s. It affects Group Policies where security filtering is enabled, because the computer account no longer has Read permission on the GPO once Authenticated Users has been removed from it.

Find the Group Policy that is being affected and on the delegation tab give “read” permission to the “authenticated users” group. This will not apply the policy to all users as that is controlled using the “Apply group policy” permission. This will simply allow the GPO to be read and thus interpreted by the PC.


Once updated, run a gpupdate /force and things should be back to the way they were.


Alternative Solution


Remove the patch KB3159398 from all affected PCs. Bear in mind that MS16-072 is a security update, so uninstalling it re-exposes those machines to the man-in-the-middle weakness it fixed; prefer the permissions fix above and treat removing the patch as a stop-gap only.
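To find every GPO in the domain that will hit this, rather than waiting for users to report it, here is an added example (not from the original post) that audits each GPO for Read access by Authenticated Users or Domain Computers and, when run with -Fix, grants Read to Authenticated Users. Read is not Apply: the existing “Apply group policy” entries that do the security filtering are left exactly as they are. It needs the GroupPolicy module from RSAT and an account that can edit the GPOs.

```powershell
# Added example (not from the original post). Requires the RSAT GroupPolicy module.
# Run without -Fix to audit only; with -Fix to grant GpoRead to Authenticated Users.
param([switch]$Fix)
Import-Module GroupPolicy

# Either of these trustees having Read is enough for the computer account to fetch the GPO.
$Readers = 'Authenticated Users', 'Domain Computers'
# Any of these levels includes Read.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$Affected = foreach ($Gpo in Get-GPO -All) {
    $Perms = Get-GPPermission -Guid $Gpo.Id -All
    $HasRead = $Perms | Where-Object {
        ($Readers -contains $_.Trustee.Name) -and ($ReadLevels -contains "$($_.Permission)")
    }
    if (-not $HasRead) {
        [pscustomobject]@{
            Name       = $Gpo.DisplayName
            Id         = $Gpo.Id
            FilteredTo = (($Perms | Where-Object { "$($_.Permission)" -eq 'GpoApply' }).Trustee.Name) -join ', '
        }
    }
}

if (-not $Affected) {
    'All GPOs already grant Read to Authenticated Users or Domain Computers.'
    return
}
$Affected | Format-Table -AutoSize

if ($Fix) {
    foreach ($g in $Affected) {
        # GpoRead only: security filtering (GpoApply) is untouched.
        Set-GPPermission -Guid $g.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
        "Granted Read on '$($g.Name)'"
    }
}
```

The FilteredTo column lists who the GPO is filtered to, which is useful for spotting GPOs that were deliberately locked down so you can decide between Authenticated Users and the narrower Domain Computers for the Read grant.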

Export Windows Drivers to Central Store

Just made a script to export drivers to a central store. Handy for when you need to grab the drivers off a PC to look at later, or to update the rest of the estate with. Since anything in that share may later be installed as a kernel-mode driver across the estate, keep it writable by admins only.

Link to resource on Spiceworks: https://community.spiceworks.com/scripts/show/3689-export-drivers-to-central-store

##########################################
###                                    ###
###         Script to extract          ###
###         latest drivers from        ###
###         windows system and         ###
###         dump to central store      ###
###                                    ###
### By Patrick Louis-Jean     v1       ###
##########################################


### Variables ###
$CentralStore   = "\\server\Shares\Drivers" # Where drivers will be stored centrally (share should be admin-writable only)
$LocalStore     = "C:\Drivers"              # Working folder on the local machine
$FileRepository = Join-Path $env:windir "System32\DriverStore\FileRepository" # Where Export-WindowsDriver reads packages from

### Showtime! ###
# Export-WindowsDriver needs an elevated PowerShell session.
$SystemOS      = (Get-WmiObject -Class Win32_OperatingSystem).Caption
$ComputerMake  = (Get-WmiObject -Class Win32_ComputerSystem).Manufacturer
$ComputerModel = (Get-WmiObject -Class Win32_ComputerSystem).Model
$DateTime      = Get-Date -Format yyyy-MM
$DriverStore   = Join-Path $LocalStore "$SystemOS\$ComputerMake $ComputerModel $DateTime"
New-Item -ItemType Directory -Path $DriverStore -Force | Out-Null

# Export every third-party driver package; each one lands in a subfolder of $DriverStore
# named after its FileRepository folder.
$DriversList = Export-WindowsDriver -Online -Destination $DriverStore

foreach ($Driver in $DriversList) {
    # Class directory (e.g. Display, Net)
    $ClassDirectory = Join-Path $DriverStore $Driver.ClassName
    if (!(Test-Path $ClassDirectory)) {
        New-Item $ClassDirectory -ItemType Directory | Out-Null
    }
    # Provider directory (e.g. Intel, Realtek)
    $ProviderDirectory = Join-Path $ClassDirectory $Driver.ProviderName
    if (!(Test-Path $ProviderDirectory)) {
        New-Item $ProviderDirectory -ItemType Directory | Out-Null
    }
    # OriginalFileName is the .inf path inside the FileRepository; its first path segment is the
    # package folder name that Export-WindowsDriver used under $DriverStore. Assumes all drivers
    # live in the FileRepository. (-replace is case-insensitive, so C:\WINDOWS vs C:\Windows is fine.)
    $OrigDriverFolder = $Driver.OriginalFileName -replace [regex]::Escape("$FileRepository\"), ""
    $OrigDriverFolder = $OrigDriverFolder.Substring(0, $OrigDriverFolder.IndexOf("\"))
    # New folder name: Class\Provider\<package>_v<version>
    $NewDriverFolder = Join-Path $ProviderDirectory ($OrigDriverFolder + "_v" + $Driver.Version)
    "$OrigDriverFolder -> $NewDriverFolder"
    # Move the exported package into place
    robocopy (Join-Path $DriverStore $OrigDriverFolder) $NewDriverFolder /E /MOVE /NP
}

# Output a list of drivers to a CSV file alongside them
$DriversList |
    Select-Object OriginalFileName, ClassName, ClassDescription, ProviderName, Version |
    Sort-Object OriginalFileName |
    Export-Csv -Path (Join-Path $DriverStore "DriverList.csv") -NoTypeInformation

# Move everything to the central store
robocopy $LocalStore $CentralStore /E /MOVE /NP

System Center Config Manager 2012 R2 Error 0x80004005 when loading task sequence on Surface Pro 3


This is an interesting one that I came across recently whilst trying to deploy an image to a brand new Microsoft Surface Pro 3.

I had two sitting on the bench ready to deploy our stock Windows 8.1 image. The first Surface PXE booted fine and jumped straight into the task sequence as normal; however, the second one came up with error 0x80004005 when trying to look for the task sequences.

I knew that it wasn’t the image as Surface number one was working fine. I checked all of the usual things, replaced the ethernet cable, etc., and after a few reboots I still had the same error.

After a little digging I found the solution.

The time in the UEFI BIOS was wrong. The reason the clock matters is that the boot media’s certificate is checked for validity when the client contacts the management point, and with the firmware clock outside that certificate’s validity window the request fails with the generic 0x80004005.

The problem is that there is no option to change the time in the UEFI BIOS, so you must change it from the PE environment instead:

  1. Make sure that your boot image has command support enabled.
  2. Boot into the Config Manager image.
  3. Before proceeding any further, press the F8 key (Fn + F8).
  4. At the command prompt type the ‘time’ command to change the current time.
  5. Next type the ‘date’ command and enter the correct date, following the format for the locale of the PE.
  6. Verify that it has applied by typing ‘time /t’ and then ‘date /t’.
  7. Close the command prompt and continue with your build.

Microsoft OneDrive for Business now offers 1 terabyte of cloud storage per user!

Taken from ZDNet Article

The Microsoft OneDrive for Business team is adding additional incentives meant to attract business users to its cloud-storage offering.

In an April 28 post entitled “Thinking outside the box” (which seems to be a reference to Microsoft competitors Box and/or Dropbox), the OneDrive for Business team announced the following:

  • An increase in OneDrive for Business default storage from 25GB to 1TB per user
  • The inclusion of 1TB of OneDrive for Business storage per user as part of Office 365 ProPlus subscriptions
  • New OneDrive for Business migration assistance from Microsoft (The blog post didn’t elaborate on specifically what Microsoft is offering on this front. But a spokesperson said those interested should contact their Microsoft account managers or partner for details.)

In March 2014, Microsoft officials announced that OneDrive for Business (formerly known as SkyDrive Pro) would be available both as part of a number of existing Office 365 plans, as well as for purchase as a standalone service — something that wasn’t the case with SkyDrive Pro. The standalone version provided business users with 25 GB of storage per employee, with an option to purchase additional storage, offline sync and access from multiple devices. Now that default storage threshold is 1 TB.

Microsoft officials announced during earnings last week that Office 365 is currently on a $2.5 billion annual run rate.

“The cloud is about breaking down walls between people and information. Not building a new set of islands in the sky. Make sure you bet on a file sync and share solution that helps you embrace that,” said Corporate Vice President John Case in the conclusion of today’s blog post.

All Office 365 plans that include OneDrive for Business will see the increase to 1 TB. This includes:

  • All O365 E plans (E1, E3, E4)
  • O365 Small Business
  • O365 Small Business Premium
  • O365 Midsize Business
  • All SharePoint Online plans (SharePoint Online Plan 1 & Plan 2)
  • OneDrive for Business (standalone) with Office Online

As to when new and existing customers will see the 1TB bump, a Microsoft spokesperson said: “Customer eligibility is effective today, but as with service updates roll-out of these features will happen over the next few months.”