Module 11: Infrastructure as Code & DevOps
In this module, we cover Azure: Infrastructure as Code (IaC) and DevOps. This module focuses more on development on Azure, with less emphasis…
Categories:
13 minute read
In this module, we cover Azure: Infrastructure as Code (IaC) and DevOps. This module focuses more on development on Azure, with less emphasis…
13 minute read
We have all been there. A email is sent and you forgot to add the attachment or the wrong recipient. Exchange Online already has the feature recall messages inside your own tenant but now the cross tenant recall feature is announced, meaning we can recall messages sent to external users which also use Microsoft 365.
4 minute read
In this guide, I show the path from install to deployment: I install Terraform, I prepare my Azure login using Azure CLI, and then I run a “single server” Terraform setup so you can see the process end-to-end.
9 minute read
Over time, Microsoft Entra ID environments often become filled with old and inactive devices. Cleaning up these devices manually takes time and is easy to forget. By using Azure Automation, we can fully automate this process and remove devices that have been inactive for more than 180 days.
8 minute read
In this post I will be configuring MTA-STS for better email security alongside the theoretical explaination including different hosting options you can use.
15 minute read
A great way to encrypt your Microsoft 365 outbound emails using a similar technique as SSL is to use S/MIME. In this guide I will show you how to get certificates and configure S/MIME for your mailboxes.
12 minute read
In this post I will share 10 simple scripts for basic device administration tasks on Ubuntu endpoints.
7 minute read
For years, Bitlocker was a relatively secure protocol to encrypt your hard drives of your computer. However,recent multiple reports surfaced around attacks targeting BitLocker protected devices. Techniques like YellowKey and GreatXML focus on extracting BitLocker secrets from memory or abusing the boot process when devices are protected with TPM-only authentication.
6 minute read
In this post, I will be installing an Ubuntu Desktop instance and join it to Microsoft Intune to leverage Device Management on Ubuntu devices including some extra steps for proper device management.
10 minute read
If you see an “Unlock Teams Premium” button in Microsoft Teams, you’ll probably also have users who click it right away and start a trial. For most orgs, that’s not the experience you want. In this post, I’ll show you two ways to remove that button, through the 365 Admin Center and PowerShell
3 minute read
In this post I will explain TLS-RPT which is an email security reporting mechanism that gives you reports about TLS encryption problems for incoming email to your domain. In this guide, I will explain what TLS-RPT is, how it works and how you can configure it easily for your domains.
6 minute read
Microsoft released security updates for multiple Windows Server versions to address CVE-2026-41089. This vulnerability is rated as important and affects all supported Windows Server versions, including ESU editions of Windows Server 2012 and 2012 R2. This vulnerability affects the Windows Netlogon service, a core component used for authentication and secure communication between domain-joined systems and Domain Controllers. Successful exploitation could allow an attacker to execute arbitrary code on a vulnerable system.
5 minute read
On this page I will show the advanced and custom CSS controls available for Entra ID prompts to style this to your likings or organization branding.
7 minute read
In this post series, I will demonstrate how I bumped up the Microsoft Secure Score of my tenant up to 100% (98,78% to be exact). This can be used to change the settings of your own tenant and have a better security posture.However, 100% secure score will definitely not mean that you are not hackable. It only means you use 100% of the Microsoft toolbox to defend your digital fortress. Spending more resources on awareness training for employees is a good approach on top of these settings. They are often the weakest factor.
4 minute read
This guide explains how I configured the Secure Score recommendations related to Microsoft Information Protection and Purview. Make sure that to target those recommendations, you will need at least Microsoft 365 E5 licenses (or separate licenses that do the job).
6 minute read
On this page, I will describe how I implemented my current Microsoft Secure Score on the Apps pillar. This means altering mostly the options of Microsoft Defender for Office 365 but also for Exchange Online, Teams and SharePoint. I have categorized all of the requirements, so the reader cam implement the settings very easily using the least administrative effort.
16 minute read
On this page, I will describe how I implemented my current Microsoft Secure Score on the Devices pillar. This means altering mostly the options of Microsoft Defender and Intune.
8 minute read
Microsoft released that the Kerberos protocol will be hardened by an update coming in April to June 2026 to increase the security.
6 minute read
Microsoft 365 Backup ensures that your data, accounts and email is safe and backed up into a separate storage space. A good and reliable back-up solution is crucial for any cloud service, even when having versioning and recycle bin options. Data in SharePoint or OneDrive stays data in one central place and any minor error is made within seconds. In this guide, I will explain how Microsoft 365 Backup works and how you can start using it.
10 minute read
On this page, I will describe how I implemented my current Microsoft Secure Score on the Identity pillar. This means altering mostly the…
12 minute read
This blog post explains how to get started with Remote App V2 in Azure Virtual Desktop, and I will explain on what area’s this new version is better and what area’s still needs to improve.
3 minute read
With GitHub Pages, we can host some free websites for personal use. This is really great as we mostly already use GitHub to store our code and assets for websites. The website you see now is also hosted on GitHub Pages. In this guide, I will explain some of the advantages of GitHub Pages, and how to get started by using the service. Let’s dive into it!
5 minute read
When I first chose to use V6 or V7 machines with Azure Virtual Desktop, I ran into some boot controller errors about the boot controller not supporting SCSI images.
8 minute read
As we want to secure our Break Glass Accounts as good as possible, we cloud want to get alerts when break glass admins are used to login. Maybe they are used on a daily basis, or are being attacked. When we configure notifications, we instantly know when the accounts are being used and can check why a login has taken place. In this guide we will configure this without Microsoft Sentinel. If you already have a Sentinel workspace, the recommended action is to configure it there and to configure a automation rule/playbook.
6 minute read
In this post, I will explain how I redirect my domains and subdomains to websites and parts of my website. If you ever visited my tools page at https://justinverstijnen.nl/tools, you will see I have shortcuts to my tools themselves, although they are not directly linked to the instances. In this post I will explain how this is done, how to setup Azure Front Door to do this and how to create your own redirects from the Azure Portal.
6 minute read
Azure Bastion is a great tool in Azure to ensure your virtual machines are accessible in a fast, safe and easy way. This is cool if you want to embrace Zero Trust into your servers management layer and so a secure way to access your servers in Azure. In this guide I will explain more about Azure Bastion and I hope I can give you a good overview of the service, its features, pricing and some practice information.
9 minute read
In the past few weeks, I have been busy on scaling up my tools and the backend hosting of the tools. For the last year, I used multiple Static Web Apps on Azure for this, but this took a lot of time administering and creating them. I thought about a better and more scalable manner of hosting tools, minimizing the amount of hosts needed, uniforming URLs and shortcodes with Azure Front Door (guide coming up) andlinking multiple GitHub repositories into one for central management.
7 minute read
In this guide, I will show you how to delete the printers using a PowerShell script. This is compatible with Microsoft Intune and Group Policy and can be used on physical devices, Azure Virtual Desktop and Windows 365.
4 minute read
In some cases we want to automatically start the Windows App for connections to AVD and Windows 365 at startup. We can achieve this through different ways which I will describe in this post.
3 minute read
Microsoft Defender for Endpoint is a built-in antivirus and security solution that helps protect your Windows devices. Because we want as less overhead as possible at certain moments, I though of using Defender with PowerShell. Using PowerShell, you can manage Defender by checking its status, running Full and Quick scans, updating protections, and handling detected threats. In this guide, I will explain some PowerShell commands with simple steps to help you control Defender effectively from PowerShell, remotely or even to use in your scripts.
7 minute read
On this page I will describe how I built an environment with a pooled Azure Virtual Desktop hostpool with FSLogix and using the Entra Kerberos option for authentication. This new authentication option eliminates the unsafe need of storing the storage key in hosts’ registry like we did in my earlier AVD full Entra blog.
15 minute read
When using Azure Files and Windows 11 as operating system for Azure Virtual Desktop, we can leverage the highest SMB encryption/security available at the moment, which is AES-256. While we can change this pretty easily, the connection to the storage account will not work anymore by default. In this guide I will show how I got this to work in combination with the newest Kerberos Authentication.
3 minute read
When deploying Google Chrome with Microsoft Intune, users still have to manually login with their credentials into Microsoft Online websites. Microsoft Edge has built-in Single Sign On (SSO) for users who already logged in with their Microsoft account to their computer. However, there is a Chrome extension published by Microsoft themselves which allows users to also have this Single Sign On experience into Google Chrome. On this page I will show how this extension works, what the advantages are and how we can deploy this with Microsoft Intune. I will share both a Configuration Policy and a PowerShell script option where you may choose which one to use.
4 minute read
One day I came across an option in Microsoft 365 to disable the users’ self service trials. You must have seen it happening in your tenants, users with free licenses for Power Automate, Teams or Power BI. I will show you how to disable those and only let administrators buy and assign new licenses.
3 minute read
In Azure we can deploy ARM templates (+ script afterwards) to deploy resources on a big scale. This is like an easier version Terraform and Bicep, but without the great need to test every change and to learn a whole new language and convention. Also with less features indeed.
6 minute read
Today a short guide on how to disable Windows Taskbar widgets through Intune. I mean this part of the Windows 11 taskbar.
2 minute read
Microsoft just released a new feature, Windows Backup for Organizations, which is a revolution on top of the older Enterprise State Roaming. Windows Backup for Organizations will help you and your users by saving different components of your Windows installation to make a the proces of a new installation or computer much easier. Especially when used with Windows Autopilot, this is a great addition to the whole Windows/Intune ecosystem. In this guide I will dive into how it works, what is backed up and excluded and how to configure and use it.
5 minute read
In this guide, I’ll show you how to remove Universal Print connectors using PowerShell, because this cannot be done from the Universal Print portal.
3 minute read
Since the latest Windows 25H2 update, we have a great new feature. We can now remove pre-installed Windows Store Applications which we don’t want to ship with our devices. This helps us alot with both Windows 365 and Azure Virtual Desktop Personal deployments as with normal Intune-joined devices. The only downside is that Pooled Azure Virtual Desktop Deployments are not supported. In this guide I will dive into this new setting and explain how to configure this and why this is a great update. The step-by-step guide shows how I have configured a policy that removes most of the non-productive apps from my PC.
3 minute read
This blog post helps you to make the ADSync service more stable by utilizing a script that checks the service regularly and starting it when needed.
4 minute read
When deploying Microsoft Office apps to (pooled) Virtual Desktops, we mostly need to do some optimizations to the installation. We want to optimize performance on pooled and virtual machines, or maybe we want to enable shared computer activation because multiple users need the apps. In this guide I will show you how to customize the installation of Office apps, primarily for Virtual Desktops, but can be used on any Windows machine.
7 minute read
In Azure, we can configure Boot diagnostics to view the status of a virtual machine and connect to its serial console. However, this must be configured manually. The good part is that we can automate this process with Azure Policy. In this post I will explain step-by-step how to configure this and how to start using this in your own environment.
8 minute read
One of the small things I experienced in one of the updates for Windows 11 (24H2) is that the language bar/selector get’s automatically…
3 minute read
Wordpress. Its maybe the best and easiest way to maintain a website. This can be run on any server. In Azure, we also have great and serverless possibilities to run Wordpress. In this guide I will show you how to do this, how to enhance the experience and what steps are needed to build the solution. I will also tell more about the theoretical stuff to get a better understanding of what we are doing.
13 minute read
This guide explains how to perform a in-place upgrade Windows Server from 2022 to 2025 on Azure to leverage the newest version and stay secure.
8 minute read
Sometimes, it is necessary to match an existing local Active Directory (AD) user through Entra Connect with an existing Entra ID user (formerly known as Azure AD). This process ensures that the account in both environments is aligned and maintains the same underlying configurations and settings across systems.
4 minute read
Start VM on Connect is made to power on Azure Virtual Desktop session hosts only when a user actually connects. This is especially useful outside normal working hours, or in environments where you want to keep costs under control without blocking user access. Without this feature, a user simply can’t connect if the session host VM is powered off. With this feature enabled, Azure Virtual Desktop can start the required VM during the connection process.
4 minute read
Joining a storage account to Active Directory can be a hard part of configuring Azure Virtual Desktop or other components to work. We must join the storage account so we can do our Kerberos authentication against the storage account. In this guide I will write down the most easiest way with the least effort of performing this action.
5 minute read
Today I have a Logic App for you to clean up orphaned FSLogix profiles with Logic Apps. As you know, storage in Azure costs money and we want to store as minimum as possible. But in most companies, old and orphaned FSLogix profiles will be forgotten to clean up so we have automate this. In this guide I will show you how you can clean up FSLogix profiles from Azure Files by looking up the last modified date, and deleting the files after they exceeded the number of days.
9 minute read
In this blog post I will explain and demonstrate the pro’s and features of using FSLogix App Masking for Azure Virtual Desktop. This is a feature of FSLogix where we can hide certain applications and other components from our users while still having to maintain a single golden image. In this guide I will give some extra explaination about this feature, how it works, how to implement it in a production environment and how to create those rules based on the logged on user. I hope to give a “one-post-fits-all” experience.
9 minute read
In Azure, you have the option to create Ephemeral OS disks for your machine. This sounds really cool but what is it actually, what pro’s and cons are coming with them, what is the pricing and how do we use them? I will do my best to explain everything in this guide.
6 minute read
RDP Multipath is a new protocol for Azure Virtual Desktop and ensures the user always has a good and stable connection. It improves the connection by connecting via the best path and reduces random disconnections between session hosts and users.
4 minute read
When using Entra ID, we can automate a lot of different tasks. We can use a script processing server for this task but doing that normally means we have to save credentials or secrets in our scripts. Something we don’t want. Today I will show how to implement certificate-based authentication for App Registrations instead of using a client secret (which still feels like a password and matches it’s unsafety).
5 minute read
With Azure Logic apps we can save some money on compute costs. Azure Logic apps are flow based tasks that can be run on schedule, or on a specific trigger like receiving a email message or Teams message. After the trigger has been started, we can choose what action to do. If you are familiar with Microsoft’s Power Automate, Logic Apps is almost exactly the same but then hosted in Azure. In this guide I will demonstrate some simple examples of what Logic Apps can do to save on compute costs.
7 minute read
In this article, we are going to implement Azure Firewall in Azure. We are going to do this by building and architecting a new network and creating the basic rules to make everything work.
11 minute read
When it comes to basic email security, we have 3 techniques that can enhance our email security and delivery by some basic initial configuration. Those are called SPF, DKIM and DMARC. This means, configure, monitor and almost never touch again.
12 minute read
Since the beginning of Azure Virtual Desktop, it is mandatory to run it with an Active Directory. This because of the FSLogix dependency relying on SMB and Kerberos authentication, something which is not available in Entra ID at this time.
11 minute read
A scaling plan in Azure Virtual Desktop is one of the easiest ways to save costs on session hosts. Instead of leaving all hosts running all day and night, you can let Azure Virtual Desktop start and stop them based on a schedule. In this guide, I will show you how I usually configure a scaling plan for a pooled host pool. I focus on normal office hours, and outside those hours I prefer to use Start VM on Connect.
6 minute read
Microsoft Azure has a service called the ‘Static Web Apps" (SWA) which are simple but yet effective webpages. They can host HTML pages with included CSS and can link with Azure Functions for doing more advanced tasks for you. In this guide we will explore the possibilities of Static Web Apps in Azure.
6 minute read
Azure Workbooks are an excellent way to monitor your application and dependencies in a nice and customizable dashboard. Workbooks can…
2 minute read
Sometimes, we also want a step down from our work and want to fully enjoy a videogame. Especially when you really like games with open worlds, Minecraft is a great game. And what if I tell you we can setup a server for Minecraft on Azure so you can play it with your friends and have a 24/7 uptime this way.
12 minute read
Sometimes we want to know why a Azure Virtual Desktop logon took longer than expected. Several actions happen at Windows logon, like FSLogix profile mounting, Group Policy processing and preparing the desktop. I found a script online that helps us monitor the sign-ins and logons and basically tells us why it took 2 minutes and what parts took a specific amount of seconds.
4 minute read
Locks in Azure are a great way to prevent accidental deletion or modify resources or resource groups. This helps further securing your environment and make it somewhat more “fool proof”. Now with Azure Policy we can automatically deploy Locks to Resource Groups to secure them from deleting or read-only resources. In this guide I will explain how this can be done and how it works.
7 minute read
This page is about Azure Migrate and how you can migrate an on-premises server or multiple servers to Microsoft Azure. This process is not very easy, but it’s also not extremely difficult. Microsoft hasn’t made it as simple as just installing an agent on a VM, logging in, and clicking the migrate button. Instead, it is built in a scalable way.
8 minute read
I tested the new FSLogix 25.02 version and a very annoying bug appeared. “The Recycle Bin on C:\ is corrupted.”
4 minute read
With the Azure Start/Stop solution we can save costs in Microsoft Azure and save some environmental impact. In this guide I will explain how the solution works, how it can help your Azure solutions and how it must be deployed and configured.
10 minute read
In this guide, I will show how to do some popular Active Directory attacking tests and show how Defender for Identity (MDI) will alert you about the attacks. Not everyting detected by Defender for Identity will be directly classified as potential attack. When implementing the solution, it will learn during the first 30 days what normal behaviour in the network is.
9 minute read
In Microsoft Azure, we can build servers and networks that use IPv6 for their connectivity. This is especially great for your webservers, where you want the highest level of availability for your users. This is achieved the best using both IPv4 and IPv6 protocols. In this guide we do a deep dive into IPv6 in Microsoft Azure and I will show some practical examples of use of IPv6 in Azure.
6 minute read
When it comes to security, it is great to secure every perimeter. In the Zero Trust model, it has been stated that we have to verify everything, everytime, everywhere. So why consider not monitoring and defending your traditional Active Directory that is still in use because of some legacy applications?
11 minute read
Azure Update Manager is a tool from Microsoft and is developed to automate, installing and documenting Windows updates or updates to Linux server on Azure. This all in a single pane of glass and without installing any additional software.
4 minute read
Active Directory Domain Controllers are assigned 5 different FSMO roles, which all have their own function. We can separate them over multiple servers to create more redundancy, but make sure to handle those all as servers. All roles neeed a 24/7 uptime for your environment to work properly. In this guide, I will give a brief explaination of the roles, what their function is and how to move them to different servers to enhance availability and redundancy.
4 minute read
If you have the Office Apps installed with OneNote included, sometimes the OneNote printer will be installed as default. This post explains how to solve this problem.
3 minute read
8 minute read
Most companies who use Microsoft Azure in a hybrid setup have a Site-to-Site VPN gateway between the network in Azure and on-premises. This connection becomes mission critical for this company as a disruption mostly means a disruption in work or processes. But sometimes, Microsoft has to perform updates to these gateways to keep them up-to-date and secure. We can now define when this will be exactly, so we can configure the gateways to update only outside of business hours. In this guide I will explain how to configure this.
3 minute read
Sometimes, we add a new domain to Microsoft 365 and we want to have a domain alias for multiple or every user when acquiring a new domain in some cases. This post explains how to add a new alias with another domain to every user in your Microsoft 365 tenant.
2 minute read
Recently, Microsoft announced the general availability of 2 new security protocol when using Microsoft 365 and the service Exchange Online in particular. SMTP DANE and DNSSEC. What are these protocols, what is the added value and how can they help you secure your organization? Lets find out.
6 minute read
When using Azure Virtual Desktop (AVD) or Windows (W365), we sometimes use the mobile apps for Android, MacOS or iOS. But those apps rely on filling in a Feed Discovery URL instead of simply a Email address and a password.
3 minute read
Azure Stack HCI is a solution for Microsoft Azure to host Azure resources on your own hardware and location. This sounds traditional but can help to boost your Azure resources for your customer and/or use case. For example, with Azure Stack HCI it is possible to host some Azure Virtual Desktop hosts in your own network to boost performance by decreasing latency. Also it is possible to use GPU enabled software on this without having the very high monthly computing costs.
13 minute read
Now and then we come across a problem with Entra Connect Sync which states “DeletingCloudOnlyObjectNotAllowed”. This post helps you to solve this error.
4 minute read
This guide describes on how to disable Entra ID synchronization company-wide without the need of restoring users from the recycle bin. Therefore instructing you further on how to phase out Entra Connect Sync.
4 minute read
Microsoft will sometimes “pause” tenants with minor activity to reduce infrastructure costs. You will then get an error which contains “tenant dehydrated”. What this means and how to solve it, I will explain in this post.
3 minute read
Also impacted by the update where you can’t select users to filter your Group Policies (GPO)? Read this guide for a temporary solution.
3 minute read
By default, Microsoft Store applications are not supported when using FSLogix. The root cause is that Windows stores some metadata that is not roamed in the profile folder and cleared at every new logon. You will encounter this behaviour in every environment where you use FSLogix. Now a long time I told our end users that there unfortunately is no solution possible to download apps and make them persistent across Azure Virtual Desktop sessions but someday I found a workaround to this problem. I will explain this at this page.
4 minute read
Once in a while, we as IT administrators need to migrate our Group Policies of Windows Server to another server. Sometimes to…
3 minute read
When using Windows 11 on Azure Virtual Desktop (AVD), without the right optimization, the experience can be a little laggy, stuttery and slow. Especially when you came from Windows 10 with the same settings. You definitely want to optimize some settings. After that we will look into the official Virtual Desktop Optimization Toolkit (VDOT).
4 minute read
Sometimes a company wants to receive all email, even when addresses don’t really exist in Exchange. Now we call this a Catch all mailbox, where all inbound email is being catched that is not pointed to a known recipient. Think of a sort of *@domain.com. In this guide I will explain how to configure this in Exchange Online and how to maintain this by limiting our administrative effort.
7 minute read
When using Microsoft 365 and using multiple custom domains, sometimes you are unable to create a shared mailbox that uses the same alias as an existing mailbox. In this guide I will explain this problem and show how to still get the job done.
3 minute read
When still managing on-premises environments, but shifting your focus to the cloud you sometimes need to do a migration. This page helps you to migrate to SharePoint or Onedrive according to your needs.
2 minute read
2 minute read
In this guide I will explain how to use PowerShell remote sessions, what they are and how to configure your systems to use this. PowerShell Remote Sessions can be a great way to administer your virtual machines, cluster-nodes or physical Windows-based devices. With a Powershell remote session you can execute powershell commands on a remote device. It works the best with servers in a specific management subnet. I do not recommend to administer client devices with Powershell because this can be a huge security risk.
5 minute read
This guide explains how to perform Remote Group Policy updates and how to do the initial configuration needed.
3 minute read
When using Windows 365 in your organization, the deployment is very easy to do. When it comes to adding more users to the service, it can be much manual clicks to reach your goal. My advice is to leverage the Dynamic Group feature of Microsoft Entra.
4 minute read
This guide explains how Exchange Online Dynamic Distribution Groups work, how to create and maintain them with Microsoft 365.
4 minute read
When you install a fresh Windows Server Evaluation installation from a .iso file, it will be installing the OS as a Evaluation version…
2 minute read
This page will share a PowerShell script to create bulk AD users with Powershell including instructions to use it.
2 minute read