Step by Step Guides on justinverstijnen.nl

Microsoft Secure Score - Apps

Thu, 16 Apr 2026 00:00:00 +0000

Before we begin

I collected all the options of the Microsoft Secure Score for Apps on this page, and we I address them all. I also added some industry-accepted options which are not in the secure score framework but are really helpful in avoiding or minimizing attacks in your environment. You can use all options, or only a subset. The more of the options you implement, the higher your score.

Microsoft Secure Score - Devices

Thu, 09 Apr 2026 00:00:00 +0000

Before we begin

I collected all the options of the Microsoft Device Secure Score on this page, and we will address them all. I also added some industry-accepted options which are not in the secure score framework but are really helpful in avoiding or minimizing attacks in your environment.

You can use all options, or only use a subset of the options. This is up to you :)

Update your Kerberos configuration with Azure Virtual Desktop (RC4)

Thu, 09 Apr 2026 00:00:00 +0000

Microsoft released that the Kerberos protocol will be hardened by an update coming in April to June 2026 to increase security. This was released by Microsoft here:

https://techcommunity.microsoft.com/blog/fslogix-blog/action-required-windows-kerberos-hardening-rc4-may-affect-fslogix-profiles-on-sm/4506378

At first, they are not very specific about how to check what Kerberos encryption your environment uses and how to solve this before becoming a problem. I will do my best to explain this and show you how to solve it.

Microsoft already introduced Kerberos-related hardening changes in updates released since November 2022, which significantly reduced RC4 usage in many environments. However, administrators should still verify whether specific accounts, services or devices are explicitly or implicitly relying on RC4 before disabling it. In this guide, I will explain to you how to do this.

Getting started with Microsoft 365 Backup

Fri, 03 Apr 2026 00:00:00 +0000

Requirements

A Microsoft 365 environment with Global Administrator permissions
An Azure Subscription with PAYG capabilities
Around 30 minutes of your time
Basic knowledge of Microsoft 365

What is Microsoft 365 Backup?

Microsoft 365 Backup is an integrated solution of Microsoft to backup Microsoft 365 items. This applies to these items:

Exchange Mailboxes
OneDrive accounts
SharePoint sites/Teams

Microsoft 365 Backup can be used to extend the retention period of certain data. By default, spaces like SharePoint sites have a retention of 93 days if you count the recycle bin and versioning. But this is not really a backup, only some techniques to quicky restore a single file or folder. This doesn’t include things like permissions, which Microsoft 365 Backup does.

Microsoft Secure Score - Identity

Thu, 26 Mar 2026 00:00:00 +0000

On this page, I will describe how I implemented my current Microsoft Secure Score on the Identity pillar. This means altering mostly the options of Microsoft Entra ID.

Before we begin

I collected all the options of the Microsoft Entra ID Identity Secure Score on this page, and we will address them all. I also added some industry-accepted options which are not in the secure score framework but are really helpful in avoiding or minimizing attacks in your environment.

I tested Azure Virtual Desktop RemoteAppV2

Wed, 25 Mar 2026 00:00:00 +0000

Microsoft announced RemoteAppV2 under some pretty enhancements on top of the older RemoteApp engine. This newer version has some improvements like:

Better multi monitor support
Better resizing/window experience
Visuals like window shadows

I cannot really show this in pictures, but if you test V2 alongside V1, you definitely notice these small visual enhancements. However, a wanted feature called “drag-and-drop” is still not possible on V2.

Source: https://learn.microsoft.com/en-us/azure/virtual-desktop/remoteapp-enhancements

How to enable RemoteAppV2

To enable RemoteAppV2, you need to set a registry key as long as the preview is running. Make sure you are compliant with the requirements as described on this page (client + hosts):

Getting started with GitHub Pages

Thu, 19 Mar 2026 00:00:00 +0000

Requirements

A GitHub account (free)
A domain name for your website, or you can use the default domain name of GitHub
- youraccount.github.io
A template website to upload to your domain name
Some basic knowledge about websites and DNS

What is GitHub Pages?

GitHub Pages allows you to host a static website directly from a GitHub repository. This can be done without managing a server, infrastructure, or hosting provider. The only thing you do is create a repository, upload a website, and optionally connect it to a domain name of your choice. We can compare this to Azure Static Web Apps if you are familiar with that.

Azure Virtual Desktop V6/V7 VMs imaging

Thu, 12 Mar 2026 00:00:00 +0000

The VM size ‘Standard_E4as_v7’ cannot boot with OS image or disk. Please check that disk controller types supported by the OS image or disk is one of the supported disk controller types for the VM size ‘Standard_E4as_v7’. Please query sku api at https://aka.ms/azure-compute-skus to determine supported disk controller types for the VM size. (Code: InvalidParameter)
This size is not available because it does not support the SCSI disk controller type.

Because I really wanted to use higher version VMs, I went to research on how to solve this problem. I will describe the process from creating the initial imaging VM, to capture and installing new AVD hosts with our new image.

Get notifications when Entra ID break glass admins are used

Sun, 08 Mar 2026 00:00:00 +0000

The alert solution described

The solution we will configure looks like this:

Log Analytics Workspace
Set diagnostic settings for Entra ID sign in logs to write to Log Analytics
Set query to find successful or non-succesful sign in attempts (based on your needs)
Set Azure Monitor alert to alert admins of the attempts taking place
After all this we will test this to test if this works as excpected

Here we use all the features inside Azure only, and no 3rd party solutions.

Create HTTPS 301 redirects with Azure Front Door

Thu, 19 Feb 2026 00:00:00 +0000

Requirements

For this solution, you need the following stuff:

An Azure Subscription
A domain name or multiple domain names, which may also be subdomains (subdomain.domain.com)
Some HTTPS knowledge
Some Azure knowledge

The solution explained

I will explain how I have made the shortcuts to my tools at https://justinverstijnen.nl/tools, as this is something what Azure Front Door can do for you.

In short, Azure Front Door is a load balancer/CDN application with a lot of load balancing options to distribute load onto your backend. In this guide we will use a simple part, only redirecting traffic using 301 rules, but if interested, its a very nice application.

Everything you need to know about Azure Bastion

Sun, 15 Feb 2026 00:00:00 +0000

How does Azure Bastion work?

Azure Bastion is a serverless instance you deploy in your Azure virtual network. It resides there waiting for users to connect with it. It acts like a Jump-server, a secured server from where an administrative user connects to another server.

The process of it looks like this:

A user can choose to connect from the Azure Portal to Azure Bastion and from there to the destination server or use a native client, which can be:

Upload multiple Github repositories into a single Azure Static Web App

Thu, 15 Jan 2026 00:00:00 +0000

In this guide, I will describe how I now host multiple Github applications/tools into one single Static Web App environment in Azure. This mostly captures the simple, single task, tools which can be found on my website:

https://justinverstijnen.nl/tools or jvapp.nl if you need a shortcut.

Because I started with a single tool, then built another and another and another one, I needed a sort of scalable way of doing this. Each tool means doing the following stuff:

What is MTA-STS and how to use it to protect your email flow

Thu, 08 Jan 2026 00:00:00 +0000

Requirements

Around 30 minutes of your time
Access to your domains’ DNS hosting to create DNS records
An Azure Subscription if you want to publish your policy with a Static Web App
- A Github account if you use this option
An Azure Subscription if you want to publish your policy with a Function App
Basic knowledge of DNS records
Basic knowledge of Email security

MTA-STS versus SMTP DANE

MTA-STS overlaps with the newer SMTP DANE option, and they both help securing your email flow but each in its own manner. Some differences:

Remove Microsoft Print to PDF and OneNote printers script

Mon, 29 Dec 2025 00:00:00 +0000

By default in Windows 11 with Microsoft 365 apps installed, we have two software printers installed. These are:

OneNote (Desktop)
Microsoft Print to PDF

However, some users don’t use them and they will annoyingly be as default printer sometimes, which we want to avoid. Most software have built-in options to save to PDF, so this is a bit redundant. Our real printers will be further down which causes their own problems for end users.

Automatically start Windows App at startup

Thu, 25 Dec 2025 00:00:00 +0000

Creating the Intune script

We can achieve this with Intune using a PowerShell script. As Intune doesn’t support login/startup scripts, we have to create a Platform script that creates a Scheduled Task in Windows for us. This is a great way, as this is visible at the client side and can be disabled pretty easily.

To create this task/script, go to the Intune Admin center: https://intune.microsoft.com

Go to Devices -> Windows -> Scripts and remediations, then open the tab “Platform scripts”.

Azure Virtual Desktop FSLogix and Native Kerberos authentication

Tue, 16 Dec 2025 00:00:00 +0000

In this guide I will dive into how I configured an simple environment where I placed every configuration action in separate steps to keep it simple and clear to follow and also will give some describing information about some concepts and settings.

I also added some optional steps for a better configuration and security than this guide already provides for a better user experience and more security.

The solution described

The day has finally come; we can now build a Azure Virtual Desktop (AVD) hostpool in pooled configuration without having to host an Active Directory, and/or having to host an unsecured storage account by having to inject the Storage Access Key into the machines’ registry. This newer setup enhances performance and security on those points.

FSLogix and maximum Azure Files security

Sun, 14 Dec 2025 00:00:00 +0000

The Maximum Security preset in the Azure Portal

We can also run the SMB security on the Maximum security preset in the Azure Portal and still run FSLogix without problems. In the Azure Portal, go to the storage account and set the security of the File share to “Maximum security”:

This will only allow the AES_256_GCM SMB Channel encryption, but Windows 11 defaults to the 128 version only. We now have to tell Windows to use the better secured 256 version instead, otherwise the storage account blocks your requests and logging in isn’t possible. I will do this through Intune, but you could do this with Group Policy in the same manner or with PowerShell.

Deploy Google Chrome Single Sign On with Intune

Thu, 11 Dec 2025 00:00:00 +0000

How the extension works

The Microsoft SSO extension for Google Chrome uses the same token/session you already have when you have your device Entra ID joined. It will send that to every Microsoft Online webpage to show you are already authenticated and have a valid token. This makes the user experience a lot better as they don’t have to authenticate first before starting to use the web applications.

Disable users' self service license trials

Thu, 04 Dec 2025 00:00:00 +0000

Why should you disable trial licenses?

You can disable self service trial licenses if you want to avoid users to use un-accepted apps. This could result in shadow-it happening in your environment.

Let’s say, your company uses Zoom to call with each other, and users are starting to use Microsoft Teams. Teams then is an application not accepted by your organization and users then should not be able to use it. If you give them the possibility, they will. This all of course assuming you don’t have paid licenses for Microsoft Teams.

ARM templates and Azure VM + Script deployment

Thu, 20 Nov 2025 00:00:00 +0000

In this post I will show some examples of deploying with ARM templates and also will show you how to deploy a PowerShell script to run directly after the deployment of an virtual machine. This further helps automating your tasks.

Requirements

Around 30 minutes of your time
An Azure subscription to deploy resources (if wanting to follow the guide)
A Github account, Azure Storage account or other hosting option to publish Powershell scripts to URL
Basic knowledge of Azure

What is ARM?

ARM stands for Azure Resource Manager and is the underlying API for everything you deploy, change and manage in the Azure Portal, Azure PowerShell and Azure CLI. A basic understanding of ARM is in this picture:

Disable Windows Taskbar Widgets through Intune

Thu, 06 Nov 2025 00:00:00 +0000

Method 1: Settings Catalog

The easiest way to disable these widgets is through a Settings Catalog policy. Open up Microsoft Intune admin center and create a new policy through the Settings Catalog.

Search for “widget” and these options are available:

News and Interests: Disable Widgets on Lockscreen
News and Interests: Disable Widgets Board
Widgets: Allow Widgets

In my case, I have set all three options to disabled/Not allowed.

Using and configuring Windows Backup for Organizations in Intune

Sat, 01 Nov 2025 00:00:00 +0000

Requirements

Windows 11 with the latest feature updates installed for both creating and restoring backups
Entra ID joined or Entra Hybrid joined device
Microsoft Intune-capable license
Around 15 minutes of your time

What is Windows Backup for Organizations?

Windows Backup for Organizations is a feature where Windows creates a backup of your Windows settings and Windows Store applications every 8 days. This will be saved to your Microsoft business account. If ever having to re-install your device or to use a new device, you can easily restore your old configuration. This is a revolution on top of the older Enterprise State Roaming feature, who did around 20% of this.

Remove Pre-installed Windows Store Apps with Intune

Tue, 21 Oct 2025 00:00:00 +0000

This new feature described

In Intune we can now select which default shipped apps must be removed from Windows clients. Before, this was a complete package we had to use or remove with custom scripts, but now we can select the apps to remove (and deselect to keep).

Keep in mind, we have the following requirements for this new feature:

Windows 11 25H2
Education or Enterprise version

Also worth mentioning, removing an application needs a manual reinstall, which is easy to do.

Solved - ADSync service stopped (Entra Connect Sync)

Mon, 06 Oct 2025 00:00:00 +0000

Sometimes, the ADSync service stops without further notice. You will see that the service has been stopped in the Services panel:

In this guide I will explain how I solved this problem using a simple PowerShell script.

The Check ADSync script

The PowerShell script that fixes this problem is on my GitHub page:

Download script from GitHub

The script simply checks if the service is running, if this is the case the script will be terminated. If the service is not running, the service will be started.

Customize Office apps installation for Azure Virtual Desktop

Tue, 30 Sep 2025 00:00:00 +0000

Requirements

Around 30 minutes of your time
A Microsoft 365 tenant with Global Administrator, Security Administrator or Office Apps Admin permissions
A Windows machine to test the installation
Basic knowledge of Virtual Desktops and Office Apps

What is the Office Configuration Tool?

The Office Configuration Tool (config.office.com) is a customization tool for your Office installation. We can some custom settings and define which settings we want, how the programs must behave and include and exclude software we don’t need.

Automatic Azure Boot diagnostics monitoring with Azure Policy

Thu, 11 Sep 2025 00:00:00 +0000

In short, Azure Policy is a compliance/governance tool in Azure with capabilities for automatically pushing your resources to be compliant with your stated policy. This means if we configure Azure Policy to automatically configure boot diagnostics and save the information to a storage account, this will be automatically done for all existing and new virtual machines.

Step 1: The configuration explained

The boot diagnostics in Azure enables you to monitor the state of the virtual machine in the portal. By default, this will be enabled with a Microsoft managed storage account but we don’t have control over the storage account.

How to completely hide language bar/selector Windows 11

Tue, 09 Sep 2025 00:00:00 +0000

One of the small things I experienced in one of the updates for Windows 11 (24H2) is that the language bar/selector get’s automatically visible on the Windows taskbar. In previous versions of Windows, this was only available when using multiple keyboard languages.

Because this can get very annoying, I researched on how to disable this button to clean up our taskbar and only use it for the applications and space we need.

Wordpress on Azure

Thu, 04 Sep 2025 00:00:00 +0000

Requirements

An Azure subscription
A public domain name to run the website on (not required, but really nice)
Some basic knowledge about Azure
Some basic knowledge about IP addresses, DNS and websites
Around 45 minutes of your time

What is Wordpress?

For the people who may not know what Wordpress is; Wordpress is a tool to create and manage websites, without needing to have knowledge of code. It is a so-called content management system (CMS) and has thousands of themes and plugins to play with. This website you see now is also running on Wordpress.

In-Place upgrade to Windows Server 2025 on Azure

Thu, 28 Aug 2025 00:00:00 +0000

Once every 3 to 4 years you want to be on the last version of Windows Server because of new features and of course to have the latest security updates. These security updates are the most important these days.

When having your server hosted on Microsoft Azure, this proces can look a bit complicated but it is relatively easy to upgrade your Windows Server to the last version, and I will explain how to on this page.

Match AD users using Entra Connect Sync and MSGraph

Mon, 18 Aug 2025 00:00:00 +0000

The difference between soft and hard matching

Most of the time the system itself will match the users automatically using soft-matching. Here the service will be matching users in both Entra ID and Active Directory by using known attributes like UserPrincipalName and ProxyAddresses.

In some cases, especially when you use different Active Directory and Entra ID domains, we need to give the final tip to Entra ID to match and AD user to an Entra ID users. We will tell Entra ID what the GUID of the on-premises user is by getting that value and encode it into Base64. Then we pass Entra ID this value so it understands what local user to link with what cloud user. This process is called “hard-matching”, as we have to do this by hand or by scripting.

Joining storage account to Active Directory (AD DS)

Thu, 14 Aug 2025 00:00:00 +0000

Requirements

Around 30 minutes of your time
An Azure subscription with the storage account
An Active Directory (AD DS) to join the storage account with (on-premises/Azure)
Basic knowledge of Active Directory and PowerShell

Step 1: Prepare the Active Directory server

We must first prepare our server. This must be a domain-joined server, but preferably not a domain controller. Use a management server instead when possible. We must execute

Clean up old FSLogix profiles with Logic Apps

Thu, 07 Aug 2025 00:00:00 +0000

I will give you a step-by-step guide to build this Logic App yourself.

Make sure you have backups ofenabled on your storage account so when a file is deleted but you need it for some reason after some time, you can restore it from a monthly or yearly backup.

Also: Recover Services storage is much cheaper than live Storage Account storage, keep this in mind when implementing this sort of Logic Apps.

Using FSLogix App Masking to hide applications on Virtual Desktops

Thu, 31 Jul 2025 00:00:00 +0000

Requirements

Around 45 minutes of your time
An environment with Active Directory and separate client machine with FSLogix pre-installed
Basic knowledge of Active Directory
Basic knowledge of Windows and FSLogix

What is FSLogix App Masking?

FSLogix App Masking is an extra feature of the FSLogix solution. FSLogix itself is a profile container solution which is widely used in virtual desktop environments where users can login on any computer and the profile is fetched of a shared location. This eliminates local profiles and a universal experience on any host.

Use Ephemeral OS Disks in Azure

Thu, 24 Jul 2025 00:00:00 +0000

Requirements

Around 25 minutes of your time
An Azure subscription (if wanting to deploy)
Basic knowledge of Azure
Basic knowledge of servers and infrastructure

What are Ephemeral OS Disks?

Ephemeral OS Disks are disks in Azure where the data is stored directly on the hypervisor itself, rather than having a managed disk which could be resided at the very other end of a datacenter. Every cable and step between the disk and the virtual machine creates latency which will result in your machine being slower.

RDP Multipath - What is it and how to configure?

Wed, 16 Jul 2025 00:00:00 +0000

Let’s take a look what RDP Multipath adds to your connections:

Green: The normal paths of connecting with RDP/Shortpath Purple: The paths added by RDP Multipath

This adds extra ways of connecting session hosts to the end device, selects the most reliable one and therefore adds stability and decreases latency.

RDP Multipath now has to be configured manually, but the expectation is that it will be added to new AVD/Multi Session images shortly, just ad RDP Shortpath did at the time.

Implement Certificate-based authentication for Entra ID scripts

Sun, 13 Jul 2025 00:00:00 +0000

Requirements

Around 20 minutes of your time
An Entra ID environment if you want to test this
A prepared Entra ID app registration
A server or workstation running Windows to do the connection to Entra ID
Some basic knowledge about Entra ID and certificates

How does these certificates work?

Certificate based authentication means that we can authenticate ourselves to Entra ID using a certificate instead of user credentials or a password in plain text. When using some automated scripts it needs permissions to perform its actions but this means storing some sort of authentication. We don’t want to store our credentials on the server as this decreases our security and a potential risk of compromise.

Use Azure Logic Apps to automatically start and stop VMs

Sun, 13 Jul 2025 00:00:00 +0000

Azure Logic Apps

Azure Logic Apps is a solution to automate flows that we can run based on a trigger. After a certain trigger is being met, the Logic App can then perform some certain steps, like;

Get data from database/SharePoint
Process data
Send email
Start or Stop VM

To keep it simple, such logic app can looks like this:

In Logic Apps there are templates to help you starting out what the possibilities are:

How to implement Azure Firewall to secure your Azure environment

Thu, 10 Jul 2025 00:00:00 +0000

Requirements

Around 60 minutes of your time
An Azure subscription
Basic knowledge of Azure
Basic knowledge of Networking
Basic knowledge of Azure Firewall

Overview

Before creating all resources, it is great to plan before we build. I mean planning your network before building and having different overlaps or too much/less addresses available. In most cases, Azure recommends building a Hub-and-Spoke network, where we connect all spoke networks to a big hub.

Enhance email security with SPF/DKIM/DMARC

Mon, 16 Jun 2025 00:00:00 +0000

Microsoft announced that starting from May 5, 2025: SPF, DKIM and DMARC will become mandatory for inbound email delivery. Not configuring all three can result in your emails not being delivered correctly.

These 3 techniques are:

SPF: Sender Policy Framework
DKIM: Domain Keys Identified Mail
DMARC: Domain-based Message Authentication Reporting and Conformance

When using Microsoft 365 as your messaging service, I also highly recommend to configure SMTP DANE. A detailed guide of configuring this can be found here: https://justinverstijnen.nl/configure-dnssec-and-smtp-dane-with-exchange-online-microsoft-365/

Pooled Azure Virtual Desktop with Azure AD cloud users only

Thu, 12 Jun 2025 00:00:00 +0000

This deployment option is superseded by the more easy and secure Entra Kerberos option, check out the updated deployment guide here: https://justinverstijnen.nl/azure-virtual-desktop-fslogix-and-native-kerberos-authentication/

Since the beginning of Azure Virtual Desktop, it is mandatory to run it with an Active Directory. This because when using pooled session hosts, there has to be some sort of NTFS permission for FSLogix to reach the users’ profile disks. This permission is done using NTFS with Kerberos authentication. Something Azure AD doesn’t support.

Creating Static Web Apps on Azure the easy way

Thu, 29 May 2025 00:00:00 +0000

Requirements

Around 45 minutes of your time
An account for Github (recommended)
An Azure subscription to host your Static Web App
Some basic knowledge of Azure
A custom domain to link the web app to your domain

Introduction to Static Web Apps and Github

Before we dive into Static Web Apps and Github, I want to give a clear explaination of both the components that will help us achieving our goal, hosting a simple web app on Azure.

Create custom Azure Workbooks for detailed monitoring

Thu, 08 May 2025 00:00:00 +0000

Introduction

Azure Workbooks are a powerful way to build customizable dashboards for monitoring applications and infrastructure. They can combine multiple data sources such as:

Metrics
Log Analytics Workspaces
Visualizations

They are flexible enough for quick performance overviews or deep investigations.

Using Default Azure Workbooks

Many Azure resources include built-in workbook templates with basic health and performance insights.

Open your Virtual Machine.
Select Workbooks.
Choose Overview or another template.

Setup a Minecraft server on Azure

Thu, 01 May 2025 00:00:00 +0000

Requirements

An Azure environment
Basic knowledge of Azure
Basic knowledge of Linux and SSH
Basic knowledge of networking and TCP/UDP
Experience with Minecraft to test the server
Around 45 minutes of your time

System requirements of a Minecraft server

For a typical Minecraft server, without Mods, the guidelines and system requirements are as stated below:


Processor cores	Ram	Player Slots	World Size
2	8GB	Up to 10	Up to 8GB
4	16GB	Up to 20	Up to 15GB
8	32GB	Up to 50	Up to 20GB
16	64GB	Up to 100	Up to 60GB

Setup the Azure environment for a Minecraft server

Creating the Resource Group

First, we need to setup our Azure environment for a Minecraft server. I started with creating a Resource group named “rg-jv-minecraftserver”.

Monitor Azure Virtual Deskop logon speed

Thu, 24 Apr 2025 00:00:00 +0000

The script is not made by myself, the source of the script is: https://www.controlup.com/script-library-posts/analyze-logon-duration/

The script used in practice

I have a demo environment where we can test this script. There we will run the script.

The script must be run at the machine where a user has just finished the login process. The user must be still logged on at the time you run it because it needs information from the event log and the session id.

Deploy Resource Group locks automatically with Azure Policy

Thu, 17 Apr 2025 00:00:00 +0000

Note: Locks on Resource Groups can stop some automations. If you use read-only locks on a Azure Virtual Desktop resource group for example, autoscaling will not work anymore.

Take care and test these changes before creating them and assigning this policy to such (production) subscription.

The solution described

This solution consists of an Azure Policy Definition, that is assigned to the subscription where this must be executed. It also consists of a custom role that only gives the needed permissions, and nothing more.

Migrate servers with Azure Migrate in 7 steps

Thu, 03 Apr 2025 00:00:00 +0000

Requirements

A server to migrate to Microsoft Azure
Ability to install 1 or 2 additional servers
- Must be in the same network
Around 60 minutes of your time
Administrator access to all source servers
RDP access to all source servers is useful
Secure Boot must be disabled on the source servers
A target Azure Subscription with Owner access
1 server dedicated to Migration based on Windows Server 2016*
2 servers for Discovery and Migration based on Windows Server 2016*

*Windows Server 2016 is the only supported OS, please do not install other versions as this will not work.

Module 11: Infrastructure as Code & DevOps

Thu, 27 Mar 2025 00:00:00 +0000

In this module, we cover Azure: Infrastructure as Code (IaC) and DevOps. This module focuses more on development on Azure, with less emphasis on automation and IT management. While IaC and DevOps might seem less exciting at first, they are essential for modern cloud-based application development and operations, helping streamline deployments, ensure consistency, and integrate continuous delivery pipelines.

Azure Management Tools

There are multiple environments to manage Azure and its resources:

Solved - FSLogix release 25.02 breaks Recycle Bin - Azure Virtual Desktop

Mon, 03 Mar 2025 00:00:00 +0000

This issue has been solved in the newest release of FSLogix 25.04: https://learn.microsoft.com/en-us/fslogix/overview-release-notes

Please use this newer version instead of version 25.02. This fixes the bug in this article without any change in policies and settings.

The problem/bug described

When testing the new FSLogix 25.02 version, I came across a very annoying problem/bug in this new version.

“The Recycle Bin on C:\ is corrupted. Do you want to empty the Recycle Bin for this drive?”

Save Azure costs on Virtual Machines with Start/Stop

Sun, 02 Mar 2025 00:00:00 +0000

Requirements

Around 45 minutes of your time
An Azure subscription
One or more Azure VMs to automatically start and stop
Basic knowledge of Azure
No fear of JSON configurations
Some drink of your choice

Introduction to the Start/Stop solution

The Start/Stop solution is a complete solution and collection of predefined resources built by Microsoft itself. It is purely focussed on starting VMs and stopping VMs based on some rules you can configure. The solution consists of some different resources and dependencies:

Penetration testing Defender for Identity and Active Directory

Fri, 21 Feb 2025 00:00:00 +0000

Requirements

At least one Microsoft Defender for Identity running
- For a step by step guide of this, refer this guide!
A domain controller (vm-jv-mdi)
A workstation (ws-jv-mdi)
Around 30 minutes of your time

Starting out

So I want to mention, that most of the attacks to Active Directory can be easily prevented if everybody locks their computer everytime they walk away from it and also use good enough authentication methods. Some other attacks cannot always be prevented but we can do the most of it detecting them and acting in a greatly manner.

Deep dive into IPv6 with Microsoft Azure

Mon, 17 Feb 2025 00:00:00 +0000

Requirements

Basic knowledge of Azure and IPv4 and IPv6
- Reading this guide prior is recommended: https://justinverstijnen.nl/basic-ipv6-explaination/
Around 45 minutes of your time
An Azure subscription to test and succeed on
A cup of coffee or drink of your choice :)

Creating a Virtual Network (VNET) with IPv6

By default, Azure pushes you to use an IPv4 address space when creating a virtual network in Azure. Now this is the best understandable and easy version of addressing.

How to monitor your Active Directory with Defender for Identity

Sat, 15 Feb 2025 00:00:00 +0000

Requirements

An Microsoft 365 tenant
A traditional Active Directory (AD DS) environment which meets the system requirements and is Server 2016+
A license that has Defender for Identity included, like;
- Enterprise Mobility & Security E5
- E5 or E5 security add-on
- Standalone Defender for Identity license
- F5 Security add-on with F1 or F3 license already in place
- Source: https://learn.microsoft.com/en-us/defender-for-identity/deploy/prerequisites#licensing-requirements
Around 60 minutes of your time
A drink of your choice

What is Microsoft Defender for Identity (MDI)?

Microsoft Defender for Identity (MDI for short) is a comprehensive security and monitoring tool which is part of the Microsoft XDR suite that defends your Windows Server-based Active Directory (AD DS). This does it by installing agents on every domain controller and so monitoring every authentication request.

Using Azure Update Manager to manage updates at scale

Sat, 08 Feb 2025 00:00:00 +0000

Azure Update Manager is a tool from Microsoft and is developed to automate, installing and documenting Windows updates or updates to Linux server on Azure. This all in a single pane of glass and without installing any additional software.

Requirements

Around 15 minutes of your time
An Azure subsciption
An Azure server or Azure Arc server

Supported systems

Azure Update Manager supports the following systems for assessments and installing updates, therefore managing them:

Active Directory FSMO roles

Tue, 04 Feb 2025 00:00:00 +0000

What are the FSMO roles of Active Directory?

FSMO stands for Flexible Single Master Operations. Active Directory is normally multi-master, meaning changes can be made on any domain controller. However, some operations must be handled by one specific domain controller at a time to avoid conflicts. These special responsibilities are called the FSMO roles.

There are five FSMO roles:

Two forest-wide roles
Three domain-wide roles

Let’s look at them all and explain what their function is:

Stop OneNote printer from being default printer in AVD

Fri, 10 Jan 2025 00:00:00 +0000

This can be very annoying for our end users and ourselves as we want real printers to be the default printer. Today I will show you how to delete this printer for current and new session hosts permanently.

The issue itself

The issue is that OneNote automatically creates a printer queue in Windows at installation for users to send information to OneNote. This will be something they use sometimes, but a physical printer will be used much more often. The most annoying part is that the software printer for OneNote will be marked as default printer every day which is annoying for the end users.

How to upload PowerShell script to Gallery with Github Actions

Thu, 02 Jan 2025 00:00:00 +0000

When using the PowerShell Gallery to upload and publish your scripts and PowerShell modules to the world it’s recommended to use Github Actions for CI/CD to automatically update your live packages on the PowerShell Gallery. At first, this looked somewhat complex to me but it’s relatively easy.

On this page I will show how I’ve uploaded scripts from Github to the PowerShell Gallery with using a Github Action.

Requirements

Around 30 minutes of your time
Github account
Powershell Gallery account
A PowerShell script for testing to actually upload to the PowerShell Gallery

Introduction to PowerShell Gallery

In short, the PowerShell Gallery is a public repository which contains PowerShell scripts and modules which all PowerShell users can download and install. All of this using some simple commands:

Azure VPN Gateway Maintenance - How to configure

Wed, 01 Jan 2025 00:00:00 +0000

Why configure a maintenance configuration?

We would want to configure a maintenance configuration for our VPN gateway to Azure to prevent unwanted updates during business hours. Microsoft doesn’t publish when they perform updates to their infrastructure, so this could be any moment.

Microsoft has to patch or replace their hardware regularly, and by configuring this maintenance configuration, we tell them: “Hey, please only do this for us in this window“. You could understand that configuring this is essential for availability reasons, but also don’t postpone updates too long for security and continuity reasons. My advice is to schedule these updates daily or weekly.

Set a domain alias for every user in Microsoft 365

Fri, 13 Dec 2024 00:00:00 +0000

Logging in Exchange Online Powershell

To configure a alias for every user, we need to login into Exchange Online Powershell:

POWERSHELL

Connect-ExchangeOnline

If you don’t have the module already installed on your computer, run the following command on an elevated window:

POWERSHELL

Install-Module ExchangeOnlineManagement

Source: https://www.powershellgallery.com/packages/ExchangeOnlineManagement/3.7.2

Adding the 365 domain alias to every user

After succesfully logged in, run the following command:

Configure DNSSEC and SMTP DANE Microsoft 365

Thu, 31 Oct 2024 00:00:00 +0000

Domain Name System Security Extensions (DNSSEC)

DNSSEC is a feature where a client can validate the DNS records received by a DNS server to ensure a record is originated from the DNS server and not manipulated by a Man in the Middle attack.

DNSSEC is developed to prevent attacks like in the topology below:

Here a attacker injects a fake DNS record and sends the user to a different IP-address, not the actual IP-address of the real website but a fake, mostly spoofed website. This way, a user sees for example https://portal.azure.com in his address bar but is actually on a malicious webserver. This makes the user far more vulnerable to credential harvesting or phising attacks.

Automatic AVD/W365 Feed discovery for mobile apps

Wed, 09 Oct 2024 00:00:00 +0000

Did you know we can automate this process? I will explain how to do this!

Fast path for URL: https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery

The problem explained

When downloading the apps for your mobile devices, we get this window after installing:

After filling in our emailadress that has access to a Azure Virtual Desktop hostpool or Windows 365 machine, we still get this error:

We couldn’t find any Workspaces associated with this email address. Try providing a URL instead.

Now the client wants a URL, but we don’t want to fill in this URL for every device we configure. We can automate this through DNS.

Azure Stack HCI - Host your Virtual Desktops locally

Thu, 03 Oct 2024 00:00:00 +0000

Introduction to Azure Stack HCI

Azure Stack HCI is a solution for Microsoft Azure to host Azure resources on your own hardware and location. This sounds traditional but can help to boost your Azure resources for your customer and/or use case.

For example, with Azure Stack HCI it is possible to host some Azure Virtual Desktop hosts in your own network to boost performance by decreasing latency. Also it is possible to use GPU enabled software on this.

How to solve DeletingCloudOnlyObjectNotAllowed error Entra Connect Sync

Mon, 30 Sep 2024 00:00:00 +0000

Now and then we come across a problem with Entra Connect Sync which states “DeletingCloudOnlyObjectNotAllowed”. This error looks like this:

This error will be shown if opening the Syncronization Service and email messages of this error will aso be sent to your tenant’s technical contact.

In this guide, I will explain the cause of this problem and the options to solve the issue.

Cause of this problem

The cause of this problem is mostly an object that is first created cloud-only and then created in Active Directory, or a user that was synced previously but is deselected or deleted. Entra Connect Sync will not match the users correctly, and a the ImmutableId of the user in Entra still exists. In short; it still wants to sync a user that not exists.

Solved - Microsoft 365 tenant dehydrated

Fri, 20 Sep 2024 00:00:00 +0000

What is “Tenant dehydrated”?

Microsoft sometimes will dehydrate Microsoft 365 tenants where things will not often change to the tenant. This closes some parts of the tenant for changing, even if you have Global Administrator permissions.

The cause of this is for Microsoft to save on infrastructure cost. They will set the tenant in this sort of “sleep mode” where everything works properly but some configuration changes cannot be done. You can get this error with all sorts of changes:

Solved: August 2024 updates breaks GPO Item level targeting - user in group

Mon, 09 Sep 2024 00:00:00 +0000

If you are managing Windows Servers, Group Policies are a great way to distribute settings to your endpoints. However, a recent update of August 2024 in Windows Server 2022 and 2019 breaks user filtering in Group Policy (GPO) Item Level Targeting

The problem itself

When applying printers, registery settings or drive maps to users, we use Group Policy Item level targeting to filter users so only users with a group membership gets the policy applied.

Solved - Windows Store applications on FSLogix/Azure Virtual Desktop

Thu, 15 Aug 2024 00:00:00 +0000

Requirements

Around 15 minutes of your time
An Azure Virtual Desktop or Remote Desktop Services environment with FSLogix
Some basic knowledge about Windows, Azure and Active Directory
Session host must have winget installed

Default behaviour and why applications disappear

So the problem with Microsoft Store applications on any FSLogix based system is that the application can be installed like expected and they will work. After signing out of the session and logging in again, the applications will be gone. Under water, the applications are still installed on the computer, only Windows doesn’t know to show them to the user.

Migrate Group Policies to a new server or domain like a pro

Wed, 07 Aug 2024 00:00:00 +0000

Once in a while, we as IT administrators need to export and import our Group Policies of Windows Server to another server. Sometimes to copy a great policy you’ve built, or to migrate a customer to a new server.

By default, the only option Microsoft has built in into Group Policy Management (gpmc.msc) is the backup option. This creates some administrative tasks.

The Export and Import scripts

I have created two scripts with Powershell that fully exports and imports all Group Policy Objects (GPOs). This with 2 seperate scripts. These can be found and downloaded from my Github page:

Optimize Windows 11 for Azure Virtual Desktop (AVD)

Sun, 04 Aug 2024 00:00:00 +0000

Introduction to the Group Policy template

Assuming you run your Azure Virtual Desktop environment by using the good old Active Directory (AD DS), you can manage the hosts with Group Policy.

To help you optimizing the experience on Windows 11, I have a predefined group policy available with lots of settings to help optimizing your Windows 11 session hosts. This group policy follows the official Microsoft best practices, alongside with some of my own optimizations which has been proven good in production.

Create a Catch all mailbox in Exchange Online

Thu, 11 Jul 2024 00:00:00 +0000

I also created a full customizable PowerShell script for this task which you can find here:

Download script from GitHub

This way you can skip the guide for a faster solution. Otherwise, follow the steps below to do everything by hand and get a better understanding of the relevant steps needed.

Requirements

Around 20 minutes of your time
A Microsoft 365 environment
Basic knowledge of Exchange Online
Basic knowledge of PowerShell

How does this solution work?

The solution described in this guide works with 3 components:

Microsoft 365 create a shared mailbox with same alias

Thu, 06 Jun 2024 00:00:00 +0000

The problem of multiple shared mailboxes with same alias

Let’s say, we have a Microsoft 365 tenant with 3 domains;

domain1.com
domain2.com
domain3.com

When you already have a mailbox called “info@domain1.com” you are unable to create a “info@domain2.com” in the portal. The cause of this problem is that every mailbox has a underlying “alias” and that this alias is the same when created in the portal. I have tried this in the Microsoft 365 admin center, Exchange Online admin center and Powershell. I get the following error:

Migrate data to SharePoint/OneDrive with SPMT

Mon, 20 May 2024 00:00:00 +0000

At the moment, SharePoint is a better option to store your files because it has the following benefits over a traditional SMB share:

Single permissions system (No SMB/NTFS permissions)
High available by default
No server infrastructure needed
Users can work at the same file simultaneously
Integration with Microsoft Teams

The Microsoft SharePoint Migration Tool

Microsoft has a tool available which is free and which can migrate your local data to SharePoint. The targets you can specify are:

Using PowerShell remote sessions

Wed, 10 Apr 2024 00:00:00 +0000

Requirements

Management computer/Priveleged Access Workstation
15-20 minutes of your time
Management server and endpoints are Active Directory joined

Starting out

Before we can use Powershell to administer remote computers, we need to enable two things:

1. WinRM service (Endpoint): This is a service in Windows that enables remote management. Powershell Remote relies greatly on this service so we have to enable this on the endpoint. By default it is disabled due to its security reasons.
2. Trusted Hosts (Management server): This has to be configured on your management server. This is a whitelist to protect against security threats who can abuse this option. Here you configure to what machines (name/IP-address) you can connect to.

1. Configure Windows Remote Management (WinRM)

On the endpoint you have to enable WinRM. This can be done manually with one simple command, or at scale with Group Policy.

How to enable Remote Group Policy update

Wed, 10 Jan 2024 00:00:00 +0000

Group Policy update to multiple computers

Sometimes you want to force a group policy update on multiple computers. Often when i am configuring Azure Virtual Desktop Session Hosts i need this option instead of logging into all hosts and executing the command manually.

There is a option in Group Policy management to force a group policy update to all computers in a OU:

Actually, this only works after you configured this on the remote computers. The good part is, there is a way to do this with Group Policy!

Dynamic group for access to Windows 365

Fri, 01 Dec 2023 00:00:00 +0000

Requirements

Azure AD/Entra ID/Microsoft Graph Powershell module
- https://learn.microsoft.com/nl-nl/powershell/module/azuread/?view=azureadps-2.0
10 minutes of your time

What are Dynamic Groups?

The Dynamic Groups feature of Microsoft Entra is a great tool for auto-managing members of a group based on a single rule or collection of rules. Some examples of using dynamic groups:

Group for all users with the department “Office”
Group for all users with or without a specific attribute
Group for all users with a specific license assigned

Dynamic group don’t need any manual assignment or un-assignment. Instead of that, members will be automatically added based on the rules. Great feature for automation purposes!

Dynamic Distribution Groups in Microsoft 365

Sat, 21 Oct 2023 00:00:00 +0000

Sometimes you want to have a distribution group with all your known mailboxes in it. For example an employees@justinverstijnen.nl or all@justinverstijnen.nl address to send a mail company wide. A normal distribution group is possible, but requires a lot of manual maintenance, like adding and removing users.

To apply a little more automation you can use the Dynamic Distribution Group feature of Exchange Online. This is a feature like the Dynamic groups feature of Microsoft Entra which automatically adds new user mailboxes after they are created to make sure every new employee is added automatically.

Change Evaluation version to Standard/Datacenter version

Wed, 03 May 2023 00:00:00 +0000

When you install a fresh Windows Server installation from a .iso file, it will be installing the OS as a Evaluation version. When you want to activate the installation with a key you need to rebuild the OS and set the edition to Standard.

Microsoft considers Standard and Standard Evaluation as different editions of Windows, because of this we have to change the edition before you can activate the installation. When you want to use the edition Datacenter, you can change the command to Datacenter which also works.

Bulk create Active Directory users with Powershell

Mon, 20 Mar 2023 00:00:00 +0000

When it comes to creating users for Active Directory, especially in new implementations, you want to minimize the time needed to create the accounts. This is possible by creating the AD users with Powershell.

Requirements

Minimal knowledge of Powershell
An Active Directory environment

Full script for creating AD users

Here is the full script including CSV that creates the ad users:

Download script from GitHub