deploy: ajf8729/ajf8729.com-hugo@4cc4b92

posts/enabling-baselines-for-comanaged-devices/index.html

@@ -12,7 +12,10 @@
 </span></span></a><a class="px-1 hover:text-primary-700 dark:hover:text-primary-400" href=https://github.com/ajf8729 target=_blank aria-label=Github rel="me noopener noreferrer"><span class="inline-block align-text-bottom"><span class="relative block icon"><svg viewBox="0 0 496 512"><path fill="currentcolor" d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6.0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6.0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3.0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1.0-6.2-.3-40.4-.3-61.4.0.0-70 15-84.7-29.8.0.0-11.4-29.1-27.8-36.6.0.0-22.9-15.7 1.6-15.4.0.0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5.0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9.0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4.0 33.7-.3 75.4-.3 83.6.0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6.0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9.0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg>
 </span></span></a><a class="px-1 hover:text-primary-700 dark:hover:text-primary-400" href=https://www.linkedin.com/in/ajf8729/ target=_blank aria-label=Linkedin rel="me noopener noreferrer"><span class="inline-block align-text-bottom"><span class="relative block icon"><svg viewBox="0 0 448 512"><path fill="currentcolor" d="M416 32H31.9C14.3 32 0 46.5.0 64.3v383.4C0 465.5 14.3 480 31.9 480H416c17.6.0 32-14.5 32-32.3V64.3c0-17.8-14.4-32.3-32-32.3zM135.4 416H69V202.2h66.5V416zm-33.2-243c-21.3.0-38.5-17.3-38.5-38.5S80.9 96 102.2 96c21.2.0 38.5 17.3 38.5 38.5.0 21.3-17.2 38.5-38.5 38.5zm282.1 243h-66.4V312c0-24.8-.5-56.7-34.5-56.7-34.6.0-39.9 27-39.9 54.9V416h-66.4V202.2h63.7v29.2h.9c8.9-16.8 30.6-34.5 62.9-34.5 67.2.0 79.7 44.3 79.7 101.9V416z"/></svg>
 </span></span></a><a class="px-1 hover:text-primary-700 dark:hover:text-primary-400" href=https://infosec.exchange/@ajf8729 target=_blank aria-label=Mastodon rel="me noopener noreferrer"><span class="inline-block align-text-bottom"><span class="relative block icon"><svg viewBox="0 0 448 512"><path fill="currentcolor" d="M433 179.11c0-97.2-63.71-125.7-63.71-125.7-62.52-28.7-228.56-28.4-290.48.0.0.0-63.72 28.5-63.72 125.7.0 115.7-6.6 259.4 105.63 289.1 40.51 10.7 75.32 13 103.33 11.4 50.81-2.8 79.32-18.1 79.32-18.1l-1.7-36.9s-36.31 11.4-77.12 10.1c-40.41-1.4-83-4.4-89.63-54a102.54 102.54.0 01-.9-13.9c85.63 20.9 158.65 9.1 178.75 6.7 56.12-6.7 105-41.3 111.23-72.9 9.8-49.8 9-121.5 9-121.5zm-75.12 125.2h-46.63v-114.2c0-49.7-64-51.6-64 6.9v62.5h-46.33V197c0-58.5-64-56.6-64-6.9v114.2H90.19c0-122.1-5.2-147.9 18.41-175 25.9-28.9 79.82-30.8 103.83 6.1l11.6 19.5 11.6-19.5c24.11-37.1 78.12-34.8 103.83-6.1 23.71 27.3 18.4 53 18.4 175z"/></svg></span></span></a></div></div></div></div><div class=mb-5></div></header><section class="flex flex-col max-w-full mt-0 prose dark:prose-invert lg:flex-row"><div class="min-w-0 min-h-0 max-w-fit"><div class="article-content max-w-prose mb-20"><p>Problem: You&rsquo;ve shifted the &ldquo;Device Configuration&rdquo; workload in your ConfigMgr site to Intune, and your existing Configuration Baselines are no longer applying, and there&rsquo;s a lot of them.</p><p>Solution: <del>Spend the next two hours clicking away in the console</del> PowerShell of course!</p><div class=highlight><pre tabindex=0 class=chroma><code class=language-powershell data-lang=powershell><span class=line><span class=cl><span class=nb>Get-CMBaseline</span> <span class=n>-Fast</span> <span class=p>|</span> <span class=nb>Set-CMBaseline</span> <span class=n>-AllowComanagedClients</span> <span class=vm>$true</span>
-</span></span></code></pre></div><p>Running the above one-liner will enable all of your existing baselines to be run on co-managed clients even when the workload has been shifted to Intune. For reference, we are setting the following property on each baseline:</p><p><figure><img class="my-0 rounded-md" loading=lazy src=/img/enabling-baselines-for-comanaged-devices-01.png#center alt="Always apply this baseline even for co-managed clients"></figure></p></div></div><script>var oid="views_posts/enabling-baselines-for-comanaged-devices.md",oid_likes="likes_posts/enabling-baselines-for-comanaged-devices.md"</script><script type=text/javascript src=/js/page.min.0860cf4e04fa2d72cc33ddba263083464d48f67de06114529043cb4623319efed4f484fd7f1730df5abea0e2da6f3538855634081d02f2d6e920b956f063e823.js integrity="sha512-CGDPTgT6LXLMM926JjCDRk1I9n3gYRRSkEPLRiMxnv7U9IT9fxcw31q+oOLabzU4hVY0CB0C8tbpILlW8GPoIw=="></script></section><footer class="pt-8 max-w-prose print:hidden"><div class=pt-8><hr class="border-dotted border-neutral-300 dark:border-neutral-600"><div class="flex justify-between pt-3"><span><a class="flex group mr-3" href=/posts/gmsa-autospn/><span class="mr-3 text-neutral-700 group-hover:text-primary-600 ltr:inline rtl:hidden dark:text-neutral dark:group-hover:text-primary-400">&larr;</span>
+</span></span></code></pre></div><p>Running the above one-liner will enable all of your existing baselines to be run on co-managed clients even when the workload has been shifted to Intune. For reference, we are setting the following property on each baseline:</p><p><figure><img class="my-0 rounded-md" loading=lazy srcset="/img/enabling-baselines-for-comanaged-devices-01_hu_a5b854fcfe779400.png 330w,
+/img/enabling-baselines-for-comanaged-devices-01_hu_4341d9669689f75c.png 660w,
+/img/enabling-baselines-for-comanaged-devices-01_hu_dd38aba153448185.png 1024w,
+/img/enabling-baselines-for-comanaged-devices-01_hu_33bab6a6fa3dda50.png 2x" src=/img/enabling-baselines-for-comanaged-devices-01_hu_4341d9669689f75c.png alt="Always apply this baseline even for co-managed clients"></figure></p></div></div><script>var oid="views_posts/enabling-baselines-for-comanaged-devices.md",oid_likes="likes_posts/enabling-baselines-for-comanaged-devices.md"</script><script type=text/javascript src=/js/page.min.0860cf4e04fa2d72cc33ddba263083464d48f67de06114529043cb4623319efed4f484fd7f1730df5abea0e2da6f3538855634081d02f2d6e920b956f063e823.js integrity="sha512-CGDPTgT6LXLMM926JjCDRk1I9n3gYRRSkEPLRiMxnv7U9IT9fxcw31q+oOLabzU4hVY0CB0C8tbpILlW8GPoIw=="></script></section><footer class="pt-8 max-w-prose print:hidden"><div class=pt-8><hr class="border-dotted border-neutral-300 dark:border-neutral-600"><div class="flex justify-between pt-3"><span><a class="flex group mr-3" href=/posts/gmsa-autospn/><span class="mr-3 text-neutral-700 group-hover:text-primary-600 ltr:inline rtl:hidden dark:text-neutral dark:group-hover:text-primary-400">&larr;</span>
 <span class="ml-3 text-neutral-700 group-hover:text-primary-600 ltr:hidden rtl:inline dark:text-neutral dark:group-hover:text-primary-400">&rarr;</span>
 <span class="flex flex-col"><span class="mt-[0.1rem] leading-6 group-hover:underline group-hover:decoration-primary-500">gMSA AutoSPN</span>
 <span class="mt-[0.1rem] text-xs text-neutral-500 dark:text-neutral-400"><time datetime=2022-11-16T09:15:22-05:00>2022-11-16</time>

posts/gmsa-autospn/index.html

@@ -13,7 +13,22 @@
 </span></span></a><a class="px-1 hover:text-primary-700 dark:hover:text-primary-400" href=https://www.linkedin.com/in/ajf8729/ target=_blank aria-label=Linkedin rel="me noopener noreferrer"><span class="inline-block align-text-bottom"><span class="relative block icon"><svg viewBox="0 0 448 512"><path fill="currentcolor" d="M416 32H31.9C14.3 32 0 46.5.0 64.3v383.4C0 465.5 14.3 480 31.9 480H416c17.6.0 32-14.5 32-32.3V64.3c0-17.8-14.4-32.3-32-32.3zM135.4 416H69V202.2h66.5V416zm-33.2-243c-21.3.0-38.5-17.3-38.5-38.5S80.9 96 102.2 96c21.2.0 38.5 17.3 38.5 38.5.0 21.3-17.2 38.5-38.5 38.5zm282.1 243h-66.4V312c0-24.8-.5-56.7-34.5-56.7-34.6.0-39.9 27-39.9 54.9V416h-66.4V202.2h63.7v29.2h.9c8.9-16.8 30.6-34.5 62.9-34.5 67.2.0 79.7 44.3 79.7 101.9V416z"/></svg>
 </span></span></a><a class="px-1 hover:text-primary-700 dark:hover:text-primary-400" href=https://infosec.exchange/@ajf8729 target=_blank aria-label=Mastodon rel="me noopener noreferrer"><span class="inline-block align-text-bottom"><span class="relative block icon"><svg viewBox="0 0 448 512"><path fill="currentcolor" d="M433 179.11c0-97.2-63.71-125.7-63.71-125.7-62.52-28.7-228.56-28.4-290.48.0.0.0-63.72 28.5-63.72 125.7.0 115.7-6.6 259.4 105.63 289.1 40.51 10.7 75.32 13 103.33 11.4 50.81-2.8 79.32-18.1 79.32-18.1l-1.7-36.9s-36.31 11.4-77.12 10.1c-40.41-1.4-83-4.4-89.63-54a102.54 102.54.0 01-.9-13.9c85.63 20.9 158.65 9.1 178.75 6.7 56.12-6.7 105-41.3 111.23-72.9 9.8-49.8 9-121.5 9-121.5zm-75.12 125.2h-46.63v-114.2c0-49.7-64-51.6-64 6.9v62.5h-46.33V197c0-58.5-64-56.6-64-6.9v114.2H90.19c0-122.1-5.2-147.9 18.41-175 25.9-28.9 79.82-30.8 103.83 6.1l11.6 19.5 11.6-19.5c24.11-37.1 78.12-34.8 103.83-6.1 23.71 27.3 18.4 53 18.4 175z"/></svg></span></span></a></div></div></div></div><div class=mb-5></div></header><section class="flex flex-col max-w-full mt-0 prose dark:prose-invert lg:flex-row"><div class="min-w-0 min-h-0 max-w-fit"><div class="article-content max-w-prose mb-20"><p>If you choose to run services such as SQL Server under a service account (not a domain user called a &ldquo;service&rdquo; account, but a &ldquo;real&rdquo; managed/group managed service account), one thing you will need to do manually is register necessary service principal names (SPNs) under this account to allow for Kerberos authentication.</p><p>If the service were running as <code>NT AUTHORITY\SYSTEM</code>, this would occur automatically, as the computer account already has the necessary permissions.</p><hr><p>Here&rsquo;s how you can achieve the same behavior by granting <code>NT AUTHORITY\SELF</code> the same permission, which will allow a gMSA to write SPNs on itself:</p><div class=highlight><pre tabindex=0 class=chroma><code class=language-powershell data-lang=powershell><span class=line><span class=cl><span class=nv>$gMSA</span> <span class=p>=</span> <span class=nb>Get-ADServiceAccount</span> <span class=n>-Identity</span> <span class=s1>&#39;gMSA_Name$&#39;</span>
 </span></span><span class=line><span class=cl><span class=n>dsacls</span> <span class=nv>$gMSA</span><span class=p>.</span><span class=py>DistinguishedName</span> <span class=p>/</span><span class=n>G</span> <span class=s1>&#39;SELF:RPWP;servicePrincipalName&#39;</span>
-</span></span></code></pre></div><p>After setting the above permission, simply restarting the SQL Server service will cause the SPNs to be registered, which you can confirm by running <code>setspn -L gMSA_Name$</code>.</p><hr><p>To easily handle this for more than one gMSA, you can also delegate permissions to an OU that contains your gMSAs the same permission via the &ldquo;Delegate Control&rdquo; wizard:</p><hr><ul><li>Step 1: Select <code>NT AUTHORITY\SELF</code> as the identity to delegate permissions to.<figure><img class="my-0 rounded-md" loading=lazy src=/img/gmsa-autospn-01.png#center alt="Permissions Delegation Step 1"></figure></li></ul><p>Step 2: Select custom task to delegate.<figure><img class="my-0 rounded-md" loading=lazy src=/img/gmsa-autospn-02.png#center alt="Permissions Delegation Step 2"></figure></p><p>Step #3: Select only group managed service account objects to apply the delegated permissions to.<figure><img class="my-0 rounded-md" loading=lazy src=/img/gmsa-autospn-03.png#center alt="Permissions Delegation Step 3"></figure></p><p>Step #4: Select the &ldquo;Write servicePrincipalName&rdquo; property-specific permission to delegate.<figure><img class="my-0 rounded-md" loading=lazy src=/img/gmsa-autospn-04.png#center alt="Permissions Delegation Step 4"></figure></p><p>Step #5: Click Finish to complete the permissions delegation.<figure><img class="my-0 rounded-md" loading=lazy src=/img/gmsa-autospn-05.png#center alt="Permissions Delegation Step 5"></figure></p><hr><p>The full output text in the last window should look similar to the following:</p><pre tabindex=0><code>You chose to delegate control of objects
+</span></span></code></pre></div><p>After setting the above permission, simply restarting the SQL Server service will cause the SPNs to be registered, which you can confirm by running <code>setspn -L gMSA_Name$</code>.</p><hr><p>To easily handle this for more than one gMSA, you can also delegate permissions to an OU that contains your gMSAs the same permission via the &ldquo;Delegate Control&rdquo; wizard:</p><hr><ul><li>Step 1: Select <code>NT AUTHORITY\SELF</code> as the identity to delegate permissions to.<figure><img class="my-0 rounded-md" loading=lazy srcset="/img/gmsa-autospn-01_hu_5e228a6f63bf53a4.png 330w,
+/img/gmsa-autospn-01_hu_89b54957fe4b0825.png 660w,
+/img/gmsa-autospn-01_hu_e92048bdda9b188c.png 1024w,
+/img/gmsa-autospn-01_hu_6b15e39b4b5292fa.png 2x" src=/img/gmsa-autospn-01_hu_89b54957fe4b0825.png alt="Permissions Delegation Step 1"></figure></li></ul><p>Step 2: Select custom task to delegate.<figure><img class="my-0 rounded-md" loading=lazy srcset="/img/gmsa-autospn-02_hu_3e1e4c9a1542babe.png 330w,
+/img/gmsa-autospn-02_hu_1dbcff60cd87ad49.png 660w,
+/img/gmsa-autospn-02_hu_f9cf44f834baf194.png 1024w,
+/img/gmsa-autospn-02_hu_b97f05265d4c5299.png 2x" src=/img/gmsa-autospn-02_hu_1dbcff60cd87ad49.png alt="Permissions Delegation Step 2"></figure></p><p>Step #3: Select only group managed service account objects to apply the delegated permissions to.<figure><img class="my-0 rounded-md" loading=lazy srcset="/img/gmsa-autospn-03_hu_d89f21b04367c08d.png 330w,
+/img/gmsa-autospn-03_hu_c622a91727ef0e1.png 660w,
+/img/gmsa-autospn-03_hu_bd8769177790365f.png 1024w,
+/img/gmsa-autospn-03_hu_cd75bb32dba0804b.png 2x" src=/img/gmsa-autospn-03_hu_c622a91727ef0e1.png alt="Permissions Delegation Step 3"></figure></p><p>Step #4: Select the &ldquo;Write servicePrincipalName&rdquo; property-specific permission to delegate.<figure><img class="my-0 rounded-md" loading=lazy srcset="/img/gmsa-autospn-04_hu_f32606a474a1428a.png 330w,
+/img/gmsa-autospn-04_hu_cf54aa9ed5c0d074.png 660w,
+/img/gmsa-autospn-04_hu_19ce7a133d048551.png 1024w,
+/img/gmsa-autospn-04_hu_a25b3f935dcca407.png 2x" src=/img/gmsa-autospn-04_hu_cf54aa9ed5c0d074.png alt="Permissions Delegation Step 4"></figure></p><p>Step #5: Click Finish to complete the permissions delegation.<figure><img class="my-0 rounded-md" loading=lazy srcset="/img/gmsa-autospn-05_hu_5d434d9f52b7fdb8.png 330w,
+/img/gmsa-autospn-05_hu_dc6ff1a2949fed98.png 660w,
+/img/gmsa-autospn-05_hu_525749f9c5d950c7.png 1024w,
+/img/gmsa-autospn-05_hu_1d09132f24ae8fb5.png 2x" src=/img/gmsa-autospn-05_hu_dc6ff1a2949fed98.png alt="Permissions Delegation Step 5"></figure></p><hr><p>The full output text in the last window should look similar to the following:</p><pre tabindex=0><code>You chose to delegate control of objects
 in the following Active Directory folder:
 
     corp.ajf.one/TEST