Step by Step Guides on justinverstijnen.nl

Microsoft Secure Score - Devices

Thu, 09 Apr 2026 00:00:00 +0000

On this page, I will describe how I implemented my current Microsoft Secure Score on the Devices pillar. This means altering mostly the options of Microsoft Defender and Intune.

Before we begin

I collected all the options of the Microsoft Device Secure Score on this page, and we will address them all. I also added some industry-accepted options which are not in the secure score framework but are really helpful in avoiding or minimizing attacks in your environment.

Update your Kerberos configuration with Azure Virtual Desktop (RC4)

Thu, 09 Apr 2026 00:00:00 +0000

Microsoft released that the Kerberos protocol will be hardened by an update coming in April to June 2026 to increase security. This was released by Microsoft here:

https://techcommunity.microsoft.com/blog/fslogix-blog/action-required-windows-kerberos-hardening-rc4-may-affect-fslogix-profiles-on-sm/4506378

At first, they are not very specific about how to check what Kerberos encryption your environment uses and how to solve this before becoming a problem. I will do my best to explain this and show you how to solve it.

Microsoft already introduced Kerberos-related hardening changes in updates released since November 2022, which significantly reduced RC4 usage in many environments. However, administrators should still verify whether specific accounts, services or devices are explicitly or implicitly relying on RC4 before disabling it. In this guide, I will explain to you how to do this.

Getting started with Microsoft 365 Backup

Fri, 03 Apr 2026 00:00:00 +0000

Microsoft 365 Backup ensures that your data, accounts and email is safe and backed up into a separate storage space. A good and reliable back-up solution is crucial for any cloud service, even when having versioning and recycle bin options. Data in SharePoint or OneDrive stays data in one central place and any minor error is made within seconds.

In this guide, I will explain how Microsoft 365 Backup works and how you can start using it.

Microsoft Secure Score - Identity

Thu, 26 Mar 2026 00:00:00 +0000

On this page, I will describe how I implemented my current Microsoft Secure Score on the Identity pillar. This means altering mostly the options of Microsoft Entra ID.

Before we begin

I collected all the options of the Microsoft Entra ID Identity Secure Score on this page, and we will address them all. I also added some industry-accepted options which are not in the secure score framework but are really helpful in avoiding or minimizing attacks in your environment.

I tested Azure Virtual Desktop RemoteAppV2

Wed, 25 Mar 2026 00:00:00 +0000

Microsoft announced RemoteAppV2 under some pretty enhancements on top of the older RemoteApp engine. This newer version has some improvements like:

Better multi monitor support
Better resizing/window experience
Visuals like window shadows

I cannot really show this in pictures, but if you test V2 alongside V1, you definitely notice these small visual enhancements. However, a wanted feature called “drag-and-drop” is still not possible on V2.

Source: https://learn.microsoft.com/en-us/azure/virtual-desktop/remoteapp-enhancements

How to enable RemoteAppV2

To enable RemoteAppV2, you need to set a registry key as long as the preview is running. Make sure you are compliant with the requirements as described on this page (client + hosts):

Getting started with GitHub Pages

Thu, 19 Mar 2026 00:00:00 +0000

With GitHub Pages, we can host some free websites for personal use. This is really great as we mostly already use GitHub to store our code and assets for websites. In this guide, I will explain some of the advantages of GitHub Pages, and how to get started by using the service.

Let’s dive into it!

Requirements

A GitHub account (free)
A domain name for your website, or you can use the default domain name of GitHub
- youraccount.github.io
A template website to upload to your domain name
Some basic knowledge about websites and DNS

What is GitHub Pages?

GitHub Pages allows you to host a static website directly from a GitHub repository. This can be done without managing a server, infrastructure, or hosting provider. The only thing you do is create a repository, upload a website, and optionally connect it to a domain name of your choice. We can compare this to Azure Static Web Apps if you are familiar with that.

Azure Virtual Desktop V6/V7 VMs imaging

Thu, 12 Mar 2026 00:00:00 +0000

When I first chose to use V6 or V7 machines with Azure Virtual Desktop, I ran into some boot controller errors about the boot controller not supporting SCSI images.

The VM size ‘Standard_E4as_v7’ cannot boot with OS image or disk. Please check that disk controller types supported by the OS image or disk is one of the supported disk controller types for the VM size ‘Standard_E4as_v7’. Please query sku api at https://aka.ms/azure-compute-skus to determine supported disk controller types for the VM size. (Code: InvalidParameter)
This size is not available because it does not support the SCSI disk controller type.

Because I really wanted to use higher version VMs, I went to research on how to solve this problem. I will describe the process from creating the initial imaging VM, to capture and installing new AVD hosts with our new image.

Get notifications when Entra ID break glass admins are used

Sun, 08 Mar 2026 00:00:00 +0000

As we want to secure our Break Glass Accounts as good as possible, we cloud want to get alerts when break glass admins are used to login. Maybe they are used on a daily basis, or are being attacked. When we configure notifications, we instantly know when the accounts are being used and can check why a login has taken place.

In this guide we will configure this without Microsoft Sentinel. If you already have a Sentinel workspace, the recommended action is to configure it there and to configure a automation rule/playbook.

Create HTTPS 301 redirects with Azure Front Door

Thu, 19 Feb 2026 00:00:00 +0000

In this post, I will explain how I redirect my domains and subdomains to websites and parts of my website. If you ever visited my tools page at https://justinverstijnen.nl/tools, you will see I have shortcuts to my tools themselves, although they are not directly linked to the instances.

In this post I will explain how this is done, how to setup Azure Front Door to do this and how to create your own redirects from the Azure Portal.

Everything you need to know about Azure Bastion

Sun, 15 Feb 2026 00:00:00 +0000

Azure Bastion is a great tool in Azure to ensure your virtual machines are accessible in a fast, safe and easy way. This is cool if you want to embrace Zero Trust into your servers management layer and so a secure way to access your servers in Azure.

In this guide I will explain more about Azure Bastion and I hope I can give you a good overview of the service, its features, pricing and some practice information.

Upload multiple Github repositories into a single Azure Static Web App

Thu, 15 Jan 2026 00:00:00 +0000

In the past few weeks, I have been busy on scaling up my tools and the backend hosting of the tools. For the last year, I used multiple Static Web Apps on Azure for this, but this took a lot of time administering and creating them. I thought about a better and more scalable manner of hosting tools, minimizing the amount of hosts needed, uniforming URLs and shortcodes with Azure Front Door (guide coming up) andlinking multiple GitHub repositories into one for central management.

What is MTA-STS and how to use it to protect your email flow

Thu, 08 Jan 2026 00:00:00 +0000

MTA-STS is a standard for ensuring TLS is always used for email transmission. This increases security and data protection because emails cannot be read by a Man in the Middle. It works like this for inbound and outbound email to ensure security is applied to all of the messages processed by your emailing solution and domains.

In this guide I will explain how it works. Because it is a domain specific configuration, it can work with any service and is not bound to for example Exchange Online. In this guide we use Azure to host our MTA-STS policy. I present you 2 different options for you to choose, and of course only one is needed. You can also choose to use another solution, its it supports HTTPS and hosting a single TXT file, it should work.

Remove Microsoft Print to PDF and OneNote printers script

Mon, 29 Dec 2025 00:00:00 +0000

In this guide, I will show you how to delete the printers using a PowerShell script. This is compatible with Microsoft Intune and Group Policy and can be used on physical devices, Azure Virtual Desktop and Windows 365.

By default in Windows 11 with Microsoft 365 apps installed, we have two software printers installed. These are:

OneNote (Desktop)
Microsoft Print to PDF

However, some users don’t use them and they will annoyingly be as default printer sometimes, which we want to avoid. Most software have built-in options to save to PDF, so this is a bit redundant. Our real printers will be further down which causes their own problems for end users.

Automatically start Windows App at startup

Thu, 25 Dec 2025 00:00:00 +0000

In some cases we want to automatically start the Windows App for connections to AVD and Windows 365 at startup. We can achieve this through different ways which I will describe in this post.

Creating the Intune script

We can achieve this with Intune using a PowerShell script. As Intune doesn’t support login/startup scripts, we have to create a Platform script that creates a Scheduled Task in Windows for us. This is a great way, as this is visible at the client side and can be disabled pretty easily.

Azure Virtual Desktop FSLogix and Native Kerberos authentication

Tue, 16 Dec 2025 00:00:00 +0000

On this page I will describe how I built an environment with a pooled Azure Virtual Desktop hostpool with FSLogix and using the Entra Kerberos option for authentication. This new authentication option eliminates the unsafe need of storing the storage key in hosts’ registry like we did in my earlier AVD full Entra blog.

In this guide I will dive into how I configured an simple environment where I placed every configuration action in separate steps to keep it simple and clear to follow and also will give some describing information about some concepts and settings.

FSLogix and maximum Azure Files security

Sun, 14 Dec 2025 00:00:00 +0000

When using Azure Files and Windows 11 as operating system for Azure Virtual Desktop, we can leverage the highest SMB encryption/security available at the moment, which is AES-256. While we can change this pretty easily, the connection to the storage account will not work anymore by default.

In this guide I will show how I got this to work in combination with the newest Kerberos Authentication.

The Maximum Security preset in the Azure Portal

We can also run the SMB security on the Maximum security preset in the Azure Portal and still run FSLogix without problems. In the Azure Portal, go to the storage account and set the security of the File share to “Maximum security”:

Deploy Google Chrome Single Sign On with Intune

Thu, 11 Dec 2025 00:00:00 +0000

When deploying Google Chrome with Microsoft Intune, users still have to manually login with their credentials into Microsoft Online websites. Microsoft Edge has built-in Single Sign On (SSO) for users who already logged in with their Microsoft account to their computer.

However, there is a Chrome extension published by Microsoft themselves which allows users to also have this Single Sign On experience into Google Chrome.

On this page I will show how this extension works, what the advantages are and how we can deploy this with Microsoft Intune. I will share both a Configuration Policy and a PowerShell script option where you may choose which one to use.

Disable users' self service license trials

Thu, 04 Dec 2025 00:00:00 +0000

One day I came across an option in Microsoft 365 to disable the users’ self service trials. You must have seen it happening in your tenants, users with free licenses for Power Automate, Teams or Power BI. I will show you how to disable those and only let administrators buy and assign new licenses.

Why should you disable trial licenses?

You can disable self service trial licenses if you want to avoid users to use un-accepted apps. This could result in shadow-it happening in your environment.

ARM templates and Azure VM + Script deployment

Thu, 20 Nov 2025 00:00:00 +0000

In Azure we can deploy ARM templates (+ script afterwards) to deploy resources on a big scale. This is like an easier version Terraform and Bicep, but without the great need to test every change and to learn a whole new language and convention. Also with less features indeed.

In this post I will show some examples of deploying with ARM templates and also will show you how to deploy a PowerShell script to run directly after the deployment of an virtual machine. This further helps automating your tasks.

Disable Windows Taskbar Widgets through Intune

Thu, 06 Nov 2025 00:00:00 +0000

Today a short guide on how to disable Windows Taskbar widgets through Intune. I mean this part of the Windows 11 taskbar:

Method 1: Settings Catalog

The easiest way to disable these widgets is through a Settings Catalog policy. Open up Microsoft Intune admin center and create a new policy through the Settings Catalog.

Search for “widget” and these options are available:

News and Interests: Disable Widgets on Lockscreen
News and Interests: Disable Widgets Board
Widgets: Allow Widgets

Using and configuring Windows Backup for Organizations in Intune

Sat, 01 Nov 2025 00:00:00 +0000

Microsoft just released a new feature, Windows Backup for Organizations, which is a revolution on top of the older Enterprise State Roaming.

Windows Backup for Organizations will help you and your users by saving different components of your Windows installation to make a the proces of a new installation or computer much easier. Especially when used with Windows Autopilot, this is a great addition to the whole Windows/Intune ecosystem.

In this guide I will dive into how it works, what is backed up and excluded and how to configure and use it.

Remove Pre-installed Windows Store Apps with Intune

Tue, 21 Oct 2025 00:00:00 +0000

Since the latest Windows 25H2 update, we have a great new feature. We can now remove pre-installed Windows Store Applications which we don’t want to ship with our devices. This helps us alot with both Windows 365 and Azure Virtual Desktop Personal deployments as with normal Intune-joined devices. The only downside is that Pooled Azure Virtual Desktop Deployments are not supported.

In this guide I will dive into this new setting and explain how to configure this and why this is a great update. The step-by-step guide shows how I have configured a policy that removes most of the non-productive apps from my PC.

Solved - ADSync service stopped (Entra Connect Sync)

Mon, 06 Oct 2025 00:00:00 +0000

Sometimes, the ADSync service stops without further notice. You will see that the service has been stopped in the Services panel:

In this guide I will explain how I solved this problem using a simple PowerShell script.

The Check ADSync script

The PowerShell script that fixes this problem is on my GitHub page:

Download PowerShell script

The script simply checks if the service is running, if this is the case the script will be terminated. If the service is not running, the service will be started.

Customize Office apps installation for Azure Virtual Desktop

Tue, 30 Sep 2025 00:00:00 +0000

When deploying Microsoft Office apps to (pooled) Virtual Desktops, we mostly need to do some optimizations to the installation. We want to optimize performance on pooled and virtual machines, or maybe we want to enable shared computer activation because multiple users need the apps.

In this guide I will show you how to customize the installation of Office apps, primarily for Virtual Desktops, but can be used on any Windows machine.

Automatic Azure Boot diagnostics monitoring with Azure Policy

Thu, 11 Sep 2025 00:00:00 +0000

In Azure, we can configure Boot diagnostics to view the status of a virtual machine and connect to its serial console. However, this must be configured manually. The good part is that we can automate this process with Azure Policy. In this post I will explain step-by-step how to configure this and how to start using this in your own environment.

In short, Azure Policy is a compliance/governance tool in Azure with capabilities for automatically pushing your resources to be compliant with your stated policy. This means if we configure Azure Policy to automatically configure boot diagnostics and save the information to a storage account, this will be automatically done for all existing and new virtual machines.

How to completely hide language bar/selector Windows 11

Tue, 09 Sep 2025 00:00:00 +0000

One of the small things I experienced in one of the updates for Windows 11 (24H2) is that the language bar/selector get’s automatically visible on the Windows taskbar. In previous versions of Windows, this was only available when using multiple keyboard languages.

Because this can get very annoying, I researched on how to disable this button to clean up our taskbar and only use it for the applications and space we need.

Wordpress on Azure

Thu, 04 Sep 2025 00:00:00 +0000

Wordpress. Its maybe the best and easiest way to maintain a website. This can be run on any server. In Azure, we also have great and serverless possibilities to run Wordpress. In this guide I will show you how to do this, how to enhance the experience and what steps are needed to build the solution. I will also tell more about the theoretical stuff to get a better understanding of what we are doing.

In-Place upgrade to Windows Server 2025 on Azure

Thu, 28 Aug 2025 00:00:00 +0000

Once every 3 to 4 years you want to be on the last version of Windows Server because of new features and of course to have the latest security updates. These security updates are the most important these days.

When having your server hosted on Microsoft Azure, this proces can look a bit complicated but it is relatively easy to upgrade your Windows Server to the last version, and I will explain how to on this page.

Starting out with Universal Print

Tue, 19 Aug 2025 00:00:00 +0000

Universal Print is a Microsoft cloud solution which can replace your Windows based printservices. It can be used to deploy printers to endpoints, even to non-Windows devices in a cloud-only way.

Requirements

Around 30 minutes of your time
A license which includes Universal Printing
Basic knowledge of Intune and Windows

What is Universal Printing?

Universal Printing is a cloud based service of Microsoft for installing, managing and deploying printers to end users in a modern way. This service eliminates the need for having to manage your own print servers and enables us to deploy printers in a nice and easy way. This is mostly HTTPS-based.

Match AD users using Entra Connect Sync and MSGraph

Mon, 18 Aug 2025 00:00:00 +0000

Sometimes, it is necessary to match an existing local Active Directory (AD) user through Entra Connect with an existing Entra ID user (formerly known as Azure AD). This process ensures that the account in both environments is aligned and maintains the same underlying configurations and settings across systems.

What is soft-matching?

Most of the time the system itself will match the users automatically using soft-matching. Here the service will be matching users in both Entra ID and Active Directory by using known attributes like UserPrincipalName and ProxyAddresses.

Joining storage account to Active Directory (AD DS)

Thu, 14 Aug 2025 00:00:00 +0000

Joining a storage account to Active Directory can be a hard part of configuring Azure Virtual Desktop or other components to work. We must join the storage account so we can do our Kerberos authentication against the storage account.

In this guide I will write down the most easiest way with the least effort of performing this action.

Requirements

Around 30 minutes of your time
An Azure subscription with the storage account
An Active Directory (AD DS) to join the storage account with (on-premises/Azure)
Basic knowledge of Active Directory and PowerShell

Step 1: Prepare the Active Directory server

We must first prepare our server. This must be a domain-joined server, but preferably not a domain controller. Use a management server instead when possible. We must execute

Clean up old FSLogix profiles with Logic Apps

Thu, 07 Aug 2025 00:00:00 +0000

Today I have a Logic App for you to clean up orphaned FSLogix profiles with Logic Apps. As you know, storage in Azure costs money and we want to store as minimum as possible. But in most companies, old and orphaned FSLogix profiles will be forgotten to clean up so we have automate this.

In this guide I will show you how you can clean up FSLogix profiles from Azure Files by looking up the last modified date, and deleting the files after they exceeded the number of days.

Using FSLogix App Masking to hide applications on Virtual Desktops

Thu, 31 Jul 2025 00:00:00 +0000

In this blog post I will explain and demonstrate the pro’s and features of using FSLogix App Masking for Azure Virtual Desktop. This is a feature of FSLogix where we can hide certain applications and other components from our users while still having to maintain a single golden image.

In this guide I will give some extra explaination about this feature, how it works, how to implement it in a production environment and how to create those rules based on the logged on user. I hope to give a “one-post-fits-all” experience.

Use Ephemeral OS Disks in Azure

Thu, 24 Jul 2025 00:00:00 +0000

In Azure, you have the option to create Ephemeral OS disks for your machine. This sounds really cool but what is it actually, what pro’s and cons are coming with them, what is the pricing and how do we use them? I will do my best to explain everything in this guide.

Requirements

Around 25 minutes of your time
An Azure subscription (if wanting to deploy)
Basic knowledge of Azure
Basic knowledge of servers and infrastructure

What are Ephemeral OS Disks?

Ephemeral OS Disks are disks in Azure where the data is stored directly on the hypervisor itself, rather than having a managed disk which could be resided at the very other end of a datacenter. Every cable and step between the disk and the virtual machine creates latency which will result in your machine being slower.

RDP Multipath - What is it and how to configure?

Wed, 16 Jul 2025 00:00:00 +0000

RDP Multipath is a new protocol for Azure Virtual Desktop and ensures the user always has a good and stable connection. It improves the connection by connecting via the best path and reduces random disconnections between session hosts and users.

Let’s take a look what RDP Multipath adds to your connections:

Green: The normal paths of connecting with RDP/Shortpath Purple: The paths added by RDP Multipath

This adds extra ways of connecting session hosts to the end device, selects the most reliable one and therefore adds stability and decreases latency.

Implement Certificate-based authentication for Entra ID scripts

Sun, 13 Jul 2025 00:00:00 +0000

When using Entra ID, we can automate a lot of different tasks. We can use a script processing server for this task but doing that normally means we have to save credentials or secrets in our scripts. Something we don’t want.

Today I will show how to implement certificate-based authentication for App Registrations instead of using a client secret (which still feels like a password).

Requirements

Around 20 minutes of your time
An Entra ID environment if you want to test this
A prepared Entra ID app registration
A server or workstation running Windows to do the connection to Entra ID
Some basic knowledge about Entra ID and certificates

How does these certificates work?

Certificate based authentication means that we can authenticate ourselves to Entra ID using a certificate instead of user credentials or a password in plain text. When using some automated scripts it needs permissions to perform its actions but this means storing some sort of authentication. We don’t want to store our credentials on the server as this decreases our security and a potential risk of compromise.

Use Azure Logic Apps to automatically start and stop VMs

Sun, 13 Jul 2025 00:00:00 +0000

With Azure Logic apps we can save some money on compute costs. Azure Logic apps are flow based tasks that can be run on schedule, or on a specific trigger like receiving a email message or Teams message. After the trigger has been started, we can choose what action to do. If you are familiar with Microsoft’s Power Automate, Logic Apps is almost exactly the same but then hosted in Azure.

How to implement Azure Firewall to secure your Azure environment

Thu, 10 Jul 2025 00:00:00 +0000

In this article, we are going to implement Azure Firewall in Azure. We are going to do this by building and architecting a new network and creating the basic rules to make everything work.

Requirements

Around 60 minutes of your time
An Azure subscription
Basic knowledge of Azure
Basic knowledge of Networking
Basic knowledge of Azure Firewall

Overview

Before creating all resources, it is great to plan before we build. I mean planning your network before building and having different overlaps or too much/less addresses available. In most cases, Azure recommends building a Hub-and-Spoke network, where we connect all spoke networks to a big hub.

Enhance email security with SPF/DKIM/DMARC

Mon, 16 Jun 2025 00:00:00 +0000

When it comes to basic email security, we have 3 techniques that can enhance our email security and delivery by some basic initial configuration. Those are called SPF, DKIM and DMARC. This means, configure and mostly never touch again.

Microsoft announced that starting from May 5, 2025: SPF, DKIM and DMARC will become mandatory for inbound email delivery. Not configuring all three can result in your emails not being delivered correctly.

Pooled Azure Virtual Desktop with Azure AD cloud users only

Thu, 12 Jun 2025 00:00:00 +0000

This deployment option is superseded by the more easy and secure Entra Kerberos option, check out the updated deployment guide here: https://justinverstijnen.nl/azure-virtual-desktop-fslogix-and-native-kerberos-authentication/

Since the beginning of Azure Virtual Desktop, it is mandatory to run it with an Active Directory. This because when using pooled session hosts, there has to be some sort of NTFS permission for FSLogix to reach the users’ profile disks. This permission is done using NTFS with Kerberos authentication. Something Azure AD doesn’t support.

Creating Static Web Apps on Azure the easy way

Thu, 29 May 2025 00:00:00 +0000

Microsoft Azure has a service called the ‘Static Web Apps" (SWA) which are simple but yet effective webpages. They can host HTML pages with included CSS and can link with Azure Functions for doing more advanced tasks for you. In this guide we will explore the possibilities of Static Web Apps in Azure.

Requirements

Around 45 minutes of your time
An account for Github (recommended)
An Azure subscription to host your Static Web App
Some basic knowledge of Azure
A custom domain to link the web app to your domain

Introduction to Static Web Apps and Github

Before we dive into Static Web Apps and Github, I want to give a clear explaination of both the components that will help us achieving our goal, hosting a simple web app on Azure.

Create custom Azure Workbooks for detailed monitoring

Thu, 08 May 2025 00:00:00 +0000

Azure Workbooks are an excellent way to monitor your application and dependencies in a nice and customizable dashboard. Workbooks can contain technical information from multiple sources, like:

Metrics
Log Analytics Workspaces
Visualisations

They’re highly flexible and can be used for anything from a simple performance report to a full-on investigative analysis tool. A workbook can look like this:

Using the default Azure Workbooks

In Azure we can use the default workbooks in multiple resources that contain basic information about a resource and it’s performance. You can find those under the resource itself.

Setup a Minecraft server on Azure

Thu, 01 May 2025 00:00:00 +0000

Sometimes, we also want a step down from our work and want to fully enjoy a videogame. Especially when you really like games with open worlds, Minecraft is a great game. And what if I tell you we can setup a server for Minecraft on Azure so you can play it with your friends and have a 24/7 uptime this way.

Requirements

An Azure environment
Basic knowledge of Azure
Basic knowledge of Linux and SSH
Basic knowledge of networking and TCP/UDP
Experience with Minecraft to test the server
Around 45 minutes of your time

System requirements of a Minecraft server

For a typical Minecraft server, without Mods, the guidelines and system requirements are as stated below:

Monitor Azure Virtual Deskop logon speed

Thu, 24 Apr 2025 00:00:00 +0000

Sometimes we want to know why a Azure Virtual Desktop logon took longer than expected. Several actions happen at Windows logon, like FSLogix profile mounting, Group Policy processing and preparing the desktop. I found a script online that helps us monitor the sign-ins and logons and basically tells us why it took 2 minutes and what parts took a specific amount of seconds.

The script is not made by myself, the source of the script is: https://www.controlup.com/script-library-posts/analyze-logon-duration/

Deploy Resource Group locks automatically with Azure Policy

Thu, 17 Apr 2025 00:00:00 +0000

Locks in Azure are a great way to prevent accidental deletion or modify resources or resource groups. This helps further securing your environment and make it somewhat more “fool proof”.

Now with Azure Policy we can automatically deploy Locks to Resource Groups to secure them from deleting or read-only resources. In this guide I will explain how this can be done and how it works.

Note: Locks on Resource Groups can stop some automations. If you use read-only locks on a Azure Virtual Desktop resource group for example.

Migrate servers with Azure Migrate in 7 steps

Thu, 03 Apr 2025 00:00:00 +0000

This page is about Azure Migrate and how you can migrate an on-premises server or multiple servers to Microsoft Azure. This process is not very easy, but it’s also not extremely difficult. Microsoft hasn’t made it as simple as just installing an agent on a VM, logging in, and clicking the migrate button. Instead, it is built in a more scalable way.

Requirements

A server to migrate to Microsoft Azure
Ability to install 1 or 2 additional servers
- Must be in the same network
Around 60 minutes of your time
Administrator access to all source servers
RDP access to all source servers is useful
Secure Boot must be disabled on the source servers
A target Azure Subscription with Owner access
1 server dedicated to Migration based on Windows Server 2016*
2 servers for Discovery and Migration based on Windows Server 2016*

*Windows Server 2016 is the only supported OS, please do not install other versions as this will not work.

AMC - Module 11: Infrastructure as Code (IaC) and DevOps

Thu, 27 Mar 2025 00:00:00 +0000

In this module, we cover Azure: Infrastructure as Code (IaC) and DevOps. This module focuses more on development on Azure, with less emphasis on automation and IT management. While IaC and DevOps might seem less exciting at first, they are essential for modern cloud-based application development and operations, helping streamline deployments, ensure consistency, and integrate continuous delivery pipelines.

Azure Portal, Azure Powershell and Azure CLI

There are multiple environments to manage Azure and its resources:

Solved - FSLogix release 25.02 breaks Recycle Bin - Azure Virtual Desktop

Mon, 03 Mar 2025 00:00:00 +0000

This issue has been solved in the newest release of FSLogix 25.04: https://learn.microsoft.com/en-us/fslogix/overview-release-notes

Please use this newer version instead of version 25.02. This fixes the bug in this article without any change in policies and settings.

The problem/bug described

When testing the new FSLogix 25.02 version, I came across a very annoying problem/bug in this new version.

“The Recycle Bin on C:\ is corrupted. Do you want to empty the Recycle Bin for this drive?”

Save Azure costs on Virtual Machines with Start/Stop

Sun, 02 Mar 2025 00:00:00 +0000

With the Azure Start/Stop solution we can save costs in Microsoft Azure and save some environmental impact. In this guide I will explain how the solution works, how it can help your Azure solutions and how it must be deployed and configured.

Requirements

Around 45 minutes of your time
An Azure subscription
One or more Azure VMs to automatically start and stop
Basic knowledge of Azure
No fear of JSON configurations
Some drink of your choice

Introduction to the Start/Stop solution

The Start/Stop solution is a complete solution and collection of predefined resources built by Microsoft itself. It is purely focussed on starting VMs and stopping VMs based on some rules you can configure. The solution consists of some different resources and dependencies:

Penetration testing Defender for Identity and Active Directory

Fri, 21 Feb 2025 00:00:00 +0000

In this guide, i will show how to do some popular Active Directory attacking tests and show how Defender for Identity (MDI) will alert you about the attacks.

Not everyting detected by Defender for Identity will be directly classified as potential attack. When implementing the solution, it will learn during the first 30 days what normal behaviour in the network is.

Requirements

At least one Microsoft Defender for Identity running
- For a step by step guide of this, refer this guide!
A domain controller (vm-jv-mdi)
A workstation (ws-jv-mdi)
Around 30 minutes of your time

Starting out

So i want to mention, that most of the attacks to Active Directory can be easily prevented if everybody locks their computer everytime they walk away from it and also use good enough authentication methods. Some other attacks cannot always be prevented but we can do the most of it detecting them and acting in a greatly manner.

Deep dive into IPv6 with Microsoft Azure

Mon, 17 Feb 2025 00:00:00 +0000

In Microsoft Azure, we can build servers and networks that use IPv6 for their connectivity. This is especially great for your webservers, where you want the highest level of availability for your users. This is achieved the best using both IPv4 and IPv6 protocols.

In this guide we do a deep dive into IPv6 in Microsoft Azure and i will show some practical examples of use of IPv6 in Azure.

How to monitor your Active Directory with Defender for Identity

Sat, 15 Feb 2025 00:00:00 +0000

When it comes to security, it is great to secure every perimeter. In the Zero Trust model, it has been stated that we have to verify everything, everytime, everywhere. So why consider not monitoring and defending your traditional Active Directory that is still in use because of some legacy applications?

Requirements

An Microsoft 365 tenant
A traditional Active Directory (AD DS) environment which meets the system requirements and is Server 2016+
A license that has Defender for Identity included, like;
- Enterprise Mobility & Security E5
- E5 or E5 security add-on
- Standalone Defender for Identity license
- F5 Security add-on with F1 or F3 license already in place
- Source: https://learn.microsoft.com/en-us/defender-for-identity/deploy/prerequisites#licensing-requirements
Around 60 minutes of your time
A drink of your choice

What is Microsoft Defender for Identity (MDI)?

Microsoft Defender for Identity (MDI for short) is a comprehensive security and monitoring tool which is part of the Microsoft XDR suite that defends your Windows Server-based Active Directory (AD DS). This does it by installing agents on every domain controller and so monitoring every authentication request.

Using Azure Update Manager to manage updates at scale

Sat, 08 Feb 2025 00:00:00 +0000

Azure Update Manager is a tool from Microsoft and is developed to automate, installing and documenting Windows updates or updates to Linux server on Azure. This all in a single pane of glass and without installing any additional software.

Requirements

Around 15 minutes of your time
An Azure subsciption
An Azure server or Azure Arc server

Supported systems

Azure Update Manager supports the following systems for assessments and installing updates, therefore managing them:

Active Directory FSMO roles

Tue, 04 Feb 2025 00:00:00 +0000

Active Directory Domain Controllers are assigned 5 different FSMO roles, which all have their own function. We can separate them over multiple servers to create more redundancy, but make sure to handle those all as servers. All roles neeed a 24/7 uptime for your environment to work properly.

In this guide, I will give a brief explaination of the roles, what their function is and how to move them to different servers to enhance availability and redundancy.

Stop OneNote printer from being default printer in AVD

Fri, 10 Jan 2025 00:00:00 +0000

If you have the Office Apps installed with OneNote included, sometimes the OneNote printer will be installed as default:

This can be very annoying for our end users and ourselves as we want real printers to be the default printer. Today I will show you how to delete this printer for current and new session hosts permanently.

The issue itself

The issue is that OneNote automatically creates a printer queue in Windows at installation for users to send information to OneNote. This will be something they use sometimes, but a physical printer will be used much more often. The most annoying part is that the software printer for OneNote will be marked as default printer every day which is annoying for the end users.

How to upload PowerShell script to Gallery with Github Actions

Thu, 02 Jan 2025 00:00:00 +0000

When using the PowerShell Gallery to upload and publish your scripts and PowerShell modules to the world it’s recommended to use Github Actions for CI/CD to automatically update your live packages on the PowerShell Gallery. At first, this looked somewhat complex to me but it’s relatively easy.

On this page I will show how I’ve uploaded scripts from Github to the PowerShell Gallery with using a Github Action.

Requirements

Around 30 minutes of your time
Github account
Powershell Gallery account
A PowerShell script for testing to actually upload to the PowerShell Gallery

Introduction to PowerShell Gallery

In short, the PowerShell Gallery is a public repository which contains PowerShell scripts and modules which all PowerShell users can download and install. All of this using some simple commands:

Azure VPN Gateway Maintenance - How to configure

Wed, 01 Jan 2025 00:00:00 +0000

Most companies who use Microsoft Azure in a hybrid setup have a Site-to-Site VPN gateway between the network in Azure and on-premises. This connection becomes mission critical for this company as a disruption mostly means a disruption in work or processes.

But sometimes, Microsoft has to perform updates to these gateways to keep them up-to-date and secure. We can now define when this will be exactly, so we can configure the gateways to update only outside of business hours. In this guide I will explain how to configure this.

Set a domain alias for every user in Microsoft 365

Fri, 13 Dec 2024 00:00:00 +0000

Sometimes, we add a new domain to Microsoft 365 and we want to have a domain alias for multiple or every user.

Logging in Exchange Online Powershell

To configure a alias for every user, we need to login into Exchange Online Powershell:

POWERSHELL

Connect-ExchangeOnline

If you don’t have the module already installed on your computer, run the following command on an elevated window:

Configure DNSSEC and SMTP DANE Microsoft 365

Thu, 31 Oct 2024 00:00:00 +0000

Recently, Microsoft announced the general availability of 2 new security protocol when using Microsoft 365 and the service Exchange Online in particular. SMTP DANE and DNSSEC. What are these protocols, what is the added value and how can they help you secure your organization? Lets find out.

Domain Name System Security Extensions (DNSSEC)

DNSSEC is a feature where a client can validate the DNS records received by a DNS server to ensure a record is originated from the DNS server and not manipulated by a Man in the Middle attack.

Automatic AVD/W365 Feed discovery for mobile apps

Wed, 09 Oct 2024 00:00:00 +0000

When using Azure Virtual Desktop (AVD) or Windows (W365), we sometimes use the mobile apps for Android, MacOS or iOS. But those apps rely on filling in a Feed Discovery URL instead of simply a Email address and a password.

Did you know we can automate this process? I will explain how to do this!

Fast path for URL: https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery

The problem explained

When downloading the apps for your mobile devices, we get this window after installing:

Azure Stack HCI - Host your Virtual Desktops locally

Thu, 03 Oct 2024 00:00:00 +0000

Introduction to Azure Stack HCI

Azure Stack HCI is a solution for Microsoft Azure to host Azure resources on your own hardware and location. This sounds traditional but can help to boost your Azure resources for your customer and/or use case.

For example, with Azure Stack HCI it is possible to host some Azure Virtual Desktop hosts in your own network to boost performance by decreasing latency. Also it is possible to use GPU enabled software on this.

How to solve DeletingCloudOnlyObjectNotAllowed error Entra Connect Sync

Mon, 30 Sep 2024 00:00:00 +0000

Now and then we come across a problem with Entra Connect Sync which states “DeletingCloudOnlyObjectNotAllowed”. This error looks like this:

This error will be shown if opening the Syncronization Service and email messages of this error will aso be sent to your tenant’s technical contact.

In this guide, I will explain the cause of this problem and the options to solve the issue.

Cause of this problem

The cause of this problem is mostly an object that is first created cloud-only and then created in Active Directory, or a user that was synced previously but is deselected or deleted. Entra Connect Sync will not match the users correctly, and a the ImmutableId of the user in Entra still exists. In short; it still wants to sync a user that not exists.

Solved - Microsoft 365 tenant dehydrated

Fri, 20 Sep 2024 00:00:00 +0000

Microsoft will sometimes “pause” tenants to reduce infrastructure costs. You will then get an error which contains “tenant dehydrated”. What this means and how to solve it, I will explain in this post.

What is “Tenant dehydrated”?

Microsoft sometimes will dehydrate Microsoft 365 tenants where things will not often change to the tenant. This closes some parts of the tenant for changing, even if you have Global Administrator permissions.

Solved: August 2024 updates breaks GPO Item level targeting - user in group

Mon, 09 Sep 2024 00:00:00 +0000

If you are managing Windows Servers, Group Policies are a great way to distribute settings to your endpoints. However, a recent update of August 2024 in Windows Server 2022 and 2019 breaks user filtering in Group Policy (GPO) Item Level Targeting

The problem itself

When applying printers, registery settings or drive maps to users, we use Group Policy Item level targeting to filter users so only users with a group membership gets the policy applied.

Solved - Windows Store applications on FSLogix/Azure Virtual Desktop

Thu, 15 Aug 2024 00:00:00 +0000

By default, Microsoft Store applications are not supported when using FSLogix. The root cause is that Windows stores some metadata that is not roamed in the profile folder and cleared at every new logon. You will encounter this behaviour in every environment where you use FSLogix.

Now a long time I told our end users that there unfortunately is no solution possible to download apps and make them persistent across Azure Virtual Desktop sessions but someday I found a workaround to this problem. I will explain this at this page.

Migrate Group Policies to a new server or domain like a pro

Wed, 07 Aug 2024 00:00:00 +0000

Once in a while, we as IT administrators need to export and import our Group Policies of Windows Server to another server. Sometimes to copy a great policy you’ve built, or to migrate a customer to a new server.

By default, the only option Microsoft has built in into Group Policy Management (gpmc.msc) is the backup option. This creates some administrative tasks.

The Export and Import scripts

I have created two scripts with Powershell that fully exports and imports all Group Policy Objects (GPOs). This with 2 seperate scripts. These can be found and downloaded from my Github page:

Optimize Windows 11 for Azure Virtual Desktop (AVD)

Sun, 04 Aug 2024 00:00:00 +0000

When using Windows 11 on Azure Virtual Desktop (AVD) - without the right optimization - the experience can be a little laggy, stuttery and slow. Especially when you came from Windows 10 with the same settings. You definitely want to optimize some settings.

After that we will look into the official Virtual Desktop Optimization Toolkit (VDOT).

Introduction to the Group Policy template

Assuming you run your Azure Virtual Desktop environment by using the good old Active Directory (AD DS), you can manage the hosts with Group Policy.

Create a Catch all mailbox in Exchange Online

Thu, 11 Jul 2024 00:00:00 +0000

Sometimes a company wants to receive all email, even when addresses don’t really exist in Exchange. Now we call this a Catch all mailbox, where all inbound email is being catched that is not pointed to a known recipient. Think of a sort of *@domain.com.

In this guide I will explain how to configure this in Exchange Online and how to maintain this by limiting our administrative effort. I also created a full customizable PowerShell script for this task which you can find here:

Microsoft 365 create a shared mailbox with same alias

Thu, 06 Jun 2024 00:00:00 +0000

When using Microsoft 365 and using multiple custom domains, sometimes you are unable to create a shared mailbox that uses the same alias as an existing mailbox.

In this guide I will explain this problem and show how to still get the job done.

The problem of multiple shared mailboxes with same alias

Let’s say, we have a Microsoft 365 tenant with 3 domains;

domain1.com
domain2.com
domain3.com

When you already have a mailbox called “info@domain1.com” you are unable to create a “info@domain2.com” in the portal. The cause of this problem is that every mailbox has a underlying “alias” and that this alias is the same when created in the portal. I have tried this in the Microsoft 365 admin center, Exchange Online admin center and Powershell. I get the following error:

Migrate data to SharePoint/OneDrive with SPMT

Mon, 20 May 2024 00:00:00 +0000

When still managing on-premises environments, but shifting your focus to the cloud you sometimes need to do a migration. This page helps you to migrate to SharePoint or Onedrive according to your needs.

At the moment, SharePoint is a better option to store your files because it has the following benefits over a traditional SMB share:

Single permissions system (No SMB/NTFS permissions)
High available by default
No server infrastructure needed
Users can work at the same file simultaneously
Integration with Microsoft Teams

The Microsoft SharePoint Migration Tool

Microsoft has a tool available which is free and which can migrate your local data to SharePoint. The targets you can specify are:

Using PowerShell remote sessions

Wed, 10 Apr 2024 00:00:00 +0000

PowerShell Remote Sessions can be a great way to administer your virtual machines, cluster-nodes or physical Windows-based devices. With a Powershell remote session you can execute powershell commands on a remote device.

It works the best with servers in a specific management subnet. I do not recommend to administer client devices with Powershell because this can be a huge security risk.

Requirements

Management computer/Priveleged Access Workstation
15-20 minutes of your time
Management server and endpoints are Active Directory joined

Starting out

Before we can use Powershell to administer remote computers, we need to enable two things:

How to enable Remote Group Policy update

Wed, 10 Jan 2024 00:00:00 +0000

Group Policy update to multiple computers

Sometimes you want to force a group policy update on multiple computers. Often when i am configuring Azure Virtual Desktop Session Hosts i need this option instead of logging into all hosts and executing the command manually.

There is a option in Group Policy management to force a group policy update to all computers in a OU:

Actually, this only works after you configured this on the remote computers. The good part is, there is a way to do this with Group Policy!

Dynamic group for access to Windows 365

Fri, 01 Dec 2023 00:00:00 +0000

When using Windows 365 in your organization, the deployment is very easy to do. When it comes to adding more users to the service, it can be much manual clicks to reach your goal. My advice is to leverage the Dynamic Group feature of Microsoft Entra.

Requirements

Azure AD/Entra ID/Microsoft Graph Powershell module
- https://learn.microsoft.com/nl-nl/powershell/module/azuread/?view=azureadps-2.0
10 minutes of your time

What are Dynamic Groups?

The Dynamic Groups feature of Microsoft Entra is a great tool for auto-managing members of a group based on a single rule or collection of rules. Some examples of using dynamic groups:

Dynamic Distribution Groups in Microsoft 365

Sat, 21 Oct 2023 00:00:00 +0000

Sometimes you want to have a distribution group with all your known mailboxes in it. For example an employees@justinverstijnen.nl or all@justinverstijnen.nl address to send a mail company wide. A normal distribution group is possible, but requires a lot of manual maintenance, like adding and removing users.

To apply a little more automation you can use the Dynamic Distribution Group feature of Exchange Online. This is a feature like the Dynamic groups feature of Microsoft Entra which automatically adds new user mailboxes after they are created to make sure every new employee is added automatically.

Change Evaluation version to Standard/Datacenter version

Wed, 03 May 2023 00:00:00 +0000

When you install a fresh Windows Server installation from a .iso file, it will be installing the OS as a Evaluation version. When you want to activate the installation with a key you need to rebuild the OS and set the edition to Standard.

Microsoft considers Standard and Standard Evaluation as different editions of Windows, because of this we have to change the edition before you can activate the installation. When you want to use the edition Datacenter, you can change the command to Datacenter which also works.

Bulk create Active Directory users with Powershell

Mon, 20 Mar 2023 00:00:00 +0000

When it comes to creating users for Active Directory, especially in new implementations, you want to minimize the time needed to create the accounts. This is possible by creating the AD users with Powershell.

Requirements

Minimal knowledge of Powershell
An Active Directory environment

Full script for creating AD users

Here is the full script including CSV that creates the ad users:

Show PowerShell script on Github