Murray
@mynameismurray.bsky.social
Technology enthusiast & critic. IT Professional. Musician & Sci-Fi fan. Husband & father. All opinions my own. Also find me on https://twitter.com/MyNameIsMurray
So yeah, I've applied for the free parallel job access and will await that side, but I really can't understand why the required web app isn't showing for the pipeline template. Not sure if I'm missing a permission, or it's a config thing.
June 10, 2025 at 11:16 AM
Right now I've had to abandon pipelines, temporarily enable basic authentication for the web app when I need to do updates, then perform the upload via SFTP... which is super yucky. I've done this with AZ CLI previously, and it's another option, but I want this pipeline to work.
June 10, 2025 at 11:14 AM
On that second one, I am the project owner with all rights in DevOps, and the same account currently has the Website Contributor role on the specific Azure Web App (via IAM), but that app never shows up in the dropdown for the required template steps. The subscription does, but not the web app.
June 10, 2025 at 11:13 AM
Second, what permission or other requirements are needed to see an Azure Web App - within an active Azure Service Plan - when setting up a pipeline via template? I can see the subscription, but no web apps show in the next step. Using the template to build Python for Azure Web Apps.
June 10, 2025 at 11:12 AM
When I click on my AUM "Machines", I can see the "Associated schedules" column, and I'm expecting 2 per server... but all new Arc-enabled servers end up with ALL the schedules, and that doesn't seem right. Everything in "Dynamic Scopes" looks good, but Resources isn't correct: Shows all new servers.
May 12, 2025 at 2:49 AM
As you can imagine, I have Maintenance Configurations for installing updates and rebooting, installing and rebooting after a different grace period, installing but not rebooting, etc. I have all these policies and maintenance configs created and they seem to mostly work fine... but also not really.
May 12, 2025 at 2:46 AM
Hmm, I've not had any LLM work for this. Maybe I'm just asking for things that are too complex, or have just had bad luck, but it ALWAYS hallucinates cmdlets, Graph API endpoints, and generally just outputs nonfunctional code or suggestions.
May 9, 2025 at 8:35 PM
We don't really have the budget to give admins a second device. It's not best practice to use a VM for admin activities either, and doing admin logon first is a nope. So without Dual Enrollment admins are needing to use usernames & passwords, even for jump servers (RDP)... ewww!
April 17, 2025 at 1:51 AM
We nuked AD FS a long time ago. And we're trying to move to cloud PKI as our existing solution wasn't set up the way I like and I need to start over anyway. We unlocked Cloud Kerberos Trust already, over the Hybrid Key Trust we had before. But no Dual Enrollment kinda sucks.
April 17, 2025 at 1:48 AM
I noted that Dynamic Scopes state they are evaluated at run time, so does that mean they apply to all servers and are evaluated on the schedule start to see if the config should apply? Or is this some whacky bug that means they'll run all schedules (including reboots)?
April 10, 2025 at 8:23 AM
When I go back to AUM and review the Machines page, I can see that all servers have all three schedules listed in the "Associated Schedules" column. And if I go back to the Machine configuration area, and into each config, the Resources area now contains all servers. What?
April 10, 2025 at 8:22 AM
Each of these was created with no manually assigned Resources, but rather a Dynamic Scope that uses assigned server Tags I've created. If I edit the Dynamic Scope, the correct servers (based on the tags) appear. I thought this was all good, however...
April 10, 2025 at 8:20 AM
I created three test schedules:
1. Apply Patch Wednesday updates, deferred 3 days, no automatic reboot.
2. Apply Patch Wednesday updates, deferred 3 days, with automatic reboot.
3. Apply definition updates every 6 hours, no reboot (because it isn't needed).
April 10, 2025 at 8:16 AM
But worse, in my case, step 8 doesn't work and I get a "Something went wrong" error and a list of a couple of my other Microsoft accounts. I then need to click the "Use other device" option and repeat steps 4 through 8 a SECOND TIME before I can log in. Not sure how I can fix that issue, but it sucks.
March 27, 2025 at 1:41 AM
This is the one where I set Connect Sync to Staging, disable sync, add custom inbound and outbound rules, ensure GWBv1 + v2 are disabled, perform a couple of Initial syncs, then re-enable. I guess this really confirms the "we don't have GWBv2 enabled" comment I made... and I was hoping this worked.
March 14, 2025 at 4:22 AM
Thanks for the reply. The most recent update from support was to follow the Migration from GWBv2 doc, even though it didn't seem super relevant. I went through each of the prerequisites and 7 steps from the doc, screenshotting the process the entire way... and at the end still had timeout issues.
March 14, 2025 at 4:20 AM
My understanding was that, like most modern Microsoft connectors and agents, the Agent establishes a secure outbound connection to the endpoint - in this case, Entra Cloud Sync endpoints - and essentially polls that for stuff to do... but there seems to be FW blocks from Entra to our external IP?
March 12, 2025 at 5:14 AM
Hey Jef, any more thoughts on this one? I'm still stumped as to the possible cause, and the Microsoft Support guy seems even more lost than I am.

Interestingly, while poring through our org firewall logs for another reason, it looks like Entra is trying to directly talk back to the Prov. Agent?
March 12, 2025 at 5:12 AM
I had weird issues with WHfB when switching from Hybrid Key Trust to Cloud Kerberos Trust, random people had it just break for no good reason. Unfortunately, the fix was using CertUtil to wipe it out and start again rather than just a cheeky reboot. Passphrase LAPS will be a great improvement.
March 12, 2025 at 1:10 AM
Yep, it sucks. In about 1 month, Microsoft has destroyed all trust and credibility that remained in our org. Between a bad OS release that causes failures to apply any new security updates, to completely breaking WHfB, and more. They definitely don't have anyone testing this stuff, do they?
March 12, 2025 at 12:37 AM