Azure AD Joined device ownership change

If you’ve done an Azure AD Join for a device and found that you (the admin) are now the owner, it can create certain problems for you. If you go through an AutoPilot deployment, the end user ends up as the owner. So, how do you change the device owner to the recipient of the device when you did the setup yourself?

Get-AzureADUser -SearchString username

  • Run this for both the new owner and the current owner; you need each user’s ObjectId

Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "AzureAD"}

  • This returns every Azure AD joined device, which can be a big list

Add-AzureADDeviceRegisteredOwner -ObjectId deviceObjectId -RefObjectId userObjectId

  • Add the new owner first, where deviceObjectId is the device’s ObjectId and userObjectId is the new owner’s ObjectId

Remove-AzureADDeviceRegisteredOwner -ObjectId deviceObjectId -OwnerId previousUserObjectId

  • Removes the previous owner, where deviceObjectId is the device’s ObjectId and previousUserObjectId is the previous owner’s ObjectId

Get-AzureADDeviceRegisteredOwner -ObjectId deviceObjectId

  • Confirms the change
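Putting the five commands together, here is an added example (my code, not the post’s) that does the whole transfer in one function: it adds the new owner before removing the old one, as the post recommends, so the device is never left without an owner, and it refuses to act if the device name matches more than one object. It assumes the AzureAD module and an existing Connect-AzureAD session; Set-DeviceOwner and its parameter names are mine, and the device name and UPNs in the usage comment are placeholders.

```powershell
# Added example, not the original post's code.
# Assumes: Install-Module AzureAD has been done and Connect-AzureAD has been run.
# Set-DeviceOwner and its parameter names are assumptions of this example.

function Set-DeviceOwner {
    param(
        [Parameter(Mandatory)][string]$DeviceName,      # DisplayName of the joined device
        [Parameter(Mandatory)][string]$NewOwnerUpn,     # who should own it afterwards
        [string]$PreviousOwnerUpn                        # optional: only remove this owner
    )

    # Same filter as the post, narrowed to one display name.
    $device = Get-AzureADDevice -All $true |
        Where-Object { $_.DisplayName -eq $DeviceName -and $_.DeviceTrustType -eq 'AzureAD' }

    if (-not $device) { throw "No Azure AD joined device named '$DeviceName'." }
    if (@($device).Count -gt 1) {
        throw "Device name '$DeviceName' is not unique; pass the ObjectId of the right one instead."
    }

    # Look the new owner up by UPN rather than -SearchString, which can match several accounts.
    $newOwner = Get-AzureADUser -ObjectId $NewOwnerUpn -ErrorAction Stop
    $current  = Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId

    # 1. Add the new owner first (skip if already registered).
    if ($current.ObjectId -notcontains $newOwner.ObjectId) {
        Add-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -RefObjectId $newOwner.ObjectId
    }

    # 2. Then remove the previous owner(s). With -PreviousOwnerUpn only that account is
    #    removed; without it every owner other than the new one is removed.
    foreach ($owner in $current) {
        if ($owner.ObjectId -eq $newOwner.ObjectId) { continue }
        if ($PreviousOwnerUpn -and $owner.UserPrincipalName -ne $PreviousOwnerUpn) { continue }
        Remove-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -OwnerId $owner.ObjectId
    }

    # 3. Confirm: return the owners as they stand now.
    Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId |
        Select-Object DisplayName, UserPrincipalName, ObjectId
}

# Usage (placeholder names):
# Set-DeviceOwner -DeviceName 'DESKTOP-EXAMPLE' -NewOwnerUpn 'jane@contoso.example' `
#                 -PreviousOwnerUpn 'admin@contoso.example'
```

The uniqueness check matters because DisplayName is not unique in Azure AD; two devices with the same name would otherwise both be touched. Leaving out -PreviousOwnerUpn is convenient after an admin-driven setup, but review the returned owner list before relying on it.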

Monitoring Temp and Fan Speed in a Quanta LB4M switch

I’m starting to replace the fans in my LB4M to try to quiet it down. During this process I wanted to keep an eye on my temp and the associated fan speeds to make sure I wasn’t running into a problem with cooling. Here’s my Telegraf code with the applicable OIDs.

[[inputs.snmp]]
  agents = [ "192.168.1.1:161" ]
  timeout = "5s"
  retries = 3
  version = 2
  community = "something"
  max_repetitions = 10
  name = "QuantaSwitch"

  # temperature
  [[inputs.snmp.field]]
    name = "Temp"
    oid = "1.3.6.1.4.1.4413.1.1.43.1.8.1.4.0"

  # fan 1 speed
  [[inputs.snmp.field]]
    name = "Fan Speed 1"
    oid = "1.3.6.1.4.1.4413.1.1.43.1.6.1.4.0"

  # fan 2 speed
  [[inputs.snmp.field]]
    name = "Fan Speed 2"
    oid = "1.3.6.1.4.1.4413.1.1.43.1.6.1.4.1"

  # fan 3 speed
  [[inputs.snmp.field]]
    name = "Fan Speed 3"
    oid = "1.3.6.1.4.1.4413.1.1.43.1.6.1.4.2"

I started with pulling all 3 original fans and only installing two of the Noctua fans. The temp went from 40c to 60c before I shut it down. The Noctuas were also starting to run pretty fast. I’ve reconnected one of the original fans and now the temp is around 48c. I’m not sure if this is because the Noctuas are less efficient or if having the mixed fans is causing them to be confused about the speed. I’ll get a third Noctua soon and report my results.

The fan tray just slides out the back, so no need to open up the case. It’s super easy. This is the fan I used, and it’s a straight fit: https://www.amazon.com/gp/product/B071W93333/ref=ppx_yo_dt_b_asin_title_o00_s01?ie=UTF8&psc=1

MFA in Office 365, not talkin’ bout Azure

Microsoft is frustratingly vague about support for basic MFA in all Office 365 offerings. They have these lists of feature support across different packages, which go into great detail and yet don’t include basic MFA. Maybe this post will get up in the rankings so others don’t have to spin their wheels looking for an answer.

My results for licenses that have basic MFA include:

  • F1
  • Business Premium
  • E1
  • E3
  • E5

I have not tested Business Essentials or Exchange Online licenses yet. However, I do have an old Exchange Online Kiosk account and it appears to allow enabling it.

In fact, when I try to enable MFA there does not appear to be a restriction based on license type. Let me know your results!

OpenVAS on the Raspberry Pi 4 works really well!

I’ve been trying to set up OpenVAS on a tiny PC like the RPi lately. Based on this post: https://dayne.broderson.org/2018/05/24/RPi_Vulnerability_Scanner.html

I wasn’t expecting much success. And that’s what I found. It wasn’t really usable. I saw the TinkerBoard and the extra performance and RPi compatibility and thought that might be a good thing to try. I was never able to get a working mix of software on the Tinker. The repositories aren’t quite the same and some of the necessary packages, OpenVAS in particular, are not maintained.

Then the RPi4 was announced. I knew this might be the ticket to making this work. 4GB of RAM!!! Unfortunately, the 4GB model isn’t available yet, as far as I can tell. I decided to wait. Then I found out my sometimes partner in crime, Steve, had ordered a pair of 2GB models. Of course, I asked if I could borrow one.

I’m happy to report that the install is simple and it was able to scan my /24, which averages about 75 IPs, in about 3 hours! I didn’t modify anything performance related and didn’t have any of the problems that Dayne referenced.

I do need to sort through a few logistic issues to make this functional in the way I’m thinking. For one thing, I want to run this headless. No problem, except OpenVAS (specifically the GSA web management) is finicky about identifying the IP address it’s listening on. So far I have to manually set it and haven’t figured out how to make it work with 0.0.0.0. I’ll find a way. I also had a problem with the management interface failing due to memory starvation. I think. The scan will continue to run, so it’s not a showstopper. I’m hoping the 4GB will help with that. I also think it’ll be helpful to throw some heatsinks on. It seemed to get pretty hot.

Without further pre-amble, the steps I took. This is very similar to Dayne’s post with a few exceptions:

sudo apt update
sudo apt upgrade
sudo apt autoremove   # habit for me
sudo apt-get install openvas
sudo openvas-setup    # this took a good hour, maybe more, to run. Lots of errors, but it seems to have been ok.
sudo openvas-start

This is the part I haven’t sorted out yet. You need to update the service config files to reflect something other than 127.0.0.1. I tried 0.0.0.0 and was unsuccessful. When I changed it to the DHCP IP address it worked. I don’t see this as a good solution, as I intend to use this in different environments. Regardless, here are the commands until I can sort out the right answer:

sudo nano /lib/systemd/system/greenbone-security-assistant.service
sudo systemctl daemon-reload
sudo service greenbone-security-assistant restart

sudo nano /lib/systemd/system/openvas-manager.service
sudo systemctl daemon-reload
sudo service greenbone-security-assistant restart
sudo service openvas-manager restart
sudo service openvas-scanner restart

And my GS service line that I edited in the above command:
ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=0.0.0.0 --mport=9390 --allow-header-host=192.168.169.198

The --allow-header-host is the problem I need to fix. I’ll update as I make improvements. One of my goals is to attach a small LCD that will display the IP address.
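As an added example (my script, not from the post or from the Greenbone project), here is one way to stop hand-editing the unit file on every network change: render a systemd drop-in that pins --allow-header-host to whatever address the Pi currently holds, and install it from a boot-time hook instead of editing /lib/systemd/system directly, which a package upgrade would overwrite. It assumes the gsad flags shown in the post’s ExecStart line and the unit name greenbone-security-assistant; the function names and the drop-in file name are mine. The host value is validated before it is written into the unit, so a stray character in it cannot add a second directive to the file.

```shell
#!/bin/sh
# Added example, not the original post's commands.
# Assumes the gsad flags from the post's ExecStart line and the unit name
# greenbone-security-assistant; function names and the drop-in file name are mine.

# First address reported by hostname -I (GNU/Raspbian); loopback if none.
primary_ip() {
    ip=$(hostname -I 2>/dev/null | awk '{print $1}')
    if [ -n "$ip" ]; then printf '%s\n' "$ip"; else printf '127.0.0.1\n'; fi
}

# Print a systemd drop-in that replaces ExecStart. $1 is the host/IP that gsad
# should accept in the HTTP Host header. Only hostname/IP characters are allowed,
# so nothing can smuggle a newline or another directive into the unit file.
render_gsad_override() {
    addr="$1"
    case "$addr" in
        ''|*[!0-9A-Za-z.:-]*)
            echo "render_gsad_override: refusing host value '$addr'" >&2
            return 1 ;;
    esac
    # An empty ExecStart= line clears the packaged value before setting ours.
    printf '[Service]\nExecStart=\n'
    printf 'ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=0.0.0.0 --mport=9390 --allow-header-host=%s\n' "$addr"
}

# Write the drop-in under /etc (survives upgrades) and restart gsad. Needs root.
install_gsad_override() {
    dir=/etc/systemd/system/greenbone-security-assistant.service.d
    mkdir -p "$dir"
    render_gsad_override "$(primary_ip)" > "$dir/10-allow-header-host.conf"
    systemctl daemon-reload
    systemctl restart greenbone-security-assistant
}

# Run as: sudo sh gsad-host.sh install   (e.g. from a @reboot cron entry)
if [ "${1:-}" = "install" ]; then
    install_gsad_override
fi
```

Because the address is read once when the hook runs, re-run the install step after the Pi moves to another network; showing the same value on the small LCD the post mentions would make it obvious which address gsad currently accepts.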

Grafana and Chromecasting – Part 2

Following up on my previous post about running Grafana out to a Chromecast dongle on a TV, I’ve now tested it going directly to a Vizio 4k TV with the built-in Chromecast functionality. It works fine and is actually pretty responsive. Unfortunately, it appears to be displaying in 1080p. I haven’t tested this much, so it might be possible to push it to 4k.

This is the tool I’m using on the server side: https://mrothenbuecher.github.io/Chromecast-Kiosk/

This opens up the possibility of using smaller, low-end TVs for Grafana directly, but also for other signage or metrics displays. One reason I’ve been interested in this for a while was to run displays in a service desk/call center environment. Previously, you had to run video from dedicated PCs that would cost a couple hundred dollars each. With this solution you only need to buy a TV that has Chromecast built in and then run the Kiosk program on an Ubuntu VM. You can then have multiple different feeds running to different TVs.

I think the Chromecast implementation might still be a little finicky with picking a resolution, but it should be consistent across the same model of TV.

Grafana through built in Chromecast
My current layout, optimized for 1080p

OpenVAS for simple vulnerability scanning

I’ve been looking for a simple security vulnerability scanning tool for a while now. OpenVAS looked promising in the past, but I always had trouble getting it to work. I decided to work through it this weekend and figure out what I was doing wrong. In a nutshell, here it is:

GSM Community Edition and lagging OpenVAS Plugin Feed

The bottom line is that the free community version only updates the feed once a day. Per the link, you can manually force it at the initial setup and then wait about 30 minutes for the feed to download. This is what I did and now I have an excellent scanner! I also now have a list of things to fix on my home network. 🙂

Plex, Channels and trying to get the two to work together

For a while now I’ve been running Plex as my primary media server. I’ve been trying to use the Plex DVR, but found it to be very finicky. Mostly, it would fail to record shows without telling me in any way. I’d review my upcoming recordings and then check them a couple of days after and they just weren’t there. No notice, nothing. I’ve also been using the Channels app on the AppleTV for live TV. Part of my frustration with PlexDVR is that the channel tuning was always slow. I think if it worked well otherwise I probably would have stuck with it, but that’s not the case. So, I decided to try Channels DVR. What a difference. All I can say is it just seems to work. Everything appears to be getting recorded, channel changes on live TV are fast, it’s really been an excellent experience. I had one issue that I was able to overcome, which is how to get the Channels recordings into Plex in an automated way. Channels DVR has a means of managing recordings and will tag commercials with chapter markers, but that’s just in the Channels DVR app.

I have Channels DVR running in a Docker in Unraid. Probably not necessary, but it’s handy. It was super simple to install. The problem is that Channels DVR wants to record everything to a “TV” folder within the directory you set it to for the recordings. In my case, I have a couple of Unraid user shares related to TV. I have the main TV shows storage at /mnt/user/TVShows and I have the recordings directory at /mnt/user/LiveTV. This means the Channels DVR recordings will go into /mnt/user/LiveTV/TV/showname.

The fix ended up being pretty simple. I run Plex on an Ubuntu server. Here’s my fstab:

//192.168.169.8/DVDs /mnt/DVDs cifs guest,uid=1000,iocharset=utf8 0 0
//192.168.169.8/KidDVDs /mnt/KidDVDs cifs guest,uid=1000,iocharset=utf8 0 0
//192.168.169.8/Movies /mnt/Movies cifs guest,uid=1000,iocharset=utf8 0 0
//192.168.169.8/TVShows /mnt/TVShows cifs guest,uid=1000,iocharset=utf8 0 0
//192.168.169.8/Pictures /mnt/Pictures cifs guest,uid=1000,iocharset=utf8 0 0
//192.168.169.8/Music /mnt/Music cifs guest,uid=1000,iocharset=utf8 0 0
//192.168.169.8/LiveTV/TV /mnt/DVR cifs guest,uid=1000,iocharset=utf8 0 0

Inside Plex I have the TV shows library mapped to both /mnt/TVShows and /mnt/DVR. Plex’s autodiscovery scans both folders just fine and coalesces the shows from both locations. I still need to figure out the comskip, but hitting the jump button is fine for now. In retrospect, I probably could have simply pointed it at TVShows and let it create a new directory in there, but this way keeps the folder structures a little cleaner.