Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V



And all that stuff

Azure MFA on Windows 10 Native Mail Client

If you enable Azure MFA in Office 365 and try to sync mail using the native Windows 10 Mail client, this is what the user will see:

(Sorry for the language. The buttons and boxes are all the same.)

1 - add mail account
The user needs to select Office 365 for Azure MFA.
2 - add user
The user now only needs to enter his UPN; it cannot be the username.
3 - autodiscover looks for your account
If it fails here, then Autodiscover is broken.
4 - enter password
Observe that the mail app has pulled down my company details, including logo and custom text.
5 - Azure AD MFA calls
Right now your phone would ring or you would get an SMS/app challenge.
6 - account added
That's it.
7 - policies
Your company security settings will now be applied. Usually you get this box regardless, just to tell you that it might tighten security.
8 - mail received
You receive mail. If you do not see mail, maybe the mail is older than a month. Then you need to change the sync settings to enable all mail to sync down.



Add my Machine to Azure AD out of the box

If you are setting up a new machine and you have Office 365, Azure AD, Intune or CRM, why not Azure AD join it and get all the benefits!?

10 - Azure AD Enrollment

9 - Azure AD Enrollment

8 - Azure AD Enrollment
or who manages your PC?

7 - Azure AD Enrollment

6 - Azure AD Enrollment
Supports ADFS of course

5 - Azure AD Enrollment

4 - Azure AD Enrollment

3 - Azure AD Enrollment

2 - Azure AD Enrollment

1 - Azure AD Enrollment

11 - Azure AD Enrollment
Notice here how printer, network drives and WiFi settings have been pushed!

Here is the whole thing in a Sway:




How to sign a MSI file for deployment with Microsoft Intune

If you want to use Microsoft Intune to deploy an MSI file, it needs to be signed with a code signing certificate. Most MSIs from software vendors are signed already, but if you created a custom MSI (e.g. Office 365) by wrapping an EXE, then you need to sign that MSI yourself.

Using an MSI enables Intune to push that software over the MDM channel. All MDM-joined PCs will be able to receive this software.

Scenario this covers: I want to use Microsoft Intune to deploy apps and EXE files to PCs, e.g. Office 2016/custom software.

Step 1 – Buy or get a code signing certificate. If you do not have one, buy it here:

Step 2 – Download and install the Windows 7 SDK to get signtool.exe. Get the SDK from here:
->Accept all defaults and do not change anything. It will prompt errors
->Check that you have the signtool.exe in this folder:
C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin

Step 3 – Export your certificate to a PFX file and put it in the same folder as your MSI file.

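Step 4 – Run CMD as administrator and input this command (/t takes the URL of a timestamp server; replace TIMESTAMP_SERVER_URL with the one your certificate authority provides):

"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign /v /f "c:\exemsi\HaukebergCert.pfx" /p "PASSWORD" /t TIMESTAMP_SERVER_URL /v "C:\exemsi\OfficeProPlus.msi"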

sign ok
The password has been removed
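
A check worth running before the upload, as an added example that is not part of the original post: it confirms that the MSI carries a valid Authenticode signature, that the signer is the certificate in the PFX, and that a timestamp is present. The function name Test-MsiSignature is hypothetical; the paths are the ones used in the command above.

```powershell
# Added example (not from the original post): verify a signed MSI before deployment.
function Test-MsiSignature {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $PfxPath
    )

    # Get-PfxCertificate prompts for the PFX password interactively,
    # so the password never appears on a command line or in shell history.
    $expected = Get-PfxCertificate -FilePath $PfxPath
    $sig      = Get-AuthenticodeSignature -FilePath $MsiPath

    $problems = @()
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    if (-not $sig.SignerCertificate) {
        $problems += 'File carries no signer certificate.'
    }
    elseif ($sig.SignerCertificate.Thumbprint -ne $expected.Thumbprint) {
        $problems += "Signed by $($sig.SignerCertificate.Subject), not by the expected certificate."
    }
    if (-not $sig.TimeStamperCertificate) {
        # Without a timestamp the signature stops validating
        # once the signing certificate expires.
        $problems += 'No timestamp countersignature.'
    }

    [pscustomobject]@{
        File     = $MsiPath
        Signer   = $sig.SignerCertificate.Subject
        NotAfter = $sig.SignerCertificate.NotAfter
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Paths taken from the signtool command in step 4.
Test-MsiSignature -MsiPath 'C:\exemsi\OfficeProPlus.msi' -PfxPath 'C:\exemsi\HaukebergCert.pfx'
```

An Ok value of False together with the Problems list tells you whether to re-sign, re-timestamp, or check which certificate was used.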


Now you are ready to deploy this MSI file through the MDM channel

Follow this guide to deploy the MSI file in Microsoft Intune MDM channel


IT DEV Connections
We are covering MDM channel here

Adapted from these posts:

Forgot login credentials and need to reset Windows 10 – Use Advanced Startup

If you are stuck on this screen and forgot your login there is a simple way to reset your device.

Logon screen and you can not log in.



Hold the “SHIFT” key and keep holding it while tapping/clicking on the power button and select restart



Advanced startup. Press troubleshoot and then press “Reset this PC” 

Thanks to:



Configuring Conditional Access to Exchange Online (365) with Intune

You can configure Microsoft Intune to block devices that do not comply with a “standard” from accessing Office 365 Exchange Online email.

Here is how:

  1. in a silverlight browser.
  2. Create a Compliance Policy
  3. Policy->Compliance Policy->Create New
compliance policy
I will demand a password of minimum 6 digits and 1 minute before screen lock.
Setting the Conditional Access and blocking Exchange Active Sync
  1. Policy->Conditional Access->Exchange Online Policy
  2. Click following:
    • Activate Policy for Conditional Access
    • Select Specific Platforms
    • Check iOS (my rules will now only apply here; the rest can read email).
    • Check: Require Compliance for Mobile Device
    • Select “Block access to e-mail for devices not supported by Intune”
    • Select “All users”
    • Select “No exception users”

The iOS users will now have to enroll in order to read email, and when they do they need to set a 6 digit password.

Caution with using Active Sync only:

  1. If the user has already configured email, he might not be blocked.
  2. If the user has been associated with that device earlier, he might not be blocked.

Enrollment procedure:

  1. Enter your email in the native mail client by going to settings
  2. You receive an email with instructions on how to get access to your mail.
Follow those instructions.


Azure Active Directory and Roaming Profiles

In Windows 10 you can join a machine to Azure AD instead of a local domain.


When you join Azure AD your account is given administrator privileges automatically. If you switch users by Ctrl+Alt+Del and Switch user, that user is set as a Standard user.


If you do not know who will use the computer, only the first user will be administrator, the rest will be standard users and can not install programs.


This action is default and can not be changed. Simply giving machines out to students will result in the first users becoming administrators. If you boot all machines before deployment and log in with your user, that user will be blocked after about 20 devices.



How to fix this? Take a look at this post:



Surface Pro 4 Backward Compatibility and Out of The Box

Thinking about the new Surface Pro 4? Cool. It’s a very well built device with an even better pen!

However these are some things you might want to think about before you buy.

  1. The Surface Pro 4 will fit in the old Surface Pro 3 dock, but not 100%, more like 90%. It will charge, but it sits wrong, a bit tilted to one side due to its thinner design.
    • EDIT: There is a free adapter which you can order from Microsoft to fix this. Get it here
  2. The Surface Pro 3 keyboard fits the new SP4, but not 100%, more like 90%: as the new SP4 has a smaller bezel, the keyboard overlaps the screen area. The magnet also will not clip on as tight.
    Magnet not 100% on

    Keyboard overlapping
  3. Updates, then updates, and some more updates. When you buy an SP4 you have to update the device for at least 1-2 hours before it’s “done”.
  4. Windows Hello is not supported out of the box; you need to run that 1-2 hours of updates and then update again to receive the necessary firmware update for Windows Hello to work.
  5. Screen bleeding: the screen is not perfect black. There is some edge bleeding.

    Some minor bleeding of the light on the bottom
But you know what? Despite all this, the device is awesome and I love Windows Hello!
I just sit down in front of the camera and “whoosh” it logs me in, every time!
I would recommend this device to all my family members and my business associates!

Why you should have the taskbar on top

If you are getting or own a Surface Pro 3 or Surface 3, it’s much better to have the taskbar on top.

Here are the two reasons I do it:

  1. Better ergonomics – instead of looking down, you lift your gaze and look up.
  2. (Most important) Easier to touch the taskbar when the keyboard is clipped on.

