So yeah, I've applied for the free parallel job access and will await that side, but I really can't understand why the required web app isn't showing for the pipeline template. Not sure if I'm missing a permission, or it's a config thing.
10.06.2025 11:16
Right now I've had to abandon pipelines, temporarily enable basic authentication for the web app when I need to do updates, then perform the upload via SFTP... which is super yucky. I've done this with AZ CLI previously, and it's another option, but I want this pipeline to work.
10.06.2025 11:14
On that second one, I am the project owner with all rights in DevOps, and the same account currently has the Website Contributor role on the specific Azure Web App (via IAM), but that app never shows up in the dropdown for the required template steps. The subscription does, but not the web app.
10.06.2025 11:13
Second, what permission or other requirements are needed to see an Azure Web App - within an active Azure Service Plan - when setting up a pipeline via template? I can see the subscription, but no web apps show in the next step. Using the template to build Python for Azure Web Apps.
10.06.2025 11:12
Okay, time for stupid dev questions. First, does Azure DevOps really require a paid subscription, and/or approval (by application and days waiting) for a single limited license, for parallel job access in order to execute CI/CD pipeline actions? Tell me that ain't so?
10.06.2025 11:11
When I click on my AUM "Machines", I can see the "Associated schedules" column, and I'm expecting 2 per server... but all new Arc-enabled servers end up with ALL the schedules, and that doesn't seem right. Everything in "Dynamic Scopes" looks good, but Resources isn't correct: Shows all new servers.
12.05.2025 02:49
As you can imagine, I have Maintenance Configurations for installing updates and rebooting, installing and rebooting after a different grace period, installing but not rebooting, etc. I have all these policies and maintenance configs created and they seem to mostly work fine... but also not really.
12.05.2025 02:46
I've asked this before, but didn't find any answers, so here we go again: When using Tags to define Dynamic Scopes in @azure.microsoft.com Update Manager, why is it that new Arc-enabled servers that I add end up in ALL the Maintenance Configurations as added Resources? I only want tagged ones.
12.05.2025 02:44
Hmm, I've not had any LLM work for this. Maybe I'm just asking for things that are too complex, or have just had bad luck, but it ALWAYS hallucinates cmdlets, Graph API endpoints, and generally just outputs nonfunctional code or suggestions.
09.05.2025 20:35
We don't really have the budget to give admins a second device. It's not best practice to use a VM for admin activities either, and doing admin logon first is a nope. So without Dual Enrollment admins are needing to use usernames & passwords, even for jump servers (RDP)... ewww!
17.04.2025 01:51
We nuked AD FS a long time ago. And we're trying to move to cloud PKI as our existing solution wasn't set up the way I like and I need to start over anyway. We unlocked Cloud Kerberos Trust already, over the Hybrid Key Trust we had before. But no Dual Enrollment kinda sucks.
17.04.2025 01:48
Ugh! I somehow forgot about this.
1. Windows Hello for Business Cloud Kerberos Trust is awesome, yay!
2. But Cloud Kerberos Trust configurations don't support Dual Enrollment for admins to use, you must use Certificate Trust instead.
3. Certificate trust requires AD FS.
4. Crying.
17.04.2025 01:46
I noted that Dynamic Scopes state they are evaluated at run time, so does that mean they apply to all servers and are evaluated on the schedule start to see if the config should apply? Or is this some whacky bug that means they'll run all schedules (including reboots)?
10.04.2025 08:23
When I go back to AUM and review the Machines page, I can see that all servers have all three schedules listed in the "Associated Schedules" column. And if I go back to the Machine configuration area, and into each config, the Resources area now contains all servers. What?
10.04.2025 08:22
Each of these was created with no manually assigned Resources, but rather a Dynamic Scope that uses assigned server Tags I've created. If I edit the Dynamic Scope, the correct servers (based on the tags) appear. I thought this was all good, however...
10.04.2025 08:20
I created three test schedules:
1. Apply Patch Wednesday updates, deferred 3 days, no automatic reboot.
2. Apply Patch Wednesday updates, deferred 3 days, with automatic reboot.
3. Apply definition updates every 6 hours, no reboot (because it isn't needed).
10.04.2025 08:16
Alrighty, let's get this figured out: So in Azure Update Manager, if I define three update Maintenance configurations, and these use Dynamic Scopes based on Tags, then all servers will have ALL tags appear under "Associated Schedules" and will be evaluated at runtime?
10.04.2025 08:12
But worse, in my case, step 8 doesn't work and I get a "Something went wrong" error and a list of a couple of my other Microsoft accounts. I then need to click the "Use other device" option and repeat steps 4 through 8 a SECOND TIME before I can log in. Not sure how I can fix that issue, but it sucks.
27.03.2025 01:41
This can't be the way.
1. Visit Entra and get MFA prompt
2. Select the passkey option to get a QR code
3. Grab phone, authenticate
4. Open Authenticator, authenticate
5. Tap button to begin scanning QR code
6. Tap OK on useless message
7. Tap account, authenticate
8. Page loads
Eeeesh!
27.03.2025 01:38
This is the one where I set Connect Sync to Staging, disable sync, add custom inbound and outbound rules, ensure GWBv1 + v2 are disabled, perform a couple of Initial syncs, then re-enable. I guess this really confirms the "we don't have GWBv2 enabled" comment I made... and I was hoping this worked.
14.03.2025 04:22
Thanks for the reply. The most recent update from support was to follow the Migration from GWBv2 doc, even though it didn't seem super relevant. I went through each of the prerequisites and 7 steps from the doc, screenshotting the process the entire way... and at the end still had timeout issues.
14.03.2025 04:20
My understanding was that, like most modern Microsoft connectors and agents, the Agent establishes a secure outbound connection to the endpoint - in this case, Entra Cloud Sync endpoints - and essentially polls that for stuff to do... but there seems to be FW blocks from Entra to our external IP?
12.03.2025 05:14
Hey Jef, any more thoughts on this one? I'm still stumped as to the possible cause, and the Microsoft Support guy seems even more lost than I am.
Interestingly, while poring through our org firewall logs for another reason, it looks like Entra is trying to directly talk back to the Prov. Agent?
12.03.2025 05:12
I had weird issues with WHfB when switching from Hybrid Key Trust to Cloud Kerberos Trust, random people had it just break for no good reason. Unfortunately, the fix was using CertUtil to wipe it out and start again rather than just a cheeky reboot. Passphrase LAPS will be a great improvement.
12.03.2025 01:10
Yep, it sucks. In about 1 month, Microsoft has destroyed all trust and credibility that remained in our org. Between a bad OS release that causes failures to apply any new security updates, to completely breaking WHfB, and more. They definitely don't have anyone testing this stuff, do they?
12.03.2025 00:37
Correct. We deployed the devices fresh with 24H2, then used TAP to set up WHfB using the PIN option. This was working fine for well over a month. The only thing to change between working and not was the firmware. No Quality Updates were installed in that period.
12.03.2025 00:15
I find this attitude so incredibly frustrating. So, because you don't like the politics and antics of one person on a company leadership team, you want to see a good company and its 125,000+ employees ruined... all to try and send that one guy a "message"? That's awful. Find another way to protest.
12.03.2025 00:13
It's hard to believe, but these simple USB-C to HDMI cables are so incredibly finicky, especially in 3 screen setups. We were lucky to find a heap of Dock 1 units cheap, so use them instead... and we're looking to use docks other than Surface ones going forward, for these reasons.
12.03.2025 00:00
Not the TB4 dock, as that is far too expensive for us, but the Surface Dock 2 had the same issues with black screens, flickering, and glitching. Sadly, by far, the most reliable adaptor was the Microsoft one that they have stopped making. Some ALogic active adaptors worked also, but many don't...
11.03.2025 23:57
Yep, all Windows 11 Education 24H2 in my case.
11.03.2025 23:54