Author: Adam Fowler

Passwordless Sign-In with FIDO2 Security Key and Microsoft

We all know passwords are bad. Microsoft’s leading answer to this is Windows Hello – or Windows Hello for Business. Using a PIN or biometrics (fingerprint reader or facial recognition) is trying to move towards a passwordless world. We’ve still got a long way to go, but we’re off to a solid start with viable alternatives.

Source: Microsoft

FIDO2 Security Keys support true passwordless login, and supported devices can be used for both consumer Office 365, and Azure AD. eWBM makes these keys, and by the claim on their website are “world’s first and currently only FIDO2 Level 2 certified security keys”. They offered to send these out to Microsoft MVPs free of charge, so I took the opportunity to accept one, test it and write about my experience.

The eWBM key isn’t very large – on the smaller side of your standard USB flash drive. It’s designed to be plugged in (and comes in both USB-C and USB type A flavours) and then verified with a touch on the fingerprint reader.

To set up a key on Azure AD, it’s a matter of adding it as a sign in method, just like you would with other methods such as SMS or the Authenticator app. eWBM have a quick video on how to do this:

Once set up, using the key is pretty simple too. If you’re logging onto a site using your Azure AD account, instead of entering a password, you choose the ‘Sign in with a security key’ option, plug in and scan your fingerprint on the key, and you’re on.

If you’re wondering why you don’t even need to type the password, where you would with an SMS code – that’s because you’ve got two different authentication methods already built into the USB. Your unique fingerprint, and the unique USB key. Your fingerprint is tied to just that key, it won’t work anywhere else unless you configure another device separately. Combine that with needing to know which username those are tied to makes it a secure combination.

Source: Microsoft

The example above and what I’ve also tested, is a web login. There’s also a PC login option, but that’s currently in beta and you’ll need to be running a insider’s build of Windows 10 to try it.

I can see this working as an actual ‘password replacement’ solution because it provides less of an inconvenience than first logging in with a password, then using something else (SMS/Email/Code/Authenticator App). Instead it’s a single thing to do – plug in your USB key and put your fingerprint on it. The process of doing this is very quick, with the added benefit of being able to do it from any computer – web based sign ins will work from any PC.

A USB-C variant is also available and on it’s way to me, so you can pick from those two standards as to which is more fitting for your requirements.

eWBM sell the keys on their website and there should be more key makers on the way.

Update 28/02/2020

I’ve now received the USB-C version of the eWBM Goldengate Security Key – G320, pictured below against the G310.

Google Nest Mini Won’t Connect to 5Ghz Network

Update 21st February 2020:
I’ve now had Google Nest support confirm that 5ghz Channel 149 and higher isn’t supported – which to me is baffling that a device can be released in this state.

Original Post:
I received a Google Nest Mini as part of Google’s promotion to subscribers of YouTube Premium. A nice gesture, and I hadn’t actually jumpted into having a smart speaker at home myself. Beyond wondering what use I could actually get from it – it was free, so I ordered.

A few weeks later it arrived, and setup should have been simple. Power it on, get the Google Home app on a mobile device, and follow the bouncing ball to set up. I’d done this before for a Chromecast I have, which I could see in the Home setup and have connected to the home 5Ghz network – no issues there at all.

However, when going through the same setup for the Google Nest Mini, I couldn’t even see my 5Ghz home Wi-Fi network listed on my phone. Weird, I tried several things including adding the details of the network in manually. Nothing I tried would work. I also couldn’t get it connected to my 2.4Ghz home network, unless I picked my guest network. I’d had the same issue on a printer that wouldn’t connect and only supported 2.4Ghz; the cuplrit was the AiMesh ASUS setup I had (side note – I personally would recommend to avoid ASUS AiMesh as there’s multiple problems I experienced, it’s not user friendly and solutions that are half done in it such as menu options that display but aren’t supported, as I eventually had confirmed by ASUS support. That’s not to say you should avoid all ASUS solutions.).

That really wasn’t where I wanted to end up though – the Nest Mini streaming data from my 2.4Ghz non-meshed guest network. After a bunch of Googling on the issue, I saw a comment somewhere that said to try band 36. As a refresher on this – 2.4Ghz Wi-Fi has bands or channels from 1 to 11 – but there’s overlap between the bands and they interfere with each other, so you really only wan to use 1, 6 or 11. 5Ghz however, has many more. My 5Ghz network at home was set to ‘Auto’ – which should pick the least noisiest band. That resulted in band 149.

I changed my band from 149 to 36 – the lowest option available, and went through the Google Nest Mini setup yet again. This time, I could see my network! It went through the entire setup process seamlessly. For my own sanity, I tried jumping up to a band 165, higher than 149, reset the Mini, and tried setting it up again but without success. Jumped to band 44 this time, and again it worked perfectly.

5Ghz Wi-Fi Band Options

It seemed the lower channels were fine – from 36 to 48, but the higher bands the device just couldn’t see. Again, weirdly the Chromecast would successfully set up on any of these and was a much older device than my brand new Nest Mini.

I also know it’s not just me that has this problem, as @AjTechs also confirmed he had the same experience – no 5Ghz network visible on band 149, but was visible when he used band 44.

I tweeted about it of course because that’s what I do. The first fail was the frustrating plug design, that wouldn’t fit with any other standard plug I had next to it. It’s also not a USB charger, but a round connector of some sort.

@GoogleNest swooped in to attempt to save the day. They couldn’t answer that question, and after 1 1/2 hours of back and forth over DM, they really didn’t know what was going on still. They still couldn’t answer my original question, and didn’t get me any closer to proving the problem was any different to what I’d found myself.

If I get any more details I’ll update this post – but otherwise, if you’re having the same problem as me, then try a different band, and when that works, have fun reconnecting everything in your house back to Wi-Fi again :)

OneDrive PC Folder Backup and Desktop Shortcut Duplicates

PC Folder Backup (which was previously known as Known Folder Redirect) is a rather useful feature that’s been added into OneDrive. It allows the redirection of users Desktop, Documents and Pictures folder for a user to live in a folder in OneDrive under the user’s profile (e.g. C:\Users\bgates\OneDrive – Contoso\Desktop ). This in turn causes OneDrive to automatically sync the data to the user’s OneDrive cloud based storage, and works a bit like having a roaming profile, without the many issues that plague actual roaming profiles.

Stephen Rose wrote a great post on how it all works with screenshots, check that out if you’re still looking at testing this solution.

An issue that I’ve come across while rolling out, was the duplication of desktop shortcuts. The problem is that OneDrive won’t match files that are ‘identical’ unless they’re Office documents; a local file called test.lnk on your desktop, and another file in OneDrive in the Desktop folder called test.lnk from a previous sync on a different computer will result in the new one being called test – Copy.lnk, and the older one synced back – you now have a test.lnk and test – Copy.lnk file on your desktop.

This wouldn’t normally happen when you log onto a computer for the first time, but many companies deploy shortcuts (usually through Group Policy). What happens is, you log onto a PC for the first time, Group Policy deploys the shortcuts to the desktop you need, then OneDrive kicks in and starts its PC Folder Backup process. I had 4 copies of each shortcut we were deploying before I noticed the mess that my desktop had become!

I’m definitely not alone in this problem. People on answers.microsoft.com were complaining about it, and there’s a user voice idea with 212 votes at the time of posting on this same problem.

I asked around and was determined to work out a reasonable solution:

You can’t just block .lnk files from OneDrive without causing end user errors for everyone trying to automatically sync those.

You can run a script at startup to delete any “* – Copy*.lnk” file on the user’s desktop after logon, but that’s really a hack solution and an absolute last resort.

You can use Group Policy Preferences to delete any “* – Copy*.lnk” from the user’s desktop which is slightly better than a script, but it won’t run at the right time – the user will see duplicates for ~90 minutes after logging in before they get cleaned up, each time they log onto a new PC (which shouldn’t happen THAT often).

You can’t deploy shortcuts once through Group Policy, because the setting to ‘Run once and don’t reapply’ is a per user/per PC setting (unless you have roaming profiles, but you can’t do roaming profiles and PC Folder Backup at the same time unless the folders are excluded from one or the other) – so each time a user logs onto a PC for the first time, it’ll still trigger the shortcut deploys.

The best solution I came up with (and by that, I mean I asked in the Windows Admins Discord and someone said ‘just do it this way’), was to use the Public desktop rather than the user’s desktop.

The Public desktop (located by default in C:\Users\Public\Desktop) are files that everyone who logs onto a PC gets, and because they’re not part of the actual user’s desktop, they’re untouched by PC Folder Backup.

Because I had live shortcuts to clean up too, I first created and tested deleting copies as mentioned above through Group Policy Preferences. I then:

  • Replaced any global shortcut a user needed to %CommonDesktopDir%\file.lnk – not in logged-on user’s context
  • Deleted any existing shortcut deployed from %DesktopDir%\file.lnk in the logged-on user’s context
  • Replaced any shortcut a specific user group needed to %CommonDesktopDir%\file.lnk – not in logged-on user’s context, with item level targeting
  • Deleted any shortcut that was only being deployed to a specific user group, but out of the scope of the above item level targeting from %CommonDesktopDir%\file.lnk

This slightly messy but workable method means the shortcuts will get juggled around if only certain users should see them, and they’ll all live in the Public folder.

I’ll update this if things change with PC Folder Backup, but for the time being this lets the project continue, and users won’t be impacted with shortcut duplicates.

How to Automate FTP Uploads with PSFTP

Many vendors and companies still transfer data via FTP. It could be transactional data, user data, or a myriad of other things. Hopefully they’re using SFTP or FTPS (which are different ways of achieving secure FTP transmissions) rather than FTP, for similar data transfer security reasons on HTTP vs HTTPS.

A common use case I come across, is user management. Uploading basic user data like names, email addresses and employee numbers so a vendor can update records in their cloud based product for your staff to use. If you’re using a cloud service and don’t have user automation sorted – then ask them how you can achieve it – it’s much more enjoyable to set up automation, than do repeating mindless tasks.

Assuming you have details on what to send and where, you’ll need to work out how to automate FTP uploads. Note that this is a much less secure method – you’re saving the password in plain text. Alternatives do exist such as what’s demonstrated in this YouTube video below using a Public Key and Private Key Pair, but require the ability to create a .ssh folder on the FTP server. I’d rather do it this way:

Getting the other end to do what you want isn’t always possible in the real world, so you need to consider the risks if you need to save a password in plain text somewhere (saved in a Scheduled Task as you’ll see below). They’re obtainable if someone can get onto the server (or a backup of the server, or connect to Task Scheduler remotely), which should be heavily locked down anyway, and the password for this might be saved in a password database those same staff members have access to anyway.

If those credentials were obtained by another party, what could they do? If the FTP site cleans up the data instantly that’s uploaded, then they could potentially upload whatever they wanted. Look at a worst case and decide if you’re comfortable with having the account credentials saved this way, or need to find another approach.

Again, consider these risks, try to implement the most secure method you can, and raise any concerns with management/your boss. Assuming this is a scenario where you can’t do it more securely:

Instructions

First, you’ll need software. I use PSFTP – part of PuTTY, a free and open source solution. Download the full installer, as there’s a few components of PuTTY we need.

Next, you’ll need the login details of the FTP site:
Host: e.g. sftp.contoso.com
Username
Password

Open a Command Prompt, navigate to the location that contains sftp.exe and type:

sftp username@host -pw password

You’ll probably first be prompted with a message saying ‘The server’s host key is not cached in the registry’ with some details on the fingerprint. If you’re sure you’re connecting to the right server, you can say ‘y’ to ‘Store key in cache’. Once saved, you won’t be prompted for this on the same computer/user.

At this stage, we’re just making sure you can sign in and get past the key stage. If this works, you’ll now need to work on a batch file to pass through all the commands you want to do.

In this example, I’ll be going into a folder and uploading a file. Open notepad and type your commands, which you can first test in your active connection:

cd inbound
mput filename.csv
quit

Pretty simple stuff. Save your notepad file (we’ll call it batchfile.txt), and if you haven’t already disconnected from your SFTP session, do so with the ‘quit’ command.

Connect back to the SFTP site, but this time we’ll specify the batch file to rin after connecting:

sftp username@host -pw password -b batchfile.txt -batch

I’ve also added -batch on the end to specify it’s an automated batch job – this will cause SFTP to exit on a prompt, rather than be running forever waiting for an input. You can try without -batch first if you want to test and see the prompts, but you’ll need to run this command manually rather than triggering from a Scheduled Task.

If this works as expected, great! You can automate the SFTP task – the final step is to schedule it to run, which I usually use the native Scheduled Tasks in Windows to do.

If your scheduled task is running under a different account than what you tested with, then you’ll need to do that initial host key saving – easiest way is to launch Command Prompt as that user, and connect to the FTP site.

Poly Elara 60 Series Review

Poly offered to send me their Poly Elara 60 Series device to review. As I’m stuck on On-Premises Skype for Business with Enterprise Voice for the time being, but also use Microsoft Teams a lot, it was a product I was interested to try and accepted the opportunity; so here’s the review.

Poly Elara 60 Series, still with it’s protective plastic on.

Poly (who was formally known as Polycom, bought out by Plantronics, then rebranded to the ‘Poly’ name) has only been around for a short time in it’s new name, but those two companies have high regards in the general community on the quality of hardware they make. Both companies who’s devices with their previous names are on my desk, (namely a Polycom CX600 Lync Desk Phone and a Plantronics Savi 440 headset) are there because they’re products we piloted, tested, and have used for several years. We keep buying them because they do just work, and fit our use case really well.

This isn’t to discount other brands of course, but sticking with these products since deploying Lync 2010 back in 2012 says a lot. If they didn’t work well, we’d be using something different.

Back to the device this review’s acually about, the Poly Elara 60 Series. It’s a different use case to the above products I mentioned, and was an interesting process to use. I’m still using it right now as the earphones are perched on my head. I like the device, but it took me a bit to see what it was capable of and make it work for what I wanted.

The Poly Elara 60 Series is advertised as a “Mobile phone station that enhances smartphone collaboration”. The standard way you’d use this device is by first optionally placing your phone on the rubber stand on the right hand side that doubles as a wireless charging plate. I tested this with a Google Pixel XL 4 and a iPhone 8, both wirelessly charged.

The wireless charging mobile stand has 4 angles it can sit on, and just as a pure ‘when I’m working I put my phone here’ stand I’m quite happy with it. I can see what’s happening on my mobile, and I’m also charging the rather average Google Pixel 4 XL battery during the day.

If you don’t have a wireless charging mobile, there’s a gap in the plastic to allow a charging cable to be plugged into the bottom of the phone, while still lying flat against the charging pad.

Mobile phone holder aside, the Elara 60 Series can be paired to the mobile using Bluetooth. Standard stuff here to set up, but there’s also the Poly Elara 60 Series app for Android and iOS. This is how firmware updates are delivered to the Elara, but also adds the Microsoft Teams control functions from the Elara to the mobile phone.

Seperately, the Elara can be used as a media player. Whatever’s ready to go on your phone can be controlled from the Elara screen, and come out either from the downward facing speaker on the Poly, or the headset once it detects that it’s on your head.

And yes, the Elara has a dedicated Microsoft Teams button on it. It’ll flash if there’s a Teams notification to tell you about, and pressing it will… not launch Teams. At least from my testing it doesn’t. Maybe it’s an Android 10 thing, but I couldn’t get it to work properly, until I realised it just doesn’t work when on the home screen. From having any other app open it’s fine. Regardless this didn’t really fuss me, I’m find with using the phone to get to Teams when I want it than having a hot button, and I’m sure they’ll fine tune this in future updates to to the product. (Update – Poly have confirmed they’re waiting for a fix, but the workaround is to change the Teams App permissions under Phone Settings > Apps > Teams > Permissions – and make sure all are allowed)

The other buttons work as expected; mute, speaker volume. If my mobile rang through the carrier or a Teams call, I could put on the headphones to answer the call. I wouldn’t even have to press a button, it’d detect when the headset was on and then pick up the call (rather than when the headphones are undocked). When docked, the headset would charge. Docking and undocking the headset was easy, it just slid on and was a nice motion to do – no getting stuck or putting the headset in at the wrong angle.

The headset itself that came with my unit, was the Voyager Focus. You can purchase the Poly Elara 60 Series with or without a headset, which is great if you’ve already bought a compatible headset and don’t need another. Blackwire headsets are also supported.

The Voyager Focus I found to be very comfortable. It’s light, has several nice-to-have’s such as ANC, music playback control buttons and a mute button – but most importantly, it was comfortable to wear. I usually don’t like an on the ear style headset, but this is soft enough that it’s not squeezing into my ear. The design of the rubber and padded band that goes over your head also has a very light feel. The ANC worked well too – handy for someone who has noisy people around, or just wants to dull out background noise to focus on the task they’re doing.

So, this device acts as an extension to your mobile phone for it’s phone call functions, media player, and Microsoft Teams. Great if you’re doing it all off your mobile, but what about a computer?

I usually work off a desktop which has no Bluetooth, so the first thing I did was buy a USB dongle and plug it in. Then, I paired the Poly Elara 60 Series to my desktop running Windows 10. No extra apps required. The device shows up like any other audio device, a headest for both speakers and Microphone.

That’s great, I can use the headphones and mic from my PC. On my PC though, I’m using Skype for Business and I want to use the Elara 60 Series as my device. It doesn’t show up in Skype for Business as a device, but that’s OK. It still works fine when I use the ‘PC Mic and Speakers’ option to use whatever my Windows defaults are.

Once selected, it then knows about the device that Windows is using and lets you set volume levels if required.

I’ve been using it for a few weeks now on Skype for Business, and it works fine. Haven’t had an issue with audio quality or people hearing me. I do lose the ability to answer my mobile calls via the headset with this method – I could just run Skype for Business on my mobile, but what I’ve ended up doing is using the Poly as my mobile phone holder/charger, and the headset as my Skype for Business and PC microphone/speakers.

The Poly Elara 60 series remembers 8 different devices, but you can only be connected to one at a time. Switching between devices is fairly quick – I wouldn’t want to do it when trying to answer a call, but from the main screen it’s less than 5 seconds to press Devices > down arrow to the device I want > Connect, and be on the device I want.

I’m quite happy with this device overall, and I’ll continue to use it over the Plantronics Savi 440 (which shows as the D100-M in the above screenshots). I’m probably not using it the way it was initially designed, but that’s a credit to it that it’s flexible enough to be used in different ways.

For those who run Teams off their desktop or laptop and want a device to talk to the Teams client on their PC with extra controls; this may not be the solution you want. Dial controls don’t work on this device when plugged into a PC, it’s purely an audio device. But it does function in several ways that could still tick the boxes you’re after – a speaker phone, headset, phone charger and holder in a device that takes up a fairly small footprint on the desk.

If you were moving away from desk phones and had a soft phone client, with plans to move to Microsoft Teams later for a more mobile workforce, it also fits quite well. Your users need to be comfortable enough with phone pairing (which isn’t a big ask!) to set it up themselves. You might also have users who do just want a mobile phone controlling device – you don’t need to use Teams to use this, as it’ll use the keypad to make normal mobile calls once paired.

However, for someone who does live off their mobile, it’s a solid solution that would provide a professional desk setup.

It took me a while to get my head around the possible use cases and where the Poly Elara 60 Series works and doesn’t work – hopefully this helps others decide what they want. Feel free to ask any questions below!