Raw Support

Question:  How do I create a specific leaf with a specific subfolder?
Answer:  You can find Leaf documentation here https://ruffiansoftware.com/trees-and-leaves-or-leafs/
To create a leaf “Test” with a subfolder “InsideTest”, create a leaf with the name “Test.InsideTest”.


Question:  Is there a parameter to change the ‘Agent Name’?
Answer: There is no parameter to change the ‘Agent Name’ but there are parameters to set the RMMName and FriendlyName. These two strings can be anything you want to use to describe that agent and are used when searching for an agent in the TechIDClient. This is described in the  https://ruffiansoftware.com/techidagent-windows-setup/ document.


Question: What do all the parameters exactly configure?
Answer: All the parameters only configure what will happen when the agent runs. So setting the OU will not have any effect until the agent is started and actually needs the OU, at which point it will be created.  


Question: Is there a way to prevent being added to “All Domains”?
Answer: There is currently no way to prevent being added to “All Domains”. It is best practice to use “All Domains” only in a triplet meant to give access to everything, or not to use it at all in a non-trivial setup.


Question:  Why is my client install failing with the error, “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.”
Answer:  Threatlocker app was blocking the install.


Question:  Do you support international keyboard layouts?
Answer:  Yes, and if you come across one we do not support, let us know and we will add it.


Question:  What do I do when decommissioning an old DC and migrating to a new DC?
Answer:  You can find support documentation for this situation here https://ruffiansoftware.com/migrate-domain-to-a-new-server


Question:  Where can I find the latest Mac Client? 
Answer:  A macOS version of the TechClient is available on the AppStore by installing from the AppStore link or by searching for TechClient in the AppStore from a mac. There is also an iOS mobile version available in the AppStore.


Question:  If a bad actor is able to shut everyone out of our TechID accounts, is there a way to force the password reset without being able to log in?
Answer:  Yes. You can run DomainService.exe force; it will reset all passwords and make sure all accounts are active and enabled.


Question:  During the install process for domains, the OU didn’t get created and user accounts, while created, were not granted domain admin rights, why is this happening?
Answer:  This issue is almost always caused by a domain controller that is still referenced in AD and has been turned off without being demoted or removed from the remaining AD infrastructure.  Some of these common issues are described here
https://ruffiansoftware.com/trouble-shooting-no-users-created-on-a-domain.


Question:  How do we hide a decommissioned device that TechIDManager wasn’t removed from?
Answer:  The agent will get hidden from the TechID Client automatically after 7 days of no contact with the old agent. The information will still be available by right clicking and selecting “See Older Accounts”.
The agent will get hidden from the Management Console automatically after 1 month of no contact with the old agent. The information will still be available by clicking “show all” at the top of the Agents screen.


Question:  I have a version of TechID that failed to configure correctly, but when I reinstall the incorrect settings still exist. How do I do a clean install, removing all previous settings?
Answer:  Rename (or delete) the directory named “RuffianSoftware” in your users folder on that computer. When that directory is gone, the TechID Client will start the setup wizard when it starts.


Question:  How do I uninstall the domain service? 
Answer:  Please go to  https://ruffiansoftware.com/how-to-uninstall-domainservice-exe/ and follow the provided instructions.


Question: When I am attempting to push user and password over a screen connect remote session, it refuses to send any credentials. What could be causing this?
Answer:  If you are using the desktop agent for screen connect it always “runs as admin” and that prevents sending of credentials. You can fix this by running TechIDManager as admin, right click and run as admin when you start the TechClient. This will allow the TechClient to send credentials to any level of permission window.


Question:  Why is my RMMName not showing when configuring a Shared User Account?
Answer:  To set the FriendlyName or RMMName use these command lines:
TechIDAgent.exe shareduser Administrator friendlyname "Jenny's dev machine"
TechIDAgent.exe shareduser Administrator rmmname "867-5309"
In the command lines above, note how we first tell TechIDAgent that the command line options apply to the shareduser Administrator instance and then use the normal syntax for the FriendlyName or RMMName. Any option that can be set can be set per instance. In summary, we must designate the shared user account before setting the RMMName.


Question:  I have added the TechID Client to a new computer and followed the instructions here https://ruffiansoftware.com/putting-techclient-on-a-second-computer/, but now my Keys on my original device are no longer working.  What could be the issue? 
Answer:  Make sure the TechID Client on the original device is updated to the current version.  Some of the security protections that come with the newer versions stop the older versions from working once they are enabled by using a newer version.


Question:  When using the latest version of the TechID Manager iOS mobile app. I’m trying to set it up by scanning the QR code displayed in TechID Manager on my Windows laptop. On the mobile app, I tap the Scan Setup QR Code button, the camera opens but it doesn’t scan the QR code, why is it not scanning?
Answer:  The newer version of the Mobile client requires a newer version of the Desktop clients to scan a new style QR code. The latest desktop version for Windows can be found here https://ruffiansoftware.com/techidclient-windows-6-028/

You can simply run the install for the new version of the desktop TechIDClient and it will update the one you have installed. Once the new desktop version is installed, the QR code scanning for mobile will work.


Question:  We are in the process of integrating tech stacks. Is it possible to have multiple primary instances?
Answer:  It is only possible to have a single primary install (or base install as we call it now). The base install can be moved to a new tenant. In this situation, it is best to set up time with support to discuss options.


Question:  Do linked installs require a GDAP relationship?
Answer:  A GDAP relationship is not required between the base and link installs. A CSP relationship is not needed between the base and link installs. The only requirement for the Base/Link relationship is that if the Link is to a GCC tenant then the Base must also be a GCC tenant.


Question:  What do I do to install a new domain controller when the old DC fails? I had a physical DC that failed and I cannot get to the old DC to properly export and uninstall the service. I need to get the domain service up and running on the replacement DC.
Answer:  You can install the DomainService as if on a new DC, the only option that really matters is the ClientGuid and the UserName to match the old DC, which you should be able to see on the Management Console. Once the new one is working, you can delete the old DC from the Management Console to remove it from techs’ TechClients.


Question:  Is it possible to convert a LAPS Local agent to LAPS Domain?
Answer:  Yes. You will need to tell the DomainService the name of the Domain Account to take over if the account has a different name. A command line like this:
DomainService.exe shareduser DomainAccountName clientid yourclientid will do the trick.


Question:  How do you handle requests to promote or make changes to an account’s tenant?
Answer:  To avoid the possibility of social engineering us to get to our clients, we don’t make changes in a client’s tenant based on email requests. We are happy to get on a video call and help!  To promote to admin, any of the managers who already have access to the Management Console can click Client Options -> Manager Access, add the email in the New Manager Email area, and then click Add Manager.


Question:  We have noticed that the Send function to automatically copy and paste the username and password doesn’t work with Ninja Remote, what can we do? 
Answer:  Ninja One has a robust RMM and remote connection tool. Many TechIDManager partners use it. To get the “Send Both” functionality to work with the built in remote connection tool you need to change one of the input options as follows.

This setting is not on by default. It needs to be changed only once on any Tech workstation. Once changed, it stays enabled, and it doesn’t matter what computer the tech connects to via Ninja Remote.

Settings > Additional Settings > “Change keyboard input to text mode”
This is covered here https://ruffiansoftware.com/ninja-remote-and-send-both/


Question:  Does the TechID Entra AD portion have a way to connect using the CSP GDAP, or does it require an install to each tenant separately?
Answer:  The EntraID portion requires a Base installation done in one tenant (usually the MSP’s own tenant), and Linked installations done in all other tenants. The linked installations require nothing else in the other tenants: no subscription, no CSP/GDAP connection, nothing. We choose not to depend on, or require, CSP GDAP to be set up, to make it easier and fit a wide number of use cases. This is described in more detail here https://ruffiansoftware.com/entraid-azure-ad-install-instructions-primary-secondary/ and we can help set up TechIDManager on your EntraID tenants.


Question:  I forgot my passphrase. Can you please provide instructions on how I may reset it.
Answer:  Here are the instructions for that https://ruffiansoftware.com/replacing-a-lost-techs-encryption-key-or-forgotten-pass-phrase/.


Question:  We have a client leaving us who we have setup with TechID into their Azure 365 and are wondering if you have any removal instructions to strip out the TechID services and Web App?
Answer:  Here are the directions for removing from Azure:  https://ruffiansoftware.com/how-to-uninstall-techidmanager-from-azure-or-entraid/


Question:  Is there an option to disable key exports or control when it’s enabled?
Answer:  You can prevent key export altogether with an option on the Management Console.


Question:  I’ve noticed that adding a tech id user to a windows ad group gets removed at the next sync.  How do I allow that group membership to stay in place?
Answer:  All of the group memberships for techs need to be defined in the Management Console as Rights. You can add that group membership as a Right and put it in the appropriate Right Group and Triplet for techs. It will then be assigned by TechIDManager and maintained. This should explain it.
https://ruffiansoftware.com/tech-domain-rights-groups-in-techidmangers-managementconsole-explained/.


Question:  For a high security client, what exactly needs to be whitelisted in order for the agent to work? 
Answer:  From a client’s location where agents are installed, only https://ch001.ruffiansoftware.com and the server host address listed in the Management Console need to be whitelisted, and only for https.
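
A way to confirm the allow-list from a machine at the client's location, as an added example that is not part of the original answer or the vendor's tooling. The function name `Test-AgentEgress` is hypothetical and `$ServerHost` is a placeholder for the server host address shown in the Management Console.

```powershell
# Added example: verify outbound HTTPS (TCP 443 + TLS handshake) to the hosts
# an agent needs, and report which certificate was actually presented.
function Test-AgentEgress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    foreach ($name in $HostName) {
        $result = [ordered]@{
            Host        = $name
            TcpOpen     = $false
            TlsProtocol = $null
            CertSubject = $null
            CertIssuer  = $null
            CertExpires = $null
            Error       = $null
        }
        $tcp = [System.Net.Sockets.TcpClient]::new()
        try {
            # Bounded connect so a silently dropped packet does not hang the check.
            $connect = $tcp.ConnectAsync($name, $Port)
            if (-not $connect.Wait($TimeoutMs)) {
                throw "TCP connect timed out after $TimeoutMs ms"
            }
            $result.TcpOpen = $true

            # Default certificate validation applies; a failed chain or
            # name mismatch throws and is recorded in Error.
            $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
            try {
                $ssl.AuthenticateAsClient($name)
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
                $result.TlsProtocol = $ssl.SslProtocol
                $result.CertSubject = $cert.Subject
                $result.CertIssuer  = $cert.Issuer
                $result.CertExpires = $cert.NotAfter
            }
            finally {
                $ssl.Dispose()
            }
        }
        catch {
            $result.Error = $_.Exception.GetBaseException().Message
        }
        finally {
            $tcp.Close()
        }
        [pscustomobject]$result
    }
}

# Placeholder: replace with the server host address listed in the Management Console.
$ServerHost = 'server-host-from-management-console.example'

Test-AgentEgress -HostName 'ch001.ruffiansoftware.com', $ServerHost |
    Format-Table -AutoSize
```

An unexpected `CertIssuer` usually means a TLS-inspecting proxy sits in the path, which is worth knowing before troubleshooting an agent that cannot reach its servers.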


Question:  We need to bring up our production environment in a separate, isolated location. Since the DR system is a full clone of the original using AWS DRS, we will have two identical domain controllers running simultaneously.  Will this cause conflicts in our TechID instance?
Answer:  Bringing up a backup of a DC with TechIDManager running and access to the internet will cause issues. The two DCs will fight over the information stored on our servers. Both will try to set the passwords and save them to our servers. This will lead to the TechClient showing the most recently set password.  Your options are to bring up the backup server, clear the domainguid on the backup server, force a domainservice run. The backup server will think it is new, and register with our servers as a new server.  Then clone the group memberships of the backup server from the original server.  Setting the rmmname (or friendlyname) to xyz-backup would probably be helpful also.  Or, stop the Domain Services on both machines.


Question:  Would it be possible to retain the protected user membership on disabled JIT users?
Answer:  Yes, this is known as “GuaranteedRight”.  The command line “GuaranteedRight” is described with the rest of the command line options here https://ruffiansoftware.com/setup-of-techidentitymanager-for-domainservice/.


Question:  Do you have a way to set a lock out time on accounts when signed into through techID, so that it signs technicians out of the servers?
Answer:  We don’t have a built in way to do that, mainly because our agent is only running on the DC and the tech could be logged into any number of machines that our agent isn’t running on.


Question:  I will be offboarding a client and would like to pause LAPS password rotation and export the password list so I can provide local admin creds to the client just in case they need them.  How would I do this? 
Answer:  To pause the rotation of a LAPS agent you can run the following command on that computer. Replace {name} with the correct name. “show” will list the correct name.
DomainService.exe SharedUser {name} DoNotRun
To restart the rotation of the password you can run
DomainService.exe SharedUser {name} DoRun
There is no direct export of a password list from TechID.  The best way is to copy paste each account from the TechClient, once the agent has been set to “DoNotRun”.


Question:  I’d like to identify the running version of DomainService.exe  with a script. Is it stored in the registry, or available elsewhere?
Answer:  In PowerShell, with $filePath set to the full path of DomainService.exe:
(Get-Item $filePath).VersionInfo.FileVersion
You can also tell from the agents page on the Management Console, or from the output of
DomainService.exe version
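
The version lookup above, extended into a small inventory function as an added example (not the vendor's script). It also reports the Authenticode signature, since all agents are signed, and whether the build is new enough for the “leaf” command (DomainService 5.0 and newer). The function name `Get-DomainServiceInfo` is hypothetical and the path is a placeholder.

```powershell
# Added example: report file version, signature status and leaf support
# for a DomainService.exe binary on this machine.
function Get-DomainServiceInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$FilePath
    )
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        throw "File not found: $FilePath"
    }

    # Same property the answer uses, plus the numeric parts so that
    # versions can be compared as numbers rather than strings.
    $info    = (Get-Item -LiteralPath $FilePath).VersionInfo
    $version = [version]::new($info.FileMajorPart, $info.FileMinorPart)

    # Signature check: Status is 'Valid' only if the file is signed,
    # unmodified, and the chain is trusted on this machine.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Path             = $FilePath
        FileVersion      = $info.FileVersion
        Version          = $version
        SupportsLeaf     = $version -ge [version]'5.0'
        SignatureStatus  = $sig.Status
        SignerSubject    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignerThumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    }
}

# Placeholder: set this to the directory where the Domain Service is installed.
$filePath = 'C:\Path\To\DomainService.exe'

if (Test-Path -LiteralPath $filePath -PathType Leaf) {
    Get-DomainServiceInfo -FilePath $filePath | Format-List
}
else {
    Write-Warning "DomainService.exe not found at $filePath"
}
```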


Question:  Is the TechClient supported in non-persistent virtual desktop environments?   Are there any special considerations or instructions for installation in these types of environments?   
Answer:  All information for the TechClient is stored in a folder in the users directory called RuffianSoftware. As long as that folder is copied to the machine that the user is logging into and the TechClient is installed, it will work just fine.


Question:  Is there no way of having a vault just for managers? 
Answer:  The private key for the vault is sent to a tech and can only be used in the TechClient on their machines in combination with their existing private key. You should be both a manager and a tech, and should be able to create a vault for just the tech account that you have for yourself.


Question:  If we set up JIT tech accounts for an Entra ID agent, how would we go about setting up the OTP MFA option (especially if JIT account credentials are removed after expiration?)    Can you point me to a doc that explains OTP setup, or do we need to only use managed tech accounts with Entra agents?
Answer:  The MFA setup with the JIT Azure/EntraID accounts stays with the account through the disable/enable cycles. Here is an article on setting it up with TechIDManager and TOTP. The push Authenticator App notification also stays through the disable/enable cycle of the accounts.
https://ruffiansoftware.com/totp-mfa-setup-for-entra-id-with-techidmanager/


Question:  What is the .Net requirement for the server agent,  AKA DomainAgent.exe?
Answer:  The .Net requirement for the server agent is .Net 4.7.2 


Question:  What happens if the TechID services are offline during an on prem deployment?  Will the local client display what it has in its cache? 
Answer:  The TechClient will indeed show the cached information, and the techs should be able to use that information to login, because our servers are not involved in the authentication process of the agents. The Agents will not rotate the credentials if they can’t reach the servers, so the credentials from yesterday will still be valid until the agents can reach the servers again. Just-In-Time accounts will not be able to be enabled or disabled.


Question:  We have Tech ID deployed and working mostly with LAPS features.  The current setup will create an account on the domain but we have a need to go a step further and setup just in time accounts for some outside support people.  What is the easiest way to get there, what do I need to do to enable this.
Answer:  In general, you add an instance configuration for a second DomainService on the domain (or machine), use the JustInTime flag on that instance as described in the page you reference, setup the outside support people in a specific TechGroup and create a triplet to give them access to just what you want them to have access to. Similar to the co-managed scenario described here https://ruffiansoftware.com/adding-a-co-managed-tech/


Question:  Does the azure setup create a login for each technician, or can the same login be used by several technicians with access to the account?
Answer:  The Azure agent creates unique accounts for each tech. The accounts, per Microsoft recommendation on admin accounts, are unlicensed so there is no additional cost associated with the accounts themselves. The cost is for the subscription to run TechIDManager in the Azure tenant.


Question:  We have MFA configured in all our tenants. Does TechID also configure TOTP in Azure?
Answer:  If a tech right clicks on the line for the account in the TechClient there is an option to “Edit OPT Secret” that will allow the techs to store, and generate, TOTPs from within the TechClient. They can also choose to setup push MFA to the Microsoft Authenticator on their phones. Both have a nice easy workflow once setup.


Question:  Do you have resources on setting up the consumption plan and resource in Azure?
Answer:  Here are instructions for setting up Pay-As-You-Go, with screen shots and all. https://ruffiansoftware.com/pay-as-you-go-setup-july-2024/


Question:  How can I remove a deployment or instance of a Domain Service agent on a Domain Controller?
Answer:  To remove an instance use the removeinstance command line with the name of the instance to remove.  TechIDAgent.exe removeinstance Test_Instance


Question:  Where can I find documentation on TechIDManager REST API?
Answer:  The REST API documentation is available at https://chdoc.ruffiansoftware.com/swagger
Please feel free to contact us, explain what you are attempting to achieve and we are happy to provide example C# code.


Question:  I am having trouble creating Leafs.  Are there any conditions I should be aware of?
Answer:  There are a few conditions for the leaf command to work.

  1. The leaf must already exist in the Management Console when it is set on the DomainService.
    1. It can be created in the “Agents” -> “Leaves” menu with “Create New Leaf”
    2. We don’t allow the creation of leaves from the command line because the ability to create 1000 leaves by script in error is too harmful.
  2. Only DomainService 5.0 and newer support the “leaf” command.
  3. If setting the leaf on an instance (or shareduser) then the commandline must specify that, since the leaf setting can be per instance. 

           DomainService.exe shareduser Bwitadmin leaf xxx.yyy.zzz


Question: I’m currently documenting our approach to CMMC and I’m on the Identification and Authentication controls. In these controls there’s a requirement for the cryptographic protection of passwords in storage and transit.  Specifically, I’m focused on how the manager account’s passwords are cryptographically protected in storage for the self hosted management server. Could you please confirm how those local accounts have their passwords cryptographically protected in storage?
Answer:  There is a white paper here: https://ruffiansoftware.com/whitepapers/  about the “Data Handling and Encryption…” that talks about the use of asymmetric encryption and where the keys exist and who has access.

The basic overview is that a Public Key specific to a tech is used to encrypt the information (passwords/usernames/OTP) for a tech. That information is always in its encrypted form until in memory on the tech’s computer where the matching Private Key of the tech is used to decrypt it. For the selfhosted instance you can look at the SQL table “Accounts” and see the encrypted string, which is all that is ever sent over the wire.


Question:  I have had an agent who was fired and then rehired back on, Is there a way to re-enable him?
Answer:  In the Management Console you can change his status to Active in the Techs section. Since he is not active, you will need to click “Show All” at the top of the page to see his tech account, then the gear icon to see the details on his account, and then “Change to Active”. This will re-enable all his accounts and everything will work for him again.


Question:  What happens if a computer is offline/disconnected? Is the local account password frozen until the computer connects to the internet? How does a technician resolve this?
Answer:  If a computer is offline, then the accounts/passwords don’t change. The resolution for this varies depending on what happened to kick the machine offline. If the accounts are managed (not Just-In-Time) then they are valid to use and login with the last information from the connection of the computer to the internet. If the accounts are Just-In-Time, then they can’t be enabled until the computer is back online.


Question:  What are the requirements to Selfhost TechIDManager? 
Answer:  For Selfhosting TechIDManager you will need 2 Windows machines running Windows Server 2019 or better that are AWS T3.Medium or better. Each will need SQL Express 2017 or better. Each will need a valid SSL certificate for https. One will be “Management Console” (MC) and one will be “Central Host” (CH). The MC will need IIS and need to be accessible via https to any manager set up in TechIDManager. CH will need to be accessible via https from any tech’s computer, any agent computer, and the MC.


Question:  Can we setup MFA into the management portal?
Answer:  You can setup MFA in the Management Console, as well as use SSO from Entra ID to login to the Management Console.


Question:  When installing the agent via a script, is it possible to “bake in” the agent group name?
Answer:  It is possible for the script to request inclusion in a particular Agent Group. If the Agent Group exists, that Agent is added to the requested Agent Group.  The same thing can be done for a leaf.


Question:  For AntiVirus, can you share the exclusions list that TechIDManager needs?
Answer:  All Agents are signed with the same EV code signing certificate. Excluding that certificate should suffice.  Otherwise these files need to be excluded, both of which should be in the same directory where the Domain Service is installed.
DomainService.exe
Newtonsoft.Json.dll


Question:  We are having random AD Account Lockouts on some of our TechID Manager accounts.  This has happened at various clients where one of my techs will call me and tell me his AD account is locked out.  It’s happened about three times in the last two days.  Any idea what is going on?
Answer:  The most common cause of this is techs that are leaving sessions logged on overnight and the password change causing the account to get locked.
There are several ways to see what is locking an account in AD.
There are several good guides on finding the cause of account lockouts on the internet. Here is one that I have found to be useful.
https://www.azurehowtos.com/2023/10/Step%20by%20Step%20guide%20how%20to%20find%20source%20Computer%20and%20Application%20of%20Account%20lockout.html


Question:  If I need to update some AzureAD Agent settings, can I do that from the function app environment variables?  I need to update the FriendlyName for a couple of my agents for the sake of consistency.
Answer:  You can change those settings in the Settings -> Environment Variables of the Azure Function. Make sure to click the series of apply/confirm buttons.


Question:  I noticed yesterday the OU that stores the TechID administrator accounts is showing as “not available” when trying to access it through the Active Directory Users and Computers GUI. One of our technicians reports not being able to sign in with his TechID creds, but my TechID creds still work on that server. I just can’t access the OU anymore. Any ideas why this error is showing?
Answer:  Check AD, run AD scan and cleanup, most likely there is some type of corruption.


Question:  I am installing the TechID client on a new device and I have the Exported Key file. How do I install it on the new device?
Answer:  After setting up the PassPhrase for the new device an “Import” button will appear on the left side of the setup wizard. Click that and choose the key file.


Question:  For the Azure AD agent there is that additional Azure subscription that is required. How do people usually handle that? None of our clients have any Azure subscriptions existing. Do the MSP go in and create a subscription on their company card?
Answer:  The Azure agent costs about $0.25 a month to run in a tenant. When our MSP clients don’t already have a subscription, most MSPs set up a Pay-As-You-Go subscription with the MSP company card and set spending limits on the subscription.

The reason for being a function in Azure and requiring a subscription is to be able to do the account creation and management without us having to keep any access into your tenant. Since we don’t keep access into your clients’ tenants, that access can’t be stolen or abused. This is part of our belief in security being built into the design and architecture of our products.


Question:  Do admin accounts replicated into a client Active Directory consume an Active Directory CAL?
Answer:  There are many nuances to the licensing question as it pertains to AD and CALs. In general an active unique TechIDManager Tech’s account does take a CAL.
You can use our Just-In-Time accounts to only have the account active when needed for a tech, which lowers the concurrent licenses that are required.
You can use our LAPS implementation to share a single admin account and still get the password rotation and protection of the account and lower the licenses that are required.


Question:  We had to use the domain LAPS option on a Windows Essential server. We have built out a new domain controller without Windows Essentials and want to go back to using TechID as we normally do. How would be best to do the install on the new server?
Answer:  Install the DomainService as normal on the new server.  Since you are planning on doing something different (PAM vs LAPS) you should let the DomainService create a new DomainGUID.  Only if you were moving the instance, doing the same thing, and wanted to keep the history intact, should you set the DomainGUID on the new instance to match the old instance.


Question:  What must I do if the Azure function is deleted and reinstalled? 
Answer:  If the Azure function is deleted and reinstalled the “Call URL” for the function needs to be updated in the TechIDPortal. The “Call URL” can be found in the output of the installation script, or from the portal.azure.com.  You can find documentation on this topic here https://ruffiansoftware.com/update-the-callurl-for-techidmanager-azuread/.


Question:  What is the best way to remove a specific SharedUser entry from the DomainService?
Answer:  There are a few options to remove that shared user from DomainService.
Cause the instance to not run but still be defined if you want to reuse it later:
DomainService.exe shareduser htlaps.#### donotrun
The version in pre-release https://ruffiansoftware.com/domainservice-version-4-046/ has an option for removing the shared user entries with
DomainService.exe RemoveShareUser htlaps.####
You can also remove the registry entries that define the shared user by deleting the entries in  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\RuffianSoftware\TechIdentityManager\SharedUser\htlaps.####


Question:  For an Azure installation, can I change the RMM name? If so, how?
Answer:  The RMMName for a TechIDManager Azure agent is stored in a configuration variable for the Azure Function, named “TechIDManager.RMMName”. At the bottom of this page https://ruffiansoftware.com/azure-ad-integration/ is a description of all the configuration parameters and how to get to them.


Question:  Why is my account getting locked out?
Answer:  The most common reasons for accounts getting locked are:
Repeated incorrect password attempts
Drive mapping using old credentials
Scheduled tasks
Programs or services using old credentials
Cached or saved credentials in Windows Credential Manager
If the user’s password is cached somewhere from their last connection and then the system auto tries to use the cached credential that can lock the account since TechIDManager is rotating the password daily.
If the software you are using to connect does an auto password fill based on the last connection, and the retry attempts before locking an account are low, then that can lock the account. Or if they have saved the password in a connection tool, that can also lock the account.
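
One way to find where the lockouts described in this answer (and in the earlier answer on random AD account lockouts) come from, as an added example that is not part of the original answers. It reads event ID 4740 from a domain controller's Security log, where the locked account is in `TargetUserName` and the caller computer is in `TargetDomainName`. The function names are hypothetical and the embedded event is constructed sample data.

```powershell
# Added example: list the source computer for AD account lockouts (event 4740).
function ConvertFrom-LockoutEventXml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        $doc = [xml]$EventXml
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $fields = @{}
        foreach ($d in $doc.Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            TimeCreated    = [datetime]$doc.Event.System.TimeCreated.GetAttribute('SystemTime')
            LockedAccount  = $fields['TargetUserName']
            # In 4740 the caller computer name is carried in TargetDomainName.
            CallerComputer = $fields['TargetDomainName']
            ReportedBy     = $doc.Event.System.Computer
        }
    }
}

function Get-LockoutSource {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [string]$UserName,                           # optional filter
        [int]$Hours = 48
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-LockoutEventXml |
        Where-Object { -not $UserName -or $_.LockedAccount -eq $UserName } |
        Sort-Object TimeCreated
}

# Constructed sample event (not real data) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-01-01T05:02:11.000Z" />
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">tech.example</Data>
    <Data Name="TargetDomainName">WKS-EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-0-0-0-1000</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LockoutEventXml | Format-List

# Live use on a DC, grouped so repeat offenders stand out:
# Get-LockoutSource -Hours 48 |
#     Group-Object LockedAccount, CallerComputer |
#     Sort-Object Count -Descending |
#     Select-Object Count, Name
```

Lockouts that cluster shortly after the daily password rotation and point at the same caller computer are consistent with a session left logged on or a saved credential on that machine.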


Question:  I am getting an error that states, “Error.  An error occurred while processing your request” when clicking into an Agent to check the settings and details.  What does this mean?
Answer:  This portal error is almost always timeouts from host to portal because the host is busy doing something.  Most of the time, the user can close out everything and try again to resolve the issue.  


Question:  I have a user that is moving to a new computer but what if the user “forgot” to export the keys?  Is there any way to set them up if this is the case?
Answer:  In this situation we need to do an “allow key change” process.  This is outlined in this article https://ruffiansoftware.com/replacing-a-lost-techs-encryption-key-or-forgotten-pass-phrase/.  You will need to follow the second section for “Without Backup of Keys.” It is the same process as if a user lost or forgot their passphrase.


Question:  How do I migrate an AD from one controller to another when the old controller server is dead?  

Answer:  In this situation, the first step is to go to the TechIDPortal and locate the old agent under the Agents tab. Open the settings for that agent and copy the displayed DomainGuid. Because the original server is no longer available, we cannot retrieve its private key. Instead, we need to prepare the new Domain Controller to generate and register a new key during installation. To do this, click Clear Public Key in the same settings panel where the DomainGuid was found. Once that is done, you can proceed with installing the TechIDAgent on the new server. During installation, provide the copied DomainGuid and follow the standard install steps, skipping only the part where the private key would normally be imported.


Question:  While updating our self-hosted servers, after copying the config file and running the update, we received an error. 
“Unable to stop service, probably because it is not installed…No database found creating a new one…CREATE DATABASE permission denied in database ‘master’.”
What is causing this issue?

Answer:  It was found that the account being used to complete the update didn’t have the correct permissions.  


Question:  After restarting a server that has been offline for an extensive period of time, one of my techs immediately reinstalled her client.  Afterwards the username and password for that agent showed blank.  What is causing the issue?

Answer:  In this case the server still had the old server password, which would be rotated at midnight, but since she did a whole key change reinstall, it couldn’t see the “old” password.  The issue resolved itself once the server password rotated.


Question:  I had a quick question about installing TechIDClient for one technician on two different devices using the same user. I have a technician that would like to install on his tablet as well as his laptop, but it seems that passwords only seem to show up on one of the devices when it is installed to both, almost as if the tablet is then not active after activating the laptop installation. Can one technician have more than one device active per user, or is this just something else on our end? If it is not possible, will that functionality be added in the future?

Answer:  Installing the client on another computer isn’t an issue at all.  With that being said, there is a process.  You cannot just go and download it again, it needs the encryption key to show all of the passwords.  Just follow this article https://ruffiansoftware.com/putting-techclient-on-a-second-computer/.


Question:  For our internal tenant, when I try to access a user’s sign-in logs, audit logs and a few others, I get an error. My account, XXX.onmicrosoft.com, has already been granted the global admin role in our tenant. When I use our non-TechID GA account, it works fine. Are there some additional permissions that it needs?

Answer:  To see/manage/access resources in a tenant, techs will need to self elevate their freshly created account (via these instructions https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin MAKE SURE TO SIGN OUT AND SIGN BACK IN), OR have roles granted by someone with existing access. It is our recommendation at this time that you self elevate. Granting rights on all resources automatically is something we are working on.


Question:  My colleagues reported issues with their password not rotating for XXXX-XXXXX-XXXX.  Is there anything that can be done from our end?

Answer:  The error started June 4, 2024.  That is the same day we disabled TLS 1.0/1.1.  You can read about it in this article: https://ruffiansoftware.com/end-of-life-for-tls-1-0-and-tls-1-1/.  Also in the article are instructions for enabling TLS 1.2. Follow those instructions, enable TLS 1.2 and it will resolve your issue.
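
To confirm whether a Windows host can actually use TLS 1.2 before or after following the article, the added example below (not taken from the vendor's article or code) audits the SCHANNEL and .NET Framework registry values that Microsoft documents for TLS 1.2 and then attempts a TLS 1.2-only handshake. It assumes the agent relies on Windows SCHANNEL/.NET for its outbound connection; the function names and the `<server-host>` placeholder are illustrative.

```powershell
# Added example: read-only audit of the Windows settings that govern outbound TLS 1.2.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }      # key or value absent: OS default applies
    return [int64]$item.$Name
}

function Get-Tls12ClientState {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $checks = @(
        @{ Key = $schannel; Name = 'Enabled';           WantOn = $true  },
        @{ Key = $schannel; Name = 'DisabledByDefault'; WantOn = $false }
    )
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        foreach ($n in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            $checks += @{ Key = $k; Name = $n; WantOn = $true }
        }
    }
    foreach ($c in $checks) {
        $value = Get-RegDword $c.Key $c.Name
        if ($null -eq $value) { $status = 'NotSet (OS default applies)' }
        elseif (($value -ne 0) -eq $c.WantOn) { $status = 'OK' }
        else { $status = 'MISMATCH: works against TLS 1.2' }
        [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Value = $value; Status = $status }
    }
}

# Attempt a handshake that offers TLS 1.2 only; returns the negotiated protocol or the error.
function Test-Tls12Handshake {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        return $ssl.SslProtocol
    } catch {
        return "FAILED: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
}

Get-Tls12ClientState | Format-Table Name, Value, Status -AutoSize
# Test-Tls12Handshake -HostName '<server-host>'   # placeholder: the server the agent reports to
```

A `NotSet` row means the operating system default decides: TLS 1.2 is on by default from Windows 8 / Server 2012 onward, and off by default for clients on Windows 7 / Server 2008 R2.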


Question:  I have a few questions regarding setting up TechIDManager EntraID in MSP Tenant
– Is it always required to set up in the MSP tenant first even if you’re only using it for a handful of clients?
– Once the Base install has been performed in the MSP Tenant what permission does it give? Can it be used to give admin access into the MSP Tenant itself or only used to prepare for Link installation?
– Is it still possible to use a legacy version of TechID EntraID if we don’t want to use the Base install? What versions are legacy?
– Is there any solution to exclude MFA on the TechID Entra users ?

Answer:  So, yes and no.  Under most circumstances the answer is yes.  The only exception to that is if you do a legacy install.  Legacy installs can be set in the Entra setup questions.  One of the first questions asked in the install process is, “Is this a base install, Yes or No.”  Answering No will default you to a legacy install.  This also answers one of your later questions.  Legacy Installs can be done with any version.  
The Base install provides no permissions.  In fact it doesn’t actually do anything without the link install.  As a follow up, it cannot be used to give admin access into the MSP Tenant itself.  
It is, you would just select No when asked if this is a base install, and all versions can be legacy.
No, but what you would want to do is set MFA inside of TechID Client, so there are no entries in the authenticator app.  Here is an article that explains how to do this.  https://ruffiansoftware.com/techidmanager-guide-totp-mfa-setup-for-entra-id-jit-accounts/.  With that said, our prerelease version offers group configuration options.  There may be a way to add those users to an exclusive group and configure EntraID to exclude MFA, but that would be done on your end and I would highly recommend against it.


Question:  We’re considering changing RMM away from ConnectWise Automate/ScreenConnect to NinjaOne RMM with Remote. We’re able to send username and password using TechID to ScreenConnect, but it doesn’t work for NinjaOne Remote. We can still copy/paste passwords, etc. but it would be nice for the functionality to work the same way, if possible.

Answer:  There is a setting you have to change that will allow that to work.  Here is a quick article that explains and also gives a screenshot of where to make that setting change.  Let me know if you have any questions.  https://ruffiansoftware.com/ninja-remote-and-send-both/


Question:  I have a laptop and a desktop that I need TechIDManager on. How do I do that? I just had to allow keyexchange to install it on my laptop. Is that the right way to do it?

Answer:  https://ruffiansoftware.com/putting-techclient-on-a-second-computer/


Question:  Is it possible to append a suffix [ e.g. (XXX) ] on the Display Name for the Tech accounts being created in customer tenants?

Answer:  This article has all the information you need for changing the names.  https://ruffiansoftware.com/username-displayname-accountdescription-feature-in-techidagent-piece-of-techidmanager/


Question:  How do I add an OTP code to a record?

Answer:  You need to initiate a login to set it up.  https://ruffiansoftware.com/totp-mfa-setup-for-entra-id-with-techidmanager/


Question:  I enabled Microsoft SSO for my account, is there a way to turn off local authentication or does the account have to be deleted and re-created?

Answer:  You can find all the info regarding setting SSO to the TechIDPortal here https://ruffiansoftware.com/sso-to-the-management-console/.  One thing to note, to change a manager account from Any (or Local) to Microsoft, another manager must change it in the portal.  We don’t allow a manager to change their own access because it would be way too easy to lock oneself out.


Question:  I’m contacting you to report an issue with TechID not showing the login credentials on my end when I set up a second computer.

Answer:  There is a known issue where if you upgrade to a 6.0 client, but your previous machine was under a 6.0 version, it can cause some issues.


Question:  Why am I getting an error when I run the EntraID setup script?

Answer:  “The subscription is not registered to use namespace ‘Microsoft.Web’. See https://aka.ms/rps-not-found for how to register subscriptions. Exception Details:      (MissingSubscriptionRegistration) The subscription is not registered to use namespace ‘Microsoft.Web’. See https://aka.ms/rps-not-found for how to register subscriptions.”  Typically this is a permissions issue where the subscription hasn’t been granted the necessary permissions to access and utilize resources associated with a specific namespace or service within Azure.
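
The error text names the resource provider namespace that is not registered on the subscription. As an added example (not part of the vendor's setup script), the PowerShell below uses the Azure CLI to read the registration state and register the namespace if needed; registering requires a role on the subscription that includes the provider's register action, such as Contributor or Owner. The function name is illustrative and `$SubscriptionId` is a value you supply.

```powershell
# Added example: check and, if needed, register an Azure resource provider namespace.
function Confirm-ProviderRegistered {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,   # supply your own subscription ID
        [string[]]$Namespace = @('Microsoft.Web'),       # namespace named in the error text
        [int]$TimeoutSeconds = 300
    )
    foreach ($ns in $Namespace) {
        $state = az provider show --namespace $ns --subscription $SubscriptionId `
                    --query registrationState --output tsv
        if ($LASTEXITCODE -ne 0) {
            throw "Cannot read provider $ns. Check 'az login' and access to subscription $SubscriptionId."
        }
        if ($state -ne 'Registered') {
            Write-Host "$ns is '$state'; requesting registration..."
            az provider register --namespace $ns --subscription $SubscriptionId | Out-Null
            if ($LASTEXITCODE -ne 0) {
                # Typical cause: the signed-in account lacks the register action on the subscription.
                throw "Registration of $ns was refused for the signed-in account."
            }
            # Registration is asynchronous; poll until it completes or the timeout expires.
            $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
            do {
                Start-Sleep -Seconds 10
                $state = az provider show --namespace $ns --subscription $SubscriptionId `
                            --query registrationState --output tsv
            } while ($state -ne 'Registered' -and (Get-Date) -lt $deadline)
        }
        [pscustomobject]@{ Namespace = $ns; State = $state }
    }
}

# Confirm-ProviderRegistered -SubscriptionId '<subscription-id>'
```

A final state other than `Registered` after the timeout means the request is still in progress or was not permitted; rerun the check before retrying the setup script.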


Question:  I just created a brand new tenant a few days ago and wanted to get it into Tech ID. There are only two accounts in it so far and both are GA’s. One has a Biz Prem license.  I launched PS as myself and ran the TechIDManager.EntraID.Installer.exe (v5.583) to attach a commercial Azure tenant. I have attached the error message that I get immediately after I log into the tenant as prompted by the EXE.

Answer:  There are a few possibilities as to why you are getting this error.  First off, is the Azure CLI up to date on that machine?  Run “az upgrade” from PowerShell to check.  Second, there is a directory c:\users\{user}\.azure that gets corrupt and can just be deleted, then try again.  Third, there are options on the login screen to the Azure tenant that comes up about “allow all apps” or “allow other apps”.  That needs to be checked for the linker to work.  Let me know if any of these fix the issue.  Deleting the .Azure worked.


Question:  We are starting the process of migrating to a new M365 tenant. We would like to convert our users with admin console access to the new M365 email domain. We have the SSO app configured, however when I go to register my new manager console account, I get the following error. Is this something support can help fix?

Answer:  For existing managers with direct accounts in the TechIDPortal that want to convert to a “Microsoft” SSO login, the email of the current direct account and the Microsoft account must be the same. If they are not, use the “new manager” steps above for the new email.

Login with the direct account to the TechIDPortal

Click “Settings” in the top right corner

Click “Personal data” in the middle

Click the red button for “Delete”

Confirm the delete of all personal data.

Click “Login”

Click the button for “Microsoft” under “Use another service to log in”

New manager signs in with “Microsoft” and registers that email.

New manager can now sign in with “Microsoft” on the login page and access the TechIDPortal.


Question:   I have a question regarding Tech ID on a domain controller. We recently installed a new DC for a client, but the Tech ID software is still installed on the old server. Replication between the two DCs is working fine, but we’re planning to decommission the old one soon.  Would you recommend installing Tech ID on the new server and then removing it from the old one? What’s the best approach to ensure a smooth transition?

Answer:   I have two documents for you that explain the process.  One is designed more for your situation, where you still have access to the old server.  The other is in case that old server goes down and you no longer have access before you complete the switchover.  Here is the first  https://ruffiansoftware.com/migrate-domain-to-a-new-server/  and here is the second  https://ruffiansoftware.com/migrate-domain-to-new-server-when-old-server-has-died/.


Question:  One of our agents was homed on a server that has died and is not coming back to life, what is our process here? We wish to install the Tech ID software onto a newly spun up AD DC instead. 

Answer:  We took a little bit of time today to write up a how-to article for your situation.  You can find it here https://ruffiansoftware.com/migrate-domain-to-new-server-when-old-server-has-died/