jhochwald/fix_adfs_for_Windows10_and_edge.ps1

## fix_adfs_for_Windows10_and_edge.ps1
<#
  Tweaked Version that prevents the Auth Pop-Up on non Windows devices a bit better
  These Devices should get the regular Forms based (HTML Page) instead.

  I was asked: Nope, 'Mozilla/5.0 (Windows NT' is correct, not an error ;-)
#>

# Execute this on your ADFS Server
# If you have more then one, use your primary ADFS server, this is essential!
Set-ADFSProperties -ExtendedProtectionTokenCheck None

# Should be:
# MSAuthHost/1.0/In-Domain
# MSIE 6.0
# MSIE 7.0
# MSIE 8.0
# MSIE 9.0
# MSIE 10.0
# Trident/7.0
# MSIPC
# Windows Rights Management Client

# Check the NTLM enables User Agents
Get-ADFSProperties | Select-Object  -ExpandProperty WIASupportedUserAgents

# Now we append the User Agent 'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1', 'Mozilla/5.0 (Windows NT' to the List
Set-ADFSProperties -WIASupportedUserAgents @('MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Windows Rights Management Client', 'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1', 'Mozilla/5.0 (Windows NT')

# Optional: Handle the Fallback for non Windows devices a bit better
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @( 'WindowsAuthentication', 'FormsAuthentication' ) -WindowsIntegratedFallbackEnabled $true

# Restart the ADFS services# If you have more then one ADFS Server, you need to execute that against all of them!
Restart-Service -Name adfssrv

# Check that the ADFS Service is running
Get-Service -Name adfssrv

# Check the NTLM enables User Agents
Get-ADFSProperties | Select-Object  -ExpandProperty WIASupportedUserAgents

# Now it should be:
# MSIE 6.0
# MSIE 7.0
# MSIE 8.0
# MSIE 9.0
# MSIE 10.0
# Trident/7.0
# MSIPC
# Windows Rights Management Client
# Windows NT 10.0; WOW64; Trident/7.0
# Edge/1
# Mozilla/5.0 (Windows NT

# More Info: https://technet.microsoft.com/en-us/library/ee892317.aspx
	<#
	Tweaked Version that prevents the Auth Pop-Up on non Windows devices a bit better
	These Devices should get the regular Forms based (HTML Page) instead.

	I was asked: Nope, 'Mozilla/5.0 (Windows NT' is correct, not an error ;-)
	#>

	# Execute this on your ADFS Server
	# If you have more then one, use your primary ADFS server, this is essential!
	Set-ADFSProperties -ExtendedProtectionTokenCheck None

	# Should be:
	# MSAuthHost/1.0/In-Domain
	# MSIE 6.0
	# MSIE 7.0
	# MSIE 8.0
	# MSIE 9.0
	# MSIE 10.0
	# Trident/7.0
	# MSIPC
	# Windows Rights Management Client

	# Check the NTLM enables User Agents
	Get-ADFSProperties \| Select-Object -ExpandProperty WIASupportedUserAgents

	# Now we append the User Agent 'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1', 'Mozilla/5.0 (Windows NT' to the List
	Set-ADFSProperties -WIASupportedUserAgents @('MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Windows Rights Management Client', 'Windows NT 10.0; WOW64; Trident/7.0', 'Edge/1', 'Mozilla/5.0 (Windows NT')

	# Optional: Handle the Fallback for non Windows devices a bit better
	Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @( 'WindowsAuthentication', 'FormsAuthentication' ) -WindowsIntegratedFallbackEnabled $true

	# Restart the ADFS services# If you have more then one ADFS Server, you need to execute that against all of them!
	Restart-Service -Name adfssrv

	# Check that the ADFS Service is running
	Get-Service -Name adfssrv

	# Check the NTLM enables User Agents
	Get-ADFSProperties \| Select-Object -ExpandProperty WIASupportedUserAgents

	# Now it should be:
	# MSIE 6.0
	# MSIE 7.0
	# MSIE 8.0
	# MSIE 9.0
	# MSIE 10.0
	# Trident/7.0
	# MSIPC
	# Windows Rights Management Client
	# Windows NT 10.0; WOW64; Trident/7.0
	# Edge/1
	# Mozilla/5.0 (Windows NT

	# More Info: https://technet.microsoft.com/en-us/library/ee892317.aspx