Hive Active Heating PowerShell Control with PoSHive

Last week I announced PoSHue, my PowerShell 5 class for controlling and scripting Philips Hue lights – this week sees another announcement along the same lines.

I recently bought a Hive Active Heating system to remotely control my home’s heating and thought it would be pretty cool to be able to access that same level of control (and automation) using PowerShell.


PoSHive is the result. It’s another GitHub project meaning anyone can get a copy, fork it, branch and contribute.

UPDATE: It’s now also available from the PowerShell Gallery.


Install by simply using:


When you want to ensure you have the latest version:

Why would I want access to Hive using PowerShell? The purpose of this class is to enable you to use PowerShell (v5) scripting to exert more powerful logic control over the state of your heating system. In its basic form, it allows you to set the heating mode of the system and the temperature, including the Boost option, Holiday mode and even to advance the system to the next event. PoSHive offers most (if not all) the features exposed by the app and website but using only PowerShell.

While thinking about use cases I realised a different benefit for PoSHive: it opens the Hive ecosystem (heating only) to those with disabilities that make it hard or even impossible to use an app on a phone or the website, whether because of impaired sight or because of the fine motor control needed to use a mouse or point with a finger. The app offers disabled users the chance to simply type commands and have the heating system respond to them. No fiddly apps or websites to contend with.

Here’s a basic example showing how to get the current temperature recorded by the thermostat. The first 4 lines of this script can even be included in your PowerShell profile so all you need to type is $Hive.Login() and you’re logged on.



Please check out the project on GitHub and contribute if you can or just let me know how you use PoSHive in your script through the comments section below.

The project is not sanctioned by or affiliated with British Gas in any way and is based on API data formats and responses I’ve observed for my own Hive Active Heating system. The class is designed to work only with the Heating only Hive system (I don’t have the hot water system unfortunately) and is likely also not to work with Multi-zone Hive systems.


Philips Hue PowerShell

I’ve been quietly working on a little project (or two) of my own on GitHub since I got some Philips Hue lights a while back.

Philips makes accessing the bulbs programmatically very easy with the API that exists on the Bridge device but I wanted a scriptable solution to allow me to exert much more fine grained logic control over the states and colours of my lights.

Being pretty advanced with PowerShell (at least, I think I am), I set about writing a PowerShell interface (not a GUI) to allow me to access the properties and set the state of my Hue lights.

The result is a PowerShell 5 class that simplifies the interaction with Philips Hue bulbs and lights that I’ve dropped on to GitHub for use by any and all. I realise this is focussed purely on Windows users but that’s what I am and I use PowerShell extensively for other things too.

The project is called PoSHue and is located on GitHub.

It allows you to do things like this from PowerShell.

Feel free to have a look and see how you can use it. Just 4 lines and you’re off and running.


One example is something I’m using the classes for currently but is logically quite complicated. The script executes on a schedule, that schedule is set from the previous execution and is obtained from an API call to a service providing sunset times. The script turns the lights on just before sunset but only if me and/or my fiancee are home.

I then have a second script which is executed by the “turn lights on if it’s sunset and people are home” script which monitors if we go out. If we go out, the lights are turned off by this script and, so long as it’s before 23:00, the turn lights on only if we’re home script is executed again to wait for us to come home again.

Basically, the scripts work in conjunction and cyclically to ensure the lights don’t turn on before sunset and only when we’re home and they also turn the lights off if we go out but would turn them on again if we came home before 23:00.

Let me know if you’d be interested in seeing the scripts and tasks (yes they’re scheduled tasks that monitor for return events from the scripts!) and I’ll see what I can do about packaging them up somewhere.




Investigatory Powers Bill #IPBill

I celebrate my 500th post on my blog with a letter to my MP to decry the actions of Government and its intention to force the #IPBill through Parliament. I would urge anyone that cares about their privacy (not just what websites you visit!) to write to their MP asking them to challenge the Investigatory Powers Bill when it is debated in Parliament on the 14th March 2016. It has taken the Home Office just six weeks to publish two drafts of the IPBill and set a date for its debate – is that really enough time to properly understand the implications of this bill?

Know this – the most recent draft of the Bill grants the Police (any officer at any time!) the power to look up your Internet browsing history. Are you friends with a Police officer? Neighbours with one? (I am actually). Do you want them to know what websites you visit?

“Surveillance controls, and absolute surveillance controls absolutely.” — Page 1. Welcome to the Machine: Science, Surveillance, and the Culture of Control

Here is my letter.

Dear xxxx,

I write again to voice my serious concern at the intention to rush the Investigatory Powers Bill through Parliament without proper scrutiny.

The Home Office has been told to examine carefully the criticisms and recommendations of three Parliamentary committees. Less than three weeks since the release of the previous draft of the Investigatory Powers Bill is not enough time for a considered redrafting of the Bill and proves only that the Home Office has paid little attention to the criticisms made of the original Bill. The new Bill only has a few significant changes from the draft version and is a slap in the face for any democratic and free society.

The Bill reinforces the assumption of the security services (and seemingly Government) that everybody is a potential criminal. We are being forcefully relieved of the freedom to conduct our lives without scrutiny by an overbearing, overreaching state. The plan to monitor everybody’s Internet browsing history in order to catch a few criminals and terrorists amounts to bulk surveillance of an entire population and is a significant overreach of state powers – no other country in the world monitors and collects Internet browsing history to this extent and I am horrified that the UK wishes to be the first, under the auspices of increasing safety when no evidence can be provided to confirm this assertion.

The Bill is a huge step in the wrong direction away from democracy. It provides insufficient judicial oversight and assumes that the state and its actors are (and will continue to be) entirely trustworthy when it has been proven time and again that they are anything but. The Government’s purpose is to serve the citizens of this country and I am appalled at the continual battering ram of fear being used by the Government to drive through a piece of legislation that can be described as nothing but draconian.

“The premise [is] that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.” — Bruce Schneier, computer security and privacy specialist.

Who I talk to, when I talk to them, where I am, what time I’m awake at night, what websites I visit and when I visit them are all private matters that do not threaten national security and the availability of that information to the security services is useless – the Government is suggesting that only it, the security services and (now) Police should be the judge of that.

It concerns me greatly that the personal opinions of a small number of individuals in positions of trust and the actions of just a few criminals are set to affect the private lives of tens of millions of innocent, law abiding people.

The social and democratic effects of implementing this digital Panopticon cannot be underestimated and I would urge you to consider the implications of allowing this Bill to pass through without a significant rewrite to properly address the failings highlighted by the three separate Parliamentary committees.

Yours sincerely

Lewis Roberts

PowerShell for DDNS (

I’ll just leave this here. I realise many would prefer alternatives to using scheduled tasks such as Windows services or built-in methods from more advanced routers (as I do) but I had a need to write PowerShell to run every hour and update a DynDNS domain if the current IP doesn’t match the DNS IP.

If you’re running this as a scheduled task, you must do it under the context of the same user that creates the credential file.

Hope it’s useful for you.
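A sketch of the approach described above, added here as an example and not the author's original script. It assumes the DynDNS `nic/update` endpoint and the ipify lookup service; the hostname, credential file path, user agent string and function names are placeholders.

```powershell
# Added example: placeholder values below are assumptions, not from the original post.
$HostName = 'myhost.example.com'                          # placeholder DDNS hostname
$CredFile = Join-Path $env:LOCALAPPDATA 'ddns-cred.xml'   # hypothetical file location

# One-time setup, run interactively AS THE ACCOUNT THE SCHEDULED TASK RUNS UNDER:
#   Get-Credential | Export-Clixml -Path $CredFile
# On Windows, Export-Clixml protects the password with DPAPI, so only the same
# user on the same computer can decrypt it. That is why the task context matters.

function Test-DdnsUpdateNeeded {
    param([string]$CurrentIp, [string[]]$DnsIps)
    # Refuse to act on anything that is not a well-formed IP address.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($CurrentIp, [ref]$parsed)) {
        throw "Public IP lookup returned an invalid address: $CurrentIp"
    }
    # An update is needed only when DNS does not already hold the current IP.
    return ($DnsIps -notcontains $parsed.ToString())
}

function Update-Ddns {
    # Import-Clixml fails to decrypt here if run as a different user or machine.
    $cred      = Import-Clixml -Path $CredFile
    $currentIp = (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim()
    $dnsIps    = (Resolve-DnsName -Name $HostName -Type A -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.IPAddress }).IPAddress

    if (-not (Test-DdnsUpdateNeeded -CurrentIp $currentIp -DnsIps $dnsIps)) {
        return "No change: DNS already points at $currentIp"
    }

    # Basic auth over HTTPS only; the plaintext password exists just for this call.
    $pair    = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
    $headers = @{ Authorization = 'Basic ' +
                  [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair)) }
    $uri     = 'https://members.dyndns.org/nic/update?hostname={0}&myip={1}' -f $HostName, $currentIp
    $result  = Invoke-RestMethod -Uri $uri -Headers $headers -UserAgent 'Example - DdnsUpdater - 1.0'

    # The service answers "good <ip>" or "nochg <ip>" on success; anything else is an error.
    if ($result -notmatch '^(good|nochg)') { throw "DDNS update rejected: $result" }
    return $result
}

Update-Ddns
```

Restricting the credential file's ACL to the task account adds a second layer on top of DPAPI, since the file is useless to other users but still readable by them otherwise.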


Turn off Windows 10 OneDrive link in Explorer Sidebar

Quick couple of lines of PowerShell to turn off the OneDrive integration in Windows Explorer for those of us that use other providers and would like to recover the space taken by the OneDrive link.


As a full blown script with a little error checking.



-Oh, news from this week, I asked my (very dedicated) girlfriend of 7 years to marry me. She said yes. 🙂

Filtering objects from Azure Active Directory

Microsoft recently made Azure AD Connect generally available and in doing so introduced a method for filtering users based on their membership in a specific group. Unfortunately, this is considered a pilot mode for Azure AD Connect – this means that if you wish to permanently filter objects based on their group membership, you’ll forever be in pilot mode. Another caveat is that you cannot change this group easily. You would need to remove Azure AD Connect and re-install it to select a different group. Indeed if you upgraded from Azure Active Directory Sync Services as I did, this option is completely unavailable to you unless you’re willing to remove and re-install Azure AD Connect.

The reason, as far as I can ascertain, is that there is no attribute of a user object that looks like memberOf on which you can perform some logical decision with the Synchronization Rules Editor.

So how do we filter? There are three methods: Domain, OU and Attribute. In my getting started with Azure Active Directory Sync Services series earlier this year, I showed how to do the first two of these. The first, Domain, is the obvious one. If you want objects from a domain, you would attach to it during installation. The second, OU, is buried a little deeper inside miisclient.exe but it’s something I’ve demonstrated already in my getting started guide, so I’m not going to cover old ground. The third, Attribute, is what this post is about.

When I say user attribute, what do I mean? These:

Simply put, we’re able to filter objects that are to be synchronised with Azure AD using these attributes. I’m going to demonstrate how users can be filtered in the following steps and I’m also going to demonstrate a method of using PowerShell in conjunction with the attribute filtering rule to enable the use of group membership to identify who should get an Azure AD account – pseudo group filtering.

Integrating SimpleSAMLphp with ADFS 2012R2

In my previous two posts, I’ve discussed two solutions for using Azure Active Directory authentication from a bespoke PHP web application.

In the first post I essentially re-wrote an article that originally was written on the Azure website which unfortunately no longer seems valid (EDIT 07/2016: Has since been completely removed!). The solution written there used SimpleSAMLphp and libraries written by Microsoft to implement WS-Federation for authenticating custom PHP applications with Azure AD. My first post clears up some issues and demonstrates a more logical method of configuring SimpleSAMLphp on IIS.

In my second post, I showed a more elegant solution that did away with the Microsoft WS-Federation libraries and used only SimpleSAMLphp and SAML2 to authenticate a custom PHP application with Azure Active Directory. I also showed how you can configure an Azure application to pass through groups claims in the token.

In this third (and hopefully final) post, I’ll combine components of the two previous posts and demonstrate how you can use SimpleSAMLphp to integrate directly with ADFS 2012R2.


  • A working ADFS 2012R2 implementation.
    Apologies but this isn’t something I’ve blogged about yet (I will, soon). For now, there are plenty of fantastic articles on setting up ADFS out there but when you do it, make sure you’re setting up ADFS 2012R2 (It’s on Windows Server 2012R2 of course). Why am I telling you to set it up on Windows Server 2012R2? Simple, Alternate Login ID.
  • Access to a Linux box with an updated version of OpenSSL.
    OK, so strictly you don’t need a Linux box – it’s just easier if you have access to one. We need to generate a certificate and key for token signing purposes and fiddling with installations of OpenSSL on Windows isn’t something I want to document. Spin one up in Azure and bin it once you’re done with it!


Single Sign-on to Azure AD using SimpleSAMLphp

In my last mammoth post, I posted an update/re-write to an article originally written on the Azure website that used some libraries provided by Microsoft to enable custom PHP applications to sign-on to Azure AD using WS-Federation. In that post I described a method for installing and configuring SimpleSAMLphp to IIS that enables it to be used by any number of sites on the same server, all that’s required is to add a simple Virtual Directory to each site. If you want to configure SimpleSAMLphp on IIS, check that post out.

The intention with this post is to do away with Microsoft’s libraries altogether and use only SimpleSAMLphp in a more integrated way. The purpose is to avoid having to re-write a lot of functionality already provided by SimpleSAMLphp that’s likely to be missing from Microsoft’s libraries, and of course open up access to SimpleSAMLphp’s documented API.

I will assume you have configured SimpleSAMLphp already using the method documented in the last post. In order to proceed in this post, you also need to have configured an application within Azure Active Directory. Again, you can find instructions for that included in the previous post.

The largest difference with this post is, as I mentioned, better integration with SimpleSAMLphp – as such, there’s more configuration to complete within SimpleSAMLphp than there was in the previous post.

  • We’ll import federation data from our Azure application in to SimpleSAMLphp.
  • We’ll configure SimpleSAMLphp as a Service Provider.
  • We’ll create a little code to get us authenticating.
