<p><b>Did You Restart?</b> - Computer System Administration - by Aaron</p><p><b>iPhone DFU mode recovery error 4010 - removing supervision</b> (2023-03-04)</p><p>Recently I had some phones that had been supervised using Apple Configurator, putting them into an Apple Business Manager account. The business was closing its doors and the devices needed to be removed from Apple Business Manager and the supervision removed.</p><p>Removing them from Apple Business Manager is easy enough: log in and remove them. But this didn't actually remove the supervision from the device.</p><p>Backstory: these devices were older, used devices that the business wanted supervised. I came up with a method for building a virtual macOS machine in VMware Workstation and using Apple Configurator to add the iOS device into Apple Business Manager, thus supervising the device. It worked great and I had done this a dozen times.</p><p>When the MDM product was removed it unfortunately didn't remove the profile. Since the MDM was shut down and not recoverable (the business had closed and the account had been cancelled), the best option was to factory reset the devices, BUT the profile removed the option for a factory reset! No problem, just connect in recovery mode to iTunes and restore/update. This process would error with "This device is supervised and cannot be connected to this computer". Yep, the MDM profile was still applied.</p><p>Time to move to a DFU restore. During this process I would repeatedly get error 4010. I found several different things that can cause this error!</p><p>1. My newest laptop doesn't have USB-A ports, only USB-C, so I couldn't directly connect the Lightning cable. Instead I was using an adapter, which it clearly didn't like.</p><p>2. 
I had another laptop with USB ports. Connecting to this laptop I found that I still got error 4010 IF my business VPN was connected. I disconnected and, for good measure, also stopped the VPN client (FortiGate). </p><p>After moving to a USB 3.0 port and ensuring the VPN was not running it worked like a charm. The DFU mode restore/update completed, and I was left with a device that no longer had MDM profiles or supervision, and no 4010 errors.</p><p><b>HP Spectre Convertible Laptop - restarts instead of shutdown</b> (2022-09-19)</p><p>Had an old laptop to repurpose. Reinstalled Windows, drivers, etc. It seemed to work fine, except that when I would shut down the computer, a minute later it would be sitting there on again. Argh.</p><p>Looking online, for the HP Spectre x360 convertible models this seems to be a common issue. I found solutions involving downgrading drivers (which does appear to work), etc. </p><p>Then luckily I found this answer by DJElectron: <a href="https://h30434.www3.hp.com/t5/Notebook-Hardware-and-Upgrade-Questions/HP-Spectre-X360-15-2017-model-does-not-shut-down-or-sleep/m-p/7142410/highlight/false#M517092">SOLVED!!! Re: HP Spectre X360 15 2017 model does not shut do... - Page 2 - HP Support Community - 5978451</a></p><p>So, resetting the CMOS by doing the following fixed the issue.</p><ol style="text-align: left;"><li>Shut down the system by holding the power button</li><li>Press and hold Win+V</li><li>Power on the system</li><li>Once the light on the power button comes on, wait 10 seconds, then release Win+V</li><li>The screen should say "CMOS checksum invalid" after a few moments. 
</li><li>Press Enter to reboot</li></ol><div>Highly frustrating issue with an easy fix :)</div><p><b>SQL to PowerApps without Premium Connector</b> (2022-09-15)</p><p><b>Issue</b>: </p><p>We have an application (our primary one) whose licensing structure is based on active device connections. The problem: we have more devices than licenses. This isn't a big deal, since due to scheduling not all devices are connecting at once.</p><p>But when user 1 on device 1 goes home and forgets to close the app, user 2 on device 2 has an issue (provided the other licenses are already taken). Closing out user 1 is fairly easy (reboot the computer), but not when there are 10+ workstations and they don't know which one is using the license. It suddenly became a whack-a-mole game that they didn't want to play.</p><p><b>Idea</b>: </p><p>The license usage information is stored in a SQL table. So if we can make this information accessible they can see exactly where licenses are used. </p><p>Note: there are other ways to handle this, but they each had their own cons (e.g. auto-logout of users on a timer, etc.). For now, simply reporting on it was the best option to make the whack-a-mole game quicker.</p><p>With PowerApps we could access the SQL table directly and tell the users! But wait, MS charges (IMO) a large amount of money for these types of connections. Can we do it without a premium connection? 
Yes. It's not as great, but it will do :)</p><p><b>Solution</b>: </p><p>The idea is to take this in multiple parts, ending up with a product we put on the main SharePoint page so they can quickly see which workstations are up for whacking.</p><ol style="text-align: left;"><li>Export the data from SQL</li><li>Upload it to a SharePoint List</li><li>Display it in a pretty format</li></ol><p><b><span style="font-size: medium;">1. Export from SQL </span></b></p><p>First up we need to get the data out of SQL into a format we can use. We also want to do this easily; I'm not interested in spending all day figuring out why I can't get the export to Excel to work, or other variations. PowerShell has a SQL module and there's Export-Csv, so that's easy.</p><p>We'll need the SQL PowerShell module: <a href="https://docs.microsoft.com/en-us/sql/powershell/download-sql-server-ps-module?view=sql-server-ver15">Download SQL Server PowerShell Module - SQL Server | Microsoft Docs</a>. In my case I already had it, as I added it when I built the server and installed SQL.</p><p>Devart.com had a well-written blog post on this with a number of options. Option 3 is what we are looking for: <a href="https://blog.devart.com/how-to-export-sql-server-data-from-table-to-a-csv-file.html">How To Export SQL Server Data From Table To a CSV File (devart.com)</a></p><blockquote>Invoke-Sqlcmd -Query 'SELECT WSID, ConnDate FROM mydb.myschema.connections;' -ServerInstance S-SQLDEV | Export-Csv -Path D:\Reports\connections.csv -NoTypeInformation</blockquote><p>Great, now I have a PowerShell script that I can schedule with Task Scheduler to run every so often, let's say every 10 minutes, and dump a CSV file for me. 
It's pretty lightweight, so I'm not worried about the hit my SQL server will take from it.</p><p>Task Scheduler: </p><p>Under Program/Script enter Powershell.exe</p><p>For "Add arguments" enter -ExecutionPolicy Bypass "D:\Scripts\MyScript.ps1" (of course using your path and script name)</p><p>The account that runs the scheduled task needs read permissions on the SQL database in question (or you will get blank results).</p><p><b><span style="font-size: medium;">2. Upload to SharePoint List</span></b></p><p>Okay, now we need to get our lovely CSV into a SharePoint list. This is fairly easy, but there are some steps involved. In particular, we need PowerShell v7 and the PnP PowerShell module (at least I went this route). Also, I did this part on a different server, as I didn't want to monkey around with uploading files to SharePoint from my SQL server. Instead, I used another PS script to move the file from the SQL server to my file server and then uploaded from there (optional step below).</p><p>Optional: as just stated, I didn't want this part on my SQL server, so I copied the file to a file server first. I did this by adding the line below to my PS script on the SQL server. (The service account used to run the scheduled task will need permissions at the remote location.)</p><blockquote>Copy-Item -Path "Microsoft.PowerShell.Core\FileSystem::D:\Reports\connections.csv" -Destination "Microsoft.PowerShell.Core\FileSystem::\\FileServerName\D$\Scripts\Connections\connections.csv"</blockquote><p>I then proceeded with the rest of the steps on the file server.</p><p>Installing PowerShell v7 is pretty easy... <a href="https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.2#msi">Installing PowerShell on Windows - PowerShell | Microsoft Docs</a></p><p><b>Optional: PSv7 doesn't include the ISE anymore.</b> </p><p>Now they encourage you to use Visual Studio Code with the PowerShell extension. 
<a href="https://code.visualstudio.com/download">Download Visual Studio Code - Mac, Linux, Windows</a></p><p>So I downloaded VS Code on my workstation so I could build the PSv7 script and run it on the file server. (I installed PSv7 on my workstation and on the file server.)</p><p>Once installed, either install the PowerShell extension during the setup process or go to Settings (bottom left), Extensions, and find and install it.</p><p><b>SharePoint PnP PowerShell Module</b>:</p><p>I decided to use the PnP PowerShell module as I felt it greatly reduced the complexity of the scripts.</p><p>Here's a great write-up of SharePoint PnP by June with connection instructions: <a href="https://adamtheautomator.com/sharepoint-pnp/">How to Use SharePoint PNP PowerShell Module in Office 365 (adamtheautomator.com)</a></p><p>Note: you'll want to run Install-Module "PnP.PowerShell" while logged in as the account that Task Scheduler will be set to run as, or the script will fail.</p><p>I had issues using his directions for non-interactive connections. So I used the following instead, which I created a separate post for: <a href="https://blog.didyourestartyet.com/2022/09/powershell-pnp-connection-using-azure.html">Did You Restart?: PowerShell PnP connection using Azure AD App Registration and Certificates (didyourestartyet.com)</a></p><p><b>Import CSV to SharePoint List:</b></p><p>Now we can import our CSV into a SharePoint list to use as our "free database". Salaudeen nails it with his post on SharePoint Diary: <a href="https://www.sharepointdiary.com/2015/09/import-csv-file-to-sharepoint-list-using-powershell.html">SharePoint Online: Import CSV File into SharePoint List using PowerShell - SharePoint Diary</a></p><p><b>SharePoint List:</b> </p><p>First let's set up a list on our SharePoint site. I'm not going to detail these steps, as you should be fairly familiar with this already. 
I will point out, however, that SharePoint forces creation of a "Title" column with the required flag on. Rather than renaming this column I just went into the list settings, selected the column, and turned off the required flag. Then I leave the Title column blank and ignore it. </p><p>I also created the necessary columns in the SharePoint list to match the columns in the CSV, so in my case WSID and ConnDate.</p><p><b>PowerShell: </b></p><p>I used the second option from the SharePoint Diary post, with PnP and some slight modifications:</p><ol style="text-align: left;"><li>We need to initiate the non-interactive connection to SharePoint Online.</li><li>I wanted to replace the list each time, not add or update.</li></ol><p>The script is copied from the SharePoint Diary site linked above. I only added the connection and the line to get/delete all list contents.</p><blockquote><p>#Parameters</p><p>$SiteUrl = "https://contoso.sharepoint.com/sites/mysite"</p><p>$ListName = "Connections"</p><p>$CSVPath = "C:\Scripts\Connections\Connections.csv"</p><p>#Connect to SharePoint Online non-interactively (app registration and certificate, see the PnP connection post)</p><p>Connect-PnPOnline $SiteUrl -ClientId 'yourclientIDfromPowerShellStep' -Tenant 'contoso.onmicrosoft.com' -Thumbprint 'CertificateThumbprintfromPowerShellStep'</p><p>#Get the CSV file contents</p><p>$CSVData = Import-Csv -Path $CSVPath</p><p>#Get all contents of the list and delete it! 
No add or update</p><p>Get-PnPListItem -List $ListName | Remove-PnPListItem -Force</p><p>#Iterate through each row in the CSV and import the data to the SharePoint Online list</p><p>ForEach ($Row in $CSVData)</p><p>{</p><p> Write-Host "Adding Contact $($Row.WSID)"</p><p> #Add List Items - Map with Internal Names of the Fields!</p><p> Add-PnPListItem -List $ListName -Values @{"WSID" = $($Row.WSID);</p><p> "ConnDate" = $($Row.ConnDate);</p><p> }</p><p>}</p><p>#Read more: https://www.sharepointdiary.com/2015/09/import-csv-file-to-sharepoint-list-using-powershell.html#ixzz7etuTjTh8</p></blockquote><p>Awesome script. Great job Salaudeen.</p><p>Now all I had to do was save the script and make a scheduled task that runs as the user that I set up the PowerShell PnP automation certificate under. Note: you must also run Install-Module "PnP.PowerShell" under that account.</p><p>Now the CSV is uploaded to the list, overwriting all contents, on the schedule I set (really, we're deleting all content and then uploading the CSV...).</p><p>Since the data is now in a SharePoint list we can access it with PowerApps / Power Automate without paying for the premium connector. No, it's not real-time, but that hardly matters for some data.</p><p><b>PowerShell PnP connection using Azure AD App Registration and Certificates</b> (2022-09-15)</p><p>I had a project I was working on where I wanted to automate uploading a CSV file to a SharePoint list. Of course, with all the security changes and MFA, I needed to find a way to do it securely. 
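</p><p>The SQL-to-SharePoint-List refresh from the previous post, assembled as one scheduled script: this is an added example, not the post's or Salaudeen's code, and it uses the certificate-based connection this post sets up. It refuses to clear the list when the SQL export or the CSV comes back empty (the blank-results failure the Task Scheduler note describes), checks that the automation certificate is present, has its private key and is unexpired, and sends deletes and adds as PnP batches. The server, site, list and column names are the posts'; the client ID and thumbprint are placeholders.</p>

```powershell
#Requires -Version 7.0
#Requires -Modules SqlServer, PnP.PowerShell
# Added example, not the scripts from the posts: one scheduled SQL -> CSV -> SharePoint List
# refresh. Assumes the columns WSID and ConnDate, the app registration and certificate from
# the PnP connection post, and placeholders for the client ID and certificate thumbprint.
param(
    [string]$SqlInstance = 'S-SQLDEV',
    [string]$Query       = 'SELECT WSID, ConnDate FROM mydb.myschema.connections;',
    [string]$CsvPath     = 'D:\Reports\connections.csv',
    [string]$SiteUrl     = 'https://contoso.sharepoint.com/sites/mysite',
    [string]$ListName    = 'Connections',
    [string]$ClientId    = 'PLACEHOLDER-application-client-id',
    [string]$Tenant      = 'contoso.onmicrosoft.com',
    [string]$Thumbprint  = 'PLACEHOLDER-certificate-thumbprint'
)
$ErrorActionPreference = 'Stop'

function Test-AutomationCertificate {
    # The PFX must be in the personal store of the account running the task, and a
    # New-SelfSignedCertificate certificate is valid for one year by default, so check
    # presence, private key and expiry up front instead of failing inside Connect-PnPOnline.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert)                    { throw "Certificate $Thumbprint is not in Cert:\CurrentUser\My for $env:USERNAME" }
    if (-not $cert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key; import the PFX, not the CER" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }
    return $cert
}

function Export-ConnectionsCsv {
    # Step 1 of the post. Zero rows almost always means the task account cannot read the
    # database, so stop here rather than writing an empty CSV that would wipe the list.
    param([string]$SqlInstance, [string]$Query, [string]$CsvPath)
    $rows = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $Query)
    if ($rows.Count -eq 0) { throw "Query returned no rows from $SqlInstance; check the task account's SQL permissions" }
    $rows | Select-Object WSID, ConnDate | Export-Csv -Path $CsvPath -NoTypeInformation
    return $rows.Count
}

function Sync-ListFromCsv {
    # Step 2 of the post. The list is cleared only after the CSV has been read and validated,
    # and deletes and adds are sent as batches instead of one request per item.
    param([string]$CsvPath, [string]$SiteUrl, [string]$ListName,
          [string]$ClientId, [string]$Tenant, [string]$Thumbprint)
    $data = @(Import-Csv -Path $CsvPath)
    if ($data.Count -eq 0) { throw "$CsvPath is empty; list '$ListName' left unchanged" }
    $missing = @('WSID', 'ConnDate') | Where-Object { $_ -notin $data[0].PSObject.Properties.Name }
    if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

    Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint
    try {
        $delete = New-PnPBatch
        Get-PnPListItem -List $ListName -PageSize 500 |
            ForEach-Object { Remove-PnPListItem -List $ListName -Identity $_.Id -Batch $delete }
        Invoke-PnPBatch -Batch $delete

        $add = New-PnPBatch
        foreach ($row in $data) {
            # Export-Csv wrote ConnDate in the current culture; Get-Date parses it the same way.
            $connDate = if ([string]::IsNullOrWhiteSpace($row.ConnDate)) { $null } else { Get-Date $row.ConnDate }
            Add-PnPListItem -List $ListName -Batch $add -Values @{ 'WSID' = $row.WSID; 'ConnDate' = $connDate }
        }
        Invoke-PnPBatch -Batch $add
    }
    finally { Disconnect-PnPOnline }
    return $data.Count
}

Test-AutomationCertificate -Thumbprint $Thumbprint | Out-Null
$exported = Export-ConnectionsCsv -SqlInstance $SqlInstance -Query $Query -CsvPath $CsvPath
$imported = Sync-ListFromCsv -CsvPath $CsvPath -SiteUrl $SiteUrl -ListName $ListName `
                             -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint
Write-Output "$(Get-Date -Format s) exported $exported rows, imported $imported items into '$ListName'"
```

<p>Because PnP.PowerShell here runs under PowerShell 7, the scheduled task should start pwsh.exe rather than Powershell.exe, running as the account whose personal certificate store holds the PFX.</p><p>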
</p><p>That's when I found the following by June: <a href="https://adamtheautomator.com/sharepoint-pnp/">How to Use SharePoint PNP PowerShell Module in Office 365 (adamtheautomator.com)</a></p><p>Using his directions for the non-interactive connection didn't work for me... but it got me on the right track. Note that his directions may work fine and I just didn't do it right :)</p><p>I used the following to make this work:</p><ul style="text-align: left;"><li>PowerShell v7</li><li>Visual Studio Code (as a replacement for the ISE)</li><li>Windows Server 2016 and 2019, also replicated on Windows 10 and 11.</li></ul><div>The following steps will be covered:</div><div><ol style="text-align: left;"><li>Create and import the SSL certificate</li><li>Register the app in Azure AD</li><li>Set app permissions</li><li>Set the app certificate</li><li>Connection string for the script</li></ol><div>Hopefully this will help me when I need to do it again in the future, or anyone else who happens to read these notes!</div></div><div>Note: don't forget to run Install-Module "PnP.PowerShell" </div><div><b>Create the Self-Signed Certificate:</b></div><div><p>Create the self-signed certificate. Other options can be used; these are the basics.</p><blockquote>New-SelfSignedCertificate -Subject "PowerShell PnP" -CertStoreLocation Cert:\CurrentUser\My</blockquote></div><p>This is going to generate a certificate thumbprint. Copy it into the next part.</p><p>Export the certificate as a CER and a PFX:</p><blockquote><p>Export-Certificate -Cert Cert:\CurrentUser\My\PasteThumbprintHere -Type Cert -FilePath PowerShellPnPM365App.cer</p><p>$password = ConvertTo-SecureString -String "UberSecurePasswordHere" -Force -AsPlainText</p><p>Export-PfxCertificate -Password $password -Cert Cert:\CurrentUser\My\PasteThumbprintHere -FilePath PowerShellPnPHost.pfx</p></blockquote><p>You now have a CER and a PFX file. The CER will be uploaded to Azure AD. 
The PFX will be installed on the computer doing the automated scripting, in the personal certificate store of the user account used for the automation.</p><p>Go ahead and log in as the account that will be running the scripts. Then install the PFX certificate with the password you chose.</p><p>Copy the thumbprint, as you'll use it in your script.</p><p><b>Set up Azure AD:</b></p><p>Jump over to your Azure AD admin center and navigate to "Azure Active Directory", then "App Registrations", then "All applications".</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvsdhcJ3J0MCLg07ROIJ1NnwmTs9YMOrBPChJEnLgWAh5FhZpSfCfq1dmdMq9e6px5pmZRn10h4hdXkfHEwmcQ_HuuVqAribEqXlv1Knuo4ApUlBh8WhgpUWiVx_93V08sjHWr7uJ1Ybh_WxS8EGDBnZfJBmPHUCtGTvTIuRvTPRD25BEl8crGko8B/s860/AzureAd%20new%20app.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="384" data-original-width="860" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvsdhcJ3J0MCLg07ROIJ1NnwmTs9YMOrBPChJEnLgWAh5FhZpSfCfq1dmdMq9e6px5pmZRn10h4hdXkfHEwmcQ_HuuVqAribEqXlv1Knuo4ApUlBh8WhgpUWiVx_93V08sjHWr7uJ1Ybh_WxS8EGDBnZfJBmPHUCtGTvTIuRvTPRD25BEl8crGko8B/w732-h325/AzureAd%20new%20app.jpg" width="732" /></a></div>Click New Registration and give it a name. No Redirect URI is needed.<div><br /><p>This is going to give you a screen showing your new Application (client) ID and the Directory (tenant) ID. 
Copy these both down as you'll need them later.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwDZEf0Bj4Gy5sXhAtjbabtA-eXUfYVT2jZwOGNp6v5faMqWMEArUc7Iey5YfqmT1-7iLzRW7JtZuFY87N2eWCavgBycaPjz7ewjUWKd11UzGCxNiiJDD4U8cqwJhDIs5YTYLPCTgcyxZHPr_fijD_gFseX6X3cWBB28xP5S18qm3yZUfm8boB4ZrX/s1367/New%20App.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="599" data-original-width="1367" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwDZEf0Bj4Gy5sXhAtjbabtA-eXUfYVT2jZwOGNp6v5faMqWMEArUc7Iey5YfqmT1-7iLzRW7JtZuFY87N2eWCavgBycaPjz7ewjUWKd11UzGCxNiiJDD4U8cqwJhDIs5YTYLPCTgcyxZHPr_fijD_gFseX6X3cWBB28xP5S18qm3yZUfm8boB4ZrX/w709-h310/New%20App.jpg" width="709" /></a></div><br /><p>Click on Certificates and Secrets, and then click Certificates</p><p>Click upload certificate and select the CER that you created earlier. Notice the thumbprint should match what you had earlier.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLZPbDASXewZBmMDg90dGlVSr9dtLZ3zxV7sDc9mWHwzhTUVE-7Xou0735SHgpBYrPh0wxqmb1I5_qi7IAiJxd-D1sihwZyZ7V2oZ18-40e5Z8pLeTF2XCkPKgPYXrhcnZCv0wvZCsxnK_xv6SrOdnUQOLnuMMxkpnDry8Rx91wYQshWHukt6sUVDc/s1322/Certificate.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="555" data-original-width="1322" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLZPbDASXewZBmMDg90dGlVSr9dtLZ3zxV7sDc9mWHwzhTUVE-7Xou0735SHgpBYrPh0wxqmb1I5_qi7IAiJxd-D1sihwZyZ7V2oZ18-40e5Z8pLeTF2XCkPKgPYXrhcnZCv0wvZCsxnK_xv6SrOdnUQOLnuMMxkpnDry8Rx91wYQshWHukt6sUVDc/w736-h308/Certificate.jpg" width="736" /></a></div><br /><p>Now you can give your app permissions to the area you need. In my case I chose to use API Permissions. Click API Permissions, and then Add a Permission. 
Choose the area you want to add, in my case it was for a SharePoint list so I picked SharePoint.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGG7_W8nYJXooXbmQFbKqOUv_CxpIKGU4ztXx3ZTjV1VC7RZozQK5imAI5xFJeLeHT4JW2_R58OQiQcYLWVTAwl_AIVoNqhnH3L1U1vQu539OU4Zz1S453SgYLwAt-klwbY8JsBBHwlYiY7q-lV3xSQIA39mYslb2rBRSVufm5VTFR774nV30AJopG/s831/App%20Permission.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="497" data-original-width="831" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGG7_W8nYJXooXbmQFbKqOUv_CxpIKGU4ztXx3ZTjV1VC7RZozQK5imAI5xFJeLeHT4JW2_R58OQiQcYLWVTAwl_AIVoNqhnH3L1U1vQu539OU4Zz1S453SgYLwAt-klwbY8JsBBHwlYiY7q-lV3xSQIA39mYslb2rBRSVufm5VTFR774nV30AJopG/w640-h382/App%20Permission.jpg" width="640" /></a></div><p>I then wanted it to be application permissions as this was for automation.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaRtnvHLrEM1Qm-fKP7mS9906vaZlTyOvfJ_A-XdImXt3LZEzgZp6eO1QquDPyFfeZPO5fTXyhHd08jEWL3dvC74adtkRsfYslV0ZjGJUzrLfoiVsLVX1T4uqFeA4k-N4ojFdVZSDVL8DMHDXXmQf7zWi0oFUB1I3vfAyU92isY1HcmY9k1ir4SWPm/s849/App%20Delegation.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="849" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaRtnvHLrEM1Qm-fKP7mS9906vaZlTyOvfJ_A-XdImXt3LZEzgZp6eO1QquDPyFfeZPO5fTXyhHd08jEWL3dvC74adtkRsfYslV0ZjGJUzrLfoiVsLVX1T4uqFeA4k-N4ojFdVZSDVL8DMHDXXmQf7zWi0oFUB1I3vfAyU92isY1HcmY9k1ir4SWPm/w874-h352/App%20Delegation.jpg" width="874" /></a></div><p>Here you can choose to give access to Full Site control, or you can narrow it down further. 
I wanted to be somewhat granular in this case so I chose "Sites.Selected".</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg66ssdVG8ZMeDhvZ-EFWpMZWVouZo4Det3TPHIs05fq3LsEkkSjn2sNl1JsMZEYosy07yLIMP9qJrDR7XpwTFoqlgl6Fa-2mc0KNfV7DtRLkAtj-926xRCKo4M6KX-bIOoU9j1yB0VUSN79BQVy-QP32ZyPjjoeP9yHa45e8z9jVJ7-kfNvgrSKTWd/s827/Sites.Selected.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="434" data-original-width="827" height="353" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg66ssdVG8ZMeDhvZ-EFWpMZWVouZo4Det3TPHIs05fq3LsEkkSjn2sNl1JsMZEYosy07yLIMP9qJrDR7XpwTFoqlgl6Fa-2mc0KNfV7DtRLkAtj-926xRCKo4M6KX-bIOoU9j1yB0VUSN79BQVy-QP32ZyPjjoeP9yHa45e8z9jVJ7-kfNvgrSKTWd/w673-h353/Sites.Selected.jpg" width="673" /></a></div><br /><p>We now show the Sites.Selected, but notice the "Not Granted". I then click the "Grant admin consent for ...." to grant permission.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlzMsTHBJcNKhKIs_54662MApnVRkjhsFYyT4k28GEQtvhXrdAUb9Dj5GgGxJ-TIHwN3RA3-HjChYTN2pvtzrPZ9B_AGNzKnSM3kVQW537ay3muwJiTFY4T7v74UHTlqUwHRSW3cT0soflkwF3CV4010HJJClVSE1hLF-U-D8ZVf-8b9cjdzufmrFb/s1100/Permission%20grant.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="306" data-original-width="1100" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlzMsTHBJcNKhKIs_54662MApnVRkjhsFYyT4k28GEQtvhXrdAUb9Dj5GgGxJ-TIHwN3RA3-HjChYTN2pvtzrPZ9B_AGNzKnSM3kVQW537ay3muwJiTFY4T7v74UHTlqUwHRSW3cT0soflkwF3CV4010HJJClVSE1hLF-U-D8ZVf-8b9cjdzufmrFb/w1063-h297/Permission%20grant.jpg" width="1063" /></a></div>The checkmark went green and permission now showed granted.</div><div><br /></div><div>We also need to give permission to the specific site! 
If you click on the permission you'll see the following: "Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online."<br /><p>Let's hop back over to a PowerShell 7 window that has the PnP module installed.</p><blockquote>Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/mysite" -PnPManagementShell</blockquote><p>You should be given a code to copy and a link to a web browser login page. Open it and log in as a Global Administrator to give consent.</p><blockquote>Grant-PnPAzureADAppSitePermission -AppId "Application(Client)ID Here" -DisplayName 'PowerShell PnP Automation' -Site "https://contoso.sharepoint.com/sites/mysite" -Permissions Write</blockquote><p>You can double-check using<br /></p><blockquote>Get-PnPAzureADAppSitePermission</blockquote><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLII8xeM3v9pAUh4EIudQSqCw7E2Rpvvy5lrNOS8gvzFmwKlHfXTcIM6EqkLmrZx8kiRsUh_NMGzlqpGlrf7OsFtk0jvNSyq6kk05dyI4uDeai6CRQhBExzBVos6rmodsOdaMAt7nVEVLjl1kAiAbn_TlldGulUjW04FSWCN5IeXcsvzsgi7AKyCCv/s527/AppPermission.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="142" data-original-width="527" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLII8xeM3v9pAUh4EIudQSqCw7E2Rpvvy5lrNOS8gvzFmwKlHfXTcIM6EqkLmrZx8kiRsUh_NMGzlqpGlrf7OsFtk0jvNSyq6kk05dyI4uDeai6CRQhBExzBVos6rmodsOdaMAt7nVEVLjl1kAiAbn_TlldGulUjW04FSWCN5IeXcsvzsgi7AKyCCv/w837-h225/AppPermission.jpg" width="837" /></a></div><br /><p>Now we can test that all works for our script!</p><p><br 
/></p><blockquote><p>$SiteUrl = "https://contoso.sharepoint.com/sites/yoursite"</p><p>Connect-PnPOnline $SiteUrl -ClientId 'YourClientID' -Tenant 'contoso.onmicrosoft.com' -Thumbprint 'YourCertificatesThumbprint'</p></blockquote><div>It should connect with no errors if all is happy.</div><div>Then we can test by pulling a list of all the SharePoint lists on that site...</div><div><blockquote>Get-PnPList</blockquote></div><p>You should see your site's lists.</p><p>Happy Automating!</p></div><p><b>Sage 300 ERP - ODBC error - Invalid Database Specification</b> (2022-07-01)</p>We utilize Sage 300 ERP from a Windows RDSH environment. After upgrading to a 2019 environment and reinstalling Sage, I had manually created the ODBC DSN. Unfortunately this caused "Invalid Database Specification" errors for end users. <div>You'll find a lot of info that this is of course due to ODBC connection issues, and I kept finding references that the end users didn't have permission to access the System DSN.</div><div>Fixes include making registry changes, using a User DSN, ensuring you're using ODBCAD32, firewall issues, etc.</div><div>None of these worked for me until I found a quick mention on a Sage user forum thread saying to "Run as administrator" Sage 300 so it could create the ODBC connection itself.</div><div>After I cleaned up the changes I had tried and deleted the ODBC DSN I had manually created, I did this and, lo and behold, it created the DSN and it works for end users. 
(see the very last post)</div><div><a href="https://www.sagecity.com/us/sage300_erp/f/sage-300-general-discussion/174715/database-setup-unable-to-connect-to-database-error-49153">Database setup : Unable to connect to database error 49153 - General Discussion - Sage 300 - Sage City Community</a></div><div>I despise Sage 300; I think it's poorly programmed from a systems administrator's point of view. Maybe it's an "accounting software" thing, as I greatly dislike QuickBooks Desktop / Enterprise as well, and a few other accounting packages I've worked with. </div><div>Oh well, it's installed and working now... until I deploy 2022...</div><p><b>Microsoft 365 Tenant Migration with AAD Connect reusing same domain</b> (2022-06-06)</p>Recently we had a need to migrate to a new tenant, largely due to COVID-19, extreme downsizing and company structure changes. I can't stress enough that a successful migration is about planning and staging before any of the migration has actually begun. Additionally, use AAD Connect to your advantage! Convert as many cloud-only accounts to internally synced accounts as possible, as this can save you a ton of work.<div>Note: I'm not going over adding the necessary Microsoft 365 PowerShell modules that are needed.<br /><div>This is not a comprehensive guide, as each environment is going to have its own unique areas, but this worked great for me and can be used as a template for someone else.<br /><div>The migration had a few requirements.<div><ol style="text-align: left;"><li>We had an internal domain connected with AAD Connect - intdomain.com - which was not the primary domain in the tenant.</li><li>There were 8 domains total in the tenant used for various email accounts. 4 domains were moving, 4 were not. 
The intdomain.com was moving.</li><li>A handful of users had a single user account with email addresses across all 8 domains!</li></ol><div>I found that planning for this was very complicated, but execution was actually very simple! Note that this was for under 50 users and I completed it solo. I'm sure it could be simplified further with more scripts or tools. </div></div><div><b>Planning / Staging:</b></div><div>First I started by looking at all the different types of accounts and integrations that would be affected, in particular sorting through the various service accounts set up for SMTP AUTH, whether those accounts were cloud-only or internally synced. Additionally, some users are cloud-only accounts.</div><div>So to start, a handy export was needed from the tenant: Users and Groups into CSV. You can then change this file to XLSX and start adding more columns and a filter. I recommend adding columns identifying which accounts are for SMTP AUTH, which are AAD Sync (this is included in the export), which accounts need forwards in place to the new tenant, which domains are moving, etc.</div><div>Now came pre-staging of the OLD environment. </div><div>Since I had accounts that had emails across all 8 domains, I began to identify them and break them into 2 accounts. The ones with domains that would be moving were set as internal AD accounts. For the ones not moving I created new cloud-only accounts and set up forwards to their internal account. This could easily be scripted for large groups. I used shared mailboxes to save on cost. I used forwarding instead of adding permissions to the shared mailbox so that after migration I wouldn't have to change them again.</div></div><div>I did the same thing for any shared mailboxes, distribution groups, etc. Get everything for the domains that are moving converted to AAD Sync internal groups if possible! 
With this, when you reconnect AAD Connect to the new tenant and do the first sync, all of your work will be done for you.</div><div>I also moved SharePoint and OneDrive. For SharePoint our sites were small and not built out, so a simple "Mover" migration was sufficient. You can find a link to Mover in the SharePoint admin console under Migration. I didn't actually migrate OneDrive; instead we handled that from the client computer end (i.e. disconnect, then reconnect to the new tenant and let it upload everything again).</div><div><b>Create new Tenant:</b></div><div>You can create your new tenant at any point; you'll just need to add a valid license to it. Of course the tenant name will be yourname.onmicrosoft.com, so make it a good one this time! Learn from my mistakes: DON'T make it the company name. Who'd have figured those could change so often... marketing people... ;)</div><div>Create a user account for each user account that will be moving. This can easily be scripted. They will all have name.onmicrosoft.com for their username. </div><div>Note: we licensed ours several days prior to migration.</div><div>I also added one Azure AD Premium P1 license and one Azure Information Protection Premium Plan 1 license to the new tenant. This allowed us to do a lot of configuration of the environment prior to migration: SharePoint pre-staging and config, Exchange rules and other config, spam filter, and the gobs of other settings that I wanted locked down.</div><div><b>Week prior to Migration:</b></div><div>We used BitTitan MigrationWiz to move our mailbox information. So we did a pre-stage pass (everything except the last 30 days) 1 week prior to the go day.</div><div>I also informed everyone that everything was going to break on the "go" day. For simplicity's sake we had each user leave their computer turned on so that we could manually fix their Teams, OneDrive, Outlook, Office apps, and MS Edge sync on the day of migration. 
This was doable for us due to our small user count. I'm sure there are better ways... More on what I did to fix each app at the bottom.</div><div><br /></div><div>I also pulled all of the LegacyExchangeDN values just in case I needed them (added as an X500 proxy address on the new mailbox, they stop replies to old messages bouncing with IMCEAEX errors once the mailbox lives in a new tenant). Easier now than later...</div><div><div></div><blockquote><div>Get-Mailbox | Select Name, PrimarySMTPAddress, LegacyExchangeDN | Export-Csv 'pathtofile\LegacyExchangeDN.csv' -NoTypeInformation</div><div>Get-DistributionGroup | Select Name, PrimarySMTPAddress, LegacyExchangeDN | Export-Csv 'pathtofile\LegacyExchangeDNgroups.csv' -NoTypeInformation</div></blockquote><div></div></div><div>Create a user migration list:</div><div>I also created a CSV file of all the users I had pre-staged in the new tenant. On the day of migration their UPN will need to be changed prior to reconnecting AADConnect, and I wanted that done easily.</div><div>The CSV file needs at least 2 columns with the following headers. Name this userCloud.csv</div><div>PrimarySMTPAddress and UPN</div><div>PrimarySMTPAddress is the username in the new tenant, i.e. jdoe@name.onmicrosoft.com</div><div>UPN is the proper primary email address you will want them to have. 
i.e. jdoe@mydomain.com</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg0kdJ0Vms7Mc2Zv6XNQHBMQpjZy2-akHhjlXoywS58IhVu-TQHslROUM_P0Iyi2CV5cpLWxyuxcZQCBW7AAPOsNvliU-At9-ll1GR7q4TE8VWpjWUMnV1FkIe4tNFT1FbHPA4iiLk2AqzVZTTMWIdzlNhw7D1T32XhUndIy-YeBShk8FpZCy-G-w6o" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="72" data-original-width="469" height="49" src="https://blogger.googleusercontent.com/img/a/AVvXsEg0kdJ0Vms7Mc2Zv6XNQHBMQpjZy2-akHhjlXoywS58IhVu-TQHslROUM_P0Iyi2CV5cpLWxyuxcZQCBW7AAPOsNvliU-At9-ll1GR7q4TE8VWpjWUMnV1FkIe4tNFT1FbHPA4iiLk2AqzVZTTMWIdzlNhw7D1T32XhUndIy-YeBShk8FpZCy-G-w6o" width="320" /></a></div><br /></div><div><br /></div><div><br /></div><div><b>Day prior to Migration:</b></div><div>On the day prior I ran another pre-stage with MigrationWiz to get everything up to that day. I don't want to be sitting around for hours waiting for the final staging.</div><div><br /></div><div><b>Day of Migration:</b></div><div><ol style="text-align: left;"><li>Changed the MX records to an invalid record for each domain. This made any mail sent to us get "held" by the sending server for retry instead of getting an NDR back. I want all that mail to come through once I've moved the domains. Most senders retry for a day or more before giving up, so the cutover has to finish well inside that window.</li><li>Run the final MigrationWiz pass; I also removed everyone's access from SharePoint. Wait for the final pass to finish before proceeding!</li><li>Add an empty root OU to AD; this is temporary.</li><li>Run the AADConnect configuration and point it to that empty root OU you just created. When the sync runs there will be NOTHING to sync, so it will process this as removal of ALL of your AADSync objects. Just like that it removed everything for you so you can remove your domains. Two things to know before you do this: Azure AD Connect refuses an export that deletes more than 500 objects unless you disable the export deletion threshold (we were far below it), and the removed users are soft-deleted into the recycle bin first, so if the domain removal still complains about remaining objects, check Deleted users too.</li><li>Remove any objects that were cloud-only objects for the moving domains. 
</li><li>Under Settings - Domains, click on each domain and go through the tabs; you'll see what objects are left on each domain. Once the domains that are moving are cleared of all objects you can delete each of the domains!</li><li>Now you can go to your new tenant and add each domain. Hint: use a different web browser for each tenant so you're not constantly logging in and out. For PowerShell use 2 different VMs.</li><li>Now we're going to fix the UPN for all of the new tenant's pre-staged users. You're going to use the CSV you created, with PowerShell. (The MSOnline module used below is deprecated; Microsoft Graph PowerShell is its replacement, and the same loop works with Update-MgUser.)</li><blockquote><div>$users = Import-Csv 'path to file\userCloud.csv'</div><div>foreach ($user in $users){Set-MsolUserPrincipalName -UserPrincipalName $user.PrimarySmtpAddress -NewUserPrincipalName $user.upn }</div></blockquote><li>Now all of the users in the new tenant have accounts whose UPNs MATCH their internal Active Directory UPNs. This is what lets AAD Connect soft-match them (on UPN / primary SMTP address) instead of creating duplicates.</li><li>Go back to AADSync and configure it to point to your proper OUs again. Let the sync run and bingo, you now see that it associated properly AND all your groups are back and created / populated with group membership.</li><li>Fix your MX records and test! Don't forget to set up SPF, DKIM and DMARC again: the DKIM selector CNAMEs point at the new tenant's onmicrosoft.com name, so DKIM signing has to be enabled for the domain in the new tenant before the DNS records do any good.</li><li>Note that you need to create "cloud only" distribution groups and add membership back. If you converted them to Active Directory prior then they were automatically created by the sync.</li><li>Test your email setup again! Send and receive.</li><li>Now it's time to fix apps</li></ol><div><br /></div></div><div><b>Fix Apps: </b></div><div><br /></div><div>I found this part to be the worst. Overall it went fine, but it's tedious.</div><div>Note this is for Windows 10 only. Other OSs may be different.</div><div>On some machines signing out in one place caused the others to sign out automatically. 
Some didn't, IDK.</div><div><ol style="text-align: left;"><li>I started with ensuring everything was closed.</li><li>Opened Control Panel, switched to small icons, opened Mail, Show Profiles, Delete</li><li>Opened Excel (or Word), File, Account, Sign Out</li><li>Open Settings, Accounts, Access work or school, expand the account, Disconnect.</li><li>Also checked under Accounts, Email &amp; Accounts, and removed anything I could. </li><li>Opened the Edge browser, Settings, Sign out of the profile. Did not clear their favorites and other info.</li><li>Dumped links to SharePoint as I saw them (and added the new site)</li><li>Opened OneDrive and Unlink this PC (note it prompts that it will stop syncing and a copy of the files will be left on the PC, so the old tenant's data stays on disk until you remove it).</li><li>Open Teams and Sign out</li><li>Reboot</li><li>Open each one and set it up fresh: Edge, OneDrive, SharePoint, Office, Teams. Note that GPOs or Azure AD can do this automatically for you with SSO and device management if you have it.</li></ol><div>Finally, notified users to sign out of Teams, SharePoint, OneDrive, etc. on their mobile phones. In the Outlook mobile app delete the account (the OneDrive connector too) and add the new one back.</div></div><div><br /></div><div><br /></div><div><b>Clean Up!</b></div><div><br /></div><div>At this point you should be back up and running. Time to just start combing through settings and objects and doing any cleanup that is necessary. Hopefully if you did this it went as well as mine did. </div><div><br /></div><div>Don't forget your scanners and other components that use SMTP relay or alerting of that sort! Each of them has the old tenant's credentials stored, so this is also the moment to rotate those passwords rather than re-enter the same ones.</div><div>I'll also throw SharePoint in here. I had used Mover to move everything after the fact and then manually added back permissions. We weren't using a lot of SharePoint at the time so it wasn't a big deal. Of course, if you're using Power Apps, Power Automate, lots of SharePoint, and other services then you'll want to spend more time than I did looking at these solutions. 
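Stepping back to the day-of-migration list: the UPN fix in step 8 is the one place where a bad CSV row renames the wrong account, and the MSOnline module it uses is deprecated in favour of Microsoft Graph PowerShell. Here is that step as an added example (not code from the original post). It refuses any UPN whose domain is not yet verified in the new tenant, skips rows whose account does not exist, and supports -WhatIf. The Microsoft.Graph module, the Connect-MgGraph scopes and the CSV column names (PrimarySMTPAddress and UPN, as described above) are assumptions on my part.

```powershell
# Added example (not from the original post): rename pre-staged cloud users from
# jdoe@name.onmicrosoft.com to jdoe@mydomain.com before AAD Connect is reconnected.
# Assumes the Microsoft.Graph module is installed and userCloud.csv has the columns
# PrimarySMTPAddress (current sign-in name) and UPN (the value it should become).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $CsvPath
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Domain.Read.All' | Out-Null

# Only verified domains can be used in a UPN. Refusing anything else catches a CSV
# built before the domains were added to the new tenant (step 7 in the post).
$verifiedDomains = @((Get-MgDomain | Where-Object { $_.IsVerified }).Id)

$rows    = @(Import-Csv -Path $CsvPath)
$columns = if ($rows.Count) { $rows[0].PSObject.Properties.Name } else { @() }
if (('PrimarySMTPAddress' -notin $columns) -or ('UPN' -notin $columns)) {
    throw 'CSV must have PrimarySMTPAddress and UPN columns'
}

$results = foreach ($row in $rows) {
    $current = $row.PrimarySMTPAddress.Trim()
    $target  = $row.UPN.Trim()
    $domain  = ($target -split '@')[-1]

    if ($domain -notin $verifiedDomains) {
        [pscustomobject]@{ User = $current; NewUpn = $target; Status = "skipped: $domain is not verified in this tenant" }
        continue
    }

    # Look the account up by its current UPN; a missing account is a CSV problem, not a rename.
    $user = Get-MgUser -UserId $current -Property Id, UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $user) {
        [pscustomobject]@{ User = $current; NewUpn = $target; Status = 'skipped: account not found' }
        continue
    }

    # ShouldProcess gives us -WhatIf / -Confirm for free.
    if ($PSCmdlet.ShouldProcess($current, "Rename UPN to $target")) {
        Update-MgUser -UserId $user.Id -UserPrincipalName $target
        [pscustomobject]@{ User = $current; NewUpn = $target; Status = 'renamed' }
    }
}

$results | Format-Table -AutoSize
```

Run it once with -WhatIf against the CSV, compare the output with your spreadsheet, then run it for real. The UPN you set here is what AAD Connect uses for its soft match, so a typo does not show up as a rename error; it shows up as a duplicate account after the first sync. That is why the verified-domain check and the skipped-row report are there.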
(we do now, and what a nightmare that would be all on its own!)</div><div><br /></div><div>Hopefully this helps someone.</div><div><br /></div></div></div>Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-29285045790458302702022-01-12T10:01:00.002-07:002022-01-12T10:01:24.064-07:00Godaddy - new certificate crt and pem files, but need pfxMy brain mostly "seems" to be able to retain valuable information. But for some reason this particular piece of it (needed at least 1 - 4 times a year) is never retained. Each year I find myself pulling out the Google-fu to find a solution.<div><br /></div><div>The issue:</div><div>I'm either purchasing a new cert, changing an existing cert, renewing a cert, etc. I go to GoDaddy, run through the process and get the download files. I'm given a CRT, a PEM, and an intermediate .p7b file.</div><div>I need a PFX file.</div><div><br /></div><div>Google-fu always gives me plenty of articles about using OpenSSL. They typically involve running a command which looks promising, but I KNOW I didn't use OpenSSL last time...</div><div>I think my downfall with this is that I usually type in something like "GoDaddy convert CRT to PFX". The missing part is that I actually have a PEM, which is what's important to me here. The OpenSSL recipes also assume you have the private key as a separate file, which you don't when the CSR was generated in IIS: the key never left that server's machine store.</div><div><br /></div><div>Solution:</div><div>Since I typically generate the CSR from within one of my IIS instances, the private key is already sitting in that server's certificate store, so all I have to do to get the PFX is go back to IIS. 
Complete the certificate request, and when asked for the new file give it the PEM. Import the intermediate .p7b into the Intermediate Certification Authorities store first so the exported PFX carries the full chain.</div><div>Now, right click and export to PFX, give it a password and finish my project. That PFX is the private key in portable form: use a strong password and delete the file once it has been imported wherever it was needed.</div><div><br /></div><div><br /></div><div>Now next year (or month) when I can't remember this easy process for the 100th time, hopefully my Google-fu will find my own post OR I'll finally commit this to memory.</div><div><br /></div><div>/wr mem</div><div><br /></div>Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-42151266572836060042021-10-21T10:41:00.005-06:002021-10-21T10:41:34.507-06:00NEC SV9100 inMail and Exchange Online / Microsoft 365<p><br /></p><p>We've used the NEC SV9100 with inMail for voicemail for 5 years. We also use Microsoft Office 365 / Exchange Online. </p><p>Setting up the voicemail-to-email feature is fairly easy and there are lots of guides online for it. For that matter, being in IT, setting up SMTP for scanning, alerting, etc., etc., etc. is like brushing my teeth. So, looking at the inMail settings for SMTP was enough to make me yawn, grab a cup of coffee to stave off the boredom, and get to work.</p><p>Ten minutes later all done, tested, working... seemingly. I had put in smtp.office365.com, port 587, TLS, username, password, blah blah blah. In fact, I did this almost 3 or 4 years ago. </p><p>Fast forward to yesterday. A complaint comes in: "I've called and left a VM and no one contacted me". Of course, that triggers the CEO to call, leave a message, and then send out the email "Who got that message? Call me". Quick looksee anddddd, well, no one got the message, WTH. I call the number, leave a message and seconds later have the message. Call again, receive message. Start to suspect the number the CEO called or the classic "What did the user do wrong?". 
You know, PEBKAC.</p><p>At this point I decide PEBKAC is wrong (since it's the CEO) and call into the VM box directly (which, btw, no one checks because it's an email-forward-only mailbox) and listen to the messages. I hear me testing, I hear me testing again, I hear a fax machine crap message, I hear the CEO asking for someone to call him... Definitely not a PEBKAC, but rather an OHCRAP.</p><p>After a quick chat with a friend who is an NEC Certified Tech I find that I'm not the first to see this issue. As soon as the words "inMail Office 365 random issue" come out of my computer he stops me and responds with a resounding "Yesssss, we never recommend that". </p><p>Here's the thing: directly entering an account into the SMTP settings on inMail so that it can authenticate and send works, and from my experience it almost always works. BUT when you can't lose an occasional random message from a customer, "almost" isn't good enough. Option #1 also depends on authenticated SMTP being enabled for that mailbox (Microsoft turns it off by default in new tenants), and an MFA or Conditional Access change on that account will break the NEC silently, which is exactly the kind of failure you won't notice until a voicemail goes missing.</p><p>According to my friend and online searches, the generally accepted method is to use Gmail, a local relay, or Option #2 or Option #3 of this document. (Note: I was using Option #1.)</p><p><a href="https://docs.microsoft.com/en-us/Exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365?redirectSourcePath=%252farticle%252fHow-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4">How to set up a multifunction device or application to send email using Microsoft 365 or Office 365 | Microsoft Docs</a></p><p>I see lots of comments online of Option #2 and Option #3 working, but in my mind Option #1 looked like it was working for me.</p><p>In the end I decided to go the tried and true way that hasn't failed me yet: an IIS SMTP relay. Alternatively, an on-site Exchange Server, hMailServer, or another reliable method would be acceptable. Basically, I wanted the mail to have a quick trip locally to an email queue. 
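Two things in this post lend themselves to a script: the pickup-folder test described in the setup steps further down (a four-line file dropped into Pickup), and the queue monitoring that a local relay makes possible. The following PowerShell is an added example, not from the original post. Send-RelayTestMessage writes the test file the way the SMTP service expects it, and Get-RelayQueueStatus reports what is sitting in Queue, Badmail and Drop so a scheduled task can alert before a voicemail goes missing. The relay home directory, sender and recipient below are placeholders; the post's own values are C:\inetpub\voicemail and the voicemail mailbox used for Option 1.

```powershell
# Added example (not from the original post): test and monitor the IIS SMTP relay.
# Paths and addresses are placeholders; change them to match your virtual server.
param(
    [string] $RelayRoot = 'C:\inetpub\voicemail',
    [string] $Sender    = 'voicemail@contoso.com',   # with Option 1 this must be the SMTP AUTH account
    [string] $Recipient = 'myemail@contoso.com'
)

function Send-RelayTestMessage {
    param([string] $Root, [string] $From, [string] $To, [string] $Body = 'Test Test')

    # Header lines with no leading spaces; the blank line is the standard header/body separator.
    $lines = @(
        "To:$To",
        "From:$From",
        "Subject:Relay test $(Get-Date -Format s)",
        '',
        $Body
    )

    # The SMTP service grabs files the moment they appear in Pickup, so write the complete file
    # elsewhere on the same volume and rename it in; a rename on one volume is atomic.
    $temp   = Join-Path $Root ("relaytest-{0}.tmp" -f [guid]::NewGuid())
    $target = Join-Path (Join-Path $Root 'Pickup') ([IO.Path]::GetFileNameWithoutExtension($temp) + '.eml')
    [System.IO.File]::WriteAllLines($temp, [string[]] $lines, [System.Text.Encoding]::ASCII)
    Move-Item -Path $temp -Destination $target
    return $target
}

function Get-RelayQueueStatus {
    param([string] $Root, [int] $StaleMinutes = 30)

    # Queue = still retrying (no route, bad credentials), Badmail = rejected, Drop = treated as local.
    foreach ($folder in 'Queue', 'Badmail', 'Drop') {
        $path  = Join-Path $Root $folder
        $files = @(Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue)
        $stale = @($files | Where-Object { $_.LastWriteTime -lt (Get-Date).AddMinutes(-$StaleMinutes) })
        [pscustomobject]@{
            Folder = $folder
            Count  = $files.Count
            Stale  = $stale.Count
            Oldest = if ($files.Count) { ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime } else { $null }
        }
    }
}

$dropped = Send-RelayTestMessage -Root $RelayRoot -From $Sender -To $Recipient
Write-Host "Pickup file written: $dropped"
Start-Sleep -Seconds 10                     # give the service a moment to process it

$status = Get-RelayQueueStatus -Root $RelayRoot
$status | Format-Table -AutoSize

# Anything left in Queue, Badmail or Drop means the relay could not hand the message to
# Office 365; exit non-zero so a scheduled task can raise an alert on it.
if (($status | Measure-Object -Property Count -Sum).Sum -gt 0) { exit 1 }
```

Schedule it every few minutes under a low-privilege account that has read access to the relay's folders plus write access to Pickup. Anything older than StaleMinutes in Queue means the relay cannot reach Office 365 (wrong credentials, authenticated SMTP disabled on the mailbox, port 587 blocked), and anything in Badmail usually means the From address was rejected.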
With this I can even write a PowerShell script to monitor it if desired. At the very least I'm not depending on some online authentication happening between the NEC and Microsoft, which could fail mid-communication.</p><p>If you haven't set up an IIS SMTP relay before, well, it's pretty easy. Google how to install it if you don't know. I'll give the quick config to make it work with the NEC. I usually do this on my print server or another lightly used server. Note that it does require installation of the IIS role.</p><p></p><ol style="text-align: left;"><li>Add a secondary IP address to the server (don't do this on a DC). I prefer to run each SMTP relay on its own dedicated IP.</li><li>Create a new home directory (used in a later step). I usually put this in C:\Inetpub\New Name. The "new name" I typically make the task that this relay is for, i.e. voicemail or NEC.</li><li>Open Internet Information Services (IIS) 6.0 Manager (after you've installed the required roles, of course)</li><li>Right click on the server name, New, SMTP Virtual Server<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBJjf8PfyNqkrD6BZe8aVoMFwycQ0N9IvTHrO2_l0_r4xBe11RTY7MFhikWQjfxtL1ckhCJH0Ny6qSJzbLChiTmaWFq6fPuppvMxD3gGPYdn6QmJbnMigwDix6P7VFXkMrEEWw2xewMqQ/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="398" data-original-width="420" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBJjf8PfyNqkrD6BZe8aVoMFwycQ0N9IvTHrO2_l0_r4xBe11RTY7MFhikWQjfxtL1ckhCJH0Ny6qSJzbLChiTmaWFq6fPuppvMxD3gGPYdn6QmJbnMigwDix6P7VFXkMrEEWw2xewMqQ/" width="253" /></a></div><br /></li><li>Give it a name. I like to name them the task followed by a dash and the last octet of the IP address assigned in step 1. Example: NEC - .44</li><li>Select the IP assigned to the server in step 1</li><li>Select the home directory we created in step 2</li><li>Enter a domain name. 
I typically make this the server's FQDN. DO NOT make it the domain name of the email these are going to. For instance, if the account you're emailing is voicemail@contoso.com then you would not want to enter contoso.com, or the emails will go into the "Drop" folder because the relay treats it as a "local" address. In my case the FQDN is different from the email domain so I enter the FQDN :) If your emails are going to the Drop folder (more on this in a minute) then check this.</li><li>OK and you'll be presented with a new pretty SMTP relay<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSMVyfB64p4yem-v4jb8MeQ2NJaq_t4G0ZNptBvKGPWRrUeAg1bvXzigWpQgLla8xSKB6Ge_95ARlRnogl3l8o0YMxU40udeRwRyfbG5pzakzrcwSBby7uf90ZZiJiD6G1yokz4r6i3N8/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="67" data-original-width="198" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSMVyfB64p4yem-v4jb8MeQ2NJaq_t4G0ZNptBvKGPWRrUeAg1bvXzigWpQgLla8xSKB6Ge_95ARlRnogl3l8o0YMxU40udeRwRyfbG5pzakzrcwSBby7uf90ZZiJiD6G1yokz4r6i3N8/" width="320" /></a></div><br /></li><li>Right click on the "NEC - .44" virtual server and select Properties</li><li>Ensure "Limit number of connections to" is unchecked</li><li>On the Access tab, click Relay, select "Only the list below", add the NEC IP address, and uncheck "Allow all computers which successfully authenticate to relay". This list is the control that keeps the box from being an open relay: any host on it can send as any address through your Office 365 account, so keep it to the NEC.</li><li>Messages tab. I change the limit message size and session size to 20480 (i.e. 20MB).</li><li>Delivery tab, I change the expiration timeout to 4 days. </li><ol><li>Outbound security. This will depend somewhat on where it's going, but in my case I require authentication. This will mostly depend on how you set up your SMTP relay using the Microsoft link earlier in this post. As you can see, we're moving the Microsoft Option 1, 2 or 3 to here. 
So the SMTP relay is the one authenticating with Exchange Online instead of the NEC.</li><ol><li>So, I change this to Basic Authentication and enter the username of my voicemail account and its password. That credential now lives in the IIS metabase on this server, so use a dedicated mailbox with no other roles and treat the server as a credential store.</li><li>Check the TLS Encryption option so the credential is never sent in the clear</li></ol><li>Outbound Connections, change TCP Port to 587</li><li>Advanced, change the Smart Host to smtp.office365.com</li><li>Hit OK to exit out of the properties.</li></ol><li>Restart the Simple Mail Transport Protocol service (not sure if this is required)</li><li>Now we test it.</li><li>Make a file on the desktop of the server (or anywhere) named Test email. Remove the file extension so that it's extensionless. </li><li>Open the file with Notepad or Notepad++</li><li>Enter the following 4 lines. Notice there are no spaces</li><ol><li>To:myemail@contoso.com</li><li>From:Voicemail@contoso.com</li><ol><li>If you're using Option 1 from MS then the email address entered must match EXACTLY the account you're using to send voicemail.</li><li>With Option 2 and 3 it must match an email address in your Exchange Online environment (so it can be a dist list), but note that means step 14 Outbound security will be different as well. 
(maybe I'll change mine and update this post at a later date)</li></ol><li>Subject:Test</li><li>Test Test (this is line 4, the message body; a blank line between Subject and the body is the standard header/body separator, so add one if the message arrives with an empty body)<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIHGHdPEmE-f6enYbyBFHkm9fB-8jHC-3nvq3PRIDJFlGan4nTdw7fytHbalUROTEf8sIBA7ekq-Pp4reHZyTh8d7egujHrK9sEDIHgiiUpJP4LS45d9lgebkEAezB7rJ2z8VOcqEMQB0/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="123" data-original-width="303" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIHGHdPEmE-f6enYbyBFHkm9fB-8jHC-3nvq3PRIDJFlGan4nTdw7fytHbalUROTEf8sIBA7ekq-Pp4reHZyTh8d7egujHrK9sEDIHgiiUpJP4LS45d9lgebkEAezB7rJ2z8VOcqEMQB0/" width="320" /></a></div><br /></li></ol><li>Save the file</li><li>Create a copy of the file</li><li>Open File Explorer to C:\inetpub\voicemail\pickup and drag and drop the copy you just made into the folder.<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQGLytDElvMgRNSbDu7xuuXONvLJ5WfD-q_N633wW-YVg0BoxGE4e8HAiOuXGISV3EiZWCSYHW1hnPflx7kXVT2HonW_urtxom9TOLFOTPjsB7CzdeDaVEe7bW14kG-lV9usP7OZDzmbw/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="409" data-original-width="982" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQGLytDElvMgRNSbDu7xuuXONvLJ5WfD-q_N633wW-YVg0BoxGE4e8HAiOuXGISV3EiZWCSYHW1hnPflx7kXVT2HonW_urtxom9TOLFOTPjsB7CzdeDaVEe7bW14kG-lV9usP7OZDzmbw/w640-h266/image.png" width="640" /></a></div></li><li>It will instantly disappear.</li><li>Go to the C:\inetpub\voicemail\drop and badmail directories to see if it's there (hopefully not). If not then you probably got the email.</li><li>If it's in Queue then something doesn't match up properly and it's gone into retry mode. This could be that the credentials are wrong, there is no path out, you didn't set up Office 365 properly, etc. 
Basically, it can't deliver to Office 365. If you wait long enough (4 days) it will eventually move to badmail.</li><li>If it's in badmail, then the most likely issue is that the From email address doesn't match up properly and it was rejected. </li><li>If it's in Drop, then from my experience this typically means I forgot my own advice and made the SMTP virtual server domain the same as my email domain. To fix this expand the tree, and in the right window double click and change the domain.<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi11CjBhPZHg7Bwk6BhzGNMfLzZYuPfRh0UHLosZ8PhfQbqmnL4-DnesGlsdcLwsWZLAjlWRChF1nXz8gdd0-Vc3COTSCqe28Yb_BhYd_Lf192X5Cjv9XmHkM70qoOe-I7zAIhKjYwrRn8/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="199" data-original-width="702" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi11CjBhPZHg7Bwk6BhzGNMfLzZYuPfRh0UHLosZ8PhfQbqmnL4-DnesGlsdcLwsWZLAjlWRChF1nXz8gdd0-Vc3COTSCqe28Yb_BhYd_Lf192X5Cjv9XmHkM70qoOe-I7zAIhKjYwrRn8/w640-h182/image.png" width="640" /></a></div><br /></li></ol><p></p><p>So what was the point of this post? This is all over the googles if you search for it... I intend for this to be one more post that shows up on the googles when people like me search for setting up inMail with Office 365, so that others hopefully don't run into the random-missing-voicemail-when-all-appears-to-be-working OHCRAP moment. My failure is online so hopefully you don't have this failure.</p><p>Have a better option? Post it! </p>Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-83296828223811100932021-10-20T16:36:00.005-06:002022-01-12T11:16:32.287-07:00IIS 7 SSL Cert - There was an error while performing this operation<p>It was that exciting time of year again, SSL Cert renewal time! 
</p><p>I say exciting, because it never fails that when cert renewal time comes up I hit my head against some issue (I suspect it's the exact same issue year after year and I just don't remember).</p><p>This time, changing the cert in IIS 7, I'm greeted with "There was an error while performing this operation. Details: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)"</p><p>It should be noted that when this occurred the site went down! I was able to select the old cert and hit OK and all was well again. Select the new cert, OK, and error with the site down again.</p><p>NOTE: I have since found another way to produce this issue with its own fix. I have modified the below with Fix 1 and Fix 2. You may have to do BOTH of the below, as I recently discovered.</p><p>I found a lot of solutions out there and I'm sure they work, but I didn't see the easy one that worked for me. I also found some that say the solution is that you have to have "export private key" checked when importing the certificate (note that this IS NOT NEEDED, and a non-exportable key is the better default: it cannot be copied off the server through the normal certificate tools).</p><p><br /></p><p>FIX 1: I had my certificate imported from a pfx without the option for export private key. It was stored under Local Computer - Web Hosting (this is true of the old cert and the new cert).</p><p>In the binding screen I selected the "Localhost" certificate. 
Hit OK</p><p></p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZX5PSKPH9nOYcldly2ZcCIjAe_leXIpDUZLDk78Q6KTNRtqpMjWfmt8ZMpWKSOiVd8Pp-C62vphQUhCoruoRRjmZ-JdkTIMah8f7hEA0tRJDNNUvyQJ3tLRZGvOhS2uIIM6yLXBpm9rs/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="314" data-original-width="527" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZX5PSKPH9nOYcldly2ZcCIjAe_leXIpDUZLDk78Q6KTNRtqpMjWfmt8ZMpWKSOiVd8Pp-C62vphQUhCoruoRRjmZ-JdkTIMah8f7hEA0tRJDNNUvyQJ3tLRZGvOhS2uIIM6yLXBpm9rs/w400-h239/image.png" width="400" /></a></div><br /><br /></div><br /><br /><p></p><p>I then immediately hit Edit again, selected the new certificate from the drop-down and hit OK. Click Close, go to your site and verify it's using the new cert.</p><p><br /></p><p>FIX 2: I had a new certificate that I imported via the IIS Server Certificates option. No matter what, I would continue to get the error following my directions above. I found a post online where a commenter mentioned that they had to import from MMC rather than IIS. I deleted the cert that I had imported via IIS, opened a command prompt and typed mmc, then File - Add/Remove Snap-in - Certificates - Computer Account - OK. Expand Web Hosting - Certificates. Right click, Import my new cert, changing the file type to *.* and selecting the cert. DO NOT check the box for exportable. After the import, check that the new entry shows a private key (the key overlay on its icon in the snap-in); without one the binding will fail whichever fix you apply.</p><p>Then went back to IIS and followed my FIX 1 steps. Worked great.</p><p><br /></p><p>No error, very minimal downtime (while the localhost cert is selected). Happy happy</p><p>Now, will I remember this next year? Or remember to check my blog notes? 
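For the record (and for next year), here are the same two procedures from PowerShell: the GoDaddy post's "complete the request with the PEM, then export a PFX" and this post's "import into Web Hosting without an exportable key, then rebind". This is an added example, not code from either post. It assumes the CSR was generated in IIS on the same machine, that the files live in C:\certs, that the site is 'Default Web Site' with an SNI binding for www.contoso.com on 443, and that the PKI and WebAdministration modules are available; those names are placeholders. The HasPrivateKey check is the one to run when you hit the 0x80070520 error: a certificate entry with no usable private key cannot be bound, whichever store it sits in.

```powershell
# Added example (not from either post): complete the pending IIS request with the PEM,
# export a PFX with the chain, import it into Web Hosting non-exportable, and rebind.
# Paths, site name and host name are placeholders.
param(
    [string] $PemPath    = 'C:\certs\certificate.pem',
    [string] $ChainPath  = 'C:\certs\intermediate.p7b',
    [string] $PfxPath    = 'C:\certs\site.pfx',
    [string] $SiteName   = 'Default Web Site',
    [string] $HostHeader = 'www.contoso.com'
)
Import-Module WebAdministration

# --- GoDaddy post: complete the pending request and export a PFX ---
# certreq -accept pairs the issued certificate with the pending request's private key in the
# machine store, which is exactly what "Complete Certificate Request" does in IIS Manager.
certreq.exe -accept -machine $PemPath | Out-Null
# The intermediate has to be in the CA store for the exported PFX to carry the full chain.
Import-Certificate -FilePath $ChainPath -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$HostHeader*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $HostHeader in LocalMachine\My" }

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# --- IIS post: import into Web Hosting with a non-exportable key and rebind ---
# No -Exportable switch: the key stays non-exportable, which the post notes is all you need.
$hosted = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\WebHosting -Password $pfxPassword
if (-not $hosted.HasPrivateKey) { throw 'Imported certificate has no private key; the binding would fail' }

$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostHeader
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostHeader -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostHeader
}
# Second argument is the store the certificate lives in: 'WebHosting' here, 'My' for Personal.
$binding.AddSslCertificate($hosted.Thumbprint, 'WebHosting')

# Verify what HTTP.sys is actually serving now, thumbprint and store included.
netsh http show sslcert | Select-String -Pattern $hosted.Thumbprint, 'Certificate Store Name'
```

Delete the PFX once the import is done; it is the private key in portable form. Because the import goes straight to Web Hosting with a non-exportable key, nothing here repeats the MMC steps from Fix 2 by hand, and the final netsh line shows the thumbprint HTTP.sys actually bound rather than what IIS Manager thinks it bound.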
Probably not.</p>Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-32445873904243073072020-07-16T08:43:00.002-06:002023-02-21T16:01:58.278-07:00Trend Micro Worry Free Business - very slow opening of appsWe recently switched from Webroot to Trend Micro Worry Free (I now believe this was a mistake). Almost immediately I started getting reports of "computer slowness" and started noticing it myself. Primarily I had issues with OneDrive failing to synchronize, Chrome and Edge (Chromium) opening very slowly, clicking links in emails (again, opening browsers) being slow, a long delay logging into Windows after a reboot, slow loading of additional tabs / webpages, and other areas.<br />
<br />
This appears to be a well-known issue when using Trend Micro with the "Unauthorized Change Prevention Service". Watching Task Manager while doing many of these tasks, I could see this service jump to the top.<br />
Unfortunately, many of the TM options depend on this service, but at the end of the day I'm a firm believer that machines need to be speedy, so I disabled the service. Note: I also disabled Behavior Monitoring, as it depends on this service. Be clear about what that costs: Behavior Monitoring is the layer that catches ransomware-style encryption and exploit behaviour that signatures miss, so a client without it is relying on signature and web-reputation scanning alone. If you can, try excluding the slow applications (browsers, OneDrive) from Unauthorized Change Prevention first, and only disable it where the exclusions don't help.<br />
<br />
If you're reading this while "thinking" of moving to Trend Micro I would advise you to take a test drive first. I've found several issues which support is working through, but it's been a bumpy road.<br />
<br />
<ol>
<li>Extreme slowdown when scheduled scans run (as opposed to what we're used to seeing with Webroot).</li>
<li>Unauthorized Change Prevention Service slowdown.</li>
<li>Issue with builds prior to 6.7.1319 being unable to restore to domain OU's.</li>
<li>Issue with many of our installs prior to 6.7.1319 being unable to update to latest build automatically - support still looking into issue.</li>
</ol>
Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-90732993293806007912020-06-02T21:24:00.000-06:002023-02-21T16:02:10.121-07:00Dot net 3.5 install errorI've had lots of issues in the past with being unable to install .NET 3.5 on Windows 10. Typically, I can easily download the Win10 ISO, mount it, and use DISM with the /Source switch. Today I ran into 2 laptops running Windows 10 where I kept getting errors.<br />
<br />
With the ISO mounted I still received "the source files can't be found". This was with the latest Win10 ISO download.<br />
<br />
Checked WSUS and feature on demand is checked.<br />
<br />
The easy fix is to bypass WSUS temporarily (and put it back afterwards: a client left at 0 stops receiving your approved updates from WSUS and fetches whatever Microsoft Update offers)...<br />
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU<br />
UseWUServer set to 0<br />
Reboot<br />
Install Dot Net 3.5<br />
Set UseWUServer back to 1<br />
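The same bypass as a script, added here as an example (not from the original post). The try/finally guarantees UseWUServer goes back to its original value even if the feature install fails, which is the part that is easy to forget by hand. It restarts the Windows Update service instead of rebooting between the steps; that is usually enough for the client to re-read the policy, but treat it as an assumption and reboot if DISM still cannot find the source. It also assumes the WindowsUpdate\AU policy key exists because WSUS is set by Group Policy.

```powershell
# Added example (not from the original post): install .NET Framework 3.5 while temporarily
# pointing the Windows Update client away from WSUS, and always restore the policy value.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$orig  = (Get-ItemProperty -Path $auKey -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
if ($null -eq $orig) { throw "UseWUServer not found under $auKey; this machine is not WSUS-managed" }

try {
    # 0 = contact Microsoft Update directly for this one operation.
    Set-ItemProperty -Path $auKey -Name UseWUServer -Value 0 -Type DWord
    Restart-Service -Name wuauserv -Force   # assumption: enough for the client to re-read the policy

    $state = (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State
    if ($state -eq 'Enabled') {
        Write-Host '.NET Framework 3.5 is already enabled'
    } else {
        # Equivalent of: DISM /Online /Enable-Feature /FeatureName:NetFx3 /All
        $result = Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -NoRestart
        Write-Host ".NET 3.5 install finished; restart needed: $($result.RestartNeeded)"
    }
}
finally {
    # Restore WSUS even if the install threw. Leaving this at 0 silently detaches the machine
    # from your patch management, which is a compliance gap nobody notices until an audit.
    Set-ItemProperty -Path $auKey -Name UseWUServer -Value $orig -Type DWord
    Restart-Service -Name wuauserv -Force
}
```

Run it from an elevated PowerShell. If Group Policy has "Specify settings for optional component installation" set to use WSUS, that policy still has to allow Windows Update as the repair source, which is the check to make when the feature install fails with the registry value already at 0.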
rebootAaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-92206305243875230432020-03-30T18:29:00.002-06:002023-02-21T16:13:14.393-07:00Windows Server 2016 RDSH - Start Menu stops workingOn our farm of Windows Server 2016 RDSH (Remote Desktop Session Host) I've had seemingly random issues with the start menu stopping working. This likely correlates with a Windows update being applied, but it's hard to tell as you do not always know immediately that it's stopped working (users complain days later or never complain and you notice when doing other maintenance, etc).<br />
<br />
Searching the internet you find a number of solutions, but the craziest (in my opinion) solution I found was the one that actually worked! <br />
<br />
In this post user MrManual says to delete and recreate a registry key dealing with the Firewall. One, like me, would think this crazy and continue on trying all the other solutions only to have the issue remain (or return shortly).<br />
<br />
Finally, figuring it's better to try a crazy solution than rebuild the server, I open PowerShell and give it a go. The key is part of the Windows Firewall's service-restriction policy, so export it from Registry Editor first so you can put it back:<br />
<br />
<blockquote><div>Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System"</div><div>New-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System"</div></blockquote><br />
<br />
Click start menu and GASP it opens!<br />
<br />
Note: other ideas on the thread do work, but seemingly only temporarily. I still suspect this has something to do with User Profile Disks (UPDs), which I am not a fan of.<br />
On the note of UPDs, one might ask "if you hate UPDs so much why not switch to FSLogix? I mean, it is free after all..."<br />
<a href="https://blogs.microsoft.com/blog/2018/11/19/microsoft-acquires-fslogix-to-enhance-the-office-365-virtualization-experience/">https://blogs.microsoft.com/blog/2018/11/19/microsoft-acquires-fslogix-to-enhance-the-office-365-virtualization-experience/</a><br />
<br />
<a href="https://www.brianmadden.com/opinion/Microsoft-FSLogix-free-to-all-customers">https://www.brianmadden.com/opinion/Microsoft-FSLogix-free-to-all-customers</a>Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com1tag:blogger.com,1999:blog-2540632746780972939.post-76888429568918709832020-03-21T19:45:00.001-06:002020-10-05T09:24:41.073-06:00Dell Latitude 7480 / 7490 loud fan issueWe have a lot of Dell Latitude 7480 / 7490 laptops deployed. When I first got them in we had lots of issues and complaints about the loud fan speed. Under load this is understandable, but many times this would be with no load. This is a common issue early on for these models as one can see from the numerous posts online:<br />
<br />
<a href="https://www.dell.com/community/Latitude/fan-noise-and-heat-Dell-Latitude-7490/td-p/7439643">https://www.dell.com/community/Latitude/fan-noise-and-heat-Dell-Latitude-7490/td-p/7439643</a><br />
<br />
<a href="https://www.dell.com/community/Latitude/Dell-7480-and-Dell-5480-fan-noise-and-heating-issue-on-more-than/td-p/6072570">https://www.dell.com/community/Latitude/Dell-7480-and-Dell-5480-fan-noise-and-heating-issue-on-more-than/td-p/6072570</a><br />
<br />
<a href="https://www.dell.com/community/Latitude/Latitude-7490-Overheating/td-p/6073431">https://www.dell.com/community/Latitude/Latitude-7490-Overheating/td-p/6073431</a><br />
<br />
<br />
In the past when I would get one of these laptops it was a matter of ensuring the BIOS was up to date and the issue would be gone. Lately, my own laptop (7490) started having a high-pitched, fast fan noise. Of course I remembered right away that I had recently updated the BIOS to 1.13.1.<br />
I quickly decided to do a BIOS downgrade to 1.11.0 to see if that would help.<br />
<br />
No more loud fan noise at this point... Having issues with your fan always running at top speed? Try an older BIOS version and call your Dell rep to complain. Keep in mind that a BIOS downgrade also rolls back whatever firmware and microcode fixes shipped with the newer release, so treat it as a stopgap rather than a permanent fix.<div><br /></div><div><br /></div><div>UPDATE:</div><div>I recently allowed a BIOS update to install and the issue came back on a Latitude 7490.</div><div>I then installed the Dell Power Manager application and found a section called "Thermal Management". Choosing "Quiet" under this section instantly made the computer more bearable.</div>Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-67187280062089438002019-09-15T13:21:00.003-06:002021-10-20T16:38:56.333-06:00Have a device (Roku or other) that won't connect to wifi?I have a sister-in-law who bought a new Roku Express this weekend. She spent 4 hours fighting an issue where it wouldn't connect to her wifi, claiming that the passcode was incorrect. She searched forums and called Xfinity support and Roku support, all to no avail. She found advice to enter the MAC address in the router, which didn't help. Reset her router passcode? But why, when every other device is working on the wifi just fine with that passcode. Change the WPA2 AES settings to something else? Again, why, when the other devices are working fine.<br />
<br />
Finally she decides to call me. After about 20 seconds looking at her router settings I advise making the 2.4GHz and 5GHz wifi networks the same password. Since the Roku Express only supports 2.4GHz it's trying to connect to 2.4, but since the two bands have different passcodes and the same SSID there is nothing indicating to her that she needs to enter the 2.4GHz passcode. In fact she didn't even know it, or that there was ANY difference, as Xfinity staff set it up.<br />
<br />
Immediately this resolved the issue.<br />
<br />
Make them the same SSID and passcode and let it just work. The device will connect to the frequency it wants / supports and the end user doesn't need to care. Or if you insist on different passcodes for some reason, make the SSIDs different as well, as a visual indicator.Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-84866366460424408152019-06-27T16:07:00.002-06:002019-06-27T16:07:46.653-06:00Testing your website for weak ciphers and protocolsWith recent deployments and integrations of systems I have had to ensure that several websites are secure. After digging around and setting registry keys I figured someone else has done this already, so I started looking for a quick script.<div>
<br /></div>
<div>
Better yet, I found this handy software:</div>
<div>
<a href="https://www.nartac.com/Products/IISCrypto">https://www.nartac.com/Products/IISCrypto</a></div>
<div>
<br /></div>
<div>
These guys have it set up so you can set the Schannel protocols and the cipher suites, plus their order.</div>
<div>
Then click the site scanner and you'll see the familiar Qualys SSL Labs site. <a href="https://www.ssllabs.com/ssltest/index.html">https://www.ssllabs.com/ssltest/index.html</a></div>
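<div>IIS Crypto and SSL Labs are the comfortable way to do this. When the server is internal and SSL Labs cannot reach it, or you want the check in a script, the following added example (mine, not from IIS Crypto or the original post) does the two halves separately: it reads the Schannel protocol keys that IIS Crypto writes on the local server, then handshakes with the site one protocol version at a time to see what it actually accepts. The host name and port are placeholders; only probe sites you are responsible for.</div>

```powershell
# Added example, not part of the original post. $TargetHost/$TargetPort are placeholders.
param(
    [string]$TargetHost = 'www.example.com',
    [int]$TargetPort    = 443
)

# --- 1. What the local server's Schannel registry says (this is what IIS Crypto edits) ---
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelServerState {
    foreach ($p in $protocols) {
        $key = "$schannel\$p\Server"
        $v   = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        # No key, or no Enabled value, means the OS default applies. That is not the same
        # thing as "disabled", so report it as such rather than guessing.
        $state = if ($null -eq $v -or $null -eq $v.Enabled) { 'OS default' }
                 elseif ($v.Enabled -eq 0)                    { 'disabled' }
                 else                                         { 'enabled' }
        [pscustomobject]@{
            Protocol          = $p
            Enabled           = if ($v) { $v.Enabled } else { $null }
            DisabledByDefault = if ($v) { $v.DisabledByDefault } else { $null }
            State             = $state
        }
    }
}

# --- 2. What the site negotiates when offered exactly one protocol version ---
function Test-TlsProtocol {
    param([string]$HostName, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate: this probe is about protocol negotiation, not trust.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Offered = $Protocol; Accepted = $true; Negotiated = $ssl.SslProtocol
            Cipher  = $ssl.CipherAlgorithm; KeyExchange = $ssl.KeyExchangeAlgorithm; Error = $null
        }
    } catch {
        # Either the server refused the version or this client's own stack would not offer it.
        [pscustomobject]@{
            Offered = $Protocol; Accepted = $false; Negotiated = $null
            Cipher  = $null; KeyExchange = $null; Error = $_.Exception.GetBaseException().Message
        }
    } finally {
        $tcp.Dispose()
    }
}

'== Local Schannel server-side protocol settings =='
Get-SchannelServerState | Format-Table -AutoSize

"== Handshake probe against ${TargetHost}:$TargetPort =="
# Only offer versions this machine's .NET/Schannel stack knows about (Tls13 needs .NET 4.8+).
$known = 'Ssl3', 'Tls', 'Tls11', 'Tls12', 'Tls13'
[Enum]::GetNames([System.Security.Authentication.SslProtocols]) |
    Where-Object { $known -contains $_ } |
    ForEach-Object { Test-TlsProtocol -HostName $TargetHost -Port $TargetPort -Protocol $_ } |
    Format-Table -AutoSize
```

<div>Read the two tables together. A protocol that the registry says is disabled but the probe still accepts usually means the change has not taken effect yet (Schannel settings need a restart). The reverse, an old version the probe reports as refused, may just be the probing machine refusing to offer it, so a clean SSL Labs result from outside is still the final word.</div>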
<div>
<br /></div>
<div>
<br /></div>
Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-72606380029868542422019-02-18T11:54:00.002-07:002023-02-21T16:13:25.418-07:00Wyse ThinOS and RD Gateway with Broker - External AccessThe other day I was able to get my hands on a Dell Wyse 3040 with ThinOS unit. I wanted to test out connecting to a Windows Remote Desktop Gateway with Connection Broker and RDSH from home. My intended end users are at remote sites with VPN connections, but I had other ideas for some remote workers to utilize these devices (without VMWare or Citrix) to connect in.<div>
<br /></div>
<div>
This post isn't about setting up RDSH, RDGateway, etc. This is in line with getting ThinOS 8.6+ working with your RD Gateway and RD Connection Broker to RDS Hosts. Something that in hindsight was very easy, but took me a bit to weed through the online posts, ini settings, etc.</div>
<div>
<br /></div>
<div>
I used Wyse Management Suite to configure the device (online trial). This has been a great option and works very well. For production I will be deploying WMS Standard onsite.</div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">Windows Remote Desktop environment layout:</span></b></div>
<div>
The environment consists of the following layout. </div>
<div>
<ul>
<li>All servers running Windows Server 2016</li>
<li>1 server with RD Gateway and Web installed together. We'll refer to this as rds.externaldomain.com</li>
<li>1 server with Connection Broker installed (NOT in HA config)</li>
<li>2 servers running RDSH and the desktop being published - Collection Name: Desktop Resources</li>
<li>Dell Wyse 3040 ThinOS 8.6_013 connected to my home network. NO VPN to main datacenter.</li>
</ul>
<div>
<b><span style="font-size: large;">Goal:</span> </b>To get the 3040 to connect through the rds.externaldomain.com and broker the connection to the proper RDSH server. I want it to prompt the user for login upon boot and upon disconnect to logout of the gateway and prompt for login again (Shared workstation).</div>
</div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">WYSE config:</span></b></div>
<div>
I'm going to break this down by section in the WMS portal. Then I will do my best to put the wnos.ini out. Obviously there are other areas to configure, I'm just giving the basics for the RDGateway to work.</div>
<div>
<br /></div>
<div>
<b>Security:</b></div>
<div>
Require Domain Login: First area of interest to me was to disable the "Require domain login". I want the thin client to load and prompt with the connection to the RD Gateway. </div>
<div>
<br /></div>
<div>
Certificates: Depending on the CA you used on your Gateway you'll need to import the certificates. I used GoDaddy so I had to get the .cer for the root and the intermediate (the "GoDaddy Secure CA"). This was as easy as going to my site, viewing the certs, and then downloading (copy to file) the GoDaddy Root CA and GoDaddy Secure CA to files. From there you upload both files in the Apps &amp; Data tab under the File Repository (select certificate for the type).</div>
<div>
Now you can check the option for certs and you will see all of the certs you need listed.</div>
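<div>Copying the two CA certs out of the browser works but is fiddly, and with TLSCheckCN turned on you also want to be sure the certificate's name actually matches the FQDN the thin client will dial. The script below is an added example, not from the post or from Dell: it fetches the gateway's certificate, walks the chain, writes every CA in the chain out as a DER .cer ready for the WMS file repository, and checks the SAN for the gateway name. The host name and output folder are placeholders, and the "DNS Name=" text it looks for is what Windows emits in an English locale.</div>

```powershell
# Added example, not part of the original post. Placeholders: $GatewayFqdn, $OutDir.
param(
    [string]$GatewayFqdn = 'rds.externaldomain.com',
    [string]$OutDir      = 'C:\Temp\WyseCerts'
)

# Grab the leaf certificate the gateway presents. The callback accepts anything because
# the chain is validated explicitly below, where the result can be reported.
$tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($GatewayFqdn)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$tcp.Close()

# Build the chain the way a client would, minus the CRL round trip.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($leaf)

# Export every CA in the chain (root and intermediates) as DER .cer files for WMS.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$exported = foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    if ($c.Thumbprint -eq $leaf.Thumbprint) { continue }   # ThinOS needs the CAs, not the leaf
    $cn   = $c.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false) -replace '[^\w\s\-\.]', ''
    $file = Join-Path $OutDir "$cn.cer"
    [System.IO.File]::WriteAllBytes($file, $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    [pscustomobject]@{ File = $file; Subject = $c.Subject; NotAfter = $c.NotAfter; IsRoot = ($c.Subject -eq $c.Issuer) }
}

# TLSCheckCN=Yes means the client compares the name it dialed with the certificate,
# so check the SAN (and, for old certs, the CN) for the gateway FQDN.
$sanExt  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$nameOk  = ($sanText -match [regex]::Escape("DNS Name=$GatewayFqdn")) -or
           ($leaf.Subject -match "CN=$([regex]::Escape($GatewayFqdn))(,|$)")

[pscustomobject]@{
    Gateway     = $GatewayFqdn
    ChainBuilt  = $chainOk
    ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    NameMatches = $nameOk
    LeafExpires = $leaf.NotAfter
}
$exported | Format-Table -AutoSize
```

<div>Upload the files it writes as the certificate type in Apps &amp; Data, as described above. An empty ChainStatus and NameMatches of True is what you want; if ChainStatus shows PartialChain the gateway is not sending its intermediate and the thin client will fail the same way a browser without that CA cached would.</div>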
<div>
<br /></div>
<div>
Security Policy: I set mine to Full</div>
<div>
TLSCheckCN: enabled</div>
<div>
VNC: I turned on VNC to allow ease of testing</div>
<div>
<br /></div>
<div>
<b>Visual Experience:</b></div>
<div>
Action after all sessions exit: "sign off automatically"</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>Microsoft Broker:</b></div>
<div>
Broker Server: https://rds.externaldomain.com</div>
<div>
This should be set to your gateway server. Include the https:// but do not include anything past the FQDN.</div>
<div>
<br /></div>
<div>
Sessions to connect automatically: Desktop Resources</div>
<div>
This is the collection name. Since in this case I'm pushing out a collection of desktops there is only the collection name and not app names. </div>
<div>
<br /></div>
<div>
<b>Microsoft RDP Settings:</b></div>
<div>
Enable NLA: Enabled </div>
<div>
In my environment I have this on for all servers.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
That's it. Restart the device to apply and test it out. Notice that when you logout it puts the workstation back at the login screen, perfect for shared workstations!</div>
<div>
Note that I did NOT put any Direct RDP Connections in as this isn't needed.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Here's the device's wnos.ini as delivered from WMS.</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
Signon=Yes SaveLastDomainUser=no LastUserName=No<br />DisableDomain=Yes<br />FastDisconnect=No<br />AddCert="Go Daddy Root CA - G2.cer"<br />AddCert="Go Daddy Secure CA - G2.cer"<br />SignOn=No ExpireTime=0 RequireSmartCard=No SCRemovalBehavior=0 DisableGuest=No<br />SecurityPolicy=full SecuredNetworkProtocol=Yes TLSMinVersion=1 TLSMaxVersion=3 DNSFileServerDiscover=Yes TLSCheckCN=Yes<br />AutoSignoff=10 Shutdown=no Reboot=no<br />ShutdownCounter=0<br />SysMode=Classic toolbarclick=No ToolBarAutoQuit=No EnableLogonMainMenu=No<br />Desktop=No<br />AutoLoad=2 VerifySignature=yes<br />ConnectionBroker=MICROSOFT \<br />host=https://rds.externaldomain.com AutoConnectList="Desktop Resources"<br />SessionConfig=all \<br />Reconnect=0<br />SessionConfig=rdp \<br />EnableNLA=yes EnableRecord=no EnableRFX=yes EnableTSMM=no ForceSpan=no enablegfx=no EnableUDP=yes EnableVOR=yes USBRedirection=rdp defaultcolor=2 MaxBmpCache=128 RDPScreenAlign4=no AutoDetectNetwork=yes EnableRdpH264=yes </blockquote>
</div>
<div>
<br /></div>
Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com1tag:blogger.com,1999:blog-2540632746780972939.post-11567747113669658892018-09-18T12:13:00.001-06:002018-09-18T15:34:52.341-06:00Office 365 "Belongs to:" incorrect / activationWhen reprovisioning laptops and desktops that use Office 365 installations, the subscription login doesn't update properly. Although this can be fixed, as suggested by many, by logging into the old user's OWA account, going to Install Status, and deactivating, that doesn't help when the user account no longer exists.<br />
The user can wait the 31 days until it begins to complain that it's unlicensed, but that's not good product administration in my opinion. I don't want my users to have to worry about it, period.<br />
<br />
Logging out on the account page and logging back in also does not update the "belongs to" field.<br />
<br />
Options:<br />
<br />
<ul>
<li>Reinstall Office - wow, what a waste of time for something that should be easy</li>
<li>Do an online repair - Again, this works, but it takes awhile depending on your connection.</li>
<li>Run a quick script - YAY (but again, what the heck is MS thinking, this should be easy!)</li>
</ul>
<div>
Thanks to our good friends over at Spiceworks and in particular Marcragusa for this post.</div>
<div>
<a href="https://community.spiceworks.com/topic/1790625-how-to-change-office-365-desktop-install-licensee" target="_blank">https://community.spiceworks.com/topic/1790625-how-to-change-office-365-desktop-install-licensee</a></div>
<div>
<br /></div>
<div>
Additionally, there is a lot out there covering this once you know it's an issue.</div>
<div>
<a href="https://blogs.technet.microsoft.com/odsupport/2015/05/01/how-to-reset-an-office-365-install-to-the-initial-activationinstall-state/" target="_blank">https://blogs.technet.microsoft.com/odsupport/2015/05/01/how-to-reset-an-office-365-install-to-the-initial-activationinstall-state/</a></div>
<div>
<br /></div>
<div>
Open up a cmd prompt as administrator:</div>
<div>
<ul>
<li>cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" /dstatus</li>
<li>then run</li>
<li>cscript.exe "%ProgramFiles(x86)%\Microsoft Office\Office16\ospp.vbs" /unpkey:XXXXX</li>
</ul>
</div>
<div>
<br />
I have to do this fairly often so I slapped together a weak PowerShell file with this. Since I'm not overly skilled with PS I have to retype the last 5 of the key back in, but at least I don't have to remember the commands. Maybe someone can take the output of the first one and pull out the last 5 for the second command automagically.<br />
<br />
<blockquote class="tr_bq">
# Show the installed licenses; note the "Last 5 characters of installed product key" line<br />
$ospp = "${env:ProgramFiles(x86)}\Microsoft Office\Office16\ospp.vbs"<br />
cscript.exe $ospp /dstatus<br />
$prodkey = Read-Host "Enter the last 5 characters of the product key"<br />
# Remove that key (Invoke-Command is not needed for a local command)<br />
cscript.exe $ospp "/unpkey:$prodkey"</blockquote>
</div>
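<div>Taking the author up on the "automagically" request: the script below is an added example, not part of the original post. It runs ospp.vbs /dstatus, parses every license block into its name, status and the last five characters of the key, and only removes keys when you pass -Remove. It looks in both Program Files folders because Click-to-Run Office can live in either. The -LicenseFilter default of 'O365' is my assumption about what the subscription license name contains; check the /dstatus listing before trusting it.</div>

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell.
param(
    [string]$LicenseFilter = 'O365',   # assumption: the subscription license name contains O365
    [switch]$Remove                    # without this switch the script only reports
)

# Click-to-Run Office 2016/2019/365 lands in one of these two folders.
$ospp = @("$env:ProgramFiles\Microsoft Office\Office16\ospp.vbs",
          "${env:ProgramFiles(x86)}\Microsoft Office\Office16\ospp.vbs") |
        Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $ospp) { throw 'ospp.vbs not found; is Office 2016 or later installed?' }

function Get-OfficeLicense {
    # /dstatus prints one block per license separated by rows of dashes; split on those
    # and keep only blocks that describe a license.
    $text   = & cscript.exe //Nologo $ospp /dstatus | Out-String
    $blocks = $text -split '-{20,}' | Where-Object { $_ -match 'LICENSE NAME:' }
    foreach ($b in $blocks) {
        [pscustomobject]@{
            LicenseName = [regex]::Match($b, 'LICENSE NAME:\s*(.+)').Groups[1].Value.Trim()
            Status      = [regex]::Match($b, 'LICENSE STATUS:\s*(.+)').Groups[1].Value.Trim()
            Last5       = [regex]::Match($b, 'Last 5 characters of installed product key:\s*([A-Z0-9]{5})').Groups[1].Value
        }
    }
}

$licenses = @(Get-OfficeLicense)
$licenses | Format-Table -AutoSize

# Only the subscription license(s) that actually have a key installed are candidates.
$targets = @($licenses | Where-Object { $_.LicenseName -like "*$LicenseFilter*" -and $_.Last5 })
if (-not $Remove) {
    "Would remove $($targets.Count) key(s): $($targets.Last5 -join ', ')  (re-run with -Remove to do it)"
    return
}
foreach ($t in $targets) {
    "Removing $($t.Last5) ($($t.LicenseName))"
    & cscript.exe //Nologo $ospp "/unpkey:$($t.Last5)"
}
'Done. Open an Office app and sign in as the current user to re-activate.'
```

<div>The dry run is the default on purpose: /unpkey deactivates whatever you point it at, and on a machine with a volume-licensed Visio or Project alongside the subscription you do not want those removed by accident. Check the listing, then re-run with -Remove.</div>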
Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-2649114697944462032018-07-30T11:27:00.002-06:002019-10-16T16:20:58.967-06:00Office 365 Outlook prompts for passwordWe have a deployment of Office 365 with ADConnect SSO enabled. Additionally, with the implementation of modern authentication (MA) we have set the flag to true. <a href="https://support.office.com/en-gb/article/enable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662" target="_blank">https://support.office.com/en-gb/article/enable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662</a><br />
<div>
<br />
<div>
We also enabled MA for Skype online even though we do not use it fully currently.</div>
<div>
<a href="https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx">https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx</a></div>
<div>
<br /></div>
<div>
More info on Modern Authentication:</div>
<div>
<a href="https://support.office.com/en-us/article/using-office-365-modern-authentication-with-office-clients-776c0036-66fd-41cb-8928-5495c0f9168a">https://support.office.com/en-us/article/using-office-365-modern-authentication-with-office-clients-776c0036-66fd-41cb-8928-5495c0f9168a</a></div>
<div>
<br /></div>
<div>
We started seeing issues where Outlook would prompt for a password, especially after a password change. After much searching we found the following reg keys, recommended by MS when MA is utilized, to force Outlook to use MA.</div>
<div>
<a href="https://support.microsoft.com/en-us/help/3126599/outlook-prompts-for-password-when-modern-authentication-is-enabled">https://support.microsoft.com/en-us/help/3126599/outlook-prompts-for-password-when-modern-authentication-is-enabled</a></div>
<div>
<a href="https://support.microsoft.com/en-us/help/4041439/modern-authentication-configuration-requirements-for-transition-from-o">https://support.microsoft.com/en-us/help/4041439/modern-authentication-configuration-requirements-for-transition-from-o</a></div>
<div>
<br /></div>
<div>
We deployed the keys with GPO Preferences.</div>
<div>
Outlook:</div>
<div>
HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover</div>
<div>
DWORD: 1</div>
<div>
<br /></div>
<div>
Skype for Business:</div>
<div>
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync\AllowAdalForNonLyncIndependentOfLync</div>
<div>
DWORD: 1<br />
<br />
Update:<br />
We've had a few users where this issue started again.<br />
Settings - Accounts - Access Work or School - select the user - Disconnect. Fixes it every time, instantly so far.</div>
</div>
Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-71541828695131792982018-07-11T08:38:00.000-06:002018-07-11T08:39:57.701-06:00Windows 10 Fall Creators Update 1709 fails to apply (update 1803 I experienced same issue)I recently had a number of Dell Latitude E7450 laptops that would roll back the installation of 1709. I also had several of the exact same model laptop that installed successfully.<br />
In most cases I would be left with no indication of why it failed. I attempted installation from WSUS, Windows Update Assistant, and Windows Media Creation to USB.<br />
<br />
I updated drivers, BIOS, all applications, removed AV (note: most succeeded with AV still installed), repaired Windows Update, renamed the SoftwareDistribution folder, etc., all to no effect.<br />
<br />
Only when using the Windows Media Creation tool and then running the update from USB did it give me any workable indication of what was going wrong. (double click setup from the USB drive)<br />
<br />
"We couldn't install Windows 10. We've set your PC back to the way it was right before you started installing. 0x8007042B - 0x3000D The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCsLttaB_Sj9-S5nA1dIr815cNzeijQVD2rhlzxi4xWKd6FQPaDf-T8nDb5-ZkKJCOM_nFJHeg1FijUPhYgpPAZ3kBcWUSCr2p3P1kvpMK_Ihm7f50Lyj8xgEvxjpQ8Gycwb6KIcTuAOo/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="558" data-original-width="704" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCsLttaB_Sj9-S5nA1dIr815cNzeijQVD2rhlzxi4xWKd6FQPaDf-T8nDb5-ZkKJCOM_nFJHeg1FijUPhYgpPAZ3kBcWUSCr2p3P1kvpMK_Ihm7f50Lyj8xgEvxjpQ8Gycwb6KIcTuAOo/s320/Capture.PNG" width="320" /></a></div>
<br />
<br />
That helps! MS even gives a "click here" for troubleshooting codes that pertain. Unfortunately, none of them cover this code. Some Google-fu gave me a little info, and a short time later I was looking at the C:\Windows\Panther\ folder, in particular C:\Windows\Panther\NewOs\Panther\setuperr.log.<br />
<br />
Almost at the very bottom I found a line stating:<br />
Error WRITE, 0x000000B7 while gathering/applying object: File, C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Will return 0[gle=0x00000002]<br />
Error 183 while applying object C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Shell application requested abort[gle=0x00000002]<br />
Abandoning apply due to error for object: C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk][gle=0x00000002]<br />
Apply failed. Last error: 0x00000000<br />
<div>
<br /></div>
The Recent folder under AppData\Roaming\Microsoft\Windows ended up being the issue for every computer I had trouble updating to 1709 or 1803! (0x000000B7 is decimal 183, ERROR_ALREADY_EXISTS, so both error lines in the log are reporting the same Win32 error against that one shortcut.)<br />
<br />
<br />
Cleanup profile:<br />
I went to the path in question and dumped the entire recent folder. Started upgrade again and success!<br />
What a pain. Why can't the error descriptions be descriptive and helpful?<br />
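<div>Rather than scrolling setuperr.log by hand, the following added example (mine, not from the post) pulls out every object the MIGRATE_DATA phase gave up on and translates the Win32 code. The sample lines are the four quoted above from the post; the real file prefixes each line with a timestamp and component, which the patterns ignore. The second log location under $WINDOWS.~BT is where the in-place upgrade keeps its own copy, and the suggestion to move the offending items aside rather than delete them is mine.</div>

```powershell
# Added example, not part of the original post.
function Get-SetupMigrationFailures {
    param([string[]]$Lines)

    # Win32 codes we can name without a lookup; anything else is reported numerically.
    $win32 = @{ 183 = 'ERROR_ALREADY_EXISTS'; 2 = 'ERROR_FILE_NOT_FOUND'; 5 = 'ERROR_ACCESS_DENIED'; 32 = 'ERROR_SHARING_VIOLATION' }

    # Matches "...object: File, C:\path [name]" and "...object C:\path [name]" alike.
    $objRx  = 'object:?\s*(?:File,\s*)?(?<dir>[A-Za-z]:\\.+?)\s*\[(?<file>[^\]]+)\]'
    # Matches "Error WRITE, 0x000000B7 while ..." and "Error 183 while ...".
    $codeRx = 'Error\s+(?:[A-Z]+,\s*)?(?:0x(?<hex>[0-9A-Fa-f]+)|(?<dec>\d+))\s+while'

    $found = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch $objRx) { continue }
        $path = Join-Path $Matches.dir $Matches.file
        if (-not $found.ContainsKey($path)) {
            $found[$path] = [pscustomobject]@{ Path = $path; Code = $null; Name = $null; Mentions = 0 }
        }
        $found[$path].Mentions++
        if ($line -match $codeRx) {
            $code = if ($Matches.hex) { [Convert]::ToInt32($Matches.hex, 16) } else { [int]$Matches.dec }
            $found[$path].Code = $code
            $found[$path].Name = if ($win32.ContainsKey($code)) { $win32[$code] } else { 'see the Win32 error code list' }
        }
    }
    $found.Values | Sort-Object Mentions -Descending
}

# Constructed sample: the lines quoted in the post, so this runs without a real log.
$sample = @(
  'Error WRITE, 0x000000B7 while gathering/applying object: File, C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Will return 0[gle=0x00000002]',
  'Error 183 while applying object C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk]. Shell application requested abort[gle=0x00000002]',
  'Abandoning apply due to error for object: C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent [2017_09_1_3177.pdf.lnk][gle=0x00000002]',
  'Apply failed. Last error: 0x00000000'
)
'== Sample from the post =='
Get-SetupMigrationFailures -Lines $sample | Format-Table -AutoSize

# Against a real machine: the log the post used, plus the upgrade's own working copy.
$logs = 'C:\Windows\Panther\NewOs\Panther\setuperr.log', 'C:\$WINDOWS.~BT\Sources\Panther\setuperr.log' |
        Where-Object { Test-Path -LiteralPath $_ }
foreach ($log in $logs) {
    "== $log =="
    Get-SetupMigrationFailures -Lines (Get-Content -LiteralPath $log) | Format-Table -AutoSize
}
```

<div>The output is one row per failing object with the path, the code and how often it was mentioned. Recent only holds shortcuts, so the post's approach of emptying it costs nothing, but for other paths the script surfaces (a Documents file, say) move the item aside with Move-Item, run the upgrade, and put it back afterwards.</div>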
<br />Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-87749878892101565062018-06-07T15:20:00.003-06:002018-07-11T08:40:54.566-06:00Office 365 - Add Shared Mailbox's Calendar to mobile deviceWith all the recent changes to Office 365 I found that it's become confusing as to how to easily add a Shared Mailbox or Room Calendar to a user's mobile device. This works for both the native iOS Calendar app and the Outlook for iOS / Android app.<br />
<br />
This post goes over the new features<br />
<a href="https://support.office.com/en-us/article/calendar-sharing-in-office-365-b576ecc3-0945-4d75-85f1-5efafb8a37b4#bkmk_sharecalendar" target="_blank">Calendar Sharing in Office 365</a><br />
<br />
Additionally, this post goes over sharing your calendar!<br />
<a href="https://support.office.com/en-us/article/share-your-calendar-in-outlook-on-the-web-for-business-7ecef8ae-139c-40d9-bae2-a23977ee58d5" target="_blank">Share your calendar in Outlook on the web for business</a><br />
<br />
And finally, this has instructions for opening a shared mailbox in a separate window so that you can access the necessary Share button, which is a critical step.<br />
<a href="https://support.office.com/en-us/article/Open-and-use-a-shared-mailbox-in-Outlook-Web-App-bc127866-42be-4de7-92ae-1ef2f787fd5c" target="_blank">Open and use a shared mailbox in Outlook Web App</a><br />
<br />
Natively, when you create a new Shared or Room mailbox and assign delegates from the O365 Admin portal, the new mailboxes / calendars will automatically show up in the users' Outlook for PC application after a short period. They do not, however, automatically show up on mobile devices. Instead, you must access the Shared / Room mailbox directly and add each user as a delegate, which in turn emails an invitation to the user. The user must then accept the invite from a mobile device, which adds it to all of their mobile devices.<br />
<br />
<br />
<br />
<ol>
<li>First, we've created the Shared mailbox we want and added the "members". This will automatically add the mailbox / calendar to those users Outlook for PC application. <div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk6W5ptW1SqV5aRLYsxG_zbVnDxR7ZGKS2ITax9xTkiYg2jwqX_Ui1_Z189vXKoz7Lpq8hpJdjyYic3EHoT1WH-WTVKh2_v0erUQByyMLNbtcoTLkiJroirg9Lpq2GlzU9C6Ove76MWYE/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="750" data-original-width="832" height="576" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk6W5ptW1SqV5aRLYsxG_zbVnDxR7ZGKS2ITax9xTkiYg2jwqX_Ui1_Z189vXKoz7Lpq8hpJdjyYic3EHoT1WH-WTVKh2_v0erUQByyMLNbtcoTLkiJroirg9Lpq2GlzU9C6Ove76MWYE/s640/1.PNG" width="640" /></a></div>
</li>
<li>Log into OWA with an account that has permission to the Shared Mailbox / Room that was just created. Click the user account in the top right corner. Click the "Open another mailbox..." option.<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl93YXoVbj4yZjAxBM7tqpD62Kz69J2JVbXNPPbkqCu74lHlZ8vlv0QBGl15lImjSmrVev2MhKi9Z435Hqs3ftmRss4mNdAikhydcGZKfFSKG-873snwE458L6sTvYyk6Q0vcJm7h-3to/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="471" data-original-width="363" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl93YXoVbj4yZjAxBM7tqpD62Kz69J2JVbXNPPbkqCu74lHlZ8vlv0QBGl15lImjSmrVev2MhKi9Z435Hqs3ftmRss4mNdAikhydcGZKfFSKG-873snwE458L6sTvYyk6Q0vcJm7h-3to/s400/2.PNG" width="307" /></a></div>
</li>
<li>Type in the name of the mailbox / room and ensure it finds it in the list. If you don't have the proper permissions then you'll get an error "Something went wrong". It can take some time after assigning permissions to yourself before they properly propagate.</li>
<li>The mailbox will open in a new window. Open the calendar.</li>
<li>Click the Share button at the top middle. This will open up the "Share this calendar:Calendar" window.</li>
<li>Search for the person you want to add and give them the proper permission level. Then click "Share"<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbsZPiWp2lBD36UgUUH3Mg1S5C_uIkz1yW7guKrD2ycOg7iSu0_FhK_c3Gr6L0TjUC0lY6AL-DAyDp3bcmclZXhDYa9xNdeRunN-IfmdWFIeKwl8ZZaT-2HILUxnMQFcqfJzFr1sFqwyE/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="579" data-original-width="685" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbsZPiWp2lBD36UgUUH3Mg1S5C_uIkz1yW7guKrD2ycOg7iSu0_FhK_c3Gr6L0TjUC0lY6AL-DAyDp3bcmclZXhDYa9xNdeRunN-IfmdWFIeKwl8ZZaT-2HILUxnMQFcqfJzFr1sFqwyE/s400/3.PNG" width="400" /></a></div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
This will send an email invitation to the user. They will need to open the email invitation from a mobile device!</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsKBLPR8PvJTWL7wPF-TbsKFD-grQ0yGq7yhZIWAYGauvWWmEu9cf6-DSLSJxgOMjntvXJDhvgID2UBhY-piYcCoeEk_-c1nPCWfobZu7xyaoL3xSlX64znzRpVcwIvY3ruY_MyBu7Z2Q/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="737" data-original-width="416" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsKBLPR8PvJTWL7wPF-TbsKFD-grQ0yGq7yhZIWAYGauvWWmEu9cf6-DSLSJxgOMjntvXJDhvgID2UBhY-piYcCoeEk_-c1nPCWfobZu7xyaoL3xSlX64znzRpVcwIvY3ruY_MyBu7Z2Q/s400/4.PNG" width="225" /></a></div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
From iOS native app the calendar is listed.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIjUyqNHyPQRzUo6IrqVtuv66fSA5aHqcXStWkuWusGRIkhY77HxQu-gML5x4pHNhArQETmEd0jKYbWJ4U055FWI_RXb6SZpBohCCfyH0aJcW4yZ7BXMjOSSTj47s2_QVvvkHpPDhzyso/s1600/6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="712" data-original-width="410" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIjUyqNHyPQRzUo6IrqVtuv66fSA5aHqcXStWkuWusGRIkhY77HxQu-gML5x4pHNhArQETmEd0jKYbWJ4U055FWI_RXb6SZpBohCCfyH0aJcW4yZ7BXMjOSSTj47s2_QVvvkHpPDhzyso/s400/6.PNG" width="230" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
</li>
<li>Or from the Outlook for iOS / Android<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMVbmSlB5tYxaLJehGQt8AKP5I79pAThskOhzqjeGTy8Dv8QHB2J89SbWjGLa1wx1EornwmJdSw1mbhU-IZcGSpIk9UODgZywTPShk0brI_xqBIBwyVk6iq-r_0uTKlVk21Ber2EP8GBE/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="723" data-original-width="404" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMVbmSlB5tYxaLJehGQt8AKP5I79pAThskOhzqjeGTy8Dv8QHB2J89SbWjGLa1wx1EornwmJdSw1mbhU-IZcGSpIk9UODgZywTPShk0brI_xqBIBwyVk6iq-r_0uTKlVk21Ber2EP8GBE/s400/5.PNG" width="222" /></a></div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
If the user wants to remove the calendar they can click on the i / information option on the right side (iOS) or settings gear (Outlook for iOS / Android) and at the bottom is the remove option.</div>
</li>
</ol>
<div>
<br /></div>
<div>
Hopefully MS will give the option of having these calendars auto deploy to mobile device same or similar to the way it does with outlook for PC in the future.</div>
Aaronhttp://www.blogger.com/profile/11988413478336085670noreply@blogger.com0tag:blogger.com,1999:blog-2540632746780972939.post-22388443525029764772018-03-29T10:56:00.002-06:002018-07-11T08:41:44.977-06:00Veeam Backup Error Code 32768Last night we received the following error on a previously working server.<br />
<div>
<br /></div>
<div>
<div>
Failed to create VM recovery checkpoint (mode: Veeam application-aware processing) Details: Job failed (''). Error code: '32768'.</div>
<div>
Failed to create VM recovery snapshot, VM ID 'f74ddb15-6900-4f62-ad2a-31ed600531f1'. </div>
</div>
<div>
<br /></div>
<div>
Environment:</div>
<div>
Host: Windows Server 2016</div>
<div>
VM: Windows Server 2016 - hosting Quickbooks database manager and Azure AD Connect</div>
<div>
<br /></div>
<div>
Changes:</div>
<div>
Several updates had been applied to the server the day prior. Additionally, AD Connect had been updated to version 1.1.750</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Additional error from eventvwr: </div>
<div>
<blockquote class="tr_bq">
<div>
Log Name: Application</div>
<div>
Source: VSS</div>
<div>
Event ID: 8229</div>
<div>
Task Category: None</div>
<div>
Level: Warning</div>
<div>
Keywords: Classic</div>
<div>
User: N/A</div>
<div>
Description:</div>
<div>
A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried,</div>
<div>
the error is likely to reoccur.</div>
<div>
. Changes that the writer made to the writer components while handling the event will not be available to the requester. Check the event log for related events from the application hosting the VSS writer. </div>
</blockquote>
<div>
<br /></div>
</div>
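<div>Event 8229 tells you a writer rejected the freeze but not which one. The added example below (mine, not from the post or from Veeam) parses "vssadmin list writers" into objects so you can see which writer is not Stable and what its last error was, and pulls the matching 8229 events so the timestamps can be lined up with the Veeam job. The sample output is constructed to look like vssadmin's so the parser can be run offline; it is not captured from the server in the post.</div>

```powershell
# Added example, not part of the original post. vssadmin needs an elevated prompt.
function ConvertFrom-VssWriterList {
    # Turn the text of "vssadmin list writers" into one object per writer.
    param([string[]]$Lines)
    $writers = @()
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line.Trim()) {
            "^Writer name:\s*'(.+)'$" {
                $current  = [pscustomobject]@{ Name = $Matches[1]; WriterId = $null; State = $null; LastError = $null }
                $writers += $current
            }
            '^Writer Id:\s*(\{.+\})$'     { if ($current) { $current.WriterId  = $Matches[1] } }
            '^State:\s*\[(\d+)\]\s*(.+)$' { if ($current) { $current.State     = $Matches[2] } }
            '^Last error:\s*(.+)$'        { if ($current) { $current.LastError = $Matches[1] } }
        }
    }
    $writers
}

function Get-UnhealthyVssWriter {
    # Anything that is not "Stable" with "No error" is worth looking at after an 8229.
    param([string[]]$Lines)
    ConvertFrom-VssWriterList -Lines $Lines |
        Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
}

# Constructed sample in vssadmin's format (not captured from the post's server).
$sample = @'
Writer name: 'System Writer'
   Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Instance Id: {11111111-1111-1111-1111-111111111111}
   State: [1] Stable
   Last error: No error

Writer name: 'SqlServerWriter'
   Writer Id: {a65faa63-5ea8-4ebc-9dbd-a0c4db26912a}
   Writer Instance Id: {22222222-2222-2222-2222-222222222222}
   State: [8] Failed
   Last error: Non-retryable error
'@ -split "`r?`n"

'== Sample =='
Get-UnhealthyVssWriter -Lines $sample | Format-Table Name, State, LastError -AutoSize

# On the affected VM: the live writer list, plus the 8229 warnings from the post.
'== This machine =='
$live = & vssadmin.exe list writers
Get-UnhealthyVssWriter -Lines $live | Format-Table Name, State, LastError -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'VSS'; Id = 8229 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-List
```

<div>In the sample the SqlServerWriter comes back as Failed with a non-retryable error, which is the shape of the problem the post hit: the writer belongs to the SQL LocalDB instance that Azure AD Connect installs, so that is the component to repair, and re-running the backup without fixing it will just log another 8229.</div>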
<div>
Some googling ended up with this hit: http://www.insidetechnologies.eu/en/blog/veeam-backup-replication-9-5-error-code-32768/</div>
<div>
<br /></div>
<div>
Open appwiz.cpl, select "Microsoft SQL Server 2012 Express LocalDB" and choose Repair. This will require a reboot.</div>
<div>
<br /></div>
<div>
We are now able to create checkpoints of the VM again without issue.</div>
Chrome Browser - prevent / restrict user sign in (Aaron, 2017-11-01, updated 2023-02-21)<br />
In the past I've always forced my end users to use IE. This made sense, as IE is integrated with Windows and could be heavily managed by GPO and other domain settings.<br />
More and more I found myself personally going to Chrome for tasks since it "worked better". So I finally admitted (a few years back, actually) that maybe it makes sense for me to loosen up a bit and let the end users in on Chrome in the workplace as well.<br />
<br />
As with all good things, there is a pain in the arse that comes with them. Google of course wants users to use its services, and signing in to the Chrome browser itself simplifies that. In the workplace that is not a great thing: an end user who signs the browser in, deliberately or by accident, to a personal Gmail account (or another company's G Suite account) can turn on Chrome Sync, which copies bookmarks, history, saved passwords and open tabs to that account, outside the organization's control.<br />
<br />
One would think a simple Google search would yield lots of results on how to prevent login to the Chrome browser, but for me at least I only found lots of irrelevant junk. Perhaps I need to work on my Google-fu.<br />
<br />
At one time the Chrome ADM templates had a setting called "Allow sign-in to Chrome" (policy name SigninAllowed). Fairly obvious and easy to find. It was deprecated in Chrome 71 in favour of BrowserSignin, whose Disabled value turns browser sign-in off outright; the setting below is the finer-grained alternative that lets you allow only your own accounts.<br />
<br />
Now there is a setting in the Chrome ADMX templates labeled "Restrict which users are allowed to sign in to Google Chrome" (policy name RestrictSigninToPattern; on Windows it lands as a string value under HKLM\SOFTWARE\Policies\Google\Chrome). This is the setting we want. After you add the ADMX template it is found under<br />
Computer Configuration/Administrative Templates/Google/Google Chrome (also under User Configuration if that suits your needs better).<br />
<br />
Enable the setting and enter either a regular expression that matches your organization's accounts (for example .*@example\.com if you use Google's business apps) or, to block every account, an expression that can never match an email address. The value is a regular expression, so escape the dots in the domain, and an empty value means no restriction at all. Then deploy to computers or users, depending on your needs.<br />
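For a lab machine, or to verify what a GPO actually wrote, the policy can be set and read straight from the registry. The PowerShell below is an added example, not code from the original post or from Google: it writes either RestrictSigninToPattern or BrowserSignin under the machine policy key, reads them back, and includes a small pattern tester. The tester assumes Chrome requires the whole account address to satisfy the expression (hence the anchors); the example.com domain and the account names are made up.<br />

```powershell
# Added example: apply and verify the Chrome sign-in restriction on one machine.
# On a domain member the GPO from the post overwrites these values; this is for
# lab testing and for checking what actually landed. Domain and accounts are made up.

$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'   # Chrome reads machine policy here

function Set-ChromeSigninRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # RestrictSigninToPattern is a regular expression; escape the dot in the domain.
        [string]$AllowedPattern = '.*@example\.com',
        # BrowserSignin = 0 disables browser sign-in outright (Chrome 70+).
        [switch]$BlockAllSignin
    )
    if (-not (Test-Path $ChromePolicyKey)) { New-Item -Path $ChromePolicyKey -Force | Out-Null }
    if ($BlockAllSignin) {
        if ($PSCmdlet.ShouldProcess('BrowserSignin', 'set to 0')) {
            Set-ItemProperty -Path $ChromePolicyKey -Name 'BrowserSignin' -Value 0 -Type DWord
        }
    } elseif ($PSCmdlet.ShouldProcess('RestrictSigninToPattern', "set to $AllowedPattern")) {
        Set-ItemProperty -Path $ChromePolicyKey -Name 'RestrictSigninToPattern' -Value $AllowedPattern -Type String
    }
}

function Get-ChromeSigninRestriction {
    if (-not (Test-Path $ChromePolicyKey)) { return $null }
    Get-ItemProperty -Path $ChromePolicyKey | Select-Object RestrictSigninToPattern, BrowserSignin
}

function Test-ChromeSigninPattern {
    # Assumption: Chrome requires the whole account address to satisfy the pattern,
    # so the test anchors it. Use this to sanity-check a pattern before deploying it.
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string[]]$Accounts
    )
    $rx = [regex]::new("^(?:$Pattern)$", [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    foreach ($a in $Accounts) { [pscustomobject]@{ Account = $a; Allowed = $rx.IsMatch($a) } }
}

# Constructed sample accounts: show why the dot must be escaped and why the pattern is anchored.
$samples = 'alice@example.com', 'bob@gmail.com', 'eve@example.com.attacker.net', 'mallory@exampleXcom'
Test-ChromeSigninPattern -Pattern '.*@example\.com' -Accounts $samples   # only alice is allowed
Test-ChromeSigninPattern -Pattern '.*@example.com'  -Accounts $samples   # unescaped dot also lets mallory in
# Set-ChromeSigninRestriction -AllowedPattern '.*@example\.com'; Get-ChromeSigninRestriction
```

On the client, chrome://policy shows whether the value was picked up and whether a domain GPO has overridden what you set locally.<br />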
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDrg0YTXo5SRQPp9RvIitETdAmLPWVUyJuZEpPbJINe_44EHQ_01NhOL9Dxxo5nW76TWrJTQvgypGnheH1VRZmCL9SD_LFp_Nrm9giuQ-OWGKX6mGPs-8mHo4aBwBWOyOd-DG6lESuuoQ/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="634" data-original-width="677" height="299" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDrg0YTXo5SRQPp9RvIitETdAmLPWVUyJuZEpPbJINe_44EHQ_01NhOL9Dxxo5nW76TWrJTQvgypGnheH1VRZmCL9SD_LFp_Nrm9giuQ-OWGKX6mGPs-8mHo4aBwBWOyOd-DG6lESuuoQ/s320/Capture.PNG" width="320" /></a></div>
<br />
<br />
Users can now attempt to log in to Chrome and are greeted with a lovely "you can't do that" message.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjueAdoQFlhfF6B7sYiE9TGoMCeY5UH38umlpXRRbYrE8bvNduSi5M9Tp08_ZWyEbd1n1EyGCIZVwjjn8xds-kIYOYuhRDXbzmm8SjnN30eStLeBqCTqNFKV-fTXv1DyTKeLnrNlskIN58/s1600/login.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="171" data-original-width="468" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjueAdoQFlhfF6B7sYiE9TGoMCeY5UH38umlpXRRbYrE8bvNduSi5M9Tp08_ZWyEbd1n1EyGCIZVwjjn8xds-kIYOYuhRDXbzmm8SjnN30eStLeBqCTqNFKV-fTXv1DyTKeLnrNlskIN58/s320/login.PNG" width="320" /></a></div>
<br />
<br />
Funnily enough, I found that I could go to other Google services, for instance Blogspot, and log in. But once I tried to navigate away from Blogspot to, say, Gmail, it choked.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLAeMy03Qkhhu1ugkPFRlMgfzUB0UYu7xkFUZejhtrS620Y0-mqD4FvQhZJ2ndMN7dfUmc0RJljLG5q9oGSxp3I4_lH6elX1UDM-auTx8PVKJJOTZsZ4w7wQh_HFT8UaCiaEu1ao0_H5Y/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="229" data-original-width="833" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLAeMy03Qkhhu1ugkPFRlMgfzUB0UYu7xkFUZejhtrS620Y0-mqD4FvQhZJ2ndMN7dfUmc0RJljLG5q9oGSxp3I4_lH6elX1UDM-auTx8PVKJJOTZsZ4w7wQh_HFT8UaCiaEu1ao0_H5Y/s320/Capture.PNG" width="320" /></a></div>
<br />
PowerShell - FSMO Roles (Aaron, 2016-11-02)<br />
Viewing FSMO role holders with PowerShell (every DC is listed; the OperationMasterRoles collection is empty for DCs that hold none):<br />
Get-ADDomainController -Filter * | ForEach-Object {$_.Name; $_.OperationMasterRoles; Write-Host}<br />
<br />
<br />
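Before moving any of the roles it helps to know who holds what and whether the holders are reachable. The following PowerShell is an added example (not the post's own code) that builds that inventory from Get-ADForest and Get-ADDomain and flags the two things that cause grief during a transfer: a holder that cannot be contacted, and an infrastructure master sitting on a global catalog in a domain where not every DC is a GC. Function names are my own; it needs the ActiveDirectory RSAT module.<br />

```powershell
# Added example (not from the original post): FSMO inventory and placement checks
# to run before Move-ADDirectoryServerOperationMasterRole. Requires RSAT (ActiveDirectory module).

Import-Module ActiveDirectory

function Get-FsmoReport {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # -Identity accepts the DNS host name the role properties return.
        $dc = Get-ADDomainController -Identity $holder -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            Scope     = if ($role -in 'SchemaMaster', 'DomainNamingMaster') { 'Forest' } else { 'Domain' }
            Reachable = [bool]$dc
            IsGC      = if ($dc) { $dc.IsGlobalCatalog } else { $null }
        }
    }
}

function Test-FsmoPlacement {
    # Returns warning strings; no output means nothing obviously wrong.
    $report = Get-FsmoReport
    $dcs = @(Get-ADDomainController -Filter *)
    $everyDcIsGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    foreach ($r in $report) {
        if (-not $r.Reachable) {
            "$($r.Role) holder $($r.Holder) is not reachable; a normal transfer will fail and a seizure (-Force) would be needed"
        }
        # Classic pitfall: an infrastructure master on a GC stops updating cross-domain
        # references (phantoms) unless every DC in the domain is also a GC.
        if ($r.Role -eq 'InfrastructureMaster' -and $r.IsGC -and -not $everyDcIsGc) {
            "InfrastructureMaster is on GC $($r.Holder) but not every DC in the domain is a GC"
        }
    }
}

Get-FsmoReport | Format-Table -AutoSize
Test-FsmoPlacement
```

Run it again after the transfer: every Holder should now be the DC you named in -Identity and every Reachable should be True.<br />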
Transferring FSMO roles with PowerShell (all five at once; -Identity is the DC that should receive them). Transferring SchemaMaster requires Schema Admins and DomainNamingMaster requires Enterprise Admins; the three domain roles need Domain Admins. Add -Force only to seize a role from a holder that is permanently gone, and never bring that old holder back online afterwards.<br />
Move-ADDirectoryServerOperationMasterRole -Identity servername -OperationMasterRole InfrastructureMaster, RIDMaster, DomainNamingMaster, PDCEmulator, SchemaMaster<br />
<br />
WSUS Error: Connection Error after KB3148812 and KB3159706 (Aaron, 2016-07-19, updated 2023-02-21)<br />
After getting a WSUS server up to date, the console no longer worked.<br />
<div>
<br /></div>
<div>
The error is very uninformative...</div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVpaOw6-6UnPS_UqIiZWUaILB8B-rmasK3DHtmzXUMzaiAjRdqorzrzCLzBvDgC2B9mUoAKAnk0t3mfhMadNhaMmcpL5Spjr-uPUUnRULvs4RaiTvowoxJAH-beRYz-DOIzMZzerJHqwk/s1600/WSUSError.png" imageanchor="1"><img border="0" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVpaOw6-6UnPS_UqIiZWUaILB8B-rmasK3DHtmzXUMzaiAjRdqorzrzCLzBvDgC2B9mUoAKAnk0t3mfhMadNhaMmcpL5Spjr-uPUUnRULvs4RaiTvowoxJAH-beRYz-DOIzMZzerJHqwk/s640/WSUSError.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div>
Log Name: System</div>
<div>
Source: Service Control Manager</div>
<div>
Date: 7/18/2016 10:39:15 AM</div>
<div>
Event ID: 7034</div>
<div>
Task Category: None</div>
<div>
Level: Error</div>
<div>
Keywords: Classic</div>
<div>
User: N/A</div>
<div>
Computer: </div>
<div>
Description:</div>
<div>
The WSUS Service service terminated unexpectedly. It has done this 3 time(s).</div>
<div>
<br /></div>
</div>
<div>
<br /></div>
<div>
KB3148812 (April 2016) was pulled after it caused this console failure and client scan failures; KB3159706 supersedes it and is the one to install, but it needs manual post-install steps or the WSUS Service keeps crashing: run wsusutil.exe postinstall /servicing, enable HTTP Activation under .NET Framework 4.5 Features, WCF Services, and restart the WSUS Service (plus a Web.config edit in ClientWebService if the server uses SSL). The KB spells them out:</div>
<div>
https://support.microsoft.com/en-us/kb/3159706</div>
<div>
<br /></div>
<div>
Also, don't forget that if you are not using SSL for WSUS you should be! Over plain HTTP an attacker on the path between client and server can tamper with the update traffic and get the client to run code of their choosing (the 2015 WSUSpect research demonstrated this), so run wsusutil configuressl and point clients at the HTTPS URL.</div>
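<div>
The KB's manual steps as a PowerShell run-book, added here as an example rather than taken from the post or from Microsoft's article. It runs the three steps idempotently (each guarded by -WhatIf/-Confirm) and reports the service state, recent 7034 crashes and whether SSL is configured. Function names and the 24-hour event window are mine; the feature name NET-WCF-HTTP-Activation45, the service name WsusService, the wsusutil syntax and the UsingSSL registry value are the real ones. Run it elevated on the WSUS server.</div>

```powershell
# Added example (not from the original post): KB3159706 post-install steps and a health check.
# Run in an elevated PowerShell session on the WSUS server.

function Invoke-WsusPostUpdateFix {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$WsusUtil = "$env:ProgramFiles\Update Services\Tools\wsusutil.exe")

    if (-not (Test-Path $WsusUtil)) { throw "wsusutil.exe not found at $WsusUtil" }

    # 1. Re-run the WSUS servicing step the update requires.
    if ($PSCmdlet.ShouldProcess('WSUS', 'wsusutil postinstall /servicing')) {
        & $WsusUtil postinstall /servicing
        if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed (exit $LASTEXITCODE)" }
    }

    # 2. HTTP Activation under .NET Framework 4.5 Features > WCF Services.
    $feature = Get-WindowsFeature -Name NET-WCF-HTTP-Activation45
    if (-not $feature.Installed -and $PSCmdlet.ShouldProcess('NET-WCF-HTTP-Activation45', 'Install-WindowsFeature')) {
        $result = Install-WindowsFeature -Name NET-WCF-HTTP-Activation45
        if (-not $result.Success) { throw 'HTTP Activation install failed' }
    }

    # 3. Restart the WSUS service and wait for it to come back.
    if ($PSCmdlet.ShouldProcess('WsusService', 'Restart-Service')) {
        Restart-Service -Name WsusService
        (Get-Service -Name WsusService).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    }
}

function Test-WsusHealth {
    param([int]$Hours = 24)   # arbitrary default window
    $svc = Get-Service -Name WsusService
    # Event 7034 from the Service Control Manager is the "terminated unexpectedly" record from the post.
    $crashes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7034
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like '*WSUS Service*' })
    # UsingSSL is the value wsusutil configuressl writes; 0 or missing means clients talk plain HTTP.
    $setup = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus  = $svc.Status
        Crashes        = $crashes.Count
        HttpActivation = (Get-WindowsFeature -Name NET-WCF-HTTP-Activation45).Installed
        UsingSsl       = [bool]$setup.UsingSSL
    }
}

Test-WsusHealth
# Invoke-WsusPostUpdateFix -WhatIf    # remove -WhatIf to apply the three steps, then run Test-WsusHealth again
```

<div>
A healthy result is ServiceStatus Running, Crashes 0 and HttpActivation True; UsingSsl False is the reminder from the paragraph above.</div>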
Remove iPhone Native apps (Aaron, 2016-07-05)<br />
With our recent iPhone redeployment there were several native apps that I wanted to remove. This is pretty easy to do with Apple Configurator and XenMobile, but it requires the phone to be supervised. Supervision can be set with Apple Configurator or through Apple DEP (the Device Enrollment Program, now part of Apple Business Manager). Putting a phone into supervised mode wipes it.<br />
<br />
<br />
<ol>
<li>Ensure Apple Configurator is version 2.x</li>
<li>Click File - New Profile</li>
<li>Restrictions - Configure - Apps tab</li>
<li>Under "Restrict App Usage"</li>
<li>Set to "Do not allow some apps"</li>
<li>Click the plus sign</li>
<li>Type the App name you want to remove and choose it</li>
<li>File - Save - name it and save it</li>
</ol>
<div>
Now you have a profile that hides the listed app(s) from the device. You just need to upload it into XenMobile (or another MDM) and apply it to your devices. It can also be applied straight from Apple Configurator, but I prefer not to use Configurator to apply any configuration and instead push it through the MDM, which makes profiles and policies easier to remove.</div>
<div>
<br /></div>
<div>
XenMobile (do this from the Mac that has Apple Configurator on it, since that is where the saved profile is):</div>
<div>
<ol>
<li>Under Configure - Device Policies - Add</li>
<li>More - Custom - Import iOS & Mac OS X Profile</li>
<li>Name it and then browse to the newly created and saved profile.</li>
<li>Assign to the proper delivery policy and you're all set!</li>
</ol>
<div>
Sit back and watch the native app disappear.</div>
</div>
<div>
<br /></div>
<div>
How to get the native app back? Just remove the profile.</div>
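<div>
The profile Configurator saves is a plain XML property list, so it can be produced and inspected without the Mac. The PowerShell below is an added example (not code from the original post, Apple or Citrix): it builds the same kind of restrictions profile and reads the blocked bundle IDs back out of one. It assumes the payload key is blacklistedAppBundleIDs, the key Configurator 2 wrote for "Do not allow some apps" (supervised devices only); the identifiers containing "example" are made up, while com.apple.stocks and com.apple.tips are Apple's own bundle IDs.</div>

```powershell
# Added example (not from the original post): build a "Do not allow some apps" restrictions
# profile as a .mobileconfig and read the blocked bundle IDs back out of one.

function New-AppRestrictionProfile {
    param(
        [Parameter(Mandatory)][string[]]$BundleIds,        # e.g. com.apple.stocks
        [string]$IdentifierPrefix = 'com.example.mdm',     # assumed org prefix
        [string]$DisplayName = 'Hide native apps',
        [string]$OutFile                                   # optional .mobileconfig path
    )
    foreach ($id in $BundleIds) {
        if ($id -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') { throw "Not a bundle identifier: $id" }
    }
    $escape  = { param($s) [System.Security.SecurityElement]::Escape($s) }
    $entries = ($BundleIds | ForEach-Object { "        <string>$(& $escape $_)</string>" }) -join "`n"
    $xml = @"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>$IdentifierPrefix.restrictions</string>
      <key>PayloadUUID</key><string>$([guid]::NewGuid().ToString().ToUpper())</string>
      <key>PayloadDisplayName</key><string>Restrictions</string>
      <key>blacklistedAppBundleIDs</key>
      <array>
$entries
      </array>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>$IdentifierPrefix</string>
  <key>PayloadUUID</key><string>$([guid]::NewGuid().ToString().ToUpper())</string>
  <key>PayloadDisplayName</key><string>$(& $escape $DisplayName)</string>
  <key>PayloadRemovalDisallowed</key><false/>
</dict>
</plist>
"@
    if ($OutFile) { [IO.File]::WriteAllText($OutFile, $xml, [Text.UTF8Encoding]::new($false)) }
    $xml
}

function Get-AppRestrictionProfileBundleIds {
    param([Parameter(Mandatory)][string]$Xml)
    # Parse with DTD processing off and no resolver: a profile from an untrusted source
    # must not be able to pull in external entities.
    $settings = [System.Xml.XmlReaderSettings]::new()
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Ignore
    $settings.XmlResolver = $null
    $reader = [System.Xml.XmlReader]::Create([IO.StringReader]::new($Xml), $settings)
    try { $doc = [System.Xml.XmlDocument]::new(); $doc.Load($reader) } finally { $reader.Dispose() }
    # plist layout: the <array> that follows the <key> holds the blocked IDs.
    foreach ($key in $doc.SelectNodes("//key[.='blacklistedAppBundleIDs']")) {
        $array = $key.NextSibling
        while ($array -and $array.NodeType -ne 'Element') { $array = $array.NextSibling }
        if ($array -and $array.Name -eq 'array') { $array.SelectNodes('string') | ForEach-Object { $_.InnerText } }
    }
}

# Sample: hide two stock apps; the bundle IDs are Apple's, everything else is constructed.
$profileXml = New-AppRestrictionProfile -BundleIds 'com.apple.stocks', 'com.apple.tips'
Get-AppRestrictionProfileBundleIds -Xml $profileXml     # com.apple.stocks, com.apple.tips
```

<div>
Pass -OutFile to write a .mobileconfig that XenMobile's "Import iOS &amp; Mac OS X Profile" accepts; the reader function is also a quick way to audit what a profile someone hands you actually blocks before it is pushed to devices.</div>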
<br />
<br />