Avoid Cisco Meraki for S2S VPN with Azure

Just got off a phone call with some engineers at Microsoft who informed me that both Cisco and Microsoft have mutually agreed that using a Cisco Meraki firewall is not recommended for creating site-to-site (S2S) VPN tunnels to Microsoft Azure.

The issue is that the Phase 1 IKE timeout value the Meraki uses is not supported.

A fix was rumored for late 2016, and then for a firmware update in February 2017, but as of yet we have not seen it.

If anyone has updated information on this, please post it in the comments, as I have a few clients running Merakis.

Thanks,

Joe

Error 1603 when Installing Skype for Business Server 2015

Make sure you select ‘Don’t check for updates right now’, otherwise you will get an error later: “Failure code 1603. Error returned while installing OcsMcu.msi, code 1603. Error Message: A fatal error occurred during installation”

The solution was to uninstall just the Skype components from Control Panel and then re-run setup. It only took 10 minutes, so it wasn’t too big of a deal. But now we must remember to manually apply the latest cumulative updates after the installation completes =)

The uninstall order (for what it is worth) is the following: first uninstall XMPP, then proceed through the remaining components, uninstalling the core components last. It is not necessary to remove all the language packs and local SQL instances (at least in my case it wasn’t).

Hopefully Microsoft fixes this bug because the ‘connect to the internet to check for updates’ feature is very nice and a huge time saver.

Reference: https://social.technet.microsoft.com/Forums/ie/en-US/42e284fb-ae07-424c-9ed3-07b6a85748da/skype-for-business-server-components-install-fails-when-patching-ocsmcumsi?forum=sfbfr

Windows Information Protection

Windows Information Protection is a feature of the Windows 10 Anniversary Update that helps protect corporate information by encrypting data using the Encrypting File System (EFS).

This is not to be confused with Azure Information Protection (which was rebranded from Azure Rights Management Services RMS).

How WIP works

Enterprise data is automatically encrypted after it’s downloaded to a device from SharePoint, a network share, or an enterprise web location, while using a WIP-protected device or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.

A WIP Policy includes a list of applications that are allowed to access corporate data. This list of apps is implemented through AppLocker functionality.

Requirements

Requires Intune or SCCM Policy

Devices must be running Windows 10 Anniversary Update, or be enrolled with Intune or a supported 3rd party MDM (I was unable to find a list of supported 3rd party MDMs).

Limitations

  • Files encrypted with WIP cannot be shared externally. Each user would need the ability to disable WIP on a particular file and then re-encrypt the file using a separate technology such as Azure Information Protection.
  • All clients in your environment must be running Windows 10 Anniversary Update or be a mobile device managed by Intune or a supported 3rd party MDM. For example, a Mac OS X machine that downloads data from SharePoint, a file share, or wherever, is not going to be protected by WIP, and therefore that employee can bypass WIP and leak sensitive information. Think of WIP as a client-side solution that is only truly effective when all client systems fit the mold.
  • WIP is not compatible with DirectAccess. The workaround is to replace DirectAccess with Windows 10 Always On VPN for client access to the intranet instead.*
  • WIP is not compatible with Network Isolation (IPsec feature).
  • Cortana must be disabled, otherwise Cortana can leak encrypted information.*
  • WIP is not compatible with shared workstations.* One user per device.
  • Marriage/separation name changes can disrupt WIP. Workaround: disable WIP before changing someone’s first or last name.* This is pretty time intensive, as it requires decrypting all files that were protected by WIP.
  • Internet Explorer 11 with webpages using ActiveX controls can cause data leakage. The workaround is to use the Microsoft Edge browser. The issue is that not all websites are compatible with Edge.*
  • There are only 11 applications that are considered WIP “Enlightened Apps” (see list below). All other apps will force encryption on all data saved, which cannot be shared externally unless the user manually removes the encryption and re-encrypts with AIP.

*https://technet.microsoft.com/en-us/itpro/windows/keep-secure/limitations-with-wip

References

Original Announcement from 6/29/2016

https://blogs.technet.microsoft.com/windowsitpro/2016/06/29/introducing-windows-information-protection/

Official Documentation for WIP

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-enterprise-data-using-wip

WIP “Enlightened Apps”

  • Microsoft Edge
  • Internet Explorer 11
  • Microsoft People
  • Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
  • Microsoft Photos
  • Groove Music
  • Notepad
  • Microsoft Paint
  • Microsoft Movies & TV
  • Microsoft Messaging
  • Microsoft Remote Desktop

*These apps allow you to save things as personal (unencrypted). All other applications not listed will encrypt everything 100% with EFS encryption.

Patriot Guidance

Use Azure Information Protection and avoid WIP unless you have a regulatory reason that justifies the effort to deploy it, because of its restrictive encryption policy and the fact that only 11 apps allow the user to save things without encryption. One look at the implementation page shows how difficult an implementation would be, and more so to maintain.

Extension Dialing (aka) Tenant Dial Plans in Skype for Business Online

Microsoft has announced that “Tenant Dial plans” are now in Public Preview in Office 365 Cloud PBX. This is relevant for companies that migrate to Office 365 Cloud PBX (Skype for Business Online) and come from legacy PBX environments that include dial plans, such as a “4-digit” or “5-digit” dial-plan. For example, dial 1234 for Jim in California, or 51234 for Juan in Mexico.

Another scenario where this is useful is when users want to dial a shorter number for outside calls. For example, in the United States, you may want to dial a 7 digit number instead of the full 10 digits including your area code. Tenant Dial Plans allow you to do this.

For example, you can create a rule that looks for 7 digits, '^(\d{7})$', and prepends the E.164 prefix along with the country code and area code: '+1425$1'

So that if 5551234 is dialed by the end-user, the actual number sent out would be +14255551234.

TIP: A normalization rule like this would be considered a ‘tenant-user’ plan because it would need to be applied on a per-user basis, since you can’t assume that all users in that country dialing 7 digits will always want a Seattle area code.

Sign up for Tenant Dial Plans at Skype Preview: http://skypepreview.com

To learn more, watch the Skype Academy training video (26 minutes) here:

https://www.youtube.com/watch?v=sA4p77Shmns&index=1&list=PLH5ElbTc1hWTsunfXvNVnDFCJCCzrL3R9

Lessons Learned from watching the video above:

  • Only supported for soft clients, because the firmware running on existing handsets was designed before this feature existed
  • The administrative interface is PowerShell, but a GUI was promised “in a few months” according to the Skype Academy training
  • Tenant Dial Plans are applied differently than dial plans in an on-premises Skype deployment. On-premises, dial plans are applied most-specific first (User, then Pool, then Site, then Global): if a user dial plan is assigned, all other dial plans are ignored. With the new Cloud PBX Tenant Dial Plans, the “Service Country” dial plan is always applied, and it is merged with one of two options: a tenant-user dial plan OR a tenant-global dial plan.
  • Before you can use tenant dial plans in your Cloud PBX tenant, you must first configure hybrid users to consume the tenant dial plan, for example:
    Set-CsTenantHybridConfiguration -UseOnPremDialPlan $false
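As an added example (not from the original post or the Skype Academy material), here is how the 7-digit rule described above would be created as a tenant-user dial plan, assigned, and checked with the Skype for Business Online PowerShell cmdlets. The plan name, the rule name, the user UPN and the credential prompt are placeholders; the connector module name assumes the SkypeOnlineConnector of that era.

```powershell
# Added example: build, assign and test a tenant-user dial plan that carries the
# 7-digit normalization rule from the post. Names, UPN and credentials are placeholders.

# Connect to Skype for Business Online (Skype Online Connector module)
Import-Module SkypeOnlineConnector
$session = New-CsOnlineSession -Credential (Get-Credential)
Import-PSSession $session -AllowClobber

# Rule: a bare 7-digit string is translated to an E.164 number in the 425 area code.
# Single quotes keep '$1' literal so the cmdlet, not PowerShell, expands the capture group.
$sevenDigit = New-CsVoiceNormalizationRule -Parent Global `
    -Name "Seattle7Digit" `
    -Description "Prepend +1425 to 7-digit dialing" `
    -Pattern '^(\d{7})$' `
    -Translation '+1425$1' `
    -InMemory

# Tenant-user plan: only users who actually sit in the 425 area code should receive it,
# because 7 digits dialed elsewhere in the country must not be forced into 425.
New-CsTenantDialPlan -Identity "Seattle425Users" `
    -Description "7-digit local dialing for Seattle-area users" `
    -NormalizationRules @{Add = $sevenDigit}

# Hybrid tenants must stop consuming the on-premises dial plan first (see the note above)
Set-CsTenantHybridConfiguration -UseOnPremDialPlan $false

# Assign the plan to a single user (placeholder UPN)
Grant-CsTenantDialPlan -Identity "jim@contoso.example" -PolicyName "Seattle425Users"

# Verify the effective plan (service country plan merged with the tenant-user plan):
# dialing 5551234 should yield +14255551234 as the translated number
Test-CsEffectiveTenantDialPlan -DialedNumber 5551234 -Identity "jim@contoso.example"
```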

OneDrive NGSC for SharePoint Team sites is now GA

Yesterday, 1/24/17, Microsoft announced that the OneDrive Next Generation Sync Client (NGSC), which replaces the older Groove.exe sync client, now supports syncing SharePoint Online document libraries (sorry, no NGSC for on-premises SharePoint).

First, verify that the client build number is 17.3.6743.1212.

It is supposed to automatically update but you can also download it from: http://onedrive.com/download

If you were previously participating in the preview build so that you could test out this feature, you previously had to deploy a registry key called “TeamSitesPreview” to enable syncing SharePoint Team sites.

Now, as long as you have the client build 17.3.6743.1212, then the registry key is no longer necessary.

However, if you don’t have the registry key then you will need to change a brand new setting that just appeared in the SharePoint Online Admin Center called Sync Client for SharePoint.
As you can see in the screen shot below, the setting for ‘Sync Client for SharePoint’ defaults to ‘start the old client’.

Important: This needs to be changed to ‘start the new client.’

So if you don’t have access to your SharePoint tenant to change the default sync client for SharePoint to use the new client, you can use the registry key to override it locally on your system.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive]
"TeamSiteSyncPreview"=dword:00000001

Tip: If you are in there modifying the tenant, you might as well make sure the “OneDrive Sync Button” setting is set to “Start the new client.”

These changes take several hours to propagate. To check that they’ve propagated, go to a SharePoint Online site and click Sync. In the browser dialog box that confirms the request to open a program, the “Program” should appear as “Microsoft OneDrive” and the “Address” should start with “odopen://”.

Troubleshooting

If you see either the OneDrive Setup Wizard or a dialog box asking “Which library do you want to sync?” after clicking “Allow” in Internet Explorer, then see Known issues for instructions on how to enable SharePoint site setup in Internet Explorer. There is a known issue that is actively being investigated by Microsoft: If you are using Windows 7 and your SharePoint Online site is still using the classic UI rather than the new modern UI, then you will need to use Edge, Chrome or Firefox until the integration issue with Internet Explorer is resolved.

On a Mac, you may find that you need to perform these additional steps:

  1. If you are currently using the OneDrive Mac Store app, you must first uninstall it before installing the latest build of the new OneDrive sync client.
    1. Open Finder and search for “OneDrive.app” or “OneDriveDF.app” in “This Mac.”
    2. Move all returned items to the Trash.
    3. Once you’ve removed the Mac Store app, you can install the preview build of the new OneDrive sync client.
  2. Exit the new OneDrive sync client by clicking the OneDrive cloud icon in the menu bar and selecting Quit OneDrive.
  3. Open a terminal window by pressing Cmd+Space and searching for “Terminal.”
  4. Run the following commands:
    defaults write com.microsoft.OneDrive TeamSiteSyncPreview -bool True
    defaults write com.microsoft.OneDriveUpdate Tier Team
    killall cfprefsd
  5. Restart the sync client and log in again if prompted.

Reference: https://support.office.com/en-us/article/Enable-users-to-sync-SharePoint-files-with-the-new-OneDrive-sync-client-22e1f635-fb89-49e0-a176-edab26f69614?ui=en-US&rs=en-US&ad=US

How to restrict Office 365 Groups Creation to IT Department Only

Currently, an Office 365 Group can be created in OWA, the Outlook 2016 Client, Office 365 Planner, SharePoint, Microsoft Teams and PowerBI.

You may want to restrict Office 365 Group Creation to a group of authorized users (example: the IT Department): for testing, preparing support desk & training materials, etc. Then when ready, you can add additional authorized users to this group. Decide if you will use an existing Office 365 Group or Distribution Group, or create a new group, ex: “O365GroupCreators.” The catch is that the group cannot have other groups in it, group members must be users directly added.

Note: Users with higher tenant roles will always have the ability to create O365 Groups (ex: Global Admins).

Instructions:

Uninstall preview versions of Azure Active Directory Powershell

Download and install Azure Active Directory Powershell v1.1.130.0 Preview from Connect:

http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

Launch Azure Active Directory Powershell, then run these commands:

  1. Connect-MsolService
  2. Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $true
     (If this is set to $false, the settings below will not take effect.)
  3. $template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
  4. $setting = $template.CreateSettingsObject()
  5. New-MsolSettings -SettingsObject $setting
  6. $group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
  7. $settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
  8. $singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
  9. $value = $singlesettings.GetSettingsValue()
  10. $value["EnableGroupCreation"] = "false"
  11. $value["GroupCreationAllowedGroupId"] = $group.ObjectId
  12. Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

References:

https://support.office.com/en-us/article/Manage-Office-365-Group-Creation-4c46c8cb-17d0-44b5-9776-005fced8e618?ui=en-US&rs=en-US&ad=US

http://drewmadelung.com/managing-office-365-group-creation-via-azure-ad/

Sample Office 365 Group Syntax:

https://github.com/dmadelung/O365GroupsScripts/blob/master/DrewsO365GroupsScripts.ps1

OneDrive Admin Center First Look

[Post Updated 12/19 to correct the statement on Device Access with MAM settings]

At the Ignite conference, Microsoft announced that a new OneDrive Admin Center was coming before the end of 2016. It’s here now!

The new Admin Center is available via the hyperlink below for Office 365 tenants configured for ‘First Release.’ It is currently in preview (aka beta) and will eventually be added to the Admin menu. Until then, you need to access it via the direct URL:

https://admin.onedrive.com

Here are my first impressions of the new admin center.

  • Better visibility into some settings that were previously only available through PowerShell
  • Some new MDM capabilities that previously required an Intune license
  • Nicely summarized Compliance page with links for Auditing, DLP, Retention, eDiscovery, and Alerting. (No new capabilities, but it’s informative, educational and convenient to have them all listed for the OneDrive admin)
  • Several new settings are available in the OneDrive Admin Center that were previously not exposed in the SharePoint Admin Center:
    • Default storage (ability to increase from 1TB to 5TB) (was previously only available in PowerShell)
    • Days to retain files in OneDrive after a user account is marked for deletion (was previously only available in PowerShell)
    • NEW features: Device Access
      • Control access based on network location (this was briefly available in the SharePoint Admin Center but was subsequently removed; it remained configurable in PowerShell)
      • Control access from apps that can’t enforce device-based restrictions
      • Mobile Application Management (requires an Intune license, as this uses the Intune API to change the Intune MAM settings)
    • Allow syncing only on PCs joined to specific domains (was previously only available in PowerShell); there is a TechNet article on how to enumerate domain GUIDs
    • Block sync on Mac OS X (was previously only available in PowerShell)
    • Block syncing of specific file types (was previously only available in PowerShell)
  • Eleven OneDrive settings are not yet available in the OneDrive Admin Center (use the SharePoint Admin Center to manage these OneDrive settings)
    • External users must accept sharing invites using the same account that the invites were sent to
    • custom link expiration dates
    • Configuring the OneDrive experience (New or Classic)
    • Controlling whether all users or only specific users will get OneDrive sites created when a SharePoint license is assigned
    • Notifications (external sharing, or mobile push)
    • Show/Hide OneDrive Button
    • Script Setting that controls whether or not the ‘Copy to SharePoint’ button will appear in OneDrive
    • Ability to enable/disable IRM for OneDrive Globally
    • Ability to enable/disable IRM for individual OneDrive Sites
    • My Site Cleanup Access Delegation
    • My Site Cleanup Secondary Owner
    • My Site Secondary Admin
  • The following OneDrive settings are still only available in PowerShell and have not yet been surfaced in the SharePoint or OneDrive web admin interfaces:
    • Get-SPOTenant | ft ProvisionSharedWithEveryoneFolder
    • Get-SPOTenant | ft ShowEveryoneExceptExternalUsersClaim
    • Get-SPOTenant | ft ShowEveryoneClaim
    • Get-SPOTenant | ft ShowAllUsersClaim
    • Get-SPOTenantSyncClientRestriction | ft OptOutOfGrooveBlock
    • Get-SPOTenantSyncClientRestriction | ft OptOutOfGrooveSoftBlock
    • Get-SPOExternalUser

Here is a side-by-side comparison with the settings available in the existing SharePoint Admin Center (that apply to OneDrive):

| Setting | SharePoint Admin Center | OneDrive Admin Center |
|---|---|---|
| Sharing outside your organization | | Same capabilities |
| Anonymous Links Expiration Setting | | Unable to specify custom expiration date |
| Default Link Type | | Same capabilities |
| Limit external sharing using domains | Checkbox | Same capabilities |
| Prevent external users from sharing files they don’t own | Checkbox | Same capabilities |
| External users must accept sharing invites using the same account that the invites were sent to | Checkbox | [Not Available] |
| Notifications | | [Not Available] |
| Show or Hide Options | | [Not Available] |
| OneDrive for Business experience | | [Not Available] |
| OneDrive Sync Button | | Same |
| Mobile Push Notifications – OneDrive for Business | | [Not Available] |
| Custom Scripts (determines whether or not the ‘Copy to SharePoint’ feature will be available in OneDrive) | | [Not Available] |
| Enable/Disable IRM for OneDrive | | [Not Available] |
| My Site Cleanup Access Delegation | | [Not Available] |
| My Site Cleanup Secondary Owner | | [Not Available] |
| My Site Secondary Admin | | [Not Available] |
| Controlling whether all users or only specific users will get OneDrive sites created when a SharePoint license is assigned | | [Not Available] |
| Delegating access to a OneDrive Site | SharePoint Admin Center > User Profiles > User Profiles > Find the profile > Right click > Manage site collection owners | Not available in the OneDrive Admin Center; however, it was recently added to the main ‘Active Users’ options |

SIP 500 internal server error “from or target user pool or deployment assignment is incompatible with split-domain traffic type”

Problem: User could not transfer a phone call.

Symptom: Bogus error message about split-domain traffic, with almost no articles on the internet or forums to help. An equally bogus error message was “request target is not assigned to a pool or deployment and is not a server GRUU”.

Solution: Disable SIP Refer on the SFB Trunk

Explanation: Not all SBC gateways support SIP Refer, but this is the default option when creating a trunk in Skype for Business.

How to prevent Cortana from mining your web browsing history

When Cortana is enabled, information such as your calendar, contacts, speech, handwriting patterns, typing history, location, and browsing history are sent to Microsoft so that Cortana can provide recommendations.

Disabling Cortana is not as easy as you might think. In Windows 10 RTM, you could disable Cortana as shown in the screen shot below.

However, in the Windows 10 Anniversary Update this toggle was removed. Home users now have to use the registry to disable Cortana, but business users can use Group Policy.

However, in my case, Cortana continued to send information to Microsoft. Task Manager shows she is still lurking…

You have to admit, that is a little creepy, right?

It turns out that you have to also go to the Bing settings page and clear your personal info and then turn Cortana off there too (Kudos to this Windows Central article for the tip).

https://www.bing.com/account/personalization

Click on Search History Page

Then click the Off button

Cortana is no longer leaking information but as you can see from her CPU counter in Task Manager’s “App History”, she is still alive.

At least she isn’t leaking information though! That is 1 for the Humans and 0.5 for the Robots. Hopefully that doesn’t make her mad and send her AI friend Morgan after me.

Outlook gets “Play” Button for Microsoft Cloud PBX VoiceMail

Recently, while checking my voicemail in Cloud PBX, I noticed that I now have a Play button in Outlook.

Now instead of opening up the .MP3 attachment to listen to voicemails, I can simply click the play button.

The ‘play on phone’ button errors out, but the Edit Notes button works.

This feature became enabled when the “Microsoft Exchange Add-in” was added as a COM Add-in inside Outlook.

The timestamp on UmOutlookAddin.dll is July 31, 2016

I have not been able to find any announcement about this new capability.