DIY MTR System

So I’ve recently been setting up some Microsoft Teams Rooms and with the current shortage of hardware and working remotely it’s sometimes difficult to get hold of hardware for testing. 

I’m still working out some of the kinks, but I thought I would share how far I’ve got so far. This guide is primarily designed to help us techies test deployment configurations; if you deploy this within your business you might have some headaches, and I would always recommend buying certified Teams Rooms equipment.

This just allows us techies to work on this without hunting down equipment. You can also run this as a VM on Hyper-V using the same guide; however, passing webcams and audio through to VMs is a pain, and I haven’t worked out how to set up a display to view the camera feed. It is still good for testing Intune configurations and rules.

Design 

This is the configuration I decided to go with. I used the front USB port with the Sennheiser SP20 to try and enhance the audio.

Picture: Design

Kit List – I used 

  • Intel NUC – i3, 8GB RAM, 120GB SSD 
  • 24″ Monitor 
  • 34″ Monitor 
  • Built-in speakers (Monitor) 
  • Logitech Brio – 4k Webcamera 
  • Windows 10 Enterprise 
  • Microsoft Teams Room Standard or Office 365 E3/E5 License 
  • Wireless Keyboard and Mouse 

Image: Nuc

Getting the NUC ready and installing Teams 

Download and install Windows 10 Enterprise on the Intel NUC as you normally would for a Windows install, using the Microsoft Create Image tool.

Download and install the SRS Deployment Kit, which can be downloaded from the Microsoft website here.

Installation is pretty straightforward: next, next, next and finish.

Image: Desktop Installation

Run PowerShell as an Administrator and run the following commands:

Set-ExecutionPolicy Unrestricted 

MD C:\Recovery\OEM 

& 'C:\Program Files (x86)\Skype Room System Deployment Kit\RecoveryTool.ps1' (or the install directory if you changed it during the install)

Select option 2

Resetting the computer to boot from Teams Kiosk mode 

Once the PowerShell has completed, reset the computer using Remove everything, Local reinstall and then Reset.

This is going to take some time; it may have been because I was running an i3, and an i5 might be faster.

Image: Recovery


Logging into Teams 

Once the computer has started you should find the base MTR is installed; however, you are stuck on the EULA screen.

Image: Logging into Teams

Click Exit and it should take you back to the login screen. The default password for the Administrator account should be set to s4b.

Navigate to C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState. 

There you will need to add the following SkypeSettings.xml file; I’ve attached a copy which you can reduce down to the MTR login credentials. These need to be incorrect and not active credentials; test@test.com will have the desired effect.

SkypeSettings.xml 

Restart the NUC from Windows; this time it should boot into the login screen. Click on More … and you can now configure the MTR login details.

If everything is licensed correctly you should be signed in and ready for calls. 

Below was my first test call using Teams on my mobile and my demo setup. 

Demo\Test Call 

MS Teams – DIY MTR 

MS Teams view from mobile device 

Troubleshooting: 

  • Incorrect Windows build: needed at least 20H2.
  • During the reset I had an issue; using the advanced options I did another reset and selected cloud install. I believe this was linked to point one.
  • SkypeSettings.xml: I tried using fewer settings in this file but found it created more issues at start-up.
  • Audio defaults did not pick up the screen (monitor speakers).
  • Second screen (video/presentation screen) not displaying: turned out to be an issue with the Intel drivers on the NUC. Reinstalling drivers downloaded from the Intel website resolved these issues.

Possible Improvements: 

  • The HDMI port from the NUC was the primary screen for making calls; I might look to replace this with a smaller screen such as a 13.3″.
  • A touch screen might allow for a more interactive feel.
  • The USB-C to HDMI output was the screen I could use for the video feed, which allowed for a single screen. Maybe a USB docking station could allow for dual screens. (As I have an i3, I don’t think dual screens would work for me.)

Deploying local admin permission via Intune

It’s been a while since last posting…

I recently received a request from a customer who wanted to deploy local Administrator permission to individual devices via Intune. They didn’t want to purchase any other software or licenses, for example Just In Time access, which is currently in preview.

Endpoint Security via Account Protection policies only allows you to assign a group to the local Administrators group, which then applies to all devices or a group of devices.

Creating multiple policies per device didn’t seem to make much sense to me, so I decided to go with PowerShell. Our current deployment of the 365 tenancy seems to be hit or miss using the Scripts function in Intune, so I’ve deployed it using the Win32 app option.

Create a PowerShell script using the following short commands.

#Author: James Millard
#Version: 1.0
#Notes: Designed to be deployed via Intune to allow a single user to receive local admin permissions on the device they are currently logged into.
#This will apply to whichever user is logged into the computer at the time of running, so it should not be used on a shared device.

#Win32_ComputerSystem.UserName is the interactively logged-on (console) user, in DOMAIN\user or AzureAD\user form
$USERNAME = (Get-WmiObject -Class Win32_ComputerSystem).UserName
net localgroup administrators /add $USERNAME

#Confirmation file, used as the Intune detection rule
New-Item -Path "C:\Windows\debug\AAD-Admin-1.txt"


Log into https://endpoint.microsoft.com and navigate to Apps > Windows.

Upload the application you’ve just created using the IntuneWinAppUtil.


Complete the normal steps of App information > Program.

Install command: powershell.exe -executionpolicy bypass -File .\AzureAD-Set-LocalAdmin-1.ps1

Make sure the Install behavior is set to System rather than User, otherwise this is unlikely to work.


To confirm the script was able to run and had completed, I added the confirmation file the script creates (C:\Windows\debug\AAD-Admin-1.txt) as the detection method.

Create a group and assign it to the users you wish to deploy it to. You can make it a required application for deployment; however, I prefer to make it available for enrolled devices.

The reason for this is that once allocated you can contact the user and ask them to complete the install. Once the install has been confirmed as successful the user can then be removed from the group, reducing the chance of the user adding themselves to multiple groups.

I have set it to all users as this is just my demo tenant and I’m not too worried about all my users adding local admin rights 🙂

Once the user has opened the Company Portal they should be able to locate the application and run through the install process.

Once the install has completed we should now be able to see the logged-on user within the local Administrators group.

Hopefully this helps you. I’m also planning on adding the remove function to this, which will be the same process just with an updated version of the script that removes the user’s permissions.
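The remove counterpart described above, as an added example that is not the post's own script: it is packaged and deployed the same way (Win32 app, Install behavior set to System) with its own detection file. The marker file name and the exit-code convention are this example's assumptions.

```powershell
# Added example, not the original post's script: the "remove" counterpart the post mentions,
# deployed the same way (Win32 app, Install behavior = System) with its own detection file.
# Assumptions: the marker file name and the success/failure exit codes are this example's own.

$MarkerPath = 'C:\Windows\debug\AAD-Admin-Removed-1.txt'   # detection rule file (assumed name)
$AddMarker  = 'C:\Windows\debug\AAD-Admin-1.txt'           # marker written by the add script

# Win32_ComputerSystem.UserName is the console (interactive) user even when this runs as SYSTEM.
# It is empty when nobody is logged on, so fail the install rather than silently do nothing.
$UserName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if ([string]::IsNullOrWhiteSpace($UserName)) {
    Write-Error 'No interactive user is logged on; nothing to remove.'
    exit 1
}

# Only DOMAIN\user or AzureAD\user style names are handled, so a local account such as the
# built-in Administrator can never be removed by this script.
if ($UserName -notmatch '\\') {
    Write-Error "Unexpected user name format: $UserName"
    exit 1
}

# Check membership with the same tool the add script used: net localgroup lists members one
# per line in the same DOMAIN\user form, which also works for AzureAD\user accounts.
$IsMember = net localgroup administrators | Where-Object { $_.Trim() -ieq $UserName }

if ($IsMember) {
    net localgroup administrators /delete $UserName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to remove $UserName from Administrators (net exit code $LASTEXITCODE)"
        exit 1
    }
    "$(Get-Date -Format o) removed $UserName from Administrators" | Set-Content -Path $MarkerPath
} else {
    # Already not an admin: still record success so the detection rule passes.
    "$(Get-Date -Format o) $UserName was not a member of Administrators" | Set-Content -Path $MarkerPath
}

# Drop the add script's marker so the two apps do not both report as installed on the device.
Remove-Item -Path $AddMarker -ErrorAction SilentlyContinue
exit 0
```

Point the detection rule of the removal app at AAD-Admin-Removed-1.txt, and keep the user removed from the deployment group afterwards so the add app cannot be reinstalled.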



Microsoft Teams Lobby Issues


There has been an issue where users are unable to join meetings when going through the lobby feature. When the person tries to connect from the lobby, Teams freezes and then the audio service of the application crashes and restarts.

From the perspective of the people already in the meeting, they can see the person join, even with a camera feed active, but no audio comes through; then they see the person disconnect.

This issue appears to be limited to the Dell Latitude 3420 model. After some analysis it appears to be in the hand-off between Microsoft Teams and the audio driver, which then causes the crash.

Things already tried:

  • Uninstall/reinstall Teams
  • Clear the Teams cache
  • Intel 11th Gen – Intel Smart Sound Solution drivers
  • Teams Islands mode into Teams Only mode
  • Latest update pack
  • Wireshark captures
  • Teams support logs deep dive


Resolution:

Speaking with the build team, we had the latest drivers on our laptop image; however, these were the latest audio drivers based on the Dell driver build pack which is used within SCCM.

After trying various drivers, including Intel Smart Sound audio, BIOS and audio drivers, without any effect, attention was directed elsewhere for a period of time. But on 08/07/2022 Dell released a new audio driver which has resolved the issue: Realtek High Definition Audio 6.0.9363.1, A14.

Some of the fixes and enhancements described the problem perfectly, and so far this appears to have resolved the issue.

– Fixed the issue where the audio connection does not get switched to headset during Voice over Internet Protocol (VOIP) calls or audio playback.
– Fixed the issue where the audio connection drops during Voice over Internet Protocol (VOIP) calls.


I know people are experiencing this issue on both the Dell 3420 and the Dell 5420, so I hope this helps some other people experiencing this issue.
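To find which devices in a fleet still need the fixed driver, here is an added detection script (not from the original post) for an Intune proactive remediation or an SCCM compliance item. The affected models and the fixed version are taken from the post; matching the driver on the "Realtek" name in the MEDIA class is this example's own heuristic.

```powershell
# Added example, not from the original post: a detection script for an Intune proactive
# remediation (or an SCCM compliance item) that reports whether a device is one of the affected
# Dell models and still has a Realtek audio driver older than the fixed 6.0.9363.1 release.
# Assumptions: the models and fixed version come from the post; matching the driver on the
# "Realtek" name in the MEDIA class is this example's own heuristic.

$AffectedModels = @('Latitude 3420', 'Latitude 5420')
$FixedVersion   = [version]'6.0.9363.1'

function Get-AudioDriverStatus {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $isAffectedModel = [bool]($AffectedModels | Where-Object { $cs.Model -like "*$_*" })

    # Win32_PnPSignedDriver exposes the installed driver package version for each device.
    $realtek = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -eq 'MEDIA' -and $_.DeviceName -like '*Realtek*' } |
        Select-Object -First 1

    $installed = $null
    $parsed = $realtek -and [version]::TryParse($realtek.DriverVersion, [ref]$installed)

    [pscustomobject]@{
        Manufacturer  = $cs.Manufacturer
        Model         = $cs.Model
        AffectedModel = $isAffectedModel
        DriverName    = $realtek.DeviceName
        DriverVersion = $realtek.DriverVersion
        # Only flag devices the post says are affected and whose driver predates the fix.
        NeedsUpdate   = ($isAffectedModel -and $parsed -and ($installed -lt $FixedVersion))
    }
}

$status = Get-AudioDriverStatus
$status | Format-List

# Proactive remediation convention: exit 1 = issue found (remediation runs), exit 0 = compliant.
if ($status.NeedsUpdate) {
    Write-Output "Realtek audio driver $($status.DriverVersion) is older than $FixedVersion"
    exit 1
}
exit 0
```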


Deploying MTR Custom Wallpaper via Intune

Recently I’ve been working on a way to deploy a Windows MTR custom wallpaper via Intune. 

Most of the solutions I found relied on using a PowerShell script to copy files from a local file share. When working with a local AD infrastructure, your MTRs might be Azure AD joined or just enrolled into Intune, making file share permissions difficult. If you are also looking to deploy this over multiple locations, cities or even countries then you probably won’t have access to a central file share.

Before we get started with the Intune section we need to configure our wallpaper image. I will be using the template files from Microsoft found here: Microsoft Teams SkypeSettings.xml remote configuration

You will need a text editor such as Notepad/Notepad++ and an application which can read Photoshop files; this can be Photoshop, however I used paint.net with a PSD plugin.

Configuring the SkypeSettings.xml for wallpaper deployment

Although we aren’t really using the Custom Theme Color, I found the deployment doesn’t actually work without it; I am assuming this is a bit of a hangover from some of the earlier Skype for Business settings.

<SkypeSettings>
<Theming>
<ThemeName>Custom</ThemeName>
<CustomThemeImageUrl>wallpaper.png</CustomThemeImageUrl>
<CustomThemeColor>
<RedComponent>100</RedComponent>
<GreenComponent>100</GreenComponent>
<BlueComponent>100</BlueComponent>
</CustomThemeColor>
</Theming>
</SkypeSettings>


Creating a Teams Theme Template

Microsoft Teams Theming Template

When creating the images we need to make sure our final resolution is 3840 x 1080. The reason for this is that if you have a dual-display device it will need to use 2x 1920×1080 so it doesn’t stretch the wallpaper.

Open the template in Paint.Net.


Delete all the extra background layers, leaving the “Your theme here” layer, where you can now insert your wallpaper image.

The template allows you to view what your displays will look like and makes you aware of the positioning of the time, room name, etc.

This will help you avoid poor choices in wallpaper colour schemes.

Once you are happy with your chosen option, deselect all the layers apart from your chosen wallpaper.

Image > Flatten  and then File > Save As wallpaper.png

Create a cmd file using Notepad:

install.cmd

xcopy SkypeSettings.xml "C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState" /y
xcopy wallpaper.png "C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState" /y
xcopy 0.txt "C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState" /y

Confirmation File

Because of the way the SkypeSettings.xml and wallpaper.png are moved after the settings are detected, we want to have a file to indicate that the installation has been a success.

Now we create a txt file and call it 0.txt (you can choose some text to go into it). The reason we are creating this file is as confirmation that our installation script has executed on the remote device.
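Before packaging, a pre-flight check of the folder saves a failed rollout to the rooms. This is an added example, not part of the original post; the file names, the 3840x1080 requirement and the need for a CustomThemeColor block come from the post, while the function name and the 0-255 range check are this example's own.

```powershell
# Added example, not part of the original post: a pre-flight check to run in the package folder
# before building the .intunewin, so a broken package is caught before it reaches the rooms.
# Assumptions: the file names, the 3840x1080 requirement and the need for a CustomThemeColor
# block come from the post; the function name and the 0-255 range check are this example's own.

function Test-MtrWallpaperPackage {
    param([string]$Path = (Get-Location).Path)

    $problems = New-Object System.Collections.Generic.List[string]

    foreach ($f in 'SkypeSettings.xml', 'wallpaper.png', '0.txt', 'install.cmd') {
        if (-not (Test-Path (Join-Path $Path $f))) { $problems.Add("missing file: $f") }
    }

    $xmlPath = Join-Path $Path 'SkypeSettings.xml'
    $xml = $null
    if (Test-Path $xmlPath) {
        try { $xml = [xml](Get-Content -Path $xmlPath -Raw) }   # throws on malformed XML
        catch { $problems.Add("SkypeSettings.xml is not well-formed XML: $($_.Exception.Message)") }
    }
    if ($xml) {
        $theming = $xml.SkypeSettings.Theming
        if ($theming.ThemeName -ne 'Custom') {
            $problems.Add("ThemeName is '$($theming.ThemeName)', expected 'Custom'")
        }
        if ($theming.CustomThemeImageUrl -ne 'wallpaper.png') {
            $problems.Add('CustomThemeImageUrl does not reference wallpaper.png')
        }
        # The post found the deployment does not work without a CustomThemeColor block.
        foreach ($c in 'RedComponent', 'GreenComponent', 'BlueComponent') {
            $v = $theming.CustomThemeColor.$c
            if (-not ($v -match '^\d+$') -or [int]$v -gt 255) {
                $problems.Add("CustomThemeColor/$c missing or not a number in the range 0-255")
            }
        }
    }

    $imgPath = Join-Path $Path 'wallpaper.png'
    if (Test-Path $imgPath) {
        Add-Type -AssemblyName System.Drawing
        $img = [System.Drawing.Image]::FromFile($imgPath)
        try {
            # Dual-display rooms show 2 x 1920x1080 side by side, so the image must be 3840x1080.
            if ($img.Width -ne 3840 -or $img.Height -ne 1080) {
                $problems.Add("wallpaper.png is $($img.Width)x$($img.Height), expected 3840x1080")
            }
        } finally { $img.Dispose() }
    }

    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

Test-MtrWallpaperPackage | Format-List
```

Run it from the package folder; only build the .intunewin when Ok is True.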

Create an Intune installer

Ensure all your files are in the correct directory before creating the installer.

Create the intune installer package ready for uploading.

Upload the Intune installer to EndPoint Manager.

Microsoft EndPoint Manager

App > Windows > Add > Win32 > Select

Upload the Application package you have just created

App Information: Name, Description and Publisher are the only mandatory fields that need to be completed.

Add the install command which will launch the installer. I haven’t created an uninstall command at the moment as I’m still testing, but it will be a delete command to clear the custom theme wallpaper folder from the LocalState folder.

Select an OS architecture and minimum OS; I selected 1909 as that is the minimum version I generally see on MTR devices.

Create a detection rule for the 0.txt file to verify that the installation is successful.

Select a group that is linked to your devices.

Your installer is now created and should deploy to the enrolled devices. It will take effect after the next reboot, which you can schedule or allow the nightly reboot to manage.

Hope this guide helps you in your deployment, and excuse the mess of my desk room.


Migrating Mailbox over 500GB (G Suite to Office 365)

Originally Posted 27-11-2020

I was previously looking at a migration from G Suite to Microsoft 365 for a client that has several mailboxes which are larger than 100GB, with the largest being over 500GB.

Obviously this is much larger than the default mailbox size on Exchange Online for an E3 or Exchange Plan 2 license under normal capacity.

The issue I faced was that no attempt at management had been made and users were able to constantly add to their mailbox; if you’re reading this you already know the struggle of getting someone to retrospectively sort their mailbox.

Retention policies are where we can start this migration: we can start with “if it’s X old then archive”, and once everything is migrated we can then review policies to manage the previously unmanaged mailboxes.

But the question still lies, how the hell do I migrate it?

As I needed to replicate this process on at least 20-25 mailboxes, I decided to take on the challenge by migrating and archiving at the same time.

Check the correct licenses are applied before you start.

We create a retention tag.

Open Exchange Admin Center (EAC)

Navigate to Compliance Management > Retention Tags > Applied automatically to entire mailbox (default)

We create the retention tag we want to apply. You can create a default tag which is applied by the admin, or personal tags which give the user control.

Create a new retention policy and apply it to the mailboxes you’re migrating.

We now need to allow for the archives to go over 100GB, so we need to enable the auto-expanding archive, which is simply done with some PowerShell.

Connect to Exchange Online

Enable-Mailbox -Identity it.guy@theitguy.org.uk -AutoExpandingArchive

You can also apply this for the whole organisation with the following:

Set-OrganizationConfig -AutoExpandingArchive

Check that the correct retention policy is applied.

Get-Mailbox -Identity "IT Guy" | Format-List DisplayName, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner, LitigationHoldDuration, RetentionPolicy


Get-MailboxStatistics it.guy@theitguy.org.uk -Archive | Format-List DisplayName, TotalItems, TotalItemSize, ItemCount

Run the migration as normal and cross your fingers.

It worked great for me but needed some monitoring; you need to allow time for the policies to apply, and once you’re into the auto-expanding archive Microsoft will only allow it to grow by about 10Gb a day to prevent people using them as a backup of leavers’ emails, which I have seen before.

You will need to run the migration task multiple times depending on the size of the mailbox you are trying to migrate.


Note: I found that the retention policies from the Compliance Center will override the retention policies created in the Exchange Admin Center.



Office 365 – Sending from Alias or Proxy Address

21 May 2021

After many years, Microsoft are now enabling sending emails as an alias/proxy address which is associated with your 365 email address.

It was announced quietly on the 365 Roadmap that the update would be coming in June; please see the roadmap link below.

https://www.microsoft.com/en-ie/microsoft-365/roadmap?filters=&searchterms=59437

What are aliases?

Aliases are used in a variety of ways, commonly when a company creates a new section they want to explore, or when they’ve purchased/merged companies together.

In some cases it can be a brand change, and it is often required to email old contacts from the address they might be used to.

Existing workarounds:

You have been able to work around this using groups and shared mailboxes, but often people would like to just do it from the client without having to switch mailboxes or create rules to avoid getting duplicate emails.

Although the feature doesn’t seem to be available until June, the command appears to be there at present in order to enable it. Please see below.

How to Enable sending as an alias:

Launch PowerShell

Connect-ExchangeOnline

Set-OrganizationConfig -SendFromAliasEnabled $True

Confirm the change has been made:

Get-OrganizationConfig | ft SendFromAliasEnabled

Allow a good 24 hours before you expect to see the change; all being well, you should then be able to start sending from your alias addresses.


Enable Microsoft Teams live events through PowerShell

With the impact of COVID-19 a lot of people are trying to enable live events. I have found it difficult to access some of the Teams functionality through the admin web interface with some of my clients.

So this is a quick guide on how to do it through PowerShell.

Download and Install

https://www.microsoft.com/en-gb/download/details.aspx?id=39366

Open PowerShell as an Administrator

Import-Module SkypeOnlineConnector

Start a session with Microsoft Teams

$teamsSession = New-CsOnlineSession

Import-PSSession $teamsSession

We can now start looking at our policies and settings.

Get-CsTeamsMeetingBroadcastPolicy -identity Global

Identity : Global
Description :
AllowBroadcastScheduling : True
AllowBroadcastTranscription : False
BroadcastAttendeeVisibilityMode : EveryoneInCompany
BroadcastRecordingMode : AlwaysEnabled

I wanted to open up live events to everyone for a client.

Set-CsTeamsMeetingBroadcastPolicy -Identity Global -BroadcastAttendeeVisibilityMode Everyone

Check the settings afterwards

Get-CsTeamsMeetingBroadcastPolicy -identity Global

Identity : Global
Description :
AllowBroadcastScheduling : True
AllowBroadcastTranscription : False
BroadcastAttendeeVisibilityMode : Everyone
BroadcastRecordingMode : AlwaysEnabled


Changing IT with MS Cloud and Windows Virtual Desktop

Microsoft 365 and Azure have become powerful tools which allow companies to start asking: do we need on-premises equipment anymore?

With Windows 7 and Windows Server 2008 R2 becoming end of life in January, it becomes the point where businesses look at their IT, looking to future-proof. “They never told us it was going end of life.” Yet previous conversations go along the lines of “we still have 12 months to sort it”.

On Premises

These are just some of the things you will need in an on-premises solution for an SME or large business which you get out of the box with Azure.

  • Server hardware
  • Firewall
  • Server grade switches
  • Multiple internet connections
  • Virtual machine management software
  • Electricity
  • UPS battery
  • Backup generator
  • Server redundancy
  • Backups
  • Antivirus/Firewall
  • IT staff to manage/configure
  • Air conditioning

Once you start considering these costs it becomes clearer why people are adopting the cloud so much. It also means you have more space on site, and you can simplify your office configuration as you would only require a configured data network.


Windows Virtual Desktop

There has always been a requirement for on-premises servers, with the most common reasons being compliance, legacy applications or staff needing to access large files regularly.

With Windows Virtual Desktop end users are able to log into a remote desktop with all their applications installed and then access resources within the Azure network at speeds that most businesses could not afford on premises.

One of the benefits of this is that staff can work anywhere whilst still being able to work in the same way; it also means that people with a poor internet connection can still work effectively and efficiently wherever they are.

This also allows applications to be installed and deployed to a large group of people without visiting computers to check software has installed correctly.

Cost Savings

Some of the cost savings which can be taken into consideration with this:

  • Reduced cost of hardware (Laptops)
  • Servers – Paying for what you need now.
  • Scale machine performance as needed
  • Reduced setup and build time
  • Reduced downtime
  • IT maintenance time saved
  • Public IP addresses available

Offices will only require a reliable internet connection, and even this can be reduced in some cases. If you were handling large architectural CAD files, these would take a substantial amount of time to transfer between offices.

However, if both offices could work from Windows Virtual Desktop then the files would be available almost instantly via blob storage, which can also grow with your requirements.

This allows IT teams to focus on the future of how to help the business streamline its work and become more productive. It also reduces the amount of time spent on basic admin tasks: is that server in warranty, a hard drive has failed, backup tapes have become corrupted, and many more.



Domain Trust Relationship Issue

I’ve found an issue with a domain trust relationship which keeps failing at the default policy interval of every 90 days or so.

The symptoms were temporarily fixed with PowerShell easily; however, this just gives you 90 days until you next have to enter it again.

Reset-ComputerMachinePassword -server server01 -credential domain\username

This saves the hassle of removing from the domain and re-adding, and is a much better way of managing the issue, but doesn’t help with solving the problem.


So let’s get down to the problem and analysing the issue.

repadmin /showreps

dcdiag /test:checksecurityerror /replsource:dc03

These results all came back as expected. I then realised that the location with the computers which were regularly affected had a domain controller operating with two DHCP scopes; however, the server was only configured with one.

For example:

  • 192.168.1.1/24 – Scope 1
  • 192.168.2.1/24 – Scope 2
  • DC 192.168.1.5/24

Although AD Sites had both subnets listed, Scope 2 was unable to communicate correctly with the server for authentication, especially if a computer remained on Scope 2 longer than 90 days, which wasn’t difficult due to the size of the pools.

There are two possible solutions for this.

  1. Add another network adapter to the DC on Scope 2, e.g. 192.168.2.5/24.
  2. Modify the subnet from /24 to /23, which would increase the number of subnets and IP addresses covered under one scope.

I was lucky, as at the time I was redesigning the network for additional security, which allowed me to implement both of the above to help with future-proofing: separating server and client subnets whilst also allowing for subnet growth if required in the future.


Delete a deleted user from Office 365

In the event you need to delete a user account from Office 365, maybe a recreated user from on-premises which is conflicting, you need to clear the old user account.

First connect to your Office 365 subscription with PowerShell.

Connect with user credentials

$UserCredential = Get-Credential

Run the following PowerShell:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -DisableNameChecking

You can delete the mailbox using the following command:

Remove-Mailbox -Identity <mailbox identity>

You can view the list of users which are currently in your deleted users folder. Users in this folder are removed after 30 days, but this is in case you need to delete sooner.

Connect-MsolService

Get-MsolUser -ReturnDeletedUsers

To delete the user account run the following:

Remove-MsolUser -UserPrincipalName joe.bloggs@domain.com -RemoveFromRecycleBin