An easy way to manage your organization with Intune

Next up Intune

Since some time Microsoft has been promoting lots of companies to go with Intune. Most of these companies want to use a solution like Intune but sometime already have a system in place which takes care of their mobile devices. Think about Airwatch or Mobile Iron. Most of the time Intune gets compared with Mobile Iron or Airwatch but what most companies do not know is that Intune is not just about mobile devices. It can do lots more than that.

Where to start with Intune

As mentioned before lots of companies do not know where to start with Intune. One of the most asked question I get at customers is do I start with MDM for mobile devices or do I start with MAM and what is the difference. And how do i make sure i enroll the devices without big impact to my users.

First of all the best thing you can do is start with a simple pilot for Mobile Application Management (MAM). Based on a azureAD group. What MAM does is, it manages the applications you make available within Intune for you mobile devices. If you start with this i recommend to just select all the applications from the Microsoft Office 365 subscription.

You can do this within the App protection policies.

intune apps

As you can see my selection of apps are put in just for Android devices. This comes because i have created two policies. One for Android and One for IOS. The reason for this is that i can manage both type of devices separately. For instance if i want to add apps like Google Maps (Android) or Safari (Apple) you can manage these just for these device types.

*make sure you assign your policies to just a few of you, not for the entire company when testing.

Mobile application management (MAM)

As written above you can implement Mobile application management pretty easy. Just make sure you have the right licenses (EM+S E3 or EM+S E5 or Intune). and you are good to go. But what does Mobile application management actually do.

Basically MAM manages the applications you offer to your users as a service to use. This means that a user which has for example a private device can use Outlook for IOS/Android with corporate email in a safe way. The user just need to install the application from the Google playstore or Itunes. The users will be guided thru the process and will end up with a safe working version of outlook with his corporate email.

With the policies you have created you have set some properties to prevent options like; Copy from email to phone storage, open Urls from email into unmanaged browser, Save attachments to non managed storage.

Mobile Device Management (MDM)

What is mobile device management (MDM), MDM is a way of securing the device a user gets from his company. Most of the time i advise this option when a company has company phones which they give to their employees. In this case the device is owned by the company so there is a possibility that you want to do more with the device then just manage the applications like in MAM. Things you can do more then you can do with MAM  are;

  • Device encryption
  • Push company owned apps
  • Install applications from Itunes or Google playstore
  • Wipe entire device instead of just the managed applications
  • Push certificates and WiFi profiles
  • And lots more

I hope this gives you some insights on MAM and MDM. In my opinion these are the best options to start with when starting with Intune. But you can imagine there are lots more feature you can do with Intune. Think about enrolling Windows 10 devices with autopilot, so you can really give you customers a seamless out-of-the-box-experience (OOBE). Even Co-management is possible these days.  In the following blogs i will guid you thru the implementation of some of these features and possibilities.

If you have some ideas for a blogpost regarding Intune that you needs to be worked out please let me know. And i will try if i can create a tutorial for this.

Also do not forget to check my other blogs @j3rmeyer.nl

 

Running Hybrid Configuration Wizard (HCW) for the first time

Hybrid Configuration Wizard (HCW)

Every time when i have to implement a Hybrid Scenario or HCW at a customer i caught myself of using a different blog as a safety guidance. I do this so i do not make a mistake or forget something during the configuration of  the Hybrid Configuration Wizard. Here are some things you should consider before moving forward and configuring this peace of software.

There are two useful blogs that i have found so far which cover the load. Both of these blogs cover the same solution.

Code two and Practical 365

But before running the Hybrid configuration wizard you should think about what kind of hybrid scenario you would like to have and maintain. Do you go for the short or Long term Hybrid

Hybrid exchange

Short or Long term Hybrid

At the last Techsummit conference in Amsterdam Michael von Hybrid had a great session about this. You can find his Techsummit slides here. Since i have seen this session I am always discussing these topics with the customer so they know what they can expect from their Exchange Hybrid scenario. And they know how to manage their environment in a hybrid situation.

Want to read my other blogposts?

Mailbox migration hangs on TotalStalledDueToWriteThrottle

TotalStalledDueToWriteThrottle

Mailbox migration can take a long time to finish. Most of the time this can be a pain when there is a lot of pressure on the migration project.

To get more insights in these issue you can execute the command bellow to get an overview of what is going on with your mailbox move.

Get-MoveRequest | get-MoveRequestStatistics

or

(Get-MoveRequestStatistics <id> -IncludeReport).Report.TargetThrottles

As you can see in the print screen there are a lot of TotalStalledDueTo…  These error occur most of the time due to an error on the back-end of the Microsoft services.

TotalStalledDueToWriteThrottle

Common mailbox migration issues

Some of you might know this but Microsoft is handling a queue for moving and migrating company mailboxes and user placeholders that want to on board. This will hit most of the services of office 365 like Exchange online and Azure AD.

Microsoft is doing this to make sure everybody has the same performance and expectations to migrate, they do this so their services will not be overloaded with move requests.

There is no solution for these error messages the only thing you can do is create a ticket for Microsoft.  But we have seen that most of the time the Microsoft Fasttrack  team is not using the migrationbatch method or MRS replication. They are just using the individual request. The reason for that is (cause they are easier to manage)

Note: just keep raising to tickets, just to make a signal to Microsoft.

Source: Thanks Michel de Rooij and Thomas Verwer to bring this to our attention.

 

How to disable Office Groups and Teams creation the right way.

Why disable groups/ teams creation

Some companies want to permit access to group and our teams creation. There can be many reasons for this. For instance you want to disable the creation of groups and teams to be more in control over these features.

To do this the right way it is recommended that only certain users are able to create groups and teams. In order to perform this it is rather recommended to create a Universal Security Group (which is mail enabled). This group will be used only for group and team creation.

First steps

As mentioned before it is recommended to create a Universal Security Group (which is mail enabled). When you have Azure AD Connect in place you should create this group on-premise and sync this over to Azure AD. That means that you management will maintain On-premise.

You can also create this group in Azure AD itself. If that is your way to go you should just create a security group in Azure AD. Please understand that your management will be in AzureAD/ Office 365.

The Script

To disable the group/ teams creation you can run the script bellow from the Azure AD PowerShell module

$Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’}
If ( !( $Settings)) {
# No Group.Unified object found, create new settings object from template
Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq ‘Group.Unified’} | Select-Object -ExpandProperty Values
$Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq ‘Group.Unified’}
$Template | Select-Object -ExpandProperty Values
$Settings = $Template.CreateDirectorySetting()
}
$Settings[‘EnableGroupCreation’] = ‘false’
$Settings[‘AllowToAddGuests’] = ‘false’
$Settings[‘GroupCreationAllowedGroupId’] = ( Get-AzureADGroup -SearchString ‘Office365GroupTeamsAdmins‘).ObjectId
If ( Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’} ) {
Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’} | Set-AzureADDirectorySetting -DirectorySetting $Settings
}
Else {
New-AzureADDirectorySetting -DirectorySetting $Settings
}

And make sure there is a Synced universal mail enabled security group with the name Office365GroupTeamsAdmins. Because  the user must be in the group Office365GroupTeamsAdmins to create groups and teams so all other users are not permitted.
Thanks to Michel de Rooij for this script

What to do with public folders when moving to Exchange Online

Moving to Exchange online

Sometimes a migration to office 365 can be difficult when it comes to Public folders. When the plan is to migrate from for instance Exchange 2010 to office 365 Exchange Online a discussion must be made. What to do with the public folders? In my opinion there are 3 scenario’s that can be discussed. In this blog post i will write down these 3 scenario’s .

A little bit of history

For youngsters in IT like myself it is pretty hard to understand what public folders are and what they do. This comes because we never worked with them or have used them. Luckily there are lots of experienced Microsoft Professionals like my colleague Michel de Rooij.  Who can explain this perfectly.

So what is a public folder: According to TechTarget a public folder In Microsoft Outlook, a public folder is a folder created to share information with others. The owner of a public folder can set privileges so that only a select group of users have access to the folder, or the folder can be made available to everyone on the network who uses the same mail client. Public folders in Outlook can contain contacts, calendar items, messages, journal entries, or Outlook Forms.

What to do with Public Folder Scenario’s

In the scenario’s bellow i will write down 3 scenario’s what to do with public folders. In these options i will also keep notice that most companies want to get rid of their public folders.

Scenario 1: Migrate public folder to modern public folders

Microsoft has published a article on Technet on how to migrate legacy public folders to modern public folders on Office 365. In this case Microsoft just continues the support on public folders when they are migrated to Office 365.

The migration itself has some limitations which i will summarize bellow.

  • Exchange 2010 Sp3 or higher is needed
  • Legacy public folder cannot be larger the 2 GB
  • Public folder cannot contain \ or other strange symbols
  • Modern public folders are not accessible for legacy (on-premise) users
  • All users need to be migrated first
  • Max 1000 public folders allowed
  • Big bang migration with downtime

As you can see there are some limitations and difficulties. These difficulties are most of all in managing expectation at the business side cause public folders need to be cleaned or renamed.

Scenario 2: Migrate public folder to Office 365 groups

The second scenario is to migrate the legacy public folders to Office 365 groups. Microsoft has described this in the following Technet article. When moving public folders to Office 365 groups there are some difficulties that need to be managed first before you can start the migration.
One of these difficulties is that it is only possible to migrate the email and calendar items to an Office 365 group.

Bellow you find the summary of limitations.

  • All users must be migrated to Office 365 before you begin
  • Work process for end user will change ( they will use a office group instead of public folder)
  • Office 365 groups are not accessible for legacy users
  • Only mail and calendar items are supported
  • Maximum size of Public folder can be 25 GB to migrate
  • Phased migration is possible when using a > Exchange 2013 server
  • Downtime

Scenario 3: Do not migrate public folder to Office 365

When you have Exchange 2010 in a hybrid setup it is possible to configure the public folders co-existing. This means that the public folder stay where they are, but are accessible from on-premise and from online. There are some limitations, one of these limitations is that it is not possible to open this public folder from Outlook.office365.com/owa.

Remember i told you in the beginning that there is probably a scenario on how to get rid of the Public Folders? Well this is in my opinion the best and most business friendly way to do it.

Therefor just make sure the co-existing is in place. So next up you put the public folders in read only. and give the users a Shared mailbox, Office 365 group or even a team as their new place to collaborate from.

One last thing keep in mind that when you go for this option you have to keep your on-premise environment for a little bit longer before you decommission it.

Export all mailboxes with their sizes to TXT or CSV with Powershell

Export mailboxes

Most of the time when you are into a Mailbox migration project you have this phase that you need to inventory the amount of user mailboxes. With their size. Do you want to perform such action you need to use Exchange Powershell to be able to get these kind of data out of Exchange.

Powershell

To export this mailbox data out of exchange you can use the command Get-MailboxStatistics -identity “sAMACCOUNTNAME” | fl. This will give you a complete list of the output matched with the j3rmeyer account/ mailbox in exchange.

If you look further you notice that there is actually only one useful unique attribute (so you can match this later on with Active Directory). That one attribute is the ‘MailboxGuid’.

To get this data i a useful way out of exchange the best thing to do is combine this data together with the DisplayName.

The script

In this script i will combine the Display name with the MailboxGuid and the total size of the mailbox in MB. This is not all i want i want to export all the mailboxes on that specified Exchange server. To do that you need to give in the Server name instead of the identity of the user.

Below you will find the script i use to export such data:

Get-MailboxStatistics -server “DATABASESERVERNAME” | Sort-Object TotalItemSize -Descending | ft DisplayName,

mailboxguid, @{label=”TotalItemSize(KB)”;expression={$_.TotalItemSize.Value.ToKB()}},ItemCount > c:\temp\mailbox_sizes_

emailboxserver.txt

So when you want to change the output file into an Excel CSV file instead of TXT. It is possible use the Powershell script below to perform such action:

Get-MailboxStatistics -server “DATABASESERVERNAME” | Sort-Object TotalItemSize -Descending | ft DisplayName,

mailboxguid, @{label=”TotalItemSize(KB)”;expression={$_.TotalItemSize.Value.ToKB()}},ItemCount | Out-File C:\temp\mailbox_sizes_emailserver.csv

 

Cheat sheet with all Ports and rules needed for a Skype 2015 Onpremise environment

Skype For Business Ports

As in my previous post i will share a cheat sheet with you. This time the cheat sheet refers to a Skype For Business Onpremise implementation. To make things easier for myself, I created an overview of all ports and ip adresses that hits firewalls and network of customers.

TThe document is mentions as a cheat sheet this means that you can adjust it and present it to the customers network team.

Overview

There are always some requirements.

  • External IP adresses for remote Subdomains
  • Access to EXternal DNS
  • This Drawing does not contain the Office webapp server

Skype Ports

Please let me know if you are missing some things.

Cheat sheet with all Ports and rules needed for a Exchange Hybrid Infrastructure

Exchange Hybrid Ports Cheat Sheet

When working with Exchange I sometimes come to clients who already have a hybrid exchange configured environment. In many cases this is when the hybrid configuration does not work. To make things easier for myself, I created an overview that eliminates the pain of firewalls and networks.

To help you guys out in these situations i share my ports overview document with you, The document is mentions as a cheat sheet this means that you can adjust it and present it to the customers network team.

Overview

There are always some requirements for a Exchange hybrid environment

  • External IP for a seperate Hybrid flow that resolves to hybrid.domain.nl
  • You need to be sure that the hybrid server is part of the mail environment
  • Make sure autodiscover is set the right way
  • The Exchange server which is used for the Hybrid configuration needs to be in the LAN
  • Do NOT forget the Exchange online and Exchange online protection URL’s
  • If you do not have an external IP use the external IP of the autodiscover.
hybrid exchange ports cheat sheet
hybrid exchange ports cheat sheet

 

Click here to read other posts for more Exchange related posts.

 

Monitor Windows AD and Azure AD Health with Microsoft OMS

What is Microsoft Operation Management Suite (OMS)

Oms (Microsoft Operations Management Suite) is Microsoft’s cloud-based IT management solution that helps you manage and protect your on-premises and cloud infrastructure. In this case we will use OMS to monitor and sort of “manage” Azure AD connect and Azure AD identities.

Before we start with OMS

Bore we start there are some requirements.

  1.  We need a Valid OMS Subscription – OMS has different level of subscriptions. It is depending on the OMS services you use and amount of data you uploaded. Ther is a free version which provides 500mb daily upload and 7-days of data retention.
  2. Direct Connection to Azure AD
  3. Domain Administrator Account in order to install the agent in the domain controllers we need to have Domain Administrator privileges.
  4. Global admin account to perform some actions in Azure AD

How to enable OMS as an AD Solutions 

Log in to OMS https://login.mms.microsoft.com/signin.aspx?ref=ms_mms as OMS administrator

Click on Solution Gallery

By default, AD Assessment solution is enabled. In order to enable AD Replication Status  click on the tile from the solution list and then click on Add.

Install OMS Agents 
Next step of the configuration is to install monitoring agent in domain controllers and get them connected with OMS.
1. Log in to the domain controller as domain administrator
2. Log in to OMS portal
3. Go to Settings > Connected Sources > Windows Servers > click on Download Windows Agent (64bit). it will download the monitoring agent to the system.
4. Once it is download, double click on the setup and start the installation process.
5. In first windows of the wizard click Next to begin the installation.
6. In next window read and accept the licenses terms.
7. In next window, we can select where it should install. If there is on changes click Next to Continue.
8. In next window, it asks where it will connect to. In our scenario, it will connect to OMS directly.
9. In next window, it asks about OMS Workspace ID and Key. it can be found in OMS portal in Settings > Connected Sources > Windows Servers. if this server is behind proxy server, we also can specify the proxy setting in this window. Once relevant info provided click on Next to continue.
 10. In next window, it asks how I need to check agent updates. It is recommended to use windows updates option. Once selection has made, Click Next.
11. In confirmation page, click Install to begin the installation.
12. Follow same steps for other domain controllers.
13. After few minutes, we can see the newly added servers are connected as data source under Settings > Connected Sources > Windows Servers

How to view analyzed Data

After a few minutes, OMS will start to collect data and virtualize the findings. To view this data, log in to OMS portal and click on relevant solution gallery tile in home page. You will find your analysed/ assessed servers there. You also get a quick overview and some recommendations for these servers.
Once click on the tile it brings you to a page where it displays more details about its findings. You will get a nice overview with all the collected data and it even provides you some fixes

 How to collect Windows logs for Analysis

Using OMS, we also can collect windows logs and use OMS analyzing capabilities to analyze those. When this enabled, OMS space usage and bandwidth usage on organization end will be higher. In order to collect logs,
1. Log in to OMS portal
2. Go to Settings > Data > Windows Event Logs
3. In the box, you can search for the relevant log file name and add it to the list. We also can select which type of events to extract. Once selection is made click Save.
After few minutes, you can start to see the events under log search option. In their using queries we can filter out the data. Also, we can setup email alerts based on the specific events.
*source http://www.rebeladmin.com/

Where is the Bitlocker Key stored within Microsoft Azure AD

Storing your Bitlocker key

When you enroll your  Windows 10 devices with  Microsoft Intune, you have the posibility to store your Bitlocker recovery keys in Azure AD. There are two ways to store the Bitlocker key the proper way

  1. Store the Bitlocker key into Active Directory (on-premise)
  2. Store the Key Into Azure AD (Cloud)

When you use the Azure AD join and activate Bitlocker, you get the option to store the Recovery Key in Azure AD. When you walk through the Join or register the device wizard.

The Key will be stored in the Cloud/ Azure AD. To get these keys in the Classic Azure Portal follow the steps below

Classic Azure Portal steps

  1. Open Azure AD in the Management Portal https://manage.windowsazure.com
  2. Open the Users tab and search/browse for the account you need to find recovery key for, then open it.
  3. Go to the Devices tab, and in the View box, select Devices.
  4. Select the affected device, and click View Details.

All registed recovery keys should be visible

(New) Azure Portal

Most of you will probably use the (new) azure Portal, to find the keys here is a little different but not to much. Follow the steps bellow to get the recovery keys from Azure AD

  1. Open Azure AD in the Management Portal https://portal.azure.com
  2. Open the Users and Groups blade and find the user involved.
  3. Go to his registred devices of the user.
  4. Click on the Device where you need the key from,

You will find the recovery key at the bottom of the device information