ENABLE MICROSOFT KAIZALA COMPLIANCE

Kaizala is a simple and secure mobile chat app for work. If you need more information about the product, navigate to the product description https://products.office.com/en/business/microsoft-kaizala.
During May 2019, Microsoft started to roll out the Kaizala admin management portal worldwide. To reach the portal, open your browser and browse to manage.kaiza.la.

If you would like to enable the compliance settings, you need to meet some prerequisites. You can find those prerequisites on the following page:

https://docs.microsoft.com/en-us/Office365/Kaizala/backup-export-org-data#prerequisites

If you check your current licences through PowerShell, you will see that there is no Kaizala licence assigned, even if you use Microsoft 365 licences (SPE_E3):

# Sign in to Azure AD (AzureAD PowerShell module)
Connect-AzureAD
$userUPN="your admin account here"

# All licence plans (SKUs) the tenant is subscribed to
$licensePlanList = Get-AzureADSubscribedSku

# SKU IDs assigned to the user
$userList = Get-AzureADUser -ObjectID $userUPN | Select -ExpandProperty AssignedLicenses | Select SkuID 

# Print the SkuPartNumber of each assigned SKU; the last 36 characters of a subscribed SKU's ObjectId are its SkuId
$userList | ForEach { $sku=$_.SkuId ; $licensePlanList | ForEach { If ( $sku -eq $_.ObjectId.substring($_.ObjectId.length - 36, 36) ) { Write-Host $_.SkuPartNumber } } }

Output from the script:

This results in the following error message if you try to enable the compliance for Kaizala:
Error : “Please make sure your organization has Kaizala Pro, Microsoft Exchange and Microsoft SharePoint licenses.”

To enable the compliance on the portal, you need a Kaizala Pro licence.
I started a trial on the page https://products.office.com/en/business/microsoft-kaizala and assigned a licence to my admin account:

Shows as Kaizala_Standrad licence
A Kaizala Pro licence is assigned to the admin account

However, after correcting the licence for the admin account, I was able to configure the compliance settings within the Kaizala portal.

Let me know if you have a similar experience or are facing other issues.

SPEAKING AT EXPERTS LIVE SWITZERLAND 2019

I’m excited to be chosen as a speaker at Experts Live Switzerland 2019. Experts Live Switzerland 2019 will take place on June 20 in the Workspace Welle 7 in Bern, Switzerland. Experts Live Switzerland is a one-day event with 17 sessions in three parallel tracks focusing on Microsoft Cloud, Datacenter and Modern Workplace topics, with Microsoft MVPs, speakers from Microsoft and other industry experts.

I am happy to speak about Modern Workplace and how you can move from a classic or legacy deployment to a new Modern Device deployment. This will cover some Microsoft 365 features like Windows 10, Autopilot & Intune.

Check out Experts Live Switzerland for more detailed information. Would be cool to see you there!

Speaking at Microsoft Tech Summit & Experts Live in Switzerland

The Microsoft community year 2019 starts very soon, also in Switzerland. In the USA the Experts Live US in Austin and the Midwest Management Summit (MMS) are just around the corner.
In the most beautiful capital of the world, Bern, interesting Microsoft community events will take place this year. I am proud to be a part of it.

Microsoft Tech Summit 2019
The Microsoft Tech Summit will take place on April 3 & 4.
The first keynote will be held by Scott Hanselman, Partner Program Manager & Web Developer at Microsoft: The Microsoft Open Source Cinematic Universe. Also on this day, further information about the Microsoft Datacenters in Switzerland will be presented. I’m looking forward to my session on April 4th where I’ll be happy to share some tips and tricks about Microsoft 365, Autopilot and Intune! Hope to see you there!

Experts Live Switzerland
A bit later this year, in June, on the 20th to be exact, Experts Live Switzerland will take place, organized by districtUP, located in Bern. The event will again take place at Welle 7, directly at the train station. I will be speaking about Modern Workplace Management. It is a one-day event and the sessions are held in German. Details will follow soon on my blog or directly on the Experts Live webpage: www.expertslive.ch

This will be a great start into the community year 2019! So, see YOU there!

Organize a Shared Mailbox and aliases using Inbox rules

Quickly configure and manage a shared mailbox using Outlook for the Web or PowerShell.

For several versions of Exchange Server and in Office 365, you have been able to use shared mailboxes to give users access to a centralized mailbox.

In this quick post I would like to show how you can easily organize incoming emails if you also have configured different aliases for the shared mailbox.

Let’s say you have a shared mailbox called info@mydomain.com and you have configured several aliases like marketing@mydomain.com and events@mydomain.com.

From there you would like to move incoming mails directly to subfolders in your info@ mailbox. In a shared mailbox this is only possible using the message header. There are two ways to achieve this goal: using Outlook / Outlook for the web, or using PowerShell.

CONFIGURATION with Outlook for the Web

Make sure you have the right permissions to manage the mailbox and open the shared mailbox (link to how-to).

Select Settings, search for options and choose Message options – Choose your message options

  • Select Inbox and sweep rules and create a new inbox rule
  • Give a Name to the rule. Browse to When the message arrives, and or matches all of these conditions – It includes these words – in the message header – type in your alias for the mailbox (alias@mydomain.com)
  • Browse the condition Do all of the following – Move the message to a folder… Select your folder where the message should be moved to
  • If needed select Stop processing more rules and save (OK) the rule
  • The final result should look like this:

CONFIGURATION with PowerShell

First connect to Exchange Online using PowerShell. If you’re not familiar with connecting to Exchange Online using PoSh, please refer to this link.

Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber

If you would like to add a new alias to your mailbox, you can use the Set-Mailbox cmdlet like this:

 Set-Mailbox "info" -EmailAddresses @{add="alias@mydomain.com"}

Use the New-InboxRule cmdlet to organize the shared mailbox by adding new rules. Make sure the subfolders exist in the mailbox:

New-InboxRule -Name "alias@mydomain.com - Move to YourFolderName" -Mailbox info -HeaderContainsWords "alias@mydomain.com" -MoveToFolder ":\Inbox\YourFolderName" -StopProcessingRules $false
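
The following is an added example, not part of the original post: it creates one rule per alias without duplicating existing rules, checks that each target subfolder exists first, and lists the resulting rules for review. The alias-to-folder map and folder names are placeholders, and an Exchange Online PowerShell session is assumed to be connected already.

```powershell
# Added example: one inbox rule per alias on the shared mailbox "info".
# The aliases and folder names below are placeholders; adjust them to your tenant.
$Mailbox = 'info'
$AliasToFolder = [ordered]@{
    'marketing@mydomain.com' = 'Marketing'
    'events@mydomain.com'    = 'Events'
}

# Names of the rules that already exist, so a second run does not create duplicates.
$existingRules = @(Get-InboxRule -Mailbox $Mailbox | Select-Object -ExpandProperty Name)

# Folder paths below the Inbox, reported in the form "/Inbox/Marketing".
$inboxFolders = @(Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope Inbox |
    Select-Object -ExpandProperty FolderPath)

foreach ($alias in $AliasToFolder.Keys) {
    $folder   = $AliasToFolder[$alias]
    $ruleName = "$alias - Move to $folder"

    if ($existingRules -contains $ruleName) {
        Write-Host "Rule '$ruleName' already exists, skipping."
        continue
    }
    if ($inboxFolders -notcontains "/Inbox/$folder") {
        Write-Warning "Subfolder '$folder' not found in the Inbox of '$Mailbox'; create it first."
        continue
    }

    # ${Mailbox} needs braces, otherwise PowerShell reads "$Mailbox:" as a scope prefix.
    New-InboxRule -Name $ruleName -Mailbox $Mailbox `
        -HeaderContainsWords $alias `
        -MoveToFolder "${Mailbox}:\Inbox\$folder" `
        -StopProcessingRules $false
}

# Review every rule on the shared mailbox, including ones you did not create.
Get-InboxRule -Mailbox $Mailbox |
    Format-Table Name, Enabled, Priority, HeaderContainsWords, MoveToFolder -AutoSize
```

The final listing also shows rules that other delegates have added to the shared mailbox, so it works as a periodic review of what is moving mail out of the Inbox.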

There are many more settings you can add. Feel free to post a comment to contribute to this post!

KB4464330 For Windows 10 Version 1809 Released By Microsoft

Microsoft has released KB4464330 for Windows 10 version 1809 to fix the issue that resulted in the deletion of user profiles when upgrading to version 1809. After the release of Windows 10 1809 (October update), many users reported a serious issue with this update. As users started to install the latest update, they reported that the upgrade process was wiping out the data in their user profile. This included documents, pictures, and personal files along with other installed programs. After the upgrade, the data could not be found, and this annoyed Windows 10 users.

The statement from Microsoft:

“We have paused the rollout of the Windows 10 October 2018 Update (version 1809)* for all users as we investigate isolated reports of users missing some files after updating.”

https://support.microsoft.com/en-us/help/4464619/windows-10-update-history

After a week now, MS released an update for the issue. The update will be delivered by your update management solution, like WSUS or Windows Update for Business. For a manual download, visit the MS Update Catalog: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4464330%20


This KB addresses the following changes:

  • Addresses an issue where an incorrect timing calculation may prematurely delete user profiles on devices subject to the “Delete user profiles older than a specified number of day” group policy.
  • Security updates to Windows Kernel, Microsoft Graphics Component, Microsoft Scripting Engine, Internet Explorer, Windows Storage and Filesystems, Windows Linux, Windows Wireless Networking, Windows MSXML, the Microsoft JET Database Engine, Windows Peripherals, Microsoft Edge, Windows Media Player, and Internet Explorer.

https://support.microsoft.com/en-us/help/4464330/windows-10-update-kb4464330

 

Configure Device Registration with Azure AD Connect

Azure AD Connect is a great tool to on-board your on-premises identities to the Azure cloud. If you would like to use a Hybrid Join of your Windows 10 devices – local domain join & Azure AD join – you can configure Device Registration. What is the benefit if you enable this option?

PREPARE

For a few versions now, Azure AD Connect has allowed you to use the wizard to configure the necessary options for you. First of all, make sure you use the latest version of Azure AD Connect. You can also check the Auto-Upgrade option of the engine by using this PowerShell command on the server where AAD Connect is installed:

Get-ADSyncAutoUpgrade
Further information can be found here.

CONFIGURE AZURE AD CONNECT

Run Azure AD Connect – Configure – and select “Configure device options”


On the “Overview” page click Next.
On the “Connect to Azure” page enter your Global Admin credentials and click Next.
On the “Device options” page select “Configure Hybrid Azure AD Join” and click Next.


In the next step you will configure the Service Connection Point (SCP) to help your Windows 10 devices find the necessary Azure tenant information. To configure the SCP you need to provide Enterprise Admin credentials. If you cannot provide these credentials during the wizard, you will be able to download the script to set the SCP in a later phase or offline.


This step also helps you to verify your current configuration. AAD Connect checks the existing configuration in your AD. You can do that manually by using ADSI Edit. Connect to the configuration naming context and then load the CN: “CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=xy,DC=xy”


Back to the wizard, provide the Enterprise Admin credentials and click “Next”.


Device Registration is also supported for Windows downlevel devices, like Windows 10 builds prior to 1607, Windows 8.1, 8 & 7. For further information regarding downlevel devices visit the docs.microsoft.com page.


This will configure the Device Registration for a Hybrid Join. Click configure.


This will complete your On-Prem configuration for Device Registration.


POST CONFIGURATION TASKS

https://docs.microsoft.com/de-ch/azure/active-directory/connect/active-directory-azure-ad-connect-hybrid-azure-ad-join-post-config-tasks

Check out point 10 of the post-configuration tasks. You should create a GPO to make sure your devices get Hybrid joined in Azure:

  • Create a new GPO and Name it
  • Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration
  • Select : Register domain-joined computers as devices
  • OK
  • Link the policy to your Windows 10 Devices
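
Once the SCP and the GPO are in place, you can confirm on a client that the hybrid join actually completed. The following is an added example, not part of the original post: it evaluates the output of `dsregcmd /status`, where a hybrid-joined device reports both DomainJoined and AzureAdJoined as YES. The function names and the embedded sample output are constructed for illustration.

```powershell
# Added example: decide from `dsregcmd /status` output whether a device is hybrid joined.

function ConvertFrom-DsregStatus {
    # Not Mandatory on purpose: the output contains empty lines, which a
    # mandatory [string[]] parameter would reject.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   AzureAdJoined : YES"; banner lines do not match.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s+:\s+(.*\S)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoin {
    param([Parameter(Mandatory)][hashtable]$State)
    $findings = @()
    if ($State['DomainJoined'] -ne 'YES') {
        $findings += 'Device is not joined to the on-premises domain.'
    }
    if ($State['AzureAdJoined'] -ne 'YES') {
        $findings += 'Device is not registered in Azure AD; check the SCP and the "Register domain-joined computers as devices" GPO.'
    }
    [pscustomobject]@{
        HybridJoined = ($findings.Count -eq 0)
        TenantName   = $State['TenantName']
        DeviceId     = $State['DeviceId']
        Findings     = $findings
    }
}

# Constructed sample: a domain-joined device that has not registered with Azure AD yet.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@ -split "`r?`n"

Test-HybridJoin -State (ConvertFrom-DsregStatus -Lines $sample)

# On a real Windows 10 client, evaluate the live output instead.
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    Test-HybridJoin -State (ConvertFrom-DsregStatus -Lines (dsregcmd.exe /status))
}
```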

 

Fix for File Explorer crash when using “Send To – Mail recipient” context menu

Some of you may have noticed that the option Send to –> Mail recipient in the context menu of Windows 10 (several builds) can cause File Explorer to crash.
This happens in combination with Office365 and Click-To-Run, as the application is based on App-V technology. The bug is not new and should really be fixed in a next CU of Windows 10, please MS. There is a very easy fix for that. Use a registry key to get it sorted. This has been tested on many Windows 10 Enterprise 1709 builds.

Registry Key value:
*******************************************************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ClickToRun\OverRide]
"AllowJitvInAppvVirtualizedProcess"=dword:00000001

*******************************************************************
As always: Be careful when you make changes in the registry.

Copy the value from the reg key above into Notepad and save it as “FixSendToMail.reg”. Double click the reg file and import it to the client with the issue. This will fix it immediately.

You can also add this step directly in your ConfigMgr Task Sequence. Just make sure you add the step after installing Office365. Use the reg key above and add it to your Customization Package for Windows 10.
Run a command line step in your Task Sequence by using the command below:

*******************************************************************
regedit.exe /s FixSendToMail.reg
*******************************************************************


Hope this helps.

Cheers, Al

 

 

Recap on a great Configuration Manager Community Event (#CMCE1710) in Zurich

Yesterday the CMCE1710 event took place in Zurich, hosted by Mirko. It was a great community event with huge community power and great technical content delivered by the EM&S MVPs Roger Zander, Ronny de Jong and Mirko Colemberg.

http://configmgr.ch/

Why do I do the recap?

With this short blog post, I would like to call more attention to events like that, especially for people in the Workplace Engineering and Office365 business. If you attend CMCE or other similar great events, you will get a lot of information about new technologies and best practices. You also have a chance to put your questions about your current issues or opportunities directly to the experts during the sessions. A similar event in Switzerland is the Experts Live Café held in Bern.

What was the content?

First, the content was great! In the first session I attended, I gave Matrix42 another chance to satisfy me about their Enterprise Manager (EM). The EM is not a tool that replaces ConfigMgr; this was very important to David König – Chef Program Manager of the EM. The tool should help you to easily manage complicated tasks in ConfigMgr, especially with Reports, Role Based Access and Rollout Plans. Matrix42 made a great effort with the new End-User Agent based on a Chrome Engine. This is how ConfigMgr should notify users in a modern way.

 



After a break, I attended the session from Ronny de Jong, MVP EM&S. As always, great content delivered here! Ronny was talking about all the possibilities of ConfigMgr and Cloud Services. ConfigMgr currently has nine direct connections to Azure-based applications. One topic he talked about was the ConfigMgr Cloud Management Gateway (CMG). In my point of view, each customer with mobile users – it doesn’t matter if they use a Laptop, Surface Book or Tablets – should use a Cloud Management Gateway. The setup is much easier than the old way to get Internet-based clients attached to your ConfigMgr hierarchy. You don’t need any servers in your DMZ (you need an Azure Subscription instead) and the certificate handling is much easier. If you have not looked at the CMG, do it now!

 

Ronny in Action!

The whole afternoon was just great, with real stuff and information delivered by David James (Director of Engineering ConfigMgr Microsoft Redmond), also known on Twitter as @djammmer.

David presented his personal IT career during the last years, especially at Microsoft, and how the product changed from SMS to ConfigMgr. A really great story with a lot of great people working on that product. He took questions at the beginning and answered them directly during the whole afternoon. Some topics were Telemetry Data, Co-Management with Intune, a REST-API currently in TP, Cloud Management Gateway and Client Health. I’m not able to cover everything here because this should be a short recap. But one of my favorite questions from David to the audience was: “Do you think ConfigMgr is dead? Then raise your hand(s)”. Not one hand was raised!


David explained how many times SCCM was declared as dead but the history says something different!

Full house at CMCE1710

For me, it was a great honor to meet David personally, the director of the tool I mostly have in front of me: System Center Configuration Manager #ConfigMgr #SCCM. Thanks for being here!

From the right: Martin Wüthrich, itnetX – Jakob Filipovsky, itnetX, David James, Microsoft – Roger Zander, itnetX, Alain Schneiter, itnetX

Thanks to Mirko for the great Event!

 

 

 

Microsoft Intune: Enable remote control for Android Devices using the TeamViewer connector

Today I played around with my Android device and Intune using the remote control option in Intune. The initial reason was that my sister called me yesterday to help her out with her new Huawei Android phone. She tried to configure her Office365 account and was not able to do so. Of course, I helped her, but using remote control on the phone would be much cooler :-).

So I logged in to the Azure Portal, went to “Intune” and under Devices I found the Option “Setup” TeamViewer Connector.


Before you can use TeamViewer to remote control your devices, you have to create an account or use an existing one to authorize Intune with TeamViewer. Go through the sign-in page from TeamViewer and authorize Intune. Make sure that the Connection Status in the portal is set to “Active”. 

Don’t miss the message in the connector:
“The TeamViewer service allows users of Intune-managed Android devices to get remote assistance from their IT administrator. Create TeamViewer sessions by first associating Intune with your TeamViewer account and then authorizing it to work with Intune. If you don’t yet have a TeamViewer account you will need to create one. “

After that, it would probably make sense to deploy the Android TeamViewer QuickSupport app to all Android devices in your company. This can be done by creating an app in the portal and assigning it to the devices. This is not covered in this blog post.


How can you now initiate a remote session?

On your Windows 10 Desktop machine download and install (or just run) the latest version of TeamViewer. In my case it is TV 12. After that, sign-in to the application with the user account you created earlier in the post:


Go to the Intune Portal, select the device you would like to remote control, go to Overview and there in the upper right-hand corner you will find the three-dot option “…More”. Select “New Remote Assistance Session”.


This will initiate a new session to your Android Device. Click “Yes”.


The user will have to go to the Company Portal and accept the request. The request is displayed in the notifications area of the Company Portal App.


TeamViewer Desktop creates a new category for you called “Intune” with all your remote control requests from Intune. Just double click the invitation you received and from there you’re able to remote control the user’s device.


Be aware that the user will need to accept and confirm the session again. Now you can remote control the Android device from your TeamViewer software. Very cool.


A great and nice option which should be used for remotely supporting your Android devices!

 

#ConfigMgr and Unknown Computer – SMSPXE.log displays a “Rejected” entry

Hi everybody!

Let’s talk about Unknown Computer Support in ConfigMgr Current Branch. I’m personally not a big fan of this feature, but some customers have a requirement to enable this option and that’s OK.

In one case we had to enable this because the customer failed to get a hardware list from his hardware vendor and was not able to do a bulk import of the devices to ConfigMgr. So we decided to build a service which uses PowerShell in a WIM to create a computer asset in the CMDB. The other reason to enable “Unknown Computer” support can be the issue with DELL SMBIOS GUIDs.
If you boot some DELL devices (also new models like Latitude 7280), you receive a different SMBIOS GUID on the Screen of the Device compared to the one you get with WMI or in the SMSPXE.log of the Distribution Point. Here an example:

DELL Screen:

SMSPXE.log

This can be a reason to enable Unknown Computer support. But I’m still not a fan of it. Why? Normally when you PXE boot an Unknown Computer it will create a new entry in the Console called “Unknown”. To find all the current Unknown devices, select Devices and filter them by “Unknown”:


But not all devices are listed – for some reason, and I couldn’t find out why. Reply to me if you have some information about this.

If you would now like to boot the device again as Unknown, you won’t be able to, and the SMSPXE.log will show you a “Rejected” message for the specific SMBIOS GUID.

No advertisement found, No boot action, Rejected, Not serviced

You can run any query to find the MAC or the SMBIOS GUID of the device in the Console (GUI), but you won’t find any entries.
To get that sorted, start SQL Management Studio and navigate to your CM_SiteCode database. There select “Tables” and scroll down to the table called dbo.LastPXEAdvertisement. You can right click the table and show the first 1000 entries. This will list a few entries and hopefully your SMBIOS GUID will be listed there.

Run the following query to get your SMBIOS GUID (for your own use, change the DB name and GUID):

select * from [CM_ABC].[dbo].[LastPXEAdvertisement]
where
SMBIOS_GUID = '4C4C4544-0037-4E10-8047-B4C04F425331'

To delete the PXE flag for the Unknown device run the following script:
Be careful with deleting entries from any databases. This is a workaround. Make sure you know what you are doing!

delete from [CM_M01].[dbo].[LastPXEAdvertisement]
where
SMBIOS_GUID = '4C4C4544-0037-4E10-8047-B4C04F425331'

This is how you will be able to boot the device again as an Unknown Computer. Each PXE flag also gets an Advertisement ID from your deployed Task Sequence. You can find this entry in the same table called LastPXEAdvertisementID.

Hope this helps.