ddamir's technical blog

Windows 365 is a relatively new cloud service from Microsoft. After Office 365 and Microsoft 365 SKUs that provide full set of productivity apps, as well as management tools, Windows 365 provides a cloud PC that you can connect to and use from any place. This PC is joined to your Azure AD, your local AD DS or, in some scenarios, to both.

Windows 365 comes in two SKU options – business and enterprise. While business version is pretty simple to configure and provision (you basically just need to associate a license to a user and sign in to windows365.microsoft.com), if you choose Enterprise SKU you will need to invest some more time to have things up and running. Main difference between business and enterprise version of Windows 365 is in provisioning and management approach. While business version is being provisioned automatically by Microsoft, without many options to configure, for enterprise version you need to use Endpoint Manager and configure provision policies. After provisioning, enterprise version of Windows 365 will be fully managed by Endpoint Manager. But that’s not the only difference. For enterprise version, you also have the ability to perform hybrid to your local AD DS, and be able to access both on-premises and cloud resources with same set of credentials and from same cloud PC. That’s actually a scenario that provides full benefits of having cloud PC.

Having a single Windows PC in cloud, joined to both AD DS and Azure AD, with ability to access both local and cloud resources can be a great benefit especially for companies that don’t have remote access solutions in place, and have resources stored both locally and in cloud. Let’s see what we need to have to implement Windows 365 in such scenario. First, you need to choose and purchase appropriate license. Windows 365 Enterprise is available in Basic, Standard and Premium SKUs. Basically, these SKUs differ in hardware configuration and supported software, but from provisioning and management aspect they are the same. After you purchase a license, you need to assign it to the end user. You can use Azure AD or Microsoft 365 admin center for this, in the same way as for any other license.

Now you need to include Endpoint Manager. To implement Windows 365 Enterprise, it is not enough just to assign license. To provision a Windows 365 PC, and be able to perform hybrid join to both your local AD DS and Azure AD, as well as to access both on-premise and cloud resources, you need to configure several items.

When you navigate to Devices section in Endpoint Manager in the left pane you will see Windows 365 in Provisioning section. When you click on Windows 365, several new tabs will appear on the right side. First, and most important, is to create on-premise network connection. This is mandatory. You need to assign existing Azure virtual network, that can be used to communicate with your on-premise environment as well as with your cloud resources (such as VMs in Azure and similar). You can’t use Endpoint Manager to create such network. This virtual network must already exist, and you need to use Azure portal to create it. In the Endpoint Manager, you only need to select appropriate Azure subscription, Resource group, virtual network and appropriate subnet within virtual network. After that, you need to provide admin credentials for your local AD DS and let Endpoint manager perform several checks to ensure if this network can be used for Windows 365 purposes.Most deployments fail on this step of checking virtual network capabilities, so let’s dig in to that a bit deeper.

To properly prepare virtual network for Windows 365 Enterprise deployment, you need to clearly understand requirements for this virtual network. Let’s imagine a typical scenario – you have local AD DS with two domain controllers, a file server and few other resources. You also have an Azure tenant with few VMs or other resources, as well as Microsoft 365 tenant used for productivity services. We need to deploy Windows 365 PC so the user can access all these resources by signing in just once.

First, we need to have a connection between on-premise and Azure resources. In most cases, this is done by deploying site-to-site VPN in Azure. For that, you need to create virtual network gateway in Azure, and configure site-to-site connection object to your on-premises network. In most cases, this is not very complex task to do, as Azure supports most common site-to-site VPN configurations. You’ll also need to create local network gateway object, to define address space (public IP) of your on-premise environment. After you established Azure site-to-site VPN, you need to connect that object to your Azure virtual network. This will enable devices and resources in your Azure virtual network to communicate to your on-premise environment by using site-to-site VPN between Azure and your local environment.

There is one more important thing you should do on your Azure virtual network. You need to configure DNS servers so that resources located in your Azure virtual network can resolve your local DNS names. This is mandatory for Windows 365 deployment. By default, each Azure virtual network is using Azure provided DNS servers, however, these DNS servers are not capable of resolving your local DNS names, and your network check for Windows 365 will fail. So, you should navigate to your Azure virtual network, then to DNS servers section, select custom and then configure your DNS servers. It is recommended that you configure one public DNS server (Microsoft, Google or something else) and one private DNS server for your local network. Most likely, that will be a DNS server on your AD DS domain controller or dedicated DNS server deployed locally. As a results of proper DNS configuration, you need to be able to resolve your local domain resource from a resource located in Azure virtual network. For example, a VM in Azure virtual network should be able to resolve the name of your local AD DS domain.

After you setup DNS, you need to take care of few more things. Endpoint Manager check will also verify if computer account can be created in your local AD DS. For hybrid Azure AD join, Windows 365 computer account will be created both in your local AD DS as well as in Azure AD. You need to provide appropriate account for this, most likely with local AD DS administrator privileges, but not neccessarily.

Also, you need to make sure that Azure AD sync is in place which means that your local AD DS is synchronized with Azure AD. Only accounts synced from local AD DS can be used for Windows 365 PCs. Checks performed in Endpoint Manager when creating network configuration are shown here:

It is ok to have warnings on few places, but you should not have errors, as in that case network cannot be used.

After you passed network checks, you need to create provisioning policy. Creating provisioning policy is a simple task, if you have prepared everything in advance. Most important is to have properly configured and verified network connection as described before. In a first step, you need to configure provisioning policy name, select join type (in this scenario it should be Hybrid Azure AD Join) and select network connection that is correctly verified by EndPoint Manager. After selecting Azure virtual network connetion, you should choose image that you want to deploy to Windows 365 PC. You can choose your own image, or pre-created image from gallery. In the next step, you should choose language and group of users that this provision policy will be applied to. Remember, users in this group (Endpoint Manager group) should by users synced from your local AD DS to Azure AD.

After provisionig policy is created, if everything goes fine, provisioning of Windows 365 PC will start. After 15-20 minutes, user can go to windows365.microsoft.com and sign in with credentials for user account that is a member of group configured in provisioning policy. If Windows 365 policy is assigned to account, user will see the cloud PC as shown here:

From this point, you can choose to directly sign in to Windows 365 PC by using browser, or you can download connection files to use in Remote Desktop app on PC, Android, Mac or iOS devices.

I had kind of weird situation few days ago, when Teams meeting add-in in Outlook just disappeared for no visible reason. Not having that add-in in Outlook actually prevents you from scheduling Teams meeting from Outlook, which not a nice situation. You surely can do it directly from Teams calendar, but that might not be so convenient for several reasons. I first tried some common and known troubleshooting steps. I restarted Teams app, as well as Outlook, tried to reinstall Teams, but nothing helped. The only option was to reinstall Office apps, but I was not in the mood for that for several reasons, so I decided to dig deeper into this issue. On another computer, where Teams meeting add-in was present and working, I opened Outlook, switch to Options and opened Add-ins console. There, I was able to locate Teams meeting files location, like you can see on the following screenshot:

As you can see, it is located in within AppData folder in your user profile. AppData folder is hidden by deafult, so you need to set folder options to actually see it.

When you browse to the folder where Teams meeting add-in is located you can find install log file. It is called meeting-addin-install-logs. When you open it, you can see what was going on with this add-in. However, you can also find a command that is being executed for Teams add-in installation.

This command is:

regsvr32.exe /s /n /i:user "C:\Users\userprofilename\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20077.4\x64\Microsoft.Teams.AddinLoader.dll"

So, I closed the Outlook and I ran command prompt with elevated privileges, and executed this command. After I got command prompt back again, I restarted the Outlook and – Teams add-in was there again .

Take care!

Kako je prethodni post sa uputstvima za kreiranje i korištenje besplatnog personalnog Teams tenanta imao jako veliku posjećenost, preko svih mojih očekivanja, nastavljamo u sličnom tonu, za opšte dobro .

Kako sam primijetio da se obrazovne institucije na vrlo različite načine snalaze sa online nastavom, neke sa Teams-om, neke bez Teams-a, odlučio sam da se još malo pozabavim kreiranjem uputstava. Inicijalno, na to me je potakla želja da jednom vrtiću pomognem da se preko Teams-a djeca druže sa učiteljicama. Nakon kreiranja i konfiguracije EDU O365 A1 tenanta, te podešavanja Teams platforme, shvatio sam da korištenje ove platforme treba nekako približiti i učiteljicama a i roditeljima djece, kako bi se online druženja uspješno odvijala. Očekivano, vrlo malo njih je imalo raniji kontakt sa ovom platformom. To je rezultiralo sa uputstvima koja postavljam u ovom postu i na osnovu kojih je pomenuti vrtić uspješno uspostavio online druženja. Jedno je namijenjeno organizatorima sastanaka na Teams-u, a drugo onima koji se na Teams spajaju kao korisnici. Uputstva su pravljena za vrtić, ali sam ih naknadno malo generalizirao, kako bi se mogla lako koristiti i za škole.

Pošto me je dosta ljudi pitalo za ovo, postavljam ih ovdje i iskreno se nadam da će nekome pomoći u ovoj, za sve nas neočekivanoj situaciji. Uputstva ne sadrže dio koji se odnosi na kreiranje Teams-a tenanta na Office 365 A1 paketu – to je dio koji će svakako odraditi neko u IT-u. Srećom, i ta procedura nije teška i dosta lako se završi. Ako imate problema sa ovim, slobodno se javite, pokušat ću pomoći.

Uputstvo za organizatore Teams sastanaka

Uputstvo za učesnike Teams sastanaka

Link za besplatan trial Office 365 A1

(This post is only in Bosnian/Serbian/Croatian)

Da bih pomogao onima koji danas, vjerovatno više nego ikad, trebaju neku online komunikaciju iz bilo kojih razloga, a ne raspolažu potrebnim vještinama da to omoguće sami, napisao sam ovo uputstvo.

Pomoću koraka opisanih u ovom dokumentu, možete iskoristiti Microsoft inicijativu za besplatno korištenje Teams softvera u svrhu online komunikacije. Na ovaj način se možete brzo i lako povezati sa svima koji imaju Internet konekciju.

Teams aplikaciju za PC računar, Mac ili mobilni telefon možete besplatno skinuti sa Microsoft Teams stranice ili sa iOS/Android app store-a.

Uputstvo koje je tema ovog posta, možete skinuti ovdje.

Having an Azure AD as your additional or main directory is a good thing. Unlike AD DS, which is built having primarily on-premises environments in mind, Azure AD is much more flexible and more adoptable to today’s hybrid environments. As most of us probably know, Azure AD serves as a directory and as authentication/authorization mechanism for most of services running on Azure. Most commonly, it is used by Office 365. However, it is even more interesting when you use it together with your local AD DS environment. Synchronization between AD DS and Azure AD is very easy to setup – if you don’t need much customization, you can do it in literally few clicks. On the other hand, if you want to customize it or do some fine tuning – you have plenty of options for that.

In this post, I want to emphasize some less known things and facts regarding passwords and attributes of user accounts when using Azure AD in hybrid environment, with locally deployed AD DS.
One of the things that are so desperately missing from AD DS is self-service password reset. Sure, you can implement it on the AD DS if you deploy Microsoft Identity Manager, but usually it’s not worth so much. Azure AD provides you with this functionality out-of-the-box. However, in hybrid, if you use Azure AD Premium P1 or P2, you can use this functionality even for your local AD DS. All you have to do is to configure self-service password reset in Azure AD admin portal, while having password-write back enabled by Azure AD Connect (followed by few PS commands executed locally to set appropriate permissions to write passwords).

 

Self-service password reset functionality gives users the option to reset their own password without requiring intervention by an administrator. To reset a password, users must do additional authentication of their identity. The following alternative authentication methods are available – Email, Mobile phone, Office phone, Security questions. These alternative authentication methods must be setup by user before actually using this functionality. You can find very good resources on SSPR here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-overview and for password write back, see here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

Users can change their passwords via the login page or user settings in Office 365, and have them written back to on-premises AD DS, when you deploy Office 365 in hybrid scenario.

Let’s see few more useful things about user accounts when used in hybrid environment:

• If you accidentally delete a user account and a directory synchronization cycle runs, this action will delete the user in Office 365. However, if you have the recycle bin feature enabled in AD DS, you can recover the account from the recycle bin, and the link between accounts is re-established. If you do not have the recycle bin enabled, you might need to create another account with a new GUID.

• Synchronized user accounts that you delete from your local AD DS will also appear in Deleted users section in Office 365 admin center. However, if you restore this type of deleted user account, it will reappear as account created in cloud and will not be synchronized with local AD DS anymore.

• Password policy that you configure in the Office 365 applies to user accounts created in Office 365. However, if you synchronize user accounts from your local AD DS, these accounts will be affected by password policy that you configure by using Group Policy in your local domain. Password settings from your local AD DS override password settings in Office 365, for synchronized accounts.

• You should be aware that for synchronized user accounts with password hash sync, their corresponding cloud account password is set to Never Expire. This means that a user can continue to sign in to Office 365 by using a synchronized password that is expired in your on-premises AD DS. Cloud password for such user is updated when a user changes the password in the on-premises environment.

• If you have user accounts in your local AD DS that are set to expire at some time, as part of user account management, you should know that accountExpires attribute is not synchronized to Office 365. Because of this, an expired account in your local AD DS, configured for password hash synchronization will still be active in Office 365. It is recommended in this scenario that you have a workflow action that runs a PowerShell script that disables the user’s account in the Office 365.

 

During discussions with our clients regarding Office 365 plans, I realized that most of the people are not aware of differences in Office client apps that comes with different Office 365 plans. Instead, most people think that all Office 365 plans, that include Office client apps, actually contain same Office client applications (Word, Excel, Outlook,…). For example, Office 365 E3 contains Office client apps as well as Office 365 Business Premium. However, these are not the same (although very similar) Office client apps. This misunderstanding can sometimes lead to wrong licensing decisions and/or missing functionalities. And that’s the reason I’m writing this post.

So, if you decided to license your Office client applications through Office 365 (instead of buying standalone Office package), you should know that we are basically talking about two, very similar but still different, licensing options – Office 365 ProPlus and Office 365 Business. Both can be purchased separately, or as a part of some Office 365 plans.

Office 365 Business is also integrated in Office 365 Business Premium. Similarly, Office 365 ProPlus is integrated in Office 365 Enterprise E3 and E5 license plans.

Although Office 365 ProPlus and Office 365 Business provide very similar functionalities and features, they are not the same product. Users tend to think that Office applications provided in the Office 365 ProPlus package are exactly the same, as the Office applications in Office 365 Business; this is because both versions are installed in a same way and provide almost the same user experience.

Both Office 365 ProPlus and Office 365 Business provide Office client apps such as Word, Excel, PowerPoint, Outlook, Publisher, and Skype for Business. Also, in both versions, you can use these apps on up to five devices per user, and in both versions you have the ability to get Office updates as long as you have valid license.

However, there are number of differences between Office 365 ProPlus and Office 365 Business.

The most important differences are:

• Office 365 Business can be deployed on up to 300 users per organization, while Office 365 ProPlus does not have such a limitation.

• Office 365 ProPlus provides Microsoft Skype for Business application while Office 365 Business does not.

• Office 365 ProPlus allows you to run Office client apps in virtual desktop scenario, while Office 365 Business does not allow this.

• Office 365 ProPlus supports features for archiving and compliance such as Exchange Online and SharePoint Online Archiving and Compliance, while Office 365 Business does not. Besides, you can integrate Office client apps from Office 365 ProPlus with Azure Information Protection. Client applications from Office 365 Business does not fully support integration with Azure Information Protection.

• Office 365 ProPlus supports Group Policy–based deployment configuration. This is not possible with Office 365 Business.

• Office 365 ProPlus provides InfoPath Designer application while Office 365 Business does not. Also, Power Query, Power Pivot and Power View are not supported in Office 365 Business.

As you can see, most of differences are not visible to the end user, but admins should be aware of these differences – especially in medium sized companies that usually go with Office 365 Business Premium as their choice. And yes, this is usually good choice for small and mid-sized companies unless you need some functionality that is available only in Office 365 ProPlus and not in Office 365 Business. For example, if you are running a 100 users company and plan to go with Office 365, you’ll probably think about Office 365 Business Premium. However, if you go this way, and later decide that you want to deploy Azure Information Protection to your clients and have it integrated in Office apps – you will not be able to do that. If you run into this scenario (or already have it) you will need to buy your users Office 365 ProPlus or E3 license.

 

One of the most common things that almost everyone does is to set out of office (aka. OOF – if you want to know why it is not OOO, see here) message to his/her mailbox account, when leaving the office or workplace for some time.
Some people do it when they plan to be absent for few days or more, some do it even when they are not there for a half of day. And while some try to provide genuine messages with more or less sense of humor (yes, I mean these 404-like messages), most of these messages are typical in a way that 90% of them contain a phrase “limited email or Internet access”. This is mostly used as an excuse for not replying as fast as usual. These days, while I’m on a mini vacation (and out of office), I’m thinking about does this really make sense anymore. Are we really having limited Internet access while we are out of office? Or we have even more Internet access than we usually consume, while on regular activities in the office? It is enough to look people around you, and the answer is pretty clear – being out office, on a vacation or a business trip, actually does not limit our Internet or email access. On the contrary, we mostly doing everything we can to have the Internet access most of the time. Today, it is almost impossible to find a café, restaurant or hotel without Internet access for guests. Some of these facilities care more about their WiFi quality than about their toilets. If you are attending a conference or some business event – free Internet access is mandatory. Yes, sometimes it does not work so fast, and you might not be able to watch HD Youtube videos, but we are talking about email here. You’re not taking your laptop with you? Even if that’s true (which I doubt) how many emails you actually read on your laptop today, not to mention old fashioned desktops? Speaking for myself, I read at least half of my emails on my phone. I also respond to many of them from my phone – when I realized that, I decided that I need a phone with bigger screen.

So, it’s not about being limited with Internet access (and you know it J). Is it about time that we have to answer emails while out of office? Not for me. If I’m on a business trip, I usually have more time for emails than when I’m at my office. My usual working day is full of meetings, and very often, I don’t even open my laptop before afternoon, not mention evenings when I spend time with my family. Actually, when I’m out of office for some business trip, I have more time to read and respond to emails (and I do get a lot of them). I know quite a few people that are faster to respond on email while they are out of office than when they are in the office (whatever that means). Because of this, I’m seriously thinking to start using In-the-office automatic reply for myself. I just need some time to figure out some genuine message that will not make people think I’m crazy.

On vacation, I read emails at least once a day. It is my choice, not saying it’s a right thing to do. It is just that I’ve realized that this is less stressful thing to do, than to have 1000+ unread emails when I’m back. I fully respect those who like to disconnect from email, it just does not work for me.

If it is not about time, and definitely not about having limited Internet access, is it about our willingness to respond to email while out of office? I think it is. Having OOF message on your mailbox is actually a nice way to say “Yes, I’ve probably red your email in about 15 minutes after you sent it, but will not respond for some time because I’m out of office”. If it is an email that requires some action from you, this kind of excuse worth even more J. And because you’re out of office, most people will restrain from calling you on the phone (personally, I dislike phone calls most of the time).
Let me know what you think, in your comments.

***

These days I’m using Office365 Delve more and more. What really looks very interesting there is My Analytics part. If you didn’t try it so far, and you’re using Office365, I strongly recommend that you do. Among other things, Delve will actually tell you how do you manage your time and especially how you manage your emails. You might be surprised when you look at it. And maybe you realize that you need in-the-office automatic replies more than you think.

 

When you move mailboxes from one Exchange organization to another, you need to perform several preparation steps, as I wrote before on my blog. However, you can still face several strange issues. One of the issues I have found few days ago was quite strange. When creating migration batch, user object was left in Syncing state for a long time and eventually end up in Failed state. Exploring the migration log discovered this message “Relinquishing job because of large delays due to unfavorable server health or budget limitations”. Not descriptive at all. After some time, I realized that ContentIndexState of the database where source mailbox resides is in Failed state. From that point, things were quite easy to resolve. Run the EMS and execute following cmdlets:

Stop-Service MSExchangeFastSearch
Stop-Service HostControllerService

to stop these two services. After the services are stopped, go to the folder where your mailbox database is stored and delete the Exchange content index catalog for the database (it is in the same folders as database, named as database GUID). After you do it, start the

MSExchangeFastSearch and HostControllerService services by using Start-Service cmdlets. When they are up and running, create and start migration batch again. It will work without issues.