Windows 10 Fall Creators Update

Windows 10 Fall Creators Update was released and I want to point at some enterprise features we could rely on (most of them are in Client Hyper-V feature).
Please refer to Windows 10 Blog to read about all the new features added with this release.

Ransomware protections.

Microsoft are introducing Windows Defender Exploit Guard that helps protect files from unauthorized changes by nefarious applications and your applications from unknown exploits. Additionally, Windows Defender Antivirus now has specific safeguards in place, along with default enhanced coverage that is delivered instantly via the cloud protection service. These and other security technologies protect against persistent ransomware campaigns like Cerber, Locky, and Spora, as well as global outbreaks like WannaCry, and Petya. Read More

Outlook mobile end of support for iOS 9

Outlook for iOS
Apple iOS 11

Due to the rapid changes of mobile device OS and Office 365 specifications, Microsoft release a communication to inform us to update your Apple devices to a new iOS version to have a better Outlook for iOS compatibility:

With the release of iOS 11, we want to remind you that Outlook for iOS is supported only in the last two releases of iOS. This means new app updates to Outlook will now only be supported on devices with iOS 10 or iOS 11.
How does this affect me?
You are receiving this message because our reporting indicates one or more users in your organization are using Outlook for iOS on iOS 9.

Devices with iOS 9 are no longer be supported. While older versions of Outlook will still work on devices running iOS 9, these devices will not get new app updates after build 2.48. Users can expect a degraded experience of the Outlook for iOS app over time, if they do not stay up-to-date.
What do I need to do to prepare for this change?
We encourage you to stay up-to-date to maintain the best Office 365 experience.

Rif.: https://products.office.com/en-us/office-system-requirements#Mobile-devices-section

Certification Authority Enhanced RPC security

Certification Authority 2012/2012R2 and XP clients

Some Customers still have Windows XP though it is in End of Support since 8 April 2014. I found one of this *#$%§ clients where I have an 802.1x implementation with an Enterprise Certification Authority with Windows Server 2012 R2.

Why I detailed my configuration? Because Windows 2012 and newer raised RPC security settings even on PKI CA and this cause failing certificate requests on Windows XP/Windows Server 2003.
When trying to issue certificate on Windows XP I got the error “The certificate request failed. The permissions on this certification authority do not allow the current user to enroll for certificates. ”

At first glance it has to be Permissions issue but when I verify them on CA and on the template level they are ok. If we go to the “Failed Request” container on CA we cannot see any request which has been denied by the CA. This is because the request is never delivered to the server.

So how to let Windows XP enroll certificates from Windows 2012/2012R2 Certification Authority?

  1. Upgrade Windows clients to higher OS as XP is not supported anymore
  2. Disable Enhanced RPC security for certificate requests

In my case, the first option wasn’t viable.

Read More

AD FS & Office 365 Multi Domain Federation

Often happen that a customer has more then one email domain in his On-Premises infrastructure. This should be considered when you plan to deploy AD FS Services to enable Single Sign-On with Office 365.
With the newest version of Azure AD Connect, steps to federate On Premises AD DS with Azure AD is fully automated though it assumes that the domain specified during the wizard steps is the only one domain you want to federate (If you need an overview of Azure AD Connect step-by-step configuration, please refer to Microsoft Docs here).

This will cause disruption of users login to Office 365 apps. To solve this situation you need to change the federation mode configured by the wizard manually using Powershell and set it to a Multi Domain federation. Read More

Hyper-V object was not found error

The scenario: Windows Server 2016 with Hyper-V role enabled.

When I pop out Powershell and try to get a list of VM i run in this error:

get-vm : Hyper-V encountered an error trying to access an object on computer 'S-HV01' because the object was not
found. The object might have been deleted. Verify that the Virtual Machine Management service on the computer is
running.
At line:1 char:1
+ get-vm
+ ~~~~~~
 + CategoryInfo : ObjectNotFound: (:) [Get-VM], VirtualizationException
 + FullyQualifiedErrorId : ObjectNotFound,Microsoft.HyperV.PowerShell.Commands.GetVM

The same happen if I try to use Hyper-V Manager and connect to localhost.

Even the Event Viewer didn’t record any error/warning.

Rebuild WMI solve the problem. Run the command

MOFCOMP %SYSTEMROOT%\System32\WindowsVirtualization.V2.mof

Exchange OWA Access Error 500

Sometime happen strange things. In the past days I faced a really weird issue with a migration from Exchange 2010 to Exchange 2016 for a customer.

I was at the point in which Exchange 2016 should be inserted as frontend server for all communications: all the load balancer Kemp (LAN and DMZ) was switched and all the checks was ok.
SMTP, ActiveSync, Outlook Anywhere, Autodiscover ECP and OWA was ok and the authentication between servers works fine. SMTP mail flow inbound and outbound moved to brand new servers.  I also tested some mailbox migration and access to OWA and ECP.

That’s was fine, mailbox migration time! Customer’s IT responsible start to migrate some test mailbox before start a massive migration and after a couple of day they had problem to access to Outlook Web Access.  It’s my turn to check which is the problem.

Read More

Rebuild Exchange Content Index

Sometimes happen that Exchange Database Content Index switch from Healthy to Fail. The first behaviors the users experiences is a fail on Search in their Outlook client (even if on Premises and Outlook Web Access).

Usually this fail go unnoticed when everything else is working fine however they will eventually begin to cause problems if you have a Database Availability Group (DAG) in place, for example by preventing database switchovers, thus it’s a good practice to monitor the status.
To achieve monitoring, I’m using a specific powershell sensor when customers have active Monitoring Services (in my case Peassler PRTG), otherwise here you could download an usefull script provided by Paul Cunningham to use as your needs. Read More