• SurfaceHub – Fantastic but pricey, but by far the best device here, simple to use and just works out of the box ~$14k if you can get hold of one, but might be worth waiting now for V2.
• Ascendo Vibe – Not bad, has touch screen, Windows 10 under the hood, bit glitchy and Miracast currently has a known issue and was unusable and laggy ~$4k
• BlueJeans – Software solution I watched on Dolby hardware. Supported dual screens and web-based screen scaring meant it worked on any device. Requirement for an on-premise server to manage part of this setup meant it was never really an option.
• PolyCom Trio 8800 – The option I ended up with. You use your own TV, no touch screen of course, but supports AirPlay and Miracast, works as a Bluetooth speaker phone, webcam included, displays upcoming meetings on the display, simple to use, background and phone can fully customised and branded ~$1500. At this price I can kit out almost all the meeting rooms for the same price as one Surface Hub unit.

For the Trio 8800 (Note that the 8500 version even though it uses the same Visual+ box does not support Miracast and Airplay) I simply purchased a “Common Area Phone” license in 365.

Next was tricky, all I needed was a calling plan to allow dial out via PSTN, but this is bought via the Add-ons section which I didn’t have showing. (Using calling credits would be preferred, there is a UserVoice thread for this so please Vote up!)

After a case with MS, it turns out that I need to buy a qualifying license first via MS and then I have the options available, all my licenses are purchased via a partner and so I could buy the calling plan, very odd.

Please be aware that in order to see the Add-ins button , you need to have at least one of the main subscriptions (Business Premium, Business Essentials, Enterprise E1, E3, E5, ProPlus directly from us – Admin > Billing > Purchase services.
Even if you have any of the subscriptions above purchased from a partner, the Add-ins button will not be available in the portal.
If you have any questions or concerns, please let me know.

The room itself already existed in 365 so I had to assign a password to this account and then assign the correct licenses:

$credential = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchanged -ConectionUri https://outlook.office365.com/powershell-liveid/ -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $session
$passwd = ConvertTo-SecureString -String  -AsPlainText -Force
Set-Mailbox -Identity “” -EnableRoomMailboxAccount $true -RoomMailboxPassword $passwd
Remove-PSSession $session

The post Polycom Trio 8800 Visual+ with Office 365 and PSTN appeared first on dave.harris.uno.

In short, the office document template files are stored in SharePoint in a document library, as .dotx, .xltx and .potx.

Then you can change the office settings to show the personal templates by default and point them to your SharePoint location with some basic registry changes.

For Intune, simply deploy this PowerShell script to all devices:

Set-Location "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Set-Location ZoneMap\Domains
New-Item tennant.sharepoint.com
Set-Location tennant.sharepoint.com
New-ItemProperty . -Name https -Value 2 -Type DWORD

$ie = New-Object -com InternetExplorer.Application 
$ie.visible=$false
$ie.navigate("https://tennant.sharepoint.com/branding/templates") 
start-sleep 10

New-ItemProperty -Path HKCU:\Software\Microsoft\Office\16.0\Word\Options -Name PersonalTemplates –Force -Value "\\tennant.sharepoint.com@SSL\DavWWWRoot\Branding\Templates" -PropertyType "ExpandString"
New-ItemProperty -Path HKCU:\Software\Microsoft\Office\16.0\PowerPoint\Options -Name PersonalTemplates –Force -Value "\\tennant.sharepoint.com@SSL\DavWWWRoot\Branding\Templates" -PropertyType "ExpandString"

New-ItemProperty -Path HKCU:\Software\Microsoft\Office\16.0\Word\Options -Name officestartdefaulttab –Force -Value 1 -PropertyType "DWord"
New-ItemProperty -Path HKCU:\Software\Microsoft\Office\16.0\PowerPoint\Options -Name officestartdefaulttab –Force -Value 1 -PropertyType "DWord"

For Group Policy, I set the following as a login script for the user and then set the registry items in the GPO:

Set-Location "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Set-Location ZoneMap\Domains
New-Item tennant.sharepoint.com
Set-Location tennant.sharepoint.com
New-ItemProperty . -Name https -Value 2 -Type DWORD

$ie = New-Object -com InternetExplorer.Application 
$ie.visible=$false
$ie.navigate("https://tennant.sharepoint.com/branding/templates") 
start-sleep 10

Enjoy!

The post Deploying Office Document Templates with Intune and Group Policy appeared first on dave.harris.uno.

The obvious answer was via USB (PXE booting from WDS had been my choice previously but that would require a machine or VM, and new machines need to be built across many locations, and I’m trying to keep this really simple)

First step is to create a bootable USB stick using the media creation tool.

With that installed, I then popped my AutoUnattend.xml file on the root of the memory stick. This takes care of all the options and also installs any software and adds the Wi-Fi.

I then created a folder within “sources” on the USB stick called “$oem$” and within that a folder called “$1”. Within that I created a folder called “Company” and within that “Scripts”, “Software” and “Configs”. ie:

e:\sources\$oem$\$1\Company\scripts

Anything in $oem$\$1 will be added to the c:\ root of your fresh install, so I added stuff here that I needed to reference in the latter stage of the build.

I added in the Wi-Fi key so it would auto-connect to that, that was simple a case of exporting the current key to and XML file with:

netsh wlan export profile “WiFi Name” folder=c:\temp

And this is then added with:

netsh wlan add profile filename=”c:\Company\Configs\WiFi-Company.xml”

The cleverness then comes in the form of Chocolcatey which goes off and always gets the latest packages and installs them all silently, saving me all the hassle of keeping them updated and working out all the various switches and configs to install them silently. This is called in the AutoUnattend file with:

<CommandLine>”c:\Company\Scripts\chocolatey.bat”</CommandLine>

This batch file looks as follows:

"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"
choco install adobereader-update -y
choco install notepadplusplus.install -y
choco install googlechrome -y
choco install office365proplus -y
choco install microsoft-teams -y

@echo off

REM Get Computer Manufacturer
FOR /F "tokens=2 delims='='" %%A in ('wmic ComputerSystem Get Manufacturer /value') do SET manufacturer=%%A

IF "%manufacturer%"=="Microsoft Corporation" (
    ECHO Microsoft Machine
)

IF "%manufacturer%"=="Dell Inc." (
    ECHO Dell Machine
    choco install dellcommandupdate -y
)

IF "%manufacturer%"=="LENOVO" (
    ECHO Lenovo Machine
    choco install lenovo-thinkvantage-system-update -y
)

It installs some software that is machine specific too, ie the Dell update software, only on Dell machines.

It then deletes the files I added and reboots the machine as the last steps (8 & 9)
Start to finish it took about 20 minutes to completely rebuild a machine this way, pretty cool.

The post USB Windows Deployment with AutoUnattend and Chocolatey appeared first on dave.harris.uno.

Navigate to: Computer Configuration > Administrative Templates > system > Credentials Delegation > Encryption Oracle Remediation.

Edit the local policy and set “Encryption Oracle Remediation” to “Vulnerable”.

This is just a quick fix, obviously, you should get everything patched ASAP and set this back to “Not Configured”.

References:

• https://www.virtualizationhowto.com/2018/05/windows-10-rdp-credssp-encryption-oracle-remediation-error-fix/

The post This could be due to CredSSP encryption oracle remidiation appeared first on dave.harris.uno.

Rather than doing it manually and copying the links from each page, I ended up writing some PowerShell, which may or may not slightly violate the TOC’s, so this is purely for educational use, ok? (The sleep is to prevent the Search Engines blocking you, which will happen if you make too many requests in a short space of time)

#variables
$mydomain = "www.mydomain.com"
$sleepinterval = 4
$loopmax = 30

#scrape google
clear-host
for ($i=0; $i -le $loopmax; $i++){
    start-sleep $sleepinterval
    $url = "https://www.google.com/search?q=site:$mydomain&start=" + $i*10
    ((Invoke-WebRequest –Uri $url).Links | Where-Object {$_.href -like “*://$mydomain*”} ).href | ForEach-Object {
    $temp = $_
    $temp = $temp.split(":")
    $temp2 = $temp[4]
        try{
            $temp2.replace("//","").split("%")[0]
        }catch{
        }
    }
}

#scrape bing
clear-host
for ($i=0; $i -le $loopmax; $i++){
    start-sleep $sleepinterval
    $page = ($i*10)+1
    $url = "https://www.bing.com/search?q=site%3a$mydomain&sp=1&first=$page" 
    #write-host $url
    ((Invoke-WebRequest –Uri $url).Links | Where-Object {$_.href -like “*://$mydomain*”} ).href | ForEach-Object {
    write-host $_
    }
}

The post Exporting Google and Bing Results with PowerShell appeared first on dave.harris.uno.

I couldn’t find an easy way to change this via GPO, I don’t ever modify my vanilla image but instead perform all post image configuration using GPO.

After a bit of digging, I found the registry entry to control this was:

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$de${08bcda64-e0b9-4793-b135-2fe3549a3d8b}$$windows.data.unifiedtile.startglobalproperties\Current
However, the random string after $de$ was different on each laptop, and I couldn't find another reference to this random string anywhere, almost like it was put in to stop automated modification of its contents. Looking at 1709 build it seems to be under:

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$$windows.data.unifiedtile.startglobalproperties\CurrentWhich would have been far easier to reference and change.

Anyway, on the 1803 build, with all the items turned off, the REG_BINARY value became:

"02,00,00,00,FB,F1,44,D5,EE,EC,D3,01,00,00,00,00,43,42,01,00,C2,3C,01,C2,46,01,C5,5A,01,00"

So, I ended up writing a PowerShell script to find the key I wanted and sett the value so that all the icons were removed. It;’s worth noting that you then need to log off and back on for this to take effect. (or just kill explorer.exe of course)

Oddly, trying to Set-ItemPropery I couldn’t get to work, so I ended up removing the Data key and then creating it again with the value to clear all the icons.

Get-ChildItem "HKCU:\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\" -Recurse | Where-Object {$_.pspath -like "*.startglobalproperties"} | ForEach-Object { 

$NoIcons = "02,00,00,00,FB,F1,44,D5,EE,EC,D3,01,00,00,00,00,43,42,01,00,C2,3C,01,C2,46,01,C5,5A,01,00"
$RegPath = $_.pspath + "\current"
$AttrName  = "Data"
$hexified = $NoIcons .Split(',') | % { "0x$_"}

Get-Item -path $regPath | Remove-ItemProperty -Name $AttrName
New-ItemProperty -Path $RegPath -Name $AttrName -PropertyType Binary -Value ([byte[]]$hexified) 

This is then deployed a Login script with the parameters “-executionpolicy Bypass”

References:     

• https://fleexlab.blogspot.co.uk/2017/05/the-windows-cloudstore.html

The post Windows 1803 “Choose which folders appear on start” GPO appeared first on dave.harris.uno.

The plan was some like this:

A master task that would run every Tuesday morning (we play on a Monday evening).Find out if the day of the game Monday next week is a bank holiday, if it is, post a Teamer message saying this and leave it there until the next week. If not, login to Teamer.net and create an event for the next week. Then send the notifications to all players. Then create a secondary task to check teamer every hour to see how many people have confirmed that they can play.  My magic number variable was set at 10. So, If the number of people confirmed LT 10, exit. However also check that if the current date time GT 14:00 on the day of the game then cancel the game on teamer and add the reason of “Not enough players”. Also, cancel this secondary scheduled task. If the number of confirmed players GE 10, then login to the website for the sports hall and check that it is available for the time we want. If it isn’t, cancel the game on teamer and give the reason of “Hall unavailable”. If it is available then add a message on Teamer to book the hall ASAP. In both these cases, cancel the second scheduled task. Pretty simple.

I won’t paste all the code, but here are some snippets:

Logging in to the website

$url = "https://teamer.net/session/new"
$username = "email@domain.com" 
$password = "mypassy" 
$magicnumber = 10

#login to teamer 
$ie = New-Object -com InternetExplorer.Application 
start-sleep 2
$ie.visible=$true
$ie.navigate($url) 
while($ie.ReadyState -ne 4) {start-sleep -m 100} 
$ie.document.getElementById("email").value= $username 
$ie.document.getElementById("password").value = $password 
$ie.document.forms(0).submit()
start-sleep 5 

Find out if next week is a bank holiday and set date time variables

$result = Invoke-WebRequest "https://www.gov.uk/bank-holidays.json" -Method Get | convertfrom-json
$nextmonday = (Get-Date).AddDays(6).ToString("yyyy-MM-dd")
$nextmonday_teamerformat = (Get-Date).AddDays(6).ToString("dd/MM/yyyy 20:50")

$gameonbh = $false
foreach($event in $result."england-and-wales".events)
{
    if($event.date -eq $nextmonday){
        $gameonbh = $true
    }
}

Click Add Event and Populate

#open add event window
    $Click=$ie.document.getElementByID("Stop6")
    $Click.click();
    while($ie.ReadyState -ne 4) {start-sleep -m 100} 
    start-sleep 5 

    #enter details
    $ie.document.getElementByID("ane_the_event_type").value = "Training" 
    $ie.document.getElementByID("datepicker_event_date").value = $nextmonday_teamerformat
    $ie.document.getElementByID("new_event_venue").value = "Sports Hall, UK"
    
    $ie.document.getElementByID("new_keyword").value = "Place, Postcode, UK"
    $ie.document.getElementByID("new_event_non_game_description").value = "£5 per player" 

    #sumbit event
    $Click=$ie.Document.getElementsByTagname("button") | Where-Object {$_.type -eq "submit" -and $_.ClassName -eq "btn btn-primary btn-m pull-right"} 
    $Click.click();

Kill IE

   $shellapp = New-Object -ComObject "Shell.Application"
    $ShellWindows = $shellapp.Windows()
    for ($i = 0; $i -lt $ShellWindows.Count; $i++)
    {
    if ($ShellWindows.Item($i).FullName -like "*iexplore.exe")
    {
    $ie = $ShellWindows.Item($i)
    $ie.quit()
    [System.Runtime.Interopservices.Marshal]::ReleaseComObject($ie)
    }
    }

If anyone wants a copy of the full code, just drop me a line.

The post No API, no problem. Logging into websites with PowerShell appeared first on dave.harris.uno.

The first step is to update Azure AD Connect to sync the specified extension attributes. Once they have been uploaded you can then use the useful graph explorer to get the ID’s you need.

Navigate to https://graphexplorer.azurewebsites.net and login.

Pop in a query along the lines of: https://graph.windows.net/mydomain.com/users/username@mydomain.com

Scroll to the bottom and you will see the extension attributes that you need.

From the Crossware portal you can then create a new field from Active Directory:

The only issue I found is that if you later edit that field, it truncates the AD Attribute data to the first 50 characters and then, of course, it won’t work. I’ve contacted Crossware about this so hopefully, that’s a simple fix for them.

References:

• http://wiki.crossware.co.nz/wiki/signature/o365_v4_UI2wiki.nsf/dx/Azure_Active_Directory_Extension_attributes

The post Adding Extension Attributes to Crossware Email Signatures appeared first on dave.harris.uno.

With a bit of TreeSize, I spotted over 7GB of log files located in: C:\Windows\System32\CertLog

Whilst they can safely be deleted (assuming everything is in good order of course), I didn’t really need them going forward and so the simple fix was to change the logging level with:

certutil -setreg ca:\loglevel 0

• 0 CERTLOG_MINIMAL
• 1 CERTLOG_TERSE
• 2 CERTLOG_ERROR
• 3 CERTLOG_WARNING (Default)
• 4 CERTLOG_VERBOSE

The post System32\CertLog Folder Size appeared first on dave.harris.uno.

Tried the obvious restart and clearing cached credentials. I came across this post which seems to have helped in this one case. In short by modifying the WAM, Web Account Manager settings.

By adding this reg entry and then restarting Outlook, all was good again. I will keep monitoring the issue, but so far it seems to be an isolated case.

By default, Microsoft Office 365 ProPlus (2016 version) uses Azure Active Directory Authentication Library (ADAL) framework-based authentication. Starting in build 16.0.7967, Office uses Web Account Manager (WAM) for sign-in workflows on Windows builds later than 15000 (Windows Version 1703, build 15063.138). 
Workaround:
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableADALatopWAMOverride"=dword:00000001 
The regkey disables WAM use in Office, which can degrade the auth experience (users will see legacy UI and may be prompted more in other cases, so it's only recommended if the situation is blocking). We highly recommend deleting the regkey once the fix is out.
The fix for Windows 10 should be shipped early next year, I%u2019m now trying to check ETA.

The post Exchange Online MFA and Outlook 2016 Password Repeatedly Prompts appeared first on dave.harris.uno.