Do I really really need a new SSL certificate for Office 365 ?

When migrating to Office 365 from on premise Exchange, you may be following the hybrid route where an Exchange server is placed on site to act as a broker or intermediary between the Office 365 mail organisation and the on premise org.

For the on premise Exchange servers, you may well have a wildcard SSL certificate in place which serves you very well thank you very much. When you stand up your hybrid server, it’s easy to think “I know, I’ll just use my wildcard cert, that’s good enough as it will cover any names I need”.

Well, no, it doesn’t actually. Microsoft do have a list of pre-reqs for deploying the hybrid role at https://docs.microsoft.com/en-us/Exchange/hybrid-deployment-prerequisites where they make it nice and clear:


The important word there is must. It’s so important that the name used for autodiscover (usually autodiscover.yourdomain.com) is present in the SAN portion of the certificate that they even repeat the advice under the certificate requirements section at https://docs.microsoft.com/en-us/Exchange/certificate-requirements.


What happens if you are feeling brave and still want to use that wildcard certificate for your Exchange hybrid server ? All sorts of weird things. For a start, you will get certificate errors mentioning the name of the underlying host…. even though that’s not mentioned in autodiscover.


On top of that, your free/busy information might not work, instead displaying “Free / Busy information is not available”.


So, do yourself a favour and buy yourself a nice shiny new cert with all of the names you need on it…. it’s far cheaper in the long run than to spend ages troubleshooting why things aren’t working… as I learned the hard way.
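A quick way to check a certificate against this requirement before binding it to the hybrid server, as an added example that is not from the original post or from Microsoft's documentation: it reports each required name as listed explicitly in the SAN, covered only by a wildcard, or missing. `mail.yourdomain.com`, the two SAN lists and the function names are constructed for illustration, and the `DNS Name=` parsing assumes an English-language Windows host.

```powershell
function Get-SanDnsName {
    # Returns the DNS entries from a certificate's Subject Alternative Name extension.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    # Assumption: English Windows formats each entry as "DNS Name=<host>".
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1].ToLowerInvariant() }
    }
}

function Test-SanCoverage {
    # Classifies each required host name as Explicit, WildcardOnly or Missing.
    param(
        [string[]]$SanDnsName,
        [Parameter(Mandatory)][string[]]$RequiredName
    )
    foreach ($name in $RequiredName) {
        $n = $name.ToLowerInvariant()
        # A wildcard covers a single label, so compare against "*.<parent domain>".
        $wildcard = '*.' + $n.Substring($n.IndexOf('.') + 1)
        if ($SanDnsName -contains $n) {
            $status = 'Explicit'
        } elseif ($SanDnsName -contains $wildcard) {
            $status = 'WildcardOnly'   # not enough for the hybrid server
        } else {
            $status = 'Missing'
        }
        [pscustomobject]@{ Name = $n; Status = $status }
    }
}

# Constructed sample data: a wildcard certificate and a SAN certificate.
$required     = 'autodiscover.yourdomain.com', 'mail.yourdomain.com'
$wildcardCert = '*.yourdomain.com', 'yourdomain.com'
$sanCert      = 'mail.yourdomain.com', 'autodiscover.yourdomain.com'

Test-SanCoverage -SanDnsName $wildcardCert -RequiredName $required | Format-Table
Test-SanCoverage -SanDnsName $sanCert -RequiredName $required | Format-Table

# Against an installed certificate (the thumbprint is a placeholder):
# $cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
# Test-SanCoverage -SanDnsName (Get-SanDnsName $cert) -RequiredName $required
```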

Block Store in Office 2016

When you install Office 2016, your users gain access to the Microsoft Store (no reason not to try and sell when you can, right, am I right, am I right ?)

You may not want to have your user base downloading and installing applications onto your internal estate. So, how do you disable the behaviour ?

Microsoft have provided a GPO to turn off the store / remove the button but it only works in Outlook !

This GPO setting is available in the User Configuration section at Microsoft Outlook 2016 –> Outlook Options –> Other. Enable the policy “Hide the Office Store button”


Like I say, it’s under “Outlook Options” so only affects Outlook. How to disable for other Office Applications ?

The article at https://docs.microsoft.com/en-us/previous-versions/office/office-2013-resource-kit/cc178992(v=office.15) does provide a reg key (for 2013) that will block access to the stores and this will likely work for 2016 (with an appropriate adjustment to the path of the key for 2016 to access). However, there is a simpler way.

Just use GPOs to drive the “Trust Center” to not allow Store Apps to start. This setting is at Microsoft Outlook 2016 –> Security Settings –> Trust Center –> Trusted Catalogs. In there is a value “Block Office Store” – simply enable that.


Now, when users access the store, rather than getting this 👇

pic3

Users will see this 👇

pic4

i.e. the Store button is still visible, but users cannot download or use apps from the Microsoft Store. You, as an administrator, can still release the applications you do want them to use.

Configure Windows Defender Antivirus exclusions on Windows Server 2016 | Microsoft Docs

Great article on how Windows Server 2016 includes automatic exclusions, based on server role. You can also add custom exclusions, but be aware there are some caveats, such as folder exclusions being recursive whether you like it or not. Also, these exclusions are there by default (you can disable them with PowerShell) but they AREN’T exposed in the GUI…. so you wouldn’t know that they are there !

While I have links on my links page to the exclusions, this is a nice article as it shows you what Microsoft now apply by default in case you want the same exclusions for your vendor of choice.
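Because the automatic exclusions never appear in the GUI and folder exclusions are recursive, it helps to review the settings from PowerShell. The following is an added example, not code from the Microsoft article: `Get-DefenderExclusionReview` is a hypothetical helper, `$sample` is constructed data shaped like `Get-MpPreference` output, and the depth-based notes are a simple heuristic.

```powershell
function Get-DefenderExclusionReview {
    param(
        # An object shaped like the output of Get-MpPreference.
        [Parameter(Mandatory)]$Preference
    )
    # Role-based automatic exclusions stay on unless DisableAutoExclusions is true.
    $auto = if ($Preference.DisableAutoExclusions) { 'Disabled' } else { 'Enabled' }
    [pscustomobject]@{ Kind = 'Automatic'; Value = $auto; Note = 'Not shown in the GUI' }

    foreach ($path in @($Preference.ExclusionPath | Where-Object { $_ })) {
        # Folder exclusions are recursive, so a shallow path exempts a large subtree.
        $depth = @($path.TrimEnd('\') -split '\\').Count
        if ($depth -le 1) {
            $note = 'Drive root: the entire volume is excluded'
        } elseif ($depth -eq 2) {
            $note = 'Top-level folder: every subfolder is excluded too'
        } else {
            $note = 'Excluded together with all subfolders'
        }
        [pscustomobject]@{ Kind = 'Path'; Value = $path; Note = $note }
    }

    foreach ($ext in @($Preference.ExclusionExtension | Where-Object { $_ })) {
        [pscustomobject]@{ Kind = 'Extension'; Value = $ext; Note = 'Applies on every path' }
    }

    foreach ($proc in @($Preference.ExclusionProcess | Where-Object { $_ })) {
        [pscustomobject]@{ Kind = 'Process'; Value = $proc; Note = 'Files it opens are not scanned' }
    }
}

# Constructed sample settings; the paths are made up for illustration.
$sample = [pscustomobject]@{
    DisableAutoExclusions = $false
    ExclusionPath         = @('D:\', 'E:\SQLData', 'C:\Program Files\Vendor\Cache')
    ExclusionExtension    = @('.ldf')
    ExclusionProcess      = @()
}
Get-DefenderExclusionReview -Preference $sample | Format-Table -AutoSize

# On a Windows Server 2016 host, review the live settings instead:
# Get-DefenderExclusionReview -Preference (Get-MpPreference)
# The PowerShell switch that turns the automatic exclusions off:
# Set-MpPreference -DisableAutoExclusions $true
```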


Trouble getting OneDrive to start up on Windows 10 login ?

If OneDrive will not start when you log in to Windows 10, that’s because they’ve changed the way in which auto-launched applications start on logon. Not only do you have to tick the check box in OneDrive, you also have to enable it at startup which, fortunately, is very easy to do.

  1. Go to task manager
  2. Click on the “Startup” tab
  3. Select “Microsoft OneDrive”
  4. Click on Enable
  5. Reboot and you are good to go

Connecting to Azure with PowerShell

There’s been lots of posts about this in the past by various people so here’s my contribution.

Below is a screenshot of the steps I take.

You can see that I have PowerShellGet installed as part of PowerShell but I don’t, yet, have the Azure module downloaded or installed so I Get that module and then I install that module.

I have had to force it to install alongside the one that’s already on my machine. When I run the Get-Module command, I still don’t “see” the Azure module and so I must import it at which point it is then available for use.

Once the module has been downloaded, installed and imported (the three steps that need to be performed when connecting for the first time) I can then move on to making a connection to Azure.

NOTE: Once the Azure module has been downloaded and installed, it only needs to be imported for future connections just like any other PowerShell module on your computer.

To connect in, I enter the “Login-AzureRMAccount” command which pops up the “modern” logon dialog box.

After being successfully authenticated, my subscription details are played back to me and I can then manage Azure from the command line.

Of course, the much easier way is to simply download the MSI installer from the Azure web site (https://azure.microsoft.com/en-gb/downloads/) under the command line tools section ;>)

Hope this helps you out.