Windows Sysprepped Machine Fails to Automatically Register with Azure


Beginning with Windows 10 1511, Windows-based computers will attempt to automatically register with Azure Active Directory. For this to succeed, some configuration is required (I won’t go into the details here, but you can find the official steps at: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup).

Lync 2013 VDI Plugin on Windows Embedded 8.1


When trying to set up some new thin clients running Windows Embedded 8.1 Industry Enterprise, we ran into a problem where the Lync 2013 VDI Plugin would not work. The Lync 2013 VDI plug-in paired successfully with the Lync 2013 client (green check box in the lower right-hand corner of the client), but the Lync client reported that no audio devices were available.

Improving RemoteFX Performance


When deploying RemoteFX, we found several settings that had to be tweaked in order to achieve usable performance. I have found that some of this information is not really covered in the documentation.

First, it is important to set the power settings in the BIOS of the Hyper-V host to Max Performance. It is also a good idea to set the power settings in Windows to Performance as well. (Windows can control some BIOS power settings depending on how the BIOS is configured, but I still find it better to simply set both to Max Performance on RemoteFX systems.)

Secondly, do not use the Legacy NIC together with the RemoteFX adapter. We saw huge amounts of lag when using RemoteFX with the Legacy NIC. If you need the Legacy NIC for PXE boot, it is recommended to switch to the standard NIC once the machine is ready for production.

Hopefully these two things will help you see performance improvements in your RemoteFX VDI environments. In our case, performance was about 10x better according to graphical benchmark tests.

Room Mailboxes in Exchange 2007

When you set up a room account, you create the account as a “room mailbox” in Exchange. This is done in the Exchange Management Console (Recipient Configuration > Mailbox > New Mailbox…).

This creates a special AD account with special attributes. These properties can be configured in two ways. The first (recommended) is through the Exchange Management Shell (the PowerShell integration of Exchange). The second is through OWA (this requires granting your regular account Full Mailbox Access to the resource and then using the “open another mailbox” feature in OWA to connect to the resource). Once connected, under Options there is a resource settings page.

When managing with the Shell, you can use the “Set-MailboxCalendarSettings” cmdlet to manage resource mailboxes. Here is a reference of the available parameters: http://technet.microsoft.com/en-us/library/bb124987(EXCHG.80).aspx

Here is a common example of using the command with a new resource mailbox:

Set-MailboxCalendarSettings conferenceroom100 -AutomateProcessing AutoAccept -DeleteSubject $False -DeleteComments $False -AllBookInPolicy $False -BookInPolicy:finance,hr

You can use the following cmdlet example to view all configured properties:

Get-MailboxCalendarSettings conferenceroom100 | fl

You can also convert existing mailboxes to room mailboxes using the following cmdlet example:

set-mailbox conferenceroom100 -Type Room

This last cmdlet example reports the current type of a mailbox, which is useful when verifying that the conversion above succeeded:

get-mailbox conferenceroom100 | select Name, IsResource

Once a mailbox is configured this way, you can book a resource in Exchange 2007 directly as a room.
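As an added example (not part of the original post), the following script uses the same Exchange 2007 cmdlets to audit every room mailbox at once, flagging rooms that are not auto-accepting and rooms that anyone can still book because AllBookInPolicy was left at its default of $true. It assumes it runs in the Exchange Management Shell with a role that can read mailbox calendar settings.

```powershell
# Added example, not from the original post. Audits all room mailboxes on an
# Exchange 2007 organization and reports booking settings that usually need
# review. Run from the Exchange Management Shell.

$rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited

$report = foreach ($room in $rooms) {
    $cal = Get-MailboxCalendarSettings -Identity $room.Identity

    $issues = @()
    if ($cal.AutomateProcessing -ne 'AutoAccept') {
        # Requests will sit in the room inbox until a delegate handles them.
        $issues += "AutomateProcessing is $($cal.AutomateProcessing)"
    }
    if ($cal.AllBookInPolicy) {
        # Default setting: any user may book the room; BookInPolicy is ignored.
        $issues += 'AllBookInPolicy is True (open booking)'
    }
    elseif (-not $cal.BookInPolicy) {
        # Restricted booking but nobody is allowed in: the room is unusable.
        $issues += 'AllBookInPolicy is False and BookInPolicy is empty'
    }
    if (-not $room.IsResource) {
        # Cross-check with the IsResource property the post uses for verification.
        $issues += 'IsResource is False'
    }

    New-Object PSObject -Property @{
        Name               = $room.Name
        AutomateProcessing = $cal.AutomateProcessing
        AllBookInPolicy    = $cal.AllBookInPolicy
        BookInPolicy       = ($cal.BookInPolicy -join ',')
        Issues             = ($issues -join '; ')
    }
}

# Rooms with findings first, so they stand out in a long list.
$report |
    Sort-Object @{ Expression = { $_.Issues -eq '' } }, Name |
    Select-Object Name, AutomateProcessing, AllBookInPolicy, BookInPolicy, Issues |
    Format-Table -AutoSize
```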

Applies to: Exchange 2007

Exchange 2010 Update Rollups Fail


Update: This has been fixed in Exchange 2010 SP1 Rollup 3

We recently ran into an issue when trying to apply the latest rollups for Exchange 2010 SP1. We never had this problem with the rollups on Exchange 2007.

When the update fails, it rolls back, but it leaves all dependent services in a “Disabled” state (on failure it does not reset the services to the way they were, which is very bad). To find out which services it changed, the easiest way is to look in the System event log and see which services were modified.

This issue occurs when you have the “PowerShell Execution Policy” defined in group policy. You can find this policy in the Group Policy Management Editor under: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution.

The only workaround I could find is to temporarily disable your GPO that configures this policy on your Exchange server (or exclude your Exchange servers from the policy). After the patch has completed successfully, the policy can (should) be re-applied. Hopefully Microsoft will fix this for future rollups.
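As an added example (not from the original post), the script below automates the event log check the post describes: the Service Control Manager logs Event ID 7040 in the System log whenever a service start type changes, so filtering those events for changes to “disabled” since the rollup started yields the list of services to restore. It prints the Set-Service command for each rather than running it, so the list can be reviewed first; the $Since window is an assumption to adjust.

```powershell
# Added example, not from the original post. Lists services whose start type
# was changed to "disabled" (SCM Event ID 7040, System log) after a given time
# and prints the command that restores each one. Written for PowerShell 2.0,
# which is what Exchange 2010-era servers ship with.

param(
    [datetime]$Since = (Get-Date).AddHours(-2)   # when the rollup install began
)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7040
    StartTime    = $Since
} -ErrorAction SilentlyContinue

# Message text: "The start type of the <name> service was changed from <from> to <to>."
$pattern = 'The start type of the (?<name>.+?) service was changed from (?<from>[^.]+?) to (?<to>[^.]+)'

# Map the wording used in the event to Set-Service -StartupType values.
$startTypes = @{ 'auto start' = 'Automatic'; 'demand start' = 'Manual'; 'disabled' = 'Disabled' }

$changed = foreach ($e in $events) {
    if ($e.Message -match $pattern -and $Matches['to'].Trim() -eq 'disabled') {
        $svc = Get-Service -DisplayName $Matches['name'] -ErrorAction SilentlyContinue
        $previous = $startTypes[$Matches['from'].Trim()]
        if (-not $previous) { $previous = 'Manual' }   # unknown wording: safest non-disabled type
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            DisplayName = $Matches['name']
            Name        = $svc.Name
            RestoreTo   = $previous
        }
    }
}

$changed | Sort-Object Time | Select-Object Time, DisplayName, Name, RestoreTo | Format-Table -AutoSize

# Emit the repair commands for review; pipe to a .ps1 file to apply them.
foreach ($c in ($changed | Where-Object { $_.Name })) {
    "Set-Service -Name '$($c.Name)' -StartupType $($c.RestoreTo)"
}
```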

Endpoint Protection February 2015 Update Problem (4.7.205)


Update 3/2: Today Microsoft has released an update to resolve this problem (KB3041687). The update brings the client version to 4.7.209. You can find more about the update here: http://support2.microsoft.com/kb/3041687

This last Tuesday (February 12, 2015) Microsoft released a platform update to Endpoint Protection (4.7.205). This update appears to have a major issue with Windows 8.1/Windows Server 2012 R2. I have not seen these issues in Windows 7. In my environment, I saw two problems with the update.

First, the update actually failed to install when installed alongside other updates. This also caused all the other updates being run at the same time to fail, and they would not complete until the system was rebooted. Secondly, once I got the update installed (by installing it standalone), downloads began to fail in Internet Explorer, stating that the file had been deleted. It has also been reported that this affects Chrome as well, but not Firefox.

The only solution is to uninstall and reinstall without the update. Even disabling scanning of downloads does not help. Currently waiting to hear something

High CPU on IIS Server 2016 from MsMpEng.exe


If you are running production load on an IIS server that is running Windows Server 2016, and Windows Defender/Endpoint Protection Real-Time Protection is enabled on that server, you may find that MsMpEng.exe (the Windows Antimalware Service) is taking a lot of CPU and causing IIS performance issues.

Fortunately the solution is relatively simple. After some trial and error, I was able to find that the Real-Time Protection setting: “Scan all downloaded files and enable exploit protection for Internet Explorer” was the culprit. Simply changing this setting to “No” immediately solved the problem.

I have found this setting does not appear to cause issues in Windows Server 2008 R2, 2012 or 2012 R2, only 2016. Also, in Server 2016, this setting is not exposed via the UI on the server and must be managed via System Center Configuration Manager (or manually edit the registry).

I did not notice an issue on IIS servers with low load (as Windows Defender could keep up), but once a server started handling hundreds or thousands of connections, MsMpEng.exe (the Windows Antimalware Service) would immediately peg the CPU at 100%.

Azure RMS Connector Installation Issue


When trying to set up the Azure Active Directory Rights Management Server Connector, I ran into some problems installing the Connector related to the credentials used to connect to Azure RMS.

I followed the Microsoft steps at https://technet.microsoft.com/en-us/library/dn375964.aspx to create a new account and grant this account “ConnectorAdministrator” permissions. Note: if you are using an account that does not have an email address, you must use the ObjectID parameter in order to add the account to the ConnectorAdministrator role. You can get this information by using the Azure Active Directory cmdlet Get-MSOLUser.

Once I had my account created and permissions granted, I tried to use this account in the Microsoft Rights Management Connector setup wizard. Here, I kept getting an Invalid Username and Password error. I tested my new user account via the Office 365 portal and it worked fine. I also double- and triple-checked the password and confirmed it was correct. I then tried some new passwords and found that a different password worked. This implies that there must be a bug in the setup wizard. In my case, the character that was causing the failure was a “&” symbol. If the password for the account contains a “&” symbol, the wizard will fail the login. Apparently there is an issue with the password field handling certain symbols. I didn’t try every symbol combination, but I found other characters that worked fine.

So, if you have problems running this setup wizard, check your passwords and consider trying passwords that contain different characters.

How to Retrieve BitLocker Recovery Password


To locate and retrieve the BitLocker Recovery Password for a computer from Active Directory, follow these steps:

Start > Run > adsiedit.msc
Expand the tree and select the computer name:
DC=,DC=
OU=
CN=
Double-click (or right-click > Properties) the recovery information entry in the right pane (i.e. CN=T-)
Scroll down and locate “msFVE-RecoveryPassword”
Double-click (or left-click > Edit) the attribute to see the Recovery Password
Use the Recovery Password to unlock the computer
If the Recovery Password is required due to the replacement of the motherboard or other core hardware, you will need to decrypt and re-encrypt the hard drive in order to avoid needing the Recovery Password at every boot.
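As an added example (not from the original post), the same lookup can be done from the Active Directory PowerShell module instead of ADSI Edit: the entry the steps above open is an msFVE-RecoveryInformation child object of the computer account, and its msFVE-RecoveryPassword attribute holds the 48-digit password. The script also converts the msFVE-RecoveryGuid attribute to the Password ID shown on the recovery screen so the right entry can be picked when a computer has several; $ComputerName and $PasswordIdPrefix are assumed inputs, and the account running it needs read rights on those attributes.

```powershell
# Added example, not from the original post. Retrieves BitLocker recovery
# passwords stored under a computer account in AD. Requires the
# ActiveDirectory module (RSAT) and delegated read access to the
# msFVE-RecoveryPassword attribute.

param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [string]$PasswordIdPrefix   # optional: first 8 characters of the Password ID shown at boot
)

Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $ComputerName

# Recovery entries are child objects of the computer, one per protector/rotation.
$entries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'

$result = foreach ($entry in $entries) {
    # msFVE-RecoveryGuid is stored as a byte array; turn it into the readable ID.
    $guid = New-Object System.Guid -ArgumentList @(,[byte[]]$entry.'msFVE-RecoveryGuid')
    New-Object PSObject -Property @{
        Computer         = $computer.Name
        Created          = $entry.whenCreated
        PasswordId       = $guid.ToString().ToUpper()
        RecoveryPassword = $entry.'msFVE-RecoveryPassword'
    }
}

if ($PasswordIdPrefix) {
    # The recovery screen only shows the first 8 characters of the ID.
    $result = $result | Where-Object { $_.PasswordId.StartsWith($PasswordIdPrefix.ToUpper()) }
}

$result |
    Sort-Object Created -Descending |
    Select-Object Computer, Created, PasswordId, RecoveryPassword |
    Format-Table -AutoSize
```

The newest entry is listed first, since a drive that was re-encrypted (as the last step above describes) has a newer recovery entry than the one an older backup would show.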