Surface Pro 4 Black Screen

On my Surface Pro 4, I have found that it does not always wake from sleep. It sometimes comes up with a black screen even though the keyboard backlight is lit.

The fix is a hard power-down: press and hold the power button for 30 seconds. Once it is completely off, press and hold the volume UP button (F6), and while still holding it, press and hold the power button, keeping both pressed for 15 seconds.

http://answers.microsoft.com/en-us/surface/forum/surfpro4-surfdrivers/surface-pro-4-screen-wont-wake-from-sleep/aed66dc7-289a-4300-a167-ab8394b7df06

While searching for a fix, I also came across another helpful article with fixes for the Surface Pro 4.

http://www.gottabemobile.com/2015/11/09/9-surface-pro-4-problems-fixes/

Containers in Windows Server 2016

Mark Russinovich demonstrates containers in Windows Server 2016. There are enhancements to the Windows Server 2016 kernel that allow multiple instances of user-mode processes.

https://azure.microsoft.com/en-us/blog/an-early-look-containers-windows-server-2016-hyper-v-and-azure-with-mark-russinovich/

After watching the 15-minute video, here is the quiz: what is the difference between a Windows Server 2016 Container and a Windows Server 2016 Hyper-V Container?

Answer: Hyper-V Containers provide isolation, whereas Windows Server 2016 Containers do not isolate the container processes from the host.

Which is right for you, a Hyper-V container or a Windows Server container? Mark answers that question at 9:45.

When does a Windows Server container make sense over a Hyper-V container? When you do not require isolation, you would use Windows Server Containers.

Both of the above options are relevant for on-premises data centers. A third option to evaluate is Azure Container Services, which is what cloud-first companies will select first.

Is Microsoft changing the promise of Unlimited Storage for OneDrive for Business?

[Update 12/16/2015 – This has been answered! Microsoft will keep the promise of unlimited storage for OneDrive for Business! See this blog post from Microsoft for more details:
https://blogs.office.com/2015/12/16/onedrive-for-business-update-on-storage-plans-and-next-generation-sync-client/]

I’ve been asked that question a lot lately because of some recent headlines. The official answer today is that you get 1 Terabyte of storage. This is from the official service description (here).

However, almost exactly 12 months ago, Microsoft announced “Today, storage limits just became a thing of the past with Office 365.  OneDrive and OneDrive for Business will now offer unlimited storage—at no additional cost—to our Office 365 consumer and business customers.”

Reference: https://blogs.office.com/2014/10/27/onedrive-now-unlimited-storage-office-365-subscribers/

Reference #2: https://blog.onedrive.com/office-365-onedrive-unlimited-storage/

On the official Microsoft Roadmap site, the unlimited storage promise is still listed as “In Development”:

“Moving forward, all Office 365 customers will get unlimited OneDrive storage at no additional cost. In the meantime, get started using your 1 TB of storage today by backing up all those work files kicking around on your PC – with the knowledge that even more storage is on its way!”

http://success.office.com/en-us/roadmap

Then recently, Microsoft announced that the consumer versions will be limited to 1TB and will not get the ‘unlimited’ promise.

Reference: https://blog.onedrive.com/onedrive_changes_FAQ/

According to a prominent Microsoft reporter, Microsoft could be releasing a revised roadmap by the end of November 2015.

http://www.zdnet.com/article/microsofts-onedrive-for-business-will-unlimited-storage-promises-disappear/

Even if Microsoft were to keep OneDrive at the current limit of 1TB, that would still be enough for each business user to store 1 million Office documents or 330,000 photos, based on an average file size of 7Mb per document and an average photo quality of 9 megapixels.

Azure AD Connect Password Sync fails for multiple forests

In two different environments I have reproduced behavior where Azure AD Connect does not synchronize passwords when it is configured for multiple source AD forests.

The fix has been to change the ‘Configure Directory Partitions’ credential setting from ‘Use default forest credentials’ to ‘Alternate credentials for this directory partition’.

No service restart or reboot is required. To test it, reset a password and then monitor the Application event log on the Azure AD Connect server. Within 2 to 3 minutes you should see an event log entry stating that the password has been successfully set.
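The check described above, as an added example that is not part of the original post: it polls the Application log on the Azure AD Connect server for a password-sync event that mentions the user you just reset. It assumes the provider name 'Directory Synchronization' used by Azure AD Connect, and the text matching is deliberately loose because the message wording varies between builds.

```powershell
# Added example (not from the original post). Run on the Azure AD Connect server
# after resetting the test user's password in on-premises AD.
function Wait-PasswordSyncEvent {
    param(
        # Text that identifies the user in the event message (e.g. part of the DN or display name).
        [Parameter(Mandatory)][string]$UserPattern,
        [int]$TimeoutMinutes = 5,
        [int]$PollSeconds = 15
    )
    $start    = Get-Date
    $deadline = $start.AddMinutes($TimeoutMinutes)

    do {
        # Assumption: Azure AD Connect logs sync activity under this provider name.
        $events = Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Directory Synchronization'
            StartTime    = $start
        } -ErrorAction SilentlyContinue

        $hit = $events |
            Where-Object { $_.Message -match 'password' -and
                           $_.Message -match [regex]::Escape($UserPattern) } |
            Sort-Object TimeCreated -Descending | Select-Object -First 1

        if ($hit) {
            return [pscustomobject]@{
                EventId  = $hit.Id
                Time     = $hit.TimeCreated
                # Loose success heuristic; read the message to confirm.
                Success  = ($hit.Message -match 'success' -and $hit.Message -notmatch 'fail|error')
                Message  = $hit.Message
            }
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning "No password sync event for '$UserPattern' within $TimeoutMinutes minutes."
    return $null
}

# Constructed usage: 'testuser01' is a placeholder for the account whose password was reset.
Wait-PasswordSyncEvent -UserPattern 'testuser01' | Format-List
```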


How to see console output from a VM in Azure IaaS

Earlier this month (Sep ‘15) Microsoft announced a new diagnostic capability for VMs running in IaaS: the ability to see serial and console output from a running Virtual Machine. We take this capability for granted when we host our own data center, but having it for VMs running in the public cloud is useful when troubleshooting boot failures.

This capability is available for new and existing version 2.0 virtual machines (aka Azure Resource Manager (ARM) VMs) created in the preview portal.

[Screenshot: stack selector]

Then toggle the monitoring option:

[Screenshot: enable monitoring]

Note, screenshots and output can take up to 10 minutes to appear in your storage account.

Troubleshooting OneDrive for Business Synchronization Problems

The current ODFB synchronization engine is based on groove.exe and msosync.exe. If you see OneDrive.exe in Task Manager, that is the consumer edition synchronization engine for OneDrive.

When OneDrive for Business is healthy, the icon in the task tray will not display the useful troubleshooting option “View synchronization problems”.


However, as soon as you have a file that will not synchronize, this icon will indicate a yellow exclamation point.


The first troubleshooting step is to right-click this icon and select ‘View sync problems…’


This will usually tell you why the file will not synchronize. In this case, it was because the file name contained an unsupported character, “#”. As of 9/15/2015, here is the list of unsupported characters: \ , / , : , * , ? , " , < , > , | , # , % (Reference: MS KB 2933738). Also, file names cannot begin with a period “.” or a tilde “~”. Note: the MS KB article linked above includes a “Fix it” tool that can rename invalid file names automatically.
Note: Microsoft’s roadmap site, roadmap.office.com, lists that the # and % characters will eventually be supported.


Another reason a file may not synchronize is if it exceeds 2GB, which is the current maximum file size. This is also on the roadmap to eventually increase to 10GB per file.

Other limitations:

  • File names must be less than 256 characters
  • Folder names must be less than 250 characters
  • The combination of the folder + file name must be less than 250 characters
  • The total number of files synchronized must be less than 20,000. Note: Microsoft has publicly stated that they are working on increasing this in the next generation synchronization engine (currently in beta as of 9/15/2015).

Outlook PST files
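A pre-flight check for the limits listed above, added here as an example (not from the original post): it walks a folder that is about to be synced and reports each item that trips an unsupported character, a leading “.” or “~”, the name-length rules, the 2GB file size cap, or the 20,000 file count. The rules are taken from this page as of 9/15/2015; how Microsoft measures the “folder + file name” combination is not stated, so the path relative to the sync root is assumed.

```powershell
# Added example (not from the original post): report items that will not sync to ODFB.
function Test-ODFBSyncReadiness {
    param([Parameter(Mandatory)][string]$Path)

    $invalidChars = [char[]]'\/:*?"<>|#%'     # unsupported in ODFB as of 9/15/2015
    $root  = (Resolve-Path -LiteralPath $Path).Path.TrimEnd('\')
    $items = Get-ChildItem -LiteralPath $root -Recurse -Force
    $files = @($items | Where-Object { -not $_.PSIsContainer })

    $problems = foreach ($i in $items) {
        $rel = $i.FullName.Substring($root.Length).TrimStart('\')   # assumption: measured from sync root
        $why = @()
        if ($i.Name.IndexOfAny($invalidChars) -ge 0) { $why += 'unsupported character' }
        if ($i.Name -match '^[.~]')                  { $why += 'name starts with . or ~' }
        if ($i.PSIsContainer) {
            if ($i.Name.Length -ge 250) { $why += 'folder name not < 250 chars' }
        } else {
            if ($i.Name.Length -ge 256)  { $why += 'file name not < 256 chars' }
            if ($i.Length -gt 2GB)       { $why += 'larger than 2GB' }
            if ($i.Extension -eq '.pst') { $why += 'PST: must never be open while in the sync folder' }
            if ($i.Extension -in '.one', '.onetoc2') { $why += 'OneNote: not synced by the ODFB client' }
        }
        if ($rel.Length -ge 250) { $why += 'folder + file name not < 250 chars' }
        if ($why) { [pscustomobject]@{ Item = $rel; Problems = ($why -join '; ') } }
    }

    $totalBytes = ($files | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Path         = $root
        FileCount    = $files.Count
        TooManyFiles = ($files.Count -ge 20000)
        TotalGB      = [math]::Round($totalBytes / 1GB, 2)   # compare with free disk on the client
        Problems     = @($problems)
    }
}

# Constructed demo tree under %TEMP% so the function can be tried safely.
$demo = Join-Path $env:TEMP 'odfb-demo'
New-Item -ItemType Directory -Path "$demo\reports" -Force | Out-Null
'x' | Set-Content -LiteralPath "$demo\reports\Q3 budget #final.xlsx"   # '#' is unsupported
'x' | Set-Content -LiteralPath "$demo\~scratch.txt"                     # leading '~'
'x' | Set-Content -LiteralPath "$demo\notes.one"                        # OneNote file
Test-ODFBSyncReadiness -Path $demo | Format-List
```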

While PST files aren’t actively blocked by OneDrive for Business, syncing PST files that are in an open state isn’t supported. If you decide to sync PST files (for example, an archive PST file that you don’t load or view in Outlook), they can’t be in an open state at any time by any application while they’re in the OneDrive for Business sync folder. A PST file that’s connected to Outlook will be updated regularly and therefore, if synchronized, can result in too much network traffic and growth of the Office File Cache on your local drive.

OneNote notebooks

Because OneNote notebooks have their own sync mechanism, they aren’t synced by the OneDrive for Business sync client. You can upload OneNote notebooks to a SharePoint Online page. However, they won’t sync through the OneDrive for Business sync client application. Additionally, if you add a OneNote notebook to a local folder that syncs with SharePoint Online, the notebook won’t sync with the SharePoint site and may cause other sync errors within the local folder.

Open Files

This is a big one. If you create a file in your OneDrive synchronization library, and attempt to open that file before it finishes synchronizing, you will get an error message within the application.

Other Gotchas

If you plan on migrating user file shares to OneDrive for Business (using 3rd party software), keep in mind that the total file share size for each individual user should be less than the available hard disk space on the end-user’s computer. Otherwise, when they attempt to synchronize it, the sync will fail. For example, the user may have a 32GB SSD drive on their Surface Pro tablet and 100GB of files on their file share. If that file share is migrated to ODFB and the user clicks the Sync button in their ODFB folder, they will fill up their hard disk and synchronization will fail. It gets worse: I have observed behavior where you attempt to remove these files from the local hard drive, only to have that replicated as a deletion in ODFB. Fortunately, the files should be recoverable from the ODFB recycle bin. For now, just be aware of this issue and wait for the next generation synchronization engine, which may have a ‘selective sync’ option where the end-user can select which folders to synchronize.

Troubleshooting Methodology

1. Check the ‘View synchronization errors’ first to see if the problem is simple to resolve

2. Self-help articles that solve common problems like those explained above are found (here) and (here). If it is not simple, then the next step is to clean the cache with this command:

Groove.exe /clean

Note: DO NOT use the /ALL switch described in this article (here). It is quite destructive, as described in this article:
https://support.microsoft.com/en-us/kb/982279

3. Navigate to the hidden cache folder and shift-delete all the files inside this folder (delete the files inside this folder but leave the OfficeFileCache folder intact)

C:\Users\%username%\AppData\Local\Microsoft\Office\15.0\OfficeFileCache\

Follow this forum post: https://community.office365.com/en-us/f/154/t/281017

as it lists which processes to stop and then delete the contents of this folder:

C:\Users\%username%\AppData\Local\Microsoft\Office\Spw

Last resort method

If the above does not fix it, here is the last resort method of fixing synchronization problems: 

1. Remove Office 2013 completely from the computer by using the Fix it tool in the article: http://support.microsoft.com/kb/2739501. This also removes the cache data and registry information automatically.

2. Clear all related Windows credentials by running the following command in a Command Prompt (it opens the Stored User Names and Passwords dialog):

rundll32.exe keymgr.dll,KRShowKeyMgr

3. Reinstall the latest version of Office.

Disclaimer

I’m optimistic that many synchronization problems will be alleviated in the next generation synchronization engine due out in Q4 2015. Until then, hopefully the steps above will be helpful. Please note: this post is provided without warranty, and is for educational purposes only (use at your own risk –> always backup your files before performing any of these steps).

Pre-Sales Script to identify Microsoft Technology

Before speaking to a customer, it is often helpful to understand what technology they may have deployed.

By checking for the existence of DNS records in Public DNS, you can get a good idea on the email system and whether they have an Office 365 tenant established, whether they use ADFS and whether Lync or Skype have been deployed.

Peter Schmidt (MVP) authored a script on the Technet script gallery called Get-Office365DNSRecords.ps1. I enhanced the script to include more error checking and to check for common ADFS records.

For example, when checking Microsoft.com you will find lots of Microsoft technology deployed.


However, when checking Google.com, you can see they have not been an adopter of Microsoft technology. Hmm… wonder why.

Reports

In addition to the on-screen information, this script also outputs two files: results.txt and report.csv. The text file contains the DNS records that were found and the CSV file contains a formatted report of each service that was found for each domain name checked.
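A compact version of the same DNS check, added here as an example (this is not Peter Schmidt’s Get-Office365DNSRecords.ps1 nor my enhanced copy): it queries public DNS for the records Exchange Online, Skype for Business/Lync Online, Azure AD device registration and ADFS leave behind, and writes results.txt and report.csv as the script does. The Microsoft target host names are the well-known ones published in the Office 365 setup guidance; the ADFS host names checked (sts, adfs, fs) are an assumption about common naming.

```powershell
# Added example (not the script from the TechNet gallery). Requires the DnsClient module (Windows 8 / 2012+).
function Get-O365DnsFootprint {
    param([Parameter(Mandatory)][string[]]$Domain)

    # Query public DNS only and keep just the record type asked for; a missing record is not an error.
    function Query([string]$Name, [string]$Type) {
        Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object Type -eq $Type
    }

    foreach ($d in $Domain) {
        $found = New-Object System.Collections.Generic.List[string]
        $row = [pscustomobject]@{ Domain = $d; ExchangeOnline = $false; Autodiscover = $false
                                  SkypeOrLync = $false; AzureADJoin = $false; ADFS = $false }

        # MX -> *.mail.protection.outlook.com: inbound mail goes through Exchange Online Protection
        foreach ($mx in (Query $d 'MX')) {
            $found.Add("MX $d -> $($mx.NameExchange)")
            if ($mx.NameExchange -like '*.mail.protection.outlook.com') { $row.ExchangeOnline = $true }
        }
        # CNAMEs the Office 365 domain setup asks tenants to publish
        $cnames = @{
            "autodiscover.$d"           = @('autodiscover.outlook.com',           'Autodiscover')
            "lyncdiscover.$d"           = @('webdir.online.lync.com',             'SkypeOrLync')
            "sip.$d"                    = @('sipdir.online.lync.com',             'SkypeOrLync')
            "enterpriseregistration.$d" = @('enterpriseregistration.windows.net', 'AzureADJoin')
        }
        foreach ($name in $cnames.Keys) {
            $target, $flag = $cnames[$name]
            foreach ($c in (Query $name 'CNAME')) {
                $found.Add("CNAME $name -> $($c.NameHost)")
                if ($c.NameHost -like "*$target") { $row.$flag = $true }
            }
        }
        # SRV used by Skype for Business / Lync Online federation and external access
        foreach ($s in (Query "_sip._tls.$d" 'SRV')) {
            $found.Add("SRV _sip._tls.$d -> $($s.NameTarget)")
            if ($s.NameTarget -like '*sipdir.online.lync.com') { $row.SkypeOrLync = $true }
        }
        # ADFS: assumed common federation host names; an A answer means an endpoint is published
        foreach ($h in 'sts', 'adfs', 'fs') {
            $a = Query "$h.$d" 'A' | Select-Object -First 1
            if ($a) { $row.ADFS = $true; $found.Add("A $h.$d -> $($a.IPAddress)") }
        }
        $row | Add-Member -NotePropertyName Records -NotePropertyValue $found.ToArray() -PassThru
    }
}

# Same two output files as the gallery script: raw records and one report row per domain.
$results = Get-O365DnsFootprint -Domain 'microsoft.com', 'google.com'
$results | ForEach-Object { $_.Records } | Set-Content results.txt
$results | Select-Object Domain, ExchangeOnline, Autodiscover, SkypeOrLync, AzureADJoin, ADFS |
    Export-Csv report.csv -NoTypeInformation
```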

Download

Download from the Script Center on TechNet here

Tips:

– Remember to set the execution policy to allow unsigned PowerShell scripts; this has to be done in an elevated PowerShell session.

– You may need to unblock the script (see this article for more information on how to unblock)


Limiting access to Executive Mailboxes in Exchange Online

In my last blog post, I wrote about how the new workload specific role feature in Office 365 grants too much administrative ability when you simply want to restrict access to VIP mailboxes.

In this blog post, I will describe how you can create management “Scopes” to define boundaries so that external helpdesk organizations will not have the ability to manage your executives.

“Exclusive scopes are a special type of explicit management scope that can be associated with management role assignments. Exclusive scopes are designed to enable situations where you have a group of highly valuable objects, such as a CEO mailbox, and you want to tightly control who has access to manage those objects…
This behavior is similar to how a deny access control entry (ACE) on an Active Directory access control list (ACL) functions.”

This example creates an exclusive recipient filter-based scope that matches any user with “Executives” in the AD department field (this has to be run in a remote PowerShell session against Exchange Online):

New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { Department -eq "Executives" } -Exclusive

or based on Job Title:

New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { Title -like "*Executive*" } -Exclusive

or based on a custom attribute (you get the idea…):

New-ManagementScope "Executive Users Exclusive Scope" -RecipientRestrictionFilter { CustomAttribute5 -eq "VIP" } -Exclusive


The next step is to create a role group of highly trusted administrators to which the exclusive scope will be assigned. Anyone not in this group cannot manage the VIP mailboxes.

New-RoleGroup -Name "VIP Mailbox Administrators" -Roles "Mail Recipients"

At this point you can add users or security groups to the VIP Mailbox Administrators role group.


Finally, this next command glues the role group to the exclusive scope filter:

New-ManagementRoleAssignment -Name "VIP Mailbox Administrators" -SecurityGroup "VIP Mailbox Administrators" -Role "Mail Recipients" -ExclusiveRecipientWriteScope "Executive Users Exclusive Scope"
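Once the three commands above have been run, it is worth verifying that the scope catches the right people and that nobody else has been given a way around it. The following audit function is an added example (not from the original post); it assumes an open remote PowerShell session to Exchange Online and the scope name used above, and it assumes that an assignment records the scope it writes through in its CustomRecipientWriteScope property.

```powershell
# Added example (not from the original post): audit an exclusive scope and who can reach its mailboxes.
function Get-ExclusiveScopeAudit {
    param([string]$ScopeName = 'Executive Users Exclusive Scope')

    $scope = Get-ManagementScope -Identity $ScopeName
    if (-not $scope.Exclusive) {
        throw "Scope '$ScopeName' is not exclusive; a non-exclusive scope does not block other admins."
    }

    # Preview which recipients the filter actually matches. A typo in the Department
    # or Title filter silently leaves a VIP unprotected, so compare this list to the expected names.
    $vips = @(Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited)

    # Role assignments writing through this scope: the only admins allowed to manage the VIPs.
    # Assumption: the scope name is exposed via CustomRecipientWriteScope on the assignment.
    $assignments = @(Get-ManagementRoleAssignment -Enabled $true |
        Where-Object { "$($_.CustomRecipientWriteScope)" -eq $scope.Name })

    # Explicit FullAccess grants on the VIP mailboxes. The implicit admin deny is not listed
    # here, so anything returned was added deliberately and deserves a second look.
    $fullAccess = foreach ($v in $vips) {
        Get-MailboxPermission -Identity $v.Identity |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and
                           -not $_.IsInherited -and
                           "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
            Select-Object @{ n = 'Mailbox'; e = { $v.PrimarySmtpAddress } }, User, AccessRights
    }

    [pscustomobject]@{
        Scope            = $scope.Name
        Filter           = $scope.RecipientFilter
        ProtectedUsers   = $vips | Select-Object -ExpandProperty PrimarySmtpAddress
        AdminAssignees   = $assignments | Select-Object -ExpandProperty RoleAssigneeName
        FullAccessGrants = @($fullAccess)
    }
}

Get-ExclusiveScopeAudit | Format-List
```

An empty ProtectedUsers list or an unexpected name under AdminAssignees means the scope or assignment needs fixing before the external helpdesk is onboarded.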


Going a step further…

The above commands lock out an external helpdesk from being able to manage your executives. But what if you want to restrict your external helpdesk even further, so that the actions they take on the rest of your users are limited as well?

You can create a custom role assignment for your external helpdesk that enables them to manage certain things but not others. For example, if you want to give them the ability to manage archive rules, you would grant them the “Retention Management” role.

If you want your external helpdesk to manage ActiveSync policies on mailboxes and remotely wipe lost devices, see this article for more information.

In addition to “Retention Management” and the custom ActiveSync role described above, the other fine-grained roles to consider granting to your external helpdesk would be:

– UM Mailboxes (allows external helpdesk to enable voicemail on new mailboxes)

– View-only Recipients

– View-only configuration (this allows the external helpdesk to view non-recipient configuration such as transport config)

– Distribution Groups (this allows the external helpdesk to create distribution groups)

– Legal Hold (this allows the external helpdesk to place a mailbox on Legal Hold)

– Retention Management (this enables the external helpdesk to setup and manage Archives roles)

Note: If you stop here, the external helpdesk does not have enough permission to grant themselves “full mailbox” permission to read the inbox contents of the VIP mailboxes, or of any mailbox for that matter. By default, there is an implicit deny ACL that prevents an Exchange admin from having full-mailbox access to read the contents of a mailbox. If you want the external helpdesk to be able to read the inbox of any end-user, a nightly scheduled task can explicitly grant full-mailbox permission to all mailboxes except for the 5 VIP users, because there is already an implicit deny for all admins on the 5 VIP mailboxes. I would not recommend doing this, as it should be exceptionally rare for a helpdesk user to need to read the contents of someone’s mailbox. You can consider having them escalate to the internal helpdesk when this need occurs, so that it can be controlled.

The external helpdesk would manage Exchange by logging in directly to the ECP here:
https://outlook.office365.com/ecp

This is great, but what if you need your external helpdesk to add or remove O365 licenses? No problem: you can grant them the “User Management Role” in the O365 Admin Portal. This is a great role because it does not have any corresponding role mapping in Exchange Online, so you won’t be giving them any additional privileges on mailboxes with this role.

The “User Management Role” in the O365 Admin portal is also how you would allow your external helpdesk to create a mailbox, because assigning an Exchange Online license to a user is the step that actually creates the mailbox.

One of my colleagues recommends this SaaS provider “delegate365.com” that can also create exclusive management scopes for you without you having to be an Exchange expert to set this all up. For example, you would just have your external helpdesk logon to delegate365.com to access some but not all of your users. They offer a 30 day free trial that you can use to evaluate whether it would meet your specific needs.

How to use the Workload-specific roles for delegated administration of Office 365

Many customers would like to reduce the number of Office 365 Global Admins to a small handful, while granting service specific admin roles to designated administrators.

Workload-specific admin roles began rolling out on June 11th, 2015 and provide more flexibility to organizations that want to structure admin access to Exchange Admin Center, SharePoint Admin Center, and Skype for Business Admin Center. For example, an Exchange admin will no longer require Office 365 global admin rights to manage Exchange Online. You can now give your SharePoint admin the ability to manage SharePoint site collections without giving them rights over your Exchange environment.

I’m going to grant John Doe the Limited Admin role of Exchange Administrator.

image

In addition to being an Exchange Administrator, John will also have the ability to perform six tasks in the Office 365 Admin portal:

  • View organization and user information
  • Manage support tickets
  • View users and roles
  • View user licenses
  • View service health and message center posts
  • Manage reporting

Limiting Access to Executive Mailboxes

Now, let’s assume a company wants to grant Exchange Administrators access to all mailboxes except a group of VIP users. In this case, you should not grant the user the limited role of Exchange Administrator, because that would give them too much access (Organization Management, the highest rights within Exchange). Instead of granting them rights within the Office 365 Admin Portal, you should create a role in the Exchange Admin Center such as “View-Only Organization Management” and then grant them full mailbox access on all users except for the VIP users. A script that grants this access could be run as a scheduled task so that these limited admins are granted access to new employees (or you would update the new employee onboarding account creation process to grant these admins full mailbox access to the new employees).

For these limited admins, they will not logon to the Office 365 Admin center (portal.office.com) but instead they will logon directly to the Exchange Online Control Panel at https://outlook.office365.com/ecp

June 2015 Office 2016 Update Breaks OneNote

After applying the June update to Office 2016 (Preview) 16.0.4201.1002, my OneNote notebooks would not open. The error message was that there were no accounts associated with an active Office 365 subscription. This was a bogus error because all my other Office applications worked fine, and it only affected OneNote. I deactivated Office from the portal and then re-activated it, with no improvement.

The fix was to go into Control Panel and launch an Office Repair (the Online Repair option, not the Quick Repair).
