Category Archives: Microsoft

Messaging and Collaboration, SharePoint, etc.

Changing RDWeb default Port on Windows Server 2019

Story:

When you install RDS on a server that already has another service bound to port 443, you will get the following error when you try to open the RDWeb main page.

The reason is that the server you installed RDWeb on is most likely already using port 443 for something else.

Error Message:

When trying to access RDWeb on the same server you’ll get the following error:

Service Unavailable

Http Error 503. The Service is unavailable


Troubleshooting

To troubleshoot, let's see what is using port 443.

Run CMD or PowerShell as an Administrator and type the following command:

Netstat -anbo | findstr 443


Changing Port to 1443 or 8443

Let's first try changing the port using RD Gateway Manager.

In RD Gateway Manager, click Properties in the right pane, go to the Transport Settings tab and change the HTTPS port to 1443 or 8443.


Changing Ports using Registry

Navigate to the following key and make sure you first take a backup (export the key):

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core]

Change the following registry value:

IsUdpEnabled REG_DWORD 0


Back up and change the following port value to the intended one:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core]

HttpsPort REG_DWORD (8443)

Select the Decimal base before typing the port number, so that you enter the right value.


Restart Service

From PowerShell (or CMD), restart the service:

net stop tsgateway
net start tsgateway


Now confirm that the service is listening on port 8443. From PowerShell, type:

Netstat -anbo | findstr 8443
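As an added example (not part of the original post), here is the same procedure done end to end from an elevated PowerShell session: identify the process that owns the old port, export the registry key as a backup, set the two values the post names, restart the gateway service and confirm the new listener. The registry path and value names are the ones the post uses; the service name TSGateway and the backup directory are assumptions.

```powershell
# Added example (not from the original post): move the RD Gateway HTTPS listener to a new
# port through the registry, with a backup first and a listener check afterwards.
# Assumes: run elevated on the RD Gateway server; registry path and value names
# (HttpsPort, IsUdpEnabled) as quoted in the post; service name TSGateway (assumption).
#Requires -RunAsAdministrator
param(
    [int]$OldPort = 443,
    [int]$NewPort = 8443,
    [string]$BackupDir = "$env:SystemDrive\RDGW-RegBackup"   # assumed backup location
)

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'
$keyReg  = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'

# 1. Who is listening on a port? Equivalent of "netstat -anbo | findstr <port>".
#    Listeners that go through HTTP.sys (IIS and RD Gateway included) show up as PID 4 / System.
function Get-PortOwner {
    param([int]$Port)
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
}

Write-Host "Listeners on port $OldPort before the change:"
Get-PortOwner -Port $OldPort | Format-Table -AutoSize

# 2. Back up the key before touching it (same as "Export" in regedit).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ("TSGateway-Core-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export $keyReg $backupFile /y | Out-Null
Write-Host "Registry key exported to $backupFile"

# 3. Write the values from the post. Set-ItemProperty takes the number as decimal,
#    so the hex/decimal mix-up possible in regedit cannot happen here.
Set-ItemProperty -Path $keyPath -Name 'IsUdpEnabled' -Value 0        -Type DWord
Set-ItemProperty -Path $keyPath -Name 'HttpsPort'    -Value $NewPort -Type DWord

# 4. Restart the gateway service ("net stop/start tsgateway" in the post).
Restart-Service -Name TSGateway -Force

# 5. Verify: the gateway must now be listening on the new port.
Start-Sleep -Seconds 5
$listener = Get-PortOwner -Port $NewPort
if ($listener) {
    Write-Host "RD Gateway is listening on port $NewPort"
    $listener | Format-Table -AutoSize
} else {
    Write-Warning "Nothing is listening on port $NewPort. Check the TSGateway service state and the System event log."
}
```

After the change, clients have to address the gateway with the new port (for example gateway.domain.com:8443 in the RDP file or client settings) and any firewall rule for the old port needs to follow. Because IIS and RD Gateway both sit behind HTTP.sys and both appear as System (PID 4) in netstat, the listener check alone cannot tell the two apart; the registry value plus the service restart is what moves the gateway.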


Let's open the RDWeb main page again and see whether it works.

Voilà! It finally worked.


Brightmail does not deliver email to Distribution group members

The Story

Note: This article assumes you use the Symantec Brightmail Gateway.

When you send an email to a particular Exchange distribution group (Group@domain.com), the result is either a "user does not exist" bounce, or the following error if you test with Microsoft's online test connectivity tool.

Error:

The server returned status code 554 – Transaction failed. The server response was: 5.7.1 Delivery not authorized

Other related errors

‘554 5.7.1: You are not allowed to connect’


Cause:

The group has been cached in the Symantec gateway with its old membership, so mail to it is rejected with either a "user does not exist" or a "delivery not authorized" error.

Solution:

To solve this problem, go to Brightmail Gateway Administration > Directory Integration, click your AD directory, open Advanced and click Clear Cache.

This clears the cached group so that the gateway picks up the current group and its members, which should resolve the problem.


How to clear the DDS cache in Messaging Gateway

https://knowledge.broadcom.com/external/article?legacyId=tech132131

Skype for Business IM integration with Exchange 2016 OWA–Part 2

This article continues Part 1. Click here to go to Part 1.

Configuration Steps – Part 2

7. On Exchange: Enable OWA VD Instant Messaging
8. On Exchange: Enable Messaging on OWA Policy
9. On Exchange: Create Enterprise Application for Skype Pool.
10. On Exchange: Create new SettingOverride for Skype for Business.
11. Generate a new Certificate for Exchange IM
12. Assign the newly imported certificate to IIS Exchange Back End site
13. On Exchange: Restart the WebAppPool
14. Log out and sign back in to OWA to Check
15. Troubleshooting methods

    7- On Exchange Server: Enable OWA VD Instant Messaging

    Part of enabling IM integration between Exchange and SfB is enabling instant messaging on the OWA virtual directory. The cmdlet below does this on all your Exchange servers at once.

    On Exchange, launch the Exchange Management Shell and run the following cmdlet:

    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingEnabled $true -InstantMessagingType Ocs


    8- On Exchange: Enable Messaging on OWA Policy

    Run the following to enable instant messaging on the OWA mailbox policy:

    Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -InstantMessagingEnabled $true -InstantMessagingType Ocs


    9- On Exchange: Create Enterprise Application for Skype Pool.

      From the Exchange Management Shell, run the following cmdlets:

      Cd $exscripts

      .\Configure-EnterprisePartnerApplication.ps1 -AuthMetadataUrl "https://sbg-pool01.domain.com/metadata/json/1" -ApplicationType Lync

      The AuthMetadataUrl is your local Skype for Business pool URL. This URL must open from your Exchange server without any certificate error, meaning that the certificate chain of your Skype for Business pool must already be trusted by the Exchange servers.


        If the previous configuration is correct, you should see the "The Configuration has Succeeded" message.

          10- On Exchange: Create new SettingOverride for Skype for Business.

          Notes:

          • To configure the same settings on all Exchange 2016 and Exchange 2019 servers in the Active Directory forest, don’t use the Server parameter.

          New-SettingOverride -Name "<UniqueOverrideName>" -Component OwaServer -Section IMSettings -Parameters @("IMServerName=<Skype server/pool name>","IMCertificateThumbprint=<Certificate Thumbprint>") -Reason "<DescriptiveReason>" [-Server <ServerName>]

          The thumbprint you use here decides whether IM works or not, as this certificate secures the communication between Exchange and Skype. If you use the wrong certificate, the integration fails and users won't be able to sign in to IM through OWA.

          11- Generate a new Certificate for Exchange IM

          IMPORTANT NOTE:

          For IM in OWA to work, the certificate you generate must have its common name set to mail.domain.com to match the configuration.

          Using the DigiCert utility on the Exchange server, I will generate the CSR for the new certificate.

          Click on Create CSR


          Choose the SSL certificate type and make sure you set mail.domain.com as the CN.

          In the SANs, enter all of the involved servers (Skype for Business Front Ends and Mailbox servers, both as FQDNs and as short hostnames), then click Generate.


          • Go to your CA server's CertSrv URL and paste the CSR there to generate the new certificate.
          • Import the new certificate on the current server, then export it in PFX format and import it on all the Exchange servers you plan to use.


          • After importing the certificate, I verify that the private key is present.


          Click Details and copy the thumbprint, or in MMC right-click the certificate > Properties and give it a friendly name (e.g. IM), so that you can copy the thumbprint directly from the Exchange Management Shell:

          Get-ExchangeCertificate | select thumbprint,friendlyName


          Now use the previous cmdlet to create the setting override for OwaServer.

          The values you change are the Name, the IMServerName value and the IMCertificateThumbprint value:

          New-SettingOverride -Name "IM Override" -Component OwaServer -Section IMSettings -Parameters @("IMServerName=SBG-Pool01.domain.com","IMCertificateThumbprint=28E4B1BA0F2FCB1535AF199F02A64EFC78367F2D") -Reason "Configure IM"


          If you used the Server parameter to target a single server, you can change the scope afterwards as follows. Note that you must use the servers' short hostnames, not their FQDNs:

          Get-SettingOverride | Set-SettingOverride -Server sbg-mx01,sbg-mx02


          This should generate event ID 112 on the Exchange servers involved in the deployment.


            12. Assign the newly imported certificate to IIS Exchange Back End site

            Once the certificate is in the server's certificate store, you can easily find it from IIS and bind it to the Exchange Back End site.

            This is the most crucial step to get IM working in OWA. Don't worry about breaking the Exchange sites or PowerShell: if you added the Exchange servers' hostnames and FQDNs to this certificate, you should be fine.

            • Launch IIS Manager
            • Click Exchange Back End
            • Select Bindings
            • Select the port 444 binding and click Edit
            • Select the newly generated certificate that has mail.domain.com as CN (this certificate must also have all Exchange server hostnames and FQDNs as SANs)


            Make sure you change the Back End certificate to the new one on all the involved Exchange servers.
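Since the post notes that the wrong thumbprint silently breaks IM, it is worth checking the certificate programmatically on each Exchange server after the import and the binding. The script below is an added example, not code from the post or from Microsoft: it takes the thumbprint copied from Get-ExchangeCertificate and checks private key, validity window, CN, SANs, chain trust and the Exchange Back End port 444 binding. The expected CN and the server names in the defaults are the ones this post uses and are assumptions for your environment; the IIS check relies on the certificateHash property of Get-WebBinding output.

```powershell
# Added example (not from the original post): validate the IM certificate on this Exchange
# server before/after New-SettingOverride and the IIS binding. Assumed defaults: the CN
# the post requires (mail.domain.com) and the Exchange hostnames/FQDNs used in the post.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$ExpectedCN = 'mail.domain.com',
    [string[]]$RequiredSans = @('sbg-mx01', 'sbg-mx01.domain.com', 'sbg-mx02', 'sbg-mx02.domain.com')
)

$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # strip spaces/colons pasted from MMC
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    Write-Error "No certificate with thumbprint $Thumbprint in LocalMachine\My on $env:COMPUTERNAME"
    return
}
$problems = @()

# 1. Private key: a PFX imported without it cannot be bound in IIS.
if (-not $cert.HasPrivateKey) { $problems += 'certificate has no private key' }

# 2. Validity window.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "certificate not valid today (NotBefore $($cert.NotBefore), NotAfter $($cert.NotAfter))"
}

# 3. Subject CN must be the IM URL host.
$cn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
if ($cn -ne $ExpectedCN) { $problems += "CN is '$cn', expected '$ExpectedCN'" }

# 4. SANs: parse the Subject Alternative Name extension (OID 2.5.29.17).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}
foreach ($name in $RequiredSans) {
    if ($sans -notcontains $name) { $problems += "SAN list is missing '$name'" }
}

# 5. Chain: the issuing CA must be trusted on this server (and on the SfB servers).
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems += ('chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '))
}

# 6. IIS: the Exchange Back End site's port 444 binding should carry this thumbprint.
Import-Module WebAdministration -ErrorAction SilentlyContinue
$binding = Get-WebBinding -Name 'Exchange Back End' -Port 444 -ErrorAction SilentlyContinue
if ($binding) {
    $bound = "$($binding.certificateHash | Select-Object -First 1)".ToUpper()
    if ($bound -ne $Thumbprint) { $problems += "Exchange Back End :444 is bound to '$bound', not $Thumbprint" }
} else {
    $problems += 'no port 444 binding found on the Exchange Back End site'
}

if ($problems) {
    Write-Warning ("IM certificate check FAILED on {0}:`n - {1}" -f $env:COMPUTERNAME, ($problems -join "`n - "))
} else {
    Write-Host "IM certificate $Thumbprint passes all checks on $env:COMPUTERNAME; SANs: $($sans -join ', ')"
}
```

Run it on every Exchange server that carries the override, with the thumbprint you intend to pass to New-SettingOverride; a failure in check 6 means the certificate was imported but the binding step was skipped on that server.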

            13. On Exchange: Restart the WebAppPool

            Restart-WebAppPool MSExchangeOWAAppPool


              14. Log out and sign back in to OWA to Check

              Log out of OWA and back in, and check whether IM signs you in. It should normally sign you in automatically; if there is an error, OWA shows the instant messaging error message, and if it works you should see your presence status.

              15. Troubleshooting Methods

              If you follow the steps above correctly it should work, especially once the right certificate is bound to the Exchange Back End site in IIS. If you still face an error, use the following steps to troubleshoot it.

              • Raise the event log level for Instant Messaging on Exchange from Low to High:

              Set-EventLogLevel -Identity "sbg-mx01\MSExchange OWA\InstantMessage" -Level High


              • Look in the following path for errors

              C:\Program Files\Microsoft\Exchange Server\V15\Logging\OWA\InstantMessaging

              • Check the health set of OWA Instant Messaging:

              Get-ServerHealth -HealthSet OWA.Protocol.Dep -Server sbg-mx01 | Format-Table Name, AlertValue -Auto


              Get-MonitoringItemIdentity -Server sbg-mx01 -Identity OWA.Protocol.Dep | Format-Table Identity,ItemType,Name -Auto
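The three troubleshooting steps above can be combined into one triage pass. The script below is an added example (not code from the post or from Microsoft) that raises the IM log level, greps the newest file in the InstantMessaging log folder for error-like lines, lists only the non-healthy monitors of the OWA.Protocol.Dep health set, and looks for the event ID 112 the post expects after the override. It assumes the Exchange Management Shell is loaded, the server name from the post and the default install path; the log files are not parsed, only searched.

```powershell
# Added example (not from the original post): one triage pass on an Exchange server when
# OWA reports "There's a problem with instant messaging". Assumes the Exchange Management
# Shell, the server name from the post (sbg-mx01) and the default logging path.
param(
    [string]$Server  = 'sbg-mx01',
    [string]$LogRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\OWA\InstantMessaging',
    [int]$Tail = 200
)

# 1. Raise the IM log level so the next sign-in attempt is recorded in detail.
Set-EventLogLevel -Identity "$Server\MSExchange OWA\InstantMessage" -Level High

# 2. Scan the newest IM log file for error-like lines (the file format is not parsed, only grepped).
$latest = Get-ChildItem -Path $LogRoot -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) {
    Write-Host "Newest IM log: $($latest.FullName) ($($latest.LastWriteTime))"
    Get-Content -Path $latest.FullName -Tail $Tail |
        Select-String -Pattern 'error|exception|fail|certificate|unauthorized' |
        ForEach-Object { $_.Line }
} else {
    Write-Warning "No log files under $LogRoot; raise the level (step 1), retry the OWA sign-in and run this again."
}

# 3. Health set: show only monitors that are not Healthy.
Get-ServerHealth -Server $Server -HealthSet OWA.Protocol.Dep |
    Where-Object { $_.AlertValue -ne 'Healthy' } |
    Format-Table Name, AlertValue -AutoSize

# 4. Was the IM override picked up? The post expects event ID 112 after New-SettingOverride.
#    Log name and time window are assumptions; the provider is shown so you can narrow it down.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 112; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Message | Format-List
```

Lines matching "certificate" or "unauthorized" in step 2 are the ones to read first: they point back to the thumbprint and Back End binding steps rather than to the SfB side.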


                Ref

                https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-im-integration-with-owa?view=exchserver-2019

                https://docs.microsoft.com/en-us/exchange/high-availability/managed-availability/health-sets?view=exchserver-2019

                Skype for Business IM integration with Exchange 2016 OWA–Part 1

                The Story

                Good, detailed documentation is all we need to implement any kind of project, especially an integration between two servers that perform different roles.

                With PKI involved the complications multiply, so a good write-up is what we need.

                Previously I tried a test lab with Skype for Business 2015/2019 IM integration with Exchange 2016/2019, and the result was a complete failure and an endless search for what was missing to get IM working from OWA.


                ERROR

                After completing the steps in Microsoft's official documentation and restarting Exchange IIS or the OWA app pool, you will see this when you try to sign in to OWA with your user:

                There’s a problem with instant messaging. Please try again later.


                MS Official Documentation

                In its official documentation Microsoft says that the certificate in question must be trusted by all the servers involved, meaning the Skype for Business Front End and Mailbox servers.

                While this is true, it alone would not get IM to sign in and work, although it might log the initialization event ID 112 in the event log.


                Here is what MS says about the certificate.

                Exchange and Skype for Business integration requires server certificates that are trusted by all of the servers involved. The procedures in this topic assume that you already have the required certificates. For more information, see Plan to integrate Skype for Business Server 2015 and Exchange. The required IM certificate thumbprint refers to the Exchange Server certificate assigned to the IIS service.

                REF URL: https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-im-integration-with-owa?view=exchserver-2019#what-do-you-need-to-know-before-you-begin


                Step by Step Deployment

                To do things the way that should get this working, I will detail the steps one by one so we can be sure of the positive result we are all waiting for when dealing with Exchange and Skype for Business.

                Exchange IM URL: mail.domain.com

                Skype for Business Pool FQDN: SBG-Pool01.domain.com

                Autodiscover URL: Autodiscover.Domain.com

                Prerequisites

                1. For the Default and Web Services Internal certificate, your Skype for Business Front End server/pool must use a certificate issued by an internal CA, which you can later use to generate Exchange's IM certificate.
                2. UCMA must be installed (version 4 or 5; both are supposed to work with Exchange 2016).
                3. A local Certification Authority must already be deployed in the domain.

                Configuration Steps – Part 1

                1. On SfB: Set CsAuthConfiguration Autodiscover URL for Skype server to find Exchange Autodiscover
                2. On SfB: Get-CsSite to see what is the current site ID.
                3. On Exchange: Check AutodiscoverServiceInternalURI
                4. On SfB: Create new Partner
                5. On SfB: Create new Trusted Application Pool
                6. On SfB: Create new Trusted Application ID

                Configuration Steps – Part 2

                7. On Exchange: Enable OWA VD Instant Messaging
                8. On Exchange: Enable Messaging on OWA Policy
                9. On Exchange: Create Enterprise Application for Skype Pool.
                10. On Exchange: Create new SettingOverride for Skype for Business.
                11. Generate a new Certificate for Exchange IM
                12. Assign the newly imported certificate to IIS Exchange Back End site
                13. On Exchange: Restart the WebAppPool
                14. Log out and sign back in to OWA to Check
                15. Troubleshooting methods

                Prerequisites

                1- Update or Create Server Default and Web Service Internal Certificate for SfB Pool servers

                The certificate installed on the Skype for Business pool Front End servers must be issued by a local Certification Authority that the Exchange Server services trust.

                The certificate generated for the Skype for Business pool is issued by my CA and includes the following names:

                • Skype for Business Pool
                • Skype for Business Frontend FQDNs
                • Exchange Servers
                • Autodiscover FQDN
                • Lyncdiscover.domains.com
                • Lyncdiscoverinternal.domains.com
                • sip.domains.com
                • meet.domains.com
                • dialin.domain.com
                • External.domain.com


                2- UCMA must be installed

                On both the Exchange and Skype for Business servers I already have UCMA 4.0 installed; if you don't have it, or have an older version, you can't continue without it.


                3- Make sure you have a Local Certification Authority deployed in your domain.

                Configuration Steps – Part 1

                1- On SfB: Set CsAuthConfiguration Autodiscover URL for Skype server to find Exchange Autodiscover

                For Skype for Business Server to find the Exchange Autodiscover service endpoint and to authenticate to it, we use the cmdlet below.

                This lets both servers authenticate each other and share information when needed, without user involvement:

                Set-CsOauthConfiguration -ExchangeAutodiscoverUrl https://autodiscover.domain.com/autodiscover/autodiscover.svc


                Ref:

                https://docs.microsoft.com/en-us/powershell/module/skype/set-csoauthconfiguration?view=skype-ps

                2- On SfB: Get-CsSite to see what is the current site ID.

                The site ID is needed later to set up the Trusted Application Pool.

                In the Skype for Business Management Shell, type the following:

                Get-CsSite

                In my case the site ID is 1; I will keep this for later use.


                3- On Exchange: Check AutodiscoverServiceInternalURI

                Set the AutoDiscoverServiceInternalUri for the internal Autodiscover service. Make sure it points to your public URL and certificate, not the internal one; otherwise your users will get a certificate error in Outlook, and IM chat may not work either.

                The cmdlet is:

                Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml


                4- On SfB: Create new Partner Application

                On the Skype for Business server, launch the Management Shell and use this cmdlet to add Exchange as a partner application in the SfB topology:

                New-CsPartnerApplication -Identity Exchange -ApplicationTrustLevel Full -MetadataUrl "https://autodiscover.domain.com/autodiscover/metadata/json/1"

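Both the partner application metadata URL above and the Skype for Business pool URL passed to Configure-EnterprisePartnerApplication.ps1 in Part 2 must open on the consuming server without a certificate error. The following added example (not code from the post or from Microsoft) performs that check from whichever server you run it on: it opens a TLS connection, builds the server's chain against the local certificate store, compares the host name with the certificate's CN and SANs, and only then fetches the metadata document. The two URLs in the defaults are the ones used in this series and are assumptions for your environment.

```powershell
# Added example (not from the original post): check that a partner metadata URL answers
# over TLS with a certificate this machine trusts and whose name matches the host.
# Run on the SfB Front End for the Exchange URL and on each Exchange server for the pool URL.
param(
    [string[]]$Urls = @(
        'https://autodiscover.domain.com/autodiscover/metadata/json/1',   # New-CsPartnerApplication (Part 1)
        'https://sbg-pool01.domain.com/metadata/json/1'                    # Configure-EnterprisePartnerApplication.ps1 (Part 2)
    )
)

function Test-PartnerMetadataUrl {
    param([Parameter(Mandatory)][string]$Url)
    $uri      = [uri]$Url
    $hostName = $uri.Host
    $port     = if ($uri.Port -gt 0) { $uri.Port } else { 443 }
    $result   = [ordered]@{ Url = $Url; TcpReachable = $false; ChainTrusted = $false; NameMatches = $false
                            Subject = ''; NotAfter = $null; Sans = ''; Note = '' }

    $tcp = New-Object -TypeName System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($hostName, $port)
        $result.TcpReachable = $true
        # Accept any certificate at handshake time so we can inspect it ourselves instead of throwing.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $cb
        $ssl.AuthenticateAsClient($hostName)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $result.Subject  = $cert.Subject
        $result.NotAfter = $cert.NotAfter

        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans = @()
        if ($sanExt) { $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
        $result.Sans = $sans -join ','
        $cn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
        $result.NameMatches = ($sans -contains $hostName) -or ($cn -eq $hostName)

        # Chain built against this machine's store: the "no certificate error" condition from the post.
        $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
        $result.ChainTrusted = $chain.Build($cert)
        if (-not $result.ChainTrusted) {
            $result.Note = 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
        $ssl.Dispose()
    } catch {
        $result.Note = "TLS/TCP error: $($_.Exception.Message)"
    } finally {
        $tcp.Dispose()
    }

    # Only fetch the document when the certificate would also satisfy the normal stack.
    if ($result.ChainTrusted -and $result.NameMatches) {
        try {
            $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
            $result.Note = "HTTP $($resp.StatusCode), $($resp.Content.Length) bytes of metadata"
        } catch {
            $result.Note = "HTTP error: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

$Urls | ForEach-Object { Test-PartnerMetadataUrl -Url $_ } | Format-List
```

ChainTrusted false with a Note of UntrustedRoot means the issuing CA's certificate is missing from this server's Trusted Root store; NameMatches false means the pool or Autodiscover name is absent from the SANs of the certificate you built in the prerequisites section.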

                5- On SfB: Create new Trusted Application Pool

                New-CsTrustedApplicationPool -Identity mail.domain.com -Registrar sbg-pool01.domain.com -Site 1 -RequiresReplication $false


                6- On SfB: Create new Trusted Application ID

                From the SfB Management Shell, run the following cmdlet:

                New-CsTrustedApplication -ApplicationId OutlookWebAccess -TrustedApplicationPoolFqdn mail.domain.com -Port 5199


                Finally


                Click on the link below for Part 2

                Skype for Business IM integration with Exchange 2016 OWA–Part 2

                An Exchange mailbox was mistakenly migrated over an object used by another user

                The Story

                If you have ever used the Prepare-MoveRequest script to migrate a user and forgot to use ADMT to copy the user's properties from the old account, you might have run ADMT again afterwards to rewrite the properties.

                When you use ADMT you need to exclude all Exchange attributes from the source, since Prepare-MoveRequest has already copied them. Mistakes happen, though, and you may run into the same one my colleague made during one of those extremely complicated cross-forest migrations, where you prepare CSV files through PowerShell and the names don't match the SAM accounts.

                Don’t Panic

                If you forgot to exclude the Exchange attributes when running ADMT, you most likely won't see the user's mailbox in the target forest, which can cause panic about the user being gone. The user is not gone; don't panic.

                When you look for the user's mailbox in the target forest after the move request completes, you get an error reporting that the user can't be found.


                Solution

                To fix the problem you need to change two attributes, only for this migrated user, in the target forest after the mailbox move has completed.

                The attributes are:

                msExchRecipientDisplayType    1073741824
                msExchRecipientTypeDetails    128

                The user's current values are the wrong ones; fix them so that they match the values above.

                Once you apply the change, wait a minute or a few, depending on your AD replication speed, and the problem will be solved.
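The attribute fix can be done with the ActiveDirectory module instead of ADSI Edit, which also leaves a record of the previous values. The script below is an added example (not code from the post): it reads the current Exchange attributes of the migrated user from a target-forest DC, saves them to a JSON file, replaces only the two attributes the post names (the defaults are the values the post lists) after a confirmation prompt, and reads them back. The account name and the DC name are assumptions.

```powershell
# Added example (not from the original post): inspect and correct the two Exchange
# attributes on the migrated user in the target forest. The default values are the ones
# the post lists; the DC name is an assumption. Nothing is written without confirmation.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$Server = 'target-dc01.target.local',          # assumed target-forest DC
    [int64]$RecipientDisplayType = 1073741824,             # value from the post
    [int64]$RecipientTypeDetails = 128                     # value from the post
)

# Read a few related attributes too, so the backup shows the full recipient state.
$attrs = 'msExchRecipientDisplayType', 'msExchRecipientTypeDetails', 'msExchRemoteRecipientType', 'targetAddress', 'mail'
$user  = Get-ADUser -Identity $SamAccountName -Server $Server -Properties $attrs

# 1. Record what is there now (the "wrong attributes" the post shows in its screenshot).
$before = [ordered]@{}
foreach ($a in $attrs) { $before[$a] = $user.$a }
$backup = Join-Path $env:TEMP ("{0}-exchattrs-{1:yyyyMMdd-HHmmss}.json" -f $SamAccountName, (Get-Date))
$before | ConvertTo-Json | Set-Content -Path $backup
Write-Host "Current values for $($user.DistinguishedName) (saved to $backup):"
$before.GetEnumerator() | Format-Table Name, Value -AutoSize

# 2. Replace only the two attributes the post names; -Confirm prompts before writing.
$change = @{
    msExchRecipientDisplayType = $RecipientDisplayType
    msExchRecipientTypeDetails = $RecipientTypeDetails
}
Set-ADUser -Identity $user.DistinguishedName -Server $Server -Replace $change -Confirm

# 3. Read back from the same DC; the other DCs catch up after replication.
$after = Get-ADUser -Identity $user.DistinguishedName -Server $Server -Properties $attrs
foreach ($k in $change.Keys) {
    $ok = ([int64]$after.$k -eq $change[$k])
    "{0,-28} {1,12} -> {2,12}  {3}" -f $k, $before[$k], $after.$k, $(if ($ok) { 'OK' } else { 'NOT APPLIED' })
}
Write-Host "Wait for AD replication, then verify with: Get-Mailbox -Identity $SamAccountName"
```

If the read-back shows NOT APPLIED, the confirmation was declined or the account used lacks write access to those attributes; the JSON file is there to restore the previous values with the same -Replace call if the change turns out to be wrong for this user.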


                Microsoft Exchange 2010 SP3 Link HACKED

                Update: Microsoft replied to me and fixed the link; see the screenshot below.

                WATCH Microsoft Exchange URL Hacked

                If you have Exchange 2010 SP3 and are planning to download the latest Rollup, Google takes you to the following link:

                https://www.microsoft.com/en-us/download/details.aspx?id=100910

                On that download page, you might want to check the system requirements section, which lists two main links:


                The Exchange 2010 Prerequisites link first redirects you to this URL, which has an expired certificate:

                http://www.microsoftpinpoint.com/

                That then redirects you to this link (it seems to be a Chinese website):

                http://123.wo80.com/

                Luckily the antivirus caught and blocked this page; on any server that is not running antivirus, however, this would certainly infect the server.

                Phishing Alert!


                Contacting Microsoft

                After I got in contact with Microsoft about the issue, they replied stating that they had informed their security team and fixed the issue.

                Reset Azure VM Admin password with Domain Controller installed

                Active Directory Admin Password

                We had a security lab on Azure with 12 machines: 2 DCs and 10 other machines running different operating systems, with RDP closed on all machines except the one used as the entry point.

                The password was set to something simple; it seems someone changed it, and nobody could access the domain controller or any of the other machines anymore.

                I had created another user as a backup, but it seems that user's password was also changed.

                The usual way of resetting an Azure VM password is through the portal or PowerShell.

                Resetting Via Azure Portal

                When you try to reset the password from the virtual machine blade in Azure and the VM is a Domain Controller, the reset fails with the following error:

                Failed to reset RDP configuration

                VM has reported a failure when processing extension ‘enablevmaccess’. Error message: “VMAccess Extension does not support Domain Controller.” More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot


                Through PowerShell

                To reset a password, we first need to define the VM we’re working with. To do this, we can use the Get-AzureRmVm cmdlet. I’ll go ahead and assign variables to both the VM name and the resource group since we’ll need to reference those later, as well.

                $vmName = 'YOURVMNAMEHERE'
                $resourceGroupName = 'YOURRGHERE'
                $vm = Get-AzureRmVm -Name $vmName -ResourceGroupName $resourceGroupName

                Next, we’ll need some way to pass the username and password into the script. A great way to do that is through the Get-Credential cmdlet.

                $credential = Get-Credential

                Once the credential is saved, we can then execute the command to actually make the password change using the variables we set earlier. Notice we had to use the GetNetworkCredential() method on the pscredential object. This method will not work if the credential is retrieved from another computer or from another user account. This shouldn’t be a problem, though, since you’re likely to execute this in a single script.

                $extensionParams = @{
                    'VMName' = $vmName
                    'Username' = $Credential.UserName
                    'Password' = $Credential.GetNetworkCredential().Password
                    'ResourceGroupName' = $resourceGroupName
                    'Name' = 'AdminPasswordReset'
                    'Location' = $vm.Location
                }
                
                $result = Set-AzureRmVMAccessExtension @extensionParams

                Once this completed (hopefully successfully), the VM will need to be rebooted. We can do that by using the Restart-AzureRmVm cmdlet.

                $vm | Restart-AzureRmVM

                While this PowerShell script works with a normal VM, it will not work with a DC and results in the same error as in the portal.

                Solution

                The solution is to write a script and run it through the Custom Script Extension, which you can deploy from the Azure Portal on the VM that hosts the Domain Controller.

                Once the script that changes the administrator password is ready, you upload it and deploy it.

                Let's prepare the script and go through the steps one by one.

                – On my computer I write a tiny script containing:

                Net User domainadmin Adm!nPassw0rd1


                – Save the file on your desktop for later use. Go to Azure Portal, Virtual Machines and select your Domain Controller.

                – Go to Extensions.

                – Click on Add


                – Select Custom Script Extension


                – Click Create

                – Browse to the PowerShell script on your desktop.

                – Select a storage account

                – Select an existing container or create a new one

                – Upload the file to the container


                Result

                Once deployed, it takes a few minutes to reset the password, and you don't have to restart the server.


                After this, I was able to access the machine again using the new password from the script.
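The same reset can be driven from PowerShell without a storage container, using Run Command from the references below instead of the portal's Custom Script Extension. The script here is an added example (not code from the post, from the mcpmag article or from Microsoft): it generates a password locally, sends it to the DC as a Run Command parameter, and the remote part uses Set-ADAccountPassword rather than the post's net user line. Resource group, VM and account names are assumptions, as is the assumption that Run Command, like the Custom Script Extension the post used, executes as SYSTEM on the DC; Connect-AzAccount must already have been run.

```powershell
# Added example (not from the original post): reset a domain account's password on a
# Domain Controller VM with Azure Run Command (Az module). The password is generated here
# and passed as a Run Command parameter, so no plaintext secret is written to a storage
# container. Assumed: names below; Run Command runs as SYSTEM on the DC (as the Custom
# Script Extension in the post did); Connect-AzAccount already done.
param(
    [string]$ResourceGroupName = 'YOURRGHERE',
    [string]$VMName            = 'YOURDCNAMEHERE',
    [string]$AccountName       = 'domainadmin'
)

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous glyphs (0/O, 1/l/I) left out; no '*', '/' or '-' so nothing is argument-special.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $one   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)     # rejection sampling: no modulo bias
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($one)
            if ($one[0] -lt $limit) { $chars.Add($alphabet[$one[0] % $alphabet.Length]) }
        }
        $pw = -join $chars
        # Retry until all four classes are present, so AD complexity rules cannot reject it.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]' -and $pw -match '[^A-Za-z0-9]')
    $pw
}

$newPassword = New-RandomPassword

# Script executed on the DC. Single-quoted here-string: $User/$Pass are bound remotely
# from the -Parameter hashtable, not expanded on this machine.
$remoteScript = @'
param([string]$User, [string]$Pass)
Import-Module ActiveDirectory
$secure = ConvertTo-SecureString -String $Pass -AsPlainText -Force
Set-ADAccountPassword -Identity $User -NewPassword $secure -Reset
Unlock-ADAccount -Identity $User -ErrorAction SilentlyContinue
"Password for $User reset on $env:COMPUTERNAME at $(Get-Date -Format o)"
'@
$scriptPath = Join-Path $env:TEMP 'reset-dc-admin.ps1'
Set-Content -Path $scriptPath -Value $remoteScript -Encoding ASCII

try {
    $run = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName `
               -CommandId 'RunPowerShellScript' -ScriptPath $scriptPath `
               -Parameter @{ User = $AccountName; Pass = $newPassword }
    $run.Value | ForEach-Object { $_.Message }      # stdout/stderr of the remote script
} finally {
    Remove-Item -Path $scriptPath -Force -ErrorAction SilentlyContinue
}

# Hand the new credential back as a PSCredential instead of echoing the password.
$secure = ConvertTo-SecureString -String $newPassword -AsPlainText -Force
New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AccountName, $secure
```

Run Command keeps the script and its parameters on the VM and records the invocation in the Azure activity log, so treat the generated password as a one-time recovery credential and change it again interactively once you are back in; the same applies to the Net User line uploaded to a storage container in the portal method, which should be deleted from the container afterwards.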

                Ref:

                https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-windows#troubleshoot-vm-extensions

                https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command

                https://mcpmag.com/articles/2017/12/13/azure-vm-password-with-powershell.aspx

                https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/reset-local-password-without-agent

                Microsoft Exchange Vulnerability affects all Exchange versions


                CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

                Security Vulnerability

                Date of Publishing: February/11/2020

                Microsoft has announced a vulnerability affecting all Exchange Server versions from 2010 through 2019. It allows an attacker to send a specially crafted request to the affected server in order to exploit it.

                When could this happen?

                A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

                Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

                The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.

                Affected Versions:

                • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
                • Microsoft Exchange Server 2013 Cumulative Update 23   
                • Microsoft Exchange Server 2016 Cumulative Update 14   
                • Microsoft Exchange Server 2016 Cumulative Update 15   
                • Microsoft Exchange Server 2019 Cumulative Update 3   
                • Microsoft Exchange Server 2019 Cumulative Update 4


                Solution:

                At the time of writing, Microsoft has not provided any solution or workaround for this vulnerability.

                Mitigations

                Microsoft has not identified any mitigating factors for this vulnerability.

                Workarounds

                Microsoft has not identified any workarounds for this vulnerability.

                NOTE:

                Keep an eye on the link below for any changes:

                https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

                Microsoft Windows 10 security updates KB4532695 and KB4528760 cause the TPM driver to fail and result in a Windows 10 BSOD

                Update: For the solution scroll to the end of the page.

                Windows 10 Update:

                Yesterday and today Microsoft released KB4532695 and KB4528760, which cause the TPM 2.0 driver to stop functioning and cause a BSOD with the "Memory Management" error.


                Windows Hello Face Authentication

                In the first KB, Microsoft says they have improved the accuracy of Windows Hello Face authentication; however, this causes your PIN to be reset, the TPM driver to stop functioning and BitLocker protection to be paused.

                Check KB Article here


                The BSOD generates event ID 1001 stating the bugcheck code and saves a dump (I haven't analyzed that yet).


                After uninstalling the updates the TPM was still a no-go, but at least the Memory Management BSOD stopped.

                Interestingly, it's not just the TPM that stopped: VirtualBox now says no virtualization capabilities are supported on my device, although I had over 20 VMs on it that were working fine before these updates.

                The TPM is indeed firmware-based, as it is fixed on the board.

                In Event Viewer, for the Trusted Platform Module 2.0 device from Device Manager, I see a couple of errors from Kernel-PnP and UserPnp:

                Kernel-PnP error:

                Device ACPI\MSFT0101\1 had a problem starting.

                Driver Name: tpm.inf
                Class Guid: {d94ee5d8-d189-4994-83d2-f68d7d41b0e6}
                Service: TPM
                Lower Filters:
                Upper Filters:
                Problem: 0xA
                Problem Status: 0xC0000001

                ----

                Device ACPI\MSFT0101\1 was configured.

                Driver Name: tpm.inf
                Class Guid: {d94ee5d8-d189-4994-83d2-f68d7d41b0e6}
                Driver Date: 06/21/2006
                Driver Version: 10.0.18362.267
                Driver Provider: Microsoft
                Driver Section: Tpm2BaseInstall
                Driver Rank: 0xFF0002
                Matching Device Id: *MSFT0101
                Outranked Drivers: tpm.inf:ACPI\MSFT0101:00FF0001
                Device Updated: true
                Parent Device: ACPI_HAL\PNP0C08\0

                —-

                UserPnp (Informational event) happens after Kernel-Pnp fail

                Driver Management concluded the process to install driver tpm.inf_amd64_aaaa339206cb706e for Device Instance ID ACPI\MSFT0101\1 with the following status: 0x0.

Solution:

After two days of struggling I managed to find the solution.

Disable Device Guard (virtualization-based security) from both Group Policy and PowerShell. This also explains the VirtualBox symptom: while virtualization-based security is on, the Windows hypervisor owns the CPU's virtualization extensions, so a third-party hypervisor cannot use them. Keep in mind that turning it off also turns off Credential Guard and HVCI; treat this as a workaround until a fixed update ships, and re-enable it afterwards.

• To disable it from PowerShell, download the Device Guard and Credential Guard hardware readiness tool, which contains a script that disables or enables Device Guard.
• After extracting the tool from the link below, run the script with the -Disable switch: .\DG_Readiness_Tool_v3.6.ps1 -Disable

https://www.microsoft.com/en-us/download/details.aspx?id=53337

• From Run, type gpedit.msc to launch the Local Group Policy Editor, then navigate to Computer Configuration > Administrative Templates > System > Device Guard and set "Turn On Virtualization Based Security" to Not Configured.

Once this is done, restart the computer. During the reboot you are prompted to press F3 to confirm disabling Device Guard; this happens twice, and the computer restarts again afterwards. After that you will see that the TPM is back to normal.
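To confirm the cause and the fix on an affected machine, here is an added example script (my own, not code from the original post or from Microsoft's readiness tool). Run it in an elevated PowerShell before and after the steps above: it lists the two updates, queries the TPM, reads the device's Device Manager state and its Kernel-PnP events, and reports whether virtualization-based security is running. It assumes the TPM instance ID ACPI\MSFT0101\1 quoted in the events above and a hypothetical extraction path C:\Temp\DG for the readiness tool.

```powershell
# Added example, not code from the original post. Run elevated, before and after the fix.
# Assumptions: TPM instance ID ACPI\MSFT0101\1 (from the events above); readiness tool
# extracted to C:\Temp\DG (hypothetical path).

$tpmInstanceId = 'ACPI\MSFT0101\1'

'== 1. Updates named in the post =='
$suspectKbs = 'KB4532695', 'KB4528760'
Get-HotFix | Where-Object { $suspectKbs -contains $_.HotFixID } |
    Select-Object HotFixID, Description, InstalledOn

'== 2. TPM as seen by Windows (Get-Tpm throws while the TPM device is not started) =='
try {
    Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, ManufacturerIdTxt
} catch {
    "Get-Tpm failed: $($_.Exception.Message)"
}

'== 3. Device Manager state; ConfigManagerErrorCode 10 = "device cannot start" (0xA) =='
Get-CimInstance -ClassName Win32_PnPEntity -Filter "DeviceID LIKE '%MSFT0101%'" |
    Select-Object Name, Status, ConfigManagerErrorCode, Service

'== 4. Kernel-PnP configuration log entries for the TPM device =='
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Kernel-PnP/Configuration' } `
    -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$tpmInstanceId*" } |
    Select-Object -First 10 TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

'== 5. Virtualization-based security (Device Guard) state =='
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
    Select-Object VirtualizationBasedSecurityStatus, SecurityServicesConfigured, SecurityServicesRunning

# The "Turn On Virtualization Based Security" policy lands here; no key = Not Configured
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue |
    Select-Object EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures

'== 6. BitLocker: the post notes it ends up suspended; resume it once the TPM is back =='
Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus, VolumeStatus
# Resume-BitLocker -MountPoint 'C:'

'== 7. The fix from the post (uncomment to run), then reboot and answer the F3 prompts =='
# & 'C:\Temp\DG\DG_Readiness_Tool_v3.6.ps1' -Disable
# Restart-Computer
```

On the broken machine you should see section 3 report Status "Error" with ConfigManagerErrorCode 10 (the 0xA in the Kernel-PnP event) and section 5 report a running VBS; after the fix and the two F3 confirmations, the TPM shows TpmReady True, the error code drops to 0 and VirtualizationBasedSecurityStatus is 0. Check section 6 last: a suspended BitLocker volume stays suspended until you resume it.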

                Upgrading Exchange Online PowerShell to V2 Module

                Managing Exchange Online

If you use Exchange Online and your users are MFA-enabled, you have most likely been connecting to Exchange Online PowerShell from the Hybrid window of the Exchange admin center (ECP, the Exchange Control Panel), since that was the only supported way to connect with MFA.


Clicking Configure installs the Exchange Online PowerShell module, which looks like the screenshot below.


New PowerShell with MFA support

If you have launched Exchange Online PowerShell today, you have most likely noticed a red line announcing that you can try the new (preview) Exchange Online PowerShell V2 module.

Microsoft has recently released a new version of the Exchange Online PowerShell module that supports MFA and runs directly from your computer, without having to log in to the Exchange admin center and download anything from there. Check the details in this link.

As the article states, the module is still in preview, so it has known bugs and probably some unknown ones as well.

                How to Install it?

The installation process is straightforward. Launch Windows PowerShell as an Administrator: an elevated session is needed for the default AllUsers install scope (add -Scope CurrentUser to Install-Module if you would rather not elevate).

Run these four commands:

Set-ExecutionPolicy RemoteSigned
Install-Module PowerShellGet -Force
Update-Module PowerShellGet
Install-Module -Name ExchangeOnlineManagement


You might get a warning that the module you are about to install comes from an untrusted repository (PSGallery). Accept it by typing Y and pressing Enter; if you want to be sure about what you just downloaded, check the module's Authenticode signature before importing it.

Run the following to confirm that the Exchange Online Management module is installed and loads:

                Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement


                Connecting to Exchange Online

To connect to Exchange Online, run the following, including the new -EnableErrorReporting parameter, which records every cmdlet you run together with any errors it generates in the location given by -LogDirectoryPath:

                Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath e:\ExchOnlineLogs.txt -LogLevel All


After connecting, I am going to run two commands, the old cmdlet and the new cmdlet, and see the difference between them:

                Get-CASMailbox -ResultSize 10
                Get-EXOCasMailbox -ResultSize 10
                


The new cmdlet returns much more detail. Although the documentation says it runs faster, it took a few seconds longer than the old one here (probably because it was the first call).


After you run those two cmdlets, two files appear in the log directory that we pointed the -LogDirectoryPath parameter at.

The CSV files record, for each of the two cmdlets, the HTTP method used for the call along with the request and response latency.
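The install, connect and compare procedure above, as an added example script (mine, not code from the original post or from the ExchangeOnlineManagement module itself). It installs the preview module for the current user, verifies that what came down from PSGallery is Microsoft-signed before loading it, connects with request logging enabled, times the old remote PowerShell cmdlet against its REST-backed replacement and then lists whatever columns the log CSVs carry. The log directory C:\ExoLogs, the account admin@contoso.com and the Invoke-Timed helper are assumptions of this example; the log column names are deliberately not hard-coded because the preview module's log format is not documented on this page.

```powershell
# Added example, not code from the original post or the ExchangeOnlineManagement module.
# Assumptions (hypothetical): log directory C:\ExoLogs, admin account admin@contoso.com,
# and the Invoke-Timed helper defined below.

$logDir   = 'C:\ExoLogs'
$adminUpn = 'admin@contoso.com'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# 1. Install without an elevated session: the CurrentUser scope needs no admin rights.
#    Allow script execution for the current user only, not machine-wide.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
}

# 2. Do not just accept the "untrusted repository" prompt blindly: check the manifest's
#    Authenticode signature and its signer before importing anything.
$mod = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
    Sort-Object Version -Descending | Select-Object -First 1
$sig = Get-AuthenticodeSignature -FilePath $mod.Path
"{0} {1}: signature {2}, signer {3}" -f $mod.Name, $mod.Version, $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
    throw 'Refusing to import ExchangeOnlineManagement: unexpected signature state'
}
Import-Module $mod

# 3. Connect. -UserPrincipalName pre-fills the modern-auth (MFA) prompt; -EnableErrorReporting
#    with -LogDirectoryPath and -LogLevel All records every call and its errors as CSV.
Connect-ExchangeOnline -UserPrincipalName $adminUpn -EnableErrorReporting `
    -LogDirectoryPath $logDir -LogLevel All

# 4. Time the old remote-PowerShell cmdlet against the new REST-based one.
#    (A Stopwatch is used instead of Measure-Command so the results stay in scope.)
function Invoke-Timed {
    param([string]$Name, [scriptblock]$Script)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $result = @(& $Script)
    $sw.Stop()
    [pscustomobject]@{
        Cmdlet     = $Name
        Ms         = $sw.ElapsedMilliseconds
        Objects    = $result.Count
        Properties = @($result | Get-Member -MemberType Properties).Count
    }
}
@(
    Invoke-Timed 'Get-CASMailbox'    { Get-CASMailbox    -ResultSize 10 }
    Invoke-Timed 'Get-EXOCasMailbox' { Get-EXOCasMailbox -ResultSize 10 }
) | Format-Table -AutoSize

# 5. Read the log CSVs written by step 3. Columns are listed rather than hard-coded
#    because the preview module's log schema is not documented here and may change.
Get-ChildItem -Path $logDir -Filter *.csv | Sort-Object LastWriteTime -Descending | ForEach-Object {
    $rows = @(Import-Csv -Path $_.FullName)
    '== {0}: {1} rows ==' -f $_.Name, $rows.Count
    if ($rows.Count -gt 0) {
        'Columns: ' + ($rows[0].PSObject.Properties.Name -join ', ')
        $rows | Select-Object -First 3 | Format-List | Out-String
    }
}

# 6. Always close the session: leftover remote PowerShell sessions count toward the
#    per-user connection limit until they time out.
Disconnect-ExchangeOnline -Confirm:$false
```

The signature check in step 2 is the part worth keeping even if you run the rest by hand: the "untrusted repository" warning only tells you PSGallery is not marked trusted on your machine, not who published the package, whereas Get-AuthenticodeSignature on the manifest ties the code to a signer you can name.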


This new version looks extremely useful, especially in environments where such detailed data is needed to troubleshoot issues.

                Stay tuned for more

                Reference:

                https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/exchange-online-powershell-v2?view=exchange-ps