Why does Teams not install for my users?

In October last year, Microsoft released an MSI installation package for Teams, making it easy to deploy Teams to computers in your organization. As you know, Teams (for some unknown reason) installs directly into your profile. I suspect they have designed it this way to make sure everyone can install the application: even if you're not a local administrator on your computer, you do have sufficient rights to your profile to perform an installation of Microsoft Teams.

Since I work primarily with Citrix, and could see that Microsoft Teams is growing in popularity, I started to investigate whether I could make it work in a Citrix environment. But that is another story; you can read my blog post on how I installed Teams in our Citrix environment here!

Teams is supposed to install when a user logs on to the server: it automatically installs the latest available Teams to your profile and then starts it. But in some cases I have seen an issue after installing the Teams wide Installer: the users simply do not get anything installed. One function of this installer is that it checks your profile for traces of Teams. If it detects part of Teams it will not try to install it again (unless it is an update), and if the user uninstalled Teams it will still detect some leftovers and will therefore not install Teams again. With that said, you need to make sure your profile is clean from Teams. Unfortunately this was not the case here. It simply did not install!

To understand why this might happen, you need to know how some multi-user environments are designed from a security perspective!

If you are like us, security oriented, you might have disabled Run and Run Once, which are used by some applications to auto-start or to continue an installation after a restart, and are unfortunately a very popular place to auto-start viruses and other malware. It is therefore common to disable them.

This is exactly the place where Microsoft Teams specifies the value that starts the Teams installation for a user; if it is disabled, nothing will ever happen!

There is however a really easy way around this:

You have probably already thought about this by now, but there is a tiny detail that will make it work exactly as it was supposed to:

  1. Create a Shortcut – Name it Install Teams (or something else if you like)
  2. Target the Teams.exe file with this specific argument: "C:\Program Files (x86)\Teams Installer\Teams.exe" --checkInstall --source=default
  3. Save it, and place it in the Startup folder in the Start Menu.

The last argument in the Target path (--checkInstall --source=default) is the reason Teams knows if you have it installed and keeps it updated.
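The three steps above can be scripted for a session host. This is an added example, not code from the original post: it assumes the default installer path quoted in step 2, writes the shortcut to the all-users Startup folder (an assumption; the post only says "the Startup folder"), and must run elevated. It also reports whether the Run and RunOnce lists are switched off by the standard Explorer policy values, which the post does not name.

```powershell
# Added example: create the "Install Teams" shortcut for every user on a session host.
# Assumptions: default installer path from the post; all-users (Common) Startup folder.

$teamsExe  = Join-Path ${env:ProgramFiles(x86)} 'Teams Installer\Teams.exe'
$arguments = '--checkInstall --source=default'   # two ASCII hyphens per switch, not a dash

if (-not (Test-Path -LiteralPath $teamsExe)) {
    throw "Teams installer not found at $teamsExe"
}

# Report whether processing of the machine Run / RunOnce lists is disabled by policy.
# A value of 1 means the list is ignored at logon, which is the situation the post describes.
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policyNames = 'DisableLocalMachineRun', 'DisableLocalMachineRunOnce'
$policy      = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in $policyNames) {
    $value = if ($policy -and $null -ne $policy.$name) { $policy.$name } else { 'not set' }
    Write-Output ("{0}: {1}" -f $name, $value)
}

# Build the shortcut in the Startup folder shared by all users.
$startupDir   = [Environment]::GetFolderPath('CommonStartup')
$shortcutPath = Join-Path $startupDir 'Install Teams.lnk'

$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($shortcutPath)
$shortcut.TargetPath       = $teamsExe
$shortcut.Arguments        = $arguments
$shortcut.WorkingDirectory = Split-Path -Path $teamsExe -Parent
$shortcut.Description      = 'Installs or updates Teams in the user profile at logon'
$shortcut.Save()

# Read the shortcut back so the result can be checked without opening its properties.
$check = $shell.CreateShortcut($shortcutPath)
Write-Output ("{0} -> `"{1}`" {2}" -f $shortcutPath, $check.TargetPath, $check.Arguments)
```

Only administrators should be able to write to the all-users Startup folder, since anything placed there runs for every user who logs on.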

I hope this easy little trick has been helpful, please make a comment if you feel like it or have some questions!



Move Software Updates to Intune with Co-management

To move on with the transition towards Modern Management, we can use Co-management in SCCM to decide where settings are coming from. In this specific scenario we will switch from Software Updates via SCCM to Intune-controlled Software Updates for one test client. I will show you the following steps.

  1. How to set up the Co-management connection in SCCM
  2. How to configure the Co-management connection to be able to switch Software updates from SCCM to a pilot Intune group
  3. How to configure a Windows 10 Update Ring in Intune and assign it to a group
  4. How to verify that the client is getting the correct settings

Prerequisites for this scenario:

  • A test client (in my case running 1809)
  • SCCM environment (in my case running 1810)
  • Intune environment
  • Hybrid Azure AD Joined device
  • An Intune group with the test client as a member
  • Company Portal installed on a client

Steps 1 and 2 – These steps are done in the SCCM console

\Administration\Overview\Cloud Services\Co-management

1. Co-management > Configure Co-management

2. Next

3. Sign in

4. Log on as an Intune Administrator (Global administrator in my case)

5. Next

6. Automatic enrollment in Intune > Pilot

7. Next

8. Workloads > Switch Windows Updates policies to Pilot Intune

9. Pilot collection > Choose a collection with your test client

10. Next

11. Done

 

Step 3 – This step is done in Intune

https://devicemanagement.portal.azure.com

1. Software updates

2. Windows 10 Update Rings

3. Create

4. Name: SU-Windows 10-Test

5. Description: Software Update – Test group

6. Settings
Below is an example; please configure it so it fits your environment

7. Assignments

8. Select groups to include > Group with test client

9. Save

 

Step 4 – This step is done on the test client

1. Open Company Portal

2. Settings > Sync

3. Run > control update

4. View configured update policies

5. Look under Policies set on your device – here we want to see that settings are coming from Mobile Device Management as below

6. Be sure to turn off any GPOs that might turn off access to Windows Updates

7. Done

This is how you make the switch over to Intune and as you can see it doesn’t require that much.

If you have any questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.

 



PVS-Accelerator

Introduction

PVS-Accelerator is a feature for Citrix Hypervisor (previously named XenServer). The feature utilizes the local storage and RAM on Dom0 on each Citrix Hypervisor and caches read requests from a provisioned target device. It saves network, CPU and Provisioning host disk I/O resources, effectively improving performance. Overall your storage and network should see an improvement if they are under heavy load today. [1]

Network Bandwidth Utilization [2]

PVS-Accelerator improves the end-user experience, accelerates VM boots and boot storms, and simplifies scale-out: you add more hypervisor hosts, and fewer provisioning servers are needed.

Prerequisites

  • XenServer PVS-Accelerator feature is only available in Citrix Hypervisor 7.1 and Provisioning 7.13 or later
  • PVS-Accelerator is available for customers with XenServer Enterprise Edition or with XenDesktop/XenApp licenses
  • If you have Citrix Hypervisor 7.1 or later, Provisioning 7.13 or later and XenApp/XenDesktop, you should be able to use the feature without any extra licenses or upgrades [3]

Considerations

There is no need to reboot the XS host to enable PVS-Accelerator, unless you have less than 4 GB on Dom0; 4 GB is required to enable the feature. Also note that the recommended cache size on the storage repository is 5 GB for every vDisk version actively provisioned.

PVS-Acceleration configuration

  • PVS-Accelerator only caches reads from vDisk, but not writes or reads from a write cache. Support is for vDisks with any non-persistent write cache type, but not “Cache on Server, Persistent” or “Cache on device hard disk persisted” write cache type
  • If you have more than one virtual network interface (VIF), make sure that the first VIF of a VM is used for connecting to the Provisioning Server
  • If you have multiple Provisioning servers that are deployed with HA and the same VHD, but have different file system timestamps, data may be cached multiple times. Due to this limitation, Citrix recommends using VHDX format, rather than VHD for vDisks
  • If you are running a 10 GbE network or just a few streamed VMs, you will probably not notice a big difference

Advantages

  • Lower network utilization
  • Faster VM boot time (around 60%)
  • Higher Provisioning server density
  • Improved logon time
  • Helps with a saturated network or branch office

Average VM Boot Time
Source: Virtualfeller.com [4]

How to install

Installation is pretty straight-forward. You can download the PVS-Accelerator Supplemental Pack at https://download.citrix.com (requires Citrix account).

  • Path: Downloads / Citrix Hypervisor (XenServer) / XenServer 7.1 LTSR or above (Any Edition) / Optional Components / PVS Accelerator Supplemental Pack
  • Download and install the .iso file from XenCenter

XenCenter - Install Update
XenServer - Select Update

A new tab will appear in XenCenter console. Select your Hypervisor pool and click the PVS tab. Configure the PVS-Accelerator by naming your site and cache configuration. [5]

Configure PVS-Accelerator

The next step is to go back to the Provisioning Console and create your VMs with PVS-Accelerator. You do this by right-clicking on your site and running the Setup Wizard. You cannot do this on your existing provisioned targets. The short explanation is that PVS-Accelerated VMs are tied to Provisioning servers with a UUID on the XenServer.

Note: If you were to re-install the XenServer where PVS-Accelerated VMs were enabled, Provisioning Services will become out of sync and you will need to delete the previously configured VMs associated with the cache configuration, including the host, and then reconfigure PVS-Accelerator and set up the cache again. [6]

Provisioning Console - Streamed VM Setup Wizard

Be sure to select "Enable PVS-Accelerator for all Virtual Machines" when configuring the number of VMs and their resources.

Provisioning Console - Enable PVS-Accelerator
Provisioning Console - Streamed VM Wizard

Verify from the XenCenter > Pool > PVS tab that the PVS-Accelerator status for your VMs is Caching.

XenCenter - PVS Tab

References

[1] https://docs.citrix.com/en-us/xenserver/current-release/storage/pvs.html

[2] https://www.youtube.com/watch?v=l_vhMf3SFks

[3] https://support.citrix.com/article/CTX220746

[4] https://virtualfeller.com/2017/03/07/provisioning-services-accelerator

[5] https://support.citrix.com/article/CTX220735

[6] https://docs.citrix.com/en-us/provisioning/7-15/install/configure-accelerator.html



BIND CERTIFICATES TO CAPTIVE PORTAL IN ARUBA CENTRAL

When you create a new Guest Splash Page with either Anonymous, Authenticated or Facebook WiFi, users will encounter a certificate error after authenticating to the Captive Portal.

This is because users are redirected by default to securelogin.arubanetworks.com or securelogin.hpe.com, which uses the built-in certificate contained in Aruba Central.

Since you will most likely have external users connecting to your Guest Network you will be required to use a trusted 3rd party CA. I will not cover the steps to retrieve the certificates in this example.

Start by uploading your Server and CA certificates in Aruba Central by going to Global Settings > Certificates. Press + to upload a certificate.

After the certificates are uploaded the list should look something like this

To bind the certificates to your Captive Portal go to Wireless Management (Choose the correct group you want to make the changes on) > Security > Certificate Usage. On Captive Portal – select your new Server Certificate and change the Certificate Authority to the CA certificate that you previously uploaded.

As a last step we need to change the Common Name in the Guest Splash Page. Go to Guest Access -> Splash Page and open the page you created. Activate "Override Common Name" and enter the FQDN that matches your certificate's CN.

When this is finished you are good to go; the certificate warning should now be gone!



Intune – Administrative Templates (Preview) are here

Microsoft has now released Administrative Templates (Preview) for Intune, which makes it a lot simpler to apply settings such as controlling a OneDrive setup, changing Office settings or configuring Internet Explorer.

So where do you find this new functionality?

  1. Login to the Intune Management Portal
  2. Go to Device Configuration > Profiles > Create profile
    • Name: Enter a Profile name
    • Platform: Windows 10 and later
    • Profile type: Administrative Templates (Preview)
  3. Select Create
  4. Select Settings
    • Here you can see a list of all the available Administrative Templates that can be configured (please see the complete list below as of right now)
  5. Start configuring your desired settings
  6. Save
  7. Assign to a group
  8. Done
SETTING NAME\PATH
Access data sources across domains\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Access data sources across domains\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
All Processes\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install
All Processes\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions
All Processes\Windows Components\Internet Explorer\Security Features\Restrict File Download
All Processes\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation
Allow active scripting\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow background saves\Microsoft Publisher 2016\Publisher Options\Save
Allow background saves\Microsoft Word 2016\Word Options\Advanced
Allow binary and script behaviors\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow cut, copy or paste operations from the clipboard via script\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow cut, copy or paste operations from the clipboard via script\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow drag and drop or copy and paste files\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow drag and drop or copy and paste files\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow file downloads\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow font downloads\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow font downloads\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow loading of XAML files\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow loading of XAML files\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow META REFRESH\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow only approved domains to use ActiveX controls without prompt\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow only approved domains to use ActiveX controls without prompt\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow only approved domains to use the TDC ActiveX control\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow only approved domains to use the TDC ActiveX control\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow printers to be published\Printers
Allow Remote Shell Access\Windows Components\Windows Remote Shell
Allow script-initiated windows without size or position constraints\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow script-initiated windows without size or position constraints\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow scripting of Internet Explorer WebBrowser controls\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow scripting of Internet Explorer WebBrowser controls\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow scriptlets\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow scriptlets\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow software to run or install even if the signature is invalid\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Allow standby states (S1-S3) when sleeping (plugged in)\System\Power Management\Sleep Settings
Allow syncing OneDrive accounts for only specific organizations\System\OneDrive
Allow text to be dragged and dropped\Microsoft PowerPoint 2016\PowerPoint Options\Advanced
Allow text to be dragged and dropped\Microsoft Publisher 2016\Publisher Options\Advanced
Allow Trusted Locations on the network\Microsoft Excel 2016\Excel Options\Security\Trust Center\Trusted Locations
Allow updates to status bar via script\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow updates to status bar via script\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow users to connect remotely by using Remote Desktop Services\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
Always prompt for password upon connection\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Auto Save every\Microsoft Project 2016\Project Options\Save\Auto Save Options
Automatic prompting for file downloads\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Automatic prompting for file downloads\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Automatically receive small updates to improve reliability\Microsoft Office 2016\Privacy\Trust Center
AutoRecover delay\Microsoft Excel 2016\Excel Options\Save
AutoRecover files\Microsoft Word 2016\Word Options\Advanced\File Locations
AutoRecover save location\Microsoft Excel 2016\Excel Options\Save
AutoRecover time\Microsoft Excel 2016\Excel Options\Save
Block additional file extensions for OLE embedding\Microsoft Office 2016\Security Settings
Block macros from running in Office files from the Internet\Microsoft Word 2016\Word Options\Security\Trust Center
Block macros from running in Office files from the Internet\Microsoft Visio 2016\Visio Options\Security\Trust Center
Block macros from running in Office files from the Internet\Microsoft Excel 2016\Excel Options\Security\Trust Center
Block macros from running in Office files from the Internet\Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
Block social network contact synchronization\Microsoft Outlook 2016\Outlook Social Connector
Block specific social network providers\Microsoft Outlook 2016\Outlook Social Connector
Block syncing OneDrive accounts for specific organizations\System\OneDrive
Block the Office Store\Microsoft Office 2016\Security Settings\Trust Center\Trusted Catalogs
Boot-Start Driver Initialization Policy\System\Early Launch Antimalware
Capitalize first letter of sentence\Microsoft Office 2016\Tools | AutoCorrect Options… (Excel, PowerPoint and Access)
Capitalize first letter of sentence\Microsoft Word 2016\Word Options\Proofing\AutoCorrect
Capitalize names of days\Microsoft Word 2016\Word Options\Proofing\AutoCorrect
Capitalize names of days\Microsoft Office 2016\Tools | AutoCorrect Options… (Excel, PowerPoint and Access)
Check ActiveX objects\Microsoft Office 2016\Security Settings
Check for server certificate revocation\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Check for signatures on downloaded programs\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Check grammar with spelling\Microsoft Word 2016\Word Options\Proofing
Check grammar with spelling\Microsoft PowerPoint 2016\PowerPoint Options\Proofing
Check OLE objects\Microsoft Office 2016\Security Settings
Check spelling as you type\Microsoft Publisher 2016\Publisher Options\Proofing
Check spelling as you type\Microsoft PowerPoint 2016\PowerPoint Options\Proofing
Coauthoring and in-app sharing for Office files\System\OneDrive
Configure Solicited Remote Assistance\System\Remote Assistance
Control Event Log behavior when the log file reaches its maximum size\Windows Components\Event Log Service\Application
Correct accidental usage of cAPS LOCK key\Microsoft Word 2016\Word Options\Proofing\AutoCorrect
Correct accidental use of cAPS LOCK key\Microsoft Office 2016\Tools | AutoCorrect Options… (Excel, PowerPoint and Access)
Correct TWo INitial CApitals\Microsoft Word 2016\Word Options\Proofing\AutoCorrect
Correct TWo INitial CApitals\Microsoft Office 2016\Tools | AutoCorrect Options… (Excel, PowerPoint and Access)
Customize consent settings\Windows Components\Windows Error Reporting\Consent
Customize warning messages\System\Remote Assistance
Default file format\Microsoft Excel 2016\Excel Options\Save
Default file format\Microsoft PowerPoint 2016\PowerPoint Options\Save
Default file location\Microsoft Excel 2016\Excel Options\Save
Default location for OST files\Microsoft Outlook 2016\Miscellaneous\PST Settings
Default location for PST files\Microsoft Outlook 2016\Miscellaneous\PST Settings
Delay updating OneDrive.exe until the second release wave\System\OneDrive
Disable All ActiveX\Microsoft Office 2016\Security Settings
Disable changing home page settings\Windows Components\Internet Explorer
Disable First Run Movie\Microsoft Office 2016\First Run
Disable Office connections to social networks\Microsoft Outlook 2016\Outlook Social Connector
Disable Opt-in Wizard on first run\Microsoft Office 2016\Privacy\Trust Center
Disable Reading Pane Compose\Microsoft Outlook 2016\Outlook Options\Mail\Compose Messages
Disable the Office Start screen for Access\Microsoft Access 2016\Miscellaneous
Disable the Office Start screen for Project\Microsoft Project 2016\Miscellaneous
Disable the Office Start screen for Publisher\Microsoft Publisher 2016\Miscellaneous
Disable the Office Start screen for Word\Microsoft Word 2016\Miscellaneous
Disable Weather Bar\Microsoft Outlook 2016\Outlook Options\Preferences\Calendar Options
Disable Windows Error Reporting\Windows Components\Windows Error Reporting
Disallow Autoplay for non-volume devices \Windows Components\AutoPlay Policies
Display Error Notification \Windows Components\Windows Error Reporting
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled \Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Do not allow drive redirection \Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
Do not allow passwords to be saved \Windows Components\Remote Desktop Services\Remote Desktop Connection Client
Do not allow Windows to activate Enhanced Storage devices \System\Enhanced Storage Access
Do not display network selection UI \System\Logon
Do not display the password reveal button \Windows Components\Credential User Interface
Do not display the reading pane \Microsoft Outlook 2016\Outlook Options\Other
Do not preserve zone information in file attachments \Windows Components\Attachment Manager
Do not send additional data \Windows Components\Windows Error Reporting
Do not show social network info-bars \Microsoft Outlook 2016\Outlook Social Connector
Don’t run antimalware programs against ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
Don’t run antimalware programs against ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Don’t run antimalware programs against ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
Don’t run antimalware programs against ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Download signed ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Download signed ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Download unsigned ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Download unsigned ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Enable Automatic Updates \Microsoft Office 2016 (Machine)\Updates
Enable Customer Experience Improvement Program \Microsoft Office 2016\Privacy\Trust Center
Enable dragging of content from different domains across windows \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Enable dragging of content from different domains across windows \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Enable dragging of content from different domains within a window \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Enable dragging of content from different domains within a window \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Enable MIME Sniffing \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Enable MIME Sniffing \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Enable OneDrive Files On-Demand \System\OneDrive
Enable RPC Endpoint Mapper Client Authentication \System\Remote Procedure Call
Enumerate administrator accounts on elevation \Windows Components\Credential User Interface
General \Microsoft Outlook 2016\Outlook Options\Spelling
Hardened UNC Paths \Network\Network Provider
Hide option to enable or disable updates \Microsoft Office 2016 (Machine)\Updates
Hide the Office Store button \Microsoft Outlook 2016\Outlook Options\Other
Hide Update Notifications \Microsoft Office 2016 (Machine)\Updates
Ignore words in UPPERCASE \Microsoft Office 2016\Tools | Options | Spelling
Ignore words with numbers \Microsoft Office 2016\Tools | Options | Spelling
Improve Proofing Tools \Microsoft Office 2016\Tools | Options | Spelling\Proofing Data Collection
Include local path when user is uploading files to a server \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Include local path when user is uploading files to a server \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Initialize and script ActiveX controls not marked as safe \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Initialize and script ActiveX controls not marked as safe \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Initialize and script ActiveX controls not marked as safe \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
Initialize and script ActiveX controls not marked as safe \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
Internet Explorer Processes \Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction
Internet Explorer Processes \Windows Components\Internet Explorer\Security Features\Binary Behavior Security Restriction
Internet Explorer Processes \Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature
Internet Explorer Processes \Windows Components\Internet Explorer\Security Features\Notification bar
Intranet Sites: Include all network paths (UNCs) \Windows Components\Internet Explorer\Internet Control Panel\Security Page
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Large PST: Absolute maximum size \Microsoft Outlook 2016\Miscellaneous\PST Settings
Large PST: Size to disable adding new content \Microsoft Outlook 2016\Miscellaneous\PST Settings
Launching applications and files in an IFRAME \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Launching applications and files in an IFRAME \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Legacy PST: Absolute maximum size \Microsoft Outlook 2016\Miscellaneous\PST Settings
Legacy PST: Size to disable adding new content \Microsoft Outlook 2016\Miscellaneous\PST Settings
Logon options \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Logon options \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Migrate Pre-existing TeamSites with OneDrive Files On-Demand \System\OneDrive
Navigate windows and frames across different domains \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Navigate windows and frames across different domains \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Notify antivirus programs when opening attachments \Windows Components\Attachment Manager
Online Content Options \Microsoft Office 2016\Tools | Options | General | Service Options…\Online Content
Open e-mail attachments in Reading View \Microsoft Word 2016\Word Options\General
Permanently remove all deleted content from PST and OST files \Microsoft Outlook 2016\Miscellaneous\PST Settings
Point and Print Restrictions \Printers
Point and Print Restrictions \Control Panel\Printers
Prevent display of the user interface for critical errors \Windows Components\Windows Error Reporting
Prevent enabling lock screen slide show \Control Panel\Personalization
Prevent ignoring certificate errors \Windows Components\Internet Explorer\Internet Control Panel
Prevent installation of devices that match any of these device IDs \System\Device Installation\Device Installation Restrictions
Prevent installation of devices using drivers that match these device setup classes \System\Device Installation\Device Installation Restrictions
Prevent managing SmartScreen Filter \Windows Components\Internet Explorer
Prevent OneDrive from generating network traffic until the user signs in to OneDrive \System\OneDrive
Prevent per-user installation of ActiveX controls \Windows Components\Internet Explorer
Prevent users from adding new content to existing PST files \Microsoft Outlook 2016\Miscellaneous\PST Settings
Prevent users from changing the location of their OneDrive folder \System\OneDrive
Prevent users from synchronizing personal OneDrive accounts \System\OneDrive
Prevent users from using the remote file fetch feature to access files on the computer \System\OneDrive
Prohibit User from manually redirecting Profile Folders \Desktop
Remove "Run this time" button for outdated ActiveX controls in Internet Explorer \Windows Components\Internet Explorer\Security Features\Add-on Management
Replace text as you type \Microsoft Word 2016\Word Options\Proofing\AutoCorrect
Replace text as you type \Microsoft Office 2016\Tools | AutoCorrect Options… (Excel, PowerPoint and Access)
Require a password when a computer wakes (on battery) \System\Power Management\Sleep Settings
Require a password when a computer wakes (plugged in) \System\Power Management\Sleep Settings
Require secure RPC communication \Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Restrict Unauthenticated RPC clients \System\Remote Procedure Call
Run .NET Framework-reliant components not signed with Authenticode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Run .NET Framework-reliant components not signed with Authenticode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Run .NET Framework-reliant components signed with Authenticode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Run .NET Framework-reliant components signed with Authenticode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Run ActiveX controls and plugins \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Save AutoRecover info \Microsoft Excel 2016\Excel Options\Save
Save AutoRecover info \Microsoft Word 2016\Word Options\Save
Save AutoRecover info \Microsoft PowerPoint 2016\PowerPoint Options\Save
Save AutoRecover info every (minutes) \Microsoft Publisher 2016\Publisher Options\Save
Save Interval \Microsoft Project 2016\Project Options\Save\Auto Save Options
Script ActiveX controls marked safe for scripting \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Scripting of Java applets \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Security Zones: Do not allow users to add/delete sites \Windows Components\Internet Explorer
Security Zones: Do not allow users to change policies \Windows Components\Internet Explorer
Service Level Options \Microsoft Office 2016\Tools | Options | General | Service Options…\Online Content
Set client connection encryption level \Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Set maximum Kerberos SSPI context token buffer size \System\Kerberos
Set the default behavior for AutoRun \Windows Components\AutoPlay Policies
Set the default location for the OneDrive folder \System\OneDrive
Set the maximum download bandwidth that OneDrive.exe uses \System\OneDrive
Set the maximum percentage of upload bandwidth that OneDrive.exe uses \System\OneDrive
Set the maximum upload bandwidth that OneDrive.exe uses \System\OneDrive
Show security warning for potentially unsafe files \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Show security warning for potentially unsafe files \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Silently configure OneDrive using the primary Windows account \System\OneDrive
Specify the maximum log file size (KB) \Windows Components\Event Log Service\Application
Specify the maximum log file size (KB) \Windows Components\Event Log Service\Security
Specify the maximum log file size (KB) \Windows Components\Event Log Service\System
Specify use of ActiveX Installer Service for installation of ActiveX controls \Windows Components\Internet Explorer
Target Version \Microsoft Office 2016 (Machine)\Updates
The maximum size of a user’s OneDrive for Business before they will be prompted to choose which folders are downloaded \System\OneDrive
Turn off app notifications on the lock screen \System\Logon
Turn off Autoplay \Windows Components\AutoPlay Policies
Turn off blocking of outdated ActiveX controls for Internet Explorer \Windows Components\Internet Explorer\Security Features\Add-on Management
Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains \Windows Components\Internet Explorer\Security Features\Add-on Management
Turn off Crash Detection \Windows Components\Internet Explorer
Turn off downloading of print drivers over HTTP \System\Internet Communication Management\Internet Communication settings
Turn off Internet download for Web publishing and online ordering wizards \System\Internet Communication Management\Internet Communication settings
Turn off Outlook Social Connector \Microsoft Outlook 2016\Outlook Social Connector
Turn off picture password sign-in \System\Logon
Turn off printing over HTTP \System\Internet Communication Management\Internet Communication settings
Turn off Protected View for attachments opened from Outlook \Microsoft Excel 2016\Excel Options\Security\Trust Center\Protected View
Turn off Protected View for attachments opened from Outlook \Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center\Protected View
Turn off System Restore \System\System Restore
Turn off the Security Settings Check feature \Windows Components\Internet Explorer
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows \Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn on certificate address mismatch warning \Windows Components\Internet Explorer\Internet Control Panel\Security Page
Turn on convenience PIN sign-in \System\Logon
Turn on Cross-Site Scripting Filter \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Turn on Enhanced Protected Mode \Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn on Protected Mode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Turn on Protected Mode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Turn on session logging \System\Remote Assistance
Turn on SmartScreen Filter scan \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
Turn on SmartScreen Filter scan \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Turn on SmartScreen Filter scan \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Turn on SmartScreen Filter scan \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Turn on the auto-complete feature for user names and passwords on forms \Windows Components\Internet Explorer
Typing replaces selected text \Microsoft Word 2016\Word Options\Advanced
Update Channel \Microsoft Office 2016 (Machine)\Updates
Update Deadline \Microsoft Office 2016 (Machine)\Updates
Update Path \Microsoft Office 2016 (Machine)\Updates
Use CTRL + Click to follow hyperlink \Microsoft Word 2016\Word Options\Advanced
Use Pop-up Blocker \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Use Pop-up Blocker \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Userdata persistence \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Userdata persistence \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Users can choose how to handle Office files in conflict \System\OneDrive
VBA Macro Notification Settings \Microsoft Excel 2016\Excel Options\Security\Trust Center
VBA Macro Notification Settings \Microsoft Access 2016\Application Settings\Security\Trust Center
VBA Macro Notification Settings \Microsoft Project 2016\Project Options\Security\Trust Center
VBA Macro Notification Settings \Microsoft Visio 2016\Visio Options\Security\Trust Center
VBA Macro Notification Settings \Microsoft Publisher 2016\Security\Trust Center
VBA Macro Notification Settings \Microsoft Word 2016\Word Options\Security\Trust Center
VBA Macro Notification Settings \Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
Weather Bar Update Frequency \Microsoft Outlook 2016\Outlook Options\Preferences\Calendar Options
Weather Service URL \Microsoft Outlook 2016\Outlook Options\Preferences\Calendar Options
Web sites in less privileged Web content zones can navigate into this zone \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Web sites in less privileged Web content zones can navigate into this zone \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
When formatting, automatically format entire word \Microsoft Publisher 2016\Publisher Options\Advanced
When selecting, automatically select entire word \Microsoft PowerPoint 2016\PowerPoint Options\Advanced
When selecting, automatically select entire word \Microsoft Publisher 2016\Publisher Options\Advanced

If you have any questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.

Happy configuring!



How to manually crash your VM on a XenServer

Sometimes you need to simulate or provoke a crash on a virtual machine, either to verify a problem or to get a memory dump for a closer look at what is happening with the virtual machine. The thing is, it’s quite tricky to do that manually. Luckily, there is a quite simple way to achieve this on a XenServer, and I will show every step of the way.

When your Virtual Machine (VM) is at the desired state you should do the following steps:

  1. Find out the ID the XenServer has assigned to the VM. This ID changes when the VM is rebooted, so you need to look it up every time you do this; you cannot reuse the same ID. First, make a note of the virtual machine’s UUID, which you can find under “General” for the specific VM.

  2. Now we need to find out the ID the XenServer has assigned to this specific VM. Go to the XenServer console (the host of the VM) and type the following: list_domains

As you can see, it lists all the VMs on this XenServer, along with the ID that corresponds to each UUID. Make sure you have the correct ID and type the following: xen-hvmcrash <ID> (without the brackets).

Congratulations, you have now successfully crashed the virtual machine!



Manage your corporate devices using Citrix Endpoint Management

Let’s say you’ve bought in 50 new iPad devices that you want to deploy to your users, and you have acquired a new mobile application that you want your users to start using on these devices. This is a fairly common scenario for businesses and companies. But how do you do this in a fast and secure way?

By using Mobile Device Management (MDM), Mobile Application Management (MAM) and Citrix Endpoint Management (formerly XenMobile Services) in this case, we can configure these devices to fit our needs, without any end user interaction whatsoever.

For this scenario, we want the iPads configured in the following way:

  1. Automatically download and install the business application
  2. Restrictions, WiFi and application layout of the start screen configured
  3. Deployed into the system automatically

These requirements are easily configured using Endpoint Management. By using policies and synchronization with Apple’s services, we create a seamless experience for the end user.

1. Automatically download and install the business applications

First off, we need to do some configuration to get the application out to our devices. Using the Apple Volume Purchase Program (VPP), we can automatically install applications without any user interaction or Apple ID login. You enroll in the program on Apple’s web page; after enrollment, you download a token and upload it to your Endpoint Management console. It then automatically syncs any applications you buy from the App Store into your Endpoint environment, ready to be pushed out to any devices automatically. So when the application is in your system and set as required, it automatically gets installed on the devices. More information on Apple’s VPP program can be found here.

2. Configure the devices using device policies

With the use of Endpoint Management policies, we can configure the devices the way we want them. By creating a restriction policy and applying it to the devices, we can control what is and what isn’t allowed on the device. We can, for example, disallow downloading applications, using the camera or activating Siri, as shown in the screenshot below. There are many, many more restrictions that can be made. This is a good feature to use when you don’t want the end users changing configuration and settings on the devices.

Restriction Policy

To get the devices automatically connected to the network, we make use of a WiFi policy. We pre-configure the device to automatically connect to a specific SSID using the configured WPA2 key:

WiFi Policy

By configuring a Home Screen Layout policy, we can control where the applications get placed on the device, as well as create folders for specific applications to be placed in. This can be handy if we want the same look and layout on all the devices:

Layout Policy

3. Deployment

To enroll a large number of iOS devices, you can use Apple’s Device Enrollment Program (DEP). You submit the serial numbers of the devices purchased from Apple or an authorized seller to DEP to configure and enroll the devices. They are then automatically enrolled into your Endpoint Management and users can start using them right out of the box. More information on Apple’s DEP program can be found here.

When the users now start the device for the first time, all the configurations and policies applied to the device will be configured automatically without any configuration requirements. By using MDM, MAM and Endpoint Management, we can really simplify the challenges that come with administering mobile devices.



How to handle pinned start menu apps in Windows 10

As I have been working with customizing Windows 10 for a while now, it has never worked against me this much. However, sometimes Windows does have its ways of working against you. With challenges like these you get the opportunity to spend a lot of time coming up with a solution. So this blog post is about my battle with the start menu of Windows 10 Professional. If you are here for the quick solution, skip to the bottom and the TL;DR section.

The Problem:

I have been able to customize the start menu of Windows 10 with ease since version 1511 with the Export / Import-StartLayout cmdlet. But this time I got a request to remove all the pinned apps on the right side of the start menu. A colleague discussed this with me and told me he had done a similar solution inside a Citrix Virtual Desktop and had spent quite some time on it. I thought this would be much easier than it turned out to be. In the end, the requested start menu should look something like the picture below, with the following demands:

  • No pinned apps on the right box or the start menu
  • In the task bar, have Chrome & Explorer pinned. 

This was the requested layout

To begin with, I created an XML file with just Chrome & Explorer pinned in the task bar, and with <DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups"> set. My thought was that this would give me a clean start menu, but this was my first failed attempt. My colleague, who had previously had a similar issue in a Citrix environment, had during his research come across this post containing a script called “Pin-Apps”. This script contained an Unpin function which turned out to be very helpful, so I started adapting my work to this script. But this is where I came across my second setback. I was not able to have this script and the Import-StartLayout script in the same logon script, nor to have one script at startup and one at login, so I had to think of a way to configure this in my isolated lab environment.

Luckily, I’ve been working a lot with OS deployment, so I created a Task Sequence containing the Import-StartLayout script, which managed to run successfully together with my login script containing the Pin-Apps script. But here I came across my third setback, which by far had the most impact and was the one I spent the most time struggling with. For some reason I was not able to remove bloatware, such as Candy Crush, Minecraft etc. The script ran successfully, but every time, the outcome looked like this:

Some applications would not be removed

I could not understand why these applications would not be removed. I have had to deal with bloatware before, but then it was just a matter of removing it with the Appx cmdlets. I checked Get-AppxPackage & Get-AppxProvisionedPackage, and ran Remove-AppxPackage and Remove-AppxProvisionedPackage several times, but these apps were not removable and did not show up until I manually selected them and they started downloading (as shown on the application in the top right corner of the picture). So apparently they were either links or shortcuts to the Windows Store. This works if you are using Windows 10 Enterprise.

This is where I started going deep. The apps were all published in the Windows AppStore, so I started looking for any possibility, with help from PowerShell, to force a download of all apps in the Windows Store. I spent a lot of time on this, but without any success. So I had to rethink my plan. There was no way to force the bloatware applications to download, there was no way to remove them with the Appx cmdlets, and there was no way to get a clean start menu with an XML file. This gave me the idea: if you can’t beat them, join them. There was no way to actively remove all the applications from the start menu of Windows 10 Professional, but replacing them worked.

The solution:

As I have yet to find any other way of removing the superfluous applications, creating a new XML replacing the start menu with some random default applications was the only successful way for me. To list these applications, go to Shell:AppsFolder or shell:::{4234d49b-0245-4df3-b780-3893943456e1} in File Explorer.

Applications can be found here

I just chose to pin some of the applications which were default on my start menu and that I knew were very much removable, and exported these to a new XML, which turned out to look like this:

From here I had to modify the Pin-Apps script to make it more suitable for a Swedish operating system, and added a registry key so it would not run more than once for each user. If you want to lock down the right side of the start menu, you just set or create the LockedStartLayout registry key, located under both HKEY_LOCAL_MACHINE & HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer, to 1.

If you are running an OS language other than Swedish or English, to find the verb for unpin, simply save an application name to the variable $appname (as an example I will use Windows PowerShell) and run the following part:

This will give you all the verbs which apply to this application. In this case “Unpin from Start” is present.

After modifying the necessary bits I added it to a PowerShell logon script GPO with the parameter -UnpinAll, with the .ps1 file located inside the GPO repository, making sure it’s accessible for everyone.
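The verb lookup and the run-once unpin logic described above, as an added example that is neither the Pin-Apps script nor the author’s modified version. The function names and the marker key path HKCU:\Software\ExampleCorp\StartMenuCleanup are hypothetical; the unpin verb text must match your OS language.

```powershell
# Added example, not the Pin-Apps script referenced in the post.
# Assumptions: function names and $MarkerKey are hypothetical placeholders.

$AppsFolderPath = 'shell:::{4234d49b-0245-4df3-b780-3893943456e1}'  # Shell:AppsFolder
$MarkerKey      = 'HKCU:\Software\ExampleCorp\StartMenuCleanup'     # hypothetical

function Get-StartApp {
    # Returns the items of Shell:AppsFolder, optionally filtered by display name.
    param([string]$Name)
    $shell = New-Object -ComObject Shell.Application
    $shell.NameSpace($AppsFolderPath).Items() |
        Where-Object { -not $Name -or $_.Name -eq $Name }
}

function Get-AppVerbName {
    # Lists the localized context-menu verbs of one application.
    # Verb names carry an '&' accelerator marker, which is stripped here;
    # separators come back as empty names and are filtered out.
    param([Parameter(Mandatory)][string]$Name)
    $app = Get-StartApp -Name $Name
    if (-not $app) { throw "No entry named '$Name' in Shell:AppsFolder" }
    $app.Verbs() |
        ForEach-Object { $_.Name -replace '&', '' } |
        Where-Object { $_ }
}

function Invoke-UnpinAll {
    # Invokes the unpin verb on every app that exposes it, once per user.
    param([Parameter(Mandatory)][string]$UnpinVerb)

    # Run-once guard: skip if this user has already been processed.
    $marker = Get-ItemProperty -Path $MarkerKey -Name Done -ErrorAction SilentlyContinue
    if ($marker.Done -eq 1) { return }

    foreach ($app in (Get-StartApp)) {
        $app.Verbs() |
            Where-Object { ($_.Name -replace '&', '') -eq $UnpinVerb } |
            ForEach-Object { $_.DoIt() }
    }

    # Record completion under the user's own hive so the next logon is a no-op.
    New-Item -Path $MarkerKey -Force | Out-Null
    New-ItemProperty -Path $MarkerKey -Name Done -Value 1 -PropertyType DWord -Force | Out-Null
}

# Usage (run as the logged-on user):
#   $appname = 'Windows PowerShell'
#   Get-AppVerbName -Name $appname            # find the unpin verb in your OS language
#   Invoke-UnpinAll -UnpinVerb 'Unpin from Start'
```

Only apps that are currently pinned expose the unpin verb, so apps without it are skipped.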

 

TL;DR: 

If you are running Windows 10 Professional, you need to replace applications in the start menu before removing them. As a suggestion, set the default start menu layout in a Task Sequence of some kind and then have a GPO run the PowerShell script mentioned above.

If you are running Windows 10 Enterprise, just use the logon script GPO and you will be fine. If you still have some unwanted applications, run a script removing built-in apps (for example this Invoke-RemoveBuiltinApps).

If you have any questions or thoughts about this post, feel free to email me at johan.nilsson@xenit.se



Create Threat Exceptions for specific traffic

At some point you might encounter a false-positive threat that you want to make an exception for. If you know a file is safe when it’s downloaded from a specific place, but you don’t want other files classified with the same threat ID/name to be whitelisted, you can create a separate security profile.

Start by identifying the traffic and where it’s blocked. In this example the file got blocked by the vulnerability protection-profile.

Click on the magnifying glass to see more detailed information and find the threat ID.

If we look in the detailed section we can see that the threat ID is 39040 for this threat-name.

Go to Objects > Security Profile > Vulnerability Protection. Since we want to specify what traffic this is whitelisted on, we need to create a separate profile so the current security policies are unaffected.

Clone the profile that is currently used for this kind of traffic and rename it properly. Go to the exceptions tab and select “Show all signatures”. Type the threat ID, press Enter and enable the signature.
Click the current action (default (alert)) and change it to allow or leave it at default. In this example I will select default (alert) since I still want it to be logged.

When this is done we can either add it to a new Security Profile Group or add it directly to a new Security Policy. Here we will add it directly to a security policy.

Create a new Security Policy above the one that blocked the file.

Specify your source address and destination.
In the actions tab, select Profile Type: Profiles and under Vulnerability Protection: <The profile you created>.

Commit and verify that the traffic hits the correct Security Policy and is logged with alert.

Be very cautious when you create exceptions and always make sure you only allow the traffic you intended. Always make sure you look at alternative ways before creating an exception.

The same method can be applied on different security profiles.

 



Teams is replacing Skype for Business – how does it (really) work for the user?

Most of us know Teams is replacing Skype for Business in Office 365. There is no official end date but we see indications. Microsoft is no longer adding Skype for Business for new tenants with less than 500 users and they say Teams is now complete. Yesterday we also saw the first indication that Microsoft is starting to switch active tenants to Teams – so you better be ready!

Looking at the official Microsoft documentation, all is green and good. Just switch and you will experience all the goodness of Teams. But how does it really work and look for the end user? I assume you already know how Teams works and looks and the way to migrate – this blog post is just how it works for the end-user when it comes to interoperability with Skype for Business.

Important note: This might change at short notice, and here is the official Microsoft documentation on interoperability.

So assume you’re in an all-SfB environment and considering using Teams. You verify you are in Coexistence mode: Islands, which means users are able to use both Skype for Business and Teams simultaneously:

You decide to switch one of your users (let’s call him Ben) to TeamsOnly mode – that’s what we did and the rest of the users are still in SfB, but remember, there is nothing stopping all the other users to start using Teams, they just have to go to https://teams.microsoft.com and they can use SfB and Teams at the same time.

Internal communication within tenant

First if Ben tries to start the SfB client, he will get:

But we shouldn’t uninstall the SfB client – keep on reading…

  • If both users are in Teams (in case some other users have found out they can use Teams) you will get the full experience so I will not go into details there.
  • Ben will be able to receive and reply to messages received from SfB users within the Teams client.
  • Screen sharing and file transfer is not supported between Teams and Skype for Business – you need to create a meeting for that.

There is one caveat here: if the other user has ever started Teams, even weeks or months ago, they are considered to be “activated in Teams”, which means Ben can no longer initiate a new SfB conversation with that user. Ben can only initiate a new conversation with the other user in Teams, and if that user is no longer using Teams (for example if they decided they didn’t like it), they will not receive it. However, if the other user initiates a chat from SfB to Ben, Ben will be able to reply to SfB.

And the absolutely best feature is that you have persistent chat experience over all devices so you can initiate a chat session in a web browser on your laptop, continue in the fat client on your desktop and keep the whole thread in your mobile device.

So in short, we would recommend keeping the interoperability period as short as possible because of the confusion it creates…

External communication

So imagine all your users are in Teams. But you will see that many other organizations are still in SfB in Office 365 or even SfB on-premises which means they will ”never” get Teams – how do you communicate with them?

  • Again, if both users are in Teams you will get the full experience so I will not go into details there.
  • Ben will be able to initiate, receive and reply to SfB chat sessions.
  • Ben can’t initiate screen sharing nor file transfers to SfB users – a meeting is required for that.
  • Ben can still join SfB meetings, that’s what the SfB client is used for – or, of course, he could use the SfB Web App. So we don’t see that going away very soon.
  • If the other user (still on SfB) initiates a screen sharing or file transfer to Ben, it is not supported and the official answer is that the user should receive the following message so a meeting is required. We have found that the message is actually received in Ben’s SfB client if he has it logged in and active in the background and he will actually be able to receive the file and see the screen sharing session. YMMV.

Ben will also realize that as long as his Office 365 ProPlus is updated, the New Skype Meeting choice will be removed and New Teams Meeting will be the only choice.

This is just one part of the story, the big difference is the way that Teams can be more than what SfB was when it comes to collaboration. You need to develop a plan for how to communicate this to your users… You might also have other dependencies with SfB like conference room equipment like Skype Room Systems and integration with PBX.

Interoperability between SfB and Teams might not be the best in the world, but we also see Microsoft is pushing Teams and from Ignite sessions, we see that the user experience during interoperability will not change much – what we see is what we get and we better adapt and inform our users so this is clear.