Thursday, December 15, 2022

This blog has moved...

This blog has been migrated and modernized - you will automatically be forwarded to https://skotheimsvik.no where all existing content has been imported and new content will be published.


Thank you for your patience and understanding during this migration!

Monday, December 12, 2022

The new multiple administrative approvals experience

Imagine a compromised administrative account going wild in your Intune environment. Wouldn't it be great to protect your configuration with a second factor, like MFA? Join me while I experience the new Multiple Administrative Approvals (MAA) feature for Intune which is out in public preview! 


By using Intune access policies we can require a second administrative account to approve changes before they are applied to the production environment. This is reminiscent of MFA (Multi-Factor Authentication), but let's welcome MAA (Multiple Administrative Approvals) instead.

Tuesday, December 6, 2022

HP Connect for Intune, Part2: BIOS Authentication

This is part 2 in my series of blog posts covering HP Connect for Intune. The first post covered how to get the BIOS patched to the latest release. Today I cover BIOS authentication, which is an important aspect of managing, controlling and securing Windows devices. If the BIOS can be accessed without authentication, a local or remote user may be able to disable basic security features, perhaps introducing malware early in the startup process where Windows may not protect against it.


The ultimate goal is to have a security boundary covering all aspects from chip to cloud. A UEFI BIOS is the chip containing the hardware start-up code and many settings that should be secured before booting into a Windows operating system. We will manage BIOS security by limiting setting changes to users or administrators who know the authentication mechanism.

Please note: This is not a sponsored post!

Wednesday, November 30, 2022

The new Microsoft Store Experience

There is a new integration available between Microsoft Intune and the Microsoft Store for managing app installations from the cloud. This allows admins to easily browse, deploy and monitor applications. The new feature is powered by WinGet, the new Windows Package Manager. I will explore this new feature in this blog post.

Intune has for a long time been great at getting policies and apps onto devices. The challenge has been to get new applications ready for provisioning in Intune. With this new feature, Independent Software Vendors (ISVs) can publish and maintain their packages directly in this solution. This will ease the process and the burden of application management.



With direct access to the apps in Intune, they can quickly and easily be made available for users' self-service through the Company Portal. This is perfect for locked-down environments where users have no local admin rights on their computers.

Thursday, November 24, 2022

Let Intune stimulate mobile updates

Mobile devices can be a challenging asset to manage and keep secure with their many variations in ownership, management and operating systems. This blog post will give you some ideas on how you can enforce a minimum version of the operating system on the mobile phones accessing the company's data in Microsoft 365.

For many users, the cell phone is the boundary of privacy at which they can still accept the company's administration. At the same time, it is important for the company to have control over its data and applications.


An important prerequisite must be set by the organization: yes, users can have access to data, under defined conditions. One important security measure is to ensure updated software regardless of management mode. Let us dive into the condition of having an up-to-date operating system on the mobile device accessing company data.

Friday, November 11, 2022

Create AAD Licensing groups by Graph API

Group-based licensing in Microsoft 365 is not a new feature, but it is still one that a lot of organizations are missing out on. Assigning licenses to groups instead of directly to users provides advantages related to automation, overview and more. Information about this is easily available on the net, but I have been missing an automated way of providing uniform groups for the purpose.

Assigning licenses to users by group membership in Azure Active Directory is thoroughly documented on Microsoft Learn and at several other online locations. The advantages of this are therefore not specifically covered in this blog post.


This blog post will focus on creating the groups in a uniform and automated way. Repeated manual tasks are undesirable in a larger environment, as they lead to small differences and configuration drift. By automating, we arrive at a uniform standard platform as quickly as possible.

Thursday, September 29, 2022

Branding your tenant and managed endpoints

A clear brand builds identity and affiliation. Microsoft 365 and Endpoint Manager have a rich set of tools for customizing the products with your brand. This looks nice and integrated, and it helps end users detect security attacks. Let's take a deep dive into the possibilities associated with branding your tenant and endpoints!


A brand is a name, term, design, symbol or any other feature that distinguishes one company's good or service from those of other companies. Brands are used for recognition, creating values and identification. A brand is the sum of all expressions by which an entity (person, organization, company, business unit, city, nation, etc.) intends to be recognized.

With a workforce spread all over the modern hybrid workplace, it is more important than ever to spread the love of the company's brand. This blog post will focus on how your brand can be incorporated into Microsoft 365 and all endpoints through Microsoft Endpoint Manager.

Friday, September 16, 2022

Building a MEMpowered LAB environment


In my early days as a consultant within Microsoft technologies, I had complete lab environments running as virtual machines on heavy workstation laptops. Through the years, as I have migrated to a cloud-first philosophy, my lab environments have followed along. Working mainly with Microsoft 365 and Microsoft Endpoint Manager, my lab environments are now cloud based.

I still remember deciding to move away from high-performance laptops hosting all my virtualized lab environments. Looking back at my first switch to a lightweight Surface, I don't regret it. The new lightweight devices powered by the cloud have been fantastic in my everyday work life. But I still need environments to test and verify technologies and ideas before putting them into production. This blog post will cover some ways to build lab environments for the cloud-based Microsoft solutions.


Friday, September 2, 2022

Unboxing: Philips P-Line 499P9H 49" DQHD SuperWide 32:

When spending hours, days, months and a lifetime in front of a computer, a good monitor is essential for the workplace. Personally, I prefer large monitors with high resolution to get enough space to work efficiently with Microsoft 365, Endpoint Manager, scripting and automation. Traditionally I have used 3 to 4 monitors lined up. I will now share my experience after migrating to one single superwide screen. Will it fulfill my needs and expectations out of the box, or do I need to do some hacks?

Please note: This is not a sponsored post!

The Philips 499P9H Hard Facts

The monitor I am installing is the Philips P-Line 499P9H 49" DQHD UltraWide 32:9 Curved, which is like two full-size QHD monitors in one with its 5120x1440 resolution. It has a built-in USB-C docking station and a pop-up webcam supporting Windows Hello!


Monday, August 15, 2022

Automating Teams voice reporting of users (2:2)

This is a follow-up on my last blog post covering automated Teams voice assignment for users. This time I will cover how that routine has been expanded to do reporting in Power BI to show evolution and distribution throughout the lifetime of the service.

After running my routine of automated voice assignment in Teams for a while, I felt the need to have an overview of the solution and how it evolved.



Monday, August 8, 2022

Automating Teams voice assignment for users (1:2)

In order to manage voice and phone number assignments in Microsoft Teams, you need at least the Teams Communications Administrator role. This role does, however, have more privileges than most organizations want to assign to their first-line staff. This blog post will cover a way for first line to automate voice activation of users with the granularity necessary to cover several technologies such as Direct Routing and Operator Connect.

The main idea is to let first line operators use the tools they have access to when managing users without the demand of acquiring extra privileges.


By adding the Teams phone number in E.164 format to the user's telephoneNumber field in AD/AAD and making the user a member of a defined security group, I have enough information to automate the Teams voice assignment for the user. This could also include license assignment through the group membership.

Monday, August 1, 2022

Find where your colleagues are on a floor plan

Microsoft Search helps users find relevant content, the right answers or people. Search administrators use their knowledge of the organization and its users to make it easy for users to find the relevant content. This blog post will cover how you can prepare information about employees in order to place them on a floor plan for the office buildings. 

This type of setup is part of my mindset of using as many features as possible from the Microsoft 365 licenses, often triggered through configuration and maintenance of information which provides value throughout the product line.


This kind of functionality will add value when searching for colleagues in the office landscape, or even when searching for the closest meeting room.

Monday, July 25, 2022

Autopilot - Device deadlock between two tenants

After wiping a Windows 10 Autopilot device from Microsoft Endpoint Manager, we were welcomed to the correct tenant by name and logo. When signing in with a currently licensed user, we got the message "That username looks like it belongs to another organization. try signing in again or start over with a different account". Time to troubleshoot!

The background for the wipe was to repurpose the device for a new user. 


Windows Autopilot is managed and maintained by Microsoft in a backend database that associates hashes with customer tenants. This time I got a schizophrenic device dealing with two tenants.

Monday, July 18, 2022

Disable "Do Not Send a Response" option in Outlook with MDM

When users select the option to not send a response when accepting a meeting invite in Microsoft Outlook, their response is not visible to the invitee. This makes it troublesome to keep track of attendees for the meeting, which is why many organizations want to disable this option.

If someone replies to a meeting invite by using the "Do Not Send a Response" option, the action is marked in the user's calendar, but it is not reflected in the meeting tracking visible to invitees.


The problem has been present for a long time, and some information has been available on how it can be solved using Group Policies in legacy Active Directory environments. Here's how to remove the option to not send a response on meeting invites using Configuration Policies in Microsoft Endpoint Manager with a Settings Catalog profile type.

Tuesday, July 12, 2022

Posten into Homey

Inspired by the lessons from the project of getting Min renovasjon into Homey, I have thrown myself at Posten's solution to see whether I can read the postman's route into my Homey as variables.

Posten.no

Posten now delivers mail every other day. This means mail delivery on Monday, Wednesday and Friday one week and Tuesday and Thursday the next. It might be possible to reproduce this cadence simply by using odd and even weeks. But Posten has made its own web page where you can look up when to expect mail delivered: https://www.posten.no/levering-av-post. This perhaps means that irregularities can occur here, and a smart home must of course catch those.

Monday, July 11, 2022

Automatic file upload from legacy server to Microsoft 365

Companies that have gone through several generations of IT systems will have to make their cloud journey in small steps - system by system. Devices and document storage are quickly moved to Microsoft 365. Special Line of Business systems may take longer to cloudify. This can present challenges in making data from dinosaur systems available to users of the modern Microsoft 365 platform.

The challenge from a real world scenario

I was challenged by a customer with a production environment running in an old on-premises environment while all users and endpoints had converted to Microsoft 365. They had challenges in reaching reports that were produced on premises and needed a solution to have this data automatically uploaded to SharePoint for easy and modern access. Challenge accepted!

Wednesday, July 6, 2022

HP Connect for Intune, Part1: BIOS Update

To be certain we have a secure system from chip to cloud, it is fundamental to boot the device from a trusted BIOS, often referred to as secure boot. HP Connect for Microsoft Endpoint Manager is a cloud application designed to ease the management of the UEFI BIOS on supported HP systems. This blog post will cover updating the BIOS on HP devices using MEM.

We need to have control of the boot environment of our managed devices

Please note: This is not a sponsored post!

Tuesday, July 5, 2022

Fortinet VPN Profile distribution with MDM

The Fortinet Document Library has a documented routine for distributing the FortiClient application to Microsoft Windows with Intune. This routine works, but it is missing information on how to distribute the VPN profiles to the client. That will be the topic of this post.

Installation of the FortiClient application

Please read and follow the document in the Fortinet Document Library covering the topic of configuring the FortiClient application in Intune. During this routine you need to download the current FortiClient VPN client and start the downloaded EXE file to download the actual MSI installation. It is wise to do this in a Windows Sandbox environment. You will find the MSI file in the newest folder with a {randomguid} name under %localappdata%\Temp\.

After this routine has been setup and you have the app distributed to a group and installed, you will find the application available in the system tray on the devices.
FortiClient without VPN profile

The problem here, is the missing VPN profile for connecting your client to the service.

Monday, July 4, 2022

Min Renovasjon into Homey

I have long wanted to get information from our waste management company RIR into my smart home, so that I can get targeted notifications about this together with the other notifications the house gives us. When Homey released the Advanced Flow feature on 01.07.2022, a post appeared in the Facebook group Athom Homey Norge from Vegard Hamar showing a method for getting this in place. It took some speculation to be able to reproduce it. I am posting my notes here so that perhaps more people can benefit from this.

Min Renovasjon

Our waste management company RIR uses the solution Min Renovasjon for notification of collection days. Vegard Hamar writes in his Facebook post that he has taken inspiration from a GitHub project for Home Assistant that works against Min Renovasjon.

Tuesday, June 28, 2022

Install printers from AD printserver on AAD joined computers

When you go from a traditional IT operations model to a modern one based on Azure AD and Endpoint Manager, you will have a migration period with resources in both camps. Typically, endpoints go to the cloud first while well-established services lag behind.

This does not have to tie the endpoints to the ground. You can move your computers to pure Azure AD join, and still have access to on-premises services in Active Directory as long as the identities are hybrid. 

Some tend to use Hybrid Azure AD Join (HAADJ) since they have some legacy traditions of device and application management. HAADJ can thus be tempting, but in the long run it will give more headache than pleasure. The best approach is to move the endpoints to pure Azure AD Join devices and then put more effort into adapting to the new operational environment offered by Microsoft Endpoint Manager.

Printers and print servers are one example of services that tend to be strongly attached to the premises, even though there are great alternatives in the cloud with Microsoft Universal Print or 3rd parties like Printix. With the hybrid identity signed in to the Azure AD joined Windows device, you can also use the existing Active Directory joined print server. I have created a PowerShell script which can be used with Microsoft Endpoint Manager to distribute printers from a print server to Azure AD joined computers. This can be a great approach to make the move to the cloud more resilient, even though you will lose much of the borderless functionality of a pure cloud-based print solution.

The script is available on my GitHub

Saturday, June 25, 2022

Windows 11 - Customize the Start menu layout

I believe the workday can be a tad less cluttered if certain things have a fixed placement. In a managed environment it might be interesting to have a customized Start menu layout for all users, giving a default set of pinned apps in a fixed order. This blog post will walk you through the routine of setting this up on Windows 11 by use of Microsoft Endpoint Manager.

Note: A customized start menu layout overwrites the entire existing layout. A partial locked layout like offered on Windows 10 is not available on Windows 11. The layout can be changed by the user.

Create a JSON settings file

Set up your preferred Start menu layout on an existing Windows 11 computer. Pin the apps you like on the start menu and arrange the order of these apps.
Configure a preferred start menu layout on an existing Windows 11 device


Start Windows PowerShell and export the configuration to a JSON file.

Friday, June 24, 2022

Windows 11 - Custom theme with MEM

If your company has a strong branding profile, you might be interested in assigning a custom desktop theme pack to your Windows 11 computers reflecting your brand. I have put together a simple routine for distributing a deskthemepack with Microsoft Endpoint Manager.

Design your preferred theme

Use the Settings app on a Windows 11 computer to design your preferred desktop theme. After setting a preferred background, sounds, colors and mouse cursors, you can save this as a named theme.

You now have this as a theme on your computer which can be exported for sharing. Save this as a file on your computer.

Tuesday, June 21, 2022

Rename computers with countrycode in Intune

During an engagement at a customer there was a demand for having all computers in Endpoint Manager/Intune renamed to a naming standard consisting of the two-character ISO country code of the device owner followed by the serial number of the device. This was solved by using the Graph API in a PowerShell script running in an Azure Runbook.

The mission

The mission is to have all Windows devices in Microsoft Endpoint Manager follow a specified naming standard giving the device a unique name consisting of a country code and the device serial, e.g. NO-132435465768. The solution must address existing and new devices.

The challenge with this design is compiling a device name from the country code found on the user owning the device and the serial found on the device itself. I have found examples online for renaming endpoints, but these did not get hold of the country code from the user to use as part of the new device name. Some of these examples include:

New devices - autopilot profiles


During the initial phase of this project, I designed a configuration for Autopilot allowing the devices to start out with the correct device name upon initial onboarding. This was based on several group tags matched with corresponding Autopilot profiles. A specialized menu was built to ease the hash collection and at the same time have the group tag specified.

Menu used for selecting country code when getting the hardware hash code

This worked as expected for new computers. The CSV hash file got a group tag specified per device based on the operator's choice when collecting the hash. When uploaded to Intune, the group tag matched an Azure AD dynamic device group, which in turn was targeted by the corresponding Autopilot profile setting the correct name on the device.

Although this was a full-blown technical solution, it didn't live up to the first-line helpdesk's expectations of easy implementation. The setup was therefore reversed, leaving one common Autopilot profile for each and every Windows device in the tenant.

Existing devices - renaming with script

Initially this was intended as a one-shot run to rename existing devices. As the first phase of naming new machines during Autopilot was dropped, the challenge is extended to renaming devices on a regular basis. This has led to a PowerShell script running in an Azure Runbook on a schedule once per day.

Pseudo code

The script has a hash table of current countries. It iterates over the country list, selecting all users belonging to each country and then listing each device belonging to those users. Attributes from the user give access to the country, while attributes from the device give the serial number. The script takes into account the maximum length of 15 characters for computer names. This gives the foundation for renaming the computer to the given naming standard. A rename is initiated if the existing computer name differs from the standard.
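The naming rule and its edge cases, as an added PowerShell example that is not the author's runbook script: it computes the rename plan from constructed sample records using the same rules (country prefix, 15-character limit, serial truncated from the left, virtual machines reporting the literal "SerialNumber" skipped) and also flags a case the script does not check, two long serials that truncate to the same name. All ids, names and serials are constructed.

```powershell
# Added example, not part of the author's runbook: build the rename plan offline
# and flag collisions and invalid names before any setDeviceName call is made.

function Get-CalculatedDeviceName {
    param(
        [Parameter(Mandatory)][string]$CountryCode,
        [Parameter(Mandatory)][string]$SerialNumber,
        [int]$MaxLength = 15   # Windows computer name limit used by the script
    )
    # Virtual machines often report the placeholder text "SerialNumber"
    if ([string]::IsNullOrWhiteSpace($SerialNumber) -or $SerialNumber -eq 'SerialNumber') {
        return $null
    }
    $prefix = $CountryCode.ToUpper() + '-'
    $maxSerialLength = $MaxLength - $prefix.Length
    # Keep the rightmost characters when the serial is too long, as the script does
    $serial = if ($SerialNumber.Length -gt $maxSerialLength) {
        $SerialNumber.Substring($SerialNumber.Length - $maxSerialLength)
    } else {
        $SerialNumber
    }
    return $prefix + $serial
}

function Get-RenamePlan {
    param([Parameter(Mandatory)][object[]]$Devices)
    $plan = foreach ($d in $Devices) {
        $target = Get-CalculatedDeviceName -CountryCode $d.CountryCode -SerialNumber $d.SerialNumber
        [pscustomobject]@{
            DeviceId    = $d.Id
            CurrentName = $d.DeviceName
            TargetName  = $target
            # Only letters, digits and hyphens are safe in a Windows computer name
            ValidName   = ($null -ne $target) -and ($target -match '^[A-Za-z0-9-]{1,15}$')
            NeedsRename = ($null -ne $target) -and ($d.DeviceName -ne $target)
            Collision   = $false
        }
    }
    # Two serials ending in the same 12 characters truncate to the same name;
    # renaming both would give two devices one identity, so flag them instead
    $plan | Where-Object { $_.TargetName } | Group-Object -Property TargetName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { foreach ($entry in $_.Group) { $entry.Collision = $true } }
    return $plan
}

# Constructed sample records (hypothetical ids, names and serials)
$sampleDevices = @(
    [pscustomobject]@{ Id = 'dev-1'; DeviceName = 'DESKTOP-AB12CD'; CountryCode = 'NO'; SerialNumber = '5CD1234XYZ' }
    [pscustomobject]@{ Id = 'dev-2'; DeviceName = 'PL-5CD9876ABC';  CountryCode = 'PL'; SerialNumber = '5CD9876ABC' }       # already compliant
    [pscustomobject]@{ Id = 'dev-3'; DeviceName = 'DESKTOP-VM0001'; CountryCode = 'NO'; SerialNumber = 'SerialNumber' }     # virtual machine
    [pscustomobject]@{ Id = 'dev-4'; DeviceName = 'DESKTOP-LONG01'; CountryCode = 'NO'; SerialNumber = 'ABCDEF0123456789' } # 16-character serial
    [pscustomobject]@{ Id = 'dev-5'; DeviceName = 'DESKTOP-LONG02'; CountryCode = 'NO'; SerialNumber = 'ZZZDEF0123456789' } # truncates to the same name as dev-4
)

$plan = Get-RenamePlan -Devices $sampleDevices
$plan | Format-Table -AutoSize

# Only rows that need a rename, have a valid name and do not collide should be sent to
# deviceManagement/managedDevices/{id}/setDeviceName; the rest are reported for review
$toRename = $plan | Where-Object { $_.NeedsRename -and $_.ValidName -and -not $_.Collision }
$flagged  = $plan | Where-Object { $_.Collision -or -not $_.ValidName }
"{0} device(s) to rename, {1} flagged for review" -f @($toRename).Count, @($flagged).Count
```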

Azure App Registration

The script authenticates through an Azure App Registration which has the following Microsoft Graph API application permissions:

  • DeviceManagementManagedDevices.PrivilegedOperations.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • Directory.Read.All
  • User.Read
The app secret for the app registration is created with PowerShell in order to get a longer lifetime:
    $startDate = Get-Date
    $endDate = $startDate.AddYears(9)
    $ObjectID = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
    $aadAppsecret01 = New-AzureADApplicationPasswordCredential -ObjectId $ObjectID -StartDate $startDate -EndDate $endDate
    ($aadAppSecret01).Value

Azure Runbook

The TenantID, ClientID and ClientSecret from the app registration are stored as encrypted variables in the Azure Runbook.
Encrypted variables stored in the runbook

The runbook does have most of the modules loaded already, except for the Microsoft.Graph.Authentication module which has to be added from the Gallery.

The script can now be added, published and linked to a schedule in the runbook. The script is available on my GitHub, and it has comments throughout the code describing the process.

<#

  .NOTES
  ===========================================================================
   Created on:      09.05.2022
   Created by:      Simon Skotheimsvik
   Filename:        MEM-ChangeOfComputerNames-Runbook.ps1
  ===========================================================================
 
  .DESCRIPTION
    This script uses the Graph API to bulk rename Windows devices. It can for
    example be used in a scenario where autopilot default naming has been used
    and a new standardised naming convention has been agreed upon. This Script
    will use the Country Code from the owning users Azure Account. It can be
    modified to use other user variables as well.

    The script is designed to run unattended in an Azure Runbook.
     
  .EXAMPLE
    MEM-ChangeOfComputerNames-Runbook.ps1

#>

$GLOBAL:DebugPreference="Continue"

$Countries = @{
    Norway = "NO"
    Vietnam = "VN"
    Brazil = "BR"
    Chile = "CL"
    Croatia = "HR"
    India = "IN"
    Italy = "IT"
    Poland = "PL"
    Romania = "RO"
    Singapore = "SG"
    Canada = "CA"
}

# CONNECT TO GRAPH WITH AZURE APP-REGISTRATION STORED AS ENCRYPTED VARIABLES
$TenantId = Get-AutomationVariable -Name 'Computer_Rename_TenantID'
$ClientId = Get-AutomationVariable -Name 'Computer_Rename_ClientID'
$ClientSecret = Get-AutomationVariable -Name 'Computer_Rename_ClientSecret'

# Create a hashtable for the body, the data needed for the token request
# The variables used are explained above
$Body = @{
    'tenant' = $TenantId
    'client_id' = $ClientId
    'scope' = 'https://graph.microsoft.com/.default'
    'client_secret' = $ClientSecret
    'grant_type' = 'client_credentials'
}

# Assemble a hashtable for splatting parameters, for readability
# The tenant id is used in the uri of the request as well as the body
$Params = @{
    'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    'Method' = 'Post'
    'Body' = $Body
    'ContentType' = 'application/x-www-form-urlencoded'
}

$AuthResponse = Invoke-RestMethod @Params

$Headers = @{
    'Authorization' = "Bearer $($AuthResponse.access_token)"
}

# Connect-MgGraph with the same token in order to be able to post a computer renaming
# (the token was already obtained above, so no second token request is needed)
$token = $AuthResponse.access_token
Connect-MgGraph -AccessToken $token

write-output "Authentication finished"

############################################################
# ROUTINE FOR RENAMING USERS AUTOPILOT DEVICES
############################################################

foreach ($Country in $Countries.Keys) {
    write-output "Working on country $Country"
    $CountryCode = $Countries[$Country]
    $MaxSerialLength = (15 - $CountryCode.Length) - 1 # Max 15 characters allowed in device name. Calculate length of the serial part.
    $userList = $Null

    # Get all users with the current country code. Use paging in order to get more than 999 which is max pr query
    $UsersURL = 'https://graph.microsoft.com/v1.0/users?$filter=startswith(country,'''+ $Country +''')&$top=999'
    While ($UsersURL -ne $Null) {
        $data = (Invoke-WebRequest -Headers $Headers -Uri $UsersURL -UseBasicParsing) | ConvertFrom-Json
        $userList += $data.Value
        $UsersURL = $data.'@Odata.NextLink'    
    }

    # Get all managed devices for each user
    foreach ($User in $UserList) {
        $upn = $User.userPrincipalName
        write-output "- Focus on user $upn"
        $DeviceList = $Null
        $deviceURL = 'https://graph.microsoft.com/v1.0/users/'+ $User.userPrincipalName +'/managedDevices?$filter=startswith(operatingSystem,''Windows'')'
        $DeviceList = (Invoke-RestMethod -Uri $deviceURL -Headers $Headers).value
        $NoOfDevices = $DeviceList.Count
        write-output "- $NoOfDevices device(s) found"

        foreach ($Device in $DeviceList) {
            $CurrentDeviceName = $Device.deviceName
            write-output "--- Focus on device $CurrentDeviceName"
            $OS = $Device.operatingSystem
            $DeviceID = $Device.id
            $FullSerial = $Device.serialNumber

            # Max 15 characters allowed in device name - some devices have too long a serial number
            if ($FullSerial.get_Length() -gt $MaxSerialLength) {
                $DeviceSerial = $FullSerial.substring($FullSerial.get_Length()-$MaxSerialLength)
                write-output "---- Serial too long - shortened!"
            }
            else {
                $DeviceSerial = $FullSerial
            }
            # Calculates new devicename in format NO-12345678
            $CalculatedDeviceName = $CountryCode.ToUpper() + '-' + $DeviceSerial
           
            # Virtual computers have the text "SerialNumber" as serialnumber...
            if (($CurrentDeviceName -ne $CalculatedDeviceName) -and ($DeviceSerial -ne "SerialNumber")) {
                write-warning "---- Device $CurrentDeviceName needs to be renamed to $CalculatedDeviceName"
                # Calculate graph api url's
                $Resource = "deviceManagement/managedDevices/$DeviceID/setDeviceName"
                $GraphApiVersion = "beta"
                $URI = "https://graph.microsoft.com/$GraphApiVersion/$($Resource)"

                $JSONPayload = @{
                "deviceName" = $CalculatedDeviceName
                }

                $convertedJSONPayLoad = $JSONPayload | ConvertTo-Json
               
                #Send change to Graph.
                Invoke-MgGraphRequest -Uri $URI -Method POST -Body $convertedJSONPayLoad -Verbose -ErrorAction Continue
            }
            else {
                write-output "---- $CurrentDeviceName will not be renamed"
            }
        }
    }
}



Verify the results

When running the script, all outputs can be found in the logs, and all renamed computers are logged as warnings:

Feedback from the script with renamed computers found as warnings

This is reflected on the device in the Microsoft Endpoint Manager:

Device waiting to be renamed

As with other renaming requests in Microsoft Endpoint Manager, the device must reboot before all records (Azure AD, Intune, Autopilot, Device) are up to date.

Device rename confirmed in the portal

Summary

This routine will effectively and automatically rename devices on a given schedule as long as the app secret is valid. The script can be altered to mix and match variables from user and device to create the corresponding device name for your naming convention. You can, for example, use information from the user such as department, company, region or postal code as part of the computer name.

No extra charge for the mistakes - solution shared as it is - use it at your own risk.

Thanks for reading - please share and comment.



Thursday, June 2, 2022

Reduce background noise in Teams Room System

It has been a while since Microsoft released their machine learning based noise suppression for Microsoft Teams. With this setting available, all background noise like shuffling papers, slamming doors, barking dogs and so on is effectively reduced. This technology has quickly fallen into our pattern of use, which in turn has led to expectations of finding it in the meeting rooms.

The new hybrid workspace is the hottest trend right now. At any time, a hybrid workplace will consist of both remote workers and in-office workers. Synchronizing these groups of employees into a cohesive, collaborative unit can be quite a challenge in order to not leave one group feeling anonymous or voiceless.

Microsoft Teams rooms should bring organizations closer to the ideal of hybrid work giving remote side workers the same opportunities to actively participate in the meeting. We see constant developments to support this, like the recent Front Row Layout for meetings. 

As a remote worker, I often find unintentional noise from meeting rooms to be the biggest disturbance in meetings. This can be anything from paperwork, pens and fingers drumming on the table, cups and cutlery, to small talk and meetings within meetings. I am therefore happy to finally see machine-based noise cancellation available on the Teams Rooms System.

When in a call, settings for noise suppression are now found on the meeting room controller:

Click on the image for a larger view

Teams offers three levels of noise suppression to help keep meeting participants focused. These settings can be changed at any time. For the Teams desktop app and iOS, the settings carry over to the next meeting or call once they are changed. This is not yet the case for Teams Room System.

The noise suppression feature can be enabled or disabled on the Teams Rooms device by using the NoiseSuppressionDefault variable found in an XML configuration file, as described here.


The article describes several settings and how these can be implemented on devices at small and large scale. The documentation does not state how to set Low or High as the default setting. This has been discussed in this Twitter thread, where @MauroB94454117 states that the code implemented is ahead of the documentation at this time. The documentation is missing the part on how to force noise suppression to the Low or High setting. This is done with the following values of the NoiseSuppressionDefault variable in the XML file, which I have tested and found to work:

0 = Off
1 = Auto
2 = Low
3 = High 

The following XML file gave me the highest level of noise suppression as the default state:

<SkypeSettings>
  <NoiseSuppressionDefault>3</NoiseSuppressionDefault>
</SkypeSettings>
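As an added example (not part of the original post), the following PowerShell helper maps the four level names to the values listed above and sets NoiseSuppressionDefault in an existing SkypeSettings.xml without discarding the other settings the file may carry. The LocalState path is the location Microsoft documents for Teams Rooms on Windows and is an assumption to verify on your own image; the function name and the $NoiseLevels table are mine.

```powershell
# Added example, not from the original post. Assumes the documented SkypeSettings.xml
# location for Teams Rooms on Windows (verify on your image) and the values 0-3 listed above.
$NoiseLevels = @{ Off = 0; Auto = 1; Low = 2; High = 3 }

function Set-TeamsRoomNoiseSuppression {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Off', 'Auto', 'Low', 'High')][string]$Level,
        [string]$Path = 'C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState\SkypeSettings.xml'
    )
    $value = $NoiseLevels[$Level]

    # Load the existing file so other <SkypeSettings> elements survive; start from scratch if it is missing
    if (Test-Path -Path $Path) {
        [xml]$xml = Get-Content -Path $Path -Raw
    } else {
        [xml]$xml = '<SkypeSettings></SkypeSettings>'
    }
    $root = $xml.DocumentElement
    if ($root.Name -ne 'SkypeSettings') {
        throw "Unexpected root element '$($root.Name)' in $Path"
    }

    # Update the element if present, otherwise add it
    $node = $root.SelectSingleNode('NoiseSuppressionDefault')
    if (-not $node) {
        $node = $xml.CreateElement('NoiseSuppressionDefault')
        [void]$root.AppendChild($node)
    }
    $node.InnerText = "$value"

    if ($PSCmdlet.ShouldProcess($Path, "Set NoiseSuppressionDefault=$value ($Level)")) {
        $xml.Save($Path)
    }
    return $value
}

# Make High (3) the default, as the XML above does; add -WhatIf to preview the change
Set-TeamsRoomNoiseSuppression -Level High
```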

These are small steps to a better hybrid workspace in the modern workplace!

Hardware based noise suppression

Logitech Rally cameras are also introducing AI noise suppression enhancement algorithms in firmware version 1.1.167. This is meant to improve the video conferencing experience for remote participants. The update is available for download from the Logi web pages.

Normally, updates of firmware and software bring new features and better security, but they also seem to introduce new unintentional problems, or "features". There is information in the community stating that the Logitech Rally cameras might have problems with exposure and focus after updating. You can read about this in a recent Twitter thread between Matt Ellis, Ilya Bukshteyn and Randy Chapman:

15.08.2022 - Video demo
Today a great video demo on this feature was released by ISDM Solutions - take a look here: https://youtu.be/gVvspCd0FaA 


Tuesday, April 19, 2022

Veeam Backup for M365 Automatic Reporting in PowerBI

Those of you who have read through the Microsoft Services Agreement might have noticed paragraph 6b, where Microsoft recommends that you regularly back up the content and data you store on the services using third-party apps and services. One example of such a third-party tool, popular with managed service providers, is Veeam Backup for Microsoft 365. This blog post explains how you can get automatic reporting on the licenses and sizes used by this application.

Please note: This is not a sponsored post!

Data Deletion

Data deletion can occur when an attacker deletes your data, usually in a way that makes recovery difficult, if not impossible. A variant of this type of attack is ransomware. With ransomware, an attacker compromises the network, encrypts data, and then demands a payment to get the key to decrypt the data. This may equate to data deletion, since a successful extraction of payment often leads to more targeting by the attacker. Attacker motivations for data deletion include covering the tracks of an attack, attempting to do irreparable harm to your business, or simply trying to spite you or your employees.

Preventing data deletion

Other than the protection mechanisms you should employ to prevent account breach and elevation of privileges, your core prevention strategy should be to ensure you have sufficient redundancies built into your data management processes to minimize the impact of data deletion. Data in Microsoft 365 is made redundant by the service for maximum availability. However, it is still possible for an attacker to delete data from SharePoint sites and recycle bins, making it almost impossible to recover. There are also examples of bugs where data has been deleted from Teams and SharePoint. Therefore, it is critical that you have a process for backing up mission-critical data to offline stores, just as the Microsoft Services Agreement states.

Veeam Backup for Microsoft Office 365

Veeam Backup for Microsoft 365 is one application which can help eliminate the risk of losing access to and control over your Office 365 data, including Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams. This product is often used by managed service providers offering their services to customers. One challenge is automating a reporting solution that shows usage of the service in terms of licenses and storage on repositories.

Report automation

Niels Engelen has described a way to automatically send reports from Veeam by email. This is a simple approach based on the standard functionality, where a PDF report is sent by e-mail. It just didn't fit my expectations for reporting. 

PowerShell data harvesting

I have studied the Veeam Backup for Microsoft 365 PowerShell Reference and made a script counting all licenses, data usage and repository usage on a daily basis. This data is prepared in a JSON format and uploaded to an Azure Cosmos Database. The Azure Cosmos Database is quite inexpensive for this kind of usage. 

The following query will list all licensed users in a JSON format before uploading each record to the Cosmos database.
# Get VBO Licensed users, convert to JSON and upload to CosmosDB
# The Get-VBO* cmdlets come from the Veeam.Archiver.PowerShell module, and
# $cosmosDbContext is assumed to have been created earlier with New-CosmosDbContext (CosmosDB module)
$CosmosDBCollectionID = 'VeeamBackupLicenses'
$LicensedUser = Get-VBOLicensedUser

$output = foreach ($user in $LicensedUser) {
    # Format the date explicitly as dd.MM.yyyy so the Year/Month split below does not depend on the server's culture
    $LastBackupDate = $user.LastBackupDate.ToString("dd.MM.yyyy")
    # A fresh GUID is used both as document id and as partition key
    $id = $([Guid]::NewGuid().ToString())
    $doc = [pscustomobject]@{
        id               = $id
        Username         = $user.UserName
        LastBackupDate   = $LastBackupDate
        Year             = $LastBackupDate.Split(".")[2]
        Month            = $LastBackupDate.Split(".")[1]
        LicenseState     = $user.LicenseState
        OrganizationName = $user.OrganizationName
    }
    $document = $doc | ConvertTo-Json | Out-String
    # Writing data to CosmosDB
    New-CosmosDbDocument -Context $cosmosDbContext -CollectionId $CosmosDBCollectionID -DocumentBody $document -PartitionKey $id -Encoding UTF-8
}


The next query will get the usage per organization and upload it to CosmosDB in JSON format. An organization can have data in several repositories, so one document is written per repository:
# Get VBO Usage pr Organization, convert to JSON and upload to CosmosDB
$CosmosDBCollectionID = 'VeeamBackupUsage'
$Organizations = Get-VBOOrganization
$Date = get-date -Format "dd.MM.yyyy"

$UsageOutput = foreach ($Org in $Organizations) {
    $UsageData = Get-VBOUsageData -Organization $Org
    # Need to handle the fact that a customer can have data in several repositories
    foreach ($Usage in $UsageData) {
        $id = $([Guid]::NewGuid().ToString())
        $UsedSpaceGb = [MATH]::Round((($Usage.UsedSpace) / 1024 / 1024 / 1024), 1)
        $Udoc = [pscustomobject]@{
            id               = $id
            Date             = $Date
            RepositoryId     = $Usage.RepositoryId
            UsedSpaceB       = $Usage.UsedSpace
            UsedSpaceGB      = $UsedSpaceGb
            OrganizationName = $Usage.Organization.DisplayName
            OrganizationMSID = ($Usage.Organization.Id.Value).Split(":")[0]
        }
        $Udocument = $Udoc | ConvertTo-json | Out-String
        # Writing data to CosmosDB
        New-CosmosDbDocument -Context $cosmosDbContext -CollectionId $CosmosDBCollectionID -DocumentBody $Udocument -PartitionKey $id -Encoding UTF-8
    }
}

The third query will get information about the repositories defined in Veeam Backup for Microsoft 365 and upload it in JSON format to the Cosmos database. The original values from the queries are in bytes; the script adds rounded TB values alongside them.
# Get VBO Repositories, convert to JSON and upload to CosmosDB
$CosmosDBCollectionID = 'VeeamBackupRepositories'
$Repositories = Get-VBORepository
$Date = get-date -Format "dd.MM.yyyy"

$RepositoryOutput = foreach ($Repo in $Repositories) {
    $id = $([Guid]::NewGuid().ToString())
    $RepoCapacityTb = [MATH]::Round((($Repo.Capacity) / 1024 / 1024 / 1024 / 1024), 1)
    $RepoFreeSpaceTb = [MATH]::Round((($Repo.FreeSpace) / 1024 / 1024 / 1024 / 1024), 1)
    $Rdoc = [pscustomobject]@{
        id                    = $id
        Date                  = $Date
        RepositoryId          = $Repo.Id.Guid
        RepoName              = $Repo.Name
        RepoPath              = $Repo.Path
        RepoCapacityB         = $Repo.Capacity
        RepoCapacityTB        = $RepoCapacityTb
        RepoFreeSpaceB        = $Repo.FreeSpace
        RepoFreeSpaceTB       = $RepoFreeSpaceTb
        RepoRetentionType     = $Repo.RetentionType
        RepoRetentionPeriod   = $Repo.RetentionPeriod
        RepoRetentionFreqType = $Repo.RetentionFrequencyType
    }
    $Rdocument = $Rdoc | ConvertTo-json | Out-String
    # Writing data to CosmosDB
    New-CosmosDbDocument -Context $cosmosDbContext -CollectionId $CosmosDBCollectionID -DocumentBody $Rdocument -PartitionKey $id -Encoding UTF-8
}

These different PowerShell parts are combined and scheduled to run as a PowerShell script on a regular basis on the Veeam backup servers using Windows Task Scheduler. The Actions element of the exported task definition looks like this:
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-ExecutionPolicy bypass -file "C:\Simon\CountVeeam365LicensesDailyToPowerBI.ps1"</Arguments>
    </Exec>
  </Actions>

PowerBI data analysis

Using PowerBI Desktop, it is easy to connect to the Cosmos database. With the data loaded into Microsoft PowerBI, you can do further manipulation of the data using DAX. One example is calculating the difference between capacity and free space for the repositories in order to get the used space per repository. This can be done as follows, which returns a separate column with the result ready to use in the report:
RepoUsedSpaceB = CALCULATE(SUM(VeeamRepositories[RepoCapacityB]))-CALCULATE(SUM(VeeamRepositories[RepoFreeSpaceB]))

I have also made a calculation of consumed GB per user in each company. This is done in two steps (the table and column names in my report are Norwegian: VeeamLisenser is the license table, Bruker is the user column, AntallBrukere is the number of users and Kalkulasjonstabell is the calculation table). First I calculate the number of users per company:
AntallBrukere = DISTINCTCOUNT(VeeamLisenser[Bruker])

Then I calculate the consumed GB per user in the company:
GBprBruker = SUM(VeeamUsage[UsedSpaceGB])/Kalkulasjonstabell[AntallBrukere]

Using Power BI we can easily create several reports to visualize the status of the service.

Example of a monthly report of all companies and users protected by Veeam 365 Backup. This can be the basis for invoicing where invoicing is based on the number of users in the system per company.


Example of the historical development of backed-up users per company in Veeam 365 Backup.

Example of gigabytes compared to the number of users per company protected by Veeam 365 Backup.

Example of the calculated column for GB per user in use. Infinity comes from stored data for customers that have terminated their contract but whose data still exists, giving a division by zero users. This has been removed from the graph with a visual filter displaying only companies with more than 0 users.


Example of a report for repositories with forecast in the Veeam 365 Backup service.

This gives a fully automated, always up to date reporting solution showing current usage and historical development related to the provided service, license usage and storage consumption. The reports can easily be filtered by clicking on the values and graphs, giving the consumer of the reports the ability to select the desired view. 


The animation is blurred to protect the data exposed in the report

If you upload your PowerBI report to the online PowerBI service, you can set the dataset to refresh automatically directly from the Cosmos database. This allows for online consumption of the report from all your devices. One idea could be to add it as a tab in a suitable team channel in Microsoft Teams, giving easy access for everyone interested in the topic.

I do believe someone could be interested in the PowerBI report file, but unfortunately it can't be shared because my reports contain PII data. 

Conclusion

I hope this can inspire someone to dive into data capturing and report building. If you have thoughts, ideas or comments after reading this far, please add a comment.