From 0943e65daeca3fd182ae64e02469b69c57559cd4 Mon Sep 17 00:00:00 2001 From: Eric Scherlinger <35633680+ericsche@users.noreply.github.com> Date: Tue, 20 Feb 2018 11:39:22 +0100 Subject: [PATCH 1/3] Update online-deployment-surface-hub-device-accounts.md Updated documentation for: new azure AD PowerShell module update 2 commands for Skype Improved prereq with download link. --- ...-deployment-surface-hub-device-accounts.md | 40 +++++++++++++------ 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 6dc990e855..f8dd53e34e 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -25,7 +25,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow Be sure you have the right permissions set to run the associated cmdlets. ```PowerShell - Set-ExecutionPolicy Unrestricted + Set-ExecutionPolicy RemoteSigned $org='contoso.microsoft.com' $cred=Get-Credential admin@$org $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection @@ -70,37 +70,52 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow ``` 5. Connect to Azure AD. - + + You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : + + ```PowerShell + Install-Module -Name AzureAD + ``` You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. ```PowerShell - Connect-MsolService -Credential $cred + Import-Module AzureAD + Connect-AzureAD -Credential $cred ``` 6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. ```PowerShell - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true + Set-AzureADUser -ObjectId "HUB01@contoso.com" -PasswordPolicies "DisablePasswordExpiration" ``` 7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online). - Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. - Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). + Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. ```PowerShell - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation "US" - Get-MsolAccountSku - Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense + Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" + + Get-AzureADSubscribedSku | Select Sku*,*Units + $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense + $License.SkuId = SkuId You selected + + $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses + $AssignedLicenses.AddLicenses = $License + $AssignedLicenses.RemoveLicenses = @() + + Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses ``` 8. Enable the device account with Skype for Business. + If you do not have the Skype for Business Powershell module installed, you can download it [here](http://go.microsoft.com/fwlink/?LinkId=294688). - Start by creating a remote PowerShell session from a PC. ```PowerShell - Import-Module LyncOnlineConnector + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` @@ -108,12 +123,13 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow - Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*): ```PowerShell - Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool* + (Get-CsTenant).TenantPoolExtension ``` OR by setting a variable ```PowerShell - $strRegistrarPool = (Get-CsOnlineUser -Identity ‘alice@contoso.com’).RegistrarPool + $strRegistrarPool = (Get-CsTenant).TenantPoolExtension + $strRegistrarPool = $strRegistrarPool[0].Substring($strRegistrarPool[0].IndexOf(':') + 1) ``` - Enable the Surface Hub account with the following cmdlet: From 5f40eb058946949aca8ad3e340242ce65b603214 Mon Sep 17 00:00:00 2001 From: Eric Scherlinger <35633680+ericsche@users.noreply.github.com> Date: Tue, 20 Feb 2018 18:14:39 +0100 Subject: [PATCH 2/3] Update hybrid-deployment-surface-hub-device-accounts.md Updated for Azure AD plus optimized some commands --- ...-deployment-surface-hub-device-accounts.md | 117 +++++++++++------- 1 file changed, 72 insertions(+), 45 deletions(-) diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index 1281d6ae51..7eb0a87af9 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -38,11 +38,11 @@ Use this procedure if you use Exchange on-premises. -3. Enable the remote mailbox. +2. Enable the remote mailbox. Open your on-premises Exchange Management Shell with administrator permissions, and run this cmdlet. - ```ps1 + ```PowerShell Enable-RemoteMailbox 'HUB01@contoso.com' -RemoteRoutingAddress 'HUB01@contoso.com' -Room ``` >[!NOTE] @@ -54,7 +54,7 @@ Use this procedure if you use Exchange on-premises. > >msExchRecipientTypeDetails = 8589934592 -2. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online. +3. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online. 4. Connect to Microsoft Exchange Online and set some properties for the account in Office 365. @@ -62,8 +62,8 @@ Use this procedure if you use Exchange on-premises. The next steps will be run on your Office 365 tenant. - ```ps1 - Set-ExecutionPolicy Unrestricted + ```PowerShell + Set-ExecutionPolicy RemoteSigned $cred=Get-Credential -Message "Please use your Office 365 admin credentials" $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection Import-PSSession $sess @@ -77,13 +77,13 @@ Use this procedure if you use Exchange on-premises. If you haven’t created a compatible policy yet, use the following cmdlet—-this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. - ```ps1 + ```PowerShell $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false ``` Once you have a compatible policy, then you will need to apply the policy to the device account. - ```ps1 + ```PowerShell Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id ``` @@ -91,31 +91,44 @@ Use this procedure if you use Exchange on-premises. Setting Exchange properties on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. - ```ps1 + ```PowerShell Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse 'This is a Surface Hub room!' ``` 7. Connect to Azure AD. + You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : + ```PowerShell + Install-Module -Name AzureAD + ``` + You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. - ```ps1 - Connect-MsolService -Credential $cred + ```PowerShell + Import-Module AzureAD + Connect-AzureAD -Credential $cred ``` - 8. Assign an Office 365 license. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account. + + You can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. - Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. - Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). - - ```ps1 - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US' - Get-MsolAccountSku - Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense + ```PowerShell + Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" + + Get-AzureADSubscribedSku | Select Sku*,*Units + $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense + $License.SkuId = SkuId You selected + + $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses + $AssignedLicenses.AddLicenses = $License + $AssignedLicenses.RemoveLicenses = @() + + Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses ``` Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-premises](#skype-for-business-on-premises), or [Skype for Business hybrid](#skype-for-business-hybrid). @@ -144,25 +157,25 @@ The following table lists the Office 365 plans and Skype for Business options. 1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment. - ```ps1 - Import-Module LyncOnlineConnector + ```PowerShell + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: - ```ps1 + ```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName ``` If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: - ```ps1 + ```PowerShell Get-CsOnlineUser -Identity ‘HUB01@contoso.com’| fl *registrarpool* ``` -2. Assign Skype for Business license to your Surface Hub account. +3. Assign Skype for Business license to your Surface Hub account. Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device. @@ -215,10 +228,10 @@ Use this procedure if you use Exchange online. Start a remote PowerShell session on a PC and connect to Exchange. Be sure you have the right permissions set to run the associated cmdlets. - ```ps1 - Set-ExecutionPolicy Unrestricted + ```PowerShell + Set-ExecutionPolicy RemoteSigned $cred=Get-Credential -Message "Please use your Office 365 admin credentials" - $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/ps1-liveid/ -Credential $cred -Authentication Basic -AllowRedirection + $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection Import-PSSession $sess ``` @@ -228,13 +241,13 @@ Use this procedure if you use Exchange online. If you're changing an existing resource mailbox: - ```ps1 + ```PowerShell Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` If you’re creating a new resource mailbox: - ```ps1 + ```PowerShell New-Mailbox -MicrosoftOnlineServicesID 'HUB01@contoso.com' -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` @@ -246,13 +259,13 @@ Use this procedure if you use Exchange online. If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. - ```ps1 + ```PowerShell $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false ``` Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too. - ```ps1 + ```PowerShell Set-Mailbox 'HUB01@contoso.com' -Type Regular Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id Set-Mailbox 'HUB01@contoso.com' -Type Room @@ -264,7 +277,7 @@ Use this procedure if you use Exchange online. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. - ```ps1 + ```PowerShell Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" ``` @@ -294,24 +307,38 @@ Use this procedure if you use Exchange online. 7. Connect to Azure AD. + You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : + + ```PowerShell + Install-Module -Name AzureAD + ``` You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. - ```ps1 - Connect-MsolService -Credential $cred + ```PowerShell + Import-Module AzureAD + Connect-AzureAD -Credential $cred ``` 8. Assign an Office 365 license. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account. - Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. + Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. - Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). + Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. - ```ps1 - Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US' - Get-MsolAccountSku - Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense + ```PowerShell + Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" + + Get-AzureADSubscribedSku | Select Sku*,*Units + $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense + $License.SkuId = SkuId You selected + + $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses + $AssignedLicenses.AddLicenses = $License + $AssignedLicenses.RemoveLicenses = @() + + Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses ``` Next, you enable the device account with [Skype for Business Online](#sfb-online), [Skype for Business on-premises](#sfb-onprem), or [Skype for Business hybrid](#sfb-hybrid). @@ -323,22 +350,22 @@ In order to enable Skype for Business, your environment will need to meet the [p 1. Start by creating a remote PowerShell session to the Skype for Business online environment from a PC. - ``` - Import-Module LyncOnlineConnector + ```PowerShell + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: - ``` + ```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName ``` If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: - ``` + ```PowerShell Get-CsOnlineUser -Identity 'HUB01@contoso.com'| fl *registrarpool* ``` @@ -368,7 +395,7 @@ For validation, you should be able to use any Skype for Business client (PC, And To run this cmdlet, you will need to connect to one of the Skype front-ends. Open the Skype PowerShell and run: -``` +```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool registrarpoolfqdn -SipAddressType UserPrincipalName ``` @@ -383,7 +410,7 @@ In a hybrid Skype environment, you have to create the user on-premises first, th In order to have a functional Surface Hub account in a Skype hybrid configuration, create the Skype account as a normal user type account, instead of creating the account as a meetingroom. First follow the Exchange steps - either [online](#exchange-online) or [on-premises](#exchange-on-premises) - and, instead of enabling the user for Skype for Business Online as described, [enable the account](https://technet.microsoft.com/library/gg398711.aspx) on the on-premises Skype server: -``` +```PowerShell Enable-CsUser -Identity 'HUB01@contoso.com' -RegistrarPool "registrarpoolfqdn" -SipAddressType UserPrincipalName ``` From a58bfa63afd8b14dbfb378490db586926957f40f Mon Sep 17 00:00:00 2001 From: Michael Gruben-Trejo Date: Wed, 21 Feb 2018 06:53:25 -0800 Subject: [PATCH 3/3] Use Full Path for Security Options Previously, the path to "Security Options" was defined as `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options`. However, there is no such path. There is a path `Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`, at which interactive logon settings may be found. Accordingly, add `Policies` to the path to complete the path. --- ...ve-logon-prompt-user-to-change-password-before-expiration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index 86e3a1b15f..b32948c986 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -34,7 +34,7 @@ The **Interactive logon: Prompt user to change password before expiration** poli ### Location -Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options +Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options ### Default values