Office came with my new PC - but where is it?

by Ed Sparks

Many  people buy Microsoft Office with their PCs, seeing as this is really the only way to get a highly discounted deal on the software.  Of course, in true Microsoft fashion, this is saddled with all sorts of restrictions that it is non-transferable and the like.

However, what if you're simply rebuilding the same PC and the software isn't on the image?   You don't have a disk with the 2013-era OEM versions.

Thankfully there's now a relatively easy way to download these direct from Microsoft.

Simply visit this website, login with an existing or new Microsoft Account and download.  You'll still need the license key from your PC maker that was included in the box.  You kept that right?

Photo credit add-in-express.com

Photo credit add-in-express.com

Exchange internal anonymous relay done the right way

by Ed Sparks

UPDATED: May 2017

Allow internal SMTP email relay, bypass the junk filters, and make it all work right the first time.

Update: This guidance is still valid up to and including Exchange 2016, but the steps below refer to Exchange 2010. Newer versions use the same types of permissions, but most operations must be done through Exchange PowerShell.

A common scenario for server admins is allowing internal servers to safely relay anonymous emails for alerts, logs, or internal application notifications through Exchange, and ensure the messages are delivered correctly to users.

Beginning with Exchange 2007 Microsoft made changes which made this a better and more controlled process than previous versions, but also made two confusing and distinct ways to configure: the "Externally secured" method and the "anonymous" method. 

Both have their pluses and minuses, but our recommendation is always the latter, as it makes identifying emails that were submitted anonymously (and therefore potentially untrusted) more obvious. Why? Messages submitted in this fashion will advise Outlook not to resolve the sender address to a Display Name. Rather, it only shows the exact (and often completely random) sender from the host SMTP session's envelope. Equally importantly, using this method the end-to-end anti-junk mail configuration will work correctly across both Exchange and Outlook's various filters. 

Microsoft's provides this Technet article which covers how to configure both methods on the Exchange server, but unfortunately gives no context or explanation as to why an admin would choose one or the other. We've written this article based on our experience and testing, to provide the missing details.

Configuration Guidance for Anonymous Method:
We will follow the steps in the article section Grant the relay permission to anonymous connection

  1. In EMC at the Organization/Hub Transport node under the Anti-Spam tab, ensure that the IP Allow List and Content Filter are enabled. These features together actually do the work to make the messages quasi-trusted and stamp the "SCL -1" rating.  Failing to enable both will result in messages not correctly bypassing filters.
    If you don't see these options you might have to run the script to enable Anti-spam features on your server.
     
  2. You may use either the EMS or the EMC (Under Server Configuration/Hub Transport node) to create a new Receive Connector and define the appropriate remote networks or hosts that will be able to use this new connection.
    Note: Be sure you don't leave this new connector accepting connections from all IPs, as this is a security risk for mailicious staff or malware that may get lose on your network. All conenctions to Exchange should be secured or from known systems only.
     
  3. Next, assign the appropriate AD Permission of Ms-Exch-SMTP-Accept-Any-Recipient via the Exchange Management Shell.  At this point, DO NOT follow the rest of the steps under Configure the Receive connector as externally secured, as this method will not be used.
     
  4. Under Server Configuration/Hub Transport switch to the Anti-spam tab. and open the IP Allow List
     
  5. Duplicate the list of hosts that you had enabled to send through your new Receive Connector here. This ensures that both server and client-side anti-spam are bypassed, and the X-SCL -1 header is stamped for Outlook's later use.

Email will now be accepted and relayed through your new connector and will always go directly to the Inbox of users in Outlook/OWA. 


Why Not Externally Secured? 
While this method is easier to configure - just click the checkbox in the EMC - it has two negatives. The first is the previously mentioned display name resolving in Outlook (via the AD Permission "ResolveP2")  With this permission Exchange will consider submitted emails to be authenticated (which they're not), and subsequently resolves the SMTP address to a display name if possible. This is a bad practice in our opinion, as it tricks the end-user into believing this is trusted sender.

The second, and more frustrating problem, is that Exchange will not stamp SCL headers into the message, so the Outlook client-side filtering will be applied (if enabled).  As more-often than not server alerts and backup log messages will look very spammy, they will promptly get turfed into the Junk Email folder. As Outlook thinks it is being helpful deciding on its own, rather than looking at what Exchange rated the message, when in fact it's just creating unhappy users and admins.

Further Reading
What happens when you make your new Receive Connector Externally Secured?

This will be granting several rights including the ability to send on behalf of users in the organization, the ability to ResolveP2 (that is, make it so that the messages appear to be sent from within the organization rather than anonymously), bypass anti-spam, and bypass size limits. The default "Externally Secured" permissions are as follows:

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}
MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}

This is telling Exchange to ignore internal security checks because these servers are trusted, which goes against the ethos of an anonymous relay point.

What happens when you add the Relay Permission instead?
This option grants the minimum amount of required privileges to the Receive Connector for accepting messages from and to anyone, and must be done consciously through the Exchange Shell, rather than clicking a checkbox.

Accepted Domains, Safe Senders List and You
http://blogs.technet.com/b/exchange/archive/2011/07/08/accepted-domains-safe-senders-list-and-you.aspx

Exchange anti-spam myths revealed
http://blogs.technet.com/b/exchange/archive/2009/11/13/exchange-anti-spam-myths-revealed.aspx

The saga of the "Junk Email" Folder - putting the puzzle together
http://www.exchangeinbox.com/article.aspx?i=155

 

Need your Exchange Server to work day and night, and not worry?
Planning an Office 365 Migration?
Contact us today.

Microsoft: we have a (patching) problem

by Ed Sparks

Since Microsoft created (and mostly perfected) Windows, and then Microsoft Update years ago, followed by standardizing on the now legendary Patch Tuesdays, Enterprise has been able to rely on consistent and quality monthly patches.

Sadly, this appears to have gone off the rails badly in the past few months.  As Exchange consultants we had clearly noted this with a number of Cumulative Updates for the past year or two that were getting released, promptly making a mess of things, and being pulled and re-released sometimes two and three times.  When we're talking software that supports large corporate installations, this has been concerning and unacceptable.  Now the rot appears to have spread across the company.  Clearly the resource shuffling, and loss of many long-term staff at Microsoft is hitting home.  Not only does this make for a tremendous amount of testing and re-work when things go bad, it undermines the years of hard-earned trust in the company very quickly.

We've been complaining for a while, but a recent quick search of the internet shows the wider community is now beating this drum as well.

This has even culminated in an open letter to (thankfully finally  ousted) Steve Ballmer by Susan Bradley of Patchmanagement.org:

"On behalf of everyone in this community, may I respectfully request that you assign someone in a management position to investigate what is going on with quality control with patch testing lately?" 
"This month in particular leaves me deeply disturbed that issues that should have been found before these updates were released are being found by us - your customers - after they are released and we are having to deal with the aftermath,"
"Bottom line, sir, this is unacceptable to all of us in the patching community, and quite frankly, it should be just as unacceptable to you."

http://msmvps.com/blogs/bradley/archive/2013/09/11/dear-mr-ballmer-my-email-today.aspx

Here's just a sample of the growing chorus of discontent: 

http://www.techcentral.ie/article.aspx?id=22661

http://www.aidanfinn.com/?p=15507

http://www.zdnet.com/why-all-the-errors-in-microsoft-updates-lately-7000020628/

http://windowsitpro.com/industry/microsoft-better-positioned-support-failed-update-releases-identify-failures-beforehand

Microsoft - PLEASE FIX YOUR PATCHING PROBLEM! 

F5 F6 F7 F8 Red Green. Where are my IE Settings?

by Ed Sparks

Another gem from our friends at Microsoft - this time from the always-a-disaster Group Policy team.

Don't get me wrong, I still think Group Policy is a superbly useful management technology baked for free into Windows. and generally very well supported by Microsoft.  However, the (in)consistentcy of the implementation between OS versions and various product teams at the company is appalling and ridiculous.

This was most recently illustrated while implementing some GPOs for a client needing to manage Internet Explorer.  (Let's give an honourable mention to the IE 10/11 GPO debacle while we're at it) .

In order to have the settings take effect when using the IE Preferences section of a GPO, the vast majority of the items you click on or change HAVE NO EFFECT - unless - SERIOUSLY - you press F5 F6 F7 F8 to toggle the enablement of the sections between various states.  Of course nowhere in the help text does it give any indication this is the case apart from some obscure red squiggly lines or circles that show up under various settings.  No right click, no checkbox.  Nope. F5 6-7-8.

A complete disaster of discovererability and design.  

What happens if you don't randomly think to press these arbitrary keys?  Well your GPO just goes into the bit bucket.  Of course the Group Policy Result on your client will show it as being implemented, but it just magically doesn't. 

Beautifully done Microsoft! 

The Technet article of hilarity:
http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx

Do you see the red line?  Didn't think so.

Do you see the red line?  Didn't think so.

Microsoft's Nokia purchase: interesting perspective

by Ed Sparks

From a former Microsoft employee, this is a very good read on the Microsoft-Nokia marriage... 

I suspect Ballmer and the board had their finger on the “acquire” button all along, mainly to ward off a competitive acquisition or to save Nokia from drowning and leaving Microsoft with no one to throw a Windows Phone-shaped life preserver to. A year ago, saving Nokia may have seemed less crucial, had it come to that. After all, Microsoft could just build its own hardware and forget the whole software licensing side of things altogether if it needed to (unlike the PC market and big Windows, they really had nothing to lose by doing this). I don’t think it was plan A. Maybe B or C. But in light of the Surface write-down, I think that contingency suddenly seemed a whole lot more risky, and that finger over the acquire button got twitchy.

Full article: 

http://brandonlive.com/2013/09/04/did-the-surface-write-off-cause-microsoft-to-buy-nokia/

Source: http://brandonlive.com/2013/09/04/did-the-...

Windows Server 2012 - Roles, Features and 0x80073701

by Ed Sparks

Windows loves to throw endless curve balls to us administrators.

The latest?  Server Manager would throw an exception - 0x80073701 - and refuse to install various features as a result.   Most notably, this seems to occur with any feature that use .NET (such as the framework itself, or Group Policy Management Console).

We went on the usual adventures into c:\windows\logs\cbs\cbs.log to look around, and found all sorts of errors.  Uninstalled some patches that looked questionable, ran the 

sfc /scannow

and  

DISM /Online /Cleanup-Image /RestoreHealth.  

No dice.

Further examination of the cbs.log found some references to language packs that the Windows Installer couldn't find.  

This is a US English version of Windows, with nothing much special installed.   

Sure enough, we found Spanish and Japanese display languages were somehow installed on the server! 

Removing these has resolved our issues, and the features and roles now install normally. 

How?  From the start screen or Run dialog type: 

lpksetup.exe

(yes, it's hidden by default).   

A dialog will open where you can verify and remove languages. 

We've yet to figure out how these languages got onto the system, or why they would cause problems, as it was our understanding the whole component language nature of Windows  - particularly in the 8/2012 era - was to resolve all this mess.  

As usual, with most things Windows Installer, it just ends up causing a bigger headache. We can't help but still think the  Component Store/WinSxS continues to be one of the worst engineered parts of Windows.

 

Update: 
In another case we found we had to actually install  a language pack, in order to get the right packages onto the system so that the feature addition would complete.  The cbs.log file showed missing packages with KO-KR in the name.  This indicated the installer was looking for Korean language pack files.

A quick trip to Control Panel-Clock, Language and Region-Add a Language and we could select and then install the Korean language.  Tip: double click on the language when it's added to the list to auto-download from Microsoft. 

language_01[1].png

Outlook's Disappearing Ribbon

by Ed Sparks

Microsoft CRM users beware!  There appears to be a strange bug in a few of the builds of the CRM for Outlook plugin that is causing Outlook's (and in some cases all of Office's) Ribbons to disappear.  

When this occurs, the end-user gets an Outlook window that has all of the normal message and folder views, but no buttons or icons anywhere to perform any actions. The one exception is the Quick Access Toolbar remains.  Obviously, this makes Outlook a somewhat less useful tool!  No amount of resetting toolbar/ribbon or add-in settings proved useful in attempting to resolve this issue. 

Thankfully, Microsoft has now published an article about the cause.  In discussing further with them, it apparently relates mostly to users that have upgraded through a few versions of Office on their systems, and some residual registry keys. 

In our case, we've only seen this with CRM, but this is useful knowledge as another place to look if your Outlook ribbons and toolbars have gone the way of the dodo. 

The Outlook ribbon disappears from Microsoft Outlook when you use the Microsoft Dynamics CRM Client for Microsoft Office Outlook