Friday, 25 April 2014

Lync Hosting Pack version 2 now officially supports Lync 2013 CU4

Great news to all LHPv2 hosters, Microsoft have confirmed with me that Lync 2013 CU4 is now officially supported for Lync 2013 LHPv2.

There appears to be no official page up yet on the announcement, and it is possible there may never be one, but I have confirmed it is now supported by Microsoft and I am including their test upgrade document.

Grab CU4 here and finally approve it for your WSUS patching teams without fear of rebuilding an entire LHPv2 platform :-)

Grab the CU4 test document here.


Oliver Moazzezi - MVP Exchange Server

Thursday, 24 April 2014

Disk Monitoring override changes and improvements in Exchange 2013 SP1 Managed Availability

Many will question their love affair with Managed Availability and whether they find it a worthwhile feature set or a hindrance to their daily Exchange 2013 tasks. However, in principle it is a sound investment in the evolution of Exchange and will only improve with time.

One of the many monitoring probes in Managed Availability is the ability to monitor the free space on drives that house Exchange databases.

By default the free space threshold is 200GB. Because many people regularly dropped below this threshold, many administrators simply set an override on the monitoring probe to turn it off altogether, effectively removing the probe so that free space is not reported on at all.

Pre-SP1 the command to override the monitoring probe was:

Add-ServerMonitoringOverride -Identity "MailboxSpace\StorageLogicalDriveSpaceEscalate" -Server 'server' -ItemType "Responder" -PropertyName Enabled -PropertyValue 0

However, in Exchange 2013 SP1 this command has changed and is now based on the 'Add-GlobalMonitoringOverride' cmdlet. So many administrators found with new SP1 deployments they could no longer turn the probe off.

The new command for SP1 is:

Add-GlobalMonitoringOverride -Identity "MailboxSpace\StorageLogicalDriveSpaceEscalate" -ItemType "Responder" -PropertyName Enabled -PropertyValue 0 -ApplyVersion "15.0.847.32"

Note: you must always use -ApplyVersion, which applies the override for an unlimited duration to the server version that matches the output; otherwise you need to specify -Duration, which has a maximum of 90 days.

A fantastic inclusion in SP1 is also the ability to change the default 200GB free space setting. You can now customize this to a size of your choosing by adding the following reg key:


This will allow you to set a more 'real world' value for your environment and tailor the metric to your environment's needs. As an example, if you are using 500GB disks and you manage your Exchange organisation well, you may very well want the setting well below the default 200GB threshold, allowing you to keep the monitoring probe enabled and in use.

Take care,

Oliver Moazzezi - MVP Exchange Server

Monday, 14 April 2014

Document finger printing with DLP in Exchange 2013 SP1

Exchange 2013 SP1 has introduced many new features. One of these features is document finger printing for Data Loss Prevention.

DLP is available to administrators via the EAC or through a set of PowerShell commands.

In the EAC, Data Loss Prevention sits under compliance management.

With Exchange 2013 SP1 we can immediately see the impact document finger printing has made in the EAC as it is clearly visible to the administrator.

So let's create a document finger print from a document template.

I have created in Microsoft Word a simple document template with a detailed page footer. With document finger printing we can upload this template into DLP, and then any documents that are sent by a user that match the heuristics of my template will trigger DLP into action.

Let's upload my document to DLP. I click on 'Manage document fingerprints'

I select Add and give the new document finger print a name and description

I select add to upload my document template

Once uploaded (and note I can upload multiple documents) click 'save'

So I now have a document finger print uploaded and can see it under 'Oliver Test'

However upon closing the window I am back to data loss prevention and no DLP policies are configured

This is because we now have to create one, matching it against our document finger printing template we have just created.

Click + to create a new DLP policy rule and select 'New custom DLP policy'

Give the new custom policy a name, set it to enabled, and leave it for the time being as 'Test DLP policy without Policy Tips'

Once saved we need to open it

We can now specify some rules. Select rules in the left pane

We'll add a new rule

I will create a rule based on 'Notify sender when sensitive information is sent outside the organization'

I am leaving the rule for this demo purpose on its defaults and will drill into 'Select sensitive information types' as shown above

From here I can add my document finger print template policy rule

Once added it is appended to the sensitive information types. Note I can add more if I wished, simplifying the possible need to add additional DLP policies.

We must now create some rules

I am choosing to create an incident report and send it to someone in my organisation

And include certain message properties I am interested in

So what happens if someone sends an email with a document that matches my template?

Once the sender has sent the email, the person or group chosen in the rule to be alerted when someone sends a document matching the finger print is alerted immediately

You can see it includes the message properties I selected and also a copy of the email – which I specified in the custom DLP policy.
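The same workflow can be built from the Exchange Management Shell instead of the EAC. This is an added example, not taken from the original post; the template path, policy and rule names, and the report mailbox are constructed placeholders, and only 'Oliver Test' comes from the walk-through above.

```powershell
# Added example: fingerprint -> data classification -> DLP policy -> rule.
# Placeholders (assumptions): file path, policy/rule names, report mailbox.
$templatePath  = 'C:\Templates\CorporateTemplate.docx'
$policyName    = 'Fingerprint Test Policy'
$reportMailbox = 'dlp-reports@example.com'

# 1. Fingerprint the template document (equivalent to uploading it in
#    'Manage document fingerprints').
$bytes       = [System.IO.File]::ReadAllBytes($templatePath)
$fingerprint = New-Fingerprint -FileData $bytes -Description 'Corporate template'

# 2. Wrap the fingerprint in a sensitive information type. Several
#    fingerprints can be passed as an array to cover multiple templates.
New-DataClassification -Name 'Oliver Test' `
    -Description 'Documents based on the corporate template' `
    -Fingerprints $fingerprint

# 3. Custom DLP policy in audit mode, which corresponds to
#    'Test DLP policy without Policy Tips' in the EAC.
New-DlpPolicy -Name $policyName -State Enabled -Mode Audit

# 4. Rule: a message leaving the organisation that matches the fingerprint
#    notifies the sender and generates an incident report that includes
#    the chosen message properties and a copy of the original mail.
New-TransportRule -Name 'Fingerprinted document sent externally' `
    -DlpPolicy $policyName `
    -Mode Audit `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = 'Oliver Test' } `
    -NotifySender NotifyOnly `
    -GenerateIncidentReport $reportMailbox `
    -IncidentReportContent Sender, Recipients, Subject, DataClassifications, AttachOriginalMail

# 5. Confirm what was created before moving the policy out of test mode.
Get-DataClassification -Identity 'Oliver Test' | Format-List Name, Description
Get-TransportRule -DlpPolicy $policyName | Format-List Name, State, Mode
```

Keeping the policy in audit mode while reviewing the incident reports shows how often the fingerprint matches ordinary mail before any enforcement is switched on.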

This is a fantastic feature in Exchange 2013 SP1 that allows organisations to create DLP finger prints for all corporate documents and then create DLP policy workflows to ensure they are controlled and managed in the enterprise with Exchange 2013 Data Loss Prevention.

DLP requires an Enterprise CAL for use, but the cost of the CAL versus the additional cost via third party tools to achieve the same functionality may actually make the CAL upsell and native support the best option for organisations looking to implement this feature.

For more information on Data Loss Prevention document finger printing in Exchange Server 2013 SP1 please see the following articles

For a comprehensive list of DLP PowerShell cmdlets see:

Take care,

Oliver Moazzezi - MVP Exchange Server

Wednesday, 2 April 2014

Rolling back the Unified Contact Store

The first blog of April '14. Rather than get down at not being at MEC I thought I would do something positive and push this out. Enjoy.

Exchange 2013 and Lync 2013 work better together. Microsoft have made strong ground in ensuring these premium server products are a strong coupling when deploying both together – better together is the terminology that we hear here, and indeed that is true. In fact there's a strong coupling of a range of server products: Exchange, Lync and SharePoint, and the assumption can only be this will continue to improve in the next waves.

Lync and Exchange require a few different setup configurations for all elements to work correctly. We have the entire Trusted Application Pool setup for Exchange IM integration into OWA (I blogged it here), and we have the OAuth integration to provide the Unified Contact Store, or UCS, as well as other features like Online meeting creation in OWA and allowing Lync IM archiving into Exchange.

Today I don't want to go into detail on covering OAuth integration between Exchange and Lync; this has been covered many times in blogs in the last few months. However, I wanted to concentrate on rolling back the Unified Contact Store for users, or at least a subset of users, and this hasn't been covered before.

The Unified Contact Store instructs Lync to place all contacts for Lync enabled users into Exchange, or specifically the users Exchange mailbox, providing they have a policy that allows it.

Let's take a look in Outlook Web App to see what I'm talking about:

So it's a great feature and it makes a lot of sense. Why would you want to revoke it? Well that's a good question, so here's a few examples.

You might be in a hybrid configuration with Office365 where UCS with Lync on-premise is not supported
The user might not have a mailbox at all, or be on a legacy version of Exchange (different but means you must have UCS and non UCS policies in place and know when to use them)
The user might have corruption in their mailbox causing multiple Lync contacts or similar, so you might want to roll it back for the user whilst you fix their mailbox

So taking that on board, let's take a look at my user, Test1. (I am looking at 'configuration information' by holding Ctrl and right clicking the Lync icon in the system tray)

We can see the UCS is enabled. It explicitly states under 'UCS Connectivity State' that 'Exchange connection Active', and the Contact List Provider is 'UCS'. Fantastic.

So what do we have to do to revoke UCS for my Test1 user? Read on.

   1. First of all we need to create, if one doesn't exist already, a policy that does not allow UCS.

       Check to see what your policies are: Get-CsUserServicesPolicy

       I only have a Global one here and you can see UCS is allowed. So let's create a new one that does not have UCS enabled.

   2. Create a new policy with: New-CsUserServicesPolicy -Identity UCSdisable -UcsAllowed $false
       Call it whatever you want but you will likely want to clarify it has UCS disabled.

   3. We now need to push our UCSdisable policy to our test user: Grant-CsUserServicesPolicy -Identity 'user' -PolicyName UCSdisable

   4. Let us confirm they have the policy that denies UCS: Get-CsOnlineUser | select SipAddress, UserServicesPolicy

   5. Finally we roll back UCS on the user. This takes the Lync contacts from the Exchange mailbox and places them back into Lync: Invoke-CsUcsRollback -Identity 'user'

   6. It may take a good 10 minutes (or longer if you have hundreds of Lync contacts) before this process completes. But when checking the Lync client of the user you should then be able to confirm UCS is disabled

And that's the process completed. You can then define in certain scenarios who can have UCS enabled and who has to continue to use Lync Server as their Contact List Provider depending on your needs, or just document the steps for your DR plans.

One thing to note is that if you invoke the rollback from UCS to Lync but you do not give the user a disabled policy for UCS, after 7 days Lync will then start pushing all contacts back into Exchange.
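The steps above can be wrapped in one function that refuses to roll back until the no-UCS policy is actually assigned, which avoids the contacts being pushed back into Exchange after 7 days. This is an added example, not from the original post; the function name and the SIP address are hypothetical, and it assumes the on-premises Get-CsUser cmdlet exposes the assigned policy as UserServicesPolicy.

```powershell
# Added example. 'UCSdisable' is the policy name used in the steps above;
# Disable-UcsForUser and the SIP address below are hypothetical.
function Disable-UcsForUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [string]$PolicyName = 'UCSdisable'
    )

    # Steps 1-2: create the no-UCS policy only if it does not exist yet.
    $policy = Get-CsUserServicesPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
    if (-not $policy) {
        $policy = New-CsUserServicesPolicy -Identity $PolicyName -UcsAllowed $false
    }
    if ($policy.UcsAllowed) {
        throw "Policy '$PolicyName' still allows UCS; not continuing."
    }

    # Step 3: assign the policy BEFORE rolling back. Without it, Lync
    # starts moving the contacts back into Exchange after 7 days.
    Grant-CsUserServicesPolicy -Identity $Identity -PolicyName $PolicyName -ErrorAction Stop

    # Step 4: confirm the assignment. Assumption: the policy's string form
    # is its name. A freshly granted policy can take a moment to show up.
    $user = Get-CsUser -Identity $Identity -ErrorAction Stop
    if ("$($user.UserServicesPolicy)" -ne $PolicyName) {
        throw "User '$Identity' does not have policy '$PolicyName' yet; rollback skipped."
    }

    # Step 5: move the contacts from the Exchange mailbox back to Lync.
    Invoke-CsUcsRollback -Identity $Identity -ErrorAction Stop

    # Return what was verified so a bulk run can be logged.
    $user | Select-Object SipAddress, UserServicesPolicy
}

# Usage with a constructed address:
# Disable-UcsForUser -Identity 'sip:test1@example.com'
```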

Take care,
Oliver Moazzezi - MVP Exchange Server