March 2016 Quarterly Updates for Exchange Released

Microsoft today released the latest Cumulative Updates for Exchange 2007, 2010, 2013 and 2016.

New for Exchange 2016 only, is the option to download the updates as a single ISO file instead of a self-extracting package.  Copying a single ISO over the network from one server to another is quicker and more efficient than copying the self-extracting package or the thousands of extracted files.

Updates of note this time around:

  • Updated OWA S/MIME Control certificate
  • New distribution package for Exchange 2016
  • Change to mailbox anchoring for remote PowerShell
  • 17 new languages supported for OWA
  • Support for Standalone Hybrid Configuration Wizard in Exchange 2010

Microsoft is working on building in support for .Net 4.6.1 in the next quarter’s Cumulative Updates.  So, avoid installing that version of .Net on ANY Exchange server for the time being.

For more info and download links for the updates, follow the links below:

As a side note, yesterday (March 14th, 2016) marked the 20th anniversary of the first public version of Exchange (v4.0) Released To Manufacturing (RMT’d).

It’s been a long journey from the old MS Mail to Exchange Online/Office 365.  Here’s to the next 20 years!

Happy Birthday Exchange Server!

Disable Audio/Video functionality for Skype Users via PowerShell

Like my previous post on Exchange Mailbox Protocols, many companies limit the ability of some of their users (but not all of them) to use the audio/video functionality built into Skype for Business Online.  Normally, this occurs in office environments that don’t have the internet bandwidth to support all that A/V traffic for a large number of users, so they limit that use to those who need it or executives, VIPs.

Unfortunately, it’s not possible to create a SIP profile that enables/disables the protocols for any user to which its assigned. Therefore, administrators must disable this functionality for each individual user.  This is easily done for one or two users via the administrative console web page, but doing this in bulk requires PowerShell.

To help alleviate this, I’ve created a script that leverages security groups in Azure AD (and on-premises AD if they are synchronized via DirSync) as a way to indicate which users should be allowed the use of Audio/Video functionality in Skype for Business Online.

By default, the script will assume your group is named Office365-AllowSkypeAV, but you could use any group name you want and feed that to the script via a command-line parameter.

When run, the script will disable AudioVideo functionality for ANY user who is NOT a member of the above referenced groups.

This script also leverages my WriteTo-Log function so that a running log can be generated keeping track of each change made to each user for auditing purposes.

Finally, there are optional command-line parameters (-From, -To, -SMTPServer) that can be used to ensure the log is emailed to an address of your choice after completing.

You can download the script here.

Disable Exchange Mailbox Protocols via PowerShell Script

Many companies limit the ability of some of their users (but not all of them) to leverage all of the default protocols enabled for accessing a mailbox in Office 365/Exchange Online while still allow them to connect with Outlook via MAPI.

Unfortunately, it’s not possible to create an OWA profile or a POP profile, for example, that enables/disables the protocols for any user to which its assigned. Therefore, administrators must disable these protocols for each individual user at the CASMailbox-level.

To help alleviate this, I’ve created a script that leverages security groups in Azure AD (and on-premises AD if they are synchronized via DirSync) as a way to indicate which users should be allowed the use of a certain protocol.

By default, the script will assume your groups are named as listed below, but you could use any group name you want and feed that to the script via a command-line parameter.

  • Office365-AllowActiveSync
  • Office365-AllowOWA-Device
  • Office365-AllowIMAP
  • Office365-AllowPOP

When run, the script will disable the protocols for ANY user who is NOT a member of the above referenced groups.

This script also leverages my WriteTo-Log function so that a running log can be generated keeping track of each change made to each user’s mailbox for auditing purposes.

Finally, there are optional command-line parameters (-From, -To, -SMTPServer) that can be used to ensure the log is emailed to an address of your choice after completing.

You can download the script here.

PowerShell WriteTo-Log Function

*** UPDATED! ***

I’ve discovered that if I used this function as I’d designed it originally, I couldn’t use it in a script that ran as a scheduled task since there’s no History in the $MyInvocation variable to draw from to name the log file.  So I re-wrote the function to accomodate this in the following way:

  1. If NO -Logfile parameter is passed to the function within a script, it will automatically name the resulting log file as originally described below
  2. If the -Logfile parameter IS passed to the function within a script, it will use the string value passed to it as the log file name to write to.
  3. If a $Script:Logfile variable is defined in the body of the script, and the -Logfile parameter is NOT passed in the script, the function will always use that string value defined.

This allows me to write a script and configure it to run as a scheduled task.  Then I just define a $Script:Logfile variable once at the beginning of the script like this:

$Script:Logfile = ‘.\’+(Get-Date).ToString(‘yyyyMMdd-HHmm’)+”-MyLogFileName.log”

This insures my script always uses the same log file name while it’s running and doesn’t have to rely on HistoryID.


I write a LOT of PowerShell scripts for my clients on almost every engagement I’m on.  It’s not unusual for one of those scripts to execute a command or lots of commands against a lot of user accounts.

In order to ensure I can keep track of what changes are being made to which users, and when the change was made, it’s helpful to have a log file for each execution of a script.

That’s why I wrote my own PowerShell function called WriteTo-Log.  This function creates a log file named with the date & time of the script execution, then the file name of the script (minus the extension) and adds a .log extension and places that log file in the same directory from which the script was executed. (note – not the same directory the script resides, but the directory from which the script was executed)

Example file name: .\2016-01-12-03.22-test-script.log

If you prefer the script use a different file name, you can use the -FileName parameter and pass your own file name to the script each time you invoke the function.

Each time the function is called, a new line is added to the log file with a date/time stamp and whatever string you pass to the function.  You can also add Foreground and Background color formatting and use the optional -OutputToScreen switch parameter to also echo the line out to the screen for easy review.

Example log entry: 2016-01-12 03.22.32 : Found a file!

The function can be easily copied/pasted at the beginning of every script I write.  Then whenever the script takes an action on a user account, I can execute my WriteTo-Log function and pass to it the details of the user and any success/fail results.

I’ve found that running this function in the ISE can cause problems because the ISE doesn’t like or support the Foreground & Background parameters the way I have implemented them.  For best results, save your script to a .ps1 and run it in a separate PowerShell window.

You can find the script an an example use below.  You can also find the script in the TechNet Gallery

Sample usage:


$processes = Get-Process
WriteTo-Log ("Found "+$processes.Count+" processes running") -OutputToScreen -ForegroundColor Green
foreach ($process in $processes) {
WriteTo-Log $process.processname -OutputToScreen -ForegroundColor Yellow
}

You can get the script here.

Update Send Connector SSL Certificate for Hybrid Configuration

​Recently had a customer with an Exchange 2013 Hybrid config require updating an expired SSL certificate.  When they imported the new certificate and assigned it SMTP services, mail flow from on-premises to Office 365 stopped.

This was because the on-premises send connector to Office 365 was still configured to look for that expired certificate (which had also been deleted already).

The fix was to perform the following:

  1. Open Exchange Management Shell on the on-premises Exchange server
  2. Run Get-ExchangeCertificate, and note the Thumbprint of the correct certificate to be used. 
  3. Run $cert = Get-ExchangeCertificate -Thumbprint <thumbprint>
  4. Set a new variable and assign it the concatenated values of the Issuer and Subject values of the certificate (must also include <I> and <S> before each field):
    $TLSCert = (‘<I>’+$cert.issuer+'<S>’+$cert.subject)
  5. Update the send connector with the new values
    Set-SendConnector -Identity “Send Connector Name” -TLSCertificateName $TLSCert

After completing this, any queued mail destined for the Office 365 tenant should begin flowing

Determine Office 365 Public Folder Hierarchy Limit

​Last month, in June 2014, the Exchange Team announced that Office 365 would soon have the public folder hierarchy folder count limit raised from 10,000 folders to 100,000 folders.  This limit increase would begin to take effect in July, 2014.

But how can you tell what your tenant’s current folder count limit is?

  1. Open a remote PowerShell session to your Office 365 tenant
  2. Run the following command:
    Get-Mailbox -PublicFolder | Get-MailboxStatistics | fl FolderHierarchy*

The command will return the following results:

FolderHierarchyChildrenCountWarningQuota : 9000
FolderHierarchyChildrenCountReceiveQuota : 10000

FolderHierarchyDepthWarningQuota         : 250
FolderHierarchyDepthReceiveQuota         : 300

Once the FolderHierarchyChildrenCountReceiveQuota is raised to 100000, you’ll know your tenant has been updated.

If your tenant does not have a public folder mailbox created yet, you can run the command without the -PublicFolder parameter and replace it with any mailbox identity.