Did You Know: Exchange 2013 SP1 & Command Logging: #MSExchange #iammec

The release of Microsoft Exchange 2013 introduced new feature sets to the core software and sadly removed some. One of the features removed from the product was the ability to see what PowerShell cmdlets were being executed by the Exchange Management Console (EMC). This feature proved to be very useful for administrators to learn PowerShell and to understand how repetitive tasks accomplished in the EMC could be scripted.

The product group listened to user feedback and with the release of SP1 included cmdlet logging in the Exchange Admin Center (EAC). The cmdlet logging functionality will allow you to view up to 500 commands that have been executed from the EAC. The one caveat is that the logging window within the EAC will need to remain open in order to capture the commands.

The command-logging feature requires that you log in to the EAC with rights such as the Organization Management privilege and select the drop-down menu on the right side as indicated below.


By selecting the ‘Show Command Logging’ feature a new EAC window will open. This window will need to remain open while working in the EAC in order for these cmdlets to be logged.


To illustrate how this functionality works, let’s double-click on the user Ray Lewis within the EAC and see what the command-logging window captures.


After double-clicking on the user Ray Lewis, seven different cmdlets are logged, as shown below. The following cmdlets are actually executed by the EAC: Get-Mailbox, Get-User, Get-SharingPolicy, Get-RoleAssignmentPolicy, Get-RetentionPolicy, Get-AddressBookPolicy and Get-UserPrincipalNamesSuffix.


Within the command-logging window, if we select one of the cmdlets, the actual PowerShell command executed is listed in the bottom pane. This allows the administrator to copy and paste the commands that are relevant to them.


The command-logging functionality is a welcome addition back into Microsoft Exchange and is certainly a clear indicator that the product group is indeed listening to your feedback!


003 Geeks With A Blog Podcast – I Think My Heart is Bleeding. #podcast #MSExchange #tech


Show notes:

Heartbleed – 02:57

Amazon Acquires Comixology – 15:42

Office for iPad – 20:28

Google Glass Purchase – 25:28

Google buys Titan Aerospace – 33:54

MS SQL now a 5 billion dollar a year business – 38:36

As the world of Exchange turns – Exchange News

Azure AD Sync Services – 41:06

Updating Exchange 2013 Anti-malware agent from a non-internet connected server – 41:57

MAPI over HTTP and .NET – 44:07

Managed Store Performance – 45:05

BUILD Update – 46:38

Windows Phone 8.1 – 47:15

Windows 8.1 Update – 58:37

Microsoft drops Windows 8.1 support – 1:06:28

Universal Apps – 1:12:20

Did You Know: MAPI over HTTP and .NET: #MSExchange #iammec

Do all the great additions of Exchange 2013 SP1 have you thinking about turning on MAPI over HTTP? If so, are you running .NET Framework 4.5.1? The release notes for this framework mention that performance and reliability improvements are provided. New performance features such as ASP.NET app suspension and multi-core JIT improvements are now available; for instance, ASP.NET app suspension allows IIS 8.5 and Windows 2012 R2 to suspend sites based on request timeout values, thus freeing up CPU and memory on the server. When a suspended site is requested, the site is then loaded up into memory allowing for accelerated performance.

The Exchange Team echoes the performance improvements of .NET Framework 4.5.1 for 2013 SP1 customers in their latest blog post. Specifically, if MAPI over HTTP is going to be used within your messaging environment, then it is “critical” to install .NET Framework 4.5.1. The reason stated in this blog post is that the framework contains “important fixes that impact both performance and scalability of MAPI over HTTP at the CAS layer.”


Windows Phone 8.1 Released to Developers: #windowsphone

Windows Phone 8.1 has been released to developers this morning! If you are a Windows Phone developer you can now start to stream the download. Joe Belfiore has also provided notification via Twitter.

Microsoft is right on time with this release based on the promised timeframes made at Build.

Get ready to download and test Cortana (U.S. only), skinned tiles and a revised notification center.

Windows Phone 8.1 Coming Today to Developer Preview #WindowsPhone

Per this upcoming post from Microsoft, Windows 8.1 should be hitting the phones registered for developer preview TODAY, April 14th! Happy downloading.


Here is the link on how to sign up for a free developer preview account, for those who are interested but have not signed up yet.


Remember the Migration!

Now that Exchange 2013 SP1 (15.00.0847.032) has been released, those that work as consultants will start to see a spike in billable hours. The reason is that our enterprise customers will now seek to begin migration projects. While the validity of that best practice fell by the wayside many years ago, I still experience many customers standing their ground about not executing a large-scale migration project until SP1 of the product has been released. Certain habits are difficult to break no matter how hard we challenge that line of reasoning during the pre-sales process. Just to highlight the diligence around patching a messaging infrastructure, I’m sure all those that have installed 2013 SP1 have also installed the required post SP1 fixes.

Humor aside, this is a good time to review several salient reminders that were pointed out during the Microsoft Exchange Conference concerning mailbox migrations to 2013.

  • Exchange 2013 has changed the methodology by which a user’s actual mailbox size is reported. Now, a more precise calculation is used which reports back all properties of a user’s mailbox and not a partial set of properties like in the legacy versions. According to Microsoft, the net effect of this change is that legacy Exchange users that are migrated into 2013 will see the “reported” size of their mailbox increase around 30%. It is important to note that the physical size on disk has not increased; rather the logical reporting size of the mailbox has increased. This means that legacy users close to their quota (~75%) will require additional attention prior to migration. Users that are close to their quota within the legacy environment and then are moved to 2013 most likely will exceed their enforced quota. An unanticipated effect may be that the user cannot send or receive new mail after migration. This of course depends on the quota restrictions that are configured. A simple fix is to increase the quotas by 30% at the database level (or mailbox) on the legacy Exchange system prior to migration. Remember to check the following limits on your legacy Exchange databases: Issue warning at (GB), Prohibit send at (GB), and Prohibit send and receive at (GB). You can verify your configured database limits prior to migration by using the following PowerShell command: Get-MailboxDatabase <database name> | fl *quota*
  • During migration projects for larger enterprise customers, any production-impacting changes will need to be coordinated through a change review board. These changes are then approved through a committee vote and scheduled for a precise start and end time. During an approved change, a conference bridge is set up (with a cast of thousands) where you will need to announce when you are making a change, when the change is completed, and when the change has been tested. Don’t be the consultant that requests the DNS team to make a change to an A record for a namespace cutover only to realize the TTL is set to 86400 seconds (24 hours) while on the bridge. I guarantee that you will never forget that mistake. As part of your steps during a namespace cutover, make sure to verify and document the TTL of all relevant DNS records. If the TTL is set to a longer than desired time, then change the TTL of these DNS records 24 hours prior to the actual scheduled namespace cutover.
  • It is important to review how the Offline Address Book (OAB) within your legacy Exchange environment is configured. Many mailbox databases have a setting of $null for their default OAB. This configuration simply means that the default OAB is used. However, when the first Exchange 2013 Mailbox server is introduced into the environment a new ‘default’ OAB is created. This means Exchange 2013 will now be responsible for generating and distributing the OAB. This becomes problematic if your environment has a large OAB (some are 100 MB+) with thousands of Outlook clients distributed over many types of networks with varying degrees of available bandwidth. Yes – think about how popular you will be with the network team on Monday morning when 10,000 users open up Outlook and initiate a full OAB download at the same time. Brutal. The easy workaround is to configure all legacy Exchange databases with the legacy OAB prior to installing Exchange 2013. The following PowerShell command can help: Set-MailboxDatabase -Identity <database name> -OfflineAddressBook "<default OAB Name>". For a more detailed explanation of this situation read the article written by fellow Microsoft Certified Master (and MVP) Andrew Higginbotham.
  • The timing of when to swing the SMTP endpoint from the legacy Exchange infrastructure to 2013 is often discussed. The best practice for larger migrations is to make this change once 50% of users have been moved to 2013.
  • Some scenarios can benefit from installing newly built Exchange 2013 servers into an empty Active Directory Site. This will allow you to configure the 2013 environment fully, while providing a logical separation from internal domain-joined clients’ AutoDiscover SCP requests. The 2013 servers can be moved to the production Active Directory site once you have completed all necessary configuration steps.
  • Don’t forget all the great tools that Microsoft provides us with to help with migrations! We have the:

Hopefully, some of these reminders can help you to avoid being the consultant that has to request an emergency extension to a change control window because you forgot something!

Now where is my Exchange 2013 post SP1 project plan…
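
A read-only report for the mailbox quota and OAB reminders above, added here as an example and not taken from the original post. It assumes the Exchange Management Shell on the legacy system (PowerShell 2.0 or later), that quota is measured against TotalItemSize, and the variable and column names are illustrative.

```powershell
# Read-only pre-migration report; makes no changes to mailboxes or databases.
# Assumption: quota and size values are the rehydrated objects the management tools
# expose (IsUnlimited, Value.ToBytes()); a plain remote session returns strings instead.
$growth = 1.30    # reported size grows by around 30% after the move, per the post
$limits = 'IssueWarningQuota', 'ProhibitSendQuota', 'ProhibitSendReceiveQuota'

# Index the databases once so each mailbox lookup is a hashtable hit.
$databases = @{}
Get-MailboxDatabase | ForEach-Object { $databases[$_.Name] = $_ }

$quotaRisks = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx   = $_
    $db    = $databases[$mbx.Database.Name]
    $stats = Get-MailboxStatistics -Identity $mbx.Identity -WarningAction SilentlyContinue
    if (-not $stats -or -not $db) { return }   # no statistics yet, or database not listed
    $sizeBytes = $stats.TotalItemSize.Value.ToBytes()
    foreach ($limit in $limits) {
        # A mailbox inherits the database limit unless it carries its own.
        $quota = if ($mbx.UseDatabaseQuotaDefaults) { $db.$limit } else { $mbx.$limit }
        if ($quota.IsUnlimited) { continue }
        $quotaBytes = $quota.Value.ToBytes()
        if ($sizeBytes * $growth -gt $quotaBytes) {
            # Projected reported size would cross this limit after the move.
            New-Object PSObject -Property @{
                Mailbox        = $mbx.Name
                Database       = $db.Name
                Limit          = $limit
                Inherited      = $mbx.UseDatabaseQuotaDefaults
                PercentUsedNow = [math]::Round(100 * $sizeBytes / $quotaBytes, 1)
                SuggestedGB    = [math]::Round($quotaBytes * $growth / 1GB, 2)
            }
        }
    }
}

# Databases with no explicit OAB fall back to the default OAB (the $null case above).
$noExplicitOab = $databases.Values | Where-Object { -not $_.OfflineAddressBook }

$quotaRisks | Sort-Object Database, Mailbox |
    Format-Table Mailbox, Database, Limit, Inherited, PercentUsedNow, SuggestedGB -AutoSize
$noExplicitOab | Format-Table Name, Server, OfflineAddressBook -AutoSize
```

The Inherited column shows whether the limit to raise lives on the database or on the mailbox itself.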


Windows Phone 8.1 Security and MDM Part 8 – MDM Settings in Windows Phone 8.1

Windows Phone 8.1 Security and MDM Part 8
Anyone who knows me can tell you how much I love all things mobile and how to secure and manage those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management. Here is a chart from the white papers on MDM and EAS policies, and what features and settings you can now manage in Windows Phone 8.1 with each.


Windows Phone 8.1 Security Overview


Windows Phone 8.1 MDM Overview



Windows Phone 8.1 Security and MDM Part 7 – Remote Inventory and Assistance and Device Retirement

Windows Phone 8.1 Security and MDM Part 7
Anyone who knows me can tell you how much I love all things mobile and how to secure and manage those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management. Here are some additional informational excerpts from the white papers on Remote Inventory and Assistance and Device Retirement.

Windows Phone 8.1 Security Overview
Windows Phone 8.1 MDM Overview

Remote Inventory and Assistance

Mobile devices rarely remain stationary, and they may rarely connect to your organization’s intranet. This means you need to manage and provide support for devices remotely. Windows Phone includes the Remote Inventory and Remote Assistance features to help keep on-the-go users productive in their job roles.
Remote Inventory
Remote Inventory helps you better manage devices by providing in-depth information about each device.

Windows Phone 8 and Windows Phone 8.1

Installed enterprise apps
Device name
Device ID
OS platform type
Firmware version
OS version
Device local time
Processor type
Device model
Device manufacturer
Device processor architecture
Device language

New information in Windows Phone 8.1 only

Phone number
Roaming status
Wi-Fi IP address
Wi-Fi DNS suffix and subnet mask

Your MDM system collects the inventory information remotely from the device, then you can use the reporting capabilities of your MDM system to analyze device resources and information. Using this information, you can determine the current hardware and software resources of the device, which helps you keep track of which devices are current with updates.

Device Retirement

Device retirement (un-enrollment) is the last phase of the device life cycle. Typically, mobile device retirement is a complex and difficult process for organizations. When the device is no longer needed, any corporate data must be removed (wiped) from the phone. BYOD scenarios make retirement even more complex, because the user might have personal data on the device that they want to keep. So, organizations must remove their data without affecting the user’s data.
If the device is lost or stolen, the organization must remove any corporate data from the device, as well. For these scenarios, device retirement must be done remotely, because authorized users won’t have physical access to the device.
You can remotely remove all corporate data from a Windows Phone device without affecting the existing user data. IT pros or the device’s user can initiate device retirement. When the retirement is completed, the device is returned to a consumer state. The following list offers some of the corporate data removed from a device when it is retired:

Email accounts
Enterprise-issued certificates
Network profiles
Enterprise-deployed apps
Any data associated with the enterprise-deployed apps
Enterprise-issued device policies

Note: All of these features are in addition to the software and hardware factory reset features of the device, which people can use to restore the device to the factory configuration.

The policies that are available for managing device retirement include:

Disable user manual MDM un-enrollment
Disable user manual MDM software and hardware factory reset

Your MDM system can set these policies on devices as required (see the “Configuration policies management” section earlier in this guide). For BYOD devices, the user may want to retire the device as well. When the user retires a device, your MDM system receives a report from the device that the user is retiring the device. Use this information to perform additional analysis, if necessary.
For more information about the policies used to manage device retirement (un-enrollment) in Windows Phone, see http://go.microsoft.com/fwlink/?LinkId=394996.

Windows Phone 8.1 Security and MDM Part 6 – Email Message and Account Management

Windows Phone 8.1 Security and MDM Part 6
Anyone who knows me can tell you how much I love all things mobile and how to secure and manage those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management. Here are some additional informational excerpts from the white papers on Email Message and Account Management.

Windows Phone 8.1 Security Overview
Windows Phone 8.1 MDM Overview

Email Account Management

Probably one of the most important services for users is email. Today, most users are unable to perform their normal job functions without email, and mobile users are no exception. In fact, they are even more dependent on email to maintain communication while on the move.
Windows Phone allows your MDM system to manage user email accounts. You can push specific email accounts to devices as well as prevent users from adding personal email accounts, which helps ensure that organization-owned devices are used for their intended purpose and also prevents users from getting malware from unprotected email accounts.

Email Message Management

You can use your MDM system to manage the email accounts and connectivity to your mail system, but what about the management of the email messages themselves? You can use EAS services that Microsoft Exchange Server provides in conjunction with your MDM system to manage email messages. Table 2 lists the policies that MDM and EAS support as well as the policies that only EAS supports.