About Nick Aquino

Nick Aquino has dropped the mic.

Office 365 Integration with SCCM…

2017-11-20T02:02:27-04:00 | November 20th, 2017 | Azure, blog, Configuration Manager, Microsoft Cloud Solution Provider, Office 365, System Center

Deploying Office or Office 365 has traditionally been a challenge in most corporate environments.  The file types have changed, components have been added/removed, content size isn’t the most manageable, and the amount of business processes that rely on the productivity suite of products requires close management of the deployment to ensure that work can continue once the newer version is deployed.

Microsoft System Center Configuration Manager (SCCM) — as of version 1602 — integrates with Office 365 to offer the ability to deploy the Office 365 productivity suite natively with SCCM.  The feature is called Office 365 Client Management and is found in the Software Library of the SCCM Console.  Here’s a snapshot of what it looks like:

On the left, you have your Office 365 folder with Office 365 Updates included.  In the folder view, you can see a summary of the number of O365 clients and their versions.  If you look closely, the scroll bar indicates there's more to see…

The different sections can be summarized as such:

  1. Number of O365 Clients in total
  2. The breakdown and summarization of the different versions in the environment
  3. A button which will initiate a wizard to create an O365 client deployment package
  4. A chart indicating the number of systems running different languages of O365
  5. A button to create an Automatic Deployment Rule
  6. Another option to create client settings (These are standard SCCM Client settings, nothing special pertaining to O365)
  7. The number of systems configured to the different update Channels for Office 365 client management
  8. If ADRs were created, they would show in this section

I’ve had some great experiences working with the Office 365 Client Management integration in SCCM.  The ability to create a single package that supports multiple languages has reduced my packaging time to minutes.

In addition to providing a built-in package creation utility, SCCM also manages and services O365 packages moving forward.  The updates are all provided through SCCM’s native Software Update technology but are provided to you in a separate node in the console so that you can view only the updates pertaining to the 365 clients in your environment.  This makes it very easy to identify required and installed updates for your managed systems.

As for what’s needed to manage updates for O365 within SCCM:

Requirements for using Configuration Manager to manage Office 365 client updates

To enable Configuration Manager to manage Office 365 client updates, you need the following (summarized from link above):

  • System Center Configuration Manager, update 1602 or later
  • An Office 365 client – Office 365 ProPlus, Visio Pro for Office 365, Project Online Desktop Client, or Office 365 Business
  • Supported channel version for Office 365 client. For more details, see Version and build numbers of update channel releases for Office 365 clients
  • Windows Server Update Services (WSUS) 4.0.  You can’t use WSUS by itself to deploy these updates; you need to use WSUS in conjunction with Configuration Manager
  • On the computers that have the Office 365 client installed, the Office COM object is enabled

All in all, I have to say that I’m very impressed with the integration of Office 365 Client Management into SCCM.  SCCM has always been a very powerful tool, and adding the ability to manage the productivity suite natively in SCCM will ensure that admins in large environments can spend more time managing than packaging.

Good Job Microsoft!

Error Code 0xC1900208 and Workaround…

2017-07-27T01:15:46-04:00 | August 2nd, 2017 | blog, Windows 10

Windows 10 Compatibility checks + Intel Display Adapters + KB4022719 = 0xC1900208

If you’re in the middle of upgrade testing, you may be very well versed in the 0xC1900208 error code, which indicates a compatibility check failure for the Windows 10 in-place upgrade process.  When reviewing the compatibility results, you may find that your system reports you’ll have issues with your display adapter in Windows 10.  The block is a hard block and the upgrade will not proceed.

The failure may be due to the June Rollup KB4022719, which takes one step forward and resolves a compatibility issue with AMD display adapters, but also creates a new compatibility failure for Intel Display adapters.

Microsoft has not noted this in the comments and does not seem to be issuing any fixes yet.  The recommendation is to uninstall the display adapters rather than uninstalling the security updates.

I was recently at a customer site where this issue presented itself on HP 850 Model G1/G2/G3 devices and a workaround needed to be developed for their in-place upgrades to succeed.  Instead of asking users to uninstall the display adapter and driver manually prior to the upgrade, we decided to take advantage of the devcon.exe file that comes with the Windows Driver Kit.

A Link to DevCon.exe information: https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon

High-Level Steps

Three steps were required to provide this workaround:

  1. Device Installation settings must be configured to never install driver software from Windows Update (as in the figure below).  This prevents the system from connecting online and reinstalling the driver after you uninstall.
  2. The display adapter needs to be removed.
  3. The OEM driver needs to be deleted.

Additional Details

Step 1 can be automated in a task sequence step using the REG command:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching /t REG_DWORD /v SearchOrderConfig /d 0x0 /f

For steps 2 and 3, a custom script was developed in PowerShell that utilizes devcon.exe to remove the associated display adapter and delete the OEM driver associated with the specific hardware.  The commands are as follows:

Devcon.exe remove <hardware ID>

Devcon.exe dp_delete <OEMDriver.INF>

To find the hardware ID for the models that are failing the compatibility checks, we simply opened Device Manager and viewed the properties of the display adapter causing the issue.  On the Details tab, you can review the Hardware Ids property and grab the first ID in the list (see figure below).

Once we obtained the hardware ID, we enumerated all installed driver packages with the following command and parsed its output in the script to find the matching INF file name to delete.  The command to enumerate is devcon.exe dp_enum.

So a quick sample of the commands would be as follows:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching /t REG_DWORD /v SearchOrderConfig /d 0x0 /f

devcon.exe remove "*pci\ven_8086&dev_1616&subsys_2216103c&rev_09*"

devcon.exe dp_delete OEM56.inf

The reg add command replaces whatever value is in SearchOrderConfig with the value that tells the system NOT to go to Windows Update for driver updates.  The second command removes the device associated with the hardware ID you specified.  The third command removes the driver package associated with the display adapter.  Note that in the above list of commands, OEM56.inf is just an example.  You will need to enumerate your installed driver packages to determine which INF file to remove.
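As an added example (not the author's script), here is the three-step workaround automated in one PowerShell script.  It assumes devcon.exe from the Windows Driver Kit sits at the assumed path in $DevconPath and that the script runs elevated; the author found the INF name by parsing devcon dp_enum, whereas this example maps the hardware ID to its oemNN.inf through the Win32_PnPSignedDriver WMI class and then runs the same devcon commands.

```powershell
# Added example, not the author's script. Assumes devcon.exe (Windows Driver Kit) is at
# $DevconPath and the script runs elevated. The author parsed "devcon dp_enum" to find
# the INF; this example maps the hardware ID to its oemNN.inf via Win32_PnPSignedDriver.
param(
    [string]$HardwareId = 'PCI\VEN_8086&DEV_1616&SUBSYS_2216103C&REV_09',  # ID from the post
    [string]$DevconPath = 'C:\Tools\devcon.exe'                              # assumed location
)

$ErrorActionPreference = 'Stop'

# Step 1: stop Windows Update from silently reinstalling the driver after removal.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
Set-ItemProperty -Path $regPath -Name 'SearchOrderConfig' -Value 0 -Type DWord
Write-Host 'SearchOrderConfig set to 0 (no driver downloads from Windows Update)'

# Look up the installed driver package BEFORE removing the device, because the
# WMI record disappears with it. DeviceID is the instance ID, which starts with
# the hardware ID, so a prefix match on the first (most specific) ID is enough.
$driver = Get-WmiObject -Class Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'DISPLAY' -and $_.DeviceID -like "$HardwareId*" } |
    Select-Object -First 1

if (-not $driver) {
    Write-Host "No display adapter matching $HardwareId found; nothing to do."
    return
}
$infName = $driver.InfName   # e.g. oem56.inf; the number differs on every machine
Write-Host "Found $($driver.DeviceName) using driver package $infName"

# Step 2: remove the device instance (same command as the post, with wildcards).
& $DevconPath remove "*$HardwareId*"
# devcon exit codes: 0 = success, 1 = success but reboot required, 2 = failure, 3 = syntax
if ($LASTEXITCODE -gt 1) { throw "devcon remove failed with exit code $LASTEXITCODE" }

# Step 3: delete the OEM driver package so Plug and Play cannot restore it from
# the local driver store. Only third-party (oemNN.inf) packages can be deleted.
if ($infName -like 'oem*.inf') {
    & $DevconPath dp_delete $infName
    if ($LASTEXITCODE -gt 1) { throw "devcon dp_delete failed with exit code $LASTEXITCODE" }
} else {
    Write-Host "$infName is an inbox driver, not a third-party package; skipping dp_delete"
}
Write-Host 'Workaround applied; run the in-place upgrade next.'
```

Run it as a task sequence step before the upgrade; an exit code of 1 from devcon means the removal succeeded but a reboot is pending.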

So, in summary:

Intel display adapters in at least certain HP models no longer pass compatibility checks with Windows 10 v1703.  You must turn off automatic updating of drivers from Windows Update, remove the display adapter, remove the driver package associated with the display adapter (so that the local copy cannot be found), and then run your upgrade.  Doing so will allow your system to pass the compatibility check that has been failing since the June Rollup was deployed.

Hopefully this will save some of you the headaches and troubleshooting steps we ran into.

Happy Upgrading!


Office 365 and Bing Maps – Issue and Fix

2017-07-27T00:00:55-04:00 | July 21st, 2017 | blog, Office 365

Bing Maps Add-in to Office 365 changes the message body for emails received with addresses in them

Recently, I noticed that most of the emails I open and read ask me to save them on close because the body has changed.  The message text is “The body of the message <subject> has been changed.  Want to save your changes to this message?”

The issue is that I’ve not changed any part of the message.  I’ve simply opened it and then closed it.  After further investigation, I’ve found that the Bing Maps add-in is modifying the body of the message by replacing any address with a link.

To avoid this behavior, and the annoying message for every email you open that contains an address, simply open Outlook, navigate to File > Manage Add-ins, log in with your Office 365 account, and disable the Bing Maps add-in.  This may take a few minutes to take effect, but a restart should not be required.

This applies to at least version 1706 (Build 8229.2086) of the Microsoft Office 365 release.  I’ve read this may also happen with some older versions but have not tested it.


Mobile Application Management with Intune

2017-07-27T00:00:55-04:00 | June 2nd, 2017 | blog, Intune, Mobility

Mobile Application Management (MAM) is not a new feature.  However, Microsoft is always improving its MAM capabilities, and today Intune supports multiple mobile operating systems.  This is not an easy feat, since Microsoft is bound by the APIs that these other platforms, such as iOS and Android, offer.  These non-Microsoft operating systems are the most prevalent on mobile devices today, and with greater access to corporate data, they pose a threat of data leakage.


We’ve all used the application policies that Microsoft’s wide range of products have offered for many years.  For example:

  • GPOs control where icons are, where data is saved, what drives are mapped, etc.
  • Configuration Manager is used to push software out to authorized users and remove applications from those who are not
  • Active Directory provides a way to secure data on the network with Groups and Users

…And while Microsoft released Intune quite a few years back, I’ve only recently become a real fan, since I started using Mobile Application Management without enrollment.  Let’s take a quick look at how MAM allows you to offer access to corporate data without compromising too much of the flexibility that users enjoy by choosing their own device platform and bringing their own devices to work.


There’s nothing new about the concept of “Bring your own device” (BYOD); it has been around for quite some time.  Users bring their own devices and use them for daily business whenever a phone is needed.  Traditionally, users would log on to a segmented Wi-Fi network that has no access to the corporate network.  This allowed IT admins to avoid managing additional network access to company resources while providing an open network for these devices as well as for guests visiting their offices.  However, with many companies moving data and apps to “the Cloud”, the focus is no longer on segmenting networks and is instead on protecting the data.

Traditional office apps like Word, Excel, and PowerPoint have been available on mobile devices for quite some time now too, but they commonly required sending the documents to your phone and then opening them.  With Office 365, SharePoint online, and OneDrive, these apps now have access to a massive amount of your corporate data.  Without protecting this data when accessed on a mobile device, a user could download sensitive company information on their mobile device unencrypted and unprotected from prying eyes.  This is where I think Mobile Application Management really starts to come into play.

A Real-World Example

Intune’s Mobile Application Management provides the capabilities to protect your sensitive information on the device, wherever that device is, whether it is in a hotel half-way across the world, left behind in a taxi cab, or picked from the pocket of your CEO.  The device may be compromised but the data is secure.  This is due to the way application management protects the data on the device.  Let me provide you with an example:

Bob is the CEO of an organization that provides financial information to customers across the financial markets.  The financial details could make or break a company’s stock profile if they were leaked.  Bob uses an iPhone to read emails and open documents while riding the subway in New York City.  During a busy morning, he’s rushing to make his next appointment and accidentally drops his phone while exiting the train.

Because of the rich set of policies that Bob’s admin has configured with MAM, the data Bob accesses is not allowed to be stored on the device, and after 5 unsuccessful attempts to unlock the phone, the corporate apps and data are wiped.  Even if whoever found the phone were to guess Bob’s PIN, they would still have to guess his credentials, which are required to open any of the company apps that Bob uses.  It’s important to understand that:

  • The data is not on the device
  • There’s a high probability that someone would automatically wipe the device by guessing the PIN wrong 5 times
  • By the time Bob realizes he’s lost his phone, a quick call to his IT department triggers the admin to send a remote wipe request to the device and receive confirmation of success

That was just one example and there are many more features that MAM can enable to protect your data.

Bringing MAM Home

Mobile Application Management is easy to enable and deploy to your users.  With proper communication and process, your company data will be secured.  Don’t wait for one of your end users to accidentally leak sensitive information that could make or break your organization’s reputation.  Identify those who are using mobile devices and protect them sooner rather than later.

Why use Cloud App Security when my firewall already does this?

2017-07-27T00:00:58-04:00 | April 12th, 2017 | blog, Cloud, Microsoft, Microsoft Cloud Solution Provider

Microsoft’s Cloud App Security (CAS) is a new product feature that comes with Microsoft’s Enterprise Mobility + Security E5 line of products.  The solution is a cloud-based application model built on Azure Active Directory, but it can also be used independently, although the dataset will not be as rich.

The idea is for customers to gain deep insight into what apps their end users are consuming, identify data drift and leakage, “sanction” or “unsanction” applications, and even generate a block script to block those unsanctioned apps at the firewall level.  There are two paths to gathering this data: firewall logs and Connected apps.


You can discover information by manually importing firewall logs or by setting up a connector VM that gathers the logs and uploads them to CAS for you.  This is not much different from the technologies offered by the firewall vendors themselves and, in many cases, will not react as quickly as those vendor-provided solutions.  The connector, by default, uploads logs from the firewall every 20 minutes and imports them into CAS.

What I believe separates Cloud App Security from the firewall vendor solutions is its integration with Connected apps.  A Connected app is an application for which CAS leverages the APIs provided by the cloud provider.  Each provider has its own framework and limitations, so the functionality for each depends on how far the provider has extended its API.

There are currently only a few Connected apps that CAS supports, but I’ve found that the biggest bang for your buck is the Office 365 suite of applications.  This allows CAS to see usage of the standard suite of Office apps and your Azure AD connected users.


With the data gathered from the Connected apps, you can see information on file usage, owner information, app name, collaborators, and more.  You will be able to tell who is accessing which files and who those files have been shared with.  You can drill down on a particular user’s activity and see all of the apps and traffic volumes for their usage.

The Cloud Discovery Dashboard provides a rich view of information from a graphical perspective including dashboard items like App Categories which highlight usage based on categories such as CRM, Collaboration, Accounting, Storage apps, and more.  Other items on the dashboard show top discovered apps, top users, and even a geographical map of usage based on where the apps are being used.


Through alerts you may be made aware of risky IP addresses, mass downloads, new cloud app usage, and more.  If a particular user is a concern, you even have the ability to suspend that user’s use of a particular Connected app.  This adds a layer of security that a standard firewall report may not provide, especially if the user roams to another off-premises location where your firewall is not present.

Using the policies feature, I can set an alert, notify the user and CC their manager, or even suspend the user based on the several configuration policies available to me in the console.  This allows me to mitigate threats as they happen instead of waiting for a review of alerts or logs, possibly days or even weeks after the events occurred.

To summarize Microsoft’s Cloud App Security, I would have to say that they are opening the door to rich integration with cloud-based apps and providing another avenue to secure your corporate data.  With the deep integration of Office 365, those that have E5 licensing should definitely take advantage of this product.  Even those who are interested but not licensed can subscribe to a trial and use the firewall discovery solution to get an immediate view of what’s being used internally.  This will allow your organization to have that much-needed discussion on BYOD and the security risks that ultimately accompany an open-door policy.

If set up properly, adding Cloud App Security to your environment can greatly increase the level of security your organization has regarding the mobility of your data and users!

For more information, review the following useful links: