If a computer is in an Active Directory Domain environment with Exchange On-Prem installed, Outlook clients might connect to local Exchange instead of Exchange Online, because they query Active Directory first.

This Registry key will avoid SCP Lookup in Active Directory.

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover
DWORD ExcludeSCPLookup 1

If you are curious, SCP is located here (you can view it with ADSIEdit inside the Configuration Partition):

CN=Services, CN=Microsoft Exchange,CN=Organization, CN=Administrative Groups,CN=Exchange Administrative Group, CN=Servers,CN=YourServer,CN=Protocols,CN=Autodiscover,

References:

https://jacob.gardiner-moon.co.uk/2016/06/13/outlook-autodiscover-connecting-local-exchange-server-instead-office-365/

So here is a challenge I had to face today: I created a virtual machine (VM) in Azure from a custom image that was previously Sysprep’d by me. The image contained several applications intended to run on a RDSH (Remote Desktop Session Host) for Citrix Virtual Apps and Desktops (former XenApp), so the RDS role was also installed. The VM was not part of the domain, it was in a Workgroup and it could not reach the RDS license server. Which meant: I could not RDP into the machine to perform Domain Join. And if you already have some experience with Microsoft Azure, you will know that there is no Remote Console like in VMware or Hyper-V.

The VM was still reachable over the network. So here are four PowerShell commands that allowed me to remotely perform a Domain Join on that particular machine. Nothing fancy, but it might come in handy.

$Server=”10.10.10.10″

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $Server -Confirm:$false -Force

This credential variable stores the local username and password of the computer. Something like computername\admin along with the password.

$Cred = Get-Credential

Add-Computer -DomainName “ajni.lab” -Restart

After executing the last command you will be prompted to insert domain credentials. The user obviously must have the right to create computers in the domain.

What is DNS over HTTPS ? Well it’s basically an encrypted way of querying DNS. Normally DNS uses port 53 to communicate with the server and query the name we want. But all of that traffic is in plain-text and thus it is very easy to poison that communication. DNS over HTTPS is secure because it uses certificates to encrypt traffic (just like HTTPS websites).

Mozilla Firefox makes it very easy to enable this feature. Just open the settings and search for “DNS over HTTPS”:

In the connection settings enable DNS over HTTPS. You could also add a custom provider. Here is a good list: https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers

Microsoft Edge does not have a user-friendly way of activating the feature (yet).

In the edge://flags/ search for “DNS” and you will find the corresponding setting:

Unfortunately Microsoft Edge does not allow custom providers. Hopefully they will one day.

I was trying to enable Bitlocker on my C: drive, but unfortunately my PC does not have a physical TPM chip built-in. Turns out there is a way to enable Bitlocker Drive Encryption without the TPM chip with help of Group Policies.

Open Local Group Policies (gpedit.msc) > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives > Require additional authentication at starutp

Enable this Policy and leave the default settings.

Now in Windows Explorer, Bitlocker can be turned on:

Because there is no TPM chip available, we either have the option to enter a password every time the OS boots or unlock the drive with a USB flash drive.

There are a few options for saving the recovery key. If you save it to your Microsoft Account, it can be accessed on this Microsoft site: https://account.microsoft.com/devices/recoverykey

Select the first option if you just re-installed Windows.

New should be better right?

Your PC will be restarted.

At boot, this is the prompt you’ll get:

Don’t forget to secure your Bitlocker Recovery Key just in case something breaks. You’ll need that long string.

Links:

https://support.microsoft.com/en-us/help/4530477/windows-10-finding-your-bitlocker-recovery-key

https://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/

I got tasked with installing a brand new Windows Server 2019 with the Remote Desktop Services (RDS) role. It was a pretty straightforward installation, but minor things might work differently compared to previous versions of Windows Server (I was migrating off Windows Server 2012 R2).

Start by adding the RDS role through Server Manager.

Select the RDS installation:

I went for the Quick Start because my deployment is fairly basic.

Session-based deployment enables multi-session support on the server.

The server should be automatically selected.

The three roles (RD Connection Broker, RD Web Access and RD Session Host) will be installed.

After the installation a license warning will be shown in the Notification Center.

Two things are needed in order for licensing to work properly: The license server and licensing mode.
In a production environment, usually there is a separate server hosting the RDS Licensing service.

Server Manager > Remote Desktop Services > Overview > Tasks > Edit Deployment properties

I had problems with the licensing mode not being applied properly. This registry key worked wonderfully though:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core
DWORD LicensingMode
4 = Per user
2 = Per Device

The license server can be also set through the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers
REG_MULTI_SZ SpecifiedLicenseServers = license.ajni.lab

With RD Licensing Diagnoser you can check for potential errors (can be opened through Server Manager > Tools > Remote Desktop Services).

Now on to the last step: Create a custom device collection.

Server Manager > Remote Desktop Services > Collections > Tasks > Create Session Collection

This is also pretty straight forward stuff.

Make sure you select the server by moving it to the right with the arrow.

In a production environment a custom group should be used to control the number of permitted users.

User profile disks were not needed in my environment.

After the creation, there are some things that should be changed in the Collection properties (Server Manager > Remote Desktop Services > Collections > Collection Name):

These are my specific settings, you should change the parameters based on your experience or leave them at their default values.

Older clients might have problems with these security settings (like Network Level Authentication – NLA)

Do not forget to apply the changes.

Bonus:

If you have specific AD user attributes, like the home folder or program auto-start, they will not work because of changes made to RDS 2016/2019. You can read this article from Microsoft’s website: https://support.microsoft.com/en-us/help/3200967/changes-to-remote-connection-manager-in-windows-server

Following registry entries will tell the Remote Desktop Session Host (RDSH) to query AD DS for RDP profile settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Name: fQueryUserConfigFromDC
Type: Reg_DWORD
Value: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp
Name: fQueryUserConfigFromDC
Type: Reg_DWORD