SharePoint Stuff



UDP and TCP port tester / Skype for Business Testing

Written by Luke Smith. Posted in Microsoft

Recently I have been working with a customer who has Skype for Business Online (SfB) part of Office 365. The customer is successfully using the Skype for Business client (Windows\mac) and is extending the use of SfB to their meeting rooms using the Polycom RealPresence Trio 8800 (UC Software version: 5.5.2.11217).

ISSUE:
The Polycom fails to connect to SfB on the corporate network, however works from a home network or guest WiFi.

PROBLEM:
Different to the SfB client (works over TCP port 443) the Polycom requires UDP outbound to Office 365 this is used for accessing a time server (NTP – UDP port 123) and Lync Edge services (SIP\A&V range of ports 5060\61, 3478\81, 50,000\40)

TESTING:
Using the PowerShell script porttest.ps1 you can test the outbound UDP ports to SfB:

Test-Port -comp 0.uk.pool.ntp.org -port 123 -UDPtimeout 10000
Test-Port -comp config.edge.skype.com -port 3478 -UDPtimeout 10000
Test-Port -comp config.edge.skype.com -port 50019 -UDPtimeout 10000
Test-Port -comp config.edge.skype.com -port 5060 -UDPtimeout 10000
Test-Port -comp config.edge.skype.com -port 5061 -UDPtimeout 10000

Failed Output:

Server : 0.uk.pool.ntp.org
Port : 123
TypePort : UDP
Open : False
Notes : Unable to verify if port is open or if host is unavailable.

Server : config.edge.skype.com
Port : 3478
TypePort : TCP
Open : False
Notes : Connection to Port Timed Out

Server : config.edge.skype.com
Port : 50019
TypePort : TCP
Open : False
Notes : Connection to Port Timed Out

Server : config.edge.skype.com
Port : 5060
TypePort : TCP
Open : False
Notes : Connection to Port Timed Out

Server : config.edge.skype.com
Port : 5061
TypePort : TCP
Open : False
Notes : Connection to Port Timed Out

RESOLUTION:

Allow UDP outbound from the firewall to Office 365. more information here:
Polycom Ports
Office 365 Ports and URLs

Azure AD DS Hybrid with Azure AD and Intune MDM Q&A

Written by Luke Smith. Posted in Microsoft

Q1: Why can’t I “factory reset” my Windows 10 device even though it’s listed in Intune under “Azure AD Devices”, however the device is not listed in All Devices
A1: Azure AD Join devices don’t allow you to factory reset. Your device needs to be enrolled with Intune MDM before the device can be “factor reset”. To enable Intune MDM run though the following
1. Enable Intune MDM integration with Azure AD: https://docs.microsoft.com/en-us/intune/windows-enroll
2. License user for EMS (AD Premium and Intune required): https://docs.microsoft.com/en-us/intune/licenses-assign
3. Device Enrolment: https://docs.microsoft.com/en-us/intune-user-help/enroll-your-w10-phone-or-w10-pc-windows
4. To force intune MDM enrolment you can install the company portal app from the Microsoft Store: https://www.microsoft.com/en-gb/store/p/company-portal/9wzdncrfj3pz
NB: if joining windows AD DS and Azure AD see Q3:

Q2: Can I factory reset a Windows 10 device which is Windows AD DS Joined, Azure AD Joined and Intune MDM Managed
A2: Yes, to configure please see Q3

Q3: can I automatically enrol a windows 10 windows AD DS joined device into MDM and Azure AD
A3; Yes, however you need to be using build 1709 or above, for more information please see : https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup and
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

Q4: Is it possible to add the BitLocker Protector key to AzureAD? even if you enabled BitLocker before the device was Azure AD Join?
A4: Yes, the following PowerShell will need to be executed:

Add-BitLockerKeyProtector -MountPoint “C:” -RecoveryPasswordProtector
$BLV = Get-BitLockerVolume -MountPoint “C:”
BackupToAAD-BitLockerKeyProtector -MountPoint “C:” -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

Further information:

Intune make sure the DNS CNAMEs are created: https://docs.microsoft.com/en-us/intune/windows-enroll#simplify-windows-enrollment-without-azure-ad-premium
Intune Factory reset\Remove company data descriptions: https://docs.microsoft.com/en-us/intune/devices-wipe
Intune Non-windows updates: https://docs.microsoft.com/en-us/intune/whats-new
Intune device compliance policies: https://docs.microsoft.com/en-us/intune/device-compliance-get-started
BitLocker Management: https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-management-for-enterprises