Testing Office365 Mail Rules

Recently I had to implement a tag for external emails. However, I wanted to test it out first and see what would be tagged.

I created my rule and set these settings:

Audit this rule… should be checked off but can be set to “Not specified” while the mode should be Test without Policy Tips.

Ok the rule.

Wait a day, then go to to the Reports section of Office365 Security & Compliance Center. On the Dashboard, click on the Exchange transport rule section.

Once there, click the dropdown for “Show data for” and choose your transport rule. This will only list transport rules where you have checked off Audit this rule with severity level: . No matter the setting, that must be checked off or you won’t see results here!

That’s it. Filter by sender, date, etc. and you’ll see the emails affected by the rule. Happy hunting!

Using the New Exchange Admin Center (2020 Edition)

I’ve noted this as the 2020 edition because simply… Microsoft loves to change their GUIs and portals. If you’ve worked with Office365 for a long time, you can remember the BPOS days and all the subsequent portals.

Anywho, the link for Exchange Admin is more in-line with the Sharepoint and Teams admin portals and is easier to remember: https://admin.exchange.microsoft.com/

As of this writing, it’s… pretty blank when you arrive there. You can still run message traces through here. One of the bigger changes is they’ve combined User and Shared Mailboxes under Mailboxes and put distribution lists and Office365 groups under Groups. Resource Mailboxes are under Resources.

As of now, I still work out of PowerShell or the old admin center. This will probably be finished by late next year… just in time for the next version of the EAC to apprear.

Getting Inbox or Mailbox Rules in Office365 via Powershell

First, login to your tenant via Powershell using Microsoft’s new Exchange V2 Powershell module.

We’re going to be using the Get-InboxRule commandlet. If you run it outright, you’ll see a limited list of Inbox rules across your tenant. To narrow things down, you can use Get-InboxRule -Mailbox [user] to get rules for a specific user. Using the -Identity parameter will not work for this! Identity is for specifying specific Inbox rules. You can use wildcards, so you could do Get-InboxRule -Mailbox jeff*

The results will be:

From here, you can use the -Identity parameter to get information on specific rules such as their date of creation, what they actually do, and more!

Check it out.

Huge Log Files in Microsoft Teams AppData

This was a fun one… I have a VM spun up in Microsoft Azure with one user who reported their 128GB Drive was filled.

I ran wiztree, my favorite tool, and found that in the AppData\Roaming\Microsoft\Teams folder, there were multiple files starting with old_logs that were 13mb big… except for one that was 103GB big! Deleted it and was on my way.

Activate macOS VNC Over SSH

I ran into this one today while working on a personal project. I had SSH access to a Mac Mini running Big Sur that I didn’t have hooked up to a monitor or keyboard. After digging around, I found I could enable VNC access via these commands.

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resouces/kickstart \
 -activate -configure -access -on \
 -configure -allowAccessFor -allUsers \
 -configure -restart -agent -privs -all

If that doesn’t work, this will set a custom password not tied to any user account:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
-activate -configure -access -on \
-clientopts -setvnclegacy -vnclegacy yes \
-clientopts -setvncpw -vncpw mypasswd \
-restart -agent -privs -all

When you’re done (since you don’t want to leave it enabled 24/7 for security reasons), disable with:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
-deactivate -configure -access -off

Using Get-Hotfix in Powershell to Gather Information

Quick and easy to use, Get-Hotfix can give you a bird’s eye view or can be used to quickly determine if a specific patch is installed.

Without arguments, Get-HotFix shows installed updates, including date

Get-HotFix -HotFixID id will show information for a specific hotfix

You can also filter by install date if you are encountering issues.

Changing PHP Version in StableHost

Looking for how to change the active version of PHP in StableHost? Scroll down to the SOFTWARE section. For me, it was the last option. Hit Select PHP Version .

On the ensuing screen, next to Current PHP version choose your version! You can also select your PHP extensions / addons

And that’s it! Once you’ve chosen your PHP version you’ll receive a confirmation and that’s it. Enjoy!

Issues Upgrading Windows 10 Pro to Enterprise with AzureAD and E5 Licenses

A client of ours wanted to upgrade their Windows 10 Professional licenses to Windows 10 Enterprise by way of E5 licensing in Office365 / Azure Active Directory.

Most computers worked fine, but a few just didn’t work and upgrade as they should have. There isn’t a lot of documentation on this, so I thought I’d put out there what worked for us and what we found. I ended up opening a ticket with Microsoft Escalated Support and worked with a rep over a few weeks.

First and foremost, make sure in Office365 that the E5 license has the option checked off for Windows 10 Enterprise.

First Troubleshooting Recommendation: dsregcmd

Run dsregcmd /status on the affected machine as the logged in user (and not a System or admin account).

If WamDefaultSet : ERROR and / or AzureAdPrt : NO are found, these would indicate an issue on Azure’s end. You want to see both answered with YES. These fields indicate whether the user has successfully authenticated to Azure AD when signing in to the device.

If the values are NO, it could be due to:

  • Bad storage key in the TPM associated with the device upon registration (check the KeySignTest while running elevated).
  • Alternate Login ID
  • HTTP Proxy not found

ConnectWise Control Management

It seems that in this Covid world I’ve become very good at troubleshooting and using ConnectWise Control, specifically the cloud-hosted version. Since ConnectWise appears to be shaping itself for sale, it has cut jobs which has clearly affected the level of support I’ve been receiving at all hours.

Let’s begin with configuring mail sending settings with Office365 and ConnectWise Control (formerly ScreenConnect).

Simply put, use these settings!

  • smtp.office365.com
  • Port 587 w/SSL option
  • Email account credentials and set your default from / to address