Monthly archives "November 2014"

How to Enable Azure RMS Protection for Exchange Online Emails

Joe Kuster

Here’s a nifty one from the trenches. Azure RMS works out of the box with Exchange installed locally through the RMS Sharing App. However, by default it won’t work with your Exchange Online transport rules via Office 365, nor with RMS-enabled email apps on mobile such as TouchDown or Titus. The fix is just a few steps of PowerShell.

Open PowerShell, run the following, and enter your O365 global administrator credentials when prompted:

    $UserCredential = Get-Credential


Start a session with O365 with the following command. There is a different ConnectionUri for China.

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection


Import the session

    Import-PSSession $Session


Configure the RMS Key Sharing Location (this is the key location for North America, see link for other locations)

    Set-IRMConfiguration -RMSOnlineKeySharingLocation


Import the Trusted Publisher Domain (TPD)

    Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"


Close your session

    Remove-PSSession $Session
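The steps above combined into one script, as an added example that is not from the original post. The two URL parameters are assumptions standing in for the region-specific values this page does not give, and the existing-TPD check, the `Test-IRMConfiguration` run and the `try`/`finally` cleanup are additions to the procedure.

```powershell
# Added example: the steps above as one script. Both URLs are region-specific and
# are not given on this page, so they are mandatory parameters (assumption).
param(
    [Parameter(Mandatory)] [uri] $ConnectionUri,
    [Parameter(Mandatory)] [uri] $KeySharingLocation,
    [string] $TpdName = 'RMS Online'
)
$ErrorActionPreference = 'Stop'   # abort on the first failed step

$UserCredential = Get-Credential  # O365 global administrator
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri $ConnectionUri -Credential $UserCredential `
    -Authentication Basic -AllowRedirection
try {
    # Import only the cmdlets this script uses
    Import-PSSession $Session -DisableNameChecking -CommandName `
        Get-IRMConfiguration, Set-IRMConfiguration, Test-IRMConfiguration, `
        Get-RMSTrustedPublishingDomain, Import-RMSTrustedPublishingDomain | Out-Null

    Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingLocation

    # Skip the import when a TPD with this name already exists (safe to re-run)
    $existing = Get-RMSTrustedPublishingDomain | Where-Object { $_.Name -eq $TpdName }
    if (-not $existing) {
        Import-RMSTrustedPublishingDomain -RMSOnline -Name $TpdName
    }

    # Show what is now configured and run the built-in RMS Online check
    Get-IRMConfiguration | Format-List RMSOnlineKeySharingLocation, InternalLicensingEnabled
    Test-IRMConfiguration -RMSOnline
}
finally {
    # Close the administrator session even if a step above failed
    Remove-PSSession $Session
}
```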


More on Configuring the IRM Keys:

Windows 10 RTM Kernel Version Number: It’s not the 6.4 you’re expecting

Joe Kuster

This is still strictly a rumor, but as of 11/24/14 Ars Technica is reporting that Windows 10 will bring a veritable true-up of the bewildering Windows version numbering we always have to look up. In a move that signals the core change from 8.1 to 10, the version number at release is anticipated to be 10.0.

If that’s true, the Configuration Manager query for collections of Windows 10 systems will be:

    SELECT * FROM SMS_R_System WHERE OperatingSystemNameAndVersion LIKE '%Workstation 10.0'

For the Windows 10 Technical Preview, continue using the following:

    SELECT * FROM SMS_R_System WHERE OperatingSystemNameAndVersion LIKE '%Workstation 6.4'

A Quick Heads up, Apple Configurator is Required for Microsoft Intune / EMS to Enable iOS Kiosk Mode

Joe Kuster

Just a super quick note since this is so new:


After working through this issue to prep my new series of demos, it appears that the iOS device (iPad / iPod / iPhone) must be configured to enable Supervised Mode via Apple Configurator before the Intune settings for Kiosk mode will take effect.


Since the Apple Configurator software only runs on a Mac, I’m currently scrambling for access to one and will document the process.


Azure AD Sync – Password Write-back Error During Install

Joe Kuster

I ran into an interesting EMS issue today when enabling Azure AD Sync. During the configuration wizard after I installed AADSync, selecting to enable bi-directional, I encountered an error at the last step saying password sync could not be enabled.

I haven’t been able to identify the root cause, but a workaround is:

  1. Reboot the AADSync server
  2. Open Task Scheduler
  3. Disable the AADSync Task
  4. Re-run the Directory Sync tool
  5. Use the same settings (making sure to use a account as your global administrator)
  6. Write-back configuration succeeds.

New Intune features coming this week!

Joe Kuster

The Intune team will be rolling out a service update between November 17, 2014 and November 19, 2014 that introduces new capabilities to Intune standalone (cloud only).


For me there are several in it that are client requested / required features including:


  • VPN/Wifi/certs/Email for Android / iOS
  • Per-App VPN
  • Kiosk modes for iOS and KNOX
  • App install allowed/deny list


Steps to Enable Multi-Factor Authentication for an Individual User

Joe Kuster

  1. Log into Azure with admin credentials.
  2. Open Active Directory.
  3. Click on the domain you want to manage.
  4. Click on Users.
  5. Click on Manage MultiFactor Auth.
  6. Select the desired user to enable.
  7. Click Enable.
  8. Click Enable multi-factor auth.

The next time the user logs in, they will be prompted to configure Multi-Factor Authentication (MFA).

The user will then be asked to verify and log in again using MFA.


New Azure RMS compatible apps!

Joe Kuster

Sometime in the last week, Microsoft silently added a few new apps including TouchDown which offers enterprise email capabilities on Android, iOS and Samsung Knox. One of the most troubling issues for Azure RMS has been the lack of non-Office apps and a complete lack of anything for mobile RMS, so this is great news.


A new version of the RMS Sharing app was also pushed out today.

Configuration Manager build fails with “Recovery” 0xc0000428

Joe Kuster

When building a Windows 8 or 8.1 VM, most commonly when running a build and capture task sequence, you may encounter the following:




Your PC needs to be repaired

The operating system couldn’t be loaded because the digital signature of a file couldn’t be verified.


Error code: 0xc0000428

You’ll need to use the recovery tools on your installation media. If you don’t have any installation media (like a disc or USB device), contact your system administrator or PC manufacturer.

Press Enter to try again

Press F8 for Startup Settings



The cause is that your boot image’s defined scratch space is too large for the virtual machine’s startup memory. Increase the startup memory to at least 1GB and retry.

Office Outlook / Excel Interop calls breaking (solved)

Joe Kuster


Background: I had a client who was using Office 2010, but after deploying Lync 2013 standalone into their environment, various Office-related issues kept cropping up. It turns out that when any standalone Office product is installed, it creates the interoperability calls for the rest of the suite. This would lead to Office trying to pass actions from one application (Word to Outlook for example) using incorrect paths.

This was identified when a user was using the built-in Send Worksheet function and was receiving errors. She could use the send workbook fine; it only cropped up when trying to send the current active worksheet. This error seems to be present in all builds (verified on my machine as well).



Steps to replicate

  1. Add the “Send to Mail Recipient” command to the toolbar
  2. Click on “Send to Mail Recipient”, selecting “Send the current sheet as the message body”

Deleting the following key seems to solve the issue as long as the correct Outlook 2010 (Version 14.0) key is left intact:

I couldn’t find this fix documented anywhere but lots of people have the issue with no resolution. It may not be the best approach, but it works.

The following Office 2013 registry keys should be removed for optimal InterOp call compatibility if only Lync 2013 is installed:















If conflicts crop up elsewhere, the following should be considered for removal:

Object Library



Office Graph



Active X Data Objects






Outlook View Control












MBAM 2.5 Installation Notes (placeholder)

Joe Kuster

  • Create Cache is no longer installed, so it cannot be optimized.
  • Config Manager integration issues
  • MBAM supported computers collection query has an error in the TPM query – change to like "%1.2%" and it resolves the issue.
  • Change timing from incremental and 12 hours to every hour
  • Change baseline compliance evaluations from 12 hours to every 30 minutes
  • Ensure both server services are cycled and client hardware inventory is cycled after MOF updates via sms_def.mof and configuration.mof