Deploy Office 2019 via GPO

With the advent of Office 2019, Microsoft has moved away from GPO deployment via MSI. There is no MSI of Office, Visio, Project, etc. available to download anymore. Microsoft is moving toward using SCCM or the Office Deployment Tool. I was tasked with coming up with a method for deploying Office via GPO in a fully automated manner.

There may be more than one way to accomplish GPO deployment of Office, and I do not claim to have the best method. It took me quite a bit of research and troubleshooting to get this method to work. I hope it helps someone looking to accomplish the same thing I was.

First off, head over to Microsoft and download the Office Deployment Tool (ODT) HERE. Run the executable and extract the files to a directory.

Next, use the Microsoft tool for generating an XML file HERE. Set your preferences, in my case, it was a volume license MAK copy of Visio 2019. Export the XML file and place it in the directory where you extracted the ODT.

The XML file I used to deploy Visio 2019 using a volume license looked like this:

<Configuration ID="xxxxxxxxxxxxxxxxxxxxxxx">
  <Add OfficeClientEdition="64" Channel="PerpetualVL2019" SourcePath="\\server\ODT\" AllowCdnFallback="TRUE" ForceUpgrade="TRUE">
    <Product ID="VisioPro2019Volume" PIDKEY="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="OneDrive" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="0" />
  <Property Name="PinIconsToTaskbar" Value="TRUE" />
  <Property Name="SCLCacheOverride" Value="0" />
  <Property Name="AUTOACTIVATE" Value="TRUE" />
  <Updates Enabled="TRUE" />
  <RemoveMSI />
  <AppSettings>
    <Setup Name="Company" Value="Company" />
  </AppSettings>
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="" />
</Configuration>

Cisco – Define default GW based on source

Was recently working on a project for a client where the client needed to route traffic from a specific network over a T1 and send the rest of the traffic out the default gateway of the router.  In order to accomplish the task I configured policy based routing on the 2911 as follows:

interface GigabitEthernet0/0.4
 encapsulation dot1q 4
 ip address
 ip policy route-map NoDSL

access-list 101 permit any

route-map NoDSL 10
 match ip address 101
 set ip default next-hop

Cisco has a pretty good example configuration white paper:

The route map policy didn’t seem to apply correctly, as traffic was hitting the default route instead of my defined next hop.  I enabled debugging and found the issue.  Debug output was showing the following:
R1#debug ip policy
R1#debug ip packet 101 detail
*May 26 14:45:21.359: IP: s= (GigabitEthernet0/0.4), d=, len 84, FIB policy match
*May 26 14:45:21.359: IP: s= (GigabitEthernet0/0.4), d=, len 84, FIB policy rejected(explicit route)

Skype for Business 2015 – Mobility clients not able to find contacts

I was recently asked to look into a Skype for Business 2015 infrastructure due to reported 2013 mobility client issues.  The infrastructure consisted of a standard edition front end, an edge server and a KEMP LoadMaster reverse proxy.  The issue was that mobility clients could not search for contacts and could not see certain status messages.  All other features were working and users could chat and make calls.

Testing with shows green across the board.  If you are dealing with this issue, start with this tool and run the following tests:

  • Skype for Business remote connectivity test
  • Skype for Business autodiscover test
  • Exchange server ActiveSync autodiscover test

Testing with Microsoft Lync Connectivity Analyzer showed ready for 2013 mobility client.

After examining the Lync Front End server event log, I found event 32054, LS Storage service:

Storage Service had an EWS Autodiscovery Failure.  The underlying connection was closed.  Could not establish a trust relationship SSL/TLS.

The issue would seem to be that the published autodiscover URI for Exchange did not match the installed certificate on the Exchange 2016 DAG members.  The URI in the event log was reporting autodiscover.domain.local.  The certificates and all other services in the infrastructure were pointing to  On the Exchange server, running the PowerShell command Get-ClientAccessService | fl AutoDiscoverServiceInternalUri will display the currently assigned URLs.

Issuing Set-ClientAccessService -Identity exchange.domain.local -AutoDiscoverServiceInternalUri for both servers in the Exchange DAG solved the mobility client address book issue.
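The name check behind event 32054, as an added example that is not part of the original post: it compares the host in each published AutoDiscoverServiceInternalUri with the DNS names on the installed certificate, including the single-label wildcard rule. The server identities, the example.com names and both function names are constructed for illustration.

```powershell
# Added example: all server and certificate names below are constructed.

# True when $HostName is covered by one of the certificate's DNS names.
function Test-CertificateCoversHost {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [Parameter(Mandatory)] [string[]] $DnsNames
    )
    # Everything after the first label, e.g. 'domain.local' for 'autodiscover.domain.local'.
    $parent = if ($HostName.Contains('.')) { $HostName.Substring($HostName.IndexOf('.') + 1) } else { $null }
    foreach ($name in $DnsNames) {
        # -eq on strings is case-insensitive, which is what DNS names need.
        if ($name -eq $HostName) { return $true }
        # A wildcard stands in for exactly one left-most label.
        if ($parent -and $name.StartsWith('*.') -and $name.Substring(2) -eq $parent) { return $true }
    }
    return $false
}

# Reports, per server, whether the published Autodiscover URI host is on the certificate.
function Test-AutodiscoverUriAgainstCertificate {
    param(
        [Parameter(Mandatory)] [object[]] $ClientAccessService,
        [Parameter(Mandatory)] [string[]] $CertificateDnsNames
    )
    foreach ($svc in $ClientAccessService) {
        $uriHost = ([uri]$svc.AutoDiscoverServiceInternalUri).Host
        [pscustomobject]@{
            Identity             = $svc.Identity
            UriHost              = $uriHost
            CoveredByCertificate = Test-CertificateCoversHost -HostName $uriHost -DnsNames $CertificateDnsNames
        }
    }
}

# Constructed input shaped like: Get-ClientAccessService | Select-Object Identity, AutoDiscoverServiceInternalUri
$services = @(
    [pscustomobject]@{ Identity = 'EXCH01'; AutoDiscoverServiceInternalUri = 'https://autodiscover.domain.local/Autodiscover/Autodiscover.xml' }
    [pscustomobject]@{ Identity = 'EXCH02'; AutoDiscoverServiceInternalUri = 'https://mail.example.com/Autodiscover/Autodiscover.xml' }
)
# Constructed subject alternative names of the installed certificate.
$certNames = 'mail.example.com', '*.apps.example.com'

Test-AutodiscoverUriAgainstCertificate -ClientAccessService $services -CertificateDnsNames $certNames |
    Format-Table -AutoSize
```

A row with CoveredByCertificate set to False is a server whose published URI will fail TLS name validation for any client that follows it, which is the condition the LS Storage service logged.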

Back from the Dead – Virtualizing DOA Laptops

Simple post on restoring dead laptops using virtualization.  Some people ask me: “Is there any way to bring a laptop back from the dead?” or “I dropped my laptop in the toilet and now it won't start! How do I get to my important stuff?”.   The answer is not exactly simple, but it is effective in most cases.  If you need access to the OS for some reason prior to restoring data on a new system, it may be possible to restore the laptop and boot it as a VM.

First off, you need to remove the physical hard drive from the device.  You will want the primary (boot) disk.  You may also need the secondary hard drives if you installed critical apps in non-standard locations.

Second, you need a hard-drive caddy of some sort. Something like this: would work just fine.  Any enclosure will do.

Third, you need a working computer to plug the enclosure into.  This will mount the OS drive as an external drive on the chosen machine.  We need to convert this drive to a format virtualization programs will understand, the most common of which is the Virtual Hard Disk (VHD/VHDX) format.  To do this, we need a program like Disk2vhd.

Run Disk2vhd, check the appropriate partitions from the connected external drive.  Choose a location with enough space and name your VHD.  Un-check VHDX if you intend to use VirtualBox as the VM player.

Once the VHD is created, install a VM player.  I will be using VirtualBox in this example.

Run VirtualBox and create a new VM.  Choose the OS settings from the drop-downs.  These must match the version of the OS that was running on the old machine.  If you don’t know the exact version, one way to check is to inspect the ntoskrnl file under /Windows/System32/, look at its details and find the product version number.  Reference the version number here: and here:

Select your memory amount and boot the VM.  The old OS should boot fine and install all new drivers needed.  You may need to perform some system repair, or OS repair due to driver conflicts but most of the time the boot is clean.


Cisco 7960G 3.x Firmware Upgrade Issues

Working on a project to bring a batch of Cisco 7960G phones online with a newer 7.1 CUCM server.  The issue is that the phones were donated, and although new in the box they were using just about every firmware version from 3.x to 8.x, SCCP and SIP.  The newer revisions were simple enough to manually upgrade via TFTP, but the 3.x revisions absolutely would not upgrade. We tried upgrading from 3.x to 5.x, 7.x, etc with no luck.  We would have liked to upgrade them from 3.1 to a newer 3.x revision, but all of those files from Cisco are packaged in an exe intended for CME.  This limited our options.  Finally found an obscure way to get around the UAL conflicts.

Workaround: upgrade from 3.x to 7.x SIP, then back to SCCP.

You will need the following things:

  • A switch isolated from the production network
  • A TFTP server (TFTPD32)
  • A DHCP server (either the switch or using TFTPD32)
  • Cisco P0S3-07-4-00 SIP zip from Cisco support or here:
  • Cisco 8.1(1) SCCP zip from Cisco support
  • Cisco 8.1(2) SCCP zip from Cisco support

    Exchange 2013 ECP – :-( Something Went Wrong

    Fresh deployment of Exchange 2013.  As you try to connect to the management console https://localhost/ecp/ with a valid administrator account, it redirects to OWA and responds with “:-( Something Went Wrong, A problem occurred when trying to use your mailbox.”

    This seems to be related to leftover Exchange attributes in Active Directory.  I tried everything from a multitude of TechNet articles including the following:

  • Rebuilding the ECP front end and back end (Reference)
  • Adding appropriate permissions to the administrator account
  • Connecting directly to the back end by using port 444
  • Messing with certificates (Reference)
  • Many articles mentioned having CAS and MBX roles installed, but these were installed on the same machine at the same time
  • Manually creating the administrator mailbox using the exchange shell

    Exchange 2013 Schema Prep – ADC Found

    Installing a new Exchange 2013 deployment on an existing domain with questionable history.  The existing domain had an untold number of previous Exchange deployments with remnants scattered throughout Active Directory.  After using ADSI Edit to manually remove all instances of the old Exchange servers, running a schema prep runs into an error about an existing Active Directory Connector.  Microsoft suggests (TechNet) disabling the ADC service on the running computer, then uninstalling the service using the Exchange server installation CD.  In this situation, of course, the detected ADC was probably on a computer that was long ago trashed or removed.

    Lots of websites describe the method for removing ADCs from AD using ADSIedit.



    Open ADSIedit
    Expand Configuration –> Services –> Microsoft Exchange –> Active Directory Connections
    Delete ADC under Active Directory Connections
    Replicate changes to all Domain Controllers

    Running the Schema prep another time results in the same error:

    After some digging we found the rogue connector buried in Active Directory Sites and Services.

    Open the sites and services mmc and look for any machines that aren’t active servers.  Delete anything that doesn’t belong and run the tool again.  It should finish successfully.

    Cisco Stackwise Port Flapping

    I recently was confronted with a stack of six Cisco 3750X switches that were experiencing intermittent outages.  The symptoms were random, but included switches being removed from the stack randomly, PoE drops, and full blown switch crashes with reloads.  If anyone has worked with Cisco stacks, you know how long it takes the entire stack to reload and elect a new master.

    Troubleshooting the situation, I found that the switch stackwise ports were flapping.  All of them were reporting up/down notifications at random intervals.

    I brought the stack down, removed all of the stack cables and brought the stack up one switch at a time.  I wanted to test the physical stack cables as I assumed there must be one or more cables with issues.

    By connecting the stackwise cable in a loop on the master, one can verify the physical operation of each cable.

    SM: Detected stack cables at PORT1 PORT2

    %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state UP

    %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state UP

    Switch# show switch stack-ports

      Switch#     Port 1       Port 2
      --------    ------       ------
        1           Ok           Ok

    I monitored each cable for 5 minutes until satisfied that there was no issue.  However, one cable, when connected, began to flap up/down.

    %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN

    %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state UP

    %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN

    Polycom RMX 2000 and Lync 2010

    Continuing from my previous post on integrating an existing Polycom system with Microsoft Lync 2010, I will run down the process for integrating a Polycom RMX bridge.  The process is much more difficult than integrating the Polycom endpoints as it requires creating a trusted application within the Lync server, running some shell commands, generating certificates and RMX configuration changes.  Once the integration is complete you can create SIP enabled meeting rooms accessible by Lync users and Polycom endpoints alike.

    1. DNS – Making sure the Lync server can contact the RMX by name

    Head over to the RMX admin console, under rarely used, find IP Network services.  Go to the properties of the management network, and click the DNS tab.  Fill in the name, domain, and DNS server fields.

    When the setting is changed, the RMX will need to reboot.  Unfortunately you will be rebooting the RMX a LOT throughout this process.

    Next we head over to your DNS server and create a static DNS record in the primary domain lookup zone, and the primary SIP domain lookup zone (these may be the same depending on your Lync deployment).  Create an A record using the name you chose in the previous step, that points to the signaling IP of the RMX (not the management IP).

    I will have created a record for domain.local and (SIP domain).  You will want to test your DNS settings using nslookup and by pinging the FQDN of the RMX from the Lync 2010 server.

    2. Creating a trusted application pool on the Lync server

    Head over to the Lync 2010 server and fire up the topology builder.  We want to create a trusted application pool for the RMX.  Polycom and Microsoft recommend using a pool as best practice to allow for future expansion.  If you add another RMX in the future, users can simply dial the pool name.  Expand the trusted application pool tree, and choose new application pool.

    Choose a pool name (this does not have to resolve in DNS, and is for organization and dialing purposes within Lync only).  Make sure to select multiple computer pool even if you only have one device at this time.

    Next you need to define the computers in the pool, in this case you want to use the FQDN of your RMX bridge.

    Publish the topology once you are done configuring the pool.  Note that you will get an error about the RMX not being a domain member.  You can ignore this.  Open up the Lync 2010 console and check your topology tab.  Make sure the new computer and pool are listed.  You will see a red X on replication (this is normal).

    Now we need to run some shell commands to make RMX a trusted host.

    $route = New-CsStaticRoute -TLSRoute -Destination "th-rmx.domain.local" -Port 5061 -MatchUri "" -UseDefaultCertificate $true

    Destination = The RMX computer

    MatchURI = The pool name

    Now we need to SET the route we just added:
    Set-CsStaticRoutingConfiguration -Identity global -Route @{Add=$route}

    Next we need to create the trusted application:

    New-CsTrustedApplication -ApplicationId polycom

    Polycom HDX 7/8000 and Lync 2010

    Recently I have been working on integrating an existing Polycom video conferencing system with a new Lync 2010 deployment.  As it turns out the newer software releases for Polycom have made great progress towards making the integration of Polycom systems with Lync easier.  I say easier, because it still isn’t exactly easy.  There are many cool features of integrating Polycom and Lync.  By using a Polycom RMX, one can have continuous presence using the meeting room format.  This is something that was sadly left out of Lync 2010.  As most people who have used Lync 2010 will tell you, it doesn’t do a very good job of switching between active speakers.

    Integrating Polycom HDX 7000 and 8000 endpoints is VERY straightforward.  The only problem is that if you don’t have multipoint licenses you can only have a one-to-one call with a Polycom endpoint.  Hence the reason for an RMX.

    Requirements for integrating an HDX 7000/8000 with Lync 2010:

    First off, you will need a valid user account in Active Directory for each HDX endpoint.  As an example, we are creating a user called “Polycom LA”, for our Los Angeles HDX 7000.  We will use polycomla@domain.local as the logon name.  Make sure the “Password never expires” and “User cannot change password” fields are checked. When this user is created, it will automatically be assigned a logon name in our valid SIP domain of

    For further organization we use Active Directory groups to organize Lync users.  Later, we push these groups to the contact lists of Lync users with PowerShell.  For this example we are creating a universal security group called “wgrp-polycom”.

    Now we need to activate this new AD user on our Lync front end server.  Using the Lync server management shell: PS C:\>Enable-CsUser -Identity "Polycom LA" -RegistrarPool lync01.domain.local -SipAddressType SamAccountName -SipDomain

    Just for the heck of it, and to allow easy visual identification of the Lync user as an actual Polycom system and not a human being, we add an AD image of a Polycom camera.  This corporate image will trickle down to Lync and make it look really slick.  You can use any free AD image attribute editor for this.

    Finally, we need to configure the HDX with a SIP connection to the Lync 2010 server.  The thing to note here is the difference between User Name and Domain User Name.  The User Name field should contain the username for the primary SIP domain “”, and the Domain User Name should be the AD logon account polycomla@domain.local.

    Now we can test the Polycom configuration by heading to the global directory and searching for a user.  If the integration with Lync 2010 is working correctly you should be able to find any active Lync users and call them directly.  You should also be able to find other Polycom units if they were Lync enabled.  Pretty cool huh?

    You can check the status of the registration with Lync on the unit itself or through the web interface, and the registrar server should have a green up arrow.

    In my next post I will be going over the integration of an RMX 2000, including the issues I ran into with the RMX being unable to contact the Lync SIP server.