Microsoft

Outlook Search Results Won’t Delete

I ran into this issue when migrating users to Exchange Online, while running Outlook 2016 MSI 32 bit.

Once a user is on Exchange Online, Outlook starts leveraging the power of FAST search. This search occurs on the Exchange Online end, rather than the device end, and is designed to give quicker results while being more reliable than Windows Desktop Search. There’s a great write-up on this on Microsoft’s TechCommunity that goes into much more detail.

It does depend what sort of search you do as to whether it’ll use FAST or Windows Desktop Search too, but the most basic of searches will use FAST. There’s also timeouts and speed checks that can force it to fail back to Windows Desktop Search.

However, there are some catches with this search from my testing. If you do an email search and decide to delete one of the emails in the results, it appears that nothing has happened. You can delete and delete, right click, press the delete key, click the X to delete and it all appears to do the same – nothing. In the background though, it has actually deleted your email, it just doesn’t display this in any way. It’s like the search results are a static result and won’t update on an action like this.

This behavior can be confusing for a user, especially when they’re used to seeing emails disappear and react when something’s done to them.

There’s another catch that depending on your environment, might be more of a deal breaker. If you use the category field, flag, or extra fields, for example when filing a document into a DMS system, those aren’t displayed or updated in a FAST search. If your users need this to effectively manage their emails, then it’s worth looking at just disabling FAST search via Outlook altogether.

As mentioned in the above post and this Technet article, there’s a single registry setting that can disable FAST search:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Search

Value name: DisableServerAssistedSearch

Value type: REG_DWORD

Value: 1

A restart of Outlook is needed after this change, and users won’t be alerted of anything different. Search will just start using Windows Desktop Search (which was always running anyway) and not know any better.

OneDrive for Business Rollout Considerations

If you’re managing OneDrive for Business in your organisation, there’s a lot to consider – more than what you’d think until you start looking into it. I’ve just gone through this, so thought it was a good time to document and share what I found with my recommendations.

There’s two major areas to review settings in:

admin.onedrive.com

You may not know this even exists as it’s still in preview, as OneDrive for Business fully functions without ever having to go here. The OneDrive admin center at https://admin.onedrive.com/ has some nice settings worth checking out. Some of the settings were already available in other areas, but this gives a central point to manage them.

Sharing: Under the Sharing section, there’s a few settings I’d recommend changing. The defaults are much more open – allowing users to create shareable links that don’t require a sign-in (which is really a bad idea when you’re sharing work information!), as well as the default link type being ‘Shareable: Anyone with the link’.

I’d recommend having the default ‘Direct: Specific people’ when sharing a link, and restricting the ability to have anonymous shareable links at all. This way ensures that data only gets shared to the people the end user chooses, and nobody else.

Sync: ‘Allow syncing only on PCs joined to specific domains’ is off by default, and you’ll need to look up your domain’s GUID to enter it in. This is good for data leakage, do you really want someone’s home PC automatically downloading all work data? This won’t block them from accessing OneDrive information at all as it’s available via web and Android/iOS apps, but none of those solutions automatically sync content. You can also block Mac OS if you don’t manage any in your company.

There’s also the option of blocking syncing of specific file types – I can’t think of a particular reason for this though. OneDrive already has AV built into it, as does your PC with Windows Defender, AND you should have Applocker in place to block running unwanted executables… but it’s still worth noting the option.

Storage: The default ‘Days to retain files in OneDrive once a user account has marked for deletion’ might be missing a word, but it’s default value is 30. You can go all the way up to 3650, which is 10 years minus a few days for leap years. I don’t have to worry about this data or pay extra for it, so I’d rather have it retained just in case.

There’s also another option where on departure, the manager based on the AD/AAD field of the departing user will be granted access to their OneDrive, which is a nice automated way of having someone check the contents in case anything needs to be saved out. That setting lives in the SharePoint Admin center, fully described in the above link.

Device Access: Worth noting that you can restrict access from certain IP addresses, but in the real world I don’t see many companies doing this unless you really want to keep your OneDrive data internal.

If you’re in a position to disable this other option though, removing the ‘Allow access from apps that don’t use modern authentication’ is good security wise, and ties into my other post Protect Your Office 365 Accounts By Disabling Basic Authentication.

There are other options in the OneDrive for Business Admin Center, but nothing I personally considered changing.

Group Policy

This is probably where you’ve already started. Make sure you’ve deployed the latest ADMX files, and review all the settings. Here’s the key ones I’d recommend looking at, some are computer based and some user:

Enable OneDrive Files On-Demand: This makes just the stubs of files download to the OneDrive client, then download the full file when requested. There might be some pushback on not having instant access to a file when wanted, but when you tie this into Known Folder Redirection (below) and have users that move around a lot, this should save bandwidth and disk space across your fleet. I have this one enabled.

Prevent users from using the remote file fetch feature to access files on the computer: I’d definitely have this one off as it lets users access the entire contents of any PC they’re signed into (where their account also has access to the local files of course), remotely. It could easily lead to data leakage when you’re opening up such a big door.

Delay updating OneDrive.exe until the second release wave: If OneDrive becomes important to your users (which it should, yet again with Known Folder Redirection), then you probably want to avoid getting a new release that has a bug. Sit back and wait for the second release wave to make sure you’re getting a more stable update each time. Enabled with maybe a few users having this Disabled for piloting/testing.

Prevent users from synchronizing personal OneDrive accounts: I enabled this one, as with the above settings I’ve already allowed a method that users can get and work on the files they want from anywhere. I can also monitor this and produce logs if required. Someone’s personal OneDrive I have no visiblity or control over, and there’s really no need to allow this.

Silently move Windows known folders to OneDrive: Once you’re ready and fully deployed with OneDrive, this is the next great feature to check out. It deserves it’s own blog post later, but you can silently configure the user’s Desktop, Documents and Pictures folders to live in OneDrive, rather than the local PC. This lets users access the same data wherever they log into, with the extra benefit of doing it in the background after the user logs in – no login delays. It’s like having an important part of roaming profiles, without the headaches. More info here: https://docs.microsoft.com/en-us/onedrive/redirect-known-folders

If you’d originally disabled OneDrive via GPO through the policy Prevent the usage of OneDrive for file storage then just disabling that policy should be enough, as long as you still have OneDriveSetup.exe running at login via the Run registry hive against the user. If you removed that, you may have to add it back in.

I found this method to be useful – to create the value HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run – Reg_SZ value type OneDriveSetup with value data C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup – but only applying this if the OneDrive registry value didn’t exist. OneDriveSetup should remove itself if successfully run, and will also create OneDrive meaning the setup key won’t get put back again.

If you see what a new user gets the first time they log in assuming no OneDrive cleanup has happened, is the exact same OneDriveSetup key as above. In my testing, having other switches against OneDriveSetup caused issues.

Access An Exchange Online Mailbox Without a License

This is just a quick one. Most Office 365 admins will hopefully have a separate admin account to perform higher level tasks, compared to their normal user account.

Because of this, the admin accounts shouldn’t need any licensing, because they’re not being used like a normal user. One person shouldn’t need to have two sets of licenses – but there are some problems that can come up because of this.

For example, if you want to use your admin account to access someone’s mailbox, that can be difficult when you don’t have a mailbox yourself to log onto, to then open another user’s mailbox. Outlook can be used to work around this, where you set up a profile for the email address of the user you want to access, but enter your admin credentials when prompted:

Your Name is just a display name field, email address needs to be the user’s email. Don’t enter a password here and click ‘Next’
This login page will start by showing the user’s email address, use the option ‘Sign in with another account’ and use your admin account.

The above works OK, but is a little time consuming if you’re accessing a mailbox for a quick check.

If you try to go to Outlook Online, you’ll get a message saying your admin account doesn’t have a license or a mailbox. To get around this, you’ll need to use a URL like:

https://outlook.office.com/owa/user@mydomain.com/?offline=disabled

so it jumps straight to that user’s mailbox, assuming you have access rights to it, and have waited a few minutes for the rights to apply.

Using the URL method is really quick way of accessing another user’s mailbox without needing a license yourself.

Disable Windows Defender Summaries via Registry

Windows Defender does some great stuff, but in my opinion one of the more ‘noisy’ things it doesin Windows 10 is provide a frequent notification to say it’s working but hasn’t found anything.

Many users may find this notification unnecessary and breaking their work focus just to be told that their PC is fine. Especially in a business environment, they’d think that is someone else’s problem.

Windows Defender Security Center Settings

A user can turn these off themselves of course, in the Windows Defender Security Settings page under Virus & threat protection notifications. It’s possible to turn off all informational notifications, or untick certain types.

Although there is an inbuilt Group Policy to also turn off informational notifications, to me I’d still want users knowing a threat was found or something was blocked – those are useful to the user. However the recent activity and scan results is the one I’d suggest disabling, but there’s no Group Policy for that.

Luckily this is just a single registry key which I’ve found through using Procmon:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection\

REG_DWORD: SummaryNotificationDisabled

Value: 1 (decimal)

This setting can be rolled out through Group Policy (even as a run once and don’t reapply) if you’d like users to have control over turning the setting on.

Microsoft Software Ready For Betting?

If there’s one thing difficult to accuse modern American tech companies of, it’s inadequate preparation. While the consumer-facing sides of these companies deal with exciting products, software updates, and things of this nature, the same companies are constantly working behind the scenes in order to enrich their offerings. This includes development, marketing, maintenance, and perhaps most interestingly, concept consolidation and patent acquisition.

There are constant examples of major tech companies quietly filing patents long before a product actually goes to market, from a given type of screen for a mobile phone to current rumors of Apple’s designs for augmented reality glasses.

One recent example of this that seems to have flown under the radar is Microsoft’s file for Patent No. 0125691. This came to light late in 2016, with notes that the patent application includes words and phrases like “real-time” and “determine payout of event” that appear to point toward a gambling application. Said one article on the development, it could be a critical piece of a future with widespread legal gambling in the United States.

In 2016, that still sounded very much like a future, because there was little publicly evident momentum toward establishing legal betting beyond places like Nevada and New Jersey. That all changed early in 2018 however, when a Supreme Court decision altered the betting landscape significantly. It remains up to individual states to legalize the activity (and you can track their progress here), but to put it in clear terms, it’s now legal to make it legal, if that makes sense. And that means the environment Microsoft appears to have been preparing for with this particular patent is closer to materializing than we might have once believed.

As to what that environment will look like, and what sort of activity Microsoft could ultimately get involved with, we might best look to examples set in countries where sports betting is legal. This has been the case in the UK for some time for instance, and the same can be said of Australia. In these countries there are numerous betting sites available, and they tend to be accessible both online and via mobile. It may well be that Microsoft is aiming for the higher end of all this as well.

It’s recommended that people looking for modern betting sites pay attention to in-play services, which essentially allow for real-time gambling and decision-making, but which aren’t necessarily available through some older platforms. Given that the patent, as mentioned, references the term “real-time,” it would appear that Microsoft is up-to-date on what bettors look for in modern sites or applications.

It’s still not crystal clear how or when the patent might be used. But we may find out sooner than we thought thanks to the progress of legal betting in the U.S., and it certainly sounds as if the tech giant is going to have its own services available in this area.