Lync/SfB: Different scenarios using EnableSkypeUI option

The Lync/SfB Client April 2015 update introduced the new SkypeUI. For some this post may be late, but we still see some confusion on what we have to do before applying the update or which scenarios are available.

The article in the link below describes the configuration that we need to do:

Configure the client experience with Skype for Business
https://technet.microsoft.com/en-us/library/dn954919(v=ocs.15).aspx

After reading the article, we know that the EnableSkypeUI option in the Client Policy is only available in the following versions:

Version Cumulative Update KB Article
Lync Server 2010 4.0.7577.710 February 2015 KB3030726
Lync Server 2013 5.0.8308.857 December 2014 KB3018158
Skype for Business Server 2015 RTM NA NA

In that same article is also mentioned that we can add a registry key to avoid users to have the SkypeUI on the first run, and then be prompted to Restart the client:

skype4bui01

This registry value will be overwritten every time we sign in to Lync/Skype4B, with the value received by the in-band provisioning. If our Lync/Skype4B Servers are running an older version than the required one, then the value will be set to 00 00 00 00. This also means that if we change the registry key to 00 00 00 01, we get the SkypeUI to be displayed on the next start. On the contrary, if the EnableSkypeUI is not set to $true in the Client Policy, the value is overwritten and we get the prompt to Restart the client.

We then have the following table to help to explain each possible scenario:

Backend Client Policy Without $true $false
Lync Server 2010 LyncUI (*) SkypeUI LyncUI (*)
Lync Server 2013 LyncUI (*) SkypeUI LyncUI (*)
Skype for Business Server 2015 SkypeUI SkypeUI LyncUI (*)

* The user will get a restart prompt in case the EnableSkypeUI registry key is not configured.

Furthermore, if we want to keep using the LyncUI and avoid users seeing the tutorial, we need to configure the following registry keys:

reg add HKCU\Software\Microsoft\Office\Lync /v EnableSkypeUI /t REG_BINARY /d 00000000 /f

reg add HKCU\Software\Microsoft\Office15.0\Lync /v IsBasicTutorialSeenByUser /t REG_DWORD /d 1 /f

https://technet.microsoft.com/en-us/library/cc742162.aspx

Lync/SfB Server: Checking for duplicate entries in the Active Directory Configuration Partition

While troubleshooting the issue described in Checking for “ms-RTC-SIP-TrustedServer” multiple Active Directory entries with PowerShell, we encountered more duplicates for the same server, so we decided to compile all in one place.

Like in our previous post Checks to do in the Lync/SfB Certificate Store, this list will also be updated and, again, you are welcome to add a comment with a test you think that should be included in it.

Note: Replace DC=gears,DC=lab with the value for your domain.

Global Setting (msRTCSIP-TrustedServer)

Get-ItemProperty -Path “AD:CN=*,CN=Global Settings,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab” -Name cn,msRTCSIP-TrustedServerFQDN,objectClass,whenChanged,whenCreated | Group-Object -Property msRTCSIP-TrustedServerFQDN | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | ?{$_.objectClass -eq “msRTCSIP-TrustedServer”} | Select cn,msRTCSIP-TrustedServerFQDN,whenChanged,whenCreated | ft -AutoSize

Pools (msRTCSIP-PoolDisplayName)

Get-ItemProperty -Path “AD:CN=*,CN=Pools,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab” -Name cn,msRTCSIP-PoolDisplayName,objectClass,whenChanged,whenCreated | Group-Object -Property msRTCSIP-PoolDisplayName | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | ?{$_.objectClass -eq “msRTCSIP-Pool”} | Select cn,msRTCSIP-PoolDisplayName,whenChanged,whenCreated | ft -AutoSize

Trusted MCUs (msRTCSIP-TrustedMCU)

Get-ItemProperty -Path “AD:CN=*,CN=Trusted MCUs,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab” -Name cn,msRTCSIP-TrustedMCUFQDN,msRTCSIP-MCUType,objectClass,whenChanged,whenCreated | Group-Object -Property msRTCSIP-TrustedMCUFQDN,msRTCSIP-MCUType| Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | ?{$_.objectClass -eq “msRTCSIP-TrustedMCU”} | Select cn,msRTCSIP-TrustedMCUFQDN,msRTCSIP-MCUType,whenChanged,whenCreated | ft -AutoSize

Trusted Services (msRTCSIP-TrustedService)

Get-ItemProperty -Path “AD:CN=*,CN=Trusted Services,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab” -Name cn,msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType,objectClass,whenChanged,whenCreated | Group-Object -Property msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | ?{$_.objectClass -eq “msRTCSIP-TrustedService”} | Select cn,msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType,whenChanged,whenCreated | ft -AutoSize

Trusted WebComponentsServers (msRTCSIP-TrustedWebComponentsServer)

Get-ItemProperty -Path “AD:CN=*,CN=Trusted WebComponentsServers,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab” -Name cn,msRTCSIP-TrustedWebComponentsServerFQDN,objectClass,whenChanged,whenCreated | Group-Object -Property msRTCSIP-TrustedWebComponentsServerFQDN | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | ?{$_.objectClass -eq “msRTCSIP-TrustedWebComponentsServer”} | Select cn,msRTCSIP-TrustedWebComponentsServerFQDN,whenChanged,whenCreated | ft -AutoSize

Skype for Business Server 2015 Cumulative Update List: July 2018

With the first release of an update for Skype for Business Server 2015, it is a good opportunity to publish a list of Cumulative Updates. We will try to keep it updated as soon as a new Cumulative Update is released.

Like in the previous versions, this list will include the version for the Core Components. This is because not all components are updated when we apply a Cumulative Update.

The previous lists for the Lync Server can be found in the following links:

Lync Server 2010 Cumulative Update List

Lync Server 2013 Cumulative Update List

We already made a post on how to check the component version using PowerShell:

Skype for Business Server 2015 Component Version using PowerShell

Skype for Business Server Component Version using Get-CsServerPatchVersion – Requires version 6.0.9319.102 or above)

The latest updates for Skype for Business Server 2015 and how to update each server role is described here:

Updates for Skype for Business Server 2015

Download the latest Cumulative Update for Skype for Business Server 2015

Here is the table with the list of updates:

Version Cumulative Update KB Article
6.0.9319.534 July 2018 (CU7) http://support.microsoft.com/kb/4340904
6.0.9319.516 March 2018 (CU6 HF2) http://support.microsoft.com/kb/4086059
6.0.9319.514 January 2018 (CU6 HF1) http://support.microsoft.com/kb/4074701
6.0.9319.510 December 2017 (CU6) http://support.microsoft.com/kb/4036312
6.0.9319.281 May 2017 (CU5) http://support.microsoft.com/kb/4012621
6.0.9319.277 February 2017 (CU4 HF1) http://support.microsoft.com/kb/3207506
6.0.9319.272 November 2016 (CU4) http://support.microsoft.com/kb/3199093
6.0.9319.259 June 2016 (CU3) http://support.microsoft.com/kb/3149227
6.0.9319.235 March 2016 (CU2) http://support.microsoft.com/kb/3134260
6.0.9319.102 November 2015 (CU1) http://support.microsoft.com/kb/3097645
6.0.9319.88 September 2015 http://support.microsoft.com/kb/3098601
6.0.9319.55 June 2015 http://support.microsoft.com/kb/3061059
6.0.9319.0 RTM NA

Checks to do in the Lync/SfB Server Certificate Store

The checks described in this article are the result of what we normally check during troubleshooting. Some of these already have specific error events, but the objective here is to try to avoid that these events occur.

We plan to keep the post updated and add more checks that we identify as useful. Also, we kindly ask you to add a comment with a test you think that could make a good addition to the list.

Check #1 – Misplaced certificates in Trusted Root CA

Some of us already experienced issues related to having misplaced certificates in Trusted Root CA. In Windows Server 2012, it started to check misplaced certificates and it affected Lync Server 2013:

Lync Server 2013 Front-End service cannot start in Windows Server 2012
https://support.microsoft.com/en-us/kb/2795828

In order to check this, we can use the PowerShell cmdlet mentioned in the above article or this one instead:

Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Select Issuer, Subject, Thumbprint | fl

To solve this we need to move the certificate to the proper Store. In this case, we should move it to the Intermediate Certification Authority.

Check #2 – Duplicates in Trusted Root CA

Although this should affect Lync/Skype4B, it is better to check and delete the duplicates:

Get-Childitem cert:\LocalMachine\root | Group-Object -Property Thumbprint | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | Select FriendlyName, Issuer, Subject, Thumbprint | fl

Check #3 – More than 100 certificates in Trusted Root CA

This is really important, as it may cause sign-in issues for users. Most of the time, we have less than 50 certificates.

Get-Childitem cert:\LocalMachine\root | Measure

To solve this we have to keep just the certificates that we need. In a Front End, this is actually an easy task, but in a Edge Server we need to be more careful, since the federation with other Lync/Sfb Server environments might get broken if we delete the wrong certificate.

Check #4 – Root CA certificates in Personal Store

Just to have things nice and tidy, we should move these certificates to the Trusted Root CA. But before that, it’s recommended to check whether they are already there, otherwise we might end up with duplicates.

Get-Childitem cert:\LocalMachine\my -Recurse | Where-Object {$_.Issuer -eq $_.Subject} | Select FriendlyName, Issuer, Subject, Thumbprint | fl

Check #5 – Duplicated Friendly Name

Usually, we add different Friendly Names so it gets easier to assign the certificate. In this case, however, it actually gets to be a requirement:

Note: Each certificate Friendly Name must be unique in the computer store.

Certificate requirements for internal servers in Lync Server 2013
https://technet.microsoft.com/en-us/library/gg398094(v=ocs.15).aspx

Again, a simple PowerShell cmdlet:

Get-Childitem cert:\LocalMachine\my | Group-Object -Property FriendlyName | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | Select FriendlyName, Issuer, Subject, Thumbprint | fl

Check #6 – Misplaced Root CA certificates in Intermediate CA store (Suggested in the comments)

Get-ChildItem Cert:\LocalMachine\CA | Where-Object {$_.Issuer -eq $_.Subject} | Select Issuer, Subject, Thumbprint | fl

Checking for “ms-RTC-SIP-TrustedServer” multiple Active Directory entries with PowerShell

While publishing and enabling a topology, we were getting this error:

Enable-CsTopology: Multiple Active Directory entries were found for type”ms-RTC-SIP-TrustedServer” with ID “<SERVER FQDN>”.

The publishing was successful but then the enabling was showing this error.

The next step was to check the duplicates in the Active Directory Configuration Partition. For those who have already browsed this, you probably know it has too many entries:

dupTrustedService01

An easy way to check duplicates is to use PowerShell. For this we need a server/desktop with the Active Directory PowerShell module installed, because the AD:\ won’t be available if we don’t load the AD module:

dupTrustedService02

Get-ItemProperty : Cannot find drive. A drive with the name ‘AD’ does not exist.
At line:1 char:1
+ Get-ItemProperty -Path “AD:CN=*,CN=Trusted Services,CN=RTC Service,CN=Services, …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (AD:String) [Get-ItemProperty], DriveNotFoundException
+ FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

To import the Active Directory module simply run:

Import-Module ActiveDirectory

dupTrustedService03

And to check the duplicates we use the following PowerShell cmdlet:

Get-ItemProperty -Path “AD:CN=*,CN=Trusted Services,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab” -Name cn,msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType,whenCreated,whenChanged | Group-Object -Property msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | Select cn,msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType,whenCreated,whenChanged | ft -AutoSize

Note: Replace DC=gears,DC=lab with the value for your domain.

dupTrustedService04

Now we know which values are duplicated. Please take special attention when changing values in the Active Directory Configuration partition, as you should have a backup of all values before doing any change.

Lastly, a special thanks to the blog Hey, Scripting Guy for this post:

Hey, Scripting Guy! How Can I Use Windows PowerShell to Retrieve the Non-Unique Items in a List?
http://blogs.technet.com/b/heyscriptingguy/archive/2008/01/31/how-can-i-use-windows-powershell-to-retrieve-the-non-unique-items-in-a-list.aspx

Lync 2013 won’t change to Skype4B when deployed using OCT

We found out that there is a scenario where the icon isn’t changed to Skype for Business after the April 2015 update.

skype4bicon01

The Start Menu shortcut was also Lync 2013:

skype4bicon02

While troubleshooting the issue, we discovered that the C:\Windows\Installer\{91150000-0011-0000-1000-0000000FF1CE}\ folder contained two different files with Lync and Skype4B icons:

skype4bicon03

After testing it, we discovered that the root cause for this issue was due to Lync 2013 being installed with a customized shortcut using Office Customization Tool (OCT):

skype4bicon04

There are 3 known workarounds, the first two will require redeploy but they are permanent. The last workaround is temporary and an update or repair will revert the changes made by the script.

1) Redeploy Office 2013 using OCT

If we don’t change the shortcut location in OCT, we will only get the lyncicon.exe in the Windows Installer folder. Also, this issue happens with Office 2013 and Lync 2013 Standalone.

2) Redeploy Office 2013 using config.xml

A good alternative to OCT is to use a config.xml in order to customize the installation, but with this method, however, we cannot change the shortcut location:

Config.xml file reference for Office 2013
https://technet.microsoft.com/en-us/library/cc179195.aspx

3) Run a script after every update

The final workaround is to use a script after every client update that will change the icons files. As an example here are the PowerShell cmdlets (requires elevated permissions) to change the icon and description:

$shortcutLocation = “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Office 2013\”
$oldShortcut = “Lync 2013.lnk”
$newShortcut = “Skype for Business 2015.lnk”
$iconComment = “Connect with people everywhere through voice and video calls, Skype Meetings, and IM.”

# Create a copy of the Shortcut:
Rename-Item $shortcutLocation$oldShortcut $newShortcut

# Change the new shortcut settings
$shell = New-Object -COM WScript.Shell
$shortcut = $shell.CreateShortcut($shortcutLocation+$newShortcut)
$shortcut.Description = $iconcomment
$shortcut.Save()

#Get the Icon Name and Folder
$iconlocation = $shortcut.IconLocation
$tempInd = $iconlocation.indexof(“Icon”)

$iconName = $iconlocation.substring($tempInd,$iconlocation.indexof(“.exe”)-$tempInd )
$iconFolder = $iconlocation.substring(0,$tempInd)

#Change the icon:
Rename-Item $iconFolder$iconName”.exe” $iconFolder$iconName”_old.exe”
Copy-Item  $iconFolder”lyncicon.exe” $iconFolder$iconName”.exe”  -force

skype4bicon05

Now we have the Skype for Business 2015 icon:

skype4bicon06

And also the Skype for Business 2015 shortcut in the Start Menu:

skype4bicon07

Changing back to Lync 2013 Icon after the April 2015 update

Some of us were surprised by the Lync 2013/Skype for Business Client update, since this security update also included the Skype4B User Interface. Lync/Skype4B administrators could still use the recently added EnableSkypeUI setting to the Client Policy in order to manage which UI they want the user to see.

In our Lync Lab, we have it configured to False and the user is able to see the Lync 2013 UI. The icon, however, is still Skype for Business:

lyncicon01

As this can cause confusion in some users, the purpose of this article is to show a workaround to this. Keep in mind that future client updates will change the icon again.

In the Start Menu, we had this:

lyncicon02

The folder location is “%ProgramData%\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013”.

lyncicon03

Note: In our lab, the folder is C:\Windows\Installer\{90150000-0011-0000-0000-0000000FF1CE}, and we can check were the file is with this:

Get-ChildItem -Path C:\Windows\Installer -Filter lyncicon.exe -Recurse

lyncicon04

We need to get the icon before the update and copy it with the name lyncoldicon.exe to the same folder. Although we can copy it to another folder, it’s preferable to keep all icons in the same location:

lyncicon05

It’s a good practice to keep both icons because we may want to change back to Skype for Business icon.

In a PowerShell window with elevated permissions, we run the following cmdlets:

$shortcutLocation = “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\”
$newShortcut = “Lync 2013.lnk”
$oldShortcut = “Skype for Business 2015.lnk”
$iconLocation = “C:\Windows\Installer\{90150000-0011-0000-0000-0000000FF1CE}\”
$iconComment = “Connect with people everywhere through voice and video calls, Lync Meetings, and IM.”

#Change the icon:
Rename-Item $iconLocation”lyncicon.exe” $iconLocation”skypeicon.exe”
Rename-Item  $iconLocation”lyncoldicon.exe” $iconLocation”lyncicon.exe” -force

# Create a copy of the Shortcut:
Rename-Item $shortcutLocation$oldShortcut $newShortcut

# Change the new shortcut settings
$shell = New-Object -COM WScript.Shell
$shortcut = $shell.CreateShortcut($shortcutLocation+$newShortcut)
$shortcut.Description = $iconcomment
$shortcut.Save()

lyncicon06a

Note: All scripts should be extensively tested before being applied in a production environment.

After running the cmdlets, the Start Menu should change to this:

lyncicon07

And after a reboot the icon will also change in the TaskBar:

lyncicon08

To rollback the changes:

$shortcutLocation = “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\”
$oldShortcut = “Lync 2013.lnk”
$newShortcut = “Skype for Business 2015.lnk”
$iconLocation = “C:\Windows\Installer\{90150000-0011-0000-0000-0000000FF1CE}\”
$iconComment = “Connect with people everywhere through voice and video calls, Skype Meetings, and IM.”

#Change the icon:
Rename-Item $iconLocation”lyncicon.exe” $iconLocation”lyncoldicon.exe”
Rename-Item  $iconLocation”skypeicon.exe” $iconLocation”lyncicon.exe” -force

# Create a copy of the Shortcut:
Rename-Item $shortcutLocation$oldShortcut $newShortcut

# Change the new shortcut settings
$shell = New-Object -COM WScript.Shell
$shortcut = $shell.CreateShortcut($shortcutLocation+$newShortcut)
$shortcut.Description = $iconcomment
$shortcut.Save()

lyncicon09a