Skype for Business: How to setup QoS at client side?

Well there are 2 ways you could perform this is by editing the client’s computer (local group policy) or push the settings using group policy management.

Anyway, both of these methods or steps are similar and simple to setup.

*Note: A wrong value can causes the QoS not running correct

Steps for local group policy;

  1. Make sure you are login as local administrator on your computer
  2. Go to > Start > Search > Group policy
  3. At the group policy > computer configuration > Windows settings > policy QoS settings
  4. Create new policy
  5. Just follow the below image to create total of 5 QoS policies


6. During creating the policy, just change which is necessary. Leave the others as default.

7. Do a restart of the computer (I always do this)

Steps for  GPM;

  1. Open GPM
  2. Create a new GPO and name it
  3. Right click the GPO and click edit
  4. At the group policy > computer configuration > Windows settings > policy QoS settings
  5. Create new policy
  6. Just follow the below image to create total of 5 QoS policies


7. Link this GPO to the OU you wish to have this GPO implemented

8. After that remember to do gpupdate /force on both the server and the client computer

For testing;
1. Install wireshark

2. Select the network you connected and Start the wireshark (Start Capture traffic)

3. Start your skype for business audio call or video call, or both within the same network. Do a peer-to-peer communication.

4. Talk to the audio or make some sound for a minute or 2.

5. End the skype for business call (audio or video)

6. Stop your wireshark

7. Save your traffic

8. You should be able to see your QoS is working





Windows 10: How to setup Windows Hello?

This blog is based on my experience on how to setup windows hello. I really like to capture every single steps or actions are performed, because it is much easier for me (beginner) and end users to understand.


Please go through this blog first “


Before implementing, please do go through and understand the steps given below. Each steps are given clear elaboration on how to perform it. Skipping a step will causes you confusion.

Here are the steps by steps;

For administrator;

At end user’s computer

  1. Run Command prompt as Administrator at end user’s computer
  2. Type in the following commands;
Gpupdate /force
  1. Close Command prompt, once all policies has updated

OR, At the AD server

  • Open Group Policy Management
  • At the OU where the windows hello GPO is created for
  • Right click on the OU and click on the force gpupdate on all active computers

For end users;

After successfully updated the group policy on the end user side.

  1. Go to > Start
  2. Click on the > Setting
    • Then it will direct you to the setting interface;
    • hello2
  1. Click on > Accounts
  2. At the left-side bar
    • Select > Sign-in Options
    • hello3
  3. Scroll down and find PIN
    • Select > Add
    • hello4
  4. After that it will prompt you to enter your computer login password
    • hello5
  5. After successfully authenticate your credential, then enter convenience PIN number
    • hello6.png
  6. After enter the PIN number, your PIN status will change into something like below image;
    • hello7.png
  7. Scroll back up and find ‘Face Recognition’
    • Select > Set up
    • hello8
  8. A ‘Welcome’ interface will appear;
    • Select > Get started
    • hello9
  9. Enter the PIN, that you had set for yourself earlier;
    • hello10.png
  10. After successfully authenticate your PIN number, a face recognition interface will appear;
    • Place your face in-front of the camera where it can detect your face
    • hello11.png
  11. After that a successful interface will appear;
    • Select > Close
    • hello12.png
  1. To give it a try out;
    • Sign out from your computer account and you will see a different interface like the image below;
    • hello13.png


Active Directory & Read-Only Domain Controller: Unable to login into RODC

Sometimes the environment will have problems such as, network down, RPC is disconnected or even worst problems that you couldn’t imagine. These which would definitely causes login problems. For now I would like to only pin point on RODC. Usually inexperience engineers, will not notice that there is a most important feature has to be enable at the RODC.

That is the Password Replication Policy or you could call it the Password cache.

Yes, there are some environment where all the user’s are pointing to RODC instead of the DC.  Anything happens to the RODC will lead to huge complaints from the users and the person whom is supporting the back end will definitely get the blame.

So is better to avoid the trouble even though how good or stable is the environment. Here are the articles you could refer to;


AD & GPO: How to enable or configure Windows Hello?

To create this GPO is pretty simple, just by creating a new GPO or you could reuse a existing GPO (Not the default GPO).

*Note: Windows Hello only works with Windows Server 2016 and Surface Pro, Windows 10

Here are the simple steps;

  1. At the Group Policy Management > Group Policy Objects > right click to create a new policy/edit the existing policy
  2.  The image below is basically the policy to enable Windows Hello featuregpowinhello.JPG
  3. After this, remember to link the gpo to the OU that you wish it will take the gpo
  4. Remember to also do a “gpupdate /force” at both the server and computer side.
    • Open cmd > type the command “gpupdate /force”
  5. There is a gpupdate function with one push, but you have to make sure that the user’s computer are connected.
    • In the GPMC > select the OU > right click > select GPO Update policy
      • This will update all the objects inside that particular OU

AD & GPO: Why password/account policy is not working?

To those are newbie to GPO (Group Policy Objects) or Group policy management, your mentor sure told you to not configure default domain policy and instead they will tell you to create a new GPO.

Here is something you should know, Not all policy settings are workable under newly create GPO”. This means that there are still dependencies with Default GPOs. Even you’ve try to enable “Enforce” or “Block Inheritance”, the Default GPO will always there running. Thus, always research and understand in-dept of GPO.

Below is the supporting article is the answer to you.



AD & DNS: RODC not appear as Name Server?

Why ONLY the writable domain controller (RWDC) appear as “Name Server” in the DNS?

Why Read-only domain controller appears as “Host(A)” in the DNS?

*Note: This is a normal behavior



Office 365: Enable Litigation Hold

Litigation hold is a feature in Exchange Online (EOP), to hold on a mailbox even license has been removed or user has deleted. There is also duration setting for how long to hold on the mailbox. The mailbox will stick at Microsoft server forever (unlimited duration).

Why litigation hold? To prevent lost of mailbox with accidental deletion, hold for auditing and act as backup. Anyway, easier for audits to audit/inspect the user mailbox. It is indeed recommended to enable this feature.


For a user;

  1. Go to > EOP > Recipients > mailbox
    • step1
  2. Select a user
    • step2
  3. Double click to access to properties, and click on mailbox features, scroll down  and find “Litigation hold” (now is Disabled)
    • step3.PNG
  4. Click enable and save
    • step4.PNG
  5. If you wish to set duration of the hold should last, you could enter the specify number of days. (Yes,  they take in as Days)
    • * If you want it to be unlimited then just leave that box blank and click save
    • step5.PNG
  6. After enable the litigation hold, and it will prompt “this will take effect after 60 minutes”

For all user mailboxes;

*Azure Power Shell is required 

  1. Open Azure Power Shell > Connect to Exchange Online
#This command run once (for permission purposes)
Set-ExecutionPolicy Unassigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

2. Next run the following command to Get only User Mailboxes and enable the litigation hold

a. Unlimited

Get-Mailbox -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -litigationholdenabled $true


Get-Mailbox -RecipientTypeDetails usermailbox | Set-Mailbox -litigationholdenabled $true


Get-Mailbox -RecipientTypeDetails usermailbox |  where {$_.litigationholdenabled -eq $false} | Set-Mailbox -litigationholdenabled $true

b. With Duration specified

Get-Mailbox -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -litigationholdenabled $true -litigationholdduration 365

How to check whether litigation is working?

The interface way;

  1. Take a test mailbox with licensed and litigation hold enabled
  2. Remove test license
  3. Wait for half an hour
  4. Go to > EOP > Recipients > Mailbox
  5. At the search box > key in user’s name
  6. Click Refresh icon
  7. You can see that the user mailbox is still there

*Note: At the AD, if you’ve move the user account to another OU which is unsync OU, the user will not appear in the EOP mailbox, instead it will appear as “Deleted mailbox”. This is a normal behaviour. The mailbox is not deleted, it is still attach with the Microsoft server. So don’t worry.

The Power Shell way;

  1. Run this Get Command, to retrieve user mailbox with litigation hold enabled
Get-Mailbox -Filter {RecipientTypeDetails -eq "UserMailbox"} | where {$_.LitigationHoldEnabled -eq $true} | FL


Get-Mailbox -RecipientTypeDetails “UserMailbox” | where {$_.LitigationHoldEnabled -eq $true}





Office 365: How to assign license to Specific Users with all service plans included

Tired of assigning license one by one to the user? With this script you can assign to all or only specific users. But first you need to know what are your License ID in the Azure AD.

*Make sure you have the Azure Power Shell installed to your computer

*Scripts below are modifiable 

Here are the steps below;
1. Open Azure Power Shell > Connect to your Office 365 Azure


2. Getting the type of subscriptions




3. Now with the view of subscriptions you have on your office 365, you can now identify which subscription you want to enable for your users. To know which subscription is their actual display name, you could compare it on your Office 365 portal > Subscription details

4. For now we will take AccountSkuID: domain:ENTERPRISEPACK (E3 package) as our example;

*Note: This script will only Add License and it wont remove other existing license that had assigned to the user(with multiple license)

a. This is the method of using the csv file to assign license for the user OR convert users from license A to License B, where the csv file contain columns of UPN, UsageLocation and License that you want to enable for your users

#Get .csv file of users
$users = import-csv .\userList.csv -delimiter ","
foreach ($user in $users)
Set-MsolUser -UserPrincipalName $upn -UsageLocation $usagelocation
Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $SKU

This is how inside of the csv looks like;

UPN: User principal Name

Usage Location: Location of country

SKU: License type


b. Or if you want unlicensed users to be assign with license, you could run

Get-MsolUser | where {$_.isLicensed -eq $false} | Set-MsolUser -AddLicenses "domain:ENTERPRISEPACK"

5. To know whether the script works, you could try the below type of reassurance;

a. Get Command, to view whether the once unlicensed user now is already licensed is appearing in the unlicensed list

Get-MsolUser | where {$_.isLicensed -eq $false}

b. You could check in the Office 365 portal by creating a custom view > specific license type

c. You could check in the Office 365 portal by choosing > Unlicensed. To view whether the “Just only licensed user” is in the unlicensed list.


AD & Office 365: Hard Matching Immutable ID

When do we need to do hard matching? During a migration of users (which already in Office 365) from old domain(AD) to a new domain(AD), and from old AADC to a new AADC.

Why do we need to configure the immutable ID? When a user object is replicated or migrated using ADMT from old domain to new domain, their objectGUID will change and the immutable ID in Office 365 is the old immutable ID from the old domain’s user’s objectGUID. The only impact if you don’t configure the immutable ID, is when you provision the new AADC it will give you an error: “AttributeMustBeUnique”, and will not allow you to sync up to Office 365, until the error has resolved (this part make sure your dirsync duplication feature is true).

What is Immutable ID? Immutable ID is a unique identity(primary key) attribute for Office 365. At the Active Directory, it is called objectGUID. Basically, immutable ID is retrieve from objectGUID. The difference between this ID is their value, objectGUID is converted to a Base64 value for immutable ID.

*To perform hard matching make sure you have Azure module Power Shell installed to your computer. The script given below can be modify if needed.

Here are the steps to successfully complete hard matching;

  1. Disable the directory sync in Office 365
    • Open Azure Power Shell


Set-MsolDirSyncEnabled -EnableDirsync $false

  1. Wait for all users in Office 365 their status change to “in cloud”
    • This takes up 48 hours to 72 hours for the disable to complete
    • *Note: If the specific user’s status is already “in cloud”, don’t have to disable the dirsync.
  2. While waiting for the dirsync to disable, do a ADMT to migrate the user from old domain to the new domain in a target OU.
  3. Next, export csv file with list of users from Office 365 and new domain (user objects): Total csv file: 2
    • Included attributes to export are: User principal name and the object guid (on premise).
    • For O365, just export the user principal name.

#Run this script in the new domain (AD, Windows Power Shell)

#This script is to show user principal name and objectGUID of a user object based on a specific OU

$list = import-csv .\userlist.csv

foreach ($i in $list){

$upn = $i.UPN

$guid = (Get-ADUser -f * {cn -eq $upn} -pr objectguid).objectguid

write-host $guid


  1. Copy the objectGUID from the Power Shell and paste into the csv file.
  2. Compare both csv file to eliminate user that is not in the Office 365 csv file.
  3. Finalize the csv file
    • Columns include: user principal name and object guid
  4. Run a power shell to remove the unrelated user from the target OU based on the final csv file (Optional)
    • Reference:
  5. Run the following commands to convert the object guid into the new immutable id
  6. Copy and Paste the new immutable id into the finalize csv file
  7. DirSync has completely Disabled, is when the DirSync status in the Office 365 portal is gone.
DirSync Status will hide when dirsync has completely disabled

12. At the Azure Power Shell > Remove old immutable id

$users = import-csv .\list.csv -delimiter “,”

foreach ($i in $users)


$upn = $i.userprincipalname

Set-MsolUser -userprincipalname $upn -Immutableid “$null”


13. Convert the objectGUID to immutable ID

$list = import-csv .\list.csv -delimiter “,”

foreach ($i in $list){
$upn = $i.userprincipalname
$guid = [GUID]$i.objectguid
$bytearray = $guid.tobytearray()
$immutableID = [system.convert]::ToBase64String($bytearray)
write-host $immutableID


14. Copy the new immutable id from power shell and paste into the final csv

15. Set new immutable id using the final csv file

$users = import-csv .\list.csv -delimiter “,”

foreach ($i in $users)


$upn = $i.userprincipalname

$guid = $i.objectguid

$immutableid = $i.immutableid

Set-MsolUser -userprincipalname $upn -Immutableid $immutableid


16. After finishing setting the immutable id,

  • Start back the dirsync

Set-MsolDirSyncEnabled -EnableDirsync $true

17. Run the delta sync at the AADC

Start-ADSyncSyncCycle -PolicyType Delta

18. The End



Outlook: How to hide “Do Not Forward”

There some customers who are very particular with security and compliance or rights management service. They also would wish to hide all default RMS templates such as, – confidential, – confidential (View Only) and Do Not Forward, and have their own. Thus, it is easy to hide the – confidential and – confidential (View Only) templates using the Azure classic portal. However, based on many article I researched on hiding or disable the “Do Not Forward” permission in the Outlook have said “You cannot hide or remove Do Not Forward because it is based on the Office”. So, I came by this article (Reference: to resolve this hiding of “Do Not Forward” feature by modifying the registry of the Office. This method applies to version of Outlook 2010 to Outlook 2016 and can also done via GPO.

Modify using registry;

  1. Open Registry edit (regedit.exe) > HKEY_CURRENT_USER > Software > Microsoft > Office > 16.0 > Common > DRM
  2. Create a new > DWORD(32bit)
  3. Name the registry: DisableDNF
  4. Double click on the registry > enter value ‘1’
  5. Close the registry
  6. Close and relaunch the Outlook

After relaunch the Outlook, you could see whether the given method works is creating a new email > options > permission toggle, the “Do Not Forward” has grey out or disable.

Create a new registry
Do Not Forward is grey out