Hi guys and girls, hope you are doing well, as the pandemic is still on-going, hope that you guys are keeping cleanliness and safety first.
Today’s topic is about exchange migration of mailboxes from on-premises to Office 365. This issue is where the legacy windows client or legacy office apps has issue with their outlook applications keeps prompting for credentials and showing disconnection. The issue also do happen to Windows 10 machines but not as aggressive as the Windows 7 machines.
This environment has the following items,
Exchange server: 1 unit, version 2013, CU23 (latest)
Windows client: Combination of Windows 7 and Windows 10
Office applications: Combination of 2013, 2016, 2019 and Microsoft 365 apps for business in both windows 7 and windows 10 categories
Migration method: Remote move migration
Hybrid establishment: Yes
Microsoft 365 license: Business standard/basic
As we all know that the major pre-requisites must met before starting the hybrid and perform migration.
We notice intermittent connections while running the Wireshark on Windows 7 with M365 business apps, while trying to login using the migrated account credential on an Outlook app. We ran a re-creation of the outlook profile and the prompt for credential has stops. This is definitely not the right solution. Solutions is dependent with what caused the issue.
At first we suspected something got to do whitelisting on the network layer but we had confirmed that the whitelisting are correctly configured. Next, we suspected something go to do with compatibility on windows with/or office apps version. This is not a very good idea. After quick research, I came about modern authentication could be the caused, and there where I had an idea on suggesting to turn off the security default in Azure portal and then turn off the modern authentication in Office 3655 tenant. After 10 to 15 mins, the intermittent connections no longer shows up on the Wireshark.
Modern authentication is enabled by default for every new Office 365 tenants, so please be aware if your environment has legacy windows client running or legacy office applications, do consider to turn them off first before proceeding to deploy Microsoft 365 apps.
Modern authentication was the one the interfered with the machines and it kept challenging the users to key in credentials due to the compatibility was not met. Once the modern authentication is turn off, the environment now is running basic authentication.
So I am testing Autopilot in my lab environment, consist a Hyper-V with its Virtual Machines. Well I am doing a manual registration, so how do I export the device information that is required my VM to be register for Autopilot?
I already have a VM running Windows 10 Pro, and I ran this script to export and automatic import the device information to be register into autopilot. However, I wasn’t running the script before Out-of-the-box-experience (OOBE) happen, so to make Autopilot work on my VM, I had to reset my VM.
Once the VM has reset, it ask for region, language of my keyboard and next it shows a welcome page with the Display name and the company name. So I key in the email address and password of the user and also setup the PIN. However, I just notice that I set this user with the Standard permission only. Thus, the administrator account is disabled and I keep getting the RDP permission error prompt due to the user account is not in the RDP group in the VM.
Example of the prompt;
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted the right manually.
How I troubleshoot this;
Is to run MMC as administrator > File > Add/Remove Snap-in
Key in your Office 365 admin account (an account with permission that can manage device)
Select Local Users and Groups > Add
Select Local computer > Finish > Ok
Expand the local users and groups > Users > Right click Administrator > Uncheck Account is disabled
Reset the local Administrator password too
Select Groups > Right click on the remote desktop users > Add > Authenticated users > Ok
Sign out and Sign in again
These steps should help you from getting the prompt again.
Please take note that I am doing this in Lab environment. In production, by right not to enabled administrator account and not to do any changes to the local users and groups.
This blog is based on my experience on how to setup windows hello. I really like to capture every single steps or actions are performed, because it is much easier for me (beginner) and end users to understand.