News Categories
Announcement (9) Amy Babinchak (64) Tips (1) SBS 2011 (6) Windows Essentials 2012 (4) Edwin Sarmiento (28) SQL Server (22) SQL Server 2012 (6) SQL Server Clustering (3) SQL Server Disaster Recovery (6) Windows Server 2008 Clustering (1) log shipping (1) Brian Higgins (3) Uncategorized (42) Hyper-V (67) Virtualization (13) Windows 8 (13) Cisco VPN Client (1) Windows Server 2012 (24) Friend of TT (4) Hangout (2) Office365 (4) DNS (8) Jeremy (7) Cliff Galiher (3) Active Directory (12) ClearOS (4) Linux (4) presentations (2) SQL PASS (6) Chris Matthews (4) Printers (2) SharePoint (8) SQL Server Administration (7) Windows PowerShell (3) recovery model (1) sql server databases (1) Dave Shackelford (7) SMB Nation (1) Steve (1) Boon Tee (5) Kevin Royalty (3) Lee Wilbur (2) Philip Elder (10) SMBKitchen Crew (31) Susan Bradley (15) AlwaysOn (1) AlwaysOn Availability Groups (4) readable secondaries (1) row versioning (1) undocumented (1) The Project (2) Webinar (3) Enterprise for SMB Project (9) Security (25) Remote Desktop Connection for Mac (1) Remote Desktop Services (8) Windows Server 2008 (1) Exchange (15) Powershell (6) Microsoft (15) Performance (7) data types (1) Server 2012 (1) monitoring (1) DevTeach (1) SQL Server High Availability and Disaster Recovery (5) Clusters (44) Hyper-V Server 2012 (2) Business Principles (26) Cost of Doing Business (13) DHCP (7) sbs (15) Windows Server (30) SMBKitchen (26) Windows Server 2008 R2 (4) StorageCraft (1) P2V (1) ShadowProtect (6) StorageCraft ShadowProtect (1) VHDs (1) Intel RAID (2) Intel Server System R2208GZ (1) Intel Server Systems (17) RAID (2) SAS (2) SATA (2) Server Hardware (12) Microsoft Licensing (2) OEM (2) System Builder Tips (4) Intel (5) Intel Channel Partner Program (4) Intel Product Support (10) Intel Server Boards (2) Intel Server Manager (2) Cloud (26) IT Solutions (2) On-Premises (20) SMB (9) WIndows Azure (2) StorageSpaces (1) Error (47) Error Fix (35) Intel Desktop Boards (2) Intel SSDs (2) SSD (2) Business Opportunity (17) Data Security (11) Identity Security (7) Information Security (14) Privacy (2) Intel Modular Server (6) Promise (2) Storage Systems (9) Live ID (2) Microsoft ID (4) User Profiles (2) Articles (2) Building Client Relationships (6) DBCC IND (2) DBCC PAGE (2) filtered indexes (2) SQL Server Index Internals (2) training (11) Adobe (3) Internet Street Smart (8) Intel Storage Systems (2) LSI Corp (2) LSI SAS6160 Switch (2) Storage Spaces (7) Firmware Update (2) Product Support (7) Hybrid Cloud Solutions (3) Server Core (2) MAXDOP (1) SharePoint 2013 (1) SharePoint best practices (1) SQL Server Authentication (1) Family (5) Alternatives (1) SBS 2011 Standard (4) Microsoft Small Business Specialist Community (2) Microsoft Surface (2) SBSC (2) Networking (4) Availability Groups (3) CANITPro (1) HA/DR (1) Step-By-Step: Creating a SQL Server 2012 AlwaysOn Availability Group (1) webcast (1) VMWare (2) Conferences (2) Client Focus (2) Disaster Recovery (6) Error Workaround (8) Troubleshooting (4) Logitech (2) Product Review (7) Windows Features (4) XBox Music (2) SBS 2008 All Editions (4) MDOP (2) Microsoft Desktop Optimization Pack (2) Software Assurance (2) W2012E (6) Windows Server 2012 Essentials (6) Internet Explorer (3) USB 3.0 (2) USB Hard Drive (2) Bug Report (2) Microsoft Office 365 (5) sharepoint online (2) BitLocker (2) Windows (2) Microsoft Update (3) Swing Migration (2) Windows Update (4) Outlook (2) Group Policy (9) WS2012e (2) WSUS (3) Office (3) Microsoft Downloads (5) Microsoft Office (3) DRP (3) Virtual Machines (2) Virtual Server Hardware (2) online course (1) SQL Server learning (7) 2 Factor Authentication (2) 2FA (2) PASS Summit 2013 (4) SQLPASS (5) Contest (1) e-learning (1) Udemy (1) smbtechfest (1) backups (2) PASS Summit First Timers (3) IIS (2) RD Gateway (4) RD RemoteApp (2) RDWeb (4) Remote Desktop Connection (2) Remote Web Access (2) Remote Web Workplace (2) Cryptolocker (6) Backup (4) Restore (2) CryptoLocker (1) AuthAnvil (1) SBS 2003 (1) SBS Migration (1) Windows Server 2012 R2 (9) Documentation (1) IE 11 (4) testimonials (11) SQL Server 2008 (1) Best Practices (1) Support (1) Intel Xeon Processor (1) RemoteApp (1) Android (1) iOS (1) Hyper-V Replica (2) PowerShell (2) SBS (3) Break (1) Business Intelligence (1) Excel 2013 (1) Power Map (1) Power Query (1) PowerBI (1) MultiPoint (2) Surface (1) Net Neutrality (1) Opinion (2) ASP (9) HP (2) Scale-Out File Server (8) SOFS (10) Windows Phone (1) Updates (1) Intel NUC (1) Intuit (1) QuickBooks (1) Office364 (1) Intel Server Systems;Hyper-V (1) Firewall (1) Patching (1) Mobile (1) Mobility (1) sharepoint (1) Microsoft Security (1) Beta (1) Storage Replication (1) outlook (1) Hyper-V Setup (3) JBOD (1) Azure (1) PCI (1) PCI DSS (1) PII (1) POS (1) MicroStaff (2) Catherine Barr (2) Third Tier (1) BeTheCloud (1) BrainExplosion (1) LookAWhale (1) Manuel (1) Rayanne (3) SuperSecretNews (1) TechYourBooks (3) Managed Services (1) Training (1) E-mail (1)
RSS Feed
Microsoft turns data storage upside down
Posted by Amy Babinchak on 07 August 2018 05:01 PM

Understanding how SharePoint and OneDrive for Business are related

SharePoint and OneDrive for Business are linked. SharePoint is the data storage location and OneDrive for Business is the client that manages the sync process. That part is pretty easy to understand. But to confuse the matter, Microsoft gave OneDrive for Business the user’s own private storage space, which although it is stored in SharePoint does not draw from your SharePoint storage quota.

You can think of the OneDrive for Business personal storage location as the user folder from the on-premises world. SharePoint is the storage location where these “user folders” reside and can be thought of as the equivalent of the server from the on-premises world. “User folders” do not take up any of your SharePoint organizational quota.

In addition to syncing and storing your own private files, the OneDrive for Business client can also sync corporate data stored elsewhere in SharePoint. So this client provides access to files in both locations. Best of all you can choose what you “see” in your OneDrive for Business client and what you are going to sync locally to your computer.

To muddy the waters just a bit more, Microsoft recently announced that One Drive for Business will soon start to offer the option to automatically sync your local profile default data locations such as the documents and pictures folders. And it will also have one-button ransomware protection for your files.

So now we’re storing personal data, bits of the user profile, and we’re syncing locally some or all of the data in SharePoint. But we’re still upside down from how business has historically stored data because our corporate space is smaller than the personal space. Basically, if you want to store all of your data in Office 365, then you’ve got some reorganizing to do and some educating of your staff to do so they know where to store things now.

Thinking it through

Knowing that we have more space for private files than we have for general corporate data means that we have to think about how data is going to be stored in the cloud. Or you could purchase more SharePoint data storage space and not think about it. But let’s see how we might rethink data storage and convert it into the cloud model from the on-premises model of data storage.

To do this we’re going to first fix up our data to make sure that we have naming conventions that will be accepted in the cloud. Then we’ll look at archiving. Finally, we’re going to take a look at who really needs access to files and think about how modern applications and the cloud might mean we can organize them differently.

Ready to migrate files into OneDrive for Business?

You‘ll need to be aware of a few limitations when deciding to migrate your files into OneDrive for Business. The biggest gotchas for my clients have been file-naming conventions and total character length. But there’s also a file size cap and a few file types that aren’t allowed too. So you might need to do some data massaging before you migrate.

Here’s what you need to know:

These are the characters that aren’t allowed in your file names: <, >, :, ", |, ?, *, /, \

These are the file names that aren’t allowed: Icon .lock CON PRN AUX NUL COM1 COM2 COM3 COM4 COM5 COM6 COM7 COM8 COM9 LPT1 LPT2 LPT3 LPT4 LPT5 LPT6 LPT7 LPT8 LPT9.

Any filename starting with ~$ or desktop.ini and anything with this string of characters _vti_.

These are the folder names that are not allowed: _t _w _vti_ and forms when it is at the root level.

Each file must be less than 15GB in size, which, honestly, should never be a problem. This is data file storage after all, not database storage.

The total file path must be under 400 characters. This one is likely to catch many people.

Fixing file names

I can’t do a better job at providing a smooth easy solution for fixing the file-naming conventions than Nik D’Agostino, product marketing manager at Lowry Solutions, has in his fabulous article on LinkedIn. So I’ve pulled this information from his article for you.

1) Download the Bulk Rename Utility Tool and extract it.

2) Uncheck all of the group except for 3 and 12.
data storage
3) Make sure folders, files and subfolders are selected under group 12.
data storage
4) Fill out group 3 with the characters you want to find and replace. I recommend replacing each of the following characters \ / : * ? " < > | # % with a dash or space.

5) Navigate to the folder whose contents you want to rename (in this case the folder we copied to our desktop) in the left window pane then make sure you select all of the files, folders, and subfolders you want to rename by selecting them in the right window pane and click the Rename button.

6) Repeat this rename process individually for each of the following invalid characters: \ / : * ? " < > | # %.
data storage

Archive your data

Many businesses are carrying around a lot of data that they really probably don’t need but can’t bear to part with. In my experience, this actually makes up the bulk of data currently sitting on servers. When hard drives got cheap, data volumes went up. Because we’re moving to the cloud it might not make sense to take all of the legacies forward with us. This might be a hard sell but consider leaving some of it behind.

You have a couple of options for this:

  1. Archive the oldest files permanently onto external disks and file them away.
  2. Archive the files you probably won’t need but can’t part with just yet into an Azure file store location or purchase additional SharePoint space and put them into an archive document library.

Azure offers SMB shares to file storage locations. Since these are archived files you are thinking that you probably won’t need you can just map a few people to the SMB share. The cost of SMB file storage in Azure is pretty reasonable. It will cost you around $.10 per GB plus some small transaction costs but it will be quickly accessible and you can map a drive to it which is incredibly convenient.

Microsoft also offers Block Blob archive storage for $.002 per GB, but if you need to read it, be aware that you have to pull the entire blob out of the archive for around $26 for the operation and it will take a number of hours before it begins (as many as 15 hours). If you truly just want to store the data for the long term, $.002 is the least expensive way to do it.

The other option is to purchase additional space for SharePoint. This simply expands your data storage space in SharePoint and you can distribute it among sites and libraries however you like. But this is the most expensive option at $.20 per GB.

Start the discussion

Now that you know what the costs are going to be, it’s time to determine how much of your data is actually archive data. Azure says that archive data must not have been accessed for at least 180 days. But I’ll guess that most businesses have data that hasn’t been accessed for 180 days, one year, two years, or even five years. You’ve probably not looked at your data in this way before, but now it is the time.

Back in 2014, the Scripting Guy wrote up a simple script called Get-Neglected files that uses PowerShell to gather a list of files that haven’t been written to since period of time that you define. I recommend using this method. He uses the file property LastWriteTime to determine when the last time the file changed which is exactly what you’ll be after when determining which of your files are truly archive material.

Use the | to export the data into a CSV file where you can then calculate the amount of drive space that you’re going to need for your archive and for your working data.

Reevaluating folder depth for cloud compatibility

Now for the hard part. Deep complex folder/file structures don’t work very well in the cloud. The website rule of thumb that people won’t click more than twice to get to something very nearly applies to cloud-stored files too. Yes, it’s a whole new world. Yes, this means changing the way that businesses think of their data. The benefit of this exercise is that it is also going to expose teams that you didn’t realize existed in your organization, even though they don’t think of themselves in that way. As you go through and look at the folders, see who has access to them and who is actually using them to discuss whether the structure needs to be as deep and complex as it is. You’re going to find that most folders are accessed by just a few people and those people are entering the folder structure at different points to avoid the click, click, click, click drill-down process. We want to expose those points as they are logical places to break the chain. Further, you’re also going to expose areas of your folder structure that are only used by one person. Those should be moved into their OneDrive for Business personal storage location.

More motivation for simple folder structures

The limitation that my clients have the toughest problem staying under is the 400-character file path limit. Remember that your file path isn’t just the folder depth but that it also includes the SharePoint online URL too. For many businesses, this will mean a reevaluation of their folder structure to make it suitable for cloud storage and will give you some leverage when talking to staff about reevaluating how they are storing and naming files.

This can be a painful process, but is it a bad thing? I don’t think so. Often the current folder structure was grown on-premises over a long period of time and as Microsoft Office began to support longer and longer character limits file and folder names got longer too. The information explosion has also caused workers to give files descriptive names which are also longer. So we have some sacred cows to deal with during this migration. You are going to get a lot of pushback and unwillingness to sit down and hash through this process. But the end result will be worth it. A shorter pathed flatter file/folder structure is much easier to navigate on mobile devices. Since your cloud files will end up being viewed not only in OneDrive but also Microsoft Teams, SharePoint and other Office 365 applications, people will find that a flatter structure benefits everyone.

Migrating the data

Microsoft has produced a great migration tool for getting your data from on-premises and into SharePoint. You can read about it here. It allows you to pick a folder from your server and populate it into the SharePoint library of your choice.
It is very interesting to note that Microsoft recommends standing up several virtual machines to support the data transfer process. This will let you get multiple upload streams going at once. Take note, too, of the upload speeds. This is probably not something that you’re going to accomplish over a single weekend.

Type of metadata Examples Average customer experience
Light ISO files, video files 2 TB/day
Medium List items, Office files (~1.5MB) 1 TB/day
Heavy List items with custom columns, small files (~50kb) 250 GB /day

Data storage bottom line: Think it through before you go

The actual data move is going to be the least of your problems. In this case, the real work is all in the data preparation and getting the business truly ready for a move into the cloud. It’s your skill at consulting and working through internal politics that is going to make or break this project. Microsoft has turned data storage thinking on its head by providing huge personal storage and small corporate storage with their plans. If you want to make that work and utilize the included storage, then you’ll have some work to do.


About Third Tier

Open a ticket with us! Established in 2008, Third Tier only works for IT Professionals by providing them with access to advanced support services. No one can know it all these days, so we give IT pros a place to go to get the hands on support they need in areas they normally don’t work in or problems they’ve never encountered. We also work on projects, fix their accounting practices and do many, many migrations and other installations. Our staff covers a wide range of technologies.




Read more »

Running your business with intention means becoming a futurist
Posted by Amy Babinchak on 26 July 2018 12:40 PM

This might conjure up an image of Carl Sagan and his famously wonderful misquote, “billions and billions of stars and each one may be a sun to someone” but the real definition of a futurist is “a person who studies the future and makes predictions about it based on current trends.” If you’re a business owner that is not a futurist then your business is likely to miss trends that could make you more money or worse put you out of business. So how do you become a futurist?

Going out of business

We’ve all seen it happen. A place that we visited or depended upon the past is now out of business. No one goes out of business intentionally. They go out of business because of a lack in intention. They were happy with their situation and somehow thought in a changing world that it would go on forever.

You know the types, “people will always have televisions so they will always need television repair”. While it is true that people still have televisions and some of them have very expensive televisions, it doesn’t follow that they call for repair on them. Unbelievably even those giant 65” televisions are disposable and don’t require maintenance during their life span like tube televisions did.

In the recent past, the phrase, “people will always have televisions so they will always need television repair” was true and people built their business on that truism. But something changed that made that truism no longer true. A futurist would see that writing on the wall before their competition and will have shifted their business before the competition did.

A futurist that owned a television repair shop would have seen that when televisions made the switch from tube to electronics that demand for repair was going to diminish. They would have diversified their business into other technologies. Perhaps they could have gone into commercial signage? The market was pretty big back then and it’s only getting bigger as time passes.

Digital signage growth market

As you can see from the graph, commercial signage is a growing industry and it uses some of the same skills that a television repair person has. They have the base of knowledge from which to build from, learn a new industry and continue to have a thriving business and career ahead of them.

But if they were not futurists and were not running their business with intention, then they likely went out of business. If you’re hockey person you’ll recognize this trait as skating to where the puck is going to be. Because hockey is such a fast paced game and the puck is faster than a human skater a good player need to see the future and be at the place where the puck is going to be rather than trying to chase after it. No one gets to the pros that way.

The problem with solving problems

Perhaps you’re a heads down technical type. You just like to solve problems. People call with a problem with their computer and you are there for them to save the day. You get it fixed right, quickly and on the first call. Your customers love you. Businesses will always have computers and users will always get error messages they don’t understand so someone like me will need to be there for them to get it fixed.

I recently interviewed a heads down, get it fixed quickly very highly competent technical guy. He had lots of energy. At his previous job had the highest ticket close rate with the shortest time on ticket of anyone else at the company. He knew everything we threw at him but he was unemployed in a hot market and so I asked what happened to his job. He was very animated and happy to tell me all about how his previous employer was amazingly stupid. The employer was unhappy that he wasn’t generating new business on those calls, didn’t take the time to chat with the person that called and that he had refused to attend training on a phone system they sold because he felt it was too much like sales. He was incredulous that he was being asked to do someone else’s job while his was job to get things fixed. We didn’t hire him. I image that he things that we are incredibly stupid too.

We didn’t hire him because he had no future. He wasn’t trainable and he just wanted to solve problems but he was incapable of seeing the bigger picture of helping the client’s business succeed. My business is built around the idea that IT has no purpose other than to make business great. It’s our mantra. You can’t make a business great if you only spend your time solving problems but fail to see the bigger picture. And if you can’t see the bigger picture then there’s no way you can be a futurist.

Many IT business owners are like this person I interviewed. While they may have moved their business from break-fix to MSP they are still focused on fixing things that are broken. All they really did was change the payment model they did not modernize their approach to business. This is because most IT businesses are started by technical people that were frustrated by a previous employer. They wanted to do things their way, which is fine, but if you aren’t a futurist able to see trends and make predictions then you’ll end up like the many television repair businesses that are no longer.

To be an intentional business owner, you need to continually be in training so you can predict where your business needs to be.

There’s no class on the future

Training isn’t just for your staff. It’s for the business owner too. You need to read because there’s no class you can take on the future. Read is a four-letter word for some people. They think that they don’t have the time to read but without reading there’s no way you are going to be able to run an intentional business that it headed toward a fruitful future. Nor will you ever become a futurist.

The future is everyone’s best guess. You will need to read technical blogs to see what the latest updates are for the type of tech you support. This will allow you to understand the roadmap, read between the lines and stay ahead of the curve. You’ll need to read about cutting edge technology. You need to read general news articles on trends in business in order to stay knowledgeable on what others in your industry are doing and where they are headed. You need to read economic articles to learn where the economy is heading because this will affect your bottom line too. You need to read general business management articles to learn new techniques for employee motivation, education, laws and policies. Just reading is a big part of a business owners job and is the only way to be able to make informed long term strategic decisions for your business.

That may sound like a lot, but it really boils down to these three things.

  • Technical Trends and Roadmaps
  • Economic status of the service area and nation
  • Business management

Together these topics will allow you to form a world view of your industry. With this world view you will be able to predict the future, position your business for that future and continue to have a thriving business.

A futurist in action and intention

A futurist has to have the right people behind them. You can attempt to lead your employees into the future but if they don’t understand why they are making these changes then they are unlikely to adopt them. They will be fighting the changes all the way.

Those heads down technical people may be great at getting things done but they won’t be great for your business long term unless they can also see the future. So don’t forget your staff. Bring them along into the future with you. Tell them your vision and get their buy in. The result will be a business with purpose moving confidently into the future.


About Third Tier

Open a ticket with us! Established in 2008, Third Tier only works for IT Professionals by providing them with access to advanced support services. No one can know it all these days, so we give IT pros a place to go to get the hands on support they need in areas they normally don’t work in or problems they’ve never encountered. We also work on projects, fix their accounting practices and do many, many migrations and other installations. Our staff covers a wide range of technologies.




Read more »

Speaking: Join me in San Diego
Posted by Amy Babinchak on 13 July 2018 07:57 AM

Join me in San Diego for an all security focused conference. I'll be speaking on how to integrate these offerings into your business

Image may contain: Amy Babinchak, smiling, text

Read more »

Configuring the newly updated Office365/Microsoft365 email encryption
Posted by Amy Babinchak on 10 July 2018 01:39 PM

The ability to encrypt email is a critical feature. So much information gets sent via email — corporate secrets like specifications, private content like pretty much anything from your accountant or lawyer, or maybe just something you’d like to keep between you and the recipient. Email encryption is a fact of life. Recently, Microsoft moved email encryption into Azure but instead of being called Office 365 email encryption, it’s now Azure Information Protection (AIP).

In doing so, they also simplified the process for users. Reading an encrypted message no longer requires the person receiving it to open an attachment. Instead, they will click on the link in the body of the email. And when a reply is made to the email, the original sender does not have to do anything to open that reply. It is decrypted for viewing automatically. If they send a reply it will again be encrypted automatically. Messages can be encrypted between internal users too. And they’ve even made the third-party authentication easier to use too.

3rd party authentication
However, while simplifying the email encryption process for users, they’ve added to the workload of administrators because you need to set up your email encryption again to use the new version.

What follows is a step-by-step guide for completely configuring or reconfiguring email encryption in your Office 365 tenant.

I like to start from a clean slate, so for this reason, I’m going to recommend that you remove any encryption rules you previously created from Exchange. After that disable encryption, wait 30 minutes then reenable it. This will make sure that your tenant gets switched over to the new version.

To do that, go to the admin portal/ Settings/Services and add-ons. Click on Azure information protection and disable it. Don’t forget to turn it back on 30 minutes later.

For tenants not previously configured for email encryption

Go to the admin portal/ Settings/Services and add-ons. Click on Azure Information Protection and enable it. It should take effect immediately but you might want to wait 30 minutes just to be sure.

For tenants created after February 2018

Azure Information Protection should be enabled by default so you won’t need to turn it on. You can move straight into configuration.

Check that AIP is working

Before we try to configure anything, let’s take a moment to make sure that it’s working correctly. You’ll need PowerShell for all of the configurations from here on out. First you need to connect to your Exchange Online Service. Be sure to run PowerShell as an administrator then run the following commands.

Set-ExecutionPolicy RemoteSigned [when it asks for a no, yes or all, select all] 
$UserCredential = Get-Credential [you’ll get a pop-up authentication window. Enter your global admin credentials] 
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

You should now be connected to the tenant. Now run the test. Make sure you use an active mailbox for the test, not just the admin account. Oftentimes the admin account does not have a mailbox anyway.

Test-IRMConfiguration -Sender
Results : Acquiring RMS Templates …
– PASS: RMS Templates acquired. Templates available: youdomain – Confidential View Only, yourdomain – Confidential, Do Not
Verifying encryption …
– PASS: Encryption verified successfully.
Verifying decryption …
– PASS: Decryption verified successfully.
Verifying IRM is enabled …
– PASS: IRM verified successfully.

We’re ready to configure

Now that we know that AIP is working, we are ready to configure it. There are several pieces to this. There’s creating the rule for when encryption gets applied to an email, allowing attachments to be unencrypted by the recipient, customizing the email, and optionally setting up a super-admin to decrypt messages and files encrypted by your staff. Leave your PowerShell session open until you’ve completed the entire process.

Create an Exchange rule

You need a mail rule to tell Exchange when you expect messages to be encrypted. The rule I suggest uses a keyword to trigger the encryption. In the example that follows, when the word securemail is present anywhere in the email, Exchange will encrypt the message.

Open the Exchange online administrator console.

Go to Mailflow/Rules.

Click the arrow next to the + sign and choose Add new Rule type Apply Office 365 Message Encryption and rights protection to messages.

email encryption

Name the rule Encrypt on Demand or anything that you’ll remember.

setup your mail encryption rule

In the Apply this rule if…box select The subject or body includes the word securemail (or any other word of your choosing but it will need to be a word that someone won’t type by accident).

In the Do the following…box select Apply Office 365 Message Encryption and rights protection to the message with and select the Encrypt template

Admin control for attachments

By default, attachments to your encrypted email are also encrypted and can’t be opened outside of your company. They say that there is an option to change this but I don’t think that your users will feel that way. It is very common that the reason for sending an encrypted message is because of the content of the attachment. Microsoft’s reasoning for not making this the default setting is that once decrypted the message is plainly available to the recipient to do with as they choose.

To allow the downloading of attachments without protection for Encrypt-only:

Set-IRMConfiguration -DecryptAttachmentFromPortal $true

Customize the appearance of the encrypted email

By default, the email message gives the recipient that phishy feeling, so you will want to customize the content to indicate that they email is legitimate. In addition, I recommend that anyone using encryption get in the habit of first sending a regular email letting them know that an encrypted email is about to follow.

Here I am simply sharing Microsoft’s instructions for these customizations. I’ve added a couple of tips to their chart and provided a sample.

To customize this feature of the encryption experience Use these commands
Default text that accompanies encrypted email messages. The default text appears above the instructions for viewing encrypted messages Set-OMEConfiguration –Identity <OMEConfigurationIdParameter> -EmailText “<String up to 1024 characters>”Example:Set-OMEConfiguration -Identity “OME Configuration” -EmailText “Encrypted message from Your Company secure messaging system.”
Disclaimer statement in the email that contains the encrypted message. Set-OMEConfiguration –Identity <OMEConfigurationIdParameter> -DisclaimerText “<Disclaimer statement. String of up to 1024 characters.>”Example:Set-OMEConfiguration -Identity “OME Configuration” -DisclaimerText “This message has been encrypted by Your Company because it contain sensitive information intended for the addressed recipient only.”
Text that appears at the top of the encrypted mail viewing portal Set-OMEConfiguration –Identity <OMEConfigurationIdParameter> –PortalText “<Text for your portal. String of up to 128 characters.>”Example:Set-OMEConfiguration -Identity “OME Configuration” -PortalText “Your Company secure email portal.”
Logo: We will likely have to make one up. I like to use GIMP. Any editor can be used. This is very small so often the real corporate logo cannot be used but instead just the name of the company would be appropriate. Set-OMEConfiguration –Identity <OMEConfigurationIdParameter> –Image <Byte[]>Example:Set-OMEConfiguration -Identity “OME configuration” -Image (Get-Content “C:\Temp\logo.png” –Encoding byte)



Supported file formats: .png, .jpg, .bmp, or .tiffOptimal size of logo file: less than 40 KBOptimal size of logo image: 170×70 pixels

Background color: this setting is not needed unless the company really objects to blue. Blue is the default color. Set-OMEConfiguration –Identity <OMEConfigurationIdParameter> –BackgroundColor “<Hexadecimal color code>”Example:Set-OMEConfiguration -Identity “OME Configuration” -BackgroundColor “#ffffff”

When you get all done it should look something like this. In the sample below you can see where each of the text items is located in the message.

email encryption

Setting up the super-admin

A super-admin is necessary to decrypt messages that anyone may have encrypted. Do note that it is also possible to encrypt files as well as email. Files in SharePoint and OneDrive can be stored encrypted at rest, and this super-admin will have decrypt control over those too.

This super-admin is a very powerful tool. You do not have to set them up before you need it. You can add the super-admin when needed and remove it when not needed. It would be more secure to do so. However, in a company where turnover is a regular occurrence, you might find that you need it more often than you don’t.

To set up your super-admin, run the following commands. Items in brackets are my comments and are not part of the command.

connect-aadrmservice [connects you to Azure AD. When you run this command you will be prompted to authenticate again. This is because you are changing services. Previously we were connected to Exchange Online, now we’re connecting to Azure AD]
enable-aadrmsuperuserfeature [enables the feature]
Get-AadrmSuperUser [shows you if there are any users already set up as a super admin]
get-aadrmsuperusergroup [shows you if there are any groups already set up as a super admin]
If there are any users already set up, verify that they should be there if not remove them using the remove-aadresuperuser -email <address> command or aadresuperusergroup if it’s a group you want to remove.
add-aadrmsuperuser -emailadress <email address> [adds a user as a super admin]

Finally, test email encryption with a real user

Now for the all-important testing phase. There’s plenty of room for error in everything that we’ve done above so don’t let this go without testing. Please find a friendly user in your company to test with.

  • Send an email with securemail in the subject line to your account. And reply. Make sure the email can be opened.
  • Send an email to a public email address such as Gmail or Yahoo. And reply. Make sure the email can be opened.
  • Send an email with an attachment and make sure that both internal and external users are able to open it.

It took a lot longer to write this and much longer to read it then it takes to implement. In my MSP practice, we are completing these tasks in under an hour including the customization piece that is the longest part of the whole configuration due to the logo customizations that it requires. But this time is an hour well spent. Email encryption will protect the information that needs protecting and make email a much better resource for communicating sensitive information.


About Third Tier

Open a ticket with us! Established in 2008, Third Tier only works for IT Professionals by providing them with access to advanced support services. No one can know it all these days, so we give IT pros a place to go to get the hands on support they need in areas they normally don’t work in or problems they’ve never encountered. We also work on projects, fix their accounting practices and do many, many migrations and other installations. Our staff covers a wide range of technologies.




Read more »

Solved: SSL cert not working as expected
Posted by Amy Babinchak on 05 July 2018 04:22 PM

Often the problems we work on aren't obscure but rather they are every tasks that you might not perform everyday. Sometime can be done quickly if you do it frequently. When it's something you're not as familiar with, well that's when you lose money trying to figure it out. Consider opening a ticket with us instead and let us help you out.


Client: I have been requested to renew an SSL Certicate on a Windows Server 2012 R2 Running Exchange 2010. I have gone through the steps, completed the Go Daddy renewal and installed the Cert on the server, but when i do the SSL Checker or use other tools for verification they cannot find the Cert on the server. Email is no longer working on mobile phones

ThirdTier: Assigned the new cert to the IIS service in the Exchange console, then found that the SSL port forwarding rule on the NetGear Firewall was missing.



About Third Tier

Established in 2008, Third Tier only works for IT Professionals by providing them with access to advanced support services. No one can know it all these days, so we give IT pros a place to go to get the hands on support they need in areas they normally don’t work in or problems they’ve never encountered. We also work on projects, fix their accounting practices and do many, many migrations and other installations. Our staff covers a wide range of technologies.




Read more »

Solved: intermittent server slowdown
Posted by Amy Babinchak on 25 June 2018 04:32 PM

At Third Tier we help IT Professionals solve problems big and small. When you need an extra set of eye or an extra set of hands remember that we're here for you. In this case we advised and the client did the work. We're happy to work either way. We can some or all of the work it is entirely up to you. We treat you like the IT professional you are.

Client: I have a WS2K12 R2 Server that every 3 to 6 months experiences a significant slow down. It usually lasts 36 to 72 hours and then all is normal again. I'm looking for someone to help me identify what is causing the slowdown so I can prevent or predict it in the future. This client has only one server, so it's the DC and handles DHCP and DNS. It does File and Print services and hosts two Windows 7 VMs via Hyper-V. It also hosts Sage 100 Contractor, Sage Paperless Construction, and Sage Estimating. Each of these Sage products runs a SQL Express instance. There are two backup programs installed: Retrospect for standard data and server backups and Altaro for VM backups.

Third Tier then asked a bunch of questions in one session try to narrow down the scope and reviewed the logs. We determined that the server was under warranty with Dell and that there had been a lot of firmware updates issued but not applied. 

Third Tier: Update iDRAC, PERC controller, NICs, Driver then firmware, Hard Drive firmware and BIOS. Always a good idea to keep the Dell OMSA up to date as well to easily show issues/alerts/logs of the server. Install a Time Server. w32tm /config / /syncfromflags:MANUAL. Meanwhile the client also modified the VM performance type. Run SFC scan and correct any corrupt files.


About Third Tier

Established in 2008, Third Tier only works for IT Professionals by providing them with access to advanced support services. No one can know it all these days, so we give IT pros a place to go to get the hands on support they need in areas they normally don’t work in or problems they’ve never encountered. We also work on projects, fix their accounting practices and do many, many migrations and other installations. Our staff covers a wide range of technologies.




Read more »

Help Desk Software by Kayako Fusion