Microsoft Teams – Configure your Surface Pro device as your personal meeting room

As we all are working remotely from home ,Microsoft Teams has been an extraordinary assistance for all of us in boosting our productivity and keeping us stay connected in this pandemic situation. We are in Teams Remote meeting for almost everyday to complete our daily chores. Well the vast majority of individuals are having a office setup scenario at this point, however its less likely we have setup our own personal meeting room equipment . Most likely we are attending the meetings and doing the works from the same device.

This wasn’t the case before but since we are almost having very frequent remote meetings every day its a good idea to have one personal meeting room device for the below reasons :

  1. You have your laptop with multiple excel sheets, Word Documents , PDFs, Browsers etc., always and you do not need to switch between camera screen and your work thats going on.
  2. There are 2 screens where one is fully focused only for work and other is dedicated only for Meetings.

There are loads of items in the market which is available in a competitive pricing , yet my thought in this blog is to demonstrate that we have a very good option to convert Windows compatible tablet or a Surface Pro into a personal meeting room just in case if you have additional device which has been hibernated for quite a long time.

In this example we are going with the below scenario where :

The Surface Pro will be prepared to equip and host the Microsoft Teams Meeting Room. Below are the prerequisites that needs to be completed for this installation.

  1. Create the associated Resource accounts for the Room Systems.
  2. Create the Provisioning package that is required for the device account staging to the office 365 and Azure.
  3. We will Join the Device to the Azure AD, so this device is kept as managed and action can be taken when required. Later we can onboard the device to Intune for device management and monitoring action.

In order to first begin we need to create the device account as per this Microsoft Documentation

Be sure to follow the documentation because this account needs to be enabled. So in our example the below account has been created for our Testing.

Assign the required license. If we are having Office 365 E3 or E5 it will continue to work. Can refer more about licensing over here

Ideally Microsoft Teams Rooms Application runs on a Touch Screen Control Panel with suitable Computing resources. Then it would have a Dock where we will have the HDMI inputs/Outputs and USB ports to connect the Associated Peripherals. So there is a hardware requirements in place where there are Microsoft certified products in the Market . So typically these certified products from vendors comes with preinstalled software with the latest Teams App version based on the purchase date of the product and a supported windows version in them as per this link

Since in our scenario we do not have the supported OS version and the Teams App Present on the Surface Hub we need to follow the below procedure as per this documentation

We need to run the CreateSRSmedia.Ps1 script from a windows 10 PC that will create the installation media that has Latest MSI installer of Microsoft Teams Rooms App and install the correct version of the Windows Version that is required.

When we run the script the initial stage will show like below .

It prompts for few questions. Here in our example have chosen OEM since its Surface Pro

In the next screen it asks for the drivers that is required for this installation. I have chosen none in our case since we can download the Surface Pro drivers according to our version from here and place them on the USB flash drive after the media is created at the end of this process.

Post that it will ask us to provide the flash drive. Make sure the flash drive is minimum 16 GB and hooked in during this stage.

Finally at this stage we will be requested to provide the path of the windows installation media it expects an IOT version of Windows enterprise media plus the product key of the OEM of the Surface Pro.

Once after this is completed the required installation media for the Teams Room System is successfully created.

Installation of the Room System on Surface Pro:

Now having the media prepared the next step is to prepare the installation process.

The installation process is pretty simple.

Turn off the Device Keep holding the Power button plus Volume down button. Once the Windows Icon Loads just release the power button and the keep holding the Volume down button until you see this screen.

After a while we can see that the installation have been started and the we will see the below screen.

The installation process did not take that much long time more than 15 minutes in my case and we are almost to the final stage of the installation process.

The devices reboots two times and finally we see this screen

If you select the region we will reach this stage and this is the Teams Room App that is installed successfully as expected. Over here just click on exit because one important step is to make sure we are connected in the internet for successful Azure AD join operation to be completed.

After this exit screen we get the below option usually we get 2 accounts Skype and Administrator

The Administrator default password is sfb with which we can login. We can reset this password after first login. With this we can ensure the device is connected to the internet. There is a whole process to get this automated via XML deployment for more number of devices in a large scale environments . Since its for personal device we are doing this manually over here.

So over here for the xml deployment we are mentioning only the Teams, Exchange Online Account details , Device settings and Few meeting options and placing the xml file in the below location.


This location is unique for all Teams Room devices. This is the place from where the Teams app picks up the configuration after the next time it reboots and deletes the xml file.

Join them in Azure AD for Device Management:

There are multiple options to manage this device. Since its a Teams Meeting room and consuming the Microsoft Cloud Services its a good idea to keep this device fully managed via Azure AD. The easier step is to create the Provisioning package by following this Link

There are more number of options to enable settings over here but in our example we are just changing the device name, Enrolling them on Azure AD and finally creating one local Admin account. So in the account management just select Enroll in Azure AD, fetch the bulk token and at this point of writing this blog bulk token retrieval can be only from a Global Admin account. And more importantly we have to handle with care on these bulk tokens and anyone with this token they would be able to join the device to our tenant.

So when we switch to advanced editor, we could see there are lots of option to customize based on our requirement which will definitely help based on the bulk deployment scenarios.

In our case only Device Name, Network turn it off since its a surface pro, Bulk Token for Azure AD join , Local Admin User Name and Password.

After we click on finish and can see the files that have been created as a part of the above task. We need to copy only the file that is in .ppkg format into a USB flash drive.

Once the ppkg file is created just plug the USB in the Surface Pro , Make sure that you are connected to the internet. After that go to access work or school and select ,add or remove the provisioning package and click on the package that is present on the USB.

No we will reach the below screen with the information that the package is going to perform.

Upon a successful completion, finally we could see that the device is Azure AD joined via the provisioning package method in the Azure AD portal.

The device will reboot for 2 times and after that we could see the Surface Pro has completely changed to an Azure AD managed and a Teams Room Device.

Finally we could see that the Surface Pro has completely changed to a friendly meeting room device.

Finally we could go ahead send a meeting request and its accepted.

From the participant side this is another normal device we could see the Meet-Room NL Camera is Working. Not to confuse me seeing on both the cameras since the testing is from the same room and me sitting in between the cameras 🙂

From the Surface Room Device Side, we only see below because it expects an external monitor to be connected to this Room System Console to show the participants. At this moment i do not have the docking station hence unable to see the participants on the additional monitor. So we should actually hook up a hdmi cable and connect them to a monitor to view the participants since this will behave like an operating console.

We also see the Together Mode and Large Gallery view on the Teams Room App which is a nice feature.

You can also buy a surface docking station and connect the USB C to HDMI cable , connect them to a Monitor. In addition we can also connect a Logitech Brio which will work as a content camera which helps a lot in the white board presentation and sharing them with the remote participants during the meeting. Also with the other USB port we can connect an external camera as well.


Sathish Veerapandian

Microsoft Teams – Apply Sensitivity Labels to secure content in Microsoft Teams

Classification of data is always an important factor for any organization to protect their data and to make sure only the right people have the access to the right documents. Couple of years back we went through the Azure Information Protection on this blog through which we can classify the sensitivity of any organization documents and leverage them on the Microsoft 365 Applications. Previously in Microsoft 365 only had the built in retention labels through which only the classification of the documents was possible. During this time in order to apply more protection like auto classification and enforce the policy the Azure information Classic Client and Azure Information Protection was utilized.

Its very important to note at this point that the Azure Information Protection Classic client and the Label Management from the Azure Portal are deprecated from March 31 2021.

It has been a quite long time that Microsoft supports sensitivity labels in addition to retention labels, so all action can be completed from the same location from Microsoft Information protection in the Compliance Center. Microsoft recommends to utilize to new Unified labeling and upgrade the clients to new unified labeling client.

Microsoft activates the Azure Rights Management service for these subscriptions if the tenant is using Exchange Online. The service will be activated for you if AutomaticServiceUpdateEnabled is True in Get-IRMConfiguration.

And in our case we can see all the labels that was present in Azure Information Protection is visible over here in the Compliance Center.

Now with MIP we have got the option to restrict access to the content by using the sensitivity labels.

If you are new to the AIP and haven’t activated the Azure Rights Management service below steps needs to be followed as per this blog and activated based on your requirement. This is the first step to get the sensitivity labels working for Microsoft Teams.

Considerably more number of people are working from home remotely for more than a year its very important to note that the data is not present only within the office network anymore. We can utilize the Microsoft Information Protection to apply the sensitivity labels on Microsoft Teams.

We will look into on how to apply the Sensitivity labels to Microsoft Teams on this post. As well all know Office 365 Group is the core component of Microsoft Teams Channels we need to first assign the sensitivity labels to the Microsoft 365 Groups by following this Microsoft Documentation.

Upon a successful completion we should see EnableMIPLabels value to be set as True.

The next step is to synchronize the sensitivity labels to AzureAD with this documentation

Once the below command is completed the sensitivity labels can be used to apply for the Office 365 Groups.

We can login to the Compliance center – In our example we are creating the new sensitivity label.

And now we can see the option to apply the sensitivity labels to Groups & Sites. We could also notice that we have option to protect the Teams.

In the next screen we get this information. Its very important to note that this setting is applicable only for labels emails and office files. When we choose the option Groups & Sites these options will be greyed out at this point.

For groups and sites we have the below options. Its important to note that they are applied only on the container level and not inherited to the files stored in them.

We have these options set privacy level in the labelled Teams.

So in the next screen we have the option to define external sharing and device access settings. And for the unmanaged devices we have options like providing web-only limited access. With web-only access they can only view them with no ability to download, print or sync files.

And for the external sharing we still do have the options to control them with the below configuration. Like for instance the guest users must sign in or provide a verification code is a nice feature.

Once above options are selected we receive the below message. One important point to note over here is that once the Labels are created they are not automatically applied. We have to publish them via a Label Policy.

The next step is to publish them by choosing the appropriate one from the list. If we chose a new label that was created then it could appear in 1 hour interval. However if we choose an existing one like adding the groups and sites to the old label and try to publish them its taking more than 12 hours at this point. The Microsoft document states that publishing a modified label will take around 24 hours.

So we have option to choose and apply them to a group or a user.

Here we have option to apply this label as default to groups and sites or provide the option users to apply to their groups or sites. Ideally its not a good idea to apply this as a default label in most of the scenarios because in that case it will not allow users to choose the option while creating the Team.

Finally we can give it a name and them publish them. In our case for this demo purpose have created few more labels , policies and have published them.

Now the Teams Client Experience:

So when the user now goes and click on create a Team the client experience have changed totally. The default options are greyed out and have been replaced with sensitivity.

And when we clicked on the drop down we see all of the Labels created and published over the compliance center. This gives us a great benefit to tweak and customize our Team creation by controlling the data in a better way.

I’ve always been a fan of ADRMS solutions and it has helped us a lot especially to protect our content and that has helped many of the organizations to classify their documents which has been a great benefit in all aspects right from completing a successful Audit and protecting the data.

The way Microsoft Information protection have evolved is astonishing and with the current security for instance with encrypt files in word documents , do not forward emails , allow limited web only access is a great feature and definitely helps us a lot in streamlining things in security and compliance perspective.


Sathish Veerapandian

Cloud DLP and Regulatory Compliance: 3 Things You Must Know

This article was originally published at

It’s well-established that a data breach is an extremely costly event. By some estimates, a data leak can cost a small to medium-sized business more than $7.68 million per incident.

Compliance regimes may seem burdensome, but the goal of these policies is to prevent a devastating data breach that can bankrupt a business and cause myriad problems for consumers. It’s important to understand the differences between compliance and security, as well as how data loss prevention (DLP) allows your organization to accomplish both objectives efficiently and affordably.

Here’s what you need to know about cloud DLP and prevalent compliance policies like HIPAA, GDPR, and others.

Cloud compliance vs. cloud security: what’s the difference?

Cloud compliance and cloud security overlap, but these are two different areas of practice. Cloud compliance refers to the regulations and policies designed to protect individuals and companies from the impact of data loss. More specifically, compliance focuses on the type of data collected and stored by a business, as well as the regulatory frameworks that apply to data protection. Cloud security is made up of the physical tools and platforms that protect and defend customer and company data. This could include software like VPNs, DLP platforms like Nightfall, and tools like multifactor authentication. Cloud security also requires action-oriented cloud security policies that are updated regularly to reflect changes in the business and new online threats

security vs compliance

[Read more: Network, Endpoint, and Cloud DLP: A Quick Guide]

Achieving cloud compliance could mean that your organization must meet requirements set by a few different regulations, depending on what industry you’re in. It’s important to understand the most common compliance regimes and design your cloud security system to meet — and exceed — those policies.

Most common data compliance requirements

There are five main compliance regulations that govern how a company collects, stores, and uses data. These regulations work at the state, federal, or international level to spell out the type of data that needs protection, as well as set forth the penalties for those companies that misuse or fail to follow the legislation.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This federal law governs how companies in the health insurance industry secure patients’ personal medical information. Title 2 of HIPAA specifically relates to information privacy and security. HIPAA requires that access to all electronic health records be restricted to those with valid reasons for viewing those records. This restriction applies not only to data that is stored — e.g., data at rest — but also data in motion and in use. Encryption, secure file transfer, and strong access controls are key.

PCI DSS stands for Payment Card Industry Data Security Standard. This is an industry set of standards that rules how companies handle and protect customer credit and debit card data. If your business accepts any non-cash payments, it’s likely you will have to meet PCI DSS standards. Luckily, the PCI compliance is relatively prescriptive: there are 12 requirements that you must meet, from having a firewall to regularly testing network security.

GDPR is one of the most recent compliance regimes passed in 2018 by the European Union. The General Data Protection Regulation aims to protect consumer privacy by mandating companies to be transparent about the data they collect, regulate how companies process data, and to improve reporting of data breaches. GDPR compliance has many requirements, but in practice, it comes down to obtaining an individual’s consent to collect data and minimizing the amount of data stored by your business.

[Read more: How Understanding User Privacy Can Improve Your Cybersecurity]The CCPA, California Consumer Privacy Act, began to take effect in July 2020. It’s seen as one of the most demanding pieces of privacy legislation in recent history. The CCPA will require developing comprehensive data discovery and data security programs organization-wide. Companies will need to know how data is used, where it’s stored, and who has access to it. This will often require building consistent security processes with the help of tools like privileged access management, securely configured firewalls, and application security controls like data loss prevention.

Luckily, the CCPA applies only to: “companies that have gross annual revenues above $25 million; those that buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; or businesses that derive 50% or more of their annual revenue from selling consumers’ personal information.”

[Read more: Over Half of Orgs are Struggling with CCPA Compliance as Enforcement Begins]

Last but not least, SOX is short for the Sarbanes-Oxley Act of 2002. SOX compliance is primarily concerned with protecting financial information of public companies, and defines what financial data must be kept for a certain amount of time. “Spreadsheets, emails, IMs, recorded phone calls and financial transactions will all need to be preserved for at least five years in case auditors require them, so it’s essential the right management systems are in place,” explains one expert.

With so many different legislations to adhere to, what’s the easiest way for a company to protect its data? A comprehensive cloud DLP solution can help meet requirements of each of these compliance regulations efficiently and effectively.

How cloud DLP helps you stay compliant 

Keeping up with data security compliance is impossible without help, especially within cloud applications — and this is where a cloud DLP solution comes into play. A tool like Nightfall can monitor and provide visibility into your data and systems, filter data streams to restrict suspicious or unidentified activity, log data for incident response and auditing, and pull everything together to help you prevent customer data from falling into the wrong hands.

Compliance regimes like GDPR, CCPA, HIPAA, and PCI DSS require effective management & protection of customer data to keep consumers safe. Nightfall can help you first discover and classify sensitive customer data like PII, PHI, and PCI that many compliance regimes identify as data that must be protected. The tool also gives you a quick way to remediate issues by taking actions like notifying admins and quarantining or deleting data. This reduces the risk of losing or exposing sensitive customer data and reinforces your commitment to protecting this information.

HIPAA compliance is one of the hardest benchmarks to achieve, especially for health industry companies that have shifted to working remotely. Nightfall is essential for ensuring HIPAA compliance within SaaS applications like Slack and is critical to development teams scaling healthcare applications within a production environment. Read our case studies to see how we help companies like Galileo Health and Springbuk maintain HIPAA compliance.


Tegan Johnson

Part3 – Setup the PSTN Trunk for the Direct Routing Configuration for Microsoft Teams

Continuing the previous article now we’ll go through the next steps that is required to complete the enterprise voice configuration. Now we have setup the AudioCodes SBC , configured SIP trunk from Office 365 to SBC the next step is to setup PSTN trunk from the SBC to the Telephony Provider.

If there is already an existing setup then this part is not required because the configuration will be already present in that case. In this article we will have a look at how to configure the PSTN Trunk for a new telephony provider.

There are multiple PSTN Sip Providers that we can use to complete this configuration. In our case we have chosen Telnyx as the PSTN Sip Provider for this demo purpose. They provide us the flexibility to purchase numbers as low as 10 USD and hence have chosen this for our testing.

Over here we are not going to deep dive much into Telnyx configuration since our task is to create a PSTN Trunk between them and our SBC. So we will go through only the steps that is required to complete the Direct Routing Configuration.

The moment when we subscribe with Telnyx they provide an advance credit of 10 USD and a portal like below. As per the Telnyx documentation we need to create a new SIP connection to our SBC in the below section where we could see they have a SIP connection with their backend system as a default setup.

So over here have created a new SIP connection to the SBC as below. In order to proceed click on Add SIP connection. Added a name Teams SIP Connection Type – FQDN – Provide the SBC published FQDN – Keep the rest default – Finally use the authentication type credentials and use their login details that was received when registered and click save.

Now we have the inbound/outbound configuration that needs to be completed and have to choose number format, SIP Transport Protocol, SIP region based on our requirement.

And the moment when we expand the expert settings we could see the audio/video codec types that we need to choose based on our requirement.

And for the outbound have to choose the correct country where the number have been purchased.

Finally we need to create the outbound voice profile and whitelist the country where the call will be done. The outbound connection type can be selected as FQDN since we have the available SBC FQDN for the Direct Routing which will be published in the internet.

Whitelist of the country can be done by just searching for the appropriate country over the Available Regions and Countries section on the left and adding them to the selected regions and countries over the right side. FQDN connections need to chosen from the Connection’s outbound settings in the SIP Connections section of the portal which is shown in the outbound tab in SIP connection section.

Finally we need to purchase the numbers from them and setup a DID to a SIP connection. This is mandatorily required to receive the inbound calls from the PSTN Provider. We can navigate to numbers choose the number that needs to be setup as DID . Navigate to connection or app and choose the SIP connection that was created between Telnyx and the SBC. There is option to assign multiple DIDs to a single SIP connection , however since its our testing we have used only one in our example.

Having completed the configuration on the SIP provider portal, we need to setup few more configuration on the SBC part.

There are 3 configurations that needs to be completed on the SBC part.

  1. Sip Proxy
  2. IP Group
  3. Define Coders

Now we need to setup proxy sets to establish outbound and inbound connections from the SBC.

The appropriate ipaddress have to be chosen based on the location as per this information. In the Proxy addresses add the appropriate Ip addresses in the new proxy set type. The Transport type must be UDP. In our example have selected TCP and UDP for testing purposes.

Now we need to define the IP Group to denote the source and destination of the calls and associate them with the proxy sets created for the PSTN Trunk.

Having completed this the final step is to define the coders that is supported by Telnyx. This can be completed by navigating to the coders & profiles and selecting the coder groups.

The moment when it is completed we are ready to assign the number to the Teams Client. On a successful number assignment as per this article we get the assigned number.

And we receive the dial pad as below with the number.

Having reached this state the there are few scenarios that are not getting successful and may be it might require additional tweaking in my test environment which I haven’t visited for a quite long time. An inbound call is not getting successful. The SBC is not responding to Inbound INVITE from Telnyx even though it is listening on the port.

I will test further on the configuration and probably update the results in the upcoming posts. Similarly depending on your requirements, you may need to set more configurations such as IP profiles ,Routing , Additional Codecs and Proxy Sets.


Sathish Veerapandian

Upgrade the Surface Hub 2s from Windows 10 Team OS version RS2 (build 1703) to Windows 10 Team OS version 20H (build 2020) and Enable them for Microsoft Teams

Microsoft Teams Room devices are a great way to have virtual meetings that provides us a amazing meeting experiences. This especially helps a lot in sharing content, collaborate easily and increases the work efficiency more subsequently by viably utilizing the Microsoft Teams Meetings. Surface Hub 2s have been a great fully integrated windows device capable of organizing the remote meetings, enhanced collaboration with the white board and provides great video quality with its astounding 4k camera.

So as per this article the Surface Hubs that are running Windows 10 Team OS version RS2 (build 1703) might reach end of support by March 16th 2021. So here we will go through the steps on how to update the Surface Hub 2s devices that are currently running Windows 10 Team OS version RS2 to Windows 10 Team OS 20H.

As per this article there are 3 options to achieve this via Windows Update, Windows Update for Business and Bare Metal Recovery.

We have the first 2 options which was not successful. So we decided to move to the last option Bare Metal Recovery. Currently the devices were on Exchange Online with Skype Accounts. Subsequently our next plan is to move them to Teams once the upgrade is completed.

Summing up below was the scenario in our deployment:
1) Exchange Online Accounts to fetch the calendar and show the availability.
2) Skype accounts to host the meetings.
3) Local AD joined.

Once it is downloaded all we need to do is to unzip the downloaded package – Copy them to USB in FAT32 – Allocation Size Unit Default. Plugin to the USB of Surface Hub – Press the Power Button and the Volume Down Key at the same time

Performing the upgrade (Bare Metal Recovery)

So starting up the Bare Metal Recovery all we need is to navigate to the below URL Use the below link and choose Windows 10 Team Update – Enter the Serial Number of the Surface Hub – Choose the version Windows 10 Team version – Download

After a few minutes we will see the language selection menu. Tap on the preferred language setting to make a choice.

The next screen we will get the keyboard selection menu. Tap on the preferred keyboard setting to make a choice.

Now we have to choose the Bare Metal Recovery method. Tap on ‘Recover from a drive’.

Choose for the option ‘Fully clean the drive’.

And start the recovery by selecting the ‘Recovery’ button.

The Surface Hub will restart 3 times. The first restart will show the progress of the recovery process.

The second restart will show the progress of device driver setup.

The 3rd restart will show us the ‘Out-of-the-Box’ setup screen for a Surface-Hub.

Setup the Surface-Hub

Now we have successfully upgraded the Surface-Hub to Windows 10 Team OS 20H we can proceed with the initial setup of the Surface-Hub. In the language select menu select the language of choice and press ‘Yes’.

Now we have to wait until Cortana has ended the introduction before we can continue with the Region Select menu.

Select the region of choice and select ‘Yes’.

Select the keyboard of choice.

And skip (for now) a second keyboard layout.

Now we have to wait for the EULA message

Accept the EULA to continue the setup.

Now we have to setup the device account. Since we are behind a proxy, we have to authenticate to the local AD. For this we use the following naming convention: <FQDN Domain Name\SamAccountName> Example: x.y.z/samaccountname

Important point to note here is that the Surface Hubs require Mobile Device Mailbox Policy in the past for the old version.

The good news is if the mailbox is hosted on Exchange Online it does work with EWS.

On the next screen we can accept the settings and continue.

When there are no issues during this setup part we will be noticed a successful setup.

Next we have to do is to give the device a name. In the first field we enter user friendly information. The second field is used for the device name which will be used to join the Surface Hub to the local Active Directory.

Next we choose for ADDS

Here we have to use a username with Domain Admin access

Before the device can be managed we have to add the securiy group in which the users are place for administering the Surface Hubs.

In the upcoming 8 steps you will see options to send diagnostic data, enable device location, Improve typing, etc. It is totally dependent on our choice to elect them. Personally I feel it is not that benificial for any meeting room device to send this type of data. Especially for customers from Europe has to decide on their on based the GDPR regulations.

Meanwhile we have to wait for the setup to be finished.

Configuring the Surface Hub for first use

Before we can use the Surface Hub for Teams Meetings we have to configure the Surface Hub using the Settings Menu. To open the Surface Hub Settings menu we have to press the Windows button, select ‘All apps’, and in the list we have to scroll down and select the ‘Settings’ option.

Enter your credentials. These username has to be in the Security Group we have setup earlier in this blog.

Choose for Surface Hub menu.

And notice that the sync-state of the account is showing ‘Account is up to date’.

In the sidebar menu select the option ‘Device Management’. Add the device account using the UPN and select ‘Continue’.

Again we have to use the SamAccountName information using the naming convention x.y.x\samaccountname

And when everything goes well, we have a successful setup.

In the sidebar menu we then choose Calling & Audio.

In this field we have to set the online domain suffix information

Before we can continue we have to restart the Surface Hub. In the right below corner we now touch the UP arrow. Choose Restart and Restart now to

When the Surface Hub is back again we have to update all applications using the MS Store. So we again we enter the Settings > Surface Hub > Apps & features and select ‘Open Store’.

In the right upper corner select the hamburger menu (3 dots) and choose the option ‘Downloads and updates’.

Now in the second screen select the option ‘Get Updates’. When all the updates are installed restart the Surface Hub again.

Now we create a Teams meeting to see if the calendar update will show the upcoming meetings.

Finally Teams meetings is successful on Surface Hub running Windows 10 Teams OS version 20H.

We could see the gallery view, large gallery view and the Together mode.

We attempted the same approach we have used a couple of Months back. However the upgrade was not successful. With the new version build available now the Bare Metal Recovery process is successful.

Just feel free to share your thoughts on this topic.


Ewald Hollestelle

Script to move bulk users to Teams Only mode from On Premise Skype for Business Servers

When we enable Teams for Skype for Business Hybrid users the final stage of action is to move the actual on premise Skype for Business Account to Office 365 to make them to Teams only mode. As more organization are adopting the Microsoft Teams in a full fast track approach the last stage of migration is to move all the local accounts to Teams Only Mode.

This script will help in moving the users on batches to Teams Only Mode from an input csv file. It also provides the time taken to complete the batch on screen once the migration is completed.

Example below:

Measure-Command {
param( [string] $UsersList = $(Read-Host -prompt `
    “Input the CSV File with Location”))
$Users = Import-Csv $UsersList -Delimiter ";"

#To Connect to Teams. Make sure you have the new Teams Module installed.

$pwd = "enteryourpasswordhere";
$securepwd = ConvertTo-SecureString $pwd -AsPlainText -Force;
$cred = New-Object Management.Automation.PSCredential ($admin.Replace('sip:', ''), $securepwd);
Import-Module MicrosoftTeams

#Initialize parameters and variables.

$sip= $users.SipAddress
$count = $users.count

write-host "We have found" $count "Users to Migrate" -foregroundcolor Yellow -backgroundcolor Black
$pauseSeconds = 10
$Sleep = 20

Write-Host "Pausing for " $pauseSeconds " seconds to verify your count..." -ForegroundColor Yellow
Start-Sleep -s $pauseSeconds

#To Enable Logging and store them for failed migration and any errors.

$transcriptname = “MoveCSUserStatus” + `
    (Get-Date -format s).Replace(“:”,”-“) +”.txt”
Start-Transcript $transcriptname

#Take export of SFB enabled users before move.

$Users | % {get-csuser -Identity $_.SipAddress} | Where-object {$_.Enabled -eq $True} | Select-object  SamAccountName,sipaddress,Enabled,EnterpriseVoiceEnabled | Out-File SFBUsersBeforeMove.csv -append          
#Hosted Migration Override URL - Use the correct URL based on your tenant
$URL= ""

#Initiate Move-CsUser Operation.

foreach ($user in $users) {
Move-CsUser -Identity $user.SipAddress -Target -HostedMigrationOverrideUrl $URL  -MoveToTeams -BypassAudioConferencingCheck -BypassEnterpriseVoiceCheck -Confirm:$False -credential $cred

#Pause for 20 seconds 

Start-Sleep -s $sleep 

#Validate the Move and complete Successfully Moved and Failed Users.

$loop = foreach ($user in $users) {
Get-CsOnlineUser -Identity $user.sipaddress | Select-object  sipaddress,hostingprovider,TeamsUpgradeEffectiveMode,RegistrarPool} 
$loop| Out-File TeamsOnlyMigrationStatus.csv -append

#Validate the meeting Migration status
$loop = foreach ($user in $users) {
Get-CsMeetingMigrationStatus -Identity $user.sipaddress | Select-Object UserPrincipalName,State,MigrationType,LastMessage,FailedMeetings}
$loop| Out-File MeetingMigrationStatus.csv -append

Write-Host "Migration Script Completed Please Refer Transcript File for any Errors" -ForegroundColor Green

#Close the sessions.
get-pssession | remove-pssession  

#Send Email report to Notify the Migration have completed - Mention your SMTP server
#Send-MailMessage -from "" -to ""-subject "TeamsOnlyMigrationTaskCompleted: No File" -body "Teams Only Migration Batch have been completed.Please refer log file Location for further information" -SmtpServer "Mention your SMTP Server" 


  1. Make sure that you whitelist the traffic to office365 services to establish successful connection to the SFBO session.
  2. If there are multiple number of users recommended to split up the batches and execute them from 2 servers.
  3. Ensure the SSL traffic inspection, IP connection limits are excluded from Firewall/Proxy from the network side.
  4. Moving this from a shared bandwidth might be a bit slower and moving this from a temporary dedicated IP address might provide a better performance.
  5. This script uses -UseOauth switch. Make sure the Onpremise SFB servers are patched to the required version. Else use the legacy option by removing this switch. Recommended to run this first with few users list verify based on your environment and then later run for bulk users.


Sathish Veerapandian

Part 2 – Configure AudioCodes SBC for Microsoft Teams Direct Routing

Continuing the previous article there are few more steps to complete the configuration of the Direct Routing with the office 365 tenant and in this article we will run through those steps.

Currently the SBC is up and running configured with the certificates and required SBC DNS records now the next step is to enable the direct routing. Well there are two options to enable the Direct Routing via skype online powershell session or via the Microsoft Teams Admin center. In our example we will try to enable them via the Teams admin center.

Before doing this make sure to meet the network prerequisite that is required for Direct Routing and have written an article about the same almost a year ago.

Login to the admin portal with the appropriate credentials.

Enter the DNS name of the SBC that was configured in our case its

Subsequently we must add all the required information over here. One important point to note over here is that the SIP signaling port that is present by default is port 5067. The Direct Routing SIP Trunk can be configured only by using a TLS connection. We can choose the SIP port any port of our choice. If we try to configure the port 5060 it will not work since the TCP connectivity is not supported due to security reasons.

Enabling SIP option defines if an SBC will or won’t send SIP options messages and will be included in the monitoring. Rest of all the information have to be enabled as per the requirement. Also look into Location based routing and media optimization based on the requirement. Once done click on save and the configuration is complete.

But we could see that the SBC status shows error message and the configuration seems to be unsuccessful. Even after the configuration is completed even after loading the named certificate, intermediate and the root on the audiocodes we could see that the TLS connectivity status still shows as inactive. In addition to that we also see the SIP option status shows us the warning message as well.

Now further drill down into the logs gives us more additional information of the reason why it is failing. Still we we do have the correct certificates uploaded but the connection seems not completed.

So the initial thought was the issue with the firewall however the firewall connectivity was already completed and could ping the SBC on port 5061.

When looking into the audiocodes documentation came to know that in addition to the normal named certificate for the DNS Name its mandatory to upload the Baltimore Trusted Root Certificates. This is mandatorily required for establishing a Mutual TLS Connection with the Microsoft Teams Network.

So the DNS name of Microsoft Teams is using this certificate provided from baltimore and hence this import is required for establishing the mutual TLS connection.

We can Download the certificate from and follow the same procedure stated on previous article part 1 to import them on the Audiocodes SBC and make sure they are present on the Trusted Root Certificates.

The first part that we need to complete before the certificate validation is to ensure that the NTP server is setup correctly. This is a mandatory requirement for these two remote parties validating the certificates for setting up the mutual TLS connection between them.

You can go to setup – Administration – Time & Date and configure your NTP server.

Further to the NTP server there are few more configurations that need to be performed on the AudioCodes SBC which we will see below.

Configure the Proxy Sets: Add Microsoft SIP PSTN FQDNs

We have 3 Microsoft FQDNs as of now and all of them needs to be added over here and make sure the transport type is set to TLS.

Navigate to SetUp – Signaling & Media – Proxy Sets and add the 3 FQDNs over here.

SIP Interfaces:

We need to configure SIP interfaces for Teams Direct Routing as well. Configure as below. Keep the Enable TCP Keepalive option. SetUp- Signaling & Media – Core Entities – SIP Interfaces

Media Realms:

We need to configure Media Realms for Teams Direct Routing. Configure the settings as below. Select the default media realm as No. SetUp – Signaling & Media – Core Entities – Media Realms

Configure IP Groups:

Configure IP Groups as below – Make sure the Topology location is set as Up

In the Advanced make sure to mention the SBC published external FQDN. Keep the classify by proxy set Disable and keep the Client Forking Mode as Sequential.

Configure Coder Groups:
We need to add the supported coder groups for the leg SBC and the Direct Routing Configuration.
Teams supports OPUS and SILK Coders.

Inorder to configure the coder groups navigate to SetUp- Signaling & Media – Coders & Profiles – Coder Groups and mention the below values for Teams Direct Routing Leg. Later you might need to configure one for the SIP Trunk based on the coders they support.

Its mandatory to enable the SIP options for the SBC to monitor and for that we need to enable some configurations on the session border controller. In order to do that go to Setup- Signaling & Media – SBC – Routing – IP-to-IP Routing and configure all the required routing as per your requirement.

So we need to make sure other options are configured as per the documentation of the Audiocodes. Finally after the all the steps are done we can see the Teams Direct Routing Configuration is showing successful in the Teams Admin Center.

In our example we have 1 SBC, 1 Voice Routes and 0 SBCs with Issues which is a good sign. Since we didn’t initiate any real traffic we could see the message no data.

We do have a very good option to validate the pairing between the Audiocodes SBC and our Tenant Direct Routing. We can see the connectivity is successfully established over here and we can see that the status is showing online without any issues.

Now we have completed the Direct Routing And established the connectivity between SBC and the Teams Tenant there are lot more other configurations that needs to be performed on the SBC to complete the entire enterprise voice configuration. We will look into those on the upcoming articles.


Sathish Veerapandian

Part 1 – Configure AudioCodes SBC for Microsoft Teams Direct Routing

Microsoft have been providing us the option bring your own sip trunk for enabling the enterprise voice functionality. With Microsoft Teams Direct Routing we can provide the phone system to Teams users ,connect the SIP Trunks and use the local telecommunications provider. This option provides most of the customers for an easy transition to Microsoft Teams in parallel by utilizing the existing infrastructure and moving the users to the new system.

In order to leverage this functionality we need to setup certified session border controllers. Previously there is an article written which can be referred to check the readiness and steps that is required to configure Direct Routing in Microsoft Teams.

In this article series we will see on setting up audiocodes session border controller that will help in configuring the Direct Routing.

There are multiple ways to achieve this and we have an option to configure this from the Azure Market place. We will see on configuring this from the Azure Market Place.

First prerequisite is we need a valid azure subscription. Login to Azure and search in the Azure Market Place for Audio Codes.

Below are the results that we receive and there are few options for us to select over here. For instance we do have an SAAS offering that is fully managed in Azure. For a full setup we have Mediant Virtual Edition Session Border Controller and Cloud Edition Session Border Controller. The Mediant CE edition is more robust ,utilizes the full cloud elasticity and can scale up and down based on the demand. The VE is more of a Virtual edition that can be built easily on Orchestration Solutions and available in the Azure Market place for easier deployments. More information on the description can be found here

Here in this example we choose to use the Virtual Edition Session Border Controller. There are few important key take aways to note down here. While creating it is not allowing us to add them on an existing resource Group and it mandates us to create a new resource group or any existing resource group that is empty. And one more important thing is that the virtual machine name must be all lower case because in the network settings it doesn’t allow to create the dns name with the upper characters.

Next in the virtual machine settings we have the option to choose the computing size. And we have options to choose the OS versions. Here have chosen the latest os version. The cloud-init file is an optional file that can be chosen for automatic provisioning.

Next is the network settings where it provides us the option to set up the NIC interfaces based upon our requirement. Since in this case its a demo we are going with the network interfaces option 1. One more important thing here is that the public ip address has to be static . It picks up the setting static from this template however its better to verify them from the NIC settings once the VM has been deployed.

Finally it comes to the validation screen where we can check all the required settings and click on create.

Once it has been created we see all the required resources have been populated.

You can also see the DNS name that has been created with the static IP

Now when we login to the SBC DNS name we get the Audiocodes console that is ready for configuration.

Now this is running the next important thing is create an A record in the Public DNS and point that to this public ip address. One more important tip here is that this name that has been selected the domain has to be registered in the Office 365 portal.

The next important thing is the certificates configuration on the Mediant SBC. Create a certificate from the public CA and upload them from here Ip Network – Security and TLS Contexts.

In my case im using a certificate that has been provided by digicert for this domain that we are testing. Make sure the file is in password protected and pfx format.

Click on change certificate. There are multiple options to upload the certificate. Here we are choosing the last option upload the certificates from your computer in PFX format and with a password and select load file.

After a successful load file we see the message that states the upload is successful and here we see the red save alert that forces us to update the modified configuration.

We can also see the associated root and intermediate certificates of digicert have been populated over here in the trusted root certificates section.

Finally we have to upload the same certificate in pem format for the SBC

We get the below message after a successful upload of the pem file.

Now we have completed half of the initial readiness of the direct routing configuration and in the next blog we will go through the next steps of the further configuration.

Thanks & Regards

Sathish Veerapandian

Move users to Teams only mode from on premise Skype for business environment

This article outlines the technical steps that is required to move an on premise skype for business account to Teams only mode. There are lot of other factors that needs to be considered before making this change and this step can only be a final stage almost in any environment.

If there is any PSTN integration with Skype for Business on-premise environment then these factors needs to be planned and executed in stages before phasing out Skype for Business On-premise and moving users to Teams Only Mode. These features and functionalities needs to be transferred completely to Microsoft Teams.

If you are moving from a Skype for Business 2015 environment, ensure that the supported CU version admin tools is Skype for Business Server 2015 with CU8.

In this example I have built a lab on my environment which has my local Directory identities below test accounts synched to the Azure AD.

And I have a standard Skype for Business 2015 environment running in the local active directory environment.

The next step is to configure the skype for business hybrid to the office 365 tenant where we are going to perform the move operation.

There are three simple steps involved in this procedure first part is to configure federation with the below command from the Skype for business server management shell.

Set-CSAccessEdgeConfiguration -AllowOutsideUsers $True -AllowFederatedUsers $True -EnablePartnerDiscovery $True -UseDnsSrvRouting

Next step is to configure shared sip address space with Office 365 tenant. In order to do that the first step is to check if there is already hosting provider enabled and just in case if its present can we must remove them with the below command.

Get-CsHostingProvider | ?{ $_.ProxyFqdn -eq “” } | Remove-CsHostingProvider

And the next step is to enable the hosting provider with the below command.

New-CsHostingProvider -Identity Office365 -ProxyFqdn “” -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl

As we can see executing both the commands were successful in my case.

Now we’ve made the required change on the on-premise Skype for Business environment we need to make the same change on the Office 365 tenant by enabling the shared sip address space with the below command.

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

In the below example I have connected to Teams powershell session and have performed this task.

Once we have performed the server and tenant configuration now its very important that we need to allow requested URLs that will be resolved from the Management server where we are performing the operation.

The tenant URL for your subscription needs to be identified as per this Article . And this URL needs to be whitelisted on the outbound connection.

Get-CsTenant|ft identity

So in my tenant as per the article the hostedmigrationoverrideurl is


Now need the required permissions to make this operation. The Skype On premise admin account will require a minimum of csserver administrator role. For Online permission we must have Skype for business Admin and user administrator role. In my case i attempted with Global Admin Credentials so not exactly sure about the behavior when we move directly to Teams only mode with granular permissions. It works with the split permission accounts OnPrem\Cloud with sessions established to SFBOnPrem and SFBO modules from the same PowerShell.

One more important thing to notify here is that the user that we are performing the move operation must have the appropriate license on the Office 365 so that the account gets enrolled on the Teams service.

Establishing the session:

Launch the PowerShell on the management server where you have the SFB admin tools installed and have connectivity to SFB on prem FE and required tenant to establish the PowerShell session to the new Teams Module. Make sure you install the Teams Module on the management server this as per this information.



Import the SFB powershell module on the same session. Since I have opened this session from a local SFB admin account I did not store the on prem credentials in this session.

Performing the move

We can perform the move with the below command. One important point to note here is that post CU8 the move operation will succeed only with the modern authentication by using the switch -UseOauth


Move-CsUser -Identity -MovetoTeams -Target -Credential $cred -HostedMigrationOverrideUrl $url -UseOAuthBypassAudioConferencingCheck

In the below case we can see that the move operation is successful.

In the move results log as well we get few useful information which provides us the time taken for move user preparation, start time and few more information that might be helpful.

On validation we can see that the moved users are showing as homed in office365 and no longer present in SFB on premise environment.

And in the Teams we can see that the user has been migrated successfully to Teams mode directly.

Now the initial setup is completed script can be created to move the accounts in batches.

Schedule Microsoft Teams Live Events from an external app OBS Studio

With Microsoft Teams Live Events ,we have an alternative to stream them from outside encoding sources. There are few advantages of playing out this activity from an external application. We can customize the presentation deck by including various sources and there is an option to include multiple cameras and cumulate them on the same deck.

So here I caught some eye over this subject to investigate this alternative from an open source free tool OBS Studio . The installer can be downloaded and installed on the PC from where we are going to stream the live event from this app OBS Studio. And they are present in the list of Supported Encoders provided by Microsoft.

Well before we setup the OBS studio the mandatory part is we need to schedule a live event to generate the URL to build up the connection between them.

So created live event with org wide option.

In the next screen choose the option external app or device.

The moment when the live event is created we could see the server ingest url is been generated. So now the required url to establish the connection from OBS has been generated here we need to populate this value on the OBS studio app.

From the OBS Studio app navigate to settings

Navigate to stream – in the service select Custom and populate the server URL that was copied from the generated live event. Its mandatory to paste the stream key over here. You can paste some random numbers and that will become your stream key. This part is completed and you can click on apply.

Customization of the presentation Deck

Now we need to go to scene and create a new scene.

Once that is done we have option to add the source. We could see over here that there are ample of options available over here to modify our presentation deck.

Furthermore when selected the video capture device , we do have the opportunity to add multiple cameras over here with our own customization.

When further drilled down into the configure video option we can see options. I was able to change zoom, focus and exposure and might change here based on the camera that is connected.

We have options to add images, media and browsers which might be beneficial during the live event from the same deck. For instance below is an example to add the media video. The tool really seems to be powerful in providing additional options on customization of the deck.

Once the customization is done we are good to go to start the setup.

After that we click on start streaming from the OBS Studio. Once the session is started we can see the frames per second ratio which is ready to stream on Teams Live events.

Then from Teams live event you can click on start event.

Finally we can see the live events streaming from external encoder app. Below is a sample where we can see the state it says encoder preview and the customized deck with images and browser page.


Sathish Veerapandian

%d bloggers like this: