Saturday, September 23, 2017

Domain re-join shortcut trick

We've all had it. A system with domain authentication issues. Usually it's the Secure Channel.


or way back



 but sometimes it's worse, like the machine object being "accidentally" deleted.

For me to resolve these, I just log in with cached credentials and run some PowerShell like

 Test-ComputerSecureChannel -repair  

or, in the worse case, when the object is not present

 Add-Computer -DomainName domain.mycompany.com -Credential "MYCOMPANY\kevin.fason"  

No matter how many times I lead these tech horses to water they just won't drink up PS1 cmdlets. I notice my techs will just rejoin it to the domain via the GUI. They MUST use the mouse for whatever reason. The accepted way is to remove it from the domain and make it a member of a workgroup, then join back to the domain with reboots in between and enabling a local admin account etc.

Instead of going through all that, did you know you can just enter the NetBIOS name of the domain? The system perceives this as you moving the system from one domain to another, even though it's technically the same one; you're just using the legacy NetBIOS name vs the FQDN of the domain.

Here is an example normally showing the FQDN of the domain:


Just change it to the NetBIOS name and select OK. One reboot, all done. After the reboot it will revert to the FQDN domain name.


If you do not know what it is, you can open a command/PowerShell prompt and type 'set USER' and it will show both names via the USERDNSDOMAIN (FQDN) and USERDOMAIN (NetBIOS) variables.

Or if you must use that mouse, you can open ADUC, right-click the domain and select Properties. Right on the General tab you will see it listed under 'Domain name (pre-Windows 2000)'.

Who knows how long this will work as forest/domain functional levels are uplifted.
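The secure channel check and repair described above, wrapped so a tech gets one status object back along with both domain names needed for the GUI method. This is an added example, not the author's script; the function name Repair-DomainTrust is hypothetical, and it assumes an elevated prompt on the affected machine while logged in with cached domain credentials.

```powershell
# Added example (not from the original post). Repair-DomainTrust is a hypothetical name.
function Repair-DomainTrust {
    [CmdletBinding()]
    param(
        # Domain account allowed to reset the computer account password.
        # Prompted for with Get-Credential so no password lands on the command line.
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result = [ordered]@{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain
        DnsDomain     = $cs.Domain        # FQDN the machine believes it is joined to
        NetBiosDomain = $env:USERDOMAIN   # legacy name; only meaningful for a domain logon
        HealthyBefore = $false
        Repaired      = $false
        Error         = $null
        NextStep      = $null
    }

    if (-not $cs.PartOfDomain) {
        $result.NextStep = 'Machine is in a workgroup; a normal domain join is required.'
        return [pscustomobject]$result
    }

    # Returns $true when the machine account password matches what the domain holds.
    try {
        $result.HealthyBefore = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        $result.Error = $_.Exception.Message
    }
    if ($result.HealthyBefore) {
        $result.NextStep = 'Secure channel is healthy; nothing to do.'
        return [pscustomobject]$result
    }

    # -Repair resets the machine account password against a domain controller.
    try {
        $result.Repaired = [bool](Test-ComputerSecureChannel -Repair -Credential $Credential -ErrorAction Stop)
        $result.Error = $null
    } catch {
        $result.Error = $_.Exception.Message
    }

    if ($result.Repaired) {
        $result.NextStep = 'Secure channel repaired; no rejoin needed.'
    } else {
        # Typical when the computer object was deleted: fall back to a rejoin.
        $result.NextStep = "Repair failed; rejoin the domain (NetBIOS name: $($result.NetBiosDomain))."
    }
    [pscustomobject]$result
}

# Usage: prompts for the password of the account named on this page.
# Repair-DomainTrust -Credential (Get-Credential 'MYCOMPANY\kevin.fason')
```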



Thursday, July 27, 2017

ConfigMgr Upgrade Readiness Connector Setup



NOTE 07.27.2017 - I thought I posted this a while back so hopefully the steps and screenshots are still valid. I'll go validate when I have some time.

---

We are using Windows Upgrade Readiness to accelerate our transition from our legacy versions of Windows to 10 v1607. As we recently updated ConfigMgr to 1610 I wanted to make use of the connector available in SCCM for it.

To give a brief overview, we have the Readiness Scripts Deployment folder (with our info) in an SCCM package with the deployment set to run the BAT file. The deployment has a recurring assignment schedule to run once a month, the week before our monthly patch cycle. It's run on all workstation OSes (including Windows 10) as it is expected to be used well past our 7/8.1 migration to 10 but also from one build version to another in Windows 10 itself, as Readiness lets you pick the destination version to work against. Quite handy. Definitely keep up on the team's blog if you use it; the team itself is great with communication and interaction with the world. I've had great conversations with them over this offering.

Here is a sample of the end result that you can see in the ConfigMgr console. I'll cover this more later.



So for the setup of the connector, the documentation was a bit more generic than I would have liked, especially around the OMS and Azure bits, and I did struggle a little on it, so here is how I set it up. There are three basic steps to it:

  1. Create an Application in Azure for SCCM to use, think of it as the username/password
  2. Enable permissions to the OMS instance Upgrade Readiness is in
  3. Set up the ConfigMgr to Windows Upgrade Readiness connector

This assumes you have Readiness already set up in OMS. I prefer the older manage web console to the newer portal one so that's where I perform the first step.


Step 1


Log in to the Manage portal and navigate to Active Directory on the left pane. Then click on your AD instance under name.


After that you select APPLICATIONS at the top



Then select Add at the bottom



Choose Add an Application my organization is developing


Give it a useful name such as ConfigMgrUpgradeReadiness and click on the right arrow.


Now you have to create two URLs, neither of which is used, so enter whatever you want.



Now you can create the Client ID and key that ConfigMgr uses to pull data. You can think of this as the username and password that ConfigMgr uses.

Select your newly created Application and click Configure at the top. This takes you to its customization.



Two parts here. First is to copy the CLIENT ID somewhere as you will need it. Second is to select the duration of the key as 1 or 2 years. Once saved it will show you the key. You will want to copy the key as well. I would suggest you retain the client ID and key somewhere such as a password manager as you may need them long term. If not then you have to come back here and generate a new one.



Note that you only get ONE opportunity to copy the key. Once you leave this page the key will not be shown (as above) and you will have to generate a new one. You are now done with overall step 1.


Step 2


For step two you need to give this app the correct permissions. This was removed from the manage portal a while ago so over to the new portal. Select Resource Groups on the left pane.

As shown below you will select the Resource Group the Upgrade Readiness is located in (mms-eus in this example) then Access Control (IAM) on page 2 and finally +Add on page 3.


You will then select or search for the name of the Azure AD app you created earlier and grant it Contributor rights. This was my struggle. I originally thought you had to give rights to the domain SCCM service account thinking it was what ConfigMgr accessed OMS with. This is shown above highlighted in yellow.

Step 2 is complete and it's on to Step 3, setting up the connector in ConfigMgr.

Step 3


For this you go to the SCCM Console and navigate to \Administration\Overview\Cloud Services\Upgrade Analytics Connector. Note it has not been updated to 'Readiness' yet.




Simply right click Upgrade Analytics Connector and choose Create Connection to Upgrade Analytics.

Enter the relevant information you saved from step 1 above which is the Client ID and secret key along with your Azure Tenant name, generally mycompany.onmicrosoft.com. Once done select Verify then Next.




Note this screenshot is AFTER I already entered it and you'll see the Client secret key: field is blank. If you ever go into here you will have to re-enter the key. You remembered to save it right?

If you set up the permissions correctly you will be shown the required information. This screenshot is post setup also.


That's it. SCCM will now pull from Windows Upgrade Readiness. You can view information about it in the DMPDownloader.log located in your SCCMInstallFolder\Logs. While I suggest you save the key and Client ID somewhere, it is located in this log file, but the logs may have rotated by the time you need either of them.

This is a sample of a normal run. The last line I do not like and wish it could be changed. Upgrade Readiness updates daily, however SCCM will download from it only once a week (10080 minutes) so your data is that old.


Final Thoughts


Once it has imported into SCCM you can act on it. Just go to \Monitoring\Overview\Upgrade Analytics. Per my initial screenshot, it shows readiness information for the All Workstations collection I've created. Just select any collections in your environment that are device based to work against.


At the bottom you can select the pull down and create collections based on the "buckets" that are in Upgrade Readiness. I have created several that in turn have the in-place TS advertised to them as available. It does create these with 'All Systems' as the limiting collection so I have changed that to use more appropriate ones to coordinate with any implementation schedules.

My firm has a small team that spends time every few days in the Upgrade Readiness OMS website, so as systems are marked as ready in the Readiness tool, that flows via the connector into ConfigMgr Collections to get Windows 10 in-place advertised to that endpoint as being available. Awesome right?

-Kevin

Monday, July 24, 2017

ESXi Windows Server Backup Tool Bare Metal Restore

I have a small single host ESXi on a Dell PowerEdge R710 (popular for homelab) that I support for family. It has all the normal stuff on it:

  • Windows Domain Controller with DHCP
  • Windows Domain Controller
  • General Purpose server for WSUS, MDT and what not. 
  • Multiple MDT Build and Capture 
  • Multiple Windows 10 Insider Preview
  • ???

All normal homelab stuff. Recently there was a power loss event that, while it lasted only a few minutes and should not have been noticed, caused the battery in the UPS that protects this host to blow up, literally, so all the VMs and the host went down hard.

There is a physical Ubuntu Linux server and network equipment on a different (matching) UPS, and it controls both UPSes, so if a power loss happens it will SSH into the ESXi host, pause the VMs and shut it down gracefully if needed. Sooooooo did not plan for batteries exploding.

While we recently bought VMware vSphere Essentials, which gives us the backup API, it's not in use just yet. When both the host and the VMs were set up it used the free license so everything else used free options. Therefore to protect the "critical" Windows Server VMs, we used the built-in Windows Server backup tool and did a daily Full Server backup. These are sent to a UNC path on the above Linux server as it has lots of space and is external. Due to limitations in the built-in backup software only a single full backup is done, so no incremental.

So upon bypassing the UPS and bringing the host and VMs back up, one of the Domain Controllers was not happy and kept blue screening and in a restart loop.


Solutions on this error were to go through Directory Services Repair Mode. Thankfully this was the DC that is only a DC, no FSMO roles or duties, so it was pretty disposable. Since the backup is run daily it was less than 24 hours old, so I decided to do a bare metal restore instead, since it's been a while since I did a restore exercise.

First step was to shut it down and take a snapshot so I can revert and go the Repair Mode route if I chose to. Then boot the VM from the 2012R2 Install ISO.

Select Next on the initial dialog


Then Repair your computer at the bottom



then Troubleshoot



and then finally System Image Recovery



Since my backup is not local and on a Linux server it will error out so we need to get connected to Samba on the Linux box.


Choose Cancel to close this dialog then select Next to proceed




Then you click on Advanced... so you can enter a UNC path.


Here you would locate a backup on the network, however the second option reminded me that I used VMXNET3 for the NIC on this VM and the driver is not in the 2012 R2 install media since it's installed by the VMware Tools.



If you try to attach to the UNC path you will just get an error since there is no NIC present in this PE instance. You can verify further by going to a Command Prompt in Advanced Options and using ipconfig etc.


I previously wrote on where to source the drivers, but that meant getting a source (floppy or CD) mounted on this broken VM. There is a simpler solution for ESXi. I edited the VM and added a second NIC that is supported by the media, which in this case is an E1000e.


After giving a few seconds for DHCP to kick in I selected Back until I could select Advanced... again then select Search for a system image on the network which then asks if you want to bring the network up.



Select yes and enter the UNC to your backups


and of course credentials to get at the backups


Now we have all our Server Backups so we can select the one we want and then Next 



It then asks us which volumes to restore. Since it's a DC and only has the one, we select it and Next again.


Since it is bare-metal and going to the same "hardware" you just need to select Next here as we have nothing to change.


And now we are at the confirmation dialog. Finally! Just have to select Finish and let it restore.


Nope, still one more dialog to be sure we are REALLY ready to restore. Select Yes.



Away it goes.



This is weird. Got an error on the restore. I would get this error again each time I tried but in different spots so the backup seemed good to me still.


This is such a generic error I thought it may be NIC related so I went back to ESXi and created a small drive on the multipurpose Server VM



and then copied the backup to it. Note you need to create a folder in the root called WindowsImageBackup then place the system's backup folder in it. Once completed, I unmounted it from that VM and mounted it to this broken VM



and ran through the wizard again. All live, the PE instance was seeing all the hardware changes I was making. This time the wizard found it at the beginning since it was local to the VM so I did not have to go through Advanced like before.


After selecting Next you are taken to the Choose additional restore options dialog and it's the same from there on out as above, just no errors this time!


Once complete it restarted and the restored server booted back up in its earlier state.


I did however interrupt the restart and unmounted the restore volume and deleted the e1000e NIC I attached. I looked at the event logs to make sure AD replication was happy and then after a couple days I removed the snapshot I took in the beginning. 

Without the ESXi parts at play, Windows Server backup can be a free yet powerful tool to back up servers and restore them. On physical hardware you could copy the backup to a USB if you had the same NIC issues.

Now to work a process around exploding UPS batteries. As a preventative measure, I did copy out the same day backups of the other two servers in case they had this happen but am happy to say they have been running great since this incident happened several weeks ago. Until I have time to research free ESXi backup options that work with my VMware Essentials license I have added these backups to my rsnapshot.conf on the Linux box to get quasi incremental backups.

-Kevin


Tuesday, July 4, 2017

Windows 10 ConfigMgr Collections

I've been creating a lot of Windows 10 focused collections in SCCM so thought I would gather what I have here. Mostly for me, but also to share with the world. I'll update as I add other ones and tweak these queries. If you have any, share them with me!

The main one is to look for Windows 10 specifically. It should be pretty commonly known. I'm not one to use the 'All Systems' built-in collection so I have a parent called 'All Workstations' which contains all endpoints that are not Servers. I set the initial Windows 10 collection below to limit from that collection.

All Windows 10 Systems

 select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System where OperatingSystemNameandVersion like '%Workstation 10.0%'  

Individual Versions. These all reference the above as the limiting collection. They are the same except for the version at the end.

All Windows 10 v1507 Workstations (10.0.10240)

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Build like '10.0.10240%'  

All Windows 10 v1511 Workstations (10.0.10586)

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Build like '10.0.10586%'  

All Windows 10 v1607 Workstations (10.0.14393)

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Build like '10.0.14393%'  

All Windows 10 v1703 Workstations (10.0.15063)

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Build like '10.0.15063%'  

These show the branches. These are the same except for SMS_R_System.OSBranch difference.

All Windows 10 Current Branch (CB)

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like '%Workstation 10.0%' and SMS_R_System.OSBranch = '0'  

All Windows 10 Current Branch for Business (CBB)

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like '%Workstation 10.0%' and SMS_R_System.OSBranch = '1'  

All Windows 10 Long Term Service Branch (LTSB)

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like '%Workstation 10.0%' and SMS_R_System.OSBranch = '2'  

These are neat ones. They show which ones have expiring info around Servicing. They are all the same except SMS_WindowsServicingStates.State.

All Windows 10 Servicing Current

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System LEFT OUTER JOIN SMS_WindowsServicingStates ON SMS_WindowsServicingStates.Build = SMS_R_System.build01 AND SMS_WindowsServicingStates.branch = SMS_R_System.osbranch01 where SMS_WindowsServicingStates.State = '2'  

All Windows 10 Servicing Expiring Soon

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System LEFT OUTER JOIN SMS_WindowsServicingStates ON SMS_WindowsServicingStates.Build = SMS_R_System.build01 AND SMS_WindowsServicingStates.branch = SMS_R_System.osbranch01 where SMS_WindowsServicingStates.State = '3'  

All Windows 10 Servicing Expired


 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System LEFT OUTER JOIN SMS_WindowsServicingStates ON SMS_WindowsServicingStates.Build = SMS_R_System.build01 AND SMS_WindowsServicingStates.branch = SMS_R_System.osbranch01 where SMS_WindowsServicingStates.State = '4'  

For Editions you can use these to capture Pro vs Enterprise etc. I don't use Education but it should be easy to adapt also.

All Windows 10 Enterprise Edition

 select distinct SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_OPERATING_SYSTEM.Caption = "Microsoft Windows 10 Enterprise"  

All Windows 10 Pro Edition

 select distinct SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_OPERATING_SYSTEM.Caption = "Microsoft Windows 10 Pro"  

For the Insider Preview versions I'm still figuring out a nice query for it. In the meantime, I just created a collection that is limited to the initial Windows 10 collection. It in turn has an include for the same Windows 10 collection and excludes for the versions above (1507, 1511, and 1607 currently). When the Creators Update is released its version would need to be added as an exclusion.

Everything above uses the initial Windows 10 collection as limiting. Once any useful ones are created, you can have all sorts of fun by taking the initial query above and using other limiting collections such as bit-level (64-bit vs 32-bit), or platforms like mobile vs desktop or Dell, Lenovo, and what not to isolate further.

Then of course there is Windows 2016

 select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System where OperatingSystemNameandVersion like '%Server 10%'  
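Since the per-build and per-branch queries above differ only in one value, they can be generated from a table and created in one pass. This is an added example, not the author's code; it assumes the ConfigMgr console (and its PowerShell module) is installed, that 'PS1' is a placeholder for your site code, and that the 'All Windows 10 Systems' collection already exists. The daily refresh schedule is also an assumption.

```powershell
# Added example (not from the original post).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'    # placeholder site code

$limiting = 'All Windows 10 Systems'
$select   = 'select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,' +
            'SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,' +
            'SMS_R_SYSTEM.Client from SMS_R_System where'

# Version label -> build prefix, as listed in the post.
$builds = [ordered]@{
    'v1507' = '10.0.10240'
    'v1511' = '10.0.10586'
    'v1607' = '10.0.14393'
    'v1703' = '10.0.15063'
}
# Branch label -> SMS_R_System.OSBranch value, as listed in the post.
$branches = [ordered]@{
    'Current Branch (CB)'               = 0
    'Current Branch for Business (CBB)' = 1
    'Long Term Service Branch (LTSB)'   = 2
}

$definitions = @()
foreach ($b in $builds.GetEnumerator()) {
    $definitions += [pscustomobject]@{
        Name  = "All Windows 10 $($b.Key) Workstations ($($b.Value))"
        Query = "$select SMS_R_System.Build like '$($b.Value)%'"
    }
}
foreach ($b in $branches.GetEnumerator()) {
    $definitions += [pscustomobject]@{
        Name  = "All Windows 10 $($b.Key)"
        Query = "$select SMS_R_System.OperatingSystemNameandVersion like '%Workstation 10.0%' " +
                "and SMS_R_System.OSBranch = '$($b.Value)'"
    }
}

# Assumed refresh: once a day.
$schedule = New-CMSchedule -RecurInterval Days -RecurCount 1

foreach ($d in $definitions) {
    if (Get-CMDeviceCollection -Name $d.Name) {
        Write-Host "Exists, skipping: $($d.Name)"
        continue
    }
    New-CMDeviceCollection -Name $d.Name -LimitingCollectionName $limiting `
        -RefreshType Periodic -RefreshSchedule $schedule | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $d.Name `
        -RuleName $d.Name -QueryExpression $d.Query
    Write-Host "Created: $($d.Name)"
}
```

When a new Windows 10 release ships, adding one line to `$builds` and re-running creates only the missing collection.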



Monday, June 26, 2017

WSUS 2012 R2 Maintenance Automation

One of my most popular posts is WSUS automated maintenance, however it is centered on Server 2008 / 2008 R2. A friend asked me how I was doing it on Server 2012 R2 WSUS version 6.3 so I thought I would share that with the rest of the world. Server 2012 aka 6.2 should be no different.

I won't cover the reasons as they are explored in my above post as well as other places on the Internet, such as Jason's link below. This post is simply what I do to keep a 2012 R2 WSUS happy and fast. As before I perform 3 basic steps:

  • Decline Itanium Updates
  • Cleanup Wizard
  • Re-Index Database

Decline Itanium Updates


The first bullet is handled by a PowerShell script Jason Sandys wrote. You just pass all the options to the script.

 powershell.exe "C:\Scripts\WSUSServerCleanup\Decline-OtherUpdates.ps1 -UpdateServer YourWSUSServer -Port 8530 -DeclineBeta -DeclineItanium"  

Cleanup Wizard


Second is a cleanup wizard script. I have moved to this one by Trevor Jones as my previous one didn't support 2012 R2 WSUS all that well. Jason's script can do much of this, however Trevor's generates a nice HTML based email that you can send to yourself to see what it did.

You configure settings within the PS1 file for servers, contact email and SMTP smarthost and whatnot. I have single WSUS servers that I manage in this example, however several WSUS instances email me so I added the servername to the subject line.


 $WSUSServers = @(  
   "YOURWSUSSERVER"  
 )  
 # Mail settings  
 $smtpserver = "smtp.yourdomain.com"  
 $MailSubject = "YOURWSUSSERVER WSUS Cleanup Report"  
 $MailRecipients = "ITHelpDesk@yourdomain.com"  
 $FromAddress = "YourWSUSServer@yourdomain.com"  

Then just run it:

 powershell.exe "c:\Scripts\WSUSServerCleanup\WSUSServerCleanupReport.PS1"




Re-Index Database


Same as before I use the Scripting Guys Cleanup Script. You can find the WsusDBMaintenance script here, however doing a Re-Index is a little more complex and needs to be run on each WSUS server from the parent on down. If you use Windows Internal Database (default for WSUS) then this applies.

Firstly, you have to install some prereqs as the sqlcmd called in the re-index script needs to be present. Microsoft provides it separately so you do not have to install a full edition of MS SQL to get it. Install MS SQL Server Native Client and then install the sqlcmd tool to your server. Below are links for version 13.1 that works on 2012 R2. Install with defaults. Note the versions must match.



Then run this. Note the -S switch changed for 2012 R2 WSUS from 2008 R2.

 sqlcmd -E -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i "C:\Scripts\WSUSServerCleanupReport\WsusDBMaintenance.sql"  

For 2008 R2 I would get an email of the output of sqlcmd. I stopped as I looked at it once and never again. My previous post has details around this if you want to do it.


Schedule



As far as schedule, I now just run a single batch file on the WSUS server with all three steps as compared to running separately. I run it as a scheduled task the first Tue of the month so things are clean when Update Tuesday rolls around. 
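A PowerShell equivalent of that single monthly job, running the three steps in order and stopping at the first failure so a broken decline or cleanup run is not followed by a re-index. This is an added example, not the author's batch file; the script paths and switches are the ones shown in this post, while the log folder, the wrapper file name, the task name and start time in the closing comment are assumptions.

```powershell
# Added example (not from the original post).
$logDir = 'C:\Scripts\WSUSServerCleanup\Logs'    # assumed log location
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
$log = Join-Path $logDir ("WsusMaintenance_{0:yyyyMMdd_HHmm}.log" -f (Get-Date))

# The three steps from this post, in the order they must run.
$steps = @(
    @{ Name   = 'Decline Itanium and beta updates'
       Action = { & 'C:\Scripts\WSUSServerCleanup\Decline-OtherUpdates.ps1' `
                      -UpdateServer YourWSUSServer -Port 8530 -DeclineBeta -DeclineItanium } },
    @{ Name   = 'Cleanup wizard with HTML report'
       Action = { & 'C:\Scripts\WSUSServerCleanup\WSUSServerCleanupReport.PS1' } },
    @{ Name   = 'Re-index the WSUS database (WID)'
       Action = {
           # -b makes sqlcmd return a non-zero exit code when the SQL batch fails.
           sqlcmd -E -b -S 'np:\\.\pipe\MICROSOFT##WID\tsql\query' `
                  -i 'C:\Scripts\WSUSServerCleanupReport\WsusDBMaintenance.sql' 2>&1
           if ($LASTEXITCODE -ne 0) { throw "sqlcmd exited with code $LASTEXITCODE" }
       } }
)

foreach ($step in $steps) {
    "[{0:u}] START {1}" -f (Get-Date), $step.Name | Out-File -FilePath $log -Append
    try {
        # Merge all output streams into the log so errors are kept with their context.
        & $step.Action *>&1 | Out-File -FilePath $log -Append
        "[{0:u}] OK    {1}" -f (Get-Date), $step.Name | Out-File -FilePath $log -Append
    } catch {
        "[{0:u}] FAIL  {1}: {2}" -f (Get-Date), $step.Name, $_.Exception.Message |
            Out-File -FilePath $log -Append
        exit 1    # non-zero result shows up as a failed run in Task Scheduler
    }
}
exit 0

# Assumed registration for the first Tuesday of each month (task name, time and
# wrapper path are placeholders); run it as an account that is a local administrator:
# schtasks /Create /TN "WSUS Monthly Maintenance" /SC MONTHLY /MO FIRST /D TUE /ST 02:00 /TR "powershell.exe -NoProfile -File C:\Scripts\WSUSServerCleanup\Invoke-WsusMaintenance.ps1"
```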



Closing


Just as I wish Microsoft would split out Itanium from X86/AMD64, I also wish that WSUS would list Windows 10 versions separately instead of all together. As of right now if you choose Windows 10 updates you get 1511, 1607, and 1703 versions. Say for an environment that no longer has 1511 in it, why are we keeping updates for it? I have been thinking of using Jason's script to also decline all the Windows 10 version 1511 cumulatives in this example as he has a switch for '-DeclineOther' that takes a string so should do this.

Next up is Server 2016.

-Kevin





Tuesday, May 30, 2017

Tabulate OS Counts from Active Directory

For a couple smaller environments without ConfigMgr I wanted to know the versions of Windows, specifically the build # of Windows 10 so I knew counts of each version to target updates via WSUS or manually.

Over on the TechNet Gallery I found something that was real close written by Brian Arnold. The script will look at AD and count all OS versions and email it. I have this running on a monthly basis. Good "Executive Overview".

Count  Name
4      Windows 10 Pro, 10.0 (10586)
3      Windows 10 Pro, 10.0 (14393)
1      Windows 2000 Professional, 5.0 (2195)
1      Windows 7 Professional, 6.1 (7601)
1      Windows 7 Ultimate, 6.1 (7601)
3      Windows Server 2012 R2 Standard, 6.3 (9600)

I ended up modifying it a little as shown above. The bordering was not working right and I wanted to also get the version for Windows 10 in addition to the friendly name. The script will spit to the console as well as email. I'm not that good with PS1 scripts so someone can do way better than my attempt. All credit to Brian.

The scheduled task is pretty simple:

 powershell.exe -ExecutionPolicy Bypass -File "Path\To\CountOS\Get-OSCounts.ps1"  
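For readers who want to see how such a tabulation works, here is a compact version that produces the same Count/Name layout as the sample output above. This is an added example, not Brian Arnold's script or the modified copy offered for download; it assumes the RSAT ActiveDirectory module is installed, the optional -ActiveWithinDays filter is an addition, and the mail addresses are placeholders.

```powershell
# Added example (not the script referenced in the post).
Import-Module ActiveDirectory

function Get-OSCount {
    [CmdletBinding()]
    param(
        [string]$SearchBase,          # optional OU to limit the count
        [int]$ActiveWithinDays = 0    # 0 = count every computer object
    )
    $query = @{
        Filter     = '*'
        Properties = 'OperatingSystem', 'OperatingSystemVersion', 'LastLogonDate'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    # Skip objects with no OS recorded (pre-staged accounts, non-Windows devices).
    $computers = Get-ADComputer @query | Where-Object { $_.OperatingSystem }

    if ($ActiveWithinDays -gt 0) {
        # Drop stale accounts so long-gone machines do not inflate the counts.
        $cutoff    = (Get-Date).AddDays(-$ActiveWithinDays)
        $computers = $computers | Where-Object { $_.LastLogonDate -ge $cutoff }
    }

    # Group on "friendly name, version (build)", e.g. "Windows 10 Pro, 10.0 (14393)".
    $computers |
        Group-Object -Property { '{0}, {1}' -f $_.OperatingSystem, $_.OperatingSystemVersion } |
        Sort-Object -Property Name |
        Select-Object -Property Count, Name
}

$counts = Get-OSCount
$counts | Format-Table -AutoSize    # console copy

# Email copy; server and addresses are placeholders.
$body = $counts | ConvertTo-Html -Property Count, Name -Title 'OS counts' | Out-String
Send-MailMessage -SmtpServer 'smtp.yourdomain.com' `
    -From 'OSCounts@yourdomain.com' -To 'ITHelpDesk@yourdomain.com' `
    -Subject 'Monthly OS counts from Active Directory' -Body $body -BodyAsHtml
```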


Download

This script is provided as-is, no warranty is provided or implied. The author is NOT responsible for any damages or data loss that may occur through the use of this script. Always test, test, test before rolling anything into a production environment.

You can obtain my modified version here.

Tuesday, April 25, 2017

Publish Exchange Online Calendar to Android

As with many firms out there, mobile devices fall into a BYOD strategy so I have come to really like the Outlook app for Android as it "containerizes" my work email. Over the years, I have tried them all from Touchdown to Boxer (formerly Enhanced Email) and settled on Outlook currently. However they generally use ActiveSync so any security rules ActiveSync enables can take over the device. It is MY device, not my firm's.

With that said though, unlike many people I use my work calendar for work related entries and my personal Google calendar (hosted on G Suite) for personal stuff, Android pulls from there. So my work calendar will just show a PTO block (marked out of office) for that appointment time (plus travel and what not) and my personal calendar shows all the details. Keeps things nice and separated.

The problem is that I live out of my mobile device, so one thing I am challenged by when using the Outlook app is the calendar. While Outlook publishes contacts to the phone, that is all, nothing else. Strangely the old Outlook.com app would publish the calendar to the system though. I use and love a fantastic app called Business Calendar Pro to manage all my calendars as well as give me one pane of glass via its widgets. All color coded and pretty.

On my Moto X (2014) I had both Outlook and Boxer syncing which means Boxer uses ActiveSync so it took over my phone but I got the calendar for my single pane as a compromise. Ick but I lived with it until recently when Samsung gave me a shiny new Galaxy S8 to use for a bit so I thought I would set it up differently, especially now that we have migrated to Exchange Online via Office365.

Sure enough there is a useful option out there, as long as your Office365 admin does not disable it, called Calendar Sharing. Very easy to set up, though the process may change as Microsoft does change the Office365 online experience, but as of this writing it is quick and easy.

Share Process


1. Access your Calendar via one of several methods:


2. Click the gear icon in upper right



3. Under Your App Settings, select Calendar


4. On the left choose Calendar publishing


5. Configure permissions by choosing either 'Full Details' or 'Limited Details'. The difference is Limited only shows day/time whereas full shows everything in the body such as Skype dial in info. Click Save when done.


6. Copy the ICS link at the bottom as you'll need it later.

7. Navigate over to your Google Calendar and on the left you will find Other Calendars. Hover over it and click the down arrow and choose Add by URL then paste the URL from step 6.


Now you have your Exchange Online calendar present in Google Calendar as Read Only. You can select the down arrow and rename, change the color etc. I have mine turned off on the web calendar as I only want it on my phone. Additionally I renamed to my company.


8. After your phone does its next sync, go to your favorite calendar app (mine being Business Calendar Pro) on your phone and enable the calendar. Bam! There it is.

Two things to point out again.


  1. This feature can be disabled by your Office365 Admin(s)
  2. It is read only
Since Outlook Online Calendar publishes as ICS or HTML you can use it in other solutions as well.