21 June 2017

Connect to Exchange Online with MFA enabled

Been searching a little while before I got this thru my skull.

I had enabled MFA for my account over at Exchange Online and tried to connect to the remote PowerShell. Immediately my screen turned red.
New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com 
failed with the following error message : [ClientAccessServer=VI1PR0101CA0080,
b0595.eurprd10.prod.outlook.com RequestId=d3099d49-9287-419a-b22f-91e1bf7b888d,
TimeStamp=6/21/2017 10:43:42 AM] Access Denied For more information, see the 
about_Remote_Troubleshooting Help topic.

The access denied error is what triggered me to search for the MFA solution, because in the Office Portal I could log in just fine.

After some searching on the web I came across this:
This just recently became available (as far as I know); previously, MFA had to be disabled for the Organisation Management account, which is a terrible idea of course.

After installing the Exchange Online Remote PowerShell Module you get a new icon in your start menu.
After starting the new PowerShell module you're greeted by this:
As you can see there's a new way to connect to Exchange Online with MFA enabled on your command.
Connect-EXOPSSession is the new way: a new cmdlet that is not available in any of the installed modules in the PowerShell module directory.
I tried to find what module is explicitly loaded but was unsuccessful.
I think it downloads the module directly from the cloud, right after starting the module a black screen is briefly displayed and then the PowerShell window is shown.

Change Hyper-V Network Category from Public to Private with Powershell

This is one of those things that you can do multiple ways.
In my case however the normal routine of changing the network category type from Public to Private didn't work because my machine is domain joined.

When trying to create a HomeGroup you get this on a domain joined machine:
So PowerShell saves the day once again.
First see what adapters you have and what their current category is:
Name             : domain.lan            
InterfaceAlias   : vEthernet (External LAN Virtual Switch)            
InterfaceIndex   : 22            
NetworkCategory  : DomainAuthenticated            
IPv4Connectivity : Internet            
IPv6Connectivity : Internet            
Name             : Unidentified network            
InterfaceAlias   : vEthernet (Internal Virtual Switch)            
InterfaceIndex   : 8            
NetworkCategory  : Public            
IPv4Connectivity : NoTraffic            
IPv6Connectivity : NoTraffic

Then set the adapter to category private:
Set-NetConnectionProfile -InterfaceIndex 8 -NetworkCategory Private

Check the settings:
Name             : domain.lan            
InterfaceAlias   : vEthernet (External LAN Virtual Switch)            
InterfaceIndex   : 22            
NetworkCategory  : DomainAuthenticated            
IPv4Connectivity : Internet            
IPv6Connectivity : Internet            
Name             : Unidentified network            
InterfaceAlias   : vEthernet (Internal Virtual Switch)            
InterfaceIndex   : 8            
NetworkCategory  : Private            
IPv4Connectivity : NoTraffic            
IPv6Connectivity : NoTraffic

19 June 2017

Remote PowerShell login Office365, SkypeForBusiness Online, SharePoint Online, Exchange Online, Security and how to disconnect

Remote PowerShell login Office 365 all modules

Requisites for logging in to Office 365 Skype for Business Online are:

· Running OS must be 64bit

· Microsoft .NET Framework 4.5.x

· PowerShell Version 3.0 or higher
(if you need to install Version 3.0+, download and install Windows Management Framework 4.0: https://www.microsoft.com/en-us/download/details.aspx?id=40855)

You need to install the modules that are required for Office 365, SharePoint Online, and Skype for Business Online:
Microsoft Online Service Sign-in Assistant for IT Professionals RTW
Windows Azure Active Directory Module for Windows PowerShell (64-bit version)

Download the Windows PowerShell module for Skype for Business Online
After installation copy the SkypeOnline and the LyncOnline module folders found in:
C:\Program Files\Common Files\Skype for Business Online\Modules
This is because when running Import-Module SkypeOnline the modules can not be found.
By copying them to the default module directory for PowerShell they can be found and load right up.


Set-ExecutionPolicy RemoteSigned

$credential = Get-Credential
Connect-MsolService -Credential $credential


Import-Module SkypeOnlineConnector
$SfBoSession = New-CsOnlineSession -Credential $credential
Import-PSSession $SfBoSession


Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://domainhost-admin.sharepoint.com -credential $credential


$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking


$ccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $ccSession -Prefix cc


Remove-PSSession $sfboSession
Remove-PSSession $exchangeSession
Remove-PSSession $ccSession
There is no disconnect or remove session option for MSOL, just close the PowerShell window.

12 June 2017

Free Azure documentation

After searching for some info on Office 365 I came across this page:

On this page all of Azure's services are displayed categorized by service type.
By clicking one of the subjects, for instance Storage, and then choosing Backup, you're presented with a page where you can browse in a TechNet kind of way.
But it also displays a button "Download pdf".

In the pdf is everything that's on the webpage, so you can read it offline. Nice.
I created a list with the most interesting services (for myself that is) for quick downloading:





enterprise integration


monitoring + management




security + identity




web + mobile


24 May 2017

Skype for Business 2015 Frontend Service won't start - Don't disable TLS 1.0 Event ID: 32192 & 32179

Finally figured it out.
Our Skype for Business 2015 Server Front-End service wouldn't start, it kept displaying "Starting".
The event-viewer kept filling up with:
Event ID: 32192

Closing routing group service due to an error.

Calling ReportFault on routing group {3C86EE90-FB81-5FC0-9B41-2C787B4ACC20} with FaultType 2 and ReasonCode 3. Error code: 0x00000000(ERROR_SUCCESS)
Cause: This may indicate a problem with the routing group. Please examine the server event logs and traces to identify the cause.
Run the commandlet Get-CsPoolFabricState -RoutingGroup [ROUTING GROUP] and make sure quorum is achieved. If the Pool is running and the Front-End is just started, this is normal for some time. If the error persists while the Front-End is running, restart the server.

Event ID: 32179

Request to sync data from backup store for routing group {353B9BC5-A12D-578B-BAD5-F7F8BD5E02FC} was throttled due to pending requests.
Cause: This can happen when a Pool is re-started, and should go away automatically.

It turns out TLS 1.0 had been disabled, but the change only took effect after the next reboot.
So when we rebooted for the latest WSUS updates it was activated, killing the RTCSRV.exe service.

You can find the key here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
REG_DWORD - Enabled
Value: ffffffff (decimal: 4294967295)

The disabled value is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
REG_DWORD - Enabled
Value: 0 (decimal: 0)
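
A pre-reboot check for the situation described in this post, as an added example that is not part of the original post: it reads the Enabled value under the SCHANNEL TLS 1.0 key and flags a host where the protocol is set to disabled while the RTCSRV service is installed. The function names and the "NotConfigured" label for a missing key or value are assumptions of this example.

```powershell
# Added example, not from the original post.
# Reports the SCHANNEL state of a protocol from the registry key the post names.
function Get-SchannelProtocolState {
    [CmdletBinding()]
    param(
        [string]$Protocol = 'TLS 1.0',
        [ValidateSet('Server', 'Client')]
        [string[]]$Role = @('Server', 'Client')
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    foreach ($r in $Role) {
        $path  = Join-Path (Join-Path $base $Protocol) $r
        $state = 'NotConfigured'   # no key or no Enabled value: the OS default applies
        $raw   = $null

        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path -Name Enabled -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $raw = $item.Enabled
                # 0 disables the protocol; a non-zero DWORD enables it
                # (the post's ffffffff is read back by PowerShell as -1).
                $state = if ($raw -eq 0) { 'Disabled' } else { 'Enabled' }
            }
        }

        [pscustomobject]@{
            Protocol = $Protocol
            Role     = $r
            Path     = $path
            RawValue = $raw
            State    = $state
        }
    }
}

# Flags the combination that bit the author: Front-End service present and
# TLS 1.0 (Server) set to disabled, which only shows its effect after a reboot.
function Test-FrontEndTlsRisk {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'RTCSRV'   # service name taken from the post
    )

    $svc      = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $server   = Get-SchannelProtocolState -Protocol 'TLS 1.0' -Role Server
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $atRisk   = ($null -ne $svc) -and ($server.State -eq 'Disabled')

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Service      = if ($svc) { "$($svc.Name) ($($svc.Status))" } else { 'not installed' }
        Tls10Server  = $server.State
        LastBoot     = $lastBoot
        AtRisk       = $atRisk
        Note         = if ($atRisk) {
                           'TLS 1.0 is set to disabled on a Front-End host; check the service after the next reboot.'
                       } else {
                           'No staged TLS 1.0 disable found for this service.'
                       }
    }
}

# Run on the Front-End server before scheduling a patch reboot.
Test-FrontEndTlsRisk | Format-List
```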

23 May 2017

Start Menu locations - Or add a simple Start Menu yourself without 3rd party tools

I keep forgetting the path to the Start Menu:
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs"

This is the same for Windows 7 up to Windows 10, and for Server 2012 to Server 2016.

But, wouldn't it be nice to have some sort of start menu without installing some malware/spyware infested tool? Then this quick fix is for you:

  • Display "Hidden items" on your C: Drive.
      • Open File Explorer and browse to your C: Drive.
      • On the View tab, check the "Hidden items" checkbox.
  • Add a New Toolbar on your Taskbar.
      • Right-click on a blank area of your Taskbar and select Toolbars > New Toolbars.
  • Browse to the Start Menu\Programs folder.
      • In the New Toolbar dialog box, browse to the "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" folder.
  • Click the "Select Folder" button.
      • Click the "Select Folder" button to add the new Toolbar to your Taskbar.

Here's what it looks like:

19 May 2017

Find all the KB's for Wannacry with PowerShell

I know this stuff is all over the place, but still could come in handy:

Check to see if the necessary Microsoft KB's are installed on your computer or server to protect you from "Wannacry":

#Current list of all the hotfixes from https://technet.microsoft.com/en-us/library/security/ms17-010.aspx            
$hotfixes = "KB3205409", "KB3210720", "KB3210721", "KB3212646", "KB3213986", "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012218", "KB4012220", "KB4012598", "KB4012606", "KB4013198", "KB4013389", "KB4013429", "KB4015217", "KB4015438", "KB4015546", "KB4015547", "KB4015548", "KB4015549", "KB4015550", "KB4015551", "KB4015552", "KB4015553", "KB4015554", "KB4016635", "KB4019213", "KB4019214", "KB4019215", "KB4019216", "KB4019263", "KB4019264", "KB4019472", "KB4015221", "KB4019474", "KB4015219", "KB4019473"            
#Check the computer it's run on for any of the listed hotfixes
$hotfix = Get-HotFix -ComputerName $env:computername | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property "HotFixID"
#Confirms whether hotfix is found or not
if ($hotfix) {
"Found HotFix: " + $hotfix.HotFixID
} else {
"Didn't Find HotFix"
}

If you are running Windows 10 Creators Update (Winver: 1703) you are good to go, as this build is not affected by Wannacry.

17 May 2017

PSGallery module gone - add it back to PowerShell-ISE

Unable to add modules from the PSGallery provider

When your Package provider list is empty:
Get-PackageProvider -ListAvailable

Run CMD.exe as an administrator and run the following command:
@powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

Close the CMD window, now you have a PS Repository:
PS C:\windows\system32> Get-PSRepository            
Name                      InstallationPolicy   SourceLocation
---------                 ------------------   --------------   
PSGallery                 Trusted              https://www.powershellgallery.com/api/v2/

Set the PSGallery as trusted:
PS C:\windows\system32> Set-PackageSource -Name PSGallery -Trusted               
Name                             ProviderName     IsTrusted  Location            
---------                        -------------    ---------  --------                                                                                                                                  
PSGallery                        PowerShellGet    True       https://www.powershellgallery.com/api/v2/

11 May 2017

Bitlocker everything - Store your bitlockerkeys in Onedrive

I was fooling around with bitlocker the other day and needed a way to store my bitlocker key other than on an external drive or USB drive and especially something else than printing them.

Right click on the physical drive you want to bitlocker and select "Turn on bitlocker".
Then you're asked where the bitlocker recovery key has to be stored.
The first option that is presented turned out to be the most excellent one.

Save to your cloud domain account.
Now you might think that you need an Azure joined machine, this is partially correct.
If your machine is Azure Active Directory domain joined your bitlocker keys are stored in the "Devices" section in your account; you can find the key under the details of your device.

But if you're not Azure domain joined but do have a Onedrive account set up, then it will save your bitlocker key in your Onedrive.

Eureka, this means there is no more reason to not use bitlocker on your personal computers.
Knowing that in the case of theft or loss your data will not be compromised.
And the recovery key can be accessed fairly easily through this site:


Now this site is not accessible from your onedrive site directly, you won't find a link to it there, you have to know it and type it.

Here's what it looks like:

20 April 2017

Forward email to external domain - Exchange 2013 & Exchange 2016

By default email forwarding to an external domain is disabled on an out of the box Exchange 2013/2016 installation.
There are a lot of blogs/threads/comments on the web that say to create a transport rule or to create a contact. Both of these will not work because autoforward to external domains is disabled (see below).

If you look in the message tracking logs you will find the following line:

To be able to do this for a specific domain only you can do the following:

Check your current settings:
Name                           DomainName                                   AllowedOOFType
----                           ----------                                   --------------
Default                        *                                            External

Check the auto forward settings:
Get-RemoteDomain | fl autofor*
AutoForwardEnabled : False

Add a new remote domain to allow forwarding to:
New-RemoteDomain -Name description -DomainName yourremotedomain.com

Check the auto forward settings for the new domain:
Get-RemoteDomain -Identity yourremotedomain | FL auto*            
AutoReplyEnabled   : True                        
AutoForwardEnabled : True

After doing all this you can create a rule in Outlook or OWA to forward an email to this particular domain only.
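
To confirm that auto-forwarding stays limited to the one domain added above, the following added example (not part of the original post) classifies remote domain settings such as those returned by Get-RemoteDomain. The function name Test-AutoForwardScope, the sample objects and the domain partner.example.net are constructed for illustration.

```powershell
# Added example, not from the original post.
# Classifies remote domains by whether auto-forwarding is enabled and whether
# that was intended. Input objects need DomainName and AutoForwardEnabled,
# the properties shown in the Get-RemoteDomain output above.
function Test-AutoForwardScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [object[]]$RemoteDomain,

        # Domains for which auto-forwarding was deliberately enabled.
        [string[]]$AllowedDomain = @()
    )

    foreach ($rd in $RemoteDomain) {
        $domain = [string]$rd.DomainName

        $finding =
            if (-not $rd.AutoForwardEnabled) {
                'OK: auto-forward disabled'
            }
            elseif ($domain -eq '*') {
                'REVIEW: default domain (*) allows auto-forward to any external domain'
            }
            elseif ($AllowedDomain -contains $domain) {
                'OK: auto-forward enabled for an approved domain'
            }
            elseif ($domain.StartsWith('*.')) {
                'REVIEW: wildcard domain allows auto-forward to every subdomain'
            }
            else {
                'REVIEW: auto-forward enabled for a domain not on the approved list'
            }

        [pscustomobject]@{
            Name               = $rd.Name
            DomainName         = $domain
            AutoForwardEnabled = [bool]$rd.AutoForwardEnabled
            Finding            = $finding
        }
    }
}

# Constructed sample data mirroring the post: the default domain with
# auto-forward off, the domain added with New-RemoteDomain, and one
# constructed entry that was never approved.
$sample = @(
    [pscustomobject]@{ Name = 'Default';     DomainName = '*';                    AutoForwardEnabled = $false }
    [pscustomobject]@{ Name = 'description'; DomainName = 'yourremotedomain.com'; AutoForwardEnabled = $true }
    [pscustomobject]@{ Name = 'old partner'; DomainName = '*.partner.example.net'; AutoForwardEnabled = $true }
)

Test-AutoForwardScope -RemoteDomain $sample -AllowedDomain 'yourremotedomain.com' |
    Format-Table -AutoSize -Wrap

# In the Exchange Management Shell, feed it the live configuration instead:
# Test-AutoForwardScope -RemoteDomain (Get-RemoteDomain) -AllowedDomain 'yourremotedomain.com'
```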

31 March 2017

Get-HealthReport - Get your daily dose of builtin Exchange HealthReport checks in your mailbox

Looking for some stuff about Skype for Business I came across a great post by Joakim Storrank over at https://sysadminblogger.wordpress.com/

He had a few scripts he uses for monitoring, 2 he mentions I use as well but the third caught my eye.

It was a great oneliner (gotta love those) about the builtin HealthReport checks for Exchange.
The thing is that it was for 1 server and I have several so I made some adjustments and look here now it can be used for an array of servers.

Thanks Joakim, and check out his post about the Health Checking / Monitoring Exchange Server 2013/2016

Run it as a scheduled task daily with these arguments:
powershell.exe -noprofile -file "C:\_Scripts\Get-HealthReport\Get-HealthReport.ps1"

Note the spaces around "Style" for the table, I had some trouble getting the code to display correctly.

The Script:
## Get-HealthReport
## Purpose: Sends report on the builtin Exchange HealthReport commandlets
## Author: Edwin van Brenk
## Date: 30 march 2017
## Version: 1.0
## Credits go to Joakim Storrank for his excellent oneliner:
## https://sysadminblogger.wordpress.com/2017/03/13/health-checking-monitoring-exchange-server-20132016/
#Load Exchange 2013 Module
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
## The Servers to test (defined first because the mail subject uses the list)
$Computers = "server1","server2","server3","server4"
#SMTP options for sending the report email
$smtpServer = "smtp.domain.com"
$smtpFrom = "Get-HealthReport@domain.com"
$smtpTo = "username@domain.com"
$messageSubject = "Get-HealthReport $Computers"
$logPath = "C:\_Scripts\Get-HealthReport\"
# Build table for html files, remove the space around "Style"
$style = "< style >BODY{font-family: Arial; font-size: 10pt;}"
$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
$style = $style + "TD{border: 1px solid black; padding: 5px; }"
$style = $style + "</ style >"
# End HTML Output file style
$Date = Get-Date -Format dd-MM-yyyy
# Start the Script
Foreach($computer in $Computers)
{
# Choose what you want to see, all status' or everything but healthy or everything but healthy and disabled by commenting out the desired line
#$GetStuff = Get-HealthReport -Server $Computer | Select server,state,healthset,alertvalue,lasttransitiontime,monitorcount #-AutoSize
#$GetStuff = Get-HealthReport -Server $Computer | where {$_.alertvalue -ne "Healthy" -and $_.AlertValue -ne "Disabled"}  | Select server,state,healthset,alertvalue,lasttransitiontime,monitorcount #-AutoSize
$GetStuff = Get-HealthReport -Server $Computer | where {$_.alertvalue -ne "Healthy"} | Select server,state,healthset,alertvalue,lasttransitiontime,monitorcount #-AutoSize
$GetStuff | ConvertTo-Html -head $style -body "Get-HealthReport from $Computer" | Out-File "$logPath\$Computer-$Date.html"
}
# Remove previously created combined.html (no error if it does not exist yet)
Remove-Item $logPath\combined.html -ErrorAction SilentlyContinue
#Combine all the html files in to one file
Get-Content -path $logPath\*.html | Add-Content -Path $logPath\combined.html
#Send email message
Send-Mailmessage -To $smtpto -From $smtpfrom -SmtpServer $smtpserver -Subject $messagesubject -Body (Get-Content $logpath\combined.html | Out-String) -BodyasHtml
# Remove all html files to prevent filling the disk
Remove-Item $logpath\*.html

14 March 2017

Skype Online New-CsOnlineSession - Create a shortcut for your Online Sessions

The way to connect to Skype Online according to Microsoft:

Import-Module SkypeOnlineConnector            
$cred = Get-Credential            
$CSSession = New-CsOnlineSession -Credential $cred            
Import-PSSession $CSSession -AllowClobber

While this works, it can be done faster:

Create a RemoteSkypeOnlineSession.ps1 file and paste the above in it and save it preferably in OneDrive.
Then on your desktop create new shortcut and point the source to the saved file in OneDrive.

Adjust the "Target" with this:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'C:\Users\YourUsername\OneDrive\PowerShell\RemotePSSession\RemoteSkypeOnlineSession.ps1'"

When the shortcut has been edited, Shift + right-click it and select "Run as administrator".
Enter your credentials and the PowerShell console will load the Exchange command-lets.

When you're finished with the session don't forget to exit the session, otherwise all the PowerShell sessions will be used up and there will be none left when you try to start another session.
There are 3 sessions per Admin account, and a total of 9 sessions per tenant.

Get-PSSession | fl Id,Name
Remove-PSSession -Id id-number

Or use:
Remove-PSSession -Name Sessionname

Skype Online authenticating proxy - 407 Proxy Authentication Required

When trying to sign in to Skype Online from the Skype for Business (2015) Control panel sitting behind an authenticating proxy you may receive the following:

You need to set up your proxy to allow the necessary sites to be accessed without authentication.
Going through your proxy log you can see what sites are connected to.
These are the ones that were accessed at my site.


Yours could be different, there are quite a lot of sites and ip addresses linked with Skype Online, Office365 and Exchange Online as you can see here:


After allowing all these sites through your proxy you should be able to login to Skype Online with your tenant ID.

28 February 2017

Windows 10 Store not opening

When clicking the Store app in Windows 10 (version 1607) nothing happens.
This could be because of the anniversary update.

There are several methods to resolve this, for me number 4 worked.

Possible solution 1

Right-click the start button, select "Command prompt (Admin)" and type wsreset.exe. Didn't work for me, I was getting: "You'll need a new app to open this ms-windows-store".
A possible error that you can get is this:

Possible solution 2

Start an elevated PowerShell:
Set-ExecutionPolicy Unrestricted -Force

And then
Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\WinStore\AppxManifest.XML

Didn't work for me either. I got this: Cannot find path 'C:\WINDOWS\WinStore\AppxManifest.XML' because it does not exist.
I simply had no "WinStore" folder in my "C:\Windows". Possibility for this is that the WinStore folder is located in "C:\Program Files\WindowsApps"

Possible solution 3

Start an elevated PowerShell:
Set-ExecutionPolicy Unrestricted -Force

For me it was this that worked:
Get-AppXPackage | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
For others it could be this:
Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Finally, it worked.

If none of the above solutions works for you - create a new administrator user and repeat the steps under the new account. You will have to transfer all the existing data to the new user profile from the old one.

To remove the Store completely:
Get-AppxPackage -AllUsers | Remove-AppxPackage
Find the Windows Store Location:
Get-AppxPackage -AllUsers
To reinstall the Windows 10 Store:
Add-AppxPackage -DisableDevelopmentMode -Register "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\AppXManifest.xml"

14 February 2017

Add Color coded PowerShell code to your Blogger page

I wanted a nicer way to show PowerShell code on my page here.
So after a little bit of searching I came across the PowerShell ISE.
Now that's nothing new, but what I didn't know is that you can add "add ons" to the ISE and with that it becomes even more fun.

To be able to add color coded PowerShell code to your blog install the module "IsePackV2"

If you haven't set Chocolatey and PSGallery as Packagesource and trusted them then run:
Get-PackageProvider -Name PSGallery -Force           
Set-PackageSource -Name PSGallery -Trusted            
Get-PackageProvider -Name Chocolatey -Force            
Set-PackageSource -Name Chocolatey -Trusted

This Add on needs some additional modules so we'll install all in one go.
You can run this in PowerShell Ise or regular PowerShell but both must be run with elevated permissions:
Install-Module IsePackV2 -AllowClobber            
Install-Module ShowUI -AllowClobber            
Install-Module RoughDraft -AllowClobber            
Install-Module Pipeworks -AllowClobber            
Install-Module EZOut -AllowClobber            
Install-Module ScriptCop -AllowClobber            
Import-Module IsePackV2

When running the PowerShell ISE as Administrator and running Import-Module IsePackV2 there will be some error. I don't know where it comes from, I'll have to look into that later.
But for now the thing you're looking for is the add on we just added.

The way this works is as follows.
You type some stuff in the script pane in the ISE.

Select and copy it, go to Add-ons -> IsePack -> Edit -> Copy-ColoredAsHtml.
As soon as you click "Copy-ColoredAsHtml" it is on your clipboard.
Now go to your blog editor and paste the text in the Html editor page:

And then it will look like this on your blog:

Load Exchange 2013 PowerShell Cmdlets when starting PowerShell ISE everytime

Start PowerShell ISE with an account that has administrative privileges. CAUTION: Make sure that you start Windows PowerShell ISE, which is 64-bit, rather than Windows PowerShell ISE (x86) which is 32-bit.

Enter the command test-path $profile. This will either return a True or a False.
If it returns False then you can create a profile for yourself using the following command.

if (!(test-path $profile)) {new-item -type file -path $profile -force}

The path to the profile is provided, e.g. C:\Users\SP_Admin\Documents\WindowsPowerShell. The name of the file is also provided, e.g. Microsoft.PowerShellISE_profile.ps1.

Open the .ps1 file in Notepad. The file will be blank. Enter the following command and then save the file (File, Save). Make sure that the file is saved with the original .PS1 extension and not .txt.

Add-PSsnapin *Exchange* -ErrorAction SilentlyContinue

Close and restart the PowerShell ISE. Your Exchange PowerShell cmdlets should now be available to you. Verify this by typing any Exchange PowerShell cmdlet. For example type the following command.
Get-ExchangeServer | fl name,edition,admindisplayversion

And you can add some others of course:
Import-Module IsePackV2 -Force

12 February 2017

Steps for renewing NDES Service Certificates

Well this was a life saver once again, being on vacation the moment this was implemented, and the supplied documentation by the 3rd party that did that being insufficient, this saved my a s s.
And as stated by the blogger "chdelay" there's not a lot of info to be found on this matter.

For those organizations that used the Network Device Enrollment Service run into the process for renewing the certificates for NDES. I never was able to find good instructions on how to do this. So, I had no choice but to create my own. The steps in this blog posting cover how to renew the certificates used by the Network Device Enrollment Service. You will need to be logged in as an Enterprise Admin for most of the steps outlined in this posting.

Step 1: First give the NDES Server Read and Enroll permission to the CEP Encryption Certificate Template.

Step 2: Open the certificates MMC targeted to the computer. Expand Personal. Right-click on Certificates. From the context menu select All Tasks then Renew Certificate with New Key…

Step 3: On the Before You Begin page of the wizard, click Next.

Step 4: On the Request Certificates page, click Enroll.

Step 5: On the final page of the wizard, click Finish.

Step 6: Open Certmgr.msc as a user that has Read and Enroll permissions to the Exchange Enrollment Certificate Template. Expand Personal, right click on Certificates. Select All Tasks, and then Request New Certificate…

Step 7: On the Before You Begin page, click Next.

Step 8: On the Select Certificate Enrollment Policy page, click Next.

Step 9: Select the Exchange Enrollment Agent certificate template, and click the More information is required to enroll for this certificate. Click here to configure settings. link.

You will want to use the same Subject Name that is in your current Exchange Enrollment certificate. The following steps illustrate the steps needed to do this. You can find the current subject name by opening the Certificates MMC targeted to the local machine and then open the existing Exchange Enrollment Agent certificate. In my example the name was CN=FCNDES01-MSCEP-RA,C=US.
Step 10: Under Subject Name ensure that Common Name is selected and under Value enter the common name that is in your existing certificate. Then click Add.

Step 11: Change the Type to Country and under Type the country code that is your existing Exchange Enrollment Agent certificate.

Step 12: Click Add

Step 13: On the Private Key tab, select Make private key exportable. Then click OK.

Step 14: Then click Enroll.

Step 15: Right-click on the Exchange Enrollment certificate in the users personal store. Select Export…

Step 16: When the Certificate Export Wizard opens, click Next.

Step 17: On the Export Private Key page, select Yes, export the private key.

Step 18: On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX)

Step 19: On the Password page, enter a password and click Next.

Step 20: On the File to Export page, click the Browse… button. Select the file name and save location. When finished click Next.

Step 21: On the final page of the wizard, click Finish.

Step 22: Then click OK.

Step 23: In the Certificate MMC on the NDES Server that is targeted to the computer, expand Personal. Right-click on Certificates. From the context menu, select All Tasks and then Import…

Step 24: On the Welcome page, click Next.

Step 25: Browse to the PFX file you previously created, and click Next.

Step 26: On the Password page, enter the password associated with the PFX file.

Step 27: On the Certificate Store page, click Next.

Step 28: On the final page of the wizard, click Finish.

Step 29: Then click OK.

Step 30: In the Certificate MMC on the NDES Server that is targeted to the computer, expand Personal. Right-click on the old Exchange Enrollment certificate, and select Delete.

Step 31: Then click Yes, to accept the deletion.

Step 32: Right click on the new Exchange Enrollment certificate. From the context menu, select All Tasks then Manage Private Keys…

Step 33: Add the NDES service account and ensure that it just has Read permission. Click OK.

Step 34: Right click on the new CEP Encryption certificate. From the context menu, select All Tasks then Manage Private Keys…

Step 35: Add the NDES service account and ensure that it just has Read permission. Click OK.

Step 36: Reset IIS using iisreset command.