September 2015 Update for Skype for Business Server 2015

Following the release of the MS15-104 security update, Microsoft released the first CU for Skype for Business Server 2015, as described in KB3061064.

The CU includes the following patches:

  • KB 3090687 September 2015 update for Skype for Business Server 2015, Core Components
  • KB 3080355 MS15-104: Description of the security update for Skype for Business Server 2015 (Web Components Server): September 8, 2015
  • KB 3080352 MS15-104: Description of the security update for Skype for Business Server 2015 (Enterprise Web App): September 8, 2015
  • KB 3063353 June 2015 cumulative update 6.0.9319.55 for Skype for Business Server 2015 and Unified Communications Managed API 5.0 Runtime
  • KB 3063352 June 2015 cumulative update 6.0.9319.55 for Skype for Business Server 2015, Response Group Service
  • KB 3061059 June 2015 cumulative update 6.0.9319.55 for Skype for Business Server 2015 (Front End server and Edge server)

The link to the CU installer and some of the updates is currently broken but the download is available here.

Skype for Business Server Response Groups Migration Gotcha

Noticed something weird during a recent upgrade from Lync Server 2013 to a new Skype for Business Server pool.

I was double-checking myself against Greig Sheridan’s very detailed guide and as expected, everything worked just fine.
We tested and confirmed that calls are coming through and the response groups are all working as expected – that was easy.

The next week I’m getting a phone call saying the Response Groups’ managers can’t change some of the settings they used to be able to.
Checking AD permissions – OK.
Opening the Workflow – I can’t see the managers and the workflow is set to “Unmanaged”.

I thought it was just a misconfiguration but then I checked the “Get-CsRgsWorkflow” export we did earlier (Never underestimate documenting!) and all workflows that were set to “Managed: True” are now set to “Managed: False“.

I thought it was a bug, but no – it’s by design. I couldn’t see it in the migration documents (nor thought I should look for it!) but the Microsoft planning document for Skype for Business Server 2015 states very clearly vaguely that “When you migrate response groups from a prior version to Skype for Business Server, the type is set to Unmanaged.”
Here, check for yourself.

I’m not sure if this is the behaviour when performing an in-place upgrade to Skype for Business, but I’m assuming it is.

Reset \ Fix Skype for Business and Lync accounts …And a bonus!

Every now and then I run into one account that has something weird about it. Usually it would display an old phone number even when you changed the phone number in AD, ran Update-CsAddressBook and deleted all old records you had.
However, when looking at the user’s contact card you’ll still see the old number AND the new number, resulting in users dialling the wrong number, resulting in call failures, resulting in service desk calls, do I need to go further…?

I read various workarounds involving running various scripts against the RTC database, and to be honest – there are some things I’d rather not touch.

The workaround for the “corrupted” users would normally be disabling them and then re-enabling them for Skype for Business \ Lync.
This will do the trick, BUT has a huge downside: if you didn’t export the users’ data they’ll lose all of their groups, favourites, contacts, etc. Also, you’ll have to re-apply the user’s policies, line URI, private numbers, etc.
This is both time consuming and requires scheduling a maintenance window, as the user is going to be kicked out.

So, I came up with the following script:


  1. You’ll provide the user’s sip address.
  2. The system will confirm the user’s name so you’re happy to move on.
  3. The user’s data will be exported to a folder on your local C drive (Path is always C:\y0av\users\<username>)
  4. The user’s Get-CsUser data will be exported to a text file in the same folder so you can compare the settings once you’re done.
  5. The user will be disabled, and the script will run Update-CsUserDatabase and pause for 15 seconds.
  6. The user will then be enabled and the script will pause for another 15 seconds. The purpose of the pauses is to allow for the changes to set in. I tested various environments and 30 seconds seems like enough time. I’ll add the option to change the pause in future versions.
  7. The user’s policies will be re-applied.
  8. The system will run Update-CsUserDatabase and Update-CsAddressBook to reflect the changes.
  9. The user’s data dump is saved in the C:\y0av\users folder, and you can manually delete it if you feel you no longer need it.
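
A minimal PowerShell sketch of the steps above, added here as an example; it is not the author's downloadable script. The backup path, the parameter names and the optional restore switch are assumptions.

```powershell
# Added sketch, not the author's script. Run from the Skype for Business
# (or Lync) Management Shell. $BackupRoot is a hypothetical path.
param(
    [Parameter(Mandatory = $true)] [string] $SipAddress,   # e.g. sip:user@contoso.example
    [string] $BackupRoot   = 'C:\Temp\S4BRepair',
    [int]    $PauseSeconds = 15,
    [switch] $RestoreUserData                               # assumption: re-import the export
)
$ErrorActionPreference = 'Stop'

$user = Get-CsUser -Identity $SipAddress
if ((Read-Host "Repair '$($user.DisplayName)'? (y/n)") -ne 'y') { return }

# Steps 3-4: export contacts/groups and record the current settings.
$dir = Join-Path $BackupRoot $user.SamAccountName
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$filter = $user.SipAddress -replace '^sip:', ''
$zip    = Join-Path $dir 'UserData.zip'
Export-CsUserData -PoolFqdn $user.RegistrarPool -FileName $zip -UserFilter $filter
$user | Format-List * | Out-File (Join-Path $dir 'Get-CsUser.before.txt')

# Step 5: disable, then let the change settle.
$dn = [string]$user.Identity      # the AD object still exists after Disable-CsUser
Disable-CsUser -Identity $dn
Update-CsUserDatabase
Start-Sleep -Seconds $PauseSeconds

# Step 6: re-enable on the same pool with the same SIP address.
Enable-CsUser -Identity $dn -RegistrarPool $user.RegistrarPool -SipAddress $user.SipAddress
Start-Sleep -Seconds $PauseSeconds

# Step 7: re-apply voice settings and every per-user policy that was assigned.
Set-CsUser -Identity $dn -EnterpriseVoiceEnabled $user.EnterpriseVoiceEnabled `
    -LineURI $user.LineURI
if ($null -ne $user.HostedVoiceMail) { Set-CsUser -Identity $dn -HostedVoiceMail $user.HostedVoiceMail }
if ($user.PrivateLine) { Set-CsUser -Identity $dn -PrivateLine $user.PrivateLine }
$policyProps = 'ArchivingPolicy', 'CallViaWorkPolicy', 'ClientPolicy', 'ClientVersionPolicy',
    'ConferencingPolicy', 'ExternalAccessPolicy', 'HostedVoicemailPolicy', 'LocationPolicy',
    'MobilityPolicy', 'PersistentChatPolicy', 'PinPolicy', 'PresencePolicy',
    'ThirdPartyVideoSystemPolicy', 'UserServicesPolicy', 'VoicePolicy', 'VoiceRoutingPolicy'
foreach ($prop in $policyProps) {
    if ($user.$prop) {            # empty means the global/site policy applies
        & "Grant-Cs$prop" -Identity $dn -PolicyName ([string]$user.$prop)
    }
}
if ($RestoreUserData) { Update-CsUserData -FileName $zip -UserFilter $filter }

# Step 8: push the changes out.
Update-CsUserDatabase
Update-CsAddressBook
```

Compare a fresh Get-CsUser listing with the saved Get-CsUser.before.txt afterwards; the PIN and conference ID still have to be handled as listed under "What's missing?".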


What’s missing?

  • If the user is configured with a Private Line you’ll have to use the script with the -PrivateLine switch.
  • PIN must be reset for the user after the account is recreated.
  • Conference ID will change – any recurring Skype for Business \ Lync meetings must be re-sent.

What’s the bonus?

All the tests I made show that the script runs fast enough to not interfere with the user’s activity; I ran this against a user during a call, the script completed and the call never disconnected.
Try this on a test account before killing someone’s call in your organization… 🙂


Policies this script will save and re-apply:

Hosted Voicemail (True or False)
Archiving Policy
CallViaWork Policy
Client Policy
ClientVersion Policy
Conferencing Policy
External Access Policy
Hosted Voicemail Policy
Location Policy
Mobility Policy
Persistent Chat Policy
Pin Policy
Presence Policy
Third Party Video System Policy
User Services Policy
Voice Policy
Voice Routing Policy

To run the script for a user with a private line, run:

.\S4BUserRepair.ps1 -PrivateLine

Download the script here.

Request and Enroll Multi-SAN certificates on Windows Server 2012

In one of my recent deployments, the customer asked to keep the existing naming convention of his domain, keeping it as “SRV_SVC_01.domain.local”. If you’ve been around long enough, you know that names that contain underscores ( _ ) are a little frowned upon. Windows will ask you if you really want to use this name when you change the machine’s name, but will let you go through with it.

The bigger issue started when I tried configuring an IIS ARR web farm to publish an Office Web Apps Server for this one. IIS will not accept underscores in names so that presented an issue. Also, the Office Web Apps server was already configured and published in the topology so changing the name now wasn’t really an option. Usually I’ll just create some random name and add that to the host file on the IIS ARR box, but since we’re using HTTPS here, the published name (the name the IIS ARR machine is accessing) must match the name on the certificate. The only solution I thought of was to use a multi SAN certificate.

By default, requesting a domain certificate using the IIS wizard will generate a certificate with the server’s CN and you’ll be able to bind this to the HTTPS port of the server. Unfortunately, there’s no way to add additional names to this request.

The workaround – Manually submit a Web Server certificate request.

Let’s cover these steps:

Open the local machine’s certificate console and request a new certificate:


Run through the next screens until you reach the certificate template choice. Odds are you’ll see this:


Hit “Show all templates” and scroll down to “Web Server”, you won’t be happy to see the following:

Well, how do we do that now…

Log on to your CA and open the Certification Authority management console, scroll down to “Certificate Templates”, right-click it and choose “Manage”:

On the new “Certificate Template Console”, locate your Web Server template, right-click it and choose “Properties”:


On the Web Server window, click the Security tab. Add the Computer you’re trying to enroll the certificate for (user accounts can’t be used here since we’re enrolling on behalf of the machine), then tick the “Enroll” box:


Now go back to the machine and try to re-enroll the certificate; You’ll see that you now have the Web Server certificate template available:


Tick Web Server certificate box and click on the “More information required….” link.
In the new window, do the following:
For the Subject Name – choose “Common name” for “Type” and enter your server’s FQDN in the value field, then click “Add”.
For Alternative names – choose DNS and enter the FQDN (or FQDNs) you’d like to use in the value field and click “Add”:


When done, click OK and then “Enroll” on the next window. This will initiate the certificate request. When enrolled, you’ll see the following:


You’ll now see the certificate in the Personal certificate store of the machine:
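
The same enrollment can also be scripted and the result checked. The following PowerShell is an added example, not part of the original post; it assumes the built-in template name WebServer, the Get-Certificate cmdlet from the PKI module (Windows Server 2012 and later), and constructed host names.

```powershell
# Added example (not from the original post). Run elevated on the server that
# needs the certificate, after its computer account has Enroll on the template.
function Request-MultiSanCertificate {
    param(
        [Parameter(Mandatory = $true)] [string]   $CommonName,
        [Parameter(Mandatory = $true)] [string[]] $DnsName,
        [string] $Template = 'WebServer'   # assumption: built-in Web Server template
    )
    $result = Get-Certificate -Template $Template -SubjectName "CN=$CommonName" `
        -DnsName $DnsName -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($result.Status -ne 'Issued') {
        throw "Request was not issued (status: $($result.Status))."
    }
    # Re-read the certificate from the machine store so the key check is accurate.
    $cert = Get-Item "Cert:\LocalMachine\My\$($result.Certificate.Thumbprint)"

    # Read the Subject Alternative Name extension (OID 2.5.29.17) back from the
    # issued certificate. 'DNS Name=' is the English display label.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $issuedNames = @()
    if ($san) {
        $issuedNames = $san.Format($false) -split ',\s*' -replace '^DNS Name=', ''
    }

    # Clients match the host name against the SAN entries when the extension is
    # present, so every published name has to appear there.
    $missing = @($DnsName | Where-Object { $issuedNames -notcontains $_ })
    if ($missing.Count -gt 0) { throw "Missing from SAN: $($missing -join ', ')" }
    if (-not $cert.HasPrivateKey) { throw 'No private key for this certificate in the store.' }

    New-Object psobject -Property @{
        Thumbprint = $cert.Thumbprint      # use this for the HTTPS binding
        Subject    = $cert.Subject
        DnsNames   = $issuedNames
        NotAfter   = $cert.NotAfter
    }
}

# Constructed names for illustration; replace with your own FQDNs.
Request-MultiSanCertificate -CommonName 'owa.domain.local' `
    -DnsName 'owa.domain.local', 'owa01.domain.local'
```

Because the Web Server template accepts the subject and alternative names supplied in the request, keep the Enroll permission on it scoped to the specific computer account that needs it.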



Skype for Business conferencing disclaimer

This isn’t a new feature, but one I was recently asked about so I thought it’s worth mentioning again.

When we’re sending a Skype for Business meeting invite (either as a planned meeting via Outlook or as an ad-hoc meeting), we can configure the server to send a meeting disclaimer to all meetings. Unfortunately this can only be set at a global level and will affect all of your meetings. The disclaimer confirms that the users joining the meeting have agreed to the T&Cs of the meeting: they tick a box to accept them and join the meeting.

The experience is pretty much identical across all platforms:

Skype for Business client:


Lync MX client:


Skype for Business mobile client:


Skype for Business Web App:


Users who dial in to the meeting will not hear the disclaimer.

To set the disclaimer we run a pretty simple command:

Set-CsConferenceDisclaimer -Header "Welcome to" -Body "Meetings are pure fun with Skype for Business"




Skype for Business Server – Assign User policies to AD groups

This is an update to a previous version of this tool written by myself and Guy Bachar.
The updated version can now run (and was tested!) on both Lync server 2010 and 2013, and Skype for Business Server.

Run this tool from Lync Management Shell or Skype for Business Management Shell.

Note you will need to run this tool with Local Admin permissions (You will be prompted for elevation automatically if not) and you must have ADDS RSAT installed so you can use the Active Directory PowerShell Module.
You will be asked to provide an Active Directory Group name. Type the Display Name of the group, the tool will reply with the CN of the group, confirming you chose the right group:

Choose Group

Then choose the type of policy (or dial plan) you want to assign this group, there are 14 options:
1     Voice Policy
2     Client Policy
3     External Access Policy
4     Mobility Policy
5     Archiving Policy
6     Hosted Voicemail Policy
7     Client Version Policy
8     Conferencing Policy
9     Voice Routing Policy
10     Location Policy
11     PIN Policy
12     Presence Policy
13     Persistent Chat Policy
14     Dial Plan

After choosing one of the 14 options, you’ll be asked whether you want to assign the global policy to this group or choose from the existing user policies:

Choose from policies

If you choose 1 (This is always the Global policy), that will be assigned to the group.
If you choose 2, a new sub-menu will open, detailing the policies you can assign:

External Access

You will then be asked to confirm the change and the policy will be assigned to the group.

The tool can be downloaded here.




What did the July 2015 update for Lync 2013 and Skype for Business fix?


  • CPU usage is reduced when emoticon animations are active in multiple conversations in Skype for Business or Lync 2013:
    Occurs when you send or receive emoticon animations. The emoticons keep animating, and that overuses CPU resources.
  • Add the click-to-call feature for RCC-enabled users from the contact card in Skype for Business or Lync 2013:
    If you enabled remote call control (RCC) for an account in Microsoft Lync 2013 or in Microsoft Outlook 2013,  the phone number hyperlink of the contact is not clickable.
  • Active Directory contact’s name is changed to the phone number in the contact list of Skype for Business or Lync 2013:
    Occurs when a contact has no email or SIP address and only has a display name and a phone number in Active Directory.
  • Typed characters take a long time to display in the message input box in Skype for Business or Lync 2013:
    Might occur on a computer that has more than 15 conversations opened in Microsoft Lync 2013.
  • Chinese Contact Group name is displayed in garbled characters in Skype for Business or Lync 2013 (How can you tell?!?!?):
    Occurs on various scenarios involving Exchange Server.
  • An update to the user interface for group contact counts in contact lists in Skype for Business or Lync 2013:
    This update simplifies contact lists view to only display the total number of contacts in a group instead of the online/total number in Microsoft Lync 2013.


Server 2012 or 2012R2 Blue Screen when installing Skype for Business or Lync Servers

Published earlier by Microsoft, a Stop error D1 will occur when you start front-end services on Skype for Business Server 2015-based servers. This will also affect Microsoft Lync Server 2013 Enterprise Edition pools that have at least two front-end servers in Windows Server 2012. This will mostly impact organizations that will perform an in-place upgrade to Skype for Business Server 2015.

This is due to a bug in Windows Server 2012 and Windows Server 2012 R2. The trigger is a TDI filter driver on the machine that may be used by some antivirus and VPN software.

To resolve this issue for Windows Server 2012 you will need to install the hotfix described in KB2957927 on all Lync 2013 Servers that are installed on Windows Server 2012.

To determine if you have such a driver installed on your system, look for event 16001 in your system log.
A faster way of finding out is to run the following command from an elevated PowerShell window:

get-eventlog -logname system  | ?{$_.eventid -eq "16001"}

Source: Microsoft.

Managing Private Numbers in Skype for Business Server 2015

Private numbers are a great thing. They can be used in various scenarios where a person needs a direct private line that’s not published in the contact card and isn’t displayed when you dial out. This is not to be mistaken for Response Groups Agent Anonymity, where agents can call on behalf of themselves or on behalf of the Response Group’s number.

Incoming Private Call notification

What’s the difference?
Well, first, you can only manage Private Lines via PowerShell. Use the Set-CsUser cmdlet with the -PrivateLine parameter to assign a private line to a user. When you run the Get-CsUser cmdlet against that user you’ll get everything… except for the user’s private number. We must explicitly ask for the PrivateLine property, as in Get-CsUser | fl PrivateLine, to get the user’s private number:

PS C:\Windows\system32> get-csuser yoav.barzilay@y0av.local | fl

Identity : CN=Yoav Barzilay,OU=Users,DC=y0av,DC=local
VoicePolicy : Non Restricted
VoiceRoutingPolicy :
ConferencingPolicy : Allowed
PresencePolicy :
DialPlan :
LocationPolicy :
ClientPolicy :
ClientVersionPolicy :
ArchivingPolicy :
ExchangeArchivingPolicy : Uninitialized
PinPolicy :
ExternalAccessPolicy : Skype Directory enabled
MobilityPolicy :
PersistentChatPolicy : Persistent Chat Enabled
UserServicesPolicy : AllowUnifiedContactStore
CallViaWorkPolicy :
ThirdPartyVideoSystemPolicy :
HostedVoiceMail : True
HostedVoicemailPolicy : ExchOnline365UM
HostingProvider : SRV:
RegistrarPool : S4bPool1.y0av.local
Enabled : True
SipAddress : sip:Yoav.Barzilay@y0av.local
LineURI : tel:+35864117539;ext=7539
EnterpriseVoiceEnabled : True
ExUmEnabled : False
HomeServer : CN=Lc Services,CN=Microsoft,CN=2:6,CN=Pools,CN=RTC
DisplayName : Yoav Barzilay
SamAccountName : yoav.barzilay

Now if I run the | fl (or | ft) switch with the right parameters, I’ll get what I’m looking for:

PS C:\Windows\system32> Get-CsUser yoav.barzilay@y0av.local | fl Name, LineURI, PrivateLine

Name        : Yoav Barzilay
LineURI     : tel:+353864117539;ext=7539
PrivateLine : tel:+353857560598;ext=0598

Additionally, Private Numbers have a different behaviour and rules than Primary Lines:

  • You can assign only one private line to a user.
  • You cannot assign an additional voice mailbox to a private line. However, unanswered calls will be diverted to the voice mailbox if one is configured.
  • Unless you decide to push it to the address book, Private Lines are never published on your contact card.
  • Call forwarding, team call, delegation, team ring, Group Call Pickup, and Response Groups don’t work with Private Lines. Call park and call pickup will work normally.
  • When a call arrives to your private line it will display a “Private Number” notification when the call comes in and will have a different ring sound.
  • Are you set to “Do Not Disturb”? Calls to your private line will ignore this setting and will go through anyway.
  • Simultaneous ring, if enabled, is enabled on both the Primary and the Private lines.
  • Private numbers must be between 3 and 15 numbers in length and must be preceded with the “TEL:” prefix.

So how do you set a number for a user?

Quite simply, to be honest: just run the following:

Set-CsUser -Identity "<user's SIP address>" -PrivateLine "tel:<user's Private number>"


Set-CsUser -Identity "yoav.barzilay@y0av.local" -PrivateLine "tel:+353987654321;ext=4321"

To help you identify all the users in your organization that are configured with a private number, I built the following script:
Run it from your PC (Not from the server!), where you have PowerShell 3.0 or higher and Excel 2010 at least.
The script might require you to change your PS execution policy.
To run the script just start it from an elevated PowerShell Window:

Enter Pool DQDN

The script will then ask you for your Skype for Business Admin credentials to connect to the remote PowerShell on the server:


The script will run with Excel in the background and will open the file when it’s ready:



Please note this script only shows users configured with Private Numbers. If you’re looking for a way to display all your existing users and devices, please check this post.

Download the Skype for Business Private Numbers Script here.