Deploying Skype Room System on a Surface Pro 4

1.       Overview

This guide will walk thru creating and installing a custom Skype Room System installation image on a Surface Pro 4. There is an optional section for the creation of a custom theme as well.

2.       Pre-Requisites

a.       Hardware

The official hardware requirements can be found in this article. For my deployment, I have a Surface Pro 4 with a Core i5 processor, 4 gb RAM, and 128gb disk. The article mentions using a bootable USB key that’s at least 32gb. However, I created the install media on a 16gb key without issue. My SP4 plugs into a Logitech SmartDock for additional power and USB ports. I recommend using a USB keyboard and mouse to perform the on-screen setup once the install media is finished installing.

b.       Software

Here is a list of files and their locations that I used to create the install media. Throughout this process, I found this to be the most confusing part with the small bit of documentation I found online:

File Name	Link
MSU for KB4056892	Download
SRS Media Creation Script	Download
SRS Deployment Kit	Download
Surface Pro 4 Drivers*	Download
Win 10 Enterprise Build v1709	None – Purchase a licensed copy

*In my case, I needed the ‘SurfacePro4_Win10_16299_1801701_1.msi’ file, specifically.

Put all of these files into the same directory before running the SRS Media Creation Script from a PowerShell window.

c.       Accounts

Depending on the type of deployment (hybrid, online, on-prem), these guides will walk thru how to create and configure the account needed.

3.       Build Process

a.       Media Creation Script

As I mentioned in step 2B, make sure all the files needed to create the install media are in the same the folder. Plug in a FAT32 file-system formatted USB key into the machine creating the install media. Once the USB key is recognized by the machine, run the ‘CreateSRSMedia.ps1’ script from PowerShell as an administrator.

The script will prompt multiple times for input:

1.       First prompt: What type of customer are you? OEM or Enterprise. I typed, ‘Enterprise’ and hit enter. 

 2.  Second prompt: You are currently building an image with NO pre-installed language packs. Are you ABSOLUTELY SURE this what you intended? Type ‘YES,’ and don’t worry because the build will include its own language packs.

3.       Third prompt: Drive letters to create the install media on will be listed. In my case, the USB key was listed as option ‘0’ drive E:\, so I type ‘0’ and hit enter.

4 .       Fourth prompt: Enter the root path of your Windows Install Media. Mount the Win 10 Enterprise iso by double clicking on it. In my case, double clicking the file created drive ‘F:\’ so I typed in ‘F:\’ for this prompt and hit enter.

After the fourth prompt, the media creation script will run and output its progress in your PowerShell window. It took me roughly 1-1.5 hours for the script to finish, so feel free to get something to eat, get coffee, etc., but make sure the script can still run in your absence.

  

   












   



b .        Installing Media from USB

Shut down the Surface Pro 4 and connect the AC adapter to power. Next, take the install media created on the USB key in step 3a and plug into the Surface Pro 4. Hold the volume down key on the SP4, then hold and release the power button. The SP4 will boot into the boot selection menu. Modify the boot order so it boots off the USB key. Press the volume down key to navigate to the boot order, then select the USB to change the order. Save the boot order before allowing the device to boot off USB.

The SP4 will run thru the install media on its own and power down once it is done. Once it’s powered down, remove the USB key and plug it into a docking station (ex: Logitech SmartDock). When SP4 is powered on, it will walk thru selecting a language and logging into S4B with the account created in step 2c. If any devices are hooked up as part of your SRS (ex: phone, mic, camera) then select each of those devices to use for audio, video, etc.

c.       Installing a Certificate

I had issues with the S4B account signing in because the SP4 needs a certificate installed. When the SRS is installed, two accounts are created on the device. The ‘Skype’ account runs the SRS application that powers the room system functionality. The ‘Administrator’ account is a local admin account that allows a login to the Win 10 machine running on the backend. Login to the Win 10 machine to install the certificate.

On the SRS home screen, select the gear icon in the bottom right hand corner of the screen and select ‘Settings’. Login with the Administrator account password which is ‘sfb’ by default. Once logged in, select ‘Windows Settings’ on the left side of the screen and then click on the ‘Windows Administrator Login’ button on the right side. Select the ‘Administrator’ account on the Win 10 login screen and enter the default password again to sign into Win 10. I accessed the internal CA certsrv site for my organization via a web browser and downloaded the certificate chain to the root and intermediate cert stores.

Sign out of the Win 10 machine Administrator account. The Win 10 login screen will appear, and then select the Skype account to restart the SRS application. The Skype account will auto-login once selected.

4.       Custom Theme (Optional)

My organization wanted the company logo to appear in the background of the main display screen. The screen background is known as a ‘theme’ and can be adjusted from the device. Select the gear image in the bottom right hand corner of the SRS screen and then choose ‘Settings,’ then login with the default admin password (password: sfb) and select ‘Theming’. The ‘custom’ theme will be modified to set the background image as the company logo.

There’s an excellent post from Tobie Fysh on the requirements to create a custom theme. Tobie graciously includes his own XML and image files as an example of what needs to be uploaded.

To hit a few highlights of the article, make sure to do the following:

1. Set the image size to 3840x1080.

2. Upload the XML and image file to C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState.

3. DO NOT change the text in the <ThemeName> tag to something other than ‘Custom’ and make sure to include the full path to file in the <CustomThemeImageURL> tag (ex: C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState\your_image_name.jpg).

4. After uploading the XML and image file, reboot the device so it will pick up the new custom theme.

Guest Post - TechSnips Founder Adam Bertram

The post below is by Adam Bertram. Adam is a Microsoft MVP and fellow Hoosier who I've had the fortune of following for years on his blog and twitter. Be sure to check out Adam's new venture, TechSnips, for all your interactive learning needs!

My name is Adam Bertram and Josh has so graciously allowed me to guest post on his blog about a new service I've started that offers free, how-to content for tech professionals. OK, here's the pitch:

We're geeks, right? We love tinkering with tech and figuring out better ways to solve problems. How cool would it be if lots of us could come together under one platform and share our hard-earned knowledge with everyone else via technical demo screencasts? I'm glad you asked!

I recently launched an e-learning platform called TechSnips. First and foremost, TechSnips is not a Pluralsight, Udemy or LinkedIn Learning. We don't do courses; we do snips. Snips are short (1-10) minute screencasts with absolutely no slides of any kind. Its purpose is to deliver exactly what IT pros, system administrators and other technology professionals need right now. We skip over all of the fluff.

Because of this short format, it's a lot easier to get started contributing if you're new to putting yourself out there in a tech community. You will learn presentation skills through feedback from myself and your peers, you'll be a member of our growing community and get access to our Slack channel, you'll have some great content to put on your resume and you will get paid in monthly royalties! Joining has a ton of upsides but you've got to be willing to put yourself out there.

I'm looking for contributors that can help myself and the dozens of other contributors build the TechSnips content library. As of now, we need to fill a lot of holes so the types of screencasts will most likely be up to you. As long the content fits in the snip format (which you'll get more info in the signup link), the world is your oyster. FYI: We needs lots of PowerShell stuff!

If you're interested, please sign up! You'll be asked to do a quick audition and once approved, you'll be part of the TechSnips Contributor community!

I look forward to seeing what new content you can come up with and how teaching others can help yours and others' IT careers flourish!

Skype for Business Online - Additional Emergency Locations in PowerShell

Assigning a phone number to a user in Skype for Business Online requires you to first assign an Emergency Location. The Emergency Location is used for saftety and liability purposes in case someone were to dial an emergency number (ex: 911 in the USA). The location is sent to the PSAP (Public Safety Access Point, i.e. police, firefighter, ambulance, etc) so they can show up to the correct address and provide help.

Take a look at the picture below from my tenant. Notice under 'Dallas,' my address is listed.  Underneath 'Dallas' is my actual apartment number (all addresses blacked out for privacy). Skype for Business Online allows for a parent/child relationship with Emergency Locations. For example, if there are multiple floors in a building, you could create a parent location of 'Minneapolis Office' with each floor of the building as a child item (Floor 1, Floor 2, etc).

While this flexibility is great, it presents problems when assigning Emergency Locations in bulk for new users. Lets say I want to assign 50 users to an additional location listed under 'Dallas' above. I haven't found a good way to bulk assign locations in the admin panel, so I'm going to use PowerShell instead.

The command 'Get-CsOnlineLisCivicAddress' lists all Emergency Locations with one cavaet - it doesn't list any of the 'additional locations'. Why? I have no clue, and frankly, it's kind of annoying. So how do we get the list of additional locations? Here's a command I've found useful:

Get-CsOnlineLisLocation|Where-Object {$_.location -ne $null}|ft description, location

When I run this command on my tenant, here's what I see for my apartment in Dallas:

So, how do I assign additional users to this location? The 'Set-CsOnlineVoiceUser' cmdlet takes a'locationid' object.I can get the'locationid' from the 'Get-CsOnlineLisLocation' cmdlet in our previous step and set the 'location' object to be the location I found running the 'Get-CsOnlineLisLocation' command above:

Now we can use the 'locationid' within the 'Set-CsOnlineVoiceUser' cmdlet to set the Emergency Location for a user to an additonal location listed underneath an Emergency Location:Set-CsOnlineVoiceUser -identity joshc -telphonenumber +19725551212 -location id 87b77092-4945-9824-38ada04012e7

If anyone has found a better way of dealing with 'additional locations' within PowerShell, feel free to leave a comment below.

Exchange Unified Messaging - Does Anybody Really Know What Time it is? (Your Edge Servers Really Should...)

Greetings and Happy New Year! I hope everyone's 2018 is off to a great start.

I received an interesting problem recently that I wanted to share. Below is an email from a client (I'm paraphrasing):

"Josh,

Exchange Unified Messaging (UM) is no longer working internally. People can call in from the outside, reach UM, and leave messages just fine. However, our own internal users cannot call eachother and leave a voicemial. Calls internally either go to dead air or receive a busy signal. 

Is this something you can help us out with?"

Of course I can help! 😃

The client has a hybrid environment with their S4B severs on premise and Exchange environment in the cloud. Since UM must reside in the same place as the Exchange mailboxes, their UM environment resides in the cloud as well. The customer connects to their O365 tenant via Edge federation (this will be important later 😉).

I decided to take a trace via CLS logger on the FE server of a failed internal VM call and noticed the following error:

SIP 429 Provide Referrer Identity

ms-diagnostics: 1020;reason="Identity of the referrer could not be verified with the ms-identity parameter";ErrorType="Invalid signature";Referrer="user1@contoso.com";HRESULT="0xC3E93EE0(SIP_E_CRYPT_REFERRER_DATE_SKEWED)";cause="Invalid signature";signer="skypefe2.internal.contoso.com";source="sip.contoso.com"
ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=skypeedgepool1.internal.contoso.com;ms-source-verified-user=verified
$$end_record

 I've bolded the part of the error above that helped me fix this issue. I only half understood what the error was trying to tell me - the date on the Edge pool is somehow 'skewed' and incorrect. I hadn't seen this error before, so some further research was needed.

A quick Google search pointed me to this article mentioning the exact same error the client was having. I logged onto one of the two Edge servers in the pool and noticed the same error mentioned in the article linked above:

The clock on the second Edge Server in the pool was six hours behind the current time. The customer had rebooted to install updates approximately two weeks before the error occurred and the clock never re-synced. Judging from the error in the event logs above, my guess as to why UM was not working is that for 'crytographic verification' to occur (i.e. TLS traffic via the Edge Server to O365) the time of the request must match between the two systems.

After adjusting the clock manually on the offending Edge Server, I had the client re-test and everything was working again. Yay!

Before I sign off, I must pay homage to the band Chicago. They were the true 'inspiration' for the title of this post 😉. 

Heck yes that is a keytar