Office 365 Outlook for Desktop constantly prompts for login password after enabling MFA two factor authentication – how to Enable Modern Authentication for Exchange Online

If you have recently enabled MFA (multi-factor authentication, or 2FA) on your Office 365 tenant, your Microsoft Outlook for Office 365 MSO 16.0.11929 (desktop version) users may be prompted over and over for their password, even though you are sure you have the correct password and even an app password. I’m sure you’ve tried to re-configure Outlook, looked at Azure settings, reinstalled Outlook, checked your autodiscover records, made sure you have the correct Office suite version and perhaps have even attempted to change the Windows 10 registry with the following settings:

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeExplicitO365Endpoint"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeLastKnownGoodUrl"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeHttpsRootDomain"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeSrvRecord"=dword:00000001

However, doing these things did not resolve the issue. The only fix that worked for us was to enable modern authentication (OAuth 2.0) for Exchange Online, so that Outlook can complete the MFA sign-in instead of repeatedly failing with basic authentication, by following the instructions here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online

So I thought it would be helpful to have a step-by-step guide on how to enable modern authentication in Exchange Online for Office 365, based on the instructions provided in the link above.

With MFA enabled, connecting to Exchange Online with PowerShell is not as simple as it used to be, but it is still not all that bad. I’ve found the easiest way to connect to Exchange Online with PowerShell is to do the following.

Note: A forewarning here. With certain browsers, when clicking on the Exchange Hybrid “Configure” button and then installing the Hybrid configuration, the Office 365 login screen may flash on the screen as a white box and then disappear before you can authenticate and use your 2FA txt code. I’ve seen this when using Microsoft Edge, Chrome, and even the new version of Microsoft Edge based on Chromium. The only browser I’ve gotten this to consistently work with is the Internet Explorer browser built into Windows 10. Internet Explorer is installed on Windows 10 by default; it’s hidden in the Start menu under Accessories:

If you do attempt to run the Exchange PowerShell Module using Chrome, you may encounter the error:

“Application cannot be started. Contact the application vendor.”

When clicking the Details… button, you may find information similar to the following:

PLATFORM VERSION INFO
	Windows 			: 10.0.18363.0 (Win32NT)
	Common Language Runtime 	: 4.0.30319.42000
	System.Deployment.dll 		: 4.8.3752.0 built by: NET48REL1
	clr.dll 			: 4.8.4121.0 built by: NET48REL1LAST_C
	dfdll.dll 			: 4.8.3752.0 built by: NET48REL1
	dfshim.dll 			: 10.0.18362.1 (WinBuild.160101.0800)

SOURCES
	Deployment url			: file:///C:/Users/Jason/Downloads/Microsoft.Online.CSE.PSModule.Client%20(3).application

IDENTITIES
	Deployment Identity		: Microsoft.Online.CSE.PSModule.Client.application, Version=16.0.3527.0, Culture=neutral, PublicKeyToken=45baf49ae30bdb15, processorArchitecture=msil

APPLICATION SUMMARY
	* Installable application.
	* Trust url parameter is set.
ERROR SUMMARY
	Below is a summary of the errors, details of these errors are listed later in the log.
	* Activation of C:\Users\Jason\Downloads\Microsoft.Online.CSE.PSModule.Client (3).application resulted in exception. Following failure messages were detected:
		+ Deployment and application do not have matching security zones.

COMPONENT STORE TRANSACTION FAILURE SUMMARY
	No transaction error was detected.

WARNINGS
	There were no warnings during this operation.

OPERATION PROGRESS STATUS
	* [4/3/2020 3:32:57 PM] : Activation of C:\Users\Jason\Downloads\Microsoft.Online.CSE.PSModule.Client (3).application has started.
	* [4/3/2020 3:32:57 PM] : Processing of deployment manifest has successfully completed.
	* [4/3/2020 3:32:57 PM] : Installation of the application has started.

ERROR DETAILS
	Following errors were detected during this operation.
	* [4/3/2020 3:32:57 PM] System.Deployment.Application.InvalidDeploymentException (Zone)
		- Deployment and application do not have matching security zones.
		- Source: System.Deployment
		- Stack trace:
			at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
			at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
			at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState& subState, ActivationDescription actDesc)
			at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl, Uri& deploymentUri)
			at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivationWithRetry(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
--- End of stack trace from previous location where exception was thrown ---
			at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
			at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivationWithRetry(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
			at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)

COMPONENT STORE TRANSACTION DETAILS
	No transaction information is available.

At this point, it may be necessary to uninstall the existing module and then re-install and run using Internet Explorer. You may even receive the following error:

"You cannot start application Microsoft Exchange Online Powershell Module from this location because it is already installed from a different location."

To uninstall the module, click the Start Button > type “appwiz.cpl” and press Enter.

Inside of the Programs and Features screen find the application and click Uninstall.

After uninstall, log into your tenant (with an administrator account) at https://www.office.com using Internet Explorer 11, and click the Admin link:

Next, expand the menu on the left by clicking Show All… and then click on Exchange:

Next we want to click on the Hybrid link to get to our Powershell Configure button:

Go ahead and install the component if it asks, and when it completes, you’ll be greeted with a Windows Powershell screen with the following message:

Experience the fast and reliable Exchange PowerShell V2 Cmdlets via new PowerShellGallery module. Go to https://aka.ms/exops-docs

This PowerShell module allows you to connect to Exchange Online service.
To connect, use: Connect-EXOPSSession -UserPrincipalName <your UPN>
This PowerShell module allows you to connect Exchange Online Protection and Security & Compliance Center services also.
To connect, use: Connect-IPPSSession -UserPrincipalName <your UPN>

To get additional information, use: Get-Help Connect-EXOPSSession, or Get-Help Connect-IPPSSession

We now want to initiate our session using the instructions provided. At the prompt, type in the command:

Connect-EXOPSSession -UserPrincipalName [email protected]

You’ll now be prompted to sign into your tenant (Work or School account). You’ll see some status bars go by and then be prompted with a warning about unapproved verbs (for example banish?).

Before making any changes, we want to look at our organization configuration and, more precisely, find the status of our OAuth2ClientProfileEnabled setting by issuing the command:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

Your output should look similar to the following (with the exception being that your result will probably be set to False:)

Finally we can set this to True by using the following command:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

To verify the command was successful, run the previous command again:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

That’s about it! Give the setting about an hour to propagate and then try testing Outlook on the desktop again. You may get a few clients where their profile needs to be recreated. You can do this by going into the control panel > (1) choose Small Icons > (2) Mail Microsoft Outlook 2016.

Then click Show Profiles

Click Add…

Now when setting up the new mail account, you should be prompted with the modern authentication and you’ll be prompted for your txt code or Microsoft Authentication Application.

Working Remotely – Windows 10 virtual desktops and RDP tips for laptops and multiple monitors

If you’re working remote with just a laptop, or a laptop and a small 2nd monitor, the desktop gets pretty cramped for a sysadmin. One way to mitigate the pain is to use your OS’s virtual desktops functionality.

Here are links to guides for Windows, Ubuntu, and MacOS on how to get started with virtual desktops on your OS. Using Windows as the example, you just press Win-Tab and click the plus sign at the top for New Desktop.

Then drag existing windows on to it, and now they’re on a separate screen. To quickly move between virtual desktops, you can use the CTRL-WIN-left/right arrows.

Once you get in a habit of using them, it’s great for keeping multiple small applications visible on a whole desktop, or multiple full screen apps on their own window that you don’t have to constantly minimize/maximize. You can use Win-Tab (or the Task View button next to the Cortana button on your taskbar) to mass organize things or rearrange, and your Taskbar will reflect what items are open on that particular Desktop.

Alerts and notifications will still appear, even if you’re on a different virtual desktop, and interacting with the notification will teleport you to the relevant desktop.

One gripe with Windows virtual desktops is that there’s no easy way to move between desktops without taking your hand off the mouse. If your mouse has side buttons, you can use them to switch desktops. If your mouse software doesn’t support the Windows key combos, check out X-Button Mouse Control: set the buttons to generic and tell X-BMC to map them to the virtual desktop switches.

To display an application on all virtual desktops, press Win+Tab, then right-click the Chrome window you want and choose Show window on all desktops.

One thing to note is if you have an AWS Workspace desktop open inside of a virtual desktop, it’s best to have the workspaces desktop in the far-left/primary desktop.

When working remotely over RDP with multiple monitors on both your machine and the machine you remote into, open the Remote Desktop client, click the Show Options button, and under the Display tab select ‘Use all my monitors for the remote session’.

Solved – Cannot uncheck “Only trust email from addresses in my safe senders and domains list and safe mailing lists” Outlook.office.com office365 Junk email

A user complained that valid, good email was being sent to the Junk Email folder in Outlook on the web. To get to the setting, click on the Gear icon > View all Outlook settings > Junk email. Attempts to uncheck “Only trust email from addresses in my safe senders and domains list and safe mailing lists.” were unsuccessful, and we could not save the setting.

To uncheck the box permanently:

  1. Open PowerShell ISE
  2. Paste in and run the following function, Connect-O365:
function Connect-O365{
	# Prompt for the admin credentials (replace the address with your admin UPN)
	$o365cred = Get-Credential [email protected]
	# Legacy remote PowerShell session to Exchange Online using Basic authentication.
	# Microsoft has since retired Basic authentication for Exchange Online; the
	# ExchangeOnlineManagement module's Connect-ExchangeOnline is the current replacement.
	$session365 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $o365cred -Authentication Basic -AllowRedirection
	# Import the remote Exchange cmdlets into the current session
	Import-Module (Import-PSSession $session365 -AllowClobber) -Global
}

  3. Run the command

Connect-O365

  4. Log into Office 365 with an administrator account

Run the command Get-MailboxJunkEmailConfiguration emailaddress, replacing emailaddress with the user’s mailbox email address. The other parameters are covered in the Microsoft documentation here: https://docs.microsoft.com/en-us/powershell/module/exchange/antispam-antimalware/set-mailboxjunkemailconfiguration?view=exchange-ps

Get-MailboxJunkEmailConfiguration [email protected]

Results should be similar to below:

Run the following command to set TrustedListsOnly to False:

Set-MailboxJunkEmailConfiguration "[email protected]" -TrustedListsOnly $false

The checkbox should now be unchecked. Check to see if junk mail now works as intended.

How to Set Clock Time and Date on Ubuntu Server when NTP Synchronized is set to No

If our Ubuntu server has an incorrect time, the offset clock may prevent users from logging in or, for example, prevent databases from synchronizing. If OpenVPN is in use with 2FA and Google Authenticator, user logins depend on the server’s time being correct, because the one-time codes are derived from the current time. We want to ensure our end users can log into the server or OpenVPN successfully. Let’s start by viewing the clock on our server, and then synchronize the clock with an internet-based time service.

First issue the command:

date

If we compare this time with an accurate clock, such as a cell phone, we may see this time is not accurate. The date display in the above screenshot shows the Day, Date, Hours, Minutes, Seconds, TimeZone and Year.

Let’s check to see if our clock is set to be synchronized. Do this by issuing the command:

timedatectl status

Here we see that our “NTP synchronized: no” status indicates our Network Time Protocol synchronization is turned off. 

In order to get our clock synchronized and change it to NTP synchronized: yes, we need to do the following.

  1. Stop the ntp service
  2. Sync the time using ntpd with the -g and -q switches (-g allows the initial offset to be corrected even when it exceeds ntpd’s normal 1000-second panic threshold, and -q sets the clock once and exits)
  3. Start the ntp service

We can do this by issuing the commands: 

sudo service ntp stop
sudo ntpd -gq

This will produce something like the following output:

In this output we can see that our time was offset and adjusted by -49.77 seconds.

Next let’s start the ntp service again with the command:

sudo service ntp start

Lastly we can confirm that our time is set correctly and that NTP synchronized: is now set to yes with the command:

timedatectl

That should do it! Try issuing the command date again and compare it to an accurate clock. Check to see that your OpenVPN users can log in. If they continue to have issues, check out the article on Troubleshooting OpenVPN
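As an added example (not from the original article), the following POSIX shell script wraps the check, stop, sync, start and verify steps above in functions, parses the timedatectl and ntpd output the article shows, and works out how many 30-second Google Authenticator code steps a given offset spans (the article’s -49.77 second offset is nearly two steps, which is why the TOTP logins fail). The sample timedatectl output and the “ntpd: time set …s” line are constructed here, and the 30-second step is the TOTP default.

```shell
#!/bin/sh
# Added example: automates the article's manual procedure and explains the TOTP impact.

# Constructed sample of `timedatectl status` output (not captured from a real host).
SAMPLE_STATUS='      Local time: Tue 2020-04-07 10:15:30 PDT
  Universal time: Tue 2020-04-07 17:15:30 UTC
        RTC time: Tue 2020-04-07 17:15:30
       Time zone: America/Los_Angeles (PDT, -0700)
 Network time on: yes
NTP synchronized: no
 RTC in local TZ: no'

# Print yes/no/unknown from timedatectl output passed as $1.
# Older systemd prints "NTP synchronized:", newer releases print "System clock synchronized:".
ntp_sync_state() {
  printf '%s\n' "$1" | awk -F': *' '
    /NTP synchronized|System clock synchronized/ { print tolower($2); found = 1; exit }
    END { if (!found) print "unknown" }'
}

# Extract the signed offset in seconds from the line ntpd -gq prints when it steps
# or slews the clock (constructed form: "ntpd: time set -49.770000s").
clock_offset_seconds() {
  printf '%s\n' "$1" | awk '/time (set|slew) / {
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[-+]?[0-9.]+s$/) { sub(/s$/, "", $i); print $i; exit }
  }'
}

# Number of 30-second TOTP steps an offset spans, rounded up. Google Authenticator codes
# change every 30 s, so once the offset exceeds the verifier's small tolerance window every
# code the user types is rejected even though the shared secret is correct.
totp_steps_off() {
  awk -v off="$1" 'BEGIN {
    a = (off < 0) ? -off : off
    n = int(a / 30)
    if (n * 30 < a) n++
    print n
  }'
}

# The fix from the article, run only when the clock is not already synchronized:
# stop ntp, one-shot set with ntpd -gq, start ntp again, then show the status.
resync_clock_if_needed() {
  state=$(ntp_sync_state "$(timedatectl status)")
  if [ "$state" = "yes" ]; then
    echo "clock already NTP synchronized"
    return 0
  fi
  sudo service ntp stop
  out=$(sudo ntpd -gq 2>&1)
  echo "$out"
  off=$(clock_offset_seconds "$out")
  if [ -n "$off" ]; then
    echo "offset was ${off}s (about $(totp_steps_off "$off") TOTP step(s))"
  fi
  sudo service ntp start
  timedatectl status
}

# Run the real procedure only when invoked as "./ntp-fix.sh run"; otherwise demonstrate parsing.
if [ "${1:-}" = "run" ]; then
  resync_clock_if_needed
else
  echo "sync state (sample): $(ntp_sync_state "$SAMPLE_STATUS")"
  echo "offset (sample):     $(clock_offset_seconds 'ntpd: time set -49.770000s')s"
  echo "TOTP steps (sample): $(totp_steps_off -49.77)"
fi
```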

How to Install Visio 2016 Standard with Office 365 ProPlus Click to run using the Office Customization Tool

When trying to install Microsoft Visio or Publisher with a Volume License MAK license key alongside Office 365 Pro Plus, the Visio .iso installer may give the error: “this version of O365 does not get along with the Installer, or you cannot install 32bit with 64bit”. You may even have tried uninstalling the 32 bit version of Office and installing the 64 bit version, only to receive the same exact message. You may find installing 64 bit Visio Volume License with 64 bit Office 2016 Pro Plus doesn’t work, nor does 32 bit with 32 bit, nor 64 bit with 32 bit. It can be frustrating.

The problem is that Microsoft has moved away from mixing the Volume License .iso installations (downloaded from the Volume Licensing website here: https://www.microsoft.com/Licensing/servicecenter/default.aspx ) on the same computer with the “Click to Run” versions of Office you typically download from within Office 365 online. Instead, to get around the issue, you need to use the Office Deployment Tool. This will allow you to build a package you’ll run from the command prompt to install, for example, Visio or Publisher on the same computer as Office 365 Pro Plus Click to Run. The configuration and setup is not all too difficult, and we’ve documented the installation instructions below.

*NOTE: While I’ve found Visio .ISO/MAK can be happy with CTR, and although I have gotten it to work in a few instances, I wholeheartedly recommend biting the bullet and using O365 Visio monthly licensing alongside the O365 Click-to-Run suite. It’s orders of magnitude easier to deploy Visio with O365 than to mix CTR with ISOs/MAKs! It will save you worlds of frustration when someone moves to a new PC, or MAK licensing changes. Instead, go to Office365 licensing, purchase a Visio license, and assign it to a user. Any money saved by mixing MAK licensing with click to run is, in my opinion, not worth the headache. That being said, a lot of the instructions below are relevant to a sysadmin’s job, and you should be familiar with how the deployment tools and Office ‘configurator’ work, so read on.

The first thing we need to do is download the Office deployment tool from the following site:

https://www.microsoft.com/en-us/download/details.aspx?id=49117


Run the .exe you downloaded, accept the license terms, and extract the tool to a new folder you create named c:\admin\ODT


Click OK

The Microsoft Office 2016 Click-to-Run Administrator Tool confirms: “Files extracted successfully”.

Next, let’s switch gears and configure and run the online XML generator tool to build the XML file which we’ll need to configure the tool we just downloaded and extracted above.

The online XML generator can be found here: https://config.office.com

At this website you can log into your office account (Recommended), or alternatively choose to continue without signing in:


In our example we’ll create the file by logging in first by clicking “Sign in.”

Once logged in, click on Customization > Device Configuration > +Create.

Home / Device Configuration: the Office Customization list (with + Create, Copy, Remove, Get Link, Download and Upload buttons) showing one existing configuration, created 07/05/2019.

You’ll notice in the screenshot above we’ve already created a customization file which installs the 64 bit version of Office Click to Run along with Visio 2016 Standard Volume License. We can download this configuration file again at a later date if we lose our .xml file.

In this example, we’ll create a customized file that pairs and combines installations of 32bit Office 365 Pro Plus with Visio Standard 2016 Volume License. 

Click on the + Create button.

We first give the configuration a title, something like:

32-Office365CTR_and_Visio2016-32-VL_Key

Our configuration will be setup something similar to the following:

Products and releases: Architecture: 32-bit. Products: Office 365 ProPlus, Visio Standard 2016 - Volume License (no Project or additional products). Update channel: Semi-Annual Channel. Version: Latest.

Take note that Office365 has different versions, and you can click the “Learn More” link to decide which version to install or accept the default “Latest”. You might want to install the version that all of your other deployed Office365 installations are using; if you choose “Latest” you’ll most likely get a newer version of Office365 installed than everyone else. As a reference, I’ve copied one of the version tables below:

The following table lists the supported version, and the most current build number, for each update channel.

Channel                 Version  Build        Release date   Version supported until
Monthly                 1907     11901.20176  July 29, 2019  Version 1908 is released
Semi-Annual             1902     11328.20368  July 9, 2019   September 8, 2020
Semi-Annual (Targeted)  1902     11328.20368  July 9, 2019   September 10, 2019
Semi-Annual             1808     10730.20360  July 9, 2019   March 10, 2020
Semi-Annual             1803     9126.2428    July 9, 2019   September 10, 2019

Also take a look at the primary language, and any other Office Suite apps you don’t want installed. It’s worth it to click through each heading to see what’s inside. 

Next, we need to provide our Visio Standard 2016 volume license key. Do this by first logging into the Microsoft Volume Licensing Center here: https://www.microsoft.com/Licensing/servicecenter/default.aspx , find your product, your version, expand the license keys, and copy the license key into the Office Customization Tool under the heading Licensing and Activation > Product Key > Multiple Activation Key:

Licensing and activation > Product key: Multiple Activation Key (MAK) is selected (“Type a valid 25 character volume license key with no spaces”) for Visio Standard 2016 - Volume License, with the key entered (shown as the placeholder 12345-12345-12345-12345-12345 in the example).

Finish by clicking Done in the upper right-hand corner. 

Next, place a check next to the configuration file we’ve just created and click Download:

Office Customization list showing both configurations: the 64 bit one created 07/05/2019 and 32-Office365CTR_and_Visio2016-32-VL created 07/29/2019.

Once you’ve downloaded the .xml file, copy it into the c:\admin\ODT folder.

Open the command prompt on the computer onto which we’ll be installing Office 365 and Visio. 

Change directory to c:\admin\ODT with the command:

cd c:\admin\ODT

Run the setup.exe tool from the command prompt, first with the /download switch, followed by the name of your .xml configuration file (use Tab to auto-complete the long file name). For example, the command would look like:

setup.exe /download configurationFileName.xml

The download will be “silent” – it will take about 10 minutes to download the installer to the c:\admin\ODT\Office folder.

Once the download completes, the cmd prompt will be waiting for input again. Next run setup.exe again, this time with the /configure switch (again referencing your .xml file). The /configure switch will process and install your applications, as demonstrated in the following screenshot. For example, the command would look like the following:

setup.exe /configure ConfigurationFileName.xml
The installer window shows “Installing Office – We’ll be done in just a moment”.

When it finishes both the click to run Office365 will be installed as well as the Visio Volume License MAK version.

Visio’s Account page (Product Information) shows “Product Activated – Microsoft Visio Standard 2016”.

We’re done! Now if we need to do another install on a different computer of our Office365+Visio, we can copy the deployment tool and the .xml file to the computer and run the command prompt installer again. 


Site Maintenance – security and reliability

Thanks for all your support. Some of you may have noticed a little downtime. I invested a little professional expertise in the site and you should now see better performance and more site reliability and uptime. Special thanks to Gregory Morozov at upwork.com who quickly identified and resolved the following issues:

  • Block xmlrpc.php
  • Added the site to CloudFlare DNS (free tier)
  • Convert PHP to php-fpm – for many reasons, but one is control over max php processes (I’ll use: service php7.2-fpm restart – if I need to restart php.)
  • Relaxed Wordfence triggers so users don’t get denied access
  • Dropped memory usage from 700+MB to 400MB
  • Fixed invalid Repos, other updates and maintenance.
  • We’ll monitor the site usage into the beginning of next week to see if we need to add more memory to the instance.

Solved – Cannot find Sophos Device in Cloud Management Console Sophos Central

Say you have a Windows 7 or Windows 10 PC that has Sophos installed on it, but you cannot find the device in the management console in order to disable tamper protection. You want to uninstall Sophos because it is out of date or cannot communicate with the Sophos cloud. However, when you search for the device name in the console, it isn’t listed with the current computer name. The device was probably renamed several times. So how do you remove or uninstall Sophos without disabling tamper protection? My best advice is don’t try to uninstall the client without first disabling tamper protection.

In many instances, the Sophos client is out of date and cannot communicate with “Management Communication”. In the bottom-right corner of the Sophos client, you can click on “About”.

Here we can find the “Run Diagnostic Tool”. After running the tool you may find some errors such as the following: Last Communication – Failed with error ‘504 Gateway Time-out’ at 08:40:48 Jun 28, 2019 (UTC-07:00)

Reading the knowledge base articles about this and attempting to restart MCS Client services etc didn’t work for me. Instead, we need to find the identifier for the device so that we can get to the device page and obtain the Tamper Protection Password. To do this, on the computer with the bad installation of Sophos, open the File Explorer and go to:

C:\programdata\sophos\management communication system\endpoint\persist\

Inside this directory we will want to open the file named EndpointIdentity.txt

Copy the string of letters and numbers into your clipboard.

Next, log into your Sophos Cloud Console at https://cloud.sophos.com/manage/login then go to Overview > Devices. Click on any existing device and you’ll be directed to the page for that identity. At the top of the page, replace the identity string in the URL of the sample device with the one you copied from the EndpointIdentity.txt file, then press Enter.

You should now be directed to the page with the correct device identity and password to disable Tamper Protection.


18 Things I’ve learned Trading Options on Robinhood and TD Ameritrade in the past 12 Months

So for the past 12 months or so I’ve tried my hand at trading options on Robinhood and TD Ameritrade, and I want to pass on what I’ve learned so perhaps someone new to options can get a head start. *Disclaimer: I’m in no way endorsing or advocating trading options. What you do with your money and your trades has no association with the information presented here. By reading this information you’re agreeing that you hold harmless and no liability to myself, my employer or this website. If that scares you, please click here. In all my trades, I’ve only made a little bit of money with a total amount of trade money equaling under $1000. *update 1/30/21* I’ve now made more than a little money 🙂 Starting in April of last year I funded $2500 into my TD Ameritrade account. Using the principles I have below, AND A LOT OF LUCK, my account has grown to around $17k. This was done with a combination of stocks and options purchases. This may not happen to you, and I’m not saying it will; this post is merely for advice and informational purposes. As you can see, I didn’t become a millionaire in a month. If that’s what you want, head on over to wallstreetbets with your 50k to blow. But I did earn enough for a pretty nice used car or family vacation…

Before you get started, it’s important to know that trading options is essentially gambling; it’s almost pure speculation on whether or not the market or stock will go up or down and your bets will pan out. I say almost because there are traders out there who make a consistent living doing options trading. This article is not for those who already know the ins and outs of options trading or are looking for information about advanced options trading strategies (spreads etc). But back to gambling… if you have a tendency to let emotions get control of you when you win or lose, or if you’ll hurt yourself or your family because one of your trades goes the wrong way, then stay out of options trading. I won’t go into all the other investment vehicles you can use to safeguard your money for retirement, and at a bare minimum, don’t even think of trading options if you don’t first have an emergency fund of several thousand dollars.

I work for a brokerage, and I’m in no way endorsing trading of options as a retirement vehicle. If you trade options, you may lose everything you have in your bank in one week if you’re not careful. Trading options can be stressful and painful when things don’t go your way. You really do have to watch your puts and calls pretty much every minute of the day while your trades are active. But on the flip side, if you are frugal and learn as much as you can, trading options can be a nice way to generate money quickly without too much physical work. Options trading really is just for “play” money; I advocate putting 99% of your money into a Roth IRA or 401K.

Now onto the eighteen things I’ve learned trading options. I, myself, read my list EVERY TIME I’M ABOUT TO PUT IN AN OPTIONS ORDER. I’ve probably canceled a dozen trades after I’ve read my own list just because I’ve let emotions get hold of me and this list brings me back to reality. This list isn’t necessarily in order of importance.

  1. Limit your losses (always) – Decide how much your bottom limit is and stick to it. If I ever let another option expire worthlessly, I’m worthless. It’s my money. Always keep enough in the brokerage account to at least place a couple more orders. When you have to add money to your brokerage account from savings to keep trading, you’re losing.
  2. Don’t buy options for smaller companies, stocks, or obscure ETFs based on hunches or charts. Smaller stocks sometimes don’t have the volumes and there will be no one around to buy your Out-of-the-Money option if the market is heading the wrong direction. They often have fewer price points and options in the option chains.
  3. If you win (your option hits its price target), you’ll probably be up a good amount, so sell when the trend is favorable. You’ll never know what will happen in the next few hours or days. DISCIPLINE! Some news might hit, the president will tweet about China, or a scandal could erupt, and everything goes down, or vice-versa.
  4. You’ll never time the sale of an In-the-money option exactly at the peak price of the day so it’s ok to sell after it’s coming down from the intra-day high. Better to make some money on the drop from the high than to wait for it to get back to the peak.
  5. It’s ok to sell for a $5, $10, or $20 profit if you’re In The Money and not feeling it and the trend changes or news hits.
  6. The whole reason you’re doing this is to make money whether or not the market is Rising or Falling. Don’t get emotional about what you want to happen to the market or company. Only go by the numbers and make money off of the trend, whether it’s a Call or a Put.
  7. Don’t let an option ride overnight especially if your option is expiring soon. After-market trading is a good way to lose a lot of money real quick once the market opens. You need your sleep and you don’t like to wake up early. This is not set in stone because you could be betting on a piece of big after-hours news or earnings. Also, if you have more money, you can purchase more expensive options that expire in a few months, which is absolutely better than buying a weekly that expires in a few days. This takes the ease off of after-hours fluctuations.
  8. Sometimes a stock is so beaten up that more bad news just clears the way for a rally, because there isn’t any reason to punish the stock further.
  9. The same goes for good news: a stock can be so bid up that more good news essentially creates a ceiling. There is no reason for it to go up more because it is already priced for perfection, so it goes down.
  10. In a bad market, bulls want red openings and bears want green openings. In a bad market, bulls will buy low, right? And in a bad market bears will fade a gap (short).
  11. Keep a good positive mindset and just keep hitting singles for $20, $30, $50, whatever, and keep the loser mentality away.
  12. It sucks that you can only do 4 same-day trades in 5 days (with Robinhood), but don’t let that fact make you ride an option longer than its value. Theta will steal your money anyway, so stick to day trades with options. If you have a long-term bet then buy the actual stock, or buy an expensive option that expires in a few months or a year.
  13. Implied Volatility (IV) – when looking to buy an option, look at the Implied Volatility. If it is something high like 91%, then you can probably expect to see the value of your options (most likely) swing/drop 91% during the term of your option. Options are not the best vehicle during earnings. It’s best to sell and take any profit you can before earnings come out. I YOLO bought $375 worth of SBUX options on a Thursday with IV of 91% which expired the next day (Friday). The option made almost no money on Thursday, then favorable earnings came out that Thursday night. The stock jumped up a little in after-hours trading, then went back down again. The next morning it dropped like a rock, 91%. I got out that morning and lost $300. Then later that day, not even 2 hours later, the stock went back up to its previous close. See the chart below. I could have just held on through the IV and not lost as much, but it takes real guts to hold in that situation, which you don’t want to go through, believe me. Again, holding options through earnings is very risky unless it’s something like MSFT, which beat its projected earnings by a lot while IV was low. Place your bet either prior to or after the earnings and then watch the market reaction. Because this option was expiring the same day, theta was going to quickly eat into its value even if I had held during the rise after the sharp drop. I’m not entirely sure about IV, so comment below if you know more about this.
  14. No “options guru tweet” nor r/wallstreetbets post will give you a winning trade every time. Trust your own instincts, gather as much information and news as you can, and find out what works for you, not someone else.
  15. In general it’s better to buy “natural” monthly options with non-weekly strike dates. For some reason, the weeklies don’t tend to do as well.
  16. In general, it’s better to buy an option with an expiration a few months out. Yes, the option you’re buying on a Tuesday has better “YOLO” returns if it expires on Friday, but just the same, you have a bigger chance of losing everything very quickly. At least with an option a few months out, you can hold through a few dips without too much consequence, and then if a big pop occurs you can capitalize on it. Again, discipline. If you get a pop on an option, even if it expires in, say, 2 months, cash out and bank the money. I’ve never regretted taking a big earnings pop and banking it. More often than not, over the next couple of days/weeks the stock returns to its previous trend. The point is, you don’t know what the stock will do. Take your gains and get out. Then sit with your cash in your account, smile, take a breath, do your research again, and wait for the next opportunity.
  17. TD Ameritrade is my broker of choice now, and although I’ve got a little money in Robinhood, its practices lately are forcing me to close my Robinhood account. FYI, you don’t have to sell your securities in Robinhood in order to put them in a different brokerage; you can transfer them. There is a $75 fee associated with the transfer, so it may make more sense to sell your securities and just pull the money out, or the transfer may make more sense if there are tax ramifications.
  18. Aside from Options, now that I have more cash in my account, I’ve done pretty well with “lots” of stocks. By “lots” I mean purchasing lower priced stocks in quantities of 100 shares. That way if the price goes up 1 point, I know I’ve made $100 on that stock that day. Just because they are shares, doesn’t mean I have to hold on to them for a longer period of time. There are better tax advantages when you hold on to a stock for at least one year, but I use the same principles above and sell and bank stock gains the same as I do options.

That’s it for now! I hope some of the information was valuable, and I wish you an exciting and profitable foray into the world of trading options.

Hacked Office 365 Outlook Account cannot send or receive email

Recently a client complained that an Office 365 account had sent out spam messages to a number of clients. Later, the suspect account that had been sending spam could no longer send or receive email. However, at first glance at the mailbox, sent messages were sitting in the Sent Items folder, and messages sent to the account in question were not generating bounce-back failures, yet those messages never appeared in the Inbox. After we changed the account’s password and enabled 2FA on it, we still could not send and receive mail. Below are the steps used to resolve this particular issue. In short, a malicious inbox rule had been created and outbound messages had been blocked by Microsoft.

  1. Log into the tenant’s Admin console with an Administrative account, and change the password of the affected account.
  2. Log into the affected account as the user using the new password.
  3. Click on the Gear icon and then under Your app settings, click Mail.

  4. Once in the Mail app settings, go to Mail > Automatic Processing > Inbox and Sweep rules.

Here we can see that a malicious rule had been created to mark all inbound mail as Read and move it to the “RSS Subscriptions” folder:

  5. Uncheck and turn off any malicious or invalid rules.

Also check for any new forwarding rules in Mail > Accounts > Forwarding:

  6. When we look in the “RSS Subscriptions” folder we find messages from Microsoft indicating the account has been blocked from sending mail because it was flagged as sending spam:

Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it's no longer allowed to send messages outside of your organization. Contact your email admin for assistance.

Remote Server returned '550 5.1.8 Access denied, bad outbound sender. For more information please go to http://go.microsoft.com/fwlink/?LinkId=875724. S(9333) [DM5PR10MB1914.namprd10.prod.outlook.com]'

  7. To resolve this issue, we’ll need to go into the Action Center: log into the Admin console > Admin Centers > Exchange > Protection > Action Center.

  8. In the Action Center we’ll find an issue flagged regarding our hacked user account. Take action on the issue; because of permission propagation, it may take up to 2 hours for the account to be re-enabled for sending mail again.

  9. It might be a good idea to contact Microsoft Support if you continue to experience problems with a user account sending spam. Changing the password should prevent further malicious access. Most likely the account had been phished, or the user’s computer was compromised by a virus, malware or spyware. It’s recommended that the account have two-factor or multi-factor authentication enabled to prevent it from being hacked again.
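As an added example (not part of the original post and not Microsoft’s code), here is a Python triage script for the three indicators in this incident: an inbox rule that marks mail as read and moves it to a folder like “RSS Subscriptions”, forwarding to an outside domain, and the 550 5.1.8 NDR. The record shapes mirror what Get-InboxRule and Get-Mailbox return (an assumption), and the sample rules and the example.com/example.net domains are constructed.

```python
"""Triage an Exchange Online mailbox for the compromise indicators described above."""
import re

# Folders an attacker typically hides inbound mail in (heuristic; this case used "RSS Subscriptions").
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items",
                  "archive", "conversation history", "notes"}
# NDR text Exchange Online returns when a sender is blocked for spam (quoted in step 6).
BLOCKED_SENDER_RE = re.compile(r"550 5\.1\.8 Access denied, bad outbound sender")
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")  # works for "user@domain" and '"Name" [SMTP:user@domain]'

# Constructed sample data shaped like Get-InboxRule / Get-Mailbox output (assumption); example.com is the org.
ORG_DOMAINS = {"example.com"}
SAMPLE_RULES = [
    {"Name": "Rule 1", "Enabled": True, "MarkAsRead": True, "DeleteMessage": False,
     "MoveToFolder": "jdoe:\\RSS Subscriptions", "ForwardTo": None, "RedirectTo": None},
    {"Name": "Newsletters", "Enabled": True, "MarkAsRead": False, "DeleteMessage": False,
     "MoveToFolder": "jdoe:\\Newsletters", "ForwardTo": None, "RedirectTo": None},
    {"Name": "Invoices", "Enabled": True, "MarkAsRead": False, "DeleteMessage": True,
     "MoveToFolder": None, "ForwardTo": ["someone@example.net"], "RedirectTo": None},
]
SAMPLE_MAILBOX = {"ForwardingSmtpAddress": "smtp:someone@example.net"}
SAMPLE_NDR = ("Remote Server returned '550 5.1.8 Access denied, bad outbound sender. "
              "For more information please go to http://go.microsoft.com/fwlink/?LinkId=875724.'")

def external_addresses(addresses, org_domains):
    """Return the addresses whose domain lies outside the organisation."""
    out = []
    for addr in addresses or []:
        m = DOMAIN_RE.search(addr)
        if m and m.group(1).lower() not in org_domains:
            out.append(addr)
    return out

def audit_rules(rules, org_domains):
    """Flag enabled rules that hide inbound mail or send it outside the organisation."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        # Get-InboxRule reports MoveToFolder as "alias:\Folder"; compare only the folder name.
        folder = (rule.get("MoveToFolder") or "").split("\\")[-1].strip().lower()
        if rule.get("DeleteMessage") or (folder in HIDING_FOLDERS and rule.get("MarkAsRead")):
            findings.append(("hides-mail", rule["Name"]))
        external = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            external += external_addresses(rule.get(key), org_domains)
        if external:
            findings.append(("external-forward", rule["Name"], ",".join(external)))
    return findings

def audit_mailbox(mailbox, org_domains):
    """Flag mailbox-level forwarding (Mail > Accounts > Forwarding) to an outside domain."""
    fwd = mailbox.get("ForwardingSmtpAddress") or ""
    return [("mailbox-forward", fwd)] if external_addresses([fwd], org_domains) else []

def outbound_blocked(ndr_text):
    """True when an NDR shows the sender was blocked for spam: clear it in the Action Center (step 7)."""
    return bool(BLOCKED_SENDER_RE.search(ndr_text))
```

Run it against a real export by feeding the dictionaries produced from Get-InboxRule and Get-Mailbox (for example via ConvertTo-Json) in place of the sample data.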

tag: outlook cannot send or receive email but sent mail is in sent items folder

OpenVPN Cannot Authenticate – Google Authenticator Code Incorrect – Android / Windows 10

When trying to set up and authenticate to an AWS instance running OpenVPN, a user could not complete a new connection to OpenVPN after entering the initial username/password. They received the error: Permission denied. This was after successfully setting up the OpenVPN client on Windows 10 and scanning the authenticator code with the Google Authenticator app on a Samsung S8 Active Android mobile phone running Android 8.0.0 ‘lollipop’. Ultimately the reason the user could not authenticate was that their mobile phone’s time was off by about 3 minutes. Continue below for additional information on how to troubleshoot this and other authentication issues with OpenVPN.

When troubleshooting OpenVPN login errors it’s a good idea to first try some of the following:

Unlock a Disabled or Locked account on OpenVPN Admin console

To check for the events related to a user lockout, first log into the Admin web console > Status > Log Reports. Here you will find the errors related to failed authentication and, eventually, an account lockout.

The errors you may find could be the following:

Google Authenticator Code is incorrect.
LOCKOUT: user temporarily locked out due to multiple authentication failures.

To unlock a user account (if using local authentication), log in to the Admin Web Console, go to “General” under Authentication and change Authentication to “PAM”, then Save Settings > Update Running Server; then switch it back to “Local” and Save Settings > Update Running Server.

This procedure should unlock disabled or locked user accounts on OpenVPN.

Reset A User Account on OpenVPN

To reset a user’s OpenVPN account:

Log in to the admin web console, click on User Permissions.

Find the username, place a checkmark in the Delete column, then Apply > Save. Next, re-create the account:

Scroll to the bottom of the list and type the new user name, e.g. jcoltrin, then Save > Update Server.

Go back, find the username again in the list and click Show:

Enter the Local Password (e.g. S3cr3tP@ssw0rd!), then Save > Update Server.

Check OpenVPN for Valid Concurrent License

In the admin web console, under the Configuration menu, click License. Check to ensure that your concurrent users have not reached or exceeded the limits of your licenses (under At a glance), and that your licenses have not expired.

Use SSH to check the logs of the OpenVPN server and get the specific errors for an individual’s login problems.

After logging into the server using PuTTY/SSH, change to the scripts directory:

cd /usr/local/openvpn_as/scripts/

and then run authcli with the user’s name and password, i.e. ./authcli --user <username> --pass <password>, for example:

./authcli --user jcoltrin --pass S3cr3tP@ssw0rd

This will produce something similar to the following information:

Result:
API METHOD: authenticate
AUTH_RETURN
  status : COM_FAULT
  reason : An error occurred while connecting: 13: Permission denied. (twisted.internet.error.ConnectError)
  user : jcoltrin

Additionally, you can find more messages related to authentication failures in /var/log. You’ll find these messages in the latest log files:

openvpnas.log

openvpnas.log.1

Use your favorite editor (vi) to search through the logs:

vi openvpnas.log

Type / followed by the username to search for that term, and hit “n” to go to the next instance of your term, for example:

/jcoltrin > n > n

and then :q to quit.

Here are some typical log entries from my authentication failures:

2019-02-26 14:03:26-0800 [-] WEB OUT: "2019-02-26 14:03:26-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'reason': 'local auth failed: password verification failed: auth/authlocal:42,web/http:1609,web/http:750,web/server:126,web/server:133,xml/authrpc:110,xml/authrpc:164,internet/defer:102,xml/authsess:50,sagent/saccess:86,xml/authrpc:244,xml/authsess:50,xml/authsess:103,auth/authdelegate:308,util/delegate:26,auth/authdelegate:237,util/defer:224,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:245,internet/defer:102,auth/authdelegate:61,auth/authdelegate:240,util/delegate:26,auth/authlocal:42,util/error:61,util/error:44', 'user': 'jcoltrin'}"
2019-02-26 14:19:40-0800 [-] WEB OUT: "2019-02-26 14:19:40-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'no_lockout': True, 'reason': 'challenge', 'user': 'jcoltrin', 'proplist': {'pvt_google_auth_secret_locked': 'true', 'prop_cli.script.win.user.connect': '[redacted]', 'pvt_google_auth_secret': '[redacted]', 'prop_autogenerate': 'true', 'prop_deny': 'false', 'prop_cli.script.win.user.disconnect': '[redacted]', 'prop_superuser': 'false', 'pvt_password_digest': '[redacted]', 'prop_cli.script.linux.user.connect': '[redacted]', 'prop_autologin': 'false', 'conn_group': 'Default', 'type': 'user_connect'}, 'client_reason': 'CRV1:R,E:[redacted]==:Enter Google Authenticator Code'}"
2019-02-26 14:20:08-0800 [-] WEB OUT: '2019-02-26 14:20:08-0800 [UDSProxyQueryProtocol,client] Web login failed (twisted.cred.error.UnauthorizedLogin)'
2019-02-26 14:21:30-0800 [-] WEB OUT: "2019-02-26 14:21:30-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'client_reason': 'LOCKOUT: user temporarily locked out due to multiple authentication failures', 'reason': 'LOCKOUT: user temporarily locked out due to multiple authentication failures', 'user': 'jcoltrin'}"
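As an added example (not part of the original post and not OpenVPN’s code), a small Python parser for these openvpnas.log entries: it separates the bad-password failure, the Google Authenticator challenge prompt (logged as a failure but really the server asking for the code), the rejected login and the LOCKOUT, and tallies them per user. The embedded sample lines are constructed from the excerpt above, with the long reason strings and the secrets trimmed.

```python
"""Extract authentication failures and lockouts per user from openvpnas.log lines."""
import ast
import re
from collections import Counter, defaultdict

# Constructed sample, adapted from the excerpt above: the long traceback strings and
# the secrets are trimmed, but each payload keeps the dict-literal shape the server writes.
LOG_LINES = [
    "2019-02-26 14:03:26-0800 [-] WEB OUT: \"2019-02-26 14:03:26-0800 [UDSProxyQueryProtocol,client] "
    "Web login authentication failed: {'status': 1, 'reason': 'local auth failed: password "
    "verification failed: auth/authlocal:42', 'user': 'jcoltrin'}\"",
    "2019-02-26 14:19:40-0800 [-] WEB OUT: \"2019-02-26 14:19:40-0800 [UDSProxyQueryProtocol,client] "
    "Web login authentication failed: {'status': 1, 'no_lockout': True, 'reason': 'challenge', "
    "'user': 'jcoltrin', 'proplist': {'pvt_google_auth_secret_locked': 'true', 'prop_deny': 'false'}, "
    "'client_reason': 'CRV1:R,E:[redacted]==:Enter Google Authenticator Code'}\"",
    "2019-02-26 14:20:08-0800 [-] WEB OUT: '2019-02-26 14:20:08-0800 [UDSProxyQueryProtocol,client] "
    "Web login failed (twisted.cred.error.UnauthorizedLogin)'",
    "2019-02-26 14:21:30-0800 [-] WEB OUT: \"2019-02-26 14:21:30-0800 [UDSProxyQueryProtocol,client] "
    "Web login authentication failed: {'status': 1, 'client_reason': 'LOCKOUT: user temporarily "
    "locked out due to multiple authentication failures', 'reason': 'LOCKOUT: user temporarily "
    "locked out due to multiple authentication failures', 'user': 'jcoltrin'}\"",
]

# Outer timestamp, then the quoted inner message; the payload after "authentication failed:" is a
# Python dict literal, so ast.literal_eval parses it without executing anything.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d{4}) \[-\] WEB OUT: (?P<q>[\"'])"
    r".*?Web login (?:authentication failed: (?P<payload>\{.*\})|failed \((?P<err>[^)]*)\))(?P=q)$"
)

def classify(payload, err):
    """Map one entry to an event kind; 'challenge' is the server prompting for the TOTP code, not a failure."""
    if err:
        return "login-rejected"
    reason = payload.get("reason", "")
    if reason.startswith("LOCKOUT"):
        return "lockout"
    if reason == "challenge" and "Google Authenticator" in payload.get("client_reason", ""):
        return "mfa-challenge"
    if reason.startswith("local auth failed"):
        return "bad-password"
    return "other"

def parse_line(line):
    """Return {'ts', 'user', 'kind'} for a web-login entry, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    payload = ast.literal_eval(m.group("payload")) if m.group("payload") else {}
    return {"ts": m.group("ts"), "user": payload.get("user"), "kind": classify(payload, m.group("err"))}

def triage(lines):
    """Count event kinds per user (None = entry names no user) and list who got locked out."""
    per_user = defaultdict(Counter)
    locked_out = []
    for event in filter(None, map(parse_line, lines)):
        per_user[event["user"]][event["kind"]] += 1
        if event["kind"] == "lockout" and event["user"] not in locked_out:
            locked_out.append(event["user"])
    return {"per_user": {u: dict(c) for u, c in per_user.items()}, "locked_out": locked_out}
```

Feed it the real file with triage(open("/var/log/openvpnas.log").read().splitlines()) to see at a glance which users are locked out and how many password versus authenticator failures preceded it.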

Make sure the phone with Google Authenticator has the correct time, and set the phone to sync its clock with the network/carrier

As mentioned at the beginning of this article, the original login issue came down to the Android phone on which Google Authenticator was running having its time off by about 3 minutes. To set the correct time on an Android Galaxy S8 Active, go to Settings > General Management > Date and Time > turn on Automatic Date and Time.

I’m not sure why this phone was set not to sync its time automatically with the network/carrier. This may have been due to a recent Android update, because I found this setting off on a couple of phones in the office. Ensure the time on your server is accurate as well by issuing the following command over SSH:

date

Your result should look like the following:

openvpnas@openvpnas2:/var/log$ date
Thu Feb 28 14:46:57 PST 2019

If you find the time on your server is not accurate, check out my article on how to set the time on Ubuntu and Synchronize NTP here.
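As an added example (not part of the original article and not OpenVPN’s or Google’s code), the following minimal RFC 6238 TOTP implementation, the scheme Google Authenticator uses, shows why a phone clock that is 3 minutes off produces codes the server rejects while a few seconds of drift is harmless. The ±1-step tolerance in verify() and the demo secret (the RFC 6238 reference key) are assumptions for the demonstration, not OpenVPN Access Server’s actual settings.

```python
"""Why a phone clock 3 minutes off breaks Google Authenticator logins (RFC 6238 TOTP)."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # Google Authenticator's time step (RFC 6238 default)
DIGITS = 6          # Google Authenticator shows 6-digit codes
# Constructed demo secret: the RFC 6238 reference key "12345678901234567890" in base32.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """TOTP code for a given clock reading: HMAC-SHA1 over the 30 s counter, truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def verify(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Accept a code matching the server's current step or one within +/- window steps.

    OpenVPN Access Server's real tolerance is not stated in the article; +/-1 step
    (30 s either way) is an assumption used for this demonstration.
    """
    for i in range(-window, window + 1):
        expected = totp(secret_b32, server_time + i * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login_with_skew(secret_b32: str, phone_skew_seconds: int,
                    server_time: int, window: int = 1) -> bool:
    """Simulate the article's failure: the phone derives its code from its own (wrong)
    clock, and the correctly timed server checks it against its own clock."""
    phone_code = totp(secret_b32, server_time + phone_skew_seconds)
    return verify(secret_b32, phone_code, server_time, window)


if __name__ == "__main__":
    server_now = 1551394017   # constructed: roughly the server 'date' shown above, as Unix time
    for skew in (0, 20, 180, -180):
        ok = login_with_skew(DEMO_SECRET_B32, skew, server_now)
        print(f"phone clock off by {skew:+4d} s -> login {'OK' if ok else 'REJECTED'}")
```

With the default window, a skew of 180 s (six steps) is rejected at every instant, which is exactly the “Google Authenticator Code is incorrect” symptom; fixing the phone’s clock, not the secret, is the remedy.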