Autoactivate Sensitivity Label Bar

If you deploy the new AIP Unified Labeling Client to your machines, the sensitivity bar in Office is hidden by default, so every user has to enable it manually before they can apply a label. This default can be changed with a PowerShell cmdlet.

First of all, download the client MSI and deploy it through Intune.


Then we need to create the required labels in Office 365 (I will cover that in a separate blog post some day):


The next step is to connect to the Office 365 Security & Compliance Center PowerShell. If you are using MFA (which I hope you do), the easiest way is to download the Exchange Online PowerShell cmdlets in Internet Explorer (no comment); they support modern authentication (Connect-IPPSSession -UserPrincipalName


Then you can run a single command to enable the status bar automatically for every user in scope of your label policy (just replace the label policy name):

Set-LabelPolicy -Identity "Schützenswert / Sensible" -AdvancedSettings @{HideBarByDefault="False"}


That's it; the bar will now be displayed automatically the next time an Office app starts.
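As an added example (not code from the original post), here is the whole sequence in one script: connect with modern authentication, show the policy's current advanced settings, set HideBarByDefault, and read the settings back to confirm the change landed. The admin UPN and the policy name are placeholders, and the exact text of the Settings output is an assumption based on how Get-LabelPolicy renders advanced settings.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module. The UPN and policy name are placeholders; replace them with your own.
Import-Module ExchangeOnlineManagement

$adminUpn   = 'admin@contoso.example'        # placeholder admin account (assumption)
$policyName = 'Schützenswert / Sensible'     # label policy name used in the post

# MFA-capable (modern auth) connection to the Security & Compliance endpoint
Connect-IPPSSession -UserPrincipalName $adminUpn

# Record what the policy looks like before the change
Write-Host 'Advanced settings before:'
(Get-LabelPolicy -Identity $policyName).Settings

# Show the sensitivity bar by default for every user in scope of this policy.
# Advanced settings are strings: "False" means the bar is NOT hidden.
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{HideBarByDefault = 'False'}

# Verify: the Settings collection should now carry a hidebarbydefault entry
# with the value False (output format is an assumption; filter by name).
Write-Host 'Advanced settings after:'
$after = (Get-LabelPolicy -Identity $policyName).Settings |
    Where-Object { $_ -match 'hidebarbydefault' }
if ($after) { $after } else { Write-Warning 'HideBarByDefault not found on the policy' }

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the before/after output with your change record: advanced settings are easy to overwrite by a later Set-LabelPolicy call, and having the previous values makes a rollback trivial.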



Surface Hub 2s Deployment Part III: Room List for Teams Meeting Requests

The last part is about creating a room list so that the Surface Hub can be selected as a resource in Teams meeting requests. Learned from Yoav (

#1: Connect Exchange Online with MFA
If you are using MFA for your admin accounts: download Exchange Online PowerShell from the Exchange Online Admin Center with Internet Explorer (had to install IE again first haha), then connect with PowerShell.

#2: Create the room list and add your Surface Hubs to it

#3: You can now select your Surface Hub as a resource in Teams
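Steps #1 to #3 as one script, added here as an example and not taken from the original post: connect to Exchange Online with modern authentication, create the room list if it does not exist yet, add the Surface Hub resource mailboxes to it (skipping anything that is not a room mailbox), and list the result. The admin UPN, room list name and hub addresses are placeholders.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module; all names and addresses below are placeholders.
Import-Module ExchangeOnlineManagement

# MFA-capable (modern auth) connection
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin

$roomListName = 'Meeting Rooms HQ'                                   # placeholder room list
$hubs = @('hub-floor1@contoso.example', 'hub-floor2@contoso.example') # placeholder hub mailboxes

# A room list is a distribution group flagged with -RoomList; create it only once
if (-not (Get-DistributionGroup -Identity $roomListName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $roomListName -RoomList | Out-Null
    Write-Host "Created room list '$roomListName'"
}

foreach ($hub in $hubs) {
    # Only room mailboxes belong in a room list; refuse anything else
    $mbx = Get-Mailbox -Identity $hub -ErrorAction SilentlyContinue
    if ($null -eq $mbx -or $mbx.RecipientTypeDetails -ne 'RoomMailbox') {
        Write-Warning "$hub is not a room mailbox, skipping"
        continue
    }
    # Adding an existing member throws; ignore that case
    Add-DistributionGroupMember -Identity $roomListName -Member $hub -ErrorAction SilentlyContinue
}

# Verify: all room lists in the tenant, then the members of ours
Get-DistributionGroup -RecipientTypeDetails RoomList | Select-Object Name, PrimarySmtpAddress
Get-DistributionGroupMember -Identity $roomListName | Select-Object Name, PrimarySmtpAddress

Disconnect-ExchangeOnline -Confirm:$false
```

The final two Get calls are the check worth keeping: a room list that shows up without the Hub as a member will still not let users pick the Hub in Teams.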

Go back to Part 1 or Part 2

Surface Hub 2s Deployment Part II: Intune Policies & Configuration

In the first part, the resource, user and license were provisioned. Now it's time to configure some Intune policies for the device. The following settings have been defined for deployment:

  • App deployment from the Microsoft Store (Win32 is not supported)
  • Teams as Default Phone Client
  • PIN for Projection
  • Custom Start Layout

For app deployment, the Microsoft Store for Business needs to be synchronized with Intune; offline licensing is required for every deployed app.

#1: Enable Store for Business Offline Apps

#2: “Buy” Teams and sync it into Intune

#3: Deploy it to your Surface Hubs

#4: Create Device Configuration Settings
Create a custom settings profile for the two required OMA-URIs and deploy it to your Surface Hub (details over here:

#5: Create Device Restriction Profile for Start Layout and PIN
To create the Start layout, you can download and modify this template: (could not test that one yet)

In Part III, a room list is created for Teams meeting requests: Part III

Surface Hub 2s Deployment Part I (Resource & User)

Last week I was lucky and got my hands on a brand new Surface Hub 2s, of course managed through Intune. A few screenshots and experiences from setup and configuration:

#1: Create Resource

#2: Set Auto-accept and Booking window

#4: Assign a license to the user (we decided to go for the Meeting Room license, which contains Intune, Teams and Phone System as well)
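Steps #1 and #2 scripted in Exchange Online PowerShell, as an added example that is not part of the original post: create the Surface Hub resource as a room mailbox with an enabled device account, then set auto-accept and the booking window together with the calendar processing options that keep meeting details visible on the Hub. The display name, alias and admin UPN are placeholders, the 180-day booking window is a chosen example value, and the license assignment (#4) was done in the admin portal in the post and is not scripted here.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module; display name, alias and admin UPN are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin

$hubName  = 'Surface Hub Floor 1'   # placeholder display name
$hubAlias = 'hub-floor1'            # placeholder alias

# The device account signs in on the Hub and therefore needs a password;
# prompt for it rather than hard-coding it in a script that ends up in a repo.
$hubPassword = Read-Host -AsSecureString -Prompt "Password for $hubAlias"

# #1: create the resource as a room mailbox with an enabled account
if (-not (Get-Mailbox -Identity $hubAlias -ErrorAction SilentlyContinue)) {
    New-Mailbox -Name $hubName -Alias $hubAlias -Room `
        -EnableRoomMailboxAccount $true -RoomMailboxPassword $hubPassword | Out-Null
    Write-Host "Created room mailbox $hubAlias"
}

# #2: accept requests automatically and cap how far ahead the Hub can be booked
# (180 days is an example value). The four $false switches keep organizer,
# subject and body on the booking so the Hub can show who the meeting is with.
Set-CalendarProcessing -Identity $hubAlias `
    -AutomateProcessing AutoAccept `
    -BookingWindowInDays 180 `
    -AddOrganizerToSubject $false `
    -DeleteComments $false `
    -DeleteSubject $false `
    -RemovePrivateProperty $false

# Verify the effective calendar settings
Get-CalendarProcessing -Identity $hubAlias |
    Select-Object AutomateProcessing, BookingWindowInDays, AddOrganizerToSubject, DeleteSubject

Disconnect-ExchangeOnline -Confirm:$false
```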

Part II: Intune Policies & Settings

Self Service PW Reset from LogonScreen

With Windows 10 1803, it is now possible to reset your password directly from the logon screen of a Hybrid Azure AD joined device (domain joined and synchronized to Azure AD).


The following steps are required:

  • Configure your Azure AD Connect service to synchronize device records


  • Set the following registry key to enable the "Reset password" button on your logon screen: "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount\AllowPasswordReset" dword:00000001


That's it; your users are now able to reset their passwords through the well-known Azure AD SSPR feature:
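The registry step as a script, added here as an example rather than taken from the post: it creates the policy key if needed, writes the DWORD, reads it back, and runs a read-only dsregcmd check that the device really is Hybrid Azure AD joined, since the link only works on such a device. Run it elevated, because it writes under HKLM.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
$valueName = 'AllowPasswordReset'

# Create the policy key if it does not exist yet
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# DWORD 1 = show the reset link on the logon screen; 0 or missing = hidden
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read back what is actually stored instead of trusting the write
$current = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($current -eq 1) {
    Write-Host "$valueName = 1; the link appears the next time the logon screen is shown."
} else {
    Write-Warning "$valueName is '$current', expected 1"
}

# Read-only check of the join state; dsregcmd ships with Windows 10.
# Both AzureAdJoined and DomainJoined must report YES for Hybrid Azure AD join.
dsregcmd /status | Select-String 'AzureAdJoined', 'DomainJoined'
```

Because the value lives under the Policies hive, a GPO or an Intune configuration profile that manages the same key will win over a manual edit; set it in whichever channel you already use for policy so it does not get reverted.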


New Tool: SetupDiag.exe

With setupdiag.exe, Microsoft provides an easy way to troubleshoot failed in-place upgrades. This is handy if you don't like crawling through massive logs in different places.

Here is a first impression:

First, download it here:

Then run it on the failed client with /online, or copy all the logs down and point to them with the /offline switch. In my case, I'm troubleshooting directly on a failed client:


Now it collects every relevant entry from all the different locations and displays the interesting lines:


That's it. In my case it was the EFI disk that was in bad shape (I got there by searching for the 0x80070002 error). If you need the collected results, they are stored in the path specified in the /Output parameter; the log itself looks like this:
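An added example (not from the original post) of wrapping the SetupDiag run in a script so the result file lands in a known place and the two lines you usually want first, the matched rule and any HRESULT such as the 0x80070002 above, are pulled out of it. The tool path and output folder are placeholders; the parameter spelling follows Microsoft's documented form (/Output:<file>, /Mode:Online, /Mode:Offline with /LogsPath:<folder>), and the "Matching Profile found" phrase used for the rule line is an assumption about the result file's wording.

```powershell
# Added example, not from the original post. SetupDiag.exe is assumed to have
# been downloaded to C:\Tools; both paths are placeholders.
$setupDiag = 'C:\Tools\SetupDiag.exe'   # placeholder download location
$outDir    = 'C:\SetupDiag'             # placeholder output folder
$result    = Join-Path $outDir 'Results.log'

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Online mode reads the upgrade logs from this machine. For a log set copied
# from another client use: /Mode:Offline /LogsPath:<folder with the logs>
& $setupDiag "/Output:$result" '/Mode:Online'

if (-not (Test-Path $result)) {
    Write-Warning "SetupDiag produced no result file at $result"
    return
}

$text = Get-Content -Path $result -Raw

# Rule that matched (log phrase is an assumption; adjust if your version differs)
$rule = [regex]::Match($text, '(?i)matching (profile|rule) found:\s*(.+)')
if ($rule.Success) { Write-Host "Rule: $($rule.Groups[2].Value.Trim())" }

# Every distinct 0x8xxxxxxx HRESULT mentioned, e.g. 0x80070002 (file not found)
[regex]::Matches($text, '0x8[0-9A-Fa-f]{7}') |
    Select-Object -ExpandProperty Value -Unique |
    ForEach-Object { Write-Host "Error code seen: $_" }
```

Searching the extracted error code, as the post did, is usually faster than reading the full result file; keeping the file itself is still worth it when the same client fails again after a fix.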