Why turning off updates is always a bad idea

Started the day with the revenge of one of our former employees. It was causing someone to get "inappropriate" Chrome notifications. The back story was that someone, in their infinite genius, decided to add a registry modification command to the deployment, blocking Chrome updates. In this case the key was in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update. This can be configured in a couple of different places, so you might have to search.

I started remediation by first blocking Chrome notifications. I then removed the key and kicked off a Chrome update. The update succeeded and there were no more inappropriate notifications.
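
An added example (not from the original post): a read-only PowerShell audit of the policy key named above for values that stop Chrome from updating. The value names checked (UpdateDefault, the per-app override for Chrome, AutoUpdateCheckPeriodMinutes) are Google Update policy settings and are an assumption here, since the post does not say which value the deployment wrote.

```powershell
[CmdletBinding()]
param(
    # Key named in the post. Add any other locations your deployment tooling writes to.
    [string[]]$PolicyPath = @('HKLM:\SOFTWARE\Policies\Google\Update')
)

# Per-app override value name for Chrome (Chrome's Google Update application GUID).
$chromeOverride = 'Update{8A69D345-D564-463C-AFF1-A69D9E530F96}'

# Update policy data that prevents automatic updates.
$blocking = @{ 0 = 'updates disabled'; 2 = 'manual updates only' }

$findings = foreach ($path in $PolicyPath) {
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        $data   = $key.GetValue($name)
        $reason = $null

        if (($name -in @('UpdateDefault', $chromeOverride)) -and
            ($data -is [int]) -and $blocking.ContainsKey($data)) {
            $reason = $blocking[$data]
        }
        elseif (($name -eq 'AutoUpdateCheckPeriodMinutes') -and ($data -eq 0)) {
            $reason = 'automatic update checks disabled'
        }

        if ($reason) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Path     = $path
                Value    = $name
                Data     = $data
                Reason   = $reason
            }
        }
    }
}

if ($findings) {
    # One row per value that is holding updates back.
    $findings | Format-Table -AutoSize
}
else {
    Write-Output "No update-blocking Google Update policy values found on $env:COMPUTERNAME."
}
```

The script only reads the registry; removing a reported value and triggering a Chrome update is the remediation described above.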

Legacy account shenanigans

I was manually setting up a new cell phone for an employee who had been brought back from furlough. Yes, we should be using MDM. In our case the small number of devices and the simplicity of the configuration are below the Enterprise Device Management threshold. So I was attempting to sign in to the native mail client on the device and was getting some really weird behavior. I would tap the login button after entering the password and it would bring you back to the screen with all the email providers. It didn't throw any authentication errors. It just booted you back to the previous screen.

I did all the basic due diligence troubleshooting on the device (close the app, clear app data, reboot) with no change. I started digging into the user's account in our On-Premises Active Directory. The account wasn't locked and was configured correctly, but I found an account expiration set up. (Always check the account expiration if you are AD synced and have login issues. I have seen so many different odd issues caused by this. Especially if they try to log in to O365, it will throw cryptic red herring errors.)

After removing the expiration I was still seeing the same behavior. I logged into O365 with the account. Login occurred successfully, but it went to a "Mailbox Not Provisioned" error page. Typically this is caused by a license not being assigned. The license was assigned. One thing I have seen is where the license is assigned, but the individual app (Exchange Plan 1) was unchecked. It wasn't this either.

When checking the email section of the user account, I found the message "This user's on-premise mailbox hasn't been migrated".

We migrated all of our accounts and deprovisioned our Exchange server before I was onboarded. Many of the docs online will say to go onto your Exchange server and migrate the account. Obviously that is not a solution in this case. You need to clear 3 attributes from your on-premises AD.

  • MsExchMailboxGuid
  • MsExchRecipientDisplayType
  • MsExchRecipientTypeDetails

After running an AD sync I was still getting the error. I ended up removing and re-adding the license. After that the error was replaced with a message saying the mailbox was provisioning. I left it to work on something else for about 30 minutes. When I came back the message was gone and I was able to log in.