適用於 Surface Hub 的 PowerShell (v1)
此頁面包含適用於原始 Surface Hub (v1) 的 PowerShell 腳本。 針對 Surface Hub 2S,請參閱 建立和測試裝置帳戶。
若要成功執行這些 PowerShell 腳稿,您必須安裝下列必要條件:
- 適用於 IT 專業人員的 Microsoft Online Services 登入小幫手 RTW
- Windows PowerShell (64 位版本) 的 Microsoft Azure Active Directory 模組
- 商務用 Skype Online 的 Windows PowerShell 模組
適用於 Surface Hub 系統管理員的 PowerShell 指令碼
- 建立裝置帳戶,使用純單一樹系的內部部署 (僅限 Microsoft Exchange 和 Skype 2013 及更新版本) 或線上 (Microsoft Office 365) 來進行設定,其均已針對您的 Surface Hub 正確設定。
- 針對任何設定 (內部部署或線上) 驗證現有的裝置帳戶,以確定它們可與 Surface Hub 相容。
- 為任何想要自行建立裝置帳戶或驗證指令碼的使用者,提供基本範本。
- 對於組織的網域或租用戶、Exchange Server 及商務用 Skype 伺服器的遠端 PowerShell 存取權。
- 適用於組織的網域或租用戶、Exchange Server 及商務用 Skype 伺服器的系統管理認證。
無論您要建立新帳戶或修改已經存在的帳戶,驗證腳本會驗證您的裝置帳戶是否已正確設定。 您應一律先執行驗證指令碼,然後再將裝置帳戶新增到 Surface Hub。
- 要求系統管理員認證。
- 在您的網域/租使用者中建立裝置帳戶。
- 建立 Surface Hub 相容的 ActiveSync 原則或將其指派給裝置帳戶。
- 在 Exchange 和 商務用 Skype 中設定所建立帳戶的各種屬性。
- 將授權和許可權指派給已建立的帳戶。
Cmdlet | 屬性 | 值 |
Set-Mailbox | RoomMailboxPassword | 使用者提供 |
EnableRoomMailboxAccount | True | |
Type | 會議室 | |
Set-CalendarProcessing | AutomateProcessing | AutoAccept |
RemovePrivateProperty | False | |
DeleteSubject | False | |
DeleteComments | False | |
AddOrganizerToSubject | False | |
AddAdditionalResponse | True | |
AdditionalResponse | 「這是 Surface Hub 會議室!」 | |
New-MobileDeviceMailboxPolicy | PasswordEnabled | False |
AllowNonProvisionableDevices | True | |
Enable-CSMeetingRoom | RegistrarPool | 使用者提供 |
SipAddress | 設定為裝置帳戶的使用者主體名稱 (UPN) | |
Set-MsolUserLicense (僅限 O365) | AddLicenses | 使用者提供 |
Set-MsolUser (僅限 O365) | PasswordNeverExpires | True |
僅 Set-AdUser (內部部署) | Enabled | True |
僅 Set-AdUser (內部部署) | PasswordNeverExpires | True |
自 2024 年 3 月 30 日起,Azure AD 和 MSOnline PowerShell 模組已被取代。 若要深入瞭解,請閱讀 淘汰更新。 在此日期之後,這些模組的支援僅限於移轉協助Microsoft Graph PowerShell SDK 和安全性修正。 已淘汰的模組會繼續運作到 2025 年 3 月 30 日。
建議您移轉至 Microsoft Graph PowerShell,以與 Microsoft Entra ID (先前的 Azure AD) 互動。 如需常見的移轉問題,請參閱 移轉常見問題。
請注意,1.0 版。x 的 MSOnline 可能會在 2024 年 6 月 30 日之後發生中斷。
這些腳本會為您建立裝置帳戶。 您可以使用帳戶驗證指令碼,來確定它們可正確執行。
帳戶建立指令碼不能修改已經存在的帳戶,但可用來協助您了解需要執行哪些 Cmdlet,才能正確設定現有的帳戶。
# SHAccountCreateOnPrem.ps1
$ErrorActionPreference = "Stop"
$status = @{}
# Cleans up set state such as remote powershell sessions
function Cleanup()
if ($sessExchange)
Remove-PSSession $sessExchange
if ($sessCS)
Remove-PSSession $sessCS
function PrintError($strMsg)
Write-Host $strMsg -foregroundcolor Red
function PrintSuccess($strMsg)
Write-Host $strMsg -foregroundcolor Green
function PrintAction($strMsg)
Write-Host $strMsg -ForegroundColor Cyan
# Cleans up and prints an error message
function CleanupAndFail($strMsg)
if ($strMsg)
exit 1
# Exits if there is an error set and prints the given message
function ExitIfError($strMsg)
if ($Error)
## Collect account data ##
$credNewAccount = (Get-Credential -Message "Enter the desired UPN and password for this new account")
$strUpn = $credNewAccount.UserName
$strDisplayName = Read-Host "Please enter the display name you would like to use for $strUpn"
if (!$credNewAccount -Or [System.String]::IsNullOrEmpty($strDisplayName) -Or [System.String]::IsNullOrEmpty($credNewAccount.UserName) -Or $credNewAccount.Password.Length -le 0)
CleanupAndFail "Please enter all of the requested data to continue."
exit 1
## Sign in to remote powershell for exchange and lync online ##
$credExchange = $null
$credExchange=Get-Credential -Message "Enter credentials of an Exchange user with mailbox creation rights"
if (!$credExchange)
CleanupAndFail("Valid credentials are required to create and prepare the account.");
$strExchangeServer = Read-Host "Please enter the FQDN of your exchange server (e.g. exch.contoso.com)"
# Lync info
$credLync = Get-Credential -Message "Enter credentials of a Skype for Business admin (or cancel if they are the same as Exchange)"
if (!$credLync)
$credLync = $credExchange
$strLyncFQDN = Read-Host "Please enter the FQDN of your Lync server (e.g. lync.contoso.com) or enter to use [$strExchangeServer]"
if ([System.String]::IsNullOrEmpty($strLyncFQDN))
$strLyncFQDN = $strExchangeServer
PrintAction "Connecting to remote sessions. This can occasionally take a while - please do not enter input..."
$sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $credExchange -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue
CleanupAndFail("Failed to connect to exchange. Please check your credentials and try again. If this continues to fail, you may not have permission for remote powershell - if not, please perform the setup manually. Error message: $_")
PrintSuccess "Connected to Remote Exchange Shell"
$sessLync = New-PSSession -Credential $credLync -ConnectionURI "https://$strLyncFQDN/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue
CleanupAndFail("Failed to connect to Lync. Please check your credentials and try again. Error message: $_")
PrintSuccess "Connected to Lync Server Remote PowerShell"
Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue
Import-PSSession $sessLync -AllowClobber -WarningAction SilentlyContinue
## Create the Exchange mailbox ##
> [!Note]
> These exchange commandlets do not always throw their errors as exceptions
# Because Get-Mailbox throws an error if the mailbox isn't found
PrintAction "Creating a new account..."
$mailbox = $null
$mailbox = (New-Mailbox -UserPrincipalName $credNewAccount.UserName -Alias $credNewAccount.UserName.substring(0,$credNewAccount.UserName.indexOf('@')) -room -Name $strDisplayName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true)
} catch { }
ExitIfError "Failed to create a new mailbox on exchange.";
$status["Mailbox Setup"] = "Successfully created a mailbox for the new account"
$strEmail = $mailbox.WindowsEmailAddress
PrintSuccess "The following mailbox has been created for this room: $strEmail"
## Create or retrieve a policy to be applied to surface hub devices ##
# The policy disables requiring a device password so that the SurfaceHub does not need to be lockable to use Active Sync
$strPolicy = Read-Host 'Please enter the name for a new Surface Hub ActiveSync policy to be created and applied to this account.
We will configure that policy to be compatible with Surface Hub devices.
If this script has been used before, please enter the name of the existing policy.'
$easpolicy = $null
try {
$easpolicy = Get-MobileDeviceMailboxPolicy $strPolicy
catch {}
if ($easpolicy)
if (!$easpolicy.PasswordEnabled -and ($easpolicy.AllowNonProvisionableDevices -eq $null -or $easpolicy.AllowNonProvisionableDevices ))
PrintSuccess "An existing policy has been found and will be applied to this account."
PrintError "The policy you provided is incompatible with the surface hub."
$easpolicy = $null
$status["Device Password Policy"] = "Failed to apply the EAS policy to the account because the policy was invalid."
PrintAction "Creating policy..."
$easpolicy = New-MobileDeviceMailboxPolicy -Name $strPolicy -PasswordEnabled $false -AllowNonProvisionableDevices $true
if ($easpolicy)
PrintSuccess "A new device policy has been created; you can use this same policy for all future Surface Hub device accounts."
PrintError "Could not create $strPolicy"
if ($easpolicy)
# Convert mailbox to user type so we can apply the policy (necessary)
# Sometimes it takes a while for this change to take affect so we have some nasty retry loops
Set-Mailbox $credNewAccount.UserName -Type Regular
} catch {}
if ($Error)
$status["Device Password Policy"] = "Failed to apply the EAS policy to the account."
# Loop until resource type goes away, up to 5 times
for ($i = 0; $i -lt 5 -And (Get-Mailbox $credNewAccount.UserName).ResourceType; $i++)
Start-Sleep -s 5
# If the mailbox is still a Room we cannot apply the policy
if (!((Get-Mailbox $credNewAccount.UserName).ResourceType))
# Set policy for account
Set-CASMailbox $credNewAccount.UserName -ActiveSyncMailboxPolicy $strPolicy
if (!$Error)
$status["ActiveSync Policy"] = "Successfully applied $strPolicy to the account"
$status["ActiveSync Policy"] = "Failed to apply the EAS policy to the account."
# Convert back to room mailbox
Set-Mailbox $credNewAccount.UserName -Type Room
# Loop until resource type goes back to room
for ($i = 0; ($i -lt 5) -And ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room"); $i++)
Start-Sleep -s 5
if ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room")
# A failure to convert the mailbox back to a room is unfortunate but means the mailbox is unusable.
$status["Mailbox Setup"] = "A mailbox was created but we could not set it to a room resource type."
Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
} catch { }
if ($Error)
$status["Mailbox Setup"] = "A room mailbox was created but we could not set its password."
PrintSuccess "Account creation completed."
PrintAction "Setting calendar processing rules..."
## Prepare the calendar for automatic meeting responses ##
try {
Set-CalendarProcessing -Identity $credNewAccount.UserName -AutomateProcessing AutoAccept
} catch { }
if ($Error)
$status["Calendar Acceptance"] = "Failed to configure the account to automatically accept/decline meeting requests"
$status["Calendar Acceptance"] = "Successfully configured the account to automatically accept/decline meeting requests"
try {
Set-CalendarProcessing -Identity $credNewAccount.UserName -RemovePrivateProperty $false -AddOrganizerToSubject $false -AddAdditionalResponse $true -DeleteSubject $false -DeleteComments $false -AdditionalResponse "This is a Surface Hub room!"
} catch { }
if ($Error)
$status["Calendar Response Configuration"] = "Failed to configure the account's response properties"
$status["Calendar Response Configuration"] = "Successfully configured the account's response properties"
## Configure the Account to not expire ##
PrintAction "Configuring password not to expire..."
Start-Sleep -s 20
Set-AdUser $mailbox.UserPrincipalName -PasswordNeverExpires $true -Enabled $true
if ($Error)
$status["Password Expiration Policy"] = "Failed to set the password to never expire"
$status["Password Expiration Policy"] = "Successfully set the password to never expire"
PrintSuccess "Completed Exchange configuration"
## Setup Skype for Business. This is somewhat optional and if it fails we SfbEnable can be used later ##
PrintAction "Configuring account for Skype for Business."
# Getting registrar pool
$strRegPool = $strLyncFQDN
$strRegPoolEntry = Read-Host "Enter a Skype for Business Registrar Pool, or leave blank to use [$strRegPool]"
if (![System.String]::IsNullOrEmpty($strRegPoolEntry))
$strRegPool = $strRegPoolEntry
# Try to SfB-enable the account. Note that it may not work right away as the account needs to propagate to active directory
PrintAction "Enabling Skype for Business..."
Start-Sleep -s 10
try {
Enable-CsMeetingRoom -Identity $credNewAccount.UserName -RegistrarPool $strRegPool -SipAddressType EmailAddress
catch { }
if ($Error)
$status["Skype for Business Account Setup"] = "Failed to setup the Skype for Business meeting room - you can run EnableSfb.ps1 to try again."
$status["Skype for Business Account Setup"] = "Successfully enabled account as a Skype for Business meeting room"
## Cleanup and print results ##
$strDisplay = $mailbox.DisplayName
$strUsr = $credNewAccount.UserName
PrintAction "Summary for creation of $strUsr ($strDisplay)"
if ($status.Count -gt 0)
ForEach($k in $status.Keys)
$v = $status[$k]
$color = "yellow"
if ($v[0] -eq "S") { $color = "green" }
elseif ($v[0] -eq "F")
$color = "red"
$v += " Go to https://aka.ms/shubtshoot"
Write-Host -NoNewline $k -ForegroundColor $color
Write-Host -NoNewline ": "
Write-Host $v
PrintError "The account could not be created"
使用 Office 365 建立裝置帳戶
建立帳戶,如使用 Office 365 建立裝置帳戶中所述。
# SHAccountCreateO365.ps1
$ErrorActionPreference = "Stop"
$status = @{}
# Cleans up set state such as remote powershell sessions
function Cleanup()
if ($sessExchange)
Remove-PSSession $sessExchange
if ($sessCS)
Remove-PSSession $sessCS
function PrintError($strMsg)
Write-Host $strMsg -foregroundcolor Red
function PrintSuccess($strMsg)
Write-Host $strMsg -foregroundcolor Green
function PrintAction($strMsg)
Write-Host $strMsg -ForegroundColor Cyan
# Cleans up and prints an error message
function CleanupAndFail($strMsg)
if ($strMsg)
exit 1
# Exits if there is an error set and prints the given message
function ExitIfError($strMsg)
if ($Error)
## Check dependencies ##
try {
Import-Module SkypeOnlineConnector
Import-Module MSOnline
PrintError "Some dependencies are missing"
PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to https://www.microsoft.com/download/details.aspx?id=39366"
PrintError "Please install the Azure Active Directory module for PowerShell from https://go.microsoft.com/fwlink/p/?linkid=236297"
## Collect account data ##
$credNewAccount = (Get-Credential -Message "Enter the desired UPN and password for this new account")
$strUpn = $credNewAccount.UserName
$strDisplayName = Read-Host "Please enter the display name you would like to use for $strUpn"
if (!$credNewAccount -Or [System.String]::IsNullOrEmpty($strDisplayName) -Or [System.String]::IsNullOrEmpty($credNewAccount.UserName) -Or $credNewAccount.Password.Length -le 0)
CleanupAndFail "Please enter all of the requested data to continue."
exit 1
## Sign in to remote powershell for exchange and lync online ##
$credAdmin = $null
$credAdmin=Get-Credential -Message "Enter credentials of an Exchange and Skype for Business admin"
if (!$credadmin)
CleanupAndFail "Valid admin credentials are required to create and prepare the account."
PrintAction "Connecting to remote sessions. This can occasionally take a while - please do not enter input..."
$sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $credAdmin -AllowRedirection -Authentication basic -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -WarningAction SilentlyContinue
CleanupAndFail "Failed to connect to exchange. Please check your credentials and try again. Error message: $_"
$sessCS = New-CsOnlineSession -Credential $credAdmin
CleanupAndFail "Failed to connect to Skype for Business Online Datacenter. Please check your credentials and try again. Error message: $_"
Connect-MsolService -Credential $credAdmin
CleanupAndFail "Failed to connect to Azure Active Directory. Please check your credentials and try again. Error message: $_"
Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue
Import-PSSession $sessCS -AllowClobber -WarningAction SilentlyContinue
## Create the Exchange mailbox ##
> [!Note]
> These exchange commandlets do not always throw their errors as exceptions
# Because Get-Mailbox throws an error if the mailbox isn't found
PrintAction "Creating a new account..."
$mailbox = $null
$mailbox = (New-Mailbox -MicrosoftOnlineServicesID $credNewAccount.UserName -room -Name $strDisplayName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true)
} catch { }
ExitIfError "Failed to create a new mailbox on exchange.";
$status["Mailbox Setup"] = "Successfully created a mailbox for the new account"
$strEmail = $mailbox.WindowsEmailAddress
PrintSuccess "The following mailbox has been created for this room: $strEmail"
## Create or retrieve a policy to be be applied to surface hub devices ##
# The policy disables requiring a device password so that the SurfaceHub does not need to be lockable to use Active Sync
$strPolicy = Read-Host 'Please enter the name for a new Surface Hub ActiveSync policy to be be created and applied to this account.
We will configure that policy to be compatible with Surface Hub devices.
If this script has been used before, please enter the name of the existing policy.'
$easpolicy = $null
try {
$easpolicy = Get-MobileDeviceMailboxPolicy $strPolicy
catch {}
if ($easpolicy)
if (!$easpolicy.PasswordEnabled -and ($easpolicy.AllowNonProvisionableDevices -eq $null -or $easpolicy.AllowNonProvisionableDevices ))
PrintSuccess "An existing policy has been found and will be applied to this account."
PrintError "The policy you provided is incompatible with the surface hub."
$easpolicy = $null
$status["ActiveSync Policy"] = "Failed to apply the EAS policy to the account because the policy was invalid."
PrintAction "Creating policy..."
$easpolicy = New-MobileDeviceMailboxPolicy -Name $strPolicy -PasswordEnabled $false -AllowNonProvisionableDevices $true
if ($easpolicy)
PrintSuccess "A new device policy has been created; you can use this same policy for all future Surface Hub device accounts."
PrintError "Could not create $strPolicy"
if ($easpolicy)
# Convert mailbox to user type so we can apply the policy (necessary)
# Sometimes it takes a while for this change to take affect so we have some nasty retry loops
Set-Mailbox $credNewAccount.UserName -Type Regular
} catch {}
if ($Error)
$status["Device Password Policy"] = "Failed to apply the EAS policy to the account."
PrintError "Failed to convert to regular account"
# Loop until resource type goes away, up to 5 times
for ($i = 0; $i -lt 5 -And (Get-Mailbox $credNewAccount.UserName).ResourceType; $i++)
Start-Sleep -s 5
# If the mailbox is still a Room we cannot apply the policy
if (!((Get-Mailbox $credNewAccount.UserName).ResourceType))
# Set policy for account
Set-CASMailbox $credNewAccount.UserName -ActiveSyncMailboxPolicy $strPolicy
if (!$Error)
$status["Device Password Policy"] = "Successfully applied $strPolicy to the account"
$status["Device Password Policy"] = "Failed to apply the EAS policy to the account."
PrintError "Failed to apply policy"
# Convert back to room mailbox
Set-Mailbox $credNewAccount.UserName -Type Room
# Loop until resource type goes back to room
for ($i = 0; ($i -lt 5) -And ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room"); $i++)
Start-Sleep -s 5
if ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room")
# A failure to convert the mailbox back to a room is unfortunate but means the mailbox is unusable.
$status["Mailbox Setup"] = "A mailbox was created but we could not set it to a room resource type."
Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
if ($Error)
$status["Mailbox Setup"] = "A room mailbox was created but we could not set its password."
$status["Device Password Policy"] = "Failed to apply the EAS policy to the account."
PrintError "Failed to obtain policy"
PrintSuccess "Account creation completed."
PrintAction "Setting calendar processing rules..."
## Prepare the calendar for automatic meeting responses ##
try {
Set-CalendarProcessing -Identity $credNewAccount.UserName -AutomateProcessing AutoAccept
} catch { }
if ($Error)
$status["Calendar Acceptance"] = "Failed to configure the account to automatically accept/decline meeting requests"
$status["Calendar Acceptance"] = "Successfully configured the account to automatically accept/decline meeting requests"
try {
Set-CalendarProcessing -Identity $credNewAccount.UserName -RemovePrivateProperty $false -AddOrganizerToSubject $false -AddAdditionalResponse $true -DeleteSubject $false -DeleteComments $false -AdditionalResponse "This is a Surface Hub room!"
} catch { }
if ($Error)
$status["Calendar Response Configuration"] = "Failed to configure the account's response properties"
$status["Calendar Response Configuration"] = "Successfully configured the account's response properties"
## Configure the Account to not expire ##
PrintAction "Configuring password not to expire..."
Set-MsolUser -UserPrincipalName $credNewAccount.UserName -PasswordNeverExpires $true
if ($Error)
$status["Password Expiration Policy"] = "Failed to set the password to never expire"
$status["Password Expiration Policy"] = "Successfully set the password to never expire"
PrintSuccess "Completed Exchange configuration"
## Setup Skype for Business. This is somewhat optional and if it fails we SfbEnable can be used later ##
PrintAction "Configuring account for Skype for Business."
# Getting registrar pool
$strRegPool = $null
try {
$strRegPool = (Get-CsTenant).TenantPoolExtension
catch {}
if (![System.String]::IsNullOrEmpty($strRegPool))
$strRegPool = $strRegPool.Substring($strRegPool[0].IndexOf(':') + 1)
$strRegPoolEntry = Read-Host "Enter a Skype for Business Registrar Pool, or leave blank to use [$strRegPool]"
if (![System.String]::IsNullOrEmpty($strRegPoolEntry))
$strRegPool = $strRegPoolEntry
# Try to SfB-enable the account. Note that it may not work right away as the account needs to propagate to active directory
PrintAction "Enabling Skype for Business on $strRegPool"
Start-Sleep -s 10
try {
Enable-CsMeetingRoom -Identity $credNewAccount.UserName -RegistrarPool $strRegPool -SipAddressType EmailAddress
catch { }
if ($Error)
$status["Skype for Business Account Setup"] = "Failed to setup the Skype for Business meeting room - you can run EnableSfb.ps1 to try again."
$status["Skype for Business Account Setup"] = "Successfully enabled account as a Skype for Business meeting room"
## Now we need to assign a Skype for Business license to the account ##
# Assign a license to thes
$countryCode = (Get-CsTenant).CountryAbbreviation
$loc = Read-Host "Please enter the usage location for this device account (where the account is being used). This is a 2-character code that is used to assign licenses (e.g. $countryCode)"
try {
Set-MsolUser -UserPrincipalName $credNewAccount.UserName -UsageLocation $loc
if ($Error)
$status["Office 365 License"] = "Failed to assign an Office 365 license to the account"
PrintAction "We found the following licenses available for your tenant:"
$skus = (Get-MsolAccountSku | Where-Object { !$_.AccountSkuID.Contains("INTUNE"); })
$i = 1
$skus | % {
Write-Host -NoNewline $i
Write-Host -NoNewLine ": AccountSKUID: "
Write-Host -NoNewLine $_.AccountSkuid
Write-Host -NoNewLine " Active Units: "
Write-Host -NoNewLine $_.ActiveUnits
Write-Host -NoNewLine " Consumed Units: "
Write-Host $_.ConsumedUnits
$iLicenseIndex = 0;
$iLicenseIndex = Read-Host 'Choose the number for the SKU you want to pick'
} while ($iLicenseIndex -lt 1 -or $iLicenseIndex -gt $skus.Length)
$strLicenses = $skus[$iLicenseIndex - 1].AccountSkuId
if (![System.String]::IsNullOrEmpty($strLicenses))
Set-MsolUserLicense -UserPrincipalName $credNewAccount.UserName -AddLicenses $strLicenses
if ($Error)
$status["Office 365 License"] = "Failed to add a license to the account. Make sure you have remaining licenses."
$status["Office 365 License"] = "Successfully added license to the account"
$status["Office 365 License"] = "You opted not to install a license on this account"
## Cleanup and print results ##
$strDisplay = $mailbox.DisplayName
$strUsr = $credNewAccount.UserName
PrintAction "Summary for creation of $strUsr ($strDisplay)"
if ($status.Count -gt 0)
ForEach($k in $status.Keys)
$v = $status[$k]
$color = "yellow"
if ($v[0] -eq "S") { $color = "green" }
elseif ($v[0] -eq "F")
$color = "red"
$v += " Go to https://aka.ms/shubtshoot for help"
Write-Host -NoNewline $k -ForegroundColor $color
Write-Host -NoNewline ": "
Write-Host $v
PrintError "The account could not be created"
此傳遞/失敗腳本會驗證先前在 Surface Hub 和 Surface Hub 2S 上建立的裝置帳戶,併產生摘要報告或詳細的錯誤訊息。 例如:
15 tests executed
0 failures
2 warnings
15 passed
# SHAccountValidate.ps1
$ErrorActionPreference = "Stop"
# Cleans up set state such as remote powershell sessions
function Cleanup()
if ($sessEx)
Remove-PSSession $sessEx
if ($sessSfb)
Remove-PSSession $sessSfb
function PrintError($strMsg)
Write-Host $strMsg -foregroundcolor "red"
function PrintSuccess($strMsg)
Write-Host $strMsg -foregroundcolor "green"
function PrintAction($strMsg)
Write-Host $strMsg -ForegroundColor Cyan
# Cleans up and prints an error message
function CleanupAndFail($strMsg)
if ($strMsg)
exit 1
# Exits if there is an error set and prints the given message
function ExitIfError($strMsg)
if ($Error)
$strUpn = Read-Host "What is the email address of the account you wish to validate?"
if (!$strUpn.Contains('@'))
CleanupAndFail "$strUpn isn't a valid email address"
$strExServer = Read-Host "What is your exchange server? (leave blank for online tenants)"
if ($strExServer.Equals(""))
$fExIsOnline = $true
$fExIsOnline = $false
$credEx = Get-Credential -Message "Please provide exchange user credentials"
$strRegistrarPool = Read-Host ("What is the Skype for Business registrar pool for $strUpn" + "? (leave blank for online tenants)")
$fSfbIsOnline = $strRegistrarPool.Equals("")
$fHasOnPrem = $true
if ($fSfbIsOnline -and $fExIsOnline)
$strHasOnPrem = (Read-Host "Do you have an on-premises Active Directory (Y/N) (No if your domain services are hosted entirely online)").ToUpper()
} while ($strHasOnPrem -ne "Y" -and $strHasOnPrem -ne "N")
$fHasOnPrem = $strHasOnPrem.Equals("Y")
$fHasOnline = $false
if ($fSfbIsOnline -or $fExIsOnline)
$fHasOnline = $true
if ($fSfbIsOnline)
try {
Import-Module SkypeOnlineConnector
CleanupAndFail "To verify Skype for Business in online tenants you need the Lync Online Connector module from https://www.microsoft.com/download/details.aspx?id=39366"
$credSfb = (Get-Credential -Message "Please enter Skype for Business admin credentials")
if ($fHasOnline)
$credSfb = $credEx
try {
Import-Module MSOnline
CleanupAndFail "To verify accounts in online tenants you need the Azure Active Directory module for PowerShell from https://go.microsoft.com/fwlink/p/?linkid=236297"
PrintAction "Connecting to Exchange Powershell Session..."
[System.Management.Automation.Runspaces.AuthenticationMechanism] $authType = [System.Management.Automation.Runspaces.AuthenticationMechanism]::Kerberos
if ($fExIsOnline)
$authType = [System.Management.Automation.Runspaces.AuthenticationMechanism]::Basic
$sessEx = $null
if ($fExIsOnline)
$sessEx = New-PSSession -ConfigurationName microsoft.exchange -Credential $credEx -AllowRedirection -Authentication $authType -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -WarningAction SilentlyContinue
$sessEx = New-PSSession -ConfigurationName microsoft.exchange -Credential $credEx -AllowRedirection -Authentication $authType -ConnectionUri https://$strExServer/powershell -WarningAction SilentlyContinue
if (!$sessEx)
CleanupAndFail "Connecting to Exchange Powershell failed, please validate your server is accessible and credentials are correct"
PrintSuccess "Connected to Exchange Powershell Session"
PrintAction "Connecting to Skype for Business Powershell Session..."
if ($fSfbIsOnline)
$sessSfb = New-CsOnlineSession -Credential $credSfb
$sessSfb = New-PSSession -Credential $credSfb -ConnectionURI "https://$strRegistrarPool/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue
if (!$sessSfb)
CleanupAndFail "Connecting to Skype for Business Powershell failed, please validate your server is accessible and credentials are correct"
PrintSuccess "Connected to Skype for Business Powershell"
if ($fHasOnline)
$credMsol = $null
if ($fExIsOnline)
$credMsol = $credEx
elseif ($fSfbIsOnline)
$credMsol = $credSfb
CleanupAndFail "Internal error - could not determine MS Online credentials"
PrintAction "Connecting to Azure Active Directory Services..."
Connect-MsolService -Credential $credMsol
PrintSuccess "Connected to Azure Active Directory Services"
# This really shouldn't happen unless there is a network error
CleanupAndFail "Failed to connect to MSOnline"
PrintAction "Importing remote sessions into the local session..."
$importEx = Import-PSSession $sessEx -AllowClobber -WarningAction SilentlyContinue -DisableNameChecking
$importSfb = Import-PSSession $sessSfb -AllowClobber -WarningAction SilentlyContinue -DisableNameChecking
if (!$importEx -or !$importSfb)
CleanupAndFail "Import failed"
PrintSuccess "Import successful"
$mailbox = $null
$mailbox = Get-Mailbox -Identity $strUpn
if (!$mailbox)
CleanupAndFail "Account exists check failed. Unable to find the mailbox for $strUpn - please make sure the Exchange account exists on $strExServer"
$exchange = $null
if (!$fExIsOnline)
$exchange = Get-ExchangeServer
if (!$exchange -or !$exchange.IsE14OrLater)
CleanupAndFail "A compatible exchange server version was not found. Please use at least exchange 2010."
$strAlias = $mailbox.UserPrincipalName
$strDisplayName = $mailbox.DisplayName
$strLinkedAccount = $strLinkedDomain = $strLinkedUser = $strLinkedServer = $null
$credLinkedDomain = $Null
if (!$fExIsOnline -and ![System.String]::IsNullOrEmpty($mailbox.LinkedMasterAccount) -and !$mailbox.LinkedMasterAccount.EndsWith("\SELF"))
$strLinkedAccount = $mailbox.LinkedMasterAccount
$strLinkedDomain = $strLinkedAccount.substring(0,$strLinkedAccount.IndexOf('\'))
$strLinkedUser = $strLinkedAccount.substring($strLinkedAccount.IndexOf('\') + 1)
$strLinkedServer = Read-Host "What is the domain controller for the $strLinkedDomain"
$credLinkedDomain = (Get-Credential -Message "Please provide credentials for $strLinkedDomain")
PrintAction "Performing verification checks on $strDisplayName..."
$Global:iTotalFailures = 0
$global:iTotalWarnings = 0
$Global:iTotalPasses = 0
function Validate()
[bool] $Condition,
Write-Host -NoNewline -ForegroundColor White $Test.PadRight(100,'.')
if ($Condition)
Write-Host -ForegroundColor Green "Passed"
if ($WarningOnly)
Write-Host -ForegroundColor Yellow ("Warning: "+$FailureMsg)
Write-Host -ForegroundColor Red ("Failed: "+$FailureMsg)
## Exchange ##
Validate -WarningOnly -Test "The mailbox $strUpn is enabled as a room account" -Condition ($mailbox.RoomMailboxAccountEnabled -eq $True) -FailureMsg "RoomMailboxEnabled - without a device account, the Surface Hub won't be able to use various key features."
$calendarProcessing = Get-CalendarProcessing -Identity $strUpn -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
Validate -Test "The mailbox $strUpn is configured to accept meeting requests" -Condition ($calendarProcessing -ne $null -and $calendarProcessing.AutomateProcessing -eq 'AutoAccept') -FailureMsg "AutomateProcessing - the Surface Hub won't be able to send mail or sync its calendar."
Validate -WarningOnly -Test "The mailbox $strUpn won't delete meeting comments" -Condition ($calendarProcessing -ne $null -and !$calendarProcessing.DeleteComments) -FailureMsg "DeleteComments - the Surface Hub may be missing some meeting information on the welcome screen and Skype."
Validate -WarningOnly -Test "The mailbox $strUpn keeps private meetings private" -Condition ($calendarProcessing -ne $null -and !$calendarProcessing.RemovePrivateProperty) -FailureMsg "RemovePrivateProperty - the Surface Hub will make show private meetings."
Validate -Test "The mailbox $strUpn keeps meeting subjects" -Condition ($calendarProcessing -ne $null -and !$calendarProcessing.DeleteSubject) -FailureMsg "DeleteSubject - the Surface Hub won't keep meeting subject information."
Validate -WarningOnly -Test "The mailbox $strUpn does not prepend meeting organizers to subjects" -Condition ($calendarProcessing -ne $null -and !$calendarProcessing.AddOrganizerToSubject) -FailureMsg "AddOrganizerToSubject - the Surface Hub won't display meeting subjects as intended."
if ($fExIsOnline)
#No online specifics
#No onprem specifics
$casMailbox = Get-Casmailbox $strUpn -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
Validate -Test "The mailbox $strUpn has a mailbox policy" -Condition ($casMailbox -ne $null) -FailureMsg "PasswordEnabled - unable to find policy - the Surface Hub won't be able to send mail or sync its calendar."
if ($casMailbox)
$policy = $null
if ($fExIsOnline -or $exchange.IsE15OrLater)
$strPolicy = $casMailbox.ActiveSyncMailboxPolicy
$policy = Get-MobileDeviceMailboxPolicy -Identity $strPolicy -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
Validate -Test "The policy $strPolicy does not require a device password" -Condition ($policy.PasswordEnabled -ne $True) -FailureMsg "PasswordEnabled - policy requires a device password - the Surface Hub won't be able to send mail or sync its calendar."
$strPolicy = $casMailbox.ActiveSyncMailboxPolicy
$policy = Get-ActiveSyncMailboxPolicy -Identity $strPolicy -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
Validate -Test "The policy $strPolicy does not require a device password" -Condition ($policy.PasswordEnabled -ne $True) -FailureMsg "PasswordEnabled - policy requires a device password - the Surface Hub won't be able to send mail or sync its calendar."
if ($policy -ne $null)
Validate -Test "The policy $strPolicy allows non-provisionable devices" -Condition ($policy.AllowNonProvisionableDevices -eq $null -or $policy.AllowNonProvisionableDevices -eq $true) -FailureMsg "AllowNonProvisionableDevices - policy won't allow the SurfaceHub to sync"
# Check the default access level
$orgSettings = Get-ActiveSyncOrganizationSettings
$strDefaultAccessLevel = $orgSettings.DefaultAccessLevel
Validate -Test "ActiveSync devices are allowed" -Condition ($strDefaultAccessLevel -eq 'Allow') -FailureMsg "DeviceType Windows Mail is accessible - devices are not allowed by default - the surface hub won't be able to send mail or sync its calendar."
# Check if there exists a device access rule that bans the device type Windows Mail
$blockingRules = Get-ActiveSyncDeviceAccessRule | where {($_.AccessLevel -eq 'Block' -or $_.AccessLevel -eq 'Quarantine') -and $_.Characteristic -eq 'DeviceType'-and $_.QueryString -eq 'WindowsMail'}
Validate -Test "Windows mail devices are not blocked or quarantined" -Condition ($blockingRules -eq $null -or $blockingRules.Length -eq 0) -FailureMsg "DeviceType Windows Mail is accessible - devices are blocked or quarantined - the surface hub won't be able to send mail or sync its calendar."
## End Exchange ##
## SfB ##
$strLyncIdentity = $null
if ($fSfbIsOnline)
$strLyncIdentity = $strUpn
$strLyncIdentity = $strAlias
$lyncAccount = $null
try {
$lyncAccount = Get-CsMeetingRoom -Identity $strLyncIdentity -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
} catch {
try {
$lyncAccount = Get-CsUser -Identity $strLyncIdentity -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
} catch { }
Validate -Test "There is a Lync or Skype for Business account for $strLyncIdentity" -Condition ($lyncAccount -ne $null -and $lyncAccount.Enabled) -FailureMsg "SfB Enabled - there is no Skype for Business account - meetings won't support Skype for Business"
if ($lyncAccount)
Validate -Test "The meeting room has a SIP address" -Condition (![System.String]::IsNullOrEmpty($lyncAccount.SipAddress)) -FailureMsg "SfB Enabled - there is no SIP Address - the device account cannot be used to sign into Skype for Business."
## End SFB ##
if ($fHasOnline)
#License validation and password expiry
$accountOnline = Get-MsolUser -UserPrincipalName $strUpn -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
Validate -Test "There is an online user account for $strUpn" -Condition ($accountOnline -ne $null) -FailureMsg "Could not find a Microsoft Online account for this user even though some services are online"
if ($accountOnline)
Validate -Test "The password for $strUpn won't expire" -Condition ($accountOnline.PasswordNeverExpires -eq $True) -FailureMsg "PasswordNeverExpires - the admin needs to update the device account's password on the Surface Hub when it expires."
if ($fIsSfbOnline -and !$fIsExOnline)
$strLicenseFailureMsg = "Has O365 license - The devices won't be able to use Skype for Business services."
elseif ($fIsExOnline -and !$fIsSfbOnline)
$strLicenseFailureMsg = "Has O365 license - The devices won't be able to use Exchange Online services."
$strLicenseFailureMsg = "Has O365 license - The devices won't be able to use Skype for Business or Exchange Online services."
Validate -Test "$strUpn is licensed" -Condition ($accountOnline.IsLicensed -eq $True) -FailureMsg $strLicenseFailureMsg
Validate -Test "$strUpn is allowed to sign in" -Condition ($accountOnline.BlockCredential -ne $True) -FailureMsg "BlockCredential - This user isn't allowed to sign in."
#If there is an on-premises component, we can get the authoritative AD user from mailbox
if ($fHasOnPrem)
$accountOnPrem = $null
if ($strLinkedAccount)
$accountOnPrem = Get-AdUser $strLinkedUser -server $strLinkedServer -credential $credLinkedDomain -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
#AD User enabled validation
$accountOnPrem = Get-AdUser $mailbox.UserPrincipalName -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
$strOnPremUpn = $accountOnPrem.UserPrincipalName
Validate -Test "There is a user account for $strOnPremUpn" -Condition ($accountOnprem -ne $null) -FailureMsg "Could not find an Active Directory account for this user"
if ($accountOnPrem)
Validate -WarningOnly -Test "The password for $strOnPremUpn won't expire" -Condition ($accountOnprem.PasswordNeverExpires -eq $True) -FailureMsg "PasswordNeverExpires - the admin needs to update the device account's password on the Surface Hub when it expires."
Validate -Test "$strOnPremUpn is enabled" -Condition $accountOnPrem.Enabled -FailureMsg "AccountEnabled - this device account won't sign in"
$global:iTotalTests = ($global:iTotalFailures + $global:iTotalPasses + $global:iTotalWarnings)
Write-Host -NoNewline $global:iTotalTests "tests executed: "
Write-Host -NoNewline -ForegroundColor Red $Global:iTotalFailures "failures "
Write-Host -NoNewline -ForegroundColor Yellow $Global:iTotalWarnings "warnings "
Write-Host -ForegroundColor Green $Global:iTotalPasses "passes "
啟用商務用 Skype
此腳本可在裝置帳戶上啟用 商務用 Skype。 只有先前在帳戶建立期間並未啟用商務用 Skype 時,才能使用它。
## This script performs only the Enable for Skype for Business step on an account. It should only be run if this step failed in SHAccountCreate and the other steps have been completed ##
# EnableSfb.ps1
$ErrorActionPreference = "Stop"
# Cleans up set state such as remote powershell sessions
function Cleanup()
if ($sessCS)
Remove-PSSession $sessCS
function PrintError($strMsg)
Write-Host $strMsg -foregroundcolor "red"
function PrintSuccess($strMsg)
Write-Host $strMsg -foregroundcolor "green"
# Cleans up and prints an error message
function CleanupAndFail($strMsg)
if ($strMsg)
exit 1
# Exits if there is an error set and prints the given message
function ExitIfError($strMsg)
if ($Error)
## Check dependencies ##
$input = Read-Host "Is the account you wish to enable part of an online environment (enter O) or on-premises environment (enter P)"
if ($input -eq "P")
$online = $false
elseif ($input -eq "O")
$online = $true
CleanupAndFail "Invalid selection"
if ($online)
try {
Import-Module SkypeOnlineConnector
PrintError "Some dependencies are missing"
PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to https://www.microsoft.com/download/details.aspx?id=39366"
PrintError "Please install the Azure Active Directory module for PowerShell from https://go.microsoft.com/fwlink/p/?linkid=236297"
$strRegPool = Read-Host "Enter the FQDN of your Skype for Business Registrar Pool"
## Collect account data ##
Write-Host "----------- Enter info for the account to enable -----------." -foregroundcolor "magenta"
$strRoomUri=Read-Host 'Please enter the UPN of the account you are enabling (e.g. confroom@surfacehub.microsoft.com)'
if ([System.String]::IsNullOrEmpty($strRoomUri))
CleanupAndFail "Please enter all of the requested data to continue."
exit 1
Write-Host "--------------------------------------------------------------." -foregroundcolor "magenta"
## Sign in to remote powershell for exchange and lync online ##
Write-Host "`n------------------ Establishing connection -----------------." -foregroundcolor "magenta"
$credAdmin=Get-Credential -Message "Enter credentials of a Skype for Business admin"
if (!$credadmin)
CleanupAndFail("Valid admin credentials are required to create and prepare the account.");
Write-Host "Connecting to remote sessions. This can occasionally take a while - please do not enter input..."
if ($online)
$sessCS = New-CsOnlineSession -Credential $credAdmin
$sessCS = New-PSSession -Credential $credAdmin -ConnectionURI "https://$strRegPool/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue
CleanupAndFail("Failed to connect to Skype for Business server. Please check your credentials and try again. Error message: $_")
Import-PSSession $sessCS -AllowClobber
Write-Host "--------------------------------------------------------------." -foregroundcolor "magenta"
# Getting registrar pool
if ($online)
try {
$strRegPool = $null;
$strRegPool = (Get-CsTenant).RegistrarPool
} catch {}
if ($Error)
$strRegPool = "";
Write-Host "We failed to lookup your Skype for Business Registrar Pool, but you can still enter it manually"
$strRegPool = $strRegPool[0].Substring($strRegPool[0].IndexOf(':') + 1)
try {
Enable-CsMeetingRoom -Identity $strRoomUri -RegistrarPool $strRegPool -SipAddressType EmailAddress
catch {}
ExitIfError("Failed to setup Skype for Business meeting room")
PrintSuccess "Successfully enabled $strRoomUri as a Skype for Business meeting room"
實用的 Cmdlet
建立與 Surface Hub 相容的 ActiveSync 原則
如果 Surface Hub 會使用 Exchange 服務,就必須將利用相容 ActiveSync 原則所設定的裝置帳戶佈建在裝置上。 這個原則具有下列需求:
PasswordEnabled == 0
在下列 Cmdlet 中,$strPolicy
是 ActiveSync 原則的名稱,而 $strRoomUpn
是您想要套用原則的裝置帳戶的 UPN。
若要執行 Cmdlet,您必須設定遠端 PowerShell 工作階段,以及:
- 您的系統管理員帳戶必須啟用遠端 PowerShell。 此設定可讓系統管理員使用腳本所需的 PowerShell Cmdlet。 (您可以使用
set-user $admin -RemotePowerShellEnabled $true
來設定此權限)。 - 如果您打算執行建立指令碼,您的系統管理員帳戶就必須具備「重設密碼」角色。 此角色可讓系統管理員變更腳本所需的帳戶密碼。 您可以使用 Exchange 系統管理中心來啟用 \[重設密碼\] 角色。
# Create new policy with PasswordEnabled == false
New-MobileDeviceMailboxPolicy -Name $strPolicy -PasswordEnabled $false –AllowNonProvisionableDevices $true
# Convert user to regular type
Set-Mailbox $strRoomUpn -Type Regular
# Set policy for account
Set-CASMailbox $strRoomUpn -ActiveSyncMailboxPolicy $strPolicy
# Convert back to room mailbox
Set-Mailbox $strRoomUpn -Type Room
允許適用於 ActiveSync 的裝置識別碼
若要允許帳戶 $strRoomUpn
Set-CASMailbox –Identity $strRoomUpn –ActiveSyncAllowedDeviceIDs “<ID>”
Get-ActiveSyncDevice -Mailbox $strRoomUpn
此命令會擷取已布建帳戶之每個裝置的裝置資訊,包括 DeviceId
若要使裝置帳戶根據其可用性自動接受或拒絕會議邀請,AutomateProcessing 屬性必須設定為 AutoAccept。 建議使用這個屬性來防止會議重疊。
Set-CalendarProcessing $strRoomUpn -AutomateProcessing AutoAccept
如果裝置帳戶會接受外部會議邀請 (來自不同租用戶/網域之帳戶的會議邀請),就必須設定裝置帳戶以允許處理外部會議要求。 設定之後,裝置帳戶會自動接受或拒絕來自外部帳戶和本機帳戶的會議要求。
如果 AutomateProcessing 屬性未設定為 AutoAccept,則設定此設定沒有任何作用。
Set-CalendarProcessing $strRoomUpn -ProcessExternalMeetingMessages $true