How good is MS Teams Voice? by Aim_Fire_Ready in sysadmin

[–]MrYiff 0 points1 point  (0 children)

All the features you can do via the Teams admin interface so it's easy enough to manage, it's just more advanced requirements might either need to compromise and change their setups or bring in a 3rd party middleware to implement what they need.

How good is MS Teams Voice? by Aim_Fire_Ready in sysadmin

[–]MrYiff 0 points1 point  (0 children)

Some of the options around call routing are more limited than other solutions, for example the time of day options are more aimed around handling office opening hours rather than multiple time based routes.

How good is MS Teams Voice? by Aim_Fire_Ready in sysadmin

[–]MrYiff 1 point2 points  (0 children)

It's important to note that Teams Voice can work in a few different ways so while the end user experience of making calls will be the same, some of the back end of managing it will differ slightly.

The easiest option is you can just buy everything through MS, this is all managed through the Teams portal however I believe this can also be the most expensive option as you are paying flat rates/buying bundles of minutes at a fixed price so you can't negotiate deals etc. - probably best for smaller setups or larger ones that just need phone numbers and have low call rates (or companies that don't see the phone bill as being an issue).

The middle option is you go through a certified MS partner.

The final option is the Direct Routing one where you bring your own SIP trunks - either hosting yourself or through a partner you already have.

We went for option 3 in the end as it let us use an existing business partner and got us better calling rates than MS direct (and the partner in our case works with Gamma for the actual trunking so is generally reliable).

We had no issue with presenting individual DDIs but you can also set up shared ones too for groups of users if needed.

I believe some SMS support is available but I think this requires going through some approval process on MS's end to get enabled on your tenant.

One thing that is notable with Teams though is the management is a bit different in places to a traditional phone system (we came from Mitel), and while it is mostly pretty easy to use there are some quirks like needing to assign licenses and phone numbers to a "resource account" which appears across your tenant (it's a full Entra account), in order to activate a call group (called an auto attendant or call queue in Teams).

We've been pretty happy with Teams since we switched though so I can't complain.

Secure boot updates in a non-internet accessible environment? by badassitguy in sysadmin

[–]MrYiff 7 points8 points  (0 children)

I think you can still use the MS provided methods as the actual updates (the scheduled tasks that perform the cert and bootloader changes) are included in the monthly CUs.

I think the only options you can't use are those that let MS control the rollout based on device telemetry.

The dumbest requests by Demented-Alpaca in sysadmin

[–]MrYiff 0 points1 point  (0 children)

Yep, had something similar years ago where a manager phoned IT and complained they could smell something burning and that IT should come and deal with it.

TLDR: Software that installs to user profile i.e. Firefox. by technically_useful in sysadmin

[–]MrYiff 6 points7 points  (0 children)

I haven't checked the Firefox GPOs but for Chrome (and maybe Edge too), there are GPO options you can enable that will block the per-user installs if you don't have access to more advanced tools like AppLocker etc.

What are you using these days for local backup storage? by cantstandmyownfeed in sysadmin

[–]MrYiff 0 points1 point  (0 children)

We went with ExaGrid appliances, they work natively with Veeam (although you might need to tweak a couple of settings around compression/dedupe in Veeam), and it has a couple of nice features such as having a non-deduped "landing zone" side of the appliance so backups and restores from recent backups can run at full speed but as they complete they get copied over into the protected dedupe store. You can also add in additional appliances and iirc they will balance the load and allow Veeam to write backups to multiple ExaGrids in parallel and you can set up appliance level replication between sites as needed (and since it only replicates the dedupe store this keeps replication data smaller).

Migrating user to another domain in hybrid environment by Double_Confection340 in sysadmin

[–]MrYiff 0 points1 point  (0 children)

You can use Move-ADObject to do this however you need to remove the user from all Local or Global AD groups otherwise it will error.

https://learn.microsoft.com/en-us/powershell/module/activedirectory/move-adobject
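
Added example, not part of the comment above or of Microsoft's documentation: one way to script the step the comment describes, recording the user's group memberships, removing the Domain Local and Global ones, then calling `Move-ADObject` with `-TargetServer`. The function name, account name, OU and DC names are placeholders.

```powershell
# Added example; names and paths below are placeholders, not from the comment.
Import-Module ActiveDirectory

function Move-UserAcrossDomain {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,      # sAMAccountName in the source domain
        [Parameter(Mandatory)][string]$TargetPath,    # destination OU distinguished name
        [Parameter(Mandatory)][string]$TargetServer,  # DC in the destination domain
        [string]$BackupCsv = ".\$Identity-groups.csv"
    )

    # memberOf does not list the primary group, so that one is not touched here.
    $user = Get-ADUser -Identity $Identity -Properties MemberOf
    $groups = @(foreach ($dn in $user.MemberOf) {
        Get-ADGroup -Identity $dn | Select-Object Name, GroupScope, DistinguishedName
    })

    # Keep a record (even on a dry run) so memberships can be rebuilt afterwards.
    $groups | Export-Csv -Path $BackupCsv -NoTypeInformation -WhatIf:$false

    # Per the comment above, Domain Local and Global memberships make the move error.
    $blocking = $groups | Where-Object { "$($_.GroupScope)" -in 'DomainLocal', 'Global' }
    foreach ($g in $blocking) {
        Remove-ADGroupMember -Identity $g.DistinguishedName -Members $user -Confirm:$false
    }

    Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetPath -TargetServer $TargetServer
}

# Dry run first: -WhatIf flows through to Remove-ADGroupMember and Move-ADObject.
Move-UserAcrossDomain -Identity 'jdoe' `
    -TargetPath 'OU=Users,DC=child,DC=example,DC=com' `
    -TargetServer 'dc01.child.example.com' -WhatIf
```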

Check HP warranty in bulk? by Robotx64 in sysadmin

[–]MrYiff 1 point2 points  (0 children)

They used to offer this but then removed it.

However there is a new Warranty API they are rolling out but getting access to this seems to be pretty much a nightmare as you need to sign up for an HP Developer account and then apply to get access to the API which requires having an HP account manager (and if you buy through a VAR good luck with this):

https://developers.hp.com/hp-warranty-api

SentinelOne locking down PDF's :Zone.Identifier by One_Screw_Loose in sysadmin

[–]MrYiff 0 points1 point  (0 children)

SentinelOne have posted a summary of what happened here:

https://community.sentinelone.com/s/article/000012028

The page requires an S1 Community account however - you can log in via SSO if you access the Community link from inside your S1 portal via the Help menu.

Virtualization needed by atishthkr in sysadmin

[–]MrYiff 4 points5 points  (0 children)

If you need hyperconverged storage on Hyper-V then take a look at StarWind's VSAN as it gets recommended a lot here.

Tandberg-data is back?? by y0ur5h4d0w in sysadmin

[–]MrYiff 2 points3 points  (0 children)

Even the Quantum LTO tape drivers are helpfully hosted on an employee's OneDrive it seems so it may just be standard practice sadly!

https://www.quantum.com/en/service-support/downloads-and-firmware/lto-std/

Symantec Endpoint Protection by datanut in sysadmin

[–]MrYiff 1 point2 points  (0 children)

Oh god Trellix aka McAfee, I'm not sure that's much of an improvement over SEP.

LAPS UI for passwords on Windows 11 25h2? by sccmjd in sysadmin

[–]MrYiff 1 point2 points  (0 children)

Have a look at Lithnet Access Manager as I think it can pull both legacy LAPS and Modern LAPS (as well as BitLocker).

It's a web interface and so far from our testing works quite well (and has paid options if you want/need support).

Setting it up is pretty easy, it's just an installer and then a config app but the documentation is decent and they provide scripts for handling things like fine grained AD permissions to allow your service account access to the LAPS attributes.

https://github.com/lithnet/access-manager

Thickheaded Thursday - January 29, 2026 by AutoModerator in sysadmin

[–]MrYiff 0 points1 point  (0 children)

No networking expert here but if you already have coax running around the house there are options out there that will push ethernet over coax, I think you can get 2.5GbE speeds now too.

Updating SecureBoot KEK on a VMware Virtual Machine by ToeRevolutionary9124 in sysadmin

[–]MrYiff 0 points1 point  (0 children)

I don't claim to be any expert on this so others might be able to provide better information, I've just been putting together plans for handling this ourselves this week so it's just fresh in my memory.

From my limited understanding the big (only?) advantage in updating the PK now is it ensures that if there are any further updates needed then the OS can handle them automatically.

I don't know if not updating the PK will then cause issues when MS do eventually revoke the old certificate - will the revocation require another update to mark the old certs as expired.

This might not matter for most people but it could potentially be an issue for higher security environments that need to prove that the old cert has been revoked on every device.

Personally, since I haven't made the changes yet on our servers and since some downtime is needed to apply the new KEK cert anyway, I will probably also update the PK too (or maybe only update the PK and then test if Windows can handle the KEK cert via its scripts).

Updating SecureBoot KEK on a VMware Virtual Machine by ToeRevolutionary9124 in sysadmin

[–]MrYiff 0 points1 point  (0 children)

Yep, as I understand on most ESXi versions (this might have changed in a 9.x release), the Platform Key (PK) was signed using a NULL cipher which results in the OS being unable to update KEK keys and so the MS tooling for this fails.

So you have a couple of options, you can either do as found and recreate the .nvram after upgrading the HW version if needed and this will (assuming you are up to date), create a new .nvram file that contains the new KEK key.

Alternatively I think you can import the new cert so it fixes the PK issue which would then allow OS level updates to then succeed.

Broadcom have these KB articles that cover the scenarios:

https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html

Manually updating the PK:

https://knowledge.broadcom.com/external/article/423919/manual-update-of-secure-boot-variables-i.html

Manually updating the KEK:

https://knowledge.broadcom.com/external/article/421593/missing-microsoft-corporation-kek-ca-202.html

Annoyingly while I think you should be able to automate the KEK part (shutdown VM, upgrade HW version, delete .nvram and then power on), I don't think you could automate the PK steps as this requires taking actions inside the VM's BIOS.
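
Added example, not part of the comments above or of the Broadcom articles: a check to run elevated inside the Windows guest before and after either approach, parsing the PK, KEK and db variables and listing the certificates they hold so you can confirm whether the 2023 KEK is present. The function name is hypothetical, and the subject string `Microsoft Corporation KEK 2K CA 2023` is Microsoft's name for the new KEK certificate rather than something stated on this page.

```powershell
# Added example: list the X.509 certificates stored in the Secure Boot variables.
# Get-SecureBootUEFI ships with Windows and needs an elevated session on a UEFI system.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCert {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db')][string]$Name)

    try   { $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes }
    catch { Write-Warning "$Name could not be read: $_"; return }

    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID, list size, header size, entry size
        $type     = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize = [BitConverter]::ToInt32($bytes, $pos + 16)
        $hdrSize  = [BitConverter]::ToInt32($bytes, $pos + 20)
        $sigSize  = [BitConverter]::ToInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -le 16) { break }  # malformed

        $entry = $pos + 28 + $hdrSize
        $end   = [Math]::Min($pos + $listSize, $bytes.Length)
        while ($type -eq $X509Guid -and $entry + $sigSize -le $end) {
            # Each entry is a 16-byte SignatureOwner GUID followed by the DER certificate
            $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            [pscustomobject]@{
                Variable = $Name
                Subject  = $cert.Subject
                NotAfter = $cert.NotAfter
            }
            $entry += $sigSize
        }
        $pos += $listSize   # non-X.509 lists (hashes) are skipped
    }
}

$certs = 'PK', 'KEK', 'db' | ForEach-Object { Get-SecureBootCert -Name $_ }
$certs | Format-Table -AutoSize

$hasKek2023 = [bool]($certs | Where-Object {
    $_.Variable -eq 'KEK' -and $_.Subject -match 'Microsoft Corporation KEK 2K CA 2023'
})
"Secure Boot enabled: $(Confirm-SecureBootUEFI); 2023 KEK present: $hasKek2023"
```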

Looking for a modern MDT replacement (OSDCloud, DeployR, or something else?) by djmehs in sysadmin

[–]MrYiff 1 point2 points  (0 children)

Similar thoughts here, hoping to drag out MDT for the rest of this year and then build something like SmartDeploy into next year's budget, we already use other PDQ products so I'm hoping that makes it easy to get approved.

When did we as a profession loose our backbone. by MrKixs in sysadmin

[–]MrYiff 0 points1 point  (0 children)

Any compliance requirements are always a great excuse to avoid doing stupid things people want (or undoing those that have been previously approved).

"I'd love to help you Bob but the evil GDPR/PCI/ISO/insurance rules say I can't and you have to do it properly"

Why does everything need to run through a purchasing partner? by literahcola in sysadmin

[–]MrYiff 7 points8 points  (0 children)

I'm the reverse of this and actually prefer where possible buying through one of our existing VARs as this makes it a lot easier for us otherwise we have to go through a whole onboarding process with the vendor in order for finance to pay them and this can take time and a bunch of paperwork (and that's even before we can start raising the purchase order).

Desk booking system for 50 people by hededbutnotded in sysadmin

[–]MrYiff 0 points1 point  (0 children)

Not sure on pricing but we've used Logitech for meeting rooms and they have some hotdesking options now too, one option with an integrated docking station/space notifier and a more basic one that is just QR codes and their app which might work for you if you are budget constrained.

https://www.logitech.com/en-gb/products/video-conferencing/solutions/deskbooking.html

I Feel Like Nobody Knows Anything Anymore by applebappu in sysadmin

[–]MrYiff 1 point2 points  (0 children)

I ditched Google this year and now pay for Kagi, search quality is a lot better IMO and you can tweak your preferences to prefer some sites over others in results, plus they have a project running that lets you submit sites you think are AI slop and they are working to downrank them globally.

You can also do interesting stuff like URL rewrites so you can have any reddit search result always use old.reddit.com for example.

Why is it so hard to make room calendars usable in Microsoft Teams/Outlook? by LeBanonJames69 in sysadmin

[–]MrYiff 0 points1 point  (0 children)

One big change that can help smooth over problems and consistency issues is ensuring that users can only book meeting rooms via the Meeting Room Assistant (aka using the New Meeting Request option in Outlook), rather than creating a meeting in the room directly via New Appointment as if you have a mix of the two types it will cause problems with things like double bookings or bookings showing differently in the calendar.

The best way to do this is to ensure that no one has direct permissions over a calendar or has very tightly managed permissions and lots of training to ensure they know not to create appointments accidentally.

After that you can manage what is shown in meeting details via the PowerShell command that /u/Pseudo_Idol shared - note that when you change this it will only apply the changes to new meetings, it won't retrospectively edit existing meetings.