Security Archives - Page 34 of 94

Macros from the internet will be blocked by default in Office

VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we’re changing the default behavior of Office applications to block macros in files from the internet.

With this change, when users open a file that came from the internet, such as an email attachment, and that file contains macros, the following message will be displayed:

Security risk banner about blocked macros with a Learn More button

The Learn More button goes to an article for end users and information workers that contains information about the security risk of bad actors using macros, safe practices to prevent phishing and malware, and instructions on how to enable these macros (if absolutely needed).

In some cases, users will also see the message if the file is from a location within your intranet that’s not identified as being trusted. For example, if users are accessing files on a network share by using the share’s IP address. For more information, see Files centrally located on a network share or trusted website.

Important

Even before this change we’re introducing, organizations could use the Block macros from running in Office files from the Internet policy to prevent users from inadvertently opening files from the internet that contain macros. We recommend enabling this policy as part of the security baseline for Microsoft 365 Apps for enterprise. If you do configure the policy, your organization won’t be affected by this default change.

For more information, see Use policies to manage how Office handles macros.

Prepare for this change

To prepare for this change, we recommend that you work with the business units in your organization that use macros in Office files that are opened from locations such as intranet network shares or intranet websites. You’ll want to identify those macros and determine what steps to take to keep using those macros. You’ll also want to work with independent software vendors (ISVs) that provide macros in Office files from those locations. For example, to see if they can digitally sign their code and you can treat them as a trusted publisher.

Also, review the following information:

Preparation action	More information
Understand which versions and which update channels have this change (as we roll out this change)	Versions of Office affected by this change
See a flow chart of the process Office takes to determine whether to run macros in a file	How Office determines whether to run macros in files from the internet
Identify files with VBA macros that might be blocked using the Readiness Toolkit	Use the Readiness Toolkit to identify files with VBA macros that might be blocked
Learn about policies that you can use to control VBA macro execution	Use policies to manage how Office handles macros

Steps to take to allow VBA macros to run in files that you trust

How you allow VBA macros to run in files that you trust depends on where those files are located or the type of file.

The following table list different common scenarios and possible approaches to take to unblock VBA macros and allow them to run. You don’t have to do all possible approaches for a given scenario. In the cases where we have listed multiple approaches, pick the one that best suits your organization.

Scenario	Possible approaches to take
Individual files	• Select the Unblock checkbox on the General tab of the Properties dialog for the file • Use the Unblock-File cmdlet in PowerShell For more information, see Remove Mark of the Web from a file.
Files centrally located on a network share or trusted website	Unblock the file using an approach listed under “Individual files.” If there isn’t an Unblock checkbox and you want to trust all files in that network location: • Designate the location as a Trusted site • Add the location to the Local intranet zone For more information, see Files centrally located on a network share or trusted website.
Files stored on OneDrive or SharePoint, including a site used by a Teams channel	• Have users directly open the file by using the Open in Desktop App option • If users download the file locally before opening it, remove Mark of the Web from the local copy of the file (see the approaches under “Individual files”) • Designate the location as a Trusted site For more information, see Files on OneDrive or SharePoint.
Macro-enabled template files for Word, PowerPoint, and Excel	If the template file is stored on the user’s device: • Remove Mark of the Web from the template file (see the approaches under “Individual files”) • Save the template file to a Trusted Location If the template file is stored on a network location: • Use a digital signature and trust the publisher • Trust the template file (see the approaches under “Files centrally located on a network share or trusted website”) For more information, see Macro-enabled template files for Word, PowerPoint, and Excel.
Macro-enabled add-in files for PowerPoint	• Remove Mark of the Web from the Add-in file • Use a digital signature and trust the publisher • Save the Add-in file to a Trusted Location For more information, see Macro-enabled add-in files for PowerPoint and Excel.
Macro-enabled add-in files for Excel	• Remove Mark of the Web from the Add-in file • Save the Add-in file to a Trusted Location For more information, see Macro-enabled add-in files for PowerPoint and Excel.
Macros that are signed by a trusted publisher	• [recommended] Deploy the public code-signing certificate for the trusted publisher to your users and prevent your users from adding trusted publishers themselves. • Remove Mark of the Web from the file, and have the user add the publisher of the macro as a trusted publisher. For more information, see Macros that are signed by a trusted publisher	.
Groups of files saved to folders on the user’s device	Designate the folder a Trusted Location For more information, see Trusted Locations.

Versions of Office affected by this change

This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word.

The change began rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Monthly Enterprise Channel and Semi-Annual Enterprise Channel.

The following table shows the forecasted schedule of when this change will be available in each update channel. Information in italics is subject to change.

Update channel	Version	Date
Current Channel (Preview)	Version 2203	Started rolling out on April 12, 2022
Current Channel	Version 2206	Started rolling out on July 27, 2022
Monthly Enterprise Channel	Version 2208	October 11, 2022
Semi-Annual Enterprise Channel (Preview)	Version 2208	October 11, 2022
Semi-Annual Enterprise Channel	Version 2208	January 10, 2023

Note

As we roll out this change to Current Channel over the next few weeks, not all customers will see the change right away.

The change doesn’t affect Office on a Mac, Office on Android or iOS devices, or Office on the web.

How Office determines whether to run macros in files from the internet

The following flowchart graphic shows how Office determines whether to run macros in a file from the internet.

The following steps explain the information in the flowchart graphic, except for Excel Add-in files. For more information about those files, see Macro-enabled add-in files for PowerPoint and Excel. Also, if a file is located on a network share that isn’t in the Local intranet zone or isn’t a trusted site, macros will be blocked in that file.

A user opens an Office file containing macros obtained from the internet. For example, an email attachment. The file has Mark of the Web (MOTW).

Note

Mark of the Web is added by Windows to files from an untrusted location, such as the internet or Restricted Zone. For example, browser downloads or email attachments. For more information, see Mark of the Web and zones.
Mark of the Web only applies to files saved on an NTFS file system, not files saved to FAT32 formatted devices.

If the file is from a Trusted Location, the file is opened with the macros enabled. If the file isn’t from a Trusted Location, the evaluation continues.
If the macros are digitally signed and the matching Trusted Publisher certificate is installed on the device, the file is opened with the macros enabled. If not, then the evaluation continues.
Policies are checked to see if macros are allowed or blocked. If the policies are set to Not Configured, the evaluation continues to Step 6.
(a) If macros are blocked by policy, the macros are blocked.
(b) If the macros are enabled by policy, the macros are enabled.
If the user had previously opened the file, before this change in default behavior, and had selected Enable content from the Trust Bar, then the macros are enabled because the file is considered trusted.

Note

For more information, see New security hardening policies for Trusted Documents.
For perpetual versions of Office, such as Office LTSC 2021 or Office 2019, this step occurs after Step 3 and before Step 4, and isn’t affected by the change coming to Current Channel.

This step is where the change to the default behavior of Office takes effect. With this change, macros in files from the internet are blocked and users will see the Security Risk banner when they open the file.

Note

Previously, before this change in default behavior, the app would check to see if the VBA Macro Notification Settings policy was enabled and how it was configured.

If the policy was set to Disabled or Not Configured, then the app would check the settings under File > Options > Trust Center > Trust Center Settings… > Macro Settings. The default is set to “Disable all macros with notification,” which allows users to enable content in the Trust Bar.

Guidance on allowing VBA macros to run in files you trust

Remove Mark of the Web from a file

For an individual file, such as a file downloaded from an internet location or an email attachment the user has saved to their local device, the simplest way to unblock macros is to remove Mark of the Web. To remove, right-click on the file, choose Properties, and then select the Unblock checkbox on the General tab.

File properties dialog showing the choice to unblock

Note

In some cases, usually for files on a network share, users might not see the Unblock checkbox for a file where macros are being blocked. For those cases, see Files centrally located on a network share or trusted website.
Even if the Unblock checkbox is available for a file on a network share, selecting the checkbox won’t have any effect if the share is considered to be in the Internet zone. For more information, see Mark of the Web and zones.

You can also use the Unblock-File cmdlet in PowerShell to remove the ZoneId value from the file. Removing the ZoneId value will allow VBA macros to run by default. Using the cmdlet does the same thing as selecting the Unblock checkbox on the General tab of the Properties dialog for the file. For more information about the ZoneId value, see Mark of the Web and zones.

If you have your users access files from a trusted website or an internal file server, you can do either of the following steps so that macros from those locations won’t be blocked.

Designate the location as a Trusted site
If the network location is on the intranet, add the location to the Local intranet zone

Note

If you add something as a trusted site, you’re also giving the entire site elevated permissions for scenarios not related to Office.
For the Local intranet zone approach, we recommend you save the files to a location that’s already considered part of the Local intranet zone, instead of adding new locations to that zone.
In general, we recommend that you use trusted sites, because they have some additional security compared to the Local intranet zone.

For example, if users are accessing a network share by using its IP address, macros in those files will be blocked unless the file share is in the Trusted sites or the Local intranet zone.

Tip

To see a list of trusted sites or what’s in the Local intranet zone, go to Control Panel > Internet Options > Change security settings on a Windows device.
To check if an individual file is from a trusted site or local intranet location, see Mark of the Web and zones.

For example, you could add a file server or network share as a trusted site, by adding its FQDN or IP address to the list of trusted sites.

If you want to add URLs that begin with http:// or network shares, clear the Require server verification (https:) for all sites in this zone checkbox.

Important

Because macros aren’t blocked in files from these locations, you should manage these locations carefully. Be sure you control who is allowed to save files to these locations.

You can use Group Policy and the “Site to Zone Assignment List” policy to add locations as trusted sites or to the Local intranet zone for Windows devices in your organization. This policy is found under Windows Components\Internet Explorer\Internet Control Panel\Security Page in the Group Policy Management Console. It’s available under both Computer Configuration\Policies\Administrative Templates and User Configuration\Policies\Administrative Templates.

Files on OneDrive or SharePoint

If a user downloads a file on OneDrive or SharePoint by using a web browser, the configuration of the Windows internet security zone (Control Panel > Internet Options > Security) will determine whether the browser sets Mark of the Web. For example, Microsoft Edge sets Mark of the Web on a file if it’s determined to be from the Internet zone.
If a user selects Open in Desktop App in a file opened from the OneDrive website or from a SharePoint site (including a site used by a Teams channel), then the file won’t have Mark of the Web.
If a user has the OneDrive sync client running and the sync client downloads a file, then the file won’t have Mark of the Web.
Files that are in Windows known folders (Desktop, Documents, Pictures, Screenshots, and Camera Roll), and are synced to OneDrive, don’t have Mark of the Web.
If you have a group of users, such as the Finance department, that need to use files from OneDrive or SharePoint without macros being blocked, here are some possible options:
- Have them open the file by using the Open in Desktop App option
- Have them download the file to a Trusted Location.
- Set the Windows internet security zone assignment for OneDrive or SharePoint domains to Trusted Sites. Admins can use the “Site to Zone Assignment List” policy and configure the policy to place https://{your-domain-name}.sharepoint.com (for SharePoint) or https://{your-domain-name}-my.sharepoint.com (for OneDrive) into the Trusted Sites zone.
  - This policy is found under Windows Components\Internet Explorer\Internet Control Panel\Security Page in the Group Policy Management Console. It’s available under both Computer Configuration\Policies\Administrative Templates and User Configuration\Policies\Administrative Templates.
  - SharePoint permissions and OneDrive sharing aren’t changed by adding these locations to Trusted Sites. Maintaining access control is important. Anyone with permissions to add files to SharePoint could add files with active content, such as macros. Users who download files from domains in the Trusted Sites zone will bypass the default to block macros.

Macro-enabled template files for Word, PowerPoint, and Excel

Macro-enabled template files for Word, PowerPoint, and Excel that are downloaded from the internet will have Mark of the Web. For example, template files with the following extensions:

.dot
.dotm
.pot
.potm
.xlt
.xltm

When the user opens the macro-enabled template file, the user will be blocked from running the macros in the template file. If the user trusts the source of the template file, they can remove Mark of the Web from the template file, and then reopen the template file in the Office app.

If you have a group of users that need to use macro-enabled templates without macros being blocked, you can take either of the following actions:

Use a digital signature and trust the publisher.
If you’re not using digital signatures, you can save the template file to a Trusted Location and have users get the template file from that location.

Macro-enabled add-in files for PowerPoint and Excel

Macro-enabled Add-in files for PowerPoint and Excel that are downloaded from the internet will have Mark of the Web. For example, Add-in files with the following extensions:

.ppa
.ppam
.xla
.xlam

When the user tries to install the macro-enabled Add-in, by using File > Options > Add-ins or by using the Developer ribbon, the Add-in will be loaded in a disabled state and the user will be blocked from using the Add-in. If the user trusts the source of the Add-in file, they can remove Mark of the Web from the Add-in file, and then reopen PowerPoint or Excel to use the Add-in.

If you have a group of users that need to use macro-enabled Add-in files without macros being blocked, you can take the following actions.

For PowerPoint Add-in files:

Remove Mark of the Web from the .ppa or .ppam file.
Use a digital signature and trust the publisher.
Save the Add-in file to a Trusted Location for users to retrieve.

For Excel Add-in files:

Remove Mark of the Web from the .xla or .xlam file.
Save the Add-in file to a Trusted Location for users to retrieve.

Note

Using a digital signature and trusting the publisher doesn’t work for Excel Add-in files that have Mark of the Web. This behavior isn’t new for Excel Add-in files that have Mark of the Web. It’s worked this way since 2016, as a result of a previous security hardening effort (related to Microsoft Security Bulletin MS16-088).

Macros that are signed by a trusted publisher

If the macro is signed and you’ve validated the certificate and trust the source, you can make that source a trusted publisher. We recommend, if possible, that you manage trusted publishers for your users. For more information, see Trusted publishers for Office files.

If you have just a few users, you can have them remove Mark of the Web from the file and then add the source of the macro as a trusted publisher on their devices.

Warning

All macros validly signed with the same certificate are recognized as coming from a trusted publisher and are run.
Adding a trusted publisher could affect scenarios beyond those related to Office, because a trusted publisher is a Windows-wide setting, not just an Office-specific setting.

Trusted Locations

Saving files from the internet to a Trusted Location on a user’s device ignores the check for Mark of the Web and opens with VBA macros enabled. For example, a line of business application could send reports with macros on a recurring basis. If files with macros are saved to a Trusted Location, users won’t need to go to the Properties for the file, and select Unblock to allow the macros to run.

Because macros aren’t blocked in files saved to a Trusted Location, you should manage Trusted Locations carefully and use them sparingly. Network locations can also be set as a Trusted Location, but it’s not recommended. For more information, see Trusted Locations for Office files.

Additional information about Mark of the Web

Mark of the Web and Trusted Documents

When a file is downloaded to a device running Windows, Mark of the Web is added to the file, identifying its source as being from the internet. Currently, when a user opens a file with Mark of the Web, a SECURITY WARNING banner appears, with an Enable content button. If the user selects Enable content, the file is considered a Trusted Document, and macros are allowed to run. The macros will continue to run even after the change of default behavior to block macros in files from the internet is implemented, because the file is still considered a Trusted Document.

After the change of default behavior to block macros in files from the internet, users will see a different banner the first time they open a file with macros from the internet. This SECURITY RISK banner doesn’t have the option to Enable content. But users will be able to go to the Properties dialog for the file, and select Unblock, which will remove Mark of the Web from the file and allow the macros to run, as long as no policy or Trust Center setting is blocking.

Mark of the Web and zones

By default, Mark of the Web is added to files only from the Internet or Restricted sites zones.

Tip

To see these zones on a Windows device, go to Control Panel > Internet Options > Change security settings.

You can view the ZoneId value for a file by running the following command at a command prompt, and replacing {name of file} with your file name.

ConsoleCopy

notepad {name of file}:Zone.Identifier

When you run this command, Notepad will open and display the ZoneId under the [ZoneTransfer] section.

Here’s a list of ZoneId values and what zone they map to.

0 = My Computer
1 = Local intranet
2 = Trusted sites
3 = Internet
4 = Restricted sites

For example, if the ZoneId is 2, VBA macros in that file won’t be blocked by default. But if the ZoneId is 3, macros in that file will be blocked by default.

You can use the Unblock-File cmdlet in PowerShell to remove the ZoneId value from the file. Removing the ZoneId value will allow VBA macros to run by default. Using the cmdlet does the same thing as selecting the Unblock checkbox on the General tab of the Properties dialog for the file.

Use the Readiness Toolkit to identify files with VBA macros that might be blocked

To identify files that have VBA macros that might be blocked from running, you can use the Readiness Toolkit for Office add-ins and VBA, which is a free download from Microsoft.

The Readiness Toolkit includes a standalone executable that can be run from a command line or from within a script. You can run the Readiness Toolkit on a user’s device to look at files on the user’s device. Or you can run it from your device to look at files on a network share.

When you run the standalone executable version of the Readiness Toolkit, a JSON file is created with the information collected. You’ll want to save the JSON files in a central location, such as a network share. Then you’ll run the Readiness Report Creator, which is a UI wizard version of the Readiness Toolkit. This wizard will consolidate the information in the separate JSON files into a single report in the form of an Excel file.

To identify files that might be impacted by using the Readiness Toolkit, follow these basic steps:

Download the most current version of the Readiness Toolkit from the Microsoft Download Center. Make sure you’re using at least Version 1.2.22161, which was released on June 14, 2022.
Install the Readiness Toolkit.
From a command prompt, go to the folder where you installed the Readiness Toolkit and run the ReadinessReportCreator.exe command with the blockinternetscan option.For example, if you want to scan files in the c:\officefiles folder (and all its subfolders) on a device and save the JSON file with the results to the Finance share on Server01, you can run the following command.

ConsoleCopy

ReadinessReportCreator.exe -blockinternetscan -p c:\officefiles\ -r -output \\server01\finance -silent

After you’ve done all your scans, run the Readiness Report Creator.
On the Create a readiness report page, select Previous readiness results saved together in a local folder or network share, and then specify the location where you saved all the files for the scans.
On the Report settings page, select Excel report, and then specify a location to save the report.
When you open the report in Excel, go to the VBA Results worksheet.
In the Guideline column, look for Blocked VBA file from Internet.

For more detailed information about using the Readiness Toolkit, see Use the Readiness Toolkit to assess application compatibility for Microsoft 365 Apps.

Use policies to manage how Office handles macros

You can use policies to manage how Office handles macros. We recommend that you use the Block macros from running in Office files from the Internet policy. But if that policy isn’t appropriate for your organization, the other option is the VBA Macro Notification Settings policy.

For more information on how to deploy these policies, see Tools available to manage policies.

Important

You can only use policies if you’re using Microsoft 365 Apps for enterprise. Policies aren’t available for Microsoft 365 Apps for business.

Block macros from running in Office files from the Internet

This policy prevents users from inadvertently opening files containing macros from the internet. When a file is downloaded to a device running Windows, or opened from a network share location, Mark of the Web is added to the file identifying it was sourced from the internet.

We recommend enabling this policy as part of the security baseline for Microsoft 365 Apps for enterprise. You should enable this policy for most users and only make exceptions for certain users as needed.

There’s a separate policy for each of the five applications. The following table shows where each policy can be found in the Group Policy Management Console under User Configuration\Policies\Administrative Templates:

Application	Policy location
Access	Microsoft Access 2016\Application Settings\Security\Trust Center
Excel	Microsoft Excel 2016\Excel Options\Security\Trust Center
PowerPoint	Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
Visio	Microsoft Visio 2016\Visio Options\Security\Trust Center
Word	Microsoft Word 2016\Word Options\Security\Trust Center

Which state you choose for the policy determines the level of protection you’re providing. The following table shows the current level of protection you get with each state, before the change in default behavior is implemented.

Protection level	Policy state	Description
Protected [recommended]	Enabled	Users will be blocked from running macros in files obtained from the internet. Part of the Microsoft recommended security baseline.
Not protected	Disabled	Will respect the settings configured under File > Options > Trust Center > Trust Center Settings… > Macro Settings.
Not protected	Not Configured	Will respect the settings configured under File > Options > Trust Center > Trust Center Settings… > Macro Settings.

Note

If you set this policy to Disabled, users will see, by default, a security warning when they open a file with a macro. That warning will let users know that macros have been disabled, but will allow them to run the macros by choosing the Enable content button.
This warning is the same warning users have been shown previously, prior to this recent change we’re implementing to block macros.
We don’t recommend setting this policy to Disabled permanently. But in some cases, it might be practical to do so temporarily as you test out how the new macro blocking behavior affects your organization and as you develop a solution for allowing safe usage of macros.

After we implement the change to the default behavior, the level of protection changes when the policy is set to Not Configured.

Icon	Protection level	Policy state	Description
	Protected	Not Configured	Users will be blocked from running macros in files obtained from the internet. Users will see the Security Risk banner with a Learn More button

VBA Macro Notification Settings

If you don’t use the “Block macros from running in Office files from the Internet” policy, you can use the “VBA Macro Notification Settings” policy to manage how macros are handled by Office.

This policy prevents users from being lured into enabling malicious macros. By default, Office is configured to block files that contain VBA macros and display a Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but can’t use any disabled functionality until they select Enable Content on the Trust Bar. If the user selects Enable Content, then the file is added as a Trusted Document and macros are allowed to run.

Application	Policy location
Access	Microsoft Access 2016\Application Settings\Security\Trust Center
Excel ^[1]	Microsoft Excel 2016\Excel Options\Security\Trust Center
PowerPoint	Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
Visio	Microsoft Visio 2016\Visio Options\Security\Trust Center
Word	Microsoft Word 2016\Word Options\Security\Trust Center

Note

^[1] For Excel, the policy is named Macro Notification Settings.
The “VBA Macro Notification Settings” policy is also available for Project and Publisher.

Which state you choose for the policy determines the level of protection you’re providing. The following table shows the level of protection you get with each state.

Protection level	Policy state	Policy value
Protected [recommended]	Enabled	Disable all except digitally signed macros (and select “Require macros to be signed by a trusted publisher”)
Protected	Enabled	Disable all without notification
Partially protected	Enabled	Disable all with notification
Partially protected	Disabled	(Same behavior as “Disable all with notification”)
Not protected	Enabled	Enable all macros (not recommended)

Important

Securing macros is important. For users that don’t need macros, turn off all macros by choosing “Disable all without notification.”

Our security baseline recommendation is that you should do the following:

Enable the “VBA Macro Notification Settings” policy.
For users that need macros, choose “Disable all except digitally signed macros” and then select “Require macros to be signed by a trusted publisher.” The certificate needs to be installed as a Trusted Publisher on users’ devices.

If you don’t configure the policy, users can configure macro protection settings under File > Options > Trust Center > Trust Center Settings… > Macro Settings.

The following table shows the choices users can make under Macro Settings and the level of protection each setting provides.

Icon	Protection level	Setting chosen
	Protected	Disable all macros except digitally signed macros
	Protected	Disable all macros without notification
	Partially protected	Disable all macros with notification (default)
	Not protected	Enable all macros (not recommended; potentially dangerous code can run)

Note

In the policy setting values and the product UI for Excel, the word “all” is replaced by “VBA.” For example, “Disable VBA macros without notification.”

Tools available to manage policies

There are several tools available to you to configure and deploy policy settings to users in your organization.

Cloud Policy

You can use Cloud Policy to configure and deploy policy settings to devices in your organization, even if the device isn’t domain joined. Cloud Policy is a web-based tool and is found in the Microsoft 365 Apps admin center.

In Cloud Policy, you create a policy configuration, assign it to a group, and then select policies to be included in the policy configuration. To select a policy to include, you can search by the name of the policy. Cloud Policy also shows which policies are part of the Microsoft recommended security baseline. The policies available in Cloud Policy are the same User Configuration policies that are available in the Group Policy Management Console.

For more information, see Overview of Cloud Policy service for Microsoft 365.

Microsoft Endpoint Manager admin center

In the Microsoft Endpoint Manager admin center, you can use either the Settings catalog (preview) or Administrative Templates to configure and deploy policy settings to your users for devices running Windows 10 or later.

To get started, go to Devices > Configuration profiles > Create profile. For Platform, choose Windows 10 and later and then choose the profile type.

For more information, see the following articles:

Group Policy Management Console

If you have Windows Server and Active Directory Domain Services (AD DS) deployed in your organization, you can configure policies by using Group Policy. To use Group Policy, download the most current Administrative Template files (ADMX/ADML) for Office, which include the policy settings for Microsoft 365 Apps for enterprise. After you copy the Administrative Template files to AD DS, you can use the Group Policy Management Console to create Group Policy Objects (GPOs) that include policy settings for your users, and for domain joined devices.

UniFi Talk – Use UniFi Talk devices

This article describes how to use your UniFi Talk devices once they’re set up and configured in the Talk application. For more information on how to set up and configure your devices, please refer to these articles on adopting devices and using the Talk application.

For optimal performance, make sure you’re using the latest firmware for your devices and the latest UniFi Talk application version.

Configure voicemail

To configure voicemail on the Touch and Touch Max phone:

From the Keypad, dial *86 or long-press 1 to access voicemail configuration.
Follow the audio prompts to complete voicemail configuration.

Note: Visual voicemail configuration is coming soon.

To configure voicemail on the Flex phone:

Press the MESSAGE button to access voicemail configuration.
Follow the audio prompts to complete voicemail configuration.

Forward an incoming call

To forward an incoming call on the Touch and Touch Max phone:

From the incoming call screen, press the blue Forward button to view your contact list.
Select a contact to forward the incoming call.

Start a parallel call

To start a parallel call (i.e., start a new call while one or more calls are already ongoing) on the Touch and Touch Max phone:

From the active call screen, press the Add / Transfer button.
There are two options for starting a parallel call:
1. From the Contacts tab of the Add / Transfer screen, select a contact from your contact list.
2. From the Keypad tab of the Add / Transfer screen, dial a number and press the green button at the bottom of the screen.
Press the Call button to start a parallel call. The current active call will be placed on hold.
When two or more calls are active in parallel, swipe left or right to navigate between active calls.

Transfer an active call

To transfer an active call on the Touch or Touch Max phone:

From the active call screen, press the Add / Transfer button.
There are two options for transferring an active call:
1. From the Contacts tab of the Add / Transfer screen, select a contact from your contact list.
2. From the Keypad tab of the Add / Transfer screen, dial a number and press the green button at the bottom of the screen.
You will have the option to press Transfer or Warm Transfer.
1. If you press the Transfer button, this will utilize a cold (blind) transfer. The active call will immediately be transferred and will ring the destination phone once you press the Transfer button.
2. If you select the Warm Transfer option, the original caller is placed on hold while the transfer destination is dialed. The transfer destination has to pick up, at which point you have to again press the blue transfer button to complete the transfer.

To transfer an active call on the Flex phone:

While the call is active, press the TRANSFER button.
From here, you can either transfer to a specific number or a contact.
1. To transfer to a specific number, enter the number you’d like to transfer the call to and press the DIAL soft key.
2. To transfer to a contact, press the CONTACT soft key to load your contact list. Navigate the contact list using the up/down keys and dial the desired contact by pressing the DIAL soft key or the OK button.
You’re now calling the transfer destination. Once the transfer destination answers the call, press the TRANSFER button again to connect the original caller with the transfer destination.

Note: The Flex phone utilizes a warm (attended) transfer. The original caller will be placed on hold while a second call is established with the transfer destination. Once the second call is connected, the transfer can be completed to connect the original caller with the transfer destination.

Start a conference call

To start a conference call on the Touch and Touch Max phone:

From the active call screen, press the Add / Transfer button.
There are two options for adding additional parties to a conference call:
1. From the Contacts tab of the Add / Transfer screen, select a contact and press the Add to Call button.
2. From the Keypad tab of the Add / Transfer screen, dial the additional party’s number, press the green button at the bottom of the screen, and select the Add to Call option.

To start a three-way conference call on the Flex phone:

While the call is active, press the CONF soft key.
From here, you can either start a call with a specific number or a contact.
1. To call a specific number, enter the number you’d like to transfer the call to and press the DIAL soft key.
2. To call a contact, press the CONTACT soft key to load your contact list. Navigate the contact list using the up/down keys and dial the desired contact by pressing the DIAL soft key or the OK button.
You’re now calling the third party. Once the third party answers the call, press the CONF soft key again to start a conference call.

Manage your status

To manage your status on the Touch and Touch Max phone:

Press the App Selector button, located below the phone’s touchscreen to the left of the Ubiquiti logo.
Select Settings and click on My Status.
From here, you can select between three status settings:
1. Create a DND Allow List to allow specific numbers to ring your device when your status is set to Do Not Disturb.
2. Specify a redirect number using the Change Redirect Number button on the My Status page.
1. Available: Incoming calls will ring your device.
2. Do Not Disturb (DND): Incoming calls will be sent to voicemail.
3. Redirect: Incoming calls will be forwarded to the specified redirect number.

To manage your status on the Flex phone:

Do Not Disturb (DND): Incoming calls will be sent to voicemail.
1. Press the DND soft key to place your device in Do Not Disturb mode. Incoming calls will go to voicemail. When DND is enabled you will see the word DND with a symbol in the top-left corner of the screen.
2. Press the DND soft key again to disable Do Not Disturb mode.
Redirect: Incoming calls will be forwarded to the specified redirect number.
1. Press the MENU soft key, then select 2. SETTINGS.
2. Use the up/down keys to navigate the settings menu and select 5. CALL FORWARD.
3. Press the YES soft key to set a redirect status.

On the CALL FORWARD NUMBER screen, press the EDIT soft key, enter your redirect number with the keypad, and press the CONFIRM soft key.

Troubleshooting

My Talk device is showing a Connection Error screen

This error means that your Talk device cannot communicate with the Talk application.

To troubleshoot a Connection Error state:

Ensure that the Talk application is running. To check on Talk’s status, open unifi.ui.com, select your UniFi OS Console, go to Settings > Updates, and locate the Talk application tile. If Talk is stopped, click on the three dots menu in the Talk application tile and select Start.
Restart the Talk application. See this section for instructions on how to restart Talk.
Restart your UniFi OS Console by going to its Settings > Advanced and clicking Restart Console under the Console Controls header.
If you’re still encountering this issue after the troubleshooting steps above, please contact Ubiquiti Support.

Source :
https://help.ui.com/hc/en-us/articles/4409791920791-UniFi-Talk-Use-UniFi-Talk-devices

UniFi Talk – Use the UniFi Talk application

This article outlines key setup and configuration processes that can be completed in the UniFi Talk application.

Create users

To create new users in the UniFi Talk application:

Open the Users tab and click the Add User button in the top-right corner of the screen.
Type the user’s first name, last name, and extension in the respective text fields. If you do not assign an extension, the UniFi Talk application will do so automatically.
Select the user’s phone number from the drop-down menu and click Save. If no phone number is selected, the user will only be able to make internal calls unless they are added to a group with a number assigned.

Assign phones to users

A user must be assigned to each phone managed by the UniFi Talk application. You can assign a phone to a user on the Devices page or in the user’s profile panel.

To assign a phone to a user on the Devices page:

Click the Devices icon in the left navigation bar.
Hover your cursor over the phone you’d like to assign to the user, then click the Assign link when it appears.
Select the user from the pop-up window’s drop-down field, then click Assign.

To assign a phone to a user via their profile panel:

Click the Users icon in the left navigation bar.
Click the user that you’d like to assign a phone to.
Click the Manage tab, then scroll down and click the Manage drop-down option.
Select the phone that you’d like to assign to the user from the Reassign Device drop-down field.
Click Save at the bottom of the panel.

Assign numbers to users

If you wish to purchase additional numbers in the UniFi Talk application before you start assigning, see UniFi Talk – Manage UniFi Talk subscriptions.

To assign a number to a user:

Click the Users icon in the left navigation bar.
Click the user that you’d like to assign a number to.
Click the Manage tab, then scroll down and click the Manage drop-down option.
Select the number that you’d like to assign to the user from the Change Number drop-down field.
Click Save at the bottom of the panel.

Note: Users without a number assigned will not be able to make or receive external calls, but will still have an active extension that can make and receive unlimited internal calls.

Add a third-party SIP provider

Session Initiation Protocol (SIP) providers facilitate real-time video and voice communication (e.g., Twilio, Voxbone, 3CX, etc.). If you currently subscribe to a third-party SIP provider, you don’t have to purchase a UniFi Talk subscription to use your existing service in the UniFi Talk application.

To add a third-party SIP provider to your UniFi Talk application:

Create and configure a new trunk in your SIP provider’s settings console:
1. Create a credential list and assign username and password credentials to the trunk itself.
2. Add an ACL IP and a new entry for your router’s public IP address (e.g., 1.2.3.4/32).
3. Add an origination uri in the same format as your router’s public IP address (e.g., sip:1.2.3.4:6767).
4. Ensure that the Direct Inward Dialing (DID) number(s) you want to use with UniFi Talk are assigned to the newly created trunk.
Add your SIP provider’s information to the UniFi Talk application:
1. Go to Settings > System Settings.
2. Click the Add Third-Party SIP Provider button at the bottom of the screen.
3. Enter your provider’s name.
4. Enter your SIP provider’s required fields:
  1. Locate your SIP provider’s custom fields by referencing either the Providers ITSPs directory or your provider’s user documentation.
  2. Click the Add Field button in the UniFi Talk Settings menu.
  3. Type or paste the copied field into the Add Fields window and click the + icon. Repeat this process for multiple entries.
  4. Click Done once all fields have been added.
5. Type the DID number(s) from your SIP provider in the Input Numbers field(s) in either E.164 format (e.g., +10123456789) or the format supported by your provider.
6. Add your SIP provider’s media and signaling servers:
  1. Click the Add IP Address Range button.
  2. Type the address information in the corresponding fields and click Add.
7. Enable the Static Signaling Port toggle located in the Network tab of the UniFi Talk Settings menu.
Assign the new DID number(s) and phone(s) to users registered in your UniFi Talk application:
1. Open the Users page of your UniFi Talk application.
2. Click the desired user then click the Manage tab at the top of their profile panel.
3. Select the phone that you’d like to assign the user from the Reassign Device drop-down menu.
4. Select the DID number that you’d like to assign the user from the Change Number drop-down menu.
5. Repeat this process as needed for additional users.
  
  Note: If you’re using a third-party SIP provider, said provider will be responsible for maintaining E911 compliance. Please contact your provider for more guidance on how to ensure that all requirements are met.
Add or adjust port forwarding rule(s) for the UniFi OS Console hosting the UniFi Talk application:
1. Open the UniFi Network Settings menu and click the Firewall & Security tab.
2. Locate the Port Forwarding section and click the Create New Forwarding Rule button.
3. Add all required information to apply the port forwarding rule(s) to your UniFi OS Console.

If you have another router upstream from your UniFi OS Console, forward incoming traffic to Port 6767 of your UniFi OS Console.

Set up a Smart Attendant

The Smart Attendant helps you create and execute custom call routing to ensure that all your calls are directed to the right extension or preferred language speaker.

To set up a Smart Attendant:

Open the Smart Attendant tab in the UniFi Talk application. If you already have one or more Smart Attendants, click the Add New button. Otherwise, proceed with setup.
Name your Smart Attendant and click Next.
Select the number(s) you want the Smart Attendant to answer from the drop-down field.
1. If you select None, your Smart Attendant will not be active until you assign it a number.
2. You can also select multiple numbers for your Smart Attendant to answer.
From this screen, you can also configure the Ringback and Hold Music that your Smart Attendant will use.
1. Ringback: The audio that callers hear when dialing a Talk user or group via your Smart Attendant.
2. Hold Music: The audio that callers hear when a Talk user places them on hold after being dialed via your Smart Attendant.
Select if your Smart Attendant will behave differently based on business hours. When enabled, you can define custom call handling for business hours and non-business hours.
1. If you select Yes, configure your business hours schedule. You can add multiple business hour segments within a single day.
Select if you wish to have extension dialing enabled. When enabled, callers can dial an extension to connect with a user or group without going through Smart Attendant menus.
1. If you select Yes, select an extension dialing method:
  1. All Users and Groups: All users and groups in your Talk application can be dialed by their extension.
  2. Custom List: Only the Talk users and groups added to the custom list can be dialed by their extension.
  3. Smart Attendant Ring Menus: Only the Talk users and groups added to the Smart Attendant with a Ring Phone(s) menu can be dialed by their extension.
Configure your Smart Attendant’s greeting message:
1. Select the voice your Smart Attendant will use for generated audio.
2. Select the greeting type. You can generate audio from text or use custom audio by recording or uploading a file.
3. Following the instructions to configure your greeting based on the type selected.
Create your call routing tree:
1. Enter the prompt message and select the user(s) and/or group(s) that each key press will direct to.
2. If you don’t need a call routing tree or wish to configure this later, click No then Finish.

To add a new menu or user:

Hover your cursor over the menu that you’d like to add a new block to and click the + icon when it appears.
Choose between the two different types of blocks:
- Keypress Prompt (e.g., Press 1 for Sales)
- Ring Phone(s) (Dial a specific user or group)
- Play Audio (Play an audio message)
- Voicemail (Leave voicemail for a specific user)
- Keypress to Return (Return to the previous menu)
- Schedule (Configure call handling based on a schedule)

To delete a menu or user, hover your cursor over it and click the X icon when it appears.

Manage voicemails and call recordings

The UniFi Talk application collects voicemail by default. To listen to voicemails, click the Voicemail button on your Talk phone.

To automate call recordings:

Enable the Automatic Call Recording toggle from Settings > Call Settings.
Review the disclaimer text in the pop-up advisory window carefully, and click I Understand if you consent.

To disable voicemail:

Open the Settings menu and click the Call Settings tab.
Open the Voicemail drop-down.
Disable the voicemail toggle.

View call logs

To view your call logs:

Open the Call Log tab to view a listing of every call made with a device managed by the UniFi Talk application.
View the details of a specific call:
1. Click the desired call’s entry or hover your cursor over its listing and click the View link when it appears.
2. Review basic call information (e.g., caller, recipient, call experience score, length, date, and time) from the General section of the call log’s pop-up panel.
3. Click the Recording tab at the top of the call log’s panel to listen to its recording.
4. For voicemail messages, click the Voicemail tab at the top of the call log’s panel to listen to its recording.
To delete a call log, hover your cursor over the log’s entry and click Delete, then click the Delete button in the confirmation pop-up window.

Set up groups

The UniFi Talk application allows you to create groups that allow multiple phones to share the same number and ring. Groups can utilize all UniFi Talk application features, including the Smart Attendant.

To create a new group:

Click the Groups icon in the left navigation bar and click the Create New Group link in the top-right corner of the following page.
Enter a group name, assign a number to the group (optional), and add an internal extension (optional).
Select either Simultaneous or Sequential call handling.
1. Simultaneous: When the group is called, all phones assigned to group members will ring. The first phone to answer will receive the call and the other phones will stop ringing.
2. Sequential: When the group is called, phones assigned to group members will ring in the order you define.
Manage the group’s members. You can add Talk users and global contacts to a group.
Configure the Ringback for the group. This is the audio that callers hear when calling the group.
Click Create.

Note: Groups without a number assigned will not be able to make or receive external calls, but will still have an active extension that can make and receive unlimited internal calls.

To assign a specific outgoing number to a user who is a member of several groups:

Open the Users page, select the user, and click the Manage tab.
Select the desired outgoing number from the drop-down field.

Troubleshooting

I can’t receive incoming calls

We recommend enabling the static signaling port feature if your UniFi Talk deployment can’t receive incoming calls. The instructions below describe how to implement this fix.

In the Talk application, enable the toggle for static signaling port within Settings > System Settings > Create Static Signaling Port.
Create a port forwarding rule that forwards port 6767 to your UniFi OS Console running the Talk application. If your routing tasks are being handled by UniFi, go to the Network application to create this rule within Settings > Advanced Features > Advanced Gateway Settings > Port Forwarding.
Need help creating this port forwarding rule?
Try making a call to one of your UniFi Talk phones from an external number to test if incoming calling is working.
If the steps above did not work, try creating a firewall rule that allows Internet traffic destined for port 6767 of your UniFi OS Console running the Talk application. If your firewall rules are managed by UniFi, go to the Network application to create this rule within Settings > Traffic & Security > Global Threat Management > Firewall.Need help creating this rule?

I can’t make outgoing calls

For outgoing call failures, we recommend disabling the SIP ALG setting found in the router upstream from the UniFi OS Console running the Talk application (e.g., the router modem installed by your ISP). The SIP ALG setting is sometimes enabled by default on these devices and interferes with telephony.

I could previously make and/or receive calls, and now I can’t

In some cases, events like a network outage can result in degraded Talk application performance. This can be resolved by restarting the Talk application.

To restart the Talk application:

From unifi.ui.com, select your UniFi OS Console, go to Settings > Updates, and locate the Talk application tile.
Click on the three dots menu in the Talk application tile and select Stop.
After the Talk application has stopped, click on the Start Talk button.

If you’re still having trouble making and/or receiving calls, please contact UniFi Technical Support.

Recovering Talk subscriptions and phone numbers

If you need to factory reset, replace, or migrate to a new UniFi OS Console, or reset the Talk application, you can recover your Talk subscriptions and phone numbers during the UniFi Talk setup process. This option is available when you’re logged in using the same Ubiquiti account that manages your Talk subscriptions.

To recover or migrate your Talk subscriptions:

Log in to your Ubiquiti account at unifi.ui.com and select the UniFi OS Console you’d like to recover or migrate your Talk subscriptions to.
Launch the UniFi Talk Setup Wizard.
1. If you have multiple UniFi Talk deployments associated with your Ubiquiti account, you’ll see a list of previous deployments to select from. Hover over the information tooltip to view the phone numbers associated with each deployment.
2. Select the deployment with the phone numbers that you want to recover or migrate.
Click the Next button to continue setup.
On the Setup Device(s) page, you’ll now have the option to assign your recovered or migrated phone numbers to users and devices. These are available for selection from the Number / Area Code dropdown menu. Make your selections and click Next.
Complete the UniFi Talk setup process to finish recovering or migrating your Talk subscriptions and phone numbers.

Notes: A Talk subscription can only be active on a single UniFi OS Console. If you use this option during the UniFi Talk setup process while a subscription is still active on another UniFi OS Console, your subscription(s) will be transferred and will no longer be accessible from that device.

If you’re still having trouble making and/or receiving calls, please contact UniFi Technical Support.

Source :
https://help.ui.com/hc/en-us/articles/1500000304422-UniFi-Talk-Use-the-UniFi-Talk-application

UniFi Protect – Configure location-based activity notifications

You can configure UniFi Protect location-based activity notifications so you are only notified when the user(s) are off-site. This article outlines the steps needed to set this up for your account.

In this article, you will learn how to:

Set the location of your UniFi OS Console

To set the location of your UniFi OS Console:

Make sure that your UniFi OS Console has remote access enabled.
In the UniFi OS settings, go to Console Settings > Time Zone / Location > Edit Location on Map.
Search for the Address or drag your UOS Console to the correct location.
Adjust the Geofencing Radius slider to define your console’s on-site radius (i.e, “geofence”).
Click Apply Changes when you’ve set the desired geofence.

If you experience unexpected status changes while on site, increase the geofence’s radius.

Configure your primary mobile device

Your primary mobile device will be the one used to determine whether you are on or off-site (i.e., within the geofence).

To configure your primary mobile device:

Make sure cellular data is enabled on your mobile device.
Make sure that the UniFi Protect mobile app has proper location permissions:
1. For iOS devices, set the Protect mobile app’s Location Setting permission to Always. Precise Location should also be enabled.
2. For Android devices, make sure that Protect mobile app’s location access is set to Allow all the time.
Open the Protect mobile app, tap the Settings icon on the bottom-left corner of the screen followed by Primary Device; then, select the desired mobile device from the list.
To activate your UniFi OS Console’s geofence, use the Protect mobile app to go to Settings > UniFi OS Console > Network and enable the Geofencing toggle.

Configure location-based activity notifications

After you’ve configured the locations of your UniFi OS Console and primary mobile device, you can create activity notifications using your UniFi Protect web application or mobile app.

To create activity notifications using the UniFi Protect mobile app:

Go to Settings > Notifications to create a new activity notification or edit an existing one.
Select from Off, Default, or Custom.
1. If you choose Custom, click the Activity tab to customize the notification for each camera.

To create or edit activity notifications using the Protect web application:

Log in and go to Settings > Notifications > Activity.
Adjust When to Send > Location Based to receive notifications when you are off site (When I’m Away) or when all users are off site (When Everyone is Away).
Go back and customize the notifications for your cameras.

Troubleshooting inaccurate location tracking

The Protect mobile app uses GPS and communication with the UniFi OS Console to provide an accurate location.

If you are experiencing location inaccuracies, follow the device-specific steps below to improve the mobile app’s location tracking:

For iOS / iPadOS devices:

Disable Low Power mode, as it may prevent the app from sending location status updates.
Enable Background App Refresh and Cellular Data for the UniFi Protect mobile app.
Disable VPN or Mobile Hotspot if they interfere with location accuracy.

For Android devices:

Select High Accuracy mode for mobile phone location tracking, if available.
Disable data saving settings.
Disable battery optimization for the UniFi Protect mobile app by tapping Settings > Battery > Battery Optimization > Don’t Optimize.
Disable power saving mode to ensure it isn’t auto-enabled once your phone battery is low.
If your mobile has a Deep Sleep feature, disable it for the UniFi Protect mobile app to make sure you don’t receive location status updates after opening it.

Source :
https://help.ui.com/hc/en-us/articles/360037982314-UniFi-Protect-Configure-location-based-activity-notifications

UniFi Protect – Manage motion detection and privacy zones

This article describes how to set camera zones and configure motion detection behavior on your UniFi Protect system.

Camera zones overview

There are three different types of camera zone settings you can use:

Motion Zones, which tell the camera to recognize motion in specific zones and trigger certain actions, e.g. record footage and create Motion Detections for you to review later
Privacy Zones, which let you block out certain areas on the video recordings
Smart Detection (AI and G4 camera series), which let you create Events for certain types of motion, e.g. when the camera detects a person

Set up motion zones

Motion zones are specific zones where the camera will detect and record motion.

To trigger and record motion events and also trigger motion alerts, the camera recording settings must be set to Always or Detections.

For more information on recording settings, see UniFi Protect – View camera streams and manage recordings.

To set up a motion zone on the web application:

Go to the Devices section and select the desired camera.
On the right side panel, select Zones > Expand Motion Zones > Add Motion Zone.
Create the Motion Zone by clicking on the four corners of its perimeter. You can further adjust the corners by dragging them with your cursor.
Adjust the zone’s detection sensitivity based on your camera’s surroundings using the slider node below the feed window.”

unifi-protect-manage-motion-detection-privacy-zones-1.png

To set up a motion zone on the mobile app:

Select the desired camera on the home screen.
Tap on the Settings icon in the upper-right corner of your screen, then select Motion Zones > Add Motion Zone.
Create the Motion Zone by clicking on the four corners of its perimeter. You can further adjust the corners by dragging them with your cursor.
Adjust the zone’s detection sensitivity based on your camera’s surroundings using the slider node below the feed window.

Please note that adjusting the recording setting to Never disables motion detection recording and alerts.

When setting up zones, you can adjust the zone sensitivity. Setting a higher value will make your camera more sensitive, making it more likely to detect and log more subtle motions (e.g., small object movements).

If you’re getting an increased amount of motion events due to minor movements such as moving branches, decrease zone sensitivity to prevent excessive minor motion event logging.

Set up Smart Detection zones

Smart Detection Zones create events when specific motions are detected (e.g., a person’s movement).

Currently Smart Detection zones only supports person detection, meaning that you will only be notified when this specific motion event occurs.

The Smart Detection feature is only available for G4 and AI series cameras, except for G4 Instant.

To set up Smart Detection zones:

Go to Devices > Properties panel > Recordings and enable Person detection.
Go to the Zones section, click Add new zone, and name it.
Create the Smart Detection Zone by clicking on the four corners of its perimeter. You can further adjust the corners by dragging them with your cursor.
Adjust the zone’s detection sensitivity based on your camera’s surroundings using the slider node below the feed window.

unifi-protect-manage-motion-detection-privacy-zones-2.png

Set up privacy zones

You can set privacy zones for each of your cameras, which block live playback and recordings of content within the specified area. Instead, you will see a blacked-out image.

To set up a privacy zone on the web application:

Go to the Devices section and select the desired camera.
On the right side panel, select Zones > Expand Privacy Zones > Add Privacy Zone.
Create the Privacy Zone by clicking on the four corners of its perimeter. You can further adjust the corners by dragging them with your cursor.

unifi-protect-manage-motion-detection-privacy-zones-3.png

unifi-protect-manage-motion-detection-privacy-zones-4.png

To set up a privacy zone on the mobile app:

Select the desired camera on the home screen.
Tap on the Settings icon in the upper-right corner of your screen, then select Privacy Zones > Add Privacy Zone.
Create the Privacy Zone by clicking on the four corners of its perimeter. You can further adjust the corners by dragging them with your cursor.

Source :
https://help.ui.com/hc/en-us/articles/360056987954-UniFi-Protect-Manage-motion-detection-and-privacy-zones

UniFi Protect – Manage Live Footage and Recordings

The UniFi Protect mobile and web applications allow you to view live and recorded footage as well as adjust the image and video playback quality.

Live View

By default, the video bitrate of your cameras is automatically reduced during prolonged periods of low motion frequency in order to reduce storage utilization. You may choose a specific resolution by changing the Viewer Quality to Low or High on the Protect web application by hovering over the Live View, or on the mobile app within the Live View’s specific settings.

Note: If your bandwidth is limited, you may experience unstable playback while viewing a high quality live feed.

Recordings and Detections

Your recording’s duration and quality will depend on the camera’s Recording Mode. The When to Record setting can be set to Always, Never or Detections. Image quality and frame rate can be adjusted using the Recording Quality setting.

Note that:

A higher frame rate will give you smoother video playback while a lower frame rate will ensure better picture quality.
Recording with higher image quality will require more storage space than lower quality ones.

You can download the Detection clips from the mobile app by tapping the Share icon > Export clip, or from the web application by selecting the detection and clicking the Download icon.

Adjust the Camera Picture Settings

Most image quality issues can be resolved by adjusting the camera picture settings, which are specific to each camera and found within Devices > select a camera > Settings.

The camera’s image is dull, dark, or distorted

To correct imagery that appears dark, dull, or distorted:

Open the camera’s settings and select Adjust Camera Picture.
Adjust the Brightness, Contrast, and Hue settings for the camera.

Note: There is no definite way of setting this for all cameras in any environment. Try adjusting these settings to achieve the desired image quality outcome.

The camera recording quality is low

To improve a camera’s recording quality, open its Recording Mode settings and increase the Frame Rate and Image Quality settings as described above.

The camera’s image is harshly lit

Harsh lighting creates a strong contrast that can make it difficult to see smaller, finer details in your live feeds and recordings. To resolve this, try enabling the HDR feature (or WDR depending on the camera model) in the Camera Picture settings.

The camera is out of focus (G3 Pro, G4 Pro, G4 PTZ cameras only)

If your G3 Pro, G4 Pro, or G4 PTZ cameras appear to be out of focus:

Make sure there are no objects between the camera and its focal point that may affect its ability to auto-focus.
Try manually setting the focal point with the Focus Camera Picture setting.

The camera isn’t switching to Night (IR) Mode

If your cameras are not switching to Night (IR) mode, or are rapidly alternating between Night and Day Mode, verify that:

Each camera’s infrared setting is set to Auto.
There are no external light sources, such as ambient lights in front of a camera, affecting integrated light sensors.
There are no obstructions near the front of the camera. Obstructions can cause the camera’s infrared light to reflect back at its sensor, causing it to switch back and forth between Night and Day Modes.

Night (IR) Mode imagery is blurry

If your Night (IR) Mode imagery is blurry:

Carefully clean your camera’s lens or dome using a soft cloth and isopropyl alcohol. The alcohol’s concentration should not exceed 70%; otherwise, you risk damaging its surface. Be sure to remove all residue to prevent unwanted reflections.
Ensure that no obstructions near the camera’s lens are causing IR reflections.
(For Dome cameras) Make sure that the dome cover is tightly secured to the lens housing. The rubber gasket should be firmly fastened to the dome’s surface and the dome should be in the locked position.

Source :
https://help.ui.com/hc/en-us/articles/360058867233-UniFi-Protect-Manage-Live-Footage-and-Recordings

UniFi Protect – Optimizing G4 Dome’s Night Mode

The G4 Dome camera is equipped with infrared LEDs to give it night vision. However, some factors may cause these LEDs to produce glares on the camera’s feed. The most common causes of glaring and poor resolution are:

https://www.youtube-nocookie.com/embed/gKNf23tWOFE

Reflections from nearby objects

Per its installation guide, the G4 Dome should be installed at least 60 centimeters (cm), or 24 inches, away from neighboring walls and the ceiling. If nearby objects or fixtures, such as a wall corner or overhang, are closer than that, they may reflect infrared light into the camera and create a glare.

Ceiling-mounting near a wall corner

Below, you can see how mounting the G4 Dome to the ceiling with objects in the foreground can result in poor image quality.

Ceiling-mounting near overhangs

The camera below is too close to the pillar so it appears in the camera’s field of view (FoV).

Wall-mounting too close to the ceiling

The camera below doesn’t have at least 60 cm of separation from the ceiling and its image quality is diminished as a result.

Residue on the bubble cover or lens

While installing the G4 Dome, its lens and bubble cover may collect dust, oil stains, and fingerprints. This can also occur if you wipe the lens or bubble cover incorrectly.

If there is residue on the G4 Dome’s lens or bubble cover, clean them with either lens wipes, a lens cloth with a lens cleaning solution, or a soft cleaning cloth and rubbing alcohol. Continue to do this periodically to prevent distorted image quality due to dirty lens and cover surfaces.

Oil stains or fingerprints on the bubble cover or lens

When oil stains stick to the bubble cover or lens, the infrared lights become diffused by the foggy surface.

The image below shows the camera’s bubble cover marked with fingerprints.

The image below shows a lens with oil stains.

Below, you can see how image quality with a clean bubble cover is markedly better than that of an oil-stained equivalent.

Moisture droplets on the bubble cover

When moisture droplets stick to the bubble cover, the camera’s infrared lights become scattered by the trapped moisture, like in the example directly below.

To avoid reduced image quality due to moisture droplets, wipe the bubble cover’s exterior with a lens cloth.

Bubble cover not properly locked in place

The G4 Dome’s removable bubble cover has a locking mechanism to ensure an airtight seal. When the bubble cover is not attached properly, the camera’s infrared lights can be reflected back into its lens.

To mount the bubble cover correctly:

Align the small indentations on the cover and camera.
Rotate the cover clockwise to securely fasten its rubber lining. The sealing strips should not be visible.

The example images below show the G4 Dome when its bubble cover is properly attached (left), and when it’s not (right).

6_G4_Dome_correct_vs_incorrect_bubble_cover_attachment_2_correct.png

Here, you can see the G4 Dome’s image quality when its bubble cover is properly attached.

Here, you can see how its image quality is greatly reduced by an incorrectly attached cover.

The rubber seal surrounding the lens is damaged

When the rubber seal surrounding the lens is damaged, infrared light can leak in and distort the camera feed.

The images below show a normal seal (left) and a damaged one (right).

7_G4_Dome_rubber_seal_surrounding_the_lens_normal_vs_damaged.png

Source :
https://help.ui.com/hc/en-us/articles/1500008633161-UniFi-Protect-Optimizing-G4-Dome-s-Night-Mode

UniFi Protect – Optimizing Camera Connectivity

This article describes how to access your UniFi Protect application locally or remotely, the factors that create access issues, and how to solve said issues.

How to connect to UniFi Protect

There are two ways to access your UniFi Protect application:

Locally by accessing the IP address of the UniFi OS Console hosting Protect; or
Remotely on the Protect web application (unifi.ui.com ) or mobile app (iOS / Android ).

Note: Remote access must be enabled in your Protect application. It is enabled by default.

To enable Remote Access in your UniFi Protect application:

Access the UniFi OS Console hosting Protect via its IP address.
1. If you don’t know your UniFi OS Console’s IP address , use the WiFiman app (iOS / Android ) to locate it on your WiFi network.
Log in to your Ubiquiti SSO account.
Go to the System Settings > Advanced menu, and enable the Remote Access toggle.

Identifying issues

To identify potential reasons for Protect connectivity issues:

Try accessing your UniFi OS Console locally by entering its IP address in your web browser, or remotely via Protect web application (unifi.ui.com ) or mobile app.
Use different mobile devices, ideally running different operating systems (iOS, Android).
Use different supported browsers, such as Chrome, Firefox, or Safari, on different computers.
Connect to different client locations, such as:
- A local network with the same subnet as the Protect application.
- A mobile carrier network via a mobile device or tethering.
- A remote network, such as a workplace or public WiFi network.
Have multiple users, ideally with different system roles, attempt to access the Protect application.

Note: Note your observations. They may be helpful if you need to contact our technical support team.

My camera streams load slowly or buffer frequently

To identify potential reasons for slow stream loading and/or frequent buffering:

Check the stability of network connection:
- Perform a speed test using the Wifiman app while connected to the same network as your UniFi OS Console. UniFi Protect should perform well with a network connection better than 5 Mbps and decently with a connection of at least 2.5 Mbps. Below this, performance may suffer.
Ensure that your computer or mobile network is not limiting bandwidth:
- A VPN could be preventing client devices from making a peer-to-peer connection with your UniFi OS Console, meaning that all data is first relayed through Ubiquiti’s Remote Management Service—leading to diminished performance. If so, disable the VPN.
- Check if there’s a subnet conflict where the UniFi OS Console is on a different subnet than the client, but still on LAN. If the client needs to reach your UniFi OS Console’s subnet but doesn’t have a route, it will hit the gateway (the local router), which knows how to route to the UniFi OS Console. If a VPN is enabled and there’s a configured route on the VPN that goes to another network with the same subnet, it will override.
Inspect your UniFi OS Console’s performance data by making sure you haven’t exceeded its maximum supported camera limit . If so, streaming performance will be diminished.
Check your computer’s CPU utilization. A lower-specialization computer may not be capable of playing back multiple video streams. If the CPU utilization is nearing 100%, try playing back fewer video streams (e.g., fewer cameras on the live view matrix).

I can access Protect locally but not remotely

If you can’t access the Protect application remotely:

Check if Remote Access is enabled:
1. If it is enabled , try disabling it and enabling again.
Confirm that you have permission to access Protect remotely. For more information, see UniFi Protect – Add and manage users .
Visit status.ui.com to see if there are any issues with Ubiquiti’s Remote Management Service currently being resolved.

I can’t access Protect from the mobile app

If you can’t access Protect from the mobile app:

Verify that the UniFi Protect mobile app is updated to the latest version.
Ensure that the UniFi Protect mobile app is not restricted from accessing WiFi or cellular data:
1. For iOS devices , go to the Settings > Cellular Data menu and make sure UniFi Protect is toggled on.
2. For Android devices , go to the Settings > WiFi & Internet > Data Usage > Cellular Data Usage menu, select UniFi Protect, and make sure WiFi and cellular data are not disabled in the App data usage section.
Disable VPN if one is enabled since some VPNs may block WebRTC connectivity, which is used by Protect.
1. For Android devices with VPN enabled , try disabling the Private DNS in the Settings > WiFi & Internet > Private DNS menu. On some WiFi and mobile carrier networks, certain Private DNS providers such as CloudFlare’s 1.1.1.1 may interfere with WebRTC.
Disable or remove any third-party security or privacy apps that may interfere with network connectivity.
Force-quit the mobile app and open it again.
Uninstall the mobile app, reinstall, and open it.

I can’t access Protect from my web browser

If you’re having trouble accessing Protect from a web browser, but you can connect with the mobile app or a web browser on a different network, there may be an issue with your network configuration. For more information, see the Advanced troubleshooting processes section.

If you have a UniFi Cloud Key Gen2 Plus (UCK G2 Plus) updated to Version 2.0.24 running Protect application Version 1.14.0 or higher , it operates via UniFi OS and, therefore, can be accessed remotely at unifi.ui.com , not protect.ui.com.

If you don’t see your Cloud Key-hosted Protect application on unifi.ui.com , make sure your UCK G2 Plus’s firmware is up to date. For more information, see UniFi – How to manage & upgrade the Cloud Key .

If your Cloud Key’s firmware is up to date and can see the Protect application at unifi.ui.com but can’t access it , check if Remote Access is enabled. The recent firmware upgrade might have disabled Remote Access functionality. Follow the steps in the How to connect to UniFi Protect section.

I can’t access Protect on a specific browser

Browser-specific access failures are most often caused by third-party software, such as a browser extension or an application on the host computer.

Common extensions, software, and other features known to cause issues include:

uBlock Origin
Privacy Badger
WebRTC Leak Prevent
Various VPN services, such as Tunnelbear
Ad or traffic blockers that interfere with WebRTC connectivity used by UniFi Protect

To troubleshoot browser issues:

Disable all suspected third-party security or privacy-related browser extensions and software.
If you can now access Protect , re-enable the extensions and software, one at a time, and test your Protect access after each one. This will help you identify the inhibiting software.
(For Chrome only ) Disable the feature flag, Anonymize local IPs exposed by WebRTC :
1. Copy and paste the following into your address bar: chrome://flags/#enable-webrtc-hide-local-ips-with-mdns
2. Select Disabled , then restart Chrome.

Once you’ve found the inhibiting software, leave it disabled or uninstall it. If it’s essential, however, contact the developer’s support team for further guidance on how to configure it so it doesn’t prevent Protect access.

I’m a new user and see a No Controllers Detected notification

If you’re a new user signing in via unifi.ui.com or the Protect mobile app and the UniFi OS Console that hosts your Protect application isn’t appearing , make sure that your user permissions include remote access to the UniFi OS Console. For more information on creating users, see UniFi Protect – Add and manage users .

In some cases, a new user can accept a Protect application invitation, log in to their Ubiquiti account via web browser, initially see their UniFi OS Console, then receive a No Controllers Detected notification.

If you’re a new user and see a No Controllers Detected notification after trying to access Protect web application :

Make sure that your UniFi OS Console and Protect application versions are up to date.
Make sure that you have permission to remotely access the UniFi Protect application. For more information, see UniFi Protect – Add and manage users .
Verify that you are a verified and active user by going to unifi.ui.com , clicking on your UniFi OS Console, navigating to the Users menu, and checking your user status.
If this doesn’t resolve the issue , delete the custom users and user roles created, reboot the UniFi OS Console, and recreate the users:
1. Log in to your UniFi OS Console from the Owner account.
2. Go to unifi.ui.com , click on your UniFi OS Console, navigate to the Users menu, and delete all custom users and user groups.
3. Click on the dot grid icon in the top-right corner of the dashboard, navigate to Protect > Roles , and delete all custom user roles.
4. Click on the dot grid icon in the top-right corner of the dashboard, click the Settings > Advanced tab on the left side of the following screen, and click Restart Device .
5. Once the device reboots, log in again with the Owner account and recreate all desired users, groups, and roles.

Advanced troubleshooting processes

Check if a WebRTC connection can be established

UniFi Protect uses WebRTC technology to establish connections between your UniFi OS Console and client devices through NAT and firewalls, such as a UniFi gateway, without requiring explicit port forwarding or the revision of firewall rules.

Typically, you won’t need to make any changes to your network, device, or client configurations in order to access Protect locally or remotely.

However, to establish a WebRTC connection needed to access Protect, both networks (i.e., the one that your Protect application connects to and the one that your client device(s) connect to) must meet these requirements:

Reliable access to Internet and DNS service
Adequate bandwidth for basic connectivity and video transfer
Outbound TCP connection capability on Port 443
Outbound UDP connection capability on Ports 0–65535

Note: Port forwarding is not required for TCP or UDP connectivity.
A firewall configured to accept solicited, inbound UDP traffic
No network security appliances (e.g., IPS) or services blocking WebRTC (e.g., STUN or DTLS)
No gateways configured to use Symmetric NAT, which either block peer-to-peer connections, force the use of a relay server (i.e., TURN), or cause said relay to fail

Note: For more information on the technical aspects of WebRTC, please visit webrtc.org .

Troubleshooting WebRTC connection issues caused by Symmetric NAT

Symmetric NAT , while uncommon, can cause issues when establishing WebRTC and other peer-to-peer connections because it does not maintain a 1:1 port mapping ratio for established connections, causing them to fail.

If that happens, WebRTC will attempt to connect via a relay server (i.e., TURN), which will result in either diminished connection quality or outright connection failure.

If you are behind a Symmetric NAT , you can either:

Establish a VPN connection between the client and Protect; or
Configure your router to a mode other than Symmetric NAT, such as Cone NAT.

The UniFi OS Console hosting your UniFi Protect application will automatically detect and log Symmetric NAT on its side but will be unable to determine the NAT type on the clients’ side.

If you suspect Symmetrical NAT on the console-side connection:

Establish an SSH connection to your UniFi OS Console.
Execute the following command: grep -Ri “symmetric” /srv/unifi-protect/logs

Any results will confirm that the connection failed due to Symmetric NAT.

Troubleshooting issues with a particular network

If you identify connectivity problems within a particular network , focus your troubleshooting efforts there. For example, if you can connect to your business’s Protect deployment from home, but not while at a friend’s house, focus on troubleshooting the latter network.

If you can’t access Protect from any remote location , focus first on the application’s on-site network.

In both cases:

Verify that the UniFi OS Console hosting Protect and all client device(s) have a stable internet connection, including a valid gateway IP and DNS servers. Some DNS providers are known to cause problems, such as 1.1.1.1. Try changing it to Google’s 8.8.8.8.
Verify that selected DNS servers properly resolve the following domains:
1. Device.svc.ubnt.com
2. Device.amplifi.com
3. Global.stun.twilio.com
4. Global.turn.twilio.com
Review your firewall configuration to ensure it meets the requirements listed in the Check if a WebRTC connection can be established section. If you’ve configured custom firewall rules, try disabling them temporarily to test.
Remove any port forwards for UniFi Protect that may have been configured incorrectly.
Disable any network-level security appliance or service rules intended to block WebRTC’s internal protocols, STUN or DTLS. If you are using a UniFi gateway , the UniFi Intrusion Prevention System (IPS) does not require a specific configuration to prevent WebRTC connectivity blockage.

Source :
https://help.ui.com/hc/en-us/articles/360034238233-UniFi-Protect-Optimizing-Camera-Connectivity

Wordfence 7.7.0 Is Out! Here Are The Changes

Wordfence 7.7.0 has just been released and as usual, it includes several awesome enhancements and updates for our security conscious WordPress publishers and e-commerce websites. This post goes into a little more detail on each change we’ve included. We don’t usually post additional detail like this, and we thought we’d give it a try, and make it a routine if the community approves.

This is based on the official Wordfence 7.7.0 changelog, which is included below. The format I’ve used here is the changelog entry as a heading and some detail on what the entry means and some background where applicable.

Improvement: Added configurable scan resume functionality to prevent scan failures on sites with intermittent connectivity issues

We’ve added “scan resume” functionality which is configurable and will prevent security scan failures on sites that might have intermittent connectivity issues. As you know Wordfence runs on over 4 million websites on over 12,000 unique networks, and to say that we run in a range of environments and configurations is an understatement. Our quality assurance team has an oversized influence on the product, and this is one more way they have made Wordfence even more robust in version 7.7.0.

Improvement: Added new scan result for vulnerabilities found in plugins that do not have patched versions available via WordPress.org

This adds a scan result for plugins that have a vulnerability and are still present in the official WordPress plugin repository, and where there is no fix available. The usual course of action is that the plugin team will disable a plugin in the repository that has a known vulnerability, where the vulnerability has not been fixed yet. In some cases, this doesn’t happen, and this scan result is designed to deal with this unusual case. This change will also allow plugins that are not provided through wordpress.org to be flagged as vulnerable if there is no update available.

Improvement: Implemented stand-alone MMDB reader for IP address lookups to prevent plugin conflicts and support additional PHP versions

We use the Maxmind database internally for location lookups. Our code was using the Maxmind PHP library to perform these lookups. Maxmind stopped supporting older PHP versions a while ago, but many of our customers are still on those old versions. We have also found that other WordPress plugins may use a different version of the Maxmind library, which can lead to conflicts. So we’ve rolled our own stand-alone MMDB reader to resolve both of these issues. We now support older PHP versions than the official Maxmind library, and you won’t see any conflicts if another plugin is using the Maxmind library.

Improvement: Added option to disable looking up IP address locations via the Wordfence API

By default Wordfence contacts our servers to perform an IP address location lookup. This is just the way the plugin was originally engineered (by me actually) to try to move as much processing to our own servers and reduce resource usage on our customer websites. Some of our customers prefer that lookup to happen locally, so we’ve provided that option. The default is still to do the lookup on our servers, but you have the option to enable local lookups. The one downside of enabling this feature is that you’ll only get country-level lookups.

Improvement: Prevented successful logins from resetting brute force counters

Another design decision I made early on is that a successful login on a WordPress website would reset our brute-force login counters to zero. This made sense because if a real user makes multiple login failures and then succeeds, clearly they’re the real user and we should reset our counters so that their next failure doesn’t lock them out. Well, an unintended side effect of this is that a threat actor can register an account on WordPress websites with open registration, and sign in, and that would reset brute force counters to zero, so they can keep trying to guess that admin account’s password. We’ve fixed this by removing the reset that occurs on successful login.

Improvement: Clarified IPv6 diagnostic

We found that a message on our diagnostics page caused users to think they need to fix something related to IPv6. So we clarified the message to prevent our customers from going on wild goose chases trying to fix something that doesn’t need fixing.

Improvement: Included maximum number of days in live traffic option text

This is also a clarification. The maximum amount of data in live traffic that we store is 30 days. This wasn’t clear and some users would enter a larger number of days, expecting to see more than 30 days of data. We’ve fixed this user interface issue to make it clear.

Fix: Made timezones consistent on firewall page

When the page showing firewall activity loaded more results, they’d be in UTC time instead of your correct timezone. Oops! We fixed that little issue.

Fix: Added “Use only IPv4 to start scans” option to search

We have the ability to search your Wordfence options page which is super useful. This option was not included in the search, so we fixed that.

Fix: Prevented deprecation notices on PHP 8.1 when emailing the activity log

PHP 8.1 provides notices that a function has been deprecated if a developer (like us) is using an older function call. We were in this case, and PHP 8.1 was rightfully complaining about it. So we switched to a more modern version of the same code.

Fix: Prevented warning on PHP 8 related to process owner diagnostic

On our diagnostics page, if a hosting provider has restricted an account from seeing its own username, our customers would see a warning that you can’t access an array offset on a boolean. We fixed that.

Fix: Prevented PHP Code Sniffer false positive related to T_BAD_CHARACTER

We use PHP code sniffer to look for things that are incompatible between versions. We were getting a false positive when using this internal tool, so we fixed that. This change is really for the benefit of our engineering team.

Fix: Removed unsupported beta feed option

A long time ago when there was fire in the sky and the seas were boiling, we launched the first version of the Wordfence firewall. Because we wanted to test out new rules, and some of our users were brave enough to try the new stuff, we included this option. We would release beta firewall rules and malware signatures, and our brave testing community would try them out first by enabling this option. We do all our testing internally now and the firewall code and rule syntax has become extremely robust, so we don’t do these kinds of releases anymore. So we removed this configuration option.

Below I’ve included the short version of the changelog that you’ll see on WordPress.org. You’re most welcome to post your comments and questions below. Keep in mind that support questions are best posted via our official support channels, but if you’d like to chat about this post, comment below and a member of the team or I will reply if needed.

Regards,

Mark Maunder – Wordfence Founder & CEO

Wordfence 7.7.0 – OCTOBER 3, 2022

Improvement: Added configurable scan resume functionality to prevent scan failures on sites with intermittent connectivity issues
Improvement: Added new scan result for vulnerabilities found in plugins that do not have patched versions available via WordPress.org
Improvement: Implemented stand-alone MMDB reader for IP address lookups to prevent plugin conflicts and support additional PHP versions
Improvement: Added option to disable looking up IP address locations via the Wordfence API
Improvement: Prevented successful logins from resetting brute force counters
Improvement: Clarified IPv6 diagnostic
Improvement: Included maximum number of days in live traffic option text
Fix: Made timezones consistent on firewall page
Fix: Added “Use only IPv4 to start scans” option to search
Fix: Prevented deprecation notices on PHP 8.1 when emailing the activity log
Fix: Prevented warning on PHP 8 related to process owner diagnostic
Fix: Prevented PHP Code Sniffer false positive related to T_BAD_CHARACTER
Fix: Removed unsupported beta feed option

Source :
https://www.wordfence.com/blog/2022/10/wordfence-7-7-0-is-out-here-are-the-changes/

PHP 8: How to Update the PHP Version of Your WordPress Site

Considered one of the most beginner-friendly programming languages, PHP continues to introduce tremendous changes with each of its updates. Embracing the change, this blog is focused on the steps to upgrade to PHP 8.0 on a WordPress website.

Previously, PHP 7’s speed optimization update helped a lot with gaining higher rankings on the SERPs. Carrying the legacy forward, PHP surprised its enthusiasts with a release of PHP 8.0 back in November 2020, which brought a list of new features that revolutionized the way programmers worked.

PHP 8 lets you write concise code and build more exemplary applications with exciting changes and improvements to the earlier RFCs. Considering the new improvements, it would be a crime not to upgrade your current PHP version to PHP 8.0 on your WordPress site.

Table of Contents

Before we jump towards the steps to upgrade your PHP version to PHP 8 on WordPress, we will give a brief PHP 8.0 overview to help you get acquainted with the update.

PHP 8.0 – An Overview

PHP (an acronym for Hypertext Preprocessor) is a popular open-source scripting language used by coders worldwide for web and application development. This high-level programming language is easy to learn, hence preferred by starters and novice coders. Still, it is also complex enough to cater to the needs of a professional programmer.

PHP 8.0 is the latest update of PHP and has come up with new features, functions, and methods to facilitate the developers and provide the best user experience.

Previously, PHP had released 7.4 in November 2019, ending the support of PHP 7.1. The later version, 7.2, was also discontinued with the release of 8.0. Currently, PHP supports only 7.3, 7.4, and 8.0 versions.

Managed WordPress Hosting Starting From $10/Month

Experience Faster WordPress Themes’ Performance & Constant Availability on Cloudways.

TRY 3 DAYS FREE

PHP 8 Compatibility With WordPress

With every update come compatibility issues. If you want to have a hassle-free PHP 8.0 experience, we recommend opting for the latest WordPress version or going with at least 5.6 or any later versions.

Are you running your website on an older WordPress version but are skeptical about upgrading in fear of getting errors? Don’t worry; you can test your website via a staging environment and proceed with upgrading your live website safely to a newer WordPress version.

If you get any errors in the staging environment, then we’d recommend getting the help of a professional WordPress developer to diagnose and debug the errors before you move ahead with the update.

PHP 8 – Themes & Plugins Compatibility

Discomforts accompany every change; similar is the case with PHP 8. While PHP 8 offers extensive features to support its users and provide them with an ideal user experience, it brings the themes and plugins incompatibility issues.

PHP isn’t the player to be blamed here, as the themes and plugins should be updated to work with the latest software versions. If your favorite and irreplaceable plugin or theme is making problems with PHP 8, then try out the following solutions.

Rollback to the previous PHP version. (A boring option)
Contact the theme or plugin’s support team and inform them about the compatibility issues to boost the optimal user experience with the latest versions of both.

PHP 8 on WordPress: Installation Prerequisites

Before upgrading to PHP 8.0, it’s wise to check the current PHP version that your WordPress site is running.

Using an older version? You can upgrade the PHP version to enjoy the new features and improvements. But not so fast! Remember, safety always comes first. When we talk about security, we consider the “what ifs.”

What if your site is not compatible with the latest version, and you end up losing or corrupting your data in the process. Nope, you don’t want that.

Don’t lose hope; you can create a clone of your website to test it on the latest version.

If the clone website works smoothly after upgrading to PHP 8.0, you can move ahead with updating your actual site. This portion will list out the steps to create a clone website to test it under PHP 8.

Clone a Website via Your Web Hosting Provider

Fortunately, managed WordPress hosting solutions like Cloudways allow the users to create their site’s duplicate without dealing with any complexities. Follow the steps below to create your website’s clone via Cloudways.

Log in to Cloudways with your credentials.

Select your server, and click the application that you want to clone.

Navigate to the bottom, and you will see an orange circle, click it.
Click Clone App/Create Staging from the pop-up.

Select your preferred server, then click Continue.

You will be asked to wait for a few minutes, during which Cloudways will copy your entire website. Now, you are good to experiment on the clone.

Note: Clone App and Create as Staging are different functionalities. Clicking Clone App will only clone your website. Whereas, Create as Staging will sync the live and staged applications to allow you to perform Push/Pull actions on both the replica and live versions.

How to Update PHP in WordPress to PHP 8.0 on Cloudways

Cloudways announced its availability of PHP 8 earlier this year, maintaining its reputation of being the early bird to accept the latest updates. Want to update your PHP version on Cloudways? Follow the easy steps below to upgrade your current PHP version to PHP 8.0.

Note: Cloudways recommends keeping a backup of your server before upgrading to a newer PHP version. Keeping a backup will help you restore your application if you feel the need to revert to your previous PHP version anytime in the future.

Log in with Cloudways

Signup on Cloudways. Already have a Cloudways account? Log in with your credentials.

Select Server

Click on Servers. Select, and click the server of your choice.

Select Settings & Packages

Click on Settings & Packages on the left side.

Click on the Packages tab.

Upgrade your PHP version

Click the edit sign next to your current PHP version.

Select PHP 8.0 from the drop-down, and click Save.

The setup will prompt you with a warning to ensure if your application is compatible with the selected PHP version. If yes, then click OK.

The setup will take a few minutes to finish, and it will notify you once the update is done. After getting the notification, you can enjoy working with PHP 8.

PHP Supported Versions on WordPress

WordPress supports the following seven PHP versions ranging from PHP 5.6 to the latest version 8.0.

PHP 5.6
PHP 7.0
PHP 7.1
PHP 7.2
PHP 7.3
PHP 7.4
PHP 8.0

Note: Keep in mind that you won’t receive any PHP security updates if you are not using the latest PHP version. We recommend using the 8.0 PHP version.

What Is Holding Back Users From Updating to PHP 8.0?

The major reason that’s holding back users from upgrading to PHP 8 is the incompatibility of their favorite themes and plugins with PHP 8.

That said, every savvy user would like to enjoy the latest PHP features and RFC improvements. Anyone who wants to stay back and keep working with the legacy software would abstain from upgrading their PHP version.

Using the latest PHP versions allows for better and easier development of new features and also facilitates maintenance. Even if some of the themes and plugins are not working on PHP 8.0, they will eventually be updated.

Why Should You Upgrade to PHP 8?

Imagine using an outdated image editing tool for making logos or editing photos. While the world has moved to the latest version and is saving time and getting better quality and performance with the latest edition, you are still doing it the old way. Not really a smart decision, right?

Similarly, why would anyone abstain from upgrading to a newer PHP version when the new upgrade is specifically introduced to bring ease to the user’s end. You should definitely upgrade to PHP 8 if you want to benefit from the latest features, get better error handling, improved RFCs, and optimizations.

PHP 8 will remain in support till November 2022, and its security support will extend till November 2023. This longevity makes this newest version a lot more trustworthy and secure than the previous versions.

Most of the popular WordPress plugins and themes have accepted PHP 8 and are now compatible with it.

We ran a loader test to check PHP 8’s performance on the Cloudways server, and deduced the following results:

Source: Loader Test of PHP 8.0 on Cloudways Server

The average response time for the same WordPress website is 164 ms, and total success response counts are 3836.

Sadly, only 1.3% of the WordPress sites are using PHP 8.0. As per our experience, WordPress delivers the best performance with PHP 8.0 and gives better speeds than the previous PHP versions. It’s a good practice to use the latest versions, so the number of people migrating from 7.4 to 8.0 is gradually increasing with time.

PHP versions stats

Source: WordPress Version Stats

PHP has worked on the issues reported by the users in the previous versions, and the latest version is free from many recurring problems and has introduced new features.

To enjoy the services at their full potential, you will have to upgrade to the newest WordPress PHP version, as the older versions may eventually fade out or will be declined by most themes and plugins.

Source: PHP Supported Versions

Disadvantages of Using Older PHP Versions on WordPress

All PHP versions before 7.3 have reached their end of life, and it is advised to upgrade to the latest version if you are using any of the older versions, as it will make you vulnerable to unpatched security errors. Even 7.4 will reach the end of life on 28 Nov 2022.

Why would you risk your website to security vulnerabilities when you can easily upgrade to the latest version and enjoy the new improvements and features?

Also, ensure that you opt for a secure WordPress hosting provider to safeguard your sites from malicious traffic, DDoS attacks, and malware.

Using older PHP versions won’t only provide security issues but also will affect your website’s performance.

Which sane person compromises performance in this competitive era, where everyone is following the best practices to boost their site’s performance and gain their user’s attention?

Improve your website’s performance and security by halting the usage of older PHP versions, and upgrade your WordPress website’s PHP version to 8.0 to maximize safety and performance.

Final Thoughts

This blog covers PHP 8’s compatibility with WordPress and the steps to upgrade your PHP version to 8.0. The information shared in this guide will help you make the right decision to upgrade to PHP 8.0 on your WordPress site and enjoy the benefits of the newest update.

Ranging from the supported versions, disadvantages of using the old PHP version, and the reasons to upgrade to 8.0; we have tried to cover it all. Still, if any questions are popping up in your head, please feel free to comment with your queries; and we will answer all of them ASAP.

Frequently Asked Questions

Can WordPress use PHP 8?

Yes, WordPress can use PHP 8, and it is recommended to use PHP 8.0 with WordPress 5.6 or higher version for compatibility and better performance.
If you are using an older WordPress version, you can test your site with WordPress 5.6 in a staging environment. If you don’t experience any issues, then upgrade your live WordPress site to enjoy using PHP 8.0 on WordPress.

Is WordPress compatible with PHP 8?

Yes, WordPress is compatible with PHP 8.0. However, only WordPress 5.6 or higher versions are compatible with PHP 8. If you are using an older WordPress version, you can upgrade it to at least 5.6 to enjoy using PHP 8.

Should I upgrade to PHP 8?

Yes, if you want to benefit from the latest features, better error handling, improved RFCs, and optimizations, you should upgrade your PHP version to PHP 8.

What version of PHP should I use for WordPress?

We recommend using PHP 8.0 with WordPress if you are using at least WordPress 5.6. The oldest PHP version that we recommend using with WordPress is PHP 7.3.

Source :
https://www.cloudways.com/blog/wordpress-php-8/

Prepare for this change

Steps to take to allow VBA macros to run in files that you trust

Versions of Office affected by this change

How Office determines whether to run macros in files from the internet

Guidance on allowing VBA macros to run in files you trust

Remove Mark of the Web from a file

Files centrally located on a network share or trusted website

Files on OneDrive or SharePoint

Macro-enabled template files for Word, PowerPoint, and Excel

Macro-enabled add-in files for PowerPoint and Excel

Macros that are signed by a trusted publisher

Trusted Locations

Additional information about Mark of the Web

Mark of the Web and Trusted Documents

Mark of the Web and zones

Use the Readiness Toolkit to identify files with VBA macros that might be blocked

Use policies to manage how Office handles macros

Block macros from running in Office files from the Internet

VBA Macro Notification Settings

Tools available to manage policies

Cloud Policy

Microsoft Endpoint Manager admin center

Group Policy Management Console

Related articles

Configure voicemail

Forward an incoming call

Start a parallel call

Transfer an active call

Start a conference call

Manage your status

Troubleshooting

My Talk device is showing a Connection Error screen

Create users

Assign phones to users

Assign numbers to users

Add a third-party SIP provider

Set up a Smart Attendant

Manage voicemails and call recordings

View call logs

Set up groups

Troubleshooting

I can’t receive incoming calls

I can’t make outgoing calls

I could previously make and/or receive calls, and now I can’t

Recovering Talk subscriptions and phone numbers

Set the location of your UniFi OS Console

Configure your primary mobile device

Configure location-based activity notifications

Troubleshooting inaccurate location tracking

Camera zones overview

Set up motion zones

To set up a motion zone on the web application:

To set up a motion zone on the mobile app:

Set up Smart Detection zones

To set up Smart Detection zones:

Set up privacy zones

To set up a privacy zone on the web application:

To set up a privacy zone on the mobile app:

Live View

Recordings and Detections

Adjust the Camera Picture Settings

The camera’s image is dull, dark, or distorted

The camera recording quality is low

The camera’s image is harshly lit

The camera is out of focus (G3 Pro, G4 Pro, G4 PTZ cameras only)

The camera isn’t switching to Night (IR) Mode

Night (IR) Mode imagery is blurry

Reflections from nearby objects

Ceiling-mounting near a wall corner

Ceiling-mounting near overhangs

Wall-mounting too close to the ceiling

Residue on the bubble cover or lens

Oil stains or fingerprints on the bubble cover or lens

Moisture droplets on the bubble cover

Bubble cover not properly locked in place

The rubber seal surrounding the lens is damaged

How to connect to UniFi Protect

Identifying issues

My camera streams load slowly or buffer frequently

I can access Protect locally but not remotely