
Bug Fixes for Windows Server Operating System MP

Hello folks

Since the release of version 6.0.7303.0 of the Windows Server Operating System MP, many of you have reported regression bugs in the management pack. We have now fixed all of those issues in the latest released version, 6.0.7316.0: https://www.microsoft.com/en-us/download/details.aspx?id=9296. The MP guide available at that link has details about the various bugs that were fixed. If you have any feedback on the MP, please provide it on our User Voice website.

Ravi Chivukula | SCOM Program Manager | Microsoft
Get the latest System Center news on Facebook and Twitter
Main System Center blog: http://blogs.technet.com/b/systemcenter/
Operations Manager Team blog: http://blogs.technet.com/momteam/


API’s for #AzureAD Identity Protection are now available in the Microsoft Graph!

Howdy folks,

Cool news today! We’ve just turned on the first Azure AD Identity Protection API in the Microsoft Graph. To give you the low-down, Michael McLaughlin, one of the PMs who works on Identity Protection, has written up a quick blog post.

This is pretty cool stuff – we hope you’ll find it useful!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

——————

Hi folks!

I’m Michael McLaughlin and I work on the Identity Protection team in Microsoft’s Identity Division.

I have some great news to share today: The first Microsoft Graph API for Azure Active Directory Identity Protection, IdentityRiskEvents, is now available! This API allows you to query risk events generated by AAD Identity Protection. These risk events are sign-ins and other events that have been analyzed and found to be “risky” by Identity Protection’s machine learning and algorithms.

If Identity Protection sees behavior that’s anomalous—maybe there’s a login from a location that user doesn’t typically use, or malware is detected on the machine logging in, or we’ve detected that user’s credentials on the dark web—then it generates a risk event. A full list of the types of risk events that we currently detect is available here.

This API opens up a whole world of connectivity options, allowing you to pull the events into applications of your choice using Microsoft Graph, the standard in APIs across Microsoft’s product lines.

Here’s an example of a dashboard you can build by pulling the data into Power BI:

(Note: Azure AD Identity Protection is a premium feature and all users protected by it need to have Azure AD Premium licenses).

We wrote a guide to getting started with the IdentityRiskEvents API that will walk you through the process of authenticating and querying the data. You can also read all about the new API in our announcement on the Office Dev Center blog. If you’re new to the Microsoft Graph world, after going through our guide, dive deep into Graph at http://graph.microsoft.io/. There’s a huge number of APIs there for you to consume and use to analyze data, build great applications, and more.
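
As an added example (not code from the original post or from the Identity Protection team), the script below shows what consuming the IdentityRiskEvents collection looks like in practice: it builds the authenticated Graph request, walks the paged response, and then triages the returned events per user so the riskiest accounts surface first. The endpoint path, the `riskLevel`/`riskEventType` property names and the sample payload are assumptions modelled on the beta schema of the time; the access token is obtained separately, as the getting-started guide describes.

```python
"""Pull and triage Azure AD Identity Protection risk events from Microsoft Graph.

Added example (not from the original post). Assumptions, labelled here:
  - GRAPH_RISK_EVENTS and the property names below (riskLevel, riskEventType,
    userPrincipalName, ...) follow the beta identityRiskEvents schema as
    announced; check them against the current Graph documentation.
  - the bearer token comes from elsewhere (the getting-started guide);
    this script never authenticates on its own.
"""
import json
import urllib.request
from collections import Counter, defaultdict

GRAPH_RISK_EVENTS = "https://graph.microsoft.com/beta/identityRiskEvents"  # assumed path

# Ordering used for triage; riskLevel values are assumed from the beta schema.
RISK_ORDER = {"low": 1, "medium": 2, "high": 3}


def build_request(access_token, url=GRAPH_RISK_EVENTS):
    """Build the authenticated GET request for the risk-events collection."""
    return urllib.request.Request(
        url,
        headers={"Authorization": "Bearer " + access_token,
                 "Accept": "application/json"},
    )


def fetch_risk_events(access_token):
    """Follow @odata.nextLink pages and return every event as a list of dicts."""
    events, url = [], GRAPH_RISK_EVENTS
    while url:
        with urllib.request.urlopen(build_request(access_token, url)) as resp:
            page = json.load(resp)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return events


def triage(events, min_level="medium"):
    """Group events per user, keep those at or above min_level, sort worst first.

    Returns a list of (userPrincipalName, worst_level, [riskEventType, ...]).
    """
    threshold = RISK_ORDER[min_level]
    per_user = defaultdict(list)
    for ev in events:
        if RISK_ORDER.get(ev.get("riskLevel", "").lower(), 0) >= threshold:
            per_user[ev["userPrincipalName"]].append(ev)
    rows = []
    for upn, evs in per_user.items():
        worst = max(evs, key=lambda e: RISK_ORDER[e["riskLevel"].lower()])
        rows.append((upn, worst["riskLevel"].lower(),
                     sorted(e["riskEventType"] for e in evs)))
    rows.sort(key=lambda r: (-RISK_ORDER[r[1]], r[0]))
    return rows


def count_by_type(events):
    """Counter of riskEventType, the breakdown a dashboard tile would show."""
    return Counter(e["riskEventType"] for e in events)


# Constructed sample in the shape of a Graph collection response (not real data).
SAMPLE_RESPONSE = {
    "value": [
        {"id": "1", "userPrincipalName": "alice@contoso.example",
         "riskEventType": "leakedCredentialsRiskEvent", "riskLevel": "high",
         "riskEventStatus": "active", "createdDateTime": "2016-06-21T09:12:00Z"},
        {"id": "2", "userPrincipalName": "bob@contoso.example",
         "riskEventType": "anonymousIpRiskEvent", "riskLevel": "medium",
         "riskEventStatus": "active", "createdDateTime": "2016-06-21T10:01:00Z"},
        {"id": "3", "userPrincipalName": "bob@contoso.example",
         "riskEventType": "impossibleTravelRiskEvent", "riskLevel": "medium",
         "riskEventStatus": "active", "createdDateTime": "2016-06-21T11:30:00Z"},
        {"id": "4", "userPrincipalName": "carol@contoso.example",
         "riskEventType": "unfamiliarLocationRiskEvent", "riskLevel": "low",
         "riskEventStatus": "remediated", "createdDateTime": "2016-06-20T08:00:00Z"},
    ]
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_risk_events(token) once you have a token from the guide.
    for upn, level, types in triage(SAMPLE_RESPONSE["value"]):
        print(f"{level:6} {upn:28} {', '.join(types)}")
```

The triage keeps only medium and high events by default so that a noisy low-risk type (an unfamiliar location, say) does not bury a leaked-credential hit; lower `min_level` to `"low"` when feeding a dashboard that wants the full picture.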

I’m really excited about the possibilities here. I hope you are too!

Sincerely,

Michael

SCSM 2016 – Upgrade steps for custom development

With the SCSM 2016 release, the product has moved to .NET Framework 4.5.1. The tool-set changes required to support this move broke a few dependencies and led to classes moving across assemblies.
This may break custom solutions built by third parties (non-Microsoft) after an upgrade to SCSM 2016.

Your custom solution will be impacted if:

  • The custom solution targets a .NET Framework version lower than 4.5.1
  • Existing classes or controls used by the custom solution have been moved to a different assembly
  • The custom solution references SM assemblies with “Specific Version” (7.1.1000.1)

After upgrading to SCSM 2016, you might see error pop-ups on the SM console.

You can fix the problem with following steps:

  • Recompile the custom solutions targeting .NET Framework 4.5.1
  • When you build your solution against SM 2016, update it to reference the appropriate SM assemblies. The Excel sheet provided below lists the affected classes in detail.
  • Remove the “Version Specific” (1.1000.0) information from references to the out-of-box SM assemblies in your custom solutions.

In SM 2012 R2, a few assemblies have a higher version (7.1.1000.0) than the SM 2016 assemblies. In SM 2016, all assemblies have the same version (7.0.5000.0).

Steps for upgrade to SCSM 2016

  1. In-place upgrade of SM 2012 R2 to SM 2016
  2. Reimport or reinstall the upgraded custom solutions from partners/MVPs
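
The three “impacted if” conditions above are mechanical enough to check before an upgrade. The following script is an added example (not part of the original post and not an SCSM tool): it reads a solution’s `.csproj` files and reports a target framework below 4.5.1, references to Service Manager assemblies marked `SpecificVersion=True`, and references that pin a `Version=` in their `Include`. The assembly-name prefix used to recognise SM assemblies and the sample project are assumptions.

```python
"""Check a custom SCSM solution's .csproj files for the three upgrade blockers.

Added example (not from the original post or the SCSM product): flags the
conditions the post lists - a target framework below 4.5.1, references to
SM assemblies with SpecificVersion=True, and references that pin Version=.
SM_ASSEMBLY_PREFIX and the sample project below are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

MSBUILD_NS = {"m": "http://schemas.microsoft.com/developer/msbuild/2003"}
REQUIRED_FRAMEWORK = (4, 5, 1)
# Assumption: Service Manager assemblies are recognised by this name prefix.
SM_ASSEMBLY_PREFIX = "Microsoft.EnterpriseManagement."


def parse_framework(version_text):
    """'v4.5' -> (4, 5); 'v4.5.1' -> (4, 5, 1)."""
    return tuple(int(p) for p in version_text.strip().lstrip("vV").split("."))


def check_project_xml(xml_text, name="project.csproj"):
    """Return a list of human-readable findings for one .csproj document."""
    findings = []
    root = ET.fromstring(xml_text)

    tf = root.find(".//m:TargetFrameworkVersion", MSBUILD_NS)
    if tf is None or parse_framework(tf.text) < REQUIRED_FRAMEWORK:
        current = tf.text.strip() if tf is not None else "missing"
        findings.append(f"{name}: TargetFrameworkVersion is {current}; retarget to v4.5.1")

    for ref in root.findall(".//m:Reference", MSBUILD_NS):
        include = ref.get("Include", "")
        assembly = include.split(",")[0].strip()
        if not assembly.startswith(SM_ASSEMBLY_PREFIX):
            continue  # only out-of-box SM assemblies are affected by the move
        specific = ref.find("m:SpecificVersion", MSBUILD_NS)
        if specific is not None and specific.text.strip().lower() == "true":
            findings.append(f"{name}: {assembly} has SpecificVersion=True; set it to False")
        pinned = re.search(r"Version=([\d.]+)", include)
        if pinned:
            findings.append(f"{name}: {assembly} pins Version={pinned.group(1)} in Include; "
                            "drop the version from the reference")
    return findings


def check_solution_dir(root_dir):
    """Walk a solution folder and check every .csproj under it."""
    findings = []
    for csproj in sorted(Path(root_dir).rglob("*.csproj")):
        findings.extend(check_project_xml(csproj.read_text(encoding="utf-8"), csproj.name))
    return findings


# Constructed sample project (not a real SCSM solution) showing all three problems.
SAMPLE_CSPROJ = """<Project ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
  </PropertyGroup>
  <ItemGroup>
    <Reference Include="Microsoft.EnterpriseManagement.Core, Version=7.1.1000.0, Culture=neutral">
      <SpecificVersion>True</SpecificVersion>
    </Reference>
    <Reference Include="Microsoft.EnterpriseManagement.UI.SdkDataAccess">
      <SpecificVersion>False</SpecificVersion>
    </Reference>
    <Reference Include="System.Xml" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    for line in check_project_xml(SAMPLE_CSPROJ, "Sample.csproj"):
        print(line)
```

Run `check_solution_dir(path)` against the solution root before you recompile; an empty result means only the moved-class review against the Excel sheet remains.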

What next?
Our partners (CasedDimensions, Gridpro, Cireson, Provance) will be offering their updated solutions for Service Manager 2016.

You can also refer to the following blog post from our MVP Kurt Van Hoecke for more related information:
http://www.scug.nl/system-center/scsm-2016-steps-used-for-upgrading-custom-development/

Excel sheet with detailed information about code migration (affected classes):
SCSMCodeMigration

Operations Management Suite expands to include security management, threat detection

Today’s IT operations and security teams are tasked with managing highly complex environments which are being targeted by a growing number of sophisticated cyber-attacks. These teams have an obligation to identify and remediate security vulnerabilities and threats before they impact the business.

To solve these challenges, today we announced general availability of the updated Operations Management Suite (OMS) Security solution. OMS Security is an easy-to-use cloud solution designed to monitor security for any IT environment. With this new solution, Microsoft has enabled IT operations and security teams to more quickly and easily understand their overall security posture, detect security threats, and respond quickly.

Since the preview of the new capabilities for OMS Security in February, we have seen more than 30,000 customers using the service. Customers from a diverse set of businesses have benefited from the solution, driving ingestion of several terabytes of security data per day. OMS Security continues to help businesses defend against cyber-attacks by providing visibility into the security of their entire IT environment, detecting active threats, and enabling rapid search for further remediation.

OMS Security features available now include:

  • Enhanced Security dashboard, which makes it easier to visualize and analyze security state, enables security monitoring for Linux servers, adds built-in notable issues to prioritize vulnerabilities and detections that require attention, and lets you create custom notable issues.
  • Antimalware assessment to show the status of installed antimalware protection on servers, and any malware detected.
  • Threat Intelligence map and breakdown to detect servers communicating with malicious actors, along with insights into the source of the attack.
  • Security Configuration Baseline Assessment to identify vulnerable operating system configurations that could be exploited by attackers.
  • Identity and Access dashboard to show failed logins and admin activities, providing insight into potential brute force or dictionary attacks.
  • Microsoft Advanced Threat Analytics (ATA) integration, which surfaces security threats discovered by Advanced Threat Analytics within Operations Management Suite.
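
The Identity and Access dashboard’s “failed logins” view rests on a simple idea: many failures from one source in a short window, or one source trying many accounts, is worth an analyst’s attention. The script below is an added example (not from the original post and not OMS code) that implements that rule over constructed records shaped like Windows Security event 4625 fields. The window, the thresholds and the field names are assumptions; tune them to your environment.

```python
"""Flag brute-force and password-spray patterns in Windows logon-failure events.

Added example, not from the original post and not OMS code: a small rule of
the kind behind the "failed logins" view, run over constructed records shaped
like Security event 4625 (failed logon) fields. WINDOW, the thresholds and
the field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window
BURST_THRESHOLD = 5              # failures from one source inside WINDOW
SPRAY_THRESHOLD = 3              # distinct target accounts from one source inside WINDOW


def parse_ts(text):
    """ISO-8601 UTC timestamp as used in the constructed sample."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def detect_failed_logons(events):
    """Return sorted (source_ip, kind, count) findings.

    kind is 'burst' when one source produces at least BURST_THRESHOLD
    failures within WINDOW (brute force against one or a few accounts) and
    'spray' when one source fails against at least SPRAY_THRESHOLD distinct
    accounts within WINDOW (dictionary/spray across users). A source that
    qualifies for both is reported once, as 'burst'.
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4625:   # only failed logons matter here
            continue
        by_source[ev["IpAddress"]].append((parse_ts(ev["TimeCreated"]), ev["TargetUserName"]))

    findings = []
    for ip, rows in by_source.items():
        rows.sort()
        max_failures = max_accounts = 0
        start = 0
        for end in range(len(rows)):
            # slide the window so that rows[start:end+1] spans at most WINDOW
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            max_failures = max(max_failures, len(window))
            max_accounts = max(max_accounts, len({user for _, user in window}))
        if max_failures >= BURST_THRESHOLD:
            findings.append((ip, "burst", max_failures))
        elif max_accounts >= SPRAY_THRESHOLD:
            findings.append((ip, "spray", max_accounts))
    return sorted(findings)


def _failed(ts, user, ip):
    """Helper to build a constructed 4625-shaped record."""
    return {"EventID": 4625, "TimeCreated": ts, "TargetUserName": user, "IpAddress": ip}


# Constructed sample (not real telemetry): one burst source, one spraying source,
# one benign source with two failures far apart, plus a successful logon (4624).
SAMPLE_EVENTS = [
    _failed("2016-06-21T09:00:00Z", "admin", "10.0.0.5"),
    _failed("2016-06-21T09:00:30Z", "admin", "10.0.0.5"),
    _failed("2016-06-21T09:01:00Z", "admin", "10.0.0.5"),
    _failed("2016-06-21T09:01:30Z", "admin", "10.0.0.5"),
    _failed("2016-06-21T09:02:00Z", "admin", "10.0.0.5"),
    _failed("2016-06-21T09:02:30Z", "admin", "10.0.0.5"),
    _failed("2016-06-21T09:05:00Z", "alice", "10.0.0.9"),
    _failed("2016-06-21T09:06:00Z", "bob", "10.0.0.9"),
    _failed("2016-06-21T09:07:00Z", "carol", "10.0.0.9"),
    _failed("2016-06-21T08:00:00Z", "dave", "192.168.1.20"),
    _failed("2016-06-21T08:30:00Z", "dave", "192.168.1.20"),
    {"EventID": 4624, "TimeCreated": "2016-06-21T09:08:00Z",
     "TargetUserName": "alice", "IpAddress": "10.0.0.9"},
]

if __name__ == "__main__":
    for ip, kind, count in detect_failed_logons(SAMPLE_EVENTS):
        print(f"{ip:15} {kind:6} {count}")
```

The sliding window matters: two failures from the same source thirty minutes apart (the `192.168.1.20` rows) stay below both thresholds, which keeps a mistyped password from paging anyone.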

Additionally, today we’re announcing two new capabilities that are available as public preview for Operations Management Suite:

  • Advanced detection engine: Analyze security data from across your IT environment using behavioral analysis and machine learning. OMS Security can detect a wide array of attacks, including suspicious processes running on virtual machines, lateral movement attempts and more. The Advanced detection engine utilizes Microsoft security research to provide continual updates for recent attack knowledge.
  • Cisco ASA log ingestion: Bring Cisco ASA security information into OMS with new insights on malicious network traffic in and out of your network. For customers, adding this log data broadens the ability to track malicious IP addresses from any computer trying to get through the firewall.

Operations Management Suite continues to advance monitoring, automation, security, and protection and recovery capabilities to give you a holistic view of management for your systems. Learn more about how to get started with the new OMS Security capabilities. Your feedback is important to us. We encourage you to submit ideas and suggestions on the Log Analytics forum or in the comments below.

Microsoft brings together IT management and security for the hybrid cloud

As organizations adopt hybrid cloud models for IT, the challenges for operations management continue to increase. Among those challenges is the difficulty of securing these complex environments, which include resources on-premises as well as in hosted clouds, Azure or AWS. At the same time, the cost of breaches continues to rise – the average cost of a data breach to a single company is $3.5M. To help meet these challenges, today we are announcing the general availability of new and improved security features for Microsoft Operations Management Suite, a set of cloud-based services designed to help customers protect, detect and respond to security issues across hybrid cloud environments.

Operations Management Suite (OMS) is management for the cloud, from the cloud. Delivering analytics, automation, configuration, security, backup, and site recovery, OMS gives you the ability to increase visibility and control from the on-premises datacenter to the cloud. The advantages of cloud-based management include the ability to innovate faster, scale to meet expanding requirements, and get up and running without long deployment cycles. Using cloud-based security tools also ensures that you are always working from the latest information on threats. Security and management go hand in hand, because the same data that indicates a potential performance or health issue, might also indicate a security breach. By bringing security and management together in a single cloud-based offering, OMS provides the tools you need to address threats and remediate issues without the added complexity of point solutions.

Last week we announced the general availability of Azure Security Center, a set of tools to help customers gain visibility into the security state of their Azure resources, take control of cloud security policies, and both detect and respond to active attacks. With OMS Security we bring the security analytics that are built into Azure Security Center to hybrid cloud environments, giving you the capabilities you need to handle today’s evolving security threats. OMS Security leverages the same intelligence and detection that we use in Azure and is based on the security knowledge that we gain from running a hyper-scale cloud.

With OMS Security, you can quickly assess the security posture of your hybrid cloud environment and detect active security threats. OMS Security will continuously monitor the environment for security vulnerabilities such as missing critical security updates, antimalware, and recommended security configuration baselines. To detect active security threats and attacks, the service leverages powerful event analysis paired with threat intelligence derived from Microsoft’s own cloud experience. You can centralize management for protecting systems, as well as creating alerts, implementing automatic security updates across systems, and applying security policies. A simple approach to search and queries across all data sources lets you streamline the security audit process with easy access to comprehensive and actionable security log data. With these new capabilities, IT administrators can avoid being blindsided by a breach and alert the security team if they see indicators of compromise. Security response teams can then use the same simple search capabilities to rapidly get a view across operations and security data to help stop the threat.

The new Security service includes a broad range of tools to help you get deeper visibility across multiple aspects of the security landscape. Highlights include advanced threat detection and the Threat Intelligence dashboard, which lets you visualize attacks using the same data we use in Azure. For customers using Advanced Threat Analytics in Enterprise Mobility + Security (EMS), you can now view that information in OMS, giving you a single view of security for IT operations. The new Security Configuration Baseline Assessment identifies vulnerable OS configurations that could be exploited by an attacker. To see OMS Security in action, and get a deeper view on how these features can work for you, take a look at Operations Management Suite Security in this episode of Microsoft Mechanics.

To make it easier to get access to these solutions, we announced earlier this month that you can purchase OMS via a new subscription model. Existing System Center customers can get OMS as an add-on, extending the value of existing on-premises investments. To learn more about OMS Security, we encourage you to check out the website and read the deep dive blog post, Operations Management Suite expands to include security management, threat detection.

What’s new in failover clustering: #07 SMB Multichannel & Multi-NIC cluster networks

This post was authored by Rob Hindman, Senior Program Manager, Windows Server

Getting the best performance

Building enterprise-grade solutions with Windows Server 2016 is now easier with the new Simplified SMB Multichannel feature in Failover Clustering. A Windows Server 2016 failover cluster will now automatically recognize and configure multiple NICs on the same subnet, greatly simplifying network design and implementation. SMB Multichannel helps customers to leverage high-bandwidth 10GiB, 40GiB, and higher networks. Since both RSS-capable and RDMA-capable NICs can be used, throughput for SMB traffic is greatly improved. The net result is faster solutions that take advantage of modern hardware and are easier to configure.

Both Hyper-converged and Converged cluster configurations are supported. In the Hyper-converged diagram below, there are two physical networks (subnets); the network with multiple NICs in each cluster node can be used for high bandwidth traffic, such as Virtual Machine Live Migration.

In the Converged network diagram below, multiple NICs are used in the network that spans the two clusters (the North-South network) to achieve high performance.

Note that multiple physical networks (subnets) are required to ensure that the failover cluster can continue to function in the event of a switch failure.

Automatic and on by default

No configuration is necessary to use this feature – the cluster will automatically detect and use all the NICs that are present. All of the NICs will be used for cluster heartbeating, CSV, and cluster traffic. The cluster will also automatically use the IPv6 Link Local (fe80) IP Address resources on private cluster-only networks. Cluster validation has also been updated to check for multiple NICs on the same subnet.

Further details on the Simplified SMB Multichannel feature in Windows Server 2016 can be found here. A great article about SMB Multichannel can also be found here.

Summary

In summary, the new Simplified SMB Multichannel feature means that Windows Server 2016 failover clusters can automatically take maximum advantage of modern network switches and NICs. Great network throughput and security can be realized with SMB 3.1.1 – your users will love it!

To try this new feature in Windows Server 2016, download the Technical Preview.

Check out the series:

New in Intune: Intune App SDK support for Xamarin and TeamViewer integration

The right technology partners are an important part of Intune’s vision to extend the value of our service by plugging into and working with other popular point solutions. Intune partnerships are designed to enhance our core functionality by delivering interoperability that results in rich new experiences for our customers.

We’re excited for you to check out two new Intune integrated experiences, brought to you in our latest service update: the release of the Xamarin component for our Intune App SDK and TeamViewer integration for remote assistance.

Intune App SDK support for Xamarin

The Intune App SDK Xamarin component allows you to easily enable Intune mobile app management features in your mobile iOS and Android apps built with Xamarin.

With our new support for Xamarin, we’re making it easier for developers to use our Intune App SDK to prevent data loss in their mobile iOS and Android apps. The Xamarin component was designed specifically for use when building cross-platform mobile apps on the Xamarin platform, so developers can easily bake in mobile application management (MAM) controls as part of their standard app development process. If you are a developer building a cross-platform app, you can now quickly apply Intune MAM controls to your project with very little modification to your mobile app.

To get started, download the Intune App SDK and its plugins, available on Github and the Xamarin component store. The Xamarin component supports Xamarin Cycle 7 and above.

For more details, watch our recorded session from Xamarin Evolve 2016 here.

TeamViewer integration for agent-managed Windows PCs

Our new TeamViewer integration delivers a remote assistance solution for Intune agent-managed Windows PCs.

We’ve introduced a TeamViewer Connector within the Intune admin console that allows you to register your company’s TeamViewer account with Intune. Once you’ve done this, your end users can use the Intune Center on their PCs to request remote assistance, and they’ll receive help from your help desk through a TeamViewer connection. All of the TeamViewer features are available to use during your remote session including chat, remote restart, video, screen annotation, file transfer, and more.

If you’re not already using TeamViewer and want to see how this works, get started with a trial account from TeamViewer. Once you’ve tried it out, jump over to the TeamViewer site to purchase a license from TeamViewer. There are several license options, and all of them work with Intune. For more information about Intune and TeamViewer, please visit their site.

Visit the What’s New in Microsoft Intune page for more on these and other recent developments in Intune.

Additional resources:

#AzureAD Mailbag: MFA Q&A, Round 5!

All right, it’s time for some more mandatory fun! Chad here, back again for another round of Azure MFA Q&A! This Mailbag has a mixture of MFA Server, persistent cookie scenarios, sessions, and broker assistants. For those who have deployed MFA, are looking to deploy it, or are in the process of deploying Azure MFA, this information should be useful.

Question 1:

I’m setting up RADIUS Authentication with my on-premises MFA server. If I wanted to use two different authentication types under the “Target” tab for RADIUS authentication, how do I do this? It will not let me. Am I missing something?

Answer 1:

You can’t map different targets to different clients. The one target you select applies to all clients.

Question 2:

Do you have any idea if we can use Windows Auth for the RDGateway setup using RADIUS Auth?

Answer 2:

The protocols used by RD Gateway can’t be processed by MFA Server natively, so you have to use MFA Server as a RADIUS proxy to NPS. That can be the instance of NPS running on the RD Gateway server or a centralized NPS. NPS then does the primary auth against AD. NPS should be able to perform the primary auth for all RADIUS clients against AD, so setting the MFA Server RADIUS target to “RADIUS server(s)” shouldn’t impose any restrictions compared with selecting “Windows domain” as the target. See https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server-rdg/ for deployment guidance.

Question 3:

When signing in through Azure AD, how does the Don’t ask again for X days checkbox displayed from the Remember MFA feature affect the user’s device? Is it a persistent cookie in the browser? Is it a certificate on the device?

Answer 3:

Today this is done through a persistent cookie stored on the device. The cookie expires after X days, thus requiring the user to perform MFA again at that time. See https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-whats-next/#remember-multi-factor-authentication-for-devices-users-trust.

Question 4:

How does the Remember MFA feature work with end-users using multiple browsers (e.g. Edge, IE, Chrome, Firefox)? Does the feature work across browsers when the user checks the “Don’t ask again for X days” checkbox?

Answer 4:

The user must check the “Don’t ask again for X days” checkbox on each device/browser individually. Please note that IE and Edge browsers do not share the same persistent cookie. See https://blogs.technet.microsoft.com/enterprisemobility/2014/08/20/suspend-mfa-on-a-remembered-device-now-in-preview/ for a deeper dive.

Question 5:

How does it work when a user uses something such as OneNote? Will it work for all other browsers? Is there a browser that it is not compatible with?

Answer 5:

We don’t show the “Don’t ask again for X days” checkbox for rich clients. We only show it for browsers, since cookies only work for the different browsers (e.g. Firefox, Edge, IE, Chrome). See https://support.microsoft.com/en-us/kb/932118 for more information about cookies with Office vs. browsers.

Question 6:

Are there scenarios that prevent the Remember MFA feature from working?

Answer 6:

If the cookie couldn’t be set or be read, it wouldn’t work.

Question 7:

I do not have ADAL enabled for my Outlook client but I have MFA enforced for my users. We use App Passwords for my Outlook clients but I’m still being prompted when accessing a document from Word that is saved on SharePoint Online. Why is this?

Answer 7:

There are a few variables that go into making this a smooth process.

  1. SharePoint Online is natively enabled for modern authentication using the Active Directory Authentication Library (ADAL). In order to have a better experience, your Outlook client should be enabled for modern authentication as well. The Outlook client doesn’t require App Passwords when using modern authentication.
  2. Where the document is saved determines whether it authenticates against SharePoint Online (SPO). If you go to SPO and open the document there, then choose to open it locally, it will authenticate against SharePoint Online and require you to MFA. If you have already MFA’ed in your ADAL-enabled Outlook client, SharePoint will leverage the existing refresh token to obtain a new access token from SharePoint to give you access to the document. This flow will not prompt your end users to authenticate because they have an active session.
  3. See https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/ for guidance on which clients currently support modern authentication, and how to enable modern authentication for Exchange Online and Skype for Business along with other information.

Question 8:

I have Windows, Android, and iOS devices in our corporate environment. Why do I have to download the Azure Authenticator application to gain SSO to Office for Android and iOS and not required for Windows phones?

Answer 8:

iOS and Android require broker assisted logins. What does this mean? I’ll reference our documentation:

“Broker-assisted logins are login experiences that occur within the broker application and use the storage and security of the broker to share credentials across all applications on the device that leverage the Microsoft Identity platform. This means that your applications will rely on the broker in order to sign users in. On iOS and Android these are provided through downloadable applications that customers either install independently or can be pushed to the device by a company who manages the device for their user. An example of this type of application is the Azure Authenticator application on iOS.

“If a compatible broker is installed on the device, like the Azure Authenticator application, the Microsoft Identity SDKs will automatically do the work of invoking the broker for you when a user indicates they wish to log in using any account from the Microsoft Identity platform.”

We hope you’ve found this post and this series to be helpful. For any questions you can reach us at
AskAzureADBlog@microsoft.com, on the Microsoft Forums, and on Twitter at @AzureAD, @MarkMorow and @Alex_A_Simons.

–Chad Hasbrook and Shawn Bishop


Update your ConfigMgr 1606 SUP servers to deploy the Windows 10 Anniversary Update

Author: Bruno Yoshioka, Software Engineer, System Center Configuration Manager Engineering

The Windows Team has released update KB3159706, which enables the provisioning of decryption keys in WSUS for Windows Server 2012 and 2012 R2. This update is necessary for WSUS to be able to natively decrypt the encrypted Windows 10 Anniversary Update packages, and any subsequent Windows 10 feature upgrades. Additionally, the 1606 update for the current branch of Configuration Manager contains new client support that allows these types of packages to install correctly using the Configuration Manager Windows 10 servicing feature.

Both updates are needed for the ConfigMgr Windows 10 servicing feature to deploy Windows 10 feature upgrades starting with the Windows 10 Anniversary Update. We recommend that you install KB3159706 on your Software Update Point (SUP) servers, following the required manual installation steps that are outlined in the KB article, before starting deployments of the Windows 10 Anniversary Update.

Until your SUP servers are updated, you can use the ConfigMgr Operating System Deployment (OSD) feature as an alternative to the SUM/Windows 10 servicing feature to deploy the Windows 10 Anniversary Update.

Learn More: Read the WSUS team blog post – The long-term fix for KB3148812 issues

Report Issues: Visit the WSUS forum if you’re having issues deploying KB3159706 after following the guidance in the KB article.

–Bruno Yoshioka

Additional resources:

Microsoft a leader in Gartner x86 Server Virtualization Infrastructure 2016 Magic Quadrant

We’re incredibly excited to share that for the sixth year in a row, Microsoft was named a Leader by Gartner in the x86 Server Virtualization Infrastructure Magic Quadrant. We are honored by this continued recognition because it validates the relentless approach we’ve taken to creating a world-class virtualization platform for our customers. It is also aligned with the announcement that Microsoft Azure is a leader in the Magic Quadrant for Cloud Infrastructure as a Service for the third year in a row. This is no coincidence, because the hypervisor that underpins Azure is Hyper-V.

Many customers are surprised to find out that the hypervisor powering one of the world’s largest public cloud environments is the same one that can be deployed as a role in Windows Server, but this is part of the ongoing promise we have with our customers. We develop, test and harden great technologies running at scale in our public cloud environment and then bring those technologies into the products that you can buy and deploy in your datacenter.

Download the Gartner x86 Server Virtualization Infrastructure 2016 Magic Quadrant.

Long-term strategy and cloud investments

Our customers tell us that our long term strategy and cloud investments are the main reason why they are choosing Microsoft over VMware. The ability to deliver a consistent platform for both on-premises and public cloud positions Microsoft as a unique player for customers looking for a long term strategy on their datacenter investments and how IT can support the business transformation.

New security features set Hyper-V apart from the crowd

With Windows Server 2016, we are also bringing the security conversation to a new level. With Shielded VMs customers can confidently virtualize and encrypt critical and sensitive workloads and ensure the information inside the VM won’t be available to fabric or virtualization administrators. Even if a host or an admin account is compromised, VMs are protected and the content inside these VMs cannot be accessed. While this vector of attack is possible for all virtualization platforms, the protection Shielded VMs create is only available in Windows Server 2016 Hyper-V.

Download the Magic Quadrant.

More exciting announcements are coming, so be sure to follow Windows Server on Twitter.

ARM concepts in Azure Stack for the WAP Administrator – Troubleshooting IaaS in Azure Stack

Hello Readers! This blog is part 8 (and the last) of the series “ARM concepts in Azure Stack for the WAP Administrator.” In this post we’ll discuss and share troubleshooting techniques and resources that we have learned when working with customers and partners that are actively validating Microsoft Azure Stack Technical Preview 1.

Note
Some information relates to pre-released product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

I’m including the table of contents for this series of posts so that you’ll find it easier to navigate across the series:

Table of contents

  1. Introductory post, and some first information on the Azure Stack POC architecture and ARM’s role
  2. Cloud Service Delivery
  3. Plans, offers, and subscriptions
  4. Resource Deployment
  5. Packaging and publishing templates on Azure Stack
  6. Multi-tier applications
  7. In-guest configuration with ARM, and technologies such as Virtual Machines Extensions, including PowerShell Desired State Configuration (DSC)
  8. Troubleshooting IaaS deployments in Azure Stack —this post

With no more delay, let’s get started!


WAP Troubleshooting

While we’ve already discussed the WAP architecture for IaaS in previous posts from this series, let’s summarize the components required – a fabric based on Windows Server 2012 R2, a fabric management infrastructure based on System Center 2012 R2 and Windows Azure Pack for offering cloud services to tenants as depicted in the picture below:

And specifically, for enabling the Virtual Machine Clouds (a.k.a. VM Clouds or simply IaaS) service in WAP, the System Center 2012 R2 components required are:

  • Virtual Machine Manager (VMM)
  • Service Provider Foundation (SPF)
  • (Optional) Operations Manager (OpsMgr) – for usage
  • (Optional) Service Management Automation (SMA) – for executing automation runbooks

This is depicted in the picture below:

As you can see, there are several moving parts involved just for the VM Clouds service in WAP (meaning tenants can deploy VMs and VM networks via a self-service portal). So, when something goes wrong (like a tenant VM deployment failing), the root cause could be in WAP, SPF, VMM, at the storage level, or even in Hyper-V!

To help with this potential challenge, back when WAP was released, the Building Clouds blog team (aka.ms/buildingclouds) and the community had been very active providing guidance and troubleshooting for the initial scenarios.

At the same time, the official WAP documentation was growing to cover the different areas (hence, not only IaaS, but PaaS too, such as Web Sites and SQL). The WAP troubleshooting article in TechNet covers the different components and scenarios in great detail:

And, finally, WAP administrators have a plethora of troubleshooting information for Windows Server 2012 R2, Hyper-V, and System Center 2012 R2 (VMM, SPF, Operations Manager, and so on).

Now, let’s see what resources we have available for troubleshooting Azure Stack TP1.


Azure Stack Troubleshooting

At the time of this writing, the Azure Stack version we have available is Azure Stack Technical Preview 1. This means that we’re working with a very early version of the product, which is deployed in a one-node configuration for evaluation purposes. Hence, the guidance and links provided in this blog post apply to Azure Stack TP1 only.

First, let’s start with a quick overview of the Azure Stack TP1 architecture, which is described on this article:

The same article explains the roles of each of the components, and also, if you read the comments, you’ll see that this diagram is missing the BGP VM, which acts as a router between different VMs in the TP1 single-node deployment.

As you can see in the picture above, the architecture and components of Azure Stack TP1 are very different from what you were used to in WAP. New technologies from Windows Server 2016 Technical Preview 4 (such as Storage Spaces Direct) and from Microsoft Azure (such as Service Fabric) are used. With so many new components, let’s take a look at the resources available for you to troubleshoot Azure Stack TP1.


Azure Stack Troubleshooting – Where to go and how to contribute

In case you haven’t noticed, there is a very comprehensive list of known issues, workarounds and troubleshooting guidance in the Azure Stack documentation (direct link here). I’d suggest that you refer to this site for troubleshooting topics on Azure Stack, as it is updated regularly. The articles are organized by categories, so that it’s easier to navigate and find answers for a specific area (such as Platform Image Repository, templates or the TP1 deployment itself).

With that said, we will not start writing additional or new troubleshooting guidance for Azure Stack on this blog post, because the Azure Stack documentation is available in azure.microsoft.com and every one of us can contribute to it! You only need to have a GitHub account (if you don’t have one, you can get one here), go to the specific document, and click on the Edit on GitHub link as depicted in the picture below:

This will bring you to the article on the Azure GitHub repository, and from here you can easily contribute by clicking on the edit button as highlighted in yellow in the picture below:

Make the edits in your fork of this project, propose a file change, and then submit a pull request. Pull requests are reviewed by the Azure Stack team, and if everything looks good, they’ll merge the request into their repository, and everybody will see your contribution:


Azure Stack Troubleshooting – Most common issues

Alright, the list of known issues provided in the link above is quite comprehensive, but which are the most common issues faced when working with IaaS in Azure Stack? At the time of this writing, these are some of the most common issues we’ve seen when working with customers:

Disclaimer: These common issues only apply to the Azure Stack TP1 POC and were taken from the Azure Stack troubleshooting article. You can expect these issues to be fixed in future Azure Stack releases.

“Gateway Timeout” error message when working with virtual machines
In Azure PowerShell, the error message may be:

Gateway Timeout: The gateway did not receive a response from ‘Microsoft.Compute’ within the specified time period.

This is a known issue, and should be fixed in a future release. As a workaround, restarting the Compute Resource Provider (CRP) services on the xRPVM, or restarting this VM, should solve the issue.

Performance issues when deploying or deleting tenant virtual machines
Some improvements on deployment and deletion times have been implemented in the incremental release for Azure Stack TP1 (April 2016). In case you still see issues, here are some steps that may help with poor performance during VM management tasks:
  1. Restart the WinRM service on the Hyper-V Host
  2. If that doesn’t work, restart the CRP service on the xRPVM
  3. If that doesn’t work, restart the xRPVM

A new image added to the Platform Image Repository (PIR) may not show up in the portal
When adding an image to the Platform Image Repository (PIR) in Azure Stack, it can take some time (5 to 10 minutes) for the image to show up in the Azure Stack portal after running “CopyImageToPlatformImageRepository.ps1”. Also, if the value for -Offer and/or -SKU contains a space, the manifest will be invalid and a gallery item will not be created. This is a known issue, and the current workaround is to ensure you don’t use spaces, for example changing the SKU from “Windows Server 2012 R2 Standard” to either “WindowsServer-2012-R2-Standard” or “WindowsServer2012R2Standard”.

Finally, we’ve seen reports where increasing the number of virtual processors (to 4 or 8) and the memory (to 8 GB) of the xRPVM resolves this situation.

Network security groups cannot be created using default tags
In Azure Stack TP1, it is possible to deploy security rules with a sourceAddressPrefix of “*” or “10.0.0.0/24”, but using a tag like “Internet” or “VirtualNetwork” fails. This is because default tags are not supported in TP1. This is a known issue that should be fixed in a future release.

Network resolution issues from tenant virtual machines
With this release, virtual machines should be able to connect to the internet, for example for some of the virtual machine extensions. If you are having internet connectivity issues from within the virtual machines, it is likely because the iDNS feature is not yet in this Technical Preview 1 release, meaning that a shared DNS service from Azure is not configured by default.

You can confirm this by looking at the “DNS servers” settings for the associated virtual network:

In the portal, this can be changed to 192.168.100.2, with a public DNS value for the second entry that is required. This can also be controlled when deploying via a template, by using this setting in the “dhcpOptions” for the virtual network:

    "dnsServers": ["192.168.100.2"]

This setting can also be used when deploying a virtual machine via a template that also includes a virtual network.

If you need to change this for an existing virtual network, virtual machines that are already deployed will need to be stopped and restarted. When logging into the restarted VM, you should confirm that it has picked up the new settings from the Network Controller via DHCP. Making changes directly in the VM may work, but would be an “out of band” change from the Network Controller’s point of view, so it is not desired. Disabling/enabling the virtual NIC within the VM would also be a possibility at this stage (since you have access to both the tenant and service admin sides in the POC).
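The DNS fix described above, carried through with the AzureRM cmdlets as an added example (not a script from the original post or the Azure Stack team): it sets the virtual network’s dhcpOptions to the 192.168.100.2 address from the text plus a public forwarder, then stops and starts only the VMs attached to that network so they pick the setting up via DHCP. The resource group, network name, second DNS address and the assumption that NICs live in the same resource group are all placeholders/assumptions.

```powershell
# Added example, not from the original post. Assumes Add-AzureRmAccount has already been
# run against the Azure Stack TP1 ARM endpoint. Names in angle brackets are placeholders.
$resourceGroup = '<TenantResourceGroup>'
$vnetName      = '<TenantVirtualNetwork>'
$dnsServers    = @('192.168.100.2', '<PublicDnsServer>')   # second address is an assumption

$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName

# A network created without any DNS setting has no DhcpOptions object yet.
if ($null -eq $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$dnsServers
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
"VNet '$vnetName' DNS servers now: $($vnet.DhcpOptions.DnsServers -join ', ')"

# Already-deployed VMs only see the change after a stop/start; editing DNS inside the guest
# would drift from what the Network Controller hands out over DHCP, so we do not do that.
$vnetId = $vnet.Id
foreach ($vm in Get-AzureRmVM -ResourceGroupName $resourceGroup) {
    # Does any NIC on this VM sit on a subnet of the network we just changed?
    $onThisVnet = $false
    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        $nicName = ($nicRef.Id -split '/')[-1]            # assumes NIC is in the same resource group
        $nic = Get-AzureRmNetworkInterface -ResourceGroupName $resourceGroup -Name $nicName
        foreach ($ipcfg in $nic.IpConfigurations) {
            if ($ipcfg.Subnet.Id -like "$vnetId/subnets/*") { $onThisVnet = $true }
        }
    }
    if (-not $onThisVnet) { continue }

    "Restarting $($vm.Name) so it picks up the new DNS servers"
    Stop-AzureRmVM  -ResourceGroupName $resourceGroup -Name $vm.Name -Force | Out-Null
    Start-AzureRmVM -ResourceGroupName $resourceGroup -Name $vm.Name | Out-Null
}
```

After the VMs come back, confirm from inside a guest (for example with ipconfig /all) that the DHCP-assigned DNS servers match the list above.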

Error “Operation could not be completed within the specified time” when running the New-StorageContainer cmdlet
This is a known issue that should be fixed in a future release. Workaround:

Stop the WAC (WacServer.exe) process inside the ACS VM using Task Manager. Service Fabric should automatically restart it.


Azure Stack Troubleshooting – Tools available

Now, let’s review some of the tools available to help you troubleshoot Azure Stack TP1:

Tool: ARM Template Checker for Microsoft Azure Stack

Let’s imagine this situation: you have a JSON template that you’ve been using to deploy resources in your Azure subscription (for example, a virtual network, VMs and NSGs). When you deploy the template in your Azure subscription it works like a charm, but it fails to deploy on your Azure Stack subscription.

For scenarios like this, you can use the ARM template checker tool. As the name implies, it checks your template and indicates whether it detects incompatibilities that would prevent a successful deployment on Azure Stack. For example, your template might reference an Azure region (such as West Europe) that does not exist on Azure Stack (the only region on Azure Stack TP1 is local). Also, your template might reference resource providers or APIs that are available in Azure but not yet available in Azure Stack.

ARM-Deployment-Troubleshooter

Think about this scenario: you take one of the templates from the Azure Stack Quick Start GitHub repository (or any template you may have written), deploy it to a resource group in your Azure Stack subscription, and for some reason the deployment fails, and maybe you get just a generic error in the Azure Stack portal or in PowerShell. It’s difficult to know where the deployment failed, isn’t it? (And this is even more complex when you have nested templates, such as SharePoint.)

This script can help you troubleshoot ARM deployments on Azure Stack TP1. You pass the resource group as a parameter to the script; it then queries ARM for all the information and logs from the deployments in that resource group and saves them in a single log file, so you have all the logs and deployment details in one place. Among the details collected from the deployments in the resource group, the script gets you:

  • The template used during the deployment
  • The deployment parameters
  • Details of the deployment operations
    • Here you can see which specific action failed (if any)
  • Resources in the resource group
  • Details about the virtual machines:
    • VM status
    • VM Agent Status
    • Installed VM extensions on the VM
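As an added example (not the ARM-Deployment-Troubleshooter script itself), here is how the same evidence can be collected for one resource group with the AzureRM cmdlets: template, parameters, per-resource deployment operations, the resource list, and VM/agent/extension status, written to a single log file. It assumes Add-AzureRmAccount has already been run against the Azure Stack TP1 ARM endpoint; the resource group name and output path are placeholders.

```powershell
# Added example, not the tool described in the post. Usage: .\Get-DeploymentReport.ps1 -ResourceGroupName <rg>
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [string] $OutputPath = ".\$ResourceGroupName-deployments.log"
)

function Write-Section($title) { "`n===== $title =====" }

$report = @()
$outDir = Split-Path -Path $OutputPath -Parent
if ([string]::IsNullOrEmpty($outDir)) { $outDir = '.' }

# Every deployment that targeted the resource group, newest first
$deployments = Get-AzureRmResourceGroupDeployment -ResourceGroupName $ResourceGroupName |
    Sort-Object Timestamp -Descending

foreach ($d in $deployments) {
    $report += Write-Section "Deployment $($d.DeploymentName) [$($d.ProvisioningState)] $($d.Timestamp)"

    # 1. The template that was deployed, saved as JSON next to the log
    $saved = Save-AzureRmResourceGroupDeploymentTemplate -ResourceGroupName $ResourceGroupName `
        -DeploymentName $d.DeploymentName -Path (Join-Path $outDir "$($d.DeploymentName).template.json") -Force
    $report += "Template saved to: $($saved.Path)"

    # 2. The parameters; secureString values (passwords, keys) are never written to the log
    $report += "Parameters:"
    if ($d.Parameters) {
        foreach ($p in $d.Parameters.GetEnumerator()) {
            $value = if ($p.Value.Type -eq 'SecureString') { '<redacted>' } else { $p.Value.Value }
            $report += "  $($p.Key) = $value"
        }
    }

    # 3. Per-resource operations: this is where the failing step shows up
    $report += "Operations:"
    Get-AzureRmResourceGroupDeploymentOperation -ResourceGroupName $ResourceGroupName -DeploymentName $d.DeploymentName |
        ForEach-Object {
            $op   = $_.Properties
            $line = "  $($op.TargetResource.ResourceType)/$($op.TargetResource.ResourceName): $($op.ProvisioningState)"
            if ($op.ProvisioningState -eq 'Failed') {
                $line += "`n    $($op.StatusMessage | ConvertTo-Json -Compress -Depth 10)"
            }
            $report += $line
        }
}

# 4. Everything currently in the resource group
$report += Write-Section "Resources"
Get-AzureRmResource -ResourceGroupName $ResourceGroupName |
    ForEach-Object { $report += "  $($_.ResourceType) $($_.Name)" }

# 5. VM health: power state, guest agent and extension status (an extension failure such
#    as the Custom Script Extension 404 discussed in the post would surface here)
$report += Write-Section "Virtual machines"
foreach ($vm in Get-AzureRmVM -ResourceGroupName $ResourceGroupName) {
    $view = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Status
    $report += "  $($vm.Name): $(($view.Statuses | ForEach-Object DisplayStatus) -join ', ')"
    $report += "    VM agent: $(($view.VMAgent.Statuses | ForEach-Object DisplayStatus) -join ', ')"
    foreach ($ext in $view.Extensions) {
        $report += "    Extension $($ext.Name) [$($ext.Type)]: $(($ext.Statuses | ForEach-Object DisplayStatus) -join ', ')"
        foreach ($s in ($ext.Statuses | Where-Object Level -eq 'Error')) { $report += "      $($s.Message)" }
    }
}

$report | Out-File -FilePath $OutputPath -Encoding UTF8
Write-Host "Deployment details written to $OutputPath"
```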

For example, one of my colleagues was troubleshooting a complex deployment, and using this script, he got the logs and noticed the following error on the Custom Script VM Extension:

{
    "name": "PowerShellExec",
    "type": "Microsoft.Compute.CustomScriptExtension",
    "typeHandlerVersion": "1.7.0.0",
    "substatuses": null,
    "statuses": [
        {
            "code": "ProvisioningState/failed/3",
            "level": "Error",
            "displayStatus": "Provisioning failed",
            "message": "Failed to download all specified files. Exiting. Error Message: The remote server returned an error: (404) Not Found.",
            "time": "0001-01-02T00:00:00Z"
        }
    ]
}

As you can see in the snippet above, the Custom Script Extension is in a failed state, and the error message clearly indicates that it couldn’t download the required files, as it received a 404 (Not Found) error code. In this particular case, the environment required a proxy to connect to the internet, and additional configuration was required to allow this particular VM to reach the internet and download the required files.

Deployment Checker for Azure Stack Technical Preview 1

Let’s imagine this scenario: you are eager to test Azure Stack TP1 and you got one server for installing and testing it, but after reading the online documentation for hardware requirements, you’re still not sure if your server meets the requirements to deploy Azure Stack TP1, and you’d like to know if it would be possible to run Azure Stack on your hardware before you download the Azure Stack TP1 installation files.

This script will help you check whether your hardware meets the requirements/prerequisites for deploying Azure Stack TP1. It runs through the same prerequisite checks as the Azure Stack TP1 installer and tells you beforehand whether your server meets them.


Azure Stack Troubleshooting – Additional resources

Now, let’s review additional documents / links available for Azure Stack troubleshooting:

  • Official article from the Azure Stack team with detailed troubleshooting guidance. Expect this list to grow over time!

  • Also an official article from the Azure Stack team, which is frequently updated (last update was a couple of weeks ago!) with common asks and topics being answered directly by the Azure Stack team.

  • Collection of known issues and workarounds provided and maintained in the Azure Stack Forum.

  • MSDN forum dedicated to Azure Stack. A great place to learn from others, and also the right place to post your questions when you face problems with your Azure Stack environment.

  • Entry in the Azure Stack forum with a comprehensive list of logs for different Azure Stack components, as well as instructions on how to gather logs manually and automatically.

  • Channel 9 channel dedicated for Azure Stack resources (deployment, best practices, and more).


Conclusion

The resources provided on this blog should help you to troubleshoot the most common and known issues with Azure Stack TP1, specifically for IaaS (the focus of this series).

Also, with this blog post we conclude this series, whose original goal was to map the IaaS concepts that WAP administrators are familiar with to the new Azure Stack TP1. We covered the topic from a wide variety of angles, to help you understand how cloud services are delivered on Azure Stack, and how the consistency with Azure via Azure Resource Manager is a key differentiator in bringing the power of Azure to your datacenter.

Thanks and until next time!

Victor, Tiander and Bruno

Microsoft Security Bulletin Summary for August 2016


Just a quick note to let you know that the Microsoft Security Bulletin Summary for August 2016 has been released. These security updates provide additional protections against malicious attackers. As a best practice, Microsoft encourages all customers to apply these security updates as soon as they are released. More information about this month’s security updates and advisories can be found in the Security TechNet Library.

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

MSRT August 2016 release adds Neobar detection


As part of our ongoing effort to provide better malware protection, the August 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for BrowserModifier:Win32/Neobar, an unwanted software family, and Win32/Rovnix, a trojan malware family.

This blog discusses BrowserModifier:Win32/Neobar; its inclusion in MSRT complements our unwanted software family detections in Windows Defender, along with the other protection features in our Windows 10 protection stack.

BrowserModifier:Win32/Neobar has been classified as unwanted software because it violates the following Objective Criteria:

  • Lack of choice: the threat bypasses user consent options from the browser or operating system.
  • Lack of control: the threat could prevent or limit the user from viewing or modifying browser features or settings.

Distribution

We have seen BrowserModifier:Win32/Neobar being distributed by various software bundlers that we detect as SoftwareBundler:Win32/InstallMonster, SoftwareBundler:Win32/ICLoader, and SoftwareBundler:Win32/Dlboost.

We have seen this threat use different application names:

  • advPlugin
  • Best YouTube Downloader
  • Best Youtube Saver
  • BonusBerry
  • Currency Converter
  • Goodshop app
  • I Like It Extension
  • Media Saver
  • OdPodarki
  • Torrent Search
  • Video Saver
  • Video Saver 2
  • VK Downloader
  • VK OK AdBlock
  • VPN TOOLBAR
  • WebBars
  • Youtube AdBlock

 

The following heatmap shows the geographical spread of Neobar-infected machines:

Figure 1: Geographic distribution of BrowserModifier:Win32/Neobar infection from March to August 2016.

Installation

When BrowserModifier:Win32/Neobar is installed on your PC, it could change your default search provider. It also adds a toolbar to your browser, schedules tasks to run itself automatically, and adds an uninstallation option.

We have seen this threat add a toolbar to the following browsers:

  • Internet Explorer
  • Google Chrome
  • Mozilla Firefox

Symptoms

Adds a toolbar to browser

This threat adds a toolbar to the user’s browser and automatically enables it, preventing the browser from displaying the consent dialog that would let the user choose whether to enable it.

Figure 2: Manage Add-on page shows the toolbar that BrowserModifier:Win32/Neobar added in Internet Explorer.

Figure 3: Extensions page shows what BrowserModifier:Win32/Neobar added in Chrome.

Figure 4: Extensions page shows what BrowserModifier:Win32/Neobar added in Firefox.

Changes to default search provider

We have seen this threat change the user’s default search provider.

Figure 5: A sample setting change in Chrome.

After this threat has set the default search provider, it restricts the user from changing it.

Figure 6: A Neobar-infected machine prompts users with a message indicating that they cannot change the search provider setting that the threat configured as default.

Adds scheduled tasks

This threat adds scheduled tasks to automatically execute itself, and to check and download updates.

Figure 7: Sample scheduler entry in a Neobar-infected machine.

Adds an uninstallation option

This threat adds an uninstallation option in the Programs and Features section.

Figure 8: Users can use the uninstallation option to remove this software from the system.

Prevention

To prevent this threat from disrupting your computing experience:

  • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
  • Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
  • Avoid browsing web sites that are known for hosting malware (such as illegal music, movies and TV, and software download sites).

Detection

James Patrick Dee

MMPC

#AzureAD Conditional Access Policies for iOS, Android and Windows are in Preview!


Howdy folks,

Today, I am super excited to announce the Preview of device-based policies for Azure AD Conditional Access!

These policies help you stay in control of your organization’s data by restricting access to enterprise-managed devices. Policies can be applied on a per-application basis to require that devices be managed by your company and be correctly configured. The new capability supports iOS, Android, Windows 10 Anniversary Update, Windows 7 and Windows 8.1.

This release, in conjunction with the per-app MFA and location-based rules, offers organizations a robust and flexible set of tools for protecting resources, taking into account both the user and their device when an application is accessed.

And one more cool thing! It works with EVERY application that authenticates using Azure AD. That means Office 365, Azure and Microsoft CRM as well as all the apps in our app gallery, including thousands of apps like ServiceNow, Salesforce.com & Concur, plus on-premises applications published through the Azure AD Application Proxy.

Please note: Conditional Access is a feature of Azure AD Premium.

Getting Started

Setting these policies is easy. On the Azure Management Portal, select the application you want to protect. Under the ‘configure’ tab you will find the control to enable device-based access rules.


When you enable these rules, you can select which users or groups the policy applies to, which devices are covered and which type of client applications are covered (browser and native apps or native apps only).


After creating and saving the policy, all access attempts to an Azure AD protected resource from a device that doesn’t meet the policy will be denied.

To learn about each of the controls available we have prepared a guide where you can find the details on each of the conditions, here.

Supported devices and applications

You may have a variety of devices in your organization. For devices to be able to participate in device-based conditional access, devices must be registered with Azure AD.

  1. Windows domain joined devices (in on-premises Active Directory) can be easily registered with Azure AD in an automatic manner. This includes both Windows 10 and down-level Windows devices.
  2. iOS and Android devices are registered with Azure AD when they get enrolled into Microsoft Intune, our MDM service.
  3. Windows 10 Azure AD joined devices are registered upon join to Azure AD.
  4. Windows 10 personal devices (BYOD) are registered when the work account is added to Windows.

You can see in detail how to setup automatic registration of domain joined devices in Azure AD here, and how to setup Azure AD for device compliance here.

Conditional access works for browser apps, rich client apps, phone apps and even on-premises apps being accessed using our Azure AD Application Proxy!

Teams across Microsoft have worked together to enable these policies across all the apps and services listed here. Most notably, per-app access can be set on the following services:

  • Microsoft Office 365 Exchange Online
  • Microsoft Office 365 SharePoint Online
  • Dynamics CRM
  • Microsoft Office 365 Yammer
  • All of the 2,600+ SaaS applications from the Azure AD application gallery
  • On-premises apps registered with Azure AD Application Proxy
  • LOB apps registered with Azure AD

Try it out

We’re excited to be making this preview available. Please give it a spin and let us know what you think. You can learn more about conditional access capabilities here.

This is a set of capabilities that I know a LOT of you have been asking for. I hope you’ll find it useful.

And as always, we would love to receive any feedback or suggestions you have.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

What’s new in failover clustering: #08 Cloud Witness


This post was authored by Amitabh Tamhane, Program Manager, Windows Server

Introduction

The primary goal of failover clustering in Windows Server is to provide a reliable infrastructure that makes workloads highly available. Configuring quorum correctly is an important step in ensuring high availability of the cluster itself, which in turn helps keep the applications hosted on it highly available. With features like Dynamic Quorum, Dynamic Witness, and Node Vote Tiebreaker, the cluster automatically handles quorum vote calculations to provide the most optimal quorum configuration. When a cluster quorum witness is specified, it gives the cluster an additional quorum vote to toggle as needed, providing the highest availability.

The recommendation is to simply always configure quorum witness – which effectively lets the cluster determine when to use the quorum witness vote as needed. This greatly simplifies the cluster quorum configuration. The question is: What type of quorum witness should be configured?

Cloud Witness is a new type of failover cluster quorum witness being introduced in Windows Server 2016. Cloud Witness leverages Microsoft Azure’s Blob Storage to read/write a blob file, which is then used as an arbitration point in case of split-brain resolution.

Benefits of using Cloud Witness

There are significant benefits from this approach:

  • Leverages Microsoft Azure
    • No need for a third separate datacenter when stretching a cluster across datacenters
  • Uses standard publicly-available Microsoft Azure Blob Storage
    • No extra overhead of maintaining VMs hosted in the public cloud
  • Same Microsoft Azure Storage Account can be used for multiple clusters
    • Single blob file per cluster with cluster unique id as blob file name
  • Very low ongoing cost to the Storage Account
    • Very small data written per blob file
    • Blob file updated only once when cluster nodes’ state changes
  • Built-in Cloud Witness resource type
    • No extra download/installation steps necessary

Single witness type for most scenarios

If you have a failover cluster deployment, where all nodes can reach the internet (by extension Microsoft Azure), it is recommended to configure Cloud Witness as your quorum witness resource. Here are some sample scenarios where the Cloud Witness functionality can be utilized:

  • Disaster recovery stretched multi-site clusters
  • Failover clusters without shared storage (SQL Always On, Exchange DAGs, etc.)
  • Failover clusters running inside Guest OS hosted in Microsoft Azure or Amazon Web Services IaaS VMs (or any other public cloud)
  • Failover clusters running inside Guest OS hosted on Enterprise, Hoster, Azure Stack Private Cloud VMs (or any other private clouds)
  • Storage clusters with or without shared storage (Storage Spaces Direct clusters, Scale-out File Server clusters, etc.)
  • Small branch-office clusters (even 2-node clusters)

Easy to deploy

Our goal when making this feature available was to ensure that it would be a no-brainer to anyone familiar with failover clustering in Windows Server to start using the Cloud Witness option. With that in mind, we made an easy way to deploy Cloud Witness using Failover Cluster Manager GUI or cluster PowerShell:

PowerShell syntax

Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey>

Microsoft Azure Storage Account considerations

There are a few things you’ll need to consider when using the Cloud Witness option:

  • The failover cluster does not store the Azure Storage Access Key; instead it generates a Shared Access Security (SAS) token from the Access Key you provide and stores that token securely.
  • The generated SAS token remains valid as long as the Access Key it was derived from remains valid. When rotating the Primary Access Key, it is therefore important to first update the Cloud Witness (on all clusters that use that Storage Account) with the Secondary Access Key before regenerating the Primary Access Key.
  • Cloud Witness uses the HTTPS REST interface of the Microsoft Azure Storage Account service, which requires the HTTPS port to be open on all cluster nodes.
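The key-rotation order and the HTTPS prerequisite above, carried through in PowerShell as an added example (not code from the original post): every node is first checked for port 443 reachability to the blob endpoint, every cluster that uses the account is re-pointed at the secondary key, and only then is the primary key regenerated. Storage account, resource group and cluster names are placeholders, and it assumes AzureRM.Storage returns the keys as a list with KeyName/Value properties.

```powershell
# Added example, not from the original post. Placeholders in angle brackets.
$resourceGroup  = '<StorageResourceGroup>'
$storageAccount = '<StorageAccountName>'
$clusters       = @('<Cluster1>', '<Cluster2>')   # every cluster whose witness uses this account

# 1. Prerequisite: each node of each cluster must reach the blob endpoint over HTTPS (443)
$endpoint = "$storageAccount.blob.core.windows.net"
foreach ($cluster in $clusters) {
    $nodes   = (Get-ClusterNode -Cluster $cluster).Name
    $blocked = Invoke-Command -ComputerName $nodes -ArgumentList $endpoint -ScriptBlock {
        param($ep)
        if (-not (Test-NetConnection -ComputerName $ep -Port 443 -InformationLevel Quiet)) { $env:COMPUTERNAME }
    }
    if ($blocked) { throw "Port 443 to $endpoint is blocked from: $($blocked -join ', ')" }
}

# 2. Re-point every cluster's witness at the secondary key FIRST.
#    The cluster keeps only a SAS token derived from this key, never the key itself.
$keys      = Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount
$secondary = ($keys | Where-Object KeyName -eq 'key2').Value
foreach ($cluster in $clusters) {
    Set-ClusterQuorum -Cluster $cluster -CloudWitness -AccountName $storageAccount -AccessKey $secondary | Out-Null
}

# 3. Only now is it safe to regenerate the primary key: no witness SAS token depends on it any more.
New-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount -KeyName key1 | Out-Null

# 4. Confirm each cluster still has an online Cloud Witness resource
foreach ($cluster in $clusters) {
    $witness = (Get-ClusterQuorum -Cluster $cluster).QuorumResource
    "$cluster witness: $($witness.Name) is $($witness.State)"
}
```

Run the same sequence again, swapping key1 and key2, when the secondary key is due for rotation.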

To try this new feature in Windows Server 2016, download the Technical Preview.

Check out the series:


Linux Integration Services download Version 4.1.2


We are pleased to announce the availability of Linux Integration Services (LIS) 4.1.2. This point release of the LIS download expands supported releases to Red Hat Enterprise Linux, CentOS, and Oracle Linux with Red Hat Compatible Kernel 6.8. This release also includes upstream bug fixes and performance improvements not included in previous LIS downloads.

See the separate PDF file “Linux Integration Services v4-1c.pdf” for more information.

The LIS download is an optional way to get Linux Integration Services updates for certain versions of Linux. To determine if you want to download LIS refer to the blog post “Which Linux Integration Services should I use in my Linux VMs?”

Download Location

The Linux Integration Services download is available either as a disk image (ISO) or as a gzipped tar file. The disk image can be attached to a virtual machine, or the tar file can be uploaded and expanded to install these kernel modules. Refer to the instruction PDF available separately from the download, named “Linux Integration Services v4-1c.pdf”.

https://www.microsoft.com/en-us/download/details.aspx?id=51612

Linux Integration Services documentation

See also the TechNet article “Linux and FreeBSD Virtual Machines on Hyper-V” for a comparison of LIS features and best practices for use here: https://technet.microsoft.com/en-us/library/dn531030.aspx

Source Code
Linux Integration Services code is open source released under the GNU Public License version 2 (GPLv2) and is freely available at the LIS GitHub project here: https://github.com/LIS and in the upstream Linux kernel: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/

DSC Resource Kit August Release


The DSC Resource Kit has been released!

This release includes 14 updated DSC resource modules and 10 new DSC resources. Since the last release on June 29, there have been 126 merged pull requests and 41 closed issues.

The modules updated in this release are:

  • SharePointDsc
  • xActiveDirectory
  • xComputerManagement
  • xDhcpServer
  • xDscDiagnostics
  • xExchange
  • xFailOverCluster
  • xHyper-V
  • xNetworking
  • xPSDesiredStateConfiguration
  • xSqlPs
  • xSqlServer
  • xWebAdministration
  • WebAdministrationDsc

For a detailed list of the resource modules and fixes in this release, see the Included in this Release section below.

This release includes our second high quality resource module, WebAdministrationDsc. This is a partial, high quality version of xWebAdministration. It currently includes three high quality resources: IISLogging, SSLSettings, and Website.

We strongly encourage you to update to the newest version of all modules using the PowerShell Gallery, and don’t forget to give us your feedback in the comments below, on GitHub, or on Twitter (@PowerShell_Team)!

As with past Resource Kits, a resource with the ‘x’ prefix in its name is still experimental – this means that the resource is provided AS IS and is not supported through any Microsoft support program or service. If you find a problem with a resource, file an issue against the resource module that contains that resource on GitHub to request a fix (see the How to Find DSC Resource Modules on GitHub section below).

Our last community call for the DSC Resource Kit was last week on August 3. Thank you to everyone who joined the call! If you missed it, a recording, an IM transcript, and summarizing notes are available. Join us next time to ask questions and give feedback about your experience with the DSC Resource Kit. Keep an eye on the community agenda for the next call date.

Included in this Release

You can see a detailed summary of all changes included in this release in the table below. For past release notes, go to the README.md or Changelog.md file on the GitHub repository page for a specific module (see the How to Find DSC Resource Modules on GitHub section below for details on finding the GitHub page for a specific module).

Module Name / Version / Release Notes

SharePointDsc 1.2.0.0
  • Fixed bugs in SPWebAppPolicy and SPServiceAppSecurity that prevented the get methods from returning AD group names presented as claims tokens
  • Minor tweaks to the PowerShell module manifest
  • Modified all resources to ensure $null values are on the left of comparison operations
  • Added RunOnlyWhenWriteable property to SPUserProfileSyncService resource
  • Added better logging to all test method output to make it clear what property is causing a test to fail
  • Added support for NetBIOS domain name resolution to SPUserProfileServiceApp
  • Removed chocolatey from the AppVeyor build process in favour of the PowerShell Gallery build of Pester
  • Fixed a bug in SPContentDatabase that caused it to not function correctly
  • Fixed the use of plural nouns in cmdlet names within the module
  • Removed dependency on Win32_Product from SPInstall
  • Added SPTrustedIdentityTokenIssuer, SPRemoteFarmTrust and SPSearchResultSource resources
  • Added HostHeader parameter in examples for Web Application, so subsequent web applications won't error out
  • Prevented SPCreateFarm and SPJoinFarm from executing set methods where the local server is already a member of a farm

xActiveDirectory 2.13.0.0
  • Converted AppVeyor.yml to pull Pester from PSGallery instead of Chocolatey
  • xADUser: Adds “PasswordAuthentication” option when testing user passwords to support NTLM authentication with Active Directory Certificate Services deployments
  • xADUser: Adds descriptions to user properties within the schema file
  • xADGroup: Fixes bug when updating groups when alternate Credentials are specified

xComputerManagement 1.8.0.0
  • Converted AppVeyor.yml to pull Pester from PSGallery instead of Chocolatey
  • Changed AppVeyor.yml to use default image
  • xScheduledTask: Fixed bug with different OS versions returning repeat interval differently

xDhcpServer 1.5.0.0
  • Converted AppVeyor.yml to pull Pester from PSGallery instead of Chocolatey
  • Bug fix: xDhcpServerOption\Get-TargetResource was not returning the Router property

xDscDiagnostics 2.4.0.0
  • Added collection of OData logs to New-xDscDiagnosticsZip
  • Converted appveyor.yml to install Pester from PSGallery instead of from Chocolatey

xExchange 1.9.0.0
  • Converted appveyor.yml to install Pester from PSGallery instead of from Chocolatey
  • Added xExchMailboxTransportService resource
  • xExchMailboxServer: Added WacDiscoveryEndpoint parameter

xFailOverCluster 1.5.0.0
  • Added xClusterQuorum resource with options NodeMajority, NodeAndDiskMajority, NodeAndFileShareMajority, DiskOnly
    • Currently does not implement cloud witness for Windows 2016
  • Added xClusterDisk resource

xHyper-V 3.5.0.0
  • Converted appveyor.yml to install Pester from PSGallery instead of from Chocolatey
  • MSFT_xVMHyperV: Fixed bug in Test-TargetResource throwing when a Vhd's ParentPath property was null

xNetworking 2.11.0.0
  • Added the following resources:
    • MSFT_xDnsClientGlobalSetting resource to configure the DNS Suffix Search List and Devolution
  • Converted AppVeyor.yml to pull Pester from PSGallery instead of Chocolatey
  • Changed AppVeyor.yml to use default image
  • Fixed xNetBios unit tests to work on default appveyor image
  • Fixed bug in xRoute when removing an existing route
  • Updated xRoute integration tests to use v1.1.0 test header
  • Extended xRoute integration tests to perform both add and remove route tests

xPSDesiredStateConfiguration 3.13.0.0
  • Converted appveyor.yml to install Pester from PSGallery instead of from Chocolatey
  • Updated appveyor.yml to use the default image
  • Merged xPackage with in-box Package resource and added tests
  • xPackage: Re-implemented parameters for installation check from registry key value
  • xGroup:
    • Fixed Verbose output in Get-MembersAsPrincipals function
    • Fixed bug when credential parameter passed does not contain local or domain context
    • Fixed logic bug in MembersToInclude and MembersToExclude
    • Fixed bug when trying to include the built-in Administrator in Members
    • Fixed bug where Test-TargetResource would check for members when none specified
    • Fixed bug in Test-TargetResourceOnFullSKU function when group being set to a single member
    • Fixed bug in Set-TargetResourceOnFullSKU function when group being set to a single member
    • Fixed bugs in Assert-GroupNameValid to throw correct exception
  • xService:
    • Updated xService resource to allow empty string for Description parameter
  • Merged xProcess with in-box Process resource and added tests

xSqlPs 1.4.0.0
  • Converted appveyor.yml to install Pester from PSGallery instead of from Chocolatey
  • Fixed bugs in xSqlAlias that prevented the successful creation of the aliases and caused errors

xSQLServer 1.8.0.0
  • Converted appveyor.yml to install Pester from PSGallery instead of from Chocolatey
  • Added support for SQL Server 2016
  • xSQLAOGroupEnsure:
    • Fixed spelling mistake in AutoBackupPreference property
    • Added BackupPriority property
  • Added resources:
    • xSQLServerPermission
    • xSQLServerEndpointState
    • xSQLServerEndpointPermission
    • xSQLServerAvailabilityGroupListener
  • xSQLServerHelper:
    • Added functions:
      • Import-SQLPSModule
      • Get-SQLPSInstanceName
      • Get-SQLPSInstance
      • Get-SQLAlwaysOnEndpoint
    • Modified functions:
      • Added optional parameter “InnerException” to be able to give the user more information in the returned message

xWebAdministration 1.13.0.0
  • Added unit tests for xWebConfigKeyValue and cleaned up style formatting
  • Added a stubs file for the WebAdministration functions so that the unit tests do not require a server to run
  • Converted appveyor.yml to install Pester from PSGallery instead of from Chocolatey
  • Updated appveyor.yml to use the default image

WebAdministrationDsc 0.1.0.0
  • Initial release with the following resources:
    • IisLogging
    • Website
    • SslSettings

How to Find Released DSC Resource Modules

To see a list of all released DSC Resource Kit modules, go to the PowerShell Gallery and display all modules tagged as DSCResourceKit. You can also enter a module’s name in the search box in the upper right corner of the PowerShell Gallery to find a specific module.

Of course, you can also always use PowerShellGet (available in WMF 5.0) to find modules with DSC Resources:

# To list all modules that are part of the DSC Resource Kit
Find-Module -Tag DSCResourceKit

# To list all DSC resources from all sources
Find-DscResource

To find a specific module, go directly to its URL on the PowerShell Gallery:

http://www.powershellgallery.com/packages/< Module_Name >

For example:

http://www.powershellgallery.com/packages/xWebAdministration

How to Install DSC Resource Modules From the PowerShell Gallery

We recommend that you use PowerShellGet to install DSC resource modules:

Install-Module -Name <Module_Name>

For example:

Install-Module -Name xWebAdministration

To update all previously installed modules at once, open an elevated PowerShell prompt and use this command:

Update-Module

After installing modules, you can discover all DSC resources available to your local system with this command:

Get-DscResource

How to Find DSC Resource Modules on GitHub

All resource modules in the DSC Resource Kit are available open-source on GitHub.
You can see the most recent state of a resource module by visiting its GitHub page at:

https://github.com/PowerShell/< Module_Name >

For example, for the xCertificate module, go to:

https://github.com/PowerShell/xCertificate.

All DSC modules are also listed as submodules of the DscResources repository in the xDscResources folder.

How to Contribute

You are more than welcome to contribute to the development of the DSC Resource Kit! There are several different ways you can help. You can create new DSC resources or modules, add test automation, improve documentation, fix existing issues, or open new ones. See our contributing guide for more info on becoming a DSC Resource Kit contributor.

If you would like to help, please take a look at the list of open issues for the DscResources repository.
You can also check issues for specific resource modules by going to:

https://github.com/PowerShell/< Module_Name >/issues

For example:

https://github.com/PowerShell/xPSDesiredStateConfiguration/issues

Your help in developing the DSC Resource Kit is much appreciated!

Questions, comments?

If you’re looking into using PowerShell DSC, have questions or issues with a current resource, or would like a new resource, let us know in the comments below, on Twitter (@PowerShell_Team), or by creating an issue on GitHub.

Katie Keim
Software Engineer
PowerShell Team
@katiedsc (Twitter)
@kwirkykat (GitHub)

How to prevent accidental DNS Zone deletions in Windows Server


My name is Ajay Sarkaria and I am a Supportability Program Manager at Microsoft. We have been seeing support cases where administrators, while performing daily tasks, accidentally delete a DNS zone that is in use in production.

This post comes with inputs from our friends in Microsoft PFE team Brent Whitlow; Bryan Zink; Michael Hildebrand & Eric Jansen

Note: After you follow the steps below, you will not be able to delete the DNS zone or change its replication scope unless you first remove the accidental-deletion protection from the zone.

Example screenshot if trying to delete from Active Directory Users and Computers:

DNS_Zone_Deletion1

“You do not have sufficient permissions to delete DNZ_Zone_Name, or this object is protected from accidental deletion”

OR

Example screenshot if trying to delete from the DNS Manager:

DNS_Zone_Deletion2

The zone cannot be deleted.
Access was denied

If you try to change the scope of replication with the protection enabled, you will see a message similar to the below:

DNS_Zone_Deletion3

The replication scope could not be set. For more information, see “DNS zone replication in Active Directory” in Help and Support. The error was:

Access was denied.


Now I am going to highlight the steps an administrator can perform to prevent such accidental deletions in the first place. If you remember, Active Directory has a great feature that prevents accidental deletion of Organizational Units by checking a flag. We are going to discuss something similar to prevent accidental DNS zone deletions.

Important: As with any changes, you should always exercise caution and test things out in a lab BEFORE implementing any changes to your production environment.

Once you have a lab set up to test the changes first, let's protect the DNS zones from accidental deletion. There are a couple of ways to do this:

DNS Zones stored in the Domain Partition:

Doing it from the Active Directory Users & Computers MMC:

  1. In Active Directory Users and Computers, browse to Domain Name \ System \ Microsoft DNS \ DNS Zone name (the System container is only shown when View > Advanced Features is enabled)
  2. Right click the zone and select Properties
  3. Select the Object tab and check the flag “Protect object from accidental deletion”

    DNS_Zone_Deletion4

Note: The above flag will only be visible in Active Directory Users and Computers if you have stored the DNS zone in the Domain partition. You can check where your DNS zone is stored in the DNS Manager UI. As an example, the screenshot below shows the replication scope set as “All domain controllers in this domain (for Windows 2000 compatibility)”

    DNS_Zone_Deletion5

PowerShell:

The commands below use the Active Directory module. Replace DC=domain,DC=lab with the distinguished name of your own domain.

  • DNS Zones stored in the Domain partition:
    • Enumerate all DNS zones not protected from deletion in the Domain partition:

      Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView

    • Set the protect from accidental deletion flag:

      Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true

  • DNS Zones stored in the domain-wide application partition:
    • Enumerate all DNS zones not protected from deletion in the domain application partition:

      Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView

    • Set the protect from accidental deletion flag:

      Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true

  • DNS Zones stored in the forest-wide application partition:
    • Enumerate all DNS zones not protected from deletion in the forest-wide application partition:

      Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView

    • Set the protect from accidental deletion flag:

      Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true

  • Check the protect from accidental deletion flag (lists the zones that are now protected):
    • Forest-wide application partition:

      Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $True} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView

    • Domain-wide application partition:

      Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $True} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView

    • Domain partition:

      Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $True} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView
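The three partition-specific command pairs above can be folded into one function that derives the search bases from the current domain and forest, reports every AD-integrated zone with its protection state, and optionally sets the flag with -WhatIf support. This is an added example, not code from the original post; the function name Get-DnsZoneDeletionProtection is hypothetical, and it assumes the ActiveDirectory RSAT module in an elevated, domain-joined session.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Enumerates dnsZone objects in the
# domain partition, DomainDnsZones and ForestDnsZones, reports whether each is
# protected from accidental deletion, and protects the unprotected ones on request.
function Get-DnsZoneDeletionProtection {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Set ProtectedFromAccidentalDeletion on every unprotected zone instead of only reporting.
        [switch]$Protect
    )

    # Search bases are derived from AD rather than hard-coded, so the same script works in any domain.
    $domainDN     = (Get-ADDomain).DistinguishedName
    $forestRootDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

    # The three places an AD-integrated zone can live, labelled by the replication scope DNS Manager shows.
    $searchBases = [ordered]@{
        'Domain partition (Windows 2000 compatible)'       = "CN=MicrosoftDNS,CN=System,$domainDN"
        'DomainDnsZones (all DNS servers in this domain)'  = "DC=DomainDnsZones,$domainDN"
        'ForestDnsZones (all DNS servers in this forest)'  = "DC=ForestDnsZones,$forestRootDN"
    }

    foreach ($scope in $searchBases.Keys) {
        $base = $searchBases[$scope]
        # A partition that was never created (no zones stored there) makes Get-ADObject throw; skip it quietly.
        $zones = Get-ADObject -Filter 'ObjectClass -eq "dnsZone"' -SearchScope Subtree -SearchBase $base `
            -Properties ProtectedFromAccidentalDeletion -ErrorAction SilentlyContinue

        foreach ($zone in $zones) {
            $protected = [bool]$zone.ProtectedFromAccidentalDeletion
            if ($Protect -and -not $protected) {
                # ShouldProcess honours -WhatIf / -Confirm so the change can be previewed first.
                if ($PSCmdlet.ShouldProcess($zone.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
                    Set-ADObject -Identity $zone.DistinguishedName -ProtectedFromAccidentalDeletion $true
                    $protected = $true
                }
            }
            [pscustomobject]@{
                Zone      = $zone.Name
                Scope     = $scope
                Protected = $protected
                DN        = $zone.DistinguishedName
            }
        }
    }
}

# Report unprotected zones only:
Get-DnsZoneDeletionProtection | Where-Object { -not $_.Protected } | Format-Table Zone, Scope -AutoSize

# Preview, then apply, the protection flag:
Get-DnsZoneDeletionProtection -Protect -WhatIf
Get-DnsZoneDeletionProtection -Protect | Format-Table Zone, Scope, Protected -AutoSize
```

Run the report form periodically (for example as a scheduled task writing to a log) so that any zone created later without the flag is noticed before it can be deleted by mistake.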

WPT: Peeking at Logon Delays


Hi everyone, Randolph Reyes (Randy) here with another blog contribution. In this particular engagement, I was doing an Active Directory Offline Security Assessment (awesome delivery), and one employee who knew about the Windows Performance Toolkit stopped me on my way to lunch.

Customer: Can we see how long it takes an employee to type their user name and password?

Randy: Thanks to WPT, the answer is yes.

The customer provided me with the trace from the last known time the user logged on to review…

So let’s get to it.

The Before

Phase           Seconds
PreSMSS           3.973
SMSSInit          7.433
WinlogonInit     45.502
ExplorerInit      0.998
Post Boot        18.800

Boot to Post Boot Activity ended at 72.734 seconds (72 seconds and 734 milliseconds, about 1 minute and 12 seconds)


Now you might be saying to yourself, 1 min and 12 seconds is not too bad. What if I told you it was an SSD (solid state drive)? Would you consider this to be an optimal value? I've discussed optimal times in a previous post, “Becoming an Xperf Xpert Part 7: Slow Profile Load and Our Very First Stack Walk”.

Since I didn't know how much memory, CPU or disk speed this particular host had, I decided to check the specs.

To confirm that we are using an SSD (solid state drive) or similar, plus the other specs that should give a faster boot, we go to the Trace tab, then System, then General.


Next, Storage


After doing some research on the hardware specs, it looks like this machine should be booting faster.

The major delay in the boot trace can be identified in the Winlogon phase. Many operations occur in parallel during WinLogonInit, and on many systems this subphase is CPU bound and has large I/O demands: services like PnP and Power, the network subsystem, Computer and User Group Policy processing, the CAD (CTRL+ALT+DEL) screen and credential entry delays. Good citizenship from the services that start in this phase is critical for optimized boot times.

To start, we expand the System Activity graph group and add the Generic Events graph, using table only.


After arranging the tables and the golden bar, the first issue detected was under the Microsoft-Windows-Winlogon provider. The task name Display Welcome Screen, aka CTRL+ALT+DEL, was available to the user at 8.764 seconds into the trace, but the user entered the key combination at 18.055 seconds into the trace.

Subtracting these times gives 9.295 seconds spent just waiting for the user to press CTRL+ALT+DEL.


The next issue detected in this particular trace is located under the task name Request Credential. It looks like the user entered the user name and password three different times: the first try ran from 18.692 seconds into the trace to 39.59, the second from 40.951 to 48.160, and the third from 48.958 to 51.012.


It looks like either the user name or the password (or both) was typed incorrectly and access was denied.

At this point I explained to the customer that the 9.295 seconds waiting for CTRL+ALT+DEL and the 32.392 seconds of possibly mistyped credentials were probably the reason for the user's long delay.

We requested the user to log in again and the results are in the picture below…

The After

Boot to Post Boot Activity ended at 39 seconds and 373 milliseconds


At the end of this engagement the customer was satisfied, not only because we helped them with security implementations for Active Directory, but also because we answered an important question for them: how to use the Windows Performance Toolkit to detect logon issues caused by the user.

Recommended Articles

Here are some other blogs for related topics by my good friend Yong Rhee and me.

Becoming an Xperf Xpert Part 8: Long Service Load, Never Jump to Conclusions

http://blogs.technet.com/b/askpfeplat/archive/2014/02/24/becoming-an-xperf-xpert-part-8-long-service-load-never-jump-to-conclusions.aspx

WPT: Updated version of “Windows Performance Toolkit” from Windows 10 Technical Preview ADK or SDK

http://blogs.technet.com/b/yongrhee/archive/2015/03/21/wpt-updated-version-of-windows-performance-toolkit-10-technical-preview-from-the-adk.aspx

List of Task Scheduler related hotfixes post SP1 for Windows 7 SP1 and Windows Server 2008 R2 SP1

http://blogs.technet.com/b/yongrhee/archive/2015/01/20/list-of-task-scheduler-related-hotfixes-post-sp1-for-windows-7-sp1-and-windows-server-2008-r2-sp1.aspx

Randy “Why, this keep happening to me” Reyes

Yammer App with Intune MAM – now available!


Yammer takes the work out of team collaboration, allowing for seamless connections between teams and information that results in more efficient conversations that move work forward. With Yammer, you can connect to the right people in your organization, share and search for information across teams, and organize around projects and ideas so you can accomplish more together. With the Yammer apps for iOS and Android, work gets done anywhere. You can contribute and collaborate with your team, even on the go.

Today we're excited to announce an update to the Yammer apps that allows you to protect team conversations and corporate data using Intune MAM controls. This update supports Intune MAM app-level data protection with or without MDM device enrollment. The updated Yammer app will be available in the Google Play and iOS App stores today. For a complete list of supported policies, please review the Manage Yammer with Microsoft Intune support article. To hear directly from the Yammer team, check out their post about this update to their apps.


Here's a great article if you're looking for more details on Intune MAM policies. Visit the What's New in Microsoft Intune page for more on these and other recent developments in Intune.

Additional resources:

Submit feedback and suggestions to the Intune engineering team
Find technical resources for Intune in the TechNet library
Sign up for a free trial of Microsoft Intune
Subscribe to the Intune blog RSS feed

Follow us on Twitter
