Today, we’re announcing beta support for PowerShell in AutoRest, so that you can now generate PowerShell modules from Swagger/OpenAPI JSON documents.

AutoRest is the SDK generation tool that we use in Azure to produce SDKS for 90+ management services across 7+ languages.
Its pluggable architecture allows fine-grained control over the generation process, and allows extensions to be written in any language that can read/write JSON via stdin/stdout (we use the JSON-RPC protocol that Visual Studio Code uses )

Along the way, we had to go back and make some updates to the core of AutoRest (to begin support of OpenAPI 3, and introduce some changes to support generating multiple API versions with Azure Profiles.)

Getting Started

Requirements

Use of the beta version of autorest.powershell requires the following:

• Node.js LTS (10.15.x LTS preferred. Will not function with a Node version less than 10.x. Be wary of 11.x builds as they may introduce instability or breaking changes. )

If you want an easy way to install and update Node, I recommend NVS – Node Version Switcher or NVM – Node Version Manager

• AutoRest v3 beta:
  npm install -g autorest@beta

• PowerShell 6.1 – If you don’t have it installed, you can use the cross-platform npm package
  npm install -g pwsh
• Dotnet SDK 2 or greater – If you don’t have it installed, you can use the cross-platform .NET 2.1 npm package
  npm install -g dotnet-sdk-2.1 

Using AutoRest Powershell

At a bare minimum, you can generate a PowerShell module using a Swagger or OpenAPI file and using --powershell.

The output will be in the ./generated folder by default:

autorest --powershell --input-file:<path-to-swagger-file> [...options]

Be sure to check out these additional samples that use the PowerShell generator.

Features

Modules work on both Windows PowerShell and PowerShell

Due to the use of netstandard2.0 and PowerShellStandard.Library, once compiled, the cmdlets work on both Windows PowerShell 5.1 and PowerShell 6.x. PowerShell 6.x is required during development.

Generates modules from OpenAPI files without any external dependencies

Most language SDKs generated with AutoRest required the use of at least a ‘client runtime’ package, and often pulls in a few other libraries (ie, JSON.NET) that are required to compile the output of the generator.

The new PowerShell generator creates modules that require no dependencies outside of netstandard2.0 and the PowerShellStandard.Library which drastically reduces the chances of having assembly loading conflicts.

Cmdlets have no weird base-classes or force hierarchy

All the generated cmdlets inherit PSCmdlet and are fairly straightforward. For ARM resources, we already support generating -AsJob support for long-running-operations, and this can be expanded in the future to support more patterns.

An incredible number of extensibility points

After generation of a module, the developer may wish to augment the module in many ways (custom work when the module loads, changing the HTTP pipeline, adding additional variants of cmdlets, and more). The generated cmdlets offer number of ways to be customized and enhanced, and we’ll be posting some documentation on how to do that in the near future.

Many variants of cmdlets are created to offer several ParameterSets

Behind-the-scenes, many different flavors of a cmdlet can get created, and these are tied together into a single cmdlet with multiple parameter sets. These can be joined with manually written cmdlets that are written in .ps1scripts or C# classes.

No reflection for serialization

The generated module has custom-created JSON serialization (using an embedded copy of Carbon.JSON) This significantly improves serialization performance.

FAQs

What happened to ‘PSSwagger’?

In order to get to the point where we can generate the Az modules for all the Azure management services, we needed more control in the fine-grained details of the resulting cmdlets. After consulting with the PowerShell team, the decision was made to integrate more closely with the existing mechanism for generating Azure SDKs (AutoRest) and build a full-featured generator extension to create PowerShell cmdlets. All future work to generate cmdlets be done in the AutoRest PowerShell generator, as we’ve discontinued work on PSSwagger.

Source code?

Of course! You probably should get started with the by reading the developer documentation.

Are there any PowerShell specific generation options?

Yes! You can modify the entire output folder layout, and tweak the way it generates cmdlets, including cmdlet names, parameters, etc. (Check out our additional documentation on these options). If you have feedback about these code generation options, feel free to post an issue on the AutoRest GitHub repo.

Known Issues

As with all beta software, there are bound to be a few glitches or things that are not working.

We’ve cataloged some known issues with this first beta we encourage you to read before reporting any issues you experience.

Support

We’re working as fast as we can to finish up the generator, as we have a lot of modules to generate internally.

I should also have deeper design documentation over the next month or two, explaining a bit more of the “why-does-it-work-this-way?” category.

General feedback can be left in the PowerShell Generator thread in the github repo.

If you run into problems, feel free to post an issue on the github repo and tag it with the powershell label, and we’ll try to take a look.

Quick Links

• AutoRest GitHub repository
• Getting Started with the AutoRest PowerShell Generator
• Additional documentation will be added as we get it written.
• Developer documentation for the PowerShell generator.

The post Generating PowerShell Cmdlets from OpenAPI/Swagger with AutoRest appeared first on PowerShell.

Hi there! Stanislav Belov here, and you are reading the next issue of the Infrastructure + Security: Noteworthy News series!  

As a reminder, the Noteworthy News series covers various areas, to include interesting news, announcements, links, tips and tricks from Windows, Azure, and Security worlds on a monthly basis.

With 81 percent of security breaches caused by compromised user credentials, identity security is paramount for all organizations. Enterprise security operations (SecOps) analysts face an increasing volume and velocity of alerts and incidents across an ever-expanding surface area from on-premises to the cloud.

For analysts investigating compromised users, context is key. The ability to understand relationships between events and activities across multiple environments is central.

Microsoft has three identity-centric security products offering detection capabilities across on-premise and in the cloud:

• Azure Advanced Threat Protection (Azure ATP) identifies on-premises attacks
• Azure Active Directory Identity Protection (Azure AD Identity Protection) detects and proactively prevents user and sign-in risks to identities in the cloud
• Microsoft Cloud App Security (MCAS) identifies attacks within a cloud session, covering not only Microsoft products but also third-party applications

We are happy to announce that we have brought these together in a unified SecOps experience, which focuses on identity-based alerts and activities for true hybrid identity threat protection.

Growing Risk of Hybrid Attacks

Because many organizations have hybrid environments, we see attacks that start in the cloud and then pivot to on-premises, meaning SecOps teams need to investigate these attacks from multiple places.

By combining signals from cloud and on-premises sources, Microsoft empowers security analysts by providing unified identity and user information, in a single console, ending the need to toggle between security solutions. This gives your SecOps teams more time and the right information to make better decisions, and actively remediate the real identity threats and risks.

Understanding Top User Threats in Your Organization

In addition to the aggregated security awesomeness, we have simplified and boosted your ability to investigate with the new Investigation Priority Score, which provides you visibility into users that could pose the greatest risk to your organization should they be compromised.

Your SecOps team can immediately understand the real top user threats to your organization by Investigation Priority Score, directly verify their business impact and investigate all related activities – no matter whether they are compromised, exfiltrating data or acting as insider threats.

To calculate the Investigation Priority, we assess the investigation urgency of each specific user, using security alerts, abnormal activities, and potential business and asset impact related to each user.  For every Azure Active Directory user, we then build a dynamic Investigation Priority Score, based on intelligence built from Azure ATP, Microsoft Cloud App Security as well as Azure AD Identity Protection – which is continually updated based on recent behavior and impact.

The Investigation Priority Score helps in identifying top users to investigate and surfacing those users that we recommend for review based on the user analytics engine.

New investigation capabilities

The unified portal also brings significant new investigation capabilities for cloud and on-premises information.

• Enabling security analysts to perform threat hunting with greater context over both cloud and on-premises resources.
• Integrated user pages featuring all the information we know about the user coupled with everything we know about suggested investigation and next steps.
• Full visibility and management of Azure AD user risk levels - incorporating the ability to confirm compromised user status which changes the Azure AD User Risk level to High, based on Azure AD conditional access policies.
• Enhanced automation through Microsoft Flow integration for alerts (cloud and on-prem), as well task automation.

Participate in the evolution of the Unified SecOps Experience

If you’re one of the many enterprise customers already using Azure ATP, MCAS, or Azure AD Identity Protection (or a combination of these) and want to experience this new functionality, join our expanding preview program.

Get Started Today

If you are just starting your journey, begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace:

• Windows Defender ATP trial
• Office 365 E5 trial
• Enterprise Mobility Suite (EMS) E5 trial
• Azure Security Center trial

RSA is the world’s largest cybersecurity conference and a key moment for the industry, which our product team has eagerly been working towards.

Today we are excited to announce more than 15 new product capabilities for Microsoft Cloud App Security (MCAS).

They are oriented around 4 major themes, as we continue to deliver a unique Cloud Access Security Broker (CASB) that is designed with security professionals in mind and continues to push industry boundaries by providing cutting edge capabilities, simplicity of deployment, centralized management, and innovative automation capabilities.

State-of-the-art Threat Protection

Malware poses risks to organizations and individuals in the form of impaired usability, data loss, intellectual property theft, and monetary loss. Microsoft uses a broad array of tools and techniques to identify, block, and eradicate malware infections wherever they are found.¹ As cloud threats continue to evolve, it is becoming increasingly important to detect not only known, but especially zero-day, malware that is infiltrating your cloud environments.

UBA enhancements and User Investigation Priority

By integrating with the Microsoft Intelligent Security Graph, MCAS has an unparalleled view into the evolving threat landscape, enabling us to continuously evolve our detections and enhance our UBA capabilities. At the same time, we recognize that prioritization is key for often understaffed SOC teams. That’s why we have added a new, powerful investigation priority for users, based on the new user analytics engine. It provides admins with an overview of the users who likely pose the greatest risk to the organization and are recommended for immediate review. It takes into consideration several conditions such as the type of alerts, as well as a user’s overall impact to the organization, e.g. their level of access to sensitive information, based on patented UBA mechanisms.

Image 1: The new User risk overview provides you with User Investigation Priority and timeline of suspicious alerts and activities

Malware Detonation

Microsoft Cloud App Security is introducing malware detonation capabilities for our API-connected cloud storage apps. Intelligent heuristics allow us to identify potentially malicious files, rather than needing to detonate all files, to minimize the impact on user productivity. Once a suspicious file has been identified, it is then detonated in a sandbox environment and alerts the admins. Malware investigation and detonation is automatically applied to newly uploaded files in near-real time, as well files that already exist in your connected cloud apps.

Adaptive DLP Controls

Hackers want information. Consequently, organizations invest heavily in ensuring their most valuable assets stay protected by making sure they know where and how data travels in the cloud, and that it can only be accessed by authorized users.

We’ve added support for powerful use-cases in Microsoft Cloud App Security for real-time monitoring and control, which now allow you to monitor and control the following situations:

• Apply custom permissions on download - Creating a company-wide labelling strategy is often an extensive task, because permissions must be scoped beforehand to create the labels relevant for your organization. But today’s world organizations provide increasingly flexible work environments for employees, while also collaborating with external parties, creating many conditions to take into consideration. This often makes it difficult to ensure that sensitive data can is protected, but productivity remains high. In Microsoft Cloud App Security we have added a more generic way to protect files in zero-trust situations. It allows organizations to define risky conditions beforehand, such as unmanaged device or external user, and then automatically apply permissions, such as read-only, to the documents upon download from your cloud apps. This provides a much greater level of flexibility and the ability to protect information outside of the pre-configured corporate labels.

• File uploads in any app – enabling scenarios such as preventing uploads of known malware extensions, as well as preventing users from uploading unlabeled files to any corporate app and educating them in the session to add a label to the file to enable the upload.

• Cut/copy and paste in any app – rounding out our robust controls of data exfiltration that already include controlling download and print capabilities, and custom activities such as share.

• Sending messages with sensitive content - ensuring that PII data, such as passwords, are not shared in popular collaboration tools such as Slack, Salesforce, and Workplace by Facebook via IM messages, posts or comments. We will also be adding Microsoft Teams shortly.

Image 2: When user attempt to share sensitive information over IM, the message is blocked from being sent in real-time. In this case the user wanted to share his password.

• Applying download permissions to specific folders in OneDrive for Business and SharePoint Online – We understand that not all folders in OneDrive for Business and SharePoint are the same. Some contain highly confidential data and therefore need a different level of control. This new level of granularity now allows you to ensure your most sensitive data cannot be exfiltrated and you can create policies that work for you.

• Out-of-the-box templates - Session Policies now include built-in templates, such as blocking download of sensitive files, to enable your organization to effortlessly enable popular use-cases around real-time monitoring and control of your sanctioned apps.

Unique, native integrations

Microsoft Cloud App Security natively integrates with leading Microsoft solutions and we continue to build on this strategy to leverage powerful capabilities from Microsoft’s solution portfolio as part of our CASB, to create unique capabilities.

Image 3: Microsoft Cloud App Security native integrations

Last week Microsoft announced its entry into the SIEM market with Microsoft Azure Sentinel, which allows you to aggregate all security data with built-in connectors, native integration of Microsoft signals, and support for industry standard log formats like common event format and syslog.

Microsoft Cloud App Security now integrates with Azure Sentinel and Power BI to leverage security logs in new, powerful ways - allowing organizations to define custom retention times, correlate MCAS Cloud Discovery data with your own data sources, and providing new, powerful ways to visualize the data in custom Power BI dashboards.

Longer, custom retention of Cloud Discovery data

While MCAS has a strict data retention policy and only keeps Cloud Discovery data for 90 days, by integrating with Azure Sentinel, organizations can now leverage their Discovery data within Azure Sentinel to define custom, longer retention times.

This gives admins more flexibility to run queries and visualize data over time directly within Azure Sentinel.

Image 4: Visualization of MCAS discovery data in Azure Sentinel

Bring your own data

Our Cloud Discovery data collects a specific set of data including target app URL, target app IP, username, uploaded bytes and more. But we’ve heard from many of our customers that they would like to add additional data points from other log sources and correlate the data directly. Examples include AAD attributes like department and region, to allow for a deeper user-based investigation. Through the new integration with Azure Sentinel, these datasets can now also be exported to Power BI, where organizations can add their own data sets and correlate it with the data collected by MCAS. Allowing you to run very specific queries against the correlated data sets and for e.g. look for high traffic users from a specific department.

Customized reporting

While Microsoft Cloud App Security natively offers a variety of built-in reporting options, including an executive report that summarizes the Cloud Discovery findings, the new integration with Power BI also enables organizations to create powerful, custom Power BI dashboards.

As described in the section above, it enables organizations to bring their own data and create custom queries. These custom data sets can then be used to create visually rich reports, providing flexibility and powerful reporting options to organizations via natively integrated products and simple workflows. The image below shows an exemplary dashboard that brings together Microsoft Cloud App Security Cloud Discovery data, custom data that was correlated via Azure Sentinel and a custom reporting dashboard that allows users to easily drill down into each of the sections.

Image 5: Customized Shadow IT Cloud Discovery dashboard, leveraging MCAS and 3rd part data.

Protecting any cloud app

The key to a successful CASB solution is that it can help protect any of the cloud applications organizations use in their environment, as multi-cloud strategies are becoming the new normal. We continue to add new applications to our MCAS portfolio and are excited to announce a new API connector, as well as several new featured apps for our real-time controls via Conditional Access App Control.

Cisco Webex Connector

We’ve added a brand new connector for Cisco Webex and now provide the same powerful controls that we support for our other connected apps, giving organizations even more flexibility for their cloud app environments.

More featured apps for monitoring and controlling user actions in real-time

Conditional Access App Control became generally available (GA) last summer and allows you to control and limit access to your cloud apps and the files and data that you store within them. It utilizes a reverse proxy architecture and is uniquely integrated with Azure AD Conditional Access, to provide powerful real-time visibility and controls.

We recognize the importance of business applications organizations, and the sensitive nature of content within these apps. To help maintain productivity while handling sensitive customer data, we’ve added real-time monitoring and control for Dynamics 365. In addition, we are constantly focused on securing your most sensitive resources, and therefore continue to feature more apps, most recently the Azure Portal and LinkedIn Learning. The full list of currently featured applications can be found here.

Any app support - Become a design partner in our latest private preview!

While our featured application list continues to grow, we are aware that each organization is unique and may leverage SaaS apps not on this list, as well as custom applications, both on-premise and in the cloud. Therefore, we are extremely excited to let you know about a new private preview we are kicking off, enabling you to onboard any web application to Conditional Access App Control, to provide real-time monitoring and control. During the preview phase, space is extremely limited. To discuss your eligibility, please contact us at mcaspreview@microsoft.com

Today we have discussed a wide range of powerful announcements, as we continue to innovate in the CASB space. In the coming weeks we will discuss many of these topics in even greater detail as they are released into the product, and will provide specific use-cases, of which many are directly inspired by working closely with our customers.

.

More info and feedback

Learn more about Microsoft Cloud App Security here.

Haven’t tried Microsoft Cloud App Security yet? Start a free trial today and kick off your deployment with our detailed technical documentation.

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

¹Microsoft Intelligence Report Volume 24 (https://info.microsoft.com/ww-landing-M365-SIR-v24-Report-eBook.html?lcid=en-us)

This post is authored by Itay Argoety, Product Manager, Azure ATP

Enterprise security operations (SecOps) often have limited resources and staff, and security analysts face evolving, more sophisticated attack methods. Many of the newest tools and vulnerabilities can often go undetected without the right tools.

Today, Microsoft is expanding the preview of the Unified SecOps Experience which includes the new Investigation Priority.

The new Investigation Priority uses information from Azure ATP, Microsoft Cloud App Security (MCAS), and Azure AD Identity Protection to add powerful User and Entity Behavioral Analytics (UEBA) capabilities into Microsoft Threat Protection, to better help organizations in attack detection and incident investigation.

UEBA for Azure ATP, MCAS, and Azure AD Identity Protection

Identifying the riskiest users in your organization and their potential impact has remained a labor-intensive process - until now.

Instead of trying to connect the dots between alerts in the queue and active hunting, our user and behavior analytics highlights which users in your organization pose the biggest potential risk.

The Investigation Priority engine pulls signals and data from Azure ATP, Microsoft Cloud App Security as well as Azure AD Identity Protection. Activities and events from these solutions are scored based on their abnormality and aggregated into users’ Investigation Priority score. This allows SecOps analysts to identify the users posing the most risk to the organization, should they be compromised.

By identifying and surfacing the top users to investigate within your organization, this unified platform removes the guess work for security analysts by showing the greatest potential asset and business risks exposed by these suspicious users and their actions, in a single pane of glass.

Calculating the Investigation Priority

Analytics are used to build the standard profile and behaviors of users and entities across both time and peer group horizons, while activity that is anomalous to your standard baselines is evaluated and scored.  Once scoring is completed, we apply Microsoft patent-pending machine learning and proprietary dynamic peer calculations, to offer the fastest possible Time-to-Remediate (TTR) workflow. 

The Investigation Priority Score provides you the ability to detect both malicious insiders and external attackers moving laterally in your organizations, without having to rely on standard deterministic detections.

Investigation Priority Score:

Assessing the investigation urgency of each specific user, the Investigation Priority Score is based on security alerts, abnormal activities, and potential business and asset impact related to each user. 

Every Azure AD user has a dynamic Investigation Priority Score, that is constantly updated based on recent behavior and impact, built from data evaluated from Azure ATP, Microsoft Cloud App Security as well as Azure AD Identity Protection. Your SecOps team can now immediately understand the real top user threats by Investigation Priority Score, and then directly verify their business impact and investigate all related activities – no matter whether they are compromised, exfiltrating data or acting as insider threats.

Alerts scoring:
Understand the potential impact of a specific alert on each user. Alert scoring is based on severity, user impact, alert popularity across users, and all entities in the organization.

Activity scoring:
Determine the probability of a specific user performing a specific activity, based on behavioral learning of the user and their peers. Activities identified as the most abnormal receive the highest scores.  

User impact (blast radius):
Gauge the potential damage each specific user can cause to your business. The user impact analysis takes a holistic organizational user approach, assessing user role, group membership, privileges, hierarchy at the organization, access to sensitive resources (high value assets), and the ability to access sensitive information. This capability will be coming soon.

Azure Sentinel & Investigation Priority:

With the newly announced Microsoft Azure Sentinel, the Investigation Priority Score will also be based on specific data types onboarded into your Azure Sentinel workspace. Custom alerts created in Azure sentinel will be scored and will impact the Investigation Priority of users.

Used together, the solution offers a unified user investigation priority for Azure AD users across Azure Sentinel, as well as the other services in Microsoft Threat Protection.

Participate in the evolution of the Unified SecOps Experience

If you’re one of the many enterprise customers already using Azure ATP, MCAS, or Azure AD Identity Protection (or a combination of these) and want to experience this new functionality, join our expanding preview program.

Get Started Today

If you are just starting your journey, begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace:

• Windows Defender ATP trial
• Office 365 E5 trial
• Enterprise Mobility Suite (EMS) E5 trial
• Azure Security Center trial

This blog post was authored by Vithalprasad Gaitonde, Principal PM Manager, System Center.

As customers grow their deployments in the public cloud and on-premises data centers, management tools are evolving to meet customer needs. System Center suite continues to play an important role in managing the on-premises data center and the evolving IT needs with the adoption of the public cloud.

Today, I am excited to announce that Microsoft System Center 2019 will be generally available in March 2019. System Center 2019 enables deployment and management of Windows Server 2019 at a larger scale to meet your data center needs.

System Center 2019 has been in private preview through the Windows Server Technical Adoption Program (TAP) customers since December 2018. A big thank you to everyone who have given us feedback so far.

I would like to take a moment and give you an overview about the new release. System Center 2019 has the following areas of focus:

• First-class tools to monitor and manage data centers
• Support and manage capabilities in the latest versions of Windows Server
• Enable hybrid management and monitoring capabilities with Azure

System Center 2019 is our LTSC (Long Term Servicing Channel) release and provides the 5 years of standard and 5 years of extended support that customers can rely on. Subsequent to the GA of System Center 2019, the suite will continue to accrue value through the Update Rollup releases every six months over the mainstream support window of 5 years.

System Center 2019 is designed to deliver value in the following areas:

Hybrid

As enterprise environments now span on-premises to the cloud, customers look to leverage the innovation in Azure services using their on-premises tools. To enable this, we have integrated System Center with a set of management services in Azure to augment the on-premises tools.

• With Service Map integration with System Center Operations Manager (SCOM), you can automatically create distributed application diagrams in Operations Manager (OM) that are based on the dynamic dependency maps in Service Map.
• With Azure Management Pack, you can now view perf and alert metrics in SCOM, integrate with web application monitoring in Application Insights, and monitor more PaaS services, such as Azure Blob Storage, Azure Data Factory, etc.
• Virtual Machine Manager (VMM) 2019 enables simplified patching of VMs by integrating with Azure Update Management.

Dashboard for Azure resources in SCOM web console

Security

With the security threats growing in number and sophistication, security continues to be top priority for customers.

• System Center products now support service logon and shun the dependency on interactive logon aligning with security best practice.
• VMM 2019 now includes a new role, VM administrator, which provides just enough permissions for read-only visibility into the fabric of the data center, but prevents escalation of privilege to fabric administration.

VM Administrator Role in VMM

Software defined data center

Hyper Converged Infrastructure (HCI) is a significant trend in on-premises data centers today. Customers see lowered costs by using their servers with high performant local disks to run compute and storage needs at the same time.

• With VMM 2019, you can manage and monitor HCI deployment more efficiently – from upgrading or patching Storage Spaces Direct clusters without downtime to monitoring the health of disks.
• VMM 2019 storage optimization enables you to optimize placement of VHDs across cluster shared volumes and prevents VM outages caused when the storage runs full.

Storage Health in VMM

Modernizing operations and monitoring

Customers have come to rely on SCOM for its extensibility and the ecosystem of management packs to monitor Microsoft and third-party workloads.

• With HTML5 dashboards and drill down experiences in the SCOM web console, you will now be able to use a simplified layout and extend the monitoring console using custom widget and SCOM REST API.
• Taking modernization a step further, email notifications in SCOM have been modernized as well with support for HTML-email in SCOM 2019.
• SCOM 2019 brings a new alerts experience for monitor-based alerts whereby alerts have to be attended to and cannot be simply closed by operators when the respective underlying monitors are in unhealthy state.
• SCOM has enhanced your Linux monitoring by leveraging Fluentd; and now is resilient to management server failovers in your Linux environments.
• All the SCOM management packs will now support Windows Server 2019 roles and features.

SCOM web console

Faster backups with Data Protection Manager 2019

Data Protection Manager (DPM) 2019 will provide backups optimized in time (faster) and space (consumes less storage).

• DPM improves performance of your backups with a 75 percent increase in speed and enables monitoring experience for key backup parameters via Log Analytics.
• DPM further supports backup of VMWare VMs to tape. In addition to Windows Server 2019, DPM now provides backups for new workloads such as SharePoint 2019 and Exchange 2019.

DPM alerts and reports using Log Analytics

Orchestrator 2019 and Service Manager 2019

Orchestrator 2019 supports PowerShell V 4.0 and above, enabling you to run 64-bit cmdlets. Service Manager 2019 will ship with an improved Active Directory (AD) connector that is now capable of synchronizing with a specific domain controller.

Changes to release cadence

Finally, we are making changes to System Center release cadence to optimize the way we are delivering new features. System Center has two release trains today LTSC and SAC. There is also a release train called Update Rollups (URs).

Most of our customers use Long Term Servicing Channel (LTSC) like System Center 2016 to run their data center infrastructures. LTSC provides five years of mainstream support and five years of extended support with Update Rollups (UR) providing the incremental fixes and updates. From talking to customers, we learned that LTSC works better for most System Center deployments as the update cycles are longer and more stable.

Based on the learnings, we will start to focus our resources on innovation plans for System Center in LTSC releases and stop SAC releases. System Center 2019 will support upgrades from two prior SAC releases so customers running System Center 1801 or System Center 1807 will be able to upgrade to System Center 2019; just as System Center 2016 can be upgraded to System Center 2019.

System Center Configuration Manager (SCCM) is not impacted by the 2019 release change and will continue current branch release cadence of three times per year as noted in the documentation, “Support for Configuration Manager current branch versions.”

Call to action

In March, customers will have access to System Center 2019 through all the channels! We will publish a blog post to mark the availability of System Center 2019 soon. As always, we would love to hear what capabilities and enhancements youd like to see in our future releases. Please share your suggestions, and vote on submitted ideas, through ourUserVoice channels.

Frequently asked questions

Q: When will I be able to download the System Center 2019?

A: System Center 2019 will be generally available in March 2019. We will update this blog to inform that the build is available for download through the Volume Licensing Service Center (VLSC).

Q: Is there any change in pricing for System Center 2019?

A: No.

Q: Will there be a new Semi-Annual Channel release along with System Center 2019?

A: No. There will not be Semi-Annual Channel releases, but new features before the next Long-Term Servicing Channel (LTSC) release will be delivered through Update Rollups.

The post Coming soon: Microsoft System Center 2019! appeared first on Windows Server Blog.

This post was authored by @Arpita Duppala, PM on the Core Operating System and Intelligent Edge team. Follow her @arnuwish on Twitter.

Azure Blob Storage on IoT Edge is a light-weight Azure consistent module which provides local block blob storage, available in public preview. We are excited to introduce auto-tiering and auto-expiration functionalities to our “Azure Blob Storage on IoT Edge” module. Currently both these new features are only available for Linux AMD64 and Linux ARM32, support for Windows AMD64 is coming soon.

Auto-tiering is a configurable functionality, which allows you to automatically upload the data from your local blob storage to Azure with intermittent internet connectivity support. It allows you to:

1. Turn ON/OFF the tiering feature
2. Choose the order in which the data will be uploaded to Azure like FIFO or LIFO
3. Specify the Azure Storage account where the data will be uploaded.
4. Specify the containers you want to upload to Azure.
5. Do full blob tiering(using Put Blob operation) and block level tiering (using Put Block and Put Block List operations).

When your blob consists of blocks, it uses block-level tiering to upload your data to Azure. Here are some of the common scenarios:

1. Your application updates some blocks of a previously uploaded blob, this module will upload only the updated blocks and not the whole blob.
2. The module is uploading blob and internet connection goes away, when the connectivity is back again it will upload only the remaining blocks and not the whole blob.

Auto-Expiration is a configurable functionality where this module automatically deletes your blobs from local blob storage when TTL(Time to Live) expires. It allows you to:

1. Turn ON/OFF the auto-expiration feature
2. Specify the TTL in minutes

Video

Azure Blob Storage on IoT Edge – Version 1.1 (March 07, 2019)

In the diagram below, we have an edge device pre-installed with Azure IoT Edge runtime. It is running a custom module to process the data collected from the sensor and saving the data to the local blob storage account. Because it is Azure-consistent, the custom module can be developed using the Azure Storage SDK to make calls to the local blob storage. Then it will automatically upload the data from specified containers to Azure while making sure your IoT Edge device does not run out of space.

This scenario is useful when there is a lot of data to process. For example, data from industries who captures survey and behavioral data, research data, financial data, hospital data and so on. It is efficient to do the processing of data locally because there is a lot of data that is continuously being captured. Azure Blob Storage on IoT Edge module allows you to store and access such data efficiently, process if required, and then automatically upload that data for you to Azure and automatically deletes the old data from IoT Edge device to make space for new data.

Current Functionality:

With the current public preview module, the users can:

• Store data locally and access the local blob storage account using the Azure Storage SDK.
• Auto-tiering from IoT Edge device to Azure
• Auto-expiration the data from IoT Edge device
• Reuse the same business logic of an app written to store/access data on Azure.
• Deploy multiple instances in an IoT Edge device.
• Use any Azure IoT Edge Tier 1 host operating system

More Information:

Find more information about this module at https://aka.ms/AzureBlobStorage-IotModule

Feedback:

You can reach out to us at absiotfeedback@microsoft.com 

The official SqlServer module now includes a version of the Invoke-Sqlcmd cmdlet that runs in PSCore 6.2 and above. The version of the SqlServer module which contains this cmdlet is 21.1.18095-preview and is available in the PowerShell Gallery.

The post Invoke-Sqlcmd is Now Available Supporting Cross-Platform appeared first on PowerShell.

Back in 2015 I wrote a blog about Mac management with Intune, however it’s been a few years and I feel it’s time we re-visit Mac management with Intune to learn more about what’s changed. You’ll soon learn there’s been a significant amount of progress and since my first post Intune now has a lot of native Mac management capabilities built in.

First let’s look at MacOS enrollment options with Intune.

MacOS enrollment options

There are two methods to enroll MacOS with Intune, user driven or using Device Enrollment Program.

User driven enrollment

For user driven enrollment the end user will need to sign into the web based version of the company portal via https://portal.manage.microsoft.com

If the user already had a device registered it will show on the screen, if the Mac is the first device being enrolled, they will see the following:

Once the user selects “Add this one by tapping here” they’ll be prompted to download the Intune Company Portal app.

After the Company Portal is downloaded and installed, open it up and you’ll be asked to sign-in using your corporate credentials. These are the same credentials used to sign into Office 365 (derived from Azure AD).

After sign-in is complete the device will begin the enrollment process.

For more details on user driven Mac enrollment please visit: https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp

Apple Device Enrollment Program

The concept of the Apple DEP is to associate devices with an organization and to streamline the enrollment process, similar to enrolling Apple iOS devices. However, enrollment requires a different process by associating an Apple enrollment token with Intune. After the enrollment token is added and enrollment profile is created in Intune and associated with the enrollment token.

During the enrollment profile creation process you’ll be asked to select user affinity (i.e. userless or user associated). Once user affinity is selected, you’ll also select whether or no you’ll all users to remove the enrollment profile via the “Locked enrollment” setting. Finally, you’ll customize the setup assistance which allows for hiding setup screen, e.g. Apple Pay, Siri, Registration, etc.

For more details on the Apple enrollment token process with Intune please visit: https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-macos

Conditional access

An exciting feature of Azure AD is the ability to target certain device platforms (e.g. MacOS) and set a series of conditions for access by creating conditional access policies in Azure AD.

Compliance

Azure AD and Intune compliance policies also play a role in access. Step through the compliance policies below to view the restrictions that may be enabled for the device to be compliant.

Device Health

System integrity protection prevents malicious apps from modifying protected files and folders.

Device Properties

Specify which OS version and builds you’ll allow before accessing corporate resources.

System Security

Configured password and password integrity, storage encryption, firewall, and gatekeeper to project against malware.

Actions to take for non-compliance

Take action when devices are not compliant with the compliance policy by sending the user a mail and/or locking the device.

Associating an Intune compliance policy with Azure AD conditional access policy

Create an Azure AD conditional access policy to require the device be compliant to access corporate resources.

Looking at device configuration for MacOS there are a number of settings, and in my opinion, those settings address a lot of organizations requirements for Apple Mac management.

Device features

Device restrictions

Endpoint protection

Looking to protect the device further by configuring the firewall and controlling where apps are installed from? Gatekeep will help with those requirements.

Further configure firewall settings to device what you’ll allow in and which apps are allowed and/or blocked.

Certificates

Intune supports PKCS certificates for general and S/MIME purposes.

Device and user-based certificates are both supported via SCEP

VPN

Many VPN settings are available including 3rd party VPN support.

Make note of On-demand and per-app VPN

Use a proxy server? No problem!

Wi-Fi

Both Basic and Enterprise Wi-Fi profiles are supported with various auth types.

Customize with Apple Configurator

Don’t see a setting in the UI, not to worry as you can create a custom profile using Apple Profile Manager and/or Apple Configurator and upload the payload for delivery through Intune.

App deployment

Both line of business and Office apps are supported right from the UI.

When selecting “Line-of-business app” the MacOS app must be wrapped using the app wrapping tool for Mac which will wrap the app and give it an extension of .intuneMac.

The tool is available on GitHub: https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac

To learn more about Mac app deployment with Intune please visit: https://docs.microsoft.com/en-us/intune/lob-apps-macos

One of my peers Scott Duffy @Scottduf has a great post on this topic: https://blogs.technet.microsoft.com/microscott/deploying-apps-to-macs-using-microsoft-intune/

Note: as of this post only .pkg files are supported nor are conversions from .dmg to .pkg

Microsoft + Jamf partnership

Microsoft has also has a partnership with Jamf. Jamf also provides MacOS management and if your organization currently utilizes Jamf and would like to receive the benefits of integrating Jamf with Intune you can do this today with Jamf Pro. So, what does this mean?

MacOS devices managed by Jamf remain managed by Jamf when Intune comes into the picture (thus are only registered with Intune not enrolled) and integrating Jamf Pro with Intune provides a path for Jamf to send signals in the form of inventory to Intune. Intune will use compliance policies to evaluate the Jamf signals and in turn send signals over to Azure AD stating whether the device is compliant or not. The Azure AD conditional access policy will kick in and based on your configuration of the conditional access policy, will either block or further challenge the user to remediate before access company resources.

For more details about Intune and Jamf integration please visit: https://docs.microsoft.com/en-us/intune/conditional-access-integrate-jamf

Jamf also has a whitepaper about Intune integration: https://www.jamf.com/resources/technical-papers/integrating-with-microsoft-intune-to-enforce-compliance-on-macs/

That’s it for now, however Microsoft is always releasing updates for Intune.  Check back monthly with What’s new in Microsoft Intune and be sure to check which Intune features are under development by visiting: https://docs.microsoft.com/en-us/intune/in-development

Article re-posted from https://uem4all.com/2019/03/11/intune-macos-management/

While leveraging SCOM REST API, if you get the error message “The given key was not present in the dictionary.“ then it means that the request body is not being parsed correctly. For resolving this error, make sure that the Content-Type header is set to “application/json” and JSON.stringify() is called on the data value to convert it into string.

Below is a sample snippet of the script with the usage of Content-Type header and  JSON.stringify to resolve such errors:

window.onload = function () {
                $.ajax({
                        url: "/OperationsManager/data/performance",
                        type: "POST", 
       headers: {
                 "Content-Type": "application/json"
                },
                        data: JSON.stringify({
                        "duration":1440,
                        "id":"721BEA34-B0E4-DC97-5169-52808F731A6B",
                        "performanceCounters":[ 
                               {
                                       "objectname":"Health Service",
                                       "countername":"agent processor utilization",
                                       "instancename":""
                               }
                        ], 
                        }),

___________________________________________________________________________________________________________________________
IMPORTANT ANNOUNCEMENT FOR OUR READERS!

AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!

__________________________________________________________________________________________________________________________

This content also resides in the Core Infrastructure and Security TechCommunity blog @ https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/Installing-SCVMM-2019-with-a-Group-Managed-Service-Account/ba-p/370186

Hello SCVMM Users, Michael Godfrey here again, Premier Field Engineer specializing in all things Private and Public Cloud including the Software Defined Datacenter.

It’s here, It’s here. The time has come for a new Long-Term Servicing Channel (LTSC) release of System Center 2019. I know first-hand that the Product Group behind Virtual Machine Manager has been hard at work bringing new features to make VMM a stellar part of your Private & Hybrid Cloud Deployment and I wanted to talk about one of my favorite new features before you begin the path to install VMM 2019.

In the past, VMM has had a requirement for a Service Account, this is the account that all VMM requests to the Hosts and Infrastructure components of VMM are made through. This has traditionally been a standard user account, that you or your Active Directory Administrator would create, set the password to a random string, and set the password to never expire. This was not a great idea in a modern infrastructure, especially when it came to security. This account has a lot of permissions, including local administrator rights on all of your hosts.

A wise manager once told me, “It’s not a problem, unless you have a solution.” So, in Windows Server 2012 a concept known as Group Managed Service Accounts was introduced, and these accounts are essentially a managed service account that provides automatic password management, provided by Active Directory. You can read more about them here.

What I am so excited to share with you today is after years of Microsoft products adopting GMSA’s, the time has finally come for System Center 2019. Now, as you prepare to install VMM 2019, you will have the option to supply a Service Account, a Local Account or a Group Managed Service Account. In this post, I want to share with you, exactly how you go about creating a GMSA and then use it to install VMM 2019. Here we go….

There are some prerequisites to creating a GMSA, there are great directions from our friends at Docs.Microsoft.Com; the link is here. The short end of it is, your AD Administrator will need to use PowerShell to create the Managed Service Account, you will need to provide the name of the account, and the “PrincipalsAllowedToRetriveManagedPassword.” This is quite simply the Computer Accounts that will be authorized to retrieve the password from Active Directory on an ongoing basis. In the instance of installing VMM, you will need to use all Servers that the VMM Server is installed on, so in a Stand-Alone environment, one machine. If you deployed VMM in a Highly Available Capacity, then all the nodes in the Cluster and the Cluster Computer Account Name itself will be included in this list. Here is an example command in PowerShell that can help you build the account on a domain controller.

New-ADServiceAccount SCVMMSVC -DNSHostName SCVMMSVC.Contoso.com -PrincipalsAllowedToRetrieveManagedPassword SCVMMCL, SCVMMNode1, SCVMMNode2 -KerberosEncryptionType RC4, AES128, AES256

Once you have the Managed Service Account Created and verified, you can use it for the install. When you get to the “Configure Service Account and Distributed Key Management” Page in the SCVMM 2019 Install Wizard, simply select the radio button; “Group Managed Service Account,” and enter the name of the service account. Please note this must be in the “FQDNService Account Name,” format, and be sure to include the dollar sign, $, at the end of the account name, as it is considered a computer account.

That’s it! Now continue through the wizard like normal and you will have set SCVMM 2019 with one of the newest features, GMSA. Now, the VMM Server will request the password from AD on a consistent basis and update the SCVMMService with the new Service Account password, all in the background, allowing you and your security team peace of mind that the Service account password is reset regularly and unknown to any humans.

I hope this helps and stay tuned for more blogs about new features in SCVMM 2019, as I will be posting new content on things like Storage Optimization, Azure Update Integration with VMM and Encrypting SDN VMNetworks in the future.

As always feel free to comment and reach out with any questions. Thanks again!

The post The PowerShell Extension is now in the Azure Data Studio Marketplace appeared first on PowerShell.

This article was co-authored by

Last week researchers found dozens of companies had inadvertently exposed their sensitive corporate and customer data in their corporate Box accounts, because employees had created public sharing links to files and folders, which makes data easily discoverable.¹

^{Figure 1: Data breach statistics via https://breachlevelindex.com/}

Companies choose to make cloud storage services available to their employees to increase productivity by enabling teams to work together efficiently and collaborate with external parties. But data in Box, like other file storage services, is managed by the end users, who are mainly focused on being productive, and don’t always consider the implications of oversharing data.

Consequently, cloud storage locations can quickly become a source of overexposed information, unless IT has visibility into the data that’s being shared, and the relevant management capabilities are in place.

Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB), that enables you to protect your sensitive information anywhere in the cloud.

In this post we will walk you through how it enables you to understand your current exposure of information from existing cloud storage locations like box and how to control information sharing in these environments continuously to ensure IT oversight.

Gaining visibility into your Box environment

CASBs connect to cloud services, like Box, to provide an additional layer of protection. So even if there is a user or configuration mistake, they ensure that important corporate data is protected. Microsoft Cloud App Security provides you with comprehensive auditing and controls over your files in Box and gives you full visibility into all the actions performed in by both users and admins. These include actions related to file uploads, edits or sharing and administrative changes made to the overall environment.

After you connect Microsoft Cloud App Security to Box, MCAS automatically scans all existing files and once complete, you can use the file overview and powerful data management reports, that give you full visibility into all files stored in Box and lets you understand access levels, owners, and collaborators.

Figure 2: Data Management report – data sharing overview

Ensuring your data is protected

The powerful filtering capabilities allow you to identify overexposed files in your organization. Once you understand your data exposure, you can dive even deeper and identify whether any of these files contain sensitive or regulated data and take corrective action. To automate, you can also configure file policies that will scan for publicly accessible files and inspect their content, and then automatically apply governance actions such as labeling, changing sharing permissions, and placing a file in quarantine.

Figure3: File overview, filtering options and automatic governance actions that were applied

Continuous monitoring of suspicious behavior

Whether for forensics, or proactive detection of suspicious user activity, Microsoft Cloud App Security also provides a built-in behavioral analytics (UEBA) and machine learning (ML) engine, as well as out-of-the-box anomaly detection policies to detect numerous behavioral anomalies, that indicate compromised accounts and Insider Threats. Once a suspicious activity is detected, MCAS will automatically alert you, and automate remediation actions.

Figure 4: Suspicious user behavior alerts

The latest breach was focused on data that users shared without limiting the sharing to a specific person or group of people, and instead allowing anyone with the link to access the data. By using MCAS these organizations could have easily prevented any data from leaking from their Box environments by putting policies in place to look at publicly accessible files and automatically limit sensitive content from being shared so widely.

Protect your Box environment today. Start using Microsoft Cloud App Security, understand your current exposure and start putting the right controls in place to ensure your company name does not end up on the next list of leaks.

More info and feedback

Check out our Information Protection datasheet for more information or get started with our technical documentation today.

Haven’t tried Microsoft Cloud App Security yet? Start a free trial today and kick off your deployment with our detailed technical documentation.

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Find out more about Microsoft Cloud App Security on our website.

¹https://techcrunch.com/2019/03/11/data-leak-box-accounts/

___________________________________________________________________________________________________________________________

IMPORTANT ANNOUNCEMENT FOR OUR READERS!

AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!

__________________________________________________________________________________________________________________________

Hello IT Professionals. Robert M. Smith, PFE here, with a short blog post regarding Virtual Desktop Infrastructure (VDI). A peer of mine Tim Muessig (also PFE), developed a PowerShell script that can be used to optimize Windows 10 Enterprise, 1803, for use in a VDI environment.

This script goes through and performs the following actions:

• Remove non-essential UWP apps
  
• Disables several services
  
• Sets some default user settings
  
• Disables several scheduled tasks
  
• Disables several Windows “auto-logger” startup traces
  
• Applies dozens of GPO settings to local policy using the Microsoft Local Group Policy Object (LGPO) tool.
  
• Runs disk cleanup using the Disk Cleanup Wizard
  
• Changes network interface controller (NIC) settings, to optimize for networking performance
  

The PowerShell script uses core code in the main script to call and enumerate lists in the form of text files, of the various objects that will be changed. For example, the UWP apps to be removed are in a text file named ‘AppXPackages.txt’. If you decide that a UWP app on the list should not be removed, simply edit the ‘AppXPackages.txt’ file.

Once you download the tree of files, you are free to edit as you like for your environment.

There are a few dependencies of this script:

• The script calls a number of text files for the various categories of items to remove or disable. Those files must be in place for the script to work correctly.
  
• The script uses the ‘LGPO.exe’ Microsoft tool to import an included LGPO export of GPO settings from a generic Windows 10, 1803 virtual machine (VM). That tool must be included and in the proper location in your tree of files and folders for the script to function correctly.
  
• The script and the text files must be all in the same folder, which can be any folder of your choosing.
  

The VDI script and associated files are publicly available on GitHub, at the following location:

https://github.com/TheVDIGuys/W10_1803_VDI_Optimize

This script is based on the same settings in a soon to be released white paper on optimizing Windows 10 1803 in a VDI environment. This blog post will be updated when that paper is published. The publication for this white paper will be the ‘Docs.microsoft.com’ knowledge repository.

Any comments and/or questions are welcome. Thank you for visiting the blog, and let us know if you have any suggestions for topics you would like to see in future blog posts.

We are thrilled to announce the upcoming general availability of Microsoft Intune app protection policies in Microsoft Edge for iOS and Android for secure access to internal and external sites. This is an exciting step in our journey of evolving Microsoft Edge into the best browser for the enterprise. Since the launch of our preview, we have received great customer engagement with over 50,000 monthly active users already using Microsoft Edge targeted with Microsoft Intune policies on iOS and Android. Using a browser protected with Intune policy ensures that corporate data is always accessed with safeguards in place.

With this release, Microsoft Edge supports the same application management and security scenarios as the Intune Managed Browser. Microsoft Intune app protection policies for Microsoft Edge complete the security perimeter for your organization’s data and resources. Organizations can now standardize on Microsoft Edge across all platforms for a superior user experience, while leveraging industry-leading security features, including:

• Intune application protection policies
• Azure Active Directory conditional access
• App Proxy integration
• single-sign on, and
• application configuration settings for Microsoft Edge

Here's a quick demo:

Beyond the security features, Microsoft Edge offers a world-class browser with fast page-rendering and delightful productivity and personalization features. The cornerstone of the Microsoft Edge mobile enterprise experience is support for both work and personal identities. As with the Office 365 and Outlook apps, this dual-identity model allows end users to use Microsoft Edge for all browsing needs and easily move between the two experiences based on the content policies defined by the administrator. All the while, browsing in the personal context is unaffected and corporate information is kept containerized to the work context within Microsoft Edge. Browsing data such as cookies, passwords, history, clipboard content is kept separate between the two identity contexts.

This secure browsing solution will be available later this month for all your iOS and Android users, whether managed by Intune, managed by a different MDM product, or not managed at the device level.

More info and feedback

Learn how to get started with Microsoft Edge in the enterprise with deployment guidance for IT Pros.

Learn more about deploying Microsoft Edge with Microsoft Intune application protection policies.

Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Follow @MSIntune and @MicrosoftEdge on Twitter

Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Today, we are happy to introduce Microsoft Intune security tasks, a new one-click remediation capability in Microsoft 365 that bridges security stakeholders—security administrators, security operations, and IT administrators—by allowing them to collaborate and seamlessly remediate threats. This capability will extend the newly announced Microsoft Defender Threat & Vulnerability Management (TVM), a new component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP, previously Windows Defender ATP) that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.

Rapid response to detect and remediate security incidents among billions of events is essential for IT security because adversaries present a danger every minute they are in your environment. Communication cycles and distribution of tasks between Security Operations, Security Admins and IT Admins often allow security breaches to spread over time or even linger unattended. Microsoft Defender ATP and Microsoft Intune create a task pipeline to eliminate lengthy delays between security-driven threat detection and IT-driven threat remediation. The status of the remediation task is synchronized back to the Microsoft Defender ATP console to keep Security Operations or Security Admins updated on the progress.

Some examples of security tasks to remediate your security posture would be to update a vulnerable app, uninstalling a vulnerable app, updating an OS, or changing a device configuration. Let us walk through one such security task, as an example.

How to update a vulnerable app with Microsoft Intune

In this example, we will use Microsoft Intune for remediation when Microsoft Defender ATP detects a vulnerable app and recommends an update to a new version. Note the risk exposure score is high according to the dashboard.

The Security Admin acts upon this recommendation by putting in a request to their IT department to remediate the vulnerable app.

They may add a due date to complete the security task and add notes, before passing this information to the IT admin in Microsoft Intune

Over in the Microsoft Intune console, the IT admin can see all requests from the security department in the new Security tasks node, with a 'pending' status, due date, and number of impacted devices. 

From here, the IT admin can Accept or Reject the task. To help facilitate this decision, Microsoft Defender ATP provides insights into the security recommendation. Microsoft Intune security tasks can identify and remediate vulnerable apps on devices managed by both Intune and Configuration Manager.

The IT admin can directly open the vulnerable app from the task and take care of the update. Once complete, they can close the task and the threat is mitigated.

When this vulnerability is remediated, the risk exposure score drops to medium on the dashboard. 

As the security stakeholders work together to complete the remaining security tasks, it continues to harden the organization’s security posture. 

Preview available soon

Security tasks are simply the latest innovation in strengthening the existing integration between Microsoft Intune, Azure Active Directory and Microsoft Defender ATP. Together, the Microsoft 365 security management platform continues to evolve to help organizations easily block attackers from spreading if any machine is compromised. This integration has already proven successful in detecting and remediating new cyber-attacks using device risk score to drive conditional access. The new capabilities will be available for preview within the next month.

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

  Follow @MSIntune on Twitter

(This post is co-authored by Joey Glocke, Senior Program Manager, Microsoft Intune and Mayunk Jain, Product Manager, Microsoft 365 Security)

Microsoft Intune is pleased to announce partnership with Zebra Technologies, a leading manufacturer of ruggedized devices used by several industries such as retail, healthcare, manufacturing, logistics, and more. Microsoft Intune will support deeper management of Zebra ruggedized Android devices, starting with support for devices managed using Android device administrator mode, and adding support for Android Enterprise management later this year.

Many Intune customers already manage Zebra devices via Intune by leveraging Intune's Android settings management capabilities. The deeper integration will now allow these Intune customers to fully leverage the device management capabilities of their Zebra devices and Zebra specific settings. Others have been maintaining the overhead of another device management solution only for their Zebra devices. This integration will allow customers to enable Zebra ruggedized devices to be managed side by side with personal, corporate-owned, and bring-your-own (BYOD) devices they already managed using Intune. Customers simplify their device management workflows and reduce total cost of ownership by unifying endpoint management for all their devices.

Managing Zebra with Android device administrator mode

A number of our customers manage their Zebra devices as traditional Android devices in Intune. Customers can continue to leverage Android’s device administrator management capabilities while now being able to configure the Zebra specific properties via Intune. Intune will now enable the distribution of Zebra StageNow configuration profiles to Intune-enrolled Zebra devices. This enables customers to leverage their existing configuration tools to manage these devices via Intune.

Figure 1. Screenshot of Zebra MX profile creation in Intune admin console

To manage these devices, IT administrators will create an MDM enrollment profile with StageNow and use any of the supported staging options in StageNow (such as, barcode scanning, NFC or audio staging) to deploy the Intune Company Portal. After the device is enrolled with Intune, the device is ready to accept StageNow policy deployed by Intune. Customers can continue to deploy traditional MDM policies to Zebra devices as well. Availability will be communicated in the coming days on What’s New in Intune page.

Figure 2. Zebra devices that are being managed by Intune

Managing Zebra with Android Enterprise

Microsoft is working with Google to develop Intune support for the Android Enterprise platform, including the use of Android device policy controllers (DPC) for the device owner scenarios. We continue to collaborate with Zebra and Google to deliver Android Enterprise management for Zebra devices using the OEMConfig framework. This will allow organizations to continue to use Intune to manage their new devices as they move their hardware to Zebra devices running Android Enterprise. We expect this functionality to arrive later this year.

Next Steps

The partnership with Microsoft Intune allows organizations using Zebra devices to benefit from unified endpoint management without having to modify their current management workflows. The first phase of capabilities are already in development and estimated to release later this month.

To learn more about how Microsoft Intune can help your business, check out the technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

Follow @MSIntune on Twitter

As you work to empower your employees to be more productive wherever they are, on the devices of their choice, one of your greatest challenge may be how you manage and secure those known and unknown endpoints – without investing additional IT resources. You need a depth of control offered by a robust PC management solution, and the ability to scale to the modern demands of a mobile workforce. How can you transform into an agile service provider that meet these high security requirements without ever compromising user experience?

Building on experience over the past 25 years across every industry vertical, we have worked to offer the most complete unified endpoint management (UEM) platform in the industry, connecting the advanced security and mobility management strengths in Microsoft Intune to the robust Configuration Manager client management capabilities. Today, it’s estimated these products manage over 150 million endpoints at a global scale.

Investing in cloud-connected value

Customers frequently tell us that they need the depth of control offered by a robust PC management solution, and we continue to invest in driving cloud value for our on-premises PC management platform. Many of you have widely adopted Configuration Manager current branch, a cloud-connected version that enables you to stay current with updates three times per year. This week we are releasing Configuration Manager current branch 1902, which will include new insights and capabilities such as:

• New Office analytics: Native integration with the Office Readiness Toolkit provides insights that will help prepare your organization for Office 365 ProPlus deployments. These insights help organizations with the end-to-end readiness, deployment and status tracking of Office 365 ProPlus, all managed with the familiarity of Configuration Manager. 
• Updates to CMPivot for real-time queries: CMPivot provides a simple way to quickly investigate the whole device estate using pre-built queries, pivoting the data to answer specific questions relating to compliance and security, for example. You can now access CMPivot from the Configuration Manager Central Admin Site, enabling you to quickly run these queries and remediate where needed.
• New management and client health visibility: Improved management insights simplify and help you prepare for co-management. There are new Management Insight rules for optimizing and simplifying collections and packages. We have also made improvements in client health by providing a dashboard with detailed breakdowns of device status across your organization.

Greater insights empower you to take action, and with the addition of new deployment options, you can accelerate the shift to modernize the way your users work:

• Phased deployments: To accelerate OS and app deployment, phased deployments let you set the order of updates based on device collections, set parameters for those deployments including success criteria, and then execute all phases sequentially. In the Configuration Manager 1902 release, phased deployments now have their own dedicated monitoring node.
• Configuration of known-folder mapping to OneDrive: The ability to configure known-folder mapping to OneDrive from Configuration Manager, provides a streamlined way to seamlessly redirect users’ known folders to OneDrive, and redirecting their data from local folders. This helps simplify user data migration during OS updates.
• Configuration Manager integration with the Office Customization Tool: Streamline deployment of Office 365 ProPlus and other Click-to-Run managed Office products using a simple, intuitive, and web-based interface, surfaced within the Configuration Manager console.

Gain immediate value from co-management

Co-management is about leveraging your existing management infrastructure and connecting it to the cloud to gain management efficiency, greater security and global scale. In just four clicks, you can start delivering immediate cloud value to existing Windows users managed by Configuration Manager, such as:

• Azure Active Directory conditional access: Control user access to corporate resources based on device health and compliance policy signals from Microsoft Intune.
• Azure Active Directory cloud identity: Registering Windows devices with Azure Active Directory is a requirement for co-management, and it lets users take advantage of improved collaboration, productivity and security across the Microsoft 365 stack, within both cloud and on-premises environments.
• Remote Actions: Run remote actions from Intune for co-managed devices. For example, wipe and reset a device and maintain enrollment and account.
• Configuration Manager client health: Maintain visibility of Configuration Manager client health from the Intune portal.

Manage and secure all your devices

The unified endpoint management platform combining Microsoft Intune and Configuration Manager creates one place for you to manage Windows and other endpoints running Microsoft 365 within your organization. It allows you to achieve your digital transformation goals at your own pace, scaling to the security and management demands of an increasingly mobile workforce. Microsoft Intune is leading the innovation march to extend security management across devices, including Windows, macOS, iOS, Android and ruggedized devices:

• Secure browsing extended to all platforms with Microsoft Edge: We are excited to announce Microsoft Edge for iOS and Android will support Microsoft Intune app protection policies to enable the most secure and user-friendly browsing experience for enterprise users. Mobile users who sign in with their corporate Azure Active Directory accounts in the Microsoft Edge application will benefit from the unique ability to separate work and life in the same app, and have fully managed access to corporate resources. Switching from native browsers to Microsoft Edge gives users a greatly improved user experience, and leverages Microsoft 365 security features such as Intune application protection policies, Azure Active Directory conditional access, App Proxy integration, single sign-on, and application configuration settings defined by their IT admins for Microsoft Edge. This solution is expected to be generally available by the end of March.
• Support for ruggedized devices: Microsoft Intune is proud to partner with leading manufacturers of ruggedized devices, including Zebra Technologies and Samsung, to easily provision, deploy, and secure ruggedized scanners, printers, tablets, and handheld devices alongside their information worker and non-rugged deployments, from a unified management console. With upcoming support for new devices using Android Enterprise and deeper integration for existing management methods, Microsoft Intune’s highly scalable, globally distributed cloud service is an ideal management partner for the rugged devices to withstand punishing use and harsh conditions. We estimate the public previews to be available starting next quarter.
• Expanding support for Android Enterprise scenarios: With Microsoft Intune, you can select the right management approach for different use cases and scenarios relevant to your organization. Intune supports Android Work Profile, which requires users to enroll and provides certain device-level controls for IT administrators. If you don’t need the device management capabilities, you may deploy Intune app protection policies (APP) that manage the corporate identities and protect corporate data on devices without enrollment. The Android Enterprise dedicated device mode is designed for locked-down kiosk-style use cases where the device is not associated with a specific user identity. The Android Enterprise fully managed capabilities for company owned devices are now in public preview. Earlier this year, Microsoft also joined the Android Enterprise Recommended program for enterprise mobility management.
• Meeting customers’ top-requested macOS management features: With growing Microsoft 365 adoption on Apple Mac devices, customers have asked us to help simplify their macOS management. We are pleased to announce that some of the most-requested macOS management features will soon be available in Microsoft Intune. A few highlights are FileVault full-disk encryption (FileVault 2) to encrypt the startup disk on your Mac, support for volume purchasing plans (VPP) for macOS, along with other top-requested configuration settings. Here’s a quick review of recent management capabilities for macOS already available with Microsoft Intune

Microsoft Intune remains the best way for you to take full advantage of Windows 10 modern device management (MDM) capabilities. Several new features help you leverage skills and processes honed through on-premises management and use them in the cloud. For instance:

• Windows 10 Security Baselines (in preview) are a group of Microsoft-recommended configuration settings that explain security impact and help you improve your organization’s security posture, increase operational efficiency and reduce costs. If you're new to Intune, and not sure where to start, then MDM security baselines give you an advantage. You can quickly create and deploy a secure profile to help protect your organization's resources and data. If you're currently using Group Policy, migrating to Intune for management is much easier with these baselines natively built into Intune's modern management platform.
• Administrative templates include about 300 settings that previously only existed in the group policy editor, which can now be managed in Microsoft Intune. They include hundreds of settings that control features in Internet Explorer, Microsoft Office programs, remote desktop, access to OneDrive, using a picture password or PIN to sign in, and more. These fully cloud-based templates offer a simpler way to find and configure Windows settings you want.
• Win32 app deployment has been arguably one of the most anticipated cloud management features. Widely deployed since it became generally available earlier this year, it builds upon the existing support for line-of-business (LOB) apps and Microsoft Store for Business apps to enable Microsoft Intune administrators to add, install, and uninstall Win32 applications for Windows 10 users in a variety of formats such as MSI, Setup.exe, or MSP. New capabilities added recently include the option to install Win32 apps in user context for individual users, as well as installing for all users of the device; delivery optimization for app content download; install status in the troubleshooting blade; ability to suppress showing end user toast notifications per app assignment; and more.
• Endpoint protection for Windows 10 and newer devices continues to evolve in Microsoft Intune. Endpoint protection lets you control different security features on your devices --including firewall, BitLocker, Microsoft Defender -- allowing and blocking apps, and more. You can configure these settings in Microsoft Intune using device profiles. Check out the latest support for remediation of vulnerable apps using Microsoft Intune security tasks with Microsoft Defender ATP Threat & Vulnerability Management.  
• Windows Autopilot provides a simplified experience for both you and your users in the following situations -- set up and preconfigure new Windows 10 devices, and reset, recycle, and recover existing Windows 7 devices. Windows Autopilot with Microsoft Intune now supports several scenarios, all of which are maximized with co-management. Users can drive their own deployments of new devices into either Azure Active Directory or Active Directory with hybrid Azure Active Directory join; you can set up self-deploying kiosks and shared devices using Windows Autopilot and the Intune device-only subscription; or use Configuration Manager to migrate existing Windows 7 devices to Windows 10 and Azure Active Directory.

Microsoft unified endpoint management (UEM) maximizes the productivity of the devices and apps your employees choose to get work done. This article gives you a glimpse into the exciting magic our teams are busy creating for you, and we now have more ways for you to stay up-to-date with the latest releases and roadmap: the What’s New page covers an overview of everything released in the last six months; the In Development page gives you a sneak-peek at features estimated to release within the next quarter or sooner; and the Microsoft 365 public roadmap shares our longer term vision to help with your strategic planning.

More info and feedback

Learn how to get started with Microsoft Intune and Configuration Manager in this series of video blogs on cloud-connecting your management infrastructure. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

  Follow @MSIntune on Twitter

(This post is co-authored by Locky Ainley and Mayunk Jain, Product Managers, Microsoft 365 Security)

As you work to empower your employees to be more productive wherever they are, on the devices of their choice, one of your greatest challenge may be how you manage and secure those known and unknown endpoints – without investing additional IT resources. You need a depth of control offered by a robust PC management solution, and the ability to scale to the modern demands of a mobile workforce. How can you transform into an agile service provider that meet these high security requirements without ever compromising user experience?

Building on experience over the past 25 years across every industry vertical, we have worked to offer the most complete unified endpoint management (UEM) platform in the industry, connecting the advanced security and mobility management strengths in Microsoft Intune to the robust Configuration Manager client management capabilities. Today, it’s estimated these products manage over 150 million endpoints at a global scale.

Investing in cloud-connected value

Customers frequently tell us that they need the depth of control offered by a robust PC management solution, and we continue to invest in driving cloud value for our on-premises PC management platform. Many of you have widely adopted Configuration Manager current branch, a cloud-connected version that enables you to stay current with updates three times per year. Shortly we are releasing Configuration Manager current branch 1902, which will include new insights and capabilities such as:

• New Office analytics: Native integration with the Office Readiness Toolkit provides insights that will help prepare your organization for Office 365 ProPlus deployments. These insights help organizations with the end-to-end readiness, deployment and status tracking of Office 365 ProPlus, all managed with the familiarity of Configuration Manager. 
• Updates to CMPivot for real-time queries: CMPivot provides a simple way to quickly investigate the whole device estate using pre-built queries, pivoting the data to answer specific questions relating to compliance and security, for example. You can now access CMPivot from the Configuration Manager Central Admin Site, enabling you to quickly run these queries and remediate where needed.
• New management and client health visibility: Improved management insights simplify and help you prepare for co-management. There are new Management Insight rules for optimizing and simplifying collections and packages. We have also made improvements in client health by providing a dashboard with detailed breakdowns of device status across your organization.

Greater insights empower you to take action, and with the addition of new deployment options, you can accelerate the shift to modernize the way your users work:

• Phased deployments: To accelerate OS and app deployment, phased deployments let you set the order of updates based on device collections, set parameters for those deployments including success criteria, and then execute all phases sequentially. In the Configuration Manager 1902 release, phased deployments now have their own dedicated monitoring node.
• Configuration of known-folder mapping to OneDrive: The ability to configure known-folder mapping to OneDrive from Configuration Manager, provides a streamlined way to seamlessly redirect users’ known folders to OneDrive, and redirecting their data from local folders. This helps simplify user data migration during OS updates.
• Configuration Manager integration with the Office Customization Tool: Streamline deployment of Office 365 ProPlus and other Click-to-Run managed Office products using a simple, intuitive, and web-based interface, surfaced within the Configuration Manager console.

Gain immediate value from co-management

Co-management is about leveraging your existing management infrastructure and connecting it to the cloud to gain management efficiency, greater security and global scale. In just four clicks, you can start delivering immediate cloud value to existing Windows users managed by Configuration Manager, such as:

• Azure Active Directory conditional access: Control user access to corporate resources based on device health and compliance policy signals from Microsoft Intune.
• Azure Active Directory cloud identity: Registering Windows devices with Azure Active Directory is a requirement for co-management, and it lets users take advantage of improved collaboration, productivity and security across the Microsoft 365 stack, within both cloud and on-premises environments.
• Remote Actions: Run remote actions from Intune for co-managed devices. For example, wipe and reset a device and maintain enrollment and account.
• Configuration Manager client health: Maintain visibility of Configuration Manager client health from the Intune portal.

Manage and secure all your devices

The unified endpoint management platform combining Microsoft Intune and Configuration Manager creates one place for you to manage Windows and other endpoints running Microsoft 365 within your organization. It allows you to achieve your digital transformation goals at your own pace, scaling to the security and management demands of an increasingly mobile workforce. Microsoft Intune is leading the innovation march to extend security management across devices, including Windows, macOS, iOS, Android and ruggedized devices:

• Secure browsing extended to all platforms with Microsoft Edge: We are excited to announce Microsoft Edge for iOS and Android will support Microsoft Intune app protection policies to enable the most secure and user-friendly browsing experience for enterprise users. Mobile users who sign in with their corporate Azure Active Directory accounts in the Microsoft Edge application will benefit from the unique ability to separate work and life in the same app, and have fully managed access to corporate resources. Switching from native browsers to Microsoft Edge gives users a greatly improved user experience, and leverages Microsoft 365 security features such as Intune application protection policies, Azure Active Directory conditional access, App Proxy integration, single sign-on, and application configuration settings defined by their IT admins for Microsoft Edge. This solution is expected to be generally available by the end of March.
• Support for ruggedized devices: Microsoft Intune is proud to partner with leading manufacturers of ruggedized devices, including Zebra Technologies and Samsung, to easily provision, deploy, and secure ruggedized scanners, printers, tablets, and handheld devices alongside their information worker and non-rugged deployments, from a unified management console. With upcoming support for new devices using Android Enterprise and deeper integration for existing management methods, Microsoft Intune’s highly scalable, globally distributed cloud service is an ideal management partner for the rugged devices to withstand punishing use and harsh conditions. We estimate the public previews to be available starting next quarter.
• Expanding support for Android Enterprise scenarios: With Microsoft Intune, you can select the right management approach for different use cases and scenarios relevant to your organization. Intune supports Android Work Profile, which requires users to enroll and provides certain device-level controls for IT administrators. If you don’t need the device management capabilities, you may deploy Intune app protection policies (APP) that manage the corporate identities and protect corporate data on devices without enrollment. The Android Enterprise dedicated device mode is designed for locked-down kiosk-style use cases where the device is not associated with a specific user identity. The Android Enterprise fully managed capabilities for company owned devices are now in public preview. Earlier this year, Microsoft also joined the Android Enterprise Recommended program for enterprise mobility management.
• Meeting customers’ top-requested macOS management features: With growing Microsoft 365 adoption on Apple Mac devices, customers have asked us to help simplify their macOS management. We are pleased to announce that some of the most-requested macOS management features will soon be available in Microsoft Intune. A few highlights are FileVault full-disk encryption (FileVault 2) to encrypt the startup disk on your Mac, support for volume purchasing plans (VPP) for macOS, along with other top-requested configuration settings. Here’s a quick review of recent management capabilities for macOS already available with Microsoft Intune

Microsoft Intune remains the best way for you to take full advantage of Windows 10 modern device management (MDM) capabilities. Several new features help you leverage skills and processes honed through on-premises management and use them in the cloud. For instance:

• Windows 10 Security Baselines (in preview) are a group of Microsoft-recommended configuration settings that explain security impact and help you improve your organization’s security posture, increase operational efficiency and reduce costs. If you're new to Intune, and not sure where to start, then MDM security baselines give you an advantage. You can quickly create and deploy a secure profile to help protect your organization's resources and data. If you're currently using Group Policy, migrating to Intune for management is much easier with these baselines natively built into Intune's modern management platform.
• Administrative templates include about 300 settings that previously only existed in the group policy editor, which can now be managed in Microsoft Intune. They include hundreds of settings that control features in Internet Explorer, Microsoft Office programs, remote desktop, access to OneDrive, using a picture password or PIN to sign in, and more. These fully cloud-based templates offer a simpler way to find and configure Windows settings you want.
• Win32 app deployment has been arguably one of the most anticipated cloud management features. Widely deployed since it became generally available earlier this year, it builds upon the existing support for line-of-business (LOB) apps and Microsoft Store for Business apps to enable Microsoft Intune administrators to add, install, and uninstall Win32 applications for Windows 10 users in a variety of formats such as MSI, Setup.exe, or MSP. New capabilities added recently include the option to install Win32 apps in user context for individual users, as well as installing for all users of the device; delivery optimization for app content download; install status in the troubleshooting blade; ability to suppress showing end user toast notifications per app assignment; and more.
• Endpoint protection for Windows 10 and newer devices continues to evolve in Microsoft Intune. Endpoint protection lets you control different security features on your devices --including firewall, BitLocker, Microsoft Defender -- allowing and blocking apps, and more. You can configure these settings in Microsoft Intune using device profiles. Check out the latest support for remediation of vulnerable apps using Microsoft Intune security tasks with Microsoft Defender ATP Threat & Vulnerability Management.  
• Windows Autopilot provides a simplified experience for both you and your users in the following situations -- set up and preconfigure new Windows 10 devices, and reset, recycle, and recover existing Windows 7 devices. Windows Autopilot with Microsoft Intune now supports several scenarios, all of which are maximized with co-management. Users can drive their own deployments of new devices into either Azure Active Directory or Active Directory with hybrid Azure Active Directory join; you can set up self-deploying kiosks and shared devices using Windows Autopilot and the Intune device-only subscription; or use Configuration Manager to migrate existing Windows 7 devices to Windows 10 and Azure Active Directory.

Microsoft unified endpoint management (UEM) maximizes the productivity of the devices and apps your employees choose to get work done. This article gives you a glimpse into the exciting magic our teams are busy creating for you, and we now have more ways for you to stay up-to-date with the latest releases and roadmap: the What’s New page covers an overview of everything released in the last six months; the In Development page gives you a sneak-peek at features estimated to release within the next quarter or sooner; and the Microsoft 365 public roadmap shares our longer term vision to help with your strategic planning.

More info and feedback

Learn how to get started with Microsoft Intune and Configuration Manager in this series of video blogs on cloud-connecting your management infrastructure. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

  Follow @MSIntune on Twitter

(This post is co-authored by Locky Ainley and Mayunk Jain, Product Managers, Microsoft 365 Security)

PSScriptAnalyzer (PSSA) 1.18.0 is now available on the PSGallery and brings a lot of improvements in the following areas:

• Better compatibility analysis of commands, types and syntax across different platforms and versions of PowerShell
• Better formatting and customization. New capabilities are:
  • Multi-line pipeline indentation styles
  • Cmdlet casing for better consistency and readability
  • Consistent whitespace inside braces and pipes
• Custom rules can now be suppressed and preserve the RuleSuppressionID
• Better DSC support by being able to understand different syntaxes of Import-DscResource
• Better user experience by being able to pipe to Invoke-ScriptAnalyzer and added tab completion of the returned objects that are piped to the next pipeline
• Better handling of parsing errors by emitting them as a diagnostic record with a new Severity type
• Improved Performance: Expect it to be about twice as fast in most cases and even more when re-analyzing a file. More on this below
• Fixes and enhancements to the engine, rules, and documentation

There are some minor breaking changes such as e.g. requiring the minimum version of PowerShell Core to 6.1 as 6.0 has reached the end of its support lifecycle. With this, it was possible to update the used version of Newtonsoft.Json to 11.0.2. On Windows PowerShell, the minimum required runtime was upped from4.5.0 to4.5.2, which is the lowest version that is still supported by Microsoft but Windows update will have taken care of upgrading the to this patched version anyway, therefore no disruption is expected. We have also replaced old command data files of PowerShell 6.0 with a newer version for theUseCompatibleCmdletsrule.

Formatting

New rules and new features/customization of existing rules were added and in an upcoming release of the PowerShell vscode extension, those new features will also be configurable from within the extension in an upcoming update.

New PSUseConsistentWhitespace options

The PSUseConsistentWhitespace rule has 2 new configuration options that are both enabled by default:

• CheckInnerBrace: Checks if there is a space after the opening brace and a space before the closing brace. E.g. if ($true) { foo } instead of if ($true) {bar}.
• CheckPipe: Checks if a pipe is surrounded on both sides by a space. E.g. foo | bar instead offoo|bar.

In an upcoming update of the PowerShell vscode extension, this feature will be configurable in the editor via the settings powershell.WhitespaceInsideBrace and powershell.WhitespaceAroundPipe.

New PipelineIndentation option for PSUseConsistentIndentation

The PSUseConsistentIndentation rule was fixed to handle multi-line pipeline (before, the behavior was a bit ill-defined) and as part of that we decided to expose 3 options for a new configuration option calledPipelineIndentation. This allows PSSA to cater to different tastes of the user whether to increase indentation after a pipeline for multi-line statements. The settings are:

• IncreaseIndentationForFirstPipeline (default): Indent once after the first pipeline and keep this indentation. Example:

foo |
    bar |
    baz

• IncreaseIndentationAfterEveryPipeline: Indent more after the first pipeline and keep this indentation. Example:

foo |
    bar |
        baz

• NoIndentation: Do not increase indentation. Example:

foo |
bar |
baz

In an upcoming update of the PowerShell vscode extension, this feature will be configurable in the editor via the setting powershell.codeFormatting.

New PSUseConsistentCasing rule

By popular request, this rule can correct the casing of cmdlet names. This can correct e.g. get-azadapplicaTION to Get-AzADApplication. This not only makes code more consistent but can improve readability in most cases. In an upcoming update of the PowerShell vscode extension, this feature will be configurable in the editor via the settingpowershell.useCorrectCasingsettings.

Compatibility Analysis

The UseCompatibleCmdlets rule requires JSON files in the Settings folder of PSSA’s installation and their file name is mapped to directly the compatibility configuration. In the new version we have replaced the JSON files for PowerShell 6.0 with files for 6.1 and also added new files for e.g. ARM on Linux (Raspian) and also PowerShell 2.0 that is still being used by some despite it being deprecated. If desired, one can always add custom JSON files to the Settings folder and it will just work by using the filename without the need to re-compile. To generate your custom JSON file for your environment, you can use the New-CommandDataFile.ps1 script.

To further add more analysis, 3 more rules were being added:

• UseCompatibleSyntax
• UseCompatibleTypes
• UseCompatibleCommands

These rules do not follow the definition style of the UseCompatibleCmdlets rule. For usage and examples please refer to the rule documentation links of the 3 new rules above, there will be a more detailed blog post about them in the future.

Better DSC Support

Invoke-ScriptAnalyzer has a -SaveDscDependency switch that will download the required module from the PSGalleryto allow for parsing of the DSC files. In order to do that is has to parse calls to Import-DscResource correctly. Previously it could neither take the version into account or parse the hashtable syntax (Import-DscResource -ModuleName (@{ModuleName="SomeDscModule1";ModuleVersion="1.2.3.4"})). We added support for both of them. But because there could be different variations of the first one (different parameter name order or not using named paramters, etc.), please use it in the form Import-DscResource -ModuleName MyModuleName -ModuleVersion 1.2.3.4.

Custom Rules

We added the capability of being able to suppress violations from custom rules the same way how you can already suppress rules from the built-in rules. It is worth noting though that the rulename of custom rules has to be of the format CustomRuleModuleFileNameCustomRuleName, this is to uniquely identify the rule as it could be possible that 2 custom rule modules emit a rule of the same name.

When a custom rule emits a DiagnosticRecord, then the engine has to translate all properties of the object as it has to be re-created when emitting it via Invoke-ScriptAnalyzer. We added the translation of the SuggestedCorrectionsproperty already in the last release (1.17.1) to allow for auto-correction in the editor or via the -Fix switch. However, we also found that customers want to also use the RuleSuppressionID property in their custom rules, so we added translation for this as well.

Engine Improvements

PSScriptAnalyzer is highly multi-threaded by executing each rule (excluding custom or DSC rules) in parallel in each own thread. But there are some global resources such as e.g. a CommandInfo cache that needs to be accessed using a lock. Caching and lock granularity has been improved and are therefore reducing congestion which leads to much better performance. You can expect PSScriptAnalyzer to be about twice as fast for ‘cold runs’ (where Invoke-ScriptAnalyzerhas not been called before) and magnitudes faster when re-analyzing the same file. To you as a user, this will mean that you will see the squiggles faster when opening a new file in VS-Code and you will get faster updates when editing a file whilst reducing the CPU consumption in the background. We have more optimizations planned in this area, you can expect further improvements of similar scale in future versions and we hope to release future versions more frequent as well.

Miscellaneous Fixes

We received reports of some functionality not working when using Turkish culture and made a fix for and as part reviewed some culture critical points and made sure they work better across all cultures. The bug was very specific to Turkish culture, therefore we are confident that PSSA should work with any other cultures as well.

The Changelog has more details on the various fixes that were made to other rules.

On behalf of the Script Analyzer team,

Chris Bergmeister, Project Maintainer
Jim Truher, Senior Software Engineer, Microsoft

The post PowerShell ScriptAnalyzer Version 1.18.0 Released appeared first on PowerShell.