Infrastructure-as-a-Service (IaaS) initiated the decline of traditional data center strategies. Today, modern cloud-focused IT strategies enable organizations to implement new processes and scale their infrastructure up and down as needed, allowing them to reach cost efficiencies and high levels of flexibility.

Whether organizations have chosen a single- or multi-cloud vendor strategy, they are often surprised when they find that a business unit has servers on a platform without any IT oversight. PaaS adoption is often driven by developers, as they work on custom applications, or even business-users. When the use of IaaS and PaaS services is driven by these user groups, it often happens without any IT oversight and can go unmonitored for extended periods of time, posing significant security risks to an organization.

Take for instance storage solutions. Microsoft Azure blobs, Amazon Web Services S3 buckets, or Google Cloud Platform storage buckets, can host business-critical resources such as documents, databases, and source code. A simple access misconfiguration can expose sensitive information and lead to malicious exfiltration. Data shows that organizations often have hundreds of custom apps running in the cloud, while our research suggests that only a fraction is managed with IT oversight.

Therefore, it’s important to establish IT oversight from the beginning to avoid stale.

Microsoft Cloud App Security has extended its Shadow IT Discovery capabilities to detect resources that are hosted on IaaS and Platform-as-a-Service (PaaS) solutions across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), with more being added soon.

The new “Discovered resources” tab in the  portal provides you with visibility into the custom apps that run on top of your IaaS and PaaS subscriptions. 

You can use this new capability to gain full visibility into the resources that exist within your organization, which users are accessing them, transactions, IP addresses, and how much traffic is being transmitted.

Image 1 shows the new “Discovered resources” view in Microsoft Cloud App Security and the drill down into one of the discovered resources.

Image 1: “Discovered resources” view in Microsoft Cloud App Security

The data is collected based on the same implementation used for the Discovery of SaaS Shadow IT, where customers can choose between Microsoft Defender Advanced Threat Protection for endpoint-based data collection, a log collector or by integrating with their existing Secure Web Gateway.

More info and feedback

Get started with our technical documentation today.

Haven’t tried Microsoft Cloud App Security yet? Start a free trial today.

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

For more resources and information go to our website.

™2019, Amazon Web Services logo is a trademark of Amazon.com, Inc. or its affiliates in the United States and/or other countries.

©2018 Google LLC All rights reserved. Google and the Google logo are registered trademarks of Google LLC.

Infrastructure-as-a-Service (IaaS) initiated the decline of traditional data center strategies. Today, modern cloud-focused IT strategies enable organizations to implement new processes and scale their infrastructure up and down as needed, allowing them to reach cost efficiencies and high levels of flexibility.

Whether organizations have chosen a single- or multi-cloud vendor strategy, they are often surprised when they find that a business unit has servers on a platform without any IT oversight. PaaS adoption is commonly driven by developers working on custom applications, or even business-users. When the use of IaaS and PaaS services are leveraged by these user groups, it often happens without any IT oversight and can go unmonitored for extended periods of time - posing significant security risks to an organization.

Take for instance storage solutions. Microsoft Azure blobs, Amazon Web Services S3 buckets, or Google Cloud Platform storage buckets can host business-critical resources such as documents, databases, and source code. A simple access misconfiguration can expose sensitive information and lead to malicious exfiltration. Data shows that organizations often have hundreds of custom apps running in the cloud, while our research suggests that only a fraction is managed with IT oversight. Therefore, it’s important to establish IT oversight from the beginning to avoid stale.

Microsoft Cloud App Security has extended its Shadow IT Discovery capabilities to detect resources that are hosted on IaaS and Platform-as-a-Service (PaaS) solutions across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), with more being added soon.

The new “Discovered resources” tab in the Microsoft Cloud App Security portal provides you with visibility into the custom apps that run on top of your IaaS and PaaS subscriptions. You can use this new capability to gain full visibility into the resources that exist within your organization, which users are accessing them, transactions, IP addresses, and how much traffic is being transmitted.

Image 1 shows the new “Discovered resources” view in Microsoft Cloud App Security and the drill down into one of the discovered resources.

Image 1: “Discovered resources” view in Microsoft Cloud App Security

More info and feedback

• Get started with our technical documentation today.
• Haven’t tried Microsoft Cloud App Security yet? Start a free trial today.
• As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.
• For more resources and information go to our website.

™2019, Amazon Web Services logo is a trademark of Amazon.com, Inc. or its affiliates in the United States and/or other countries.

©2018 Google LLC All rights reserved. Google and the Google logo are registered trademarks of Google LLC.

The post PowerShell 7 Road Map appeared first on PowerShell.

Register-PsRepository myAzArtifactsRepo -SourceLocation  "https://pkgs.dev.azure.com/'yourorganizationname'/_packaging/'yourfeedname'/nuget/v2" -PublishLocation "https://pkgs.dev.azure.com/'yourorganizationname'/_packaging/'yourfeedname'/nuget/v2" -credential $credentials

Save-Module -Name SHiPS -Repository PSGallery -Path '.'
Publish-Module -path "pathtomodule"SHiPS -Repository myAzArtifactsRepo -NuGetApiKey <key-- any arbitrary string>

Find-module  -name SHiPS -Repository myAzArtifactsRepo

Install-Module -name SHiPS -Repository myAzArtifactsRepo

The post Using PowerShellGet with Azure Artifacts appeared first on PowerShell.

This blog post was authored by Dianna Marks, Product Marketing Manager, Windows Server Marketing.

At the Windows Server Summit in May, Cosmos Darwin and Greg Cusanza from the Windows Server team presented a lightning round all about hyperconverged infrastructure (HCI) powered by Windows Server. If you havent had a chance to watch the event, check out the recording of the live stream and deep dive sessions by registering online. Its quick and free.

Here are the 25 things they presented in the lightning round:

1. Azure Stack HCI Catalog

Available for purchase right now, there are over 75 Azure Stack HCI solutions from over 15 partners. Check out the Azure Stack HCI Catalog to find solutions from your preferred hardware vendor and get started today.

2. Networking and SDN coexisting side-by-side

Now all HCI solutions include what is required for software-defined networking (SDN). You no longer need to devote your entire infrastructure to SDN. Instead, you can mix and match per virtual machine (VM), using traditional VLAN-based networking alongside SDN. Try it out yourself in the latest Windows Admin Center release.

3. Deploy with SDN Express

Deploying SDN is easier than ever with SDN Express. Download the scripts and run SDN Express to get a helpful wizard that guides you through all the steps necessary for deploymentall in under 30 minutes. Learn more by reading the documentation for SDN deployment.

4. Windows Admin Center for HCI

Windows Admin Center is the future of Windows Server in-box management, and that extends to HCI as well. Add your HCI cluster to Windows Admin Center to get purpose-built tools for managing and monitoring Storage Spaces Direct and SDN, including capabilities like provisioning volumes, managing Hyper-V virtual machines, troubleshooting configuration or hardware problems, and much more.

5. Deduplication and compression for ReFS

Deduplication and compression are now available for ReFS, Microsofts recommended file system for HCI. Deduplication and compress increase usable capacity by identifying duplicate portions of files and only storing them once. Savings vary depending on the type of file but can range up to 90 percent for highly repetitive storage like ISO or VHDX backups. Check out the demo Deduplication and compression for Storage Spaces Direct from Microsoft Ignite 2018, and read the documentation for Data Deduplication and ReFS.

6. Larger maximum scale

Even with deduplication and compression, its still possible to run out of capacity, so in Windows Server 2019 the maximum total raw storage capacity per cluster is increased from 1 PB in Windows Server 2016 up to 4 PB now. Thats enough space to store all of Wikipedia, in every language, with complete edit history, uncompressed! Watch the demo Scale to over 3.5 PB with Windows Server 2019 and QCT QxStor from Microsoft Ignite 2018 for an example.

7. Cluster sets

Now in Windows Server 2019, we can encapsulate a cluster within a cluster set and we can add additional clusters in a cluster set. The great thing about this is that a virtual machine (VM) can seamlessly live migrate from one cluster to a host in a different cluster and continue to access its storage. To learn more, read the documentation on cluster sets.

8. Span sites with SDN

In Windows Server 2019 weve improved the gateway performance for SDNs by increasing from 4 Gbps to 18 Gbps in a single SDN gateway. We also have generic routing encapsulation (GRE) tunneling that connects two network controllers to allow different workloads to talk to each other as if theyre one network. To learn more about high performance gateways in Windows Server 2019, read the blog post “Top 10 Networking Features in Windows Server 2019: #6 High Performance SDN Gateways” on the Windows Server Networking Blog.

9. Native support for persistent memory

Windows Server has become more scalable over time with regards to both capacity and performance. It is on the leading edge of x86 hardware innovation and is consistently one of the first hardware systems and hypervisors to support new hardware technology, such as the Intel Xeon processors and Intel Optane. Watch the demo at Microsoft Ignite 2018, and read the documentation “Understand and deploy persistent memory.”

10. Faster networking with fewer cycles/byte

In addition to hardware improvements, weve also been investing in our networking stack. Some of the feature improvements include nearly double the throughput for send and receive paths, lower CPU utilization, more equipped for high bandwidth, high latency links, and a Data Plane Developer Kit (DPDK) for Windows that bypasses the host networking stack to speed up packet processing capabilities. You can read more about all of these features on our Windows Server Networking Blog.

11. Mirror-accelerated parity is 2X faster

The storage team has also been focused on optimizations with mirror accelerated parity, a technology that allows you to create a volume that partly uses mirror resiliency and parity, or erasure coding resiliency. This provides the benefit of faster writes and opens up capacity.

12. Built-in performance history

HCI now has built-in performance history. It easily gets historical data and displays over 50 performance counters in aggregate. Theres nothing that you have to install, set up, or configure. Explore more in the documentation for performance history.

13. Shielded virtual machines

Shielded virtual machines are part of the core hypervisor and have been improved so that even if you dont have network access you can still connect to it through the console in PowerShell Direct. Weve also added the ability to add Linux inside your shielded VMs. Watch the five minute overview video of shielded VMs and check out the documentation for VM connect and PowerShell Direct to shielded VMs, as well as deploying Linux inside a shielded VM.

14. Core scheduler

Its also important to protect your hypervisor host. In Windows Server 2016 we had the Classic Scheduler that offered fair share, preemptive round-robin scheduling for guest virtual processors. In Windows Server 2019, we have a new hypervisor scheduler called Core Scheduler, which constrains the virtual processors to physical core boundaries, further isolating virtual machines. Understand further details by reading the documentation “Managing Hyper-V hypervisor scheduler types.”

15. HTTP/2

In Windows Server 2019 weve made HTTP/2 better with connection coalescing, which allows two websites with a common domain name to share a certificate and a single TCP connection. It also has an improved cipher suite selection, which reduces connection failures and continues to enforce blacklisted ciphers.

16. More secure clustering

The core failover clustering has gotten more secure by completely removing dependency on NTLM, exclusively using Kerberos or certificate-based authentication between nodes, and now no change is required by the user or deployment tools. Check out the documentation “Whats new in Failover Clustering” to learn more.

17. Cluster-aware updating for HCI

Cluster-aware updating for HCI now allows you to easily keep your Windows Server fully patched with the latest updates. It is a technology that orchestrates the roll-out of updates across your server nodes. More information is included in the documentation “Whats new in Failover Clustering,” as well as during the demo “Be an IT hero with Storage Spaces Direct in Windows Server 2019” during Microsoft Ignite 2018.

18. USB witness

Now in Windows Serve 2019, in addition to file share witness requiring an on-premises connection, and cloud witness requiring a connection to the cloud, we are also offering a third option called USB witness, which allows you to insert into a compatible router or switch. More information can be found in the documentation “Whats new in Failover Clustering,” as well as in theexample steps to configure USB witness with the NetGear Nighthawk X4S.

19. Nested resiliency

Nested resiliency keeps you up and running even in the event of having both a drive failure and server failure at the same time. It uses RAID 5 + 1 to do parity resiliency and mirror that across to the other server. This allows you to survive multiple failovers even with a two-node cluster. To learn more, refer to the documentation “Nested resiliency for Storage Spaces Direct.”

20. Protection with Azure Site Recovery

For smaller sites and branch offices, Azure Site Recovery allows you backup your virtual machines to Azure and is integrated into Windows Admin Center. To learn more, refer to the documentation “Protect your Hyper-V Virtual Machines with Azure Site Recovery and Windows Admin Center.”

21. Azure Monitor and Health Service

Health Service on Windows Admin Center is now integrated with Azure Monitor and provides email and SMS notifications when something goes wrong. Learn how to configure Azure Monitor for HCI.

22. Integration with Azure Network Adapter

Azure Network Adapter is an integration into Windows Admin Center that allows you to connect a single server to an Azure virtual gateway so that you can get access from that server to your Azure files and VMs running in Azure. Watch the Microsoft Mechanics video “Windows Server 2019 + Microsoft Azure = hybrid management updates” for a demo.

23. LEDBaT or PacketMon

LEDBaT will back off lower priority workloads in order to let high priority traffic to take over and when the higher priority traffic slows down, the lower priority traffic will pick back up again in a second or two. Read more about LEDBaT on the Networking Blog.

24. High accuracy time

By implementing features such as Precision Time Protocol, Traceability, and Leap Seconds support, weve ensured improved time accuracy, especially for those of you in regulated industries. Learn more about high accuracy time features in the Windows Server Summit session and in the Windows Time Service documentation.

25. Over 25,000 clusters worldwide!

Last year, we had 10,000 clusters running around the world and this year we have over 25,000 clusters running storage spaces direct!

Thats a wrap!

We just gave you 25 reasons why you should consider HCI with Windows Server. And again, register online to watch the session from Windows Server Summit if youve missed it. From security to scalability and enhanced management, we are continuously improving our products to meet your data center needs. And if you stay tuned, I have no doubt youll be seeing 25 more reasons soon!

The post 25 reasons to choose Azure Stack HCI appeared first on Windows Server Blog.

This post builds upon the introduction published earlier to the PowerShell blog. In this post we are going to explore the Azure Policy Guest Configuration client and how configuration content is consumed. 

The full documentation for this service is available at the following short url. 

https://aka.ms/gcpol 

DSC service/daemon 

Inside Azure Policy Guest Configuration, you will find the new DSC engine as part of the extension for virtual machines. You can see this using the “Run Command” feature in Azure for any virtual machine that is being audited by Azure Policy using one of the Guest Configuration initiatives. 

The structure of the agent folders is the same for both operating systems. You will find a folder named “DSC” that contains the binaries for the engine, a folder named “logs” containing logs generated by the engine, and a subfolder named “downloads” that is used to support additional requirements. 

Here are some example commands you can use to take a look at the DSC engine yourself. 

Windows 

The Guest Configuration extension for Windows has not been published to GitHub yet.

List the DSC binaries in Guest Configuration in Windows 

Command (note the version is current at this time but could change): 

ls C:PackagesPluginsMicrosoft.GuestConfiguration.ConfigurationforWindows1.13.0.0dscDSCdsc_* 

Result: 

    Directory: C:PackagesPluginsMicrosoft.GuestConfiguration.Configurationfo
    rWindows1.13.0.0dscDSC

Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----         5/1/2019   1:16 PM         622592 dsc_client.exe                
-a----         5/1/2019   1:14 PM         532992 dsc_diagnostics.dll           
-a----         5/1/2019   1:14 PM         906752 dsc_infrastructure.dll        
-a----         5/1/2019   1:16 PM        1840640 dsc_pull_client.dll           
-a----         5/1/2019   1:17 PM         360960 dsc_reporting.dll             
-a----         5/1/2019   1:28 PM        1252864 dsc_rest_server.dll           
-a----         5/1/2019   1:28 PM         393216 dsc_service.exe               
-a----         5/1/2019   1:26 PM         956928 dsc_timer.dll   

You will also find an instance of pwsh.exe and supporting files in this same (version specific) folder. That is because Guest Configuration includes the portable installation of PowerShell Core so there is no need to manage PowerShell versions for the system. 

View the details of the DSC service in Guest Configuration in Windows 

Command: 

Get-Service DscService | fl * 

Result: 

Name                : DscService
RequiredServices    : {}
CanPauseAndContinue : False
CanShutdown         : False
CanStop             : True
DisplayName         : Guest Configuration Service
DependentServices   : {}
MachineName         : .
ServiceName         : DscService
ServicesDependedOn  : {}
ServiceHandle       : SafeServiceHandle
Status              : Running
ServiceType         : Win32OwnProcess
StartType           : Automatic
Site                :
Container           : 

Linux 

The Guest Configuration extension for Linux is published in GitHub here. 

List the DSC binaries in Guest Configuration in Linux 

Command (note the version is current at this time but could change): 

ls /var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationforLinux-1.11.0/GCAgent/DSC/dsc_* 

Result: 

[stdout]
/var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationforLinux-1.11.0/GCAgent/DSC/dsc_client
/var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationforLinux-1.11.0/GCAgent/DSC/dsc_linux_service 

Currently, Guest Configuration in Linux is only supporting content in the format of Chef InSpec profiles. We expect this to soon open to PowerShell-based resources and other tool formats. 

View the details of the DSC service in Guest Configuration in Linux 

Command: 

systemctl status dscd.service 

Result: 

• dscd.service- DSC Service
   Loaded: loaded (/lib/systemd/system/dscd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-06-04 18:13:28 UTC; 1h 48min ago
Main PID: 22327 (dsc_linux_servi)
    Tasks: 42
   Memory: 11.9M
      CPU: 1.483s
   CGroup: /system.slice/dscd.service
           └─22327 /var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationforLinux-1.11.0/GCAgent/DSC/dsc_linux_serviceJun 04 18:13:28 linux systemd[1]: Started DSC Service.
Jun 04 18:13:28 linux dsc_linux_service[22327]: Running DSC rest server... 

Configurations 

Configurations in Guest Configuration are managed in a whole new way. There is no longer a need for partial configurations because many configurations can be managed independently. 

Please keep in mind that currently, configurations are used only for auditing settings and not enforcing the configuration. 

The model for Guest Configuration takes lessons learned from both the DSC Extension and State Configuration service. The Guest Configuration service does not require or support uploading and storing assets in the service, or a compilation service. Configurations are packaged in .zip format as they were for DSC Extension. A Guest Assignment in the Guest Configuration resource provider includes a reference to the location of the package, a hash value of the package file, and a table of parameters to be passed to the engine when the configuration is executed. 

For content provided by Microsoft, the configuration content managed and replicated globally. When the package is downloaded to the machine, it is decompressed and extracted to a local folder. 

Each folder contains everything needed for DSC to manage the configuration including the mof, any resources required, and the metaconfiguration to use for that configuration. This means the mode, frequency, and other LCM settings can be unique per configuration. 

View configuration content in Windows 

In this test case, the server is in scope of multiple audit policies. 

Command: 

ls c:programdataGuestConfigConfiguration 

Result: 

 Directory: C:programdataGuestConfigConfiguration

Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d-----         6/5/2019   1:03 PM                WindowsDefenderExploitGuard   
d-----         6/5/2019   1:03 PM                WindowsDscConfiguration       
d-----         6/5/2019   1:03 PM                windowsfirewallenabled        
d-----         6/5/2019   1:03 PM                WindowsLogAnalyticsAgentConnection                          
d-----         6/5/2019   1:03 PM                WindowsPendingReboot          
d-----         6/5/2019   1:04 PM                WindowsPowerShellModules      
d-----         6/5/2019   1:04 PM                WindowsTimeZone                

View configuration content in Linux 

In this test case, the server is in scope of only one audit policy. 

Command: 

ls /var/lib/GuestConfig/Configuration 

Result: 

[stdout]
firewalldenabled 

Logs 

Log output is available on each node within the agent folder named “Logs”. This can also be returned using “Run Command”, however the output is limited to the last 4096 bytes so it is best to filter the logs to only what you are looking for. Examples approaches are given below. 

View error messages in Windows logs 

Command (note the version is current at this time but could change): 

Select-String -Path 'C:PackagesPluginsMicrosoft.GuestConfiguration.ConfigurationforWindows1.13.0.0dsclogsdsc.log' -pattern 'DSC*Engine' -CaseSensitive -Context 0,5 

Result (this is a short snippet of the actual output): 

 [INFO] [00000000-0000-0000-0000-000000000000] Job 
3af0538a-35f4-415f-b5b8-70ae3099e6a2 : Operation Get-DscConfiguration 
completed successfully. 

View error messages in Linux logs 

Command (note the version is current at this time but could change): 

grep -A 5 'DSC*Engine' '/var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationforLinux-1.11.0/GCAgent/logs/dsc.log' 

Result (this is a short snippet of the actual output): 

 [2019-06-05 18:14:22.772] [PID 30775] [TID 30824] [DSCEngine] [INFO] [00000000-0000-0000-0000-000000000000] Job 6ae51953-24aa-44e8-8abb-4ec522cc5b1f : Method CU_TestConfiguration ended successfully 

Thank you!
Michael Greene
Principal Program Manger
Microsoft Azure
@migreene 

The post Azure Policy Guest Configuration – Client appeared first on PowerShell.

This post builds upon the introduction published earlier to the PowerShell blog. In this post we are going to explore the Azure Policy Guest Configuration service. 

The full documentation for this service is available at the following short url. 

https://aka.ms/gcpol 

Resource provider 

At a fundamental level, this solution includes a new resource provider in Azure named “Microsoft.GuestConfiguration” and new virtual machine extensions named “Microsoft.GuestConfiguration.GuestConfigurationforLinux” and “Microsoft.GuestConfiguration.GuestConfigurationforWindows”. 

The new engine is delivered to the virtual machine by the extension. When the service/daemon starts, it queries the service to see if there are any jobs for the virtual machine. If so, it downloads the content (DSC mof/modules, packaged in the same way as DSC extension), performs the work, and reports status. Behind the scenes, microservices and big data platforms ensure data remains geographically local. 

The following diagram demonstrates the flow of requests as a Guest Assignment is published, the list of assignments are requested from the VM, the VM downloads and runs the configuration, status is returned to a regional location, and summary information is presented to Azure Policy. 

Diagram: 

You can think of the resource provider as surfacing VM scenarios in to Azure Resource Manager API. If you require that only one group of users should have administrative privilege inside a server, you can express that requirement as a Guest Assignment in Azure Resource Manager. This is just a reference to a configuration that checks (“Test”) whether only that group has the intended access and return who currently has access (“Get”). The scenario is given as a property of the virtual machine through a provider resource “Microsoft.GuestConfiguration”. 

Here is an example of that in code: 

{
                    "apiVersion": "2018-11-20",
                    "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
                    "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "guestConfiguration": {
                        "name": "[parameters('configurationName')]",
                        "version": "1.*",
                        "configurationParameter": [
                          {
                            "name": "[LocalGroup]AdministratorsGroup;Members",
                            "value": "[parameters('Members')]"
                          }
                        ]
                      }
                    }
                  }, 

Using built-in policies 

One of our learnings from DSC has been to reduce complexity. We are aiming for a solution that you can just enable and immediately see value. A good example of this approach was Active Directory Group Policy. While Group Policy presented challenges for developers looking to rapidly iterate between builds, the concept of just picking the settings you need and turning them on has been popular with large enterprises. 

Our current list of built-in content is below.  This is growing nearly every week.  You can view this list in the Azure Portal by opening Policy and clicking Definitions, then changing the ‘Type’ filter to ‘Initiative’ and the ‘Category’ filter to ‘Guest Configuration’.  You can also run the following command to get a current list using PowerShell with the Az cmdlet. 

Get-AzPolicySetDefinition -Builtin | ? {$_.Properties.Metadata.Category -eq “Guest Configuration”} | % {$_.Properties.DisplayName} 

NOTE: it is important when assigning these policies to use the Initiative.  The DeployIfNotExists policy loads the VM extension, which is a requirement for Audit/AuditIfNotExists policies in Guest Configuration to work properly. 

Viewing results 

You can view the results of the policy in Azure Portal (as described here) and you also can get results using the cmdlets provided by a new module named Az.GuestConfiguration. A step by step gudie for using these cmdlets is available here. 

The key scenario for the cmdlets is to use the Get-AzVmGuestPolicyStatusHistory cmdlet with the -ShowOnlyChange parameter. This will tell you every time a VM was out of compliance over the reporting period and why. 

The Az Guest Configuration cmdlets are documented here. 

You can also directly query the Azure Policy Guest Configuration REST API to see the results of your audits. This includes the “Compliance Reasons” data the returns the raw information from the tool used to perform the audit. For Windows this data includes the name of the DSC resource used to run Test and Get, and the data returned. For Linux this includes the fully formatted output from InSpec. For both platforms, we intend to be open and extensible going forward. 

The API for getting compliance details is documented here. 

Thank you!
Michael Greene
Principal Program Manger
Microsoft Azure
@migreene 

The post Azure Policy Guest Configuration – Service appeared first on PowerShell.

It has been almost a year since the last DSC Planning update. There has been a lot going on, many decisions being made, and it just didn’t make sense to post earlier in this calendar year. In this post we will review what has been shipped and the high-level direction we are heading. 

I am accompanying this post with write-ups that are for the more technical audience. In two parts, I would like to explain the implementation of the Guest Configuration client/service and exactly how the new DSC engine functions. 

If you take nothing else away, here are the top-level items: 

• The new implementation of DSC is Azure Policy Guest Configuration 

• The solution is GA for built-in content and is moving towards a preview for custom content 
• Your skill set and your DSC scripts/modules can be used in a new way 

Azure Policy Guest Configuration 

Previously we have referred to the new DSC codebase under different names. “DSC Core” and “the new LCM”. We also disclosed that the platform would be used in Azure Policy Guest Configuration. 

What have we shipped? 

The DSC codebase we have been working on is now fully GA as Azure Policy Guest Configuration but this is not the DSC you have known up to this point. It is best to think of Azure Policy Guest Configuration as based on the DSC syntax but functionally a new platform. 

The intention for this service is to build confidence so application developers/owners are free to deploy servers when they need them without putting the organization at risk. Building this platform on a tool that was designed with operations in mind helps us to look beyond the types of settings that we thought about in platforms such as Group Policy. We can include operational requirements such as making sure all servers have a healthy monitoring agent, logging configuration, and the correct certificates in place to function in an enterprise environment. 

DSC has been the basis for other Azure solutions such as the Azure DSC Extension and Azure Automation State Configuration, that help you to configure virtual machines. Azure Policy Guest Configuration currently provides an audit platform to validate settings inside virtual machines. 

The full documentation for this service is available at the following short url. 

https://aka.ms/gcpol 

If you would like to continue reading about how this service is technically implemented, the two technical write-ups are published to accompany this post. 

Azure Policy Guest Configuration – Service

Azure Policy Guest Configuration – Client

High level direction forward 

For the next semester (the second half of 2019 calendar year) we are focused on iterating upon our first release of this solution, introducing the ability for you to use your own content for auditing machines, and to enable you to also enforce settings inside virtual machines using Azure Policy. 

It is important for many people to understand what the options will be to use DSC in disconnected scenarios going forward.  We are considering our options in this area and taking the feedback seriously.  I hope to have more to share on this area in the future. 

Iterating upon our first release of the solution includes multiple areas where we believe we can make life easier for customers. One of the patterns we have observed is customers assigning an audit policy but forgetting to assign the policy that handles automatically onboarding servers.  In the future we believe we can make this simpler.  We have also heard from customers that they would like to have the option to bulk export data about virtual machine compliance so it can be used in other tools, and that they would like to use the solution to audit servers running outside of Azure. 

We hope to enable customers to use their own content, and the tools of their choice, when auditing settings inside virtual machines. As an example, we have heard from Chef customers that they would like to be able to use InSpec to audit Windows Servers. As a result, we announced in our session at Chef Conference that we will be co-maintaining a Guest Configuration provider for InSpec as a collaborative open source project that customers can use in Azure Policy Guest Configuration. More information can be found here. 

We are investing in getting the user experience right for developing custom content, cross platform for the developer workstation, and having a validation and troubleshooting experience that improves on lessons we learned with DSC. We will soon be moving into a public preview of custom content. In the meantime, you are welcome to give us feedback in our “request for comments” public GitHub repo here. 

Finally, we are investigating the right approaches for enforcing settings inside virtual machines using Azure Policy. With this scope in mind, I would like to invite you to respond to a (an anonymous) survey to provide feedback on your top requirements. 

Survey link 

Thank you!
Michael Greene
Principal Program Manger
Microsoft Azure
@migreene 

The post DSC Planning Update – June 2019 appeared first on PowerShell.

We are excited to announce the updated Microsoft Intune Customer Adoption Pack is now available. It is a set of content and guidance that IT administrators, trainers, champions, and change management professionals can use to drive Microsoft Intune adoption in your organization and help ensure your users get up and running quickly.

Microsoft Intune helps you enable your workforce to take advantage of the latest cloud-based services and apps on any device, while protecting your corporate data. If you previously did not require mobile devices to be enrolled for work access, or your employees enrolled their device in a different management solution in the past, it is important that everyone in the organization understand the need for device management and mobile security when you implement Microsoft Intune. A comprehensive communication plan would help reassure any users concerned about their privacy and explain the safeguards in place to protect both user privacy and company resources.

This adoption pack contains videos, posters, and onboarding templates that can be used as is or customized to simplify the endpoint management adoption in your organization. It complements the wide range of planning guides, communication guides, and end user help available in Microsoft documentation.

The Microsoft Intune Adoption Pack includes the following resources for each phase of roll-out:

Email templates

We recommend the following email communication plan. We’ve provided templates for you to adapt for your communication plan:

• Email #1: Explain the benefits, expectations and schedule.  Take this opportunity to showcase any other new services whose access will be granted on devices managed by Intune.

• Email #2: Announce that services are now ready for access through Microsoft Intune.  Tell users to enroll now.  Give users a timeline before their access is affected.  Remind users of benefits and strategic reasons for migration.

After a certain period, you can begin enforcing compliance through conditional access policies and use it as criteria to access corporate data, as explained in Drive end-user adoption with conditional access.

Intune Enrollment Guide

This PDF attachment can be provided to your users as-is, or you may customize the Word version to include your internal resources and contact information.

Instructional Videos

We have created and included short, step-by-step YouTube videos to aid your users in easily enrolling their devices in Intune.

• Enroll your Android device for full management
• Enroll your Android device for Work Profile management
• Enroll your iOS device
• Enroll your macOS device
• Enroll your Windows 10 device

Next steps

Microsoft Intune is designed for the modern era of corporate connectivity from any location and any device that not only enable great consumer experiences at work, but must also protect against increased risk of inadvertent and malicious threats to corporate data. Join the over 100 million customers across the world who trust Microsoft 365 Enterprise Mobility + Security (EMS) to stay connected, secure data and get things done on the go.

Microsoft offers a variety of resources and support tools to help you in this journey. Plan your cloud services deployments with online resources and tools from FastTrack, a service that’s included in your eligible Microsoft subscription at no additional cost. FastTrack provides customized guidance for on-boarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources instead of creating new ones.

Visit the planning and migration documentation to drive successful customer adoption of managed mobile productivity with a robust communication plan.

More info and feedback

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Follow @MSIntune on Twitter

___________________________________________________________________________________________________________________________

IMPORTANT ANNOUNCEMENT FOR OUR READERS!

AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving June 20, 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!

__________________________________________________________________________________________________________________________

Hello again. It is Mike “Cannonball” Kullish back in only my second post, so please be gentle. I was recently working with a customer and they asked me if it was possible to use a Surface Pro or Surface Go as a secondary monitor. I had never thought about this before, so figured I would see if I could figure it out. It only makes sense, right? I promise to keep this article sweet and to the point. (Mostly anyway…)

Well, it looks like our friends in the Windows Product Group have our backs. A quick search of Bing, did not provide the results I was looking for, but an email to another very smart PFE led me to a solution. (A big shout-out to Tom Ausburne for filling me in on an easy way to extend or duplicate your primary Windows 10 monitor to another Windows 10 device!) The quick answer is to use the Microsoft “Connect” app that is already installed on Windows 10 devices along with the Project option that shows up in the Windows Notification Center (Win + P). For the example below, I have a Surface Book 2 that I am using as my primary machine, and a Surface Pro 4 that I will use as a secondary display.

On the Surface Pro 4:

1. Click on the Windows icon lower left hand corner of the screen

2. Type Connect and verify the application is installed.

3. Click to launch the Connect App

On the Surface Book 2:

1. As with most Microsoft solutions, we have options. You can either:
   1. Open the Windows Message Center and Project

      Or

   2. Type Win+P and choose “Connect to a Wireless Display.” (It shows up if you are on the same network.)
   3. Choose the option to Connect to a wireless display:

2. Select the Surface Pro 4 device from above to connect the second monitor

3. You can click Win+P again to choose extend display.

4. Now you have Multimonitor capabilities.

My experience so far has been that this solution will work on most any Windows 10 device that supports Miracast, but in lab testing, I only used a Surface Book 2, Surface Go, and Surface Pro 4. I have to admit that I always travel with 2 devices, and this solution has come in handy on more than one occasion while sitting in a hotel working on a customer solution.

Thanks for reading, and I hope this helps you out!

Overview

PSScriptAnalyzer (PSSA) 1.18.1 is now available on the PSGallery and fixes not only a lot of the issues reported for 1.18.0 but has also been made twice as faster compared to 1.18.0. Additionally, the -SaveDscDependency switch on Invoke-ScriptAnalyzerhas been improved to be platform agnostic and should now also work on Linux systems if DSC has been set up. A long standing concurrency bug related to analysing module manifest has also been fixed. Analysis showed that Test-ModuleManifest is not thread-safe due to a bug either in the cmdlet or in the PowerShell engine itself, we resolved it by having a lock around calls to this cmdlet.

Formatter Fixes

This applies especially to its usage within the VS Code PowerShell extension:

• The new PSUseCorrectCasing formatting rule had to be adjusted to not expand/change paths and to treat wildcard characters correctly. Under the hood the rule calls Get-Command and because Get-Command ? returns all commands that have a name of length 1, it returned ForEach-Object first, which made PSSA incorrectly change the ? alias for Where-Object to ForEach-Object. The PowerShell VS Code extension has the powershell.codeFormatting.useCorrectCasing setting that wraps around this configuration and the setting is currently defaulting to false due to those issues that were found. With PSSA 1.18.1, we’d encourage you to enable the setting again as we think that we have fixed all issues and pending feedback we plan to enable the setting by default. Although the VS Code extension ships a backup version of PSSA (currently 1.18.0), one can always install PSScriptAnalyzer locally and the extension will pick it up. You can install the newer PSScriptAnalyzer version and start using it without having to wait for the extension to release an update.
• The new PipelineIndentation configuration setting of the PSUseConsistentIndentation formatting rule had a bug when it was set to IncreaseIndentationForFirstPipeline or IncreaseIndentationAfterEveryPipeline and in certain cases, indentation of code following the pipeline could be incorrectly indented. Currently the VS Code setting powershell.codeFormatting.pipelineIndentationStyle for it is set to NoIndentation to avoid this bug. We encourage you here as well to try out the options again so that we can get feedback before we set the default of the VS Code setting to IncreaseIndentationForFirstPipeline (which is the default when calling Invoke-Formatter without parameters). This desired default was voted for by the community here.

Conclusion and Future Outlook

Please try out this new patch, if you install it using Install-Module then the VS Code extension will automatically use it after a restart of the integrated terminal session or just by re-opening VS Code. Getting feedback in this period is very important so that the PowerShell team can make a decision on when to include 1.18.1 by default in one of the next updates of the PowerShell extension. After feedback of this phased rollout, we will consider changing the default settings in the extension as mentioned above. It is hard to anticipate all the use cases, so we chose to make features configurable behind new flags and rollout the changes to a smaller user group first.

The Changelog has more details if you want to dig further.

On behalf of the Script Analyzer team,

Christoph Bergmeister, Project Maintainer from the community
Jim Truher, Senior Software Engineer, Microsoft

The post Release of PowerShell Script Analyzer 1.18.1 appeared first on PowerShell.

This blog post was authored by Arpan Shah, General Manager, Microsoft Azure.

Customers such as Allscripts, Chevron, J.B. Hunt, and thousands of others are migrating their important workloads to Azure where they find unmatched security. While understanding cloud security is initially a concern to many, after digging in, customers often tell us the security posture they can set up within Azure is easier to implement and far more comprehensive than what they can provide for in other environments.

Azure delivers multiple layers of security, from the secure foundation in our physical datacenters, to our operational practices, to engineering processes that follow industry standard Mitre guidelines. On top of that, customers can choose from a variety of self-service security services that work for both Azure and on-premises workloads. We employ more than 3,500 cybersecurity professionals and spend $1 billion annually on security to help protect, detect, and respond to threats delivering security operations that work 24x7x365 for our customers.

Let’s look at some examples of how Azure delivers unmatched security for your Windows Server and SQL Server workloads.

The broadest built-in protections across hybrid environments with Azure Security Center

Customers can get the broadest built-in protection available across both cloud and on-premises through Azure Security Center. This includes security recommendations for virtual machines, storage, networking, databases, identity, application services, and IOT all from a single integrated dashboard.

Azure Security Center leverages the Microsoft Intelligent Security Graph, which collects more than 6.5 trillion signals daily from Microsoft services such as Xbox, Dynamics 365, Office 365, Azure, and our broad partner ecosystem. With Azure Security Center, customers can easily install an agent on Windows Server and get detailed recommendations on which best practices to implement such as installing end-point protection and the latest patches. It also comes with all the capabilities of Microsoft Defender ATP built-in. As a result, you get to tap into our industry-leading threat protection to protect your Windows Server and SQL Server workloads.

Further, Azure Security Center integration will soon be available through Windows Admin Center, a modern Windows Server management solution being used to manage millions of instances today. With a few clicks, you will soon be able secure your Windows Server instances on-premises directly from Windows Admin Center.

Unique platform-level security and governance

Azures consistent policy platform makes it easier for you to apply security policies faster across your Windows Server and SQL Server workloads. For every workload you run in Azure, you can easily define a set of security policies and apply them uniformly across your subscriptions or management groups at scale. Using Azure Blueprints, you can literally create a new subscription with all the security settings you need in a few clicks. All of this is possible because Azure has a unique underlying resource management foundation, giving you the confidence that your Windows Server and SQL Server workloads are compliant by design. Best of all, Azure Governance capabilities are available at no additional charge.

Built-in, AI driven Security Information and Event Management (SIEM)

Customers often use SIEM to bring together threat protection information from across the enterprise to enable advanced hunting and threat mitigation. Azure Sentinel is a cloud-native SIEM with built-in AI that enables you to focus on the important threats rather than low fidelity signals. It helps reduce noise drasticallywe have seen a reduction of up to 90 percent in alert fatigue from early adopters. It also lets you combine signals from your Windows Server and SQL Server workloads on Azure with all of your other assets including Office 365, on-premises applications, and firewalls to get ahead of bad actors and mitigate threats.

Industry leading confidential computing capabilities

Azure confidential computing offers encryption of data while in use, a protection that has been missing from both on-premises datacenters and public clouds. For certain workloads, it is important to ensure the data is not transparent while it is processed in the CPU. Azure brings this capability through hardware-based enclaves built on top of Intel SGX extensions in the Azure DC series of virtual machines. Microsoft, as the cloud operator, cannot access the data or compute resources inside a secure enclave. Confidential computing also opens up new scenarios like secure block-chain or multi-party machine learning where the data is shared between two parties, but neither has access to the other partys data due to the secure enclaves. In addition, we have enhanced the Always Encrypted feature in SQL Server 2019 to support secure enclaves and you can build your own applications using this technology with our open SDK.

Unique database security monitoring for your cloud SQL

We use our experience from monitoring more than one million databases over the past few years to offer Advanced Data Security for SQL Database and SQL Server VMs. It includes two key components vulnerability assessment and Advanced Threat Detection. Vulnerability assessment scans your databases so you can discover, track, and remediate potential database vulnerabilities. Advanced Threat Detection continuously monitors your database for suspicious activities like SQL injection and provides alerts on anomalous database access patterns. Threat alerts and reports from vulnerability assessments also appear in the Azure Security Center threats dashboard.

Free security updates for Windows Server and SQL Server 2008

We understand that customers are still running workloads on SQL Server and Windows Server 2008 and 2008 R2. These versions are approaching end of support in July 2019 and January 2020 respectively. You can automatically get three additional years of free Extended Security Updates if you simply migrate your 2008 and 2008 R2 instances to Azure to ensure they are protected. You can plan your upgrades to newer versions once they are in Azure. Additionally, for SQL Server, you can migrate legacy SQL Server workloads to Azure SQL Database Managed Instances. With this fully managed, version-less service your organization will not face end of support deadlines again.

Get started with Azure for unmatched security in the cloud

Microsoft offers you the training and best practice guidance you need to set up the most powerful protection for your Windows Server and SQL Server workloads in the cloud.

To learn even more best practices on how to take advantage of the built-in tools in Azure to protect your workloads, save the date for the upcoming Azure Security Expert Series webinar coming next Wednesday, June 19, 2019.

The post Customers get unmatched security with Windows Server and SQL Server workloads in Azure appeared first on Windows Server Blog.

Hello world! Brandon Wilson, Sr PFE, excited to be here with you yet again! Today’s post is a different kind of post, one that, for me personally, tugs a bit at my heart strings. Today I am here to announce that AskPFEPlat will be closing its doors on TechNet (effective June 17, 2019); it has certainly been a long run since that first post in 2011. We aren’t going away though, we have simply moved to a new location, and due to team growth, integration, and everything else that’s happened over our long run on TechNet, we are also rebranding to be the Core Infrastructure and Security (CIS) blog team.

If you haven’t happened to have noticed the over 450 banners at the top of all of our posts for the last few months, we have moved to the Core Infrastructure and Security TechCommunity on the https://techcommunity.microsoft.com site. I’ll go ahead and apologize for those header eye sores now…a few months late, but better late than never, right?!.

Rest assured, everything authored by AskPFEPlat over the years has been migrated and is available right now, as I type and as you read, over at https://aka.ms/CISTechComm! As a part of this migration, we have also joined forces with numerous other blog teams to extend our reach and content impact for our readers. So, if you haven’t already, please bookmark the site and visit us just as often as you have over the years!

You will find that most blog content from the majority of blogs on TechNet and MSDN are migrating over to the TechCommunity site, as TechNet and MSDN blog sites will be going into read-only/archive mode, also effective June 20, 2019. Speaking of which, if you happened to run across any blog content you expected to find but ended up getting a default “not found” type of page, that issue should now be corrected.

The Core Infrastructure and Security (AskPFEPlat) TechCommunity can be found at https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/ct-p/CoreInfrastructureandSecurity, and our blog content listing can now be found at https://aka.ms/CISTechComm (or if you like the super long URLs, https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/bg-p/CoreInfrastructureandSecurityBlog). Please by all means, join the techcommunity as a member. It isn’t necessary to become a member of the TechCommunity in order to view our content of course, but it does help out our internal team with potential future enhancements to the CIS TechCommunity.

NOTE: After June 20, 2019, any requests for AskPFEPlat content will be redirected to the root of the CIS TechCommunity blog site. You may have to update your bookmarks. Due to the amount of content we have, 1-to-1 redirection wasn’t feasible, and as such you may need to search for the blog content again. Content titles have not changed, nor have authors, so if you search either of those within the TechCommunity, you should find what you are looking for quickly!

Just to recap, in simple form, where we can be found:

Core Infrastructure and Security TechCommunity “main” page/home base-

https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/ct-p/CoreInfrastructureandSecurity

Core Infrastructure and Security TechCommunity blog:

https://aka.ms/CISTechComm

-or-

https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/bg-p/CoreInfrastructureandSecurityBlog

Since we are on the topic, I would also like to take this time for a shameless plug for a partner TechCommunity, the Premier Field Engineering TechCommunity (https://aka.ms/PFETechComm), which opened its doors at the beginning of May 2019. Here you can find excellent blog content on various technical topic areas, predominantly authored by Premier Field Engineers, along with information regarding our Premier offerings (workshops, health checks, etc). The PFE TechCommunity is also a culmination of many other blog teams, but is technology agnostic. If you haven’t found it already, please feel free to join the community and bookmark the PFE TechCommunity blog page as well!

To make things easier for you to explore the TechCommunity site in general, here are a couple of quick links for you:

TechCommunity main blog listings (right hand side):

https://techcommunity.microsoft.com/t5/custom/page/page-id/Blogs

TechCommunity listings:

https://techcommunity.microsoft.com/t5/Communities/ct-p/communities

Last but not least, I personally, and I think I can also speak for the entirety of the AskPFEPlat and Core Infrastructure and Security blog teams past and present, would like to sincerely thank all of our readers whom have supported us over the years! If I could thank each and every one of you personally, I would. On this topic, I would also like to thank the over 400 Premier Field Engineers, Consultants, Architects, Supportability Managers, Program Managers, and others that have been contributors to our blog team over the years! So, please continue checking in with us at our new home (https://aka.ms/CISTechComm), and we look forward to bringing you more quality content for many years to come from our new home!

As always, thanks for reading, and we look forward to seeing you over in our new home!

-Brandon “Now that wasn’t nearly as long as normal” Wilson

This week we announced a new Identity threat investigation experience, which correlates identity events from Microsoft Cloud App Security, Azure Advanced Threat Protection, and Azure Active Directory Identity Protection into a single investigation experience for security analysts and hunters alike.

If you are using Microsoft Cloud App Security, you will be able to access the new experience in the portal starting today, regardless of whether you are also using Azure Advanced Threat Protection and/or Azure Active Directory Identity Protection.*

The identity threat investigation experience combines user identity signals from on-premises and cloud services to close the gap between disparate signals in your environment and leverages state-of-the-art User and Entity Behavior Analytics (UEBA) capabilities to provide a risk score and rich contextual information for each user. It empowers security analysts to prioritize their investigations and reduce investigation times, ending the need to toggle between identity security solutions.

Microsoft Cloud App Security - A uniquely integrated CASB

New user investigation priority for users

The Top user view in the Microsoft Cloud App Security dashboard is shifting from an investigation model that is based on the number of total alerts, to a new user investigation priority which is determined by all recent user activities and alerts that indicate an active attack or insider threat. This now helps you immediately understand which users currently represent the highest risk within your organization and should be prioritized for further investigation.

Image 1: Cloud App Security dashboard: Top user view by investigation priority

New user page

We have also redesigned the existing user page to provide rich contextual information for how the risk score was determined and how a user compares to other across the organization. This will empower your SOC teams to address the users with the highest risk/impact ratio first and pivot from any scored activity into the deep dive alert investigation that you’re already familiar with.

Image 2: New user page in the Cloud App Security portal

From the new user page, you can then easily dive deeper into each one of the alerts or activities that you see on the timelines and pivot into the Cloud App Security investigation experience that you’re already familiar with.

Image 3: Deep dive investigation of alerts from the user timeline

The new Identity threat investigation experience further enriches the Cloud App Security portal and available investigation capabilities, giving SecOps teams correlated and weighted information to make better decisions, save time and more effectively remediate user threats and risks.

More info and feedback

• Get started with our technical documentation today.

• Haven’t tried Microsoft Cloud App Security yet? Start a free trial today.
• As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.
• For more resources and information go to our website.

*The information available on the new user page can vary depending on the services that you are using (Azure Advanced Threat Protection, Azure AD Identity Protection)

#To list all modules that tagged as DSCResourceKit
Find-Module -Tag DSCResourceKit 
#To list all DSC resources from all sources
Find-DscResource

Install-Module -Name < module name >

Install-Module -Name xWebAdministration

Update-Module

Get-DscResource

The post DSC Resource Kit Release June 2019 appeared first on PowerShell.

This blog post was authored by Jeff Woolsey, Principal PM Manager, Windows Server.

This month, SQL Server 2008 and 2008 R2 reached their End of Support. On January 14, 2020, Windows Server 2008 and 2008 R2 will also reach their End of Support. These important dates provide an opportunity for businesses outside of the obvious deadline, and were here to help. Here is a list of resources to help you get ready:

• For the latest information about your options, visit the Windows Server 2008/R2 End of Support site to learn about upgrading on-premises, migrating to Azure, or taking advantage of Extended Security Updates for your server environment.
• Download the Migration Guide for Windows Server for beginning-to-end guidance for on-premises or cloud workloads, including Assess, Migrate, Optimize, as well as Manage and Secure phases, with more links to tools that can help you along the way.
• If you have questions about what Azure can do for your Windows Server workloads, or are ready to start down the migration path, visit the Azure Migration Center to find specific migration advice for Windows Server 2008/R2 and start modernizing with Azure.
• We have a new migration tool to help you upgrade old file servers. Watch a brief demo of the Storage Migration Service, a new tool to help migrate file servers from Windows Server 2008/R2 (and even back to 2003) to newer versions, running on-premises or in Azure.
• Finally, watch my on-demand webinar on Transforming Windows Server 2008 Apps and Infrastructure where I lay out options on how to modernize your Windows Server 2008 environment using Microsoft’s hybrid cloud capabilities, including new tools and solutions available to help you migrate.

Ask the experts!

If you still have questions, weve scheduled an online Ask Me Anything on July 30, 2019. Bring your questions, and well have our top experts standing by ready to help. Add it to your calendar now.

The post Six months left to transform your Windows Server 2008 apps and infrastructure appeared first on Windows Server Blog.

Microsoft Intune is excited to announce general availability of Windows MDM Security Baselines. A new version of security baselines is also being released at the same time, identified as MDM Security Baseline for Spring 2019 Update (19H1). This is a new template that includes several new settings and some other updates. Please refer to the documentation for a detailed list of what's changed in the new template. 

A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. Industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, increases efficiency and reduces costs compared to creating them all by yourself. These settings are continually updated with feedback from Microsoft security engineering teams, product groups, partners, and real-world learning from thousands of customers. Microsoft security baselines provide intelligent recommendations that are relevant to the needs of your business, based on your IT infrastructure.

Attach the power of intelligent cloud

Microsoft has years of experience publishing security baselines as Group Policy Objects in the Security and Compliance Toolkit (SCT). Customers have trusted this toolkit for years to provide templates to configure security baselines through Group Policy. Microsoft Intune now brings the same collective knowledge and expertise to secure the modern desktop with MDM security baselines.

Microsoft recommended security baselines in the Intune service leverage the greatly expanded manageability of Windows 10 using Mobile Device Management (MDM). These security baselines will be managed and updated directly from the cloud – providing customers the most recent and most advanced security settings and capabilities available from Microsoft 365. The same Windows security team that creates Group Policy security baselines has collaborated with Intune engineers to offer their extensive experience for these recommendations. If you're brand new to Intune, and not sure where to start, then MDM security baselines give you an advantage. You can quickly create and deploy a secure profile to help protect your organization's resources and data. If you're currently using Group Policy, migrating to Intune for management is much easier with these baselines natively built into Intune's modern management platform.

Intune MDM security baselines leverage intelligent cloud insights to deliver unique benefits beyond the security and compliance toolkit:

• In-depth reporting on the state of each setting in the baseline on every device in your organization
• A first-class policy interface using familiar Intune policies to easily customize and deploy a baseline with MDM 

You may choose to create security policies directly from these baselines and deploy them to users or customize the recommendations to meet the needs of your enterprise. Intune will validate that devices follow these baselines, report on baseline compliance and notify administrators if any devices or users move out of compliance.

You can see a list of all available baselines, as well as the contents of each baseline, here: https://docs.microsoft.com/en-us/intune/security-baselines#available-security-baselines

Versioning between baselines

Alongside GA, Intune is launching a versioning experience that allows you to stay up-to-date as Microsoft updates security baseline recommendations. This means that if you’ve been using the preview baseline, you’ll be able to upgrade to the newly released GA baseline in just a few clicks.

1. Select a baseline. In this example, we’ll examine Windows 10 Security Baselines.

2. You can review the contents of each version of this baseline family by selecting Versions, then choosing the version you’d like to analyze. You can also select two versions to compare by selecting both in the table and clicking Compare baselines.

3. To upgrade a profile from one baseline version to another, go to Profiles, choose the profile you’d like to upgrade, and select Change Version.

4. In the upgrade experience, you can choose to review the changes that the upgrade will make, as well as decide whether you’d like to:

• Accept baseline changes but keep my existing setting customizations: This will retain any setting customizations you made in the original profile.
• Accept baseline changes and discard my existing setting customizations: This will overwrite all customizations from the original profile and apply the new baseline recommendations wholesale.

After you make this decision, Intune will automatically update the profile to adhere to the upgraded baseline.

Next steps

If you are a Microsoft Intune customer, look for the Security Baselines GA to be available in your tenant shortly.

If you require any help with your deployment, Microsoft offers a variety of resources and support tools to help you succeed. Customers with eligible subscriptions to Microsoft 365, Microsoft Enterprise Mobility + Security (EMS) or Microsoft Intune can request assistance from experts in FastTrack service at no additional cost for the life of their subscription. Whether you are a customer or a partner, FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources to plan your deployment.

More info and feedback

Learn how to get started with Microsoft Intune using our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Follow @MSIntune on Twitter

(This post is co-authored with Aashka Damani, Program Manager, and Mayunk Jain, Product Manager, Microsoft 365)

Microsoft Intune is excited to announce the general availability of administrative templates support for Windows 10 device configuration profiles. This feature received wide adoption during the public preview because it helps Windows administrators use the settings they are familiar with in group policy editor when they transition to cloud-attached management.  In the general release, we deliver one of the most requested feedback from the public preview: support for more settings. Administrative templates will be adding an over 2500 settings to the Intune console, covering  Windows, OneDrive and Office, in a user interface that is similar to group policy editor.

Let us walkthrough creating and editing a profile.

Create an Administrative Templates profile

Administrative template profiles in Intune apply to Windows 10 devices and the process is similar to creating most other device configuration profiles. Start by creating a new profile under ‘device configuration’ and select ‘administrative templates’ under profile type.

Upon creating a profile, the administrator will have access to the master list of all 2500+ available settings. Some of the setting names may appear to be duplicates, but each of them has a different path and different end effect.

Administrator may use the Search, Sort and Filter options to identify the settings they have set and the ones they may want to configure. For instance, the drop down list of products allows administrators to view only the settings that apply to Windows, those that apply to Office, and all settings.

The product filter in combination with search terms lets administrators quickly narrow down the list to the settings they wish to configure. The search works on both the name of the setting and any part of the setting’s path.

Many of the settings are applicable on both users and devices. Administrators can use column headings to distinguish between types of settings and differentiate between settings that have been configured and not configured.

Click on a setting to see its description and determine how it should be appropriately configured.

The description text for each setting includes the minimum app version supported by the setting as well as the ADMX setting version. This will help troubleshooting using widely available Microsoft and community documentation about ADMX files and their expected behavior. After editing the necessary settings and deploying them to the respective users and devices, close the profile to save the changes.

Upon reopening the profile, all of the settings that have been configured will automatically filter to the top. This makes it easy to know what settings have been set and administrators can edit the configuration profile if desired.

Next steps

Microsoft Intune is designed with the learnings and feedback from administrators managing over 175M devices worldwide. This feature is another reason more customers choose Microsoft endpoint management solutions for the easiest path to manage their Windows 10, Office 365, and other mobile applications and devices either on-premises, attached to the cloud, or both. Share your experience after you take administrative templates for a spin in your own modern workplace.

Microsoft offers a variety of resources and support tools to help you in this journey. Plan your cloud services deployments with online resources and tools from FastTrack, a service that’s included in your eligible Microsoft subscription at no additional cost. FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources instead of creating new ones.

Visit the planning and migration documentation to drive successful customer adoption of managed mobile productivity with a robust communication plan.

More info and feedback

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

 Follow @MSIntune on Twitter

dotnet tool install --global PowerShell

FROM mcr.microsoft.com/dotnet/core/sdk:3.0
RUN pwsh -c Get-Date
RUN pwsh -c "Get-Module -ListAvailable | Select-Object -Property Name, Path"

docker run -it -v c:myrepo:/myrepo -w /myrepo mcr.microsoft.com/dotnet/core/sdk:3.0 pwsh ./build.ps1

The post Introducing PowerShell as .NET Global Tool appeared first on PowerShell.

(This post is co-authored with Anya Novicheva, Program Manager, Microsoft 365)

Microsoft Intune is excited to announce support for FileVault full-disk encryption configuration on macOS devices. FileVault full-disk encryption (also known as FileVault 2) helps prevent unauthorized access to the information on macOS startup disks. With support for FileVault, Intune administrators can ensure startup disks are unreadable without the password on company managed devices, and they can recover personal keys on behalf of users on corporate devices from the Intune console. Device users can also securely recover their personal key at any time using Intune.

This release includes:

• Personal recovery key rotation to help protect against unauthorized access using compromised keys. Intune administrators can rotate the personal recovery keys for company-managed encrypted Macs, and they may also configure how often to rotate the personal key.
• Personal key escrow, providing a secure location for both end users and administrators to access the personal recovery key for company-managed encrypted Macs.

Get started

To set up FileVault on a managed macOS device that is not yet encrypted, the admin configures the FileVault settings located under the Endpoint Protection profile type within Device Configuration navigation of the Microsoft Intune administration console.

On the same settings page, the admin may enter a message to help the end user in case they forget their password and need to locate the recovery key. For example, they may provide information such as the location of the personal recovery key. This message is shown to end users on the login screen where they enter the personal recovery key instead of a password.

Key recovery

The end user may use the Microsoft Intune Company Portal website on any device to access their personal recovery key. Once they login to the web Company Portal, they can select their FileVault enabled macOS device from the device thumbnails, and click on Get recovery key. If the macOS device isn’t encrypted or it was encrypted prior to enrollment, they will not see a personal recovery key.

To help protect a device that might have had its key compromised or to prevent other types of security incidents, the Intune admin may perform a remote device action to rotate the personal recovery key on a corporate macOS device.  This is as simple as selecting the macOS device in the Intune console, and going to Recovery Keys > and then choosing to rotate the device’s personal recovery key.

If the device is not enrolled or not encrypted, Intune doesn’t have a key for that device and the action is grayed out (as in the screenshot below).

Reporting

Encryption Reporting is a powerful tool for security management across all devices in the modern workplace. The Intune admin can see reporting for all of their macOS devices from Devices > all devices > macOS device > Encryption Reporting. This report shows whether devices are ready to be encrypted or not, whether they were encrypted prior to being enrolled, and whether there are any errors during the encryption process. Intune admins can report on the disk encryption for Windows BitLocker and macOS FileVault from a single dashboard. Admins may also export the entire report to an Excel file where they can filter by OS type, encryption readiness, or status.

Next steps

This feature is the latest in a series of innovations to simplify macOS management with Intune. This is a journey and we expect to add significant enhancements in future, based on your feedback and customer priorities. Administrators using Microsoft Intune can secure their entire workplace from a single place – not only Apple FileVault encryption but also mobile device encryption and Windows BitLocker.

Microsoft offers a variety of resources and support tools to help you in this journey. Plan your macOS management and deployment with online guides and tools from FastTrack, a service that’s included in your eligible Microsoft subscription at no additional cost. FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources instead of creating new ones.

More info and feedback

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Follow @MSIntune on Twitter