
Discover Shadow IT across IaaS and PaaS with Microsoft’s CASB


Infrastructure-as-a-Service (IaaS) initiated the decline of traditional data center strategies. Today, modern cloud-focused IT strategies enable organizations to implement new processes and scale their infrastructure up and down as needed, allowing them to reach cost efficiencies and high levels of flexibility.

 

Whether organizations have chosen a single- or multi-cloud vendor strategy, they are often surprised to find that a business unit has servers on a platform without any IT oversight. IaaS and PaaS adoption is often driven by developers working on custom applications, or even by business users. When these user groups drive adoption, it frequently happens without IT oversight and can go unmonitored for extended periods of time, posing significant security risks to the organization.

 

Take for instance storage solutions. Microsoft Azure blobs, Amazon Web Services S3 buckets, or Google Cloud Platform storage buckets, can host business-critical resources such as documents, databases, and source code. A simple access misconfiguration can expose sensitive information and lead to malicious exfiltration. Data shows that organizations often have hundreds of custom apps running in the cloud, while our research suggests that only a fraction is managed with IT oversight.

Therefore, it’s important to establish IT oversight from the beginning to avoid stale.

 

Microsoft Cloud App Security has extended its Shadow IT Discovery capabilities to detect resources that are hosted on IaaS and Platform-as-a-Service (PaaS) solutions across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), with more being added soon.

 


 

The new “Discovered resources” tab in the Microsoft Cloud App Security portal provides visibility into the custom apps that run on top of your IaaS and PaaS subscriptions. You can use this new capability to gain full visibility into the resources that exist within your organization, which users are accessing them, the transactions and IP addresses involved, and how much traffic is being transmitted.

Image 1 shows the new “Discovered resources” view in Microsoft Cloud App Security and the drill down into one of the discovered resources.

 

Image 1: “Discovered resources” view in Microsoft Cloud App Security

 

The data is collected using the same implementation as the Discovery of SaaS Shadow IT: customers can choose endpoint-based data collection via Microsoft Defender Advanced Threat Protection, a log collector, or integration with their existing Secure Web Gateway.

 

 

More info and feedback

Get started with our technical documentation today.

Haven’t tried Microsoft Cloud App Security yet? Start a free trial today.

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

For more resources and information go to our website.

 

 

™2019, Amazon Web Services logo is a trademark of Amazon.com, Inc. or its affiliates in the United States and/or other countries.

©2018 Google LLC All rights reserved. Google and the Google logo are registered trademarks of Google LLC.

 



PowerShell 7 Road Map


Last month we announced that PowerShell 7 will be the next release of PowerShell.

Here I will provide more details of areas we’ll be investing in for the PowerShell 7 release.

When will I get it?!

Today, we’re releasing our first preview of PowerShell 7. Keeping with our monthly cadence, expect new preview releases approximately every month.

This first preview contains some of the changes that didn’t make it in time for the 6.2 GA release, and marks our move to .NET Core 3.0. For more details on what’s new, check out our changelog on GitHub.

As mentioned in the PowerShell 7 announcement blog, we will be changing the support life-cycle to align with .NET Core. This means that we expect PowerShell 7 to be generally available (GA) about a month after .NET Core 3.0 GA.

.NET Core 3.0

The biggest immediate change is moving to .NET Core 3.0 (from .NET Core 2.1). Not only are there significant performance improvements, but many new APIs are available including WPF and WinForms (Windows only, though!).

This means that (eventually) we can bring back Out-GridView.

Windows Compatibility

A big focus of PowerShell 7 is making it a viable replacement for Windows PowerShell 5.1. This means it must have near parity with Windows PowerShell in terms of compatibility with modules that ship with Windows.

The PowerShell Team will be working with Windows teams to validate and update their modules to work with PowerShell 7. This also means that to use PowerShell 7 with the breadth of Windows PowerShell modules, you will need to be using the latest builds of Windows 10 (and equivalent Windows Server).

Feature Investigations

We are looking at investing in three specific feature areas. Expect RFCs (Request for Comments specifications) to be published on how we intend to implement these features and the scope of the problem we intend to solve. Feedback is greatly appreciated!

Simplify Secure Credentials Management

Whether you are using PowerShell to automate resources in the cloud, local resources on premise, or a hybrid, you will generally need to have different credentials to access different resources.

The best practice is to never put credentials within your script. So we intend to introduce a way to securely use credentials from a local or remote based credential store.

Logging Off the Box

Part of the security of PowerShell is that it can log everything. However, logging today is purely local onto the machine. For each OS, there are ways to forward those events to a remote system, but it requires different configurations per OS.

We want to introduce a way to easily configure PowerShell through policy to automatically send the logs to a remote target regardless of the OS.

New Version Notification

Looking at our Power BI dashboard, we see a large number of instances running older versions (some of which are no longer supported). It is important to let customers know when a newer version with security fixes is available, so we need a polite way to inform the user that a newer version exists.

There is already an RFC published for this feature. Please take a look and provide us feedback!

GitHub Issues

We have a number of GitHub issues marked to be considered to be addressed for PowerShell 7. Although we would like to fix everything, we do have limited resources so not every issue marked for consideration will be fixed.

Popular Requested Features

There are a number of requested features we’d like to address in PowerShell 7. Some of these may show up as experimental features so that we can get feedback before we lock in the design.

This list is larger than what we will be able to fix, but these are the ones we’d like to investigate:

Other Investments

My team will also be involved in some other related investments during the time frame of working on PowerShell 7.

PowerShell in Azure Functions to generally available

A few weeks ago, Joey Aiello announced the Public Preview of PowerShell in Azure Functions 2.0. As we get feedback, my team will continue to work with the Azure Functions team to address that feedback and eventually move from public preview to being generally available.

PSReadLine 2.0

Jason Shirk has done a great job with PSReadLine. As part of Windows PowerShell 5, we decided to make it the default interactive shell experience. As a side project for Jason, he has made many improvements, but the project is bigger than one person. We’ve agreed to move the PSReadLine project to the PowerShell team, where we can have some dedicated resources to get the 2.0.0 release to GA.

PowerShell Editor Services / Visual Studio Code PowerShell extension

We will continue to make progress on PowerShell Editor Services 2.0 release improving reliability, performance, and PSReadLine integration.

PSScriptAnalyzer

As part of improving performance for PSEditorServices, we need to make PSScriptAnalyzer 2.0 host-able so that PS Editor Services can simply call an API rather than calling PSScriptAnalyzer using a PowerShell runspace.

Summary

As you can see, we have a ton of work ahead of us. Not everything will make it in the same time frame of PowerShell 7 and some of the popular requested features may have to wait for PowerShell 7.1, but the more feedback you give us, the more we can be sure we’re doing the right thing to help you succeed.

Thanks!

Steve Lee
Principal Software Engineering Manager
PowerShell Team
https://twitter.com/Steve_MSFT

The post PowerShell 7 Road Map appeared first on PowerShell.

Using PowerShellGet with Azure Artifacts


We have improved the experience of using PowerShellGet with private NuGet feeds by focusing on the pain points of working with an Azure Artifacts feed. We addressed those pain points by enabling and documenting the following features:

  • Non-PAT authentication for package management
  • Credential persistence in Register-PSRepository

These improvements affect the following cmdlets:

  • Register-PSRepository
  • Set-PSRepository
  • Find-Module/Script
  • Install-Module/Script
  • Update-Module/Script
  • Save-Module/Script
  • Publish-Module/Script

What is Azure Artifacts and Why would I use it?

Azure Artifacts is an Azure Dev Ops service which introduces the concept of multiple feeds that you can use to organize and control access to your packages. In other words it is a place for storing and sharing packages with controlled access through Azure Dev Ops. A common use scenario for Azure Artifacts with PowerShellGet is for organizations which need a controlled access feed for sharing their private internal packages and vetted external packages within their organization. Package owners may also want to use Azure Artifacts as part of their CI/CD pipeline in Azure Dev Ops. For more information on Azure Artifacts, check out their documentation.

Getting started with Azure Artifacts with PowerShellGet

Since these fixes were introduced in PackageManagement, verify that you have at least version 1.4.1 of the PackageManagement module by running Get-InstalledModule PackageManagement. If you do not have version 1.4.1 or higher, run Update-Module PackageManagement and then restart your PowerShell session.

The next step is to create an Azure Artifacts feed, since Azure Artifacts is an Azure Dev Ops service you will need to create an Azure Dev Ops account if you don’t already have one.

Once you have an account you can create an Azure Artifacts feed. To do this, follow these steps. Return here for instructions on how to connect to the feed and publish packages.

The other component you will need is the Azure Artifacts credential provider. The credential provider comes pre-installed with Visual Studio, so if you have VS 15.9 you don’t need to install anything. Otherwise, the steps for installing the credential provider, which are platform dependent, are provided here.

To register your feed as a PSRepository you will need a name, a source location, a publish location, and a credential. The name is what you will call the PSRepository and can be anything you choose; in this example we call it “myAzArtifactsRepo”. Your source location and publish location will be the same URI, in the format https://pkgs.dev.azure.com/<yourorganizationname>/_packaging/<yourfeedname>/nuget/v2. For the credential you have a couple of options: you can either use a personal access token (PAT) or enable non-PAT authentication. For more information on this, check out the documentation.

You are now ready to register your Azure DevOps feed as a PSRepository using the following command (replace the two placeholders with your organization and feed names, and $credentials with the PSCredential you built above):

Register-PSRepository -Name myAzArtifactsRepo -SourceLocation "https://pkgs.dev.azure.com/<yourorganizationname>/_packaging/<yourfeedname>/nuget/v2" -PublishLocation "https://pkgs.dev.azure.com/<yourorganizationname>/_packaging/<yourfeedname>/nuget/v2" -Credential $credentials

Let’s publish a PowerShell Gallery package to our Azure DevOps feed. To do this, first save the module locally, then publish it with the following commands. Save-Module writes the module into a version-named subfolder, so point Publish-Module at the folder that directly contains the module manifest (SHiPS.psd1):

Save-Module -Name SHiPS -Repository PSGallery -Path '.'
Publish-Module -Path '<pathtomodule>\SHiPS' -Repository myAzArtifactsRepo -NuGetApiKey '<any arbitrary string>'

Now that we have some packages let’s find and install them:

Find-Module -Name SHiPS -Repository myAzArtifactsRepo

Install-Module -Name SHiPS -Repository myAzArtifactsRepo

Now that you can manage packages on your feed, you may want to share it with other users. To manage the access to your feed use the feed settings in Azure Artifacts. For more information on this check out the documentation.
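The steps above, as one added example script that is not part of the original post: it checks the PackageManagement version, builds the credential from a PAT held in an environment variable rather than in the script, registers the feed only if it is not already registered, mirrors a PSGallery module into the feed, and installs from the private feed. The organization name “contoso”, the feed name “internal-psmodules”, the AZ_ARTIFACTS_PAT variable, the staging path and the PAT scope are assumptions; substitute your own.

```powershell
#Requires -Modules PowerShellGet
# Added example (not the post's own code). Assumed: organization "contoso",
# feed "internal-psmodules", PAT in $env:AZ_ARTIFACTS_PAT with Packaging read/write scope.
$ErrorActionPreference = 'Stop'

$RepoName = 'myAzArtifactsRepo'
$FeedUri  = 'https://pkgs.dev.azure.com/contoso/_packaging/internal-psmodules/nuget/v2'

# 1. Credential persistence in Register-PSRepository needs PackageManagement 1.4.1 or later.
$pm = Get-InstalledModule -Name PackageManagement -ErrorAction SilentlyContinue
if (-not $pm -or [version]$pm.Version -lt [version]'1.4.1') {
    throw "PackageManagement 1.4.1 or later is required; run 'Update-Module PackageManagement' and restart the session."
}

# 2. Build a PSCredential from the PAT. Azure Artifacts ignores the user name for PAT
#    authentication, but PSCredential requires a non-empty one.
if (-not $env:AZ_ARTIFACTS_PAT) {
    throw 'Set AZ_ARTIFACTS_PAT to a personal access token before running this script.'
}
$credential = [pscredential]::new(
    'AzureArtifacts',
    (ConvertTo-SecureString -String $env:AZ_ARTIFACTS_PAT -AsPlainText -Force)
)

# 3. Register the feed once; Register-PSRepository errors if the name already exists.
#    InstallationPolicy Trusted suppresses the per-install prompt, appropriate only for a feed you control.
if (-not (Get-PSRepository -Name $RepoName -ErrorAction SilentlyContinue)) {
    Register-PSRepository -Name $RepoName -SourceLocation $FeedUri -PublishLocation $FeedUri `
        -Credential $credential -InstallationPolicy Trusted
}

# 4. Mirror a vetted PSGallery module into the private feed.
$staging = Join-Path ([IO.Path]::GetTempPath()) 'psget-staging'
New-Item -ItemType Directory -Path $staging -Force | Out-Null
Save-Module -Name SHiPS -Repository PSGallery -Path $staging
# Save-Module writes <staging>\SHiPS\<version>\; Publish-Module wants a folder named after the
# module that directly contains SHiPS.psd1, so copy the newest saved version into one.
$versionDir = Get-ChildItem -Path (Join-Path $staging 'SHiPS') -Directory |
    Sort-Object { [version]$_.Name } -Descending | Select-Object -First 1
$publishDir = Join-Path $staging 'publish\SHiPS'
New-Item -ItemType Directory -Path $publishDir -Force | Out-Null
Copy-Item -Path (Join-Path $versionDir.FullName '*') -Destination $publishDir -Recurse -Force
# The NuGet API key is an arbitrary string for Azure Artifacts; -Credential is what authenticates the push.
Publish-Module -Path $publishDir -Repository $RepoName -NuGetApiKey 'AzureArtifacts' -Credential $credential

# 5. Consume from the private feed only, never falling through to the public gallery.
Find-Module -Name SHiPS -Repository $RepoName -Credential $credential
Install-Module -Name SHiPS -Repository $RepoName -Credential $credential -Scope CurrentUser
```

Pinning -Repository on Find-Module and Install-Module matters: without it, PowerShellGet searches every registered repository, and a public package with the same name could shadow your private one.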

Getting Feedback

If you encounter any issues we would love to hear about it on our GitHub page.
Please file an issue letting us know what we can do to make your experience better.

The post Using PowerShellGet with Azure Artifacts appeared first on PowerShell.

25 reasons to choose Azure Stack HCI


This blog post was authored by Dianna Marks, Product Marketing Manager, Windows Server Marketing.

At the Windows Server Summit in May, Cosmos Darwin and Greg Cusanza from the Windows Server team presented a lightning round all about hyperconverged infrastructure (HCI) powered by Windows Server. If you haven’t had a chance to watch the event, check out the recording of the live stream and deep dive sessions by registering online. It’s quick and free.

Here are the 25 things they presented in the lightning round:

1. Azure Stack HCI Catalog

Available for purchase right now, there are over 75 Azure Stack HCI solutions from over 15 partners. Check out the Azure Stack HCI Catalog to find solutions from your preferred hardware vendor and get started today.

2. Networking and SDN coexisting side-by-side

Now all HCI solutions include what is required for software-defined networking (SDN). You no longer need to devote your entire infrastructure to SDN. Instead, you can mix and match per virtual machine (VM), using traditional VLAN-based networking alongside SDN. Try it out yourself in the latest Windows Admin Center release.

3. Deploy with SDN Express

Deploying SDN is easier than ever with SDN Express. Download the scripts and run SDN Express to get a helpful wizard that guides you through all the steps necessary for deployment, all in under 30 minutes. Learn more by reading the documentation for SDN deployment.

4. Windows Admin Center for HCI

Windows Admin Center is the future of Windows Server in-box management, and that extends to HCI as well. Add your HCI cluster to Windows Admin Center to get purpose-built tools for managing and monitoring Storage Spaces Direct and SDN, including capabilities like provisioning volumes, managing Hyper-V virtual machines, troubleshooting configuration or hardware problems, and much more.

5. Deduplication and compression for ReFS

Deduplication and compression are now available for ReFS, Microsoft’s recommended file system for HCI. Deduplication and compression increase usable capacity by identifying duplicate portions of files and storing them only once. Savings vary depending on the type of file but can range up to 90 percent for highly repetitive storage like ISO or VHDX backups. Check out the demo Deduplication and compression for Storage Spaces Direct from Microsoft Ignite 2018, and read the documentation for Data Deduplication and ReFS.

6. Larger maximum scale

Even with deduplication and compression, it’s still possible to run out of capacity, so in Windows Server 2019 the maximum total raw storage capacity per cluster is increased from 1 PB in Windows Server 2016 to 4 PB. That’s enough space to store all of Wikipedia, in every language, with complete edit history, uncompressed! Watch the demo Scale to over 3.5 PB with Windows Server 2019 and QCT QxStor from Microsoft Ignite 2018 for an example.

7. Cluster sets

Now in Windows Server 2019, we can encapsulate a cluster within a cluster set and we can add additional clusters in a cluster set. The great thing about this is that a virtual machine (VM) can seamlessly live migrate from one cluster to a host in a different cluster and continue to access its storage. To learn more, read the documentation on cluster sets.

8. Span sites with SDN

In Windows Server 2019 we’ve improved gateway performance for SDN, increasing throughput from 4 Gbps to 18 Gbps in a single SDN gateway. We also have generic routing encapsulation (GRE) tunneling that connects two network controllers, allowing different workloads to talk to each other as if they were on one network. To learn more about high performance gateways in Windows Server 2019, read the blog post “Top 10 Networking Features in Windows Server 2019: #6 High Performance SDN Gateways” on the Windows Server Networking Blog.

9. Native support for persistent memory

Windows Server has become more scalable over time with regard to both capacity and performance. It is on the leading edge of x86 hardware innovation and is consistently one of the first operating systems and hypervisors to support new hardware technology, such as the latest Intel Xeon processors and Intel Optane persistent memory. Watch the demo at Microsoft Ignite 2018, and read the documentation “Understand and deploy persistent memory.”

10. Faster networking with fewer cycles/byte

In addition to hardware improvements, we’ve also been investing in our networking stack. Some of the improvements include nearly double the throughput for the send and receive paths, lower CPU utilization, better handling of high-bandwidth, high-latency links, and a Data Plane Development Kit (DPDK) for Windows that bypasses the host networking stack to speed up packet processing. You can read more about all of these features on our Windows Server Networking Blog.

11. Mirror-accelerated parity is 2X faster

The storage team has also been focused on optimizations with mirror accelerated parity, a technology that allows you to create a volume that partly uses mirror resiliency and parity, or erasure coding resiliency. This provides the benefit of faster writes and opens up capacity.

12. Built-in performance history

HCI now has built-in performance history. It collects historical data and displays over 50 performance counters in aggregate. There’s nothing you have to install, set up, or configure. Explore more in the documentation for performance history.

13. Shielded virtual machines

Shielded virtual machines are part of the core hypervisor and have been improved so that even if you don’t have network access to a shielded VM you can still connect to it through the console or PowerShell Direct. We’ve also added the ability to run Linux inside shielded VMs. Watch the five minute overview video of shielded VMs and check out the documentation for VM connect and PowerShell Direct to shielded VMs, as well as deploying Linux inside a shielded VM.

14. Core scheduler

It’s also important to protect your hypervisor host. In Windows Server 2016 we had the classic scheduler, which offered fair-share, preemptive round-robin scheduling for guest virtual processors. In Windows Server 2019 we have a new hypervisor scheduler called the core scheduler, which constrains virtual processors to physical core boundaries, so the SMT sibling threads of one physical core are never shared between different virtual machines, further isolating them from one another. Understand further details by reading the documentation “Managing Hyper-V hypervisor scheduler types.”
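An added example, not from the original post, of the check a host administrator would run before relying on the isolation described above: read back which scheduler the hypervisor booted with, switch to the core scheduler if needed, and set a VM’s SMT policy. Assumptions: the scheduler type is taken from event ID 2 in the Microsoft-Windows-Hyper-V-Hypervisor-Operational log, whose message reports 0x1 or 0x2 for the classic scheduler, 0x3 for core and 0x4 for root; the bcdedit setting takes effect at the next boot; the function names are hypothetical.

```powershell
# Added example (not from the post). Assumed: event ID 2 in the Hyper-V-Hypervisor
# operational log reads "Hypervisor scheduler type is 0xN." with 0x1/0x2 classic,
# 0x3 core, 0x4 root. Requires the Hyper-V PowerShell module and an elevated session.

function Get-HypervisorSchedulerType {
    [CmdletBinding()]
    param()
    # Newest event first: the scheduler type is logged once per boot.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Hyper-V-Hypervisor-Operational'
        Id      = 2
    } -MaxEvents 1 -ErrorAction Stop

    if ($evt.Message -match '0x(?<type>[0-9A-Fa-f]+)') {
        switch ([int]"0x$($Matches.type)") {
            1       { return 'Classic (SMT disabled)' }
            2       { return 'Classic' }
            3       { return 'Core' }
            4       { return 'Root' }
            default { return "Unknown (0x$($Matches.type))" }
        }
    }
    throw "Unexpected scheduler event text: $($evt.Message)"
}

function Enable-CoreScheduler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ((Get-HypervisorSchedulerType) -eq 'Core') {
        Write-Verbose 'Core scheduler already active; nothing to do.'
        return
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'bcdedit /set hypervisorschedulertype core')) {
        & bcdedit.exe /set hypervisorschedulertype core | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
        Write-Warning 'Reboot the host for the core scheduler to take effect.'
    }
}

# Under the core scheduler a guest only sees SMT siblings if its processor settings allow it:
# 0 inherits the host topology (VM version 9.0 and later), 1 gives the guest no SMT, 2 exposes two threads per core.
function Set-GuestSmtPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [ValidateSet(0, 1, 2)] [int] $HwThreadCountPerCore = 0
    )
    Set-VMProcessor -VMName $VMName -HwThreadCountPerCore $HwThreadCountPerCore
}

# Usage:
#   Get-HypervisorSchedulerType
#   Enable-CoreScheduler -WhatIf
#   Set-GuestSmtPolicy -VMName 'web01' -HwThreadCountPerCore 1
```

Run Get-HypervisorSchedulerType after every host reboot or firmware change; the isolation only holds while the event reports Core, and a VM created on an older VM version defaults to HwThreadCountPerCore 1 rather than inheriting the host topology.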

15. HTTP/2

In Windows Server 2019 weve made HTTP/2 better with connection coalescing, which allows two websites with a common domain name to share a certificate and a single TCP connection. It also has an improved cipher suite selection, which reduces connection failures and continues to enforce blacklisted ciphers.

16. More secure clustering

The core failover clustering has gotten more secure by completely removing dependency on NTLM, exclusively using Kerberos or certificate-based authentication between nodes, and now no change is required by the user or deployment tools. Check out the documentation “Whats new in Failover Clustering” to learn more.

17. Cluster-aware updating for HCI

Cluster-aware updating for HCI now allows you to easily keep your Windows Server fully patched with the latest updates. It is a technology that orchestrates the roll-out of updates across your server nodes. More information is included in the documentation “Whats new in Failover Clustering,” as well as during the demo “Be an IT hero with Storage Spaces Direct in Windows Server 2019” during Microsoft Ignite 2018.

18. USB witness

Now in Windows Server 2019, in addition to the file share witness, which requires an on-premises connection, and the cloud witness, which requires a connection to the cloud, we offer a third option called USB witness, which uses a USB drive inserted into a compatible router or switch. More information can be found in the documentation “What’s new in Failover Clustering,” as well as in the example steps to configure a USB witness with the NETGEAR Nighthawk X4S.

19. Nested resiliency

Nested resiliency keeps you up and running even when a drive failure and a server failure happen at the same time. It combines parity (erasure-coded) resiliency within each server with mirroring across to the other server, comparable to RAID 5+1, so even a two-node cluster can survive multiple simultaneous failures. To learn more, refer to the documentation “Nested resiliency for Storage Spaces Direct.”

20. Protection with Azure Site Recovery

For smaller sites and branch offices, Azure Site Recovery allows you to protect your virtual machines by replicating them to Azure, and it is integrated into Windows Admin Center. To learn more, refer to the documentation “Protect your Hyper-V Virtual Machines with Azure Site Recovery and Windows Admin Center.”

21. Azure Monitor and Health Service

Health Service on Windows Admin Center is now integrated with Azure Monitor and provides email and SMS notifications when something goes wrong. Learn how to configure Azure Monitor for HCI.

22. Integration with Azure Network Adapter

Azure Network Adapter is an integration into Windows Admin Center that allows you to connect a single server to an Azure virtual gateway so that you can get access from that server to your Azure files and VMs running in Azure. Watch the Microsoft Mechanics video “Windows Server 2019 + Microsoft Azure = hybrid management updates” for a demo.

23. LEDBaT or PacketMon

LEDBAT backs off lower-priority workloads to let high-priority traffic take over, and when the higher-priority traffic slows down, the lower-priority traffic picks back up again within a second or two. Read more about LEDBAT on the Networking Blog.

24. High accuracy time

By implementing features such as Precision Time Protocol, traceability, and leap second support, we’ve ensured improved time accuracy, especially for those of you in regulated industries. Learn more about high accuracy time features in the Windows Server Summit session and in the Windows Time Service documentation.

25. Over 25,000 clusters worldwide!

Last year, we had 10,000 clusters running around the world and this year we have over 25,000 clusters running storage spaces direct!

That’s a wrap!

We just gave you 25 reasons why you should consider HCI with Windows Server. And again, register online to watch the session from Windows Server Summit if you’ve missed it. From security to scalability and enhanced management, we are continuously improving our products to meet your data center needs. And if you stay tuned, I have no doubt you’ll be seeing 25 more reasons soon!

The post 25 reasons to choose Azure Stack HCI appeared first on Windows Server Blog.

Azure Policy Guest Configuration – Client


This post builds upon the introduction published earlier to the PowerShell blog. In this post we are going to explore the Azure Policy Guest Configuration client and how configuration content is consumed. 

The full documentation for this service is available at the following short URL:

https://aka.ms/gcpol 

DSC service/daemon 

Inside Azure Policy Guest Configuration, you will find the new DSC engine as part of the extension for virtual machines. You can see this using the Run Command feature in Azure for any virtual machine that is being audited by Azure Policy using one of the Guest Configuration initiatives. 

The structure of the agent folders is the same for both operating systems. You will find a folder named DSC that contains the binaries for the engine, a folder named logs containing logs generated by the engine, and a subfolder named downloads that is used to support additional requirements. 

Here are some example commands you can use to take a look at the DSC engine yourself. 

Windows 

The Guest Configuration extension for Windows has not been published to GitHub yet.

List the DSC binaries in Guest Configuration in Windows 

Command (note the version is current at this time but could change): 

ls C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\1.13.0.0\dsc\DSC\dsc_*

Result: 

    Directory: C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\1.13.0.0\dsc\DSC

Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----         5/1/2019   1:16 PM         622592 dsc_client.exe                
-a----         5/1/2019   1:14 PM         532992 dsc_diagnostics.dll           
-a----         5/1/2019   1:14 PM         906752 dsc_infrastructure.dll        
-a----         5/1/2019   1:16 PM        1840640 dsc_pull_client.dll           
-a----         5/1/2019   1:17 PM         360960 dsc_reporting.dll             
-a----         5/1/2019   1:28 PM        1252864 dsc_rest_server.dll           
-a----         5/1/2019   1:28 PM         393216 dsc_service.exe               
-a----         5/1/2019   1:26 PM         956928 dsc_timer.dll   

You will also find an instance of pwsh.exe and supporting files in this same (version specific) folder. That is because Guest Configuration includes the portable installation of PowerShell Core so there is no need to manage PowerShell versions for the system. 

View the details of the DSC service in Guest Configuration in Windows 

Command: 

Get-Service DscService | fl * 

Result: 

Name                : DscService
RequiredServices    : {}
CanPauseAndContinue : False
CanShutdown         : False
CanStop             : True
DisplayName         : Guest Configuration Service
DependentServices   : {}
MachineName         : .
ServiceName         : DscService
ServicesDependedOn  : {}
ServiceHandle       : SafeServiceHandle
Status              : Running
ServiceType         : Win32OwnProcess
StartType           : Automatic
Site                :
Container           : 

Linux 

The Guest Configuration extension for Linux is published in GitHub here. 

List the DSC binaries in Guest Configuration in Linux 

Command (note the version is current at this time but could change): 

ls /var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationforLinux-1.11.0/GCAgent/DSC/dsc_* 

Result: 

[stdout]
/var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationforLinux-1.11.0/GCAgent/DSC/dsc_client
/var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationforLinux-1.11.0/GCAgent/DSC/dsc_linux_service 

Currently, Guest Configuration in Linux is only supporting content in the format of Chef InSpec profiles. We expect this to soon open to PowerShell-based resources and other tool formats. 

View the details of the DSC service in Guest Configuration in Linux 

Command: 

systemctl status dscd.service 

Result: 

● dscd.service - DSC Service
   Loaded: loaded (/lib/systemd/system/dscd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-06-04 18:13:28 UTC; 1h 48min ago
 Main PID: 22327 (dsc_linux_servi)
    Tasks: 42
   Memory: 11.9M
      CPU: 1.483s
   CGroup: /system.slice/dscd.service
           └─22327 /var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationforLinux-1.11.0/GCAgent/DSC/dsc_linux_service

Jun 04 18:13:28 linux systemd[1]: Started DSC Service.
Jun 04 18:13:28 linux dsc_linux_service[22327]: Running DSC rest server...

Configurations 

Configurations in Guest Configuration are managed in a whole new way. There is no longer a need for partial configurations because many configurations can be managed independently. 

Please keep in mind that currently, configurations are used only for auditing settings and not enforcing the configuration. 

The model for Guest Configuration takes lessons learned from both the DSC Extension and State Configuration service. The Guest Configuration service does not require or support uploading and storing assets in the service, or a compilation service. Configurations are packaged in .zip format as they were for DSC Extension. A Guest Assignment in the Guest Configuration resource provider includes a reference to the location of the package, a hash value of the package file, and a table of parameters to be passed to the engine when the configuration is executed. 

For content provided by Microsoft, the configuration content is managed and replicated globally. When the package is downloaded to the machine, it is decompressed and extracted to a local folder. 

Each folder contains everything needed for DSC to manage the configuration including the mof, any resources required, and the metaconfiguration to use for that configuration. This means the mode, frequency, and other LCM settings can be unique per configuration. 

View configuration content in Windows 

In this test case, the server is in scope of multiple audit policies. 

Command: 

ls C:\ProgramData\GuestConfig\Configuration 

Result: 

 Directory: C:\ProgramData\GuestConfig\Configuration

Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d-----         6/5/2019   1:03 PM                WindowsDefenderExploitGuard   
d-----         6/5/2019   1:03 PM                WindowsDscConfiguration       
d-----         6/5/2019   1:03 PM                windowsfirewallenabled        
d-----         6/5/2019   1:03 PM                WindowsLogAnalyticsAgentConnection                          
d-----         6/5/2019   1:03 PM                WindowsPendingReboot          
d-----         6/5/2019   1:04 PM                WindowsPowerShellModules      
d-----         6/5/2019   1:04 PM                WindowsTimeZone                

View configuration content in Linux 

In this test case, the server is in scope of only one audit policy. 

Command: 

ls /var/lib/GuestConfig/Configuration 

Result: 

[stdout]
firewalldenabled 

Logs 

Log output is available on each node within the agent folder named Logs. This can also be returned using Run Command; however, that output is limited to the last 4096 bytes, so it is best to filter the logs to only what you are looking for. Example approaches are given below. 

View error messages in Windows logs 

Command (note the version is current at this time but could change): 

Select-String -Path 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\1.13.0.0\dsc\logs\dsc.log' -Pattern 'DSC*Engine' -CaseSensitive -Context 0,5 

Result (this is a short snippet of the actual output): 

 [INFO] [00000000-0000-0000-0000-000000000000] Job 3af0538a-35f4-415f-b5b8-70ae3099e6a2 : Operation Get-DscConfiguration completed successfully. 

View error messages in Linux logs 

Command (note the version is current at this time but could change): 

grep -A 5 'DSC*Engine' '/var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationforLinux-1.11.0/GCAgent/logs/dsc.log' 

Result (this is a short snippet of the actual output): 

 [2019-06-05 18:14:22.772] [PID 30775] [TID 30824] [DSCEngine] [INFO] [00000000-0000-0000-0000-000000000000] Job 6ae51953-24aa-44e8-8abb-4ec522cc5b1f : Method CU_TestConfiguration ended successfully 
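The dsc.log entries above share a fixed bracketed layout (timestamp, PID, TID, component, level, correlation id, message), so they can be parsed into objects and filtered before being pulled back through the 4096-byte Run Command window. The following PowerShell is an added example, not code from the original post or from the Guest Configuration agent; the function names are hypothetical, and the sample lines (including the ERROR entry) are constructed for illustration in the layout shown above.

```powershell
# Added example: parse Guest Configuration dsc.log lines, keep the entries worth
# surfacing, and trim the report to what Run Command can return.
# The line layout is taken from the Linux dsc.log snippet in the post; everything
# else here (function names, sample data) is constructed for this example.

$script:DscLogPattern = '^\[(?<Timestamp>[^\]]+)\] \[PID (?<ProcessId>\d+)\] \[TID (?<ThreadId>\d+)\] ' +
    '\[(?<Component>[^\]]+)\] \[(?<Level>[^\]]+)\] \[(?<Correlation>[^\]]+)\] (?<Message>.*)$'

function ConvertFrom-DscLogLine {
    # Turns one dsc.log line into an object; lines that do not follow the
    # layout (continuation lines, blank lines) are silently skipped.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -notmatch $script:DscLogPattern) { return }
        $m = $Matches.Clone()                      # keep this match; the next -match overwrites $Matches
        $jobId = $null
        if ($m.Message -match 'Job (?<Job>[0-9a-f-]{36})') { $jobId = $Matches.Job }
        [pscustomobject]@{
            Timestamp   = [datetime]::ParseExact($m.Timestamp, 'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            ProcessId   = [int]$m.ProcessId
            ThreadId    = [int]$m.ThreadId
            Component   = $m.Component
            Level       = $m.Level
            Correlation = $m.Correlation
            JobId       = $jobId
            Message     = $m.Message
        }
    }
}

function Select-DscLogEntry {
    # Filters parsed entries to a component (the post greps for 'DSC*Engine';
    # here the same idea is expressed as a .NET regex) and to the levels of interest.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$Level = @('ERROR', 'WARNING'),
        [string]$ComponentPattern = '^DSC.*Engine$'
    )
    $Lines | ConvertFrom-DscLogLine |
        Where-Object { $_.Component -match $ComponentPattern -and $_.Level -in $Level }
}

function Limit-RunCommandOutput {
    # Run Command only returns the last 4096 bytes, so keep the tail of the
    # report and cut it on a line boundary instead of mid-entry.
    param([Parameter(Mandatory)][string]$Text, [int]$MaxBytes = 4096)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    if ($bytes.Length -le $MaxBytes) { return $Text }
    $tail = [System.Text.Encoding]::UTF8.GetString($bytes, $bytes.Length - $MaxBytes, $MaxBytes)
    $nl = $tail.IndexOf("`n")
    if ($nl -ge 0) { $tail.Substring($nl + 1) } else { $tail }
}

# Constructed sample lines in the layout shown in the post (not real agent output).
$SampleLog = @(
    '[2019-06-05 18:14:22.772] [PID 30775] [TID 30824] [DSCEngine] [INFO] [00000000-0000-0000-0000-000000000000] Job 6ae51953-24aa-44e8-8abb-4ec522cc5b1f : Method CU_TestConfiguration ended successfully',
    '[2019-06-05 18:14:23.104] [PID 30775] [TID 30824] [DSCEngine] [ERROR] [00000000-0000-0000-0000-000000000000] Job 6ae51953-24aa-44e8-8abb-4ec522cc5b1f : Method CU_GetConfiguration failed (constructed sample entry)',
    '[2019-06-05 18:14:23.110] [PID 30775] [TID 30824] [Service] [WARNING] [00000000-0000-0000-0000-000000000000] Report upload retried (constructed sample entry)',
    'this line does not follow the layout and is skipped'
)

$entries = Select-DscLogEntry -Lines $SampleLog          # only the DSCEngine ERROR entry survives
$entries | Format-Table Timestamp, Level, JobId, Message -AutoSize

# Compact one-line-per-entry report sized for Run Command.
$report = ($entries | ForEach-Object { '{0:o} {1} {2}' -f $_.Timestamp, $_.Level, $_.Message }) -join "`n"
Limit-RunCommandOutput -Text $report
```

Pointing `$Lines` at `Get-Content` of the dsc.log path for your agent version gives the same filtered report from a real node.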

Thank you!
Michael Greene
Principal Program Manager
Microsoft Azure
@migreene 

 

The post Azure Policy Guest Configuration – Client appeared first on PowerShell.

Azure Policy Guest Configuration – Service


This post builds upon the introduction published earlier to the PowerShell blog. In this post we are going to explore the Azure Policy Guest Configuration service. 

The full documentation for this service is available at the following short url. 

https://aka.ms/gcpol 

Resource provider 

At a fundamental level, this solution includes a new resource provider in Azure named “Microsoft.GuestConfiguration” and new virtual machine extensions named “Microsoft.GuestConfiguration.GuestConfigurationforLinux” and “Microsoft.GuestConfiguration.GuestConfigurationforWindows”. 

The new engine is delivered to the virtual machine by the extension. When the service/daemon starts, it queries the service to see if there are any jobs for the virtual machine. If so, it downloads the content (DSC mof/modules, packaged in the same way as DSC extension), performs the work, and reports status. Behind the scenes, microservices and big data platforms ensure data remains geographically local. 

The following diagram demonstrates the flow of requests as a Guest Assignment is published, the list of assignments is requested from the VM, the VM downloads and runs the configuration, status is returned to a regional location, and summary information is presented to Azure Policy. 

Diagram: (request flow image not included in this text) 

You can think of the resource provider as surfacing VM scenarios into the Azure Resource Manager API. If you require that only one group of users should have administrative privilege inside a server, you can express that requirement as a Guest Assignment in Azure Resource Manager. This is just a reference to a configuration that checks (“Test”) whether only that group has the intended access and returns who currently has access (“Get”). The scenario is given as a property of the virtual machine through a provider resource “Microsoft.GuestConfiguration”. 

Here is an example of that in code: 

{
  "apiVersion": "2018-11-20",
  "type": "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments",
  "name": "[concat(parameters('vmName'), '/Microsoft.GuestConfiguration/', parameters('configurationName'))]",
  "location": "[parameters('location')]",
  "properties": {
    "guestConfiguration": {
      "name": "[parameters('configurationName')]",
      "version": "1.*",
      "configurationParameter": [
        {
          "name": "[LocalGroup]AdministratorsGroup;Members",
          "value": "[parameters('Members')]"
        }
      ]
    }
  }
}

Using built-in policies 

One of our learnings from DSC has been to reduce complexity. We are aiming for a solution that you can just enable and immediately see value. A good example of this approach was Active Directory Group Policy. While Group Policy presented challenges for developers looking to rapidly iterate between builds, the concept of just picking the settings you need and turning them on has been popular with large enterprises. 

Our current list of built-in content is below.  This is growing nearly every week.  You can view this list in the Azure Portal by opening Policy and clicking Definitions, then changing the ‘Type’ filter to ‘Initiative’ and the ‘Category’ filter to ‘Guest Configuration’.  You can also run the following command to get a current list using PowerShell with the Az cmdlet. 

Get-AzPolicySetDefinition -Builtin | ? {$_.Properties.Metadata.Category -eq "Guest Configuration"} | % {$_.Properties.DisplayName} 

NOTE: it is important when assigning these policies to use the Initiative.  The DeployIfNotExists policy loads the VM extension, which is a requirement for Audit/AuditIfNotExists policies in Guest Configuration to work properly. 

Policy initiative display name: 

  • Audit Windows VMs in which the Administrators group does not contain only the specified members 
  • [Preview]: Audit Windows VMs on which the Log Analytics agent is not connected as expected 
  • Audit Windows VMs in which the Administrators group does not contain all of the specified members 
  • Audit Windows VMs that do not have the specified applications installed 
  • [Preview]: Audit VMs with insecure password security settings 
  • Audit Windows VMs that are not set to the specified time zone 
  • Audit Windows VMs that are not joined to the specified domain 
  • Audit Windows web servers that are not using secure communication protocols 
  • [Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled 
  • Audit Windows Server VMs on which Windows Serial Console is not enabled 
  • Audit Windows VMs in which the Administrators group contains any of the specified members 
  • [Preview]: Audit Windows VMs that contain certificates expiring within the specified number of days 
  • [Preview]: Audit Windows VMs that have not restarted within the specified number of days 
  • [Preview]: Audit Windows VMs on which the DSC configuration is not compliant 
  • Audit Linux VMs that do not have the specified applications installed 
  • Audit Windows VMs with a pending reboot 
  • Audit Windows VMs that do not have the specified Windows PowerShell modules installed 
  • [Preview]: Audit Windows VMs that do not contain the specified certificates in Trusted Root 
  • Audit Windows VMs that have the specified applications installed 
  • Audit Linux VMs that have the specified applications installed 

Viewing results 

You can view the results of the policy in the Azure Portal (as described here), and you can also get results using the cmdlets provided by a new module named Az.GuestConfiguration. A step-by-step guide for using these cmdlets is available here. 

The key scenario for the cmdlets is to use the Get-AzVmGuestPolicyStatusHistory cmdlet with the -ShowOnlyChange parameter. This will tell you every time a VM was out of compliance over the reporting period and why. 

The Az Guest Configuration cmdlets are documented here. 

You can also directly query the Azure Policy Guest Configuration REST API to see the results of your audits. This includes the “Compliance Reasons” data that returns the raw information from the tool used to perform the audit. For Windows this data includes the name of the DSC resource used to run Test and Get, and the data returned. For Linux this includes the fully formatted output from InSpec. For both platforms, we intend to be open and extensible going forward. 

The API for getting compliance details is documented here. 

Thank you!
Michael Greene
Principal Program Manager
Microsoft Azure
@migreene 

The post Azure Policy Guest Configuration – Service appeared first on PowerShell.

DSC Planning Update – June 2019


It has been almost a year since the last DSC Planning update. There has been a lot going on, many decisions being made, and it just didn’t make sense to post earlier in this calendar year. In this post we will review what has been shipped and the high-level direction we are heading. 

I am accompanying this post with write-ups that are for the more technical audience. In two parts, I would like to explain the implementation of the Guest Configuration client/service and exactly how the new DSC engine functions. 

If you take nothing else away, here are the top-level items: 

  • The new implementation of DSC is Azure Policy Guest Configuration 
  • The solution is GA for built-in content and is moving towards a preview for custom content 
  • Your skill set and your DSC scripts/modules can be used in a new way 

Azure Policy Guest Configuration 

Previously we have referred to the new DSC codebase under different names: DSC Core and the new LCM. We also disclosed that the platform would be used in Azure Policy Guest Configuration. 

What have we shipped? 

The DSC codebase we have been working on is now fully GA as Azure Policy Guest Configuration but this is not the DSC you have known up to this point. It is best to think of Azure Policy Guest Configuration as based on the DSC syntax but functionally a new platform. 

The intention for this service is to build confidence so application developers/owners are free to deploy servers when they need them without putting the organization at risk. Building this platform on a tool that was designed with operations in mind helps us to look beyond the types of settings that we thought about in platforms such as Group Policy. We can include operational requirements such as making sure all servers have a healthy monitoring agent, logging configuration, and the correct certificates in place to function in an enterprise environment. 

DSC has been the basis for other Azure solutions such as the Azure DSC Extension and Azure Automation State Configuration, that help you to configure virtual machines. Azure Policy Guest Configuration currently provides an audit platform to validate settings inside virtual machines. 

The full documentation for this service is available at the following short url. 

https://aka.ms/gcpol 

If you would like to continue reading about how this service is technically implemented, the two technical write-ups are published to accompany this post. 

Azure Policy Guest Configuration – Service

Azure Policy Guest Configuration – Client

High level direction forward 

For the next semester (the second half of 2019 calendar year) we are focused on iterating upon our first release of this solution, introducing the ability for you to use your own content for auditing machines, and to enable you to also enforce settings inside virtual machines using Azure Policy. 

It is important for many people to understand what the options will be to use DSC in disconnected scenarios going forward.  We are considering our options in this area and taking the feedback seriously.  I hope to have more to share on this area in the future. 

Iterating upon our first release of the solution includes multiple areas where we believe we can make life easier for customers. One of the patterns we have observed is customers assigning an audit policy but forgetting to assign the policy that handles automatically onboarding servers.  In the future we believe we can make this simpler.  We have also heard from customers that they would like to have the option to bulk export data about virtual machine compliance so it can be used in other tools, and that they would like to use the solution to audit servers running outside of Azure. 

We hope to enable customers to use their own content, and the tools of their choice, when auditing settings inside virtual machines. As an example, we have heard from Chef customers that they would like to be able to use InSpec to audit Windows Servers. As a result, we announced in our session at Chef Conference that we will be co-maintaining a Guest Configuration provider for InSpec as a collaborative open source project that customers can use in Azure Policy Guest Configuration. More information can be found here. 

We are investing in getting the user experience right for developing custom content, cross platform for the developer workstation, and having a validation and troubleshooting experience that improves on lessons we learned with DSC. We will soon be moving into a public preview of custom content. In the meantime, you are welcome to give us feedback in our request for comments public GitHub repo here. 

Finally, we are investigating the right approaches for enforcing settings inside virtual machines using Azure Policy. With this scope in mind, I would like to invite you to respond to a (an anonymous) survey to provide feedback on your top requirements. 

Survey link 

Thank you!
Michael Greene
Principal Program Manager
Microsoft Azure
@migreene 

The post DSC Planning Update – June 2019 appeared first on PowerShell.


Microsoft Intune customer adoption pack is now available


We are excited to announce the updated Microsoft Intune Customer Adoption Pack is now available. It is a set of content and guidance that IT administrators, trainers, champions, and change management professionals can use to drive Microsoft Intune adoption in your organization and help ensure your users get up and running quickly.

 

Microsoft Intune helps you enable your workforce to take advantage of the latest cloud-based services and apps on any device, while protecting your corporate data. If you previously did not require mobile devices to be enrolled for work access, or your employees enrolled their device in a different management solution in the past, it is important that everyone in the organization understands the need for device management and mobile security when you implement Microsoft Intune. A comprehensive communication plan helps reassure any users concerned about their privacy and explains the safeguards in place to protect both user privacy and company resources.

 

This adoption pack contains videos, posters, and onboarding templates that can be used as is or customized to simplify the endpoint management adoption in your organization. It complements the wide range of planning guides, communication guides, and end user help available in Microsoft documentation.

 


 

The Microsoft Intune Adoption Pack includes the following resources for each phase of roll-out:

Email templates

We recommend the following email communication plan. We’ve provided templates for you to adapt for your communication plan:

  • Email #1: Explain the benefits, expectations and schedule.  Take this opportunity to showcase any other new services whose access will be granted on devices managed by Intune.

 

  • Email #2: Announce that services are now ready for access through Microsoft Intune.  Tell users to enroll now.  Give users a timeline before their access is affected.  Remind users of benefits and strategic reasons for migration.

After a certain period, you can begin enforcing compliance through conditional access policies and use it as criteria to access corporate data, as explained in Drive end-user adoption with conditional access.

 

Intune Enrollment Guide

This PDF attachment can be provided to your users as-is, or you may customize the Word version to include your internal resources and contact information.

 

Instructional Videos

We have created and included short, step-by-step YouTube videos to aid your users in easily enrolling their devices in Intune.

  • Enroll your Android device for full management
  • Enroll your Android device for Work Profile management
  • Enroll your iOS device
  • Enroll your macOS device
  • Enroll your Windows 10 device

 

Next steps

Microsoft Intune is designed for the modern era of corporate connectivity from any location and any device, which must not only enable great consumer experiences at work but also protect against the increased risk of inadvertent and malicious threats to corporate data. Join the over 100 million customers across the world who trust Microsoft 365 Enterprise Mobility + Security (EMS) to stay connected, secure data and get things done on the go.

 

Microsoft offers a variety of resources and support tools to help you in this journey. Plan your cloud services deployments with online resources and tools from FastTrack, a service that’s included in your eligible Microsoft subscription at no additional cost. FastTrack provides customized guidance for on-boarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources instead of creating new ones.

 

Visit the planning and migration documentation to drive successful customer adoption of managed mobile productivity with a robust communication plan.

 

 

More info and feedback

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

 

Follow @MSIntune on Twitter


How to Use an Additional Computer as a Secondary Display


___________________________________________________________________________________________________________________________

IMPORTANT ANNOUNCEMENT FOR OUR READERS!

AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving June 20, 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!

__________________________________________________________________________________________________________________________

Hello again. It is Mike “Cannonball” Kullish back in only my second post, so please be gentle. I was recently working with a customer and they asked me if it was possible to use a Surface Pro or Surface Go as a secondary monitor. I had never thought about this before, so figured I would see if I could figure it out. It only makes sense, right? I promise to keep this article sweet and to the point. (Mostly anyway…)

Well, it looks like our friends in the Windows Product Group have our backs. A quick search of Bing, did not provide the results I was looking for, but an email to another very smart PFE led me to a solution. (A big shout-out to Tom Ausburne for filling me in on an easy way to extend or duplicate your primary Windows 10 monitor to another Windows 10 device!) The quick answer is to use the Microsoft “Connect” app that is already installed on Windows 10 devices along with the Project option that shows up in the Windows Notification Center (Win + P). For the example below, I have a Surface Book 2 that I am using as my primary machine, and a Surface Pro 4 that I will use as a secondary display.

On the Surface Pro 4:

  1. Click on the Windows icon in the lower left-hand corner of the screen

  2. Type Connect and verify the application is installed.

  3. Click to launch the Connect App

On the Surface Book 2:

  1. As with most Microsoft solutions, we have options. You can either:
    1. Open the Windows Message Center and Project

      Or

    2. Type Win+P and choose “Connect to a Wireless Display.” (It shows up if you are on the same network.)
    3. Choose the option to Connect to a wireless display:

  2. Select the Surface Pro 4 device from above to connect the second monitor

  3. You can click Win+P again to choose extend display.

  4. Now you have multi-monitor capabilities.

My experience so far has been that this solution will work on most any Windows 10 device that supports Miracast, but in lab testing, I only used a Surface Book 2, Surface Go, and Surface Pro 4. I have to admit that I always travel with 2 devices, and this solution has come in handy on more than one occasion while sitting in a hotel working on a customer solution.

Thanks for reading, and I hope this helps you out!

Release of PowerShell Script Analyzer 1.18.1


Overview

PSScriptAnalyzer (PSSA) 1.18.1 is now available on the PSGallery. It fixes not only a lot of the issues reported for 1.18.0 but has also been made twice as fast compared to 1.18.0. Additionally, the -SaveDscDependency switch on Invoke-ScriptAnalyzer has been improved to be platform agnostic and should now also work on Linux systems if DSC has been set up. A long-standing concurrency bug related to analysing module manifests has also been fixed. Analysis showed that Test-ModuleManifest is not thread-safe due to a bug either in the cmdlet or in the PowerShell engine itself; we resolved it by having a lock around calls to this cmdlet.

Formatter Fixes

This applies especially to its usage within the VS Code PowerShell extension:

  • The new PSUseCorrectCasing formatting rule had to be adjusted to not expand/change paths and to treat wildcard characters correctly. Under the hood the rule calls Get-Command and because Get-Command ? returns all commands that have a name of length 1, it returned ForEach-Object first, which made PSSA incorrectly change the ? alias for Where-Object to ForEach-Object. The PowerShell VS Code extension has the powershell.codeFormatting.useCorrectCasing setting that wraps around this configuration and the setting is currently defaulting to false due to those issues that were found. With PSSA 1.18.1, we’d encourage you to enable the setting again as we think that we have fixed all issues and pending feedback we plan to enable the setting by default. Although the VS Code extension ships a backup version of PSSA (currently 1.18.0), one can always install PSScriptAnalyzer locally and the extension will pick it up. You can install the newer PSScriptAnalyzer version and start using it without having to wait for the extension to release an update.
  • The new PipelineIndentation configuration setting of the PSUseConsistentIndentation formatting rule had a bug when it was set to IncreaseIndentationForFirstPipeline or IncreaseIndentationAfterEveryPipeline and in certain cases, indentation of code following the pipeline could be incorrectly indented. Currently the VS Code setting powershell.codeFormatting.pipelineIndentationStyle for it is set to NoIndentation to avoid this bug. We encourage you here as well to try out the options again so that we can get feedback before we set the default of the VS Code setting to IncreaseIndentationForFirstPipeline (which is the default when calling Invoke-Formatter without parameters). This desired default was voted for by the community here.

Conclusion and Future Outlook

Please try out this new patch. If you install it using Install-Module, the VS Code extension will automatically use it after a restart of the integrated terminal session or just by re-opening VS Code. Getting feedback in this period is very important so that the PowerShell team can make a decision on when to include 1.18.1 by default in one of the next updates of the PowerShell extension. After feedback from this phased rollout, we will consider changing the default settings in the extension as mentioned above. It is hard to anticipate all the use cases, so we chose to make features configurable behind new flags and roll out the changes to a smaller user group first.

The Changelog has more details if you want to dig further.

On behalf of the Script Analyzer team,

Christoph Bergmeister, Project Maintainer from the community
Jim Truher, Senior Software Engineer, Microsoft

The post Release of PowerShell Script Analyzer 1.18.1 appeared first on PowerShell.

Customers get unmatched security with Windows Server and SQL Server workloads in Azure


This blog post was authored by Arpan Shah, General Manager, Microsoft Azure.

Customers such as Allscripts, Chevron, J.B. Hunt, and thousands of others are migrating their important workloads to Azure where they find unmatched security. While understanding cloud security is initially a concern to many, after digging in, customers often tell us the security posture they can set up within Azure is easier to implement and far more comprehensive than what they can provide for in other environments.

Azure delivers multiple layers of security, from the secure foundation in our physical datacenters, to our operational practices, to engineering processes that follow industry standard Mitre guidelines. On top of that, customers can choose from a variety of self-service security services that work for both Azure and on-premises workloads. We employ more than 3,500 cybersecurity professionals and spend $1 billion annually on security to help protect, detect, and respond to threats, delivering security operations that work 24x7x365 for our customers.

Let’s look at some examples of how Azure delivers unmatched security for your Windows Server and SQL Server workloads.

The broadest built-in protections across hybrid environments with Azure Security Center

Customers can get the broadest built-in protection available across both cloud and on-premises through Azure Security Center. This includes security recommendations for virtual machines, storage, networking, databases, identity, application services, and IoT, all from a single integrated dashboard.

Azure Security Center leverages the Microsoft Intelligent Security Graph, which collects more than 6.5 trillion signals daily from Microsoft services such as Xbox, Dynamics 365, Office 365, Azure, and our broad partner ecosystem. With Azure Security Center, customers can easily install an agent on Windows Server and get detailed recommendations on which best practices to implement such as installing end-point protection and the latest patches. It also comes with all the capabilities of Microsoft Defender ATP built-in. As a result, you get to tap into our industry-leading threat protection to protect your Windows Server and SQL Server workloads.

Further, Azure Security Center integration will soon be available through Windows Admin Center, a modern Windows Server management solution being used to manage millions of instances today. With a few clicks, you will soon be able to secure your Windows Server instances on-premises directly from Windows Admin Center.

Unique platform-level security and governance

Azure's consistent policy platform makes it easier for you to apply security policies faster across your Windows Server and SQL Server workloads. For every workload you run in Azure, you can easily define a set of security policies and apply them uniformly across your subscriptions or management groups at scale. Using Azure Blueprints, you can literally create a new subscription with all the security settings you need in a few clicks. All of this is possible because Azure has a unique underlying resource management foundation, giving you the confidence that your Windows Server and SQL Server workloads are compliant by design. Best of all, Azure Governance capabilities are available at no additional charge.

Built-in, AI driven Security Information and Event Management (SIEM)

Customers often use a SIEM to bring together threat protection information from across the enterprise to enable advanced hunting and threat mitigation. Azure Sentinel is a cloud-native SIEM with built-in AI that enables you to focus on the important threats rather than low fidelity signals. It helps reduce noise drastically; we have seen a reduction of up to 90 percent in alert fatigue from early adopters. It also lets you combine signals from your Windows Server and SQL Server workloads on Azure with all of your other assets including Office 365, on-premises applications, and firewalls to get ahead of bad actors and mitigate threats.

Industry leading confidential computing capabilities

Azure confidential computing offers encryption of data while in use, a protection that has been missing from both on-premises datacenters and public clouds. For certain workloads, it is important to ensure the data is not transparent while it is processed in the CPU. Azure brings this capability through hardware-based enclaves built on top of Intel SGX extensions in the Azure DC series of virtual machines. Microsoft, as the cloud operator, cannot access the data or compute resources inside a secure enclave. Confidential computing also opens up new scenarios like secure blockchain or multi-party machine learning where the data is shared between two parties, but neither has access to the other party's data due to the secure enclaves. In addition, we have enhanced the Always Encrypted feature in SQL Server 2019 to support secure enclaves and you can build your own applications using this technology with our open SDK.

Unique database security monitoring for your cloud SQL

We use our experience from monitoring more than one million databases over the past few years to offer Advanced Data Security for SQL Database and SQL Server VMs. It includes two key components: vulnerability assessment and Advanced Threat Detection. Vulnerability assessment scans your databases so you can discover, track, and remediate potential database vulnerabilities. Advanced Threat Detection continuously monitors your database for suspicious activities like SQL injection and provides alerts on anomalous database access patterns. Threat alerts and reports from vulnerability assessments also appear in the Azure Security Center threats dashboard.

Free security updates for Windows Server and SQL Server 2008

We understand that customers are still running workloads on SQL Server and Windows Server 2008 and 2008 R2. These versions are approaching end of support in July 2019 and January 2020 respectively. You can automatically get three additional years of free Extended Security Updates if you simply migrate your 2008 and 2008 R2 instances to Azure to ensure they are protected. You can plan your upgrades to newer versions once they are in Azure. Additionally, for SQL Server, you can migrate legacy SQL Server workloads to Azure SQL Database Managed Instances. With this fully managed, version-less service your organization will not face end of support deadlines again.

Get started with Azure for unmatched security in the cloud

Microsoft offers you the training and best practice guidance you need to set up the most powerful protection for your Windows Server and SQL Server workloads in the cloud.

To learn even more best practices on how to take advantage of the built-in tools in Azure to protect your workloads, save the date for the upcoming Azure Security Expert Series webinar coming next Wednesday, June 19, 2019.

The post Customers get unmatched security with Windows Server and SQL Server workloads in Azure appeared first on Windows Server Blog.

It's Moving Day for AskPFEPlat!


Hello world! Brandon Wilson, Sr PFE, excited to be here with you yet again! Today’s post is a different kind of post, one that, for me personally, tugs a bit at my heart strings. Today I am here to announce that AskPFEPlat will be closing its doors on TechNet (effective June 17, 2019); it has certainly been a long run since that first post in 2011. We aren’t going away though, we have simply moved to a new location, and due to team growth, integration, and everything else that’s happened over our long run on TechNet, we are also rebranding to be the Core Infrastructure and Security (CIS) blog team.

If you haven’t happened to have noticed the over 450 banners at the top of all of our posts for the last few months, we have moved to the Core Infrastructure and Security TechCommunity on the https://techcommunity.microsoft.com site. I’ll go ahead and apologize for those header eyesores now…a few months late, but better late than never, right?!

Rest assured, everything authored by AskPFEPlat over the years has been migrated and is available right now, as I type and as you read, over at https://aka.ms/CISTechComm! As a part of this migration, we have also joined forces with numerous other blog teams to extend our reach and content impact for our readers. So, if you haven’t already, please bookmark the site and visit us just as often as you have over the years!

You will find that most blog content from the majority of blogs on TechNet and MSDN are migrating over to the TechCommunity site, as TechNet and MSDN blog sites will be going into read-only/archive mode, also effective June 20, 2019. Speaking of which, if you happened to run across any blog content you expected to find but ended up getting a default “not found” type of page, that issue should now be corrected.

The Core Infrastructure and Security (AskPFEPlat) TechCommunity can be found at https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/ct-p/CoreInfrastructureandSecurity, and our blog content listing can now be found at https://aka.ms/CISTechComm (or if you like the super long URLs, https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/bg-p/CoreInfrastructureandSecurityBlog). Please by all means, join the techcommunity as a member. It isn’t necessary to become a member of the TechCommunity in order to view our content of course, but it does help out our internal team with potential future enhancements to the CIS TechCommunity.

NOTE: After June 20, 2019, any requests for AskPFEPlat content will be redirected to the root of the CIS TechCommunity blog site. You may have to update your bookmarks. Due to the amount of content we have, 1-to-1 redirection wasn’t feasible, and as such you may need to search for the blog content again. Content titles have not changed, nor have authors, so if you search either of those within the TechCommunity, you should find what you are looking for quickly!

 

Just to recap, in simple form, where we can be found:

Core Infrastructure and Security TechCommunity “main” page/home base:

https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/ct-p/CoreInfrastructureandSecurity

Core Infrastructure and Security TechCommunity blog:

https://aka.ms/CISTechComm

-or-

https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/bg-p/CoreInfrastructureandSecurityBlog

Since we are on the topic, I would also like to take this time for a shameless plug for a partner TechCommunity, the Premier Field Engineering TechCommunity (https://aka.ms/PFETechComm), which opened its doors at the beginning of May 2019. Here you can find excellent blog content on various technical topic areas, predominantly authored by Premier Field Engineers, along with information regarding our Premier offerings (workshops, health checks, etc). The PFE TechCommunity is also a culmination of many other blog teams, but is technology agnostic. If you haven’t found it already, please feel free to join the community and bookmark the PFE TechCommunity blog page as well!

 

To make things easier for you to explore the TechCommunity site in general, here are a couple of quick links for you:

TechCommunity main blog listings (right hand side):

https://techcommunity.microsoft.com/t5/custom/page/page-id/Blogs

TechCommunity listings:

https://techcommunity.microsoft.com/t5/Communities/ct-p/communities

 

Last but not least, I personally, and I think I can also speak for the entirety of the AskPFEPlat and Core Infrastructure and Security blog teams past and present, would like to sincerely thank all of our readers who have supported us over the years! If I could thank each and every one of you personally, I would. On this topic, I would also like to thank the over 400 Premier Field Engineers, Consultants, Architects, Supportability Managers, Program Managers, and others that have been contributors to our blog team over the years! So, please continue checking in with us at our new home (https://aka.ms/CISTechComm), and we look forward to bringing you more quality content for many years to come from our new home!

 

As always, thanks for reading, and we look forward to seeing you over in our new home!

 

-Brandon “Now that wasn’t nearly as long as normal” Wilson

Prioritize user investigations in Cloud App Security


This week we announced a new Identity threat investigation experience, which correlates identity events from Microsoft Cloud App Security, Azure Advanced Threat Protection, and Azure Active Directory Identity Protection into a single investigation experience for security analysts and hunters alike.

If you are using Microsoft Cloud App Security, you will be able to access the new experience in the portal starting today, regardless of whether you are also using Azure Advanced Threat Protection and/or Azure Active Directory Identity Protection.*

 

The identity threat investigation experience combines user identity signals from on-premises and cloud services to close the gap between disparate signals in your environment and leverages state-of-the-art User and Entity Behavior Analytics (UEBA) capabilities to provide a risk score and rich contextual information for each user. It empowers security analysts to prioritize their investigations and reduce investigation times, ending the need to toggle between identity security solutions.

 

Image: Microsoft Cloud App Security - A uniquely integrated CASB

New user investigation priority for users

The Top user view in the Microsoft Cloud App Security dashboard is shifting from an investigation model that is based on the number of total alerts, to a new user investigation priority which is determined by all recent user activities and alerts that indicate an active attack or insider threat. This now helps you immediately understand which users currently represent the highest risk within your organization and should be prioritized for further investigation.

 

Image 1: Cloud App Security dashboard: Top user view by investigation priority

 

New user page

We have also redesigned the existing user page to provide rich contextual information for how the risk score was determined and how a user compares to others across the organization. This will empower your SOC teams to address the users with the highest risk/impact ratio first and pivot from any scored activity into the deep dive alert investigation that you’re already familiar with.

 

Image 2: New user page in the Cloud App Security portal

From the new user page, you can then easily dive deeper into each one of the alerts or activities that you see on the timelines and pivot into the Cloud App Security investigation experience that you’re already familiar with.

 

Image 3: Deep dive investigation of alerts from the user timeline

The new Identity threat investigation experience further enriches the Cloud App Security portal and available investigation capabilities, giving SecOps teams correlated and weighted information to make better decisions, save time and more effectively remediate user threats and risks.

 

More info and feedback

 

*The information available on the new user page can vary depending on the services that you are using (Azure Advanced Threat Protection, Azure AD Identity Protection)

 

 

 

DSC Resource Kit Release June 2019


We just released the DSC Resource Kit!

This release includes updates to 8 DSC resource modules. In the past 6 weeks, 95 pull requests have been merged and 55 issues have been closed, all thanks to our amazing community!

The modules updated in this release are:

  • CertificateDsc
  • NetworkingDsc
  • PSDscResources
  • SharePointDsc
  • SqlServerDsc
  • xActiveDirectory
  • xDnsServer
  • xPSDesiredStateConfiguration

For a detailed list of the resource modules and fixes in this release, see the Included in this Release section below.

Our latest community call for the DSC Resource Kit was last Wednesday, June 19. A recording of the call will be posted on the PowerShell YouTube channel soon. You can join us for the next call at 12PM (Pacific time) on July 31 to ask questions and give feedback about your experience with the DSC Resource Kit.

The next DSC Resource Kit release will be on Wednesday, August 7.

We strongly encourage you to update to the newest version of all modules using the PowerShell Gallery, and don’t forget to give us your feedback in the comments below, on GitHub, or on Twitter (@PowerShell_Team)!

Please see our documentation here for information on the support of these resource modules.

Included in this Release

You can see a detailed summary of all changes included in this release in the table below. For past release notes, go to the README.md or CHANGELOG.md file on the GitHub repository page for a specific module (see the How to Find DSC Resource Modules on GitHub section below for details on finding the GitHub page for a specific module).

Module Name Version Release Notes
CertificateDsc 4.7.0.0
  • Opted into Common Tests “Common Tests – Validate Localization” – fixes Issue 195.
  • Combined all CertificateDsc.ResourceHelper module functions into CertificateDsc.Common module and renamed to CertificateDsc.CommonHelper module.
  • CertReq:
    • Fix error when ProviderName parameter is not encapsulated in double quotes – fixes Issue 185.
  • Refactor integration tests to update to latest standards.
  • Refactor unit tests to update to latest standards.
  • CertificateImport:
    • Refactor to use common functions and share more code with PfxImport resource.
    • Resource will now only throw an exception if the PFX file does not exist and it needs to be imported.
    • Removed file existence check from Path parameter to enable the resource to remove a certificate from the store without the need to have the access to the certificate file.
    • Removed ShouldProcess because it is not required by DSC Resources.
  • CertificatePfx:
    • Refactor to use common functions and share more code with CertificateImport resource.
    • Resource will now only throw an exception if the certificate file does not exist and it needs to be imported.
  • CertificateImport:
    • Added FriendlyName parameter to allow setting the certificate friendly name of the imported certificate – fixes Issue 194.
  • CertificatePfx:
    • Added FriendlyName parameter to allow setting the certificate friendly name of the imported certificate – fixes Issue 194.
NetworkingDsc 7.3.0.0
  • DnsClientGlobalSettings:
    • Fixed SuffixSearchList Empty String Handling – fixes Issue 398.
  • NetAdapterAdvancedProperty:
    • Removed validation from RegistryKeyword parameter because the list of valid registry keywords is not fixed and will depend on adapter driver – fixes Issue 388.
  • MSFT_WinsServerAddress:
    • Added MSFT_WinsServerAddress to control the WINS servers for a given network adapter.
  • Test-DscParameterState:
    • This function was enhanced with an optional reversecheck, optional internal sorting for arrays.
    • The functions ConvertTo-CimInstance and ConvertTo-Hashtable were added required by Test-DscParameterState.
  • Fix missing context message content in unit tests – fixes Issue 405.
  • Correct style violations in unit tests:
    • Adding Get, Set and Test tags to appropriate describe blocks.
    • Removing unnecessary region blocks.
    • Conversion of double quotes to single quotes where possible.
    • Replace variables with string literals in describe block description.
  • Firewall:
    • Fix bug when LocalAddress or RemoteAddress is specified using CIDR notation with number of bits specified in subnet mask (e.g. 10.0.0.1/8) rather than using CIDR subnet mask notation (e.g 10.0.0.1/255.0.0.0) – fixes Issue 404.
PSDscResources 2.12.0.0
  • Ports style fixes that were recently made in xPSDesiredStateConfiguration on test related files.
  • Ports most of the style upgrades from xPSDesiredStateConfiguration that have been made in files in the DscResources folder.
  • Ports fixes for the following issues:
    • Issue 505
    • Issue 590
    • Changes to test helper Enter-DscResourceTestEnvironment so that it only updates DSCResource.Tests when it has been longer than 120 minutes since it was last pulled. This improves performance of test execution and reduces the likelihood of connectivity issues caused by an inability to pull DSCResource.Tests.
  • Fixes issue where MsiPackage Integration tests fail if the test HttpListener fails to start. Moves the test HttpListener objects to dynamically assigned, higher numbered ports to avoid conflicts with other services, and also checks to ensure that the ports are available before using them. Adds checks to ensure that no outstanding HTTP server jobs are running before attempting to set up a new one. Also adds additional instrumentation to make it easier to troubleshoot issues with the test HttpListener objects in the future. Specifically fixes Issue 142.
  • Improved speed of Test-IsNanoServer function
  • Remove the Byte Order Mark (BOM) from all affected files
  • Opt-in to “Validate Module Files” and “Validate Script Files” common meta-tests
  • Opt-in to “Common Tests – Relative Path Length” common meta-test
  • Fix README markdownlint validation failures
  • Move change log from README.md to CHANGELOG.md
SharePointDsc 3.5.0.0
  • SharePointDsc generic
    • Improved logging in all resources. They now output the current and targeted values in the Test method.
    • Updated various resources to comply with coding style guidelines.
    • Updated the following resources to no longer return Null from the Get method, but a hashtable which contains null values: SPDesignerSettings, SPDiagnosticLoggingSettings, SPFarmAdministrators, SPHealthAnalyzerRuleState, SPIrmSettings, SPOutgoingEmailSettings, SPPasswordChangeSettings, SPSearchTopology, SPServiceAppProxyGroup, SPTimerJobState, SPUserProfileSection, SPUserProfileSyncConnection, SPWebAppBlockedFileTypes, SPWebApplicationAppDomain, SPWebAppPolicy, SPWebAppSiteUseAndDeletion, SPWebAppThrottlingSettings, SPWordAutomationServiceApp.
  • SPConfigWizard
    • Added check to make sure the Config Wizard is only executed when all servers have the binaries installed.
  • SPDistributedCacheService
    • Added ability to check for incorrect service account.
  • SPExcelServiceApp
    • Fixes issue where the Get method throws an error when the values of PrivateBytesMax and UnusedObjectAgeMax are negative.
  • SPFarm
    • Throw error in Get method if CentralAdministrationUrl is HTTP.
  • SPInstallPrereqs
    • Fixed bug in version check, where lower versions would be detected as higher versions.
  • SPProductUpdate
    • Updated Readme to reflect the new patching possibilities added in v3.3.
  • SPSecureStore
    • Fixed issue where the test returned false if the service application didn’t exist, but the database name/server parameter was specified.
  • SPUserProfileSyncConnection
    • Fixed issue where the parameter Server was checked in SP2016 but isn’t used there and therefore always fails.
  • SPWebAppAuthentication
    • Updated the documentation to better explain the use of this resource when using Classic authentication.
SqlServerDsc 13.0.0.0
  • Changes to SqlServerDsc
    • Added SqlAgentAlert resource.
    • Opt-in to the common test “Common Test – Validation Localization”.
    • Opt-in to the common test “Common Test – Flagged Script Analyzer Rules” (issue 1101).
    • Removed the helper functions New-TerminatingError, New-WarningMessage and New-VerboseMessage in favor of the new localization helper functions.
    • Combine DscResource.LocalizationHelper and DscResource.Common into SqlServerDsc.Common (issue 1357).
    • Update Assert-TestEnvironment.ps1 to not error if strict mode is enabled and there are no missing dependencies (issue 1368).
  • Changes to SqlServerDsc.Common
    • Added StatementTimeout to function “Connect-SQL” with default 600 seconds (10mins).
    • Added StatementTimeout to function “Invoke-Query” with default 600 seconds (10mins) (issue 1358).
    • Changes to helper function Connect-SQL
      • The function now makes it clearer that when the parameter SetupCredential is used it impersonates that user, and that by default it does not impersonate a user but uses the credential that the resource is run as (for example the built-in credential parameter PsDscRunAsCredential). @kungfu71186
      • Added parameter alias -DatabaseCredential for the parameter -SetupCredential. @kungfu71186
  • Changes to SqlAG
    • Added en-US localization.
  • Changes to SqlAGReplica
    • Added en-US localization.
    • Improved verbose message output when creating an availability group replica, removing an availability group replica, and joining the availability group replica to the availability group.
  • Changes to SqlAlwaysOnService
    • Now outputs the correct verbose message when restarting the service.
  • Changes to SqlServerMemory
    • Now outputs the correct verbose messages when calculating the dynamic memory, and when limiting maximum memory.
  • Changes to SqlServerRole
    • Now outputs the correct verbose message when the members of a role are not in desired state.
  • Changes to SqlAgentOperator
    • Fix a minor issue when unable to connect to an instance: instead of a message saying that the connection failed, another unrelated error message could have been shown, because of an error in the code.
    • Fix typo in test it block.
  • Changes to SqlDatabaseRole
  • Changes to SqlSetup
    • Add an Action type of “Upgrade”. This will ask setup to do a version upgrade where possible (issue 1368).
    • Fix an error when testing for DQS installation (issue 1368).
    • Changed the logic of how default value of FailoverClusterGroupName is set since that was preventing the resource to be able to be debugged (issue 448).
    • Added RSInstallMode parameter (issue 1163).
  • Changes to SqlWindowsFirewall
    • Where a version upgrade has changed paths for a database engine, the existing firewall rule for that instance will be updated rather than another one created (issue 1368). Other firewall rules can be fixed to work in the same way later.
  • Changes to SqlAGDatabase
    • Added new parameter “ReplaceExisting” with default false. This allows forced restores when a database already exists on secondary.
    • Added StatementTimeout to Invoke-Query to fix Issue1358
    • Fix issue where calling Get would return an error because the database name list may have been returned as a string instead of as a string array (issue 1368).
xActiveDirectory 3.0.0.0
  • Changes to xActiveDirectory
    • Added new helper functions in xADCommon, see each functions comment-based help for more information.
      • Convert-PropertyMapToObjectProperties
      • Compare-ResourcePropertyState
      • Test-DscPropertyState
    • Move the examples in the README.md to Examples folder.
    • Fix Script Analyzer rule failures.
    • Opt-in to the following DSC Resource Common Meta Tests:
      • Common Tests – Custom Script Analyzer Rules
      • Common Tests – Required Script Analyzer Rules
      • Common Tests – Flagged Script Analyzer Rules
      • Common Tests – Validate Module Files (issue 282)
      • Common Tests – Validate Script Files (issue 283)
      • Common Tests – Relative Path Length (issue 284)
      • Common Tests – Validate Markdown Links (issue 280)
      • Common Tests – Validate Localization (issue 281)
      • Common Tests – Validate Example Files (issue 279)
      • Common Tests – Validate Example Files To Be Published (issue 311)
    • Move resource descriptions to Wiki using auto-documentation (issue 289)
    • Move helper functions from MSFT_xADCommon to the module xActiveDirectory.Common (issue 288).
      • Removed helper function Test-ADDomain since it was not used. The helper function had design flaws too.
      • Now the helper function Test-Members outputs all the members that are not in desired state when verbose output is enabled.
    • Update all unit tests to latest unit test template.
    • Deleted the obsolete xActiveDirectory_TechNetDocumentation.html file.
    • Added new resource xADObjectEnabledState. This resource should be used to enforce the Enabled property of computer accounts. This resource replaces the deprecated Enabled property in the resource xADComputer.
    • Cleanup of code
      • Removed semicolon throughout where it is not needed.
      • Migrate tests to Pester syntax v4.x (issue 322).
      • Removed -MockWith {} in unit tests.
      • Use fully qualified type names for parameters and variables (issue 374).
    • Removed unused legacy test files from the root of the repository.
    • Updated Example List README with missing resources.
    • Added missing examples for xADReplicationSubnet, xADServicePrincipalName and xWaitForADDomain. (issue 395).
  • Changes to xADComputer
    • Refactored the resource and the unit tests.
    • BREAKING CHANGE: The Enabled property is DEPRECATED and is no longer set or enforced by this resource. If this parameter is used in a configuration, a warning message will be output saying that the Enabled parameter has been deprecated. The new resource xADObjectEnabledState can be used to enforce the Enabled property.
    • BREAKING CHANGE: The default value of the enabled property of the computer account will be set to the default value of the cmdlet New-ADComputer.
    • A new parameter was added called EnabledOnCreation that will control if the computer account is created enabled or disabled.
    • Moved examples from the README.md to separate example files in the Examples folder.
    • Fix the RestoreFromRecycleBin description.
    • Fix unnecessary cast in Test-TargetResource (issue 295).
    • Fix ServicePrincipalNames property empty string exception (issue 382).
  • Changes to xADGroup
    • Change the description of the property RestoreFromRecycleBin.
    • Code cleanup.
  • Changes to xADObjectPermissionEntry
    • Change the description of the property IdentityReference.
    • Fix failure when applied in the same configuration as xADDomain.
    • Localize and Improve verbose messaging.
    • Code cleanup.
  • Changes to xADOrganizationalUnit
    • Change the description of the property RestoreFromRecycleBin.
    • Code cleanup.
    • Fix incorrect verbose message when this resource has Ensure set to Absent (issue 276).
  • Changes to xADUser
    • Change the description of the property RestoreFromRecycleBin.
    • Added ServicePrincipalNames property (issue 153).
    • Added ChangePasswordAtLogon property (issue 246).
    • Code cleanup.
    • Added LogonWorkstations property
    • Added Organization property
    • Added OtherName property
    • Added AccountNotDelegated property
    • Added AllowReversiblePasswordEncryption property
    • Added CompoundIdentitySupported property
    • Added PasswordNotRequired property
    • Added SmartcardLogonRequired property
    • Added ProxyAddresses property (Issue 254).
    • Fix Password property being updated whenever another property is changed (issue 384).
    • Replace Write-Error with the correct helper function (Issue 331).
  • Changes to xADDomainController
    • Change the Requires statement in the Examples to require the correct module.
    • Suppressing the Script Analyzer rule PSAvoidGlobalVars since the resource is using the $global:DSCMachineStatus variable to trigger a reboot.
    • Code cleanup.
  • Changes to xADDomain
    • Suppressing the Script Analyzer rule PSAvoidGlobalVars since the resource is using the $global:DSCMachineStatus variable to trigger a reboot.
    • Code cleanup.
  • Changes to xADDomainTrust
    • Replaced New-TerminatingError with Standard Function.
    • Code cleanup.
  • Changes to xWaitForADDomain
    • Suppressing the Script Analyzer rule PSAvoidGlobalVars since the resource is using the $global:DSCMachineStatus variable to trigger a reboot.
    • Added missing property schema descriptions (issue 369).
    • Code cleanup.
  • Changes to xADRecycleBin
    • Remove unneeded example and resource designer files.
    • Added missing property schema descriptions (issue 368).
    • Code cleanup.
    • It now sets back the $ErrorActionPreference that was set prior to setting it to "Stop".
    • Replace Write-Error with the correct helper function (issue 327).
  • Changes to xADReplicationSiteLink
    • Fix ADIdentityNotFoundException when creating a new site link.
    • Code cleanup.
  • Changes to xADReplicationSubnet
    • Remove `{ Present
xDnsServer 1.13.0.0
  • Added resource xDnsServerConditionalForwarder
  • Added xDnsServerDiagnostics resource to this module.
xPSDesiredStateConfiguration 8.8.0.0
  • Ports fix for the following issue: Issue 142
    • Fixes issue where MsiPackage Integration tests fail if the test HttpListener fails to start. Moves the test HttpListener objects to dynamically assigned, higher numbered ports to avoid conflicts with other services, and also checks to ensure that the ports are available before using them. Adds checks to ensure that no outstanding HTTP server jobs are running before attempting to set up a new one. Also adds additional instrumentation to make it easier to troubleshoot issues with the test HttpListener objects in the future.

How to Find Released DSC Resource Modules

To see a list of all released DSC Resource Kit modules, go to the PowerShell Gallery and display all modules tagged as DSCResourceKit. You can also enter a module’s name in the search box in the upper right corner of the PowerShell Gallery to find a specific module.

Of course, you can also always use PowerShellGet (available starting in WMF 5.0) to find modules with DSC Resources:

#To list all modules that tagged as DSCResourceKit
Find-Module -Tag DSCResourceKit 
#To list all DSC resources from all sources
Find-DscResource

Please note only those modules released by the PowerShell Team are currently considered part of the ‘DSC Resource Kit’ regardless of the presence of the ‘DSC Resource Kit’ tag in the PowerShell Gallery.

To find a specific module, go directly to its URL on the PowerShell Gallery:
http://www.powershellgallery.com/packages/< module name >
For example:
http://www.powershellgallery.com/packages/xWebAdministration

How to Install DSC Resource Modules From the PowerShell Gallery

We recommend that you use PowerShellGet to install DSC resource modules:

Install-Module -Name < module name >

For example:

Install-Module -Name xWebAdministration

To update all previously installed modules at once, open an elevated PowerShell prompt and use this command:

Update-Module

After installing modules, you can discover all DSC resources available to your local system with this command:

Get-DscResource
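The find, install, update and discover steps above can be combined into one inventory check. The script below is an added example, not code from the PowerShell Team's post: it lists the installed DSC Resource Kit modules, compares each with the latest PowerShell Gallery version, confirms that Get-DscResource actually sees the module's resources, and previews updates with -WhatIf before changing anything. It assumes PowerShellGet (WMF 5.0 or later) and network access to the Gallery; the function names Get-DscResourceKitStatus and Update-DscResourceKit are chosen here, not part of the kit.

```powershell
# Added example (not code from the DSC Resource Kit post): inventory the DSC
# Resource Kit modules installed from the PowerShell Gallery, compare each with
# the latest Gallery version, and count the DSC resources each one exposes.
# Assumes PowerShellGet (WMF 5.0+) and network access to the Gallery; the
# function names below are chosen for this example.

function Get-DscResourceKitStatus {
    [CmdletBinding()]
    param (
        # Restrict the check to specific modules; by default every installed
        # module carrying the DSCResourceKit tag is checked.
        [string[]] $Name,

        # Gallery repository to compare against.
        [string] $Repository = 'PSGallery'
    )

    # Only modules installed through PowerShellGet carry Tags and Repository
    # metadata, which is exactly the set Update-Module can maintain.
    $installed = Get-InstalledModule |
        Where-Object { $_.Tags -contains 'DSCResourceKit' }

    if ($Name) {
        $installed = $installed | Where-Object { $Name -contains $_.Name }
    }

    foreach ($module in $installed) {
        try {
            $latest = Find-Module -Name $module.Name -Repository $Repository -ErrorAction Stop
            # Kit modules use four-part versions such as 4.7.0.0, so [version] is safe.
            $latestVersion = [version] $latest.Version
        }
        catch {
            # Gallery unreachable or module unlisted: report it rather than fail the run.
            Write-Warning "Could not query $Repository for $($module.Name): $_"
            $latestVersion = $null
        }

        # A module that exposes no DSC resources is usually a broken or partial
        # install, so surface the count next to the version comparison.
        $resourceCount = @(Get-DscResource -Module $module.Name -ErrorAction SilentlyContinue).Count

        [pscustomobject] @{
            Name          = $module.Name
            Installed     = [version] $module.Version
            Latest        = $latestVersion
            UpToDate      = ($null -ne $latestVersion) -and ([version] $module.Version -ge $latestVersion)
            ResourceCount = $resourceCount
        }
    }
}

function Update-DscResourceKit {
    [CmdletBinding(SupportsShouldProcess)]
    param ()

    # Update only the modules the status check reports as stale, so a run with
    # -WhatIf shows exactly which modules would change before anything is touched.
    Get-DscResourceKitStatus |
        Where-Object { $_.Latest -and -not $_.UpToDate } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, "Update $($_.Installed) -> $($_.Latest)")) {
                Update-Module -Name $_.Name -ErrorAction Stop
            }
        }
}

# Usage: show the inventory, then preview what an update would do.
Get-DscResourceKitStatus | Format-Table -AutoSize
Update-DscResourceKit -WhatIf
```

Run Update-DscResourceKit without -WhatIf from an elevated prompt once the preview looks right; modules installed outside PowerShellGet are not listed because Get-InstalledModule only knows about Gallery installs.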

How to Find DSC Resource Modules on GitHub

All resource modules in the DSC Resource Kit are available open-source on GitHub.
You can see the most recent state of a resource module by visiting its GitHub page at:
https://github.com/PowerShell/< module name >
For example, for the CertificateDsc module, go to:
https://github.com/PowerShell/CertificateDsc.

All DSC modules are also listed as submodules of the DscResources repository in the DscResources folder and the xDscResources folder.

How to Contribute

You are more than welcome to contribute to the development of the DSC Resource Kit! There are several different ways you can help. You can create new DSC resources or modules, add test automation, improve documentation, fix existing issues, or open new ones.
See our contributing guide for more info on how to become a DSC Resource Kit contributor.

If you would like to help, please take a look at the list of open issues for the DscResources repository.
You can also check issues for specific resource modules by going to:
https://github.com/PowerShell/< module name >/issues
For example:
https://github.com/PowerShell/xPSDesiredStateConfiguration/issues

Your help in developing the DSC Resource Kit is invaluable to us!

Questions, comments?

If you’re looking into using PowerShell DSC, have questions or issues with a current resource, or would like a new resource, let us know in the comments below, on Twitter (@PowerShell_Team), or by creating an issue on GitHub.

Katie Kragenbrink
Software Engineer
PowerShell DSC Team
@katiedsc (Twitter)
@kwirkykat (GitHub)

The post DSC Resource Kit Release June 2019 appeared first on PowerShell.


Six months left to transform your Windows Server 2008 apps and infrastructure


This blog post was authored by Jeff Woolsey, Principal PM Manager, Windows Server.

This month, SQL Server 2008 and 2008 R2 reached their End of Support. On January 14, 2020, Windows Server 2008 and 2008 R2 will also reach their End of Support. These important dates give businesses an opportunity that goes beyond the obvious deadline, and we're here to help. Here is a list of resources to help you get ready:

  • For the latest information about your options, visit the Windows Server 2008/R2 End of Support site to learn about upgrading on-premises, migrating to Azure, or taking advantage of Extended Security Updates for your server environment.
  • Download the Migration Guide for Windows Server for beginning-to-end guidance for on-premises or cloud workloads, including Assess, Migrate, Optimize, as well as Manage and Secure phases, with more links to tools that can help you along the way.
  • If you have questions about what Azure can do for your Windows Server workloads, or are ready to start down the migration path, visit the Azure Migration Center to find specific migration advice for Windows Server 2008/R2 and start modernizing with Azure.
  • We have a new migration tool to help you upgrade old file servers. Watch a brief demo of the Storage Migration Service, a new tool to help migrate file servers from Windows Server 2008/R2 (and even back to 2003) to newer versions, running on-premises or in Azure.
  • Finally, watch my on-demand webinar on Transforming Windows Server 2008 Apps and Infrastructure where I lay out options on how to modernize your Windows Server 2008 environment using Microsoft’s hybrid cloud capabilities, including new tools and solutions available to help you migrate.

Ask the experts!

If you still have questions, we've scheduled an online Ask Me Anything on July 30, 2019. Bring your questions, and we'll have our top experts standing by ready to help. Add it to your calendar now.

The post Six months left to transform your Windows Server 2008 apps and infrastructure appeared first on Windows Server Blog.

Microsoft Intune announces general availability of security baselines


Microsoft Intune is excited to announce general availability of Windows MDM Security Baselines. A new version of security baselines is also being released at the same time, identified as MDM Security Baseline for Spring 2019 Update (19H1). This is a new template that includes several new settings and some other updates. Please refer to the documentation for a detailed list of what's changed in the new template.

 

A security baseline is a group of Microsoft-recommended configuration settings, together with an explanation of their security impact. Industry-standard, broadly known and well-tested configurations such as Microsoft security baselines increase efficiency and reduce costs compared to creating every setting yourself. These settings are continually updated with feedback from Microsoft security engineering teams, product groups, partners, and real-world learning from thousands of customers. Microsoft security baselines provide intelligent recommendations that are relevant to the needs of your business, based on your IT infrastructure.

 

Attach the power of the intelligent cloud

 

Microsoft has years of experience publishing security baselines as Group Policy Objects in the Security and Compliance Toolkit (SCT). Customers have trusted this toolkit for years to provide templates to configure security baselines through Group Policy. Microsoft Intune now brings the same collective knowledge and expertise to secure the modern desktop with MDM security baselines.

 

Microsoft-recommended security baselines in the Intune service leverage the greatly expanded manageability of Windows 10 using Mobile Device Management (MDM). These security baselines are managed and updated directly from the cloud, providing customers the most recent and most advanced security settings and capabilities available from Microsoft 365. The same Windows security team that creates Group Policy security baselines has collaborated with Intune engineers to offer their extensive experience for these recommendations. If you're brand new to Intune and not sure where to start, MDM security baselines give you an advantage: you can quickly create and deploy a secure profile to help protect your organization's resources and data. If you're currently using Group Policy, migrating to Intune for management is much easier with these baselines natively built into Intune's modern management platform.

 


 

Intune MDM security baselines leverage intelligent cloud insights to deliver unique benefits beyond the security and compliance toolkit:

 

  • In-depth reporting on the state of each setting in the baseline on every device in your organization
  • A first-class policy interface using familiar Intune policies to easily customize and deploy a baseline with MDM

You may choose to create security policies directly from these baselines and deploy them to users or customize the recommendations to meet the needs of your enterprise. Intune will validate that devices follow these baselines, report on baseline compliance and notify administrators if any devices or users move out of compliance.

 

You can see a list of all available baselines, as well as the contents of each baseline, here: https://docs.microsoft.com/en-us/intune/security-baselines#available-security-baselines

 

Versioning between baselines

 

Alongside GA, Intune is launching a versioning experience that allows you to stay up-to-date as Microsoft updates security baseline recommendations. This means that if you’ve been using the preview baseline, you’ll be able to upgrade to the newly released GA baseline in just a few clicks.

 

  1. Select a baseline. In this example, we’ll examine Windows 10 Security Baselines.
  2. You can review the contents of each version of this baseline family by selecting Versions, then choosing the version you’d like to analyze. You can also select two versions to compare by selecting both in the table and clicking Compare baselines.
  3. To upgrade a profile from one baseline version to another, go to Profiles, choose the profile you’d like to upgrade, and select Change Version.
  4. In the upgrade experience, you can choose to review the changes that the upgrade will make, as well as decide whether you’d like to:
  • Accept baseline changes but keep my existing setting customizations: This will retain any setting customizations you made in the original profile.
  • Accept baseline changes and discard my existing setting customizations: This will overwrite all customizations from the original profile and apply the new baseline recommendations wholesale.

After you make this decision, Intune will automatically update the profile to adhere to the upgraded baseline.

 

Next steps


If you are a Microsoft Intune customer, look for the Security Baselines GA to be available in your tenant shortly.


If you require any help with your deployment, Microsoft offers a variety of resources and support tools to help you succeed. Customers with eligible subscriptions to Microsoft 365, Microsoft Enterprise Mobility + Security (EMS) or Microsoft Intune can request assistance from experts in FastTrack service at no additional cost for the life of their subscription. Whether you are a customer or a partner, FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources to plan your deployment.

 

More info and feedback

Learn how to get started with Microsoft Intune using our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

 

Follow @MSIntune on Twitter

Microsoft Intune announces general availability of administrative templates


(This post is co-authored with Aashka Damani, Program Manager, and Mayunk Jain, Product Manager, Microsoft 365)

 

Microsoft Intune is excited to announce the general availability of administrative templates support for Windows 10 device configuration profiles. This feature received wide adoption during the public preview because it helps Windows administrators use the settings they are familiar with in the group policy editor when they transition to cloud-attached management. In the general release, we deliver one of the most requested pieces of feedback from the public preview: support for more settings. Administrative templates add over 2,500 settings to the Intune console, covering Windows, OneDrive and Office, in a user interface that is similar to the group policy editor.

 

Let us walk through creating and editing a profile.

 

Create an Administrative Templates profile

 

Administrative template profiles in Intune apply to Windows 10 devices and the process is similar to creating most other device configuration profiles. Start by creating a new profile under ‘device configuration’ and select ‘administrative templates’ under profile type.

 


 

Upon creating a profile, the administrator will have access to the master list of all 2500+ available settings. Some of the setting names may appear to be duplicates, but each of them has a different path and different end effect.

 


 

Administrators may use the Search, Sort and Filter options to identify the settings they have set and the ones they may want to configure. For instance, the drop-down list of products allows administrators to view only the settings that apply to Windows, only those that apply to Office, or all settings.

 


 

The product filter in combination with search terms lets administrators quickly narrow down the list to the settings they wish to configure. The search works on both the name of the setting and any part of the setting’s path.

 


 

Many of the settings are applicable on both users and devices. Administrators can use column headings to distinguish between types of settings and differentiate between settings that have been configured and not configured.

 


 

Click on a setting to see its description and determine how it should be appropriately configured.

 


 

The description text for each setting includes the minimum app version supported by the setting as well as the ADMX setting version. This helps with troubleshooting, using the widely available Microsoft and community documentation about ADMX files and their expected behavior. After editing the necessary settings and deploying them to the respective users and devices, close the profile to save the changes.

 


 

Upon reopening the profile, all of the settings that have been configured will automatically filter to the top. This makes it easy to know what settings have been set and administrators can edit the configuration profile if desired.

 

Next steps

 

Microsoft Intune is designed with the learnings and feedback from administrators managing over 175M devices worldwide. This feature is another reason more customers choose Microsoft endpoint management solutions for the easiest path to manage their Windows 10, Office 365, and other mobile applications and devices either on-premises, attached to the cloud, or both. Share your experience after you take administrative templates for a spin in your own modern workplace.

 

Microsoft offers a variety of resources and support tools to help you in this journey. Plan your cloud services deployments with online resources and tools from FastTrack, a service that’s included in your eligible Microsoft subscription at no additional cost. FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources instead of creating new ones.

 

Visit the planning and migration documentation to drive successful customer adoption of managed mobile productivity with a robust communication plan.

 

More info and feedback

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

 

Follow @MSIntune on Twitter

Introducing PowerShell as .NET Global Tool


PowerShell is very suitable for CI/CD scenarios due to its easy and well understood scripting paradigm,
and its cross-platform support makes it great for building and testing cross-platform applications.
A .NET Global Tool is a special NuGet package that contains a console application.

A .NET Core application can be developed for various platforms like Windows, various distributions of Linux and macOS, while the same PowerShell scripts can be used for building, testing and deployment across all platforms.

Installing PowerShell Global tool

If you already have the .NET Core SDK installed, it’s easy to install PowerShell as a .NET global tool!

dotnet tool install --global PowerShell

Once installed, you can run it with pwsh.

PowerShell in .NET SDK docker containers

PowerShell has already been included as a global tool within the .NET Core 3.0 Preview Docker images since Preview.4.
These images are a great starting point for building a .NET Core CI/CD image
(you can find some awesome samples
over at the dotnet-docker repo.)

Docker files with PowerShell syntax

As PowerShell comes pre-installed, Docker files can have PowerShell syntax.
This allows you to run scripts or cmdlets as part of your Docker file.

FROM mcr.microsoft.com/dotnet/core/sdk:3.0
RUN pwsh -c Get-Date
RUN pwsh -c "Get-Module -ListAvailable | Select-Object -Property Name, Path"

Build scenarios in Docker

In addition to enabling PowerShell syntax, PowerShell scripts in the container can be easily invoked through Docker:

docker run -it -v c:\myrepo:/myrepo -w /myrepo mcr.microsoft.com/dotnet/core/sdk:3.0 pwsh ./build.ps1
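A build.ps1 that the docker run command above could invoke, added here as an example of my own rather than code from the PowerShell team: it runs restore, build and test with dotnet and turns a failing dotnet step into a non-zero exit code, so the container, and therefore the CI job, fails instead of silently continuing. The script name, its parameters and the Invoke-Step helper are assumptions; the dotnet options used are standard SDK options.

```powershell
#Requires -Version 6.0
<#
  Hypothetical build.ps1 (added example, not from the original post).
  Intended to run inside the .NET Core SDK image via:
    docker run -it -v c:\myrepo:/myrepo -w /myrepo mcr.microsoft.com/dotnet/core/sdk:3.0 pwsh ./build.ps1
#>
[CmdletBinding()]
param(
    [string] $Configuration = 'Release',   # build configuration passed to dotnet
    [string] $Project = '.',               # project/solution directory or file
    [switch] $SkipTests                    # set to skip the test step
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'            # PowerShell cmdlet errors become terminating

function Invoke-Step {
    # Runs one build step and converts a failing native command into a
    # terminating error. dotnet (a native command) never throws on its own;
    # only $LASTEXITCODE tells you it failed, so it is checked explicitly.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    Write-Host "==> $Name"
    & $Action
    if ($LASTEXITCODE -ne 0) {
        throw "Step '$Name' failed with exit code $LASTEXITCODE"
    }
}

try {
    # Record tool versions in the log so a CI failure can be reproduced locally.
    Invoke-Step 'Tool versions' { dotnet --version; pwsh --version }

    Invoke-Step 'Restore' { dotnet restore $Project }
    Invoke-Step 'Build'   { dotnet build $Project --configuration $Configuration --no-restore }

    if (-not $SkipTests) {
        # --no-build reuses the artifacts from the previous step; results are
        # written as .trx files so the CI system can publish them.
        Invoke-Step 'Test' {
            dotnet test $Project --configuration $Configuration --no-build `
                --logger 'trx' --results-directory ./TestResults
        }
    }

    Write-Host 'Build succeeded.'
    exit 0
}
catch {
    # A non-zero exit code is what makes `docker run` (and the CI job) fail.
    Write-Error $_
    exit 1
}
```

Because pwsh is the container's entry command here, the script's exit code becomes the exit code of docker run, which is what a CI system checks.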

The NuGet package for the global tool can be found at: https://www.nuget.org/packages/PowerShell/

Please report issues or suggestions at: https://github.com/PowerShell/PowerShell/issues/new/choose

Thank you!

Aditya Patwardhan
Senior Software Engineer
PowerShell Team
@adityapatward13

The post Introducing PowerShell as .NET Global Tool appeared first on PowerShell.

Microsoft Intune announces support for macOS FileVault disk encryption management


(This post is co-authored with Anya Novicheva, Program Manager, Microsoft 365)

 

Microsoft Intune is excited to announce support for FileVault full-disk encryption configuration on macOS devices. FileVault full-disk encryption (also known as FileVault 2) helps prevent unauthorized access to the information on macOS startup disks. With support for FileVault, Intune administrators can ensure startup disks are unreadable without the password on company-managed devices, and they can recover personal keys on behalf of users on corporate devices from the Intune console. Device users can also securely recover their personal key at any time using Intune.

 

This release includes:

  • Personal recovery key rotation to help protect against unauthorized access using compromised keys. Intune administrators can rotate the personal recovery keys for company-managed encrypted Macs, and they may also configure how often to rotate the personal key.
  • Personal key escrow, providing a secure location for both end users and administrators to access the personal recovery key for company-managed encrypted Macs.


Get started

To set up FileVault on a managed macOS device that is not yet encrypted, the admin configures the FileVault settings located under the Endpoint Protection profile type within the Device Configuration section of the Microsoft Intune administration console.

 

On the same settings page, the admin may enter a message to help the end user in case they forget their password and need to locate the recovery key. For example, they may provide information such as the location of the personal recovery key. This message is shown to end users on the login screen where they enter the personal recovery key instead of a password.

 


 

Key recovery

The end user may use the Microsoft Intune Company Portal website on any device to access their personal recovery key. Once they log in to the web Company Portal, they can select their FileVault-enabled macOS device from the device thumbnails and click Get recovery key. If the macOS device isn’t encrypted, or it was encrypted prior to enrollment, they will not see a personal recovery key.


 

To help protect a device that might have had its key compromised, or to prevent other types of security incidents, the Intune admin may perform a remote device action to rotate the personal recovery key on a corporate macOS device. This is as simple as selecting the macOS device in the Intune console, going to Recovery Keys, and then choosing to rotate the device’s personal recovery key.

 

If the device is not enrolled or not encrypted, Intune doesn’t have a key for that device and the action is grayed out (as in the screenshot below).


 

Reporting

Encryption Reporting is a powerful tool for security management across all devices in the modern workplace. The Intune admin can see reporting for all of their macOS devices from Devices > all devices > macOS device > Encryption Reporting. This report shows whether devices are ready to be encrypted or not, whether they were encrypted prior to being enrolled, and whether there were any errors during the encryption process. Intune admins can report on disk encryption for Windows BitLocker and macOS FileVault from a single dashboard. Admins may also export the entire report to an Excel file, where they can filter by OS type, encryption readiness, or status.

 

Next steps

This feature is the latest in a series of innovations to simplify macOS management with Intune. This is a journey, and we expect to add significant enhancements in the future based on your feedback and customer priorities. Administrators using Microsoft Intune can secure their entire workplace from a single place: not only Apple FileVault encryption but also mobile device encryption and Windows BitLocker.

 

Microsoft offers a variety of resources and support tools to help you in this journey. Plan your macOS management and deployment with online guides and tools from FastTrack, a service that’s included in your eligible Microsoft subscription at no additional cost. FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources instead of creating new ones.

 

More info and feedback

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

 

Follow @MSIntune on Twitter

 
