
Advanced specialization for partners using Windows Server on Azure


Last week we held our annual Microsoft Inspire event welcoming partners from around the world! During the conference, we had some great sessions, including Microsoft Azure is the #1 destination for Windows Server and SQL Server. We also announced the Windows Server on Azure Advanced Specialization course in the Partner Center. What is the Windows Server on Azure Advanced Specialization? Continue reading to learn more!

The Windows Server on Azure Advanced Specialization is an extensive validation of a partner's capability to deliver high fidelity services in a specific solution area. The new Windows Server on Azure specialization, specifically, enables partners to validate their expertise in migrating and optimizing Windows Server production workloads to Microsoft Azure.

What is the benefit to partners?

This specialization was developed to help partners further differentiate their organizations and build stronger connections with customers by demonstrating their expertise. Here are some benefits of earning an advanced specialization:

  • Makes partners more visible to customers who search for solution providers.
  • Develops deepened trust with customers that partners meet the highest standards for service delivery and support.

How does it work?

Partners with an active gold competency who demonstrate deep knowledge in a specified area may seek an advanced specialization and apply in the Partner Center. For more information and specific requirements of the program, see which partner offer is right for you.

Further resources

In addition to the specialization, the new Partner Portal was also released at Inspire. This is a one-stop-shop for all partner resources on Windows Server, including The Ultimate Guide to Windows Server and lots of other helpful migration resources. The Partner Portal is not just a resource hub, but it also enables partners to pursue some of the top Windows Server business opportunities:

  • Transform Windows Server workloads
  • Guide Windows Server end of support

Don't miss out! To learn more about migrating Windows Server to Azure using the Partner Portal, visit the Partner Portal.

The post Advanced specialization for partners using Windows Server on Azure appeared first on Windows Server Blog.


End of support for TLS 1.0 and 1.1 in Microsoft Cloud App Security


Microsoft is moving all its online services to Transport Layer Security (TLS) 1.2+ to provide best-in-class encryption, and to ensure our service is more secure by default, including Microsoft Cloud App Security.

 

How does this affect me?

As of September 8, 2019 Microsoft Cloud App Security will no longer support TLS 1.0 and 1.1. This means that any connection using these protocols will no longer work as expected, and no support will be provided.

 

What do I need to do to prepare for this change?

You should ensure that all client-server and browser-server combinations use TLS 1.2 (or a later version), to maintain the connection to Microsoft Cloud App Security.

Components that may be affected by this change include:

 

  • SIEM Agent - Versions older than 0.111.126 will not be able to establish a connection to Microsoft Cloud App Security. If you are using an older version, you need to update by following the instructions in our SIEM integration documentation.
  • Microsoft Cloud App Security API – Custom applications and code that are utilizing the Microsoft Cloud App Security API must support TLS 1.2 to continue functioning. If you’re not sure whether your application supports TLS 1.2 you can test it by authenticating to our dedicated API endpoint here https://tlsv12.portal-rs.cloudappsecurity.com
  • Apps configured with Conditional Access App Control – If you are using Conditional Access App Control for any web or native client applications, you need to verify that these applications support TLS 1.2, or access to these apps and subsequently the relevant controls will no longer work.
  • Log collector – Versions older than 0.111.127 will not be able to establish a connection to Microsoft Cloud App Security. If you are using an older version, you need to update by following the instructions in the Microsoft Cloud App Security log collector documentation.

 

Where possible, Microsoft recommends that you remove all TLS 1.0/1.1 dependencies in your environment and that you disable TLS 1.0/1.1 at the operating system level.
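
The preparation checks above, as an added example (not code from Microsoft or the Cloud App Security team): it compares component versions with the minimums quoted in this post, reports the SCHANNEL registry state for TLS 1.0, 1.1 and 1.2, and attempts a handshake that offers TLS 1.2 only. The function names and the sample inventory are constructed for illustration, and the registry audit assumes Windows.

```powershell
# Added example. Function names and the sample inventory are hypothetical.

# Minimum versions quoted in the post above.
$MinimumVersion = @{
    'SIEM Agent'    = [version]'0.111.126'
    'Log collector' = [version]'0.111.127'
}

function Test-McasComponentVersion {
    param(
        [Parameter(Mandatory)][string]$Component,
        [Parameter(Mandatory)][version]$InstalledVersion
    )
    $min = $MinimumVersion[$Component]
    if (-not $min) { throw "No minimum version known for '$Component'." }
    [pscustomobject]@{
        Component   = $Component
        Installed   = $InstalledVersion
        Minimum     = $min
        NeedsUpdate = $InstalledVersion -lt $min
    }
}

function Get-SchannelProtocolState {
    # Windows only. A missing key or value means the operating system default applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key   = Join-Path $base "$protocol\$role"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $state = if ($null -eq $props -or $null -eq $props.Enabled) {
                'OS default'
            } elseif ($props.Enabled -eq 0) {
                'Disabled'
            } else {
                'Enabled'
            }
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                State             = $state
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

function Test-Tls12Handshake {
    # Proves that the TLS stack used by this PowerShell host can negotiate TLS 1.2.
    # An application that ships its own TLS library needs its own test.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $ssl = $null
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        # Offer TLS 1.2 only; revocation checking is not the point of this probe.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{ Target = $HostName; Tls12 = $true; Negotiated = $ssl.SslProtocol; Error = $null }
    } catch {
        [pscustomobject]@{ Target = $HostName; Tls12 = $false; Negotiated = $null; Error = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Constructed inventory for illustration; replace with the versions you run.
$inventory = @(
    @{ Component = 'SIEM Agent';    InstalledVersion = '0.111.120' }
    @{ Component = 'Log collector'; InstalledVersion = '0.111.127' }
)
foreach ($item in $inventory) { Test-McasComponentVersion @item }

Get-SchannelProtocolState | Format-Table -AutoSize

# Endpoint named in the post above (requires network access):
# Test-Tls12Handshake -HostName 'tlsv12.portal-rs.cloudappsecurity.com'
```

With the constructed inventory, the SIEM Agent row reports NeedsUpdate as True and the Log collector row as False.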

 

Begin your migration to TLS 1.2 today.

 

-Microsoft Cloud App Security team

Introducing the Microsoft Intune configuration designer to manage OEMConfig devices


(This post co-authored with Jessica Yang, Program Manager, Microsoft 365) 

  

Microsoft Intune is pleased to announce the release of a new configuration designer experience for managing Android Enterprise devices using the OEMConfig application. We have received very positive early feedback from customers and partners and we can’t wait for you to try the improved user experience. In this article, we will walk through some steps to get started.   

 

What is OEMConfig? 

OEMConfig is a standard for the Android Enterprise platform that allows OEM (Original Equipment Manufacturers) and EMM (Enterprise Mobility Management) providers to build and support OEM-specific features in a standardized way on Android Enterprise devices. With OEMConfig, an OEM defines OEM-specific management settings for their devices (also known as a management schema) in an application that they host in the Google Play store. Microsoft Intune uses this application to expose those settings in the admin console for you to configure. The settings configured in the resulting profile are then executed by the OEMConfig application on the device.

 

How does this help you? 

Historically, EMMs such as Intune manually built support for OEM-specific features after they're introduced by the OEM. This approach sometimes led to duplicated efforts, delay in support for new features, and slow adoption.

 

With OEMConfig, you get day zero support for management features, direct from the OEM. When the OEM adds or enhances management features for the device, they also update their OEMConfig application in Google Play store. Intune automatically reads those updates and makes them available to you in the console. No waiting!

  

Ways to create an OEMConfig profile 

You’ll find OEMConfig profiles in the Device configuration blade alongside your other device configuration profiles. The Intune documentation has complete details on creating and monitoring an OEMConfig profile. This article covers your two options for creating profiles. 

 

Option 1: Configuration designer 

 

 

We’ve created a brand-new configuration designer that gives you an intuitive interface for creating OEMConfig profiles, no matter how complicated the schema gets. This eliminates the need to hand-code an OEMConfig profile using the JSON editor, which can get tricky, especially when dealing with complex or heavily nested schemas. 

 

When you select an OEMConfig application to configure, Intune reads the schema from the app, and automatically generates a full graphical user interface for configuring the settings specified in the schema. 

 

The configuration designer lets you easily: 

  • Create and manage complex bundles and bundle arrays with many levels of nesting 
  • View setting titles and descriptions, which OEMs may use to provide documentation 
  • Understand what options are available for a given setting 

Going forward, the configuration designer is the default editor for OEMConfig profiles in Intune. 

 

Option 2: JSON editor 

The existing JSON editor interface is still there if you need it. For example, if you need to duplicate a setting many times, simply copy and paste the corresponding JSON representation of that setting. Or, to take a backup of your profile, save the contents of the JSON editor to a file before you start making changes.

 

Changes made in the configuration designer are synced to the JSON editor, and vice versa. If you accidentally enter invalid JSON syntax, the editor also provides error messages so you can see what needs to be changed.

 

Does my OEM support OEMConfig? 

Each OEM decides how they want their devices to be managed. We recommend you contact your device manufacturer to ask if they support OEMConfig with a schema built according to the standard.

 

If an OEMConfig application exists for your device, but it isn’t showing up in the Intune console, please contact us using the instructions on the Intune OEMConfig documentation page. As more OEMs start adopting this new standard, the number of supported OEMs in Intune will increase, giving you more options for managing Android devices.

 

Next steps 

This feature expands the breadth and depth of support for Android Enterprise in Microsoft Intune and facilitates ruggedized and specialized devices to take full advantage of the Microsoft 365 cloud. This is a relatively new approach for both device manufacturers and management platforms, and we encourage you to push your OEMs to support this standard. You can learn more about OEMConfig here. 

 

Microsoft offers a variety of resources and tools to help you succeed. Create an OEMConfig profile in Microsoft Intune using our online guides. For further assistance, you may contact FastTrack, a service that’s included in eligible Microsoft subscriptions at no additional cost. FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources instead of creating new ones.

 

More info and feedback 

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today! 

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page. 

 

Follow @MSIntune on Twitter 

 

DSC Resource Kit Release July 2019


We just released the DSC Resource Kit!

This release includes updates to 11 DSC resource modules. In the past 6 weeks, 96 pull requests have been merged and 45 issues have been closed, all thanks to our amazing community!

The modules updated in this release are:

  • ActiveDirectoryDsc
  • ActiveDirectoryCSDsc
  • ComputerManagementDsc
  • SecurityPolicyDsc
  • SharePointDsc
  • SqlServerDsc
  • StorageDsc
  • xDnsServer
  • xExchange
  • xPSDesiredStateConfiguration
  • xWebAdministration

For a detailed list of the resource modules and fixes in this release, see the Included in this Release section below.

Our latest community call for the DSC Resource Kit was last Wednesday, July 31. A recording of the call is posted on the PowerShell YouTube channel. You can join us for the next call at 12PM (Pacific time) on August 28th to ask questions and give feedback about your experience with the DSC Resource Kit.

The next DSC Resource Kit release will be on Wednesday, September 8.

We strongly encourage you to update to the newest version of all modules using the PowerShell Gallery, and don’t forget to give us your feedback in the comments below, on GitHub, or on Twitter (@PowerShell_Team)!

Please see our documentation here for information on the support of these resource modules.

Included in this Release

You can see a detailed summary of all changes included in this release in the table below. For past release notes, go to the README.md or CHANGELOG.md file on the GitHub repository page for a specific module (see the How to Find DSC Resource Modules on GitHub section below for details on finding the GitHub page for a specific module).

Module Name Version Release Notes
ActiveDirectoryCSDsc 4.0.0.0
  • BREAKING CHANGE: ActiveDirectoryCSDsc module minimum requirements updated to WMF 5.0 because newly added AdcsCertificateAuthoritySettings resource requires WMF 5.0.
  • Added new resource AdcsCertificateAuthoritySettings – see Issue 13.
  • Added new resource AdcsTemplate.
  • Replaced switch blocks with if blocks for evaluating “Ensure” parameter because switch was missing break – fixes Issue 87.
  • Added Comment Based Help for New-NotImplementedException common function.
  • Moved code to create the user account for use in integration test into a CommonTestHelper.psm1 function.
  • Removed user account creation code from AppVeyor.yml and into integration tests themselves to make tests execution easier.
  • Updated user account creation code to use local user/group management Powershell cmdlets available in WMF 5.1 – fixes Issue 24.
  • AdcsCertificationAuthority:
    • Integration tests updated to create test user account in administrators group to make test execution easier.
ActiveDirectoryDsc 4.0.0.0
    The change log length exceeds the allowable limit for PowerShell Gallery. For detailed information about the changes to each resource, see the changelog.md file in the GitHub repo.
  • Changes to ActiveDirectoryDsc
  • Changes to ADManagedServiceAccount
  • Changes to ADComputer
  • Changes to ADOrganizationalUnit
  • Changes to ADUser
  • Changes to ADDomain
  • Changes to ADServicePrincipalName
  • Changes to ADDomainTrust
  • Changes to WaitForADDomain
  • Changes to ADDomainController
  • Changes to ADObjectPermissionEntry
  • Changes to ADGroup
  • Changes to ADDomainDefaultPasswordPolicy
ComputerManagementDsc 6.5.0.0
  • Computer:
    • Fix for “directory service is busy” error when joining a domain and renaming a computer when JoinOU is specified – Fixes Issue 221.
  • Added new resource SmbShare
    • Moved and improved from deprecated module xSmbShare.
  • Changes to ComputerManagementDsc.Common
    • Updated Test-DscParameterState so it now can compare zero item collections (arrays).
  • Changes to WindowsEventLog
    • Minor style guideline cleanup.
  • Opt-in to common test to validate localization. Fixed localization strings in resources – Fixes Issue 217.
  • PowerShellExecutionPolicy:
    • Removed SupportsShouldProcess as it cannot be used with DSC – Fixes Issue 219.
  • Combined all ComputerManagementDsc.ResourceHelper module functions into ComputerManagementDsc.Common module – Fixes Issue 218.
    • Minor code cleanup against style guideline.
    • Removed code from New-InvalidOperationException because it was a code path that could never be used due to the parameter validation preventing the helper function being called that way.
    • Updated all Get-LocalizationData to latest version from DSCResource.Template.
    • Fixed an issue with the helper function Test-IsNanoServer that prevented it from working. The helper function is not used, so this issue was not caught until now, when unit tests were added.
    • Improved code coverage.
SecurityPolicyDsc 2.9.0.0
  • Bug fix – Max password age fails when setting to 0. Fixes Issue 121
  • Bug fix – Domain_controller_LDAP_server_signing_requirements – Require Signing. Fixes Issue 122
  • Bug fix – Network_security_Restrict_NTLM security options correct parameter validation. This fix could impact your systems.
SqlServerDsc 13.1.0.0
  • Changes to SqlServerDsc
    • New DSC resource SqlAgentFailsafe
    • New DSC resource SqlDatabaseUser (issue 846).
      • Adds ability to create database users with more fine-grained control, e.g. re-mapping of orphaned logins or a different login. Supports creating a user with or without login name, and database users mapped to a certificate or asymmetric key.
    • Changes to helper function Invoke-Query
      • Fixes issues in issue 1355.
      • Works together with Connect-SQL now.
      • Parameters now match that of Connect-SQL (issue 1392).
      • Can now pass in credentials.
      • Can now pass in “Microsoft.SqlServer.Management.Smo.Server” object.
      • Can also pipe in “Microsoft.SqlServer.Management.Smo.Server” object.
      • Can pipe Connect-SQL
StorageDsc 4.7.0.0
  • Removed suppression of PSUseShouldProcessForStateChangingFunctions PSSA rule because it is no longer required.
  • Combined all StorageDsc.ResourceHelper module functions into StorageDsc.Common module and removed StorageDsc.ResourceHelper.
  • Opted into Common Tests “Common Tests – Validate Localization” – fixes Issue 206.
  • Refactored tests for StorageDsc.Common to meet latest standards.
  • Minor style corrections.
  • Removed unused localization strings from resources.
  • DiskAccessPath:
    • Added function to force refresh of disk subsystem at the start of Set-TargetResource to prevent errors occurring when the disk access path is already assigned – See Issue 121
xDnsServer 1.14.0.0
  • Copied enhancements to Test-DscParameterState from NetworkingDsc
  • Put the helper module to its own folder
  • Added xDnsServerRootHint resource
  • Added xDnsServerClientSubnet resource
  • Added xDnsServerZoneScope resource
xExchange 1.28.0.0
  • Added MSFT_xExchFrontendTransportService resource, based on MSFT_xExchTransportService resource. Issue 283
  • Added unit and integration tests to the MSFT_xExchFrontendTransportService resource.
  • Added comment based help to the MSFT_xExchFrontendTransportService resource.
  • Minor style fix in MSFT_xExchEcpVirtualDirectory to ensure new PowerShell Script Analyzer custom rules pass.
xPSDesiredStateConfiguration 8.9.0.0
  • MSFT_xRemoteFile:
    • Add a retry mechanism when the download fails.
  • Fixes 631, typo in SQL connection string property name
xWebAdministration 2.7.0.0
  • Changes to xWebAdministration
    • Opt-in to the following DSC Resource Common Meta Tests:
      • Common Tests – Relative Path Length
      • Common Tests – Validate Script Files
      • Common Tests – Validate Module Files
      • Common Tests – Validate Markdown Files
      • Common Tests – Validate Markdown Links
      • Common Tests – Custom Script Analyzer Rules
      • Common Tests – Flagged Script Analyzer Rules
      • Common Tests – Required Script Analyzer Rules
      • Common Tests – Validate Example Files
    • Add ConfigurationPath to xIisMimeTypeMapping examples since it is now a required field.

How to Find Released DSC Resource Modules

To see a list of all released DSC Resource Kit modules, go to the PowerShell Gallery and display all modules tagged as DSCResourceKit. You can also enter a module’s name in the search box in the upper right corner of the PowerShell Gallery to find a specific module.

Of course, you can also always use PowerShellGet (available starting in WMF 5.0) to find modules with DSC Resources:

# To list all modules that are tagged as DSCResourceKit
Find-Module -Tag DSCResourceKit 
# To list all DSC resources from all sources 
Find-DscResource

Please note only those modules released by the PowerShell Team are currently considered part of the ‘DSC Resource Kit’ regardless of the presence of the ‘DSC Resource Kit’ tag in the PowerShell Gallery.

To find a specific module, go directly to its URL on the PowerShell Gallery:
http://www.powershellgallery.com/packages/< module name >
For example:
http://www.powershellgallery.com/packages/xWebAdministration

How to Install DSC Resource Modules From the PowerShell Gallery

We recommend that you use PowerShellGet to install DSC resource modules:

Install-Module -Name < module name >

For example:

Install-Module -Name xWebAdministration

To update all previously installed modules at once, open an elevated PowerShell prompt and use this command:

Update-Module

After installing modules, you can discover all DSC resources available to your local system with this command:

Get-DscResource
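
An added example (not from the PowerShell team) for rolling this release out deliberately: it compares the modules installed locally with the versions in the release table above and prints a pinned install command for each module that is missing or older, which lets you review a change such as the SecurityPolicyDsc NTLM fix before applying it. The function name Get-DscKitDrift is hypothetical; SharePointDsc is left out because the table gives no version for it.

```powershell
# Added example; Get-DscKitDrift is a hypothetical name.
# Versions copied from the "Included in this Release" table above.
$ReleaseVersion = [ordered]@{
    ActiveDirectoryCSDsc         = '4.0.0.0'
    ActiveDirectoryDsc           = '4.0.0.0'
    ComputerManagementDsc        = '6.5.0.0'
    SecurityPolicyDsc            = '2.9.0.0'
    SqlServerDsc                 = '13.1.0.0'
    StorageDsc                   = '4.7.0.0'
    xDnsServer                   = '1.14.0.0'
    xExchange                    = '1.28.0.0'
    xPSDesiredStateConfiguration = '8.9.0.0'
    xWebAdministration           = '2.7.0.0'
}

function Get-DscKitDrift {
    param([System.Collections.IDictionary]$Expected = $ReleaseVersion)

    foreach ($name in $Expected.Keys) {
        $target = [version]$Expected[$name]

        # Newest locally installed copy, if any. This lookup works offline.
        $installed = Get-Module -ListAvailable -Name $name |
            Sort-Object -Property Version -Descending |
            Select-Object -First 1

        $status = if (-not $installed) {
            'NotInstalled'
        } elseif ($installed.Version -lt $target) {
            'Older'
        } elseif ($installed.Version -gt $target) {
            'Newer'
        } else {
            'Current'
        }

        # Emit the command as text so nothing is installed until it has been reviewed.
        $command = if ($status -in 'NotInstalled', 'Older') {
            "Install-Module -Name $name -RequiredVersion $target"
        } else {
            $null
        }

        [pscustomobject]@{
            Module    = $name
            Installed = $installed.Version
            Release   = $target
            Status    = $status
            Command   = $command
        }
    }
}

Get-DscKitDrift | Format-Table -AutoSize
```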

How to Find DSC Resource Modules on GitHub

All resource modules in the DSC Resource Kit are available open-source on GitHub.
You can see the most recent state of a resource module by visiting its GitHub page at:
https://github.com/PowerShell/< module name >
For example, for the CertificateDsc module, go to:
https://github.com/PowerShell/CertificateDsc.

All DSC modules are also listed as submodules of the DscResources repository in the DscResources folder and the xDscResources folder.

How to Contribute

You are more than welcome to contribute to the development of the DSC Resource Kit! There are several different ways you can help. You can create new DSC resources or modules, add test automation, improve documentation, fix existing issues, or open new ones.
See our contributing guide for more info on how to become a DSC Resource Kit contributor.

If you would like to help, please take a look at the list of open issues for the DscResources repository.
You can also check issues for specific resource modules by going to:
https://github.com/PowerShell/< module name >/issues
For example:
https://github.com/PowerShell/xPSDesiredStateConfiguration/issues

Your help in developing the DSC Resource Kit is invaluable to us!

Questions, comments?

If you’re looking into using PowerShell DSC, have questions or issues with a current resource, or would like a new resource, let us know in the comments below, on Twitter (@PowerShell_Team), or by creating an issue on GitHub.

Michael Greene
Principal Program Manager
PowerShell DSC Team
@migreene (Twitter)
@mgreenegit (GitHub)

The post DSC Resource Kit Release July 2019 appeared first on PowerShell.

Out-GridView Returns


Out-GridView Returns!

It’s been almost 3 years since PowerShell Core debuted for Linux and Mac, and as we’ve increased our cmdlet coverage more and more, one cmdlet has always stood out as a top, cross-platform request. Today, we are excited to announce that Out-GridView is debuting on all Core-supported platforms through the GraphicalTools Module.


Installation

If you want to get right to it:

Install-Module Microsoft.PowerShell.GraphicalTools

Features

Out-GridView is a visualization tool to help you deep dive into objects returned from PowerShell.

[Image: Piping Get-Process into Out-GridView]

Quick Search

Easily locate data points matching a query.

Filters

Display specific data matching only selected filters. Supports common string comparison operators, such as contains, equals, starts with, etc.

DataGrid

Rearrange, sort, and select columns to display. Auto-generates object columns based on the PowerShell format type data, expands PSObject properties if no format definition is available.

PassThru

One of the most powerful features, the -PassThru parameter lets you use the GUI to select data to send further down the pipeline.

Get-Process | Out-GridView -PassThru | Stop-Process

If you were so inclined, the above script uses -PassThru to create a pretty effective emulation of Windows Task Manager.

Show Code

Sometimes, you need to automate infrequent but complex tasks where filters may be error-prone. Out-GridView can be used as a filtering tool for these cases to ensure that your filters will produce the output you expect.

Occasionally, you end up needing to repeat this automation and so it would be useful to port your existing Out-GridView workflow to a script.

Pressing the “Show-Code” button will do this for you. It will generate a PowerShell filtering script that is ready for production.

[Image: Using Show Code to find a specific instance of VSCode]

Examples of Out-GridView

The Future

We are looking for a community member to help port Show-Command and Show-Object. Check out the repository and post in the issue tracking Show-Command if you’re interested.

With the majority of the brunt work integrating PowerShell & Avalonia done, we are also open to submissions for new graphical commands or packages. A huge thanks to Adam Driscoll for showing the potential of Avalonia + PowerShell with PSAvalonia.

Lastly, check out the great work AvaloniaUI is doing for cross-platform, .NET Core-based GUIs if you haven’t already.


John Zeiders
Software Engineering Intern
PowerShell Team

The post Out-GridView Returns appeared first on PowerShell.

PowerShell 7 Preview 3


PowerShell 7 Preview 3

In May, I published our PowerShell 7 Roadmap. We have been making progress on our roadmap and are currently on track to have a Generally Available (GA)
release by end of this calendar year.

Long Term Servicing

PowerShell 7 GA will also be our first Long Term Servicing (LTS) release which is a change from our current Modern Lifecycle support for PowerShell Core 6.
We will support PowerShell 7 GA for as long as .NET Core 3.1 is supported before you must upgrade to a newer version to continue to be supported by Microsoft.

Windows PowerShell compatibility

One of the main goals of PowerShell 7 is to have a viable replacement for Windows PowerShell 5.1 in production and we’ve made significant progress towards that goal.

PowerShell 7 Preview 3 is built on .NET Core 3.0 Preview 8 and leverages the work from the .NET Team to close the gap between .NET Core and .NET Framework. .NET Core 3.0 reintroduces a large number of .NET Framework APIs, opening up a large number of PowerShell modules shipped with Windows to be validated and marked as compatible by our team. Because the compatibility changes to the modules come as part of Windows, the latest version of Windows 10/Windows Server is required for full module compatibility.

However, on older versions of Windows, some modules may just work if you use:

Import-Module <moduleName> -SkipEditionCheck

If you have issues with a Microsoft PowerShell module, please open an issue in the PowerShellModuleCoverage repository!

Expect more content on this specific topic from Joey Aiello in the near future with more detail on which modules are compatible and where they’re marked as such.

New Features in Preview 3

This is just a small part of the entire changelog.
New features in this preview from the community and also the PowerShell team:

Experimental Features on by default in Preview builds

We decided to enable all Experimental Features by default in order to solicit more feedback for the PowerShell Committee to determine if a feature should continue as experimental, move from experimental to stable (non-experimental), or be withdrawn. On Stable builds (as well as Release Candidates), experimental features will continue to be disabled by default.

Note that if you had previously manually enabled experimental features, your powershell.config.json settings file will take precedence and only experimental features listed within that file will be enabled. You can delete that file or run Get-ExperimentalFeature | Enable-ExperimentalFeature to ensure all experimental features are enabled. However, if you use the pipeline, you’ll have to do it again with a future Preview release that has new experimental features.

Single Apartment Thread as default

In general, you don’t need to worry about a concept called ApartmentState which only applies to Windows.

Prior to this release, pwsh would run as a multi-threaded apartment by default. However, graphical user interface (GUI) APIs such as WinForms and WPF require a single-threaded apartment. What is important here is that pwsh now behaves the same as powershell.exe with regard to apartment state and, as such, supports calling WinForms and WPF APIs from PowerShell script.

Display COM Method Signature Argument Names

On Windows, if you happen to call COM APIs from PowerShell, a new capability by nbkalex will now show the argument names of COM methods instead of just the type information which can be used as simple documentation indicating what arguments should be passed.


Consider DBNull and NullString as $null

If you work with database types, you may get back a [dbnull]::Value which is equivalent to $null within the database, but in PowerShell, this was not equal to $null so you can’t compare it directly. This change from Joel Sallow allows you to compare both [dbnull]::Value and [nullstring]::Value to $null and get $true.


Read-Host -Prompt works for all input

Due to how Read-Host calls into the console host and how the console host prompts for input (such as mandatory parameters that are given a value), you might encounter a situation where using Read-Host to prompt for input in your script exhibits unintended behavior when certain characters are used. This has been fixed so Read-Host will accept input as expected.


Support negative numbers with -Split operator

The -Split operator splits one or more strings into substrings. You can optionally specify a value to indicate the maximum number of substrings you want returned.

This new capability by Jacob Scott now allows you to specify the maximum number of substrings as a negative value signifying that the split should happen right to left instead of the usual left to right.


ForEach-Object -Parallel

We’ve received consistent feedback that PowerShell users use PSWorkflow primarily to easily run scriptblocks in parallel.

We’ve added a -Parallel parameter to ForEach-Object that accepts a scriptblock to execute in parallel. There is an optional -ThrottleLimit parameter to set the maximum threads to use in parallel where it defaults to 5.
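
An added example (not from the PowerShell team) of -Parallel with -ThrottleLimit, hashing a set of constructed sample files. It also shows two behaviours the paragraph above does not mention: outer variables must be brought into the script block with the $using: scope modifier, and results come back in completion order.

```powershell
# Added example; requires PowerShell 7 Preview 3 or later.
# The directory and files are constructed sample data and are removed at the end.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) "parallel-demo-$PID"
New-Item -ItemType Directory -Path $dir -Force | Out-Null
foreach ($i in 1..8) {
    Set-Content -Path (Join-Path $dir "file$i.txt") -Value ("sample $i " * 1000)
}

$algorithm = 'SHA256'

$hashes = Get-ChildItem -Path $dir -File |
    ForEach-Object -ThrottleLimit 4 -Parallel {
        # Each invocation runs in its own runspace, so $algorithm from the
        # calling scope is only visible through $using:.
        $h = Get-FileHash -Path $_.FullName -Algorithm $using:algorithm
        [pscustomobject]@{
            File     = $_.Name
            Hash     = $h.Hash
            ThreadId = [System.Threading.Thread]::CurrentThread.ManagedThreadId
        }
    }

# Output order follows completion, not input, so sort before comparing runs.
$hashes | Sort-Object -Property File | Format-Table -AutoSize

Remove-Item -Path $dir -Recurse -Force
```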


Resolve AppX reparse points

On Windows 10, if you have apps installed from the Windows Store and list them in the command line, they show up as 0 byte files. These files are actually a different type of link to the actual executable. With this change, the target executable will now show up when using Get-ChildItem.


pwsh as a login shell

On Linux and macOS systems, there is a concept of a login shell which sets up the environment from which other apps and shells inherit. Prior to this release if you used pwsh as your default login shell, you may have noticed that some environment variables are missing or incomplete.

With this change, pwsh will work the same as the Bourne shell (sh) in how it sets up the login environment so that everything works correctly.

Additional Telemetry

In this Preview release, we’ve added more telemetry. Please see Sydney Smith’s blog post on New Telemetry in PowerShell 7 Preview 3.

Closing

Although this blog post focuses on new features, this release also contains many bug fixes as well as targeted performance improvements.

You can always get the latest version of PowerShell from https://aka.ms/get-powershell.

Expect more new features from the community and the PowerShell team in future Preview releases!

Steve Lee
PowerShell Team

The post PowerShell 7 Preview 3 appeared first on PowerShell.

New Telemetry in PowerShell 7 Preview 3


Beginning in PowerShell 7 Preview 3, PowerShell will be sending some additional data points to Microsoft.
This data will allow us to better understand usage of PowerShell and enable us to prioritize our future investments.
These additional points of data were reviewed with the PowerShell community and approved by the PowerShell Committee through the PowerShell RFC process.

What we added

We will continue to use Application Insights to collect the following new telemetry points:

  • Count of PowerShell starts by type (API vs console)
  • Count of unique PowerShell usage
  • Count of the following execution types:
    • Application (native commands)
    • ExternalScript
    • Script
    • Function
    • Cmdlet
  • Enabled Microsoft experimental features or experimental features shipped with PowerShell
  • Count of hosted sessions
  • Microsoft owned modules loaded (based on white list)

This data will include the OS name, OS version, the PowerShell version, and the distribution channel when provided.

We will continue to share portions of our aggregated data with the PowerShell community through the
Public PowerBi report.

Why we added it

We want to make PowerShell better and believe this can be achieved by better understanding how PowerShell is being used.
Through these additional data points we will get answers backed by data to the following questions:

  • Is the PowerShell Core user-base growing?
  • How is PowerShell being used? What is the usage distribution across command types and session type?
  • How can we encourage PowerShell Core usage growth?
  • What are issues that customers are hitting in PowerShell Core?
  • What versions of PowerShell tools and services should Microsoft continue to support?
  • Which experimental features are being used and tested? Which experimental features should we invest in?
  • How can we optimize the engine size and efficiency of PowerShell for cloud scenarios?

To ensure we are getting an accurate picture of how everyone uses PowerShell, not just those most
vocal/involved in the community, we made improvements in our telemetry.
PowerShell usage telemetry will allow us to better prioritize testing, support, and investments.

Performance testing

When implementing this telemetry we took special care to ensure that there would not be a discernible performance impact.
The telemetry is collected through Application Insights and is batched and sent on a separate thread in order to reduce impact.
We also conducted tests to verify that there would not be a noticeable difference in PowerShell performance.

In order to test the performance impact of the telemetry we ran our test suite 5 times with and 5 times without the telemetry changes
and compared the average time for test completion.
The tests had a 1% difference in average completion time with the telemetry-enabled test runs actually having the faster average completion. The difference in average completion time, however, was not statistically significant.

We also tested the impact of collecting telemetry on startup time for both cold starts (first start-up of PowerShell) and warm starts (all future starts). We found that on average cold startups were .028 seconds slower with the additional telemetry while warm startups were, on average, .027 slower. The average performance impact was around 4% and all start-ups during the test runs performed faster than .6023 seconds.

How to disable

The telemetry reporting can be disabled by setting the environment variable POWERSHELL_TELEMETRY_OPTOUT to true, yes, or 1.
This should not be done in your profile, as PowerShell reads this value from your system before executing your profile.
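
One way to persist the opt-out outside the profile and to check which scopes carry it, as an added example that is not part of the original post. The function names Set-TelemetryOptOut and Get-TelemetryOptOutState are hypothetical, and the persisted User scope is assumed to be a Windows system (on Linux and macOS .NET ignores the User and Machine targets).

```powershell
# Added example: helper names are hypothetical, not PowerShell cmdlets.

function Get-TelemetryOptOutState {
    [CmdletBinding()]
    param(
        [string] $Name = 'POWERSHELL_TELEMETRY_OPTOUT'
    )

    # The values the post lists as disabling telemetry, matched exactly as written there.
    $optOutValues = 'true', 'yes', '1'

    # Process = what this session inherited when it was launched.
    # User / Machine = persisted values (Windows only; always empty elsewhere).
    foreach ($scope in 'Process', 'User', 'Machine') {
        $target = [System.EnvironmentVariableTarget]$scope
        $value  = [System.Environment]::GetEnvironmentVariable($Name, $target)
        [pscustomobject]@{
            Scope    = $scope
            Value    = $value
            OptedOut = ($null -ne $value) -and ($optOutValues -ccontains $value)
        }
    }
}

function Set-TelemetryOptOut {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($IsWindows) {
        # Persist for the current user so every new pwsh process inherits the value.
        # Setting it in $PROFILE is too late: pwsh reads it before the profile runs.
        if ($PSCmdlet.ShouldProcess('User environment', 'Set POWERSHELL_TELEMETRY_OPTOUT=1')) {
            [System.Environment]::SetEnvironmentVariable('POWERSHELL_TELEMETRY_OPTOUT', '1', 'User')
        }
    }
    else {
        # On Linux/macOS the variable has to come from whatever launches pwsh,
        # for example a line in ~/.profile or the service unit's environment:
        #   export POWERSHELL_TELEMETRY_OPTOUT=1
        Write-Warning 'Export POWERSHELL_TELEMETRY_OPTOUT=1 in the environment that starts pwsh.'
    }
}

# Report the current state for this session and the persisted scopes.
Get-TelemetryOptOutState | Format-Table -AutoSize
```

A Process row that shows OptedOut as False after running Set-TelemetryOptOut is expected: the session was started before the value was persisted, so start a new pwsh process and check again.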

Feedback and issues

If you encounter any issues with PowerShell telemetry, the best place to get support is through our GitHub page.

The post New Telemetry in PowerShell 7 Preview 3 appeared first on PowerShell.

Microsoft Intune supports Zebra devices with Android Enterprise OEMConfig


(This post is authored by Jessica Yang, Program Manager, Microsoft 365) 

 

Microsoft Intune is delighted to announce support for specialized configuration of Zebra Technologies devices deployed with Android Enterprise (AE). Zebra Technologies is a leading manufacturer of ruggedized devices used by several industries such as retail, healthcare, manufacturing, logistics, and more.

 

Today’s announcement is a result of our continued collaboration with Zebra and Google to support Android Enterprise management for Zebra devices using the OEMConfig standard, in addition to managing Zebra devices on Android device administrator, announced earlier this year. 

 

Before you read on, you’ll want to refresh your knowledge of the OEMConfig configuration designer that we introduced earlier this month.

 

Getting started with Zebra OEMConfig

Zebra’s OEMConfig application provides management capabilities for Zebra-specific functions. With Intune support for Zebra’s OEMConfig app, your organization can use Intune to manage these settings as you onboard to hardware running Android Enterprise.

 

To get started, follow the instructions in the Intune documentation for OEMConfig to add Zebra’s OEMConfig app in the Managed Google Play store to your Intune tenant. Then use the configuration designer or JSON editor to customize the settings available to you. As Zebra updates their OEMConfig app, Intune will automatically pick up new management features for Zebra devices as they are released. For details on supported settings and usage, refer to Zebra’s OEMConfig documentation.

 

 Screenshot of Intune console showing Zebra settings in an OEMConfig profile

 

The OEMConfig standard currently supports targeting a single policy to each device, with basic reporting. You may use the Steps feature in Zebra’s OEMConfig schema to organize your profiles. For example, you can create a Step that configures all network and connectivity-related settings, a second Step that configures user experience-related settings, then order the Steps so that they are executed in the order you want. We are partnering closely with Zebra to add future support for multiple OEMConfig profiles on Zebra devices, as well as improved status reporting.

 

Microsoft Managed Home Screen

In addition to Zebra-specific settings with OEMConfig, Intune’s existing support for AE Dedicated devices allows you to configure OEM-independent Android Enterprise capabilities. You can combine OEMConfig and AE Dedicated device management with Microsoft’s Managed Home Screen for further kiosk lockdown and custom launcher capabilities. For example, the Managed Home Screen allows you to set a custom branded wallpaper for the device, or temporarily drop out of lock task mode for troubleshooting.

 
 

 Screenshots of the Microsoft Managed Home Screen.

 

Next steps

This feature expands the breadth and depth of support for Android Enterprise in Microsoft Intune and enables ruggedized and specialized devices to take full advantage of the Microsoft 365 cloud. The continued partnership between Zebra Technologies and Microsoft Intune allows organizations using Zebra devices to benefit from unified endpoint management without having to modify their current management workflows.

 

We are excited to see more OEMs adopt OEMConfig and encourage you to push your OEMs to support this standard, giving you more options for managing Android devices using Microsoft Intune. You can learn more about Intune support for OEMConfig here.

 

More info and feedback

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit our page on Microsoft Tech Community.

 

Follow @MSIntune on Twitter

 

 


Advanced security for any app in your organization


This blog post was co-authored by - Senior Program Manager, Cloud App Security

 

In today’s modern enterprises, apps run the workplace. While we see an average of 129 IT-managed applications, discovery data from our Cloud Access Security Broker (CASB) shows that the total number of apps accessed by employees in large organizations exceeds 1,000.

In addition, we see that a hybrid app environment is a reality for many organizations. You likely still have on-premises apps alongside your modern cloud apps, as well as a wide range of custom line-of-business apps, that all need to be equally integrated into your security strategy.

 

 

The increasing number of apps and their various deployment modes provide a challenge for IT departments in ensuring secure access and protecting the flow of critical data with a consistent set of controls.

To help streamline the process of providing advanced security for any app in your organization, Microsoft Cloud App Security now provides real-time session controls for any app across cloud, on-premises and custom apps. It provides a centralized experience that allows you to apply a standardized set of inline controls to all the apps in your organization, making it the first Cloud Access Security Broker (CASB) to deliver on a true self-service onboarding experience with a standardized set of powerful monitoring capabilities and controls.

 

This expands the support for Conditional Access App Control, our CASB inline controls, to any app in addition to the rich support we already offer for a set of featured applications. Any app in your environment can now be protected by our CASB solution and allows you to enable powerful real-time monitoring and control over data infiltration and exfiltration across your cloud, on-premises, and custom apps. In creating this new capability, we were focused on developing a solution for customers that ensures a fast, simple and integrated deployment, taking away the pain points of traditional proxy configurations.

 

Any cloud app that leverages SAML 2.0 or Open ID Connect and is configured with single sign-on in Azure AD, as well as any on-premises app configured with Azure AD App Proxy that uses Kerberos Constrained Delegation (KCD) is supported.

 

Deployment

 

The self-guided deployment is simple and only requires 3 basic steps:

 

1. Configure the app in Microsoft Cloud App Security

2. Traverse the app to ensure that all behaviors are as expected, with the ability to provide feedback to the engineering team from directly inside the app to enable a fast fix process if needed.

3. Enable the app with a checkbox deployment and configure the relevant conditional access policies

 

GIF 1: Onboarding a custom app to Cloud App Security and admin testing

 

Once an app is connected, you can implement any of the below controls to prevent exfiltration of sensitive data during risky user sessions, and equally prevent malicious files from compromising your environment:

 

Data exfiltration

  • Block download
  • Block copy/cut
  • Block print
  • Apply Azure Information Protection (AIP) label on download

 

Data infiltration

  • Block upload
  • Block paste

 

Exemplary use case: Prevent download when the user's device is unmanaged

 

GIF 2: End user experience when a file download is blocked

 

All activities are monitored by our Cloud Access Security Broker and available for review and in-depth analysis in the admin activity log. On the Activity log page, admins can leverage various filters to find specific activities or search for activities performed on a certain file. In addition, admins can create activity-based policies to define alerts and automatic governance actions. In the image below you can see a series of activities performed by an end user across various apps. Upon login to a custom app, the user was redirected to inline session controls.

 

Image 1: Activity log in Microsoft Cloud App Security, showing redirection to the reverse proxy for a custom app.

 

The extension of Conditional Access App Control to any app is a game changer in securing your organization. It allows for seamless and centralized configuration of real-time security policies and monitoring across all the apps that matter to you with easy onboarding and an optimized end-user experience. At the same time, we will continue to expand our list of featured apps that will provide custom controls specific to each app, for example, protecting sensitive content from being shared via IM messages in Microsoft Teams.

Get started today and onboard all apps that matter in your organization.

 

More info and feedback

 

 

*https://www.techrepublic.com/article/employees-switch-apps-more-than-1100-times-a-day-decreasing-productivity/

PowerShell ForEach-Object Parallel Feature


PowerShell 7.0 Preview 3 is now available with a new ForEach-Object Parallel Experimental feature. This feature is a great new tool for parallelizing work, but like any tool, it has its uses and drawbacks.

This article describes this new feature, how it works, when to use it and when not to.

What is ForEach-Object -Parallel?

ForEach-Object -Parallel is a new parameter set added to the existing PowerShell ForEach-Object cmdlet.

ForEach-Object -Parallel <scriptblock> [-InputObject <psobject>] [-ThrottleLimit <int>] [-TimeoutSeconds <int>] [-AsJob] 
[-WhatIf] [-Confirm] [<CommonParameters>]

 

Normally, when you use the ForEach-Object cmdlet, each object piped to the cmdlet is processed sequentially.

PS C:> 1..5 | ForEach-Object { "Hello $_"; sleep 1 }
Hello 1
Hello 2
Hello 3
Hello 4
Hello 5

PS C:> (Measure-Command { 1..5 | ForEach-Object { "Hello $_"; sleep 1 } }).Seconds
5

But with the new ForEach-Object -Parallel parameter set, you can run the script block in parallel for each piped input object.

PS C:> 1..5 | ForEach-Object -Parallel { "Hello $_"; sleep 1; } -ThrottleLimit 5 
Hello 1 
Hello 3 
Hello 2 
Hello 4 
Hello 5 

PS C:> (Measure-Command { 1..5 | ForEach-Object -Parallel { "Hello $_"; sleep 1; } -ThrottleLimit 5 }).Seconds
1

Because each script block in the ForEach-Object example above takes 1 second to run, running all five in parallel takes only one second instead of 5 seconds when run sequentially.

Since the script blocks are run in parallel for each of the 1-5 piped input integers, the order of execution is not guaranteed. The -ThrottleLimit parameter limits the number of script blocks running in parallel at a given time, and its default value is 5.

This new feature also supports jobs, where you can choose to have a job object returned instead of having results written to the console.

PS C:> $Job = 1..5 | ForEach-Object -Parallel { "Hello $_"; sleep 1; } -ThrottleLimit 5 -AsJob 
PS C:> $job | Wait-Job | Receive-Job 
Hello 1 
Hello 2 
Hello 3 
Hello 5 
Hello 4

ForEach-Object -Parallel is not the same as the foreach language keyword

Don’t confuse ForEach-Object cmdlet with PowerShell’s foreach keyword. The foreach keyword does not handle piped input but instead iterates over an enumerable object. There is currently no parallel support for the foreach keyword.

PS C:> foreach ($item in (1..5)) { "Hello $item" }
Hello 1
Hello 2
Hello 3
Hello 4
Hello 5

How does it work?

The new ForEach-Object -Parallel parameter set uses existing PowerShell APIs for running script blocks in parallel. These APIs have been around since PowerShell v2, but are cumbersome and difficult to use correctly. This new feature makes it much easier to run script blocks in parallel. But there is a fair amount of overhead involved and many times there is no gain in running scripts in parallel, and in fact it can end up being significantly slower than running ForEach-Object normally.

PowerShell currently supports parallelism in three main categories.

  1. PowerShell remoting. Here PowerShell sends script to external machines to run, using PowerShell’s remoting system.
  2. PowerShell jobs. This is the same as remoting except that script is run in separate processes on the local machine, rather than on external machines.
  3. PowerShell runspaces. Here script is run on the local machine within the same process but on separate threads.

This new feature uses the third method for running scripts in parallel. It has less overhead than the other two methods and does not use the PowerShell remoting system. So it is generally much faster than the other two methods.
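
For comparison, this is roughly what running script on separate runspaces looks like when done by hand with the long-standing runspace pool API. It is an added example, not code from the original post, and it uses a RunspacePool for throttling rather than the cmdlet's own mechanism; the function name Invoke-InRunspacePool is hypothetical.

```powershell
# Added example: Invoke-InRunspacePool is a hypothetical helper, not a PowerShell cmdlet.
function Invoke-InRunspacePool {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]]    $InputObject,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [ValidateRange(1, 64)] [int]         $ThrottleLimit = 5
    )

    # The pool caps concurrency: at most $ThrottleLimit runspaces execute at once.
    $pool = [runspacefactory]::CreateRunspacePool(1, $ThrottleLimit)
    $pool.Open()
    $pending = [System.Collections.Generic.List[object]]::new()

    try {
        foreach ($item in $InputObject) {
            # Each work item gets its own PowerShell instance bound to the shared pool.
            $ps = [powershell]::Create()
            $ps.RunspacePool = $pool

            # Pass the script as text so the target runspace compiles its own copy,
            # and pass the item as an argument: nothing from the caller's scope
            # (variables, functions, imported modules) is visible in there.
            $null = $ps.AddScript($ScriptBlock.ToString()).AddArgument($item)

            # BeginInvoke queues the work and returns immediately.
            $pending.Add([pscustomobject]@{ Shell = $ps; Handle = $ps.BeginInvoke() })
        }

        foreach ($work in $pending) {
            # EndInvoke blocks until that item has finished and returns its output.
            $work.Shell.EndInvoke($work.Handle)

            # Non-terminating errors stay on the instance's own error stream
            # unless they are copied back to the caller.
            foreach ($err in $work.Shell.Streams.Error) {
                Write-Error -ErrorRecord $err
            }
        }
    }
    finally {
        # Runspaces hold threads and memory; release them even if a script threw.
        foreach ($work in $pending) { $work.Shell.Dispose() }
        $pool.Dispose()
    }
}

# Usage: the script receives the item as $args[0] (there is no $_ here).
$results = Invoke-InRunspacePool -InputObject (1..5) -ThrottleLimit 5 -ScriptBlock {
    Start-Sleep -Seconds 1
    "Hello $($args[0])"
}
$results
```

Unlike ForEach-Object -Parallel, this sketch returns results in input order because EndInvoke is called in that order, and it reuses pooled runspaces, so state left behind by one script can be seen by the next one that lands on the same runspace.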

However, there is still quite a bit of overhead to run script blocks in parallel. Script blocks run in a context called a PowerShell runspace. The runspace context contains all of the defined variables, functions and loaded modules. So initializing a runspace for script to run in takes time and resources. When scripts are run in parallel they must be run within their own runspace. And each runspace must load whatever module is needed and have any variable be explicitly passed in from the calling script. The only variable that automatically appears in the parallel script block is the piped in object. Other variables are passed in using the $using: keyword.

$computers = 'computerA','computerB','computerC','computerD' 
$logsToGet = 'LogA','LogB','LogC' 

# Read specified logs on each machine, using custom module
$logs = $computers | ForEach-Object -ThrottleLimit 10 -Parallel {
    Import-Module MyLogsModule 
    Get-Logs -ComputerName $_ -LogName $using:logsToGet 
}

 

Given the overhead required to run scripts in parallel, the -ThrottleLimit becomes very useful to prevent the system from being overwhelmed. There are some cases where running a lot of script blocks in parallel makes sense, but also many cases where it does not.

When should it be used?

There are two primary reasons to run script blocks in parallel with the ForEach-Object -Parallel feature (keeping in mind that this feature runs the script on separate system threads).

  1. Highly compute intensive script. If your script is crunching a lot of data over a significant period of time and the scripts can be run independently, then it is worthwhile to run them in parallel. But only if the machine you are running on has multiple cores that can host the script block threads. In this case the -ThrottleLimit parameter should be set approximately to the number of available cores. If you are running on a VM with a single core, then it makes little sense to run high compute script blocks in parallel since the system must serialize them anyway to run on the single core.
  2. Script that must wait on something. If you have script that can run independently and performs long running work that requires waiting for something to complete, then it makes sense to run these tasks in parallel. If you have 5 scripts that take 5 minutes each to run but spend most of the time waiting, you can have them all run/wait at the same time, and complete all 5 tasks in 5 minutes instead of 25 minutes. Scripts that do a lot of file operations, or perform operations on external machines can benefit by running in parallel. Since the running script cannot use all of the machine cores, it makes sense to set the -ThrottleLimit parameter to something greater than the number of cores. If one script execution waits many minutes to complete, you may want to allow tens or hundreds of scripts to run in parallel.

$logNames.count 
10

PS C:> Measure-Command { $logs = $logNames | ForEach-Object -Parallel { Get-WinEvent -LogName $_ -MaxEvents 5000 2>$null } -ThrottleLimit 10 }
TotalMilliseconds : 115994.3 (1 minute 56 seconds)
$logs.Count
50000

PS C:> Measure-Command { $logs = $logNames | ForEach-Object { Get-WinEvent -LogName $_ -MaxEvents 5000 2>$null } }
TotalMilliseconds : 229768.2364 (3 minutes 50 seconds)
$logs.Count
50000

 

The script above collects 50,000 log entries on the local machine from 10 system log names. Running this in parallel is almost twice as fast as running sequentially, because it involves some relatively slow disk access and can also take advantage of the machine's multiple cores as it processes the log entries.

When should it be avoided?

ForEach-Object -Parallel should not be thought of as something that will always speed up script execution. In fact, it can significantly slow down script execution if used heedlessly. For example, if your script block is executing trivial script, then running in parallel adds a huge amount of overhead and will run much slower.

PS C:> (measure-command { 1..1000 | ForEach-Object -Parallel { "Hello: $_" } }).TotalMilliseconds
10457.962

PS C:> (measure-command { 1..1000 | ForEach-Object { "Hello: $_" } }).TotalMilliseconds
18.4473

In the above example, a trivial script block is run 1000 times. The ThrottleLimit is 5 by default so only 5 runspaces/threads are created at a time, but still a runspace and thread is created 1000 times to do a simple string evaluation. Consequently, it takes over 10 seconds to complete. But removing the -Parallel parameter and running the ForEach-Object cmdlet normally results in completion in about 18 milliseconds.

So, it is important to use this feature wisely.

Implementation details

As previously mentioned, the new ForEach-Object -Parallel feature uses existing PowerShell functionality to run script blocks concurrently. The primary addition is the ability to limit the number of concurrent scripts running at a given time with the -ThrottleLimit parameter. Throttling is accomplished by a PSTaskPool class that holds running tasks (running scripts), and has a settable size limit which is set to the throttle limit value. An Add method allows tasks to be added to the pool, but if it is full then the method blocks until a new slot becomes available. Adding tasks to the task pool was initially performed on the ForEach-Object cmdlet piped input processing thread. But that turned out to be a performance bottleneck, and now a dedicated thread is used to add tasks to the pool.

PowerShell itself imposes conditions on how scripts run concurrently, based on its design and history. Scripts have to run in runspace contexts and only one script thread can run at a time within a runspace. So in order to run multiple scripts simultaneously multiple runspaces must be created. The current implementation of ForEach-Object -Parallel creates a new runspace for each script block execution instance. It may be possible to optimize this by re-using runspaces from a pool, but one concern in doing this is leaking state from one script execution to another.

Runspace contexts are an isolation unit for running scripts, and generally do not allow sharing state between themselves. However, variables can be passed at the beginning of script execution through the $using: keyword, from the calling script to the parallel script block. This was borrowed from the remoting layer, which uses the keyword for the same purpose but over a remote connection. But there is a big difference when using the $using: keyword in ForEach-Object -Parallel. For remoting, the variable being passed is a copy sent over the remoting connection. With ForEach-Object -Parallel, the actual object reference is passed from one script to another, violating normal isolation restrictions. So it is possible to have a non-thread-safe variable used in two scripts running on different threads, which can lead to unpredictable behavior.

# This does not throw an error, but is not guaranteed to work since the dictionary object is not thread safe 
$threadUnSafeDictionary = [System.Collections.Generic.Dictionary[string,object]]::new()
Get-Process | ForEach-Object -Parallel {
    $dict = $using:threadUnSafeDictionary
    $dict.TryAdd($_.ProcessName, $_)
}

 
# This *is* guaranteed to work because the passed in concurrent dictionary object is thread safe
$threadSafeDictionary = [System.Collections.Concurrent.ConcurrentDictionary[string,object]]::new()
Get-Process | ForEach-Object -Parallel {
    $dict = $using:threadSafeDictionary
    $dict.TryAdd($_.ProcessName, $_)
}

$threadSafeDictionary["pwsh"]

NPM(K) PM(M) WS(M) CPU(s) Id SI ProcessName
------ ----- ----- ------ -- -- -----------
112 108.25 124.43 69.75 16272 1 pwsh

 

Conclusion

This feature can greatly improve your life for many workload scenarios. As long as you understand how it works and what its limitations are, you can experiment with parallelism and make real performance improvements with your scripts.

Paul Higinbotham
Senior Software Engineer
PowerShell Team

The post PowerShell ForEach-Object Parallel Feature appeared first on PowerShell.

Release of PowerShell Script Analyzer (PSScriptAnalyzer) 1.18.2


In keeping with the tradition of releasing improvements to PSScriptAnalyzer more often, we’re happy to announce that 1.18.2 is now available! As a dependency of PowerShell Editor Services (a module used by editor extensions like the PowerShell Visual Studio Code extension), this release is motivated by a desire to further stabilize our editor experience. At the moment, the Visual Studio Code PowerShell extension still ships with PSScriptAnalyzer 1.18.0. After fixing some undesirable edge cases between 1.18.1 and 1.18.2, we intend to ship an update to the Visual Studio Code extension that will include 1.18.2.

The blocking issue that it resolves is quite technical and should not concern end-users, but for those who are interested: starting with 1.18.1, a performance optimization was added whereby we started to share and cache a PowerShell runspace pool instead of creating a new one for every command invocation. However, it turns out that there is an edge case where, when dealing with specific commands from the PackageManagement module, the runspace pool can get into a deadlock, which causes the execution of PSScriptAnalyzer to hang indefinitely. This is due to a bug in PackageManagement itself (a very unfortunate asynchronous API call that leads to the deadlock) but also PowerShell itself, which should be able to handle bad scenarios like this. Therefore, a workaround for this had to be implemented in PSScriptAnalyzer by blacklisting the PackageManagement commands.

Given that the other changes in this release are mainly fixes and small enhancements, we decided to not bump the minor version number. We ask that the community participate in testing and giving feedback on this update before it ships by default in the Visual Studio Code extension. You can make the Visual Studio Code extension use this new update by executing the following command:

Install-Module -Name PSScriptAnalyzer -Repository PSGallery -Scope CurrentUser

Should you find that there are changes that you are not happy with, please report them here.

Optionally, you can roll back to the default included version of PSScriptAnalyzer by running Uninstall-Module -Name PSScriptAnalyzer.

In this release, we’ve made the following fixes

  • PipelineIndentation: More edge cases when using non-default values of this setting (NoIndentation in the Visual Studio Code extension) were fixed. This feature was only introduced in 1.18.0 and we hope to be closer to a state now where we could potentially change the default.
  • New compatibility rule profiles were added for non-Windows OSs on PowerShell 7 (preview). Additionally, fixes were made to profile generation to support macOS and Linux.
  • A fix was made to PSCloseBrace to correctly flag the closing brace of a one-line hashtable, correcting some broken formatting.

Enhancements were made in the following areas

  • When using settings files, error messages are now much more actionable.

PS> Invoke-ScriptAnalyzer -Settings /tmp/MySettings.psd1 -ScriptDefinition 'gci'

Invoke-ScriptAnalyzer : includerule is not a valid key in the settings hashtable.
Valid keys are CustomRulePath, ExcludeRules, IncludeRules, IncludeDefaultRules,
RecurseCustomRulePath, Rules and Severity. 
...

  • PSScriptAnalyzer has a logo now thanks to the community member @adilio
  • The formatter was enhanced to also take commented lines into account in multi-line commands
  • The formatter was enhanced to optionally allow correction of aliases as well. With this change, a setting in the Visual Studio Code extension will soon be made available to configure this. By default, this setting will not be on for the moment. We are open to feedback: while there are very likely a few people that would love for it to be enabled, it may upset others.
  • UseDeclaredVarsMoreThanAssignments now also takes into account the usage of Get-Variable with an array of variables and usage of the named parameter -Name

We’ve also made some changes in our GitHub repository and changed the default branch from development to master to simplify the development workflow and be consistent with other repositories in the PowerShell organization. If you have a fork of the project, you will need to make this change in your fork as well or remember to use master as a base and open pull requests against master. This also means that the next version of the Visual Studio Code extension will point to master for the documentation of PSScriptAnalyzer’s rules.

The Changelog has more details if you want to dig further.

Future Directions

We are thinking of following an approach similar to the Visual Studio Code extension where we make a version 2.0 that drops support for PowerShell version 3 and 4. One of the next changes could be to improve how PowerShellEditorServices calls into PSScriptAnalyzer: currently, Editor Services uses the PSScriptAnalyzer PowerShell cmdlets, which means that we have to create an entire instance of PowerShell for these invocations. Knowing that both PowerShellEditorServices and PSScriptAnalyzer are binary .NET modules, we could directly call into PSScriptAnalyzer’s .NET code by publishing a NuGet package of PSScriptAnalyzer with suitable public APIs. Given that PSScriptAnalyzer currently performs a conditional compilation for each PowerShell version (3, 4, 5, and 6+), dropping support for version 4 and 5 could help make the aforementioned move to an API model much easier to implement. Please give feedback if your use case of PSScriptAnalyzer would be impacted by this.

On behalf of the Script Analyzer team,

Christoph Bergmeister, Project Maintainer from the community, BJSS
Jim Truher, Senior Software Engineer, Microsoft

The post Release of PowerShell Script Analyzer (PSScriptAnalyzer) 1.18.2 appeared first on PowerShell.

Maximizing your Identity Security Posture with Azure Advanced Threat Protection


Can your Identity Security Posture be fixed?

 

Security teams worldwide know that most cyber-attacks leverage existing unpatched vulnerabilities (ever heard of BlueKeep?), and these attacks have taught us that often the most effective proactive security strategy for any organization is maintaining a healthy security posture. If you haven’t done it already, patch your operating system while you read this!

 

As attacks continue to grow, in both sophistication and scale, maintaining a strong identity security posture has never been more important. Malicious actors and attackers are constantly searching for exploitable weak spots. According to a recent survey by Code42, unpredictable humans remain the weakest link in data security.

 

What can be done to mitigate the risks that users may unknowingly create?

 

Identity security posture

 

Proactive management and improvement of your identity security posture is the best defensive strategy against unpredictable human behavior.

 

By investigating network traffic and gathering data directly from your identity infrastructure (Active Directory schema and domain controllers as well as other services) Azure Advanced Threat Protection (Azure ATP) can identify common misconfigurations and weak spots that can be used to compromise your environment.

 

By providing you with the relevant information to remediate the risks and assure they don’t resurface, our latest Identity Security Posture Assessment capabilities are your best new line of defense. 

 

 

 

Azure ATP is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

 

Azure ATP also enables SecOps analysts and security professionals struggling to detect advanced attacks in hybrid environments to:

 

  • Monitor users, entity behavior, and activities with learning-based analytics
  • Protect user identities and credentials stored in Active Directory
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage

 

Take immediate action to secure your organization

 

Using Azure ATP’s identity security posture assessments, a Security Administrator can quickly understand if an assessment requires their immediate attention using the suggested remediation.  By providing data, context (most critical entities) and urgency ranking, your security administrators can refocus on what really matters.

 

Ready to dive even deeper? Azure ATP provides the relevant information on why each assessment is important to your organization, along with all the contextual information needed for your security team to act and improve your security posture.

 

Field example: Still hunting legacy protocol usage? The hunt is over.

 

The security community needs an easy way to identify and assess use of legacy authentication protocols such as NTLMv1 in organizations of all sizes. Additionally, most organizations accept the risk of legacy protocols because they fear existing line of business apps will cease functioning.

 

Leveraging Azure ATP sensors on the domain controller, we surface the riskiest entities in your organization that continue authenticating with NTLMv1 as a remediation guide.  It’s key to remediate legacy protocols before disabling NTLMv1 usage completely with use of a LAN Manager authentication level group policy.
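The audit that should precede the group policy change can also be done by hand on a single machine. The following is an added example, not Azure ATP code and not part of the original post: it reads the LAN Manager authentication level from the registry and ranks accounts that still log on with NTLMv1, using the LmPackageName field of Security event 4624. The function names and the sample events are constructed for illustration.

```powershell
# Added example, not Azure ATP code. Function names are hypothetical.
# Meaning of each "Network security: LAN Manager authentication level" value.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Reads the policy value that is in effect on the local machine.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'LmCompatibilityLevel not set (operating system default applies)' }
    $level = [int]$prop.LmCompatibilityLevel
    '{0}: {1}' -f $level, $LmLevels[$level]
}

function ConvertFrom-LogonEventXml {
    # Flattens the XML of one Security event 4624 into a record.
    param([Parameter(Mandatory)][string]$EventXml)
    $doc  = [xml]$EventXml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        Time        = $doc.Event.System.TimeCreated.GetAttribute('SystemTime')
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        LmPackage   = $data['LmPackageName']
    }
}

function Get-NtlmV1Logon {
    # Queries the local Security log for successful logons that used NTLMv1.
    param([int]$Hours = 24)
    $ms    = $Hours * 3600 * 1000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
             "and EventData[Data[@Name='LmPackageName']='NTLM V1']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() }
}

function Get-NtlmV1Summary {
    # Ranks account/workstation pairs by the number of NTLMv1 logons.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Record)
    $Record | Where-Object LmPackage -eq 'NTLM V1' |
        Group-Object Account, Workstation |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample events (not real log data) so the parsing runs offline.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="{0}" /></System>
  <EventData>
    <Data Name="TargetUserName">{1}</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="WorkstationName">{2}</Data>
    <Data Name="LmPackageName">{3}</Data>
    <Data Name="IpAddress">{4}</Data>
  </EventData>
</Event>
'@

$sample = @(
    ($template -f '2019-09-10T08:00:00Z', 'svc-legacyapp', 'APP01', 'NTLM V1', '192.0.2.10'),
    ($template -f '2019-09-10T08:05:00Z', 'svc-legacyapp', 'APP01', 'NTLM V1', '192.0.2.10'),
    ($template -f '2019-09-10T08:06:00Z', 'alice',         'WS042', 'NTLM V2', '192.0.2.20')
) | ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_ }

Get-NtlmV1Summary -Record $sample

# Live use (elevated session on a domain controller or member server):
#   Get-LmCompatibilityLevel
#   Get-NtlmV1Summary -Record @(Get-NtlmV1Logon -Hours 24)
```

An empty summary over a representative period is the signal that raising the LAN Manager authentication level will not break a line of business app on that machine.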

 


 

 

Field example: Stop unconstrained Kerberos delegations in their tracks

 

Several methods of Active Directory-based attacks are known to leverage often misconfigured entities, especially ones set with unconstrained Kerberos delegation.

 

Entities capable of unconstrained Kerberos delegation enjoy nearly unlimited organizational power, allowing them to impersonate any service as another entity, much like how domain controllers operate in Active Directory. It is strongly recommended to modify this permission to allow for more controlled, constrained, or resource-based Kerberos delegation.

 

By querying the active schema, Azure ATP surfaces all non-domain controller entities currently configured in your organization with unconstrained Kerberos delegation, enabling you to act immediately to remediate the threat.
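The same check can be run directly against the directory. The following is an added example, not Azure ATP code and not part of the original post: it decodes the delegation-related userAccountControl flags and lists accounts with unconstrained delegation that are not domain controllers. It assumes the ActiveDirectory PowerShell module for the live query; the function names and sample accounts are constructed for illustration.

```powershell
# Added example, not Azure ATP code. Function names are hypothetical.
# userAccountControl flags relevant to Kerberos delegation.
$UacServerTrustAccount    = 0x2000      # SERVER_TRUST_ACCOUNT: domain controller
$UacTrustedForDelegation  = 0x80000     # TRUSTED_FOR_DELEGATION: unconstrained delegation
$UacTrustedToAuthForDeleg = 0x1000000   # TRUSTED_TO_AUTH_FOR_DELEGATION: protocol transition

function Get-DelegationFinding {
    # Classifies one account from its userAccountControl value and its
    # msDS-AllowedToDelegateTo list (the targets of constrained delegation).
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$UserAccountControl,
        [string[]]$AllowedToDelegateTo = @()
    )
    $isDc = [bool]($UserAccountControl -band $UacServerTrustAccount)
    $finding = if ($UserAccountControl -band $UacTrustedForDelegation) {
        if ($isDc) { 'Unconstrained (domain controller, expected)' }
        else       { 'Unconstrained (remediate)' }
    }
    elseif ($AllowedToDelegateTo.Count -gt 0) {
        if ($UserAccountControl -band $UacTrustedToAuthForDeleg) { 'Constrained with protocol transition' }
        else { 'Constrained (Kerberos only)' }
    }
    else { 'None' }

    [pscustomobject]@{
        Name       = $Name
        Delegation = $finding
        Targets    = $AllowedToDelegateTo -join ', '
    }
}

function Get-UnconstrainedDelegationAccount {
    # Live query. The bitwise-AND matching rule (1.2.840.113556.1.4.803) selects
    # accounts with TRUSTED_FOR_DELEGATION (524288) and excludes domain
    # controllers (SERVER_TRUST_ACCOUNT, 8192).
    Import-Module ActiveDirectory -ErrorAction Stop
    $filter = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
    Get-ADObject -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            $params = @{
                Name                = $_.Name
                UserAccountControl  = $_.userAccountControl
                AllowedToDelegateTo = @($_.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
            }
            Get-DelegationFinding @params
        }
}

# Constructed sample accounts (not real directory data) so the decoding runs offline.
$sample = @(
    @{ Name = 'DC01$';      UserAccountControl = 532480 }    # 0x2000 + 0x80000
    @{ Name = 'WEB01$';     UserAccountControl = 528384 }    # 0x1000 + 0x80000
    @{ Name = 'svc-report'; UserAccountControl = 16777728    # 0x200 + 0x1000000
       AllowedToDelegateTo = 'MSSQLSvc/sql01.contoso.example:1433' }
    @{ Name = 'FILE01$';    UserAccountControl = 4096 }      # 0x1000, no delegation
)
foreach ($account in $sample) { Get-DelegationFinding @account }

# Live use on a domain-joined machine with the ActiveDirectory module:
#   Get-UnconstrainedDelegationAccount
```

Each account the live query returns is a candidate for conversion to constrained or resource-based delegation, as recommended above.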

 


 

Demonstrate impact

 

Improving your identity security posture as an ongoing process is a proven way to make your organization more resilient to threats.

 

Together, with our team of security researchers and developers, these new Azure ATP assessments provide continuous support to your security admins and CISOs by providing an accurate picture of what your security posture looks like and which issues require immediate remediation.

 

Use Azure ATP to provide your teams with all the context they need to monitor, improve, and secure your environment and deliver better, long-term security across your enterprise.

 

Azure ATP is already a part of Microsoft Secure Score and we will add dedicated scoring for each of these new assessments to Secure Score’s identity category in a later update.

 

Sign up to attend our webinar where we walk you through how to leverage Azure ATP to maximize your security posture.

 

Learn more:

 

Get Started Today

 

If you’re one of the many enterprise customers already using Azure ATP and want to use these new Identity Security Posture Management assessments,  turn on the new identity threat investigation experience today.

 

Just starting your Azure ATP journey? Begin a trial of Microsoft Threat Protection to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

 

Join the Azure ATP community for the latest updates and news about identity security posture assessments and management.

Updating Help for older versions of PowerShell


It turns out, maintaining Updateable Help is difficult. The steps required to build and host the updated files are mostly manual. We made improvements to our build automation in the release of PowerShell 6 and now host the help files in Azure blob storage. However, for various internal reasons, we haven’t been able to change the way we distribute the help files for previous versions. Because of that, the downloadable help files for version 5.1 and older have not been updated since PowerShell 6.0 released.

Manually update local help from source

The good news is we have been updating the content. You can see that on the Docs site. And, since the documentation is open source, you can build the updated help content locally and install it on any machine you want. To make it easier to build a specific version, I have created a script that creates the files you need. The process is simple:

  1. Clone or download the PowerShell-Docs repository
  2. Run build-updatedhelp.ps1 to build the version of the documentation you want to update
  3. Run Update-Help to install the newly built help

Prerequisites

Almost all the documentation on the Microsoft Docs platform is written in Markdown. This is the case for PowerShell documentation. However, the help files used by PowerShell are plain text files for About_ topics and Microsoft Assistance Markup Language (MAML) files for cmdlet reference. MAML is XML conforming to a well defined schema. The MAML schema describes the structure of the help content. There is no layout or style information within the MAML files. Rendering this help content in PowerShell is managed by the Get-Help cmdlet. To build the content for Get-Help, we must convert the Markdown source files to plain text and MAML. This is done using the following tools:

  • PlatyPS – an open source tool that creates PowerShell help content – Converts Markdown to MAML.
  • Pandoc – an open source tool that converts documents to or from many different formats – Converts markdown to plain text for About topics.
  • build-updatedhelp.ps1 – This script downloads PlatyPS and Pandoc, then builds CAB files that can be installed using Update-Help.

Step by step instructions

  1. Clone or download the PowerShell-Docs repository

    cd C:\temp
    git clone https://github.com/MicrosoftDocs/PowerShell-Docs.git --depth 1
     Output
    Cloning into 'PowerShell-Docs'...
    remote: Enumerating objects: 3588, done.
    remote: Counting objects: 100% (3588/3588), done.
    remote: Compressing objects: 100% (2169/2169), done.
    remote: Total 3588 (delta 2270), reused 1754 (delta 1403), pack-reused 0
    Receiving objects: 100% (3588/3588), 8.63 MiB | 14.70 MiB/s, done.
    Resolving deltas: 100% (2270/2270), done.
    Updating files: 100% (3905/3905), done.

    NOTE: Cloning the repository using --depth 1 minimizes the history that is downloaded. This reduces the download size. This is the quickest way to get the latest content. If you intend to contribute changes to the documentation, you should first create a fork then clone your fork.

  2. Run build-updatedhelp.ps1 to build the version of the documentation you want to update. This script is in the tools folder of the PowerShell-Docs repository. It is based on the build.ps1 script that is used to build the documentation today. This script downloads PlatyPS and Pandoc, then builds the documentation in the target folder. For example, run the following command to build the help content for PowerShell v5.1:

    C:\temp\PowerShell-Docs\tools\build-updatedhelp.ps1 -sourceFolder C:\temp\PowerShell-Docs\reference\5.1 -Verbose

    The script builds the updateable help content for all Markdown source files in each module subfolder.

  3. Run Update-Help to install the newly built help

    This command must be run within the version of PowerShell that is being updated. Update-Help overwrites the local help content with whatever content you target.

    Installing help in PowerShell 5.1 (and older) requires administrative rights. You must run the following command from an elevated session:

    Update-Help -SourcePath c:\temp\updatablehelp\5.1 -Recurse -Force

    When the Update-Help command completes, you may receive an error message similar to this:

    Update-Help : Failed to update Help for the module(s) 'ActiveDirectory, AppBackgroundTask,
    AppLocker, AppvClient, Appx, AssignedAccess, BestPractices, BitLocker, BitsTransfer, BranchCache,
    ConfigCI, Defender, DirectAccessClientComponents, Dism, DnsClient, EventTracingManagement,
    HgsClient, HgsDiagnostics, HostNetworkingService, Hyper-V, IISAdministration, International,
    iSCSI, IscsiTarget, Kds, MMAgent, MsDtc, NetAdapter, NetConnection, NetEventPacketCapture,
    NetLbfo, NetLldpAgent, NetNat, NetQos, NetSecurity, NetSwitchTeam, NetTCPIP,
    NetworkConnectivityStatus, NetworkControllerDiagnostics, NetworkSwitchManager, NetworkTransition,
    NFS, PcsvDevice, PKI, PnpDevice, PrintManagement, ProcessMitigations, Provisioning,
    RemoteDesktop, ScheduledTasks, SecureBoot, ServerManager, ServerManagerTasks, SmbShare,
    SmbWitness, StartLayout, Storage, TLS, TroubleshootingPack, TrustedPlatformModule, UEV,
    VpnClient, Wdac, WebAdministration, Whea, WindowsDeveloperLicense, WindowsErrorReporting,
    WindowsSearch, WindowsUpdate, WindowsUpdateProvider' with UI culture(s) {en-US} : Unable to
    retrieve the HelpInfo XML file for UI culture en-US. Make sure the HelpInfoUri property in the
    module manifest is valid or check your network connection and then try the command again.
    
    At line:1 char:1
    +Update-Help -SourcePath c:\temp\updatablehelp\5.1 -Recurse -Force
    +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : ResourceUnavailable: (:) [Update-Help], Exception
     + FullyQualifiedErrorId : UnableToRetrieveHelpInfoXml,Microsoft.PowerShell.Commands.UpdateHel

    This message is warning you that the update did not include help for the modules listed. The content for those modules is also kept up-to-date on Microsoft Docs, but the script we’ve provided doesn’t yet support the windows-powershell-docs repo where that content is hosted. However, it could potentially be extended to support that repo (and others) too, so stay tuned for updates.

NOTE: The build script downloads the supported versions of Pandoc and PlatyPS to a temp folder on your computer. It does not overwrite any version you may have installed already. The files are left behind in the temp folder.

Further reading

 

The post Updating Help for older versions of PowerShell appeared first on PowerShell.

PowerShell 7 Preview 4


We continue to make progress towards our PowerShell 7 release which currently is targeting December 2019 for a Release Candidate and January 2020 for General Availability and will be our first LTS (Long Term Servicing) release!

Please see the previous blog post on Preview 3 for more details about LTS and also Windows PowerShell compatibility.

Preview 4 contains a number of bug fixes, but also new features which I’ll cover in this blog post.

New Features in Preview 4

This is just a small part of the entire changelog. New experimental features in this preview from the community and also the PowerShell team:

Ternary Operator

The ternary operator is popular among C# developers due to its terseness which can improve readability if you are familiar with this operator.

This operator is completely opt-in so if you prefer to use if..else instead, you can certainly continue to do that.


Start-Job -WorkingDirectory

Those of you familiar with the Start-Job cmdlet may have noticed that the new PowerShell process started to handle the job has a different working directory on Windows PowerShell than on PowerShell Core, and it is sometimes not what you expect. This parameter was added to allow you to specify the working directory of the new job process before your script block runs!


$ErrorActionPreference = "Break"

This feature comes from a well known PowerShell MVP Kirk Munro. Basically, if you set $ErrorActionPreference to Break, then when there is an error it will drop you into the debugger immediately!


Invoke-DscResource

With this change, you can now leverage DSC Resources while by-passing the LCM (Local Configuration Manager). This means that you can author your own LCM or simply leverage existing DSC Resources within your scripts and this also works cross platform!

Note that binary DSC Resources are not supported!


DSC Configuration Compilation

Previously, if you authored a DSC Configuration script, you would need to use a Windows machine to compile it to a MOF file to deploy onto your managed node. Starting with Preview 4, you can now perform DSC compilation on non-Windows systems.

Note that this is work in progress with some known issues.


Testing the MSIX package

Recently, we started publishing a MSIX package for Windows. This will eventually allow us to publish PowerShell 7 to the Windows Store. For now, if you wish to try out this package, you must be in Developer Mode and use Add-AppxPackage to install it. Double clicking it from the Windows Shell will not allow you to install the developer signed package.

Closing

Although this blog post focuses on new features, this release also contains many bug fixes as well as targeted performance improvements.

You can always get the latest version of PowerShell from https://aka.ms/get-powershell.

Expect more new features from the community and the PowerShell team in future Preview releases!

Steve Lee
PowerShell Team

The post PowerShell 7 Preview 4 appeared first on PowerShell.

DSC Resource Kit Release September 2019


We just released the DSC Resource Kit!

This release includes updates to 15 DSC resource modules. In the past 6 weeks, 160 pull requests have been merged and 68 issues have been closed, all thanks to our amazing community!

The modules updated in this release are:

  • ActiveDirectoryCSDsc 4.1.0.0
  • ActiveDirectoryDsc 4.1.0.0
  • ComputerManagementDsc 7.0.0.0
  • DFSDsc 4.4.0.0
  • NetworkingDsc 7.4.0.0
  • SecurityPolicyDsc 2.10.0.0
  • SqlServerDsc 13.2.0.0
  • xDnsServer 1.15.0.0
  • xExchange 1.29.0.0
  • xFailOverCluster 1.13.0.0
  • xPSDesiredStateConfiguration 8.10.0.0
  • xRemoteDesktopSessionHost 1.9.0.0
  • xSCSMA 2.1.0.0
  • xWebAdministration 2.8.0.0

For a detailed list of the resource modules and fixes in this release, see the Included in this Release section below.

Our latest community call for the DSC Resource Kit was last Wednesday, September 11. A recording of the call is posted on the PowerShell YouTube channel. You can join us for the next call at 12PM (Pacific time) on August 28th to ask questions and give feedback about your experience with the DSC Resource Kit.

The next DSC Resource Kit release will be on Wednesday, October 9.

We strongly encourage you to update to the newest version of all modules using the PowerShell Gallery, and don’t forget to give us your feedback in the comments below, on GitHub, or on Twitter (@PowerShell_Team)!

Please see our documentation here for information on the support of these resource modules.

Included in this Release

You can see a detailed summary of all changes included in this release in the table below. For past release notes, go to the README.md or CHANGELOG.md file on the GitHub repository page for a specific module (see the How to Find DSC Resource Modules on GitHub section below for details on finding the GitHub page for a specific module).

Module Name Version Release Notes
ActiveDirectoryCSDsc 4.1.0.0
  • AdcsCertificationAuthoritySettings:
    • Fix grammar in the resource README.md.
  • Fix minor style issues in statement case.
ActiveDirectoryDsc 4.1.0.0
    • We could not add the change log to the release notes due to the length of the change log. What has changed in this release can be found here: https://github.com/PowerShell/ActiveDirectoryDsc/blob/dev/CHANGELOG.md#4100
ComputerManagementDsc 7.0.0.0
  • ScheduledTask:
    • Better compatibility with Group LogonType when passing BuiltIn groups through ExecuteAsCredential
      • Primary use case is “BUILTIN\Users”
      • Use the ExecuteAsCredential property to pass the username. The PSCredential needs a non-null that is ignored
    • Delay property not handled properly on AtLogon and AtStartup trigger – Fixes Issue 230
    • Changed Get-ScheduledTask calls to ScheduledTasks\Get-ScheduledTask to avoid name clash with Carbon module. Fixes Issue 248
    • Cast MultipleInstances value returned by Get-TargetResource to string – fixes Issue 255
  • PendingReboot:
    • Migrated xPendingReboot from xPendingReboot and renamed to PendingReboot.
    • Converted to meet HQRM guidelines – Fixes Issue 12.
    • Changed SkipCcmClientSDK parameter to default to $true – Fixes Issue 13.
    • Fixed Test-TargetResource so that if ConfigMgr requires a reboot then the pending reboot will be set – Fixes Issue 26.
    • Refactored Test-TargetResource to reduce code duplication and move to a data driven design.
    • Refactored Get-TargetResource by adding a new function Get-PendingRebootState so that Test-TargetResource no longer needed to use Get-TargetResource. This eliminated the need to include write parameters in Get-TargetResource.
    • Converted the call to Invoke-WmiMethod to Invoke-CimMethod.
    • Deleted the code that removes the regRebootLocations variable at the end of the resource as it appears to serve no purpose.
  • Correct all tests to meet Pester 4.0 standards.
  • RemoteDesktopAdmin:
    • New resource for configuring Remote Desktop for Administration – fixes Issue 224.
  • Updated common function Test-DscParameterState to support ordered comparison of arrays by copying function and tests from NetworkingDsc – fixes Issue 250.
  • BREAKING CHANGE: ScheduledTask:
    • Correct output type of DaysInterval,StartTime,WeeksDaysOfWeek, and WeeksInterval parameters from Get-TargetResource to match MOF.
    • Refactored Get-TargetResource to remove parameters that are not key or required – fixes Issue 249.
    • Added function Test-DateStringContainsTimeZone to determine if a string containing a date time includes a time zone.
    • Enable verbose preference to be passed through to Test-DscParameterState.
    • Changed Test-TargetResource so that StartTime is only compared for trigger types Daily,Weekly or Once.
  • Fix minor style issues in statement case.
DFSDsc 4.4.0.0
  • Fix example publish to PowerShell Gallery by adding gallery_api environment variable to AppVeyor.yml – fixes Issue 91.
  • Fix minor style issues in statement case.
NetworkingDsc 7.4.0.0
  • Added Comment Based Help for New-NotImplementedException common function – fixes Issue 411.
  • Added common function “Format-Win32NetworkADapterFilterByNetConnectionID” to properly accept wild cards for Win32_NetworkAdapter filters.
  • Updated MSFT_Netbios to use “Format-Win32NetworkADapterFilterByNetConnectionID”
  • Corrected minor style and consistency issues in NetworkingDsc.Common.tests.ps1 and NetworkingDsc.Common.ps1.
  • Changed verbose messages in Test-DscParameterState to include full type name.
  • Fixed bug in Test-DscParameterState that causes it to return true when both the current array and desired array is empty.
  • Fix minor style issues in statement case.
SecurityPolicyDsc 2.10.0.0
  • Changes to SecurityPolicyDsc
    • Opt-in to the following DSC Resource Common Meta Tests:
      • Common Tests – Validate Module Files
      • Common Tests – Validate Script Files
      • Common Tests – Validate Markdown Files
      • Common Tests – Required Script Analyzer Rules
      • Common Tests – Flagged Script Analyzer Rules
      • Common Tests – New Error-Level Script Analyzer Rules
      • Common Tests – Custom Script Analyzer Rules
      • Common Tests – Validate Markdown Links
      • Common Tests – Relative Path Length
      • Common Tests – Validate Example Files
      • Common Tests – Validate Example Files To Be Published
    • Fix keywords to lower-case to align with guideline.
SqlServerDsc 13.2.0.0
  • Changes to SqlServerDsc
    • Fix keywords to lower-case to align with guideline.
    • Fix keywords to have space before a parenthesis to align with guideline.
xDnsServer 1.15.0.0
xExchange 1.29.0.0
  • Enable Script Analyzer default rules
  • Fixed keywords in upper case
xFailOverCluster 1.13.0.0
  • Updated the xCluster test method to return true if a node is joined to the cluster but is in a Paused state.
xPSDesiredStateConfiguration 8.10.0.0
  • Changes to xPSDesiredStateConfiguration
    • Fix keywords to lower-case to align with guideline.
  • Added SMB PullServer support for publishing.
xRemoteDesktopSessionHost 1.9.0.0
  • Changes to xRDRemoteApp
    • Fixing typo in parameter name when calling the function ValidateCustomModeParameters (issue 50).
  • Changes to xRDSessionDeployment
    • When RDMS service does not exist the Get-TargetResource will no longer throw an error (issue 47).
  • Rename Tests/Unit folder to use upper case on first letter.
  • Update appveyor.yml to use the default template.
  • Added default template files .codecov.yml, .gitattributes, and .gitignore, and .vscode folder.
  • xRDSessionCollectionConfiguration:
    • Changed CollectionName variable validation max length to 256
  • xRDSessionCollection
    • Changed CollectionName variable validation max length to 256
  • xRDRemoteApp
    • Changed CollectionName variable validation max length to 256
xSCSMA 2.1.0.0
  • Update appveyor.yml to use the default template.
  • Added default template files .codecov.yml, .gitattributes, and .gitignore, and .vscode folder.
  • Closed issue 29 – Web bindings fail due to hardcoded WSE
  • Switched from Get-WmiObject Win32_Product to Get-ItemProperty for identifier number
xWebAdministration 2.8.0.0
  • Fix multiple HTTPS bindings on one xWebsite receiving the first binding's certificate 332
    • Added unit regression test
  • Changes to xWebsite
    • Added ServerAutoStart (controls website autostart) and changed documentation for ServiceAutoStartEnabled (controls application auto-initialization). Fixes 325.
    • Fix multiple HTTPS bindings on one xWebsite receiving the first binding's certificate 332
      • Added unit regression test
    • Changes to xWebAppPool
      • Fix false Test-TargetResource failure for logEventOnRecycle if items in the Configuration property are specified in a different order than IIS natively stores them 434
    • Changes to xIisModule
      • Fixed the parameters specification for the internal Get-IISHandler and Remove-IISHandler function

How to Find Released DSC Resource Modules

To see a list of all released DSC Resource Kit modules, go to the PowerShell Gallery and display all modules tagged as DSCResourceKit. You can also enter a module’s name in the search box in the upper right corner of the PowerShell Gallery to find a specific module.

Of course, you can also always use PowerShellGet (available starting in WMF 5.0) to find modules with DSC Resources:

# To list all modules that are tagged as DSCResourceKit
Find-Module -Tag DSCResourceKit 
# To list all DSC resources from all sources 
Find-DscResource

Please note only those modules released by the PowerShell Team are currently considered part of the ‘DSC Resource Kit’ regardless of the presence of the ‘DSC Resource Kit’ tag in the PowerShell Gallery.

To find a specific module, go directly to its URL on the PowerShell Gallery:
http://www.powershellgallery.com/packages/< module name >
For example:
http://www.powershellgallery.com/packages/xWebAdministration

How to Install DSC Resource Modules From the PowerShell Gallery

We recommend that you use PowerShellGet to install DSC resource modules:

Install-Module -Name < module name >

For example:

Install-Module -Name xWebAdministration

To update all previously installed modules at once, open an elevated PowerShell prompt and use this command:

Update-Module

After installing modules, you can discover all DSC resources available to your local system with this command:

Get-DscResource

How to Find DSC Resource Modules on GitHub

All resource modules in the DSC Resource Kit are available open-source on GitHub.
You can see the most recent state of a resource module by visiting its GitHub page at:
https://github.com/PowerShell/< module name >
For example, for the CertificateDsc module, go to:
https://github.com/PowerShell/CertificateDsc.

All DSC modules are also listed as submodules of the DscResources repository in the DscResources folder and the xDscResources folder.

How to Contribute

You are more than welcome to contribute to the development of the DSC Resource Kit! There are several different ways you can help. You can create new DSC resources or modules, add test automation, improve documentation, fix existing issues, or open new ones.
See our contributing guide for more info on how to become a DSC Resource Kit contributor.

If you would like to help, please take a look at the list of open issues for the DscResources repository.
You can also check issues for specific resource modules by going to:
https://github.com/PowerShell/< module name >/issues
For example:
https://github.com/PowerShell/xPSDesiredStateConfiguration/issues

Your help in developing the DSC Resource Kit is invaluable to us!

Questions, comments?

If you’re looking into using PowerShell DSC, have questions or issues with a current resource, or would like a new resource, let us know in the comments below, on Twitter (@PowerShell_Team), or by creating an issue on GitHub.

Michael Greene
Principal Program Manager
PowerShell DSC Team
@migreene (Twitter)
@mgreenegit (GitHub)

The post DSC Resource Kit Release September 2019 appeared first on PowerShell.


Microsoft Intune support for Android Enterprise fully managed devices is now generally available


(This post is co-authored by Priya Ravichandran, Senior Program Manager, Microsoft 365) 

 

We are pleased to announce that Microsoft Intune support for Android Enterprise fully managed devices is now generally available.

 

Android Enterprise fully managed is one of the “device owner” management scenarios in the Android Enterprise solution set. This scenario enables user productivity on corporate devices while allowing IT admins to manage capabilities needed by the organization. We have seen an overwhelming uptake of this management capability throughout the multiple phases of public preview, making this the most widely adopted preview for Android management thus far. In preview, we have tens of thousands of devices across global customers already using it to configure and manage their Android devices. In addition to this extensive adoption, we have received significant feedback from the community and customers alike. With this release, customers can deliver a high quality and feature-rich productivity scenario for users on corporate-owned devices while maintaining an extended set of policy controls over the devices.

Onboarding a fully managed device

Intune supports popular provisioning technologies with Android Enterprise devices running Android 6.0 and later, including:

  • Knox Mobile Enrollment
  • NFC
  • QR Code
  • Token Entry
  • Zero Touch Enrollment

Deployment of fully managed devices starts when a new device is acquired and unboxed, or an existing device is factory reset. Using Intune’s enrollment token with your preferred choice of deployment technology, the fully managed provisioning workflow will launch the out of the box experience (OOBE) that will then guide the user through the necessary steps to complete the onboarding process.

 

Once the user enters their corporate credentials, the onboarding process starts with guiding the user through the process of setting up a device PIN based on the organization policy. Having this set up during OOBE ensures that the device is protected against misuse from the start.          


Figure 1: Fully managed OOBE guides user to set up PIN

 

OOBE will automatically download the Microsoft Intune app, Microsoft Authenticator app and the Microsoft Intune Company Portal app. Additionally, the user is also made aware of the full list of required apps that the organization is pushing to their device, making the process more transparent to the end user.


 

Figure 2: OOBE installs the two required apps and shows the user the rest of the mandatory apps being installed

 

Since the download of these additional apps starts immediately in the background, the user gets a head start having the right tools for the job.

 

The final piece of the OOBE is registering the device with Azure Active Directory. Device registration during OOBE ensures that the device is compliant with the organization’s requirements before being able to access any corporate resources on the device.


Figure 3: User starts device registration in OOBE

  


      

Figure 4: Device registration completes during OOBE

  

At the end of the onboarding workflow, the user now has a device that has all the policies and apps they need to be productive and secure.

Multi Factor Authentication with fully managed devices

Multi Factor Authentication (MFA) is a key part of the authentication process for many organizations. With this GA release, the fully managed device will be able to support MFA policies that have been put in place by the organization.

Configuring certificates and resource access policies

On a fully managed device, you can deploy both root certificates and SCEP certificates for authentication. Along with certificate profiles, resource access profiles are also now supported with the full spectrum of authentication options. Email, Wi-Fi and VPN profiles can also be created to leverage the certificate profiles needed for your organization.

 

This support allows your organization to determine which resources are used on a device and how the user can authenticate before using it. For example, you can allow a device to use a specific Wi-Fi profile and authenticate with a certificate that has been pushed to the device, in this case a SCEP certificate you deployed.

Enabling corporate and personal applications on the device

On a fully managed device, Intune provides a locked down approach to apps. By preventing the sideloading of apps on the device, the device maintains its security posture. Organizations do not have to enable installing apps from untrusted sources, which is a concern with the previous device administrator management mode. To ensure that only apps from approved sources are installed on the device, organizations can leverage the Managed Google Play store to distribute corporate apps to managed devices.

 

An organization may deploy additional policies to allow users to install other apps from the public Play store on the device, if they wish to, allowing users to personalize their work device. By default, access to the public Play store is blocked on a fully managed device.


Figure 5: Enabling end user access to the consumer store on fully managed devices

System applications

System apps – like the camera and the dialer – are key apps that are required by many organizations for their users to do their jobs as expected. Intune enables granular control over system apps on Android Enterprise corporate devices. Admins can manage system apps at the package level to ensure that only key apps needed for productivity are enabled on the device, excluding other system apps that are not relevant to the organization. 


Figure 6: Adding and managing system apps - like the Samsung Clock app - on fully managed devices

 

In addition, since these are post-provisioning policy deployments, the list of enabled system apps can be adjusted over the life of the device to meet the organization’s needs.  

Configuration and compliance

The fully managed device supports all the Android Enterprise Device Owner settings offered in the Intune console. Additionally, Intune now supports the ability to create compliance policies on fully managed devices, including:

  • Support for enforcement of PIN complexity requirements
  • Support for specifying a threat level threshold for the device and leveraging Mobile Threat Defense providers
  • Support for SafetyNet Attestation, which will incorporate the jailbreak detection as well.

As with other Intune managed devices, when a device does not meet the compliance requirements, the user is notified and provided with guidelines on how to mitigate the issue. For fully managed devices, end user experiences are now surfaced in the new Microsoft Intune app.

Redesigned end user experience in the Microsoft Intune app

This new modern and light-weight app, simply called ‘Microsoft Intune’, enables the experiences that end users know and love in the Company Portal app for fully managed devices, including managing compliance for their devices, getting support from their organization, and viewing notifications.

 

 

Figure 7: View devices, update settings when needed, and view notifications

 

Figure 8: Get support when needed, view organizational terms, and view user profile

 

The latest release of Microsoft Intune app for Android has the following updates:

  • Improved layout with bottom navigation for the most important actions.
  • Added an additional page that shows the user's profile.
  • Added the display of actionable notifications in the app to inform the user, such as the need to update their device settings.
  • Added the display of custom push notifications, aligning the app with the support recently added in the Company Portal app for iOS and Android.

Today, this new app is only for the fully managed scenario; in all other Android management scenarios, Company Portal will continue to be the end user app.

App protection policies

Intune app protection policies are wholly supported on fully managed devices, at parity with support on other platforms. The Microsoft Company Portal is automatically deployed in the background to enable the additional layer of compliance control.

 

OEMConfig support

Intune has full support for the OEMConfig framework, including an intuitive configuration designer UI that allows organizations to easily leverage supported OEM-specific settings on their fully managed devices. For more details, see this blog post on the OEMConfig configuration designer or refer to the Intune documentation on OEMConfig.

 

Microsoft Launcher for Enterprises

Another key aspect of managing a corporate device – like a Fully Managed device – is to ensure that all end users have a consistent home screen experience on the device. This includes being able to clearly brand the device as well as ensure that the key apps needed for their role are accessible and discoverable on the device. The Microsoft Launcher is a key partner in enabling this well-defined end user experience on corporate devices. When the Microsoft Launcher is deployed to a device, the Launcher is able to detect that the device is a corporate device and will then enforce any app config settings that the admin has specified. This includes being able to set a device wallpaper as well as the list and order of applications on the home screen.

Figure 9: Microsoft Launcher home screen experience on work-managed Android device

While the launcher configuration is currently only exposed via the App config workflow, we are partnering with the Microsoft Launcher team to deliver a first class configuration experience in the Intune Admin Console – to match the experience that is available for the Managed Home Screen today. Watch this space for updates.

 

Next steps

We’re excited to share this milestone with our Microsoft Intune customers who can now deliver a premier manageability and security experience to their end users on Android Enterprise devices. As we continue to innovate on the Android Enterprise platform, we look forward to your ongoing usage and feedback.

Fully managed support is the next step in Intune's commitment to full Android Enterprise support. Also look for new support for private publishing within the Intune console, as well as web link support launching at the same time as Fully managed.  We're committed to a full set of Android Enterprise scenarios that meet high standards of manageability and privacy, so stay tuned for more on this in the coming months.

 

Learn more

Documentation:

Previous blogs in this series:

 

 

More info and feedback

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

 


Windows Admin Center unleashes Server Core adoption

Since the general availability of Windows Server 2019, we have seen the fastest adoption rate of Windows Server Core in history. If you haven't heard of Windows Server Core, then you're really missing out! Windows Server Core is the lightest deployment option of Windows Server Standard or Windows Server Datacenter editions.

Why are customers choosing to deploy Windows Server Core now? It's Windows Admin Center. This new server management tool delivers many of the benefits of the Desktop Experience and is a free download that comes with your Windows Server license. Admins love the intuitive, graphical user interface and the ability to manage your virtual machines from any Windows 10 device. It can be used to log in and manage Windows Server running anywhere. This is a great management option for Windows Server Core because the graphical interface runs locally on your client device and not on your servers. This reduces the size of the operating system that you deploy to support your server workloads.

The benefit of Windows Server Core is that it's a minimal server installation option with fewer server components. This option creates a smaller OS footprint and is ideal for cases where you run virtual machines at scale. Because Windows Server Core does not include a traditional Windows desktop GUI, admins manage Windows Server Core with a command-line interface (CLI) such as PowerShell, which offers scaled automation and lowers server management costs.

Microsoft Office 365 realized the benefits of Windows Server Core. Exchange Online is a core part of Office 365 and has standardized with Windows Server Core across its entire fleet of cloud infrastructure servers. This is because Windows Server Core enables Office 365 to be more operationally efficient and secure by only deploying and managing the capabilities of Windows Server that it needs.

Customers are choosing the Windows Server Core installation option for Windows Server 2019 installed as the host OS on bare metal hardware at three times the rate of Windows Server Core for Windows Server 2016. This installation is great for hyper-converged infrastructure, Hyper-V, and storage technologies like Storage Spaces Direct. It is also an important infrastructure choice for hybrid cloud deployments. As mentioned, Windows Admin Center, the centralized management tool for Windows Server on-premises and in the cloud, has made Windows Server Core even more manageable than ever.

Windows Server 2019 application compatibility for Windows Server Core

As a customer of Windows Server with Desktop Experience, you might be wondering whether the application you're running is compatible with Windows Server Core. With the release of Windows Server 2019, we published a list of compatible Microsoft enterprise server applications. In the list, you can see the growing number of applications that are compatible with Windows Server Core. Exchange Server 2019 is the most recent addition to the list that we recommend using on Windows Server Core. The Windows Server Core App Compatibility feature on demand (FOD) was introduced to give customers the opportunity to add more support for apps they would normally run on Windows Server with Desktop Experience.

The two benefits of the App Compatibility FOD are:

  • Increase in the compatibility of Windows Server Core for server applications that are already in market or have already been developed by organizations and deployed.
  • Assistance with providing OS components and increased app compatibility of software tools used in acute troubleshooting and debugging scenarios.

If you're curious about whether you should go with Windows Server Core or Windows Server with Desktop, find out which one is best for you in this Server Core and Server with Desktop blog. Operating system components that are available as part of the Windows Server Core App Compatibility FOD. Below you'll find screenshots of Windows Server Core with the App Compatibility FOD installed, including Windows Event Viewer and SQL Server with SQL Management Studio, two FODs that customers really appreciate.

Windows Event Viewer:

Screenshot of Windows Event Viewer

SQL Server with SQL Server Management Studio:

Screenshot of SQL Server with SQL Management Studio

Thank you for using Windows Server 2019. We will continue to listen and improve. Please let us know on Insider forums or User Voice if your app does not work on Server Core with the App Compatibility FOD installed, or if you have any other feedback on Windows Server.

The post Windows Admin Center unleashes Server Core adoption appeared first on Windows Server Blog.

Windows Server 2019 adds support for Office 365 ProPlus

Today we're introducing Office 365 ProPlus support for Windows Server 2019 customers with on-premises and Azure deployments. We've also enabled customers to immediately download and leverage FSLogix functionality, including the Office 365 Container, to enhance the speed and performance around user profile data in non-persistent virtualized environments. This continues our commitment to enhance the Office experience in local and virtualized environments and improves the end user experience in non-persistent virtualized environments.

Our priority is to continue to deliver a great Office experience in on-premises virtualized environments; we have updated our Office 365 support requirements and Windows Server support documentation to reflect Office 365 ProPlus support for Windows Server 2019. We recommend taking the following steps as a best practice:

  • Run Office 365 ProPlus on Windows Server 2019
  • Leverage flexibility of Windows Server 2019 to implement single and multi-session capabilities
  • Deploy FSLogix to ensure smooth user profile roaming and end user experience at log on
  • Use OneDrive with the Files On-Demand capabilities for optimized storage and retrieval of user files

For businesses considering the next step in their journey to the cloud, these recommendations ensure the best experience for on-premises deployment while enabling migration to Microsoft's new Windows Virtual Desktop service on Azure, now generally available worldwide. Windows Virtual Desktop provides customers with the best virtual desktop and simplified management on Azure, including support for Windows Server workloads and Office 365 ProPlus, to unlock a productive virtualized end user experience.

The post Windows Server 2019 adds support for Office 365 ProPlus appeared first on Windows Server Blog.

All you need to know about Windows Server at Ignite 2019

Ready, set, go! The Windows Server team is ready to make sure you are set up for success at Microsoft Ignite 2019. Our experts are busy preparing technical content for breakout sessions, theater sessions and hands-on-workshops. You'll find the schedule to plan your attendance below. We might even challenge you to a game of bowling or cornhole, if you're up for it!

That's right, you've guessed it: aside from all the great product and feature updates at the conference, we're also going to have an awesome customer appreciation party on Tuesday evening, November 5, 2019. Visit the Windows Server booths to find out how to register.

So, what else is going on with Windows Server at Ignite? It's all about modernization. We want to make sure you're equipped to modernize your server management with Windows Admin Center, your re-imagined server management option that centralizes and simplifies previous Windows Server management tools. We also want to arm you with the information you need to migrate off of Windows Server 2008 before the end of support on January 14, 2020. Our unbeatable offers like Extended Security Updates and Azure Hybrid Benefit will get you to Azure at no additional charge above the cost of running Azure Virtual Machines. Check out the full list of sessions below!

Don't miss speakers like Jeff Woolsey, Ned Pyle, Bernardo Caldas, and Cosmos Darwin as they take the stage and dive deep on Windows Server 2019, Windows Admin Center, Windows Server 2008 End of Support, and Azure Stack HCI.

You can begin creating your personalized Windows Server schedule at Ignite this year by copying and pasting the event code (starting with BRK, THR or WRK) into the session scheduler. The Windows Server team is very excited to meet you there. See you soon!


Windows Server Schedule for Ignite 2019 Breakout (BRK), Theater (THR), and Workshop (WRK) sessions

  • WS – BRK2129 “What’s New and What’s Next” (Monday, 3:15pm – 4:00pm)
  • WS – BRK3182 “Windows Server Deep Dive: Demopalooza” (Monday, 4:30pm – 5:15pm)
  • WS – THR2146 “Stop paying someone else to do it automatically monitor, secure, and update your on-premises servers from Azure with Windows Admin Center” (Tuesday, 9:00am – 9:20am)
  • WS – BRK3184 “Automate and manage your Windows Server environment using Azure Management Services” (Tuesday, 10:30am – 11:15am)
  • WS – WRK3003 “Power your hybrid environment with Windows Admin Center and Azure” (Tuesday, 10:45am – 12:00pm)
  • WS – BRK3246 “Plan for Z-Day 2020: Windows Server 2008 End of Support is coming!” (Tuesday, 11:45am – 12:30pm)
  • WS – BRK3244 “Azure Guest Configuration, the evolution of Group Policy” (Tuesday, 11:45am – 12:30pm)
  • WS – BRK3176 “Windows container and the Azure Kubernetes Service” (Tuesday, 1:00pm – 1:45pm)
  • WS – THR1084 “How to re-use your Windows Server licenses in Azure with Azure Hybrid Benefit” (Tuesday, 1:15pm – 1:35pm)
  • WS – THR2140 “Get more done with Windows Admin Center 3rd party extensions” (Tuesday, 3:05pm – 3:25pm)
  • WS – BRK2145 “Windows Virtual Desktop Overview” (Tuesday, 3:30pm – 4:15pm)
  • WS – THR2135 “Be a Windows Admin Center expert: best practices for deployment, configuration, and security” (Tuesday, 5:00 – 5:20pm)
  • WS – THR2176 “Windows Admin Center: Better together with System Center and Azure” (Wednesday, 9:00am – 9:20am)
  • WS – BRK3192 “Seamless connectivity to Azure with Windows Server and Hybrid Networking” (Wednesday, 9:15am – 10:00am)
  • WS – BRK3252 “Windows Server on Azure Overview: Lift-and-Shift Migrations for Enterprise Workloads” (Wednesday, 10:30am – 11:15am)
  • WS – BRK3165 “Windows Admin Center: Unlock Azure Hybrid Value” (Wednesday, 11:45am – 12:30pm)
  • WS – BRK3228 “Files are critical to your business: Modernize your file services with Windows Server 2019 and Azure” (Wednesday, 1:00pm – 1:45pm)
  • WS – THR2155 “Clustering in the Age of HCI and Hybrid!” (Wednesday, 1:15-1:35pm)
  • WS – BRK3166 “OS Internals (for nerds only)” (Wednesday, 2:15pm – 3:00pm)
  • WS – WRK3003 “Power your hybrid environment with Windows Admin Center and Azure” (Wednesday, 2:15pm – 3:30pm)
  • WS – BRK3174 “SCOM 2019: Customer Success stories and what's next” (Wednesday, 3:30pm – 4:15pm)
  • WS – BRK3183 “Accelerate your RDS and VDI migration to Windows Virtual Desktop” (Thursday, 9:15am – 10:00am)
  • WS – BRK3193 “Maximize security with Windows Server 2019 and Azure” (Thursday, 10:30am – 11:15am)
  • WS – BRK2048 “Windows Admin Center: What's New and What's Next” (Thursday, 11:45am – 12:30pm)
  • WS – BRK3173 “Hyper-V Roadmap” (Thursday, 1:00pm – 1:45pm)
  • WS – BRK2147 “Modernize your IT environment and Applications with Windows Containers” (Thursday, 2:15pm – 3:00pm)
  • WS – THR2191 “Navigate common pitfalls encountered when containerizing Windows Server applications” (Friday, 10:10-10:30am)
  • WS – BRK3257 “Protect Access to Office 365/Azure with new features in Active Directory Federation Services in Windows Server 2019 ” Samuel P19 (Friday, 10:30am – 11:15am)
  • WS – BRK2208 “Hybrid management and operations for Windows Server” (Friday, 10:30 – 11:15am)
  • WS – BRK3251 “What's next for software-defined storage and networking for Windows Server” (Friday, 10:45am – 12:00pm)
  • WS – BRK3177 “VMM 2019 and DPM 2019: Customer success stories and what's next” (Friday, 11:45am – 12:30pm)

The post All you need to know about Windows Server at Ignite 2019 appeared first on Windows Server Blog.

Microsoft Intune helps high-security customers authenticate using derived credentials on mobile

Many high-security organizations offer secure passwordless access to corporate data using smart cards. The end user does not have their username and password. Employees and contractors use physical smart card readers to authenticate themselves for secure access to desktops and laptops. Smart cards provide seamless and secure authentication to apps, websites, Wi-Fi, and VPN as well as enable the use of S/MIME to sign and encrypt email. With mobile user productivity becoming commonplace in enterprises, many government and high security customers wonder how to embrace mobility while still maintaining a highly secure environment. When we think about a standard mobile device enrollment experience, the end user begins by entering their username and password which enrolls their device. Various policies, including certificates, are then pushed to the device without further user interaction.


Since smart card users don't have their passwords, how do they authenticate if they can't plug their smart card into their phone?

 

To address this high security use case while enabling the use of mobile devices, the National Institute of Standards and Technology (NIST) created guidelines for derived Personal Identity Verification (PIV) credentials as part of Special Publication (SP) 800-157. The document provides technical details and guidelines on how customers using physical smart cards can obtain a certificate that can be used on mobile devices for authentication and S/MIME signing and encryption. 

 

Microsoft Intune is excited to announce support for derived credentials on iOS devices.

 

Microsoft Intune support for derived credentials

Microsoft has integrated with partners including Entrust Datacard, Intercede, and DISA Purebred for the initial release of derived credentials in support of NIST 800-157 requirements. This is available immediately on iOS devices. In the future, we will add support for Android Enterprise fully managed devices, Windows 10, and integration with other derived credential partners. 

 

So how do smart card users join the secure passwordless revolution from their mobile phones if they cannot plug their smart card into their phone for authentication? They authenticate using the smart card reader on a trusted device, which links the authentication with their mobile device. A digital certificate is then issued to the mobile device. To make the experience smooth for end users, the derived credential enrollment flow is built into the Intune Company Portal app, which is the app used to enroll the device with Intune. As we will see in the next section, users will be prompted shortly after enrollment to retrieve their derived credential and will be guided through the process.

 

Mobile device enrollment flow with derived credentials

Let's walk through the end user experience on day zero, where a user wants to enroll an iOS device into Intune management to get access to company resources, such as Office 365 apps on mobile. The end users authenticate twice using their smart card from a smart card enabled device: once to enroll the mobile device with Intune and once more with the derived credential issuer’s identity system. After successfully completing both steps, a digital certificate is issued to the mobile device:

  • On a mobile device, the end user downloads and installs the Company Portal application from the public app store.
  • As the user reaches the sign in screen, they choose Sign in from another device since they don't have their password.

  • On a smart card enabled device, such as a Windows PC, the user is directed to a sign-in website https://microsoft.com/devicelogin to complete their authentication request using the code that is displayed on their mobile device.

  • The user enters this code into the https://microsoft.com/devicelogin site on their Windows PC and authenticates with their smart card, which completes the authentication request for the Company Portal login. The user then completes the rest of Intune enrollment workflow on the mobile device.

  • After Intune enrollment, an app notification for Company Portal informs the user that they need to go through the enrollment process to get a mobile smart credential (their derived credential). Alternatively, email notifications can be used as well.
  • After clicking on the notification, the user is taken to the derived credential enrollment flow within the Company Portal and follows the process to get the certificate from the derived credential provider onto the device. 
  • This part of the process varies depending on the certificate provider, but generally involves using a physical smart card on a trusted PC to authenticate with the provider's identity system and linking the authentication request on the mobile device. Depending on the provider, the user may have to scan a QR code on the mobile device.

  • Once the process is complete and certificates are received, the mobile device can be used for authentication, signing, and encryption, as defined by the policies configured by the administrator.
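The "Sign in from another device" steps above follow the pattern of the OAuth 2.0 device authorization grant (RFC 8628). The following is an added example, not Microsoft's code: an in-memory Python simulation of both sides of that exchange, showing why the code on the phone is short-lived and single-use. The `AuthorizationServer` class, the `company-portal` client id, the code alphabet, the lifetime and the certificate subject are all constructed for illustration.

```python
import secrets
import time

VERIFICATION_URI = "https://microsoft.com/devicelogin"  # sign-in site named in the post
CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # constructed: no vowels or digits, easy to retype


class AuthorizationServer:
    """In-memory stand-in for the identity service (constructed, not a real API)."""

    def __init__(self, lifetime=900, clock=time.monotonic):
        self.lifetime = lifetime      # seconds a code pair stays valid (assumed value)
        self.clock = clock            # injectable so expiry can be exercised
        self.pending = {}             # device_code -> request record

    def start(self, client_id):
        """Phone: the app gets a device_code (kept secret) and a user_code (displayed)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code,
                                     "expires": self.clock() + self.lifetime,
                                     "subject": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.lifetime, "interval": 5}

    def approve(self, user_code, smart_card_subject):
        """PC: the user types the code after authenticating with the smart card."""
        for rec in self.pending.values():
            live = self.clock() < rec["expires"]
            if live and secrets.compare_digest(rec["user_code"], user_code):
                rec["subject"] = smart_card_subject
                return True
        return False  # unknown or expired code: nothing is linked

    def poll(self, client_id, device_code):
        """Phone: poll until the PC-side sign-in completes."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() >= rec["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["subject"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is redeemed at most once
        return {"access_token": secrets.token_urlsafe(32), "subject": rec["subject"]}


def demo():
    """Run the exchange once and return the ordered poll outcomes."""
    server = AuthorizationServer()
    grant = server.start("company-portal")            # hypothetical client id
    outcomes = [server.poll("company-portal", grant["device_code"]).get("error")]
    server.approve(grant["user_code"], "CN=Constructed User")  # constructed subject
    token = server.poll("company-portal", grant["device_code"])
    outcomes.append("token for " + token["subject"])
    outcomes.append(server.poll("company-portal", grant["device_code"]).get("error"))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The token is bound to whoever authenticated on the PC, so the user should only enter a code that their own phone is displaying.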

 

S/MIME signing and encryption with Microsoft Outlook

In addition to derived credentials for authentication, a significant number of government and high security customers also use S/MIME to sign and encrypt email. To further improve email security, Outlook recently began rolling out S/MIME support on iOS. Soon, you will be able to use derived credentials delivered via Intune’s integration with our partners for S/MIME signing and encryption with Outlook.

 

Microsoft Outlook for iOS and Android provides a fantastic end user experience, combining mail, calendar, and contacts into a single app. Additionally, Outlook contains enterprise protection capabilities against accidental data leakage using Intune app protection policies, and APP also ensures sensitive corporate data is completely wiped from the device when a user leaves the organization. 

 

Next steps

We’re excited to enable Microsoft administrators to adopt the secure passwordless future across all their devices with the industry’s leading manageability and security platform. With support for derived credentials, high-security Microsoft Intune customers can deliver a consistent experience to smart card users on not only Windows devices, but mobile devices as well. To get started, check out the derived credentials documentation for instructions to integrate with our partners, including Entrust Datacard, Intercede, and DISA Purebred.

 

More info and feedback

For more information on how to deploy Microsoft Intune, add our detailed technical documentation as a favorite. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

 


 

(This article is co-authored with Lance Crandall, Principal Program Manager, and Tiffany Silverstein, Program Manager 2)
