
Notes on using the USMT environment variable USMT_WORKING_DIR

Hello. This is Yazawa from the Windows Support Team.
This time I will explain some precautions for using the environment variable "USMT_WORKING_DIR" that can be specified for USMT (User State Migration Tool).

When USMT's scanstate.exe and loadstate.exe are run, by default a working directory is created and used under the %TEMP% directory. When performing an offline migration, the environment variable "USMT_WORKING_DIR" is sometimes used to specify the working directory as follows.
 

 

By design, scanstate.exe and loadstate.exe use this working directory while a scan or load is running, and when the scan or load finishes they delete every folder and file under the working directory. Therefore, if the directory specified in "USMT_WORKING_DIR" is the directory where scanstate.exe and loadstate.exe are stored, or a directory where files you still need are saved, all folders and files under that directory will be deleted once scanstate.exe or loadstate.exe completes. For "USMT_WORKING_DIR", specify a folder whose contents may safely be deleted, or create a new folder and specify that.
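An added example, not code from the original post: a PowerShell helper that prepares a working directory which is safe to hand to USMT_WORKING_DIR, refusing the USMT tool directory, any directory that contains it, and any non-empty directory, since USMT wipes the working directory when it finishes. Paths and the USMT switches in the usage lines are placeholders and assumptions.

```powershell
# Added example, not from the original post. Prepares a safe USMT_WORKING_DIR:
# a freshly created, empty directory that does not hold the USMT tools, so the
# cleanup scanstate/loadstate perform at the end cannot delete anything needed.
function New-UsmtWorkingDir {
    param(
        [Parameter(Mandatory)] [string] $UsmtToolDir,   # where scanstate.exe / loadstate.exe live
        [Parameter(Mandatory)] [string] $WorkingDir     # directory to expose as USMT_WORKING_DIR
    )
    $toolFull = [IO.Path]::GetFullPath($UsmtToolDir).TrimEnd('\') + '\'
    $workFull = [IO.Path]::GetFullPath($WorkingDir).TrimEnd('\') + '\'

    # Refuse the tool directory itself and any parent of it: everything under the
    # working directory is deleted when scanstate/loadstate finish.
    if ($toolFull.StartsWith($workFull, [StringComparison]::OrdinalIgnoreCase)) {
        throw "USMT_WORKING_DIR '$WorkingDir' contains the USMT tools in '$UsmtToolDir'; choose a separate directory."
    }
    foreach ($exe in 'scanstate.exe', 'loadstate.exe') {
        if (Test-Path (Join-Path $workFull $exe)) {
            throw "USMT_WORKING_DIR '$WorkingDir' already holds $exe; it would be deleted."
        }
    }
    # Refuse a non-empty directory: whatever is in it now will be gone afterwards.
    if ((Test-Path $workFull) -and (Get-ChildItem -Force -Path $workFull | Select-Object -First 1)) {
        throw "USMT_WORKING_DIR '$WorkingDir' is not empty; create a new, dedicated folder."
    }
    New-Item -ItemType Directory -Force -Path $workFull | Out-Null

    # Set for this process only; scanstate/loadstate started from this session inherit it.
    $env:USMT_WORKING_DIR = $workFull.TrimEnd('\')
    return $env:USMT_WORKING_DIR
}

# Usage with placeholder paths (assumed): tools in D:\USMT\amd64, scratch dir D:\UsmtWork.
New-UsmtWorkingDir -UsmtToolDir 'D:\USMT\amd64' -WorkingDir 'D:\UsmtWork'
# Offline scan from the same session, e.g.:
#   & 'D:\USMT\amd64\scanstate.exe' 'D:\Store' /offlineWinDir:E:\Windows /o /c
```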

 

 

// Notes
The content of this information (including attachments, linked pages, etc.) is current as of the date of writing and is subject to change without notice.
Statements and comments by Microsoft employees in the community do not represent Microsoft's official views or comments.

World first: analyzing a central bank governor's facial expressions with artificial intelligence, with business applications


Predicting the economic outlook from AI-based facial expression analysis: that may soon become possible. In a joint study by the Nomura Securities Financial and Economic Research Institute and Microsoft in the US, publicly available Internet video of the Bank of Japan governor's press conferences was analyzed, and emotion scores in eight categories were measured: happiness, neutral, anger, surprise, disgust, contempt, sadness, and fear. The Face API of Microsoft Cognitive Services, provided by Microsoft, was used to score the emotions. Based on changes in the emotion scores too subtle for a human to notice, the study reports characteristic changes in the "anger", "disgust", and "sadness" scores at the press conferences held one meeting before, and immediately after, the meeting at which the Bank of Japan announced a change in monetary policy.

Until now, economists and analysts have centered their analysis on "macro indicators" and on decoding the difficult, idiosyncratic wording of official statements, sometimes called "BOJ literature", but in the future it may be possible to foresee the economic outlook by measuring expression scores from images of key figures in economics and finance. The researchers say they will next try the cases of the US Federal Reserve (FRB) and the European Central Bank (ECB). We look forward to interesting developments.

For details, see the following article.

 

 

On specifying authentication when crawling external websites that use forms-based authentication


Hello. This is Zhao Yunlong from SharePoint Support.

In this post, I will introduce a change in the behavior of [Specify form credentials], one of the options in the [Specify authentication] section of the Add Crawl Rule page.

In SharePoint Server 2013, non-SharePoint websites that use forms-based authentication can normally be crawled by selecting [Specify form credentials] in the crawl rule and specifying the credentials.

However, in SharePoint Server 2016, security-hardening changes mean that even when a crawl rule is used, it is no longer possible to set or obtain authentication information on the forms-based authentication page of a site outside the SharePoint farm.

Therefore, in a SharePoint Server 2016 environment, when you select [Specify form credentials] in the [Specify authentication] section of the Add Crawl Rule page, enter the URL of an external forms-based authentication website in [Form URL:], and click the [Enter Credentials] button, the following message is displayed.

==================== Message details (start) ====================

==================== Message details (end) ====================

■ Workaround

This behavior is by design in SharePoint Server 2016.

A possible workaround is to set up Windows authentication on the target web server and to specify and use a separate content access account in SharePoint Server 2016.

 

That is all for this post.

HyperCon 3.0 Conference


Registration for the third annual HyperCon conference is open. Attendees can expect topics including Windows Server, Hyper-V virtualization, GDPR and infrastructure, security, SQL 2017, and Azure Containers. Everything is covered not only in theory but also through practical demonstrations.

One of the largest concentrations of Microsoft MVP award holders will share their experience over two days packed with expert sessions:

  • 21 and 22 November 2017 in Nový Jičín
  • 24 and 15 January 2018 in Prague

Registration and further information about the conference can be found at www.hypercon.cz. Admission to the conference is paid.

- Petr Vlk (KPCS CZ, WUG)

Removing the People Shortcut


The Windows 10 Fall update, version 1709, ships with the People app and a taskbar shortcut that gives quick access to the app and to contacts. After the People app has been removed, this shortcut must be handled separately and removed from the taskbar.

To remove the icon from the taskbar within an SCCM / MDT Task Sequence, the default user's registry hive must first be loaded, the relevant icon removed from the taskband, and the default user profile hive saved again.


The commands that can be added to the task sequence are as follows (the hive is loaded under a temporary key, here HKU\DU, the value is set, and the hive is unloaded):
REG LOAD HKU\DU C:\Users\Default\NTUSER.DAT
reg add "HKU\DU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
REG UNLOAD HKU\DU
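An added example, not code from the original post: the same three steps as a PowerShell script that checks each step, verifies the value was written, and always unloads the hive even when a step fails (a loaded hive that is never unloaded blocks later task sequence steps). It assumes the default profile path and the HKU\DU mount name from the post.

```powershell
# Added example, not from the original post: set PeopleBand=0 in the Default
# user hive so that newly created profiles do not get the People taskbar button.
$Hive    = 'C:\Users\Default\NTUSER.DAT'   # path from the post
$Mount   = 'HKU\DU'                        # temporary mount name from the post
$KeyPath = "$Mount\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People"

# reg.exe is used for load/unload because there is no cmdlet equivalent.
& reg.exe load $Mount $Hive | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed ($LASTEXITCODE): is the hive already loaded or in use?"
}

try {
    & reg.exe add $KeyPath /v PeopleBand /t REG_DWORD /d 0 /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg add failed ($LASTEXITCODE)" }

    # Read the value back through the registry provider to confirm it was written.
    $value = (Get-ItemProperty -Path "Registry::$KeyPath" -Name PeopleBand).PeopleBand
    if ($value -ne 0) { throw "PeopleBand is $value, expected 0" }
    Write-Host 'PeopleBand set to 0 in the default user hive'
}
finally {
    # Drop provider handles first: reg unload fails while the hive is still open.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload $Mount | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed ($LASTEXITCODE); the hive may still be loaded"
    }
}
```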

SharePoint Tidbit – The unofficial RSS for O365 Roadmap


Hello All,

Let me say this again: this is unofficial and not maintained by Microsoft, but it has a nice feature in that it is an RSS feed (which I like, as I can pull the items into Outlook and consume them like email). It is maintained by a gentleman who goes by the name of Joe Palarchio; please refer to his about page here for any questions about the feed.

You can go to http://www.roadmapwatch.com/home/subscribe, then follow the links to the actual feed itself and load that into any RSS reader you prefer (again, I like to use Outlook...). However, if you prefer, you can also use the website to search for features, and it can then redirect you to the official roadmap.

I found this kinda cool and hope you do as well.

Pax

Introducing Windows Defender Application Control


Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control flips the model from one where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand this and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).

While most customers inherently understand the value of application control, the reality is that few customers have been able to employ application control solutions in a manageable way. Consequently, adoption of application control solutions is low. In fact, we estimate that only about 20% of our customers are using any type of application control technology; in many cases these customers use it only on a subset of devices because of the difficulty of creating and maintaining a comprehensive Allow/Deny list. With Windows 10, version 1709, also known as the Fall Creators Update we think we have changed that, and now have a solution that is a viable option for most of our customers to adopt and deploy across nearly all of their devices.

Application Control in Windows 10

With Windows 10 we introduced Windows Defender Device Guard, a set of hardware and OS technologies that, when configured together, allow enterprises to lock down Windows systems so they operate with many of the properties of mobile devices. Device Guard would restrict devices to only run authorized apps using a feature called configurable code integrity (CI), while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (HVCI). With Device Guard’s configurable CI, specifically, customers gained access to a highly differentiated application control solution that provided several unique advantages not found in most other solutions.

First, configurable CI policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. Second, configurable CI allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows. Third, customers could protect the configurable CI policy even from local administrator tampering by digitally signing the policy. This meant that changing the policy required not just administrative privilege, but also access to the organization’s digital signing process. This made it extremely difficult for an attacker or malware that managed to gain administrative privilege to alter the application control policy. And finally, the entire configurable CI enforcement mechanism could be protected by HVCI, which creates the condition where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable CI or any other application control solution.

(Re-)Introducing Windows Defender Application Control

When we originally designed Device Guard it was built with a specific security promise in mind. Although there were no direct dependencies between its two main OS features, configurable CI and HVCI, we intentionally focused our marketing story around the Device Guard lockdown state you achieve when deploying them together. However, this unintentionally left many customers with the impression that the two features were inextricably linked and could not be deployed separately. And given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many customers assumed that they couldn’t use configurable CI either. But configurable CI carries no specific hardware or software requirements other than running Windows 10, which means many customers were wrongly denied the benefits of this powerful application control capability.

Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. And so, with the Fall Creators Update we are promoting configurable CI within our security stack and giving it a name of its own: Windows Defender Application Control. We hope this branding change will help us communicate with customers about their options for application control in Windows and, in so doing, allow more of our customers to begin to approach application control within their organizations.

Does this mean Windows Defender Device Guard is going away? Not at all. Device Guard will continue to exist as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are "Device Guard capable" so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original Device Guard scenario.

Making Application Control easier with managed installer

In the Windows 10 Creators Update (1703) released last spring we introduced an option to WDAC called managed installer to simplify the management of WDAC for organizations with centrally managed software libraries through solutions like System Center Configuration Manager. With the managed installer option, enterprises can declare trusted software distribution authorities so that any applications deployed by them are automatically authorized by the WDAC application control policy without the need to define explicit allow rules. System Center Configuration Manager 1706 added native support for WDAC and managed installer, making deployment of WDAC a two- to three-click action.

Application Control for allow list management made easy

Repositioning Windows Defender Application Control within our security stack eliminates the requirements confusion of Device Guard, and managed installer drastically simplifies options for organizations with well-managed software libraries. Yet many customers struggle to introduce application control due to business necessity or organizational resistance to central control. With these customers in mind, we are excited to introduce a new option for Windows Defender Application Control in the Fall Creators Update that will allow enterprises to leverage Microsoft’s cloud-powered Intelligent Security Graph (ISG) to automatically authorize well-known and reputable apps built from a catalog of billions of apps and binaries that run on Windows. When the ISG option is enabled, software that Microsoft’s ISG determines as being well-known and reputable will be automatically authorized without the need for specific, manually authored rules for each application or binary. This allows IT administrators to easily allow commonly used and prevalent software like Microsoft Office and Adobe Reader, while preventing unknown and known-bad software from running. This kind of cloud-driven application control will help customers protect their environments from attacks like WannaCry that run uncommon scripts or binaries, while still empowering their end users or business groups to manage their individual application needs.

Application Control for more tightly managed or centralized environments

All of the new policy options introduced in the Creators Update and the Fall Creators Update are meant to complement the WDAC policies from earlier Windows 10 releases. Code signing provides the most robust way to identify and authorize applications, and when used with explicit allow and deny rules code-signing provides enterprises the means to express the most secure application control policies. Newer controls like managed installer and ISG-driven application control give enterprises the flexibility they need to balance manageability and security demands. When these options are used with existing tools like signtool, Package Inspector and the Microsoft Store for Business’ Device Guard Signing Service, enterprises have everything they need to start the journey to more secure Windows 10 systems through application control. For apps that are in active development, Windows SDK tools like signtool are available to incorporate code signing into the build process of an application. For applications that are not in active development or acquired from third parties, Package Inspector provides a way to generate a catalog file by monitoring an application’s installation process. Once created, the catalog file can be signed using the organization’s own signature, thus allowing the organization to authorize existing applications without needing to rebuild or repackage them. Catalog signing can be done with certificates issued by the organization’s own internal PKI or by using the Device Guard Signing Service to manage code signing keys and sign catalog files. The Device Guard Signing Service automatically generates and secures organization-specific code signing keys and provides a convenient interface for uploading and signing application catalog files.
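An added example, not code from the post: building a base WDAC policy in audit mode with the managed installer and ISG options discussed above turned on, using the ConfigCI PowerShell cmdlets (New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy) that ship with Windows 10. The file paths are placeholders; the option numbers are the documented ConfigCI policy rule option ids.

```powershell
# Added example, not from the post. Builds a base WDAC policy in audit mode with
# the managed installer (13) and ISG (14) options enabled, then compiles it to
# the binary form the kernel loads. Paths are placeholders.
$PolicyXml = 'C:\WDAC\BasePolicy.xml'
$PolicyBin = 'C:\WDAC\SIPolicy.p7b'

# 1. Scan the installed OS and emit publisher-level allow rules, falling back to
#    file hashes for unsigned binaries; -UserPEs also covers user-mode code.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
             -ScanPath 'C:\Windows' -FilePath $PolicyXml

# 2. Policy rule options (documented ConfigCI option ids):
#    3  = Enabled:Audit Mode                          (log blocks, do not enforce yet)
#    13 = Enabled:Managed Installer                   (trust apps deployed by a declared installer;
#                                                      the installer itself is declared separately,
#                                                      e.g. by Configuration Manager 1706 per the post)
#    14 = Enabled:Intelligent Security Graph Authorization (trust ISG-reputable apps)
foreach ($opt in 3, 13, 14) {
    Set-RuleOption -FilePath $PolicyXml -Option $opt
}

# 3. Compile to the binary the kernel enforces. To deploy, copy it to
#    C:\Windows\System32\CodeIntegrity\SIPolicy.p7b on the target and reboot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Review CodeIntegrity audit events (Event Viewer, Applications and Services Logs >
# Microsoft > Windows > CodeIntegrity > Operational) before switching to enforcement:
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```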

Windows Defender Application Control in Windows Defender ATP

With the Fall Creators Update, Windows Defender Advanced Threat Protection (WD ATP) is getting a number of significant updates, one of which is integrated management of the Windows preventive protection stack. Features like Windows Defender Application Control, Antivirus, Firewall, and others will all provide full optics into the malware and other types of attacks that have been encountered and successfully blocked by the Windows preventive protection stack. All of this information will be surfaced in the Windows Defender ATP Security Center console, which acts as a single pane of glass for the security operations team. In addition, these same preventive protection features can also be centrally enabled and configured in either System Center Configuration Manager or in Intune, as shown in the image below.

With the Fall Creators Update we believe that we have democratized application control by being one of the first solutions in the market that makes it easy to manage and enables it to work on any device running the Enterprise edition of Windows 10. Please download the Fall Creators update and begin proof of concept testing to see if Windows Defender Application Control is a good fit for your organization. We look forward to hearing your feedback so we can continue to make it a better solution for your organization and users.

 

Nazmus Sakib

Program Manager, Windows & Devices Group, Security & Enterprise

 

Learn more about Windows 10 Fall Creators Update

Microsoft 365 Security and Management Features Available in Fall Creators Update

Windows Defender Exploit Guard: Reducing the attack surface with next-generation host intrusion prevention

Stopping ransomware where it counts: Protecting your data with Controlled folder access

Making Microsoft Edge the most secure browser with Windows Defender Application Guard

Introducing Windows Defender Application Control

Hardening the system and maintaining integrity with Windows Defender System Guard

Move away from passwords, deploy Windows Hello. Today!

What’s new in Windows Defender ATP Fall Creators Update

Antivirus evolved

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community.

Follow us on Twitter @MMPC and Facebook Microsoft Malware Protection Center

Making Microsoft Edge the most secure browser with Windows Defender Application Guard


Innovation in the attack space is constant as adversaries increase in both determination and sophistication. In response to increased investments in defense, attackers are adapting and improving tactics at breakneck speed. The good news is that defenders are also innovating and disrupting long reliable attack methods with new technologies. In Windows 10 we’re not just delivering tit for tat point solutions for the latest attacks; instead we’re looking closely at the root causes and are transforming the platform such that we can eradicate entire classes of attacks. Some of the most impactful improvements will come by way of attack surface area reduction and architectural change. One example of these kinds of disruptive approaches can be found in Windows Defender Application Guard (WDAG).

WDAG introduces a slimmed down version of the Hyper-V virtualization technology to bring Azure cloud-grade isolation and security segmentation to Windows applications with Microsoft Edge. WDAG for Microsoft Edge is the strongest form of isolation today, and now with the recently released Windows 10 version 1709, also known as the Fall Creators Update, users of Windows 10 Enterprise can run the Microsoft Edge browser in a fully isolated hardware environment. Doing so provides the highest level of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware. The WDAG container provides a temporary, contained environment for users to experience the Internet. The ability to refresh the container when a user logs off means malware does not have a place to persist.

Threat landscape

In recent years, software isolation of commonly attacked applications such as browsers and document readers has become ubiquitous. Software isolation seeks to contain the damage in the event an application is successfully compromised by an exploit. When sandboxes are in place, malicious code delivered by a successful application exploit is restricted from accessing data and resources on the host operating system, which prevents attacks from performing lateral movement or exfiltrating sensitive information.

Attackers have adapted their tactics rapidly in response to widespread sandboxing by shifting their attention to kernel attacks. In most software sandboxes, the kernel attack surface is left unrestricted, providing attackers who have achieved code execution within a sandboxed app the opportunity to "escape" and escalate the attack. This growing trend is evidenced by the data collected by Microsoft threat analysts on the number of known kernel exploits for Windows.

Number of kernel exploits by year collected by Microsoft

The sharp increase in recent years is attributed to attackers leveraging kernel exploits to escape software sandboxes. Security-conscious enterprises can augment Microsoft Edge’s top-level exploit mitigation and isolation features with an additional layer of kernel protection provided by Windows Defender Application Guard for Microsoft Edge.

Virtualization-based isolation

Microsoft has moved to counter the increase in kernel attacks through a major technological breakthrough in sandbox technology. Leveraging the power of hardware-supported virtualization technology, Windows Defender Application Guard creates what can be thought of as a "miniature" version of the parent Windows OS to host Microsoft Edge when browsing the untrusted internet. In the event that a user clicks a link or visits a site containing a full exploit chain, the container "guest" kernel is fully isolated from the host machine that contains the sensitive or enterprise data and enterprise credentials. This means even a zero-day kernel exploit will only result in a container compromise, which means that user data, apps, the organization's network, and the rest of the OS can remain secure. The container will be disposed of, removing all traces of the attack when the user logs off.

This isolation breakthrough was achieved by creating a new form of container technology that safely shares resources between a guest container and the parent OS. Unlike a standard virtual machine, the WDAG container technology securely shares DLLs, executables, and other operating system resources between the guest and host, minimizing the resources needed to create a WDAG VM. As a result, the unique disk footprint of the WDAG container image is an incredible 18 megabytes! In addition, the Windows operating system has been "enlightened" with full support for WDAG container apps, which includes the ability to suspend or deprioritize the container when not in use, helping to preserve battery life and make the experience of using a container app comparable to a native app. Core operating system functions like language settings, accessibility, and many other features all work across the container, making the advanced security provided by WDAG nearly transparent to the user.

Security is paramount to the value proposition for the WDAG container technology, so the Microsoft Offensive Security Research (OSR) and Windows Security Assurance (SA) teams partnered with the WDAG engineering team to build the technology securely from the ground up. The benefits of this partnership had a dramatic impact on WDAG and the security promise we were ultimately able to make with it. The process we used will be detailed at the upcoming Microsoft BlueHat Conference, as we think it represents a powerful model for future security-related research and development here at Microsoft. With WDAG now shipping, the effort to better secure it will continue; WDAG is continuously reviewed under a standing WDAG security bug bounty with payouts of up to $250K for discovery of issues affecting the hypervisor it is built upon.

So in a nutshell, WDAG offers VM-grade isolation at significantly lower system resources and user experience cost.

WDAG management and Windows Defender ATP integration

User experience and isolation customizations are some of the most commonly discussed topics when we talk about isolation based security solutions. Windows Defender Application Guard offers several policies to let organizations customize the user experience and security policies based on the enterprise risk profile and security posture.

The most critical policy from a trust decision perspective is the network isolation policy, which defines which URLs or network locations are not managed or explicitly trusted by the enterprise and will therefore open in the isolated container environment, versus those that will open in the native host browser. WDAG makes this simple to manage with options for IP- and host-based policy definitions. This policy is also shared across security features such as Windows Information Protection, where it is used to protect against enterprise data leakage.

Clipboard and print policies control user-initiated data exchange between the Windows 10 host and the WDAG container. The persistence policy determines whether WDAG should discard all user-generated session data (cookies, downloaded files, temporary Internet files, etc.) when the container is recycled or preserve it for later use in the container.

For more details on the WDAG policies, please refer to product documentation.

Windows Defender Application Guard Management Options

For customers of Windows Defender ATP and Microsoft 365, WDAG offers deep integration with WD ATP’s post-breach and EDR capabilities. This is an important integration point, as it gives WDAG customers a view into any malicious attacks that have been prevented and isolated within the container and enables further remediation and defensive actions across Windows’ multiple layers of security.

The WDATP team has developed a full range of container specific indicators of attack (IOAs) that are capable of detecting browser and kernel compromises. We recently demonstrated some of these capabilities in a Microsoft mechanics session that highlights the power of WDAG + WDATP as the pre- and post-breach solutions in a synthetic zero-day attack scenario:

Windows Defender ATP console showing WDAG container events

Windows Defender ATP users benefit from an investigation experience that combines events from the container and host into a unified timeline while still allowing container-specific investigation through visual cues and event filtering.

The combination of the pre-breach isolation capability of WDAG and the deep investigation and analytics provided by Windows Defender ATP can provide customers with a robust defense even against the most sophisticated apex attackers.

Conclusion

Windows Defender Application Guard provides an additional hardware isolation-level capability on top of Microsoft Edge’s formidable exploit mitigation and sandbox features. This was enabled by engineering hardware container-based isolation capabilities into the Windows core. WDAG provides a near-native user experience with low resource consumption, deep OS enlightenment, and moderate hardware requirements. Enterprises deploying the Fall Creators Update can immediately deploy WDAG and enjoy the benefits of world-class hardware-rooted security that has enabled Microsoft Edge to become the most secure browser for enterprises.

 

David Weston (@dwizzzleMSFT)

Principal Group Manager, Windows & Devices Group, Security & Enterprise

 


Windows Defender Exploit Guard: Reducing the attack surface with next-generation host intrusion prevention


Windows Defender Exploit Guard is a new set of intrusion prevention capabilities that ships with the Windows 10 Fall Creators Update. The four components of Windows Defender Exploit Guard are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements.

Traditional antivirus technologies are an integral aspect of the endpoint security stack through the identification and removal of malicious executables using a combination of cloud-based machine learning and heuristics. Despite advances in antivirus detection capabilities, attackers are continuously adapting and have been expanding their arsenal of tricks and techniques to compromise endpoints, steal credentials, and execute ransomware attacks without ever needing to write anything to disk. This emerging trend of fileless attacks, which make up over 50% of all threats, is extremely dangerous, constantly changing, and designed to evade traditional AV. Fileless attacks come in two types: those that use non-traditional executable files (e.g., documents with active content in them), and those that exploit vulnerabilities.

Windows Defender Exploit Guard utilizes the capabilities of the Microsoft Intelligent Security Graph (ISG) and the world-class security research team at Microsoft to identify active exploits and common behaviors to stop these types of attacks at various stages of the kill chain. Although the underlying vulnerability being exploited varies, the delivery mechanism differs, and the payload changes, there is a core set of behaviors and vectors that many different attacks adhere to. By correlating streams of events to various malicious behaviors with the ISG, Windows Defender Exploit Guard provides the capability and controls needed to handle these types of emerging threats.

The four components of Windows Defender Exploit Guard are:

  • Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
  • Network protection: Protects the endpoint against web-based threats by blocking outbound connections from any process on the device to untrusted hosts/IPs through Windows Defender SmartScreen
  • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
  • Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Attack Surface Reduction (ASR): Intelligence to control the surface area of the device

Email and Office applications are generally thought of as keystones of enterprise productivity, yet they are the most common vector for attacks and can cause nightmares for security administrators. Both Office and email serve as simple and easy distribution mechanisms for bad actors to kick off malware and fileless attacks. Although Office macros and scripts have many productive use cases, malicious actors can use them to directly perform exploits that operate entirely in memory and are often undetectable by traditional AV techniques. All it takes is for a single user to enable macros on a legitimate-looking Office file, or to open an email attachment that executes a malicious PowerShell script, to compromise a machine.

Attack Surface Reduction provides enterprises with a set of built-in intelligence that can block the underlying behaviors used by these malicious documents to execute without hindering productive scenarios. By blocking malicious behaviors independent of what the threat or exploit is, ASR can protect enterprises from never before seen zero-day attacks like the recently discovered CVE-2017-8759, CVE-2017-11292 , and CVE-2017-11826.

The behaviors ASR provides coverage for in the Fall Creators Update are split among Office, scripts, and email.

For Office apps, ASR can:

  • Block Office apps from creating executable content
  • Block Office apps from launching child processes
  • Block Office apps from injecting into other processes
  • Block Win32 imports from macro code in Office
  • Block obfuscated macro code

Although malicious Office macros are oftentimes responsible for utilizing techniques like injection and launching of executables, ASR can also protect end-users from emerging exploits like DDEDownloader, which has been recently gaining in popularity. This exploit uses the Dynamic Data Exchange (DDE) popup in Office Documents to run a PowerShell downloader; however, in doing so, it launches a child process that the corresponding child process rule blocks.

For script, ASR can:

  • Block malicious JavaScript, VBScript, and PowerShell code that has been obfuscated
  • Block JavaScript and VBScript from executing payloads downloaded from the internet

To highlight the intelligence behind ASR, consider how it handles obfuscated code: a machine learning model powers the obfuscation detection and is retrained multiple times per week in our cloud protection service. The updated model is delivered to the client, where it interfaces with the Antimalware Scan Interface (AMSI) to determine whether a script has been obfuscated for malicious purposes. When a high-confidence match occurs, any attempt to access the script is blocked.

For email, ASR can:

  • Block execution of executable content dropped from email (webmail/mail-client)

Enterprise administrators can set policies on their corporate email (e.g., Office 365) to limit the files that can be delivered to end user inboxes. However, they don’t have control over the files that are delivered via personal email on company devices. Given the increase in spear-phishing, employees' personal emails are also targeted and need to be protected. ASR enables enterprise administrators to apply file policies on personal email for both webmail & mail-clients on company devices.

For any line-of-business applications running within your enterprise, you can configure file- and folder-based exclusions if your applications exhibit unusual behaviors that may be affected by ASR detection.

ASR has a dependency on Windows Defender Antivirus being the primary AV on the device and its real-time protection feature must be enabled. The Windows 10 Security baseline recommends enabling most of the rules in Block Mode to protect your devices from these threat vectors.

Network protection: Blocking outbound connections

The internet is home to a swath of malicious websites that are designed to lure and trick users. They use phishing, deceptive ads, tech scams, social engineering, and other means as part of their campaigns. For some attacks, they seek to acquire information or get immediate financial payout, while others may attempt to install malware on the machine. Oftentimes malware will attempt to connect with a command-and-control server (C&C) to seek further instructions and deliver additional malicious payloads, such that the attacker can spread to additional machines on the network.

Windows Defender SmartScreen protects Microsoft Edge from socially engineered malware, phishing, and other web-based threats through the power of the Intelligent Security Graph (ISG). This has made Microsoft Edge one of the most secure browsers out there, outperforming Chrome and Firefox.

NSS Labs test results for phishing protection between August 23 and September 12, 2017

NSS Labs test results for socially engineered malware between August 23 and September 12, 2017

Windows Defender Exploit Guard’s network protection capability utilizes this same intelligence from ISG to vet, and if necessary block, all outbound connections before they are made. This brings the same level of protection that we previously just had for Microsoft Edge across the entire system and network stack.

By integrating a new network filtering driver into the kernel, the network protection capability can evaluate and block outbound network traffic based on ISG’s hostname and IP address-related reputation intelligence. With a combination of cloud lookups and performant caching to perform these reputation checks, the network protection capability can render web-based malware that depends on a communication channel inoperable.

Regardless of whether the outbound call is to a phishing site, socially engineered malware, or a C&C server, or whether the call originates from a browser or a background process, network protection can intercept and kill the connection. These filtering capabilities can also augment and work in concert with similar protection capabilities from other security solutions, browsers, and so on.

Controlled folder access

Encryption of files by ransomware and other unauthorized apps means losing control of your data: documents, precious photos and videos, and other important files. For enterprises and small businesses, losing access to files can mean disrupted operations. Controlled folder access protects files by locking down critical folders, allowing only authorized apps to access files. Unauthorized apps, including malicious and suspicious executable files, DLLs, scripts, and others, are denied access even when they are running with the user's or administrator's privileges, which malware is often able to obtain.

By default, Controlled folder access protects common folders where documents and other important data are stored, but it is also flexible. You can add additional folders to protect, including those on other drives. You can also allow apps that you trust to access protected folders, so if you are using a unique or custom app, your normal everyday productivity will not be affected.

When enabled, controlled folder access blocks unauthorized access and notifies the user of any attempt by unauthorized apps to access or modify files in protected folders. It delivers this protection in real-time.

Exploit Protection 

Windows Defender Exploit Guard’s exploit protection represents the suite of vulnerability mitigation and hardening techniques that are built directly into Windows 10. As you install the Fall Creators Update, the appropriate mitigation settings will already be configured and applied on the machine. 

Rest In Peace (RIP) EMET

Users of the Enhanced Mitigation Experience Toolkit (EMET) will notice that it was automatically uninstalled from their machine during the upgrade. This is because WDEG includes the best of EMET built directly into Windows 10, so it is now just part of the platform. You can find the previous user experience for configuring EMET vulnerability mitigation capabilities in Windows Defender Security Center. For more information, read Moving Beyond Emet II - Windows-Defender-Exploit-Guard.

Figure: using the Windows Defender Security Center Exploit Protection control to enable the Export Address Filtering (EAF) mitigation for the unpatched application Word 2007

It is important to note that Exploit Guard’s exploit protection accepts a different format for the mitigation configuration than EMET did. To make the process of migrating to Exploit Protection and Windows Defender Exploit Guard easier, there is a PowerShell module that converts EMET XML settings files into Windows 10 mitigation policies for Exploit Guard. This PowerShell module also provides an additional interface for Windows Defender Security Center to configure its mitigation settings.

More information about this PowerShell module, and details on the EMET features relative to security in Windows 10 can be found in the topic Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit. For more details on Windows 10’s threat mitigations, please refer to our Windows 10 Threat Mitigations. Finally, the Windows 10 Security baseline provides a recommended Exploit Protection XML to apply.

Windows Defender Exploit Guard manageability

All the Windows Defender Exploit Guard components are manageable by Group Policy (GP), System Center Configuration Manager (SCCM), and Mobile Device Management (MDM) such as Microsoft Intune.

All components support running in both Audit and Block modes. When Block mode is enabled and a corresponding malicious behavior is observed, Windows Defender Exploit Guard blocks the event in real time. Block events for Attack Surface Reduction, Controlled folder access and Network Protection raise a notification toast on the endpoint in real time and write an event log entry, and can be viewed centrally by security operations personnel in the Windows Defender Advanced Threat Protection (WD ATP) console. Instead of actually blocking the behavior, Audit mode records that an event would have occurred and surfaces that information to the event log and the WD ATP console. This lets enterprises evaluate how a rule or feature within Windows Defender Exploit Guard will perform in their environment and determine whether any exclusions need to be set up. Additionally, Audit mode provides a great deal of visibility into what kinds of behaviors are occurring across the enterprise, giving security admins the information they need to decide whether a rule should be moved to Block mode.
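The staged rollout described above (Audit first, review the events, then promote to Block) in PowerShell, as an added example that is not part of the original post. It assumes Windows 10 1709 with Windows Defender AV as the primary AV and an elevated session; the ASR rule GUIDs are Microsoft's published rule IDs and should be checked against current documentation before use; `C:\Finance\Shared` and `C:\LOB\Reporter.exe` are placeholder paths.

```powershell
# Added example (not from the original post): stage the Exploit Guard components in Audit mode,
# then review what Audit mode recorded before promoting a rule to Block.
# Assumptions: Windows 10 1709, Windows Defender AV is the primary AV, elevated session;
# the ASR rule GUIDs are Microsoft's published rule IDs (verify against current documentation);
# C:\Finance\Shared and C:\LOB\Reporter.exe are placeholder paths.

# 1. Dependency called out above: real-time protection must be on or none of this takes effect.
if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
    throw 'Windows Defender AV real-time protection is off; Exploit Guard components will not run.'
}

# 2. Attack Surface Reduction: the Office, script and email rules, all in Audit mode.
$asrRules = [ordered]@{
    'Office: block creating executable content'         = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Office: block launching child processes'           = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Office: block injecting into other processes'      = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Office: block Win32 API imports from macros'       = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Script: block potentially obfuscated scripts'      = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Script: block JS/VBS launching downloaded content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Email: block executable content from mail/webmail' = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
}
foreach ($rule in $asrRules.GetEnumerator()) {
    Write-Verbose "ASR audit: $($rule.Key)"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions AuditMode
}
# Line-of-business exclusion (keep this list short; an excluded file is not evaluated by any rule).
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\LOB\Reporter.exe'

# 3. Controlled folder access: audit, protect one extra folder, trust one LOB app.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Finance\Shared'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\LOB\Reporter.exe'

# 4. Network protection: audit outbound connections to low-reputation hosts.
Set-MpPreference -EnableNetworkProtection AuditMode

# 5. What would have been blocked? Audit events in the Defender operational log:
#    1122 = ASR audited, 1124 = CFA audited, 1125 = NP audited
#    (the Block-mode counterparts are 1121, 1123 and 1126).
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122, 1124, 1125
    StartTime = (Get-Date).AddDays(-7)
}
$events | Group-Object Id |
    Select-Object @{n = 'EventId'; e = { $_.Name }}, Count,
                  @{n = 'Sample';  e = { ($_.Group[0].Message -split "`r?`n")[0] }}

# 6. Once a rule has run clean in Audit mode for a while, promote just that rule to Block.
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules['Office: block launching child processes'] `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Run step 5 repeatedly over the audit period and look at the `Sample` column for the process and file names in each event: a line-of-business tool that keeps tripping a rule is the candidate for an exclusion, while a rule with zero audit events is safe to promote. The same settings can be delivered at scale through Group Policy, SCCM or Intune; the cmdlets above are the per-device form for evaluation.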

Windows Defender Advanced Threat Protection

Windows Defender ATP provides a single-pane-of-glass experience for managing and viewing all the security feeds and events happening on managed endpoints across the enterprise. With Windows Defender ATP, the entire process tree execution can be seen for Exploit Guard events, making it easy to determine what happened so that a proper response can be executed. In the figure below you can see an example of how a malicious document in Word was used to drop an executable, which was then blocked when it attempted to access the C:\Demo folder.

Controlled folder access blocking sample ransomware

Network Protection blocking phishing test via Chrome browser

Exploit Guard is also surfaced in the Security Analytics dashboard of the Windows Defender ATP console, enabling enterprises to view how the feature is configured across their devices and to drive compliance with recommendations based on best-practice security configurations.

In the end, Windows Defender Exploit Guard is one of the most important new defenses that we have added to Windows 10 in the Fall Creators Update. In many ways, it completes our stack for preventive protection. Organizations that deploy it alongside Windows Defender Antivirus will find that they have a highly effective and differentiated solution for addressing modern fileless attacks and host intrusion. We recommend you evaluate it at the earliest opportunity and we look forward to your feedback.

 

Misha Kutsovsky (@mkutsovsky)

Program Manager, Windows Active Defense

 

Learn more about Windows 10 Fall Creators Update

Microsoft 365 Security and Management Features Available in Fall Creators Update

Windows Defender Exploit Guard: Reducing the attack surface with next-generation host intrusion prevention

Stopping ransomware where it counts: Protecting your data with Controlled folder access

Making Microsoft Edge the most secure browser with Windows Defender Application Guard

Introducing Windows Defender Application Control

Hardening the system and maintaining integrity with Windows Defender System Guard

Move away from passwords, deploy Windows Hello. Today!

What’s new in Windows Defender ATP Fall Creators Update

Antivirus evolved

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community.

Follow us on Twitter @MMPC and Facebook Microsoft Malware Protection Center

 

End of the Project 2007 life cycle

On 10 October 2017 the Project 2007 life cycle ended. This means that Microsoft no longer provides new features, fixes or security updates for any of the following products: Project Server 2007, Project Portfolio Server 2007, Project Standard 2007 and Project Professional 2007. A product's life cycle usually lasts 10 years from its initial release. After 10 October 2017, Microsoft will not provide for Project Server 2007:

  • technical support for problems that arise;
  • fixes for discovered problems that may affect server stability and usability;
  • fixes for discovered vulnerabilities that may put the server at risk;
  • time zone updates.

Installed instances of Project 2007 will continue to work after this date. But because of the changes listed above, we strongly recommend migrating to newer Microsoft solutions as soon as possible.

What can replace Project 2007 and Project Server 2007?

If you use Project Server 2007, consider moving to Project Online or a newer version of the on-premises Project Server (preferably Project Server 2016).

With Project Online you can work with projects on the go; it is an inexpensive option with no maintenance costs after migration, since updates are applied regularly and automatically.

If company policy or other reasons prevent you from using a cloud environment, and you need to control updates, move to Project Server 2016.

Useful resources:

Medientage München 2017: A look into the future of mixed reality and artificial intelligence

More than 100 panels, 400 speakers, 6,000 visitors and 80 exhibitors: it is time again for the Medientage München. From 24 to 26 October 2017 we will be there with various panels and mixed reality demos, all under the motto: the future of human-computer interaction with mixed reality and artificial intelligence.

With the Windows Fall Creators Update, available since 17 October, the first Windows Mixed Reality headsets from our hardware partners are also available in Germany. At #MTM17 visitors now have the chance to try the various headsets and immerse themselves in mixed reality.

 

 

Virtual, augmented and mixed reality: potential for media makers

But what is actually the difference between the Windows Mixed Reality headsets and Microsoft HoloLens? Michael Zawrel, Senior Product Manager Mixed Reality & HoloLens Germany, Microsoft Deutschland, explains this in his keynote on Wednesday, 25 October at 13:30 as part of the Immersive Media Day. Besides the differences between the devices and their use cases, the focus is on the devices' potential for media makers.

Michael Zawrel gives a further outlook on the next steps in mixed reality in the panel "Gekommen um zu bleiben – Virtual, Augmented & Mixed Reality: Was ist drin für Medienmacher?" ("Here to stay: what's in it for media makers?") on Thursday, 26 October at 11:15. After the wave that brought virtual, augmented and mixed reality to consumers in 2016, the so-called "Year Zero", new requirements for storytelling, production and technology have emerged. In this session you will learn what these challenges are and what possible solutions could look like.

Artificial intelligence: where is the road leading?

Artificial intelligence is full of possibilities; we have known that for a while. But so far, developing a learning algorithm or any other artificial intelligence requires deep expertise. So the question arises: how can artificial intelligence be democratized? Manuela Rink addresses this in her keynote on Wednesday, 25 October at 11:15.

Artificial intelligence and Cognitive Services also play an ever greater role in the video market. Videos can be analysed automatically, creating a new quality of metadata and tagging. This is particularly relevant for the young target group, who search media libraries by topic, person or mood rather than by traditional channel or category. Building on this, the impulse talk and subsequent discussion on Wednesday, 25 October at 10:00 with Thomas Heigl, Industry Lead Media, Microsoft Deutschland, deals with the resulting challenges for broadcasters and the change in future editorial curation.

Also with Thomas Heigl, a panel on "Der neue Weg zu Medieninhalten: Die Potenziale von Sprachassistenten wie Alexa, Google Assistant oder Cortana" ("The new way to media content: the potential of voice assistants such as Alexa, Google Assistant or Cortana") takes place on Wednesday, 25 October at 11:15. It addresses the use of smart speakers as a further channel for distributing content from various media houses, and the positioning of those media houses in voice control.

Complementing this, the panel with Alexander Britz, Senior Sales Director Internet of Things, Microsoft Deutschland, is also about the potential of digital assistants, chatbots and messengers, this time in content marketing. It revolves around the question "What possibilities do these helpers offer companies and brands, and how well are they accepted by users?" This and other aspects are examined in an impulse talk with subsequent discussion on Thursday, 26 October at 10:00.

On Thursday, 26 October at 11:15 there is also a discussion with Rainer Kellerhals, Media & Cable Industry Lead EMEA, Microsoft, on the media value chain in the cloud. The cloud enables a production environment that benefits almost every aspect of the media value chain, so that media companies can concentrate fully on producing and marketing first-class content. In the Avid panel we discuss basic considerations for integrating cloud-based strategies, concrete deployment models and first experiences at Avid and Microsoft.

At the same time, Maxi Graeff, Communications Manager Xbox and Gaming, Microsoft Deutschland, speaks on the challenge of audience retention, focusing on the technologies with which Microsoft and Xbox address it.

 

 

All dates at a glance:

  • Wednesday, 25 October, 13:30: keynote by Michael Zawrel, Senior Product Manager Mixed Reality & HoloLens Germany, Microsoft Deutschland, on "Microsoft HoloLens vs. Mixed Reality Brille – Unterschiede, Zielmärkte und Potenziale für Medienmacher" (HoloLens vs. mixed reality headsets: differences, target markets and potential for media makers)
  • Wednesday, 25 October, 10:00: impulse talk and subsequent discussion with Thomas Heigl, Industry Lead Media, Microsoft Deutschland, on "Broadcast und NewTV: Wie Cognitive Services & Co. die Nutzung von Produktions- und Nutzungs-Konzepten von Sendern verändern" (how Cognitive Services and related technologies change broadcasters' production and consumption concepts)
  • Wednesday, 25 October, 11:15: keynote by Manuela Rink on "Democratizing Artificial Intelligence"
  • Wednesday, 25 October, 11:15: panel with Thomas Heigl, Industry Lead Media, Microsoft Deutschland, on "Der neue Weg zu Medieninhalten: Die Potenziale von Sprachassistenten wie Alexa, Google Assistant oder Cortana" (the new way to media content: the potential of voice assistants)
  • Thursday, 26 October, 10:00: impulse talk and discussion with Alex Britz, Senior Sales Director Internet of Things, Microsoft Deutschland, on "Talk to the Machine!"
  • Thursday, 26 October, 11:00: panel with Maxi Graeff, Communications Manager Xbox and Gaming, Microsoft Deutschland, on "Herausforderung Zuschauerbindung – mit welchen Technologien sich Xbox und Microsoft dem entgegenstellt" (the challenge of audience retention and the technologies Xbox and Microsoft use to address it)
  • Thursday, 26 October, 11:15: panel with Michael Zawrel, Senior Product Manager Mixed Reality & HoloLens Germany, Microsoft Deutschland, on "Gekommen um zu bleiben – Virtual, Augmented & Mixed Reality: Was ist drin für Medienmacher?" (here to stay: what's in it for media makers?)
  • Thursday, 26 October, 11:15: discussion with Rainer Kellerhals, Media & Cable Industry Lead EMEA, Microsoft, on "Die mediale Wertschöpfungskette in der Cloud" (the media value chain in the cloud)

A post by Sydney Loerch
PR/Communications Intern

Ask the team that built SQL Server 2017 anything on October 25, 2017

Hi! We're Travis Wright and Tobias Ternstrom from the Microsoft SQL Server engineering team, and we, along with other members of the team, are hosting a Reddit Ask Me Anything session on /r/Database on Wednesday, October 25, 2017, from 10:00 am to 11:30 am PDT.

Why are we doing an AMA?

SQL Server 2017 was made generally available on October 2, on Windows, Linux and Docker containers. With this release, customers have an even wider choice of development languages, data types, and operating systems. We’re excited to connect with you on Reddit to tell you more about our experiences bringing it to market and answering your questions!

We’re also getting ready to join thousands of data professionals in Seattle from October 31 – November 3rd at the PASS Summit 2017. We look forward to this gathering every year. If you’re attending or planning to watch online, this AMA is a great time to catch up beforehand.

Join us! We're looking forward to having a conversation with you.

Troubleshooting Transport Rules that are set to “Do not audit”

When creating a transport rule, please…. PLEASE, do not disable auditing. Your rule auditing setting should not look like this.

Unless of course, you have a security mandate about not auditing transport rules, then please continue on and disable auditing on transport rules. But for those that do not have a security mandate, please do not turn this off!

Why should I not turn it off?

I’m glad you I asked! With auditing disabled (unchecked), a transport rule will not appear in the standard message trace. That’s right, if this rule triggers on a message, and you run a standard message trace on the message, you won’t be able to see what rule triggered. This can make troubleshooting transport rules extremely difficult.

An interesting case

I recently worked with an organization that was not receiving any messages from one of their partners. The sender was not receiving an NDR, and the recipient did not receive the message. When running a message trace, we could see that a transport rule in the recipient's tenant deleted the message, but the name of the transport rule wasn't present in the message trace (we later discovered the reason why: auditing had been disabled on this transport rule). All we saw in the message trace was this.

'[{LED=550 5.2.1 Message deleted by the transport rules agent};{MSG=};{FQDN=};{IP=};{LRT=}]'

If auditing had not been disabled, we also would have seen the name of the transport rule that triggered in the message trace.

The organization wanted to know what transport rule was deleting the message. The tricky part is that there were over 100 transport rules and a lot of them had the action of “delete message.” Going through these rules one by one to try and find the rule with criteria that matched the sending message would be extremely time consuming. If only there was another way.

Wait… there is another way!

Another way!

We pulled an extended message trace for the message and loaded it into Excel. In the custom data column, you can view the transport rules that are evaluated against the message. If you see S:TRA=ETRP, this means that a transport rule was evaluated, but did not trigger. I grabbed the following from an Extended Message Trace that we ran on the message.

In looking at all the rules that were evaluated, I counted about 50. Keep in mind that this organization has well over 100 rules. Since only 50 were evaluated, either a rule triggered with the option of “stop processing more rules,” or a rule triggered with the action of delete. When a rule triggers that has an action of delete, we stop processing subsequent rules.

In looking at the above, we can see the GUID of the last transport rule to trigger. To figure out what this rule is, we can run the following PowerShell.

Get-TransportRule -Identity <GUID>

This returned the name of a rule, which suspiciously contained the text “Phishing Rule” in the name. In looking at the details of this rule we found it had an action of “Delete Message”, and criteria which matched the message that was deleted. Also…. Auditing was disabled on the transport rule, which is why it never showed up in the original message trace that was run.

Now that we had found the transport rule, we could modify its criteria to prevent the false positive it caused.

Help me find my rules that are set to Do Not Audit

If you would like to quickly see what rules you have that are currently set to Do Not Audit, you can run the following PowerShell.

Get-TransportRule | Where-Object { $_.SetAuditSeverity -eq "DoNotAudit" } | Format-List -Property Name, SetAuditSeverity
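The same investigation scripted end to end, as an added example that is not part of the original post: it pulls the rule IDs out of the extended trace's custom data in evaluation order (covering the GUID lookup described in the case above), then lists every rule a standard trace would hide. The custom data layout in `$sampleCustomData` is constructed to match the shape described above (one `S:TRA=` entry per evaluated rule, `ETRP` meaning evaluated but not triggered); the GUIDs in it are placeholders, and the separators are an assumption to adjust against your own export. The `Get-TransportRule` calls need an Exchange Online PowerShell session.

```powershell
# Added example (not from the original post): find the rule that stopped processing a message from an
# extended message trace export, then surface every rule that a standard message trace would hide.
# Assumptions: $sampleCustomData is constructed (placeholder GUIDs, assumed ';' between entries and
# '|' between fields); ETRP = evaluated but not triggered. Adjust the separators to your export.

function Get-EvaluatedRules {
    param([Parameter(Mandatory)][string]$CustomData)
    $guidPattern = '[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    # Entries are emitted in evaluation order; the last one is the rule that stopped processing
    # (a rule with "stop processing more rules" or a delete action).
    foreach ($entry in ($CustomData -split ';')) {
        if ($entry -notmatch 'S:TRA=') { continue }
        [PSCustomObject]@{
            Triggered = ($entry -notmatch 'S:TRA=ETRP')
            RuleId    = if ($entry -match $guidPattern) { $Matches[0] } else { $null }
            Raw       = $entry.Trim()
        }
    }
}

# Constructed sample: two rules evaluated without triggering, then one that triggered and deleted.
$sampleCustomData = 'S:TRA=ETRP|ruleId=11111111-1111-1111-1111-111111111111|st=2017-10-20T14:02:11Z|action=;' +
                    'S:TRA=ETRP|ruleId=22222222-2222-2222-2222-222222222222|st=2017-10-20T14:02:11Z|action=;' +
                    'S:TRA=ETR|ruleId=33333333-3333-3333-3333-333333333333|st=2017-10-20T14:02:11Z|action=DeleteMessage'

$evaluated  = @(Get-EvaluatedRules -CustomData $sampleCustomData)
$lastRuleId = $evaluated[-1].RuleId
"Rules evaluated: $($evaluated.Count); last rule evaluated: $lastRuleId; triggered: $($evaluated[-1].Triggered)"

# For a real export: read the CSV and pass each row's custom_data column through the same function.
# $rows      = Import-Csv .\ExtendedTrace.csv
# $evaluated = @($rows | ForEach-Object { Get-EvaluatedRules -CustomData $_.custom_data })

# Against the tenant (Exchange Online PowerShell session required): resolve the GUID to a rule and
# show the properties that explain a silent delete.
# Get-TransportRule -Identity $lastRuleId |
#     Format-List Name, Priority, State, Mode, SetAuditSeverity, DeleteMessage, StopRuleProcessing

# Every rule a standard message trace will hide, sorted by priority, with the two actions that can
# make a message vanish without a trace entry.
# Get-TransportRule |
#     Where-Object { $_.SetAuditSeverity -eq 'DoNotAudit' } |
#     Sort-Object Priority |
#     Format-Table Name, Priority, DeleteMessage, StopRuleProcessing -AutoSize
```

A rule with `SetAuditSeverity` of `DoNotAudit` and `DeleteMessage` set to `True` is exactly the combination that produced the bare "Message deleted by the transport rules agent" line above, so that last table is the first place to look when a message disappears with no rule name in the trace.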

Wrap up

There are many scenarios that may force you to disable auditing on some transport rules. But if you don't have that justification, run the PowerShell above to verify that you have not accidentally disabled auditing on any of your transport rules.
For more information, see my previous article on Auditing Transport Rules.

Cheers!

Collaboration highlights from Ignite – what’s in it for you?

There's a raft of blogs and articles out there about what's been announced at Ignite 2017, but I wanted to share a quick update with some exciting key highlights, links to videos, PPTs and articles that might be of interest to you. Yes, there's a tonne I've missed.

Although we'd all love to have enough time to watch every session, sometimes we can't #firehose 😉

Here are my highlights, specifically for productivity and collaboration:

Azure Information Protection Scanner

https://myignite.microsoft.com/videos/53453

  • You can scan on-premises file servers and SharePoint to discover, label and protect your data. Coming soon!

LinkedIn integration

https://myignite.microsoft.com/videos/55478

  • Ability to use contact cards from within Office 365 (native experience)
  • Previously a static business card; the integration makes these more intelligent
  • People-centric, through the Microsoft Graph: learning about and growing my network
  • A central way to find information about people, without going through emails, docs, etc.
  • Shows the same card throughout Office 365

 

Overview on Security and Compliance

https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Bringing-deeper-integration-and-new-capabilities-to-Office-365/ba-p/109409

  • ATP anti-phishing, plus internal Safe Links for compromised internal accounts.
  • Expansion of ATP across SharePoint, Teams and OneDrive.
  • Safe Links updates: URL wrapping removed; the original URL is shown on hover.
  • Attack Simulator: phish your own employees to see how secure the organization really is.
  • Threat Tracker / Explorer: targeted attacks and risky content activity.
  • Compliance Manager: conduct real-time risk assessment with an intelligent score against GDPR.
  • Advanced eDiscovery: import non-Office 365 on-premises data such as legacy file shares, for one consistent tool across cases.
  • Customer Key (BYOK): meet compliance needs by using your own keys to encrypt mailboxes and files in Office 365.
  • Office 365 Message Encryption: easier for end users to encrypt emails by applying "Do Not Forward" or other custom templates.
  • Non-Office 365 users can authenticate and read protected messages using Google or Yahoo identities, in addition to options like a one-time passcode or a Microsoft account.
  • More information: https://techcommunity.microsoft.com/t5/Security-Privacy-Compliance/ct-p/SecurityPrivacyCompliance

 

Multi-Geo Capabilities for Office 365

https://myignite.microsoft.com/videos/55160

  • Exchange multi-geo: creating resource forests in other data centres and migrating mailboxes to those regions. You control where your users' mailboxes are located.

https://myignite.microsoft.com/videos/53873

  • OneDrive and SharePoint Online

 

Yammer Roadmap

https://myignite.microsoft.com/videos/53798

  • Deeper SharePoint integration: web part and file storage
  • In-app OneNote integration
  • Messaging enhancements
  • Mobile experience upgrades
  • More with Office 365 Groups
  • Unified Office 365 profile
  • Bot Framework integration

Teams guest access

https://docs.microsoft.com/en-us/microsoftteams/guest-access

  • Intelligent communications - focus on voice
  • Guest access in Microsoft Teams allows teams in your organization to collaborate with people outside your organization by granting them access to teams and channels.

Microsoft 365 F1 for first-line workers

https://myignite.microsoft.com/videos/53493

  • Gives frontline workers a voice: it may previously have been considered too expensive to provide services to all end users. Now they can be part of the company.

OneDrive Files on Demand

https://myignite.microsoft.com/videos/53848

  • Added 100 new features and functions since Ignite last year!
  • Delivered on October 17 (out now)
  • Ability to choose files you don't want synced but still need access to.
  • Support for syncing IRM/DRM-protected content (SharePoint or OneDrive)
  • Multi-geo
  • Service-level encryption with Customer Key: you own the master key and control when and how it is available
  • Automatic account configuration with ADAL, simplifying user setup (without asking for credentials multiple times)
  • Self-service migration toolkit available to customers
  • On-premises and cloud viewing through one app
  • Photo intelligence: OCR of receipts on all photos, stored as metadata (easier to fill out expenses)
  • Zip file support: browse directly into zip files.

 

Microsoft Groups updates

https://myignite.microsoft.com/videos/53450

  • More than just a SharePoint team site: conversations, files, etc.
  • Connect existing sites to Office 365 Groups.
  • Group creation management enhancements for controlled self-service.
  • Naming policy to ensure group names follow your organization's schema.
  • Updated licensing requirements.
  • Upgrade distribution lists to groups in Outlook: http://Aka.ms/whyupgradedls
  • Roadmap: multi-geo; connect an existing site to a new group; manage group sites via SharePoint; expiry policy with in-app renewal and custom email notifications.

 

Office 2019

  • To be released in 2018

https://blogs.office.com/en-us/2017/09/26/the-next-perpetual-release-of-office/?eu=true

 

SharePoint 2019

https://techcommunity.microsoft.com/t5/SharePoint-Blog/Connecting-the-modern-workplace-with-SharePoint-and-OneDrive/ba-p/110399

Updated SharePoint Server 2016 Architectural Models poster

The SharePoint Server 2016 Architectural Models poster describes the key configurations for SharePoint, including SharePoint Online and SharePoint Server 2016 in Microsoft Azure and on-premises, for business decision makers and solution architects.

This poster has been updated with the following:

 

Download: PDF | Visio | PDF online

 

You can also get this poster in eleven languages here.

Additional architectural models and posters for Office server products are here.

 

To join the CAAB, become a member of the CAAB space in the Microsoft Tech Community and send a quick email to CAAB@microsoft.com to introduce yourself. Please feel free to include any information about your experience in creating cloud-based solutions with Microsoft products or areas of interest. Join now and add your voice to the cloud adoption discussion that is happening across Microsoft and the industry.


Configuring a Hyper-V Host with PowerShell DSC (Part 1)

Hello, my name is Michael Godfrey and I am a Platforms Premier Field Engineer (PFE) at Microsoft. I have been a Fabric Administrator for the past few years and have made a habit of building quite a few Hyper-V hosts. I was always looking for a way to ensure my team and I knew exactly how to build a Hyper-V or ESXi host the same way, consistently. I used many different methods of deploying hosts, including the Bare-Metal Deployment method in System Center Virtual Machine Manager. Yet I was always looking for the next great deployment method, one that could be used not just for hypervisors but for virtual machines and physical machines, in many different configurations.

Recently, I started to learn PowerShell DSC for one of my customers, and we came across an issue regarding hypervisor host health. We were finding inconsistencies in the way the hosts were built, and we wanted a way to streamline the deployment process for our hosts as well as a way to monitor their compliance. So, naturally, I decided to build out a DSC configuration for a Hyper-V host.

I wanted to share that process, and start with a several part series on deploying a Hyper-V Host via DSC. I want to let the code do the work for me, so that I can scale this solution for future builds. So, I wanted to set some goals in the deployment and will use this series to track my progress:

  • Deploy Hyper-V Role and PowerShell Modules for Management
  • Deploy Failover Clustering Role and PowerShell Modules for Management
  • Ensure Remote Management is enabled and Basic OS Security/Compliance settings are present.
  • Set default folder locations for VM and VM Checkpoints
  • Ensure SCVMM Agent is installed and Running
  • Ensure OMS Agent is installed and Running
  • Configure a Highly Available Cluster with Cluster Shared Volumes and Quorum
  • Set Software Defined Networking vSwitches, in a HA configuration

In each blog posting, I will address another item in our checklist and by the end, we should have a Highly Available Server 2016 Hyper-V Cluster with a well-defined cluster network and storage solution. This will be fun.

To start, let’s begin with the configuration itself. We need to define the configuration name and node definitions. We will be using a single configuration, so we will not need to define node variables, but if we wanted, we could use a technique called Partial Configurations. Here is a great article on that:

https://docs.microsoft.com/en-us/powershell/dsc/partialconfigs

In our example though, we will be keeping things simple and defining our configuration for one purpose, to deploy a Hyper-V host.

 

The host will need a few roles, like Hyper-V, Failover clustering and the PowerShell modules for each installed. For this we will be using the Windows Feature Resource in DSC.

https://docs.microsoft.com/en-us/powershell/dsc/windowsfeatureresource

Here are the roles I am installing on this Hyper-V Host to start with:

 

I am utilizing the Windows Feature Resource in DSC to Declaratively say, I would like to ensure each Feature is installed or “Present,” and I am including the sub features included for the Role/Feature. This configuration will ensure the Hyper-V Role, as well as the Features like Failover-Clustering, Multipath-IO and the PowerShell Modules for managing Hyper-V and Failover Clustering, are installed on every Server that is configured to “Pull” this DSC Configuration.

The next item on our list is to ensure that Remote Management of our Host is enabled and that we have settings like UAC configured. We will be using a few modules to accomplish this, so you will need to define these as DSC Resource. We will Import these resources at the beginning of our configuration and you can see that in my configuration here:

I also went ahead and created a default folder for our VMs to be stored in, outside of the Cluster Shared Volumes we will be creating in a subsequent post. In addition, I have given you an idea of how we can use the xHyper-V module to create an Internal VSwitch on our Hyper-V host.

 

I am happy with the results so far, we now have a DSC configuration that will install and ensure all the Roles and Features we need for a Hyper-Visor are present. We also have some basic settings like Time Zone and Remote Management set as well, and we started some of the configuration we will need by creating a default location for Virtual Machines on our Hosts, as well as a Virtual Switch for our VMs to utilize. I am only using this in a stand-alone configuration. In a Hyper-V Cluster configuration, this would be one of the Cluster Shared Volumes (CSVs).

The last thing we need to do is to compile our Configuration and Publish it to our Pull server. To compile our configuration, we need to “dot-source” the script in PowerShell by running the script. This will resolve all of our variables, and create the folder location and file itself for a MOF document. The MOF is the configuration document that we will be publishing to our DSC Pull server.

I will leave you with the full configuration I have written so far, so that you can use it in your examples and testing. In the next post, we will begin configuring our node(s) to be members of a Hyper-V Cluster and begin setting the Highly Available aspect of our Hyper-V Hosts. I look forward to your comments and questions. Happy Scripting!


#BEGIN POWERSHELL SCRIPT

Configuration Hypervisor {

    # xUAC is shipped in the xSystemSecurity module, so it has to be imported alongside the others
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration', 'xRemoteDesktopAdmin', 'xTimezone', 'xHyper-V', 'xComputerManagement', 'xSystemSecurity'

    Node Hypervisor {

        #Windows Features Installations
        WindowsFeature Hyper-V {
            Ensure               = 'Present'
            Name                 = 'Hyper-V'
            IncludeAllSubFeature = $true
        }

        WindowsFeature Failover-Clustering {
            Ensure = 'Present'
            Name   = 'Failover-Clustering'
        }

        WindowsFeature Multipath-IO {
            Ensure               = 'Present'
            Name                 = 'Multipath-IO'
            IncludeAllSubFeature = $true
        }

        WindowsFeature RSAT-Shielded-VM-Tools {
            Ensure               = 'Present'
            Name                 = 'RSAT-Shielded-VM-Tools'
            IncludeAllSubFeature = $true
        }

        WindowsFeature RSAT-Clustering-Powershell {
            Ensure               = 'Present'
            Name                 = 'RSAT-Clustering-Powershell'
            IncludeAllSubFeature = $true
        }

        WindowsFeature Hyper-V-PowerShell {
            Ensure               = 'Present'
            Name                 = 'Hyper-V-PowerShell'
            IncludeAllSubFeature = $true
        }

        #Base OS Settings
        xUAC UAC {
            Setting = 'NotifyChanges'
        }

        xTimeZone ServerTime {
            TimeZone = 'Eastern Standard Time'
        }

        xRemoteDesktopAdmin RemoteDesktopSettings {
            Ensure             = 'Present'
            UserAuthentication = 'Secure'
        }

        #HyperVisor Host Settings
        #VM Folder Directory (stand-alone host; on a cluster this would be a CSV path)
        File VMs {
            Ensure          = 'Present'
            Type            = 'Directory'
            DestinationPath = "$($env:SystemDrive)\VMs"
        }

        #VM Host Switch
        xVMSwitch InternalVSwitch {
            DependsOn = '[WindowsFeature]Hyper-V'
            Name      = 'IntvSwitch'
            Ensure    = 'Present'
            Type      = 'Internal'
        }
    }
}

# Calling the configuration compiles .\Hypervisor\Hypervisor.mof
Hypervisor

#END POWERSHELL SCRIPT
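Compiling, publishing and then checking hosts for drift, as an added example rather than the post's own script. It assumes the configuration above was saved as .\Hypervisor.ps1, that the pull server's configuration folder is reachable at the hypothetical share \\PullServer\DscService\Configuration, and that the service URL, registration key and node name HV01 are placeholders you replace with your own.

```powershell
# Added example (not from the post): compile the Hypervisor configuration, publish it to a
# pull server, and point a host's Local Configuration Manager (LCM) at it so drift gets reported.
# Assumptions (all hypothetical): .\Hypervisor.ps1 holds the configuration, the pull server
# share is \\PullServer\DscService\Configuration, and the URL, key and node name are placeholders.

$ConfigScript = '.\Hypervisor.ps1'
$PullShare    = '\\PullServer\DscService\Configuration'

# 1. Dot-source the script: this defines Configuration Hypervisor and, because the script ends
#    by calling "Hypervisor", compiles .\Hypervisor\Hypervisor.mof in the current folder.
. $ConfigScript
$MofPath = Join-Path (Get-Location) 'Hypervisor\Hypervisor.mof'
if (-not (Test-Path $MofPath)) { throw "Compilation did not produce $MofPath" }

# 2. Publish for clients that pull by configuration name. The LCM only accepts a MOF whose
#    .checksum file matches, so regenerate the checksum every time the MOF is replaced.
$Published = Join-Path $PullShare 'Hypervisor.mof'
Copy-Item -Path $MofPath -Destination $Published -Force
New-DscChecksum -Path $Published -Force

# 3. LCM meta-configuration for one host: pull by name, re-check every 30 minutes, and report
#    drift instead of silently re-applying it (ApplyAndMonitor), which is what you want when the
#    goal is to spot hosts that were changed by hand.
[DSCLocalConfigurationManager()]
configuration HypervisorLcm {
    Node 'HV01' {                                                    # placeholder node name
        Settings {
            RefreshMode          = 'Pull'
            ConfigurationMode    = 'ApplyAndMonitor'
            RebootNodeIfNeeded   = $true
            RefreshFrequencyMins = 30
        }
        ConfigurationRepositoryWeb PullServer {
            ServerURL          = 'https://PullServer:8080/PSDSCPullServer.svc'   # placeholder
            RegistrationKey    = '00000000-0000-0000-0000-000000000000'          # placeholder
            ConfigurationNames = @('Hypervisor')
        }
    }
}
HypervisorLcm
Set-DscLocalConfigurationManager -Path .\HypervisorLcm -Verbose

# 4. Later, ask the host whether it still matches the published MOF; every resource that has
#    drifted (a removed feature, a changed time zone, a missing vSwitch) is listed by name.
$Drift = Test-DscConfiguration -ReferenceConfiguration $MofPath -Detailed
$Drift.ResourcesNotInDesiredState | Select-Object ResourceId, InstanceName
```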

SharePoint: Profile Synchronization – some users are missing their manager


Important: This little quirk only occurs with the “SharePoint Profile Synchronization” (aka: FIM Sync) option in SharePoint 2010 and 2013.  It does not occur with the “Active Directory Import” (aka: AD Import) option available in SharePoint 2013 and 2016.

Consider the following scenario:

You have an Active Directory forest that consists of 4 domains:
NA
LATAM
EMEA
APAC

When setting up a User Profile Synchronization connection, you decide to create four separate connections: one for each domain.
After you run profile synchronization, you find that the Organization Browser / Org chart is not right.  Some users are missing their managers.

Cause:

When manager / direct report relationships are cross-domain, the manager reference cannot be made by FIM Sync.

For example: we’ll say that EMEA\User1, APAC\User2, and NA\User3 all report to NA\Manager1.  In this case, the manager value for EMEA\User1 and APAC\User2 is blank, while NA\User3 and any direct reports in the NA domain have their manager property populated correctly as NA\Manager1.

This behavior is by design.  When you split the forest into multiple Sync connections, you are also splitting it into multiple Management Agents in Forefront Identity Manager (FIM).  Manager / Direct Report connections cannot be established across separate management agents.

Resolution:

Merge the separate Sync connections into a single Sync connection for the Forest.

Following the example above, we would want to remove the four separate Sync connections and create just one connection for the entire forest.  This way, all profiles are imported with the same management agent and the manager / direct report relationships can be created successfully.

WARNING: to avoid data loss, you must do the following when deleting and re-creating Sync connections:

  • Disable the “My Site Cleanup Job” timer job.  -- This should remain disabled until you’ve run a few Syncs with the new connection and are good with the results.
  • Document the current OUs selected, connection filters, and property mappings so that they can be replicated in the new connection.

This is one of the rare situations where it will take more than one Full Sync to fix everything up.  After the new connection has been created, you will need to run two Full Syncs.  The first one will mark all profiles for deletion because they are linked to a management agent that no longer exists.  This is not a problem as long as the My Site Cleanup Job is disabled.  -- You did disable the My Site Cleanup Job, right?

Then the second Full Sync will run through and link all the newly-imported users with their existing user profiles.  You shouldn't lose anything, including profile data that users enter themselves like "about me", "skills", "interests", etc.

 

More keywords for Bing:

Missing manager
Manager blank
Manager empty

Windows 10 Blue Screens (BSOD) after Applying Monthly Updates


Hello again fellow Windows 10 users!

 

I'd like to dedicate this post to discussing a reoccurring problem that I am seeing crop up in more and more customer environments as of late. Before I get too entrenched in discussing the details of the issue, see if this scenario hits home for any of you.

 

The issue.

 

It's a beautiful and sunny second Tuesday of the month, and you've just finished up a long day of filling out and submitting one TPS report after another. Your Windows 10 machine informs you that updates are available for install, and that they are scheduled to apply to your system at midnight. You decide to log off and let the wonder of patch automation handle installing the updates for you. You get back to the office in the morning ready for another productive day of work, only to find your Windows 10 device sitting at the Windows Recovery screen. You reboot the device and are greeted with a Blue Screen of Unhappy Death shortly after the OS starts to initialize. This pattern repeats two more times before you find yourself back in the Windows Recovery area.

For those of you who are finding this post through a Bing or Google search, I reckon the scenario probably sounds mighty familiar to you.

So what exactly happened to cause this tragedy of Greek proportions? Let's dig into the issue a bit.

 

The back story.

 

To really get to the bottom of what's happening, you need to be familiar with the patching methodology that Microsoft is utilizing to ensure that Windows 10 stays as up to date as possible. When Windows 10 became generally available to the public, a new patching paradigm was adopted to keep the code that Windows 10 runs off of as up to date and secure as possible for all of our customers. Monthly Cumulative Updates (referred to as CUs from this point on) became the new patching mechanism responsible for delivering all the necessary code changes to the Operating System. Anyone who has ever worked with CUs knows that there is one predominant problem when it comes to CUs... mainly that they are, well, cumulative! Each month's update gets progressively larger because of the ever-increasing amount of updated code that gets added to it.

To combat the growth problem, shortly after the release of Windows 10 version 1607 (Anniversary Update), Microsoft introduced a new Windows Update package type effectively dubbed the Delta update. Like the name implies, it only contains code that has changed since the last full CU that was released, which effectively (and dramatically) reduces the overall size of the updates that get pushed out to managed systems. Cool right?

Unfortunately, these two patch types have introduced some peculiar issues into customer environments... especially environments that rely on two different patch deployment solutions... let's say System Center Configuration Manager and IBM BigFix, just to pick on two.

 

The problem. 

 

The main problem that arises from utilizing multiple patch deployment services is that it becomes possible to deploy two different types of patches to the same machine. When it comes to the issue mentioned above, this is exactly what's happening, which results in the BSOD end state that so many customers' Windows 10 machines are finding themselves in. The problem state occurs when both a full CU and a Delta CU get deployed during the same reboot cycle.

Picture this scenario if you will. Your organization utilizes IBM BigFix to catch and deploy the full CU out to all Windows 10 machines that need it, and System Center Configuration Manager to deploy the Delta updates. A Windows 10 machine that is a month or so behind on its updates gets booted up and analyzed by both services. BigFix sees that the device needs the latest deployed monthly CU, and pushes the update down to the system. No restart occurs due to policies that are in place that prevent this kind of action from occurring during work hours. The Configuration Manager Agent kicks in directly afterwards, and detects that the machine needs the latest Delta update that has been published. This update gets pushed down to the system and installed. No restart occurs due to the same policies mentioned above. When the machine does finally reboot, we immediately encounter the BSOD condition mentioned above. Why?

If we take a look at the stop error code that gets generated by the system during the BSOD event, we will see that it's a 0x7B INACCESSIBLE_BOOT_DEVICE stop error. This error is a direct result of the oddball boot state that the system gets into when both a full CU and Delta update get pushed to, and installed by a system during the same reboot cycle.

 

Recovery.

 

So great. You've found yourself stuck in this state. Now what? Fortunately, it's fairly easy to recover Windows 10 devices from this non-bootable condition. Most of the time. Unfortunately, if you use Bitlocker or a third-party encryption service like McAfee or CheckPoint, you're going to find that you need to decrypt or suspend encryption on the system prior to being able to perform the recommended fix action below.

For BitLocker users, use the following commands to suspend BitLocker protection so that the repair operation can be performed:

manage-bde.exe -protectors -get c:
manage-bde.exe -unlock c: -recoverypassword "xxxxxx"
manage-bde.exe -protectors -disable c:

In the case of third party encryption solutions, I've seen the decryption process take anywhere from a couple of hours, to three or four days... depending on the encryption service that's being utilized. If a customer has a wealth of data that has not been backed up on their system, it will likely be a very worthwhile action for you to perform. The reason the device needs to be either decrypted or unlocked is due to the fact that we will need to utilize some recovery tools from the nifty Windows Recovery Environment that will need access to the volume that Windows is installed on... namely, the Command Prompt, which can be found under the Advanced Options section of the Recovery Environment:

 

Once you have gotten into the Command Prompt, you're going to want to run the following command:

  • dism.exe /Image:C:\ /Get-Packages > X:\packages.txt

*Note - The /Image option should point to the volume where the Windows directory is located.

  • Open the packages text file with notepad by typing: notepad X:\packages.txt

 

At this point you will want to scroll all the way to the bottom of the text file, and look for any packages that have a state status of Install Pending. Copy the package names, and use the following command to remove the 'Install Pending' packages:

 

  • dism.exe /Image:C:\ /Remove-Package /PackageName:Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.953.1.2

*Note -  The above package name was included only as an example. Please ensure you use the package name from the packages.txt file above.

 

Once the DISM tool has finished removing the package, your system should be good to go. Once it reboots, Windows 10 will continue to uninstall any packages previously scheduled for removal, at which point the OS should be able to initialize itself properly.
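Picking the pending packages out of the packages.txt listing by script instead of by eye, as an added example that is not part of the original post. It parses the "Key : Value" blocks that dism /Get-Packages writes and only prints the matching /Remove-Package commands for review; the sample listing is constructed, and apart from the package name quoted above its package names are placeholders.

```powershell
# Added example (not from the post): parse the text written by "dism /Get-Packages", pick out
# the packages whose State is "Install Pending", and build the matching /Remove-Package
# commands for review. The sample listing below is constructed; apart from the package name
# quoted in the post, the package names are placeholders.

function Get-DismPackage {
    # Turns the "Key : Value" blocks of a /Get-Packages listing into one object per package.
    param([Parameter(Mandatory)][string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*(?<Key>[^:]+?)\s*:\s*(?<Value>.*)$') { continue }
        $key   = $Matches.Key.Trim()
        $value = $Matches.Value.Trim()
        if ($key -eq 'Package Identity') {
            if ($current) { [pscustomobject]$current }        # emit the previous package
            $current = [ordered]@{ PackageIdentity = $value }
        } elseif ($current) {
            $current[$key -replace '\s', ''] = $value          # e.g. State, ReleaseType, InstallTime
        }
    }
    if ($current) { [pscustomobject]$current }
}

function Get-PendingPackageRemoval {
    # Returns one dism command per package that is still waiting to be installed.
    param([Parameter(Mandatory)][string[]]$Lines, [string]$ImageRoot = 'C:\')
    Get-DismPackage -Lines $Lines |
        Where-Object { $_.State -eq 'Install Pending' } |
        ForEach-Object { "dism.exe /Image:$ImageRoot /Remove-Package /PackageName:$($_.PackageIdentity)" }
}

# Constructed sample of what X:\packages.txt looks like; in WinRE use Get-Content X:\packages.txt instead.
$SampleText = @'
Deployment Image Servicing and Management tool
Version: 10.0.14393.0

Image Version: 10.0.14393.0

Packages listing:

Package Identity : Package_for_KBPLACEHOLDER~31bf3856ad364e35~amd64~~10.0.1.0
State : Installed
Release Type : Update
Install Time : 3/14/2017 9:02 AM

Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.953.1.2
State : Install Pending
Release Type : Security Update
Install Time :

Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.PLACEHOLDER.1.2
State : Install Pending
Release Type : Security Update
Install Time :

The operation completed successfully.
'@
$SamplePackages = $SampleText -split "`r?`n"

# Prints two dism commands (one per Install Pending package); the Installed package is skipped.
Get-PendingPackageRemoval -Lines $SamplePackages
```

Review the printed commands against packages.txt, then run them one at a time from the WinRE Command Prompt.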

 

The follow up.

 

To prevent this issue from reoccurring in the future, it is highly recommended that customers configure their patching infrastructure so that the Windows 10 full CUs and Delta updates are NOT installed at the same time, during the same reboot cycle.

 

And there you have it folks! Go forth and perform good updating deeds! Until next time.

 

Why do I need Azure AD?


This is an ice breaker and a question I get all the time, and I see it maybe in the same way an electrician would have seen it 100 years ago...

Today we all know about its benefits and mostly take it for granted; however, at that time only a few knew it could become a... utility.

If you look at the applications you have been running On-Premises, you may find apps that authenticate users through Active Directory and others that use customized methods and even store a separate set of identities to give users access... the same way people would have a firewood or gas stove oven to cook their meals.

Ok. I'll stop with the analogies here... now my 10 questions are:

  1. Are you only providing your users access to On-premises apps?
  2. Would you like to manage a single set of Identities instead of having to manage separate Identity sources for each app, group of apps, customers or partners?
  3. Would your users like to have to remember only one password to access all of their apps?
  4. Do you or your users want to be able to securely and easily access those apps from any device, platform or location?
  5. Are you using or planning to provide access to cloud apps and services - not only Azure Services and Office 365 apps but also non-Microsoft apps on any cloud?
  6. Do you want to easily provision and de-provision users/groups access to those apps from any device, platform or location?
  7. Do you require your users, devices and apps to be remotely managed, monitored and compliant with any industry regulation or data protection laws?
  8. Do you need to provide highly secure access to your apps and protect your resources against advanced security threats?
  9. Do you want to enable your customers and partners (consumers and enterprises) to seamlessly and securely sign-up and sign-in to your apps?
  10. Do you want all of the above and to have control over who, when, where and how users access your resources (and data)?

If you answered NO to all the questions above, then you can keep using your firewood or gas stove 🙂 wood or gas, it still serves a purpose, and Azure AD is not a replacement for AD DS but a (huge) complement.

For everyone else, be assured Azure AD is for you, so stay tuned, and I promise that I will go over the main use cases in the next few posts.

Today Azure AD is the largest cloud Identity solution in the world providing identity management and access control to approximately 13 million organizations, including 1 billion users access to Microsoft and 3rd party Apps which makes 10 billion authentications per week!!!

If you have a scenario that has not been provided with a solution yet, we are probably already working on it and if not please talk to us, we are always listening and willing to help you achieve more.

Hope it helps!

Paulo Francisco Viralhadas

Premier Field Engineer - Secure Infrastructure - Microsoft


Introducing Idle Session Timeout in SharePoint and OneDrive (Coming to Preview)


There’s a new culture of work; one that is increasingly diverse, geographically distributed, and mobile.  Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device, and for that experience to be seamless. Among these trends is the increasing use of shared systems, such as kiosks, to access and work with corporate data.  In order to help safeguard your information on these systems, we’re introducing new idle session timeout policies rolling out as preview on November 6, 2017 and changes to the “Keep me signed in” experience with Office 365.

Idle session timeout allows an Office 365 administrator to configure a threshold at which a user is warned and subsequently signed out of SharePoint or OneDrive after a period of inactivity, as illustrated below.

 

Demo

The demonstration below illustrates the idle session timeout policy enacted on a site that is also configured with site-scoped limited access policies.

Idle session timeout policies allow Office 365 administrators to automatically sign out inactive sessions preventing the overexposure of information in the event a user leaves a shared system unattended.

NOTE

Idle session timeout takes a dependency on the Keep me signed in signal.  In scenarios where Keep me signed in is selected at authentication, the client will not honor the idle session timeout. 

In addition to the new idle session timeout policy we’re rolling out in preview, in late September we updated the keep me signed in experience, replacing the “Keep me signed in” checkbox that appears on the sign-in flow with a prompt that shows after the user successfully signs in.  Idle session timeout interprets this signal: on devices where "Keep me signed in" has been selected, the policy does not affect the client; on devices where "Keep me signed in" is not selected, the policy applies.

In addition to those recent changes, we’re also adding a layer of protection to intelligently hide this prompt if we detect a shared device, or a high-risk sign-in. Our goal is to decrease the number of times users are prompted to authenticate. Although the new screen adds a small amount of friction up front, users get a better long-term experience as they get fewer sign-in prompts when they use our services.

This prompt asks the user if they would like to remain signed in. Responding “Yes” to this drops a persistent refresh token, the same behavior as when the user checks the old “Keep me signed in” checkbox.

For federated tenants, this prompt will show after the user successfully authenticates with the federated identity service. Some things to consider:

  • During the Public Preview period of the new sign-in experience, this new “Keep me signed in” prompt will only show when users opt-in to the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt.
  • You can choose to hide this new prompt for your users by using the “Show option to remain signed in” setting in company branding. Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox on your tenant, we won’t show the new prompt to your users.
  • This change will not affect any token lifetime settings you have configured.

Frequently Asked Questions

When will idle session timeout start rolling out as preview?

November 6, 2017

Is idle session timeout enabled by default, can I control the settings?

No.  Idle session timeout is disabled by default.  The warning and timeout timespans, as well as enabling idle session timeout are administrator controlled.  Instructions will follow as we start to roll out this feature.

Does the policy affect existing signed-in sessions?

No, only new sign-ins to new browsers.

How long does it take to take effect?

Approx. 15 minutes

What is considered a managed device?

A device is managed if Azure Active Directory indicates to SharePoint Online that the device state was evaluated and the device is at least one of the following:

  • Domain joined
  • Compliant

Device state claims are not passed in Google Chrome or when using inPrivate mode – device claims are only available on Internet Explorer or Microsoft Edge on Microsoft Windows.

Can I hide the Keep me signed in prompt?

During the public preview period of the new sign-in experience, the updated “Keep me signed in” prompt will only show when users opt into the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt.

Admins can choose to hide this new prompt for users by using the “Show option to remain signed in” setting in company branding.

NOTE 

Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox in your tenant, we won’t show the new prompt to users in your tenant.

This change won’t affect any token lifetime settings you have configured.

When will idle-session timeout be generally available?

Late CY2017
