
Three key shifts in digital transformation


Digital transformation is a massive topic. And its importance feels impossible to escape. No wonder, then, that in five blog posts, it feels as though we've touched on just a few ways to use technology for change. Things like getting ready for the modern workplace. And the apps and devices customers will be looking for. And new ways to use data to make decisions.

These are, of course, the basics. But we've only just scratched the surface.

So let's go deeper. We'll start here, with three ways the cloud is changing how your customers work - and how you can work with them.

Future Decoded

Did you attend our Future Decoded event earlier this year? Then you've probably already heard this from Microsoft Vice President Jean-Philippe Courtois during the Vision keynote (if you missed it, you can catch up here). This was a chance for leaders from businesses large and small - your customers - to make sense of what it means to digitally transform. And Jean-Philippe shared a valuable insight: it's no longer enough to be mobile first; the cloud is behind three key shifts that exist on every level of your customers' businesses.

They are:

  • Multi-device and multi-sense experiences.
  • Artificial intelligence (AI).
  • Serverless technologies.

Let's take a look at each in a little more detail.

Multi-device and multi-sense

There's always been a need to be able to multi-task at work. But what about the tools your customers use to complete those tasks? Multi-device and multi-sense experiences are a key symptom of digital transformation. And they're quite simple.

This is work that's done through uniquely human experiences - across multiple devices and multiple senses. This could be dictating notes by voice. Or annotating using ink. Or interacting in mixed reality. Or any number of other ways to work.

Artificial Intelligence

Speaking of being joined-up, the second key shift is about how you keep your customers informed - by making sure they have the information they need to do great work. AI via the cloud is infusing everything a company does. It's bringing intelligence to employees, and it's changing the way your customers work.

AI isn't just about omnichannel. It does a whole lot more for your customers. It helps them set their service apart by giving every customer experience a personal touch. It keeps things clear and makes sure knowledge is with the right person, in the right place, at the right time. And above all, it makes sure everybody - employees and customers alike - are on one journey.

Serverless technologies

The third key shift is the way your customers develop, deploy, and manage the technologies and information they rely on to succeed. It all comes together here, in a serverless environment. Here, customers get more done, faster, with the intelligent edge. It's dynamic. It's responsive. It's the heart of the business, and it connects everything.

It's in these ways the cloud can disrupt business and drive transformation. And you can see them at work already.

It's already happening

You can see multi-device and multi-sense transforming the way thyssenkrupp Elevator technicians do their day-to-day work. They use Skype and HoloLens, the mixed reality headset, to see the problem before they start a job. Then, once they reach the site, they have real-time access to technical information as they work. It's all hands-free, too, and has cut the average length of service calls by four times.

AI is making for a more cohesive customer journey at Dixons Carphone. Customers of the electronics brand can take to Facebook and chat with Cami. This "mildly geeky and quite confident" AI bot is built from the Microsoft Bot Framework and Microsoft Cognitive Services. Cami bridges the gap between channels - giving in-store employees a head start on how best to serve customers, based on the online chats they've had with Cami.

And BAFTA and Emmy award-winning studio Jellyfish Pictures has been able to run its accelerated apps using serverless technology, with Microsoft Azure N-Series. It's made the server more efficient and productive, cutting the time it takes to render special effects by five times. And there's no risk of over-provisioning server use. This is what we call the intelligent edge - using the data accumulated by every part of the business to inform and adjust the way its technology operates.

Jean-Philippe said it himself:

"This is an era where every company is becoming a digital business."

Thinking of moving into data and cloud solutions? We can help you help your customers in any one of these three shifting areas - and best of all, we can help you do it securely. That's what we'll be looking at in the next blog post. Check back next time to see how you can secure the modern workplace for your customers.



Making data ingestion through HTTP Data Collector API automatic using Operations Manager.


Hi folks,

Here I am again. This time I will be writing my second post around HTTP Data Collector, more in particular on how to make that data ingestion automatic.

There are several methods that can be used. Basically, depending on your need and environment you could use:

  • Azure Automation
  • Azure Automation with Hybrid Worker roles
  • Windows Task Scheduler
  • System Center Operations Manager (SCOM)

Background:

I implemented a script to ingest data using HTTP Data Collector. This data represents a custom Log Analytics field, that maps to the Organizational Unit (OU) a given computer belongs to.

In the example below, you see a part of the script which is used to retrieve and push the OU information:

I want to later use this data to create computer groups in Azure Log Analytics based on the OU. Now, since there is a data retention policy in Azure Log Analytics, I need to ingest this data on a given frequency: say once per day.

As listed above, I can use the Task Scheduler in my Windows operating system to create a task which executes my PowerShell script, or, since I have System Center Operations Manager monitoring all my computers, I can go for SCOM instead.

Implementation:

I will focus the discussion on SCOM, since the first two methods have been discussed in several other blogs and Task Scheduler is something we all know very well. Moreover, I personally do not recommend any approach which involves manual configuration or actions to be carried out or applied on more than one target.

At this point the question is: How can I teach SCOM to retrieve and send data?

First, note that this approach also works for agents which have not been configured to report to Azure Log Analytics, as long as they have Internet access. Second, the "secret" ingredient that you need is just a "collection rule" which runs a PowerShell script (mine or any other script of your choice), and that's it.

I will continue my discussion, with the assumption that you have dealt with Management Pack Authoring before. If not, you will appreciate the following links:

I built my data ingestion MP using a fragment from Kevin Holman's SCOM Management Pack VSAE Fragment Library. I used the Timed PowerShell Rule (identified by the Rule.TimedScript.PowerShell.WithParams.mpx file). Since it was just a Proof of Concept (PoC), I created the MP directly using an XML editor, doing a bit of copy/paste.

Before importing the sample MP, let's have a look at the key parts:

  • The frequency: This needs to be adjusted according to your needs. It can be done through overrides. During my tests, I set it to run once per day (86400 seconds)

  • The script: I basically used the same sample script that I referenced in my previous post with few small adjustments to add the logging and to use parameters for WorkspaceID and PrimaryKey. Of course, you can replace my sample script with any other script that fits your needs the best; it's just a matter of doing it the right way (parameters order, data retrieving and posting syntax, and so on)

  • The parameters: They really depend on the script in use; hence parameters can be considered something which is up to your script. In my example, on one of the rules, I used the following:
    • WorkspaceID
    • PrimaryKey
    • DebugEnabled

    And passed them through, this way (you'll need to replace with your WorkspaceID and PrimaryKey):

With all that said, it should be easier to go and create rules to upload data to Azure Log Analytics. Anyway, attached to the post, I am providing you with my sample MP which includes both RegistryKey and OU based rules. As I normally do, the rules come disabled by default.
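As an added example (not the script attached to this post, nor Microsoft's sample), here is a self-contained PowerShell script of the kind such a timed rule would run: it resolves the computer's OU from Active Directory, signs the request the way the HTTP Data Collector API requires (an HMAC-SHA256 over the request line, keyed with the workspace key), and posts one record. The three parameter names match the ones listed above; the custom log name ComputerOU, the ADSI lookup and the MOM.ScriptAPI event logging are my assumptions.

```powershell
# Added example, not the script attached to the post. Assumes the HTTP Data Collector API
# contract (SharedKey authorization over an HMAC-SHA256 of the request line) and a
# domain-joined computer whose distinguishedName can be read through ADSI.
param(
    [Parameter(Mandatory = $true)][string]$WorkspaceID,
    [Parameter(Mandatory = $true)][string]$PrimaryKey,
    [string]$DebugEnabled = "false"
)

$ScriptName = "Post-ComputerOU.ps1"   # name used in the SCOM event log entries (assumed)
$LogType    = "ComputerOU"             # assumed custom log name; shows up as ComputerOU_CL

# Builds the "SharedKey <workspace>:<signature>" header. The signature covers the method,
# body length, content type, x-ms-date header and resource path, so a captured request
# cannot be replayed with a different body or at a later date.
function Build-Signature {
    param($customerId, $sharedKey, $date, $contentLength, $method, $contentType, $resource)
    $stringToHash = "$method`n$contentLength`n$contentType`nx-ms-date:$date`n$resource"
    $bytesToHash  = [Text.Encoding]::UTF8.GetBytes($stringToHash)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($sharedKey)   # the workspace key is base64
    $encodedHash = [Convert]::ToBase64String($hmac.ComputeHash($bytesToHash))
    return "SharedKey {0}:{1}" -f $customerId, $encodedHash
}

# Posts a JSON array of records to the workspace and returns the HTTP status code.
function Post-LogAnalyticsData {
    param($customerId, $sharedKey, $body, $logType)
    $method        = "POST"
    $contentType   = "application/json"
    $resource      = "/api/logs"
    $rfc1123date   = [DateTime]::UtcNow.ToString("r")
    $contentLength = ([Text.Encoding]::UTF8.GetBytes($body)).Length
    $signature = Build-Signature -customerId $customerId -sharedKey $sharedKey `
                                 -date $rfc1123date -contentLength $contentLength `
                                 -method $method -contentType $contentType -resource $resource
    $uri = "https://$customerId.ods.opinsights.azure.com$resource" + "?api-version=2016-04-01"
    $headers = @{
        "Authorization" = $signature
        "Log-Type"      = $logType
        "x-ms-date"     = $rfc1123date
    }
    $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType `
                                  -Headers $headers -Body $body -UseBasicParsing
    return $response.StatusCode
}

# Resolves the OU of this computer: its distinguishedName minus the leading CN=<name> part.
function Get-ComputerOU {
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
    $dn = $searcher.FindOne().Properties["distinguishedname"][0]
    return ($dn -replace '^CN=[^,]+,', '')
}

# Use the FQDN so the value lines up with the Computer field Log Analytics already holds
# for this machine (assumption: that is what the OU-based computer groups will join on).
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$record = @{
    Computer = ("$env:COMPUTERNAME.$domain").ToLower()
    OU       = Get-ComputerOU
}
$json   = ConvertTo-Json -InputObject @($record)   # the API expects a JSON array of records
$status = Post-LogAnalyticsData -customerId $WorkspaceID -sharedKey $PrimaryKey `
                                -body $json -logType $LogType

# Optional debug logging to the Operations Manager event log (severity 0 = informational).
if ($DebugEnabled -eq "true") {
    $momApi = New-Object -ComObject "MOM.ScriptAPI"
    $momApi.LogScriptEvent($ScriptName, 9001, 0,
        "Posted OU '$($record.OU)' for $($record.Computer); HTTP status $status")
}
```

A parameter passed this way ends up in clear text in the management pack and its overrides, so treat the workspace key like any other credential: restrict who can export the MP and regenerate the key if it is exposed.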

Lesson Learned:

  • Take the pricing tier you subscribed to into careful consideration. Data retention differs according to the pricing tier. For instance, if you are on the free subscription, the data will be kept for only 7 days; hence configuring the script to run every 2 weeks will put you in a situation in which you have missing data for the week before the collection is configured to run again. More info on pricing and licensing can be found at https://www.microsoft.com/en-us/cloud-platform/operations-management-suite and at https://azure.microsoft.com/en-us/pricing/ .
  • Enable the rule only where needed. If you need data from more than one computer, the recommendation is to create a group and to configure the override for that group.
  • Disable the debug once you have made sure that the rules work as expected.

Thanks,

Bruno.

HTTPUploadDataToLogAnalytics.Addendum.zip

Microsoft Premier Workshop: Windows Server: Software Defined Storage


Description
The 4-day Windows Server: Software Defined Networking Workshop gives participants in-depth knowledge and understanding of the storage stack in Windows Server 2016. Through presentations, whiteboard discussions and goal-based exercises, it covers deployment options, deployment, network, clustering and troubleshooting.

Agenda
Module 1: Course Introduction:
This module introduces chapters, workflow and course labs.

Module 2: Deployment Considerations:
This module discusses all topics that need to be considered before a Software Defined Storage deployment.

Module 3: Deploying SDS Solution:
This module covers end-to-end deployment of SDS solution. Starting with OS deployment, configuring nodes, configuring network and configuring volumes.

Module 4: Underlying storage technologies:
This module deep dives into the storage spaces layers and other supporting technologies such as volumes, pools, resiliency, tiering.

Module 5: Failover Clustering:
This module talks about new and improved features in Windows Server 2016 and focuses on failover clustering features for Software Defined Storage such as Fault Domains and Storage Replica.

Module 6: Networking:
This module talks about Switch Embedded Teaming, network design virtual and physical NICs. Further, it covers offloading technologies and configuration techniques to optimize SDS solution.

Module 7: Troubleshooting:
This module covers new Health Service, troubleshooting techniques and deep dives into maintenance tasks.

Target audience
The workshop is an advanced workshop that dives deep into Software Defined Networking with a focus on the latest Windows Server 2016 technology. Experience with networking concepts and Windows Server is required.

Level 300
(Level scale: 100 = strategic / 200 = technical overview / 300 = in-depth expertise / 400 = technical expert knowledge)

Registration
To register, please contact your Microsoft Technical Account Manager directly or visit us on the web at Microsoft Premier Education. There you will find a complete overview of all open workshops, for which you can also register right away. We use your data solely for registration for the workshop.

Troubleshooting Windows AutoPilot: Sample ETW Traces


In yesterday’s AutoPilot troubleshooting blog, https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/, I showed a variety of captured traces for AutoPilot (and one non-AutoPilot) deployment scenario, which required actually reproducing some different scenarios, including some failure cases.  As some of those aren’t particularly simple to reproduce outside of a lab environment (where you can purposely reconfigure Azure AD or Intune), a few people requested copies of those traces – analyzing the failures without having to cause the failures, as an educational exercise.  So, here they are; download the zip file at the bottom of this blog.

Here’s a quick overview of the included traces, all of which were captured from (unpatched) Windows 10 Enterprise 1709 virtual machines:

  • 1629915.NoAutoPilot.etl.  This trace was captured from a VM that is not known to AutoPilot (hash was never captured or uploaded).  The device went through the standard OOBE process, manually.
  • 1629915.Success.etl.  This is a normal, successful AutoPilot deployment (hash was captured and uploaded, with an AutoPilot profile of settings applied).  The device went through the optimized OOBE process.
  • 1629915.801C0003.etl.  This trace, from the same VM as the success case, shows what happens when the user does not have the ability to join Azure AD.
  • 1629915.801C0003-5limit.etl. This trace, also from the same VM as the success case, shows what happens when the user can join no additional machines to Azure AD (device limit was set to 5 in Azure AD, this would have been device #6).  (From what I can tell, this trace is identical to the previous one, which just indicates that there is no way to tell the difference between the two failure scenarios.)
  • 1629915.80180018.etl.  This trace, also from the same VM as the success case, shows what happens if you take away the Azure AD Premium or Intune license from the user who was setting up the device.  (They did again have rights to join Azure AD.  I only captured one trace, even though I did run through both scenarios separately – once I saw that “no AAD Premium license” and “no Intune license” returned the same error, I didn’t bother capturing a second trace.)

Let me know if you find any other interesting tidbits in these traces.

AutoPilotTraces

Video: Simplifying Attendance With Flow & PowerBI


I love PowerBI and have blogged about it quite a bit here already, as well as led some projects using it in the K-12 space in previous roles. The above video is really worth checking out if you’re a school looking to simplify the process of taking attendance as well as if you’re a software developer working in the schooling sector.

The video uses the free Microsoft Flow and PowerBI live data streams to enable students to record their own attendance in class and have that written to Azure SQL and simultaneously streamed to PowerBI for visual reporting. It’s worth checking out the custom visual designer of Synoptic Panel Designer for PowerBI if nothing else from this post. Now, as Patrick points out in the video, this is not a complete solution and end users would need to use their imagination on how to get around some of the inherent challenges in taking attendance.

The first, and perhaps biggest, is the fact that most Student Information Systems (SIS) prevent the writing of data from external sources to the tables in the database. This is a safety precaution around data integrity, preventing corruption of the database tables due to invalid data being inserted. However, if you're a software developer building your own SIS, or you have APIs that allow third-party apps to safely and securely write back to the database, this can be overcome.


Screenshot showing the student app in Microsoft Flow on the left and the real time data stream report in PowerBI of the desktop layout in the classroom.

The other issue is around student integrity when it comes to taking attendance. This is a school’s biggest fear – a system that allows students to inaccurately or fraudulently record attendance. I’ve spent 2-3 minutes thinking about a few ideas that could be implemented to mitigate risk here. This is not an exhaustive list, simply a few ideas if you’re thinking of going down this pathway:

  • A student companion app could be developed by the SIS company that requires students to sign in, which identifies them rather than simply entering their name and desk number (as per the video above).
  • The SIS could generate a unique QR code per class that the teacher simply displays on the projector/TV screen and students scan that to verify they’re physically in the classroom, which would then trigger the Flow and Attendance recording.
  • Wifi data and the Wireless Access Point (WAP) could be used to verify the student was in the actual classroom when submitting their own attendance (this is actually already being used in some tertiary lecture halls as an ad-hoc attendance record. The student does nothing around recording attendance but if one of their devices accesses the WAP in the lecture hall the College can record that as the student being physically in the room).
    • This does not, of course, work if students are on cellular 4G networks instead of wifi.
  • Some level of biometric recording that feeds back into Flow to trigger the attendance. On Windows 10 devices, this could be Windows Hello or even a fingerprint scanner that students place their thumb on as they enter the classroom. I know that holding personally identifiable information like a biometric fingerprint might be frowned upon, but the actual identifiable information of that fingerprint could be salted and hashed so it could not be used in other scenarios at the school.
  • Visual Reporting as safety check – the fact that the PowerBI report visually shows which desk is occupied would give the teacher a very quick visual cue to scan the room for “empty” desks and see if this correlates.

This is not necessarily an easily implementable solution for schools but it hints at a future where mundane and time consuming activities like attendance checking can be streamlined allowing greater emphasis and time for teaching.

Survey: Storage Replica “Lite”


Hey folks, Ned here again. Are you interested in a reduced cost but reduced functionality version of Storage Replica? We are too. Come take a 2-minute survey:

https://aka.ms/srlite1

Ned "this survey promises nothing" Pyle

<Now streaming on demand> Microsoft Tech Summit 2017 Online [Updated 12/15]


[Microsoft Tech Summit 2017], which closed to great acclaim, is already back as a virtual event. We have prepared the keynote and more than 70 session videos together with their related materials. Please make use of them for your business!


▼ Microsoft Tech Summit 2017 Online is available here


Measuring And Driving Usage Of Teams For Education


If you value it, you measure it.

If you can’t measure it, you can’t improve it.

The above two quotes are pretty common in modern business practices and yet ironically for institutions that are used to assessing students on a regular basis,  I don’t always see schools regularly measuring the impact of their eLearning initiatives and technology deployments.

I’ve blogged a lot here about both how to use the tools to measure impact but also why it’s important to be doing this within your organisation:

Consequently, in a similar theme, I'm going to share how schools can track the usage of Teams for Education. A good starting point is to review this blog post here (if you're still in the planning and setup phase of Teams, read this guide first). With the announcement earlier this year that Microsoft Classroom Preview was going to be discontinued and replaced by Teams for Education, schools all across the globe have been implementing or preparing to deploy Teams. As with any new tool, training and support for teachers and students is important, and being able to measure the impact of the uptake of a tool is critical for school leaders to see if they're achieving the Return On Investment (ROI) both of the platform itself and of the cost of training.

One way to do this is to use the Office365 Admin Teams User Activity Report (direct link):

  1. The Microsoft Teams user activity report gives you a view of the most common activities that your users perform in Microsoft Teams, including how many people engage in team chat, how many communicate via private chat message, and how many participate in calls or meetings. You can see this information both at the tenant level and for each individual user.
  2. The Microsoft Teams app usage report provides you with information about how your users connect to Microsoft Teams, including mobile apps. The report helps admins understand what devices are popular in their organization and how many users work on the go.

Getting The Data Insights To The Right People:

Of course, it is rarely the role of the IT Admin to be driving usage of the tools in schools. This often falls to an eLearning Lead Teacher, ICT Co-Ordinator, or even external training partners. To ensure they can measure the impact of their work, there is a new role created in O365 Admin called “Reports Reader Role” which allows a standard user to have access to:

the usage reporting dashboard in the admin center, the adoption content pack in PowerBI as well as the data returned by the Microsoft Graph reporting API. In the admin center, a reports reader will be able to access areas relevant to usage and adoption only – for example, a user with this role cannot configure settings or access the product specific admin centers.  NB: The reports reader role UI is not available yet in Azure Active Directory but will come soon.

[Screenshot: Teams1.PNG]

Example report of Teams usage from my demo tenant. At the very bottom you can see the column headings that would have users displayed below them.

The report above can be switched to show “activities” or “users” in the graph. It’s a good way to see the uptake of things like channel conversations or private chat messages within Teams by your users. Additional reporting is available in the Office365 Admin PowerBI Reporting Pack showing usage of Teams:

[Screenshot: Teams2.png]

The bottom report is particularly useful for visually displaying if usage of Teams for Education is building, showing good uptake amongst a school.

These reports should provide insights into what areas of Teams are being used successfully, and what areas perhaps need further training or promotion to staff and students. An area I would like to see reported on is interaction by end users in the “Files” tab i.e. how many files they’ve uploaded / downloaded within the Team.

Final Thoughts:

It’s amazing how much AI is making its way into Office365 (this is a useful blog to read from the O365 team with the latest AI and Machine Learning features being added into Excel and Word). The future of O365 Admin reporting is clearly heading towards personalised recommendations on how to maximise the tools to drive efficiency and smarter collaboration within your organisation. A future feature is going to be the “Usage Score” (see below), which will provide personalised and contextual recommendations on how to get more out of the tools, and also allow trainers and those responsible for driving institutional uptake to set target adoption campaigns:

[Screenshot: Teams3.png]

To loop back to the opening quotes of this blog, “if you value it, you measure it”: for those in schools responsible for driving adoption of technologies, the above reporting provides a perfect way to demonstrate their impact on the organisation and perhaps to bring this evidence to the table in performance reviews. Staff are generally the most valuable resource a company has, hence most are measured in a regular, scheduled way. Now it’s even easier to measure the impact of some of their activities well.


List of AppLocker hotfixes post SP1 for Windows 7 SP1 and Windows Server 2008 R2 SP1


Applies to:

Windows Server 2008 R2 Service Pack 1
Windows Server 2008 R2 SP1
W2K8 R2 Service Pack 1
W2K8 R2 SP1

Windows 7 Service Pack 1
Windows 7 SP1
Win7 Service Pack 1
Win7 SP1

Note:  You should check http://support.microsoft.com/ for the latest version of the different files.

Note 2:  These may not be available in Windows Update.

Note 3:  You can download them without entering your e-mail address and captcha if you are a Microsoft Premier customer and have a http://premier.microsoft.com/ account.

Note 4:  Carefully review the list and decide which might be applicable to your unique environment.

Note 5:  Test in your test and your quality assurance environment.


List of AppLocker related hotfixes post SP1 for Windows 7 SP1 and Windows Server 2008 R2 SP1 as of Sep. 2015.

3083992 Microsoft security advisory: Update to improve AppLocker certificate handling: September 8, 2015
https://support.microsoft.com/?id=3083992


Update(s):
Adtschema.dll    6.1.7601.23153
Adtschema.dll.mui    6.1.7601.23153
Apisetschema.dll    6.1.7601.23153
Appid.sys    6.1.7601.18950
Appid.sys    6.1.7601.23153
Appidapi.dll    6.1.7601.18950
Appidapi.dll    6.1.7601.23153
Appidcertstorecheck.exe    6.1.7601.18950
Appidcertstorecheck.exe    6.1.7601.23153
Appidpolicyconverter.exe    6.1.7601.18950
Appidpolicyconverter.exe    6.1.7601.23153
Appid-ppdlic.xrm-ms   
Appid-ppdlic.xrm-ms   
Appidsvc.dll    6.1.7601.18950
Appidsvc.dll    6.1.7601.23153
Auditpol.exe    6.1.7601.23153
Auditpol.exe.mui    6.1.7601.23153
Ci.dll    6.1.7601.18519
Ci.dll    6.1.7601.22730
Ci.dll.mui    6.1.7601.18950
Ci.dll.mui    6.1.7601.23153
Cng.sys    6.1.7601.22946
Credssp.dll    6.1.7601.23153
Cryptbase.dll    6.1.7601.23153
Csrsrv.dll    6.1.7601.23153
Driver.stl   
Driver.stl   
Kerberos.dll    6.1.7601.23153
Ksecdd.sys    6.1.7601.23153
Ksecpkg.sys    6.1.7601.23153
Lsasrv.dll    6.1.7601.23153
Lsasrv.dll.mui    6.1.7601.23153
Lsasrv.mof   
Lsass.exe    6.1.7601.23153
Mrxsmb.sys    6.1.7601.23153
Mrxsmb10.sys    6.1.7601.23153
Mrxsmb20.sys    6.1.7601.23153
Msaudite.dll    6.1.7601.23153
Msaudite.dll.mui    6.1.7601.23153
Msobjs.dll    6.1.7601.23153
Msobjs.dll.mui    6.1.7601.23153
Msv1_0.dll    6.1.7601.23153
Ncrypt.dll    6.1.7601.23153
Ntdll.dll    6.1.7601.23153
Ntkrnlpa.exe    6.1.7601.23153
Ntoskrnl.exe    6.1.7601.23153
Rpchttp.dll    6.1.7601.23153
Rpcrt4.dll    6.1.7601.23153
Rstrui.exe    6.1.7601.23153
Schannel.dll    6.1.7601.23153
Secur32.dll    6.1.7601.23153
Setbcdlocale.dll    6.1.7601.18950
Setbcdlocale.dll    6.1.7601.23153
Setbcdlocale.dll    6.1.7601.18950
Setbcdlocale.dll    6.1.7601.23153
Smss.exe    6.1.7601.23153
Srclient.dll    6.1.7601.23153
Srcore.dll    6.1.7601.23153
Sspisrv.dll    6.1.7601.23153
Tspkg.dll    6.1.7601.23153
Tspkg.mof   
Wdigest.dll    6.1.7601.23153
Winload.exe    6.1.7601.18649
Winload.exe    6.1.7601.23003
Winload.exe.mui    6.1.7601.18950
Winload.exe.mui    6.1.7601.23153
Winresume.exe    6.1.7601.18519
Winresume.exe    6.1.7601.23003
Winresume.exe    6.1.7601.18950
Winresume.exe    6.1.7601.23153
Winresume.exe.mui    6.1.7601.18950
Winresume.exe.mui    6.1.7601.23153
Winresume.exe.mui    6.1.7601.18950
Winresume.exe.mui    6.1.7601.23153
Winresume.exe.mui    6.1.7601.18950
Winresume.exe.mui    6.1.7601.23153
Winresume.exe.mui    6.1.7601.18950
Winresume.exe.mui    6.1.7601.23153


3008790 "Rules cannot be created for the following files" error message in AppLocker when you try to select certain files
https://support.microsoft.com/?id=3008790
<Not a hotfix>


2894252 Process that runs in Untrusted integrity level is reported as an AppContainer after you install KB2532445 in Windows 7 SP1 and Windows Server 2008 R2 SP1
https://support.microsoft.com/?id=2894252
Update(s):
Apisetschema.dll    6.1.7601.22469
Apisetschema.dll    6.1.7601.22469
Appid.sys    6.1.7601.22469
Appidapi.dll    6.1.7601.22469
Appidcertstorecheck.exe    6.1.7601.22469
Appidpolicyconverter.exe    6.1.7601.22469
Appid-ppdlic.xrm-ms   
Appidsvc.dll    6.1.7601.22469
Csrsrv.dll    6.1.7601.22469
Ntdll.dll    6.1.7601.22469
Ntkrnlpa.exe    6.1.7601.22469
Ntoskrnl.exe    6.1.7601.22469
Smss.exe    6.1.7601.22469
Smss.exe    6.1.7601.22469


2862565 AppLocker blocks administrators and other high privileged group’s users from executing files on a Windows 7 SP1-based or Windows Server 2008 R2 SP1-based computer
https://support.microsoft.com/?id=2862565
Update(s):
Apisetschema.dll    6.1.7601.22382
Appid-ppdlic.xrm-ms   
Appid.sys    6.1.7601.22382
Appidapi.dll    6.1.7601.22382
Appidcertstorecheck.exe    6.1.7601.22382
Appidpolicyconverter.exe    6.1.7601.22382
Appidsvc.dll    6.1.7601.22382
Csrsrv.dll    6.1.7601.22382
Ntkrnlpa.exe    6.1.7601.22382
Ntoskrnl.exe    6.1.7601.22382
Smss.exe    6.1.7601.22382


2768362 You cannot open Office documents in Protected View if an AppLocker policy restricts the use of Office 2010
https://support.microsoft.com/?id=2768362


2750770 "This app has been blocked by your system administrator" error when you try to start Microsoft Store apps
https://support.microsoft.com/?id=2750770
<Not a hotfix>


2749690 "0x800700C1: not a valid Win32 application" error when you create an AppLocker hash rule for a file in Windows 8, Windows Server 2012, Windows 7, or Windows Server 2008 R2
https://support.microsoft.com/?id=2749690
<Not a hotfix>


2659440 AppLocker path condition does not work when a file name contains international characters in Windows 7 or in Windows Server 2008 R2
https://support.microsoft.com/?id=2659440
Update(s):
Appid-ppdlic.xrm-ms   
Appid.sys    6.1.7601.21915
Appidpolicyconverter.exe    6.1.7601.21915
Appidsvc.dll    6.1.7601.21915
Ntkrnlpa.exe    6.1.7601.21915
Ntoskrnl.exe    6.1.7601.21915


2568071 Nested Windows Installer (MSI) package fails to install when AppLocker policy is enabled
https://support.microsoft.com/?id=2568071
<Not a hotfix>


2568041 You cannot access allowed applications that are managed by AppLocker in Windows 7 or in Windows Server 2008 R2
https://support.microsoft.com/?id=2568041
Update(s):
Appid.sys    6.1.7600.21010
Appid.sys    6.1.7601.17514
Appidapi.dll    6.1.7600.16385
Appidapi.dll    6.1.7600.16385
Appidcertstorecheck.exe    6.1.7600.16385
Appidcertstorecheck.exe    6.1.7600.16385
Appidpolicyconverter.exe    6.1.7600.21010
Appidpolicyconverter.exe    6.1.7601.21772
Appid-ppdlic.xrm-ms   
Appid-ppdlic.xrm-ms   
Appidsvc.dll    6.1.7600.21010
Appidsvc.dll    6.1.7601.21772


2532445 You can circumvent AppLocker rules by using an Office macro on a computer that is running Windows 7 or Windows Server 2008 R2
https://support.microsoft.com/?id=2532445
Update(s):
Api-ms-win-core-console-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-console-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-datetime-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-datetime-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-debug-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-debug-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-delayload-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-delayload-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-errorhandling-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-errorhandling-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-fibers-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-fibers-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-file-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-file-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-handle-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-handle-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-heap-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-heap-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-interlocked-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-interlocked-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-io-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-io-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-libraryloader-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-libraryloader-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-localization-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-localization-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-localregistry-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-localregistry-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-memory-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-memory-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-misc-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-misc-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-namedpipe-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-namedpipe-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-processenvironment-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-processenvironment-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-processthreads-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-processthreads-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-profile-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-profile-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-rtlsupport-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-rtlsupport-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-string-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-string-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-synch-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-synch-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-sysinfo-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-sysinfo-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-threadpool-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-threadpool-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-util-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-util-l1-1-0.dll    6.1.7601.21798
Api-ms-win-core-xstate-l1-1-0.dll    6.1.7600.21035
Api-ms-win-core-xstate-l1-1-0.dll    6.1.7601.21798
Api-ms-win-security-base-l1-1-0.dll    6.1.7600.21035
Api-ms-win-security-base-l1-1-0.dll    6.1.7601.21798
Appid.sys    6.1.7600.21035
Appid.sys    6.1.7601.21798
Appidapi.dll    6.1.7600.16385
Appidapi.dll    6.1.7600.16385
Appidcertstorecheck.exe    6.1.7600.16385
Appidcertstorecheck.exe    6.1.7600.16385
Appidpolicyconverter.exe    6.1.7600.21035
Appidpolicyconverter.exe    6.1.7601.21798
Appid-ppdlic.xrm-ms   
Appid-ppdlic.xrm-ms   
Appidsvc.dll    6.1.7600.21035
Appidsvc.dll    6.1.7601.21798
Conhost.exe    6.1.7600.21035
Conhost.exe    6.1.7601.21798
Kernel32.dll    6.1.7600.21035
Kernel32.dll    6.1.7601.21798
Kernelbase.dll    6.1.7600.21035
Kernelbase.dll    6.1.7601.21798
Ntkrnlpa.exe    6.1.7600.21035
Ntkrnlpa.exe    6.1.7601.21798
Ntoskrnl.exe    6.1.7600.21035
Ntoskrnl.exe    6.1.7601.21798
Winsrv.dll    6.1.7600.21035
Winsrv.dll    6.1.7601.21798


983551 Windows 7 or Windows Server 2008 R2 stops responding at the "Please wait" screen before you are requested to press Ctrl+ALT+DEL
https://support.microsoft.com/?id=983551
Appid.sys    6.1.7600.20710
Appidapi.dll    6.1.7600.16385
Appidcertstorecheck.exe    6.1.7600.16385
Appidpolicyconverter.exe    6.1.7600.20710
Appid-ppdlic.xrm-ms   
Appidsvc.dll    6.1.7600.16385


976922 The "Run only allowed Windows applications" Group Policy setting displays no entries
https://support.microsoft.com/?id=976922
<Not a hotfix>
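The file lists above are what a practitioner actually uses to confirm that an AppLocker hotfix landed. The following added example (not from the original article) reads the installed versions of the AppLocker binaries on a Windows 7 SP1 / Server 2008 R2 SP1 host and compares them with the SP1 (6.1.7601.21798) entries from the KB 2532445 list. The file paths are the standard System32 locations; the set of files checked is my selection from the list, and the script needs Windows PowerShell 3.0 or later for `[pscustomobject]`.

```powershell
# Added example: check AppLocker hotfix file versions against the KB 2532445 list.
# Minimum versions below are the 6.1.7601.21798 (SP1, LDR branch) entries from the KB.
$expected = @{
    'appid.sys'                = [version]'6.1.7601.21798'
    'appidsvc.dll'             = [version]'6.1.7601.21798'
    'appidpolicyconverter.exe' = [version]'6.1.7601.21798'
    'kernel32.dll'             = [version]'6.1.7601.21798'
    'kernelbase.dll'           = [version]'6.1.7601.21798'
    'ntoskrnl.exe'             = [version]'6.1.7601.21798'
}

$system32 = Join-Path $env:SystemRoot 'System32'
$paths = @{
    'appid.sys'                = Join-Path $system32 'drivers\appid.sys'
    'appidsvc.dll'             = Join-Path $system32 'appidsvc.dll'
    'appidpolicyconverter.exe' = Join-Path $system32 'appidpolicyconverter.exe'
    'kernel32.dll'             = Join-Path $system32 'kernel32.dll'
    'kernelbase.dll'           = Join-Path $system32 'kernelbase.dll'
    'ntoskrnl.exe'             = Join-Path $system32 'ntoskrnl.exe'
}

function Get-FileVersionObject {
    param([Parameter(Mandatory=$true)][string]$Path)
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    # Build from the numeric parts: the FileVersion string carries a build tag
    # such as "6.1.7601.21798 (win7sp1_ldr...)" that does not parse as [version].
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-AppLockerHotfixFiles {
    foreach ($name in $expected.Keys) {
        $path = $paths[$name]
        if (-not (Test-Path $path)) { Write-Warning "$name not found at $path"; continue }
        $actual = Get-FileVersionObject -Path $path
        [pscustomobject]@{
            File      = $name
            Installed = $actual
            Required  = $expected[$name]
            OK        = ($actual -ge $expected[$name])
        }
    }
}

Test-AppLockerHotfixFiles | Format-Table -AutoSize

# The hotfix is an LDR-branch package, so a GDR-branch file (6.1.7601.17xxx/18xxx)
# compares as "older" even when it is newer in time. Cross-check the package itself:
Get-HotFix -Id KB2532445 -ErrorAction SilentlyContinue
```

A version below the threshold does not by itself prove the system is exposed; a later cumulative update may have superseded the hotfix. Treat the `Get-HotFix` result and the file comparison together.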

Microsoft OneDrive recognized as a leader in enterprise file sync and share


On December 6, Forrester published its Forrester Wave report on enterprise cloud file sync and share and named Microsoft OneDrive a "Leader". Beyond the Leader placement, Microsoft ranked first overall in the current-offering category and second in product strategy.

Forrester writes that "Microsoft delivers comprehensive collaboration" and that OneDrive "offers workplace productivity, file sharing and content management capabilities enhanced by content-aware services". Forrester also noted our adoption and deployment services, pointing out that "Microsoft helps customers migrate from on-premises systems through its own FastTrack program, so customers can move files easily."

 

This recognition reflects our commitment to customers: making sure OneDrive delivers the best file sharing and collaboration capabilities, including:

  • Best integration with Office 365: OneDrive is included in Office 365 subscriptions and, with the intelligent discovery and insight capabilities of Microsoft Graph, is the only solution that lets you edit and co-author Office documents across the browser, mobile devices and desktop apps.
  • Support for a wide range of file types: OneDrive can store any file type and, beyond Office files, can preview more than 270 file types, including Adobe Photoshop (PSD), Illustrator (AI) and Acrobat (PDF), as well as video, 3D formats and DICOM images.
  • Security and IT-grade assurance: OneDrive applies Microsoft's security capabilities, such as Data Loss Prevention (DLP), eDiscovery, Customer Key (BYOK) and data retention controls, with consistent management across Office 365.
  • Deployment flexibility: customers can choose the deployment model that suits them: cloud, hybrid or on-premises. Microsoft FastTrack deployment, adoption and migration services are available at no charge to customers moving to the cloud.
  • Cloud leadership and compliance: with more than 100 datacenters worldwide and the reach of Microsoft's global network, combined with compliance standards including ISO 27001, AICPA SOC 1/2/3, FISMA, FedRAMP, FERPA and the EU Model Clauses, plus contractual commitments on GDPR, we give customers enterprise-grade trust in compliance and security.

 

Beyond the good news from Forrester, over the past year the OneDrive team has shared more than 100 new features at Microsoft Ignite, including Files On-Demand, secure external sharing without a Microsoft account, and preview support for more than 270 file types, and has brought these updates to the mobile apps (rated 4+ stars on both iOS and Android).

Every day, more customers such as Accenture, Lowe's, Rackspace and DBS are turning to OneDrive for secure file sharing and collaboration from anywhere, on any device.

To learn more about how to get more done with OneDrive, visit our web page.

Get your free copy of the Forrester Wave™: Enterprise File Sync and Share Platforms - Cloud Solutions, Q4 2017 report here.

Timeouts during virtual machine backups in Hyper-V environments


Hello, this is Okawa from Windows Platform Support.
This time I would like to talk about timeouts during virtual machine backups in Hyper-V environments.

To prepare for cases where a virtual machine cannot start, such as after a configuration change or a failure of the disk that holds the virtual machine itself,
you probably take backups of your virtual machines from the Hyper-V host.

Virtual machine backups can be taken with third-party software that supports Hyper-V environments, or with Microsoft products such as
Data Protection Manager (DPM) and Windows Server Backup.

When you back up from the Hyper-V host with backup software, the Hyper-V components and VSS work together so that a consistent
backup is taken. The flow and the components involved in a virtual machine backup are as follows.

 

 

// Components involved in backing up a Hyper-V virtual machine
1. Backup requester
The component that issues the backup request, such as DPM or Windows Server Backup.

2. VSS on the Hyper-V host
The component that controls VSS on the host. It quiesces the virtual machine's VHDX and takes the snapshot.

3. Integration Services inside the virtual machine
The component that coordinates with VSS on the Hyper-V host.

4. VSS inside the virtual machine
The component that controls VSS inside the guest. It quiesces the data inside the virtual machine and takes the snapshot.

One point needs attention here: the Integration Services inside the virtual machine (component 3 above) have a timeout.
This timeout monitors how long the VSS processing inside the virtual machine takes. If it does not complete within 10 minutes,
the host is told to proceed with the subsequent steps even though processing inside the virtual machine is still running.
As a result, the data inside the virtual machine is backed up in an inconsistent state, and the virtual machine may not be
recoverable if it is restored from that backup. The 10-minute value is fixed and cannot be changed through any setting.

Cases where the VSS processing inside the virtual machine takes a long time include:

1. Many VSS snapshots exist inside the virtual machine
2. VSS snapshots are taken of a very large volume inside the virtual machine

When a quiesced point of the data inside the virtual machine is taken, a VSS snapshot is created, and this involves a
"snapshot enumeration" step inside the virtual machine. The enumeration retrieves the ID, attributes and other information
for every snapshot in the virtual machine, so it takes longer the more snapshots there are. It also checks which data on
the volume each snapshot protects, so the time grows in proportion to the volume size.

If this problem occurs, the following events are recorded together in the event log inside the virtual machine.

===
Log Name:      System
Source:        volsnap
Date:          XXXX/XX/XX XX:XX:XX
Event ID:      16
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      XXXXX
Description:
The shadow copies of volume \\?\...XXX-XXXX-XXXX-XXXXXXXXXXXX} were aborted because volume \\?\...XXX-XXXX-XXXX-XXXXXXXXXXXX},
which contains shadow copy storage for this shadow copy, was force dismounted.
===

===
Log Name:      System
Source:        disk
Date:          XXXX/XX/XX XX:XX:XX
Event ID:      51
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXXXX
Description:
An error was detected on device \Device\HarddiskX\DRXX during a paging operation.
===

===
Log Name:      System
Source:        Microsoft-Windows-Ntfs
Date:          XXXX/XX/XX XX:XX:XX
Event ID:      140
Task Category: None
Level:         Warning
Keywords:      (8)
User:          SYSTEM
Computer:      XXXXX
Description:
The system failed to flush data to the transaction log. Corruption may occur in VolumeId: \\?\Volume{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX},
DeviceName: \Device\HarddiskVolumeXX.
(A device which does not exist was specified.)
===

===
Log Name:      System
Source:        disk
Date:          XXXX/XX/XX XX:XX:XX
Event ID:      157
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXXXX
Description:
Disk X has been surprise removed.
===

If these events are recorded together, a timeout may have occurred, so please consider the following countermeasures.

[Countermeasure 1]
Reduce the number of snapshot generations created inside the virtual machine.

The time taken by the "snapshot enumeration" grows in proportion to the number of snapshot generations. Check the snapshots
that have been created with the vssadmin list shadows command, and consider deleting them with the vssadmin delete shadows command.

Vssadmin list shadows
https://technet.microsoft.com/ja-jp/library/cc788116(v=ws.10).aspx

Vssadmin delete shadows
https://technet.microsoft.com/ja-jp/library/cc788026(v=ws.10).aspx

 

If some snapshots cannot be deleted even with vssadmin delete shadows, try deleting them with the diskshadow command.
For details on the diskshadow command, see the following.

How to handle shadow copies that cannot be deleted with the vssadmin command

 

Also, snapshots created through the [Configure Shadow Copies] dialog can have up to 64 generations by default. This default
number of generations can be controlled with the registry value below, so consider this setting as well.

// Setting the number of snapshot generations
----------------------------------------------------------------------------------------------------------------
1. Click [Start] - [Run], type regedit and click OK.

2. Locate and click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings

3. From the menu bar, select [Edit] - [New] and click [DWORD Value].

4. Type MaxShadowCopies and press Enter.

5. Then click [Edit] - [Modify].

6. Enter the number of generations to allow and click [OK].

7. Exit through [File] - [Exit Registry Editor] on the menu bar.

8. Restart the computer.
-----

* The number of generations of snapshots created by backup software cannot be controlled with this registry value.
In that case, the snapshots need to be deleted periodically with the diskshadow command.

 

[Countermeasure 2]
Shrink the large volume on which VSS snapshots are being taken.

The "snapshot enumeration" also takes longer in proportion to the volume size, so consider shrinking the target volume.
The volume size at which this problem appears depends on the environment, but in the cases reported so far it has
occurred on machines using volumes larger than several tens of TB.

The procedure for shrinking a volume is as follows.

// How to shrink a volume
----------------------------------------------------------------------------------------------------------------
1. Click [Start] - [Run], type diskmgmt.msc and click OK.

2. Disk Management opens. Right-click the target volume and click [Shrink Volume].

3. The amount of space available to shrink is shown. Enter a size within that amount and click [Shrink].

4. Confirm that the volume has been shrunk.
-----

We hope this post is of some help.

 

Microsoft OneDrive named a "Leader" in the Forrester Wave for Enterprise File Sync and Share


(This article is a translation of Microsoft OneDrive recognized as a Forrester Wave Leader in Enterprise File Sync and Share, posted on Office Blogs on December 6, 2017. For the latest information, see the original article.)

Added December 13, 2017
Microsoft OneDrive has also been named a "Leader" in the Forrester Wave™ for Enterprise File Sync and Share Platforms (Hybrid). The full report, "The Forrester Wave™: Enterprise File Sync and Share Platforms—Hybrid, Q4 2017", is available from the Microsoft Tech Community (English).

Forrester has published its Wave report on enterprise cloud file sync and share, naming Microsoft OneDrive a "Leader". OneDrive also received the highest score in the "current offering" category and tied for second in "strategy".

Forrester's report says that "Microsoft delivers comprehensive collaboration" and that OneDrive "offers workplace productivity, file sharing and content management capabilities enhanced by content-aware services". On adoption and deployment services, it notes that "Microsoft supports customers migrating from on-premises systems through its FastTrack program, and program participants can move files at no cost."

This recognition reflects Microsoft's work to give customers best-in-class file sharing and collaboration in OneDrive, including:

  • Best combination with Office 365: OneDrive is included in Office 365 subscriptions and is the only solution that lets you edit and co-author Office documents in the browser, mobile apps and desktop apps, with intelligent search and insights from Microsoft Graph.
  • Support for a wide range of file types: OneDrive can store any kind of file and, beyond Office files, can display 270 file types, including Adobe products such as Photoshop (PSD), Illustrator (AI) and Acrobat (PDF), as well as video, 3D formats and DICOM images.
  • Trusted security and IT: OneDrive is covered by Microsoft's security features, including data loss prevention (DLP), eDiscovery, customer key management (BYOK) and data retention controls, and can be managed consistently across Office 365.
  • Flexible deployment: customers can choose a cloud, hybrid or on-premises deployment model, and those moving to the cloud can use the deployment, adoption and migration services of Microsoft FastTrack at no charge.
  • Cloud leadership and compliance: Microsoft operates more than 100 datacenters worldwide with a global network edge, and delivers enterprise-class compliance and security to customers through compliance with standards such as ISO 27001, AICPA SOC 1/2/3, FISMA, FedRAMP, FERPA and the EU Model Clauses, together with contractual commitments on GDPR.

Beyond this good news from Forrester, at Microsoft Ignite (English) the OneDrive team presented the more than 100 new features shipped over the past year, including Files On-Demand (English), secure external sharing without a Microsoft account (English) and preview support for more than 270 file types (English), as well as updates to the highly rated OneDrive mobile apps (4+ stars on both iOS and Android).

Customers including Accenture (English), Lowe's (English), Rackspace (English) and DBS (English) are turning to OneDrive every day for secure file sharing and collaboration regardless of location or device. For more on how to make the most of OneDrive, see this web site.

The full report, "Forrester Wave™: Enterprise File Sync and Share Platforms—Cloud Solutions, Q4 2017", can be requested free of charge here (English).

The OneDrive Team

* The content of this post (including attachments and linked pages) is current as of its writing date and may change without notice.

[EMS] Automatic license assignment with group-based licensing


Thank you for reading the Device & Mobility Team Blog. This is Suzuki, in charge of security products.

How do you assign Office 365 and similar licenses?
With many users, most of you are probably automating assignment with PowerShell. A while ago, however, a feature was added that automatically grants licenses to the members of an Azure AD security group (referred to below simply as a group), so licenses can now be assigned to users without batch processing such as PowerShell.

Many current Office 365 customers manage users in an on-premises Active Directory that is synchronized with Azure AD. In that case, license management can be automated by building on that existing user-management setup.

If you already have groups such as "O365 Users" or "EMS Users" in on-premises AD with the relevant users pre-assigned, or something close to that, assign the licenses to those groups. Licenses are then assigned without using PowerShell.
In diagram form, the arrangement looks like this:

If you need to express more complex conditions, there is another approach.
Azure AD offers dynamic groups, which populate group membership dynamically from user attributes. For example, put a string such as "O365" or "EMS" in an Active Directory extension attribute (extensionAttribute1, etc.), and have Azure AD dynamic groups place users into "O365 Users" or "EMS Users" accordingly. Each license is then granted at the same time.

Groups are a key building block of Azure AD's features. For instance, when configuring SSO for a SaaS integration you specify the user scope by group, and when using conditional access you specify the scope by group as well. So one way or another, users end up assigned to Azure AD groups.
Once license assignment through Azure AD groups is configured, licenses are assigned without a user holding administrative rights having to run PowerShell on a schedule.
Combined with Privileged Identity Management (PIM) in Azure AD Premium P2, you no longer need a standing administrator account to run scripts, which also improves security.

There are limitations, however. Details are here; in particular, note that with nested groups the license assignment applies only to the top-level group that is specified.

The feature can be applied in many other ways with a little creativity.
Please consider using it for license management in Azure AD.
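As an added example (not from the original post), the script below implements the dynamic-group variant described above: it stamps users in on-premises AD with extensionAttribute1 = "EMS", then creates an Azure AD dynamic group whose membership rule keys on that attribute, so that a license assigned once to the group follows the attribute automatically. The OU path, the group name and the choice of extensionAttribute1 with the value "EMS" are assumptions that match the post's illustration; the license assignment to the group itself is done once in the Azure portal.

```powershell
# Added example: attribute-driven dynamic group for group-based licensing.

# --- On-premises side (ActiveDirectory module): tag the users ---
$ou = 'OU=EMS Users,DC=contoso,DC=local'   # assumed OU
Get-ADUser -SearchBase $ou -Filter * |
    Set-ADUser -Replace @{ extensionAttribute1 = 'EMS' }
# Confirm in Azure AD Connect that extensionAttribute1 is among the synced
# attributes; otherwise the rule below never matches.

# --- Azure AD side (AzureAD module): dynamic group keyed on the attribute ---
Connect-AzureAD
$rule = '(user.extensionAttribute1 -eq "EMS")'
$group = New-AzureADMSGroup -DisplayName 'EMS Users' `
    -Description 'Dynamic: licensed for EMS via extensionAttribute1' `
    -MailEnabled $false -MailNickname 'emsusers' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Membership is evaluated asynchronously; check it before assigning the license.
Get-AzureADGroupMember -ObjectId $group.Id | Select-Object UserPrincipalName

# Then assign the license to this group once in the Azure portal
# (Azure Active Directory > Licenses > All products > Assign).
# Keep the group flat: per the post's caveat, nested groups are not licensed.
```

Because the rule reads a single attribute, revoking a user's license becomes an on-premises attribute change rather than a privileged PowerShell run, which is the operational point the post makes about PIM and standing administrators.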

References
What is group-based licensing in Azure Active Directory
https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-licensing-whatis-azure-portal
Use group-based licensing with dynamic groups
https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-licensing-group-advanced#use-group-based-licensing-with-dynamic-groups
Scenarios, limitations and known issues when using groups
https://docs.microsoft.com/ja-jp/azure/active-directory/active-directory-licensing-group-advanced#limitations-and-known-issues

Crippling the Cyber Kill Chain


While digital transformation is driving exponential growth for organizations, businesses are increasingly exposed to sophisticated cyber threats built on complex code that is hard to detect. The security landscape is changing very swiftly, with record leaks, bank account hacks and online fraud making headlines every morning. Clearly the mechanisms in place today aren't strong enough to protect against these breaches.

Defenders must deal with dynamic cyber conflicts and Advanced Persistent Threats (APTs). Lockheed Martin defines an Advanced Persistent Threat as:

  • Advanced: Targeted, coordinated and purposeful
  • Persistent: Month after month, year after year
  • Threat: Person with intent, opportunity and capability

Attackers must complete the following stages of the Cyber Kill Chain to achieve their objectives:

 

 

Endpoints: PROTECT, DETECT and RESPOND

Traditional solutions like antivirus and antispam aren't equipped to combat modern-day threats on the intruder's most vulnerable and valuable target, the endpoint. Let us briefly discuss how endpoints can be protected at each stage of the cyber kill chain, making the attack more expensive for the intruder and breaking their standard playbook.

Reconnaissance/Weaponization

We have little control over pre-attack reconnaissance and weaponization, where the adversary uses techniques such as phishing, spear-phishing, watering-hole attacks and social engineering to learn more about you and develop a weapon to target you. Some hygiene and awareness can still make the attacker sweat at this early stage: keeping your ecosystem updated, and training employees so that they do not fall prey to phishing and social engineering.

Delivery

Once the weapon is developed, delivery to you will be attempted. The delivery vector can be email, the browser, a USB drive or DVD, or even a vulnerability in one of your applications.

  • Protection against unsafe attachments and expanding protection against malicious links

Office 365 Advanced Threat Protection offers protection against unknown malware and viruses and against malicious URLs, with rich reporting and URL trace capabilities. It complements the security features of Exchange Online Protection to provide better zero-day protection. This blocks the weapon from reaching your endpoint via the email channel, and the intruder must now rethink how to deliver it to you.

  •  Protection while browsing the web

Windows Defender Application Guard (WDAG) isolates enterprise-defined untrusted sites, protecting organizations when their employees browse the Internet. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, separate from the host operating system. If the untrusted site turns out to be malicious, the host PC is protected and the attacker can't get to your enterprise data. In addition, Edge is sandboxed by default, with inherent security features such as attack surface reduction, MemGC and Control Flow Guard that make it even harder to exploit.

Getting tough, isn't it? For the attacker, of course!

 

Exploitation and Installation

Even if the adversary still gets in, they will attempt to execute and install malicious code by exploiting vulnerabilities. Once successful, they can control your endpoint persistently through command and control (C&C) infrastructure.

  • Real Time Protection against known codes

The built-in antimalware engine in Windows 10 (Windows Defender AV) blocks the execution of known malicious code. Advanced capabilities such as cloud-delivered protection and Block at First Sight add protection against new malware within seconds.

  • Protection against installation of untrusted Applications

Windows Defender Application Control (WDAC) is a crucial line of defense for enterprises given today's threat landscape, and it has an inherent advantage over traditional antivirus solutions: application control flips the model from one where all applications are trusted by default to one where applications must earn trust to run.

No room for malware or ransomware to execute. You don't trust them, right?
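"Applications must earn trust" is only a slogan until you have a policy and a way to see what it would block. The following added example (not from the original post) builds a WDAC policy from a known-good reference machine with the ConfigCI cmdlets that ship with Windows 10, leaves it in audit mode so violations are logged rather than blocked, and provides a function to read the resulting audit events before enforcement. The working folder, the scan path and the choice of Publisher level with hash fallback are assumptions.

```powershell
# Added example: WDAC policy from a reference image, audit first, then enforce.
$xml = 'C:\WDAC\Reference.xml'   # assumed working folder
$bin = 'C:\WDAC\SIPolicy.p7b'

# Scan the reference machine. Publisher level trusts files signed by the same
# publisher; Hash fallback pins unsigned files individually.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $xml -UserPEs -ScanPath 'C:\'

# Option 3 = "Enabled:Audit Mode" (new policies carry it by default; set it
# explicitly so the intent is visible in change control).
Set-RuleOption -FilePath $xml -Option 3

ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
# Deploy: copy $bin to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and reboot.

function Get-CodeIntegrityAuditEvents {
    # 3076 = would have been blocked (audit mode), 3077 = blocked (enforced).
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-CodeIntegrityAuditEvents | Format-Table -Wrap

# After the audit log shows only expected hits, switch to enforcement:
#   Set-RuleOption -FilePath $xml -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin   # redeploy and reboot
```

Review the 3076 events for line-of-business software and signed-but-unlisted updaters before deleting option 3; an enforced policy that blocks a patch installer is the most common way application control gets switched off again.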

  • Protection against vulnerabilities in your Applications and Reduction of Attack Surface

Windows Defender Exploit Guard (WDEG) is a set of host intrusion prevention capabilities that help reduce the attack surface of the applications you use. Exploit Guard comprises four sets of capabilities:

Exploit protection applies exploit mitigation techniques to your apps.

Attack surface reduction rules reduce the attack surface of your applications with rules that stop the vectors used by Office-, script- and mail-based malware.

Network protection extends the malware and social-engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your devices.

Controlled folder access protects files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware.
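The three Exploit Guard components that are configured through Windows Defender AV preferences (attack surface reduction rules, network protection and controlled folder access) can be rolled out in audit mode first and enforced once the audit log shows no business impact. The following added example (not from the original post) does exactly that with the Defender module's `Add-MpPreference`/`Set-MpPreference` cmdlets; exploit protection is configured separately with `Set-ProcessMitigation` and is not covered here. The rule GUIDs are Microsoft's published ASR rule identifiers and should be verified against the current ASR rule reference before deployment; the selection of rules and the protected folder are assumptions.

```powershell
# Added example: staged Exploit Guard rollout (audit, review, then enforce).
$asrRules = @{
    # Block executable content from email client and webmail
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Mail executable content'
    # Block all Office applications from creating child processes
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office child processes'
    # Block Office applications from creating executable content
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office executable content'
    # Block Win32 API calls from Office macros
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Office macro Win32 API calls'
    # Block JavaScript or VBScript from launching downloaded executable content
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Script launching downloaded executables'
}

function Set-AsrRules {
    # Start with AuditMode (logs only), move to Enabled after review.
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode = 'AuditMode')
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-9} {1}  {2}" -f $Mode, $id, $asrRules[$id])
    }
}

function Get-ExploitGuardEvents {
    # Windows Defender operational log IDs: ASR 1121 block / 1122 audit,
    # controlled folder access 1123 block / 1124 audit, network protection 1126 block / 1125 audit.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-AsrRules -Mode AuditMode
Set-MpPreference -EnableNetworkProtection AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'   # assumed folder

# Verify what the endpoint is actually running.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids,
    AttackSurfaceReductionRules_Actions, EnableNetworkProtection,
    EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders

Get-ExploitGuardEvents | Format-Table -Wrap
# When the audit events are all expected: Set-AsrRules -Mode Enabled, then
# Set-MpPreference -EnableNetworkProtection Enabled and -EnableControlledFolderAccess Enabled.
```

The "Office child processes" rule is the one that most directly defeats macro-launched droppers, and it is also the one most likely to collide with legitimate add-ins, which is why the audit pass matters.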

Exploitation? Not any more!

 

Privilege Escalation

The intruder might use techniques such as social engineering or stealing credentials from LSASS memory (pass-the-hash attacks) to obtain credentials for lateral movement deeper into your network.

  • Protecting Stored Credentials

Windows Defender Credential Guard (WDCG) is a native Windows 10 capability that uses virtualization-based security to prevent attacks against credentials, protecting NTLM password hashes, Kerberos Ticket Granting Tickets and credentials stored by applications as domain credentials.

  • Moving Towards a Password Less World

Just imagine a world without passwords. What would attackers use to get access to your valuable resources?

Windows Hello for Business (WHfB) replaces passwords with strong two-factor authentication on endpoints. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.

 

Detection and Response at all Stages

We live in a world where we assume breach, and many attacks still materialize in large organizations despite heavy investment in protection. We need to detect these breaches early and initiate a timely response to limit the damage.

Windows Defender Advanced Threat Protection (WDATP) is an intelligent endpoint detection and response capability in Windows 10 that provides preventative protection, detects attacks and zero-day exploits, and gives you centralized management for your end-to-end security lifecycle, delivering the timely insight needed to respond to a breach.

 

 PUTTING IT ALL TOGETHER!

Windows 10 and Office 365 have built-in native capabilities that address threats at each stage of the attack lifecycle with less administrative, performance and cost overhead. These integrated capabilities work with each other and are powered by the Microsoft Intelligent Security Graph (ISG). Microsoft's unique insight into the threat landscape, informed by trillions of signals from billions of sources, feeds that graph, which in turn informs how we protect endpoints, detect attacks and accelerate response.


Character-count limit when running UWFMGR.EXE commands


Hello, this is the Windows Support team at Microsoft Japan.
This time we introduce a point to keep in mind when configuring exclusions for UWF (Unified Write Filter) on Windows 10 with the uwfmgr command.

 

<Symptom>
When you configure an exclusion with the UWFMGR command for a file or registry key with a long path, the add operation succeeds but the remove operation fails.

As an example, when adding and then removing an exclusion for a long registry path like the one below, an error occurs at removal. The same error can occur for other registry paths, depending on their length.

 

- Add the exclusion
uwfmgr registry add-exclusion HKLM\ControlSet001\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\245d8541-3943-4422-b025-13a784f679b7\12345678-1234-1234-1234-12345678901234567890123

- Remove the exclusion
uwfmgr registry remove-exclusion HKLM\ControlSet001\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\245d8541-3943-4422-b025-13a784f679b7\12345678-1234-1234-1234-12345678901234567890123
Registry key <Registry> is not in the exclusion list - no action taken.

 

As shown above, an error occurs when removing the registry path that was added, and it cannot be removed.

 

<Cause>
When a UWF exclusion is added, the path is converted into a node path and added to an internal list. On removal, UWFMGR converts the specified path into a node path and attempts the deletion, but the buffer UWFMGR uses for this conversion is not large enough, so the part of the path that does not fit is truncated.
The added path and the path being removed therefore differ, the entry is judged not to exist, and the removal fails.

 

<Workaround>
Using the Windows Management Instrumentation (WMI) interface from a Windows PowerShell script, as described in the documentation below, allows the remove operation even for long paths.
For a sample script, refer to the "Example" under "Remarks" in that documentation, and adjust the computer name and other values to your environment.

 

UWF_RegistryFilter (Industry 8.1)
https://msdn.microsoft.com/en-us/library/dn449297.aspx
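The following added example (not from the original post) performs the workaround described above: it removes the registry exclusion through the UWF_RegistryFilter WMI class, bypassing the uwfmgr.exe buffer that truncates long paths. The class, its namespace and the RemoveExclusion/GetExclusions methods are as documented by Microsoft; the registry key is the post's example path, and the script assumes it runs locally on the UWF-protected device.

```powershell
# Added example: remove a long UWF registry exclusion via WMI instead of uwfmgr.exe.
$namespace = 'root\standardcimv2\embedded'
$key = 'HKLM\ControlSet001\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\245d8541-3943-4422-b025-13a784f679b7\12345678-1234-1234-1234-12345678901234567890123'

# UWF exposes two instances: the current session and the configuration that
# applies after the next restart. Exclusion changes go to the next-session instance.
$filter = Get-WmiObject -Namespace $namespace -Class UWF_RegistryFilter |
          Where-Object { $_.CurrentSession -eq $false }
if (-not $filter) { throw 'UWF_RegistryFilter not found; is UWF installed and enabled?' }

# Show the exclusions as UWF actually stored them (full, untruncated node paths).
$filter.GetExclusions().ExcludedKeys | ForEach-Object { $_.RegistryKey }

$result = $filter.RemoveExclusion($key)
if ($result.ReturnValue -ne 0) {
    throw "RemoveExclusion failed with return value $($result.ReturnValue)"
}
Write-Host "Removed exclusion (effective after restart): $key"
```

Listing the stored exclusions first is worth the extra line: it shows the full key that UWF registered, which is the string that uwfmgr.exe could not reproduce at removal time.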


Microsoft Premier Workshop: Office 365 SharePoint Online: End User


Description
The three-day workshop Office 365 SharePoint Online: End User covers advanced site administration, security, collaboration features and many other capabilities of Office 365 SharePoint Online. Through presentations, whiteboard discussions and goal-based exercises, SharePoint users and site administrators gain the overview of the technical concepts needed to administer and use a collaboration infrastructure successfully.

Target audience
The workshop is aimed at SharePoint Online users who want to learn more about the end-user features and possibilities of SharePoint Online.

Level 200
(Level scale: 100 = strategic / 200 = technical overview / 300 = in-depth expertise / 400 = technical expert knowledge)

Agenda
Module 1: Site Administration
In this module, you will learn the difference between site collection and site administration settings and the various administration user roles. Also, you will explore the various site templates available for use and the best practices around site taxonomy and structure.

Module 2: Securing Content
In this module, you will understand site and object security options such as permissions, permission levels, groups, the inheritance model, and the external user sharing.

Module 3: Lists and Libraries
In this module, you will take a deep dive into working with lists and libraries, list templates, columns, views, versioning, check in/check out, and alerts.

Module 4: Working with Content
In this module, you will explore the powerful content management features such as content types, site columns, managed metadata, policies, the search interface and more.

Module 5: Web Parts and Apps
In this module, you will gain insight into working with the available Web Parts provided with SharePoint Online products and learn how to leverage SharePoint Apps.

Module 6: Productivity Features
In this module, you will dive into working with Office 365 Video, OneDrive for Business, and Delve features that are included in Microsoft Office 365 and SharePoint Online.

Registration
To register, please contact your Microsoft Technical Account Manager directly or visit us on the web at Microsoft Premier Education, where you will find a complete overview of all open workshops and can register for them directly.

Reliable Time Monitor False Positives for AD Domain Member Monitoring


I recently worked with a customer on importing the new AD management pack for SCOM. I like this MP in particular, as it is much less noisy than the old AD management pack. That said, one thing I've seen in a few environments is a warning from the Reliable Time Server monitor saying it is unable to locate a time server. This week I had a chance to dig into this monitor, and there appears to be a flaw in the script data source behind it.

Why does it matter?

In short, it's an authentication thing. Protocols such as Kerberos rely on timestamps (by default Kerberos rejects requests whose clock skew exceeds five minutes), and for those to be valid all systems in the domain must be using a shared time source.

What is it doing?

The script is straightforward: it runs the following command:  nltest.exe /dsgetdc: /gtimeserv

Documentation for this command can be found here. Interestingly, there are two time-server switches. The /gtimeserv switch, which our script uses, looks for a master ("good") time server, which from what I can tell has to be designated explicitly. The /timeserv switch simply looks for a time server. I'm not an AD expert, but I can say that in a freshly built AD domain no master time server is designated from the start. An admin should probably designate one that syncs to an authoritative Internet source, but documentation on that process seemed rather light in my quick search. That said, the output from the two commands is the same:

[Screenshot: output of nltest.exe /dsgetdc: /gtimeserv, with the relevant flags circled]

It’s worth noting the circled items, as these appear to play a role in our script. The key line in the script is here:

[Screenshot: the line of the VBScript data source that filters the NLTEST output]

I don’t pretend to be a VB expert, but from my untrained eye, the script runs the NLTEST command and then does a filter against the string GTIMESERV. Note that this string does not appear anywhere in the NLTEST results. As such, this will generate an alert in almost any (if not every) environment. My guess would be that the preferred solution would be to designated an internet master time server in your environment, though that’s not always reasonable. In that case, the next best thing would be to modify the data source. I’ve recreated this data source with an override to the original monitor.

You can find that management pack here:
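To see for yourself which flag a domain controller advertises, the following added example (not from the original post) reproduces the monitor's check in PowerShell. The GTIMESERV flag is advertised only by a DC that has been marked reliable with `w32tm /config /reliable:yes`, which is how a master time server is designated; TIMESERV is advertised by any DC running the Windows Time service. The sample output below is constructed to resemble `nltest /dsgetdc:<domain> /timeserv` on a domain where no DC has been marked reliable; the domain name and peer list in the comments are assumptions.

```powershell
# Added example: parse the Flags line of nltest output for TIMESERV / GTIMESERV.
function Get-DcTimeFlags {
    param([string[]]$NltestOutput)
    # nltest prints one "Flags:" line listing the roles the DC advertises.
    $flagsLine = $NltestOutput | Where-Object { $_ -match '^\s*Flags:' } | Select-Object -First 1
    $dcLine    = $NltestOutput | Where-Object { $_ -match '^\s*DC:' }    | Select-Object -First 1
    [pscustomobject]@{
        DC               = ($dcLine -replace '^\s*DC:\s*', '')
        IsTimeServer     = [bool]($flagsLine -match '\bTIMESERV\b')    # \b keeps GTIMESERV from matching
        IsGoodTimeServer = [bool]($flagsLine -match '\bGTIMESERV\b')
        Flags            = $flagsLine
    }
}

# Constructed sample: no DC marked reliable, so TIMESERV is present and GTIMESERV is not.
$sample = @(
    '           DC: \\DC01.contoso.local',
    '      Address: \\10.0.0.10',
    '     Dom Guid: 11111111-2222-3333-4444-555555555555',
    '     Dom Name: contoso.local',
    '  Forest Name: contoso.local',
    ' Dc Site Name: Default-First-Site-Name',
    'Our Site Name: Default-First-Site-Name',
    '        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS',
    'The command completed successfully'
)
Get-DcTimeFlags -NltestOutput $sample

# Live check on a domain member (assumed domain name):
#   $live = nltest /dsgetdc:contoso.local /timeserv 2>&1
#   Get-DcTimeFlags -NltestOutput $live
#
# To designate the PDC emulator as the reliable (GTIMESERV) source, run on that DC:
#   w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
#   w32tm /resync
```

Note that `/gtimeserv` itself fails with "no such domain" when no DC advertises the flag, so a script that shells out to it needs to treat a non-zero exit code as "not designated", not as a transient error.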

For all integrators and resellers of Microsoft OEM products ...


Hello everyone.

Here is the Device Partner Edge, where everything happens. You can access a wealth of training content on the products, how to use them and how to deploy them. Sign up quickly; a surprise may be waiting for you...

 

See you all on the Device Partner Edge for more content... and in FRENCH.

http://dpedge.microsoft.com/Welcome.aspx

 

Digital classrooms are not a distraction. Here's why


Many people assume that devices and technology distract students and negatively affect the way teachers deliver their lessons. That is not the case when the implementation is done with purpose, using learning tools that support the existing infrastructure in the classroom.

In other words, technology does not replace the teacher, but enhances their teaching and administrative capabilities. One of the most effective solutions seen recently comes from Insync, a Microsoft Gold Partner. The company uses Microsoft technology to make learning more efficient and engage students in different ways:

Devices and mobility

Insync uses the wide range of Windows devices to support different subjects and learning styles, giving educators more effective ways to deliver their lessons. Device features such as touch-screen interactivity, digital ink, keyboard compatibility, and voice and video integration let students sketch and take notes, type essays, follow video lessons and much more.

To help get lessons ready, Microsoft also makes managing all the devices simple through Enterprise Mobility Suite, which provides secure, simple sign-on access to school services, applications and secure social networks. Windows 10 also helps students and staff organize their schoolwork, with easy ways to put apps in place, optimize screen space, group items and create virtual desktops.

In addition, students with special needs benefit even more from Insync's approach to the digital classroom. Learning is more accessible for students with disabilities thanks to speech recognition in Windows 10, while Skype provides real-time transcription for those with hearing impairments.

Learning solutions

Student interactions on team projects don't stop after class. They continue online through Office 365, which includes a range of cloud-based productivity tools that let students and staff update essays, documents and spreadsheets at home, at school or on the move.

And to help students excel in their projects or revision, schools can also register multiple third-party cloud applications in their Azure Active Directory, providing easy sign-on access to a portfolio of relevant online resources.

School administration

One of the biggest costs for schools is administration. Schools are always looking for ways to simplify registration, organize paperwork and improve course management. Staff don't have the time or space to deal with these things and also focus on student well-being.

With Microsoft Azure, schools can opt for pay-as-you-go access to infrastructure and platform services. This saves money by letting them scale resources up during busy periods such as enrollment and assessment, and down during periods of low demand.

In addition, personal devices can also be connected to mobile device management services, giving administration teams smarter reporting and more proactive security.

Security and infrastructure

And of course, Microsoft's built-in security options also give schools an impressive level of security and digital utility, avoiding the need to buy more expensive solutions. Through Microsoft's Enterprise Mobility Suite (EMS), students and staff can access IT services with self-service password reset, app and device installs, and group management.

EMS also manages device access (including for devices that are consistently outside the firewall) and multi-factor authentication capabilities. An integrated environment extends device management to small or remote schools and campuses.

Microsoft CityNext education solutions can even help schools operate more sustainably through the use of IoT sensors to control lighting, heating and air conditioning, in addition to smart cards for secure access.

Analítica e investigación en la educación

Antes de esto, las escuelas no podían buscar áreas de mejora para cada estudiante, lo que forzaba a los profesores a apoyarse en la retroalimentación directa o en sus propios instintos sobre qué tan efectivas resultaban sus lecciones. Sin embargo, con la analítica de datos, los profesores pueden dar seguimiento y evaluar diferentes criterios a través de cada calificación y resultado de sus estudiantes, para ayudarles a identificar y afrontar de mejor manera cualquier dificultad en el aprendizaje que pudieran surgir.

A un nivel de toda la escuela, Microsoft Power BI Brinda a las escuelas una visión en 360 grados del desempeño y las operaciones, mientras que las herramientas de reporteo de uso sencillo simplifican el acceso a datos visuales y mejoran las capacidades de compartir reportes con las personas interesadas.

Soluciones como las de Insync ayudan a las escuelas a realizar las lecciones, gestionar la administración y brindar responsabilidad como nunca. Para conocer cómo su escuela se puede beneficiar de las soluciones basadas en Microsoft para la educación, vean los recursos listados a continuación:

Descarguen el documento: 6 características de una Escuela Australiana Moderna

Descarguen el sumario: Educación en la nube

O pónganse en contacto con los expertos en educación de Insync al teléfono 1300 652 207 o al correo info@insynctechnology.com.au.

Nuestra misión en Microsoft es equipar e impulsar a los educadores a dar forma y asegurar el éxito de cada estudiante. Cualquier profesor puede unirse a nuestra comunidad y esfuerzos de Office 365 Education de manera gratuita, encontrar dispositivos Windows costeables y conectar con otros en Educator Community para entrenamiento gratuito y recursos para el aula. Síganos en Facebook y Twitter para las más recientes actualizaciones.

Setting up Windows Hello for Business with Intune


The purpose of this post is to help IT pros and architects understand Windows Hello for Business as it relates to Windows 10 modern management (with Intune). The deployment guide for Windows Hello for Business is very comprehensive so I'm not reproducing that – instead I want to strip out much of the complexity and choices available and focus on the pieces that matter to organisations aiming for Windows 10 Modern Management using the Microsoft Enterprise Mobility + Security (EMS) suite. This means I'm not even going to touch on the pure "On-Premises" deployment choices.

Choosing the right Windows Hello for Business deployment:

Summarizing a massive table of considerations and requirements (and hopefully not over-simplifying it) I'm going to boil it down to a few key points common to the majority of Intune customers I work with:

  • They use Intune to manage mobile devices (iOS and Android) and they enforce conditional access to Exchange online and SharePoint online. For that reason, they are already using Azure AD user identities AND device registration for domain-joined devices (aka hybrid Azure AD Join) as this is a requirement for conditional access -> Hybrid Azure AD
  • They are looking at or actively moving to Modern Windows 10 management, shifting away from heavy-handed IT SOE design and management, but still have traditional desktop managed Windows 10 machines (managed by GPO or SCCM Client) and want those devices to leverage Windows Hello for Business too -> Hybrid Azure AD
  • They are actively trying to reduce On-Prem server infrastructure, move away from an Active Directory Federation Services (ADFS) and Web Application Proxy (WAP) architecture and simplify deployment -> Key Trust

For those reasons I'll cover the Hybrid Key Trust deployment method. (There are reasons to choose Hybrid Certificate Trust too – I'll cover that setup in a future post.)

Overview of Configuration Steps:

Step 1: Configure Azure AD Connect - Password Hash Sync and Device Registration (AD Service connection point) + build a Server 2016 Domain Controller

Step 2: Configure a new KDC Certificate Template on your CA and issue a cert to your DC's (Optional)

Step 3: Configure Windows Hello client settings (through Intune for Modern managed devices and through GPO for the domain joined PCs)

Step 1: Configure Azure AD Connect - Password Hash Sync and Device Registration (AD Service connection point) + build a Server 2016 Domain Controller

The deployment guide calls out loads of requirements but in truth, there is not a lot to it, and most of these things will already be done if you've been using other Microsoft 365 scenarios like Conditional Access.

Start the Azure AD Connect setup wizard and configure the requirements needed for this scenario.

User Sign-in

Password Synchronisation OR Pass-Through Authentication must be enabled (as opposed to using ADFS).

SSO – Not strictly needed for Hello for Business but it enhances user experience when in the corporate network so I'm enabling it.

Turn on Device Registration

This is one of the most important steps because it creates a Service Connection Point (SCP) in the Active Directory forest that directs your Windows 10 devices to the right endpoint in Azure AD to perform a device registration (aka Hybrid Azure AD Join). If you ran the express installation of Azure AD Connect, this will already have been done and is not required as an extra step.

# Run on the Azure AD Connect server (elevated PowerShell). Installs the AD PowerShell module,
# loads the AdSyncPrep module shipped with Azure AD Connect, and creates the SCP in the forest.
# Replace [connector account] with the AD connector account Azure AD Connect uses (e.g. MSOL_...).
Add-WindowsFeature RSAT-AD-Tools
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount:[connector account]


Set extra permissions for Azure AD Connect Service Account

As an extra step specifically for Windows Hello for Business, the Azure AD Connect service account needs to be a member of the "Key Admins" AD security group. This gives the sync service account the right to read and write the msDS-KeyCredentialLink attribute on each user object, i.e. it allows the Windows Hello public key to be synchronised from Azure AD to AD.


Verify that it's configured correctly:

Use ADSI Edit on a domain controller to ensure a service connection point has been created.
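As an added example (not from the original post), the same checks can be scripted from any domain-joined machine with the AD PowerShell module (RSAT-AD-Tools): is the sync account in Key Admins, does the Device Registration SCP exist and which tenant does it point to, and is there at least one writable Windows Server 2016 DC. The sync account name is a placeholder you must replace; the SCP container name is the one Azure AD Connect creates, and the `azureADName:`/`azureADId:` keywords are the documented SCP keyword format.

```powershell
# Added verification helper for Step 1 (not part of the original post).
# Assumes the ActiveDirectory module is available and the caller can read the
# configuration partition. $SyncAccount is the sAMAccountName of the Azure AD
# Connect connector/service account (placeholder below).
Import-Module ActiveDirectory

function Test-WhfbAdPrereqs {
    param(
        [Parameter(Mandatory)] [string] $SyncAccount   # placeholder, e.g. 'MSOL_PLACEHOLDER'
    )
    $result = [ordered]@{}

    # 1. Sync account must be in Key Admins, otherwise msDS-KeyCredentialLink
    #    write-back from Azure AD to AD fails silently at sync time.
    $keyAdmins = Get-ADGroupMember -Identity 'Key Admins' -Recursive |
                 Select-Object -ExpandProperty SamAccountName
    $result.SyncAccountInKeyAdmins = ($keyAdmins -contains $SyncAccount)

    # 2. The device-registration SCP lives under the Services container of the
    #    configuration partition; its keywords name the tenant.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scpBase  = "CN=Device Registration Configuration,CN=Services,$configNC"
    $scp = $null
    try {
        $scp = Get-ADObject -SearchBase $scpBase -SearchScope OneLevel `
                            -Filter 'objectClass -eq "serviceConnectionPoint"' `
                            -Properties keywords -ErrorAction Stop
    } catch {
        # Container missing => Initialize-ADSyncDomainJoinedComputerSync never ran here
    }
    $result.ScpExists = [bool]$scp
    if ($scp) {
        $result.TenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
        $result.TenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    }

    # 3. Hello logons against AD need a writable Windows Server 2016 domain controller.
    $result.WritableServer2016DCs = @(Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -like '*2016*' -and -not $_.IsReadOnly }).Count

    [pscustomobject]$result
}

# Usage (replace the placeholder with your real connector account):
Test-WhfbAdPrereqs -SyncAccount 'MSOL_PLACEHOLDER'
```

If `ScpExists` is false but `TenantName` is what you expect in the Azure AD Connect wizard, the wizard's device-registration step was skipped and the three-line `Initialize-ADSyncDomainJoinedComputerSync` snippet above is the fix; a false `SyncAccountInKeyAdmins` shows up later as Hello keys that never arrive in `msDS-KeyCredentialLink`.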


Other Infrastructure Changes

Server 2016 - You need to build at least one Server 2016 Domain Controller to authenticate Windows Hello Logons

Step 2: Configure a new KDC Certificate Template on your CA and issue a cert to your DC's (Optional)

Certificate Authority Requirements

The CA is not for handing out certificates to devices, as we are doing "Key Trust" here. Its only purpose in this scenario is to configure a newer, better-performing Kerberos KDC template that your 2016 domain controllers can use to prove their identity to clients. In a lab environment you could skip this step if you didn't want to deploy a Public Key Infrastructure.

Configure a new Certificate template and get your 2016 DC's to use it (Copy the "Domain Controller Authentication" template and change these things)

Template Name: Domain Controller Authentication (Kerberos)

Compatibility: Windows Server 2016 (or 2012 or 2012 R2)

Subject Name: DNS

Cryptography: Key Storage Provider, Request hash SHA256

Superseded Templates: Domain Controller, Domain Controller Authentication

Now enable the auto-enrolment GPO setting and target it at your domain controllers:

Computer Configuration > Policies > Windows Settings > Security Settings > Certificate Services Client - Auto-Enrollment

After a GPUpdate, your Domain controllers will have a Certificate in the Computer store based on the new template which supersedes the old ones.
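To confirm the result on a domain controller without clicking through the certificate MMC, here is an added check (not from the original post) that lists any computer certificate issued from the new template and reports the properties the template changes: SHA-256 signature, DNS subject name, the KDC Authentication EKU, and the key storage provider. The template display name defaults to the one created in the text; the OIDs are the standard Microsoft template-information and PKINIT values, and the provider name is parsed from `certutil -store` output.

```powershell
# Added Step 2 verification (not part of the original post). Run elevated on a
# Windows Server 2016 DC after gpupdate. Assumes the template display name used
# in the text; change -TemplateName if you named it differently.
function Get-WhfbKdcCertificate {
    param([string] $TemplateName = 'Domain Controller Authentication (Kerberos)')

    $templateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
    $kdcAuthEkuOid   = '1.3.6.1.5.2.3.5'        # KDC Authentication (PKINIT)

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
        if (-not $tmplExt) { return }                       # not issued from a v2 template
        # Format() renders "Template=<display name>(<oid>) ..." so match on the name
        if ($tmplExt.Format($false) -notlike "*$TemplateName*") { return }

        $ekuExt  = $cert.Extensions |
                   Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

        # certutil prints a "Provider = ..." line for certs with a private key;
        # a Key Storage Provider (KSP) is what the template asks for, a legacy CSP is not.
        $providerLine = certutil -store My $cert.Thumbprint 2>$null | Select-String 'Provider\s*='
        $provider     = if ($providerLine) { ($providerLine.Line -split '=', 2)[1].Trim() } else { 'unknown' }

        [pscustomobject]@{
            Subject            = $cert.Subject
            DnsName            = $cert.GetNameInfo('DnsName', $false)
            NotAfter           = $cert.NotAfter
            Thumbprint         = $cert.Thumbprint
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # expect sha256RSA
            HasKdcAuthEku      = ($ekuOids -contains $kdcAuthEkuOid)
            HasPrivateKey      = $cert.HasPrivateKey
            KeyProvider        = $provider                              # expect '*Key Storage Provider'
        }
    }
}

# Usage: no output means no certificate from the template has been enrolled yet.
Get-WhfbKdcCertificate | Format-List
```

An empty result after `gpupdate /force` usually means the DC's computer account is not in the template's enroll/autoenroll ACL or the auto-enrolment policy did not apply; `HasKdcAuthEku` false or a CSP-based `KeyProvider` means the template was copied from the wrong source or the cryptography tab was left at the legacy provider.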

Step 3: Configure Windows Hello client settings (through Intune for Modern managed devices and through GPO for the domain joined PCs)

Modern Managed Devices

If you are managing devices that are Azure AD Joined + Intune enrolled, the configuration for Windows Hello for Business is on by default (Windows 10 1709), so you don't need to do anything.

If you want to configure or change the defaults, head to the Intune console and tweak the Hello for Business client configuration:

Domain Joined devices

If you want your domain joined devices to be able to use Windows Hello, you need to configure at least one group policy to get things started.

Computer Configuration > Administrative Templates > Windows Components > MDM > Auto MDM Enrolment with AAD Token

This GPO can be targeted at all Windows 10 1709 Devices and it will essentially perform two things: Trigger Azure AD Device Registration AND enrol the device into Intune so that Intune can deliver the Windows Hello for Business settings (from the screenshot above).

Option 2 - If you are not quite ready to have your devices managed by GPO and Intune at the same time, you can instead just enable Device Registration and Windows Hello for Business as separate Group Policy delivered settings.

Turn on Device Registration (aka Hybrid Azure AD Join)

Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration > Register domain joined computers as devices


Turn on Windows Hello for Business

Computer Configuration > Policies > Administrative Templates > Windows Components> Windows Hello for Business > Use Windows Hello for Business

Note: This setting is also available as a user targeted setting


The third option for registering devices into Azure AD and delivering the Hello for Business Settings would be through the Configuration Manager client – Using "Co-Management", you could orchestrate the Device registration and deliver the Hello for Business settings – which you could then gradually move across to being delivered from Intune rather than SCCM. I'm not going to cover co-management in this post (It's a very big topic) but I wanted to call it out as a viable option here as you slowly move devices from traditional to modern management.

Testing it out and Troubleshooting

Domain Joined PC

After you configure all the pre-reqs, there is a lot of work that gets orchestrated under the covers. Here is a quick flow diagram to show where and how you can troubleshoot or validate progress along the way.


Domain Joined PCs grab Computer policies during the boot process, so during the first boot after targeting the GPO for Automatic MDM enrolment, the machine should receive the group policy setting telling it to perform the Automatic Intune enrolment. A good test that this is working: once logged on, launch a command prompt as an administrator, run GPRESULT /User:domainname\username /Z and look for the AutoEnrollMDM setting.

At the first login, a scheduled task will be triggered that starts the Device Registration process. Check that the scheduled task has been initiated by launching Task Scheduler as an administrator, ensuring the Automatic-Device-Join task is enabled, and looking at its History to see if it has run successfully.

If Device registration worked, you should also see a Device Registration certificate installed in the Local Machine Personal store. Launch certlm.msc and look in Personal to check for certificates issued by MS-Organization-Access

Also, if you go to the Azure Active Directory portal and look at All Azure AD Devices you will see a device object created.

If the device registration doesn't work, you can open a command prompt or Powershell window (with standard user credentials) and run Dsregcmd /status or dsregcmd /status /debug to investigate.

(This screenshot is a successful Device registration)

Device registration status information is also provided in the Microsoft-Windows-User Device Registration event log.

A separate scheduled task exists to automatically enrol the device into Intune; it runs every 15 minutes. Check it to ensure it ran successfully.

Upon successful Intune enrolment, you will also see a new certificate deployed to the local machine personal store

… and an object in the Intune portal

Upon enrolment, the device will start pulling down settings and configuration from Intune – in this case, the Windows Hello for Business configuration settings. You will be able to see that the settings arrived by looking at the MDM Diagnostics report from Settings. (Note: the settings in this report still appear under the old name "PassportForWork".)

Another indicator that this is good to go is by running dsregcmd /status again.

In this example PolicyEnabled means that Intune delivered the settings, but DeviceEligible = No because my machine didn't have a TPM and I configured this as a requirement in the Windows Hello for Business policy. To fix, I had to enable virtual TPM on my Hyper-V VM.
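Reading the `dsregcmd /status` output by eye works for one machine; for a pilot ring it helps to parse it. The following is an added example (not from the original post) that turns the `Key : Value` lines into a hashtable and evaluates the fields that matter for Hybrid Key Trust: device and domain join state, the PRT, and the Ngc prerequisite fields PolicyEnabled and DeviceEligible mentioned above. When run on a Windows 10 client it calls `dsregcmd` directly; elsewhere it falls back to a constructed sample (not a real capture) that mirrors the no-TPM situation described in the text.

```powershell
# Added troubleshooting helper (not part of the original post).
# Parses "dsregcmd /status" output; field names below are the ones dsregcmd prints.
function ConvertFrom-DsregcmdStatus {
    param([string[]] $Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "      Key : Value"; section banners (+---/| ...) are skipped
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Test-WhfbClientState {
    param([hashtable] $State)
    [pscustomobject]([ordered]@{
        AzureAdJoined  = ($State['AzureAdJoined']  -eq 'YES')   # device registered in Azure AD
        DomainJoined   = ($State['DomainJoined']   -eq 'YES')   # hybrid = both of these YES
        PrtPresent     = ($State['AzureAdPrt']     -eq 'YES')   # user obtained a PRT at logon
        PolicyEnabled  = ($State['PolicyEnabled']  -eq 'YES')   # Intune/GPO delivered the WHfB policy
        DeviceEligible = ($State['DeviceEligible'] -eq 'YES')   # e.g. TPM present when policy requires it
        NgcSet         = ($State['NgcSet']         -eq 'YES')   # user already provisioned a Hello key
        PreReqResult   = $State['PreReqResult']                 # WillProvision / WillNotProvision
    })
}

# Constructed sample in the shape dsregcmd /status prints (NOT a real capture):
# policy delivered, but the VM has no TPM so the device is not eligible.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
            IsDeviceJoined : YES
            IsUserAzureAD  : YES
             PolicyEnabled : YES
          PostLogonEnabled : YES
            DeviceEligible : NO
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillNotProvision
'@ -split "`r?`n"

# Use the live command when available (run as the standard user, not elevated),
# otherwise fall back to the constructed sample.
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { & dsregcmd /status } else { $sample }
$state = ConvertFrom-DsregcmdStatus -Lines $lines
Test-WhfbClientState -State $state
```

With the sample, `PolicyEnabled` is true and `DeviceEligible` is false, which is exactly the "Intune delivered the policy but the machine can't meet it" case above; on a real hybrid device all of the first five should be true before the user is ever prompted to set up a PIN.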

After the MDM Settings are delivered via Intune, the user will be prompted to configure Hello at the next user logon. A visual check during the logon will tell you that Windows Hello for Business is working at this point.

After a strong (Private-Public) key-pair has been generated on the Device, the private key will be secured on the device (backed by TPM) and the Public key will be written into Azure AD.

In order for users to authenticate against a domain controller when they are inside their corporate network, Sync must occur. The Public Key from Azure AD will be written into the Users object in AD using the msDS-KeyCredentialLink attribute. The default sync interval for AAD Connect is 30 minutes.

You can visually check that this has occurred using a tool like LDP. In this screenshot the user "Scott" has multiple Windows 10 devices enrolled with Windows Hello for business and therefore multiple entries.

The next time the user wants to logon, they can use their Windows Hello for Business pin or biometrics to sign-in and authenticate against a Windows Server 2016 domain controller.

If sync back to on-prem has not occurred yet, the user may get an error "That option is temporarily unavailable. For now, please use a different method to sign in" if they are inside the corporate network.
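The LDP check above can be scripted from a DC or an RSAT box, which is useful when a user reports the "temporarily unavailable" error. The following is an added example (not from the original post) that reads `msDS-KeyCredentialLink` for a user, breaks each DN-with-binary entry into its parts so you can see one entry per enrolled device, and points at the usual causes when the attribute is still empty. The user name is a placeholder; `Start-ADSyncSyncCycle` in the remediation text is the ADSync module cmdlet that exists only on the Azure AD Connect server.

```powershell
# Added sync-verification helper (not part of the original post).
# Assumes the ActiveDirectory module and read access to the user object.
Import-Module ActiveDirectory

function Get-WhfbKeyCredentialStatus {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $user  = Get-ADUser -Identity $SamAccountName -Properties 'msDS-KeyCredentialLink'
    $links = @($user.'msDS-KeyCredentialLink')

    # Each value is DN-with-binary syntax: "B:<hex char count>:<hex key credential blob>:<owner DN>".
    # One value per device on which this user has provisioned a Hello key.
    $keys = @(foreach ($link in $links) {
        if ($link -match '^B:(\d+):([0-9A-Fa-f]+):(.+)$') {
            [pscustomobject]@{
                HexLength = [int]$Matches[1]
                BlobBytes = $Matches[2].Length / 2
                OwnerDn   = $Matches[3]
            }
        }
    })

    $remediation = if ($keys.Count -eq 0) {
        # Empty attribute = the "That option is temporarily unavailable" error inside the corporate
        # network. Most often it is just sync lag (default Azure AD Connect interval: 30 minutes).
        'No key written back yet. Wait for the next sync cycle, or run ' +
        '"Start-ADSyncSyncCycle -PolicyType Delta" on the Azure AD Connect server; ' +
        'if it stays empty, confirm the sync account is a member of Key Admins.'
    } else { 'OK' }

    [pscustomobject]@{
        User        = $user.DistinguishedName
        KeyCount    = $keys.Count
        Keys        = $keys
        Remediation = $remediation
    }
}

# Usage (placeholder account name):
Get-WhfbKeyCredentialStatus -SamAccountName 'scott.placeholder' | Format-List
```

A `KeyCount` of 2 for a user who enrolled two Windows 10 devices matches the multiple entries in the LDP screenshot described above; a count that never rises after a new device enrols, while Azure AD shows the device, is the signature of a missing Key Admins membership rather than a client problem.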


Modern Managed Windows 10 Device

The flow is much simpler for Azure AD joined devices. Device registration is not required and there is no Group Policy involved:

Device is Azure AD Joined (Either user driven or Auto-pilot driven during OOBE)

At the end of the Azure AD Join, the user will be prompted to set up a Windows Hello for Business PIN. This is the default configuration for a non-domain joined Windows 10 device. After a strong (private-public) key pair has been generated on the device, the private key will be secured on the device (backed by TPM) and the public key will be written into Azure AD.

On the next logon, the user will be able to log on with their "Hello" credentials. This unlocks access to the private key.

The device authenticates against Azure AD. (Note – the private key is never sent on the wire. The client instead sends a "nonce" to Azure AD, which replies with a message encrypted with the public key.) After authentication, the device obtains an Azure AD PRT.

Summary:

This post was way longer than I expected it to be! I tried my hardest to take the complexity out of the setup and configuration, yet also add enough detail for you to set up and test the feature while also understanding the nuts and bolts that make it work across both AD and Azure AD, GPO and MDM.

Let me know how you go – Next up I want to cover Windows Hello for Business - Hybrid Certificate Trust deployment.

Oh, and if you want to go deeper on this stuff, I'd recommend reading some of Jairo Cadena's posts:

https://jairocadena.com/2016/01/18/how-domain-join-is-different-in-windows-10-with-azure-ad/

https://jairocadena.com/2016/03/09/azure-ad-and-microsoft-passport-for-work-in-windows-10/

https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/
