Tony, it turns out, authored a book a few years back which offered a slightly different-than-the-norm spin on productivity and how to deal with some of the difficulties of the modern workplace. It’s from this tome that he picked some great tips in handling your inbox – perhaps leading to the ability to clear it completely and leave “inbox zero”.
The Eleven Rules of Email
See Tony’s article here, and The Leopard in the Pinstripe Suit, here.
Tip o’ the Week 410 – Inbox Zero for New Year?
Tip o’ the Week 411 – Rip it up and start again
Even though we increasingly stream films from online services rather than watch them on DVD or Blu-ray discs, there is complexity in the licensing (where movies come in and out of various windows of availability on streaming services), so if you decide you want to watch a particular flick at any given time, there’s a chance it might not be available, or may only be offered for sale rather than for rental. As many of us have a stash of old DVDs and Blu-rays, it can be worth looking at how to turn those media into digital files that can be copied to mobile devices and streamed across the home network – it is worth noting that it’s probably illegal to rip music or movies from discs (at one point, the UK allowed it, but a somewhat vexatious challenge prevailed and it once again became illegal), but if you have the original media and are backing up and converting for your own pleasure rather than for onward redistribution, then nobody’s going to come after you. If you want to veg out over the festive season and take comfort in old movies from your possibly-forgotten collection, then start turning them into digital files now, so you can avoid Mrs Brown’s Boys.
Tip o’ the Week 412 – I Stream a Stream
No, this stream is about Microsoft Stream, a video service first unveiled about 18 months ago, launched last Summer and expanded in its reach to Australia, India and the UK, in October. Expect to hear more about Stream in the coming months, if ChrisCap’s appearance on Windows Weekly is any sign. In a nutshell, you could describe Stream as a corporate video sharing service – think of it like an internal YouTube/Vimeo type service that organisations could use to securely publish internal videos (like training, exec message broadcasts etc) without exposing it to the wider world.
There are lots of other enhancements besides just sharing video, that are built onto the Stream service – such as auto-captioning or speaker identification, which use elements of Azure cognitive services to parse the video and identify various components within. If you’re interested in this kind of thing, check out the Azure Video Indexer preview – it’s amazing. Try it out, then show it to your friends, family, customers, partners… and make sure they know about Stream, too – they may already be licensed to use it. Stream is a companion service to Office365 – see more on https://stream.microsoft.com/ and for pricing details specifically, see here.
New and Improved Partner Training from Microsoft
Partner Training, our new central hub for readiness, is now live. Replacing Partner UpSkill, the new and improved site has been designed to help you easily navigate and browse our training courses and events, whether in-person, online or on-demand.
We've added new functionality, such as the ability to filter by practice, expertise level and location. You can also search based on audience, whether that's sales or technical, helping you to easily locate the learning resources tailored to your needs.
Visit Partner Training today to see the courses and events available to help you grow your knowledge and reach your business goals.
Introducing the “Default to Cloud” feature for SharePoint hybrid scenarios
Summary
Is your SharePoint farm in, or soon to be in, a hybrid state? If so, you may be considering moving your users' on-prem My Site to OneDrive in the cloud. After enabling Office 365 features via Central Admin and running the "Hybrid Picker" (SharePoint Hybrid Configuration Wizard), users will be in a hybrid state and will have access to both on-prem and cloud services.
For example, if a user clicks "Newsfeed" from within the on-prem team site, they would be redirected to their on-prem My Site. This can make things a bit confusing for customers and difficult to support for administrators.
How does "Default to Cloud" work?
With "Default to Cloud" enabled, users are less likely to access the on-prem content from within their mysite, as all requests to the on-prem mysite will automatically be redirected to the cloud based OneDrive, as defined in Central Admin.
Example from Fiddler, when accessing "Newsfeed":
| # | Result | Protocol | Host | URL |
|---|--------|----------|------|-----|
| 2 | 302 | HTTP | michlee-sp2013 | /my/default.aspx |
| 4 | 302 | HTTPS | area33-my.sharepoint.com | /_layouts/15/MySite.aspx?MySiteRedirect=OneDriveDefaultToCloud&Source=SP |
| 5 | 200 | HTTPS | area33-my.sharepoint.com | /personal/mike_officeonline_support/_layouts/15/onedrive.aspx |
Example from Fiddler when accessing "Documents" from "viewlsts.aspx":
| # | Result | Protocol | Host | URL |
|---|--------|----------|------|-----|
| 91 | 200 | HTTP | michlee-sp2013 | /my/personal/mike/_layouts/15/viewlsts.aspx |
| 92 | 302 | HTTP | michlee-sp2013 | /my/personal/mike/Documents/Forms/All.aspx |
| 94 | 302 | HTTPS | area33-my.sharepoint.com | /_layouts/15/MySite.aspx?MySiteRedirect=OneDriveDefaultToCloud&Source=SP |
| 95 | 200 | HTTPS | area33-my.sharepoint.com | /personal/mike_officeonline_support/_layouts/15/onedrive.aspx |
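The two Fiddler traces above are the observable signature of "Default to Cloud": the first on-prem hop answers 302 and the Location points at the cloud My Site host with `MySiteRedirect=OneDriveDefaultToCloud`. The following script is an added example (not part of the original post) that reproduces that check from PowerShell so an administrator can confirm the feature is active after patching and re-running the Hybrid Picker; it assumes the on-prem host name and cloud My Site host shown in the traces, which you should replace with your own farm and tenant values.

```powershell
# Added example, not from the original post: reproduce the Fiddler trace above from
# PowerShell and confirm that the on-prem My Site hands the user off to the cloud OneDrive
# with the OneDriveDefaultToCloud marker. The two values below are taken from the trace
# in the post and are assumptions; replace them with your own farm and tenant values.
$onPremMySiteUrl = 'http://michlee-sp2013/my/default.aspx'   # on-prem Newsfeed / My Site entry point
$cloudMySiteHost = 'area33-my.sharepoint.com'                # host of the My Site URL set in Central Admin

function Test-DefaultToCloudRedirect {
    param([string]$Url, [string]$ExpectedCloudHost, [int]$MaxHops = 5)
    $hops = @()
    for ($i = 0; $i -lt $MaxHops; $i++) {
        $request = [System.Net.HttpWebRequest]::Create($Url)
        $request.AllowAutoRedirect = $false      # inspect each 302 ourselves, as Fiddler shows them
        $request.UseDefaultCredentials = $true   # Windows authentication against the on-prem farm
        try { $response = $request.GetResponse() }
        catch [System.Net.WebException] { $response = $_.Exception.Response }
        if ($null -eq $response) { throw "No HTTP response from $Url" }

        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
        $response.Close()
        $hops += [pscustomobject]@{ Hop = $i + 1; Status = $status; Url = $Url; Location = $location }

        # Anything other than a redirect means the farm served the page locally
        if ($status -ne 302 -or -not $location) { break }

        # Resolve relative Location headers against the URL that was just requested
        $next = New-Object -TypeName System.Uri -ArgumentList ([System.Uri]$Url), $location
        if ($next.Host -eq $ExpectedCloudHost) {
            # Stop here: the cloud side requires an Office 365 sign-in, which this check does not perform
            return [pscustomobject]@{
                DefaultToCloudActive = ($next.Query -match 'MySiteRedirect=OneDriveDefaultToCloud')
                CloudUrl             = $next.AbsoluteUri
                Hops                 = $hops
            }
        }
        $Url = $next.AbsoluteUri
    }
    # Ran out of hops, or the farm never redirected off-premises
    [pscustomobject]@{ DefaultToCloudActive = $false; CloudUrl = $null; Hops = $hops }
}

Test-DefaultToCloudRedirect -Url $onPremMySiteUrl -ExpectedCloudHost $cloudMySiteHost | Format-List
```

`DefaultToCloudActive` is `$false` both when the feature is disabled (the on-prem site answers 200) and when the farm redirects somewhere other than the configured My Site host; the `Hops` list shows which of the two happened.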
How did it work before the update?
Before the new feature was installed, even after enabling "OneDrive and Sites" in the "Configure hybrid OneDrive and Sites features" settings via Central Admin, users would still be able to access their local "Site Contents" (viewlsts.aspx) and "Documents" (OneDrive) via the "Newsfeed" link, or by using direct links to their on-prem My Site.
Where is the Office 365 My Site URL specified?
You specify the cloud-based My Site URL from "Central Admin > Office 365 > Configure hybrid OneDrive and Sites features".
Example:
Options:
- My Site URL: This will be the "My Site URL" that is defined in SharePoint Admin via Office 365.
- Audience: Who should this policy apply to, "Everyone" or a particular audience?
- OneDrive and Sites: Will re-direct users when clicking both OneDrive and Newsfeed to the cloud-based OneDrive site.
- OneDrive Only: Will only redirect users to the OneDrive cloud site when clicking the OneDrive link. Clicking the Newsfeed link will still allow users to access the OnPrem Newsfeed site.
- None: Disables all cloud redirects
See it in Action
What do users see when the feature is enabled or disabled?
When the feature is enabled:
After the feature is enabled, accessing "OneDrive" or "Newsfeed" will redirect the users to the cloud-based OneDrive location.
Example:
After a user clicks "Newsfeed", they will be re-directed to their personal OneDrive site in the cloud.
When the feature is disabled:
If the feature is disabled, users will be redirected to the local site for Newsfeeds and OneDrive.
Example:
After the user clicks "Newsfeed", they are redirected to the on-prem Newsfeed.
How to enable the feature:
SharePoint 2013:
1. To enable this feature, install the October 2017 CU or higher
https://support.microsoft.com/en-us/help/4011177/october-10-2017-cumulative-update-for-sharepoint-enterprise-server
https://support.microsoft.com/en-us/help/4011173/october-10-2017-cumulative-update-for-sharepoint-foundation-2013
Note: The KB article that details the change is KB4011180.
Recommendation:
Although the fix for this feature was released in October 2017, it is highly recommended to install the December 2017 PU, which included cloud hybrid search capability in SharePoint Server 2013.
December 12, 2017, cumulative update for SharePoint Server 2013 (KB4011593)
https://support.microsoft.com/en-us/help/4011593/december-12-2017-cumulative-update-sharepoint-server-2013-kb4011593
December 12, 2017, cumulative update for SharePoint Foundation 2013 (KB4011588)
https://support.microsoft.com/en-us/help/4011588/december-12-2017-cumulative-update-for-sharepoint-foundation-2013-kb40
2. Select the desired option from "Configure hybrid OneDrive and Sites features" in Central Admin.
"Central Admin > Office 365 > Configure hybrid OneDrive and Sites features"
3. Re-run the SharePoint Hybrid picker
You can find the Hybrid Picker from the SharePoint Admin Center in your Office 365 Portal.
Example:
https://tenant_name-admin.sharepoint.com/_layouts/15/online/SharePointHybridSettings.aspx
SharePoint 2016:
Coming soon
Important Note:
The "Default to Cloud" features are activated by the "hybrid configuration wizard" after the appropriate patch is installed. If you later disable the settings via Central Admin, then re-enabled, you will need to re-run the "hybrid configuration wizard" to fully enable the feature.
CoInitializeSecurity fails after the January 2018 updates are applied
We have confirmed an issue in which calls to CoInitializeSecurity fail after the January 2018 updates are applied.
Given the impact on users, the purpose of this blog post is to share timely information about the status of the fix for this issue.
The content will therefore be updated as the situation develops; we ask for your understanding.
Cause
The January 2018 updates contain the following known issue. As a result, calls to CoInitializeSecurity fail, and we have received reports that some applications cannot start.
When CoInitializeSecurity is called with RPC_C_AUTHN_LEVEL_NONE as the authentication level, the call may fail.
The error returned on failure is STATUS_BAD_IMPERSONATION_LEVEL.
Workaround
This problem can be avoided by temporarily uninstalling the updates listed in the next section, "Affected updates".
At present there is no way to avoid the issue other than uninstalling the update.
If you want to stop automatic updates so that the update is not applied, the following blog post describes how to disable updates.
Automatic Windows Update can be stopped on Windows 10 / Windows Server 2016 as well
https://blogs.technet.microsoft.com/jpwsus/2017/09/08/wecanstop-wu/
Affected updates
January 4, 2018 KB4056892 (OS Build 16299.192)
Applies to: Windows 10 version 1709
https://support.microsoft.com/ja-jp/help/4056892/
January 4, 2018 KB4056891 (OS Build 15063.850)
Applies to: Windows 10 Version 1703
https://support.microsoft.com/ja-jp/help/4056891/
January 4, 2018 KB4056890 (OS Build 14393.2007)
Applies to: Windows 10 Version 1607, Windows Server 2016, Windows 10 Mobile, released in August 2016
https://support.microsoft.com/ja-jp/help/4056890/
January 4, 2018 KB4056888 (OS Build 10586.1356)
Applies to: Windows 10 Version 1511
https://support.microsoft.com/ja-jp/help/4056888/
January 4, 2018 KB4056893 (OS Build 10240.17738)
Applies to: Windows 10 Enterprise released in July 2015
https://support.microsoft.com/ja-jp/help/4056893/
January 8, 2018 KB4056895 (Monthly Rollup)
Applies to: Windows 8.1, Windows Server 2012 R2 Standard
https://support.microsoft.com/ja-jp/help/4056895/
January 4, 2018 KB4056898 (Security-only update)
Applies to: Windows 8.1, Windows Server 2012 R2 Standard
https://support.microsoft.com/ja-jp/help/4056898/
January 5, 2018 KB4056896 (Monthly Rollup)
Applies to: Windows Server 2012 Standard
https://support.microsoft.com/ja-jp/help/4056896/
January 4, 2018 KB4056899 (Security-only update)
Applies to: Windows Server 2012 Standard
https://support.microsoft.com/ja-jp/help/4056899/
About the CPU vulnerabilities (Meltdown/Spectre)
We are currently receiving many inquiries related to the CPU vulnerabilities (Meltdown/Spectre).
We have compiled the questions we receive most often, together with the publicly available information. This page will continue to be updated.
Please also refer to the following public information on this matter.
- ADV180002 Guidance to mitigate speculative execution side-channel vulnerabilities
- Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
- Windows Server guidance to protect against speculative execution side-channel vulnerabilities
- Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems
- Important Windows security updates released January 3, 2018, and antivirus software
- Windows operating system security update block for some AMD based devices
- Protecting guest virtual machines from CVE-2017-5715 (branch target injection)
FAQ
[Update detection]
Q. What is the QualityCompat registry key used for?
A. There is a compatibility issue that occurs when antivirus applications make unsupported calls into Windows kernel memory. Such calls can result in a STOP error (also known as a blue screen), which can leave the device unable to boot.
To prevent problems caused by such incompatible antivirus applications, the security updates released on January 3, 2018 use the following registry value as a detection condition: if this registry value is not set, the updates are not detected by Windows Update or WSUS.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
Name: cadca5fe-87d3-4b96-b7fb-a231484277cc
Type: REG_DWORD
Value: 0x00000000
Note that this setting exists only so that this month's updates, which include the mitigations for the CPU vulnerabilities, can be detected via Windows Update and WSUS; the setting itself has no direct relationship to the CPU vulnerabilities.
Q. I am applying the update manually. Do I need to set QualityCompat?
A. If you run the .msu file directly, the update is installed regardless of this registry setting. Before applying the update, check with your antivirus vendor that your antivirus application is compatible.
[Applying the updates]
Q. Prerequisites for applying the patch
A. Windows 7 and Windows Server 2008 R2 require Service Pack 1.
Windows 8.1, Windows Server 2012 R2 and Windows Server 2012 R2 Storage Server require KB2919355.
KB2919355 in turn requires KB2919442, so if it has not been applied, install KB2919442 first.
Windows 10 and Windows Server 2016 have no prerequisites.
Q. What measures should be taken for Windows Server 2008 and Windows Server 2012?
A. As of 11:00 on January 10, security patches for Windows Server 2008 and Windows Server 2012 are still under consideration for release.
The following is quoted from the public information; we will provide an update as soon as there is news on the release.
Windows Server guidance to protect against speculative execution side-channel vulnerabilities
----- Excerpt -----
Q3: Why are updates not available for the Windows Server 2008 and Windows Server 2012 platforms? When will a fix be available?
A3: Addressing a hardware vulnerability with a software update presents significant challenges, and providing mitigations for older operating systems requires extensive architectural changes. Microsoft is continuing to work with the affected chip manufacturers and is investigating the best way to provide mitigations.
----- Excerpt -----
[Enabling the mitigations]
Q. For client operating systems, does applying the patch alone enable the mitigations?
A. Yes, applying the patch alone enables the mitigations.
Q. For server operating systems, does applying the patch alone enable the mitigations?
A. No. The mitigations are not enabled unless the FeatureSettingsOverride and FeatureSettingsOverrideMask registry values are enabled.
Q. Is there any point in changing the FeatureSettingsOverride and FeatureSettingsOverrideMask registry values without applying the update?
A. If you do not apply the update, there is no need to configure the registry values above.
Q. Does it matter whether the update is applied first or the registry values (FeatureSettingsOverride and FeatureSettingsOverrideMask) are changed first?
A. No, either order is fine.
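The following audit script is an added example, not part of the original FAQ. It reads the QualityCompat value described in the detection section, the FeatureSettingsOverride / FeatureSettingsOverrideMask values described just above, and which of the January 2018 KBs listed in the CoInitializeSecurity post are installed, then reports whether the update would be offered and whether the server-side switches are set. The registry location of the two server values and the "enable" values (Override = 0, Mask = 3) are assumptions taken from Microsoft's Windows Server guidance linked above, not from this FAQ.

```powershell
# Added example, not from the original FAQ: audit the registry settings the FAQ describes.
# Run in an elevated PowerShell session on the machine being checked.
# Assumptions (not stated in the FAQ): the FeatureSettingsOverride / Mask location and the
# "enable" values (Override = 0, Mask = 3) follow Microsoft's Windows Server guidance linked
# above; the KB list is the January 2018 list from the CoInitializeSecurity post above.

$qualityCompatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qualityCompatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$memoryMgmtKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$january2018Kbs    = 'KB4056892', 'KB4056891', 'KB4056890', 'KB4056888', 'KB4056893',
                     'KB4056895', 'KB4056898', 'KB4056896', 'KB4056899'

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SpeculationPatchReadiness {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isServer  = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
    $qc        = Get-RegistryValueOrNull -Path $qualityCompatKey -Name $qualityCompatName
    $override  = Get-RegistryValueOrNull -Path $memoryMgmtKey -Name 'FeatureSettingsOverride'
    $mask      = Get-RegistryValueOrNull -Path $memoryMgmtKey -Name 'FeatureSettingsOverrideMask'
    $installed = @(Get-HotFix | Where-Object { $january2018Kbs -contains $_.HotFixID } | ForEach-Object HotFixID)

    [pscustomobject]@{
        IsServer                    = $isServer
        # Windows Update / WSUS only detect the January 2018 update when this DWORD exists and is 0
        QualityCompatPresent        = ($null -ne $qc)
        OfferedByWindowsUpdate      = ($qc -eq 0)
        January2018KbsInstalled     = $installed
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        # Clients: the patch alone enables the mitigations. Servers: patch plus Override = 0 / Mask = 3
        MitigationsExpectedActive   = ($installed.Count -gt 0) -and
                                      ((-not $isServer) -or (($override -eq 0) -and ($mask -eq 3)))
    }
}

Get-SpeculationPatchReadiness | Format-List
```

A `$false` in `OfferedByWindowsUpdate` on a machine whose antivirus vendor has confirmed compatibility usually means the vendor's installer has not set the QualityCompat value yet; the FAQ's manual .msu route bypasses that gate, so `January2018KbsInstalled` is the field that actually tells you whether the update is on the box.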
Q. How should Hyper-V hosts and guests be handled?
A. For measures for Hyper-V environments, see the following.
- Public documentation
Protecting guest virtual machines from CVE-2017-5715 (branch target injection)
https://docs.microsoft.com/ja-jp/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
[Impact on systems]
Q. Will performance decrease after the fix is applied?
A. Depending on your environment, a performance decrease may occur, but on most consumer devices the impact is negligible. The specific impact varies by hardware generation and by the chip manufacturer's implementation. We recommend evaluating the performance impact in your actual environment and adjusting as needed.
[Cross-Post] A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017
For enterprises that are not yet working on their Windows 10 upgrade, something to note.
A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/10/a-worthy-upgrade-next-gen-security-on-windows-10-proves-resilient-against-ransomware-outbreaks-in-2017/
Yong
[Cross-Post] How to disrupt attacks caused by social engineering
Milad Aslaner (PM for Devices and Mobility) posted:
How to disrupt attacks caused by social engineering
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/10/how-to-disrupt-attacks-caused-by-social-engineering/
Updates for Surface Devices (09 January 2018)
Over the next few days, we are releasing updates for several Surface devices, including:
- Surface Book 2
- Surface Laptop
- Surface Studio
- Surface Book
- Surface Pro 4
- Surface Pro 3 (Preview)
These updates include updated Surface UEFI firmware for each listed device to address potential security vulnerabilities, including Microsoft security advisory 180002. For more information about this advisory and how it affects Surface devices, see Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability.
For Surface Book, these updates also include drivers for Intel(R) Display Audio, Intel(R) HD Graphics 520, Intel(R) Management Engine Interface, Surface dTPM (IFX), Surface Management Engine, and Surface System Aggregator. These updates improve reliability, audio stability, DirectX 12 and power performance, and system stability; and resolve potential security vulnerabilities, including Microsoft security advisory 170012.
For Surface Book 2, the updates are available in MSI format from the Surface Book 2 Drivers and Firmware Page in the Microsoft Download Center. Click Download to download the following files:
- SurfaceBook2_Win10_15063_1801009_1.msi
- SurfaceBook2_Win10_16299_1801009_0.msi
For Surface Laptop, the updates are available in MSI format from the Surface Laptop Drivers and Firmware Page in the Microsoft Download Center. Click Download to download the following files:
- SurfaceLaptop_Win10_15063_1801008_1.msi
For Surface Studio, the updates are available in MSI format from the Surface Studio Drivers and Firmware Page in the Microsoft Download Center. Click Download to download the following files:
- SurfaceStudio_Win10_15063_1801006_4.msi
- SurfaceStudio_Win10_16299_1801006_0.msi
For Surface Book, the updates are available in MSI format from the Surface Book Drivers and Firmware Page in the Microsoft Download Center. Click Download to download the following files:
- SurfaceBook_Win10_15063_1801000_2.msi
- SurfaceBook_Win10_16299_1801000_0.msi
Note: These updates to TPM firmware require the device to restart twice to complete installation.
Important!
Installation of a TPM firmware update on devices in one of the following unrecommended conditions may cause devices to enter a condition in which devices boot to BitLocker Recovery, but cannot boot to Windows even when the correct recovery key is entered:
If your device meets one of these conditions, you will have to suspend BitLocker before you install this update. We strongly recommend that devices in these conditions are returned to the default, recommended configuration to have Secure Boot enabled, and validation using PCR 7 and 11. Configuration of Secure Boot or BitLocker PCR values other than default are not recommended on Surface devices. For more information about how to correct these conditions or what to do if your device enters a BitLocker Recovery state after you install these updates and can no longer boot to Windows even when you enter the correct recovery key, see KB4052978.
For Surface Pro 4, the updates are available in MSI format from the Surface Pro 4 Drivers and Firmware Page in the Microsoft Download Center. Click Download to download the following files:
- SurfacePro4_Win10_15063_1801001_4.msi
- SurfacePro4_Win10_16299_1801001_0.msi
For Surface Pro 3, we're releasing this driver as a preview while we work on validating the final release for Windows Update. The update file is available in MSI format from the Surface Pro 3 Drivers and Firmware Page in the Microsoft Download Center. Click Download to download the following files:
- SurfacePro3_Win10_15063_1801002_1_Preview.msi
You can identify which file to download for your device by the build number located in the file name. This build number represents the minimum build of Windows required to install the drivers and firmware within that file. For example, the file SurfaceBook2_Win10_16299_1801009_0.msi has a minimum build of 16299, in other words, Windows 10 Version 1709 (Fall Creators Update). You can find a full list of the build numbers for each Windows 10 version at the Windows 10 release information page.
Surface Book 2:
- Surface UEFI (v388.1932.769.0) resolves security vulnerabilities, including Microsoft security advisory 180002.
Surface Laptop:
- Surface UEFI (v136.1932.789.0) resolves potential security vulnerabilities, including Microsoft security advisory 180002.
Surface Studio:
- Surface UEFI (v118.1925.769.0) resolves potential security vulnerabilities, including Microsoft security advisory 180002.
Surface Book:
- Intel(R) Display Audio (v10.22.1.102) improves audio stability.
- Intel(R) HD Graphics 520 (v22.20.16.4811) improves DirectX 12 and power performance.
- Intel(R) Management Engine Interface (v11.7.0.1040) improves system stability.
- Surface dTPM (IFX) (v5.62.3126.2) improves reliability and resolves potential security vulnerabilities, including Microsoft security advisory 170012.
- Surface Management Engine (v11.7.4.3330) improves reliability and resolves potential security vulnerabilities, including Microsoft security advisory 170012.
- Surface System Aggregator (v90.1837.256.0) improves reliability and resolves potential security vulnerabilities, including Microsoft security advisory 170012.
- Surface UEFI (v91.1926.768.0) improves reliability and resolves potential security vulnerabilities, including Microsoft security advisories 170012 & 180002.
Surface Pro 4:
- Surface UEFI (v108.1926.769.0) resolves potential security vulnerabilities, including Microsoft security advisory 180002.
Surface Pro 3:
- Surface UEFI (v3.11.2250.0) resolves potential security vulnerabilities, including Microsoft security advisory 180002.
January 2018 Office 365 Update video, resources and transcript now available
As always, you can find the link to all the videos on YouTube at http://aka.ms/o365update-youtube. The transcript, including links to additional information on everything we cover, can be accessed by clicking on the following link: Office-365-Update-January-2018-Transcript.
Microsoft Intune Device Categories
In this blog post, I am going to cover how to use Device Categories in Microsoft Intune. Device Categories can help with managing devices using Microsoft Intune and Azure Active Directory. This post will build upon my last two blog posts on Dynamic Groups - https://blogs.technet.microsoft.com/pauljones/2017/08/28/dynamic-group-membership-in-azure-active-directory-part-1/
I will document (with screen shots) the following steps:
- Create Categories in Microsoft Intune
- Create Dynamic Groups based on the Categories
- Deploy Policies and Apps to Dynamic Groups
Create Categories in Microsoft Intune Console (Azure Portal)
The first step is to create Categories in the Intune Console (Azure Portal).
Launch Azure Portal - https://portal.azure.com and navigate to the Intune Blade. Once in the Intune Console, navigate to Device Enrollment and select Device Categories. Click + Create, enter a Name for the Category, then click on the Create button at the bottom of the page.
In the screen shot below, it shows where I created 4 different Categories: Virtual Machines, iOS Devices, Android Devices and Physical Machines. I will focus on managing Windows 10 Virtual Machines in this post.
Now that we have the Device Categories created in the Portal, we will create a Dynamic Group using Azure Active Directory.
Create Dynamic Groups based on Device Category
From the Azure Portal, select the Azure Active Directory blade - choose Users and Groups - select All Groups. This will list all the current Security and Office Groups.
At the top of the blade, click + New Group to create a New Group. Enter a Name - I used Windows 10 Virtual Machines for this example. Choose Membership Type - Dynamic Device and finally select Dynamic Device Members - Add dynamic query. Now it is time to add the dynamic membership rule - Under Add Devices Where select the following: deviceCategory Equals then type in Virtual Machines.
With those 2 steps (create the Device Category, then create the Dynamic Group) we are now able to deploy Apps and Policies to devices based on Categories.
The final step is to deploy Apps and Policies to the Dynamic Group.
Deploy Apps and Policies based on Device Category
I will not document the steps to create a Configuration Profile, but I will share a screen shot where I deployed a Device Configuration Profile (Windows Defender Firewall) to the Dynamic Group (Windows 10 Virtual Machines), which is based on the Device Category (Virtual Machines).
The next screen shot will display deploying an Application (Azure Information Protection) to the same Dynamic Group (Windows 10 Virtual Machines).
This concludes my blog post on using Device Categories with Microsoft Intune and Azure Active Directory to help better manage devices.
Approving the Company Portal app for Android for Work device management
By Chris Baldwin | Principal PM
If you are managing Android devices with a work profile (Android for Work), there is a specific, one-time task that IT admins need to perform in order to ensure that the Intune Company Portal app continues to receive automatic updates from the managed Google Play store. If this is not done, the Company Portal app itself may not receive updates. This could result in Company Portal falling out of date and potentially missing out on important bug fixes or feature updates.
How to approve the Company Portal app
You will need to manually approve the Company Portal app in the managed Google Play store. This needs to be done only one time, by following these steps:
1. Browse to the Intune Company Portal in the managed Play Store by following this URL: https://play.google.com/work/apps/details?id=com.microsoft.windowsintune.companyportal
2. Sign in to the managed Google Play store using the same Google account you used to configure your Android for Work binding. If you forget what account you used, you can view it in the Intune admin page on the device enrollment > Android for Work enrollment blade under "Google Account."
3. In the Intune Company Portal listing in the managed Google Play store, click Approve.
4. Review the permissions dialog and click Approve. These permissions are necessary for the Company Portal to manage the work profile on devices managed by your organization:
5. We recommend selecting "Keep approved when app requests new permissions" so that the app will stay approved in the event that permissions change. You can optionally sign up for email notifications of permissions changes on the "Notifications" tab. Click Save.
6. Verify that the "Approved" label appears as shown below.
7. You can now close the managed Google Play store browser window.
Current MSP list published for Office 2016
In November, 2016, we published the list of .msp files (MSI patches) that have been released for Office 2013, so that Office installation images can be created with the proper set of security and non-security .msp's in the Updates folder. We're happy to announce that an equivalent page is now available for Office 2016. As with the Office 2013 page, we will keep the Office 2016 .msp list current with each monthly update.
General Availability of the SharePoint Migration Tool & SharePoint Migration Assessment Tool Updates
GENERAL AVAILABILITY TODAY
Taking advantage of cloud services doesn’t have to be difficult or a long-phased migration project. Today we're excited to announce General Availability of the SharePoint Migration Tool, a simple, and fast migration solution to help you migrate content from on-premises SharePoint sites and file shares to SharePoint or OneDrive in Office 365.
Based on the learning and experience from Microsoft FastTrack, the SharePoint Migration Tool from Microsoft was designed to help you bring your information to the cloud and take advantage of the latest collaboration, intelligence, and security solutions with Office 365.
With a few simple clicks in the intuitive user interface, you can quickly and easily migrate files from file shares or SharePoint sites, and run bulk migrations.
Whether you’re looking to migrate from file shares on-premises to SharePoint or OneDrive or from on-premises versions of SharePoint, the SharePoint Migration Tool supports the smallest of migrations to large scale migrations with support for bulk scenarios.
SharePoint Migration Assessment Tool Updates
In parallel to releasing the SharePoint Migration Tool, we’re also making it easier to ensure your migration is successful by helping you remediate common migration issues before they occur through improvements to the SharePoint Migration Assessment Tool. Improvements in the latest release include:
A Unified Download Package
- SMAT.exe will determine the version of SharePoint on which it’s installed and run the appropriate tool based on the parameters passed to it. Works on both SharePoint 2010 and SharePoint 2013.
New and Updated Assessment Scans
- New Assessment Scans
- Custom Permission Levels – Enumerates and reports on all locations where a custom permission level has been created.
- External Lists – Enumerates and reports on all external lists (BCS connected) in the environment.
- Changes to existing assessment scans
- Default filter added to site language to exclude 1033.
- Default filter added to Customized Pages to exclude anything under _catalogs.
- Retry logic added to calls to remote resources such as SQL Server. This will help the scans succeed in environments with suspect connectivity. -r switch added to command line to enable an operator to specify the number of retries. Default is 3.
Improved Identity Mapping Support
- Ability to generate a full identity report that provides a comprehensive view of the users and groups that have access to the SharePoint environment and if they were able to be mapped to Azure Active Directory identities.
- Ability to generate an identity mapping file that can be consumed by SPMT or by other tools that can use the SMAT identity mapping format.
- New identity mapping scans configured in the same scandef.json file as the assessment scans.
- SharePoint Identity Scanner - Discovers all the users and groups that have access to SharePoint.
- Active Directory Identity Scanner - If the identities found in SharePoint are Windows accounts, look up Active Directory information for the users and groups. This data is useful for tracking down identities that did not have a mapping in Azure Active Directory.
- Azure Active Directory Identity Scanner - Look up users and groups found in SharePoint in the Azure Active Directory tenant the user logged into. Determine if there is an Exact Match, Partial Match, or No Match.
- ExactMatch – Windows SID in SharePoint matches the OnPremisesSecurityIdentifier in Azure AD.
- PartialMatch – Claim value in SharePoint matches UPN or email. Display Name in SharePoint matches Display Name in Azure AD.
- NoMatch – Unable to find an exact/partial match.
While the SharePoint Migration Tool and SharePoint Migration Assessment Tool provide support for many migration scenarios, we recognize your needs may differ in scope and complexity. For more complex migrations, support with adoption and usage, or help planning Microsoft FastTrack includes resources, tools, and experts to make your rollout of Office 365 a success.
To learn more about Microsoft FastTrack visit https://fasttrack.microsoft.com/office. In addition, consider one of Microsoft’s many partners that can help ensure your migration to Office 365 is both seamless and successful.
Getting Started
To get started and download the new SharePoint Migration Tool from Microsoft visit https://aka.ms/spmt.
To get started and download the SharePoint Migration Assessment Tool visit https://aka.ms/smat.
Join us! "IoT in Action", an event to meet Microsoft's IoT leaders and strategic partners (January 25-26) [updated January 11]
One benefit of digital transformation that deserves particular attention is IoT (the Internet of Things).
As companies set out to reinvent their businesses, IoT has become a major business opportunity. Microsoft is holding events titled "IoT in Action" in various locations for partners interested in IoT technology.
The Tokyo event will be held on January 25-26, 2018. We hope you will join us.
Identify ADMX/ADML Files used by Group Policies
The Problem
Group Policy ADMX versioning has caused a few concerns for Microsoft customers in the past one to two years. A great description of the issue and how to address it is found here.
Recently, one of my customers wanted to identify the ADMX files referenced by Group Policies deployed in their domain so that they could carefully update the ADMX/ADML central store in SYSVOL. This isn't entirely easy because the ADMX file is not used when the GPO is applied to a computer or user.
Further Explanation
The ADMX/ADML file combination may be thought of as the description language that instructs the Group Policy editor. The Group Policy editor shows the policy settings, policy descriptions, drop down boxes and radio buttons that the ADMX/ADML files tell it to. Configuring a policy setting results in the Group Policy editor making changes to a .pol (or other) file in SYSVOL that is ultimately applied to the computer or user.
When you generate a Group Policy report, all of the ADMX and ADML files are read and compared with the policy settings stored in SYSVOL. This information is then glued together by the report generator and output as either HTML or XML. No record of the ADMX/ADML files required for the report is kept.
The Solution
I managed to construct a PowerShell script that consumes an XML-based GPO Report, parses out all of the settings, reads the ADML store specified in the script and matches settings to ADMLs. ADML file names correspond to ADMX file names used by the Group Policy editor. The output is a CSV (also specified in the script) that looks similar to -
gpoName | settingScope | settingName | admlFile |
PolicyA | Computer | Site to Zone Assignment List | InetRes.adml |
PolicyB | User | Allow DFS roots to be published | SharedFolders.adml |
PolicyA | User | Add Logoff to the Start Menu | StartMenu.adml |
PolicyA | Computer | Show lock in the user tile menu | WindowsExplorer.adml |
PolicyC | Computer | Allow remote server management through WinRM | WindowsRemoteManagement.adml |
PolicyD | Computer | Register domain joined computers as devices | WorkplaceJoin.adml |
The script assumes a language match between the GPO Report and the ADML file path provided in the script and has a dependency on the Group Policy PowerShell module.
If you wish to use the following code, redefine <OUTPUT_PATH> and <FULLY_QUALIFIED_DOMAIN_NAME> according to your own environment (I know I could have parameterised this but I'm lazy and this is just a sample).
Also note that something whacky is going on with the source code plugin colour formatting below. I can't work it out but the script still works …
The Script
# Define results file
$results = "<OUTPUT_PATH>\Results.csv"

# Define PolicyDefinition ADML folder (the language subfolder of the central store)
$policyDefs = "\\<FULLY_QUALIFIED_DOMAIN_NAME>\SYSVOL\<FULLY_QUALIFIED_DOMAIN_NAME>\Policies\PolicyDefinitions\en-US"

# Generate a GPO report for every GPO in the domain and capture it as XML
# (Get-GPOReport comes from the Group Policy PowerShell module)
Import-Module GroupPolicy
[xml]$GPOs = Get-GPOReport -All -ReportType Xml

# Parse captured XML: collect every registry-based (Administrative Template)
# setting from both the Computer and the User scope of each GPO
$policyInfo = @()
foreach ($gpo in $GPOs.DocumentElement.GPO) {
    foreach ($scope in 'Computer', 'User') {
        # ExtensionData is absent when a scope has no settings; @() copes with null, one or many
        foreach ($extension in @($gpo.$scope.ExtensionData.ChildNodes)) {
            if ($extension.type -notlike "*:RegistrySettings") { continue }
            foreach ($policy in @($extension.Policy)) {
                if ($null -eq $policy) { continue }
                $polInfo = "" | Select-Object gpoName, settingScope, settingName
                $polInfo.gpoName      = $gpo.Name
                $polInfo.settingScope = $scope
                $polInfo.settingName  = $policy.Name
                $policyInfo += $polInfo
            }
        }
    }
}

# Define output array
$admlFileUsage = @()

# Search ADML files for policy settings
$admlFiles = Get-ChildItem -Path $policyDefs -Filter *.adml
foreach ($admlFile in $admlFiles) {
    $admlContent = (Get-Content -Path ($admlFile.FullName))
    foreach ($polInfo in $policyInfo) {
        $settingName = $polInfo.settingName
        if ($admlContent -like "*$settingName*") {
            # Create a fresh object for every match: reusing one object across the loop
            # would make every row for this ADML point at the last matched setting
            $out = "" | Select-Object gpoName, settingScope, settingName, admlFile
            $out.gpoName      = $polInfo.gpoName
            $out.settingScope = $polInfo.settingScope
            $out.settingName  = $polInfo.settingName
            $out.admlFile     = $admlFile.Name
            $admlFileUsage += $out
        }
    }
}

$admlFileUsage | Export-Csv -Path $results -NoTypeInformation -Force
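The script matches a setting's display name against the whole ADML text with a wildcard, so a help string or category name that happens to contain the same words also counts as a hit, and the result never says which ADMX policy element (or which class, Machine or User) the setting belongs to. The following is an added example, not the script from the post: it looks the display name up as an exact ADML string resource, then finds the `<policy>` in the sibling ADMX whose `displayName` references that string id. `Resolve-AdmxSetting` is a hypothetical helper name, and the ADMX/ADML pair it runs against is constructed for the demo in a temp folder; point `-PolicyDefinitions` at a real central store (`\\<FQDN>\SYSVOL\<FQDN>\Policies\PolicyDefinitions`) to use it on live files.

```powershell
# Added example (not the post's script). Resolve-AdmxSetting is a hypothetical name.
function Resolve-AdmxSetting {
    param(
        [Parameter(Mandatory)][string]$SettingName,        # display name as shown in the GPO report
        [Parameter(Mandatory)][string]$PolicyDefinitions,  # central store root
        [string]$Language = 'en-US'                        # must match the report language
    )
    $hits = @()
    foreach ($admx in Get-ChildItem -Path $PolicyDefinitions -Filter *.admx) {
        # ADML file name equals the ADMX file name, under the language subfolder
        $admlPath = Join-Path (Join-Path $PolicyDefinitions $Language) ($admx.BaseName + '.adml')
        if (-not (Test-Path $admlPath)) { continue }

        [xml]$adml = Get-Content -Path $admlPath -Raw
        # Exact match on the <string> text rather than a wildcard over the whole file
        $ids = @($adml.policyDefinitionResources.resources.stringTable.string |
                Where-Object { $_.InnerText -eq $SettingName } |
                ForEach-Object { $_.GetAttribute('id') })
        if ($ids.Count -eq 0) { continue }

        [xml]$admxXml = Get-Content -Path $admx.FullName -Raw
        foreach ($policy in @($admxXml.policyDefinitions.policies.policy)) {
            if ($null -eq $policy) { continue }
            # Only a <policy> whose displayName is $(string.<id>) for one of the matched ids
            # is the setting; help or category strings with the same words are ignored
            $display = $policy.GetAttribute('displayName')
            if ($display -match '^\$\(string\.(.+)\)$' -and $ids -contains $Matches[1]) {
                $hits += [pscustomobject]@{
                    settingName = $SettingName
                    policyName  = $policy.GetAttribute('name')
                    policyClass = $policy.GetAttribute('class')   # Machine, User or Both
                    admxFile    = $admx.Name
                    admlFile    = Split-Path $admlPath -Leaf
                }
            }
        }
    }
    return $hits
}

# --- Constructed demo store (not a real ADMX/ADML pair) ---
$demoStore = Join-Path ([System.IO.Path]::GetTempPath()) 'admx-demo'
$null = New-Item -ItemType Directory -Path (Join-Path $demoStore 'en-US') -Force
@'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policyNamespaces><target prefix="demo" namespace="Demo.Policies.SharedFolders"/></policyNamespaces>
  <resources minRequiredRevision="1.0"/>
  <categories><category name="SharedFolders" displayName="$(string.SharedFolders)"/></categories>
  <policies>
    <policy name="PublishDfsRoots" class="User" displayName="$(string.PublishDfsRoots)"
            explainText="$(string.PublishDfsRoots_Help)" key="Software\Policies\Demo" valueName="PublishDfsRoots">
      <parentCategory ref="SharedFolders"/>
    </policy>
  </policies>
</policyDefinitions>
'@ | Set-Content -Path (Join-Path $demoStore 'SharedFolders.admx') -Encoding UTF8
@'
<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <displayName/><description/>
  <resources><stringTable>
    <string id="SharedFolders">Shared Folders</string>
    <string id="PublishDfsRoots">Allow DFS roots to be published</string>
    <string id="PublishDfsRoots_Help">Allow DFS roots to be published: controls whether users may publish DFS roots.</string>
  </stringTable></resources>
</policyDefinitionResources>
'@ | Set-Content -Path (Join-Path $demoStore 'en-US\SharedFolders.adml') -Encoding UTF8

Resolve-AdmxSetting -SettingName 'Allow DFS roots to be published' -PolicyDefinitions $demoStore |
    Format-Table -AutoSize
```

In the constructed store the help string also contains the phrase "Allow DFS roots to be published", which a wildcard over the file would count as well; the exact-id lookup returns only the `PublishDfsRoots` policy, with its class and its ADMX file, which is what you need when deciding which ADMX/ADML pairs in the central store a GPO really depends on.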
Conclusion
I hope that this script serves as a useful example for others to build upon. As I've only used this script in a test lab with a small number of Group Policy objects, it's entirely possible I've overlooked something. If you identify a problem or see room for improvement, I'd be happy to take the feedback.
How to resolve the issue where an authentication dialog is displayed every time Outlook starts in an environment where the administrator has blocked Office from connecting to the Internet
Hello. This is the Microsoft Japan Outlook support team.
In this article we introduce a feature addition to Office 2016 that will be good news for customers affected by the issue in the title.
Overview
Office applications, including Outlook, have settings that control access to content on the Internet, such as Help and online templates.
For the location of these settings, their details, and how to control them, see the article here.
As described in the blog post above, administrators can block Office applications from connecting to content on the Internet by setting the UseOnlineContent registry value to 0.
On the other hand, Outlook 2013/2016 authenticate through a shared Office component called MSO.dll. In an environment where UseOnlineContent is set to 0, the component concludes that there is no Internet connectivity, part of the processing required for authentication is skipped, saved credentials are not used, and as a result an authentication dialog is displayed every time Outlook starts, or account setup fails.
These problems are described in KB3060280, here.
Note that this issue does not occur in Outlook 2010.
The issue arose because authentication through MSO.dll was designed on the assumption that an Internet connection is needed at certain points in order to support modern authentication methods such as multi-factor authentication and Modern Authentication.
In Office 2013, the only workarounds were to disable MSO-based authentication (accepting that multi-factor authentication and similar methods would no longer be usable) or to change UseOnlineContent to a value other than 0.
Information on these Office 2013 environments is covered in the blog post here.
In Outlook 2016, MSO-based authentication cannot be disabled, so until now the only workaround was to change UseOnlineContent to a value other than 0.
Based on customer requests to avoid the KB3060280 symptom in Office 2016 while keeping access to Internet content blocked, a version has now been released in which the behaviour can be changed so that normal authentication is performed even when UseOnlineContent is 0. It is introduced below.
Supported versions and required updates
As mentioned above, this feature addition applies to Office 2016 only.
For Click-to-Run editions such as Office 365 ProPlus, updates are applied all at once, so the feature is available from the version listed below onward.
For Office 2016 installed with the installation method known as MSI, the updates listed below must be applied.
To check whether your Office is a Click-to-Run or an MSI edition, see the article here.
Click-to-Run editions such as Office 365 ProPlus
Version 1710 or later (already released in the Monthly Channel; rollout to other channels such as the Semi-Annual Channel is planned in due course.)
MSI edition
All three of the following MSO-related updates must be applied.
KB4011622 - https://support.microsoft.com/en-us/help/4011622/descriptionofthesecurityupdateforoffice2016january9-2018
KB4011625 - https://support.microsoft.com/en-us/help/4011625/january-2-2018-update-for-office-2016-kb4011625
KB4011630 - https://support.microsoft.com/en-us/help/4011630/january-2-2018-update-for-office-2016-kb4011630
Registry value required to change the behaviour
After applying the required updates, adding the following registry value changes the behaviour and avoids the KB3060280 symptom in Outlook 2016.
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
Name: EnableAuthInOfflineMode
Type: REG_DWORD
Data: 0x00000001 (decimal: 1)
The contents of this information (including attachments and linked pages) are current as of the date of writing and are subject to change without notice.
Coming Soon: User Experience Update to the Intune iOS Company Portal app
By Esther Michel | PM
We’re excited to announce that Intune will soon be releasing a major user experience update to the iOS Company Portal app. The update will feature a complete visual redesign, which includes a modernized look and feel with increased usability and accessibility. All current iOS Company Portal functionality will be maintained.
Register for early access
Are you interested in using the new iOS Company Portal app before it's generally available? In the coming weeks, we will make a pre-release version of the app available for you through Apple TestFlight. If you’re not already part of our Apple TestFlight program, it’s not too late to register. Registering will enable you to use the updated Company Portal before it’s available to your end users. You will also have the opportunity to provide feedback directly to the Intune team. We plan to continue releasing Company Portal updates through Apple TestFlight until we release publicly in the App Store.
To sign up for TestFlight access, email CompanyPortalBeta@microsoft.com with your first name, last name, email address, and company name. The testing requirements include:
1. An active Intune tenant with Apple Push Notification service (APNs) set up
2. An iOS test device
3. A willingness to provide feedback on the experience
Before and After
Here's an example of how we've updated the user experience.
[Screenshots: Before / After]
Troubleshooting ‘No latest App Consistent Snapshot’ issues for VMWare to Azure when using Azure Site Recovery
An app-consistent snapshot is a point-in-time snapshot of the application data inside the VM. Volume Shadow Copy Service (VSS) ensures that applications on the VM are in a consistent state when the snapshot is taken. This article details some of the common causes of the "No latest App Consistent Snapshot" issue for VMware to Azure when using Azure Site Recovery, and recommendations to resolve them:
- Check for conflicts: Ensure there are no other applications taking VSS snapshots (e.g. a backup application) when ASR is scheduled to take a snapshot (as specified in your replication policy). By default, Site Recovery takes an app-consistent snapshot every 4 hours. You can configure any value between 1 and 12 hours. You can check for conflicts by manually triggering a snapshot using the steps listed below:
- Open command prompt as admin
- Navigate to the agent install directory and run the command below
- C:\Program Files (x86)\Microsoft Azure Site Recovery\agent>vacp.exe -systemlevel
- If you see any other application using the VSS service, then there is a conflict. Review the replication policy and adjust the snapshot frequency to prevent the overlap.
- In addition, check for VSS-related errors in the log files under C:\Program Files (x86)\Microsoft Azure Site Recovery\agent\Application Data\ApplicationPolicyLogs.
- Check the health of VSS Service:
- Open command prompt as admin. Run the below commands:
- Vssadmin list writers
- Vssadmin list shadows
- Vssadmin list providers
- If the output does not return values, then restart the below services:
- Microsoft Software Shadow Copy Provider
- Volume shadow copy
- Check if your VM is experiencing high churn: The Daily Data Change Rate for VMs displayed on the portal represents the cumulative data churn rate of all protected disks of a given VM. This churn rate can increase or stay at a high level depending on how busy the VM, or the applications running in it, are.
- The average source disk data churn supported for standard storage in Azure Site Recovery is 2 MB/s (see the Azure Site Recovery documentation for more information). In addition, you can find storage scalability limits in this article.
- Run Deployment planner and review recommendations (for network and storage). Check if you need to adjust the bandwidth and throttling as listed in this article.
- Ensure the sizing requirements for Configuration/Process Server are met.
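The "check the health of VSS" step above relies on reading `vssadmin list writers` by eye. As an added example (not part of the original article), the following PowerShell parses that output and flags any writer that is not in the Stable state or reports a last error, and then reports the status of the two services the article tells you to restart (`VSS`, the Volume Shadow Copy service, and `swprv`, the Microsoft Software Shadow Copy Provider). `Get-VssWriterHealth` and `Test-VssServices` are hypothetical helper names, and the sample `vssadmin` output it runs on is constructed, with placeholder GUIDs; on the replicated VM itself pass the live output, as shown in the last comment.

```powershell
# Added example, not from the original article. Helper names are hypothetical.
function Get-VssWriterHealth {
    param([Parameter(Mandatory)][string[]]$VssadminOutput)   # lines of 'vssadmin list writers'
    $writers = @()
    $current = $null
    foreach ($rawLine in $VssadminOutput) {
        $line = $rawLine.Trim()
        switch -Regex ($line) {
            # Each writer block starts with its name; flush the previous block first
            '^Writer name: ''(.+)''$' {
                if ($current) { $writers += $current }
                $current = [pscustomobject]@{ Name = $Matches[1]; State = ''; LastError = '' }
            }
            '^State: \[\d+\] (.+)$' { if ($current) { $current.State = $Matches[1] } }
            '^Last error: (.+)$'    { if ($current) { $current.LastError = $Matches[1] } }
        }
    }
    if ($current) { $writers += $current }
    foreach ($w in $writers) {
        [pscustomobject]@{
            Name      = $w.Name
            State     = $w.State
            LastError = $w.LastError
            # A writer ASR can use is Stable with no error; anything else needs attention
            Healthy   = ($w.State -eq 'Stable' -and $w.LastError -eq 'No error')
        }
    }
}

function Test-VssServices {
    # Both services are demand-started, so Stopped is normal while idle; the point is
    # to know their state before deciding to restart them as the article suggests
    foreach ($name in 'VSS', 'swprv') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        }
    }
}

# --- Constructed sample output (placeholder GUIDs, not captured from a real VM) ---
$sampleOutput = @'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a1}
   State: [1] Stable
   Last error: No error

Writer name: 'SqlServerWriter'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a2}
   State: [5] Waiting for completion
   Last error: Retryable error
'@ -split "`r?`n"

# Report only the writers that would block an app-consistent snapshot
Get-VssWriterHealth -VssadminOutput $sampleOutput | Where-Object { -not $_.Healthy } | Format-Table -AutoSize
Test-VssServices | Format-Table -AutoSize

# Live use on the VM (elevated prompt):
#   Get-VssWriterHealth -VssadminOutput (vssadmin list writers) | Where-Object { -not $_.Healthy }
```

With the constructed sample, only `SqlServerWriter` is reported, because its state is "Waiting for completion" with a retryable error; an empty writer list from the live command is the "output does not return values" condition the article describes, at which point restarting the two services is the next step.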