
Wednesday, May 18, 2016

Advanced Threat Protection - brand-new feature in Windows 10 (Anniversary release 2016)

Microsoft responded to their customers' requests regarding security threats and how to get a hold on them, especially when the breach has already occurred.


The antivirus tools we were used to are yesterday's news. Now it's ATP time!


This tool is really outstanding and uses unique techniques and possibilities that only Microsoft can do!




Please CLICK here to watch the video!
https://channel9.msdn.com/Events/Build/2016/B890


And to learn more and check it out you can sign up here:
https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp




ATP consists of 3 components:
1. The Client – an endpoint behavioral sensor, built into Windows 10 (Windows 10 Anniversary Update, Windows Insider Preview build number 14332 and later) and activated upon service enrollment. The client logs relevant security events and behaviors from the endpoint.
2. Cloud security analytics service – processes data from endpoints in combination with historical data and Microsoft's wide data repository to detect anomalous behaviors, adversary techniques and similarity to known attacks. The service runs on Microsoft's scalable big data platform and uses a combination of Indicators of Attack (IOAs), generic analytics and machine learning rules, as well as Indicators of Compromise (IOCs) collected from past attacks.
3. Microsoft and community intelligence – Microsoft's hunters and researchers investigate the data, finding new behavioral patterns and correlating the data with existing knowledge from the security community.

Windows 10 Update Assistant for failing upgrades from RTM to 1511

Recently MS released an update that lets you update your system to the latest public release (1511) if your system is still on RTM and does not update automatically to the recent version due to errors in Windows Update.






Please check out this KB article for it: https://support.microsoft.com/en-us/kb/3159635


The update to 1511 is essential to receive the new Redstone release coming in a few weeks!

LEGACY: Good news for Win7 and Win8.1 image builders -> new Win7 "SP2" available aka Convenience rollup update

I recently had a customer who needed to rebuild their Windows 7 SP1 image from time to time due to changes in their images. It took hours and hours to get the hundreds of post-SP1 fixes into the image. And finally the image build process got stuck with an error.


This was the log situation with our customer while building a new reference image with SCCM:


The client is busy downloading updates from the Deployment Point and putting it in the Ccmcache folder.
But for some reason, the activity in WUAHandler.log suddenly stops with the following lines:
Successfully completed scan.      WUAHandler     09-Mar-16 14:00:53         3016 (0x0BC8)
Going to search using WSUS update source.         WUAHandler     09-Mar-16 14:02:06         2668 (0x0A6C)
Synchronous searching of all updates started...  WUAHandler     09-Mar-16 14:02:06         2668 (0x0A6C)

Usually, after these lines we would expect lines where it does the actual installation of updates, which it doesn't.

It seems we are not the only ones dealing with this problem. MS created a new solution for people like us dealing with these types of issues.

They created a so-called "Convenience rollup update for Windows 7 SP1"

And the corresponding KB article is found here: https://support.microsoft.com/en-us/kb/3125574

This Convenience rollup does not include updates that are not broadly available and necessary, and also not updates that introduce behaviour changes or hotfixes that need additional changes like registry keys etc. So it will shortcut the whole process dramatically, but there are still other updates you need to apply additionally.


Monday, May 2, 2016

Use Windows Phone Emulator without Visual Studio

Sometimes it might be very convenient to run the Windows Phone emulator if you want to test things on Phone where running the full VS did not really help, as you need an open empty project before the VS 2015 UI lets you start the VM.
This might be useful if you play around with Intune as I do from time to time, without disturbing my operational phone. :-)
1. You need to install the current Windows Phone emulator (when I did it, the current one was 10586)
Requirements found here
And Download for the Emulator Setup found here
If you want to use it as stated in the requirements you need to install Visual Studio (probably Visual Studio Community is enough), but I cannot verify that easily as I always use the Enterprise Edition.


2. Before you continue it's always wise to make a backup of your flash.vhd file.
You find the file here: "C:\Program Files (x86)\Windows Kits\10\Emulation\Mobile\10.0.10586.0\flash.vhd"


Otherwise, once downloaded and installed (it needs a couple of minutes and eats up a few gigabytes on your HDD), try this:
Start the installed emulator as a VM with this command (without Visual Studio):


"C:\Program Files (x86)\Microsoft XDE\10.0.10586.0\XDE.exe" /name "My Win10 test emulator with default values" /memsize 2048 /vhd "C:\Program Files (x86)\Windows Kits\10\Emulation\Mobile\10.0.10586.0\Flash.vhd" /creatediffdisk "%LOCALAPPDATA%\Microsoft\XDE\10.0.10586.0\dd.480x854.1024.vhd" /snapshot /fastShutdown /noGPU
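Steps 1 to 3 above as one script, added here as an example (not the post's own code): it refuses to run if the 10586 emulator files are missing, takes the flash.vhd backup once and never overwrites it, and then starts XDE.exe with the post's switches. The backup file name and the existence checks are my own additions; the paths are the post's 10586 defaults.

```powershell
# Added example, not from the original post: back up flash.vhd once, then start
# the emulator the way the post shows. Paths are the post's 10586 defaults;
# the backup file name ($Bak) and the checks are my own choices.
$Kit  = 'C:\Program Files (x86)\Windows Kits\10\Emulation\Mobile\10.0.10586.0'
$Xde  = 'C:\Program Files (x86)\Microsoft XDE\10.0.10586.0\XDE.exe'
$Vhd  = Join-Path $Kit 'flash.vhd'
$Bak  = Join-Path $Kit 'flash.vhd.original.bak'   # assumed backup name
$Diff = Join-Path $env:LOCALAPPDATA 'Microsoft\XDE\10.0.10586.0\dd.480x854.1024.vhd'
$Name = 'My Win10 test emulator with default values'

# Step 1: fail early if the emulator package from the post is not installed.
foreach ($p in $Kit, $Xde, $Vhd) {
    if (-not (Test-Path -LiteralPath $p)) {
        throw "Missing: $p (is the 10586 emulator installed?)"
    }
}

# Step 2: keep one pristine copy of flash.vhd; an existing backup is never overwritten,
# so a broken image can always be restored from the very first copy.
if (-not (Test-Path -LiteralPath $Bak)) {
    Copy-Item -LiteralPath $Vhd -Destination $Bak
    "Backup written: $Bak"
} else {
    "Backup already exists, leaving it alone: $Bak"
}

# Step 3: same switches as the post's command line. /creatediffdisk keeps flash.vhd
# untouched and writes all changes to the differencing disk under %LOCALAPPDATA%.
$xdeArgs = @(
    '/name', "`"$Name`"",
    '/memsize', '2048',
    '/vhd', "`"$Vhd`"",
    '/creatediffdisk', "`"$Diff`"",
    '/snapshot', '/fastShutdown', '/noGPU'
)
Start-Process -FilePath $Xde -ArgumentList $xdeArgs
```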




If your user is not a member of the Client Hyper-V admins group then you get this window and the ability to fix this right away.


Known issues
(as of 10.0.10586.11 which is the installed version from the link above).


1. The Store only updates apps that are already in the image
2. The Store is not able to download new additional apps (you get a wide range of error messages)
3. If you start the VM directly in Client Hyper-V then the additional features are missing. It's just "like" a normal computer VM with limited capabilities.


Command-line Help
Here you get all the different parameters that xde.exe (Build 10586) shows with /?

 

Windows Store for Business - a quick setup primer

Recently I had to create a demo environment to show how Windows Store for Business works. (updated 04.07.2017)


Here a quick primer.


Just to make sure to have the right understanding.


"Windows Store for Business" is another cloud service that lives side by side with the Windows Store! (This is an essential understanding we need for the next steps).


Great feature that works with your own company account (!).


Whoa, when this runs in the cloud, how does Microsoft know my account?
This is a very common question I got these days. To clarify a few things.


Microsoft introduced in Windows 10 a great feature called "Single Sign-On" (well, it's not brand-new, but now it works very easily with currently more than 2500 cloud-based services (as of April 2016). That means you can use your company account to log on to Facebook, Twitter, Citrix GoToMeeting and many others. Name it and they probably support it).


Therefore it is necessary to have your account synced with Azure Active Directory (a cloud-based user directory which is under your full control and enriches your security with features like multi-factor authentication (MFA) and much more. It's really worth spending extra time on this topic!)


And guess what, even the Windows Store for Business is one of these more than 2500 cloud services. That's why you can use your account and password to log on there. (For the security freaks: cool down, your own domain controller is judging whether the user's password is right or wrong. Keyword: Active Directory Federation Services (ADFS))


To come back to our quick primer (assuming you already have Azure AD set up; if not, there will be another post later on how to set this up!):


Windows Store for Business Quick-Start
https://technet.microsoft.com/en-us/windows/store-for-business.aspx

How to set it up:










2. Log on there with your local domain account (must be synced to Azure AD first!)


      • Hint for MS partners: you can use your demo environment from demos.microsoft.com
      • If your domain name is not yet transferred, the user must log on with the onmicrosoft.com cloud domain, like Users.Name@xxxxxxxx.onmicrosoft.com








          3. Read the EULA. You need to agree with it!
           










          4. Now you are ready to set it up.



          5. Here we will simply add a few apps from the public store and make them available for users in the Store app.

          6. Search for "Excel Mobile" in the search field.






          7. Click on "Get the App"





          8. Leave the default value to make it available to all users
          (repeat the steps with all Office Mobile apps)






          9. It may take a while until the content is visible in the store.




          10. When you are finished it looks like this:

          




          to be continued as I need the 24 hours to get it into the tenant.


          11. A few hours later (18 in my case) you would see this here:














          Finally on the client it looks like this here:


          A. You open the store and find another tab:




          B. When you click on the tab it looks like this:


          When you are looking for information on how to bring LOB apps to the store you should also consult these sites:
          https://docs.microsoft.com/en-us/windows/uwp/publish/distribute-lob-apps-to-enterprises

          In some cases you want to roll out offline apps. They also need to go to the store before you can download them and deploy them via SCCM.
          Check out also this site: https://docs.microsoft.com/en-us/microsoft-store/distribute-offline-apps

           

          DON'T DO THIS AT HOME! - Just for testing: disable the local firewall with PowerShell on new Windows Servers

          I found while working with the advanced firewall under current Windows Server 2012 R2 and newer that since an update (can't tell you which one) disabling the firewall may result in total loss of communication.




          Which is in general a very good security practice.


          For production machines it is always absolutely recommended to have a fully operational firewall.




          BUT under some circumstances it might be good to know if a newly introduced service is working in general to find out if a blocked port is causing issues or if it is the service itself.




          In the past it was easy:
          Simply shutdown the firewall on all profiles and you could test if it works or not.


          But now it's more complex. (PowerShell helps a lot here!)


          Just to remember:


          1. Don't do this at home! (unskilled admins should stay away!)
          2. Make sure you only do it in a safe testing environment which is externally protected by a firewall. (OK, these days firewalls are only a basic protection anyway!)
          3. Once you have checked that your testing environment works well, turn on the firewall again and add all needed firewall ports from your service's documentation to make sure it works the way it was designed for!!!


          Here how it works:


          Open PowerShell as admin and run these 4 lines:


          New-NetFirewallRule -DisplayName "Allow TCP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Outbound -LocalPort Any -Protocol TCP -Action Allow

          New-NetFirewallRule -DisplayName "Allow UDP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Outbound -LocalPort Any -Protocol UDP -Action Allow


          New-NetFirewallRule -DisplayName "Allow TCP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Inbound -LocalPort Any -Protocol TCP -Action Allow


          New-NetFirewallRule -DisplayName "Allow UDP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Inbound -LocalPort Any -Protocol UDP -Action Allow









          Last but not least, you also need to re-enable the firewall function after your testing!


          This is done with these steps:


          Remove-NetFirewallRule -DisplayName "Allow TCP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"

          Remove-NetFirewallRule -DisplayName "Allow UDP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"


          Remove-NetFirewallRule -DisplayName "Allow TCP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"


          Remove-NetFirewallRule -DisplayName "Allow UDP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"
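The same test procedure as above, wrapped so that it cannot be left half-done, added here as an example (not the post's own code): the four allow-all rules get a common -Group tag so they can be found and removed together, the profile state is shown before the test, and the cleanup step fails loudly if any tagged rule survives or a profile is no longer enabled. The group name and the two function names are my own choices.

```powershell
# Added example, not from the original post: tag the four test rules with one
# group, so cleanup can find them all and verify that nothing is left behind.
$TestGroup = 'TESTING ONLY - RE-ENABLE AFTER YOUR TESTS'   # assumed tag, my choice

function Enable-AllowAllTestRules {
    # Show the profile state first, so you can compare it after cleanup.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction |
        Format-Table -AutoSize

    # Same four rules as the post (in/out x TCP/UDP), all carrying the group tag.
    foreach ($dir in 'Inbound', 'Outbound') {
        foreach ($proto in 'TCP', 'UDP') {
            New-NetFirewallRule -DisplayName "Allow $proto $dir - $TestGroup" `
                -Group $TestGroup -Direction $dir -Protocol $proto `
                -LocalPort Any -Action Allow | Out-Null
        }
    }
    "Test rules active. Run Remove-AllowAllTestRules when you are done."
}

function Remove-AllowAllTestRules {
    # Remove every rule carrying the tag, whatever its display name.
    Get-NetFirewallRule -Group $TestGroup -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Verify: no tagged rule may survive and every profile must still be enabled.
    $left = @(Get-NetFirewallRule -Group $TestGroup -ErrorAction SilentlyContinue)
    $off  = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    if ($left.Count -gt 0 -or $off.Count -gt 0) {
        throw "Cleanup incomplete: $($left.Count) test rule(s) left, $($off.Count) profile(s) disabled"
    }
    "Firewall back to normal: no test rules left, all profiles enabled."
}
```

Dot-source the file in an elevated PowerShell, call Enable-AllowAllTestRules for the test and Remove-AllowAllTestRules afterwards; the throw in the cleanup is the check that the post's step 3 asks for.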