I am asked from time to time which attributes are synced to Azure AD by the Azure Active Directory Connect tool:
In general it is only selected user, group and contact attributes.
The list of synced attributes, broken down per cloud service, is here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-attributes-synchronized
Depending on the Windows 10 features you use, a few device attributes are synced to Azure AD as well. This is required for scenarios such as Passport for Work (later renamed Windows Hello for Business) and needs a current Windows 10 build (10551 or newer) on the devices:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/
Be careful, and do not assume you know what you are doing when you exclude some of these attributes from sync. Depending on the services you use they really are necessary. Exchange on-premises, for example, stores a lot of information in AD, and Exchange Online does the same, so those attributes are needed for it to work properly.
Unless you are the developer of the cloud application (Exchange Online, say), you are not in a position to judge whether an attribute is required for correct operation.
So either accept the attribute set, or do not use Azure AD at all. Anything in between will leave the Azure AD data inconsistent and the cloud applications will not work properly. The one supported way to trim the set is the "Azure AD app and attribute filtering" option in the Azure AD Connect wizard, which drops attributes only for the services you declare you do not use.
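If you want to see which attributes your own installation actually flows to Azure AD (default rules plus any custom rules somebody added), you can read the outbound sync rules on the Azure AD Connect server. The following is an added example and not part of the original post; it assumes the ADSync module installed with Azure AD Connect, its `Get-ADSyncConnector` and `Get-ADSyncRule` cmdlets with the properties used below, and that the Azure AD connector carries the default name ending in " - AAD".

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Azure AD Connect server.
# Assumptions: the ADSync module exposes Get-ADSyncConnector and Get-ADSyncRule
# with the properties used here; the Azure AD connector is named "<tenant> - AAD".
Import-Module ADSync -ErrorAction Stop

$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
if (-not $aadConnector) { throw 'No Azure AD connector found.' }

# Every enabled outbound rule that targets the Azure AD connector, flattened to
# one object per attribute flow.
$flows = Get-ADSyncRule |
    Where-Object { $_.Direction -eq 'Outbound' -and
                   $_.Connector -eq $aadConnector.Identifier -and
                   -not $_.Disabled } |
    ForEach-Object {
        $rule = $_
        foreach ($m in $rule.AttributeFlowMappings) {
            [pscustomobject]@{
                ObjectType = $rule.TargetObjectType      # user, group, contact, device
                Attribute  = $m.Destination              # attribute written to Azure AD
                FlowType   = $m.FlowType                 # Direct, Constant or Expression
                Source     = ($m.Source -join ', ')      # metaverse attribute(s) feeding it
                Rule       = $rule.Name
                Precedence = $rule.Precedence
            }
        }
    }

# Summary: how many distinct attributes go out per object type.
$flows | Group-Object ObjectType | ForEach-Object {
    '{0,-8} {1,3} attributes' -f $_.Name, ($_.Group.Attribute | Sort-Object -Unique).Count
}

# Detail for one attribute, e.g. to find a custom rule that blanks an Exchange
# attribute. The lowest precedence number wins when several rules flow the same attribute.
$flows | Where-Object { $_.ObjectType -eq 'user' -and $_.Attribute -eq 'extensionAttribute1' } |
    Sort-Object Precedence | Format-Table Attribute, FlowType, Source, Rule, Precedence -AutoSize
```

If the detail query shows a custom rule with a lower precedence number than the "Out to AAD" rules, that rule is what Exchange Online actually receives, which is exactly the kind of partial exclusion the text warns about.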
Azure AD also stores BitLocker recovery keys, but only for Azure AD joined machines:
https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2016/03/14/automatic-bitlocker-on-windows-10-during-azure-ad-join/
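To check on one device that a recovery password exists and has actually been escrowed to Azure AD (and to trigger the escrow if the automatic one failed), the following added example can be run elevated on the client. It is not from the original post; it assumes Windows 10 1511 or later with the BitLocker PowerShell module and dsregcmd.exe present, and that the escrow success is logged as event 845 in the BitLocker Management log (treat the event ID as an assumption).

```powershell
# Added example (not from the original post). Run elevated on the client.
# Assumptions: BitLocker module and dsregcmd.exe available (Windows 10 1511+);
# event 845 in "BitLocker Management" records a successful Azure AD escrow.
$mount = $env:SystemDrive   # normally "C:"

# 1. Only an Azure AD joined device can escrow to Azure AD; dsregcmd tells us.
$joined = (dsregcmd /status) -match '^\s*AzureAdJoined\s*:\s*YES'
if (-not $joined) {
    throw "$env:COMPUTERNAME is not Azure AD joined; use Backup-BitLockerKeyProtector (on-premises AD) instead."
}

# 2. Make sure a recovery password protector exists; add one if it is missing.
$vol = Get-BitLockerVolume -MountPoint $mount
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 3. Escrow every recovery password protector to Azure AD. Re-running is harmless;
#    it uploads the same protector again.
foreach ($p in $rp) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
    'Escrowed protector {0} of {1} to Azure AD' -f $p.KeyProtectorId, $mount
}

# 4. Confirm locally from the event log (assumed event ID 845 = success).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845 } `
    -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The escrow itself is what matters operationally: a device that is encrypted but whose key never reached Azure AD is a data-loss risk, not a security win, so step 4 (or the device page in the Azure portal) is the check to automate, not step 3.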
Thursday, July 14, 2016
Sunday, June 12, 2016
Windows 10 privacy is always a source of rumors - what are the facts?
Windows 10 privacy is a discussion I often have with MS customers, especially in Europe and there especially in Germany. Therefore I developed a workshop to discuss all the different settings, which finally ended up as a 60-slide deck. But as it gets outdated with every version, I now only use the "online" version of the information in the TechNet blog.
In recent years the technology has evolved, and with it the number of ways we can use it.
Take Cortana as an example. Cortana is a brilliant assistant that can do amazing things, and each new version can do more.
But for Cortana to do these things you need to share information with her so she can use it to serve you better.
Suppose you want a reminder to buy milk when you are on your way home. Cortana then needs to know when you are driving home (GPS data and your typical route from your workplace to your home address). Without that data she cannot give you the right information at the right time.
So an assistant can only be as useful as the amount of data you share allows.
This is no different from a human assistant; let's call her Mary. She too can only be as supportive as what I tell her allows.
Microsoft has changed the way it communicates these privacy settings and is much more transparent than in the past.
Please check this TechNet article from time to time, as it is updated with new features: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services
The telemetry levels are also discussed there. You find more information about them here: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization
Once you have worked through these articles you will know which data is shared when, for what purpose, and how you can control it.
During my time working for MS labs I came into contact with the way MS deals internally with customers' privacy data. And believe me, they take this very seriously. From this experience I fully trust MS in the way they handle privacy.
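The telemetry level is the one privacy setting most organizations end up enforcing centrally. As an added example (not from the original post), the script below sets it through the same registry value the "Allow Telemetry" Group Policy writes and reads back what is effective, including the edition caveat from the TechNet article: level 0 (Security) is only honored on Enterprise, Education and Server editions and falls back to Basic elsewhere. It assumes an elevated session on Windows 10 1511 or later and no MDM policy overriding the value.

```powershell
# Added example (not from the original post). Run elevated.
# Assumption: no MDM policy overrides the Group Policy registry value used here.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$levelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Set-TelemetryLevel {
    # Writes the value Group Policy "Allow Telemetry" would write; policy beats
    # the user-facing slider in Settings > Privacy > Feedback & diagnostics.
    param([ValidateRange(0, 3)][int]$Level)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name AllowTelemetry -PropertyType DWord -Value $Level -Force | Out-Null
}

function Get-TelemetryLevel {
    $v = (Get-ItemProperty -Path $policyKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    if ($null -eq $v) { return 'not set by policy; the user setting in Settings > Privacy applies' }

    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    # Security (0) exists only on Enterprise, Education and Server SKUs; other
    # editions silently behave as Basic (1).
    if ($v -eq 0 -and $edition -notmatch 'Enterprise|Education|Server') {
        return "0 (Security) requested, but edition '$edition' falls back to 1 (Basic)"
    }
    return '{0} ({1})' -f $v, $levelNames[[int]$v]
}

Set-TelemetryLevel -Level 1   # Basic: the usual enterprise choice outside Enterprise SKUs
Get-TelemetryLevel
```

The fallback check is the part worth keeping: a compliance report that only reads the registry value will happily show "0" on a Pro machine that is in fact sending Basic telemetry.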
Wednesday, May 18, 2016
Advanced Threat Protection - brand new feature in Windows 10 (Anniversary Update 2016)
Microsoft responded to customer requests about security threats and how to get hold of them, especially once a breach has already occurred.
The antivirus tools we were used to are yesterday's news; now it is ATP time! (To be precise: Windows Defender ATP is a post-breach detection and investigation service, so it complements the on-box antivirus rather than replacing it.)
This service is outstanding and uses techniques and data that only Microsoft has access to.
Click here to watch the video:
https://channel9.msdn.com/Events/Build/2016/B890
To learn more and sign up:
https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp
ATP consists of 3 components:

1. The client: an endpoint behavioral sensor built into Windows 10 (Anniversary Update, Windows Insider Preview build 14332 and later) and activated upon service enrollment. The client logs relevant security events and behaviors from the endpoint.

2. Cloud security analytics service: processes data from endpoints in combination with historical data and Microsoft's wide data repository to detect anomalous behaviors, adversary techniques and similarity to known attacks. The service runs on Microsoft's scalable big data platform and uses a combination of Indicators of Attack (IOAs), generic analytics and machine learning rules, as well as Indicators of Compromise (IOCs) collected from past attacks.

3. Microsoft and community intelligence: Microsoft's hunters and researchers investigate the data, finding new behavioral patterns and correlating them with existing knowledge from the security community.
Windows 10 Update Assistant for failed upgrades from RTM to 1511
Recently MS released an update that brings your system to the latest public release (1511) if it is still on RTM (1507) and does not update automatically because of Windows Update errors.
Please check out this KB article: https://support.microsoft.com/en-us/kb/3159635
The update to 1511 is essential to receive the new Redstone release (1607, the Anniversary Update) coming in a few weeks!
LEGACY: Good news for Win7 and Win8.1 image builders -> new Win7 "SP2" available, aka Convenience rollup update
I recently had a customer who needed to rebuild their Windows 7 SP1 image from time to time due to changes in their images. It took hours over hours to get the hundreds of post-SP1 fixes into the image. And finally the image build process got stuck with an error.
This was the log situation at our customer while building a new reference image with SCCM:
The client is busy downloading updates from the distribution point and putting them in the ccmcache folder.
But for some reason the activity in WUAHandler.log suddenly stops after the following lines:
Successfully completed scan. WUAHandler 09-Mar-16 14:00:53 3016 (0x0BC8)
Going to search using WSUS update source. WUAHandler 09-Mar-16 14:02:06 2668 (0x0A6C)
Synchronous searching of all updates started... WUAHandler 09-Mar-16 14:02:06 2668 (0x0A6C)
Usually after these lines we would expect lines showing the actual installation of updates, which never appear.
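A task sequence that hangs like this gives no error, so it is worth detecting the stall from the log itself. The following added example (not from the original post) parses WUAHandler.log lines in the format quoted above and reports a stall when a search started but no completion was logged within a timeout. The three "stalled" lines are the ones from the post; the healthy lines are constructed for illustration, and the completion message used ("Successfully completed synchronous searching of updates.") is the one WUAHandler normally logs next (treat that wording as an assumption).

```powershell
# Added example (not from the original post). The $stalled lines are the ones
# quoted in the post; $healthy is constructed. Assumption: a normal scan logs
# "Successfully completed synchronous searching of updates." after the start line.
$healthy = @(
    'Going to search using WSUS update source. WUAHandler 09-Mar-16 13:58:01 2668 (0x0A6C)'
    'Synchronous searching of all updates started... WUAHandler 09-Mar-16 13:58:01 2668 (0x0A6C)'
    'Successfully completed synchronous searching of updates. WUAHandler 09-Mar-16 14:00:53 2668 (0x0A6C)'
    'Successfully completed scan. WUAHandler 09-Mar-16 14:00:53 3016 (0x0BC8)'
)
$stalled = @(
    'Successfully completed scan. WUAHandler 09-Mar-16 14:00:53 3016 (0x0BC8)'
    'Going to search using WSUS update source. WUAHandler 09-Mar-16 14:02:06 2668 (0x0A6C)'
    'Synchronous searching of all updates started... WUAHandler 09-Mar-16 14:02:06 2668 (0x0A6C)'
)

# Each line: <message> <Component> <dd-MMM-yy> <HH:mm:ss> <thread> (0x....)
$linePattern = '^(?<msg>.*?)\s+(?<component>\S+)\s+(?<date>\d{2}-[A-Za-z]{3}-\d{2})\s+(?<time>\d{2}:\d{2}:\d{2})\s+(?<thread>\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$'
$culture = [System.Globalization.CultureInfo]::InvariantCulture

function Test-WuaScanStalled {
    param([string[]]$Lines, [datetime]$Now, [int]$TimeoutMinutes = 30)

    # Parse every well-formed line into (Message, Time); ignore anything else.
    $events = foreach ($l in $Lines) {
        if ($l -match $linePattern) {
            [pscustomobject]@{
                Message = $Matches.msg
                Time    = [datetime]::ParseExact("$($Matches.date) $($Matches.time)", 'dd-MMM-yy HH:mm:ss', $culture)
            }
        }
    }

    # Last search start, and any completion logged at or after it.
    $started = $events | Where-Object Message -like 'Synchronous searching of all updates started*' | Select-Object -Last 1
    if (-not $started) { return $false }
    $completed = $events | Where-Object { $_.Time -ge $started.Time -and
                                          $_.Message -like 'Successfully completed synchronous searching*' }

    # Stalled = a search started, nothing completed it, and the timeout has elapsed.
    return (-not $completed) -and (($Now - $started.Time).TotalMinutes -gt $TimeoutMinutes)
}

$now = [datetime]::ParseExact('09-Mar-16 15:00:00', 'dd-MMM-yy HH:mm:ss', $culture)
Test-WuaScanStalled -Lines $healthy -Now $now
Test-WuaScanStalled -Lines $stalled -Now $now
# Against a live build: Test-WuaScanStalled -Lines (Get-Content C:\Windows\CCM\Logs\WUAHandler.log) -Now (Get-Date)
```

On a real reference-image build the same function can run from a task sequence step or a monitoring script against the live log; the timeout should be generous (a first WSUS scan of a bare Windows 7 SP1 image legitimately takes a long time), which is why the hundreds of post-SP1 updates were the problem in the first place.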
It seems we are not the only ones dealing with this problem. MS created a new solution for people like us dealing with these types of issues:
the so-called "Convenience rollup update for Windows 7 SP1".
You find more information about it here: https://blogs.technet.microsoft.com/windowsitpro/2016/05/17/simplifying-updates-for-windows-7-and-8-1/
And the corresponding KB article is here: https://support.microsoft.com/en-us/kb/3125574
The convenience rollup does not include updates that are not broadly applicable, updates that introduce behaviour changes, or hotfixes that need additional changes such as registry keys. So it shortcuts the whole process dramatically, but there are still other updates you need to apply on top. Note also that the rollup requires the April 2015 servicing stack update (KB3020369) to be installed first.
Monday, May 2, 2016
Use the Windows Phone Emulator without Visual Studio
Sometimes it is convenient to run the Windows Phone emulator on its own when you want to test things with the phone; running full Visual Studio does not really help, since you need an open (empty) project before the VS 2015 UI lets you start the VM.
This is useful if you play around with Intune, as I do from time to time, without disturbing my production phone. :-)
1. Install the current Windows Phone emulator (when I did it, the current version was 10586).
Requirements found here
And the download for the emulator setup found here
According to the requirements you need to install Visual Studio (Visual Studio Community is probably enough, but I cannot easily verify that as I always use the Enterprise edition).
2. Before you continue it is always wise to make a backup of your flash.vhd file.
You find the file here: "C:\Program Files (x86)\Windows Kits\10\Emulation\Mobile\10.0.10586.0\flash.vhd"
Once downloaded and installed (it takes a couple of minutes and eats up a few GB of disk space), try this:
Start the installed emulator as a VM with this command (without Visual Studio):
"C:\Program Files (x86)\Microsoft XDE\10.0.10586.0\XDE.exe" /name "My Win10 test emulator with default values" /memsize 2048 /vhd "C:\Program Files (x86)\Windows Kits\10\Emulation\Mobile\10.0.10586.0\Flash.vhd" /creatediffdisk "%LOCALAPPDATA%\Microsoft\XDE\10.0.10586.0\dd.480x854.1024.vhd" /snapshot /fastShutdown /noGPU
If your user is not a member of the Hyper-V Administrators group, you get this window and can fix it right away.
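Putting the steps together, the following added example (not from the original post) backs up flash.vhd once, checks the Hyper-V Administrators membership XDE needs before it fails with the dialog mentioned above, and then starts the emulator with the same parameters. It assumes emulator build 10.0.10586.0 in the default paths used above.

```powershell
# Added example (not from the original post). Assumes emulator 10.0.10586.0
# installed in the default paths from the post.
$xde    = 'C:\Program Files (x86)\Microsoft XDE\10.0.10586.0\XDE.exe'
$flash  = 'C:\Program Files (x86)\Windows Kits\10\Emulation\Mobile\10.0.10586.0\Flash.vhd'
$diff   = Join-Path $env:LOCALAPPDATA 'Microsoft\XDE\10.0.10586.0\dd.480x854.1024.vhd'
$backup = "$flash.orig"

foreach ($p in $xde, $flash) { if (-not (Test-Path $p)) { throw "Not found: $p" } }

# Step 2 of the post: keep a pristine copy of flash.vhd (first run only).
if (-not (Test-Path $backup)) { Copy-Item -Path $flash -Destination $backup }

# XDE needs the caller to be in the local "Hyper-V Administrators" group
# (well-known SID S-1-5-32-578) or to be a local administrator.
$me        = [Security.Principal.WindowsIdentity]::GetCurrent()
$isHvAdmin = $me.Groups | Where-Object { $_.Value -eq 'S-1-5-32-578' }
$isAdmin   = ([Security.Principal.WindowsPrincipal]$me).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isHvAdmin -and -not $isAdmin) {
    Write-Warning "Add $($me.Name) to 'Hyper-V Administrators' (then log off and on), e.g. from an elevated prompt:"
    Write-Warning "  net localgroup `"Hyper-V Administrators`" `"$($me.Name)`" /add"
}

# /snapshot plus a differencing disk keeps the flash image itself untouched;
# /fastShutdown and /noGPU as in the post.
$xdeArgs = @(
    '/name', '"My Win10 test emulator with default values"',
    '/memsize', '2048',
    '/vhd', "`"$flash`"",
    '/creatediffdisk', "`"$diff`"",
    '/snapshot', '/fastShutdown', '/noGPU'
)
Start-Process -FilePath $xde -ArgumentList $xdeArgs
```

If you ever need to reset the emulator to factory state, delete the differencing disk under %LOCALAPPDATA%\Microsoft\XDE and, if flash.vhd was modified, copy the .orig backup back over it.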
Known issues (as of 10.0.10586.11, the version installed from the link above):
1. The Store only updates apps that are already in the image.
2. The Store cannot download new apps (you get a wide range of error messages).
3. If you start the VM directly in Client Hyper-V, the additional emulator features are missing; it is just like a normal computer VM with limited capabilities.
Commandline Help
Here are all the parameters xde.exe (build 10586) shows with /?
Windows Store for Business - a quick setup primer
Recently I had to create a demo environment to show how Windows Store for Business works. (updated 04.07.2017)
Here is a quick primer.
First, to make sure we have the right understanding:
"Windows Store for Business" is a separate cloud service that lives side by side with the Windows Store. (This is essential for the next steps.)
It is a great feature that works with your own company account (!).
Wow, if this runs in the cloud, how does Microsoft know my account?
This is a very common question I get these days, so let me clarify a few things.
Windows 10 made single sign-on to cloud services very easy (it is not brand new, but it now works with more than 2500 cloud services in the Azure AD application gallery, as of April 2016). That means you can use your company account to log on to Facebook, Twitter, Citrix GoToMeeting and many others; name one and it is probably supported.
For this your account must be synced to Azure Active Directory (a cloud-based user directory that is under your full control and improves your security with features like multi-factor authentication (MFA) and much more; it is really worth spending extra time on this topic).
And guess what: Windows Store for Business is one of these 2500+ cloud services, which is why you can log on there with your account and password. (For the security-minded: relax, with federation your own domain controller decides whether the user's password is right or wrong. Keyword: Active Directory Federation Services (ADFS). If you use password hash synchronization instead, Azure AD validates the password against the synced hash.)
Back to our quick primer (assuming you already have Azure AD set up; if not, a later post will show how):
Windows Store for Business Quick-Start
https://technet.microsoft.com/en-us/windows/store-for-business.aspx
How to set it up:
2. Log on there with your local domain account (it must be synced to Azure AD first!)
- Hint for MS partners: you can use your demo environment from demos.microsoft.com
- If your domain name has not yet been verified in Azure AD, the user must log on with the cloud suffix, like User.Name@xxxxxxxx.onmicrosoft.com
3. Read the EULA. You need to agree to it!
4. Now you are ready to set it up.
5. Here we will simply add a few apps from the public store and make them available to users in the Store app.
8. Leave the default value to make it available to all users
(repeat the steps for all Office Mobile apps)
9. It may take a while until the content is visible in the store.
10. When you are finished it looks like this:
11. A few hours later (18 in my case) you will see this:
Finally, on the client it looks like this:
A. You open the Store and find another tab:
B. When you click on the tab it looks like this:
When you are looking for information on how to bring LOB apps to the store you should also consult these sites:
https://docs.microsoft.com/en-us/windows/uwp/publish/distribute-lob-apps-to-enterprises
In some cases you want to deploy offline apps. They also need to go through the store before you can download them and deploy them via SCCM.
Check out this site as well: https://docs.microsoft.com/en-us/microsoft-store/distribute-offline-apps