Everything posted by AWS

  1. You could try to get one on Electronics, Cars, Fashion, Collectibles & More | eBay or another site. Why would you? Windows XP is old, and the minute it gets installed it gets infected. Windows XP was the most insecure version of Windows ever. If you really want to install Windows XP, here is a link to download a virtual hard disk that you install in VMware or other virtualization software. https://windows-xp-mode.en.softonic.com/download
  2. Is this an Epson printer giving you the error? If it is, try this:
  3. The openSUSE project is currently undertaking a brand refresh aimed at establishing a distinct identity from its parent company, SUSE. Community designers were invited to submit designs for an updated openSUSE logo, and a public vote launched to help the project narrow down the shortlist to potential winners (the ultimate victor will be decided by the project). With the finish line for the vote set for December 12th, the clock’s ticking if you want to cast your vote in helping shape the future brand appeal of this iconic Linux distribution.

     [Image: Subtle evolution: openSUSE’s logo hasn’t changed much in years]

     Why does openSUSE want a new logo? As said, the project wishes to develop a brand identity that stands independently from SUSE, underlining the project’s distinctiveness within the open-source community. Or to quote openSUSE’s Douglas DeMaio directly: “The brands of both SUSE and openSUSE can oftentimes confuse people who don’t understand the relationship between the open-source company SUSE and the open-source community project openSUSE.” Think of it as aiming for an identity that is “less corporate, more community.”

     [Image: Karma chameleon: a handful of the many candidates]

     After a winning logo is selected, there won’t be an immediate logo swap. Instead, the new logo will phase in gradually. The iconic “Geeko” lizard logo will continue to be used (there’s a lot of existing promotional materials with it on) during the transition period. Conservationists will be pleased to hear the iconic openSUSE chameleon isn’t about to go extinct. All of the 30+ logos available in the vote are creative variations of the much-loved lizard. So if you haven’t already done so, be sure to hop on board and make your voice count defining a new direction for this Linux distro!

     • Take the openSUSE logo survey

     The post You Can Vote for openSUSE’s New Logo – But Not For Long! is from OMG! Linux Continue reading...
  4. My iPad is old. I am looking to upgrade. I waited for the new models to be revealed. To me, last year's iPad with M3 looks like what I'll buy. Wasted a year waiting and will wind up with what I could have had. That's the first time that the iPad gets a processor that is faster than the Mac, isn't it? Maybe M3 Max is still faster than the M4, but still, that's quite a revolution. What do you think? Continue reading...
  5. Microsoft is aware of and has released patches for the two open-source software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217. Through our investigation, we found that these affect a subset of our products and as of today, we have addressed them in our products as outlined below:

     CVE-2023-4863
     • Microsoft Edge
     • Microsoft Teams for Desktop
     • Skype for Desktop
     • Webp Image Extensions (released on Windows and updated through the Microsoft Store)

     CVE-2023-5217
     • Microsoft Edge

     Additional updates will be documented in the MSRC Security Update Guide entries for CVE-2023-4863 and CVE-2023-5217 accordingly. You can register for the security notifications mailer to be alerted when updates are available, and when content changes are made to the CVEs. See Microsoft Technical Security Notifications and Coming Soon: New Security Update Guide Notification System.

     References: Visit the Security Update Guide for information about CVE-2023-4863 and CVE-2023-5217 Continue reading...
  6. Today, we are adding a new Security Advisory tab to the Security Update Guide to meet our customers’ needs for a unified and authoritative source for the latest public information about Microsoft security updates and issues. We are continuously listening to feedback from users of the Security Update Guide. Our goal is to find new and improved ways to help customers manage security risks and keep their systems protected. Continue reading...
  7. The re-birth of FPCHF was derailed for a few days. Since I dusted off the cobwebs on the old servers from when the site first started way back in 2003, one of the drives failed. As it happened, it was the drive that had all the data on it. I replaced the drive and the others as well, reinstalled the OS and started the data import. Please bear with me as I upgrade and fix things. I will keep you informed during the process of getting the site in tip-top shape.
  8. Introduction

     In this blog post, I would like to introduce you to packaging and patching your applications. You might have tried to manually package applications into Microsoft Intune before and also made sure to update an application. It takes a lot of time to prepare and test an application before deploying it. Microsoft has luckily come to the rescue and introduced Enterprise App Management! Let's take a closer look at it in this blog and see how it works.

     Security for Beginners course

     Would you like to expand your knowledge in the security world? I might have found the course for you. It's designed to help you get started with the fundamentals behind security. Take a look at the course right here: Cybersecurity for Beginners

     Enterprise App Management

     The Enterprise App Catalog is a new app type for Windows devices in Intune. The catalog contains applications based on the Win32 app type that you might have used before for application deployment. The catalog contains, at this time, 100 prepackaged applications; this number is expanding over time. Some of the apps in the catalog are self-updating, which means that the application will automatically update when the vendor releases a new version. Not all applications in the catalog are self-updating. The applications that are self-updating have the below message displayed in Intune.

     Licensing for Enterprise App Management

     If you are thinking about utilizing the Enterprise App Management feature in Intune, you have to be aware of which license you have to use. There are two options available for you.
     • Standalone add-on: There is an option to buy the Enterprise App Management feature as a standalone add-on if you don't want to use the other features in Intune Suite.
     • Intune Suite: If you would like to utilize more than the Enterprise App Management feature, you can take a look at the Intune Suite license. It includes features such as endpoint privilege management, advanced analytics, and more!
     If you are more curious about the options, I would highly recommend you take a look right here.

     Configuration

     Once you have acquired the license for Enterprise App Management, it is time to take a look at the exciting part - configuration!
     1. Head into our (at least my) favorite portal of them all, the Intune portal.
     2. Click on Apps, and last but not least, All apps.
     3. Once you are in the apps section, click Add. In the app type section, scroll down to the Enterprise App Catalog app. Make sure to click Select once you have clicked on the Enterprise App Catalog app.
     4. As you can see now, we are in the machinery. This is where we can start configuring. Select an app from the catalog; in my case, I will pick 7-Zip.
     5. I will click Next and pick the configuration of the app. Once that's done, remember to click Select. The options available for configuration can be different from app to app.

     Have you tried to deploy apps from Intune before? Remember all the fields that you have to fill out before the application can be deployed? Microsoft makes sure to pre-populate a lot of the information in the Enterprise App Catalog. This includes the app and program information, as well as the requirements and detection rules for the application. If you are satisfied with the pre-populated information from Microsoft, you can simply press Next through the tabs and deploy the application. Be aware that you can't make the assignments before the application has been created, so this has to be done afterwards.

     Conclusion

     Thank you for reading through this blog. I hope it gave you some insights on how Enterprise App Management works. In my opinion it makes the deployment of the applications easier and faster.

     Microsoft Learn references

     Take a look below for official documentation for Enterprise App Management.
     • Microsoft Intune Enterprise Application Management
     Do you want to get started with application management in Intune? Take a look at the training below.
     • Understand app management using Microsoft Intune
     Continue reading...
  9. Microsoft is headed to VMware Explore 2023 in Barcelona

     After seeing everyone in person at the Las Vegas VMware Explore event, we are even more excited for Barcelona! If you want to know about Azure, the work we are doing with VMware, or just have a great conversation, we’d love to talk to you, so stop by our booth! This year we will have a bunch of sessions with Microsoft employees on stage, so if you're building out your schedule check them out:

     Microsoft Keynote: Transform your VMware Workloads with Microsoft Azure
     Speaker: Jeff Woolsey, Principal PM Manager, Microsoft
     Date/Time: Wednesday, November 8 @ 9:00 - 10:00 CET

     Jeff will share how customers can transform their on-prem VMware environments using Microsoft Azure. Keynote attendees will learn how to:
     • Learn about everything that’s new in Windows Server 2022 and address end of support for Windows Server 2012
     • Use familiar VMware skills to migrate or extend your VMware environment to the cloud, including hybrid cloud options with Azure VMware Solution and Azure Arc
     • Modernize hybrid work with Azure Virtual Desktop and Horizon Cloud
     • Learn how Azure VMware Solution could be the ideal landing spot for those looking to migrate their SQL Server workloads to Azure, but still want to use Unlimited Virtualization

     In addition, here are some other Microsoft Azure-related sessions that we highly recommend for learning more about Azure and VMware (day and time | topic | session title | session ID):

     Monday, Nov. 6, 15:00-16:30 | Azure VMware Solution | Azure VMware Solution: Networking & Security Deep-Dive | CEIT2450BCNS
     Tuesday, Nov. 7, 11:30-12:00 | Azure VMware Solution | Meet the Expert Roundtable: Ask me anything about Azure VMware Solution | CEIM2452BCNS
     Tuesday, Nov. 7, 11:45-12:30 | Azure VMware Solution | Azure VMware Solution Lessons Learned: Designing, Migrating, and Operating | CEIB2451BCNS
     Wednesday, Nov. 8, 9:00-9:45 | Azure VMware Solution | Microsoft Executive Keynote: Transform your VMware workloads with Azure | CEIB2488BCNS
     Wednesday, Nov. 8, 10:15-11:00 | Azure VMware Solution | Azure VMware Solution: Migration on Steroids | CEIB2547BCNS
     Wednesday, Nov. 8, 11:30-12:15 | Azure VMware Solution | Pave the way to innovation with Azure, Azure Arc, Windows & SQL Server! | CEIB2489BCNS
     Wednesday, Nov. 8, 12:45-13:30 | Azure VMware Solution | Bring Azure to your VMware vSphere environment on premises and in the cloud | CEIB2490BCNS
     Wednesday, Nov. 8, 12:45-13:30 | Azure VMware Solution | Speed Your Azure Migration with the Latest Azure VMware Solution Features | CEIB2033BCN
     Wednesday, Nov. 8, 13:30-14:00 | Azure VMware Solution | Meet the Expert Roundtable: Ask me anything about Azure VMware Solution | CEIM2453BCNS
     Wednesday, Nov. 8, 14:00-14:45 | Azure VMware Solution | Extending Windows in the Cloud with VMware Horizon | EUSB2491BCNS
     Wednesday, Nov. 8, 14:00-14:45 | Azure Virtual Desktop | Radically Simplify Your Published App Architecture with Apps on Demand | EUSB1594BCN

     During the event we will also have presentations in our booth at the bottom of every hour! Be sure to stop by! Continue reading...
  10. We are happy to announce new content updates to Microsoft 365 Learning Pathways (M365LP), our free and customizable, on-demand training solution for September 2023. This update included five (5) new playlists for Microsoft Viva Engage, under the Microsoft 365 training section. The new playlists are below. Read our what’s new documentation here for more details. Get started with Viva Engage Communities Storyline Leadership Answers in Viva Campaigns Analytics Viva Engage Mobile App Microsoft Viva Engage playlists Since 2019, M365LP has been helping drive healthy usage and adoption of Microsoft 365 apps and services, providing customers with content streamed from Microsoft for key services such as Microsoft Teams, Office apps (e.g., Word, Excel, and PowerPoint), Planner and more. Once installed, this solution can be customized to your organization’s brand and service usage, custom playlists can be created for your own business processes, and the entire experience is configured in SharePoint Online to give you maximum familiarity and flexibility. Learn more about M365LP here. Microsoft 365 Learning Pathways, your customizable, on-demand training solution Our upcoming releases will include Viva Insights and Viva Topics in October and Viva Amplify in November. Use this new content and our upcoming releases as an opportunity to update your app and re-engage your users. On-demand, micro training is a great way to help people learn in the flow of work. Continue reading...
  11. Today, we’re excited to announce that the new Outlook for Windows is generally available for personal accounts through the Microsoft Store on Windows 11 and the Sept. 26 Windows fall update. It’s a free app for Windows users designed to help you easily connect and coordinate your various email accounts and calendars in one place, with a sleek and modern interface. You can write clear, concise emails and get intelligent suggestions with built-in AI, seamlessly and securely attach important documents and photos to any note, and access OneDrive files and Office web apps without a subscription. Newly purchased Windows devices running Windows 11, version 23H2 or higher, and some devices upgrading to Windows 11, version 23H2, will also see the new Outlook pre-installed*. The new Outlook for Windows is already actively used by millions in preview stage, and remains in preview for commercial customers with availability to be announced at a later date.

     For years, Windows has offered the Mail and Calendar apps for all to use. Now Windows is bringing innovative features and configurations of the Microsoft Outlook app and Outlook.com to all consumers using Windows – at no extra cost, with more to come. For Microsoft 365 subscribers, there’s even more to enjoy on the new Outlook, including an ad-free inbox, additional mailbox and cloud storage, advanced security benefits, and premium features across Microsoft 365 apps.

     Streamline email & calendar in one app

     We are constantly trying to get things done so that we have time for the things that matter. As we move through our day, we schedule and track events and appointments on digital calendars while we communicate, confirm, and plan with others through email, whether it’s a child’s teacher, a hiring manager for a prospective job, or friends planning a trip. Microsoft Outlook is committed to meeting our ever-changing needs with email and calendars, so core to our modern way of living, at home, work or on the go. Whether your email service of choice is Outlook.com, Hotmail.com, Gmail, Yahoo, iCloud, or a provider that uses IMAP (or all of the above), you can use the new Outlook for Windows. Add your various accounts and see all your calendars in one view, and toggle between accounts to see your emails and contacts.

     Write better emails with AI

     With the new Outlook for Windows, you can write better emails with AI built into the app. Help keep your sentences concise and error-free with intelligent spelling and grammar checks. If you have a Microsoft 365 Personal or Family subscription, you will also get advanced AI writing tools via Microsoft Editor, providing suggested refinements for clarity, conciseness, inclusive language and more to make your emails polished and professional. Copilot and other advanced AI features will be offered for the new Outlook for Windows at a later date.

     Connect seamlessly to Microsoft 365 apps

     The new Outlook for Windows is designed to connect seamlessly with free Microsoft Word, Excel, and PowerPoint web apps with the click of a button, perfect for making quick edits and comments. You can even access and attach OneDrive files right from your inbox. It’s never been easier to find the documents you’ve been working on and share them securely with the new Outlook for Windows.

     Intelligent tools to keep you organized

     Another key improvement in the new Outlook for Windows compared to Windows Mail and Calendar is how it can help you stay on top of your day. Here is a sampling of these great features:
     • With My Day view, you can see your upcoming calendar events and tasks anywhere in Outlook.
     • Package delivery and upcoming travel dates are automatically added to your calendar from your email confirmations, and you can view the weather forecast in your calendar at any time.
     • You can pin emails to the top of your inbox so they are easy to find later, snooze emails to temporarily hide them and then have them reappear when you’re ready to respond, and get reminders to follow up on important conversations.
     • Schedule email sends to deliver at the best time for the recipient, or undo a sent email within ten seconds.
     • Use the sweep function to clean up your inbox quickly by setting advanced inbox rules for incoming mails.

     Customize your inbox to your personal style

     The new Outlook for Windows allows you to customize your viewing experience to ensure you are getting the Outlook view you want – based on your mood and style. Choose from over 50 themes and 150+ fonts and customize how many emails you want to see in your inbox with roomy, cozy, and compact view options.

     Also included for all users of the new Outlook for Windows is spam and malware filtering. Those who purchase a Microsoft 365 Basic, Personal, or Family subscription will also get advanced security benefits** like end-to-end message encryption. For complete details, visit the new Outlook for Windows page.

     Millions of people are already using the new Outlook for Windows every day by installing from the “Try the new Outlook” toggle button in the Mail or Calendar app. That toggle is still available today, or we invite you to download through the Microsoft Store on Windows 11 or enjoy on your new Windows 11 device*.

     * New Outlook for Windows is available on all Windows builds >23H2. Note in some cases you may not get the new Outlook pre-installed.
     ** Applies to Microsoft email accounts (Outlook.com, Hotmail.com, Live.com, and MSN.com) Continue reading...
  12. Support for restoring database backups from Amazon S3 to Azure SQL Managed Instance (MI) is now Generally Available (GA)! This feature offers users a flexible way of restoring backups and makes database migration to Azure SQL Managed Instance easier. Dive into this post to understand the scope and benefits of this new feature.

     Background

     In September last year SQL Server 2022 introduced a new feature, backup and restore to Simple Storage Service (S3)-compatible object storage, that grants the user the capability to back up or restore their databases using S3-compatible object storage, whether that be on-premises or in the cloud. To provide this integration Azure SQL MI is enriched with a new S3 connector, which uses the S3 REST API to connect to Amazon S3 storage. It extends the existing RESTORE FROM URL syntax by adding support for the new S3 connector using the REST API.

     Prerequisites for the Amazon S3 endpoint

     The S3 endpoint must be configured as follows:
     • A user (Access Key ID) has been configured and the secret (Secret Key ID) for that user is known to you. You need both to authenticate against the S3 endpoint.
     • At least one bucket with a .bak file has been configured.

     Prerequisites for Azure SQL Managed Instance

     The Azure SQL Managed Instance must be configured as follows:
     • The user must have permissions to connect to Azure SQL Managed Instance and run T-SQL scripts to perform restore operations.
     • The Network Security Group (NSG) must have outbound security rules set to allow the TCP protocol on port 443 to Any destination. Make sure other network security rules in tools such as Network Manager, Azure Firewall, and similar are not blocking outbound traffic.

     How to restore from S3 bucket via T-SQL

     In this example we will show how to restore .bak file(s) from an AWS S3 bucket.

     1. Make sure you have the right file path from Amazon S3

     The easiest way to get a proper S3 URL of a .bak file you want to restore to Azure SQL MI is to navigate to the S3 bucket and the specific folder where the .bak files are located. Now select a .bak file and click “Copy URL“ to copy the correct URL.

     [Image: Copying S3 URL]

     Keep the copied URL handy. Pro tip: if you use Windows you can use Windows logo key + V to see clipboard history.

     2. Create credential

     First navigate to the T-SQL query editor of your choice and connect to the Azure SQL Managed Instance. To restore from an S3 bucket you first need to set up a credential to retrieve files from the S3 bucket. To do so, follow the next template and choose one of these two file path options (the placeholders in angle brackets are to be replaced with your own values):

         -- Option 1
         CREATE CREDENTIAL [s3://<bucket_name>.<s3_endpoint>/<folder>]
         WITH IDENTITY = 'S3 Access Key', SECRET = '<AccessKeyID>:<SecretKeyID>';

         -- Option 2
         CREATE CREDENTIAL [s3://<s3_endpoint>/<bucket_name>/<folder>]
         WITH IDENTITY = 'S3 Access Key', SECRET = '<AccessKeyID>:<SecretKeyID>';

     Make sure you always use the path in your restore command as it is defined in your credential. This is the "real" credential we'll use in our example:

         CREATE CREDENTIAL [s3://realbucket.s3.us-east-2.amazonaws.com/TestFolder]
         WITH IDENTITY = 'S3 Access Key', SECRET = 'REAL_ACCESS_KEY:REAL_SECRET_KEY';

     3. Test credential

     After having the credential set, now is the moment to perform a test on the backup file stored in the AWS S3 bucket. We can do this by performing RESTORE HEADERONLY.

         RESTORE HEADERONLY FROM URL = 's3://realbucket.s3.us-east-2.amazonaws.com/TestFolder/TestBackup.bak';

     After running this script you shall be able to see the results from reading a backup header as following.

     [Image: Test results]

     4. Restore database from single .bak file on S3

     If you have received results, that means you now have everything prepared for performing the native restore from the S3 bucket. The script for performing a restore operation from the S3 endpoint location looks like this:

         RESTORE DATABASE <database_name> FROM URL = 's3://<s3_endpoint>/<bucket_name>/<backup_file>.bak';

     You can also use the "Option 1" URL with the bucket name in front. In our example below with the "real" URL, we use option 1 since that one matches our credential.

         RESTORE DATABASE [DB1] FROM URL = 's3://realbucket.s3.us-east-2.amazonaws.com/TestFolder/TestBackup.bak';

     Note: You cannot have your database pre-created. When performing a native restore Azure SQL Managed Instance will create a database on your behalf. This is a general limitation; it is not S3-specific.

     5. (Optional) Restore from multiple .bak files on S3

     You can also perform a native restore from multiple .bak files located in AWS S3 just by simply adding multiple URLs, like usual. Follow the next template to perform this:

         RESTORE DATABASE <database_name> FROM
             URL = 's3://<s3_endpoint>/<bucket_name>/<backup_file>_01.bak',
             URL = 's3://<s3_endpoint>/<bucket_name>/<backup_file>_02.bak',
             URL = 's3://<s3_endpoint>/<bucket_name>/<backup_file>_03.bak',
             -- ...
             URL = 's3://<s3_endpoint>/<bucket_name>/<backup_file>_64.bak';

     Note: The limit is 64 files, and this works for both file path options. If you receive any error, you can check the best practices & troubleshooting page.

     How to restore from S3 bucket via SSMS

     If you use SSMS 19.1 or later, you can also utilize the restore wizard. Once you are connected to Azure SQL Managed Instance, right-click on Databases and click on the “Restore Database” item.

     [Image: Opening SSMS' restore database wizard]

     This will lead you to the restore wizard where you can add S3 URLs to your backups; make sure you also populate the details about credentials.

     [Image: SSMS Restore Database wizard to restore from S3 URL]

     When restoring a database via the SSMS wizard, be aware that it will read the DatabaseName field from the .bak file and will prepopulate the destination database name. Make sure you do not already have a database with the same name, or change the destination database name. After the completion of the restore you will receive a popup that will let you know it has been successful. You can also restore from multiple .bak files in SSMS as well.

     Conclusion

     In this blog post we have outlined the steps to retrieve the file path from S3 and the methods for restoration via T-SQL and SSMS, along with key prerequisites. Backup to S3 is currently not supported, but feel free to nominate it on the Azure SQL Ideas forum. If you find this guide useful, please share it with others who might benefit. Happy restoring!

     Related articles
     • RESTORE (Transact-SQL) - SQL Server | Microsoft Learn
     • Automated backups in Azure SQL Managed Instance | Microsoft Learn
     • Backup & restore with S3-compatible object storage - SQL Server | Microsoft Learn
     • SQL Server backup to URL for S3-compatible object storage - SQL Server | Microsoft Learn
     • Release notes for SQL Server Management Studio (SSMS) | Microsoft Learn
     • Back up to URL best practices & troubleshooting for S3-compatible object storage - SQL Server | Microsoft Learn
     Continue reading...
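     As an added example that is not part of the original post, the following Python script turns the T-SQL steps above (create credential, RESTORE HEADERONLY, RESTORE DATABASE) into generated statements and applies the two rules the post states: the backup URL must continue the path the credential was created for, and one RESTORE may name at most 64 files. The bucket, region, folder, file and key values in it are made up, and the prefix check is this script's own reading of the post's "use the path as it is defined in your credential" advice rather than a rule quoted from SQL Server documentation.

```python
"""Generate and sanity-check the T-SQL for restoring an Azure SQL Managed
Instance database from Amazon S3.

Added example, not code from the original post. It applies two rules the post
states: the backup URL must continue the path the credential was created for,
and one RESTORE may name at most 64 files. Bucket, region, folder, file and
key values used here are made up."""
from urllib.parse import urlparse

MAX_BACKUP_FILES = 64          # limit stated in the post
S3_IDENTITY = "S3 Access Key"  # fixed IDENTITY value for S3 credentials


def _check_s3_url(url):
    p = urlparse(url)
    if p.scheme != "s3" or not p.netloc:
        raise ValueError(f"not an s3:// URL: {url!r}")


def _bracket(name):
    """T-SQL bracketed identifier; ']' is escaped by doubling it."""
    return "[" + name.replace("]", "]]") + "]"


def _quote(text):
    """T-SQL string literal; a single quote is escaped by doubling it."""
    return "'" + text.replace("'", "''") + "'"


def url_matches_credential(credential_name, backup_url):
    """True when backup_url lies under the credential path.
    This script's check: same host (compared case-insensitively, it is DNS)
    and the credential path plus '/' as a case-sensitive prefix of the key."""
    _check_s3_url(credential_name)
    _check_s3_url(backup_url)
    cred, url = urlparse(credential_name), urlparse(backup_url)
    if cred.netloc.lower() != url.netloc.lower():
        return False
    prefix = cred.path.rstrip("/") + "/"
    return url.path.startswith(prefix) and len(url.path) > len(prefix)


def create_credential_sql(credential_name, access_key_id, secret_key):
    """CREATE CREDENTIAL for an S3 path; SECRET is '<AccessKeyID>:<SecretKeyID>'."""
    _check_s3_url(credential_name)
    if ":" in access_key_id:
        raise ValueError("access key ID must not contain ':' (it separates the SECRET halves)")
    return (f"CREATE CREDENTIAL {_bracket(credential_name)} WITH IDENTITY = "
            f"{_quote(S3_IDENTITY)}, SECRET = {_quote(access_key_id + ':' + secret_key)};")


def header_check_sql(credential_name, backup_url):
    """RESTORE HEADERONLY (the post's step 3): proves the credential works before restoring."""
    if not url_matches_credential(credential_name, backup_url):
        raise ValueError(f"{backup_url} is not under credential path {credential_name}")
    return f"RESTORE HEADERONLY FROM URL = {_quote(backup_url)};"


def restore_sql(database, credential_name, backup_urls):
    """RESTORE DATABASE from one or more files (steps 4 and 5).
    The target database must not already exist; MI creates it."""
    if not backup_urls:
        raise ValueError("no backup files given")
    if len(backup_urls) > MAX_BACKUP_FILES:
        raise ValueError(f"{len(backup_urls)} files exceeds the limit of {MAX_BACKUP_FILES}")
    bad = [u for u in backup_urls if not url_matches_credential(credential_name, u)]
    if bad:
        raise ValueError(f"URLs not under credential path {credential_name}: {bad}")
    urls = ",\n    ".join(f"URL = {_quote(u)}" for u in backup_urls)
    return f"RESTORE DATABASE {_bracket(database)} FROM\n    {urls};"


if __name__ == "__main__":
    # Constructed values; the credential uses the post's "Option 1" (bucket name in front).
    cred = "s3://examplebucket.s3.us-east-2.amazonaws.com/Backups"
    files = [f"{cred}/DB1_{i:02d}.bak" for i in (1, 2)]
    print(create_credential_sql(cred, "AKIAEXAMPLE", "wJalrEXAMPLEsecret"))
    print(header_check_sql(cred, files[0]))
    print(restore_sql("DB1", cred, files))
```

     Run it as a script to print the three statements for the constructed values; the mismatch it rejects (a path-style URL against an Option 1 credential, or a sibling folder) is exactly the case where the restore would fail for lack of a matching credential.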
  13. We are pleased to announce the security review for Microsoft Edge, version 116! We have reviewed the new settings in Microsoft Edge version 116 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 114 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. Microsoft Edge version 116 introduced 8 new computer settings and 8 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them. As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here. Please continue to give us feedback through the Security Baselines Discussion site or this post. Continue reading...
  14. We are happy to share new updates to the OneNote Android app. You can now capture notes at the speed of your thought with a refreshed notetaking canvas that is easy to use and has a lot of new editing capabilities that you have been asking for. In this blog post we will cover updates of the following features:
     • Contextual Command Bar optimization
     • Additional capture modalities (using + button)
     • Real time note sharing
     • Insert shapes in ink mode
     • Insert tables
     • Update font color and style
     • Update page color and style

     1. Command Bar optimization - All the text mode commands you need, such as checklists, bullet lists and text formatting, are available to you as you start typing a new note. These commands are dynamically brought to the forefront, as per the usage pattern, to ensure you only see what’s important to you.
     2. Additional capture modalities (using ‘+’ icon) - Introducing a streamlined approach for quick capture and switching between different note formats. Capture text, images, voice, ink, URLs, tables, attachments and annotate them all in one convenient note. Save time and reduce cognitive load with the ‘+’ icon on your command bar.
     3. Real time note sharing - Click on the three-dot menu on the top right to access note level actions. You can now apply a page style, file the note to a different notebook, add the note to your home screen, delete, share your note in real time (enhancing collaboration and knowledge sharing) and more.
     4. Insert shapes in ink mode - Tap the ‘+’ icon on the top right to switch to ink mode. Select the newly introduced shapes icon to view a list of all the shapes you can add to your notes.
     5. Insert tables - As you are typing a note, click on the table icon within your contextual command bar. By default, a 3x3 table will be inserted into your note, but you can add or delete rows/columns as per your need.
     6. Update font color and style - Let your notes reflect your style and personality. Tap on the text formatting option within your contextual command bar and select the fonts icon. You can change the style, color and size of your text and headings as per your choice to format your notes.
     7. Update page color and style - Tap on the triple-dot menu to get the page color option. Tap on the button, access a range of page color options, select the perfect hue to set the mood or choose from rule lines to enhance the structure of your notes.

     We’d love to hear from you! We’re excited about the future of OneNote and look forward to hearing your feedback to make OneNote the best place for your notes. Please continue to tell us what you think through the in-app feedback and in the comments below! Be sure to join our Tech Community to stay up to date with the latest. Follow OneNote Blog and connect with us on Facebook and Twitter for regular product updates. Continue reading...
  15. Ubuntu Server is one of the most popular Linux distributions in the cloud. While many Azure customers are happy with Ubuntu Server as a free, community-supported distribution, Microsoft recommends you consider Ubuntu Pro for enhanced support from Canonical, including live kernel patching and extended security updates for more than 25,000 packages for 10 years. Customers may also benefit from switching to Ubuntu Pro to continue receiving support on images that have reached the end of support (Ubuntu Server 18.04 reached end of support on 31 May 2023). Today, in collaboration with Canonical, we are making it even easier to adopt Ubuntu Pro with the new support for in-place migration without the need to redeploy your VM or schedule a maintenance window. Azure is the first cloud to offer in-place upgrade from Ubuntu Server to Ubuntu Pro with zero downtime, saving you time and resources and minimizing disruption.

     "Through our strategic partnership with Azure, we demonstrate our shared dedication to delivering robust cloud solutions that prioritize security, compliance, and longevity. This partnership streamlines operations and makes the adoption of open-source software on Azure straightforward and effortless" - Alex Gallagher, VP of cloud.

     You can convert to Ubuntu Pro via the command line (CLI) in a few simple steps. As an example, run the following with the Azure CLI:

         # The following will enable Ubuntu Pro on a virtual machine
         az vm update -g myResourceGroup -n myVmName --license-type UBUNTU_PRO

     And the following commands in the instance that you have converted:

         sudo apt install ubuntu-advantage-tools
         sudo pro auto-attach

     You can check that Ubuntu Pro is enabled on your instance by running:

         pro status --all --wait

     Note the “Subscription: Ubuntu Pro” line and that both the “esm-infra” and “esm-apps” services have a status of “enabled”. You can also use the --license-type UBUNTU_PRO option shown above during VM creation (az vm create) for a new instance with Ubuntu Pro enabled from launch (on Ubuntu 16.04 and 18.04 you will also need to run the in-instance commands above). Please note that you will be charged by Microsoft for Ubuntu Pro as part of the Preview. Pricing for Ubuntu Pro starts at $0.01/hour.

     Combined with the recently announced enhanced security awareness through Azure Guest Patching Service (AzGPS), Ubuntu users on Azure now have a comprehensive system to identify Ubuntu instances running older releases that would benefit from Extended Security Maintenance, plus a straightforward mechanism to attach Ubuntu Pro to gain access to it.

     Get Started

     Visit our documentation to get started with upgrading from Ubuntu Server to Ubuntu Pro on your existing Azure Virtual Machines. You can also read Canonical’s blog to learn more about the benefits of Ubuntu Pro. Continue reading...
  16. Introduction

Misconfigurations are common entry points for attackers. Cloud misconfigurations occur when cloud resources are set up with incorrect or insecure settings, leaving them vulnerable to exploitation. Misconfigurations can lead to sensitive data being exposed to the public internet or to unauthorized users, or can open up unnecessary ports, services, or permissions that attackers can exploit. Proactive security management for cloud misconfiguration is essential to maintaining a strong security posture. In this blog, I will walk through a few scenarios of misconfigured AWS Cloud resources and how Microsoft Defender for Cloud can help proactively identify misconfigurations and allow security teams to prevent risks and remediate quickly.

Proactively secure your AWS resources

Prerequisites: To protect resources in Amazon Web Services (AWS), you need to set up the connection between your AWS account and Microsoft Defender for Cloud. Please refer to the guidance here. Defender for Cloud uses AWS environment context to perform a risk assessment of your security issues. Enabling the Defender CSPM plan on your AWS connector is a mandatory prerequisite for the contextual security capabilities, including Attack Path Analysis and Cloud Security Explorer. Learn more about the cloud security graph, attack path analysis, and the cloud security explorer.

Use case scenarios: The following fictitious scenarios will help you understand how this capability can assist you to proactively secure your AWS resources. Keep in mind that while these are fictitious scenarios, they are based on real-world situations that our customers face while trying to protect their multicloud resources.

Scenario 1: Contoso Bank is using Amazon S3 to store sensitive customer data, financial records, and proprietary business information. They have set up a private S3 bucket called "PrivateDataBucket" to store this data securely. The bucket is configured with strict access controls, and data is intended to be accessible only to authorized personnel. Contoso Bank’s data engineering team decides to set up a data replication process to facilitate data analysis. They intend to replicate data from the "PrivateDataBucket" to another bucket for processing. During the setup of the data replication process, instead of configuring the replication to another private S3 bucket, the team mistakenly selects a public S3 bucket named "PublicDataBucket" that is accessible from the Internet.

Using Defender CSPM attack path analysis, the data engineering team can identify this scenario and remediate the risk. The attack path “Private AWS S3 bucket replicates data to internet exposed and publicly accessible AWS S3 bucket” shows the misconfiguration and the potential impact, as shown below. While the risk involved here is Sensitive Data Exposure, it is a result of data replicating to an Internet-exposed and publicly accessible S3 bucket. Insights on the target S3 bucket provide more information about the misconfiguration, as shown below. The remediation step suggests reviewing replication and S3 bucket public access settings to minimize the public exposure of data, as shown below.

Scenario 2: Datum Corporation’s IT Admin team is responsible for managing several applications hosted on AWS EC2 instances. The team wants to implement an automated backup and restore solution for their databases, ensuring data durability and disaster recovery capabilities. The administrator creates a script that runs on the EC2 instances to initiate automated backup and restore operations at specified intervals. The administrator creates an IAM role with AdministratorAccess to access all the AWS services and associates the IAM role with the EC2 instance. When an AWS EC2 instance has permissions to an AWS account, it means that the instance has privileges to access other AWS resources within that account. A misconfigured IAM role could lead to over-permissioning, where the instance has access to more resources and actions than it needs. This can expose unnecessary attack surfaces.

By leveraging the Defender CSPM attack path capability, the IT Admin team can gain visibility into the potential risk by reviewing the attack path called “Internet exposed EC2 instance has high severity vulnerabilities and high permission to an account”. The potential impact in this scenario is that a threat actor could exploit the vulnerabilities on the EC2 instance, gain remote code execution, and use its permission to manage the account (create resources, delete resources, and move laterally to additional resources). The possible risk is account takeover and compute abuse. Defender for Cloud calculates the effective permissions of identities and helps you understand what resources your identities can access. In this scenario, the EC2 instance has the 'AmazonSSMManagedInstanceCore', 'AmazonEC2ContainerRegistryReadOnly' and 'AmazonEKSWorkerNodePolicy' permissions to the account. The Insights tab on the EC2 instance provides details about the EC2 instance: it is reachable from the internet and has high severity vulnerabilities allowing remote code execution. The remediation steps suggest granting permission at the resource level and not at the account level, as shown below.

Scenario 3: Fabrikam Inc hosts a critical application on an Amazon EC2 instance, and this application requires access to encrypted data stored in Amazon S3. To securely retrieve and decrypt this data, the EC2 instance is granted read permissions to a dedicated AWS KMS key. By granting the EC2 instance read permission to the KMS key, the organization ensures that sensitive data remains encrypted and secure both at rest and in transit. A high severity vulnerability was detected on the EC2 instance, which could potentially be exploited by attackers to gain unauthorized access to the system. If an attacker gains access to the EC2 instance and its associated read permissions for the KMS, they could extract sensitive cryptographic keys. This could result in the compromise of encrypted data across the organization's infrastructure.

Defender CSPM identifies the attack path “Internet exposed EC2 instance has high severity vulnerabilities and read permission to a KMS”, and the potential impact could be stealing credentials from the Key Management Service (KMS). The EC2 instance has an IAM role attached that grants the 'AmazonSSMManagedInstanceCore' permission, via IAM policy, to the AWS Key Management Service (KMS) key. The Insights give details about the EC2 instance, such as the fact that it is reachable from the internet and has high severity vulnerabilities allowing remote code execution, as shown below. The remediation steps suggest hardening the internet exposure to the minimum required, as shown below.

For a more detailed list of the attack paths, connections, and insights you might see in Microsoft Defender for Cloud, see Reference list of attack paths and cloud security graph components - Defender for Cloud | Microsoft ...

Conclusion

Mitigating risks using attack path analysis is not a one-time activity. It involves continuous monitoring of attack paths. Security teams can regularly analyze new misconfigurations introduced during changes to the environment. Incorporating attack path analysis into your security strategy helps security teams stay ahead of potential security misconfigurations in AWS environments.

Additional Resources

Please refer to the resources below to learn more about these capabilities:

• Microsoft Defender for Cloud Security Posture Management (Video)
• Identify and remediate attack paths
• Reference list of attack paths and cloud security graph components
• Public Lab: Contextual Security capabilities for AWS using Defender CSPM

Reviewers

Or Serok Jeppa, Senior PM Lead, Microsoft Defender for Cloud
Yuri Diogenes, Principal PM Manager, CxE, Microsoft Defender for Cloud
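The three attack paths in the post all combine an exposure fact with a permission or data-flow fact. The following added example (not Defender for Cloud code) models them as rules over a small constructed inventory; bucket names come from the scenarios, while the instance ids, the account id 111122223333 and the key id are placeholders, and two safe configurations are included as negative controls.

```python
from dataclasses import dataclass, field

# Attack-path titles as they appear in the post.
PATH_S3_REPLICATION = ("Private AWS S3 bucket replicates data to internet exposed "
                       "and publicly accessible AWS S3 bucket")
PATH_EC2_ACCOUNT = ("Internet exposed EC2 instance has high severity vulnerabilities "
                    "and high permission to an account")
PATH_EC2_KMS = ("Internet exposed EC2 instance has high severity vulnerabilities "
                "and read permission to a KMS")


@dataclass
class S3Bucket:
    name: str
    public: bool                       # internet exposed and publicly accessible
    replicates_to: list = field(default_factory=list)


@dataclass
class Permission:
    policy: str        # IAM policy name attached to the instance role
    target_type: str   # "account" or "kms_key"
    target: str        # account id or KMS key id (placeholders below)
    access: str        # "admin" or "read"


@dataclass
class Ec2Instance:
    instance_id: str
    internet_exposed: bool
    high_severity_vulns: int           # count of RCE-capable high-severity findings
    permissions: list = field(default_factory=list)


@dataclass
class AttackPath:
    title: str
    entry: str
    target: str
    remediation: str


def s3_replication_paths(buckets: dict) -> list:
    """Scenario 1: a private bucket whose replication destination is public."""
    found = []
    for src in buckets.values():
        if src.public:
            continue
        for dest_name in src.replicates_to:
            dest = buckets.get(dest_name)
            if dest is not None and dest.public:
                found.append(AttackPath(
                    PATH_S3_REPLICATION, src.name, dest.name,
                    "Review the replication rule and the destination bucket's "
                    "public access settings"))
    return found


def ec2_permission_paths(instances: list) -> list:
    """Scenarios 2 and 3: an exposed, exploitable instance holding risky permissions."""
    found = []
    for inst in instances:
        # Both EC2 paths share one precondition: reachable from the internet
        # and carrying at least one high-severity vulnerability.
        if not (inst.internet_exposed and inst.high_severity_vulns > 0):
            continue
        for perm in inst.permissions:
            if perm.target_type == "account":
                found.append(AttackPath(
                    PATH_EC2_ACCOUNT, inst.instance_id, perm.target,
                    "Grant permission at the resource level, not the account level"))
            elif perm.target_type == "kms_key" and perm.access == "read":
                found.append(AttackPath(
                    PATH_EC2_KMS, inst.instance_id, perm.target,
                    "Reduce internet exposure to the minimum required and patch"))
    return found


def find_attack_paths(buckets: dict, instances: list) -> list:
    return s3_replication_paths(buckets) + ec2_permission_paths(instances)


# Constructed inventory: bucket names from the post; instance ids, account id
# and key id are placeholders. Two safe configurations act as negative controls.
SAMPLE_BUCKETS = {
    "PrivateDataBucket": S3Bucket("PrivateDataBucket", False, ["PublicDataBucket"]),
    "PublicDataBucket": S3Bucket("PublicDataBucket", True),
    "ArchiveBucket": S3Bucket("ArchiveBucket", False, ["BackupBucket"]),  # private->private
    "BackupBucket": S3Bucket("BackupBucket", False),
}
SAMPLE_INSTANCES = [
    Ec2Instance("i-datum-backup", True, 2,
                [Permission("AdministratorAccess", "account", "111122223333", "admin")]),
    Ec2Instance("i-fabrikam-app", True, 1,
                [Permission("AmazonSSMManagedInstanceCore", "kms_key", "key-placeholder", "read")]),
    # Same over-permissioned role, but patched and not reachable: no attack path.
    Ec2Instance("i-patched-internal", False, 0,
                [Permission("AdministratorAccess", "account", "111122223333", "admin")]),
]

if __name__ == "__main__":
    for path in find_attack_paths(SAMPLE_BUCKETS, SAMPLE_INSTANCES):
        print(f"{path.title}\n  {path.entry} -> {path.target}\n  fix: {path.remediation}")
```

Running it lists exactly the three paths from the scenarios; the private-to-private replication and the patched, internal instance produce nothing, which is the point of the precondition checks.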
  17. Google typically releases a new Android version annually during the late third or early fourth quarter of the calendar year. They also require that apps uploaded to the Google Play Store are optimized to run on at least the previous year’s API version by mid-fourth quarter. API versioning is the practice of managing changes to an API to prevent breaking changes. Android 14 is expected to be released by Google soon. Our Microsoft Intune app protection policies (APP) and mobile device management (MDM) teams have been working hard to make sure Microsoft Intune customers are supported on the new operating system (OS) release.

In this post, we’ll share some of what we’ve found from testing the latest Android beta builds and highlight other noteworthy changes that are coming with this release. We’ll update this blog post if new items are discovered during our continued testing. We also encourage you to read through Google’s Android 14 change documentation, and the Google article, Behavior changes: Apps targeting Android 13 or higher, to identify other changes that may be relevant to your organization. Keep us posted on what APP and MDM learnings you find from your testing too!

Versioning vs targeting

Day zero support refers to supporting the new Android OS version and API targeting. New Android OS versions are released every year, first on Google Pixel devices and later by various OEMs as they build out support. This year, the latest OS version is Android 14, and it is expected to be available soon. API targeting is set within client apps. Google mandates that apps must target the two most recent versions to be approved in the Play store. This year, we’re targeting API 33 (Android 13) with support beginning in August 2023. Throughout this post, you may see changes attributed to either Android 14 readiness or API 33 targeting readiness. It’s important to note their differing release dates.

Android 14: Updates to the Exact alarm permission on Managed Home Screen (MHS)

When configured by admins, MHS uses the Exact alarm permission for configurations which require action at an exact time. Currently, MHS uses this permission to automatically sign users out after a set time of inactivity on the device, to launch a screen saver after a set period of inactivity, and to automatically relaunch MHS after a certain period of time when a user exits kiosk mode. For devices running Android 14 and higher, the Exact alarm permission will be denied by default. In order to make sure critical functionality continues to work, users will be prompted to grant the Exact alarm permission upon first launch of MHS.

Targeting API 33: Changes to Android notification permission prompt behavior

There are changes to how Android apps handle notification permissions to align with recent changes made by Google to the Android platform. Notification permissions will be granted to apps as follows:

• On devices running Android 12 and earlier: Apps are permitted to send notifications to users by default.
• On devices running Android 13 and later: Notification permissions vary depending on the API the app targets.
  • Apps targeting API 32 and lower: Google has added a notification permission prompt that appears when the user opens the app. Management apps are still able to configure apps so that they're automatically granted notification permissions.
  • Apps targeting API 33 and higher: App developers define when the notification permission prompts appear. Management apps are still able to configure apps so that they're automatically granted notification permissions.

Admins and users can expect to see the following changes once we begin targeting API 33:

Managed Home Screen: In previous versions of Managed Home Screen, when an admin had enabled automatic relaunch of Managed Home Screen, a push notification was displayed to alert users of the relaunch. To accommodate changes to notification permission, when an admin has enabled auto-relaunch of Managed Home Screen, the application will now display a toast message alerting users of the relaunch instead of a push notification. Managed Home Screen is able to auto-grant permission for this notification, so no change is required for admins configuring Managed Home Screen to accommodate the change in notification permission with API 33.

Company Portal used for work profile management: In the personal instance of the Company Portal, users will see a notification permission prompt when they first open it. In the work profile instance, users won’t see a notification permission prompt, as the notification permissions will be automatically permitted. Users will be able to silence app notifications in the Settings app.

Company Portal used for device administrator management: Users will see a notification permission prompt when they first open the Company Portal app and will be able to adjust app notifications in the Settings app.

Microsoft Intune app: No changes to existing behavior. Users will continue to not see a prompt because notifications are automatically permitted. App notifications can be adjusted in the Settings app.

Microsoft Intune app for Android Open Source Project (AOSP): No changes to existing behavior. Users will continue to not see a prompt because notifications are automatically permitted. Users are unable to adjust app notifications in the Settings app.

How can you reach us?

Keep us posted on your Android 14 and API 33 experience through comments on this blog post or through Twitter @IntuneSuppTeam, and request any new features through our Intune Feedback Portal. We’ll update this post with any additional information we learn as testing continues, and when Android 14 releases.
  18. Microsoft Edge for Business, the new, dedicated work experience currently in preview for the Microsoft Edge browser, is planned to be released with Microsoft Edge stable version 116 (scheduled for the week of August 17, 2023). All customers who sign into Edge using Microsoft Entra ID (formerly Azure Active Directory) will automatically be transitioned to Microsoft Edge for Business as part of the release.

What to expect with Microsoft Edge for Business:

• Policies, settings, and configurations previously set by an organization and its Entra ID connected users will be automatically transitioned to Edge for Business.
• IT maintains full control over policy and feature management and configuration with Edge for Business.
• The icon will be updated to include a briefcase.
• An optional personal browsing window, Microsoft Edge, is enabled so users with a personal profile can separate their work and personal browsing and take advantage of the full feature set of Edge for personal use. This will also enable automatic switching from the personal to the work browser window when work sites are accessed. The personal browser window is lightly managed, with IT maintaining control over security, compliance, and update policies.

From the beginning, Microsoft Edge was designed with the specific needs of businesses and organizations in mind, with enterprise grade security, productivity, management, and now AI, built in. Microsoft Edge for Business is the next step in the journey to deliver the best browser for business across desktop and mobile, with enhanced separation of work and personal browsing, unmanaged device support, and more coming soon.

General

Is this a new browser?

No, this is not a new browser. This is a new, dedicated Microsoft Edge experience built for work that enables organizations to configure it to maximize productivity and security. It has the same functionality that you’re already familiar with in Microsoft Edge, in addition to optional automatic switching built to help meet the evolving needs of users and businesses. Signing in with Microsoft Entra ID will automatically enable Microsoft Edge for Business.

How is Edge for Business differentiated from regular Microsoft Edge?

Microsoft Edge for Business is a dedicated work browsing experience. It’s distinguished through visual elements such as an adjusted icon and other minor visual cues. IT maintains full control over policy and feature management and configuration with Edge for Business. Meanwhile, Microsoft Edge is lightly managed, with IT maintaining control over security and compliance policies of the personal browsing window. With users separating their work and personal browsing and content, personal data can be excluded from enterprise sync in the work browser window, giving users the privacy they want.

What benefit does Microsoft Edge for Business provide?

For IT, Microsoft Edge for Business can reduce the surface area for cyberattacks, heightening the organization’s security posture, since it offers the opportunity to streamline down to one browser for all use cases. For end users who are signed in with work and personal profiles, Edge for Business can provide a better browsing experience with automatic switching, which has security and privacy benefits.

Does Microsoft Edge for Business require a separate download?

No. Microsoft Edge for Business is automatically triggered by signing in with a Microsoft Entra ID.

User experience

What will the user experience be when Edge for Business becomes available?

After the Edge stable version 116 release is deployed and the browser is restarted:

• The Microsoft Edge icon will be updated to the Edge for Business icon.
• When the user launches Edge for Business, Microsoft Entra ID users will automatically be signed in.
• A one-time banner will appear at the top of the browser after first launching Edge for Business, informing the user of the change with a link to learn more.

What impact will the change to Edge for Business have on users?

Users who are only signed in with Microsoft Entra ID: After the Edge stable version 116 release is deployed and the browser is restarted, all users who sign in with Microsoft Entra ID will be transitioned to Edge for Business. Edge for Business inherits all configurations and policies previously set for Microsoft Edge, so the main difference users will see at this time is the Microsoft Edge for Business icon and a new location for their profile photo.

Users who are signed in with both Microsoft Entra ID and a Microsoft Account (MSA): Users who are also signed in with a personal profile (using their Microsoft account (MSA)) can experience automatic switching between their work browser window (Microsoft Edge for Business) and their personal browser window (Microsoft Edge). With the Edge stable version 116 release:

• Switching from the personal browser window to the work browser window will be on by default, with the option for the user to turn it off.
• Switching from the work browser window to the personal browser window will be off by default, with the option for the user to turn it on. Switching from the work browser window to the personal browser window will be on by default in future versions of Edge for Business.

To turn automatic switching on or off, visit Edge settings and toggle “Automatic profile switching”. Work-related sites, such as Microsoft 365 apps and services and sites requiring work login, automatically open in the work browser window. A growing set of popular sites open in the personal browser window once enabled by the user in Edge settings. Users can designate additional sites for work or personal use in settings. (Note: user site designation cannot be overwritten by IT administrators at this time.)

What happens to favorites, passwords, etc.?

Passwords, favorites, and data currently associated with the user’s work profile will be maintained in Edge for Business. Passwords, favorites, and data are not shared between the work browser window and the personal browser window.

What impact will this have on my default browser settings?

There is no impact to users' default browser settings.

Will users see both the Edge and Edge for Business icons on the taskbar?

Users that are only signed in with Entra ID will see the Edge for Business icon and not the Edge icon.

Are there materials I can share with my end users to prepare them?

Yes! A downloadable email draft is available and is linked at the bottom of this post.

IT management and controls

Will all policies and configurations previously set by IT be applied to Edge for Business?

Yes, all policies and configurations currently in place will be inherited by Edge for Business.

What controls will IT admins have?

IT maintains control over the security and compliance posture of both Microsoft Edge and Microsoft Edge for Business. Edge is lightly managed, with users able to access all features, while in Edge for Business, IT can control which features are available to users. IT admins can disable the personal browser window so that their users can only access Edge for Business. Please note that in this case, users will not be able to use Microsoft account based personal profiles and will not experience automatic switching between work and personal browsing.

What policies will be enabled in the personal browser window?

The Microsoft Edge personal browser window is lightly managed, with all security, compliance, and Edge update policies applied, without the additional overhead of managing another browser. To learn more, please visit this site.

How does my organization turn off the personal browser window?

To turn off the personal browser window, please follow the steps listed in this document.

Does Edge for Business support unmanaged devices?

Yes, Edge for Business includes support for unmanaged devices, currently available in preview. Please use these steps to access this preview.

Is Edge for Business available on mobile?

Yes. Edge for Business on mobile is built with enterprise grade security, productivity, management, and now AI, built in. An updated icon, automatic switching, and management via the Edge management service in the Microsoft 365 admin center will be available for Edge for Business on mobile in the future.

Can anyone with a Microsoft Entra ID (formerly known as Azure Active Directory) get Microsoft Edge for Business?

Microsoft Edge for Business will be the standard experience for all users with a Microsoft Entra ID.

Will my sites and apps that work in Microsoft Edge work in Microsoft Edge for Business?

Yes, sites and apps that currently work in Microsoft Edge will work in Microsoft Edge for Business.

Are there any functional changes to the Entra ID profile?

No. There are not any functional changes to the Entra ID profile.

Automatic Switching

How do I switch between the Microsoft Edge for Business browser window and the Microsoft Edge browser window?

With the Edge stable version 116 release, URLs entered into the personal browser window that are for work-related sites, such as Microsoft 365 apps and services and sites requiring work login, will automatically open in the work browser window.

Do I need to enable automatic switching?

With this release, switching from the personal browser window to the work browser window will be on by default, with the option for the user to turn it off. Switching from the work browser window to the personal browser window will be off by default, with the option for the user to turn it on. This will be enabled by default in a future release. To turn automatic switching on or off, visit Edge settings and toggle “Automatic profile switching”.

Are the work and personal browser windows connected?

The work browser window (Microsoft Edge for Business) and personal browser window (Microsoft Edge) will have their own separate caches and storage locations, so information stays separate. This feature does not create any link between the user's Microsoft Entra ID account and their MSA account, and the organization settings related to linking work and personal accounts are unaffected. There are no functional changes to the Entra ID profile.

How does a user customize the work and personal URL list?

To designate sites to open automatically in the work and personal browser windows, go to edge://settings/profiles/multiProfileSettings and select “Choose preferred browser for sites” to turn off or select a preferred profile for the applicable site.

Is there a group policy to customize the work and personal URL list?

Not at this time.

Is there a group policy to turn on/off automatic switching?

At this time, only users will be able to turn switching between work and personal browser windows on and off. For organizations that do not want automatic switching or personal profile usage, there is a group policy to turn off multiple profiles.

Is there a group policy to add sites to the site list?

Not at this time.

When the user switches between work and personal browser windows, are they logged out of sites and apps?

No, switching between the work and personal browser windows will not log the user out of sites and apps.

How do I adjust which browser window a site is opened in?

There are two ways to change which browser window is used to open a website:

• Click the Switching icon, pictured below, to switch back to the preferred browser window. This action makes the browser remember your choice for that URL.
• Go to edge://settings/profiles/multiProfileSettings and select “Choose preferred browser for sites” to turn off or select a preferred profile for the applicable site.
  19. Malware Scanning in Defender for Storage will be generally available (GA) for Azure Blob Storage on September 1, 2023. This add-on to Defender for Storage will be priced at $0.15 (USD) per GB of data scanned. Malware Scanning in Defender for Storage helps protect your Blob storage accounts from malicious content by performing a full, built-in, agentless malware scan on uploaded content in near real time, using Microsoft Defender Antivirus capabilities. It scans all file types and allows you to detect and prevent malware distribution events. Defender for Storage helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. Malware Scanning is its latest feature. Defender for Storage is part of Microsoft Defender for Cloud, a CNAPP solution. Malware Scanning in Defender for Storage Enabling Malware Scanning at scale is easy and simple, requires zero maintenance, and supports automated responses at scale. You can enable it with an Azure built-in policy (recommended), IaC templates such as Bicep and ARM, REST API, or the Azure portal UI to enable at scale. Malware protection is old news, but protecting your non-compute resources from malware still proves to be difficult Compute vs. non-compute malware protection: The malware distribution challenge is not new. Traditionally, endpoint detection and response (EDR) solutions solve this problem for compute resources such as VMs and containers. However, non-compute resources such as storage are much harder to protect against malware - they do not have a compute layer to run antimalware tools, installing an EDR on them is impossible. While non-compute resources cannot be infected by malware (because it cannot be executed in a non-compute environment), cloud storage resources are central hubs of data that downstream consumers tend to trust. 
This means that storage can be a gateway and distribution point to malware into your org or to 3rd parties and consumers. Untrusted content uploaded to cloud storage could be malware. Without verifying that incoming files are free of malicious content before they’re uploaded, storage accounts can become a malware entry point into the organization and serve as a point of distribution to the environment. This is because your storage accounts are data hubs and are typically a convenient place to upload content to, and have many downstream consumers pull the data and transform it. The malware could be distributed downstream to consumers in multiple copies. If the malware finds a host to run on – the impact could be game over. It could lead to data loss or corruption, steal sensitive data and authentication tokens, and present opportunities for potential ransomware attacks. It’s common for these attacks to damage the reputation of organizations and cause significant harm, regulatory fines, and compliance issues, making the protection of non-compute resources a challenging yet crucial aspect of cybersecurity. That’s why top compliance standards, such as NIST, SWIFT, and UK Government protocols, as well as security best practices, require scanning files in cloud storage before human users or applications access them. Traditional approaches to addressing the cloud storage malware protection challenge have scalability and privacy issues. Some popular approaches are sending files to a VM that runs antivirus, like open source ClamAV or by EDR providers, or running SaaS solutions that are not tailored to PaaS and IaaS. The main issue with these systems is they don't scale well, require too many resources, rely heavily on multiple copy jobs and complex networking, and keep you waiting a bit too long before they start scanning, creating hiccups in your apps and workflows. 
In most cases, they'll have you tangled up in intricate networking and juggling data management tasks, adding to your IT team's workload. The enablement friction and resource scaling maintenance is cumbersome, creates overhead, and leaves too much room for error. Unfortunately, these solutions fail to scale up as needed, and instead of protecting, they might increase the attack surface because of the data flow and resources. So, we end up needing even stronger security measures. An alternative approach to address these challenges involves sending files, or their signatures, to external third-party services for malware detection. The key drawback of such solutions is their inherent requirement to move your potentially sensitive data outside your existing environment, crossing regional and cloud boundaries. This is a compliance and privacy issue that exposes your data to potential leaks and breaches and places it beyond your control. A modern, private, and scalable approach that helps protect your cloud storage from malware, built for high-compliance industries Malware Scanning in Defender for Storage offers built-in and agentless detection with zero maintenance. As soon as a file is uploaded to a storage account, Malware Scanning will immediately read the uploaded content, scan it out of band, and detect polymorphic and metamorphic malware in near real-time. If a file is determined as malicious by the Microsoft Defender Antivirus engine, access to the file can be blocked, the file can be quarantined or deleted, and the scan result will automatically trigger a security alert in Defender for Cloud or other workflows, so your SOC analysts have full context on the malicious findings. To maintain maximum privacy, the regional malware scanning engine never retains the content of the files, and the data is never centralized. Files are scanned "in-memory" and are never stored in the Malware Scanning engine. 
Malware Scanning occurs within the same region of the storage account. In some cases, when a file is suspicious, and more data is required, the Malware Scanning engine may share metadata outside the scanning region, including metadata classified as customer data (e.g., SHA-256 hash), with Microsoft Defender for Endpoint, leveraging its powerful Cloud Protection features. Supporting fully-fledged features with granular cost control at the feature level The Malware Scanning capability within Defender for Storage was built with flexibility and cost management in mind. It allows enablement either at the subscription level or at the resource level while offering the ability to exclude individual storage accounts from protection. You can control and cap your costs. The pricing of Malware Scanning is based on the number of gigabytes (GB) of data scanned. For granular cost control, there's an option to set a monthly limit on the volume of data scanned per storage account per month. This limit can be set for the entire subscription or for each individual storage account. Once the set limit is reached in a month, the scanning process halts to prevent additional costs. You will be alerted when nearing the cap, and when crossing it. The default cap for the recommended enablement methods is 5TB per storage account per month. You can also choose to enable logging for every scan result (including clean files) for compliance needs. A hands-on lab to try out Malware Scanning in Defender for Storage We recommend you try the Ninja training instructions for detailed step-by-step instructions on how to test Malware Scanning end-to-end with setting up responses to scanning results. This is part of the 'labs' project that helps customers get ramped up with Microsoft Defender for Cloud and provide hands-on practical experience with its capabilities. Common use cases In the last two years, we’ve worked with customers who’ve used the beta version of Malware Scanning and helped design it. 
During that process, we’ve learned the common use cases and scenarios that require and typically utilize malware scanning in cloud storage services to maintain data and system integrity. The following list is an example of some of these: Web applications: many cloud web applications allow users to upload content to storage. This allows low maintenance and scalable storage for applications like tax apps, CV upload HR sites, and receipts upload. Content protection: assets like videos and photos are commonly shared and distributed at scale both internally and to external parties. CDN and content hubs are a classic malware distribution opportunity. Compliance requirements: resources that adhere to compliance standards like NIST, SWIFT, GDPR, and others require robust security practices, which include malware scanning. It is critical for organizations operating in regulated industries or regions. Third-party integration: third-party data can come from a wide variety of sources, and not all of them may have robust security practices, such as business partners, developers, and contractors. Scanning for malware helps to ensure that this data doesn't introduce security risks to your system. Collaborative platforms: similar to file sharing, teams leverage cloud storage for continuously sharing content and collaborating across teams and organizations. Scanning for malware ensures safe collaboration. Data pipelines: data moving through ETL processes can come from multiple sources and may include malware. Scanning for malware can help to ensure the integrity of these pipelines. ML training data: the quality and security of the training data are critical for effective machine learning models. It's why it's important to ensure these data sets are clean and safe, especially if they include user-generated content or data from external sources. 
See it at work

Here's a short demo showcasing how Malware Scanning scans files and returns quick, reliable results so you can make your applications secure: Malware Scanning - Tax App demo

In this example, tax files are uploaded to a blob container that holds all uploaded, untrusted content. Once a file is uploaded, Malware Scanning scans it and sends the result to a serverless function that moves clean files to a 'clean' blob container and malicious files to a 'suspicious' blob container (for quarantine or deletion). Until the scan result arrives, nothing downstream should read from the upload container.

Consuming scan results and setting up a response

A scan result is returned for every file scanned. Several methods are supported for consuming the results, fitting different use cases. Read more about consuming scan results and using them for an automated response: View and consume malware scanning results

Getting started

A common way to start is to deploy Malware Scanning with the built-in Azure Policy. You can also enable it at scale with IaC templates such as Bicep and ARM, the REST API, or the Azure portal UI. If you're using the old ("classic") Defender for Storage plan, migrate to the new plan to enable Malware Scanning. You can also read about how to run an effective POC.

Additional resources

Malware Scanning in Defender for Storage documentation.
A hands-on Ninja lab.
Built-in Azure Policy to deploy to protect your environment now.
Watch the “ ” YouTube episode to learn more about the threat landscape for Azure Storage and how Microsoft Defender for Storage can help detect and mitigate these threats.
Learn more on the threat matrix for storage services.
for product deep dives.
Follow us at @MSThreatProtect for the latest news and updates on cybersecurity.

Have questions or comments? Write them below.

Continue reading...
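The routing that the tax-app demo above describes, as an added example that is not code from the original post or from Microsoft: a Python handler for the Event Grid delivery of Microsoft.Security.MalwareScanningResult events. The fields it reads (blobUri, scanResultType, scanResultDetails.malwareNamesFound, scanResultDetails.sha256) follow the documented scan-result event; the storage account name taxuploads, the container names untrusted, clean and suspicious, the sample payloads and the move_blob stand-in are assumptions made for this example. What it adds beyond the prose: only an explicit "No threats found" verdict is treated as clean, unrelated storage events are ignored rather than routed on, and an unrecognised payload fails loudly instead of being filed as clean.

```python
"""Route uploaded blobs by Defender for Storage malware-scan results.

Added example. Event shape follows the documented
Microsoft.Security.MalwareScanningResult event; names and payloads are constructed.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

SCAN_EVENT_TYPE = "Microsoft.Security.MalwareScanningResult"
RESULT_CLEAN = "No threats found"
RESULT_MALICIOUS = "Malicious"
CLEAN_CONTAINER = "clean"            # assumed name, as in the demo
QUARANTINE_CONTAINER = "suspicious"  # assumed name, as in the demo


@dataclass(frozen=True)
class ScanVerdict:
    account: str
    container: str
    blob: str
    result: str
    malware_names: List[str]
    sha256: Optional[str]


def parse_scan_event(event: Dict) -> Optional[ScanVerdict]:
    """Return a ScanVerdict for a scan-result event, None for any other event.

    A scan-result event with an unknown result type raises ValueError so the
    function fails loudly instead of treating a malformed payload as clean.
    """
    if event.get("eventType") != SCAN_EVENT_TYPE:
        return None
    data = event.get("data") or {}
    blob_uri, result = data.get("blobUri"), data.get("scanResultType")
    if not blob_uri or result not in (RESULT_CLEAN, RESULT_MALICIOUS):
        raise ValueError(f"unexpected scan payload: {json.dumps(data)[:200]}")
    parsed = urlparse(blob_uri)  # https://<account>.blob.core.windows.net/<container>/<blob>
    account = parsed.netloc.split(".", 1)[0]
    container, _, blob = parsed.path.lstrip("/").partition("/")
    if not account or not container or not blob:
        raise ValueError(f"cannot split account/container/blob from {blob_uri}")
    details = data.get("scanResultDetails") or {}
    return ScanVerdict(account, container, blob, result,
                       list(details.get("malwareNamesFound") or []),
                       details.get("sha256"))


def destination_for(verdict: ScanVerdict) -> str:
    """Only an explicit clean verdict goes to 'clean'; everything else is quarantined."""
    return CLEAN_CONTAINER if verdict.result == RESULT_CLEAN else QUARANTINE_CONTAINER


MoveBlob = Callable[[str, str, str, str], None]  # (account, src_container, blob, dst_container)


def route_events(events: List[Dict], move_blob: MoveBlob) -> List[Dict]:
    """Process one Event Grid delivery (a batch) and move each scanned blob.

    move_blob is injected so the decision logic runs offline; in a function
    app it would wrap an azure-storage-blob copy followed by a delete.
    """
    actions = []
    for event in events:
        verdict = parse_scan_event(event)
        if verdict is None:
            continue  # not a scan result (e.g. BlobCreated): never route on it
        dst = destination_for(verdict)
        move_blob(verdict.account, verdict.container, verdict.blob, dst)
        actions.append({"blob": f"{verdict.container}/{verdict.blob}", "destination": dst,
                        "result": verdict.result, "malware": verdict.malware_names,
                        "sha256": verdict.sha256})
    return actions


def _event(blob: str, result: str, details: Optional[Dict]) -> Dict:
    """Build a constructed sample event for the assumed 'taxuploads' account."""
    return {"eventType": SCAN_EVENT_TYPE,
            "subject": f"storageAccounts/taxuploads/containers/untrusted/blobs/{blob}",
            "data": {"blobUri": f"https://taxuploads.blob.core.windows.net/untrusted/{blob}",
                     "scanFinishedTimeUtc": "2023-09-01T10:00:00Z",
                     "scanResultType": result, "scanResultDetails": details}}


# Constructed batch: one clean file, one EICAR test-file hit, one unrelated storage event.
SAMPLE_EVENTS = [
    _event("2023/return.pdf", RESULT_CLEAN, None),
    _event("2023/invoice.exe", RESULT_MALICIOUS, {
        "malwareNamesFound": ["Virus:DOS/EICAR_Test_File"],
        "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"}),
    {"eventType": "Microsoft.Storage.BlobCreated", "data": {"url": "https://example/x"}},
]


def demo() -> List[Dict]:
    """Run the constructed batch with a recording stand-in for the blob move."""
    moves: List[tuple] = []
    return route_events(SAMPLE_EVENTS, lambda *args: moves.append(args))


if __name__ == "__main__":
    for action in demo():
        print(json.dumps(action))
```

Running the script routes return.pdf to the clean container and invoice.exe to the suspicious container, and skips the BlobCreated event. The SHA-256 the event carries is the same value Defender for Storage may share with Defender for Endpoint, so it is worth keeping in the action log for later correlation.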
20. We are excited to announce the public preview of new alerts for IT admins managing Cloud PCs in Intune, to better inform them about Cloud PCs in a grace period. This capability is available for Windows 365 Enterprise customers today!

We heard you. You want proactive alerts on Cloud PCs so you can easily take appropriate action. This helps reduce risk when an IT admin who isn't fully aware of Windows 365 provisioning controls changes user licensing or group membership and inadvertently triggers the grace period. You also need the same coverage for changes made by automated scripts, so that notification is comprehensive and proactive. With Windows 365 IT admin alerts, an email is delivered whenever a Cloud PC enters the grace period. This gives admins greater awareness of their environment so they can take appropriate action, and acts as a preventive measure against unintended Cloud PC deprovisioning.

Windows 365 IT admin alerts offer the following features:
Admins can establish and customize system-based alerts for Cloud PCs in the grace period based on their preferences.
IT admins can define alert rules by selecting from the available options, setting thresholds, specifying frequency, and choosing notification channels.
IT admins can assess their environment and make informed decisions to either reprovision or end the grace period for specific Cloud PCs as needed.

Generating alerts when a Cloud PC enters the grace period is a critical precautionary measure. It acts as a safety net in scenarios such as Cloud PC license expiration or inadvertent changes to groups by IT admins that result in a Cloud PC being scheduled for deprovisioning within seven days.

Why is this important?

Windows 365 Enterprise users are granted a seven-day grace period to continue using a Cloud PC once it enters that state.
After the grace period elapses, the user is logged off, loses access to the Cloud PC, and the Cloud PC is deprovisioned. Deprovisioning is a significant and irreversible action, so proactively notifying IT admins helps avoid unnecessary deprovisioning of Cloud PCs.

The Alerts (preview) in Microsoft Intune

In the Microsoft Intune admin center, under Tenant admin, you can review the alert history and monitor the status of a Cloud PC alert event, including details such as severity, state, and date.

Screenshot of Tenant admin in Alerts (preview) menu

Easy-to-understand alert insights

The event summary page provides a more detailed overview of the specific alert event that needs attention, so you can promptly investigate Cloud PCs in the grace period and understand the impact.

Screenshot of Alerts (preview) menu with a red highlight on the report “Show all Cloud PCs in grace period”

When you select Show all Cloud PCs in grace period, you are redirected to the corresponding alert event page, shown below. This page offers additional information about the alert event so you can take appropriate action to resolve the issue.

Screenshot of All Cloud PCs tab under the Windows 365 menu with a red highlight over the status of devices in grace period

If you select In grace period for a particular Cloud PC, a fly-out appears with details about the impact of Cloud PCs in the grace period. You can then choose either Reprovision Cloud PC or End grace period.

Screenshot of CPC-SB pop up menu showing the option to “reprovision Cloud PC” or “end grace period”

Managing alert rules and email notifications

With this new capability, you have the flexibility to customize and enable or disable the alert rules, including conditions, settings, and notifications, depending on your specific requirements.
Additionally, you can configure your preferred notification methods for events, such as portal pop-up and email. Email localization is also supported, so you can choose the language in which you receive alert notifications.

Screenshot of Alerts (preview) under the Alert rules tab showing the optional notification methods

Screenshot of the Cloud PCs in grace period menu under the Alert rules tab showing more details on notification options

Prerequisites and what's next

Windows 365 system-based alerts are currently available only for Windows 365 Enterprise customers using Microsoft Intune. The account needs the Intune Global Admin, Intune Admin, or Windows 365 Admin role assigned.

Enhanced IT admin alerts for Cloud PCs that are unable to connect are coming soon. You'll also soon be able to proactively notify IT admins when Cloud PCs encounter issues such as unhealthy hosts, persistent connection errors, suspected infrastructure problems, or other systemic issues. These new capabilities will also provide insights to help resolve the problem promptly.

For a demo of this new alerts capability for Cloud PCs in a grace period, now in public preview, please check out this video:

Learn more

Looking to see what the latest capabilities in Windows 365 alerts look like up close? See our documentation on Alerts in Windows 365.

Finally, have feedback or suggestions? Visit this forum to share your ideas and help shape the future of Windows 365!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community and follow us @MSWindowsITPro on Twitter. Looking for support? Visit Windows on Microsoft Q&A.

Continue reading...
21. Windows client roadmap updates help guide organizations with their planning processes. In our last Windows client roadmap update blog, we announced that Windows 10, version 22H2 would be the final version of Windows 10. It will reach end of support on October 14, 2025 for all editions of that version. We also announced that there would be a Windows 11-based Long-Term Servicing Channel (LTSC) release in the second half of 2024. Here's additional information on the lifecycle updates for specific versions of Windows 10 and Windows 11.

Windows 11, version 23H2 will be available as an enablement package

The upcoming Windows 11, version 23H2 shares the same servicing branch and code base as Windows 11, version 22H2. What does this mean for you? If you're running Windows 11, version 22H2, updating to version 23H2 is a simple step via a small enablement package (eKB). Do you remember updating from Windows 10, version 1903 to 1909? Or how you've managed recent updates from Windows 10, version 20H2 through 22H2? It will be that simple. Moreover, since both versions share the same source code, you don't need to worry about application or device compatibility between them. Check out our whitepaper Windows and the shared servicing model for definitions and examples of how this works.

Recommendation

Don't wait for Windows 11, version 23H2. Continue (or begin) your Windows 11 rollout with version 22H2 now. Upon release in the fourth quarter of 2023, simply deploy the 23H2 enablement package via one of the following:
Windows Server Update Services
Windows Update for Business
Windows Autopatch

Stay current and reset the product lifecycle for your edition: another three years for Enterprise, Education, and IoT Enterprise editions, or two years for the Pro edition.

Note: The eKB is not available on the Volume Licensing Service Center. Media packages contain the complete Windows 11 operating system.
Windows 10 IoT Enterprise LTSC 2021 available through Volume Licensing

Traditionally, Windows 10 IoT Enterprise LTSC has only been available through direct licensing from original equipment manufacturers (OEMs) that sell IoT devices. In response to your feedback, we're making the licensing more flexible: we'll offer Windows 10 IoT Enterprise LTSC 2021 through Volume Licensing starting August 1st. Consider this option if your organization meets the following criteria:
Requires the longer 10-year lifecycle of Windows 10 for devices specifically used in IoT scenarios.
Doesn't purchase special devices that include the IoT LTSC license through OEMs.

Recommendation

If your organization meets the above criteria and has IoT use cases NOT related to knowledge-worker scenarios, purchase the Windows 10 IoT Enterprise LTSC 2021 edition directly from Microsoft through Volume Licensing starting in August. Windows IoT Enterprise is specifically designed for fixed-function, industrial use scenarios in manufacturing, healthcare, retail, and more.

Note: The Windows 10 Enterprise LTSC 2021 edition will continue to be supported for five years and is available as a standalone license in Volume Licensing or as part of the Windows E3/E5 subscription.

If you're waiting for a Windows 11 LTSC release, you can begin planning and testing your applications and hardware on the current General Availability (GA) Channel release, Windows 11, version 22H2. Check out App confidence: Optimize app validation with Test Base for more tips on how to test your applications.

Stay informed

In the future, we'll add more information here and to the Windows release health page, which offers information about the GA Channel and LTSC under release information for the appropriate versions.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community and follow us @MSWindowsITPro on Twitter. Looking for support? Visit Windows on Microsoft Q&A.

Continue reading...
22. As advanced threats such as ransomware continue to increase in velocity and sophistication, organizations are evolving their endpoint security strategies away from point solutions toward a more holistic approach focused on vendor consolidation. At the same time, we continue to see a gap between security and IT teams in achieving a seamless and effective operating model for endpoint security. While many endpoint security solutions now provide some level of endpoint management, including capabilities such as device inventory and policy authoring, they are often disconnected from the tools IT teams use to do many of the same things. This leads to a lack of visibility and coordination between the two groups, leaving too much room for security gaps to grow.

Microsoft believes organizations can protect their endpoints more effectively by bringing their security and IT teams closer together. Today we are excited to announce the public preview of a unified security settings management experience that offers a consistent, single source of truth for managing endpoint security settings across Windows, macOS, and Linux. It is built into the Microsoft 365 Defender portal, and therefore easily accessible to security teams, but built on the capabilities of Microsoft Intune.

Starting today, customers benefit from a host of new capabilities:
Native security settings management capabilities in Defender for Endpoint that support Windows, macOS, and Linux
Existing endpoint security policies are automatically ingested into the Microsoft 365 Defender portal
Create and edit AV policies directly from the Microsoft 365 Defender portal
Policies are automatically synced with Microsoft Intune to ensure coordination between IT and security teams in organizations that use Intune as a full management suite
A new list on the device page that shows all security policies and their settings
Simplified device onboarding: removal of Azure Active Directory hybrid join as a management prerequisite

Cross-platform support

Security administrators can now use the security settings management capabilities in Defender for Endpoint to manage their security configuration settings across Windows, macOS, and Linux devices without separate management tools or additional IT resources.

Managing security policies in the Microsoft 365 Defender portal

Until today, security administrators needed additional tools to manage endpoint security settings, which can slow down response. The integration of Microsoft Intune's endpoint security experience into Microsoft Defender for Endpoint bridges this gap, helping organizations protect themselves by operating from a single portal. Microsoft Intune is not a requirement, but the seamless sync offers additional benefits for organizations using both products: all data is shared and always in sync, so IT administrators using Microsoft Intune and security administrators using the Defender portal see the same policies and the same data, preventing confusion, misconfigurations, and the security gaps they cause.

Simplified device onboarding

For organizations that wanted to use security settings management in the past, Defender for Endpoint required all devices to fully register with Azure AD. That meant fixing pre-existing misconfigurations that prevented devices from joining the identity inventory. Starting today, devices no longer need to be joined to the organization's Azure AD and can be managed with Defender for Endpoint immediately. This significantly simplifies onboarding, and security settings can be deployed to all in-scope devices right away. A device still has to be onboarded to Defender for Endpoint and fall within the configured enforcement scope before it receives policies.
Let's take a look at the new, integrated experience.

Manage your security policies

View all your Intune security policies directly in the Microsoft 365 Defender portal by going to Configuration Management > Endpoint Security Policies. You can filter the list and search for specific policies using the built-in 'filter' and 'search' capabilities.

Image 1: Security policy interface in the Microsoft 365 Defender portal

AV policies for Windows, Linux and macOS can be created from the portal.

Image 2: Create a new policy

The device page includes a list of received policies, as well as their respective settings and status:

Image 3: New device page

With this update we want to make sure the transition is seamless for all existing customers. Here is how it will work:
All Windows devices that previously used this management feature will seamlessly transition to the new, lightweight mechanism.
Devices that were previously managed by Defender for Endpoint but had enrollment errors will now be enrolled.
Devices that are already fully registered with Azure AD and receiving policies will remain registered to Azure AD and continue to receive policies.

Get started today!

This change doesn't require any immediate administrative action, but you can take the following steps to prepare:

Step 1: Turn on preview features

Make sure preview features are enabled in order to use native security settings management for Microsoft Defender for Endpoint. In the Microsoft 365 Defender portal navigation pane, select Settings > Endpoints > Advanced features > Preview features. Toggle the setting On and select Save preferences.

Step 2: Review how settings management for Microsoft Defender for Endpoint is configured

Navigate to the Microsoft 365 Defender portal and review which devices you intend to manage using Defender for Endpoint at Settings > Endpoints > Configuration management > Enforcement scope.
Make sure the feature is turned on, and that for each operating system your management preferences have been configured accurately. Advanced configuration options that were available until today remain effective and are outlined in our main documentation.

Image 4: Security settings management configuration

Step 3: Create a dynamic Azure AD group to automatically target devices with policies

To ensure that all endpoints enrolled with security settings management for Defender for Endpoint receive policies, we recommend creating a dynamic Azure AD group based on the devices' OS type. Note that you can now also dynamically group servers in Azure AD. By targeting security policies to these dynamic Azure AD groups, all devices managed by Defender for Endpoint are protected automatically, without admins having to create a new policy or fine-tune existing ones each time a device enrolls.

Important: If you have been creating dynamic Azure AD groups based on the "MDEManaged" or "MDEJoined" system labels, those labels are currently not supported for new devices that enroll using Defender for Endpoint settings management. If you still intend to dynamically group devices in Azure AD based on this criterion, use the "Management Type = microsoftSense" attribute instead; group rules that still key on the old labels will silently miss newly enrolled devices, which then receive no policy.

More information: Get started now by checking out our documentation

Continue reading...
23. In this blog post, I will discuss the threat protection capabilities that customers are using to safeguard their workload deployments in Azure with Azure Firewall. Azure Firewall is a cloud-native firewall-as-a-service that lets customers centrally govern and log all their traffic flows using a DevOps approach. The service offers both application- and network-level filtering rules and integrates with the Microsoft Threat Intelligence feed to filter known malicious IP addresses and domains. Azure Firewall is highly available and comes with built-in auto scaling.

While it may appear straightforward, the first line of defense is access restriction. Customers are adopting two simple approaches to bolster their security posture:
Egress traffic blocking: block all egress traffic to the internet and allow access only to specific domains that are deemed safe and necessary. This is the stronger posture, because anything not explicitly allowed is denied.
Suspicious site blocking: alternatively, allow all egress traffic to the internet while blocking access to suspicious sites. This mitigates the risk of reaching known untrustworthy destinations but leaves unknown destinations reachable.

URL (Uniform Resource Locator) and FQDN (Fully Qualified Domain Name) filtering play a crucial role in analyzing web traffic and deciding whether to allow or block access based on the URLs applications request. This control is critical for safeguarding cloud workloads and data from malicious activities such as command-and-control connections and data exfiltration. URL filtering is particularly important for cloud deployments, especially when protecting Virtual Desktop Infrastructure (VDI) environments.

It's important to differentiate URL filtering from domain or FQDN filtering.
FQDN filtering looks only at the destination host name, while URL filtering takes the complete URL, including the path, into account. Consider the domain linkedIn.com. Filtering on the FQDN alone would not suffice, because distinguishing between different URLs within the domain (e.g., linkedIn.com/LegitUser vs. LinkedIn.com/MaliciousUser) is a critical detail when implementing a secure egress strategy. Consequently, filtering on the URL becomes necessary. URL filtering also helps prevent attackers from establishing connections to their command-and-control (C2) servers or exfiltrating data to sites under their control. Moreover, organizations often need to adhere to security compliance standards and guidelines, such as PCI DSS and SOC 2 Type 2, which require URL filtering as a security measure.

TLS decryption is a prerequisite for URL filtering on HTTPS traffic, because everything beyond the host name (which is visible in the TLS SNI extension) is inside the encrypted payload. Since the share of encrypted web traffic keeps rising, enabling TLS inspection (an Azure Firewall Premium feature) in your Azure Firewall deployment is effectively mandatory for URL filtering to be meaningful.

The need for threat intelligence

Now that we understand the significance of URL filtering and the need for TLS inspection to apply it to encrypted traffic, how can we distinguish between safe and suspicious domains and URLs? Threat intelligence is our second ring of defense. It refers to the information an organization uses to understand the threats that have targeted, are targeting, or will target the organization. This information aids in preparing for, preventing, and identifying cyber threats that aim to exploit valuable resources. Azure Firewall uses threat intelligence from the Microsoft Threat Intelligence feed, which encompasses multiple sources, including the Microsoft Cyber Security team.
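A compact model of the egress rings this post discusses (threat intelligence, FQDN filtering, URL filtering) and of what TLS inspection makes visible, as an added example that is not code from the original post and not part of Azure Firewall: a Python evaluator run against a constructed policy and constructed requests, including the threat intelligence allow list and URL-level threat intelligence entries the post describes. The rule ordering, the allow-list semantics and the "host/path prefix" rule format are simplifications assumed for the example, not Azure Firewall's rule syntax; all hosts, paths and feed entries are made up.

```python
"""Toy model of Azure Firewall's egress rings: threat intelligence, FQDN rules,
URL rules, and what TLS inspection makes visible.

Added example, not Azure Firewall's engine or rule syntax; hosts, paths and
feed entries below are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, Optional, Set
from urllib.parse import urlparse


@dataclass(frozen=True)
class Observed:
    host: str
    path: Optional[str]  # None when the path is inside TLS and not decrypted


def observe(url: str, tls_inspection: bool) -> Observed:
    """What the firewall can see of one outbound request.

    HTTP: the full URL is on the wire. HTTPS: only the host name (from the
    TLS SNI extension), unless TLS inspection terminates the session.
    """
    p = urlparse(url)
    visible = p.scheme != "https" or tls_inspection
    return Observed((p.hostname or "").lower(), (p.path or "/") if visible else None)


@dataclass
class Policy:
    ti_malicious_hosts: Set[str] = field(default_factory=set)
    ti_malicious_urls: Set[str] = field(default_factory=set)  # "host/path" prefixes
    ti_allow_list: Set[str] = field(default_factory=set)      # hosts that bypass TI
    allowed_fqdns: Set[str] = field(default_factory=set)      # "host" or "*.domain"
    allowed_urls: Set[str] = field(default_factory=set)       # "host/path" prefixes
    tls_inspection: bool = False


def _prefix_match(target: str, prefixes: Set[str]) -> bool:
    return any(target == p or target.startswith(p.rstrip("/") + "/") for p in prefixes)


def evaluate(policy: Policy, url: str) -> str:
    """Return 'allow:<reason>' or 'deny:<reason>' for one request."""
    obs = observe(url, policy.tls_inspection)
    target = None if obs.path is None else obs.host + obs.path

    # Ring 1: threat intelligence runs before any customer rule; the allow
    # list bypasses it entirely, so every entry there is a deliberate hole.
    if obs.host not in policy.ti_allow_list:
        if obs.host in policy.ti_malicious_hosts:
            return "deny:threat-intel-host"
        if target is not None and _prefix_match(target, policy.ti_malicious_urls):
            return "deny:threat-intel-url"

    # Application rules. An FQDN rule is decided from the host name alone, so
    # it works on uninspected HTTPS (note: '*' here also spans sub-subdomains).
    if any(fnmatchcase(obs.host, pattern) for pattern in policy.allowed_fqdns):
        return "allow:fqdn"

    # A URL rule needs the path. For HTTPS without inspection the path is not
    # observable, so the rule cannot match and the default deny applies.
    if target is not None and _prefix_match(target, policy.allowed_urls):
        return "allow:url"
    if target is None and any(u.split("/", 1)[0] == obs.host for u in policy.allowed_urls):
        return "deny:url-rule-needs-tls-inspection"
    return "deny:default"


def demo() -> Dict[str, str]:
    """Evaluate constructed requests against one policy with and without TLS inspection."""
    rings = dict(
        ti_malicious_hosts={"evil.example", "partner.example"},
        ti_malicious_urls={"shared-cdn.example/downloads/dropper.exe"},
        ti_allow_list={"partner.example"},          # known false positive, bypassed
        allowed_fqdns={"*.contoso.com", "partner.example", "shared-cdn.example"},
        allowed_urls={"linkedin.com/LegitUser"},     # the post's URL-vs-FQDN example
    )
    plain, inspecting = Policy(**rings), Policy(**rings, tls_inspection=True)
    cases = {
        "http-url-rule": (plain, "http://linkedin.com/LegitUser"),
        "https-url-rule-no-inspection": (plain, "https://linkedin.com/LegitUser"),
        "https-url-rule-inspected": (inspecting, "https://linkedin.com/LegitUser"),
        "https-other-path-inspected": (inspecting, "https://LinkedIn.com/MaliciousUser"),
        "ti-host": (plain, "https://evil.example/anything"),
        "ti-url-on-allowed-fqdn-no-inspection": (plain, "https://shared-cdn.example/downloads/dropper.exe"),
        "ti-url-on-allowed-fqdn-inspected": (inspecting, "https://shared-cdn.example/downloads/dropper.exe"),
        "ti-allow-listed-host": (plain, "https://partner.example/api"),
        "fqdn-wildcard": (plain, "https://updates.contoso.com/patch.cab"),
    }
    return {name: evaluate(pol, url) for name, (pol, url) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:40} {decision}")
```

Running demo() shows the two cases the prose argues for. With inspection off, the HTTPS request to linkedin.com/LegitUser cannot be matched by the URL rule (only the SNI host name is visible) and falls to the default deny, and a malicious URL on an allowed CDN host is let through by the FQDN rule because URL-level threat intelligence has nothing to match on. With inspection on, the first is allowed and the second is denied by the URL-level threat intelligence entry, even though the host itself is allowed.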
By enabling threat intelligence-based filtering on your firewall, you can receive alerts on, and block, traffic associated with known malicious IP addresses and fully qualified domain names (FQDNs). With recent enhancements, Azure Firewall threat intelligence offers finer-grained filtering, including identification of malicious URLs within specific domains. Consequently, while customers may allow access to a certain domain, any specific URL within that domain identified as malicious is denied by Azure Firewall. For more granular control, customers can use a threat intelligence allow list, which lets trusted FQDNs, IP addresses, ranges, and subnets bypass threat intelligence validation; keep that list short and reviewed, since every entry is a hole in the first ring. For HTTPS traffic, where URLs are encrypted, Azure Firewall Premium's TLS inspection comes into play. It enables URL-based threat intelligence analysis of encrypted traffic; without it, only the host name can be matched.

Over the past year, we observed a consistent upward trend in the number of web requests blocked as a result of threat intelligence filtering. On an average day we see over 20 million blocked requests to suspicious sites.

Security Risks in Azure Cloud Workloads

Unlike threat intelligence and URL/FQDN filtering, which are mainly egress oriented, the third ring of defense Azure Firewall offers is its intrusion detection and prevention system (IDPS, also an Azure Firewall Premium feature), which protects against both ingress and egress threats. IDPS is a security technology designed to detect and prevent unauthorized activities and potential threats within a network or system. An IDPS typically comprises two main components:
Intrusion Detection System (IDS): monitors network traffic, system logs, and other sources of information to identify potential security breaches or malicious activities.
It analyzes network packets, system events, and behavior patterns to detect signs of intrusion or suspicious behavior.
Intrusion Prevention System (IPS): goes a step further than IDS by actively taking measures against identified threats. It can automatically block or mitigate malicious network traffic or activities to protect the network or system from attacks.

The main functions of IDPS include:
Monitoring and detection: the IDPS constantly scans network traffic, searching for known attack patterns or abnormal behavior that could indicate an intrusion or security breach.
Alerting and reporting: when the IDPS detects a potential threat, it generates alerts or notifications for security personnel, with detailed information about the detected event, including the type of attack and severity level.
Response and prevention: an IDPS takes action to mitigate or prevent attacks by blocking network traffic.
Logging and analysis: the system maintains logs and records of security events, which can be used for post-incident analysis, forensic investigations, and compliance requirements.

Azure Firewall IDPS enhances the security posture of networks and systems by detecting and preventing unauthorized activities, reducing the risk of data breaches, and helping organizations respond effectively to security incidents. In the last year, we noticed a notable surge in network and application layer attacks. Using Azure Firewall's IDPS, we handled an average of over 5 million threat attempts per day. Over the past twelve months, the three main threats we've been preventing are malicious TLS sessions identified by JA3 client fingerprints, abuse of the Domain Name System (including DNS tunneling), and specific user agents associated with known malicious activity on the web. When customizing their firewall, customers can specify which signatures should be blocked and which only require detection and alerting.
Alerted threats are distributed differently: most of them are policy violations within an organization, plus audit-level informational events that can be useful for identifying interesting activity. Although network-layer attacks represent a significant share of what we observe, the majority of threats occur at Layer 7. Therefore, it's essential to use TLS inspection to protect against attackers who increasingly use TLS to keep their malicious activity hidden; an IDPS signature cannot match on a payload it cannot see.

Conclusion

Azure Firewall offers robust threat protection for workload deployments in Microsoft Azure. Customers can use its application- and network-level filtering rules and its integration with the Microsoft Threat Intelligence feed. URL and FQDN filtering analyze web traffic, and threat intelligence distinguishes safe from suspicious domains and URLs. URL filtering is a vital component of a robust security strategy, as it lets organizations prevent unauthorized connections from their network and data exfiltration attempts by threat actors. By leveraging TLS decryption, organizations extend these controls to encrypted traffic and strengthen their overall security posture. Azure Firewall's IDPS, comprising IDS and IPS components, provides an additional layer of defense by monitoring network traffic, detecting potential breaches, and taking preventive measures. Overall, Azure Firewall offers a comprehensive set of features to protect Azure cloud workloads against a range of threats and to improve customers' security posture against future ones.

Continue reading...