AWS

The tech world has always shown a lot of interest in Artificial Intelligence, especially in the last years. However, recently, interest has started to spread also outside the tech enthusiast bubble. Dall-E, the model developed by OpenAI to create images, started to give a new meaning to "generative AI", showing the capabilities of these new powerful AI models. But it's ChatGPT that really ignited the interest, by providing a conversational model that it's very close to the human one and that, most of all, can help you accomplishing many tasks: it can make searches, it can relate content together, it can generate summaries or lists, it can create stories, etc. A few days ago, Microsoft demonstrated how ChatGPT isn't just a "toy" to play with, by announcing a new shift of the search experience with the integration of a conversational and content generation experience into Bing and Edge. AI becomes a copilot, that can assist you during your daily tasks and help you to be more productive and, as the new Microsoft mission states, "do more with less". And I'm sure, in the coming months, we'll see even more integrations; some of them have already been announced, like the ones in Teams and Viva Sales. So, why don't we get ahead of the game and we start to play with the possibilities of using AI to improve productivity? In this blog post we'll combine the best of both worlds: the productivity offered by the Microsoft 365 ecosystem and the content generation capabilities of the latest AI models. We're going to build an Outlook add-in that, through OpenAI APIs, will help people to craft professional business mails from one or two sentences. We aren't going to use the real ChatGPT model, since it isn't available for public consumption yet, but we're going to use one of the many powerful GPT models offered by OpenAI. The goal of this blog post is to help you understand the capabilities of these models and the basic steps to integrate them. Once ChatGPT will be available (directly through Open AI or using another provider, like Azure Open AI, you will just need to swap the model (or the API implementation), but the basic architecture will stay the same. Let's start! Create the Outlook add-in We're going to create the Outlook add-in using the new web-based model, so you will need the following tools installed on your machine: The latest LTS version of Node.js. Visual Studio Code The Yeoman generator for Office add-ins. Once you have all the requirements, open a terminal and run the following command: yo office You will be guided through a series of steps to scaffold the starting template for the project. Use the following settings: Choose a project type: Office Add-in Task Pane project using React framework (here actually you can pick up the framework you prefer, but since React is the one I know better I'm going to use this template for this post). Choose a script type: TypeScript (also in this case you can pick up the language you prefer, but I highly suggest TypeScript for everything that is nothing more than a "hello world" in the web ecosystem). What do you want to name your add-in?: Give it a meaningful name, like "Outlook AI Mail generator". Which Office client application would you like to support?: Outlook Now the tool will scaffold the basic template and it will run npm install to restore all the dependencies. At the end of the process, you will find in the current folder a subfolder with the same name of the add-in you picked up during the wizard. Just open it with Visual Studio Code to start the coding experience. The Outlook add-in template contains two basic implementations of the two scenarios supported by Office add-ins: Task pane. The task pane is a HTML page that is displayed inside a panel placed on the right of the screen inside the application. The user can interact with the page and, through the Office SDK, perform operations that can interact with the context. Commands. These are operations that don't require any UI interaction. You click on a button and an operation is performed. Also in this case, through the Office SDK you can retrieve the context and operate on it. For example, you can select some text in the mail body and the command is able to read it. We're going to support both approaches, so that you can pick the one you like better. For the taskpane, this is the final look & feel we're going to achieve: The user will specify the text he wants to turn into a business mail in the first box. By pressing the Generate Text button, we're going to invoke the Open AI APIs, passing a prompt followed by the input text. The result returned by the API will be displayed in the second box. Users will have the chance to adjust and then, once they're done, they can click the Insert into mail button, which will use the Office APIs to include the text in the mail's body. For the command, instead, we don't really have a user interface, just a button available in our ribbon: The logic, however, is the same as the taskpane. The only difference is that the input text to process through Open AI won't be typed by the user in a dedicated box, but directly in the mail's body. Using the Office APIs, we'll retrieve the body and pass it to the Open AI APIs. Then, the result will be automatically pasted back into the body. Now that we have a better idea of the result, let's start to work! Configuring the manifest An Office add-in includes a file called manifest.xml, which describes it: the name, the publisher, the supported actions, etc. Before we start working on the code, we must make some changes. Some of them are purely cosmetic. For example, you can use the DisplayName property to change the name of the add-in that will be displayed to the user inside Outlook; or the IconUrl one to change the icon. A particularly important section, however, is the one called MailHost, which describes where and how the add-in will be integrated inside the Outlook surface. By default, the template includes the following extension point: This means that the add-in will be integrated in the reading experience: you'll be able to invoke it when you're reading a mail. This isn't our scenario, however. We want this add-in to help us in writing a new mail, so we must change this value as in the following snippet: Finally, we can customize the section inside the ShortStrings element to change the labels that are associated to the buttons: Now we can move to the code. Building the task pane We're going to focus on the taskpane folder of our solution, which includes the files that are used to render the web content displayed in the panel. Since I've picked up the React template, the taskpane.html page doesn't contain much. It includes only a div, called container, which is used by the index.tsx file to load the React application and render it into the div placeholder. The real application is stored inside the components folder: App.tsx is the main component, which defines the UI and includes the interaction logic. We also have some smaller components, which are used to render specific UI elements (like the header or the progress indicator). Let's start to build the various elements we need step by step. Since we're going to make multiple changes compared to the default template, I won't go into the details on what you need to change. Just replace the existing components and functions with the ones I'm going to describe in the rest of the article. Getting the initial text and pass to Open AI As the first step, we need to define the state of our main component. To support our scenario, we need the state to store the initial text and the generated one. As such, we must update the AppState interface as following: export interface AppState { generatedText: string; startText: string; } Let's initialize them as well in the constructor of the component with an empty string: export default class App extends React.Component { constructor(props) { super(props); this.state = { generatedText: "", startText: "", }; } } Now let's tlookat how we can define the UI, through JSX, the markup language (sort of) used by React, and the render() function of the component: render() { return ( Open AI business e-mail generator Briefly describe what you want to communicate in the mail: onChange={(e) => this.setState({ startText: e.target.value })} rows={10} cols={40} /> Generate text ) } We have added a textarea, which is where the user is going to type the starting text, and a button, which will invoke the Open AI APIs. As for the textarea, we subscribe to the onChange event (which is triggered every time the user types something) and we use it to store the typed text inside the state, through the startText property. Before implementing the onClick event of the button, however, we must take a step back and register to Open AI so that we can get an API key. Just go to OpenAI API and click on Sign Up (or Log In if you already have an account). Once you're in, click on your profile and choose View API keys. From there, click on Create new secret key and copy somewhere the generated key. You won't be able to retrieve it again, so do it immediately. The free plan gives you 18 $ of credits to be used within 3 months, which is more than enough for the POC we're building. Now that we have an API key, we can start using the Open AI APIs. The easiest way to do it in our add-in is through the official JavaScript library. Open a terminal on the folder which includes your project and type: npm install openai Then, at the top of the App.tsx file, add the following statement to import the objects we need from the library: import { Configuration, OpenAIApi } from "openai"; Now we can implement the onClick event that is triggered when the user clicks on the Generate text button: generateText = async () => { var current = this; const configuration = new Configuration({ apiKey: "add-your-api-key", }); const openai = new OpenAIApi(configuration); const response = await openai.createCompletion({ model: "text-davinci-003", prompt: "Turn the following text into a professional business mail: " + this.state.startText, temperature: 0.7, max_tokens: 300, }); current.setState({ generatedText: response.data.choices[0].text }); }; First, we create a Configuration object, passing in the apiKey property the API key we have just generated. Then we create a new OpenAIApi object, passing as parameter the configuration we have just created. Through this object, we can interact with the various models exposed by Open AI. The one related to text is accessible through the createCompletion() method, which requires as parameter an object with the following properties: model, which is the name of the model to use. In this sample, we're using text-davinci-003, which is the most advanced GPT model available through the APIs at the time of writing this article. Soon, Open AI will make available also ChatGPT as one of the available options. prompt, which is the text we want to process. We use a prompt that describes what we want to achieve (turn the following text into a professional business mail), followed by the text typed by the user (which we have previously stored in the component's state). temperature, which is a value between 0 and 2 that controls how much randomness is in the output. As explained in this good article, the lower the temperature, the more likely GPT-3 will choose words with a higher probability of occurrence. In our case, we set 0.7, which is a good balance between "too flat" and "too creative". max_tokens, which is the maximum number of words that will be returned by the API. This method is asynchronous and based on JavaScript promises, so we can use the async / await pattern to invoke it. This means that the final line of our snippet will be called only when the API has returned a response. Specifically, the text generated by Open AI will be included in the text property of the first element of the data.choices collection. We store it in the generatedText property inside the component's state, so that we can later use it. Use the generated text to craft our mail Now that Open AI has generated the text of our business mail for us, we must display it to the user, give them the option to edit it and then use it as body of the mail. In order to do that, we need to add a new property in our state to store the final text to include in the mail, which might have some differences compared to the one generated by Open AI since we're giving the user the option to edit it. Here is the updated definition of the AppState interface: export interface AppState { generatedText: string; startText: string; finalMailText: string; } Let's not forget to initialize it as well in the component's constructor: export default class App extends React.Component { constructor(props) { super(props); this.state = { generatedText: "", startText: "", finalMailText: "" }; } } Now that we have the property we need, let's add a new box and a new button to our application, by adding the following elements in JSX right below the ones we've added in the previous section: defaultValue={this.state.generatedText} onChange={(e) => this.setState({ finalMailText: e.target.value })} rows={10} cols={40} /> Insert into mail The textarea control in React has a property called defaultValue, which we can set with a text that we want to display when the component is rendered. We connect it to the generatedText property available in the component's state. This way, once the Open API call has returned the generated text and stored it into the state, the box will automatically update itself to show it. Then, like we did with the previous box, we handle the onChange event, by saving the text typed by the user inside the finalMailText property of the component's state. Finally, we have another button, which invokes a function called insertIntoMail(), which is described below: insertIntoMail = () => { const finalText = this.state.finalMailText.length === 0 ? this.state.generatedText : this.state.finalMailText; Office.context.mailbox.item.body.setSelectedDataAsync(finalText, { coercionType: Office.CoercionType.Html, }); }; Here we can see the Office SDK in action. First, we determine if the user has made any change to the text generated by Open AI. Then, we call the Office.context.mailbox.item.body.setSelectedDataAsync() method, passing as parameter the final text (the one generated by the Open API plus any edit the user might have done). This method will take care of adding the text into the body of the mail, specifically where the text cursor is placed. Building the command Building the command requires less effort than the taskpane, since we don't have any UI. We just need to intercept the click on the button in the ribbon and manage it. The default commands.ts file inside the commands folder includes a function called action(), which we can use for this purpose. First, let's create a new function that takes the body of the mail and processes it using Open AI: function getSelectedText(): Promise { return new Office.Promise(function (resolve, reject) { try { Office.context.mailbox.item.body.getAsync(Office.CoercionType.Text, async function (asyncResult) { const configuration = new Configuration({ apiKey: "your-api-key", }); const openai = new OpenAIApi(configuration); const response = await openai.createCompletion({ model: "text-davinci-003", prompt: "Turn the following text into a professional business mail: " + asyncResult.value, temperature: 0.7, max_tokens: 300, }); resolve(response.data.choices[0].text); }); } catch (error) { reject(error); } }); } The main difference with the taskpane is that, in this case, we are getting the text to turn into a business mail directly from the body of the mail. To do it, we use the Office SDK and, specifically, the Office.context.mailbox.body.getAsync() method. Being asynchronous, we receive the body in a callback, in which we implement the Open AI integration, which is the same we have seen for the taskpane. By using the Open AI library, we send a prompt followed by the text typed by the user to Open AI, by using the createCompletion() function and using the text-davinci-003 GPT model. Once we get a response, we return to the caller the text processed by Open AI, which is stored inside the text property of the first element of the data.choices collection. Now we can implement the action() function: function action(event: Office.AddinCommands.Event) { getSelectedText().then(function (selectedText) { Office.context.mailbox.item.setSelectedDataAsync(selectedText, { coercionType: Office.CoercionType.Text }); event.completed(); }); } Also, in this case we're using code we have already seen in the taskpane implementation. We call the getSelectedText() function we have just created and, once we have the generated business mail, we use the Office.context.mailbox.item.setSelectedDataAsync() method to copy it into the mail's body. In the end, we call event.completed() to let Office know that the command execution is completed. Testing and debugging the add-in Visual Studio Code makes testing the add-in easy, thanks to a series of debug profiles which are created by Yeoman. If you move to the Debug tab of Visual Studio Code, you will find different profiles, one for each Office application. The one we're interested in is called Outlook Desktop (Edge Chromium). If you select it and you press the Play button, two things will happen: A terminal prompt will be launched. Inside it, Visual Studio Code will run the local server (which uses Webpack to bundle all the JavaScript) that serves the add-in content to Outlook. Outlook will start and you will see a security prompt asking if you want to sideload the add-in. Now click on the button to compose a new mail and based on the size of your screen, you should see your add-in available in the ribbon (or, in case it doesn't fit, you'll see it by clicking on the three dots at the end of the ribbon). When you click on it, a panel on the left will be opened, like the one we have seen at the beginning of the post. You will also be asked if you want to connect to the debugger, make sure to click Yes to confirm. Now type a simple sentence that you want to turn into a mail. For example, something like: David, I'm planning to work on your garden tomorrow at 3 PM, but I might be a bit late. Then click on Generate text and, after a few seconds, you should see a more carefully crafted text being displayed in the box below: Dear David, I hope this message finds you well. I wanted to let you know that I am planning to work on your garden tomorrow at 3 PM, however, I may be running a bit late. I apologize for any inconvenience this may cause. Thank you for your understanding. Sincerely, [Your Name] Now you can make the changes you need, then click on Insert into mail. You will find the text included inside the body of the mail, ready to be sent to your customer. In background, Visual Studio Code has attached a debugger to the WebView which is rendering the panel inside Outlook. This means that you can set breakpoints in your TypeScript code and do step-by-step debugging whenever it's needed. For example, you can set breakpoints inside the generateText() function and monitor the interaction with Open AI APIs. The local server, additionally, supports live reload, so whenever you make any change, you won't have to redeploy the add-in, but they will be applied in real time. The same testing can be done also for the command. The difference is that you must type the text to turn into a business mail directly in the mail's body, then click on the Generate business mail button in the ribbon. A loading indicator will be displayed at the top of the window, and you'll be notified once the operation is completed. Also, in this case the Visual Studio Code debugger will be attached, so you can set breakpoints in your code if needed. Deploying the add-in Once you're done testing, you can choose to make available your plugin to a broader audience. The publishing story for Office add-ins is similar to the Teams apps ones: You can share the add-in for manual sideloading, which is great for testing and limited distribution. You can publish the add-in in your organization, so that all the employees can pick it up from the add-in store. You can publish the add-in in the Office store, to make it available to every Office customer around the globe. Regardless of your choice, Office is just the "interface" for your add-in, but it doesn't host it. This is why the only required component to deploy for an Office add-in is the manifest, which includes all the information on where the web app is hosted. If you explore the manifest.xml file we have previously edited, you will find the following tag, which defines the entry point of our taskpane: Ideally, once you're ready to deploy, this URL (and the other localhost references included in the manifest) will be replaced by the real URL of the web application. If you want to start the process to make your add-in available to a broader audience, Visual Studio Code is still your best friend. The following document will guide on how to leverage the Azure extension for Visual Studio Code to generate the distributable version of the add-in and to publish it on Azure Storage, which is a perfect match for our scenario since the add-in is made only by static web content. Once you have published your add-in, you can open any Outlook version (desktop, web, etc.), click on Get add-ins, move to the My add-ins section and, under Custom addins, click on Add a custom add-in. From there, you can either pick up the manifest.xml file of your project or specify the URL of the manifest published on Azure Storage. This way, people will be able to add it to Outlook without needing you to share any file. Wrapping up In this blog post we have learned how we can help users to be more productive by infusing software with the latest powerful AI models created by Open AI. Specifically, we focused on the Microsoft 365 ecosystem, by providing an Outlook "copilot" to help you write more professional business mails. And this is just the beginning! We know that new and powerful models are already available (like ChatGPT) and that Microsoft will directly offer new integrations. It's an exciting time to work in the tech space =) You can find the definitive version of the add-in on GitHub, with a few improvements that we didn't discuss in this blog post since they help to deliver a better UX, but they aren't strictly connected to the AI integration (like showing a progress indicator meanwhile Open AI processes the input text in the taskpane). Happy coding! Continue reading...

Set user expectations about Windows 11 adoption across your organization with these resources in just over one hour! Take a bite of quick readiness assessment and training snacks to prepare yourself and your end users for the latest features and experiences. Time to learn: 71 minutes [attachment=32309:name]DOWNLOAD Windows 11 Onboarding Kit Use this kit to help educate people in your organization for Windows 11. From documents and schedules to help you create an upgrade plan to sample employee emails and education materials, this kit offers guidance and templates that can be easily customized with your company's logo, name, and relevant links. [attachment=32310:name]WATCH Getting started with Windows 11 via onboarding features and app See how you can familiarize end users with the OOBE (out of the box experience), Welcome Back features, and the Get Started app. Help them transition from an old device to a new device seamlessly. (2 mins) Features + Settings + Files + Apps + User Experience [attachment=32311:name]READ Windows 11 onboarding and demo lab test kits Follow the advice in this blog post on how to use the onboarding kit you've just downloaded. Learn about a set of demo lab test kits that you can utilize in your training sessions with end users. (5 mins) User Experience + Office 365 + Server 2022 + Edge + OneDrive + Universal Print + ConfigMgr + Autopilot + Azure + Intune + Microsoft 365 Apps + GPO + BitLocker + Defender + Windows Hello [attachment=32312:name]READ Assess organizational change readiness Assess technical readiness as part of your upgrade journey. Borrowed from our friends in Microsoft Teams, these activities provide context for organizational change and teamwork. (8 mins) Teams + Early Adopters + Informed Users + Laggards [attachment=32313:name]READ Prepare a user readiness plan After assessing organizational change readiness, plan for user readiness. Taking advantage of these tips from our friends in Microsoft Teams to help you personalize your approach. (2 mins) Upgrade Success Kit + Communication + Training + Support [attachment=32314:name]WATCH Windows productivity & collaboration Get tips on how to light up productivity and collaboration features for the end users across your organizations. Learn from engineering and product teams as they answer specific questions on accessibility, taskbar, and more. (49 mins) File Explorer + Live Captions + Taskbar + Feedback + Camera & Video + Tasks + Voice Typing + Touch Keyboard [attachment=32315:name]READ 11 tips to get the most out of Windows 11 Share or walk your end users through the screenshots with 11 practical tips on how to improve their use of the PC for their work-life balance. The tips range from accessibility to productivity to collaboration. (5 mins) Live Captions + Focus + Voice + Layout + Video Editing + Gaming + Carbon Emission Reduction + Apps + Defender + Security Did that hit the spot? For further exploration of Windows 11 features, poke around Windows 11 Tips, Tricks & Features and Preparing your organization for a seamless Windows deployment. Found one you'd like to chew on some more? Let us know in the comments below. Come back for second helpings during your weekly work breaks! Continue the conversation. Find best practices. Bookmark the Windows Tech Community. Stay informed. For the latest updates, stay tuned to this blog and follow us @MSWindowsITPro on Twitter. Continue reading...

Microsoft 365 Defender Monthly news February 2023 Edition [attachment=31752:name] This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from January 2023. NEW: At the end we now include a list of the latest threat analytics reports, as well as other Microsoft security blogs for you. Legend: [attachment=31753:name] Product videos [attachment=31754:name] Webcast (recordings) [attachment=31755:name] Docs on Microsoft [attachment=31756:name] Blogs on Microsoft [attachment=31757:name] GitHub [attachment=31758:name] External [attachment=31759:name] Product improvements [attachment=31760:name] Previews / Announcements Microsoft 365 Defender [attachment=31761:name] Build custom incident response actions with Microsoft 365 Defender APIs. Use the Microsoft 365 Defender APIs to perform custom actions in bulk. [attachment=31762:name] Use Microsoft 365 Defender role-based access control (RBAC) to centrally manage user permissions. The new Microsoft 365 Defender role-based access control (RBAC) capability, currently in public preview, enables customers to centrally control permissions across different security solutions within one single system with greater efficiency and consistency. More information on docs: Microsoft 365 Defender role-based access control (RBAC). [attachment=31763:name] Alert evidence are shown in the alert side panel. See all related alert evidence from the alert side panel at a glance - and click on each evidence to get more information. You can open the alert side panel from the incident queue, alerts in incident, device and user page, or any other experience where you investigate alerts in the portal. [attachment=31764:name] The new Microsoft Defender Experts for Hunting report is now available. The report's new interface now lets customers have more contextual details about the suspicious activities Defender Experts have observed in their environments. It also shows which suspicious activities have been continuously trending from month to month. [attachment=31765:name] Supporting search the schema in Advanced hunting. Search across the schema, queries, functions and custom detection rules is now available in Advanced hunting page. You can search for names of tables, columns, queries and rules to easily locate what you are looking for. [attachment=31766:name] Guided mode improvements in Advanced hunting. Using the guided mode in Advanced hunting you can craft queries using a friendly query builder. As we are improving the expereince, you can now: 1. Customize the sample size of the results from your query (set the number of results you wish to get back) 2. Add conditions from the results set to the query [attachment=31767:name] Supporting "all device groups" and "all organization" scoping in Custom detection rule and Alert suppression. When configuring a custom detection or alert suppression rule, the "all device groups" and "all organization" scoping was an ability saved only for the Admin users. M365D is now supporting the same capability for users exposed to all the existing device groups, saving time to select all separately [attachment=31768:name] The new Identity page including Identity timeline is now in public preview! Identity timeline is now available as part of the new Identity page in Microsoft 365 Defender! The updated User page in M365 Defender now has a new look and feel, with an expanded view of related assets and a new dedicated timeline tab. The timeline represents activities and alerts from the last 30 days, and it unifies the user’s identity entries across all available workloads (Defender for Identity/Defender for Cloud Apps/Defender for Endpoint). By using the timeline, you can easily focus on activities that the user performed (or were performed on them), in specific timeframes. Microsoft Defender for Endpoint [attachment=31769:name] Introducing tamper protection for exclusions. One of the most requested features for tamper protection is protection of antivirus exclusions. With that in mind, the Microsoft Defender team has implemented new functionality that allows (path, process, and extension) to be protected when deployed with Intune. [attachment=31770:name] Recovering from Attack Surface Reduction rule shortcut deletions. This blog contains information on how to recover from Attack Surface Reduction rule shortcut deletions and is being updated on a regular basis when new information becomes available. Microsoft Defender for Identity [attachment=31771:name] New health alert for verifying that Directory Services Object Auditing is configured correctly. If the Directory Services Object Auditing configuration does not include all the object types and permissions as required it can limit the sensors' ability to detect suspicious activities. [attachment=31772:name] New health alert for verifying that the sensor’s power settings are configured for optimal performance. If the operating system's power mode is not configured to the optimal processor performance it can impact the server's performance and the sensors' ability to detect suspicious activities. [attachment=31773:name] Redirecting accounts from Microsoft Defender for Identity to Microsoft 365 Defender. Starting January 31, 2023, the portal redirection setting will be automatically enabled for each tenant. Once the redirection setting is enabled, any requests to the standalone Defender for Identity portal (portal.atp.azure.com) will be redirected to Microsoft 365 Defender (Sign in to your account) along with any direct links to its functionality. Accounts accessing the former Microsoft Defender for Identity portal will be automatically routed to the Microsoft 365 Defender portal. Microsoft Defender for Office 365 [attachment=31774:name] Automatic Tenant Allow/Block List Expiration Management is now available in Defender for Office 365! Microsoft Defender Vulnerability Management [attachment=31775:name] Leverage authenticated scans to prevent attacks on your Windows devices. Authenticated scans for Windows provide the ability to remotely target by IP\range or hostname and scan Windows services by equipping the tool with credentials to remotely access the machines. Microsoft 365 Defender Threat Analytics Reports Threat Insights: OAuth consent phishing trust abuse. As detection and protection controls for traditional credential phishing increase, attackers are adopting OAuth consent phishing, a technique that tricks a user into allowing a malicious application to perform actions on behalf of their account without the need for credentials. SystemBC tool used in human-operated ransomware intrusions. SystemBC is a post-compromise commodity remote access trojan (RAT) and proxy tool that Microsoft researchers have observed multiple adversaries use in a diverse array of seemingly opportunistic ransomware attacks on targets across various sectors and geographies. These adversaries use SystemBC infections to deliver additional malware and maintain persistence in a compromised environment. To this end, multiple groups including DEV-0237, DEV-0832, and DEV-0882, continue to use SystemBC with, or as a substitute for, Cobalt Strike in compromises that ultimately result in the deployment of payloads like Play, Black Basta, and Zeppelin. DEV-1039 mass SQL server exploitation continues to deliver Mallox ransomware. Since at least mid-2022, the threat group that Microsoft tracks as DEV-1039, has deployed both Mallox (also known as Fargo) and GlobeImposter ransomware in mass opportunistic Microsoft SQL server vulnerability exploitation attacks. After initial exploitation, DEV-1039 delivers commodity malware like Remcos, and deploys Mallox, GlobeImposter, or BlueSky ransomware. CVE-2022-47966: Zoho ManageEngine unauthenticated SAML XML RCE vulnerability. A proof of concept (POC) for CVE-2022-47966 was released on Github on January 18, 2022. Microsoft observed an increase in ManagedEngine exploitation in our endpoint telemetry in the past seven days. Microsoft recommends patching this vulnerability as soon as possible. DEV-0300 ransomware activity. The group Microsoft tracks as DEV-0300 represents unattributed activity associated with ransomware attacks, including both pre-ransomware activities and ransomware deployment. As multiple cybercrime actors customize and reuse a range of common tools and techniques deployed in ransomware attacks and the relationships between actors change very rapidly, Microsoft labels observed ransomware-related activity that has not yet been associated with a known tracked group as DEV-0300. As more patterns are identified from this activity, it is often merged into existing Activity Groups or split into new, well-defined clusters. Continue reading...

Architecture and Capabilities: From the endpoint security management architecture perspective, this scenario fulfills the gap of managing endpoint security features on unmanaged devices. For Intune managed devices, either cloud-only or co-management scenarios provided the endpoint security management capabilities. Also, Intune and Configuration Manager integration provided similar management capabilities for on-prem (ConfigMgr) managed devices. Finally, security configuration enforcement integration between MDE and Intune helps security teams to use the same admin interface – Intune console – to deploy Security policies to the devices that are enrolled to MDE only. Unified Endpoint Security Management Experience Architecture So let’s have a look at the configuration requirements and components of the solution first and start configuring on our test tenant and validate the configuration afterwards: First, supported platforms while this document was written were Windows Server operating systems starting from Windows Server 2012 R2 up to Windows Server 2022 and Windows 1x clients. However it is always a good idea to check the official documentation for an updated list of supported platforms. Architecture of Microsoft Defender for Endpoint Integration with Microsoft Endpoint Manager Conceptually, devices need to be enrolled to Microsoft Defender for Endpoint service to be able to have policies applied. Also, an Azure AD trust is required to communicate with AAD & Intune. Once communication is started with Intune, status is reported, and policy information is pushed down and applied to the endpoint. From capabilities perspective, Intune – MDE integration provides fundamental security policy management such as antivirus configuration, antivirus exclusions, firewall configuration, firewall configuration exclusions and EDR configuration. However, it is always a good idea to check for updated capability documentation to check for future capability improvements while making a decision. Initial Status: I have started configuration by onboarding several devices to MDE tenant. As you can see from the device inventory view in MDE; two of them are managed directly by Intune (MEM), one of them is managed by Configuration Manager agent and a two listed as “Unknown” in managed by column. Snippet from Microsoft Defender for Endpoint, Device Inventory View Configuration management view also shows the same information focused on Security Enforcement feature in graph view. As you can see from the following snippet, no devices security settings are enforced by MDE in the initial status. Snippet from Microsoft Defender for Endpoint, Endpoints Node, Configuration Management View When looking at the Endpoint Manager console for all devices, we would see only the ones that are managed are listed: Snippet from Microsoft Intune, Endpoint Security Node, All Devices View Also, on the Azure AD portal we can see the devices that are already joined to the tenant. Note that not all of the AAD Joined devices are listed in Intune. Snippet from Azure Active Directory, Devices View Now let's proceed with the integration. Configuring the Integration Integration has two parts in configuration. First part is to integrate Microsoft Defender for Endpoint and Microsoft Intune if not already integrated. This is done in Settings – Endpoints – Advanced Features view. When scrolled through the available features, Microsoft Intune connection can be seen. Once it is turned on, it will also be available on the Intune side. Snippet from Microsoft Defender for Endpoint, Settings - Endpoints - Advanced Features View Second, configuration is about Security settings management. This configuration can be turned on from Settings – Endpoints – Configuration Management. Snippet from Microsoft Defender for Endpoint, Settings - Endpoints - Configuration Management View When turned on, additional configuration options will be available to define enforcement scope for endpoint security configuration. The first option is selecting windows device type for configuration enforcement. We can distinguish between Windows client and Windows Server devices. Also, it is possible to define a subset of these device types by tagging them as “MDE-Management” so that a more granular management would be in place. The second section defines if the security settings management for devices that are enrolled by Microsoft Defender for Cloud will be handled by MDE. The last option is to define the enforcement for the devices that have Configuration Manager agent. With this setting turned on, configuration manager agent will take care of security policies on CM managed devices. Snippet from Microsoft Defender for Endpoint, Settings - Endpoints - Configuration Management Node, Enforcement Scope View These settings were the ones that allow MDE to push down the security policies created in Intune. However, a simpler configuration is also needed on Intune end to enable MDE integration. This configuration is present in Microsoft Defender for Endpoint view under Endpoint security node. Setting is listed as “Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations”. Once this setting is turned on, it will open MDE channel for pushing down the security policies. Snippet from Microsoft Intune, Endpoint Security Node, Microsoft Defender for Endpoint View Post Configuration: First change following the configuration is the new reflected device to Microsoft Intune. As you can see new device named CON01 is reflected on Intune console. Its management authority is listed as MDE. Snippet from Microsoft Defender for Endpoint, Endpoint Security Node, All Devices View On Microsoft Defender for Endpoint, we can see the managed by attribute for devices that was reported as “Unknown” turns to “MDE” under device inventory. Snippet from Microsoft Defender for Endpoint, Assets Node, Device Inventory View It is also reflected in the configuration management section. Following our configuration, 40% of devices security settings are enforced by MDE. Device configuration management view also gives information about devices that are onboarded via MDE security management feature. Snippet from Microsoft Defender for Endpoint, Endpoints Node, Configuration Management View I won’t go into the specifics of the AV policies that you may configure via Intune, however when you take a look at a policy that is created in the Intune console, you may see the target policy applies is listed as mdm and microsoftSense. Meaning this policy is applied on Intune managed devices as well as devices that have security enforcement is configured for MDE. Snippet from Microsoft Intune, Endpoint Security Node, Antivirus Policies View Controls in Client: After you validate that the security configuration is enforced to the client from MDE console, there are two main controls on the client side to make sure the policies are applied. The first thing to check is the Windows Security application itself. You will notice that Virus & threat protection settings are listed as managed by system administrator and is configured by the policy settings created in Intune. Snippet from Windows Security Application, Virus & threat protection settings Second control would be running a “get-mppreference” commandlet on the endpoint. It will show the running policy configuration on the endpoint. Snippet from PowerShell, Get-MPPreference Cmdlet Things to Consider: Azure AD Trust: For the integration to work properly, all devices should have some trust relationship with Azure AD. When you consider Domain Joined devices; this would be Hybrid Azure AD Joining the devices. On the other hand, Domain Controller devices are not capable of doing a Hybrid Azure AD Join - at least that was the case while this post is written. So, if you will need to manage Microsoft Defender in your DCs, you will either need a Configuration Manager integration as discussed here, or you will need to have a legacy solution such as GPOs for this specific server role. OS Upgrade Level: Most companies have a better level of update than my lab environment. And i found it in the hard way that the OS Update level can be a problem while waiting for things to work. My bad that i've used vanilla versions of WS 2019, which is already 3 years old. Bottomline, check if your devices are in the supported OS level. Creating Groups for Policies: I did not walk through the process, however if you need to apply different AV configurations for different device types, it would be a good idea to create groups and apply policies to those groups as detailed here. Tamper Protection: Another interesting learning for me is the fact that you will need to disable tamper protection before applying these policies. Otherwise, it won't work as mentioned here. Wrap-up Intune has an integration with Microsoft Defender for Endpoint which allows fundamental security policy enforcement on non-managed clients. Even though this is limited to Antivirus, Firewall and EDR policies; it fills an important gap on certain scenarios. This also helps Intune to be a unified endpoint security management interface for companies. Continue reading...

Overview We are excited to announce public preview of device isolation for Microsoft Defender for Endpoint on Linux devices both manually through the Microsoft 365 Defender portal and using APIs. Some attack scenarios may require you to isolate a device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. Just like in Windows devices, this device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, while continuing to monitor the device. Important to note: When isolating a device, only certain processes and web destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic. Exclusion is not supported for Linux isolation This capability is part of the set of response actions that can be taken on a device. Further information on the response actions can be found in Take response actions on a device in Microsoft Defender for Endpoint | Microsoft Learn. Note: The capability applies to all Microsoft Defender for Endpoint Linux supported distros documented in the System requirements page. Walkthrough Linux Manual Isolation In the Microsoft 365 Defender portal, navigate to the device page of the Linux device. You’ll see the “Isolate Device” action among other response actions on the device page Figure 1: ‘Isolate Device’ on the Device page Once the action is completed on the device, you can track progress in the Action Center. You'll be able to reconnect the device back to the network at any time. The button on the device page will change to say Release from isolation, by following the same steps as isolating the device. API Linux isolation is available using APIs. For more details, please refer to the resources below: Isolate machine API | Microsoft Learn Release device from isolation API | Microsoft Learn Let us know what you think We are excited to bring this feature to you and your security teams. Try it out today and let us know what you think in the comments below! We take all feedback into account as we work to continue to improve your security experience in Microsoft Defender for Endpoint. If you have questions or comments, reply to this post or reach out to linuxisolation@microsoft.com. For more information: Take response actions on a device in Microsoft Defender for Endpoint | Microsoft Learn Continue reading...

A vibrant new look and feel is coming to Microsoft Teams Rooms on Windows consoles and front-of-room displays. To make Teams Rooms even easier to use, we're aligning key elements of the user interface across the Windows and Android ecosystems. These updates will be generally available by the end of this quarter, in Microsoft Teams Rooms on Windows application version 4.16. Users will first notice the vivid new ambient screens and a refreshed calendar on consoles and front-of-room displays. They will also enjoy improved visual cues throughout the experience that make it easier and more intuitive to interact with the console. On the calendar, users will be able to scroll down on the calendar to see the schedule for the entire day. Front-of-room display and calendar Updated buttons on the console allow users to quickly access the most used features, including: Meet: Start a new meeting from the room Call: Make a call to a phone number or add a person from directory Share: Share local HDMI content Join via ID: Enables this Teams Room to join a Teams meeting using the meeting ID, with Direct Guest Join interoperability functionality coming later this year More: Opens the overflow menu (see details below) Console and calendar The new overflow menu screen enables users to further interact with the room, and simplifies access extended features, like extensibility apps. Some examples of features on the overflow menu include: Invite this room: Use the Room audio and video for a Teams meeting initiated on your companion device Accessibility: Enable accessibility features Report a problem: Report a problem to your IT admin Restart device: Restart the device functionality Settings: Access settings In addition, error states and associated messages have simplified to help allow for quicker resolution. Simplified error states For enhanced customization, your organization will have a wider range of ambient screens to choose from than before, with five exciting new themes added to the eight themes currently available. Accompanying the new look and feel, end users will enjoy more control of the front-of-room display during a meeting with an updated interface for the view switcher menu. Additionally, users will be able to customize the Front Row view, including visibility of the meeting chat, and choose which meeting component is displayed on the left and right panel. IT admins will be able to configure the default number of panels and default components on panel(s). We hope you enjoy this updated experience! Continue reading...

Organizations today face the continually changing and complicated task of protecting their ever-expanding attack surface from cyber-attacks. The move to the Cloud and remote workspaces has pushed the boundary of their digital ecosystem well beyond their traditional physical network. Data, users, and systems are in multiple locations, creating significant challenges for security operations teams tasked with defending their organizational assets. Information Security personnel need to be equipped with solutions to identify new adversaries and threats like ransomware. It's now crucial for defenders to have unique visibility across both their organization's attack surface and the threat infrastructure used to target it. In this blog, I will highlight key capabilities in Microsoft Defender for Cloud (MDC) and Microsoft Defender Threat Intelligence (MDTI) that, when used together, enable analysts to quickly understand exposures and equip them with crucial context about threat actors likely to target them. can help identify and mitigate modern threats and their infrastructure with dynamic threat intelligence by applying three key capabilities: Identify attackers and their tools. Accelerate detection, incident response, investigations, and remediation. Enhance security tools and workflows. To watch an overview of MDTI, please review the episode MDC is a cloud-native application protection that helps strengthen security posture, enabling protection against modern threats and helping reduce risk throughout the cloud application lifecycle across multi-cloud and hybrid environments. MDC works with security teams to efficiently reduce the risk of an impactful breach to their environment. During Microsoft Ignite, MDC introduced new capabilities, including the cloud security graph and attack path analysis capabilities that enable analysts to assess the risk behind each security issue and identify and prioritize the highest-risk issues. What is Cloud Security Explorer? Cloud Security Explorer provides defenders with the ability to perform proactive exploration. With it, analysts can search for security risks within their organization by running graph-based path-finding queries on top of the contextual security data Defender already provides for Cloud, including cloud misconfigurations, vulnerabilities, resource context, lateral movement possibilities between resources, and more. figure; Cloud Security Graph Threat Intelligence Articles and the Cloud Security Graph One of the critical features of MDTI is Articles. Articles are written by Microsoft research teams or curated open-source intelligence enriched by Microsoft's unique insight into threat actors, tooling, attacks, and vulnerabilities. MDTI intelligence includes actionable content and critical indicators of compromise to help security professionals act quickly against threats and continuously track threat actors, tooling, attacks, and vulnerabilities as they evolve. The following image shows an overview of the different Articles created in MDTI with a Tag, which provides insight into an artifact and quickly links incidents and investigations with historical context for improved analysis. Figure: article View on Microsoft Defender for Threat intelligence In this case, we are interested in the Article "DEV-0882 exploits web-facing assets to deploy ransomware" due to aligned Tags for ransomware and CVEs. After clicking on the article, the analyst can obtain a deeper understanding of the threat actor identified and tap into crucial explanatory information ranging from a summary of the threat, an analysis of the infrastructure it targets, and information for post-compromise and mitigation tactics. In this situation, we can track the threat actor DEV-0882, which is consistent with ransomware campaigns. Figure: identified related CVEs within Article "DEV-0882 exploits web-facing assets to deploy ransomware" The article can also contain a detailed analysis of the threat actor and its underlying infrastructure. In this case, we get information on the infrastructure targeted by the threat actor and their post-compromise tactics. Figure: Analysis information for article "DEV-0882 exploits web-facing assets to deploy ransomware" Some of the articles will also contain information detailing mitigation tactics that customers can apply to their environment: Figure: Mitigation procedures described in the Article "DEV-0882 exploits web-facing assets to deploy ransomware" In this case, we have identified the CVEs related to the article "DEV-0882 exploits web-facing assets to deploy Play ransomware." They are CVE-2022-41080, CVE-3031-34473, CVE-2021-31207, CVE-2021-34523, and CVE-2022-41040. Proactively, a SOC analyst can proceed to the cloud Security explorer blade in MDC and run a query searching virtual machines that each vulnerability could impact. This can be seen in the following approach: Figure: Using cloud security explorer to search for Vulnerabilities based on CVEs identified in MDTI MDTI Enriches Alerts in MDC As analysts triage alerts generated within MDC (paid plans will need to be enabled for this to occur), they can use MDTI to quickly investigate entities' information to promptly identify the following: If an artifact (IP, domain, or host) exists in any threat intelligence articles. The artifact's reputation: MDTI generates proprietary reputation scores for any Host, Domain, or IP address to help provide quick information about the activity of these entities, such as First and Last-Seen timespans, ASN, country, associated infrastructure, and a list of rules that impact the reputation score (when applicable). Analyst Insights: These insights distill Microsoft's vast data set into a handful of observations that simplify the investigation and make it more approachable to analysts of all levels. Insights are small facts or observations about a domain or IP address and enable Defender TI users to assess the artifact queried and improve a user's ability to determine if an indicator being investigated is malicious, suspicious, or benign. To get started with the investigation in this scenario, we will begin with the security alerts blade on MDC to identify the alert of interest and the alert's full details. Figure: Alert generated by Microsoft Defender for Cloud "Suspected brute force attack attempt using a valid user " Clicking on the 'View full details' option of the alert, an analyst gets more information and can see the severity information, description, and affected resources. They get crucial visibility of the related entities identified and can pivot to MDTI for further investigation. Figure: Alert view on Microsoft Defender for Cloud, highlighting the entities involved in the alert. On the MDTI workbench, the analyst can search for the IP address (80.66.76.39) identified in the alert. Figure: Heading over to MDTI and searching the artifact (IP~ 80.66.76.39) On searching the artifact, MDTI provides information an analyst can use to determine the entity's validity. In this case, we see data that confirms the IP is potentially used for malicious activity. The reputation score indicates suspicious activity. Figure: Artifacts results capturing reputation scoring, analyst insights, and Articles View The MDTI workbench also provides the user with the ability to pivot to the data blade, where they can identify a series of datasets categorized into two groups: Traditional (Resolutions, Whois, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services) and Advanced (Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies). The primary focus is to collect data about the internet infrastructure to support the investigation process. Figure: Proceed to the Data tab: Who IS information for Suspicious Artifact In this case, the analyst can determine if the IP used in the suspected brute force attack is synonymous with malicious activity and use it to identify other entities that could serve as investigative leads for incident response and threat hunting. In summary, there are a variety of scenarios where Microsoft Defender for Threat Intelligence can work hand in hand with MDC. The scenarios above offer proactive and reactive methods for SOC analysts, Threat hunters, and Vulnerability managers to leverage both tools to improve their operations and processes. Questions? We hope you found this blog helpful in understanding the value MDTI can provide. If you have inquiries regarding threat intelligence use cases mentioned or not mentioned in this blog and are not currently working with an MDTI Technical Specialist or Global Black Belt, please email mdti-pm@microsoft.com. Feedback? We would love to hear any ideas you may have to improve our MDTI platform or where our threat intelligence could be used elsewhere across the Microsoft Security ecosystem or other security third-party applications. Feel free to email mdti-pm@microsoft.com to share that feedback as well. If you are currently working with an MDTI Technical Specialist or Global Black Belt through this PoC, please communicate your requested use cases and product feedback to them directly. Learn About New MDTI Features Please join our Cloud Security Private Community if you're not a member and follow our MDTI Private & Public Preview events in our MS MDTI channel. You will not have access to this Teams channel until you are a Cloud Security Private Community member. Users that would like to help influence the direction/strategy of our MDTI product are encouraged to sign-up for our Private Preview events. Those participating will earn credit towards respective Microsoft product badges delivered by Credly. Work With Our Sales Team If you are interested in working with an MDTI Technical Specialist or Global Black Belt, please get in touch with our Sales team by filling out this form. Resources What is Microsoft Defender Threat Intelligence (Defender TI)? | Microsoft Learn Microsoft Defender Threat Intelligence Blog - Microsoft Community Hub Become a Microsoft Defender Threat Intelligence Ninja: The complete level 400 training Continue reading...

When it comes to protecting servers in hybrid and multicloud environments, Microsoft Defender for Servers as part of Microsoft Defender for Cloud is the solution you might be looking for. However, with all the features, dependencies, and complexity, it might become challenging to always make the right decision when planning, integrating, and deploying Defender for Servers across your environment. With this blog, we are focusing on deployment and integration of Microsoft Defender for Endpoint with Microsoft Defender for Servers on Linux machines. Microsoft Defender for Servers is available in two different plans, both of which include integration and automated deployment of Microsoft Defender for Endpoint for both, Windows and Linux machines. Defender for Servers plan comparison To learn more, see this table about supported features for VMs and servers in Defender for Cloud. Also, to learn more about Defender for Servers plan features, see this documentation. How to enable Defender for Endpoint integration for Linux machines Microsoft Defender for Endpoint for Linux integration has been introduced to Defender for Servers back in summer 2021. At this time, Defender for Endpoint integration for Windows servers has been part of the product for quite a while already, and when introducing Linux support, we added an opt-in method for existing customers to decide at which point in time they would like to enable integration and deployment for their Linux machines. Since then, Defender for Endpoint integration will be enabled for Windows and Linux by default on any new subscription when Defender for Servers is enabled for the first time. However, in case the following three dependencies are true, Defender for Endpoint for Linux integration is not automatically enabled: Your subscription was created earlier than August 2021 In August 2021, your subscription was configured to have Defender for Endpoint integration enabled In August 2021, your subscription had Defender for Servers enabled In this scenario, you will see the opt-in capability in your subscription’s Integrations blade within Defender for Cloud: Enable Defender for Endpoint integration for Linux machines In the figure above, you see there is a second button to enable Defender for Endpoint’s unified solution for Windows Server 2012 R2 and 2016 machines. To learn more about this option, please see this article. We know that in large environments, it might be challenging to find all the subscriptions that don’t have enabled Linux integration with Defender for Endpoint, yet. This is why we are offering several at-scale capabilities to enable the integration in your environment. Enabling Defender for Endpoint integration for Linux on multiple subscriptions In Defender for Cloud’s Overview blade, we are introducing a new Insights campaign that gives you visibility into subscriptions that do not have Defender for Endpoint integration enabled for Linux machines. New insights campaign in Microsoft Defender for Cloud's Overview dashboard You can use this new campaign to directly enable integration for Linux machines from this Overview blade by clicking the Take Action link. Enable Defender for Endpoint integration for Linux machines at scale It will then show you all subscriptions that don’t have integration for Linux machines enabled, including the amount of affected Linux machines in each subscription. You can then select some or all of them and enable the integration at scale. Once done, you can track the deployment progress by clicking the Track Deployment link. Track the Defender for Endpoint deployment across your environment This link will redirect you to a custom workbook that we have published on Github and which you can deploy to your environment. Defender for Endpoint provisioning status The workbook will show you the current deployment status of Defender for Endpoint extensions to your Azure VMs and Azure Arc machines, and if the installation and onboarding was successful, or if it failed. Enable integration via PowerShell A second option we are providing is a PowerShell script that will enable integration for Linux machines on all of your subscriptions. The script will check if Defender for Endpoint integration is enabled at all, and if not, enable it for both, Windows and Linux machines. In case it already is enabled for Windows, Linux integration will be enabled in addition. write-host '#####################################################################################################' -ForegroundColor green write-host '# #' -ForegroundColor green write-host '# This script will enable MDE integration for Linux machines with Microsoft Defender for Cloud. #' -ForegroundColor green write-host '# Please enter your Tenant ID. The script will then configure all subscriptions in this tenant. #' -ForegroundColor green write-host '# #' -ForegroundColor green write-host '# You will be asked if you want to enable MDE integration on all subscriptions, or only those #' -ForegroundColor green write-host '# that already have MDE integration for Windows machines enabled. #' -ForegroundColor green write-host '# #' -ForegroundColor green write-host '#####################################################################################################' -ForegroundColor green write-host '' $tenantId = Read-Host "Enter your Tenant ID" $enableMDE = Read-Host "Do you want to enable MDE integration on all subscriptions (y/n)?" while ("y","n" -notcontains $enableMDE) { $enableMDE = Read-Host "Do you want to enable MDE integration on all subscriptions? Please only enter (y/n)." } $subscriptions = Get-AzSubscription -TenantId $tenantId Foreach ($subscription in $subscriptions){ $context = Set-AzContext -Subscription $subscription.id Write-host -nonewline "Testing subscription " Write-host -nonewline $context.subscription.Name -ForegroundColor Green Write-host -nonewline " with subscription ID " Write-host -nonewline $context.subscription.Id -ForegroundColor Green Write-host "." $test0 = Get-AzSecuritySetting -SettingName WDATP If ($test0.enabled) { $test1 = Get-AzSecuritySetting -SettingName WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW If ($test1.enabled){ Set-AzSecuritySetting -SettingName WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW ` -SettingKind DataExportSettings ` -Enabled $false > $null Write-Host "Enabled MDE integration for Linux machines on subscription" $context.subscription.id } } elseif ($enableMDE -eq "y"){ Set-AzSecuritySetting -SettingName WDATP ` -SettingKind DataExportSettings ` -Enabled $true > $null Write-Host "Enabled MDE integration for all machines on subscription" $context.subscription.id } else { continue } } We have also published the PowerShell script in the Defender for Cloud Github repository. Enable integration via REST API When enabling Defender for Endpoint integration for Linux machines using the Defender for Cloud UI, clicking the button, or using the insights campaign will leverage a REST API call against your subscription(s). You can also use this API call in your own automations, ARM templates, or Azure Policy definitions. To enable Defender for Endpoint integration for Linux machines on a subscription, use the following API call against the microsoft.security/settings REST API provider: Parameter Value REST Method PUT API URI https://management.azure.com/subscriptions//providers/Microsoft.Security/settings/WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW?api-version=2022-05-01 API Version 2022-05-01 JSON Body { "name": "WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW", "type": "Microsoft.Security/settings", "kind": "DataExportSettings", "properties": { "enabled": false } } Conclusion While Defender for Endpoint integration is automatically enabled on new subscriptions, or when enabling Defender for Servers for the first time, you might have subscriptions in your environment that still don’t have the latest integration features enabled. For these subscriptions, you will now get the visibility in Defender for Cloud’s Overview dashboard and can use a variety of automation capabilities to enable Defender for Endpoint integration for Linux machines at scale. Acknowledgements Specials thanks to Gal Fenigshtein for the strong collaboration on this topic and for reviewing this blog. Continue reading...

The Office Insider program is now the Microsoft 365 Insider program, in alignment with the transition from Office to Microsoft 365. This program provides all the info you need to know about preview features for Microsoft 365 products. What has changed? Our name. We’ve updated our name on our website, here on Microsoft Tech Community, and our Twitter handle – you’ll find us @MSFT365Insider on Twitter.  The program purview. You may have noticed that we've been adding topics beyond the traditional Office apps, like Teams and Forms. We will continue to expand our blog to include features, apps, and services under the Microsoft 365 umbrella.  Release notes have moved to Learn.microsoft.com.  An image demonstrating the new homepage of the Microsoft 365 Insider website. How do I sign up to be a Microsoft 365 Insider? Go to our Join page and follow the simple steps! If I was already an Office Insider, do I need to do anything to remain a Microsoft 365 Insider? No, there will be no impact to Insider updates. Apps in Current Channel (Preview) and Beta Channel will continue to receive Insider updates automatically.   Note: Some Microsoft 365 apps may release features through a different preview channel, and we will note that under the Availability section on our blog posts. Unless otherwise noted, Insider updates are delivered through Beta Channel and Current Channel (Preview).  Helpful resources Check out our Microsoft 365 Insider Handbook to find out everything you need to know about being a Microsoft 365 Insider. Continue the conversation in the new Microsoft 365 Insider discussion space! Share best practices, discuss latest trends and stay updated on news and announcements for the Microsoft 365 Insider program. Continue reading...

Microsoft Edge is committed to making your browsing experience convenient and secure. The built-in password manager helps you generate strong passwords, provide password health feedback, and warn you if any of your stored passwords are found in a known online leak. Your passwords are securely stored and can be accessed on all platforms – macOS, Linux, and Windows; iOS and Android using Microsoft Authenticator app; even other browsers using Microsoft Autofill extension. Read more about new password manager capabilities here: New ways to manage your passwords in Microsoft Edge - Microsoft Community Hub Here's how you can import your passwords from third-party password managers. It’s a two-step process. First, you will need to export your passwords to a CSV file. Second, import the CSV file to Microsoft Edge. Note: Exported data files are not encrypted, they are stored in plain text. Anyone with access to your exported data files will be able to read your passwords. Do not email exported data files or store them online. Delete the file immediately after importing passwords and empty Recycle Bin or Trash to be safe. On Windows (and most Linux distros), you can right-click on the Recycle Bin and select “Empty Recycle Bin”. On macOS, long-click on the Trash icon in the dock and select “Empty Trash”. Exporting passwords to a CSV file Avira Go to PWM Dashboard Log in to your Avira Password Manager Click the Settings icon in the left-hand menu Scroll down to the “MY DATA” area and click Export data Click Export CSV to save the file on your system This will download a CSV file Bitwarden Login to your Bitwarden web vault Click Tools in the top navigation bar Select Export Vault and choose CSV file format Enter your master password and click Export Vault This will download a CSV file Dashlane Open the Dashlane web app (Password Manager App for Home, Mobile, Business | Dashlane) and log in to your account Open account settings from the “My Account” button on the left sidebar Select “Export data” from the right sidebar Click on the “Export to CSV”. This will download a CSV file is the selected location LastPass Click the LastPass extension icon in the Address Bar in the browser window → “Export” Enter the master password for the LastPass vault (There may be email verification needed for certain account types as well) This will download a CSV file in the selected location Norton Password Manager Open Norton Password Manager web app Select Settings -> “Export my vault data” Choose Export option from the “Export my vault data” popup Unlock the vault using vault password This will download a CSV file Remove the first two rows from CSV that mention metadata including product version Edit column headers User Name to username Login URL to url True Key Click on the True Key extension on your browser and log in Click the geared wheel which is at the top right corner of the page, and then go to App Settings → Export It should prompt you the export my profile data window, where you need to click Continue Enter your Master Password and click Unlock This will download a CSV file 1Password Instructions for Windows 1Password 8 1Password 8 exports to the 1Password Unencrypted Export (.1pux) format or a comma-separated values (CSV) file. The CSV format supports a limited set of fields and will only export Login and Password items. To export your 1Password data in 1Password 8: Open and unlock 1Password. Click at the top of the sidebar, choose Export, and select the account you want to export. Enter your account password. Choose CSV as export format and click Export Data. Choose where you want to export your 1Password data and click Open. 1Password 7 Open and unlock 1Password. Select the items you want to export. Select multiple items by holding down the Ctrl key when clicking on them. Select all the items by pressing Ctrl + A after clicking one of the items in the list. Right-click the selected item(s) and choose Export. Choose Comma Delimited Text (.csv) Enter a filename and click Save. 1Password 4 Open 1Password and unlock the vault you want to export. Choose File > Export. Choose Comma Delimited Text (.csv) Enter a filename and click Save. Instructions for Mac Open and unlock 1Password. Select the vault you want to export. It’s not possible to export from “All Vaults”, so you’ll need to switch to a specific vault. Choose File > Export > All Items. If you belong to a team account, there may be some vaults where you don’t have the “Export items” permission. Ask your team administrator. Enter your 1Password account password. Choose Comma Delimited Text (.csv) format Click Save. Importing passwords to Microsoft Edge In Microsoft Edge, go to Settings and more > Settings Click "Import Passwords" from Profiles -> Import Browser data -> Import from other password managers Click on Choose file and select the CSV file exported earlier. You should see a confirmation message – “All done! We’ve brought your data over.” Confirm that “Offer to save passwords” is enabled under Settings -> Profiles -> Passwords. This will ensure that your future passwords will be saved to Edge To let Edge save all passwords automatically in future, enable “Automatically save passwords” as well Continue reading...

We are happy to announce the Public Preview of Azure Automation extension to help create and manage runbooks directly from Visual Studio Code. Visual Studio Code is a light weight source code editor which runs on your desktop and is available for Linux, macOS, and Windows. It provides an industry leading creation & editing experience for languages and runtimes like PowerShell, Python etc . This extension offers you features for runbook management operations like editing runbook, triggering a job, tracking recent jobs, linking a schedule , asset management , local debugging etc. ensuring the developers and IT admins can author, debug, edit and manage automation runbooks without leaving the IDE (Visual Studio Code). This extension has been in works for a while and is already used by many Automation customers. It’s now ready for more exposure and usage with some improvements based on feedback as shared by the customers. We’ve built this experience for customers who heavily use the PowerShell ISE for writing runbooks instead of using the built-in browser-based interface for runbook authoring, while working with PowerShell cmdlets and Automation Assets. With a leg up to the current browser-based interface, the extension makes runbook developers more productive and reduces the E2E time for runbook management. Key Features of the extension Supports all the Automation – PowerShell 5, PowerShell 7, Python 2 and Python3 Runbooks. Supports test execution of job, publishing automation Job and triggering job in Azure as well as Hybrid runbook workers. You can execute runbooks locally also. Supports Python positional parameters and PowerShell parameters for job tiggering. Supports linking a Schedule to Runbook and creating webhook. Starting a job through Webhook is simplified. You can manage the Automation Assets – certificates, variables, credentials, and connections. You can perform create, update, and delete operation on the Automation Assets. You can see the recent last 10 jobs by right clicking on the job and select ‘Job Output’ from the menu. You can debug PowerShell scripts locally. You can compare local Runbook to the published or the draft runbook. Some of the key Runbook management operations - Create Runbook – Create a New Runbook in the Automation Account by right clicking on ‘Runbooks’ title node and selecting Create Runbook. Fetch Draft Runbook – Replace the content of the Local Runbook with draft version from the Automation Account by right clicking on the selected Runbook and Select Fetch Draft Runbook. Fetch Published Runbook – Replace the content of Local Runbook with the published version from the Automation Account by right clicking on the selected Runbook and Select Fetch Published Runbook. Open Local – Open the Local Runbook in the Editor by right Clicking on the selected Runbook properties and Select Open Local. Compare Local Runbook - This allows you to compare Local Runbook with the Published or Draft Runbook copy. You can visualize the change in the code side by side between the local runbook copy and the published or draft copy. Upload As Draft – Save a local copy of your Runbook as draft in Automation Account by right clicking on the Runbook properties and Select Upload As Draft. Publish Runbook – Publish the local copy of your Runbook in Automation Account by right clicking on the Runbook properties and selecting Publish Runbook. Delete Runbook – Delete a Runbook from Automation Account by right clicking on the selected Runbook and selecting Delete Runbook. Test Runbook and Jobs - Run Local – Run local version of the automation job by right clicking the Runbook -> Run Local. Run Local in Debug Mode - Run local version of the PowerShell Runbooks in debug mode by allowing you to add breakpoints in the script. This provides support for using internal cmdlets like Get-AutomationVariable also (non-encrypted assets only supported currently). Start Automation Job – Start the automation job by right clicking in the Runbook properties -> Start Automation Job. Start Automation Test Job – Start the automation test job by right clicking in the Runbook properties -> Start Automation Test Job. Job Output – When a job is created, you can track the job output by clicking on Job Output option or you can go to Recent Jobs and right click to select Job Output . It polls the service every 5 seconds to show the job Output. Work with Schedules, Assets and webhook - Link Schedule – You can link a schedule to the runbook by right clicking on the Runbook properties menu and selecting Link Schedule. It supports params and runOn option. Add New Webhook – You can add a webhook to the runbook by right clicking on the Runbook properties menu and selecting Add New Webhook. It supports params and runOn option. 2. You can create, update, or view the properties of Assets - Certificates, Connections, Credentials, Variables. You can also delete assets from the extension. Walkthrough of various extension operations can be found on the Extension Overview in the Visual Studio marketplace. Complete documentation can be found here. Limitation • Creation of new Schedules is not supported. • Adding new Certificate in Assets is not supported. • Uploading Modules (PowerShell & Python Packages) from the extension is not supported. • Currently there is no auto-sync of local runbooks to Azure Automation Account Runbooks. You will have to perform the operation to Fetch or Publish runbook. • For python currently we do not provide any debug options. It should be performed by the user as they do in any python script by installing any debugger extension. We will be addressing these limitations in the future releases. Feedback Do share your review for us to improve the extension! We’ve already heard some great feedback about the extension helping users in the runbook authoring process. We hope you’ll try it out and let us know about your experience so we can continue to refine it. Support for this extension is provided on our GitHub Issue Tracker. You can submit a bug report, a feature suggestion or participate in discussions. Happy automation! Just getting started with Azure Automation? Learn about the service here and follow Azure Automation on Twitter for the latest updates. Continue reading...

Happy Friday, everyone! I hope you all are doing well and staying healthy out there! Here is a look at what’s been going on in the MTC this week… MTC Moments of the Week Over on the blogs this week, @JoshBregman and @Matt_Call announced expanded Microsoft Defender for Endpoint tamper protection to cover antivirus exclusions, a highly requested feature! And good news – you’ll soon be able to keep custom bookable time in Outlook, which you can read more about in @Vikram2011’s latest post. Next week, we are back in the swing of community events with not one but TWO Ask Microsoft Anything’s (AMA’s): Windows 365 for Gov AMA – Tuesday, January 17, 2023, 06:30 AM – 7:30 AM (PST) Microsoft Loop AMA - Tuesday, January 17, 2023, 09:00 AM - 10:00 AM (PST) So, mark your calendars and bring your questions, and we’ll see you there! And since I forgot to update the Member of the Week widget last week (my brain just totally blanked on that one!), I'll allow last week's MotW Robert to hold that spot and get some time to shine before choosing a new one next week! Unanswered Questions - Can you help them out? Every week, users come to the MTC seeking guidance or technical support for their Microsoft solutions, and we want to help highlight a few of these each week in the hopes of getting these questions answered by our amazing community! In the Excel forum, @Denis675 is working with multiple linked workbooks and is looking for help figuring out why the relative file links are being changed to absolute links when copying the workbooks to another drive. Meanwhile, over in the Intune forum, @Stefan Kießig is seeking help managing user rights when registering a device in the Company Portal of Endpoint Manager. Have any ideas to help them out? Upcoming Events - Mark Your Calendars! Microsoft Entra Permissions Management AMA - January 30, 2023, 09:00 AM - 10:00 AM (PST) Windows Server AMA: Developing Hybrid Cloud and Azure Skills for Windows Server Professionals - January 31, 2023, 09:00 AM - 10:00 AM (PST) -------- And lastly, for your fun fact of the week… Did you know that "strengths" is the longest word in the English language with only one vowel? Yep - nine letters, eight of them consonants. The more you know! And with that, have a wonderful weekend, everyone! Continue reading...

Microsoft 365 Defender Monthly news January 2023 Edition [attachment=29901:name] This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this January edition, we are looking at all the goodness from December 2022. NEW: At the end we now include a list of the latest threat analytics reports, as well as other Microsoft security blogs for you. Legend: [attachment=29902:name] Product videos [attachment=29903:name] Webcast (recordings) [attachment=29904:name] Docs on Microsoft [attachment=29905:name] Blogs on Microsoft [attachment=29906:name] GitHub [attachment=29907:name] External [attachment=29908:name] Product improvements [attachment=29909:name] Previews / Announcements Microsoft 365 Defender [attachment=29910:name] Optimize your hunting performance with the new query resources report. Visibility into how query resources are being used across the SOC team is critical to optimize performance, ensure queries are executed efficiently, and allow team to operate in the most effective way possible. The new query resources report now enables you to view how hunting resources are consumed in your organization and provides insights into your consumption of CPU resources for hunting activities. [attachment=29911:name] Use Microsoft 365 Defender role-based access control (RBAC) to centrally manage user permissions. The new Microsoft 365 Defender role-based access control (RBAC) capability, currently in public preview, enables customers to centrally control permissions across different security solutions within one single system with greater efficiency and consistency. More information on docs: Microsoft 365 Defender role-based access control (RBAC). [attachment=29912:name] What was your 2022 like? See some cool year highlights with Defender boxed! Defender Boxed shows you your year highlights in numbers. Just go to your incidents queue and clicks on the Defender Boxed icon (top right of the page). Microsoft Defender for Cloud Apps [attachment=29913:name] Protecting apps that use non-standard ports with Microsoft Defender for Cloud Apps. We are happy to announce that applications that use ports other than 443 can now be protected in real-time using Defender for Cloud Apps. [attachment=29914:name] Azure AD identity protection. Azure AD identity protection alerts will arrive directly to Microsoft 365 Defender. The Microsoft Defender for Cloud Apps policies won't affect the alerts in the Microsoft 365 Defender portal. Azure AD identity protection policies will be removed gradually from the cloud apps policies list in the Microsoft 365 Defender portal. To configure alerts from these policies, see Configure Azure AD IP alert service. Microsoft Defender for Endpoint [attachment=29915:name] Microsoft Defender for Endpoint Device control Removable storage access control updates. 1. Released Microsoft Endpoint Manager UX support for Removable storage access control. 2. The Default Enforcement policy of Removable storage access control is design for all Device control features, recently we released Printer Protection, so this policy will cover printer as well. If you create Default Deny policy, and now printer will be blocked in your organization. - Intune: ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement, documentation here. - Group policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement, documentation here. Use Microsoft Defender for Endpoint Device control New Printer Protection solution to manage printers. [attachment=29916:name] Disconnected environments, proxies and Microsoft Defender for Endpoint. In this blog, Brian Badock provides recommendations and guidance for those looking to deploy Microsoft Defender for Endpoint in disconnected or air-gapped environments. [attachment=29917:name] Live Response is now generally available for macOS and Linux. For more information, see: Investigate entities on devices using live response. [attachment=29918:name] Linux isolation in public preview. For more information, see: Take response actions on a device in Microsoft Defender for Endpoint. Microsoft Defender for Identity [attachment=29919:name] Defender for Identity data centers are now also deployed in the Australia East region. For the most current list of regional deployment, see Defender for Identity components. Microsoft Defender for Office 365 [attachment=29920:name] Meet Microsoft’s Most Valuable Professional Security experts in this Security MVP Spotlight! Or check out on how you can get started as a Security MVP. [attachment=29921:name] The new Microsoft 365 Defender role-based access control (RBAC) model, with support for Microsoft Defender for Office, is now available in public preview. For more information, see Microsoft 365 Defender role-based access control (RBAC). [attachment=29922:name] Use the built-in Report button in Outlook on the web: Use the built-in Report button in Outlook on the web to report messages as phish, junk, and not junk. Microsoft Defender Vulnerability Management [attachment=29923:name] Leverage advanced hunting to better understand your discovered devices. In this blog post, we will show a few queries you can use to address various use cases to find devices as well as the ability to create custom alerts in your network. [attachment=29924:name] Vulnerability assessment of apps on iOS devices is now generally available. To configure the feature, read the documentation. Microsoft 365 Defender Threat Analytics Reports Actor profile: China-based DEV-0401, lone wolf turned LockBit 2.0 affiliate. The threat actor that Microsoft tracks as DEV-0401 (also known as Bronze Starlight and Emperor Dragonfly) is a China-based cybercriminal group that’s been active since at least July 2021. It is an opportunistic threat actor, relying on unpatched vulnerabilities to gain elevated credentials and obtain initial access. IRIDIUM uses TOR hidden services on targets for persistence and evasion. Microsoft has identified a post-compromise persistence mechanism attributed to IRIDIUM that involves installing TOR hidden services on target devices for persistent access and network boundary protection evasion. This activity is being tracked as ShadowLink. Threat Insights: Microsoft signed drivers being used maliciously. Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. DEV-0882 exploits web-facing assets to deploy Play ransomware. Microsoft has observed deployments of a ransomware family self-identified as “Play” beginning in August 2022. Based on visibility to date, Microsoft has attributed all Play ransomware deployments to an actor we track as DEV-0882. DEV-0846 offers “Royal” successor to Conti ransomware. Microsoft has identified the DEV-0846 threat group as the likely developer and initial deployer of Royal, a new ransomware offering that launched in September 2022. DEV-0867 provides Caffeine phishing as a service platform. Microsoft has identified DEV-0867 as the actor behind the Caffeine phishing as a service (PhaaS) platform. Microsoft Security blogs DEV-0139 launches targeted attacks against the cryptocurrency industry. Microsoft identified an attack that targeted crypto investment companies and took advantage of Telegram cryptocurrencies groups to identify the targets. Mitigate threats with the new threat matrix for Kubernetes. Third update to the threat matrix for Kubernetes. IIS modules: The evolution of web shells and how to detect them. MCCrash: Cross-platform DDoS botnet targets private Minecraft servers. Botnet propagating through SSH bruteforce, utilizing both Windows and IoT devices with goal of DDoS Minecraft private servers Gatekeeper’s Achilles heel: Unearthing a macOS vulnerability. Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by the Gatekeeper security mechanism. Microsoft research uncovers new Zerobot capabilities. The Microsoft Defender for IoT research team details information on the recent version of a Go-based botnet, known as Zerobot, that spreads primarily through IoT and web-application vulnerabilities. Continue reading...

Protecting sensitive content is a top priority for security and compliance administrators across all organizations. With Microsoft Purview Information Protection, you have the ability to track and regulate user access to content with sensitivity labels. However, with the accelerated adoption of apps and the evolution of our threat landscape, administrators need to ensure that the same protection of the sensitivity content available to users is also available to the apps running in their organization. We wanted to share more details around the recent feature rollout for insights and remediation for sensitive content identified by Microsoft Purview Information Protection labels in the Microsoft Defender for Cloud Apps add-on, App governance. Enterprise admins now have visibility into the workloads that these apps access and whether they access sensitive data in these workloads. With predefined and custom policies, admins are alerted about apps that have attempted to access sensitive data. Moreover, App governance can automatically deactivate noncompliant apps. App governance provides additional app-specific context for allowing or disallowing access to sensitive data. It provides security administrators with more insights into related app activity and the ability to automatically regulate apps.   Overview of the insights and remediation for sensitive content feature: Insights about data access on Microsoft 365: We provide insights on how much content—sensitive or not—is being accessed through 3rd-party and line-of-business (LOB) OAuth apps on SharePoint (sites, files), OneDrive, Exchange Online, and Teams.        Insights on sensitive content: We provide insights on OAuth apps that access various types of sensitive data as identified by Information Protection sensitivity labels on SharePoint (sites, files), OneDrive, Exchange Online, and Teams.      Policies for monitoring & auto-remediation: We added a new policy condition to flag apps that access sensitive data. This new condition can be combined to track access to sensitive data by apps with other risky attributes. Security admins can choose to configure policies so that apps are automatically deactivated based on their risk tolerance.   Integration with Secure Score: We released a predefined policy that security admins can use to quickly boost their visibility and control over noncompliant apps accessing sensitive data. With a corresponding Secure Score recommendation, security admins can harden their security posture with the right policy. As organizations continue to implement new capabilities for SaaS app protection, it is critical to maintain a strong data loss prevention strategy. With the app governance insights and remediation for sensitive content feature, companies will be able to get deeper protection for apps accessing data on behalf of another application. Get Started App governance is an add-on feature for Microsoft Defender for Cloud Apps. To get started with app governance, visit our quick start guide. To learn more about app governance, visit our documentation. To launch the app governance portal in Microsoft 365 Defender, visit  Sign in to your account. Continue reading...

see the latest features and fixes in Excel: Skip Blanks: Avoid pasting blank cells over existing data > with Excel Skip Blanks feature. Nov 9, 2022 Add Sheets Macro: adds new worksheet automatically with Macro > adds new worksheet automatically , Nov 1, 2022 Copy & Paste Problems: fix multiple selections error, or formulas changed to values > fix Excel copy & paste problems Dec 27, 2022. Contextures Blog: planners, Advent calendars, Christmas trees, personalized messages > Excel for the holidays , Nov 17, 2022. Pivot Table Blog: Compare years with > pivot table conditional formatting ,Nov 9, 2022. Contextures Blog: Go to the Help tab and click Feedback So have you ever > sent Microsoft a smile or frown in Excel? Nov 3, 2022. UserForm Search: Add new records, or find existing records, and view, edit or delete them in a worksheet table > Excel UserForm to search transaction records ,Sept 28, 2022 Contextures Blog: Before you click remove all button for excel subtotal feature, be prepared -- there's no Undo! > click Remove All button for Excel Subtotal , Sept 22, 2022 Count Blanks: using pivot table count blanks > pivot table, see how to count blanks , Sept 13, 2022 Contextures Blog: How to fix an excel error messages > fixed an Excel error message ,Sept 8, 2022 Contextures Blog: This shortcut might help, or try a workaround > Problems pasting into filtered Excel list?. Aug 25, 2022 Pivot Table Blog: Date filters in Excel pivot tables > try these 3 different types. Aug 3, 2022 Contextures Blog: how to use wildcards with criteria for a flexible averageIf formula in Excel > use wildcards with criteria for a flexible AVERAGEIF , July 28, 2022 Date Grouping: how to turn off automatic date grouping for Excel Pivot Tables and AutoFilters > turn off automatic date grouping , July 18, 2022 Line Breaks: Find and remove line breaks > add line breaks in Excel cells and formulas , July 13, 2022 Pivot Table Blog: feature in Excel pivot table > check sales progress with % Running Total , July 6, 2022 Contextures Blog: with 1 formula instead of 48672! > make country flags in Excel 365, June 30, 2022 Compare Lists: Compare two excel lists, to find a new items in second list, and add them to first list > Compare two Excel lists, to find new items , June 20, 2022 Pivot Table Blog: Quick and easy steps to > make a clustered stacked pivot chart ,June 8, 2022 Contextures Blog: Find Product Price for quantity ordered > find product price with Excel VLOOKUP and MATCH, June 16, 2022 Status Bar Tips: get key information for macros, show custom messages with macro progress updates > Excel Status Bar info to troubleshoot problems, June 8, 2022 Debra D Blog: Use bookmarks and shortcut keys for > quick navigation in Notepad++ file. June 6, 2022 Contextures Blog: using Excel 365 spill functions with Excel formulas > count duplicate number sets , June 2, 2022 Debra D Blog: Fix mouse double click problem with > fix mouse double click problem in Microsoft Access, May 30, 2022 Contextures Blog: Change chart setting manually or with macro > show hidden data in Excel chart or Excel sparklines , May 19, 2022 Basic UserForm - with text boxes for data entry > how to make basic Excel UserForm . May 16, 2022 Pivot Table Blog: fix the problem with > pivot table show duplicate numbers? May 11, 2022 FILTER Function Reports: create multi-column > summary reports, using Excel FILTER Function , May 7, 2022 Contextures Blog: Take a break from your work > use Excel to stream web radio. May 5, 2022 Debra D Blog: with Video Editor in Microsoft Photos program > fix avi format videos that have audio and black screen, Apr 24, 2022 Contextures Blog: warning if Excel worksheet > sheet has hidden rows or columns, Apr 21, 2022 Compare Cells: Find exact match, or partial match and percentage with > compare cell values in Excel. Apr 12, 2022 Pivot Table Blog: Help Excel by preventing automatic updates > pivot table macros run faster . Apr 6, 2022 Excel Charts: Change chart setting manually or with macro > show hidden data in Excel chart or Excel sparklines. Mar 15, 2022 Highlight Weekends: with conditional formatting. Fix rule settings to avoid problems > highlight weekend data in Excel pivot table . Mar 2, 2022 Excel Printing: check filter settings before printing > Excel report diagnostic display , Jan 27, 2022 Working Days: How to calculate project dates or upcoming workdays in Excel > with WORKDAY function and WORKDAY.INTL function. Jan 17, 2022 Cluster Stack Pivot Chart: from a pivot table. Use named Excel table or see how to unpivot data with Power Query > Cluster Stack Pivot Chart . Sept 27, 2021 Remove Duplicates: Fix problem when duplicates numbers not all removed > remove duplicate items from Excel list. Sept 16, 2021 Conditional Formatting: Fix excel manual, or macro clean up conditional formatting problems when extra rules . Sept 9, 2021 Continue reading...

The Automate tab is growing beyond your web browser and onto your desktop! Starting today, the Automate tab is now available for all eligible users in Excel for Windows and Mac. Previously, this tab was only available in Excel on the web. With this new tab, create and modify scripts that automate your repetitive tasks using Office Scripts. Enhance your workbook by connecting popular applications like Microsoft Teams or SharePoint to build workflows with Power Automate. Combine these productivity technologies to have Power Automate schedule your Office Script. This tab represents the first stage of uniting automation solutions across platforms. We’re eager to hear your feedback! How it works Here‘s how to view and run scripts. Open any workbook in Excel for Windows or for Mac and select the Automate tab.  Select a script from the gallery or from the All Scripts task pane.  Click the Run button on the script’s detail page to run the script.   Here’s how to make a new script.  Open any workbook in Excel for Windows or for Mac and navigate to the Automate tab. All the scripts in your workbook are available, as well as our samples. Make your own script by selecting the New Script button.  To modify an existing script, select Edit on the script’s details page, or select the pencil icon by hovering over any script in the All Scripts task pane. Follow these steps to connect your automations to other applications. In Excel on the web, for Windows, or for Mac, open an Excel workbook.  Select Automate > Automate a Task.  Select the template you want to use.  Sign in, provide the required information, and then select the Create button.  Learn more Want to get started with streamlining repetitive tasks? Check out our documentation below: Take a tutorial on reading workbook data with Office Scripts in Excel Learn how to call scripts from a manual Power Automate flow Explore how to get started with Power Automate Share your feedback   We'd love to hear your feedback as you try out our feature! Give us feedback through the Feedback button located in the Help tab. Include the phrase "Office Scripts" or “Power Automate” to ensure the feedback gets properly routed to our team!  Continue reading...

Outlook allows you to send and receive email messages, manage your calendar, store names and numbers of your contacts, and track your tasks. However, even if you use Outlook every day, you might not know some of the cool things it can do to help you be more productive. Open multiple Outlook Windows Have you ever wanted to quickly go back and forth between your inbox and your calendar or view them side-by-side? Switching between Email, People, Calendar, Tasks, Notes, Folders, Shortcuts, and Add-ins is simple. Select the appropriate button on the navigation pane. If you want to open any of those options in a new Outlook window, right-click the buttons rather than clicking or selecting them. Select Open in New Window. @Mentions Have you ever sent an email to a dozen coworkers, but only needed an answer from two of them? You might have used text effects like bold and underline and bright font colors to highlight their names. Now, you have another option. Type @ followed by their name, and several things happen. Their name is automatically added to the To line of the email message. Their name is highlighted in the message body. When they receive the message in their inbox, they'll see the @ symbol in the message list, indicating they're mentioned by name. Did you forget to attach a file? Outlook can't remind you about a task you never entered or an appointment you forgot to write down, but it can prevent you from sending an email without an attachment. If you compose a new email and type the words attachment or attached, then try to send the email without including an attachment, Outlook will remind you that you may have forgotten to attach a file. You can halt the sending process, attach your file, and then send your message. For more cool attachment features, see Attach files or insert pictures in Outlook email messages. Never miss a flight again If you receive flight, hotel, or rental car reservations by email, Outlook will automatically add those to your calendar along with much of the associated information like your confirmation or tracking numbers, and even links. Unfortunately, Outlook can't yet calculate travel time to the airport, so be sure to check traffic before you leave. Learn how to automatically add travel and package delivery events to your calendar. Stay focused and ignore that conversation. Have you ever found yourself on an email thread you want to ignore? If you work for a large company, someone might add you to a distribution list without your knowledge. For a humorous (and somewhat painful) anecdote about Microsoft's own experience with this situation, see the Exchange Team Blog. Rather than delete every single message in the thread as they arrive, you can Ignore the entire conversation. All messages in the conversation will be moved to the Deleted Items folder and future messages in that conversation will bypass your Inbox entirely and go right to the Deleted Items folder. Want to know more? See ignore all email messages in a conversation. Don't worry about missing an important message Perhaps you're waiting for a job offer or a concert pre-sale code, or a legal brief from your boss. Yet, you also have work to do that doesn't involve staring at your Outlook message list for hours on end. Use Outlook's new item alerts to tell you whenever an incoming message meets specific criteria. This alert will display over any other application you're working on so you never miss that message. For more information on message alerts, see Turn new message alert pop-up on or off. Clean up a folder! Do you have multiple threads in your Inbox with dozens or even hundreds of messages in them? Chances are a lot of those messages are near duplicates of one another. You've read them, you've responded to them, but you've never deleted them. You can use the Clean Up button to delete many of these messages, leaving only the messages that are unread or have unique information in them. Try it and see how much closer you get to Inbox Zero. See folder and conversation clean up for more information. Do you have a tip to share? One of the coolest things about Outlook is how much it can do. From managing your contacts to creating and assigning tasks, to printing beautiful mailing labels, and managing your digital schedule, Outlook can do it all. We're pretty sure you have your own tips and tricks to share with us and the rest of the world. Leave us a comment with your pick for the coolest thing Outlook can do. If you want to open any of those options in a new Outlook window, right-click the buttons rather than clicking or selecting them. Select Open in New Window. Continue reading...

Surface was created 10 years ago to reimagine how we work, how we connect and how we create – to empower more. As we celebrate a decade of innovation, we reflect on our top 10 notable features, initiatives and core principles that defined Surface and transformed organizations. 1. Category-defining form factors Surface became known for its industry-leading design innovation, starting with the 2-in-1 Surface Pro. We continue to create groundbreaking new form factors, including Surface Laptop Studio with full work flexibility; the 28" Surface Studio, enabling your best creative work; Surface Laptop, our most loved device; Surface Go and Surface Laptop Go, our lightest devices for productivity and ease of use; and Surface Hub 2S, a collaborative canvas and meetings device certified for Microsoft Teams. 2. Sustainability At Microsoft, we aim to align our customers' needs with our planet's. We’re taking massive strides to be Carbon Neutral by 2030,1 and Surface is doing its part. From recyclable packaging and thoughtful material sourcing to building products from ocean plastics, we continue to help build a more sustainable future. 3. Enabling hybrid work Our industry-specific solutions have helped many organizations be more productive and develop new ways of tackling age-old problems. Our Surface lineup of devices is built for different use cases, so whether you are a large enterprise or a small company, we have a device designed for your needs. With internet connectivity on the go, Surface has made work possible however and wherever you choose. 4. Experiences built for IT For years, we have partnered with teams across Microsoft to upend the costly process of deploying devices. Now organizations can quickly distribute thousands of devices to their users via Windows Autopilot. We continue to bring advanced management capabilities with features like the Surface Management Portal and Device Firmware Configuration Interface 2 (DFCI), which lets IT remotely manage hardware components from the cloud. 5. Artificial intelligence and smarter collaboration On Surface Pro 9 with 5G, cameras have automatic framing to improve your meeting experience by always keeping you in focus. Look and sound your best with advanced Surface hardware and AI in Windows and Microsoft Teams. Surface Hub transformed many organizations by redefining what a hybrid meeting experience would look like years ago. A deeper partnership with our colleagues in Teams, Microsoft 365 and other groups across Microsoft enables better collaboration whether people work onsite or remotely. 6. Industry-leading security Every layer of Surface, from chip to cloud, is maintained by Microsoft, giving you ultimate control, proactive protection, and peace of mind wherever and however work gets done. We built our own UEFI firmware with deep partnerships across Microsoft to elevate security and manage critical firmware updates. We continue to innovate and bring advanced security to protect your devices, so you can focus on what matters most. 7. Building products for everyone We understand that true accessibility means finding a solution to optimize working conditions for everyone. The Microsoft adaptive accessories are a highly adaptable, easy-to-use system that lets you customize your own mouse, keyboard inputs, and shortcuts—empowering you to create your ideal setup, increase productivity, and use your favorite apps more effectively.  Check out more information about our broader hardware accessibility efforts. 8. Quality by design Every generation of Surface devices undergoes rigorous testing procedures. We even built the world's quietest room to test our products to give you an elevated level of quality. Every design concept is tested relentlessly against ideas, materials, and components to create innovative, quality-rich form factors. 9. Inking Surface Pen provides a natural way of interacting with our touchscreen devices. Over the years, we have continued to push boundaries to give you the best inking experience – to re-create the feeling of pen on paper to let your ideas flow naturally. For example, Surface Slim Pen 23 is always charged and within reach, with storage and wireless charging built right into Surface Pro Signature Keyboard. 4 10. Powered by Windows From the beginning, we created Surface to be the device where the best of Microsoft comes together, powered by Microsoft. With Windows 11, the hardware and software symphony is even more evident. All the software experiences are designed to show up best on Surface devices powered by Windows. References 1. See 2021 Environmental Sustainability Report 2. Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI. Find out more about managing Surface UEFI settings and Surface devices on which DFCI is enabled. 3. Surface Slim Pen 2 sold separately. 4. Pen storage and charging available on select keyboards. Continue reading...

Welcome to the December 2022 update. We are excited to announce the release of Formula Suggestions and Formula by Example for Excel web users - a couple exciting capabilities designed to help save you time and learn more about Excel formulas as you use them. Also for web users are suggested links, IMAGE function, and a new search bar in the queries pane. For Windows users, a new keyboard shortcut is available to open the Power Query editor, and Insiders users on Windows can now get data from dynamic arrays and create nested Power Query data types to better organize your data. Curious to see how we at Excel utilize and implement your feedback? You can now see which features are a direct result of your feedback as they'll be marked with the Feedback In Action tile #FIA. Check out this Excel Features Flyer to find if a specific feature is in your version of Excel Excel for the web: Formula Suggestions Formula by Example Suggested Links Add search bar in queries pane IMAGE Function Excel for Windows: Add keyboard shortcut to open the Power Query editor #FIA Create nested Power Query data types (Insiders) #FIA Add Get Data from Dynamic Arrays (Insiders) #FIA IMAGE Function Excel for Mac: IMAGE Function Excel for the web Formula Suggestions After you type the “=” sign in a cell or the formula bar, Excel will auto-suggest the best formula based on contextual insights from your data. Formulas that can be suggested are SUM, AVERAGE, COUNT, COUNTA, MIN, and MAX. There is currently only support for the English language. This feature is rolling out to production for web users. Formula by Example As you are performing manual and repetitive data entry in a column, Excel will now suggest you to fill the entire column with a formula in case we identify a pattern. This is similar to Flash Fill, however, instead of static text - now formulas can be suggested. Suggested Links Suggested Links allow for new cloud workbook storing for data that detects when an external link to a Cloud workbook is broken and suggests you a new location to fix the broken link. This feature is currently rolling out to Production. Add search bar in queries pane Easily find your queries within the Queries search pane. Search bar in queries pane IMAGE Function The IMAGE function inserts images into cells from a source location, along with the alternative text. Your images can now be part of the worksheet, instead of floating on top. You can move and resize cells, sort, and filter, and work with images within an Excel table. Read more > IMAGE Function Excel for Windows #FIA Add keyboard shortcut to open the Power Query editor Press Alt + F12 (Win32) or Option + F12 (Mac) to open the Power Query Editor quickly. #FIA Create nested Power Query data types (Insiders) Organize your data even better, by creating nested data types (Power Query Data Types with multiple levels). This feature is currently rolling out to Insiders users for Windows. Create nested Power Query data types #FIA Add Get Data from Dynamic Arrays (Insiders) Get Data from Table/Range now supports importing data from Dynamic Arrays – so you can load them into Power Query and transform your data. This feature is currently rolling out to Windows Production. IMAGE Function The IMAGE function inserts images into cells from a source location, along with the alternative text. Your images can now be part of the worksheet, instead of floating on top. You can move and resize cells, sort, and filter, and work with images within an Excel table. The IMAGE function is rolling out to Current Channel users now. Read more > IMAGE Function Excel for Mac IMAGE Function The IMAGE function inserts images into cells from a source location, along with the alternative text. Your images can now be part of the worksheet, instead of floating on top. You can move and resize cells, sort, and filter, and work with images within an Excel table. This function is currently rolling out to Mac users now. Read more > IMAGE Function Check if a specific feature is in your version of Excel Click here to open in a new browser tab Your feedback helps shape the future of Excel. Please let us know how you like a particular feature and what we can improve upon—send us a smile or frown.  You can also submit new ideas or vote for other ideas via Microsoft Feedback. Subscribe to our Excel Blog and the Insiders Blog to get the latest updates. Stay connected with us and other Excel fans around the world – join our Excel Community and follow us on Twitter.  Continue reading...

With security becoming important than ever before, it’s come to our attention that some security champions have been valiantly defending not only their realm, but also assisting others in the tactics of defense and stopping attackers from getting to the crown jewels. At Microsoft Security, we are looking to get them the recognition they deserve, starting with an MVP award! What’s the MVP award? The MVP award is a statement of your dedication to the community, a thanks from Microsoft, and comes with benefits like invitations to exclusive Microsoft events, subscriptions with early access to products and direct communication channels with the product group. For instance, within Microsoft 365 Defender Security group, we have a dedicated private channel for MVPs to directly engage with Product Group experts and other fellow Security MVPs. There are many Award Categories with a number of Contribution Areas focused on Developer and IT Pro products and services. Sounds amazing, how do I become an MVP? The MVP award is given to the brightest and best community leaders for sharing their passion and technical knowledge for the benefit of others. Nomination referrals are submitted by current MVPs or a Microsoft Full Time Employee (FTE). To be nominated, your efforts have to be noticed, so today we will cover some of the common pathways and stories of our MVPs to help you on your journey! Picture 1: Microsoft Intelligence Security Association (MISA) Summit 2022 with Most Valuable Professionals (MVPs) Picture 2: Most Valuable Professionals (MVPs) at Workplace Ninja Summit 2022 You can also read what it takes to be an MVP to get more insights and advice. How do I contribute to the Security award category? For the new Security award category, we are always welcoming experts helping the community in the following contribution areas: Cloud Security Identity & Access SIEM & XDR Putting it all together, with some examples: So, let's say you'd like to be a Security MVP, you're focused on one of the key areas we are taking nominations for, and you have a passion for helping others in the community. Some of the things we are seeking are, but not limited to: Being a technical expert - We've already covered that deep technical knowledge is key, but did you consider that if you're new to a product, your journey of discovery and learning would be hugely beneficial to others in the same position? You have a unique perspective which would be of great use to others in the same position, just like someone who has been working with a product for years will have more advanced knowledge and tips equally as valuable to those in a similar position. Active in the community - You don't need to have a super blog to be a community champion, things like the Tech Community (for example: Microsoft Defender for Office 365 - Microsoft Community Hub) give you a place to share ideas, help others with problems and connect with Microsoft product teams, you may find your community uses a mailing list, or LinkedIn group. - essentially where you find your fellow community members, that's a great place to help. Content creation - Videos on sites like YouTube benefit the people who like to learn by seeing, blogs and contributions to Microsoft Docs via GitHub can help those who prefer reading, speaking at events or running workshops can assist those who would prefer to listen or get hands on. - Did the advanced hunting query you had during the most recent migration really make the difference? - share it with the community. And don't forget to signpost others to useful content you found yourself on your journey. So, as you can see, there really is a wealth of ways you can help others, show off your expertise & get noticed. Never be afraid to step outside the box, think differently & if you struggled to understand something, or find an answer you needed, chances are there are others in the same boat, and you could be the person who really helps them be successful. Submit this form if you’re an active contributor within the Security realm or would like to start at it, and we can point you in the right direction to getting your knighthood (MVP award)! Hear from some of our existing Security MVPs Check out this amazing upcoming episode on the Virtual Ninja Training Show to hear experiences from some of the Security MVPs. (The recording will be available post-event at aka.ms/ninjashow) See examples of some global events from 2022 where MVPs were involved: Microsoft MVP & RD Global Summit Microsoft Ignite Microsoft 365 Virtual Marathon India Cloud Security Summit Workplace Ninja Summit Experts Live Midwest Management Summit Identity Days (Cybersecurity on identity and access management) Thanks for reading, we look forward to seeing your contributions! Continue reading...

Microsoft Dynamics 365 is a cloud based, next generation business application. It provides an analytical method of keeping track of the customers' needs, records, transactions, behaviors and/or trends, etc... Microsoft Dynamics 365 combines two separate systems known as Dynamics AX (ERP - Enterprise Resource Planning) and Dynamics CRM (CRM - Customer Relationship Management). Because its Cloud based, changes are tracked and stored in the same place. Microsoft Dynamics 365 is a leading CRM solution in the Charity and Non-profit sector. It helps boost and track fundraising efforts, increase volunteer engagement and keep all efforts organized and trackable by making all things visible via dashboards. These analytical tools/dashboards allow the organization to track inventory, orders, deliveries and shipping status. This application allows integration with other Microsoft business applications such as: Office 365, Outlook and/or Azure. Non-profits are responsible for keeping track of and reporting numerous amounts of data to Stakeholders, Board Members, Volunteers, Donors and interested parties and Dynamics 365 CRM provides the Database to bring these various departments together. It also has Grant Management and tracking which can automate reminders for Submissions and/or Renewals. Donor tracking provides a method of Acknowledging gifts via email notification while keeping track of progress. All of these features are protected using General Data Protection Regulations (GDPR). Data is encrypted and uses rigorous standards set by the Microsoft Security Assurance Team to protect data. GDPR ensures regular data backups to protect the Organization from disastrous Data Loss. Dynamics 365 on Microsoft Learn Continue reading...

Today, Microsoft Intune enables organizations to enroll Android devices into Azure Active Directory shared-device mode, so they can provide sharable mobile devices to their frontline workers. With shared-device mode, frontline workers have a simpler authentication experience, because they only need to sign-in and sign-out once whenever they use a shared device. For organizations using Intune, in addition to Microsoft Teams and Managed Home Screen, we are excited to announce that the ability for administrators to manage the Microsoft Edge and Yammer apps on Android devices is now in public preview in Intune. At the start of their shifts, after signing into a shared device, frontline workers can use Microsoft Edge to look up answers they need to do their jobs efficiently – whether that is the shipping status of items to be delivered or answers to technical questions to resolve customers issues. With Yammer, frontline workers can easily receive communications from leadership, get information on company mission and strategic priorities, and connect with communities that fit their interests. When used with Intune's Managed Home Screen, administrators can also create a streamlined sign-in experience for both Microsoft Edge and Yammer, so frontline workers always know how to get started with their day. At the end of their shifts, frontline workers can easily sign-out by selecting the sign-out button in any of their apps. This will remove any personal information from the apps that support the feature, so a worker can return the device for the next person to use. When administrators apply application protection policies from Intune, they can provide additional data protection so other apps do not leave data behind. For more information on shared device mode, read the Azure Active Directory shared device mode documentation. For steps to setup shared device mode with Intune, read the Intune setup blog. For further guidance on deploying frontline solutions, read the frontline deployment documentation. Continue reading...

We are pleased to announce the security review for Microsoft Edge, version 108! We have reviewed the new settings in Microsoft Edge version 108 and determined that there are no additional security settings that require enforcement, however there is one setting that attention should be given to. The Microsoft Edge version 107 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. TLS Encrypted ClientHello Enabled (Consider) An interesting setting Admin’s may wish to consider, particularly if using Windows Defender Network Protection or similar security software. TLS Encryped ClientHello (ECH) Enabled is a privacy-improving feature that combats one of the shortcomings of HTTPS – namely, TLS does not hide from a network observer the target hostname to which the browser is connecting. This means that your company or ISP network administrator (or anyone who can spy on network traffic) can see the hostname of the site to which your browser is connecting, which has privacy implications. ECH hides the hostname so that a network observer can only see the target IP address of browser traffic, but not which specific site at that IP is being requested. The reason that this feature has a security impact is that some security software may be spying upon your network requests and blocking requests to specific sites based on the site’s hostname. As a specific example, the Windows Defender Network Protection feature relies upon looking at the Server Name Indication (SNI) within the ClientHello to decide whether to block traffic to sites on the “known malicious” list or the customer’s custom blocklist. If the ClientHello is encrypted by the browser’s new ECH, this Network Protection feature (and similar features in other security software) will not be able to read the SNI, and thus will not be able to block the traffic. For Microsoft Edge specifically, there’s a subtlety around the interaction of ECH and Network Protection. Machine installed channels of Edge (Stable/Beta) are exempted from Network Protection (in favor of Microsoft Defender SmartScreen), so the implications of this policy on Microsoft Edge are really limited to Edge Canary OR users of non-Microsoft Defender security products. But IT departments using Network Protection in Google Chrome really should set the equivalent policy. Microsoft Edge version 108 introduced 4 new computer settings and 4 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them. As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here. Please continue to give us feedback through the Security Baselines Discussion site or this post. Continue reading...

Microsoft 365 Defender Monthly news November 2022 [attachment=27371:name] This is our monthly "What's new" blog post, summarizing product updates and various assets we have across our Defender products. Legend: [attachment=27372:name] Product videos [attachment=27373:name] Webcast (recordings) [attachment=27374:name] Docs on Microsoft [attachment=27375:name] Blogs on Microsoft [attachment=27376:name] GitHub [attachment=27377:name] External [attachment=27378:name] Product improvements [attachment=27379:name] Previews / Announcements Microsoft 365 Defender [attachment=27380:name] Investigate incidents more effectively with the new attack story view in Microsoft 365 Defender. [attachment=27381:name] Identity Protection alerts are now available in Microsoft 365 Defender. [attachment=27382:name] (Preview) Microsoft Defender Experts for XDR (Defender Experts for XDR) is now available for preview. Defender Experts for XDR is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft 365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD). For details, refer to Expanded Microsoft Defender Experts for XDR preview. [attachment=27383:name] DEV-0569 finds new ways to deliver Royal ransomware, various payloads. DEV-0569’s recent activity shows their reliance on malvertising and phishing in delivering malicious payloads. The group’s changes and updates in delivery and payload led to distribution of info stealers and Royal ransomware. [attachment=27384:name] Vulnerable SDK components lead to supply chain risks in IoT and OT environments. Researchers investigated an electrical grid intrusion that may have used common IoT devices to gain a foothold into the OT network and found a web server component that although discontinued since 2005, is still implemented and prevalent in many IoT devices [attachment=27385:name] Query resource report in advanced hunting (public preview). The query resources report shows your organization's consumption of CPU resources for hunting based on queries that ran in the last 30 days using any of the hunting interfaces. This report is useful in identifying the most resource-intensive queries and understanding how to prevent throttling due to excessive use. [attachment=27386:name] New advanced hunting table: DeviceTvmHardwareFirmware. The DeviceTvmHardwareFirmware table in the advanced hunting schema contains hardware and firmware information of devices as checked by Microsoft Defender Vulnerability Management. The information includes the system model, processor, and BIOS, among others. Microsoft Defender for Cloud Apps [attachment=27387:name] Introducing the Microsoft Defender for Cloud Apps data protection series. A brand-new blog series focused on information protection in Microsoft Defender for Cloud Apps, various members of the Product Group will walk us through how to protect the data that lives inside your SaaS apps. [attachment=27388:name] Microsoft Defender for Cloud Apps data protection series: Understand your data types. Our second installment in the Microsoft Defender for Cloud Apps data protection series, where we focus on the different types of data that can be protected. [attachment=27389:name] App Governance is a Key Part of a Customers' Zero Trust Journey - Watch this webinar now on YouTube. This webinar focused on how App governance helps customers implement Zero Trust in their environments. We walk you through a typical scenario and how it is aligned to Zero Trust pillars. [attachment=27390:name] Workplace by META API connector is now available in Defender for Cloud Apps. Workplace by META API connector in Defender for Cloud Apps provide you enhanced visibility and control over user activities in Workplace. Microsoft Defender for Endpoint [attachment=27391:name] The new device timeline is now generally available. The device timeline reflects all the event observed on a device in a chronological order, it’s mostly used to deepen the investigation and pivot from an alert to learn what happened on a device before/after the suspicious activity. the new view keeps the existing functionality in pair, in addition to performance several UI improvements. The new timeline offers faster loading time, while seamlessly fetching bigger chunks of data (1000 instead of 200), in addition to several UI improvements for a smoother experience. New event side panel, aligned with the alert story process tree experience, for easy orientationEnhanced MITRE data, showing all related techniques and tactics at a single event panelLinking events to the new user side panel, providing more details and context to the investigation without leaving the pageBetter visibility to the data set shown in the timeline, by reflecting the applied filters on top of the table [attachment=27392:name] Detecting and remediating command and control attacks at the network layer. Microsoft Defender for Endpoint helps SecOps teams detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries. [attachment=27393:name] Mobile Network Protection for Defender for Endpoint on Android and iOS now generally available. Microsoft brings network protection features in Defender for Endpoint to Android and iOS providing more ways to help organizations identify, assess, and remediate endpoint weaknesses with the help of threat intelligence. [attachment=27394:name] Use the new Microsoft 365 Defender API for all your alerts. The new Microsoft 365 Defender alerts API, currently in public preview, enables customers to work with alerts across all products within Microsoft 365 Defender using a single integration. [attachment=27395:name] Announcing new removable storage management features on Windows. Over the last several months, Microsoft Defender for Endpoint has rolled out a handful of device control capabilities to help secure removable storage scenarios on Windows. [attachment=27396:name] Microsoft Defender for Endpoint now integrated with Zeek. The integration of Zeek into Microsoft Defender for Endpoint provides new levels of network analysis capabilities based on deep inspection of network traffic powered by Zeek, a powerful open-source network analysis engine that allows researchers to tackle sophisticated network-based attacks in ways that weren't possible before. [attachment=27397:name] Built-in protection is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure your devices are protected. Built-in protection is a set of default settings that are rolling out to help ensure your devices are protected. These default settings are designed to protect devices from ransomware and other threats. [attachment=27398:name] Check out the Library API to upload/delete/update files in your tenant's library. [attachment=27399:name] Stopping C2 communications in human-operated ransomware through network protection. Providing advanced protection against increasingly sophisticated human-operated ransomware, Microsoft Defender for Endpoint’s network protection leverages threat intelligence and machine learning to block command-and-control (C2) communications. Microsoft Defender for Identity [attachment=27400:name] Deprecation of the Defender for Endpoint Defender for Identity Integration. At the end of November, integration with Microsoft Defender for Endpoint will no longer be supported. We highly recommend using the Microsoft 365 Defender portal (Sign in to your account) which has the integration built-in. [attachment=27401:name] New option for running the remediation actions by using the sensor's server LocalSystem account. Defender for Identity can now use the LocalSystem account on the domain controller to perform remediation actions (enable/disable user, force user reset password), in addition to the gMSA option that was available before. This enables out of the box support for remediation actions. [attachment=27402:name] New health alert for verifying that Directory Services Advanced Auditing is configured correctly. New health alert for alerting customers that their Directory Services Advanced Auditing do not include all the categories and subcategories as required.that the NTLM Auditing is enabled. New health alert for alerting customers that their NTLM Auditing (for eventId 8004) is not enabled. Microsoft Defender for Office 365 [attachment=27403:name] Build custom email security reporting with Microsoft Defender for Office 365 and PowerBI. In this blog, we will showcase an example on how you can leverage Power BI and the Microsoft 365 Defender Advanced Hunting APIs to build a custom dashboard and share a template that you can customize and extend. [attachment=27404:name] Microsoft announces partnership with SANS Institute to deliver a new series of computer-based training (CBT) modules in the Attack Simulation Training service. The modules will focus on IT systems and network administrators. Microsoft is excited to collaborate with a recognized market leader in cyber security training to bring our customers training that can help our customers address a critical challenge in the modern threat landscape: educating and upskilling security professionals. [attachment=27405:name] Why Microsoft is the right choice for healthcare. First in an industry series focusing on why Microsoft is the right choice for your security needs in healthcare. Microsoft Defender Vulnerability Management [attachment=27406:name] Reduce OpenSSL 3.0 vulnerabilities risks with Microsoft Defender Vulnerability Management. The OpenSSL team published two high severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786. Any OpenSSL versions between 3.0.0 and 3.0.6 are affected and the guidance is OpenSSL 3.0 users should expedite upgrade to OpenSSL v 3.0.7 to reduce the impact of this threat. [attachment=27407:name] Announcing Software Usage Insights in public preview. Organizations can view the number of devices using specific Windows software and the median usage for the past 30 days to better inform organizations of the user impact if they want to block software or any vulnerable versions. [attachment=27408:name] Firmware assessments support now in public preview in Microsoft Defender Vulnerability Management. This new firmware assessments feature provides customers with full visibility into device manufacturer, processor and BIOS information Continue reading...

Heya folks, Ned here again. The latest Windows Server Summit is coming December 6th, 2022. Join us for demos, sessions, and live Q & A on Windows Server and: Securing your infrastructure Getting the most from new Windows Server 2022 capabilities Efficiently managing hybrid workloads Seeing my dogs in demos Free registration: Windows Server Summit | Microsoft Event Agenda Products / topics included Opening Rick Claus Sonia Cuff Executive “fireside chat” Roanne Sones Rick Claus High-level hybrid & migration themes, Azure Arc, AHB for Azure Stack HCI and AKS, with Windows Server Azure Edition What’s new with Windows Server / Key announcements Jeff Woolsey (and Ned Pyle, briefly) Secured-core Server, 5-year container support, AHB for Azure Stack HCI and AKS, Hotpatch, WSL2 for Linux containers Optimize your Windows Server Orin Thomas Sonia Cuff File server, security (including how to harden Active Directory), WS2012 end of support Secure and manage infrastructure everywhere Aurnov Chattopadhyay Trung Tran Azure Arc, WAC, Automanage Modernize where and how you need to Vinicius Apolinario and Thomas Maurer Containers, app modernization, AKS Enhance security and save time with Windows Server 2022 and Windows 11 Ned Pyle SMB compression and SMB over QUIC ; security pieces that require Win11 and WS2022 together; HCI and Azure Edition as Windows 11 target. What’s new in System Center 2022 (on-demand) Bhavna Appayya Sujay Jagadish Desai System Center 2022 Navigating technical change for Windows Server professionals (on-demand) Sonia Cuff Orin Thomas Jeff Woolsey Windows Server professionals moving skills to cloud, Hybrid certification That's a lot to pack in. There are several on-demand sessions as well, plus that live Q & A where you can talk to me and dozens of other MS experts and technology owners. Remember that registration! Windows Server Summit | Microsoft See you December 6th! - Ned Pyle and his demo dogs Continue reading...